run-production-playbook: encrypt logs in temporary staging directory

I didn't consider permissions on the production machine; since we run
Ansible as root, the existing code path can't access the logs.

By copying the logfile to encrypt to a staging area we can leave
everything else alone for now.  Upon reflection it seems like a better
idea to do this in an ephemeral location anyway and not leave anything
behind.  We move the cleanup into an always block too to ensure this.

Bump the codesearch playbook to trigger the prod job with these
changes.

Change-Id: I47f63df04d58b7a87bce445da0c0bdcb80edc8f9
changes/88/830288/3
Ian Wienand 12 months ago
parent 2db614c759
commit 35e8b1dbcc

@ -1,4 +1,4 @@
# NOTE(ianw): 2022-02-21 19:20 AEST : comment to trigger prod run
# NOTE(ianw): 2022-02-22 08:14 AEST : comment to trigger prod run
- hosts: "codesearch:!disabled"
name: "Configure codesearch"
roles:

@ -30,20 +30,30 @@
when: infra_prod_playbook_encrypt_log|default(False)
block:
- name: Create temp dir for download script
- name: Create temporary staging area for encrypted logs
tempfile:
state: directory
register: _download_tmpdir
register: _encrypt_tempdir
- name: Copy log to tempdir as Zuul user
copy:
src: '/var/log/ansible/{{ playbook_name }}.log'
dest: '{{ _encrypt_tempdir }}'
owner: zuul
group: zuul
mode: '0644'
remote_src: yes
become: yes
- name: Encrypt logs
include_role:
name: encrypt-logs
vars:
encrypt_logs_files:
- '/var/log/ansible/{{ playbook_name }}.log'
# Artifact in root directory
- '{{ _encrypt_tempdir.path }}/{{ playbook_name }}.log'
# Artifact URL should just point to root directory, so blank
encrypt_logs_artifact_path: ''
encrypt_logs_download_script_path: '{{ _download_tmpdir.path }}'
encrypt_logs_download_script_path: '{{ _encrypt_tempdir.path }}'
- name: Return logs
synchronize:
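Review bot: The copy task's `dest: '{{ _encrypt_tempdir }}'` interpolates the whole registered result of the tempfile task rather than the directory it created, so the log is not staged where the encrypt-logs role and the synchronize loop later look for it (`{{ _encrypt_tempdir.path }}/...`); it should read `dest: '{{ _encrypt_tempdir.path }}/'`, the trailing slash making the directory intent explicit for copy. While here, `become: yes` is better written `become: true`, and since only the zuul user needs to read the staged plaintext before it is encrypted, `mode: '0600'` is the tighter choice. The task that owns this `when`/`block` starts before the hunk.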
@ -52,13 +62,16 @@
mode: pull
verify_host: true
loop:
- [ '{{ zuul.executor.log_root }}/{{ playbook_name }}.log.gpg }}', '/var/log/ansible/{{ playbook_name }}.log.gpg' ]
- [ '{{ zuul.executor.log_root }}/download-gpg-logs.sh }}', '{{ _download_tmpdir.path }}/download-logs.sh }}' ]
- [ '{{ zuul.executor.log_root }}/{{ playbook_name }}.log.gpg }}', '{{ _encrypt_tempdir.path }}/{{ playbook_name }}.log.gpg' ]
- [ '{{ zuul.executor.log_root }}/download-gpg-logs.sh }}', '{{ _encrypt_tempdir.path }}/download-logs.sh }}' ]
always:
- name: Remove tmpdir
- name: Remove temporary staging
file:
path: '{{ _download_tmpdir.path }}'
path: '{{ _encrypt_tempdir.path }}'
state: absent
when: _encrypt_tempdir is defined
# Not using normal zuul job roles as bridge.openstack.org is not a
# test node with all the normal bits in place.
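Review bot: Both new loop entries still carry a stray ` }}` outside any Jinja expression — the executor-side destinations `...log.gpg }}` and `...download-gpg-logs.sh }}` and the staged source `'{{ _encrypt_tempdir.path }}/download-logs.sh }}'` — which Jinja renders as literal text, so the pull looks for a file named `download-logs.sh }}` in the staging directory and writes the artifacts under names ending in ` }}`. The entries should be `'{{ _encrypt_tempdir.path }}/download-logs.sh'`, `'{{ zuul.executor.log_root }}/{{ playbook_name }}.log.gpg'` and `'{{ zuul.executor.log_root }}/download-gpg-logs.sh'`. The `when: _encrypt_tempdir is defined` guard on the always-cleanup is right; if anything the encrypt-logs role writes into the staging directory ends up root-owned, the `file: state: absent` task presumably needs `become` as well — confirm. The synchronize task's `src`/`dest` keys start before this hunk.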
