Commit Graph

52 Commits

Author SHA1 Message Date
Ian Wienand
672705831f Add a best-effort sudo safety check
As motivation for this; we have had two breakouts of dib in recent
memory.  One was a failure to unmount through symlinks in the core
code (I335316019ef948758392b03e91f9869102a472b9) and the other was
removing host keys on the build-system
(Ib01d71ff9415a0ae04d963f6e380aab9ac2260ce).

For the most part, dib runs unprivileged.  Bits of the core code are
hopefully well tested (modulo bugs like the first one!).  We give free
rein inside the chroot (although there is still some potential there
for adverse external effects via bind mounts).  Where we could be a
bit safer (and could have prevented at least the second of these
breakouts) is with some better checking that the "sudo" calls
*outside* the chroot at least looked sane.

This adds a basic check that we're using chroot or image paths when
calling sudo in those parts of elements that run *outside* the chroot.
Various files are updated to accommodate this check; mostly by just
ignoring it for existing code (I have not audited these calls).

Nobody is pretending this type of checking makes dib magically safe,
or removes the issues with it needing to do things as root during the
build.  But this can help find egregious errors like the key removal.

Change-Id: I161a5aea1d29dcdc7236f70d372c53246ec73749
2016-05-09 15:41:38 +10:00
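The check described in the commit above, as an added example that is not dib's own code: every sudo call made outside the chroot should be operating on the build's chroot or image, so at least one argument is expected to point into one of those trees. The variable names TMP_MOUNT_PATH and TMP_IMAGE_PATH, the opt-out DIB_SUDO_NOCHECK and the DIB_SUDO_CMD indirection are assumptions made for this example, and the default paths are constructed.

```shell
#!/bin/sh
# Added example (not dib's own code): best-effort sanity check for sudo
# calls that run *outside* the chroot.  TMP_MOUNT_PATH / TMP_IMAGE_PATH
# are assumed names; the defaults below are constructed for the example.
TMP_MOUNT_PATH="${TMP_MOUNT_PATH:-/tmp/dib_build.example/mnt}"
TMP_IMAGE_PATH="${TMP_IMAGE_PATH:-/tmp/dib_image.example/image.raw}"

# Return 0 when at least one argument points into the chroot or image
# path, 1 otherwise.  "--option=/path" forms are unwrapped first.  Any
# path component of ".." is refused outright, because a prefix match
# alone would let "$TMP_MOUNT_PATH/../../etc" through.
dib_sudo_args_look_sane() {
    hit=1
    for arg in "$@"; do
        val=${arg#--*=}
        case "$val" in
            ..|../*|*/..|*/../*)
                return 1 ;;
            "$TMP_MOUNT_PATH"|"$TMP_MOUNT_PATH"/*|"$TMP_IMAGE_PATH"|"$TMP_IMAGE_PATH"/*)
                hit=0 ;;
        esac
    done
    return $hit
}

# Wrapper to use instead of a bare "sudo" in code running outside the
# chroot.  DIB_SUDO_NOCHECK=1 (hypothetical name) lets unaudited callers
# opt out; DIB_SUDO_CMD (hypothetical) exists so the wrapper can be
# exercised without privileges.
checked_sudo() {
    if [ "${DIB_SUDO_NOCHECK:-0}" = 1 ] || dib_sudo_args_look_sane "$@"; then
        "${DIB_SUDO_CMD:-sudo}" "$@"
    else
        echo "refusing sudo call that does not touch the build tree: $*" >&2
        return 1
    fi
}
```

The check is deliberately coarse: it cannot tell a correct unmount from a wrong one, but a command line with no build path in it at all (the host-key removal case) is rejected before it runs.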
Ian Wienand
8c837409b8 Turn down tracing for source-repo cache
If you check logs like [1] it's literally thousands of lines of the
same thing over-and-over as the git caching happens.  It is basically
all just noise unless you're debugging it specifically.  Up this to
tracing level 2 ("-x -x") to see it.  Add a note in the help about
multiple flags, which has always been intended but not documented.

Image builds should continue to run with single "-x", but we could
probably greatly increase signal:noise ratio in the logs with a little
more judicious use of this to turn down some of the very noisy &
repetitive parts.

[1] anything in http://nodepool.openstack.org/

Change-Id: I91c5e55814ba9840769357261d203f4850e2eba6
2016-03-22 09:57:30 +11:00
Ian Wienand
4573d0d930 Prune old branches when updating cache
dib builds are failing in nodepool at the moment trying to download a
really old Fedora image.  What happens is that the devstack cache
script [1] goes through all the branches of the devstack checkout and
uses the inbuilt image-list tool [2] to get its list of images to
pre-download.  One of the old Fedora images required on the retired
branches has now gone, so the build halts with a 404 trying to get it.

Thus make sure we do a --prune when we fetch changes so that old
branches are removed from the cache.

[1] https://git.openstack.org/cgit/openstack-infra/project-config/tree/nodepool/elements/cache-devstack/extra-data.d/55-cache-devstack-repos
[2] https://git.openstack.org/cgit/openstack-dev/devstack/tree/tools/image_list.sh

Change-Id: Ieb6a6e9f55bd93f63c3d0a71828c276c2d02e1b9
2016-01-12 11:25:43 +11:00
Jeremy Stanley
f82400b432 Allow source-repositories ref to be "*"
Passing a source-repositories ref of "*" should signal fetching all
heads similar to when a non-cached ref is requested. Reuse the same
fallback logic, but skip unnecessary checks since "*" is not a real
refname. Also expand the fallback to update tags, and to --purge
local refs that no longer exist on the remote for additional safety.

Change-Id: I4562c9689a8d235ebe09b2f7178aa5890dbc85f1
2015-06-24 20:50:06 +00:00
Ian Wienand
36b59c001c Standardise tracing for scripts
There is a wide variety of tracing options through the various shell
scripts.  Some use "set -eux", others explicitly set xtrace and others
do nothing.  There is a "-x" option to bin/disk-image-create but it
doesn't flow down to the many scripts it calls.

This adds a global integer variable set by disk-image-create
DIB_DEBUG_TRACE.  All scripts have a stanza added to detect this and
turn on tracing.  Any other tracing methods are rolled into this.  So
the standard header is

---
if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
    set -x
fi
set -eu
set -o pipefail
---

Multiple -x options can be specified to dib-create-image, which
increases the value of DIB_DEBUG_TRACE.  If script authors feel their
script should only trace at higher levels, they should modify the
"-gt" value.  If they feel it should trace by default, they can modify
the default value also.

Changes to patchset 16 : scripts which currently trace themselves by
default have retained this behaviour with DIB_DEBUG_TRACE defaulting
to "1".  This was done by running [1] on patch set 15.  See the thread
beginning at [2]

dib-lint is also updated to look for the variable being matched.

[1] https://gist.github.com/ianw/71bbda9e6acc74ccd0fd
[2] http://lists.openstack.org/pipermail/openstack-dev/2014-November/051575.html

Change-Id: I6c5a962260741dcf6f89da9a33b96372a719b7b0
2015-02-12 10:41:32 +11:00
Jon-Paul Sullivan
8dd97597ea Allow multiple identical sources
The source-repositories element puts source in place in the generated image
for later installation.  It is possible for two elements to define the same
source to later install, and as long as the remote location and reference to be
installed are identical, we should not error.

Change-Id: Ic7dfb1961486c59d2005b5c1e7587267ea42e999
2014-11-19 12:03:16 +00:00
Dan Prince
022cb2c1c2 Support installing packages by default
Adds new disk-image-create --install-type option which
can be used to enable alternate install types. The
default install type is 'source'.

The motivation is to eliminate elements like
enable-package-installs which require coupling and also
don't work with elements in multiple element repositories.

This patch does not prevent you from using the previous
DIB_INSTALLTYPE_ variables to customize the install type,
rather it just changes the default so you don't have to
set it so often when using things like packages.

Change-Id: Icee98440fc2251728f2dca30e7c4789a0fd89b93
2014-10-28 15:05:53 -04:00
Ben Nemec
0eccd2808c Allow source-repositories to be disabled completely
In our official image builds we are only allowed to use resources
that are "blessed" by the build system.  This means that external
things like git repos and tar files are not allowed.  Currently,
even in offline mode source-repositories expects those things to
be available in the cache, so we need a way to disable it entirely.

This change adds an environment variable NO_SOURCE_REPOSITORIES
that does so.  It can be set in an environment.d script so elements
that might rely on a source repository will know it's not available.
The 02-lsb script in redhat-common is one such example and is
updated to handle this case.

Change-Id: I0de63bee6ad79733d6711478c707a9b41593e85f
2014-10-15 12:24:50 -04:00
Monty Taylor
3acc866f6d Use DIB_IMAGE_CACHE everywhere
disk-image-create processes a DIB_IMAGE_CACHE variable and exports it,
but there are several elements that ignore the value and write out
the base location themselves. Use the variable everywhere so that it
will get overridden everywhere.

Change-Id: I00fff354d6c931ad67cf3052d055f0e4604dfdc8
2014-10-05 13:58:32 -07:00
Jenkins
b404682d1b Merge "Increase source-repositories support for tarballs" 2014-08-20 11:19:59 +00:00
Jonathan Brownell
6e4e2cfeca Increase source-repositories support for tarballs
The existing support for tar files in source-repositories saves
only the contents within subdirectories contained in the archive.

This change makes the selection of contents within the tarball user-
definable based on the REPOREF specified (or overridden in the env).

A REPOREF of '*' (the current default, but deprecated) will select
the contents of subdirectories within the archive, while '.' will
select the entire contents of the archive.

For reference:
http://lists.openstack.org/pipermail/openstack-dev/2014-August/043197.html
http://lists.openstack.org/pipermail/openstack-dev/2014-August/043249.html

Change-Id: I45db42ce66bf1d63d6ab5730090bf458b1b37ce9
2014-08-19 13:24:02 -07:00
Jon-Paul Sullivan
fbb797ea42 Lock around source repositories setup
Problems were seen when building images in parallel with
git clones and fetches interfering with each other.

Stop it.

Co-Authored-By: Michael Kerrin <michael.kerrin@hp.com>
Change-Id: Iaa48f259755d8b22327459a5c6d224a342909aee
2014-07-09 19:37:06 +01:00
Robert Collins
d5e0c2d778 Correct source-repository comments
git revisions are not references.

Change-Id: If450e70e46cd30a2662b7246a2555c118ed33ad2
2014-06-11 19:32:27 +12:00
Jon-Paul Sullivan
76c59bfbde Add support for source-repos gerrit refs
Add the ability to supply a gerrit ref in DIB_REPOREF_* and
have that reference fetched from the remote and checked out for
building within the image.

Closes-Bug: #1314021
Change-Id: I5e5742c4cbff98e14121c50dde5e512f192b5415
Co-Authored-By: Robert Collins <rbtcollins@hp.com>
2014-05-23 16:00:22 +01:00
Jenkins
dcb5f57a5a Merge "Move instead of copy the temporary git manifest" 2014-05-12 03:02:28 +00:00
Ben Nemec
16be6d7ce0 set -u and -o pipefail everywhere
As with the previous similar changes, this is intended to catch
problems as they happen instead of ignoring them and continuing on
to potentially fail later.  Setting this on all existing scripts
will allow us to enforce use via Jenkins.

Change-Id: Iad2d490c86dceab148ea9ab08f457c49a5d5352e
2014-05-06 15:51:07 -05:00
Jenkins
4dc7d784b0 Merge "Change refspec used to fetch all branches and tags" 2014-04-17 20:23:05 +00:00
Jon-Paul Sullivan
b507cab2b5 Move instead of copy the temporary git manifest
This prevents a build-up of temporary files in the cache directory

Change-Id: Ice34b57ef4f24bbe69b43ee3b2e2e394894825e5
2014-04-15 11:24:43 +01:00
Jon-Paul Sullivan
4c467964f5 Standardise manifest creation and retrieval
* Create a standard element to copy manifests out of the image and
  into the build area.
* Ensure all current manifests are copied into a standard manifests
  directory

Change-Id: I37eff5a13a14564e1adc33eb4f0144d571267617
2014-04-10 12:25:13 +01:00
Jon-Paul Sullivan
f8416b1fe5 Change refspec used to fetch all branches and tags
When the repository references are sha1s the fetch command used will
not work.  This will ensure that all of the objects are still fetched,
and all of the local cache references for branches and tags will be
updated rather than just the specified reference in use.

Change-Id: Iad2554b3087a5da37dac6e9f6a72432d49fce83d
Closes-Bug: #1301435
2014-04-02 16:25:48 +01:00
James Slagle
b4dfa6cb90 Move install type enablement into base element
Move whether the package or source install type is enabled out of the
source-repositories element and into the base element.
source-repositories wasn't a great fit for this functionality to begin
with.

Specify the install type for an element via the
DIB_INSTALLTYPE_<install_dir_prefix> environment variable.

Additionally with this approach, any new install type can be added
in an element, without having to update source-repositories or anything
in dib.

You could just write your install type implementation under
nova-foo-install, then define DIB_INSTALLTYPE_nova=foo in your
environment, and the scripts under nova-foo-install would get run during
the image build.

Source installs (any scripts under <install_dir_prefix>-source-install)
is the default install type for all elements.

Change-Id: I9414aca360c41e030e27d3d0c0a52d9d8e13d8b1
2014-03-14 12:25:11 -04:00
Jenkins
09ad2ae482 Merge "Extract move cache logic to a function" 2014-03-14 08:08:24 +00:00
James Polley
ca95cf9f70 Extract move cache logic to a function
We use the same logic twice - extract it to a function.

Change-Id: I32a257663de37d5f3588c91e4164abceb12ee80d
2014-03-14 09:36:52 +11:00
Jenkins
bae43c91c6 Merge "98-source-repositories tries to return from script" 2014-03-13 16:17:51 +00:00
Jenkins
7b0119808d Merge "Create a git manifest from source-repositories" 2014-03-13 15:11:40 +00:00
Jon-Paul Sullivan
179aa31d41 Fixup all occurrences of REPONAME for replacing '-'
There was a single REPONAME variable missed in change 76679.
Fix it up.

Change-Id: Ibc6cd59cb3f3d949fd7679ee18d85c7574d9acd5
2014-03-11 13:13:10 +00:00
Jenkins
ffdd57b8a5 Merge "Replace more than just "-" in REPONAME" 2014-03-11 12:51:31 +00:00
Jon-Paul Sullivan
e4c43e608c Create a git manifest from source-repositories
As git repositories are copied into the image make a note of their
details and add them to a manifest on the build system.

This allows the code used in building an image to be found after
the image build is completed without needing to open the image up
for inspection.

Change-Id: I7dbe9e163ad38a418cf2869a81e720de2c27dfb1
2014-03-11 12:38:52 +00:00
Dan Prince
ef379f05e4 98-source-repositories tries to return from script
In 8b2325118f we added a line
so that 98-source-repositories tries to return from the top
level script (not from within a function).

Also, remove the return 1 within the function as well
because we just want to continue in these cases.

Change-Id: I66eddc12208b278594a0a8d8676c38d72045ca75
2014-03-10 17:21:20 -04:00
Jenkins
e83d4dcbb2 Merge "Bash eval the lines in source-repository scripts" 2014-03-10 18:55:06 +00:00
Derek Higgins
0226cf2246 Replace more than just "-" in REPONAME
Looks like shells only support alphanumeric characters and "_"'s in
environment variables. We were substituting "-" characters but in
order to be able to set overrides in projects with names containing
other characters we need to substitute more, I'm looking at you
oslo.config.

Change-Id: I3e2b1b0bc5871e4ec4ffd8117906cd077aa2cb0d
Co-authored-by: James Polley <jp@jamezpolley.com>
2014-03-06 04:56:50 +11:00
Jenkins
e602863642 Merge "Replace use of show-ref with name-rev" 2014-03-04 18:05:46 +00:00
Gregory Haynes
6a6d913459 Bash eval the lines in source-repository scripts
This will allow us to add environment variables to source-repository
scripts. Useful for things like arch-specific download urls.

Change-Id: I4d046825a317dc88db3d7673ad261cedacd1a104
2014-03-03 16:37:43 -08:00
Jenkins
9595197474 Merge "Improve usability of the source-repositories cache" 2014-03-04 00:21:52 +00:00
Jon-Paul Sullivan
41f1ca2ad4 Replace use of show-ref with name-rev
Testing showed that show-ref did not accurately determine whether a
git repository contained the given reference.  Testing with name-rev
showed that it did.

Change the HAS_REF determination appropriately to avoid unnecessary
cache updates when using fixed references.

Change-Id: Iece213348516358af84417807f8dd36e959139eb
2014-02-28 14:35:07 +00:00
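The cache behaviour described across the commits above ("Prune old branches when updating cache", "Allow source-repositories ref to be "*"", "Change refspec used to fetch all branches and tags" and the HAS_REF check in this one), as an added example that is not dib's own code. It keeps a bare mirror of a remote, fetches every branch and tag with forcing refspecs and --prune, and only goes back to the remote when the wanted ref is missing from the cache or is "*". The presence test uses git cat-file -e rather than name-rev; that substitution, the function names and the directory layout are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not dib's own code): a small git source cache in the
# style of source-repositories.  Requires git on PATH.

# Create the cache at $2 from the remote at $1, or refresh it.  Leading
# '+' in the refspecs force-updates local refs (needed when a branch was
# rewound); --prune drops branches and tags the remote no longer has, so a
# retired branch cannot keep pointing at content that is gone upstream.
cache_fetch() {
    remote=$1; cache=$2
    if [ ! -e "$cache/HEAD" ]; then
        git clone -q --mirror "$remote" "$cache"
        return
    fi
    git -C "$cache" fetch -q --prune "$remote" \
        '+refs/heads/*:refs/heads/*' '+refs/tags/*:refs/tags/*'
}

# Return 0 if the cache already resolves $2 (branch, tag or sha1) to a
# commit.  A plain sha1 that the cache has never fetched fails here, which
# is why fixed references must fall through to a full fetch.
has_ref() {
    git -C "$1" cat-file -e "$2^{commit}" 2>/dev/null
}

# Fetch only when needed: "*" means "refresh all heads and tags", as does
# any ref the cache does not yet know.  A ref already present costs no
# network round trip.
ensure_ref() {
    remote=$1; cache=$2; ref=$3
    if [ "$ref" = '*' ] || ! has_ref "$cache" "$ref"; then
        cache_fetch "$remote" "$cache"
    fi
}
```

Typical use is `ensure_ref "$REPOLOCATION" "$CACHE_DIR" "$REPOREF"` followed by a clone from the cache; a later build that asks for a branch deleted upstream will find it gone after the pruning fetch instead of silently reusing stale content.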
Jon-Paul Sullivan
0edfcf6587 Enable simple modification of git repo location
Add the DIB_GITREPOBASE variable to the source-repositories element
to enable global changing of git repository location.

Change-Id: Icfac5e103fce6e5a3f1a2db094144a0ed89fcc33
2014-02-26 13:52:03 +00:00
Jon-Paul Sullivan
8b2325118f Improve usability of the source-repositories cache
* Rename the cache directory for sources

Make the cache directory name match that of the element that creates
it.  This makes it easier to find and more logically implies what
element created the cache directory.

* Add REPONAME to repository cache directory

For better usability add the reponame to the directory created
to cache it.

* Add migration code

Move pre-existing cache directories of the old name to the new name.

Change-Id: Ic62f19acb1746888ccbdf95eebf6e653f3e66357
2014-02-24 20:42:48 +00:00
Shane Wang
4aeee175d8 Fix misspellings in diskimage-builder
Fix misspellings detected by:
* pip install misspellings
* git ls-files | grep -v locale | misspellings -f -

Change-Id: I42acbcce7611ff3e2e120168acccc518299c2c42
Closes-Bug: #1257295
2014-02-07 14:42:45 +08:00
James Slagle
57ba300be4 Symlink correct element install type
The source-repositories element will now symlink the install scripts
corresponding to the set install type for an element into the install.d
directory.

Different install types are implemented by elements by writing scripts to do
the install type under install.d/<element-name>-<install-type>-install
directories.

For example, the nova element would provide:

nova/install.d/nova-package-install/74-nova
nova/install.d/nova-source-install/74-nova

source-repositories will create the following symlink for the package
install type:

$TMP_HOOKS_PATH/install.d/74-nova -> nova-package-install/74-nova

Or, for the source install type:

$TMP_HOOKS_PATH/install.d/74-nova -> nova-source-install/74-nova

Change-Id: I1bfaf39e5a98b2af904fbc6d674dbada30b27ed9
2014-01-15 14:57:08 -05:00
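The install-type selection described above and in "Move install type enablement into base element" and "Support installing packages by default", as an added example that is not dib's own code. For every install.d/<element>-<type>-install directory it reads DIB_INSTALLTYPE_<element> (defaulting to "source") and symlinks the matching scripts into install.d, producing exactly the links shown in the commit message. The DIB_DEFAULT_INSTALLTYPE name, the use of printenv for the lookup and the function names are assumptions made for this example; the hook tree built in the usage is constructed.

```shell
#!/bin/sh
# Added example (not dib's own code): link an element's install scripts
# for its selected install type into install.d.

# Shell variable names allow only [A-Za-z0-9_], so "oslo.config" or
# "python-keystone" must be mapped to "oslo_config" / "python_keystone"
# before the override variable can be looked up.
env_suffix() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9_' '_'
}

# Install type for an element prefix: DIB_INSTALLTYPE_<prefix> if set,
# otherwise DIB_DEFAULT_INSTALLTYPE (an assumed name), otherwise "source".
install_type_for() {
    val=$(printenv "DIB_INSTALLTYPE_$(env_suffix "$1")" || true)
    printf '%s' "${val:-${DIB_DEFAULT_INSTALLTYPE:-source}}"
}

# For each <prefix>-<type>-install directory under $1/install.d, link its
# scripts into install.d when <type> is the selected type for <prefix>.
# <prefix> may itself contain dashes, so <type> is the last component.
link_install_scripts() {
    hooks=$1
    for dir in "$hooks"/install.d/*-*-install; do
        [ -d "$dir" ] || continue
        name=${dir##*/}          # e.g. nova-package-install
        stem=${name%-install}    # nova-package
        type=${stem##*-}         # package
        prefix=${stem%-*}        # nova
        [ "$type" = "$(install_type_for "$prefix")" ] || continue
        for script in "$dir"/*; do
            [ -f "$script" ] || continue
            # relative link, as in the commit: 74-nova -> nova-package-install/74-nova
            ln -sf "$name/${script##*/}" "$hooks/install.d/${script##*/}"
        done
    done
}
```

Only one type's scripts end up linked for a given element, so a nova-source-install script never runs when DIB_INSTALLTYPE_nova=package, and an element that ships only one variant simply contributes nothing when another type is selected.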
James Slagle
d253ed16d8 Add package support to source-repositories
Adds a new "package" type to source-repositories. When the package type
is specified in an origin-repository-* file the package name and type
"package" need to be specified like so:

nova package

The existing map-packages mechanism can be used to map the specified
package name to the actual distribution package names.  The
pre-configured package repositories on the image will be used to install
the packages during the install.d phase of the image build.

If the repo type is package, an environment.d hook script is updated
with an environment variable which is sourced by dib-run-parts. This is
so that other hooks, particularly in install.d, will know what repo type
was used and can make the correct decision about doing a source install
or not.

Change-Id: Ief4e524664cd32d2087aeb3b1766f05e017de91e
2014-01-13 08:23:53 -05:00
Chris Jones
4794df890a Log unsupported source repository types.
If we don't recognise git/tar/etc as source-repositories repotypes, we
now log the repotype, for debugging purposes.

Change-Id: I7b870807658441c928c7880291eb0284b6f97778
2013-12-20 14:53:53 +00:00
Chris Jones
4c7a3bf79f Improve source-repositories git caching.
We now unconditionally cache the repositories being fetched with
source-repositories.

Additionally, by improving the way we handle repository refs, we are now
able to build images with code taken directly from gerrit reviews.

Change-Id: Ifd4c5691f6761eb5551663e6d0aa1c0e42afced3
2013-12-20 14:48:30 +00:00
Mark McLoughlin
10eac21043 Log the repository fetches in source-repositories
Make the source-repositories element log which repo it's cloning from
so it's easier to tell what's going on.

Change-Id: I224f7bd98bc3d0ba94313dae9063d4ba4e25bdaa
2013-12-05 06:28:13 +00:00
Steve Baker
9e5bc37265 Add support for file to source-repositories
Adds a file type to source-repositories to allow individual files
to make use of source-repositories caching.

REPO_DIRECTORY has been renamed to REPO_DEST since it is now sometimes
a file.

This change also fixes the incorrect path to the cache-url in the
tar type.

Change-Id: Ib79e41969c982a02f0235318d9f254b39c3c6d93
2013-09-04 10:16:49 +12:00
Robert Collins
c7c4ec19a3 Capture the repositories from source-repositories.
We try to expose metadata to users about what dib included in the
image and source-repositories was not doing that, so this fixes it. It
also permits easy introspection from other elements (such as an
upcoming PyPI cache layer).

Change-Id: I1e48e65f69ebe1f4556cc3bf35ccf195e99bcc76
2013-08-05 09:52:28 +12:00
Monty Taylor
4535c5323a Ignore emacs autosave files in source-repositories
source-repositories uses find to discover things it should import. If
someone happens to use emacs, and happens to have had an autosave file
in a directory with a wildly broken version of a source-repositories-
file, then dib will attempt to execute the contents of the autosave file
and the user will be sad. Adding a filter to the find command for files
ending in ~ will prevent pain and suffering.

Change-Id: I27c8a4b53d3c9b913ca926db16b4271941f6fb5d
2013-07-27 14:53:29 -04:00
Jenkins
5f52562570 Merge "Support repo names with multiple '-'s" 2013-07-19 19:45:42 +00:00
Derek Higgins
a4a0523f2b Support repo names with multiple '-'s
The search and replace that converted dashes in REPONAME only converted
the first dash. They should all be converted.

Change-Id: I76a48cf5bdfa8664f0a65d0238fa4da7d80305db
2013-07-19 17:45:01 +01:00
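The REPONAME handling from this commit and from "Replace more than just "-" in REPONAME", together with the per-repository overrides DIB_REPOLOCATION_*, DIB_REPOREF_* and the global DIB_GITREPOBASE mentioned earlier on the page, as an added example that is not dib's own code. It sanitises the repository name into something a shell variable name can carry, looks the override up with an eval that is only safe because of that sanitisation, and applies the overrides to a source-repositories entry. How DIB_GITREPOBASE rewrites a URL here (replacing scheme and host) and the function names are assumptions made for this example; the inputs are constructed.

```shell
#!/bin/sh
# Added example (not dib's own code): resolve the effective location and
# ref of a source-repositories entry after environment overrides.

# Variable names may only contain [A-Za-z0-9_], so every other character
# of the repo name is mapped to "_": all dashes, not just the first, and
# the "." in oslo.config.
repo_var_suffix() {
    printf '%s' "$1" | sed 's/[^A-Za-z0-9_]/_/g'
}

# Print the value of DIB_<kind>_<sanitised name>, or nothing if unset.
repo_override() {
    var="DIB_$1_$(repo_var_suffix "$2")"
    # eval is acceptable only because $var is restricted to [A-Za-z0-9_]
    # above; a name built from an unsanitised string must never reach eval.
    eval "printf '%s' \"\${$var:-}\""
}

# Usage: resolve_repo NAME TYPE LOCATION REF -> prints "LOCATION REF"
resolve_repo() {
    name=$1; type=$2; location=$3; ref=$4
    loc=$(repo_override REPOLOCATION "$name")
    if [ -n "$loc" ]; then location=$loc; fi
    r=$(repo_override REPOREF "$name")
    if [ -n "$r" ]; then ref=$r; fi
    if [ "$type" = git ] && [ -n "${DIB_GITREPOBASE:-}" ]; then
        # Assumed semantics: drop "scheme://host/" and prepend the new base
        location="${DIB_GITREPOBASE%/}/${location#*://*/}"
    fi
    printf '%s %s\n' "$location" "$ref"
}
```

With this in place, `DIB_REPOREF_oslo_config=stable/icehouse` takes effect for a repo whose name is written as `oslo.config` in the element, which the original dash-only substitution could not express.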
Derek Higgins
51216dbd2d Set work-dir to cached repository
source-repositories does a git reset on the .git directory of cached
repositories. But doesn't specify the directory to reset. A working
directory needs to be specified so that the $PWD isn't used.

Without this change $PWD is polluted with the contents of repositories
being cached.

Change-Id: Ic37b702ac579bf766bb2204a988fa9468d308abf
2013-07-19 17:40:16 +01:00
Robert Collins
e187a402ae Move the getsources hook earlier.
Caching PyPI objects will require inspecting the content downloaded by
the source repositories, so needs to run after it.

Change-Id: I551c075e0bb6853b2ef79268b7f6455a4f06743d
2013-07-18 23:06:30 +12:00