Aleksa Sarai

Results 789 comments of Aleksa Sarai

If anything it should be SHOULD, but I'm still not a fan of this...

Yeah I'm not sure that it makes sense since it only is related to the loading mechanism of a container runtime and not the final container process. Though you could...

The reason that this isn't the case in Docker is because Docker implements the configuration stuff as though `--user` overwrites the `User` parameter in the image configuration (so the conversion...

@vbatts Currently the OCI spec doesn't default to `0` -- it defaults to whatever is in `/etc/passwd` and `/etc/groups` for the `user` (or `uid`) specified. To be fair, doing it...

If we do add an option, it needs to have a really scary name (`disableSetgroupSecurity` or something). Not dropping supplementary groups weakens the userns security boundary, and really is something...

(Also I would seriously suggest that this is functionality that should be exposed through a runtime-specific annotation and not a first-class field in `config.json` -- the runtime-spec already has lots...

The slight issue with `set -e` in bats is that bats internally works by `source`ing the test files, which might cause us to mess up its internal error handling (then...

I had some discussion about possibilities of how a runtime could implement namespace-agnostic ways. opencontainers/runc#1224. I'm not sure if it makes sense to define this in the spec, but it's...

> I'd suggest to remove pipes from the spec, unless the expected behaviour is clarified. I don't see a use case for it. I think excluding FIFOs wouldn't make much...

Actually, we need some changes for runc 1.0:

* A version field to the hook state JSON, so that users can differentiate between spec versions in hooks.
* More hooks...