1 package annotations 2 3 const ( 4 // ContainerMemorySizeInMB overrides the container memory size set 5 // via the OCI spec. 6 // 7 // Note: This annotation is in MB. OCI is in Bytes. When using this override 8 // the caller MUST use MB or sizing will be wrong. 9 // 10 // Note: This is only present because CRI does not (currently) have a 11 // `WindowsPodSandboxConfig` for setting this correctly. It should not be 12 // used via OCI runtimes and rather use 13 // `spec.Windows.Resources.Memory.Limit`. 14 ContainerMemorySizeInMB = "io.microsoft.container.memory.sizeinmb" 15 16 // ContainerProcessorCount overrides the container processor count 17 // set via the OCI spec. 18 // 19 // Note: For Windows Process Containers CPU Count/Limit/Weight are mutually 20 // exclusive and the caller MUST only set one of the values. 21 // 22 // Note: This is only present because CRI does not (currently) have a 23 // `WindowsPodSandboxConfig` for setting this correctly. It should not be 24 // used via OCI runtimes and rather use `spec.Windows.Resources.CPU.Count`. 25 ContainerProcessorCount = "io.microsoft.container.processor.count" 26 27 // ContainerProcessorLimit overrides the container processor limit 28 // set via the OCI spec. 29 // 30 // Limit allows values 1 - 10,000 where 10,000 means 100% CPU. (And is the 31 // default if omitted) 32 // 33 // Note: For Windows Process Containers CPU Count/Limit/Weight are mutually 34 // exclusive and the caller MUST only set one of the values. 35 // 36 // Note: This is only present because CRI does not (currently) have a 37 // `WindowsPodSandboxConfig` for setting this correctly. It should not be 38 // used via OCI runtimes and rather use 39 // `spec.Windows.Resources.CPU.Maximum`. 40 ContainerProcessorLimit = "io.microsoft.container.processor.limit" 41 42 // ContainerProcessorWeight overrides the container processor 43 // weight set via the OCI spec. 44 // 45 // Weight allows values 0 - 10,000. (100 is the default) 46 // 47 // Note: For Windows Process Containers CPU Count/Limit/Weight are mutually 48 // exclusive and the caller MUST only set one of the values. 49 // 50 // Note: This is only present because CRI does not (currently) have a 51 // `WindowsPodSandboxConfig` for setting this correctly. It should not be 52 // used via OCI runtimes and rather use `spec.Windows.Resources.CPU.Shares`. 53 ContainerProcessorWeight = "io.microsoft.container.processor.weight" 54 55 // ContainerStorageQoSBandwidthMaximum overrides the container 56 // storage bandwidth per second set via the OCI spec. 57 // 58 // Note: This is only present because CRI does not (currently) have a 59 // `WindowsPodSandboxConfig` for setting this correctly. It should not be 60 // used via OCI runtimes and rather use 61 // `spec.Windows.Resources.Storage.Bps`. 62 ContainerStorageQoSBandwidthMaximum = "io.microsoft.container.storage.qos.bandwidthmaximum" 63 64 // ContainerStorageQoSIopsMaximum overrides the container storage 65 // maximum iops set via the OCI spec. 66 // 67 // Note: This is only present because CRI does not (currently) have a 68 // `WindowsPodSandboxConfig` for setting this correctly. It should not be 69 // used via OCI runtimes and rather use 70 // `spec.Windows.Resources.Storage.Iops`. 71 ContainerStorageQoSIopsMaximum = "io.microsoft.container.storage.qos.iopsmaximum" 72 73 // GPUVHDPath overrides the default path to search for the gpu vhd 74 GPUVHDPath = "io.microsoft.lcow.gpuvhdpath" 75 76 // ContainerGPUCapabilities is used to find the gpu capabilities on the container spec 77 ContainerGPUCapabilities = "io.microsoft.container.gpu.capabilities" 78 79 // VirtualMachineKernelDrivers indicates what drivers to install in the pod. 80 // This value should contain a list of comma separated directories containing all 81 // files and information needed to install given driver(s). For windows, this may 82 // include .sys, .inf, .cer, and/or other files used during standard installation with pnputil. 83 // For LCOW, this may include a vhd file that contains kernel modules as *.ko files. 84 VirtualMachineKernelDrivers = "io.microsoft.virtualmachine.kerneldrivers" 85 86 // DeviceExtensions contains a comma separated list of full paths to device extension files. 87 // The content of these are added to a container's hcs create document. 88 DeviceExtensions = "io.microsoft.container.wcow.deviceextensions" 89 90 // HostProcessInheritUser indicates whether to ignore the username passed in to run a host process 91 // container as and instead inherit the user token from the executable that is launching the container process. 92 HostProcessInheritUser = "microsoft.com/hostprocess-inherit-user" 93 94 // HostProcessContainer indicates to launch a host process container (job container in this repository). 95 HostProcessContainer = "microsoft.com/hostprocess-container" 96 97 // HostProcessRootfsLocation indicates where the rootfs for a host process container should be located. If file binding support is 98 // available (Windows versions 20H1 and up) this will be the absolute path where the rootfs for a container will be located on the host 99 // and will be unique per container. On < 20H1 hosts, the location will be C:\<path-supplied>\<containerID>. So for example, if the value 100 // supplied was C:\rootfs and the container's ID is 12345678 the rootfs will be located at C:\rootfs\12345678. 101 HostProcessRootfsLocation = "microsoft.com/hostprocess-rootfs-location" 102 103 // AllowOvercommit indicates if we should allow over commit memory for UVM. 104 // Defaults to true. For physical backed memory, set to false. 105 AllowOvercommit = "io.microsoft.virtualmachine.computetopology.memory.allowovercommit" 106 107 // EnableDeferredCommit indicates if we should allow deferred memory commit for UVM. 108 // Defaults to false. For virtual memory with deferred commit, set to true. 109 EnableDeferredCommit = "io.microsoft.virtualmachine.computetopology.memory.enabledeferredcommit" 110 111 // EnableColdDiscardHint indicates whether to enable cold discard hint, which allows the UVM 112 // to trim non-zeroed pages from the working set (if supported by the guest operating system). 113 EnableColdDiscardHint = "io.microsoft.virtualmachine.computetopology.memory.enablecolddiscardhint" 114 115 // MemorySizeInMB overrides the container memory size set via the 116 // OCI spec. 117 // 118 // Note: This annotation is in MB. OCI is in Bytes. When using this override 119 // the caller MUST use MB or sizing will be wrong. 120 MemorySizeInMB = "io.microsoft.virtualmachine.computetopology.memory.sizeinmb" 121 122 // MemoryLowMMIOGapInMB indicates the low MMIO gap in MB 123 MemoryLowMMIOGapInMB = "io.microsoft.virtualmachine.computetopology.memory.lowmmiogapinmb" 124 125 // MemoryHighMMIOBaseInMB indicates the high MMIO base in MB 126 MemoryHighMMIOBaseInMB = "io.microsoft.virtualmachine.computetopology.memory.highmmiobaseinmb" 127 128 // MemoryHighMMIOBaseInMB indicates the high MMIO gap in MB 129 MemoryHighMMIOGapInMB = "io.microsoft.virtualmachine.computetopology.memory.highmmiogapinmb" 130 131 // ProcessorCount overrides the hypervisor isolated vCPU count set 132 // via the OCI spec. 133 // 134 // Note: Unlike Windows process isolated container QoS Count/Limt/Weight on 135 // the UVM are not mutually exclusive and can be set together. 136 ProcessorCount = "io.microsoft.virtualmachine.computetopology.processor.count" 137 138 // ProcessorLimit overrides the hypervisor isolated vCPU limit set 139 // via the OCI spec. 140 // 141 // Limit allows values 1 - 100,000 where 100,000 means 100% CPU. (And is the 142 // default if omitted) 143 // 144 // Note: Unlike Windows process isolated container QoS Count/Limt/Weight on 145 // the UVM are not mutually exclusive and can be set together. 146 ProcessorLimit = "io.microsoft.virtualmachine.computetopology.processor.limit" 147 148 // ProcessorWeight overrides the hypervisor isolated vCPU weight set 149 // via the OCI spec. 150 // 151 // Weight allows values 0 - 10,000. (100 is the default if omitted) 152 // 153 // Note: Unlike Windows process isolated container QoS Count/Limt/Weight on 154 // the UVM are not mutually exclusive and can be set together. 155 ProcessorWeight = "io.microsoft.virtualmachine.computetopology.processor.weight" 156 157 // VPMemCount indicates the max number of vpmem devices that can be used on the UVM 158 VPMemCount = "io.microsoft.virtualmachine.devices.virtualpmem.maximumcount" 159 160 // VPMemSize indicates the size of the VPMem devices. 161 VPMemSize = "io.microsoft.virtualmachine.devices.virtualpmem.maximumsizebytes" 162 163 // PreferredRootFSType indicates what the preferred rootfs type should be for an LCOW UVM. 164 // valid values are "initrd" or "vhd" 165 PreferredRootFSType = "io.microsoft.virtualmachine.lcow.preferredrootfstype" 166 167 // BootFilesRootPath indicates the path to find the LCOW boot files to use when creating the UVM 168 BootFilesRootPath = "io.microsoft.virtualmachine.lcow.bootfilesrootpath" 169 170 // KernelDirectBoot indicates that we should skip UEFI and boot directly to `kernel` 171 KernelDirectBoot = "io.microsoft.virtualmachine.lcow.kerneldirectboot" 172 173 // VPCIEnabled indicates that pci support should be enabled for the LCOW UVM 174 VPCIEnabled = "io.microsoft.virtualmachine.lcow.vpcienabled" 175 176 // VPMemNoMultiMapping indicates that we should disable LCOW vpmem layer multi mapping 177 VPMemNoMultiMapping = "io.microsoft.virtualmachine.lcow.vpmem.nomultimapping" 178 179 // KernelBootOptions is used to specify kernel options used while booting a linux kernel 180 KernelBootOptions = "io.microsoft.virtualmachine.lcow.kernelbootoptions" 181 182 // StorageQoSBandwidthMaximum indicates the maximum number of bytes per second. If `0` 183 // will default to the platform default. 184 StorageQoSBandwidthMaximum = "io.microsoft.virtualmachine.storageqos.bandwidthmaximum" 185 186 // StorageQoSIopsMaximum indicates the maximum number of Iops. If `0` will 187 // default to the platform default. 188 StorageQoSIopsMaximum = "io.microsoft.virtualmachine.storageqos.iopsmaximum" 189 190 // FullyPhysicallyBacked indicates that the UVM should use physically backed memory only, 191 // including for additional devices added later. 192 FullyPhysicallyBacked = "io.microsoft.virtualmachine.fullyphysicallybacked" 193 194 // DisableCompartmentNamespace sets whether to disable namespacing the network compartment in the UVM 195 // for WCOW. 196 DisableCompartmentNamespace = "io.microsoft.virtualmachine.disablecompartmentnamespace" 197 198 // VSMBNoDirectMap specifies that no direct mapping should be used for any VSMBs added to the UVM 199 VSMBNoDirectMap = "io.microsoft.virtualmachine.wcow.virtualSMB.nodirectmap" 200 201 // DisableWritableFileShares disables adding any writable fileshares to the UVM 202 DisableWritableFileShares = "io.microsoft.virtualmachine.fileshares.disablewritable" 203 204 // CPUGroupID specifies the cpugroup ID that a UVM should be assigned to if any 205 CPUGroupID = "io.microsoft.virtualmachine.cpugroup.id" 206 207 // NetworkConfigProxy holds the address of the network config proxy service. 208 // If set, network setup will be attempted via ncproxy. 209 NetworkConfigProxy = "io.microsoft.network.ncproxy" 210 211 // NcproxyContainerID indicates whether or not to use the hcsshim container ID 212 // when setting up ncproxy and computeagent 213 NcproxyContainerID = "io.microsoft.network.ncproxy.containerid" 214 215 // EncryptedScratchDisk indicates whether or not the container scratch disks 216 // should be encrypted or not 217 EncryptedScratchDisk = "io.microsoft.virtualmachine.storage.scratch.encrypted" 218 219 // SecurityPolicy is used to specify a security policy for opengcs to enforce 220 SecurityPolicy = "io.microsoft.virtualmachine.lcow.securitypolicy" 221 222 // SecurityPolicyEnforcer is used to specify which enforcer to initialize (open-door, standard or rego). 223 // This allows for better fallback mechanics. 224 SecurityPolicyEnforcer = "io.microsoft.virtualmachine.lcow.enforcer" 225 226 // ContainerProcessDumpLocation specifies a path inside of containers to save process dumps to. As 227 // the scratch space for a container is generally cleaned up after exit, this is best set to a volume mount of 228 // some kind (vhd, bind mount, fileshare mount etc.) 229 ContainerProcessDumpLocation = "io.microsoft.container.processdumplocation" 230 231 // WCOWProcessDumpType specifies the type of dump to create when generating a local user mode 232 // process dump for Windows containers. The supported options are "mini", and "full". 233 // See DumpType: https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps 234 WCOWProcessDumpType = "io.microsoft.wcow.processdumptype" 235 236 // WCOWProcessDumpCount specifies the maximum number of dumps to be collected in the specified 237 // ContainerProcessDumpLocation path. When the maximum value is exceeded, the oldest dump file in the 238 // folder will be replaced by the new dump file. The default value is 10. 239 WCOWProcessDumpCount = "io.microsoft.wcow.processdumpcount" 240 241 // RLimitCore specifies the core rlimit value for a container. This will need to be set 242 // in order to have core dumps generated for a given container. 243 RLimitCore = "io.microsoft.lcow.rlimitcore" 244 245 // LCOWDevShmSizeInKb specifies the size of LCOW /dev/shm. 246 LCOWDevShmSizeInKb = "io.microsoft.lcow.shm.size-kb" 247 248 // LCOWPrivileged is used to specify that the container should be run in privileged mode 249 LCOWPrivileged = "io.microsoft.virtualmachine.lcow.privileged" 250 251 // KubernetesContainerType is the annotation used by CRI to define the `ContainerType`. 252 KubernetesContainerType = "io.kubernetes.cri.container-type" 253 254 // KubernetesSandboxID is the annotation used by CRI to define the 255 // KubernetesContainerType == "sandbox"` ID. 256 KubernetesSandboxID = "io.kubernetes.cri.sandbox-id" 257 258 // NoSecurityHardware allows us, when it is set to true, to do testing and development without requiring SNP hardware 259 NoSecurityHardware = "io.microsoft.virtualmachine.lcow.no_security_hardware" 260 261 // GuestStateFile specifies the path of the vmgs file to use if required. Only applies in SNP mode. 262 GuestStateFile = "io.microsoft.virtualmachine.lcow.gueststatefile" 263 264 // UVMSecurityPolicyEnv specifies if confidential containers' related information 265 // should be written to containers' rootfs. The filenames and location are defined 266 // by securitypolicy.PolicyFilename, securitypolicy.HostAMDCertFilename and 267 // securitypolicy.ReferenceInfoFilename. 268 UVMSecurityPolicyEnv = "io.microsoft.virtualmachine.lcow.securitypolicy.env" 269 270 // UVMReferenceInfoFile specifies the filename of a signed UVM reference file to be passed to UVM. 271 UVMReferenceInfoFile = "io.microsoft.virtualmachine.lcow.uvm-reference-info-file" 272 273 // HostAMDCertificate specifies the filename of the AMD certificates to be passed to UVM. 274 // The certificate is expected to be located in the same directory as the shim executable. 275 HostAMDCertificate = "io.microsoft.virtualmachine.lcow.amd-certificate" 276 277 // DisableLCOWTimeSyncService is used to disable the chronyd time 278 // synchronization service inside the LCOW UVM. 279 DisableLCOWTimeSyncService = "io.microsoft.virtualmachine.lcow.timesync.disable" 280 281 // NoInheritHostTimezone specifies for the hosts timezone to not be inherited by the WCOW UVM. The UVM will be set to UTC time 282 // as a default. 283 NoInheritHostTimezone = "io.microsoft.virtualmachine.wcow.timezone.noinherit" 284 285 // WCOWDisableGMSA disables providing gMSA (Group Managed Service Accounts) to 286 // a WCOW container 287 WCOWDisableGMSA = "io.microsoft.container.wcow.gmsa.disable" 288 289 // DisableUnsafeOperations disables several unsafe operations, such as writable 290 // file share mounts, for hostile multi-tenant environments. See `AnnotationExpansions` 291 // for more information 292 DisableUnsafeOperations = "io.microsoft.disable-unsafe-operations" 293 294 // DumpDirectoryPath provides a path to the directory in which dumps for a UVM will be collected in 295 // case the UVM crashes. 296 DumpDirectoryPath = "io.microsoft.virtualmachine.dump-directory-path" 297 ) 298 299 // AnnotationExpansions maps annotations that will be expanded into an array of 300 // other annotations. The expanded annotations will have the same value as the 301 // original. It is an error for the expansions to already exist and have a value 302 // that differs from the original. 303 var AnnotationExpansions = map[string][]string{ 304 DisableUnsafeOperations: { 305 WCOWDisableGMSA, 306 DisableWritableFileShares, 307 VSMBNoDirectMap, 308 }, 309 } 310