Implements "make clean" target #3532
Conversation
conorsch
force-pushed
the
makefile-clean-target
branch
from
8f5445c to
227d949
Compare
Codecov Report
@@ Coverage Diff @@
## develop #3532 +/- ##
===========================================
- Coverage 85.12% 85.04% -0.09%
===========================================
Files 37 37
Lines 2367 2367
Branches 260 260
===========================================
- Hits 2015 2013 -2
- Misses 289 290 +1
- Partials 63 64 +1
Continue to review full report at Codecov.
|
| @@ -147,6 +147,18 @@ self-signed-https-certs: ## Generates self-signed certs for TESTING the HTTPS co | |||
| vagrant-package: ## Package up a vagrant box of the last stable SD release | |||
| @devops/scripts/vagrant_package.sh | |||
|
|
|||
| .PHONY: clean | |||
| clean: ## DANGER! Purges all site-specific info and developer files from project. | |||
There was a problem hiding this comment.
what about adding a wee confirmation prompt (something like this) such that we minimize chance of someone accidentally running make clean not understanding what they are doing? Admittedly unlikely but since it's a simple change it's probably worthwhile
|
Would it not also make sense to make this reset a dev env by adding something like if hash vagrant &> /dev/null; then
vagrand destroy -f
fi |
|
i would also like to target blowing away docker containers here .. im happy to add it but ill also make another ticket if you think its out of scope. We'll have to add labels to all the containers first so we can better target them for removal |
|
Implemented the suggestions requested by @redshiftzero and @heartsucker. Example output: Only the string |
devops/clean
Outdated
| printf "\\n" | ||
| case "${user_confirmation}" in | ||
| yes ) remove_unwanted_files;; | ||
| * ) printf "Action declined, exiting...\\n" |
There was a problem hiding this comment.
I would vote for an exit 1 here.
There was a problem hiding this comment.
Motivated by https://github.com/koalaman/shellcheck/wiki/SC1117, but I agree it's confusing. Will revise.
There was a problem hiding this comment.
Hmm I guess either way works then? Damn bash is so weird. I swear I will never fully understand it.
| # Cleans all build artifacts and custom config from the repo. | ||
| # Intended for use on developer workstations. Should NOT be run | ||
| # on production Admin Workstations. | ||
| set -e |
There was a problem hiding this comment.
This set -e doesn't propagate to the remove_unwanted_files function which is probably where we want it?
There was a problem hiding this comment.
Oh, but it does!
$ git diff
diff --git a/devops/clean b/devops/clean
index 6ccdbb8ff..99243c3f3 100755
--- a/devops/clean
+++ b/devops/clean
@@ -8,6 +8,11 @@ set -u
function remove_unwanted_files() {
+ echo "BEFORE FALSE"
+ false
+ echo "AFTER FALSE"
+ exit 5
+
# Remove any Onion URL info from previous instances.
rm -vf install_files/ansible-base/app-source-ths \
install_files/ansible-base/app-ssh-aths \
$ make clean
WARNING: Proceeding will destroy all local customizations, including
application configuration, user credentials, Onion URLs, static assets,
VMs, and all git-ignored files. It is NOT possible to undo these changes!
To proceed, type 'yes': yes
BEFORE FALSE
Makefile:152: recipe for target 'clean' failed
make: *** [clean] Error 1
The "AFTER FALSE" message never appears, due to set -e halting execution of the script.
There was a problem hiding this comment.
Wow, I learned that wrong ages ago and just never relied on it in functions. Well never mind then :)
Resets the project to a pristine state. Explicitly removes dangling files from previous VM incarnations, such as "app-source-ths", "config.py", and "build/*.deb". Additionally runs `git clean -f -x`, which will purge all gitignored files from the directory. Anything prod-related, such as a pubkey for OSSEC email alerts, or the *site-specific vars file* will be removed. Admins should never run this command, since it will destroy site-specific info. The project documentation instructs Admins to use the `securedrop-admin` script, and the `Makefile` is only for developers. Therefore it seems safe to include a destructive action like this, given that it is not included in Admin-facing documentation. Closes #2395.
Allows us a bit more flexibility, e.g. prompting user for confirmation, to avoid mistakes. Sprinkled in liberal comments to make it obvious to future maintainers what's what.
More comprehensive "make clean" behavior, including removal of: * Vagrant VMs * Molecule VMs * temporary git repos cloned by Molecule (for upgrade testing) * git-clean even gitignored directories The output is fairly verbose, so it's obvious to the developer what's been changed in the environment.
conorsch
force-pushed
the
makefile-clean-target
branch
from
7984b65 to
1c12363
Compare
|
Revised, according to feedback from @redshiftzero and @heartsucker. |
devops/clean
Outdated
| if hash vagrant &> /dev/null && [[ -d .vagrant/ ]] | ||
| then | ||
| printf "Removing vagrant VMs\\n" | ||
| vagrant destroy -f > /dev/null |
There was a problem hiding this comment.
So my initial recommendation was a little off. vagrant destroy -f returns non-zero if there are no live VMs (which is counter to what -f mean for most remove commands). This needs to be guarded with || echo 'No VMs removed.' perhaps.
There was a problem hiding this comment.
@heartsucker The conditional block avoids the non-zero exit, since it checks for existence of the .vagrant/ dir. In general I'm a fan of verbose scripts, but the rest of the script prints deletions if-and-only-if they occurred, so I'm inclined to omit further changes here in the interest of consistency.
There was a problem hiding this comment.
Hmm even with set -x, I get some failures.
$ vagrant up /staging/ --no-provision && make clean
Bringing machine 'mon-staging' up with 'virtualbox' provider...
Bringing machine 'app-staging' up with 'virtualbox' provider...
==> mon-staging: Importing base box 'bento/ubuntu-14.04'...
==> mon-staging: Matching MAC address for NAT networking...
==> mon-staging: Checking if box 'bento/ubuntu-14.04' is up to date...
==> mon-staging: A newer version of the box 'bento/ubuntu-14.04' is available! You currently
==> mon-staging: have version '201803.24.0'. The latest is version '201806.08.0'. Run
==> mon-staging: `vagrant box update` to update.
==> mon-staging: Setting the name of the VM: securedrop_mon-staging_1530607282211_90442
==> mon-staging: Clearing any previously set network interfaces...
==> mon-staging: Preparing network interfaces based on configuration...
mon-staging: Adapter 1: nat
mon-staging: Adapter 2: hostonly
==> mon-staging: Forwarding ports...
mon-staging: 22 (guest) => 2222 (host) (adapter 1)
==> mon-staging: Booting VM...
==> mon-staging: Waiting for machine to boot. This may take a few minutes...
mon-staging: SSH address: 127.0.0.1:2222
mon-staging: SSH username: vagrant
mon-staging: SSH auth method: private key
==> mon-staging: Machine booted and ready!
==> mon-staging: Checking for guest additions in VM...
==> mon-staging: Setting hostname...
==> mon-staging: Configuring and enabling network interfaces...
==> mon-staging: Machine not provisioned because `--no-provision` is specified.
==> app-staging: Importing base box 'bento/ubuntu-14.04'...
==> app-staging: Matching MAC address for NAT networking...
==> app-staging: Checking if box 'bento/ubuntu-14.04' is up to date...
==> app-staging: A newer version of the box 'bento/ubuntu-14.04' is available! You currently
==> app-staging: have version '201803.24.0'. The latest is version '201806.08.0'. Run
==> app-staging: `vagrant box update` to update.
==> app-staging: Setting the name of the VM: securedrop_app-staging_1530607313654_20237
==> app-staging: Fixed port collision for 22 => 2222. Now on port 2200.
==> app-staging: Clearing any previously set network interfaces...
==> app-staging: Preparing network interfaces based on configuration...
app-staging: Adapter 1: nat
app-staging: Adapter 2: hostonly
==> app-staging: Forwarding ports...
app-staging: 22 (guest) => 2200 (host) (adapter 1)
==> app-staging: Running 'pre-boot' VM customizations...
==> app-staging: Booting VM...
==> app-staging: Waiting for machine to boot. This may take a few minutes...
app-staging: SSH address: 127.0.0.1:2200
app-staging: SSH username: vagrant
app-staging: SSH auth method: private key
==> app-staging: Machine booted and ready!
==> app-staging: Checking for guest additions in VM...
==> app-staging: Setting hostname...
==> app-staging: Configuring and enabling network interfaces...
==> app-staging: Machine not provisioned because `--no-provision` is specified.
+ confirmation_prompt
+ cat
WARNING: Proceeding will destroy all local customizations, including
application configuration, user credentials, Onion URLs, static assets,
VMs, and all git-ignored files. It is NOT possible to undo these changes!
+ read -r -p 'To proceed, type '\''yes'\'': ' user_confirmation
To proceed, type 'yes': yes
+ case "${user_confirmation}" in
+ remove_unwanted_files
+ rm -vf install_files/ansible-base/app-source-ths install_files/ansible-base/app-ssh-aths install_files/ansible-base/app-journalist-aths install_files/ansible-base/mon-ssh-aths 'build/*.deb'
+ rm -rf molecule/upgrade/.molecule/sd-orig molecule/vagrant_packager/.molecule/sd-orig
+ find /home/heartsucker/code/freedomofpress/securedrop -type f -iname '*.pyc' -delete
+ find /home/heartsucker/code/freedomofpress/securedrop -type f -iname '*.retry' -delete
+ rm -rvf securedrop/static/.webassets-cache .venv
+ hash vagrant
+ [[ -d .vagrant/ ]]
+ printf 'Removing vagrant VMs\n'
Removing vagrant VMs
+ vagrant destroy -f
==> app-prod: VM not created. Moving on...
==> mon-prod: VM not created. Moving on...
==> app-staging: Forcing shutdown of VM...
==> app-staging: Destroying VM and associated drives...
==> mon-staging: Forcing shutdown of VM...
==> mon-staging: Destroying VM and associated drives...
Makefile:152: recipe for target 'clean' failed
make: *** [clean] Error 2
There was a problem hiding this comment.
@heartsucker I'm unable to reproduce your results:
$ vagrant up /staging/ --no-provision && make clean
Bringing machine 'mon-staging' up with 'libvirt' provider...
Bringing machine 'app-staging' up with 'libvirt' provider...
==> app-staging: Creating image (snapshot of base box volume).
==> mon-staging: Creating image (snapshot of base box volume).
==> app-staging: Creating domain with the following settings...
==> mon-staging: Creating domain with the following settings...
[...snip...]
WARNING: Proceeding will destroy all local customizations, including
application configuration, user credentials, Onion URLs, static assets,
VMs, and all git-ignored files. It is NOT possible to undo these changes!
To proceed, type 'yes': yes
Removing vagrant VMs
Removing .vagrant/
$ vagrant --version
Vagrant 1.9.1
Out of curiosity, which version of vagrant are you using? I don't mind adding the || you suggest! Just trying to figure out the cause, since if we have divergence, we should probably pin a version of vagrant to support (cf. #3350).
N.B. the vagrant changelog notes that in 2.0.1, the exit code for destroy changed:
commands/destroy: Exit 0 if vagrant destroy finds no running vms [GH-9251]
but that description doesn't match what you're seeing.
There was a problem hiding this comment.
So on vagrant 2.0.1, I saw the same as @heartsucker:
$ make clean
WARNING: Proceeding will destroy all local customizations, including
application configuration, user credentials, Onion URLs, static assets,
VMs, and all git-ignored files. It is NOT possible to undo these changes!
To proceed, type 'yes': yes
Removing vagrant VMs
make: *** [clean] Error 2
Which confused me. So I upgraded to latest vagrant, which should be fine since the changelog indicates the exit codes were fixed after 2.0.2 (which apparently was the version that modified the exit code behavior).
Unfortunately, it turns out that even on latest, if I have a vagrant VM up and i make clean, it will still exit 2, due to the logic here, where vagrant destroy still returns 2 (see the bugfix they applied in 2.0.2 here: https://github.com/hashicorp/vagrant/pull/9251/files which doesn't fix this). I filed hashicorp/vagrant#10024 to figure out if this is a bug or not.
In the meantime, what about removing set -e?
There was a problem hiding this comment.
Great debugging, @redshiftzero ! How frustrating.
In the meantime, what about removing set -e?
I'd vastly prefer @heartsucker's suggestion of || true simply on the vagrant destroy command. Acceptable?
There was a problem hiding this comment.
Honestly, I don't really have any strong feelings about this as long as make clean does not produce an error when:
- No VMs are deleted (@heartsucker's first case)
- One VM is deleted (my case)
The guard proposed would address case one, but produce inaccurate output if the suggested || echo 'No VMs removed.' text is used, so as long as we change that text to be more general I'm cool with it
There was a problem hiding this comment.
Try again, @redshiftzero ? I revised the logic to ignore errors, and made the messaging more general. For me, the following are true:
make cleanwith VMs displays "Removing VMs... done" with no errormake cleanwithout VMs displays nothing, with no error.
Again, I'm on vagrant 1.9.1. If you see different results, happy to investigate further.
There was a problem hiding this comment.
(Verified this behavior in both these cases 👍)
After some spelunking by @redshiftzero, turns out that Vagrant versions vary widely in the status codes reported by the destroy action. Let's simply ignore any errors returned rather than trying to inform the developer exactly what happened based on a specific status code and Vagrant version. The logic here should work equally well across all versions of Vagrant.
Status
Work in progress.
Description of Changes
Fixes #2395. Marking as WIP because I haven't yet confirmed it resolves all the cleanup we want. Special attention should be given to e.g.
git clean -xfor consideration.Changes proposed in this pull request:
Testing
Try running this on your local dev repo, and see what gets removed! Warning: destructive action! rsync the repo elsewhere if you want rollback capability during review.
Deployment
Mostly affects the dev env. Technically admins could run
make cleanand break SSH access to servers—that would be bad. As it stands, they can still manuallyrmimportant files, so I think it's worth the cost to avoid potential problems like #3528.Checklist
If you made changes to the server application code:
make ci-lint) and tests (make -C securedrop test) pass in the development containerIf you made changes to
securedrop-admin:make -C admin test) pass in the admin development containerIf you made changes to the system configuration:
If you made non-trivial code changes:
If you made changes to documentation:
make docs-lint) passed locally