jasder
/
runc
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge pull request #411 from anuthan/solarisSpec 

Introducing Solaris in OCI
This commit is contained in:
Vincent Batts 2016-05-04 16:17:37 -04:00
parent 07126441b3 7c9daebaa7
commit bf58a8f544
7 changed files with 251 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Makefile
View File

@ -15,6 +15,7 @@ DOC_FILES := \
runtime-linux.md \
config.md \
config-linux.md \
config-solaris.md \
glossary.md
EPOCH_TEST_COMMIT := 78e6667ae2d67aad100b28ee9580b41b7a24e667

116
config-solaris.md Normal file
View File

@ -0,0 +1,116 @@
# Solaris Application Container Configuration
Solaris application containers can be configured using the following properties, all of the below properties have mappings to properties specified under zonecfg(1M) man page, except milestone.
The Solaris specification is entirely optional.
## milestone
The SMF(Service Management Facility) FMRI which should go to "online" state before we start the desired process within the container.
**`milestone`** *(string, optional)*
### Example
```json
"milestone": "svc:/milestone/container:default"
```
## limitpriv
The maximum set of privileges any process in this container can obtain.
The property should consist of a comma-separated privilege set specification as described in priv_str_to_set(3C) man page for the respective release of Solaris.
**`limitpriv`** *(string, optional)*
### Example
```json
"limitpriv": "default"
```
## maxShmMemory
The maximum amount of shared memory allowed for this application container.
A scale (K, M, G, T) can be applied to the value for each of these numbers (for example, 1M is one megabyte).
Mapped to max-shm-memory in zonecfg(1M) man page.
**`maxShmMemory`** *(string, optional)*
### Example
```json
"maxShmMemory": "512m"
```
## cappedCPU
Sets a limit on the amount of CPU time that can be used by a container.
The unit used translates to the percentage of a single CPU that can be used by all user threads in a container, expressed as a fraction (for example, .75) or a mixed number (whole number and fraction, for example, 1.25).
An ncpu value of 1 means 100% of a CPU, a value of 1.25 means 125%, .75 mean 75%, and so forth.
When projects within a capped container have their own caps, the minimum value takes precedence.
cappedCPU is mapped to capped-cpu in zonecfg(1M) man page.
* **`ncpus`** *(string, optional)*
### Example
```json
"cappedCPU": {
"ncpus": "8"
}
```
## cappedMemory
The physical and swap caps on the memory that can be used by this application container.
A scale (K, M, G, T) can be applied to the value for each of these numbers (for example, 1M is one megabyte).
cappedMemory is mapped to capped-memory in zonecfg(1M) man page.
* **`physical`** *(string, optional)*
* **`swap`** *(string, optional)*
### Example
```json
"cappedMemory": {
"physical": "512m",
"swap": "512m"
}
```
## Network
### Automatic Network (anet)
anet is specified as an array that is used to setup networking for Solaris application containers.
The anet resource represents the automatic creation of a network resource for an application container.
The zones administration daemon, zoneadmd, is the primary process for managing the container's virtual platform.
One of the daemons is responsibilities is creation and teardown of the networks for the container.
For more information on the daemon check the zoneadmd(1M) man page.
When such a container is started, a temporary VNIC(Virtual NIC) is automatically created for the container.
The VNIC is deleted when the container is torn down.
The following properties can be used to setup automatic networks.
For additional information on properties check zonecfg(1M) man page for the respective release of Solaris.
* **`linkname`** *(string, optional)* Specify a name for the automatically created VNIC datalink.
* **`lowerLink`** *(string, optional)* Specify the link over which the VNIC will be created.
Mapped to lower-link in the zonecfg(1M) man page.
* **`allowedAddress`** *(string, optional)* The set of IP addresses that the container can use might be constrained by specifying the allowedAddress property.
If allowedAddress has not been specified, then they can use any IP address on the associated physical interface for the network resource.
Otherwise, when allowedAddress is specified, the container cannot use IP addresses that are not in the allowedAddress list for the physical address.
Mapped to allowed-address in the zonecfg(1M) man page.
* **`configureAllowedAddress`** *(string, optional)* If configureAllowedAddress is set to true, the addresses specified by allowedAddress are automatically configured on the interface each time the container starts.
When it is set to false, the allowedAddress will not be configured on container start.
Mapped to configure-allowed-address in the zonecfg(1M) man page.
* **`defrouter`** *(string, optional)* The value for the optional default router.
* **`macAddress`** *(string, optional)* Set the VNIC's MAC addresses based on the specified value or keyword.
If not a keyword, it is interpreted as a unicast MAC address.
For a list of the supported keywords please refer to the zonecfg(1M) man page of the respective Solaris release.
Mapped to mac-address in the zonecfg(1M) man page.
* **`linkProtection`** *(string, optional)* Enables one or more types of link protection using comma-separated values.
See the protection property in dladm(8) for supported values in respective release of Solaris.
Mapped to link-protection in the zonecfg(1M) man page.
#### Example
```json
"anet": [
{
"allowedAddress": "172.17.0.2/16",
"configureAllowedAddress": "true",
"defrouter": "172.17.0.1/16",
"linkProtection": "mac-nospoof, ip-nospoof",
"linkname": "net0",
"lowerLink": "net2",
"macAddress": "02:42:f8:52:c7:16"
}
]
```

49
config.md
View File

@ -108,9 +108,9 @@ For more information about SELinux, see [Selinux documentation](http://selinuxp
The user for the process is a platform-specific structure that allows specific control over which user the process runs as.
#### Linux User
#### Linux and Solaris User
For Linux-based systems the user structure has the following fields:
For Linux and Solaris based systems the user structure has the following fields:
* **`uid`** (int, required) specifies the user id.
* **`gid`** (int, required) specifies the group id.
@ -118,6 +118,8 @@ For Linux-based systems the user structure has the following fields:
_Note: symbolic name for uid and gid, such as uname and gname respectively, are left to upper levels to derive (i.e. `/etc/passwd` parsing, NSS, etc)_
_Note: For Solaris, uid and gid specify the uid and gid of the process inside the container and need not be same as in the host._
### Example (Linux)
```json
@ -153,6 +155,26 @@ _Note: symbolic name for uid and gid, such as uname and gname respectively, are
]
}
```
### Example (Solaris)
```json
"process": {
"terminal": true,
"user": {
"uid": 1,
"gid": 1,
"additionalGids": [2, 8]
},
"env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"TERM=xterm"
],
"cwd": "/root",
"args": [
"/usr/bin/bash"
],
}
```
## Hostname
@ -630,6 +652,29 @@ Here is a full example `config.json` for reference.
],
"mountLabel": "system_u:object_r:svirt_sandbox_file_t:s0:c715,c811"
},
"solaris": {
"anet": [
{
"allowedAddress": "172.17.0.2/16",
"configureAllowedAddress": "true",
"defrouter": "172.17.0.1/16",
"linkProtection": "mac-nospoof, ip-nospoof",
"linkname": "net0",
"lowerLink": "net2",
"macAddress": "02:42:f8:52:c7:16"
}
],
"cappedCPU": {
"ncpus": "0.8"
},
"cappedMemory": {
"physical": "1G",
"swap": "512m"
},
"maxShmMemory": "256m",
"limitpriv": "default",
"milestone": "svc:/milestone/container:default"
},
"annotations": {
"key1": "value1",
"key2": "value2"

1
schema/README.md
View File

@ -8,6 +8,7 @@ validating the `config.json` of this container runtime specification.
The layout of the files is as follows:
* [schema.json](schema.json) - the primary entrypoint for the whole schema document
* [schema-linux.json](schema-linux.json) - this schema is for the Linux-specific sub-structure
* [schema-solaris.json](schema-solaris.json) - this schema is for the Solaris-specific sub-structure
* [defs.json](defs.json) - definitions for general types
* [defs-linux.json](defs-linux.json) - definitions for Linux-specific types
* [validate.go](validate.go) - validation utility source code

36
schema/schema-solaris.json Normal file
View File

@ -0,0 +1,36 @@
{
"solaris": {
"description": "Solaris platform-specific configurations",
"id": "https://opencontainers.org/schema/bundle/solaris",
"type": "object",
"properties": {
"milestone": {
"id": "https://opencontainers.org/schema/bundle/solaris/milestone",
"type": "string"
},
"limitpriv": {
"id": "https://opencontainers.org/schema/bundle/solaris/limitpriv",
"type": "string"
},
"maxShmMemory": {
"id": "https://opencontainers.org/schema/bundle/solaris/maxShmMemory",
"type": "string"
},
"cappedCPU": {
"id": "https://opencontainers.org/schema/bundle/solaris/cappedCPU",
"$ref": "defs.json#/definitions/mapStringString"
},
"cappedMemory": {
"id": "https://opencontainers.org/schema/bundle/solaris/cappedMemory",
"$ref": "defs.json#/definitions/mapStringString"
},
"anet": {
"id": "https://opencontainers.org/schema/bundle/solaris/anet",
"type": "array",
"items": {
"$ref": "defs.json#/definitions/mapStringString"
}
}
}
}
}

3
schema/schema.json
View File

@ -167,6 +167,9 @@
},
"linux": {
"$ref": "schema-linux.json#/linux"
},
"solaris": {
"$ref": "schema-solaris.json#/solaris"
}
},
"required": [

47
specs-go/config.go
View File

@ -25,6 +25,8 @@ type Spec struct {
// Linux is platform specific configuration for Linux based containers.
Linux Linux `json:"linux" platform:"linux"`
// Solaris is platform specific configuration for Solaris containers.
Solaris Solaris `json:"solaris" platform:"solaris"`
}
// Process contains information to start a specific application inside the container.
@ -358,6 +360,51 @@ type Seccomp struct {
Syscalls []Syscall `json:"syscalls,omitempty"`
}
// Solaris contains platform specific configuration for Solaris application containers.
type Solaris struct {
// SMF FMRI which should go "online" before we start the container process.
Milestone string `json:"milestone,omitempty"`
// Maximum set of privileges any process in this container can obtain.
LimitPriv string `json:"limitpriv,omitempty"`
// The maximum amount of shared memory allowed for this container.
MaxShmMemory string `json:"maxShmMemory,omitempty"`
// Specification for automatic creation of network resources for this container.
Anet []Anet `json:"anet,omitempty"`
// Set limit on the amount of CPU time that can be used by container.
CappedCPU CappedCPU `json:"cappedCPU,omitempty"`
// The physical and swap caps on the memory that can be used by this container.
CappedMemory CappedMemory `json:"cappedMemory,omitempty"`
}
// CappedCPU allows users to set limit on the amount of CPU time that can be used by container.
type CappedCPU struct {
Ncpus string `json:"ncpus,omitempty"`
}
// CappedMemory allows users to set the physical and swap caps on the memory that can be used by this container.
type CappedMemory struct {
Physical string `json:"physical,omitempty"`
Swap string `json:"swap,omitempty"`
}
// Anet provides the specification for automatic creation of network resources for this container.
type Anet struct {
// Specify a name for the automatically created VNIC datalink.
Linkname string `json:"linkname,omitempty"`
// Specify the link over which the VNIC will be created.
Lowerlink string `json:"lowerLink,omitempty"`
// The set of IP addresses that the container can use.
Allowedaddr string `json:"allowedAddress,omitempty"`
// Specifies whether allowedAddress limitation is to be applied to the VNIC.
Configallowedaddr string `json:"configureAllowedAddress,omitempty"`
// The value of the optional default router.
Defrouter string `json:"defrouter,omitempty"`
// Enable one or more types of link protection.
Linkprotection string `json:"linkProtection,omitempty"`
// Set the VNIC's macAddress
Macaddress string `json:"macAddress,omitempty"`
}
// Arch used for additional architectures
type Arch string