Aleksa Sarai

Results 775 comments of Aleksa Sarai

My only question is whether we should put this in `internal/third_party/systemd` to make the provenance more obvious.

@pdziuba This is due to a design flaw in AppArmor. https://github.com/opencontainers/runc/issues/4968 lists the necessary workarounds. @abhi4u1947 The error you are getting is different and would be caused by a bind...

@cruizba Are you asking about https://github.com/opencontainers/runc/issues/4968 (the **permission error** due to `/proc/sys` writes being treated as though they were `/sys` writes with AppArmor)? I am going to be speaking at...

> Drop sane_helper since the output of the command is shown in case of an error, and we show the command itself in runc wrapper (unless -N or ! is...

~~The nvidia-container-runtime uses runc hooks to reconfigure the cgroup without giving runc any information about the changed configuration, meaning that systemd is not aware of the NVIDIA devices being added...

@zhoaxiaohu Did you mean to link #3842 in the description? As discussed in that PR, systemd 240 switched to parsing `/dev/char/A:B` directly so that issue should be solved for newer...

So, `nvidia-container-runtime` is supposed to be setting them in our `config.json` and so they should be in `DeviceAllow` (those are set based on our configuration of the transient unit). I...

The devil's-advocate argument against putting this in the actual spec would be that `org.securitytxt.url` would be another reasonable annotation to use for this. Of course, I doubt they have an...

To be honest, the more I think about it, the more I like `org.securitytxt.url`...

I think we should still have `Must` versions of some of these functions -- most programs register algorithms in `init` so the usual concerns about panics causing issues for long-running...