Add proc to bubblewrap

And set the AFS PAG.

We would like to use AFS within our playbooks (generally in trusted
jobs on the executor).  Ideally, such usage should be, like everything
else in bubblewrap, completely separate from any other processes.
However, by default OpenAFS stores authentication credentials by UID,
meaning that once any process obtained tokens, any other process on
the executor would be able to use them.

Fortunately, the concept of a PAG (process authentication group) helps
us out here.  That scopes tokens to a single process and its children.

Normally this is done by PAM when a user logs in, but there is an ioctl
that we can use to request a new PAG at any time.  It is this method that
we use to ensure each Ansible process runs in its own PAG.

When a new PAG is created, it is actually bound to the *thread* that
created it.  Because of this, we don't need to be concerned with thread
synchronization around PAG creation.  This is useful in the executor which
has potentially hundreds of threads in various stages of preparing to
execute a subprocess.  It is sufficient to request the new PAG at any time
before the Popen call, and that thread will use it during the next
invocation.

The --proc argument is added to the bubblewrap invocation in order to
permit aklog to run (it needs to access /proc/fs/openafs/afs_ioctl
in order to store the tokens).

Change-Id: I2687629f964af11c9da261875f2ec735082b8836
1 file changed
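
The PAG request described in the commit message, written out in Python as an added example; it is not the code from this change. The `AFSCALL_SETPAG` value, the `VIOC_SYSCALL` encoding and the `afsprocdata` field order are assumptions based on the OpenAFS headers and should be checked against the installed version; `request_new_pag` and `run_isolated` are hypothetical names.

```python
import ctypes
import fcntl
import os
import subprocess

AFS_IOCTL_PATH = "/proc/fs/openafs/afs_ioctl"  # path named in the commit message
AFSCALL_SETPAG = 21  # assumption: syscall number from the OpenAFS headers


class AfsProcData(ctypes.Structure):
    # Assumption: field order of OpenAFS's struct afsprocdata.
    _fields_ = [(name, ctypes.c_long) for name in
                ("param4", "param3", "param2", "param1", "syscall")]


def iow(type_char, nr, size):
    """Linux _IOW() encoding as used on x86 and arm (other arches differ)."""
    return (1 << 30) | (size << 16) | (ord(type_char) << 8) | nr


# Assumption: VIOC_SYSCALL is _IOW('C', 1, void *) in the OpenAFS headers.
VIOC_SYSCALL = iow("C", 1, ctypes.sizeof(ctypes.c_void_p))


def request_new_pag(path=AFS_IOCTL_PATH):
    """Ask the AFS kernel module for a new PAG for the calling thread.

    Returns False when the AFS ioctl file is absent or the request fails,
    so the caller can decide whether to run without token isolation.
    """
    try:
        fd = os.open(path, os.O_RDONLY)
    except OSError:
        return False
    try:
        fcntl.ioctl(fd, VIOC_SYSCALL, AfsProcData(syscall=AFSCALL_SETPAG))
        return True
    except OSError:
        return False
    finally:
        os.close(fd)


def run_isolated(argv, path=AFS_IOCTL_PATH):
    """Request the PAG on this thread, then spawn; the child inherits it."""
    in_pag = request_new_pag(path)
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE)
    out, _ = proc.communicate()
    return in_pag, proc.returncode, out
```

A caller that must not leak tokens between jobs should treat a `False` first element as a reason to refuse to run `aklog` in that job.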