
QM is a containerized environment for running Functional Safety QM (Quality Management) software
https://github.com/containers/qm
GNU General Public License v2.0

docs: What happens if a user decides to run stalld in the QM partition? (Not in the main partition) #428

Open dougsland opened 4 months ago

dougsland commented 4 months ago

Let's write a document explaining what happens (with an example of what really happens when trying to run it) and why we do not allow it.

Some context for the document:

sched_setattr() is the syscall that the stalld service uses behind the scenes. The QM container/partition won't allow its use via namespaces (seccomp), so if a program tries to use it (by calling the system call), it won't work; it will be blocked. However, if the sysadmin decides to run stalld in the main partition (let's assume on the host machine, not in the QM partition, which is a container running inside the host), it will work and can even read the files under the QM partition (/usr/lib/qm/rootfs).

You might ask: why did we do that? We followed the Risk Assessment team's requests.
See-Also:
seccomp: The use of SCHED_DEADLINE inside QM is not supported
https://github.com/containers/qm/issues/375
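
An added example, not part of the original issue and not the QM project's code: a small C probe that shows what a blocked sched_setattr() call looks like to the calling program. It assumes a stand-in seccomp filter that fails the syscall with EPERM (the action QM's real profile uses is not stated on this page), and the names `dl_attr`, `install_filter` and `probe_sched_setattr` are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

struct dl_attr {                 /* kernel struct sched_attr, version 0 (48 bytes) */
    uint32_t size, sched_policy;
    uint64_t sched_flags;
    int32_t  sched_nice;
    uint32_t sched_priority;
    uint64_t sched_runtime, sched_deadline, sched_period;
};

/* Assumed stand-in for the QM policy: sched_setattr fails with EPERM, everything
 * else is allowed. Demo filter for the native ABI only (no architecture check). */
static int install_filter(void) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_sched_setattr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Ask for SCHED_DEADLINE (policy 6) in a child process. Returns the errno the
 * child saw, 0 if the kernel accepted the request, -1 if the setup failed. */
int probe_sched_setattr(int with_filter) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct dl_attr a = { .size = sizeof a, .sched_policy = 6, .sched_runtime = 10000000,
                             .sched_deadline = 30000000, .sched_period = 30000000 };
        if (with_filter && install_filter()) _exit(255);
        _exit(syscall(SYS_sched_setattr, 0, &a, 0) == 0 ? 0 : errno);
    }
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st) || WEXITSTATUS(st) == 255) return -1;
    return WEXITSTATUS(st);
}
int main(void) {
    return printf("filtered: %d, unfiltered: %d\n", probe_sched_setattr(1), probe_sched_setattr(0)) < 0;
}
```

The unfiltered result depends on where the probe runs: without CAP_SYS_NICE the kernel itself returns EPERM, so only the filtered case isolates the seccomp decision.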