Reasons that can't use runc-dmz #4158

Open
lifubang opened this issue Jan 1, 2024 · 0 comments
Comments

@lifubang (Member)

lifubang commented Jan 1, 2024

When we were introducing dmz to runc, we realized that there were 3 reasons we should disable runc-dmz:

  1. runc-dmz does not play well with selinux #4057, fixed by Add selinux-vs-dmz test case and a workaround #4053.
  2. The container process has a CAP_SYS_PTRACE ability, fixed by nsexec: cloned binary rework #3987.
  3. If the container process is not root and the capabilities are not in the ambient set (#4125), this will be fixed by dmz: don't use runc-dmz in complicated capability setups #4137.

Maybe there are some more scenarios that can't use runc-dmz; please provide them to help us improve or deprecate it. Thanks.
