Commit Graph

505 Commits

Author SHA1 Message Date
Rob Dolin (MSFT) 4288244a89 ReadMe: Update content to match print order
Update the Table of Contents section of the ReadMe.md to match the order
of the merged MarkDown files in the printable HTML and PDF outputs

Signed-off-by: Rob Dolin <RobDolin@microsoft.com>
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2016-03-09 14:12:59 -05:00
Vishnu kannan 1c49f4d21c Add annotations and labels to the Spec.
Signed-off-by: Vishnu kannan <vishnuk@google.com>
2016-03-09 11:11:28 -08:00
Michael Crosby 3b7c15d90f Merge pull request #334 from mrunalp/remove_state_dir
Remove the state directory as we now have a state operation instead
2016-03-08 10:39:30 -08:00
Mrunal Patel 16c09954b1 Remove the state directory as we now have a state operation instead
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-03-08 13:35:49 -05:00
Vincent Batts 5a606f4604 Merge pull request #333 from mrunalp/optional_seccomp
Seccomp should be optional
2016-03-08 12:48:49 -05:00
Mrunal Patel 36b0b18abf Seccomp should be optional
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-03-07 17:59:30 -08:00
Michael Crosby a1e32a8ead Merge pull request #330 from wking/process-security-indent
config: Fix indents for process.apparmorProfile and .selinuxLabel
2016-03-03 10:12:31 -08:00
W. Trevor King 6b639d2520 config: Fix indents for process.apparmorProfile and .selinuxLabel
These slipped through in 5a8a779f (Move process specific settings to
process, 2016-03-02, #329).

Signed-off-by: W. Trevor King <wking@tremily.us>
2016-03-02 14:35:24 -08:00
Vincent Batts 0c2892bf82 Merge pull request #329 from crosbymichael/process
Move process specific settings to process
2016-03-02 15:26:55 -05:00
Michael Crosby 5a8a779fb0 Move process specific settings to process
This moves process specific settings like caps, apparmor, and selinux
process label onto the process structure to allow the same settings to
be changed at exec time.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-03-02 11:40:09 -08:00
Mrunal Patel 95e12594fc Merge pull request #323 from hqhq/hq_fix_devices_example
Fix type of devices type
2016-02-29 09:47:05 -08:00
Mrunal Patel 9a3cc9a10c Merge pull request #326 from RobDolinMS/patch-8
ReadMe: Replace BlueJeans with UberConference
2016-02-28 08:34:15 -08:00
Rob Dolin (MSFT) 15a43acd26 ReadMe: Replace BlueJeans with UberConference
BlueJeans requires a moderator while UberConference does not

Signed-off-by: Rob Dolin <robdolin@microsoft.com>
2016-02-24 10:23:05 -08:00
Qiang Huang ccf3a246ca Fix fileMode json example
In json, os.FileMode would be presented as a uint32, which
is decimal. Otherwise we'll get the error:
`invalid character '6' after object key:value pair`
when unmarshaling the json file.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-02-23 13:34:20 +08:00
Qiang Huang 9bab930044 Fix type of devices type
Fixes: opencontainers/runc#566

For type rune, we can assign a char as 'c' in the struct, but after
marshaling, it'll be presented as int32. So in the json config it needs
to be presented as a number, which is not friendly to identify.

Change it to string so that you can actually write "b", "c" in json
spec and you can easily know what type of device it is.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-02-23 13:33:57 +08:00
Alexander Morozov fed01f4d97 Merge pull request #225 from duglin/RuntimeOps
Expand on the definition of our ops
2016-02-22 09:00:50 -08:00
Doug Davis 7117ede74b Expand on the definition of our ops
Signed-off-by: Doug Davis <dug@us.ibm.com>
2016-02-22 06:43:28 -08:00
Michael Crosby abca05ea99 Merge pull request #317 from wking/no-pointers-for-slices-or-maps
style: Document recent Go-pointer exceptions
2016-02-17 10:51:56 -08:00
Vish Kannan b6d9ebf38c Merge pull request #321 from vbatts/v0.3.0
v0.3.0
2016-02-04 17:28:33 -08:00
Vincent Batts c450676625 version: v0.4.0-dev
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2016-02-04 18:31:33 -05:00
Vincent Batts 25cbfc427b version: v0.3.0
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2016-02-04 18:31:31 -05:00
Mrunal Patel 80322b9fe8 Merge pull request #318 from wking/cgroup-v1-links
config-linux: Update links to cgroups documentation
2016-02-04 10:24:30 +05:30
W. Trevor King 1b0056cbff config-linux: Update links to cgroups documentation
With 34a9304a (Merge branch 'for-4.5' of
git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup, 2016-01-13,
[1]), Linux restructured their cgroups documentation.  This updated
all of our Documentation/cgroups references to match the new layout,
using reference-style links [2] which let us collect link label
definitions at the bottom of the file.  That makes the spec source
easier to read (no distracting URLs in the middle of a sentence) and
makes the URLs easier to update (only one place to check / fix).

[1]: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=34a9304a96d6351c2d35dcdc9293258378fc0bd8
[2]: http://daringfireball.net/projects/markdown/syntax#link

Signed-off-by: W. Trevor King <wking@tremily.us>
2016-01-27 20:14:33 -08:00
Mrunal Patel 608cb7b58a Merge pull request #298 from wking/separate-device-cgroups-from-mknod
runtime-config-linux: Separate mknod from cgroups
2016-01-27 19:02:03 -08:00
W. Trevor King 7d5b027673 runtime-config-linux: Separate mknod from cgroups
With mknod entries in linux.devices and cgroups entries in
linux.resources.devices.  Background discussion in [1].

For specifying device cgroups independent of device creation.  This
makes it easy to distinguish between configs that call for cgroup
adjustments (which have linux.resources entries) from those that
don't.  Without this split, folks interested in making that
distinction would have to parse the device section to determine if it
included cgroup changes.  This will also make it easy to drop either
portion (mknod [2] or cgroups [3]) independently of the other if the
project decides to do so.

Using separate sections for mknod and cgroups also allows us to avoid
the complicated validation rules needed for the combined format
mknod/cgroup [4].

Now that there is a section specific to supplying devices, I shifted
the default device listing over from config-linux [5].  The /dev/ptmx
entry is a bit awkward, since it's not a device, but it seemed to fit
better over here.  But I would also be fine leaving it with the other
mounts in config-linux.

fileMode, uid, and gid are optional, because mknod(2) doesn't need
them and specifies the handling when they aren't set [6,7].
Similarly, major/minor numbers are only required for S_IFCHR and
S_IFBLK [6].  I've left off wording about required runtime behavior
for unset values, because I'd rather address that with a blanket rule
[8].

For the cgroup, access is optional because the kernel docs show an
example that doesn't write an access field to the devices.deny file
[9].  The current kernel docs don't go into much detail on this
behavior (I expect unset and 'rwm' are equivalent), but if the kernel
doesn't need a value written, the spec should get out of the way and
allow users to not specify a value.

The reference links are sorted into two blocks, with kernel-doc links
sorted alphabetically followed by man pages sorted alphabetically by
section.  The cgroup link is new since 2016-01-13 [10].

[1]: https://groups.google.com/a/opencontainers.org/forum/#!topic/dev/y_Fsa2_jJaM
     Subject: Separate config entries for device mknod and cgroups?
     Date: Mon, 5 Oct 2015 12:46:55 -0700
     Message-ID: <20151005194655.GN28418@odin.tremily.us>
[2]: https://github.com/opencontainers/specs/pull/98
[3]: https://groups.google.com/a/opencontainers.org/forum/#!topic/dev/qWHoKs8Fsrk
     Subject: removal of cgroups from the OCI Linux spec
     Date: Wed, 28 Oct 2015 17:01:59 +0000
     Message-ID: <CAD2oYtO1RMCcUp52w-xXemzDTs+J6t4hS5Mm4mX+uBnVONGDfA@mail.gmail.com>
[4]: https://github.com/opencontainers/specs/pull/101
[5]: https://github.com/opencontainers/specs/pull/171#discussion_r41190655
[6]: http://man7.org/linux/man-pages/man2/mknod.2.html#DESCRIPTION
[7]: https://github.com/opencontainers/specs/pull/298/files#r51053835
[8]: https://github.com/opencontainers/specs/pull/285#issuecomment-167823651
[9]: https://kernel.org/doc/Documentation/cgroup-v1/devices.txt
[10]: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=34a9304a96d6351c2d35dcdc9293258378fc0bd8

Signed-off-by: W. Trevor King <wking@tremily.us>
2016-01-27 13:52:15 -08:00
Vincent Batts 9017a6c7e1 Merge pull request #284 from wking/single-config
config: Single, unified config file
2016-01-27 12:58:45 -05:00
W. Trevor King cb2da5430a config: Single, unified config file
Reverting 7232e4b1 (specs: introduce the concept of a runtime.json,
2015-07-30, #88) after discussion on the mailing list [1].  The main
reason is that it's hard to draw a clear line around "inherently
runtime-specific" or "non-portable", so we shouldn't try to do that in
the spec.  Folks who want to flag settings as non-portable for their
own system are welcome to do so (e.g. "we will clobber 'hooks' in
bundles we run"), but we don't have to split the config into multiple
files to do that.

There have been a number of additional changes since #88, so this
isn't a pure Git reversion.  Besides copy-pasting and the associated
link-target updates, I've:

* Restored path -> destination, now that the mount type contains both
  source and target paths again.  I'd prefer 'target' to 'destination'
  to match mount(2), but the pre-7232e4b1 phrasing was 'destination'
  (possibly due to Windows using 'target' for the source?).

* Restored the Windows mount example to its pre-7232e4b1 content.

* Removed required mounts from the config example (requirements landed
  in 3848a238, config-linux: specify the default devices/filesystems
  available, 2015-09-09, #164), because specifying those mounts in the
  config is now redundant.

* Used headers (vs. bold paragraphs) to set off mount examples so we
  get link anchors in the rendered Markdown.

* Replaced references to runtime.json with references to config.json.

[1]: https://groups.google.com/a/opencontainers.org/forum/#!topic/dev/0QbyJDM9fWY
     Subject: Single, unified config file (i.e. rolling back specs#88)
     Date: Wed, 4 Nov 2015 09:53:20 -0800
     Message-ID: <20151104175320.GC24652@odin.tremily.us>

Signed-off-by: W. Trevor King <wking@tremily.us>
2016-01-27 09:51:54 -08:00
W. Trevor King d715acfc1e style: Document recent Go-pointer exceptions
The general rule seems to be:

  If Go's default value has the same semantics we'd use for an unset
  value, don't bother with a pointer.

I'm not sure how well that squares with [1]:

  We want a consistent way to identify unset settings.

But if the falsy values count as "unset", maybe the "null is a
consistent identifier for unset" approach was never really viable.

Qiang points out that pointers are required to opt-out of boolean
settings where both true and false would require action [2], so I've
worded the exception to only apply when the Go default for the type is
explicitly a no-op in the spec.

I'm also not sure if the new style extends to integers where zero has
the same semantics as unset values.  It sounds like Michael was ok
with no pointers for those values [3], but OOMScoreAdj (where zero
clearly means "do nothing") got a pointer in #233 [4].  More clarity
on the threshold would be nice; in this commit I've laid out the logic
and not explicitly listed the types it applies to.

[1]: https://github.com/opencontainers/specs/pull/233#discussion_r47829711
[2]: https://github.com/opencontainers/specs/pull/317/files#r50932706
[3]: https://github.com/opencontainers/specs/pull/233#issuecomment-155250592
[4]: https://github.com/opencontainers/specs/pull/233/files#diff-34c30be66233f08b447fb608ea0e66bbR206

Signed-off-by: W. Trevor King <wking@tremily.us>
2016-01-26 21:23:49 -08:00
Vish Kannan 07bce393d0 Merge pull request #316 from mrunalp/cgroup_ptrs
Remove pointers for slices preferring omitempty tag instead
2016-01-26 10:25:44 -08:00
Mrunal Patel af055bd914 Remove pointers for slices preferring omitempty tag instead
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-01-25 20:09:40 -05:00
Michael Crosby a7b50925d8 Merge pull request #314 from mrunalp/update_go_version
Update the go version to 1.5.3
2016-01-21 13:51:03 -08:00
Mrunal Patel ca1b5727b4 Update the go version to 1.5.3
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-01-21 15:30:41 -05:00
Vincent Batts acc1c63752 Merge pull request #290 from mrunalp/no_new_priv
Add NoNewPrivileges setting for linux
2016-01-20 17:45:55 -05:00
Mrunal Patel 5f327ba339 Add NoNewPrivileges setting for linux
This is a security setting that could be used to prevent processes in the
container from gaining additional privileges.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-01-20 14:30:29 -05:00
Vincent Batts c8de60be8a Merge pull request #295 from vbatts/vbatts-test
Makefile: add a target to run tests
2016-01-20 13:41:02 -05:00
Vish Kannan 72e7cf9daf Merge pull request #280 from philips/try-and-add-some-use-cases
README: add some user stories
2016-01-19 12:57:00 -08:00
Brandon Philips 9289afe113 README: add runtime, bundle, and hook author user
Let's call out some users directly and give them titles. Then define what
they are trying to do.

Signed-off-by: Brandon Philips <brandon.philips@coreos.com>
2016-01-19 12:23:42 -08:00
Qiang Huang ec7ca919b7 Merge pull request #309 from vbatts/version_name
config: qualify the name of the version field
2016-01-18 12:07:51 +08:00
Mrunal Patel ed08c12e1a Merge pull request #312 from duglin/AbsCWD
Make cwd an abs path to avoid ambiguity
2016-01-15 16:02:54 -08:00
Vincent Batts 4e63ee0a1e config: qualify the name of the version field
https://github.com/opencontainers/specs/issues/110

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2016-01-15 10:51:53 -05:00
Doug Davis 5fb3203f6d Make cwd an abs path to avoid ambiguity
Signed-off-by: Doug Davis <dug@us.ibm.com>
2016-01-15 06:10:21 -08:00
Mrunal Patel d61af700d4 Merge pull request #311 from vbatts/unicode
style: remove unicode character
2016-01-14 16:12:31 -08:00
Vincent Batts 0e904c904f style: remove unicode character
pandoc/LaTeX is not happy with this shady character.

```
! Package inputenc Error: Unicode char \u8:↔ not set up for use with
LaTeX.
```

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2016-01-14 15:18:52 -05:00
Vincent Batts 0cd1ca4d1d Makefile: git-validation from an arbitrary epoch
Since we can't go from the first commit, choosing an arbitrary epoch commit

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2016-01-14 10:31:40 -05:00
Vincent Batts 70e725cedd Makefile: add a target to run tests
For now, just vet and lint. But would like to include the commit
validator, once a good range is selectable.

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2016-01-13 18:54:58 -05:00
Mrunal Patel 52cbf479f2 Merge pull request #308 from vbatts/more-cwd
config: corresponding change for required field
2016-01-13 14:30:57 -08:00
Vincent Batts 111e69668b config: corresponding change for required field
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2016-01-13 17:18:39 -05:00
Vincent Batts 353631ab5e Merge pull request #253 from hqhq/hq_version_compat
Clarify backwards compatibility for major version 0
2016-01-13 16:46:02 -05:00
Mrunal Patel d2617a1203 Merge pull request #307 from vbatts/carry-cwd
Clarify cwd
2016-01-13 13:42:46 -08:00
Vincent Batts 1f519091e2 Merge pull request #304 from mrunalp/clarify_rootfs
Remove clarify rootfs item from the ROADMAP
2016-01-13 16:42:23 -05:00