Merge pull request #411 from anuthan/solarisSpec
Introducing Solaris in OCI
This commit is contained in:
commit
bf58a8f544
1
Makefile
1
Makefile
|
@ -15,6 +15,7 @@ DOC_FILES := \
|
||||||
runtime-linux.md \
|
runtime-linux.md \
|
||||||
config.md \
|
config.md \
|
||||||
config-linux.md \
|
config-linux.md \
|
||||||
|
config-solaris.md \
|
||||||
glossary.md
|
glossary.md
|
||||||
EPOCH_TEST_COMMIT := 78e6667ae2d67aad100b28ee9580b41b7a24e667
|
EPOCH_TEST_COMMIT := 78e6667ae2d67aad100b28ee9580b41b7a24e667
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,116 @@
|
||||||
|
# Solaris Application Container Configuration
|
||||||
|
|
||||||
|
Solaris application containers can be configured using the following properties, all of the below properties have mappings to properties specified under zonecfg(1M) man page, except milestone.
|
||||||
|
The Solaris specification is entirely optional.
|
||||||
|
|
||||||
|
## milestone
|
||||||
|
The SMF(Service Management Facility) FMRI which should go to "online" state before we start the desired process within the container.
|
||||||
|
|
||||||
|
**`milestone`** *(string, optional)*
|
||||||
|
|
||||||
|
### Example
|
||||||
|
```json
|
||||||
|
"milestone": "svc:/milestone/container:default"
|
||||||
|
```
|
||||||
|
|
||||||
|
## limitpriv
|
||||||
|
The maximum set of privileges any process in this container can obtain.
|
||||||
|
The property should consist of a comma-separated privilege set specification as described in priv_str_to_set(3C) man page for the respective release of Solaris.
|
||||||
|
|
||||||
|
**`limitpriv`** *(string, optional)*
|
||||||
|
|
||||||
|
### Example
|
||||||
|
```json
|
||||||
|
"limitpriv": "default"
|
||||||
|
```
|
||||||
|
|
||||||
|
## maxShmMemory
|
||||||
|
The maximum amount of shared memory allowed for this application container.
|
||||||
|
A scale (K, M, G, T) can be applied to the value for each of these numbers (for example, 1M is one megabyte).
|
||||||
|
Mapped to max-shm-memory in zonecfg(1M) man page.
|
||||||
|
|
||||||
|
**`maxShmMemory`** *(string, optional)*
|
||||||
|
|
||||||
|
### Example
|
||||||
|
```json
|
||||||
|
"maxShmMemory": "512m"
|
||||||
|
```
|
||||||
|
|
||||||
|
## cappedCPU
|
||||||
|
Sets a limit on the amount of CPU time that can be used by a container.
|
||||||
|
The unit used translates to the percentage of a single CPU that can be used by all user threads in a container, expressed as a fraction (for example, .75) or a mixed number (whole number and fraction, for example, 1.25).
|
||||||
|
An ncpu value of 1 means 100% of a CPU, a value of 1.25 means 125%, .75 mean 75%, and so forth.
|
||||||
|
When projects within a capped container have their own caps, the minimum value takes precedence.
|
||||||
|
cappedCPU is mapped to capped-cpu in zonecfg(1M) man page.
|
||||||
|
|
||||||
|
* **`ncpus`** *(string, optional)*
|
||||||
|
|
||||||
|
### Example
|
||||||
|
```json
|
||||||
|
"cappedCPU": {
|
||||||
|
"ncpus": "8"
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
## cappedMemory
|
||||||
|
The physical and swap caps on the memory that can be used by this application container.
|
||||||
|
A scale (K, M, G, T) can be applied to the value for each of these numbers (for example, 1M is one megabyte).
|
||||||
|
cappedMemory is mapped to capped-memory in zonecfg(1M) man page.
|
||||||
|
|
||||||
|
* **`physical`** *(string, optional)*
|
||||||
|
* **`swap`** *(string, optional)*
|
||||||
|
|
||||||
|
### Example
|
||||||
|
```json
|
||||||
|
"cappedMemory": {
|
||||||
|
"physical": "512m",
|
||||||
|
"swap": "512m"
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Network
|
||||||
|
|
||||||
|
### Automatic Network (anet)
|
||||||
|
anet is specified as an array that is used to setup networking for Solaris application containers.
|
||||||
|
The anet resource represents the automatic creation of a network resource for an application container.
|
||||||
|
The zones administration daemon, zoneadmd, is the primary process for managing the container's virtual platform.
|
||||||
|
One of the daemons is responsibilities is creation and teardown of the networks for the container.
|
||||||
|
For more information on the daemon check the zoneadmd(1M) man page.
|
||||||
|
When such a container is started, a temporary VNIC(Virtual NIC) is automatically created for the container.
|
||||||
|
The VNIC is deleted when the container is torn down.
|
||||||
|
The following properties can be used to setup automatic networks.
|
||||||
|
For additional information on properties check zonecfg(1M) man page for the respective release of Solaris.
|
||||||
|
|
||||||
|
* **`linkname`** *(string, optional)* Specify a name for the automatically created VNIC datalink.
|
||||||
|
* **`lowerLink`** *(string, optional)* Specify the link over which the VNIC will be created.
|
||||||
|
Mapped to lower-link in the zonecfg(1M) man page.
|
||||||
|
* **`allowedAddress`** *(string, optional)* The set of IP addresses that the container can use might be constrained by specifying the allowedAddress property.
|
||||||
|
If allowedAddress has not been specified, then they can use any IP address on the associated physical interface for the network resource.
|
||||||
|
Otherwise, when allowedAddress is specified, the container cannot use IP addresses that are not in the allowedAddress list for the physical address.
|
||||||
|
Mapped to allowed-address in the zonecfg(1M) man page.
|
||||||
|
* **`configureAllowedAddress`** *(string, optional)* If configureAllowedAddress is set to true, the addresses specified by allowedAddress are automatically configured on the interface each time the container starts.
|
||||||
|
When it is set to false, the allowedAddress will not be configured on container start.
|
||||||
|
Mapped to configure-allowed-address in the zonecfg(1M) man page.
|
||||||
|
* **`defrouter`** *(string, optional)* The value for the optional default router.
|
||||||
|
* **`macAddress`** *(string, optional)* Set the VNIC's MAC addresses based on the specified value or keyword.
|
||||||
|
If not a keyword, it is interpreted as a unicast MAC address.
|
||||||
|
For a list of the supported keywords please refer to the zonecfg(1M) man page of the respective Solaris release.
|
||||||
|
Mapped to mac-address in the zonecfg(1M) man page.
|
||||||
|
* **`linkProtection`** *(string, optional)* Enables one or more types of link protection using comma-separated values.
|
||||||
|
See the protection property in dladm(8) for supported values in respective release of Solaris.
|
||||||
|
Mapped to link-protection in the zonecfg(1M) man page.
|
||||||
|
|
||||||
|
#### Example
|
||||||
|
```json
|
||||||
|
"anet": [
|
||||||
|
{
|
||||||
|
"allowedAddress": "172.17.0.2/16",
|
||||||
|
"configureAllowedAddress": "true",
|
||||||
|
"defrouter": "172.17.0.1/16",
|
||||||
|
"linkProtection": "mac-nospoof, ip-nospoof",
|
||||||
|
"linkname": "net0",
|
||||||
|
"lowerLink": "net2",
|
||||||
|
"macAddress": "02:42:f8:52:c7:16"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
```
|
49
config.md
49
config.md
|
@ -108,9 +108,9 @@ For more information about SELinux, see [Selinux documentation](http://selinuxp
|
||||||
|
|
||||||
The user for the process is a platform-specific structure that allows specific control over which user the process runs as.
|
The user for the process is a platform-specific structure that allows specific control over which user the process runs as.
|
||||||
|
|
||||||
#### Linux User
|
#### Linux and Solaris User
|
||||||
|
|
||||||
For Linux-based systems the user structure has the following fields:
|
For Linux and Solaris based systems the user structure has the following fields:
|
||||||
|
|
||||||
* **`uid`** (int, required) specifies the user id.
|
* **`uid`** (int, required) specifies the user id.
|
||||||
* **`gid`** (int, required) specifies the group id.
|
* **`gid`** (int, required) specifies the group id.
|
||||||
|
@ -118,6 +118,8 @@ For Linux-based systems the user structure has the following fields:
|
||||||
|
|
||||||
_Note: symbolic name for uid and gid, such as uname and gname respectively, are left to upper levels to derive (i.e. `/etc/passwd` parsing, NSS, etc)_
|
_Note: symbolic name for uid and gid, such as uname and gname respectively, are left to upper levels to derive (i.e. `/etc/passwd` parsing, NSS, etc)_
|
||||||
|
|
||||||
|
_Note: For Solaris, uid and gid specify the uid and gid of the process inside the container and need not be same as in the host._
|
||||||
|
|
||||||
### Example (Linux)
|
### Example (Linux)
|
||||||
|
|
||||||
```json
|
```json
|
||||||
|
@ -153,6 +155,26 @@ _Note: symbolic name for uid and gid, such as uname and gname respectively, are
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
### Example (Solaris)
|
||||||
|
|
||||||
|
```json
|
||||||
|
"process": {
|
||||||
|
"terminal": true,
|
||||||
|
"user": {
|
||||||
|
"uid": 1,
|
||||||
|
"gid": 1,
|
||||||
|
"additionalGids": [2, 8]
|
||||||
|
},
|
||||||
|
"env": [
|
||||||
|
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
|
||||||
|
"TERM=xterm"
|
||||||
|
],
|
||||||
|
"cwd": "/root",
|
||||||
|
"args": [
|
||||||
|
"/usr/bin/bash"
|
||||||
|
],
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Hostname
|
## Hostname
|
||||||
|
@ -630,6 +652,29 @@ Here is a full example `config.json` for reference.
|
||||||
],
|
],
|
||||||
"mountLabel": "system_u:object_r:svirt_sandbox_file_t:s0:c715,c811"
|
"mountLabel": "system_u:object_r:svirt_sandbox_file_t:s0:c715,c811"
|
||||||
},
|
},
|
||||||
|
"solaris": {
|
||||||
|
"anet": [
|
||||||
|
{
|
||||||
|
"allowedAddress": "172.17.0.2/16",
|
||||||
|
"configureAllowedAddress": "true",
|
||||||
|
"defrouter": "172.17.0.1/16",
|
||||||
|
"linkProtection": "mac-nospoof, ip-nospoof",
|
||||||
|
"linkname": "net0",
|
||||||
|
"lowerLink": "net2",
|
||||||
|
"macAddress": "02:42:f8:52:c7:16"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"cappedCPU": {
|
||||||
|
"ncpus": "0.8"
|
||||||
|
},
|
||||||
|
"cappedMemory": {
|
||||||
|
"physical": "1G",
|
||||||
|
"swap": "512m"
|
||||||
|
},
|
||||||
|
"maxShmMemory": "256m",
|
||||||
|
"limitpriv": "default",
|
||||||
|
"milestone": "svc:/milestone/container:default"
|
||||||
|
},
|
||||||
"annotations": {
|
"annotations": {
|
||||||
"key1": "value1",
|
"key1": "value1",
|
||||||
"key2": "value2"
|
"key2": "value2"
|
||||||
|
|
|
@ -8,6 +8,7 @@ validating the `config.json` of this container runtime specification.
|
||||||
The layout of the files is as follows:
|
The layout of the files is as follows:
|
||||||
* [schema.json](schema.json) - the primary entrypoint for the whole schema document
|
* [schema.json](schema.json) - the primary entrypoint for the whole schema document
|
||||||
* [schema-linux.json](schema-linux.json) - this schema is for the Linux-specific sub-structure
|
* [schema-linux.json](schema-linux.json) - this schema is for the Linux-specific sub-structure
|
||||||
|
* [schema-solaris.json](schema-solaris.json) - this schema is for the Solaris-specific sub-structure
|
||||||
* [defs.json](defs.json) - definitions for general types
|
* [defs.json](defs.json) - definitions for general types
|
||||||
* [defs-linux.json](defs-linux.json) - definitions for Linux-specific types
|
* [defs-linux.json](defs-linux.json) - definitions for Linux-specific types
|
||||||
* [validate.go](validate.go) - validation utility source code
|
* [validate.go](validate.go) - validation utility source code
|
||||||
|
|
|
@ -0,0 +1,36 @@
|
||||||
|
{
|
||||||
|
"solaris": {
|
||||||
|
"description": "Solaris platform-specific configurations",
|
||||||
|
"id": "https://opencontainers.org/schema/bundle/solaris",
|
||||||
|
"type": "object",
|
||||||
|
"properties": {
|
||||||
|
"milestone": {
|
||||||
|
"id": "https://opencontainers.org/schema/bundle/solaris/milestone",
|
||||||
|
"type": "string"
|
||||||
|
},
|
||||||
|
"limitpriv": {
|
||||||
|
"id": "https://opencontainers.org/schema/bundle/solaris/limitpriv",
|
||||||
|
"type": "string"
|
||||||
|
},
|
||||||
|
"maxShmMemory": {
|
||||||
|
"id": "https://opencontainers.org/schema/bundle/solaris/maxShmMemory",
|
||||||
|
"type": "string"
|
||||||
|
},
|
||||||
|
"cappedCPU": {
|
||||||
|
"id": "https://opencontainers.org/schema/bundle/solaris/cappedCPU",
|
||||||
|
"$ref": "defs.json#/definitions/mapStringString"
|
||||||
|
},
|
||||||
|
"cappedMemory": {
|
||||||
|
"id": "https://opencontainers.org/schema/bundle/solaris/cappedMemory",
|
||||||
|
"$ref": "defs.json#/definitions/mapStringString"
|
||||||
|
},
|
||||||
|
"anet": {
|
||||||
|
"id": "https://opencontainers.org/schema/bundle/solaris/anet",
|
||||||
|
"type": "array",
|
||||||
|
"items": {
|
||||||
|
"$ref": "defs.json#/definitions/mapStringString"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -167,6 +167,9 @@
|
||||||
},
|
},
|
||||||
"linux": {
|
"linux": {
|
||||||
"$ref": "schema-linux.json#/linux"
|
"$ref": "schema-linux.json#/linux"
|
||||||
|
},
|
||||||
|
"solaris": {
|
||||||
|
"$ref": "schema-solaris.json#/solaris"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"required": [
|
"required": [
|
||||||
|
|
|
@ -25,6 +25,8 @@ type Spec struct {
|
||||||
|
|
||||||
// Linux is platform specific configuration for Linux based containers.
|
// Linux is platform specific configuration for Linux based containers.
|
||||||
Linux Linux `json:"linux" platform:"linux"`
|
Linux Linux `json:"linux" platform:"linux"`
|
||||||
|
// Solaris is platform specific configuration for Solaris containers.
|
||||||
|
Solaris Solaris `json:"solaris" platform:"solaris"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// Process contains information to start a specific application inside the container.
|
// Process contains information to start a specific application inside the container.
|
||||||
|
@ -358,6 +360,51 @@ type Seccomp struct {
|
||||||
Syscalls []Syscall `json:"syscalls,omitempty"`
|
Syscalls []Syscall `json:"syscalls,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Solaris contains platform specific configuration for Solaris application containers.
|
||||||
|
type Solaris struct {
|
||||||
|
// SMF FMRI which should go "online" before we start the container process.
|
||||||
|
Milestone string `json:"milestone,omitempty"`
|
||||||
|
// Maximum set of privileges any process in this container can obtain.
|
||||||
|
LimitPriv string `json:"limitpriv,omitempty"`
|
||||||
|
// The maximum amount of shared memory allowed for this container.
|
||||||
|
MaxShmMemory string `json:"maxShmMemory,omitempty"`
|
||||||
|
// Specification for automatic creation of network resources for this container.
|
||||||
|
Anet []Anet `json:"anet,omitempty"`
|
||||||
|
// Set limit on the amount of CPU time that can be used by container.
|
||||||
|
CappedCPU CappedCPU `json:"cappedCPU,omitempty"`
|
||||||
|
// The physical and swap caps on the memory that can be used by this container.
|
||||||
|
CappedMemory CappedMemory `json:"cappedMemory,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// CappedCPU allows users to set limit on the amount of CPU time that can be used by container.
|
||||||
|
type CappedCPU struct {
|
||||||
|
Ncpus string `json:"ncpus,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// CappedMemory allows users to set the physical and swap caps on the memory that can be used by this container.
|
||||||
|
type CappedMemory struct {
|
||||||
|
Physical string `json:"physical,omitempty"`
|
||||||
|
Swap string `json:"swap,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// Anet provides the specification for automatic creation of network resources for this container.
|
||||||
|
type Anet struct {
|
||||||
|
// Specify a name for the automatically created VNIC datalink.
|
||||||
|
Linkname string `json:"linkname,omitempty"`
|
||||||
|
// Specify the link over which the VNIC will be created.
|
||||||
|
Lowerlink string `json:"lowerLink,omitempty"`
|
||||||
|
// The set of IP addresses that the container can use.
|
||||||
|
Allowedaddr string `json:"allowedAddress,omitempty"`
|
||||||
|
// Specifies whether allowedAddress limitation is to be applied to the VNIC.
|
||||||
|
Configallowedaddr string `json:"configureAllowedAddress,omitempty"`
|
||||||
|
// The value of the optional default router.
|
||||||
|
Defrouter string `json:"defrouter,omitempty"`
|
||||||
|
// Enable one or more types of link protection.
|
||||||
|
Linkprotection string `json:"linkProtection,omitempty"`
|
||||||
|
// Set the VNIC's macAddress
|
||||||
|
Macaddress string `json:"macAddress,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
// Arch used for additional architectures
|
// Arch used for additional architectures
|
||||||
type Arch string
|
type Arch string
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue