Fetch upper constraints file with curl rather than allow pip to download it

On centos-7 the distro provided trust store for pip is out of date and
cannot validate LetsEncrypt certificates issued against their new root
CA.

Use curl to download a local copy of upper-constraints.txt so that we can
pass it to pip as a file instead of a URL in order to bootstrap the ansible
virtualenv and upgrade pip/setuptools/wheel to more modern versions.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-python_venv_build/+/816317
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/815631
Change-Id: Ia5c80ff18836b08d4caff82b2ac69a11d6e54210
(cherry picked from commit 1f707ccf21)
Jonathan Rosser 2021-10-19 12:41:06 +01:00 committed by Dmitriy Rabotyagov
parent c66a806ac8
commit bf854c2423
2 changed files with 8 additions and 4 deletions


@ -131,6 +131,13 @@ UPPER_CONSTRAINTS_PROTO=$([ "$PYTHON_VERSION" == $(echo -e "$PYTHON_VERSION\n2.7
# Set the location of the constraints to use for all pip installations
export UPPER_CONSTRAINTS_FILE=${UPPER_CONSTRAINTS_FILE:-"$UPPER_CONSTRAINTS_PROTO://opendev.org/openstack/requirements/raw/$(awk '/requirements_git_install_branch:/ {print $2}' playbooks/defaults/repo_packages/openstack_services.yml)/upper-constraints.txt"}
# Define a location for a local copy of upper constraints and download it with curl
UPPER_CONSTRAINTS_LOCAL_FILE=/opt/ansible-runtime-venv-constraints.txt
curl -L -o ${UPPER_CONSTRAINTS_LOCAL_FILE} ${UPPER_CONSTRAINTS_FILE}
# Use the local copy for pip rather than have pip attempt (and fail due to outdated CA store) to download it itself
export UPPER_CONSTRAINTS_FILE=${UPPER_CONSTRAINTS_LOCAL_FILE}
if [[ -z "${SKIP_OSA_RUNTIME_VENV_BUILD+defined}" ]]; then
build_ansible_runtime_venv
fi
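Review bot: The added `curl -L -o ${UPPER_CONSTRAINTS_LOCAL_FILE} ${UPPER_CONSTRAINTS_FILE}` does not check for HTTP errors, so a 404 or 5xx response body would be saved as the constraints file and the failure would surface only later, when pip reads it. Adding `--fail` and quoting both expansions, `curl --fail -L -o "${UPPER_CONSTRAINTS_LOCAL_FILE}" "${UPPER_CONSTRAINTS_FILE}"`, makes the download fail at this line; whether that aborts the script depends on shell options set outside this hunk. Because the constraints file decides which package versions go into the venv, it is also worth confirming that UPPER_CONSTRAINTS_PROTO can no longer resolve to plain http here, since the fetch has no other integrity check. A caller who already exports UPPER_CONSTRAINTS_FILE as a local path rather than a URL would also appear to break at this curl call.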


@ -242,10 +242,7 @@ tempest_run: yes
tempest_network_ping_gateway: yes
{% if nodepool_dir.stat.exists %}
# Copy /etc/pip.conf into containers to get mirrors for wheels
# and due to extra-index-url bugs in Ubuntu, we workaround it
# by ignoring the config file during PIP upgrade time
venv_pip_upgrade_noconf: true
# Settings which are specific to opendev CI
lxc_container_cache_files_from_host:
- /etc/pip.conf
# Disable chronyd in OpenStack CI