yadunut/clan-core
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

vars/fact: isolate secret generation better from the system

Browse Source
This commit is contained in:
Jörg Thalheim
2024-12-25 18:33:00 +01:00
committed by Mic92
parent 24fea19344
commit 14fdf2debd
2 changed files with 18 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
pkgs/clan-cli/clan_cli/facts/generate.py
View File

@@ -46,14 +46,20 @@ def bubblewrap_cmd(generator: str, facts_dir: Path, secrets_dir: Path) -> list[s
],
[
"bwrap",
"--unshare-all",
"--tmpfs", "/",
"--ro-bind", "/nix/store", "/nix/store",
"--tmpfs", "/usr/lib/systemd",
"--dev", "/dev",
# not allowed to bind procfs in some sandboxes
"--bind", str(facts_dir), str(facts_dir),
"--bind", str(secrets_dir), str(secrets_dir),
"--unshare-all",
"--unshare-user",
"--chdir", "/",
# Doesn't work in our CI?
#"--proc", "/proc",
#"--hostname", "facts",
"--bind", "/proc", "/proc",
"--uid", "1000",
"--gid", "1000",
"--",
"bash", "-c", generator
],

12
pkgs/clan-cli/clan_cli/vars/generate.py
View File

@@ -88,14 +88,20 @@ def bubblewrap_cmd(generator: str, tmpdir: Path) -> list[str]:
],
[
"bwrap",
"--unshare-all",
"--tmpfs", "/",
"--ro-bind", "/nix/store", "/nix/store",
*(["--ro-bind", str(test_store), str(test_store)] if test_store else []),
"--tmpfs", "/usr/lib/systemd",
"--dev", "/dev",
# not allowed to bind procfs in some sandboxes
"--bind", str(tmpdir), str(tmpdir),
"--unshare-all",
"--unshare-user",
"--chdir", "/",
# Doesn't work in our CI?
#"--proc", "/proc",
#"--hostname", "facts",
"--bind", "/proc", "/proc",
"--uid", "1000",
"--gid", "1000",
"--",
"bash", "-c", generator
],