Drop ambient capabilities when running bwrap

Having ambient capabilities causes bwrap to error on start [1]
unless the bwrap executable also has the setuid bit set or is run as
root.

This can cause issues in openshift or podman unless ambient
capabilities are dropped [2].

[1] - bae85baf72/bubblewrap.c (L742)
[2] - https://github.com/containers/bubblewrap/issues/380

Change-Id: I15455fb400448d7672638f911d6cf045fa683a9b
changes/76/816176/5
Albin Vass 1 month ago
committed by Albin Vass
parent
commit
39305393c0
  1. bindep.txt (3)
  2. zuul/driver/bubblewrap/__init__.py (3)

bindep.txt (3)

@ -61,3 +61,6 @@ coreutils [platform:apk]
openafs-krb5 [platform:debian]
openafs-client [platform:debian]
krb5-user [platform:debian]
setpriv [platform:ubuntu-bionic]
util-linux [platform:apt platform:rpm platform:apk !platform:ubuntu-bionic]
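Review bot: the two new package lines leave no record of why `setpriv` is suddenly a hard dependency, and the split between `setpriv [platform:ubuntu-bionic]` and `util-linux [... !platform:ubuntu-bionic]` is the kind of platform quirk that gets "cleaned up" later by someone who does not know bionic ships setpriv as a separate package; a one-line comment above the pair (bindep.txt accepts `#` comments) pointing at the bubblewrap ambient-capabilities issue cited in the commit message would keep both entries from being removed by mistake. It is also worth confirming that the `platform:apt`/`platform:rpm`/`platform:apk` selectors actually cover every image this driver is built into, since a host where the bindep entry is not installed now fails at bwrap start-up rather than at install time.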

zuul/driver/bubblewrap/__init__.py (3)

@ -172,6 +172,9 @@ class BubblewrapDriver(Driver, WrapperInterface):
def _bwrap_command(self):
bwrap_command = [
'setpriv',
'--ambient-caps',
'-all',
'bwrap',
'--dir', '/tmp',
'--tmpfs', '/tmp',
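Review bot: prepending `'setpriv', '--ambient-caps', '-all'` unconditionally means every platform now needs `setpriv` on `PATH`, including hosts where bwrap already worked because no ambient capabilities were set; if the binary is missing the failure surfaces as an exec error from the wrapper rather than anything that names the real cause. A short comment next to `'setpriv',` citing the bubblewrap issue from the commit message (https://github.com/containers/bubblewrap/issues/380) would explain to future readers why one wrapper is being wrapped in another, and a `shutil.which('setpriv')` check (or equivalent) at driver start with a clear message would turn the missing-dependency case into an actionable error. Note also that `--ambient-caps -all` clears only the ambient set, which is exactly what the cited bwrap check trips on, so the narrow scope is correct; the comment should say so, otherwise a later reader may "improve" it to `--inh-caps -all` or `--bounding-set -all` and change what bwrap itself can do.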
