Imported Upstream version 0.5.0
Dmitry Smirnov
8 years ago
0 | 0 | language: go |
1 | 1 | go: |
2 | - 1.6 | |
2 | 3 | - 1.5.3 |
3 | - 1.4.3 | |
4 | - 1.3.3 | |
5 | 4 | |
6 | 5 | sudo: false |
7 | 6 | |
8 | 7 | before_install: |
9 | - go get golang.org/x/tools/cmd/vet | |
10 | - go get github.com/golang/lint/golint | |
8 | - go version | (grep -q 'go1.[56]' || exit 0 && go get -u github.com/golang/lint/golint ) | |
11 | 9 | - go get github.com/vbatts/git-validation |
12 | 10 | |
13 | 11 | install: true |
14 | 12 | |
15 | 13 | script: |
16 | 14 | - go vet -x ./... |
17 | - $HOME/gopath/bin/golint ./... | |
15 | - make .golint | |
18 | 16 | - $HOME/gopath/bin/git-validation -run DCO,short-subject -v -range ${TRAVIS_COMMIT_RANGE} |
19 | 17 |
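Review bot: the version gate on the new `before_install` line, `go version | (grep -q 'go1.[56]' || exit 0 && go get -u github.com/golang/lint/golint )`, only does what it wants because `exit 0` terminates the subshell; the shell parses `a || b && c` as `(a || b) && c`, so the intent is clearer as `if go version | grep -q '...'; then go get ...; fi`, and the unescaped `.` plus `[56]` stop matching at go1.7 even though the Makefile hunk below accepts any Go >= 1.5 for `.golint`. Separately, `golint` (with `-u`) and `git-validation` are both fetched from whatever the default branch currently serves with no pinned revision, so every CI run executes unreviewed upstream code; pin a commit or vendor the two tools.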
0 | 0 | OpenContainers Specifications |
1 | ||
2 | Changes with v0.5.0: | |
3 | Breaking changes: | |
4 | ||
5 | * specs-go: Renamed the repository from opencontainers/specs to | |
6 | opencontainers/runtime-spec, #365 | |
7 | ||
8 | Additions: | |
9 | ||
10 | * config: Add 'timeout' for hooks, #346 | |
11 | * config-linux: Add 'maskedPaths' and 'readonlyPaths', #364 | |
12 | ||
13 | Minor fixes and documentation: | |
14 | ||
15 | * JSON Schema bug-fixes and improved examples, #370 | |
16 | * README: Define "unconditionally compliant", #374 | |
17 | * config: Make Markdown canonical, #342 | |
18 | * config: Explicitly list mapping from symbolic names to UID/GIDs as | |
19 | out-of-scope, #347 | |
20 | * config-linux: Require the runtime mount namespace for namespace | |
21 | 'path' values, #275 | |
22 | * config-linux: Reword kernelTCP docs, #377 | |
23 | * specs-go: Add omitempty to 'Device' and 'Namespace', #340 | |
24 | * .travis.yml: Use built-in 'go vet' and current 'go lint', dropping | |
25 | Go < 1.5, #372, #352 | |
26 | * implementations: Expand ocitools scope to include testing, #328 | |
27 | * style: Move one-sentence-per-line rule from the README, #369 | |
28 | * style: Remove dangling parenthesis, #359 | |
29 | * README: Add a link to the IRC logs, #358 | |
30 | * Fix "manadate", "exmaple", "paramters", and "preferrably" typos, | |
31 | #353, #354 | |
1 | 32 | |
2 | 33 | Changes with v0.4.0: |
3 | 34 | Breaking changes: |
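Review bot: the only entry under "Breaking changes" is the repository rename, but the schema hunks in this same import change `FileType` from `integer` to `string` and rename the network `classId` key to `classID` (to match the config.md example), so a config.json that validated against the v0.4.0 schema may no longer validate; list those under Breaking changes, or at least name them in the "JSON Schema bug-fixes" entry rather than leaving them implied by #370.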
229 | 260 | * ROADMAP.md: remove the tail spaces |
230 | 261 | * roadmap: update links and add wiki reference |
231 | 262 | * runtime: Add 'version' to the state.json example |
232 | * runtime-config: add example label before json exmaple | |
263 | * runtime-config: add example label before json example | |
233 | 264 | * runtime-config: add section about Hooks |
234 | 265 | * runtime: config: linux: add cgroups information |
235 | 266 | * runtime: config: linux: Edit BlockIO struct |
39 | 39 | vbatts/pandoc -f markdown_github -t html5 -o /output/docs.html $(patsubst %,/input/%,$(DOC_FILES)) && \ |
40 | 40 | ls -sh $(shell readlink -f output/docs.html) |
41 | 41 | |
42 | ||
43 | HOST_GOLANG_VERSION = $(shell go version | cut -d ' ' -f3 | cut -c 3-) | |
44 | # this variable is used like a function. First arg is the minimum version, Second arg is the version to be checked. | |
45 | ALLOWED_GO_VERSION = $(shell test '$(shell /bin/echo -e "$(1)\n$(2)" | sort -V | head -n1)' == '$(1)' && echo 'true') | |
46 | ||
42 | 47 | .PHONY: test .govet .golint .gitvalidation |
43 | 48 | |
44 | 49 | test: .govet .golint .gitvalidation |
49 | 54 | |
50 | 55 | # `go get github.com/golang/lint/golint` |
51 | 56 | .golint: |
57 | ifeq ($(call ALLOWED_GO_VERSION,1.5,$(HOST_GOLANG_VERSION)),true) | |
52 | 58 | golint ./... |
59 | endif | |
60 | ||
53 | 61 | |
54 | 62 | # `go get github.com/vbatts/git-validation` |
55 | 63 | .gitvalidation: |
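Review bot: `.golint` silently becomes a no-op whenever `ALLOWED_GO_VERSION` yields anything but `true`, including the case where `go` is not on PATH and `HOST_GOLANG_VERSION` expands to empty (`sort -V` then puts the empty line first and the comparison fails), so `make test` passes without lint having run; add an `else` branch that at least echoes that golint was skipped, and fail outright when `HOST_GOLANG_VERSION` is empty. Also `test '...' == '...'` is a bash extension while `$(shell ...)` runs under `/bin/sh`; use a single `=`, and note that `sort -V` and `/bin/echo -e` are GNU-specific.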
0 | # Open Container Specifications | |
0 | # Open Container Runtime Specification | |
1 | 1 | |
2 | [Open Container Initiative](http://www.opencontainers.org/) Specifications for standards on Operating System process and application containers. | |
2 | The [Open Container Initiative](http://www.opencontainers.org/) develops specifications for standards on Operating System process and application containers. | |
3 | 3 | |
4 | 4 | |
5 | 5 | Table of Contents |
19 | 19 | - [Glossary](glossary.md) |
20 | 20 | |
21 | 21 | In the specifications in the above table of contents, the keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in [RFC 2119](http://tools.ietf.org/html/rfc2119) (Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997). |
22 | ||
23 | An implementation is not compliant if it fails to satisfy one or more of the MUST or REQUIRED requirements for the protocols it implements. | |
24 | An implementation that satisfies all the MUST or REQUIRED and all the SHOULD requirements for its protocols is said to be "unconditionally compliant". | |
22 | 25 | |
23 | 26 | # Use Cases |
24 | 27 | |
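Review bot: the new sentence "An implementation is not compliant if it fails to satisfy one or more of the MUST or REQUIRED requirements" omits MUST NOT, SHALL and SHALL NOT even though the preceding sentence lists them as RFC 2119 keywords; read literally, violating a MUST NOT would not make an implementation non-compliant. Spell out all five in that sentence, and do the same for SHOULD NOT and RECOMMENDED in the "unconditionally compliant" sentence.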
71 | 74 | The contributors and maintainers of the project have a weekly meeting Wednesdays at 10:00 AM PST. |
72 | 75 | Everyone is welcome to participate via [UberConference web][UberConference] or audio-only: 646-494-8704 (no PIN needed.) |
73 | 76 | An initial agenda will be posted to the [mailing list](#mailing-list) earlier in the week, and everyone is welcome to propose additional topics or suggest other agenda alterations there. |
74 | Minutes are posted to the [mailing list](#mailing-list) and minutes from past calls are archived to the [wiki](https://github.com/opencontainers/specs/wiki) for those who are unable to join the call. | |
77 | Minutes are posted to the [mailing list](#mailing-list) and minutes from past calls are archived to the [wiki](https://github.com/opencontainers/runtime-spec/wiki) for those who are unable to join the call. | |
75 | 78 | |
76 | 79 | ## Mailing List |
77 | 80 | |
79 | 82 | |
80 | 83 | ## IRC |
81 | 84 | |
82 | OCI discussion happens on #opencontainers on Freenode. | |
83 | ||
84 | ## Markdown style | |
85 | ||
86 | To keep consistency throughout the Markdown files in the Open Container spec all files should be formatted one sentence per line. | |
87 | This fixes two things: it makes diffing easier with git and it resolves fights about line wrapping length. | |
88 | For example, this paragraph will span three lines in the Markdown source. | |
85 | OCI discussion happens on #opencontainers on Freenode ([logs][irc-logs]). | |
89 | 86 | |
90 | 87 | ## Git commit |
91 | 88 | |
157 | 154 | 8. When possible, one keyword to scope the change in the subject (i.e. "README: ...", "runtime: ...") |
158 | 155 | |
159 | 156 | [UberConference]: https://www.uberconference.com/ssaul |
157 | [irc-logs]: http://ircbot.wl.linuxfoundation.org/eavesdrop/%23opencontainers/ |
5 | 5 | The topics below are broad and small working groups will be needed for each to define scope and requirements or if the feature is required at all for the OCI level. |
6 | 6 | Topics listed in the roadmap do not mean that they will be implemented or added but are areas that need discussion to see if they fit in to the goals of the OCI. |
7 | 7 | |
8 | Listed topics may defer to the [project wiki](https://github.com/opencontainers/specs/wiki/RoadMap:) for collaboration. | |
8 | Listed topics may defer to the [project wiki](https://github.com/opencontainers/runtime-spec/wiki/RoadMap:) for collaboration. | |
9 | 9 | |
10 | 10 | ## 1.0 |
11 | 11 |
33 | 33 | * **`uts`** the container will be able to have its own hostname and domain name |
34 | 34 | * **`user`** the container will be able to remap user and group IDs from the host to local users and groups within the container |
35 | 35 | |
36 | * **`path`** *(string, optional)* - path to namespace file | |
36 | * **`path`** *(string, optional)* - path to namespace file in the [runtime mount namespace](glossary.md#runtime-namespace) | |
37 | 37 | |
38 | 38 | If a path is specified, that particular file is used to join that type of namespace. |
39 | 39 | Also, when a path is specified, a runtime MUST assume that the setup for that particular namespace has already been done and error out if the config specifies anything else related to that namespace. |
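Review bot: the `path` hunk now fixes which mount namespace the path is resolved in, but nothing says what a runtime MUST do when the file at `path` is not a namespace of the listed `type` (for example a `/proc/<pid>/ns/net` handle given under `"type": "pid"`); add a MUST to error out, which maps directly onto passing the namespace type flag to setns(2) rather than 0 so the kernel enforces the match instead of the runtime trusting the config.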
240 | 240 | ###### Example |
241 | 241 | |
242 | 242 | ```json |
243 | "oomScoreAdj": 0 | |
243 | "oomScoreAdj": 100 | |
244 | 244 | ``` |
245 | 245 | |
246 | 246 | #### Memory |
250 | 250 | |
251 | 251 | The following parameters can be specified to setup the controller: |
252 | 252 | |
253 | * **`limit`** *(uint64, optional)* - sets limit of memory usage | |
254 | ||
255 | * **`reservation`** *(uint64, optional)* - sets soft limit of memory usage | |
253 | * **`limit`** *(uint64, optional)* - sets limit of memory usage in bytes | |
254 | ||
255 | * **`reservation`** *(uint64, optional)* - sets soft limit of memory usage in bytes | |
256 | 256 | |
257 | 257 | * **`swap`** *(uint64, optional)* - sets limit of memory+Swap usage |
258 | 258 | |
259 | 259 | * **`kernel`** *(uint64, optional)* - sets hard limit for kernel memory |
260 | 260 | |
261 | * **`kernelTCP`** *(uint64, optional)* - sets hard limit for kernel memory in tcp using | |
261 | * **`kernelTCP`** *(uint64, optional)* - sets hard limit in bytes for kernel TCP buffer memory | |
262 | 262 | |
263 | 263 | * **`swappiness`** *(uint64, optional)* - sets swappiness parameter of vmscan (See sysctl's vm.swappiness) |
264 | 264 | |
266 | 266 | |
267 | 267 | ```json |
268 | 268 | "memory": { |
269 | "limit": 0, | |
270 | "reservation": 0, | |
271 | "swap": 0, | |
269 | "limit": 536870912, | |
270 | "reservation": 536870912, | |
271 | "swap": 536870912, | |
272 | 272 | "kernel": 0, |
273 | 273 | "kernelTCP": 0, |
274 | 274 | "swappiness": 0 |
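Review bot: `limit`, `reservation` and `kernelTCP` now say "in bytes" but `swap` and `kernel` in the same list still give no unit, and the example keeps `"kernel": 0` and `"kernelTCP": 0` while the text never says whether 0 on a uint64 field means "no limit" or "zero bytes"; state the unit on every byte-valued field and define 0, since a runtime reading it as a hard limit makes the container unusable and one reading it as unset applies no kernel memory cap at all.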
300 | 300 | |
301 | 301 | ```json |
302 | 302 | "cpu": { |
303 | "shares": 0, | |
304 | "quota": 0, | |
305 | "period": 0, | |
306 | "realtimeRuntime": 0, | |
307 | "realtimePeriod": 0, | |
308 | "cpus": "", | |
309 | "mems": "" | |
303 | "shares": 1024, | |
304 | "quota": 1000000, | |
305 | "period": 500000, | |
306 | "realtimeRuntime": 950000, | |
307 | "realtimePeriod": 1000000, | |
308 | "cpus": "2-3", | |
309 | "mems": "0-7" | |
310 | 310 | } |
311 | 311 | ``` |
312 | 312 | |
336 | 336 | |
337 | 337 | ```json |
338 | 338 | "blockIO": { |
339 | "blkioWeight": 0, | |
340 | "blkioLeafWeight": 0, | |
339 | "blkioWeight": 10, | |
340 | "blkioLeafWeight": 10, | |
341 | 341 | "blkioWeightDevice": [ |
342 | 342 | { |
343 | 343 | "major": 8, |
428 | 428 | `pids` represents the cgroup subsystem `pids`. |
429 | 429 | For more information, see [the pids cgroup man page][cgroup-v1-pids]. |
430 | 430 | |
431 | The following paramters can be specified to setup the controller: | |
431 | The following parameters can be specified to setup the controller: | |
432 | 432 | |
433 | 433 | * **`limit`** *(int64, required)* - specifies the maximum number of tasks in the cgroup |
434 | 434 | |
442 | 442 | |
443 | 443 | ## Sysctl |
444 | 444 | |
445 | sysctl allows kernel parameters to be modified at runtime for the container. | |
445 | `sysctl` allows kernel parameters to be modified at runtime for the container. | |
446 | 446 | For more information, see [the man page](http://man7.org/linux/man-pages/man8/sysctl.8.html) |
447 | 447 | |
448 | 448 | ###### Example |
510 | 510 | |
511 | 511 | ## Rootfs Mount Propagation |
512 | 512 | |
513 | rootfsPropagation sets the rootfs's mount propagation. | |
513 | `rootfsPropagation` sets the rootfs's mount propagation. | |
514 | 514 | Its value is either slave, private, or shared. |
515 | 515 | [The kernel doc](https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt) has more information about mount propagation. |
516 | 516 | |
518 | 518 | |
519 | 519 | ```json |
520 | 520 | "rootfsPropagation": "slave", |
521 | ``` | |
522 | ||
523 | ## Masked Paths | |
524 | ||
525 | `maskedPaths` will mask over the provided paths inside the container so that they cannot be read. | |
526 | ||
527 | ###### Example | |
528 | ||
529 | ```json | |
530 | "maskedPaths": [ | |
531 | "/proc/kcore" | |
532 | ] | |
533 | ``` | |
534 | ||
535 | ## Readonly Paths | |
536 | ||
537 | `readonlyPaths` will set the provided paths as readonly inside the container. | |
538 | ||
539 | ###### Example | |
540 | ||
541 | ```json | |
542 | "readonlyPaths": [ | |
543 | "/proc/sys" | |
544 | ] | |
521 | 545 | ``` |
522 | 546 | |
523 | 547 | [cgroup-v1]: https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt |
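Review bot: `maskedPaths` and `readonlyPaths` state the intent ("cannot be read", "readonly") but not the failure mode: nothing says whether a runtime MUST fail container creation when a listed path is missing or cannot be masked, and a runtime that skips silently leaves `/proc/kcore` readable while the config still claims it is masked. Add a MUST-error (or an explicit MAY-skip) and say whether masking covers directories as well as files, since the two need different treatment (an empty filesystem mounted over a directory, a bind of a null device over a file). For `readonlyPaths`, note that a read-only bind remount has to carry over the existing nosuid/nodev/noexec flags of the underlying mount or the remount is refused inside a user namespace.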
0 | 0 | # Container Configuration file |
1 | 1 | |
2 | 2 | The container's top-level directory MUST contain a configuration file called `config.json`. |
3 | For now the canonical schema is defined in [config.go](config.go) and [config_linux.go](config_linux.go), but this will be moved to a formal JSON schema over time. | |
3 | The canonical schema is defined in this document, but there is a JSON Schema in [`schema/schema.json`](schema/schema.json) and Go bindings in [`specs-go/config.go`](specs-go/config.go). | |
4 | 4 | |
5 | 5 | The configuration file contains metadata necessary to implement standard operations against the container. |
6 | 6 | This includes the process to run, environment variables to inject, sandboxing features to use, etc. |
103 | 103 | * **`noNewPrivileges`** (bool, optional) setting `noNewPrivileges` to true prevents the processes in the container from gaining additional privileges. |
104 | 104 | [The kernel doc](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt) has more information on how this is achieved using a prctl system call. |
105 | 105 | |
106 | ### User | |
107 | ||
106 | 108 | The user for the process is a platform-specific structure that allows specific control over which user the process runs as. |
109 | ||
110 | #### Linux User | |
111 | ||
107 | 112 | For Linux-based systems the user structure has the following fields: |
108 | 113 | |
109 | 114 | * **`uid`** (int, required) specifies the user id. |
110 | 115 | * **`gid`** (int, required) specifies the group id. |
111 | 116 | * **`additionalGids`** (array of ints, optional) specifies additional group ids to be added to the process. |
117 | ||
118 | _Note: symbolic name for uid and gid, such as uname and gname respectively, are left to upper levels to derive (i.e. `/etc/passwd` parsing, NSS, etc)_ | |
112 | 119 | |
113 | 120 | *Example (Linux)* |
114 | 121 | |
224 | 231 | ], |
225 | 232 | "poststart": [ |
226 | 233 | { |
227 | "path": "/usr/bin/notify-start" | |
234 | "path": "/usr/bin/notify-start", | |
235 | "timeout": 5 | |
228 | 236 | } |
229 | 237 | ], |
230 | 238 | "poststop": [ |
238 | 246 | |
239 | 247 | `path` is required for a hook. |
240 | 248 | `args` and `env` are optional. |
249 | `timeout` is the number of seconds before aborting the hook. | |
241 | 250 | The semantics are the same as `Path`, `Args` and `Env` in [golang Cmd](https://golang.org/pkg/os/exec/#Cmd). |
242 | 251 | |
243 | 252 | ## Annotations |
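Review bot: "`timeout` is the number of seconds before aborting the hook" does not say what aborting means for the container: whether a timed-out prestart hook fails the create (it should, since prestart hooks commonly set up the mounts and networking the workload depends on), whether poststart and poststop timeouts are merely reported, and whether 0 or a negative value is an error or "no timeout" (the Go field is `*int`, so both are representable). State the semantics per hook type and restrict the value to positive integers.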
259 | 268 | |
260 | 269 | ```json |
261 | 270 | { |
262 | "ociVersion": "0.3.0", | |
271 | "ociVersion": "0.5.0-dev", | |
263 | 272 | "platform": { |
264 | 273 | "os": "linux", |
265 | 274 | "arch": "amd64" |
274 | 283 | 6 |
275 | 284 | ] |
276 | 285 | }, |
286 | "uidMappings": [ | |
287 | { | |
288 | "hostID": 1000, | |
289 | "containerID": 0, | |
290 | "size": 32000 | |
291 | } | |
292 | ], | |
293 | "gidMappings": [ | |
294 | { | |
295 | "hostID": 1000, | |
296 | "containerID": 0, | |
297 | "size": 32000 | |
298 | } | |
299 | ], | |
277 | 300 | "args": [ |
278 | 301 | "sh" |
279 | 302 | ], |
289 | 312 | ], |
290 | 313 | "rlimits": [ |
291 | 314 | { |
315 | "type": "RLIMIT_CORE", | |
316 | "hard": 1024, | |
317 | "soft": 1024 | |
318 | }, | |
319 | { | |
292 | 320 | "type": "RLIMIT_NOFILE", |
293 | 321 | "hard": 1024, |
294 | 322 | "soft": 1024 |
295 | 323 | } |
296 | 324 | ], |
297 | "apparmorProfile": "", | |
298 | "selinuxLabel": "" | |
325 | "apparmorProfile": "acme_secure_profile", | |
326 | "selinuxLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675", | |
327 | "noNewPrivileges": true | |
299 | 328 | }, |
300 | 329 | "root": { |
301 | 330 | "path": "rootfs", |
380 | 409 | "hooks": { |
381 | 410 | "prestart": [ |
382 | 411 | { |
383 | "path": "/usr/bin/uptime", | |
412 | "path": "/usr/bin/fix-mounts", | |
384 | 413 | "args": [ |
385 | "/usr/bin/uptime" | |
414 | "fix-mounts", | |
415 | "arg1", | |
416 | "arg2" | |
386 | 417 | ], |
387 | "env": [] | |
418 | "env": [ | |
419 | "key1=value1" | |
420 | ] | |
421 | }, | |
422 | { | |
423 | "path": "/usr/bin/setup-network" | |
424 | } | |
425 | ], | |
426 | "poststart": [ | |
427 | { | |
428 | "path": "/usr/bin/notify-start", | |
429 | "timeout": 5 | |
430 | } | |
431 | ], | |
432 | "poststop": [ | |
433 | { | |
434 | "path": "/usr/sbin/cleanup.sh", | |
435 | "args": [ | |
436 | "cleanup.sh", | |
437 | "-f" | |
438 | ] | |
388 | 439 | } |
389 | 440 | ] |
390 | 441 | }, |
391 | 442 | "linux": { |
443 | "devices": [ | |
444 | { | |
445 | "path": "/dev/fuse", | |
446 | "type": "c", | |
447 | "major": 10, | |
448 | "minor": 229, | |
449 | "fileMode": 438, | |
450 | "uid": 0, | |
451 | "gid": 0 | |
452 | }, | |
453 | { | |
454 | "path": "/dev/sda", | |
455 | "type": "b", | |
456 | "major": 8, | |
457 | "minor": 0, | |
458 | "fileMode": 432, | |
459 | "uid": 0, | |
460 | "gid": 0 | |
461 | } | |
462 | ], | |
463 | "sysctl": { | |
464 | "net.ipv4.ip_forward": "1", | |
465 | "net.core.somaxconn": "256" | |
466 | }, | |
467 | "cgroupsPath": "/myRuntime/myContainer", | |
392 | 468 | "resources": { |
469 | "network": { | |
470 | "classID": 1048577, | |
471 | "priorities": [ | |
472 | { | |
473 | "name": "eth0", | |
474 | "priority": 500 | |
475 | }, | |
476 | { | |
477 | "name": "eth1", | |
478 | "priority": 1000 | |
479 | } | |
480 | ] | |
481 | }, | |
482 | "pids": { | |
483 | "limit": 32771 | |
484 | }, | |
485 | "hugepageLimits": [ | |
486 | { | |
487 | "pageSize": "2MB", | |
488 | "limit": 9223372036854772000 | |
489 | } | |
490 | ], | |
491 | "oomScoreAdj": 100, | |
492 | "memory": { | |
493 | "limit": 536870912, | |
494 | "reservation": 536870912, | |
495 | "swap": 536870912, | |
496 | "kernel": 0, | |
497 | "kernelTCP": 0, | |
498 | "swappiness": 0 | |
499 | }, | |
500 | "cpu": { | |
501 | "shares": 1024, | |
502 | "quota": 1000000, | |
503 | "period": 500000, | |
504 | "realtimeRuntime": 950000, | |
505 | "realtimePeriod": 1000000, | |
506 | "cpus": "2-3", | |
507 | "mems": "0-7" | |
508 | }, | |
509 | "disableOOMKiller": false, | |
393 | 510 | "devices": [ |
394 | 511 | { |
395 | 512 | "allow": false, |
396 | 513 | "access": "rwm" |
514 | }, | |
515 | { | |
516 | "allow": true, | |
517 | "type": "c", | |
518 | "major": 10, | |
519 | "minor": 229, | |
520 | "access": "rw" | |
521 | }, | |
522 | { | |
523 | "allow": true, | |
524 | "type": "b", | |
525 | "major": 8, | |
526 | "minor": 0, | |
527 | "access": "r" | |
397 | 528 | } |
529 | ], | |
530 | "blockIO": { | |
531 | "blkioWeight": 10, | |
532 | "blkioLeafWeight": 10, | |
533 | "blkioWeightDevice": [ | |
534 | { | |
535 | "major": 8, | |
536 | "minor": 0, | |
537 | "weight": 500, | |
538 | "leafWeight": 300 | |
539 | }, | |
540 | { | |
541 | "major": 8, | |
542 | "minor": 16, | |
543 | "weight": 500 | |
544 | } | |
545 | ], | |
546 | "blkioThrottleReadBpsDevice": [ | |
547 | { | |
548 | "major": 8, | |
549 | "minor": 0, | |
550 | "rate": 600 | |
551 | } | |
552 | ], | |
553 | "blkioThrottleWriteIOPSDevice": [ | |
554 | { | |
555 | "major": 8, | |
556 | "minor": 16, | |
557 | "rate": 300 | |
558 | } | |
559 | ] | |
560 | } | |
561 | }, | |
562 | "rootfsPropagation": "slave", | |
563 | "seccomp": { | |
564 | "defaultAction": "SCMP_ACT_ALLOW", | |
565 | "architectures": [ | |
566 | "SCMP_ARCH_X86" | |
567 | ], | |
568 | "syscalls": [ | |
569 | { | |
570 | "name": "getcwd", | |
571 | "action": "SCMP_ACT_ERRNO" | |
572 | } | |
398 | 573 | ] |
399 | 574 | }, |
400 | 575 | "namespaces": [ |
414 | 589 | "type": "mount" |
415 | 590 | } |
416 | 591 | ], |
417 | "devices": null, | |
418 | "seccomp": { | |
419 | "defaultAction": "", | |
420 | "architectures": null | |
421 | } | |
592 | "maskedPaths": [ | |
593 | "/proc/kcore", | |
594 | "/proc/latency_stats", | |
595 | "/proc/timer_stats", | |
596 | "/proc/sched_debug" | |
597 | ], | |
598 | "readonlyPaths": [ | |
599 | "/proc/asound", | |
600 | "/proc/bus", | |
601 | "/proc/fs", | |
602 | "/proc/irq", | |
603 | "/proc/sys", | |
604 | "/proc/sysrq-trigger" | |
605 | ] | |
606 | }, | |
607 | "annotations": { | |
608 | "key1": "value1", | |
609 | "key2": "value2" | |
422 | 610 | } |
423 | 611 | } |
424 | 612 | ``` |
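Review bot: the example `seccomp` block uses `"defaultAction": "SCMP_ACT_ALLOW"` with a single `SCMP_ACT_ERRNO` entry for `getcwd`, which teaches a deny-list profile; a spec example is better off showing `SCMP_ACT_ERRNO` as the default with an allow list, or at least a sentence above the example saying the values are illustrative. Also `architectures` lists only `SCMP_ARCH_X86` while `platform.arch` earlier in the same example is `amd64`; the text should say whether the native architecture is always filtered and the list only adds further ABIs (the usual libseccomp behaviour), otherwise a reader will assume this filter covers only 32-bit compat syscalls. Minor: `"limit": 9223372036854772000` under `hugepageLimits` has the look of a uint64 that passed through a double; use a round value or write 2^63-1 out exactly (`9223372036854775807`) so readers do not copy a precision artifact.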
12 | 12 | An environment for executing processes with configurable isolation and resource limitations. |
13 | 13 | For example, namespaces, resource limits, and mounts are all part of the container environment. |
14 | 14 | |
15 | ## Container namespace | |
16 | ||
17 | On Linux, a leaf in the [namespace][namespaces.7] hierarchy in which the [configured process](config.md#process-configuration) executes. | |
18 | ||
15 | 19 | ## JSON |
16 | 20 | |
17 | 21 | All configuration [JSON][] MUST be encoded in [UTF-8][]. |
21 | 25 | An implementation of this specification. |
22 | 26 | It reads the [configuration files](#configuration) from a [bundle](#bundle), uses that information to create a [container](#container), launches a process inside the container, and performs other [lifecycle actions](runtime.md). |
23 | 27 | |
28 | ## Runtime namespace | |
29 | ||
30 | On Linux, a leaf in the [namespace][namespaces.7] hierarchy from which the [runtime](#runtime) process is executed. | |
31 | New container namespaces will be created as children of the runtime namespaces. | |
32 | ||
24 | 33 | [JSON]: http://json.org/ |
25 | 34 | [UTF-8]: http://www.unicode.org/versions/Unicode8.0.0/ch03.pdf |
35 | [namespaces.7]: http://man7.org/linux/man-pages/man7/namespaces.7.html |
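Review bot: "a leaf in the namespace hierarchy" and "created as children of the runtime namespaces" assume every namespace type is hierarchical, but only PID and user namespaces nest (namespaces(7)); mount, network, IPC and UTS namespaces have no parent/child relation, and a new mount namespace is a copy of the creator's, not a child of it. Reword both glossary entries to "created from the runtime's namespaces" and reserve "child" for pid and user.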
10 | 10 | |
11 | 11 | * [hyperhq/runv](https://github.com/hyperhq/runv) - Hypervisor-based runtime for OCI |
12 | 12 | |
13 | ## Bundle authoring | |
13 | ## Testing & Tools | |
14 | 14 | |
15 | 15 | * [kunalkushwaha/octool](https://github.com/kunalkushwaha/octool) - A config linter and validator. |
16 | * [mrunalp/ocitools](https://github.com/mrunalp/ocitools) - A config generator. | |
17 | ||
18 | ## Testing | |
19 | ||
16 | * [opencontainers/ocitools](https://github.com/opencontainers/ocitools) - A config generator and runtime/bundle testing framework. | |
20 | 17 | * [huawei-openlab/oct](https://github.com/huawei-openlab/oct) - Open Container Testing framework for OCI configuration and runtime |
1 | 1 | |
2 | 2 | ## Release Process |
3 | 3 | |
4 | * Increment version in version.go | |
4 | * Increment version in [`specs-go/version.go`](specs-go/version.go) | |
5 | 5 | * `git commit` version increment |
6 | * `git tag` the prior commit (preferrably signed tag) | |
6 | * `git tag` the prior commit (preferably signed tag) | |
7 | 7 | * `make docs` to produce PDF and HTML copies of the spec |
8 | * Make a release on [github.com/opencontainers/specs](https://github.com/opencontainers/specs/releases) for the version. Attach the produced docs. | |
8 | * Make a release on [github.com/opencontainers/runtime-spec](https://github.com/opencontainers/runtime-spec/releases) for the version. Attach the produced docs. | |
9 | 9 |
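Review bot: the release steps leave tag signing optional ("preferably signed tag") and attach the generated docs to the GitHub release with nothing to verify them against; for a spec that downstream runtimes pin to, make the signed tag a MUST, name the key(s) releases are signed with, and attach a signed checksum file for the PDF and HTML so consumers can verify what they download.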
117 | 117 | "cwd": "...", |
118 | 118 | } |
119 | 119 | ``` |
120 | This specification does not manadate the name of this JSON file. | |
120 | This specification does not mandate the name of this JSON file. | |
121 | 121 | See the specification of the `config.json` file for the definition of these fields. |
122 | 122 | The stopping, or exiting, of these secondary process MUST have no effect on the state of the container. |
123 | 123 | In other words, a container (and its PID 1 process) MUST NOT be stopped due to the exiting of a secondary process. |
92 | 92 | "type": "string" |
93 | 93 | }, |
94 | 94 | "FileType": { |
95 | "type": "integer" | |
95 | "description": "Type of a block or special character device", | |
96 | "type": "string", | |
97 | "pattern": "^[cbup]$" | |
96 | 98 | }, |
97 | 99 | "Device": { |
98 | 100 | "properties": { |
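Review bot: `FileType` changes from `integer` to `string` with pattern `^[cbup]$`, which changes what validates for anyone using the schema, yet the ChangeLog files it under JSON Schema bug-fixes. The description "Type of a block or special character device" also does not match the pattern, which additionally admits `u` and `p`; either drop those or document them (in mknod(1) terms `u` is an unbuffered character device and `p` a FIFO).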
60 | 60 | "id": "https://opencontainers.org/schema/bundle/linux/resources", |
61 | 61 | "type": "object", |
62 | 62 | "properties": { |
63 | "oomScoreAdj": { | |
64 | "id": "https://opencontainers.org/schema/bundle/linux/resources/oomScoreAdj", | |
65 | "type": "integer", | |
66 | "minimum": -1000, | |
67 | "maximum": 1000 | |
68 | }, | |
69 | "pids": { | |
70 | "id": "https://opencontainers.org/schema/bundle/linux/resources/pids", | |
71 | "properties": { | |
72 | "limit": { | |
73 | "id": "https://opencontainers.org/schema/bundle/linux/resources/pids/limit", | |
74 | "$ref": "defs.json#/definitions/int64" | |
75 | } | |
76 | } | |
77 | }, | |
63 | 78 | "blockIO": { |
64 | 79 | "id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO", |
65 | 80 | "type": "object", |
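Review bot: `pids.limit` is documented in config-linux.md as "(int64, required)" but the `pids` object added here has no `"required": ["limit"]`, so `"pids": {}` validates; add it, and give the limit a `"minimum": 0` since the pids controller has no meaning for negative values. The `oomScoreAdj` bounds of -1000..1000 match the kernel range.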
93 | 108 | "oneOf": [ |
94 | 109 | { |
95 | 110 | "type": "array", |
96 | "items": [ | |
97 | { | |
98 | "$ref": "defs-linux.json#/definitions/blockIODeviceThrottlePointer" | |
99 | } | |
100 | ] | |
111 | "items": { | |
112 | "$ref": "defs-linux.json#/definitions/blockIODeviceThrottlePointer" | |
113 | } | |
101 | 114 | }, |
102 | 115 | { |
103 | 116 | "type": "null" |
109 | 122 | "oneOf": [ |
110 | 123 | { |
111 | 124 | "type": "array", |
112 | "items": [ | |
113 | { | |
114 | "$ref": "defs-linux.json#/definitions/blockIODeviceThrottlePointer" | |
115 | } | |
116 | ] | |
125 | "items": { | |
126 | "$ref": "defs-linux.json#/definitions/blockIODeviceThrottlePointer" | |
127 | } | |
117 | 128 | }, |
118 | 129 | { |
119 | 130 | "type": "null" |
125 | 136 | "oneOf": [ |
126 | 137 | { |
127 | 138 | "type": "array", |
128 | "items": [ | |
129 | { | |
130 | "$ref": "defs-linux.json#/definitions/blockIODeviceThrottlePointer" | |
131 | } | |
132 | ] | |
139 | "items": { | |
140 | "$ref": "defs-linux.json#/definitions/blockIODeviceThrottlePointer" | |
141 | } | |
133 | 142 | }, |
134 | 143 | { |
135 | 144 | "type": "null" |
139 | 148 | "blkioWeightDevice": { |
140 | 149 | "id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO/blkioWeightDevice", |
141 | 150 | "type": "array", |
142 | "items": [ | |
143 | { | |
144 | "$ref": "defs-linux.json#/definitions/blockIODeviceWeightPointer" | |
145 | } | |
146 | ] | |
151 | "items": { | |
152 | "$ref": "defs-linux.json#/definitions/blockIODeviceWeightPointer" | |
153 | } | |
147 | 154 | } |
148 | 155 | } |
149 | 156 | }, |
189 | 196 | "id": "https://opencontainers.org/schema/bundle/linux/resources/hugepageLimits", |
190 | 197 | "oneOf": [ |
191 | 198 | { |
192 | "type": "object", | |
193 | "properties": { | |
194 | "pageSize": { | |
195 | "type": "string" | |
196 | }, | |
197 | "limit": { | |
198 | "$ref": "defs.json#/definitions/uint64" | |
199 | "type": "array", | |
200 | "items": { | |
201 | "type": "object", | |
202 | "properties": { | |
203 | "pageSize": { | |
204 | "type": "string" | |
205 | }, | |
206 | "limit": { | |
207 | "$ref": "defs.json#/definitions/uint64" | |
208 | } | |
199 | 209 | } |
200 | 210 | } |
201 | 211 | }, |
234 | 244 | "id": "https://opencontainers.org/schema/bundle/linux/resources/network", |
235 | 245 | "type": "object", |
236 | 246 | "properties": { |
237 | "classId": { | |
247 | "classID": { | |
238 | 248 | "id": "https://opencontainers.org/schema/bundle/linux/resources/network/classId", |
239 | "type": "string" | |
249 | "$ref": "defs.json#/definitions/uint32" | |
240 | 250 | }, |
241 | 251 | "priorities": { |
242 | 252 | "id": "https://opencontainers.org/schema/bundle/linux/resources/network/priorities", |
255 | 265 | } |
256 | 266 | } |
257 | 267 | } |
258 | }, | |
259 | "rlimits": { | |
260 | "id": "https://opencontainers.org/schema/bundle/linux/rlimits", | |
261 | "items": [ | |
262 | { | |
263 | "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0", | |
264 | "properties": { | |
265 | "hard": { | |
266 | "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0/hard", | |
267 | "type": "integer" | |
268 | }, | |
269 | "soft": { | |
270 | "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0/soft", | |
271 | "type": "integer" | |
272 | }, | |
273 | "type": { | |
274 | "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0/type", | |
275 | "type": "string", | |
276 | "pattern": "^RLIMIT_[A-Z]+$" | |
277 | } | |
278 | }, | |
279 | "type": "object" | |
280 | } | |
281 | ], | |
282 | "type": "array" | |
283 | 268 | }, |
284 | 269 | "cgroupsPath": { |
285 | 270 | "oneOf": [ |
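Review bot: the property is renamed `classId` to `classID` and typed uint32 (matching the `"classID": 1048577` in the config.md example), but the `id` URL on the next line still ends in `/classId`; update it, and call out the rename in the ChangeLog since the old key is no longer recognised by the schema.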
336 | 321 | "type": "null" |
337 | 322 | } |
338 | 323 | ] |
324 | }, | |
325 | "maskedPaths": { | |
326 | "id": "https://opencontainers.org/schema/bundle/linux/maskedPaths", | |
327 | "$ref": "defs.json#/definitions/ArrayOfStrings" | |
328 | }, | |
329 | "readonlyPaths": { | |
330 | "id": "https://opencontainers.org/schema/bundle/linux/readonlyPaths", | |
331 | "$ref": "defs.json#/definitions/ArrayOfStrings" | |
339 | 332 | } |
340 | 333 | } |
341 | 334 | } |
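Review bot: `maskedPaths` and `readonlyPaths` are typed as plain `ArrayOfStrings`; every example in the docs uses absolute paths, and a relative entry would be resolved against whatever the runtime's working directory happens to be, so constrain the items with `"pattern": "^/"` (a shared definition in defs.json would let both keys reuse it).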
24 | 24 | } |
25 | 25 | }, |
26 | 26 | "annotations": { |
27 | "id": "https://opencontainers.org/schema/bundle/linux/sysctl", | |
27 | "id": "https://opencontainers.org/schema/bundle/annotations", | |
28 | 28 | "oneOf": [ |
29 | 29 | { |
30 | 30 | "$ref": "defs.json#/definitions/mapStringString" |
138 | 138 | "noNewPrivileges": { |
139 | 139 | "id": "https://opencontainers.org/schema/bundle/process/linux/noNewPrivileges", |
140 | 140 | "type": "boolean" |
141 | }, | |
142 | "rlimits": { | |
143 | "id": "https://opencontainers.org/schema/bundle/linux/rlimits", | |
144 | "type": "array", | |
145 | "items": { | |
146 | "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0", | |
147 | "type": "object", | |
148 | "properties": { | |
149 | "hard": { | |
150 | "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0/hard", | |
151 | "$ref": "defs.json#/definitions/uint64" | |
152 | }, | |
153 | "soft": { | |
154 | "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0/soft", | |
155 | "$ref": "defs.json#/definitions/uint64" | |
156 | }, | |
157 | "type": { | |
158 | "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0/type", | |
159 | "type": "string", | |
160 | "pattern": "^RLIMIT_[A-Z]+$" | |
161 | } | |
162 | } | |
163 | } | |
141 | 164 | } |
142 | 165 | } |
143 | 166 | }, |
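Review bot: `rlimits` moves from `linux` to `process`, but every `id` in the moved block still reads `https://opencontainers.org/schema/bundle/linux/rlimits...`; rename them to `.../process/rlimits...` to match the sibling `noNewPrivileges`, whose id is under `bundle/process/linux/`. The switch of `hard` and `soft` from `integer` to `uint64` is correct, since rlimit values are unsigned.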
95 | 95 | |
96 | 96 | // Hook specifies a command that is run at a particular event in the lifecycle of a container |
97 | 97 | type Hook struct { |
98 | Path string `json:"path"` | |
99 | Args []string `json:"args,omitempty"` | |
100 | Env []string `json:"env,omitempty"` | |
98 | Path string `json:"path"` | |
99 | Args []string `json:"args,omitempty"` | |
100 | Env []string `json:"env,omitempty"` | |
101 | Timeout *int `json:"timeout,omitempty"` | |
101 | 102 | } |
102 | 103 | |
103 | 104 | // Hooks for container setup and teardown |
127 | 128 | // If resources are specified, the cgroups at CgroupsPath will be updated based on resources. |
128 | 129 | CgroupsPath *string `json:"cgroupsPath,omitempty"` |
129 | 130 | // Namespaces contains the namespaces that are created and/or joined by the container |
130 | Namespaces []Namespace `json:"namespaces"` | |
131 | Namespaces []Namespace `json:"namespaces,omitempty"` | |
131 | 132 | // Devices are a list of device nodes that are created for the container |
132 | Devices []Device `json:"devices"` | |
133 | Devices []Device `json:"devices,omitempty"` | |
133 | 134 | // Seccomp specifies the seccomp security settings for the container. |
134 | 135 | Seccomp *Seccomp `json:"seccomp,omitempty"` |
135 | 136 | // RootfsPropagation is the rootfs mount propagation mode for the container. |
136 | 137 | RootfsPropagation string `json:"rootfsPropagation,omitempty"` |
138 | // MaskedPaths masks over the provided paths inside the container. | |
139 | MaskedPaths []string `json:"maskedPaths,omitempty"` | |
140 | // ReadonlyPaths sets the provided paths as RO inside the container. | |
141 | ReadonlyPaths []string `json:"readonlyPaths,omitempty"` | |
137 | 142 | } |
138 | 143 | |
139 | 144 | // Namespace is the configuration for a Linux namespace |
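Review bot: `Timeout *int` is added to `Hook` without a doc comment, while the `MaskedPaths` and `ReadonlyPaths` fields added in the same file get one, and `int` admits zero and negative values with no statement of what they mean; add `// Timeout is the number of seconds before the hook is aborted` and either validate the value or make it unsigned. The `omitempty` additions on `Namespaces` and `Devices` are fine and match the other optional fields in the struct.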
5 | 5 | // VersionMajor is for an API incompatible changes |
6 | 6 | VersionMajor = 0 |
7 | 7 | // VersionMinor is for functionality in a backwards-compatible manner |
8 | VersionMinor = 4 | |
8 | VersionMinor = 5 | |
9 | 9 | // VersionPatch is for backwards-compatible bug fixes |
10 | 10 | VersionPatch = 0 |
11 | 11 |
0 | 0 | # Style and conventions |
1 | ||
2 | ## One sentence per line | |
3 | ||
4 | To keep consistency throughout the Markdown files in the Open Container spec all files should be formatted one sentence per line. | |
5 | This fixes two things: it makes diffing easier with git and it resolves fights about line wrapping length. | |
6 | For example, this paragraph will span three lines in the Markdown source. | |
1 | 7 | |
2 | 8 | ## Traditionally hex settings should use JSON integers, not JSON strings |
3 | 9 | |
6 | 12 | |
7 | 13 | ## Constant names should keep redundant prefixes |
8 | 14 | |
9 | For example, `CAP_KILL` instead of `KILL` in [**`linux.capabilities`**][capabilities]). | |
15 | For example, `CAP_KILL` instead of `KILL` in [**`linux.capabilities`**][capabilities]. | |
10 | 16 | The redundancy reduction from removing the namespacing prefix is not useful enough to be worth trimming the upstream identifier ([source][keep-prefix]). |
11 | 17 | |
12 | 18 | ## Optional settings should have pointer Go types |
17 | 23 | |
18 | 24 | [capabilities]: config-linux.md#capabilities |
19 | 25 | [class-id]: config-linux.md#network |
20 | [integer-over-hex]: https://github.com/opencontainers/specs/pull/267#discussion_r48360013 | |
21 | [keep-prefix]: https://github.com/opencontainers/specs/pull/159#issuecomment-138728337 | |
22 | [no-pointer-for-boolean]: https://github.com/opencontainers/specs/pull/290#discussion_r50296396 | |
23 | [no-pointer-for-slices]: https://github.com/opencontainers/specs/pull/316/files#r50782982 | |
24 | [optional-pointer]: https://github.com/opencontainers/specs/pull/233#discussion_r47829711 | |
25 | [pointer-when-updates-require-changes]: https://github.com/opencontainers/specs/pull/317/files#r50932706 | |
26 | [integer-over-hex]: https://github.com/opencontainers/runtime-spec/pull/267#discussion_r48360013 | |
27 | [keep-prefix]: https://github.com/opencontainers/runtime-spec/pull/159#issuecomment-138728337 | |
28 | [no-pointer-for-boolean]: https://github.com/opencontainers/runtime-spec/pull/290#discussion_r50296396 | |
29 | [no-pointer-for-slices]: https://github.com/opencontainers/runtime-spec/pull/316/files#r50782982 | |
30 | [optional-pointer]: https://github.com/opencontainers/runtime-spec/pull/233#discussion_r47829711 | |
31 | [pointer-when-updates-require-changes]: https://github.com/opencontainers/runtime-spec/pull/317/files#r50932706 |