From 4cb0395d75f842f31e433073cf38f140e888394e Mon Sep 17 00:00:00 2001 From: Dmitry Tantsur Date: Tue, 25 Jan 2022 14:45:47 +0100 Subject: [PATCH] Make virtual environment owned by root It's dangerous to allow a regular user to write into the source code of the services. The repositories are still writable, so that the development workflow can still use the ``--develop`` flag to make modifications. While here, remove the horribly outdated and broken ANSIBLE_INSTALL_ROOT. Change-Id: Id2e25dd57668d24a11dc2cd16eea2b607b7a3f16 --- doc/source/contributor/vagrant.rst | 11 +--------- .../notes/venv-owner-30669e2f5cffef2f.yaml | 13 +++++++++++ scripts/env-setup.sh | 22 +++---------------- scripts/install-deps.sh | 12 ++++++---- scripts/test-bifrost.sh | 1 - tools/vagrant_dev_env/Vagrantfile | 14 ++++-------- tools/vagrant_dev_env/vagrant.yml | 4 ---- 7 files changed, 29 insertions(+), 48 deletions(-) create mode 100644 releasenotes/notes/venv-owner-30669e2f5cffef2f.yaml diff --git a/doc/source/contributor/vagrant.rst b/doc/source/contributor/vagrant.rst index 5ae2c6cc5..78759bca0 100644 --- a/doc/source/contributor/vagrant.rst +++ b/doc/source/contributor/vagrant.rst @@ -66,13 +66,4 @@ Installation Options -------------------- Ansible is installed within the VM directly from `source `_ or from the path set by -``ANSIBLE_GIT_URL``. You can modify the path of installation by setting -``ANSIBLE_INSTALL_ROOT`` environment variable. The default value is -``/opt/stack``. When set in the host, this variable will also be set as an -environment variable inside the VM for use by test scripts. - -Note: - - Only the ansible installation path is configurable at this point using - the environment variable. All other dependencies will still continue to - cloned under ``/opt/stack``. +``ANSIBLE_GIT_URL`` into ``/opt/stack``. diff --git a/releasenotes/notes/venv-owner-30669e2f5cffef2f.yaml b/releasenotes/notes/venv-owner-30669e2f5cffef2f.yaml new file mode 100644 index 000000000..25fdd524e 
--- /dev/null
+++ b/releasenotes/notes/venv-owner-30669e2f5cffef2f.yaml
@@ -0,0 +1,13 @@
+---
+upgrade:
+ - |
+ Modification to the Bifrost virtual environment (``/opt/stack/bifrost`` by
+ default) will now need ``sudo`` as the directory is now owned by root.
+ - |
+ The deprecated and non-functioning variable ``ANSIBLE_INSTALL_ROOT`` is
+ no longer supported.
+fixes:
+ - |
+ The Bifrost virtual environment (``/opt/stack/bifrost`` by default) is no
+ longer owned (and thus writable) by the regular user that started the
+ installation.
diff --git a/scripts/env-setup.sh b/scripts/env-setup.sh
index 5afa97f48..2aa727cfa 100755
--- a/scripts/env-setup.sh
+++ b/scripts/env-setup.sh
@@ -13,7 +13,6 @@ ANSIBLE_COLLECTION_SOURCE_PATH=
 if [[ -d "${WORKSPACE:-}/openstack/ansible-collections-openstack" ]]; then
 ANSIBLE_COLLECTION_SOURCE_PATH="${WORKSPACE}/openstack/ansible-collections-openstack"
 fi
-ANSIBLE_INSTALL_ROOT=${ANSIBLE_INSTALL_ROOT:-/opt/stack}
 ANSIBLE_PIP_VERSION=${ANSIBLE_PIP_VERSION:-${DEFAULT_PIP_ANSIBLE}}
 ANSIBLE_SOURCE_PATH=${ANSIBLE_SOURCE_PATH:-ansible${ANSIBLE_PIP_VERSION}}
@@ -29,35 +28,20 @@ if [ -f "$ANSIBLE" ]; then
 fi
 ${PIP} install "${ANSIBLE_SOURCE_PATH}"
-ANSIBLE_GALAXY=${VENV}/bin/ansible-galaxy
+ANSIBLE_GALAXY="${SUDO} ${VENV}/bin/ansible-galaxy"
 if [[ -z $BIFROST_COLLECTIONS_PATHS ]]; then
 echo "Setting ANSIBLE_COLLECTIONS_PATHS to virtualenv"
 export ANSIBLE_COLLECTIONS_PATHS=${VENV}/collections
 BIFROST_COLLECTIONS_PATHS=$ANSIBLE_COLLECTIONS_PATHS
 fi
 if [[ -n "$ANSIBLE_COLLECTION_SOURCE_PATH" ]]; then
- mkdir -p "$BIFROST_COLLECTIONS_PATHS/ansible_collections/openstack"
- ln -s "$ANSIBLE_COLLECTION_SOURCE_PATH" "$BIFROST_COLLECTIONS_PATHS/ansible_collections/openstack/cloud"
+ ${SUDO} mkdir -p "$BIFROST_COLLECTIONS_PATHS/ansible_collections/openstack"
+ ${SUDO} ln -s "$ANSIBLE_COLLECTION_SOURCE_PATH" "$BIFROST_COLLECTIONS_PATHS/ansible_collections/openstack/cloud"
 fi
-# NOTE(pas-ha) the following is a temporary workaround for third-party CI
-# scripts that try to source Ansible's hacking/env-setup
-# after running this very script
-# TODO(pas-ha) remove after deprecation (in Pike?) and when third-party CIs
-# (in particular OPNFV) are fixed
-ANSIBLE_USER=$(id -nu)
-ANSIBLE_GROUP=$(id -ng)
-if [[ ! -d ${ANSIBLE_INSTALL_ROOT} ]]; then
- mkdir -p ${ANSIBLE_INSTALL_ROOT} || (sudo mkdir -p ${ANSIBLE_INSTALL_ROOT})
-fi
-sudo -H chown -R ${ANSIBLE_USER}:${ANSIBLE_GROUP} ${ANSIBLE_INSTALL_ROOT}
-
 # Install Collections
 if [[ -n "$ANSIBLE_COLLECTION_SOURCE_PATH" ]]; then
 echo "Using openstack ansible collection from $ANSIBLE_COLLECTION_SOURCE_PATH"
-elif [[ -z $BIFROST_COLLECTIONS_PATHS ]]; then
- echo "Installing ansible collections on default collections path"
- ${ANSIBLE_GALAXY} collection install -r ${ANSIBLE_COLLECTIONS_REQ}
 else
 echo "Installing ansible collections on $BIFROST_COLLECTIONS_PATHS"
 ${ANSIBLE_GALAXY} collection install -r ${ANSIBLE_COLLECTIONS_REQ} -p ${BIFROST_COLLECTIONS_PATHS}
diff --git a/scripts/install-deps.sh b/scripts/install-deps.sh
index 7157cef9a..ad917a3ea 100755
--- a/scripts/install-deps.sh
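Review bot: `${SUDO} ln -s "$ANSIBLE_COLLECTION_SOURCE_PATH" ...openstack/cloud` is not safe to re-run now that it executes as root: if `cloud` already exists from an earlier run as a link to the checkout directory, GNU `ln -s` without `-n` creates the new link inside the directory it points to, leaving a root-owned symlink in the developer's collection checkout — the tree the commit message says should stay user-writable. `${SUDO} ln -sfn "$ANSIBLE_COLLECTION_SOURCE_PATH" "$BIFROST_COLLECTIONS_PATHS/ansible_collections/openstack/cloud"` replaces the link in place instead. `SUDO` is not assigned anywhere in this script as far as the hunk shows (the patch defines it in install-deps.sh), so every privileged call here depends on that file having been sourced first; a guard such as `: "${SUDO:?install-deps.sh must be sourced first}"` near the `ANSIBLE_GALAXY=` line turns an unbound-variable abort or a confusing permission error into a clear message. The script continues past the end of the hunk.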
+++ b/scripts/install-deps.sh
@@ -107,17 +107,21 @@ if [ "${#EXTRA_PKG_DEPS[@]}" -ne 0 ]; then
 done
 fi
+SUDO="sudo -H -E"
+
 if [ ! -f ${VENV}/bin/activate ]; then
 echo "Creating a virtual environment"
 # only create venv if one doesn't exist
- sudo -H -E python3 -m venv --system-site-packages ${VENV}
- sudo -H -E chown -R ${USER} ${VENV}
+ ${SUDO} python3 -m venv --system-site-packages ${VENV}
 else
 echo "Virtual environment exists, skipping creation"
 # NOTE(dtantsur): place here any actions required to upgrade existing
 # virtual environments.
+
+ # The virtual environment used to be owned by the calling user. Upgrade.
+ ${SUDO} chown -R root:root ${VENV}
 fi
 # Note(cinerama): activate is not compatible with "set -u";
@@ -132,8 +136,8 @@ VIRTUAL_ENV=${VENV}
 # If we're using a venv, we need to work around sudo not
 # keeping the path even with -E.
-PYTHON="python3"
-PIP="${PYTHON} -m pip"
+PYTHON="${VENV}/bin/python3"
+PIP="${SUDO} ${PYTHON} -m pip"
 if [[ "${BIFROST_TRACE:-}" != true ]]; then
 PIP="$PIP --quiet"
 fi
diff --git a/scripts/test-bifrost.sh b/scripts/test-bifrost.sh
index fab429748..1a4b4a59e 100755
--- a/scripts/test-bifrost.sh
+++ b/scripts/test-bifrost.sh
@@ -5,7 +5,6 @@ set -euxo pipefail
 export PYTHONUNBUFFERED=1
 SCRIPT_HOME="$(cd "$(dirname "$0")" && pwd)"
 BIFROST_HOME=$SCRIPT_HOME/..
-ANSIBLE_INSTALL_ROOT=${ANSIBLE_INSTALL_ROOT:-/opt/stack}
 USE_DHCP="${USE_DHCP:-false}"
 BUILD_IMAGE="${BUILD_IMAGE:-false}"
 BAREMETAL_DATA_FILE=${BAREMETAL_DATA_FILE:-'/tmp/baremetal.json'}
diff --git a/tools/vagrant_dev_env/Vagrantfile b/tools/vagrant_dev_env/Vagrantfile
index 102d1631c..7a0eae6f8 100644
--- a/tools/vagrant_dev_env/Vagrantfile
+++ b/tools/vagrant_dev_env/Vagrantfile
@@ -3,7 +3,6 @@ VAGRANTFILE_API_VERSION = '2'
-ansible_install_root=(ENV['ANSIBLE_INSTALL_ROOT'] || "/opt/stack")
 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
 config.vm.box = 'generic/ubuntu1804'
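Review bot: `${SUDO} chown -R root:root ${VENV}` in the upgrade branch recurses into a tree that, once env-setup.sh has run, contains a symlink (`collections/ansible_collections/openstack/cloud`) pointing into the developer's source checkout; GNU chown dereferences symlinks by default unless `-h` is given, so on an upgraded environment this may hand the top of that checkout to root — the one tree the commit message says must stay writable. `${SUDO} chown -R -h root:root "${VENV}"` keeps the ownership change inside the venv, and quoting `VENV` avoids word splitting on an unusual path (the create branch passes the same unquoted `${VENV}` to `python3 -m venv`). Worth verifying on a pre-existing environment with a source collection linked in before merging.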
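Review bot: `PIP="${SUDO} ${PYTHON} -m pip"` now runs pip as root under `sudo -E`, so the invoking user's environment (for example `PIP_INDEX_URL`, `PIP_EXTRA_INDEX_URL`, `PYTHONPATH`) still decides what is installed into the root-owned venv; the directory is no longer user-writable, but its contents remain steered by user-controlled variables. Whether those variables actually reach root depends on the host's sudoers `env_reset`/`setenv` policy, so the installer will behave differently between hosts. If the set of variables pip needs is known, `sudo -H --preserve-env=VAR1,VAR2` (sudo 1.8.21+) narrows the pass-through; otherwise a comment at the `SUDO=` definition stating that `-E` is intentional and which variables it is meant to carry would help the next reader.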
@@ -28,14 +27,10 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
 lv.volume_cache = 'none'
 end
- # If ANSIBLE_INSTALL_ROOT is available, set that value inside the VM
- if ENV['ANSIBLE_INSTALL_ROOT']
- bifrost.vm.provision "shell", inline: <<-SHELL
- echo "export ANSIBLE_INSTALL_ROOT=#{ENV['ANSIBLE_INSTALL_ROOT']}" >> /etc/profile.d/ansible-root.sh
- echo "if [ \"$IFACE\" = \"eth0\" ]; then route del default dev eth0 ; fi" >> /etc/network/if-up.d
- echo "[Match]\nName=eth0\n[Network]\nDHCP=yes\n[DHCP]\nUseRoutes=false" >>/etc/systemd/network/no-default-route.network
- SHELL
- end
+ bifrost.vm.provision "shell", inline: <<-SHELL
+ echo "if [ \"$IFACE\" = \"eth0\" ]; then route del default dev eth0 ; fi" >> /etc/network/if-up.d
+ echo "[Match]\nName=eth0\n[Network]\nDHCP=yes\n[DHCP]\nUseRoutes=false" >>/etc/systemd/network/no-default-route.network
+ SHELL
 # Set up private NAT'd network
 bifrost.vm.network 'private_network', ip: '192.168.99.10', use_dhcp_assigned_default_route: false
@@ -58,7 +53,6 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
 ansible.playbook = 'vagrant.yml'
 ansible.extra_vars = {
 # set key file name here
- ansible_install_root: ansible_install_root,
 public_key: 'id_rsa.pub',
 # Edit the network_interface to match your needs:
 # eth0 - connected to a Nat network
diff --git a/tools/vagrant_dev_env/vagrant.yml b/tools/vagrant_dev_env/vagrant.yml
index 3232fc3d6..bda7b2185 100644
--- a/tools/vagrant_dev_env/vagrant.yml
+++ b/tools/vagrant_dev_env/vagrant.yml
@@ -81,13 +81,9 @@
 - name: Ensure /opt/stack folder exists
 file: path=/opt/stack state=directory owner=vagrant
- - name: Ensure ansible root folder exists
- file: path={{ansible_install_root}} state=directory owner=vagrant
-
 - name: Prepare VM for Bifrost
 command: scripts/env-setup.sh
 environment:
- ANSIBLE_INSTALL_ROOT: "{{ansible_install_root}}"
 LANG: c
 VENV: "/opt/stack/bifrost"
 args:
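Review bot: `$IFACE` in the first new `echo` line is expanded by the provisioning shell at `vagrant up` time, not by the if-up hook it is meant to produce: the unquoted Ruby heredoc (`<<-SHELL`) turns `\"` into plain `"`, and even inside a double-quoted shell string `$IFACE` is substituted immediately, so the written test degenerates to `if [  = eth0 ]`. On Debian-based boxes such as `generic/ubuntu1804`, `/etc/network/if-up.d` is normally a directory, so the `>>` redirection fails outright; the hook belongs in an executable file inside that directory. A single-quoted shell string sidesteps both the Ruby and the shell escaping: `echo 'if [ "$IFACE" = "eth0" ]; then route del default dev eth0 ; fi' > /etc/network/if-up.d/<hook-name>` followed by `chmod +x /etc/network/if-up.d/<hook-name>` (name to be chosen). The `\n` escapes on the second line are likewise consumed by Ruby, which happens to yield the intended newlines; a comment saying so would stop the next reader from "fixing" it. These issues pre-date the patch, but dropping the `ENV['ANSIBLE_INSTALL_ROOT']` guard means the block now runs on every `vagrant up`, and both `>>` appends accumulate on re-provisioning.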