Import upstream version 1.1.0.rc.1.4.g7301c34
Debian Janitor
1 year, 3 months ago
0 | 0 | OpenContainers Specifications |
1 | ||
2 | Changes with v1.1.0-rc.1: | |
3 | ||
4 | Breaking changes (but rather conforms to the existing runc implementation): | |
5 | ||
6 | * config: change prestart hook spec to match reality (#1169) | |
7 | ||
8 | Deprecations: | |
9 | ||
10 | * config-linux: mark memory.kernel[TCP] as NOT RECOMMENDED (#1093) | |
11 | ||
12 | Additions: | |
13 | ||
14 | * cgroup: add cgroup v2 support (#1040) | |
15 | * seccomp: allow to override errno return code (#1041) | |
16 | * seccomp: Add support for SCMP_ACT_KILL_PROCESS (#1044) | |
17 | * Update seccomp architectures to support RISCV64 (#1059) | |
18 | * Add support for SCMP_ACT_KILL_THREAD (#1064) | |
19 | * Add Seccomp Notify support using UNIX sockets and container metadata (#1074) | |
20 | * config-linux: Add Intel RDT CMT and MBM Linux support (#1076) | |
21 | * seccomp: allow to override default errno return code (#1087) | |
22 | * Introduce zos as platform (#1095) | |
23 | * config-linux: add idle option for container cgroup (#1136) | |
24 | * config-linux: add CFS bandwidth burst (#1120) | |
25 | * IDMapping field for mount point (#1143) | |
26 | * schema: add cpu idle (#1145) | |
27 | * add domainname spec entity (#1156) | |
28 | * config-linux: add memory.checkBeforeUpdate (#1158) | |
29 | * seccomp: Add flag SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV (#1161) | |
30 | ||
31 | Minor fixes and documentation: | |
32 | ||
33 | * seccomp: fix go-specs for errnoRet (#1042) | |
34 | * MAINTAINERS: Add @cyphar as maintainer (#1043) | |
35 | * Define State for container and runtime namespace (#1045) | |
36 | * Add Giuseppe Scrivano as a runtime spec maintainer (#1048) | |
37 | * Remove superfluous 'an' (#1049) | |
38 | * Add State status constants to spec-go (#1046) | |
39 | * config.go: make umask a pointer (#1058) | |
40 | * Update State structure to use the new ContainerState type (#1056) | |
41 | * docs: Added enclave OCI runtime rune to implementations (#1055) | |
42 | * Change all references from whitelist to allowlist (#1054) | |
43 | * Fix int64 and uint64 type value ranges (#1060) | |
44 | * MAINTAINERS: update vbatts email (#1065) | |
45 | * travis: fix go_import_path (#1072) | |
46 | * Makefile: Fix golint URL used in go get (#1075) | |
47 | * config-linux: fix personality link (#1086) | |
48 | * README: Fix broken link for charter (#1091) | |
49 | * Fix seccomp notify inconsistencies (#1096) | |
50 | * runtime should WARN / ignore capabilities that cannot be granted (#1094) | |
51 | * config-linux: clarify the handling of ClosID RDT parameter (#1104) | |
52 | * defs-zos: [Fix] prevent schema parsers from hitting recursion-loop while resolving types. (#1117) | |
53 | * fix the lifecycle reference in the states listing (#1118) | |
54 | * add youki to implementations.md (#1126) | |
55 | * Switch to GitHub Actions, CODEOWNERS, etc. (#1128) | |
56 | * specify cgroup ownership semantics (#1123) | |
57 | * config-linux: MAY reject an unfit cgroup (#1125) | |
58 | * cgroup ownership: clarify that some files may not exist (#1137) | |
59 | * typo: seccompFD -> seccompFd (#1133) | |
60 | * schema: update README.md (#1083) | |
61 | * schema: make with golang 1.16 (#1084) | |
62 | * Update Windows CPU comments (#1144) | |
63 | * specs-go: export LinuxBlockIODevice (#1103) | |
64 | * config-linux: update type of LinuxCPU.Idle to *int64 (#1146) | |
65 | * fix RFC link (#1153) | |
66 | * Add available LinuxSeccompFlags (#1138) | |
67 | * maintainer updates as per (#1101 (#1150) | |
68 | * GOVERNANCE: correct the Charter URL (#1157) | |
69 | * CODEOWNERS: sync with MAINTAINERS (#1160) | |
1 | 70 | |
2 | 71 | Changes with v1.0.2: |
3 | 72 |
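Review bot: the entry `* maintainer updates as per (#1101 (#1150)` has an unbalanced parenthesis; it should probably read `* maintainer updates as per #1101 (#1150)`. The two entries `seccomp: allow to override errno return code (#1041)` and `seccomp: allow to override default errno return code (#1087)` also read as the same change; if #1087 extends #1041 to the default action, the wording should make that distinction.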
33 | 33 | * **`uts`** the container will be able to have its own hostname and domain name. |
34 | 34 | * **`user`** the container will be able to remap user and group IDs from the host to local users and groups within the container. |
35 | 35 | * **`cgroup`** the container will have an isolated view of the cgroup hierarchy. |
36 | * **`time`** the container will be able to have its own clocks. | |
36 | 37 | * **`path`** *(string, OPTIONAL)* - namespace file. |
37 | 38 | This value MUST be an absolute path in the [runtime mount namespace](glossary.md#runtime-namespace). |
38 | 39 | The runtime MUST place the container process in the namespace associated with that `path`. |
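Review bot: the new `time` bullet says the container "will be able to have its own clocks", which overstates what a time namespace gives: the kernel applies per-namespace offsets only to the monotonic and boottime clocks (the two keys every `timeOffsets` example in this change uses), and wall-clock time is not affected. Suggest wording it like the other bullets, e.g. "the container will be able to have its own offsets for the monotonic and boottime clocks", and linking to the `timeOffsets` section so readers know where the offsets are configured.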
69 | 70 | }, |
70 | 71 | { |
71 | 72 | "type": "cgroup" |
73 | }, | |
74 | { | |
75 | "type": "time" | |
72 | 76 | } |
73 | 77 | ] |
74 | 78 | ``` |
105 | 109 | } |
106 | 110 | ] |
107 | 111 | ``` |
112 | ||
113 | ## <a name="configLinuxTimeOffset" />Offset for Time Namespace | |
114 | ||
115 | **`timeOffsets`** (object, OPTIONAL) sets the offset for Time Namespace. For more information | |
116 | see the [time_namespaces](time_namespaces.7). | |
117 | ||
118 | The name of the clock is the entry key. | |
119 | Entry values are objects with the following properties: | |
120 | ||
121 | * **`secs`** *(int64, OPTIONAL)* - is the offset of clock (in seconds) in the container. | |
122 | * **`nanosecs`** *(uint32, OPTIONAL)* - is the offset of clock (in nanoseconds) in the container. | |
108 | 123 | |
109 | 124 | ## <a name="configLinuxDevices" />Devices |
110 | 125 | |
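Review bot: the section says "The name of the clock is the entry key" but never states which keys a runtime MUST accept; the examples in this change use only `monotonic` and `boottime`. Suggest enumerating the accepted clock names, stating what the runtime does with an unknown key, and stating the behaviour when `timeOffsets` is present but `namespaces` has no `time` entry (the offsets have nothing to apply to). The `nanosecs` bullet should also give the valid range (below 1000000000, i.e. less than one second), since `uint32` admits larger values.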
938 | 953 | [zero.4]: http://man7.org/linux/man-pages/man4/zero.4.html |
939 | 954 | [user-namespaces]: http://man7.org/linux/man-pages/man7/user_namespaces.7.html |
940 | 955 | [intel-rdt-cat-kernel-interface]: https://www.kernel.org/doc/Documentation/x86/intel_rdt_ui.txt |
956 | [time_namespaces.7]: https://man7.org/linux/man-pages/man7/time_namespaces.7.html |
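Review bot: style point: the new `time_namespaces.7` reference uses `https://man7.org` while the adjacent `zero.4` and `user-namespaces` entries use `http://man7.org`; https is the better choice, so consider updating the neighbouring entries in the same change rather than leaving a mixed set.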
927 | 927 | } |
928 | 928 | ] |
929 | 929 | }, |
930 | "timeOffsets": { | |
931 | "monotonic": { | |
932 | "secs": 172800, | |
933 | "nanosecs": 0 | |
934 | }, | |
935 | "boottime": { | |
936 | "secs": 604800, | |
937 | "nanosecs": 0 | |
938 | } | |
939 | }, | |
930 | 940 | "namespaces": [ |
931 | 941 | { |
932 | 942 | "type": "pid" |
948 | 958 | }, |
949 | 959 | { |
950 | 960 | "type": "cgroup" |
961 | }, | |
962 | { | |
963 | "type": "time" | |
951 | 964 | } |
952 | 965 | ], |
953 | 966 | "maskedPaths": [ |
0 | BEGIN:VCALENDAR | |
1 | VERSION:2.0 | |
2 | PRODID:-//Open Containers Initiative//Developer Meeting//EN | |
3 | BEGIN:VTIMEZONE | |
4 | TZID:America/Los_Angeles | |
5 | LAST-MODIFIED:20050809T050000Z | |
6 | BEGIN:STANDARD | |
7 | DTSTART:20071104T020000 | |
8 | RRULE:FREQ=YEARLY;BYMONTH=11;BYDAY=1SU | |
9 | TZOFFSETFROM:-0700 | |
10 | TZOFFSETTO:-0800 | |
11 | TZNAME:PST | |
12 | END:STANDARD | |
13 | BEGIN:DAYLIGHT | |
14 | DTSTART:20070311T020000 | |
15 | RRULE:FREQ=YEARLY;BYMONTH=3;BYDAY=2SU | |
16 | TZOFFSETFROM:-0800 | |
17 | TZOFFSETTO:-0700 | |
18 | TZNAME:PDT | |
19 | END:DAYLIGHT | |
20 | END:VTIMEZONE | |
21 | BEGIN:VEVENT | |
22 | UID:tdc-meeting@opencontainers.org | |
23 | DTSTAMP:20180628T170000Z | |
24 | DTSTART;TZID=America/Los_Angeles:20170906T140000 | |
25 | RRULE:FREQ=MONTHLY;INTERVAL=1;BYDAY=1WE | |
26 | RDATE;TZID=America/Los_Angeles:20180110T140000 | |
27 | EXDATE;TZIP=America/Los_Angeles:20180103T140000 | |
28 | RDATE;TZID=America/Los_Angeles:20180711T140000 | |
29 | EXDATE;TZIP=America/Los_Angeles:20180704T140000 | |
30 | DURATION:PT1H | |
31 | SUMMARY:OCI TDC Meeting | |
32 | DESCRIPTION;ALTREP="https://github.com/opencontainers/runtime-spec# | |
33 | meetings":Open Containers Initiative Developer Meeting\n | |
34 | https://github.com/opencontainers/runtime-spec#meetings\n | |
35 | Web: https://www.uberconference.com/opencontainers\n | |
36 | Audio-only: +1 415 968 0849 (no PIN needed) | |
37 | LOCATION:https://www.uberconference.com/opencontainers | |
38 | URL:https://github.com/opencontainers/runtime-spec/blob/master/meeting.ics | |
39 | END:VEVENT | |
40 | END:VCALENDAR | |
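Review bot: the two `EXDATE;TZIP=America/Los_Angeles:...` lines use the parameter name `TZIP`, which is not an iCalendar parameter; it should be `TZID`, as on the `DTSTART` and `RDATE` lines, otherwise clients have no zone for the exclusion dates and the exclusions may not match the recurrence instances they are meant to remove.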
0 | BEGIN:VCALENDAR | |
1 | VERSION:2.0 | |
2 | PRODID:-//Open Containers Initiative//Developer Meeting//EN | |
3 | BEGIN:VTIMEZONE | |
4 | TZID:America/Los_Angeles | |
5 | LAST-MODIFIED:20050809T050000Z | |
6 | BEGIN:STANDARD | |
7 | DTSTART:20071104T020000 | |
8 | RRULE:FREQ=YEARLY;BYMONTH=11;BYDAY=1SU | |
9 | TZOFFSETFROM:-0700 | |
10 | TZOFFSETTO:-0800 | |
11 | TZNAME:PST | |
12 | END:STANDARD | |
13 | BEGIN:DAYLIGHT | |
14 | DTSTART:20070311T020000 | |
15 | RRULE:FREQ=YEARLY;BYMONTH=3;BYDAY=2SU | |
16 | TZOFFSETFROM:-0800 | |
17 | TZOFFSETTO:-0700 | |
18 | TZNAME:PDT | |
19 | END:DAYLIGHT | |
20 | END:VTIMEZONE | |
21 | BEGIN:VEVENT | |
22 | UID:tdc-meeting@opencontainers.org | |
23 | DTSTAMP:20180628T170000Z | |
24 | DTSTART;TZID=America/Los_Angeles:20170906T140000 | |
25 | RRULE:FREQ=MONTHLY;INTERVAL=1;BYDAY=1WE | |
26 | RDATE;TZID=America/Los_Angeles:20180110T140000 | |
27 | EXDATE;TZIP=America/Los_Angeles:20180103T140000 | |
28 | RDATE;TZID=America/Los_Angeles:20180711T140000 | |
29 | EXDATE;TZIP=America/Los_Angeles:20180704T140000 | |
30 | DURATION:PT1H | |
31 | SUMMARY:OCI TDC Meeting | |
32 | DESCRIPTION;ALTREP="https://github.com/opencontainers/runtime-spec# | |
33 | meetings":Open Containers Initiative Developer Meeting\n | |
34 | https://github.com/opencontainers/runtime-spec#meetings\n | |
35 | Web: https://www.uberconference.com/opencontainers\n | |
36 | Audio-only: +1 415 968 0849 (no PIN needed) | |
37 | LOCATION:https://www.uberconference.com/opencontainers | |
38 | URL:https://github.com/opencontainers/runtime-spec/blob/master/meeting.ics | |
39 | END:VEVENT | |
40 | END:VCALENDAR |
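Review bot: this block is byte-for-byte identical to the `meeting.ics` content above, including the two `EXDATE;TZIP=` lines; if the file is being moved or copied, apply the `TZID` fix in the new location as well.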
279 | 279 | "personality": { |
280 | 280 | "type": "object", |
281 | 281 | "$ref": "defs-linux.json#/definitions/Personality" |
282 | }, | |
283 | "timeOffsets": { | |
284 | "type": "object", | |
285 | "additionalProperties": { | |
286 | "$ref": "defs-linux.json#/definitions/TimeOffsets" | |
287 | } | |
282 | 288 | } |
283 | 289 | } |
284 | 290 | } |
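Review bot: `additionalProperties` here accepts any string as a clock name, so a misspelling such as `monotonoic` validates silently; if the accepted names are the ones the examples use (`monotonic`, `boottime`), consider listing them under `properties` with `"additionalProperties": false`, or at least document in config-linux.md which names are valid. The referenced definition is also named `TimeOffsets` although it describes a single offset entry (the Go type in this change is `LinuxTimeOffset`); `TimeOffset` would match.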
294 | 294 | "uts", |
295 | 295 | "ipc", |
296 | 296 | "user", |
297 | "cgroup" | |
297 | "cgroup", | |
298 | "time" | |
298 | 299 | ] |
299 | 300 | }, |
300 | 301 | "NamespaceReference": { |
310 | 311 | "required": [ |
311 | 312 | "type" |
312 | 313 | ] |
314 | }, | |
315 | "TimeOffsets": { | |
316 | "type": "object", | |
317 | "properties": { | |
318 | "secs": { | |
319 | "$ref": "defs.json#/definitions/int64" | |
320 | }, | |
321 | "nanosecs": { | |
322 | "$ref": "defs.json#/definitions/uint32" | |
323 | } | |
324 | } | |
313 | 325 | } |
314 | 326 | } |
315 | 327 | } |
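Review bot: `nanosecs` refers to `defs.json#/definitions/uint32` with no upper bound, so a value of 1000000000 or more passes schema validation even though it is not a valid nanosecond component; bound it inline as an integer with `"minimum": 0` and `"maximum": 999999999` (keywords placed beside a `$ref` are ignored in older JSON Schema drafts, so the bound should not sit next to the `$ref`). Same naming remark as for config-linux.json: the definition is `TimeOffsets` but models one offset.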
351 | 351 | } |
352 | 352 | ] |
353 | 353 | }, |
354 | "timeOffsets": { | |
355 | "monotonic": { | |
356 | "secs": 172800, | |
357 | "nanosecs": 0 | |
358 | }, | |
359 | "boottime": { | |
360 | "secs": 604800, | |
361 | "nanosecs": 0 | |
362 | } | |
363 | }, | |
354 | 364 | "namespaces": [ |
355 | 365 | { |
356 | 366 | "type": "pid" |
372 | 382 | }, |
373 | 383 | { |
374 | 384 | "type": "cgroup" |
385 | }, | |
386 | { | |
387 | "type": "time" | |
375 | 388 | } |
376 | 389 | ], |
377 | 390 | "maskedPaths": [ |
190 | 190 | IntelRdt *LinuxIntelRdt `json:"intelRdt,omitempty"` |
191 | 191 | // Personality contains configuration for the Linux personality syscall |
192 | 192 | Personality *LinuxPersonality `json:"personality,omitempty"` |
193 | // TimeOffsets specifies the offset for supporting time namespaces. | |
194 | TimeOffsets map[string]LinuxTimeOffset `json:"timeOffsets,omitempty"` | |
193 | 195 | } |
194 | 196 | |
195 | 197 | // LinuxNamespace is the configuration for a Linux namespace |
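Review bot: the doc comment on `TimeOffsets` should say the map is keyed by clock name (`monotonic` and `boottime` in the examples) so Go users do not have to read the markdown to learn what the key is; "specifies the offset for supporting time namespaces" does not say that.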
219 | 221 | UserNamespace LinuxNamespaceType = "user" |
220 | 222 | // CgroupNamespace for isolating cgroup hierarchies |
221 | 223 | CgroupNamespace LinuxNamespaceType = "cgroup" |
224 | // TimeNamespace for isolating the clocks | |
225 | TimeNamespace LinuxNamespaceType = "time" | |
222 | 226 | ) |
223 | 227 | |
224 | 228 | // LinuxIDMapping specifies UID/GID mappings |
229 | 233 | HostID uint32 `json:"hostID"` |
230 | 234 | // Size is the number of IDs to be mapped |
231 | 235 | Size uint32 `json:"size"` |
236 | } | |
237 | ||
238 | // LinuxTimeOffset specifies the offset for Time Namespace | |
239 | type LinuxTimeOffset struct { | |
240 | // Secs is the offset of clock (in secs) in the container | |
241 | Secs int64 `json:"secs,omitempty"` | |
242 | // Nanosecs is the additional offset for Secs (in nanosecs) | |
243 | Nanosecs uint32 `json:"nanosecs,omitempty"` | |
232 | 244 | } |
233 | 245 | |
234 | 246 | // POSIXRlimit type and restrictions |
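Review bot: the field comments abbreviate to "secs"/"nanosecs" while the spec text says "seconds"/"nanoseconds"; spell them out, state whether `Secs` may be negative (an `int64` admits it), and state that `Nanosecs` must be below 1000000000, so the Go types carry the same constraints as the markdown. `omitempty` on both fields is fine, since a zero offset and an absent field mean the same thing.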
5 | 5 | // VersionMajor is for an API incompatible changes |
6 | 6 | VersionMajor = 1 |
7 | 7 | // VersionMinor is for functionality in a backwards-compatible manner |
8 | VersionMinor = 0 | |
8 | VersionMinor = 1 | |
9 | 9 | // VersionPatch is for backwards-compatible bug fixes |
10 | VersionPatch = 2 | |
10 | VersionPatch = 0 | |
11 | 11 | |
12 | 12 | // VersionDev indicates development branch. Releases will be empty string. |
13 | VersionDev = "-dev" | |
13 | VersionDev = "-rc.1-dev" | |
14 | 14 | ) |
15 | 15 | |
16 | 16 | // Version is the specification version that the package types support. |
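Review bot: the constants now assemble to `1.1.0-rc.1-dev`, which matches the snapshot in the commit title (four commits past rc.1). One caveat worth a comment next to `VersionDev`: under semver precedence `1.1.0-rc.1-dev` sorts after `1.1.0-rc.1` (the `1-dev` identifier is alphanumeric and outranks the numeric `1`), so tooling that compares spec versions semantically will treat this development snapshot as newer than the rc.1 release.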