Merge "Use bwrap --disable-userns if possible"

author: Zuul <zuul@review.opendev.org> 2023-05-17 18:42:53 +0000
committer: Gerrit Code Review <review@openstack.org> 2023-05-17 18:42:53 +0000
commit: deab00c8bd37b2d8e8c223cb10e7585e54282250 (patch)
tree: 9ac0a387037bfa2d8a06d7b8bb6ecd0a13269597 /releasenotes/notes
parent: 38423ed88373b909b864fc0bdf5d7268137b242e (diff)
parent: 0937872119e642b3fc689fc2bf156e44dccf140d (diff)
download: zuul-deab00c8bd37b2d8e8c223cb10e7585e54282250.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/releasenotes/notes/bwrap-disable-userns-bbb3f3a2932415c4.yaml b/releasenotes/notes/bwrap-disable-userns-bbb3f3a2932415c4.yaml
new file mode 100644
index 000000000..acf7b1f23
--- /dev/null
+++ b/releasenotes/notes/bwrap-disable-userns-bbb3f3a2932415c4.yaml
@@ -0,0 +1,8 @@
+---
+security:
+  - |
+    Zuul will execute bwrap with --disable-userns set if two conditions
+    hold. 1) The version of bwrap is 0.8.0 or newer and 2) User namespaces
+    are enabled in the zuul-executor runtime context. Doing so will
+    prevent the zuul-executor bwrap runtimes from creating additional
+    user namespaces which fortifies Zuul's security position.
author	Zuul <zuul@review.opendev.org>	2023-05-17 18:42:53 +0000
committer	Gerrit Code Review <review@openstack.org>	2023-05-17 18:42:53 +0000
commit	deab00c8bd37b2d8e8c223cb10e7585e54282250 (patch)
tree	9ac0a387037bfa2d8a06d7b8bb6ecd0a13269597 /releasenotes/notes
parent	38423ed88373b909b864fc0bdf5d7268137b242e (diff)
parent	0937872119e642b3fc689fc2bf156e44dccf140d (diff)
download	zuul-deab00c8bd37b2d8e8c223cb10e7585e54282250.tar.gz