[all] Devstack jobs are failing due to a git security fix

Jeremy Stanley fungi at yuggoth.org
Wed Apr 13 11:59:20 UTC 2022


On 2022-04-13 17:11:27 +1000 (+1000), Ian Wienand wrote:
[...]
> Since devstack checks out all code as "stack" and then installs
> globally with "sudo pip install -e ...", pbr will be running in a
> directory owned by "stack" as root and its git calls will hit this
> failure.
> 
> If we make the code directories owned by root, we now have additional
> problems.  Several places do things in the code repositories --
> e.g. setup virtualenvs, run ./tools/*.sh scripts to generate sample
> config files and run tox as "stack" (tox then tries to install the
> source tree in its virtualenv -- if it's owned by root -- again --
> failure).
[...]

Forgive me as caffeine is still finding its way into my veins, but
it has occurred to me that the error is occurring because we're
calling PBR (and thus Git) while installing the software, when
that's not strictly necessary. It happens because we're taking
advantage of pip's ability to call out to a build process before
installing, but we can always separate building and installing. The
former doesn't need root privs, and the latter doesn't need to call
PBR/Git.

Update the install-from-source routine to build a wheel as stack and
then only sudo pip install the resulting wheel.
-- 
Jeremy Stanley
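As an added example (not from this thread or from devstack itself), here is a two-phase install-from-source routine along the lines proposed above: the wheel is built as the repository owner, so pbr's git calls run in a directory that user owns, and only the resulting wheel is installed under sudo. The function names and the `SUDO` / `WHEEL_OPTS` variables are my own choices, not devstack's.

```shell
#!/bin/sh
# Two-phase install: build as the unprivileged repo owner, install as root.
# Phase 1 is where pbr (and therefore git) runs, so it must happen as the
# user who owns the checkout. Phase 2 never touches git or pbr.

# Return 0 when the invoking user owns $1. Git (and so pbr) only reads
# repository metadata when the repo is owned by the user running it.
owned_by_me() {
    owner=$(stat -c %u "$1" 2>/dev/null || stat -f %u "$1")
    [ "$owner" = "$(id -u)" ]
}

# Build a wheel from source tree $1 into directory $2. Dependencies are not
# resolved here; this step only exists to let pbr generate version
# metadata from git while running as the repository owner.
# WHEEL_OPTS (hypothetical) lets a caller pass e.g. --no-build-isolation.
build_wheel() {
    src=$1
    dist=$2
    owned_by_me "$src" || {
        echo "refusing to build: $src is not owned by $(id -un)" >&2
        return 1
    }
    mkdir -p "$dist"
    python3 -m pip wheel ${WHEEL_OPTS-} --no-deps -w "$dist" "$src" >/dev/null
    ls "$dist"/*.whl
}

# Install every wheel in $1 with elevated privileges. SUDO is overridable
# (hypothetical knob) so the function can be exercised without root.
install_wheels() {
    dist=$1
    ${SUDO-sudo} python3 -m pip install --no-deps "$dist"/*.whl
}

# The replacement for a "sudo pip install -e <src>" call.
install_from_source() {
    src=$1
    dist=$(mktemp -d)
    build_wheel "$src" "$dist" >/dev/null || return 1
    install_wheels "$dist"
    rm -rf "$dist"
}
```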