Open Stack

On Tue, 2019-06-04 at 17:23 +0100, Graham Hayes wrote:
> On 04/06/2019 16:47, Jeremy Stanley wrote:
> > On 2019-06-04 07:30:11 -0700 (-0700), Clark Boylan wrote:
> > > On Tue, Jun 4, 2019, at 1:01 AM, Sorin Sbarnea wrote:
> > > > I am in favour of ditching or at least refactoring devstack because
> > > > during the last year I often found myself blocked from fixing some
> > > > zuul/jobs issues because the buggy code was still required by legacy
> > > > devstack jobs that nobody had time maintain or fix, so they were
> > > > isolated and the default job configurations were forced to use dirty
> > > > hack needed for keeping these working.
> > > > 
> > > > One such example is that there is a task that does a "chmod -R 0777 -R"
> > > > on the entire source tree, a total security threat.
> > > 
> > > This is needed by devstack-gate and *not* devstack. We have been
> > > trying now for almost two years to get people to stop using
> > > devstack-gate in favor of the zuul v3 jobs. Please don't conflate
> > > this with devstack itself, it is not related and not relevant to
> > > this discussion.
> > 
> > [...]
> > 
> > Unfortunately this is not entirely the case. It's likely that the
> > chmod workaround in question is only needed by legacy jobs using the
> > deprecated devstack-gate wrappers, but it's actually being done by
> > the fetch-zuul-cloner role[0] from zuul-jobs which is incorporated
> > in our base job[1]. I agree that the solution is to stop using
> > devstack-gate (and the old zuul-cloner v2 compatibility shim for
> > that matter), but for it to have the effect of removing the problem
> > permissions we also need to move the fetch-zuul-cloner role out of
> > our base job. I fully expect this will be a widely-disruptive change
> > due to newer or converted jobs, which are no longer inheriting from
> > legacy-base or legacy-dsvm-base in openstack-zuul-jobs[2], retaining
> > a dependency on this behavior. But the longer we wait, the worse
> > that is going to get.
> 
> I have been trying to limit this behaviour for nearly 4 years [3]
> (it can actually add 10-15 mins sometimes depending on what source trees
> I have mounted via NFS into a devstack VM when doing dev)
without looking into it i assuem this doeing this so that the stack user can read/execute scipts in the
different git repos but chown -R stack:stack would be sainer.

in anycase this is still a ci issue not a devstack one as devstack does not do this iteslf.
by defualt it clones the repos if they dont exist as the current user so you dont need to change permissions.

> > [0] 
> > https://opendev.org/zuul/zuul-jobs/src/commit/2f2d6ce3f7a0687fc8f655abc168d7afbfaf11aa/roles/fetch-zuul-cloner/tasks/main.yaml#L19-L25
> > [1] 
> > https://opendev.org/opendev/base-jobs/src/commit/dbb56dda99e8e2346b22479b4dae97a8fc137217/playbooks/base/pre.yaml#L38
> > [2] 
> > https://opendev.org/openstack/openstack-zuul-jobs/src/commit/a7aa530a6059b464b32df69509e3001dc97e2aed/zuul.d/jobs.yaml#L951-L1097
> > 
> 
> [3] - https://review.opendev.org/#/c/203698
>