diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
index b362fdc1..0d408f9d 100644
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@@ -48,7 +48,7 @@
 },
 {
 "ImportPath": "github.com/opencontainers/specs",
-"Rev": "08873003592da169f89ec7c671ed34e1a2333ef8"
+"Rev": "5b31bb2b7771e5074a4eb14eca432da1ca5182d6"
 },
 {
 "ImportPath": "github.com/syndtr/gocapability/capability",
diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/LICENSE b/Godeps/_workspace/src/github.com/opencontainers/specs/LICENSE
new file mode 100644
index 00000000..bdc40365
--- /dev/null
+++ b/Godeps/_workspace/src/github.com/opencontainers/specs/LICENSE
@@ -0,0 +1,191 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + Copyright 2015 The Linux Foundation. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/README.md b/Godeps/_workspace/src/github.com/opencontainers/specs/README.md index a3ae9587..f5e57d9b 100644 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/README.md +++ b/Godeps/_workspace/src/github.com/opencontainers/specs/README.md @@ -1,6 +1,6 @@ # Open Container Specifications -This project is where the Open Container Project Specifications are written. This is a work in progress. We should have a first draft by end of July 2015. +This project is where the [Open Container Initiative](http://www.opencontainers.org/) Specifications are written. This is a work in progress. We should have a first draft by end of July 2015. Table of Contents 
@@ -9,6 +9,14 @@ Table of Contents - [Linux Specific Configuration](config-linux.md) - [Runtime and Lifecycle](runtime.md) +## Use Cases + +To provide context for users the following section gives example use cases for each part of the spec. + +### Filesystem Bundle & Configuration + +- A user can create a root filesystem and configuration, with low-level OS and host specific details, and launch it as a container under an Open Container runtime. + # The 5 principles of Standard Containers Define a unit of software delivery called a Standard Container. The goal of a Standard Container is to encapsulate a software component and all its dependencies in a format that is self-describing and portable, so that any compliant runtime can run it without extra dependencies, regardless of the underlying machine and the contents of the container. 
@@ -43,3 +51,79 @@ There are 17 million shipping containers in existence, packed with every physica With Standard Containers we can put an end to that embarrassment, by making INDUSTRIAL-GRADE DELIVERY of software a reality. +# Contributing + +Development happens on github for the spec. Issues are used for bugs and actionable items and longer +discussions can happen on the mailing list. You can subscribe and join the mailing list on +[google groups](https://groups.google.com/a/opencontainers.org/forum/#!forum/dev). + +The specification and code is licensed under the Apache 2.0 license found in +the `LICENSE` file of this repository. + +## Weekly Call + +The contributors and maintainers of the project have a weekly meeting Wednesdays at 10:00 AM PST. +Everyone is welcome to participate in the call. The link to the call will be posted on the mailing +list each week along with set topics for discussion. +Minutes for the call will be posted to the mailing list for those who are unable to join the call. + +## Markdown style + +To keep consistency throughout the Markdown files in the Open Container spec all files should be formatted one sentence per line. +This fixes two things: it makes diffing easier with git and it resolves fights about line wrapping length. +For example, this paragraph will span three lines in the Markdown source. + +### Sign your work + +The sign-off is a simple line at the end of the explanation for the +patch, which certifies that you wrote it or otherwise have the right to +pass it on as an open-source patch. The rules are pretty simple: if you +can certify the below (from +[developercertificate.org](http://developercertificate.org/)): + +``` +Developer Certificate of Origin +Version 1.1 + +Copyright (C) 2004, 2006 The Linux Foundation and its contributors. +660 York Street, Suite 102, +San Francisco, CA 94110 USA + +Everyone is permitted to copy and distribute verbatim copies of this +license document, but changing it is not allowed. 
+ + +Developer's Certificate of Origin 1.1 + +By making a contribution to this project, I certify that: + +(a) The contribution was created in whole or in part by me and I + have the right to submit it under the open source license + indicated in the file; or + +(b) The contribution is based upon previous work that, to the best + of my knowledge, is covered under an appropriate open source + license and I have the right under that license to submit that + work with modifications, whether created in whole or in part + by me, under the same open source license (unless I am + permitted to submit under a different license), as indicated + in the file; or + +(c) The contribution was provided directly to me by some other + person who certified (a), (b) or (c) and I have not modified + it. + +(d) I understand and agree that this project and the contribution + are public and that a record of the contribution (including all + personal information I submit with it, including my sign-off) is + maintained indefinitely and may be redistributed consistent with + this project or the open source license(s) involved. +``` + +then you just add a line to every git commit message: + + Signed-off-by: Joe Smith + +using your real name (sorry, no pseudonyms or anonymous contributions.) + +You can add the sign off when creating the git commit via `git commit -s`. diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/bundle.md b/Godeps/_workspace/src/github.com/opencontainers/specs/bundle.md index 1948e486..ff6906f0 100644 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/bundle.md +++ b/Godeps/_workspace/src/github.com/opencontainers/specs/bundle.md @@ -21,7 +21,7 @@ One or more *content directories* may be adjacent to the configuration file. Thi ``` / ! --- config.json +--- config.json ! --- rootfs ! 
diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/config-linux.md b/Godeps/_workspace/src/github.com/opencontainers/specs/config-linux.md index 765a0cb9..1927dae5 100644 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/config-linux.md +++ b/Godeps/_workspace/src/github.com/opencontainers/specs/config-linux.md @@ -97,7 +97,7 @@ in [the man page](http://man7.org/linux/man-pages/man7/capabilities.7.html) sysctl allows kernel parameters to be modified at runtime for the container. For more information, see [the man page](http://man7.org/linux/man-pages/man8/sysctl.8.html) -``` +```json "sysctl": { "net.ipv4.ip_forward": "1", "net.core.somaxconn": "256" @@ -106,7 +106,7 @@ For more information, see [the man page](http://man7.org/linux/man-pages/man8/sy ## Linux rlimits -``` +```json "rlimits": [ { "type": "RLIMIT_NPROC", @@ -120,7 +120,7 @@ rlimits allow setting resource limits. The type is from the values defined in [t ## Linux user namespace mappings -``` +```json "uidMappings": [ { "hostID": 1000, 
@@ -137,7 +137,14 @@ rlimits allow setting resource limits. The type is from the values defined in [t ] ``` -uid/gid mappings describe the user namespace mappings from the host to the container. *from* is the starting uid/gid on the host to be mapped to *to* which is the starting uid/gid in the container and *count* refers to the number of ids to be mapped. The Linux kernel has a limit of 5 such mappings that can be specified. +uid/gid mappings describe the user namespace mappings from the host to the container. *hostID* is the starting uid/gid on the host to be mapped to *containerID* which is the starting uid/gid in the container and *size* refers to the number of ids to be mapped. The Linux kernel has a limit of 5 such mappings that can be specified. + +## Rootfs Mount Propagation +rootfsPropagation sets the rootfs's mount propagation. Its value is either slave, private, or shared. [The kernel doc](https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt) has more information about mount propagation. + +```json + "rootfsPropagation": "slave", +``` ## Security diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/config.md b/Godeps/_workspace/src/github.com/opencontainers/specs/config.md index 6f5d4bb9..f0adcb44 100644 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/config.md +++ b/Godeps/_workspace/src/github.com/opencontainers/specs/config.md @@ -80,8 +80,8 @@ Additional filesystems can be declared as "mounts", specified in the *mounts* ar "mounts": [ { "type": "ntfs", - "source": "\\?\Volume\{2eca078d-5cbc-43d3-aff8-7e8511f60d0e}\", - "destination": "C:\Users\crosbymichael\My Fancy Mount Point\", + "source": "\\\\?\\Volume\\{2eca078d-5cbc-43d3-aff8-7e8511f60d0e}\\", + "destination": "C:\\Users\\crosbymichael\\My Fancy Mount Point\\", "options": "" } ] 
diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/runtime.md b/Godeps/_workspace/src/github.com/opencontainers/specs/runtime.md index c5583089..dbd055f0 100644 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/runtime.md +++ b/Godeps/_workspace/src/github.com/opencontainers/specs/runtime.md 
@@ -12,6 +12,48 @@ Runs a process in a container. Can be invoked several times. ### Stop (process) -Not sure we need that from oc cli. Process is killed from the outside. +Not sure we need that from runc cli. Process is killed from the outside. -This event needs to be captured by oc to run onstop event handlers. +This event needs to be captured by runc to run onstop event handlers. + +## Hooks +Hooks allow one to run code before/after various lifecycle events of the container. +The state of the container is passed to the hooks over stdin, so the hooks could get the information they need to do their work. + +Hook paths are absolute and are executed from the host's filesystem. + +### Pre-start +The pre-start hooks are called after the container process is spawned, but before the user supplied command is executed. +They are called after the container namespaces are created on Linux, so they provide an opportunity to customize the container. +In Linux, for e.g., the network namespace could be configured in this hook. + +If a hook returns a non-zero exit code, then an error including the exit code and the stderr is returned to the caller and the container is torn down. + +### Post-stop +The post-stop hooks are called after the container process is stopped. Cleanup or debugging could be performed in such a hook. +If a hook returns a non-zero exit code, then an error is logged and the remaining hooks are executed. + +*Example* + +```json + "hooks" : { + "prestart": [ + { + "path": "/usr/bin/fix-mounts", + "args": ["arg1", "arg2"], + "env": [ "key1=value1"] + }, + { + "path": "/usr/bin/setup-network" + } + ], + "poststop": [ + { + "path": "/usr/sbin/cleanup.sh", + "args": ["-f"] + } + ] + } +``` + +`path` is required for a hook. `args` and `env` are optional. diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/spec.go b/Godeps/_workspace/src/github.com/opencontainers/specs/spec.go index 30b3c1b9..2100cca3 100644 
--- a/Godeps/_workspace/src/github.com/opencontainers/specs/spec.go
+++ b/Godeps/_workspace/src/github.com/opencontainers/specs/spec.go
@@ -11,10 +11,20 @@ type Spec struct {
 Process Process `json:"process"`
 // Root is the root information for the container's filesystem.
 Root Root `json:"root"`
-// Hostname is the containers host name.
+// Hostname is the container's host name.
 Hostname string `json:"hostname"`
 // Mounts profile configuration for adding mounts to the container's filesystem.
 Mounts []Mount `json:"mounts"`
+// Hooks are the commands run at various lifecycle events of the container.
+Hooks Hooks `json:"hooks"`
+}
+
+type Hooks struct {
+// Prestart is a list of hooks to be run before the container process is executed.
+// On Linux, they are run after the container namespaces are created.
+Prestart []Hook `json:"prestart"`
+// Poststop is a list of hooks to be run after the container process exits.
+Poststop []Hook `json:"poststop"`
 }
 
 // Mount specifies a mount for a container.
@@ -61,3 +71,10 @@ type Platform struct {
 // Arch is the architecture
 Arch string `json:"arch"`
 }
+
+// Hook specifies a command that is run at a particular event in the lifecycle of a container.
+type Hook struct {
+Path string `json:"path"`
+Args []string `json:"args"`
+Env []string `json:"env"`
+}
diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/spec_linux.go b/Godeps/_workspace/src/github.com/opencontainers/specs/spec_linux.go
index f5f561bf..3c82db4b 100644
--- a/Godeps/_workspace/src/github.com/opencontainers/specs/spec_linux.go
+++ b/Godeps/_workspace/src/github.com/opencontainers/specs/spec_linux.go
@@ -2,101 +2,107 @@
 
 package specs
 
-// LinuxSpec is the full specification for linux containers.
+// LinuxSpec is the full specification for Linux containers
 type LinuxSpec struct {
 Spec
-// Linux is platform specific configuration for linux based containers.
+// Linux is platform specific configuration for Linux based containers
 Linux Linux `json:"linux"`
 }
 
-// Linux contains platform specific configuration for linux based containers.
+// Linux contains platform specific configuration for Linux based containers
 type Linux struct {
-// UidMapping specifies user mappings for supporting user namespaces on linux.
-UidMappings []IDMapping `json:"uidMappings"`
-// UidMapping specifies group mappings for supporting user namespaces on linux.
-GidMappings []IDMapping `json:"gidMappings"`
-// Rlimits specifies rlimit options to apply to the container's process.
+// UIDMapping specifies user mappings for supporting user namespaces on Linux
+UIDMappings []IDMapping `json:"uidMappings"`
+// GIDMapping specifies group mappings for supporting user namespaces on Linux
+GIDMappings []IDMapping `json:"gidMappings"`
+// Rlimits specifies rlimit options to apply to the container's process
 Rlimits []Rlimit `json:"rlimits"`
-// Sysctl are a set of key value pairs that are set for the container on start.
+// Sysctl are a set of key value pairs that are set for the container on start
 Sysctl map[string]string `json:"sysctl"`
 // Resources contain cgroup information for handling resource constraints
-// for the container.
+// for the container
 Resources Resources `json:"resources"`
-// Namespaces contains the namespaces that are created and/or joined by the container.
+// Namespaces contains the namespaces that are created and/or joined by the container
 Namespaces []Namespace `json:"namespaces"`
-// Capabilities are linux capabilities that are kept for the container.
+// Capabilities are Linux capabilities that are kept for the container
 Capabilities []string `json:"capabilities"`
-// Devices are a list of device nodes that are created and enabled for the container.
+// Devices are a list of device nodes that are created and enabled for the container
 Devices []string `json:"devices"`
+// RootfsPropagation is the rootfs mount propagation mode for the container
+RootfsPropagation string `json:"rootfsPropagation"`
 }
 
-// User specifies linux specific user and group information for the container's
-// main process.
+// User specifies Linux specific user and group information for the container's
+// main process
 type User struct {
-// Uid is the user id.
-Uid int32 `json:"uid"`
-// Gid is the group id.
-Gid int32 `json:"gid"`
-// AdditionalGids are additional group ids set the the container's process.
+// Uid is the user id
+UID int32 `json:"uid"`
+// Gid is the group id
+GID int32 `json:"gid"`
+// AdditionalGids are additional group ids set for the container's process
 AdditionalGids []int32 `json:"additionalGids"`
 }
 
-// Namespace is the configuration for a linux namespace.
+// Namespace is the configuration for a Linux namespace
 type Namespace struct {
-// Type is the type of linux namespace.
+// Type is the type of Linux namespace
 Type string `json:"type"`
 // Path is a path to an existing namespace persisted on disk that can be joined
-// and is of the same type.
+// and is of the same type
 Path string `json:"path"`
 }
 
-// IDMapping specifies uid/gid mappings.
+// IDMapping specifies UID/GID mappings
 type IDMapping struct {
-// HostID is the uid/gid of the host user or group.
+// HostID is the UID/GID of the host user or group
 HostID int32 `json:"hostID"`
-// ContainerID is the uid/gid of the container's user or group.
+// ContainerID is the UID/GID of the container's user or group
 ContainerID int32 `json:"containerID"`
-// Size is the length of the range of IDs mapped between the two namespaces.
+// Size is the length of the range of IDs mapped between the two namespaces
 Size int32 `json:"size"`
 }
 
-// Rlimit type and restrictions.
+// Rlimit type and restrictions
 type Rlimit struct {
-// Type of the rlimit to set.
+// Type of the rlimit to set
 Type int `json:"type"`
-// Hard is the hard limit for the specified type.
+// Hard is the hard limit for the specified type
 Hard uint64 `json:"hard"`
-// Soft is the soft limit for the specified type.
+// Soft is the soft limit for the specified type
 Soft uint64 `json:"soft"`
 }
 
+// HugepageLimit structure corresponds to limiting kernel hugepages
 type HugepageLimit struct {
 Pagesize string `json:"pageSize"`
 Limit int `json:"limit"`
 }
 
+// InterfacePriority for network interfaces
 type InterfacePriority struct {
-// Name is the name of the network interface.
+// Name is the name of the network interface
 Name string `json:"name"`
-// Priority for the interface.
+// Priority for the interface
 Priority int64 `json:"priority"`
 }
 
+// BlockIO for Linux cgroup 'blockio' resource management
 type BlockIO struct {
-// Specifies per cgroup weight, range is from 10 to 1000.
+// Specifies per cgroup weight, range is from 10 to 1000
 Weight int64 `json:"blkioWeight"`
-// Weight per cgroup per device, can override BlkioWeight.
+// Weight per cgroup per device, can override BlkioWeight
 WeightDevice string `json:"blkioWeightDevice"`
-// IO read rate limit per cgroup per device, bytes per second.
+// IO read rate limit per cgroup per device, bytes per second
 ThrottleReadBpsDevice string `json:"blkioThrottleReadBpsDevice"`
-// IO write rate limit per cgroup per divice, bytes per second.
+// IO write rate limit per cgroup per divice, bytes per second
 ThrottleWriteBpsDevice string `json:"blkioThrottleWriteBpsDevice"`
-// IO read rate limit per cgroup per device, IO per second.
+// IO read rate limit per cgroup per device, IO per second
 ThrottleReadIOpsDevice string `json:"blkioThrottleReadIopsDevice"`
-// IO write rate limit per cgroup per device, IO per second.
+// IO write rate limit per cgroup per device, IO per second
 ThrottleWriteIOpsDevice string `json:"blkioThrottleWriteIopsDevice"`
 }
 
+// Memory for Linux cgroup 'memory' resource management
 type Memory struct {
 // Memory limit (in bytes)
 Limit int64 `json:"limit"`
@@ -106,45 +112,48 @@ type Memory struct {
 Swap int64 `json:"swap"`
 // Kernel memory limit (in bytes)
 Kernel int64 `json:"kernel"`
-// How aggressive the kernel will swap memory pages. Range from 0 to 100. Set -1 to use system default.
+// How aggressive the kernel will swap memory pages. Range from 0 to 100. Set -1 to use system default
 Swappiness int64 `json:"swappiness"`
 }
 
+// CPU for Linux cgroup 'cpu' resource management
 type CPU struct {
-// CPU shares (relative weight vs. other cgroups with cpu shares).
+// CPU shares (relative weight vs. other cgroups with cpu shares)
 Shares int64 `json:"shares"`
-// CPU hardcap limit (in usecs). Allowed cpu time in a given period.
+// CPU hardcap limit (in usecs). Allowed cpu time in a given period
 Quota int64 `json:"quota"`
-// CPU period to be used for hardcapping (in usecs). 0 to use system default.
+// CPU period to be used for hardcapping (in usecs). 0 to use system default
 Period int64 `json:"period"`
-// How many time CPU will use in realtime scheduling (in usecs).
+// How many time CPU will use in realtime scheduling (in usecs)
 RealtimeRuntime int64 `json:"realtimeRuntime"`
-// CPU period to be used for realtime scheduling (in usecs).
+// CPU period to be used for realtime scheduling (in usecs)
 RealtimePeriod int64 `json:"realtimePeriod"`
-// CPU to use within the cpuset.
+// CPU to use within the cpuset
 Cpus string `json:"cpus"`
-// MEM to use within the cpuset.
+// MEM to use within the cpuset
 Mems string `json:"mems"`
 }
 
+// Network identification and priority configuration
 type Network struct {
-// Set class identifier for container's network packets.
+// Set class identifier for container's network packets
 ClassID string `json:"classId"`
-// Set priority of network traffic for container.
+// Set priority of network traffic for container
 Priorities []InterfacePriority `json:"priorities"`
 }
 
+// Resources has container runtime resource constraints
 type Resources struct {
-// DisableOOMKiller disables the OOM killer for out of memory conditions.
+// DisableOOMKiller disables the OOM killer for out of memory conditions
 DisableOOMKiller bool `json:"disableOOMKiller"`
-// Memory restriction configuration.
+// Memory restriction configuration
 Memory Memory `json:"memory"`
-// CPU resource restriction configuration.
+// CPU resource restriction configuration
 CPU CPU `json:"cpu"`
-// BlockIO restriction configuration.
+// BlockIO restriction configuration
 BlockIO BlockIO `json:"blockIO"`
 // Hugetlb limit (in bytes)
 HugepageLimits []HugepageLimit `json:"hugepageLimits"`
-// Network restriction configuration.
+// Network restriction configuration
 Network Network `json:"network"`
 }
diff --git a/spec.go b/spec.go
index a70e8581..2a025cd2 100644
--- a/spec.go
+++ b/spec.go
@@ -316,7 +316,7 @@ func setReadonly(config *configs.Config) {
 }
 
 func setupUserNamespace(spec *specs.LinuxSpec, config *configs.Config) error {
-if len(spec.Linux.UidMappings) == 0 {
+if len(spec.Linux.UIDMappings) == 0 {
 return nil
 }
 config.Namespaces.Add(configs.NEWUSER, "")
@@ -327,10 +327,10 @@ func setupUserNamespace(spec *specs.LinuxSpec, config *configs.Config) error {
 Size: int(m.Size),
 }
 }
-for _, m := range spec.Linux.UidMappings {
+for _, m := range spec.Linux.UIDMappings {
 config.UidMappings = append(config.UidMappings, create(m))
 }
-for _, m := range spec.Linux.GidMappings {
+for _, m := range spec.Linux.GIDMappings {
 config.GidMappings = append(config.GidMappings, create(m))
 }
 rootUid, err := config.HostUID()
diff --git a/utils.go b/utils.go
index 9f59b0da..151705e6 100644
--- a/utils.go
+++ b/utils.go
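Review bot: The vendored spec bumped here now carries `Spec.Hooks` and `Linux.RootfsPropagation` (added in the spec.go and spec_linux.go hunks above), but the consumer-side changes in this diff are only the `UIDMappings`/`GIDMappings` renames in setupUserNamespace and the `UID`/`GID` rename in utils.go, so unless another code path outside this diff already maps them, both fields are decoded from the bundle's config.json and then silently dropped. For `rootfsPropagation` that is a security-relevant silent failure: a bundle asking for `private` or `slave` would run with whatever propagation libcontainer applies by default, and the operator gets no error telling them the request was ignored. Until the fields are wired into the libcontainer config, the function that builds the Linux config from the spec should reject what it does not honour, e.g. `if spec.Linux.RootfsPropagation != "" { return fmt.Errorf("rootfsPropagation %q is not supported yet", spec.Linux.RootfsPropagation) }` (with `fmt` in scope), and likewise for non-empty `spec.Hooks.Prestart`/`spec.Hooks.Poststop`. setupUserNamespace continues past the end of this hunk.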
@@ -168,7 +168,7 @@ func newProcess(p specs.Process) *libcontainer.Process {
 Args: p.Args,
 Env: p.Env,
 // TODO: fix libcontainer's API to better support uid/gid in a typesafe way.
-User: fmt.Sprintf("%d:%d", p.User.Uid, p.User.Gid),
+User: fmt.Sprintf("%d:%d", p.User.UID, p.User.GID),
 Cwd: p.Cwd,
 Stdin: os.Stdin,
 Stdout: os.Stdout,