Update github.com/opencontainers/specs to a7b50925d8

This leaves out the internal conversions as we may need to consider
docker backward compatibility for those changes.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
This commit is contained in:
Mrunal Patel 2016-01-25 19:09:08 -05:00
parent 3268a1ea00
commit 9cd641486a
24 changed files with 910 additions and 234 deletions

4
Godeps/Godeps.json generated
View File

@ -53,8 +53,8 @@
},
{
"ImportPath": "github.com/opencontainers/specs",
"Comment": "v0.1.1-55-gcf8dd12",
"Rev": "cf8dd120937acc3593708f99304c51cfd0f73240"
"Comment": "v0.2.0-40-ga7b5092",
"Rev": "a7b50925d8996923d99e1c50750131e20b743067"
},
{
"ImportPath": "github.com/seccomp/libseccomp-golang",

View File

@ -1,6 +1,6 @@
language: go
go:
- 1.5.1
- 1.5.3
- 1.4.3
- 1.3.3

View File

@ -0,0 +1,192 @@
OpenContainers Specifications
Changes with v0.2.0:
* Add Apparmor, Selinux and Seccomp
* Add Apparmor, Selinux and Seccomp sections
* Add bind mount example
* Add fd section for linux container process
* Add Go types for specification
* *: adding a code of conduct
* Adding cgroups path to the Spec.
* .: Adding listing of implementations
* .: adding travis file for future CI
* Add license and DCO information for contributions
* Add linux spec description
* Add MAINTAINERS file
* Add memory swappiness to linux spec
* Add runtime state configuration and structs
* Adds a section for user namespace mappings
* Adds link to kernel cgroups documentation
* Adds section for Linux Rlimits
* Adds section for Linux Sysctl.
* Adds user namespace to the list of namespaces
* bundle: add initial run use case
* bundle: Fix 'and any number of and other related' typo
* bundle.md: clarify arbitrary/conventional dirnames
* bundle.md: fix link formatting
* bundle.md: fix off-by-one error
* bundle.md: various updates to latest spec
* bundle: Move 'Linux sysctl' header to its own line
* Change commiter to committer
* Change Device field order in spec_linux.go, 'Path' should be top of the 'Type' field, according to the different of the config-linux.md, 'Path' field is the unique key.
* Change layout of mountpoints and mounts
* Change the rlimit type to string instead of int
* Clarify behavior around namespaces paths.
* config: Add example additionalGids
* config: Add example cwd
* config: cleanup language on readonly parameter
* config: fix links to go files
* config-linux: specify the default devices/filesystems available
* config.md: clarify destination for mounts
* config.md: make the version a semver
* config.md: make the version field example a semver
* config.md: minor clean up of process specification
* config.md: reformat into a standard style
* config.md: update links to spec schema code
* config.md: various cleanup/consistency fixes
* config: minor cleanup
* Deduplicate the field of RootfsPropagation
* Define constants for Linux Namespace names
* Fix LinuxRuntime field
* Fix root object keys
* Fix typos in config.md
* Fix typos in the "Namespace types" section
* Fix typos in the rlimits section
* Fix Windows path escaping in example mount JSON
* JSON objects are easier to parse/manipulate
* made repo public. Added warning in README
* Make namespaces match runc
* make rootfs mount propagation mode settable
* Makes namespaces description linux specific
* *.md: markdown formatting
* Modify the capabilities constants to match header files like other constants
* Move linux specific options to linux spec
* README: add a rule for paragraph formatting in markdown
* README: Document BlueJeans and wiki archive for meetings
* README: Document pre-meeting agenda alteration
* README: Document YouTube and IRC backchannel for meetings
* README: Focus on local runtime (create/start/stop)
* README.md: Add a git commit style guide
* README.md: contribution about discussion
* README: releases section
* README: Remove blank line from infrastructure-agnostic paragraph
* removed boilerplate file
* *: remove superfluous comma in code-of-conduct
* Remove trailing whitespace
* Rename SystemProperties to Sysctl
* Rename the header "Access to devices" to "Devices" to fit with the config
* *: re-org the spec
* Replace Linux.Device with more specific config
* restore formatting
* Return golang compliant names for UID and GID in User
* Return golint-compliant naming for mappings
* runtime: Add prestart/poststop hooks
* runtime_config: comments for golint
* runtime-config-linux: Drop 'Linux' from headers
* runtime_config_linux: Fix 'LinuxSpec' -> 'LinuxRuntimeSpec' in comment
* runtime-config-linux: One sentence per line for opening two paragraphs
* runtime-config: Remove blank lines from the end of files
* runtime-config: Remove 'destination' docs from mounts
* runtime.md: convert oc to runc
* runtime: use opencontainer vs oci
* *: small spelling fixes
* Specific platform specific user struct for spec
* spec: linux: add support for the PIDs cgroup
* spec_linux: conform to `golint`
* spec_linux.go: Rename IDMapping fields to follow syscall.SysProcIDMap
* spec_linux: remove ending periods on one-line comments
* spec: rename ocp to oci and add a link
* specs: add json notation
* specs: align the ascii graph
* specs: fix the description for the [ug]idMappings
* specs: introduce the concept of a runtime.json
* .tools: cleanup the commit entry
* .tools: repo validation tool
* travis: fix DCO validation for merges
* typo: containers -> container's
* typo: the -> for
* Update config-linux for better formatting on values
* Update README.md
* Update readme with weekly call and mailing list
* Update runtime.md
* Update runtime.md
* Update runtime.md
* version: more explicit version for comparison
Changes with v0.1.0:
* Add Architecture field to Seccomp configuration in Linux runtime
* Add @hqhq as maintainer
* Add hyphen for host specific
* Adding Vishnu Kannan as a Maintainer.
* Add initial roadmap
* Add lifecycle for containers
* Add oom_score_adj to the runtime Spec.
* Add post-start hooks
* Add Seccomp constants to description of Linux runtime spec
* Add Seccomp constants to Linux runtime config
* Add some clarity around the state.json file
* adds text describing the upper-case keywords used in the spec
* add testing framework to ROADMAP
* Appropriately mark optional fields as omitempty
* cgroup: Add support for memory.kmem.tcp.limit_in_bytes
* Change HugepageLimit.Limit type to uint64
* Change the behavior when cgroupsPath is absent
* Change version from 0.1.0 to 0.2.0
* Clarify the semantics of hook elements
* Cleanup bundle.md
* Cleanup principles
* config: linux: update description of PidsLimit
* config: Require a new UTS namespace for config.json's hostname
* config: Require the runtime to mount Spec.Mounts in order
* convert **name** to **`name`**
* Example lists "root' but text mentions "bundlePath"
* Fix an extra space in VersionMinor
* Fix golint warnings
* Fix typo in BlockIO struct comment
* Fix typo in Filesystem Bundle
* Fix value of swappiness
* glossary: Provide a quick overview of important terms
* glossary: Specify UTF-8 for all our JSON
* hooks: deduplicate the hooks docs
* implementations: Link to kunalkushwaha/octool
* implementations: Link to mrunalp/ocitools
* lifecycle: Don't require /run/opencontainer/<runtime>/containers
* lifecycle: Mention runtime.json
* lifecycle: no hypens
* MAINTAINERS: add tianon per the charter
* MAINTAINERS: correct Vish's github account
* Makefile: Add glossary to DOC_FILES
* Make optional Cgroup related config params pointers along with `omitempty` json tag.
* Mark RootfsPropagation as omitempty
* *.md: update TOC and links
* move the description of Rlimits before example
* move the description of user ns mapping to proper file
* principles: Give principles their own home
* *: printable documents
* Project: document release process
* README: Fix some headers
* README: make header more concise
* remove blank char from blank line
* Remove the unneeded build tag from the config_linux.go
* Remove trailing comma in hooks json example
* Rename State's Root to Bundle
* ROADMAP.md: remove the tail spaces
* roadmap: update links and add wiki reference
* runtime: Add 'version' to the state.json example
* runtime-config: add example label before json exmaple
* runtime-config: add section about Hooks
* runtime: config: linux: add cgroups information
* runtime: config: linux: Edit BlockIO struct
* runtime: config: linux: Fix typo and trailing commas in json example
* runtime_config_linux.go: add missing pointer
* runtime-config-linux.md: fix the type of cpus and mems
* runtime.md: fix spacing
* Talk about host specific/independent instead of mutability
* .tools: commit validator is a separate project
* .tools: make GetFetchHeadCommit do what it says
* .travis.yml: add go 1.5.1, update from 1.4.2 to 1.4.3
* Update readme with wiki link to minutes
* Update Typo in ROADMAP.md
* Use unsigned for IDs
* version: introduce a string for dev indication

View File

@ -1,9 +1,9 @@
Michael Crosby <michael@docker.com> (@crosbymichael)
Alexander Morozov <lk4d4@docker.com> (@LK4D4)
Rohit Jnagal <jnagal@google.com> (@rjnagal)
Victor Marmol <vmarmol@google.com> (@vmarmol)
Vishnu Kannan <vishnuk@google.com> (@vishh)
Mrunal Patel <mpatel@redhat.com> (@mrunalp)
Vincent Batts <vbatts@redhat.com> (@vbatts)
Daniel, Dao Quang Minh <dqminh89@gmail.com> (@dqminh)
Brandon Philips <brandon.philips@coreos.com> (@philips)
Tianon Gravi <admwiggin@gmail.com> (@tianon)
Qiang Huang <h.huangqiang@huawei.com> (@hqhq)

View File

@ -0,0 +1,63 @@
DOCKER ?= $(shell which docker)
DOC_FILES := \
README.md \
code-of-conduct.md \
principles.md \
style.md \
ROADMAP.md \
implementations.md \
bundle.md \
runtime.md \
runtime-linux.md \
config.md \
config-linux.md \
runtime-config.md \
runtime-config-linux.md \
glossary.md
EPOCH_TEST_COMMIT := 041eb73d2e0391463894c04c8ac938036143eba3
docs: pdf html
.PHONY: docs
pdf:
@mkdir -p output/ && \
$(DOCKER) run \
-it \
--rm \
-v $(shell pwd)/:/input/:ro \
-v $(shell pwd)/output/:/output/ \
-u $(shell id -u) \
vbatts/pandoc -f markdown_github -t latex -o /output/docs.pdf $(patsubst %,/input/%,$(DOC_FILES)) && \
ls -sh $(shell readlink -f output/docs.pdf)
html:
@mkdir -p output/ && \
$(DOCKER) run \
-it \
--rm \
-v $(shell pwd)/:/input/:ro \
-v $(shell pwd)/output/:/output/ \
-u $(shell id -u) \
vbatts/pandoc -f markdown_github -t html5 -o /output/docs.html $(patsubst %,/input/%,$(DOC_FILES)) && \
ls -sh $(shell readlink -f output/docs.html)
.PHONY: test .govet .golint .gitvalidation
test: .govet .golint .gitvalidation
# `go get golang.org/x/tools/cmd/vet`
.govet:
go vet -x ./...
# `go get github.com/golang/lint/golint`
.golint:
golint ./...
# `go get github.com/vbatts/git-validation`
.gitvalidation:
git-validation -q -run DCO,short-subject -v -range $(EPOCH_TEST_COMMIT)..HEAD
clean:
rm -rf output/ *~

View File

@ -6,6 +6,7 @@
Table of Contents
- [Container Principles](principles.md)
- [Specification Style](style.md)
- [Filesystem Bundle](bundle.md)
- Configuration
- [Container Configuration](config.md)
@ -15,18 +16,32 @@ Table of Contents
- [Runtime and Lifecycle](runtime.md)
- [Linux Specific Runtime](runtime-linux.md)
- [Implementations](implementations.md)
- [Glossary](glossary.md)
In the specifications in the above table of contents, the keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in [RFC 2119](http://tools.ietf.org/html/rfc2119) (Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997).
# Use Cases
To provide context for users the following section gives example use cases for each part of the spec.
### Filesystem Bundle & Configuration
#### Application Bundle Builders
- A user can create a root filesystem and configuration, with low-level OS and host specific details, and launch it as a container under an Open Container runtime.
Application bundle builders can create a [bundle](bundle.md) directory that includes all of the files required for launching an application as a container.
The bundle contains OCI [configuration files](config.md) where the builder can specify host-independent details such as [which executable to launch](config.md#process-configuration) and host-specific settings such as [mount](runtime-config.md#mount-configuration) locations, [hook](runtime-config.md#hooks) paths, Linux [namespaces](runtime-config-linux.md#namespaces) and [cgroups](runtime-config-linux.md#control-groups).
Because the configuration includes host-specific settings, application bundle directories copied between two hosts may require configuration adjustments.
## Releases
#### Hook Developers
There is a loose [Road Map](https://github.com/opencontainers/specs/wiki/RoadMap:) on the wiki.
[Hook](runtime-config.md#hooks) developers can extend the functionality of an OCI-compliant runtime by hooking into a container's lifecycle with an external application.
Example use cases include sophisticated network configuration, volume garbage collection, etc.
#### Runtime Developers
Runtime developers can build runtime implementations that run OCI-compliant bundles and container configuration, containing low-level OS and host specific details, on a particular platform.
# Releases
There is a loose [Road Map](./ROADMAP.md).
During the `0.x` series of OCI releases we make no backwards compatibility guarantees and intend to break the schema during this series.
# Contributing

View File

@ -0,0 +1,110 @@
# OCI Specs Roadmap
This document serves to provide a long term roadmap on our quest to a 1.0 version of the OCI container specification.
Its goal is to help both maintainers and contributors find meaningful tasks to focus on and create a low noise environment.
The items in the 1.0 roadmap can be broken down into smaller milestones that are easy to accomplish.
The topics below are broad and small working groups will be needed for each to define scope and requirements or if the feature is required at all for the OCI level.
Topics listed in the roadmap do not mean that they will be implemented or added but are areas that need discussion to see if they fit in to the goals of the OCI.
Listed topics may defer to the [project wiki](https://github.com/opencontainers/specs/wiki/RoadMap:) for collaboration.
## 1.0
### Digest and Hashing
A bundle is designed to be moved between hosts.
Although OCI doesn't define a transport method we should have a cryptographic digest of the on-disk bundle that can be used to verify that a bundle is not corrupted and in an expected configuration.
*Owner:* philips
### Review the need for runtime.json (Target release: v0.3.0)
There are some discussions about having `runtime.json` being optional for containers and specifying defaults.
Runtimes would use this standard set of defaults for containers and `runtime.json` would provide overrides for fine tuning of these extra host or platform specific settings.
*Owner:* mrunalp
### Define Container Lifecycle
Containers have a lifecycle and being able to identify and document the lifecycle of a container is very helpful for implementations of the spec.
The lifecycle events of a container also help identify areas to implement hooks that are portable across various implementations and platforms.
*Owner:* mrunalp
### Define Standard Container Actions (Target release: v0.3.0)
Define what type of actions a runtime can perform on a container without imposing hardships on authors of platforms that do not support advanced options.
*Owner:* duglin
### Container Definition
Define what a software container is and its attributes in a cross platform way.
Could be solved by lifecycle/ops and create/start split discussions
*Owner:* vishh & duglin
### Live Container Updates
Should we allow dynamic container updates to runtime options?
Proposal: make it an optional feature
*Owner:* hqhq (was vishh) robdolinms, bcorrie
### Validation Tooling (Target release: v0.3.0)
Provide validation tooling for compliance with OCI spec and runtime environment.
*Owner:* mrunalp
### Testing Framework
Provide a testing framework for compliance with OCI spec and runtime environment.
*Owner:* liangchenye
### Version Schema
Decide on a robust versioning schema for the spec as it evolves.
Resolved but release process could evolve. Resolved for v0.2.0, expect to revisit near v1.0.0
*Owner:* vbatts
### Printable/Compiled Spec
Regardless of how the spec is written, ensure that it is easy to read and follow for first time users.
Part of this is resolved. Produces an html & pdf.
Done
Would be nice to publish to the OCI web site as part of our release process.
*Owner:* vbatts
### Base Config Compatibility
Ensure that the base configuration format is viable for various platforms.
Systems:
* Solaris
* Windows
* Linux
*Owner:* robdolinms as lead coordinator
### Full Lifecycle Hooks
Ensure that we have lifecycle hooks in the correct places with full coverage over the container lifecycle.
Will probably go away with Vish's work on splitting create and start, and if we have exec.
*Owner:*
### Distributable Format
A common format for serializing and distributing bundles.
*Owner:* vbatts

View File

@ -10,18 +10,21 @@ The definition of a bundle is only concerned with how a container, and its confi
A Standard Container bundle contains all the information needed to load and run a container.
This includes the following three artifacts which MUST all reside in the same directory on the local filesystem:
1. `config.json` : immutable, host independent configuration.
This REQUIRED file, which MUST be named `config.json`, contains settings that are host independent and application specific such as security permissions, environment variables and arguments.
1. `config.json` : contains host-independent configuration data.
This REQUIRED file, which MUST be named `config.json`, contains settings that are host-independent and application-specific such as security permissions, environment variables and arguments.
When the bundle is packaged up for distribution, this file MUST be included.
See [`config.json`](config.md) for more details.
2. `runtime.json` : mutable, host dependent configuration.
This REQUIRED file, which MUST be named `runtime.json`, contains settings that are host specific such as memory limits, local device access and mount sources.
The goal is that the bundle can be moved as a unit to another runtime and run the same application if `runtime.json` is reconfigured.
2. `runtime.json` : contains host-specific configuration data.
This REQUIRED file, which MUST be named `runtime.json`, contains settings that are host-specific such as mount sources and hooks.
The goal is that the bundle can be moved as a unit to another runtime and run the same application once a host-specific `runtime.json` is defined.
When the bundle is packaged up for distribution, this file MUST NOT be included.
See [`runtime.json`](runtime-config.md) for more details.
3. A directory representing the root filesystem of the container.
While the name of this REQUIRED directory may be arbitrary, users should consider using a conventional name, such as `rootfs`.
When the bundle is packaged up for distribution, this directory MUST be included.
This directory MUST be referenced from within the `config.json` file.
While these three artifacts MUST all be present in a single directory on the local filesytem, that directory itself is not part of the bundle.
While these three artifacts MUST all be present in a single directory on the local filesystem, that directory itself is not part of the bundle.
In other words, a tar archive of a *bundle* will have these artifacts at the root of the archive, not nested within a top-level directory.

View File

@ -16,30 +16,6 @@ Valid values are the strings for capabilities defined in [the man page](http://m
]
```
## User namespace mappings
```json
"uidMappings": [
{
"hostID": 1000,
"containerID": 0,
"size": 10
}
],
"gidMappings": [
{
"hostID": 1000,
"containerID": 0,
"size": 10
}
]
```
uid/gid mappings describe the user namespace mappings from the host to the container.
The mappings represent how the bundle `rootfs` expects the user namespace to be setup and the runtime SHOULD NOT modify the permissions on the rootfs to realize the mapping.
*hostID* is the starting uid/gid on the host to be mapped to *containerID* which is the starting uid/gid in the container and *size* refers to the number of ids to be mapped.
There is a limit of 5 mappings which is the Linux kernel hard limit.
## Default Devices and File Systems
The Linux ABI includes both syscalls and several special file paths.

View File

@ -1,10 +1,11 @@
package specs
// Spec is the base configuration for the container. It specifies platform
// independent configuration.
// independent configuration. This information must be included when the
// bundle is packaged for distribution.
type Spec struct {
// Version is the version of the specification that is supported.
Version string `json:"version"`
Version string `json:"ociVersion"`
// Platform is the host information for OS and Arch.
Platform Platform `json:"platform"`
// Process is the container's main process.
@ -12,7 +13,7 @@ type Spec struct {
// Root is the root information for the container's filesystem.
Root Root `json:"root"`
// Hostname is the container's host name.
Hostname string `json:"hostname"`
Hostname string `json:"hostname,omitempty"`
// Mounts profile configuration for adding mounts to the container's filesystem.
Mounts []MountPoint `json:"mounts"`
}
@ -26,7 +27,7 @@ type Process struct {
// Args specifies the binary and arguments for the application to execute.
Args []string `json:"args"`
// Env populates the process environment for the process.
Env []string `json:"env"`
Env []string `json:"env,omitempty"`
// Cwd is the current working directory for the process and must be
// relative to the container's root.
Cwd string `json:"cwd"`
@ -56,15 +57,3 @@ type MountPoint struct {
// Path specifies the path of the mount. The path and child directories MUST exist, a runtime MUST NOT create directories automatically to a mount point.
Path string `json:"path"`
}
// State holds information about the runtime state of the container.
type State struct {
// Version is the version of the specification that is supported.
Version string `json:"version"`
// ID is the container ID
ID string `json:"id"`
// Pid is the process id for the container's main process.
Pid int `json:"pid"`
// BundlePath is the path to the container's bundle directory.
BundlePath string `json:"bundlePath"`
}

View File

@ -8,14 +8,17 @@ This includes the process to run, environment variables to inject, sandboxing fe
Below is a detailed description of each field defined in the configuration format.
## Manifest version
## Specification version
* **`version`** (string, required) must be in [SemVer v2.0.0](http://semver.org/spec/v2.0.0.html) format and specifies the version of the OCF specification with which the container bundle complies. The Open Container spec follows semantic versioning and retains forward and backward compatibility within major versions. For example, if an implementation is compliant with version 1.0.1 of the spec, it is compatible with the complete 1.x series.
* **`ociVersion`** (string, required) must be in [SemVer v2.0.0](http://semver.org/spec/v2.0.0.html) format and specifies the version of the OpenContainer specification with which the bundle complies.
The OpenContainer spec follows semantic versioning and retains forward and backward compatibility within major versions.
For example, if an implementation is compliant with version 1.0.1 of the spec, it is compatible with the complete 1.x series.
NOTE that there is no guarantee for forward or backward compatibility for version 0.x.
*Example*
```json
"version": "0.1.0"
"ociVersion": "0.1.0"
```
## Root Configuration
@ -69,7 +72,7 @@ The runtime MUST mount entries in the listed order.
## Process configuration
* **`terminal`** (bool, optional) specifies whether you want a terminal attached to that process. Defaults to false.
* **`cwd`** (string, optional) is the working directory that will be set for the executable.
* **`cwd`** (string, required) is the working directory that will be set for the executable. This value MUST be an absolute path.
* **`env`** (array of strings, optional) contains a list of variables that will be set in the process's environment prior to execution. Elements in the array are specified as Strings in the form "KEY=value". The left hand side must consist solely of letters, digits, and underscores `_` as outlined in [IEEE Std 1003.1-2001](http://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap08.html).
* **`args`** (string, required) executable to launch and any flags as an array. The executable is the first element and must be available at the given path inside of the rootfs. If the executable path is not an absolute path then the search $PATH is interpreted to find the executable.
@ -104,7 +107,7 @@ For Linux-based systems the user structure has the following fields:
## Hostname
* **`hostname`** (string, optional) as it is accessible to processes running inside.
* **`hostname`** (string, optional) as it is accessible to processes running inside. On Linux, you can only set this if your bundle creates a new [UTS namespace][uts-namespace].
*Example*
@ -126,3 +129,5 @@ For Linux-based systems the user structure has the following fields:
Interpretation of the platform section of the JSON file is used to find which platform-specific sections may be available in the document.
For example, if `os` is set to `linux`, then a JSON object conforming to the [Linux-specific schema](config-linux.md) SHOULD be found at the key `linux` in the `config.json`.
[uts-namespace]: http://man7.org/linux/man-pages/man7/namespaces.7.html

View File

@ -21,5 +21,5 @@ type User struct {
// GID is the group id.
GID uint32 `json:"gid"`
// AdditionalGids are additional group ids set for the container's process.
AdditionalGids []uint32 `json:"additionalGids"`
AdditionalGids []uint32 `json:"additionalGids,omitempty"`
}

View File

@ -0,0 +1,26 @@
# Glossary
## Bundle
A [directory structure](bundle.md) that is written ahead of time, distributed, and used to seed the runtime for creating a [container](#container) and launching a process within it.
## Configuration
The [`config.json`](config.md) and [`runtime.json`](runtime-config.md) files in a [bundle](#bundle) which define the intended [container](#container) and container process.
## Container
An environment for executing processes with configurable isolation and resource limitations.
For example, namespaces, resource limits, and mounts are all part of the container environment.
## JSON
All configuration [JSON][] MUST be encoded in [UTF-8][].
## Runtime
An implementation of this specification.
It reads the [configuration files](#configuration) from a [bundle](#bundle), uses that information to create a [container](#container), launches a process inside the container, and performs other [lifecycle actions](runtime.md).
[JSON]: http://json.org/
[UTF-8]: http://www.unicode.org/versions/Unicode8.0.0/ch03.pdf

View File

@ -11,6 +11,11 @@ If you know of any associated projects that are not listed here, please file a p
* [hyperhq/runv](https://github.com/hyperhq/runv) - Hypervisor-based runtime for OCI
## Bundle authoring
* [kunalkushwaha/octool](https://github.com/kunalkushwaha/octool) - A config linter and validator.
* [mrunalp/ocitools](https://github.com/mrunalp/ocitools) - A config generator.
## Testing
* [huawei-openlab/oct](https://github.com/huawei-openlab/oct) - Open Container Testing framework for OCI configuration and runtime

View File

@ -0,0 +1,10 @@
# Project docs
## Release Process
* Increment version in version.go
* `git commit` version increment
* `git tag` the prior commit (preferrably signed tag)
* `make docs` to produce PDF and HTML copies of the spec
* Make a release on [github.com/opencontainers/specs](https://github.com/opencontainers/specs/releases) for the version. Attach the produced docs.

View File

@ -6,11 +6,24 @@ A namespace wraps a global system resource in an abstraction that makes it appea
Changes to the global resource are visible to other processes that are members of the namespace, but are invisible to other processes.
For more information, see [the man page](http://man7.org/linux/man-pages/man7/namespaces.7.html).
Namespaces are specified in the spec as an array of entries.
Each entry has a type field with possible values described below and an optional path element.
Namespaces are specified as an array of entries inside the `namespaces` root field.
The following parameters can be specified to setup namespaces:
* **`type`** *(string, required)* - namespace type. The following namespaces types are supported:
* **`pid`** processes inside the container will only be able to see other processes inside the same container
* **`network`** the container will have its own network stack
* **`mount`** the container will have an isolated mount table
* **`ipc`** processes inside the container will only be able to communicate to other processes inside the same container via system level IPC
* **`uts`** the container will be able to have its own hostname and domain name
* **`user`** the container will be able to remap user and group IDs from the host to local users and groups within the container
* **`path`** *(string, optional)* - path to namespace file
If a path is specified, that particular file is used to join that type of namespace.
Also, when a path is specified, a runtime MUST assume that the setup for that particular namespace has already been done and error out if the config specifies anything else related to that namespace.
###### Example
```json
"namespaces": [
{
@ -36,32 +49,55 @@ Also, when a path is specified, a runtime MUST assume that the setup for that pa
]
```
#### Namespace types
## User namespace mappings
* **`pid`** processes inside the container will only be able to see other processes inside the same container.
* **`network`** the container will have its own network stack.
* **`mount`** the container will have an isolated mount table.
* **`ipc`** processes inside the container will only be able to communicate to other processes inside the same
container via system level IPC.
* **`uts`** the container will be able to have its own hostname and domain name.
* **`user`** the container will be able to remap user and group IDs from the host to local users and groups
within the container.
###### Example
```json
"uidMappings": [
{
"hostID": 1000,
"containerID": 0,
"size": 10
}
],
"gidMappings": [
{
"hostID": 1000,
"containerID": 0,
"size": 10
}
]
```
uid/gid mappings describe the user namespace mappings from the host to the container.
The mappings represent how the bundle `rootfs` expects the user namespace to be setup and the runtime SHOULD NOT modify the permissions on the rootfs to realize the mapping.
*hostID* is the starting uid/gid on the host to be mapped to *containerID* which is the starting uid/gid in the container and *size* refers to the number of ids to be mapped.
There is a limit of 5 mappings which is the Linux kernel hard limit.
## Devices
Devices is an array specifying the list of devices to be created in the container.
Next parameters can be specified:
`devices` is an array specifying the list of devices to be created in the container.
* **`type`** - type of device: `c`, `b`, `u` or `p`. More info in `man mknod`
* **`path`** - full path to device inside container
* **`major, minor`** - major, minor numbers for device. More info in `man mknod`.
There is special value: `-1`, which means `*` for `device`
cgroup setup.
* **`permissions`** - cgroup permissions for device. A composition of `r`
(read), `w` (write), and `m` (mknod).
* **`fileMode`** - file mode for device file
* **`uid`** - uid of device owner
* **`gid`** - gid of device owner
The following parameters can be specified:
* **`type`** *(char, required)* - type of device: `c`, `b`, `u` or `p`. More info in `man mknod`.
* **`path`** *(string, optional)* - full path to device inside container
* **`major, minor`** *(int64, required)* - major, minor numbers for device. More info in `man mknod`. There is a special value: `-1`, which means `*` for `device` cgroup setup.
* **`permissions`** *(string, optional)* - cgroup permissions for device. A composition of `r` (*read*), `w` (*write*), and `m` (*mknod*).
* **`fileMode`** *(uint32, optional)* - file mode for device file
* **`uid`** *(uint32, optional)* - uid of device owner
* **`gid`** *(uint32, optional)* - gid of device owner
**`fileMode`**, **`uid`** and **`gid`** are required if **`path`** is given and are otherwise not allowed.
###### Example
```json
"devices": [
@ -136,12 +172,14 @@ For more information, see the [kernel cgroups documentation](https://www.kernel.
The path to the cgroups can be specified in the Spec via `cgroupsPath`.
`cgroupsPath` is expected to be relative to the cgroups mount point.
If not specified, cgroups will be created under '/'.
If `cgroupsPath` is not specified, implementations can define the default cgroup path.
Implementations of the Spec can choose to name cgroups in any manner.
The Spec does not include naming schema for cgroups.
The Spec does not support [split hierarchy](https://www.kernel.org/doc/Documentation/cgroups/unified-hierarchy.txt).
The cgroups will be created if they don't exist.
###### Example
```json
"cgroupsPath": "/myRuntime/myContainer"
```
@ -154,24 +192,92 @@ For example, to run a new process in an existing container without updating limi
#### Disable out-of-memory killer
`disableOOMKiller` contains a boolean (`true` or `false`) that enables or disables the Out of Memory killer for a cgroup.
If enabled (`false`), tasks that attempt to consume more memory than they are allowed are immediately killed by the OOM killer.
The OOM killer is enabled by default in every cgroup using the `memory` subsystem.
To disable it, specify a value of `true`.
For more information, see [the memory cgroup man page](https://www.kernel.org/doc/Documentation/cgroups/memory.txt).
* **`disableOOMKiller`** *(bool, optional)* - enables or disables the OOM killer
###### Example
```json
"disableOOMKiller": false
```
#### Set oom_score_adj
`oomScoreAdj` sets heuristic regarding how the process is evaluated by the kernel during memory pressure.
For more information, see [the proc filesystem documentation section 3.1](https://www.kernel.org/doc/Documentation/filesystems/proc.txt).
This is a kernel/system level setting, where as `disableOOMKiller` is scoped for a memory cgroup.
For more information on how these two settings work together, see [the memory cgroup documentation section 10. OOM Contol](https://www.kernel.org/doc/Documentation/cgroups/memory.txt).
* **`oomScoreAdj`** *(int, optional)* - adjust the oom-killer score
###### Example
###### Example
```json
"oomScoreAdj": 0
```
#### Memory
`memory` represents the cgroup subsystem `memory` and it's used to set limits on the container's memory usage.
For more information, see [the memory cgroup man page](https://www.kernel.org/doc/Documentation/cgroups/memory.txt).
The following parameters can be specified to setup the controller:
* **`limit`** *(uint64, optional)* - sets limit of memory usage
* **`reservation`** *(uint64, optional)* - sets soft limit of memory usage
* **`swap`** *(uint64, optional)* - sets limit of memory+Swap usage
* **`kernel`** *(uint64, optional)* - sets hard limit for kernel memory
* **`kernelTCP`** *(uint64, optional)* - sets hard limit for kernel memory in tcp using
* **`swappiness`** *(uint64, optional)* - sets swappiness parameter of vmscan (See sysctl's vm.swappiness)
###### Example
```json
"memory": {
"limit": 0,
"reservation": 0,
"swap": 0,
"kernel": 0,
"swappiness": -1
"kernelTCP": 0,
"swappiness": 0
}
```
#### CPU
`cpu` represents the cgroup subsystems `cpu` and `cpusets`.
For more information, see [the cpusets cgroup man page](https://www.kernel.org/doc/Documentation/cgroups/cpusets.txt).
The following parameters can be specified to setup the controller:
* **`shares`** *(uint64, optional)* - specifies a relative share of CPU time available to the tasks in a cgroup
* **`quota`** *(uint64, optional)* - specifies the total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by **`period`** below)
* **`period`** *(uint64, optional)* - specifies a period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated (CFS scheduler only)
* **`realtimeRuntime`** *(uint64, optional)* - specifies a period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources
* **`realtimePeriod`** *(uint64, optional)* - same as **`period`** but applies to realtime scheduler only
* **`cpus`** *(string, optional)* - list of CPUs the container will run in
* **`mems`** *(string, optional)* - list of Memory Nodes the container will run in
###### Example
```json
"cpu": {
"shares": 0,
@ -187,9 +293,9 @@ For example, to run a new process in an existing container without updating limi
#### Block IO Controller
`blockIO` represents the cgroup subsystem `blkio` which implements the block io controller.
For more information, see the [kernel cgroups documentation about `blkio`](https://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt).
For more information, see [the kernel cgroups documentation about blkio](https://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt).
The following parameters can be specified to setup the block io controller:
The following parameters can be specified to setup the controller:
* **`blkioWeight`** *(uint16, optional)* - specifies per-cgroup weight. This is default weight of the group on all devices until and unless overridden by per-device rules. The range is from 10 to 1000.
@ -197,8 +303,8 @@ The following parameters can be specified to setup the block io controller:
* **`blkioWeightDevice`** *(array, optional)* - specifies the list of devices which will be bandwidth rate limited. The following parameters can be specified per-device:
* **`major, minor`** *(int64, required)* - major, minor numbers for device. More info in `man mknod`.
* **`weight`** *(uint16, optional)* - bandwidth rate for the device, range is from 10 to 1000.
* **`leafWeight`** *(uint16, optional)* - bandwidth rate for the device while competing with the cgroup's child cgroups, range is from 10 to 1000, cfq scheduler only.
* **`weight`** *(uint16, optional)* - bandwidth rate for the device, range is from 10 to 1000
* **`leafWeight`** *(uint16, optional)* - bandwidth rate for the device while competing with the cgroup's child cgroups, range is from 10 to 1000, CFQ scheduler only
You must specify at least one of `weight` or `leafWeight` in a given entry, and can specify both.
@ -244,6 +350,18 @@ The following parameters can be specified to setup the block io controller:
#### Huge page limits
`hugepageLimits` represents the `hugetlb` controller which allows to limit the
HugeTLB usage per control group and enforces the controller limit during page fault.
For more information, see the [kernel cgroups documentation about HugeTLB](https://www.kernel.org/doc/Documentation/cgroups/hugetlb.txt).
`hugepageLimits` is an array of entries, each having the following structure:
* **`pageSize`** *(string, required)* - hugepage size
* **`limit`** *(uint64, required)* - limit in bytes of *hugepagesize* HugeTLB usage
###### Example
```json
"hugepageLimits": [
{
@ -255,9 +373,23 @@ The following parameters can be specified to setup the block io controller:
#### Network
`network` represents the cgroup subsystems `net_cls` and `net_prio`.
For more information, see [the net\_cls cgroup man page](https://www.kernel.org/doc/Documentation/cgroups/net_cls.txt) and [the net\_prio cgroup man page](https://www.kernel.org/doc/Documentation/cgroups/net_prio.txt).
The following parameters can be specified to setup these cgroup controllers:
* **`classID`** *(uint32, optional)* - is the network class identifier the cgroup's network packets will be tagged with
* **`priorities`** *(array, optional)* - specifies a list of objects of the priorities assigned to traffic originating from
processes in the group and egressing the system on various interfaces. The following parameters can be specified per-priority:
* **`name`** *(string, required)* - interface name
* **`priority`** *(uint32, required)* - priority applied to the interface
###### Example
```json
"network": {
"classId": "ClassId",
"classID": 1048577,
"priorities": [
{
"name": "eth0",
@ -271,11 +403,31 @@ The following parameters can be specified to setup the block io controller:
}
```
#### PIDs
`pids` represents the cgroup subsystem `pids`.
For more information, see [the pids cgroup man page](https://www.kernel.org/doc/Documentation/cgroups/pids.txt
).
The following paramters can be specified to setup the controller:
* **`limit`** *(int64, required)* - specifies the maximum number of tasks in the cgroup
###### Example
```json
"pids": {
"limit": 32771
}
```
## Sysctl
sysctl allows kernel parameters to be modified at runtime for the container.
For more information, see [the man page](http://man7.org/linux/man-pages/man8/sysctl.8.html)
###### Example
```json
"sysctl": {
"net.ipv4.ip_forward": "1",
@ -289,6 +441,8 @@ rlimits allow setting resource limits.
`type` is a string with a value from those defined in [the man page](http://man7.org/linux/man-pages/man2/setrlimit.2.html).
The kernel enforces the `soft` limit for a resource while the `hard` limit acts as a ceiling for that value that could be set by an unprivileged process.
###### Example
```json
"rlimits": [
{
@ -303,6 +457,9 @@ The kernel enforces the `soft` limit for a resource while the `hard` limit acts
SELinux process label specifies the label with which the processes in a container are run.
For more information about SELinux, see [Selinux documentation](http://selinuxproject.org/page/Main_Page)
###### Example
```json
"selinuxProcessLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675"
```
@ -312,6 +469,8 @@ For more information about SELinux, see [Selinux documentation](http://selinuxp
Apparmor profile specifies the name of the apparmor profile that will be used for the container.
For more information about Apparmor, see [Apparmor documentation](https://wiki.ubuntu.com/AppArmor)
###### Example
```json
"apparmorProfile": "acme_secure_profile"
```
@ -353,6 +512,8 @@ Operator Constants:
* `SCMP_CMP_GT`
* `SCMP_CMP_MASKED_EQ`
###### Example
```json
"seccomp": {
"defaultAction": "SCMP_ACT_ALLOW",
@ -374,6 +535,19 @@ rootfsPropagation sets the rootfs's mount propagation.
Its value is either slave, private, or shared.
[The kernel doc](https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt) has more information about mount propagation.
###### Example
```json
"rootfsPropagation": "slave",
```
## No new privileges
Setting `noNewPrivileges` to true prevents the processes in the container from gaining additional privileges.
[The kernel doc](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt) has more information on how this is achieved using a prctl system call.
###### Example
```json
"noNewPrivileges": true,
```

View File

@ -5,9 +5,9 @@
Lifecycle hooks allow custom events for different points in a container's runtime.
Presently there are `Prestart`, `Poststart` and `Poststop`.
* [`Prestart`](#pre-start) is a list of hooks to be run before the container process is executed
* [`Poststart`](#post-start) is a list of hooks to be run immediately after the container process is started
* [`Poststop`](#post-stop) is a list of hooks to be run after the container process exits
* [`Prestart`](#prestart) is a list of hooks to be run before the container process is executed
* [`Poststart`](#poststart) is a list of hooks to be run immediately after the container process is started
* [`Poststop`](#poststop) is a list of hooks to be run after the container process exits
Hooks allow one to run code before/after various lifecycle events of the container.
Hooks MUST be called in the listed order.
@ -15,7 +15,7 @@ The state of the container is passed to the hooks over stdin, so the hooks could
Hook paths are absolute and are executed from the host's filesystem.
### Pre-start
### Prestart
The pre-start hooks are called after the container process is spawned, but before the user supplied command is executed.
They are called after the container namespaces are created on Linux, so they provide an opportunity to customize the container.
@ -23,14 +23,14 @@ In Linux, for e.g., the network namespace could be configured in this hook.
If a hook returns a non-zero exit code, then an error including the exit code and the stderr is returned to the caller and the container is torn down.
### Post-start
### Poststart
The post-start hooks are called after the user process is started.
For example this hook can notify user that real process is spawned.
If a hook returns a non-zero exit code, then an error is logged and the remaining hooks are executed.
### Post-stop
### Poststop
The post-stop hooks are called after the container process is stopped.
Cleanup or debugging could be performed in such a hook.
@ -43,7 +43,7 @@ If a hook returns a non-zero exit code, then an error is logged and the remainin
"prestart": [
{
"path": "/usr/bin/fix-mounts",
"args": ["arg1", "arg2"],
"args": ["fix-mounts", "arg1", "arg2"],
"env": [ "key1=value1"]
},
{
@ -58,7 +58,7 @@ If a hook returns a non-zero exit code, then an error is logged and the remainin
"poststop": [
{
"path": "/usr/sbin/cleanup.sh",
"args": ["-f"]
"args": ["cleanup.sh", "-f"]
}
]
}
@ -66,6 +66,7 @@ If a hook returns a non-zero exit code, then an error is logged and the remainin
`path` is required for a hook.
`args` and `env` are optional.
The semantics are the same as `Path`, `Args` and `Env` in [golang Cmd](https://golang.org/pkg/os/exec/#Cmd).
## Mount Configuration

View File

@ -27,29 +27,32 @@ This is provided so that consumers can find the container's configuration and ro
```json
{
"version": "0.2.0",
"id": "oc-container",
"pid": 4422,
"root": "/containers/redis"
"bundlePath": "/containers/redis"
}
```
## Lifecycle
The lifecycle describes the timeline of events that happen from when a container is created to when it ceases to exist.
### Create
1. OCI compliant runtime is invoked by passing the bundle path as argument.
2. The container's runtime environment is created according to the configuration in `config.json` and `runtime.json`.
Any updates to `config.json` or `runtime.json` after container is running do not affect the container.
3. The container's state.json file is written to the filesystem.
4. The prestart hooks are invoked by the runtime.
If any prestart hook fails, then the container is stopped and the lifecycle continues at step 8.
5. The user specified process is executed in the container.
6. The poststart hooks are invoked by the runtime.
If any poststart hook fails, then the container is stopped and the lifecycle continues at step 8.
7. Additional actions such as pausing the container, resuming the container or signaling the container may be performed using the runtime interface.
The container could also error out or crash.
8. The container is destroyed by undoing the steps performed during create phase (step 2).
9. The poststop hooks are invoked by the runtime and errors, if any, are logged.
10. The state.json file associated with the container is removed and the return code of the container's user specified process is returned or logged.
Creates the container: file system, namespaces, cgroups, capabilities.
### Start (process)
Runs a process in a container.
Can be invoked several times.
### Stop (process)
Not sure we need that from runc cli.
Process is killed from the outside.
This event needs to be captured by runc to run onstop event handlers.
Note: The lifecycle is a WIP and it will evolve as we have more use cases and more information on the viability of a separate create phase.
## Hooks

View File

@ -1,6 +1,8 @@
package specs
// RuntimeSpec is the generic runtime state information on a running container
// RuntimeSpec contains host-specific configuration information for
// a container. This information must not be included when the bundle
// is packaged for distribution.
type RuntimeSpec struct {
// Mounts is a mapping of names to mount configurations.
// Which mounts will be mounted and where should be chosen with MountPoints
@ -13,19 +15,19 @@ type RuntimeSpec struct {
// Hook specifies a command that is run at a particular event in the lifecycle of a container
type Hook struct {
Path string `json:"path"`
Args []string `json:"args"`
Env []string `json:"env"`
Args []string `json:"args,omitempty"`
Env []string `json:"env,omitempty"`
}
// Hooks for container setup and teardown
type Hooks struct {
// Prestart is a list of hooks to be run before the container process is executed.
// On Linux, they are run after the container namespaces are created.
Prestart []Hook `json:"prestart"`
Prestart []Hook `json:"prestart,omitempty"`
// Poststart is a list of hooks to be run after the container process is started.
Poststart []Hook `json:"poststart"`
Poststart []Hook `json:"poststart,omitempty"`
// Poststop is a list of hooks to be run after the container process exits.
Poststop []Hook `json:"poststop"`
Poststop []Hook `json:"poststop,omitempty"`
}
// Mount specifies a mount for a container
@ -36,5 +38,5 @@ type Mount struct {
// linux based systems this would be the file on the host.
Source string `json:"source"`
// Options are fstab style mount options.
Options []string `json:"options"`
Options []string `json:"options,omitempty"`
}

View File

@ -15,20 +15,20 @@ type LinuxRuntimeSpec struct {
// LinuxRuntime hosts the Linux-only runtime information
type LinuxRuntime struct {
// UIDMapping specifies user mappings for supporting user namespaces on linux.
UIDMappings []IDMapping `json:"uidMappings"`
UIDMappings []IDMapping `json:"uidMappings,omitempty"`
// GIDMapping specifies group mappings for supporting user namespaces on linux.
GIDMappings []IDMapping `json:"gidMappings"`
GIDMappings []IDMapping `json:"gidMappings,omitempty"`
// Rlimits specifies rlimit options to apply to the container's process.
Rlimits []Rlimit `json:"rlimits"`
Rlimits []Rlimit `json:"rlimits,omitempty"`
// Sysctl are a set of key value pairs that are set for the container on start
Sysctl map[string]string `json:"sysctl"`
Sysctl map[string]string `json:"sysctl,omitempty"`
// Resources contain cgroup information for handling resource constraints
// for the container
Resources *Resources `json:"resources"`
Resources *Resources `json:"resources,omitempty"`
// CgroupsPath specifies the path to cgroups that are created and/or joined by the container.
// The path is expected to be relative to the cgroups mountpoint.
// If resources are specified, the cgroups at CgroupsPath will be updated based on resources.
CgroupsPath string `json:"cgroupsPath"`
CgroupsPath *string `json:"cgroupsPath,omitempty"`
// Namespaces contains the namespaces that are created and/or joined by the container
Namespaces []Namespace `json:"namespaces"`
// Devices are a list of device nodes that are created and enabled for the container
@ -39,8 +39,10 @@ type LinuxRuntime struct {
SelinuxProcessLabel string `json:"selinuxProcessLabel"`
// Seccomp specifies the seccomp security settings for the container.
Seccomp Seccomp `json:"seccomp"`
// RootfsPropagation is the rootfs mount propagation mode for the container
RootfsPropagation string `json:"rootfsPropagation"`
// RootfsPropagation is the rootfs mount propagation mode for the container.
RootfsPropagation string `json:"rootfsPropagation,omitempty"`
// NoNewPrivileges controls whether additional privileges could be gained by processes in the container.
NoNewPrivileges bool `json:"noNewPrivileges,omitempty"`
}
// Namespace is the configuration for a linux namespace
@ -49,7 +51,7 @@ type Namespace struct {
Type NamespaceType `json:"type"`
// Path is a path to an existing namespace persisted on disk that can be joined
// and is of the same type
Path string `json:"path"`
Path string `json:"path,omitempty"`
}
// NamespaceType is one of the linux namespaces
@ -93,9 +95,9 @@ type Rlimit struct {
// HugepageLimit structure corresponds to limiting kernel hugepages
type HugepageLimit struct {
// Pagesize is the hugepage size
Pagesize string `json:"pageSize"`
Pagesize *string `json:"pageSize,omitempty"`
// Limit is the limit of "hugepagesize" hugetlb usage
Limit uint64 `json:"limit"`
Limit *uint64 `json:"limit,omitempty"`
}
// InterfacePriority for network interfaces
@ -103,7 +105,7 @@ type InterfacePriority struct {
// Name is the name of the network interface
Name string `json:"name"`
// Priority for the interface
Priority int64 `json:"priority"`
Priority uint32 `json:"priority"`
}
// blockIODevice holds major:minor format supported in blkio cgroup
@ -118,78 +120,80 @@ type blockIODevice struct {
type WeightDevice struct {
blockIODevice
// Weight is the bandwidth rate for the device, range is from 10 to 1000
Weight uint16 `json:"weight"`
// LeafWeight is the bandwidth rate for the device while competing with the cgroup's child cgroups, range is from 10 to 1000, cfq scheduler only
LeafWeight uint16 `json:"leafWeight"`
Weight *uint16 `json:"weight,omitempty"`
// LeafWeight is the bandwidth rate for the device while competing with the cgroup's child cgroups, range is from 10 to 1000, CFQ scheduler only
LeafWeight *uint16 `json:"leafWeight,omitempty"`
}
// ThrottleDevice struct holds a `major:minor rate_per_second` pair
type ThrottleDevice struct {
blockIODevice
// Rate is the IO rate limit per cgroup per device
Rate uint64 `json:"rate"`
Rate *uint64 `json:"rate,omitempty"`
}
// BlockIO for Linux cgroup 'blkio' resource management
type BlockIO struct {
// Specifies per cgroup weight, range is from 10 to 1000
Weight uint16 `json:"blkioWeight"`
// Specifies tasks' weight in the given cgroup while competing with the cgroup's child cgroups, range is from 10 to 1000, cfq scheduler only
LeafWeight uint16 `json:"blkioLeafWeight"`
Weight *uint16 `json:"blkioWeight,omitempty"`
// Specifies tasks' weight in the given cgroup while competing with the cgroup's child cgroups, range is from 10 to 1000, CFQ scheduler only
LeafWeight *uint16 `json:"blkioLeafWeight,omitempty"`
// Weight per cgroup per device, can override BlkioWeight
WeightDevice []*WeightDevice `json:"blkioWeightDevice"`
WeightDevice []*WeightDevice `json:"blkioWeightDevice,omitempty"`
// IO read rate limit per cgroup per device, bytes per second
ThrottleReadBpsDevice []*ThrottleDevice `json:"blkioThrottleReadBpsDevice"`
ThrottleReadBpsDevice []*ThrottleDevice `json:"blkioThrottleReadBpsDevice,omitempty"`
// IO write rate limit per cgroup per device, bytes per second
ThrottleWriteBpsDevice []*ThrottleDevice `json:"blkioThrottleWriteBpsDevice"`
ThrottleWriteBpsDevice []*ThrottleDevice `json:"blkioThrottleWriteBpsDevice,omitempty"`
// IO read rate limit per cgroup per device, IO per second
ThrottleReadIOPSDevice []*ThrottleDevice `json:"blkioThrottleReadIOPSDevice"`
ThrottleReadIOPSDevice []*ThrottleDevice `json:"blkioThrottleReadIOPSDevice,omitempty"`
// IO write rate limit per cgroup per device, IO per second
ThrottleWriteIOPSDevice []*ThrottleDevice `json:"blkioThrottleWriteIOPSDevice"`
ThrottleWriteIOPSDevice []*ThrottleDevice `json:"blkioThrottleWriteIOPSDevice,omitempty"`
}
// Memory for Linux cgroup 'memory' resource management
type Memory struct {
// Memory limit (in bytes)
Limit int64 `json:"limit"`
// Memory reservation or soft_limit (in bytes)
Reservation int64 `json:"reservation"`
// Total memory usage (memory + swap); set `-1' to disable swap
Swap int64 `json:"swap"`
// Kernel memory limit (in bytes)
Kernel int64 `json:"kernel"`
// How aggressive the kernel will swap memory pages. Range from 0 to 100. Set -1 to use system default
Swappiness int64 `json:"swappiness"`
// Memory limit (in bytes).
Limit *uint64 `json:"limit,omitempty"`
// Memory reservation or soft_limit (in bytes).
Reservation *uint64 `json:"reservation,omitempty"`
// Total memory limit (memory + swap).
Swap *uint64 `json:"swap,omitempty"`
// Kernel memory limit (in bytes).
Kernel *uint64 `json:"kernel,omitempty"`
// Kernel memory limit for tcp (in bytes)
KernelTCP *uint64 `json:"kernelTCP"`
// How aggressive the kernel will swap memory pages. Range from 0 to 100.
Swappiness *uint64 `json:"swappiness,omitempty"`
}
// CPU for Linux cgroup 'cpu' resource management
type CPU struct {
// CPU shares (relative weight vs. other cgroups with cpu shares)
Shares int64 `json:"shares"`
// CPU hardcap limit (in usecs). Allowed cpu time in a given period
Quota int64 `json:"quota"`
// CPU period to be used for hardcapping (in usecs). 0 to use system default
Period int64 `json:"period"`
// How many time CPU will use in realtime scheduling (in usecs)
RealtimeRuntime int64 `json:"realtimeRuntime"`
// CPU period to be used for realtime scheduling (in usecs)
RealtimePeriod int64 `json:"realtimePeriod"`
// CPU to use within the cpuset
Cpus string `json:"cpus"`
// MEM to use within the cpuset
Mems string `json:"mems"`
// CPU shares (relative weight (ratio) vs. other cgroups with cpu shares).
Shares *uint64 `json:"shares,omitempty"`
// CPU hardcap limit (in usecs). Allowed cpu time in a given period.
Quota *uint64 `json:"quota,omitempty"`
// CPU period to be used for hardcapping (in usecs).
Period *uint64 `json:"period,omitempty"`
// How much time realtime scheduling may use (in usecs).
RealtimeRuntime *uint64 `json:"realtimeRuntime,omitempty"`
// CPU period to be used for realtime scheduling (in usecs).
RealtimePeriod *uint64 `json:"realtimePeriod,omitempty"`
// CPUs to use within the cpuset. Default is to use any CPU available.
Cpus *string `json:"cpus,omitempty"`
// List of memory nodes in the cpuset. Default is to use any available memory node.
Mems *string `json:"mems,omitempty"`
}
// Pids for Linux cgroup 'pids' resource management (Linux 4.3)
type Pids struct {
// Maximum number of PIDs. A value < 0 implies "no limit".
Limit int64 `json:"limit"`
// Maximum number of PIDs. Default is "no limit".
Limit *int64 `json:"limit,omitempty"`
}
// Network identification and priority configuration
type Network struct {
// Set class identifier for container's network packets
ClassID string `json:"classId"`
ClassID *uint32 `json:"classID"`
// Set priority of network traffic for container
Priorities []InterfacePriority `json:"priorities"`
}
@ -197,19 +201,21 @@ type Network struct {
// Resources has container runtime resource constraints
type Resources struct {
// DisableOOMKiller disables the OOM killer for out of memory conditions
DisableOOMKiller bool `json:"disableOOMKiller"`
DisableOOMKiller *bool `json:"disableOOMKiller,omitempty"`
// Specify an oom_score_adj for the container.
OOMScoreAdj *int `json:"oomScoreAdj,omitempty"`
// Memory restriction configuration
Memory Memory `json:"memory"`
Memory *Memory `json:"memory,omitempty"`
// CPU resource restriction configuration
CPU CPU `json:"cpu"`
CPU *CPU `json:"cpu,omitempty"`
// Task resource restriction configuration.
Pids Pids `json:"pids"`
Pids *Pids `json:"pids,omitempty"`
// BlockIO restriction configuration
BlockIO BlockIO `json:"blockIO"`
BlockIO *BlockIO `json:"blockIO,omitempty"`
// Hugetlb limit (in bytes)
HugepageLimits []HugepageLimit `json:"hugepageLimits"`
HugepageLimits []HugepageLimit `json:"hugepageLimits,omitempty"`
// Network restriction configuration
Network Network `json:"network"`
Network *Network `json:"network,omitempty"`
}
// Device represents the information on a Linux special device file
@ -239,10 +245,11 @@ type Seccomp struct {
Syscalls []*Syscall `json:"syscalls"`
}
// Additional architectures permitted to be used for system calls
// By default only the native architecture of the kernel is permitted
// Arch used for additional architectures
type Arch string
// Additional architectures permitted to be used for system calls
// By default only the native architecture of the kernel is permitted
const (
ArchX86 Arch = "SCMP_ARCH_X86"
ArchX86_64 Arch = "SCMP_ARCH_X86_64"
@ -260,6 +267,7 @@ const (
// Action taken upon Seccomp rule match
type Action string
// Define actions for Seccomp rules
const (
ActKill Action = "SCMP_ACT_KILL"
ActTrap Action = "SCMP_ACT_TRAP"
@ -271,6 +279,7 @@ const (
// Operator used to match syscall arguments in Seccomp
type Operator string
// Define operators for syscall arguments in Seccomp
const (
OpNotEqual Operator = "SCMP_CMP_NE"
OpLessThan Operator = "SCMP_CMP_LT"

View File

@ -0,0 +1,16 @@
package specs
// State holds information about the runtime state of the container.
// This information will be stored in a file called `state.json`.
// The location of this file will be operating system specific. On Linux
// it will be in `/run/opencontainers/runc/<containerID>/state.json`
type State struct {
// Version is the version of the specification that is supported.
Version string `json:"version"`
// ID is the container ID
ID string `json:"id"`
// Pid is the process id for the container's main process.
Pid int `json:"pid"`
// BundlePath is the path to the container's bundle directory.
BundlePath string `json:"bundlePath"`
}

View File

@ -0,0 +1,21 @@
# Style and conventions
## Traditionally hex settings should use JSON integers, not JSON strings
For example, [`"classID": 1048577`][class-id] instead of `"classID": "0x100001"`.
The config JSON isn't enough of a UI to be worth jumping through string <-> integer hoops to support an 0x… form ([source][integer-over-hex]).
## Constant names should keep redundant prefixes
For example, `CAP_KILL` instead of `KILL` in [**`linux.capabilities`**][capabilities]).
The redundancy reduction from removing the namespacing prefix is not useful enough to be worth trimming the upstream identifier ([source][keep-prefix]).
## Optional settings should have pointer Go types
So we have a consistent way to identify unset values ([source][optional-pointer]).
[capabilities]: config-linux.md#capabilities
[class-id]: runtime-config-linux.md#network
[integer-over-hex]: https://github.com/opencontainers/specs/pull/267#discussion_r48360013
[keep-prefix]: https://github.com/opencontainers/specs/pull/159#issuecomment-138728337
[optional-pointer]: https://github.com/opencontainers/specs/pull/233#discussion_r47829711

View File

@ -6,10 +6,13 @@ const (
// VersionMajor is for an API incompatible changes
VersionMajor = 0
// VersionMinor is for functionality in a backwards-compatible manner
VersionMinor = 2
VersionMinor = 3
// VersionPatch is for backwards-compatible bug fixes
VersionPatch = 0
// VersionDev indicates development branch. Releases will be empty string.
VersionDev = "-dev"
)
// Version is the specification version that the package types support.
var Version = fmt.Sprintf("%d.%d.%d", VersionMajor, VersionMinor, VersionPatch)
var Version = fmt.Sprintf("%d.%d.%d%s", VersionMajor, VersionMinor, VersionPatch, VersionDev)

109
spec.go
View File

@ -223,9 +223,7 @@ var specCommand = cli.Command{
},
},
Resources: &specs.Resources{
Memory: specs.Memory{
Swappiness: -1,
},
Memory: &specs.Memory{},
},
Seccomp: specs.Seccomp{
DefaultAction: "SCMP_ACT_ALLOW",
@ -460,55 +458,110 @@ func createCgroupConfig(name string, spec *specs.LinuxRuntimeSpec, devices []*co
}
c.Resources.AllowedDevices = append(devices, allowedDevices...)
r := spec.Linux.Resources
c.Resources.Memory = r.Memory.Limit
c.Resources.MemoryReservation = r.Memory.Reservation
c.Resources.MemorySwap = r.Memory.Swap
c.Resources.KernelMemory = r.Memory.Kernel
c.Resources.MemorySwappiness = r.Memory.Swappiness
c.Resources.CpuShares = r.CPU.Shares
c.Resources.CpuQuota = r.CPU.Quota
c.Resources.CpuPeriod = r.CPU.Period
c.Resources.CpuRtRuntime = r.CPU.RealtimeRuntime
c.Resources.CpuRtPeriod = r.CPU.RealtimePeriod
c.Resources.CpusetCpus = r.CPU.Cpus
c.Resources.CpusetMems = r.CPU.Mems
c.Resources.PidsLimit = r.Pids.Limit
c.Resources.BlkioWeight = r.BlockIO.Weight
c.Resources.BlkioLeafWeight = r.BlockIO.LeafWeight
if r != nil {
if r.Memory != nil {
if r.Memory.Limit != nil {
c.Resources.Memory = int64(*r.Memory.Limit)
}
if r.Memory.Reservation != nil {
c.Resources.MemoryReservation = int64(*r.Memory.Reservation)
}
if r.Memory.Swap != nil {
c.Resources.MemorySwap = int64(*r.Memory.Swap)
}
if r.Memory.Kernel != nil {
c.Resources.KernelMemory = int64(*r.Memory.Kernel)
}
if r.Memory.Swappiness != nil {
c.Resources.MemorySwappiness = int64(*r.Memory.Swappiness)
}
}
if r.CPU != nil {
if r.CPU.Shares != nil {
c.Resources.CpuShares = int64(*r.CPU.Shares)
}
if r.CPU.Quota != nil {
c.Resources.CpuQuota = int64(*r.CPU.Quota)
}
if r.CPU.Period != nil {
c.Resources.CpuPeriod = int64(*r.CPU.Period)
}
if r.CPU.RealtimeRuntime != nil {
c.Resources.CpuRtRuntime = int64(*r.CPU.RealtimeRuntime)
}
if r.CPU.RealtimePeriod != nil {
c.Resources.CpuRtPeriod = int64(*r.CPU.RealtimePeriod)
}
if r.CPU.Cpus != nil {
c.Resources.CpusetCpus = *r.CPU.Cpus
}
if r.CPU.Mems != nil {
c.Resources.CpusetMems = *r.CPU.Mems
}
}
if r.Pids != nil {
c.Resources.PidsLimit = *r.Pids.Limit
}
if r.BlockIO != nil {
if r.BlockIO.Weight != nil {
c.Resources.BlkioWeight = *r.BlockIO.Weight
}
if r.BlockIO.LeafWeight != nil {
c.Resources.BlkioLeafWeight = *r.BlockIO.LeafWeight
}
if r.BlockIO.WeightDevice != nil {
for _, wd := range r.BlockIO.WeightDevice {
weightDevice := configs.NewWeightDevice(wd.Major, wd.Minor, wd.Weight, wd.LeafWeight)
weightDevice := configs.NewWeightDevice(wd.Major, wd.Minor, *wd.Weight, *wd.LeafWeight)
c.Resources.BlkioWeightDevice = append(c.Resources.BlkioWeightDevice, weightDevice)
}
}
if r.BlockIO.ThrottleReadBpsDevice != nil {
for _, td := range r.BlockIO.ThrottleReadBpsDevice {
throttleDevice := configs.NewThrottleDevice(td.Major, td.Minor, td.Rate)
throttleDevice := configs.NewThrottleDevice(td.Major, td.Minor, *td.Rate)
c.Resources.BlkioThrottleReadBpsDevice = append(c.Resources.BlkioThrottleReadBpsDevice, throttleDevice)
}
}
if r.BlockIO.ThrottleWriteBpsDevice != nil {
for _, td := range r.BlockIO.ThrottleWriteBpsDevice {
throttleDevice := configs.NewThrottleDevice(td.Major, td.Minor, td.Rate)
throttleDevice := configs.NewThrottleDevice(td.Major, td.Minor, *td.Rate)
c.Resources.BlkioThrottleWriteBpsDevice = append(c.Resources.BlkioThrottleWriteBpsDevice, throttleDevice)
}
}
if r.BlockIO.ThrottleReadIOPSDevice != nil {
for _, td := range r.BlockIO.ThrottleReadIOPSDevice {
throttleDevice := configs.NewThrottleDevice(td.Major, td.Minor, td.Rate)
throttleDevice := configs.NewThrottleDevice(td.Major, td.Minor, *td.Rate)
c.Resources.BlkioThrottleReadIOPSDevice = append(c.Resources.BlkioThrottleReadIOPSDevice, throttleDevice)
}
}
if r.BlockIO.ThrottleWriteIOPSDevice != nil {
for _, td := range r.BlockIO.ThrottleWriteIOPSDevice {
throttleDevice := configs.NewThrottleDevice(td.Major, td.Minor, td.Rate)
throttleDevice := configs.NewThrottleDevice(td.Major, td.Minor, *td.Rate)
c.Resources.BlkioThrottleWriteIOPSDevice = append(c.Resources.BlkioThrottleWriteIOPSDevice, throttleDevice)
}
}
}
for _, l := range r.HugepageLimits {
c.Resources.HugetlbLimit = append(c.Resources.HugetlbLimit, &configs.HugepageLimit{
Pagesize: l.Pagesize,
Limit: l.Limit,
Pagesize: *l.Pagesize,
Limit: *l.Limit,
})
}
c.Resources.OomKillDisable = r.DisableOOMKiller
c.Resources.NetClsClassid = r.Network.ClassID
if r.DisableOOMKiller != nil {
c.Resources.OomKillDisable = *r.DisableOOMKiller
}
if r.Network != nil {
if r.Network.ClassID != nil {
c.Resources.NetClsClassid = string(*r.Network.ClassID)
}
for _, m := range r.Network.Priorities {
c.Resources.NetPrioIfpriomap = append(c.Resources.NetPrioIfpriomap, &configs.IfPrioMap{
Interface: m.Name,
Priority: m.Priority,
Priority: int64(m.Priority),
})
}
}
}
return c, nil
}