Nick | Message | Time
---|---|---|
tristanC | mordred: clarkb: jeblair: well bubblewrap is specifically designed to be "safely" used by unprivileged user... what are the problems you are trying to fix with it? | 00:38 |
SpamapS | tristanC: we want to run ansible-playbook in a sandbox where it can't inspect or affect things on the host running it. | 00:43 |
SpamapS | so, chroot++ | 00:43 |
tristanC | SpamapS: filesystem/ipc wise, bwrap can easily isolate an ansible-playbook process, here is a little experiment: http://paste.openstack.org/show/600431/ | 01:23 |
tristanC | though, further network isolation would need more work, not provided by bwrap afaik | 01:27 |
SpamapS | tristanC: actual network access can be handled by normal egress firewalling and user separation I think. But we don't want them to be able to read the system configuration like say, 'ip route' would. | 01:44 |
tristanC | SpamapS: I meant network namespace, bwrap can create them, but it doesn't seem to set up, like create the veth and virtual routes | 01:49 |
SpamapS | tristanC: Oh, yeah I don't think I'd want it to. | 01:51 |
SpamapS | that would mean I'd have to plumb that network namespace out to the target machines. | 01:51 |
SpamapS | though I guess that's the way to do what I ultimately want and hide the details | 01:52 |
* SpamapS | notes this is getting a little dockery | 01:52 |
tristanC | SpamapS: not necessarily down to the target machines, it's actually trivial to create a local virtual network so that the sandbox process can't inspect host interfaces or routes | 02:00 |
SpamapS | tristanC: ah, so just shove a veth into the namespace or something? | 02:02 |
SpamapS | that would be ideal really | 02:02 |
tristanC | SpamapS: yes, but this requires additional privileges... at that point, it's probably better to rely on a fully fledged container framework instead of giving extra powers to the parent process | 02:05 |
SpamapS | tristanC: yeah, I keep falling back to "let's start with lxc and see if that gets us there" | 02:14 |
SpamapS | and maybe wrap it in a little selinux/apparmor too | 02:15 |
* SpamapS | weekends | 02:15 |
tristanC | if it's acceptable to give zuul process such access, then I would recommend runC since it's more flexible :) | 02:35 |
mordred | SpamapS, tristanC: yah - so, I don't think we're as concerned about networks as we are with filesystems. which is to say - given the choice between being able to run without elevated privs and no network separation, or getting network separation but needing zuul to get root access, I believe we'd prefer to not have network separation | 04:32 |
mordred | one of the reasons to get to bubblewrap is the fact that runC and lxc _do_ require the calling process to have root | 04:33 |
mordred | of course, this is all a set of tradeoffs and balances | 04:33 |
mordred | so we may also want to lay out a comparison of what we get with each approach and what the cost is | 04:33 |