diff --git a/Makefile b/Makefile
index 559d6179..e353d8eb 100644
--- a/Makefile
+++ b/Makefile
@@ -15,6 +15,7 @@ DOC_FILES := \
 runtime-linux.md \
 config.md \
 config-linux.md \
+ config-solaris.md \
 glossary.md
 
 EPOCH_TEST_COMMIT := 78e6667ae2d67aad100b28ee9580b41b7a24e667
diff --git a/config-solaris.md b/config-solaris.md
new file mode 100644
index 00000000..06311253
--- /dev/null
+++ b/config-solaris.md
@@ -0,0 +1,116 @@
+# Solaris Application Container Configuration
+
+Solaris application containers can be configured using the following properties, all of the below properties have mappings to properties specified under zonecfg(1M) man page, except milestone.
+The Solaris specification is entirely optional.
+
+## milestone
+The SMF(Service Management Facility) FMRI which should go to "online" state before we start the desired process within the container.
+
+**`milestone`** *(string, optional)*
+
+### Example
+```json
+"milestone": "svc:/milestone/container:default"
+```
+
+## limitpriv
+The maximum set of privileges any process in this container can obtain.
+The property should consist of a comma-separated privilege set specification as described in priv_str_to_set(3C) man page for the respective release of Solaris.
+
+**`limitpriv`** *(string, optional)*
+
+### Example
+```json
+"limitpriv": "default"
+```
+
+## maxShmMemory
+The maximum amount of shared memory allowed for this application container.
+A scale (K, M, G, T) can be applied to the value for each of these numbers (for example, 1M is one megabyte).
+Mapped to max-shm-memory in zonecfg(1M) man page.
+
+**`maxShmMemory`** *(string, optional)*
+
+### Example
+```json
+"maxShmMemory": "512m"
+```
+
+## cappedCPU
+Sets a limit on the amount of CPU time that can be used by a container.
+The unit used translates to the percentage of a single CPU that can be used by all user threads in a container, expressed as a fraction (for example, .75) or a mixed number (whole number and fraction, for example, 1.25).
+An ncpu value of 1 means 100% of a CPU, a value of 1.25 means 125%, .75 mean 75%, and so forth.
+When projects within a capped container have their own caps, the minimum value takes precedence.
+cappedCPU is mapped to capped-cpu in zonecfg(1M) man page.
+
+* **`ncpus`** *(string, optional)*
+
+### Example
+```json
+"cappedCPU": {
+ "ncpus": "8"
+}
+```
+
+## cappedMemory
+The physical and swap caps on the memory that can be used by this application container.
+A scale (K, M, G, T) can be applied to the value for each of these numbers (for example, 1M is one megabyte).
+cappedMemory is mapped to capped-memory in zonecfg(1M) man page.
+
+* **`physical`** *(string, optional)*
+* **`swap`** *(string, optional)*
+
+### Example
+```json
+"cappedMemory": {
+ "physical": "512m",
+ "swap": "512m"
+}
+```
+
+## Network
+
+### Automatic Network (anet)
+anet is specified as an array that is used to setup networking for Solaris application containers.
+The anet resource represents the automatic creation of a network resource for an application container.
+The zones administration daemon, zoneadmd, is the primary process for managing the container's virtual platform.
+One of the daemons is responsibilities is creation and teardown of the networks for the container.
+For more information on the daemon check the zoneadmd(1M) man page.
+When such a container is started, a temporary VNIC(Virtual NIC) is automatically created for the container.
+The VNIC is deleted when the container is torn down.
+The following properties can be used to setup automatic networks.
+For additional information on properties check zonecfg(1M) man page for the respective release of Solaris.
+
+* **`linkname`** *(string, optional)* Specify a name for the automatically created VNIC datalink.
+* **`lowerLink`** *(string, optional)* Specify the link over which the VNIC will be created.
+Mapped to lower-link in the zonecfg(1M) man page.
+* **`allowedAddress`** *(string, optional)* The set of IP addresses that the container can use might be constrained by specifying the allowedAddress property.
+If allowedAddress has not been specified, then they can use any IP address on the associated physical interface for the network resource.
+Otherwise, when allowedAddress is specified, the container cannot use IP addresses that are not in the allowedAddress list for the physical address.
+Mapped to allowed-address in the zonecfg(1M) man page.
+* **`configureAllowedAddress`** *(string, optional)* If configureAllowedAddress is set to true, the addresses specified by allowedAddress are automatically configured on the interface each time the container starts.
+When it is set to false, the allowedAddress will not be configured on container start.
+Mapped to configure-allowed-address in the zonecfg(1M) man page.
+* **`defrouter`** *(string, optional)* The value for the optional default router.
+* **`macAddress`** *(string, optional)* Set the VNIC's MAC addresses based on the specified value or keyword.
+If not a keyword, it is interpreted as a unicast MAC address.
+For a list of the supported keywords please refer to the zonecfg(1M) man page of the respective Solaris release.
+Mapped to mac-address in the zonecfg(1M) man page.
+* **`linkProtection`** *(string, optional)* Enables one or more types of link protection using comma-separated values.
+See the protection property in dladm(8) for supported values in respective release of Solaris.
+Mapped to link-protection in the zonecfg(1M) man page.
+
+#### Example
+```json
+"anet": [
+ {
+ "allowedAddress": "172.17.0.2/16",
+ "configureAllowedAddress": "true",
+ "defrouter": "172.17.0.1/16",
+ "linkProtection": "mac-nospoof, ip-nospoof",
+ "linkname": "net0",
+ "lowerLink": "net2",
+ "macAddress": "02:42:f8:52:c7:16"
+ }
+]
+```
diff --git a/config.md b/config.md
index 1a533324..ce239757 100644
--- a/config.md
+++ b/config.md
@@ -108,9 +108,9 @@ For more information about SELinux, see [Selinux documentation](http://selinuxp
 
 The user for the process is a platform-specific structure that allows specific control over which user the process runs as.
 
-#### Linux User
+#### Linux and Solaris User
 
-For Linux-based systems the user structure has the following fields:
+For Linux and Solaris based systems the user structure has the following fields:
 
 * **`uid`** (int, required) specifies the user id.
 * **`gid`** (int, required) specifies the group id.
@@ -118,6 +118,8 @@ For Linux-based systems the user structure has the following fields:
 
 _Note: symbolic name for uid and gid, such as uname and gname respectively, are left to upper levels to derive (i.e. `/etc/passwd` parsing, NSS, etc)_
 
+_Note: For Solaris, uid and gid specify the uid and gid of the process inside the container and need not be same as in the host._
+
 ### Example (Linux)
 
 ```json
@@ -153,6 +155,26 @@ _Note: symbolic name for uid and gid, such as uname and gname respectively, are
 ]
 }
 ```
+### Example (Solaris)
+
+```json
+"process": {
+ "terminal": true,
+ "user": {
+ "uid": 1,
+ "gid": 1,
+ "additionalGids": [2, 8]
+ },
+ "env": [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "TERM=xterm"
+ ],
+ "cwd": "/root",
+ "args": [
+ "/usr/bin/bash"
+ ],
+}
+```
 
 ## Hostname
 
@@ -630,6 +652,29 @@ Here is a full example `config.json` for reference.
 ],
 "mountLabel": "system_u:object_r:svirt_sandbox_file_t:s0:c715,c811"
 },
+ "solaris": {
+ "anet": [
+ {
+ "allowedAddress": "172.17.0.2/16",
+ "configureAllowedAddress": "true",
+ "defrouter": "172.17.0.1/16",
+ "linkProtection": "mac-nospoof, ip-nospoof",
+ "linkname": "net0",
+ "lowerLink": "net2",
+ "macAddress": "02:42:f8:52:c7:16"
+ }
+ ],
+ "cappedCPU": {
+ "ncpus": "0.8"
+ },
+ "cappedMemory": {
+ "physical": "1G",
+ "swap": "512m"
+ },
+ "maxShmMemory": "256m",
+ "limitpriv": "default",
+ "milestone": "svc:/milestone/container:default"
+ },
 "annotations": {
 "key1": "value1",
 "key2": "value2"
diff --git a/schema/README.md b/schema/README.md
index e81898a0..01a3e5ed 100644
--- a/schema/README.md
+++ b/schema/README.md
@@ -8,6 +8,7 @@ validating the `config.json` of this container runtime specification.
 The layout of the files is as follows:
 * [schema.json](schema.json) - the primary entrypoint for the whole schema document
 * [schema-linux.json](schema-linux.json) - this schema is for the Linux-specific sub-structure
+* [schema-solaris.json](schema-solaris.json) - this schema is for the Solaris-specific sub-structure
 * [defs.json](defs.json) - definitions for general types
 * [defs-linux.json](defs-linux.json) - definitions for Linux-specific types
 * [validate.go](validate.go) - validation utility source code
diff --git a/schema/schema-solaris.json b/schema/schema-solaris.json
new file mode 100644
index 00000000..fbc5977e
--- /dev/null
+++ b/schema/schema-solaris.json
@@ -0,0 +1,36 @@
+{
+ "solaris": {
+ "description": "Solaris platform-specific configurations",
+ "id": "https://opencontainers.org/schema/bundle/solaris",
+ "type": "object",
+ "properties": {
+ "milestone": {
+ "id": "https://opencontainers.org/schema/bundle/solaris/milestone",
+ "type": "string"
+ },
+ "limitpriv": {
+ "id": "https://opencontainers.org/schema/bundle/solaris/limitpriv",
+ "type": "string"
+ },
+ "maxShmMemory": {
+ "id": "https://opencontainers.org/schema/bundle/solaris/maxShmMemory",
+ "type": "string"
+ },
+ "cappedCPU": {
+ "id": "https://opencontainers.org/schema/bundle/solaris/cappedCPU",
+ "$ref": "defs.json#/definitions/mapStringString"
+ },
+ "cappedMemory": {
+ "id": "https://opencontainers.org/schema/bundle/solaris/cappedMemory",
+ "$ref": "defs.json#/definitions/mapStringString"
+ },
+ "anet": {
+ "id": "https://opencontainers.org/schema/bundle/solaris/anet",
+ "type": "array",
+ "items": {
+ "$ref": "defs.json#/definitions/mapStringString"
+ }
+ }
+ }
+ }
+}
diff --git a/schema/schema.json b/schema/schema.json
index ddfa5be4..5211c141 100644
--- a/schema/schema.json
+++ b/schema/schema.json
@@ -167,6 +167,9 @@
 },
 "linux": {
 "$ref": "schema-linux.json#/linux"
+ },
+ "solaris": {
+ "$ref": "schema-solaris.json#/solaris"
 }
 },
 "required": [
diff --git a/specs-go/config.go b/specs-go/config.go
index 81902399..269819d8 100644
--- a/specs-go/config.go
+++ b/specs-go/config.go
@@ -25,6 +25,8 @@ type Spec struct {
 
 // Linux is platform specific configuration for Linux based containers.
 Linux Linux `json:"linux" platform:"linux"`
+ // Solaris is platform specific configuration for Solaris containers.
+ Solaris Solaris `json:"solaris" platform:"solaris"`
 }
 
 // Process contains information to start a specific application inside the container.
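Review bot: `cappedCPU`, `cappedMemory` and the `anet` items are validated through `defs.json#/definitions/mapStringString`, so the schema accepts any key set and never rejects a misspelt property — an `anet` entry carrying `allowedAdress` or `linkprotection` passes validation while the runtime presumably ignores the unknown key, silently leaving the container without the address or link-protection restriction the author intended. The Go types added to `specs-go/config.go` in this same commit enumerate the expected keys (`ncpus`; `physical` and `swap`; the seven `anet` properties), so each of the three could instead be declared `"type": "object"` with a `"properties"` map of those keys typed `string` and `"additionalProperties": false`, matching the strictness of the Go structs. `mapStringString` lives in `defs.json`, outside this diff, so its exact shape is inferred from its name.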
@@ -358,6 +360,51 @@ type Seccomp struct {
 Syscalls []Syscall `json:"syscalls,omitempty"`
 }
 
+// Solaris contains platform specific configuration for Solaris application containers.
+type Solaris struct {
+ // SMF FMRI which should go "online" before we start the container process.
+ Milestone string `json:"milestone,omitempty"`
+ // Maximum set of privileges any process in this container can obtain.
+ LimitPriv string `json:"limitpriv,omitempty"`
+ // The maximum amount of shared memory allowed for this container.
+ MaxShmMemory string `json:"maxShmMemory,omitempty"`
+ // Specification for automatic creation of network resources for this container.
+ Anet []Anet `json:"anet,omitempty"`
+ // Set limit on the amount of CPU time that can be used by container.
+ CappedCPU CappedCPU `json:"cappedCPU,omitempty"`
+ // The physical and swap caps on the memory that can be used by this container.
+ CappedMemory CappedMemory `json:"cappedMemory,omitempty"`
+}
+
+// CappedCPU allows users to set limit on the amount of CPU time that can be used by container.
+type CappedCPU struct {
+ Ncpus string `json:"ncpus,omitempty"`
+}
+
+// CappedMemory allows users to set the physical and swap caps on the memory that can be used by this container.
+type CappedMemory struct {
+ Physical string `json:"physical,omitempty"`
+ Swap string `json:"swap,omitempty"`
+}
+
+// Anet provides the specification for automatic creation of network resources for this container.
+type Anet struct {
+ // Specify a name for the automatically created VNIC datalink.
+ Linkname string `json:"linkname,omitempty"`
+ // Specify the link over which the VNIC will be created.
+ Lowerlink string `json:"lowerLink,omitempty"`
+ // The set of IP addresses that the container can use.
+ Allowedaddr string `json:"allowedAddress,omitempty"`
+ // Specifies whether allowedAddress limitation is to be applied to the VNIC.
+ Configallowedaddr string `json:"configureAllowedAddress,omitempty"`
+ // The value of the optional default router.
+ Defrouter string `json:"defrouter,omitempty"`
+ // Enable one or more types of link protection.
+ Linkprotection string `json:"linkProtection,omitempty"`
+ // Set the VNIC's macAddress
+ Macaddress string `json:"macAddress,omitempty"`
+}
+
 // Arch used for additional architectures
 type Arch string
 
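Review bot: `omitempty` on the struct-valued fields `CappedCPU CappedCPU` and `CappedMemory CappedMemory` in `Solaris` has no effect — encoding/json never treats a struct value as empty — so a config that sets neither cap still serializes `"cappedCPU":{}` and `"cappedMemory":{}`, unlike the string and slice fields beside them. Declaring them as pointers, ``CappedCPU *CappedCPU `json:"cappedCPU,omitempty"` `` and ``CappedMemory *CappedMemory `json:"cappedMemory,omitempty"` ``, gives the omission the tags promise. The `Anet` field names `Lowerlink`, `Allowedaddr`, `Configallowedaddr`, `Linkprotection` and `Macaddress` also depart from the MixedCaps convention this same hunk follows for `MaxShmMemory` and `CappedCPU`; `LowerLink`, `AllowedAddress`, `ConfigureAllowedAddress`, `LinkProtection` and `MacAddress` would match both the convention and the JSON keys. `Configallowedaddr` carries a true/false value as a string, so a malformed value such as `"ture"` decodes without error and whether the allowedAddress restriction is then applied is left to the runtime; a `bool` would reject it at decode time, though config-solaris.md and schema-solaris.json declare it a string and would need to change in step.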