From a78934672738ffc3a74495172534ed50c6f7f658 Mon Sep 17 00:00:00 2001
From: Steven Dake <stdake@cisco.com>
Date: Sat, 26 Mar 2016 10:11:32 -0700
Subject: [PATCH] Fix gate to use world writeable docker socket

A recent change related to sudo securepath broke how sudo -E
works.  Now the PATH is reset by sudo as set by tox.  As a result
we can no longer rely on sudo -E anywhere in our gating system
relating to PATH inheritance from the parent shell.

This patch uses a shell operation in the setup_nodes.yml code
to chmod the docker socket to 666 so docker containers can build
properly.  Now docker operations don't return a permission denied
and we no longer require the sudo -E operation in any of our tox
scripts.  This isn't a security vulnerability because our gate
scripts are only meant to be run in OpenStack infrastructure.
To make this more clear I recommend moving these shell scripts to
tests/gate.

Change-Id: I5b3d6e280e3c12a25defedb14b5589ba642043fa
Closes-Bug: #1562383
---
 tools/setup_nodes.yml |  3 +++
 tox.ini               | 28 +++++++++++-----------------
 2 files changed, 14 insertions(+), 17 deletions(-)

diff --git a/tools/setup_nodes.yml b/tools/setup_nodes.yml
index 82ca8ae6c..d37cdaab3 100644
--- a/tools/setup_nodes.yml
+++ b/tools/setup_nodes.yml
@@ -26,3 +26,6 @@
 
   - name: Run node setup
     shell: sudo /tmp/setup.sh
+
+  - name: Changing permissions of docker socket to 666
+    shell: sudo chmod 0666 /run/docker.sock
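Review bot: `chmod 0666 /run/docker.sock` hands the Docker API to every local uid, which is root-equivalent control of the host (any process can start a privileged container with `/` bind-mounted), yet the task carries none of the justification the commit message gives, so a reader of setup_nodes.yml sees an unexplained world-writable socket. At minimum record the assumption next to the task, e.g. `# Gate-only: a 0666 docker socket gives any local user root-equivalent control of this host; acceptable only on single-use OpenStack CI nodes, never on a developer or shared box.` The docker daemon presumably recreates the socket with its default mode whenever it restarts, so any later step that restarts docker (outside this hunk, e.g. inside /tmp/setup.sh or a deploy script) would silently undo the chmod and bring the permission-denied failure back. The least-privilege alternative that also survives restarts is to add the gate user to the `docker` group in setup.sh and run the build through `sg docker -c '...'` instead of widening the socket; if the chmod stays, `become: yes` with the `file` module (`path=/run/docker.sock mode=0666`) is the idempotent form rather than `shell: sudo chmod`.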
diff --git a/tox.ini b/tox.ini
index 40fa81bc1..eaddde96a 100644
--- a/tox.ini
+++ b/tox.ini
@@ -42,61 +42,56 @@ commands =
 [testenv:build-centos-binary]
 whitelist_externals = find
                       bash
-                      sudo
 setenv =
   DOCKER_BUILD_TEST=1
 commands =
   find . -type f -name "*.pyc" -delete
   bash -c "if [ ! -d .testrepository ]; then testr init; fi"
-  sudo -E -g docker testr run test_build.BuildTestCentosBinary
+  testr run test_build.BuildTestCentosBinary
   {toxinidir}/tools/dump_info.sh
 
 [testenv:build-centos-source]
 whitelist_externals = find
                       bash
-                      sudo
 setenv =
   DOCKER_BUILD_TEST=1
 commands =
   find . -type f -name "*.pyc" -delete
   bash -c "if [ ! -d .testrepository ]; then testr init; fi"
-  sudo -E -g docker testr run test_build.BuildTestCentosSource
+  testr run test_build.BuildTestCentosSource
   {toxinidir}/tools/dump_info.sh
 
 [testenv:build-ubuntu-source]
 whitelist_externals = find
                       bash
-                      sudo
 setenv =
   DOCKER_BUILD_TEST=1
 commands =
   find . -type f -name "*.pyc" -delete
   bash -c "if [ ! -d .testrepository ]; then testr init; fi"
-  sudo -E -g docker testr run test_build.BuildTestUbuntuSource
+  testr run test_build.BuildTestUbuntuSource
   {toxinidir}/tools/dump_info.sh
 
 [testenv:build-oraclelinux-binary]
 whitelist_externals = find
                       bash
-                      sudo
 setenv =
   DOCKER_BUILD_TEST=1
 commands =
   find . -type f -name "*.pyc" -delete
   bash -c "if [ ! -d .testrepository ]; then testr init; fi"
-  sudo -E -g docker testr run test_build.BuildTestOracleLinuxBinary
+  testr run test_build.BuildTestOracleLinuxBinary
   {toxinidir}/tools/dump_info.sh
 
 [testenv:build-oraclelinux-source]
 whitelist_externals = find
                       bash
-                      sudo
 setenv =
   DOCKER_BUILD_TEST=1
 commands =
   find . -type f -name "*.pyc" -delete
   bash -c "if [ ! -d .testrepository ]; then testr init; fi"
-  sudo -E -g docker testr run test_build.BuildTestOracleLinuxSource
+  testr run test_build.BuildTestOracleLinuxSource
   {toxinidir}/tools/dump_info.sh
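Review bot: With `sudo -E -g docker` gone, these build envs now run `testr` as the plain tox user and silently depend on the socket having been made world-writable by tools/setup_nodes.yml; anyone running `tox -e build-centos-binary` on an ordinary workstation will get a bare permission-denied from docker (assuming the default unix-socket DOCKER_HOST) with no hint of why. A one-line precheck in each env's commands makes the dependency explicit, e.g. `bash -c "test -w /run/docker.sock || { echo 'docker socket not writable: run tools/setup_nodes.yml (gate) or join the docker group' >&2; exit 1; }"` before the `testr run` line. The same applies to the deploy envs further down, whose `whitelist_externals` blocks are outside this hunk and must still list `sudo` for `deploy_aio.sh`.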
 
 [testenv:deploy-centos-binary]
@@ -108,7 +103,7 @@ setenv =
 commands =
   find . -type f -name "*.pyc" -delete
   bash -c "if [ ! -d .testrepository ]; then testr init; fi"
-  sudo -E -g docker testr run test_build.DeployTestCentosBinary
+  testr run test_build.DeployTestCentosBinary
   sudo {toxinidir}/tools/deploy_aio.sh centos binary
   {toxinidir}/tools/dump_info.sh
 
@@ -121,7 +116,7 @@ setenv =
 commands =
   find . -type f -name "*.pyc" -delete
   bash -c "if [ ! -d .testrepository ]; then testr init; fi"
-  sudo -E -g docker testr run test_build.DeployTestCentosSource
+  testr run test_build.DeployTestCentosSource
   sudo {toxinidir}/tools/deploy_aio.sh centos source
   {toxinidir}/tools/dump_info.sh
 
@@ -134,7 +129,7 @@ setenv =
 commands =
   find . -type f -name "*.pyc" -delete
   bash -c "if [ ! -d .testrepository ]; then testr init; fi"
-  sudo -E -g docker testr run test_build.DeployTestOracleLinuxBinary
+  testr run test_build.DeployTestOracleLinuxBinary
   sudo {toxinidir}/tools/deploy_aio.sh oraclelinux binary
   {toxinidir}/tools/dump_info.sh
 
@@ -147,7 +142,7 @@ setenv =
 commands =
   find . -type f -name "*.pyc" -delete
   bash -c "if [ ! -d .testrepository ]; then testr init; fi"
-  sudo -E -g docker testr run test_build.DeployTestOracleLinuxSource
+  testr run test_build.DeployTestOracleLinuxSource
   sudo {toxinidir}/tools/deploy_aio.sh oraclelinux source
   {toxinidir}/tools/dump_info.sh
 
@@ -160,20 +155,19 @@ setenv =
 commands =
   find . -type f -name "*.pyc" -delete
   bash -c "if [ ! -d .testrepository ]; then testr init; fi"
-  sudo -E -g docker testr run test_build.DeployTestUbuntuSource
+  testr run test_build.DeployTestUbuntuSource
   sudo {toxinidir}/tools/deploy_aio.sh ubuntu source
   {toxinidir}/tools/dump_info.sh
 
 [testenv:deploy-multinode-ubuntu-source]
 whitelist_externals = find
                       bash
-                      sudo
 setenv =
   DOCKER_BUILD_TEST=1
 commands =
   find . -type f -name "*.pyc" -delete
   bash -c "if [ ! -d .testrepository ]; then testr init; fi"
-  sudo -E -g docker testr run test_build.BuildTestUbuntuSource
+  testr run test_build.BuildTestUbuntuSource
   {toxinidir}/tools/dump_info.sh
 
 [testenv:genconfig]
-- 
GitLab