From de1d9df7875d1f451fb7974840ddc0a645551b6e Mon Sep 17 00:00:00 2001 From: Etienne Champetier Date: Wed, 10 Feb 2021 08:36:59 -0500 Subject: [PATCH] Only use stat get_checksum: yes when needed (#7270) By default, the Ansible stat module computes a checksum, lists extended attributes and finds the MIME type. To find all stat invocations that really use one of those: git grep -F stat. | grep -vE 'stat.(islnk|exists|lnk_source|writeable)' 
Signed-off-by: Etienne Champetier --- roles/bootstrap-os/tasks/bootstrap-centos.yml | 3 +++ roles/bootstrap-os/tasks/bootstrap-opensuse.yml | 3 +++ roles/bootstrap-os/tasks/bootstrap-redhat.yml | 3 +++ roles/container-engine/containerd/tasks/main.yml | 3 +++ roles/container-engine/cri-o/tasks/main.yaml | 6 ++++++ roles/container-engine/crun/tasks/main.yml | 3 +++ roles/container-engine/docker/tasks/main.yml | 3 +++ roles/download/tasks/download_container.yml | 3 +++ roles/etcd/handlers/backup.yml | 3 +++ roles/etcd/tasks/check_certs.yml | 3 +++ roles/etcdctl/tasks/main.yml | 6 ++++++ roles/kubernetes-apps/helm/tasks/main.yml | 3 +++ .../control-plane/tasks/encrypt-at-rest.yml | 3 +++ .../control-plane/tasks/kubeadm-setup.yml | 12 ++++++++++++ roles/kubernetes/kubeadm/tasks/main.yml | 6 ++++++ .../node/tasks/loadbalancer/haproxy.yml | 3 +++ .../node/tasks/loadbalancer/nginx-proxy.yml | 3 +++ roles/kubernetes/preinstall/handlers/main.yml | 12 ++++++++++-- .../preinstall/tasks/0040-set_facts.yml | 15 +++++++++++++++ .../preinstall/tasks/0050-create_directories.yml | 3 +++ .../tasks/0080-system-configurations.yml | 6 ++++++ roles/kubernetes/preinstall/tasks/main.yml | 3 +++ roles/kubernetes/tokens/tasks/check-tokens.yml | 6 ++++++ roles/network_plugin/calico/tasks/reset.yml | 3 +++ roles/network_plugin/cilium/tasks/reset_iface.yml | 3 +++ roles/network_plugin/flannel/tasks/reset.yml | 6 ++++++ roles/network_plugin/kube-router/tasks/reset.yml | 6 ++++++ roles/reset/tasks/main.yml | 9 +++++++++ .../roles/packet-ci/tasks/delete-vms.yml | 3 +++ 29 files changed, 142 insertions(+), 2 deletions(-) diff --git a/roles/bootstrap-os/tasks/bootstrap-centos.yml b/roles/bootstrap-os/tasks/bootstrap-centos.yml index 2295d8a1e..680dcb60d 100644 --- a/roles/bootstrap-os/tasks/bootstrap-centos.yml +++ b/roles/bootstrap-os/tasks/bootstrap-centos.yml 
@@ -69,6 +69,9 @@ - name: Check presence of fastestmirror.conf stat: path: /etc/yum/pluginconf.d/fastestmirror.conf + get_attributes: no + get_checksum: no + get_mime: no register: fastestmirror # the fastestmirror plugin can actually slow down Ansible deployments diff --git a/roles/bootstrap-os/tasks/bootstrap-opensuse.yml b/roles/bootstrap-os/tasks/bootstrap-opensuse.yml index 54ce51242..5b2b6ab94 100644 --- a/roles/bootstrap-os/tasks/bootstrap-opensuse.yml +++ b/roles/bootstrap-os/tasks/bootstrap-opensuse.yml @@ -4,6 +4,9 @@ - name: Check that /etc/sysconfig/proxy file exists stat: path: /etc/sysconfig/proxy + get_attributes: no + get_checksum: no + get_mime: no register: stat_result - name: Create the /etc/sysconfig/proxy empty file diff --git a/roles/bootstrap-os/tasks/bootstrap-redhat.yml b/roles/bootstrap-os/tasks/bootstrap-redhat.yml index 5f70010e5..5a2bbf553 100644 --- a/roles/bootstrap-os/tasks/bootstrap-redhat.yml +++ b/roles/bootstrap-os/tasks/bootstrap-redhat.yml @@ -85,6 +85,9 @@ - name: Check presence of fastestmirror.conf stat: path: /etc/yum/pluginconf.d/fastestmirror.conf + get_attributes: no + get_checksum: no + get_mime: no register: fastestmirror # the fastestmirror plugin can actually slow down Ansible deployments diff --git a/roles/container-engine/containerd/tasks/main.yml b/roles/container-engine/containerd/tasks/main.yml index d8ac96321..cd97f88d9 100644 --- a/roles/container-engine/containerd/tasks/main.yml +++ b/roles/container-engine/containerd/tasks/main.yml @@ -2,6 +2,9 @@ - name: check if fedora coreos stat: path: /run/ostree-booted + get_attributes: no + get_checksum: no + get_mime: no register: ostree - name: set is_ostree diff --git a/roles/container-engine/cri-o/tasks/main.yaml b/roles/container-engine/cri-o/tasks/main.yaml index 4139af9f4..a36c2483c 100644 --- a/roles/container-engine/cri-o/tasks/main.yaml +++ b/roles/container-engine/cri-o/tasks/main.yaml 
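Review bot: The three `get_attributes`/`get_checksum`/`get_mime` lines added to this stat task in bootstrap-centos.yml are repeated verbatim on every other stat task in the patch, so a stat task added later without them silently falls back to the module defaults that the commit message describes. A play- or block-level `module_defaults` entry for `stat` carrying the three `no` values would state the policy once and leave only the `get_checksum: yes` overrides on the individual tasks that need them. Whether the playbooks that include these roles can carry such an entry is not visible from this patch, so this may be better suited to a follow-up change.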
@@ -2,6 +2,9 @@ - name: check if fedora coreos stat: path: /run/ostree-booted + get_attributes: no + get_checksum: no + get_mime: no register: ostree - name: set is_ostree @@ -94,6 +97,9 @@ - name: Check if already installed stat: path: "/bin/crio" + get_attributes: no + get_checksum: no + get_mime: no register: need_bootstrap_crio when: is_ostree diff --git a/roles/container-engine/crun/tasks/main.yml b/roles/container-engine/crun/tasks/main.yml index d580f32cf..aff1bfec1 100644 --- a/roles/container-engine/crun/tasks/main.yml +++ b/roles/container-engine/crun/tasks/main.yml @@ -9,6 +9,9 @@ - name: Check if binary exists stat: path: "{{ crun_bin_dir }}/crun" + get_attributes: no + get_checksum: no + get_mime: no register: crun_stat # TODO: use download_file.yml diff --git a/roles/container-engine/docker/tasks/main.yml b/roles/container-engine/docker/tasks/main.yml index b0ece93f0..13903e488 100644 --- a/roles/container-engine/docker/tasks/main.yml +++ b/roles/container-engine/docker/tasks/main.yml @@ -2,6 +2,9 @@ - name: check if fedora coreos stat: path: /run/ostree-booted + get_attributes: no + get_checksum: no + get_mime: no register: ostree - name: set is_ostree diff --git a/roles/download/tasks/download_container.yml b/roles/download/tasks/download_container.yml index 7f015999f..d2bea776d 100644 --- a/roles/download/tasks/download_container.yml +++ b/roles/download/tasks/download_container.yml @@ -24,6 +24,9 @@ - name: download_container | Determine if image is in cache stat: path: "{{ image_path_cached }}" + get_attributes: no + get_checksum: no + get_mime: no delegate_to: localhost connection: local delegate_facts: no diff --git a/roles/etcd/handlers/backup.yml b/roles/etcd/handlers/backup.yml index 6d2cc8bcb..ba6669b3f 100644 --- a/roles/etcd/handlers/backup.yml +++ b/roles/etcd/handlers/backup.yml 
@@ -29,6 +29,9 @@ - name: Stat etcd v2 data directory stat: path: "{{ etcd_data_dir }}/member" + get_attributes: no + get_checksum: no + get_mime: no register: etcd_data_dir_member - name: Backup etcd v2 data diff --git a/roles/etcd/tasks/check_certs.yml b/roles/etcd/tasks/check_certs.yml index 21e79015a..611026b48 100644 --- a/roles/etcd/tasks/check_certs.yml +++ b/roles/etcd/tasks/check_certs.yml @@ -17,6 +17,9 @@ - name: "Check certs | Register ca and etcd admin/member certs on etcd hosts" stat: path: "{{ etcd_cert_dir }}/{{ item }}" + get_attributes: no + get_checksum: yes + get_mime: no register: etcd_member_certs when: inventory_hostname in groups['etcd'] with_items: diff --git a/roles/etcdctl/tasks/main.yml b/roles/etcdctl/tasks/main.yml index 47aa04004..1039242bd 100644 --- a/roles/etcdctl/tasks/main.yml +++ b/roles/etcdctl/tasks/main.yml @@ -9,6 +9,9 @@ - name: Check if etcdctl exist stat: path: "{{ bin_dir }}/etcdctl" + get_attributes: no + get_checksum: no + get_mime: no register: stat_etcdctl - block: @@ -28,6 +31,9 @@ - name: Check if etcdctl still exist after version check stat: path: "{{ bin_dir }}/etcdctl" + get_attributes: no + get_checksum: no + get_mime: no register: stat_etcdctl - block: diff --git a/roles/kubernetes-apps/helm/tasks/main.yml b/roles/kubernetes-apps/helm/tasks/main.yml index f4d2e1904..ea3a5d150 100644 --- a/roles/kubernetes-apps/helm/tasks/main.yml +++ b/roles/kubernetes-apps/helm/tasks/main.yml @@ -17,6 +17,9 @@ - name: Check if bash_completion.d folder exists # noqa 503 stat: path: "/etc/bash_completion.d/" + get_attributes: no + get_checksum: no + get_mime: no register: stat_result - name: Get helm completion diff --git a/roles/kubernetes/control-plane/tasks/encrypt-at-rest.yml b/roles/kubernetes/control-plane/tasks/encrypt-at-rest.yml index 09584dce8..234fa9bff 100644 --- a/roles/kubernetes/control-plane/tasks/encrypt-at-rest.yml +++ b/roles/kubernetes/control-plane/tasks/encrypt-at-rest.yml 
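Review bot: In roles/etcd/tasks/check_certs.yml the task keeps `get_checksum: yes`, but nothing on it says which later task reads `stat.checksum`, so a follow-up cleanup could flip it to `no` like its neighbours. With the checksum disabled the key is absent from the registered result, and a consumer that guards it with `default()` would compare empty values rather than fail, which matters if the checksum decides whether certificates are re-synced. A comment above the `stat:` key such as `# checksum is read by a later comparison; keep get_checksum enabled` would pin the intent; the consumer is outside this hunk, so the wording needs confirming against it. The same applies to the `sa.key` tasks in kubeadm-setup.yml and the `known_tokens.csv` tasks in check-tokens.yml.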
@@ -2,6 +2,9 @@ - name: Check if secret for encrypting data at rest already exist stat: path: "{{ kube_cert_dir }}/secrets_encryption.yaml" + get_attributes: no + get_checksum: no + get_mime: no register: secrets_encryption_file - name: Slurp secrets_encryption file if it exists diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml index 1cef72396..6fa9cfd7f 100644 --- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml +++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml @@ -2,6 +2,9 @@ - name: kubeadm | Check if old apiserver cert exists on host stat: path: "{{ kube_cert_dir }}/apiserver.pem" + get_attributes: no + get_checksum: no + get_mime: no register: old_apiserver_cert delegate_to: "{{ groups['kube-master'] | first }}" run_once: true @@ -24,12 +27,18 @@ - name: kubeadm | Check serviceaccount key stat: path: "{{ kube_cert_dir }}/sa.key" + get_attributes: no + get_checksum: yes + get_mime: no register: sa_key_before run_once: true - name: kubeadm | Check if kubeadm has already run stat: path: "/var/lib/kubelet/config.yaml" + get_attributes: no + get_checksum: no + get_mime: no register: kubeadm_already_run - name: kubeadm | Delete old admin.conf @@ -211,6 +220,9 @@ - name: kubeadm | Check serviceaccount key again stat: path: "{{ kube_cert_dir }}/sa.key" + get_attributes: no + get_checksum: yes + get_mime: no register: sa_key_after run_once: true diff --git a/roles/kubernetes/kubeadm/tasks/main.yml b/roles/kubernetes/kubeadm/tasks/main.yml index 75bffc781..b939b38c4 100644 --- a/roles/kubernetes/kubeadm/tasks/main.yml +++ b/roles/kubernetes/kubeadm/tasks/main.yml 
@@ -13,11 +13,17 @@ - name: Check if kubelet.conf exists stat: path: "{{ kube_config_dir }}/kubelet.conf" + get_attributes: no + get_checksum: no + get_mime: no register: kubelet_conf - name: Check if kubeadm CA cert is accessible stat: path: "{{ kube_cert_dir }}/ca.crt" + get_attributes: no + get_checksum: no + get_mime: no register: kubeadm_ca_stat delegate_to: "{{ groups['kube-master'][0] }}" run_once: true diff --git a/roles/kubernetes/node/tasks/loadbalancer/haproxy.yml b/roles/kubernetes/node/tasks/loadbalancer/haproxy.yml index fcbf6b5f2..972878bf7 100644 --- a/roles/kubernetes/node/tasks/loadbalancer/haproxy.yml +++ b/roles/kubernetes/node/tasks/loadbalancer/haproxy.yml @@ -22,6 +22,9 @@ - name: haproxy | Get checksum from config stat: path: "{{ haproxy_config_dir }}/haproxy.cfg" + get_attributes: no + get_checksum: yes + get_mime: no register: haproxy_stat - name: haproxy | Write static pod diff --git a/roles/kubernetes/node/tasks/loadbalancer/nginx-proxy.yml b/roles/kubernetes/node/tasks/loadbalancer/nginx-proxy.yml index 91908791b..f90084cbc 100644 --- a/roles/kubernetes/node/tasks/loadbalancer/nginx-proxy.yml +++ b/roles/kubernetes/node/tasks/loadbalancer/nginx-proxy.yml @@ -22,6 +22,9 @@ - name: nginx-proxy | Get checksum from config stat: path: "{{ nginx_config_dir }}/nginx.conf" + get_attributes: no + get_checksum: yes + get_mime: no register: nginx_stat - name: nginx-proxy | Write static pod diff --git a/roles/kubernetes/preinstall/handlers/main.yml b/roles/kubernetes/preinstall/handlers/main.yml index 6818de27a..bdaaff3e3 100644 --- a/roles/kubernetes/preinstall/handlers/main.yml +++ b/roles/kubernetes/preinstall/handlers/main.yml 
@@ -50,13 +50,21 @@ # FIXME(mattymo): Also restart for kubeadm mode - name: Preinstall | kube-apiserver configured - stat: path="{{ kube_manifest_dir }}/kube-apiserver.manifest" + stat: + path: "{{ kube_manifest_dir }}/kube-apiserver.manifest" + get_attributes: no + get_checksum: no + get_mime: no register: kube_apiserver_set when: inventory_hostname in groups['kube-master'] and dns_mode != 'none' and resolvconf_mode == 'host_resolvconf' # FIXME(mattymo): Also restart for kubeadm mode - name: Preinstall | kube-controller configured - stat: path="{{ kube_manifest_dir }}/kube-controller-manager.manifest" + stat: + path: "{{ kube_manifest_dir }}/kube-controller-manager.manifest" + get_attributes: no + get_checksum: no + get_mime: no register: kube_controller_set when: inventory_hostname in groups['kube-master'] and dns_mode != 'none' and resolvconf_mode == 'host_resolvconf' diff --git a/roles/kubernetes/preinstall/tasks/0040-set_facts.yml b/roles/kubernetes/preinstall/tasks/0040-set_facts.yml index fdf1f9210..c0fb05605 100644 --- a/roles/kubernetes/preinstall/tasks/0040-set_facts.yml +++ b/roles/kubernetes/preinstall/tasks/0040-set_facts.yml @@ -9,6 +9,9 @@ - name: check if booted with ostree stat: path: /run/ostree-booted + get_attributes: no + get_checksum: no + get_mime: no register: ostree - name: set is_fedora_coreos @@ -59,6 +62,9 @@ - name: check if kubelet is configured stat: path: "{{ kube_config_dir }}/kubelet.env" + get_attributes: no + get_checksum: no + get_mime: no register: kubelet_configured changed_when: false @@ -84,6 +90,9 @@ - name: check if /etc/dhclient.conf exists stat: path: /etc/dhclient.conf + get_attributes: no + get_checksum: no + get_mime: no register: dhclient_stat - name: target dhclient conf file for /etc/dhclient.conf 
@@ -94,6 +103,9 @@ - name: check if /etc/dhcp/dhclient.conf exists stat: path: /etc/dhcp/dhclient.conf + get_attributes: no + get_checksum: no + get_mime: no register: dhcp_dhclient_stat - name: target dhclient conf file for /etc/dhcp/dhclient.conf @@ -170,6 +182,9 @@ - name: check /usr readonly stat: path: "/usr" + get_attributes: no + get_checksum: no + get_mime: no register: usr - name: set alternate flexvolume path diff --git a/roles/kubernetes/preinstall/tasks/0050-create_directories.yml b/roles/kubernetes/preinstall/tasks/0050-create_directories.yml index 8be2b6c3a..402040674 100644 --- a/roles/kubernetes/preinstall/tasks/0050-create_directories.yml +++ b/roles/kubernetes/preinstall/tasks/0050-create_directories.yml @@ -46,6 +46,9 @@ - name: Check if kubernetes kubeadm compat cert dir exists stat: path: "{{ kube_cert_compat_dir }}" + get_attributes: no + get_checksum: no + get_mime: no register: kube_cert_compat_dir_check when: - inventory_hostname in groups['k8s-cluster'] diff --git a/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml b/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml index 396ef3fa7..53c4db176 100644 --- a/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml +++ b/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml @@ -3,6 +3,9 @@ - name: Confirm selinux deployed stat: path: /etc/selinux/config + get_attributes: no + get_checksum: no + get_mime: no when: - ansible_os_family == "RedHat" - "'Amazon' not in ansible_distribution" @@ -36,6 +39,9 @@ - name: Stat sysctl file configuration stat: path: "{{ sysctl_file_path }}" + get_attributes: no + get_checksum: no + get_mime: no register: sysctl_file_stat tags: - bootstrap-os diff --git a/roles/kubernetes/preinstall/tasks/main.yml b/roles/kubernetes/preinstall/tasks/main.yml index 69a21ed13..b5c571342 100644 --- a/roles/kubernetes/preinstall/tasks/main.yml +++ b/roles/kubernetes/preinstall/tasks/main.yml 
@@ -92,6 +92,9 @@ - name: Check if we are running inside a Azure VM stat: path: /var/lib/waagent/ + get_attributes: no + get_checksum: no + get_mime: no register: azure_check when: - not dns_late diff --git a/roles/kubernetes/tokens/tasks/check-tokens.yml b/roles/kubernetes/tokens/tasks/check-tokens.yml index 160f46bb8..c8fe3812f 100644 --- a/roles/kubernetes/tokens/tasks/check-tokens.yml +++ b/roles/kubernetes/tokens/tasks/check-tokens.yml @@ -2,6 +2,9 @@ - name: "Check_tokens | check if the tokens have already been generated on first master" stat: path: "{{ kube_token_dir }}/known_tokens.csv" + get_attributes: no + get_checksum: yes + get_mime: no delegate_to: "{{ groups['kube-master'][0] }}" register: known_tokens_master run_once: true @@ -20,6 +23,9 @@ - name: "Check tokens | check if a cert already exists" stat: path: "{{ kube_token_dir }}/known_tokens.csv" + get_attributes: no + get_checksum: yes + get_mime: no register: known_tokens - name: "Check_tokens | Set 'sync_tokens' to true" diff --git a/roles/network_plugin/calico/tasks/reset.yml b/roles/network_plugin/calico/tasks/reset.yml index 0d7a4bf72..5c32d0e25 100644 --- a/roles/network_plugin/calico/tasks/reset.yml +++ b/roles/network_plugin/calico/tasks/reset.yml @@ -2,6 +2,9 @@ - name: reset | check dummy0 network device stat: path: /sys/class/net/dummy0 + get_attributes: no + get_checksum: no + get_mime: no register: dummy0 - name: reset | remove the network device created by calico diff --git a/roles/network_plugin/cilium/tasks/reset_iface.yml b/roles/network_plugin/cilium/tasks/reset_iface.yml index d4a5aad90..d84a065af 100644 --- a/roles/network_plugin/cilium/tasks/reset_iface.yml +++ b/roles/network_plugin/cilium/tasks/reset_iface.yml @@ -2,6 +2,9 @@ - name: "reset | check if network device {{ iface }} is present" stat: path: "/sys/class/net/{{ iface }}" + get_attributes: no + get_checksum: no + get_mime: no register: device_remains - name: "reset | remove network device {{ iface }}" 
diff --git a/roles/network_plugin/flannel/tasks/reset.yml b/roles/network_plugin/flannel/tasks/reset.yml index b2777b4ef..2fd86e2bd 100644 --- a/roles/network_plugin/flannel/tasks/reset.yml +++ b/roles/network_plugin/flannel/tasks/reset.yml @@ -2,6 +2,9 @@ - name: reset | check cni network device stat: path: /sys/class/net/cni0 + get_attributes: no + get_checksum: no + get_mime: no register: cni - name: reset | remove the network device created by the flannel @@ -11,6 +14,9 @@ - name: reset | check flannel network device stat: path: /sys/class/net/flannel.1 + get_attributes: no + get_checksum: no + get_mime: no register: flannel - name: reset | remove the network device created by the flannel diff --git a/roles/network_plugin/kube-router/tasks/reset.yml b/roles/network_plugin/kube-router/tasks/reset.yml index 23f79da4f..7b8ad2ceb 100644 --- a/roles/network_plugin/kube-router/tasks/reset.yml +++ b/roles/network_plugin/kube-router/tasks/reset.yml @@ -2,6 +2,9 @@ - name: reset | check kube-dummy-if network device stat: path: /sys/class/net/kube-dummy-if + get_attributes: no + get_checksum: no + get_mime: no register: kube_dummy_if - name: reset | remove the network device created by kube-router @@ -11,6 +14,9 @@ - name: check kube-bridge exists stat: path: /sys/class/net/kube-bridge + get_attributes: no + get_checksum: no + get_mime: no register: kube_bridge_if - name: reset | donw the network bridge create by kube-router diff --git a/roles/reset/tasks/main.yml b/roles/reset/tasks/main.yml index e317cb4b3..c17b096ac 100644 --- a/roles/reset/tasks/main.yml +++ b/roles/reset/tasks/main.yml @@ -68,6 +68,9 @@ - name: reset | check if crictl is present stat: path: "{{ bin_dir }}/crictl" + get_attributes: no + get_checksum: no + get_mime: no register: crictl - name: reset | stop all cri containers 
@@ -204,6 +207,9 @@ - name: reset | check kube-ipvs0 network device stat: path: /sys/class/net/kube-ipvs0 + get_attributes: no + get_checksum: no + get_mime: no register: kube_ipvs0 - name: reset | Remove kube-ipvs0 @@ -215,6 +221,9 @@ - name: reset | check nodelocaldns network device stat: path: /sys/class/net/nodelocaldns + get_attributes: no + get_checksum: no + get_mime: no register: nodelocaldns_device - name: reset | Remove nodelocaldns diff --git a/tests/cloud_playbooks/roles/packet-ci/tasks/delete-vms.yml b/tests/cloud_playbooks/roles/packet-ci/tasks/delete-vms.yml index 5cde2e7b0..f327cd32f 100644 --- a/tests/cloud_playbooks/roles/packet-ci/tasks/delete-vms.yml +++ b/tests/cloud_playbooks/roles/packet-ci/tasks/delete-vms.yml @@ -3,6 +3,9 @@ - name: Check if temp directory for {{ test_name }} exists stat: path: "/tmp/{{ test_name }}" + get_attributes: no + get_checksum: no + get_mime: no register: temp_dir_details - name: "Cleanup temp directory for {{ test_name }}"