Set file modes explicitly

Ansible changed, then unchanged their behavior around file modes, but
being explicit is likely a good idea to handle any new future changes
from ansible.

We set modes generously (to 755 for dirs and 644 for files) to avoid
unexpected access problems. Note that depending on the perms in AFS this
may cause a perms update on existing dirs but that should be fine as
long as we aren't making them more restrictive.

Finally we skip two cases where modes are required by the linting rule
because they are tarball extraction steps and applying a single mode to
all dirs and files in a tarball doesn't make a ton of sense.

Includes bumping linter configuration.

Change-Id: Iacf41549928ba7f05f0f71a79ddef1b6e1154e2a
Co-authored-by: Sorin Sbarnea <ssbarnea@redhat.com>
Clark Boylan 2020-08-27 09:03:57 -07:00 committed by Sorin Sbarnea
parent d568ace848
commit 080ecb4579
10 changed files with 27 additions and 12 deletions
.ansible-lint
playbooks
roles
configure-unbound/tasks
write-root-marker/tasks
test-requirements.txttox.ini

@ -1,9 +1,10 @@
---
parseable: true
exclude_paths:
- ../../zuul/zuul-jobs
- zuul.d
skip_list:
# [ANSIBLE0012] Commands should not change things if nothing needs doing
- ANSIBLE0012
- '106' # Role name does not match ``^[a-z][a-z0-9_]+$`` pattern
- '204' # Lines should be no longer than 160 chars
- '208' # File permissions not mentioned
- '301' # Commands should not change things if nothing needs doing
- '701' # No 'galaxy_info' found

@ -9,6 +9,7 @@
- name: Create artifact staging directory
file:
state: directory
mode: 0755
path: "{{ zuul.executor.work_root }}/artifacts"
- name: Download artifacts
include_role:
@ -34,12 +35,15 @@
file:
path: "{{ src_dir }}"
state: directory
mode: 0755
- name: Ensure target directory exists
file:
path: "{{ target_dir }}"
state: directory
mode: 0755
- name: Unpack into publish dir
unarchive:
# TODO(clarkb) what is the proper way to set mode here?
unarchive: # noqa 208
src: "{{ item.path }}"
dest: "{{ src_dir }}"
loop: "{{ files.files }}"
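Review bot: The `# noqa 208` on the `Unpack into publish dir` unarchive task means the extracted tree keeps whatever modes the tarball carries, so an archive entry that is world-writable or setuid could be published unchanged. The TODO can probably be resolved with a symbolic mode, which treats directories and files differently: `mode: 'u=rwX,go=rX'` on the task (capital `X` grants execute only to directories and to files that are already executable), after which the `noqa` can be dropped. The `Extract docs archive` task in the docs playbook carries the same suppression and would take the same change. The task list continues outside this hunk, so confirm nothing later depends on the archive's original modes.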

@ -11,6 +11,7 @@
- name: Create artifact staging directory
file:
state: directory
mode: 0755
path: "{{ zuul.executor.work_root }}/artifacts"
- name: Download artifacts
include_role:
@ -35,6 +36,7 @@
file:
path: "{{ target_dir }}"
state: directory
mode: 0755
- name: Upload to AFS
command: "cp {{ item.path }} {{ target_dir }}/{{ item.path | basename | regex_replace(name_replacement, name_target) }}"
when: "item.path is match(name_replacement)"
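Review bot: The `mode: 0755` added to the directory tasks here is an unquoted scalar, so it only yields the intended permissions while the YAML loader reads a leading zero as octal; if the zero is dropped in a later edit, or the value passes through a loader that reads it as decimal, the task applies a different and possibly looser mode without any error. Quoting it as `mode: '0755'` (and `mode: '0644'` on the copy tasks) makes the value a string that Ansible parses itself. This applies to every `mode:` line added in this commit, across the playbooks and the configure-unbound and write-root-marker roles.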

@ -13,6 +13,7 @@
file:
path: "{{ ansible_user_dir }}/zuul-output/logs/docker"
state: directory
mode: 0755
- name: Save registry container logs
when: "'buildset_registry' in docker_ps.stdout"

@ -18,12 +18,14 @@
file:
path: "{{ zuul.executor.work_root }}/docs"
state: directory
mode: 0755
- name: Extract docs archive
# TODO(clarkb) what is the proper way to set mode on this task?
vars:
findme:
- "{{ zuul.executor.work_root }}/docs-html.tar.bz2"
- "{{ zuul.executor.work_root }}/docs-html.tar.gz"
unarchive:
unarchive: # noqa 208
src: "{{ lookup('first_found', findme) }}"
dest: "{{ zuul.executor.work_root }}/docs"
- name: Write root_marker file
@ -57,11 +59,13 @@
file:
path: "{{ target_dir }}"
state: directory
mode: 0755
- name: Create redirect htaccess file
when: "afs.docs_redirect_path is defined and zuul.branch == 'master'"
copy:
dest: "{{ afs.docs_redirect_path }}"
content: "{{ afs.docs_redirect_content }}"
mode: 0644
- name: Upload to AFS
include_role:
name: upload-afs-roots

@ -18,6 +18,7 @@
file:
path: "{{ target_dir }}"
state: directory
mode: 0755
- name: Upload to AFS
include_role:
name: upload-afs-roots

@ -52,6 +52,9 @@
file:
path: "{{ unbound_confd }}"
state: directory
owner: root
group: root
mode: 0755
# TODO: Move this to /etc/unbound/conf.d ?
- name: Configure unbound forwarding

@ -3,8 +3,10 @@
copy:
dest: "{{ root_marker_dir }}/.root-marker"
content: "Project: {{ zuul.project.name }} Branch: {{ zuul.branch }} Build: {{ zuul.build }} Revision: {{ zuul.ref }}"
mode: 0644
- name: Write root marker if zuul.tag
when: "zuul.tag is defined"
copy:
dest: "{{ root_marker_dir }}/.root-marker"
content: "Project: {{ zuul.project.name }} Tag: {{ zuul.tag }} Build: {{ zuul.build }} Revision: {{ zuul.ref }}"
mode: 0644

@ -11,9 +11,9 @@ zuul
# here to pull in ansible anyway; pip doesn't actually have a
# dependency solver and the uncapped ansible requirement from
# ansible-lint pull in the latest version.
ansible>=2.5.1,<2.6 # https://review.openstack.org/567007
ansible>=2.7.18,<2.8 # <-- keep it as old as possible
# We need to pin ansible-lint to before 4.0 which blows up all over the place
ansible-lint>=4.3.0a1,<5
ansible-lint>=4.3.3,<5
bashate>=0.2
zuul-sphinx>=0.1.1
stestr>=1.0.0 # Apache-2.0

@ -36,11 +36,8 @@ whitelist_externals = bash
commands =
flake8 {posargs}
{toxinidir}/tools/check_jobs_documented.py
# Ansible lint
bash -c "find playbooks -type f -regex '.*.ya?ml' -print0 | \
xargs -t -n1 -0 ansible-lint"
bash -c 'find roles -maxdepth 1 -mindepth 1 -type d -printf "%p/\n" | \
xargs -t -n1 ansible-lint'
# Ansible lint
ansible-lint -v
# Ansible Syntax Check
bash -c "find playbooks -type f -regex '.*.ya?ml' -exec \
ansible-playbook --syntax-check -i {toxinidir}/tests/inventory \