Commit 7979d20

config: Clarify capabilities(7) as the canonical source of Linux caps
With the "valid values it chooses to not support" language from 718f9f3 (origin/pr/673) minor narrative cleanup regarding config compatibility, 2017-01-30, opencontainers#673), the runtime is clearly free to support a subset of the platform's capabilities. But the runtime should not be free to change the semantics of valid values (e.g. CAP_CHOWN should always mean the same thing on Linux, regardless of which runtime you use).

Signed-off-by: W. Trevor King <[email protected]>
1 parent e8d689d commit 7979d20

1 file changed: +4 -1 lines
config.md

Lines changed: 4 additions & 1 deletion
@@ -131,7 +131,9 @@ For Windows, see links for details about [mountvol](http://ss64.com/nt/mountvol.
131131
* **`env`** (array of strings, OPTIONAL) with the same semantics as [IEEE Std 1003.1-2001's `environ`][ieee-1003.1-2001-xbd-c8.1].
132132
* **`args`** (array of strings, REQUIRED) with similar semantics to [IEEE Std 1003.1-2001 `execvp`'s *argv*][ieee-1003.1-2001-xsh-exec].
133133
This specification extends the IEEE standard in that at least one entry is REQUIRED, and that entry is used with the same semantics as `execvp`'s *file*.
134-
* **`capabilities`** (array of strings, OPTIONAL) is an array that specifies the set of capabilities of the process(es) inside the container. Valid values are platform-specific. For example, valid values for Linux are defined in the [CAPABILITIES(7)](http://man7.org/linux/man-pages/man7/capabilities.7.html) man page.
134+
* **`capabilities`** (array of strings, OPTIONAL) is an array that specifies the set of capabilities of the process(es) inside the container.
135+
Valid values are platform-specific.
136+
On Linux, valid values and their semantics are defined in the [capabilies(7) man page][capabilities.7].
135137
* **`rlimits`** (array of objects, OPTIONAL) allows setting resource limits for a process inside the container.
136138
Each entry has the following structure:
137139
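Review bot: new line 136 misspells the man page name as "capabilies(7)"; the reference label `[capabilities.7]` is spelled correctly, so the link still resolves, but the visible text should read `[capabilities(7) man page][capabilities.7]`. Otherwise the split into three sentences matches the commit message: "Valid values are platform-specific." keeps the runtime's freedom to support a subset, and "valid values and their semantics are defined in" pins the meaning of each Linux value to capabilities(7) rather than to the runtime.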

@@ -775,6 +777,7 @@ Here is a full example `config.json` for reference.
775777
}
776778
```
777779

780+
[capabilities.7]: http://man7.org/linux/man-pages/man7/capabilities.7.html
778781
[container-namespace]: glossary.md#container-namespace
779782
[go-environment]: https://golang.org/doc/install/source#environment
780783
[ieee-1003.1-2001-xbd-c8.1]: http://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap08.html#tag_08_01
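Review bot: the added `[capabilities.7]` definition carries the same URL as the inline link removed from old line 134, so this hunk only relocates it to the reference list, and it is inserted in alphabetical order ahead of `[container-namespace]`, consistent with the existing entries. The one thing to verify is that the label matches the reference used in the text exactly; it does, since the text uses `[capabilities.7]` even though its visible link text has a typo.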
