openstack/bifrost
Code Issues Proposed changes

Make virtual environment owned by root

Browse Source 
It's dangerous to allow a regular user to write into the source code of
the services. The repositories are still writable, so that the
development workflow can still use the ``--develop`` flag to make
modifications.

While here, remove the horribly outdated and broken ANSIBLE_INSTALL_ROOT.

Change-Id: Id2e25dd57668d24a11dc2cd16eea2b607b7a3f16
This commit is contained in:
Dmitry Tantsur 2022-01-25 14:45:47 +01:00
parent a4657cc600
commit 4cb0395d75
7 changed files with 29 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
doc/source/contributor/vagrant.rst
View File

@ -66,13 +66,4 @@ Installation Options
-------------------- --------------------
Ansible is installed within the VM directly from `source Ansible is installed within the VM directly from `source
<https://github.com/ansible/ansible.git>`_ or from the path set by <https://github.com/ansible/ansible.git>`_ or from the path set by
``ANSIBLE_GIT_URL``. You can modify the path of installation by setting ``ANSIBLE_GIT_URL`` into ``/opt/stack``.
``ANSIBLE_INSTALL_ROOT`` environment variable. The default value is
``/opt/stack``. When set in the host, this variable will also be set as an
environment variable inside the VM for use by test scripts.
Note:
Only the ansible installation path is configurable at this point using
the environment variable. All other dependencies will still continue to
cloned under ``/opt/stack``.

13
releasenotes/notes/venv-owner-30669e2f5cffef2f.yaml Normal file
View File

@ -0,0 +1,13 @@
---
upgrade:
- |
Modification to the Bifrost virtual environment (``/opt/stack/bifrost`` by
default) will now need ``sudo`` as the directory is now owned by root.
- |
The deprecated and non-functioning variable ``ANSIBLE_INSTALL_ROOT`` is
no longer supported.
fixes:
- |
The Bifrost virtual environment (``/opt/stack/bifrost`` by default) is no
longer owned (and thus writable) by the regular user that started the
installation.

22
scripts/env-setup.sh
View File

@ -13,7 +13,6 @@ ANSIBLE_COLLECTION_SOURCE_PATH=
if [[ -d "${WORKSPACE:-}/openstack/ansible-collections-openstack" ]]; then if [[ -d "${WORKSPACE:-}/openstack/ansible-collections-openstack" ]]; then
ANSIBLE_COLLECTION_SOURCE_PATH="${WORKSPACE}/openstack/ansible-collections-openstack" ANSIBLE_COLLECTION_SOURCE_PATH="${WORKSPACE}/openstack/ansible-collections-openstack"
fi fi
ANSIBLE_INSTALL_ROOT=${ANSIBLE_INSTALL_ROOT:-/opt/stack}
ANSIBLE_PIP_VERSION=${ANSIBLE_PIP_VERSION:-${DEFAULT_PIP_ANSIBLE}} ANSIBLE_PIP_VERSION=${ANSIBLE_PIP_VERSION:-${DEFAULT_PIP_ANSIBLE}}
ANSIBLE_SOURCE_PATH=${ANSIBLE_SOURCE_PATH:-ansible${ANSIBLE_PIP_VERSION}} ANSIBLE_SOURCE_PATH=${ANSIBLE_SOURCE_PATH:-ansible${ANSIBLE_PIP_VERSION}}
@ -29,35 +28,20 @@ if [ -f "$ANSIBLE" ]; then
fi fi
${PIP} install "${ANSIBLE_SOURCE_PATH}" ${PIP} install "${ANSIBLE_SOURCE_PATH}"
ANSIBLE_GALAXY=${VENV}/bin/ansible-galaxy ANSIBLE_GALAXY="${SUDO} ${VENV}/bin/ansible-galaxy"
if [[ -z $BIFROST_COLLECTIONS_PATHS ]]; then if [[ -z $BIFROST_COLLECTIONS_PATHS ]]; then
echo "Setting ANSIBLE_COLLECTIONS_PATHS to virtualenv" echo "Setting ANSIBLE_COLLECTIONS_PATHS to virtualenv"
export ANSIBLE_COLLECTIONS_PATHS=${VENV}/collections export ANSIBLE_COLLECTIONS_PATHS=${VENV}/collections
BIFROST_COLLECTIONS_PATHS=$ANSIBLE_COLLECTIONS_PATHS BIFROST_COLLECTIONS_PATHS=$ANSIBLE_COLLECTIONS_PATHS
fi fi
if [[ -n "$ANSIBLE_COLLECTION_SOURCE_PATH" ]]; then if [[ -n "$ANSIBLE_COLLECTION_SOURCE_PATH" ]]; then
mkdir -p "$BIFROST_COLLECTIONS_PATHS/ansible_collections/openstack" ${SUDO} mkdir -p "$BIFROST_COLLECTIONS_PATHS/ansible_collections/openstack"
ln -s "$ANSIBLE_COLLECTION_SOURCE_PATH" "$BIFROST_COLLECTIONS_PATHS/ansible_collections/openstack/cloud" ${SUDO} ln -s "$ANSIBLE_COLLECTION_SOURCE_PATH" "$BIFROST_COLLECTIONS_PATHS/ansible_collections/openstack/cloud"
fi fi
# NOTE(pas-ha) the following is a temporary workaround for third-party CI
# scripts that try to source Ansible's hacking/env-setup
# after running this very script
# TODO(pas-ha) remove after deprecation (in Pike?) and when third-party CIs
# (in particular OPNFV) are fixed
ANSIBLE_USER=$(id -nu)
ANSIBLE_GROUP=$(id -ng)
if [[ ! -d ${ANSIBLE_INSTALL_ROOT} ]]; then
mkdir -p ${ANSIBLE_INSTALL_ROOT} || (sudo mkdir -p ${ANSIBLE_INSTALL_ROOT})
fi
sudo -H chown -R ${ANSIBLE_USER}:${ANSIBLE_GROUP} ${ANSIBLE_INSTALL_ROOT}
# Install Collections # Install Collections
if [[ -n "$ANSIBLE_COLLECTION_SOURCE_PATH" ]]; then if [[ -n "$ANSIBLE_COLLECTION_SOURCE_PATH" ]]; then
echo "Using openstack ansible collection from $ANSIBLE_COLLECTION_SOURCE_PATH" echo "Using openstack ansible collection from $ANSIBLE_COLLECTION_SOURCE_PATH"
elif [[ -z $BIFROST_COLLECTIONS_PATHS ]]; then
echo "Installing ansible collections on default collections path"
${ANSIBLE_GALAXY} collection install -r ${ANSIBLE_COLLECTIONS_REQ}
else else
echo "Installing ansible collections on $BIFROST_COLLECTIONS_PATHS" echo "Installing ansible collections on $BIFROST_COLLECTIONS_PATHS"
${ANSIBLE_GALAXY} collection install -r ${ANSIBLE_COLLECTIONS_REQ} -p ${BIFROST_COLLECTIONS_PATHS} ${ANSIBLE_GALAXY} collection install -r ${ANSIBLE_COLLECTIONS_REQ} -p ${BIFROST_COLLECTIONS_PATHS}

12
scripts/install-deps.sh
View File

@ -107,17 +107,21 @@ if [ "${#EXTRA_PKG_DEPS[@]}" -ne 0 ]; then
done done
fi fi
SUDO="sudo -H -E"
if [ ! -f ${VENV}/bin/activate ]; then if [ ! -f ${VENV}/bin/activate ]; then
echo "Creating a virtual environment" echo "Creating a virtual environment"
# only create venv if one doesn't exist # only create venv if one doesn't exist
sudo -H -E python3 -m venv --system-site-packages ${VENV} ${SUDO} python3 -m venv --system-site-packages ${VENV}
sudo -H -E chown -R ${USER} ${VENV}
else else
echo "Virtual environment exists, skipping creation" echo "Virtual environment exists, skipping creation"
# NOTE(dtantsur): place here any actions required to upgrade existing # NOTE(dtantsur): place here any actions required to upgrade existing
# virtual environments. # virtual environments.
# The virtual environment used to be owned by the calling user. Upgrade.
${SUDO} chown -R root:root ${VENV}
fi fi
# Note(cinerama): activate is not compatible with "set -u"; # Note(cinerama): activate is not compatible with "set -u";
@ -132,8 +136,8 @@ VIRTUAL_ENV=${VENV}
# If we're using a venv, we need to work around sudo not # If we're using a venv, we need to work around sudo not
# keeping the path even with -E. # keeping the path even with -E.
PYTHON="python3" PYTHON="${VENV}/bin/python3"
PIP="${PYTHON} -m pip" PIP="${SUDO} ${PYTHON} -m pip"
if [[ "${BIFROST_TRACE:-}" != true ]]; then if [[ "${BIFROST_TRACE:-}" != true ]]; then
PIP="$PIP --quiet" PIP="$PIP --quiet"
fi fi

1
scripts/test-bifrost.sh
View File

@ -5,7 +5,6 @@ set -euxo pipefail
export PYTHONUNBUFFERED=1 export PYTHONUNBUFFERED=1
SCRIPT_HOME="$(cd "$(dirname "$0")" && pwd)" SCRIPT_HOME="$(cd "$(dirname "$0")" && pwd)"
BIFROST_HOME=$SCRIPT_HOME/.. BIFROST_HOME=$SCRIPT_HOME/..
ANSIBLE_INSTALL_ROOT=${ANSIBLE_INSTALL_ROOT:-/opt/stack}
USE_DHCP="${USE_DHCP:-false}" USE_DHCP="${USE_DHCP:-false}"
BUILD_IMAGE="${BUILD_IMAGE:-false}" BUILD_IMAGE="${BUILD_IMAGE:-false}"
BAREMETAL_DATA_FILE=${BAREMETAL_DATA_FILE:-'/tmp/baremetal.json'} BAREMETAL_DATA_FILE=${BAREMETAL_DATA_FILE:-'/tmp/baremetal.json'}

6
tools/vagrant_dev_env/Vagrantfile vendored
View File

@ -3,7 +3,6 @@
VAGRANTFILE_API_VERSION = '2' VAGRANTFILE_API_VERSION = '2'
ansible_install_root=(ENV['ANSIBLE_INSTALL_ROOT'] || "/opt/stack")
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
config.vm.box = 'generic/ubuntu1804' config.vm.box = 'generic/ubuntu1804'
@ -28,14 +27,10 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
lv.volume_cache = 'none' lv.volume_cache = 'none'
end end
# If ANSIBLE_INSTALL_ROOT is available, set that value inside the VM
if ENV['ANSIBLE_INSTALL_ROOT']
bifrost.vm.provision "shell", inline: <<-SHELL bifrost.vm.provision "shell", inline: <<-SHELL
echo "export ANSIBLE_INSTALL_ROOT=#{ENV['ANSIBLE_INSTALL_ROOT']}" >> /etc/profile.d/ansible-root.sh
echo "if [ \"$IFACE\" = \"eth0\" ]; then route del default dev eth0 ; fi" >> /etc/network/if-up.d echo "if [ \"$IFACE\" = \"eth0\" ]; then route del default dev eth0 ; fi" >> /etc/network/if-up.d
echo "[Match]\nName=eth0\n[Network]\nDHCP=yes\n[DHCP]\nUseRoutes=false" >>/etc/systemd/network/no-default-route.network echo "[Match]\nName=eth0\n[Network]\nDHCP=yes\n[DHCP]\nUseRoutes=false" >>/etc/systemd/network/no-default-route.network
SHELL SHELL
end
# Set up private NAT'd network # Set up private NAT'd network
bifrost.vm.network 'private_network', ip: '192.168.99.10', use_dhcp_assigned_default_route: false bifrost.vm.network 'private_network', ip: '192.168.99.10', use_dhcp_assigned_default_route: false
@ -58,7 +53,6 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
ansible.playbook = 'vagrant.yml' ansible.playbook = 'vagrant.yml'
ansible.extra_vars = { ansible.extra_vars = {
# set key file name here # set key file name here
ansible_install_root: ansible_install_root,
public_key: 'id_rsa.pub', public_key: 'id_rsa.pub',
# Edit the network_interface to match your needs: # Edit the network_interface to match your needs:
# eth0 - connected to a Nat network # eth0 - connected to a Nat network

4
tools/vagrant_dev_env/vagrant.yml
View File

@ -81,13 +81,9 @@
- name: Ensure /opt/stack folder exists - name: Ensure /opt/stack folder exists
file: path=/opt/stack state=directory owner=vagrant file: path=/opt/stack state=directory owner=vagrant
- name: Ensure ansible root folder exists
file: path={{ansible_install_root}} state=directory owner=vagrant
- name: Prepare VM for Bifrost - name: Prepare VM for Bifrost
command: scripts/env-setup.sh command: scripts/env-setup.sh
environment: environment:
ANSIBLE_INSTALL_ROOT: "{{ansible_install_root}}"
LANG: c LANG: c
VENV: "/opt/stack/bifrost" VENV: "/opt/stack/bifrost"
args: args: