Clarify how OCI configuration ("config.json") will be handled

[jamesodhunt]

Now that we know Docker 1.11 will integrate with containerd (#20361), I'd like to understand how the OCI configuration (config.json) will be handled in docker 1.11.

Specifically,

• Who will "own" config.json?
• What will generate config.json?
• When will config.json be generated?

Assuming docker as the answer to the first 2 questions above, how will docker allow runtime-specific metadata be specified so that it ends up in "config.json"?

There are a few categories of runtime-specific (or even container-specific) metadata that might need to be passed to the OCI runtime:

• Hook configuration:

  • Prestart
  • Poststart
  • Poststop

• Annotations.

• VM-specific metadata

  For VM-based OCI runtimes (such as Clear Containers and runV, there is a need to specify extra meta-data such as:

  • rootfs path
  • kernel path
  • kernel options
  • initrd path
  • hypervisor options

  This is currently being discussed on the opencontainers mailing list. It's possible that the above could be handled entirely by Annotations but having a more structured approach that is formally part of the specification is desirable.

OCI Annotations sound remarkably like docker labels, however labels are not visible to the container.

In the OCI world, will that change (slightly) such that docker will add the labels into config.json as annotations which the runtime can choose to consume? That would seem like a convenient solution to the above requirements, however there may be security concerns (?) around passing all labels to the runtime via config.json.

I'm wondering therefore if docker would make a "privileged label namespace" such that any labels in that namespace are guaranteed to be exported to config.json (say "org.opencontainers.*"?) whilst all others would not.

[cpuguy83]

Passing configuration down-level via labels is (quite intentionally) not something we do.
I'm not sure how we'd handle extra info, but afaict we shouldn't have to. Having to pass extra information down to make it work on 1 platform or another seems to defeat the purpose of the standard.

[jamesodhunt]

I appreciate labels aren't exported now, but with OCI, the container is further removed from the the docker daemon compared to containers managed by docker today. As such, some decisions will not be able to be made purely at the docker daemon level and must instead by made by the runtime.

Note that the standard explicitly supports platforms-specific configuration: https://github.com/opencontainers/specs/blob/master/config.md#platform-specific-configuration.

The OCI spec already allows a "bundle" to specify, say, "platform.os=windows" or "platform.arch=arm64" such that if the runtime is unable to satisfy those requirements, the runtime must fail the container start. Note that even if docker were creating "config.json" itself, it could not know in advance of the container start what the precise capabilities of the runtime are (maybe the runtime can emulate different architectures to the host for example).

If the VM-runtime-specific metadata gets added to the OCI spec, we need a way to get that VM-runtime-specific information into the configuration file. If docker manages the config, that information is going to have to be either passed directly to docker, or some convention created to allow docker to "find" it such that docker can include that metadata in config.json when docker generates that file.

Note that some of the VM-runtime-specific metadata may effectively be "static" and hence a JSON snippet could conceivably be read by the docker daemon and added to the resulting config.json. But some runtimes may have a more dynamic requirement.

Maybe it would be better to specify this extra metadata to containerd - since it can now be told to use an alternate runtime, why not also tell containerd what metadata is required in the final config.json? But that implies containerd would manage config.json such that docker could request containerd generate config.json on demand.

[cpuguy83]

@jamesodhunt configuration != metadata.
If a runtime needs specific information, this is not metadata it's configuration.

[thaJeztah]

Looks like there's some answers here, and 1.11 has been released; I'll close this issue, but if you have more questions, let me know