Gitiles
Code Review Sign In
gerrit.cesnet.cz / github / openstack-infra / zuul / 69eab24d1d2f80bed3a804c45eee986be3bf994a^! / .
commit69eab24d1d2f80bed3a804c45eee986be3bf994a[log] [tgz]
authorJames E. Blair <jeblair@redhat.com>Mon Jul 24 14:37:43 2017 -0700
committerJames E. Blair <jeblair@redhat.com>Mon Jul 24 14:45:31 2017 -0700
tree973ca7172439130c0597533c97365df8969efbc5
parente63dcc62a5a791fa5a50fffab93cf673131ead21 [diff]
Remove state_dir from setMountsMap

The setMountsMap command required the state_dir argument, presumably
so that the zuul ansible path (ie, our custom modules) is available.

Unfortunately, it set it as a read-write bind, not read-only.  We
certainly don't want jobs (even trusted jobs) modifying the ansible
code that we run.

Switch it to a read-only bind mount.

Also, remove it from special handling inside of the setMountsMap
method and instead, handle it on the executor site for increased
visibility.

Finally, add options to the zuul-bwrap command to set the ro and
rw binds to make interactive testing easier.

Change-Id: I4a0fdae546a2307d78a5c29b5a62a6d223ecb9e9

diff --git a/zuul/driver/bubblewrap/__init__.py b/zuul/driver/bubblewrap/__init__.py
index 3609a71..ee81bb1 100644
--- a/zuul/driver/bubblewrap/__init__.py
+++ b/zuul/driver/bubblewrap/__init__.py

@@ -81,8 +81,8 @@
     def stop(self):
         pass
 
-    def setMountsMap(self, state_dir, ro_dirs=[], rw_dirs=[]):
-        self.mounts_map = {'ro': ro_dirs, 'rw': [state_dir] + rw_dirs}
+    def setMountsMap(self, ro_dirs=[], rw_dirs=[]):
+        self.mounts_map = {'ro': ro_dirs, 'rw': [] + rw_dirs}
 
     def getPopen(self, **kwargs):
         # Set zuul_dir if it was not passed in
@@ -180,12 +180,16 @@
     driver = BubblewrapDriver()
 
     parser = argparse.ArgumentParser()
+    parser.add_argument('--ro-bind', nargs='+')
+    parser.add_argument('--rw-bind', nargs='+')
     parser.add_argument('work_dir')
     parser.add_argument('run_args', nargs='+')
     cli_args = parser.parse_args()
 
     ssh_auth_sock = os.environ.get('SSH_AUTH_SOCK')
 
+    driver.setMountsMap(cli_args.ro_bind, cli_args.rw_bind)
+
     popen = driver.getPopen(work_dir=cli_args.work_dir,
                             ssh_auth_sock=ssh_auth_sock)
     x = popen(cli_args.run_args)

diff --git a/zuul/executor/server.py b/zuul/executor/server.py
index ef5363c..9a07b5a 100644
--- a/zuul/executor/server.py
+++ b/zuul/executor/server.py

@@ -1370,11 +1370,12 @@
                               '%s_ro_dirs' % opt_prefix)
         rw_dirs = get_default(self.executor_server.config, 'executor',
                               '%s_rw_dirs' % opt_prefix)
-        state_dir = get_default(self.executor_server.config, 'executor',
-                                'state_dir', '/var/lib/zuul', expand_user=True)
         ro_dirs = ro_dirs.split(":") if ro_dirs else []
         rw_dirs = rw_dirs.split(":") if rw_dirs else []
-        self.executor_server.execution_wrapper.setMountsMap(state_dir, ro_dirs,
+
+        ro_dirs.append(self.executor_server.ansible_dir)
+
+        self.executor_server.execution_wrapper.setMountsMap(ro_dirs,
                                                             rw_dirs)
 
         popen = self.executor_server.execution_wrapper.getPopen(