1 change: 0 additions & 1 deletion config-linux.md
Expand Up @@ -39,7 +39,6 @@ The following parameters can be specified to setup namespaces:

If a path is specified, that particular file is used to join that type of namespace.
If a namespace type is not specified in the `namespaces` array, the container MUST inherit the [runtime namespace](glossary.md#runtime-namespace) of that type.
If a new namespace is not created (because the namespace type is not listed, or because it is listed with a `path`), runtimes MUST assume that the setup for that namespace has already been done and error out if the config specifies anything else related to that namespace.

###### Example

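Review bot: the deleted sentence was the only place in config-linux.md that spelled out what a runtime does when a namespace type is omitted or joined through a `path` (assume setup is already done and error out on any other config for that namespace); after this hunk the surviving text only says that an unlisted type inherits the runtime namespace. Since the rule now lives in the new Ownership section of config.md, add a one-line pointer here so readers of the Linux namespace section still find it, e.g. `See [Ownership](config.md#ownership) for attributes of namespaces the container did not create.`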
16 changes: 16 additions & 0 deletions config.md
Expand Up @@ -8,6 +8,22 @@ This includes the process to run, environment variables to inject, sandboxing fe

Below is a detailed description of each field defined in the configuration format.

## Ownership

This specification treats system attributes as belonging to a particular container.
It does not support one container adjusting attributes that belong to another container.
Runtimes MUST generate an error if the configuration sets an attribute that belongs to another container.

For example, the following are valid:

* A Linux configuration that creates a new [UTS namespace](config-linux.md#namespaces) and sets [`hostname`](#hostname).
* A Linux configuration that sets [network limits][config-linux.md#network] with a new [control group][config-linux.md#control-groups], regardless of whether it creates a new [network namespace](config-linux.md#namespaces).

While the following are invalid:

* A Linux configuration that sets [`hostname`](#hostname) but does not create a new [UTS namespace](config-linux.md#namespaces).
* A Linux configuration that sets [network limits][config-linux.md#network] with an existing [control group][config-linux.md#control-groups].
How to judge a cgroup is an existing one or a new one?

Contributor Author

On Fri, Aug 26, 2016 at 01:24:04AM -0700, Ma Shimiao wrote:

+* A Linux configuration that sets [network limits][config-linux.md#network] with an existing [control group][config-linux.md#control-groups].

How to judge a cgroup is an existing one or a new one?

If cgroupsPath is absolute, you can require no cgroups to exist at
that relative path from the controller mount points 1. You can also
compare cgroupsPath with values set for other running containers 2,
if you happen to know which other containers are running and which
runtime was used to launch them. In other cases, external tooling
like ocitools should probably skip this test.

Runtimes creating a container, on the other hand, have an easy way to
tell: they're using a new cgroup if they try to mkdir the leaf group
and it does not return EEXIST or other error.
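The mkdir/EEXIST test described in the reply above, written out as an added Go example that is not part of the runtime-spec project or of this PR. It stands a temporary directory in for a controller mount point so the real cgroup tree is never touched; `leafPath`, `claimLeafCgroup` and `validateOwnership` are names chosen for this illustration, and resolving an absolute `cgroupsPath` by joining it under the mount point is an assumption the spec text in this hunk does not itself define.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// CgroupState records whether the runtime created the leaf cgroup itself or
// found one already there.
type CgroupState int

const (
	CgroupCreated  CgroupState = iota // mkdir succeeded: the cgroup belongs to this container
	CgroupExisting                    // mkdir failed with EEXIST: someone else set it up
)

func (s CgroupState) String() string {
	if s == CgroupCreated {
		return "created"
	}
	return "existing"
}

// leafPath resolves an absolute cgroupsPath (e.g. "/myRuntime/myContainer")
// relative to a controller mount point. Hypothetical helper: the hunk under
// review does not define this resolution, it is assumed here.
func leafPath(mountPoint, cgroupsPath string) string {
	return filepath.Join(mountPoint, cgroupsPath)
}

// claimLeafCgroup applies the rule from the reply: try to mkdir the leaf
// group; success means a new cgroup, EEXIST means an existing one. Any other
// error (missing parent, permissions) is surfaced unchanged so the caller
// does not mistake it for "existing".
func claimLeafCgroup(leaf string) (CgroupState, error) {
	err := os.Mkdir(leaf, 0o755)
	switch {
	case err == nil:
		return CgroupCreated, nil
	case errors.Is(err, fs.ErrExist):
		return CgroupExisting, nil
	default:
		return CgroupExisting, fmt.Errorf("claim cgroup %q: %w", leaf, err)
	}
}

// validateOwnership enforces the Ownership paragraph of the config.md hunk:
// a configuration may only set limits on a control group it created.
func validateOwnership(state CgroupState, setsLimits bool) error {
	if setsLimits && state == CgroupExisting {
		return errors.New("config sets limits on an existing control group; that attribute belongs to another container")
	}
	return nil
}

func main() {
	// Constructed scratch tree standing in for a controller mount point such
	// as /sys/fs/cgroup/net_cls; nothing here touches the real hierarchy.
	mount, err := os.MkdirTemp("", "net_cls-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(mount)

	leaf := leafPath(mount, "/myRuntime/myContainer")
	// The parent level is created up front so that only the leaf is claimed.
	if err := os.MkdirAll(filepath.Dir(leaf), 0o755); err != nil {
		panic(err)
	}

	// First attempt creates the leaf; the second finds it and the ownership
	// check rejects a config that wants to set limits on it.
	for i := 1; i <= 2; i++ {
		state, err := claimLeafCgroup(leaf)
		if err != nil {
			panic(err)
		}
		fmt.Printf("attempt %d: cgroup %s, ownership check: %v\n",
			i, state, validateOwnership(state, true))
	}
}
```

The second claim is what the reply calls "an existing one": the runtime did not create the directory, so under the Ownership rule it must not apply limits to it, while a config that merely joins the cgroup without setting limits passes.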


## Specification version

* **`ociVersion`** (string, required) MUST be in [SemVer v2.0.0](http://semver.org/spec/v2.0.0.html) format and specifies the version of the Open Container Runtime Specification with which the bundle complies.
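Review bot: the `[network limits][config-linux.md#network]` and `[control group][config-linux.md#control-groups]` links in both the valid and the invalid example lists use reference-style square brackets, so they will not render as links unless a matching reference definition exists elsewhere in config.md; change them to inline links, `[network limits](config-linux.md#network)` and `[control group](config-linux.md#control-groups)`, matching the `(config-linux.md#namespaces)` form used on the same lines. Separately, the invalid example depends on the reader knowing what "an existing control group" means; the criterion given in the thread (a runtime is using a new cgroup when creating the leaf directory succeeds rather than failing with EEXIST) belongs in the Ownership text itself, since a validator reading only the bundle has no other way to apply the rule.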