runc/config-linux.md

# Linux-specific configuration

The Linux container specification uses various kernel features like namespaces,
cgroups, capabilities, LSM, and file system jails to fulfill the spec.
Additional information is needed for Linux over the [default spec configuration](config.md)
in order to configure these various kernel features.

## Linux namespaces

A namespace wraps a global system resource in an abstraction that makes it 
appear to the processes within the namespace that they have their own isolated 
instance of the global resource.  Changes to the global resource are visible to 
other processes that are members of the namespace, but are invisible to other 
processes. For more information, see [the man page](http://man7.org/linux/man-pages/man7/namespaces.7.html)

Namespaces are specified in the spec as an array of entries. Each entry has a 
type field with possible values described below and an optional path element. 
If a path is specified, that particular file is used to join that type of namespace.

```json
    "namespaces": [
        {
            "type": "pid",
            "path": "/proc/1234/ns/pid"
        },
        {
            "type": "net",
            "path": "/var/run/netns/neta"
        },
        {
            "type": "mnt",
        },
        {
            "type": "ipc",
        },
        {
            "type": "uts",
        },
        {
            "type": "user",
        },
    ]
```

#### Namespace types

* **pid** processes inside the container will only be able to see other processes inside the same container.
* **network** the container will have it's own network stack.
* **mnt** the container will have an isolated mount table.
* **ipc** processes inside the container will only be able to communicate to other processes inside the same
container via system level IPC.
* **uts** the container will be able to have it's own hostname and domain name.
* **user** the container will be able to remap user and group IDs from the host to local users and groups
within the container.

### Access to devices

Devices is an array specifying the list of devices from the host to make available in the container.
By providing a device name within the list the runtime should look up the same device on the host's `/dev`
and collect information about the device node so that it can be recreated for the container.  The runtime
should not only create the device inside the container but ensure that the root user inside 
the container has access rights for the device.

```json
   "devices": [
        "null",
        "random",
        "full",
        "tty",
        "zero",
        "urandom"
    ]
```

## Linux control groups

Also known as cgroups, they are used to restrict resource usage for a container and handle
device access.  cgroups provide controls to restrict cpu, memory, IO, and network for
the container. For more information, see the [kernel cgroups documentation](https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt)

## Linux capabilities

Capabilities is an array that specifies Linux capabilities that can be provided to the process
inside the container. Valid values are the string after `CAP_` for capabilities defined 
in [the man page](http://man7.org/linux/man-pages/man7/capabilities.7.html)

```json
   "capabilities": [
        "AUDIT_WRITE",
        "KILL",
        "NET_BIND_SERVICE"
    ]
```

## Linux sysctl

sysctl allows kernel parameters to be modified at runtime for the container.
For more information, see [the man page](http://man7.org/linux/man-pages/man8/sysctl.8.html)

```
   "sysctl": {
        "net.ipv4.ip_forward": "1",
        "net.core.somaxconn": "256"
   }
```

## Linux rlimits

```
   "rlimits": [
        {
            "type": "RLIMIT_NPROC",
            "soft": 1024,
            "hard": 102400
        }
   ]
```

rlimits allow setting resource limits. The type is from the values defined in [the man page](http://man7.org/linux/man-pages/man2/setrlimit.2.html). The kernel enforces the soft limit for a resource while the hard limit acts as a ceiling for that value that could be set by an unprivileged process.

## Linux user namespace mappings

```
    "uidMappings": [
        {
            "from"  : 1000,
            "to"    : 0,
            "count" : 10
        }
    ],
    "gidMappings": [
        {
            "from"  : 1000,
            "to"    : 0,
            "count" : 10
        }
    ]
```

uid/gid mappings describe the user namespace mappings from the host to the container. *from* is the starting uid/gid on the host to be mapped to *to* which is the starting uid/gid in the container and *count* refers to the number of ids to be mapped. The Linux kernel has a limit of 5 such mappings that can be specified.

## Security

**TODO:** security profiles
config: minor cleanup - link to official SemVer page - link between config.md and config-linux.md and explain relationship - fix typo (arch -> os) - tweak formatting of some special characters 2015-07-07 08:35:32 +08:00			`# Linux-specific configuration`
*: re-org the spec We had an in-person spec discussion, lets separate the spec into some high-level sections to clarify future discussion. Crosby agreed to let me merge to master :) 2015-06-25 08:15:48 +08:00
Add linux spec description Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-07-01 06:18:40 +08:00			`The Linux container specification uses various kernel features like namespaces,`
config: minor cleanup - link to official SemVer page - link between config.md and config-linux.md and explain relationship - fix typo (arch -> os) - tweak formatting of some special characters 2015-07-07 08:35:32 +08:00			`cgroups, capabilities, LSM, and file system jails to fulfill the spec.`
			`Additional information is needed for Linux over the [default spec configuration](config.md)`
Add linux spec description Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-07-01 06:18:40 +08:00			`in order to configure these various kernel features.`

Update config-linux for better formatting on values Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-07-01 06:13:13 +08:00			`## Linux namespaces`

			`A namespace wraps a global system resource in an abstraction that makes it`
			`appear to the processes within the namespace that they have their own isolated`
			`instance of the global resource. Changes to the global resource are visible to`
			`other processes that are members of the namespace, but are invisible to other`
			`processes. For more information, see [the man page](http://man7.org/linux/man-pages/man7/namespaces.7.html)`

			`Namespaces are specified in the spec as an array of entries. Each entry has a`
			`type field with possible values described below and an optional path element.`
			`If a path is specified, that particular file is used to join that type of namespace.`

Move linux specific options to linux spec This moves some of the linux specific options like namespaces and devices to the linux config document. It also removes processes as an array and replaces it with a single process. It adds the "platform" struct for OS and Arch and updates many of the examples to match the changes. I also remove some of the redundant windows examples on the portable spec document because they did not add any extra value and many values were the same. Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-06-30 02:54:10 +08:00			```json
*: re-org the spec We had an in-person spec discussion, lets separate the spec into some high-level sections to clarify future discussion. Crosby agreed to let me merge to master :) 2015-06-25 08:15:48 +08:00			`"namespaces": [`
Makes namespaces description linux specific Signed-off-by: Mrunal Patel <mrunalp@gmail.com> 2015-06-28 07:19:27 +08:00			`{`
			`"type": "pid",`
			`"path": "/proc/1234/ns/pid"`
			`},`
			`{`
			`"type": "net",`
			`"path": "/var/run/netns/neta"`
			`},`
			`{`
			`"type": "mnt",`
			`},`
			`{`
			`"type": "ipc",`
			`},`
			`{`
			`"type": "uts",`
			`},`
			`{`
			`"type": "user",`
			`},`
Move linux specific options to linux spec This moves some of the linux specific options like namespaces and devices to the linux config document. It also removes processes as an array and replaces it with a single process. It adds the "platform" struct for OS and Arch and updates many of the examples to match the changes. I also remove some of the redundant windows examples on the portable spec document because they did not add any extra value and many values were the same. Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-06-30 02:54:10 +08:00			`]`
*: re-org the spec We had an in-person spec discussion, lets separate the spec into some high-level sections to clarify future discussion. Crosby agreed to let me merge to master :) 2015-06-25 08:15:48 +08:00			```

Update config-linux for better formatting on values Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-07-01 06:13:13 +08:00			`#### Namespace types`
*: re-org the spec We had an in-person spec discussion, lets separate the spec into some high-level sections to clarify future discussion. Crosby agreed to let me merge to master :) 2015-06-25 08:15:48 +08:00
Update config-linux for better formatting on values Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-07-01 06:13:13 +08:00			`* pid processes inside the container will only be able to see other processes inside the same container.`
			`* network the container will have it's own network stack.`
			`* mnt the container will have an isolated mount table.`
			`* ipc processes inside the container will only be able to communicate to other processes inside the same`
			`container via system level IPC.`
			`* uts the container will be able to have it's own hostname and domain name.`
			`* user the container will be able to remap user and group IDs from the host to local users and groups`
			`within the container.`
*: re-org the spec We had an in-person spec discussion, lets separate the spec into some high-level sections to clarify future discussion. Crosby agreed to let me merge to master :) 2015-06-25 08:15:48 +08:00
Update config-linux for better formatting on values Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-07-01 06:13:13 +08:00			`### Access to devices`
*: re-org the spec We had an in-person spec discussion, lets separate the spec into some high-level sections to clarify future discussion. Crosby agreed to let me merge to master :) 2015-06-25 08:15:48 +08:00
Update config-linux for better formatting on values Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-07-01 06:13:13 +08:00			`Devices is an array specifying the list of devices from the host to make available in the container.`
*: small spelling fixes 2015-07-02 01:03:17 +08:00			By providing a device name within the list the runtime should look up the same device on the host's `/dev`
Update config-linux for better formatting on values Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-07-01 06:13:13 +08:00			`and collect information about the device node so that it can be recreated for the container. The runtime`
			`should not only create the device inside the container but ensure that the root user inside`
			`the container has access rights for the device.`
Adds user namespace to the list of namespaces Signed-off-by: Mrunal Patel <mrunalp@gmail.com> 2015-06-25 12:14:35 +08:00
Move linux specific options to linux spec This moves some of the linux specific options like namespaces and devices to the linux config document. It also removes processes as an array and replaces it with a single process. It adds the "platform" struct for OS and Arch and updates many of the examples to match the changes. I also remove some of the redundant windows examples on the portable spec document because they did not add any extra value and many values were the same. Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-06-30 02:54:10 +08:00			```json
			`"devices": [`
			`"null",`
			`"random",`
			`"full",`
			`"tty",`
			`"zero",`
			`"urandom"`
			`]`
			```

Update config-linux for better formatting on values Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-07-01 06:13:13 +08:00			`## Linux control groups`
Move linux specific options to linux spec This moves some of the linux specific options like namespaces and devices to the linux config document. It also removes processes as an array and replaces it with a single process. It adds the "platform" struct for OS and Arch and updates many of the examples to match the changes. I also remove some of the redundant windows examples on the portable spec document because they did not add any extra value and many values were the same. Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-06-30 02:54:10 +08:00
Update config-linux for better formatting on values Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-07-01 06:13:13 +08:00			`Also known as cgroups, they are used to restrict resource usage for a container and handle`
Add linux spec description Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-07-01 06:18:40 +08:00			`device access. cgroups provide controls to restrict cpu, memory, IO, and network for`
Adds link to kernel cgroups documentation Signed-off-by: Mrunal Patel <mrunalp@gmail.com> 2015-07-01 06:45:10 +08:00			`the container. For more information, see the [kernel cgroups documentation](https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt)`
*: re-org the spec We had an in-person spec discussion, lets separate the spec into some high-level sections to clarify future discussion. Crosby agreed to let me merge to master :) 2015-06-25 08:15:48 +08:00
Update config-linux for better formatting on values Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-07-01 06:13:13 +08:00			`## Linux capabilities`
*: re-org the spec We had an in-person spec discussion, lets separate the spec into some high-level sections to clarify future discussion. Crosby agreed to let me merge to master :) 2015-06-25 08:15:48 +08:00
Update config-linux for better formatting on values Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-07-01 06:13:13 +08:00			`Capabilities is an array that specifies Linux capabilities that can be provided to the process`
			inside the container. Valid values are the string after `CAP_` for capabilities defined
			`in [the man page](http://man7.org/linux/man-pages/man7/capabilities.7.html)`
*: re-org the spec We had an in-person spec discussion, lets separate the spec into some high-level sections to clarify future discussion. Crosby agreed to let me merge to master :) 2015-06-25 08:15:48 +08:00
Move linux specific options to linux spec This moves some of the linux specific options like namespaces and devices to the linux config document. It also removes processes as an array and replaces it with a single process. It adds the "platform" struct for OS and Arch and updates many of the examples to match the changes. I also remove some of the redundant windows examples on the portable spec document because they did not add any extra value and many values were the same. Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-06-30 02:54:10 +08:00			```json
*: re-org the spec We had an in-person spec discussion, lets separate the spec into some high-level sections to clarify future discussion. Crosby agreed to let me merge to master :) 2015-06-25 08:15:48 +08:00			`"capabilities": [`
			`"AUDIT_WRITE",`
			`"KILL",`
			`"NET_BIND_SERVICE"`
Move linux specific options to linux spec This moves some of the linux specific options like namespaces and devices to the linux config document. It also removes processes as an array and replaces it with a single process. It adds the "platform" struct for OS and Arch and updates many of the examples to match the changes. I also remove some of the redundant windows examples on the portable spec document because they did not add any extra value and many values were the same. Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-06-30 02:54:10 +08:00			`]`
*: re-org the spec We had an in-person spec discussion, lets separate the spec into some high-level sections to clarify future discussion. Crosby agreed to let me merge to master :) 2015-06-25 08:15:48 +08:00			```

Update config-linux for better formatting on values Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-07-01 06:13:13 +08:00			`## Linux sysctl`
*: re-org the spec We had an in-person spec discussion, lets separate the spec into some high-level sections to clarify future discussion. Crosby agreed to let me merge to master :) 2015-06-25 08:15:48 +08:00
*: small spelling fixes 2015-07-02 01:03:17 +08:00			`sysctl allows kernel parameters to be modified at runtime for the container.`
Update config-linux for better formatting on values Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-07-01 06:13:13 +08:00			`For more information, see [the man page](http://man7.org/linux/man-pages/man8/sysctl.8.html)`
Adds section for Linux Sysctl. Signed-off-by: Mrunal Patel <mrunalp@gmail.com> 2015-06-27 02:20:17 +08:00
			```
			`"sysctl": {`
			`"net.ipv4.ip_forward": "1",`
			`"net.core.somaxconn": "256"`
			`}`
			```

Adds section for Linux Rlimits Signed-off-by: Mrunal Patel <mrunalp@gmail.com> 2015-07-01 06:02:58 +08:00			`## Linux rlimits`

			```
			`"rlimits": [`
			`{`
Fix typos in the rlimits section Signed-off-by: Zefan Li <lizefan@huawei.com> 2015-07-01 10:25:46 +08:00			`"type": "RLIMIT_NPROC",`
Adds section for Linux Rlimits Signed-off-by: Mrunal Patel <mrunalp@gmail.com> 2015-07-01 06:02:58 +08:00			`"soft": 1024,`
			`"hard": 102400`
			`}`
			`]`
			```

Fix typos in the rlimits section Signed-off-by: Zefan Li <lizefan@huawei.com> 2015-07-01 10:25:46 +08:00			`rlimits allow setting resource limits. The type is from the values defined in [the man page](http://man7.org/linux/man-pages/man2/setrlimit.2.html). The kernel enforces the soft limit for a resource while the hard limit acts as a ceiling for that value that could be set by an unprivileged process.`
Adds section for Linux Rlimits Signed-off-by: Mrunal Patel <mrunalp@gmail.com> 2015-07-01 06:02:58 +08:00
Adds a section for user namespace mappings Signed-off-by: Mrunal Patel <mrunalp@gmail.com> 2015-07-02 05:32:03 +08:00			`## Linux user namespace mappings`

			```
			`"uidMappings": [`
			`{`
			`"from" : 1000,`
			`"to" : 0,`
			`"count" : 10`
			`}`
			`],`
			`"gidMappings": [`
			`{`
			`"from" : 1000,`
			`"to" : 0,`
			`"count" : 10`
			`}`
			`]`
			```

			`uid/gid mappings describe the user namespace mappings from the host to the container. from is the starting uid/gid on the host to be mapped to to which is the starting uid/gid in the container and count refers to the number of ids to be mapped. The Linux kernel has a limit of 5 such mappings that can be specified.`

Adds section for Linux Rlimits Signed-off-by: Mrunal Patel <mrunalp@gmail.com> 2015-07-01 06:02:58 +08:00			`## Security`
*: re-org the spec We had an in-person spec discussion, lets separate the spec into some high-level sections to clarify future discussion. Crosby agreed to let me merge to master :) 2015-06-25 08:15:48 +08:00
Update config-linux for better formatting on values Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-07-01 06:13:13 +08:00			`TODO: security profiles`
*: re-org the spec We had an in-person spec discussion, lets separate the spec into some high-level sections to clarify future discussion. Crosby agreed to let me merge to master :) 2015-06-25 08:15:48 +08:00