Pre-open directories and other capabilities #266
Labels
enhancement
New feature or request
Comments
|
discussion with some historical context in https://cloud-native.slack.com/archives/C04LTPB6Z0V/p1692799401937929 Is this another area where having specific wasi runtime configuration might be helpful? |
This was referenced Sep 18, 2023
|
related: spinkube/containerd-shim-spin#108 see @jsturtevant comment at the bottom |
|
This might be shim specific and we want to provide some guidance on how to do it |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In this Slack conversation and #265, we have started to discuss the fact that we are pre-opening the container root filesystem (fs) to the Wasm guest application. Pre-opening the root fs for use by the guest Wasm app is intended to enable users to build Wasm apps that feel more like the apps they know and love running in containers.
The default for many Wasm runtimes is to offer the guest no capabilities. This least privileged approach is one of the key features of Wasm.
We may want to reconsider pre-opening the container root fs in the future. Perhaps, we can replace the default behavior with a user specified behavior, opt'ing in to the pre-open. Additionally, we may also want to consider how other capabilities could be expressed by the user.
The text was updated successfully, but these errors were encountered: