Merge "Use unique loop vars to avoid conflicts"

This commit is contained in:
Zuul 2020-02-05 05:43:16 +00:00 committed by Gerrit Code Review
commit f2207abd50
9 changed files with 50 additions and 14 deletions

View File

@ -153,6 +153,30 @@ If relevant, the specific steps where the privilege escalation occurs should be
documented so that they can be reproduced when configuring hosts. If possible,
they should be grouped in a separate playbook that can be applied to hosts manually.
Ansible Loops in Roles
**********************
Because the Ansible roles contained in this repo are expected to be
pretty universally applicable in Zuul systems we must write them
defensively to work around some Ansible behaviors. In particular
nesting Ansible loops using the default `loop_var` of `item` is not
safe.
Roles in this repo should override the default `loop_var` in loops
and use a variable name prefixed with `zj_` to make them more unique.
The idea is this will avoid conflicts with the calling level which
may use `include_role` in a loop creating a `loop_var` conflict.
For example::
command: echo {{ zj_number }}
loop:
- one
- two
- three
loop_control:
loop_var: zj_number
Installing Dependencies in Roles
********************************

View File

@ -13,8 +13,8 @@
# We can't use the default 'item' because roles may be used in
# higher level loops and 'item' could conflict in that case.
loop_control:
loop_var: loop_container_name
shell: "{{ container_command }} logs {{ loop_container_name }} &> {{ ansible_user_dir }}/zuul-output/logs/{{ container_command }}/{{ loop_container_name }}.txt"
loop_var: zj_container_name
shell: "{{ container_command }} logs {{ zj_container_name }} &> {{ ansible_user_dir }}/zuul-output/logs/{{ container_command }}/{{ zj_container_name }}.txt"
args:
executable: /bin/bash
ignore_errors: true

View File

@ -1,10 +1,12 @@
- name: Verify repository names
when: |
docker_credentials.repository is defined
and not item.repository | regex_search(docker_credentials.repository)
and not zj_image.repository | regex_search(docker_credentials.repository)
loop: "{{ docker_images }}"
loop_control:
loop_var: zj_image
fail:
msg: "{{ item.repository }} not permitted by {{ docker_credentials.repository }}"
msg: "{{ zj_image.repository }} not permitted by {{ docker_credentials.repository }}"
# This is used by the delete tasks
- name: Get dockerhub JWT token
no_log: true

View File

@ -84,13 +84,15 @@
- name: Pull artifacts from intermediate registry
command: >-
skopeo --insecure-policy copy
{{ item.url }}
docker://127.0.0.1:{{ socat_port }}/{{ item.metadata.repository | regex_replace('^docker\.io/(.*)', '\1') }}:{{ item.metadata.tag }}
{{ zj_zuul_artifact.url }}
docker://127.0.0.1:{{ socat_port }}/{{ zj_zuul_artifact.metadata.repository | regex_replace('^docker\.io/(.*)', '\1') }}:{{ zj_zuul_artifact.metadata.tag }}
retries: 3
register: result
until: result is success
when: "'metadata' in item and item.metadata.type | default('') == 'container_image'"
when: "'metadata' in zj_zuul_artifact and zj_zuul_artifact.metadata.type | default('') == 'container_image'"
loop: "{{ zuul.artifacts | default([]) }}"
loop_control:
loop_var: zj_zuul_artifact
always:
- name: Remove docker user config
command: "shred ~/.docker/config.json"

View File

@ -19,10 +19,12 @@
- name: Ensure registry volume directories exists
file:
state: directory
path: "{{ buildset_registry_root }}/{{ item }}"
path: "{{ buildset_registry_root }}/{{ zj_dir }}"
loop:
- tls
- conf
loop_control:
loop_var: zj_dir
- name: Generate registry secrets
set_fact:
registry_password: "{{ lookup('password', '/dev/null') }}"

View File

@ -1,10 +1,12 @@
- name: Verify repository names
when: |
docker_credentials.repository is defined
and not item.repository | regex_search(docker_credentials.repository)
and not zj_image.repository | regex_search(docker_credentials.repository)
loop: "{{ docker_images }}"
loop_control:
loop_var: zj_image
fail:
msg: "{{ item.repository }} not permitted by {{ docker_credentials.repository }}"
msg: "{{ zj_image.repository }} not permitted by {{ docker_credentials.repository }}"
- name: Log in to dockerhub
command: "docker login -u {{ docker_credentials.username }} -p {{ docker_credentials.password }}"
no_log: true

View File

@ -1,8 +1,8 @@
- name: Upload tag to dockerhub
command: "docker push {{ image.repository }}:change_{{ zuul.change }}_{{ image_tag }}"
command: "docker push {{ image.repository }}:change_{{ zuul.change }}_{{ zj_image_tag }}"
loop: "{{ image.tags | default(['latest']) }}"
loop_control:
loop_var: image_tag
loop_var: zj_image_tag
register: result
until: result.rc == 0
retries: 3

View File

@ -8,5 +8,7 @@
- name: Build zone.db file list
set_fact:
zone_db_files: '{{ zone_db_files + [ [item.path.split("/")[-2], item.path] ] }}'
zone_db_files: '{{ zone_db_files + [ [zj_zone_db_found_file.path.split("/")[-2], zj_zone_db_found_file.path] ] }}'
loop: "{{ zone_db_found_files['files'] }}"
loop_control:
loop_var: zj_zone_db_found_file

View File

@ -9,5 +9,7 @@
when: not zone_db_files
- name: 'Run checkzone'
command: '/usr/sbin/named-checkzone {{ item[0] }} {{ item[1] }}'
command: '/usr/sbin/named-checkzone {{ zj_zone_db_file[0] }} {{ zj_zone_db_file[1] }}'
loop: "{{ zone_db_files }}"
loop_control:
loop_var: zj_zone_db_file