21:01:33 #startmeeting 2017-05-12 runtime-spec 1.0 burn-down
21:01:33 Meeting started Fri May 12 21:01:33 2017 UTC. The chair is wking. Information about MeetBot at http://wiki.debian.org/MeetBot.
21:01:33 Useful Commands: #action #agreed #help #info #idea #link #topic.
21:01:33 The meeting name has been set to '2017_05_12_runtime_spec_1_0_burn_down'
21:01:38 #chair mrunalp
21:01:38 Current chairs: mrunalp wking
21:03:17 #topic config.md: lifecycle broken links fix
21:03:22 #link https://github.com/opencontainers/runtime-spec/pull/812
21:03:33 #topic consistency and style fix
21:03:50 #link https://github.com/opencontainers/runtime-spec/pull/811
21:04:05 crosbymichael: let's let this one cook longer
21:04:07 mrunalp: yeah
21:04:49 #topic config.go: platform-specific properties of process fix
21:06:14 #link https://github.com/opencontainers/runtime-spec/pull/810
21:06:32 mrunalp: should we make this Linux-specific again and have other platforms add their own caps?
21:07:03 crosbymichael: I think with caps split up, I think it's Linux-specific
21:08:18 I think bounding/effective and such (but prob. not ambient) were part of the withdrawn POSIX spec, so Solaris might support them
21:08:28 mrunalp: should we ping Windows/Solaris folks and ask?
21:08:35 crosbymichael: yeah, let's ping them and wait on it
21:08:49 #topic config.md: minor changes for process
21:08:54 #link https://github.com/opencontainers/runtime-spec/pull/809
21:10:49 crosbymichael: we can wait on this one too
21:11:22 crosbymichael: for responses to the existing feedback
21:12:08 #topic config.md: specify mount source
21:12:14 #link https://github.com/opencontainers/runtime-spec/pull/808
21:12:48 crosbymichael: I don't think we need the absolute-path restriction anyway
21:12:53 mrunalp: let's leave it to the runtime for now
21:13:11 crosbymichael: runc makes it absolute to protect against chdir()s during setup
21:14:16 there is a possible security issue floating in this area
21:14:41 link in #735
21:15:00 crosbymichael: that's up to the config author (e.g. caps also have security impact)
21:15:29 crosbymichael: runc is only doing this for chdir() protection, not for the FUSE exploit
21:15:50 #topic config.md: fix typo of context
21:15:56 #link https://github.com/opencontainers/runtime-spec/pull/807
21:17:34 I think neither master nor the current tip of this PR is quite where we want. Either `filesystemtype` or my suggestion in that comment thread
21:17:40 crosbymichael: I'm fine splitting it
21:20:06 #topic question about valid values runtime choose to support
21:20:14 #link https://github.com/opencontainers/runtime-spec/issues/813
21:20:32 mrunalp: if the runtime doesn't support some new feature, that's fine. But if the runtime doesn't support 90% of the features, that's probably not right
21:24:54 [some talk] <-- I'll add a comment to #807 with this
21:25:09 #topic config.md: specify config usage
21:25:15 #link https://github.com/opencontainers/runtime-spec/pull/803
21:25:23 mrunalp: I'm not sure what to do with this
21:28:59 mrunalp: you need the config for 'create', and you need 'create' to work before you can call 'kill'
21:29:47 #topic Update to Windows network options
21:29:53 #link https://github.com/opencontainers/runtime-spec/pull/801
21:30:49 crosbymichael: H might be correct
21:30:56 mrunalp: do we have a link to backing docs somewhere?
21:30:59 crosbymichael: I don't think so
21:32:35 I'm not sure how this PR fits into 1.0 (I'll add a comment to the PR)
21:33:38 #topic specs-go/round_trip_test: Add round-trip testing for the config
21:33:43 #link https://github.com/opencontainers/runtime-spec/pull/759
21:33:55 We just need to close this with motivation for not pointerizing UID/GID
21:37:31 It's hard for me to write the comment because I don't understand the pattern
21:37:53 crosbymichael: if we push through a node serializer, we won't change the spec
21:38:51 crosbymichael: let's just remove the types from the repo and I'll maintain them myself
21:39:10 I can file that PR, but that sounds like a bottomless pit
21:41:56 mrunalp: I'll add a comment with the style pattern
21:43:24 #topic config-linux: Require no cgroup tweaks when linux.resources is unset
21:43:29 https://github.com/opencontainers/runtime-spec/pull/576
21:47:00 mrunalp: let me file a replacement PR
21:47:04 sounds good
21:48:46 #topic WIP: config: Clarify mounts[].source relative path anchor
21:48:54 #link https://github.com/opencontainers/runtime-spec/pull/735
21:49:16 crosbymichael: people are interacting with this at a higher level
21:49:36 but people who are writing the config JSON know where the bundle is (same dir as config.json)
21:49:56 crosbymichael: so chdir to the bundle path and run the mounts
21:50:47 crosbymichael: yeah, we do anchor to bundle in .... line 58
21:50:53 mrunalp: in exec.go?
21:51:01 crosbymichael: in the root of the repo-utils.go
21:51:28 crosbymichael: so I'm fine anchoring to the bundle
21:57:42 #topic config.md: format changes
21:57:48 #link https://github.com/opencontainers/runtime-spec/pull/724
21:57:49 crosbymichael: merging
22:00:27 #topic schema/config-linux: add pattern limit for deviceCgroup
22:01:14 #link https://github.com/opencontainers/runtime-spec/pull/690
22:03:00 #link https://github.com/opencontainers/runtime-spec/blame/6cc08c24289854bf7a1f48865e49aa4601c5bb60/config-linux.md#L220
22:08:14 we can leave this closed and I can work up a PR that adjusts the Markdown side to be more permissive
22:09:21 #topic schema/defs-linux: Drop 'Capability' type
22:09:26 #link https://github.com/opencontainers/runtime-spec/pull/766
22:12:03 the master JSON Schema is saying "the Linux kernel will always use CAP_" (which may be true, but doesn't seem like grounds for invalidating a config)
22:17:02 #endmeeting