From @jonboulle on December 3, 2014 3:2

Copied from original issue: rkt/rkt#185

From @jonboulle on November 27, 2014 9:9

Copied from original issue: rkt/rkt#76

From @jonboulle on December 9, 2014 10:22

Noticed in #248. GNU tar and probably most other implementations do this, we should likely too:

However, if a file was stored with a directory name as part of its file name, and that directory does not exist under the working directory when the file is extracted, tar will create the directory.

Copied from original issue: rkt/rkt#250

What's the pourpose of multiple discovery meta tags?

1. Support different aci names formats:

Example (see also #61):

I'm imagining that in my repository I can have also some "noarch" packages.
For getting this, using meta discovery, I should provide two meta tags like these:

<meta name="ac-discovery" content="example.com https://storage.example.com/{name}-{version}-{os}-{arch}.{ext}">
<meta name="ac-discovery" content="example.com https://storage.example.com/{name}-{version}.{ext}">

Trying to discover an aci without providing os and arch, there can be two options:

• If the ACE, on discovery, automatically sets os and arch to default values (like rocket does), the first template should fail download as there isn't an ACI with that name and the second will work.
• If the ACE, on discovery, doesn't set default values for os and arch, the first template will fail to render and the second will succeed and will be downloaded.

Both gives the expected result to get "noarch" acis.

A possible downside is that the user can get various warning as some downloads will "correctly" fail.

1. Multiple mirrors.

<meta name="ac-discovery" content="example.com https://storage.example.com/{name}-{version}-{os}-{arch}.{ext}">
<meta name="ac-discovery" content="example.com https://mirror.storage.example.com/{name}-{version}-{os}-{arch}.{ext}">

For this to fully work there should be a mirror choosing logic done from the ACE during fetching.

1. Both 1 and 2.

<meta name="ac-discovery" content="example.com https://storage.example.com/{name}-{version}-{os}-{arch}.{ext}">
<meta name="ac-discovery" content="example.com https://mirror.storage.example.com/{name}-{version}-{os}-{arch}.{ext}">
<meta name="ac-discovery" content="example.com https://storage.example.com/{name}-{version}.{ext}">
<meta name="ac-discovery" content="example.com https://mirror.storage.example.com/{name}-{version}.{ext}">

I think that all these use cases should work with the above downsides:

• various warning as some downloads will "correctly" fail.

Do you see other problems or better solutions for the various points?

If so, do you think that the spec should be enhanced with some examples to clarify the various use cases.

From @philips on December 8, 2014 17:6

We implemented a serialization format for the app and labels in the discovery package but never documented it. It isn't really necessary in the appc spec itself but is a reasonable suggestion:

https://github.com/coreos/rocket/blob/master/app-container/discovery/parse.go#L37

Copied from original issue: rkt/rkt#239

From @sgotti on December 8, 2014 16:33

Hi,

I'd like to help on #140 and #142 as they are the base for other features that I'd like to share (and also for #223) but first I have some doubts about the "files" entry in the fileset manifest.

The "files" entry is a list of all the files provided by this fileset.

Looking it from another point of view, taking an incremental approach (like, if I understand it correctly, docker does and also like gnu tar incremental archives) won't fit correctly as a fileset can have multiple dependencies applied on different paths (dependencies.root entry). So the solution is to record in the fileset the files provided.

A typical example should be a fileset containing a base distro image. Than on top of it you create another fileset with some new packages installed and other packages removed. This fileset will have all the changed and new files and a fileset manifest where "files" is the list of all the provided files.

So just considering this simpe example (a fileset having 1 dependency with "rootfs": "/")

• If "files" isn't empty than all the files (and maybe strange, also the one provided by this fileset) not listed should be removed from the final layout.
• if "files" is empty (as the specs defines it as optional) that nothing is removed.

Some questions:

1. What to do if all the files inside a directory from a parent fileset are removed leaving an empty directory? The implementation should also remove the directory or leave an empty directory?
2. If the empty directory should be removed how to keep empty dirs? (sometime it's needed to leave empty directories)

I was thinking about a possibile solutions:

*) specify inside "files" also the needed directories (if a name is ending with a slash than it's a directory). To be clear, it doesn't mean the all the files starting from the directory should be whitelisted but just that that the directory shouldn't be removed.

Any other ideas or am I missing something?

Copied from original issue: rkt/rkt#236

From @grossws on December 2, 2014 11:58

Currently (as of spec) runtime manifest supports only overriding isolators config.

I think, some reasonable (and configurable) isolation defaults support should be present both in container runtime manifest and in system-wide config.

Copied from original issue: rkt/rkt#160

Hello, would it be possible to add to specification usecase of passgin host device into container? I am buildling appliance where a custom device for high computation card is created via kernel module. I would like to pass this device to container.

something like

docker run --device /dev/dev.XX container-app

From @philips on December 1, 2014 23:52

It would be interesting to make the app-container spec inter-op with docker registries. The pkg should have an entry point where the user can start with a docker registry URL and tag (e.g. quay.io/coreos/etcd:v0.4.6) then:

• Talk to the registry API and fetch the layers
• Download the layers and convert them to images (How do we label these images? name={url},layer={layerid})
• For the root image use the version as the final tag

Copied from original issue: rkt/rkt#142

The spec in the "Dependency matching" chapter says that every dependency should be discovered using the ACI discovery process and then, just the downloaded image should be verified with the requested labels or matching ImageID.

But, in #16 this process is split in two phases: ACI fetching and ACI rendering.
I think that the splitting between the fetching phase and the rendering phase is good. Someone can, for example, not fetch the image from a repository but just import an aci manually in the store. Or there can be an offline/caching mode.

So the ACI rendering will be executed independently from the ACI fetching.
In the ACI rendering phase the ACI will be requested to the store providing an imageID or an app name and some labels. In the latter case the store can find more than one ACI that matches the requested App name and labels.

Which one should be returned?

I have some possible cases in mind:

Case 1

If I'm requesting to the store an App name without any label, all the ACIs with that App Name will match your request.

Which one should be returned?
Should it be implementation dependent or should it be defined in the spec?

The current implementation i tried to do in rkt/rkt#297 uses the latest aci imported in the store.

Case 2

Another example can be the "latest" pattern: If I'm requesting to the store an App without any version label, how can I satisfy the "latest" pattern?

• Fetch phase: In this phase, as I'm not passing a specific version label, the aci discovery will download something like https://example.com/appname-latest-linux-amd64.aci. On the http server it can be a link to an aci called appname-2.0.1-linux-amd64.aci and in its manifest the version label will be "2.0.1".
• Rendering phase: I'm requesting from the store an ACI named appname and without any version label. The store can have other ACIs previously downloaded or imported for this app name with different version (for example "1.0.0" "strangereleasename" etc...).
  As the version label is just a string without any SemVer or lexical ordering rule there isn't an ordering in these labels.

As in [Case 1](#Case 1) the implementation i tried to do in rkt/rkt#297 chooses the latest imported ACI but prefers ACIs imported with the "latest" flag (its saved in an appinfo additional index):

On fetching, if downloaded with the "latest" pattern, the ACI is saved in the store with the "latest" flag. When requesting an aci without specifying a version label the ones with the latest flag are preferred over the others (or perhaps only the one with the latest flag should be choosed?).

• Are my thoughts correct?
• If so, there should be possible ACI choosing logics other then the one I tried to implement? Should this logics be clarified in the SPEC?
• If so, should the spec be clarified (also with some examples)?

The discovery spec says:

If the first attempt at fetching the discovery URL returns a status code other than 200 OK or does not contain any ac-discovery meta tags then the next higher path in the name should be tried.

I think the spec should specifically state what it does if it receives a 3xx response.

I'd vote for following redirects as while good URLs should work forever, we all know that's not how the real world works.

From @philips on December 1, 2014 23:45

AC images can have dependent images however we don't have a library for finding, fetching and assembling these dependent images.

• Add a library to fetch dependent sets
• Add a library that given all of the images are in the store renders the correct filesystem to disk

Copied from original issue: rkt/rkt#140

The spec should describe how executors are able to update isolators dynamically during the lifetime of a container.

The aci package should provide a way to get metadata from a given ACI image.

From @mikeal on December 1, 2014 23:40

I hate to be "that guy" but I would like to know what the plan is here in terms of ownership, governance, and the trademark, although I'm skeptical you could actually trademark "rocket" :P

The post announcing this project cited some divergences in philosophy from Docker (the project and the company). It would be good to know if this project intends to be a pure community effort or if this is just CoreOS disagreeing with Docker.

It would be great to see a contribution policy that laid out how people get involved in the project and contribute to decision making and how contentious issues like the ones that have coalesced in Docker that lead to this project would be resolved. If not it would seem like people are just trading Docker (the company) for CoreOS (the company).

Copied from original issue: rkt/rkt#139

While the spec specifies how acis are being extracted on one another (as long as ̀pathWhitelist allows it), it does not gives informations about the manifest.

As first proposal what about these "merge strategy" options :

• none : keep original manifest unmodified,
• array : assembles a value from every matching level of the hierarchy,
• hash : recursively merge hash keys.

The behaviour description must be shipped inside the image but (and that's the part I don't like!!) the option it self should never be overwritten.

(I think we loose here the simplicity we want for the spec, but the problem do exists so I'm just hoping this proposal will help as a starting point for a better answer)

CRMs have a uuid but it is underspecified; we should explicate the purpose and how it might be generated.

Also, in the metadata server it's referred to as uid, so this should be changed to uuid for consistency.

When doing the Simple Discovery one is supposed to take the template https://{name}-{version}-{os}-{arch}.aci and fill in the variables. In the image manifest only the name is defined. The others are optional.

From @sarnowski on December 8, 2014 15:23

Hi,

is there a list of standard naming for the "os" and "arch" definitions?

os:

• linux
• windows(?)
• macosx (?)
• ... (?)

arch:

• amd64
• i386 (?)
• armel (?)
• ...

One cannot and should not cover all cases but I think to avoid some chaos, it makes sense to suggest some defaults.

Copied from original issue: rkt/rkt#234

Is there an actual reason why the application is required to start in the container's root directory, or is it just scope reduction for first version of the spec?

There is no standard utility that I know of, which would do chdir() and then exec() the provided command; if the command to run needs a specific working directory, it would need to be wrapped in a shell script, or its exec would be something like ["/bin/sh", "-c", "cd /work/dir && exec \"${@}\"", "arvg0", ACTUAL_COMMAND…], which does work, but is kind of ugly, as the app executor could take care of that.

(This is partly leading on from the discussion in rkt/rkt#294)

A Container Runtime Manifest declares one or more apps to be executed. At the time of writing the format of declaration looks like this:

• apps the list of apps that will execute inside of this container
  • app the name of the app (string, restricted to AC Name formatting)
  • imageID the content hash of the image that this app will execute inside of (string, must be of the format "type-value", where "type" is "sha512" and value is the hex encoded string of the hash)
  • isolators the list of isolators that should be applied to this app (key is restricted to the AC Name formatting and the value can be a freeform string)
  • annotations arbitrary metadata appended to the app (key is restricted to the AC Name formatting and the value can be a freeform string)

There are several issues with this schema:

• Each "app" technically refers to an app image (ACI), which may or may not actually contain an app declaration (since "app" is an optional section of the Image Manifest). The spec is unclear as to what will occur if the referenced image does not contain an app declaration. (Relatedly, "app" should likely more accurately be called "name")
• "app" references are not unique. There is a fairly simple use case of wanting to use a particular app-image multiple times within a container, but it is unclear how this behaviour should be represented in the spec, or at least how implementations should go about handling it (currently in Rocket we actually mandate that apps within a CRM must be unique)
• For each app, there is only a partial ability to override some of the parameters defined in the Image Manifest. For example, currently isolators (from the app section of the Image Manifest) and annotations can be overridden/extended; but there is no such ability to override the exec, eventHandlers or environment

This is closely related to, but not the same as, #83

One possible solution is to extend the schema of app references in the CRM to match that of the Image Manifest. In this way, all of the parameters in the Image Manifest could be explicitly overridden at a later stage. However, this does potentially mean a lot of duplication between the information contained in the IM and the CRM.

Hello, would it be possible to specify some IPC mechanisims for containers? Something like --ipc switch to docker does. Basically I need more than one container to have access to a shared memory.

There is a possible conflation between the CRM and the ACE runtime environment, which might need to be teased apart. In the lifecycle of an app image, between the points of "image manifest creation" (when it is bundled into an ACI) and "application execution" (when the ACE actually executes app(s) in a container), there are conceptually two points at which parameters from the image manifest can potentially be overridden/extended:
1. when the CRM is generated
2. at runtime by the ACE

Currently, in rocket, we generate a CRM at runtime and use that as the final artefact to be executed (let's call that the executed unit). That is, rocket essentially conflates 1) and 2), by encoding all of its "ACE overriding" into the generated CRM.

There is a lot of value in this model because it means the CRM is essentially immutable, and so for a given executor, two invocations of the same CRM should be effectively identical. (It also makes it convenient because the executor can make various assumptions about the environment - for example where images are located, whether they are unique, etc - when generating the CRM.

However, critically, it makes it impossible to use CRMs as a portable config (let's call that a deployable unit), because it inherently contains executor-specific information.

Here are two potential solutions:

• Have the CRM be the deployable unit, and allow ACEs to override parameters at runtime. This has the disadvantage that there is now a discrepancy between what the CRM defines and what is actually being executed.
• Have the CRM be the deployable unit and introduce another CRM as the executable unit (which may or may not be identical to the deployable unit); the ACE consumes a CRM and then must generate a new CRM (overriding/extending whatever parameters it desires) to execute. This retains the advantage of the CRM-that-is-executed being immutable, but introduces the potentially confusing discrepancy between the CRM supplied to the ACE (deployable unit) and the CRM that is actually run (executable unit).

1. If multiple event handlers of the same name are defined, should they be executed in parallel, or one after another?
2. Are event handlers executed as root, or as parent application's user/group? A good use case for handlers would be privileged initialization (e.g. creating and chown-ing workspace for process, which requires root) to let the main process run as a non-privileged user.
3. Do event handlers run with parent app's environment, or with a clean one?

It may be useful to have event handlers more parameterized: it should be possible to specify at least user, group, and environment for the handler. If you are not opposed to that idea, I will prepare a pull request.

From @philips on December 3, 2014 2:48

Right now volumes in the container can fulfill particular labels. This is a bit troublesome because there might be colliding names for the same volume.

https://github.com/coreos/rocket/blob/master/app-container/SPEC.md#container-runtime-manifest-schema

Instead of doing this give each volume a name and each app will get volumes filled in by name to its mountpoints.

    "apps": [
        {
            "app": "example.com/reduce-worker-1.0.0",
            "imageID": "sha256-277205b3ae3eb3a8e042a62ae46934b470e431ac",
            "mountPoints": [{"src": "work", "dest": "data"}]
        },
        {
            "app": "example.com/worker-backup-1.0.0",
            "imageID": "sha256-3e86b59982e49066c5d813af1c2e2579cbf573de",
             "mountPoints": [{"src": "buildoutput", "dest": "backup"}]
        },
    ],
    "volumes": [
        {"name": "work", "kind": "host", "source": "/opt/tenant1/work", "readOnly": true},
        {"name": "buildoutput", "kind": "empty"}
    ],

Copied from original issue: rkt/rkt#182

From @philips on December 2, 2014 0:0

Currently ACI's can be compressed with xz or bzip2 but actool build can only do gzip compression because Go libraries don't exist for xz or bzip2.

This feature would require implementing these specs in pure-go. Shelling out or linking to a C library won't fix this bug.

Copied from original issue: rkt/rkt#143

The items in the ContainerRuntimeManifest apps list refer to images. The app key in the ImageManifest is optional. What should be the behavior when the image has no app defined?

From @brosner on December 3, 2014 21:27

I am attempting to build an ACI from a rootfs built by debootstrap. This is failing:

$ debootstrap --verbose --variant=minbase --include=iproute,iputils-ping,gpgv --arch=amd64 lucid rootfs http://mirror.rackspace.com/ubuntu
...
I: Base system installed successfully.

$ actool build --app-manifest manifest.json rootfs ubuntu.aci
build: Error walking rootfs: open rootfs/dev/agpgart: no such device

I believe I tracked this issue down to the handling of files here: https://github.com/coreos/rocket/blob/master/app-container/actool/build.go#L60-L73

Copied from original issue: rkt/rkt#198

It would be convenient to be able to create a single image and then use it in different environments (production, staging, qa, ...). This is currently not possible because there is no way to parametrize the executables which are running inside a container. The executable, its arguments, and environment variables are defined in the ImageManifest and the CRM can not override those.

I propose adding a new field to CRM apps.app with the name environment and value same as ImageManifest app.environment. The executor would then merge the CRM app environment into the IM app environment (allowing the former to override the environment of the later).

From @davidstrauss on December 3, 2014 4:32

A modern 64-bit processor can compute a SHA-512 hash in about 50-75% of the time it takes to create a SHA-256 hash. (This is because SHA-512 primarily uses 64-bit data types.) Considering that container images can become rather large, this is substantial.

If the concern is over the length of the hash output, SHA-512/256 is a nice standard; it's based on computing a SHA-512 and only using half of the resulting hash.

Copied from original issue: rkt/rkt#187

dupe

I know we must think simplicity, but while thinking of real life use cases, I though we'll end up to be able to specify the from and to between dependencies ?

Image Manifest sample (example)

...
        "dependencies": [
        {
            "app": "example.com/reduce-worker-base",
            "imageID": "sha512-...",
            "srcPath": "rootfs/opt/mylib/",
            "dstPath" : "rootfs/opt/myapp/vendors/reduce-worker-base",
            "labels": [
                {
                    "name": "os",
                    "value": "linux"
                },
                {
                    "name": "env",
                    "value": "canary"
                }
            ]
        }
    ],
...

What do you think ?

Already asked at rocket, but moved over to the appc project.

It would be great to have versioned container as seen in docker where we have a versioned filesystem like described here:

http://0pointer.net/blog/revisiting-how-we-put-together-linux-systems.html

specially the use of sub volumes and the way how to send and receive the changes could be interesting.

I'm a bit in hurry but promised to at least open the issue. Some ideas will follow.

Log metadata about the container log. Retrievable at http://$AC_METADATA_URL/acMetadata/v1/log

App log metadata about the process log run in the container. Retrievable at http://$AC_METADATA_URL/acMetadata/v1/apps/${ac_app_name}/log

From @philips on December 9, 2014 18:42

test

Copied from original issue: rkt/rkt#254

From @philips on December 8, 2014 21:3

@blalor said "I feel like there should be a DNS component to this, as well. Perhaps a TXT record?" in #210.

Lets discuss that topic here.

/cc @geekgonecrazy

Copied from original issue: rkt/rkt#242

From @sarnowski on December 8, 2014 15:4

Hello,

I am currently implementing writing and reading of ACIs and I am unsure about the exact ordering where encryption fits in. I think I know how its meant in the specification but maybe it makes sense to make it more clear. From my understanding the procedure is as follows:

Writing:

1. write tarball
2. hash tarball with sha256 for *.sig file (currently, maybe 512 in the future?)
3. [optionally] compress with gzip/bzip2/xz
4. [optionally] encrypt

Reading:

1. [optionally] unencrypt with a key (how do I determine the key and algorithm for it? how do I find out that I have to decrypt first, try it out if no compression file format is detected?)
2. [optionally] uncompress the ACI (is there any way planned how to more easily detect the file format besides besides introspection?)
3. hash tarball and compare with hash from the *.sig file
4. unpack tarball

Thanks,
Tobi

Copied from original issue: rkt/rkt#233

From @eparis on December 1, 2014 20:26

https://github.com/coreos/rocket/blob/master/app-container/SPEC.md#container-runtime-manifest

States that all apps in a container share the same mount namespace. But then goes on to talk about how volumes are mounted into specific apps.

Apps sharing the mount namespace seems really hard to get right, so I'm assuming that different apps in the same container have different mount namespaces?

Copied from original issue: rkt/rkt#127

For the apps to be able to have reasonable expectations of what to find at places like /dev and /proc, the spec should probably explicitly state what the execution environment must provide.

For linux we could just conform to http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/, though there's quite a bit going on there, some of which probably isn't necessary in the app's root. Perhaps we should instead require LSB conformance: http://refspecs.linuxfoundation.org/LSB_2.0.0/LSB-Core/LSB-Core/execenvfhs.html

What about the other operating systems?

Is it considered beyond the scope of the spec?

The spec says:

Image archives MUST be a tar formatted file. The image may be optionally compressed with gzip, bzip2, or xz. After compression, images may also be encrypted with AES symmetric encryption.

tar cvf reduce-worker.tar app rootfs
gpg --output reduce-worker.sig --detach-sig reduce-worker.tar
gzip reduce-worker.tar -c > reduce-worker.aci

At the same time, there is no mention of the second line command. Putting the signature on tar. Is it optional or mandatory?

From @thockin on December 2, 2014 2:25

Collected notes as I read through. Sorry for the length. If any of these become worth discussing, we can fork to different topics.

This changes the established naming from what Docker calls a container to what Kubernetes calls a pod. I think that changing the meaning of "container" at this point might be detrimental to the overall comprehension of the system. I would propose to keep container to mean what you call app-container and define a different word for a set of containers.

Example use case talks about "puts them into its local on-disk cache" and "extracts two copies". This sets off immediate alarm bells for me - disk IO is the single most contended resource, in our experience. To be successful, this spec really must be implementable with a minimum of disk IO. For example, I should be able to mount a pre-built cache of images and satisfy container run requests. That's not to say that disk IO can not satisfy the spec, but it must not be a requirement.

SIGTERM should be just one kind of termination signal

Files in an images "must maintain all of their original properties" - can this include capabilities?

One thing Docker does well is differentiate WHAT to run from HOW to run it. Does this address that idea? There's some overlap in lifecycle stuff, but some other things like resources are clearly dependent on how a container will be used. How about command line flags? Being able to take a pre-built container, such as ubuntu, and run things in it without creating and pushing a new container is powerful.

That rkt is not a daemon is very similar to what we were pushing with lmctfy. However, there are things that (currently) are hard to do without any daemon - an example we run up against is prioritized OOM handling. This spec should carefully consider the strata of the overall system and how some things cross between them.

Volumes are under-specified. Can I mount them at different places in each app? Can I not mount them in some apps?

Network: Does each APP get a network or each container? I'm a bit unclear on the naming and distinction between container and app. Does rkt provide "out of the box" network at all? Docker's got this part pretty well, even if it is terribly slow.

AC_APP_NAME - what does "the entrypoint that this process was defined from" mean?

Isolators: Who do I have to beg to NOT reinvent this, and instead use something derived from LMCTFY? We have captured YEARS of development in LMCTFY's concepts. For example, exposing CPU shares is a mess. If there are things about LMCTFY's structures that don't work, let's iron those out instead..

You say "if the ACE is looking for example.com/reduce-worker-1.0.0 it will request: https://example.com/reduce-worker?ac-discovery=1". What principle lead to some piece of software knowing where to split that string?

You make some remark about /etc/hosts being assumed present and parsed by libc. Does this mean you won't provide /etc/hosts, /etc/resolv.conf, etc? That seems like a bad idea.

meanYou say config-drives "make assumptions about filesystems which are not appropriate for all environments" - can you explain? Why is it not sufficient to say that config can also be found in a volume, if the user so prefers? The host environment should be able to provide that.

"name": "example.com/reduce-worker-1.0.0" - why is version just jammed in there? Or are you trying to say "version is opaque" and if you want it, you have to embed it in the name?

Can we define user and group as name strings, not as numerics (and why are they string numbers?)

Why do you need a private network flag? This hasn't really answered how networking will work. This has been a huge PITA with Docker because EVERYONE has a different idea of what they want in networks. You can NOT support flags for all of them, so I'd argue to support none of them and instead define that as a plugin, and ship some examples of network plugins but leave it open.

Copied from original issue: rkt/rkt#151

From @philips on December 1, 2014 7:43

For example if the user has example.com/project/subproject and we first try example.com/project/subproject but don't find a meta tag then try example.com/project then try example.com.

Copied from original issue: rkt/rkt#111

Hi,

should the spec define that, during the aci discovery process, if the version label isn't specified it should default to "latest" (as done in discovery/parse.go?)?

Thanks!

The manifest of the ACI at https://github.com/coreos/etcd/releases/download/v0.5.0-alpha.4/etcd-v0.5.0-alpha.4-linux-amd64.aci encodes empty lists (mountPoints, annotations etc) as null. I propose to change the encoding to use an empty list ([]) or even leave out the key alltogether. I prefer the former because size doesn't really matter here (it's only a few dozen bytes anyways).

When the ace-validator-sidekick image is run per the instructions on the Rocket "App Container Basics" https://github.com/coreos/rocket#app-container-basics it will leave a file /tmp/sidekick. A subsequent run will fail noting "/db/sidekick unexpectedly exists".

Either the ace-validator-sidekick aci post run should remove the file so that subsequent runs will pass
or it should make a note to STDOUT that the file must be removed before a follow up run will pass.

This is more like a general purpose issue to mention that the specs lacks of informations on expected behaviours. While reading the spec, many times I thought "how would I handle it with this particular use case if I had to implement it ?"

For example for pathWhitelist :

• does the runtime (container executor) juste filter out the allowed paths from dependency acis, or will it raise an error if some dependency container contains files outside the allowed paths ?
• "This field is only required if the app has dependencies and you wish to remove files from the rootfs before running the container" => Ok i now have my answer (files from dependency container but outside the folder path are just dropped) but will it raise an error if the field is missing ? (does "required" means "mandatory" here, not sure..)
• "an empty value means that all files in this image and any dependencies will be available in the rootfs." => here again : what about a missing value ?

From @philips on December 3, 2014 18:30

JSON is difficult for people to write and a number of people have asked for
another format for the manifest. Instead of complicating the spec with multiple
serialization formats for the ACI manifests add a feature to actool build to
take manifest files with a .yaml extension and convert the YAML to JSON before
laying the manifest down.

/cc @jonboulle thoughts on this?

Copied from original issue: rkt/rkt#195

I know we just created this repo, but I propose moving the tools such as the schema and validator to separate repos called appc-tools-golang and/or appc-schema-golang.

That way, we can keep spec issues isolated here, and bugs in the tools in the other repos.

I can possibly do this, if there is a consensus.

From @bacongobbler on December 4, 2014 17:36

I was sifting through the app-container spec on image discovery when I stumbled across this:

If simple discovery fails, then we use HTTPS+HTML meta tags to resolve an app name to a downloadable URL.

This works for the general use case, but some URLs may not have a content type of text/html e.g. in the case of an API.

For example, if I had a SaaS product and I wanted to have a discoverable URL to our API's ACI, I'd like a URL like https://example.com/api. The top-level domain (https://example.com/) would be our landing page (implying text/html), but https://example.com/api may be where our SaaS's API begins (in this case, application/json or some equivalent).

Would it be possible to extend the image discovery to use HTTP headers (HTTP_X_AC_DISCOVERY?) in the case that the content-type is not text/html? Is there a way to work around this, or would a PR for this type of extension be appreciated? :)

Copied from original issue: rkt/rkt#210

Right now discovery just recursively walks up the tree on any error, alternately trying https and http. For example, when discovering the name example.com/foo/bar/baz, it will make requests like so:
https://example.com/foo/bar/baz
http://example.com/foo/bar/baz
https://example.com/foo/bar/
http://example.com/foo/bar/
...

However for a certain class of errors, it doesn't make much sense to do this; for example if dialing example.com:443 times out the first time it's probably not worth retrying it for every branch. Some errors should just propagate directly (fail early)