From cca6b658037644f9b39a21b6673faa2d965814d6 Mon Sep 17 00:00:00 2001
From: "W. Trevor King"
Date: Mon, 19 Sep 2016 13:58:18 -0700
Subject: [PATCH] config-linux: Require no cgroup tweaks when linux.resources is unset

Or empty. Using:

  "resources": {}

should mean the same thing as:

  "resources": null

or as not specifying 'resources' at all, so we can drop the "Do not
specify" requirement. It's good to be clear about what leaving the
properties unset/empty means though. I'd prefer a config-wide rule
like [1], but if that is too much to bite off I expect we can at
least do that for cases where a new container is joining an existing
cgroup.

[1]: https://groups.google.com/a/opencontainers.org/forum/#!topic/dev/DWdystx5X3A
     Subject: Exposing platform defaults
     Date: Thu, 14 Jan 2016 15:36:26 -0800
     Message-ID: <20160114233625.GN6362@odin.tremily.us>

Signed-off-by: W. Trevor King
---
 config-linux.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/config-linux.md b/config-linux.md
index 996b546a5..29b1194e9 100644
--- a/config-linux.md
+++ b/config-linux.md
@@ -172,9 +172,9 @@ The Spec does not include naming schema for cgroups. The Spec does not support per-controller paths for the reasons discussed in the [cgroupv2 documentation][cgroup-v2]. The cgroups will be created if they don't exist. -You can configure a container's cgroups via the `resources` field of the Linux configuration. -Do not specify `resources` unless limits have to be updated. -For example, to run a new process in an existing container without updating limits, `resources` need not be specified. +You can configure a container's cgroups via the OPTIONAL `resources` property. +When `resources` is empty or unset, the runtime MUST NOT alter properties of existing cgroups. +When a subset of `resources` is empty or unset, the runtime MUST NOT alter the properties of existing cgroups covered by that subset. A runtime MUST at least use the minimum set of cgroup controllers required to fulfill the `resources` settings. However, a runtime MAY attach the container process to additional cgroup controllers supported by the system.
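Review bot: In the third added line, "a subset of `resources` is empty or unset" does not say what the subset is made of, so a reader cannot tell whether an empty child object, an omitted individual setting inside one, or both are covered. Wording it per property would be clearer, for example "When a property of `resources` is empty or unset, the runtime MUST NOT alter the cgroup properties that it would configure." The second added line also leaves "empty" undefined: the commit message equates `{}`, `null` and omission, but the new spec text never mentions `null`, so that equivalence should be stated in the document itself. Both MUST NOT clauses are scoped to "existing cgroups", while the context line above says the cgroups "will be created if they don't exist"; what a runtime has to do for a newly created cgroup when `resources` is unset is therefore unspecified, and a sentence covering that case would stop runtimes from diverging on which limits a new container ends up with. The removed sentence about running a new process in an existing container was the only concrete illustration of the rule and could be kept as a non-normative example.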