jasder
/
runc
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge pull request #587 from Mashimiao/config-fix-and-value-require-paths 

config-linux: fix format and definitely require value of masked and r…
This commit is contained in:
Vincent Batts 2016-10-25 17:13:31 +00:00 committed by GitHub
parent 1e7faf0c4c 25f44dd0e8
commit 6dfc682237
1 changed files with 17 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
config-linux.md
View File

@ -99,7 +99,7 @@ There is a limit of 5 mappings which is the Linux kernel hard limit.
## Devices ## Devices
**`devices`** (array, OPTIONAL) lists devices that MUST be available in the container. **`devices`** (array of objects, OPTIONAL) lists devices that MUST be available in the container.
The runtime may supply them however it likes (with [mknod][mknod.2], by bind mounting from the runtime mount namespace, etc.). The runtime may supply them however it likes (with [mknod][mknod.2], by bind mounting from the runtime mount namespace, etc.).
The following parameters can be specified: The following parameters can be specified:
@ -199,7 +199,7 @@ However, a runtime MAY attach the container process to additional cgroup control
#### Device whitelist #### Device whitelist
**`devices`** (array, OPTIONAL) configures the [device whitelist][cgroup-v1-devices]. **`devices`** (array of objects, OPTIONAL) configures the [device whitelist][cgroup-v1-devices].
The runtime MUST apply entries in the listed order. The runtime MUST apply entries in the listed order.
The following parameters can be specified: The following parameters can be specified:
@ -270,7 +270,7 @@ For more information on how these two settings work together, see [the memory cg
#### Memory #### Memory
`memory` represents the cgroup subsystem `memory` and it's used to set limits on the container's memory usage. **`memory`** (object, OPTIONAL) represents the cgroup subsystem `memory` and it's used to set limits on the container's memory usage.
For more information, see [the memory cgroup man page][cgroup-v1-memory]. For more information, see [the memory cgroup man page][cgroup-v1-memory].
The following parameters can be specified to setup the controller: The following parameters can be specified to setup the controller:
@ -302,7 +302,7 @@ The following parameters can be specified to setup the controller:
#### CPU #### CPU
`cpu` represents the cgroup subsystems `cpu` and `cpusets`. **`cpu`** (object, OPTIONAL) represents the cgroup subsystems `cpu` and `cpusets`.
For more information, see [the cpusets cgroup man page][cgroup-v1-cpusets]. For more information, see [the cpusets cgroup man page][cgroup-v1-cpusets].
The following parameters can be specified to setup the controller: The following parameters can be specified to setup the controller:
@ -337,7 +337,7 @@ The following parameters can be specified to setup the controller:
#### Block IO Controller #### Block IO Controller
`blockIO` represents the cgroup subsystem `blkio` which implements the block io controller. **`blockIO`** (object, OPTIONAL) represents the cgroup subsystem `blkio` which implements the block io controller.
For more information, see [the kernel cgroups documentation about blkio][cgroup-v1-blkio]. For more information, see [the kernel cgroups documentation about blkio][cgroup-v1-blkio].
The following parameters can be specified to setup the controller: The following parameters can be specified to setup the controller:
@ -395,11 +395,11 @@ The following parameters can be specified to setup the controller:
#### Huge page limits #### Huge page limits
`hugepageLimits` represents the `hugetlb` controller which allows to limit the **`hugepageLimits`** (array of objects, OPTIONAL) represents the `hugetlb` controller which allows to limit the
HugeTLB usage per control group and enforces the controller limit during page fault. HugeTLB usage per control group and enforces the controller limit during page fault.
For more information, see the [kernel cgroups documentation about HugeTLB][cgroup-v1-hugetlb]. For more information, see the [kernel cgroups documentation about HugeTLB][cgroup-v1-hugetlb].
`hugepageLimits` is an array of entries, each having the following structure: Each entry has the following structure:
* **`pageSize`** *(string, REQUIRED)* - hugepage size * **`pageSize`** *(string, REQUIRED)* - hugepage size
@ -418,7 +418,7 @@ For more information, see the [kernel cgroups documentation about HugeTLB][cgrou
#### Network #### Network
`network` represents the cgroup subsystems `net_cls` and `net_prio`. **`network`** (object, OPTIONAL) represents the cgroup subsystems `net_cls` and `net_prio`.
For more information, see [the net\_cls cgroup man page][cgroup-v1-net-cls] and [the net\_prio cgroup man page][cgroup-v1-net-prio]. For more information, see [the net\_cls cgroup man page][cgroup-v1-net-cls] and [the net\_prio cgroup man page][cgroup-v1-net-prio].
The following parameters can be specified to setup these cgroup controllers: The following parameters can be specified to setup these cgroup controllers:
@ -450,7 +450,7 @@ processes in the group and egressing the system on various interfaces. The follo
#### PIDs #### PIDs
`pids` represents the cgroup subsystem `pids`. **`pids`** (object, OPTIONAL) represents the cgroup subsystem `pids`.
For more information, see [the pids cgroup man page][cgroup-v1-pids]. For more information, see [the pids cgroup man page][cgroup-v1-pids].
The following parameters can be specified to setup the controller: The following parameters can be specified to setup the controller:
@ -467,7 +467,7 @@ The following parameters can be specified to setup the controller:
## Sysctl ## Sysctl
`sysctl` allows kernel parameters to be modified at runtime for the container. **`sysctl`** (object, OPTIONAL) allows kernel parameters to be modified at runtime for the container.
For more information, see [the man page](http://man7.org/linux/man-pages/man8/sysctl.8.html) For more information, see [the man page](http://man7.org/linux/man-pages/man8/sysctl.8.html)
###### Example ###### Example
@ -540,7 +540,7 @@ Operator Constants:
## Rootfs Mount Propagation ## Rootfs Mount Propagation
`rootfsPropagation` sets the rootfs's mount propagation. **`rootfsPropagation`** (string, OPTIONAL) sets the rootfs's mount propagation.
Its value is either slave, private, or shared. Its value is either slave, private, or shared.
[The kernel doc](https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt) has more information about mount propagation. [The kernel doc](https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt) has more information about mount propagation.
@ -552,7 +552,8 @@ Its value is either slave, private, or shared.
## Masked Paths ## Masked Paths
`maskedPaths` will mask over the provided paths inside the container so that they cannot be read. **`maskedPaths`** (array of strings, OPTIONAL) will mask over the provided paths inside the container so that they cannot be read.
The values MUST be absolute paths in the [container namespace][container-namespace].
###### Example ###### Example
@ -564,7 +565,8 @@ Its value is either slave, private, or shared.
## Readonly Paths ## Readonly Paths
`readonlyPaths` will set the provided paths as readonly inside the container. **`readonlyPaths`** (array of strings, OPTIONAL) will set the provided paths as readonly inside the container.
The values MUST be absolute paths in the [container namespace][container-namespace].
###### Example ###### Example
@ -576,7 +578,7 @@ Its value is either slave, private, or shared.
## Mount Label ## Mount Label
`mountLabel` will set the Selinux context for the mounts in the container. **`mountLabel`** (string, OPTIONAL) will set the Selinux context for the mounts in the container.
###### Example ###### Example
@ -584,6 +586,7 @@ Its value is either slave, private, or shared.
"mountLabel": "system_u:object_r:svirt_sandbox_file_t:s0:c715,c811" "mountLabel": "system_u:object_r:svirt_sandbox_file_t:s0:c715,c811"
``` ```
[container-namespace]: glossary.md#container_namespace
[cgroup-v1]: https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt [cgroup-v1]: https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt
[cgroup-v1-blkio]: https://www.kernel.org/doc/Documentation/cgroup-v1/blkio-controller.txt [cgroup-v1-blkio]: https://www.kernel.org/doc/Documentation/cgroup-v1/blkio-controller.txt
[cgroup-v1-cpusets]: https://www.kernel.org/doc/Documentation/cgroup-v1/cpusets.txt [cgroup-v1-cpusets]: https://www.kernel.org/doc/Documentation/cgroup-v1/cpusets.txt