config-linux: Convert linux.namespaces from an array to an object
Namespaces do not need repeated entries and the ordering is handled by
the runtime regardless of the spec ordering (e.g. in runC [1]).  Using
an object leans on the new wording from eeaccfa (glossary: Make
objects explicitly unordered and forbid duplicate names, 2016-09-27,
#584) to make both of those points explicit.

[1]: opencontainers/runc#977
     Subject: nsenter: guarantee correct user namespace ordering

Signed-off-by: W. Trevor King <wking@tremily.us>
wking committed Oct 27, 2016
1 parent 81888fe commit 2d83782
Showing 5 changed files with 50 additions and 78 deletions.
39 changes: 14 additions & 25 deletions config-linux.md
Expand Up @@ -23,10 +23,9 @@ A namespace wraps a global system resource in an abstraction that makes it appea
Changes to the global resource are visible to other processes that are members of the namespace, but are invisible to other processes.
For more information, see [the man page](http://man7.org/linux/man-pages/man7/namespaces.7.html).

Namespaces are specified as an array of entries inside the `namespaces` root field.
The following parameters can be specified to setup namespaces:
* **`namespaces`** (object, OPTIONAL) specifies the container namespaces.
Valid keys are:

* **`type`** *(string, REQUIRED)* - namespace type. The following namespaces types are supported:
* **`pid`** processes inside the container will only be able to see other processes inside the same container.
* **`network`** the container will have its own network stack.
* **`mount`** the container will have an isolated mount table.
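Review bot: the new `namespaces` bullet says "Valid keys are:" but never states that each key is a namespace type and that the value is that namespace's configuration, which the removed `type` entry used to spell out; suggest "Each key is a namespace type (one of the types below) and its value configures that namespace." before the key list so that readers of the object form do not have to infer the key semantics from the example.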
Expand All @@ -35,39 +34,29 @@ The following parameters can be specified to setup namespaces:
* **`user`** the container will be able to remap user and group IDs from the host to local users and groups within the container.
* **`cgroup`** the container will have an isolated view of the cgroup hierarchy.

* **`path`** *(string, OPTIONAL)* - path to namespace file in the [runtime mount namespace](glossary.md#runtime-namespace)
Values have the following properties:

* **`path`** *(string, OPTIONAL)* - path to namespace file in the [runtime mount namespace](glossary.md#runtime-namespace)

If a path is specified, that particular file is used to join that type of namespace.
If a namespace type is not specified in the `namespaces` array, the container MUST inherit the [runtime namespace](glossary.md#runtime-namespace) of that type.
If a namespace type is not specified in the `namespaces` object, the container MUST inherit the [runtime namespace](glossary.md#runtime-namespace) of that type.
If a new namespace is not created (because the namespace type is not listed, or because it is listed with a `path`), runtimes MUST assume that the setup for that namespace has already been done and error out if the config specifies anything else related to that namespace.

###### Example

```json
"namespaces": [
{
"type": "pid",
"namespaces": {
"pid": {
"path": "/proc/1234/ns/pid"
},
{
"type": "network",
"network": {
"path": "/var/run/netns/neta"
},
{
"type": "mount"
},
{
"type": "ipc"
},
{
"type": "uts"
},
{
"type": "user"
},
{
"type": "cgroup"
}
"mount": {},
"ipc": {},
"uts": {},
"user": {},
"cgroup": {}
]
```
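Review bot: the example is no longer valid JSON: `"namespaces": {` now opens an object, but the unchanged closing line still reads `]` and must become `}`. Two smaller points for the same hunk: the prose should say what an empty value such as `"mount": {}` means (a new namespace of that type is created), since the only remaining statement covers the "not listed" and "listed with a `path`" cases; and the `path` description could require that the file be a namespace of the matching type, as the Go doc comment in this same patch already says ("and is of the same type"), since joining a file of the wrong namespace type is a silent isolation failure that runtimes should reject.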

38 changes: 11 additions & 27 deletions config.md
Expand Up @@ -279,11 +279,9 @@ For Windows based systems the user structure has the following fields:
"arch": "amd64"
},
"linux": {
"namespaces": [
{
"type": "pid"
}
]
"namespaces": {
"pid": {}
}
}
}
```
Expand Down Expand Up @@ -691,28 +689,14 @@ Here is a full example `config.json` for reference.
}
]
},
"namespaces": [
{
"type": "pid"
},
{
"type": "network"
},
{
"type": "ipc"
},
{
"type": "uts"
},
{
"type": "mount"
},
{
"type": "user"
},
{
"type": "cgroup"
}
"namespaces": {
"pid": {},
"network": {},
"ipc": {},
"uts": {},
"mount": {},
"user": {},
"cgroup": {}
],
"maskedPaths": [
"/proc/kcore",
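Review bot: same JSON mismatch as in config-linux.md: the full example now opens `"namespaces": {` but the unchanged closing line is still `],`; it must be `},` or the reference `config.json` will not parse, and anyone validating this example against the updated schema will get a parse error rather than a schema error.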
30 changes: 23 additions & 7 deletions schema/config-linux.json
Expand Up @@ -48,13 +48,29 @@
},
"namespaces": {
"id": "https://opencontainers.org/schema/bundle/linux/namespaces",
"type": "array",
"items": {
"anyOf": [
{
"$ref": "defs-linux.json#/definitions/NamespaceReference"
}
]
"type": "object",
"properties": {
"cgroup": {
"$ref": "defs-linux.json#/definitions/Namespace"
},
"ipc": {
"$ref": "defs-linux.json#/definitions/Namespace"
},
"mount": {
"$ref": "defs-linux.json#/definitions/Namespace"
},
"network": {
"$ref": "defs-linux.json#/definitions/Namespace"
},
"pid": {
"$ref": "defs-linux.json#/definitions/Namespace"
},
"user": {
"$ref": "defs-linux.json#/definitions/Namespace"
},
"uts": {
"$ref": "defs-linux.json#/definitions/Namespace"
}
}
},
"resources": {
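Review bot: the `namespaces` object lists the seven known keys but does not set `"additionalProperties": false`, so a misspelled key (for example a typo of `network`) validates and is silently ignored, leaving the container in the runtime's namespace of that type; the old array form was guarded by the `NamespaceType` enum, which this patch deletes in defs-linux.json, so the properties list is now the only constraint on keys. Suggest adding `"additionalProperties": false` directly under `"properties"` so that unknown namespace names are rejected at validation time.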
17 changes: 1 addition & 16 deletions schema/defs-linux.json
Expand Up @@ -262,24 +262,9 @@
}
}
},
"NamespaceType": {
"type": "string",
"enum": [
"mount",
"pid",
"network",
"uts",
"ipc",
"user",
"cgroup"
]
},
"NamespaceReference": {
"Namespace": {
"type": "object",
"properties": {
"type": {
"$ref": "#/definitions/NamespaceType"
},
"path": {
"$ref": "defs.json#/definitions/FilePath"
}
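Review bot: removing the `NamespaceType` definition and renaming `NamespaceReference` to `Namespace` changes two public definition names; the config-linux.json hunk updates its own `$ref`s, but any other schema file that still references `defs-linux.json#/definitions/NamespaceReference` or `#/definitions/NamespaceType` would now dangle, so the rename should be checked across the schema directory. If the enum is dropped, it is also worth keeping the list of valid type names somewhere in the schema (or in the `Namespace` description) so the allowed keys are documented in one place.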
4 changes: 1 addition & 3 deletions specs-go/config.go
Expand Up @@ -141,7 +141,7 @@ type Linux struct {
// If resources are specified, the cgroups at CgroupsPath will be updated based on resources.
CgroupsPath *string `json:"cgroupsPath,omitempty"`
// Namespaces contains the namespaces that are created and/or joined by the container
Namespaces []LinuxNamespace `json:"namespaces,omitempty"`
Namespaces map[LinuxNamespaceType]LinuxNamespace `json:"namespaces,omitempty"`
// Devices are a list of device nodes that are created for the container
Devices []LinuxDevice `json:"devices,omitempty"`
// Seccomp specifies the seccomp security settings for the container.
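Review bot: the doc comment on `Namespaces` should say that the map key is the namespace type, since `Type` is removed from `LinuxNamespace` in the next hunk and the key is now the only place the type appears. Note also that `encoding/json` will accept any string as a `LinuxNamespaceType` key, so runtimes must validate keys against the known `LinuxNamespaceType` constants themselves; the JSON schema's enum that previously constrained `type` is deleted in this patch, so nothing else rejects an unknown namespace name.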
Expand All @@ -158,8 +158,6 @@ type Linux struct {

// LinuxNamespace is the configuration for a Linux namespace
type LinuxNamespace struct {
// Type is the type of Linux namespace
Type LinuxNamespaceType `json:"type"`
// Path is a path to an existing namespace persisted on disk that can be joined
// and is of the same type
Path string `json:"path,omitempty"`
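Review bot: with `Type` gone, a zero-value `LinuxNamespace{}` is now the "create a new namespace of this type" case; the struct comment "LinuxNamespace is the configuration for a Linux namespace" should state that explicitly and that `Path` being set means join instead of create, mirroring the spec text. The `Path` comment's "and is of the same type" should now refer to the map key, e.g. "of the type given by its key in `Linux.Namespaces`".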