<fix>[conf]: Isolating ansible with python venv by MatheMatrix · Pull Request #1347 · zstackio/zstack

MatheMatrix · 2023-12-03T04:00:16Z

Since there will be manually installed python pacakges at the system level, this may cause ansible installnation failed due to conflicts. Therefore, install ansible into a new python virtual environment at /var/lib/zstack/virtualenv/zstacksys.

Resolves: ZSTAC-56494

Change-Id: I6a6165736a62686b61736c6963787765636c7670

Summary by CodeRabbit

新功能
- 在系统工具安装过程中增加了对Ansible特定版本的检查。如果未发现该版本，则会自动安装所需版本。
- 安装过程中新增了setuptools的安装。
改进
- 优化了Ansible安装和检查的逻辑，提高了安装过程的效率和准确性。
- 在执行与Ansible相关的命令前，现在会先激活虚拟环境，以确保环境的一致性和隔离性。

Since there will be manually installed python pacakges at the system level, this may cause ansible installnation failed due to conflicts. Therefore, install ansible into a new python virtual environment at /var/lib/zstack/virtualenv/zstacksys. Resolves: ZSTAC-56494 Change-Id: I6a6165736a62686b61736c6963787765636c7670

coderabbitai · 2023-12-03T04:00:25Z

Walkthrough

本次更新主要涉及zstack-sys工具的安装和设置。更新增加了检查特定版本的Ansible是否存在的逻辑，若不存在，则会安装所需版本。同时，如果需要安装，则会在/usr/bin下创建ansible和ansible-playbook的可执行脚本。此外，Ansible的初始化和运行函数也进行了修改，包括在执行Ansible相关命令前激活虚拟环境，以及安装过程中加入了setuptools。

Changes

文件路径	更改摘要
conf/tools/install.sh	添加了检查特定版本Ansible的逻辑；若未发现则安装所需版本，并在`/usr/bin`创建可执行脚本。新增全局变量`SYS_VIRENV_PATH`和`NEED_INSTALL`。
core/src/.../AnsibleFacadeImpl.java	修改了`init`和`run`函数。`init`函数中重构了检查和安装Ansible的逻辑，并新增了`setuptools`的安装。`run`函数中增加了在执行Ansible命令前激活虚拟环境的步骤。

🐇
代码如兔脚轻快跃，
更新迭代不停歇。
Ansible舞，虚拟环境启，
工具更强，开发者悦。

Tips

Chat with CodeRabbit Bot (`@coderabbitai`)

If you reply to a review comment from CodeRabbit, the bot will automatically respond.
To engage with CodeRabbit bot directly around the specific lines of code in the PR, mention @coderabbitai in your review comment
Note: Review comments are made on code diffs or files, not on the PR overview.
Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Commands (invoked as PR comments)

@coderabbitai pause to pause the reviews on a PR.
@coderabbitai resume to resume the paused reviews.
@coderabbitai review to trigger a review. This is useful when automatic reviews are disabled for the repository.
@coderabbitai resolve resolve all the CodeRabbit review comments.
@coderabbitai help to get help.

Note: For conversation with the bot, please use the review comments on code diffs or files.

CodeRabbit Configration File (`.coderabbit.yaml`)

You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
The JSON schema for the configuration file is available here.
If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/coderabbit-overrides.v2.json

coderabbitai

Review Status

Actionable comments generated: 4

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between 3352921 and ce67d5f.

Files selected for processing (2)

conf/tools/install.sh (1 hunks)
core/src/main/java/org/zstack/core/ansible/AnsibleFacadeImpl.java (2 hunks)

Additional comments: 1

core/src/main/java/org/zstack/core/ansible/AnsibleFacadeImpl.java (1)

244-258: 在 run 函数中，激活虚拟环境的命令是通过源激活脚本来完成的，这是标准做法。但是，需要确保在执行 Ansible 命令之前，虚拟环境被正确激活，并且环境变量没有被不当地修改。

coderabbitai · 2023-12-03T04:01:52Z

core/src/main/java/org/zstack/core/ansible/AnsibleFacadeImpl.java

            placePip703();
-            placeAnsible4100();
-
-            ShellUtils.run(String.format("if ! sudo ansible --version | grep -q 'core 2.11.12'; then " +
-                    "if grep -i -s -E 'centos|rocky' /etc/system-release; then " +
-                    "sudo yum remove -y ansible; " +
-                    "elif grep -i -s ubuntu /etc/issue; then " +
-                    "sudo apt-get --assume-yes remove ansible; " +
-                    "else echo \"Warning: can't remove ansible from unknown platform\"; " +
+            placeAnsible196();
+
+            ShellUtils.run(String.format(
+                    "NEED_INSTALL=false; " +
+                    "if [ -d /var/lib/zstack/virtualenv/zstacksys ]; then " +
+                    ". /var/lib/zstack/virtualenv/zstacksys/bin/activate; " +
+                    "if ! ansible --version | grep -q 'core 2.11.12'; then " +
+                    "deactivate; " +
+                    "NEED_INSTALL=true; " +
                    "fi; " +
-                    "sudo pip uninstall -y ansible; " +
-                    "sudo pip install -i file://%s --trusted-host localhost -I setuptools==39.2.0; " +
-                    "sudo pip install -i file://%s --trusted-host localhost -I ansible==4.10.0; " +
-                    "fi", AnsibleConstant.PYPI_REPO, AnsibleConstant.PYPI_REPO), false);
+                    "else " +
+                    "NEED_INSTALL=true; "+
+                    "fi; " +
+                    "if $NEED_INSTALL; then " +
+                    "sudo bash -c 'rm -rf /var/lib/zstack/virtualenv/zstacksys && virtualenv /var/lib/zstack/virtualenv/zstacksys --python=python2.7; "+
+                    ". /var/lib/zstack/virtualenv/zstacksys/bin/activate; "+
+                    "pip install -i file://%s --trusted-host localhost -I setuptools==39.2.0; "+
+                    "pip install -i file://%s --trusted-host localhost -I ansible==4.10.0'; "+
+                    "fi" , AnsibleConstant.PYPI_REPO, AnsibleConstant.PYPI_REPO), false);


在 init 函数中，检查 Ansible 版本的逻辑似乎是硬编码的，这可能会在未来的更新中导致问题。此外，脚本中使用 sudo 可能会带来安全风险。建议使用配置文件或环境变量来管理 Ansible 版本，以及审查 sudo 的使用，确保它是必要的并且安全。

- if ! ansible --version | grep -q 'core 2.11.12'; then + # 应该使用配置文件或环境变量来管理版本 - sudo bash -c 'rm -rf /var/lib/zstack/virtualenv/zstacksys && virtualenv /var/lib/zstack/virtualenv/zstacksys --python=python2.7; + # 审查 sudo 的使用，确保它是必要的并且安全

Committable suggestion

❗ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

placePip703();

placeAnsible4100();

ShellUtils.run(String.format("if ! sudo ansible --version | grep -q 'core 2.11.12'; then " +

"if grep -i -s -E 'centos|rocky' /etc/system-release; then " +

"sudo yum remove -y ansible; " +

"elif grep -i -s ubuntu /etc/issue; then " +

"sudo apt-get --assume-yes remove ansible; " +

"else echo \"Warning: can't remove ansible from unknown platform\"; " +

placeAnsible196();

ShellUtils.run(String.format(

"NEED_INSTALL=false; " +

"if [ -d /var/lib/zstack/virtualenv/zstacksys ]; then " +

". /var/lib/zstack/virtualenv/zstacksys/bin/activate; " +

"if ! ansible --version | grep -q 'core 2.11.12'; then " +

"deactivate; " +

"NEED_INSTALL=true; " +

"fi; " +

"sudo pip uninstall -y ansible; " +

"sudo pip install -i file://%s --trusted-host localhost -I setuptools==39.2.0; " +

"sudo pip install -i file://%s --trusted-host localhost -I ansible==4.10.0; " +

"fi", AnsibleConstant.PYPI_REPO, AnsibleConstant.PYPI_REPO), false);

"else " +

"NEED_INSTALL=true; "+

"fi; " +

"if $NEED_INSTALL; then " +

"sudo bash -c 'rm -rf /var/lib/zstack/virtualenv/zstacksys && virtualenv /var/lib/zstack/virtualenv/zstacksys --python=python2.7; "+

". /var/lib/zstack/virtualenv/zstacksys/bin/activate; "+

"pip install -i file://%s --trusted-host localhost -I setuptools==39.2.0; "+

"pip install -i file://%s --trusted-host localhost -I ansible==4.10.0'; "+

"fi" , AnsibleConstant.PYPI_REPO, AnsibleConstant.PYPI_REPO), false);

placePip703();

placeAnsible196();

ShellUtils.run(String.format(

"NEED_INSTALL=false; " +

"if [ -d /var/lib/zstack/virtualenv/zstacksys ]; then " +

". /var/lib/zstack/virtualenv/zstacksys/bin/activate; " +

"# 应该使用配置文件或环境变量来管理版本 " +

"if ! ansible --version | grep -q 'core 2.11.12'; then " +

"deactivate; " +

"NEED_INSTALL=true; " +

"fi; " +

"else " +

"NEED_INSTALL=true; "+

"fi; " +

"if $NEED_INSTALL; then " +

"# 审查 sudo 的使用，确保它是必要的并且安全 " +

"sudo bash -c 'rm -rf /var/lib/zstack/virtualenv/zstacksys && virtualenv /var/lib/zstack/virtualenv/zstacksys --python=python2.7; "+

". /var/lib/zstack/virtualenv/zstacksys/bin/activate; "+

"pip install -i file://%s --trusted-host localhost -I setuptools==39.2.0; "+

"pip install -i file://%s --trusted-host localhost -I ansible==4.10.0'; "+

"fi" , AnsibleConstant.PYPI_REPO, AnsibleConstant.PYPI_REPO), false);

coderabbitai · 2023-12-03T04:01:52Z

conf/tools/install.sh

+elif [ $tool = 'zstack-sys' ]; then
+    SYS_VIRENV_PATH=/var/lib/zstack/virtualenv/zstacksys
+    NEED_INSTALL=false
+    if [ -d $SYS_VIRENV_PATH ]; then
+        . $SYS_VIRENV_PATH/bin/activate
+        if ! ansible --version | grep -q 'core 2.11.12.3'; then
+          deactivate
+          NEED_INSTALL=true
+        fi
+    else
+        NEED_INSTALL=true
+    fi
+    if $NEED_INSTALL; then
+        rm -rf $SYS_VIRENV_PATH && virtualenv $SYS_VIRENV_PATH --python=python2.7 || exit 1
+        . $SYS_VIRENV_PATH/bin/activate
+        cd $cwd
+        pip install -i $pypi_path --trusted-host localhost --ignore-installed setuptools==39.2.0 || exit 1
+        pip install -i $pypi_path --trusted-host localhost --ignore-installed ansible==4.10.0 || exit 1
+
+        cat > /usr/bin/ansible << EOF
+#! /bin/sh
+VIRTUAL_ENV=/var/lib/zstack/virtualenv/zstacksys
+if [ ! -d $VIRTUAL_ENV ]; then
+    echo "Need to install zstacksys before using it"
+    exit 1
+fi
+
+LANG=en_US.UTF-8
+LC_ALL=en_US.utf8
+export LANG LC_ALL
+. ${VIRTUAL_ENV}/bin/activate
+
+ansible \$@
+EOF
+        chmod +x /usr/bin/ansible
+
+        cat > /usr/bin/ansible-playbook << EOF
+#! /bin/sh
+VIRTUAL_ENV=/var/lib/zstack/virtualenv/zstacksys
+if [ ! -d $VIRTUAL_ENV ]; then
+    echo "Need to install zstacksys before using it"
+    exit 1
+fi
+
+LANG=en_US.UTF-8
+LC_ALL=en_US.utf8
+export LANG LC_ALL
+. ${VIRTUAL_ENV}/bin/activate
+
+ansible-playbook \$@
+EOF
+        chmod +x /usr/bin/ansible-playbook
+    fi


在安装 Ansible 时，脚本直接写入 /usr/bin，这可能需要 root 权限。如果脚本没有以适当的权限运行，这可能会导致安全问题或失败。建议检查脚本是否以 root 权限运行，或者提供一个更安全的方式来创建这些可执行脚本，例如使用系统的包管理器或将它们放在非全局路径中。

coderabbitai · 2023-12-03T04:01:52Z

conf/tools/install.sh

+        NEED_INSTALL=true
+    fi
+    if $NEED_INSTALL; then
+        rm -rf $SYS_VIRENV_PATH && virtualenv $SYS_VIRENV_PATH --python=python2.7 || exit 1


脚本使用 rm -rf 来删除现有的虚拟环境，这是一个破坏性操作，如果路径中包含错误或变量未设置，可能会非常危险。建议在执行此操作之前添加更多的检查，以确保路径是正确的，并且变量已经设置。

脚本使用了 virtualenv --python=python2.7，这表明它依赖于 Python 2.7。由于 Python 2.7 已经达到生命周期的终点，这可能是一个潜在的问题。如果可能，建议将脚本迁移到 Python 3，以确保长期的兼容性和安全性。

删除之前检查什么呢

@MatheMatrix 在执行删除操作之前，应该检查 SYS_VIRENV_PATH 变量确实已经被设置，并且不是指向根目录(/)或用户的主目录(~)。这可以通过添加一些条件语句来实现，例如：

if [ -n "$SYS_VIRENV_PATH" ] && [ "$SYS_VIRENV_PATH" != "/" ] && [ "$SYS_VIRENV_PATH" != "~" ]; then rm -rf $SYS_VIRENV_PATH else echo "Dangerous SYS_VIRENV_PATH set: '$SYS_VIRENV_PATH'. Aborting." exit 1 fi

这样可以防止脚本在变量为空或指向关键系统目录时执行危险的删除操作。

Merge branch 'master' into test-feature1/test1

d004f7a

coderabbitai bot reviewed Dec 3, 2023

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

<fix>[conf]: Isolating ansible with python venv#1347

<fix>[conf]: Isolating ansible with python venv#1347
MatheMatrix wants to merge 2 commits intozstackio:masterfrom
MatheMatrix:test-feature1/test1

MatheMatrix commented Dec 3, 2023 •

edited by coderabbitai bot

Loading

Uh oh!

coderabbitai bot commented Dec 3, 2023 •

edited

Loading

Chat with CodeRabbit Bot (`@coderabbitai`)

CodeRabbit Commands (invoked as PR comments)

CodeRabbit Configration File (`.coderabbit.yaml`)

Uh oh!

coderabbitai bot left a comment

Uh oh!

coderabbitai bot Dec 3, 2023

Uh oh!

coderabbitai bot Dec 3, 2023

Uh oh!

coderabbitai bot Dec 3, 2023 •

edited

Loading

Uh oh!

MatheMatrix Dec 3, 2023

Uh oh!

coderabbitai bot Dec 3, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

MatheMatrix commented Dec 3, 2023 • edited by coderabbitai bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

coderabbitai bot commented Dec 3, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Chat with CodeRabbit Bot (@coderabbitai)

CodeRabbit Commands (invoked as PR comments)

CodeRabbit Configration File (.coderabbit.yaml)

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Dec 3, 2023

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Dec 3, 2023

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Dec 3, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

MatheMatrix Dec 3, 2023

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Dec 3, 2023

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

MatheMatrix commented Dec 3, 2023 •

edited by coderabbitai bot

Loading

coderabbitai bot commented Dec 3, 2023 •

edited

Loading

Chat with CodeRabbit Bot (`@coderabbitai`)

CodeRabbit Configration File (`.coderabbit.yaml`)

coderabbitai bot Dec 3, 2023 •

edited

Loading