Mark our source trees as safe for git to use as other users
git commit [1] introduced a new behaviour to work around a CVE that disallows any git operations in directories not owned by the current user. This may seem unrelated to installation, but it plays havoc with PBR, which calls out to git to get to get revision history. So if you are "pip install"-ing from a source tree you don't own, the PBR git calls in that tree now fail and the install blows up. This plays havoc with our model. Firstly, we checkout all code as "stack" then install it globally with "sudo" (i.e. root) -- which breaks. We also have cases of essentially the opposite -- checkouts we have installed as root, but then run tox in them as a regular user; tox wants to install the source in its venv but now we have another user conflict. This uses the only available configuration option to avoid that by globally setting the source directories we clone as safe. This is an encroachment of the global system for sure, but is about the only switch available at the moment. For discussion of other approaches, see [2]. Related-Bug: https://bugs.launchpad.net/devstack/+bug/1968798 [1]8959555cee[2] https://review.opendev.org/c/openstack/devstack/+/837636 Note: this backport adds removal of grenade jobs from gate and sets the check jobs to non voting as the previous branch is EM. When that happens we no longer expect grenade to be able to upgrade from the previous branch. Change-Id: Ib9896a99b6d6c4d359ee412743ce30512b3c4fb7 (cherry picked from commit676dcaf944)
This commit is contained in:
Ian Wienand
committed by
Clark Boylan
Clark Boylan
parent
c490f394a5
commit
9c399a865d
22
.zuul.yaml
22
.zuul.yaml
@@ -635,7 +635,9 @@
|
||||
|
||||
- project:
|
||||
templates:
|
||||
- integrated-gate-py3
|
||||
# Note(frickler): No longer use this global template since we no
|
||||
# longer gate on grenade
|
||||
# - integrated-gate-py3
|
||||
- publish-openstack-docs-pti
|
||||
check:
|
||||
jobs:
|
||||
@@ -656,10 +658,12 @@
|
||||
voting: false
|
||||
irrelevant-files: *dsvm-irrelevant-files
|
||||
- grenade:
|
||||
voting: false
|
||||
irrelevant-files:
|
||||
- ^.*\.rst$
|
||||
- ^doc/.*$
|
||||
- neutron-grenade-multinode:
|
||||
voting: false
|
||||
irrelevant-files:
|
||||
- ^.*\.rst$
|
||||
- ^doc/.*$
|
||||
@@ -702,18 +706,18 @@
|
||||
- devstack-multinode
|
||||
- devstack-unit-tests
|
||||
- openstack-tox-bashate
|
||||
- neutron-grenade-multinode:
|
||||
irrelevant-files:
|
||||
- ^.*\.rst$
|
||||
- ^doc/.*$
|
||||
#- neutron-grenade-multinode:
|
||||
# irrelevant-files:
|
||||
# - ^.*\.rst$
|
||||
# - ^doc/.*$
|
||||
- neutron-tempest-linuxbridge:
|
||||
irrelevant-files:
|
||||
- ^.*\.rst$
|
||||
- ^doc/.*$
|
||||
- grenade:
|
||||
irrelevant-files:
|
||||
- ^.*\.rst$
|
||||
- ^doc/.*$
|
||||
#- grenade:
|
||||
# irrelevant-files:
|
||||
# - ^.*\.rst$
|
||||
# - ^doc/.*$
|
||||
- openstacksdk-functional-devstack:
|
||||
irrelevant-files:
|
||||
- ^.*\.rst$
|
||||
|
||||
@@ -590,6 +590,13 @@ function git_clone {
|
||||
fi
|
||||
fi
|
||||
|
||||
# NOTE(ianw) 2022-04-13 : commit [1] has broken many assumptions
|
||||
# about how we clone and work with repos. Mark them safe globally
|
||||
# as a work-around.
|
||||
#
|
||||
# [1] https://github.com/git/git/commit/8959555cee7ec045958f9b6dd62e541affb7e7d9
|
||||
sudo git config --global --add safe.directory ${git_dest}
|
||||
|
||||
# print out the results so we know what change was used in the logs
|
||||
cd $git_dest
|
||||
git show --oneline | head -1
|
||||
|
||||
Reference in New Issue
Block a user