We recently began altering the mount map used by the wrapper driver
for each execution run (so that we can only include the current
playbook). However, the setMountsMap method operates on the global
driver object rather than an object more closely bound to the lifetime
of the playbook run. The fact that this works at all is just luck
(executing process is slow enough that hitting a race condition where
the wrong directories are mounted is unlikely).
To correct this, add a new layer which contains the context for the
current playbook execution.

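An added example, not Zuul's code, showing the lifetime problem the commit message above describes: a mount map set on the shared driver object can be overwritten by a second run before the first run reads it, so the wrong directories get mounted, while a per-run execution context cannot be. The `setMountsMap` name comes from the message; every other class, function and path below is hypothetical.

```python
# Added example (not Zuul's code): why a mount map set on a shared driver
# object races between concurrent playbook runs, and how binding it to a
# per-run execution context removes the race. Class and method names are
# hypothetical except setMountsMap, which the commit message names.
import threading


class SharedDriver:
    """Pre-change shape: one driver instance, one mutable mount map."""

    def __init__(self):
        self._mounts = {"ro": [], "rw": []}

    def setMountsMap(self, ro_dirs, rw_dirs):
        self._mounts = {"ro": list(ro_dirs), "rw": list(rw_dirs)}

    def getMounts(self):
        return {"ro": list(self._mounts["ro"]), "rw": list(self._mounts["rw"])}


class ExecutionContext:
    """Per-run object: the mount map lives and dies with the playbook run."""

    def __init__(self, ro_dirs, rw_dirs):
        self._mounts = {"ro": tuple(ro_dirs), "rw": tuple(rw_dirs)}

    def getMounts(self):
        return {"ro": list(self._mounts["ro"]), "rw": list(self._mounts["rw"])}


class ContextDriver:
    """Post-change shape: the driver holds no per-run state at all."""

    def getExecutionContext(self, ro_dirs, rw_dirs):
        return ExecutionContext(ro_dirs, rw_dirs)


def playbook_dir(name):
    # Constructed path; the real on-disk layout is not part of this example.
    return f"/var/lib/zuul/playbooks/{name}"


def _run_all(names, target):
    threads = [threading.Thread(target=target, args=(n,)) for n in names]
    for t in threads:
        t.start()
    for t in threads:
        t.join()


def run_shared_concurrently(driver, names):
    """Each run calls setMountsMap, then every run waits before reading.

    The barrier makes the unlucky interleaving deterministic instead of
    relying on process start-up being slow. Returns {run name: ro dir seen}.
    """
    barrier = threading.Barrier(len(names))
    seen = {}

    def run(name):
        driver.setMountsMap([playbook_dir(name)], [])
        barrier.wait()  # all runs have set the global map before any reads it
        seen[name] = driver.getMounts()["ro"][0]

    _run_all(names, run)
    return seen


def run_context_concurrently(driver, names):
    """Same interleaving, but each run reads from its own context object."""
    barrier = threading.Barrier(len(names))
    seen = {}

    def run(name):
        ctx = driver.getExecutionContext([playbook_dir(name)], [])
        barrier.wait()
        seen[name] = ctx.getMounts()["ro"][0]

    _run_all(names, run)
    return seen


def wrong_mounts(seen):
    """Names of runs that would have been given another run's directory."""
    return sorted(n for n, d in seen.items() if d != playbook_dir(n))


if __name__ == "__main__":
    names = ["playbook-a", "playbook-b", "playbook-c"]
    print("shared driver, wrong:", wrong_mounts(run_shared_concurrently(SharedDriver(), names)))
    print("per-run context, wrong:", wrong_mounts(run_context_concurrently(ContextDriver(), names)))
```

With the shared driver every run reads whichever map was set last, so with three runs two of them are handed another playbook's directory; with the per-run context none are. The barrier only forces the interleaving that the message says process start-up normally makes unlikely.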
We've seen this test return a false positive, presumably because
the sleep process is not immediately reaped by the bubblewrap
pid 1 process. To compensate, sleep for much longer (60s), and
give bwrap 30 seconds to actually terminate the sleep. As long
as we verify the sleep ends early, this test should be valid.

This change renames untrusted_wrapper to execution_wrapper and uses
bubblewrap for both trusted and untrusted playbooks by default.
This change adds new options to the zuul.conf executor section to let
operators define what directories to mount ro or rw for both contexts:
* trusted_ro_dirs/trusted_rw_dirs, and

This will be the minimum "batteries included" bubblewrap driver. It does
not do any MAC configuration, since these vary by system. Operators
may wish to wrap it further in a MAC wrapper driver.
Because we set bubblewrap as the default wrapper, test_playbooks tests
it. However, it lacks a negative test, so we won't know if we're not
actually containing things.
Users who don't have bubblewrap or don't wish to use it can set the
untrusted_wrapper to 'nullwrap' which will just execute things as
they're done before this change.
Signed-off-by: Paul Belanger <email@example.com>
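An added example, not Zuul's code, covering the two operator-facing pieces from the messages above: reading `trusted_ro_dirs`/`trusted_rw_dirs` from the zuul.conf executor section and turning them into a bubblewrap command line, with `nullwrap` as the pass-through that runs the command exactly as before. Assumptions that are mine rather than the project's: the option values are colon-separated like PATH, the option selecting the wrapper is spelled `execution_wrapper` after the rename, the base set of read-only binds is a minimal illustration, and the validation rules are what I would want before handing a directory list to bwrap. The bwrap flags used (`--ro-bind`, `--bind`, `--unshare-all`, `--share-net`, `--die-with-parent`, `--proc`, `--dev`, `--tmpfs`, `--chdir`) are real; the command line is built but not executed, so the example runs without bwrap installed.

```python
# Added example (not Zuul's code): read trusted_ro_dirs/trusted_rw_dirs and
# build a wrapper command line, choosing bubblewrap or the nullwrap
# pass-through. Option separator, option name execution_wrapper, the base
# bind set and the validation rules are my assumptions, not Zuul's.
import configparser
import os.path

# Constructed zuul.conf fragment for the example.
SAMPLE_CONF = """
[executor]
execution_wrapper = bubblewrap
trusted_ro_dirs = /etc/ssl/certs:/opt/zuul/trusted-scripts
trusted_rw_dirs = /var/cache/zuul/trusted
"""

# Directories that must never be offered read-write to a playbook.
FORBIDDEN_RW = ("/", "/proc", "/sys", "/dev", "/usr", "/etc", "/bin", "/lib", "/lib64")


def split_dirs(value):
    """Split a colon-separated option value, dropping empty entries."""
    return [d for d in value.split(":") if d]


def validate_dirs(ro_dirs, rw_dirs):
    """Reject entries that would silently widen the sandbox."""
    for d in ro_dirs + rw_dirs:
        if not os.path.isabs(d) or os.path.normpath(d) != d:
            raise ValueError(f"mount path must be absolute and normalised: {d!r}")
    for d in rw_dirs:
        if d in FORBIDDEN_RW:
            raise ValueError(f"refusing read-write bind of {d!r}")
        if d in ro_dirs:
            raise ValueError(f"{d!r} listed both read-only and read-write")


def load_executor_config(text):
    """Parse the [executor] section; bubblewrap is the default wrapper."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sec = cp["executor"]
    ro = split_dirs(sec.get("trusted_ro_dirs", ""))
    rw = split_dirs(sec.get("trusted_rw_dirs", ""))
    validate_dirs(ro, rw)
    return {"wrapper": sec.get("execution_wrapper", "bubblewrap"),
            "trusted_ro": ro, "trusted_rw": rw}


def bubblewrap_argv(work_dir, ro_dirs, rw_dirs, command):
    """bwrap command line: read-only base system, then the operator's dirs."""
    argv = ["bwrap", "--unshare-all", "--share-net", "--die-with-parent",
            "--proc", "/proc", "--dev", "/dev", "--tmpfs", "/tmp"]
    for base in ("/usr", "/etc", "/bin", "/lib", "/lib64"):
        argv += ["--ro-bind", base, base]
    argv += ["--bind", work_dir, work_dir, "--chdir", work_dir]
    for d in ro_dirs:
        argv += ["--ro-bind", d, d]
    for d in rw_dirs:  # later binds win in bwrap, so rw dirs go last
        argv += ["--bind", d, d]
    return argv + ["--"] + list(command)


def nullwrap_argv(work_dir, ro_dirs, rw_dirs, command):
    """No containment: run the command exactly as it was run before."""
    return list(command)


WRAPPERS = {"bubblewrap": bubblewrap_argv, "nullwrap": nullwrap_argv}


def build_command(config, work_dir, command):
    """Pick the configured wrapper and produce the final argv."""
    try:
        wrapper = WRAPPERS[config["wrapper"]]
    except KeyError:
        raise ValueError(f"unknown execution_wrapper {config['wrapper']!r}") from None
    return wrapper(work_dir, config["trusted_ro"], config["trusted_rw"], command)


if __name__ == "__main__":
    cfg = load_executor_config(SAMPLE_CONF)
    print(" ".join(build_command(cfg, "/var/lib/zuul/builds/example",
                                 ["ansible-playbook", "site.yaml"])))
```

Ordering matters in bwrap because a later bind replaces an earlier one at the same mount point, so the read-write directories are appended after every read-only bind; the validation refuses a read-write bind of the base system and a directory listed in both lists, which are the two mistakes most likely to leave a "contained" playbook with write access it should not have.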