Avoid insecure umask which breaks loading of ansible.cfg

Ansible had a security fix which now prevents it from loading ansible.cfg files that are world writable (o+w) which is exactly what the old jobs did in order to make devstack work with hardlinks across multiple users. We replace the hardlinks with CoW and reset the permissions to system default which is what is to be expected for source code. Change-Id: Ia1bfc89ee8edecd1ebad3487e8c63bdda4d083a0 Partial-Bug: 1807703
2018-12-18 12:06:42 +00:00 · 2018-12-18 12:06:42 +00:00 · b62acc6360
parent 932fc21571
commit b62acc6360
1 changed files with 11 additions and 2 deletions
--- a/playbooks/tripleo-ci/run-v3.yaml
+++ b/playbooks/tripleo-ci/run-v3.yaml
@ -24,14 +24,23 @@
        path: '{{ workspace }}/logs'
        state: directory

-    - name: Hard link tripleo-ci to openstack namespace dir
+    - name: Assure src folder has safe permissions
+      # Workaround for https://bugs.launchpad.net/tripleo/+bug/1807703
+      file:
+        path: /home/zuul/src/
+        state: directory
+        mode: u=rwX,g=rX,o=rX
+        recurse: yes
+
+    - name: Copy tripleo-ci to openstack namespace dir
      shell:
        cmd: |
          set -e
          set -x
          # we still need all the repos under the same root directory, but instead of using
          # zuul-cloner, use the wrapped commands directly
-          cp -dRl /home/zuul/src/git.openstack.org/openstack-infra/tripleo-ci .
+          # reflink is an safer alternative to hardlinking which could fail
+          cp -dR --reflink=auto /home/zuul/src/git.openstack.org/openstack-infra/tripleo-ci .
        executable: /bin/bash
        chdir: '{{ tripleo_root }}'
      environment: '{{ zuul | zuul_legacy_vars }}'