CFE-1124: Install ansible using pip instead of rpm #20
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: arkadeepsen The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
arkadeepsen
force-pushed
the
ansible-core
branch
3 times, most recently
from
2ba27f3
to
f429941
Compare
arkadeepsen
force-pushed
the
ansible-core
branch
2 times, most recently
from
56b540d
to
055157e
Compare
|
/test all |
|
/retest |
1 similar comment
|
/retest |
arkadeepsen
force-pushed
the
ansible-core
branch
2 times, most recently
from
39f84f0
to
a9dfd45
Compare
arkadeepsen
changed the title
|
@arkadeepsen: This pull request references CFE-1124 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "4.18.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
openshift-ci-robot
added
the
jira/valid-reference
arkadeepsen
force-pushed
the
ansible-core
branch
6 times, most recently
from
66c3432
to
cb12ea5
Compare
arkadeepsen
changed the title
|
@arkadeepsen: This pull request references CFE-1124 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "4.18.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
arkadeepsen
force-pushed
the
ansible-core
branch
3 times, most recently
from
01e052b
to
4f8cfa9
Compare
arkadeepsen
force-pushed
the
ansible-core
branch
from
ce8a18a
to
d0fe4e7
Compare
| RUN python3 -m pip install pipenv==2023.11.15 \ | ||
| && python3 -m pip install pip-tools \ | ||
| && pipenv install --deploy \ | ||
| && pipenv run pip freeze --all > ./requirements.in \ |
There was a problem hiding this comment.
It is better to have check for cve using pipenv check or safety to fail-fast before the building the requirements.
There was a problem hiding this comment.
How do we proceed if there are CVEs reported by pipenv check? The Pipfile and the Pipfile.lock are what we have from upstream. Do we go upstream first and update the files and then pull it downstream?
There was a problem hiding this comment.
Depends on the timeline commitments. If the downstream release can wait till there is a release from upstream, then upstream fixes can rebased. Otherwise, the upstream carry commits can be created. Once the fix is available from upstream, the carry PRs can be dropped.
There was a problem hiding this comment.
Found the following vulnerabilities after using pipenv check --ignore 70612 --ignore 71064:
20.87 Checking Pipfile.lock packages for vulnerabilities...
20.87 Notice: Ignoring Vulnerabilities 70612, 71064
22.84 +==============================================================================+
22.84
22.84 /$$$$$$ /$$
22.84 /$$__ $$ | $$
22.84 /$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$
22.84 /$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$
22.84 | $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$
22.84 \____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$
22.84 /$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$
22.84 |_______/ \_______/|__/ \_______/ \___/ \____ $$
22.84 /$$ | $$
22.84 | $$$$$$/
22.84 by pyup.io \______/
22.84
22.84 +==============================================================================+
22.84
22.84 REPORT
22.84
22.84 Safety v2.3.2 is scanning for Vulnerabilities...
22.84 Scanning dependencies in your files:
22.84
22.84 -> /tmp/-x-v5uFv0wqfu2bdb_requirements.txt
22.84
22.84 Found and scanned 37 packages
22.84 Timestamp 2024-09-19 16:09:39
22.84 5 vulnerabilities found
22.84 2 vulnerabilities ignored
22.84
22.84 +==============================================================================+
22.84 VULNERABILITIES FOUND
22.84 +==============================================================================+
22.84
22.84 -> Vulnerability found in certifi version 2024.2.2
22.84 Vulnerability ID: 72083
22.84 Affected spec: >=2021.05.30,<2024.07.04
22.84 ADVISORY: Certifi affected versions recognized root certificates from
22.84 GLOBALTRUST. Certifi patch removes these root certificates from the root...
22.84 CVE-2024-39689
22.84 For more information, please visit
22.84 https://data.safetycli.com/v/72083/742
22.84
22.84
22.84 -> Vulnerability found in cryptography version 42.0.7
22.84 Vulnerability ID: 71681
22.84 Affected spec: <42.0.8
22.84 ADVISORY: The `cryptography` library has updated its BoringSSL and
22.84 OpenSSL dependencies in CI due to a security concern. Specifically, the...
22.84 CVE-2024-4603
22.84 For more information, please visit
22.84 https://data.safetycli.com/v/71681/742
22.84
22.84
22.84 -> Vulnerability found in jinja2 version 3.1.4
22.84 Vulnerability ID: 70612
22.84 This vulnerability is being ignored.
22.84 For more information, please visit
22.84 https://data.safetycli.com/v/70612/742
22.84
22.84
22.84 -> Vulnerability found in requests version 2.31.0
22.84 Vulnerability ID: 71064
22.84 This vulnerability is being ignored.
22.84 For more information, please visit
22.84 https://data.safetycli.com/v/71064/742
22.84
22.84
22.84 -> Vulnerability found in setuptools version 69.5.1
22.84 Vulnerability ID: 72236
22.84 Affected spec: <70.0.0
22.84 ADVISORY: Affected versions of Setuptools allow for remote code
22.84 execution via its download functions. These functions, which are used to...
22.84 CVE-2024-6345
22.84 For more information, please visit
22.84 https://data.safetycli.com/v/72236/742
22.84
22.84
22.84 -> Vulnerability found in urllib3 version 1.26.18
22.84 Vulnerability ID: 71608
22.84 Affected spec: <=1.26.18
22.84 ADVISORY: Urllib3's ProxyManager ensures that the Proxy-Authorization
22.84 header is correctly directed only to configured proxies. However, when...
22.84 CVE-2024-37891
22.84 For more information, please visit
22.84 https://data.safetycli.com/v/71608/742
22.84
22.84
22.84 -> Vulnerability found in zipp version 3.18.1
22.84 Vulnerability ID: 72132
22.84 Affected spec: <3.19.1
22.84 ADVISORY: A Denial of Service (DoS) vulnerability exists in the
22.84 jaraco/zipp library. The vulnerability is triggered when processing a...
22.84 CVE-2024-5569
22.84 For more information, please visit
22.84 https://data.safetycli.com/v/72132/742
22.84
22.84 Scan was completed. 5 vulnerabilities were found. 2 vulnerabilities from 2
22.84 packages were ignored.
22.84
22.84 +==============================================================================+
22.84 REMEDIATIONS
22.84
22.84 5 vulnerabilities were found in 5 packages. For detailed remediation & fix
22.84 recommendations, upgrade to a commercial license.
22.84
22.84 +==============================================================================+How should we proceed now?
There was a problem hiding this comment.
I addition to this we have to install cryptography using rpm as it cannot be built using cachito. Following are the versions available for cryptography:
bash-5.1$ yum --showduplicates list python3-cryptography
Last metadata expiration check: 0:03:40 ago on Thu Sep 19 17:10:30 2024.
Installed Packages
python3-cryptography.x86_64 36.0.1-2.el9 @ubi-9-appstream-rpms
Available Packages
python3-cryptography.x86_64 36.0.1-2.el9 ubi-9-appstream-rpms
bash-5.1$ yum --showduplicates list python3.11-cryptography
Last metadata expiration check: 0:03:58 ago on Thu Sep 19 17:10:30 2024.
Available Packages
python3.11-cryptography.x86_64 37.0.2-6.el9 ubi-9-appstream-rpms
bash-5.1$ yum --showduplicates list python3.12-cryptography
Last metadata expiration check: 0:04:01 ago on Thu Sep 19 17:10:30 2024.
Available Packages
python3.12-cryptography.x86_64 41.0.7-1.el9 ubi-9-appstream-rpms
There was a problem hiding this comment.
We can drop c42e6b6 whenever we pull in the changes from upstream after operator-framework/ansible-operator-plugins#92 is merged.
There was a problem hiding this comment.
Updated the Pipfile to pin urllib3 version to 2.31.0 because of this issue:
The requirements.txt file is also updated
There was a problem hiding this comment.
Updated the Pipfile to pin urllib3 version to 2.31.0 because of this issue:
Did you mean requests = "==2.31.0"? Because urllib3 is at urllib3 = "~=1.26.19"
https://github.com/openshift/ansible-operator-plugins/pull/20/files#diff-85c2285c39846cfb1ab26c4373213d7c91c4705e10d590b41c4d9503127fe812L10-L12
There was a problem hiding this comment.
Ah yes. My bad. It's requests package which is pinned to 2.31.0.
arkadeepsen
force-pushed
the
ansible-core
branch
7 times, most recently
from
560c156
to
94d4d98
Compare
|
/lgtm |
|
Adding some documentation with the steps to update the requirements or changing the dependent packages would help. |
…ages with vulnerabilities
…mage Add Dockerfile.requirements for generating the requirements.txt and requirments-build.txt files from the upstream Pipfile Add make target to generate the requirements Add make target to check if the current requirements.txt and requirements-build.txt files are up-to-date Update Dockerfile to use cachito specific env vars for installing the python modules using pip Remove unused shell scripts and inline the user creation script in the Dockerfile Update base images to rhel9 in Dockerfile
arkadeepsen
force-pushed
the
ansible-core
branch
from
532bfba
to
d930942
Compare
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
|
/lgtm |
|
@arkadeepsen: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
openshift-ci
bot
added
the
qe-approved
|
@arkadeepsen: This pull request references CFE-1124 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "4.18.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/cherrypick release-4.17 |
|
@arkadeepsen: new pull request created: #21 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
[ART PR BUILD NOTIFIER] Distgit: openshift-enterprise-ansible-operator |
Description of the change:
This PR updates the Dockerfile to use pip instead of rpm to install ansible dependencies.
Following changes are made in this PR:
Motivation for the change:
In rhel8, ansible-core rpm uses python3.12, while the other ansible dependencies (ansible-runner, ansible-runner-http, python3-kubenetes, python3-openshit) use python3.6. This is causing ansible-runner to not find ansible during runtime of the operator created using the ansible-operator base image.
In rhel9, the various dependencies of ansible (ansible-runner, ansible-runner-http, python3-kubenetes, python3-openshit) will not be available as part of rpm packages.
For the above reasons ansible is being installed using pip instead of rpm.