3f01dc11f7
Complete a lingering TODO in run-buildset-registry to use a less guessable password for the intermediate registry service. Timestamps (even with microsecond precision and even running through a hash algorithm) are inherently guessable. Someone watching a console stream of the job could probably narrow down the time that task ran to at least second precision, which then requires at most a million guesses to be able to pollute or otherwise compromise the content jobs are relying on. With reasonable network access and a typical personal computer this is a rather small work factor to overcome. Luckily, the Ansible community maintains an in-tree lookup plugin[*] for strong password generation. Its default is 20 mixed-case letters, numbers and punctuation, so the same length as the truncated hash we're replacing. [*] https://docs.ansible.com/ansible/latest/plugins/lookup/password.html Depends-On: https://review.opendev.org/662870 Change-Id: I66e60f767328cc3af540ec4b755121da989b5e56 |
||
---|---|---|
doc | ||
playbooks | ||
roles | ||
test-playbooks/registry | ||
tests | ||
tools | ||
.gitignore | ||
.gitreview | ||
.stestr.conf | ||
LICENSE | ||
README.rst | ||
bindep.txt | ||
setup.cfg | ||
setup.py | ||
test-requirements.txt | ||
tox.ini | ||
zuul.yaml |
README.rst
Zuul Jobs
This repo contains a set of Zuul jobs and Ansible roles suitable for use by any Zuul system.