Commit Graph

412 Commits

Author SHA1 Message Date
Michael Crosby 9f909ab9d0 Merge pull request #339 from wking/selinux-key
specs-go/config: Fix 'SelinuxProcessLabel' -> 'SelinuxLabel'
2016-03-09 12:05:28 -08:00
W. Trevor King 59333dcf45 specs-go/config: Fix 'SelinuxProcessLabel' -> 'SelinuxLabel'
The label changed in 5a8a779f (Move process specific settings to
process, 2016-03-02, #329) and 7bf06d53 (source and schema:
differentiate with examples, 2015-12-18, #276) missed this instance
when rebasing around #329.

Signed-off-by: W. Trevor King <wking@tremily.us>
2016-03-09 12:00:51 -08:00
Mrunal Patel fae9a3e3ac Merge pull request #276 from vbatts/schema
source and schema: differentiate with examples
2016-03-09 11:52:55 -08:00
Michael Crosby d199438999 Merge pull request #338 from wking/drop-bluejeans
README: Drop BlueJeans link label definition
2016-03-09 11:46:13 -08:00
W. Trevor King ccc7e2fb53 README: Drop BlueJeans link label definition
The only reference was removed in 15a43acd (ReadMe: Replace BlueJeans
with UberConference, 2016-02-24, #326).

Signed-off-by: W. Trevor King <wking@tremily.us>
2016-03-09 11:45:47 -08:00
Vincent Batts cfbf70c0ab config: formatted example json
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2016-03-09 19:40:34 +00:00
Vincent Batts 7bf06d53dd source and schema: differentiate with examples
The standard is on the JSON schema (not yet IETF spec JSON-schema), such
that it is not implementation specific. Thus far, the reference has been
in how golang source renders the JSON documents.

Having the JSON source and the markdown documents in sync has been an
ongoing step to keep in sync.

Separating these two allows the golang source to continue being _a_
reference, but the JSON schema in the documentation to be _the_
reference.

As validation tooling is refined, then it will facilitate ensuring
the available golang source conforms to the reference JSON.

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2016-03-09 19:18:20 +00:00
Mrunal Patel dae09c6a7d Merge pull request #331 from vishh/labels-annotations
Add annotations and labels to the Spec.
2016-03-09 11:15:53 -08:00
Vishnu kannan 1c49f4d21c Add annotations and labels to the Spec.
Signed-off-by: Vishnu kannan <vishnuk@google.com>
2016-03-09 11:11:28 -08:00
Michael Crosby 3b7c15d90f Merge pull request #334 from mrunalp/remove_state_dir
Remove the state directory as we now have a state operation instead
2016-03-08 10:39:30 -08:00
Mrunal Patel 16c09954b1 Remove the state directory as we now have a state operation instead
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-03-08 13:35:49 -05:00
Vincent Batts 5a606f4604 Merge pull request #333 from mrunalp/optional_seccomp
Seccomp should be optional
2016-03-08 12:48:49 -05:00
Mrunal Patel 36b0b18abf Seccomp should be optional
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-03-07 17:59:30 -08:00
Michael Crosby a1e32a8ead Merge pull request #330 from wking/process-security-indent
config: Fix indents for process.apparmorProfile and .selinuxLabel
2016-03-03 10:12:31 -08:00
W. Trevor King 6b639d2520 config: Fix indents for process.apparmorProfile and .selinuxLabel
These slipped through in 5a8a779f (Move process specific settings to
process, 2016-03-02, #329).

Signed-off-by: W. Trevor King <wking@tremily.us>
2016-03-02 14:35:24 -08:00
Vincent Batts 0c2892bf82 Merge pull request #329 from crosbymichael/process
Move process specific settings to process
2016-03-02 15:26:55 -05:00
Michael Crosby 5a8a779fb0 Move process specific settings to process
This moves process specific settings like caps, apparmor, and selinux
process label onto the process structure to allow the same settings to
be changed at exec time.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-03-02 11:40:09 -08:00
Mrunal Patel 95e12594fc Merge pull request #323 from hqhq/hq_fix_devices_example
Fix type of devices type
2016-02-29 09:47:05 -08:00
Mrunal Patel 9a3cc9a10c Merge pull request #326 from RobDolinMS/patch-8
ReadMe: Replace BlueJeans with UberConference
2016-02-28 08:34:15 -08:00
Rob Dolin (MSFT) 15a43acd26 ReadMe: Replace BlueJeans with UberConference
BlueJeans requires a moderator while UberConference does not

Signed-off-by: Rob Dolin <robdolin@microsoft.com>
2016-02-24 10:23:05 -08:00
Qiang Huang ccf3a246ca Fix fileMode json example
In json, os.FileMode would be presented as a uint32, which
is decimal. Otherwise we'll get error:
`invalid character '6' after object key:value pair`
when unmarshaling the json file.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-02-23 13:34:20 +08:00
Qiang Huang 9bab930044 Fix type of devices type
Fixes: opencontainers/runc#566

For type rune, we can assign char as 'c' in struct, but after
marshaling, it'll be presented as int32. So in json config it needs
to be presented as a number which is not friendly to be identified.

Change it to string so that you can actually write "b", "c" in json
spec and you can easily know what type of device it is.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-02-23 13:33:57 +08:00
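The two JSON pitfalls fixed by the "Fix fileMode json example" and "Fix type of devices type" commits above, reproduced in Go as an added example (this is not code from the specs repository; the two structs are simplified stand-ins for the spec's device type, and the inputs are constructed). It shows a rune field going onto the wire as 99 and refusing the readable "c" spelling, and a fileMode written as the octal literal 0666 failing with the exact error quoted in the commit, because JSON numbers have no octal form and the parser stops at the leading zero.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// DeviceRune is the pre-fix shape: a rune Type marshals as its code point
// (an int32) and os.FileMode marshals as a plain decimal uint32.  Both
// structs here are simplified illustrations, not the spec's definitions.
type DeviceRune struct {
	Type     rune        `json:"type"`
	Path     string      `json:"path"`
	FileMode os.FileMode `json:"fileMode"`
}

// DeviceString is the post-fix shape: Type is a string, so "c" and "b"
// survive a JSON round trip as written.
type DeviceString struct {
	Type     string      `json:"type"`
	Path     string      `json:"path"`
	FileMode os.FileMode `json:"fileMode"`
}

// marshalRuneType shows the readability problem: 'c' goes on the wire as 99.
func marshalRuneType() (string, error) {
	b, err := json.Marshal(DeviceRune{Type: 'c', Path: "/dev/null", FileMode: 0666})
	return string(b), err
}

// unmarshalRuneType shows the flip side: with a rune field the readable
// spelling "c" is rejected, so users had to write the number instead.
func unmarshalRuneType(doc string) (rune, error) {
	var d DeviceRune
	err := json.Unmarshal([]byte(doc), &d)
	return d.Type, err
}

// marshalStringType is the fixed form.
func marshalStringType() (string, error) {
	b, err := json.Marshal(DeviceString{Type: "c", Path: "/dev/null", FileMode: 0666})
	return string(b), err
}

// unmarshalFileMode parses a device entry and returns its mode.  JSON has
// no octal literals: a leading zero terminates the number, so "0666" fails
// with the error quoted in the commit and decimal 438 is the only spelling.
func unmarshalFileMode(doc string) (os.FileMode, error) {
	var d DeviceString
	if err := json.Unmarshal([]byte(doc), &d); err != nil {
		return 0, err
	}
	return d.FileMode, nil
}

func main() {
	// Constructed inputs for the demonstration.
	out, _ := marshalRuneType()
	fmt.Println("rune type:  ", out)
	out, _ = marshalStringType()
	fmt.Println("string type:", out)
	if _, err := unmarshalRuneType(`{"type":"c","path":"/dev/null","fileMode":438}`); err != nil {
		fmt.Println("rune field rejects \"c\":", err)
	}
	if _, err := unmarshalFileMode(`{"type":"c","path":"/dev/null","fileMode":0666}`); err != nil {
		fmt.Println("octal literal:", err)
	}
	m, _ := unmarshalFileMode(`{"type":"c","path":"/dev/null","fileMode":438}`)
	fmt.Printf("decimal 438 parses as %#o\n", uint32(m))
}
```

The practical consequence for anyone hand-writing a config.json: a mode that reads naturally in octal must be converted to decimal (0666 is 438, 0644 is 420), and a device type must be the string "c" or "b" rather than a code point.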
Alexander Morozov fed01f4d97 Merge pull request #225 from duglin/RuntimeOps
Expand on the definition of our ops
2016-02-22 09:00:50 -08:00
Doug Davis 7117ede74b Expand on the definition of our ops
Signed-off-by: Doug Davis <dug@us.ibm.com>
2016-02-22 06:43:28 -08:00
Michael Crosby abca05ea99 Merge pull request #317 from wking/no-pointers-for-slices-or-maps
style: Document recent Go-pointer exceptions
2016-02-17 10:51:56 -08:00
Vish Kannan b6d9ebf38c Merge pull request #321 from vbatts/v0.3.0
v0.3.0
2016-02-04 17:28:33 -08:00
Vincent Batts c450676625 version: v0.4.0-dev
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2016-02-04 18:31:33 -05:00
Vincent Batts 25cbfc427b version: v0.3.0
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2016-02-04 18:31:31 -05:00
Mrunal Patel 80322b9fe8 Merge pull request #318 from wking/cgroup-v1-links
config-linux: Update links to cgroups documentation
2016-02-04 10:24:30 +05:30
W. Trevor King 1b0056cbff config-linux: Update links to cgroups documentation
With 34a9304a (Merge branch 'for-4.5' of
git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup, 2016-01-13,
[1]), Linux restructured their cgroups documentation.  This updated
all of our Documentation/cgroups references to match the new layout,
using reference-style links [2] which let us collect link label
definitions at the bottom of the file.  That makes the spec source
easier to read (no distracting URLs in the middle of a sentence) and
makes the URLs easier to update (only one place to check / fix).

[1]: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=34a9304a96d6351c2d35dcdc9293258378fc0bd8
[2]: http://daringfireball.net/projects/markdown/syntax#link

Signed-off-by: W. Trevor King <wking@tremily.us>
2016-01-27 20:14:33 -08:00
Mrunal Patel 608cb7b58a Merge pull request #298 from wking/separate-device-cgroups-from-mknod
runtime-config-linux: Separate mknod from cgroups
2016-01-27 19:02:03 -08:00
W. Trevor King 7d5b027673 runtime-config-linux: Separate mknod from cgroups
With mknod entries in linux.devices and cgroups entries in
linux.resources.devices.  Background discussion in [1].

For specifying device cgroups independent of device creation.  This
makes it easy to distinguish between configs that call for cgroup
adjustments (which have linux.resources entries) from those that
don't.  Without this split, folks interested in making that
distinction would have to parse the device section to determine if it
included cgroup changes.  This will also make it easy to drop either
portion (mknod [2] or cgroups [3]) independently of the other if the
project decides to do so.

Using separate sections for mknod and cgroups also allows us to avoid
the complicated validation rules needed for the combined format
mknod/cgroup [4].

Now that there is a section specific to supplying devices, I shifted
the default device listing over from config-linux [5].  The /dev/ptmx
entry is a bit awkward, since it's not a device, but it seemed to fit
better over here.  But I would also be fine leaving it with the other
mounts in config-linux.

fileMode, uid, and gid are optional, because mknod(2) doesn't need
them and specifies the handling when they aren't set [6,7].
Similarly, major/minor numbers are only required for S_IFCHR and
S_IFBLK [6].  I've left off wording about required runtime behavior
for unset values, because I'd rather address that with a blanket rule
[8].

For the cgroup, access is optional because the kernel docs show an
example that doesn't write an access field to the devices.deny file
[9].  The current kernel docs don't go into much detail on this
behavior (I expect unset and 'rwm' are equivalent), but if the kernel
doesn't need a value written, the spec should get out of the way and
allow users to not specify a value.

The reference links are sorted into two blocks, with kernel-doc links
sorted alphabetically followed by man pages sorted alphabetically by
section.  The cgroup link is new since 2016-01-13 [10].

[1]: https://groups.google.com/a/opencontainers.org/forum/#!topic/dev/y_Fsa2_jJaM
     Subject: Separate config entries for device mknod and cgroups?
     Date: Mon, 5 Oct 2015 12:46:55 -0700
     Message-ID: <20151005194655.GN28418@odin.tremily.us>
[2]: https://github.com/opencontainers/specs/pull/98
[3]: https://groups.google.com/a/opencontainers.org/forum/#!topic/dev/qWHoKs8Fsrk
     Subject: removal of cgroups from the OCI Linux spec
     Date: Wed, 28 Oct 2015 17:01:59 +0000
     Message-ID: <CAD2oYtO1RMCcUp52w-xXemzDTs+J6t4hS5Mm4mX+uBnVONGDfA@mail.gmail.com>
[4]: https://github.com/opencontainers/specs/pull/101
[5]: https://github.com/opencontainers/specs/pull/171#discussion_r41190655
[6]: http://man7.org/linux/man-pages/man2/mknod.2.html#DESCRIPTION
[7]: https://github.com/opencontainers/specs/pull/298/files#r51053835
[8]: https://github.com/opencontainers/specs/pull/285#issuecomment-167823651
[9]: https://kernel.org/doc/Documentation/cgroup-v1/devices.txt
[10]: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=34a9304a96d6351c2d35dcdc9293258378fc0bd8

Signed-off-by: W. Trevor King <wking@tremily.us>
2016-01-27 13:52:15 -08:00
Vincent Batts 9017a6c7e1 Merge pull request #284 from wking/single-config
config: Single, unified config file
2016-01-27 12:58:45 -05:00
W. Trevor King cb2da5430a config: Single, unified config file
Reverting 7232e4b1 (specs: introduce the concept of a runtime.json,
2015-07-30, #88) after discussion on the mailing list [1].  The main
reason is that it's hard to draw a clear line around "inherently
runtime-specific" or "non-portable", so we shouldn't try to do that in
the spec.  Folks who want to flag settings as non-portable for their
own system are welcome to do so (e.g. "we will clobber 'hooks' in
bundles we run"), but we don't have to split the config into multiple
files to do that.

There have been a number of additional changes since #88, so this
isn't a pure Git reversion.  Besides copy-pasting and the associated
link-target updates, I've:

* Restored path -> destination, now that the mount type contains both
  source and target paths again.  I'd prefer 'target' to 'destination'
  to match mount(2), but the pre-7232e4b1 phrasing was 'destination'
  (possibly due to Windows using 'target' for the source?).

* Restored the Windows mount example to its pre-7232e4b1 content.

* Removed required mounts from the config example (requirements landed
  in 3848a238, config-linux: specify the default devices/filesystems
  available, 2015-09-09, #164), because specifying those mounts in the
  config is now redundant.

* Used headers (vs. bold paragraphs) to set off mount examples so we
  get link anchors in the rendered Markdown.

* Replaced references to runtime.json with references to config.json.

[1]: https://groups.google.com/a/opencontainers.org/forum/#!topic/dev/0QbyJDM9fWY
     Subject: Single, unified config file (i.e. rolling back specs#88)
     Date: Wed, 4 Nov 2015 09:53:20 -0800
     Message-ID: <20151104175320.GC24652@odin.tremily.us>

Signed-off-by: W. Trevor King <wking@tremily.us>
2016-01-27 09:51:54 -08:00
W. Trevor King d715acfc1e style: Document recent Go-pointer exceptions
The general rule seems to be:

  If Go's default value has the same semantics we'd use for an unset
  value, don't bother with a pointer.

I'm not sure how well that squares with [1]:

  We want a consistent way to identify unset settings.

But if the falsy values count as "unset", maybe the "null is a
consistent identifier for unset" approach was never really viable.

Qiang points out that pointers are required to opt-out of boolean
settings where both true and false would require action [2], so I've
worded the exception to only apply when the Go default for the type is
explicitly a no-op in the spec.

I'm also not sure if the new style extends to integers where zero has
the same semantics as unset values.  It sounds like Michael was ok
with no pointers for those values [3], but OOMScoreAdj (where zero
clearly means "do nothing") got a pointer in #233 [4].  More clarity
on the threshold would be nice; in this commit I've laid out the logic
and not explicitly listed the types it applies to.

[1]: https://github.com/opencontainers/specs/pull/233#discussion_r47829711
[2]: https://github.com/opencontainers/specs/pull/317/files#r50932706
[3]: https://github.com/opencontainers/specs/pull/233#issuecomment-155250592
[4]: https://github.com/opencontainers/specs/pull/233/files#diff-34c30be66233f08b447fb608ea0e66bbR206

Signed-off-by: W. Trevor King <wking@tremily.us>
2016-01-26 21:23:49 -08:00
Vish Kannan 07bce393d0 Merge pull request #316 from mrunalp/cgroup_ptrs
Remove pointers for slices preferring omitempty tag instead
2016-01-26 10:25:44 -08:00
Mrunal Patel af055bd914 Remove pointers for slices preferring omitempty tag instead
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-01-25 20:09:40 -05:00
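The pointer rule laid out in the "style: Document recent Go-pointer exceptions" commit and the slice change in the "Remove pointers for slices" commit above, demonstrated in Go as an added example (not the specs repository's code). The struct is a constructed illustration with one field in each style: a plain bool whose zero value is already the no-op, a hypothetical `toggle` where both true and false would require action and so needs a pointer, an OOMScoreAdj-style `*int`, and a slice with `omitempty` and no pointer. Round-tripping shows what each style can and cannot tell the runtime about an absent key.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Settings is a constructed struct (not the spec's) with one field in each
// style the commits discuss.  "toggle" is a hypothetical boolean where both
// true and false would require runtime action; the other names echo real spec
// fields but the struct itself is only an illustration.
type Settings struct {
	// Go's zero value (false) is also the spec's no-op, so no pointer.
	NoNewPrivileges bool `json:"noNewPrivileges,omitempty"`
	// Both true and false would require action, so a pointer is needed to
	// distinguish "unset" (nil) from "explicitly false".
	Toggle *bool `json:"toggle,omitempty"`
	// Zero means "do nothing", yet a pointer was kept (the OOMScoreAdj case).
	OOMScoreAdj *int `json:"oomScoreAdj,omitempty"`
	// Slices: nil and empty both mean "nothing to apply", so no pointer;
	// omitempty keeps both out of the output.
	Paths []string `json:"paths,omitempty"`
}

func boolPtr(b bool) *bool { return &b }
func intPtr(i int) *int    { return &i }

// parse decodes a JSON fragment; absent keys leave the pointers nil.
func parse(doc string) (Settings, error) {
	var s Settings
	err := json.Unmarshal([]byte(doc), &s)
	return s, err
}

// explicit reports which pointer-typed fields were present in the input.
// The plain bool cannot be asked this: false and absent are identical.
func explicit(s Settings) map[string]bool {
	return map[string]bool{
		"toggle":      s.Toggle != nil,
		"oomScoreAdj": s.OOMScoreAdj != nil,
	}
}

// toggleAction is the decision a runtime makes for a field where both values
// require work: three outcomes, not two, which is why it needs the pointer.
func toggleAction(s Settings) string {
	switch {
	case s.Toggle == nil:
		return "leave as is"
	case *s.Toggle:
		return "enable"
	default:
		return "disable"
	}
}

// encode shows what omitempty does with each style on the way out: a nil
// pointer and a zero-value bool both vanish, a pointer to false does not.
func encode(s Settings) (string, error) {
	b, err := json.Marshal(s)
	return string(b), err
}

func main() {
	// Constructed inputs: an empty document and one with every key set to
	// its zero value.
	for _, doc := range []string{`{}`, `{"noNewPrivileges":false,"toggle":false,"oomScoreAdj":0,"paths":[]}`} {
		s, err := parse(doc)
		if err != nil {
			panic(err)
		}
		out, _ := encode(s)
		fmt.Printf("in %s\n  explicit=%v toggle=%q re-encoded=%s\n", doc, explicit(s), toggleAction(s), out)
	}
}
```

The second input is the case the commit worries about: after a round trip, `noNewPrivileges: false` and `paths: []` are gone, so "null means unset" can never be a uniform rule once falsy values are allowed to mean unset. The pointer fields keep their explicit false and zero, which is the only reason a runtime can act on them.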
Michael Crosby a7b50925d8 Merge pull request #314 from mrunalp/update_go_version
Update the go version to 1.5.3
2016-01-21 13:51:03 -08:00
Mrunal Patel ca1b5727b4 Update the go version to 1.5.3
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-01-21 15:30:41 -05:00
Vincent Batts acc1c63752 Merge pull request #290 from mrunalp/no_new_priv
Add NoNewPrivileges setting for linux
2016-01-20 17:45:55 -05:00
Mrunal Patel 5f327ba339 Add NoNewPrivileges setting for linux
This is a security setting that could be used to prevent processes in the
container from gaining additional privileges.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-01-20 14:30:29 -05:00
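What honouring that setting looks like in a runtime, as an added Go example (not the specs repository's or runc's code, and Linux only): the process calls prctl(2) with PR_SET_NO_NEW_PRIVS before execve, after which setuid/setgid bits and file capabilities on anything it executes no longer confer privilege, and the bit is sticky and inherited. The prctl operation numbers are spelled out from <linux/prctl.h> rather than taken from the syscall package, the per-thread check via `/proc/self/task/<tid>/status` depends on a kernel that exposes a `NoNewPrivs:` line, and the wrapper's command-line usage is hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"os/exec"
	"runtime"
	"strings"
	"syscall"
)

// prctl(2) operation numbers from <linux/prctl.h>, spelled out so the example
// needs only the standard syscall package.  Linux only.
const (
	prSetNoNewPrivs = 38 // PR_SET_NO_NEW_PRIVS
	prGetNoNewPrivs = 39 // PR_GET_NO_NEW_PRIVS
)

// applyNoNewPrivileges sets no_new_privs on the calling OS thread.  Once set
// it cannot be cleared and is inherited across fork and execve, so setuid and
// setgid bits and file capabilities on anything the container later executes
// stop granting privilege.  The kernel insists the unused arguments are zero,
// hence Syscall6 rather than a three-argument RawSyscall.
func applyNoNewPrivileges() error {
	if _, _, errno := syscall.Syscall6(syscall.SYS_PRCTL, prSetNoNewPrivs, 1, 0, 0, 0, 0); errno != 0 {
		return fmt.Errorf("prctl(PR_SET_NO_NEW_PRIVS): %v", errno)
	}
	return nil
}

// noNewPrivileges reads the bit back for the calling thread.
func noNewPrivileges() (bool, error) {
	r, _, errno := syscall.Syscall6(syscall.SYS_PRCTL, prGetNoNewPrivs, 0, 0, 0, 0, 0)
	if errno != 0 {
		return false, fmt.Errorf("prctl(PR_GET_NO_NEW_PRIVS): %v", errno)
	}
	return r == 1, nil
}

// statusNoNewPrivs cross-checks via the calling thread's /proc status file
// ("NoNewPrivs:" line on kernels that expose it).  Returns "" if the line is
// absent.  /proc/self/status would report the thread-group leader instead.
func statusNoNewPrivs() (string, error) {
	f, err := os.Open(fmt.Sprintf("/proc/self/task/%d/status", syscall.Gettid()))
	if err != nil {
		return "", err
	}
	defer f.Close()
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		if strings.HasPrefix(sc.Text(), "NoNewPrivs:") {
			return strings.TrimSpace(strings.TrimPrefix(sc.Text(), "NoNewPrivs:")), nil
		}
	}
	return "", sc.Err()
}

// applyAndVerify pins the goroutine to one OS thread (the bit is per thread,
// and Go goroutines otherwise migrate between threads), sets it, and reads it
// back both ways.  A single-threaded child about to execve has no such issue.
func applyAndVerify() (viaPrctl bool, viaProc string, err error) {
	runtime.LockOSThread()
	defer runtime.UnlockOSThread()
	if err = applyNoNewPrivileges(); err != nil {
		return
	}
	if viaPrctl, err = noNewPrivileges(); err != nil {
		return
	}
	viaProc, err = statusNoNewPrivs()
	return
}

// main is a small wrapper of the kind a runtime's exec path resembles: pin the
// thread, set the bit, then execve the requested command.  Hypothetical usage:
// "./nnp sudo -n true", which can no longer become root.
func main() {
	runtime.LockOSThread() // prctl and execve must happen on the same thread
	if err := applyNoNewPrivileges(); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if len(os.Args) < 2 {
		set, _ := noNewPrivileges()
		fmt.Println("no_new_privs set:", set)
		return
	}
	path, err := exec.LookPath(os.Args[1])
	if err == nil {
		err = syscall.Exec(path, os.Args[1:], os.Environ())
	}
	fmt.Fprintln(os.Stderr, err)
	os.Exit(1)
}
```

Two caveats worth keeping in mind when wiring this into a runtime: the bit only protects against privilege gained through execve, so it does not replace dropping capabilities or a seccomp profile, and because it is per thread it must be set on the exact thread that will go on to execve, which in a multi-threaded Go process means locking the OS thread first.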
Vincent Batts c8de60be8a Merge pull request #295 from vbatts/vbatts-test
Makefile: add a target to run tests
2016-01-20 13:41:02 -05:00
Vish Kannan 72e7cf9daf Merge pull request #280 from philips/try-and-add-some-use-cases
README: add some user stories
2016-01-19 12:57:00 -08:00
Brandon Philips 9289afe113 README: add runtime, bundle, and hook author user
Let's call out some users directly and give them titles. Then define what
they are trying to do.

Signed-off-by: Brandon Philips <brandon.philips@coreos.com>
2016-01-19 12:23:42 -08:00
Qiang Huang ec7ca919b7 Merge pull request #309 from vbatts/version_name
config: qualify the name of the version field
2016-01-18 12:07:51 +08:00
Mrunal Patel ed08c12e1a Merge pull request #312 from duglin/AbsCWD
Make cwd an abs path to avoid ambiguity
2016-01-15 16:02:54 -08:00
Vincent Batts 4e63ee0a1e config: qualify the name of the version field
https://github.com/opencontainers/specs/issues/110

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2016-01-15 10:51:53 -05:00
Doug Davis 5fb3203f6d Make cwd an abs path to avoid ambiguity
Signed-off-by: Doug Davis <dug@us.ibm.com>
2016-01-15 06:10:21 -08:00
Mrunal Patel d61af700d4 Merge pull request #311 from vbatts/unicode
style: remove unicode character
2016-01-14 16:12:31 -08:00
Vincent Batts 0e904c904f style: remove unicode character
pandoc/LaTeX is not happy with this shady character.

```
! Package inputenc Error: Unicode char \u8:↔ not set up for use with
LaTeX.
```

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2016-01-14 15:18:52 -05:00