address Albin Kerouanton comments
- Remove reference to rootless containers, the feature flag will be used
  by the corresponding runtime to indicate if the feature is supported.
- Clarify the runtime MUST set the interface UP when moving it to the
  container network namespace
- Clarify the runtime MUST revert back the original name if the
  interface is renamed to guarantee idempotence
- Clarify the runtime MAY choose to revert the other original attributes
  like addresses, mtu and hardware address.

Signed-off-by: Antonio Ojea <[email protected]>
aojea committed Nov 24, 2024
1 parent d955d38 commit 989ba3d
Showing 1 changed file with 6 additions and 1 deletion.
7 changes: 6 additions & 1 deletion config-linux.md
Expand Up @@ -199,20 +199,25 @@ This schema focuses solely on moving existing network devices identified by name

**`netDevices`** (object, OPTIONAL) set of network devices that MUST be available in the container. The runtime is responsible for providing these devices; the underlying mechanism is implementation-defined.

Only privileged containers with a dedicated network namespace can have network devices directly assigned to them. This is required because moving network devices requires CAP_NET_ADMIN capabilities, not present on rootless containers, and to ensure security and avoid conflicts manipulate interfaces in the runtime network namespace.
The runtime MUST check that is possible to move the network interface to the container namespace and MUST [generate an error](runtime.md#errors) if the check fails.

The runtime MUST set the network device state to "up" after moving it to the network namespace to allow the container to send and receive network traffic through that device.

Notice that after deleting a network namespace, all its migratable network devices are moved to the default network namespace, unmoveable devices (NETIF_F_NETNS_LOCAL) and virtual devices (veth, macvlan, ...) are destroyed.
The runtime MAY decide to move back or destroy the network device before the network namespace is deleted. If the network device is moved back, the runtime MUST set its state to "down" before moving it back to ensure that the interface is no longer active and won't interfere with other network operations or cause IP address conflicts.

The name of the network device is the entry key.
Entry values are objects with the following properties:

* **`name`** *(string, OPTIONAL)* - the name of the network device inside the container namespace. If not specified, the host name is used. The network device name is unique per network namespace, if an existing network with the same name exist that rename operation will fail. The runtime MAY check that the name is unique before the rename operation.
The runtime MUST revert back the original name to guarantee the idempotence of operations, so a container that moves an interfaces and renames it can be created and destroyed multiple times with the same result.
* **`addresses`** *(array of strings, OPTIONAL)* - the IP addresses, IPv4 and or IPv6, of the device within the container in CIDR format (IP address / Prefix). All IPv4 addresses SHOULD be expressed in their decimal format, consisting of four decimal numbers separated by periods. Each number ranges from 0 to 255 and represents an octet of the address. IPv6 addresses SHOULD be represented in their canonical form as defined in RFC 5952.
The runtime MAY limit the number of addresses allowed.
The runtime MAY decide to revert back the original addreses.
* **`hardwareAddress`** *(string, OPTIONAL)* - represents the hardware address (e.g. MAC Address) of the device's network interface.
The runtime MAY decide to revert back the original hardware address.
* **`mtu`** *(uint32, OPTIONAL)* - the MTU (Maximum Transmission Unit) size for the device.
The runtime MAY decide to revert back the original MTU value.

### Example

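Review bot: the name-revert requirement ("The runtime MUST revert back the original name to guarantee the idempotence of operations") is stated unconditionally, but the earlier sentence says the runtime only "MAY decide to move back or destroy the network device before the network namespace is deleted". If the runtime neither moves the device back nor destroys it, the kernel migrates it to the default namespace on namespace teardown with whatever name it currently has, so idempotence is not guaranteed by this text alone. Suggest tying the two together, e.g. "If the network device is moved back, the runtime MUST restore its original name (and set its state to 'down') before moving it", and saying explicitly what is expected when the device is left for the kernel to migrate. Same hunk, smaller points: the sentence "Only privileged containers ... and to ensure security and avoid conflicts manipulate interfaces in the runtime network namespace" is ungrammatical (read "to avoid conflicts with interfaces in the runtime's network namespace") and still mentions "not present on rootless containers" even though the commit message says the rootless reference was removed; "MUST check that is possible" should be "that it is possible"; "if an existing network with the same name exist that rename operation will fail" should be "if an interface with the same name already exists, the rename operation will fail"; "moves an interfaces" and "addreses" are typos.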

0 comments on commit 989ba3d