[RFE] Allow remote (http/https/swift) locations for the ansible deploy playbooks

Bug #1751255 reported by Dmitry Tantsur
Affects: Ironic
Status: Confirmed
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

The ansible deploy interface was introduced with the goal of enabling higher customization of the deploy process. Thus, allowing operators to modify its playbooks is a cornerstone feature. However, the current approach with modifying them in the local file system has the following potential issues:
1. it assumes that an API user has write access to the local file system,
2. it requires a configuration management tool to be able to change the playbooks across multiple conductors in a sane way,
3. it does not play really well with containerized deployments.

The RFE proposes renaming [ansible]playbooks_dir and node.driver_info[ansible_playbooks_dir] to [ansible]playbooks_location and node.driver_info[ansible_playbooks_location] accordingly and allowing URLs in them.

We will accept 4 schemas initially: file, http, https and swift. Missing schema will designate a local directory for backward compatibility. The new 3 schemas will point at a tarball with the whole playbooks tree in it. This tarball will be fetched on node deploy and unpacked to a temporary location.

The swift URL will have a form of swift://[account@]container/object (account being optional and defaulting to the account of the service tenant, similar to how we treat temporary URLs).

Finally, since putting URLs to playbooks in driver_info essentially means remote code execution, it will be off by default. A new option [ansible]playbooks_location_schemas defaulting to ['file'] will regulate which schemas are acceptable in driver_info.

Tags: rfe ansible
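
An added sketch of the schema allowlist and swift URL parsing described in the report above; it is not code from Ironic or from the reporter. The names `parse_playbooks_location`, `LocationRejected` and `KNOWN_SCHEMAS` are hypothetical, and treating the `file` schema as a plain local path is an assumption.

```python
from urllib.parse import urlsplit

KNOWN_SCHEMAS = ("file", "http", "https", "swift")  # the four named in the RFE


class LocationRejected(ValueError):
    """The location uses a schema that is unknown, disabled or malformed."""


def parse_playbooks_location(location, allowed=("file",)):
    """Hypothetical helper: classify a playbooks location from driver_info.

    `allowed` models [ansible]playbooks_location_schemas (default ['file']).
    """
    parts = urlsplit(location)
    # A missing schema designates a local directory (backward compatibility).
    schema = parts.scheme.lower() or "file"
    if schema not in KNOWN_SCHEMAS:
        raise LocationRejected("unknown schema %r" % schema)
    if schema not in allowed:
        # Remote playbooks are code the conductor will run: off unless enabled.
        raise LocationRejected("schema %r is not enabled" % schema)

    if schema == "file":
        path = parts.path if parts.scheme else location
        if parts.netloc or not path:
            raise LocationRejected("file location must be a local path")
        return {"schema": "file", "path": path}

    if schema in ("http", "https"):
        if not parts.netloc:
            raise LocationRejected("URL has no host")
        return {"schema": schema, "url": location}

    # swift://[account@]container/object; split the netloc by hand because
    # urlsplit().hostname lowercases, and container names are case-sensitive.
    account, _, container = parts.netloc.rpartition("@")
    obj = parts.path[1:]
    if not container or not obj or parts.query or parts.fragment:
        raise LocationRejected("expected swift://[account@]container/object")
    # account None means "use the account of the service tenant".
    return {"schema": "swift", "account": account or None,
            "container": container, "object": obj}
```

With the default allowlist, any http, https or swift value placed in driver_info is rejected before anything is fetched; an operator has to opt in per schema.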
Dmitry Tantsur (divius)
summary: - [RFE] Allow remove (http/https/swift) locations for the ansible deploy
+ [RFE] Allow remote (http/https/swift) locations for the ansible deploy
playbooks
Dmitry Tantsur (divius)
description: updated