Graham Hayes gr at ham.ie
Tue Jun 4 16:23:46 UTC 2019

On 04/06/2019 16:47, Jeremy Stanley wrote:
> On 2019-06-04 07:30:11 -0700 (-0700), Clark Boylan wrote:
>> On Tue, Jun 4, 2019, at 1:01 AM, Sorin Sbarnea wrote:
>>> I am in favour of ditching or at least refactoring devstack because
>>> during the last year I often found myself blocked from fixing some
>>> zuul/jobs issues because the buggy code was still required by legacy
>>> devstack jobs that nobody had time to maintain or fix, so they were
>>> isolated and the default job configurations were forced to use the
>>> dirty hacks needed for keeping these working.
>>> One such example is that there is a task that does a "chmod -R 0777 -R"
>>> on the entire source tree, a total security threat.
>> This is needed by devstack-gate and *not* devstack. We have been
>> trying now for almost two years to get people to stop using
>> devstack-gate in favor of the zuul v3 jobs. Please don't conflate
>> this with devstack itself, it is not related and not relevant to
>> this discussion.
> [...]
> Unfortunately this is not entirely the case. It's likely that the
> chmod workaround in question is only needed by legacy jobs using the
> deprecated devstack-gate wrappers, but it's actually being done by
> the fetch-zuul-cloner role[0] from zuul-jobs which is incorporated
> in our base job[1]. I agree that the solution is to stop using
> devstack-gate (and the old zuul-cloner v2 compatibility shim for
> that matter), but for it to have the effect of removing the problem
> permissions we also need to move the fetch-zuul-cloner role out of
> our base job. I fully expect this will be a widely-disruptive change
> due to newer or converted jobs, which are no longer inheriting from
> legacy-base or legacy-dsvm-base in openstack-zuul-jobs[2], retaining
> a dependency on this behavior. But the longer we wait, the worse
> that is going to get.

I have been trying to limit this behaviour for nearly 4 years [3]
(it can actually add 10-15 mins sometimes, depending on what source trees
I have mounted via NFS into a devstack VM when doing dev).

> [0] https://opendev.org/zuul/zuul-jobs/src/commit/2f2d6ce3f7a0687fc8f655abc168d7afbfaf11aa/roles/fetch-zuul-cloner/tasks/main.yaml#L19-L25
> [1] https://opendev.org/opendev/base-jobs/src/commit/dbb56dda99e8e2346b22479b4dae97a8fc137217/playbooks/base/pre.yaml#L38
> [2] https://opendev.org/openstack/openstack-zuul-jobs/src/commit/a7aa530a6059b464b32df69509e3001dc97e2aed/zuul.d/jobs.yaml#L951-L1097
[3] - https://review.opendev.org/#/c/203698

