Open Stack

On Tue, Apr 12, 2022 at 05:05:22PM -0700, Michael Johnson wrote:
65;6602;1c> tldr: All devstack based jobs are going to fail with newer versions of
> git - don't bother rechecking
> 
> git has released a security fix [1] that is starting to roll out in
> distributions (Ubuntu focal for example) that will cause pbr to be
> unable to access the package metadata for packages checked out locally
> due to the directory ownership used in devstack.

This turns out to be annoyingly complicated.

Since devstack checks out all code as "stack" and then installs
globally with "sudo pip install -e ...", pbr will be running in a
directory owned by "stack" as root and its git calls will hit this
failure.

If we make the code directories owned by root, we now have additional
problems.  Several places do things in the code repositories --
e.g. setup virtualenvs, run ./tools/*.sh scripts to generate sample
config files and run tox as "stack" (tox then tries to install the
source tree in it's virtualenv -- if it's owned by root -- again --
failure).

I explored a bunch of these options in

  https://review.opendev.org/c/openstack/devstack/+/837636

and anyone feel free to take over that and keep trying.

The other option is to use the new config flag to mark our checkouts
as safe.  This is obviously simpler, but it seems like a very ugly
thing for a nominally generic tool like devstack to do to your global
git config.  This is done with

  https://review.opendev.org/c/openstack/devstack/+/837659

and appears to work; but will need backporting for grenade if we want
to take this path.

When this kicked off I sent in a link to HN thinking that thanks to
our very upstream focused CI we were likely some of the first to hit
this; it's currently the top post so I think that is accurate that
this is having wide impact:

  https://news.ycombinator.com/item?id=31009675

It is probably worth keeping one eye on upstream for any developments
that might change our options.

-i