everzakov
Sorry for interrupting. However, only setting the necessary uid/gid for the device won't work (if the container has a user ns) because now runc doesn't do anything with devices if the container has a...
> Ping @everzakov @rata. What do you guys think? Should we take this in? Sorry for the late answer. Can I try this change with a mount which does...
/cc @kolyshkin
runc support for vTPM is part of the following solution: a container remote attestation solution. In this solution, the vTPM is a device used for storing the attestation result. In this PR, atomic...
> So in short, why is the runtime layer the appropriate place for this and not, say, the orchestrators like containerd, Docker, kubernetes, etc? This is a good question. If...
> Another aspect is how non-container runtimes (VMs, etc) are expected to implement this. We assign runc to create the vTPM because we want to align with the same architecture design as...
> If they can't support this, they should probably simply error, right? The same if `swtpm` is not installed? If the runtime does not have a vTPM feature / swtpm...
Sorry for the late reply, I was on PTO :(
> If we take a similar approach in `runc`, then the `swtpm` devices or sockets are no different than anything else you might share with the container in the bundle...
> My biggest concern is the lifecycle management of that `swtpm` process, because again, `runc` is _not_ running anymore once the container is up, so from the perspective of `runc`...
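To make the "no different than anything else you share with the container in the bundle" point concrete, here is an added example of an OCI runtime `config.json` fragment; it is not code from this PR or from runc itself. It assumes an `swtpm` instance that the caller (an orchestrator or a wrapper, not runc) has already started with its control socket under a hypothetical per-container directory `/run/swtpm/ctr-42/`, and it exposes that socket with an ordinary bind mount. Alongside it, the `linux.devices` entry and the matching cgroup device rule show how a host TPM character device (`/dev/tpm0`, misc major 10 minor 224) would be passed through instead; the `uid`/`gid` values there are the in-container ids, which is why, as noted above, they need to be consistent with the user namespace mappings when one is configured.

```json
{
  "mounts": [
    {
      "destination": "/run/swtpm/swtpm-sock",
      "type": "bind",
      "source": "/run/swtpm/ctr-42/swtpm-sock",
      "options": ["bind", "rw"]
    }
  ],
  "linux": {
    "devices": [
      {
        "path": "/dev/tpm0",
        "type": "c",
        "major": 10,
        "minor": 224,
        "fileMode": 432,
        "uid": 0,
        "gid": 0
      }
    ],
    "resources": {
      "devices": [
        { "allow": false, "access": "rwm" },
        { "allow": true, "type": "c", "major": 10, "minor": 224, "access": "rw" }
      ]
    }
  }
}
```

In this arrangement runc only wires up a mount and a device node at `create` time, so the lifecycle of the `swtpm` process (starting it before `runc create`, stopping it after the container exits) stays with whoever prepared the bundle, which is the separation of responsibilities the comment above is arguing for. The `fileMode` of 432 is decimal for `0660`; the deny-all rule followed by a single allow is the usual cgroup device whitelist shape.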