From 235610dd3bd703e7c268aae7207c65e164019403 Mon Sep 17 00:00:00 2001
From: "W. Trevor King"
Date: Fri, 3 Feb 2017 11:43:15 -0800
Subject: [PATCH] config: Make default Linux filesystems an example

The MUST default-filesystem wording altered in 279c3c09 (linux: relax
filesystem requirements for container, 2017-01-23, #666) had read (to
me, anyway) as:

    The runtime MUST supply these even if the config doesn't call for
    them in mounts.

with 279c3c09 weakening it to:

    The runtime SHOULD supply these even if the config doesn't call
    for them in mounts.

But that's not very useful (callers that *need* a given mount will
still have to configure it explicitly).  However, one interpretation
of the 279c3c09 wording seems to be something like [1]:

    Config authors probably want to include mounts entries for these.

That's fine, and this commit tries to make that interpretation more
obvious by shifting the config recommendation over to the Linux
'mounts' example.  The values I'm using are straight from [2].

[1]: https://github.com/opencontainers/runtime-spec/pull/666#issuecomment-277067251
[2]: https://github.com/opencontainers/runtime-tools/pull/24

Signed-off-by: W. Trevor King
---
 config-linux.md | 14 --------------
 config.md       | 41 +++++++++++++++++++++++++++++++++++------
 2 files changed, 35 insertions(+), 20 deletions(-)

diff --git a/config-linux.md b/config-linux.md
index 404072f7b..9a1f50333 100644
--- a/config-linux.md
+++ b/config-linux.md
@@ -3,20 +3,6 @@ This document describes the schema for the [Linux-specific section](config.md#platform-specific-configuration) of the [container configuration](config.md). The Linux container specification uses various kernel features like namespaces, cgroups, capabilities, LSM, and filesystem jails to fulfill the spec. -## Default Filesystems - -The Linux ABI includes both syscalls and several special file paths. -Applications expecting a Linux environment will very likely expect these file paths to be setup correctly. - -The following filesystems SHOULD be made available in each container's filesystem: - -| Path | Type | -| -------- | ------ | -| /proc | [procfs](https://www.kernel.org/doc/Documentation/filesystems/proc.txt) | -| /sys | [sysfs](https://www.kernel.org/doc/Documentation/filesystems/sysfs.txt) | -| /dev/pts | [devpts](https://www.kernel.org/doc/Documentation/filesystems/devpts.txt) | -| /dev/shm | [tmpfs](https://www.kernel.org/doc/Documentation/filesystems/tmpfs.txt) | - ## Namespaces A namespace wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource. diff --git a/config.md b/config.md index 8925318e1..5419b1e10 100644 --- a/config.md +++ b/config.md 
@@ -63,19 +63,48 @@ For Solaris, the mounts corresponds to fs resource in zonecfg(8). ### Example (Linux) +## Common Linux Filesystems + +The Linux ABI includes both syscalls and several special file paths. +Applications expecting a Linux environment will very likely expect these file paths to be setup correctly. +Configuration authors interested in providing common filesystems can consider entries like: + ```json "mounts": [ { - "destination": "/tmp", + "destination": "/proc", + "type": "proc", + "source": "proc" + }, + { + "destination": "/dev", "type": "tmpfs", "source": "tmpfs", - "options": ["nosuid","strictatime","mode=755","size=65536k"] + "options": ["nosuid", "strictatime", "mode=755", "size=65536k"] + }, + { + "destination": "/dev/pts", + "type": "devpts", + "source": "devpts", + "options": ["nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"] + }, + { + "destination": "/dev/shm", + "type": "tmpfs", + "source": "shm", + "options": ["nosuid", "noexec", "nodev", "mode=1777", "size=65536k"] + }, + { + "destination": "/dev/mqueue", + "type": "mqueue", + "source": "mqueue", + "options": ["nosuid", "noexec", "nodev"] }, { - "destination": "/data", - "type": "bind", - "source": "/volumes/testing", - "options": ["rbind","rw"] + "destination": "/sys", + "type": "sysfs", + "source": "sysfs", + "options": ["nosuid", "noexec", "nodev", "ro"] } ] ```
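Review bot: Dropping the whole "Default Filesystems" section from config-linux.md leaves no pointer from the Linux-specific document to where the guidance went, and the four kernel documentation links (procfs, sysfs, devpts, tmpfs) in the removed table do not reappear anywhere in the patch. Consider leaving a one-line cross-reference in config-linux.md to the new config.md section, and carrying the links into that section's prose so the normative-to-example move does not also lose the references.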
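Review bot: The new `## Common Linux Filesystems` heading is a level-2 heading inserted directly under `### Example (Linux)`, so the example JSON now sits under a new top-level section and the `### Example (Linux)` heading is left with no body; either place the prose before `### Example (Linux)` or lower the heading to `####` so it stays inside the mounts subsection. Two further points on the content of the hunk: every entry except `/proc` carries `nosuid`, `noexec`, `nodev` (and `/sys` is additionally `ro`), so the bare `/proc` entry reads as an oversight rather than a choice, and since the example is what authors will copy it is worth stating that omission deliberately or adding those options; and replacing the old `/tmp` tmpfs and `/data` bind entries means the mounts section no longer shows a `bind` mount at all (`"type": "bind"`, `"options": ["rbind","rw"]`), which was the one example of the most common non-pseudo-filesystem case. Also, `setup` in "to be setup correctly" should be "set up" (carried over from the removed text).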