[qa][openstack-ansible] redefining devstack

Jeremy Stanley fungi at yuggoth.org
Tue Jun 4 15:47:26 UTC 2019


On 2019-06-04 07:30:11 -0700 (-0700), Clark Boylan wrote:
> On Tue, Jun 4, 2019, at 1:01 AM, Sorin Sbarnea wrote:
> > I am in favour of ditching or at least refactoring devstack because
> > during the last year I often found myself blocked from fixing some
> > zuul/jobs issues because the buggy code was still required by legacy
> > devstack jobs that nobody had time to maintain or fix, so they were
> > isolated and the default job configurations were forced to use dirty
> > hacks needed for keeping these working.
> > 
> > One such example is that there is a task that does a "chmod -R 0777 -R"
> > on the entire source tree, a total security threat.
> 
> This is needed by devstack-gate and *not* devstack. We have been
> trying now for almost two years to get people to stop using
> devstack-gate in favor of the zuul v3 jobs. Please don't conflate
> this with devstack itself, it is not related and not relevant to
> this discussion.
[...]

Unfortunately this is not entirely the case. It's likely that the
chmod workaround in question is only needed by legacy jobs using the
deprecated devstack-gate wrappers, but it's actually being done by
the fetch-zuul-cloner role[0] from zuul-jobs which is incorporated
in our base job[1]. I agree that the solution is to stop using
devstack-gate (and the old zuul-cloner v2 compatibility shim for
that matter), but for it to have the effect of removing the problem
permissions we also need to move the fetch-zuul-cloner role out of
our base job. I fully expect this will be a widely-disruptive change
due to newer or converted jobs, which are no longer inheriting from
legacy-base or legacy-dsvm-base in openstack-zuul-jobs[2], retaining
a dependency on this behavior. But the longer we wait, the worse
that is going to get.

[0] https://opendev.org/zuul/zuul-jobs/src/commit/2f2d6ce3f7a0687fc8f655abc168d7afbfaf11aa/roles/fetch-zuul-cloner/tasks/main.yaml#L19-L25
[1] https://opendev.org/opendev/base-jobs/src/commit/dbb56dda99e8e2346b22479b4dae97a8fc137217/playbooks/base/pre.yaml#L38
[2] https://opendev.org/openstack/openstack-zuul-jobs/src/commit/a7aa530a6059b464b32df69509e3001dc97e2aed/zuul.d/jobs.yaml#L951-L1097
-- 
Jeremy Stanley
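
An added example, not part of the original message or of zuul-jobs: a Python audit that lists the world-writable paths a recursive 0777 chmod like the one discussed above leaves in a checked-out source tree, and clears only the other-write bit. The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile


def world_writable(root):
    """Return sorted (relative path, octal mode) for paths any local user can write."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Check the directory itself plus its files; subdirectories are
        # checked when os.walk descends into them.
        for path in [dirpath] + [os.path.join(dirpath, n) for n in filenames]:
            st = os.lstat(path)
            # Symlink modes are always 0777 on Linux and carry no meaning.
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                findings.append((os.path.relpath(path, root), oct(mode)))
    return sorted(findings)


def tighten(root):
    """Clear only the other-write bit; owner and group bits stay as they were."""
    targets = world_writable(root)
    for rel, _mode in targets:
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~stat.S_IWOTH)
    return len(targets)


def build_sample_tree():
    """Constructed sample: one directory and one file left at 0777."""
    root = tempfile.mkdtemp(prefix="src-")
    os.makedirs(os.path.join(root, "pkg"))
    for rel in ("setup.py", os.path.join("pkg", "mod.py")):
        with open(os.path.join(root, rel), "w") as handle:
            handle.write("# constructed sample file\n")
    os.chmod(os.path.join(root, "setup.py"), 0o644)
    os.chmod(os.path.join(root, "pkg"), 0o777)
    os.chmod(os.path.join(root, "pkg", "mod.py"), 0o777)
    os.symlink("setup.py", os.path.join(root, "link"))  # must be skipped
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for rel, mode in world_writable(tree):
        print(f"{mode} {rel}")
    print("tightened:", tighten(tree))
```

Running the listing step alone at the end of a converted job shows whether the workspace still carries the permissive modes before anything is changed.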