Remove state_dir from setMountsMap

The setMountsMap command required the state_dir argument, presumably
so that the zuul ansible path (ie, our custom modules) is available.

Unfortunately, it set it as a read-write bind, not read-only.  We
certainly don't want jobs (even trusted jobs) modifying the ansible
code that we run.

Switch it to a read-only bind mount.

Also, remove it from special handling inside of the setMountsMap
method and instead, handle it on the executor side for increased
visibility.

Finally, add options to the zuul-bwrap command to set the ro and
rw binds to make interactive testing easier.

Change-Id: I4a0fdae546a2307d78a5c29b5a62a6d223ecb9e9
changes/66/486766/1
James E. Blair 5 years ago
parent e63dcc62a5
commit 69eab24d1d
  1. 8
      zuul/driver/bubblewrap/__init__.py
  2. 7
      zuul/executor/server.py

@ -81,8 +81,8 @@ class BubblewrapDriver(Driver, WrapperInterface):
def stop(self):
pass
def setMountsMap(self, state_dir, ro_dirs=[], rw_dirs=[]):
self.mounts_map = {'ro': ro_dirs, 'rw': [state_dir] + rw_dirs}
def setMountsMap(self, ro_dirs=[], rw_dirs=[]):
self.mounts_map = {'ro': ro_dirs, 'rw': [] + rw_dirs}
def getPopen(self, **kwargs):
# Set zuul_dir if it was not passed in
@ -180,12 +180,16 @@ def main(args=None):
driver = BubblewrapDriver()
parser = argparse.ArgumentParser()
parser.add_argument('--ro-bind', nargs='+')
parser.add_argument('--rw-bind', nargs='+')
parser.add_argument('work_dir')
parser.add_argument('run_args', nargs='+')
cli_args = parser.parse_args()
ssh_auth_sock = os.environ.get('SSH_AUTH_SOCK')
driver.setMountsMap(cli_args.ro_bind, cli_args.rw_bind)
popen = driver.getPopen(work_dir=cli_args.work_dir,
ssh_auth_sock=ssh_auth_sock)
x = popen(cli_args.run_args)
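Review bot: In main(), `--ro-bind` and `--rw-bind` are declared without a default, so argparse leaves them as `None` when they are omitted, and `driver.setMountsMap(cli_args.ro_bind, cli_args.rw_bind)` then evaluates `[] + None`, which raises TypeError. Give both options an empty-list default, e.g. `parser.add_argument('--ro-bind', nargs='+', default=[])` and the same for `--rw-bind`. In setMountsMap itself, `'ro': ro_dirs` stores the caller's list (or the shared `[]` default) by reference while the rw side is copied; `list(ro_dirs)` would make the two consistent and keep later mutation of the caller's list from changing what gets mounted. main() continues past the end of the hunk.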

@ -1370,11 +1370,12 @@ class AnsibleJob(object):
'%s_ro_dirs' % opt_prefix)
rw_dirs = get_default(self.executor_server.config, 'executor',
'%s_rw_dirs' % opt_prefix)
state_dir = get_default(self.executor_server.config, 'executor',
'state_dir', '/var/lib/zuul', expand_user=True)
ro_dirs = ro_dirs.split(":") if ro_dirs else []
rw_dirs = rw_dirs.split(":") if rw_dirs else []
self.executor_server.execution_wrapper.setMountsMap(state_dir, ro_dirs,
ro_dirs.append(self.executor_server.ansible_dir)
self.executor_server.execution_wrapper.setMountsMap(ro_dirs,
rw_dirs)
popen = self.executor_server.execution_wrapper.getPopen(
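Review bot: Appending `self.executor_server.ansible_dir` to `ro_dirs` keeps the Ansible code read-only only if no entry of the operator-configured `rw_dirs` is that directory or a parent of it; nothing in this hunk checks for such an overlap, and the order in which getPopen applies ro and rw binds is not visible here. Consider rejecting that configuration before the setMountsMap call, or at least documenting the constraint next to the append with `# ansible_dir must stay read-only in the sandbox; never list it or a parent in *_rw_dirs`. The `state_dir` lookup just above still appears on this page but is no longer passed to setMountsMap, so if nothing after the hunk uses it, it can be dropped. The enclosing method starts and ends outside the hunk.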
