summaryrefslogtreecommitdiff
path: root/pkg/spec
diff options
context:
space:
mode:
Diffstat (limited to 'pkg/spec')
-rw-r--r--pkg/spec/spec.go8
1 files changed, 7 insertions, 1 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index c2c5e0900..0d953ff6f 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -268,7 +268,9 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
// SECURITY OPTS
g.SetProcessNoNewPrivileges(config.NoNewPrivs)
- g.SetProcessApparmorProfile(config.ApparmorProfile)
+ if !config.Privileged {
+ g.SetProcessApparmorProfile(config.ApparmorProfile)
+ }
blockAccessToKernelFilesystems(config, &g)
@@ -355,6 +357,10 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
if addedResources && !cgroup2 {
return nil, errors.New("invalid configuration, cannot set resources with rootless containers not using cgroups v2 unified mode")
}
+ if !cgroup2 {
+ // Force the resources block to be empty instead of having default values.
+ configSpec.Linux.Resources = &spec.LinuxResources{}
+ }
}
// Make sure that the bind mounts keep options like nosuid, noexec, nodev.