From 7e9229c86d9f46105df20c280a8221ea41f3b4b7 Mon Sep 17 00:00:00 2001
From: Ian Wienand
Date: Fri, 9 Sep 2022 12:41:25 +1000
Subject: [PATCH] bootstrap-bridge: drop pip3 role, add venv

The pip3 role installs the latest upstream pip, overwriting the packaged versions. We would prefer to install things in venv/virtualenvs moving forward to keep better isolation. Unfortunately thanks to time the Bionic era packaged pip is so old that it can't install anything modern like Ansible. Thus we have to squash installing Ansible into a separate venv into this change as well. Although the venv created by default on the Bionic host also has an old pip, luckily we already worked around that in I81fd268a9354685496a75e33a6f038a32b686352 which provides a create-venv role that creates a fully updated venv for us. To minimise other changes, this symlinks ansible/ansible-playbook into /usr/local/bin. On our current production bastion host this will make a bit of a mess -- but we are looking at replacing that with a fresh system soon. The idea is that this new system will not be bootstrapped with a globally installed Ansible, so we won't have things lying around in multiple places.

Change-Id: I7551eb92bb6dc5918c367cc347f046ff562eab0c
---
playbooks/bootstrap-bridge.yaml | 31 +++++++++++-------
.../install-ansible/tasks/install_ara.yaml | 3 +-
.../roles/install-ansible/tasks/main.yaml | 23 ++++++++++++++
playbooks/zuul/run-base-post.yaml | 2 +-
testinfra/test_bridge.py | 2 +-
5 files changed, 45 insertions(+), 16 deletions(-)
diff --git a/playbooks/bootstrap-bridge.yaml b/playbooks/bootstrap-bridge.yaml
index ef0f0b01e4..73fa22d674 100644
--- a/playbooks/bootstrap-bridge.yaml
+++ b/playbooks/bootstrap-bridge.yaml
@@ -1,8 +1,7 @@ - hosts: bridge.openstack.org:!disabled name: "Bridge: bootstrap the bastion host" become: true - roles: - - pip3 + tasks: # Note for production use we expect to take the defaults; unit # test jobs override this to test with latest upstream ansible. # For example, if there is a fix on the ansible stable branch we 
@@ -10,14 +9,20 @@ # # install_ansible_name: '{{ bridge_ansible_name | default("git+https://github.com/ansible/ansible.git@stable-2.7") }}' # install_ansible_version: '{{ bridge_ansible_version | default(None) }}' - - role: install-ansible - install_ansible_name: '{{ bridge_ansible_name | default("ansible") }}' - install_ansible_version: '{{ bridge_ansible_version | default("4.0.0") }}' - install_ansible_openstacksdk_name: '{{ bridge_openstacksdk_name | default("openstacksdk") }}' - install_ansible_openstacksdk_version: '{{ bridge_openstacksdk_verison | default("latest") }}' - # NOTE(ianw): At 2018-12, ARA is only enabled during gate - # testing jobs as we decide if or how to store data on - # production bridge.o.o - install_ansible_ara_name: '{{ bridge_ara_name | default("ara[server]") }}' - install_ansible_ara_version: '{{ bridge_ara_version | default("latest") }}' - - root-keys + - name: Install ansible + include_role: + name: install-ansible + vars: + install_ansible_name: '{{ bridge_ansible_name | default("ansible") }}' + install_ansible_version: '{{ bridge_ansible_version | default("4.0.0") }}' + install_ansible_openstacksdk_name: '{{ bridge_openstacksdk_name | default("openstacksdk") }}' + install_ansible_openstacksdk_version: '{{ bridge_openstacksdk_verison | default("latest") }}' + # NOTE(ianw): At 2018-12, ARA is only enabled during gate + # testing jobs as we decide if or how to store data on + # production bridge.o.o + install_ansible_ara_name: '{{ bridge_ara_name | default("ara[server]") }}' + install_ansible_ara_version: '{{ bridge_ara_version | default("latest") }}' + + - name: Install root keys + include_role: + name: root-keys diff --git a/playbooks/roles/install-ansible/tasks/install_ara.yaml b/playbooks/roles/install-ansible/tasks/install_ara.yaml index ae9dd875ac..400abdaf67 100644 --- a/playbooks/roles/install-ansible/tasks/install_ara.yaml +++ b/playbooks/roles/install-ansible/tasks/install_ara.yaml 
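Review bot: The openstacksdk version override still reads `bridge_openstacksdk_verison` (misspelled), carried over unchanged from the removed lines into the new `vars:` block. If inventory or job variables define `bridge_openstacksdk_version`, that pin is silently ignored and the bastion installs `latest`; the line should read `install_ansible_openstacksdk_version: '{{ bridge_openstacksdk_version | default("latest") }}'`, unless the misspelled name is what callers actually set, which is not visible here. Because this play builds the bastion host, it would also be worth giving the openstacksdk and ARA defaults an explicit version, the way Ansible is pinned to 4.0.0, rather than tracking `latest`.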
@@ -24,9 +24,10 @@ name: '{{ install_ansible_ara_name | default("ara[server]") }}' version: '{{ _install_ansible_ara_version | default(omit) }}' state: '{{ _install_ansible_ara_state | default(omit) }}' + virtualenv: '/usr/ansible-venv' # For configuring the callback plugins location in ansible.cfg - name: Get ARA's location for callback plugins - command: python3 -m ara.setup.callback_plugins + command: /usr/ansible-venv/bin/python3 -m ara.setup.callback_plugins register: install_ansible_ara_callback_plugins changed_when: false diff --git a/playbooks/roles/install-ansible/tasks/main.yaml b/playbooks/roles/install-ansible/tasks/main.yaml index 6ba50a3868..6b47713d4f 100644 --- a/playbooks/roles/install-ansible/tasks/main.yaml +++ b/playbooks/roles/install-ansible/tasks/main.yaml @@ -1,3 +1,15 @@ +- name: Install python-venv package + package: + name: + - python3-venv + state: present + +- name: Create venv + include_role: + name: create-venv + vars: + create_venv_path: '/usr/ansible-venv' + # If install_ansible_version is not defined (note; not *empty*) it # should be "latest" - name: Set ansible default version to latest @@ -63,6 +75,16 @@ name: '{{ install_ansible_name | default("ansible") }}' version: '{{ _install_ansible_version | default(omit) }}' state: '{{ _install_ansible_state | default(omit) }}' + virtualenv: '/usr/ansible-venv' + +- name: Symlink to local + file: + src: '{{ item.src }}' + dest: '{{ item.dest }}' + state: link + loop: + - { src: '/usr/ansible-venv/bin/ansible-playbook', dest: '/usr/local/bin/ansible-playbook' } + - { src: '/usr/ansible-venv/bin/ansible', dest: '/usr/local/bin/ansible' } - name: Ansible version check command: 'ansible-playbook --version' 
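Review bot: The literal `/usr/ansible-venv` is repeated in the new `virtualenv:` line and the `command:` of this hunk, and again in the main.yaml hunks (`create_venv_path`, two more `virtualenv:` lines and both symlink sources). If one copy is changed and another is missed, pip would populate a different venv from the one the symlinks and the callback-plugin lookup point at. A single role default would prevent that, for example a new `install_ansible_venv_path: '/usr/ansible-venv'` referenced as `virtualenv: '{{ install_ansible_venv_path }}'` and `command: '{{ install_ansible_venv_path }}/bin/python3 -m ara.setup.callback_plugins'`. The task list continues outside the hunk.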
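Review bot: The new "Symlink to local" task in the second main.yaml hunk uses `state: link` without `force`, so on a host where `/usr/local/bin/ansible` and `/usr/local/bin/ansible-playbook` already exist as regular files from an earlier global pip install, the file module refuses to convert them and the play fails at this task. The commit message anticipates leftovers of that kind on the current production bastion; adding `force: true` to the task lets the links replace the old scripts. The "Ansible version check" that follows still runs `ansible-playbook --version` through PATH, so it may report a stale global copy rather than the venv one; `command: '/usr/ansible-venv/bin/ansible-playbook --version'` would check what was just installed. Other entry points such as `ansible-galaxy` are not linked and would presumably still resolve to any remaining global install. The version-check task continues outside the hunk.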
@@ -112,6 +134,7 @@ name: '{{ install_ansible_openstacksdk_name | default("openstacksdk") }}' version: '{{ _install_ansible_openstacksdk_version | default(omit) }}' state: '{{ _install_openstacksdk_state | default(omit) }}' + virtualenv: '/usr/ansible-venv' - name: Ensure /etc/ansible and /etc/ansible/hosts file: diff --git a/playbooks/zuul/run-base-post.yaml b/playbooks/zuul/run-base-post.yaml index 8bd90ab1dd..66faf3bf93 100644 --- a/playbooks/zuul/run-base-post.yaml +++ b/playbooks/zuul/run-base-post.yaml @@ -51,7 +51,7 @@ become: yes - name: Generate ARA static report - command: ara-manage generate /root/.ara/static + command: /usr/ansible-venv/bin/ara-manage generate /root/.ara/static become: yes - name: Collect testing ARA results diff --git a/testinfra/test_bridge.py b/testinfra/test_bridge.py index 339ed53bfd..13deeef512 100644 --- a/testinfra/test_bridge.py +++ b/testinfra/test_bridge.py @@ -58,7 +58,7 @@ def test_root_authorized_keys(host): def test_ara(host): - ara = host.run('ara-manage migrate') + ara = host.run('/usr/ansible-venv/bin/ara-manage migrate') assert ara.rc == 0 database = host.file('/root/.ara/server/ansible.sqlite') assert database.exists