Commit graph

1891 commits

Author SHA1 Message Date
Luong Anh Tuan
ff8ae43265 Replace yaml.load() with yaml.safe_load()
Avoid dangerous file parsing and object serialization libraries.
yaml.load is the obvious function to use but it is dangerous[1].
Because yaml.load returns a Python object, it may be dangerous if you
receive a YAML document from an untrusted source such as the
Internet. The function yaml.safe_load limits this ability to
simple Python objects like integers or lists.

In addition, Bandit flags yaml.load() as a security risk so replace
all occurrences with yaml.safe_load(). Thus I replace yaml.load()
with yaml.safe_load().

[1] https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html

Change-Id: I84640973fd9f45a69d2b21f6d594cd5bf10660a6
Closes-Bug: #1634265
2017-01-16 15:07:05 +07:00
Jenkins
50941b13bc Merge "Update documented default Ubuntu version" 2017-01-15 23:31:57 +00:00
Jenkins
1f75aea634 Merge "Handle failure of carrier check in dhcp-all-interfaces.sh" 2017-01-13 20:11:20 +00:00
Jenkins
753ab9a019 Merge "Make DHCP timeout configurable" 2017-01-13 06:19:54 +00:00
Jenkins
14957664d4 Merge "Fix Gentoo builds on Ubuntu 16.04 Xenial hosts" 2017-01-12 23:07:27 +00:00
Jenkins
b8a985fc02 Merge "Run dhcp-interface@.service after network.target" 2017-01-12 15:47:03 +00:00
Bob Fournier
f8eba14d99 Handle failure of carrier check in dhcp-all-interfaces.sh
As described in the bug, there are conditions with certain switches
in which the interface is 'admin down'ed during initialization.
Doing a 'cat' on /sys/class/net/<interface>/carrier when it is
'admin down'ed produces an 'Invalid Argument' error and the script
terminates.  What this fix does is ignore failures of the 'cat'
operation (by '|| echo 0') and place the link up inside the retry
loop.

Change-Id: I4f098aa5078b8482681394a3e9a6b17ed4bd4451
Closes-Bug: 1654046
2017-01-12 10:36:43 -05:00
Matthew Thode
6c5234e162 Fix Gentoo builds on Ubuntu 16.04 Xenial hosts
Xenial's bind of /dev into the chroot includes /dev/shm which is in
use by the host.  An alternative fix for this would be to use rbind
to recursively bind mount /dev instead of just the base bind of /dev

Change-Id: I2c0f70afd1e82dd52a522f0dd2b3ea618b30b6c6
2017-01-10 10:34:12 -06:00
Ben Nemec
ccd00b10b2 Make DHCP timeout configurable
As noted in the bug, there may be circumstances where a longer
timeout than the current default is needed.  This patch allows users
to tune this timeout for their environment if need be.

Change-Id: I173f3dad684894fbc3c27dece5ae15b5f63bae5a
Closes-Bug: 1654027
2017-01-04 15:41:04 -06:00
Ben Nemec
5bed4a6d5e Run dhcp-interface@.service after network.target
When we configure dhcp interfaces before network.target has run,
network.target will try to bring up those interfaces a second time
after our service does so.  This causes two issues - first, the
network target will always fail because it can't bring up an
interface that is already up, and second, when configuring interfaces
that don't actually have an available DHCP server it will result in
a five minute delay waiting for DHCP on those interfaces.  This will
also cause the network target to fail and is an unnecessary delay.

By moving the dhcp-interface service to run after the network
target we avoid both of these problems.  network.target will still
bring up the interfaces on subsequent boots.  This could result in
the five minute delay happening on reboots, but the expected use
case for interfaces without DHCP is that they would be configured
statically on initial deployment so this should be a minor issue.

The dhcp-interface service is also configured to run before the
network-online target so that services which depend on the network
actually being available will not race the DHCP process.

A snippet from /var/log/messages on a node with this patch applied
is included in the bug to demonstrate the behavior described above.

Change-Id: I5cfabf20f920beea52abf4c42362b6f6ac0b37c4
Closes-Bug: 1653812
2017-01-04 10:49:59 -06:00
Cady_Chen
1d4bb04853 Change "Openstack" to "OpenStack"
According to the word choice convention in
http://docs.openstack.org/contributor-guide/writing-style/word-choice.html
We should use OpenStack instead of Openstack.

Change-Id: I66f0bf9eb81593220eb0000fe8192c478e8d075d
2016-12-30 01:15:27 +00:00
Gregory Haynes
7603f97cad Revert "Revert Xenial to Python 2"
We landed the fix for this in
Icdb769541eee9793f261b4b8ec563be76ee13fe2.

This reverts commit 2978ff885b.

Change-Id: Iecfc41ab2aad57bc4f6f86a13810b534d19a8fd5
2016-12-22 14:26:35 +11:00
Pierre Riteau
0576d20d49 Update documented default Ubuntu version
Since commit fd5fbdd4b5 xenial is the
version used by default.

Change-Id: I18e01d806635539b2d6c8a4e6b2d25460647c910
2016-12-21 11:49:27 +00:00
Ian Wienand
2978ff885b Revert Xenial to Python 2
There are issues with pip packages and python3 only Xenial systems.
This is occurring after Ie609de51cc5fcde701296c9474e315981d9778a2.

We believe the issue is with VIRTUAL_ENV being set within the chroot
and messing up pip installs
(Icdb769541eee9793f261b4b8ec563be76ee13fe2) but a full solution is not
yet clear.

For now, set Xenial to ensure we use python2.  Install the package for
the ubuntu element (75-debian-minimal-baseinstall will install python2
for the minimal elements).

Change-Id: Id403919b0af93b375a900186c01a0d3a3bdfafea
2016-12-21 20:46:13 +11:00
Jenkins
9ee7acc5ee Merge "Increase func testing for ubuntu-minimal element" 2016-12-21 04:03:57 +00:00
Paul Belanger
d9dcb3fe99 Increase func testing for ubuntu-minimal element
Since we still run these 3 versions of ubuntu-minimal elements in
openstack-infra, also run functional testing for them.

Trusty and xenial will be in voting gate, precise added as skipped for
non-voting.

Add the default skip/run status to the "-l" output just to confirm
this too.

Change-Id: Icfbfd0cb7d9acae824972474b77e2fe0486c4f69
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-12-21 11:50:47 +11:00
Jenkins
c73e6b5ab1 Merge "Set grub timeout default" 2016-12-20 22:45:07 +00:00
Jenkins
f9055b938d Merge "Support sysv init system used by Debian Wheezy" 2016-12-20 03:31:31 +00:00
Ian Wienand
61087d33e9 Set grub timeout default
Set the grub timeout to 5 seconds by default, and add notes on how to
update this.  This will stop infra having to carry an element that
goes and rewrites the grub configuration.

Change-Id: I556b3f48eff1b67ee8c4b9b64f749af95100fb99
2016-12-20 11:46:22 +11:00
Jenkins
46af2452f7 Merge "Generate ssh-hostkeys on boot for ironic agent" 2016-12-19 22:55:30 +00:00
Jenkins
029b6dd3d5 Merge "set default DIB_PYTHON_VERSION=2 for rhel7" 2016-12-19 18:07:31 +00:00
Jenkins
bbe81c30be Merge "Switch to openSUSE Leap 42.2 release by default" 2016-12-19 08:40:32 +00:00
Noam Angel
4789aa317e set default DIB_PYTHON_VERSION=2 for rhel7
python 3 does not exist on minimal/KVM guest image. Set default python version
2 for rhel7 also.

Change-Id: Icbc10e742da8dded25625a1eed0a79065702837d
2016-12-19 07:31:34 +00:00
Jenkins
e0a2163157 Merge "Fix bootloader element on ppc" 2016-12-19 04:55:05 +00:00
Jenkins
b8e60d52ea Merge "Fix the DIB_CLOUD_INIT_ALLOW_SSH_PWAUTH variable name in README file" 2016-12-19 04:10:17 +00:00
Jenkins
9e9425ba3a Merge "Install dracut-generic-config package" 2016-12-19 02:58:55 +00:00
Ian Wienand
f6a02fbdb9 Install dracut-generic-config package
dracut has a "hostonly" mode where it builds an initramfs that is
suitable for booting the system it is building on.  This is on by
default, but obviously in our nested multi-platform chroot situation
this is fraught with danger.

As highlighted by [1] our builds were inadvertently turning off
"hostonly" mode when the mountpoints in the chroot were not found.
The CentOS 7.3 behaviour change broke this and we ended up with an
initramfs with no file-system modules.

Iaf2a1e8470f642bfaaaad3f9b7f26cfc8cc445c9 introduced a regeneration of
the initramfs, which I think does work as described because it runs in
the loopback device.

However, dracut includes a package that installs configuration
overrides to build a generic initramfs.  This is really what we want,
and should solve the problem no matter where the initramfs is created.

Add this package into yum-minimal and remove the extra re-create call
which should not be necessary.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1405238

Change-Id: I5d203f2abe743cb23a44d449850e692a948e7871
2016-12-17 16:37:55 +00:00
Dirk Mueller
54f4e12765 Switch to openSUSE Leap 42.2 release by default
openSUSE 13.1 was discontinued on Feb 3rd, 2016, so defaulting
to it doesn't make sense (see https://en.opensuse.org/Lifetime).

Leap 42.2 is the most current release that is supported by
disk-image-builder and being tested in a 3rd party ci.

Enable functests for it to ensure we're not regressing again.
Moved to non-voting gate first.

Depends-On: Iff495b3cd0b6c3558c44cf4883651eca67b572d6
Change-Id: Iae6cd34a5853f1e309861c554d94d8595cbd9993
2016-12-17 10:46:17 +01:00
Jeffrey Zhang
ba93e63145 Fix the DIB_CLOUD_INIT_ALLOW_SSH_PWAUTH variable name in README file
DIB_CLOUD_INIT_ALLOW_SSH_PWAUTH is the correct one.

Change-Id: I3813cadf21327fcc8d960deb43df2309d812a05a
2016-12-17 11:51:32 +08:00
Paul Belanger
6d82543682 Add ubuntu-precise support to dib-python
Change-Id: I2796da88d839ed49ec28ae7b139ede04af51f068
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-12-16 11:27:45 -05:00
Mikhail S Medvedev
9d7725b475 Fix bootloader element on ppc
For some reason [1] introduced -m option without ever checking that the
mapping exists. Because there is no grub-ieee1275 mapping anywhere (not
in base, not in bootloader), pkg-map fails. So stop using the mapping in
package-install of grub-ieee1275 on ppc.

There is another patch that tries to solve the same bug by adding the
mapping [2]. I think it is better to undo the breakage introduced in [1]
first, and then, if various distributions have differing names for the
package, introduce various mappings. My reasoning is that at the moment
this element is broken for all ppc64 distributions. This patch would
fix it for some (namely, Ubuntu). Then we can add mappings as tests
are done for other distributions.

[1] Ibca43173c30c2a74a73a2e2d9dd6d6d832c62694
[2] Id2b0f63a7015f883070fd59b79fd96a1c024858a

Change-Id: I8425876c26e9e416c8ce2f53a4e38d26b4208633
Closes-Bug: #1624021
2016-12-15 18:10:29 -06:00
Ian Wienand
a72645f431 Recreate initramfs within loopback image
dracut has a loop [1] where it probes top-level directories, tries to
find what block device they are on, then determines the file-system of
that block device.  It then puts those file-system modules into the
initramfs for boot.

Since we install the kernel package during the chroot phase, / there
is not a block device and thus this loop matches nothing and we end up
with no file-system modules in the initramfs.  This results in a very
annoying silent boot hang.

By moving re-generation of dracut into finalise.d phase, we run inside
the final image where / is the loop-device; the root file-system gets
detected correctly and the ext4 module is included correctly.

[1] http://git.kernel.org/cgit/boot/dracut/dracut.git/tree/dracut.sh?h=RHEL-7#n1041

Change-Id: Iaf2a1e8470f642bfaaaad3f9b7f26cfc8cc445c9
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-12-15 12:37:00 -05:00
Peter Stachowski
280896759a Pip install as 10- incompatible with 05-heat-cfntools
Tripleo-image-elements have an install.d file '05-heat-cfntools' that runs
the following command:

virtualenv --setuptools $VENV

With the recent change to diskimage-builder (moving the install of pip
and virtualenv to the 10- range) virtualenv is no longer available for
this element; as a side-effect, the trove kick-start command is now
broken and gate jobs are failing.

The solution is to move the (now) 10-install-pip to 04-install-pip.
This should still alleviate the race condition that
https://review.openstack.org/#/c/408277/ attempted to fix, as all
*-package-installs files are 00-, 01- or 02-.

Change-Id: Ia4e01f00c4c5e9a2087df1e2a91d9154480a0422
Closes-Bug: #1650008
2016-12-14 20:50:00 +00:00
Saverio Proto
3417bd6298 Support sysv init system used by Debian Wheezy
Change-Id: Ia6ca11ab78f16a51aba7b627c72c615c184d338d
2016-12-14 15:53:04 +01:00
Markos Chandras
339ecee2b2 elements: dib-python: Add python2 as the default version for openSUSE
Commit 6278371eaa13("Make dib-python use the default python for distro")
added default python version for various distros but it missed openSUSE
which leads to build failures since the openSUSE elements are pulling
python2 packages. Add openSUSE to the list of python2 distributions
until python3 support for the openSUSE elements is in place.

Change-Id: I95f1fa849a22607c430387a2a915f9d19c9c209f
2016-12-14 09:38:45 +00:00
Jenkins
5a64c9e9cf Merge "Fix pip-and-virtualenv to work with python3" 2016-12-14 07:18:32 +00:00
Jenkins
d1ca1b1957 Merge "Catch errors in DIB_INIT_SYSTEM export" 2016-12-14 07:14:10 +00:00
Gregory Haynes
3e777cd8f4 Fix pip-and-virtualenv to work with python3
We are explicitly calling python in this element which does not work on
systems which only have python3.

Change-Id: Ia730850a48e2478fd5461710a9d2619408725cd8
2016-12-14 17:14:02 +11:00
Jenkins
8565867734 Merge "Allow package-installs to parse DIB_PYTHON_VERSION" 2016-12-14 02:23:47 +00:00
Gregory Haynes
ecae8dcbd5 Allow package-installs to parse DIB_PYTHON_VERSION
Now that we are explicit about what python version we intend to use
for dib we can have package installs optionally install packages
depending on this.  Add a new dib_python_version that matches on the
DIB_PYTHON_VERSION string set by dib-python.

Co-Authored-By: Adam Harwell <flux.adam@gmail.com>
Change-Id: I70659aab7d12924bdb9bc0489a7f02d5fd0dbb39
2016-12-14 12:13:40 +11:00
Jenkins
d981d6b0cc Merge "Add install-types as pip-and-virtualenv dep" 2016-12-14 00:57:45 +00:00
Jenkins
95b6c1b00b Merge "Move pip-and-virtualenv source install to 10-" 2016-12-14 00:36:19 +00:00
Gregory Haynes
a1dfe505ea Add install-types as pip-and-virtualenv dep
This element supports install-types so we need to depend on it.

Change-Id: Ib1193673ca1c1a1cafe0006eabef981a01c87781
2016-12-14 11:21:11 +11:00
Gregory Haynes
6ddbb457d6 Move pip-and-virtualenv source install to 10-
We currently have this as a 01- script which causes it to race with
package-installs (the deps are installed after the script runs).

Change-Id: I7b04b4c186eaae783b8e2bda1aa724c0d7823eab
2016-12-14 11:07:12 +11:00
Jenkins
b34c5db441 Merge "Update sysctl-write-value to do conflict checking" 2016-12-14 00:04:55 +00:00
Jenkins
a52a82036e Merge "DIB element to support cinder local attach/detach functionality" 2016-12-13 23:58:36 +00:00
Jenkins
8ddbc6425d Merge "Make dib-python use the default python for distro" 2016-12-13 23:28:50 +00:00
Ben Nemec
bf5af6155c Don't set the executable bit on dhcp-interface@.service
systemd doesn't like it when service files have the executable bit
so this causes it to spam the journal with messages like:

Configuration file /usr/lib/systemd/system/dhcp-interface@.service is
marked executable. Please remove executable permission bits.
Proceeding anyway.

Removing the executable bit from the install permissions should
eliminate those messages.

Change-Id: Ie1bc39465b3fcb55dcda5cee9e46a128a6ccffcb
2016-12-12 10:55:03 -06:00
Gregory Haynes
6278371eaa Make dib-python use the default python for distro
Right now dib-python works by trying to find any python on a system in
an order of precedence. A much better way is if we are explicit about
the python we intend to be there which will allow us to make better
decisions in other elements (such as allowing for package-installs to
take into account DIB_PYTHON_VERSION) as well as allow for users to
specify a preferred python version.

Co-Authored-By: Adam Harwell <flux.adam@gmail.com>
Change-Id: Ie609de51cc5fcde701296c9474e315981d9778a2
2016-12-09 09:25:37 -08:00
Michael Johnson
2e82d7f214 Update sysctl-write-value to do conflict checking
Adds conflict checking to the sysctl-write-value script
to detect settings from multiple elements conflicting.

Change-Id: If312d199388036d6f4103e94dca99249cb3bcbaf
2016-12-06 22:58:20 +00:00