From 3e79c75d1f85c1328045b588328c17aefcd48415 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Thu, 19 Nov 2020 09:29:51 -0500
Subject: [PATCH] Add support for enabling/disabling kernel keyring in engines

Signed-off-by: Daniel J Walsh
---
 docs/containers.conf.5.md | 7 ++++++-
 pkg/config/config.go | 4 ++++
 pkg/config/containers.conf | 10 +++++++---
 pkg/config/default.go | 1 +
 4 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/docs/containers.conf.5.md b/docs/containers.conf.5.md
index bb9f14b7a..7a8e6b8fc 100644
--- a/docs/containers.conf.5.md
+++ b/docs/containers.conf.5.md
@@ -164,9 +164,14 @@ Options are:
 `private` Create private IPC Namespace for the container.
 `host` Share host IPC Namespace with the container.
 
+**keyring**=true
+
+Indicates whether the container engines create a kernel keyring for use within
+the container.
+
 **label**=true
 
-Indicates whether the container engines use MAC(SELinux) container separation via via labeling. Flag is ignored on disabled systems.
+Indicates whether the container engine uses MAC(SELinux) container separation via labeling. This option is ignored on disabled systems.
 
 **log_driver**="k8s-file"
 
diff --git a/pkg/config/config.go b/pkg/config/config.go
index c6a9a660e..2769781f2 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -113,6 +113,10 @@ type ContainersConfig struct {
 	// DNSSearches set default DNS search domains.
 	DNSSearches []string `toml:"dns_searches,omitempty"`
 
+	// EnableKeyring tells the container engines whether to create
+	// a kernel keyring for use within the container
+	EnableKeyring bool `toml:"keyring,omitempty"`
+
 	// EnableLabeling tells the container engines whether to use MAC
 	// Labeling to separate containers (SELinux)
 	EnableLabeling bool `toml:"label,omitempty"`
diff --git a/pkg/config/containers.conf b/pkg/config/containers.conf
index e8519b251..ed7c91931 100644
--- a/pkg/config/containers.conf
+++ b/pkg/config/containers.conf
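Review bot: The doc comment on the new EnableKeyring field says when a keyring is created but not what the container gets when the option is false, which is the part an operator weighing an isolation trade-off needs; the containers.conf comment and the man-page entry in the other two hunks have the same gap. If, as with runc's NoNewKeyring setting, disabling it means the container shares the keyring of the process that started it, the comment should say so and name the default, e.g. `// EnableKeyring tells the container engines whether to create a kernel keyring for use within the container (default true); when false the container may share the invoking process's session keyring — confirm against the runtime.` Separately, `toml:"keyring,omitempty"` drops an explicit `keyring = false` whenever the struct is re-encoded, so with a true default a round-tripped config would silently re-enable the keyring; this mirrors the existing EnableLabeling tag and may be a deliberate convention, but it is worth a comment. The ContainersConfig struct continues outside the hunk.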
@@ -146,9 +146,13 @@ default_sysctls = [
 #
 # ipcns = "private"
 
-# Flag tells container engine to whether to use container separation using
-# MAC(SELinux)labeling or not.
-# Flag is ignored on label disabled systems.
+# keyring tells the container engine whether to create
+# a kernel keyring for use within the container.
+# keyring = true
+
+# label tells the container engine whether to use container separation using
+# MAC(SELinux) labeling or not.
+# The label flag is ignored on label disabled systems.
 #
 # label = true
 
diff --git a/pkg/config/default.go b/pkg/config/default.go
index 29eb3c3a0..4f1460e3b 100644
--- a/pkg/config/default.go
+++ b/pkg/config/default.go
@@ -177,6 +177,7 @@ func DefaultConfig() (*Config, error) {
 	DNSServers: []string{},
 	DNSOptions: []string{},
 	DNSSearches: []string{},
+	EnableKeyring: true,
 	EnableLabeling: selinuxEnabled(),
 	Env: []string{
 	"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
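Review bot: EnableKeyring defaults to true on the added line, and nothing in the commit pins that default or the `keyring` TOML key — the diffstat lists no test file. A short assertion in the package's config tests, if it has them, that DefaultConfig() yields EnableKeyring true and that a config containing `keyring = false` parses to false would guard the key name against drift between the struct tag, the containers.conf comment and the man page. Defaulting to true presumably preserves the pre-patch behaviour of always creating a keyring; if that is the intent, a comment such as `// Keep the pre-option behaviour: a keyring is created unless explicitly disabled.` on this line would make the choice explicit. DefaultConfig's body continues outside the hunk.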