-
Notifications
You must be signed in to change notification settings - Fork 553
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add features.md
to formalize the runc features
JSON
#1130
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
@@ -0,0 +1,211 @@ | ||||||
# <a name="linuxFeatures" />Linux Features Document | ||||||
|
||||||
This document describes the [Linux-specific section](features.md#platform-specific-features) of the [features document](features.md). | ||||||
|
||||||
## <a name="linuxFeaturesNamespaces" />Namespaces | ||||||
|
||||||
* **`namespaces`** (array of strings, OPTIONAL) The recognized names of the namespaces, including namespaces that might not be supported by the host operating system. | ||||||
The runtime MUST recognize the elements in this array as the [`type` of `linux.namespaces` objects in `config.json`](config-linux.md#namespaces). | ||||||
|
||||||
### Example | ||||||
|
||||||
```json | ||||||
"namespaces": [ | ||||||
"cgroup", | ||||||
"ipc", | ||||||
"mount", | ||||||
"network", | ||||||
"pid", | ||||||
"user", | ||||||
"uts" | ||||||
] | ||||||
``` | ||||||
|
||||||
## <a name="linuxFeaturesCapabilities" />Capabilities | ||||||
|
||||||
* **`capabilities`** (array of strings, OPTIONAL) The recognized names of the capabilities, including capabilities that might not be supported by the host operating system. | ||||||
The runtime MUST recognize the elements in this array in the [`process.capabilities` object of `config.json`](config.md#linux-process). | ||||||
|
||||||
### Example | ||||||
|
||||||
```json | ||||||
"capabilities": [ | ||||||
"CAP_CHOWN", | ||||||
"CAP_DAC_OVERRIDE", | ||||||
"CAP_DAC_READ_SEARCH", | ||||||
"CAP_FOWNER", | ||||||
"CAP_FSETID", | ||||||
"CAP_KILL", | ||||||
"CAP_SETGID", | ||||||
"CAP_SETUID", | ||||||
"CAP_SETPCAP", | ||||||
"CAP_LINUX_IMMUTABLE", | ||||||
"CAP_NET_BIND_SERVICE", | ||||||
"CAP_NET_BROADCAST", | ||||||
"CAP_NET_ADMIN", | ||||||
"CAP_NET_RAW", | ||||||
"CAP_IPC_LOCK", | ||||||
"CAP_IPC_OWNER", | ||||||
"CAP_SYS_MODULE", | ||||||
"CAP_SYS_RAWIO", | ||||||
"CAP_SYS_CHROOT", | ||||||
"CAP_SYS_PTRACE", | ||||||
"CAP_SYS_PACCT", | ||||||
"CAP_SYS_ADMIN", | ||||||
"CAP_SYS_BOOT", | ||||||
"CAP_SYS_NICE", | ||||||
"CAP_SYS_RESOURCE", | ||||||
"CAP_SYS_TIME", | ||||||
"CAP_SYS_TTY_CONFIG", | ||||||
"CAP_MKNOD", | ||||||
"CAP_LEASE", | ||||||
"CAP_AUDIT_WRITE", | ||||||
"CAP_AUDIT_CONTROL", | ||||||
"CAP_SETFCAP", | ||||||
"CAP_MAC_OVERRIDE", | ||||||
"CAP_MAC_ADMIN", | ||||||
"CAP_SYSLOG", | ||||||
"CAP_WAKE_ALARM", | ||||||
"CAP_BLOCK_SUSPEND", | ||||||
"CAP_AUDIT_READ", | ||||||
"CAP_PERFMON", | ||||||
"CAP_BPF", | ||||||
"CAP_CHECKPOINT_RESTORE" | ||||||
] | ||||||
``` | ||||||
|
||||||
## <a name="linuxFeaturesCgroup" />Cgroup | ||||||
|
||||||
**`cgroup`** (object, OPTIONAL) represents the runtime's implementation status of cgroup managers. | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Should there be any field to list down which controllers are implemented by Again not sure about just adding it here. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It's hard to define the set of the controller names. e.g., "freezer" is a real controller in v1 but not a real controller in v2. And the name of the block I/O controller differs across V1 ("blkio") and V2 ("io"). There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @AkihiroSuda hmm I agree and fair point but just a small doubt if there is a feature info, A practical use case would be.
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. How about using an array to specify which controllers are supported by a cgroup manager instead? This would solve that the controller names are different. Also not all controllers might be supported by all cgroup manager implementations. "cgroup": {
"v1": ["cpu", "cpuset", "blkio"],
"v2": ["io", "memory", "devices"]
"systemd": ["cpu", "memory", "cpuset"],
"systemdUser": ["cpu", "memory", "cpuset"]
} In youki we already have the concept of a pseudo controller for devices, unified and freezer, so in my opinion a name in that array must not always map to a real controller in all implementations. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Updated PR to add There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. could we also add a |
||||||
Irrelevant to the cgroup version of the host operating system. | ||||||
|
||||||
* **`v1`** (bool, OPTIONAL) represents whether the runtime supports cgroup v1. | ||||||
* **`v2`** (bool, OPTIONAL) represents whether the runtime supports cgroup v2. | ||||||
* **`systemd`** (bool, OPTIONAL) represents whether the runtime supports system-wide systemd cgroup manager. | ||||||
* **`systemdUser`** (bool, OPTIONAL) represents whether the runtime supports user-scoped systemd cgroup manager. | ||||||
* **`rdma`** (bool, OPTIONAL) represents whether the runtime supports RDMA cgroup controller. | ||||||
|
||||||
### Example | ||||||
|
||||||
```json | ||||||
"cgroup": { | ||||||
"v1": true, | ||||||
"v2": true, | ||||||
"systemd": true, | ||||||
"systemdUser": true, | ||||||
"rdma": false | ||||||
} | ||||||
``` | ||||||
|
||||||
## <a name="linuxFeaturesSeccomp" />Seccomp | ||||||
|
||||||
**`seccomp`** (object, OPTIONAL) represents the runtime's implementation status of seccomp. | ||||||
Irrelevant to the kernel version of the host operating system. | ||||||
|
||||||
* **`enabled`** (bool, OPTIONAL) represents whether the runtime supports seccomp. | ||||||
* **`actions`** (array of strings, OPTIONAL) The recognized names of the seccomp actions. | ||||||
The runtime MUST recognize the elements in this array in the [`syscalls[].action` property of the `linux.seccomp` object in `config.json`](config-linux.md#seccomp). | ||||||
* **`operators`** (array of strings, OPTIONAL) The recognized names of the seccomp operators. | ||||||
The runtime MUST recognize the elements in this array in the [`syscalls[].args[].op` property of the `linux.seccomp` object in `config.json`](config-linux.md#seccomp). | ||||||
* **`archs`** (array of strings, OPTIONAL) The recognized names of the seccomp architectures. | ||||||
The runtime MUST recognize the elements in this array in the [`architectures` property of the `linux.seccomp` object in `config.json`](config-linux.md#seccomp). | ||||||
* **`knownFlags`** (array of strings, OPTIONAL) The recognized names of the seccomp flags. | ||||||
The runtime MUST recognize the elements in this array in the [`flags` property of the `linux.seccomp` object in `config.json`](config-linux.md#seccomp). | ||||||
* **`supportedFlags`** (array of strings, OPTIONAL) The recognized and supported names of the seccomp flags. | ||||||
This list may be a subset of `knownFlags` due to some flags not supported by the current kernel and/or libseccomp. | ||||||
The runtime MUST recognize and support the elements in this array in the [`flags` property of the `linux.seccomp` object in `config.json`](config-linux.md#seccomp). | ||||||
|
||||||
### Example | ||||||
|
||||||
```json | ||||||
"seccomp": { | ||||||
"enabled": true, | ||||||
"actions": [ | ||||||
"SCMP_ACT_ALLOW", | ||||||
"SCMP_ACT_ERRNO", | ||||||
"SCMP_ACT_KILL", | ||||||
"SCMP_ACT_LOG", | ||||||
"SCMP_ACT_NOTIFY", | ||||||
"SCMP_ACT_TRACE", | ||||||
"SCMP_ACT_TRAP" | ||||||
], | ||||||
"operators": [ | ||||||
"SCMP_CMP_EQ", | ||||||
"SCMP_CMP_GE", | ||||||
"SCMP_CMP_GT", | ||||||
"SCMP_CMP_LE", | ||||||
"SCMP_CMP_LT", | ||||||
"SCMP_CMP_MASKED_EQ", | ||||||
"SCMP_CMP_NE" | ||||||
], | ||||||
"archs": [ | ||||||
"SCMP_ARCH_AARCH64", | ||||||
"SCMP_ARCH_ARM", | ||||||
"SCMP_ARCH_MIPS", | ||||||
"SCMP_ARCH_MIPS64", | ||||||
"SCMP_ARCH_MIPS64N32", | ||||||
"SCMP_ARCH_MIPSEL", | ||||||
"SCMP_ARCH_MIPSEL64", | ||||||
"SCMP_ARCH_MIPSEL64N32", | ||||||
"SCMP_ARCH_PPC", | ||||||
"SCMP_ARCH_PPC64", | ||||||
"SCMP_ARCH_PPC64LE", | ||||||
"SCMP_ARCH_S390", | ||||||
"SCMP_ARCH_S390X", | ||||||
"SCMP_ARCH_X32", | ||||||
"SCMP_ARCH_X86", | ||||||
"SCMP_ARCH_X86_64" | ||||||
], | ||||||
Comment on lines
+141
to
+158
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. how is the runtime supposed to query this list from libseccomp? Is it expected to hardcode the list? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Yes: https://github.com/opencontainers/runc/blob/v1.1.7/libcontainer/seccomp/config.go#L54-L71 You can also keep the list nil. |
||||||
"knownFlags": [ | ||||||
"SECCOMP_FILTER_FLAG_LOG" | ||||||
], | ||||||
"supportedFlags": [ | ||||||
"SECCOMP_FILTER_FLAG_LOG" | ||||||
] | ||||||
} | ||||||
``` | ||||||
|
||||||
## <a name="linuxFeaturesApparmor" />AppArmor | ||||||
|
||||||
**`apparmor`** (object, OPTIONAL) represents the runtime's implementation status of AppArmor. | ||||||
Irrelevant to the availability of AppArmor on the host operating system. | ||||||
|
||||||
* **`enabled`** (bool, OPTIONAL) represents whether the runtime supports AppArmor. | ||||||
|
||||||
### Example | ||||||
|
||||||
```json | ||||||
"apparmor": { | ||||||
"enabled": true | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Not sure but should this be
Suggested change
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The JSON is already implemented in runc (experimentally, though), so I'm reluctant to change the field names. IIRC, I avoided "supported" to avoid confusion with enterprise commercial "support". There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Oh i see. This is a really small To me it just feels that Again i am thinking this too much and its not a big thing. 😅 There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Perhaps "available" ? (IMO "enabled" feels like a configuration toggle where most/many of these will really be capabilities that are either usable or they aren't) There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ah, I guess https://github.com/opencontainers/runtime-spec/pull/1130/files#diff-445e6d0dc97b93a0f04d914ad7816114ddc175dc462c7eec7961921af17ff0d0R6-R7 is the context I was missing:
I redact my suggestion ("enabled" seems fine for what this describes), but then also wonder which specific problem this functionality is solving. 🙈 There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Examples of specific problems solved in this PR:
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. BTW we can have As a maintainer of containerd/Moby and its relevant projects, I don't see necessity of having There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
My original doubt was to replace +1 for keeping |
||||||
} | ||||||
``` | ||||||
|
||||||
## <a name="linuxFeaturesApparmor" />SELinux | ||||||
|
||||||
**`selinux`** (object, OPTIONAL) represents the runtime's implementation status of SELinux. | ||||||
Irrelevant to the availability of SELinux on the host operating system. | ||||||
|
||||||
* **`enabled`** (bool, OPTIONAL) represents whether the runtime supports SELinux. | ||||||
|
||||||
### Example | ||||||
|
||||||
```json | ||||||
"selinux": { | ||||||
"enabled": true | ||||||
AkihiroSuda marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
} | ||||||
``` | ||||||
|
||||||
## <a name="linuxFeaturesIntelRdt" />Intel RDT | ||||||
|
||||||
**`intelRdt`** (object, OPTIONAL) represents the runtime's implementation status of Intel RDT. | ||||||
Irrelevant to the availability of Intel RDT on the host operating system. | ||||||
|
||||||
* **`enabled`** (bool, OPTIONAL) represents whether the runtime supports Intel RDT. | ||||||
|
||||||
### Example | ||||||
|
||||||
```json | ||||||
"intelRdt": { | ||||||
"enabled": true | ||||||
} | ||||||
``` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a missing feature flag for
IntelRDT
, some runtimes supports restricting bandwidth using that. Alsoruntime-spec
has a definition for it.Not sure maybe something like
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added
.linux.intelRdt.enabled
field