Build succeeded.

• containerd-build-arm64 : SUCCESS in 5m 21s (non-voting)

Currently, there is no provision to pass a custom seccomp profile using the containerd CLI (ctr).

The current PR introduces a new flag to ctr container create command: seccomp-profile
seccomp must be set to true in order to use this flag [This is to maintain backward compatibility]

1. Tested this on a ubuntu 18.04.3.

$ ctr container create --help

   --seccomp                 enable the default seccomp profile
   --seccomp-profile value   file path to custom seccomp profile. seccomp must be set to true, before using seccomp-profile

2. Saved the default seccomp profile provided by docker at /opt/seccomp/seccomp.json

Removed chmod syscall from /opt/seccomp/seccomp.json

3. Create the container

ctr container create --seccomp=true --seccomp-profile="/opt/seccomp/seccomp.json" docker.io/library/redis:alpine redis

4. Start the task

ctr task start redis

5. Exec into the container, and check if Seccomp is enabled, and verify you cannot chmod.

root@vagrant:~/go/src/github.com/containerd# ctr task exec -t --exec-id 123 redis /bin/sh
/data # cat /proc/1/status|grep Seccomp
Seccomp:	2
/data # touch hello.txt
/data # ls -lt
total 0
-rw-r--r--    1 root     root             0 Sep  2 23:02 hello.txt
/data # chmod 0755 hello.txt
chmod: hello.txt: Operation not permitted
/data #

ping @cpuguy83 We discussed this briefly on slack.

Build succeeded.

• containerd-build-arm64 : SUCCESS in 5m 20s (non-voting)