Update specs

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
This commit is contained in:
Tonis Tiigi 2015-08-11 13:50:57 -07:00
parent 15c709ed73
commit 0f99c20fd0
6 changed files with 208 additions and 18 deletions

2
Godeps/Godeps.json generated
View File

@ -53,7 +53,7 @@
},
{
"ImportPath": "github.com/opencontainers/specs",
"Rev": "5b31bb2b7771e5074a4eb14eca432da1ca5182d6"
"Rev": "da9240a7125f601aef46f66ea615177607b00d39"
},
{
"ImportPath": "github.com/syndtr/gocapability/capability",

View File

@ -0,0 +1,17 @@
language: go
go:
- 1.4.2
- 1.3.3
sudo: false
before_install:
- go get golang.org/x/tools/cmd/vet
- go get github.com/golang/lint/golint
install: true
script:
- go vet -x ./...
- $HOME/gopath/bin/golint ./...

View File

@ -8,6 +8,7 @@ Table of Contents
- [Container Configuration](config.md)
- [Linux Specific Configuration](config-linux.md)
- [Runtime and Lifecycle](runtime.md)
- [Implementations](implementations.md)
## Use Cases
@ -63,10 +64,16 @@ the `LICENSE` file of this repository.
## Weekly Call
The contributors and maintainers of the project have a weekly meeting Wednesdays at 10:00 AM PST.
Everyone is welcome to participate in the call. The link to the call will be posted on the mailing
list each week along with set topics for discussion.
The link to the call will be posted on the mailing list each week along with set topics for discussion.
Everyone is welcome to participate in the call, although there can only be speaking members on the Google Hangout.
Participants who don't get a speaking slot can watch the live broadcast on [this YouTube channel][youtube] and post feedback and questions on [the IRC channel](#irc).
Everyone is welcome to propose additional topics, suggest other agenda alterations, or request a speaking slot via the mailing list.
Minutes for the call will be posted to the mailing list for those who are unable to join the call.
## IRC
OCI discussion happens on #opencontainers on Freenode.
## Markdown style
To keep consistency throughout the Markdown files in the Open Container spec all files should be formatted one sentence per line.
@ -127,3 +134,5 @@ then you just add a line to every git commit message:
using your real name (sorry, no pseudonyms or anonymous contributions.)
You can add the sign off when creating the git commit via `git commit -s`.
[youtube]: https://www.youtube.com/channel/UC1wmLdEYmwWcsFg7bt1s5nw

View File

@ -55,20 +55,82 @@ within the container.
### Access to devices
Devices is an array specifying the list of devices from the host to make available in the container.
By providing a device name within the list the runtime should look up the same device on the host's `/dev`
and collect information about the device node so that it can be recreated for the container. The runtime
should not only create the device inside the container but ensure that the root user inside
the container has access rights for the device.
Devices is an array specifying the list of devices to be created in the container.
Next parameters can be specified:
* type - type of device: 'c', 'b', 'u' or 'p'. More info in `man mknod`
* path - full path to device inside container
* major, minor - major, minor numbers for device. More info in `man mknod`.
There is special value: `-1`, which means `*` for `device`
cgroup setup.
* permissions - cgroup permissions for device. A composition of 'r'
(read), 'w' (write), and 'm' (mknod).
* fileMode - file mode for device file
* uid - uid of device owner
* gid - gid of device owner
```json
"devices": [
"null",
"random",
"full",
"tty",
"zero",
"urandom"
{
"path": "/dev/random",
"type": "c",
"major": 1,
"minor": 8,
"permissions": "rwm",
"fileMode": 0666,
"uid": 0,
"gid": 0
},
{
"path": "/dev/urandom",
"type": "c",
"major": 1,
"minor": 9,
"permissions": "rwm",
"fileMode": 0666,
"uid": 0,
"gid": 0
},
{
"path": "/dev/null",
"type": "c",
"major": 1,
"minor": 3,
"permissions": "rwm",
"fileMode": 0666,
"uid": 0,
"gid": 0
},
{
"path": "/dev/zero",
"type": "c",
"major": 1,
"minor": 5,
"permissions": "rwm",
"fileMode": 0666,
"uid": 0,
"gid": 0
},
{
"path": "/dev/tty",
"type": "c",
"major": 5,
"minor": 0,
"permissions": "rwm",
"fileMode": 0666,
"uid": 0,
"gid": 0
},
{
"path": "/dev/full",
"type": "c",
"major": 1,
"minor": 7,
"permissions": "rwm",
"fileMode": 0666,
"uid": 0,
"gid": 0
}
]
```
@ -146,7 +208,39 @@ rootfsPropagation sets the rootfs's mount propagation. Its value is either slave
"rootfsPropagation": "slave",
```
## Security
## Selinux process label
**TODO:** security profiles
Selinux process label specifies the label with which the processes in a container are run.
For more information about SELinux, see [Selinux documentation](http://selinuxproject.org/page/Main_Page)
```json
"selinuxProcessLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675"
```
## Apparmor profile
Apparmor profile specifies the name of the apparmor profile that will be used for the container.
For more information about Apparmor, see [Apparmor documentation](https://wiki.ubuntu.com/AppArmor)
```json
"apparmorProfile": "acme_secure_profile"
```
## Seccomp
Seccomp provides application sandboxing mechanism in the Linux kernel.
Seccomp configuration allows one to configure actions to take for matched syscalls and furthermore also allows
matching on values passed as arguments to syscalls.
For more information about Seccomp, see [Seccomp kernel documentation](https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt)
The actions and operators are strings that match the definitions in seccomp.h from [libseccomp](https://github.com/seccomp/libseccomp) and are translated to corresponding values.
```json
"seccomp": {
"defaultAction": "SCMP_ACT_ALLOW",
"syscalls": [
{
"name": "getcwd",
"action": "SCMP_ACT_ERRNO"
}
]
}
```

View File

@ -0,0 +1,16 @@
# Implementations
The following sections link to associated projects, some of which are maintained by the OCI and some of which are maintained by external organizations.
If you know of any associated projects that are not listed here, please file a pull request adding a link to that project.
## Runtime (Container)
* [opencontainers/runc](https://github.com/opencontainers/runc) - Reference implementation of OCI runtime
## Runtime (Virtual Machine)
* [hyperhq/runv](https://github.com/hyperhq/runv) - Hypervisor-based runtime for OCI
## Testing
* [huawei-openlab/oct](https://github.com/huawei-openlab/oct) - Open Container Testing framework for OCI configuration and runtime

View File

@ -2,6 +2,8 @@
package specs
import "os"
// LinuxSpec is the full specification for Linux containers
type LinuxSpec struct {
Spec
@ -27,7 +29,13 @@ type Linux struct {
// Capabilities are Linux capabilities that are kept for the container
Capabilities []string `json:"capabilities"`
// Devices are a list of device nodes that are created and enabled for the container
Devices []string `json:"devices"`
Devices []Device `json:"devices"`
// ApparmorProfile specified the apparmor profile for the container.
ApparmorProfile string `json:"apparmorProfile"`
// SelinuxProcessLabel specifies the selinux context that the container process is run as.
SelinuxProcessLabel string `json:"selinuxProcessLabel"`
// Seccomp specifies the seccomp security settings for the container.
Seccomp Seccomp `json:"seccomp"`
// RootfsPropagation is the rootfs mount propagation mode for the container
RootfsPropagation string `json:"rootfsPropagation"`
}
@ -157,3 +165,49 @@ type Resources struct {
// Network restriction configuration
Network Network `json:"network"`
}
type Device struct {
// Device type, block, char, etc.
Type rune `json:"type"`
// Path to the device.
Path string `json:"path"`
// Major is the device's major number.
Major int64 `json:"major"`
// Minor is the device's minor number.
Minor int64 `json:"minor"`
// Cgroup permissions format, rwm.
Permissions string `json:"permissions"`
// FileMode permission bits for the device.
FileMode os.FileMode `json:"fileMode"`
// UID of the device.
UID uint32 `json:"uid"`
// Gid of the device.
GID uint32 `json:"gid"`
}
// Seccomp represents syscall restrictions
type Seccomp struct {
DefaultAction Action `json:"defaultAction"`
Syscalls []*Syscall `json:"syscalls"`
}
// Action taken upon Seccomp rule match
type Action string
// Operator used to match syscall arguments in Seccomp
type Operator string
// Arg used for matching specific syscall arguments in Seccomp
type Arg struct {
Index uint `json:"index"`
Value uint64 `json:"value"`
ValueTwo uint64 `json:"valueTwo"`
Op Operator `json:"op"`
}
// Syscall is used to match a syscall in Seccomp
type Syscall struct {
Name string `json:"name"`
Action Action `json:"action"`
Args []*Arg `json:"args"`
}