jasder
/
runc
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
runc/runtime-config-linux.md

196 lines
6.1 KiB
Markdown
Raw Normal View History

runtime-config-linux: Drop 'Linux' from headers The fact that these are Linux-specific entities should be obvious from the context (this whole file is only about Linux-specific entities). Signed-off-by: W. Trevor King <wking@tremily.us>
2015-08-27 04:32:27 +08:00
## Namespaces
specs: introduce the concept of a runtime.json Based on our discussion in-person yesterday it seems necessary to separate the concept of runtime configuration from application configuration. There are a few motivators: - To support runtime updates of things like cgroups, rlimits, etc we should separate things that are inherently runtime specific from things that are static to the application running in the container. - To support the goal of being able to move a bundle between hosts we should make it clear what parts of the spec are and are not portable between hosts so that upon landing on a new host the non-portable options may be rewritten or removed. - In order to attach a cryptographic identity to a bundle we must not include details in the bundle that are host specific.
2015-07-31 03:17:04 +08:00
runtime-config-linux: One sentence per line for opening two paragraphs I touched these paragraphs while removing trailing whitespace in the previous commit. Since I was touching them in this branch, it seemed better to rewrap them using the "Markdown style" suggestions in the README. I also added a missing period after the namespaces(7) link. Signed-off-by: W. Trevor King <wking@tremily.us>
2015-08-27 06:15:16 +08:00
A namespace wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource.
Changes to the global resource are visible to other processes that are members of the namespace, but are invisible to other processes.
For more information, see [the man page](http://man7.org/linux/man-pages/man7/namespaces.7.html).
specs: introduce the concept of a runtime.json Based on our discussion in-person yesterday it seems necessary to separate the concept of runtime configuration from application configuration. There are a few motivators: - To support runtime updates of things like cgroups, rlimits, etc we should separate things that are inherently runtime specific from things that are static to the application running in the container. - To support the goal of being able to move a bundle between hosts we should make it clear what parts of the spec are and are not portable between hosts so that upon landing on a new host the non-portable options may be rewritten or removed. - In order to attach a cryptographic identity to a bundle we must not include details in the bundle that are host specific.
2015-07-31 03:17:04 +08:00
runtime-config-linux: One sentence per line for opening two paragraphs I touched these paragraphs while removing trailing whitespace in the previous commit. Since I was touching them in this branch, it seemed better to rewrap them using the "Markdown style" suggestions in the README. I also added a missing period after the namespaces(7) link. Signed-off-by: W. Trevor King <wking@tremily.us>
2015-08-27 06:15:16 +08:00
Namespaces are specified in the spec as an array of entries.
Each entry has a type field with possible values described below and an optional path element.
specs: introduce the concept of a runtime.json Based on our discussion in-person yesterday it seems necessary to separate the concept of runtime configuration from application configuration. There are a few motivators: - To support runtime updates of things like cgroups, rlimits, etc we should separate things that are inherently runtime specific from things that are static to the application running in the container. - To support the goal of being able to move a bundle between hosts we should make it clear what parts of the spec are and are not portable between hosts so that upon landing on a new host the non-portable options may be rewritten or removed. - In order to attach a cryptographic identity to a bundle we must not include details in the bundle that are host specific.
2015-07-31 03:17:04 +08:00
If a path is specified, that particular file is used to join that type of namespace.
```json
"namespaces": [
{
"type": "pid",
"path": "/proc/1234/ns/pid"
},
{
"type": "net",
"path": "/var/run/netns/neta"
},
{
"type": "mnt",
},
{
"type": "ipc",
},
{
"type": "uts",
},
{
"type": "user",
},
]
```
#### Namespace types
* **pid** processes inside the container will only be able to see other processes inside the same container.
* **network** the container will have its own network stack.
* **mnt** the container will have an isolated mount table.
* **ipc** processes inside the container will only be able to communicate to other processes inside the same
container via system level IPC.
* **uts** the container will be able to have its own hostname and domain name.
* **user** the container will be able to remap user and group IDs from the host to local users and groups
within the container.
Rename the header "Access to devices" to "Devices" to fit with the config And also fix the header size Signed-off-by: Lai Jiangshan <jiangshanlai@gmail.com>
2015-09-03 07:12:10 +08:00
## Devices
specs: introduce the concept of a runtime.json Based on our discussion in-person yesterday it seems necessary to separate the concept of runtime configuration from application configuration. There are a few motivators: - To support runtime updates of things like cgroups, rlimits, etc we should separate things that are inherently runtime specific from things that are static to the application running in the container. - To support the goal of being able to move a bundle between hosts we should make it clear what parts of the spec are and are not portable between hosts so that upon landing on a new host the non-portable options may be rewritten or removed. - In order to attach a cryptographic identity to a bundle we must not include details in the bundle that are host specific.
2015-07-31 03:17:04 +08:00
Devices is an array specifying the list of devices to be created in the container.
Next parameters can be specified:
* type - type of device: 'c', 'b', 'u' or 'p'. More info in `man mknod`
* path - full path to device inside container
* major, minor - major, minor numbers for device. More info in `man mknod`.
There is special value: `-1`, which means `*` for `device`
cgroup setup.
* permissions - cgroup permissions for device. A composition of 'r'
(read), 'w' (write), and 'm' (mknod).
* fileMode - file mode for device file
* uid - uid of device owner
* gid - gid of device owner
```json
"devices": [
{
"path": "/dev/random",
"type": "c",
"major": 1,
"minor": 8,
"permissions": "rwm",
"fileMode": 0666,
"uid": 0,
"gid": 0
},
{
"path": "/dev/urandom",
"type": "c",
"major": 1,
"minor": 9,
"permissions": "rwm",
"fileMode": 0666,
"uid": 0,
"gid": 0
},
{
"path": "/dev/null",
"type": "c",
"major": 1,
"minor": 3,
"permissions": "rwm",
"fileMode": 0666,
"uid": 0,
"gid": 0
},
{
"path": "/dev/zero",
"type": "c",
"major": 1,
"minor": 5,
"permissions": "rwm",
"fileMode": 0666,
"uid": 0,
"gid": 0
},
{
"path": "/dev/tty",
"type": "c",
"major": 5,
"minor": 0,
"permissions": "rwm",
"fileMode": 0666,
"uid": 0,
"gid": 0
},
{
"path": "/dev/full",
"type": "c",
"major": 1,
"minor": 7,
"permissions": "rwm",
"fileMode": 0666,
"uid": 0,
"gid": 0
}
]
```
runtime-config-linux: Drop 'Linux' from headers The fact that these are Linux-specific entities should be obvious from the context (this whole file is only about Linux-specific entities). Signed-off-by: W. Trevor King <wking@tremily.us>
2015-08-27 04:32:27 +08:00
## Control groups
specs: introduce the concept of a runtime.json Based on our discussion in-person yesterday it seems necessary to separate the concept of runtime configuration from application configuration. There are a few motivators: - To support runtime updates of things like cgroups, rlimits, etc we should separate things that are inherently runtime specific from things that are static to the application running in the container. - To support the goal of being able to move a bundle between hosts we should make it clear what parts of the spec are and are not portable between hosts so that upon landing on a new host the non-portable options may be rewritten or removed. - In order to attach a cryptographic identity to a bundle we must not include details in the bundle that are host specific.
2015-07-31 03:17:04 +08:00
Also known as cgroups, they are used to restrict resource usage for a container and handle
spec: linux: add support for the PIDs cgroup Add support for the PIDs cgroup as a cgroup resource constraint in the Linux container specification. Since PIDs are a real resource, we need to support the ability to limit them. The PIDs cgroup subsystem is available in Linux 4.3+. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2015-07-08 18:08:25 +08:00
device access. cgroups provide controls to restrict cpu, memory, IO, pids and network for
bundle: Move 'Linux sysctl' header to its own line This fixes a copy/paste issue with 7232e4b1 (specs: introduce the concept of a runtime.json, 2015-07-30, #88). Signed-off-by: W. Trevor King <wking@tremily.us>
2015-08-27 04:29:46 +08:00
the container. For more information, see the [kernel cgroups documentation](https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt).
runtime-config-linux: Drop 'Linux' from headers The fact that these are Linux-specific entities should be obvious from the context (this whole file is only about Linux-specific entities). Signed-off-by: W. Trevor King <wking@tremily.us>
2015-08-27 04:32:27 +08:00
## Sysctl
specs: introduce the concept of a runtime.json Based on our discussion in-person yesterday it seems necessary to separate the concept of runtime configuration from application configuration. There are a few motivators: - To support runtime updates of things like cgroups, rlimits, etc we should separate things that are inherently runtime specific from things that are static to the application running in the container. - To support the goal of being able to move a bundle between hosts we should make it clear what parts of the spec are and are not portable between hosts so that upon landing on a new host the non-portable options may be rewritten or removed. - In order to attach a cryptographic identity to a bundle we must not include details in the bundle that are host specific.
2015-07-31 03:17:04 +08:00
sysctl allows kernel parameters to be modified at runtime for the container.
For more information, see [the man page](http://man7.org/linux/man-pages/man8/sysctl.8.html)
```json
"sysctl": {
"net.ipv4.ip_forward": "1",
"net.core.somaxconn": "256"
}
```
runtime-config-linux: Drop 'Linux' from headers The fact that these are Linux-specific entities should be obvious from the context (this whole file is only about Linux-specific entities). Signed-off-by: W. Trevor King <wking@tremily.us>
2015-08-27 04:32:27 +08:00
## Rlimits
specs: introduce the concept of a runtime.json Based on our discussion in-person yesterday it seems necessary to separate the concept of runtime configuration from application configuration. There are a few motivators: - To support runtime updates of things like cgroups, rlimits, etc we should separate things that are inherently runtime specific from things that are static to the application running in the container. - To support the goal of being able to move a bundle between hosts we should make it clear what parts of the spec are and are not portable between hosts so that upon landing on a new host the non-portable options may be rewritten or removed. - In order to attach a cryptographic identity to a bundle we must not include details in the bundle that are host specific.
2015-07-31 03:17:04 +08:00
```json
"rlimits": [
{
"type": "RLIMIT_NPROC",
"soft": 1024,
"hard": 102400
}
]
```
rlimits allow setting resource limits. The type is from the values defined in [the man page](http://man7.org/linux/man-pages/man2/setrlimit.2.html). The kernel enforces the soft limit for a resource while the hard limit acts as a ceiling for that value that could be set by an unprivileged process.
## SELinux process label
SELinux process label specifies the label with which the processes in a container are run.
For more information about SELinux, see [Selinux documentation](http://selinuxproject.org/page/Main_Page)
```json
"selinuxProcessLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675"
```
## Apparmor profile
Apparmor profile specifies the name of the apparmor profile that will be used for the container.
For more information about Apparmor, see [Apparmor documentation](https://wiki.ubuntu.com/AppArmor)
```json
"apparmorProfile": "acme_secure_profile"
```
## seccomp
Seccomp provides application sandboxing mechanism in the Linux kernel.
Seccomp configuration allows one to configure actions to take for matched syscalls and furthermore also allows
matching on values passed as arguments to syscalls.
For more information about Seccomp, see [Seccomp kernel documentation](https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt)
The actions and operators are strings that match the definitions in seccomp.h from [libseccomp](https://github.com/seccomp/libseccomp) and are translated to corresponding values.
```json
"seccomp": {
"defaultAction": "SCMP_ACT_ALLOW",
"syscalls": [
{
"name": "getcwd",
"action": "SCMP_ACT_ERRNO"
}
]
}
```