Document execution_wrapper setting.
Previously this setting, and the nullwrap/bubblewrap driver difference, were undocumented. Change-Id: I10a283dee44012f6697ddba0c3bd99b3993b1606
This commit is contained in:
Clint Byrum
parent
81433b795a
commit
48b5a674dc
|
|
@ -311,10 +311,10 @@ playbook is in a config project, the executor runs the playbook in the
|
||||||
*trusted* execution context, otherwise, it is run in the *untrusted*
|
*trusted* execution context, otherwise, it is run in the *untrusted*
|
||||||
execution context.
|
execution context.
|
||||||
|
|
||||||
Both execution contexts use `bubblewrap`_ to create a namespace to
|
Both execution contexts use `bubblewrap`_ [#nullwrap]_ to create a
|
||||||
ensure that playbook executions are isolated and are unable to access
|
namespace to ensure that playbook executions are isolated and are unable
|
||||||
files outside of a restricted environment. The administrator may
|
to access files outside of a restricted environment. The administrator
|
||||||
configure additional local directories on the executor to be made
|
may configure additional local directories on the executor to be made
|
||||||
available to the restricted environment.
|
available to the restricted environment.
|
||||||
|
|
||||||
The trusted execution context has access to all Ansible features,
|
The trusted execution context has access to all Ansible features,
|
||||||
|
|
@ -335,6 +335,8 @@ files outside of the restricted execution context. These redundant
|
||||||
protections are made as part of a defense-in-depth strategy.
|
protections are made as part of a defense-in-depth strategy.
|
||||||
|
|
||||||
.. _bubblewrap: https://github.com/projectatomic/bubblewrap
|
.. _bubblewrap: https://github.com/projectatomic/bubblewrap
|
||||||
|
.. [#nullwrap] Unless one has set execution_wrapper to nullwrap in the
|
||||||
|
executor configuration.
|
||||||
|
|
||||||
Configuration
|
Configuration
|
||||||
~~~~~~~~~~~~~
|
~~~~~~~~~~~~~
|
||||||
|
|
@ -437,6 +439,25 @@ The following sections of ``zuul.conf`` are used by the executor:
|
||||||
List of paths, separated by ``:`` to read-write bind mount into
|
List of paths, separated by ``:`` to read-write bind mount into
|
||||||
untrusted bubblewrap contexts.
|
untrusted bubblewrap contexts.
|
||||||
|
|
||||||
|
.. attr:: execution_wrapper
|
||||||
|
:default: bubblewrap
|
||||||
|
|
||||||
|
Name of the execution wrapper to use when executing
|
||||||
|
`ansible-playbook`. The default, `bubblewrap` is recommended for
|
||||||
|
all installations.
|
||||||
|
|
||||||
|
There is also a `nullwrap` driver for situations where one wants
|
||||||
|
to run Zuul without access to bubblewrap or in such a way that
|
||||||
|
bubblewrap may interfere with the jobs themselves. However,
|
||||||
|
`nullwrap` is considered unsafe, as `bubblewrap` provides
|
||||||
|
significant protections against malicious users and accidental
|
||||||
|
breakage in playbooks. As such, `nullwrap` is not recommended
|
||||||
|
for use in production.
|
||||||
|
|
||||||
|
This option, and thus, `nullwrap`, may be removed in the future.
|
||||||
|
`bubblewrap` has become integral to securely operating Zuul. If you
|
||||||
|
have a valid use case for it, we encourage you to let us know.
|
||||||
|
|
||||||
.. attr:: merger
|
.. attr:: merger
|
||||||
|
|
||||||
.. attr:: git_user_email
|
.. attr:: git_user_email
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue