On Tue, Jul 28, 2020 at 03:15:25PM -0400, Daniel Walsh wrote:
> On 7/28/20 11:32, Stefan Hajnoczi wrote:
> > On Tue, Jul 28, 2020 at 12:00:20PM +0200, Roman Mohr wrote:
> >> On Tue, Jul 28, 2020 at 3:07 AM misono.tomoh...@fujitsu.com <
> >> misono.tomoh...@fujitsu.com> wrote:
> >>
> >>>> Subject: [PATCH v2 3/3] virtiofsd: probe unshare(CLONE_FS) and print an
> >>> error
> >> "Just" pointing docker to a different seccomp.json file is something which
> >> k8s users/admin in many cases can't do.
> > There is a Moby PR to change the default seccomp.json file here but it's
> > unclear if it will be merged:
> > https://github.com/moby/moby/pull/41244
> >
> > Stefan
>
> Why not try Podman?

Absolutely, Podman allows unshare(2) in its default seccomp policy so it
does not have this problem.

I think Roman's point was mainly about the upstream user experience
where Docker is common.

Stefan