Clean-up the use of RFC2119 keywords

[duglin]

Please check each change carefully. I tried to not change the semantics
meaning of anything, rather just wanted to make sure each use of an
RFC2119 keyword was actually used correctly - meaing it's "normative".
RFC2119 does not distinguish between lower-case and upper-case use of the
words, so "may" and "MAY" have the same meaning. However, in most cases
people use upper-case versions of the words so the 1) they stand-out, and
2) it's more obvious that the author used the RFC2119 keyword on purpose and
didn't just use it by mistake as part of the descriptive english text.

We should add an RFC2119 keyword checker to docs like this to catch
mis-uses of the keywords going forward (meaning using lower-case by mistake).

Signed-off-by: Doug Davis [email protected]

/lint

[markusthoemmes]

/assign @evankanderson @dgerd

[evankanderson]

Thanks for the cleanup and the careful eye!

A few suggested deltas, but this overall helps clarify what is in and out of scope for testing.

[evankanderson]

I don't think this is "recommended", I think this is "envisioned".

[duglin]

fixed

[evankanderson]

Here's a line which hasn't aged well. How about:

Suggested change

	and/or Istio as possible, rather than implementing reach-around layers.
	and/or HTTP routers as possible, rather than implementing reach-around layers.

[evankanderson]

You should probably make this edit yourself rather than relying on Github suggestion, since that will anger the mighty CLA-bot.

[duglin]

done

[evankanderson]

I think MAY might be correct here, but I think @dgerd has thought about this more recently than I.

[dgerd]

I would actually prefer removing this as it:

1. Seems duplicative with https://github.com/knative/serving/blob/master/docs/runtime-contract.md#operations
2. Provides little guidance/value to users or platform providers

[duglin]

Since I thought it was non-normative anyway, I'm ok with removing it - done!

[evankanderson]

Suggested change

	The OCI specification describes a default container environment which might be
	The OCI specification describes a default container environment which can be

I think "can" reads more clearly here.

[duglin]

done

[evankanderson]

I think this is RECOMMENDED if it's coming from OCI.

[dgerd]

+1

[duglin]

OCI might recommend them, but I'm not sure the use of the word here is normative since we're not actually adding a new constraint we're just saying "they tell us to do this". But let me think about it....

[dgerd]

IMO it would be great to add the OCI recommended filesystems inline with a link to where they come from. No one is going to click out to find what are the recommended filesystems.

[evankanderson]

Ha! The OCI spec is actually SHOULD:

https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#default-filesystems

[evankanderson]

If 474 is MAY, this should be MAY as well.

[dgerd]

+1 I would make both of these MAY

[duglin]

Are we really adding constraints here or just stating how things are? It didn't come across to me like we were being normative. For example, the phrase "person X might do something over time" comes across to me more like "guidance" or explaining what's going on in the system rather than saying "make sure person X is given the option of doing ....". If we really are saying "make sure the operation is given the option of doing this" then I think we need to word it more strongly so it's not so ad hoc-ish.

[evankanderson]

I think we want to explicitly word it so that these tools are available for operators.

Would "Operators MAY disable or force this setting to a particular value" be better?

[duglin]

see if the new text is ok

[evankanderson]

Ditto.

[duglin]

same concern as above - is this guidance/explanatory text or constraints?

[duglin]

added new text to align with the other 2 things like this. SWYT

[dgerd]

I would actually prefer removing this as it:

1. Seems duplicative with https://github.com/knative/serving/blob/master/docs/runtime-contract.md#operations
2. Provides little guidance/value to users or platform providers

[dgerd]

I would make this 'ought'.

Personally I would like to see us remove this in a future change. See discussion here: https://github.com/knative/serving/pull/4035/files#r283528430

[duglin]

yep - we have no say over this. Fixed.

[dgerd]

We don't do this today and I don't think we plan to do this. K8s exposes this on the Pod which is not part of the Knative API and is difficult to aggregate up to the Revision.

[duglin]

hmm, who is supposed to "report this error" ? Knative? the OCI runtime?

[dgerd]

I have read it in the past as Knative. A Knative user does not have interaction with the OCI runtime. A user is able to see what is visible through our API, monitoring/logging extension points, anything observable within the container, and anything observable about the lifecycle of the container.

If this is only visible in the OCI API then it is not visible to the end user and is thus could be omitted from the runtime without consequence to user experience.

[evankanderson]

See the discussion in #4035 -- it turns out that this information is collected at the Pod level, but is not aggregated beyond that level.

Having looked into it further, I'm concerned about the cascading update scenario that aggregating this to status information in the apiserver above the Pod level enables. Consider 1000 containers which crash in a coordinated manner -- that's a lot of extra updates (and possibly conflicts which need to be retried) that put load on the apiserver at exactly the wrong time.

[evankanderson]

I think the discussion in #4035 is leaning towards removing this text altogether -- there's no place in the API for these errors to be surfaced beyond the Pod level, and Pods are really ephemeral, so the termination message isn't so helpful.

[duglin]

I'm trying to limit the semantic changes made to this PR but I'll remove this text anyway since you guys are convinced it's wrong. I removed the entire bullet since if I remove the last sentence then there's no normative text left - so there's no point in keeping the rest of it.

[dgerd]

The MAY keyword doesn't seem appropriate here. If a container MAY be able to do this it implies that the platform MUST allow pipes and file descriptors for IPC. Using MUST and phrasing from the platform point-of-view seems like the more appropriate wording, but the statement seems like overkill.

I cannot think of a container runtime that doesn't allow this and I cannot think of a good reason for a future runtime to disable this.

@evankanderson Any thoughts on why this is here?

[duglin]

changing it to a "can" since we have no say over what happens within the container w.r.t. these pipes - IOW, I think this statement is out of scope of Knative.

[dgerd]

If we are going to change to "can" I would prefer removal of it. Keeping this document concise keeps it readable and usable. I don't think it clarifies much for platform providers or users as a "can" statement.

[evankanderson]

I think this was added at one point due to an internal discussion about required gvisor capabilities. In any case, it was a point-in-time thing, and I agree with removing it, unless we're going to spell out a complete set of linux syscalls which are in-scope.

[dgerd]

/etc/resolve.conf is listed as "SHOULD be set". It is somewhat confusing to have the MAY paragraph prefix this table.

I would opt to change the word 'may' in the leading paragraph and rely on the Description to specify the keywords.

[duglin]

I was a bit bothered too as I was tweaking this... I'll do that.

[dgerd]

Why not 'MAY'?

[duglin]

I may have read it wrong, but I didn't think the "may" here was our way of saying "you can do this if you want" but rather it was trying to explain that something this thing happens and we're not really making a statement as to whether it's ok or not. Was it intended to introduce a constraint or was it just explaining the state of the world?

[evankanderson]

I think we want to say that it is okay; sharing a kernel is sufficiently exciting from a security perspective that we should be clear that enabling defense mechanisms here is prudent (though not required -- something like Kata Containers or gvisor has different mechanisms for protection).

[duglin]

if we want MAY in there, then I think we need to remove the "As the..." part, because then it reads kind of weird as a normative statement. See what you think of the new text

[dgerd]

Suggested change

	This option SHOULD only be set by the operator or platform provider, and MUST
	This option MAY be set by the operator or platform provider, and MUST

The second part of the sentence clarifies the 'only' part so that is unnecessary. We don't provide any real guidance or requirement here so SHOULD seems to be too strong of a word choice.

[duglin]

ok done

[dgerd]

+1 I would make both of these MAY

[dgerd]

Suggested change

	This option SHOULD only be set by the operator or platform provider, and MUST NOT
	This option MAY be set by the operator or platform provider, and MUST NOT

[duglin]

done

[duglin]

@dgerd is the "MUST NOT" here overstepping too? Seems like it given we're removing the other keywords from this paragraph.

[dgerd]

The "MUST NOT" is important to allow us to reserve the 'name' field for future usage. It could be argued that this is more of an API constraint than a runtime constraint, but it is important and I am okay with duplicating it here for clarity.

For example, if HTTP/3.0 comes along and we want to allow people to specify "http3" we can only enable this we know that no existing Knative Configurations allow "http3"; otherwise this will be a breaking change.

I am okay rephrasing this if you think it is unclear as is.

[evankanderson]

I think the "MUST NOT" suggests that validation during admission control is allowed here, and containers with other port names may be rejected.

[duglin]

ok I'll leave it as-is.

[duglin]

@evankanderson @dgerd thanks for the review - couple of questions for ya...

[dgerd]

Took a pass through the comments. Need to take another pass through the diff.

[evankanderson]

I think we're shrinking the document with edits, which seems like a good sign.

Thanks!

[evankanderson]

I think the discussion in #4035 is leaning towards removing this text altogether -- there's no place in the API for these errors to be surfaced beyond the Pod level, and Pods are really ephemeral, so the termination message isn't so helpful.

[evankanderson]

I think the "MUST NOT" suggests that validation during admission control is allowed here, and containers with other port names may be rejected.

[evankanderson]

Why did we remove MUST here? I think #4035 moves these to a "advice to the developer" section, but the requirement here is intended to include:

1. Don't assume that the other end of the TCP connection is the client
2. Don't need to implement SSL in the container

[duglin]

I removed the MUST because we can't really control what the developers "assume". If we want to add something normative here then it needs to be a constraint on the Kn impl - so something like: Implementations MUST send all traffic through L7 proxies. Do you want that instead?

[dgerd]

I am fine with this change.

This runtime contract is still pretty long and I don't expect developers to read through it. The language is meant for operators and contributors.

I would eventually like to move these suggestions to a shorter user-focused document. I intend to break this file out into its own PR ( https://github.com/knative/serving/pull/4035/files#diff-2b3ccedac0c1b327ad7d674942f6cf56 ).

[evankanderson]

I think this sentence now reads backwards -- it suggests that initialDelaySeconds > 0 may improve scaling response, which is almost certainly not true.

[duglin]

oops, yeah I got that backwards.... let me fix that

[evankanderson]

I just noticed that this sentence doesn't make sense with "container filesystems". I think it was meant to say "durable storage" or "durable filesystems" (i.e. it would be fine to put all the container writes into tmpfs and throw them away when the container exits).

[duglin]

I'm reading this as trying to say that the developer might not be able to see the container's filesystem so they can't look at log files, etc... I think the issue might be that it should be "container's" not "container". WDYT?

[dgerd]

I think the container -> container's change is sufficient here, but it could be updated further for clarity.

My understanding here is that: (1) Developers don't necessarily have access to the underlying host so you can't go looking at the stopped container contents locally. (2) Unlike docker which relies on a user to rm a stopped container or run prune, containers in this environment are likely to be cleaned up quickly after exiting.

[duglin]

added the apostrophe

[evankanderson]

This rewrite removes the DNS rationale. What about:

"To enable DNS resolution, the following files might be overwritten at runtime:"

[duglin]

much better - done

[duglin]

next round of rfc edits are ready for review

[duglin]

@dgerd @evankanderson any other comments on this one?

[dgerd]

Some minor comments. Overall looks really good. Thanks for the iteration on this one.

[dgerd]

I am fine with this change.

This runtime contract is still pretty long and I don't expect developers to read through it. The language is meant for operators and contributors.

I would eventually like to move these suggestions to a shorter user-focused document. I intend to break this file out into its own PR ( https://github.com/knative/serving/pull/4035/files#diff-2b3ccedac0c1b327ad7d674942f6cf56 ).

[dgerd]

I like the removal of SHOULD NOT. Two nits:

(1) While line 275 explains that 0 is the default this line seems to encourage explicitly setting to 0.
(2) This explains what happens when it is set to 0, but does not explain what happens when it goes past zero or why a developer should prefer to keep it unset/0.

Here is what I suggest:

Setting `initialDelaySeconds` to a value greater than 0 impacts container startup time (aka cold start time) as a container will not serve traffic until the probe succeeds.

[evankanderson]

Agree with @dgerd but s/will not serve traffic until the probe succeeds/cannot receive traffic until the probe has started/, I think.

[duglin]

Done

[dgerd]

I think the container -> container's change is sufficient here, but it could be updated further for clarity.

My understanding here is that: (1) Developers don't necessarily have access to the underlying host so you can't go looking at the stopped container contents locally. (2) Unlike docker which relies on a user to rm a stopped container or run prune, containers in this environment are likely to be cleaned up quickly after exiting.

[dgerd]

Suggested change

	container specification. Seccomp policy MAY be part of the platform
	container specification. A Seccomp policy MAY be part of the platform

[duglin]

done

[dgerd]

Suggested change

	security configuration so that operators can tune this over time as the
	security configuration that operators can tune over time as the

[duglin]

done

[dgerd]

Suggested change

	platform security configuration so that operators can tune this over time
	platform security configuration that operators can tune over time

[duglin]

done

[dgerd]

Suggested change

	security configuration so operators can tune this from time to time as the
	security configuration that operators can tune over time as the

[duglin]

done

[evankanderson]

/approve

I'll leave @dgerd to give the final /lgtm.

[evankanderson]

Agree with @dgerd but s/will not serve traffic until the probe succeeds/cannot receive traffic until the probe has started/, I think.

[knative-prow-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: duglin, evankanderson

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [evankanderson]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[duglin]

@dgerd @evankanderson I think I got all of 'em - PTAL

[evankanderson]

/lgtm