Aleksa Sarai
I don't think this is really necessary, I ended up closing most of the dependabot issues.
FWIW, I sent a patch to improve the performance of `os.Clearenv` (with the patch it's ~30% faster for an environment with 1000 variables set), though this is fixing other issues...
> Maybe we should add this break to CHANGELOG because we may forget it when making a release. I think we need to start adding things to the changelog in...
This PR just makes it so that setting `_LIBCONTAINER_INIT` will cause the same issue you are describing. Why do you need to set environment variables with the name `_LIBCONTAINER_`? Those...
> I try to let nsexec receive args, but I can't find any way, because args must be received in main func in C code. You could use `/proc/self/cmdline` to get...
Also, this isn't a golang issue -- our usage of `__attribute__((constructor))` is something Go doesn't really like supporting, so opening issues against the Go repo won't get a positive reaction...
@ningmingxiao Modifying the `config.json` to allow host access is not a security issue, it's a misconfiguration. You can also bind-mount the entire host filesystem into the container if you really...
I would prefer the code be moved to `libcontainer/internal/userns` instead of `libcontainer/idmap`. `idmap` isn't a good name for the new package IMHO, because the code you're moving is all about...
Given #3028, I suspect we should move forward with the general principle that any new package for libcontainer should be `internal` by default and we can always expose it later.
tl;dr: It would be nice to fix this in the spec, however solving this is more complicated than you expect and libseccomp is missing necessary features (not to mention this...