keyring configuration

[cyphar]

With runC we have a special flag for runc run that enables/disables the creation of a new kernel keyring. The main reason we have the option is that older kernels had issues with allocating a lot of keyrings (so in order to run containers on old kernels you need to disable the creation of a new keyring).

However, while keyrings aren't containerised on Linux, maybe it makes sense for us to include some keyring information in config-linux?

[tianon]

@cyphar do you think this is something we'd be safe to think/discuss about post-1.0? (it sounds like it's something that'd be fine to add in a 1.1, for example)

[cyphar]

Yeah, this would be post-1.0. As an aside, it looks like there's some (worrying) move to namespace these as well as a few other things in a pretty insane way.

[justincormack]

See proposal in #950