From f0d7c980b514dd2dcf125870ff7d81b5901b8b0f Mon Sep 17 00:00:00 2001 From: "James E. Blair" Date: Mon, 31 May 2021 09:42:02 -0700 Subject: [PATCH] Handle no-sudo in stage-output The stage-output role had two assumptions: 1) The zuul_copy_output variable would always be defined 2) The role would be able to sudo on the remote node To make it easier for users who want to use this in a base job, remove both of those assumptions. 1) We now supply a default empty dict if the variable is not defined so that the role does not fail with an error. 2) We check to see if we can sudo on the remote node, and if we can, we do when copying files; otherwise we don't, and assume that the user will only specify files they have access to (if they don't then the copy will fail). Change-Id: I5428c44adfafac4872342b59a92de311f41687b6 --- roles/stage-output/tasks/main.yaml | 16 ++++++++++++---- test-playbooks/stage-output.yaml | 21 +++++++++++++++++++++ zuul-tests.d/general-roles-jobs.yaml | 10 ++++++++++ 3 files changed, 43 insertions(+), 4 deletions(-) create mode 100644 test-playbooks/stage-output.yaml diff --git a/roles/stage-output/tasks/main.yaml b/roles/stage-output/tasks/main.yaml index e0d5f94f1..333764841 100644 --- a/roles/stage-output/tasks/main.yaml +++ b/roles/stage-output/tasks/main.yaml @@ -1,12 +1,20 @@ - name: Register sources stat: path: "{{ zj_source.key }}" - loop: "{{ zuul_copy_output|dict2items }}" + loop: "{{ zuul_copy_output | default({}) | dict2items }}" loop_control: loop_var: zj_source register: sources no_log: true +# See if we're running with sudo; if so, we'll set 'become' later so +# we can copy root-owned files; if not, we'll just be able to copy +# user files. +- name: Check sudo + command: sudo -n true + failed_when: false + register: sudo_result + - name: Build the extensions list from a dict (or empty) set_fact: extension_list: 
> @@ -50,7 +58,7 @@ all_sources: "{{ results.results | selectattr('ansible_facts', 'defined') | map(attribute='ansible_facts') | list }}" - name: Ensure target folders exist - become: true + become: "{{ sudo_result.rc == 0 }}" file: path: "{{ stage_dir }}/{{ zj_output_dirs }}" state: directory @@ -67,7 +75,7 @@ # remote_src copy does not work recursively, synchronise is restricted by # zuul, using command command: cp -pRL {{ zj_source.source }} {{ stage_dir }}/{{ zj_source.dest }} - become: true + become: "{{ sudo_result.rc == 0 }}" with_items: "{{ all_sources }}" loop_control: loop_var: zj_source @@ -78,7 +86,7 @@ dest: "{{ stage_dir }}/logs" mode: u=rwX,g=rX,o=rX recurse: yes - become: yes + become: "{{ sudo_result.rc == 0 }}" - name: Discover log files that match extension_list find: diff --git a/test-playbooks/stage-output.yaml b/test-playbooks/stage-output.yaml new file mode 100644 index 000000000..2c97f46b8 --- /dev/null +++ b/test-playbooks/stage-output.yaml @@ -0,0 +1,21 @@ +- hosts: all + tasks: + - name: Write a test file + copy: + content: "Test file" + dest: "/tmp/test-output.txt" + - name: Test stage-output with a file + include_role: + name: stage-output + vars: + zuul_copy_output: + /tmp/test-output.txt: logs + - name: Test stage-output with no input + include_role: + name: stage-output + - name: Remove sudo + include_role: + name: revoke-sudo + - name: Test stage-output without sudo + include_role: + name: stage-output diff --git a/zuul-tests.d/general-roles-jobs.yaml b/zuul-tests.d/general-roles-jobs.yaml index 18587cc6e..3f093c782 100644 --- a/zuul-tests.d/general-roles-jobs.yaml +++ b/zuul-tests.d/general-roles-jobs.yaml 
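Review bot: The new `Check sudo` task sets `failed_when: false` but not `changed_when: false`, so the probe is reported as changed on every run although `sudo -n true` modifies nothing; add `changed_when: false` under it. The probe also only shows that `true` can be run without a password. Under a sudoers policy restricted to specific commands, that need not match what `become` is later allowed to do, so the comment above the task should state this assumption. The `extension_list` task that closes this hunk continues outside it.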
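Review bot: `become: "{{ sudo_result.rc == 0 }}"` in `Ensure target folders exist` assumes the registered result always carries `rc`. If `Check sudo` is ever skipped (a `when:` added later, or possibly check mode, depending on what the `command` module returns there), the attribute may be missing and templating `become` would fail. `become: "{{ sudo_result.rc | default(1) == 0 }}"` falls back to the unprivileged path instead of erroring. The same expression appears in the `cp -pRL` hunk and in the `mode: u=rwX,g=rX,o=rX` hunk that follow.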
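Review bot: On the `cp -pRL` task, `become` is now chosen by whether sudo works, not by whether the listed sources need root, so on nodes with sudo the copy still runs as root. With `-L`, any symlink under a source path is dereferenced as root, and the later `mode: u=rwX,g=rX,o=rX` task makes the staged copy world-readable. If `zuul_copy_output` paths can hold job-written content (not visible here), root-only files could end up in the staged output. A comment on the task would document the constraint, for example `# With become, cp -L follows symlinks as root: list only paths whose contents are safe to publish`. The task continues outside the hunk.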
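Review bot: The final task, `Test stage-output without sudo`, includes the role without `zuul_copy_output`, so after `revoke-sudo` only the empty-dict path runs. The unprivileged `cp` and the directory and mode tasks with `become` false are never exercised with a real file. Passing the same mapping as the first include (`zuul_copy_output:` with `/tmp/test-output.txt: logs`) under `vars:` on that task would cover the case the commit message describes. None of the three includes checks the result; a `stat` plus `assert` on the staged file would make the test fail if nothing is copied.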
@@ -688,6 +688,14 @@ - test-playbooks/update-json-file.yaml - roles/update-json-file/.* +- job: + name: zuul-jobs-test-stage-output + description: Test the state-output role + run: test-playbooks/stage-output.yaml + files: + - test-playbooks/stage-output.yaml + - roles/stage-output/.* + # -* AUTOGENERATED *- # The following project section is autogenerated by # tox -e update-test-platforms @@ -742,6 +750,7 @@ - zuul-jobs-test-shake-build - zuul-jobs-test-ensure-zookeeper - zuul-jobs-test-update-json-file + - zuul-jobs-test-stage-output gate: jobs: &id001 - zuul-jobs-test-add-authorized-keys @@ -787,5 +796,6 @@ - zuul-jobs-test-shake-build - zuul-jobs-test-ensure-zookeeper - zuul-jobs-test-update-json-file + - zuul-jobs-test-stage-output periodic-weekly: jobs: *id001
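Review bot: The new job's description reads `Test the state-output role`, but the role and job are named `stage-output`. It should be `description: Test the stage-output role`, so that a search for the role name finds this job.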