Import upstream version 1.0.2.114.g494a5a6
Debian Janitor
1 year, 6 months ago
| 0 | * @crosbymichael @cyphar @dqminh @giuseppe @hqhq @mrunalp @tianon @vbatts | |
| 0 | * @AkihiroSuda @crosbymichael @cyphar @dqminh @giuseppe @hqhq @kolyshkin @mrunalp @thaJeztah @tianon @vbatts |
| 66 | 66 | |
| 67 | 67 | > [runtime-spec adopted]: Tag 0647920 as 1.0.0-rc (+6 -0 #3) |
| 68 | 68 | |
| 69 | [charter]: https://www.opencontainers.org/about/governance | |
| 69 | [charter]: https://github.com/opencontainers/tob/blob/main/CHARTER.md |
| 5 | 5 | Qiang Huang <h.huangqiang@huawei.com> (@hqhq) |
| 6 | 6 | Aleksa Sarai <asarai@suse.de> (@cyphar) |
| 7 | 7 | Giuseppe Scrivano <gscrivan@redhat.com> (@giuseppe) |
| 8 | Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> (@AkihiroSuda) | |
| 9 | Kir Kolyshkin <kolyshkin@gmail.com> (@kolyshkin) | |
| 10 | Sebastiaan van Stijn <github@gone.nl> (@thaJeztah) |
| 47 | 47 | For example if a breaking change is introduced in v1.0.0-rc2 then the series would end with v1.0.0-rc4 and v1.0.0. |
| 48 | 48 | * Minor and patch releases SHOULD be made on an as-needed basis. |
| 49 | 49 | |
| 50 | [charter]: https://www.opencontainers.org/about/governance | |
| 50 | [charter]: https://github.com/opencontainers/tob/blob/main/CHARTER.md | |
| 51 | 51 | |
| 52 | 52 | ## Checklist |
| 53 | 53 |
| 335 | 335 | To disable it, specify a value of `true`. |
| 336 | 336 | * **`useHierarchy`** *(bool, OPTIONAL)* - enables or disables hierarchical memory accounting. |
| 337 | 337 | If enabled (`true`), child cgroups will share the memory limits of this cgroup. |
| 338 | * **`checkBeforeUpdate`** *(bool, OPTIONAL)* - enables container memory usage check before setting a new limit. | |
| 339 | If enabled (`true`), runtime MAY check if a new memory limit is lower than the current usage, and MUST | |
| 340 | reject the new limit. Practically, when cgroup v1 is used, the kernel rejects the limit lower than the | |
| 341 | current usage, and when cgroup v2 is used, an OOM killer is invoked. This setting can be used on | |
| 342 | cgroup v2 to mimic the cgroup v1 behavior. | |
| 338 | 343 | |
| 339 | 344 | #### Example |
| 340 | 345 | |
| 700 | 705 | * `SECCOMP_FILTER_FLAG_TSYNC` |
| 701 | 706 | * `SECCOMP_FILTER_FLAG_LOG` |
| 702 | 707 | * `SECCOMP_FILTER_FLAG_SPEC_ALLOW` |
| 708 | * `SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV` | |
| 703 | 709 | |
| 704 | 710 | * **`listenerPath`** *(string, OPTIONAL)* - specifies the path of UNIX domain socket over which the runtime will send the [container process state](#containerprocessstate) data structure when the `SCMP_ACT_NOTIFY` action is used. |
| 705 | 711 | This socket MUST use `AF_UNIX` domain and `SOCK_STREAM` type. |
| 352 | 352 | |
| 353 | 353 | ```json |
| 354 | 354 | "hostname": "mrsdalloway" |
| 355 | ``` | |
| 356 | ||
| 357 | ## <a name="configDomainname" />Domainname | |
| 358 | ||
| 359 | * **`domainname`** (string, OPTIONAL) specifies the container's domainname as seen by processes running inside the container. | |
| 360 | On Linux, for example, this will change the domainname in the [container](glossary.md#container-namespace) [UTS namespace][uts-namespace.7]. | |
| 361 | Depending on your [namespace configuration](config-linux.md#namespaces), the container UTS namespace may be the [runtime](glossary.md#runtime-namespace) [UTS namespace][uts-namespace.7]. | |
| 362 | ||
| 363 | ### Example | |
| 364 | ||
| 365 | ```json | |
| 366 | "domainname": "foobarbaz.test" | |
| 355 | 367 | ``` |
| 356 | 368 | |
| 357 | 369 | ## <a name="configPlatformSpecificConfiguration" />Platform-specific configuration |
| 0 | BEGIN:VCALENDAR | |
| 1 | VERSION:2.0 | |
| 2 | PRODID:-//Open Containers Initiative//Developer Meeting//EN | |
| 3 | BEGIN:VTIMEZONE | |
| 4 | TZID:America/Los_Angeles | |
| 5 | LAST-MODIFIED:20050809T050000Z | |
| 6 | BEGIN:STANDARD | |
| 7 | DTSTART:20071104T020000 | |
| 8 | RRULE:FREQ=YEARLY;BYMONTH=11;BYDAY=1SU | |
| 9 | TZOFFSETFROM:-0700 | |
| 10 | TZOFFSETTO:-0800 | |
| 11 | TZNAME:PST | |
| 12 | END:STANDARD | |
| 13 | BEGIN:DAYLIGHT | |
| 14 | DTSTART:20070311T020000 | |
| 15 | RRULE:FREQ=YEARLY;BYMONTH=3;BYDAY=2SU | |
| 16 | TZOFFSETFROM:-0800 | |
| 17 | TZOFFSETTO:-0700 | |
| 18 | TZNAME:PDT | |
| 19 | END:DAYLIGHT | |
| 20 | END:VTIMEZONE | |
| 21 | BEGIN:VEVENT | |
| 22 | UID:tdc-meeting@opencontainers.org | |
| 23 | DTSTAMP:20180628T170000Z | |
| 24 | DTSTART;TZID=America/Los_Angeles:20170906T140000 | |
| 25 | RRULE:FREQ=MONTHLY;INTERVAL=1;BYDAY=1WE | |
| 26 | RDATE;TZID=America/Los_Angeles:20180110T140000 | |
| 27 | EXDATE;TZIP=America/Los_Angeles:20180103T140000 | |
| 28 | RDATE;TZID=America/Los_Angeles:20180711T140000 | |
| 29 | EXDATE;TZIP=America/Los_Angeles:20180704T140000 | |
| 30 | DURATION:PT1H | |
| 31 | SUMMARY:OCI TDC Meeting | |
| 32 | DESCRIPTION;ALTREP="https://github.com/opencontainers/runtime-spec# | |
| 33 | meetings":Open Containers Initiative Developer Meeting\n | |
| 34 | https://github.com/opencontainers/runtime-spec#meetings\n | |
| 35 | Web: https://www.uberconference.com/opencontainers\n | |
| 36 | Audio-only: +1 415 968 0849 (no PIN needed) | |
| 37 | LOCATION:https://www.uberconference.com/opencontainers | |
| 38 | URL:https://github.com/opencontainers/runtime-spec/blob/master/meeting.ics | |
| 39 | END:VEVENT | |
| 40 | END:VCALENDAR | |
| 0 | BEGIN:VCALENDAR | |
| 1 | VERSION:2.0 | |
| 2 | PRODID:-//Open Containers Initiative//Developer Meeting//EN | |
| 3 | BEGIN:VTIMEZONE | |
| 4 | TZID:America/Los_Angeles | |
| 5 | LAST-MODIFIED:20050809T050000Z | |
| 6 | BEGIN:STANDARD | |
| 7 | DTSTART:20071104T020000 | |
| 8 | RRULE:FREQ=YEARLY;BYMONTH=11;BYDAY=1SU | |
| 9 | TZOFFSETFROM:-0700 | |
| 10 | TZOFFSETTO:-0800 | |
| 11 | TZNAME:PST | |
| 12 | END:STANDARD | |
| 13 | BEGIN:DAYLIGHT | |
| 14 | DTSTART:20070311T020000 | |
| 15 | RRULE:FREQ=YEARLY;BYMONTH=3;BYDAY=2SU | |
| 16 | TZOFFSETFROM:-0800 | |
| 17 | TZOFFSETTO:-0700 | |
| 18 | TZNAME:PDT | |
| 19 | END:DAYLIGHT | |
| 20 | END:VTIMEZONE | |
| 21 | BEGIN:VEVENT | |
| 22 | UID:tdc-meeting@opencontainers.org | |
| 23 | DTSTAMP:20180628T170000Z | |
| 24 | DTSTART;TZID=America/Los_Angeles:20170906T140000 | |
| 25 | RRULE:FREQ=MONTHLY;INTERVAL=1;BYDAY=1WE | |
| 26 | RDATE;TZID=America/Los_Angeles:20180110T140000 | |
| 27 | EXDATE;TZIP=America/Los_Angeles:20180103T140000 | |
| 28 | RDATE;TZID=America/Los_Angeles:20180711T140000 | |
| 29 | EXDATE;TZIP=America/Los_Angeles:20180704T140000 | |
| 30 | DURATION:PT1H | |
| 31 | SUMMARY:OCI TDC Meeting | |
| 32 | DESCRIPTION;ALTREP="https://github.com/opencontainers/runtime-spec# | |
| 33 | meetings":Open Containers Initiative Developer Meeting\n | |
| 34 | https://github.com/opencontainers/runtime-spec#meetings\n | |
| 35 | Web: https://www.uberconference.com/opencontainers\n | |
| 36 | Audio-only: +1 415 968 0849 (no PIN needed) | |
| 37 | LOCATION:https://www.uberconference.com/opencontainers | |
| 38 | URL:https://github.com/opencontainers/runtime-spec/blob/master/meeting.ics | |
| 39 | END:VEVENT | |
| 40 | END:VCALENDAR |
| 168 | 168 | }, |
| 169 | 169 | "useHierarchy": { |
| 170 | 170 | "type": "boolean" |
| 171 | }, | |
| 172 | "checkBeforeUpdate": { | |
| 173 | "type": "boolean" | |
| 171 | 174 | } |
| 172 | 175 | } |
| 173 | 176 | }, |
| 32 | 32 | "$ref": "defs.json#/definitions/annotations" |
| 33 | 33 | }, |
| 34 | 34 | "hostname": { |
| 35 | "type": "string" | |
| 36 | }, | |
| 37 | "domainname": { | |
| 35 | 38 | "type": "string" |
| 36 | 39 | }, |
| 37 | 40 | "mounts": { |
| 69 | 69 | "enum": [ |
| 70 | 70 | "SECCOMP_FILTER_FLAG_TSYNC", |
| 71 | 71 | "SECCOMP_FILTER_FLAG_LOG", |
| 72 | "SECCOMP_FILTER_FLAG_SPEC_ALLOW" | |
| 72 | "SECCOMP_FILTER_FLAG_SPEC_ALLOW", | |
| 73 | "SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV" | |
| 73 | 74 | ] |
| 74 | 75 | }, |
| 75 | 76 | "SeccompOperators": { |
| 62 | 62 | "readonly": true |
| 63 | 63 | }, |
| 64 | 64 | "hostname": "slartibartfast", |
| 65 | "domainname": "foobarbaz.test", | |
| 65 | 66 | "mounts": [ |
| 66 | 67 | { |
| 67 | 68 | "destination": "/proc", |
| 268 | 269 | "kernelTCP": -1, |
| 269 | 270 | "swappiness": 0, |
| 270 | 271 | "disableOOMKiller": false, |
| 271 | "useHierarchy": false | |
| 272 | "useHierarchy": false, | |
| 273 | "checkBeforeUpdate": false | |
| 272 | 274 | }, |
| 273 | 275 | "cpu": { |
| 274 | 276 | "shares": 1024, |
| 11 | 11 | Root *Root `json:"root,omitempty"` |
| 12 | 12 | // Hostname configures the container's hostname. |
| 13 | 13 | Hostname string `json:"hostname,omitempty"` |
| 14 | // Domainname configures the container's domainname. | |
| 15 | Domainname string `json:"domainname,omitempty"` | |
| 14 | 16 | // Mounts configures additional mounts (on top of Root). |
| 15 | 17 | Mounts []Mount `json:"mounts,omitempty"` |
| 16 | 18 | // Hooks configures callbacks for container lifecycle events. |
| 316 | 318 | DisableOOMKiller *bool `json:"disableOOMKiller,omitempty"` |
| 317 | 319 | // Enables hierarchical memory accounting |
| 318 | 320 | UseHierarchy *bool `json:"useHierarchy,omitempty"` |
| 321 | // CheckBeforeUpdate enables checking if a new memory limit is lower | |
| 322 | // than the current usage during update, and if so, rejecting the new | |
| 323 | // limit. | |
| 324 | CheckBeforeUpdate *bool `json:"checkBeforeUpdate,omitempty"` | |
| 319 | 325 | } |
| 320 | 326 | |
| 321 | 327 | // LinuxCPU for Linux cgroup 'cpu' resource management |
| 642 | 648 | // LinuxSeccompFlagSpecAllow can be used to disable Speculative Store |
| 643 | 649 | // Bypass mitigation. (since Linux 4.17) |
| 644 | 650 | LinuxSeccompFlagSpecAllow LinuxSeccompFlag = "SECCOMP_FILTER_FLAG_SPEC_ALLOW" |
| 651 | ||
| 652 | // LinuxSeccompFlagWaitKillableRecv can be used to switch to the wait | |
| 653 | // killable semantics. (since Linux 5.19) | |
| 654 | LinuxSeccompFlagWaitKillableRecv LinuxSeccompFlag = "SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV" | |
| 645 | 655 | ) |
| 646 | 656 | |
| 647 | 657 | // Additional architectures permitted to be used for system calls |