runtime-tools: Handle errors in specerror

There are some declared errors in specerror that have not been called to validate them. Now they are listed below, and we can discuss what needs to be done and what does not. If there’s anything you need to add or remove, you can edit directly.

Bundle

  • ConfigConstName: This REQUIRED file MUST be named config.json.

Config-linux

Namespace

  • NSProcInPath: The runtime MUST place the container process in the namespace associated with that path.
  • NSPathMatchTypeError: The runtime MUST generate an error if path is not associated with a namespace of type type.
  • NSNewNSWithoutPath: If path is not specified, the runtime MUST create a new container namespace of type type.
  • NSInheritWithoutType: If a namespace type is not specified in the namespaces array, the container MUST inherit the runtime namespace of that type.

User namespace mappings

  • ❌ UserNSMapOwnershipRO: The runtime SHOULD NOT modify the ownership of referenced filesystems to realize the mapping.

Devices

  • ❌ DevicesMajMinRequired: major, minor (int64, REQUIRED unless type is p) - major, minor numbers for the device.
  • DevicesErrorOnDup: The same type, major and minor SHOULD NOT be used for multiple devices.

Cgroups

  • ❌ CgroupsPathAbsOrRel: The value of cgroupsPath MUST be either an absolute path or a relative path.
  • CgroupsAbsPathRelToMount: In the case of an absolute path (starting with /), the runtime MUST take the path to be relative to the cgroups mount point.
  • CgroupsPathAttach: If the value is specified, the runtime MUST consistently attach to the same place in the cgroups hierarchy given the same value of cgroupsPath.
  • ❌ CgroupsPathError: Runtimes MAY consider certain cgroupsPath values to be invalid, and MUST generate an error if this is the case.

Device whitelist

  • DevicesApplyInOrder: The runtime MUST apply entries in the listed order.

Block IO

  • BlkIOWeightOrLeafWeightExist: You MUST specify at least one of weight or leafWeight in a given entry, and MAY specify both.

IntelRdt

  • ❌ IntelRdtPIDWrite: If intelRdt is set, the runtime MUST write the container process ID to the <container-id>/tasks file in a mounted resctrl pseudo-filesystem, using the container ID from start and creating the container-id directory if necessary.
  • ❌ IntelRdtNoMountedResctrlError: If no mounted resctrl pseudo-filesystem is available in the runtime mount namespace, the runtime MUST generate an error.
  • ❌ NotManipResctrlWithoutIntelRdt: If intelRdt is not set, the runtime MUST NOT manipulate any resctrl pseudo-filesystems.
  • ❌ IntelRdtL3CacheSchemaWrite: If l3CacheSchema is set, runtimes MUST write the value to the schemata file in the <container-id> directory discussed in intelRdt.
  • ❌ IntelRdtL3CacheSchemaNotWrite: If l3CacheSchema is not set, runtimes MUST NOT write to schemata files in any resctrl pseudo-filesystems.

Config-Windows

HyperV

  • ❌ WindowsHyperVPresent: If present, the container MUST be run with Hyper-V isolation.
  • ❌ WindowsHyperVOmit: If omitted, the container MUST be run as a Windows Server container.

Config

Root

  • RootOnWindowsRequired: On Windows, for Windows Server Containers, this field is REQUIRED.

Mounts

  • ❌ MountsOptionsOnWindowsROSupport: Windows: runtimes MUST support ro, mounting the filesystem read-only when ro is given.

Process

  • ❌ ProcRequiredAtStart: This property is REQUIRED when start is called. (same with StartWithProcUnsetGenError)
  • ❌ ProcConsoleSizeIgnore: Runtimes MUST ignore consoleSize if terminal is false or unset.

POSIX process

  • PosixProcRlimitsTypeGenError: The runtime MUST generate an error for any values which cannot be mapped to a relevant kernel interface.
  • ❌ PosixProcRlimitsTypeGet: For each entry in rlimits, a getrlimit(3) on type MUST succeed.
  • PosixProcRlimitsSoftMatchCur: rlim.rlim_cur MUST match the configured value.
  • PosixProcRlimitsHardMatchMax: rlim.rlim_max MUST match the configured value.

Linux Process

  • LinuxProcCapError: Any value which cannot be mapped to a relevant kernel interface MUST cause an error.
  • ❌ LinuxProcOomScoreAdjNotSet: If oomScoreAdj is not set, the runtime MUST NOT change the value of oom_score_adj.

POSIX-platform Hooks

  • PosixHooksCalledInOrder: Hooks MUST be called in the listed order.
  • PosixHooksStateToStdin: The state of the container MUST be passed to hooks over stdin so that they may do work appropriate to the current state of the container.

Annotations

  • ❌ AnnotationsKeyValueMap: Annotations MUST be a key-value map.
  • ❌ AnnotationsKeyRequired: Keys MUST NOT be an empty string.
  • AnnotationsKeyReversedDomain: Keys SHOULD be named using a reverse domain notation - e.g. com.example.myKey.
  • AnnotationsKeyReservedNS: Keys using the org.opencontainers namespace are reserved and MUST NOT be used by subsequent specifications.
  • AnnotationsKeyIgnoreUnknown: Implementations that are reading/processing this configuration file MUST NOT generate an error if they encounter an unknown annotation key.
  • ❌ AnnotationsValueString: Values MUST be strings.

Extensibility

  • ExtensibilityIgnoreUnknownProp: Runtimes that are reading or processing this configuration file MUST NOT generate an error if they encounter an unknown property.

Valid values

  • ValidValues: Runtimes that are reading or processing this configuration file MUST generate an error when invalid or unsupported values are encountered.

Runtime-Linux

  • DefaultRuntimeLinuxSymlinks: While creating the container (step 2 in the lifecycle), runtimes MUST create default symlinks if the source file exists after processing mounts.

Runtime

  • ❌ EntityOperSameContainer: The entity using a runtime to create a container MUST be able to use the operations defined in this specification against that same container.

State

  • ❌ StateIDUniq: id (string, REQUIRED) is the container’s ID. This MUST be unique across all containers on this host.
  • ❌ StateNewStatus: Additional values MAY be defined by the runtime, however, they MUST be used to represent new runtime states not defined above.
  • DefaultStateJSONPattern: When serialized in JSON, the format MUST adhere to the default pattern.

Lifecycle

  • ❌ EnvCreateImplement: The container’s runtime environment MUST be created according to the configuration in config.json.
  • ❌ EnvCreateError: If the runtime is unable to create the environment specified in the config.json, it MUST generate an error.
  • ConfigUpdatesWithoutAffect: Any updates to config.json after this step MUST NOT affect the container.
  • PrestartHookFailGenError: If any prestart hook fails, the runtime MUST generate an error, stop the container, and continue the lifecycle at step 9.
  • ❌ UndoCreateSteps: The container MUST be destroyed by undoing the steps performed during create phase (step 2).

Errors

  • ❌ ErrorsLeaveStateUnchange: Unless otherwise stated, generating an error MUST leave the state of the environment as if the operation were never attempted - modulo any possible trivial ancillary changes such as logging.

Warnings

  • ❌ WarnsLeaveFlowUnchange: Unless otherwise stated, logging a warning does not change the flow of the operation; it MUST continue as if the warning had not been logged.

Operations

  • ❌ DefaultOperations: Unless otherwise stated, runtimes MUST support the default operations.

Create

  • PropsApplyExceptProcOnCreate: All of the properties configured in config.json except for process MUST be applied.
  • ProcArgsApplyUntilStart: process.args MUST NOT be applied until triggered by the start operation.
  • PropApplyFailGenError: If the runtime cannot apply a property as specified in the configuration, it MUST generate an error.
  • PropApplyFailNotCreate: If the runtime cannot apply a property as specified in the configuration, a new container MUST NOT be created.

Start

  • StartWithoutIDGenError: start operation MUST generate an error if it is not provided the container ID.
  • StartNonCreateHaveNoEffect: Attempting to start a container that is not created MUST have no effect on the container.
  • StartNonCreateGenError: Attempting to start a container that is not created MUST generate an error.
  • StartProcImplement: start operation MUST run the user-specified program as specified by process.
  • StartWithProcUnsetGenError: start operation MUST generate an error if process was not set.

Kill

  • KillWithoutIDGenError: kill operation MUST generate an error if it is not provided the container ID.
  • KillNonCreateRunGenError: Attempting to send a signal to a container that is neither created nor running MUST generate an error.
  • KillSignalImplement: kill operation MUST send the specified signal to the container process.
  • KillNonCreateRunHaveNoEffect: Attempting to send a signal to a container that is neither created nor running MUST have no effect.

Delete

  • DeleteWithoutIDGenError: delete operation MUST generate an error if it is not provided the container ID.
  • DeleteNonStopHaveNoEffect: Attempting to delete a container that is not stopped MUST have no effect on the container.
  • DeleteNonStopGenError: Attempting to delete a container that is not stopped MUST generate an error.
  • DeleteResImplement: Deleting a container MUST delete the resources that were created during the create step.
  • DeleteOnlyCreatedRes: Note that resources associated with the container, but not created by this container, MUST NOT be deleted.

About this issue

  • Original URL
  • State: open
  • Created 6 years ago
  • Reactions: 1
  • Comments: 46 (22 by maintainers)

Commits related to this issue

Most upvoted comments

Currently, two parts of specerror are not verified: Namespaces and Cgroups. I don’t have any good ideas. @wking @alban Do you have any ideas?

Ideas how to implement the tests?

  • NSProcInPath: a test can bind mount a unshared ns on a specific path and do a readlink() + stat() on /proc/$pid/ns/{net,ipc...} and check that it is the same inode +same major/minor from the nsfs dev.
  • NSPathMatchTypeError: a test can do the bind mount, so it knows it would try to use the wrong type of namespace. It could also try a regular file and that should fail as well.
  • NSNewNSWithoutPath: we could at least test that the container ns is not the same as the runtime’s ns
  • NSInheritWithoutType: we could check that the container ns is the same as the runtime ns

We could either

  • use util.RuntimeOutsideValidate()
  • or pass environment variables/annotations on what to expect to the container process and use util.RuntimeInsideValidate.

UserNSMapOwnershipRO is marked as unverifiable ❌ but we could check by running a stat() from outside on a file in the rootfs, to check the UID & GID that the runtime didn’t do any chown.

I can give this a try. Edit: WIP branch

+2
alban on Mar 21, 2018

@q384566678 and I remove the ‘[ ]’ to list valid tasks only.

+1
liangchenye on Feb 8, 2018

I think this is done

ConfigConstName: This REQUIRED file MUST be named config.json.

We have ‘specConfig’ in validate.go. So these two ‘MUST’ are actually the same thing.

This REQUIRED file MUST reside in the root of the bundle directory and MUST be named config.json.
+1
liangchenye on Feb 7, 2018
Read more comments on GitHub
← runc: starting container process caused 'process_linux.go:245: running exec setns process for init caused "exit status 6"'
umoci: layer: Xattr unpack code is broken on Fedora/RHEL →