diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json index f2949526..87d94f72 100644 --- a/Godeps/Godeps.json +++ b/Godeps/Godeps.json @@ -57,9 +57,9 @@ "Rev": "f7137ae6b19afbfd61a94b746fda3b3fe0491874" }, { - "ImportPath": "github.com/opencontainers/specs", - "Comment": "v0.3.0-15-ga1e32a8", - "Rev": "a1e32a8ead2ba57adce3e36e956b4dc32c1b85c4" + "ImportPath": "github.com/opencontainers/specs/specs-go", + "Comment": "v0.4.0", + "Rev": "3ce138b1934bf227a418e241ead496c383eaba1c" }, { "ImportPath": "github.com/seccomp/libseccomp-golang", diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/ChangeLog b/Godeps/_workspace/src/github.com/opencontainers/specs/ChangeLog index 865de0b6..8c511ad9 100644 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/ChangeLog +++ b/Godeps/_workspace/src/github.com/opencontainers/specs/ChangeLog @@ -1,21 +1,53 @@ OpenContainers Specifications +Changes with v0.4.0: + Breaking changes: + + * config: Move capabilities, selinuxProcessLabel, apparmorProfile, + and noNewPrivileges from the linux setting to the process setting + and make them optional, renaming selinuxProcessLabel to + selinuxLabel, #329, #330, #339 + * runtime: Rename version to ociVerison in the state JSON, #225 + * runtime: Remove the directory requirement for storing state, now + that there is a 'state' operation, #225, #334 + * go: Shift *.go to specs-go/*.go, #276 + * config: Move rlimits to process, #341 + * go: Move config_linux.go content into config.go, removing + LinuxSpec, #310 + + Additions: + + * schema: Add JSON Schema (and validator) for `config.json`, #313 + * config: Add annotations for opaque-to-the-runtime data, #331 + * config-linux: Make seccomp optional, #333 + * runtime: Added additional operations: state, stop, and exec. + #225 + + Minor fixes and documentation: + + * config-linux: Change mount type from *rune to *string and fix + octal fileMode examples, #323 + * runtime: RFC 2119 phrasing for the lifecycle, #225 + * README: Add a full example of config.json, #276 + * README: Replace BlueJeans with UberConference, #326, #338 + * style: Document Go-pointer exceptions, #317 + Changes with v0.3.0: Breaking changes: - + * config: Single, unified config file, #284 * config: cwd is a required default, and must be absolute, #286, #307, #308, #312 * config: qualify the name of the version field, #309 * config-linux: Convert classID from hex to uint32, #296 * config-linux: Separate mknod from cgroups, #298 - + Additions: - + * config-linux: Add NoNewPrivileges setting for linux, #290 - + Minor fixes and documentation: - + * config-linux: clarify oom_score_adj, #236, #292 * config-linux: Update links to cgroups documentation, #318 * config-linux: Remove pointers for slices preferring omitempty diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/README.md b/Godeps/_workspace/src/github.com/opencontainers/specs/README.md index 00552529..253a7827 100644 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/README.md +++ b/Godeps/_workspace/src/github.com/opencontainers/specs/README.md @@ -5,15 +5,18 @@ Table of Contents -- [Container Principles](principles.md) -- [Specification Style](style.md) +- [Introduction](README.md) + - [Code of Conduct](code-of-conduct.md) + - [Container Principles](principles.md) + - [Style and Conventions](style.md) + - [Roadmap](ROADMAP.md) + - [Implementations](implementations.md) - [Filesystem Bundle](bundle.md) +- [Runtime and Lifecycle](runtime.md) + - [Linux Specific Runtime](runtime-linux.md) - Configuration - [General](config.md) - [Linux-specific](config-linux.md) -- [Runtime and Lifecycle](runtime.md) - - [Linux Specific Runtime](runtime-linux.md) -- [Implementations](implementations.md) - [Glossary](glossary.md) In the specifications in the above table of contents, the keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in [RFC 2119](http://tools.ietf.org/html/rfc2119) (Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997). @@ -154,5 +157,4 @@ Read more on [How to Write a Git Commit Message](http://chris.beams.io/posts/git * If there was important/useful/essential conversation or information, copy or include a reference 8. When possible, one keyword to scope the change in the subject (i.e. "README: ...", "runtime: ...") -[BlueJeans]: https://bluejeans.com/1771332256/ [UberConference]: https://www.uberconference.com/ssaul diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/config-linux.md b/Godeps/_workspace/src/github.com/opencontainers/specs/config-linux.md index c226ee85..5e77c113 100644 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/config-linux.md +++ b/Godeps/_workspace/src/github.com/opencontainers/specs/config-linux.md @@ -455,24 +455,6 @@ For more information, see [the man page](http://man7.org/linux/man-pages/man8/sy } ``` -## Rlimits - -rlimits allow setting resource limits. -`type` is a string with a value from those defined in [the man page](http://man7.org/linux/man-pages/man2/setrlimit.2.html). -The kernel enforces the `soft` limit for a resource while the `hard` limit acts as a ceiling for that value that could be set by an unprivileged process. - -###### Example - -```json - "rlimits": [ - { - "type": "RLIMIT_NPROC", - "soft": 1024, - "hard": 102400 - } - ] -``` - ## seccomp Seccomp provides application sandboxing mechanism in the Linux kernel. diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/config.go b/Godeps/_workspace/src/github.com/opencontainers/specs/config.go deleted file mode 100644 index 8fd6b4d5..00000000 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/config.go +++ /dev/null @@ -1,92 +0,0 @@ -package specs - -// Spec is the base configuration for the container. It specifies platform -// independent configuration. This information must be included when the -// bundle is packaged for distribution. -type Spec struct { - // Version is the version of the specification that is supported. - Version string `json:"ociVersion"` - // Platform is the host information for OS and Arch. - Platform Platform `json:"platform"` - // Process is the container's main process. - Process Process `json:"process"` - // Root is the root information for the container's filesystem. - Root Root `json:"root"` - // Hostname is the container's host name. - Hostname string `json:"hostname,omitempty"` - // Mounts profile configuration for adding mounts to the container's filesystem. - Mounts []Mount `json:"mounts"` - // Hooks are the commands run at various lifecycle events of the container. - Hooks Hooks `json:"hooks"` -} - -// Process contains information to start a specific application inside the container. -type Process struct { - // Terminal creates an interactive terminal for the container. - Terminal bool `json:"terminal"` - // User specifies user information for the process. - User User `json:"user"` - // Args specifies the binary and arguments for the application to execute. - Args []string `json:"args"` - // Env populates the process environment for the process. - Env []string `json:"env,omitempty"` - // Cwd is the current working directory for the process and must be - // relative to the container's root. - Cwd string `json:"cwd"` - // Capabilities are linux capabilities that are kept for the container. - Capabilities []string `json:"capabilities,omitempty"` - // ApparmorProfile specified the apparmor profile for the container. - ApparmorProfile string `json:"apparmorProfile,omitempty"` - // SelinuxProcessLabel specifies the selinux context that the container process is run as. - SelinuxLabel string `json:"selinuxLabel,omitempty"` - // NoNewPrivileges controls whether additional privileges could be gained by processes in the container. - NoNewPrivileges bool `json:"noNewPrivileges,omitempty"` -} - -// Root contains information about the container's root filesystem on the host. -type Root struct { - // Path is the absolute path to the container's root filesystem. - Path string `json:"path"` - // Readonly makes the root filesystem for the container readonly before the process is executed. - Readonly bool `json:"readonly"` -} - -// Platform specifies OS and arch information for the host system that the container -// is created for. -type Platform struct { - // OS is the operating system. - OS string `json:"os"` - // Arch is the architecture - Arch string `json:"arch"` -} - -// Mount specifies a mount for a container. -type Mount struct { - // Destination is the path where the mount will be placed relative to the container's root. The path and child directories MUST exist, a runtime MUST NOT create directories automatically to a mount point. - Destination string `json:"destination"` - // Type specifies the mount kind. - Type string `json:"type"` - // Source specifies the source path of the mount. In the case of bind mounts on - // linux based systems this would be the file on the host. - Source string `json:"source"` - // Options are fstab style mount options. - Options []string `json:"options,omitempty"` -} - -// Hook specifies a command that is run at a particular event in the lifecycle of a container -type Hook struct { - Path string `json:"path"` - Args []string `json:"args,omitempty"` - Env []string `json:"env,omitempty"` -} - -// Hooks for container setup and teardown -type Hooks struct { - // Prestart is a list of hooks to be run before the container process is executed. - // On Linux, they are run after the container namespaces are created. - Prestart []Hook `json:"prestart,omitempty"` - // Poststart is a list of hooks to be run after the container process is started. - Poststart []Hook `json:"poststart,omitempty"` - // Poststop is a list of hooks to be run after the container process exits. - Poststop []Hook `json:"poststop,omitempty"` -} diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/config.md b/Godeps/_workspace/src/github.com/opencontainers/specs/config.md index d0a13886..a832bdde 100644 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/config.md +++ b/Godeps/_workspace/src/github.com/opencontainers/specs/config.md @@ -90,10 +90,13 @@ See links for details about [mountvol](http://ss64.com/nt/mountvol.html) and [Se * **`env`** (array of strings, optional) contains a list of variables that will be set in the process's environment prior to execution. Elements in the array are specified as Strings in the form "KEY=value". The left hand side must consist solely of letters, digits, and underscores `_` as outlined in [IEEE Std 1003.1-2001](http://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap08.html). * **`args`** (string, required) executable to launch and any flags as an array. The executable is the first element and must be available at the given path inside of the rootfs. If the executable path is not an absolute path then the search $PATH is interpreted to find the executable. -For Linux-based systemd the process structure supports the following process specific fields: +For Linux-based systems the process structure supports the following process specific fields: * **`capabilities`** (array of strings, optional) capabilities is an array that specifies Linux capabilities that can be provided to the process inside the container. Valid values are the strings for capabilities defined in [the man page](http://man7.org/linux/man-pages/man7/capabilities.7.html) +* **`rlimits`** (array of rlimits, optional) rlimits is an array of rlimits that allows setting resource limits for a process inside the container. +The kernel enforces the `soft` limit for a resource while the `hard` limit acts as a ceiling for that value that could be set by an unprivileged process. +Valid values for the 'type' field are the resources defined in [the man page](http://man7.org/linux/man-pages/man2/setrlimit.2.html). * **`apparmorProfile`** (string, optional) apparmor profile specifies the name of the apparmor profile that will be used for the container. For more information about Apparmor, see [Apparmor documentation](https://wiki.ubuntu.com/AppArmor) * **`selinuxLabel`** (string, optional) SELinux process label specifies the label with which the processes in a container are run. @@ -133,6 +136,13 @@ For Linux-based systems the user structure has the following fields: "CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE" + ], + "rlimits": [ + { + "type": "RLIMIT_NOFILE", + "hard": 1024, + "soft": 1024 + } ] } ``` @@ -231,4 +241,188 @@ If a hook returns a non-zero exit code, then an error is logged and the remainin `args` and `env` are optional. The semantics are the same as `Path`, `Args` and `Env` in [golang Cmd](https://golang.org/pkg/os/exec/#Cmd). +## Annotations + +Annotations are optional arbitrary non-identifying metadata that can be attached to containers. +This information may be large, may be structured or unstructured. +Annotations are key-value maps. + +```json +"annotations": { + "key1" : "value1", + "key2" : "value2" +} +``` + +## Configuration Schema Example + +Here is a full example `config.json` for reference. + +```json +{ + "ociVersion": "0.3.0", + "platform": { + "os": "linux", + "arch": "amd64" + }, + "process": { + "terminal": true, + "user": { + "uid": 1, + "gid": 1, + "additionalGids": [ + 5, + 6 + ] + }, + "args": [ + "sh" + ], + "env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "TERM=xterm" + ], + "cwd": "/", + "capabilities": [ + "CAP_AUDIT_WRITE", + "CAP_KILL", + "CAP_NET_BIND_SERVICE" + ], + "rlimits": [ + { + "type": "RLIMIT_NOFILE", + "hard": 1024, + "soft": 1024 + } + ], + "apparmorProfile": "", + "selinuxLabel": "" + }, + "root": { + "path": "rootfs", + "readonly": true + }, + "hostname": "slartibartfast", + "mounts": [ + { + "destination": "/proc", + "type": "proc", + "source": "proc" + }, + { + "destination": "/dev", + "type": "tmpfs", + "source": "tmpfs", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "type": "devpts", + "source": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/shm", + "type": "tmpfs", + "source": "shm", + "options": [ + "nosuid", + "noexec", + "nodev", + "mode=1777", + "size=65536k" + ] + }, + { + "destination": "/dev/mqueue", + "type": "mqueue", + "source": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "type": "sysfs", + "source": "sysfs", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys/fs/cgroup", + "type": "cgroup", + "source": "cgroup", + "options": [ + "nosuid", + "noexec", + "nodev", + "relatime", + "ro" + ] + } + ], + "hooks": { + "prestart": [ + { + "path": "/usr/bin/uptime", + "args": [ + "/usr/bin/uptime" + ], + "env": [] + } + ] + }, + "linux": { + "resources": { + "devices": [ + { + "allow": false, + "access": "rwm" + } + ] + }, + "namespaces": [ + { + "type": "pid" + }, + { + "type": "network" + }, + { + "type": "ipc" + }, + { + "type": "uts" + }, + { + "type": "mount" + } + ], + "devices": null, + "seccomp": { + "defaultAction": "", + "architectures": null + } + } +} +``` + + [uts-namespace]: http://man7.org/linux/man-pages/man7/namespaces.7.html diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/config_linux.go b/Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/config.go similarity index 68% rename from Godeps/_workspace/src/github.com/opencontainers/specs/config_linux.go rename to Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/config.go index f798a441..ba66ff1c 100644 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/config_linux.go +++ b/Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/config.go @@ -2,24 +2,122 @@ package specs import "os" -// LinuxStateDirectory holds the container's state information -const LinuxStateDirectory = "/run/opencontainer/containers" +// Spec is the base configuration for the container. It specifies platform +// independent configuration. This information must be included when the +// bundle is packaged for distribution. +type Spec struct { + // Version is the version of the specification that is supported. + Version string `json:"ociVersion"` + // Platform is the host information for OS and Arch. + Platform Platform `json:"platform"` + // Process is the container's main process. + Process Process `json:"process"` + // Root is the root information for the container's filesystem. + Root Root `json:"root"` + // Hostname is the container's host name. + Hostname string `json:"hostname,omitempty"` + // Mounts profile configuration for adding mounts to the container's filesystem. + Mounts []Mount `json:"mounts"` + // Hooks are the commands run at various lifecycle events of the container. + Hooks Hooks `json:"hooks"` + // Annotations is an unstructured key value map that may be set by external tools to store and retrieve arbitrary metadata. + Annotations map[string]string `json:"annotations,omitempty"` -// LinuxSpec is the full specification for linux containers. -type LinuxSpec struct { - Spec - // Linux is platform specific configuration for linux based containers. - Linux Linux `json:"linux"` + // Linux is platform specific configuration for Linux based containers. + Linux Linux `json:"linux" platform:"linux"` } -// Linux contains platform specific configuration for linux based containers. -type Linux struct { - // UIDMapping specifies user mappings for supporting user namespaces on linux. - UIDMappings []IDMapping `json:"uidMappings,omitempty"` - // GIDMapping specifies group mappings for supporting user namespaces on linux. - GIDMappings []IDMapping `json:"gidMappings,omitempty"` - // Rlimits specifies rlimit options to apply to the container's process. +// Process contains information to start a specific application inside the container. +type Process struct { + // Terminal creates an interactive terminal for the container. + Terminal bool `json:"terminal"` + // User specifies user information for the process. + User User `json:"user"` + // Args specifies the binary and arguments for the application to execute. + Args []string `json:"args"` + // Env populates the process environment for the process. + Env []string `json:"env,omitempty"` + // Cwd is the current working directory for the process and must be + // relative to the container's root. + Cwd string `json:"cwd"` + // Capabilities are Linux capabilities that are kept for the container. + Capabilities []string `json:"capabilities,omitempty" platform:"linux"` + // Rlimits specifies rlimit options to apply to the process. Rlimits []Rlimit `json:"rlimits,omitempty"` + // NoNewPrivileges controls whether additional privileges could be gained by processes in the container. + NoNewPrivileges bool `json:"noNewPrivileges,omitempty"` + + // ApparmorProfile specified the apparmor profile for the container. (this field is platform dependent) + ApparmorProfile string `json:"apparmorProfile,omitempty" platform:"linux"` + // SelinuxProcessLabel specifies the selinux context that the container process is run as. (this field is platform dependent) + SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"` +} + +// User specifies Linux specific user and group information for the container's +// main process. +type User struct { + // UID is the user id. (this field is platform dependent) + UID uint32 `json:"uid,omitempty" platform:"linux"` + // GID is the group id. (this field is platform dependent) + GID uint32 `json:"gid,omitempty" platform:"linux"` + // AdditionalGids are additional group ids set for the container's process. (this field is platform dependent) + AdditionalGids []uint32 `json:"additionalGids,omitempty" platform:"linux"` +} + +// Root contains information about the container's root filesystem on the host. +type Root struct { + // Path is the absolute path to the container's root filesystem. + Path string `json:"path"` + // Readonly makes the root filesystem for the container readonly before the process is executed. + Readonly bool `json:"readonly"` +} + +// Platform specifies OS and arch information for the host system that the container +// is created for. +type Platform struct { + // OS is the operating system. + OS string `json:"os"` + // Arch is the architecture + Arch string `json:"arch"` +} + +// Mount specifies a mount for a container. +type Mount struct { + // Destination is the path where the mount will be placed relative to the container's root. The path and child directories MUST exist, a runtime MUST NOT create directories automatically to a mount point. + Destination string `json:"destination"` + // Type specifies the mount kind. + Type string `json:"type"` + // Source specifies the source path of the mount. In the case of bind mounts on + // Linux based systems this would be the file on the host. + Source string `json:"source"` + // Options are fstab style mount options. + Options []string `json:"options,omitempty"` +} + +// Hook specifies a command that is run at a particular event in the lifecycle of a container +type Hook struct { + Path string `json:"path"` + Args []string `json:"args,omitempty"` + Env []string `json:"env,omitempty"` +} + +// Hooks for container setup and teardown +type Hooks struct { + // Prestart is a list of hooks to be run before the container process is executed. + // On Linux, they are run after the container namespaces are created. + Prestart []Hook `json:"prestart,omitempty"` + // Poststart is a list of hooks to be run after the container process is started. + Poststart []Hook `json:"poststart,omitempty"` + // Poststop is a list of hooks to be run after the container process exits. + Poststop []Hook `json:"poststop,omitempty"` +} + +// Linux contains platform specific configuration for Linux based containers. +type Linux struct { + // UIDMapping specifies user mappings for supporting user namespaces on Linux. + UIDMappings []IDMapping `json:"uidMappings,omitempty"` + // GIDMapping specifies group mappings for supporting user namespaces on Linux. + GIDMappings []IDMapping `json:"gidMappings,omitempty"` // Sysctl are a set of key value pairs that are set for the container on start Sysctl map[string]string `json:"sysctl,omitempty"` // Resources contain cgroup information for handling resource constraints @@ -34,23 +132,12 @@ type Linux struct { // Devices are a list of device nodes that are created for the container Devices []Device `json:"devices"` // Seccomp specifies the seccomp security settings for the container. - Seccomp Seccomp `json:"seccomp"` + Seccomp *Seccomp `json:"seccomp,omitempty"` // RootfsPropagation is the rootfs mount propagation mode for the container. RootfsPropagation string `json:"rootfsPropagation,omitempty"` } -// User specifies linux specific user and group information for the container's -// main process. -type User struct { - // UID is the user id. - UID uint32 `json:"uid"` - // GID is the group id. - GID uint32 `json:"gid"` - // AdditionalGids are additional group ids set for the container's process. - AdditionalGids []uint32 `json:"additionalGids,omitempty"` -} - -// Namespace is the configuration for a linux namespace +// Namespace is the configuration for a Linux namespace type Namespace struct { // Type is the type of Linux namespace Type NamespaceType `json:"type"` @@ -59,7 +146,7 @@ type Namespace struct { Path string `json:"path,omitempty"` } -// NamespaceType is one of the linux namespaces +// NamespaceType is one of the Linux namespaces type NamespaceType string const ( diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/state.go b/Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/state.go similarity index 67% rename from Godeps/_workspace/src/github.com/opencontainers/specs/state.go rename to Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/state.go index a6633815..d3ad79d9 100644 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/state.go +++ b/Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/state.go @@ -1,9 +1,6 @@ package specs // State holds information about the runtime state of the container. -// This information will be stored in a file called `state.json`. -// The location of this file will be operating system specific. On Linux -// it will be in `/run/opencontainers/runc//state.json` type State struct { // Version is the version of the specification that is supported. Version string `json:"version"` diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/version.go b/Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/version.go similarity index 96% rename from Godeps/_workspace/src/github.com/opencontainers/specs/version.go rename to Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/version.go index 35785d70..f11c8978 100644 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/version.go +++ b/Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/version.go @@ -11,7 +11,7 @@ const ( VersionPatch = 0 // VersionDev indicates development branch. Releases will be empty string. - VersionDev = "-dev" + VersionDev = "" ) // Version is the specification version that the package types support.