| *** jamesmcarthur has joined #zuul | 00:42 | |
| *** jamesmcarthur has joined #zuul | 00:45 | |
| *** jamesmcarthur has quit IRC | 00:49 | |
| fungi | so's stuff as basic as chroot on linux without granting non-default capabilities | 01:47 |
|---|---|---|
| SpamapS | tristanC:well I didn't say it was exactly like bubblewrap :) | 02:02 |
| fungi | bubblewrap would need superuser invocation too by default | 02:03 |
| tristanC | fungi: right, though bubblewrap (and rootless containers by extension) are meant to be used by regular user, assuming they don't weaken the system security. | 02:07 |
| fungi | it's invoked setuid=0 in our deployment at least | 02:07 |
| *** saneax has joined #zuul | 02:08 | |
| fungi | so invoked by a normal user but runs in the context of the root superuser anyway | 02:08 |
| tristanC | if the kernel support user namespace, then you bwrap can still work without setuid | 02:08 |
| tristanC | at least by default, further isolation system like docker block user namespace creation with seccomp | 02:16 |
| tristanC | you can try that with the "unshare" tool, e.g. "unshare --pid --mount --user --map-root-user --fork" let a regular user become root in a namespace, without using any setuid | 02:33 |
| tristanC | and i think this is the relevant policy that blocks that in docker: https://github.com/moby/moby/blob/master/profiles/seccomp/default.json#L592-L603 | 02:43 |
| SpamapS | Yep, bubblewrap is only installed w/o setuid bits in distros whose kernels support USERNS | 03:00 |
| SpamapS | Which does not include Debian Jessie or CentOS 7 | 03:01 |
| *** jamesmcarthur has joined #zuul | 03:47 | |
| *** jamesmcarthur has quit IRC | 03:50 | |
| *** altlogbot_3 has quit IRC | 06:29 | |
| *** altlogbot_1 has joined #zuul | 06:31 | |
| *** tobiash has quit IRC | 08:58 | |
| *** etp has quit IRC | 09:03 | |
| *** tobiash has joined #zuul | 09:05 | |
| *** tobiash has quit IRC | 09:09 | |
| *** tobiash has joined #zuul | 09:10 | |
| *** etp has joined #zuul | 09:33 | |
| *** etp has quit IRC | 09:48 | |
| *** tosky has joined #zuul | 13:05 | |
| *** lennyb has quit IRC | 14:02 | |
| *** lennyb has joined #zuul | 14:03 | |
| *** lennyb has quit IRC | 14:03 | |
| *** lennyb has joined #zuul | 14:04 | |
| *** sanjayu_ has joined #zuul | 14:24 | |
| *** saneax has quit IRC | 14:26 | |
| *** sanjayu__ has joined #zuul | 14:30 | |
| *** sanjayu_ has quit IRC | 14:32 | |
| *** jamesmcarthur has joined #zuul | 16:14 | |
| *** jamesmcarthur has quit IRC | 16:33 | |
| *** jamesmcarthur has joined #zuul | 16:34 | |
| *** jamesmcarthur has quit IRC | 16:38 | |
| *** jamesmcarthur has joined #zuul | 17:05 | |
| openstackgerrit | Tobias Henkel proposed zuul/zuul master: Annotate logs around build states https://review.opendev.org/661489 | 17:39 |
| openstackgerrit | Tobias Henkel proposed zuul/zuul master: Annotate logs around reporting https://review.opendev.org/661490 | 17:39 |
| openstackgerrit | Tobias Henkel proposed zuul/zuul master: Annotate logs around finished builds https://review.opendev.org/661491 | 17:39 |
| *** jamesmcarthur has quit IRC | 17:46 | |
| *** tosky has quit IRC | 17:48 | |
| *** tosky has joined #zuul | 17:49 | |
| *** jamesmcarthur has joined #zuul | 18:02 | |
| *** jamesmcarthur has quit IRC | 18:07 | |
| *** jamesmcarthur has joined #zuul | 18:17 | |
| *** jamesmcarthur has quit IRC | 18:40 | |
| openstackgerrit | Tobias Henkel proposed zuul/zuul master: Annotate logs around build states https://review.opendev.org/661489 | 18:42 |
| openstackgerrit | Tobias Henkel proposed zuul/zuul master: Annotate logs around reporting https://review.opendev.org/661490 | 18:42 |
| openstackgerrit | Tobias Henkel proposed zuul/zuul master: Annotate logs around finished builds https://review.opendev.org/661491 | 18:42 |
| *** jamesmcarthur has joined #zuul | 18:43 | |
| *** jamesmcarthur has quit IRC | 18:45 | |
| *** jamesmcarthur has joined #zuul | 18:46 | |
| *** jamesmcarthur has quit IRC | 18:59 | |
| *** jamesmcarthur has joined #zuul | 19:00 | |
| openstackgerrit | Tobias Henkel proposed zuul/zuul master: Create zuul/web/static on demand https://review.opendev.org/661498 | 19:02 |
| *** sanjayu__ has quit IRC | 19:34 | |
| *** jamesmcarthur has quit IRC | 19:38 | |
| *** tosky has quit IRC | 20:18 | |
| *** jamesmcarthur has joined #zuul | 20:25 | |
| *** tosky has joined #zuul | 20:26 | |
| *** jamesmcarthur has quit IRC | 20:45 | |
| *** tosky has quit IRC | 21:17 | |
| openstackgerrit | Tristan Cacqueray proposed zuul/zuul master: Skip file matcher for pipeline using timer trigger https://review.opendev.org/660856 | 22:40 |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!