[Merged] features-linux: Expose idmap information #1219

19 changes: 19 additions & 0 deletions features-linux.md
@@ -209,3 +209,22 @@ Irrelevant to the availability of Intel RDT on the host operating system.
"enabled": true
}
```

## <a name="linuxFeaturesMountExtensions" />MountExtensions

**`mountExtensions`** (object, OPTIONAL) represents whether the runtime supports certain mount features, irrespective of the availability of the features on the host operating system.

* **`idmap`** (object, OPTIONAL) represents whether the runtime supports idmap mounts using the `uidMappings` and `gidMappings` properties of the mount.
* **`enabled`** (bool, OPTIONAL) represents whether the runtime parses and attempts to use the `uidMappings` and `gidMappings` properties of mounts if provided.
Note that it is possible for runtimes to have partial implementations of id-mapped mounts support (such as only allowing mounts which have mappings matching the container's user namespace, or only allowing the id-mapped bind-mounts).
In such cases, runtimes MUST still set this value to `true`, to indicate that the runtime recognises the `uidMappings` and `gidMappings` properties.
Member

How to detect whether the runtime supports arbitrary mapping?

Contributor Author

@AkihiroSuda We can add other fields for that.

I'm not convinced it is useful, though. From the high-level container runtime, it is not that you will choose different mappings if that is supported or not. You need the mappings you need, and all you care about is that runc will not just ignore the setting and create a big mess (as files in volumes will be owned by the hostUID/GID, etc.).

If that is not supported, what you want is runc to throw an error, not discover it via features IMHO. So, I don't see why exposing that would be useful.

Member

Knowing the support level is useful for the same reason the rest of the features subcommand is useful -- it means you don't have to trial-and-error test which features are available.

@AkihiroSuda I will open an issue where we can flesh out which extra fields we want (based on the above discussion). I felt that merging this as-is is okay, as we can discuss the details of extending it separately.

Contributor Author

@cyphar can you cc me?

Contributor Author

Oh, it is already open


### Example

```json
"mountExtensions": {
"idmap":{
"enabled": true
}
}
```
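Review bot: the `enabled` bullet does not say what a consumer may rely on when the value is `true`, because the sentence that follows requires partial implementations to report `true` as well; this is exactly the gap raised in the thread ("How to detect whether the runtime supports arbitrary mapping?"). Add one sentence stating that a runtime reporting `true` MUST fail the container rather than silently ignore `uidMappings`/`gidMappings` it cannot honour, so that `true` at least rules out the silent fall-back to host-owned files described in the discussion, and leave finer-grained fields to the follow-up issue. Minor: the example's `"idmap":{` is missing the space after the colon that `"enabled": true` uses.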
13 changes: 13 additions & 0 deletions schema/features-linux.json
@@ -97,6 +97,19 @@
"type": "boolean"
}
}
},
"mountExtensions": {
"type": "object",
"properties": {
"idmap": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
}
}
}
}
}
}
}
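Review bot: the new `mountExtensions` and `idmap` objects declare no `additionalProperties` constraint, so a document with a misspelled key under `idmap` (for instance `enable`) still validates, and a consumer then reads `enabled` as absent, that is "unknown", instead of getting a validation error. If the surrounding schema deliberately leaves objects open this is consistent; otherwise add `"additionalProperties": false` to both new objects.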
24 changes: 19 additions & 5 deletions specs-go/features/features.go
@@ -36,11 +36,12 @@ type Linux struct {
// Nil value means "unknown", not "no support for any capability".
Capabilities []string `json:"capabilities,omitempty"`

Cgroup *Cgroup `json:"cgroup,omitempty"`
Seccomp *Seccomp `json:"seccomp,omitempty"`
Apparmor *Apparmor `json:"apparmor,omitempty"`
Selinux *Selinux `json:"selinux,omitempty"`
IntelRdt *IntelRdt `json:"intelRdt,omitempty"`
Cgroup *Cgroup `json:"cgroup,omitempty"`
Seccomp *Seccomp `json:"seccomp,omitempty"`
Apparmor *Apparmor `json:"apparmor,omitempty"`
Selinux *Selinux `json:"selinux,omitempty"`
IntelRdt *IntelRdt `json:"intelRdt,omitempty"`
MountExtensions *MountExtensions `json:"mountExtensions,omitempty"`
}

// Cgroup represents the "cgroup" field.
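Review bot: `MountExtensions` is a pointer, so a nil value needs defined semantics, but the only nil comment in this hunk (`Nil value means "unknown", not "no support for any capability".`) belongs to `Capabilities`. Add a doc comment on the new field, e.g. `// MountExtensions: nil means "unknown", not "no mount extensions supported".`, so a consumer does not read an older runtime's missing field as a negative answer. The re-indentation of `Cgroup` through `IntelRdt` is gofmt alignment only and carries no semantic change.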
@@ -123,3 +124,16 @@ type IntelRdt struct {
// Nil value means "unknown", not "false".
Enabled *bool `json:"enabled,omitempty"`
}

// MountExtensions represents the "mountExtensions" field.
type MountExtensions struct {
// IDMap represents the status of idmap mounts support.
IDMap *IDMap `json:"idmap,omitempty"`
}

type IDMap struct {
// Enabled represents whether idmap mounts supports is compiled in.
// Unrelated to whether the host supports it or not.
// Nil value means "unknown", not "false".
Enabled *bool `json:"enabled,omitempty"`
}
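Review bot: `type IDMap struct` is exported but has no doc comment, unlike `MountExtensions` directly above it; add `// IDMap represents the "idmap" field.` to match the `// Cgroup represents the "cgroup" field.` convention used in this file. Also a typo in the `Enabled` comment: `whether idmap mounts supports is compiled in` should read `whether idmap mounts support is compiled in`.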