[TripleO] gate blocker - impacting all quickstart-based jobs - openstack-ansible-os_tempest

Marios Andreou marios at redhat.com
Mon Apr 4 12:58:19 UTC 2022


On Mon, Apr 4, 2022 at 3:52 PM Jiri Podivin <jpodivin at redhat.com> wrote:

> Right, makes sense.
>
> On Mon, Apr 4, 2022 at 2:47 PM Marios Andreou <marios at redhat.com> wrote:
>
>>
>>
>> On Mon, Apr 4, 2022 at 3:36 PM Jiri Podivin <jpodivin at redhat.com> wrote:
>>
>>> I understand.
>>> The question is how far back, if at all, should we backport the change.
>>> Provided that it is merged into master of course.
>>>
>>>
>> well the proposed fix on our side is in the ci tooling
>> https://review.opendev.org/c/openstack/tripleo-quickstart/+/836104  and
>> that repo is branchless so we should be good
>>
>>
>>
>>
>>>
>>> On Mon, Apr 4, 2022 at 2:21 PM Jeremy Stanley <fungi at yuggoth.org> wrote:
>>>
>>>> On 2022-04-04 09:35:39 +0300 (+0300), Marios Andreou wrote:
>>>> [...]
>>>> > In this particular case, we can get away with installing the
>>>> > ansible galaxy collections because we have 'nested' ansible so
>>>> > something like zuul (ansible) calling bash (tripleo-quickstart)
>>>> > calling ansible.  There are other cases (zuul/ansible 'native',
>>>> > not nested) where we have to install such dependencies as python
>>>> > utilities because of the security concerns around allowing
>>>> > collections to be installed on the ansible controller (e.g. see
>>>> >
>>>> http://lists.zuul-ci.org/pipermail/zuul-discuss/2021-November/001752.html
>>>> ).
>>>> [...]
>>>>
>>>> We hope this will get simpler soon as we work toward Zuul v6:
>>>>
>>>>
>>>> https://zuul-ci.org/docs/zuul/latest/developer/specs/unrestricted-ansible.html
>>>>
>>>>
forgot to add thanks for the pointer fungi - interesting - from a quick
skim it doesn't appear to be completely unrestricted but will allow you to
add some files/roles/collections into a special ("bubblewrap") env ? adding
to reading list for more careful scanning later ;)

regards, marios



> --
>>>> Jeremy Stanley
>>>>
>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20220404/0f10d822/attachment.htm>


More information about the openstack-discuss mailing list