Merge "Make virtual environment owned by root"

2022-01-31 03:23:11 +00:00 · 2022-01-31 03:23:11 +00:00 · 9c2a1790fc
commit 9c2a1790fc
parent a980bf3a8b 4cb0395d75
7 changed files with 29 additions and 48 deletions
--- a/doc/source/contributor/vagrant.rst
+++ b/doc/source/contributor/vagrant.rst
@ -66,13 +66,4 @@ Installation Options
 --------------------
 Ansible is installed within the VM directly from `source
 <https://github.com/ansible/ansible.git>`_ or from the path set by
-``ANSIBLE_GIT_URL``. You can modify the path of installation by setting
-``ANSIBLE_INSTALL_ROOT`` environment variable. The default value is
-``/opt/stack``. When set in the host, this variable will also be set as an
-environment variable inside the VM for use by test scripts.
-
-Note:
-
-  Only the ansible installation path is configurable at this point using
-  the environment variable. All other dependencies will still continue to
-  cloned under ``/opt/stack``.
+``ANSIBLE_GIT_URL`` into ``/opt/stack``.
--- a/releasenotes/notes/venv-owner-30669e2f5cffef2f.yaml
+++ b/releasenotes/notes/venv-owner-30669e2f5cffef2f.yaml
@ -0,0 +1,13 @@
+---
+upgrade:
+  - |
+    Modification to the Bifrost virtual environment (``/opt/stack/bifrost`` by
+    default) will now need ``sudo`` as the directory is now owned by root.
+  - |
+    The deprecated and non-functioning variable ``ANSIBLE_INSTALL_ROOT`` is
+    no longer supported.
+fixes:
+  - |
+    The Bifrost virtual environment (``/opt/stack/bifrost`` by default) is no
+    longer owned (and thus writable) by the regular user that started the
+    installation.
--- a/scripts/env-setup.sh
+++ b/scripts/env-setup.sh
@ -13,7 +13,6 @@ ANSIBLE_COLLECTION_SOURCE_PATH=
 if [[ -d "${WORKSPACE:-}/openstack/ansible-collections-openstack" ]]; then
    ANSIBLE_COLLECTION_SOURCE_PATH="${WORKSPACE}/openstack/ansible-collections-openstack"
 fi
-ANSIBLE_INSTALL_ROOT=${ANSIBLE_INSTALL_ROOT:-/opt/stack}
 ANSIBLE_PIP_VERSION=${ANSIBLE_PIP_VERSION:-${DEFAULT_PIP_ANSIBLE}}
 ANSIBLE_SOURCE_PATH=${ANSIBLE_SOURCE_PATH:-ansible${ANSIBLE_PIP_VERSION}}

@ -29,35 +28,20 @@ if [ -f "$ANSIBLE" ]; then
 fi
 ${PIP} install "${ANSIBLE_SOURCE_PATH}"

-ANSIBLE_GALAXY=${VENV}/bin/ansible-galaxy
+ANSIBLE_GALAXY="${SUDO} ${VENV}/bin/ansible-galaxy"
 if [[ -z $BIFROST_COLLECTIONS_PATHS ]]; then
    echo  "Setting ANSIBLE_COLLECTIONS_PATHS to virtualenv"
    export ANSIBLE_COLLECTIONS_PATHS=${VENV}/collections
    BIFROST_COLLECTIONS_PATHS=$ANSIBLE_COLLECTIONS_PATHS
 fi
 if [[ -n "$ANSIBLE_COLLECTION_SOURCE_PATH" ]]; then
-    mkdir -p "$BIFROST_COLLECTIONS_PATHS/ansible_collections/openstack"
-    ln -s "$ANSIBLE_COLLECTION_SOURCE_PATH" "$BIFROST_COLLECTIONS_PATHS/ansible_collections/openstack/cloud"
+    ${SUDO} mkdir -p "$BIFROST_COLLECTIONS_PATHS/ansible_collections/openstack"
+    ${SUDO} ln -s "$ANSIBLE_COLLECTION_SOURCE_PATH" "$BIFROST_COLLECTIONS_PATHS/ansible_collections/openstack/cloud"
 fi

-# NOTE(pas-ha) the following is a temporary workaround for third-party CI
-# scripts that try to source Ansible's hacking/env-setup
-# after running this very script
-# TODO(pas-ha) remove after deprecation (in Pike?) and when third-party CIs
-# (in particular OPNFV) are fixed
-ANSIBLE_USER=$(id -nu)
-ANSIBLE_GROUP=$(id -ng)
-if [[ ! -d ${ANSIBLE_INSTALL_ROOT} ]]; then
-    mkdir -p ${ANSIBLE_INSTALL_ROOT} || (sudo mkdir -p ${ANSIBLE_INSTALL_ROOT})
-fi
-sudo -H chown -R ${ANSIBLE_USER}:${ANSIBLE_GROUP} ${ANSIBLE_INSTALL_ROOT}
-
 # Install Collections
 if [[ -n "$ANSIBLE_COLLECTION_SOURCE_PATH" ]]; then
    echo "Using openstack ansible collection from $ANSIBLE_COLLECTION_SOURCE_PATH"
-elif [[ -z $BIFROST_COLLECTIONS_PATHS ]]; then
-    echo "Installing ansible collections on default collections path"
-    ${ANSIBLE_GALAXY} collection install -r ${ANSIBLE_COLLECTIONS_REQ}
 else
    echo "Installing ansible collections on $BIFROST_COLLECTIONS_PATHS"
    ${ANSIBLE_GALAXY} collection install -r ${ANSIBLE_COLLECTIONS_REQ} -p ${BIFROST_COLLECTIONS_PATHS}
--- a/scripts/install-deps.sh
+++ b/scripts/install-deps.sh
@ -107,17 +107,21 @@ if [ "${#EXTRA_PKG_DEPS[@]}" -ne 0 ]; then
    done
 fi

+SUDO="sudo -H -E"
+
 if [ ! -f ${VENV}/bin/activate ]; then
    echo "Creating a virtual environment"

    # only create venv if one doesn't exist
-    sudo -H -E python3 -m venv --system-site-packages ${VENV}
-    sudo -H -E chown -R ${USER} ${VENV}
+    ${SUDO} python3 -m venv --system-site-packages ${VENV}
 else
    echo "Virtual environment exists, skipping creation"

    # NOTE(dtantsur): place here any actions required to upgrade existing
    # virtual environments.
+
+    # The virtual environment used to be owned by the calling user. Upgrade.
+    ${SUDO} chown -R root:root ${VENV}
 fi

 # Note(cinerama): activate is not compatible with "set -u";
@ -132,8 +136,8 @@ VIRTUAL_ENV=${VENV}

 # If we're using a venv, we need to work around sudo not
 # keeping the path even with -E.
-PYTHON="python3"
-PIP="${PYTHON} -m pip"
+PYTHON="${VENV}/bin/python3"
+PIP="${SUDO} ${PYTHON} -m pip"
 if [[ "${BIFROST_TRACE:-}" != true ]]; then
    PIP="$PIP --quiet"
 fi
--- a/scripts/test-bifrost.sh
+++ b/scripts/test-bifrost.sh
@ -5,7 +5,6 @@ set -euxo pipefail
 export PYTHONUNBUFFERED=1
 SCRIPT_HOME="$(cd "$(dirname "$0")" && pwd)"
 BIFROST_HOME=$SCRIPT_HOME/..
-ANSIBLE_INSTALL_ROOT=${ANSIBLE_INSTALL_ROOT:-/opt/stack}
 USE_DHCP="${USE_DHCP:-false}"
 BUILD_IMAGE="${BUILD_IMAGE:-false}"
 BAREMETAL_DATA_FILE=${BAREMETAL_DATA_FILE:-'/tmp/baremetal.json'}
--- a/tools/vagrant_dev_env/Vagrantfile
+++ b/tools/vagrant_dev_env/Vagrantfile
@ -3,7 +3,6 @@

 VAGRANTFILE_API_VERSION = '2'

-ansible_install_root=(ENV['ANSIBLE_INSTALL_ROOT'] || "/opt/stack")
 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  config.vm.box = 'generic/ubuntu1804'

@ -28,14 +27,10 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
      lv.volume_cache = 'none'
    end

-    # If ANSIBLE_INSTALL_ROOT is available, set that value inside the VM
-    if ENV['ANSIBLE_INSTALL_ROOT']
-      bifrost.vm.provision "shell", inline: <<-SHELL
-        echo "export ANSIBLE_INSTALL_ROOT=#{ENV['ANSIBLE_INSTALL_ROOT']}" >> /etc/profile.d/ansible-root.sh
-        echo "if [ \"$IFACE\" = \"eth0\" ]; then route del default dev eth0 ; fi" >> /etc/network/if-up.d
-	echo "[Match]\nName=eth0\n[Network]\nDHCP=yes\n[DHCP]\nUseRoutes=false" >>/etc/systemd/network/no-default-route.network
-      SHELL
-    end
+    bifrost.vm.provision "shell", inline: <<-SHELL
+      echo "if [ \"$IFACE\" = \"eth0\" ]; then route del default dev eth0 ; fi" >> /etc/network/if-up.d
+      echo "[Match]\nName=eth0\n[Network]\nDHCP=yes\n[DHCP]\nUseRoutes=false" >>/etc/systemd/network/no-default-route.network
+    SHELL

    # Set up private NAT'd network
    bifrost.vm.network 'private_network', ip: '192.168.99.10', use_dhcp_assigned_default_route: false
@ -58,7 +53,6 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
      ansible.playbook = 'vagrant.yml'
      ansible.extra_vars = {
          # set key file name here
-          ansible_install_root: ansible_install_root,
          public_key: 'id_rsa.pub',
          # Edit the network_interface to match your needs:
          #  eth0 - connected to a Nat network
--- a/tools/vagrant_dev_env/vagrant.yml
+++ b/tools/vagrant_dev_env/vagrant.yml
@ -81,13 +81,9 @@
    - name: Ensure /opt/stack folder exists
      file: path=/opt/stack state=directory owner=vagrant

-    - name: Ensure ansible root folder exists
-      file: path={{ansible_install_root}} state=directory owner=vagrant
-
    - name: Prepare VM for Bifrost
      command: scripts/env-setup.sh
      environment:
-          ANSIBLE_INSTALL_ROOT: "{{ansible_install_root}}"
          LANG: c
          VENV: "/opt/stack/bifrost"
      args: