New upstream version 1.0.1+git20181111.1722abf
Dmitry Smirnov
4 years ago
0 | 0 | language: go |
1 | 1 | go: |
2 | - 1.7 | |
3 | - 1.6.3 | |
4 | - 1.5.4 | |
2 | - "1.11.x" | |
3 | - "1.10.x" | |
4 | - "1.9.x" | |
5 | 5 | |
6 | 6 | sudo: required |
7 | 7 | |
11 | 11 | before_install: |
12 | 12 | - make install.tools |
13 | 13 | - docker pull vbatts/pandoc |
14 | - go get -d ./schema/... | |
14 | 15 | |
15 | 16 | install: true |
16 | 17 |
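Review bot: The `go get -d ./schema/...` step is removed from before_install but nothing in this section replaces it, so the schema validator's dependencies presumably now come from vendoring or from the Makefile; if they do not, `make install.tools` and the schema tests will build against whatever happens to be on GOPATH. Separately, `docker pull vbatts/pandoc` in the same block still pulls a floating tag, so each CI run executes whichever image was pushed most recently; pinning by digest, `docker pull vbatts/pandoc@sha256:<digest-placeholder>`, makes the docs build reproducible and keeps a silently replaced image out of the pipeline.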
61 | 61 | |
62 | 62 | # `go get github.com/golang/lint/golint` |
63 | 63 | .golint: |
64 | ifeq ($(call ALLOWED_GO_VERSION,1.6,$(HOST_GOLANG_VERSION)),true) | |
64 | ifeq ($(call ALLOWED_GO_VERSION,1.7,$(HOST_GOLANG_VERSION)),true) | |
65 | 65 | @which golint > /dev/null 2>/dev/null || (echo "ERROR: golint not found. Consider 'make install.tools' target" && false) |
66 | 66 | golint ./... |
67 | 67 | endif |
78 | 78 | |
79 | 79 | install.tools: .install.golint .install.gitvalidation |
80 | 80 | |
81 | # golint does not even build for <go1.6 | |
81 | # golint does not even build for <go1.7 | |
82 | 82 | .install.golint: |
83 | ifeq ($(call ALLOWED_GO_VERSION,1.6,$(HOST_GOLANG_VERSION)),true) | |
83 | ifeq ($(call ALLOWED_GO_VERSION,1.7,$(HOST_GOLANG_VERSION)),true) | |
84 | 84 | go get -u github.com/golang/lint/golint |
85 | 85 | endif |
86 | 86 |
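Review bot: `.install.golint` still runs `go get -u github.com/golang/lint/golint`, which fetches the linter from the repository head at build time and, because of `-u`, also upgrades its dependencies, so the tool's code changes between CI runs without any commit in this repository. The `ALLOWED_GO_VERSION` gate raised to 1.7 bounds only the Go toolchain, not the linter revision; a vendored or otherwise pinned copy, and dropping `-u`, would make lint results reproducible. The same gate now reads 1.7 in both `.golint` and `.install.golint`, consistent with the updated comment on line 81.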
21 | 21 | ### Application Bundle Builders |
22 | 22 | |
23 | 23 | Application bundle builders can create a [bundle](bundle.md) directory that includes all of the files required for launching an application as a container. |
24 | The bundle contains an OCI [configuration file](config.md) where the builder can specify host-independent details such as [which executable to launch](config.md#process) and host-specific settings such as [mount](config.md#mounts) locations, [hook](config.md#hooks) paths, Linux [namespaces](config-linux.md#namespaces) and [cgroups](config-linux.md#control-groups). | |
24 | The bundle contains an OCI [configuration file](config.md) where the builder can specify host-independent details such as [which executable to launch](config.md#process) and host-specific settings such as [mount](config.md#mounts) locations, [hook](config.md#posix-platform-hooks) paths, Linux [namespaces](config-linux.md#namespaces) and [cgroups](config-linux.md#control-groups). | |
25 | 25 | Because the configuration includes host-specific settings, application bundle directories copied between two hosts may require configuration adjustments. |
26 | 26 | |
27 | 27 | ### Hook Developers |
28 | 28 | |
29 | [Hook](config.md#hooks) developers can extend the functionality of an OCI-compliant runtime by hooking into a container's lifecycle with an external application. | |
29 | [Hook](config.md#posix-platform-hooks) developers can extend the functionality of an OCI-compliant runtime by hooking into a container's lifecycle with an external application. | |
30 | 30 | Example use cases include sophisticated network configuration, volume garbage collection, etc. |
31 | 31 | |
32 | 32 | ### Runtime Developers |
53 | 53 | |
54 | 54 | ### Meetings |
55 | 55 | |
56 | The contributors and maintainers of all OCI projects have monthly meetings at 2:00 PM (USA Pacific) on the first Wednesday of every month. | |
56 | The contributors and maintainers of all OCI projects have monthly meetings, which are usually at 2:00 PM (USA Pacific) on the first Wednesday of every month. | |
57 | 57 | There is an [iCalendar][rfc5545] format for the meetings [here](meeting.ics). |
58 | 58 | Everyone is welcome to participate via [UberConference web][uberconference] or audio-only: +1 415 968 0849 (no PIN needed). |
59 | 59 | An initial agenda will be posted to the [mailing list](#mailing-list) in the week before each meeting, and everyone is welcome to propose additional topics or suggest other agenda alterations there. |
81 | 81 | |
82 | 82 | Each entry has the following structure: |
83 | 83 | |
84 | * **`containerID`** *(uint32, REQUIRED)* - is the starting uid/gid in the container. | |
84 | 85 | * **`hostID`** *(uint32, REQUIRED)* - is the starting uid/gid on the host to be mapped to *containerID*. |
85 | * **`containerID`** *(uint32, REQUIRED)* - is the starting uid/gid in the container. | |
86 | 86 | * **`size`** *(uint32, REQUIRED)* - is the number of ids to be mapped. |
87 | 87 | |
88 | 88 | The runtime SHOULD NOT modify the ownership of referenced filesystems to realize the mapping. |
93 | 93 | ```json |
94 | 94 | "uidMappings": [ |
95 | 95 | { |
96 | "containerID": 0, | |
96 | 97 | "hostID": 1000, |
97 | "containerID": 0, | |
98 | 98 | "size": 32000 |
99 | 99 | } |
100 | 100 | ], |
101 | 101 | "gidMappings": [ |
102 | 102 | { |
103 | "containerID": 0, | |
103 | 104 | "hostID": 1000, |
104 | "containerID": 0, | |
105 | 105 | "size": 32000 |
106 | 106 | } |
107 | 107 | ] |
121 | 121 | * **`major, minor`** *(int64, REQUIRED unless `type` is `p`)* - [major, minor numbers][devices] for the device. |
122 | 122 | * **`fileMode`** *(uint32, OPTIONAL)* - file mode for the device. |
123 | 123 | You can also control access to devices [with cgroups](#device-whitelist). |
124 | * **`uid`** *(uint32, OPTIONAL)* - id of device owner. | |
125 | * **`gid`** *(uint32, OPTIONAL)* - id of device group. | |
124 | * **`uid`** *(uint32, OPTIONAL)* - id of device owner in the [container namespace](glossary.md#container-namespace). | |
125 | * **`gid`** *(uint32, OPTIONAL)* - id of device group in the [container namespace](glossary.md#container-namespace). | |
126 | 126 | |
127 | 127 | The same `type`, `major` and `minor` SHOULD NOT be used for multiple devices. |
128 | 128 | |
161 | 161 | * [`/dev/random`][random.4] |
162 | 162 | * [`/dev/urandom`][random.4] |
163 | 163 | * [`/dev/tty`][tty.4] |
164 | * [`/dev/console`][console.4] is set up if terminal is enabled in the config by bind mounting the pseudoterminal slave to /dev/console. | |
164 | * `/dev/console` is set up if [`terminal`](config.md#process) is enabled in the config by bind mounting the pseudoterminal slave to `/dev/console`. | |
165 | 165 | * [`/dev/ptmx`][pts.4]. |
166 | 166 | A [bind-mount or symlink of the container's `/dev/pts/ptmx`][devpts]. |
167 | 167 | |
168 | 168 | ## <a name="configLinuxControlGroups" />Control groups |
169 | 169 | |
170 | 170 | Also known as cgroups, they are used to restrict resource usage for a container and handle device access. |
171 | cgroups provide controls (through controllers) to restrict cpu, memory, IO, pids and network for the container. | |
171 | cgroups provide controls (through controllers) to restrict cpu, memory, IO, pids, network and RDMA resources for the container. | |
172 | 172 | For more information, see the [kernel cgroups documentation][cgroup-v1]. |
173 | 173 | |
174 | 174 | ### <a name="configLinuxCgroupsPath" />Cgroups Path |
454 | 454 | } |
455 | 455 | ``` |
456 | 456 | |
457 | ### <a name="configLinuxRDMA" />RDMA | |
458 | ||
459 | **`rdma`** (object, OPTIONAL) represents the cgroup subsystem `rdma`. | |
460 | For more information, see the kernel cgroups documentation about [rdma][cgroup-v1-rdma]. | |
461 | ||
462 | The name of the device to limit is the entry key. | |
463 | Entry values are objects with the following properties: | |
464 | ||
465 | * **`hcaHandles`** *(uint32, OPTIONAL)* - specifies the maximum number of hca_handles in the cgroup | |
466 | * **`hcaObjects`** *(uint32, OPTIONAL)* - specifies the maximum number of hca_objects in the cgroup | |
467 | ||
468 | You MUST specify at least one of the `hcaHandles` or `hcaObjects` in a given entry, and MAY specify both. | |
469 | ||
470 | #### Example | |
471 | ||
472 | ```json | |
473 | "rdma": { | |
474 | "mlx5_1": { | |
475 | "hcaHandles": 3, | |
476 | "hcaObjects": 10000 | |
477 | }, | |
478 | "mlx4_0": { | |
479 | "hcaObjects": 1000 | |
480 | }, | |
481 | "rxe3": { | |
482 | "hcaObjects": 10000 | |
483 | } | |
484 | } | |
485 | ``` | |
486 | ||
457 | 487 | ## <a name="configLinuxIntelRdt" />IntelRdt |
458 | 488 | |
459 | 489 | **`intelRdt`** (object, OPTIONAL) represents the [Intel Resource Director Technology][intel-rdt-cat-kernel-interface]. |
460 | If `intelRdt` is set, the runtime MUST write the container process ID to the `<container-id>/tasks` file in a mounted `resctrl` pseudo-filesystem, using the container ID from [`start`](runtime.md#start) and creating the `<container-id>` directory if necessary. | |
490 | If `intelRdt` is set, the runtime MUST write the container process ID to the `tasks` file in a proper sub-directory in a mounted `resctrl` pseudo-filesystem. That sub-directory name is specified by `closID` parameter. | |
461 | 491 | If no mounted `resctrl` pseudo-filesystem is available in the [runtime mount namespace](glossary.md#runtime-namespace), the runtime MUST [generate an error](runtime.md#errors). |
462 | 492 | |
463 | If `intelRdt` is not set, the runtime MUST NOT manipulate any `resctrl` pseudo-filesystems. | |
493 | If `intelRdt` is not set, the runtime MUST NOT manipulate any `resctrl` pseudo-filesystems. | |
464 | 494 | |
465 | 495 | The following parameters can be specified for the container: |
466 | 496 | |
497 | * **`closID`** *(string, OPTIONAL)* - specifies the identity for RDT Class of Service (CLOS). | |
498 | If `closID` is set, runtimes MUST create `closID` directory in a mounted `resctrl` pseudo-filesystem if it doesn't exist. If not set, runtimes MUST use the container ID from [`start`](runtime.md#start) and create the `<container-id>` directory. | |
499 | ||
467 | 500 | * **`l3CacheSchema`** *(string, OPTIONAL)* - specifies the schema for L3 cache id and capacity bitmask (CBM). |
468 | If `l3CacheSchema` is set, runtimes MUST write the value to the `schemata` file in the `<container-id>` directory discussed in `intelRdt`. | |
469 | ||
470 | If `l3CacheSchema` is not set, runtimes MUST NOT write to `schemata` files in any `resctrl` pseudo-filesystems. | |
471 | ||
472 | ### Example | |
473 | ||
474 | Consider a two-socket machine with two L3 caches where the default CBM is 0xfffff and the max CBM length is 20 bits. | |
475 | Tasks inside the container only have access to the "upper" 80% of L3 cache id 0 and the "lower" 50% L3 cache id 1: | |
501 | The value SHOULD start with `L3:` and SHOULD NOT contain newlines. | |
502 | * **`memBwSchema`** *(string, OPTIONAL)* - specifies the schema of memory bandwidth per L3 cache id. | |
503 | The value MUST start with `MB:` and MUST NOT contain newlines. | |
504 | ||
505 | If both `l3CacheSchema` and `memBwSchema` are set, runtimes MUST write the combined value to the `schemata` file in that sub-directory discussed in `closID`. | |
506 | If `l3CacheSchema` contains a line beginning with `MB:`, the value written to `schemata` file MUST be the non-`MB:` line(s) from `l3CacheSchema` and the line from `memBWSchema`. | |
507 | ||
508 | If either `l3CacheSchema` or `memBwSchema` is set, runtimes MUST write the value to the `schemata` file in the that sub-directory discussed in `closID`. | |
509 | ||
510 | If neither `l3CacheSchema` nor `memBwSchema` is set, runtimes MUST NOT write to `schemata` files in any `resctrl` pseudo-filesystems. | |
511 | ||
512 | If `closID` is set, `l3CacheSchema` and/or `memBwSchema` is set, runtimes MUST compare `l3CacheSchema` and/or `memBwSchema` value with `schemata` file, and [generate an error](runtime.md#errors) if doesn't match. | |
513 | ||
514 | ### Example | |
515 | ||
516 | Consider a two-socket machine with two L3 caches where the default CBM is 0x7ff and the max CBM length is 11 bits, | |
517 | and minimum memory bandwidth of 10% with a memory bandwidth granularity of 10%. | |
518 | ||
519 | Tasks inside the container only have access to the "upper" 7/11 of L3 cache on socket 0 and the "lower" 5/11 L3 cache on socket 1, | |
520 | and may use a maximum memory bandwidth of 20% on socket 0 and 70% on socket 1. | |
476 | 521 | |
477 | 522 | ```json |
478 | 523 | "linux": { |
479 | 524 | "intelRdt": { |
480 | "l3CacheSchema": "L3:0=ffff0;1=3ff" | |
525 | "closID": "guaranteed_group", | |
526 | "l3CacheSchema": "L3:0=7f0;1=1f", | |
527 | "memBwSchema": "MB:0=20;1=70" | |
481 | 528 | } |
482 | 529 | } |
483 | 530 | ``` |
646 | 693 | [cgroup-v1-net-cls]: https://www.kernel.org/doc/Documentation/cgroup-v1/net_cls.txt |
647 | 694 | [cgroup-v1-net-prio]: https://www.kernel.org/doc/Documentation/cgroup-v1/net_prio.txt |
648 | 695 | [cgroup-v1-pids]: https://www.kernel.org/doc/Documentation/cgroup-v1/pids.txt |
696 | [cgroup-v1-rdma]: https://www.kernel.org/doc/Documentation/cgroup-v1/rdma.txt | |
649 | 697 | [cgroup-v2]: https://www.kernel.org/doc/Documentation/cgroup-v2.txt |
650 | 698 | [devices]: https://www.kernel.org/doc/Documentation/admin-guide/devices.txt |
651 | 699 | [devpts]: https://www.kernel.org/doc/Documentation/filesystems/devpts.txt |
657 | 705 | [sysfs]: https://www.kernel.org/doc/Documentation/filesystems/sysfs.txt |
658 | 706 | [tmpfs]: https://www.kernel.org/doc/Documentation/filesystems/tmpfs.txt |
659 | 707 | |
660 | [console.4]: http://man7.org/linux/man-pages/man4/console.4.html | |
661 | 708 | [full.4]: http://man7.org/linux/man-pages/man4/full.4.html |
662 | 709 | [mknod.1]: http://man7.org/linux/man-pages/man1/mknod.1.html |
663 | 710 | [mknod.2]: http://man7.org/linux/man-pages/man2/mknod.2.html |
0 | # <a name="VirtualMachineSpecificContainerConfiguration" /> Virtual-machine-specific Container Configuration | |
1 | ||
2 | This section describes the schema for the [virtual-machine-specific section](config.md#platform-specific-configuration) of the [container configuration](config.md). | |
3 | The virtual-machine container specification provides additional configuration for the hypervisor, kernel, and image. | |
4 | ||
5 | ## <a name="HypervisorObject" /> Hypervisor Object | |
6 | ||
7 | **`hypervisor`** (object, OPTIONAL) specifies details of the hypervisor that manages the container virtual machine. | |
8 | * **`path`** (string, REQUIRED) path to the hypervisor binary that manages the container virtual machine. | |
9 | This value MUST be an absolute path in the [runtime mount namespace](glossary.md#runtime-namespace). | |
10 | * **`parameters`** (array of strings, OPTIONAL) specifies an array of parameters to pass to the hypervisor. | |
11 | ||
12 | ### Example | |
13 | ||
14 | ```json | |
15 | "hypervisor": { | |
16 | "path": "/path/to/vmm", | |
17 | "parameters": ["opts1=foo", "opts2=bar"] | |
18 | } | |
19 | ``` | |
20 | ||
21 | ## <a name="KernelObject" /> Kernel Object | |
22 | ||
23 | **`kernel`** (object, REQUIRED) specifies details of the kernel to boot the container virtual machine with. | |
24 | * **`path`** (string, REQUIRED) path to the kernel used to boot the container virtual machine. | |
25 | This value MUST be an absolute path in the [runtime mount namespace](glossary.md#runtime-namespace). | |
26 | * **`parameters`** (array of strings, OPTIONAL) specifies an array of parameters to pass to the kernel. | |
27 | * **`initrd`** (string, OPTIONAL) path to an initial ramdisk to be used by the container virtual machine. | |
28 | This value MUST be an absolute path in the [runtime mount namespace](glossary.md#runtime-namespace). | |
29 | ||
30 | ### Example | |
31 | ||
32 | ```json | |
33 | "kernel": { | |
34 | "path": "/path/to/vmlinuz", | |
35 | "parameters": ["foo=bar", "hello world"], | |
36 | "initrd": "/path/to/initrd.img" | |
37 | } | |
38 | ``` | |
39 | ||
40 | ## <a name="ImageObject" /> Image Object | |
41 | ||
42 | **`image`** (object, OPTIONAL) specifies details of the image that contains the root filesystem for the container virtual machine. | |
43 | * **`path`** (string, REQUIRED) path to the container virtual machine root image. | |
44 | This value MUST be an absolute path in the [runtime mount namespace](glossary.md#runtime-namespace). | |
45 | * **`format`** (string, REQUIRED) format of the container virtual machine root image. Commonly supported formats are: | |
46 | * **`raw`** [raw disk image format][raw-image-format]. Unset values for `format` will default to that format. | |
47 | * **`qcow2`** [QEMU image format][qcow2-image-format]. | |
48 | * **`vdi`** [VirtualBox 1.1 compatible image format][vdi-image-format]. | |
49 | * **`vmdk`** [VMware compatible image format][vmdk-image-format]. | |
50 | * **`vhd`** [Virtual Hard Disk image format][vhd-image-format]. | |
51 | ||
52 | This image contains the root filesystem that the virtual machine **`kernel`** will boot into, not to be confused with the container root filesystem itself. The latter, as specified by **`path`** from the [Root Configuration](config.md#Root-Configuration) section, will be mounted inside the virtual machine at a location chosen by the virtual-machine-based runtime. | |
53 | ||
54 | ### Example | |
55 | ||
56 | ```json | |
57 | "image": { | |
58 | "path": "/path/to/vm/rootfs.img", | |
59 | "format": "raw" | |
60 | } | |
61 | ``` | |
62 | ||
63 | [raw-image-format]: https://en.wikipedia.org/wiki/IMG_(file_format) | |
64 | [qcow2-image-format]: https://git.qemu.org/?p=qemu.git;a=blob_plain;f=docs/interop/qcow2.txt;hb=HEAD | |
65 | [vdi-image-format]: https://forensicswiki.org/wiki/Virtual_Disk_Image_(VDI) | |
66 | [vmdk-image-format]: http://www.vmware.com/app/vmdk/?src=vmdk | |
67 | [vhd-image-format]: https://github.com/libyal/libvhdi/blob/master/documentation/Virtual%20Hard%20Disk%20(VHD)%20image%20format.asciidoc |
18 | 18 | } |
19 | 19 | ``` |
20 | 20 | |
21 | ## <a name="configWindowsDevices" />Devices | |
22 | ||
23 | **`devices`** (array of objects, OPTIONAL) lists devices that MUST be available in the container. | |
24 | ||
25 | Each entry has the following structure: | |
26 | ||
27 | * **`id`** *(string, REQUIRED)* - specifies the device which the runtime MUST make available in the container. | |
28 | * **`idType`** *(string, REQUIRED)* - tells the runtime how to interpret `id`. Today, Windows only supports a value of `class`, which identifies `id` as a [device interface class GUID][interfaceGUID]. | |
29 | ||
30 | [interfaceGUID]: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/overview-of-device-interface-classes | |
31 | ||
32 | ### Example | |
33 | ||
34 | ```json | |
35 | "windows": { | |
36 | "devices": [ | |
37 | { | |
38 | "id": "24E552D7-6523-47F7-A647-D3465BF1F5CA", | |
39 | "idType": "class" | |
40 | }, | |
41 | { | |
42 | "id": "5175d334-c371-4806-b3ba-71fd53c9258d", | |
43 | "idType": "class" | |
44 | } | |
45 | ] | |
46 | } | |
47 | ``` | |
48 | ||
21 | 49 | ## <a name="configWindowsResources" />Resources |
22 | 50 | |
23 | 51 | You can configure a container's resource limits via the OPTIONAL `resources` field of the Windows configuration. |
96 | 124 | * **`allowUnqualifiedDNSQuery`** *(bool, OPTIONAL)* - specifies if unqualified DNS name resolution is allowed. |
97 | 125 | * **`DNSSearchList`** *(array of strings, OPTIONAL)* - comma separated list of DNS suffixes to use for name resolution. |
98 | 126 | * **`networkSharedContainerName`** *(string, OPTIONAL)* - name (ID) of the container that we will share with the network stack. |
127 | * **`networkNamespace`** *(string, OPTIONAL)* - name (ID) of the network namespace that will be used for the container. If a network namespace is specified no other parameter must be specified. | |
99 | 128 | |
100 | 129 | ### Example |
101 | 130 | |
110 | 139 | "a.com", |
111 | 140 | "b.com" |
112 | 141 | ], |
113 | "networkSharedContainerName": "containerName" | |
142 | "networkSharedContainerName": "containerName", | |
143 | "networkNamespace": "168f3daf-efc6-4377-b20a-2c86764ba892" | |
114 | 144 | } |
115 | 145 | } |
116 | 146 | ``` |
26 | 26 | ## <a name="configRoot" />Root |
27 | 27 | |
28 | 28 | **`root`** (object, OPTIONAL) specifies the container's root filesystem. |
29 | On Windows, for Windows Server Containers, this field is REQUIRED. | |
30 | For [Hyper-V Containers](config-windows.md#hyperv), this field MUST NOT be set. | |
31 | ||
32 | On all other platforms, this field is REQUIRED. | |
29 | On Windows, for Windows Server Containers, this field is REQUIRED. | |
30 | For [Hyper-V Containers](config-windows.md#hyperv), this field MUST NOT be set. | |
31 | ||
32 | On all other platforms, this field is REQUIRED. | |
33 | 33 | |
34 | 34 | * **`path`** (string, REQUIRED) Specifies the path to the root filesystem for the container. |
35 | 35 | |
72 | 72 | This value MUST be an absolute path. |
73 | 73 | * Windows: one mount destination MUST NOT be nested within another mount (e.g., c:\\foo and c:\\foo\\bar). |
74 | 74 | * Solaris: corresponds to "dir" of the fs resource in [zonecfg(1M)][zonecfg.1m]. |
75 | * **`source`** (string, OPTIONAL) A device name, but can also be a directory name or a dummy. | |
76 | Path values are either absolute or relative to the bundle. | |
75 | * **`source`** (string, OPTIONAL) A device name, but can also be a file or directory name for bind mounts or a dummy. | |
76 | Path values for bind mounts are either absolute or relative to the bundle. | |
77 | A mount is a bind mount if it has either `bind` or `rbind` in the options. | |
77 | 78 | * Windows: a local directory on the filesystem of the container host. UNC paths and mapped drives are not supported. |
78 | 79 | * Solaris: corresponds to "special" of the fs resource in [zonecfg(1M)][zonecfg.1m]. |
79 | 80 | * **`options`** (array of strings, OPTIONAL) Mount options of the filesystem to be used. |
99 | 100 | For POSIX platforms the `mounts` structure has the following fields: |
100 | 101 | |
101 | 102 | * **`type`** (string, OPTIONAL) The type of the filesystem to be mounted. |
102 | * Linux: filesystem types supported by the kernel as listed in */proc/filesystems* (e.g., "minix", "ext2", "ext3", "jfs", "xfs", "reiserfs", "msdos", "proc", "nfs", "iso9660"). | |
103 | * Linux: filesystem types supported by the kernel as listed in */proc/filesystems* (e.g., "minix", "ext2", "ext3", "jfs", "xfs", "reiserfs", "msdos", "proc", "nfs", "iso9660"). For bind mounts (when `options` include either `bind` or `rbind`), the type is a dummy, often "none" (not listed in */proc/filesystems*). | |
103 | 104 | * Solaris: corresponds to "type" of the fs resource in [zonecfg(1M)][zonecfg.1m]. |
104 | 105 | |
105 | 106 | ### Example (Linux) |
114 | 115 | }, |
115 | 116 | { |
116 | 117 | "destination": "/data", |
117 | "type": "bind", | |
118 | "type": "none", | |
118 | 119 | "source": "/volumes/testing", |
119 | 120 | "options": ["rbind","rw"] |
120 | 121 | } |
348 | 349 | This MUST be set if the target platform of this spec is `windows`. |
349 | 350 | * **`solaris`** (object, OPTIONAL) [Solaris-specific configuration](config-solaris.md). |
350 | 351 | This MAY be set if the target platform of this spec is `solaris`. |
352 | * **`vm`** (object, OPTIONAL) [Virtual-machine-specific configuration](config-vm.md). | |
353 | This MAY be set if the target platform and architecture of this spec support hardware virtualization. | |
351 | 354 | |
352 | 355 | ### Example (Linux) |
353 | 356 | |
372 | 375 | Entries in the array contain the following properties: |
373 | 376 | * **`path`** (string, REQUIRED) with similar semantics to [IEEE Std 1003.1-2008 `execv`'s *path*][ieee-1003.1-2008-functions-exec]. |
374 | 377 | This specification extends the IEEE standard in that **`path`** MUST be absolute. |
378 | Runtimes MUST resolve this value in the [runtime namespace](glossary.md#runtime-namespace). | |
375 | 379 | * **`args`** (array of strings, OPTIONAL) with the same semantics as [IEEE Std 1003.1-2008 `execv`'s *argv*][ieee-1003.1-2008-functions-exec]. |
376 | 380 | * **`env`** (array of strings, OPTIONAL) with the same semantics as [IEEE Std 1003.1-2008's `environ`][ieee-1003.1-2008-xbd-c8.1]. |
377 | 381 | * **`timeout`** (int, OPTIONAL) is the number of seconds before aborting the hook. |
383 | 387 | |
384 | 388 | Hooks allow users to specify programs to run before or after various lifecycle events. |
385 | 389 | Hooks MUST be called in the listed order. |
390 | Hooks MUST be executed in the [runtime namespace](glossary.md#runtime-namespace). | |
386 | 391 | The [state](runtime.md#state) of the container MUST be passed to hooks over stdin so that they may do work appropriate to the current state of the container. |
387 | 392 | |
388 | 393 | ### <a name="configHooksPrestart" />Prestart |
663 | 668 | ], |
664 | 669 | "uidMappings": [ |
665 | 670 | { |
671 | "containerID": 0, | |
666 | 672 | "hostID": 1000, |
673 | "size": 32000 | |
674 | } | |
675 | ], | |
676 | "gidMappings": [ | |
677 | { | |
667 | 678 | "containerID": 0, |
668 | "size": 32000 | |
669 | } | |
670 | ], | |
671 | "gidMappings": [ | |
672 | { | |
673 | 679 | "hostID": 1000, |
674 | "containerID": 0, | |
675 | 680 | "size": 32000 |
676 | 681 | } |
677 | 682 | ], |
850 | 855 | [capabilities.7]: http://man7.org/linux/man-pages/man7/capabilities.7.html |
851 | 856 | [mount.2]: http://man7.org/linux/man-pages/man2/mount.2.html |
852 | 857 | [mount.8]: http://man7.org/linux/man-pages/man8/mount.8.html |
853 | [mount.8-filesystem-independent]: http://man7.org/linux/man-pages/man8/mount.8.html#FILESYSTEM-INDEPENDENT_MOUNT%20OPTIONS | |
854 | [mount.8-filesystem-specific]: http://man7.org/linux/man-pages/man8/mount.8.html#FILESYSTEM-SPECIFIC_MOUNT%20OPTIONS | |
858 | [mount.8-filesystem-independent]: http://man7.org/linux/man-pages/man8/mount.8.html#FILESYSTEM-INDEPENDENT_MOUNT_OPTIONS | |
859 | [mount.8-filesystem-specific]: http://man7.org/linux/man-pages/man8/mount.8.html#FILESYSTEM-SPECIFIC_MOUNT_OPTIONS | |
855 | 860 | [getrlimit.2]: http://man7.org/linux/man-pages/man2/getrlimit.2.html |
856 | 861 | [getrlimit.3]: http://pubs.opengroup.org/onlinepubs/9699919799/functions/getrlimit.html |
857 | 862 | [stdin.3]: http://man7.org/linux/man-pages/man3/stdin.3.html |
31 | 31 | |
32 | 32 | On Linux, the namespaces from which new [container namespaces](#container-namespace) are [created](config-linux.md#namespaces) and from which some configured resources are accessed. |
33 | 33 | |
34 | [JSON]: https://tools.ietf.org/html/rfc7159 | |
34 | [JSON]: https://tools.ietf.org/html/rfc8259 | |
35 | 35 | [UTF-8]: http://www.unicode.org/versions/Unicode8.0.0/ch03.pdf |
36 | 36 | |
37 | 37 | [namespaces.7]: http://man7.org/linux/man-pages/man7/namespaces.7.html |
12 | 12 | |
13 | 13 | * [hyperhq/runv][runv] - Hypervisor-based runtime for OCI |
14 | 14 | * [clearcontainers/runtime][cc-runtime] - Hypervisor-based OCI runtime utilising [virtcontainers][virtcontainers] by Intel®. |
15 | * [google/gvisor][gvisor] - gVisor is a user-space kernel, contains runsc to run sandboxed containers. | |
16 | * [kata-containers/runtime][kata-runtime] - Hypervisor-based OCI runtime combining technology from [clearcontainers/runtime][cc-runtime] and [hyperhq/runv][runv]. | |
15 | 17 | |
16 | 18 | ## <a name="implementationsTestingTools" />Testing & Tools |
17 | 19 | |
23 | 25 | [runc]: https://github.com/opencontainers/runc |
24 | 26 | [runv]: https://github.com/hyperhq/runv |
25 | 27 | [cc-runtime]: https://github.com/clearcontainers/runtime |
28 | [kata-runtime]: https://github.com/kata-containers/runtime | |
26 | 29 | [virtcontainers]: https://github.com/containers/virtcontainers |
27 | 30 | [octool]: https://github.com/kunalkushwaha/octool |
28 | 31 | [oct]: https://github.com/huawei-openlab/oct |
30 | 33 | [bwrap-oci]: https://github.com/projectatomic/bwrap-oci |
31 | 34 | [bubblewrap]: https://github.com/projectatomic/bubblewrap |
32 | 35 | [crun]: https://github.com/giuseppe/crun |
36 | [gvisor]: https://github.com/google/gvisor |
20 | 20 | END:VTIMEZONE |
21 | 21 | BEGIN:VEVENT |
22 | 22 | UID:tdc-meeting@opencontainers.org |
23 | DTSTAMP:20170821T200000Z | |
23 | DTSTAMP:20180628T170000Z | |
24 | 24 | DTSTART;TZID=America/Los_Angeles:20170906T140000 |
25 | 25 | RRULE:FREQ=MONTHLY;INTERVAL=1;BYDAY=1WE |
26 | RDATE;TZID=America/Los_Angeles:20180110T140000 | |
27 | EXDATE;TZIP=America/Los_Angeles:20180103T140000 | |
28 | RDATE;TZID=America/Los_Angeles:20180711T140000 | |
29 | EXDATE;TZIP=America/Los_Angeles:20180704T140000 | |
26 | 30 | DURATION:PT1H |
27 | 31 | SUMMARY:OCI TDC Meeting |
28 | 32 | DESCRIPTION;ALTREP="https://github.com/opencontainers/runtime-spec# |
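Review bot: Both added `EXDATE` lines (new lines 27 and 29) use the parameter name `TZIP` instead of `TZID`, which is not an iCalendar parameter, so conforming parsers may not apply the time zone to the exclusion dates and can leave the cancelled 3 January and 4 July occurrences on the calendar. Change both to `EXDATE;TZID=America/Los_Angeles:20180103T140000` and `EXDATE;TZID=America/Los_Angeles:20180704T140000`, matching the `RDATE` lines directly above them.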
136 | 136 | |
137 | 137 | ## <a name="runtimeHooks" />Hooks |
138 | 138 | Many of the operations specified in this specification have "hooks" that allow for additional actions to be taken before or after each operation. |
139 | See [runtime configuration for hooks](./config.md#hooks) for more information. | |
139 | See [runtime configuration for hooks](./config.md#posix-platform-hooks) for more information. |
35 | 35 | for FILE in $$(ls "test/$${TYPE}/bad"); \ |
36 | 36 | do \ |
37 | 37 | echo " testing test/$${TYPE}/bad/$${FILE}"; \ |
38 | if ./validate "$${TYPE}-schema.json" "test/$${TYPE}/good/$${FILE}" ; \ | |
38 | if ./validate "$${TYPE}-schema.json" "test/$${TYPE}/bad/$${FILE}" ; \ | |
39 | 39 | then \ |
40 | 40 | echo " received unexpected validation success" ; \ |
41 | 41 | exit 1; \ |
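Review bot: The corrected `bad` loop still passes silently when `test/$${TYPE}/bad` is empty or does not exist, because `$$(ls …)` then expands to nothing and the `exit 1` inside the loop is never reached, so a missing or mis-named fixture directory reads as a successful negative test. Iterating a glob instead, `for FILE in test/$${TYPE}/bad/*; do`, together with a check that the glob matched at least one file, would catch that and also avoids word-splitting on file names; the `good` loop presumably has the same shape and would benefit from the same change. The enclosing recipe starts and ends outside the hunk.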
12 | 12 | * [state-schema.json](state-schema.json) - the primary entrypoint for the [state JSON](../runtime.md#state) schema |
13 | 13 | * [defs.json](defs.json) - definitions for general types |
14 | 14 | * [defs-linux.json](defs-linux.json) - definitions for Linux-specific types |
15 | * [defs-windows.json](defs-windows.json) - definitions for Windows-specific types | |
15 | 16 | * [validate.go](validate.go) - validation utility source code |
16 | 17 | |
17 | 18 |
0 | 0 | { |
1 | 1 | "linux": { |
2 | 2 | "description": "Linux platform-specific configurations", |
3 | "id": "https://opencontainers.org/schema/bundle/linux", | |
4 | 3 | "type": "object", |
5 | 4 | "properties": { |
6 | 5 | "devices": { |
7 | "id": "https://opencontainers.org/schema/bundle/linux/devices", | |
8 | 6 | "type": "array", |
9 | 7 | "items": { |
10 | 8 | "$ref": "defs-linux.json#/definitions/Device" |
11 | 9 | } |
12 | 10 | }, |
13 | 11 | "uidMappings": { |
14 | "id": "https://opencontainers.org/schema/bundle/linux/uidMappings", | |
15 | 12 | "type": "array", |
16 | 13 | "items": { |
17 | 14 | "$ref": "defs.json#/definitions/IDMapping" |
18 | 15 | } |
19 | 16 | }, |
20 | 17 | "gidMappings": { |
21 | "id": "https://opencontainers.org/schema/bundle/linux/gidMappings", | |
22 | 18 | "type": "array", |
23 | 19 | "items": { |
24 | 20 | "$ref": "defs.json#/definitions/IDMapping" |
25 | 21 | } |
26 | 22 | }, |
27 | 23 | "namespaces": { |
28 | "id": "https://opencontainers.org/schema/bundle/linux/namespaces", | |
29 | 24 | "type": "array", |
30 | 25 | "items": { |
31 | 26 | "anyOf": [ |
36 | 31 | } |
37 | 32 | }, |
38 | 33 | "resources": { |
39 | "id": "https://opencontainers.org/schema/bundle/linux/resources", | |
40 | 34 | "type": "object", |
41 | 35 | "properties": { |
42 | 36 | "devices": { |
43 | "id": "https://opencontainers.org/schema/bundle/linux/resources/devices", | |
44 | 37 | "type": "array", |
45 | 38 | "items": { |
46 | 39 | "$ref": "defs-linux.json#/definitions/DeviceCgroup" |
47 | 40 | } |
48 | 41 | }, |
49 | 42 | "pids": { |
50 | "id": "https://opencontainers.org/schema/bundle/linux/resources/pids", | |
51 | 43 | "type": "object", |
52 | 44 | "properties": { |
53 | 45 | "limit": { |
54 | "id": "https://opencontainers.org/schema/bundle/linux/resources/pids/limit", | |
55 | 46 | "$ref": "defs.json#/definitions/int64" |
56 | 47 | } |
57 | 48 | }, |
60 | 51 | ] |
61 | 52 | }, |
62 | 53 | "blockIO": { |
63 | "id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO", | |
64 | 54 | "type": "object", |
65 | 55 | "properties": { |
66 | 56 | "weight": { |
67 | "id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO/weight", | |
68 | 57 | "$ref": "defs-linux.json#/definitions/weight" |
69 | 58 | }, |
70 | 59 | "leafWeight": { |
71 | "id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO/leafWeight", | |
72 | 60 | "$ref": "defs-linux.json#/definitions/weight" |
73 | 61 | }, |
74 | 62 | "throttleReadBpsDevice": { |
75 | "id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO/throttleReadBpsDevice", | |
76 | 63 | "type": "array", |
77 | 64 | "items": { |
78 | 65 | "$ref": "defs-linux.json#/definitions/blockIODeviceThrottle" |
79 | 66 | } |
80 | 67 | }, |
81 | 68 | "throttleWriteBpsDevice": { |
82 | "id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO/throttleWriteBpsDevice", | |
83 | 69 | "type": "array", |
84 | 70 | "items": { |
85 | 71 | "$ref": "defs-linux.json#/definitions/blockIODeviceThrottle" |
86 | 72 | } |
87 | 73 | }, |
88 | 74 | "throttleReadIOPSDevice": { |
89 | "id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO/throttleReadIOPSDevice", | |
90 | 75 | "type": "array", |
91 | 76 | "items": { |
92 | 77 | "$ref": "defs-linux.json#/definitions/blockIODeviceThrottle" |
93 | 78 | } |
94 | 79 | }, |
95 | 80 | "throttleWriteIOPSDevice": { |
96 | "id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO/throttleWriteIOPSDevice", | |
97 | 81 | "type": "array", |
98 | 82 | "items": { |
99 | 83 | "$ref": "defs-linux.json#/definitions/blockIODeviceThrottle" |
100 | 84 | } |
101 | 85 | }, |
102 | 86 | "weightDevice": { |
103 | "id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO/weightDevice", | |
104 | 87 | "type": "array", |
105 | 88 | "items": { |
106 | 89 | "$ref": "defs-linux.json#/definitions/blockIODeviceWeight" |
109 | 92 | } |
110 | 93 | }, |
111 | 94 | "cpu": { |
112 | "id": "https://opencontainers.org/schema/bundle/linux/resources/cpu", | |
113 | 95 | "type": "object", |
114 | 96 | "properties": { |
115 | 97 | "cpus": { |
116 | "id": "https://opencontainers.org/schema/bundle/linux/resources/cpu/cpus", | |
117 | 98 | "type": "string" |
118 | 99 | }, |
119 | 100 | "mems": { |
120 | "id": "https://opencontainers.org/schema/bundle/linux/resources/cpu/mems", | |
121 | 101 | "type": "string" |
122 | 102 | }, |
123 | 103 | "period": { |
124 | "id": "https://opencontainers.org/schema/bundle/linux/resources/cpu/period", | |
125 | 104 | "$ref": "defs.json#/definitions/uint64" |
126 | 105 | }, |
127 | 106 | "quota": { |
128 | "id": "https://opencontainers.org/schema/bundle/linux/resources/cpu/quota", | |
129 | 107 | "$ref": "defs.json#/definitions/int64" |
130 | 108 | }, |
131 | 109 | "realtimePeriod": { |
132 | "id": "https://opencontainers.org/schema/bundle/linux/resources/cpu/realtimePeriod", | |
133 | 110 | "$ref": "defs.json#/definitions/uint64" |
134 | 111 | }, |
135 | 112 | "realtimeRuntime": { |
136 | "id": "https://opencontainers.org/schema/bundle/linux/resources/cpu/realtimeRuntime", | |
137 | 113 | "$ref": "defs.json#/definitions/int64" |
138 | 114 | }, |
139 | 115 | "shares": { |
140 | "id": "https://opencontainers.org/schema/bundle/linux/resources/cpu/shares", | |
141 | 116 | "$ref": "defs.json#/definitions/uint64" |
142 | 117 | } |
143 | 118 | } |
144 | 119 | }, |
145 | 120 | "hugepageLimits": { |
146 | "id": "https://opencontainers.org/schema/bundle/linux/resources/hugepageLimits", | |
147 | 121 | "type": "array", |
148 | 122 | "items": { |
149 | 123 | "type": "object", |
162 | 136 | } |
163 | 137 | }, |
164 | 138 | "memory": { |
165 | "id": "https://opencontainers.org/schema/bundle/linux/resources/memory", | |
166 | 139 | "type": "object", |
167 | 140 | "properties": { |
168 | 141 | "kernel": { |
169 | "id": "https://opencontainers.org/schema/bundle/linux/resources/memory/kernel", | |
170 | 142 | "$ref": "defs.json#/definitions/int64" |
171 | 143 | }, |
172 | 144 | "kernelTCP": { |
173 | "id": "https://opencontainers.org/schema/bundle/linux/resources/memory/kernelTCP", | |
174 | 145 | "$ref": "defs.json#/definitions/int64" |
175 | 146 | }, |
176 | 147 | "limit": { |
177 | "id": "https://opencontainers.org/schema/bundle/linux/resources/memory/limit", | |
178 | 148 | "$ref": "defs.json#/definitions/int64" |
179 | 149 | }, |
180 | 150 | "reservation": { |
181 | "id": "https://opencontainers.org/schema/bundle/linux/resources/memory/reservation", | |
182 | 151 | "$ref": "defs.json#/definitions/int64" |
183 | 152 | }, |
184 | 153 | "swap": { |
185 | "id": "https://opencontainers.org/schema/bundle/linux/resources/memory/swap", | |
186 | 154 | "$ref": "defs.json#/definitions/int64" |
187 | 155 | }, |
188 | 156 | "swappiness": { |
189 | "id": "https://opencontainers.org/schema/bundle/linux/resources/memory/swappiness", | |
190 | 157 | "$ref": "defs.json#/definitions/uint64" |
191 | 158 | }, |
192 | 159 | "disableOOMKiller": { |
193 | "id": "https://opencontainers.org/schema/bundle/linux/resources/memory/disableOOMKiller", | |
194 | 160 | "type": "boolean" |
195 | 161 | } |
196 | 162 | } |
197 | 163 | }, |
198 | 164 | "network": { |
199 | "id": "https://opencontainers.org/schema/bundle/linux/resources/network", | |
200 | 165 | "type": "object", |
201 | 166 | "properties": { |
202 | 167 | "classID": { |
203 | "id": "https://opencontainers.org/schema/bundle/linux/resources/network/classId", | |
204 | 168 | "$ref": "defs.json#/definitions/uint32" |
205 | 169 | }, |
206 | 170 | "priorities": { |
207 | "id": "https://opencontainers.org/schema/bundle/linux/resources/network/priorities", | |
208 | 171 | "type": "array", |
209 | 172 | "items": { |
210 | 173 | "$ref": "defs-linux.json#/definitions/NetworkInterfacePriority" |
211 | 174 | } |
212 | 175 | } |
213 | 176 | } |
177 | }, | |
178 | "rdma": { | |
179 | "type": "object", | |
180 | "additionalProperties": { | |
181 | "$ref": "defs-linux.json#/definitions/Rdma" | |
182 | } | |
214 | 183 | } |
215 | 184 | } |
216 | 185 | }, |
217 | 186 | "cgroupsPath": { |
218 | "id": "https://opencontainers.org/schema/bundle/linux/cgroupsPath", | |
219 | 187 | "type": "string" |
220 | 188 | }, |
221 | 189 | "rootfsPropagation": { |
222 | "id": "https://opencontainers.org/schema/bundle/linux/rootfsPropagation", | |
223 | 190 | "$ref": "defs-linux.json#/definitions/RootfsPropagation" |
224 | 191 | }, |
225 | 192 | "seccomp": { |
226 | "id": "https://opencontainers.org/schema/bundle/linux/seccomp", | |
227 | 193 | "type": "object", |
228 | 194 | "properties": { |
229 | 195 | "defaultAction": { |
230 | "id": "https://opencontainers.org/schema/bundle/linux/seccomp/defaultAction", | |
231 | "type": "string" | |
196 | "$ref": "defs-linux.json#/definitions/SeccompAction" | |
232 | 197 | }, |
233 | 198 | "architectures": { |
234 | "id": "https://opencontainers.org/schema/bundle/linux/seccomp/architectures", | |
235 | 199 | "type": "array", |
236 | 200 | "items": { |
237 | 201 | "$ref": "defs-linux.json#/definitions/SeccompArch" |
238 | 202 | } |
239 | 203 | }, |
240 | 204 | "syscalls": { |
241 | "id": "https://opencontainers.org/schema/bundle/linux/seccomp/syscalls", | |
242 | 205 | "type": "array", |
243 | 206 | "items": { |
244 | 207 | "$ref": "defs-linux.json#/definitions/Syscall" |
250 | 213 | ] |
251 | 214 | }, |
252 | 215 | "sysctl": { |
253 | "id": "https://opencontainers.org/schema/bundle/linux/sysctl", | |
254 | 216 | "$ref": "defs.json#/definitions/mapStringString" |
255 | 217 | }, |
256 | 218 | "maskedPaths": { |
257 | "id": "https://opencontainers.org/schema/bundle/linux/maskedPaths", | |
258 | 219 | "$ref": "defs.json#/definitions/ArrayOfStrings" |
259 | 220 | }, |
260 | 221 | "readonlyPaths": { |
261 | "id": "https://opencontainers.org/schema/bundle/linux/readonlyPaths", | |
262 | 222 | "$ref": "defs.json#/definitions/ArrayOfStrings" |
263 | 223 | }, |
264 | 224 | "mountLabel": { |
265 | "id": "https://opencontainers.org/schema/bundle/linux/mountLabel", | |
266 | 225 | "type": "string" |
267 | 226 | }, |
268 | 227 | "intelRdt": { |
269 | "id": "https://opencontainers.org/schema/bundle/linux/intelRdt", | |
270 | 228 | "type": "object", |
271 | 229 | "properties": { |
230 | "closID": { | |
231 | "type": "string" | |
232 | }, | |
272 | 233 | "l3CacheSchema": { |
273 | "id": "https://opencontainers.org/schema/bundle/linux/intelRdt/l3CacheSchema", | |
274 | 234 | "type": "string" |
235 | }, | |
236 | "memBwSchema": { | |
237 | "type": "string", | |
238 | "pattern": "^MB:[^\\n]*$" | |
275 | 239 | } |
276 | 240 | } |
277 | 241 | } |
0 | 0 | { |
1 | 1 | "description": "Open Container Initiative Runtime Specification Container Configuration Schema", |
2 | 2 | "$schema": "http://json-schema.org/draft-04/schema#", |
3 | "id": "https://opencontainers.org/schema/bundle", | |
4 | 3 | "type": "object", |
5 | 4 | "properties": { |
6 | 5 | "ociVersion": { |
7 | "id": "https://opencontainers.org/schema/bundle/ociVersion", | |
8 | 6 | "$ref": "defs.json#/definitions/ociVersion" |
9 | 7 | }, |
10 | 8 | "hooks": { |
11 | "id": "https://opencontainers.org/schema/bundle/hooks", | |
12 | 9 | "type": "object", |
13 | 10 | "properties": { |
14 | 11 | "prestart": { |
26 | 23 | "$ref": "defs.json#/definitions/annotations" |
27 | 24 | }, |
28 | 25 | "hostname": { |
29 | "id": "https://opencontainers.org/schema/bundle/hostname", | |
30 | 26 | "type": "string" |
31 | 27 | }, |
32 | 28 | "mounts": { |
33 | "id": "https://opencontainers.org/schema/bundle/mounts", | |
34 | 29 | "type": "array", |
35 | 30 | "items": { |
36 | 31 | "$ref": "defs.json#/definitions/Mount" |
38 | 33 | }, |
39 | 34 | "root": { |
40 | 35 | "description": "Configures the container's root filesystem.", |
41 | "id": "https://opencontainers.org/schema/bundle/root", | |
42 | 36 | "type": "object", |
43 | 37 | "required": [ |
44 | 38 | "path" |
45 | 39 | ], |
46 | 40 | "properties": { |
47 | 41 | "path": { |
48 | "id": "https://opencontainers.org/schema/bundle/root/path", | |
49 | 42 | "$ref": "defs.json#/definitions/FilePath" |
50 | 43 | }, |
51 | 44 | "readonly": { |
52 | "id": "https://opencontainers.org/schema/bundle/root/readonly", | |
53 | 45 | "type": "boolean" |
54 | 46 | } |
55 | 47 | } |
56 | 48 | }, |
57 | 49 | "process": { |
58 | "id": "https://opencontainers.org/schema/bundle/process", | |
59 | 50 | "type": "object", |
60 | 51 | "required": [ |
61 | 52 | "cwd", |
63 | 54 | ], |
64 | 55 | "properties": { |
65 | 56 | "args": { |
66 | "id": "https://opencontainers.org/schema/bundle/process/args", | |
67 | 57 | "$ref": "defs.json#/definitions/ArrayOfStrings" |
68 | 58 | }, |
69 | 59 | "consoleSize": { |
70 | "id": "https://opencontainers.org/schema/bundle/process/consoleSize", | |
71 | 60 | "type": "object", |
72 | 61 | "required": [ |
73 | 62 | "height", |
75 | 64 | ], |
76 | 65 | "properties": { |
77 | 66 | "height": { |
78 | "id": "https://opencontainers.org/schema/bundle/process/consoleSize/height", | |
79 | 67 | "$ref": "defs.json#/definitions/uint64" |
80 | 68 | }, |
81 | 69 | "width": { |
82 | "id": "https://opencontainers.org/schema/bundle/process/consoleSize/width", | |
83 | 70 | "$ref": "defs.json#/definitions/uint64" |
84 | 71 | } |
85 | 72 | } |
86 | 73 | }, |
87 | 74 | "cwd": { |
88 | "id": "https://opencontainers.org/schema/bundle/process/cwd", | |
89 | 75 | "type": "string" |
90 | 76 | }, |
91 | 77 | "env": { |
92 | "id": "https://opencontainers.org/schema/bundle/process/env", | |
93 | 78 | "$ref": "defs.json#/definitions/Env" |
94 | 79 | }, |
95 | 80 | "terminal": { |
96 | "id": "https://opencontainers.org/schema/bundle/process/terminal", | |
97 | 81 | "type": "boolean" |
98 | 82 | }, |
99 | 83 | "user": { |
100 | "id": "https://opencontainers.org/schema/bundle/process/user", | |
101 | 84 | "type": "object", |
102 | 85 | "properties": { |
103 | 86 | "uid": { |
104 | "id": "https://opencontainers.org/schema/bundle/process/user/uid", | |
105 | 87 | "$ref": "defs.json#/definitions/UID" |
106 | 88 | }, |
107 | 89 | "gid": { |
108 | "id": "https://opencontainers.org/schema/bundle/process/user/gid", | |
109 | 90 | "$ref": "defs.json#/definitions/GID" |
110 | 91 | }, |
111 | 92 | "additionalGids": { |
112 | "id": "https://opencontainers.org/schema/bundle/process/user/additionalGids", | |
113 | 93 | "$ref": "defs.json#/definitions/ArrayOfGIDs" |
114 | 94 | }, |
115 | 95 | "username": { |
116 | "id": "https://opencontainers.org/schema/bundle/process/user/username", | |
117 | 96 | "type": "string" |
118 | 97 | } |
119 | 98 | } |
120 | 99 | }, |
121 | 100 | "capabilities": { |
122 | "id": "https://opencontainers.org/schema/bundle/process/linux/capabilities", | |
123 | 101 | "type": "object", |
124 | 102 | "properties": { |
125 | 103 | "bounding": { |
126 | "id": "https://opencontainers.org/schema/bundle/process/linux/capabilities/bounding", | |
127 | 104 | "$ref": "defs.json#/definitions/ArrayOfStrings" |
128 | 105 | }, |
129 | 106 | "permitted": { |
130 | "id": "https://opencontainers.org/schema/bundle/process/linux/capabilities/permitted", | |
131 | 107 | "$ref": "defs.json#/definitions/ArrayOfStrings" |
132 | 108 | }, |
133 | 109 | "effective": { |
134 | "id": "https://opencontainers.org/schema/bundle/process/linux/capabilities/effective", | |
135 | 110 | "$ref": "defs.json#/definitions/ArrayOfStrings" |
136 | 111 | }, |
137 | 112 | "inheritable": { |
138 | "id": "https://opencontainers.org/schema/bundle/process/linux/capabilities/inheritable", | |
139 | 113 | "$ref": "defs.json#/definitions/ArrayOfStrings" |
140 | 114 | }, |
141 | 115 | "ambient": { |
142 | "id": "https://opencontainers.org/schema/bundle/process/linux/capabilities/ambient", | |
143 | 116 | "$ref": "defs.json#/definitions/ArrayOfStrings" |
144 | 117 | } |
145 | 118 | } |
146 | 119 | }, |
147 | 120 | "apparmorProfile": { |
148 | "id": "https://opencontainers.org/schema/bundle/process/linux/apparmorProfile", | |
149 | 121 | "type": "string" |
150 | 122 | }, |
151 | 123 | "oomScoreAdj": { |
152 | "id": "https://opencontainers.org/schema/bundle/process/linux/oomScoreAdj", | |
153 | 124 | "type": "integer" |
154 | 125 | }, |
155 | 126 | "selinuxLabel": { |
156 | "id": "https://opencontainers.org/schema/bundle/process/linux/selinuxLabel", | |
157 | 127 | "type": "string" |
158 | 128 | }, |
159 | 129 | "noNewPrivileges": { |
160 | "id": "https://opencontainers.org/schema/bundle/process/linux/noNewPrivileges", | |
161 | 130 | "type": "boolean" |
162 | 131 | }, |
163 | 132 | "rlimits": { |
164 | "id": "https://opencontainers.org/schema/bundle/linux/rlimits", | |
165 | 133 | "type": "array", |
166 | 134 | "items": { |
167 | "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0", | |
168 | 135 | "type": "object", |
169 | 136 | "required": [ |
170 | 137 | "type", |
173 | 140 | ], |
174 | 141 | "properties": { |
175 | 142 | "hard": { |
176 | "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0/hard", | |
177 | 143 | "$ref": "defs.json#/definitions/uint64" |
178 | 144 | }, |
179 | 145 | "soft": { |
180 | "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0/soft", | |
181 | 146 | "$ref": "defs.json#/definitions/uint64" |
182 | 147 | }, |
183 | 148 | "type": { |
184 | "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0/type", | |
185 | 149 | "type": "string", |
186 | 150 | "pattern": "^RLIMIT_[A-Z]+$" |
187 | 151 | } |
198 | 162 | }, |
199 | 163 | "windows": { |
200 | 164 | "$ref": "config-windows.json#/windows" |
165 | }, | |
166 | "vm": { | |
167 | "$ref": "config-vm.json#/vm" | |
201 | 168 | } |
202 | 169 | }, |
203 | 170 | "required": [ |
0 | 0 | { |
1 | 1 | "solaris": { |
2 | 2 | "description": "Solaris platform-specific configurations", |
3 | "id": "https://opencontainers.org/schema/bundle/solaris", | |
4 | 3 | "type": "object", |
5 | 4 | "properties": { |
6 | 5 | "milestone": { |
7 | "id": "https://opencontainers.org/schema/bundle/solaris/milestone", | |
8 | 6 | "type": "string" |
9 | 7 | }, |
10 | 8 | "limitpriv": { |
11 | "id": "https://opencontainers.org/schema/bundle/solaris/limitpriv", | |
12 | 9 | "type": "string" |
13 | 10 | }, |
14 | 11 | "maxShmMemory": { |
15 | "id": "https://opencontainers.org/schema/bundle/solaris/maxShmMemory", | |
16 | 12 | "type": "string" |
17 | 13 | }, |
18 | 14 | "cappedCPU": { |
19 | "id": "https://opencontainers.org/schema/bundle/solaris/cappedCPU", | |
20 | 15 | "type": "object", |
21 | 16 | "properties": { |
22 | 17 | "ncpus": { |
23 | "id": "https://opencontainers.org/schema/bundle/solaris/cappedCPU/ncpus", | |
24 | 18 | "type": "string" |
25 | 19 | } |
26 | 20 | } |
27 | 21 | }, |
28 | 22 | "cappedMemory": { |
29 | "id": "https://opencontainers.org/schema/bundle/solaris/cappedMemory", | |
30 | 23 | "type": "object", |
31 | 24 | "properties": { |
32 | 25 | "physical": { |
33 | "id": "https://opencontainers.org/schema/bundle/solaris/cappedMemory/physical", | |
34 | 26 | "type": "string" |
35 | 27 | }, |
36 | 28 | "swap": { |
37 | "id": "https://opencontainers.org/schema/bundle/solaris/cappedMemory/swap", | |
38 | 29 | "type": "string" |
39 | 30 | } |
40 | 31 | } |
41 | 32 | }, |
42 | 33 | "anet": { |
43 | "id": "https://opencontainers.org/schema/bundle/solaris/anet", | |
44 | 34 | "type": "array", |
45 | 35 | "items": { |
46 | 36 | "type": "object", |
0 | { | |
1 | "vm": { | |
2 | "description": "configuration for virtual-machine-based containers", | |
3 | "type": "object", | |
4 | "required": [ | |
5 | "kernel" | |
6 | ], | |
7 | "properties": { | |
8 | "hypervisor": { | |
9 | "description": "hypervisor config used by VM-based containers", | |
10 | "type": "object", | |
11 | "required": [ | |
12 | "path" | |
13 | ], | |
14 | "properties": { | |
15 | "path": { | |
16 | "$ref": "defs.json#/definitions/FilePath" | |
17 | }, | |
18 | "parameters": { | |
19 | "$ref": "defs.json#/definitions/ArrayOfStrings" | |
20 | } | |
21 | } | |
22 | }, | |
23 | "kernel": { | |
24 | "description": "kernel config used by VM-based containers", | |
25 | "type": "object", | |
26 | "required": [ | |
27 | "path" | |
28 | ], | |
29 | "properties": { | |
30 | "path": { | |
31 | "$ref": "defs.json#/definitions/FilePath" | |
32 | }, | |
33 | "parameters": { | |
34 | "$ref": "defs.json#/definitions/ArrayOfStrings" | |
35 | }, | |
36 | "initrd": { | |
37 | "$ref": "defs.json#/definitions/FilePath" | |
38 | } | |
39 | } | |
40 | }, | |
41 | "image": { | |
42 | "description": "root image config used by VM-based containers", | |
43 | "type": "object", | |
44 | "required": [ | |
45 | "path", | |
46 | "format" | |
47 | ], | |
48 | "properties": { | |
49 | "path": { | |
50 | "$ref": "defs.json#/definitions/FilePath" | |
51 | }, | |
52 | "format": { | |
53 | "$ref": "defs-vm.json#/definitions/RootImageFormat" | |
54 | } | |
55 | } | |
56 | } | |
57 | } | |
58 | } | |
59 | } |
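Review bot: The `image` object is optional here, but once present its `format` must match the RootImageFormat enum, and that collides with the Go `VM` struct added in this same commit: `Hypervisor VMHypervisor `json:"hypervisor,omitempty"`` and `Image VMImage `json:"image,omitempty"`` are value-typed, and encoding/json never omits a struct value for `omitempty`, so a config marshalled from Go without an image carries `"image":{"path":"","format":""}` and fails the `format` enum in this schema. Making the two Go fields pointers (`Hypervisor *VMHypervisor` and `Image *VMImage`) keeps the JSON shape and lets `omitempty` work; the alternative is to drop `omitempty` and list `hypervisor` and `image` under `required` here so schema and struct agree. The `VM` struct sits in the config.go section below, whose end is outside this view.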
0 | 0 | { |
1 | 1 | "windows": { |
2 | 2 | "description": "Windows platform-specific configurations", |
3 | "id": "https://opencontainers.org/schema/bundle/windows", | |
4 | 3 | "type": "object", |
5 | 4 | "properties": { |
6 | 5 | "layerFolders": { |
7 | "id": "https://opencontainers.org/schema/bundle/windows/layerFolders", | |
8 | 6 | "type": "array", |
9 | 7 | "items": { |
10 | 8 | "$ref": "defs.json#/definitions/FilePath" |
11 | 9 | }, |
12 | 10 | "minItems": 1 |
13 | 11 | }, |
12 | "devices": { | |
13 | "type": "array", | |
14 | "items": { | |
15 | "$ref": "defs-windows.json#/definitions/Device" | |
16 | } | |
17 | }, | |
14 | 18 | "resources": { |
15 | "id": "https://opencontainers.org/schema/bundle/windows/resources", | |
16 | 19 | "type": "object", |
17 | 20 | "properties": { |
18 | 21 | "memory": { |
19 | "id": "https://opencontainers.org/schema/bundle/windows/resources/memory", | |
20 | 22 | "type": "object", |
21 | 23 | "properties": { |
22 | 24 | "limit": { |
23 | "id": "https://opencontainers.org/schema/bundle/windows/resources/memory/limit", | |
24 | 25 | "$ref": "defs.json#/definitions/uint64" |
25 | 26 | } |
26 | 27 | } |
27 | 28 | }, |
28 | 29 | "cpu": { |
29 | "id": "https://opencontainers.org/schema/bundle/windows/resources/cpu", | |
30 | 30 | "type": "object", |
31 | 31 | "properties": { |
32 | 32 | "count": { |
33 | "id": "https://opencontainers.org/schema/bundle/windows/resources/cpu/count", | |
34 | 33 | "$ref": "defs.json#/definitions/uint64" |
35 | 34 | }, |
36 | 35 | "shares": { |
37 | "id": "https://opencontainers.org/schema/bundle/windows/resources/cpu/shares", | |
38 | 36 | "$ref": "defs.json#/definitions/uint16" |
39 | 37 | }, |
40 | 38 | "maximum": { |
41 | "id": "https://opencontainers.org/schema/bundle/windows/resources/cpu/maximum", | |
42 | 39 | "$ref": "defs.json#/definitions/uint16" |
43 | 40 | } |
44 | 41 | } |
45 | 42 | }, |
46 | 43 | "storage": { |
47 | "id": "https://opencontainers.org/schema/bundle/windows/resources/storage", | |
48 | 44 | "type": "object", |
49 | 45 | "properties": { |
50 | 46 | "iops": { |
51 | "id": "https://opencontainers.org/schema/bundle/windows/resources/storage/iops", | |
52 | 47 | "$ref": "defs.json#/definitions/uint64" |
53 | 48 | }, |
54 | 49 | "bps": { |
55 | "id": "https://opencontainers.org/schema/bundle/windows/resources/storage/bps", | |
56 | 50 | "$ref": "defs.json#/definitions/uint64" |
57 | 51 | }, |
58 | 52 | "sandboxSize": { |
59 | "id": "https://opencontainers.org/schema/bundle/windows/resources/storage/sandboxSize", | |
60 | 53 | "$ref": "defs.json#/definitions/uint64" |
61 | 54 | } |
62 | 55 | } |
64 | 57 | } |
65 | 58 | }, |
66 | 59 | "network": { |
67 | "id": "https://opencontainers.org/schema/bundle/windows/network", | |
68 | 60 | "type": "object", |
69 | 61 | "properties": { |
70 | 62 | "endpointList": { |
71 | "id": "https://opencontainers.org/schema/bundle/windows/network/endpointList", | |
72 | 63 | "$ref": "defs.json#/definitions/ArrayOfStrings" |
73 | 64 | }, |
74 | 65 | "allowUnqualifiedDNSQuery": { |
75 | "id": "https://opencontainers.org/schema/bundle/windows/network/allowUnqualifiedDNSQuery", | |
76 | 66 | "type": "boolean" |
77 | 67 | }, |
78 | 68 | "DNSSearchList": { |
79 | "id": "https://opencontainers.org/schema/bundle/windows/network/DNSSearchList", | |
80 | 69 | "$ref": "defs.json#/definitions/ArrayOfStrings" |
81 | 70 | }, |
82 | 71 | "networkSharedContainerName": { |
83 | "id": "https://opencontainers.org/schema/bundle/windows/network/networkSharedContainerName", | |
72 | "type": "string" | |
73 | }, | |
74 | "networkNamespace": { | |
84 | 75 | "type": "string" |
85 | 76 | } |
86 | 77 | } |
87 | 78 | }, |
88 | 79 | "credentialSpec": { |
89 | "id": "https://opencontainers.org/schema/bundle/windows/credentialSpec", | |
90 | 80 | "type": "object" |
91 | 81 | }, |
92 | 82 | "servicing": { |
93 | "id": "https://opencontainers.org/schema/bundle/windows/servicing", | |
94 | 83 | "type": "boolean" |
95 | 84 | }, |
96 | 85 | "ignoreFlushesDuringBoot": { |
97 | "id": "https://opencontainers.org/schema/bundle/windows/ignoreFlushesDuringBoot", | |
98 | 86 | "type": "boolean" |
99 | 87 | }, |
100 | 88 | "hyperv": { |
101 | "id": "https://opencontainers.org/schema/bundle/windows/hyperv", | |
102 | 89 | "type": "object", |
103 | 90 | "properties": { |
104 | 91 | "utilityVMPath": { |
105 | "id": "https://opencontainers.org/schema/bundle/windows/hyperv/utilityVMPath", | |
106 | 92 | "type": "string" |
107 | 93 | } |
108 | 94 | } |
239 | 239 | "priority" |
240 | 240 | ] |
241 | 241 | }, |
242 | "Rdma": { | |
243 | "type": "object", | |
244 | "properties": { | |
245 | "hcaHandles": { | |
246 | "$ref": "defs.json#/definitions/uint32" | |
247 | }, | |
248 | "hcaObjects": { | |
249 | "$ref": "defs.json#/definitions/uint32" | |
250 | } | |
251 | } | |
252 | }, | |
242 | 253 | "NamespaceType": { |
243 | 254 | "type": "string", |
244 | 255 | "enum": [ |
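Review bot: `Rdma` and its `hcaHandles`/`hcaObjects` properties carry no `description`, so a reader of the schema cannot tell they are per-device maximum counts, while the Go `LinuxRdma` struct in the config.go section documents them as `Maximum number of HCA handles that can be opened. Default is "no limit".` and the same for objects. Adding those two sentences as `"description"` values on the two properties would keep the schema self-describing, as the `description` fields elsewhere on this page do.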
0 | { | |
1 | "definitions": { | |
2 | "RootImageFormat": { | |
3 | "type": "string", | |
4 | "enum": [ | |
5 | "raw", | |
6 | "qcow2", | |
7 | "vdi", | |
8 | "vmdk", | |
9 | "vhd" | |
10 | ] | |
11 | } | |
12 | } | |
13 | } |
0 | { | |
1 | "definitions": { | |
2 | "Device": { | |
3 | "type": "object", | |
4 | "properties": { | |
5 | "id": { | |
6 | "type": "string" | |
7 | }, | |
8 | "idType": { | |
9 | "type": "string", | |
10 | "enum": [ | |
11 | "class" | |
12 | ] | |
13 | } | |
14 | }, | |
15 | "required": [ | |
16 | "id", | |
17 | "idType" | |
18 | ] | |
19 | } | |
20 | } | |
21 | } |
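Review bot: The `idType` enum admits only `"class"`, while the `WindowsDevice` struct added in the config.go section documents the same field as `Device identifier type: "class", etc.`, so the schema and the Go comment disagree on whether other types are valid. Either the enum is the source of truth and the Go comment should read `// Device identifier type; "class" is the only value the schema currently accepts.`, or the schema should relax `idType` to a plain string with a `description`. A `description` on `id` stating that it holds an interface class GUID (as the Go comment says) would also help, since the schema currently gives no hint what the string is.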
107 | 107 | "IDMapping": { |
108 | 108 | "type": "object", |
109 | 109 | "properties": { |
110 | "hostID": { | |
110 | "containerID": { | |
111 | 111 | "$ref": "#/definitions/uint32" |
112 | 112 | }, |
113 | "containerID": { | |
113 | "hostID": { | |
114 | 114 | "$ref": "#/definitions/uint32" |
115 | 115 | }, |
116 | 116 | "size": { |
118 | 118 | } |
119 | 119 | }, |
120 | 120 | "required": [ |
121 | "containerID", | |
121 | 122 | "hostID", |
122 | "containerID", | |
123 | 123 | "size" |
124 | 124 | ] |
125 | 125 | }, |
0 | 0 | { |
1 | 1 | "description": "Open Container Runtime State Schema", |
2 | 2 | "$schema": "http://json-schema.org/draft-04/schema#", |
3 | "id": "https://opencontainers.org/schema/state", | |
4 | 3 | "type": "object", |
5 | 4 | "properties": { |
6 | 5 | "ociVersion": { |
7 | "id": "https://opencontainers.org/schema/runtime/state/ociVersion", | |
8 | 6 | "$ref": "defs.json#/definitions/ociVersion" |
9 | 7 | }, |
10 | 8 | "id": { |
11 | "id": "https://opencontainers.org/schema/runtime/state/id", | |
12 | 9 | "description": "the container's ID", |
13 | 10 | "type": "string" |
14 | 11 | }, |
15 | 12 | "status": { |
16 | "id": "https://opencontainers.org/schema/runtime/state/status", | |
17 | 13 | "type": "string", |
18 | 14 | "enum": [ |
19 | 15 | "creating", |
23 | 19 | ] |
24 | 20 | }, |
25 | 21 | "pid": { |
26 | "id": "https://opencontainers.org/schema/runtime/state/pid", | |
27 | 22 | "type": "integer", |
28 | 23 | "minimum": 0 |
29 | 24 | }, |
30 | 25 | "bundle": { |
31 | "id": "https://opencontainers.org/schema/runtime/state/bundle", | |
32 | 26 | "type": "string" |
33 | 27 | }, |
34 | 28 | "annotations": { |
0 | { | |
1 | "ociVersion": "1.0.0", | |
2 | "root": { | |
3 | "path": "rootfs" | |
4 | }, | |
5 | "linux": { | |
6 | "resources": { | |
7 | "rdma": { | |
8 | "mlx5_1": { | |
9 | "hcaHandles": "not a uint32" | |
10 | } | |
11 | } | |
12 | } | |
13 | } | |
14 | } |
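Review bot: This negative fixture only exercises a non-integer `hcaHandles`; nothing rejects a malformed `hcaObjects`, a non-object value under a device key such as `"mlx5_1": 3`, or a negative count, so a regression in either property or in the `additionalProperties` wiring of `rdma` would go unnoticed. Since each fixture file is a single assertion, one file per rejected shape is the natural way to cover these, mirroring the three device entries the sibling good fixture already uses.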
0 | { | |
1 | "ociVersion": "1.0.0", | |
2 | "root": { | |
3 | "path": "rootfs" | |
4 | }, | |
5 | "linux": { | |
6 | "resources": { | |
7 | "rdma": { | |
8 | "mlx5_1": { | |
9 | "hcaHandles": 3, | |
10 | "hcaObjects": 10000 | |
11 | }, | |
12 | "mlx4_0": { | |
13 | "hcaObjects": 1000 | |
14 | }, | |
15 | "rxe3": { | |
16 | "hcaObjects": 10000 | |
17 | } | |
18 | } | |
19 | } | |
20 | } | |
21 | } |
193 | 193 | ], |
194 | 194 | "uidMappings": [ |
195 | 195 | { |
196 | "containerID": 0, | |
196 | 197 | "hostID": 1000, |
198 | "size": 32000 | |
199 | } | |
200 | ], | |
201 | "gidMappings": [ | |
202 | { | |
197 | 203 | "containerID": 0, |
198 | "size": 32000 | |
199 | } | |
200 | ], | |
201 | "gidMappings": [ | |
202 | { | |
203 | 204 | "hostID": 1000, |
204 | "containerID": 0, | |
205 | 205 | "size": 32000 |
206 | 206 | } |
207 | 207 | ], |
15 | 15 | * `linux`: [runtime.md](runtime.md), [config.md](config.md), [config-linux.md](config-linux.md), and [runtime-linux.md](runtime-linux.md). |
16 | 16 | * `solaris`: [runtime.md](runtime.md), [config.md](config.md), and [config-solaris.md](config-solaris.md). |
17 | 17 | * `windows`: [runtime.md](runtime.md), [config.md](config.md), and [config-windows.md](config-windows.md). |
18 | * `vm`: [runtime.md](runtime.md), [config.md](config.md), and [config-vm.md](config-vm.md). | |
18 | 19 | |
19 | 20 | # <a name="ociRuntimeSpecTOC" />Table of Contents |
20 | 21 | |
28 | 29 | - [Linux-specific Configuration](config-linux.md) |
29 | 30 | - [Solaris-specific Configuration](config-solaris.md) |
30 | 31 | - [Windows-specific Configuration](config-windows.md) |
32 | - [Virtual-Machine-specific Configuration](config-vm.md) | |
31 | 33 | - [Glossary](glossary.md) |
32 | 34 | |
33 | 35 | # <a name="ociRuntimeSpecNotationalConventions" />Notational Conventions |
24 | 24 | Solaris *Solaris `json:"solaris,omitempty" platform:"solaris"` |
25 | 25 | // Windows is platform-specific configuration for Windows based containers. |
26 | 26 | Windows *Windows `json:"windows,omitempty" platform:"windows"` |
27 | // VM specifies configuration for virtual-machine-based containers. | |
28 | VM *VM `json:"vm,omitempty" platform:"vm"` | |
27 | 29 | } |
28 | 30 | |
29 | 31 | // Process contains information to start a specific application inside the container. |
157 | 159 | ReadonlyPaths []string `json:"readonlyPaths,omitempty"` |
158 | 160 | // MountLabel specifies the selinux context for the mounts in the container. |
159 | 161 | MountLabel string `json:"mountLabel,omitempty"` |
160 | // IntelRdt contains Intel Resource Director Technology (RDT) information | |
161 | // for handling resource constraints (e.g., L3 cache) for the container | |
162 | // IntelRdt contains Intel Resource Director Technology (RDT) information for | |
163 | // handling resource constraints (e.g., L3 cache, memory bandwidth) for the container | |
162 | 164 | IntelRdt *LinuxIntelRdt `json:"intelRdt,omitempty"` |
163 | 165 | } |
164 | 166 | |
193 | 195 | |
194 | 196 | // LinuxIDMapping specifies UID/GID mappings |
195 | 197 | type LinuxIDMapping struct { |
198 | // ContainerID is the starting UID/GID in the container | |
199 | ContainerID uint32 `json:"containerID"` | |
196 | 200 | // HostID is the starting UID/GID on the host to be mapped to 'ContainerID' |
197 | 201 | HostID uint32 `json:"hostID"` |
198 | // ContainerID is the starting UID/GID in the container | |
199 | ContainerID uint32 `json:"containerID"` | |
200 | 202 | // Size is the number of IDs to be mapped |
201 | 203 | Size uint32 `json:"size"` |
202 | 204 | } |
319 | 321 | Priorities []LinuxInterfacePriority `json:"priorities,omitempty"` |
320 | 322 | } |
321 | 323 | |
324 | // LinuxRdma for Linux cgroup 'rdma' resource management (Linux 4.11) | |
325 | type LinuxRdma struct { | |
326 | // Maximum number of HCA handles that can be opened. Default is "no limit". | |
327 | HcaHandles *uint32 `json:"hcaHandles,omitempty"` | |
328 | // Maximum number of HCA objects that can be created. Default is "no limit". | |
329 | HcaObjects *uint32 `json:"hcaObjects,omitempty"` | |
330 | } | |
331 | ||
322 | 332 | // LinuxResources has container runtime resource constraints |
323 | 333 | type LinuxResources struct { |
324 | 334 | // Devices configures the device whitelist. |
335 | 345 | HugepageLimits []LinuxHugepageLimit `json:"hugepageLimits,omitempty"` |
336 | 346 | // Network restriction configuration |
337 | 347 | Network *LinuxNetwork `json:"network,omitempty"` |
348 | // Rdma resource restriction configuration. | |
349 | // Limits are a set of key value pairs that define RDMA resource limits, | |
350 | // where the key is device name and value is resource limits. | |
351 | Rdma map[string]LinuxRdma `json:"rdma,omitempty"` | |
338 | 352 | } |
339 | 353 | |
340 | 354 | // LinuxDevice represents the mknod information for a Linux special device file |
418 | 432 | type Windows struct { |
419 | 433 | // LayerFolders contains a list of absolute paths to directories containing image layers. |
420 | 434 | LayerFolders []string `json:"layerFolders"` |
435 | // Devices are the list of devices to be mapped into the container. | |
436 | Devices []WindowsDevice `json:"devices,omitempty"` | |
421 | 437 | // Resources contains information for handling resource constraints for the container. |
422 | 438 | Resources *WindowsResources `json:"resources,omitempty"` |
423 | 439 | // CredentialSpec contains a JSON object describing a group Managed Service Account (gMSA) specification. |
432 | 448 | Network *WindowsNetwork `json:"network,omitempty"` |
433 | 449 | } |
434 | 450 | |
451 | // WindowsDevice represents information about a host device to be mapped into the container. | |
452 | type WindowsDevice struct { | |
453 | // Device identifier: interface class GUID, etc. | |
454 | ID string `json:"id"` | |
455 | // Device identifier type: "class", etc. | |
456 | IDType string `json:"idType"` | |
457 | } | |
458 | ||
435 | 459 | // WindowsResources has container runtime resource constraints for containers running on Windows. |
436 | 460 | type WindowsResources struct { |
437 | 461 | // Memory restriction configuration. |
478 | 502 | DNSSearchList []string `json:"DNSSearchList,omitempty"` |
479 | 503 | // Name (ID) of the container that we will share with the network stack. |
480 | 504 | NetworkSharedContainerName string `json:"networkSharedContainerName,omitempty"` |
505 | // name (ID) of the network namespace that will be used for the container. | |
506 | NetworkNamespace string `json:"networkNamespace,omitempty"` | |
481 | 507 | } |
482 | 508 | |
483 | 509 | // WindowsHyperV contains information for configuring a container to run with Hyper-V isolation. |
484 | 510 | type WindowsHyperV struct { |
485 | 511 | // UtilityVMPath is an optional path to the image used for the Utility VM. |
486 | 512 | UtilityVMPath string `json:"utilityVMPath,omitempty"` |
513 | } | |
514 | ||
515 | // VM contains information for virtual-machine-based containers. | |
516 | type VM struct { | |
517 | // Hypervisor specifies hypervisor-related configuration for virtual-machine-based containers. | |
518 | Hypervisor VMHypervisor `json:"hypervisor,omitempty"` | |
519 | // Kernel specifies kernel-related configuration for virtual-machine-based containers. | |
520 | Kernel VMKernel `json:"kernel"` | |
521 | // Image specifies guest image related configuration for virtual-machine-based containers. | |
522 | Image VMImage `json:"image,omitempty"` | |
523 | } | |
524 | ||
525 | // VMHypervisor contains information about the hypervisor to use for a virtual machine. | |
526 | type VMHypervisor struct { | |
527 | // Path is the host path to the hypervisor used to manage the virtual machine. | |
528 | Path string `json:"path"` | |
529 | // Parameters specifies parameters to pass to the hypervisor. | |
530 | Parameters []string `json:"parameters,omitempty"` | |
531 | } | |
532 | ||
533 | // VMKernel contains information about the kernel to use for a virtual machine. | |
534 | type VMKernel struct { | |
535 | // Path is the host path to the kernel used to boot the virtual machine. | |
536 | Path string `json:"path"` | |
537 | // Parameters specifies parameters to pass to the kernel. | |
538 | Parameters []string `json:"parameters,omitempty"` | |
539 | // InitRD is the host path to an initial ramdisk to be used by the kernel. | |
540 | InitRD string `json:"initrd,omitempty"` | |
541 | } | |
542 | ||
543 | // VMImage contains information about the virtual machine root image. | |
544 | type VMImage struct { | |
545 | // Path is the host path to the root image that the VM kernel would boot into. | |
546 | Path string `json:"path"` | |
547 | // Format is the root image format type (e.g. "qcow2", "raw", "vhd", etc). | |
548 | Format string `json:"format"` | |
487 | 549 | } |
488 | 550 | |
489 | 551 | // LinuxSeccomp represents syscall restrictions |
560 | 622 | Args []LinuxSeccompArg `json:"args,omitempty"` |
561 | 623 | } |
562 | 624 | |
563 | // LinuxIntelRdt has container runtime resource constraints | |
564 | // for Intel RDT/CAT which introduced in Linux 4.10 kernel | |
625 | // LinuxIntelRdt has container runtime resource constraints for Intel RDT | |
626 | // CAT and MBA features which introduced in Linux 4.10 and 4.12 kernel | |
565 | 627 | type LinuxIntelRdt struct { |
628 | // The identity for RDT Class of Service | |
629 | ClosID string `json:"closID,omitempty"` | |
566 | 630 | // The schema for L3 cache id and capacity bitmask (CBM) |
567 | 631 | // Format: "L3:<cache_id0>=<cbm0>;<cache_id1>=<cbm1>;..." |
568 | 632 | L3CacheSchema string `json:"l3CacheSchema,omitempty"` |
569 | } | |
633 | ||
634 | // The schema of memory bandwidth per L3 cache id | |
635 | // Format: "MB:<cache_id0>=bandwidth0;<cache_id1>=bandwidth1;..." | |
636 | // The unit of memory bandwidth is specified in "percentages" by | |
637 | // default, and in "MBps" if MBA Software Controller is enabled. | |
638 | MemBwSchema string `json:"memBwSchema,omitempty"` | |
639 | } |