Passing the whole OCI spec from config.json straight through to the agent will not work, because not every part of it applies properly. We are in a virtualized context, so we have to limit what we hand to the agent.
Here is a list of things to do:
- [ ] `NEWNET` has to be removed from the libcontainer `config.Namespaces`
- [ ] As a consequence of the previous point, we should not provide anything through `config.Networks`
- [ ] The `config.Hooks` entry has to be `nil`
- [ ] The `config.Seccomp` entry has to be `nil`
- [ ] `config.NoNewKeyring` has to be `true`, since we don't want to force the kernel to support it
- [ ] `config.Mounts` has to be analyzed to remove unwanted mounts (TBD)
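As an added illustration (not code from this issue or the project), here is a Go filter that applies the checklist above to a libcontainer config before it reaches the agent. The types are reduced stand-ins for libcontainer's `configs.Config`, `configs.Namespace` and `configs.Mount` so the example compiles without importing runc, and the bind-mount rule in `main` is a constructed placeholder for the mount analysis that is still TBD.

```go
package main

import "fmt"

// Reduced stand-ins for the libcontainer types the checklist names; field
// names follow libcontainer, but only the fields the filter touches are kept.
type NamespaceType string
const NEWNET NamespaceType = "NEWNET"
type Namespace struct{ Type NamespaceType }
type Network struct{ Type string }
type Hooks struct{}
type Seccomp struct{}
type Mount struct{ Source, Destination, Device string }

type Config struct {
	Namespaces   []Namespace
	Networks     []*Network
	Hooks        *Hooks
	Seccomp      *Seccomp
	NoNewKeyring bool
	Mounts       []*Mount
}

// SanitizeForAgent applies the checklist to a copy of cfg. The mount policy
// is still TBD in the issue, so the caller supplies keepMount.
func SanitizeForAgent(cfg *Config, keepMount func(*Mount) bool) *Config {
	out := *cfg
	out.Namespaces, out.Mounts = nil, nil // rebuilt below from the filtered input
	for _, ns := range cfg.Namespaces {
		if ns.Type != NEWNET { // drop NEWNET, keep every other namespace
			out.Namespaces = append(out.Namespaces, ns)
		}
	}
	out.Networks, out.Hooks, out.Seccomp = nil, nil, nil // nothing to configure once NEWNET is gone
	out.NoNewKeyring = true // do not force the guest kernel to support keyrings
	for _, m := range cfg.Mounts {
		if keepMount(m) {
			out.Mounts = append(out.Mounts, m)
		}
	}
	return &out
}

func main() {
	cfg := &Config{Namespaces: []Namespace{{"NEWPID"}, {NEWNET}}, Hooks: &Hooks{},
		Mounts: []*Mount{{"proc", "/proc", "proc"}, {"/host/dir", "/data", "bind"}}}
	// Constructed placeholder policy: drop bind mounts until the real analysis exists.
	clean := SanitizeForAgent(cfg, func(m *Mount) bool { return m.Device != "bind" })
	fmt.Println(clean.Namespaces, len(clean.Mounts), clean.NoNewKeyring)
}
```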