Merge "Isolate Ansible from the deployment host"
This commit is contained in:
commit
36492536f1
9
releasenotes/notes/isolate-ansible-3e8fcfdff9962a9b.yaml
Normal file
9
releasenotes/notes/isolate-ansible-3e8fcfdff9962a9b.yaml
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- To ensure the deployment system remains clean the Ansible execution environment is
|
||||||
|
contained within a virtual environment. The virtual environment is created at
|
||||||
|
"/opt/ansible-runtime" and the "ansible.*" CLI commands are linked within /usr/local/bin
|
||||||
|
to ensure there is no interruption in the deployer workflow.
|
||||||
|
deprecations:
|
||||||
|
- Installation of Ansible on the root system, outside of a virtual environment, will
|
||||||
|
no longer be supported.
|
@ -1,5 +1,8 @@
|
|||||||
netaddr>=0.7.12 # playbooks/inventory/dynamic_inventory.py
|
netaddr>=0.7.12 # playbooks/inventory/dynamic_inventory.py
|
||||||
PrettyTable>=0.7,<0.8 # scripts/inventory-manage.py
|
PrettyTable>=0.7,<0.8 # scripts/inventory-manage.py
|
||||||
|
pycrypto>=2.6 # scripts/pw-token-gen.py
|
||||||
|
PyYAML>=3.1.0 # scripts/pw-token-gen.py
|
||||||
|
virtualenv>=14.0.0 # Used for Ansible isolation
|
||||||
###
|
###
|
||||||
### These are pinned to ensure exactly the same behaviour forever! ###
|
### These are pinned to ensure exactly the same behaviour forever! ###
|
||||||
### These pins are updated through the sources-branch-updater script ###
|
### These pins are updated through the sources-branch-updater script ###
|
||||||
|
@ -83,17 +83,25 @@ if [ ! $(which "$PIP_COMMAND") ]; then
|
|||||||
PIP_COMMAND=pip
|
PIP_COMMAND=pip
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Install requirements if there are any
|
|
||||||
if [ -f "requirements.txt" ];then
|
|
||||||
# When upgrading there will already be a pip.conf file locking pip down to the repo server, in such cases it may be
|
|
||||||
# necessary to use --isolated because the repo server does not meet the specified requirements.
|
|
||||||
$PIP_COMMAND install $PIP_OPTS -r requirements.txt || $PIP_COMMAND install --isolated $PIP_OPTS -r requirements.txt
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Install ansible
|
|
||||||
# When upgrading there will already be a pip.conf file locking pip down to the repo server, in such cases it may be
|
# When upgrading there will already be a pip.conf file locking pip down to the repo server, in such cases it may be
|
||||||
# necessary to use --isolated because the repo server does not meet the specified requirements.
|
# necessary to use --isolated because the repo server does not meet the specified requirements.
|
||||||
$PIP_COMMAND install $PIP_OPTS "${ANSIBLE_WORKING_DIR}" || $PIP_COMMAND install --isolated $PIP_OPTS "${ANSIBLE_WORKING_DIR}"
|
$PIP_COMMAND install $PIP_OPTS -r requirements.txt || $PIP_COMMAND install --isolated $PIP_OPTS -r requirements.txt
|
||||||
|
|
||||||
|
# Create a Virtualenv for the Ansible runtime
|
||||||
|
PYTHON_EXEC_PATH="$(which python2 || which python)"
|
||||||
|
virtualenv --always-copy --system-site-packages --python="${PYTHON_EXEC_PATH}" /opt/ansible-runtime
|
||||||
|
|
||||||
|
# Install ansible
|
||||||
|
PIP_OPTS+=" --upgrade"
|
||||||
|
PIP_COMMAND="/opt/ansible-runtime/bin/pip"
|
||||||
|
# When upgrading there will already be a pip.conf file locking pip down to the repo server, in such cases it may be
|
||||||
|
# necessary to use --isolated because the repo server does not meet the specified requirements.
|
||||||
|
$PIP_COMMAND install $PIP_OPTS -r requirements.txt "${ANSIBLE_WORKING_DIR}" || $PIP_COMMAND install --isolated $PIP_OPTS "${ANSIBLE_WORKING_DIR}"
|
||||||
|
|
||||||
|
# Link the venv installation of Ansible to the local path
|
||||||
|
pushd /usr/local/bin
|
||||||
|
find /opt/ansible-runtime/bin/ -name 'ansible*' -exec ln -sf {} \;
|
||||||
|
popd
|
||||||
|
|
||||||
# Update dependent roles
|
# Update dependent roles
|
||||||
if [ -f "${ANSIBLE_ROLE_FILE}" ]; then
|
if [ -f "${ANSIBLE_ROLE_FILE}" ]; then
|
||||||
|
@ -7,6 +7,7 @@ hacking>=0.10.0,<0.11
|
|||||||
mccabe==0.2.1 # capped for flake8
|
mccabe==0.2.1 # capped for flake8
|
||||||
pep8==1.5.7
|
pep8==1.5.7
|
||||||
pyflakes==0.8.1
|
pyflakes==0.8.1
|
||||||
|
virtualenv>=14.0.0
|
||||||
|
|
||||||
# this is required for the docs build jobs
|
# this is required for the docs build jobs
|
||||||
sphinx!=1.2.0,!=1.3b1,<1.3,>=1.1.2
|
sphinx!=1.2.0,!=1.3b1,<1.3,>=1.1.2
|
||||||
|
Loading…
Reference in New Issue
Block a user