Bug 1664276 - [kubevirt-ansible] I can not run playbook as an unprivileged user (non-root) since playbook is writing under /usr/share/ansible/kubevirt-ansible/roles/kubevirt/templates directory
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Installation
Version: 1.4
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 1.4
Assignee: Ryan Hallisey
QA Contact: Irina Gulina
URL:
Whiteboard:
Duplicates: 1668694
Depends On:
Blocks:
Reported: 2019-01-08 10:05 UTC by Lukas Bednar
Modified: 2019-03-05 14:44 UTC

Fixed In Version: kubevirt-ansible-0.12.2-1.acde806
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-03-05 14:44:35 UTC
Target Upstream Version:
Embargoed:


Attachments
run installation playbook as a unprivileged user (non-root) (34.30 KB, text/plain)
2019-02-06 15:09 UTC, Irina Gulina

Description Lukas Bednar 2019-01-08 10:05:46 UTC
Description of problem:
I cannot run the playbook as an unprivileged user (non-root) since the playbook is writing under the /usr/share/ansible/kubevirt-ansible/roles/kubevirt/templates directory.

This playbook should require only oc-login for cluster admin and that is it.
Definitely no need for root user in my opinion.

Version-Release number of selected component (if applicable):
kubevirt-ansible-0.9.2-4.9c5b566.noarch

How reproducible: 100%


Steps to Reproduce:
1. ansible-playbook -i inventory -e@/usr/share/ansible/kubevirt-ansible/vars/all.yml -e@/usr/share/ansible/kubevirt-ansible/vars/cnv.yml -e "registry_url=brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888" /usr/share/ansible/kubevirt-ansible/playbooks/kubevirt.yml

Actual results:
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Destination /usr/share/ansible/kubevirt-ansible/roles/kubevirt/templates is not writable"}


Expected results:
Playbook should be executable without root permission, since it is not meant to perform any change on playbook controller's system.


Additional info:
PLAY [Initial configuration] ******************************************************************************************************************************************************************

TASK [Login As Super User] ********************************************************************************************************************************************************************
skipping: [localhost]

TASK [Config kubernetes client binary] ********************************************************************************************************************************************************
skipping: [localhost]

TASK [Config openshift client binary] *********************************************************************************************************************************************************
ok: [localhost]

PLAY [Initial configuration] ******************************************************************************************************************************************************************

TASK [Login As Super User] ********************************************************************************************************************************************************************
skipping: [localhost]

TASK [Config kubernetes client binary] ********************************************************************************************************************************************************
skipping: [localhost]

TASK [Config openshift client binary] *********************************************************************************************************************************************************
ok: [localhost]

PLAY [nodes masters] **************************************************************************************************************************************************************************

TASK [Gathering Facts] ************************************************************************************************************************************************************************
ok: [172.16.0.24]
ok: [172.16.0.25]
ok: [172.16.0.16]

TASK [remove multus config from nodes on deprovisioning] **************************************************************************************************************************************
skipping: [172.16.0.16] => (item=/etc/cni/net.d/00-multus.conf)
skipping: [172.16.0.16] => (item=/etc/cni/net.d/multus.d)
skipping: [172.16.0.24] => (item=/etc/cni/net.d/00-multus.conf)
skipping: [172.16.0.24] => (item=/etc/cni/net.d/multus.d)
skipping: [172.16.0.25] => (item=/etc/cni/net.d/00-multus.conf)
skipping: [172.16.0.25] => (item=/etc/cni/net.d/multus.d)

TASK [make sure ovs is installed] *************************************************************************************************************************************************************
skipping: [172.16.0.16]
skipping: [172.16.0.24]
skipping: [172.16.0.25]

TASK [enable and start OVS] *******************************************************************************************************************************************************************
skipping: [172.16.0.16]
skipping: [172.16.0.24]
skipping: [172.16.0.25]

TASK [Create /etc/pcidp] **********************************************************************************************************************************************************************
skipping: [172.16.0.16]
skipping: [172.16.0.24]
skipping: [172.16.0.25]

TASK [Configure SR-IOV DP allocation pool] ****************************************************************************************************************************************************
skipping: [172.16.0.16]
skipping: [172.16.0.24]
skipping: [172.16.0.25]

TASK [Fix SELinux labels for /var/lib/kubelet/device-plugins/] ********************************************************************************************************************************
skipping: [172.16.0.16]
skipping: [172.16.0.24]
skipping: [172.16.0.25]

PLAY [Deploy network roles] *******************************************************************************************************************************************************************

TASK [network-multus : include_tasks] *********************************************************************************************************************************************************
included: /usr/share/ansible/kubevirt-ansible/roles/network-multus/tasks/provision.yml for localhost

TASK [network-multus : Check if namespace "kube-system" exists] *******************************************************************************************************************************
changed: [localhost]

TASK [network-multus : Create kube-system namespace] ******************************************************************************************************************************************
skipping: [localhost]

TASK [network-multus : openshift cni config] **************************************************************************************************************************************************
ok: [localhost]

TASK [network-multus : kubernetes cni config] *************************************************************************************************************************************************
skipping: [localhost]

TASK [network-multus : Render multus deployment yaml] *****************************************************************************************************************************************
ok: [localhost]

TASK [network-multus : Create multus Resources] ***********************************************************************************************************************************************
changed: [localhost]

TASK [network-multus : Render cni plugins deployment yaml] ************************************************************************************************************************************
skipping: [localhost]

TASK [network-multus : Create cni plugins Resources] ******************************************************************************************************************************************
skipping: [localhost]

TASK [network-multus : Render OVS deployment yaml] ********************************************************************************************************************************************
ok: [localhost]

TASK [network-multus : Create ovs Resources] **************************************************************************************************************************************************
changed: [localhost]

TASK [network-multus : Render ovs-vsctl deployment yaml] **************************************************************************************************************************************
ok: [localhost]

TASK [network-multus : Create ovs-vsctl resources] ********************************************************************************************************************************************
changed: [localhost]

TASK [network-multus : Render SR-IOV DP deployment yaml] **************************************************************************************************************************************
skipping: [localhost]

TASK [network-multus : Create SR-IOV DP resources] ********************************************************************************************************************************************
skipping: [localhost]

TASK [network-multus : Render SR-IOV CNI deployment yaml] *************************************************************************************************************************************
skipping: [localhost]

TASK [network-multus : Create SR-IOV CNI resources] *******************************************************************************************************************************************
skipping: [localhost]

TASK [network-multus : Render SR-IOV network CRD yaml] ****************************************************************************************************************************************
skipping: [localhost]

TASK [network-multus : Create SR-IOV network CRD] *********************************************************************************************************************************************
skipping: [localhost]

TASK [network-multus : Wait until multus is running] ******************************************************************************************************************************************
changed: [localhost]

TASK [network-multus : Wait until CNI plugins are running] ************************************************************************************************************************************
skipping: [localhost]

TASK [network-multus : Wait until OVS Plugin is running] **************************************************************************************************************************************
changed: [localhost]

TASK [network-multus : Wait until SR-IOV DP plugin is running] ********************************************************************************************************************************
skipping: [localhost]

TASK [network-multus : Wait until SR-IOV CNI plugin is running] *******************************************************************************************************************************
skipping: [localhost]

TASK [skydive : include_tasks] ****************************************************************************************************************************************************************
skipping: [localhost]

PLAY [Deploy kubevirt role] *******************************************************************************************************************************************************************

TASK [kubevirt : include_tasks] ***************************************************************************************************************************************************************
included: /usr/share/ansible/kubevirt-ansible/roles/kubevirt/tasks/provision.yml for localhost

TASK [kubevirt : Check if kubevirt exists] ****************************************************************************************************************************************************
changed: [localhost]

TASK [kubevirt : Create kubevirt namespace] ***************************************************************************************************************************************************
changed: [localhost]

TASK [kubevirt : Add Privileged Policy] *******************************************************************************************************************************************************
changed: [localhost] => (item=kubevirt-privileged)
changed: [localhost] => (item=kubevirt-controller)
changed: [localhost] => (item=kubevirt-infra)
changed: [localhost] => (item=kubevirt-apiserver)

TASK [kubevirt : Add Hostmount-anyuid Policy] *************************************************************************************************************************************************
changed: [localhost]

TASK [kubevirt : Enable kubevirt feature gates] ***********************************************************************************************************************************************
changed: [localhost]

TASK [kubevirt : Check for kubevirt.yaml.j2 template in /usr/share/ansible/kubevirt-ansible/roles/kubevirt/templates] *************************************************************************
ok: [localhost]

TASK [kubevirt : Check for kubevirt.yaml.j2 version v0.12.0-alpha.2 in /opt/apb/kubevirt-templates] *******************************************************************************************
ok: [localhost]

TASK [kubevirt : Download KubeVirt Template] **************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Destination /usr/share/ansible/kubevirt-ansible/roles/kubevirt/templates is not writable"}
 [WARNING]: Could not create retry file '/usr/share/ansible/kubevirt-ansible/playbooks/kubevirt.retry'.         [Errno 13] Permission denied: u'/usr/share/ansible/kubevirt-ansible/playbooks/kubevirt.retry'


PLAY RECAP ************************************************************************************************************************************************************************************
172.16.0.16                : ok=1    changed=0    unreachable=0    failed=0  
172.16.0.24                : ok=1    changed=0    unreachable=0    failed=0  
172.16.0.25                : ok=1    changed=0    unreachable=0    failed=0  
localhost                  : ok=21   changed=11   unreachable=0    failed=1
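
An added example, not part of the original report or of kubevirt-ansible: a small log audit that maps each controller-side write refused during an unprivileged run to the task that attempted it, using the two error formats visible in the output above. The function name `denied_controller_writes` and the shortened sample log are constructed for illustration.

```python
import re

# Constructed sample: lines taken from the failed run quoted in this bug,
# with the TASK banner asterisks shortened.
SAMPLE_LOG = '''\
TASK [kubevirt : Enable kubevirt feature gates] ****
changed: [localhost]

TASK [kubevirt : Download KubeVirt Template] ****
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Destination /usr/share/ansible/kubevirt-ansible/roles/kubevirt/templates is not writable"}
 [WARNING]: Could not create retry file '/usr/share/ansible/kubevirt-ansible/playbooks/kubevirt.retry'.         [Errno 13] Permission denied: u'/usr/share/ansible/kubevirt-ansible/playbooks/kubevirt.retry'
'''

TASK_RE = re.compile(r"^TASK \[(?P<name>.+?)\] \*+\s*$")
DEST_RE = re.compile(r'"msg": "Destination (?P<path>\S+) is not writable"')
RETRY_RE = re.compile(r"Could not create retry file '(?P<path>[^']+)'")


def denied_controller_writes(log_text):
    """Return (task, kind, path) for every write the controller refused."""
    findings = []
    task = None
    for line in log_text.splitlines():
        m = TASK_RE.match(line)
        if m:
            # Remember which task the following result lines belong to.
            task = m.group("name")
            continue
        m = DEST_RE.search(line)
        if m:
            findings.append((task, "module-destination", m.group("path")))
            continue
        m = RETRY_RE.search(line)
        if m:
            # Retry files are written by ansible-playbook itself, not by a task.
            findings.append((None, "retry-file", m.group("path")))
    return findings


if __name__ == "__main__":
    for task, kind, path in denied_controller_writes(SAMPLE_LOG):
        print(f"{kind:20} {path}  (task: {task or 'n/a'})")
```

Any path reported under the packaged install tree marks a place where the playbook treats read-only content as scratch space, which is what forces the run to need root.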

Comment 1 Ryan Hallisey 2019-01-08 13:40:14 UTC
The download code will be removed in this PR https://github.com/kubevirt/kubevirt-ansible/pull/536.  The operator work will simplify what kubevirt-ansible does.

Comment 3 Nelly Credi 2019-01-10 12:20:51 UTC
Need to handle this one as well:
Destination /usr/share/ansible/kubevirt-ansible/roles/cdi/templates is not writable

Comment 4 Israel Pinto 2019-01-23 12:34:10 UTC
*** Bug 1668694 has been marked as a duplicate of this bug. ***

Comment 5 Ryan Hallisey 2019-01-24 17:47:44 UTC
cd into '/usr/share/ansible/kubevirt-ansible' to run your playbooks or run them locally.  Both these cases are covered in docs + kubevirt-ansible-0.12.2-1.acde806

Comment 6 Irina Gulina 2019-02-06 15:09:54 UTC
Created attachment 1527526
run installation playbook as a unprivileged user (non-root)

Comment 7 Irina Gulina 2019-02-06 15:13:09 UTC
I was able to run the playbook as a non-root user, cloud-user, successfully; see the attachment. `oc get pods --all-namespaces` displays kubevirt pods. Docs line checked.

Thanks for the fix.

