Commit graph

7 commits

Author SHA1 Message Date
Luong Anh Tuan
ff8ae43265 Replace yaml.load() with yaml.safe_load()
Avoid dangerous file parsing and object serialization libraries.
yaml.load is the obvious function to use but it is dangerous[1]
Because yaml.load return Python object may be dangerous if you
receive a YAML document from an untrusted source such as the
Internet. The function yaml.safe_load limits this ability to
simple Python objects like integers or lists.

In addition, Bandit flags yaml.load() as security risk so replace
all occurrences with yaml.safe_load(). Thus I replace yaml.load()
with yaml.safe_load()

[1]https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html

Change-Id: I84640973fd9f45a69d2b21f6d594cd5bf10660a6
Closes-Bug: #1634265
2017-01-16 15:07:05 +07:00
Gregory Haynes
ecae8dcbd5 Allow package-installs to parse DIB_PYTHON_VERSION
Now that we are explicit about what python version we intend to use
for dib we can have package installs optionally install packages
depending on this.  Add a new dib_python_version that matches on the
DIB_PYTHON_VERSION string set by dib-python.

Co-Authored-By: Adam Harwell <flux.adam@gmail.com>
Change-Id: I70659aab7d12924bdb9bc0489a7f02d5fd0dbb39
2016-12-14 12:13:40 +11:00
Ian Wienand
8a1c8370a1 package-installs: add list to arch and "not-arch" list
Icf8a075224833fcfbbe2128e8802ff41c39f3c09 looked rather ugly, and it's
easy for us to expand the processing done in the arch list.

Change "arch" to a comma-separated list of architectures that should
match for install.

Add a "not-arch" list which will exclude the package from installation
on those architectures.  (An aside -- I considered making it just he
one list with foo,!bar,moo but ! has special meaning in YAML, so it's
easier to have two lists).

$ ARCH=ppc64 package-installs-squash --elements ironic-agent --path=./elements/ /dev/stdout | grep dmidecode
$ ARCH=ppc64 package-installs-squash --elements ironic-agent --path=./elements/ /dev/stdout | grep lshw
    "lshw",
$ ARCH=amd64 package-installs-squash --elements ironic-agent --path=./elements/ /dev/stdout | grep lshw
$ ARCH=amd64 package-installs-squash --elements ironic-agent --path=./elements/ /dev/stdout | grep dmidecode
    "dmidecode",

Change-Id: Ic69dd02a09e6f3ba9078a2377d8df29871a20db2
2016-07-01 21:31:59 +02:00
Gregory Haynes
28c42fafdc Support arch-specific package-installs
In some cases, like linux-image-* on debian, we need to only install
packages for a specific target architecture.

Change-Id: Ic0009d0c1e121d6f3f1f21345c544e2d98f080f9
2015-04-24 21:58:05 +00:00
James Slagle
ba19541d47 Fix check for installtype
Previously, this code was not checking for the proper environment
variable for an element's installtype. There was a line replacing '-'
with '_' as is required, but that value was not actually used when
searching for the environment variable.

Change-Id: I0bbd56969188389db81844d9276269464870f776
2015-03-10 21:59:03 -04:00
Gregory Haynes
3ff92589e1 Add installtype support to package-installs
Some packages should only be installed if a certain installtype is
specified.

Change-Id: Ia1a5af9ab4653e2646870ebd2d2db7e00a59305b
2015-01-28 20:11:51 -08:00
Monty Taylor
98d008c6af Rework package-installs to collapse on build host
Instead of doing the work in the image of parsing through the element's
package-install declarations, we can squash it on hostside, where we
have both YAML and JSON available to us, and then emit a single
pre-processed file into the target to be used later.

Change-Id: I3f182aa3aae0a79b2f3ea4e66c1878ad12878b0a
2014-12-11 00:05:32 -08:00