config: Make capabilities, noNewPrivileges, and rlimits Linux-only (again) #835
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Looks conflicted with https://github.com/opencontainers/runtime-spec/pull/845/files ( rlimits is not linux-specific ) The changes to capabilities and nonewprivileges looks sane though. |
|
On Tue, May 23, 2017 at 07:43:14AM -0700, Daniel, Dao Quang Minh wrote:
Looks conflicted with
https://github.com/opencontainers/runtime-spec/pull/845/files (
rlimits is not linux-specific )
|
|
|
On Tue, May 23, 2017 at 09:23:37AM -0700, John Howard wrote:
> Do you have Solaris and/or Windows docs for what API they'll use to
> implement rlimits?
`rlimits` are meaningless on Windows certainly.
So I can reroll this to make rlimits Linux or Solaris, and just punt
to POSIX for the Solaris values until we hear from some Solaris person
with Solaris-specific docs?
|
|
I can only comment on the windows part, but makes sense to me.... |
wking
force-pushed
the
linux-only-capabilities-again
branch
from
550db9f to
15f5fd6
Compare
wking
added a commit
to wking/opencontainer-runtime-spec
that referenced
this pull request
May 23, 2017
Roll back the genericization from 718f9f3 (minor narrative cleanup regarding config compatibility, 2017-01-30, opencontainers#673). Lifting the restriction there seems to have been motivated by "Solaris supports capabilities", but that was before the split into a capabilities object which happened in eb114f0 (Add ambient and bounding capability support, 2017-02-02, opencontainers#675). It's not clear if Solaris supports ambient caps, or what Solaris API noNewPrivileges were punting to [1]. And John Howard has recently confirmed that Windows does not support capabilities and is unlikely to do so in the future [2]. He also confirmed that Windows does not support rlimits [3]. John's statement didn't directly address noNewPrivileges, but we can always restore any of these properties to the Solaris/Windows platforms if/when we get docs about which API we're punting to on those platforms. Also add some backticks, remove the hyphens in "OPTIONAL) - the", standardize lines I touch to use "the process" [4], and use four-space indents here to keep Pandoc happy (see 7795661 (runtime.md: Fix sub-bullet indentation, 2016-06-08, opencontainers#495). [1]: opencontainers#673 (comment) [2]: opencontainers#810 (comment) [3]: opencontainers#835 (comment) [4]: opencontainers#809 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
wking
added a commit
to wking/opencontainer-runtime-spec
that referenced
this pull request
May 23, 2017
This property was initially Linux-specific. 718f9f3 (minor narrative cleanup regarding config compatibility, 2017-01-30, opencontainers#673) removed the Linux restriction, but the rlimit concept is from POSIX and Windows doesn't support it [1]. This commit adds new subsections for the POSIX-specific and Linux-specific process entries (to match the approach we currently use for process.user), and punts to POSIX for the Solaris values and compliance testing approach. If/when we get a Solaris-specific doc for valid values, we can replace the POSIX punt there, but we probably want to continue punting to POSIX for getrlimit(3)-based compliance testing. [1]: opencontainers#835 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
wking
force-pushed
the
linux-only-capabilities-again
branch
from
15f5fd6 to
b4d7fae
Compare
wking
added a commit
to wking/opencontainer-runtime-spec
that referenced
this pull request
May 23, 2017
This property was initially Linux-specific. 718f9f3 (minor narrative cleanup regarding config compatibility, 2017-01-30, opencontainers#673) removed the Linux restriction, but the rlimit concept is from POSIX and Windows doesn't support it [1]. This commit adds new subsections for the POSIX-specific and Linux-specific process entries (to match the approach we currently use for process.user), and punts to POSIX for the Solaris values and compliance testing approach. If/when we get a Solaris-specific doc for valid values, we can replace the POSIX punt there, but we probably want to continue punting to POSIX for getrlimit(3)-based compliance testing. I've renamed the overly-specific LinuxRlimit to POSIXRlimit. We could use the generic Rlimit, but then we'd be stuck if/when Windows adds support for some rlimit-like thing that doesn't match up cleanly enough for us to use the POSIX structure. [1]: opencontainers#835 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
|
Ok, I've rerolled this with 550db9f → b4d7fae, which makes It also renames the Go When adding the POSIX link for rlimits, I also added wording for RFC 2119 compliance testing, styled after the approach I'd floated for devices in #829 and some wording we already use for valid If we want to focus on just the capabilities change, I'm happy to spin off the first commit into its own PR, and we can get back to this PR and the rlimits change if/when that cap PR lands. |
|
This is a breaking change for Solaris and Windows (removing
process.capabilities for those configs) and allows Windows runtimes
(which have no API to implement the
currently-required-in-master-for-them process.capabilities) and
Solaris runtimes (which may not have an API to implement the
currently-required-in-master-for-them process.capabilities.ambient) to
be certified compliant. I think that's sufficient grounds to
milestone it 1.0 freeze [1] unless we preview those platforms [2].
[1]: https://github.com/opencontainers/runtime-spec/milestone/15
[2]: #817 (comment)
|
lowenna
reviewed
May 25, 2017
| // LinuxRlimit type and restrictions | ||
| type LinuxRlimit struct { | ||
| // POSIXRlimit type and restrictions | ||
| type POSIXRlimit struct { |
There was a problem hiding this comment.
Wondering if this should be moved out of the bunch of Linux structures which surround it so that there are POSIX, Linux, Solaris and Windows sections grouped together. Otherwise LGTM (not a maintainer)
There was a problem hiding this comment.
Wondering if this should be moved out of the bunch of Linux structures which surround…
I don't care and am happy to do whatever maintainers want for type ordering.
Roll back the genericization from 718f9f3 (minor narrative cleanup regarding config compatibility, 2017-01-30, opencontainers#673). Lifting the restriction there seems to have been motivated by "Solaris supports capabilities", but that was before the split into a capabilities object which happened in eb114f0 (Add ambient and bounding capability support, 2017-02-02, opencontainers#675). It's not clear if Solaris supports ambient caps, or what Solaris API noNewPrivileges were punting to [1]. And John Howard has recently confirmed that Windows does not support capabilities and is unlikely to do so in the future [2]. He also confirmed that Windows does not support rlimits [3]. John's statement didn't directly address noNewPrivileges, but we can always restore any of these properties to the Solaris/Windows platforms if/when we get docs about which API we're punting to on those platforms. Also add some backticks, remove the hyphens in "OPTIONAL) - the", standardize lines I touch to use "the process" [4], and use four-space indents here to keep Pandoc happy (see 7795661 (runtime.md: Fix sub-bullet indentation, 2016-06-08, opencontainers#495). [1]: opencontainers#673 (comment) [2]: opencontainers#810 (comment) [3]: opencontainers#835 (comment) [4]: opencontainers#809 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
This property was initially Linux-specific. 718f9f3 (minor narrative cleanup regarding config compatibility, 2017-01-30, opencontainers#673) removed the Linux restriction, but the rlimit concept is from POSIX and Windows doesn't support it [1]. This commit adds new subsections for the POSIX-specific and Linux-specific process entries (to match the approach we currently use for process.user), and punts to POSIX for the Solaris values and compliance testing approach. If/when we get a Solaris-specific doc for valid values, we can replace the POSIX punt there, but we probably want to continue punting to POSIX for getrlimit(3)-based compliance testing. I've renamed the overly-specific LinuxRlimit to POSIXRlimit. We could use the generic Rlimit, but then we'd be stuck if/when Windows adds support for some rlimit-like thing that doesn't match up cleanly enough for us to use the POSIX structure. [1]: opencontainers#835 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
wking
force-pushed
the
linux-only-capabilities-again
branch
from
b4d7fae to
cb8df7b
Compare
|
We should make this change less about linux && solaris and more about unix vs windows as most of the things we have generally apply to unixes and we only need to point out exceptions for windows |
I'll rebase this one after #838 lands, since I've covered the rest of the POSIX-ification there. |
|
I agree with @crosbymichael -- using "POSIX" to mean "not Windows" is a bit off the mark, especially since Windows is largely POSIX-compliant in many areas (or at least has been in the past). +1 for Unix or Unix-like instead |
|
@wking pls2rebase |
|
no idea when @wking will be back to rebase this. Wednesday the 5th is drawing close ... |
|
if @wking doesnt get to this tomorrow, i can carry this change. |
dqminh
pushed a commit
to dqminh/runtime-spec
that referenced
this pull request
Jul 5, 2017
Roll back the genericization from 718f9f3 (minor narrative cleanup regarding config compatibility, 2017-01-30, opencontainers#673). Lifting the restriction there seems to have been motivated by "Solaris supports capabilities", but that was before the split into a capabilities object which happened in eb114f0 (Add ambient and bounding capability support, 2017-02-02, opencontainers#675). It's not clear if Solaris supports ambient caps, or what Solaris API noNewPrivileges were punting to [1]. And John Howard has recently confirmed that Windows does not support capabilities and is unlikely to do so in the future [2]. He also confirmed that Windows does not support rlimits [3]. John's statement didn't directly address noNewPrivileges, but we can always restore any of these properties to the Solaris/Windows platforms if/when we get docs about which API we're punting to on those platforms. Also add some backticks, remove the hyphens in "OPTIONAL) - the", standardize lines I touch to use "the process" [4], and use four-space indents here to keep Pandoc happy (see 7795661 (runtime.md: Fix sub-bullet indentation, 2016-06-08, opencontainers#495). [1]: opencontainers#673 (comment) [2]: opencontainers#810 (comment) [3]: opencontainers#835 (comment) [4]: opencontainers#809 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
dqminh
pushed a commit
to dqminh/runtime-spec
that referenced
this pull request
Jul 5, 2017
This property was initially Linux-specific. 718f9f3 (minor narrative cleanup regarding config compatibility, 2017-01-30, opencontainers#673) removed the Linux restriction, but the rlimit concept is from POSIX and Windows doesn't support it [1]. This commit adds new subsections for the POSIX-specific and Linux-specific process entries (to match the approach we currently use for process.user), and punts to POSIX for the Solaris values and compliance testing approach. If/when we get a Solaris-specific doc for valid values, we can replace the POSIX punt there, but we probably want to continue punting to POSIX for getrlimit(3)-based compliance testing. I've renamed the overly-specific LinuxRlimit to POSIXRlimit. We could use the generic Rlimit, but then we'd be stuck if/when Windows adds support for some rlimit-like thing that doesn't match up cleanly enough for us to use the POSIX structure. [1]: opencontainers#835 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
|
I have opened #880 to replace this. |
dqminh
pushed a commit
to dqminh/runtime-spec
that referenced
this pull request
Jul 5, 2017
This property was initially Linux-specific. 718f9f3 (minor narrative cleanup regarding config compatibility, 2017-01-30, opencontainers#673) removed the Linux restriction, but the rlimit concept is from POSIX and Windows doesn't support it [1]. This commit adds new subsections for the POSIX-specific and Linux-specific process entries (to match the approach we currently use for process.user), and punts to POSIX for the Solaris values and compliance testing approach. If/when we get a Solaris-specific doc for valid values, we can replace the POSIX punt there, but we probably want to continue punting to POSIX for getrlimit(3)-based compliance testing. I've renamed the overly-specific LinuxRlimit to POSIXRlimit. We could use the generic Rlimit, but then we'd be stuck if/when Windows adds support for some rlimit-like thing that doesn't match up cleanly enough for us to use the POSIX structure. [1]: opencontainers#835 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
This was referenced Oct 10, 2017
Merged
wking
added a commit
to wking/ocitools-v2
that referenced
this pull request
Nov 3, 2017
This isn't a question of not being implemented yet. Windows does not, and is unlikely to ever, support rlimits [1]. And the spec only defines process.rlimits for POSIX platforms [2]. Folks writing Windows configs will only be setting process.rlimits as an out-of-spec extention. We, as runtime validators, are unlikely to write such configs. But if we use runtimetest in a container launched from such a config, we should silently ignore that out-of-spec extention, just like we silently ignore all other out-of-spec extentions, instead of logging a warning. [1]: opencontainers/runtime-spec#835 (comment) [2]: https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#posix-process Signed-off-by: W. Trevor King <wking@tremily.us>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is the alternative to the recently-closed #810.
Roll back the genericization from #673. Lifting the restriction there seems to have been motivated by “Solaris supports capabilities”, but that was before the split into a capabilities object which happened in #675. It's not clear if Solaris supports ambient caps, or what Solaris API
rlimitsornoNewPrivilegeswere punting to. @jhowardmsft has recently confirmed that Windows does not support capabilities and is unlikely to do so in the future. John's statement didn't directly addressrlimitsornoNewPrivileges, but we can always restore any of these properties to the Solaris/Windows platforms if/when we get docs about which API we're punting to on those platforms.Also add some backticks, remove the hyphens in
OPTIONAL) - the, standardize lines I touch to use “the process”, and use four-space indents here to keep Pandoc happy (see #495).This PR will conflict with #809, and I'm happy to rebase if that one lands first.