bootstrap-bridge: drop pip3 role, add venv

The pip3 role installs the latest upstream pip, overwriting the
packaged versions.  We would prefer to install things in
venv/virtualenvs moving forward to keep better isolation.

Unfortunately thanks to time the Bionic era packaged pip is so old
that it can't install anything modern like Ansible.  Thus we have to
squash installing Ansible into a separate venv into this change as
well.

Although the venv created by default on the Bionic host also has an
old pip, luckily we already worked around that in
I81fd268a9354685496a75e33a6f038a32b686352 which provides a create-venv
role that creates a fully updated venv for us.

To minimise other changes, this symlinks ansible/ansible-playbook into
/usr/local/bin.  On our current production bastion host this will make
a bit of a mess -- but we are looking at replacing that with a fresh
system soon.  The idea is that this new system will not be
bootstrapped with a globally installed Ansible, so we won't have
things lying around in multiple places.

Change-Id: I7551eb92bb6dc5918c367cc347f046ff562eab0c

playbooks/bootstrap-bridge.yaml

@@ -1,8 +1,7 @@
 - hosts: bridge.openstack.org:!disabled
   name: "Bridge: bootstrap the bastion host"
   become: true
-  roles:
-    - pip3
+  tasks:
     # Note for production use we expect to take the defaults; unit
     # test jobs override this to test with latest upstream ansible.
     # For example, if there is a fix on the ansible stable branch we
@@ -10,14 +9,20 @@
     #
     #  install_ansible_name: '{{ bridge_ansible_name | default("git+https://github.com/ansible/ansible.git@stable-2.7") }}'
     #  install_ansible_version: '{{ bridge_ansible_version | default(None) }}'
-    - role: install-ansible
-      install_ansible_name: '{{ bridge_ansible_name | default("ansible") }}'
-      install_ansible_version: '{{ bridge_ansible_version | default("4.0.0") }}'
-      install_ansible_openstacksdk_name: '{{ bridge_openstacksdk_name | default("openstacksdk") }}'
-      install_ansible_openstacksdk_version: '{{ bridge_openstacksdk_verison | default("latest") }}'
-      # NOTE(ianw): At 2018-12, ARA is only enabled during gate
-      # testing jobs as we decide if or how to store data on
-      # production bridge.o.o
-      install_ansible_ara_name: '{{ bridge_ara_name | default("ara[server]") }}'
-      install_ansible_ara_version: '{{ bridge_ara_version | default("latest") }}'
-    - root-keys
+    - name: Install ansible
+      include_role:
+        name: install-ansible
+      vars:
+        install_ansible_name: '{{ bridge_ansible_name | default("ansible") }}'
+        install_ansible_version: '{{ bridge_ansible_version | default("4.0.0") }}'
+        install_ansible_openstacksdk_name: '{{ bridge_openstacksdk_name | default("openstacksdk") }}'
+        install_ansible_openstacksdk_version: '{{ bridge_openstacksdk_verison | default("latest") }}'
+        # NOTE(ianw): At 2018-12, ARA is only enabled during gate
+        # testing jobs as we decide if or how to store data on
+        # production bridge.o.o
+        install_ansible_ara_name: '{{ bridge_ara_name | default("ara[server]") }}'
+        install_ansible_ara_version: '{{ bridge_ara_version | default("latest") }}'
+
+    - name: Install root keys
+      include_role:
+        name: root-keys

playbooks/roles/install-ansible/tasks/install_ara.yaml

@@ -24,9 +24,10 @@
     name: '{{ install_ansible_ara_name | default("ara[server]") }}'
     version: '{{ _install_ansible_ara_version | default(omit) }}'
     state: '{{ _install_ansible_ara_state | default(omit) }}'
+    virtualenv: '/usr/ansible-venv'
 
 # For configuring the callback plugins location in ansible.cfg
 - name: Get ARA's location for callback plugins
-  command: python3 -m ara.setup.callback_plugins
+  command: /usr/ansible-venv/bin/python3 -m ara.setup.callback_plugins
   register: install_ansible_ara_callback_plugins
   changed_when: false

playbooks/roles/install-ansible/tasks/main.yaml

@@ -1,3 +1,15 @@
+- name: Install python-venv package
+  package:
+    name:
+      - python3-venv
+    state: present
+
+- name: Create venv
+  include_role:
+    name: create-venv
+  vars:
+    create_venv_path: '/usr/ansible-venv'
+
 # If install_ansible_version is not defined (note; not *empty*) it
 # should be "latest"
 - name: Set ansible default version to latest
@@ -63,6 +75,16 @@
     name: '{{ install_ansible_name | default("ansible") }}'
     version: '{{ _install_ansible_version | default(omit) }}'
     state: '{{ _install_ansible_state | default(omit) }}'
+    virtualenv: '/usr/ansible-venv'
+
+- name: Symlink to local
+  file:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+    state: link
+  loop:
+    - { src: '/usr/ansible-venv/bin/ansible-playbook', dest: '/usr/local/bin/ansible-playbook' }
+    - { src: '/usr/ansible-venv/bin/ansible', dest: '/usr/local/bin/ansible' }
 
 - name: Ansible version check
   command: 'ansible-playbook --version'
@@ -112,6 +134,7 @@
     name: '{{ install_ansible_openstacksdk_name | default("openstacksdk") }}'
     version: '{{ _install_ansible_openstacksdk_version | default(omit) }}'
     state: '{{ _install_openstacksdk_state | default(omit) }}'
+    virtualenv: '/usr/ansible-venv'
 
 - name: Ensure /etc/ansible and /etc/ansible/hosts
   file:

playbooks/zuul/run-base-post.yaml

@@ -51,7 +51,7 @@
       become: yes
 
     - name: Generate ARA static report
-      command: ara-manage generate /root/.ara/static
+      command: /usr/ansible-venv/bin/ara-manage generate /root/.ara/static
       become: yes
 
     - name: Collect testing ARA results

testinfra/test_bridge.py

@@ -58,7 +58,7 @@ def test_root_authorized_keys(host):
 
 
 def test_ara(host):
-    ara = host.run('ara-manage migrate')
+    ara = host.run('/usr/ansible-venv/bin/ara-manage migrate')
     assert ara.rc == 0
     database = host.file('/root/.ara/server/ansible.sqlite')
     assert database.exists