diff --git a/cmd/oci-runtime-tool/generate.go b/cmd/oci-runtime-tool/generate.go
index c47b940c0..6fa972a40 100644
--- a/cmd/oci-runtime-tool/generate.go
+++ b/cmd/oci-runtime-tool/generate.go
@@ -13,65 +13,65 @@ import (
 )
 var generateFlags = []cli.Flag{
- cli.StringFlag{Name: "output", Usage: "output file (defaults to stdout)"},
- cli.StringFlag{Name: "rootfs", Value: "rootfs", Usage: "path to the rootfs"},
- cli.BoolFlag{Name: "read-only", Usage: "make the container's rootfs read-only"},
- cli.BoolFlag{Name: "privileged", Usage: "enable privileged container settings"},
- cli.BoolFlag{Name: "no-new-privileges", Usage: "set no new privileges bit for the container process"},
- cli.BoolFlag{Name: "tty", Usage: "allocate a new tty for the container process"},
- cli.StringFlag{Name: "hostname", Usage: "hostname value for the container"},
- cli.IntFlag{Name: "uid", Usage: "uid for the process"},
- cli.IntFlag{Name: "gid", Usage: "gid for the process"},
- cli.StringSliceFlag{Name: "groups", Usage: "supplementary groups for the process"},
+ cli.StringFlag{Name: "apparmor", Usage: "specifies the the apparmor profile for the container"},
+ cli.StringFlag{Name: "arch", Value: runtime.GOARCH, Usage: "architecture the container is created for"},
+ cli.StringSliceFlag{Name: "args", Usage: "command to run in the container"},
+ cli.StringSliceFlag{Name: "bind", Usage: "bind mount directories src:dest:(rw,ro)"},
 cli.StringSliceFlag{Name: "cap-add", Usage: "add Linux capabilities"},
 cli.StringSliceFlag{Name: "cap-drop", Usage: "drop Linux capabilities"},
 cli.StringFlag{Name: "cgroup", Usage: "cgroup namespace"},
- cli.StringFlag{Name: "network", Usage: "network namespace"},
- cli.StringFlag{Name: "mount", Usage: "mount namespace"},
- cli.StringFlag{Name: "pid", Usage: "pid namespace"},
- cli.StringFlag{Name: "ipc", Usage: "ipc namespace"},
- cli.StringFlag{Name: "user", Usage: "user namespace"},
- cli.StringFlag{Name: "uts", Usage: "uts namespace"},
- cli.StringFlag{Name: "selinux-label", Usage: "process selinux label"},
- cli.StringFlag{Name: "mount-label", Usage: "selinux mount context label"},
- cli.StringSliceFlag{Name: "tmpfs", Usage: "mount tmpfs"},
- cli.StringSliceFlag{Name: "args", Usage: "command to run in the container"},
- cli.StringSliceFlag{Name: "env", Usage: "add environment variable e.g. key=value"},
 cli.StringFlag{Name: "cgroups-path", Usage: "specify the path to the cgroups"},
- cli.StringFlag{Name: "mount-cgroups", Value: "no", Usage: "mount cgroups (rw,ro,no)"},
- cli.StringSliceFlag{Name: "bind", Usage: "bind mount directories src:dest:(rw,ro)"},
- cli.StringSliceFlag{Name: "prestart", Usage: "path to prestart hooks"},
- cli.StringSliceFlag{Name: "poststart", Usage: "path to poststart hooks"},
- cli.StringSliceFlag{Name: "poststop", Usage: "path to poststop hooks"},
- cli.StringFlag{Name: "root-propagation", Usage: "mount propagation for root"},
- cli.StringFlag{Name: "os", Value: runtime.GOOS, Usage: "operating system the container is created for"},
- cli.StringFlag{Name: "arch", Value: runtime.GOARCH, Usage: "architecture the container is created for"},
 cli.StringFlag{Name: "cwd", Value: "/", Usage: "current working directory for the process"},
- cli.StringSliceFlag{Name: "uidmappings", Usage: "add UIDMappings e.g HostID:ContainerID:Size"},
+ cli.StringSliceFlag{Name: "env", Usage: "add environment variable e.g. key=value"},
+ cli.IntFlag{Name: "gid", Usage: "gid for the process"},
 cli.StringSliceFlag{Name: "gidmappings", Usage: "add GIDMappings e.g HostID:ContainerID:Size"},
- cli.StringSliceFlag{Name: "sysctl", Usage: "add sysctl settings e.g net.ipv4.forward=1"},
- cli.StringFlag{Name: "apparmor", Usage: "specifies the the apparmor profile for the container"},
- cli.StringFlag{Name: "seccomp-default", Usage: "specifies the the defaultaction of Seccomp syscall restrictions"},
- cli.StringSliceFlag{Name: "seccomp-arch", Usage: "specifies Additional architectures permitted to be used for system calls"},
- cli.StringSliceFlag{Name: "seccomp-syscalls", Usage: "specifies Additional architectures permitted to be used for system calls, e.g Name:Action:Arg1_index/Arg1_value/Arg1_valuetwo/Arg1_op, Arg2_index/Arg2_value/Arg2_valuetwo/Arg2_op "},
- cli.StringSliceFlag{Name: "seccomp-allow", Usage: "specifies syscalls to be added to allowed"},
- cli.StringSliceFlag{Name: "seccomp-errno", Usage: "specifies syscalls to be added to list that returns an error"},
- cli.StringFlag{Name: "template", Usage: "base template to use for creating the configuration"},
+ cli.StringSliceFlag{Name: "groups", Usage: "supplementary groups for the process"},
+ cli.StringFlag{Name: "hostname", Usage: "hostname value for the container"},
+ cli.StringFlag{Name: "ipc", Usage: "ipc namespace"},
 cli.StringSliceFlag{Name: "label", Usage: "add annotations to the configuration e.g. key=value"},
- cli.IntFlag{Name: "oom-score-adj", Usage: "oom_score_adj for the container"},
 cli.Uint64Flag{Name: "linux-cpu-shares", Usage: "the relative share of CPU time available to the tasks in a cgroup"},
 cli.Uint64Flag{Name: "linux-cpu-period", Usage: "the CPU period to be used for hardcapping (in usecs)"},
 cli.Uint64Flag{Name: "linux-cpu-quota", Usage: "the allowed CPU time in a given period (in usecs)"},
- cli.Uint64Flag{Name: "linux-realtime-runtime", Usage: "the time realtime scheduling may use (in usecs)"},
- cli.Uint64Flag{Name: "linux-realtime-period", Usage: "CPU period to be used for realtime scheduling (in usecs)"},
 cli.StringFlag{Name: "linux-cpus", Usage: "CPUs to use within the cpuset (default is to use any CPU available)"},
- cli.StringFlag{Name: "linux-mems", Usage: "list of memory nodes in the cpuset (default is to use any available memory node)"},
+ cli.Uint64Flag{Name: "linux-mem-kernel-limit", Usage: "kernel memory limit (in bytes)"},
+ cli.Uint64Flag{Name: "linux-mem-kernel-tcp", Usage: "kernel memory limit for tcp (in bytes)"},
 cli.Uint64Flag{Name: "linux-mem-limit", Usage: "memory limit (in bytes)"},
 cli.Uint64Flag{Name: "linux-mem-reservation", Usage: "memory reservation or soft limit (in bytes)"},
 cli.Uint64Flag{Name: "linux-mem-swap", Usage: "total memory limit (memory + swap) (in bytes)"},
- cli.Uint64Flag{Name: "linux-mem-kernel-limit", Usage: "kernel memory limit (in bytes)"},
- cli.Uint64Flag{Name: "linux-mem-kernel-tcp", Usage: "kernel memory limit for tcp (in bytes)"},
 cli.Uint64Flag{Name: "linux-mem-swappiness", Usage: "how aggressive the kernel will swap memory pages (Range from 0 to 100)"},
+ cli.StringFlag{Name: "linux-mems", Usage: "list of memory nodes in the cpuset (default is to use any available memory node)"},
+ cli.Uint64Flag{Name: "linux-realtime-period", Usage: "CPU period to be used for realtime scheduling (in usecs)"},
+ cli.Uint64Flag{Name: "linux-realtime-runtime", Usage: "the time realtime scheduling may use (in usecs)"},
+ cli.StringFlag{Name: "mount", Usage: "mount namespace"},
+ cli.StringFlag{Name: "mount-cgroups", Value: "no", Usage: "mount cgroups (rw,ro,no)"},
+ cli.StringFlag{Name: "mount-label", Usage: "selinux mount context label"},
+ cli.StringFlag{Name: "network", Usage: "network namespace"},
+ cli.BoolFlag{Name: "no-new-privileges", Usage: "set no new privileges bit for the container process"},
+ cli.IntFlag{Name: "oom-score-adj", Usage: "oom_score_adj for the container"},
+ cli.StringFlag{Name: "os", Value: runtime.GOOS, Usage: "operating system the container is created for"},
+ cli.StringFlag{Name: "output", Usage: "output file (defaults to stdout)"},
+ cli.StringFlag{Name: "pid", Usage: "pid namespace"},
+ cli.StringSliceFlag{Name: "poststart", Usage: "path to poststart hooks"},
+ cli.StringSliceFlag{Name: "poststop", Usage: "path to poststop hooks"},
+ cli.StringSliceFlag{Name: "prestart", Usage: "path to prestart hooks"},
+ cli.BoolFlag{Name: "privileged", Usage: "enable privileged container settings"},
+ cli.BoolFlag{Name: "read-only", Usage: "make the container's rootfs read-only"},
+ cli.StringFlag{Name: "root-propagation", Usage: "mount propagation for root"},
+ cli.StringFlag{Name: "rootfs", Value: "rootfs", Usage: "path to the rootfs"},
+ cli.StringSliceFlag{Name: "seccomp-arch", Usage: "specifies Additional architectures permitted to be used for system calls"},
+ cli.StringSliceFlag{Name: "seccomp-allow", Usage: "specifies syscalls to be added to allowed"},
+ cli.StringFlag{Name: "seccomp-default", Usage: "specifies the the defaultaction of Seccomp syscall restrictions"},
+ cli.StringSliceFlag{Name: "seccomp-errno", Usage: "specifies syscalls to be added to list that returns an error"},
+ cli.StringSliceFlag{Name: "seccomp-syscalls", Usage: "specifies Additional architectures permitted to be used for system calls, e.g Name:Action:Arg1_index/Arg1_value/Arg1_valuetwo/Arg1_op, Arg2_index/Arg2_value/Arg2_valuetwo/Arg2_op "},
+ cli.StringFlag{Name: "selinux-label", Usage: "process selinux label"},
+ cli.StringSliceFlag{Name: "sysctl", Usage: "add sysctl settings e.g net.ipv4.forward=1"},
+ cli.StringFlag{Name: "template", Usage: "base template to use for creating the configuration"},
+ cli.StringSliceFlag{Name: "tmpfs", Usage: "mount tmpfs"},
+ cli.BoolFlag{Name: "tty", Usage: "allocate a new tty for the container process"},
+ cli.IntFlag{Name: "uid", Usage: "uid for the process"},
+ cli.StringSliceFlag{Name: "uidmappings", Usage: "add UIDMappings e.g HostID:ContainerID:Size"},
+ cli.StringFlag{Name: "user", Usage: "user namespace"},
+ cli.StringFlag{Name: "uts", Usage: "uts namespace"},
 }
 var generateCommand = cli.Command{
diff --git a/cmd/oci-runtime-tool/main.go b/cmd/oci-runtime-tool/main.go
index f0aef1201..600d540da 100644
--- a/cmd/oci-runtime-tool/main.go
+++ b/cmd/oci-runtime-tool/main.go
@@ -13,15 +13,15 @@ func main() {
 app.Version = "0.0.1"
 app.Usage = "OCI (Open Container Initiative) runtime tools"
 app.Flags = []cli.Flag{
+ cli.BoolFlag{
+ Name: "host-specific",
+ Usage: "generate host-specific configs or do host-specific validations",
+ },
 cli.StringFlag{
 Name: "log-level",
 Value: "error",
 Usage: "Log level (panic, fatal, error, warn, info, or debug)",
 },
- cli.BoolFlag{
- Name: "host-specific",
- Usage: "generate host-specific configs or do host-specific validations",
- },
 }
 app.Commands = []cli.Command{
diff --git a/man/oci-runtime-tool-generate.1.md b/man/oci-runtime-tool-generate.1.md
index 205dbbe8a..fbfe668be 100644
--- a/man/oci-runtime-tool-generate.1.md
+++ b/man/oci-runtime-tool-generate.1.md
@@ -96,17 +96,14 @@ read the configuration from `config.json`.
 **--linux-cpu-quota**=CPUQUOTA
 Specifies the total amount of time in microseconds for which all tasks in a cgroup can run during one period.
-**--linux-realtime-runtime**=REALTIMERUNTIME
- Specifies a period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources.
-
-**--linux-realtime-period**=REALTIMEPERIOD
- Sets the CPU period to be used for realtime scheduling (in usecs). Same as **--linux-cpu-period** but applies to realtime scheduler only.
-
 **--linux-cpus**=CPUS
 Sets the CPUs to use within the cpuset (default is to use any CPU available).
-**--linux-mems**=MEMS
- Sets the list of memory nodes in the cpuset (default is to use any available memory node).
+**--linux-mem-kernel-limit**=MEMKERNELLIMIT
+ Sets the hard limit of kernel memory in bytes.
+
+**--linux-mem-kernel-tcp**=MEMKERNELTCP
+ Sets the hard limit of kernel TCP buffer memory in bytes.
 **--linux-mem-limit**=MEMLIMIT
 Sets the limit of memory usage in bytes.
@@ -117,15 +114,18 @@ read the configuration from `config.json`.
 **--linux-mem-swap**=MEMSWAP
 Sets the total memory limit (memory + swap) in bytes.
-**--linux-mem-kernel-limit**=MEMKERNELLIMIT
- Sets the hard limit of kernel memory in bytes.
-
-**--linux-mem-kernel-tcp**=MEMKERNELTCP
- Sets the hard limit of kernel TCP buffer memory in bytes.
-
 **--linux-mem-swappiness**=MEMSWAPPINESS
 Sets the swappiness of how the kernel will swap memory pages (Range from 0 to 100).
+**--linux-mems**=MEMS
+ Sets the list of memory nodes in the cpuset (default is to use any available memory node).
+
+**--linux-realtime-period**=REALTIMEPERIOD
+ Sets the CPU period to be used for realtime scheduling (in usecs). Same as **--linux-cpu-period** but applies to realtime scheduler only.
+
+**--linux-realtime-runtime**=REALTIMERUNTIME
+ Specifies a period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources.
+
 **--mount**=*PATH*
 Use a mount namespace where *PATH* is an existing mount namespace file to join. The special *PATH* empty-string creates a new namespace.
@@ -162,14 +162,14 @@ read the configuration from `config.json`.
 **--oom-score-adj**=adj
 Specifies oom_score_adj for the container.
+**--os**=OS
+ Operating system used within the container
+
 **--output**=PATH
 Instead of writing the configuration JSON to stdout, write it to a file at *PATH* (overwriting the existing content if a file already exists at *PATH*).
-**--os**=OS
- Operating system used within the container
-
 **--pid**=*PATH*
 Use a PID namespace where *PATH* is an existing PID namespace file to join. The special *PATH* empty-string creates a new namespace.
@@ -213,23 +213,23 @@ read the configuration from `config.json`.
 Specifies Additional architectures permitted to be used for system calls. By default if you turn on seccomp, only the host architecture will be allowed.
+**--seccomp-allow**=SYSCALL
+ Specifies syscalls to be added to the ALLOW list.
+ See --seccomp-syscalls for setting limits on arguments.
+
 **--seccomp-default**=ACTION
 Specifies the the default action of Seccomp syscall restrictions Values: KILL,ERRNO,TRACE,ALLOW
+**--seccomp-errno**=SYSCALL
+ Specifies syscalls to be added to the ERRNO list.
+ See --seccomp-syscalls for setting limits on arguments.
+
 **--seccomp-syscalls**=SYSCALLS
 Specifies Additional syscalls permitted to be used for system calls, e.g Name:Action:Arg1_index/Arg1_value/Arg1_valuetwo/Arg1_op, Arg2_index/Arg2_value/Arg2_valuetwo/Arg2_op See --seccomp-allow and --seccomp-errno for convenient way to set seccomp syscall options.
-**--seccomp-allow**=SYSCALL
- Specifies syscalls to be added to the ALLOW list.
- See --seccomp-syscalls for setting limits on arguments.
-
-**--seccomp-errno**=SYSCALL
- Specifies syscalls to be added to the ERRNO list.
- See --seccomp-syscalls for setting limits on arguments.
-
 **--selinux-label**=PROCESSLABEL
 SELinux Label Depending on your SELinux policy, you would specify a label that looks like
diff --git a/man/oci-runtime-tool.1.md b/man/oci-runtime-tool.1.md
index b07f1fe9c..46341a648 100644
--- a/man/oci-runtime-tool.1.md
+++ b/man/oci-runtime-tool.1.md
@@ -17,12 +17,6 @@ oci-runtime-tool is a collection of tools for working with the [OCI runtime spec
 **--help**
 Print usage statement.
-**-v**, **--version**
- Print version information.
-
-**--log-level**
- Log level (panic, fatal, error, warn, info, or debug) (default: "error").
-
 **--host-specific**
 Generate host-specific configs or do host-specific validations.
@@ -35,6 +29,12 @@ oci-runtime-tool is a collection of tools for working with the [OCI runtime spec
 With this flag, validation will also run more specific tests to see whether the current host is capable of launching a container from the configuration.
+**--log-level**
+ Log level (panic, fatal, error, warn, info, or debug) (default: "error").
+
+**-v**, **--version**
+ Print version information.
+
 # COMMANDS
 **validate**
 Validating OCI bundle