author | Zuul <zuul@review.opendev.org> | 2023-05-17 18:42:53 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2023-05-17 18:42:53 +0000 |
commit | deab00c8bd37b2d8e8c223cb10e7585e54282250 (patch) | |
tree | 9ac0a387037bfa2d8a06d7b8bb6ecd0a13269597 /releasenotes/notes | |
parent | 38423ed88373b909b864fc0bdf5d7268137b242e (diff) | |
parent | 0937872119e642b3fc689fc2bf156e44dccf140d (diff) | |
download | zuul-deab00c8bd37b2d8e8c223cb10e7585e54282250.tar.gz |
Merge "Use bwrap --disable-userns if possible"
Diffstat (limited to 'releasenotes/notes')
-rw-r--r-- | releasenotes/notes/bwrap-disable-userns-bbb3f3a2932415c4.yaml | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/releasenotes/notes/bwrap-disable-userns-bbb3f3a2932415c4.yaml b/releasenotes/notes/bwrap-disable-userns-bbb3f3a2932415c4.yaml new file mode 100644 index 000000000..acf7b1f23 --- /dev/null +++ b/releasenotes/notes/bwrap-disable-userns-bbb3f3a2932415c4.yaml @@ -0,0 +1,8 @@ +--- +security: + - | + Zuul will execute bwrap with --disable-userns set if two conditions + hold. 1) The version of bwrap is 0.8.0 or newer and 2) User namespaces + are enabled in the zuul-executor runtime context. Doing so will + prevent the zuul-executor bwrap runtimes from creating additional + user namespaces which fortifies Zuul's security position. |
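Review bot: the release note leaves the fallback behaviour unstated; when either condition fails (bwrap older than 0.8.0, or user namespaces not enabled in the zuul-executor runtime context) operators need to know whether Zuul silently runs bwrap without --disable-userns or logs a warning, since the protection described here only holds on executors where the flag is actually applied. Suggest also stating how condition 2 is detected so operators can verify it on their hosts, and replacing the vague closing clause "which fortifies Zuul's security position" with the concrete effect already implied by the preceding sentence, e.g. "so that job payloads running inside the sandbox cannot create nested user namespaces".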