From 62fa3cc5f2434d58cccf782f526a9eed036e9a9c Mon Sep 17 00:00:00 2001 From: Jimmy McCrory Date: Wed, 16 Nov 2016 09:36:19 -0800 Subject: [PATCH] Use https to retrieve upper-constraints For consistency with independent roles' testing and increased security, use https to retrieve the upper-constraints.txt file when the Python version available has native support for SNI. Change-Id: I60dd9955a223ded35259f91742071e4f0575c303
---
 playbooks/common-tasks/set-upper-constraints.yml | 8 +++++++-
 scripts/bootstrap-ansible.sh | 7 +++++--
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/playbooks/common-tasks/set-upper-constraints.yml b/playbooks/common-tasks/set-upper-constraints.yml
index 3f3c0fc4d1..329b8f869c 100644
--- a/playbooks/common-tasks/set-upper-constraints.yml
+++ b/playbooks/common-tasks/set-upper-constraints.yml
@@ -37,9 +37,15 @@
 dest: "/opt/global-requirement-pins.txt"
 when: (upper_constraints_check.status | default(503)) != 200
+# Use https when Python with native SNI support is available
+- name: Set pip install upper constraints protocol
+ set_fact:
+ pip_install_upper_constraints_proto: "{{ ansible_python_version | version_compare('2.7.9', '>=') | ternary('https','http') }}"
+ when: (upper_constraints_check.status | default(503)) != 200
+
 - name: Set pip install upper constraints
 set_fact:
 pip_install_upper_constraints: >-
 /opt/global-requirement-pins.txt
- --constraint http://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt?id={{ requirements_git_install_branch | regex_replace(' #.*$','') }}
+ --constraint {{ pip_install_upper_constraints_proto }}://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt?id={{ requirements_git_install_branch | regex_replace(' #.*$','') }}
 when: (upper_constraints_check.status | default(503)) != 200
diff --git a/scripts/bootstrap-ansible.sh b/scripts/bootstrap-ansible.sh
index c79b7e32e9..f8eddce7d2 100755
--- a/scripts/bootstrap-ansible.sh
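Review bot: The `ternary('https','http')` in the new "Set pip install upper constraints protocol" task still sends hosts with Python older than 2.7.9 to plain http, and nothing in the play output records that the downgrade happened. The resulting URL is handed to pip as `--constraint`, so on those hosts the version pins arrive without transport integrity and could be altered in transit. At minimum, state this next to the task, e.g. `# NOTE: falls back to plain http (no transport integrity) when Python < 2.7.9`, and consider a warning task under the same `when` so the fallback shows up in logs. The same silent fallback exists in the `UPPER_CONSTRAINTS_PROTO` line added to scripts/bootstrap-ansible.sh.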
+++ b/scripts/bootstrap-ansible.sh
@@ -26,8 +26,12 @@ export ANSIBLE_PACKAGE=${ANSIBLE_PACKAGE:-"git+https://github.com/ansible/ansibl
 export ANSIBLE_ROLE_FILE=${ANSIBLE_ROLE_FILE:-"ansible-role-requirements.yml"}
 export SSH_DIR=${SSH_DIR:-"/root/.ssh"}
 export DEBIAN_FRONTEND=${DEBIAN_FRONTEND:-"noninteractive"}
+PYTHON_EXEC_PATH="$(which python2 || which python)"
+PYTHON_VERSION="$($PYTHON_EXEC_PATH -c 'import sys; print(".".join(map(str, sys.version_info[:3])))')"
+# Use https when Python with native SNI support is available
+UPPER_CONSTRAINTS_PROTO=$([ "$PYTHON_VERSION" == $(echo -e "$PYTHON_VERSION\n2.7.9" | sort -V | tail -1) ] && echo "https" || echo "http")
 # Set the location of the constraints to use for all pip installations
-export UPPER_CONSTRAINTS_FILE=${UPPER_CONSTRAINTS_FILE:-"http://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt?id=$(awk '/requirements_git_install_branch:/ {print $2}' playbooks/defaults/repo_packages/openstack_services.yml)"}
+export UPPER_CONSTRAINTS_FILE=${UPPER_CONSTRAINTS_FILE:-"$UPPER_CONSTRAINTS_PROTO://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt?id=$(awk '/requirements_git_install_branch:/ {print $2}' playbooks/defaults/repo_packages/openstack_services.yml)"}
 # Set the role fetch mode to any option [galaxy, git-clone]
 export ANSIBLE_ROLE_FETCH_MODE=${ANSIBLE_ROLE_FETCH_MODE:-galaxy}
 # virtualenv vars
@@ -95,7 +99,6 @@ elif [ -n "$HTTP_PROXY" ]; then
 fi
 # Create a Virtualenv for the Ansible runtime
-PYTHON_EXEC_PATH="$(which python2 || which python)"
 virtualenv --clear ${VIRTUALENV_OPTIONS} --system-site-packages --python="${PYTHON_EXEC_PATH}" /opt/ansible-runtime
 # The vars used to prepare the Ansible runtime venv
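Review bot: If neither `which` call finds an interpreter, `PYTHON_EXEC_PATH` and then `PYTHON_VERSION` are empty, the `[ ... ]` test on the `UPPER_CONSTRAINTS_PROTO` line is false, and the script selects http without any message. The last hunk removes the later assignment that sat just before the `virtualenv` call, so detection now runs at the top of the script; whether Python is installed between those two points is not visible in these hunks and should be confirmed. A guard after the assignment, such as `[ -n "$PYTHON_EXEC_PATH" ] || { echo "python not found" >&2; exit 1; }`, would fail loudly instead of downgrading. The command substitution inside the test is also unquoted; `"$(printf '%s\n' "$PYTHON_VERSION" 2.7.9 | sort -V | tail -1)"` avoids word splitting and the non-portable `echo -e`.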