Update upstream source from tag 'upstream/1.0.2.118.g5cfc4c3'
Update to upstream version '1.0.2.118.g5cfc4c3'
with Debian dir df2c42e584ead091ed782f637cf386047e9f9ca0
Faidon Liambotis
1 year, 3 months ago
| 0 | * @crosbymichael @cyphar @dqminh @giuseppe @hqhq @mrunalp @tianon @vbatts | |
| 0 | * @AkihiroSuda @crosbymichael @cyphar @dqminh @giuseppe @hqhq @kolyshkin @mrunalp @thaJeztah @tianon @vbatts |
| 66 | 66 | |
| 67 | 67 | > [runtime-spec adopted]: Tag 0647920 as 1.0.0-rc (+6 -0 #3) |
| 68 | 68 | |
| 69 | [charter]: https://www.opencontainers.org/about/governance | |
| 69 | [charter]: https://github.com/opencontainers/tob/blob/main/CHARTER.md |
| 5 | 5 | Qiang Huang <h.huangqiang@huawei.com> (@hqhq) |
| 6 | 6 | Aleksa Sarai <asarai@suse.de> (@cyphar) |
| 7 | 7 | Giuseppe Scrivano <gscrivan@redhat.com> (@giuseppe) |
| 8 | Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> (@AkihiroSuda) | |
| 9 | Kir Kolyshkin <kolyshkin@gmail.com> (@kolyshkin) | |
| 10 | Sebastiaan van Stijn <github@gone.nl> (@thaJeztah) |
| 47 | 47 | For example if a breaking change is introduced in v1.0.0-rc2 then the series would end with v1.0.0-rc4 and v1.0.0. |
| 48 | 48 | * Minor and patch releases SHOULD be made on an as-needed basis. |
| 49 | 49 | |
| 50 | [charter]: https://www.opencontainers.org/about/governance | |
| 50 | [charter]: https://github.com/opencontainers/tob/blob/main/CHARTER.md | |
| 51 | 51 | |
| 52 | 52 | ## Checklist |
| 53 | 53 |
| 335 | 335 | To disable it, specify a value of `true`. |
| 336 | 336 | * **`useHierarchy`** *(bool, OPTIONAL)* - enables or disables hierarchical memory accounting. |
| 337 | 337 | If enabled (`true`), child cgroups will share the memory limits of this cgroup. |
| 338 | * **`checkBeforeUpdate`** *(bool, OPTIONAL)* - enables container memory usage check before setting a new limit. | |
| 339 | If enabled (`true`), runtime MAY check if a new memory limit is lower than the current usage, and MUST | |
| 340 | reject the new limit. Practically, when cgroup v1 is used, the kernel rejects the limit lower than the | |
| 341 | current usage, and when cgroup v2 is used, an OOM killer is invoked. This setting can be used on | |
| 342 | cgroup v2 to mimic the cgroup v1 behavior. | |
| 338 | 343 | |
| 339 | 344 | #### Example |
| 340 | 345 | |
| 359 | 364 | |
| 360 | 365 | * **`shares`** *(uint64, OPTIONAL)* - specifies a relative share of CPU time available to the tasks in a cgroup |
| 361 | 366 | * **`quota`** *(int64, OPTIONAL)* - specifies the total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by **`period`** below) |
| 367 | If specified with any (valid) positive value, it MUST be no smaller than `burst` (runtimes MAY generate an error). | |
| 368 | * **`burst`** *(uint64, OPTIONAL)* - specifies the maximum amount of accumulated time in microseconds for which all tasks in a cgroup can run additionally for burst during one period (as defined by **`period`** below) | |
| 369 | If specified, this value MUST be no larger than any positive `quota` (runtimes MAY generate an error). | |
| 362 | 370 | * **`period`** *(uint64, OPTIONAL)* - specifies a period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated (CFS scheduler only) |
| 363 | 371 | * **`realtimeRuntime`** *(int64, OPTIONAL)* - specifies a period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources |
| 364 | 372 | * **`realtimePeriod`** *(uint64, OPTIONAL)* - same as **`period`** but applies to realtime scheduler only |
| 372 | 380 | "cpu": { |
| 373 | 381 | "shares": 1024, |
| 374 | 382 | "quota": 1000000, |
| 383 | "burst": 1000000, | |
| 375 | 384 | "period": 500000, |
| 376 | 385 | "realtimeRuntime": 950000, |
| 377 | 386 | "realtimePeriod": 1000000, |
| 700 | 709 | * `SECCOMP_FILTER_FLAG_TSYNC` |
| 701 | 710 | * `SECCOMP_FILTER_FLAG_LOG` |
| 702 | 711 | * `SECCOMP_FILTER_FLAG_SPEC_ALLOW` |
| 712 | * `SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV` | |
| 703 | 713 | |
| 704 | 714 | * **`listenerPath`** *(string, OPTIONAL)* - specifies the path of UNIX domain socket over which the runtime will send the [container process state](#containerprocessstate) data structure when the `SCMP_ACT_NOTIFY` action is used. |
| 705 | 715 | This socket MUST use `AF_UNIX` domain and `SOCK_STREAM` type. |
| 352 | 352 | |
| 353 | 353 | ```json |
| 354 | 354 | "hostname": "mrsdalloway" |
| 355 | ``` | |
| 356 | ||
| 357 | ## <a name="configDomainname" />Domainname | |
| 358 | ||
| 359 | * **`domainname`** (string, OPTIONAL) specifies the container's domainname as seen by processes running inside the container. | |
| 360 | On Linux, for example, this will change the domainname in the [container](glossary.md#container-namespace) [UTS namespace][uts-namespace.7]. | |
| 361 | Depending on your [namespace configuration](config-linux.md#namespaces), the container UTS namespace may be the [runtime](glossary.md#runtime-namespace) [UTS namespace][uts-namespace.7]. | |
| 362 | ||
| 363 | ### Example | |
| 364 | ||
| 365 | ```json | |
| 366 | "domainname": "foobarbaz.test" | |
| 355 | 367 | ``` |
| 356 | 368 | |
| 357 | 369 | ## <a name="configPlatformSpecificConfiguration" />Platform-specific configuration |
| 429 | 441 | |
| 430 | 442 | ### <a name="configHooksPrestart" />Prestart |
| 431 | 443 | |
| 432 | The `prestart` hooks MUST be called after the [`start`](runtime.md#start) operation is called but [before the user-specified program command is executed](runtime.md#lifecycle). | |
| 444 | The `prestart` hooks MUST be called as part of the [`create`](runtime.md#create) operation after the runtime environment has been created (according to the configuration in config.json) but before the `pivot_root` or any equivalent operation has been executed. | |
| 433 | 445 | On Linux, for example, they are called after the container namespaces are created, so they provide an opportunity to customize the container (e.g. the network namespace could be specified in this hook). |
| 446 | The `prestart` hooks MUST be called before the `createRuntime` hooks. | |
| 434 | 447 | |
| 435 | 448 | Note: `prestart` hooks were deprecated in favor of `createRuntime`, `createContainer` and `startContainer` hooks, which allow more granular hook control during the create and start phase. |
| 436 | 449 | |
| 447 | 460 | On Linux, for example, they are called after the container namespaces are created, so they provide an opportunity to customize the container (e.g. the network namespace could be specified in this hook). |
| 448 | 461 | |
| 449 | 462 | The definition of `createRuntime` hooks is currently underspecified and hooks authors, should only expect from the runtime that the mount namespace have been created and the mount operations performed. Other operations such as cgroups and SELinux/AppArmor labels might not have been performed by the runtime. |
| 450 | ||
| 451 | Note: `runc` originally implemented `prestart` hooks contrary to the spec, namely as part of the `create` operation (instead of during the `start` operation). This incorrect implementation actually corresponds to `createRuntime` hooks. For runtimes that implement the deprecated `prestart` hooks as `createRuntime` hooks, `createRuntime` hooks MUST be called after the `prestart` hooks. | |
| 452 | 463 | |
| 453 | 464 | ### <a name="configHooksCreateContainer" />CreateContainer Hooks |
| 454 | 465 | |
| 108 | 108 | }, |
| 109 | 109 | "quota": { |
| 110 | 110 | "$ref": "defs.json#/definitions/int64" |
| 111 | }, | |
| 112 | "burst": { | |
| 113 | "$ref": "defs.json#/definitions/uint64" | |
| 111 | 114 | }, |
| 112 | 115 | "realtimePeriod": { |
| 113 | 116 | "$ref": "defs.json#/definitions/uint64" |
| 168 | 171 | }, |
| 169 | 172 | "useHierarchy": { |
| 170 | 173 | "type": "boolean" |
| 174 | }, | |
| 175 | "checkBeforeUpdate": { | |
| 176 | "type": "boolean" | |
| 171 | 177 | } |
| 172 | 178 | } |
| 173 | 179 | }, |
| 32 | 32 | "$ref": "defs.json#/definitions/annotations" |
| 33 | 33 | }, |
| 34 | 34 | "hostname": { |
| 35 | "type": "string" | |
| 36 | }, | |
| 37 | "domainname": { | |
| 35 | 38 | "type": "string" |
| 36 | 39 | }, |
| 37 | 40 | "mounts": { |
| 69 | 69 | "enum": [ |
| 70 | 70 | "SECCOMP_FILTER_FLAG_TSYNC", |
| 71 | 71 | "SECCOMP_FILTER_FLAG_LOG", |
| 72 | "SECCOMP_FILTER_FLAG_SPEC_ALLOW" | |
| 72 | "SECCOMP_FILTER_FLAG_SPEC_ALLOW", | |
| 73 | "SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV" | |
| 73 | 74 | ] |
| 74 | 75 | }, |
| 75 | 76 | "SeccompOperators": { |
| 62 | 62 | "readonly": true |
| 63 | 63 | }, |
| 64 | 64 | "hostname": "slartibartfast", |
| 65 | "domainname": "foobarbaz.test", | |
| 65 | 66 | "mounts": [ |
| 66 | 67 | { |
| 67 | 68 | "destination": "/proc", |
| 268 | 269 | "kernelTCP": -1, |
| 269 | 270 | "swappiness": 0, |
| 270 | 271 | "disableOOMKiller": false, |
| 271 | "useHierarchy": false | |
| 272 | "useHierarchy": false, | |
| 273 | "checkBeforeUpdate": false | |
| 272 | 274 | }, |
| 273 | 275 | "cpu": { |
| 274 | 276 | "shares": 1024, |
| 275 | 277 | "quota": 1000000, |
| 278 | "burst": 1000000, | |
| 276 | 279 | "period": 500000, |
| 277 | 280 | "realtimeRuntime": 950000, |
| 278 | 281 | "realtimePeriod": 1000000, |
| 11 | 11 | Root *Root `json:"root,omitempty"` |
| 12 | 12 | // Hostname configures the container's hostname. |
| 13 | 13 | Hostname string `json:"hostname,omitempty"` |
| 14 | // Domainname configures the container's domainname. | |
| 15 | Domainname string `json:"domainname,omitempty"` | |
| 14 | 16 | // Mounts configures additional mounts (on top of Root). |
| 15 | 17 | Mounts []Mount `json:"mounts,omitempty"` |
| 16 | 18 | // Hooks configures callbacks for container lifecycle events. |
| 316 | 318 | DisableOOMKiller *bool `json:"disableOOMKiller,omitempty"` |
| 317 | 319 | // Enables hierarchical memory accounting |
| 318 | 320 | UseHierarchy *bool `json:"useHierarchy,omitempty"` |
| 321 | // CheckBeforeUpdate enables checking if a new memory limit is lower | |
| 322 | // than the current usage during update, and if so, rejecting the new | |
| 323 | // limit. | |
| 324 | CheckBeforeUpdate *bool `json:"checkBeforeUpdate,omitempty"` | |
| 319 | 325 | } |
| 320 | 326 | |
| 321 | 327 | // LinuxCPU for Linux cgroup 'cpu' resource management |
| 324 | 330 | Shares *uint64 `json:"shares,omitempty"` |
| 325 | 331 | // CPU hardcap limit (in usecs). Allowed cpu time in a given period. |
| 326 | 332 | Quota *int64 `json:"quota,omitempty"` |
| 333 | // CPU hardcap burst limit (in usecs). Allowed accumulated cpu time additionally for burst in a | |
| 334 | // given period. | |
| 335 | Burst *uint64 `json:"burst,omitempty"` | |
| 327 | 336 | // CPU period to be used for hardcapping (in usecs). |
| 328 | 337 | Period *uint64 `json:"period,omitempty"` |
| 329 | 338 | // How much time realtime scheduling may use (in usecs). |
| 642 | 651 | // LinuxSeccompFlagSpecAllow can be used to disable Speculative Store |
| 643 | 652 | // Bypass mitigation. (since Linux 4.17) |
| 644 | 653 | LinuxSeccompFlagSpecAllow LinuxSeccompFlag = "SECCOMP_FILTER_FLAG_SPEC_ALLOW" |
| 654 | ||
| 655 | // LinuxSeccompFlagWaitKillableRecv can be used to switch to the wait | |
| 656 | // killable semantics. (since Linux 5.19) | |
| 657 | LinuxSeccompFlagWaitKillableRecv LinuxSeccompFlag = "SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV" | |
| 645 | 658 | ) |
| 646 | 659 | |
| 647 | 660 | // Additional architectures permitted to be used for system calls |