Ensure python tooling requires hashes, bump builders trusty->xenial #3477
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This change helps maintain that each developer is pulling the exact same resources, help mitigate against nefarious actors in the pip pipeline, and solve male baldness.
The biggest win was this includes a much more recent version of pip so we dont have the problem of trying to update pip using unsafe commands (without hash verification).
Ansible doesnt like jinja in when statements and we can utilize AND by converting the previous multi-line statement to a list.
* Makes sure we dont wreck the short lived container python tooling * Utilize the require-hashes for installs * Make sure we know what version of pip/wheel we are using
This test is now covered by the security test checker. Which confirms that specifically no security updates are needed.
With latest python pip hash changes, the developer trusty container's native pip version has no idea how to process those hashes.
heartsucker
suggested changes
May 25, 2018
| @@ -0,0 +1,28 @@ | |||
| #!/bin/bash | |||
| # | |||
| # Needs to be run from repo root directory | |||
There was a problem hiding this comment.
You can add this to ensure it's always run at the repo root. Portable across Linux/Mac.
get_script_dir() {
declare src="${BASH_SOURCE[0]}"
declare dir=
while [ -h "$src" ]; do
dir="$(cd -P "$( dirname "$src")" && pwd)"
src="$(readlink "$src")"
[[ $src != /* ]] && src="$dir/$src"
done
cd -P "$(dirname "$src")" && pwd
}
cd "$(get_script_dir)/../../"| ossec_download.stat.md5 == "{{ ossec_md5_checksum }}" and | ||
| ossec_download.stat.checksum == "{{ ossec_sha1_checksum }}") | ||
| when: | ||
| - not ossec_download.stat.exists |
There was a problem hiding this comment.
This logic isn't the same. You need to add a != for the other two to get the correct negations.
| @@ -1,9 +1,9 @@ | |||
| # April 28th, 2018 ubuntu:trusty | |||
| FROM ubuntu@sha256:b8855dc848e2622653ab557d1ce2f4c34218a9380cceaa51ced85c5f3c8eb201 | |||
| # ubuntu:xenial-20180417 | |||
This is intentional since there's like eggs and wheels and all sorts of other ways to actually install the software. Look at the bottom of the page for |
|
On a fresh checkout gives me this on |
|
yeahh thanks for the early review @heartsucker ... its obviously not ready for merge right now ... i also encountered breaking tests during local development that i wasnt able to fix. if someone else wants to step in and help out here ❤️ ❤️ otherwise im going to jump to some other tasks for a few days. I kind of did this ticket on a whim and I thought it would be easy-peasy...that older pip issue ended up causing a lot of headache and will require more work. |
9 tasks
|
now that we're on xenial only for the 0.13.x release series, closing in favor of #4435 ❤️ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change helps maintain that each developer is pulling the exact same
resources, help mitigate against nefarious actors in the pip pipeline,
and solve male baldness.
Status
Work in Progress
Description of Changes
Kinda, sorta addresses #3270 .
Doesn't do anything to squash the multiple hashes for some packages tho.
Changes proposed in this pull request:
pip install -U pipbefore that. Sooooo I made the call to jump the builders to xenial which has a much newer version of pip pre-installed.On a side note, our quay Clare scanner reported dramatically less vulnerabilities when using xenial vs. trusty. Take that report with a grain of salt but hey i consider this a win.
Testing
How should the reviewer test this PR?
vagrant up /staging/comes up.Deployment
Any special considerations for deployment?
This doesn't dramatically change deployment story but it does update a lot of the tooling behind the builder.