"[email protected]" <[email protected]> writes: > That's great news! In-repo configs will speed up development for teams, > with a security caveat for infrastructure team to keep in mind. The > ansible runner CI node which runs playbooks for defined jobs, should not > content sensitive information, like keys and secrets in files or > exported env vars, unless they are a one time or limited in time. The > same applies to the nodepool nodes allocated for a particular CI test > run. Otherwise, a malformed patch could make ansible to cat/echo all of > the secrets to the publicly available build logs.
Indeed that is a risk. To mitigate that, we are building a restricted execution environment for Ansible so that jobs defined in-repo will only be allowed to access a per-job staging area on the runner. And we also plan on running that in a chrooted container. These protections are not complete yet, which is why our test instance at the moment is very limited in scope. -Jim __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
