Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

keyring configuration #754

Open
cyphar opened this issue Apr 5, 2017 · 3 comments · May be fixed by #1112
Open

keyring configuration #754

cyphar opened this issue Apr 5, 2017 · 3 comments · May be fixed by #1112
Labels
v1.NEXT-maybe
Milestone
(Outdated)

Comments

@cyphar
Copy link
Member

cyphar commented Apr 5, 2017

With runC we have a special flag for runc run that enables/disables the creation of a new kernel keyring. The main reason we have the option is that older kernels had issues with allocating a lot of keyrings (so in order to run containers on old kernels you need to disable the creation of a new keyring).

However, while keyrings aren't containerised on Linux, maybe it makes sense for us to include some keyring information in config-linux?
@tianon
Copy link
Member

tianon commented May 24, 2017

@cyphar do you think this is something we'd be safe to think/discuss about post-1.0? (it sounds like it's something that'd be fine to add in a 1.1, for example)

@cyphar
Copy link
Member Author

cyphar commented May 24, 2017

Yeah, this would be post-1.0. As an aside, it looks like there's some (worrying) move to namespace these as well as a few other things in a pretty insane way.

@tianon tianon added this to the 1.1.0 milestone May 24, 2017
@justincormack
Copy link
Contributor

See proposal in #950

kailun-qin added a commit to kailun-qin/runtime-spec that referenced this issue Aug 3, 2021
@kailun-qin
specs-go/config: add keyring support
0a35229 
Currently, with `runc` we have a special cmdline flag `--no-new-keyring`
for `runc run` that enables/disables the creation of a new kernel
keyring. The main reason we have the option is that older kernels had
issues with allocating a lot of keyrings (so in order to run containers
on old kernels you need to disable the creation of a new keyring).

This patch adds keyring support into part of the OCI spec which allows
managers to drive this behavior in a runtime-agnostic way and helps make
swapping in other runtimes easier.

Fixes opencontainers#754
Fixes opencontainers#950

Signed-off-by: Kailun Qin <[email protected]>
@kailun-qin kailun-qin linked a pull request Aug 3, 2021 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
v1.NEXT-maybe
Projects
None yet
Milestone
(Outdated)
Development

Successfully merging a pull request may close this issue.

specs-go/config: add keyring support kailun-qin/runtime-spec
3 participants
@tianon @justincormack @cyphar