1 package specs 2 3 import "os" 4 5 // Spec is the base configuration for the container. 6 type Spec struct { 7 // Version of the Open Container Initiative Runtime Specification with which the bundle complies. 8 Version string `json:"ociVersion"` 9 // Process configures the container process. 10 Process *Process `json:"process,omitempty"` 11 // Root configures the container's root filesystem. 12 Root *Root `json:"root,omitempty"` 13 // Hostname configures the container's hostname. 14 Hostname string `json:"hostname,omitempty"` 15 // Domainname configures the container's domainname. 16 Domainname string `json:"domainname,omitempty"` 17 // Mounts configures additional mounts (on top of Root). 18 Mounts []Mount `json:"mounts,omitempty"` 19 // Hooks configures callbacks for container lifecycle events. 20 Hooks *Hooks `json:"hooks,omitempty" platform:"linux,solaris,zos"` 21 // Annotations contains arbitrary metadata for the container. 22 Annotations map[string]string `json:"annotations,omitempty"` 23 24 // Linux is platform-specific configuration for Linux based containers. 25 Linux *Linux `json:"linux,omitempty" platform:"linux"` 26 // Solaris is platform-specific configuration for Solaris based containers. 27 Solaris *Solaris `json:"solaris,omitempty" platform:"solaris"` 28 // Windows is platform-specific configuration for Windows based containers. 29 Windows *Windows `json:"windows,omitempty" platform:"windows"` 30 // VM specifies configuration for virtual-machine-based containers. 31 VM *VM `json:"vm,omitempty" platform:"vm"` 32 // ZOS is platform-specific configuration for z/OS based containers. 33 ZOS *ZOS `json:"zos,omitempty" platform:"zos"` 34 } 35 36 // Scheduler represents the scheduling attributes for a process. It is based on 37 // the Linux sched_setattr(2) syscall. 38 type Scheduler struct { 39 // Policy represents the scheduling policy (e.g., SCHED_FIFO, SCHED_RR, SCHED_OTHER). 40 Policy LinuxSchedulerPolicy `json:"policy"` 41 42 // Nice is the nice value for the process, which affects its priority. 43 Nice int32 `json:"nice,omitempty"` 44 45 // Priority represents the static priority of the process. 46 Priority int32 `json:"priority,omitempty"` 47 48 // Flags is an array of scheduling flags. 49 Flags []LinuxSchedulerFlag `json:"flags,omitempty"` 50 51 // The following ones are used by the DEADLINE scheduler. 52 53 // Runtime is the amount of time in nanoseconds during which the process 54 // is allowed to run in a given period. 55 Runtime uint64 `json:"runtime,omitempty"` 56 57 // Deadline is the absolute deadline for the process to complete its execution. 58 Deadline uint64 `json:"deadline,omitempty"` 59 60 // Period is the length of the period in nanoseconds used for determining the process runtime. 61 Period uint64 `json:"period,omitempty"` 62 } 63 64 // Process contains information to start a specific application inside the container. 65 type Process struct { 66 // Terminal creates an interactive terminal for the container. 67 Terminal bool `json:"terminal,omitempty"` 68 // ConsoleSize specifies the size of the console. 69 ConsoleSize *Box `json:"consoleSize,omitempty"` 70 // User specifies user information for the process. 71 User User `json:"user"` 72 // Args specifies the binary and arguments for the application to execute. 73 Args []string `json:"args,omitempty"` 74 // CommandLine specifies the full command line for the application to execute on Windows. 75 CommandLine string `json:"commandLine,omitempty" platform:"windows"` 76 // Env populates the process environment for the process. 77 Env []string `json:"env,omitempty"` 78 // Cwd is the current working directory for the process and must be 79 // relative to the container's root. 80 Cwd string `json:"cwd"` 81 // Capabilities are Linux capabilities that are kept for the process. 82 Capabilities *LinuxCapabilities `json:"capabilities,omitempty" platform:"linux"` 83 // Rlimits specifies rlimit options to apply to the process. 84 Rlimits []POSIXRlimit `json:"rlimits,omitempty" platform:"linux,solaris,zos"` 85 // NoNewPrivileges controls whether additional privileges could be gained by processes in the container. 86 NoNewPrivileges bool `json:"noNewPrivileges,omitempty" platform:"linux"` 87 // ApparmorProfile specifies the apparmor profile for the container. 88 ApparmorProfile string `json:"apparmorProfile,omitempty" platform:"linux"` 89 // Specify an oom_score_adj for the container. 90 OOMScoreAdj *int `json:"oomScoreAdj,omitempty" platform:"linux"` 91 // Scheduler specifies the scheduling attributes for a process 92 Scheduler *Scheduler `json:"scheduler,omitempty" platform:"linux"` 93 // SelinuxLabel specifies the selinux context that the container process is run as. 94 SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"` 95 // IOPriority contains the I/O priority settings for the cgroup. 96 IOPriority *LinuxIOPriority `json:"ioPriority,omitempty" platform:"linux"` 97 } 98 99 // LinuxCapabilities specifies the list of allowed capabilities that are kept for a process. 100 // http://man7.org/linux/man-pages/man7/capabilities.7.html 101 type LinuxCapabilities struct { 102 // Bounding is the set of capabilities checked by the kernel. 103 Bounding []string `json:"bounding,omitempty" platform:"linux"` 104 // Effective is the set of capabilities checked by the kernel. 105 Effective []string `json:"effective,omitempty" platform:"linux"` 106 // Inheritable is the capabilities preserved across execve. 107 Inheritable []string `json:"inheritable,omitempty" platform:"linux"` 108 // Permitted is the limiting superset for effective capabilities. 109 Permitted []string `json:"permitted,omitempty" platform:"linux"` 110 // Ambient is the ambient set of capabilities that are kept. 111 Ambient []string `json:"ambient,omitempty" platform:"linux"` 112 } 113 114 // IOPriority represents I/O priority settings for the container's processes within the process group. 115 type LinuxIOPriority struct { 116 Class IOPriorityClass `json:"class"` 117 Priority int `json:"priority"` 118 } 119 120 // IOPriorityClass represents an I/O scheduling class. 121 type IOPriorityClass string 122 123 // Possible values for IOPriorityClass. 124 const ( 125 IOPRIO_CLASS_RT IOPriorityClass = "IOPRIO_CLASS_RT" 126 IOPRIO_CLASS_BE IOPriorityClass = "IOPRIO_CLASS_BE" 127 IOPRIO_CLASS_IDLE IOPriorityClass = "IOPRIO_CLASS_IDLE" 128 ) 129 130 // Box specifies dimensions of a rectangle. Used for specifying the size of a console. 131 type Box struct { 132 // Height is the vertical dimension of a box. 133 Height uint `json:"height"` 134 // Width is the horizontal dimension of a box. 135 Width uint `json:"width"` 136 } 137 138 // User specifies specific user (and group) information for the container process. 139 type User struct { 140 // UID is the user id. 141 UID uint32 `json:"uid" platform:"linux,solaris,zos"` 142 // GID is the group id. 143 GID uint32 `json:"gid" platform:"linux,solaris,zos"` 144 // Umask is the umask for the init process. 145 Umask *uint32 `json:"umask,omitempty" platform:"linux,solaris,zos"` 146 // AdditionalGids are additional group ids set for the container's process. 147 AdditionalGids []uint32 `json:"additionalGids,omitempty" platform:"linux,solaris"` 148 // Username is the user name. 149 Username string `json:"username,omitempty" platform:"windows"` 150 } 151 152 // Root contains information about the container's root filesystem on the host. 153 type Root struct { 154 // Path is the absolute path to the container's root filesystem. 155 Path string `json:"path"` 156 // Readonly makes the root filesystem for the container readonly before the process is executed. 157 Readonly bool `json:"readonly,omitempty"` 158 } 159 160 // Mount specifies a mount for a container. 161 type Mount struct { 162 // Destination is the absolute path where the mount will be placed in the container. 163 Destination string `json:"destination"` 164 // Type specifies the mount kind. 165 Type string `json:"type,omitempty" platform:"linux,solaris,zos"` 166 // Source specifies the source path of the mount. 167 Source string `json:"source,omitempty"` 168 // Options are fstab style mount options. 169 Options []string `json:"options,omitempty"` 170 171 // UID/GID mappings used for changing file owners w/o calling chown, fs should support it. 172 // Every mount point could have its own mapping. 173 UIDMappings []LinuxIDMapping `json:"uidMappings,omitempty" platform:"linux"` 174 GIDMappings []LinuxIDMapping `json:"gidMappings,omitempty" platform:"linux"` 175 } 176 177 // Hook specifies a command that is run at a particular event in the lifecycle of a container 178 type Hook struct { 179 Path string `json:"path"` 180 Args []string `json:"args,omitempty"` 181 Env []string `json:"env,omitempty"` 182 Timeout *int `json:"timeout,omitempty"` 183 } 184 185 // Hooks specifies a command that is run in the container at a particular event in the lifecycle of a container 186 // Hooks for container setup and teardown 187 type Hooks struct { 188 // Prestart is Deprecated. Prestart is a list of hooks to be run before the container process is executed. 189 // It is called in the Runtime Namespace 190 Prestart []Hook `json:"prestart,omitempty"` 191 // CreateRuntime is a list of hooks to be run after the container has been created but before pivot_root or any equivalent operation has been called 192 // It is called in the Runtime Namespace 193 CreateRuntime []Hook `json:"createRuntime,omitempty"` 194 // CreateContainer is a list of hooks to be run after the container has been created but before pivot_root or any equivalent operation has been called 195 // It is called in the Container Namespace 196 CreateContainer []Hook `json:"createContainer,omitempty"` 197 // StartContainer is a list of hooks to be run after the start operation is called but before the container process is started 198 // It is called in the Container Namespace 199 StartContainer []Hook `json:"startContainer,omitempty"` 200 // Poststart is a list of hooks to be run after the container process is started. 201 // It is called in the Runtime Namespace 202 Poststart []Hook `json:"poststart,omitempty"` 203 // Poststop is a list of hooks to be run after the container process exits. 204 // It is called in the Runtime Namespace 205 Poststop []Hook `json:"poststop,omitempty"` 206 } 207 208 // Linux contains platform-specific configuration for Linux based containers. 209 type Linux struct { 210 // UIDMapping specifies user mappings for supporting user namespaces. 211 UIDMappings []LinuxIDMapping `json:"uidMappings,omitempty"` 212 // GIDMapping specifies group mappings for supporting user namespaces. 213 GIDMappings []LinuxIDMapping `json:"gidMappings,omitempty"` 214 // Sysctl are a set of key value pairs that are set for the container on start 215 Sysctl map[string]string `json:"sysctl,omitempty"` 216 // Resources contain cgroup information for handling resource constraints 217 // for the container 218 Resources *LinuxResources `json:"resources,omitempty"` 219 // CgroupsPath specifies the path to cgroups that are created and/or joined by the container. 220 // The path is expected to be relative to the cgroups mountpoint. 221 // If resources are specified, the cgroups at CgroupsPath will be updated based on resources. 222 CgroupsPath string `json:"cgroupsPath,omitempty"` 223 // Namespaces contains the namespaces that are created and/or joined by the container 224 Namespaces []LinuxNamespace `json:"namespaces,omitempty"` 225 // Devices are a list of device nodes that are created for the container 226 Devices []LinuxDevice `json:"devices,omitempty"` 227 // Seccomp specifies the seccomp security settings for the container. 228 Seccomp *LinuxSeccomp `json:"seccomp,omitempty"` 229 // RootfsPropagation is the rootfs mount propagation mode for the container. 230 RootfsPropagation string `json:"rootfsPropagation,omitempty"` 231 // MaskedPaths masks over the provided paths inside the container. 232 MaskedPaths []string `json:"maskedPaths,omitempty"` 233 // ReadonlyPaths sets the provided paths as RO inside the container. 234 ReadonlyPaths []string `json:"readonlyPaths,omitempty"` 235 // MountLabel specifies the selinux context for the mounts in the container. 236 MountLabel string `json:"mountLabel,omitempty"` 237 // IntelRdt contains Intel Resource Director Technology (RDT) information for 238 // handling resource constraints and monitoring metrics (e.g., L3 cache, memory bandwidth) for the container 239 IntelRdt *LinuxIntelRdt `json:"intelRdt,omitempty"` 240 // Personality contains configuration for the Linux personality syscall 241 Personality *LinuxPersonality `json:"personality,omitempty"` 242 // TimeOffsets specifies the offset for supporting time namespaces. 243 TimeOffsets map[string]LinuxTimeOffset `json:"timeOffsets,omitempty"` 244 } 245 246 // LinuxNamespace is the configuration for a Linux namespace 247 type LinuxNamespace struct { 248 // Type is the type of namespace 249 Type LinuxNamespaceType `json:"type"` 250 // Path is a path to an existing namespace persisted on disk that can be joined 251 // and is of the same type 252 Path string `json:"path,omitempty"` 253 } 254 255 // LinuxNamespaceType is one of the Linux namespaces 256 type LinuxNamespaceType string 257 258 const ( 259 // PIDNamespace for isolating process IDs 260 PIDNamespace LinuxNamespaceType = "pid" 261 // NetworkNamespace for isolating network devices, stacks, ports, etc 262 NetworkNamespace LinuxNamespaceType = "network" 263 // MountNamespace for isolating mount points 264 MountNamespace LinuxNamespaceType = "mount" 265 // IPCNamespace for isolating System V IPC, POSIX message queues 266 IPCNamespace LinuxNamespaceType = "ipc" 267 // UTSNamespace for isolating hostname and NIS domain name 268 UTSNamespace LinuxNamespaceType = "uts" 269 // UserNamespace for isolating user and group IDs 270 UserNamespace LinuxNamespaceType = "user" 271 // CgroupNamespace for isolating cgroup hierarchies 272 CgroupNamespace LinuxNamespaceType = "cgroup" 273 // TimeNamespace for isolating the clocks 274 TimeNamespace LinuxNamespaceType = "time" 275 ) 276 277 // LinuxIDMapping specifies UID/GID mappings 278 type LinuxIDMapping struct { 279 // ContainerID is the starting UID/GID in the container 280 ContainerID uint32 `json:"containerID"` 281 // HostID is the starting UID/GID on the host to be mapped to 'ContainerID' 282 HostID uint32 `json:"hostID"` 283 // Size is the number of IDs to be mapped 284 Size uint32 `json:"size"` 285 } 286 287 // LinuxTimeOffset specifies the offset for Time Namespace 288 type LinuxTimeOffset struct { 289 // Secs is the offset of clock (in secs) in the container 290 Secs int64 `json:"secs,omitempty"` 291 // Nanosecs is the additional offset for Secs (in nanosecs) 292 Nanosecs uint32 `json:"nanosecs,omitempty"` 293 } 294 295 // POSIXRlimit type and restrictions 296 type POSIXRlimit struct { 297 // Type of the rlimit to set 298 Type string `json:"type"` 299 // Hard is the hard limit for the specified type 300 Hard uint64 `json:"hard"` 301 // Soft is the soft limit for the specified type 302 Soft uint64 `json:"soft"` 303 } 304 305 // LinuxHugepageLimit structure corresponds to limiting kernel hugepages. 306 // Default to reservation limits if supported. Otherwise fallback to page fault limits. 307 type LinuxHugepageLimit struct { 308 // Pagesize is the hugepage size. 309 // Format: "<size><unit-prefix>B' (e.g. 64KB, 2MB, 1GB, etc.). 310 Pagesize string `json:"pageSize"` 311 // Limit is the limit of "hugepagesize" hugetlb reservations (if supported) or usage. 312 Limit uint64 `json:"limit"` 313 } 314 315 // LinuxInterfacePriority for network interfaces 316 type LinuxInterfacePriority struct { 317 // Name is the name of the network interface 318 Name string `json:"name"` 319 // Priority for the interface 320 Priority uint32 `json:"priority"` 321 } 322 323 // LinuxBlockIODevice holds major:minor format supported in blkio cgroup 324 type LinuxBlockIODevice struct { 325 // Major is the device's major number. 326 Major int64 `json:"major"` 327 // Minor is the device's minor number. 328 Minor int64 `json:"minor"` 329 } 330 331 // LinuxWeightDevice struct holds a `major:minor weight` pair for weightDevice 332 type LinuxWeightDevice struct { 333 LinuxBlockIODevice 334 // Weight is the bandwidth rate for the device. 335 Weight *uint16 `json:"weight,omitempty"` 336 // LeafWeight is the bandwidth rate for the device while competing with the cgroup's child cgroups, CFQ scheduler only 337 LeafWeight *uint16 `json:"leafWeight,omitempty"` 338 } 339 340 // LinuxThrottleDevice struct holds a `major:minor rate_per_second` pair 341 type LinuxThrottleDevice struct { 342 LinuxBlockIODevice 343 // Rate is the IO rate limit per cgroup per device 344 Rate uint64 `json:"rate"` 345 } 346 347 // LinuxBlockIO for Linux cgroup 'blkio' resource management 348 type LinuxBlockIO struct { 349 // Specifies per cgroup weight 350 Weight *uint16 `json:"weight,omitempty"` 351 // Specifies tasks' weight in the given cgroup while competing with the cgroup's child cgroups, CFQ scheduler only 352 LeafWeight *uint16 `json:"leafWeight,omitempty"` 353 // Weight per cgroup per device, can override BlkioWeight 354 WeightDevice []LinuxWeightDevice `json:"weightDevice,omitempty"` 355 // IO read rate limit per cgroup per device, bytes per second 356 ThrottleReadBpsDevice []LinuxThrottleDevice `json:"throttleReadBpsDevice,omitempty"` 357 // IO write rate limit per cgroup per device, bytes per second 358 ThrottleWriteBpsDevice []LinuxThrottleDevice `json:"throttleWriteBpsDevice,omitempty"` 359 // IO read rate limit per cgroup per device, IO per second 360 ThrottleReadIOPSDevice []LinuxThrottleDevice `json:"throttleReadIOPSDevice,omitempty"` 361 // IO write rate limit per cgroup per device, IO per second 362 ThrottleWriteIOPSDevice []LinuxThrottleDevice `json:"throttleWriteIOPSDevice,omitempty"` 363 } 364 365 // LinuxMemory for Linux cgroup 'memory' resource management 366 type LinuxMemory struct { 367 // Memory limit (in bytes). 368 Limit *int64 `json:"limit,omitempty"` 369 // Memory reservation or soft_limit (in bytes). 370 Reservation *int64 `json:"reservation,omitempty"` 371 // Total memory limit (memory + swap). 372 Swap *int64 `json:"swap,omitempty"` 373 // Kernel memory limit (in bytes). 374 Kernel *int64 `json:"kernel,omitempty"` 375 // Kernel memory limit for tcp (in bytes) 376 KernelTCP *int64 `json:"kernelTCP,omitempty"` 377 // How aggressive the kernel will swap memory pages. 378 Swappiness *uint64 `json:"swappiness,omitempty"` 379 // DisableOOMKiller disables the OOM killer for out of memory conditions 380 DisableOOMKiller *bool `json:"disableOOMKiller,omitempty"` 381 // Enables hierarchical memory accounting 382 UseHierarchy *bool `json:"useHierarchy,omitempty"` 383 // CheckBeforeUpdate enables checking if a new memory limit is lower 384 // than the current usage during update, and if so, rejecting the new 385 // limit. 386 CheckBeforeUpdate *bool `json:"checkBeforeUpdate,omitempty"` 387 } 388 389 // LinuxCPU for Linux cgroup 'cpu' resource management 390 type LinuxCPU struct { 391 // CPU shares (relative weight (ratio) vs. other cgroups with cpu shares). 392 Shares *uint64 `json:"shares,omitempty"` 393 // CPU hardcap limit (in usecs). Allowed cpu time in a given period. 394 Quota *int64 `json:"quota,omitempty"` 395 // CPU hardcap burst limit (in usecs). Allowed accumulated cpu time additionally for burst in a 396 // given period. 397 Burst *uint64 `json:"burst,omitempty"` 398 // CPU period to be used for hardcapping (in usecs). 399 Period *uint64 `json:"period,omitempty"` 400 // How much time realtime scheduling may use (in usecs). 401 RealtimeRuntime *int64 `json:"realtimeRuntime,omitempty"` 402 // CPU period to be used for realtime scheduling (in usecs). 403 RealtimePeriod *uint64 `json:"realtimePeriod,omitempty"` 404 // CPUs to use within the cpuset. Default is to use any CPU available. 405 Cpus string `json:"cpus,omitempty"` 406 // List of memory nodes in the cpuset. Default is to use any available memory node. 407 Mems string `json:"mems,omitempty"` 408 // cgroups are configured with minimum weight, 0: default behavior, 1: SCHED_IDLE. 409 Idle *int64 `json:"idle,omitempty"` 410 } 411 412 // LinuxPids for Linux cgroup 'pids' resource management (Linux 4.3) 413 type LinuxPids struct { 414 // Maximum number of PIDs. Default is "no limit". 415 Limit int64 `json:"limit"` 416 } 417 418 // LinuxNetwork identification and priority configuration 419 type LinuxNetwork struct { 420 // Set class identifier for container's network packets 421 ClassID *uint32 `json:"classID,omitempty"` 422 // Set priority of network traffic for container 423 Priorities []LinuxInterfacePriority `json:"priorities,omitempty"` 424 } 425 426 // LinuxRdma for Linux cgroup 'rdma' resource management (Linux 4.11) 427 type LinuxRdma struct { 428 // Maximum number of HCA handles that can be opened. Default is "no limit". 429 HcaHandles *uint32 `json:"hcaHandles,omitempty"` 430 // Maximum number of HCA objects that can be created. Default is "no limit". 431 HcaObjects *uint32 `json:"hcaObjects,omitempty"` 432 } 433 434 // LinuxResources has container runtime resource constraints 435 type LinuxResources struct { 436 // Devices configures the device allowlist. 437 Devices []LinuxDeviceCgroup `json:"devices,omitempty"` 438 // Memory restriction configuration 439 Memory *LinuxMemory `json:"memory,omitempty"` 440 // CPU resource restriction configuration 441 CPU *LinuxCPU `json:"cpu,omitempty"` 442 // Task resource restriction configuration. 443 Pids *LinuxPids `json:"pids,omitempty"` 444 // BlockIO restriction configuration 445 BlockIO *LinuxBlockIO `json:"blockIO,omitempty"` 446 // Hugetlb limits (in bytes). Default to reservation limits if supported. 447 HugepageLimits []LinuxHugepageLimit `json:"hugepageLimits,omitempty"` 448 // Network restriction configuration 449 Network *LinuxNetwork `json:"network,omitempty"` 450 // Rdma resource restriction configuration. 451 // Limits are a set of key value pairs that define RDMA resource limits, 452 // where the key is device name and value is resource limits. 453 Rdma map[string]LinuxRdma `json:"rdma,omitempty"` 454 // Unified resources. 455 Unified map[string]string `json:"unified,omitempty"` 456 } 457 458 // LinuxDevice represents the mknod information for a Linux special device file 459 type LinuxDevice struct { 460 // Path to the device. 461 Path string `json:"path"` 462 // Device type, block, char, etc. 463 Type string `json:"type"` 464 // Major is the device's major number. 465 Major int64 `json:"major"` 466 // Minor is the device's minor number. 467 Minor int64 `json:"minor"` 468 // FileMode permission bits for the device. 469 FileMode *os.FileMode `json:"fileMode,omitempty"` 470 // UID of the device. 471 UID *uint32 `json:"uid,omitempty"` 472 // Gid of the device. 473 GID *uint32 `json:"gid,omitempty"` 474 } 475 476 // LinuxDeviceCgroup represents a device rule for the devices specified to 477 // the device controller 478 type LinuxDeviceCgroup struct { 479 // Allow or deny 480 Allow bool `json:"allow"` 481 // Device type, block, char, etc. 482 Type string `json:"type,omitempty"` 483 // Major is the device's major number. 484 Major *int64 `json:"major,omitempty"` 485 // Minor is the device's minor number. 486 Minor *int64 `json:"minor,omitempty"` 487 // Cgroup access permissions format, rwm. 488 Access string `json:"access,omitempty"` 489 } 490 491 // LinuxPersonalityDomain refers to a personality domain. 492 type LinuxPersonalityDomain string 493 494 // LinuxPersonalityFlag refers to an additional personality flag. None are currently defined. 495 type LinuxPersonalityFlag string 496 497 // Define domain and flags for Personality 498 const ( 499 // PerLinux is the standard Linux personality 500 PerLinux LinuxPersonalityDomain = "LINUX" 501 // PerLinux32 sets personality to 32 bit 502 PerLinux32 LinuxPersonalityDomain = "LINUX32" 503 ) 504 505 // LinuxPersonality represents the Linux personality syscall input 506 type LinuxPersonality struct { 507 // Domain for the personality 508 Domain LinuxPersonalityDomain `json:"domain"` 509 // Additional flags 510 Flags []LinuxPersonalityFlag `json:"flags,omitempty"` 511 } 512 513 // Solaris contains platform-specific configuration for Solaris application containers. 514 type Solaris struct { 515 // SMF FMRI which should go "online" before we start the container process. 516 Milestone string `json:"milestone,omitempty"` 517 // Maximum set of privileges any process in this container can obtain. 518 LimitPriv string `json:"limitpriv,omitempty"` 519 // The maximum amount of shared memory allowed for this container. 520 MaxShmMemory string `json:"maxShmMemory,omitempty"` 521 // Specification for automatic creation of network resources for this container. 522 Anet []SolarisAnet `json:"anet,omitempty"` 523 // Set limit on the amount of CPU time that can be used by container. 524 CappedCPU *SolarisCappedCPU `json:"cappedCPU,omitempty"` 525 // The physical and swap caps on the memory that can be used by this container. 526 CappedMemory *SolarisCappedMemory `json:"cappedMemory,omitempty"` 527 } 528 529 // SolarisCappedCPU allows users to set limit on the amount of CPU time that can be used by container. 530 type SolarisCappedCPU struct { 531 Ncpus string `json:"ncpus,omitempty"` 532 } 533 534 // SolarisCappedMemory allows users to set the physical and swap caps on the memory that can be used by this container. 535 type SolarisCappedMemory struct { 536 Physical string `json:"physical,omitempty"` 537 Swap string `json:"swap,omitempty"` 538 } 539 540 // SolarisAnet provides the specification for automatic creation of network resources for this container. 541 type SolarisAnet struct { 542 // Specify a name for the automatically created VNIC datalink. 543 Linkname string `json:"linkname,omitempty"` 544 // Specify the link over which the VNIC will be created. 545 Lowerlink string `json:"lowerLink,omitempty"` 546 // The set of IP addresses that the container can use. 547 Allowedaddr string `json:"allowedAddress,omitempty"` 548 // Specifies whether allowedAddress limitation is to be applied to the VNIC. 549 Configallowedaddr string `json:"configureAllowedAddress,omitempty"` 550 // The value of the optional default router. 551 Defrouter string `json:"defrouter,omitempty"` 552 // Enable one or more types of link protection. 553 Linkprotection string `json:"linkProtection,omitempty"` 554 // Set the VNIC's macAddress 555 Macaddress string `json:"macAddress,omitempty"` 556 } 557 558 // Windows defines the runtime configuration for Windows based containers, including Hyper-V containers. 559 type Windows struct { 560 // LayerFolders contains a list of absolute paths to directories containing image layers. 561 LayerFolders []string `json:"layerFolders"` 562 // Devices are the list of devices to be mapped into the container. 563 Devices []WindowsDevice `json:"devices,omitempty"` 564 // Resources contains information for handling resource constraints for the container. 565 Resources *WindowsResources `json:"resources,omitempty"` 566 // CredentialSpec contains a JSON object describing a group Managed Service Account (gMSA) specification. 567 CredentialSpec interface{} `json:"credentialSpec,omitempty"` 568 // Servicing indicates if the container is being started in a mode to apply a Windows Update servicing operation. 569 Servicing bool `json:"servicing,omitempty"` 570 // IgnoreFlushesDuringBoot indicates if the container is being started in a mode where disk writes are not flushed during its boot process. 571 IgnoreFlushesDuringBoot bool `json:"ignoreFlushesDuringBoot,omitempty"` 572 // HyperV contains information for running a container with Hyper-V isolation. 573 HyperV *WindowsHyperV `json:"hyperv,omitempty"` 574 // Network restriction configuration. 575 Network *WindowsNetwork `json:"network,omitempty"` 576 } 577 578 // WindowsDevice represents information about a host device to be mapped into the container. 579 type WindowsDevice struct { 580 // Device identifier: interface class GUID, etc. 581 ID string `json:"id"` 582 // Device identifier type: "class", etc. 583 IDType string `json:"idType"` 584 } 585 586 // WindowsResources has container runtime resource constraints for containers running on Windows. 587 type WindowsResources struct { 588 // Memory restriction configuration. 589 Memory *WindowsMemoryResources `json:"memory,omitempty"` 590 // CPU resource restriction configuration. 591 CPU *WindowsCPUResources `json:"cpu,omitempty"` 592 // Storage restriction configuration. 593 Storage *WindowsStorageResources `json:"storage,omitempty"` 594 } 595 596 // WindowsMemoryResources contains memory resource management settings. 597 type WindowsMemoryResources struct { 598 // Memory limit in bytes. 599 Limit *uint64 `json:"limit,omitempty"` 600 } 601 602 // WindowsCPUResources contains CPU resource management settings. 603 type WindowsCPUResources struct { 604 // Count is the number of CPUs available to the container. It represents the 605 // fraction of the configured processor `count` in a container in relation 606 // to the processors available in the host. The fraction ultimately 607 // determines the portion of processor cycles that the threads in a 608 // container can use during each scheduling interval, as the number of 609 // cycles per 10,000 cycles. 610 Count *uint64 `json:"count,omitempty"` 611 // Shares limits the share of processor time given to the container relative 612 // to other workloads on the processor. The processor `shares` (`weight` at 613 // the platform level) is a value between 0 and 10000. 614 Shares *uint16 `json:"shares,omitempty"` 615 // Maximum determines the portion of processor cycles that the threads in a 616 // container can use during each scheduling interval, as the number of 617 // cycles per 10,000 cycles. Set processor `maximum` to a percentage times 618 // 100. 619 Maximum *uint16 `json:"maximum,omitempty"` 620 } 621 622 // WindowsStorageResources contains storage resource management settings. 623 type WindowsStorageResources struct { 624 // Specifies maximum Iops for the system drive. 625 Iops *uint64 `json:"iops,omitempty"` 626 // Specifies maximum bytes per second for the system drive. 627 Bps *uint64 `json:"bps,omitempty"` 628 // Sandbox size specifies the minimum size of the system drive in bytes. 629 SandboxSize *uint64 `json:"sandboxSize,omitempty"` 630 } 631 632 // WindowsNetwork contains network settings for Windows containers. 633 type WindowsNetwork struct { 634 // List of HNS endpoints that the container should connect to. 635 EndpointList []string `json:"endpointList,omitempty"` 636 // Specifies if unqualified DNS name resolution is allowed. 637 AllowUnqualifiedDNSQuery bool `json:"allowUnqualifiedDNSQuery,omitempty"` 638 // Comma separated list of DNS suffixes to use for name resolution. 639 DNSSearchList []string `json:"DNSSearchList,omitempty"` 640 // Name (ID) of the container that we will share with the network stack. 641 NetworkSharedContainerName string `json:"networkSharedContainerName,omitempty"` 642 // name (ID) of the network namespace that will be used for the container. 643 NetworkNamespace string `json:"networkNamespace,omitempty"` 644 } 645 646 // WindowsHyperV contains information for configuring a container to run with Hyper-V isolation. 647 type WindowsHyperV struct { 648 // UtilityVMPath is an optional path to the image used for the Utility VM. 649 UtilityVMPath string `json:"utilityVMPath,omitempty"` 650 } 651 652 // VM contains information for virtual-machine-based containers. 653 type VM struct { 654 // Hypervisor specifies hypervisor-related configuration for virtual-machine-based containers. 655 Hypervisor VMHypervisor `json:"hypervisor,omitempty"` 656 // Kernel specifies kernel-related configuration for virtual-machine-based containers. 657 Kernel VMKernel `json:"kernel"` 658 // Image specifies guest image related configuration for virtual-machine-based containers. 659 Image VMImage `json:"image,omitempty"` 660 } 661 662 // VMHypervisor contains information about the hypervisor to use for a virtual machine. 663 type VMHypervisor struct { 664 // Path is the host path to the hypervisor used to manage the virtual machine. 665 Path string `json:"path"` 666 // Parameters specifies parameters to pass to the hypervisor. 667 Parameters []string `json:"parameters,omitempty"` 668 } 669 670 // VMKernel contains information about the kernel to use for a virtual machine. 671 type VMKernel struct { 672 // Path is the host path to the kernel used to boot the virtual machine. 673 Path string `json:"path"` 674 // Parameters specifies parameters to pass to the kernel. 675 Parameters []string `json:"parameters,omitempty"` 676 // InitRD is the host path to an initial ramdisk to be used by the kernel. 677 InitRD string `json:"initrd,omitempty"` 678 } 679 680 // VMImage contains information about the virtual machine root image. 681 type VMImage struct { 682 // Path is the host path to the root image that the VM kernel would boot into. 683 Path string `json:"path"` 684 // Format is the root image format type (e.g. "qcow2", "raw", "vhd", etc). 685 Format string `json:"format"` 686 } 687 688 // LinuxSeccomp represents syscall restrictions 689 type LinuxSeccomp struct { 690 DefaultAction LinuxSeccompAction `json:"defaultAction"` 691 DefaultErrnoRet *uint `json:"defaultErrnoRet,omitempty"` 692 Architectures []Arch `json:"architectures,omitempty"` 693 Flags []LinuxSeccompFlag `json:"flags,omitempty"` 694 ListenerPath string `json:"listenerPath,omitempty"` 695 ListenerMetadata string `json:"listenerMetadata,omitempty"` 696 Syscalls []LinuxSyscall `json:"syscalls,omitempty"` 697 } 698 699 // Arch used for additional architectures 700 type Arch string 701 702 // LinuxSeccompFlag is a flag to pass to seccomp(2). 703 type LinuxSeccompFlag string 704 705 const ( 706 // LinuxSeccompFlagLog is a seccomp flag to request all returned 707 // actions except SECCOMP_RET_ALLOW to be logged. An administrator may 708 // override this filter flag by preventing specific actions from being 709 // logged via the /proc/sys/kernel/seccomp/actions_logged file. (since 710 // Linux 4.14) 711 LinuxSeccompFlagLog LinuxSeccompFlag = "SECCOMP_FILTER_FLAG_LOG" 712 713 // LinuxSeccompFlagSpecAllow can be used to disable Speculative Store 714 // Bypass mitigation. (since Linux 4.17) 715 LinuxSeccompFlagSpecAllow LinuxSeccompFlag = "SECCOMP_FILTER_FLAG_SPEC_ALLOW" 716 717 // LinuxSeccompFlagWaitKillableRecv can be used to switch to the wait 718 // killable semantics. (since Linux 5.19) 719 LinuxSeccompFlagWaitKillableRecv LinuxSeccompFlag = "SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV" 720 ) 721 722 // Additional architectures permitted to be used for system calls 723 // By default only the native architecture of the kernel is permitted 724 const ( 725 ArchX86 Arch = "SCMP_ARCH_X86" 726 ArchX86_64 Arch = "SCMP_ARCH_X86_64" 727 ArchX32 Arch = "SCMP_ARCH_X32" 728 ArchARM Arch = "SCMP_ARCH_ARM" 729 ArchAARCH64 Arch = "SCMP_ARCH_AARCH64" 730 ArchMIPS Arch = "SCMP_ARCH_MIPS" 731 ArchMIPS64 Arch = "SCMP_ARCH_MIPS64" 732 ArchMIPS64N32 Arch = "SCMP_ARCH_MIPS64N32" 733 ArchMIPSEL Arch = "SCMP_ARCH_MIPSEL" 734 ArchMIPSEL64 Arch = "SCMP_ARCH_MIPSEL64" 735 ArchMIPSEL64N32 Arch = "SCMP_ARCH_MIPSEL64N32" 736 ArchPPC Arch = "SCMP_ARCH_PPC" 737 ArchPPC64 Arch = "SCMP_ARCH_PPC64" 738 ArchPPC64LE Arch = "SCMP_ARCH_PPC64LE" 739 ArchS390 Arch = "SCMP_ARCH_S390" 740 ArchS390X Arch = "SCMP_ARCH_S390X" 741 ArchPARISC Arch = "SCMP_ARCH_PARISC" 742 ArchPARISC64 Arch = "SCMP_ARCH_PARISC64" 743 ArchRISCV64 Arch = "SCMP_ARCH_RISCV64" 744 ) 745 746 // LinuxSeccompAction taken upon Seccomp rule match 747 type LinuxSeccompAction string 748 749 // Define actions for Seccomp rules 750 const ( 751 ActKill LinuxSeccompAction = "SCMP_ACT_KILL" 752 ActKillProcess LinuxSeccompAction = "SCMP_ACT_KILL_PROCESS" 753 ActKillThread LinuxSeccompAction = "SCMP_ACT_KILL_THREAD" 754 ActTrap LinuxSeccompAction = "SCMP_ACT_TRAP" 755 ActErrno LinuxSeccompAction = "SCMP_ACT_ERRNO" 756 ActTrace LinuxSeccompAction = "SCMP_ACT_TRACE" 757 ActAllow LinuxSeccompAction = "SCMP_ACT_ALLOW" 758 ActLog LinuxSeccompAction = "SCMP_ACT_LOG" 759 ActNotify LinuxSeccompAction = "SCMP_ACT_NOTIFY" 760 ) 761 762 // LinuxSeccompOperator used to match syscall arguments in Seccomp 763 type LinuxSeccompOperator string 764 765 // Define operators for syscall arguments in Seccomp 766 const ( 767 OpNotEqual LinuxSeccompOperator = "SCMP_CMP_NE" 768 OpLessThan LinuxSeccompOperator = "SCMP_CMP_LT" 769 OpLessEqual LinuxSeccompOperator = "SCMP_CMP_LE" 770 OpEqualTo LinuxSeccompOperator = "SCMP_CMP_EQ" 771 OpGreaterEqual LinuxSeccompOperator = "SCMP_CMP_GE" 772 OpGreaterThan LinuxSeccompOperator = "SCMP_CMP_GT" 773 OpMaskedEqual LinuxSeccompOperator = "SCMP_CMP_MASKED_EQ" 774 ) 775 776 // LinuxSeccompArg used for matching specific syscall arguments in Seccomp 777 type LinuxSeccompArg struct { 778 Index uint `json:"index"` 779 Value uint64 `json:"value"` 780 ValueTwo uint64 `json:"valueTwo,omitempty"` 781 Op LinuxSeccompOperator `json:"op"` 782 } 783 784 // LinuxSyscall is used to match a syscall in Seccomp 785 type LinuxSyscall struct { 786 Names []string `json:"names"` 787 Action LinuxSeccompAction `json:"action"` 788 ErrnoRet *uint `json:"errnoRet,omitempty"` 789 Args []LinuxSeccompArg `json:"args,omitempty"` 790 } 791 792 // LinuxIntelRdt has container runtime resource constraints for Intel RDT CAT and MBA 793 // features and flags enabling Intel RDT CMT and MBM features. 794 // Intel RDT features are available in Linux 4.14 and newer kernel versions. 795 type LinuxIntelRdt struct { 796 // The identity for RDT Class of Service 797 ClosID string `json:"closID,omitempty"` 798 // The schema for L3 cache id and capacity bitmask (CBM) 799 // Format: "L3:<cache_id0>=<cbm0>;<cache_id1>=<cbm1>;..." 800 L3CacheSchema string `json:"l3CacheSchema,omitempty"` 801 802 // The schema of memory bandwidth per L3 cache id 803 // Format: "MB:<cache_id0>=bandwidth0;<cache_id1>=bandwidth1;..." 804 // The unit of memory bandwidth is specified in "percentages" by 805 // default, and in "MBps" if MBA Software Controller is enabled. 806 MemBwSchema string `json:"memBwSchema,omitempty"` 807 808 // EnableCMT is the flag to indicate if the Intel RDT CMT is enabled. CMT (Cache Monitoring Technology) supports monitoring of 809 // the last-level cache (LLC) occupancy for the container. 810 EnableCMT bool `json:"enableCMT,omitempty"` 811 812 // EnableMBM is the flag to indicate if the Intel RDT MBM is enabled. MBM (Memory Bandwidth Monitoring) supports monitoring of 813 // total and local memory bandwidth for the container. 814 EnableMBM bool `json:"enableMBM,omitempty"` 815 } 816 817 // ZOS contains platform-specific configuration for z/OS based containers. 818 type ZOS struct { 819 // Devices are a list of device nodes that are created for the container 820 Devices []ZOSDevice `json:"devices,omitempty"` 821 } 822 823 // ZOSDevice represents the mknod information for a z/OS special device file 824 type ZOSDevice struct { 825 // Path to the device. 826 Path string `json:"path"` 827 // Device type, block, char, etc. 828 Type string `json:"type"` 829 // Major is the device's major number. 830 Major int64 `json:"major"` 831 // Minor is the device's minor number. 832 Minor int64 `json:"minor"` 833 // FileMode permission bits for the device. 834 FileMode *os.FileMode `json:"fileMode,omitempty"` 835 // UID of the device. 836 UID *uint32 `json:"uid,omitempty"` 837 // Gid of the device. 838 GID *uint32 `json:"gid,omitempty"` 839 } 840 841 // LinuxSchedulerPolicy represents different scheduling policies used with the Linux Scheduler 842 type LinuxSchedulerPolicy string 843 844 const ( 845 // SchedOther is the default scheduling policy 846 SchedOther LinuxSchedulerPolicy = "SCHED_OTHER" 847 // SchedFIFO is the First-In-First-Out scheduling policy 848 SchedFIFO LinuxSchedulerPolicy = "SCHED_FIFO" 849 // SchedRR is the Round-Robin scheduling policy 850 SchedRR LinuxSchedulerPolicy = "SCHED_RR" 851 // SchedBatch is the Batch scheduling policy 852 SchedBatch LinuxSchedulerPolicy = "SCHED_BATCH" 853 // SchedISO is the Isolation scheduling policy 854 SchedISO LinuxSchedulerPolicy = "SCHED_ISO" 855 // SchedIdle is the Idle scheduling policy 856 SchedIdle LinuxSchedulerPolicy = "SCHED_IDLE" 857 // SchedDeadline is the Deadline scheduling policy 858 SchedDeadline LinuxSchedulerPolicy = "SCHED_DEADLINE" 859 ) 860 861 // LinuxSchedulerFlag represents the flags used by the Linux Scheduler. 862 type LinuxSchedulerFlag string 863 864 const ( 865 // SchedFlagResetOnFork represents the reset on fork scheduling flag 866 SchedFlagResetOnFork LinuxSchedulerFlag = "SCHED_FLAG_RESET_ON_FORK" 867 // SchedFlagReclaim represents the reclaim scheduling flag 868 SchedFlagReclaim LinuxSchedulerFlag = "SCHED_FLAG_RECLAIM" 869 // SchedFlagDLOverrun represents the deadline overrun scheduling flag 870 SchedFlagDLOverrun LinuxSchedulerFlag = "SCHED_FLAG_DL_OVERRUN" 871 // SchedFlagKeepPolicy represents the keep policy scheduling flag 872 SchedFlagKeepPolicy LinuxSchedulerFlag = "SCHED_FLAG_KEEP_POLICY" 873 // SchedFlagKeepParams represents the keep parameters scheduling flag 874 SchedFlagKeepParams LinuxSchedulerFlag = "SCHED_FLAG_KEEP_PARAMS" 875 // SchedFlagUtilClampMin represents the utilization clamp minimum scheduling flag 876 SchedFlagUtilClampMin LinuxSchedulerFlag = "SCHED_FLAG_UTIL_CLAMP_MIN" 877 // SchedFlagUtilClampMin represents the utilization clamp maximum scheduling flag 878 SchedFlagUtilClampMax LinuxSchedulerFlag = "SCHED_FLAG_UTIL_CLAMP_MAX" 879 ) 880