Add support for the PIDs cgroup as a cgroup resource constraint in the
Linux container specification. Since PIDs are a real resource, we need
to support the ability to limit them.
The PIDs cgroup subsystem is available in Linux 4.3+.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
These snuck in with 7232e4b1 (specs: introduce the concept of a
runtime.json, 2015-07-30, #88) and 73bf1ba8 (JSON objects are easier
to parse/manipulate, 2015-08-27, #120).
Signed-off-by: W. Trevor King <wking@tremily.us>
I touched these paragraphs while removing trailing whitespace in the
previous commit. Since I was touching them in this branch, it seemed
better to rewrap them using the "Markdown style" suggestions in the
README.
I also added a missing period after the namespaces(7) link.
Signed-off-by: W. Trevor King <wking@tremily.us>
The fact that these are Linux-specific entities should be obvious from
the context (this whole file is only about Linux-specific entities).
Signed-off-by: W. Trevor King <wking@tremily.us>
This fixes a copy/paste issue with 7232e4b1 (specs: introduce the
concept of a runtime.json, 2015-07-30, #88).
Signed-off-by: W. Trevor King <wking@tremily.us>
Based on our discussion in-person yesterday it seems necessary to
separate the concept of runtime configuration from application
configuration. There are a few motivators:
- To support runtime updates of things like cgroups, rlimits, etc we
should separate things that are inherently runtime specific from
things that are static to the application running in the container.
- To support the goal of being able to move a bundle between hosts we
should make it clear what parts of the spec are and are not portable
between hosts so that upon landing on a new host the non-portable
options may be rewritten or removed.
- In order to attach a cryptographic identity to a bundle we must not
include details in the bundle that are host specific.