From 86262ae2ff82feac37fd34227b4199d642a14247 Mon Sep 17 00:00:00 2001
From: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
Date: Tue, 12 Sep 2017 07:18:27 -0600
Subject: [PATCH] Skip host pip installs for ansible bootstrap

The requirements.txt contents do not need to be
installed on to the host. The majority of the
requirements are for ansible, or for release
and management tooling which needs to use the
Ansible runtime venv.

Rather than forcing the installation of pip on
the host, we only install virtualenv via distro
packages (where possible). With virtualenv in
place we can create the runtime venv and install
pip, etc and all requirements into there.

Doing this keeps the system python libraries as
clean as possible, preventing clashes with other
packages (eg: ceph) which try to install other
python libraries which conflict on CentOS.

Change-Id: I0db786645c11649764680697518c97ddf9610cfa
(cherry picked from commit b95eafb0eeaaa8700b1293aec9a68b252602af00)
---
 deploy-guide/source/configure.rst |  4 +--
 lib/manage.py                     |  2 +-
 scripts/bootstrap-ansible.sh      | 50 ++++++++++++++++++++-----------
 scripts/pw-token-gen.py           |  2 +-
 4 files changed, 36 insertions(+), 22 deletions(-)

diff --git a/deploy-guide/source/configure.rst b/deploy-guide/source/configure.rst
index c38675aad2..88611375a6 100644
--- a/deploy-guide/source/configure.rst
+++ b/deploy-guide/source/configure.rst
@@ -174,8 +174,8 @@ values for the variables in each file that contains service credentials:
 
 .. code-block:: shell-session
 
-   # cd /opt/openstack-ansible/scripts
-   # python pw-token-gen.py --file /etc/openstack_deploy/user_secrets.yml
+   # cd /opt/openstack-ansible
+   # ./scripts/pw-token-gen.py --file /etc/openstack_deploy/user_secrets.yml
 
 To regenerate existing passwords, add the ``--regen`` flag.
 
diff --git a/lib/manage.py b/lib/manage.py
index 69b87ba05d..fef794307f 100644
--- a/lib/manage.py
+++ b/lib/manage.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/opt/ansible-runtime/bin/python
 #
 # Copyright 2014, Rackspace US, Inc.
 #
diff --git a/scripts/bootstrap-ansible.sh b/scripts/bootstrap-ansible.sh
index 6dbdd62997..fb6e667227 100755
--- a/scripts/bootstrap-ansible.sh
+++ b/scripts/bootstrap-ansible.sh
@@ -64,6 +64,10 @@ case ${DISTRO_ID} in
           python2 python2-devel \
           openssl-devel libffi-devel \
           libselinux-python
+          # CentOS base does not include a recent
+          # enough version of virtualenv or pip,
+          # so we do not bother trying to install
+          # them.
         ;;
     ubuntu)
         apt-get update
@@ -71,7 +75,7 @@ case ${DISTRO_ID} in
           git-core curl gcc netcat \
           python2.7 python2.7-dev \
           libssl-dev libffi-dev \
-          python-apt
+          python-apt python-virtualenv
         ;;
 esac
 
@@ -93,24 +97,34 @@ UPPER_CONSTRAINTS_PROTO=$([ "$PYTHON_VERSION" == $(echo -e "$PYTHON_VERSION\n2.7
 # Set the location of the constraints to use for all pip installations
 export UPPER_CONSTRAINTS_FILE=${UPPER_CONSTRAINTS_FILE:-"$UPPER_CONSTRAINTS_PROTO://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt?id=$(awk '/requirements_git_install_branch:/ {print $2}' playbooks/defaults/repo_packages/openstack_services.yml)"}
 
-# Install pip on the host if it is not already installed,
-# but also make sure that it is at least version 9.x or above.
-PIP_VERSION=$(pip --version 2>/dev/null | awk '{print $2}' | cut -d. -f1)
-if [[ "${PIP_VERSION}" -lt "9" ]]; then
-  get_pip ${PYTHON_EXEC_PATH}
-  # Ensure that our shell knows about the new pip
-  hash -r pip
-fi
+# Install virtualenv if it is not already installed,
+# but also make sure it is at least version 13.x or above
+# so that it supports using the no-pip, no-setuptools
+# and no-wheels options (the last one was added in v13.0.0).
+VIRTUALENV_VERSION=$(virtualenv --version 2>/dev/null | cut -d. -f1)
+if [[ "${VIRTUALENV_VERSION}" -lt "13" ]]; then
+
+  # Install pip on the host if it is not already installed,
+  # but also make sure that it is at least version 7.x or above
+  # so that it supports the use of the constraint option which
+  # was added in pip 7.1.
+  PIP_VERSION=$(pip --version 2>/dev/null | awk '{print $2}' | cut -d. -f1)
+  if [[ "${PIP_VERSION}" -lt "7" ]]; then
+    get_pip ${PYTHON_EXEC_PATH}
+    # Ensure that our shell knows about the new pip
+    hash -r pip
+  fi
 
-# Install the requirements for the various python scripts
-# on to the host, including virtualenv.
-pip install ${PIP_OPTS} \
-  --requirement requirements.txt \
-  --constraint ${UPPER_CONSTRAINTS_FILE} \
-  || pip install ${PIP_OPTS} \
-       --requirement requirements.txt \
-       --constraint ${UPPER_CONSTRAINTS_FILE} \
-       --isolated
+  pip install ${PIP_OPTS} \
+    --constraint ${UPPER_CONSTRAINTS_FILE} \
+    virtualenv \
+    || pip install ${PIP_OPTS} \
+         --constraint ${UPPER_CONSTRAINTS_FILE} \
+         --isolated \
+         virtualenv
+  # Ensure that our shell knows about the new virtualenv
+  hash -r virtualenv
+fi
 
 # Create a Virtualenv for the Ansible runtime
 virtualenv --python="${PYTHON_EXEC_PATH}" \
diff --git a/scripts/pw-token-gen.py b/scripts/pw-token-gen.py
index 388ce8a195..aee559d585 100755
--- a/scripts/pw-token-gen.py
+++ b/scripts/pw-token-gen.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/opt/ansible-runtime/bin/python
 # Copyright 2014, Rackspace US, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");