From 03701e5b25a4512651dd242b74d377a58531730e Mon Sep 17 00:00:00 2001
From: Michele Pagot
Date: Mon, 30 Sep 2024 08:40:59 +0200
Subject: [PATCH] Local SAS token generation as normal user (#275)

Do not run the sas token local generation as root. This prevent tools like az not to be found when running the deployment as normal user.
---
 .../playbooks/sap-hana-download-media.yaml | 37 ++++++-------------
 .../playbooks/tasks/cluster-bootstrap.yaml | 6 ++-
 2 files changed, 16 insertions(+), 27 deletions(-)

diff --git a/ansible/playbooks/sap-hana-download-media.yaml b/ansible/playbooks/sap-hana-download-media.yaml
index 45eb394b..1018c534 100644
--- a/ansible/playbooks/sap-hana-download-media.yaml
+++ b/ansible/playbooks/sap-hana-download-media.yaml
@@ -2,8 +2,6 @@
 - name: SAP HANA download media
 hosts: hana
 remote_user: cloudadmin
- become: true
- become_user: root
 vars:
 hana_download_path: /hana/shared/install
 url_timeout: 30
@@ -15,14 +13,6 @@
 - name: Include external variables
 ansible.builtin.include_vars: ./vars/hana_media.yaml

- - name: Create software directory
- ansible.builtin.file:
- path: "{{ hana_download_path }}"
- state: directory
- owner: root
- group: root
- mode: 0755
-
 - name: Retrieve account key
 ansible.builtin.command: >-
 az storage account keys list \
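Review bot: Removing the play-level `become`/`become_user` in the first hunk changes the privilege of every task in the play that does not set its own `become`, not only the SAS generation the commit targets; the tasks between the hunks (`Retrieve account key` onward) are outside this view, so confirm none of them still needs root. The deleted `Create software directory` task is re-added later with a per-task `become: true`, so the directory itself is still created as root. A short play-level comment such as `# Runs as cloudadmin so the az CLI on the user's PATH is found; tasks that need root set become explicitly` would record the intent for the next maintainer.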
@@ -65,24 +55,19 @@
 run_once: true
 when: az_sas_token is not defined or az_sas_token == ""

- - name: Download HANA media with SAS token
- ansible.builtin.get_url:
- url: "https://{{ az_storage_account_name }}.blob.core.windows.net/{{ az_container_name }}/{{ item }}?{{ az_sas_token }}"
- dest: "{{ hana_download_path + '/' + item | split('/') | last }}"
+ - name: Create software directory
+ ansible.builtin.file:
+ path: "{{ hana_download_path }}"
+ state: directory
 owner: root
 group: root
- mode: 0600
- timeout: "{{ url_timeout }}"
- register: result
- until: result is succeeded
- retries: "{{ url_retries_cnt }}"
- delay: "{{ url_retries_delay }}"
- with_items: "{{ az_blobs }}"
- when: az_sas_token is defined
+ mode: 0755
+ become: true
+ become_user: root

- - name: Download HANA media without SAS token
+ - name: Download HANA media with SAS token
 ansible.builtin.get_url:
- url: "https://{{ az_storage_account_name }}.blob.core.windows.net/{{ az_container_name }}/{{ item }}"
+ url: "https://{{ az_storage_account_name }}.blob.core.windows.net/{{ az_container_name }}/{{ item }}?{{ az_sas_token }}"
 dest: "{{ hana_download_path + '/' + item | split('/') | last }}"
 owner: root
 group: root
@@ -93,4 +78,6 @@
 retries: "{{ url_retries_cnt }}"
 delay: "{{ url_retries_delay }}"
 with_items: "{{ az_blobs }}"
- when: az_sas_token is not defined
+ become: true
+ become_user: root
+ when: az_sas_token is defined
diff --git a/ansible/playbooks/tasks/cluster-bootstrap.yaml b/ansible/playbooks/tasks/cluster-bootstrap.yaml
index d731d3bb..830c7b18 100644
--- a/ansible/playbooks/tasks/cluster-bootstrap.yaml
+++ b/ansible/playbooks/tasks/cluster-bootstrap.yaml
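Review bot: The `url:` line added for the `Download HANA media with SAS token` task embeds `az_sas_token` in the request URL, and the task presumably still registers its result (the `register: result` / `until` lines lie between this hunk and the next), so the token can surface in verbose output and in the registered `result`; add `no_log: true` to that task. The new `when: az_sas_token is defined` in the following hunk, together with the `when: az_sas_token is not defined or az_sas_token == ""` guard on the generation task above, suggests the variable can be defined but empty; if generation does not set it, the download would run with an empty query string, so consider `when: az_sas_token is defined and az_sas_token != ""`. The added `mode: 0755` is a plain scalar that YAML 1.1 parsers read as an octal integer; Ansible accepts the leading-zero form, but ansible-lint prefers the quoted `mode: "0755"`. `become_user: root` is the default for `become: true` and can be dropped from both tasks.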
@@ -270,8 +270,8 @@
 register: stonith_config_result
 failed_when: "'ERROR' in stonith_config_result.stderr"

-# Thee following STONITH commands for GCP have been adapted from
-# https://cloud.google.com/solutions/sap/docs/sap-hana-ha-config-sles
+# The following STONITH commands for GCP have been adapted from
+# https://cloud.google.com/solutions/sap/docs/sap-hana-ha-config-sles#create_the_fencing_device_resources
 - name: Configure GCP Native Fencing STONITH for Primary
 ansible.builtin.command: >
 crm configure primitive rsc_gce_stonith_primary stonith:fence_gce
@@ -287,6 +287,8 @@
 - is_primary
 - not (use_sbd | bool)

+# Command to configure the Secondary has to be executed on the primary
+# https://cloud.google.com/solutions/sap/docs/sap-hana-ha-config-sles#create_the_fencing_device_resources
 - name: Configure GCP Native Fencing STONITH for Secondary
 ansible.builtin.command: >
 crm configure primitive rsc_gce_stonith_secondary stonith:fence_gce