package specs

import "os"

// Spec is the base configuration for the container.
type Spec struct {
	// Version of the Open Container Runtime Specification with which the bundle complies.
	Version string `json:"ociVersion"`
	// Platform specifies the configuration's target platform.
	Platform Platform `json:"platform"`
	// Process configures the container process.
	Process Process `json:"process"`
	// Root configures the container's root filesystem.
	Root Root `json:"root"`
	// Hostname configures the container's hostname.
	Hostname string `json:"hostname,omitempty"`
	// Mounts configures additional mounts (on top of Root).
	Mounts []Mount `json:"mounts,omitempty"`
	// Hooks configures callbacks for container lifecycle events.

config: Single, unified config file
Reverting 7232e4b1 (specs: introduce the concept of a runtime.json,
2015-07-30, #88) after discussion on the mailing list [1]. The main
reason is that it's hard to draw a clear line around "inherently
runtime-specific" or "non-portable", so we shouldn't try to do that in
the spec. Folks who want to flag settings as non-portable for their
own system (e.g. "we will clobber 'hooks' in bundles we run") are
welcome to do so, but we don't have to split the config into multiple
files to do that.
There have been a number of additional changes since #88, so this
isn't a pure Git reversion. Besides copy-pasting and the associated
link-target updates, I've:
* Restored path -> destination, now that the mount type contains both
source and target paths again. I'd prefer 'target' to 'destination'
to match mount(2), but the pre-7232e4b1 phrasing was 'destination'
(possibly due to Windows using 'target' for the source?).
* Restored the Windows mount example to its pre-7232e4b1 content.
* Removed required mounts from the config example (requirements landed
in 3848a238, config-linux: specify the default devices/filesystems
available, 2015-09-09, #164), because specifying those mounts in the
config is now redundant.
* Used headers (vs. bold paragraphs) to set off mount examples so we
get link anchors in the rendered Markdown.
* Replaced references to runtime.json with references to config.json.
[1]: https://groups.google.com/a/opencontainers.org/forum/#!topic/dev/0QbyJDM9fWY
Subject: Single, unified config file (i.e. rolling back specs#88)
Date: Wed, 4 Nov 2015 09:53:20 -0800
Message-ID: <20151104175320.GC24652@odin.tremily.us>
Signed-off-by: W. Trevor King <wking@tremily.us>

	Hooks Hooks `json:"hooks"`
	// Annotations contains arbitrary metadata for the container.
	Annotations map[string]string `json:"annotations,omitempty"`
	// Linux is platform specific configuration for Linux based containers.

specs-go/config: Make Linux and Solaris omitempty (again)
I'd added some omitempties in 5c2193f3 (specs-go/config: Make Linux
and Solaris omitempty, 2016-05-06, #431), but it turns out to not have
the intended effect unless the field is also a pointer type (even
after I shifted the 'omitempty' from the platform tag to the json
tag). Before this commit:
$ ./ocitools generate --template <(echo '{}')
$ jq . config.json
{
"ociVersion": "1.0.0-rc1-dev",
"platform": {
"os": "linux",
"arch": "amd64"
},
"process": {
"user": {
"uid": 0,
"gid": 0
},
"args": [],
"cwd": "/"
},
"root": {
"path": "rootfs"
},
"hooks": {},
"linux": {
"cgroupsPath": ""
},
"solaris": {
"cappedCPU": {},
"cappedMemory": {}
}
}
And after this commit:
$ ./ocitools generate --template <(echo '{}')
$ jq . config.json
{
"ociVersion": "1.0.0-rc1-dev",
"platform": {
"os": "linux",
"arch": "amd64"
},
"process": {
"user": {
"uid": 0,
"gid": 0
},
"args": [],
"cwd": "/"
},
"root": {
"path": "rootfs"
},
"hooks": {},
}
The remaining useless properties are addressed by other in-flight pull
requests:
* 5ca74df (config: Make 'process.args' optional, 2016-06-04, #489)
* ad33f9c (config: Explicitly list 'hooks' as optional, 2016-05-06,
#427)
So I've left them alone here.
Signed-off-by: W. Trevor King <wking@tremily.us>

	Linux *Linux `json:"linux,omitempty" platform:"linux"`
	// Solaris is platform specific configuration for Solaris containers.
	Solaris *Solaris `json:"solaris,omitempty" platform:"solaris"`
}
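The commit message above explains why `omitempty` on the `Linux` and `Solaris` fields only takes effect once those fields are pointers. The following program is an added example, not code from the runtime-spec repository: it uses reduced stand-ins for the page's types (the `SpecValueFields`/`SpecPointerFields` names are constructed here) to show the before and after encodings, and how a consumer of config.json can tell an absent `linux` section from an empty one.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Reduced stand-ins for the spec types on this page, constructed for this
// example so it runs without importing the specs package.
type Linux struct {
	CgroupsPath *string `json:"cgroupsPath,omitempty"`
}

type CappedCPU struct {
	Ncpus string `json:"ncpus,omitempty"`
}

type Solaris struct {
	CappedCPU *CappedCPU `json:"cappedCPU,omitempty"`
}

// SpecValueFields has the shape from before the commit: omitempty on struct
// values. encoding/json never treats a struct value as "empty", so the tag
// has no effect and an empty object is always emitted.
type SpecValueFields struct {
	Version string  `json:"ociVersion"`
	Linux   Linux   `json:"linux,omitempty"`
	Solaris Solaris `json:"solaris,omitempty"`
}

// SpecPointerFields has the shape from after the commit: a nil pointer is
// "empty", so an unset platform section is omitted entirely.
type SpecPointerFields struct {
	Version string   `json:"ociVersion"`
	Linux   *Linux   `json:"linux,omitempty"`
	Solaris *Solaris `json:"solaris,omitempty"`
}

// ValueFieldsJSON marshals an otherwise-empty pre-commit spec.
func ValueFieldsJSON() (string, error) {
	b, err := json.Marshal(SpecValueFields{Version: "1.0.0-rc1-dev"})
	return string(b), err
}

// PointerFieldsJSON marshals an otherwise-empty post-commit spec.
func PointerFieldsJSON() (string, error) {
	b, err := json.Marshal(SpecPointerFields{Version: "1.0.0-rc1-dev"})
	return string(b), err
}

// HasLinuxSection decodes a config.json into the pointer-field shape and
// reports whether a "linux" object was present at all. With value fields
// that distinction is lost: an absent section and {} both decode to the
// zero struct, so a runtime cannot tell "not configured" from "empty".
func HasLinuxSection(config []byte) (bool, error) {
	var s SpecPointerFields
	if err := json.Unmarshal(config, &s); err != nil {
		return false, err
	}
	return s.Linux != nil, nil
}

func main() {
	before, _ := ValueFieldsJSON()
	after, _ := PointerFieldsJSON()
	fmt.Println("value fields:  ", before)
	fmt.Println("pointer fields:", after)
	// Constructed sample config.json with an empty but present linux section.
	present, _ := HasLinuxSection([]byte(`{"ociVersion":"1.0.0-rc1-dev","linux":{}}`))
	fmt.Println("linux section present:", present)
}
```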

// Process contains information to start a specific application inside the container.
type Process struct {
	// Terminal creates an interactive terminal for the container.
	Terminal bool `json:"terminal,omitempty"`
	// User specifies user information for the process.
	User User `json:"user"`
	// Args specifies the binary and arguments for the application to execute.
	Args []string `json:"args"`
	// Env populates the process environment for the process.
	Env []string `json:"env,omitempty"`
	// Cwd is the current working directory for the process and must be
	// relative to the container's root.
	Cwd string `json:"cwd"`
	// Capabilities are Linux capabilities that are kept for the container.
	Capabilities []string `json:"capabilities,omitempty" platform:"linux"`
	// Rlimits specifies rlimit options to apply to the process.
	Rlimits []Rlimit `json:"rlimits,omitempty" platform:"linux"`
	// NoNewPrivileges controls whether additional privileges could be gained by processes in the container.
	NoNewPrivileges bool `json:"noNewPrivileges,omitempty" platform:"linux"`
	// ApparmorProfile specifies the apparmor profile for the container.
	ApparmorProfile string `json:"apparmorProfile,omitempty" platform:"linux"`
	// SelinuxLabel specifies the selinux context that the container process is run as.
	SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`
}

// User specifies specific user (and group) information for the container process.
type User struct {
	// UID is the user id.
	UID uint32 `json:"uid" platform:"linux,solaris"`
	// GID is the group id.
	GID uint32 `json:"gid" platform:"linux,solaris"`
	// AdditionalGids are additional group ids set for the container's process.
	AdditionalGids []uint32 `json:"additionalGids,omitempty" platform:"linux,solaris"`
	// Username is the user name.
	Username string `json:"username,omitempty" platform:"windows"`
}

// Root contains information about the container's root filesystem on the host.
type Root struct {
	// Path is the absolute path to the container's root filesystem.
	Path string `json:"path"`
	// Readonly makes the root filesystem for the container readonly before the process is executed.
	Readonly bool `json:"readonly,omitempty"`
}

// Platform specifies OS and arch information for the host system that the container
// is created for.
type Platform struct {
	// OS is the operating system.
	OS string `json:"os"`
	// Arch is the architecture.
	Arch string `json:"arch"`
}

// Mount specifies a mount for a container.
type Mount struct {
	// Destination is the path where the mount will be placed relative to the container's root.
	// The path and child directories MUST exist; a runtime MUST NOT create directories automatically to a mount point.
	Destination string `json:"destination"`
	// Type specifies the mount kind.
	Type string `json:"type"`
	// Source specifies the source path of the mount. In the case of bind mounts on
	// Linux based systems this would be the file on the host.
	Source string `json:"source"`
	// Options are fstab style mount options.
	Options []string `json:"options,omitempty"`
}

// Hook specifies a command that is run at a particular event in the lifecycle of a container.
type Hook struct {
	// Path is the absolute path to the hook executable.
	Path string `json:"path"`
	// Args are the arguments passed to the hook, with the same semantics as execv's argv.
	Args []string `json:"args,omitempty"`
	// Env is the environment for the hook, in the same form as Process.Env.
	Env []string `json:"env,omitempty"`
	// Timeout is the number of seconds before the runtime aborts the hook.
	Timeout *int `json:"timeout,omitempty"`
}

// Hooks for container setup and teardown
type Hooks struct {
	// Prestart is a list of hooks to be run before the container process is executed.
	// On Linux, they are run after the container namespaces are created.
	Prestart []Hook `json:"prestart,omitempty"`
	// Poststart is a list of hooks to be run after the container process is started.
	Poststart []Hook `json:"poststart,omitempty"`
	// Poststop is a list of hooks to be run after the container process exits.
	Poststop []Hook `json:"poststop,omitempty"`
}

// Linux contains platform specific configuration for Linux based containers.
type Linux struct {
	// UIDMappings specifies user mappings for supporting user namespaces on Linux.
	UIDMappings []IDMapping `json:"uidMappings,omitempty"`
	// GIDMappings specifies group mappings for supporting user namespaces on Linux.
	GIDMappings []IDMapping `json:"gidMappings,omitempty"`
	// Sysctl is a set of key value pairs that are set for the container on start.
	Sysctl map[string]string `json:"sysctl,omitempty"`
	// Resources contain cgroup information for handling resource constraints
	// for the container.
	Resources *Resources `json:"resources,omitempty"`
	// CgroupsPath specifies the path to cgroups that are created and/or joined by the container.
	// The path is expected to be relative to the cgroups mountpoint.
	// If resources are specified, the cgroups at CgroupsPath will be updated based on resources.
	CgroupsPath *string `json:"cgroupsPath,omitempty"`
	// Namespaces contains the namespaces that are created and/or joined by the container.
	Namespaces []Namespace `json:"namespaces,omitempty"`
	// Devices are a list of device nodes that are created for the container.
	Devices []Device `json:"devices,omitempty"`
	// Seccomp specifies the seccomp security settings for the container.
	Seccomp *Seccomp `json:"seccomp,omitempty"`
	// RootfsPropagation is the rootfs mount propagation mode for the container.
	RootfsPropagation string `json:"rootfsPropagation,omitempty"`
	// MaskedPaths masks over the provided paths inside the container.
	MaskedPaths []string `json:"maskedPaths,omitempty"`
	// ReadonlyPaths sets the provided paths as RO inside the container.
	ReadonlyPaths []string `json:"readonlyPaths,omitempty"`
	// MountLabel specifies the selinux context for the mounts in the container.
	MountLabel string `json:"mountLabel,omitempty"`
}

// Namespace is the configuration for a Linux namespace.
type Namespace struct {
	// Type is the type of Linux namespace.
	Type NamespaceType `json:"type"`
	// Path is a path to an existing namespace persisted on disk that can be joined
	// and is of the same type.
	Path string `json:"path,omitempty"`
}

// NamespaceType is one of the Linux namespaces.
type NamespaceType string

// Each constant carries the NamespaceType type so that the set is closed
// rather than a mix of one typed and several untyped string constants.
const (
	// PIDNamespace for isolating process IDs
	PIDNamespace NamespaceType = "pid"
	// NetworkNamespace for isolating network devices, stacks, ports, etc
	NetworkNamespace NamespaceType = "network"
	// MountNamespace for isolating mount points
	MountNamespace NamespaceType = "mount"
	// IPCNamespace for isolating System V IPC, POSIX message queues
	IPCNamespace NamespaceType = "ipc"
	// UTSNamespace for isolating hostname and NIS domain name
	UTSNamespace NamespaceType = "uts"
	// UserNamespace for isolating user and group IDs
	UserNamespace NamespaceType = "user"
	// CgroupNamespace for isolating cgroup hierarchies
	CgroupNamespace NamespaceType = "cgroup"
)

// IDMapping specifies UID/GID mappings
type IDMapping struct {
	// HostID is the UID/GID of the host user or group
	HostID uint32 `json:"hostID"`
	// ContainerID is the UID/GID of the container's user or group
	ContainerID uint32 `json:"containerID"`
	// Size is the length of the range of IDs mapped between the two namespaces
	Size uint32 `json:"size"`
}

// Rlimit type and restrictions
type Rlimit struct {
	// Type of the rlimit to set
	Type string `json:"type"`
	// Hard is the hard limit for the specified type
	Hard uint64 `json:"hard"`
	// Soft is the soft limit for the specified type
	Soft uint64 `json:"soft"`
}

// HugepageLimit structure corresponds to limiting kernel hugepages
type HugepageLimit struct {
	// Pagesize is the hugepage size
	Pagesize *string `json:"pageSize,omitempty"`
	// Limit is the limit of "hugepagesize" hugetlb usage
	Limit *uint64 `json:"limit,omitempty"`
}

// InterfacePriority for network interfaces
type InterfacePriority struct {
	// Name is the name of the network interface
	Name string `json:"name"`
	// Priority for the interface
	Priority uint32 `json:"priority"`
}

// blockIODevice holds major:minor format supported in blkio cgroup
type blockIODevice struct {
	// Major is the device's major number.
	Major int64 `json:"major"`
	// Minor is the device's minor number.
	Minor int64 `json:"minor"`
}

// WeightDevice struct holds a `major:minor weight` pair for blkioWeightDevice
type WeightDevice struct {
	blockIODevice
	// Weight is the bandwidth rate for the device, range is from 10 to 1000
	Weight *uint16 `json:"weight,omitempty"`
	// LeafWeight is the bandwidth rate for the device while competing with the cgroup's child cgroups, range is from 10 to 1000, CFQ scheduler only
	LeafWeight *uint16 `json:"leafWeight,omitempty"`
}

// ThrottleDevice struct holds a `major:minor rate_per_second` pair
type ThrottleDevice struct {
	blockIODevice
	// Rate is the IO rate limit per cgroup per device
	Rate *uint64 `json:"rate,omitempty"`
}

// BlockIO for Linux cgroup 'blkio' resource management
type BlockIO struct {
	// Specifies per cgroup weight, range is from 10 to 1000
	Weight *uint16 `json:"blkioWeight,omitempty"`
	// Specifies tasks' weight in the given cgroup while competing with the cgroup's child cgroups, range is from 10 to 1000, CFQ scheduler only
	LeafWeight *uint16 `json:"blkioLeafWeight,omitempty"`
	// Weight per cgroup per device, can override BlkioWeight
	WeightDevice []WeightDevice `json:"blkioWeightDevice,omitempty"`
	// IO read rate limit per cgroup per device, bytes per second
	ThrottleReadBpsDevice []ThrottleDevice `json:"blkioThrottleReadBpsDevice,omitempty"`
	// IO write rate limit per cgroup per device, bytes per second
	ThrottleWriteBpsDevice []ThrottleDevice `json:"blkioThrottleWriteBpsDevice,omitempty"`
	// IO read rate limit per cgroup per device, IO per second
	ThrottleReadIOPSDevice []ThrottleDevice `json:"blkioThrottleReadIOPSDevice,omitempty"`
	// IO write rate limit per cgroup per device, IO per second
	ThrottleWriteIOPSDevice []ThrottleDevice `json:"blkioThrottleWriteIOPSDevice,omitempty"`
}

// Memory for Linux cgroup 'memory' resource management
type Memory struct {
	// Memory limit (in bytes).
	Limit *uint64 `json:"limit,omitempty"`
	// Memory reservation or soft_limit (in bytes).
	Reservation *uint64 `json:"reservation,omitempty"`
	// Total memory limit (memory + swap).
	Swap *uint64 `json:"swap,omitempty"`
	// Kernel memory limit (in bytes).
	Kernel *uint64 `json:"kernel,omitempty"`
	// Kernel memory limit for tcp (in bytes)
	KernelTCP *uint64 `json:"kernelTCP,omitempty"`
	// How aggressive the kernel will swap memory pages. Range from 0 to 100.
	Swappiness *uint64 `json:"swappiness,omitempty"`
}

// CPU for Linux cgroup 'cpu' resource management
type CPU struct {
	// CPU shares (relative weight (ratio) vs. other cgroups with cpu shares).
	Shares *uint64 `json:"shares,omitempty"`
	// CPU hardcap limit (in usecs). Allowed cpu time in a given period.
	Quota *uint64 `json:"quota,omitempty"`
	// CPU period to be used for hardcapping (in usecs).
	Period *uint64 `json:"period,omitempty"`
	// How much time realtime scheduling may use (in usecs).
	RealtimeRuntime *uint64 `json:"realtimeRuntime,omitempty"`
	// CPU period to be used for realtime scheduling (in usecs).
	RealtimePeriod *uint64 `json:"realtimePeriod,omitempty"`
	// CPUs to use within the cpuset. Default is to use any CPU available.
	Cpus *string `json:"cpus,omitempty"`
	// List of memory nodes in the cpuset. Default is to use any available memory node.
	Mems *string `json:"mems,omitempty"`
}

// Pids for Linux cgroup 'pids' resource management (Linux 4.3)
type Pids struct {
	// Maximum number of PIDs. Default is "no limit".
	Limit *int64 `json:"limit,omitempty"`
}

// Network identification and priority configuration
type Network struct {
	// Set class identifier for container's network packets
	ClassID *uint32 `json:"classID,omitempty"`
	// Set priority of network traffic for container
	Priorities []InterfacePriority `json:"priorities,omitempty"`
}

// Resources has container runtime resource constraints
type Resources struct {
	// Devices configures the device whitelist.
	Devices []DeviceCgroup `json:"devices,omitempty"`
	// DisableOOMKiller disables the OOM killer for out of memory conditions
	DisableOOMKiller *bool `json:"disableOOMKiller,omitempty"`
	// Specify an oom_score_adj for the container.
	OOMScoreAdj *int `json:"oomScoreAdj,omitempty"`
	// Memory restriction configuration
	Memory *Memory `json:"memory,omitempty"`
	// CPU resource restriction configuration
	CPU *CPU `json:"cpu,omitempty"`
	// Task resource restriction configuration.
	Pids *Pids `json:"pids,omitempty"`
	// BlockIO restriction configuration
	BlockIO *BlockIO `json:"blockIO,omitempty"`
	// Hugetlb limit (in bytes)
	HugepageLimits []HugepageLimit `json:"hugepageLimits,omitempty"`
	// Network restriction configuration
	Network *Network `json:"network,omitempty"`
}

// Device represents the mknod information for a Linux special device file
type Device struct {
	// Path to the device.
	Path string `json:"path"`
	// Device type, block, char, etc.
	Type string `json:"type"`
	// Major is the device's major number.
	Major int64 `json:"major"`
	// Minor is the device's minor number.
	Minor int64 `json:"minor"`
	// FileMode permission bits for the device.
	FileMode *os.FileMode `json:"fileMode,omitempty"`
	// UID of the device.
	UID *uint32 `json:"uid,omitempty"`
	// GID of the device.
	GID *uint32 `json:"gid,omitempty"`
}

// DeviceCgroup represents a device rule for the whitelist controller
type DeviceCgroup struct {
	// Allow or deny
	Allow bool `json:"allow"`
	// Device type, block, char, etc.
	Type *string `json:"type,omitempty"`
	// Major is the device's major number.
	Major *int64 `json:"major,omitempty"`
	// Minor is the device's minor number.
	Minor *int64 `json:"minor,omitempty"`
	// Cgroup access permissions format, rwm.
	Access *string `json:"access,omitempty"`
}

// Seccomp represents syscall restrictions
type Seccomp struct {
	// DefaultAction is the action taken for any syscall not matched by a rule in Syscalls.
	DefaultAction Action `json:"defaultAction"`
	// Architectures lists the additional architectures for which system calls are permitted.
	Architectures []Arch `json:"architectures"`
	// Syscalls is the list of per-syscall rules.
	Syscalls []Syscall `json:"syscalls,omitempty"`
}

// Solaris contains platform specific configuration for Solaris application containers.
type Solaris struct {
	// SMF FMRI which should go "online" before we start the container process.
	Milestone string `json:"milestone,omitempty"`
	// Maximum set of privileges any process in this container can obtain.
	LimitPriv string `json:"limitpriv,omitempty"`
	// The maximum amount of shared memory allowed for this container.
	MaxShmMemory string `json:"maxShmMemory,omitempty"`
	// Specification for automatic creation of network resources for this container.
	Anet []Anet `json:"anet,omitempty"`
	// Set limit on the amount of CPU time that can be used by container.
	CappedCPU *CappedCPU `json:"cappedCPU,omitempty"`
	// The physical and swap caps on the memory that can be used by this container.
	CappedMemory *CappedMemory `json:"cappedMemory,omitempty"`
}

// CappedCPU allows users to set limit on the amount of CPU time that can be used by container.
type CappedCPU struct {
	Ncpus string `json:"ncpus,omitempty"`
}

// CappedMemory allows users to set the physical and swap caps on the memory that can be used by this container.
type CappedMemory struct {
	Physical string `json:"physical,omitempty"`
	Swap     string `json:"swap,omitempty"`
}

// Anet provides the specification for automatic creation of network resources for this container.
type Anet struct {
	// Specify a name for the automatically created VNIC datalink.
	Linkname string `json:"linkname,omitempty"`
	// Specify the link over which the VNIC will be created.
	Lowerlink string `json:"lowerLink,omitempty"`
	// The set of IP addresses that the container can use.
	Allowedaddr string `json:"allowedAddress,omitempty"`
	// Specifies whether allowedAddress limitation is to be applied to the VNIC.
	Configallowedaddr string `json:"configureAllowedAddress,omitempty"`
	// The value of the optional default router.
	Defrouter string `json:"defrouter,omitempty"`
	// Enable one or more types of link protection.
	Linkprotection string `json:"linkProtection,omitempty"`
	// Set the VNIC's macAddress
	Macaddress string `json:"macAddress,omitempty"`
}

// Arch used for additional architectures
type Arch string

// Additional architectures permitted to be used for system calls
// By default only the native architecture of the kernel is permitted
const (
	ArchX86         Arch = "SCMP_ARCH_X86"
	ArchX86_64      Arch = "SCMP_ARCH_X86_64"
	ArchX32         Arch = "SCMP_ARCH_X32"
	ArchARM         Arch = "SCMP_ARCH_ARM"
	ArchAARCH64     Arch = "SCMP_ARCH_AARCH64"
	ArchMIPS        Arch = "SCMP_ARCH_MIPS"
	ArchMIPS64      Arch = "SCMP_ARCH_MIPS64"
	ArchMIPS64N32   Arch = "SCMP_ARCH_MIPS64N32"
	ArchMIPSEL      Arch = "SCMP_ARCH_MIPSEL"
	ArchMIPSEL64    Arch = "SCMP_ARCH_MIPSEL64"
	ArchMIPSEL64N32 Arch = "SCMP_ARCH_MIPSEL64N32"
	ArchPPC         Arch = "SCMP_ARCH_PPC"
	ArchPPC64       Arch = "SCMP_ARCH_PPC64"
	ArchPPC64LE     Arch = "SCMP_ARCH_PPC64LE"
	ArchS390        Arch = "SCMP_ARCH_S390"
	ArchS390X       Arch = "SCMP_ARCH_S390X"
)

// Action taken upon Seccomp rule match
type Action string

// Define actions for Seccomp rules
const (
	ActKill  Action = "SCMP_ACT_KILL"
	ActTrap  Action = "SCMP_ACT_TRAP"
	ActErrno Action = "SCMP_ACT_ERRNO"
	ActTrace Action = "SCMP_ACT_TRACE"
	ActAllow Action = "SCMP_ACT_ALLOW"
)

// Operator used to match syscall arguments in Seccomp
type Operator string

// Define operators for syscall arguments in Seccomp
const (
	OpNotEqual     Operator = "SCMP_CMP_NE"
	OpLessThan     Operator = "SCMP_CMP_LT"
	OpLessEqual    Operator = "SCMP_CMP_LE"
	OpEqualTo      Operator = "SCMP_CMP_EQ"
	OpGreaterEqual Operator = "SCMP_CMP_GE"
	OpGreaterThan  Operator = "SCMP_CMP_GT"
	OpMaskedEqual  Operator = "SCMP_CMP_MASKED_EQ"
)

// Arg used for matching specific syscall arguments in Seccomp
type Arg struct {
	// Index is the position of the syscall argument to compare.
	Index uint `json:"index"`
	// Value is the operand the argument is compared against.
	Value uint64 `json:"value"`
	// ValueTwo is the second operand for operators that take two (e.g. SCMP_CMP_MASKED_EQ).
	ValueTwo uint64 `json:"valueTwo"`
	// Op is the comparison operator applied to the argument.
	Op Operator `json:"op"`
}

// Syscall is used to match a syscall in Seccomp
type Syscall struct {
	// Name of the system call the rule applies to.
	Name string `json:"name"`
	// Action taken when the rule matches.
	Action Action `json:"action"`
	// Args are optional argument filters that further constrain the match.
	Args []Arg `json:"args,omitempty"`
}