#opencontainers log

21:03:16 <wking> #startmeeting 2017-05-10 runtime-spec 1.0 preparation
21:03:16 <collabot> Meeting started Wed May 10 21:03:16 2017 UTC.  The chair is wking. Information about MeetBot at http://wiki.debian.org/MeetBot.
21:03:16 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic.
21:03:16 <collabot> The meeting name has been set to '2017_05_10_runtime_spec_1_0_preparation'
21:03:21 <wking> #chair mrunalp
21:03:21 <collabot> Current chairs: mrunalp wking
21:03:54 <wking> #topic spec.md: add MUST NOT and SHALL NOT for judging compliance
21:04:40 <wking> https://tools.ietf.org/html/rfc2616#section-1.2
21:05:16 <wking> ^ That doesn't have the NOT forms, but it does talk about "level" which aren't formally defined in RFC 2119
21:05:35 <wking> #link https://github.com/opencontainers/runtime-spec/pull/797
21:05:45 <wking> #topic Makefile: Add .install.* to .PHONY
21:05:50 <wking> #link https://github.com/opencontainers/runtime-spec/pull/791
21:07:54 <wking> If folks don't want to list .PHONY entries for all phony targets, we probably want to drop all the unnecessary .PHONY entries
21:07:59 <wking> tianon: +1
21:08:12 <wking> #topic config: Document 'rbind' and 'bind' mount options extensions
21:08:18 <wking> #link https://github.com/opencontainers/runtime-spec/pull/771
21:09:43 <wking> mrunalp: do we want all of these?
21:10:52 <wking> crosbymichael: does this exactly match runC
21:10:57 <wking> no, see the last comment
21:11:27 <RobDolinMS> What dial-in is being used for the ConCall?
21:12:22 <wking> RobDolinMS: https://bluejeans.com/1771332256/
21:12:36 <wking> https://github.com/opencontainers/runtime-spec/pull/771#issuecomment-300559556
21:12:51 <wking> The current spec punts to mount(8), which includes entries like 'silent' which are not covered in runC
21:13:14 <wking> #topic config-linux: RFC 2119 tightening for namespaces
21:13:21 <wking> #link https://github.com/opencontainers/runtime-spec/pull/767
21:14:17 <wking> #topic https://github.com/opencontainers/runtime-spec/pull/747
21:14:57 <wking> crosbymichael: this is redundant with the filenames defining platform support
21:15:12 <wking> But the single-file spec forms don't expose the source filenames.  Do we have a plan for that?
21:15:21 <RobDolinMS> I'm trying to dial-in but BlueJeans does not seem to be working :(
21:16:10 <wking> #topic runtime-linux: Condition /proc/self/fd symlinks on source existence
21:16:17 <wking> #link https://github.com/opencontainers/runtime-spec/pull/736
21:16:38 <mrunalp> RobDolinMS, Try calling in?
21:16:57 <mrunalp> +1.408.740.7256
21:17:22 <wking> #topic config: Clarify mounts[].source relative path anchor
21:17:27 <wking> #link https://github.com/opencontainers/runtime-spec/pull/735
21:18:20 <wking> mrunalp: do relative paths make sense here?
21:18:36 <wking> yeah, for example you may have ./home you want mounted under /root
21:18:41 <wking> mrunalp: do we support that in runC?
21:19:01 <wking> crosbymichael: I dunno.  It's extremely hard to figure out what it's relative to (the bundle or the cwd)
21:19:19 <wking> crosbymichael: I'd have to check if we support it, but I doubt anyone ever uses it
21:19:35 <wking> tianon: there are some examples where it looks like a relative path (e.g. "proc") that are just dummy values
21:20:09 <wking> tianon: we'd need a static list of dummy paths if we were validating absolute paths
21:20:33 <wking> crosbymichael: I think we always run it through absolute path
21:20:59 <wking> How do you identify dummies?
21:22:08 <tianon> https://github.com/opencontainers/runc/blob/653207bc29a6d2d62b5d4f55b596467cb715a128/libcontainer/specconv/spec_linux.go#L253-L257
21:22:26 <wking> crosbymichael: and the cwd may or may not be the bundle path
21:23:32 <wking> does runC have different code for root.path?
21:24:46 <wking> crosbymichael: mount namespaces have nothing to do with files on disk
21:24:54 <wking> but paths are resolved in a particular mount namespace
21:26:45 <wking> crosbymichael: "runtime root" would be a lot better
21:29:59 <wking> https://github.com/opencontainers/runtime-spec/blame/v1.0.0-rc5/config-linux.md#L38
21:30:48 <wking> still current: https://github.com/opencontainers/runtime-spec/blame/844f392f3924ce172e1559859864eefc2f06ae85/config-linux.md#L38
21:32:08 <wking> tianon: in that context it seems fine, since it's talking about namespaces
21:33:34 <wking> say you have "/home/you" in source, "rootfs" in root.path.  Do you bind mount /home/you or rootfs/home/you?
21:34:25 <wking> If my wording is not clarifying that, can someone else take a stab at breaking that tie?
21:34:29 <wking> mrunalp: crosbymichael?
21:35:29 <wking> #topic https://github.com/opencontainers/runtime-spec/pull/734
21:35:39 <wking> #topic runtime: Container-scope-wide uniqueness for container IDs
21:35:44 <wking> #link https://github.com/opencontainers/runtime-spec/pull/734
21:36:48 <wking> #link
21:36:51 <wking> #link https://github.com/opencontainers/runtime-spec/blob/844f392f3924ce172e1559859864eefc2f06ae85/runtime.md#scope-of-a-container
21:37:04 <wking> ^"Scope of a Container" (in master)
21:38:07 <wking> basically this is "the ID has to be unique across your shared state"
21:38:28 <wking> We don't want ID-uniqueness constraints that are stronger than your state-sharing constraints
21:38:44 <wking> mrunalp: should we rename this to "Scope of a runtime"?
21:39:21 <wking> crosbymichael: I know the contents of this PR are not what we want, and the original is correct and straightforward
21:39:52 <wking> mrunalp: if you have two instances of a runtime with different state directories, the IDs may or may not overlap
21:40:20 <wking> exactly.  That's what I'm trying to allow because I see no way to forbid it
21:41:05 <wking> mrunalp: let me take this one
21:43:14 <wking> #topic runtime: Drop "not supported by the base OS" loophole
21:43:19 <wking> #link https://github.com/opencontainers/runtime-spec/pull/733
21:44:45 <wking> I don't see the point in drilling a big, generic hole
21:44:59 <wking> Just poke holes where you need them (and runtimes can always error out with "I can't do that")
21:45:23 <wking> crosbymichael: It's more an issue for compliance testing where you have a stable base
21:45:33 <wking> mrunalp: compliance testing should be on a new/stable enough kernel
21:46:01 <wking> #topic runtime: Remove "features the runtime chooses to support
21:46:06 <wking> #link https://github.com/opencontainers/runtime-spec/pull/732
21:57:53 <wking> [lots of talk ;)]
21:58:21 <wking> I'll keep the removal of the old step 3, remove the trailing paragraph, and crosbymichael will follow up with a leading paragraph about these kinds of jumps
21:58:47 <wking> #topic runtime: Remove status redefinitions from operations
21:58:53 <wking> #link https://github.com/opencontainers/runtime-spec/pull/702
22:00:45 <wking> #topic config: Make process optional
22:00:51 <wking> #link https://github.com/opencontainers/runtime-spec/pull/701
22:01:44 <wking> For example, if you're running a shell container to hold namespaces open for a more meaty container
22:02:00 <wking> It sounded like "I'm never going to call 'start'" was a workflow we were interested in supporting
22:02:05 <wking> crosbymichael: It's up to you
22:02:13 <wking> mrunalp: I think the Garden folks are doing this?
22:02:19 <wking> crosbymichael: they just don't add the process information
22:02:40 <wking> crosbymichael: we just have to update the pointer to the process struct again.  tianon?
22:02:43 <wking> tianon: I'm tired
22:03:15 <wking> #topic runtime: Explicitly make process.* timing implementation-defined
22:03:20 <wking> #link https://github.com/opencontainers/runtime-spec/pull/700
22:07:35 <wking> mrunalp: in runC we set it in create?
22:07:48 <wking> crosbymichael: we try to do everything we can in create (e.g. dropping caps)
22:07:58 <wking> I'm fine requiring all of that to happen at create
22:08:21 <wking> crosbymichael: I don't want the spec saying anything about that, because I want to fix any security issues without worrying about compliance
22:10:40 <wking> crosbymichael: why isn't 94 enough?
22:10:51 <wking> I feel like they add clarity, but if they're adding confusion I can drop them
22:10:55 <wking> mrunalp: I'm fine either way
22:11:03 <wking> crosbymichael: I'm fine either way
22:11:08 <wking> I'll rebase it
22:11:24 <wking> #topic config: Move valid-value rules to their own section
22:11:38 <wking> #link https://github.com/opencontainers/runtime-spec/pull/681
22:14:21 <wking> #topic config: Do not allow runtimes to ignore properties defined by the spec
22:14:27 <wking> #link https://github.com/opencontainers/runtime-spec/pull/680
22:17:37 <wking> If folks want to file a replacement PR with a different sentence, that's fine with me
22:17:50 <wking> crosbymichael: I think it can be worded better
22:19:33 <wking> I'm happy to field suggestion comments or replacement PRs
22:19:41 <wking> mrunalp: lets revisit this once we have suggestions
22:20:18 <wking> #topic Update to Windows network options
22:20:25 <wking> #link https://github.com/opencontainers/runtime-spec/pull/801
22:20:49 <wking> tianon: don't we need Markdown updates too?
22:20:56 <wking> crosbymichael: yeah, I'm adding a reply
22:23:06 <crosbymichael> 795
22:23:32 <wking> #topic config-linux: Specify relationships for new namespaces
22:37:00 <wking> [lots of talk ;)]
22:37:34 <wking> mrunalp: can we punt on this for now?
22:38:39 <wking> mrunalp: crosbymichael are you free on 2pm Friday?
22:38:41 <wking> crosbymichael: yeah
22:38:44 <wking> #endmeeting