Browse Source

Move tmpdir into work root

Ansible 2.4 changes the way the template module works. It now
processes the template and writes it into a temporary file in a newly
created temporary dir. After that it reuses the copy plugin to copy
this onto the node. This fails for untrusted jobs because the
temporary file is created outside of the work root which fails the
safe path validation of the copy plugin [1].

There are two issues with this behavior. First Ansible doesn't use the
configured local_tmp dir for this temporary file. This can be fixed by
setting the TMP variable.

Second our current local_tmp setting is outside of the work dir so
this needs to be moved into the work dir.

[1] Failed log:
TASK [gitlint : Ensure project has a fallback default config]
node | ERROR
node | {
node |   "msg": "Accessing files from outside the working dir /tmp/54614d6f189a48968648c4e68c05bdba/work is prohibited",
node |   "path": "/tmp/tmpssae4qfb/gitlint.j2"
node | }

Change-Id: Ie2c7518973fc81f51826fa16021b95590e08749e
changes/98/546698/5
Tobias Henkel 3 years ago
parent
commit
2bc13cdfaf
No known key found for this signature in database GPG Key ID: 3750DEC158E5FA2
1 changed files with 9 additions and 2 deletions
  1. +9
    -2
      zuul/executor/server.py

+ 9
- 2
zuul/executor/server.py View File

@ -310,6 +310,7 @@ class JobDir(object):
# <project>
# logs
# job-output.txt
# tmp
# results.json
self.keep = keep
if root:
@ -324,6 +325,12 @@ class JobDir(object):
os.makedirs(self.src_root)
self.log_root = os.path.join(self.work_root, 'logs')
os.makedirs(self.log_root)
# Create local tmp directory
# NOTE(tobiash): This must live within the work root as it can be used
# by ansible for temporary files which are path checked in untrusted
# jobs.
self.local_tmp = os.path.join(self.work_root, 'tmp')
os.makedirs(self.local_tmp)
self.ansible_root = os.path.join(self.root, 'ansible')
os.makedirs(self.ansible_root)
self.trusted_root = os.path.join(self.root, 'trusted')
@ -1261,8 +1268,7 @@ class AnsibleJob(object):
with open(jobdir_playbook.ansible_config, 'w') as config:
config.write('[defaults]\n')
config.write('inventory = %s\n' % self.jobdir.inventory)
config.write('local_tmp = %s/local_tmp\n' %
self.jobdir.ansible_cache_root)
config.write('local_tmp = %s\n' % self.jobdir.local_tmp)
config.write('retry_files_enabled = False\n')
config.write('gathering = smart\n')
config.write('fact_caching = jsonfile\n')
@ -1345,6 +1351,7 @@ class AnsibleJob(object):
env_copy['ARA_LOG_CONFIG'] = self.jobdir.logging_json
env_copy['ZUUL_JOB_LOG_CONFIG'] = self.jobdir.logging_json
env_copy['ZUUL_JOBDIR'] = self.jobdir.root
env_copy['TMP'] = self.jobdir.local_tmp
pythonpath = env_copy.get('PYTHONPATH')
if pythonpath:
pythonpath = [pythonpath]


Loading…
Cancel
Save