Bug 1664276

Summary: [kubevirt-ansible] I can not run playbook as an unprivileged user (non-root) since playbook is writing under /usr/share/ansible/kubevirt-ansible/roles/kubevirt/templates directory
Product: Container Native Virtualization (CNV) Reporter: Lukas Bednar <lbednar>
Component: InstallationAssignee: Ryan Hallisey <rhallise>
Status: CLOSED CURRENTRELEASE QA Contact: Irina Gulina <igulina>
Severity: high Docs Contact:
Priority: high    
Version: 1.4CC: cnv-qe-bugs, ncredi, pousley, rhallise, sgordon, ysegev
Target Milestone: ---   
Target Release: 1.4   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: kubevirt-ansible-0.12.2-1.acde806 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-03-05 14:44:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
run installation playbook as a unprivileged user (non-root) none

Description Lukas Bednar 2019-01-08 10:05:46 UTC 
Description of problem:
I can not run playbook as a unprivileged user (non-root) since playbook is writing under /usr/share/ansible/kubevirt-ansible/roles/kubevirt/templates directory .

This playbook should require only oc-login for cluster admin and that is it.
Definitely no need for root user in my opinion.

Version-Release number of selected component (if applicable):
kubevirt-ansible-0.9.2-4.9c5b566.noarch

How reproducible: 100%


Steps to Reproduce:
1.ansible-playbook -i inventory -e@/usr/share/ansible/kubevirt-ansible/vars/all.yml -e@/usr/share/ansible/kubevirt-ansible/vars/cnv.yml -e "registry_url=brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888" /usr/share/ansible/kubevirt-ansible/playbooks/kubevirt.yml

Actual results:
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Destination /usr/share/ansible/kubevirt-ansible/roles/kubevirt/templates is not writable"}


Expected results:
Playbook should be executable without root permission, since it is not meant to perform any change on playbook controller's system.


Additional info:
PLAY [Initial configuration] ******************************************************************************************************************************************************************

TASK [Login As Super User] ********************************************************************************************************************************************************************
skipping: [localhost]

TASK [Config kubernetes client binary] ********************************************************************************************************************************************************
skipping: [localhost]

TASK [Config openshift client binary] *********************************************************************************************************************************************************
ok: [localhost]

PLAY [Initial configuration] ******************************************************************************************************************************************************************

TASK [Login As Super User] ********************************************************************************************************************************************************************
skipping: [localhost]

TASK [Config kubernetes client binary] ********************************************************************************************************************************************************
skipping: [localhost]

TASK [Config openshift client binary] *********************************************************************************************************************************************************
ok: [localhost]

PLAY [nodes masters] **************************************************************************************************************************************************************************

TASK [Gathering Facts] ************************************************************************************************************************************************************************
ok: [172.16.0.24]
ok: [172.16.0.25]
ok: [172.16.0.16]

TASK [remove multus config from nodes on deprovisioning] **************************************************************************************************************************************
skipping: [172.16.0.16] => (item=/etc/cni/net.d/00-multus.conf)
skipping: [172.16.0.16] => (item=/etc/cni/net.d/multus.d)
skipping: [172.16.0.24] => (item=/etc/cni/net.d/00-multus.conf)
skipping: [172.16.0.24] => (item=/etc/cni/net.d/multus.d)
skipping: [172.16.0.25] => (item=/etc/cni/net.d/00-multus.conf)
skipping: [172.16.0.25] => (item=/etc/cni/net.d/multus.d)

TASK [make sure ovs is installed] *************************************************************************************************************************************************************
skipping: [172.16.0.16]
skipping: [172.16.0.24]
skipping: [172.16.0.25]

TASK [enable and start OVS] *******************************************************************************************************************************************************************
skipping: [172.16.0.16]
skipping: [172.16.0.24]
skipping: [172.16.0.25]

TASK [Create /etc/pcidp] **********************************************************************************************************************************************************************
skipping: [172.16.0.16]
skipping: [172.16.0.24]
skipping: [172.16.0.25]

TASK [Configure SR-IOV DP allocation pool] ****************************************************************************************************************************************************
skipping: [172.16.0.16]
skipping: [172.16.0.24]
skipping: [172.16.0.25]

TASK [Fix SELinux labels for /var/lib/kubelet/device-plugins/] ********************************************************************************************************************************
skipping: [172.16.0.16]
skipping: [172.16.0.24]
skipping: [172.16.0.25]

PLAY [Deploy network roles] *******************************************************************************************************************************************************************

TASK [network-multus : include_tasks] *********************************************************************************************************************************************************
included: /usr/share/ansible/kubevirt-ansible/roles/network-multus/tasks/provision.yml for localhost

TASK [network-multus : Check if namespace "kube-system" exists] *******************************************************************************************************************************
changed: [localhost]

TASK [network-multus : Create kube-system namespace] ******************************************************************************************************************************************
skipping: [localhost]

TASK [network-multus : openshift cni config] **************************************************************************************************************************************************
ok: [localhost]

TASK [network-multus : kubernetes cni config] *************************************************************************************************************************************************
skipping: [localhost]

TASK [network-multus : Render multus deployment yaml] *****************************************************************************************************************************************
ok: [localhost]

TASK [network-multus : Create multus Resources] ***********************************************************************************************************************************************
changed: [localhost]

TASK [network-multus : Render cni plugins deployment yaml] ************************************************************************************************************************************
skipping: [localhost]

TASK [network-multus : Create cni plugins Resources] ******************************************************************************************************************************************
skipping: [localhost]

TASK [network-multus : Render OVS deployment yaml] ********************************************************************************************************************************************
ok: [localhost]

TASK [network-multus : Create ovs Resources] **************************************************************************************************************************************************
changed: [localhost]

TASK [network-multus : Render ovs-vsctl deployment yaml] **************************************************************************************************************************************
ok: [localhost]

TASK [network-multus : Create ovs-vsctl resources] ********************************************************************************************************************************************
changed: [localhost]

TASK [network-multus : Render SR-IOV DP deployment yaml] **************************************************************************************************************************************
skipping: [localhost]

TASK [network-multus : Create SR-IOV DP resources] ********************************************************************************************************************************************
skipping: [localhost]

TASK [network-multus : Render SR-IOV CNI deployment yaml] *************************************************************************************************************************************
skipping: [localhost]

TASK [network-multus : Create SR-IOV CNI resources] *******************************************************************************************************************************************
skipping: [localhost]

TASK [network-multus : Render SR-IOV network CRD yaml] ****************************************************************************************************************************************
skipping: [localhost]

TASK [network-multus : Create SR-IOV network CRD] *********************************************************************************************************************************************
skipping: [localhost]

TASK [network-multus : Wait until multus is running] ******************************************************************************************************************************************
changed: [localhost]

TASK [network-multus : Wait until CNI plugins are running] ************************************************************************************************************************************
skipping: [localhost]

TASK [network-multus : Wait until OVS Plugin is running] **************************************************************************************************************************************
changed: [localhost]

TASK [network-multus : Wait until SR-IOV DP plugin is running] ********************************************************************************************************************************
skipping: [localhost]

TASK [network-multus : Wait until SR-IOV CNI plugin is running] *******************************************************************************************************************************
skipping: [localhost]

TASK [skydive : include_tasks] ****************************************************************************************************************************************************************
skipping: [localhost]

PLAY [Deploy kubevirt role] *******************************************************************************************************************************************************************

TASK [kubevirt : include_tasks] ***************************************************************************************************************************************************************
included: /usr/share/ansible/kubevirt-ansible/roles/kubevirt/tasks/provision.yml for localhost

TASK [kubevirt : Check if kubevirt exists] ****************************************************************************************************************************************************
changed: [localhost]

TASK [kubevirt : Create kubevirt namespace] ***************************************************************************************************************************************************
changed: [localhost]

TASK [kubevirt : Add Privileged Policy] *******************************************************************************************************************************************************
changed: [localhost] => (item=kubevirt-privileged)
changed: [localhost] => (item=kubevirt-controller)
changed: [localhost] => (item=kubevirt-infra)
changed: [localhost] => (item=kubevirt-apiserver)

TASK [kubevirt : Add Hostmount-anyuid Policy] *************************************************************************************************************************************************
changed: [localhost]

TASK [kubevirt : Enable kubevirt feature gates] ***********************************************************************************************************************************************
changed: [localhost]

TASK [kubevirt : Check for kubevirt.yaml.j2 template in /usr/share/ansible/kubevirt-ansible/roles/kubevirt/templates] *************************************************************************
ok: [localhost]

TASK [kubevirt : Check for kubevirt.yaml.j2 version v0.12.0-alpha.2 in /opt/apb/kubevirt-templates] *******************************************************************************************
ok: [localhost]

TASK [kubevirt : Download KubeVirt Template] **************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Destination /usr/share/ansible/kubevirt-ansible/roles/kubevirt/templates is not writable"}
 [WARNING]: Could not create retry file '/usr/share/ansible/kubevirt-ansible/playbooks/kubevirt.retry'.         [Errno 13] Permission denied: u'/usr/share/ansible/kubevirt-
ansible/playbooks/kubevirt.retry'


PLAY RECAP ************************************************************************************************************************************************************************************
172.16.0.16                : ok=1    changed=0    unreachable=0    failed=0  
172.16.0.24                : ok=1    changed=0    unreachable=0    failed=0  
172.16.0.25                : ok=1    changed=0    unreachable=0    failed=0  
localhost                  : ok=21   changed=11   unreachable=0    failed=1
Comment 1 Ryan Hallisey 2019-01-08 13:40:14 UTC 
The download code will be removed in this PR https://github.com/kubevirt/kubevirt-ansible/pull/536.  The operator work will simplify what kubevirt-ansible does.
Comment 3 Nelly Credi 2019-01-10 12:20:51 UTC 
need to handle this one as well:
Destination /usr/share/ansible/kubevirt-ansible/roles/cdi/templates is not writable
Comment 4 Israel Pinto 2019-01-23 12:34:10 UTC 
*** Bug 1668694 has been marked as a duplicate of this bug. ***
Comment 5 Ryan Hallisey 2019-01-24 17:47:44 UTC 
cd into '/usr/share/ansible/kubevirt-ansible' to run you playbooks or run them locally.  Both these cases are covered in docs + kubevirt-ansible-0.12.2-1.acde806
Comment 6 Irina Gulina 2019-02-06 15:09:54 UTC 
Created attachment 1527526 [details]
run installation playbook as a unprivileged user (non-root)
Comment 7 Irina Gulina 2019-02-06 15:13:09 UTC 
I was able to run the playbook as a non root user, cloud-user, successfully, see the attachment and `oc get pods --all-namespaces` displays kubevirt pods. Docs line checked.

Thanks for a fix.