runtime-spec icon indicating copy to clipboard operation
runtime-spec copied to clipboard

Published 20 hours ago verified publisher icon opencontainers

Should linux fields be in process directly, or a level down?

Open lowenna opened this issue 8 years ago • 2 comments

Looking at the spec all-up, it seems that the Process struct is imbalanced relative to the spec in general, and shouldn't directly contain the Linux-specific fields, namely Capabilities, Rlimits, NoNewPrivileges, ApparmorProfile, OOMScoreAdj, SelinuxLabel and instead mirror the top-level Spec structure and have a LinuxProcess struct with those fields.

Something like

// Process contains information to start a specific application inside the container.
type Process struct {
	// Terminal creates an interactive terminal for the container.
	Terminal bool `json:"terminal,omitempty"`
	// ConsoleSize specifies the size of the console.
	ConsoleSize *Box `json:"consoleSize,omitempty"`
	// User specifies user information for the process.
	User User `json:"user"`
	// Args specifies the binary and arguments for the application to execute.
	Args []string `json:"args"`
	// Env populates the process environment for the process.
	Env []string `json:"env,omitempty"`
	// Cwd is the current working directory for the process and must be
	// relative to the container's root.
	Cwd string `json:"cwd"`
	// LinuxProcess is platform-specific configuration for Linux processes.
	LinuxProcess *LinuxProcess `json:"linuxprocess,omitempty" platform:"linux"`
}

// LinuxProcess contains platform-specific configurations for Linux processes in containers.
type LinuxProcess struct {	
	// Capabilities are Linux capabilities that are kept for the process.
	Capabilities *LinuxCapabilities `json:"capabilities,omitempty" platform:"linux"`
	// Rlimits specifies rlimit options to apply to the process.
	Rlimits []LinuxRlimit `json:"rlimits,omitempty" platform:"linux"`
	// NoNewPrivileges controls whether additional privileges could be gained by processes in the container.
	NoNewPrivileges bool `json:"noNewPrivileges,omitempty" platform:"linux"`
	// ApparmorProfile specifies the apparmor profile for the container.
	ApparmorProfile string `json:"apparmorProfile,omitempty" platform:"linux"`
	// Specify an oom_score_adj for the container.
	OOMScoreAdj *int `json:"oomScoreAdj,omitempty"`
	// SelinuxLabel specifies the selinux context that the container process is run as.
	SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`
}

Thoughts?

lowenna avatar May 16 '17 17:05 lowenna

we've gone back on forth on this. I'm sure @wking could give a historical breakdown.

vbatts avatar May 16 '17 17:05 vbatts

On Tue, May 16, 2017 at 10:54:40AM -0700, v1.0.0.batts wrote:

I'm sure @wking could give a historical breakdown.

The current policy (since at least 2016-05-18) seems to be 1:

If any platform cannot use your setting, namespace it, unless that would seem weird for aesthetic reasons we're punting on defining.

Maybe this is a call to define those aesthetic reasons or drop the loophole? The initial shift of Linux-specific stuff into ‘process’ happened in #329, and there was a more recent shift in #789, neither of which has a lot of discussion about whether namespacing is appropriate. There is some previous discussion about namespacing in #405; for example, see [2,3,4].

wking avatar May 16 '17 18:05 wking