runwasi
Pre-open directories and other capabilities
In this Slack conversation and #265, we have started to discuss the fact that we are pre-opening the container root filesystem (fs) to the Wasm guest application. Pre-opening the root fs for use by the guest Wasm app is intended to enable users to build Wasm apps that feel more like the apps they know and love running in containers.
The default for many Wasm runtimes is to offer the guest no capabilities. This least-privilege approach is one of the key features of Wasm.
We may want to reconsider pre-opening the container root fs in the future. Perhaps we can replace the default behavior with a user-specified behavior, opting in to the pre-open. Additionally, we may also want to consider how other capabilities could be expressed by the user.
discussion with some historical context in https://cloud-native.slack.com/archives/C04LTPB6Z0V/p1692799401937929
Is this another area where having specific wasi runtime configuration might be helpful?
related: https://github.com/spinkube/containerd-shim-spin/issues/108
see @jsturtevant's comment at the bottom
This might be shim specific and we want to provide some guidance on how to do it