* Aleksa Sarai:

> As I mentioned in the runc thread[1], this is really down to Docker's
> default policy configuration. The EPERM-everything behaviour in OCI was
> inherited from Docker, and it boils down to not having an additional
> seccomp rule which does ENOSYS for unknown syscall numbers (Docker can
> just add the rule without modifying the OCI runtime-spec -- so it's
> something Docker can fix entirely on their own). I'll prepare a patch
> for Docker this week.

Appreciated, thanks.

> IMHO it's also slightly overkill to change the kernel API design
> guidelines in response to this issue.
>
> [1]: https://github.com/opencontainers/runc/issues/2151

Won't this cause Docker to lose OCI compliance? Or is the compliance
testing not that good?

Thanks,
Florian

--
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
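The "additional seccomp rule which does ENOSYS for unknown syscall numbers" that Aleksa describes, as an added example that is not code from this thread, from Docker or from runc. It builds two seccomp-BPF filters of the same allowlist-with-default-EPERM shape Docker's profile has: the legacy one answers EPERM for every syscall it does not list, so a number the running kernel has never implemented is indistinguishable from a policy denial and libc's "try the new syscall, fall back if ENOSYS" probing fails hard; the fixed one first maps every number above the highest one the policy knows about to ENOSYS and only then consults the allowlist. A small interpreter for the BPF subset used lets the policy be checked without installing it, and main() installs the chosen filter for real and probes three syscalls. Assumptions: MAX_KNOWN_NR is a placeholder for the highest syscall number in the profile author's table (a real profile would derive it from libseccomp); the allowlist is trimmed to what the demo process needs to report and exit; SYS_sched_yield plays the role of a known-but-denied syscall; x86_64 and aarch64 only.

```c
/* Added example, not code from the thread, Docker or runc: a legacy seccomp-BPF
 * allowlist that answers EPERM for everything else, next to the same allowlist
 * with an ENOSYS rule for unknown syscall numbers placed in front of it.
 * Linux only; build with: gcc -std=gnu11 -Wall -o seccomp_enosys seccomp_enosys.c */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL /* pre-4.14 headers */
#endif

/* Assumption: MAX_KNOWN_NR stands in for the highest syscall number in the profile
 * author's table; a real profile would take it from libseccomp, not hard-code it. */
#define MAX_KNOWN_NR 500
#define NELEM(a)     (sizeof(a) / sizeof((a)[0]))
#define RET_ERRNO(e) (SECCOMP_RET_ERRNO | ((e) & SECCOMP_RET_DATA))
#define LD_FIELD(f)  BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, f))
#define ALLOW_NR(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                     BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
/* Shared prologue: kill on a foreign ABI, then load the syscall number. */
#define PROLOGUE LD_FIELD(arch), \
                 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0), \
                 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS), \
                 LD_FIELD(nr)
/* Assumption: allowlist trimmed to what the demo needs to report and exit. */
#define ALLOWLIST ALLOW_NR(__NR_write), ALLOW_NR(__NR_exit_group), ALLOW_NR(__NR_getpid)

/* Legacy shape: anything the allowlist does not match gets EPERM, so a syscall the
 * running kernel does not even implement looks exactly like a policy denial. */
static struct sock_filter legacy_filter[] = {
    PROLOGUE, ALLOWLIST, BPF_STMT(BPF_RET | BPF_K, RET_ERRNO(EPERM)),
};
/* Fixed shape: numbers above the known table answer ENOSYS before any other rule;
 * everything at or below MAX_KNOWN_NR is still judged by the allowlist. */
static struct sock_filter fixed_filter[] = {
    PROLOGUE,
    BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, MAX_KNOWN_NR, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, RET_ERRNO(ENOSYS)),
    ALLOWLIST, BPF_STMT(BPF_RET | BPF_K, RET_ERRNO(EPERM)),
};

/* Interpreter for the BPF subset used above (LD arch/nr, JEQ, JGT, RET), mirroring
 * what the kernel does, so a policy can be checked without installing it. */
static unsigned decide(const struct sock_filter *prog, size_t len, unsigned arch, unsigned nr) {
    unsigned acc = 0;
    for (size_t pc = 0; pc < len;) {
        const struct sock_filter *in = &prog[pc++];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            acc = (in->k == offsetof(struct seccomp_data, arch)) ? arch : nr; break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (acc == in->k) ? in->jt : in->jf; break;
        case BPF_JMP | BPF_JGT | BPF_K: pc += (acc > in->k) ? in->jt : in->jf; break;
        case BPF_RET | BPF_K: return in->k;
        default: return SECCOMP_RET_KILL_PROCESS; /* opcode outside the subset */
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* fell off the end: the kernel rejects such programs */
}
/* errno the filter hands back for a native-ABI call: 0 for ALLOW, -1 for kill. */
static int errno_for(const struct sock_filter *prog, size_t len, unsigned nr) {
    unsigned r = decide(prog, len, NATIVE_ARCH, nr);
    if (r == SECCOMP_RET_ALLOW) return 0;
    return (r & SECCOMP_RET_ACTION) == SECCOMP_RET_ERRNO ? (int)(r & SECCOMP_RET_DATA) : -1;
}
int legacy_errno(unsigned nr) { return errno_for(legacy_filter, NELEM(legacy_filter), nr); }
int fixed_errno(unsigned nr)  { return errno_for(fixed_filter, NELEM(fixed_filter), nr); }

static int install(const struct sock_filter *prog, size_t len) {
    struct sock_fprog fp = { .len = (unsigned short)len, .filter = (struct sock_filter *)prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp);
}
/* Report with write(2) only: once the allowlist is live, stdio may not get through. */
static void probe(const char *label, long nr) {
    char buf[96];
    long r = syscall(nr);
    int n = snprintf(buf, sizeof buf, "%-8s nr=%ld -> %s\n", label, nr,
                     r == -1 ? strerror(errno) : "ok");
    if (write(1, buf, (size_t)n) < 0) _exit(2);
}
int main(int argc, char **argv) {
    int legacy = argc > 1 && strcmp(argv[1], "legacy") == 0;
    if (legacy ? install(legacy_filter, NELEM(legacy_filter))
               : install(fixed_filter, NELEM(fixed_filter))) { perror("seccomp"); return 1; }
    probe("allowed", __NR_getpid);
    probe("denied", __NR_sched_yield);   /* EPERM under both filters */
    probe("unknown", 999999);            /* legacy: EPERM; fixed: ENOSYS */
    _exit(0);
}
```

Run `./seccomp_enosys` for the fixed filter and `./seccomp_enosys legacy` for the old behaviour; only the "unknown" line differs between the two, which is the whole point: the fix is an ordering change in the filter, not a change to the list of permitted syscalls or to the runtime-spec format that carries it. When several filters are stacked (a container runtime's profile plus this one), the kernel runs the most recently installed filter first and keeps the first action of highest precedence, so the ENOSYS from an inner filter still surfaces even if an outer legacy profile would have said EPERM.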