Skip to content

config: Clarify capabilities(7) as the canonical source of Linux caps #682

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

config: Clarify capabilities(7) as the canonical source of Linux caps #682

wants to merge 1 commit into from

Conversation

@wking
Copy link
Contributor

@wking wking commented Feb 7, 2017

With the “valid values it chooses to not support” language from #673, the runtime is clearly free to support a subset of the platform's capabilities. But the runtime should not be free to change the semantics of valid values (e.g. CAP_CHOWN should always mean the same thing on Linux, regardless of which runtime you use).

@wking
config: Clarify capabilities(7) as the canonical source of Linux caps
2f0b701 
With the "valid values it chooses to not support" language from
718f9f3 (origin/pr/673) minor narrative cleanup regarding config
compatibility, 2017-01-30, opencontainers#673), the runtime is clearly free to
support a subset of the platform's capabilities.  But the runtime
should not be free to change the semantics of valid values
(e.g. CAP_CHOWN should always mean the same thing on Linux, regardless
of which runtime you use).

Signed-off-by: W. Trevor King <[email protected]>
@wking
Copy link
Contributor Author

wking commented Feb 7, 2017
edited
Loading

Hmm, this is still not quite right. We may need to strengthen “semantics” and bind each property directly to something that can be directly tested for compliance. For example, by saying that values set in process.capabilities MUST be included in the result of a successful capget(2) call on the container process. There has been resistance to tying the spec implementation too tightly to the underlying kernel, but I don't see another way to justify compliance tests based on retrieving the process capabilities.

@crosbymichael
Copy link
Member

crosbymichael commented Feb 27, 2017

@wking You need to separate valid values and compliance from errors. Caps change and you have to defer to the underlying platform for validation. You cannot base compliance on the host system that you are running compliance tests on. The current wording in master is correct for what should happen.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@wking @crosbymichael