By default, Seccomp filters will only permit syscalls to be made using the
native architecture of the kernel. This is fine for most use cases, but breaks
others (such as running 32-bit code in a container on a host with a 64-bit
kernel). This patch adds a field to specify additional architectures which may
make syscalls.
Signed-off-by: Matthew Heon <mheon@redhat.com>
`WeightDevice`, `ThrottleReadBpsDevice`, `ThrottleWriteBpsDevice`,
`ThrottleReadIOpsDevice`, `ThrottleWriteIOpsDevice` are now slices to
well defined structs to allow setting multiple devices in their respective
blkio file. By using a string to represents those values it wasn't possible
to set correct values when multiple devices were passed in the config
(either newline separated or comma separated).
Signed-off-by: Antonio Murdaca <runcom@linux.com>
In an effort to be more discoverable and self-describing change out the
term "oci" for "opencontainer". We should consider using this as the
prefix for global namespaces going forward as oc has conflicts with
existing tools and oci is the name of the initiative not the specs.
Add support for the PIDs cgroup as a cgroup resource constraint in the
Linux container specification. Since PIDs are a real resource, we need
to support the ability to limit them.
The PIDs cgroup subsystem is available in Linux 4.3+.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
This adds runtime state information for oci container's so that it can
be persisted and used by external tools.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Based on our discussion in-person yesterday it seems necessary to
separate the concept of runtime configuration from application
configuration. There are a few motivators:
- To support runtime updates of things like cgroups, rlimits, etc we
should separate things that are inherently runtime specific from
things that are static to the application running in the container.
- To support the goal of being able to move a bundle between hosts we
should make it clear what parts of the spec are and are not portable
between hosts so that upon landing on a new host the non-portable
options may be rewritten or removed.
- In order to attach a cryptographic identity to a bundle we must not
include details in the bundle that are host specific.
Matthew Heon
Antonio Murdaca
Vishnu Kannan
Mrunal Patel
Vincent Batts
Julian Friedman
Alexander Morozov
Brandon Philips
Aleksa Sarai
Michael Crosby
Alexander Morozov
W. Trevor King