Bug 1420855 - ceph-ansible installs six and docker-py from PyPI with pip
Summary: ceph-ansible installs six and docker-py from PyPI with pip
Alias: None
Product: Red Hat Storage Console
Classification: Red Hat
Component: ceph-ansible
Version: 3
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 2
Assignee: Sébastien Han
QA Contact: Rachana Patel
Depends On:
TreeView+ depends on / blocked
Reported: 2017-02-09 16:07 UTC by Ken Dreyer (Red Hat)
Modified: 2017-06-19 13:16 UTC (History)
8 users (show)

Fixed In Version: ceph-ansible-2.2.1-1.el7scon
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-06-19 13:16:50 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1496 0 normal SHIPPED_LIVE ceph-installer, ceph-ansible, and ceph-iscsi-ansible update 2017-06-19 17:14:02 UTC

Description Ken Dreyer (Red Hat) 2017-02-09 16:07:39 UTC
Description of problem:
roles/ceph-osd/tasks/docker/pre_requisite.yml contains the following:

 - name: install docker-py
      name: docker-py
     state: latest
   when: ansible_version['full'] | version_compare('', '>=')

Version-Release number of selected component (if applicable):
ceph-ansible master

How reproducible:

Steps to Reproduce:
1. Enable docker support in ceph-ansible config as documented at https://docs.google.com/document/d/1Ef5a_-Yjozy5Ue3C0M7mMQNn6zWZe0-514bhxKwFHI8/edit?ts=576a3d95
2. Run ceph-ansible

Actual results:
Ansible tries to install docker-py from PyPI

Expected results:
Ansible should use an RPM-packaged version of docker-py that Red Hat ships and GPG-signs for security and stability. Third party libraries are not installed on a customer's system.

Additional info:

Comment 2 Ken Dreyer (Red Hat) 2017-02-09 16:10:30 UTC
The "six" module is also installed from PyPI.

 # NOTE (jimcurtis): need at least version 1.9.0 of six or we get:
 # re:NameError: global name 'DEFAULT_DOCKER_API_VERSION' is not defined
 - name: install six
     name: six
     version: 1.9.0

Comment 3 seb 2017-02-09 17:51:28 UTC
Ken, just to make sure I understand, getting python package from pip is not something we allow?
All python packages should come from a package with a source of trust? Like our repos, right? :)

Comment 4 Ken Dreyer (Red Hat) 2017-02-09 17:59:45 UTC
Right. Currently we must not download anything directly from PyPI or other non-Red Hat locations on the internet for our downstream product.

Comment 5 Andrew Schoen 2017-03-03 17:39:46 UTC
This should be in the next version after the 2.1 series.

Upstream PR: https://github.com/ceph/ceph-ansible/pull/1328

Comment 9 errata-xmlrpc 2017-06-19 13:16:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.