Skip to content

Commit a3ef036

Browse files
wkingwking
committed
config: process.user.username is implementation-defined on Windows
On POSIX (currently Linux and Solaris), `uid` and `gid` are required. My preferred approach here is to make those optional and use platform defaults [1,2]: If unset, the runtime will not attempt to manipulate the user ID (e.g. not calling setuid(2) or similar). But the maintainer consensus is that they want those to be explicitly required properties [3,4,5]. The Windows `username`, on the other hand, was optional, although the default behavior is unclear. I see no discussion in f9e48e0 (Windows: User struct changes, 2016-09-14, #565) or its pull-request discussion to suggest whether this was intentionally approved or not. When I asked whether the optional-ness was intentional, Michael said [6]: No, both should be made explicit unless there is something on windows that prohibits this. However, when I filed a pull request to make the property required, John pushed back [7] and prefered implementation-defined default behavior. I'm still not clear if that satisfies Michael's "prohibits" condition, but having optional user values is closer to my personal preference than requiring the property, and John seems to be fairly strongly against requiring the property, so this commit documents the default value to make the OPTIONAL-ness useful. I've also added the property to the JSON Schema for validation. The empty-string bit follows wording from 'annotations', and avoids ambiguity with the non-pointer Go property. I doubt empty-string usernames would work, and having the restriction in the spec allows for us to validate this in runtime-tools (vs. passing validation and then failing to launch a container when the runtime chokes on the empty string). [1]: https://groups.google.com/a/opencontainers.org/forum/#!topic/dev/DWdystx5X3A [2]: #417 (comment) Subject: Exposing platform defaults Date: Thu, 14 Jan 2016 15:36:26 -0800 Message-ID: <[email protected]> [3]: http://ircbot.wl.linuxfoundation.org/meetings/opencontainers/2016/opencontainers.2016-05-04-17.00.log.html#l-44 [4]: #417 (comment) [5]: #417 (comment) [6]: #618 (comment) [7]: #760 (comment) [8]: #760 (comment) Signed-off-by: W. Trevor King <[email protected]>
1 parent 4754b55 commit a3ef036

2 files changed

Lines changed: 7 additions & 0 deletions

File tree

config.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -260,6 +260,8 @@ _Note: symbolic name for uid and gid, such as uname and gname respectively, are
260260
For Windows based systems the user structure has the following fields:
261261

262262
* **`username`** (string, OPTIONAL) specifies the user name for the process.
263+
The value MUST NOT be an empty string.
264+
The default `username` is implementation-defined.
263265

264266
### Example (Windows)
265267

schema/config-schema.json

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -130,6 +130,11 @@
130130
"additionalGids": {
131131
"id": "https://opencontainers.org/schema/bundle/process/user/additionalGids",
132132
"$ref": "defs.json#/definitions/ArrayOfGIDs"
133+
},
134+
"username": {
135+
"id": "https://opencontainers.org/schema/bundle/process/user/username",
136+
"type": "string",
137+
"minLength": 1
133138
}
134139
}
135140
},

0 commit comments

Comments
 (0)