21:03:16 #startmeeting 2017-05-10 runtime-spec 1.0 preparation
21:03:16 Meeting started Wed May 10 21:03:16 2017 UTC. The chair is wking. Information about MeetBot at http://wiki.debian.org/MeetBot.
21:03:16 Useful Commands: #action #agreed #help #info #idea #link #topic.
21:03:16 The meeting name has been set to '2017_05_10_runtime_spec_1_0_preparation'
21:03:21 #chair mrunalp
21:03:21 Current chairs: mrunalp wking
21:03:54 #topic spec.md: add MUST NOT and SHALL NOT for judging compliance
21:04:40 https://tools.ietf.org/html/rfc2616#section-1.2
21:05:16 ^ That doesn't have the NOT forms, but it does talk about "level" which aren't formally defined in RFC 2119
21:05:35 #link https://github.com/opencontainers/runtime-spec/pull/797
21:05:45 #topic Makefile: Add .install.* to .PHONY
21:05:50 #link https://github.com/opencontainers/runtime-spec/pull/791
21:07:54 If folks don't want to list .PHONY entries for all phony targets, we probably want to drop all the unnecessary .PHONY entries
21:07:59 tianon: +1
21:08:12 #topic config: Document 'rbind' and 'bind' mount options extensions
21:08:18 #link https://github.com/opencontainers/runtime-spec/pull/771
21:09:43 mrunalp: do we want all of these?
21:10:52 crosbymichael: does this exactly match runC?
21:10:57 no, see the last comment
21:11:27 What dial-in is being used for the ConCall?
21:12:22 RobDolinMS: https://bluejeans.com/1771332256/
21:12:36 https://github.com/opencontainers/runtime-spec/pull/771#issuecomment-300559556
21:12:51 The current spec punts to mount(8), which includes entries like 'silent' which are not covered in runC
21:13:14 #topic config-linux: RFC 2119 tightening for namespaces
21:13:21 #link https://github.com/opencontainers/runtime-spec/pull/767
21:14:17 #topic https://github.com/opencontainers/runtime-spec/pull/747
21:14:57 crosbymichael: this is redundant with the filenames defining platform support
21:15:12 But the single-file spec forms don't expose the source filenames. Do we have a plan for that?
21:15:21 I'm trying to dial in but BlueJeans does not seem to be working :(
21:16:10 #topic runtime-linux: Condition /proc/self/fd symlinks on source existence
21:16:17 #link https://github.com/opencontainers/runtime-spec/pull/736
21:16:38 RobDolinMS, try calling in?
21:16:57 +1.408.740.7256
21:17:22 #topic config: Clarify mounts[].source relative path anchor
21:17:27 #link https://github.com/opencontainers/runtime-spec/pull/735
21:18:20 mrunalp: do relative paths make sense here?
21:18:36 yeah, for example you may have ./home you want mounted under /root
21:18:41 mrunalp: do we support that in runC?
21:19:01 crosbymichael: I dunno. It's extremely hard to figure out what it's relative to (the bundle or the cwd)
21:19:19 crosbymichael: I'd have to check if we support it, but I doubt anyone ever uses it
21:19:35 tianon: there are some examples where it looks like a relative path (e.g. "proc") that are just dummy values
21:20:09 tianon: we'd need a static list of dummy paths if we were validating absolute paths
21:20:33 crosbymichael: I think we always run it through absolute path
21:20:59 How do you identify dummies?
21:22:08 https://github.com/opencontainers/runc/blob/653207bc29a6d2d62b5d4f55b596467cb715a128/libcontainer/specconv/spec_linux.go#L253-L257
21:22:26 crosbymichael: and the cwd may or may not be the bundle path
21:23:32 does runC have different code for root.path?
21:24:46 crosbymichael: mount namespaces have nothing to do with files on disk
21:24:54 but paths are resolved in a particular mount namespace
21:26:45 crosbymichael: "runtime root" would be a lot better
21:29:59 https://github.com/opencontainers/runtime-spec/blame/v1.0.0-rc5/config-linux.md#L38
21:30:48 still current: https://github.com/opencontainers/runtime-spec/blame/844f392f3924ce172e1559859864eefc2f06ae85/config-linux.md#L38
21:32:08 tianon: in that context it seems fine, since it's talking about namespaces
21:33:34 say you have "/home/you" in source, "rootfs" in root.path. Do you bind mount /home/you or rootfs/home/you?
21:34:25 If my wording is not clarifying that, can someone else take a stab at breaking that tie?
21:34:29 mrunalp: crosbymichael?
21:35:29 #topic https://github.com/opencontainers/runtime-spec/pull/734
21:35:39 #topic runtime: Container-scope-wide uniqueness for container IDs
21:35:44 #link https://github.com/opencontainers/runtime-spec/pull/734
21:36:48 #link
21:36:51 #link https://github.com/opencontainers/runtime-spec/blob/844f392f3924ce172e1559859864eefc2f06ae85/runtime.md#scope-of-a-container
21:37:04 ^"Scope of a Container" (in master)
21:38:07 basically this is "the ID has to be unique across your shared state"
21:38:28 We don't want ID-uniqueness constraints that are stronger than your state-sharing constraints
21:38:44 mrunalp: should we rename this to "Scope of a runtime"?
21:39:21 crosbymichael: I know the contents of this PR are not what we want, and the original is correct and straightforward
21:39:52 mrunalp: if you have two instances of a runtime with different state directories, the IDs may or may not overlap
21:40:20 exactly. That's what I'm trying to allow because I see no way to forbid it
21:41:05 mrunalp: let me take this one
21:43:14 #topic runtime: Drop "not supported by the base OS" loophole
21:43:19 #link https://github.com/opencontainers/runtime-spec/pull/733
21:44:45 I don't see the point in drilling a big, generic hole
21:44:59 Just poke holes where you need them (and runtimes can always error out with "I can't do that")
21:45:23 crosbymichael: It's more an issue for compliance testing where you have a stable base
21:45:33 mrunalp: compliance testing should be on a new/stable enough kernel
21:46:01 #topic runtime: Remove "features the runtime chooses to support
21:46:06 #link https://github.com/opencontainers/runtime-spec/pull/732
21:57:53 [lots of talk ;)]
21:58:21 I'll keep the removal of the old step 3, remove the trailing paragraph, and crosbymichael will follow up with a leading paragraph about these kinds of jumps
21:58:47 #topic runtime: Remove status redefinitions from operations
21:58:53 #link https://github.com/opencontainers/runtime-spec/pull/702
22:00:45 #topic config: Make process optional
22:00:51 #link https://github.com/opencontainers/runtime-spec/pull/701
22:01:44 For example, if you're running a shell container to hold namespaces open for a more meaty container
22:02:00 It sounded like "I'm never going to call 'start'" was a workflow we were interested in supporting
22:02:05 crosbymichael: It's up to you
22:02:13 mrunalp: I think the Garden folks are doing this?
22:02:19 crosbymichael: they just don't add the process information
22:02:40 crosbymichael: we just have to update the pointer to the process struct again. tianon?
22:02:43 tianon: I'm tired
22:03:15 #topic runtime: Explicitly make process.* timing implementation-defined
22:03:20 #link https://github.com/opencontainers/runtime-spec/pull/700
22:07:35 mrunalp: in runC we set it in create?
22:07:48 crosbymichael: we try to do everything we can in create (e.g. dropping caps)
22:07:58 I'm fine requiring all of that to happen at create
22:08:21 crosbymichael: I don't want the spec saying anything about that, because I want to fix any security issues without worrying about compliance
22:10:40 crosbymichael: why isn't 94 enough?
22:10:51 I feel like they add clarity, but if they're adding confusion I can drop them
22:10:55 mrunalp: I'm fine either way
22:11:03 crosbymichael: I'm fine either way
22:11:08 I'll rebase it
22:11:24 #topic config: Move valid-value rules to their own section
22:11:38 #link https://github.com/opencontainers/runtime-spec/pull/681
22:14:21 #topic config: Do not allow runtimes to ignore properties defined by the spec
22:14:27 #link https://github.com/opencontainers/runtime-spec/pull/680
22:17:37 If folks want to file a replacement PR with a different sentence, that's fine with me
22:17:50 crosbymichael: I think it can be worded better
22:19:33 I'm happy to field suggestion comments or replacement PRs
22:19:41 mrunalp: let's revisit this once we have suggestions
22:20:18 #topic Update to Windows network options
22:20:25 #link https://github.com/opencontainers/runtime-spec/pull/801
22:20:49 tianon: don't we need Markdown updates too?
22:20:56 crosbymichael: yeah, I'm adding a reply
22:23:06 795
22:23:32 #topic config-linux: Specify relationships for new namespaces
22:37:00 [lots of talk ;)]
22:37:34 mrunalp: can we punt on this for now?
22:38:39 mrunalp: crosbymichael, are you free at 2pm Friday?
22:38:41 crosbymichael: yeah
22:38:44 #endmeeting