mirror of
https://github.com/opencontainers/runc.git
synced 2026-04-24 08:35:53 +08:00
0079bee17f
This adds support for WaitKillableRecv seccomp flag (also known as SCMP_FLTATR_CTL_WAITKILL in libseccomp and as SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV in the kernel).

This requires:
- libseccomp >= 2.6.0
- libseccomp-golang >= 0.11.0
- linux kernel >= 5.19

Note that this flag does not make sense without NEW_LISTENER, and the kernel returns EINVAL when SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV is set but SECCOMP_FILTER_FLAG_NEW_LISTENER is not set.

For runc this means that .linux.seccomp.listenerPath should also be set, and some of the seccomp rules should have SCMP_ACT_NOTIFY action. This is why the flag is tested separately in seccomp-notify.bats.

At the moment the only adequate CI environment for this functionality is Fedora 43. On all other platforms (including CentOS 10 and Ubuntu 24.04) it is skipped similar to this:

> ok 251 runc run [seccomp] (SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV) # skip requires libseccomp >= 2.6.0 and API level >= 7 (current version: 2.5.6, API level: 6)

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
23 lines
815 B
Markdown
# Spec conformance

This branch of runc implements the [OCI Runtime Spec v1.3.0](https://github.com/opencontainers/runtime-spec/tree/v1.3.0)
for the `linux` platform.

## Architectures

The following architectures are supported:

runc binary  | seccomp
-------------|-------------------------------------------------------
`amd64`      | `SCMP_ARCH_X86`, `SCMP_ARCH_X86_64`, `SCMP_ARCH_X32`
`arm64`      | `SCMP_ARCH_ARM`, `SCMP_ARCH_AARCH64`
`armel`      | `SCMP_ARCH_ARM`
`armhf`      | `SCMP_ARCH_ARM`
`ppc64le`    | `SCMP_ARCH_PPC64LE`
`riscv64`    | `SCMP_ARCH_RISCV64`
`s390x`      | `SCMP_ARCH_S390`, `SCMP_ARCH_S390X`
`loong64`    | `SCMP_ARCH_LOONGARCH64`

The runc binary might be compilable for i386, big-endian PPC64,
and several MIPS variants too, but these architectures are not officially supported.
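
An added example, not part of runc or of the commit above: a small Go linter for the `linux.seccomp` section of a `config.json`. It checks the configured architectures against the table above and the dependency the commit message describes (the wait-killable flag needs `listenerPath` and at least one `SCMP_ACT_NOTIFY` rule). `LintSeccomp`, the sample config and the flag's spelling in `linux.seccomp.flags` are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"slices"
)

// Seccomp architectures per runc binary, copied from the table above.
var supported = map[string][]string{
	"amd64":   {"SCMP_ARCH_X86", "SCMP_ARCH_X86_64", "SCMP_ARCH_X32"},
	"arm64":   {"SCMP_ARCH_ARM", "SCMP_ARCH_AARCH64"},
	"armel":   {"SCMP_ARCH_ARM"}, "armhf": {"SCMP_ARCH_ARM"},
	"ppc64le": {"SCMP_ARCH_PPC64LE"}, "riscv64": {"SCMP_ARCH_RISCV64"},
	"s390x":   {"SCMP_ARCH_S390", "SCMP_ARCH_S390X"}, "loong64": {"SCMP_ARCH_LOONGARCH64"},
}
// Assumption: linux.seccomp.flags spells the flag like the kernel constant.
const waitKill = "SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV"
// Constructed sample config.json fragment, not taken from runc.
const sample = `{"linux":{"seccomp":{"architectures":["SCMP_ARCH_X86_64"],"flags":["` + waitKill + `"]}}}`
type rule struct{ Action string }
type seccomp struct {
	Architectures, Flags []string
	ListenerPath         string
	Syscalls             []rule
}

// LintSeccomp is a hypothetical helper, not runc code; it returns findings.
func LintSeccomp(raw []byte, binArch string) (out []string, err error) {
	var c struct{ Linux struct{ Seccomp seccomp } }
	if err = json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	s := c.Linux.Seccomp
	for _, a := range s.Architectures {
		if !slices.Contains(supported[binArch], a) {
			out = append(out, a+" is not listed for the "+binArch+" runc binary")
		}
	}
	wk := slices.Contains(s.Flags, waitKill)
	if wk && s.ListenerPath == "" { // the kernel returns EINVAL without NEW_LISTENER
		out = append(out, waitKill+" requires linux.seccomp.listenerPath")
	}
	if wk && !slices.ContainsFunc(s.Syscalls, func(r rule) bool { return r.Action == "SCMP_ACT_NOTIFY" }) {
		out = append(out, waitKill+" is set but no rule uses SCMP_ACT_NOTIFY")
	}
	return out, nil
}

func main() { fmt.Println(LintSeccomp([]byte(sample), "arm64")) }
```

The findings are lint results only; whether a given runc build accepts the flag still depends on the libseccomp and kernel versions listed in the commit message.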