golang-github-opencontainers-specs / 839d206
New upstream version 1.0.1+git20181111.1722abf Dmitry Smirnov 4 years ago
29 changed file(s) with 468 addition(s) and 191 deletion(s).
00 language: go
11 go:
2 - 1.7
3 - 1.6.3
4 - 1.5.4
2 - "1.11.x"
3 - "1.10.x"
4 - "1.9.x"
55
66 sudo: required
77
1111 before_install:
1212 - make install.tools
1313 - docker pull vbatts/pandoc
14 - go get -d ./schema/...
1415
1516 install: true
1617
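Review bot: `go get -d ./schema/...` in `before_install` fetches the schema validator's dependencies unpinned, at whatever upstream HEAD is at build time, so the CI result depends on third-party state this commit does not record. Vendor those packages or pin them (a dep lock file or go modules, which the new `1.11.x` row can use) so a broken or tampered upstream cannot change the build silently. Dropping the 1.5/1.6/1.7 rows is consistent with the Makefile, which now requires go1.7 or newer for golint.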
6161
6262 # `go get github.com/golang/lint/golint`
6363 .golint:
64 ifeq ($(call ALLOWED_GO_VERSION,1.6,$(HOST_GOLANG_VERSION)),true)
64 ifeq ($(call ALLOWED_GO_VERSION,1.7,$(HOST_GOLANG_VERSION)),true)
6565 @which golint > /dev/null 2>/dev/null || (echo "ERROR: golint not found. Consider 'make install.tools' target" && false)
6666 golint ./...
6767 endif
7878
7979 install.tools: .install.golint .install.gitvalidation
8080
81 # golint does not even build for <go1.6
81 # golint does not even build for <go1.7
8282 .install.golint:
83 ifeq ($(call ALLOWED_GO_VERSION,1.6,$(HOST_GOLANG_VERSION)),true)
83 ifeq ($(call ALLOWED_GO_VERSION,1.7,$(HOST_GOLANG_VERSION)),true)
8484 go get -u github.com/golang/lint/golint
8585 endif
8686
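Review bot: `.install.golint` still runs `go get -u github.com/golang/lint/golint`, so every `make install.tools` pulls whatever upstream has at that moment; pin the tool to a known revision so a lint failure (or a compromised upstream) is introduced by a change in this repository, not by a fetch. Minor: the `1.7` literal now appears in both `ifeq` checks and in the comment; a single variable such as `GOLINT_MIN_GO := 1.7` keeps them from drifting apart again.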
2121 ### Application Bundle Builders
2222
2323 Application bundle builders can create a [bundle](bundle.md) directory that includes all of the files required for launching an application as a container.
24 The bundle contains an OCI [configuration file](config.md) where the builder can specify host-independent details such as [which executable to launch](config.md#process) and host-specific settings such as [mount](config.md#mounts) locations, [hook](config.md#hooks) paths, Linux [namespaces](config-linux.md#namespaces) and [cgroups](config-linux.md#control-groups).
24 The bundle contains an OCI [configuration file](config.md) where the builder can specify host-independent details such as [which executable to launch](config.md#process) and host-specific settings such as [mount](config.md#mounts) locations, [hook](config.md#posix-platform-hooks) paths, Linux [namespaces](config-linux.md#namespaces) and [cgroups](config-linux.md#control-groups).
2525 Because the configuration includes host-specific settings, application bundle directories copied between two hosts may require configuration adjustments.
2626
2727 ### Hook Developers
2828
29 [Hook](config.md#hooks) developers can extend the functionality of an OCI-compliant runtime by hooking into a container's lifecycle with an external application.
29 [Hook](config.md#posix-platform-hooks) developers can extend the functionality of an OCI-compliant runtime by hooking into a container's lifecycle with an external application.
3030 Example use cases include sophisticated network configuration, volume garbage collection, etc.
3131
3232 ### Runtime Developers
5353
5454 ### Meetings
5555
56 The contributors and maintainers of all OCI projects have monthly meetings at 2:00 PM (USA Pacific) on the first Wednesday of every month.
56 The contributors and maintainers of all OCI projects have monthly meetings, which are usually at 2:00 PM (USA Pacific) on the first Wednesday of every month.
5757 There is an [iCalendar][rfc5545] format for the meetings [here](meeting.ics).
5858 Everyone is welcome to participate via [UberConference web][uberconference] or audio-only: +1 415 968 0849 (no PIN needed).
5959 An initial agenda will be posted to the [mailing list](#mailing-list) in the week before each meeting, and everyone is welcome to propose additional topics or suggest other agenda alterations there.
8181
8282 Each entry has the following structure:
8383
84 * **`containerID`** *(uint32, REQUIRED)* - is the starting uid/gid in the container.
8485 * **`hostID`** *(uint32, REQUIRED)* - is the starting uid/gid on the host to be mapped to *containerID*.
85 * **`containerID`** *(uint32, REQUIRED)* - is the starting uid/gid in the container.
8686 * **`size`** *(uint32, REQUIRED)* - is the number of ids to be mapped.
8787
8888 The runtime SHOULD NOT modify the ownership of referenced filesystems to realize the mapping.
9393 ```json
9494 "uidMappings": [
9595 {
96 "containerID": 0,
9697 "hostID": 1000,
97 "containerID": 0,
9898 "size": 32000
9999 }
100100 ],
101101 "gidMappings": [
102102 {
103 "containerID": 0,
103104 "hostID": 1000,
104 "containerID": 0,
105105 "size": 32000
106106 }
107107 ]
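Review bot: moving `containerID` ahead of `hostID` is cosmetic and matches the bullet list, but the example itself maps container uid/gid 0 onto host id 1000, which on most distributions is the first interactive user; a reader who copies it gives container root ownership of that user's files. Prefer a dedicated subordinate range of the kind allocated in `/etc/subuid` and `/etc/subgid` (for instance `"hostID": 100000`) here and in the matching config.md example further down.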
121121 * **`major, minor`** *(int64, REQUIRED unless `type` is `p`)* - [major, minor numbers][devices] for the device.
122122 * **`fileMode`** *(uint32, OPTIONAL)* - file mode for the device.
123123 You can also control access to devices [with cgroups](#device-whitelist).
124 * **`uid`** *(uint32, OPTIONAL)* - id of device owner.
125 * **`gid`** *(uint32, OPTIONAL)* - id of device group.
124 * **`uid`** *(uint32, OPTIONAL)* - id of device owner in the [container namespace](glossary.md#container-namespace).
125 * **`gid`** *(uint32, OPTIONAL)* - id of device group in the [container namespace](glossary.md#container-namespace).
126126
127127 The same `type`, `major` and `minor` SHOULD NOT be used for multiple devices.
128128
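Review bot: stating that `uid`/`gid` are in the container namespace removes the ambiguity, but the text should also say what a runtime does with an id that the same config's `uidMappings`/`gidMappings` do not cover, since the device node has to be created with a host owner: generate an error, or document the fallback. A pointer from these two bullets to the mappings section would also help implementers who create the nodes before the user namespace is set up.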
161161 * [`/dev/random`][random.4]
162162 * [`/dev/urandom`][random.4]
163163 * [`/dev/tty`][tty.4]
164 * [`/dev/console`][console.4] is set up if terminal is enabled in the config by bind mounting the pseudoterminal slave to /dev/console.
164 * `/dev/console` is set up if [`terminal`](config.md#process) is enabled in the config by bind mounting the pseudoterminal slave to `/dev/console`.
165165 * [`/dev/ptmx`][pts.4].
166166 A [bind-mount or symlink of the container's `/dev/pts/ptmx`][devpts].
167167
168168 ## <a name="configLinuxControlGroups" />Control groups
169169
170170 Also known as cgroups, they are used to restrict resource usage for a container and handle device access.
171 cgroups provide controls (through controllers) to restrict cpu, memory, IO, pids and network for the container.
171 cgroups provide controls (through controllers) to restrict cpu, memory, IO, pids, network and RDMA resources for the container.
172172 For more information, see the [kernel cgroups documentation][cgroup-v1].
173173
174174 ### <a name="configLinuxCgroupsPath" />Cgroups Path
454454 }
455455 ```
456456
457 ### <a name="configLinuxRDMA" />RDMA
458
459 **`rdma`** (object, OPTIONAL) represents the cgroup subsystem `rdma`.
460 For more information, see the kernel cgroups documentation about [rdma][cgroup-v1-rdma].
461
462 The name of the device to limit is the entry key.
463 Entry values are objects with the following properties:
464
465 * **`hcaHandles`** *(uint32, OPTIONAL)* - specifies the maximum number of hca_handles in the cgroup
466 * **`hcaObjects`** *(uint32, OPTIONAL)* - specifies the maximum number of hca_objects in the cgroup
467
468 You MUST specify at least one of the `hcaHandles` or `hcaObjects` in a given entry, and MAY specify both.
469
470 #### Example
471
472 ```json
473 "rdma": {
474 "mlx5_1": {
475 "hcaHandles": 3,
476 "hcaObjects": 10000
477 },
478 "mlx4_0": {
479 "hcaObjects": 1000
480 },
481 "rxe3": {
482 "hcaObjects": 10000
483 }
484 }
485 ```
486
457487 ## <a name="configLinuxIntelRdt" />IntelRdt
458488
459489 **`intelRdt`** (object, OPTIONAL) represents the [Intel Resource Director Technology][intel-rdt-cat-kernel-interface].
460 If `intelRdt` is set, the runtime MUST write the container process ID to the `<container-id>/tasks` file in a mounted `resctrl` pseudo-filesystem, using the container ID from [`start`](runtime.md#start) and creating the `<container-id>` directory if necessary.
490 If `intelRdt` is set, the runtime MUST write the container process ID to the `tasks` file in a proper sub-directory in a mounted `resctrl` pseudo-filesystem. That sub-directory name is specified by `closID` parameter.
461491 If no mounted `resctrl` pseudo-filesystem is available in the [runtime mount namespace](glossary.md#runtime-namespace), the runtime MUST [generate an error](runtime.md#errors).
462492
463 If `intelRdt` is not set, the runtime MUST NOT manipulate any `resctrl` pseudo-filesystems.
493 If `intelRdt` is not set, the runtime MUST NOT manipulate any `resctrl` pseudo-filesystems.
464494
465495 The following parameters can be specified for the container:
466496
497 * **`closID`** *(string, OPTIONAL)* - specifies the identity for RDT Class of Service (CLOS).
498 If `closID` is set, runtimes MUST create `closID` directory in a mounted `resctrl` pseudo-filesystem if it doesn't exist. If not set, runtimes MUST use the container ID from [`start`](runtime.md#start) and create the `<container-id>` directory.
499
467500 * **`l3CacheSchema`** *(string, OPTIONAL)* - specifies the schema for L3 cache id and capacity bitmask (CBM).
468 If `l3CacheSchema` is set, runtimes MUST write the value to the `schemata` file in the `<container-id>` directory discussed in `intelRdt`.
469
470 If `l3CacheSchema` is not set, runtimes MUST NOT write to `schemata` files in any `resctrl` pseudo-filesystems.
471
472 ### Example
473
474 Consider a two-socket machine with two L3 caches where the default CBM is 0xfffff and the max CBM length is 20 bits.
475 Tasks inside the container only have access to the "upper" 80% of L3 cache id 0 and the "lower" 50% L3 cache id 1:
501 The value SHOULD start with `L3:` and SHOULD NOT contain newlines.
502 * **`memBwSchema`** *(string, OPTIONAL)* - specifies the schema of memory bandwidth per L3 cache id.
503 The value MUST start with `MB:` and MUST NOT contain newlines.
504
505 If both `l3CacheSchema` and `memBwSchema` are set, runtimes MUST write the combined value to the `schemata` file in that sub-directory discussed in `closID`.
506 If `l3CacheSchema` contains a line beginning with `MB:`, the value written to `schemata` file MUST be the non-`MB:` line(s) from `l3CacheSchema` and the line from `memBWSchema`.
507
508 If either `l3CacheSchema` or `memBwSchema` is set, runtimes MUST write the value to the `schemata` file in the that sub-directory discussed in `closID`.
509
510 If neither `l3CacheSchema` nor `memBwSchema` is set, runtimes MUST NOT write to `schemata` files in any `resctrl` pseudo-filesystems.
511
512 If `closID` is set, `l3CacheSchema` and/or `memBwSchema` is set, runtimes MUST compare `l3CacheSchema` and/or `memBwSchema` value with `schemata` file, and [generate an error](runtime.md#errors) if doesn't match.
513
514 ### Example
515
516 Consider a two-socket machine with two L3 caches where the default CBM is 0x7ff and the max CBM length is 11 bits,
517 and minimum memory bandwidth of 10% with a memory bandwidth granularity of 10%.
518
519 Tasks inside the container only have access to the "upper" 7/11 of L3 cache on socket 0 and the "lower" 5/11 L3 cache on socket 1,
520 and may use a maximum memory bandwidth of 20% on socket 0 and 70% on socket 1.
476521
477522 ```json
478523 "linux": {
479524 "intelRdt": {
480 "l3CacheSchema": "L3:0=ffff0;1=3ff"
525 "closID": "guaranteed_group",
526 "l3CacheSchema": "L3:0=7f0;1=1f",
527 "memBwSchema": "MB:0=20;1=70"
481528 }
482529 }
483530 ```
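Review bot: `closID` becomes a directory name under the `resctrl` mount, but nothing restricts its contents; a value containing `/` or `..` would make the runtime create a directory and write `schemata` outside the intended tree. Require it to be a single path component (no `/`, not `.` or `..`) and have runtimes generate an error otherwise. The normative text around `schemata` also needs tidying: the "If both ... MUST write the combined value" sentence and the "If either ... in the that sub-directory" sentence overlap (the second already covers the first), `memBWSchema` should read `memBwSchema`, `l3CacheSchema` uses SHOULD for the `L3:` prefix while `memBwSchema` uses MUST for `MB:`, and the final rule ("MUST compare ... and generate an error if doesn't match") conflicts with the earlier "MUST write": say explicitly whether a pre-existing CLOS directory whose `schemata` differs is overwritten or rejected. For `rdma`, the "at least one of `hcaHandles` or `hcaObjects`" rule lives only in prose; make sure the schema's `Rdma` definition enforces it.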
646693 [cgroup-v1-net-cls]: https://www.kernel.org/doc/Documentation/cgroup-v1/net_cls.txt
647694 [cgroup-v1-net-prio]: https://www.kernel.org/doc/Documentation/cgroup-v1/net_prio.txt
648695 [cgroup-v1-pids]: https://www.kernel.org/doc/Documentation/cgroup-v1/pids.txt
696 [cgroup-v1-rdma]: https://www.kernel.org/doc/Documentation/cgroup-v1/rdma.txt
649697 [cgroup-v2]: https://www.kernel.org/doc/Documentation/cgroup-v2.txt
650698 [devices]: https://www.kernel.org/doc/Documentation/admin-guide/devices.txt
651699 [devpts]: https://www.kernel.org/doc/Documentation/filesystems/devpts.txt
657705 [sysfs]: https://www.kernel.org/doc/Documentation/filesystems/sysfs.txt
658706 [tmpfs]: https://www.kernel.org/doc/Documentation/filesystems/tmpfs.txt
659707
660 [console.4]: http://man7.org/linux/man-pages/man4/console.4.html
661708 [full.4]: http://man7.org/linux/man-pages/man4/full.4.html
662709 [mknod.1]: http://man7.org/linux/man-pages/man1/mknod.1.html
663710 [mknod.2]: http://man7.org/linux/man-pages/man2/mknod.2.html
0 # <a name="VirtualMachineSpecificContainerConfiguration" /> Virtual-machine-specific Container Configuration
1
2 This section describes the schema for the [virtual-machine-specific section](config.md#platform-specific-configuration) of the [container configuration](config.md).
3 The virtual-machine container specification provides additional configuration for the hypervisor, kernel, and image.
4
5 ## <a name="HypervisorObject" /> Hypervisor Object
6
7 **`hypervisor`** (object, OPTIONAL) specifies details of the hypervisor that manages the container virtual machine.
8 * **`path`** (string, REQUIRED) path to the hypervisor binary that manages the container virtual machine.
9 This value MUST be an absolute path in the [runtime mount namespace](glossary.md#runtime-namespace).
10 * **`parameters`** (array of strings, OPTIONAL) specifies an array of parameters to pass to the hypervisor.
11
12 ### Example
13
14 ```json
15 "hypervisor": {
16 "path": "/path/to/vmm",
17 "parameters": ["opts1=foo", "opts2=bar"]
18 }
19 ```
20
21 ## <a name="KernelObject" /> Kernel Object
22
23 **`kernel`** (object, REQUIRED) specifies details of the kernel to boot the container virtual machine with.
24 * **`path`** (string, REQUIRED) path to the kernel used to boot the container virtual machine.
25 This value MUST be an absolute path in the [runtime mount namespace](glossary.md#runtime-namespace).
26 * **`parameters`** (array of strings, OPTIONAL) specifies an array of parameters to pass to the kernel.
27 * **`initrd`** (string, OPTIONAL) path to an initial ramdisk to be used by the container virtual machine.
28 This value MUST be an absolute path in the [runtime mount namespace](glossary.md#runtime-namespace).
29
30 ### Example
31
32 ```json
33 "kernel": {
34 "path": "/path/to/vmlinuz",
35 "parameters": ["foo=bar", "hello world"],
36 "initrd": "/path/to/initrd.img"
37 }
38 ```
39
40 ## <a name="ImageObject" /> Image Object
41
42 **`image`** (object, OPTIONAL) specifies details of the image that contains the root filesystem for the container virtual machine.
43 * **`path`** (string, REQUIRED) path to the container virtual machine root image.
44 This value MUST be an absolute path in the [runtime mount namespace](glossary.md#runtime-namespace).
45 * **`format`** (string, REQUIRED) format of the container virtual machine root image. Commonly supported formats are:
46 * **`raw`** [raw disk image format][raw-image-format]. Unset values for `format` will default to that format.
47 * **`qcow2`** [QEMU image format][qcow2-image-format].
48 * **`vdi`** [VirtualBox 1.1 compatible image format][vdi-image-format].
49 * **`vmdk`** [VMware compatible image format][vmdk-image-format].
50 * **`vhd`** [Virtual Hard Disk image format][vhd-image-format].
51
52 This image contains the root filesystem that the virtual machine **`kernel`** will boot into, not to be confused with the container root filesystem itself. The latter, as specified by **`path`** from the [Root Configuration](config.md#Root-Configuration) section, will be mounted inside the virtual machine at a location chosen by the virtual-machine-based runtime.
53
54 ### Example
55
56 ```json
57 "image": {
58 "path": "/path/to/vm/rootfs.img",
59 "format": "raw"
60 }
61 ```
62
63 [raw-image-format]: https://en.wikipedia.org/wiki/IMG_(file_format)
64 [qcow2-image-format]: https://git.qemu.org/?p=qemu.git;a=blob_plain;f=docs/interop/qcow2.txt;hb=HEAD
65 [vdi-image-format]: https://forensicswiki.org/wiki/Virtual_Disk_Image_(VDI)
66 [vmdk-image-format]: http://www.vmware.com/app/vmdk/?src=vmdk
67 [vhd-image-format]: https://github.com/libyal/libvhdi/blob/master/documentation/Virtual%20Hard%20Disk%20(VHD)%20image%20format.asciidoc
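Review bot: `format` is marked REQUIRED and, in the very next line, given a default when unset ("Unset values for `format` will default to that format"); pick one. The link `config.md#Root-Configuration` matches no anchor in config.md (the heading there is `<a name="configRoot" />Root`). Because `hypervisor.path`, `kernel.path`, `initrd` and `image.path` are host paths chosen by the bundle and the runtime executes or boots whatever they point at, one sentence that runtimes MAY restrict them (for example to an allowlist) and MUST NOT search `PATH` for them would make the trust boundary explicit; the MUST-be-absolute rule already goes most of the way.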
1818 }
1919 ```
2020
21 ## <a name="configWindowsDevices" />Devices
22
23 **`devices`** (array of objects, OPTIONAL) lists devices that MUST be available in the container.
24
25 Each entry has the following structure:
26
27 * **`id`** *(string, REQUIRED)* - specifies the device which the runtime MUST make available in the container.
28 * **`idType`** *(string, REQUIRED)* - tells the runtime how to interpret `id`. Today, Windows only supports a value of `class`, which identifies `id` as a [device interface class GUID][interfaceGUID].
29
30 [interfaceGUID]: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/overview-of-device-interface-classes
31
32 ### Example
33
34 ```json
35 "windows": {
36 "devices": [
37 {
38 "id": "24E552D7-6523-47F7-A647-D3465BF1F5CA",
39 "idType": "class"
40 },
41 {
42 "id": "5175d334-c371-4806-b3ba-71fd53c9258d",
43 "idType": "class"
44 }
45 ]
46 }
47 ```
48
2149 ## <a name="configWindowsResources" />Resources
2250
2351 You can configure a container's resource limits via the OPTIONAL `resources` field of the Windows configuration.
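Review bot: the text says Windows today supports only `idType: class` but not what a runtime does with any other value; add that runtimes MUST generate an error for an unrecognised `idType` rather than skip the entry, since `devices` is defined as devices that MUST be available. `id` is a GUID typed as a free string, and the two example values differ in case; say whether comparison is case-insensitive (or normalise the examples to one case) and constrain the schema with a GUID pattern.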
96124 * **`allowUnqualifiedDNSQuery`** *(bool, OPTIONAL)* - specifies if unqualified DNS name resolution is allowed.
97125 * **`DNSSearchList`** *(array of strings, OPTIONAL)* - comma separated list of DNS suffixes to use for name resolution.
98126 * **`networkSharedContainerName`** *(string, OPTIONAL)* - name (ID) of the container that we will share with the network stack.
127 * **`networkNamespace`** *(string, OPTIONAL)* - name (ID) of the network namespace that will be used for the container. If a network namespace is specified no other parameter must be specified.
99128
100129 ### Example
101130
110139 "a.com",
111140 "b.com"
112141 ],
113 "networkSharedContainerName": "containerName"
142 "networkSharedContainerName": "containerName",
143 "networkNamespace": "168f3daf-efc6-4377-b20a-2c86764ba892"
114144 }
115145 }
116146 ```
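Review bot: "If a network namespace is specified no other parameter must be specified" is ambiguous RFC 2119 wording (MUST NOT is meant), and the example directly below it sets both `networkSharedContainerName` and `networkNamespace`, which the new sentence forbids. Reword to "If `networkNamespace` is set, the other parameters MUST NOT be set" and drop one of the two from the example.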
2626 ## <a name="configRoot" />Root
2727
2828 **`root`** (object, OPTIONAL) specifies the container's root filesystem.
29 On Windows, for Windows Server Containers, this field is REQUIRED.
30 For [Hyper-V Containers](config-windows.md#hyperv), this field MUST NOT be set.
31
32 On all other platforms, this field is REQUIRED.
29 On Windows, for Windows Server Containers, this field is REQUIRED.
30 For [Hyper-V Containers](config-windows.md#hyperv), this field MUST NOT be set.
31
32 On all other platforms, this field is REQUIRED.
3333
3434 * **`path`** (string, REQUIRED) Specifies the path to the root filesystem for the container.
3535
7272 This value MUST be an absolute path.
7373 * Windows: one mount destination MUST NOT be nested within another mount (e.g., c:\\foo and c:\\foo\\bar).
7474 * Solaris: corresponds to "dir" of the fs resource in [zonecfg(1M)][zonecfg.1m].
75 * **`source`** (string, OPTIONAL) A device name, but can also be a directory name or a dummy.
76 Path values are either absolute or relative to the bundle.
75 * **`source`** (string, OPTIONAL) A device name, but can also be a file or directory name for bind mounts or a dummy.
76 Path values for bind mounts are either absolute or relative to the bundle.
77 A mount is a bind mount if it has either `bind` or `rbind` in the options.
7778 * Windows: a local directory on the filesystem of the container host. UNC paths and mapped drives are not supported.
7879 * Solaris: corresponds to "special" of the fs resource in [zonecfg(1M)][zonecfg.1m].
7980 * **`options`** (array of strings, OPTIONAL) Mount options of the filesystem to be used.
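Review bot: "or a dummy" is left undefined in `source`; say which filesystems take no source (the `proc`/`tmpfs`-style types listed under `type`) and that runtimes ignore the value for them. The bind-mount definition ("A mount is a bind mount if it has either `bind` or `rbind` in the options") is repeated almost verbatim in the `type` bullet below; define it once and reference it from the other place.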
99100 For POSIX platforms the `mounts` structure has the following fields:
100101
101102 * **`type`** (string, OPTIONAL) The type of the filesystem to be mounted.
102 * Linux: filesystem types supported by the kernel as listed in */proc/filesystems* (e.g., "minix", "ext2", "ext3", "jfs", "xfs", "reiserfs", "msdos", "proc", "nfs", "iso9660").
103 * Linux: filesystem types supported by the kernel as listed in */proc/filesystems* (e.g., "minix", "ext2", "ext3", "jfs", "xfs", "reiserfs", "msdos", "proc", "nfs", "iso9660"). For bind mounts (when `options` include either `bind` or `rbind`), the type is a dummy, often "none" (not listed in */proc/filesystems*).
103104 * Solaris: corresponds to "type" of the fs resource in [zonecfg(1M)][zonecfg.1m].
104105
105106 ### Example (Linux)
114115 },
115116 {
116117 "destination": "/data",
117 "type": "bind",
118 "type": "none",
118119 "source": "/volumes/testing",
119120 "options": ["rbind","rw"]
120121 }
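Review bot: the `type` bullet calls the value "a dummy, often none" for bind mounts but never says that runtimes MUST ignore `type` in that case; without that rule a runtime could reject the old example's `"type": "bind"` or the new `"type": "none"` as absent from `/proc/filesystems`. Changing the example to `"none"` is consistent with the text; add the ignore rule so both forms stay valid for existing bundles.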
348349 This MUST be set if the target platform of this spec is `windows`.
349350 * **`solaris`** (object, OPTIONAL) [Solaris-specific configuration](config-solaris.md).
350351 This MAY be set if the target platform of this spec is `solaris`.
352 * **`vm`** (object, OPTIONAL) [Virtual-machine-specific configuration](config-vm.md).
353 This MAY be set if the target platform and architecture of this spec support hardware virtualization.
351354
352355 ### Example (Linux)
353356
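Review bot: the `linux`, `windows` and `solaris` bullets tie their object to a platform value, but `vm` has none ("MAY be set if the target platform and architecture of this spec support hardware virtualization"), so a validator cannot tell when `vm` is expected or whether it may coexist with `linux`; name the selecting condition and state the exclusivity.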
372375 Entries in the array contain the following properties:
373376 * **`path`** (string, REQUIRED) with similar semantics to [IEEE Std 1003.1-2008 `execv`'s *path*][ieee-1003.1-2008-functions-exec].
374377 This specification extends the IEEE standard in that **`path`** MUST be absolute.
378 Runtimes MUST resolve this value in the [runtime namespace](glossary.md#runtime-namespace).
375379 * **`args`** (array of strings, OPTIONAL) with the same semantics as [IEEE Std 1003.1-2008 `execv`'s *argv*][ieee-1003.1-2008-functions-exec].
376380 * **`env`** (array of strings, OPTIONAL) with the same semantics as [IEEE Std 1003.1-2008's `environ`][ieee-1003.1-2008-xbd-c8.1].
377381 * **`timeout`** (int, OPTIONAL) is the number of seconds before aborting the hook.
383387
384388 Hooks allow users to specify programs to run before or after various lifecycle events.
385389 Hooks MUST be called in the listed order.
390 Hooks MUST be executed in the [runtime namespace](glossary.md#runtime-namespace).
386391 The [state](runtime.md#state) of the container MUST be passed to hooks over stdin so that they may do work appropriate to the current state of the container.
387392
388393 ### <a name="configHooksPrestart" />Prestart
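Review bot: "Hooks MUST be executed in the runtime namespace", together with the new "Runtimes MUST resolve this value in the runtime namespace" on `path`, makes explicit that hook binaries are host programs chosen by the bundle's config.json and run with the runtime's privileges outside any container namespace. Add a one-line caveat here that hooks are therefore part of the runtime's trusted computing base and that `hooks` in a bundle from an untrusted source should be inspected before the container is created.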
663668 ],
664669 "uidMappings": [
665670 {
671 "containerID": 0,
666672 "hostID": 1000,
673 "size": 32000
674 }
675 ],
676 "gidMappings": [
677 {
667678 "containerID": 0,
668 "size": 32000
669 }
670 ],
671 "gidMappings": [
672 {
673679 "hostID": 1000,
674 "containerID": 0,
675680 "size": 32000
676681 }
677682 ],
850855 [capabilities.7]: http://man7.org/linux/man-pages/man7/capabilities.7.html
851856 [mount.2]: http://man7.org/linux/man-pages/man2/mount.2.html
852857 [mount.8]: http://man7.org/linux/man-pages/man8/mount.8.html
853 [mount.8-filesystem-independent]: http://man7.org/linux/man-pages/man8/mount.8.html#FILESYSTEM-INDEPENDENT_MOUNT%20OPTIONS
854 [mount.8-filesystem-specific]: http://man7.org/linux/man-pages/man8/mount.8.html#FILESYSTEM-SPECIFIC_MOUNT%20OPTIONS
858 [mount.8-filesystem-independent]: http://man7.org/linux/man-pages/man8/mount.8.html#FILESYSTEM-INDEPENDENT_MOUNT_OPTIONS
859 [mount.8-filesystem-specific]: http://man7.org/linux/man-pages/man8/mount.8.html#FILESYSTEM-SPECIFIC_MOUNT_OPTIONS
855860 [getrlimit.2]: http://man7.org/linux/man-pages/man2/getrlimit.2.html
856861 [getrlimit.3]: http://pubs.opengroup.org/onlinepubs/9699919799/functions/getrlimit.html
857862 [stdin.3]: http://man7.org/linux/man-pages/man3/stdin.3.html
3131
3232 On Linux, the namespaces from which new [container namespaces](#container-namespace) are [created](config-linux.md#namespaces) and from which some configured resources are accessed.
3333
34 [JSON]: https://tools.ietf.org/html/rfc7159
34 [JSON]: https://tools.ietf.org/html/rfc8259
3535 [UTF-8]: http://www.unicode.org/versions/Unicode8.0.0/ch03.pdf
3636
3737 [namespaces.7]: http://man7.org/linux/man-pages/man7/namespaces.7.html
1212
1313 * [hyperhq/runv][runv] - Hypervisor-based runtime for OCI
1414 * [clearcontainers/runtime][cc-runtime] - Hypervisor-based OCI runtime utilising [virtcontainers][virtcontainers] by Intel®.
15 * [google/gvisor][gvisor] - gVisor is a user-space kernel, contains runsc to run sandboxed containers.
16 * [kata-containers/runtime][kata-runtime] - Hypervisor-based OCI runtime combining technology from [clearcontainers/runtime][cc-runtime] and [hyperhq/runv][runv].
1517
1618 ## <a name="implementationsTestingTools" />Testing & Tools
1719
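Review bot: the gVisor entry describes a user-space kernel, while the two context entries above it (runv, clearcontainers/runtime) are hypervisor-based; confirm it sits under the heading that fits, or reword the entry so the section's criterion stays clear. It is also the only entry phrased as "gVisor is ..."; match the "... runtime for OCI" form of its neighbours.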
2325 [runc]: https://github.com/opencontainers/runc
2426 [runv]: https://github.com/hyperhq/runv
2527 [cc-runtime]: https://github.com/clearcontainers/runtime
28 [kata-runtime]: https://github.com/kata-containers/runtime
2629 [virtcontainers]: https://github.com/containers/virtcontainers
2730 [octool]: https://github.com/kunalkushwaha/octool
2831 [oct]: https://github.com/huawei-openlab/oct
3033 [bwrap-oci]: https://github.com/projectatomic/bwrap-oci
3134 [bubblewrap]: https://github.com/projectatomic/bubblewrap
3235 [crun]: https://github.com/giuseppe/crun
36 [gvisor]: https://github.com/google/gvisor
2020 END:VTIMEZONE
2121 BEGIN:VEVENT
2222 UID:tdc-meeting@opencontainers.org
23 DTSTAMP:20170821T200000Z
23 DTSTAMP:20180628T170000Z
2424 DTSTART;TZID=America/Los_Angeles:20170906T140000
2525 RRULE:FREQ=MONTHLY;INTERVAL=1;BYDAY=1WE
26 RDATE;TZID=America/Los_Angeles:20180110T140000
27 EXDATE;TZIP=America/Los_Angeles:20180103T140000
28 RDATE;TZID=America/Los_Angeles:20180711T140000
29 EXDATE;TZIP=America/Los_Angeles:20180704T140000
2630 DURATION:PT1H
2731 SUMMARY:OCI TDC Meeting
2832 DESCRIPTION;ALTREP="https://github.com/opencontainers/runtime-spec#
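Review bot: both new `EXDATE` lines use `TZIP=America/Los_Angeles`; the RFC 5545 parameter is `TZID`, as on the `RDATE` and `DTSTART` lines, so clients will either drop the property or apply the exclusion in the wrong zone and the cancelled 3 Jan and 4 Jul occurrences stay on the calendar. Fix the parameter name on both lines.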
136136
137137 ## <a name="runtimeHooks" />Hooks
138138 Many of the operations specified in this specification have "hooks" that allow for additional actions to be taken before or after each operation.
139 See [runtime configuration for hooks](./config.md#hooks) for more information.
139 See [runtime configuration for hooks](./config.md#posix-platform-hooks) for more information.
3535 for FILE in $$(ls "test/$${TYPE}/bad"); \
3636 do \
3737 echo " testing test/$${TYPE}/bad/$${FILE}"; \
38 if ./validate "$${TYPE}-schema.json" "test/$${TYPE}/good/$${FILE}" ; \
38 if ./validate "$${TYPE}-schema.json" "test/$${TYPE}/bad/$${FILE}" ; \
3939 then \
4040 echo " received unexpected validation success" ; \
4141 exit 1; \
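Review bot: good catch, the "bad" loop validated `test/$${TYPE}/good/$${FILE}`, so the negative tests could never fail; now that it validates the `bad` file, also fail the target when `ls "test/$${TYPE}/bad"` returns nothing, otherwise an empty or misnamed directory makes the negative suite pass silently again.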
1212 * [state-schema.json](state-schema.json) - the primary entrypoint for the [state JSON](../runtime.md#state) schema
1313 * [defs.json](defs.json) - definitions for general types
1414 * [defs-linux.json](defs-linux.json) - definitions for Linux-specific types
15 * [defs-windows.json](defs-windows.json) - definitions for Windows-specific types
1516 * [validate.go](validate.go) - validation utility source code
1617
1718
00 {
11 "linux": {
22 "description": "Linux platform-specific configurations",
3 "id": "https://opencontainers.org/schema/bundle/linux",
43 "type": "object",
54 "properties": {
65 "devices": {
7 "id": "https://opencontainers.org/schema/bundle/linux/devices",
86 "type": "array",
97 "items": {
108 "$ref": "defs-linux.json#/definitions/Device"
119 }
1210 },
1311 "uidMappings": {
14 "id": "https://opencontainers.org/schema/bundle/linux/uidMappings",
1512 "type": "array",
1613 "items": {
1714 "$ref": "defs.json#/definitions/IDMapping"
1815 }
1916 },
2017 "gidMappings": {
21 "id": "https://opencontainers.org/schema/bundle/linux/gidMappings",
2218 "type": "array",
2319 "items": {
2420 "$ref": "defs.json#/definitions/IDMapping"
2521 }
2622 },
2723 "namespaces": {
28 "id": "https://opencontainers.org/schema/bundle/linux/namespaces",
2924 "type": "array",
3025 "items": {
3126 "anyOf": [
3631 }
3732 },
3833 "resources": {
39 "id": "https://opencontainers.org/schema/bundle/linux/resources",
4034 "type": "object",
4135 "properties": {
4236 "devices": {
43 "id": "https://opencontainers.org/schema/bundle/linux/resources/devices",
4437 "type": "array",
4538 "items": {
4639 "$ref": "defs-linux.json#/definitions/DeviceCgroup"
4740 }
4841 },
4942 "pids": {
50 "id": "https://opencontainers.org/schema/bundle/linux/resources/pids",
5143 "type": "object",
5244 "properties": {
5345 "limit": {
54 "id": "https://opencontainers.org/schema/bundle/linux/resources/pids/limit",
5546 "$ref": "defs.json#/definitions/int64"
5647 }
5748 },
6051 ]
6152 },
6253 "blockIO": {
63 "id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO",
6454 "type": "object",
6555 "properties": {
6656 "weight": {
67 "id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO/weight",
6857 "$ref": "defs-linux.json#/definitions/weight"
6958 },
7059 "leafWeight": {
71 "id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO/leafWeight",
7260 "$ref": "defs-linux.json#/definitions/weight"
7361 },
7462 "throttleReadBpsDevice": {
75 "id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO/throttleReadBpsDevice",
7663 "type": "array",
7764 "items": {
7865 "$ref": "defs-linux.json#/definitions/blockIODeviceThrottle"
7966 }
8067 },
8168 "throttleWriteBpsDevice": {
82 "id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO/throttleWriteBpsDevice",
8369 "type": "array",
8470 "items": {
8571 "$ref": "defs-linux.json#/definitions/blockIODeviceThrottle"
8672 }
8773 },
8874 "throttleReadIOPSDevice": {
89 "id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO/throttleReadIOPSDevice",
9075 "type": "array",
9176 "items": {
9277 "$ref": "defs-linux.json#/definitions/blockIODeviceThrottle"
9378 }
9479 },
9580 "throttleWriteIOPSDevice": {
96 "id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO/throttleWriteIOPSDevice",
9781 "type": "array",
9882 "items": {
9983 "$ref": "defs-linux.json#/definitions/blockIODeviceThrottle"
10084 }
10185 },
10286 "weightDevice": {
103 "id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO/weightDevice",
10487 "type": "array",
10588 "items": {
10689 "$ref": "defs-linux.json#/definitions/blockIODeviceWeight"
10992 }
11093 },
11194 "cpu": {
112 "id": "https://opencontainers.org/schema/bundle/linux/resources/cpu",
11395 "type": "object",
11496 "properties": {
11597 "cpus": {
116 "id": "https://opencontainers.org/schema/bundle/linux/resources/cpu/cpus",
11798 "type": "string"
11899 },
119100 "mems": {
120 "id": "https://opencontainers.org/schema/bundle/linux/resources/cpu/mems",
121101 "type": "string"
122102 },
123103 "period": {
124 "id": "https://opencontainers.org/schema/bundle/linux/resources/cpu/period",
125104 "$ref": "defs.json#/definitions/uint64"
126105 },
127106 "quota": {
128 "id": "https://opencontainers.org/schema/bundle/linux/resources/cpu/quota",
129107 "$ref": "defs.json#/definitions/int64"
130108 },
131109 "realtimePeriod": {
132 "id": "https://opencontainers.org/schema/bundle/linux/resources/cpu/realtimePeriod",
133110 "$ref": "defs.json#/definitions/uint64"
134111 },
135112 "realtimeRuntime": {
136 "id": "https://opencontainers.org/schema/bundle/linux/resources/cpu/realtimeRuntime",
137113 "$ref": "defs.json#/definitions/int64"
138114 },
139115 "shares": {
140 "id": "https://opencontainers.org/schema/bundle/linux/resources/cpu/shares",
141116 "$ref": "defs.json#/definitions/uint64"
142117 }
143118 }
144119 },
145120 "hugepageLimits": {
146 "id": "https://opencontainers.org/schema/bundle/linux/resources/hugepageLimits",
147121 "type": "array",
148122 "items": {
149123 "type": "object",
162136 }
163137 },
164138 "memory": {
165 "id": "https://opencontainers.org/schema/bundle/linux/resources/memory",
166139 "type": "object",
167140 "properties": {
168141 "kernel": {
169 "id": "https://opencontainers.org/schema/bundle/linux/resources/memory/kernel",
170142 "$ref": "defs.json#/definitions/int64"
171143 },
172144 "kernelTCP": {
173 "id": "https://opencontainers.org/schema/bundle/linux/resources/memory/kernelTCP",
174145 "$ref": "defs.json#/definitions/int64"
175146 },
176147 "limit": {
177 "id": "https://opencontainers.org/schema/bundle/linux/resources/memory/limit",
178148 "$ref": "defs.json#/definitions/int64"
179149 },
180150 "reservation": {
181 "id": "https://opencontainers.org/schema/bundle/linux/resources/memory/reservation",
182151 "$ref": "defs.json#/definitions/int64"
183152 },
184153 "swap": {
185 "id": "https://opencontainers.org/schema/bundle/linux/resources/memory/swap",
186154 "$ref": "defs.json#/definitions/int64"
187155 },
188156 "swappiness": {
189 "id": "https://opencontainers.org/schema/bundle/linux/resources/memory/swappiness",
190157 "$ref": "defs.json#/definitions/uint64"
191158 },
192159 "disableOOMKiller": {
193 "id": "https://opencontainers.org/schema/bundle/linux/resources/memory/disableOOMKiller",
194160 "type": "boolean"
195161 }
196162 }
197163 },
198164 "network": {
199 "id": "https://opencontainers.org/schema/bundle/linux/resources/network",
200165 "type": "object",
201166 "properties": {
202167 "classID": {
203 "id": "https://opencontainers.org/schema/bundle/linux/resources/network/classId",
204168 "$ref": "defs.json#/definitions/uint32"
205169 },
206170 "priorities": {
207 "id": "https://opencontainers.org/schema/bundle/linux/resources/network/priorities",
208171 "type": "array",
209172 "items": {
210173 "$ref": "defs-linux.json#/definitions/NetworkInterfacePriority"
211174 }
212175 }
213176 }
177 },
178 "rdma": {
179 "type": "object",
180 "additionalProperties": {
181 "$ref": "defs-linux.json#/definitions/Rdma"
182 }
214183 }
215184 }
216185 },
217186 "cgroupsPath": {
218 "id": "https://opencontainers.org/schema/bundle/linux/cgroupsPath",
219187 "type": "string"
220188 },
221189 "rootfsPropagation": {
222 "id": "https://opencontainers.org/schema/bundle/linux/rootfsPropagation",
223190 "$ref": "defs-linux.json#/definitions/RootfsPropagation"
224191 },
225192 "seccomp": {
226 "id": "https://opencontainers.org/schema/bundle/linux/seccomp",
227193 "type": "object",
228194 "properties": {
229195 "defaultAction": {
230 "id": "https://opencontainers.org/schema/bundle/linux/seccomp/defaultAction",
231 "type": "string"
196 "$ref": "defs-linux.json#/definitions/SeccompAction"
232197 },
233198 "architectures": {
234 "id": "https://opencontainers.org/schema/bundle/linux/seccomp/architectures",
235199 "type": "array",
236200 "items": {
237201 "$ref": "defs-linux.json#/definitions/SeccompArch"
238202 }
239203 },
240204 "syscalls": {
241 "id": "https://opencontainers.org/schema/bundle/linux/seccomp/syscalls",
242205 "type": "array",
243206 "items": {
244207 "$ref": "defs-linux.json#/definitions/Syscall"
250213 ]
251214 },
252215 "sysctl": {
253 "id": "https://opencontainers.org/schema/bundle/linux/sysctl",
254216 "$ref": "defs.json#/definitions/mapStringString"
255217 },
256218 "maskedPaths": {
257 "id": "https://opencontainers.org/schema/bundle/linux/maskedPaths",
258219 "$ref": "defs.json#/definitions/ArrayOfStrings"
259220 },
260221 "readonlyPaths": {
261 "id": "https://opencontainers.org/schema/bundle/linux/readonlyPaths",
262222 "$ref": "defs.json#/definitions/ArrayOfStrings"
263223 },
264224 "mountLabel": {
265 "id": "https://opencontainers.org/schema/bundle/linux/mountLabel",
266225 "type": "string"
267226 },
268227 "intelRdt": {
269 "id": "https://opencontainers.org/schema/bundle/linux/intelRdt",
270228 "type": "object",
271229 "properties": {
230 "closID": {
231 "type": "string"
232 },
272233 "l3CacheSchema": {
273 "id": "https://opencontainers.org/schema/bundle/linux/intelRdt/l3CacheSchema",
274234 "type": "string"
235 },
236 "memBwSchema": {
237 "type": "string",
238 "pattern": "^MB:[^\\n]*$"
275239 }
276240 }
277241 }
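Review bot: `l3CacheSchema` stays an unconstrained string while the new `memBwSchema` gets `"pattern": "^MB:[^\\n]*$"`; since the Go comment documents the L3 format as `"L3:<cache_id0>=<cbm0>;..."`, add the matching prefix check, e.g. `"pattern": "^L3:[^\\n]*$"`, so a malformed schema string is rejected by validation instead of by the runtime writing to resctrl. The new `closID` likewise accepts the empty string; if an empty CLOS identifier is not meaningful, add `"minLength": 1`.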
00 {
11 "description": "Open Container Initiative Runtime Specification Container Configuration Schema",
22 "$schema": "http://json-schema.org/draft-04/schema#",
3 "id": "https://opencontainers.org/schema/bundle",
43 "type": "object",
54 "properties": {
65 "ociVersion": {
7 "id": "https://opencontainers.org/schema/bundle/ociVersion",
86 "$ref": "defs.json#/definitions/ociVersion"
97 },
108 "hooks": {
11 "id": "https://opencontainers.org/schema/bundle/hooks",
129 "type": "object",
1310 "properties": {
1411 "prestart": {
2623 "$ref": "defs.json#/definitions/annotations"
2724 },
2825 "hostname": {
29 "id": "https://opencontainers.org/schema/bundle/hostname",
3026 "type": "string"
3127 },
3228 "mounts": {
33 "id": "https://opencontainers.org/schema/bundle/mounts",
3429 "type": "array",
3530 "items": {
3631 "$ref": "defs.json#/definitions/Mount"
3833 },
3934 "root": {
4035 "description": "Configures the container's root filesystem.",
41 "id": "https://opencontainers.org/schema/bundle/root",
4236 "type": "object",
4337 "required": [
4438 "path"
4539 ],
4640 "properties": {
4741 "path": {
48 "id": "https://opencontainers.org/schema/bundle/root/path",
4942 "$ref": "defs.json#/definitions/FilePath"
5043 },
5144 "readonly": {
52 "id": "https://opencontainers.org/schema/bundle/root/readonly",
5345 "type": "boolean"
5446 }
5547 }
5648 },
5749 "process": {
58 "id": "https://opencontainers.org/schema/bundle/process",
5950 "type": "object",
6051 "required": [
6152 "cwd",
6354 ],
6455 "properties": {
6556 "args": {
66 "id": "https://opencontainers.org/schema/bundle/process/args",
6757 "$ref": "defs.json#/definitions/ArrayOfStrings"
6858 },
6959 "consoleSize": {
70 "id": "https://opencontainers.org/schema/bundle/process/consoleSize",
7160 "type": "object",
7261 "required": [
7362 "height",
7564 ],
7665 "properties": {
7766 "height": {
78 "id": "https://opencontainers.org/schema/bundle/process/consoleSize/height",
7967 "$ref": "defs.json#/definitions/uint64"
8068 },
8169 "width": {
82 "id": "https://opencontainers.org/schema/bundle/process/consoleSize/width",
8370 "$ref": "defs.json#/definitions/uint64"
8471 }
8572 }
8673 },
8774 "cwd": {
88 "id": "https://opencontainers.org/schema/bundle/process/cwd",
8975 "type": "string"
9076 },
9177 "env": {
92 "id": "https://opencontainers.org/schema/bundle/process/env",
9378 "$ref": "defs.json#/definitions/Env"
9479 },
9580 "terminal": {
96 "id": "https://opencontainers.org/schema/bundle/process/terminal",
9781 "type": "boolean"
9882 },
9983 "user": {
100 "id": "https://opencontainers.org/schema/bundle/process/user",
10184 "type": "object",
10285 "properties": {
10386 "uid": {
104 "id": "https://opencontainers.org/schema/bundle/process/user/uid",
10587 "$ref": "defs.json#/definitions/UID"
10688 },
10789 "gid": {
108 "id": "https://opencontainers.org/schema/bundle/process/user/gid",
10990 "$ref": "defs.json#/definitions/GID"
11091 },
11192 "additionalGids": {
112 "id": "https://opencontainers.org/schema/bundle/process/user/additionalGids",
11393 "$ref": "defs.json#/definitions/ArrayOfGIDs"
11494 },
11595 "username": {
116 "id": "https://opencontainers.org/schema/bundle/process/user/username",
11796 "type": "string"
11897 }
11998 }
12099 },
121100 "capabilities": {
122 "id": "https://opencontainers.org/schema/bundle/process/linux/capabilities",
123101 "type": "object",
124102 "properties": {
125103 "bounding": {
126 "id": "https://opencontainers.org/schema/bundle/process/linux/capabilities/bounding",
127104 "$ref": "defs.json#/definitions/ArrayOfStrings"
128105 },
129106 "permitted": {
130 "id": "https://opencontainers.org/schema/bundle/process/linux/capabilities/permitted",
131107 "$ref": "defs.json#/definitions/ArrayOfStrings"
132108 },
133109 "effective": {
134 "id": "https://opencontainers.org/schema/bundle/process/linux/capabilities/effective",
135110 "$ref": "defs.json#/definitions/ArrayOfStrings"
136111 },
137112 "inheritable": {
138 "id": "https://opencontainers.org/schema/bundle/process/linux/capabilities/inheritable",
139113 "$ref": "defs.json#/definitions/ArrayOfStrings"
140114 },
141115 "ambient": {
142 "id": "https://opencontainers.org/schema/bundle/process/linux/capabilities/ambient",
143116 "$ref": "defs.json#/definitions/ArrayOfStrings"
144117 }
145118 }
146119 },
147120 "apparmorProfile": {
148 "id": "https://opencontainers.org/schema/bundle/process/linux/apparmorProfile",
149121 "type": "string"
150122 },
151123 "oomScoreAdj": {
152 "id": "https://opencontainers.org/schema/bundle/process/linux/oomScoreAdj",
153124 "type": "integer"
154125 },
155126 "selinuxLabel": {
156 "id": "https://opencontainers.org/schema/bundle/process/linux/selinuxLabel",
157127 "type": "string"
158128 },
159129 "noNewPrivileges": {
160 "id": "https://opencontainers.org/schema/bundle/process/linux/noNewPrivileges",
161130 "type": "boolean"
162131 },
163132 "rlimits": {
164 "id": "https://opencontainers.org/schema/bundle/linux/rlimits",
165133 "type": "array",
166134 "items": {
167 "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0",
168135 "type": "object",
169136 "required": [
170137 "type",
173140 ],
174141 "properties": {
175142 "hard": {
176 "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0/hard",
177143 "$ref": "defs.json#/definitions/uint64"
178144 },
179145 "soft": {
180 "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0/soft",
181146 "$ref": "defs.json#/definitions/uint64"
182147 },
183148 "type": {
184 "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0/type",
185149 "type": "string",
186150 "pattern": "^RLIMIT_[A-Z]+$"
187151 }
198162 },
199163 "windows": {
200164 "$ref": "config-windows.json#/windows"
165 },
166 "vm": {
167 "$ref": "config-vm.json#/vm"
201168 }
202169 },
203170 "required": [
00 {
11 "solaris": {
22 "description": "Solaris platform-specific configurations",
3 "id": "https://opencontainers.org/schema/bundle/solaris",
43 "type": "object",
54 "properties": {
65 "milestone": {
7 "id": "https://opencontainers.org/schema/bundle/solaris/milestone",
86 "type": "string"
97 },
108 "limitpriv": {
11 "id": "https://opencontainers.org/schema/bundle/solaris/limitpriv",
129 "type": "string"
1310 },
1411 "maxShmMemory": {
15 "id": "https://opencontainers.org/schema/bundle/solaris/maxShmMemory",
1612 "type": "string"
1713 },
1814 "cappedCPU": {
19 "id": "https://opencontainers.org/schema/bundle/solaris/cappedCPU",
2015 "type": "object",
2116 "properties": {
2217 "ncpus": {
23 "id": "https://opencontainers.org/schema/bundle/solaris/cappedCPU/ncpus",
2418 "type": "string"
2519 }
2620 }
2721 },
2822 "cappedMemory": {
29 "id": "https://opencontainers.org/schema/bundle/solaris/cappedMemory",
3023 "type": "object",
3124 "properties": {
3225 "physical": {
33 "id": "https://opencontainers.org/schema/bundle/solaris/cappedMemory/physical",
3426 "type": "string"
3527 },
3628 "swap": {
37 "id": "https://opencontainers.org/schema/bundle/solaris/cappedMemory/swap",
3829 "type": "string"
3930 }
4031 }
4132 },
4233 "anet": {
43 "id": "https://opencontainers.org/schema/bundle/solaris/anet",
4434 "type": "array",
4535 "items": {
4636 "type": "object",
0 {
1 "vm": {
2 "description": "configuration for virtual-machine-based containers",
3 "type": "object",
4 "required": [
5 "kernel"
6 ],
7 "properties": {
8 "hypervisor": {
9 "description": "hypervisor config used by VM-based containers",
10 "type": "object",
11 "required": [
12 "path"
13 ],
14 "properties": {
15 "path": {
16 "$ref": "defs.json#/definitions/FilePath"
17 },
18 "parameters": {
19 "$ref": "defs.json#/definitions/ArrayOfStrings"
20 }
21 }
22 },
23 "kernel": {
24 "description": "kernel config used by VM-based containers",
25 "type": "object",
26 "required": [
27 "path"
28 ],
29 "properties": {
30 "path": {
31 "$ref": "defs.json#/definitions/FilePath"
32 },
33 "parameters": {
34 "$ref": "defs.json#/definitions/ArrayOfStrings"
35 },
36 "initrd": {
37 "$ref": "defs.json#/definitions/FilePath"
38 }
39 }
40 },
41 "image": {
42 "description": "root image config used by VM-based containers",
43 "type": "object",
44 "required": [
45 "path",
46 "format"
47 ],
48 "properties": {
49 "path": {
50 "$ref": "defs.json#/definitions/FilePath"
51 },
52 "format": {
53 "$ref": "defs-vm.json#/definitions/RootImageFormat"
54 }
55 }
56 }
57 }
58 }
59 }
00 {
11 "windows": {
22 "description": "Windows platform-specific configurations",
3 "id": "https://opencontainers.org/schema/bundle/windows",
43 "type": "object",
54 "properties": {
65 "layerFolders": {
7 "id": "https://opencontainers.org/schema/bundle/windows/layerFolders",
86 "type": "array",
97 "items": {
108 "$ref": "defs.json#/definitions/FilePath"
119 },
1210 "minItems": 1
1311 },
12 "devices": {
13 "type": "array",
14 "items": {
15 "$ref": "defs-windows.json#/definitions/Device"
16 }
17 },
1418 "resources": {
15 "id": "https://opencontainers.org/schema/bundle/windows/resources",
1619 "type": "object",
1720 "properties": {
1821 "memory": {
19 "id": "https://opencontainers.org/schema/bundle/windows/resources/memory",
2022 "type": "object",
2123 "properties": {
2224 "limit": {
23 "id": "https://opencontainers.org/schema/bundle/windows/resources/memory/limit",
2425 "$ref": "defs.json#/definitions/uint64"
2526 }
2627 }
2728 },
2829 "cpu": {
29 "id": "https://opencontainers.org/schema/bundle/windows/resources/cpu",
3030 "type": "object",
3131 "properties": {
3232 "count": {
33 "id": "https://opencontainers.org/schema/bundle/windows/resources/cpu/count",
3433 "$ref": "defs.json#/definitions/uint64"
3534 },
3635 "shares": {
37 "id": "https://opencontainers.org/schema/bundle/windows/resources/cpu/shares",
3836 "$ref": "defs.json#/definitions/uint16"
3937 },
4038 "maximum": {
41 "id": "https://opencontainers.org/schema/bundle/windows/resources/cpu/maximum",
4239 "$ref": "defs.json#/definitions/uint16"
4340 }
4441 }
4542 },
4643 "storage": {
47 "id": "https://opencontainers.org/schema/bundle/windows/resources/storage",
4844 "type": "object",
4945 "properties": {
5046 "iops": {
51 "id": "https://opencontainers.org/schema/bundle/windows/resources/storage/iops",
5247 "$ref": "defs.json#/definitions/uint64"
5348 },
5449 "bps": {
55 "id": "https://opencontainers.org/schema/bundle/windows/resources/storage/bps",
5650 "$ref": "defs.json#/definitions/uint64"
5751 },
5852 "sandboxSize": {
59 "id": "https://opencontainers.org/schema/bundle/windows/resources/storage/sandboxSize",
6053 "$ref": "defs.json#/definitions/uint64"
6154 }
6255 }
6457 }
6558 },
6659 "network": {
67 "id": "https://opencontainers.org/schema/bundle/windows/network",
6860 "type": "object",
6961 "properties": {
7062 "endpointList": {
71 "id": "https://opencontainers.org/schema/bundle/windows/network/endpointList",
7263 "$ref": "defs.json#/definitions/ArrayOfStrings"
7364 },
7465 "allowUnqualifiedDNSQuery": {
75 "id": "https://opencontainers.org/schema/bundle/windows/network/allowUnqualifiedDNSQuery",
7666 "type": "boolean"
7767 },
7868 "DNSSearchList": {
79 "id": "https://opencontainers.org/schema/bundle/windows/network/DNSSearchList",
8069 "$ref": "defs.json#/definitions/ArrayOfStrings"
8170 },
8271 "networkSharedContainerName": {
83 "id": "https://opencontainers.org/schema/bundle/windows/network/networkSharedContainerName",
72 "type": "string"
73 },
74 "networkNamespace": {
8475 "type": "string"
8576 }
8677 }
8778 },
8879 "credentialSpec": {
89 "id": "https://opencontainers.org/schema/bundle/windows/credentialSpec",
9080 "type": "object"
9181 },
9282 "servicing": {
93 "id": "https://opencontainers.org/schema/bundle/windows/servicing",
9483 "type": "boolean"
9584 },
9685 "ignoreFlushesDuringBoot": {
97 "id": "https://opencontainers.org/schema/bundle/windows/ignoreFlushesDuringBoot",
9886 "type": "boolean"
9987 },
10088 "hyperv": {
101 "id": "https://opencontainers.org/schema/bundle/windows/hyperv",
10289 "type": "object",
10390 "properties": {
10491 "utilityVMPath": {
105 "id": "https://opencontainers.org/schema/bundle/windows/hyperv/utilityVMPath",
10692 "type": "string"
10793 }
10894 }
239239 "priority"
240240 ]
241241 },
242 "Rdma": {
243 "type": "object",
244 "properties": {
245 "hcaHandles": {
246 "$ref": "defs.json#/definitions/uint32"
247 },
248 "hcaObjects": {
249 "$ref": "defs.json#/definitions/uint32"
250 }
251 }
252 },
242253 "NamespaceType": {
243254 "type": "string",
244255 "enum": [
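Review bot: `Rdma` declares `hcaHandles` and `hcaObjects` but no `"additionalProperties": false`, so a misspelled key such as `hcaHandle` passes validation and is silently ignored, which per the Go comment leaves that resource at "no limit"; the negative test added in this change only covers a wrong value type (`"not a uint32"`). Consider closing the object (if that is consistent with the other definitions here) and adding a second bad-config test with an unknown key.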
0 {
1 "definitions": {
2 "RootImageFormat": {
3 "type": "string",
4 "enum": [
5 "raw",
6 "qcow2",
7 "vdi",
8 "vmdk",
9 "vhd"
10 ]
11 }
12 }
13 }
0 {
1 "definitions": {
2 "Device": {
3 "type": "object",
4 "properties": {
5 "id": {
6 "type": "string"
7 },
8 "idType": {
9 "type": "string",
10 "enum": [
11 "class"
12 ]
13 }
14 },
15 "required": [
16 "id",
17 "idType"
18 ]
19 }
20 }
21 }
107107 "IDMapping": {
108108 "type": "object",
109109 "properties": {
110 "hostID": {
110 "containerID": {
111111 "$ref": "#/definitions/uint32"
112112 },
113 "containerID": {
113 "hostID": {
114114 "$ref": "#/definitions/uint32"
115115 },
116116 "size": {
118118 }
119119 },
120120 "required": [
121 "containerID",
121122 "hostID",
122 "containerID",
123123 "size"
124124 ]
125125 },
00 {
11 "description": "Open Container Runtime State Schema",
22 "$schema": "http://json-schema.org/draft-04/schema#",
3 "id": "https://opencontainers.org/schema/state",
43 "type": "object",
54 "properties": {
65 "ociVersion": {
7 "id": "https://opencontainers.org/schema/runtime/state/ociVersion",
86 "$ref": "defs.json#/definitions/ociVersion"
97 },
108 "id": {
11 "id": "https://opencontainers.org/schema/runtime/state/id",
129 "description": "the container's ID",
1310 "type": "string"
1411 },
1512 "status": {
16 "id": "https://opencontainers.org/schema/runtime/state/status",
1713 "type": "string",
1814 "enum": [
1915 "creating",
2319 ]
2420 },
2521 "pid": {
26 "id": "https://opencontainers.org/schema/runtime/state/pid",
2722 "type": "integer",
2823 "minimum": 0
2924 },
3025 "bundle": {
31 "id": "https://opencontainers.org/schema/runtime/state/bundle",
3226 "type": "string"
3327 },
3428 "annotations": {
0 {
1 "ociVersion": "1.0.0",
2 "root": {
3 "path": "rootfs"
4 },
5 "linux": {
6 "resources": {
7 "rdma": {
8 "mlx5_1": {
9 "hcaHandles": "not a uint32"
10 }
11 }
12 }
13 }
14 }
0 {
1 "ociVersion": "1.0.0",
2 "root": {
3 "path": "rootfs"
4 },
5 "linux": {
6 "resources": {
7 "rdma": {
8 "mlx5_1": {
9 "hcaHandles": 3,
10 "hcaObjects": 10000
11 },
12 "mlx4_0": {
13 "hcaObjects": 1000
14 },
15 "rxe3": {
16 "hcaObjects": 10000
17 }
18 }
19 }
20 }
21 }
193193 ],
194194 "uidMappings": [
195195 {
196 "containerID": 0,
196197 "hostID": 1000,
198 "size": 32000
199 }
200 ],
201 "gidMappings": [
202 {
197203 "containerID": 0,
198 "size": 32000
199 }
200 ],
201 "gidMappings": [
202 {
203204 "hostID": 1000,
204 "containerID": 0,
205205 "size": 32000
206206 }
207207 ],
1515 * `linux`: [runtime.md](runtime.md), [config.md](config.md), [config-linux.md](config-linux.md), and [runtime-linux.md](runtime-linux.md).
1616 * `solaris`: [runtime.md](runtime.md), [config.md](config.md), and [config-solaris.md](config-solaris.md).
1717 * `windows`: [runtime.md](runtime.md), [config.md](config.md), and [config-windows.md](config-windows.md).
18 * `vm`: [runtime.md](runtime.md), [config.md](config.md), and [config-vm.md](config-vm.md).
1819
1920 # <a name="ociRuntimeSpecTOC" />Table of Contents
2021
2829 - [Linux-specific Configuration](config-linux.md)
2930 - [Solaris-specific Configuration](config-solaris.md)
3031 - [Windows-specific Configuration](config-windows.md)
32 - [Virtual-Machine-specific Configuration](config-vm.md)
3133 - [Glossary](glossary.md)
3234
3335 # <a name="ociRuntimeSpecNotationalConventions" />Notational Conventions
2424 Solaris *Solaris `json:"solaris,omitempty" platform:"solaris"`
2525 // Windows is platform-specific configuration for Windows based containers.
2626 Windows *Windows `json:"windows,omitempty" platform:"windows"`
27 // VM specifies configuration for virtual-machine-based containers.
28 VM *VM `json:"vm,omitempty" platform:"vm"`
2729 }
2830
2931 // Process contains information to start a specific application inside the container.
157159 ReadonlyPaths []string `json:"readonlyPaths,omitempty"`
158160 // MountLabel specifies the selinux context for the mounts in the container.
159161 MountLabel string `json:"mountLabel,omitempty"`
160 // IntelRdt contains Intel Resource Director Technology (RDT) information
161 // for handling resource constraints (e.g., L3 cache) for the container
162 // IntelRdt contains Intel Resource Director Technology (RDT) information for
163 // handling resource constraints (e.g., L3 cache, memory bandwidth) for the container
162164 IntelRdt *LinuxIntelRdt `json:"intelRdt,omitempty"`
163165 }
164166
193195
194196 // LinuxIDMapping specifies UID/GID mappings
195197 type LinuxIDMapping struct {
198 // ContainerID is the starting UID/GID in the container
199 ContainerID uint32 `json:"containerID"`
196200 // HostID is the starting UID/GID on the host to be mapped to 'ContainerID'
197201 HostID uint32 `json:"hostID"`
198 // ContainerID is the starting UID/GID in the container
199 ContainerID uint32 `json:"containerID"`
200202 // Size is the number of IDs to be mapped
201203 Size uint32 `json:"size"`
202204 }
319321 Priorities []LinuxInterfacePriority `json:"priorities,omitempty"`
320322 }
321323
324 // LinuxRdma for Linux cgroup 'rdma' resource management (Linux 4.11)
325 type LinuxRdma struct {
326 // Maximum number of HCA handles that can be opened. Default is "no limit".
327 HcaHandles *uint32 `json:"hcaHandles,omitempty"`
328 // Maximum number of HCA objects that can be created. Default is "no limit".
329 HcaObjects *uint32 `json:"hcaObjects,omitempty"`
330 }
331
322332 // LinuxResources has container runtime resource constraints
323333 type LinuxResources struct {
324334 // Devices configures the device whitelist.
335345 HugepageLimits []LinuxHugepageLimit `json:"hugepageLimits,omitempty"`
336346 // Network restriction configuration
337347 Network *LinuxNetwork `json:"network,omitempty"`
348 // Rdma resource restriction configuration.
349 // Limits are a set of key value pairs that define RDMA resource limits,
350 // where the key is device name and value is resource limits.
351 Rdma map[string]LinuxRdma `json:"rdma,omitempty"`
338352 }
339353
340354 // LinuxDevice represents the mknod information for a Linux special device file
418432 type Windows struct {
419433 // LayerFolders contains a list of absolute paths to directories containing image layers.
420434 LayerFolders []string `json:"layerFolders"`
435 // Devices are the list of devices to be mapped into the container.
436 Devices []WindowsDevice `json:"devices,omitempty"`
421437 // Resources contains information for handling resource constraints for the container.
422438 Resources *WindowsResources `json:"resources,omitempty"`
423439 // CredentialSpec contains a JSON object describing a group Managed Service Account (gMSA) specification.
432448 Network *WindowsNetwork `json:"network,omitempty"`
433449 }
434450
451 // WindowsDevice represents information about a host device to be mapped into the container.
452 type WindowsDevice struct {
453 // Device identifier: interface class GUID, etc.
454 ID string `json:"id"`
455 // Device identifier type: "class", etc.
456 IDType string `json:"idType"`
457 }
458
435459 // WindowsResources has container runtime resource constraints for containers running on Windows.
436460 type WindowsResources struct {
437461 // Memory restriction configuration.
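Review bot: the comment on `WindowsDevice.IDType` says `"class", etc.`, but the `Device` definition added in defs-windows.json restricts `idType` to the single enum value `"class"`; either drop the "etc." so the doc comment matches what the schema accepts, or widen the enum if other identifier types are intended.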
478502 DNSSearchList []string `json:"DNSSearchList,omitempty"`
479503 // Name (ID) of the container that we will share with the network stack.
480504 NetworkSharedContainerName string `json:"networkSharedContainerName,omitempty"`
505 // name (ID) of the network namespace that will be used for the container.
506 NetworkNamespace string `json:"networkNamespace,omitempty"`
481507 }
482508
483509 // WindowsHyperV contains information for configuring a container to run with Hyper-V isolation.
484510 type WindowsHyperV struct {
485511 // UtilityVMPath is an optional path to the image used for the Utility VM.
486512 UtilityVMPath string `json:"utilityVMPath,omitempty"`
513 }
514
515 // VM contains information for virtual-machine-based containers.
516 type VM struct {
517 // Hypervisor specifies hypervisor-related configuration for virtual-machine-based containers.
518 Hypervisor VMHypervisor `json:"hypervisor,omitempty"`
519 // Kernel specifies kernel-related configuration for virtual-machine-based containers.
520 Kernel VMKernel `json:"kernel"`
521 // Image specifies guest image related configuration for virtual-machine-based containers.
522 Image VMImage `json:"image,omitempty"`
523 }
524
525 // VMHypervisor contains information about the hypervisor to use for a virtual machine.
526 type VMHypervisor struct {
527 // Path is the host path to the hypervisor used to manage the virtual machine.
528 Path string `json:"path"`
529 // Parameters specifies parameters to pass to the hypervisor.
530 Parameters []string `json:"parameters,omitempty"`
531 }
532
533 // VMKernel contains information about the kernel to use for a virtual machine.
534 type VMKernel struct {
535 // Path is the host path to the kernel used to boot the virtual machine.
536 Path string `json:"path"`
537 // Parameters specifies parameters to pass to the kernel.
538 Parameters []string `json:"parameters,omitempty"`
539 // InitRD is the host path to an initial ramdisk to be used by the kernel.
540 InitRD string `json:"initrd,omitempty"`
541 }
542
543 // VMImage contains information about the virtual machine root image.
544 type VMImage struct {
545 // Path is the host path to the root image that the VM kernel would boot into.
546 Path string `json:"path"`
547 // Format is the root image format type (e.g. "qcow2", "raw", "vhd", etc).
548 Format string `json:"format"`
487549 }
488550
489551 // LinuxSeccomp represents syscall restrictions
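Review bot: `Hypervisor VMHypervisor` and `Image VMImage` carry `omitempty` on struct values, which encoding/json ignores (a struct is never "empty"), so a `VM` with no hypervisor or image configured still serializes as `"hypervisor": {"path": ""}` and `"image": {"path": "", "format": ""}`, while the schema treats both as optional sub-objects with a required `path`. Make them `*VMHypervisor` and `*VMImage`, matching `*LinuxIntelRdt` and the other optional sub-objects in this file. Minor: the new `NetworkNamespace` comment should start with the field name and a capital letter like the surrounding fields, e.g. `// NetworkNamespace is the name (ID) of the network namespace ...`.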
560622 Args []LinuxSeccompArg `json:"args,omitempty"`
561623 }
562624
563 // LinuxIntelRdt has container runtime resource constraints
564 // for Intel RDT/CAT which introduced in Linux 4.10 kernel
625 // LinuxIntelRdt has container runtime resource constraints for Intel RDT
626 // CAT and MBA features which introduced in Linux 4.10 and 4.12 kernel
565627 type LinuxIntelRdt struct {
628 // The identity for RDT Class of Service
629 ClosID string `json:"closID,omitempty"`
566630 // The schema for L3 cache id and capacity bitmask (CBM)
567631 // Format: "L3:<cache_id0>=<cbm0>;<cache_id1>=<cbm1>;..."
568632 L3CacheSchema string `json:"l3CacheSchema,omitempty"`
569 }
633
634 // The schema of memory bandwidth per L3 cache id
635 // Format: "MB:<cache_id0>=bandwidth0;<cache_id1>=bandwidth1;..."
636 // The unit of memory bandwidth is specified in "percentages" by
637 // default, and in "MBps" if MBA Software Controller is enabled.
638 MemBwSchema string `json:"memBwSchema,omitempty"`
639 }
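Review bot: the updated type comment reads `CAT and MBA features which introduced in Linux 4.10 and 4.12 kernel`; it should be `which were introduced in the Linux 4.10 and 4.12 kernels`. It would also help to state in the `ClosID` comment that the runtime is expected to create or reuse the named CLOS, since nothing in the schema constrains the value.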
1010 VersionPatch = 1
1111
1212 // VersionDev indicates development branch. Releases will be empty string.
13 VersionDev = ""
13 VersionDev = "-dev"
1414 )
1515
1616 // Version is the specification version that the package types support.