pungi/0004-kojiwrapper-Make-result-of-runroot-world-readable.patch

From c8e03cfba196719e80c953c3d197653ef84716ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubom=C3=ADr=20Sedl=C3=A1=C5=99?= <lsedlar@redhat.com>
Date: Tue, 29 May 2018 08:38:09 +0200
Subject: [PATCH 4/4] kojiwrapper: Make result of runroot world readable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The commands in runroot run as root every time. If they create files
that are not readable to other users, the reset of compose could have
problems with it if it does not run as root too. Particularly updates
composes in Bodhi run under apache user.

Relates: https://pagure.io/pungi/issue/932
Signed-off-by: Lubomír Sedlář <lsedlar@redhat.com>
---
 pungi/phases/ostree_installer.py     |  3 ++-
 pungi/wrappers/kojiwrapper.py        |  7 ++++++-
 tests/test_koji_wrapper.py           | 18 ++++++++++++++++++
 tests/test_ostree_installer_phase.py |  3 ++-
 4 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/pungi/phases/ostree_installer.py b/pungi/phases/ostree_installer.py
index abcb1572..572edbbb 100644
--- a/pungi/phases/ostree_installer.py
+++ b/pungi/phases/ostree_installer.py
@@ -174,7 +174,8 @@ class OstreeInstallerThread(WorkerThread):
                                         channel=runroot_channel,
                                         use_shell=True, task_id=True,
                                         packages=packages, mounts=[compose.topdir],
-                                        weight=compose.conf['runroot_weights'].get('ostree_installer'))
+                                        weight=compose.conf['runroot_weights'].get('ostree_installer'),
+                                        destdir=output_dir)
         output = koji.run_runroot_cmd(koji_cmd, log_file=log_file)
         if output["retcode"] != 0:
             raise RuntimeError("Runroot task failed: %s. See %s for more details."
diff --git a/pungi/wrappers/kojiwrapper.py b/pungi/wrappers/kojiwrapper.py
index f89640ca..b8d56791 100644
--- a/pungi/wrappers/kojiwrapper.py
+++ b/pungi/wrappers/kojiwrapper.py
@@ -66,7 +66,9 @@ class KojiWrapper(object):
     def _get_cmd(self, *args):
         return ["koji", "--profile=%s" % self.profile] + list(args)
 
-    def get_runroot_cmd(self, target, arch, command, quiet=False, use_shell=True, channel=None, packages=None, mounts=None, weight=None, task_id=True, new_chroot=False):
+    def get_runroot_cmd(self, target, arch, command, quiet=False, use_shell=True,
+                        channel=None, packages=None, mounts=None, weight=None,
+                        task_id=True, new_chroot=False, destdir=None):
         cmd = self._get_cmd("runroot")
 
         if quiet:
@@ -109,6 +111,9 @@ class KojiWrapper(object):
 
         # HACK: remove rpmdb and yum cache
         command = "rm -f /var/lib/rpm/__db*; rm -rf /var/cache/yum/*; set -x; " + command
+
+        if destdir:
+            command += "; chmod a+r %s" % shlex_quote(destdir)
         cmd.append(command)
 
         return cmd
diff --git a/tests/test_koji_wrapper.py b/tests/test_koji_wrapper.py
index 7bf13773..4a14aed6 100644
--- a/tests/test_koji_wrapper.py
+++ b/tests/test_koji_wrapper.py
@@ -416,6 +416,24 @@ class RunrootKojiWrapperTest(KojiWrapperBaseTestCase):
                                '--task-id', '--weight=1000', '--package=some_other_package',
                                '--package=lorax', '--mount=/tmp'])
 
+    def test_with_destdir(self):
+        cmd = self.koji.get_runroot_cmd('tgt', 's390x', ['/bin/echo', '&'],
+                                        quiet=True, channel='chan',
+                                        packages=['lorax', 'some_other_package'],
+                                        mounts=['/tmp'], weight=1000, destdir="/output dir")
+        self.assertEqual(len(cmd), 14)
+        self.assertEqual(cmd[:3], ['koji', '--profile=custom-koji', 'runroot'])
+        self.assertEqual(cmd[-3], 'tgt')
+        self.assertEqual(cmd[-2], 's390x')
+        self.assertEqual(
+            cmd[-1],
+            "rm -f /var/lib/rpm/__db*; rm -rf /var/cache/yum/*; set -x; /bin/echo '&'; chmod a+r '/output dir'"
+        )
+        self.assertItemsEqual(cmd[3:-3],
+                              ['--channel-override=chan', '--quiet', '--use-shell',
+                               '--task-id', '--weight=1000', '--package=some_other_package',
+                               '--package=lorax', '--mount=/tmp'])
+
     @mock.patch('pungi.wrappers.kojiwrapper.run')
     def test_run_runroot_cmd_no_task_id(self, run):
         cmd = ['koji', 'runroot']
diff --git a/tests/test_ostree_installer_phase.py b/tests/test_ostree_installer_phase.py
index f44ca4ef..859b18da 100644
--- a/tests/test_ostree_installer_phase.py
+++ b/tests/test_ostree_installer_phase.py
@@ -142,7 +142,8 @@ class OstreeThreadTest(helpers.PungiTestCase):
                                     'rm -rf %s && %s' % (outdir, ' '.join(lorax_cmd)),
                                     channel=None, mounts=[self.topdir],
                                     packages=['pungi', 'lorax', 'ostree'],
-                                    task_id=True, use_shell=True, weight=weight)])
+                                    task_id=True, use_shell=True, weight=weight,
+                                    destdir=outdir)])
         self.assertEqual(koji.run_runroot_cmd.call_args_list,
                          [mock.call(koji.get_runroot_cmd.return_value,
                                     log_file='%s/%s/runroot.log' % (self.topdir, LOG_PATH))])
-- 
2.14.3