Diffstat (limited to 'releasenotes/notes/bwrap-disable-userns-bbb3f3a2932415c4.yaml')
-rw-r--r-- | releasenotes/notes/bwrap-disable-userns-bbb3f3a2932415c4.yaml | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/releasenotes/notes/bwrap-disable-userns-bbb3f3a2932415c4.yaml b/releasenotes/notes/bwrap-disable-userns-bbb3f3a2932415c4.yaml new file mode 100644 index 000000000..acf7b1f23 --- /dev/null +++ b/releasenotes/notes/bwrap-disable-userns-bbb3f3a2932415c4.yaml @@ -0,0 +1,8 @@ +--- +security: + - | + Zuul will execute bwrap with --disable-userns set if two conditions + hold. 1) The version of bwrap is 0.8.0 or newer and 2) User namespaces + are enabled in the zuul-executor runtime context. Doing so will + prevent the zuul-executor bwrap runtimes from creating additional + user namespaces which fortifies Zuul's security position. |
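Review bot: The security note says the flag is set "if two conditions hold" but does not say what an operator sees when one of them fails, so a deployment with bwrap older than 0.8.0 cannot tell from this text that it is running without the protection. Suggest adding a sentence that states the behaviour in that case and that upgrading bwrap to 0.8.0 or newer is needed to benefit. The inline "1) ... and 2) ..." would read more clearly as two separate list lines inside the block, and "security position" in the last line looks like it should be "security posture".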