add RFC requirement for mountLabel #934
Conversation
There was a problem hiding this comment.
This is adding a new runtime MUST, but I think it's still a patch-level change because our semver only protects config authors. The semantics of mountLabel have not changed, and there would be no need for config authors to adjust configurations to account for this PR. The only thing that changes is that authors of compliant runtimes will have to add mountLabel support if they were missing it already (or begin erroring out in create for configurations that set mountLabel if they choose to continue to not support it, #813, #927).
config-linux.md
Outdated
| @@ -629,7 +629,8 @@ The following parameters can be specified to set up seccomp: | |||
|
|
|||
| ## <a name="configLinuxMountLabel" />Mount Label | |||
|
|
|||
| **`mountLabel`** (string, OPTIONAL) will set the Selinux context for the mounts in the container. | |||
| **`mountLabel`** (string, OPTIONAL) specifies SELinux context for the mounts in the container. | |||
| If `mountLabel` is set, the runtime MUST set SELinux context of the mounts in the container to the given value. | |||
There was a problem hiding this comment.
I think you want to keep “the” before “SELinux context”.
Mashimiao
force-pushed
the
add-rfc-mountlabel
branch
from
ebc5fd4
to
3e62de6
Compare
|
ping @opencontainers/runtime-spec-maintainers |
|
LGTM |
config-linux.md
Outdated
| @@ -629,7 +629,8 @@ The following parameters can be specified to set up seccomp: | |||
|
|
|||
| ## <a name="configLinuxMountLabel" />Mount Label | |||
|
|
|||
| **`mountLabel`** (string, OPTIONAL) will set the Selinux context for the mounts in the container. | |||
| **`mountLabel`** (string, OPTIONAL) specifies the SELinux context for the mounts in the container. | |||
| If `mountLabel` is set, the runtime MUST set the SELinux context of the mounts in the container to the given value. | |||
There was a problem hiding this comment.
You want to drop this indent (I've made that mistake before, #936 ;).
There was a problem hiding this comment.
updated, it seems we should submit a PR to fix other places.
Mashimiao
force-pushed
the
add-rfc-mountlabel
branch
from
3e62de6
to
e421fd8
Compare
Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
|
@opencontainers/runtime-spec-maintainers PTAL |
Like 5d9bbad (config: Dedent root paragraphs, since they aren't a list entry, 2017-11-08, opencontainers#936). Ma Shimiao pointed out that there may be more instances of this [1], and this commit fixes all instances turned up with: $ git grep -B1 '^ [^ ]' | grep -A1 '[:-]\*\*' [1]: opencontainers#934 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
|
LGTM |
There was a problem hiding this comment.
I'm fine with this change in the short term, although I'd prefer a more comprehensive fix for this issue. I think we need something like #680 for properties, something that addresses #813 for values (#927 is a partial fix), something that tightens the “cannot apply a property as specified” loophole, and per-property docs that point out exactly what is being checked for that property.
The new line here doesn't add more detail about what is being checked for this property. It seems like the new line is a per-property alternative to #680?
|
@opencontainers/runtime-spec-maintainers PTAL |
|
NACK |
Wouldn't that compatibility issue arise anyway due to deprecating the |
Signed-off-by: Ma Shimiao mashimiao.fnst@cn.fujitsu.com