Clean-up the use of RFC2119 keywords #4550
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -9,10 +9,10 @@ workloads. In contrast to general-purpose containers, stateless | |
| request-triggered (i.e. on-demand) autoscaled containers have the following | ||
| properties: | ||
|
|
||
| - Little or no long-term runtime state (especially in cases where code might be | ||
| scaled to zero in the absence of request traffic). | ||
| - Logging and monitoring aggregation (telemetry) is important for understanding | ||
| and debugging the system, as containers might be created or deleted at any time | ||
| in response to autoscaling. | ||
| - Multitenancy is highly desirable to allow cost sharing for bursty applications | ||
| on relatively stable underlying hardware resources. | ||
|
|
@@ -35,16 +35,16 @@ The | |
| ([v1.0.1](https://github.com/opencontainers/runtime-spec/blob/v1.0.1/spec.md)) | ||
| is the basis for this document. When this document and the OCI specification | ||
| conflict, this document is assumed to override the general OCI recommendations. | ||
| Where this document does not specify behavior, runtime implementations SHOULD | ||
| be OCI compliant with respect to those features. Additionally, the core Knative definition | ||
| assumes the | ||
| [Linux Container Configuration](https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md). | ||
|
|
||
| In particular, the default Knative implementation relies on Kubernetes behavior | ||
| to implement container operation. In some cases, current Kubernetes behavior in | ||
| 2018 is not as performant as envisioned in this documentation. The goal of the | ||
| Knative authors is to push as much of the needed functionality into Kubernetes | ||
| and/or HTTP routers as possible, rather than implementing reach-around layers. | ||
|
|
||
| This document considers two users of a given Knative environment, and is | ||
| particularly concerned with the expectations of _developers_ (and _language and | ||
|
|
@@ -62,7 +62,7 @@ tooling developers_, by extension) running code in the environment. | |
| ## Runtime and Lifecycle | ||
|
|
||
| Knative aims to minimize the amount of tuning and production configuration | ||
| needed to run a service. Some of these production-friendly features include: | ||
|
|
||
| 1. Stateless computation at request-scale or event-scale granularity. | ||
| 1. Automatic scaling between 0 and many instances (the process scale-out | ||
|
|
@@ -71,7 +71,7 @@ required to run a service. Some of these production-friendly features include: | |
| where possible. | ||
|
|
||
| In order to achieve these properties, containers which are operated as part of a | ||
| serverless platform are expected to observe the following properties: | ||
|
|
||
| - Fast startup time (<1s until a request or event can be processed, given | ||
| container image layer caching), | ||
|
|
@@ -82,9 +82,7 @@ serverless platform SHOULD observe the following properties: | |
|
|
||
|
duglin marked this conversation as resolved.
|
||
| ### State | ||
|
|
||
| In a highly-shared environment, containers might experience the following: | ||
|
|
||
| - Containers with `status` of `stopped` MAY be immediately reclaimed by the | ||
| system. | ||
|
|
@@ -103,12 +101,12 @@ In a highly-shared environment, containers may experience the following: | |
| - The environment MAY restrict the use of `prestart`, `poststart`, and | ||
| `poststop` hooks to platform operators rather than developers. All of these | ||
| hooks are defined in the context of the runtime namespace, rather than the | ||
| container namespace, and might expose system-level information (and are | ||
| non-portable). | ||
| - Failures of the developer-specified process MUST be logged to a | ||
| developer-visible logging system. | ||
|
|
||
| In addition, some serverless environments MAY use an execution model other than | ||
| docker in linux (for example, [runv](https://github.com/hyperhq/runv) or | ||
| [Kata Containers](https://katacontainers.io/)). Implementations using an | ||
| execution model beyond docker in linux MAY alter the lifecycle contract beyond | ||
|
|
@@ -126,11 +124,6 @@ the OCI specification as long as: | |
| contents from a particular execution. Because containers (particularly failing | ||
| containers) can experience frequent starts, operators or platform providers | ||
| SHOULD limit the total space consumed by these failures. | ||
|
|
||
| ### Warnings | ||
|
|
||
|
|
@@ -165,7 +158,7 @@ always result in `EOF`. The `stdout` and `stderr` file descriptors on the | |
| container SHOULD be collected and retained in a developer-accessible logging | ||
| repository. (TODO:[docs#902](https://github.com/knative/docs/issues/902)). | ||
|
|
||
| Within the container, pipes and file descriptors can be used to communicate | ||
| between processes running in the same container. | ||
|
|
||
| #### Dev symbolic links | ||
|
|
@@ -204,7 +197,7 @@ available in the `PORT` environment variable. | |
|
|
||
| The platform provider SHOULD configure the platform to perform HTTPS termination | ||
| and protocol transformation e.g. between QUIC or HTTP/2 and HTTP/1.1. Developers | ||
| ought not need to implement multiple transports between the platform and their | ||
| code. Unless overridden by setting the | ||
| [`name`](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#containerport-v1-core) | ||
| field on the inbound port, the platform will perform automatic detection as | ||
|
|
@@ -217,10 +210,10 @@ following protocol will be used: | |
| - `h2c`: HTTP/2 transport, as described in | ||
| [section 3.4 of the HTTP2 spec (Starting HTTP/2 with Prior Knowledge)](https://http2.github.io/http2-spec/#known-http) | ||
|
|
||
| Developers ought to use automatic content negotiation where available, | ||
| and MUST NOT set the `name` field to arbitrary values, as additional transports | ||
|
Author
There was a problem hiding this comment. @dgerd is the "MUST NOT" here overstepping too? Seems like it given we're removing the other keywords from this paragraph. There was a problem hiding this comment. The "MUST NOT" is important to allow us to reserve the 'name' field for future usage. It could be argued that this is more of an API constraint than a runtime constraint, but it is important and I am okay with duplicating it here for clarity. For example, if HTTP/3.0 comes along and we want to allow people to specify "http3" we can only enable this we know that no existing Knative Configurations allow "http3"; otherwise this will be a breaking change. I am okay rephrasing this if you think it is unclear as is.
Member
There was a problem hiding this comment. I think the "MUST NOT" suggests that validation during admission control is allowed here, and containers with other port names may be rejected. |
||
| might be defined in the future. Developers can assume all traffic is | ||
|
Member
There was a problem hiding this comment. Why did we remove MUST here? I think #4035 moves these to a "advice to the developer" section, but the requirement here is intended to include:
Author
There was a problem hiding this comment. I removed the MUST because we can't really control what the developers "assume". If we want to add something normative here then it needs to be a constraint on the Kn impl - so something like: There was a problem hiding this comment. I am fine with this change. This runtime contract is still pretty long and I don't expect developers to read through it. The language is meant for operators and contributors. I would eventually like to move these suggestions to a shorter user-focused document. I intend to break this file out into its own PR ( https://github.com/knative/serving/pull/4035/files#diff-2b3ccedac0c1b327ad7d674942f6cf56 ). |
||
| intermediated by an L7 proxy. Developers can not assume a direct network | ||
| connection between their server process and client processes. | ||
|
|
||
| #### Headers | ||
|
|
@@ -282,7 +275,7 @@ target the inbound container port; platform providers SHOULD disallow other | |
| probe methods. | ||
|
|
||
| Because serverless platforms automatically scale instances based on inbound | ||
| requests, and because noncompliant (or even failing) containers might be provided | ||
| by developers, the following defaults SHOULD be applied by the platform provider | ||
| if not set by the developer. The probes are intended to be trivially supportable | ||
| by naive conforming containers while preventing interference with developer | ||
|
|
@@ -292,9 +285,9 @@ code. These settings apply to both `livenessProbe` and `readinessProbe`: | |
| - `initialDelaySeconds` set to 0 | ||
| - `periodSeconds` set to platform-specific value | ||
|
|
||
| Setting `initialDelaySeconds` to a value greater than 0 impacts container | ||
| startup time (aka cold start time) as a container will not serve traffic until | ||
| the probe succeeds. | ||
|
|
||
| ##### Deployment probe | ||
|
|
||
|
|
@@ -321,7 +314,7 @@ be run at least once despite scale-to-zero guarantees. | |
|
|
||
| OCI does not specify any properties of the network environment in which a | ||
| container runs. The following items are OPTIONAL additions to the runtime | ||
| contract which describe services which might be of particular value to platform | ||
| providers. | ||
|
|
||
| #### DNS | ||
|
|
@@ -355,9 +348,9 @@ serverless workloads. Containers MUST use the provided temporary storage areas | |
|
|
||
| ### Mounts | ||
|
|
||
| In general, stateless applications package their dependencies within the | ||
| container and do not rely on mutable external state for templates, logging | ||
| configuration, etc. In some cases, it might be necessary for certain application | ||
| settings to be overridden at deploy time (for example, database backends or | ||
| authentication credentials). When these settings need to be loaded via a file, | ||
| read-only mounts of application configuration and secrets are supported by | ||
|
|
@@ -406,7 +399,7 @@ such variables will follow demonstrated usage and utility. | |
|
|
||
| ### User | ||
|
|
||
| Developers MAY specify that containers be run as a specific user or group | ||
| ID using the `runAsUser` container property. If specified, the runtime | ||
| [MUST](https://github.com/knative/serving/blob/master/test/conformance/runtime/user_test.go) | ||
| run the container as the specified user ID if allowed by the platform (see | ||
|
|
@@ -421,12 +414,12 @@ be failed. | |
|
|
||
| ### Default Filesystems | ||
|
|
||
| The OCI specification describes a default container environment which can be | ||
| used for many different purposes, including containerization of existing legacy | ||
| or stateful processes which might store substantial amounts of on-disk state. In a | ||
| scaled-out, stateless environment, container startup and teardown is accelerated | ||
| when on-disk resources are kept to a minimum. Additionally, developers might not | ||
| have access to the container's filesystems (or the containers might be rapidly | ||
| recycled), so log aggregation SHOULD be provided. | ||
|
|
||
| In addition to the filesystems recommended in the OCI, the following filesystems | ||
|
|
@@ -438,13 +431,12 @@ be provided: | |
| | `/tmp` | MUST be Read-write.<p>SHOULD be backed by tmpfs if disk load is a concern. | | ||
| | `/var/log` | MUST be a directory with write permissions for logs storage. Implementations MAY permit the creation of additional subdirectories and log rotation and renaming. | | ||
|
|
||
| To enable DNS resolution, the following files might be overwritten at runtime: | ||
|
|
||
| | File | Description | | ||
| | ------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| | `/etc/hosts` | MAY be overridden to provide host mappings for well-known or provider-specific resources. | | ||
| | `/etc/hostname` | some environments MAY set this to a different value for each container, but other environments might use the same value for all containers. | | ||
| | `/etc/resolv.conf` | SHOULD be set to a valid cluster-specific recursive resolver. Providers MAY provide additional default search domains to improve customer experience in the cluster. | | ||
|
|
||
| Platform providers MAY provide additional platform-specific mount points | ||
|
|
@@ -503,9 +495,9 @@ Seccomp provides a mechanism for further restricting the set of linux syscalls | |
| permitted to the processes running inside the container environment. A seccomp | ||
| sandbox MAY be enforced by the platform operator; any such application profiles | ||
| SHOULD be configured and applied in a consistent mechanism outside of the | ||
| container specification. A seccomp policy MAY be part of the platform | ||
| security configuration that operators can tune over time as the | ||
| threat environment changes. | ||
|
|
||
| ### Rootfs Mount Propagation | ||
|
|
||
|
|
@@ -517,17 +509,17 @@ From the OCI spec: | |
| > article in the kernel documentation has more information about mount | ||
| > propagation. | ||
|
|
||
| This option MAY be set by the operator or platform provider, and MUST | ||
| NOT be configurable by the developer. Mount propagation MAY be part of the | ||
| platform security configuration that operators can tune over time | ||
| as the threat environment changes. | ||
|
|
||
| ### Masked Paths | ||
|
|
||
| This option MAY be set by the operator or platform provider, and MUST NOT | ||
| be configurable by the developer. Masked paths MAY be part of the platform | ||
| security configuration that operators can tune over time as the | ||
| threat environment changes. | ||
|
|
||
| ### Readonly Paths | ||
|
|
||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.