Remove nullwrap config option

In [1] we discussed removing the nullwrap option because it is an
important line of defense in Zuul security.  It is also not a
full-featured execution wrapper (it doesn't support secrets).

This removes the configuration option, and the documentation, except
to indicate that bubblewrap is required, and if folks have problems
with it, contact us.

Nullwrap itself is not removed as it may prove useful in the future
and is currently used in the setup phase of the job where we must
not use bubblewrap in order to establish the long-running ssh control
socket server.

[1] http://lists.zuul-ci.org/pipermail/zuul-discuss/2018-March/000072.html

Change-Id: I4abf3e5c4c5726bc06a41b7dc464c3790c3f3730
changes/50/557350/1
James E. Blair 3 years ago
parent
commit
fddf8f9d5a
2 changed files with 15 additions and 27 deletions
  1. doc/source/admin/components.rst (+12 -25)
  2. zuul/executor/server.py (+3 -2)

doc/source/admin/components.rst (+12 -25)

@ -399,10 +399,10 @@ playbook is in a config project, the executor runs the playbook in the
*trusted* execution context, otherwise, it is run in the *untrusted*
execution context.
Both execution contexts use `bubblewrap`_ [#nullwrap]_ to create a
namespace to ensure that playbook executions are isolated and are unable
to access files outside of a restricted environment. The administrator
may configure additional local directories on the executor to be made
Both execution contexts use `bubblewrap`_ [#nullwrap]_ to create a namespace to
ensure that playbook executions are isolated and are unable to access
files outside of a restricted environment. The administrator may
configure additional local directories on the executor to be made
available to the restricted environment.
The trusted execution context has access to all Ansible features,
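
Review bot: The "Both execution contexts use" paragraph in this hunk is only re-wrapped; the old and new text are word for word the same, so the diff carries four changed lines with no content change. The sentence also keeps the `[#nullwrap]_` marker. Either drop the reflow from the patch, or use the edit to rename the marker so it matches what the footnote now says.
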
@ -423,8 +423,14 @@ files outside of the restricted execution context. These redundant
protections are made as part of a defense-in-depth strategy.
.. _bubblewrap: https://github.com/projectatomic/bubblewrap
.. [#nullwrap] Unless one has set execution_wrapper to nullwrap in the
executor configuration.
.. _zuul-discuss: http://lists.zuul-ci.org/cgi-bin/mailman/listinfo/zuul-discuss
.. [#nullwrap] `bubblewrap` is integral to securely operating Zuul.
If it is difficult for you to use it in your environment, we
encourage you to let us know via the `zuul-discuss`_ mailing
list.
Configuration
~~~~~~~~~~~~~
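
Review bot: The footnote in this hunk is still labelled `[#nullwrap]` although its new text no longer mentions nullwrap, so the label names an option the documentation has stopped describing; rename it, together with the reference in the paragraph above, to something like `[#bubblewrap]`. In the same footnote, `bubblewrap` in single backticks is RST interpreted text rather than an inline literal; use double backticks or the existing `bubblewrap`_ link target.
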
@ -530,25 +536,6 @@ The following sections of ``zuul.conf`` are used by the executor:
List of paths, separated by ``:`` to read-write bind mount into
untrusted bubblewrap contexts.
.. attr:: execution_wrapper
:default: bubblewrap
Name of the execution wrapper to use when executing
`ansible-playbook`. The default, `bubblewrap` is recommended for
all installations.
There is also a `nullwrap` driver for situations where one wants
to run Zuul without access to bubblewrap or in such a way that
bubblewrap may interfere with the jobs themselves. However,
`nullwrap` is considered unsafe, as `bubblewrap` provides
significant protections against malicious users and accidental
breakage in playbooks. As such, `nullwrap` is not recommended
for use in production.
This option, and thus, `nullwrap`, may be removed in the future.
`bubblewrap` has become integral to securely operating Zuul. If you
have a valid use case for it, we encourage you to let us know.
.. attr:: load_multiplier
:default: 2.5
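
Review bot: The `execution_wrapper` entry is deleted from the configuration reference with nothing left to tell an operator who already has `execution_wrapper = nullwrap` in `zuul.conf` that the setting no longer has any effect. The change touches only two files and neither is a release note; add an upgrade note stating that the option is removed and that bubblewrap is now required on executors.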


zuul/executor/server.py (+3 -2)

@ -1717,8 +1717,9 @@ class ExecutorServer(object):
config, 'merger', 'git_http_low_speed_limit', '1000')
self.merge_speed_time = get_default(
config, 'merger', 'git_http_low_speed_time', '30')
execution_wrapper_name = get_default(self.config, 'executor',
'execution_wrapper', 'bubblewrap')
# If the execution driver ever becomes configurable again,
# this is where it would happen.
execution_wrapper_name = 'bubblewrap'
load_multiplier = float(get_default(self.config, 'executor',
'load_multiplier', '2.5'))
self.max_load_avg = multiprocessing.cpu_count() * load_multiplier
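
Review bot: With `execution_wrapper_name = 'bubblewrap'` hard-coded, a leftover `execution_wrapper` value in the `executor` section is ignored without any message. Check for the option at this point and log a warning (or refuse to start) when it is present, so a deployment that relied on nullwrap learns why its jobs now run under bubblewrap. The new comment could also state why the driver is fixed, for example by pointing at the mailing-list thread cited in the commit message.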

