-
Notifications
You must be signed in to change notification settings - Fork 541
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
config-linux: Require no cgroup tweaks when linux.resources is unset #576
config-linux: Require no cgroup tweaks when linux.resources is unset #576
Conversation
a56530d
to
fc992aa
Compare
For example, to run a new process in an existing container without updating limits, `resources` need not be specified. | ||
You can configure a container's cgroups via the OPTIONAL `resources` property. | ||
When `resources` is empty or unset, the runtime MUST NOT alter properties of existing cgroups. | ||
When a subset of `resources` is empty or unset, the runtime MUST not alter the properties of existing cgroups covered by that subset. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/MUST not/MUST NOT
Or empty. Using: "resources": {} should mean the same thing as: "resources": null or as not specifying 'resources' at all, so we can drop the "Do not specify" requirement. It's good to be clear about what leaving the properties unset/empty means though. I'd prefer a config-wide rule like [1], but if that is too much to bite off I expect we can at least do that for cases where a new container is joining an existing cgroup. [1]: https://groups.google.com/a/opencontainers.org/forum/#!topic/dev/DWdystx5X3A Subject: Exposing platform defaults Date: Thu, 14 Jan 2016 15:36:26 -0800 Message-ID: <20160114233625.GN6362@odin.tremily.us> Signed-off-by: W. Trevor King <wking@tremily.us>
fc992aa
to
cca6b65
Compare
|
On Wed, Sep 21, 2016 at 03:20:28PM -0700, Michael Crosby wrote:
At the JSON level, I agree. If you're talking about the semantics of
I agree that null gives you a more convenient check for “the If a runtime implementation previously only updated existing cgroup |
REJECT |
On Thu, Sep 22, 2016 at 09:12:36AM -0700, Michael Crosby wrote:
Because… ? |
@wking My issue with this is that it means that (for example), we cannot set device restrictions on a container if the user hasn't set any device restrictions. My main issue is this sentence:
Maybe if it's So I also REJECT this. |
On Tue, Oct 18, 2016 at 01:00:05AM -0700, Aleksa Sarai wrote:
I'm fine with that. For security options that are covered by the With your approach (not forbidding the runtime to alter controllers |
They set configurations for the controller that explicitly is the value they want. Anything less is subject to interpretation anyway, because you could have other services running on the machine that add restrictions that are counter to what a user might expect. What is the point of allowing for "system defaults" with There is a valid concern about list-based settings like devices, and I'm not sure what to do with that case (should the runtime be allowed to append to it). But I think that allowing appending to lists is fine for The whole reason I argued for
"Helpful hinting" while restricting runtimes is not the solution to making containers secure. |
On Tue, Oct 18, 2016 at 03:38:45AM -0700, Aleksa Sarai wrote:
I think “the runtime defines the system defaults” is not what we want, Say I launch container-1 with whatever settings. Now I launch Or say you have an external cgroup-manager whose config syntax you I think the implementation is easier, and the result is easier to use,
With the current phrasing in this PR, the runtime is still free to do
We're all consenting adults here. If you don't trust yourself to |
Sorry, I misread the last part of the sentence of this PR. I read it as "at all" not as "pre-existing cgroups", which is why I reacted against it like that. I'm going to think more about this... However I just want to mention that the runtime is an authority to decide what a system default is, simply because the runtime is part of the system. If you want, I can open a PR to change the word "system" to "runtime" if you don't agree with my reading of the phrase "system default" (which is why I used that phrasing in the initial discussions for cgroup settings).
But some of us are more aware and experienced with the security risks than others. 😉 |
If you don't agree with the runtime defaults then a runtime flag or not using the runtime is a better option for your instead of trying to do some da vinci code logic on what is |
On Wed, Oct 19, 2016 at 10:06AM -0700, Michael Crosby wrote:
I can accept unspecified (or hopefully implementation-defined) runtime What I really don't want is the runtime mucking about with an
As I said earlier 2, if a runtime implementation previously only |
Or empty. Using:
should mean the same thing as:
or as not specifying
resources
at all, so we can drop the “Do not specify” requirement.It's good to be clear about what leaving the properties unset/empty means though. I'd prefer a config-wide rule about explosing platform defaults for empty/unset properties, but if that is too much to bite off I expect we can at least do that for cases where a new container is joining an existing cgroup. With the wording I'm proposing here, runtimes would still be free to clobber settings on new cgroups in an unspecified manner as they see fit.
Spun off from the Windows discussion. #540 is also in-flight in the no-tweaking space, although it is orthogonal to this change.