Add custom user-agent for git clones from opendev.org

There has been one confirmed denial-of-service against the opendev git servers due to an openstack-ansible deployment failing to correctly use cached wheels from the repo server and instead clone and build the source code for each openstack service on each target host. Whilst we wait for further information to understand the root cause of that DOS, it is possible to adjust the user-agent that git uses on a per-domain basis. This patch sets the user-agent to a string which identifies that OSA is responsible for git operations, which version of OSA is in use, and if the host is a deploy host or an AIO build. Change-Id: I8157c744a58a8ade56776e8cb29956a8abed081c
2021-04-16 09:14:29 +01:00 · 2021-04-16 09:14:29 +01:00 · 672b720b59
commit 672b720b59
parent 01fb3816cf
5 changed files with 47 additions and 1 deletions
--- a/scripts/bootstrap-ansible.sh
+++ b/scripts/bootstrap-ansible.sh
@ -135,7 +135,7 @@ if [ "${SETUP_ARA}" == "true" ]; then
 fi

 # Get current code version (this runs at the root of OSA clone)
-CURRENT_OSA_VERSION=$(cd ${OSA_CLONE_DIR}; /opt/ansible-runtime/bin/python setup.py --version)
+export CURRENT_OSA_VERSION=$(cd ${OSA_CLONE_DIR}; /opt/ansible-runtime/bin/python setup.py --version)

 # Ensure that Ansible binaries run from the venv
 pushd /opt/ansible-runtime/bin
--- a/scripts/get-ansible-role-requirements.yml
+++ b/scripts/get-ansible-role-requirements.yml
@ -23,6 +23,20 @@
      setup:
        gather_subset: '!all'

+    - name: Find the git version
+      command:
+        cmd: "git --version"
+      register: _git_version
+      changed_when: false
+      tags:
+        - skip_ansible_lint
+
+    - name: Set the git user agent for the deploy host
+      git_config:
+        scope: system
+        name: http.https://opendev.org/.userAgent
+        value: "{{ 'git/' ~ _git_version.stdout.split(' ')[2] ~ ' (osa/' ~ lookup('env', 'CURRENT_OSA_VERSION') ~ '/deploy)' }}"
+
    - name: Remove target directory if required
      file:
        path: "{{ item.path | default(role_path_default) }}/{{ item.name | default(item.src | basename) }}"
--- a/scripts/log-collect.sh
+++ b/scripts/log-collect.sh
@ -45,6 +45,7 @@ COMMON_ETC_LOG_NAMES="apt \
    dnf \
    etcd \
    ganesha \
+    gitconfig \
    haproxy \
    httpd \
    memcached \
--- a/tests/roles/bootstrap-host/tasks/main.yml
+++ b/tests/roles/bootstrap-host/tasks/main.yml
@ -13,6 +13,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+# Identify AIO builds in the git user-agent
+- include_tasks: prepare_git_useragent.yml
+
 # Attempt data device detection if enabled
 - include_tasks: detect_data_disk_device.yml
  when:
--- a/tests/roles/bootstrap-host/tasks/prepare_git_useragent.yml
+++ b/tests/roles/bootstrap-host/tasks/prepare_git_useragent.yml
@ -0,0 +1,28 @@
+---
+# Copyright 2021, BBC R&D
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Find the git version
+  command:
+    cmd: "git --version"
+  register: _git_version
+  changed_when: false
+  tags:
+    - skip_ansible_lint
+
+- name: Set the git user agent for the AIO
+  git_config:
+    scope: system
+    name: http.https://opendev.org/.userAgent
+    value: "{{ 'git/' ~ _git_version.stdout.split(' ')[2] ~ ' (osa/' ~ lookup('env', 'OSA_VERSION') ~ '/aio)' }}"