The:
"type": [
"string"
]
syntax added in 652323cd (improve seccomp format to be more
expressive, 2017-01-13, #657) is not valid:
$ ./validate ./config-schema.json <../config.json
The document is not valid. see errors :
- linux.seccomp.syscalls.0.names: Invalid type. Expected: string, given: array
Signed-off-by: W. Trevor King <wking@tremily.us>
I expect the lifecycle information was removed accidentally in
be594153 (Split create and start, 2016-04-01, #384), because for a
time it seemed like that PR would also be removing hooks. Putting the
lifecycle information back in, I made some tweaks to adjust to the new
environment, for example:
* Put the pre-start hooks after the 'start' call, but before the meat
of the start call (the container-process exec trigger). Folks who
want a post-create hook can add one with that name. I'd like to
have renamed poststop to post-delete to avoid confusion like [1].
But the motivation for keeping hooks was backwards compatibility [2]
so I've left the name alone.
* Put each "...command is invoked..." lifecycle entry in its own list
entry, to match the 'create' list entry.
* Move the rules about what happens on hook failure into the
lifecycle. This matches pre-split entries like:
If any prestart hook fails, then the container MUST be stopped and
the lifecycle continues at step 7.
and avoids respecifying that information in a second location
(config.md).
* I added the warning section to try and follow post-split's generic
"generates an error" approach while respecting the pre-split desire
to see what failed (we had "then an error including the exit code
and the stderr is returned to the caller" and "then an error is
logged").
* I left the state 'id' context out, since Michael didn't want it [3].
* Make runtime.md references to "generate an error" and "log a
warning" links, so readers have an easier time finding more detail
on that wording.
Where I reference a section, I'm still using the auto-generated anchor
for that header and not the anchors which were added in 41839d7 (Merge
pull request #707 from mrunalp/anchor_tags, 2017-03-03) and similar.
Mrunal suggested that the manually-added anchors were mainly intended
for the validation tooling [4].
[1]: https://github.com/opencontainers/runtime-spec/pull/395
Subject: Run post-stop hooks before the container sandbox is deleted.
[2]: https://github.com/opencontainers/runtime-spec/pull/483#issuecomment-240568422
Subject: *: Remove hooks
[3]: https://github.com/opencontainers/runtime-spec/pull/532#discussion_r99232480
Subject: Restore hook language removed by create/start split
[4]: http://ircbot.wl.linuxfoundation.org/eavesdrop/%23opencontainers/%23opencontainers.2017-03-03.log.html#t2017-03-03T18:02:12
Signed-off-by: W. Trevor King <wking@tremily.us>
This partially revert #648 , after a second thought, I think we
should use specs value the same as kernel API input, see:
https://github.com/opencontainers/runtime-spec/issues/692#issuecomment-281889852
For memory and hugetlb limits *.limit_in_bytes, cgroup APIs take the values
as string, but the parsed values are unsigned long, see:
https://github.com/torvalds/linux/blob/v4.10/mm/page_counter.c#L175-L193
For `cpu.cfs_quota_us` and `cpu.rt_runtime_us`, cgroup APIs take the input
value as signed long long, while `cpu.cfs_period_us` and `cpu.rt_periof_us`
take the input value as unsigned long long.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
These are optional on multiple platforms and should be left up to the
runtime/host system for validation.
Closes#470
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
So that the semantics of the tags are clear.
The platform/protocol disconnect is unfortunate. "Protocol" was
chosen in de3f1af6 (Remove language around Solaris being optional as
it is covered in compliance language, 2016-08-17, #527) because we may
have compliance subsets that aren't linked to platforms [1]. I'd be
open to renaming the JSON tag from platform:"..." -> protocol:"...",
but that's probably more change than it's worth. The approach taken
in this commit, on the other hand, renames "protocol" to "platform".
I think that unnecessarily limits (or sets up confusing semantics for)
the platform/protocol values you can use, but two maintainers both
prefer "platform" [2,3].
[1]: https://github.com/opencontainers/runtime-spec/pull/527#issuecomment-238979250
[2]: https://github.com/opencontainers/runtime-spec/pull/570#discussion_r99227202
[3]: https://github.com/opencontainers/runtime-spec/pull/570#discussion_r100013014
Signed-off-by: W. Trevor King <wking@tremily.us>
We'll be referring to these in code, and using a slug everywhere
avoids having to define both a slug form (linux) and an English form
(Linux containers).
Signed-off-by: W. Trevor King <wking@tremily.us>
this commit contains:
* add explicit usage message to validate
* schemaPath was overrided by filepath.Abs(), schemaLoader would not get
* the abs path.
* check local scheme and document file path with os.Stat()
Signed-off-by: Deng Guangxing <dengguangxing@huawei.com>
W. Trevor King
Michael Crosby
Jesse Butler
Mrunal Patel
Mrunal Patel
zhouhao
Qiang Huang
grantseltzer
Ma Shimiao
Vincent Batts
Deng Guangxing