golang-github-opencontainers-specs / 588a89b
Imported Upstream version 0.5.0 Dmitry Smirnov 8 years ago
17 changed file(s) with 412 addition(s) and 129 deletion(s).
00 language: go
11 go:
2 - 1.6
23 - 1.5.3
3 - 1.4.3
4 - 1.3.3
54
65 sudo: false
76
87 before_install:
9 - go get golang.org/x/tools/cmd/vet
10 - go get github.com/golang/lint/golint
8 - go version | (grep -q 'go1.[56]' || exit 0 && go get -u github.com/golang/lint/golint )
119 - go get github.com/vbatts/git-validation
1210
1311 install: true
1412
1513 script:
1614 - go vet -x ./...
17 - $HOME/gopath/bin/golint ./...
15 - make .golint
1816 - $HOME/gopath/bin/git-validation -run DCO,short-subject -v -range ${TRAVIS_COMMIT_RANGE}
1917
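Review bot: `before_install` still fetches golint and git-validation from their GitHub default branches with an unpinned `go get` (`-u` for golint), so every CI run executes whatever those repositories currently serve; pin a revision (or vendor the tools) so an upstream change or compromise cannot alter the lint and DCO results. The new `go version | (grep -q 'go1.[56]' || exit 0 && go get -u ...)` line also works only because `exit 0` terminates the subshell before the `&& go get` is reached (shell `||` and `&&` have equal precedence and bind left to right); `if go version | grep -q 'go1.[56]'; then go get -u github.com/golang/lint/golint; fi` says what it means.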
00 OpenContainers Specifications
1
2 Changes with v0.5.0:
3 Breaking changes:
4
5 * specs-go: Renamed the repository from opencontainers/specs to
6 opencontainers/runtime-spec, #365
7
8 Additions:
9
10 * config: Add 'timeout' for hooks, #346
11 * config-linux: Add 'maskedPaths' and 'readonlyPaths', #364
12
13 Minor fixes and documentation:
14
15 * JSON Schema bug-fixes and improved examples, #370
16 * README: Define "unconditionally compliant", #374
17 * config: Make Markdown canonical, #342
18 * config: Explicitly list mapping from symbolic names to UID/GIDs as
19 out-of-scope, #347
20 * config-linux: Require the runtime mount namespace for namespace
21 'path' values, #275
22 * config-linux: Reword kernelTCP docs, #377
23 * specs-go: Add omitempty to 'Device' and 'Namespace', #340
24 * .travis.yml: Use built-in 'go vet' and current 'go lint', dropping
25 Go < 1.5, #372, #352
26 * implementations: Expand ocitools scope to include testing, #328
27 * style: Move one-sentence-per-line rule from the README, #369
28 * style: Remove dangling parenthesis, #359
29 * README: Add a link to the IRC logs, #358
30 * Fix "manadate", "exmaple", "paramters", and "preferrably" typos,
31 #353, #354
132
233 Changes with v0.4.0:
334 Breaking changes:
229260 * ROADMAP.md: remove the tail spaces
230261 * roadmap: update links and add wiki reference
231262 * runtime: Add 'version' to the state.json example
232 * runtime-config: add example label before json exmaple
263 * runtime-config: add example label before json example
233264 * runtime-config: add section about Hooks
234265 * runtime: config: linux: add cgroups information
235266 * runtime: config: linux: Edit BlockIO struct
3939 vbatts/pandoc -f markdown_github -t html5 -o /output/docs.html $(patsubst %,/input/%,$(DOC_FILES)) && \
4040 ls -sh $(shell readlink -f output/docs.html)
4141
42
43 HOST_GOLANG_VERSION = $(shell go version | cut -d ' ' -f3 | cut -c 3-)
44 # this variable is used like a function. First arg is the minimum version, Second arg is the version to be checked.
45 ALLOWED_GO_VERSION = $(shell test '$(shell /bin/echo -e "$(1)\n$(2)" | sort -V | head -n1)' == '$(1)' && echo 'true')
46
4247 .PHONY: test .govet .golint .gitvalidation
4348
4449 test: .govet .golint .gitvalidation
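Review bot: `ALLOWED_GO_VERSION` compares with `test ... == ...`, which is a bashism; make runs `$(shell ...)` through `/bin/sh`, and on Debian that is dash, whose `test` rejects `==` as an unexpected operator. The `&& echo 'true'` then never runs, the variable expands to empty, and the `ifeq` that gates `.golint` silently turns lint into a no-op on exactly the hosts this package is built on. Use a single `=` (and `printf '%s\n%s\n' "$(1)" "$(2)"` instead of `/bin/echo -e`) so the check is POSIX and the failure mode is visible.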
4954
5055 # `go get github.com/golang/lint/golint`
5156 .golint:
57 ifeq ($(call ALLOWED_GO_VERSION,1.5,$(HOST_GOLANG_VERSION)),true)
5258 golint ./...
59 endif
60
5361
5462 # `go get github.com/vbatts/git-validation`
5563 .gitvalidation:
0 # Open Container Specifications
0 # Open Container Runtime Specification
11
2 [Open Container Initiative](http://www.opencontainers.org/) Specifications for standards on Operating System process and application containers.
2 The [Open Container Initiative](http://www.opencontainers.org/) develops specifications for standards on Operating System process and application containers.
33
44
55 Table of Contents
1919 - [Glossary](glossary.md)
2020
2121 In the specifications in the above table of contents, the keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in [RFC 2119](http://tools.ietf.org/html/rfc2119) (Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997).
22
23 An implementation is not compliant if it fails to satisfy one or more of the MUST or REQUIRED requirements for the protocols it implements.
24 An implementation that satisfies all the MUST or REQUIRED and all the SHOULD requirements for its protocols is said to be "unconditionally compliant".
2225
2326 # Use Cases
2427
7174 The contributors and maintainers of the project have a weekly meeting Wednesdays at 10:00 AM PST.
7275 Everyone is welcome to participate via [UberConference web][UberConference] or audio-only: 646-494-8704 (no PIN needed.)
7376 An initial agenda will be posted to the [mailing list](#mailing-list) earlier in the week, and everyone is welcome to propose additional topics or suggest other agenda alterations there.
74 Minutes are posted to the [mailing list](#mailing-list) and minutes from past calls are archived to the [wiki](https://github.com/opencontainers/specs/wiki) for those who are unable to join the call.
77 Minutes are posted to the [mailing list](#mailing-list) and minutes from past calls are archived to the [wiki](https://github.com/opencontainers/runtime-spec/wiki) for those who are unable to join the call.
7578
7679 ## Mailing List
7780
7982
8083 ## IRC
8184
82 OCI discussion happens on #opencontainers on Freenode.
83
84 ## Markdown style
85
86 To keep consistency throughout the Markdown files in the Open Container spec all files should be formatted one sentence per line.
87 This fixes two things: it makes diffing easier with git and it resolves fights about line wrapping length.
88 For example, this paragraph will span three lines in the Markdown source.
85 OCI discussion happens on #opencontainers on Freenode ([logs][irc-logs]).
8986
9087 ## Git commit
9188
157154 8. When possible, one keyword to scope the change in the subject (i.e. "README: ...", "runtime: ...")
158155
159156 [UberConference]: https://www.uberconference.com/ssaul
157 [irc-logs]: http://ircbot.wl.linuxfoundation.org/eavesdrop/%23opencontainers/
55 The topics below are broad and small working groups will be needed for each to define scope and requirements or if the feature is required at all for the OCI level.
66 Topics listed in the roadmap do not mean that they will be implemented or added but are areas that need discussion to see if they fit in to the goals of the OCI.
77
8 Listed topics may defer to the [project wiki](https://github.com/opencontainers/specs/wiki/RoadMap:) for collaboration.
8 Listed topics may defer to the [project wiki](https://github.com/opencontainers/runtime-spec/wiki/RoadMap:) for collaboration.
99
1010 ## 1.0
1111
3333 * **`uts`** the container will be able to have its own hostname and domain name
3434 * **`user`** the container will be able to remap user and group IDs from the host to local users and groups within the container
3535
36 * **`path`** *(string, optional)* - path to namespace file
36 * **`path`** *(string, optional)* - path to namespace file in the [runtime mount namespace](glossary.md#runtime-namespace)
3737
3838 If a path is specified, that particular file is used to join that type of namespace.
3939 Also, when a path is specified, a runtime MUST assume that the setup for that particular namespace has already been done and error out if the config specifies anything else related to that namespace.
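Review bot: the new wording says `path` is resolved in the runtime mount namespace and that the file "is used to join that type of namespace", but nothing requires the runtime to check that the file actually is a namespace of the declared `type`. setns(2) accepts any namespace when called with nstype 0 and fails with EINVAL when the fd's type does not match a non-zero nstype, so state that the runtime MUST pass the configured type to setns(2) (or verify it some other way) and error out on mismatch rather than joining whatever namespace the path happens to name.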
240240 ###### Example
241241
242242 ```json
243 "oomScoreAdj": 0
243 "oomScoreAdj": 100
244244 ```
245245
246246 #### Memory
250250
251251 The following parameters can be specified to setup the controller:
252252
253 * **`limit`** *(uint64, optional)* - sets limit of memory usage
254
255 * **`reservation`** *(uint64, optional)* - sets soft limit of memory usage
253 * **`limit`** *(uint64, optional)* - sets limit of memory usage in bytes
254
255 * **`reservation`** *(uint64, optional)* - sets soft limit of memory usage in bytes
256256
257257 * **`swap`** *(uint64, optional)* - sets limit of memory+Swap usage
258258
259259 * **`kernel`** *(uint64, optional)* - sets hard limit for kernel memory
260260
261 * **`kernelTCP`** *(uint64, optional)* - sets hard limit for kernel memory in tcp using
261 * **`kernelTCP`** *(uint64, optional)* - sets hard limit in bytes for kernel TCP buffer memory
262262
263263 * **`swappiness`** *(uint64, optional)* - sets swappiness parameter of vmscan (See sysctl's vm.swappiness)
264264
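Review bot: `limit`, `reservation` and `kernelTCP` now say "in bytes" but the `swap` and `kernel` entries in the same list still do not; add the unit there too so all five read consistently. `swappiness` is typed uint64 although the cgroup `memory.swappiness` knob only accepts 0 to 100; say so here (or bound it in the JSON Schema) so authors do not write values the kernel will reject.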
266266
267267 ```json
268268 "memory": {
269 "limit": 0,
270 "reservation": 0,
271 "swap": 0,
269 "limit": 536870912,
270 "reservation": 536870912,
271 "swap": 536870912,
272272 "kernel": 0,
273273 "kernelTCP": 0,
274274 "swappiness": 0
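Review bot: the example sets `limit`, `reservation` and `swap` all to 536870912, which makes the soft limit equal to the hard limit (so the reservation has no effect) and makes the memory+swap limit equal to the memory limit (so the container gets no swap at all). If "no swap, no soft limit" is the intended illustration, say so in the text; otherwise use distinct values with reservation < limit < swap so the example actually shows what each field controls.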
300300
301301 ```json
302302 "cpu": {
303 "shares": 0,
304 "quota": 0,
305 "period": 0,
306 "realtimeRuntime": 0,
307 "realtimePeriod": 0,
308 "cpus": "",
309 "mems": ""
303 "shares": 1024,
304 "quota": 1000000,
305 "period": 500000,
306 "realtimeRuntime": 950000,
307 "realtimePeriod": 1000000,
308 "cpus": "2-3",
309 "mems": "0-7"
310310 }
311311 ```
312312
336336
337337 ```json
338338 "blockIO": {
339 "blkioWeight": 0,
340 "blkioLeafWeight": 0,
339 "blkioWeight": 10,
340 "blkioLeafWeight": 10,
341341 "blkioWeightDevice": [
342342 {
343343 "major": 8,
428428 `pids` represents the cgroup subsystem `pids`.
429429 For more information, see [the pids cgroup man page][cgroup-v1-pids].
430430
431 The following paramters can be specified to setup the controller:
431 The following parameters can be specified to setup the controller:
432432
433433 * **`limit`** *(int64, required)* - specifies the maximum number of tasks in the cgroup
434434
442442
443443 ## Sysctl
444444
445 sysctl allows kernel parameters to be modified at runtime for the container.
445 `sysctl` allows kernel parameters to be modified at runtime for the container.
446446 For more information, see [the man page](http://man7.org/linux/man-pages/man8/sysctl.8.html)
447447
448448 ###### Example
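Review bot: "modified at runtime for the container" understates the blast radius. Only keys that are namespaced by a namespace the container actually has (for instance `net.*` keys when a new network namespace is created) are confined to the container; any other key written here changes the host kernel. Say that config authors MUST limit themselves to namespaced keys and that a runtime SHOULD reject the rest; the `net.ipv4.ip_forward` and `net.core.somaxconn` keys used in the full example later in this change are safe only when the config also creates a network namespace.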
510510
511511 ## Rootfs Mount Propagation
512512
513 rootfsPropagation sets the rootfs's mount propagation.
513 `rootfsPropagation` sets the rootfs's mount propagation.
514514 Its value is either slave, private, or shared.
515515 [The kernel doc](https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt) has more information about mount propagation.
516516
518518
519519 ```json
520520 "rootfsPropagation": "slave",
521 ```
522
523 ## Masked Paths
524
525 `maskedPaths` will mask over the provided paths inside the container so that they cannot be read.
526
527 ###### Example
528
529 ```json
530 "maskedPaths": [
531 "/proc/kcore"
532 ]
533 ```
534
535 ## Readonly Paths
536
537 `readonlyPaths` will set the provided paths as readonly inside the container.
538
539 ###### Example
540
541 ```json
542 "readonlyPaths": [
543 "/proc/sys"
544 ]
521545 ```
522546
523547 [cgroup-v1]: https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt
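Review bot: `maskedPaths` and `readonlyPaths` do not say when they are applied relative to `mounts` and `sysctl`, or what happens when a listed path does not exist. The readonlyPaths example lists `/proc/sys`, and the Sysctl section above writes kernel parameters through that same tree, so the spec should state that sysctls are applied before readonlyPaths, that both lists are applied after all `mounts` have been set up (otherwise a later mount can unmask a path), and whether a missing path is an error or is skipped. "cannot be read" is also narrower than the intent: a masked path should be neither readable nor writable.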
00 # Container Configuration file
11
22 The container's top-level directory MUST contain a configuration file called `config.json`.
3 For now the canonical schema is defined in [config.go](config.go) and [config_linux.go](config_linux.go), but this will be moved to a formal JSON schema over time.
3 The canonical schema is defined in this document, but there is a JSON Schema in [`schema/schema.json`](schema/schema.json) and Go bindings in [`specs-go/config.go`](specs-go/config.go).
44
55 The configuration file contains metadata necessary to implement standard operations against the container.
66 This includes the process to run, environment variables to inject, sandboxing features to use, etc.
103103 * **`noNewPrivileges`** (bool, optional) setting `noNewPrivileges` to true prevents the processes in the container from gaining additional privileges.
104104 [The kernel doc](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt) has more information on how this is achieved using a prctl system call.
105105
106 ### User
107
106108 The user for the process is a platform-specific structure that allows specific control over which user the process runs as.
109
110 #### Linux User
111
107112 For Linux-based systems the user structure has the following fields:
108113
109114 * **`uid`** (int, required) specifies the user id.
110115 * **`gid`** (int, required) specifies the group id.
111116 * **`additionalGids`** (array of ints, optional) specifies additional group ids to be added to the process.
117
118 _Note: symbolic name for uid and gid, such as uname and gname respectively, are left to upper levels to derive (i.e. `/etc/passwd` parsing, NSS, etc)_
112119
113120 *Example (Linux)*
114121
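Review bot: `additionalGids` says the ids are "added to the process" but not that they replace the supplementary group list the runtime itself carries. State that the runtime MUST set the supplementary groups to exactly this list (absent or empty meaning no supplementary groups); otherwise the container process silently inherits the runtime's host groups. `uid` and `gid` are also typed `int` although Linux ids are unsigned 32-bit values; negative ids have no meaning and should be rejected by the schema and the runtime.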
224231 ],
225232 "poststart": [
226233 {
227 "path": "/usr/bin/notify-start"
234 "path": "/usr/bin/notify-start",
235 "timeout": 5
228236 }
229237 ],
230238 "poststop": [
238246
239247 `path` is required for a hook.
240248 `args` and `env` are optional.
249 `timeout` is the number of seconds before aborting the hook.
241250 The semantics are the same as `Path`, `Args` and `Env` in [golang Cmd](https://golang.org/pkg/os/exec/#Cmd).
242251
243252 ## Annotations
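Review bot: "the number of seconds before aborting the hook" leaves the failure semantics open: whether the hook process is killed (and with which signal), whether a timed-out prestart hook fails container creation the way a non-zero exit does, and what a zero or negative value means (the Go binding added in this change is `*int`, so absent and 0 are distinguishable and need separate definitions). A hook that is merely abandoned on timeout keeps a process started by the runtime alive; say the runtime MUST kill it and MUST treat the timeout as a hook failure.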
259268
260269 ```json
261270 {
262 "ociVersion": "0.3.0",
271 "ociVersion": "0.5.0-dev",
263272 "platform": {
264273 "os": "linux",
265274 "arch": "amd64"
274283 6
275284 ]
276285 },
286 "uidMappings": [
287 {
288 "hostID": 1000,
289 "containerID": 0,
290 "size": 32000
291 }
292 ],
293 "gidMappings": [
294 {
295 "hostID": 1000,
296 "containerID": 0,
297 "size": 32000
298 }
299 ],
277300 "args": [
278301 "sh"
279302 ],
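Review bot: the example maps container ids 0 through 31999 onto host ids 1000 through 32999. Host uid/gid 1000 upward is where ordinary user accounts live on most distributions, so with this mapping a container process running as uid N acts as host user 1000+N, including accounts other than the one operating the runtime. A reference example should use a dedicated subordinate range of the kind delegated through /etc/subuid and /etc/subgid (for instance hostID 100000), and the text should warn that the mapped range must not overlap real host accounts.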
289312 ],
290313 "rlimits": [
291314 {
315 "type": "RLIMIT_CORE",
316 "hard": 1024,
317 "soft": 1024
318 },
319 {
292320 "type": "RLIMIT_NOFILE",
293321 "hard": 1024,
294322 "soft": 1024
295323 }
296324 ],
297 "apparmorProfile": "",
298 "selinuxLabel": ""
325 "apparmorProfile": "acme_secure_profile",
326 "selinuxLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675",
327 "noNewPrivileges": true
299328 },
300329 "root": {
301330 "path": "rootfs",
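Review bot: the example now sets both `apparmorProfile` and `selinuxLabel` alongside `noNewPrivileges: true`, but a host enforces at most one of those LSMs, and the text does not say what a runtime must do when a profile or label is configured and the corresponding LSM is disabled or the profile is not loaded. Silently ignoring it is a security failure (the author believes the process is confined when it is not); specify that the runtime MUST refuse to start the container in that case. Minor: `RLIMIT_CORE` is in bytes, so hard=soft=1024 effectively disables core dumps; fine as an example, but worth a word if that is the intent.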
380409 "hooks": {
381410 "prestart": [
382411 {
383 "path": "/usr/bin/uptime",
412 "path": "/usr/bin/fix-mounts",
384413 "args": [
385 "/usr/bin/uptime"
414 "fix-mounts",
415 "arg1",
416 "arg2"
386417 ],
387 "env": []
418 "env": [
419 "key1=value1"
420 ]
421 },
422 {
423 "path": "/usr/bin/setup-network"
424 }
425 ],
426 "poststart": [
427 {
428 "path": "/usr/bin/notify-start",
429 "timeout": 5
430 }
431 ],
432 "poststop": [
433 {
434 "path": "/usr/sbin/cleanup.sh",
435 "args": [
436 "cleanup.sh",
437 "-f"
438 ]
388439 }
389440 ]
390441 },
391442 "linux": {
443 "devices": [
444 {
445 "path": "/dev/fuse",
446 "type": "c",
447 "major": 10,
448 "minor": 229,
449 "fileMode": 438,
450 "uid": 0,
451 "gid": 0
452 },
453 {
454 "path": "/dev/sda",
455 "type": "b",
456 "major": 8,
457 "minor": 0,
458 "fileMode": 432,
459 "uid": 0,
460 "gid": 0
461 }
462 ],
463 "sysctl": {
464 "net.ipv4.ip_forward": "1",
465 "net.core.somaxconn": "256"
466 },
467 "cgroupsPath": "/myRuntime/myContainer",
392468 "resources": {
469 "network": {
470 "classID": 1048577,
471 "priorities": [
472 {
473 "name": "eth0",
474 "priority": 500
475 },
476 {
477 "name": "eth1",
478 "priority": 1000
479 }
480 ]
481 },
482 "pids": {
483 "limit": 32771
484 },
485 "hugepageLimits": [
486 {
487 "pageSize": "2MB",
488 "limit": 9223372036854772000
489 }
490 ],
491 "oomScoreAdj": 100,
492 "memory": {
493 "limit": 536870912,
494 "reservation": 536870912,
495 "swap": 536870912,
496 "kernel": 0,
497 "kernelTCP": 0,
498 "swappiness": 0
499 },
500 "cpu": {
501 "shares": 1024,
502 "quota": 1000000,
503 "period": 500000,
504 "realtimeRuntime": 950000,
505 "realtimePeriod": 1000000,
506 "cpus": "2-3",
507 "mems": "0-7"
508 },
509 "disableOOMKiller": false,
393510 "devices": [
394511 {
395512 "allow": false,
396513 "access": "rwm"
514 },
515 {
516 "allow": true,
517 "type": "c",
518 "major": 10,
519 "minor": 229,
520 "access": "rw"
521 },
522 {
523 "allow": true,
524 "type": "b",
525 "major": 8,
526 "minor": 0,
527 "access": "r"
397528 }
529 ],
530 "blockIO": {
531 "blkioWeight": 10,
532 "blkioLeafWeight": 10,
533 "blkioWeightDevice": [
534 {
535 "major": 8,
536 "minor": 0,
537 "weight": 500,
538 "leafWeight": 300
539 },
540 {
541 "major": 8,
542 "minor": 16,
543 "weight": 500
544 }
545 ],
546 "blkioThrottleReadBpsDevice": [
547 {
548 "major": 8,
549 "minor": 0,
550 "rate": 600
551 }
552 ],
553 "blkioThrottleWriteIOPSDevice": [
554 {
555 "major": 8,
556 "minor": 16,
557 "rate": 300
558 }
559 ]
560 }
561 },
562 "rootfsPropagation": "slave",
563 "seccomp": {
564 "defaultAction": "SCMP_ACT_ALLOW",
565 "architectures": [
566 "SCMP_ARCH_X86"
567 ],
568 "syscalls": [
569 {
570 "name": "getcwd",
571 "action": "SCMP_ACT_ERRNO"
572 }
398573 ]
399574 },
400575 "namespaces": [
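Review bot: the example hands the container the host's first whole disk: `/dev/sda` is created as a block node with mode 432 (0660) and the devices cgroup then grants `"access": "r"` on 8:0. Read access to the raw disk is read access to every host filesystem on it, so this should not be the reference example even though the cgroup rule itself is well formed; keep the leading deny-all rule `{"allow": false, "access": "rwm"}` as it is and use a clearly illustrative device (a loop device, or just the `/dev/fuse` entry). Two smaller points: the `hugepageLimits` value 9223372036854772000 is neither 2^63-1 nor any round number and looks like a float-rounded constant, a reminder that JSON decoders which pass through float64 cannot represent large uint64 limits exactly; and the seccomp block is a default-allow filter (`SCMP_ACT_ALLOW`) that denies only `getcwd`, which shows the syntax but models the weak deny-list pattern, so a one-line caveat that a default of `SCMP_ACT_ERRNO` with an explicit allow list is the stronger configuration would help.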
414589 "type": "mount"
415590 }
416591 ],
417 "devices": null,
418 "seccomp": {
419 "defaultAction": "",
420 "architectures": null
421 }
592 "maskedPaths": [
593 "/proc/kcore",
594 "/proc/latency_stats",
595 "/proc/timer_stats",
596 "/proc/sched_debug"
597 ],
598 "readonlyPaths": [
599 "/proc/asound",
600 "/proc/bus",
601 "/proc/fs",
602 "/proc/irq",
603 "/proc/sys",
604 "/proc/sysrq-trigger"
605 ]
606 },
607 "annotations": {
608 "key1": "value1",
609 "key2": "value2"
422610 }
423611 }
424612 ```
1212 An environment for executing processes with configurable isolation and resource limitations.
1313 For example, namespaces, resource limits, and mounts are all part of the container environment.
1414
15 ## Container namespace
16
17 On Linux, a leaf in the [namespace][namespaces.7] hierarchy in which the [configured process](config.md#process-configuration) executes.
18
1519 ## JSON
1620
1721 All configuration [JSON][] MUST be encoded in [UTF-8][].
2125 An implementation of this specification.
2226 It reads the [configuration files](#configuration) from a [bundle](#bundle), uses that information to create a [container](#container), launches a process inside the container, and performs other [lifecycle actions](runtime.md).
2327
28 ## Runtime namespace
29
30 On Linux, a leaf in the [namespace][namespaces.7] hierarchy from which the [runtime](#runtime) process is executed.
31 New container namespaces will be created as children of the runtime namespaces.
32
2433 [JSON]: http://json.org/
2534 [UTF-8]: http://www.unicode.org/versions/Unicode8.0.0/ch03.pdf
35 [namespaces.7]: http://man7.org/linux/man-pages/man7/namespaces.7.html
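Review bot: "a leaf in the namespace hierarchy" and "created as children of the runtime namespaces" (and the "Container namespace" entry above) assume every namespace type is hierarchical, but only PID and user namespaces are nested; mount, network, IPC, UTS and cgroup namespaces are flat instances that are owned by a user namespace and have no parent of their own type. Reword to "the set of namespaces in which the runtime process executes" and "in which the configured process executes", and reserve "child" for the PID and user cases where nesting actually matters.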
1010
1111 * [hyperhq/runv](https://github.com/hyperhq/runv) - Hypervisor-based runtime for OCI
1212
13 ## Bundle authoring
13 ## Testing & Tools
1414
1515 * [kunalkushwaha/octool](https://github.com/kunalkushwaha/octool) - A config linter and validator.
16 * [mrunalp/ocitools](https://github.com/mrunalp/ocitools) - A config generator.
17
18 ## Testing
19
16 * [opencontainers/ocitools](https://github.com/opencontainers/ocitools) - A config generator and runtime/bundle testing framework.
2017 * [huawei-openlab/oct](https://github.com/huawei-openlab/oct) - Open Container Testing framework for OCI configuration and runtime
11
22 ## Release Process
33
4 * Increment version in version.go
4 * Increment version in [`specs-go/version.go`](specs-go/version.go)
55 * `git commit` version increment
6 * `git tag` the prior commit (preferrably signed tag)
6 * `git tag` the prior commit (preferably signed tag)
77 * `make docs` to produce PDF and HTML copies of the spec
8 * Make a release on [github.com/opencontainers/specs](https://github.com/opencontainers/specs/releases) for the version. Attach the produced docs.
8 * Make a release on [github.com/opencontainers/runtime-spec](https://github.com/opencontainers/runtime-spec/releases) for the version. Attach the produced docs.
99
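Review bot: "`git tag` the prior commit" immediately after "`git commit` version increment" is ambiguous: the tag must point at the commit that bumps `specs-go/version.go`, not at its parent, or `VersionMinor` in the tagged tree will not match the tag. Since downstream packagers and runtimes verify against these tags, make the signed tag a requirement rather than "preferably".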
117117 "cwd": "...",
118118 }
119119 ```
120 This specification does not manadate the name of this JSON file.
120 This specification does not mandate the name of this JSON file.
121121 See the specification of the `config.json` file for the definition of these fields.
122122 The stopping, or exiting, of these secondary process MUST have no effect on the state of the container.
123123 In other words, a container (and its PID 1 process) MUST NOT be stopped due to the exiting of a secondary process.
9292 "type": "string"
9393 },
9494 "FileType": {
95 "type": "integer"
95 "description": "Type of a block or special character device",
96 "type": "string",
97 "pattern": "^[cbup]$"
9698 },
9799 "Device": {
98100 "properties": {
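Review bot: the new description "Type of a block or special character device" does not match the pattern `^[cbup]$`, which also admits `p` (FIFO) and `u` (unbuffered character device, a synonym of `c`). Either narrow the pattern to `^[cb]$` or extend the description to list all four letters and their meaning so validators and authors agree on what is allowed.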
6060 "id": "https://opencontainers.org/schema/bundle/linux/resources",
6161 "type": "object",
6262 "properties": {
63 "oomScoreAdj": {
64 "id": "https://opencontainers.org/schema/bundle/linux/resources/oomScoreAdj",
65 "type": "integer",
66 "minimum": -1000,
67 "maximum": 1000
68 },
69 "pids": {
70 "id": "https://opencontainers.org/schema/bundle/linux/resources/pids",
71 "properties": {
72 "limit": {
73 "id": "https://opencontainers.org/schema/bundle/linux/resources/pids/limit",
74 "$ref": "defs.json#/definitions/int64"
75 }
76 }
77 },
6378 "blockIO": {
6479 "id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO",
6580 "type": "object",
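Review bot: the `pids` entry declares `limit` but neither `"type": "object"` nor `"required": ["limit"]`, while config-linux.md in this same change says `limit` is required; as written, `"pids": {}` validates and leaves the cgroup unlimited. Add both clauses, mirroring `blockIO` just below, which does declare its type.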
93108 "oneOf": [
94109 {
95110 "type": "array",
96 "items": [
97 {
98 "$ref": "defs-linux.json#/definitions/blockIODeviceThrottlePointer"
99 }
100 ]
111 "items": {
112 "$ref": "defs-linux.json#/definitions/blockIODeviceThrottlePointer"
113 }
101114 },
102115 {
103116 "type": "null"
109122 "oneOf": [
110123 {
111124 "type": "array",
112 "items": [
113 {
114 "$ref": "defs-linux.json#/definitions/blockIODeviceThrottlePointer"
115 }
116 ]
125 "items": {
126 "$ref": "defs-linux.json#/definitions/blockIODeviceThrottlePointer"
127 }
117128 },
118129 {
119130 "type": "null"
125136 "oneOf": [
126137 {
127138 "type": "array",
128 "items": [
129 {
130 "$ref": "defs-linux.json#/definitions/blockIODeviceThrottlePointer"
131 }
132 ]
139 "items": {
140 "$ref": "defs-linux.json#/definitions/blockIODeviceThrottlePointer"
141 }
133142 },
134143 {
135144 "type": "null"
139148 "blkioWeightDevice": {
140149 "id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO/blkioWeightDevice",
141150 "type": "array",
142 "items": [
143 {
144 "$ref": "defs-linux.json#/definitions/blockIODeviceWeightPointer"
145 }
146 ]
151 "items": {
152 "$ref": "defs-linux.json#/definitions/blockIODeviceWeightPointer"
153 }
147154 }
148155 }
149156 },
189196 "id": "https://opencontainers.org/schema/bundle/linux/resources/hugepageLimits",
190197 "oneOf": [
191198 {
192 "type": "object",
193 "properties": {
194 "pageSize": {
195 "type": "string"
196 },
197 "limit": {
198 "$ref": "defs.json#/definitions/uint64"
199 "type": "array",
200 "items": {
201 "type": "object",
202 "properties": {
203 "pageSize": {
204 "type": "string"
205 },
206 "limit": {
207 "$ref": "defs.json#/definitions/uint64"
208 }
199209 }
200210 }
201211 },
234244 "id": "https://opencontainers.org/schema/bundle/linux/resources/network",
235245 "type": "object",
236246 "properties": {
237 "classId": {
247 "classID": {
238248 "id": "https://opencontainers.org/schema/bundle/linux/resources/network/classId",
239 "type": "string"
249 "$ref": "defs.json#/definitions/uint32"
240250 },
241251 "priorities": {
242252 "id": "https://opencontainers.org/schema/bundle/linux/resources/network/priorities",
255265 }
256266 }
257267 }
258 },
259 "rlimits": {
260 "id": "https://opencontainers.org/schema/bundle/linux/rlimits",
261 "items": [
262 {
263 "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0",
264 "properties": {
265 "hard": {
266 "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0/hard",
267 "type": "integer"
268 },
269 "soft": {
270 "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0/soft",
271 "type": "integer"
272 },
273 "type": {
274 "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0/type",
275 "type": "string",
276 "pattern": "^RLIMIT_[A-Z]+$"
277 }
278 },
279 "type": "object"
280 }
281 ],
282 "type": "array"
283268 },
284269 "cgroupsPath": {
285270 "oneOf": [
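Review bot: the property is renamed to `classID` and retyped as uint32, but its `id` still reads `.../network/classId`; rename the id too so it stays in step with the property name used by the Markdown and Go sides. Dropping `rlimits` from `linux` here is fine given it reappears under `process` in this change.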
336321 "type": "null"
337322 }
338323 ]
324 },
325 "maskedPaths": {
326 "id": "https://opencontainers.org/schema/bundle/linux/maskedPaths",
327 "$ref": "defs.json#/definitions/ArrayOfStrings"
328 },
329 "readonlyPaths": {
330 "id": "https://opencontainers.org/schema/bundle/linux/readonlyPaths",
331 "$ref": "defs.json#/definitions/ArrayOfStrings"
339332 }
340333 }
341334 }
2424 }
2525 },
2626 "annotations": {
27 "id": "https://opencontainers.org/schema/bundle/linux/sysctl",
27 "id": "https://opencontainers.org/schema/bundle/annotations",
2828 "oneOf": [
2929 {
3030 "$ref": "defs.json#/definitions/mapStringString"
138138 "noNewPrivileges": {
139139 "id": "https://opencontainers.org/schema/bundle/process/linux/noNewPrivileges",
140140 "type": "boolean"
141 },
142 "rlimits": {
143 "id": "https://opencontainers.org/schema/bundle/linux/rlimits",
144 "type": "array",
145 "items": {
146 "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0",
147 "type": "object",
148 "properties": {
149 "hard": {
150 "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0/hard",
151 "$ref": "defs.json#/definitions/uint64"
152 },
153 "soft": {
154 "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0/soft",
155 "$ref": "defs.json#/definitions/uint64"
156 },
157 "type": {
158 "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0/type",
159 "type": "string",
160 "pattern": "^RLIMIT_[A-Z]+$"
161 }
162 }
163 }
141164 }
142165 }
143166 },
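Review bot: the `rlimits` block moved under `process`, but its ids were copied verbatim and still read `https://opencontainers.org/schema/bundle/linux/rlimits` and `.../linux/rlimits/0/...`, while the sibling `noNewPrivileges` uses `.../process/linux/noNewPrivileges`; update them to the `.../process/linux/rlimits` form so the ids reflect where the definition now lives.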
9595
9696 // Hook specifies a command that is run at a particular event in the lifecycle of a container
9797 type Hook struct {
98 Path string `json:"path"`
99 Args []string `json:"args,omitempty"`
100 Env []string `json:"env,omitempty"`
98 Path string `json:"path"`
99 Args []string `json:"args,omitempty"`
100 Env []string `json:"env,omitempty"`
101 Timeout *int `json:"timeout,omitempty"`
101102 }
102103
103104 // Hooks for container setup and teardown
127128 // If resources are specified, the cgroups at CgroupsPath will be updated based on resources.
128129 CgroupsPath *string `json:"cgroupsPath,omitempty"`
129130 // Namespaces contains the namespaces that are created and/or joined by the container
130 Namespaces []Namespace `json:"namespaces"`
131 Namespaces []Namespace `json:"namespaces,omitempty"`
131132 // Devices are a list of device nodes that are created for the container
132 Devices []Device `json:"devices"`
133 Devices []Device `json:"devices,omitempty"`
133134 // Seccomp specifies the seccomp security settings for the container.
134135 Seccomp *Seccomp `json:"seccomp,omitempty"`
135136 // RootfsPropagation is the rootfs mount propagation mode for the container.
136137 RootfsPropagation string `json:"rootfsPropagation,omitempty"`
138 // MaskedPaths masks over the provided paths inside the container.
139 MaskedPaths []string `json:"maskedPaths,omitempty"`
140 // ReadonlyPaths sets the provided paths as RO inside the container.
141 ReadonlyPaths []string `json:"readonlyPaths,omitempty"`
137142 }
138143
139144 // Namespace is the configuration for a Linux namespace
55 // VersionMajor is for an API incompatible changes
66 VersionMajor = 0
77 // VersionMinor is for functionality in a backwards-compatible manner
8 VersionMinor = 4
8 VersionMinor = 5
99 // VersionPatch is for backwards-compatible bug fixes
1010 VersionPatch = 0
1111
00 # Style and conventions
1
2 ## One sentence per line
3
4 To keep consistency throughout the Markdown files in the Open Container spec all files should be formatted one sentence per line.
5 This fixes two things: it makes diffing easier with git and it resolves fights about line wrapping length.
6 For example, this paragraph will span three lines in the Markdown source.
17
28 ## Traditionally hex settings should use JSON integers, not JSON strings
39
612
713 ## Constant names should keep redundant prefixes
814
9 For example, `CAP_KILL` instead of `KILL` in [**`linux.capabilities`**][capabilities]).
15 For example, `CAP_KILL` instead of `KILL` in [**`linux.capabilities`**][capabilities].
1016 The redundancy reduction from removing the namespacing prefix is not useful enough to be worth trimming the upstream identifier ([source][keep-prefix]).
1117
1218 ## Optional settings should have pointer Go types
1723
1824 [capabilities]: config-linux.md#capabilities
1925 [class-id]: config-linux.md#network
20 [integer-over-hex]: https://github.com/opencontainers/specs/pull/267#discussion_r48360013
21 [keep-prefix]: https://github.com/opencontainers/specs/pull/159#issuecomment-138728337
22 [no-pointer-for-boolean]: https://github.com/opencontainers/specs/pull/290#discussion_r50296396
23 [no-pointer-for-slices]: https://github.com/opencontainers/specs/pull/316/files#r50782982
24 [optional-pointer]: https://github.com/opencontainers/specs/pull/233#discussion_r47829711
25 [pointer-when-updates-require-changes]: https://github.com/opencontainers/specs/pull/317/files#r50932706
26 [integer-over-hex]: https://github.com/opencontainers/runtime-spec/pull/267#discussion_r48360013
27 [keep-prefix]: https://github.com/opencontainers/runtime-spec/pull/159#issuecomment-138728337
28 [no-pointer-for-boolean]: https://github.com/opencontainers/runtime-spec/pull/290#discussion_r50296396
29 [no-pointer-for-slices]: https://github.com/opencontainers/runtime-spec/pull/316/files#r50782982
30 [optional-pointer]: https://github.com/opencontainers/runtime-spec/pull/233#discussion_r47829711
31 [pointer-when-updates-require-changes]: https://github.com/opencontainers/runtime-spec/pull/317/files#r50932706