This PR proposes updates to the OCI runtime spec with
z/OS platform-specific details, including adding
namespaces, adding noNewPrivileges flag, and removing
devices. These changes are currently in use by the
IBM z/OS Container Platform (zOSCP) product - details
can be found here:
https://www.ibm.com/products/zos-container-platform.
Signed-off-by: Neil Johnson <najohnsn@us.ibm.com>
Signed-off-by: Kershaw Mehta <kershaw@us.ibm.com>
Correct `prestart` hook description in summary
It looks like the previous description was copied from the wrong line.
Update the `prestart (Deprecated)` hook's timing from being called
"after the start operation is invoked but before the user-specified command executes"
to "during the create operation, after the runtime environment is created and before pivot root or any equivalent operation."
Signed-off-by: Lei Wang <ssst0n3@gmail.com>
Most of these either redirect (so changing saves an extra redirect),
or have a TLS version available.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Description of execCPUAffinity.final said that if it's not set or empty,
the final affinity is the one of the container's cgroup. This was done
because we thought the kernel changes the process' CPU affinity to the one
of the cgroup. It's not the case.
To keep the runtime simple, it makes sense to not do anything if the
final affinity is not explicitly set. This change does just that.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Happy to still be brought into conversations, but do not want to slow
progress of the active maintainers.
🐐🧁🧡
Also, building out the EMERITUS from the past folks that have already
retired out of being maintainers.
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
This change adds Go v1.21 and v1.22 to the CI matrix and drops Go v1.19
and v1.20 since they will no longer be getting updates.
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
This change updates actions/checkout to v4, actions/setup-go to v5, and
golangci/golangci-lint-action to v4 to resolve NodeJS 16 deprecation
warnings in CI.
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
crun currently allows specifying an empty mapping for [r]idmap, defaulting
to the mappings specified for the container user namespace.
Change the specifications to allow such behavior.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Support for kernel-memory limits was deprecated in the kernel, and documented
as "NOT RECOMMENDED" (or "SHOULD NOT" use) in v1.1.0-rc.1 through commit
f02cd4a427.
This patch marks the field as deprecated in the Go implementation of the
spec, so that linters and editors produce a warning and consumers get
notified of its status.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Hooks.Prestart was deprecated in c1662686cf
(v1.0.2), but the field did not have a correctly formatted deprecation comment.
This patch updates the field's GoDoc to have a correctly formatted deprecation
comment, which will allow linters and IDEs to detect the deprecation status
of this feature.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Current documentation talks about bind/rbind and various propagation
flags (shared, slave, private, unbindable, etc.) as being
filesystem-specific options, and refers to the mount(8) section describing
filesystem-specific options.
That is wrong, because bind mounts are a separate class of mounts,
not related to file systems.
Fix the confusion, and link to sharedsubtree.txt kernel document
as it happens to be the best source of information about the topic
(not counting the kernel sources).
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>