
Text file src/github.com/opencontainers/runtime-spec/features-linux.md

Documentation: github.com/opencontainers/runtime-spec

# <a name="linuxFeatures" />Linux Features Structure

This document describes the [Linux-specific section](features.md#platform-specific-features) of the [Features structure](features.md).

## <a name="linuxFeaturesNamespaces" />Namespaces

* **`namespaces`** (array of strings, OPTIONAL) The recognized names of the namespaces, including namespaces that might not be supported by the host operating system.
  The runtime MUST recognize the elements in this array as the [`type` of `linux.namespaces` objects in `config.json`](config-linux.md#namespaces).

### Example

```json
"namespaces": [
  "cgroup",
  "ipc",
  "mount",
  "network",
  "pid",
  "user",
  "uts"
]
```

## <a name="linuxFeaturesCapabilities" />Capabilities

* **`capabilities`** (array of strings, OPTIONAL) The recognized names of the capabilities, including capabilities that might not be supported by the host operating system.
  The runtime MUST recognize the elements in this array in the [`process.capabilities` object of `config.json`](config.md#linux-process).

### Example

```json
"capabilities": [
  "CAP_CHOWN",
  "CAP_DAC_OVERRIDE",
  "CAP_DAC_READ_SEARCH",
  "CAP_FOWNER",
  "CAP_FSETID",
  "CAP_KILL",
  "CAP_SETGID",
  "CAP_SETUID",
  "CAP_SETPCAP",
  "CAP_LINUX_IMMUTABLE",
  "CAP_NET_BIND_SERVICE",
  "CAP_NET_BROADCAST",
  "CAP_NET_ADMIN",
  "CAP_NET_RAW",
  "CAP_IPC_LOCK",
  "CAP_IPC_OWNER",
  "CAP_SYS_MODULE",
  "CAP_SYS_RAWIO",
  "CAP_SYS_CHROOT",
  "CAP_SYS_PTRACE",
  "CAP_SYS_PACCT",
  "CAP_SYS_ADMIN",
  "CAP_SYS_BOOT",
  "CAP_SYS_NICE",
  "CAP_SYS_RESOURCE",
  "CAP_SYS_TIME",
  "CAP_SYS_TTY_CONFIG",
  "CAP_MKNOD",
  "CAP_LEASE",
  "CAP_AUDIT_WRITE",
  "CAP_AUDIT_CONTROL",
  "CAP_SETFCAP",
  "CAP_MAC_OVERRIDE",
  "CAP_MAC_ADMIN",
  "CAP_SYSLOG",
  "CAP_WAKE_ALARM",
  "CAP_BLOCK_SUSPEND",
  "CAP_AUDIT_READ",
  "CAP_PERFMON",
  "CAP_BPF",
  "CAP_CHECKPOINT_RESTORE"
]
```

## <a name="linuxFeaturesCgroup" />Cgroup

**`cgroup`** (object, OPTIONAL) represents the runtime's implementation status of cgroup managers.
This status is independent of the cgroup version of the host operating system.

* **`v1`** (bool, OPTIONAL) represents whether the runtime supports cgroup v1.
* **`v2`** (bool, OPTIONAL) represents whether the runtime supports cgroup v2.
* **`systemd`** (bool, OPTIONAL) represents whether the runtime supports the system-wide systemd cgroup manager.
* **`systemdUser`** (bool, OPTIONAL) represents whether the runtime supports the user-scoped systemd cgroup manager.
* **`rdma`** (bool, OPTIONAL) represents whether the runtime supports the RDMA cgroup controller.

### Example

```json
"cgroup": {
  "v1": true,
  "v2": true,
  "systemd": true,
  "systemdUser": true,
  "rdma": false
}
```

## <a name="linuxFeaturesSeccomp" />Seccomp

**`seccomp`** (object, OPTIONAL) represents the runtime's implementation status of seccomp.
This status is independent of the kernel version of the host operating system.

* **`enabled`** (bool, OPTIONAL) represents whether the runtime supports seccomp.
* **`actions`** (array of strings, OPTIONAL) The recognized names of the seccomp actions.
  The runtime MUST recognize the elements in this array in the [`syscalls[].action` property of the `linux.seccomp` object in `config.json`](config-linux.md#seccomp).
* **`operators`** (array of strings, OPTIONAL) The recognized names of the seccomp operators.
  The runtime MUST recognize the elements in this array in the [`syscalls[].args[].op` property of the `linux.seccomp` object in `config.json`](config-linux.md#seccomp).
* **`archs`** (array of strings, OPTIONAL) The recognized names of the seccomp architectures.
  The runtime MUST recognize the elements in this array in the [`architectures` property of the `linux.seccomp` object in `config.json`](config-linux.md#seccomp).
* **`knownFlags`** (array of strings, OPTIONAL) The recognized names of the seccomp flags.
  The runtime MUST recognize the elements in this array in the [`flags` property of the `linux.seccomp` object in `config.json`](config-linux.md#seccomp).
* **`supportedFlags`** (array of strings, OPTIONAL) The recognized and supported names of the seccomp flags.
  This list may be a subset of `knownFlags`, because some flags may not be supported by the current kernel and/or libseccomp.
  The runtime MUST recognize and support the elements in this array in the [`flags` property of the `linux.seccomp` object in `config.json`](config-linux.md#seccomp).

### Example

```json
"seccomp": {
  "enabled": true,
  "actions": [
    "SCMP_ACT_ALLOW",
    "SCMP_ACT_ERRNO",
    "SCMP_ACT_KILL",
    "SCMP_ACT_LOG",
    "SCMP_ACT_NOTIFY",
    "SCMP_ACT_TRACE",
    "SCMP_ACT_TRAP"
  ],
  "operators": [
    "SCMP_CMP_EQ",
    "SCMP_CMP_GE",
    "SCMP_CMP_GT",
    "SCMP_CMP_LE",
    "SCMP_CMP_LT",
    "SCMP_CMP_MASKED_EQ",
    "SCMP_CMP_NE"
  ],
  "archs": [
    "SCMP_ARCH_AARCH64",
    "SCMP_ARCH_ARM",
    "SCMP_ARCH_MIPS",
    "SCMP_ARCH_MIPS64",
    "SCMP_ARCH_MIPS64N32",
    "SCMP_ARCH_MIPSEL",
    "SCMP_ARCH_MIPSEL64",
    "SCMP_ARCH_MIPSEL64N32",
    "SCMP_ARCH_PPC",
    "SCMP_ARCH_PPC64",
    "SCMP_ARCH_PPC64LE",
    "SCMP_ARCH_S390",
    "SCMP_ARCH_S390X",
    "SCMP_ARCH_X32",
    "SCMP_ARCH_X86",
    "SCMP_ARCH_X86_64"
  ],
  "knownFlags": [
    "SECCOMP_FILTER_FLAG_LOG"
  ],
  "supportedFlags": [
    "SECCOMP_FILTER_FLAG_LOG"
  ]
}
```
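As an added example (not code from runtime-spec or from any runtime), the following Go checker loads a constructed features document and reports which `process.capabilities` and `linux.seccomp.flags` values from a `config.json` the runtime would not honour, treating a flag that appears in `knownFlags` but not in `supportedFlags` differently from one that is not recognized at all. The struct, the sample document and the `CheckConfig` function are this example's own.

```go
package main

import "encoding/json"

// Subset of the Linux features structure above; this struct is the example's own.
type LinuxFeatures struct {
	Capabilities []string `json:"capabilities"`
	Seccomp      struct {
		KnownFlags     []string `json:"knownFlags"`
		SupportedFlags []string `json:"supportedFlags"`
	} `json:"seccomp"`
}

// Constructed features document (not real runtime output); TSYNC is known but unsupported.
const featuresJSON = `{"capabilities": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE", "CAP_SYS_ADMIN"],
  "seccomp": {"knownFlags": ["SECCOMP_FILTER_FLAG_LOG", "SECCOMP_FILTER_FLAG_TSYNC"],
              "supportedFlags": ["SECCOMP_FILTER_FLAG_LOG"]}}`

func LoadFeatures(data string) (*LinuxFeatures, error) {
	f := &LinuxFeatures{}
	return f, json.Unmarshal([]byte(data), f)
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// CheckConfig returns one message per config.json value the runtime would not honour:
// unrecognized process.capabilities entries, and linux.seccomp.flags entries that are
// recognized (knownFlags) but unusable on this kernel/libseccomp (not in supportedFlags).
func CheckConfig(f *LinuxFeatures, caps, flags []string) (problems []string) {
	for _, c := range caps {
		if !contains(f.Capabilities, c) {
			problems = append(problems, "unknown capability: "+c)
		}
	}
	for _, fl := range flags {
		switch {
		case !contains(f.Seccomp.KnownFlags, fl):
			problems = append(problems, "unknown seccomp flag: "+fl)
		case !contains(f.Seccomp.SupportedFlags, fl):
			problems = append(problems, "seccomp flag known but unsupported here: "+fl)
		}
	}
	return problems
}
```

Running the same check against a real runtime's features output before launching a container turns a silently ignored or failing setting into an explicit error at configuration time.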

## <a name="linuxFeaturesApparmor" />AppArmor

**`apparmor`** (object, OPTIONAL) represents the runtime's implementation status of AppArmor.
This status is independent of whether AppArmor is available on the host operating system.

* **`enabled`** (bool, OPTIONAL) represents whether the runtime supports AppArmor.

### Example

```json
"apparmor": {
  "enabled": true
}
```

## <a name="linuxFeaturesSelinux" />SELinux

**`selinux`** (object, OPTIONAL) represents the runtime's implementation status of SELinux.
This status is independent of whether SELinux is available on the host operating system.

* **`enabled`** (bool, OPTIONAL) represents whether the runtime supports SELinux.

### Example

```json
"selinux": {
  "enabled": true
}
```

## <a name="linuxFeaturesIntelRdt" />Intel RDT

**`intelRdt`** (object, OPTIONAL) represents the runtime's implementation status of Intel RDT.
This status is independent of whether Intel RDT is available on the host operating system.

* **`enabled`** (bool, OPTIONAL) represents whether the runtime supports Intel RDT.

### Example

```json
"intelRdt": {
  "enabled": true
}
```
