json-schema: initial pass at schema and validator #313
Conversation
|
I am working through making usable definitions like has been done for |
|
looks good but makes my head hurt, oy. |
vbatts
force-pushed
the
json-schema
branch
3 times, most recently
from
bda07e0
to
c5521a5
Compare
|
It is something to behold, but it is allowing decently flexible validation. |
vbatts
changed the title
|
Food for thought: I see you're already using schema references ( |
|
I wondered about that, but didn't see a way to "source" or "include", and On Tue, Jan 19, 2016 at 6:20 PM, Nathaniel Kofalt notifications@github.com
|
$ref is the way to source/include other content 1. |
|
how quaint. let me revisit this. |
| "type": "array", | ||
| "items": { | ||
| "oneOf": [ { "$ref": "#/definitions/GID" } ] | ||
| } |
There was a problem hiding this comment.
I don't think you need oneOf for arrays. Is there a reason:
"items": {
"$ref": "/definitions/GID"
}
doesn't work?
There was a problem hiding this comment.
it is a typed array. Otherwise it would allow ["foo", 1, false]
There was a problem hiding this comment.
On Thu, Mar 03, 2016 at 12:27:46PM -0800, Vincent Batts wrote:
"items": {"oneOf": [ { "$ref": "#/definitions/GID" } ]}it is a typed array. Otherwise it would allow
["foo", 1, false]
I'm pretty sure that's what the $ref-only phrasing 1 means.
|
This is just a drive-by suggestion, but you might want to look at https://github.com/common-workflow-language/schema_salad as a possible alternative to JSON Schema. |
|
@tetron thanks, but that seems too niche and less of a standard even than JSON-schema is. |
|
rebased again |
|
I feel this is about ready for review too. |
|
On Thu, Mar 03, 2016 at 12:05:54PM -0800, Vincent Batts wrote:
Any comments on my three still-applicable comments: |
|
Done. PTAL |
|
On Thu, Mar 03, 2016 at 02:06:57PM -0800, Vincent Batts wrote:
Indent and oneOfs look good with 5e656f4. I'd still like |
| { | ||
| "$ref": "#/definitions/SyscallArg" | ||
| } | ||
| ] |
There was a problem hiding this comment.
Remaining unnecessary oneOf (see 5e656f4).
| } | ||
| }, | ||
| "CapabilityString": { | ||
| "description": "File permissions mode (typically an octal value)", |
There was a problem hiding this comment.
This is not the right description for CapabilityString.
And we can probably use Capability instead of CapabilityString (like we don't use MajorUInt); I don't foresee other singular capability types.
|
rebased and updated |
vbatts
changed the title
|
LGTM |
|
Can we squash or re-order the commits? |
|
@mrunalp ah yeah. the commits were just as I made progress. Let me clean them up. |
Conforming to https://tools.ietf.org/html/draft-zyp-json-schema-03 and http://json-schema.org/latest/json-schema-core.html * Utilizes a number of JSON schema features, including 'pattern' * Defined primitives, like integers, that we'll use * Split out definitions for primitives and platform-specific * Provide a Makefile for: - "fmt" target for *.json - "validate" target for building the validation tool Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
|
@mrunalp fully squashed |
|
LGTM |
json-schema: initial pass at schema and validator
Also: * Update the link to Go bindings after 7bf06d5 (source and schema: differentiate with examples, 2015-12-18, opencontainers#276). * Add a reference to the JSON Schema after cdcabde (schema: JSON Schema and validator for `config.json`, 2016-01-19, opencontainers#313). It's pretty clear that the Go bindings cannot be canonical on their own, because they do not define limits (e.g. the 0 through 512 range for FileMode). The JSON Schema is closer, but still does not cover everything (e.g. "a directory must exist at root.path"). Both the Go bindings and the JSON Schema could grow to cover the full spec by adding that sort of thing to comments and descriptions, but that's not how things seem to be working now. Signed-off-by: W. Trevor King <wking@tremily.us>
Also: * Update the link to Go bindings after 7bf06d5 (source and schema: differentiate with examples, 2015-12-18, opencontainers#276). * Add a reference to the JSON Schema after cdcabde (schema: JSON Schema and validator for `config.json`, 2016-01-19, opencontainers#313). It's pretty clear that the Go bindings cannot be canonical on their own, because they do not define limits (e.g. the 0 through 512 range for FileMode). The JSON Schema is closer, but still does not cover everything (e.g. "a directory must exist at root.path"). Both the Go bindings and the JSON Schema could grow to cover the full spec by adding that sort of thing to comments and descriptions, but that's not how things seem to be working now. Signed-off-by: W. Trevor King <wking@tremily.us>
Validation is partly covered by cdcabde (schema: JSON Schema and validator for `config.json`, 2016-01-19, opencontainers#313) and subequent JSON Schema work. The remainder of these targets are handled by ocitools [1]. [1]: https://github.com/opencontainers/ocitools Signed-off-by: W. Trevor King <wking@tremily.us>
# digest/hashing target Most of this has spun off with [1], and I haven't heard of anyone talking about verifying the on-disk filesystem in a while. My personal take is on-disk verification doesn't add much over serialized verification unless you have a local attacker (or unreliable disk), and you'll need some careful threat modeling if you want to do anything productive about the local attacker case. For some more on-disk verification discussion, see the thread starting with [2]. # distributable-format target This spun off with [1]. # lifecycle target I think this is resolved since 7713efc (Add lifecycle for containers, 2015-10-22, opencontainers#231), which was committed on the same day as the ROADMAP entry (4859f6d, Add initial roadmap, 2015-10-22, opencontainers#230). # container-action target Addressed by 7117ede (Expand on the definition of our ops, 2015-10-13, opencontainers#225), although there has been additional discussion in a7a366b (Remove exec from required runtime functionalities, 2016-04-19, opencontainers#388) and 0430aaf (Split create and start, 2016-04-01, opencontainers#384). # validation and testing targets Validation is partly covered by cdcabde (schema: JSON Schema and validator for `config.json`, 2016-01-19, opencontainers#313) and subequent JSON Schema work. The remainder of these targets are handled by ocitools [3]. # printable/compiled-spec target The bulk of this was addressed by 4ee036f (*: printable documents, 2015-12-09, opencontainers#263). Any remaining polishing of that workflow seems like a GitHub-issue thing and not a ROADMAP thing. And publishing these to opencontainers.org certainly seems like it's outside the scope of this repository (although I think that such publishing is a good idea). [1]: https://github.com/opencontainers/image-spec [2]: https://groups.google.com/a/opencontainers.org/d/msg/dev/xo4SQ92aWJ8/NHpSQ19KCAAJ Subject: OCI Bundle Digests Summary Date: Wed, 14 Oct 2015 17:09:15 +0000 Message-ID: <CAD2oYtN-9yLLhG_STO3F1h58Bn5QovK+u3wOBa=t+7TQi-hP1Q@mail.gmail.com> [3]: https://github.com/opencontainers/ocitools Signed-off-by: W. Trevor King <wking@tremily.us>
The JSON Schema requirement dates back to cdcabde (schema: JSON Schema and validator for `config.json`, 2016-01-19, opencontainers#313), but the property has been explicitly optional in the Markdown spec since 7ac41c6 (config.md: reformat into a standard style, 2015-06-30). Signed-off-by: W. Trevor King <wking@tremily.us>
Also: * Update the link to Go bindings after 7bf06d5 (source and schema: differentiate with examples, 2015-12-18, opencontainers#276). * Add a reference to the JSON Schema after cdcabde (schema: JSON Schema and validator for `config.json`, 2016-01-19, opencontainers#313). It's pretty clear that the Go bindings cannot be canonical on their own, because they do not define limits (e.g. the 0 through 512 range for FileMode). The JSON Schema is closer, but still does not cover everything (e.g. "a directory must exist at root.path"). Both the Go bindings and the JSON Schema could grow to cover the full spec by adding that sort of thing to comments and descriptions, but that's not how things seem to be working now. Signed-off-by: W. Trevor King <wking@tremily.us>
# digest/hashing target Most of this has spun off with [1], and I haven't heard of anyone talking about verifying the on-disk filesystem in a while. My personal take is on-disk verification doesn't add much over serialized verification unless you have a local attacker (or unreliable disk), and you'll need some careful threat modeling if you want to do anything productive about the local attacker case. For some more on-disk verification discussion, see the thread starting with [2]. # distributable-format target This spun off with [1]. # lifecycle target I think this is resolved since 7713efc (Add lifecycle for containers, 2015-10-22, opencontainers#231), which was committed on the same day as the ROADMAP entry (4859f6d, Add initial roadmap, 2015-10-22, opencontainers#230). # container-action target Addressed by 7117ede (Expand on the definition of our ops, 2015-10-13, opencontainers#225), although there has been additional discussion in a7a366b (Remove exec from required runtime functionalities, 2016-04-19, opencontainers#388) and 0430aaf (Split create and start, 2016-04-01, opencontainers#384). # validation and testing targets Validation is partly covered by cdcabde (schema: JSON Schema and validator for `config.json`, 2016-01-19, opencontainers#313) and subequent JSON Schema work. The remainder of these targets are handled by ocitools [3]. # printable/compiled-spec target The bulk of this was addressed by 4ee036f (*: printable documents, 2015-12-09, opencontainers#263). Any remaining polishing of that workflow seems like a GitHub-issue thing and not a ROADMAP thing. And publishing these to opencontainers.org certainly seems like it's outside the scope of this repository (although I think that such publishing is a good idea). [1]: https://github.com/opencontainers/image-spec [2]: https://groups.google.com/a/opencontainers.org/d/msg/dev/xo4SQ92aWJ8/NHpSQ19KCAAJ Subject: OCI Bundle Digests Summary Date: Wed, 14 Oct 2015 17:09:15 +0000 Message-ID: <CAD2oYtN-9yLLhG_STO3F1h58Bn5QovK+u3wOBa=t+7TQi-hP1Q@mail.gmail.com> [3]: https://github.com/opencontainers/ocitools Signed-off-by: W. Trevor King <wking@tremily.us>
The JSON Schema requirement dates back to cdcabde (schema: JSON Schema and validator for `config.json`, 2016-01-19, opencontainers#313), but the property has been explicitly optional in the Markdown spec since 7ac41c6 (config.md: reformat into a standard style, 2015-06-30). Signed-off-by: W. Trevor King <wking@tremily.us>
Conforming to https://tools.ietf.org/html/draft-zyp-json-schema-03
and http://json-schema.org/latest/json-schema-core.html
This work would ideally pair with separating the current reference source effort #276
The gist of the
config.jsonbeing tested with (may change periodically): https://gist.github.com/vbatts/5ac2723c9598875ffb0eSigned-off-by: Vincent Batts vbatts@hashbangbash.com