Add flag to ctr for running with NoNewPrivileges: false

Add flag and With-helper to set NoNewPrivileges to false since it is on by default in the default UNIX spec for containerd, but off by default in Docker and CRI plugin use. This allows for easy testing with it off for comparison. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2018-09-14 11:03:58 -04:00
parent 05984a966d
commit c28ce39cea
3 changed files with 15 additions and 0 deletions
--- a/cmd/ctr/commands/commands.go
+++ b/cmd/ctr/commands/commands.go
@@ -124,6 +124,10 @@ var (
 			Name:  "gpus",
 			Usage: "add gpus to the container",
 		},
+		cli.BoolFlag{
+			Name:  "allow-new-privs",
+			Usage: "turn off OCI spec's NoNewPrivileges feature flag",
+		},
 	}
 )