The proposed "netdevices" field provides a declarative way to
specify which host network devices should be moved into a container's
network namespace.
This approach is similar to the existing "devices" field used for block
devices, but uses a dictionary keyed by the interface name instead.
The proposed scheme is based on the existing representation of a network
device by `struct net_device`:
https://docs.kernel.org/networking/netdevices.html.
This proposal focuses solely on moving existing network devices into
the container namespace. It does not cover the complexities of
network configuration or network interface creation, emphasizing the
separation of device management and network configuration.
Signed-off-by: Antonio Ojea <aojea@google.com>
This PR proposes updates to the OCI runtime spec with
z/OS platform-specific details, including adding
namespaces, adding noNewPrivileges flag, and removing
devices. These changes are currently in use by the
IBM z/OS Container Platform (zOSCP) product - details
can be found here:
https://www.ibm.com/products/zos-container-platform.
Signed-off-by: Neil Johnson <najohnsn@us.ibm.com>
Signed-off-by: Kershaw Mehta <kershaw@us.ibm.com>
Correct `prestart` hook description in summary
It looks like the previous description was copied from the wrong line.
Update the `prestart (Deprecated)` hook's timing from being called
"after the start operation is invoked but before the user-specified command executes"
to "during the create operation, after the runtime environment is created and before pivot root or any equivalent operation."
Signed-off-by: Lei Wang <ssst0n3@gmail.com>
The following constants are defined in the main branch of libseccomp,
but not included in its latest release (v2.5) yet:
* SCMP_ARCH_LOONGARCH64 (seccomp/libseccomp@6966ec7)
* SCMP_ARCH_M68K (seccomp/libseccomp@dd5c9c2)
* SCMP_ARCH_SH (seccomp/libseccomp@c12945d)
* SCMP_ARCH_SHEB (seccomp/libseccomp@c12945d)
These constant names are unlikely to change before v2.6 GA,
so we can safely refer to them in specs-go.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Most of these either redirect (so changing saves an extra redirect),
or have a TLS version available.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The description of execCPUAffinity.final said that if it's not set or empty,
the final affinity is the one of the container's cgroup. This was done
because we thought the kernel changes the process' CPU affinity to the one of
the cgroup. It's not the case.
To keep the runtime simple, it makes sense to not do anything if the
final affinity is not explicitly set. This change does just that.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This allows setting the initial and final CPU affinity for a process being
run in a container, which is needed to solve the issue described in [1].
[1] https://github.com/opencontainers/runc/issues/3922
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Happy to still be brought into conversations, but do not want to slow
progress of the active maintainers.
🐐🧁🧡
Also, building out the EMERITUS from the past folks that have already
retired out of being maintainers.
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
This change adds Go v1.21 and v1.22 to the CI matrix and drops Go v1.19
and v1.20 since they will no longer be getting updates.
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
This change updates actions/checkout to v4, actions/setup-go to v5, and
golangci/golangci-lint-action to v4 to resolve NodeJS 16 deprecation
warnings in CI.
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
crun currently allows specifying an empty mapping for [r]idmap, and
defaults to the mappings specified for the container user namespace.
Change the specifications to allow such behavior.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Support for kernel-memory limits was deprecated in the kernel, and documented
as "NOT RECOMMENDED" (or "SHOULD NOT" use) in v1.1.0-rc.1 through commit
f02cd4a4273f5cf4898df4feee7dcf0d08756029.
This patch marks the field as deprecated in the Go implementation of the
spec, so that linters and editors produce a warning and consumers get
notified of its status.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>