contrib/cmd/memfd-bind: Mention runc-dmz needs RUNC_DMZ=true

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
opencontainers · Feb 2, 2024 · eb67815 · eb67815
1 parent 17df91b
commit eb67815
Showing 1 changed file with 6 additions and 6 deletions.
diff --git a/contrib/cmd/memfd-bind/README.md b/contrib/cmd/memfd-bind/README.md
@@ -36,12 +36,12 @@ much memory usage they can use:
 
 * `runc-dmz` is (depending on which libc it was compiled with) between 10kB and
   1MB in size, and a copy is created once per process spawned inside a
-  container by runc (both the pid1 and every `runc exec`). There are
-  circumstances where using `runc-dmz` will fail in ways that runc cannot
-  predict ahead of time (such as restrictive LSMs applied to containers), in
-  which case users can disable it with the `RUNC_DMZ=legacy` setting.
-  `runc-dmz` also requires an additional `execve` over the other options,
-  though since the binary is so small the cost is probably not even noticeable.
+  container by runc (both the pid1 and every `runc exec`). The `RUNC_DMZ=true`
+  environment variable needs to be set to opt-in. There are circumstances where
+  using `runc-dmz` will fail in ways that runc cannot predict ahead of time (such
+  as restrictive LSMs applied to containers).  `runc-dmz` also requires an
+  additional `execve` over the other options, though since the binary is so small
+  the cost is probably not even noticeable.
 
 * The classic method of making a copy of the entire `runc` binary during
   container process setup takes up about 10MB per process spawned inside the