runtime-spec
specs-go/config: add keyring support
Currently, with runc we have a special cmdline flag --no-new-keyring
for runc run that enables/disables the creation of a new kernel
keyring. The main reason we have the option is that older kernels had
issues with allocating a lot of keyrings (so in order to run containers
on old kernels you need to disable the creation of a new keyring).
This patch adds keyring support to the OCI spec, which allows managers to drive this behavior in a runtime-agnostic way and helps make swapping in other runtimes easier.
Fixes https://github.com/opencontainers/runtime-spec/issues/754
Fixes https://github.com/opencontainers/runtime-spec/issues/950
Signed-off-by: Kailun Qin [email protected]