*: add support for cgroup namespace

[cyphar]

The cgroup namespace is a new kernel feature available in 4.6+ that
allows a container to isolate its cgroup hierarchy. This currently only
allows you to hide information from /proc/self/cgroup. But I'm currently
working with upstream on expanding it so that you can modify your
hierarchy inside a user namespace (even a rootless container).

Signed-off-by: Aleksa Sarai asarai@suse.de

[vbatts]

seems fine. Is this needing to wait on upstream linux or runc?

[cyphar]

This has been merged into Linux and will be released in 4.6. I'd still recommend waiting on the release. The great thing about this API is that its compile-time switch is CONFIG_CGROUPS, so if you have a >=4.6 kernel with cgroups you automatically get this namespace.

[vbatts]

oh nice. That smooth the transition for sure.

On Mon, Apr 25, 2016 at 11:35 AM, Aleksa Sarai notifications@github.com
wrote:

This has been merged into Linux and will be released in 4.6. I'd still
recommend waiting on the release. The great thing about this API is that
its compile-time switch is CONFIG_CGROUPS, so if you have a >=4.6 kernel
with cgroups you automatically get this namespace.

—
You are receiving this because you commented.
Reply to this email directly or view it on GitHub
#397 (comment)

[mrunalp]

👍 We can merge this and add it to runc once released.

[wking]

On Mon, Apr 25, 2016 at 08:14:24AM -0700, Aleksa Sarai wrote:

M schema/defs-linux.json (3)
M specs-go/config.go (2)

We also want docs in config-linux.md#namespaces, and possibly an
addition to the example in that section and the full example in
config.md.

[cyphar]

@wking I've added examples and explanations in the docs.

[wking]

Reference 4.6 as the release that landed this feature?

[cyphar]

Done.

[vishh]

How do we handle incompatibility with new kernel features as of now? Is the Spec attempting to provide some means of discovery of the features that a given kernel supports?

[mrunalp]

@vishh I think probably leave that to the runtime.

[vishh]

@mrunalp: That would affect client portability right? Is cross-runtime
portability a goal?

On Mon, Apr 25, 2016 at 2:30 PM, Mrunal Patel notifications@github.com
wrote:

@vishh https://github.com/vishh I think probably leave that to the
runtime.

—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#397 (comment)

[cyphar]

@vishh We can make it clear in the spec that a runtime implementation must fail if it can't create all of the requested namespaces. Anything outside of that should be left to the runtime to handle (such as figuring out whether or not it can create the namespaces).

[wking]

9926619 looks good to me. I don't mind whether the
fail-if-not-supported language 1 lands via this PR or a separate PR.

[mrunalp]

Can we modify the text here - that it sees an isolated/virtualized view of the cgroup heirarchy? The manage portion doesn't quite work well yet ;)

We can use text from here https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d4021f6cd41f03017f831b3d40b0067bed54893d

[cyphar]

Heh, it was a bit ambitious for a description. ;)

[cyphar]

@mrunalp Updated. I've also added the "must fail" wording as @wking requested.

[mrunalp]

I think we can drop 'so as not to lull the user into a false sense of security'. Otherwise looks fine.

[cyphar]

Fix'd.

[mrunalp]

LGTM

[wking]

For consistency withruntime.md`, we should probably use “generate an error”. Although @vishh's concern was broader than namespaces, so I think we might want to put this language in step 2 of the lifecycle.

Also, one line per sentence ;).

[cyphar]

Also, one line per sentence ;).

Eww. 80 characters is objectively the right wrapping. ;)
But yes, I'll update the lifecycle documentation then.

[cyphar]

@wking @mrunalp I've updated things as requested. The documentation is now accurate about what the cgroup namespace does -- and I've added an extra line to the lifecycle documentation to make clear that a runtime must generate an error if it can't set up the environment requested by a container.

[wking]

On Fri, May 27, 2016 at 05:02:18AM -0700, Aleksa Sarai wrote:

@wking @mrunalp I've updated things as requested.

Heh, f0e4d33 → a021e63 becomes much more excited about isolation (from
“only really hides” to “invaluable for hiding” ;).

Anyhow, the tip commit (058860b) looks good (and can be cherry-picked
into a new PR and landed now as far in my view, although I'm not a
maintainer).

I'm not sure about the penultimate commit; will leave an inline comment.

[wking]

This is new with your recent reroll, and rolls back #158. What has changed since #158? The motivation for this line was “we may support join-and-tweak if someone gives a convincing use-case, but we're banning it for now”, but you're removing it (in a drive-by change?) while adding a cgroup namespace, and I don't see the connection.

[cyphar]

Urgh, looks like it was a dodgy rebase. I'll fix this up.

EDIT: Fixed.

[wking]

“runtimme” → “runtime”.

[wking]

Or maybe just drop that second “runtime” instances and say “… the environment specified…”.

[wking]

Also, you probably want a comma after config.json: “If … config.json, it MUST generate an error.”

[cyphar]

Fixed. And I fixed up the email madness.

[wking]

Everything through 5d3c351 looks pretty good to me (just a few copy-edit suggestions for the tip commit). And you're using two different emails, in case you wanted to adjust those before this lands.

[wking]

Everything through 3ce281c looks good to me.

[mrunalp]

One sentence per line. Otherwise looks good.

[cyphar]

Damn, I swore I fixed this.

[philips]

I don't know if you can do this with lists in md @mrunalp

[tianon]

As discussed in the call, my $0.02 on whether to include kernel versions of required features in the spec, I don't think it's really strictly necessary for the spec -- having a separate "cheat sheet" might make sense (mapping features to minimum kernel versions), but if the information is reasonably readily available elsewhere, then I think it's sufficient for the tools to simply error out when unsupported features are used (relying more on the runtime check than fuzzy kernel version matching, which RedHat has a habit of throwing a wrench in 😄).

[crosbymichael]

Yes, we are not recording the history of the linux kernel in this spec.

[mrunalp]

@cyphar could you update the PR to address the comments? We kinda need this for 1.0 :)
Thanks!

[crosbymichael]

I wouldn't say that this is a blocker for 1.0. Its adding an option and does not affect schema or anything so it can come at any time.

[mrunalp]

Yeah, not a hard blocker but will be nice to have since it is so close to being merged.

[cyphar]

So you want me to remove all of the "This is available since Linux X.Y.Z" sentences?

[mrunalp]

@cyphar Yes. That's what we discussed and agreed to in the OCI call yesterday.

[philips]

LGTM

Agreed on removing the kernel versions. It is meaningless given some Linux distros do tons of backporting.

[cyphar]

@opencontainers/runtime-spec-maintainers There, I've removed the kernel versions.

[mrunalp]

LGTM

[crosbymichael]

LGTM

[crosbymichael]

@mrunalp @philips you have to LGTM again because the commits were updated

[vbatts]

LGTM