runc/schema/config-linux.json

272 lines
13 KiB
JSON
Raw Normal View History

{
"linux": {
"description": "Linux platform-specific configurations",
"id": "https://opencontainers.org/schema/bundle/linux",
"type": "object",
"properties": {
"devices": {
"id": "https://opencontainers.org/schema/bundle/linux/devices",
"type": "array",
"items": {
"$ref": "defs-linux.json#/definitions/Device"
}
},
"uidMappings": {
"id": "https://opencontainers.org/schema/bundle/linux/uidMappings",
"type": "array",
"items": {
"$ref": "defs.json#/definitions/IDMapping"
}
},
"gidMappings": {
"id": "https://opencontainers.org/schema/bundle/linux/gidMappings",
"type": "array",
"items": {
"$ref": "defs.json#/definitions/IDMapping"
}
},
"namespaces": {
"id": "https://opencontainers.org/schema/bundle/linux/namespaces",
"type": "array",
"items": {
"anyOf": [
{
"$ref": "defs-linux.json#/definitions/NamespaceReference"
}
]
}
},
"resources": {
"id": "https://opencontainers.org/schema/bundle/linux/resources",
"type": "object",
"properties": {
"devices": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/devices",
"type": "array",
"items": {
"$ref": "defs-linux.json#/definitions/DeviceCgroup"
}
},
"pids": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/pids",
"type": "object",
"properties": {
"limit": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/pids/limit",
"$ref": "defs.json#/definitions/int64"
}
},
"required": [
"limit"
]
},
"blockIO": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO",
"type": "object",
"properties": {
"blkioWeight": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO/blkioWeight",
"$ref": "defs-linux.json#/definitions/blkioWeight"
},
"blkioLeafWeight": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO/blkioLeafWeight",
"$ref": "defs-linux.json#/definitions/blkioWeight"
},
"blkioThrottleReadBpsDevice": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO/blkioThrottleReadBpsDevice",
"type": "array",
"items": {
"$ref": "defs-linux.json#/definitions/blockIODeviceThrottle"
}
},
"blkioThrottleWriteBpsDevice": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO/blkioThrottleWriteBpsDevice",
"type": "array",
"items": {
"$ref": "defs-linux.json#/definitions/blockIODeviceThrottle"
}
},
"blkioThrottleReadIopsDevice": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO/blkioThrottleReadIopsDevice",
"type": "array",
"items": {
"$ref": "defs-linux.json#/definitions/blockIODeviceThrottle"
}
},
"blkioThrottleWriteIopsDevice": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO/blkioThrottleWriteIopsDevice",
"type": "array",
"items": {
"$ref": "defs-linux.json#/definitions/blockIODeviceThrottle"
}
},
"blkioWeightDevice": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO/blkioWeightDevice",
"type": "array",
"items": {
"$ref": "defs-linux.json#/definitions/blockIODeviceWeight"
}
}
}
},
"cpu": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/cpu",
"type": "object",
"properties": {
"cpus": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/cpu/cpus",
"type": "string"
},
"mems": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/cpu/mems",
"type": "string"
},
"period": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/cpu/period",
"$ref": "defs.json#/definitions/uint64"
},
"quota": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/cpu/quota",
"$ref": "defs.json#/definitions/int64"
},
"realtimePeriod": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/cpu/realtimePeriod",
"$ref": "defs.json#/definitions/uint64"
},
"realtimeRuntime": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/cpu/realtimeRuntime",
"$ref": "defs.json#/definitions/int64"
},
"shares": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/cpu/shares",
"$ref": "defs.json#/definitions/uint64"
}
}
},
"disableOOMKiller": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/disableOOMKiller",
"type": "boolean"
},
"hugepageLimits": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/hugepageLimits",
"type": "array",
"items": {
"type": "object",
"properties": {
"pageSize": {
"type": "string"
},
"limit": {
"$ref": "defs.json#/definitions/uint64"
}
},
"required": [
"pageSize",
"limit"
]
}
},
"memory": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/memory",
"type": "object",
"properties": {
"kernel": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/memory/kernel",
"$ref": "defs.json#/definitions/uint64"
},
"kernelTCP": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/memory/kernelTCP",
"$ref": "defs.json#/definitions/uint64"
},
"limit": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/memory/limit",
"$ref": "defs.json#/definitions/uint64"
},
"reservation": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/memory/reservation",
"$ref": "defs.json#/definitions/uint64"
},
"swap": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/memory/swap",
"$ref": "defs.json#/definitions/uint64"
},
"swappiness": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/memory/swappiness",
"$ref": "defs.json#/definitions/uint64"
}
}
},
"network": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/network",
"type": "object",
"properties": {
"classID": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/network/classId",
"$ref": "defs.json#/definitions/uint32"
},
"priorities": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/network/priorities",
"type": "array",
"items": {
"$ref": "defs-linux.json#/definitions/NetworkInterfacePriority"
}
}
}
}
}
},
"cgroupsPath": {
"id": "https://opencontainers.org/schema/bundle/linux/cgroupsPath",
"type": "string"
},
"rootfsPropagation": {
"id": "https://opencontainers.org/schema/bundle/linux/rootfsPropagation",
"$ref": "defs-linux.json#/definitions/RootfsPropagation"
},
"seccomp": {
"id": "https://opencontainers.org/schema/bundle/linux/seccomp",
"type": "object",
"properties": {
"defaultAction": {
"id": "https://opencontainers.org/schema/bundle/linux/seccomp/defaultAction",
"type": "string"
},
"architectures": {
"id": "https://opencontainers.org/schema/bundle/linux/seccomp/architectures",
"type": "array",
"items": {
"$ref": "defs-linux.json#/definitions/SeccompArch"
}
},
"syscalls": {
"id": "https://opencontainers.org/schema/bundle/linux/seccomp/syscalls",
"type": "array",
"items": {
"$ref": "defs-linux.json#/definitions/Syscall"
}
}
config-linux: Make linux.seccomp.syscalls OPTIONAL Before this commit, linux.seccomp.sycalls was required, but we didn't require an entry in the array. That means '"syscalls": []' would be technically valid, and I'm pretty sure that's not what we want. If it makes sense to have a seccomp property that does not need syscalls entries, then syscalls should be optional (which is what this commit is doing). If it does not makes sense to have an empty/unset syscalls then it should be required and have a minimum length of one. Before 652323c (improve seccomp format to be more expressive, 2017-01-13, #657), syscalls was omitempty (and therefore more optional-feeling, although there was no real Markdown spec for seccomp before 3ca5c6c, config-linux.md: fix seccomp, 2017-03-02, #706, so it's hard to know). This commit has gone with OPTIONAL, because a seccomp config which only sets defaultAction seems potentially valid. The SCMP_ACT_KILL example is prompted by: On Tue, Apr 25, 2017 at 01:32:26PM -0700, David Lyle wrote [1]: > Technically, OPTIONAL is the right value, but unless you specify the > default action for seccomp to be SCMP_ACT_ALLOW the result will be > an error at run time. > > I would suggest an additional clarification to this fact in > config-linux.md would be very helpful if marking syscall as > OPTIONAL. I've phrased the example more conservatively, because I'm not sure that SCMP_ACT_ALLOW is the only possible value to avoid an error. For example, perhaps a SCMP_ACT_TRACE default with an empty syscalls array would not die on the first syscall. The point of the example is to remind config authors that without a useful syscalls array, the default value is very important ;). Also add the previously-missing 'required' property to the seccomp JSON Schema entry. [1]: https://github.com/opencontainers/runtime-spec/pull/768#issuecomment-297156102 Signed-off-by: W. Trevor King <wking@tremily.us>
2017-04-13 01:03:10 +08:00
},
"required": [
"defaultAction"
]
},
"sysctl": {
"id": "https://opencontainers.org/schema/bundle/linux/sysctl",
"$ref": "defs.json#/definitions/mapStringString"
},
"maskedPaths": {
"id": "https://opencontainers.org/schema/bundle/linux/maskedPaths",
"$ref": "defs.json#/definitions/ArrayOfStrings"
},
"readonlyPaths": {
"id": "https://opencontainers.org/schema/bundle/linux/readonlyPaths",
"$ref": "defs.json#/definitions/ArrayOfStrings"
},
"mountLabel": {
"id": "https://opencontainers.org/schema/bundle/linux/mountLabel",
"type": "string"
}
}
}
}