From e6be08583c22ad9cc81700b234f1227361907d69 Mon Sep 17 00:00:00 2001
From: David Galloway
Date: Mon, 4 Nov 2019 18:25:25 -0500
Subject: [PATCH] users: Tasks to allow skipping of role if all users/keys are already good

Signed-off-by: David Galloway
---
 roles/users/README.rst | 8 ++++++++
 roles/users/defaults/main.yml | 6 ++++++
 roles/users/tasks/main.yml | 36 +++++++++++++++++++++++++++++++++++
 3 files changed, 50 insertions(+)

diff --git a/roles/users/README.rst b/roles/users/README.rst
index 2529baf..e4f5e3c 100644
--- a/roles/users/README.rst
+++ b/roles/users/README.rst
@@ -88,6 +88,14 @@ A list of usernames whose access is to be revoked::

 revoked_users: []

+The users role writes a sentinel file, ``/keys-repo-sha1``, to indicate the sha1 of the keys repo when ceph-cm-ansible last ran. If the sha1 in that file matches the current keys repo HEAD sha1, users tasks will be skipped unless you set ``force_users_update: True``::
+
+ force_users_update: False
+
+By default, the users and pubkeys should be updated. A task in ``main.yml`` changes this to ``False`` if the machine's users and keys are already up to date (unless ``force_users_update: True``)::
+
+ perform_users_role: True
+
 Tags
 ++++

diff --git a/roles/users/defaults/main.yml b/roles/users/defaults/main.yml
index 93a7722..d7e2f73 100644
--- a/roles/users/defaults/main.yml
+++ b/roles/users/defaults/main.yml
@@ -27,3 +27,9 @@ revoked_users: []
 keys_repo: "https://github.com/ceph/keys"
 # Where to clone keys_repo on the *local* disk
 keys_repo_path: "~/.cache/src/keys"
+
+# If the keys git repo HEAD sha1 matches the sha1 of the host's /keys-repo-sha1 file, the users role will get skipped to save time.
+# Update users and pubkeys by default (this is changed to False during the play if keys_repo_head.stdout == sentinel_sha1.stdout)
+perform_users_role: True
+# Set this to True if you want to run the users tasks anyway
+force_users_update: False
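Review bot: The comment above `perform_users_role` does not say that the skip is keyed only on the keys repo HEAD, while `revoked_users` (visible in this hunk's header) is set in Ansible vars rather than in that repo. As written, adding a name to `revoked_users` without a new keys commit would presumably leave revoke_users.yml skipped on hosts whose sentinel already matches. I would document that next to `force_users_update`, e.g. `# Only the keys repo HEAD is compared; after changing revoked_users or other user vars, run with force_users_update: True.` It is also worth marking `perform_users_role` as internal (`# Set by tasks/main.yml; do not override in inventory or with -e`), since an override to False would switch off all four imported task files.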
diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml
index 66cef4c..400bfa5 100644
--- a/roles/users/tasks/main.yml
+++ b/roles/users/tasks/main.yml
@@ -1,17 +1,53 @@
 ---
+- name: Check keys_repo HEAD sha1
+ shell: "git ls-remote {{ keys_repo }} HEAD | awk '{ print $1 }'"
+ register: keys_repo_head
+ become: false
+ when: keys_repo is defined
+ connection: local
+ run_once: true
+ retries: 5
+ delay: 10
+ # perform_users_role is True by default so no need to fail the play if there's an error.
+ ignore_errors: true
+
+- name: Check host's /keys-repo-sha1 sentinel file
+ command: cat /keys-repo-sha1
+ register: sentinel_sha1
+ # perform_users_role is True by default so no need to fail the play if there's an error.
+ failed_when: false
+
+- name: Determine if we can skip users and pubkeys updates
+ set_fact:
+ perform_users_role: False
+ # perform_users_role is True by default so no need to fail the play if there's an error.
+ ignore_errors: true
+ when: (keys_repo_head.stdout == sentinel_sha1.stdout) and
+ not force_users_update
+
 - import_tasks: filter_users.yml
+ when: perform_users_role
 tags:
 - always

 - import_tasks: create_users.yml
+ when: perform_users_role
 tags:
 - user

 - import_tasks: update_keys.yml
+ when: perform_users_role
 tags:
 - pubkeys

 - import_tasks: revoke_users.yml
+ when: perform_users_role
 tags:
 - user
 - revoke
+
+- name: Write /keys-repo-sha1 sentinel file
+ copy:
+ content: "{{ keys_repo_head.stdout }}"
+ dest: /keys-repo-sha1
+ when: keys_repo_head is defined
--
2.39.5
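Review bot: The skip condition in "Determine if we can skip users and pubkeys updates" also matches when both values are empty. The `git ls-remote ... | awk` pipeline returns awk's exit status, so a failed fetch registers an empty `stdout`, and `cat /keys-repo-sha1` under `failed_when: false` is likewise empty on a host with no sentinel yet. In that case `perform_users_role` becomes False and user creation, key updates and revocation are all skipped on a host that was never configured. Require a non-empty sha first, e.g. `when: (keys_repo_head.stdout | default('') | length > 0) and (keys_repo_head.stdout == sentinel_sha1.stdout) and not force_users_update`. The final "Write /keys-repo-sha1 sentinel file" task needs the same test, `when: keys_repo_head.stdout | default('') | length > 0`, because a registered variable is defined even when its task failed or was skipped, so `keys_repo_head is defined` does not stop an empty sentinel from being written.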