Umbrella: youki spec vs runc spec generated config differences

[nayuta723]

Overview

youki spec and runc spec generate different default config.json values in several fields. Some differences are intentional and spec-correct (e.g. terminal), but others may have security or compatibility implications.

This umbrella issue tracks the investigation and resolution of each discrepancy.

Background

When comparing the output of runc spec (via libcontainer/specconv/example.go) against youki spec (via oci-spec crate Spec::default()), the following differences were identified:

Field	runc spec	youki spec
process.terminal	true	false
process.capabilities.inheritable	not set	[CAP_AUDIT_WRITE, CAP_KILL, CAP_NET_BIND_SERVICE]
process.capabilities.ambient	not set	[CAP_AUDIT_WRITE, CAP_KILL, CAP_NET_BIND_SERVICE]
linux.resources.devices	[{allow: false, access: "rwm"}]	[] (empty)
linux.namespaces (cgroup)	added only when cgroupv2	always included

Tracked Items

• process.terminal default — runc generates true, youki generates false. OCI spec defines default as false, so youki is correct. Decide whether to document this intentional difference or align with runc for usability.

  • Related: Discussion: terminal field default value differs between runc spec and youki spec #3559

• process.capabilities.inheritable and ambient not set by default — runc deliberately omits these from the generated spec. Having inheritable capabilities allows them to be inherited across execve, and ambient capabilities can be retained when executing setuid binaries. youki uses oci-spec crate's LinuxCapabilities::default() which sets both. This is a potential security concern and is also related to the youki exec failure bug.

  • Related: [Bug]: failed to drop capabilities in youki exec #3434

• linux.resources.devices default deny rule — runc includes {allow: false, access: "rwm"} to deny all device access by default, with individual allows added per device. youki generates an empty list, leaving device access unrestricted in the generated config.

• linux.namespaces cgroup namespace — conditional vs unconditional — runc only adds the cgroup namespace when cgroupv2 is detected (cgroups.IsCgroup2UnifiedMode()). youki always includes it via get_default_namespaces(). On cgroupv1 kernels older than 4.6, this could cause issues.

Related Issues

• [Bug]: failed to drop capabilities in youki exec #3434 — youki exec fails with "failed to drop capabilities" when inheritable is set (directly triggered by the inheritable/ambient default difference)
• Investigate validation differences between youki and runc #3553 — Validation differences between youki and runc (missing validation for capabilities bounding set vs inheritable)
• Discussion: terminal field default value differs between runc spec and youki spec #3559 — Discussion: terminal default value