Make virtual environment owned by root

It's dangerous to allow a regular user to write into the source code of
the services. The repositories are still writable, so that the
development workflow can still use the ``--develop`` flag to make
modifications.

While here, remove the horribly outdated and broken ANSIBLE_INSTALL_ROOT.

Change-Id: Id2e25dd57668d24a11dc2cd16eea2b607b7a3f16

doc/source/contributor/vagrant.rst

@@ -66,13 +66,4 @@ Installation Options
 --------------------
 Ansible is installed within the VM directly from `source
 <https://github.com/ansible/ansible.git>`_ or from the path set by
-``ANSIBLE_GIT_URL``. You can modify the path of installation by setting
-``ANSIBLE_INSTALL_ROOT`` environment variable. The default value is
-``/opt/stack``. When set in the host, this variable will also be set as an
-environment variable inside the VM for use by test scripts.
-
-Note:
-
-  Only the ansible installation path is configurable at this point using
-  the environment variable. All other dependencies will still continue to
-  cloned under ``/opt/stack``.
+``ANSIBLE_GIT_URL`` into ``/opt/stack``.

releasenotes/notes/venv-owner-30669e2f5cffef2f.yaml

@@ -0,0 +1,13 @@
+---
+upgrade:
+  - |
+    Modification to the Bifrost virtual environment (``/opt/stack/bifrost`` by
+    default) will now need ``sudo`` as the directory is now owned by root.
+  - |
+    The deprecated and non-functioning variable ``ANSIBLE_INSTALL_ROOT`` is
+    no longer supported.
+fixes:
+  - |
+    The Bifrost virtual environment (``/opt/stack/bifrost`` by default) is no
+    longer owned (and thus writable) by the regular user that started the
+    installation.

scripts/env-setup.sh

@@ -13,7 +13,6 @@ ANSIBLE_COLLECTION_SOURCE_PATH=
 if [[ -d "${WORKSPACE:-}/openstack/ansible-collections-openstack" ]]; then
     ANSIBLE_COLLECTION_SOURCE_PATH="${WORKSPACE}/openstack/ansible-collections-openstack"
 fi
-ANSIBLE_INSTALL_ROOT=${ANSIBLE_INSTALL_ROOT:-/opt/stack}
 ANSIBLE_PIP_VERSION=${ANSIBLE_PIP_VERSION:-${DEFAULT_PIP_ANSIBLE}}
 ANSIBLE_SOURCE_PATH=${ANSIBLE_SOURCE_PATH:-ansible${ANSIBLE_PIP_VERSION}}
 
@@ -29,35 +28,20 @@ if [ -f "$ANSIBLE" ]; then
 fi
 ${PIP} install "${ANSIBLE_SOURCE_PATH}"
 
-ANSIBLE_GALAXY=${VENV}/bin/ansible-galaxy
+ANSIBLE_GALAXY="${SUDO} ${VENV}/bin/ansible-galaxy"
 if [[ -z $BIFROST_COLLECTIONS_PATHS ]]; then
     echo  "Setting ANSIBLE_COLLECTIONS_PATHS to virtualenv"
     export ANSIBLE_COLLECTIONS_PATHS=${VENV}/collections
     BIFROST_COLLECTIONS_PATHS=$ANSIBLE_COLLECTIONS_PATHS
 fi
 if [[ -n "$ANSIBLE_COLLECTION_SOURCE_PATH" ]]; then
-    mkdir -p "$BIFROST_COLLECTIONS_PATHS/ansible_collections/openstack"
-    ln -s "$ANSIBLE_COLLECTION_SOURCE_PATH" "$BIFROST_COLLECTIONS_PATHS/ansible_collections/openstack/cloud"
+    ${SUDO} mkdir -p "$BIFROST_COLLECTIONS_PATHS/ansible_collections/openstack"
+    ${SUDO} ln -s "$ANSIBLE_COLLECTION_SOURCE_PATH" "$BIFROST_COLLECTIONS_PATHS/ansible_collections/openstack/cloud"
 fi
 
-# NOTE(pas-ha) the following is a temporary workaround for third-party CI
-# scripts that try to source Ansible's hacking/env-setup
-# after running this very script
-# TODO(pas-ha) remove after deprecation (in Pike?) and when third-party CIs
-# (in particular OPNFV) are fixed
-ANSIBLE_USER=$(id -nu)
-ANSIBLE_GROUP=$(id -ng)
-if [[ ! -d ${ANSIBLE_INSTALL_ROOT} ]]; then
-    mkdir -p ${ANSIBLE_INSTALL_ROOT} || (sudo mkdir -p ${ANSIBLE_INSTALL_ROOT})
-fi
-sudo -H chown -R ${ANSIBLE_USER}:${ANSIBLE_GROUP} ${ANSIBLE_INSTALL_ROOT}
-
 # Install Collections
 if [[ -n "$ANSIBLE_COLLECTION_SOURCE_PATH" ]]; then
     echo "Using openstack ansible collection from $ANSIBLE_COLLECTION_SOURCE_PATH"
-elif [[ -z $BIFROST_COLLECTIONS_PATHS ]]; then
-    echo "Installing ansible collections on default collections path"
-    ${ANSIBLE_GALAXY} collection install -r ${ANSIBLE_COLLECTIONS_REQ}
 else
     echo "Installing ansible collections on $BIFROST_COLLECTIONS_PATHS"
     ${ANSIBLE_GALAXY} collection install -r ${ANSIBLE_COLLECTIONS_REQ} -p ${BIFROST_COLLECTIONS_PATHS}

scripts/install-deps.sh

@@ -107,17 +107,21 @@ if [ "${#EXTRA_PKG_DEPS[@]}" -ne 0 ]; then
     done
 fi
 
+SUDO="sudo -H -E"
+
 if [ ! -f ${VENV}/bin/activate ]; then
     echo "Creating a virtual environment"
 
     # only create venv if one doesn't exist
-    sudo -H -E python3 -m venv --system-site-packages ${VENV}
-    sudo -H -E chown -R ${USER} ${VENV}
+    ${SUDO} python3 -m venv --system-site-packages ${VENV}
 else
     echo "Virtual environment exists, skipping creation"
 
     # NOTE(dtantsur): place here any actions required to upgrade existing
     # virtual environments.
+
+    # The virtual environment used to be owned by the calling user. Upgrade.
+    ${SUDO} chown -R root:root ${VENV}
 fi
 
 # Note(cinerama): activate is not compatible with "set -u";
@@ -132,8 +136,8 @@ VIRTUAL_ENV=${VENV}
 
 # If we're using a venv, we need to work around sudo not
 # keeping the path even with -E.
-PYTHON="python3"
-PIP="${PYTHON} -m pip"
+PYTHON="${VENV}/bin/python3"
+PIP="${SUDO} ${PYTHON} -m pip"
 if [[ "${BIFROST_TRACE:-}" != true ]]; then
     PIP="$PIP --quiet"
 fi

scripts/test-bifrost.sh

@@ -5,7 +5,6 @@ set -euxo pipefail
 export PYTHONUNBUFFERED=1
 SCRIPT_HOME="$(cd "$(dirname "$0")" && pwd)"
 BIFROST_HOME=$SCRIPT_HOME/..
-ANSIBLE_INSTALL_ROOT=${ANSIBLE_INSTALL_ROOT:-/opt/stack}
 USE_DHCP="${USE_DHCP:-false}"
 BUILD_IMAGE="${BUILD_IMAGE:-false}"
 BAREMETAL_DATA_FILE=${BAREMETAL_DATA_FILE:-'/tmp/baremetal.json'}

tools/vagrant_dev_env/Vagrantfile

@@ -3,7 +3,6 @@
 
 VAGRANTFILE_API_VERSION = '2'
 
-ansible_install_root=(ENV['ANSIBLE_INSTALL_ROOT'] || "/opt/stack")
 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
   config.vm.box = 'generic/ubuntu1804'
 
@@ -28,14 +27,10 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
       lv.volume_cache = 'none'
     end
 
-    # If ANSIBLE_INSTALL_ROOT is available, set that value inside the VM
-    if ENV['ANSIBLE_INSTALL_ROOT']
-      bifrost.vm.provision "shell", inline: <<-SHELL
-        echo "export ANSIBLE_INSTALL_ROOT=#{ENV['ANSIBLE_INSTALL_ROOT']}" >> /etc/profile.d/ansible-root.sh
-        echo "if [ \"$IFACE\" = \"eth0\" ]; then route del default dev eth0 ; fi" >> /etc/network/if-up.d
-	echo "[Match]\nName=eth0\n[Network]\nDHCP=yes\n[DHCP]\nUseRoutes=false" >>/etc/systemd/network/no-default-route.network
-      SHELL
-    end
+    bifrost.vm.provision "shell", inline: <<-SHELL
+      echo "if [ \"$IFACE\" = \"eth0\" ]; then route del default dev eth0 ; fi" >> /etc/network/if-up.d
+      echo "[Match]\nName=eth0\n[Network]\nDHCP=yes\n[DHCP]\nUseRoutes=false" >>/etc/systemd/network/no-default-route.network
+    SHELL
 
     # Set up private NAT'd network
     bifrost.vm.network 'private_network', ip: '192.168.99.10', use_dhcp_assigned_default_route: false
@@ -58,7 +53,6 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
       ansible.playbook = 'vagrant.yml'
       ansible.extra_vars = {
           # set key file name here
-          ansible_install_root: ansible_install_root,
           public_key: 'id_rsa.pub',
           # Edit the network_interface to match your needs:
           #  eth0 - connected to a Nat network

tools/vagrant_dev_env/vagrant.yml

@@ -81,13 +81,9 @@
     - name: Ensure /opt/stack folder exists
       file: path=/opt/stack state=directory owner=vagrant
 
-    - name: Ensure ansible root folder exists
-      file: path={{ansible_install_root}} state=directory owner=vagrant
-
     - name: Prepare VM for Bifrost
       command: scripts/env-setup.sh
       environment:
-          ANSIBLE_INSTALL_ROOT: "{{ansible_install_root}}"
           LANG: c
           VENV: "/opt/stack/bifrost"
       args: