runtime-config-linux: Separate mknod from cgroups

[wking]

This is #99 rebased onto the current master, because the idea seems
to have new life. It leaves mknod entries in linux.devices
and moves cgroups entries into linux.resources.devices. Quiet
thread on the issue here.

This makes it easy to distinguish between configs that call for cgroup
adjustments (which have linux.resources entries) from those that
don't. Without this split, folks interested in making that
distinction would have to parse the device section to determine if it
included cgroup changes. This will also make it easy to drop either
portion (mknod or cgroups) independently of the other if the
project decides to do so.

Using seperate sections for mknod and cgroups also allows us to avoid
the complicated validation rules needed for the combined format
mknod/cgroup (#101).

Now that there is a section specific to supplying devices, I shifted
the default device listing over from config-linux. The /dev/ptmx
entry is a bit awkward, since it's not a device, but it seemed to fit
better over here. But I would also be fine leaving it with the other
mounts in config-linux.

The reference links are sorted into two blocks, with kernel-doc links
sorted alphabetically followed by man pages sorted alphabetically by
section.

[wking]

@mrunalp, you were going to write up some more motivation for this? It's also possible that you intended to post that motivation to the thread, and that I'm jumping the gun with this reroll. If so, feel free to table/close this PR until the thread has reached a consensus.

[mrunalp]

We can continue using this PR. i have responded to the mailing list discussion.

[mrunalp]

There are two use cases for this separation:

1. The user doesn't want to specify any cgroup configuration. This is easy for the other values but the device cgroups are tied up the device configuration.
2. Running containers under a non-host usernamespace is an issue, because one can't modify the device cgroups in such a scenario.

So, separation will be good for consistency as well as technical reasons.

[vishh]

Can devices be setup using hooks?

[wking]

On Wed, Jan 20, 2016 at 10:15:41AM -0800, Vish Kannan wrote:

-devices is an array specifying the list of devices to be created in the container.
+devices is an array specifying the list of devices that the MUST be available in the container.

Can devices be setup using hooks?

Yeah. Or with bind-mounts, or by putting the device nodes in the
rootfs (#98). My attempt to summarize the pushback for dropping the
mknod section is in 1.

[wking]

Rerolled dfb5dad → 3f8105e adding @vishh's ‘omitempty’s [1,2,3].

[wking]

In today's meeting there was talk about where default-device creation
happens in the container-setup timeline 1, and whether/how config
authors should be able to opt-out of default-device creation 2.
Addressing either of those seems orthogonal to the split in this PR
3, but I'd thought I'd mention them here in case anyone else
disagrees about their orthogonality.

[mrunalp]

Needs rebase.

[wking]

On Mon, Jan 25, 2016 at 11:57:44AM -0800, Mrunal Patel wrote:

Needs rebase.

I'll wait until #284 lands.

[wking]

On Mon, Jan 25, 2016 at 12:27:43PM -0800, W. Trevor King wrote:

Mon, Jan 25, 2016 at 11:57:44AM -0800, Mrunal Patel:

Needs rebase.

I'll wait until #284 lands.

Rebased around #284 with 3f8105e → 81f726e.

$ diff -u <(git show 3f8105e) <(git show 81f726e)

shows no changes outside of diff context.

[mrunalp]

s/that the/that/

[wking]

On Wed, Jan 27, 2016 at 10:47:11AM -0800, Mrunal Patel wrote:

-devices is an array specifying the list of devices to be created in the container.
+devices is an array specifying the list of devices that the MUST be available in the container.

s/that the/that/

Fixed in 81f726e → a855883.

[mrunalp]

Should we call it an access list instead of a whitelist?

[wking]

On Wed, Jan 27, 2016 at 12:13:03PM -0800, Mrunal Patel wrote:

+#### Device whitelist

Should we call it an access list instead of a whitelist?

I'm just echoing the kernel docs [1](which moved! [2]). I've pushed
a855883 → ddd56d8 updating the link target.

[vishh]

Whitelist typically carries a positive connotation. In this case, this whitelist can be used to deny access to devices as well.

[vishh]

Are the following fields required?

[wking]

On Wed, Jan 27, 2016 at 01:13:14PM -0800, Vish Kannan wrote:

+* fileMode (uint32, required) - file mode for the device.

• You can also control access to devices with cgroups.

Are the following fields required?

I'm fine making fileMode, uid, and gid optional. Would they default
to the effective uid/gid/umask of the runtime process? Of the
container process as it will be when it execs any user-configured
arguments?

[vishh]

Defaults can also depend on it setgid bit is set on the parent dir I think.
But it shouldn't matter from the Spec level.

On Wed, Jan 27, 2016 at 1:31 PM W. Trevor King notifications@github.com
wrote:

In config-linux.md
#298 (comment):

-* permissions (string, optional) - cgroup permissions for device. A composition of r (read), w (write), and m (mknod).

-* fileMode (uint32, optional) - file mode for device file

-* uid (uint32, optional) - uid of device owner

-* gid (uint32, optional) - gid of device owner

-fileMode, uid and gid are required if path is given and are otherwise not allowed.
+* type (char, required) - type of device: c, b, u or p.

• More info in [mknod(1)][mknod.1].
  +* path (string, required) - full path to device inside container.
  +* major, minor (int64, required) - [major, minor numbers][devices] for the device.
  +* fileMode (uint32, required) - file mode for the device.
• You can also control access to devices with cgroups.

On Wed, Jan 27, 2016 at 01:13:14PM -0800, Vish Kannan wrote: > +*
fileMode (uint32, required) - file mode for the device. > + You can
also control access to devices with cgroups. Are the
following fields required?
I'm fine making fileMode, uid, and gid optional. Would they default to the
effective uid/gid/umask of the runtime process? Of the container process as
it will be when it execs any user-configured arguments?

—
Reply to this email directly or view it on GitHub
https://github.com/opencontainers/specs/pull/298/files#r51053200.

[vishh]

What I was saying was that, it is possible to use the struct without
specifying this field. Hence it is optional.
On Wed, Jan 27, 2016 at 1:35 PM Vishnu Kannan vishnuk@google.com wrote:

Defaults can also depend on it setgid bit is set on the parent dir I
think. But it shouldn't matter from the Spec level.

On Wed, Jan 27, 2016 at 1:31 PM W. Trevor King notifications@github.com
wrote:

In config-linux.md
#298 (comment):

-* permissions (string, optional) - cgroup permissions for device. A composition of r (read), w (write), and m (mknod).

-* fileMode (uint32, optional) - file mode for device file

-* uid (uint32, optional) - uid of device owner

-* gid (uint32, optional) - gid of device owner

-fileMode, uid and gid are required if path is given and are otherwise not allowed.
+* type (char, required) - type of device: c, b, u or p.

• More info in [mknod(1)][mknod.1].
  +* path (string, required) - full path to device inside container.
  +* major, minor (int64, required) - [major, minor numbers][devices] for the device.
  +* fileMode (uint32, required) - file mode for the device.
• You can also control access to devices with cgroups.

On Wed, Jan 27, 2016 at 01:13:14PM -0800, Vish Kannan wrote: > +*
fileMode (uint32, required) - file mode for the device. > + You can
also control access to devices with cgroups. Are the
following fields required?
I'm fine making fileMode, uid, and gid optional. Would they default to
the effective uid/gid/umask of the runtime process? Of the container
process as it will be when it execs any user-configured arguments?

—
Reply to this email directly or view it on GitHub
https://github.com/opencontainers/specs/pull/298/files#r51053200.

[wking]

Ok, I just pushed ddd56d8 → 7d5b027, which I think addresses all the optional/required issues. I put some comments on the changes with references, etc., in the new commit message if reviewers want to look those over alongside the diff. The commit message cites mknod, but obviously the bind-mount approach to supplying devices would also work without fileMode, uid, or gid specified.

[crosbymichael]

I don't really understand this allow and access and how they work together. Can you explain better to me?

[tonistiigi]

I think allow is devices.allow vs devices.deny and rwm is read, write, mknod.

[wking]

On Wed, Jan 27, 2016 at 03:30:42PM -0800, Tõnis Tiigi wrote:

+* allow (boolean, required) - whether the entry is allowed or denied.

I think allow is devices.allow vs devices.deny and 'rwm` is
read, write, mknod.

That's right. What wording should I add to make it more clear?

[crosbymichael]

ahh, i guess i get what would happen

[crosbymichael]

LGTM

[mrunalp]

LGTM