Remove exec from required runtime functionalities. #388
Conversation
|
On Tue, Apr 19, 2016 at 10:53:58AM -0700, Vish Kannan wrote: Probably want two newlines instead of the period to avoid the |
|
Do we want to put suggestions about implementing exec in an { The namespace paths and cgroupsPath would come from a procfs entry,
The namespace paths would be from /proc/{pid}/ns/…, and the Any ideas about ‘root’? |
|
LGTM after travis is happy |
|
@wking We need blessed cookbook for the Spec. |
Signed-off-by: Vishnu kannan <vishnuk@google.com>
|
On Tue, Apr 19, 2016 at 03:20:51PM -0700, Vish Kannan wrote:
Sounds good to me. And that can certainly happen in a separate |
|
We can work on that stuff later, we just need to get the spec finalized and in good shape before we start talking about how ppl should implement something |
|
On Tue, Apr 19, 2016 at 04:09:13PM -0700, Michael Crosby wrote:
Agreed, I just think “in good shape” includes exec-like behavior. To For example, making ‘root’ optional 1 would be one way to address a |
|
@wking I think we can handle examples/cookbook etc. after this PR. To answer your question about |
|
LGTM |
Spun off from discussion here [1]. There seemed to be consensus that we need something like this but that it should be it's own pull request [2,3,4]. [1]: opencontainers#388 (comment) [2]: opencontainers#388 (comment) [3]: opencontainers#388 (comment) [4]: opencontainers#388 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
Spun off from discussion here [1]. There seemed to be consensus that we need something like this but that it should be its own pull request [2,3,4]. [1]: opencontainers#388 (comment) [2]: opencontainers#388 (comment) [3]: opencontainers#388 (comment) [4]: opencontainers#388 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
Spun off from discussion here [1]. There seemed to be consensus that we need something like this but that it should be its own pull request [2,3,4]. [1]: opencontainers#388 (comment) [2]: opencontainers#388 (comment) [3]: opencontainers#388 (comment) [4]: opencontainers#388 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
Addressed by 7117ede (Expand on the definition of our ops, 2015-10-13, opencontainers#225), although there has been additional discussion in a7a366b (Remove exec from required runtime functionalities, 2016-04-19, opencontainers#388) and 0430aaf (Split create and start, 2016-04-01, opencontainers#384). Signed-off-by: W. Trevor King <wking@tremily.us>
# digest/hashing target Most of this has spun off with [1], and I haven't heard of anyone talking about verifying the on-disk filesystem in a while. My personal take is on-disk verification doesn't add much over serialized verification unless you have a local attacker (or unreliable disk), and you'll need some careful threat modeling if you want to do anything productive about the local attacker case. For some more on-disk verification discussion, see the thread starting with [2]. # distributable-format target This spun off with [1]. # lifecycle target I think this is resolved since 7713efc (Add lifecycle for containers, 2015-10-22, opencontainers#231), which was committed on the same day as the ROADMAP entry (4859f6d, Add initial roadmap, 2015-10-22, opencontainers#230). # container-action target Addressed by 7117ede (Expand on the definition of our ops, 2015-10-13, opencontainers#225), although there has been additional discussion in a7a366b (Remove exec from required runtime functionalities, 2016-04-19, opencontainers#388) and 0430aaf (Split create and start, 2016-04-01, opencontainers#384). # validation and testing targets Validation is partly covered by cdcabde (schema: JSON Schema and validator for `config.json`, 2016-01-19, opencontainers#313) and subequent JSON Schema work. The remainder of these targets are handled by ocitools [3]. # printable/compiled-spec target The bulk of this was addressed by 4ee036f (*: printable documents, 2015-12-09, opencontainers#263). Any remaining polishing of that workflow seems like a GitHub-issue thing and not a ROADMAP thing. And publishing these to opencontainers.org certainly seems like it's outside the scope of this repository (although I think that such publishing is a good idea). [1]: /~https://github.com/opencontainers/image-spec [2]: https://groups.google.com/a/opencontainers.org/d/msg/dev/xo4SQ92aWJ8/NHpSQ19KCAAJ Subject: OCI Bundle Digests Summary Date: Wed, 14 Oct 2015 17:09:15 +0000 Message-ID: <CAD2oYtN-9yLLhG_STO3F1h58Bn5QovK+u3wOBa=t+7TQi-hP1Q@mail.gmail.com> [3]: /~https://github.com/opencontainers/ocitools Signed-off-by: W. Trevor King <wking@tremily.us>
# digest/hashing target Most of this has spun off with [1], and I haven't heard of anyone talking about verifying the on-disk filesystem in a while. My personal take is on-disk verification doesn't add much over serialized verification unless you have a local attacker (or unreliable disk), and you'll need some careful threat modeling if you want to do anything productive about the local attacker case. For some more on-disk verification discussion, see the thread starting with [2]. # distributable-format target This spun off with [1]. # lifecycle target I think this is resolved since 7713efc (Add lifecycle for containers, 2015-10-22, opencontainers#231), which was committed on the same day as the ROADMAP entry (4859f6d, Add initial roadmap, 2015-10-22, opencontainers#230). # container-action target Addressed by 7117ede (Expand on the definition of our ops, 2015-10-13, opencontainers#225), although there has been additional discussion in a7a366b (Remove exec from required runtime functionalities, 2016-04-19, opencontainers#388) and 0430aaf (Split create and start, 2016-04-01, opencontainers#384). # validation and testing targets Validation is partly covered by cdcabde (schema: JSON Schema and validator for `config.json`, 2016-01-19, opencontainers#313) and subequent JSON Schema work. The remainder of these targets are handled by ocitools [3]. # printable/compiled-spec target The bulk of this was addressed by 4ee036f (*: printable documents, 2015-12-09, opencontainers#263). Any remaining polishing of that workflow seems like a GitHub-issue thing and not a ROADMAP thing. And publishing these to opencontainers.org certainly seems like it's outside the scope of this repository (although I think that such publishing is a good idea). [1]: /~https://github.com/opencontainers/image-spec [2]: https://groups.google.com/a/opencontainers.org/d/msg/dev/xo4SQ92aWJ8/NHpSQ19KCAAJ Subject: OCI Bundle Digests Summary Date: Wed, 14 Oct 2015 17:09:15 +0000 Message-ID: <CAD2oYtN-9yLLhG_STO3F1h58Bn5QovK+u3wOBa=t+7TQi-hP1Q@mail.gmail.com> [3]: /~https://github.com/opencontainers/ocitools Signed-off-by: W. Trevor King <wking@tremily.us>
Exec can be implemented as running additional containers.
For #345