Add a note about bwrap and setsid

https://github.com/containers/bubblewrap/issues/142 is relevant to us, however our use of start_new_session in popen effectively avoids the issue. Add a note to that effect so that we don't accidentally open a vulnerability later. Also, clean up some py2-only code. Change-Id: Icd4adee32f35c478661dc2d657cf6c9e55e1f7b5
author: James E. Blair <jim@acmegating.com> 2022-03-28 09:40:22 -0700
committer: James E. Blair <jim@acmegating.com> 2022-03-28 15:44:19 -0700
commit: a190e35bb8039dad5336e658ac7947adebbb6da6 (patch)
tree: 5fbe9b753fb412a8340ff9f7c0f6e963b3be06aa /zuul/executor
parent: 9bd930110955438ca4b6721c39b6e685e33e1fab (diff)
download: zuul-a190e35bb8039dad5336e658ac7947adebbb6da6.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/zuul/executor/server.py b/zuul/executor/server.py
index 59bee9ddd..158042be4 100644
--- a/zuul/executor/server.py
+++ b/zuul/executor/server.py
@@ -2829,6 +2829,8 @@ class AnsibleJob(object):
                 stdin=subprocess.DEVNULL,
                 stdout=subprocess.PIPE,
                 stderr=subprocess.STDOUT,
+                # Either this must be present, or we need the
+                # --new-session argument for bwrap.
                 start_new_session=True,
                 env=env_copy,
             )
author	James E. Blair <jim@acmegating.com>	2022-03-28 09:40:22 -0700
committer	James E. Blair <jim@acmegating.com>	2022-03-28 15:44:19 -0700
commit	a190e35bb8039dad5336e658ac7947adebbb6da6 (patch)
tree	5fbe9b753fb412a8340ff9f7c0f6e963b3be06aa /zuul/executor
parent	9bd930110955438ca4b6721c39b6e685e33e1fab (diff)
download	zuul-a190e35bb8039dad5336e658ac7947adebbb6da6.tar.gz