[openstack-dev] Zuul v3 - What's Coming: What to expect with the Zuul v3 Rollout
James E. Blair
corvus at inaugust.com
Fri Mar 3 15:30:55 UTC 2017
"bogdando at mail.ru" <bogdando at mail.ru> writes:
> That's great news! In-repo configs will speed up development for teams,
> with a security caveat for the infrastructure team to keep in mind. The
> ansible runner CI node which runs playbooks for defined jobs should not
> contain sensitive information, like keys and secrets in files or
> exported env vars, unless they are one-time or limited in time. The
> same applies to the nodepool nodes allocated for a particular CI test
> run. Otherwise, a malformed patch could make ansible cat/echo all of
> the secrets to the publicly available build logs.
Indeed that is a risk. To mitigate that, we are building a restricted
execution environment for Ansible so that jobs defined in-repo will only
be allowed to access a per-job staging area on the runner. And we also
plan on running that in a chrooted container.
These protections are not complete yet, which is why our test instance
at the moment is very limited in scope.
-Jim
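One way to enforce the per-job staging area described in the reply above, as an added illustration written for this page rather than Zuul's own code: the check resolves symlinks before comparing paths, because a plain string-prefix comparison is fooled both by a symlink planted inside the staging area and by a sibling directory that merely shares the prefix. The function names (`is_within_staging`, `demo`) and the throwaway directory layout are assumptions constructed for the example.

```python
"""Illustrative per-job staging-area path confinement check (not Zuul's code)."""
import os
import tempfile


def is_within_staging(staging_root: str, requested: str) -> bool:
    """Return True only if `requested` resolves inside `staging_root`.

    Containment is checked after symlink resolution (os.path.realpath), so a
    symlink placed in the staging area that points at a credentials file
    elsewhere on the runner is rejected, as are '..' traversal and an
    absolute path outside the staging area.
    """
    root = os.path.realpath(staging_root)
    # Relative paths are taken relative to the staging area; an absolute
    # `requested` survives os.path.join unchanged and is then checked as-is.
    candidate = os.path.realpath(os.path.join(root, requested))
    # commonpath raises ValueError for paths on different drives (Windows);
    # treat that as "outside" rather than letting the exception escape.
    try:
        return os.path.commonpath([root, candidate]) == root
    except ValueError:
        return False


def demo() -> dict:
    """Build a constructed staging area and exercise the check against it."""
    with tempfile.TemporaryDirectory() as tmp:
        staging = os.path.join(tmp, "job-staging")
        outside = os.path.join(tmp, "secrets")  # stands in for a credentials dir
        os.makedirs(staging)
        os.makedirs(outside)
        with open(os.path.join(outside, "cloud.key"), "w") as fh:
            fh.write("constructed-placeholder-key\n")
        with open(os.path.join(staging, "logs.txt"), "w") as fh:
            fh.write("ok\n")
        # A job-controlled symlink that points out of the staging area.
        os.symlink(outside, os.path.join(staging, "escape"))
        return {
            "plain_file": is_within_staging(staging, "logs.txt"),
            "dotdot": is_within_staging(staging, "../secrets/cloud.key"),
            "absolute": is_within_staging(staging, os.path.join(outside, "cloud.key")),
            "symlink": is_within_staging(staging, "escape/cloud.key"),
            "prefix_sibling": is_within_staging(staging, os.path.join(tmp, "job-staging2", "x")),
        }
```

Only the plain file inside the staging area passes; the other four cases are the escapes a prefix check would miss.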