jonboulle
commented
9 years ago The reference to Linux namespaces is illustrative, not prescriptive, I just changed the wording on that to try make that clearer. I think if we try to describe things like the pod execution environment without referencing (as examples, not prescriptions) actual technologies it's going to be impossibly vague.
On Wed, May 6, 2015 at 9:23 AM, Walter Stanish notifications@github.com wrote:
- "Each app in a pod will start chrooted into its own unique read-write rootfs before execution."
chroot is far from Linux specific, but I am definitely sympathetic to phrasing this differently, perhaps "each app needs to be started within its root filesystem, with all entries in the filesystem available at their absolute paths. For example, on POSIX systems, this could be accomplished via the chroot system call" or something
- "A Pod must have a layer 3 (commonly called the IP layer) network interface [...] with an IPv4/IPv6 address that is reachable from other pods."
are you really suggesting we need to be more agnostic than IP?! what would you propose?
- stderr/stdout logging
Yeah I am not happy with how this is mentioned currently, we should tweak
- "Network limits MUST NOT apply to localhost communication between apps in a pod." (ie. there is apparently limited support for shielding containers from one another within pods)
I am not sure what you're asking for here. Apps within a pod are by and large intended to be cooperative, I have no idea how this is a "security posture"...
globalcitizen
Purely IP, linux and LXC-oriented (pod definition explicitly references a subset of linux kernel namespaces), with additional environment and security posture assumptions: