Commit Graph

933 Commits

Author SHA1 Message Date
Vincent Batts f3fdf03a59 Makefile: prefer bash
https://github.com/opencontainers/runtime-spec/issues/454

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2016-05-25 08:20:03 -04:00
Vincent Batts 23bf8e9519 Merge pull request from wking/host-pandoc
Makefile: Fix native pandoc invocation
2016-05-25 08:15:26 -04:00
Mrunal Patel 878fac1f30 Merge pull request from wking/do-not-modify-filesystem-owners
config-linux: Make “don't modify filesystem permissions” generic
2016-05-24 15:18:46 -07:00
Mrunal Patel d359ff3189 Merge pull request from wking/spec-not-platform-independent
specs-go/config: Drop platform-independent comment
2016-05-24 15:18:01 -07:00
W. Trevor King f830d50a52 config-linux: Make "don't modify filesystem permissions" generic
The user-namespace restriction isn't about the root filesystem in
particular.  For example, if you bind mount in a second filesystem,
the runtime shouldn't adjust ownership on that filesystem either.

I've also adjusted the old "permissions" to "ownership", since that
more clearly reflects the fields (user and group) that you would
modify if you wanted to adjust for user namespacing.

Signed-off-by: W. Trevor King <wking@tremily.us>
2016-05-24 14:27:38 -07:00
W. Trevor King 1fa80d2ca6 specs-go/config: Drop platform-independent comment
This has been stale since cb2da543 (config: Single, unified config
file, 2015-12-28, ), when we dropped the attempt to distinguish
between platform-independent and platform-dependent configuration.

Signed-off-by: W. Trevor King <wking@tremily.us>
2016-05-24 14:18:53 -07:00
Michael Crosby 3a386261e9 Merge pull request from hqhq/hq_specify_operation
Clarify the operation is not for command-line api
2016-05-24 13:32:04 -07:00
Qiang Huang e53a72b7c9 Clarify the operation is not for command-line api
Replace: https://github.com/opencontainers/runtime-spec/pull/447

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-05-24 15:12:36 +08:00
Qiang Huang e5be0f8813 Add dev symbolic links in runtime_linux.md
This is adapted from:
https://github.com/opencontainers/runc/blob/master/libcontainer/SPEC.md

Addresses: https://github.com/opencontainers/runc/issues/760

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-05-24 15:05:08 +08:00
Qiang Huang 9266b239f7 Use RFC_2119 style for runtime_linux.md
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-05-24 14:43:30 +08:00
W. Trevor King 2e2073b362 Makefile: Fix native pandoc invocation
In dc9daf9 (Makefile: Replace vbatts/pandoc with a PANDOC variable
2016-05-06, ) I'd misunderstood vbatts/pandoc as a call to a
locally-installed pandoc, when it's actually the name of a Docker
image [1,2].  With this commit, we prefer a local pandoc if one
exists, fall back to Docker and vbatts/pandoc if a local 'docker'
exists, and raise an error if neither 'pandoc' nor 'docker' exist.

[1]: https://github.com/opencontainers/runtime-spec/pull/440
[2]: https://github.com/opencontainers/runtime-spec/pull/428#discussion_r63987603

Reported-by: Qiang Huang <h.huangqiang@huawei.com>
Reported-by: Lai Jiangshan <jiangshanlai@gmail.com>
Signed-off-by: W. Trevor King <wking@tremily.us>
2016-05-23 22:34:04 -07:00
W. Trevor King 633f7cf957 Makefile: Hide stderr for 'command -v' calls
Don't spam people with:

  make: command: Command not found

Signed-off-by: W. Trevor King <wking@tremily.us>
2016-05-23 22:31:42 -07:00
Michael Crosby b30d97eca0 Merge pull request from hqhq/hq_move_out_error
Move errors section out of operations
2016-05-23 13:00:52 -07:00
Michael Crosby 8a9d9733a1 Merge pull request from hqhq/hq_use_RFC2119_config
Use RFC_2119 style for config.md
2016-05-23 12:53:28 -07:00
Vincent Batts 19789640f5 Merge pull request from hqhq/hq_link_license
Reference LICENSE file to keep consistency with others
2016-05-23 15:24:31 -04:00
Qiang Huang 95f106ed9d Remove one JSON related MUST requirement
JSON is not a mandatory format, we should not use MUST
requirement on this.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-05-23 16:13:53 +08:00
Qiang Huang 6d879c81d5 Move errors section out of operations
The `Errors` section is more like a general description about
runtime, if it's a sub-section of `Operations`, it'll be hard
for both implementations and tests to define what this
`errors` operation really is.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-05-23 15:48:20 +08:00
Qiang Huang bf9b050790 Use RFC_2119 style for config.md
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-05-23 14:30:06 +08:00
Qiang Huang e137488722 Reference LICENSE file to keep consistency with others
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-05-23 09:19:34 +08:00
Mrunal Patel 173b7e2b09 Merge pull request from wking/runtime-os-compatibility
config: Clarify MUST for platform.os and .arch
2016-05-20 11:19:22 -07:00
W. Trevor King 35b0e9ee8c config: Clarify MUST for platform.os and .arch
The old platform.os text had two MUST conditions.  The first could
have been read "the runtime MUST generate an error if invoked with a
config.json whose platform.os is incompatible with the host platform"
(which is the direction I'm going with this commit).  However, it
could also have been read "the bundle-validator MUST generate an error
if platform.os is incompatible with the bundle's other content (e.g.
'linux' in platform.os, but only Windows binaries in the bundle's
rootfs)".

For the second MUST, I doubt we want to require a compliant runtime
support all Go architectures itself.  And there is a benefit to
pointing runtime/bundle authors at the Go set, but not much benefit in
making that a hard limit [1,2].  The rewording here follows [2] in
acknowledging that process.arch-matching is something that the config
author and runtime caller have to sort out between themselves and
pointing them at the Go docs and a registration process to avoid
fragmenting the community.

[1]: https://github.com/opencontainers/image-spec/pull/29
[2]: https://github.com/opencontainers/image-spec/pull/60

Signed-off-by: W. Trevor King <wking@tremily.us>
2016-05-20 00:02:58 -07:00
Mrunal Patel 5d27f3aa0d Merge pull request from RobDolinMS/patch-2
[Config] Capitalize MUST in config.md
2016-05-19 18:12:50 -07:00
Mrunal Patel d8d0bc6f60 Merge pull request from RobDolinMS/patch-1
[Config] Mount destinations MUST NOT be nested in Windows
2016-05-19 07:33:33 -07:00
Rob Dolin (MSFT) 035713e3bf [Config] Capitalize MUST in config.md
"must" --> "MUST" for RFC 2119 compliance

This replaces PR  which required a rebase

Signed-off-by: Rob Dolin <RobDolin@microsoft.com>
2016-05-18 11:22:48 -07:00
Rob Dolin (MSFT) bef035ce49 [Config] Mount destinations MUST NOT be nested in Windows
This was raised during reviews with folks working on Windows Containers.  

This squashes commits from PR 

Signed-off-by: Rob Dolin <RobDolin@microsoft.com>
2016-05-18 11:04:55 -07:00
Michael Crosby 4436094090 Merge pull request from wking/optional-start-validation
runtime: Explicitly allow 'start' to not validate config.json
2016-05-18 10:30:56 -07:00
Mrunal Patel 7cdb70fc35 Merge pull request from wking/remove-solaris-from-full-config
config.md: Remove 'solaris' from full example
2016-05-18 10:09:59 -07:00
Mrunal Patel 3220f194cf Merge pull request from wking/roadmap-cleanup
ROADMAP: Remove stale targets (landed PRs, image-spec, ocitools, etc.)
2016-05-18 07:12:35 -07:00
W. Trevor King a044e07006 config.md: Remove 'solaris' from full example
This should have been part of 759ee79c (config: Add
platform-specific entry for 'solaris', 2016-05-06, ), since
the example has platform.os set to 'linux'.

There was some (brief) discussion of this point before the 'solaris'
section landed [1], but the "should only be set if" wording landed in
parallel via b373a15 (config: Split platform-specific configuration
into its own section, 2016-05-02, ), and I'd forgotten to go back
and apply that logic to .

Having a full Solaris example would be useful, but I think it should
be a separate, Solaris-only example.

[1]: https://github.com/opencontainers/runtime-spec/pull/411#discussion_r61621001

Signed-off-by: W. Trevor King <wking@tremily.us>
2016-05-15 23:05:53 -07:00
W. Trevor King 23e03f9de3 ROADMAP: Remove stale targets (landed PRs, image-spec, ocitools, etc.)
# digest/hashing target

Most of this has spun off with [1], and I haven't heard of anyone
talking about verifying the on-disk filesystem in a while.  My
personal take is on-disk verification doesn't add much over serialized
verification unless you have a local attacker (or unreliable disk),
and you'll need some careful threat modeling if you want to do
anything productive about the local attacker case.  For some more
on-disk verification discussion, see the thread starting with [2].

# distributable-format target

This spun off with [1].

# lifecycle target

I think this is resolved since 7713efc1 (Add lifecycle for containers,
2015-10-22, ), which was committed on the same day as the ROADMAP
entry (4859f6da, Add initial roadmap, 2015-10-22, ).

# container-action target

Addressed by 7117ede7 (Expand on the definition of our ops,
2015-10-13, ), although there has been additional discussion in
a7a366b3 (Remove exec from required runtime functionalities,
2016-04-19, ) and 0430aaf1 (Split create and start, 2016-04-01,
).

# validation and testing targets

Validation is partly covered by cdcabdeb (schema: JSON Schema and
validator for `config.json`, 2016-01-19, ) and subsequent JSON
Schema work.  The remainder of these targets are handled by ocitools
[3].

# printable/compiled-spec target

The bulk of this was addressed by 4ee036fc (*: printable documents,
2015-12-09, ).  Any remaining polishing of that workflow seems
like a GitHub-issue thing and not a ROADMAP thing.  And publishing
these to opencontainers.org certainly seems like it's outside the
scope of this repository (although I think that such publishing is a
good idea).

[1]: https://github.com/opencontainers/image-spec
[2]: https://groups.google.com/a/opencontainers.org/d/msg/dev/xo4SQ92aWJ8/NHpSQ19KCAAJ
     Subject: OCI Bundle Digests Summary
     Date: Wed, 14 Oct 2015 17:09:15 +0000
     Message-ID: <CAD2oYtN-9yLLhG_STO3F1h58Bn5QovK+u3wOBa=t+7TQi-hP1Q@mail.gmail.com>
[3]: https://github.com/opencontainers/ocitools

Signed-off-by: W. Trevor King <wking@tremily.us>
2016-05-15 15:21:43 -07:00
Qiang Huang be7676409b Merge pull request from wking/terminal-omitempty
specs-go/config.go: Make Process.Terminal omitempty
2016-05-10 17:23:43 +08:00
Qiang Huang d33a8e17cb Merge pull request from wking/readonly-omitempty
specs-go/config.go: Make Root.Readonly omitempty
2016-05-10 17:21:30 +08:00
Mrunal Patel adea03f51c Merge pull request from wking/platform-specific-solaris
specs-go/config: Make Linux and Solaris omitempty
2016-05-09 13:18:46 -07:00
Vincent Batts 040712af18 Merge pull request from wking/tk/system-pandoc
Makefile: Replace vbatts/pandoc with a PANDOC variable
2016-05-07 17:50:35 +02:00
W. Trevor King 5c2193f357 specs-go/config: Make Linux and Solaris omitempty
Both fields are optional, so you could conceivably have neither.
However, in most cases folks will populate the one corresponding to
their platform.  The one that *doesn't* match their platform must not
show up, in order to avoid violating the:

  This should only be set if **`platform.os`** is ...

phrasing.

Signed-off-by: W. Trevor King <wking@tremily.us>
2016-05-06 23:58:09 -07:00
W. Trevor King 759ee79c85 config: Add platform-specific entry for 'solaris'
Fixup for 7c9daeb (Introducing Solaris in OCI, 2016-04-25, ) along
the lines of b373a15 (config: Split platform-specific configuration
into its own section, 2016-05-02, ).

Signed-off-by: W. Trevor King <wking@tremily.us>
2016-05-06 23:57:14 -07:00
W. Trevor King f307cfc939 specs-go/config.go: Make Root.Readonly omitempty
It's an optional setting, and this change will fix the wordy:

  $ ocitools generate --template <(echo '{}')
  $ grep readonly config.json
      "readonly": false,

Instead, config.json will not contain a 'readonly' entry at all.

Signed-off-by: W. Trevor King <wking@tremily.us>
2016-05-06 22:16:10 -07:00
W. Trevor King 41e94ae3d5 specs-go/config.go: Make Process.Terminal omitempty
It's an optional setting, and this change will fix the wordy:

  $ ocitools generate --template <(echo '{}')
  $ grep terminal config.json
      "terminal": false,

Instead, config.json will not contain a 'terminal' entry at all.

Signed-off-by: W. Trevor King <wking@tremily.us>
2016-05-06 21:38:23 -07:00
W. Trevor King dc9daf9e58 Makefile: Replace vbatts/pandoc with a PANDOC variable
Defaulting to whichever PANDOC is first in your path.  This mirrors
the existing DOCKER handling.  Folks who want to use the old path can
run:

  $ make PANDOC=vbatts/pandoc ...

I'm not sure why 4ee036fc (*: printable documents, 2015-12-09, )
went with a variable for 'docker' but a hard-coded path for 'pandoc'.
I expect it was just oversight.

Signed-off-by: W. Trevor King <wking@tremily.us>
2016-05-06 14:51:06 -07:00
W. Trevor King 1ac46cbd9f Makefile: Use 'command -v' instead of 'which'
The former is in POSIX [1], but the latter is not [2].

[1]: http://pubs.opengroup.org/onlinepubs/9699919799/utilities/command.html
[2]: http://pubs.opengroup.org/onlinepubs/9699919799/idx/utilities.html

Signed-off-by: W. Trevor King <wking@tremily.us>
2016-05-06 14:48:40 -07:00
Michael Crosby dbce512cec Merge pull request from amitsaha/uid_gid_fix
UID and GID for the main process are not optional
2016-05-06 10:39:54 -07:00
Michael Crosby 9066491ef8 Merge pull request from wking/no-tab-indents
config: Use spaces (not tabs) to indent JSON
2016-05-06 10:39:01 -07:00
W. Trevor King 41cddd7b8a config: Use spaces (not tabs) to indent JSON
Change made with:

  $ sed -i 's/\t/    /g' config.md

fixing tabs that were added with 1c49f4d2 (Add annotations and labels
to the Spec, 2016-03-04, ).

Signed-off-by: W. Trevor King <wking@tremily.us>
2016-05-05 19:23:32 -07:00
Amit Saha 815ce4e2eb UID and GID for the main process are not optional
The spec requires UID and GID to be specified, so we shouldn't
ignore if they are not specified.

Signed-off-by: Amit Saha <amitsaha.in@gmail.com>
2016-05-06 10:41:51 +10:00
Vincent Batts 38dd2fdc30 Merge pull request from anuthan/configlink
Adding link in README.md to Solaris configuration.
2016-05-05 12:47:16 -04:00
Abhijeeth Nuthan ebcf9cb653 Adding link in README.md to Solaris configuration.
Signed-off-by: Abhijeeth Nuthan <abhijeeth.nuthan@oracle.com>
2016-05-05 09:17:38 -07:00
Vincent Batts bf58a8f544 Merge pull request from anuthan/solarisSpec
Introducing Solaris in OCI
2016-05-04 16:17:37 -04:00
Abhijeeth Nuthan 7c9daebaa7 Introducing Solaris in OCI
Signed-off-by: Abhijeeth Nuthan <abhijeeth.nuthan@oracle.com>
2016-05-04 12:19:27 -07:00
Michael Crosby 07126441b3 Merge pull request from wking/explicit-hook-namespace
config: Explicitly put hooks in the runtime namespace
2016-05-04 10:18:56 -07:00
Vincent Batts cbea66a275 Merge pull request from vbatts/travis_make_target
travis: have make target be travis sensitive
2016-05-03 16:35:52 -04:00