From fddf8f9d5a37b8fc8a2fc0752122358df03c17ae Mon Sep 17 00:00:00 2001
From: "James E. Blair"
Date: Wed, 28 Mar 2018 07:22:36 -0700
Subject: [PATCH] Remove nullwrap config option

In [1] we discussed removing the nullwrap option because it is an
important line of defense in Zuul security. It is also not a
full-featured execution wrapper (it doesn't support secrets).

This removes the configuration option, and the documentation, except
to indicate that bubblewrap is required, and if folks have problems
with it, contact us.

Nullwrap itself is not removed as it may prove useful in the future
and is currently used in the setup phase of the job where we must not
use bubblewrap in order to establish the long-running ssh control
socket server.

[1] http://lists.zuul-ci.org/pipermail/zuul-discuss/2018-March/000072.html

Change-Id: I4abf3e5c4c5726bc06a41b7dc464c3790c3f3730
---
 doc/source/admin/components.rst | 37 +++++++++++----------------------
 zuul/executor/server.py         |  5 +++--
 2 files changed, 15 insertions(+), 27 deletions(-)

diff --git a/doc/source/admin/components.rst b/doc/source/admin/components.rst
index c0c840ea0b..cacacc60a0 100644
--- a/doc/source/admin/components.rst
+++ b/doc/source/admin/components.rst
@@ -399,10 +399,10 @@ playbook is in a config project, the executor runs the playbook in the *trusted* execution context, otherwise, it is run in the *untrusted* execution context. -Both execution contexts use `bubblewrap`_ [#nullwrap]_ to create a -namespace to ensure that playbook executions are isolated and are unable -to access files outside of a restricted environment. The administrator -may configure additional local directories on the executor to be made +Both execution contexts use `bubblewrap`_ [#nullwrap]_ to create a namespace to +ensure that playbook executions are isolated and are unable to access +files outside of a restricted environment. The administrator may +configure additional local directories on the executor to be made available to the restricted environment. The trusted execution context has access to all Ansible features, @@ -423,8 +423,14 @@ files outside of the restricted execution context. These redundant protections are made as part of a defense-in-depth strategy. .. _bubblewrap: https://github.com/projectatomic/bubblewrap -.. [#nullwrap] Unless one has set execution_wrapper to nullwrap in the - executor configuration. + +.. _zuul-discuss: http://lists.zuul-ci.org/cgi-bin/mailman/listinfo/zuul-discuss + +.. [#nullwrap] `bubblewrap` is integral to securely operating Zuul. + If it is difficult for you to use it in your environment, we + encourage you to let us know via the `zuul-discuss`_ mailing + list. + Configuration ~~~~~~~~~~~~~ 
@@ -530,25 +536,6 @@ The following sections of ``zuul.conf`` are used by the executor: List of paths, separated by ``:`` to read-write bind mount into untrusted bubblewrap contexts. - .. attr:: execution_wrapper - :default: bubblewrap - - Name of the execution wrapper to use when executing - `ansible-playbook`. The default, `bubblewrap` is recommended for - all installations. - - There is also a `nullwrap` driver for situations where one wants - to run Zuul without access to bubblewrap or in such a way that - bubblewrap may interfere with the jobs themselves. However, - `nullwrap` is considered unsafe, as `bubblewrap` provides - significant protections against malicious users and accidental - breakage in playbooks. As such, `nullwrap` is not recommended - for use in production. - - This option, and thus, `nullwrap`, may be removed in the future. - `bubblewrap` has become integral to securely operating Zuul. If you - have a valid use case for it, we encourage you to let us know. - .. attr:: load_multiplier :default: 2.5 diff --git a/zuul/executor/server.py b/zuul/executor/server.py index 68c35b4051..4823acf11b 100644 --- a/zuul/executor/server.py +++ b/zuul/executor/server.py @@ -1717,8 +1717,9 @@ class ExecutorServer(object): config, 'merger', 'git_http_low_speed_limit', '1000') self.merge_speed_time = get_default( config, 'merger', 'git_http_low_speed_time', '30') - execution_wrapper_name = get_default(self.config, 'executor', - 'execution_wrapper', 'bubblewrap') + # If the execution driver ever becomes configurable again, + # this is where it would happen. + execution_wrapper_name = 'bubblewrap' load_multiplier = float(get_default(self.config, 'executor', 'load_multiplier', '2.5')) self.max_load_avg = multiprocessing.cpu_count() * load_multiplier
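Review bot: The rewrap of the bubblewrap paragraph in the first components.rst hunk (@@ -399) changes only line breaks, not a single word, so it adds whitespace noise to a patch whose purpose is removing an option; consider dropping that rewrap. The footnote reference on that line also keeps the label [#nullwrap]_ while the footnote text below no longer mentions nullwrap at all; renaming the label (for example to [#bubblewrap]_) in both places would stop future readers looking for a nullwrap note that is not there.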
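Review bot: In the new footnote in the @@ -423 hunk, the word bubblewrap is wrapped in single backticks, which in reStructuredText is interpreted text (the default role renders it as emphasis), whereas the paragraph above uses the trailing-underscore form to link to the ".. _bubblewrap:" target defined two lines earlier. Either make it the same link or mark it as a literal with double backticks so it renders consistently. The new ".. _zuul-discuss:" target does match the "zuul-discuss" reference in the footnote, so that link resolves.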
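Review bot: The @@ -530 hunk deletes the whole execution_wrapper attribute without leaving any trace in the configuration reference that the option existed or that nullwrap can no longer be selected; an operator upgrading with "execution_wrapper = nullwrap" in zuul.conf will find nothing in these docs explaining why the setting stopped having effect. Suggest a short upgrade note (here or in a release note) saying the option was removed and bubblewrap is now mandatory, pointing at the new zuul-discuss footnote for anyone who cannot run it.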
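Review bot: In the zuul/executor/server.py hunk, replacing the get_default(self.config, 'executor', 'execution_wrapper', 'bubblewrap') lookup with the constant 'bubblewrap' means a zuul.conf that still sets execution_wrapper to nullwrap is silently ignored and the executor starts with bubblewrap regardless; on a host without bubblewrap installed that only surfaces later as job failures. Suggest checking at this point whether the [executor] section still contains an execution_wrapper setting and logging a warning (or refusing to start) so the change is visible to operators, and extending the new comment to say that the setting is intentionally no longer read.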