As motivation for this; we have had two breakouts of dib in recent
memory. One was a failure to unmount through symlinks in the core
code (I335316019ef948758392b03e91f9869102a472b9) and the other was
removing host keys on the build-system
(Ib01d71ff9415a0ae04d963f6e380aab9ac2260ce).
For the most part, dib runs unprivileged. Bits of the core code are
hopefully well tested (modulo bugs like the first one!). We give free
reign inside the chroot (although there is still some potential there
for adverse external affects via bind mounts). Where we could be a
bit safer (and could have prevented at least the second of these
breakouts) is with some better checking that the "sudo" calls
*outside* the chroot at least looked sane.
This adds a basic check that we're using chroot or image paths when
calling sudo in those parts of elements that run *outside* the chroot.
Various files are updated to accomodate this check; mostly by just
ignoring it for existing code (I have not audited these calls).
Nobody is pretending this type of checking makes dib magically safe,
or removes the issues with it needing to do things as root during the
build. But this can help find egregious errors like the key removal.
Change-Id: I161a5aea1d29dcdc7236f70d372c53246ec73749
If you check logs like [1] it's literally thousands of lines of the
same thing over-and-over as the git caching happens. It is basically
all just noise unless you're debugging it specifically. Up this to
tracing level 2 ("-x -x") to see it. Add a note in the help about
multiple flags, which has always been intended but not documented.
Image builds should continue to run with single "-x", but we could
probably greatly increase signal:noise ratio in the logs with a little
more judicial use of this to turn down some of the very noisy &
repetitive parts.
[1] anything in http://nodepool.openstack.org/
Change-Id: I91c5e55814ba9840769357261d203f4850e2eba6
As mentioned in package-installs.yaml, git is a transitive dependency
for pbr in this element. Add pkg-map for the Gentoo package.
Change-Id: I7f2fe1663152ea66b941594e86f1da93ddd21677
Closes-Bug: 1539278
Largely enhance the documentation so it renders nicely when generated
with Sphinx.
Culpirt: the 'package' type is documented but unhandled in the shell
script.
Change-Id: I9f4f46e770077c147c0a5b1245b779bc3afa4e98
Passing a source-repositories ref of "*" should signal fetching all
heads similar to when a non-cached ref is requested. Reuse the same
fallback logic, but skip unnecessary checks since "*" is not a real
refname. Also expand the fallback to update tags, and to --purge
local refs that no longer exist on the remote for additional safety.
Change-Id: I4562c9689a8d235ebe09b2f7178aa5890dbc85f1
There is a wide variety of tracing options through the various shell
scripts. Some use "set -eux", others explicity set xtrace and others
do nothing. There is a "-x" option to bin/disk-image-create but it
doesn't flow down to the many scripts it calls.
This adds a global integer variable set by disk-image-create
DIB_DEBUG_TRACE. All scripts have a stanza added to detect this and
turn on tracing. Any other tracing methods are rolled into this. So
the standard header is
---
if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
set -x
fi
set -eu
set -o pipefail
---
Multiple -x options can be specified to dib-create-image, which
increases the value of DIB_DEBUG_TRACE. If script authors feel their
script should only trace at higher levels, they should modify the
"-gt" value. If they feel it should trace by default, they can modify
the default value also.
Changes to pachset 16 : scripts which currently trace themselves by
default have retained this behaviour with DIB_DEBUG_TRACE defaulting
to "1". This was done by running [1] on patch set 15. See the thread
beginning at [2]
dib-lint is also updated to look for the variable being matched.
[1] https://gist.github.com/ianw/71bbda9e6acc74ccd0fd
[2] http://lists.openstack.org/pipermail/openstack-dev/2014-November/051575.html
Change-Id: I6c5a962260741dcf6f89da9a33b96372a719b7b0
We have a new package-installs file format. Migrating existing
package-installs files to the new format.
Change-Id: I57d4a007efee9624e60c41357cefa627d8c7373f
The source-repositories element puts source in place in the generated image
for later installation. It is possible for two elements to define the same
source to later install, and as long as the remote location and reference to be
installed is identical, we should not error.
Change-Id: Ic7dfb1961486c59d2005b5c1e7587267ea42e999
Adds new disk-image-create --install-type option which
can be used to enable alternate install types. The
default install type is 'source'.
The motivation is to eliminate elements like
enable-package-installs which require coupling and also
don't work with elements in multiple element repositories.
This patch does not prevent you from using the previous
DIB_INSTALLTYPE_ variables to customize the install type,
rather it just changes the default so you don't have to
set it so often when using things like packages.
Change-Id: Icee98440fc2251728f2dca30e7c4789a0fd89b93
In our official image builds we are only allowed to use resources
that are "blessed" by the build system. This means that external
things like git repos and tar files are not allowed. Currently,
even in offline mode source-repositories expects those things to
be available in the cache, so we need a way to disable it entirely.
This change adds an environment variable NO_SOURCE_REPOSITORIES
that does so. It can be set in an environment.d script so elements
that might rely on a source repository will know it's not available.
The 02-lsb script in redhat-common is one such example and is
updated to handle this case.
Change-Id: I0de63bee6ad79733d6711478c707a9b41593e85f
disk-image-create processes a DIB_IMAGE_CACHE variable and exports it,
but there are several elements that ignore the value and wrote out
the base location themselves. Use the variable everywhere so that it
will get overridden everywhere.
Change-Id: I00fff354d6c931ad67cf3052d055f0e4604dfdc8
Updates additional elements in diskimage-builder to use the declarative
package install support provided by the package-installs element.
package-installs does not yet support the pkg-map functionality, so
elements using pkg-map are not migrated. That support will come in the
near future.
Change-Id: I3d36adad317ba44326eabd95243d45807e2a8a16
The existing support for tar files in source-repositories saves
only the contents within subdirectories contained in the archive.
This change makes the selection of contents within the tarball user-
definable based on the REPOREF specified (or overridden in the env).
A REPOREF of '*' (the current default, but deprecated) will select
the contents of subdirectories within the archive, while '.' will
select the entire contents of the archive.
For reference:
http://lists.openstack.org/pipermail/openstack-dev/2014-August/043197.htmlhttp://lists.openstack.org/pipermail/openstack-dev/2014-August/043249.html
Change-Id: I45db42ce66bf1d63d6ab5730090bf458b1b37ce9
Problems were seen when building images in parallel with
git clones and fetches interfering with each other.
Stop it.
Co-Authored-By: Michael Kerrin <michael.kerrin@hp.com>
Change-Id: Iaa48f259755d8b22327459a5c6d224a342909aee
Add the ability to supply a gerrit ref in DIB_REPOREF_* and
have that reference fetched from the remote and checked out for
building within the image.
Closes-Bug: #1314021
Change-Id: I5e5742c4cbff98e14121c50dde5e512f192b5415
Co-Authored-By: Robert Collins <rbtcollins@hp.com>
As with the previous similar changes, this is intended to catch
problems as they happen instead of ignoring them and continuing on
to potentially fail later. Setting this on all existing scripts
will allow us to enforce use via Jenkins.
Change-Id: Iad2d490c86dceab148ea9ab08f457c49a5d5352e
* Create a standard element to copy manifests out of the image and
into the build area.
* Ensure all current manifests are copied into a standard manifests
directory
Change-Id: I37eff5a13a14564e1adc33eb4f0144d571267617
When the repository references are sha1s the fetch command used will
not work. This will ensure that all of the objects are still fetched,
and all of the local cache references for branches and tags will be
updated rather than just the specified reference in use.
Change-Id: Iad2554b3087a5da37dac6e9f6a72432d49fce83d
Closes-Bug: #1301435
Move whether the package or source install type is enabled out of the
source-repositories element and into the base element.
source-repositories wasn't a great fit for this functionality to begin
with.
Specify the install type for an element via the
DIB_INSTALLTYPE_<install_dir_prefix> environment variable.
Additionally with this approach, any new install type can be added
in an element, without having to update source-repositories or anything
in dib.
You could just write your install type implementation under
nova-foo-install, then define DIB_INSTALLTYPE_nova=foo in your
environment, and the scripts under nova-foo-install would get run during
the image build.
Source installs (any scripts under <install_dir_prefix>-source-install)
is the default install type for all elements.
Change-Id: I9414aca360c41e030e27d3d0c0a52d9d8e13d8b1
As git repositories are copied into the image make a note of their
details and add them to a manifest on the build system.
This allows the code used in building an image to be found after
the image build is completed without needing to open the image up
for inspection.
Change-Id: I7dbe9e163ad38a418cf2869a81e720de2c27dfb1
In 8b2325118f we added a line
so that 98-source-repositories tries to return from the top
level script (not from within a function).
Also, remove the return 1 within the function as well
because we just want to continue in these cases.
Change-Id: I66eddc12208b278594a0a8d8676c38d72045ca75
Looks like shells only support alphanumeric characters and "_"'s in
environment variables. We were substituting "-" characters but in
order to be able to set overrides in projects with names containing
other characters we need to substitute more, I'm looking at you
oslo.config.
Change-Id: I3e2b1b0bc5871e4ec4ffd8117906cd077aa2cb0d
Co-authored-by: James Polley <jp@jamezpolley.com>
This will allow us to add environment variables to source-repository
scripts. Useful for things like arch-specific download urls.
Change-Id: I4d046825a317dc88db3d7673ad261cedacd1a104
Testing showed that show-ref did not accurately determine whether a
git repository contained the given reference. Testing with name-rev
showed that it did.
Change the HAS_REF determination appropriately to avoid unnecessary
cache updates when using fixed references.
Change-Id: Iece213348516358af84417807f8dd36e959139eb
Add the DIB_GITREPOBASE variable to the source-repositories element
to enable global changing of git repository location.
Change-Id: Icfac5e103fce6e5a3f1a2db094144a0ed89fcc33
* Rename the cache directory for sources
Make the cache directory name match that of the element that creates
it. This makes it easier to find and more logically implies what
element created the cache directory.
* Add REPONAME to repository cache directory
For better usability add the reponame to the directory created
to cache it.
* Add migration code
Move pre-existing cache directories of the old name to the new name.
Change-Id: Ic62f19acb1746888ccbdf95eebf6e653f3e66357
The source-repositories element will now symlink the install scripts
corresponding to the set install type for an element into the install.d
directory.
Different install types are implemented by elements by writing scripts to do
the install type under install.d/<element-name>-<install-type>-install
directories.
For example, the nova element would provide:
nova/install.d/nova-package-install/74-nova
nova/install.d/nova-source-install/74-nova
source-repositories will create the following symlink for the package
install type:
$TMP_HOOKS_PATH/install.d/74-nova -> nova-package-install/74-nova
Or, for the source install type:
$TMP_HOOKS_PATH/install.d/74-nova -> nova-source-install/74-nova
Change-Id: I1bfaf39e5a98b2af904fbc6d674dbada30b27ed9
Adds a new "package" type to source-repositories. When the package type
is specified in an origin-repository-* file the package name and type
"package" need to be specified like so:
nova package
The existing map-packages mechanism can be used to map the specified
package name to the actual distribution package names. The
pre-configured package repositories on the image will be used to install
the packages during the install.d phase of the image build.
If the repo type is package, an environment.d hook script is updated
with an environment variable which is sourced by dib-run-parts. This is
so that other hooks, particularly in install.d, will know what repo type
was used and can make the correct decision about doing a source install
or not.
Change-Id: Ief4e524664cd32d2087aeb3b1766f05e017de91e
If we don't recognise git/tar/etc as source-repositories repotypes, we
now log the repotype, for debugging purposes.
Change-Id: I7b870807658441c928c7880291eb0284b6f97778
We now unconditionally cache the repositories being fetched with
source-repositories.
Additionally, by improving the way we handle repository refs, we are now
able to build images with code taken directly from gerrit reviews.
Change-Id: Ifd4c5691f6761eb5551663e6d0aa1c0e42afced3
Make the source-repositories element log which repo it's cloning from
so it's easier to tell what's going on.
Change-Id: I224f7bd98bc3d0ba94313dae9063d4ba4e25bdaa
Since we are using bash syntax in some of the element fragments,
we should make sure we use bash for all of them, so that things don't
break on systems where /bin/sh != /bin/bash.
Change-Id: If2f043c57aa4e1492b7f9839213ef6123f683612