access of device cgroup is optional depends on type#914
Closed
Mashimiao wants to merge 1 commit intoopencontainers:masterfrom
Closed
access of device cgroup is optional depends on type#914Mashimiao wants to merge 1 commit intoopencontainers:masterfrom
Mashimiao wants to merge 1 commit intoopencontainers:masterfrom
Conversation
Member
|
We usually error towards secure and explicit. This change would be the opposite of both. |
Contributor
|
On Fri, Aug 25, 2017 at 07:37:59AM +0000, Ma Shimiao wrote:
In Linux, only when type is a, access can be unset. So, I think if
we have to make access as OPTIONAL, let it to be `rwm` as default
may be better.
Or REQUIRE it when type is equivalent to ‘a’?
|
Author
|
On 08/26/2017 12:32 AM, W. Trevor King wrote:
Or REQUIRE it when type is equivalent to ‘a’?
Just the opposite.
When type is `a`, access can be OPTIONAL.
Otherwise, access must be REQURIE.
|
Mashimiao
force-pushed
the
device-cgroup-default
branch
from
f50c5dd to
0a245ef
Compare
Mashimiao
changed the title
Author
|
updated, PTAL |
wking
reviewed
Aug 31, 2017
config-linux.md
Outdated
| Unset value means "all", mapping to [`*` in the filesystem API][cgroup-v1-devices]. | ||
| * **`access`** *(string, OPTIONAL)* - cgroup permissions for device. | ||
| A composition of `r` (read), `w` (write), and `m` (mknod). | ||
| * When type is not `a`, `access` is REQUIRED. |
Contributor
There was a problem hiding this comment.
We don't define our property-specification syntax (I'd taken a stab at that in #747, see requirement-condition here), but our current pattern for conditionally-required properties would be:
access(string, REQUIRED whentypeisborc) - cgroup permissions for device.
A composition…
Existing examples are:
$ git grep 'REQUIRED \(when\|unless\)' v1.0.0 --
v1.0.0:config-linux.md:* **`major, minor`** *(int64, REQUIRED unless `type` is `p`)* - [major, minor numbers][devices] for the device.
v1.0.0:config.md: This property is REQUIRED when [`start`](runtime.md#start) is called.
v1.0.0:runtime.md:* **`pid`** (int, REQUIRED when `status` is `created` or `running` on Linux, OPTIONAL on other platforms) is the ID of the container process, as seen by the host.
Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
Mashimiao
force-pushed
the
device-cgroup-default
branch
from
0a245ef to
c997e61
Compare
Author
|
On 09/01/2017 04:38 AM, W. Trevor King wrote:
|v1.0.0:config-linux.md:* **`major, minor`** *(int64, REQUIRED unless `type` is `p`)* - [major, minor numbers][devices] for the device.|
I think the first one seems more elegant.
|
wking
reviewed
Sep 1, 2017
| Unset values mean "all", mapping to [`*` in the filesystem API][cgroup-v1-devices]. | ||
| * **`access`** *(string, OPTIONAL)* - cgroup permissions for device. | ||
| Unset value means "all", mapping to [`*` in the filesystem API][cgroup-v1-devices]. | ||
| * **`access`** *(string, REQUIRED unless `type` is `a`)* - cgroup permissions for device. |
Contributor
There was a problem hiding this comment.
I think this phrasing leaves the type-unset case (where type is only effectively a) less clear than my earlier recomendation. But whatever, I expect folks will get the idea.
Author
There was a problem hiding this comment.
I prefer this one, because when type is unset it mapped to a, so we may can say type is always set.
Author
|
ping @opencontainers/runtime-spec-maintainers |
1 similar comment
Author
|
ping @opencontainers/runtime-spec-maintainers |
Member
|
👎 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
In Linux, only when type is a, access can be unset. So, I think if we have to make access as OPTIONAL, let it to be
rwmas default may be better.Signed-off-by: Ma Shimiao mashimiao.fnst@cn.fujitsu.com