author | James E. Blair <jim@acmegating.com> | 2022-03-28 09:40:22 -0700 |
---|---|---|
committer | James E. Blair <jim@acmegating.com> | 2022-03-28 15:44:19 -0700 |
commit | a190e35bb8039dad5336e658ac7947adebbb6da6 (patch) | |
tree | 5fbe9b753fb412a8340ff9f7c0f6e963b3be06aa /zuul/executor | |
parent | 9bd930110955438ca4b6721c39b6e685e33e1fab (diff) | |
download | zuul-a190e35bb8039dad5336e658ac7947adebbb6da6.tar.gz |
Add a note about bwrap and setsid
https://github.com/containers/bubblewrap/issues/142 is relevant to
us, however our use of start_new_session in popen effectively
avoids the issue. Add a note to that effect so that we don't
accidentally open a vulnerability later.
Also, clean up some py2-only code.
Change-Id: Icd4adee32f35c478661dc2d657cf6c9e55e1f7b5
Diffstat (limited to 'zuul/executor')
-rw-r--r-- | zuul/executor/server.py | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/zuul/executor/server.py b/zuul/executor/server.py index 59bee9ddd..158042be4 100644 --- a/zuul/executor/server.py +++ b/zuul/executor/server.py @@ -2829,6 +2829,8 @@ class AnsibleJob(object): stdin=subprocess.DEVNULL, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, + # Either this must be present, or we need the + # --new-session argument for bwrap. start_new_session=True, env=env_copy, ) |
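Review bot: The new comment above `start_new_session=True` states the constraint (keep this, or pass `--new-session` to bwrap) but not the reason, so someone reading server.py without the commit message cannot tell that removing the argument has security consequences. Consider putting the reference from the commit message, https://github.com/containers/bubblewrap/issues/142, in the comment itself and saying that the setting is there to avoid that issue. The commit message also mentions cleaning up py2-only code, but this hunk contains only the two added comment lines, so it would help to confirm that the cleanup is covered elsewhere in the change or to drop that sentence.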