[TripleO] gate blocker - impacting all quickstart-based jobs - openstack-ansible-os_tempest

Jeremy Stanley fungi at yuggoth.org
Mon Apr 4 13:18:55 UTC 2022

On 2022-04-04 15:58:19 +0300 (+0300), Marios Andreou wrote:
> from a quick skim it doesn't appear to be completely unrestricted
> but will allow you to add some files/roles/collections into a
> special ("bubblewrap") env ? adding to reading list for more
> careful scanning later ;)

Currently, the Zuul executors run Ansible in per-build containers in
order to provide some separation so that jobs hopefully won't
interfere with one another. In addition, Zuul uses a forked copy of
Ansible's stdlib in order to prevent "unsafe" modules from being
called in that container, or to remove "unsafe" features from some
allowed modules.

What the spec proposes, in summary, is to drop that separate fork
we're maintaining of the Ansible stdlib, and just allow jobs to call
any module within the existing container on the executor.
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20220404/ed8c0db2/attachment.sig>

More information about the openstack-discuss mailing list