Make explicit that runtimes only have to attach to the bare minimum
number of cgroups in order to fulfil the users' requirements. However,
runtimes are of course allowed to attach to more than the bare minimum.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Clarify some of the confusion with cgroupsPath. Due to systemd, we
cannot require that relative paths be treated in any specific way. In
addition, add a line stating that not all values of cgroupsPath are
required to be valid (and that runtimes must error out if they have an
invalid cgroup path). However, any given value of cgroupsPath should
provide consistent results.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Some of the wording was a bit clumsy (and incorrect, by conflating
different concepts in control groups as "cgroups").
Signed-off-by: Aleksa Sarai <asarai@suse.de>
This slipped through the rename in 2a5986f7 (schema/state-schema.json:
Add a JSON Schema for the state JSON, 2016-06-01, #481) and the first
round of fixes in dfb85b16 (schema/README: Fix links to
(config|state)-schema.json, 2016-06-13, #498). Reported by hapnermw
[1].
[1]: https://github.com/opencontainers/runtime-spec/issues/517
Signed-off-by: W. Trevor King <wking@tremily.us>
On Thu, Jul 14, 2016 at 06:27:50PM -0700, Chris Aniszczyk wrote [1]:
> There was a change in the phone number for the conference line, URL
> is the same.
>
> Join the call: https://www.uberconference.com/opencontainers
> Optional dial in number: 415-968-0849
> No PIN needed
[1]: https://github.com/opencontainers/runtime-spec/issues/514
Reported-by: Chris Aniszczyk <caniszczyk@gmail.com>
Signed-off-by: W. Trevor King <wking@tremily.us>
I'd added some omitempties in 5c2193f3 (specs-go/config: Make Linux
and Solaris omitempty, 2016-05-06, #431), but it turns out to not have
the intended effect unless the field is also a pointer type (even
after I shifted the 'omitempty' from the platform tag to the json
tag). Before this commit:
  $ ./ocitools generate --template <(echo '{}')
  $ jq . config.json
  {
    "ociVersion": "1.0.0-rc1-dev",
    "platform": {
      "os": "linux",
      "arch": "amd64"
    },
    "process": {
      "user": {
        "uid": 0,
        "gid": 0
      },
      "args": [],
      "cwd": "/"
    },
    "root": {
      "path": "rootfs"
    },
    "hooks": {},
    "linux": {
      "cgroupsPath": ""
    },
    "solaris": {
      "cappedCPU": {},
      "cappedMemory": {}
    }
  }
And after this commit:
  $ ./ocitools generate --template <(echo '{}')
  $ jq . config.json
  {
    "ociVersion": "1.0.0-rc1-dev",
    "platform": {
      "os": "linux",
      "arch": "amd64"
    },
    "process": {
      "user": {
        "uid": 0,
        "gid": 0
      },
      "args": [],
      "cwd": "/"
    },
    "root": {
      "path": "rootfs"
    },
    "hooks": {},
  }
The remaining useless properties are addressed by other in-flight pull
requests:
* 5ca74df (config: Make 'process.args' optional, 2016-06-04, #489)
* ad33f9c (config: Explicitly list 'hooks' as optional, 2016-05-06,
  #427)
So I've left them alone here.
Signed-off-by: W. Trevor King <wking@tremily.us>
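The behaviour described in the commit message above, as an added example that is not code from runtime-spec: Go's encoding/json never treats a struct value as empty, so `omitempty` only drops the key when the field is a pointer. The type and field names below are hypothetical stand-ins, not the specs-go definitions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Linux is a hypothetical stand-in for a platform-specific config section.
type Linux struct {
	CgroupsPath string `json:"cgroupsPath"`
}

// ValueSpec holds the section by value: omitempty has no effect here,
// because encoding/json never considers a struct value "empty".
type ValueSpec struct {
	Version string `json:"ociVersion"`
	Linux   Linux  `json:"linux,omitempty"`
}

// PointerSpec holds the section by pointer: a nil pointer counts as empty,
// so the "linux" key is left out of the output entirely.
type PointerSpec struct {
	Version string `json:"ociVersion"`
	Linux   *Linux `json:"linux,omitempty"`
}

// Encode marshals v and returns the JSON text, or the error text on failure.
func Encode(v interface{}) string {
	b, err := json.Marshal(v)
	if err != nil {
		return "error: " + err.Error()
	}
	return string(b)
}

func main() {
	// Constructed sample values; the version string matches the output above.
	fmt.Println(Encode(ValueSpec{Version: "1.0.0-rc1-dev"}))
	fmt.Println(Encode(PointerSpec{Version: "1.0.0-rc1-dev"}))
	fmt.Println(Encode(PointerSpec{
		Version: "1.0.0-rc1-dev",
		Linux:   &Linux{CgroupsPath: "/demo"},
	}))
}
```

A consumer of the generated config can then tell an absent platform section from one that is present with an empty `cgroupsPath`.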
Fix regression respectively introduced in 59ede1a and 59ede1a
The config-schema.json and state-schema.json references were missing "-schema".
Signed-off-by: Lee Calcote <leecalcote@gmail.com>
The IDs namespace the fields within the OCI, with /runtime to select
the opencontainers/runtime-spec project, and /state to select the
state JSON within runtime-spec.
Signed-off-by: W. Trevor King <wking@tremily.us>
So we can use it in the coming state-schema.json without duplication.
I dropped the "id" because none of the other defs.json entries had an
ID.
Signed-off-by: W. Trevor King <wking@tremily.us>
So we can use it in the coming state-schema.json without duplication.
While I'm touching it, I updated the spec title to match the project
README's header. I also dropped the "id" because none of the other
defs.json entries had an ID.
Signed-off-by: W. Trevor King <wking@tremily.us>
The sub bullets for the status entries under State were not indented by
the 4 spaces required by Markdown. They did not render well in the PDF,
at least with my native build with pandoc v1.13.2. Change them to 4
spaces, which now renders well.
Signed-off-by: Graham Whaley <graham.whaley@linux.intel.com>
The JSON Schema requirement dates back to cdcabdeb (schema: JSON
Schema and validator for `config.json`, 2016-01-19, #313), but the
property has been explicitly optional in the Markdown spec since
7ac41c69 (config.md: reformat into a standard style, 2015-06-30).
Signed-off-by: W. Trevor King <wking@tremily.us>
This reverts commit 0f25f18b9b, #253.
Now that we're on to 1.0, we don't need to talk about 0.x. And the
lack of 0.x backwards compatibility is covered by SemVer 2.0 section 4
[1]:
  Major version zero (0.y.z) is for initial development. Anything may
  change at any time. The public API should not be considered stable.
so removing the echo from our spec doesn't actually change anything.
The conflict is due to 4e63ee0a (config: qualify the name of the
version field, 2016-01-13, #309), and only impacted the context and
line-wrapping around the sentence I'm removing.
Conflicts:
config.md
[1]: http://semver.org/spec/v2.0.0.html
Signed-off-by: W. Trevor King <wking@tremily.us>
These distribution requirements belong in image-spec or similar. They
don't apply to runtimes or filesystem bundles (the latter are covered
by the earlier "This MUST include the following artifacts"), which are
the two entities tested for compliance with this spec.
Signed-off-by: W. Trevor King <wking@tremily.us>
Make it clear that if a runtime cannot set up an environment that
*precisely* matches the config.json provided, it must generate an error.
This is important because not doing this can cause security issues.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
The cgroup namespace is a new kernel feature available in 4.6+ that
allows a container to isolate its cgroup hierarchy. This currently only
allows for hiding information from /proc/self/cgroup, and mounting
cgroupfs as an unprivileged user. In the future, this namespace may
allow for subtree management by a container.
Signed-off-by: Aleksa Sarai <asarai@suse.de>