config.md: minor changes for process #809
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
wking
reviewed
May 12, 2017
config.md
Outdated
| @@ -132,14 +132,14 @@ For Windows, see [mountvol][mountvol] and [SetVolumeMountPoint][set-volume-mount | |||
| * **`env`** (array of strings, OPTIONAL) with the same semantics as [IEEE Std 1003.1-2001's `environ`][ieee-1003.1-2001-xbd-c8.1]. | |||
| * **`args`** (array of strings, REQUIRED) with similar semantics to [IEEE Std 1003.1-2001 `execvp`'s *argv*][ieee-1003.1-2001-xsh-exec]. | |||
| This specification extends the IEEE standard in that at least one entry is REQUIRED, and that entry is used with the same semantics as `execvp`'s *file*. | |||
| * **`capabilities`** (object, OPTIONAL) is an object containing arrays that specifies the sets of capabilities for the process(es) inside the container. Valid values are platform-specific. For example, valid values for Linux are defined in the [capabilities(7)][capabilities.7] man page, such as `CAP_CHOWN`. Any value which cannot be mapped to a relevant kernel interface MUST cause an error. | |||
| * **`capabilities`** (object, OPTIONAL) is an object containing arrays that specifies the sets of capabilities for the processes in the container. Valid values are platform-specific. For example, valid values for Linux are defined in the [capabilities(7)][capabilities.7] man page, such as `CAP_CHOWN`. Any value which cannot be mapped to a relevant kernel interface MUST cause an error. | |||
There was a problem hiding this comment.
They may not all have these caps anyway (e.g. you could inject in a new process into the container with more caps, or drop the caps in the main process or one of its children). This is just setting the caps for the process configured by process, so we should probably follow the earlier properties in this section and replace “the process(es) inside the container” with “the process”.
config.md
Outdated
| * **`terminal`** (bool, OPTIONAL) specifies whether a terminal is attached to that process, defaults to false. | ||
| As an example, if set to true on Linux a pseudoterminal pair is allocated for the container process and the pseudoterminal slave is duplicated on the container process's [standard streams][stdin.3]. | ||
| * **`terminal`** (bool, OPTIONAL) specifies whether a terminal is attached to the process, defaults to false. | ||
| As an example, if set to true on Linux a pseudoterminal pair is allocated for the process and the pseudoterminal slave is duplicated on the process's [standard streams][stdin.3]. |
There was a problem hiding this comment.
While we touch this line, can we shift to four-space indents? Or we can punt that to a PR that just does whitespace adjustment for process (like #724 is doing for hooks).
There was a problem hiding this comment.
Let's punt that to a new PR. There are too many lines starting with two-space indents
Mashimiao
force-pushed
the
config-minor-process-changes
branch
from
3e8ee95
to
641c704
Compare
wking
reviewed
May 13, 2017
config.md
Outdated
| @@ -132,14 +132,14 @@ For Windows, see [mountvol][mountvol] and [SetVolumeMountPoint][set-volume-mount | |||
| * **`env`** (array of strings, OPTIONAL) with the same semantics as [IEEE Std 1003.1-2001's `environ`][ieee-1003.1-2001-xbd-c8.1]. | |||
| * **`args`** (array of strings, REQUIRED) with similar semantics to [IEEE Std 1003.1-2001 `execvp`'s *argv*][ieee-1003.1-2001-xsh-exec]. | |||
| This specification extends the IEEE standard in that at least one entry is REQUIRED, and that entry is used with the same semantics as `execvp`'s *file*. | |||
| * **`capabilities`** (object, OPTIONAL) is an object containing arrays that specifies the sets of capabilities for the process(es) inside the container. Valid values are platform-specific. For example, valid values for Linux are defined in the [capabilities(7)][capabilities.7] man page, such as `CAP_CHOWN`. Any value which cannot be mapped to a relevant kernel interface MUST cause an error. | |||
| * **`capabilities`** (object, OPTIONAL) is an object containing arrays that specifies the sets of capabilities for the process in the container. Valid values are platform-specific. For example, valid values for Linux are defined in the [capabilities(7)][capabilities.7] man page, such as `CAP_CHOWN`. Any value which cannot be mapped to a relevant kernel interface MUST cause an error. | |||
There was a problem hiding this comment.
I still think we want to drop “in(side) the container” here, like you're doing up above for terminal. And we should do that down in rlimits too. The initial process line establishes that the process is inside the container, and all these properties under process can just use “the process”.
Mashimiao
force-pushed
the
config-minor-process-changes
branch
from
641c704
to
9086f1d
Compare
wking
reviewed
May 15, 2017
config.md
Outdated
| As an example, the ['no_new_privs'][no-new-privs] article in the kernel documentation has information on how this is achieved using a prctl system call on Linux. | ||
|
|
||
| For Linux-based systems the process structure supports the following process-specific fields. | ||
|
|
||
| * **`apparmorProfile`** (string, OPTIONAL) specifies the name of the AppArmor profile to be applied to processes in the container. | ||
| * **`apparmorProfile`** (string, OPTIONAL) specifies the name of the AppArmor profile to be applied to process. |
There was a problem hiding this comment.
“to process” → “to the process”.
There was a problem hiding this comment.
fixed, thanks
Still not fixed in 04864b7.
There was a problem hiding this comment.
And maybe "to be applied to" -> "for", to get the same substance in fewer words.
There was a problem hiding this comment.
sorry, may left it behind when doing rebase. updated.
Mashimiao
force-pushed
the
config-minor-process-changes
branch
from
9086f1d
to
2b59a13
Compare
wking
approved these changes
May 16, 2017
wking
added a commit
to wking/opencontainer-runtime-spec
that referenced
this pull request
May 18, 2017
…gain) Roll back the genericization from 718f9f3 (minor narrative cleanup regarding config compatibility, 2017-01-30, opencontainers#673). Lifting the restriction there seems to have been motivated by "Solaris supports capabilities", but that was before the split into a capabilities object which happened in eb114f0 (Add ambient and bounding capability support, 2017-02-02, opencontainers#675). It's not clear if Solaris supports ambient caps, or what Solaris API rlimits or noNewPrivileges were punting to [1]. And John Howard has recently confirmed that Windows does not support capabilities and is unlikely to do so in the future [2]. John's statement didn't directly address rlimits or noNewPrivileges, but we can always restore any of these properties to the Solaris/Windows platforms if/when we get docs about which API we're punting to on those platforms. Also add some backticks, remove the hyphens in "OPTIONAL) - the", standardize lines I touch to use "the process" [3], and use four-space indents here to keep Pandoc happy (see 7795661 (runtime.md: Fix sub-bullet indentation, 2016-06-08, opencontainers#495). [1]: opencontainers#673 (comment) [2]: opencontainers#810 (comment) [3]: opencontainers#809 (comment) Signed-off-by: W. Trevor King <[email protected]>
|
@opencontainers/runtime-spec-maintainers PTAL |
tianon
reviewed
May 23, 2017
config.md
Outdated
| @@ -119,11 +119,11 @@ For Windows, see [mountvol][mountvol] and [SetVolumeMountPoint][set-volume-mount | |||
|
|
|||
| ## <a name="configProcess" />Process | |||
|
|
|||
| **`process`** (object, OPTIONAL) specifies the container process. | |||
| **`process`** (object, OPTIONAL) specifies a process to run inside the container. | |||
There was a problem hiding this comment.
IMO "the container process" has a very different connotation here than simply "a process to run", especially in the context of a PID namespace (which can only exist as long as "the" container process does), so this change doesn't make a lot of sense to me.
Mashimiao
force-pushed
the
config-minor-process-changes
branch
from
2b59a13
to
d3f0b51
Compare
wking
added a commit
to wking/opencontainer-runtime-spec
that referenced
this pull request
May 23, 2017
Roll back the genericization from 718f9f3 (minor narrative cleanup regarding config compatibility, 2017-01-30, opencontainers#673). Lifting the restriction there seems to have been motivated by "Solaris supports capabilities", but that was before the split into a capabilities object which happened in eb114f0 (Add ambient and bounding capability support, 2017-02-02, opencontainers#675). It's not clear if Solaris supports ambient caps, or what Solaris API noNewPrivileges were punting to [1]. And John Howard has recently confirmed that Windows does not support capabilities and is unlikely to do so in the future [2]. He also confirmed that Windows does not support rlimits [3]. John's statement didn't directly address noNewPrivileges, but we can always restore any of these properties to the Solaris/Windows platforms if/when we get docs about which API we're punting to on those platforms. Also add some backticks, remove the hyphens in "OPTIONAL) - the", standardize lines I touch to use "the process" [4], and use four-space indents here to keep Pandoc happy (see 7795661 (runtime.md: Fix sub-bullet indentation, 2016-06-08, opencontainers#495). [1]: opencontainers#673 (comment) [2]: opencontainers#810 (comment) [3]: opencontainers#835 (comment) [4]: opencontainers#809 (comment) Signed-off-by: W. Trevor King <[email protected]>
wking
added a commit
to wking/opencontainer-runtime-spec
that referenced
this pull request
Jun 1, 2017
Roll back the genericization from 718f9f3 (minor narrative cleanup regarding config compatibility, 2017-01-30, opencontainers#673). Lifting the restriction there seems to have been motivated by "Solaris supports capabilities", but that was before the split into a capabilities object which happened in eb114f0 (Add ambient and bounding capability support, 2017-02-02, opencontainers#675). It's not clear if Solaris supports ambient caps, or what Solaris API noNewPrivileges were punting to [1]. And John Howard has recently confirmed that Windows does not support capabilities and is unlikely to do so in the future [2]. He also confirmed that Windows does not support rlimits [3]. John's statement didn't directly address noNewPrivileges, but we can always restore any of these properties to the Solaris/Windows platforms if/when we get docs about which API we're punting to on those platforms. Also add some backticks, remove the hyphens in "OPTIONAL) - the", standardize lines I touch to use "the process" [4], and use four-space indents here to keep Pandoc happy (see 7795661 (runtime.md: Fix sub-bullet indentation, 2016-06-08, opencontainers#495). [1]: opencontainers#673 (comment) [2]: opencontainers#810 (comment) [3]: opencontainers#835 (comment) [4]: opencontainers#809 (comment) Signed-off-by: W. Trevor King <[email protected]>
|
@Mashimiao can you rebase? |
Mashimiao
force-pushed
the
config-minor-process-changes
branch
from
d3f0b51
to
04864b7
Compare
|
@opencontainers/runtime-spec-maintainers rebased. PTAL |
Signed-off-by: Ma Shimiao <[email protected]>
Mashimiao
force-pushed
the
config-minor-process-changes
branch
from
04864b7
to
cbae6d0
Compare
|
LGTM |
1 similar comment
|
LGTM |
dqminh
pushed a commit
to dqminh/runtime-spec
that referenced
this pull request
Jul 5, 2017
Roll back the genericization from 718f9f3 (minor narrative cleanup regarding config compatibility, 2017-01-30, opencontainers#673). Lifting the restriction there seems to have been motivated by "Solaris supports capabilities", but that was before the split into a capabilities object which happened in eb114f0 (Add ambient and bounding capability support, 2017-02-02, opencontainers#675). It's not clear if Solaris supports ambient caps, or what Solaris API noNewPrivileges were punting to [1]. And John Howard has recently confirmed that Windows does not support capabilities and is unlikely to do so in the future [2]. He also confirmed that Windows does not support rlimits [3]. John's statement didn't directly address noNewPrivileges, but we can always restore any of these properties to the Solaris/Windows platforms if/when we get docs about which API we're punting to on those platforms. Also add some backticks, remove the hyphens in "OPTIONAL) - the", standardize lines I touch to use "the process" [4], and use four-space indents here to keep Pandoc happy (see 7795661 (runtime.md: Fix sub-bullet indentation, 2016-06-08, opencontainers#495). [1]: opencontainers#673 (comment) [2]: opencontainers#810 (comment) [3]: opencontainers#835 (comment) [4]: opencontainers#809 (comment) Signed-off-by: W. Trevor King <[email protected]>
Merged
wking
added a commit
to wking/nmbug-oci
that referenced
this pull request
Jul 26, 2017
With [1], which landed on 2016-05-26 [2], 'kill' is signalling "the process in the container". And since [3] (2017-06-04), the only remaining "processes" references have to do with namespaces, where the namespace in question is fairly clear. So I don't think there's much uncertainty left about what "container processes" means, or any implication that it's a single set of processes. [1]: https://github.com/duglin/runtime-spec/blob/be594153b522f52bebd0500cef6fe0f1d77f6a59/runtime.md#kill [2]: opencontainers/runtime-spec#384 (comment) [3]: opencontainers/runtime-spec#809 (comment)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Signed-off-by: Ma Shimiao [email protected]