Make it clear that if a runtime cannot set up an environment that
*precisely* matches the config.json provided, it must generate an error.
This is important because not doing this can cause security issues.
Signed-off-by: Aleksa Sarai <asarai@suse.de>

The cgroup namespace is a new kernel feature available in 4.6+ that
allows a container to isolate its cgroup hierarchy. This currently only
allows for hiding information from /proc/self/cgroup, and mounting
cgroupfs as an unprivileged user. In the future, this namespace may
allow for subtree management by a container.
Signed-off-by: Aleksa Sarai <asarai@suse.de>

In the degenerate case where the container does not create a user
namespace, the "container namespace" distinction is unimportant, but
the phrasing is still accurate (the container and runtime namespaces
are the same).
Signed-off-by: W. Trevor King <wking@tremily.us>

When this repo was only 'specs', then the generic name was not so bad.
But now there is also the oci-image-spec, so this lines up its unique
name as well.
This also variablizes the output filename so it will be easier for
release specific names.
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>

The shorter-than-normal (for the rest of this list) indent landed with
the line in be594153 (Split create and start, 2016-04-01, #384).
Signed-off-by: W. Trevor King <wking@tremily.us>

Restore the line removed by be594153 (Split create and start,
2016-04-01, #384). Without this, GitHub renders the list as a single
paragraph.
Signed-off-by: W. Trevor King <wking@tremily.us>

This wording is descended from 7117ede7 (Expand on the definition of
our ops, 2015-10-13, #225), but the idea is covered generically by
e53a72b (Clarify the operation is not for command-line api,
2016-05-24, #450), so we no longer need a create-specific note.
Especially in the lifecycle docs, where there's already enough going
on without this low-level detail.
Signed-off-by: W. Trevor King <wking@tremily.us>

The README title is:

    Open Container Runtime Specification

And the config.md title is:

    Container Configuration file

The JSON Schema covering that configuration file should have a
description that combines those two titles without introducing new
language.
Signed-off-by: W. Trevor King <wking@tremily.us>

Use wording from config.md, since the JSON Schema doesn't seem like a
good place to be picking new words.
Signed-off-by: W. Trevor King <wking@tremily.us>

The user-namespace restriction isn't about the root filesystem in
particular. For example, if you bind mount in a second filesystem,
the runtime shouldn't adjust ownership on that filesystem either.
I've also adjusted the old "permissions" to "ownership", since that
more clearly reflects the fields (user and group) that you would
modify if you wanted to adjust for user namespacing.
Signed-off-by: W. Trevor King <wking@tremily.us>

This has been stale since cb2da543 (config: Single, unified config
file, 2015-12-28, #284), when we dropped the attempt to distinguish
between platform-independent and platform-dependent configuration.
Signed-off-by: W. Trevor King <wking@tremily.us>