For simple testing of containers via `ctr run`, there should be an easy way to run without "NoNewPrivileges: true" in the OCI spec. Right now it defaults to true in all containerd default configs on Linux, even though via Docker and via the CRI plugin it is set to false.
Either we should also default to false, or, if we want the additional default security, give a way for it to be turned off via flag.
Opinions? @containerd/containerd-maintainers