[qa][openstack-ansible] redefining devstack
gr at ham.ie
Tue Jun 4 16:23:46 UTC 2019
On 04/06/2019 16:47, Jeremy Stanley wrote:
> On 2019-06-04 07:30:11 -0700 (-0700), Clark Boylan wrote:
>> On Tue, Jun 4, 2019, at 1:01 AM, Sorin Sbarnea wrote:
>>> I am in favour of ditching or at least refactoring devstack because
>>> during the last year I often found myself blocked from fixing some
>>> zuul/jobs issues because the buggy code was still required by legacy
>>> devstack jobs that nobody had time maintain or fix, so they were
>>> isolated and the default job configurations were forced to use dirty
>>> hack needed for keeping these working.
>>> One such example is that there is a task that does a "chmod -R 0777 -R"
>>> on the entire source tree, a total security threat.
>> This is needed by devstack-gate and *not* devstack. We have been
>> trying now for almost two years to get people to stop using
>> devstack-gate in favor of the zuul v3 jobs. Please don't conflate
>> this with devstack itself, it is not related and not relevant to
>> this discussion.
> Unfortunately this is not entirely the case. It's likely that the
> chmod workaround in question is only needed by legacy jobs using the
> deprecated devstack-gate wrappers, but it's actually being done by
> the fetch-zuul-cloner role from zuul-jobs which is incorporated
> in our base job. I agree that the solution is to stop using
> devstack-gate (and the old zuul-cloner v2 compatibility shim for
> that matter), but for it to have the effect of removing the problem
> permissions we also need to move the fetch-zuul-cloner role out of
> our base job. I fully expect this will be a widely-disruptive change
> due to newer or converted jobs, which are no longer inheriting from
> legacy-base or legacy-dsvm-base in openstack-zuul-jobs, retaining
> a dependency on this behavior. But the longer we wait, the worse
> that is going to get.
I have been trying to limit this behaviour for nearly 4 years 
(it can actually add 10-15 mins sometimes depending on what source trees
I have mounted via NFS into a devstack VM when doing dev)
>  https://opendev.org/zuul/zuul-jobs/src/commit/2f2d6ce3f7a0687fc8f655abc168d7afbfaf11aa/roles/fetch-zuul-cloner/tasks/main.yaml#L19-L25
>  https://opendev.org/opendev/base-jobs/src/commit/dbb56dda99e8e2346b22479b4dae97a8fc137217/playbooks/base/pre.yaml#L38
>  https://opendev.org/openstack/openstack-zuul-jobs/src/commit/a7aa530a6059b464b32df69509e3001dc97e2aed/zuul.d/jobs.yaml#L951-L1097
 - https://review.opendev.org/#/c/203698
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 488 bytes
Desc: OpenPGP digital signature
More information about the openstack-discuss