New upstream version 1.0.2.66.g20a2d97
Shengjing Zhu
2 years ago
134 | 134 | 8. When possible, one keyword to scope the change in the subject (i.e. "README: ...", "runtime: ...") |
135 | 135 | |
136 | 136 | |
137 | [charter]: https://www.opencontainers.org/about/governance | |
137 | [charter]: https://github.com/opencontainers/tob/blob/master/CHARTER.md | |
138 | 138 | [code-of-conduct]: https://github.com/opencontainers/org/blob/master/CODE_OF_CONDUCT.md |
139 | 139 | [dev-list]: https://groups.google.com/a/opencontainers.org/forum/#!forum/dev |
140 | 140 | [how-to-git-commit]: http://chris.beams.io/posts/git-commit |
263 | 263 | * **`limit`** *(int64, OPTIONAL)* - sets limit of memory usage |
264 | 264 | * **`reservation`** *(int64, OPTIONAL)* - sets soft limit of memory usage |
265 | 265 | * **`swap`** *(int64, OPTIONAL)* - sets limit of memory+Swap usage |
266 | * **`kernel`** *(int64, OPTIONAL)* - sets hard limit for kernel memory | |
267 | * **`kernelTCP`** *(int64, OPTIONAL)* - sets hard limit for kernel TCP buffer memory | |
266 | * **`kernel`** *(int64, OPTIONAL, NOT RECOMMENDED)* - sets hard limit for kernel memory | |
267 | * **`kernelTCP`** *(int64, OPTIONAL, NOT RECOMMENDED)* - sets hard limit for kernel TCP buffer memory | |
268 | 268 | |
269 | 269 | The following properties do not specify memory limits, but are covered by the `memory` controller: |
270 | 270 | |
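Review bot: `kernel` and `kernelTCP` are tagged NOT RECOMMENDED, but the lines give no reason and no guidance on what a runtime should do when a config still sets them (honor, warn, or ignore). A short clause such as "runtimes MAY ignore these fields and SHOULD [log a warning](runtime.md#warnings) when they are set" would make the deprecation actionable instead of leaving the behaviour implementation-defined.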
529 | 529 | The following parameters can be specified for the container: |
530 | 530 | |
531 | 531 | * **`closID`** *(string, OPTIONAL)* - specifies the identity for RDT Class of Service (CLOS). |
532 | If `closID` is set, runtimes MUST create `closID` directory in a mounted `resctrl` pseudo-filesystem if it doesn't exist. If not set, runtimes MUST use the container ID from [`start`](runtime.md#start) and create the `<container-id>` directory. | |
533 | 532 | |
534 | 533 | * **`l3CacheSchema`** *(string, OPTIONAL)* - specifies the schema for L3 cache id and capacity bitmask (CBM). |
535 | 534 | The value SHOULD start with `L3:` and SHOULD NOT contain newlines. |
536 | 535 | * **`memBwSchema`** *(string, OPTIONAL)* - specifies the schema of memory bandwidth per L3 cache id. |
537 | * The value MUST start with `MB:` and MUST NOT contain newlines. | |
538 | ||
539 | * If both `l3CacheSchema` and `memBwSchema` are set, runtimes MUST write the combined value to the `schemata` file in that sub-directory discussed in `closID`. | |
540 | ||
541 | * If `l3CacheSchema` contains a line beginning with `MB:`, the value written to `schemata` file MUST be the non-`MB:` line(s) from `l3CacheSchema` and the line from `memBWSchema`. | |
542 | ||
543 | * If either `l3CacheSchema` or `memBwSchema` is set, runtimes MUST write the value to the `schemata` file in the that sub-directory discussed in `closID`. | |
544 | ||
545 | * If neither `l3CacheSchema` nor `memBwSchema` is set, runtimes MUST NOT write to `schemata` files in any `resctrl` pseudo-filesystems. | |
546 | ||
547 | * If `closID` is set, `l3CacheSchema` and/or `memBwSchema` is set, runtimes MUST compare `l3CacheSchema` and/or `memBwSchema` value with `schemata` file, and [generate an error](runtime.md#errors) if doesn't match. | |
548 | ||
549 | * If `closID` is set, and neither of `l3CacheSchema` and `memBwSchema` are set, runtime MUST check if corresponding pre-configured directory `closID` is present in mounted `resctrl`. If such pre-configured directory `closID` exists, runtime MUST assign container to this `closID` and [generate an error](runtime.md#errors) if directory does not exist. | |
536 | The value MUST start with `MB:` and MUST NOT contain newlines. | |
537 | ||
538 | The following rules on parameters MUST be applied: | |
539 | ||
540 | * If both `l3CacheSchema` and `memBwSchema` are set, runtimes MUST write the combined value to the `schemata` file in that sub-directory discussed in `closID`. | |
541 | ||
542 | * If `l3CacheSchema` contains a line beginning with `MB:`, the value written to `schemata` file MUST be the non-`MB:` line(s) from `l3CacheSchema` and the line from `memBWSchema`. | |
543 | ||
544 | * If either `l3CacheSchema` or `memBwSchema` is set, runtimes MUST write the value to the `schemata` file in the that sub-directory discussed in `closID`. | |
545 | ||
546 | * If neither `l3CacheSchema` nor `memBwSchema` is set, runtimes MUST NOT write to `schemata` files in any `resctrl` pseudo-filesystems. | |
547 | ||
548 | * If `closID` is not set, runtimes MUST use the container ID from [`start`](runtime.md#start) and create the `<container-id>` directory. | |
549 | ||
550 | * If `closID` is set, `l3CacheSchema` and/or `memBwSchema` is set | |
551 | * if `closID` directory in a mounted `resctrl` pseudo-filesystem doesn't exist, the runtimes MUST create it. | |
552 | * if `closID` directory in a mounted `resctrl` pseudo-filesystem exists, runtimes MUST compare `l3CacheSchema` and/or `memBwSchema` value with `schemata` file, and [generate an error](runtime.md#errors) if doesn't match. | |
553 | ||
554 | * If `closID` is set, and neither of `l3CacheSchema` and `memBwSchema` are set, runtime MUST check if corresponding pre-configured directory `closID` is present in mounted `resctrl`. If such pre-configured directory `closID` exists, runtime MUST assign container to this `closID` and [generate an error](runtime.md#errors) if directory does not exist. | |
550 | 555 | |
551 | 556 | |
552 | 557 | ### Example |
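Review bot: two wording defects survive in the rewritten rule list: `memBWSchema` in "the line from `memBWSchema`" should be `memBwSchema` (the field is spelled `memBwSchema` everywhere else in this hunk), and "in the that sub-directory discussed in `closID`" has a stray "the". Separately, the last rule ("runtime MUST assign container to this `closID` and generate an error if directory does not exist") reads as if both happen; splitting it into "if the directory exists, assign the container to it; otherwise, generate an error" would match the structure of the new nested rule just above it.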
593 | 598 | The following parameters can be specified to set up seccomp: |
594 | 599 | |
595 | 600 | * **`defaultAction`** *(string, REQUIRED)* - the default action for seccomp. Allowed values are the same as `syscalls[].action`. |
601 | * **`defaultErrnoRet`** *(uint, OPTIONAL)* - the errno return code to use. | |
602 | Some actions like `SCMP_ACT_ERRNO` and `SCMP_ACT_TRACE` allow to specify the errno code to return. | |
603 | When the action doesn't support an errno, the runtime MUST print and error and fail. | |
604 | If not specified then its default value is `EPERM`. | |
596 | 605 | * **`architectures`** *(array of strings, OPTIONAL)* - the architecture used for system calls. |
597 | 606 | A valid list of constants as of libseccomp v2.5.0 is shown below. |
598 | 607 | |
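Review bot: "the runtime MUST print and error and fail" in the new `defaultErrnoRet` text should read "print an error", and the rest of this document expresses that requirement as "MUST [generate an error](runtime.md#errors)"; using the same link keeps the failure semantics uniform. The type is given here as `uint`, while the schema hunk in this commit binds `defaultErrnoRet` to `defs.json#/definitions/uint32` and the Go struct uses `*uint`; stating one width avoids a doc/schema mismatch.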
624 | 633 | * `SECCOMP_FILTER_FLAG_LOG` |
625 | 634 | * `SECCOMP_FILTER_FLAG_SPEC_ALLOW` |
626 | 635 | |
636 | * **`listenerPath`** *(string, OPTIONAL)* - specifies the path of UNIX domain socket over which the runtime will send the [container process state](#containerprocessstate) data structure when the `SCMP_ACT_NOTIFY` action is used. | |
637 | This socket MUST use `AF_UNIX` domain and `SOCK_STREAM` type. | |
638 | The runtime MUST send exactly one [container process state](#containerprocessstate) per connection. | |
639 | The connection MUST NOT be reused and it MUST be closed after sending a seccomp state. | |
640 | If sending to this socket fails, the runtime MUST [generate an error](runtime.md#errors). | |
641 | If the `SCMP_ACT_NOTIFY` action is not used this value is ignored. | |
642 | ||
643 | The runtime sends the following file descriptors using `SCM_RIGHTS` and set their names in the `fds` array of the [container process state](#containerprocessstate): | |
644 | ||
645 | * **`seccompFd`** (string, REQUIRED) is the seccomp file descriptor returned by the seccomp syscall. | |
646 | ||
647 | * **`listenerMetadata`** *(string, OPTIONAL)* - specifies an opaque data to pass to the seccomp agent. | |
648 | This string will be sent as the `metadata` field in the [container process state](#containerprocessstate). | |
649 | This field MUST NOT be set if `listenerPath` is not set. | |
650 | ||
627 | 651 | * **`syscalls`** *(array of objects, OPTIONAL)* - match a syscall in seccomp. |
628 | 652 | While this property is OPTIONAL, some values of `defaultAction` are not useful without `syscalls` entries. |
629 | 653 | For example, if `defaultAction` is `SCMP_ACT_KILL` and `syscalls` is empty or unset, the kernel will kill the container process on its first syscall. |
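Review bot: the `listenerPath` text does not say in which mount namespace the path is resolved (the runtime's host view or the container's rootfs). Since the `seccompFd` handed over this socket lets the listener decide the outcome of the container's syscalls, the spec should state explicitly that the path is resolved by the runtime on the host so that implementations do not resolve it inside container-controlled paths. Minor grammar in the same block: "The runtime sends the following file descriptors ... and set their names" should be "sets their names", and "specifies an opaque data" should be "specifies opaque data".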
632 | 656 | * **`names`** *(array of strings, REQUIRED)* - the names of the syscalls. |
633 | 657 | `names` MUST contain at least one entry. |
634 | 658 | * **`action`** *(string, REQUIRED)* - the action for seccomp rules. |
635 | A valid list of constants as of libseccomp v2.4.0 is shown below. | |
659 | A valid list of constants as of libseccomp v2.5.0 is shown below. | |
636 | 660 | |
637 | 661 | * `SCMP_ACT_KILL` |
638 | 662 | * `SCMP_ACT_KILL_PROCESS` |
642 | 666 | * `SCMP_ACT_TRACE` |
643 | 667 | * `SCMP_ACT_ALLOW` |
644 | 668 | * `SCMP_ACT_LOG` |
669 | * `SCMP_ACT_NOTIFY` | |
645 | 670 | |
646 | 671 | * **`errnoRet`** *(uint, OPTIONAL)* - the errno return code to use. |
647 | Some actions like `SCMP_ACT_ERRNO` and `SCMP_ACT_TRACE` allow to specify the errno | |
648 | code to return. If not specified its default value is `EPERM`. | |
672 | Some actions like `SCMP_ACT_ERRNO` and `SCMP_ACT_TRACE` allow to specify the errno code to return. | |
673 | When the action doesn't support an errno, the runtime MUST print and error and fail. | |
674 | If not specified its default value is `EPERM`. | |
649 | 675 | |
650 | 676 | * **`args`** *(array of objects, OPTIONAL)* - the specific syscall in seccomp. |
651 | 677 | Each entry has the following structure: |
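Review bot: the same "MUST print and error and fail" typo appears in the `errnoRet` text added here; suggest "MUST [generate an error](runtime.md#errors)" for consistency with the rest of the section. The three sentences are otherwise identical to the `defaultErrnoRet` description; a cross-reference ("same semantics as `defaultErrnoRet`, applied per rule") would keep the two from drifting apart.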
685 | 711 | } |
686 | 712 | ``` |
687 | 713 | |
714 | ### <a name="containerprocessstate" />The Container Process State | |
715 | ||
716 | The container process state is a data structure passed via a UNIX socket. | |
717 | The container runtime MUST send the container process state over the UNIX socket as regular payload serialized in JSON and file descriptors MUST be sent using `SCM_RIGHTS`. | |
718 | The container runtime MAY use several `sendmsg(2)` calls to send the aforementioned data. | |
719 | If more than one `sendmsg(2)` is used, the file descriptors MUST be sent only in the first call. | |
720 | ||
721 | The container process state includes the following properties: | |
722 | ||
723 | * **`ociVersion`** (string, REQUIRED) is version of the Open Container Initiative Runtime Specification with which the container process state complies. | |
724 | * **`fds`** (array, OPTIONAL) is a string array containing the names of the file descriptors passed. | |
725 | The index of the name in this array corresponds to index of the file descriptors in the `SCM_RIGHTS` array. | |
726 | * **`pid`** (int, REQUIRED) is the container process ID, as seen by the runtime. | |
727 | * **`metadata`** (string, OPTIONAL) opaque metadata. | |
728 | * **`state`** ([state](runtime.md#state), REQUIRED) is the state of the container. | |
729 | ||
730 | Example sending a single `seccompFD` file descriptor in the `SCM_RIGHTS` array: | |
731 | ||
732 | ```json | |
733 | { | |
734 | "ociVersion": "0.2.0", | |
735 | "fds": [ | |
736 | "seccompFd" | |
737 | ], | |
738 | "pid": 4422, | |
739 | "metadata": "MKNOD=/dev/null,/dev/net/tun;BPF_MAP_TYPES=hash,array", | |
740 | "state": { | |
741 | "ociVersion": "0.2.0", | |
742 | "id": "oci-container1", | |
743 | "status": "creating", | |
744 | "pid": 4422, | |
745 | "bundle": "/containers/redis", | |
746 | "annotations": { | |
747 | "myKey": "myValue" | |
748 | } | |
749 | } | |
750 | } | |
751 | ``` | |
752 | ||
688 | 753 | ## <a name="configLinuxRootfsMountPropagation" />Rootfs Mount Propagation |
689 | 754 | |
690 | 755 | **`rootfsPropagation`** (string, OPTIONAL) sets the rootfs's mount propagation. |
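Review bot: the example's `ociVersion` is "0.2.0" in both the outer object and the nested `state`, which does not match the spec version this commit imports (1.0.2); an example carrying a current version avoids implementers copying a stale value. The framing rules also leave the receiver's side implicit: because file descriptors MUST arrive in the first `sendmsg(2)` and exactly one state is sent per connection, a listener has to read ancillary data on its first `recvmsg(2)` and then read the JSON until EOF; one sentence saying so would prevent listeners that read the JSON first and silently lose the `SCM_RIGHTS` payload.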
746 | 811 | ## <a name="configLinuxPersonality" />Personality |
747 | 812 | |
748 | 813 | **`personality`** (object, OPTIONAL) sets the Linux execution personality. For more information |
749 | see the [personality](personality.2) syscall documentation. As most of the options are | |
814 | see the [personality][personality.2] syscall documentation. As most of the options are | |
750 | 815 | obsolete and rarely used, and some reduce security, the currently supported set is a small |
751 | 816 | subset of the available options. |
752 | 817 |
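Review bot: the link form changes from inline `(personality.2)` to reference-style `[personality.2]`, so rendering now depends on a `[personality.2]: ...` definition existing elsewhere in config-linux.md; that definition is not part of this diff and should be confirmed, otherwise the text renders as a literal bracketed string.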
0 | _This document is a work in progress._ | |
1 | ||
2 | # <a name="ZOSContainerConfiguration" />z/OS Container Configuration | |
3 | ||
4 | This document describes the schema for the [z/OS-specific section](config.md#platform-specific-configuration) of the [container configuration](config.md). | |
5 | ||
6 | ## <a name="configZOSDevices" />Devices | |
7 | ||
8 | **`devices`** (array of objects, OPTIONAL) lists devices that MUST be available in the container. | |
9 | The runtime MAY supply them however it likes. | |
10 | ||
11 | Each entry has the following structure: | |
12 | ||
13 | * **`type`** *(string, REQUIRED)* - type of device: `c`, `b`, `u` or `p`. | |
14 | * **`path`** *(string, REQUIRED)* - full path to device inside container. | |
15 | If a file already exists at `path` that does not match the requested device, the runtime MUST generate an error. | |
16 | * **`major, minor`** *(int64, REQUIRED unless `type` is `p`)* - major, minor numbers for the device. | |
17 | * **`fileMode`** *(uint32, OPTIONAL)* - file mode for the device. | |
18 | ||
19 | The same `type`, `major` and `minor` SHOULD NOT be used for multiple devices. |
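Review bot: the `devices` entry list documents `type`, `path`, `major`/`minor` and `fileMode`, but the matching `defs-zos.json` schema and the `ZOSDevice` Go struct in this same commit also carry `uid` and `gid`; the doc should list them (with OPTIONAL and their types) or the schema and struct should drop them. The doc also says `major, minor` are REQUIRED unless `type` is `p`, while the schema's `required` array demands both unconditionally; one of the two needs to change so that a `p` device validates.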
189 | 189 | For more information about AppArmor, see [AppArmor documentation][apparmor]. |
190 | 190 | * **`capabilities`** (object, OPTIONAL) is an object containing arrays that specifies the sets of capabilities for the process. |
191 | 191 | Valid values are defined in the [capabilities(7)][capabilities.7] man page, such as `CAP_CHOWN`. |
192 | Any value which cannot be mapped to a relevant kernel interface MUST cause an error. | |
192 | Any value which cannot be mapped to a relevant kernel interface, or cannot | |
193 | be granted otherwise MUST be [logged as a warning](runtime.md#warnings) by | |
194 | the runtime. Runtimes SHOULD NOT fail if the container configuration requests | |
195 | capabilities that cannot be granted, for example, if the runtime operates in | |
196 | a restricted environment with a limited set of capabilities. | |
193 | 197 | `capabilities` contains the following properties: |
194 | 198 | |
195 | 199 | * **`effective`** (array of strings, OPTIONAL) the `effective` field is an array of effective capabilities that are kept for the process. |
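Review bot: the rewritten sentence folds two different cases into one warning: a value that "cannot be mapped to a relevant kernel interface" (typically a typo or an unknown constant, which previously was a hard error) and a valid capability the environment cannot grant. Downgrading the first case to a warning hides configuration mistakes; suggest keeping "MUST cause an error" for unmappable values and applying the warning-and-continue rule only to capabilities that are known but not grantable in the restricted environment. Style: the new lines are hard-wrapped at about 80 columns while the surrounding list uses one sentence per line.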
355 | 359 | This MAY be set if the target platform of this spec is `solaris`. |
356 | 360 | * **`vm`** (object, OPTIONAL) [Virtual-machine-specific configuration](config-vm.md). |
357 | 361 | This MAY be set if the target platform and architecture of this spec support hardware virtualization. |
362 | * **`zos`** (object, OPTIONAL) [z/OS-specific configuration](config-zos.md). | |
363 | This MAY be set if the target platform of this spec is `zos`. | |
358 | 364 | |
359 | 365 | ### Example (Linux) |
360 | 366 |
17 | 17 | |
18 | 18 | * `creating`: the container is being created (step 2 in the [lifecycle](#lifecycle)) |
19 | 19 | * `created`: the runtime has finished the [create operation](#create) (after step 2 in the [lifecycle](#lifecycle)), and the container process has neither exited nor executed the user-specified program |
20 | * `running`: the container process has executed the user-specified program but has not exited (after step 5 in the [lifecycle](#lifecycle)) | |
21 | * `stopped`: the container process has exited (step 7 in the [lifecycle](#lifecycle)) | |
20 | * `running`: the container process has executed the user-specified program but has not exited (after step 8 in the [lifecycle](#lifecycle)) | |
21 | * `stopped`: the container process has exited (step 10 in the [lifecycle](#lifecycle)) | |
22 | 22 | |
23 | 23 | Additional values MAY be defined by the runtime, however, they MUST be used to represent new runtime states not defined above. |
24 | 24 | * **`pid`** (int, REQUIRED when `status` is `created` or `running` on Linux, OPTIONAL on other platforms) is the ID of the container process. |
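Review bot: the `running` and `stopped` entries are renumbered from steps 5 and 7 to 8 and 10, but the lifecycle list they point at is not in this diff; the new numbers should be checked against the current `#lifecycle` section, since `creating` and `created` keep step 2 here and a stale step reference is easy to miss in review.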
202 | 202 | "defaultAction": { |
203 | 203 | "$ref": "defs-linux.json#/definitions/SeccompAction" |
204 | 204 | }, |
205 | "defaultErrnoRet": { | |
206 | "$ref": "defs.json#/definitions/uint32" | |
207 | }, | |
205 | 208 | "flags": { |
206 | 209 | "type": "array", |
207 | 210 | "items": { |
208 | 211 | "$ref": "defs-linux.json#/definitions/SeccompFlag" |
209 | 212 | } |
213 | }, | |
214 | "listenerPath": { | |
215 | "type": "string" | |
216 | }, | |
217 | "listenerMetadata": { | |
218 | "type": "string" | |
210 | 219 | }, |
211 | 220 | "architectures": { |
212 | 221 | "type": "array", |
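Review bot: `defaultErrnoRet` is bound to `defs.json#/definitions/uint32` here, while the Markdown describes it as `uint` and the Go struct adds it as `*uint`; align the three on one type. `listenerPath` is constrained only to `"type": "string"`; since other paths in these schemas go through `defs.json#/definitions/FilePath` (see the `path` property in `defs-zos.json` in this commit), consider the same `$ref` so it is validated like the other paths.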
179 | 179 | }, |
180 | 180 | "vm": { |
181 | 181 | "$ref": "config-vm.json#/vm" |
182 | }, | |
183 | "zos": { | |
184 | "$ref": "config-zos.json#/zos" | |
182 | 185 | } |
183 | 186 | }, |
184 | 187 | "required": [ |
0 | { | |
1 | "zos": { | |
2 | "description": "z/OS platform-specific configurations", | |
3 | "type": "object", | |
4 | "properties": { | |
5 | "devices": { | |
6 | "type": "array", | |
7 | "items": { | |
8 | "$ref": "defs-zos.json#/definitions/Device" | |
9 | } | |
10 | } | |
11 | } | |
12 | } | |
13 | } |
60 | 60 | "SCMP_ACT_ERRNO", |
61 | 61 | "SCMP_ACT_TRACE", |
62 | 62 | "SCMP_ACT_ALLOW", |
63 | "SCMP_ACT_LOG" | |
63 | "SCMP_ACT_LOG", | |
64 | "SCMP_ACT_NOTIFY" | |
64 | 65 | ] |
65 | 66 | }, |
66 | 67 | "SeccompFlag": { |
0 | { | |
1 | "definitions": { | |
2 | "Major": { | |
3 | "description": "major device number", | |
4 | "$ref": "defs.json#/definitions/int64" | |
5 | }, | |
6 | "Minor": { | |
7 | "description": "minor device number", | |
8 | "$ref": "defs.json#/definitions/int64" | |
9 | }, | |
10 | "FileMode": { | |
11 | "description": "File permissions mode (typically an octal value)", | |
12 | "type": "integer", | |
13 | "minimum": 0, | |
14 | "maximum": 512 | |
15 | }, | |
16 | "FileType": { | |
17 | "description": "Type of a block or special character device", | |
18 | "type": "string", | |
19 | "pattern": "^[cbup]$" | |
20 | }, | |
21 | "Device": { | |
22 | "type": "object", | |
23 | "required": [ | |
24 | "type", | |
25 | "path", | |
26 | "major", | |
27 | "minor" | |
28 | ], | |
29 | "properties": { | |
30 | "path": { | |
31 | "$ref": "defs.json#/definitions/FilePath" | |
32 | }, | |
33 | "type": { | |
34 | "$ref": "#/definitions/FileType" | |
35 | }, | |
36 | "major": { | |
37 | "$ref": "#/definitions/Major" | |
38 | }, | |
39 | "minor": { | |
40 | "$ref": "#/definitions/Minor" | |
41 | }, | |
42 | "fileMode": { | |
43 | "$ref": "#/definitions/FileMode" | |
44 | }, | |
45 | "uid": { | |
46 | "$ref": "defs.json#/definitions/UID" | |
47 | }, | |
48 | "gid": { | |
49 | "$ref": "defs.json#/definitions/GID" | |
50 | } | |
51 | } | |
52 | } | |
53 | } | |
54 | } |
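Review bot: `FileMode` uses `"maximum": 512`, which is not a permission-bit boundary: the full `rwx` mask 0777 is 511, and 512 (01000) is the sticky bit alone; if setuid/setgid/sticky are meant to be expressible the maximum should be 4095 (07777), otherwise 511. The `Device` schema's `required` array also lists `major` and `minor` unconditionally, which contradicts "REQUIRED unless `type` is `p`" in config-zos.md from this commit; a `p` device with no numbers will fail validation.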
16 | 16 | * `solaris`: [runtime.md](runtime.md), [config.md](config.md), and [config-solaris.md](config-solaris.md). |
17 | 17 | * `windows`: [runtime.md](runtime.md), [config.md](config.md), and [config-windows.md](config-windows.md). |
18 | 18 | * `vm`: [runtime.md](runtime.md), [config.md](config.md), and [config-vm.md](config-vm.md). |
19 | * `zos`: [runtime.md](runtime.md), [config.md](config.md), and [config-zos.md](config-zos.md). | |
19 | 20 | |
20 | 21 | # <a name="ociRuntimeSpecTOC" />Table of Contents |
21 | 22 | |
30 | 31 | - [Solaris-specific Configuration](config-solaris.md) |
31 | 32 | - [Windows-specific Configuration](config-windows.md) |
32 | 33 | - [Virtual-Machine-specific Configuration](config-vm.md) |
34 | - [z/OS-specific Configuration](config-zos.md) | |
33 | 35 | - [Glossary](glossary.md) |
34 | 36 | |
35 | 37 | # <a name="ociRuntimeSpecNotationalConventions" />Notational Conventions |
14 | 14 | // Mounts configures additional mounts (on top of Root). |
15 | 15 | Mounts []Mount `json:"mounts,omitempty"` |
16 | 16 | // Hooks configures callbacks for container lifecycle events. |
17 | Hooks *Hooks `json:"hooks,omitempty" platform:"linux,solaris"` | |
17 | Hooks *Hooks `json:"hooks,omitempty" platform:"linux,solaris,zos"` | |
18 | 18 | // Annotations contains arbitrary metadata for the container. |
19 | 19 | Annotations map[string]string `json:"annotations,omitempty"` |
20 | 20 | |
26 | 26 | Windows *Windows `json:"windows,omitempty" platform:"windows"` |
27 | 27 | // VM specifies configuration for virtual-machine-based containers. |
28 | 28 | VM *VM `json:"vm,omitempty" platform:"vm"` |
29 | // ZOS is platform-specific configuration for z/OS based containers. | |
30 | ZOS *ZOS `json:"zos,omitempty" platform:"zos"` | |
29 | 31 | } |
30 | 32 | |
31 | 33 | // Process contains information to start a specific application inside the container. |
48 | 50 | // Capabilities are Linux capabilities that are kept for the process. |
49 | 51 | Capabilities *LinuxCapabilities `json:"capabilities,omitempty" platform:"linux"` |
50 | 52 | // Rlimits specifies rlimit options to apply to the process. |
51 | Rlimits []POSIXRlimit `json:"rlimits,omitempty" platform:"linux,solaris"` | |
53 | Rlimits []POSIXRlimit `json:"rlimits,omitempty" platform:"linux,solaris,zos"` | |
52 | 54 | // NoNewPrivileges controls whether additional privileges could be gained by processes in the container. |
53 | 55 | NoNewPrivileges bool `json:"noNewPrivileges,omitempty" platform:"linux"` |
54 | 56 | // ApparmorProfile specifies the apparmor profile for the container. |
85 | 87 | // User specifies specific user (and group) information for the container process. |
86 | 88 | type User struct { |
87 | 89 | // UID is the user id. |
88 | UID uint32 `json:"uid" platform:"linux,solaris"` | |
90 | UID uint32 `json:"uid" platform:"linux,solaris,zos"` | |
89 | 91 | // GID is the group id. |
90 | GID uint32 `json:"gid" platform:"linux,solaris"` | |
92 | GID uint32 `json:"gid" platform:"linux,solaris,zos"` | |
91 | 93 | // Umask is the umask for the init process. |
92 | Umask *uint32 `json:"umask,omitempty" platform:"linux,solaris"` | |
94 | Umask *uint32 `json:"umask,omitempty" platform:"linux,solaris,zos"` | |
93 | 95 | // AdditionalGids are additional group ids set for the container's process. |
94 | 96 | AdditionalGids []uint32 `json:"additionalGids,omitempty" platform:"linux,solaris"` |
95 | 97 | // Username is the user name. |
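Review bot: `UID`, `GID` and `Umask` gain the `zos` platform tag, but `AdditionalGids` two lines below keeps `platform:"linux,solaris"`; if supplementary groups are unsupported on z/OS that deserves a comment, otherwise the missing tag looks like an omission.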
109 | 111 | // Destination is the absolute path where the mount will be placed in the container. |
110 | 112 | Destination string `json:"destination"` |
111 | 113 | // Type specifies the mount kind. |
112 | Type string `json:"type,omitempty" platform:"linux,solaris"` | |
114 | Type string `json:"type,omitempty" platform:"linux,solaris,zos"` | |
113 | 115 | // Source specifies the source path of the mount. |
114 | 116 | Source string `json:"source,omitempty"` |
115 | 117 | // Options are fstab style mount options. |
597 | 599 | |
598 | 600 | // LinuxSeccomp represents syscall restrictions |
599 | 601 | type LinuxSeccomp struct { |
600 | DefaultAction LinuxSeccompAction `json:"defaultAction"` | |
601 | Architectures []Arch `json:"architectures,omitempty"` | |
602 | Flags []LinuxSeccompFlag `json:"flags,omitempty"` | |
603 | Syscalls []LinuxSyscall `json:"syscalls,omitempty"` | |
602 | DefaultAction LinuxSeccompAction `json:"defaultAction"` | |
603 | DefaultErrnoRet *uint `json:"defaultErrnoRet,omitempty"` | |
604 | Architectures []Arch `json:"architectures,omitempty"` | |
605 | Flags []LinuxSeccompFlag `json:"flags,omitempty"` | |
606 | ListenerPath string `json:"listenerPath,omitempty"` | |
607 | ListenerMetadata string `json:"listenerMetadata,omitempty"` | |
608 | Syscalls []LinuxSyscall `json:"syscalls,omitempty"` | |
604 | 609 | } |
605 | 610 | |
606 | 611 | // Arch used for additional architectures |
646 | 651 | ActTrace LinuxSeccompAction = "SCMP_ACT_TRACE" |
647 | 652 | ActAllow LinuxSeccompAction = "SCMP_ACT_ALLOW" |
648 | 653 | ActLog LinuxSeccompAction = "SCMP_ACT_LOG" |
654 | ActNotify LinuxSeccompAction = "SCMP_ACT_NOTIFY" | |
649 | 655 | ) |
650 | 656 | |
651 | 657 | // LinuxSeccompOperator used to match syscall arguments in Seccomp |
693 | 699 | // default, and in "MBps" if MBA Software Controller is enabled. |
694 | 700 | MemBwSchema string `json:"memBwSchema,omitempty"` |
695 | 701 | } |
702 | ||
703 | // ZOS contains platform-specific configuration for z/OS based containers. | |
704 | type ZOS struct { | |
705 | // Devices are a list of device nodes that are created for the container | |
706 | Devices []ZOSDevice `json:"devices,omitempty"` | |
707 | } | |
708 | ||
709 | // ZOSDevice represents the mknod information for a z/OS special device file | |
710 | type ZOSDevice struct { | |
711 | // Path to the device. | |
712 | Path string `json:"path"` | |
713 | // Device type, block, char, etc. | |
714 | Type string `json:"type"` | |
715 | // Major is the device's major number. | |
716 | Major int64 `json:"major"` | |
717 | // Minor is the device's minor number. | |
718 | Minor int64 `json:"minor"` | |
719 | // FileMode permission bits for the device. | |
720 | FileMode *os.FileMode `json:"fileMode,omitempty"` | |
721 | // UID of the device. | |
722 | UID *uint32 `json:"uid,omitempty"` | |
723 | // Gid of the device. | |
724 | GID *uint32 `json:"gid,omitempty"` | |
725 | } |
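Review bot: comment capitalization is inconsistent within the new struct ("UID of the device." vs "Gid of the device."); use `GID`. The `Devices` comment says the nodes "are created for the container", while config-zos.md in this commit says they "MUST be available" and the runtime "MAY supply them however it likes"; matching the doc wording avoids implying that mknod is mandatory.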
4 | 4 | |
5 | 5 | const ( |
6 | 6 | // StateCreating indicates that the container is being created |
7 | StateCreating ContainerState = "creating" | |
7 | StateCreating ContainerState = "creating" | |
8 | 8 | |
9 | 9 | // StateCreated indicates that the runtime has finished the create operation |
10 | StateCreated ContainerState = "created" | |
10 | StateCreated ContainerState = "created" | |
11 | 11 | |
12 | 12 | // StateRunning indicates that the container process has executed the |
13 | 13 | // user-specified program but has not exited |
14 | StateRunning ContainerState = "running" | |
14 | StateRunning ContainerState = "running" | |
15 | 15 | |
16 | 16 | // StateStopped indicates that the container process has exited |
17 | StateStopped ContainerState = "stopped" | |
17 | StateStopped ContainerState = "stopped" | |
18 | 18 | ) |
19 | 19 | |
20 | 20 | // State holds information about the runtime state of the container. |
32 | 32 | // Annotations are key values associated with the container. |
33 | 33 | Annotations map[string]string `json:"annotations,omitempty"` |
34 | 34 | } |
35 | ||
36 | const ( | |
37 | // SeccompFdName is the name of the seccomp notify file descriptor. | |
38 | SeccompFdName string = "seccompFd" | |
39 | ) | |
40 | ||
41 | // ContainerProcessState holds information about the state of a container process. | |
42 | type ContainerProcessState struct { | |
43 | // Version is the version of the specification that is supported. | |
44 | Version string `json:"ociVersion"` | |
45 | // Fds is a string array containing the names of the file descriptors passed. | |
46 | // The index of the name in this array corresponds to index of the file | |
47 | // descriptor in the `SCM_RIGHTS` array. | |
48 | Fds []string `json:"fds"` | |
49 | // Pid is the process ID as seen by the runtime. | |
50 | Pid int `json:"pid"` | |
51 | // Opaque metadata. | |
52 | Metadata string `json:"metadata,omitempty"` | |
53 | // State of the container. | |
54 | State State `json:"state"` | |
55 | } |
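Review bot: `Fds []string` with `json:"fds"` has no `omitempty`, so a state with no descriptors serializes as `"fds": null`, while config-linux.md in this commit marks `fds` OPTIONAL; either add `omitempty` or require the field in the doc. The `Version` comment ("the version of the specification that is supported") also differs from the doc's meaning (the version with which the state complies); align the comment with the doc.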