Add support for bwrap

This will be the minimum "batteries included" bubblwrap driver. It does not do any MAC configuration, since these vary by system. Operators may wish to wrap it further in a MAC wrapper driver. Because we set bubblewrap as the default wrapper, test_playbooks tests it. However, it lacks a negative test, so we won't know if we're not actually containing things. Users who don't have bubblewrap or don't wish to use it can set the untrusted_wrapper to 'nullwrap' which will just execute things as they're done before this change. Change-Id: I84dd7c8cc55d2110b58609784007ffda0d135716 Story: 2000910 Task: 3540 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-04-04 16:20:00 -07:00
parent 50c69d8957
commit 5870ccae62
7 changed files with 294 additions and 1 deletions
--- a/tests/unit/test_bubblewrap.py
+++ b/tests/unit/test_bubblewrap.py
@@ -0,0 +1,54 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import fixtures
+import logging
+import subprocess
+import tempfile
+import testtools
+
+from zuul.driver import bubblewrap
+from zuul.executor.server import SshAgent
+
+
+class TestBubblewrap(testtools.TestCase):
+    def setUp(self):
+        super(TestBubblewrap, self).setUp()
+        self.log_fixture = self.useFixture(
+            fixtures.FakeLogger(level=logging.DEBUG))
+        self.useFixture(fixtures.NestedTempfile())
+
+    def test_bubblewrap_wraps(self):
+        bwrap = bubblewrap.BubblewrapDriver()
+        work_dir = tempfile.mkdtemp()
+        ansible_dir = tempfile.mkdtemp()
+        ssh_agent = SshAgent()
+        self.addCleanup(ssh_agent.stop)
+        ssh_agent.start()
+        po = bwrap.getPopen(work_dir=work_dir,
+                            ansible_dir=ansible_dir,
+                            ssh_auth_sock=ssh_agent.env['SSH_AUTH_SOCK'])
+        self.assertTrue(po.passwd_r > 2)
+        self.assertTrue(po.group_r > 2)
+        self.assertTrue(work_dir in po.command)
+        self.assertTrue(ansible_dir in po.command)
+        # Now run /usr/bin/id to verify passwd/group entries made it in
+        true_proc = po(['/usr/bin/id'], stdout=subprocess.PIPE,
+                       stderr=subprocess.PIPE)
+        (output, errs) = true_proc.communicate()
+        # Make sure it printed things on stdout
+        self.assertTrue(len(output.strip()))
+        # And that it did not print things on stderr
+        self.assertEqual(0, len(errs.strip()))
+        # Make sure the _r's are closed
+        self.assertIsNone(po.passwd_r)
+        self.assertIsNone(po.group_r)