From a78934672738ffc3a74495172534ed50c6f7f658 Mon Sep 17 00:00:00 2001 From: Steven Dake Date: Sat, 26 Mar 2016 10:11:32 -0700 Subject: [PATCH] Fix gate to use world writeable docker socket A recent change related to sudo securepath broke how sudo -E works. Now the PATH is reset by sudo as set by tox. As a result we can no longer rely on sudo -E anywhere in our gating system relating to path inheritence from the parent shell. This patch uses a shell operation in the setup_nodes.yml code to chmod the docker socket to 666 so docker containers can build properly. Now docker operations don't return a permission denied and we no longer require the sudo -E operation in any of our tox scripts. This isn't a security vulnerability because our gate scripts are only meant to be run in OpenStack infrastructure. To make this more clear I recommend moving these shell scripts to tests/gate. Change-Id: I5b3d6e280e3c12a25defedb14b5589ba642043fa Closes-Bug: #1562383 --- tools/setup_nodes.yml | 3 +++ tox.ini | 28 +++++++++++----------------- 2 files changed, 14 insertions(+), 17 deletions(-) diff --git a/tools/setup_nodes.yml b/tools/setup_nodes.yml index 82ca8ae6c8..d37cdaab37 100644 --- a/tools/setup_nodes.yml +++ b/tools/setup_nodes.yml @@ -26,3 +26,6 @@ - name: Run node setup shell: sudo /tmp/setup.sh + + - name: Changing permissions of docker socket to 666 + shell: sudo chmod 0666 /run/docker.sock diff --git a/tox.ini b/tox.ini index 40fa81bc11..eaddde96af 100644 --- a/tox.ini +++ b/tox.ini 
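Review bot: The added task `shell: sudo chmod 0666 /run/docker.sock` opens the Docker socket to every local account and process on the node, and write access to that socket amounts to root on the host, so the grant is much wider than the one account that runs tox. If the play connects as that same account (not visible here, the play begins above the hunk), changing ownership would be enough: `shell: sudo chown "$(id -un)" /run/docker.sock`, leaving the mode as the daemon set it. Either way the task deserves a comment such as `# Gate-only: grants the test user access to dockerd; never apply to a shared or long-lived host`, since nothing in tools/setup_nodes.yml itself marks it as gate-only. The mode or owner is presumably lost when the daemon recreates the socket on restart, so this task has to stay after any step that restarts Docker.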
@@ -42,61 +42,56 @@ commands = [testenv:build-centos-binary] whitelist_externals = find bash - sudo setenv = DOCKER_BUILD_TEST=1 commands = find . -type f -name "*.pyc" -delete bash -c "if [ ! -d .testrepository ]; then testr init; fi" - sudo -E -g docker testr run test_build.BuildTestCentosBinary + testr run test_build.BuildTestCentosBinary {toxinidir}/tools/dump_info.sh [testenv:build-centos-source] whitelist_externals = find bash - sudo setenv = DOCKER_BUILD_TEST=1 commands = find . -type f -name "*.pyc" -delete bash -c "if [ ! -d .testrepository ]; then testr init; fi" - sudo -E -g docker testr run test_build.BuildTestCentosSource + testr run test_build.BuildTestCentosSource {toxinidir}/tools/dump_info.sh [testenv:build-ubuntu-source] whitelist_externals = find bash - sudo setenv = DOCKER_BUILD_TEST=1 commands = find . -type f -name "*.pyc" -delete bash -c "if [ ! -d .testrepository ]; then testr init; fi" - sudo -E -g docker testr run test_build.BuildTestUbuntuSource + testr run test_build.BuildTestUbuntuSource {toxinidir}/tools/dump_info.sh [testenv:build-oraclelinux-binary] whitelist_externals = find bash - sudo setenv = DOCKER_BUILD_TEST=1 commands = find . -type f -name "*.pyc" -delete bash -c "if [ ! -d .testrepository ]; then testr init; fi" - sudo -E -g docker testr run test_build.BuildTestOracleLinuxBinary + testr run test_build.BuildTestOracleLinuxBinary {toxinidir}/tools/dump_info.sh [testenv:build-oraclelinux-source] whitelist_externals = find bash - sudo setenv = DOCKER_BUILD_TEST=1 commands = find . -type f -name "*.pyc" -delete bash -c "if [ ! -d .testrepository ]; then testr init; fi" - sudo -E -g docker testr run test_build.BuildTestOracleLinuxSource + testr run test_build.BuildTestOracleLinuxSource {toxinidir}/tools/dump_info.sh [testenv:deploy-centos-binary] 
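Review bot: With `sudo -E -g docker` dropped, the `testr run test_build.*` commands in the build-* environments here, and in the deploy-* and deploy-multinode environments in the later hunks, succeed only if the invoking user can already open the Docker socket, which this commit arranges solely through tools/setup_nodes.yml. tox.ini says nothing about that precondition, so someone running `tox -e build-centos-binary` outside the gate gets a permission error, and the nearest visible remedy is the chmod 0666 from the gate playbook. A comment above the first of these sections would cover it, e.g. `# Requires Docker socket access for the current user (docker group membership); the gate sets this up in tools/setup_nodes.yml`.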
@@ -108,7 +103,7 @@ setenv = commands = find . -type f -name "*.pyc" -delete bash -c "if [ ! -d .testrepository ]; then testr init; fi" - sudo -E -g docker testr run test_build.DeployTestCentosBinary + testr run test_build.DeployTestCentosBinary sudo {toxinidir}/tools/deploy_aio.sh centos binary {toxinidir}/tools/dump_info.sh @@ -121,7 +116,7 @@ setenv = commands = find . -type f -name "*.pyc" -delete bash -c "if [ ! -d .testrepository ]; then testr init; fi" - sudo -E -g docker testr run test_build.DeployTestCentosSource + testr run test_build.DeployTestCentosSource sudo {toxinidir}/tools/deploy_aio.sh centos source {toxinidir}/tools/dump_info.sh @@ -134,7 +129,7 @@ setenv = commands = find . -type f -name "*.pyc" -delete bash -c "if [ ! -d .testrepository ]; then testr init; fi" - sudo -E -g docker testr run test_build.DeployTestOracleLinuxBinary + testr run test_build.DeployTestOracleLinuxBinary sudo {toxinidir}/tools/deploy_aio.sh oraclelinux binary {toxinidir}/tools/dump_info.sh @@ -147,7 +142,7 @@ setenv = commands = find . -type f -name "*.pyc" -delete bash -c "if [ ! -d .testrepository ]; then testr init; fi" - sudo -E -g docker testr run test_build.DeployTestOracleLinuxSource + testr run test_build.DeployTestOracleLinuxSource sudo {toxinidir}/tools/deploy_aio.sh oraclelinux source {toxinidir}/tools/dump_info.sh 
@@ -160,20 +155,19 @@ setenv = commands = find . -type f -name "*.pyc" -delete bash -c "if [ ! -d .testrepository ]; then testr init; fi" - sudo -E -g docker testr run test_build.DeployTestUbuntuSource + testr run test_build.DeployTestUbuntuSource sudo {toxinidir}/tools/deploy_aio.sh ubuntu source {toxinidir}/tools/dump_info.sh [testenv:deploy-multinode-ubuntu-source] whitelist_externals = find bash - sudo setenv = DOCKER_BUILD_TEST=1 commands = find . -type f -name "*.pyc" -delete bash -c "if [ ! -d .testrepository ]; then testr init; fi" - sudo -E -g docker testr run test_build.BuildTestUbuntuSource + testr run test_build.BuildTestUbuntuSource {toxinidir}/tools/dump_info.sh [testenv:genconfig]