zuul/zuul/executor
Tobias Henkel bf4e9893d0
Block localhost shell tasks in untrusted playbooks
Zuul was designed to block local code execution in untrusted
environments to not only rely on bwrap to contain a job. This got
broken since the creation of a command plugin that injects the
zuul_job_id which is required for log streaming. However this plugin
doesn't do a check if the task is a localhost task. Further it is
required in trusted and untrusted environments due to log
streaming. Thus we need to fork this plugin and restrict the variant
that is used in untrusted environments.

We do this by moving actiongeneral/command.py back to action/*. We
further introduce a new catecory actiontrusted which gets the
unrestricted version of this plugin.

Change-Id: If81cc46bcae466f4c071badf09a8a88469ae6779
Story: 2007935
Task: 40391
2020-07-21 19:18:10 +02:00
..
sensors Enable starting executors in paused mode 2019-11-04 13:13:38 +01:00
__init__.py Rename zuul-launcher to zuul-executor 2017-03-15 12:21:24 -04:00
client.py Report retried builds in a build set via mqtt. 2020-04-09 11:57:29 +02:00
server.py Block localhost shell tasks in untrusted playbooks 2020-07-21 19:18:10 +02:00