Re: [atomic-devel] I am working on seccomp integration into docker for project Atomic.
- From: Daniel J Walsh <dwalsh redhat com>
- To: SGhosh <sghosh redhat com>, Jon Stanley <jonstanley gmail com>
- Cc: atomic-devel projectatomic io
- Subject: Re: [atomic-devel] I am working on seccomp integration into docker for project Atomic.
- Date: Tue, 28 Oct 2014 10:14:55 -0400
On 10/28/2014 09:33 AM, SGhosh wrote:
> On 10/28/2014 08:47 AM, Jon Stanley wrote:
>> On Tue, Oct 28, 2014 at 7:59 AM, Daniel J Walsh <dwalsh redhat com>
>> wrote:
>>
>>> syscalls, by default. On an X86_64 system x32 and i686 syscalls
>>> will be
>>> eliminated.
>> This seems problematic in the fact that you couldn't then run a 32-bit
>> application in a container, unless I'm missing something.
>>
>
> Dan
>
> - would it be possible to have runtime instantiated seccomp profiles?
> eg. decide early on whether the i686 syscalls will be allowed or not?
>
> additive profiles like tuned?
>
> -subhendu
Not sure what that means. Adding i686 support would require you to do
something like
docker run --security-opt seccomp:add_arch:i686 ...
I would love it if we could get to the point where the packager of the
app could describe the requirements of the application in the JSON
metadata. But I am not sure if docker upstream would take this kind of patch.
Sort of a meta { "requires": "seccomp:add_arch:i686" }
Doing this for capabilities, seccomp, SELinux types, would be nice, as
well as specifying which volume mounts need to be mounted into the
container.
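What "eliminating x32 and i686 syscalls" and a hypothetical `add_arch:i686` switch mean at the seccomp level, as an added example that is not part of this thread, of Docker, or of Dan's patch: it builds the classic-BPF filter a container runtime would install, one that allows native x86_64 syscalls, kills x32 syscalls (which share AUDIT_ARCH_X86_64 and are tagged with bit 0x40000000 in the syscall number), and admits AUDIT_ARCH_I386 only when the option is given. The BPF and seccomp constants are copied from the Linux UAPI headers so the filter can be built and simulated anywhere; the `run_filter` interpreter is a toy covering only the three opcode kinds used here, the `add_arch:i686` command-line argument is a stand-in for the docker option, and only `main` needs Linux to actually install the filter.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic-BPF and seccomp definitions copied from the Linux UAPI headers,
 * so the filter can be built and simulated without kernel headers. */
struct sock_filter { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
struct seccomp_data { int nr; uint32_t arch; uint64_t instruction_pointer; uint64_t args[6]; };

#define BPF_LD   0x00
#define BPF_W    0x00
#define BPF_ABS  0x20
#define BPF_JMP  0x05
#define BPF_JEQ  0x10
#define BPF_JSET 0x40
#define BPF_K    0x00
#define BPF_RET  0x06

#define AUDIT_ARCH_X86_64  0xC000003Eu  /* EM_X86_64 | 64BIT | LE */
#define AUDIT_ARCH_I386    0x40000003u  /* EM_386 | LE */
#define X32_SYSCALL_BIT    0x40000000u  /* x32 uses AUDIT_ARCH_X86_64 plus this bit in nr */
#define SECCOMP_RET_KILL   0x00000000u  /* kill the calling thread */
#define SECCOMP_RET_ALLOW  0x7fff0000u

/* BPF jumps are forward-only relative offsets: from instruction `from` to `to`. */
static uint8_t jmp(size_t from, size_t to) { return (uint8_t)(to - from - 1); }

/* Build the arch filter into out (capacity 8); returns the instruction count.
 * Policy: native x86_64 allowed, x32 killed, i386 allowed only if allow_i386
 * (the hypothetical add_arch:i686 option), every other arch killed. */
size_t build_arch_filter(struct sock_filter *out, int allow_i386)
{
    size_t n = 0;
    size_t i386_idx  = 4;                    /* only present when allow_i386 */
    size_t allow_idx = allow_i386 ? 5 : 4;
    size_t kill_idx  = allow_idx + 1;

    /* 0: A = arch */
    out[n++] = (struct sock_filter){ BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, arch) };
    /* 1: native arch -> check for x32 at 2; otherwise i386 check or kill */
    out[n] = (struct sock_filter){ BPF_JMP | BPF_JEQ | BPF_K, 0,
                                   jmp(n, allow_i386 ? i386_idx : kill_idx), AUDIT_ARCH_X86_64 }; n++;
    /* 2: A = nr */
    out[n++] = (struct sock_filter){ BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, nr) };
    /* 3: x32 bit set -> kill, else allow */
    out[n] = (struct sock_filter){ BPF_JMP | BPF_JSET | BPF_K, jmp(n, kill_idx), jmp(n, allow_idx), X32_SYSCALL_BIT }; n++;
    if (allow_i386) {
        /* 4: reached only from 1's false branch, so A still holds arch */
        out[n] = (struct sock_filter){ BPF_JMP | BPF_JEQ | BPF_K, jmp(n, allow_idx), jmp(n, kill_idx), AUDIT_ARCH_I386 }; n++;
    }
    out[n++] = (struct sock_filter){ BPF_RET | BPF_K, 0, 0, SECCOMP_RET_ALLOW };
    out[n++] = (struct sock_filter){ BPF_RET | BPF_K, 0, 0, SECCOMP_RET_KILL };
    return n;
}

size_t filter_len(int allow_i386) { struct sock_filter p[8]; return build_arch_filter(p, allow_i386); }

/* Toy interpreter for the three opcode kinds used above (the kernel's BPF
 * engine does the same for real). Anything else fails closed. */
uint32_t run_filter(const struct sock_filter *f, size_t n, const struct seccomp_data *d)
{
    uint32_t A = 0;
    size_t pc = 0;
    while (pc < n) {
        const struct sock_filter *ins = &f[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (ins->k + sizeof A > sizeof *d) return SECCOMP_RET_KILL;
            memcpy(&A, (const char *)d + ins->k, sizeof A);
            pc++;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:  pc += 1 + (A == ins->k ? ins->jt : ins->jf); break;
        case BPF_JMP | BPF_JSET | BPF_K: pc += 1 + ((A & ins->k) ? ins->jt : ins->jf); break;
        case BPF_RET | BPF_K:            return ins->k;
        default:                         return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;
}

/* What the filter does to syscall `nr` issued under `arch`. */
uint32_t decide(int allow_i386, uint32_t arch, uint32_t nr)
{
    struct sock_filter prog[8];
    size_t n = build_arch_filter(prog, allow_i386);
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = (int)nr;
    d.arch = arch;
    return run_filter(prog, n, &d);
}

#ifdef __linux__
#include <sys/prctl.h>
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef PR_SET_SECCOMP
#define PR_SET_SECCOMP 22
#endif
struct sock_fprog { unsigned short len; struct sock_filter *filter; };
#endif

int main(int argc, char **argv)
{
    /* "add_arch:i686" on the command line stands in for the docker option. */
    int allow_i386 = argc > 1 && strcmp(argv[1], "add_arch:i686") == 0;
    struct sock_filter prog[8];
    size_t n = build_arch_filter(prog, allow_i386);
    printf("x86_64 exit -> %s\n", decide(allow_i386, AUDIT_ARCH_X86_64, 60) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    printf("x32 exit    -> %s\n", decide(allow_i386, AUDIT_ARCH_X86_64, 60 | X32_SYSCALL_BIT) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    printf("i386 exit   -> %s\n", decide(allow_i386, AUDIT_ARCH_I386, 1) == SECCOMP_RET_ALLOW ? "allow" : "kill");
#ifdef __linux__
    struct sock_fprog fp = { (unsigned short)n, prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || prctl(PR_SET_SECCOMP, 2 /* SECCOMP_MODE_FILTER */, &fp)) {
        perror("prctl");
        return 1;
    }
    puts("filter installed; only native x86_64 syscalls reach the kernel from here on");
#else
    (void)n;
#endif
    return 0;
}
```

Run it with and without `add_arch:i686` to see the i386 row flip from kill to allow; the x32 row stays killed in both cases, which is the point of checking the syscall-number bit rather than the arch field alone. A real runtime would stack this arch check in front of its per-syscall policy and would use libseccomp rather than hand-assembled BPF, but the arch dispatch it generates has the same shape.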