zuul/zuul-jobs
Code Issues Proposed changes
2cc836a320
zuul-jobs/roles/use-buildset-registry/tasks/main.yaml
Clark Boylan 4c40b92950 Prevent leaks of buildset registry credentials 
Because buildset registries may be used by jobs that finish before other
jobs are finished using the buildset registry we must be careful not to
expose the registry credentials in the jobs that finish sooner.
Otherwise logs for the earlier job runs could potentially be used to
poison the registry for later jobs.

This is likely currently incomplete. Other Zuulians should look over it
carefully to ensure we're covering all the bases here.

The cases I've identified so far are:

* Setting facts that include passwords
* Reading and writing to files that include passwords (as content may be
  logged)
* Calling modules with passwords passed as arguments (the module
  invocation is logged)

I've also set no_log on zuul_return that passes up credentials because
while the logging for zuul_return is minimal today, I don't want to
count on it remaining that way.

We also use the yet to be merged secret_data attribute on zuul_return to
ensure that zuul_return itself does not expose anything unwanted.

Finally it would be great if others could check over the use of
buildset_registry variables to make sure there aren't any that got
missed. One thing I'm not sure of is whether or not when conditionals
get logged and if we need to be careful about their use too.

Temporarily remove some buildset-regitry jobs which are in a catch-22.

Change-Id: I2dea683e27f00b99a7766bf830981bf91b925265
2021-06-24 09:56:19 -07:00

152 lines
4.7 KiB
YAML
Raw Blame History

- name: Include OS-specific variables
include_vars: "{{ zj_distro_os }}"
with_first_found:
- "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yaml"
- "{{ ansible_distribution }}.{{ ansible_architecture }}.yaml"
- "{{ ansible_distribution }}.yaml"
- "{{ ansible_os_family }}.yaml"
- "default.yaml"
loop_control:
loop_var: zj_distro_os
# Docker doesn't understand docker push [1234:5678::]:5000/image/path:tag
# so we set up /etc/hosts with a registry alias name to support ipv6 and 4.
- name: Configure /etc/hosts for buildset_registry to workaround docker not understanding ipv6 addresses
become: yes
lineinfile:
path: /etc/hosts
state: present
regex: "^{{ buildset_registry.host }}\tzuul-jobs.buildset-registry$"
line: "{{ buildset_registry.host }}\tzuul-jobs.buildset-registry"
insertafter: EOF
when: buildset_registry.host | ipaddr
- name: Set buildset_registry alias variable when using ip
set_fact:
buildset_registry_alias: zuul-jobs.buildset-registry
when: buildset_registry.host | ipaddr
- name: Set buildset_registry alias variable when using name
set_fact:
buildset_registry_alias: "{{ buildset_registry.host }}"
when: not ( buildset_registry.host | ipaddr )
- name: Ensure docker directory exists
become: yes
file:
state: directory
path: /etc/docker
mode: 0755
- name: Write buildset registry TLS certificate
become: true
copy:
content: "{{ buildset_registry.cert }}"
dest: "{{ ca_dir }}/{{ buildset_registry_alias }}.crt"
mode: 0644
register: _tls_ca
- name: Update CA certs # noqa: no-handler
command: "{{ ca_command }}"
become: true
when: _tls_ca is changed
# Update daemon config
- name: Check if docker daemon configuration exists
stat:
path: /etc/docker/daemon.json
register: docker_config_stat
- name: Load docker daemon configuration
when: docker_config_stat.stat.exists
slurp:
path: /etc/docker/daemon.json
register: docker_config
- name: Parse docker daemon configuration
when: docker_config_stat.stat.exists
set_fact:
docker_config: "{{ docker_config.content | b64decode | from_json }}"
- name: Set default docker daemon configuration
when: not docker_config_stat.stat.exists
set_fact:
docker_config:
registry-mirrors: []
- name: Add registry to docker daemon configuration
vars:
new_config:
registry-mirrors: "['https://{{ buildset_registry_alias }}:{{ buildset_registry.port }}/']"
set_fact:
docker_config: "{{ docker_config | combine(new_config) }}"
- name: Save docker daemon configuration
copy:
content: "{{ docker_config | to_nice_json }}"
dest: /etc/docker/daemon.json
mode: 0644
become: true
- name: Restart docker daemon
service:
name: docker
state: restarted
become: true
register: docker_restart
failed_when: docker_restart is failed and not 'Could not find the requested service' in docker_restart.msg
- name: Ensure containers directory exists
become: yes
file:
state: directory
path: /etc/containers
mode: 0755
- name: Modify registries.conf
become: yes
modify_registries_conf:
path: /etc/containers/registries.conf
buildset_registry: "{{ buildset_registry }}"
buildset_registry_alias: "{{ buildset_registry_alias }}"
namespaces: "{{ buildset_registry_namespaces }}"
no_log: true
- name: Ensure buildkit directory exists
become: yes
file:
state: directory
path: /etc/buildkit/
mode: 0755
- name: Modify buildkitd.toml
become: yes
modify_buildkitd_toml:
path: /etc/buildkit/buildkitd.toml
buildset_registry: "{{ buildset_registry }}"
buildset_registry_alias: "{{ buildset_registry_alias }}"
namespaces: "{{ buildset_registry_namespaces }}"
no_log: true
# We use 'block' here to cause the become to apply to all the tasks
# (which does not automatically happen with include_tasks).
- name: Update docker user config to use buildset registry
become: true
become_user: "{{ buildset_registry_docker_user }}"
when: buildset_registry_docker_user is defined
block:
- include_tasks: user-config.yaml
- name: Update docker user config to use buildset registry
when: buildset_registry_docker_user is not defined
block:
- include_tasks: user-config.yaml
- name: Check if cri-o is installed
stat:
path: /etc/crio/crio.conf
register: crio_path
# TODO: with cri-o >= 1.16, change this to a SIGHUP of the crio process
- name: Restart cri-o
when: crio_path.stat.exists
service:
name: crio
state: restarted
become: true
- name: Wait for kubernetes connection to come back
command: timeout 10s kubectl get pods
when: kubelet_config.stat.exists or crio_path.stat.exists
register: _api_ready
until: _api_ready.rc == 0
retries: 6
delay: 10
View Git Blame Copy Permalink