Add fd section for linux container process#113
Add fd section for linux container process#113mrunalp wants to merge 1 commit intoopencontainers:masterfrom
Conversation
|
I think we need to specify the mechanism for configuring which file The bundle author might want a way to map file descriptor names to a |
There was a problem hiding this comment.
perhaps pass instead of leak?
There was a problem hiding this comment.
also, I think we should settle on something other than "container process" as the word container means too many things today. "application" seems reasonable to me.
There was a problem hiding this comment.
container process should be container's init process i think. Do we want to pass extra file descriptors for non-init process ?
There was a problem hiding this comment.
@dqminh what is an "init" process? In my mind "init" is /sbin/init and I don't think the runtime should care whether it is a non-init or init process.
There was a problem hiding this comment.
hmm i was thinking of init process as the first process that is running inside the container, as we can execute multiple processes over the lifetime of the container.
There was a problem hiding this comment.
http://man7.org/linux/man-pages/man7/pid_namespaces.7.html calls it as the "init" process for the pid namespace. However, we could be in a situation where we don't use a new pid namespace.
There was a problem hiding this comment.
i'm fine with calling it an application. I think we should standardize one term for it through out the specs. application sounds fine as user may want to run it inside a VM instead of container for example. Then process/init process is not so approriate.
There was a problem hiding this comment.
Well, application implies that there is only one application being run in the container whereas in reality there could be many.
There was a problem hiding this comment.
@mrunalp As defined today an OCI bundle only has a single application.
|
Since the use case here is running services inside containers with a mapped handle between the host and the container, why not use terminology like service, handles and host mapping? |
There was a problem hiding this comment.
stdin, stdout, and stderr only seem to be attached between the runtime and the application when process.terminal is false. When it's true, the applications standard streams are attached to a TTY. See (1).
There was a problem hiding this comment.
Yes, what those fds point to depends on the TTY setting, but the main point being that these are open for the application process.
There was a problem hiding this comment.
On Fri, Aug 28, 2015 at 08:21:14AM -0700, Mrunal Patel wrote:
Yes, what those fds point to depends on the TTY setting, but the
main point being that these are open for the application process.
Ah, good point.
the standard streams should maybe not be in backticks. Alternatively,
these existing occurrences should be in backticks [1,2] ;).
|
LGTM |
|
@LK4D4 That is left as an implementation detail to the runtime. For e.g. using environment variables like in opencontainers/runc#231. What we concluded was that having a serializable field in the spec json for ExtraFields doesn't make much sense as the fds and what values they have is dynamic and determined at runtime. What could make sense instead over there is passing fds for specific files. |
|
@mrunalp Hmm, I don't like implementation detail, why we need anything in spec then? Why this field can't be in runtime? |
|
LGTM |
|
I would like for the section to expand to explain that some of the fds may be opened but connected to /dev/null (like stdin). |
|
@LK4D4 Yeah, so we aren't adding anything to the spec. Just saying that the runtimes may pass additional fds. If we want to standardize that then we may have to prescribe environment variables like OCI_LISTEN_FDS and OCI_LISTEN_FDS_START but they will still have to set from the application specific ones to make sense. |
Signed-off-by: Mrunal Patel <[email protected]>
|
LGTM |
There was a problem hiding this comment.
/dev/null should probably be in backticks.
|
Most everyone has LGTM'd this so I am going to fix the one nit about backticks around the |
|
Merged via e3ee431 |
|
@philips Thanks! |
This landed in runC with [1], but the bundle-author <-> runtime specs explicitly avoid talking about how this is set (since the bundle-author doesn't care about the runtime-caller <-> runtime interface) [2]. However, *this* spec is about the runtime-caller <-> runtime interface, so we need to document it here. I've left LISTEN_PID [3,4] out, since I don't see how the runtime-caller would choose anything other than 1 for its value. It seems like something that a process would have to set for itself (because guessing the PID of a child before spawning it seems racy ;). In any event, the runC implementation seems to set this to 1 regardless of what systemd passes to it [4]. I've borrowed Shishir's wording for the example [4]. [1]: opencontainers/runc#231 [2]: opencontainers/runtime-spec#113 (comment) [3]: http://www.freedesktop.org/software/systemd/man/sd_listen_fds.html [4]: opencontainers/runc#231 (comment) Signed-off-by: W. Trevor King <[email protected]>
This landed in runC with [1], but the bundle-author <-> runtime specs explicitly avoid talking about how this is set (since the bundle-author doesn't care about the runtime-caller <-> runtime interface) [2]. However, *this* spec is about the runtime-caller <-> runtime interface, so we need to document it here. I've left LISTEN_PID [3,4] out, since I don't see how the runtime-caller would choose anything other than 1 for its value. It seems like something that a process would have to set for itself (because guessing the PID of a child before spawning it seems racy ;). In any event, the runC implementation seems to set this to 1 regardless of what systemd passes to it [4]. I've borrowed Shishir's wording for the example [4]. [1]: opencontainers/runc#231 [2]: opencontainers/runtime-spec#113 (comment) [3]: http://www.freedesktop.org/software/systemd/man/sd_listen_fds.html [4]: opencontainers/runc#231 (comment) Signed-off-by: W. Trevor King <[email protected]>
Closes #100
Signed-off-by: Mrunal Patel [email protected]