Replace Linux.Device with more specific config #94
Conversation
| "zero", | ||
| "urandom" | ||
| { | ||
| "path": "/dev/random", |
There was a problem hiding this comment.
We should probably specify or describe in this doc what each of the fields mean. But overall this PR looks good
There was a problem hiding this comment.
I'll combine description from docstrings.
There was a problem hiding this comment.
Is there ever a reason not to include null, random, full, tty, zero and urandom? It seems like we should just say every container can expect to have those device nodes available without specifying.
There was a problem hiding this comment.
Ah, okay, thought about this just like about json example, not real config :) I'll add all from runc defaults.
There was a problem hiding this comment.
@LK4D4 Yes, I will file a separate issue on this one.
|
LGTM overall, I do think we should consider making the "obvious" device nodes available as they are a pretty accepted part of the POSIX API. |
LK4D4
force-pushed
the
expose_more_about_device
branch
from
62ba998
to
0512e7e
Compare
|
On Wed, Aug 05, 2015 at 03:26:47PM -0700, Alexander Morozov wrote:
Can you elaborate on this or provide a concrete example? I'd guess |
| // FileMode permission bits for the device. | ||
| FileMode os.FileMode `json:"fileMode"` | ||
| // Uid of the device. | ||
| Uid uint32 `json:"uid"` |
LK4D4
force-pushed
the
expose_more_about_device
branch
2 times, most recently
from
e923f70
to
85586b4
Compare
|
@wking For example we want different cgroups permissions for devices. Another case is to creating device in paths which doesn't exists on host. Also this interface maps pretty well to device creation process on the host, I don't see why we should try to cut it off. |
|
I don't think a full exhaustive list of many devices is necessary in the spec to illustrate but it LGTM. |
LK4D4
force-pushed
the
expose_more_about_device
branch
from
85586b4
to
456c6bd
Compare
| Devices is an array specifying the list of devices to be created in the container. | ||
| Next parameters can be specified: | ||
|
|
||
| * type - type of device: 'c', 'b', 'u' or 'p'. More info in `man mknod` |
There was a problem hiding this comment.
From my instinct, the abbreviation of r/w/m is OK for permissions. But here, I think we should use "character", "block" and "fifo". I don't have strong reason, just feeling.
There was a problem hiding this comment.
I think this is okay as more information could be looked up in the man page.
|
On Wed, Aug 05, 2015 at 05:37:28PM -0700, Alexander Morozov wrote:
For “devices in paths which don't exist on the host”, it seems like For “I want special cgroups on $PATH”, it seems like that would be { As this PR stands, I'm not sure how you'd use wildcards for |
|
@wking I can add to description, that -1 will mean wildcard. |
|
On Thu, Aug 06, 2015 at 10:10:30AM -0700, Alexander Morozov wrote:
If you have a -1 in the spec, and the device doesn't exist on the |
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
LK4D4
force-pushed
the
expose_more_about_device
branch
from
456c6bd
to
5273b3d
Compare
|
@wking It's up to you which value you will pass, I don't like any |
|
On Thu, Aug 06, 2015 at 10:29:10AM -0700, Alexander Morozov wrote:
No, I meant “assuming the -1 wildcard 1, if I put a -1 major value
I'm ok dropping that section, since bundle authors that want to copy Maybe it would help if I just PRed my suggestion… |
|
@wking Yup, example of your thoughts in code would be perfect. |
|
LGTM |
Replace Linux.Device with more specific config
|
@wking Basically, if you want to use wildcard, then you need to skip Path, because otherwise runtime will try to mknod. If Permissions is not empty - then device is allowed. That's whole relationship between devices and cgroup as I see it. I don't see a big problem if it'll be documented. |
|
On Thu, Aug 06, 2015 at 05:32:17PM -0700, Alexander Morozov wrote:
I started working on a PR documenting this, but I'm not sure how to |
I'd prefer to handle mknod and device cgroups independently [1,2], to avoid all this "If path is given..." and "If parameters is given..." special casing. But the overloaded approach has landed [3], so this commit documents the indended semantics [4]. I'm not sure how bundle authors are supposed to register deny cgroups rules [5]. [1]: opencontainers#98 [2]: opencontainers#99 [3]: opencontainers#94 (comment) [4]: opencontainers#94 (comment) [5]: opencontainers#94 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
|
@wking basically idea was to |
|
On Fri, Aug 07, 2015 at 10:10:38AM -0700, Alexander Morozov wrote:
That may be overly strict for child containers. What if you want to |
|
I've floated some more explicit docs in #101, if we want to talk about
the semantics and docs for allow vs. deny there.
|
|
@wking Maybe it's better to discuss this in IRC. It's too much for closed PR. |
I filed a PR to keep this separate [1], but it was closed after [2] landed. See also [3], where I point out that putting the mknod stuff in the “control groups” section is awkward. [1]: opencontainers/runtime-spec#99 Add linux.resources.devices [2]: opencontainers/runtime-spec#94 Replace Linux.Device with more specific config [3]: opencontainers/runtime-spec#171 (comment) move the description of user ns mapping and default files to proper file
It appeared that we need more control over devices, for example different permissions and choosing path on caller side.