On 2022-04-04 15:58:19 +0300 (+0300), Marios Andreou wrote: [...]
> from a quick skim it doesn't appear to be completely unrestricted but will allow you to add some files/roles/collections into a special ("bubblewrap") env? adding to reading list for more careful scanning later ;)
Currently, the Zuul executors run Ansible in per-build containers in order to provide some separation so that jobs hopefully won't interfere with one another. In addition, Zuul uses a forked copy of Ansible's stdlib in order to prevent "unsafe" modules from being called in that container, or to remove "unsafe" features from some allowed modules. What the spec proposes, in summary, is to drop that separate fork we're maintaining of the Ansible stdlib, and just allow jobs to call any module within the existing container on the executor.
-- 
Jeremy Stanley
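To make the "block unsafe modules on the executor" mechanism concrete, here is an added example of a static deny-list check over a playbook. It is not Zuul's code and does not reproduce Zuul's forked stdlib or its actual module policy; the deny list, the keyword table and the sample playbook are all constructed for illustration. It assumes the playbook has already been loaded into Python lists and dicts (as PyYAML or json would produce) and treats a task as running on the executor when its play targets localhost, it is delegated to localhost, or it uses the `local_action` form.

```python
# Added example (not Zuul's code): flag tasks that would run a deny-listed
# module on the executor itself, i.e. on localhost.

from typing import Iterator, List, Tuple

# Hypothetical deny list for illustration; Zuul's real policy differs.
UNSAFE_MODULES = {"command", "shell", "raw", "script", "pip", "git"}

# Task keywords that are never module names (abbreviated, illustrative).
TASK_KEYWORDS = {
    "name", "when", "loop", "with_items", "register", "become", "become_user",
    "delegate_to", "delegate_facts", "vars", "tags", "args", "ignore_errors",
    "changed_when", "failed_when", "until", "retries", "delay", "environment",
    "no_log", "run_once", "notify", "block", "rescue", "always",
    "any_errors_fatal", "local_action", "action",
}

LOCALHOST_NAMES = {"localhost", "127.0.0.1", "::1"}


def short_name(module: str) -> str:
    """Strip collection prefixes: 'ansible.builtin.shell' -> 'shell'."""
    return module.rsplit(".", 1)[-1]


def module_of(task: dict) -> Tuple[str, bool]:
    """Return (module name, True if the task itself forces local execution)."""
    for key, forces_local in (("local_action", True), ("action", False)):
        if key in task:
            act = task[key]
            name = act.split()[0] if isinstance(act, str) else act["module"]
            return short_name(name), forces_local
    for key in task:
        if key not in TASK_KEYWORDS:
            return short_name(key), False
    return "", False


def iter_tasks(tasks: list, inherited_local: bool) -> Iterator[Tuple[dict, bool]]:
    """Yield (task, runs_on_executor) for every leaf task, descending into blocks."""
    for task in tasks:
        local = inherited_local or str(task.get("delegate_to", "")) in LOCALHOST_NAMES
        if "block" in task:
            for section in ("block", "rescue", "always"):
                yield from iter_tasks(task.get(section, []), local)
        else:
            yield task, local


def find_unsafe(playbook: list) -> List[Tuple[str, str, str]]:
    """Return (play name, task name, module) for deny-listed modules on the executor."""
    findings = []
    for play in playbook:
        hosts = play.get("hosts", [])
        hosts = hosts if isinstance(hosts, list) else [hosts]
        play_local = bool(hosts) and all(h in LOCALHOST_NAMES for h in hosts)
        for section in ("pre_tasks", "tasks", "post_tasks", "handlers"):
            for task, local in iter_tasks(play.get(section, []), play_local):
                module, task_local = module_of(task)
                if module in UNSAFE_MODULES and (local or task_local):
                    findings.append((play.get("name", ""), task.get("name", ""), module))
    return findings


# Constructed sample playbook (already parsed), not from any real job.
SAMPLE_PLAYBOOK = [
    {
        "name": "on the executor",
        "hosts": "localhost",
        "tasks": [
            {"name": "ok", "ansible.builtin.debug": {"msg": "hello"}},
            {"name": "bad", "ansible.builtin.shell": "id"},
        ],
    },
    {
        "name": "on the nodes",
        "hosts": "all",
        "tasks": [
            {"name": "fine on a node", "shell": "make test"},
            {"name": "delegated", "command": "id", "delegate_to": "localhost"},
            {"name": "local_action form", "local_action": "shell id"},
            {"delegate_to": "localhost", "block": [{"name": "in block", "raw": "id"}]},
        ],
    },
]

if __name__ == "__main__":
    for play, task, module in find_unsafe(SAMPLE_PLAYBOOK):
        print(f"{play}: task '{task}' runs '{module}' on the executor")
```

A check like this is a lint, not a security boundary: it only sees the playbook it is handed, so tasks pulled in at runtime (`include_tasks`, roles fetched during the job) or a module name built from a template escape it. That is the difference between gating modules in a forked stdlib, which Ansible enforces as it executes, and a static scan, and it is why the container around the executor's Ansible process carries the real isolation whichever way the spec goes.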