Accessing cluster using non-root user

Signed-off-by: Aishwarya Kamat <[email protected]>

docs/var.tfvars-doc.md

@@ -136,10 +136,11 @@ system_type         = "s922"    #Can be either s922 or e980
 
 These set of variables specify the username and the SSH key to be used for accessing the bastion node.
 ```
-rhel_username               = "root"
+rhel_username               = "root"  #Set it to an appropriate username for non-root user access
 public_key_file             = "data/id_rsa.pub"
 private_key_file            = "data/id_rsa"
 ```
+rhel_username is set to root. rhel_username can be set to an appropriate username having superuser privileges with no password prompt.
 Please note that only OpenSSH formatted keys are supported. Refer to the following links for instructions on creating SSH key based on your platform.
 - Windows 10 - https://phoenixnap.com/kb/generate-ssh-key-windows-10
 - Mac OSX - https://www.techrepublic.com/article/how-to-generate-ssh-keys-on-macos-mojave/

modules/1_prepare/prepare.tf

@@ -352,11 +352,11 @@ resource "null_resource" "setup_nfs_disk" {
   }
   provisioner "remote-exec" {
     inline = [
-      "rm -rf mkdir ${local.storage_path}; mkdir -p ${local.storage_path}; chmod -R 755 ${local.storage_path}",
+      "sudo rm -rf mkdir ${local.storage_path}; sudo mkdir -p ${local.storage_path}; sudo chmod -R 755 ${local.storage_path}",
       "sudo chmod +x /tmp/create_disk_link.sh",
       # Fix for copying file from Windows OS having CR
-      "sed -i 's/\r//g' /tmp/create_disk_link.sh",
-      "/tmp/create_disk_link.sh",
+      "sudo sed -i 's/\r//g' /tmp/create_disk_link.sh",
+      "sudo /tmp/create_disk_link.sh",
       "sudo mkfs.ext4 -F /dev/${local.disk_config.disk_name}",
       "echo '/dev/${local.disk_config.disk_name} ${local.storage_path} ext4 defaults 0 0' | sudo tee -a /etc/fstab > /dev/null",
       "sudo mount ${local.storage_path}",

modules/5_install/install.tf

@@ -78,10 +78,12 @@ locals {
   }
 
   helpernode_inventory = {
-    bastion_ip = var.bastion_ip
+    rhel_username = var.rhel_username
+    bastion_ip    = var.bastion_ip
   }
 
   install_inventory = {
+    rhel_username  = var.rhel_username
     bastion_hosts  = [for ix in range(length(var.bastion_ip)) : "${var.name_prefix}bastion-${ix}"]
     bootstrap_host = var.bootstrap_ip == "" ? "" : "${var.node_prefix}bootstrap"
     master_hosts   = [for ix in range(length(var.master_ips)) : "${var.node_prefix}master-${ix}"]
@@ -175,7 +177,7 @@ resource "null_resource" "config" {
     inline = [
       "sed -i \"/^helper:.*/a \\ \\ networkifacename: $(ip r | grep \"${var.cidr} dev\" | awk '{print $3}')\" ocp4-helpernode/helpernode_vars.yaml",
       "echo 'Running ocp4-helpernode playbook...'",
-      "cd ocp4-helpernode && ansible-playbook -e @helpernode_vars.yaml tasks/main.yml ${var.ansible_extra_options}"
+      "cd ocp4-helpernode && ansible-playbook -e @helpernode_vars.yaml tasks/main.yml ${var.ansible_extra_options} --become"
     ]
   }
 }
@@ -204,10 +206,10 @@ resource "null_resource" "configure_public_vip" {
   provisioner "remote-exec" {
     inline = [
       # Set state=MASTER,priority=100 for first bastion and state=BACKUP,priority=90 for others.
-      "sed -i \"s/state <STATE>/state ${count.index == 0 ? "MASTER" : "BACKUP"}/\" /tmp/keepalived_vrrp_instance",
-      "sed -i \"s/priority <PRIORITY>/priority ${count.index == 0 ? "100" : "90"}/\" /tmp/keepalived_vrrp_instance",
-      "sed -i \"s/interface <INTERFACE>/interface $(ip r | grep ${var.public_cidr} | awk '{print $3}')/\" /tmp/keepalived_vrrp_instance",
-      "cat /tmp/keepalived_vrrp_instance >> /etc/keepalived/keepalived.conf",
+      "sudo sed -i \"s/state <STATE>/state ${count.index == 0 ? "MASTER" : "BACKUP"}/\" /tmp/keepalived_vrrp_instance",
+      "sudo sed -i \"s/priority <PRIORITY>/priority ${count.index == 0 ? "100" : "90"}/\" /tmp/keepalived_vrrp_instance",
+      "sudo sed -i \"s/interface <INTERFACE>/interface $(ip r | grep ${var.public_cidr} | awk '{print $3}')/\" /tmp/keepalived_vrrp_instance",
+      "sudo cat /tmp/keepalived_vrrp_instance >> /etc/keepalived/keepalived.conf",
       "sudo systemctl restart keepalived"
     ]
   }
@@ -234,14 +236,14 @@ echo "Configuring SNAT (experimental)..."
 
 PRIVATE_INTERFACE=$(ip r | grep "${var.cidr} dev" | awk '{print $3}')
 
-firewall-cmd --zone=public --add-masquerade --permanent
+sudo firewall-cmd --zone=public --add-masquerade --permanent
 # Masquerade will enable ip forwarding automatically
-firewall-cmd --reload
+sudo firewall-cmd --reload
 
 #Checksum needs to be turned off to avoid a bug with ibmveth
-PRIVATE_CONNECTION_NAME=$(nmcli -t -f NAME connection show | grep $PRIVATE_INTERFACE)
-nmcli connection modify "$PRIVATE_CONNECTION_NAME" ethtool.feature-rx off
-nmcli connection up "$PRIVATE_CONNECTION_NAME"
+PRIVATE_CONNECTION_NAME=$(sudo nmcli -t -f NAME connection show | grep $PRIVATE_INTERFACE)
+sudo nmcli connection modify "$PRIVATE_CONNECTION_NAME" ethtool.feature-rx off
+sudo nmcli connection up "$PRIVATE_CONNECTION_NAME"
 
 EOF
     ]
@@ -301,7 +303,7 @@ resource "null_resource" "pre_install" {
   # DHCP config for setting MTU; Since helpernode DHCP template does not support MTU setting
   provisioner "remote-exec" {
     inline = [
-      "sed -i.mtubak '/option routers/i option interface-mtu ${var.private_network_mtu};' /etc/dhcp/dhcpd.conf",
+      "sudo sed -i.mtubak '/option routers/i option interface-mtu ${var.private_network_mtu};' /etc/dhcp/dhcpd.conf",
       "sudo systemctl restart dhcpd.service"
     ]
   }

modules/5_install/templates/helpernode_inventory

@@ -1,4 +1,4 @@
 [vmhost]
 %{ for ip in bastion_ip ~}
-${ip} ansible_connection=ssh ansible_user=root
+${ip} ansible_connection=ssh ansible_user=${rhel_username}
 %{ endfor ~}

modules/5_install/templates/install_inventory

@@ -1,6 +1,6 @@
 [bastion]
 %{ for bastion in bastion_hosts ~}
-${bastion} ansible_connection=ssh ansible_user=root
+${bastion} ansible_connection=ssh ansible_user=${rhel_username}
 %{ endfor ~}
 
 %{ if bootstrap_host != "" ~}

var.tfvars

@@ -26,8 +26,8 @@ processor_type   = "shared"
 system_type      = "s922"
 network_name     = "ocp-net"
 
-rhel_username                   = "root"
-connection_timeout              = 30 # minutes
+rhel_username                   = "root" #Set it to an appropriate username for non-root user access
+connection_timeout              = 30     # minutes
 public_key_file                 = "data/id_rsa.pub"
 private_key_file                = "data/id_rsa"
 rhel_subscription_username      = "<subscription-id>"       #Leave this as-is if using CentOS as bastion image