Do not change process UID

When run with sudo, Anvil changed process real UID
to SUDO_UID thus easily creating files with different owners.
This mechanism can confuse some tools (like pip)
Now, we can almost safely stop changing real UID and run
prepare as non-root and bootstrap, install, start, status,
and stop as root.

Also, this removes dependency on sudo.

Implements: blueprint no-uid-tricks
Fixes: bug #1179747
Fixes: bug #1186440
Fixes: bug #1186448

Change-Id: I7ae293aad7f0a5ba08962e6b6b709fe49b8b81ec

anvil/packaging/base.py

@@ -103,7 +103,7 @@ class DependencyHandler(object):
         python_names = []
         for pkg_dir in package_dirs:
             cmdline = ["python", "setup.py", "--name"]
-            python_names.append(sh.execute(*cmdline, cwd=pkg_dir)[0].
+            python_names.append(sh.execute(cmdline, cwd=pkg_dir)[0].
                                 splitlines()[-1].strip())
         return python_names
 
@@ -171,7 +171,7 @@ class DependencyHandler(object):
         ]
         cmdline = cmdline + extra_pips + ["-r"] + requires_files
 
-        output = sh.execute(*cmdline, ignore_exit_code=True)
+        output = sh.execute(cmdline, check_exit_code=False)
         conflict_descr = output[1].strip()
         forced_keys = set()
         if conflict_descr:
@@ -252,5 +252,5 @@ class DependencyHandler(object):
         LOG.info("You can watch progress in another terminal with")
         LOG.info("    tail -f %s" % out_filename)
         with open(out_filename, "w") as out:
-            sh.execute(*cmdline, stdout_fh=out, stderrr_fh=out)
+            sh.execute(cmdline, stdout_fh=out, stderr_fh=out)
         return sh.listdir(self.download_dir, files_only=True)

anvil/packaging/helpers/changelog.py

@@ -72,7 +72,7 @@ class GitChangeLog(object):
 
     def _get_commit_detail(self, commit, field, am=1):
         detail_cmd = ['git', 'log', '--color=never', '-%s' % (am), "--pretty=format:%s" % (field), commit]
-        (stdout, _stderr) = sh.execute(*detail_cmd, cwd=self.wkdir)
+        (stdout, _stderr) = sh.execute(detail_cmd, cwd=self.wkdir)
         ret = stdout.strip('\n').splitlines()
         if len(ret) == 1:
             ret = ret[0]
@@ -106,7 +106,7 @@ class GitChangeLog(object):
 
     def _get_log(self):
         log_cmd = ['git', 'log', '--pretty=oneline', '--color=never']
-        (sysout, _stderr) = sh.execute(*log_cmd, cwd=self.wkdir)
+        (sysout, _stderr) = sh.execute(log_cmd, cwd=self.wkdir)
         lines = sysout.strip('\n').splitlines()
 
         # Extract the raw commit details

anvil/packaging/helpers/pip_helper.py

@@ -82,7 +82,7 @@ class Helper(object):
 
     def _list_installed(self):
         cmd = [self._pip_how] + FREEZE_CMD
-        (stdout, _stderr) = sh.execute(*cmd, run_as_root=True)
+        (stdout, _stderr) = sh.execute(cmd)
         return parse_requirements(stdout, True)
 
     def uncache(self):

anvil/packaging/helpers/yum_helper.py

@@ -14,8 +14,6 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
-from anvil import shell as sh
-
 # See http://yum.baseurl.org/api/yum-3.2.26/yum-module.html
 from yum import YumBase
 
@@ -53,11 +51,8 @@ class Helper(object):
     @staticmethod
     def _get_yum_base():
         if Helper._yum_base is None:
-            # This 'root' seems needed...
-            # otherwise 'cannot open Packages database in /var/lib/rpm' starts to happen
-            with sh.Rooted(True):
-                _yum_base = YumBase()
-                _yum_base.setCacheDir(force=True)
+            _yum_base = YumBase()
+            _yum_base.setCacheDir(force=True)
             Helper._yum_base = _yum_base
         return Helper._yum_base
 
@@ -69,23 +64,17 @@ class Helper(object):
 
     def get_available(self):
         base = Helper._get_yum_base()
-        with sh.Rooted(True):
-            pkgs = base.doPackageLists()
-            avail = list(pkgs.available)
-            avail.extend(pkgs.installed)
-            return avail
+        pkgs = base.doPackageLists()
+        avail = list(pkgs.available)
+        avail.extend(pkgs.installed)
+        return avail
 
     def get_installed(self, name):
         base = Helper._get_yum_base()
-        # This 'root' seems needed...
-        # otherwise 'cannot open Packages database in /var/lib/rpm' starts to happen
-        # even though we are just doing a read-only operation, which
-        # is pretty odd...
-        with sh.Rooted(True):
-            pkgs = base.doPackageLists(pkgnarrow='installed',
-                                       ignore_case=True, patterns=[name])
-            if pkgs.installed:
-                whats_installed = list(pkgs.installed)
-            else:
-                whats_installed = []
+        pkgs = base.doPackageLists(pkgnarrow='installed',
+                                   ignore_case=True, patterns=[name])
+        if pkgs.installed:
+            whats_installed = list(pkgs.installed)
+        else:
+            whats_installed = []
         return whats_installed

anvil/packaging/yum.py

@@ -118,7 +118,7 @@ class YumDependencyHandler(base.DependencyHandler):
 Version: %s.%s.%s
 Release: 0
 License: Apache 2.0
-Summary: Python dependencies for OpenStack
+Summary: OpenStack dependencies
 BuildArch: noarch
 
 """ % (self.OPENSTACK_DEPS_PACKAGE_NAME, today.year, today.month, today.day)
@@ -140,7 +140,13 @@ BuildArch: noarch
         }
         for pack_name in sorted(packages.iterkeys()):
             pack = packages[pack_name]
-            spec_content += "Requires: %s\n" % pack["name"]
+            cont = [spec_content, "Requires: ", pack["name"]]
+            version = pack.get("version")
+            if version:
+                cont.append(" ")
+                cont.append(version)
+            cont.append("\n")
+            spec_content = "".join(cont)
             for script_name in script_map.iterkeys():
                 try:
                     script_list = pack[script_name]
@@ -186,7 +192,7 @@ BuildArch: noarch
             spec_filename,
         ]
         LOG.info("Building %s RPM" % self.OPENSTACK_DEPS_PACKAGE_NAME)
-        sh.execute(*cmdline)
+        sh.execute(cmdline)
 
     def _build_dependencies(self):
         package_files = self.download_dependencies()
@@ -205,7 +211,7 @@ BuildArch: noarch
         LOG.info("    tail -f %s" % out_filename)
         with open(out_filename, "w") as out:
             try:
-                sh.execute(*cmdline, stdout_fh=out, stderr_fh=out)
+                sh.execute(cmdline, stdout_fh=out, stderr_fh=out)
             except excp.ProcessExecutionError:
                 LOG.error("Some packages failed to build.")
                 LOG.error("That's usually not a big deal,"
@@ -223,7 +229,7 @@ BuildArch: noarch
         LOG.info("You can watch progress in another terminal with")
         LOG.info("    tail -f %s" % out_filename)
         with open(out_filename, "w") as out:
-            sh.execute(*cmdline, stdout_fh=out, stderr_fh=out)
+            sh.execute(cmdline, stdout_fh=out, stderr_fh=out)
 
     def _create_deps_repo(self):
         for filename in sh.listdir(sh.joinpths(self.rpmbuild_dir, "RPMS"),
@@ -235,7 +241,7 @@ BuildArch: noarch
         for repo_dir in self.deps_repo_dir, self.deps_src_repo_dir:
             cmdline = ["createrepo", repo_dir]
             LOG.info("Creating repo at %s" % repo_dir)
-            sh.execute(*cmdline)
+            sh.execute(cmdline)
         LOG.info("Writing anvil.repo to %s" % self.anvil_repo_filename)
         (_fn, content) = utils.load_template('packaging', 'anvil.repo')
         params = {"baseurl_bin": "file://%s" % self.deps_repo_dir,
@@ -249,8 +255,7 @@ BuildArch: noarch
 
         cmdline = [self.py2rpm_executable, "--convert"] + python_names
         rpm_names = []
-        # run as root since /tmp/pip-build-root must be owned by root
-        for name in sh.execute(*cmdline, run_as_root=True)[0].splitlines():
+        for name in sh.execute(cmdline)[0].splitlines():
             # name is "Requires: rpm-name"
             try:
                 rpm_names.append(name.split(":")[1].strip())
@@ -264,8 +269,7 @@ BuildArch: noarch
 
         # Ensure we copy the local repo file name to the main repo so that
         # yum will find it when installing packages.
-        with sh.Rooted(True):
-            sh.copy(self.anvil_repo_filename, "/etc/yum.repos.d/")
+        sh.copy(self.anvil_repo_filename, "/etc/yum.repos.d/")
 
         cmdline = []
         if helper.is_installed(self.OPENSTACK_DEPS_PACKAGE_NAME):
@@ -277,21 +281,18 @@ BuildArch: noarch
 
         if cmdline:
             cmdline = ["yum", "erase", "-y"] + cmdline
-            sh.execute(*cmdline, run_as_root=True, ignore_exit_code=True,
-                       stdout_fh=sys.stdout, stderr_fh=sys.stderr)
+            sh.execute(cmdline, stdout_fh=sys.stdout, stderr_fh=sys.stderr)
 
         cmdline = ["yum", "clean", "all"]
-        sh.execute(*cmdline, run_as_root=True)
+        sh.execute(cmdline)
 
         cmdline = ["yum", "install", "-y", self.OPENSTACK_DEPS_PACKAGE_NAME]
-        sh.execute(*cmdline, run_as_root=True,
-                   stdout_fh=sys.stdout, stderr_fh=sys.stderr)
+        sh.execute(cmdline, stdout_fh=sys.stdout, stderr_fh=sys.stderr)
 
         rpm_names = self._convert_names_python2rpm(self.python_names)
         if rpm_names:
             cmdline = ["yum", "install", "-y"] + rpm_names
-            sh.execute(*cmdline, run_as_root=True,
-                       stdout_fh=sys.stdout, stderr_fh=sys.stderr)
+            sh.execute(cmdline, stdout_fh=sys.stdout, stderr_fh=sys.stderr)
 
     def uninstall(self):
         super(YumDependencyHandler, self).uninstall()
@@ -303,5 +304,4 @@ BuildArch: noarch
 
         if rpm_names:
             cmdline = ["yum", "remove", "--remove-leaves", "-y"] + rpm_names
-            sh.execute(*cmdline, run_as_root=True,
-                       stdout_fh=sys.stdout, stderr_fh=sys.stderr)
+            sh.execute(cmdline, stdout_fh=sys.stdout, stderr_fh=sys.stderr)