diff --git a/config-linux.md b/config-linux.md index a954dc2c7..b6921a1b9 100644 --- a/config-linux.md +++ b/config-linux.md @@ -241,7 +241,7 @@ For more information on how these two settings work together, see [the memory cg ###### Example ```json - "oomScoreAdj": 0 + "oomScoreAdj": 100 ``` #### Memory @@ -251,9 +251,9 @@ For more information, see [the memory cgroup man page][cgroup-v1-memory]. The following parameters can be specified to setup the controller: -* **`limit`** *(uint64, optional)* - sets limit of memory usage +* **`limit`** *(uint64, optional)* - sets limit of memory usage in bytes -* **`reservation`** *(uint64, optional)* - sets soft limit of memory usage +* **`reservation`** *(uint64, optional)* - sets soft limit of memory usage in bytes * **`swap`** *(uint64, optional)* - sets limit of memory+Swap usage @@ -267,9 +267,9 @@ The following parameters can be specified to setup the controller: ```json "memory": { - "limit": 0, - "reservation": 0, - "swap": 0, + "limit": 536870912, + "reservation": 536870912, + "swap": 536870912, "kernel": 0, "kernelTCP": 0, "swappiness": 0 @@ -301,13 +301,13 @@ The following parameters can be specified to setup the controller: ```json "cpu": { - "shares": 0, - "quota": 0, - "period": 0, - "realtimeRuntime": 0, - "realtimePeriod": 0, - "cpus": "", - "mems": "" + "shares": 1024, + "quota": 1000000, + "period": 500000, + "realtimeRuntime": 950000, + "realtimePeriod": 1000000, + "cpus": "2-3", + "mems": "0-7" } ``` @@ -337,8 +337,8 @@ The following parameters can be specified to setup the controller: ```json "blockIO": { - "blkioWeight": 0, - "blkioLeafWeight": 0, + "blkioWeight": 10, + "blkioLeafWeight": 10, "blkioWeightDevice": [ { "major": 8, diff --git a/config.md b/config.md index 3201dbb5d..ec34a6754 100644 --- a/config.md +++ b/config.md 
@@ -232,7 +232,7 @@ If a hook returns a non-zero exit code, then an error is logged and the remainin ], "poststart": [ { - "path": "/usr/bin/notify-start" + "path": "/usr/bin/notify-start", "timeout": 5 } ], @@ -269,7 +269,7 @@ Here is a full example `config.json` for reference. ```json { - "ociVersion": "0.3.0", + "ociVersion": "0.5.0-dev", "platform": { "os": "linux", "arch": "amd64" @@ -284,6 +284,20 @@ Here is a full example `config.json` for reference. 6 ] }, + "uidMappings": [ + { + "hostID": 1000, + "containerID": 0, + "size": 32000 + } + ], + "gidMappings": [ + { + "hostID": 1000, + "containerID": 0, + "size": 32000 + } + ], "args": [ "sh" ], @@ -298,14 +312,20 @@ Here is a full example `config.json` for reference. "CAP_NET_BIND_SERVICE" ], "rlimits": [ + { + "type": "RLIMIT_CORE", + "hard": 1024, + "soft": 1024 + }, { "type": "RLIMIT_NOFILE", "hard": 1024, "soft": 1024 } ], - "apparmorProfile": "", - "selinuxLabel": "" + "apparmorProfile": "acme_secure_profile", + "selinuxLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675", + "noNewPrivileges": true }, "root": { "path": "rootfs", 
@@ -390,20 +410,166 @@ Here is a full example `config.json` for reference. "hooks": { "prestart": [ { - "path": "/usr/bin/uptime", + "path": "/usr/bin/fix-mounts", "args": [ - "/usr/bin/uptime" + "fix-mounts", + "arg1", + "arg2" ], - "env": [] + "env": [ + "key1=value1" + ] + }, + { + "path": "/usr/bin/setup-network" + } + ], + "poststart": [ + { + "path": "/usr/bin/notify-start", + "timeout": 5 + } + ], + "poststop": [ + { + "path": "/usr/sbin/cleanup.sh", + "args": [ + "cleanup.sh", + "-f" + ] } ] }, "linux": { + "devices": [ + { + "path": "/dev/fuse", + "type": "c", + "major": 10, + "minor": 229, + "fileMode": 438, + "uid": 0, + "gid": 0 + }, + { + "path": "/dev/sda", + "type": "b", + "major": 8, + "minor": 0, + "fileMode": 432, + "uid": 0, + "gid": 0 + } + ], + "sysctl": { + "net.ipv4.ip_forward": "1", + "net.core.somaxconn": "256" + }, + "cgroupsPath": "/myRuntime/myContainer", "resources": { + "network": { + "classID": 1048577, + "priorities": [ + { + "name": "eth0", + "priority": 500 + }, + { + "name": "eth1", + "priority": 1000 + } + ] + }, + "pids": { + "limit": 32771 + }, + "hugepageLimits": [ + { + "pageSize": "2MB", + "limit": 9223372036854772000 + } + ], + "oomScoreAdj": 100, + "memory": { + "limit": 536870912, + "reservation": 536870912, + "swap": 536870912, + "kernel": 0, + "kernelTCP": 0, + "swappiness": 0 + }, + "cpu": { + "shares": 1024, + "quota": 1000000, + "period": 500000, + "realtimeRuntime": 950000, + "realtimePeriod": 1000000, + "cpus": "2-3", + "mems": "0-7" + }, + "disableOOMKiller": false, "devices": [ { "allow": false, "access": "rwm" + }, + { + "allow": true, + "type": "c", + "major": 10, + "minor": 229, + "access": "rw" + }, + { + "allow": true, + "type": "b", + "major": 8, + "minor": 0, + "access": "r" + } + ], + "blockIO": { + "blkioWeight": 10, + "blkioLeafWeight": 10, + "blkioWeightDevice": [ + { + "major": 8, + "minor": 0, + "weight": 500, + "leafWeight": 300 + }, + { + "major": 8, + "minor": 16, + "weight": 500 + } + ], + 
"blkioThrottleReadBpsDevice": [ + { + "major": 8, + "minor": 0, + "rate": 600 + } + ], + "blkioThrottleWriteIOPSDevice": [ + { + "major": 8, + "minor": 16, + "rate": 300 + } + ] + } + }, + "rootfsPropagation": "slave", + "seccomp": { + "defaultAction": "SCMP_ACT_ALLOW", + "architectures": [ + "SCMP_ARCH_X86" + ], + "syscalls": [ + { + "name": "getcwd", + "action": "SCMP_ACT_ERRNO" } ] }, @@ -423,7 +589,25 @@ Here is a full example `config.json` for reference. { "type": "mount" } + ], + "maskedPaths": [ + "/proc/kcore", + "/proc/latency_stats", + "/proc/timer_stats", + "/proc/sched_debug" + ], + "readonlyPaths": [ + "/proc/asound", + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" ] + }, + "annotations": { + "key1": "value1", + "key2": "value2" } } ``` diff --git a/schema/defs-linux.json b/schema/defs-linux.json index 1f143f020..e77fe92a9 100644 --- a/schema/defs-linux.json +++ b/schema/defs-linux.json @@ -93,7 +93,9 @@ "type": "string" }, "FileType": { - "type": "integer" + "description": "Type of a block or special character device", + "type": "string", + "pattern": "^[cbup]$" }, "Device": { "properties": { diff --git a/schema/schema-linux.json b/schema/schema-linux.json index 869ebbfa4..9eae413a0 100644 --- a/schema/schema-linux.json +++ b/schema/schema-linux.json @@ -61,6 +61,21 @@ "id": "https://opencontainers.org/schema/bundle/linux/resources", "type": "object", "properties": { + "oomScoreAdj": { + "id": "https://opencontainers.org/schema/bundle/linux/resources/oomScoreAdj", + "type": "integer", + "minimum": -1000, + "maximum": 1000 + }, + "pids": { + "id": "https://opencontainers.org/schema/bundle/linux/resources/pids", + "properties": { + "limit": { + "id": "https://opencontainers.org/schema/bundle/linux/resources/pids/limit", + "$ref": "defs.json#/definitions/int64" + } + } + }, "blockIO": { "id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO", "type": "object", 
@@ -94,11 +109,9 @@
 "oneOf": [
 {
 "type": "array",
- "items": [
- {
- "$ref": "defs-linux.json#/definitions/blockIODeviceThrottlePointer"
- }
- ]
+ "items": {
+ "$ref": "defs-linux.json#/definitions/blockIODeviceThrottlePointer"
+ }
 },
 {
 "type": "null"
@@ -110,11 +123,9 @@
 "oneOf": [
 {
 "type": "array",
- "items": [
- {
- "$ref": "defs-linux.json#/definitions/blockIODeviceThrottlePointer"
- }
- ]
+ "items": {
+ "$ref": "defs-linux.json#/definitions/blockIODeviceThrottlePointer"
+ }
 },
 {
 "type": "null"
@@ -126,11 +137,9 @@
 "oneOf": [
 {
 "type": "array",
- "items": [
- {
- "$ref": "defs-linux.json#/definitions/blockIODeviceThrottlePointer"
- }
- ]
+ "items": {
+ "$ref": "defs-linux.json#/definitions/blockIODeviceThrottlePointer"
+ }
 },
 {
 "type": "null"
@@ -140,11 +149,9 @@
 "blkioWeightDevice": {
 "id": "https://opencontainers.org/schema/bundle/linux/resources/blockIO/blkioWeightDevice",
 "type": "array",
- "items": [
- {
- "$ref": "defs-linux.json#/definitions/blockIODeviceWeightPointer"
- }
- ]
+ "items": {
+ "$ref": "defs-linux.json#/definitions/blockIODeviceWeightPointer"
+ }
 }
 }
 },
@@ -190,13 +197,16 @@
 "id": "https://opencontainers.org/schema/bundle/linux/resources/hugepageLimits",
 "oneOf": [
 {
- "type": "object",
- "properties": {
- "pageSize": {
- "type": "string"
- },
- "limit": {
- "$ref": "defs.json#/definitions/uint64"
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "pageSize": {
+ "type": "string"
+ },
+ "limit": {
+ "$ref": "defs.json#/definitions/uint64"
+ }
 }
 }
 },
@@ -235,9 +245,9 @@
 "id": "https://opencontainers.org/schema/bundle/linux/resources/network",
 "type": "object",
 "properties": {
- "classId": {
+ "classID": {
 "id": "https://opencontainers.org/schema/bundle/linux/resources/network/classId",
- "type": "string"
+ "$ref": "defs.json#/definitions/uint32"
 },
 "priorities": {
 "id": "https://opencontainers.org/schema/bundle/linux/resources/network/priorities",
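Review bot: The property is renamed to `classID` but the `id` on the following context line still reads `.../network/classId`, so the schema identifier no longer matches the property it describes, while every other id in these files mirrors its property name exactly. Change it to `"id": "https://opencontainers.org/schema/bundle/linux/resources/network/classID"` so the two do not drift further apart. The enclosing `network` properties object continues outside the hunk.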
@@ -257,31 +267,6 @@
 }
 }
 },
- "rlimits": {
- "id": "https://opencontainers.org/schema/bundle/linux/rlimits",
- "items": [
- {
- "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0",
- "properties": {
- "hard": {
- "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0/hard",
- "type": "integer"
- },
- "soft": {
- "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0/soft",
- "type": "integer"
- },
- "type": {
- "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0/type",
- "type": "string",
- "pattern": "^RLIMIT_[A-Z]+$"
- }
- },
- "type": "object"
- }
- ],
- "type": "array"
- },
 "cgroupsPath": {
 "oneOf": [
 {
diff --git a/schema/schema.json b/schema/schema.json
index 16be027c0..23c55bc09 100644
--- a/schema/schema.json
+++ b/schema/schema.json
@@ -25,7 +25,7 @@
 }
 },
 "annotations": {
- "id": "https://opencontainers.org/schema/bundle/linux/sysctl",
+ "id": "https://opencontainers.org/schema/bundle/annotations",
 "oneOf": [
 {
 "$ref": "defs.json#/definitions/mapStringString"
@@ -139,6 +139,29 @@
 "noNewPrivileges": {
 "id": "https://opencontainers.org/schema/bundle/process/linux/noNewPrivileges",
 "type": "boolean"
+ },
+ "rlimits": {
+ "id": "https://opencontainers.org/schema/bundle/linux/rlimits",
+ "type": "array",
+ "items": {
+ "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0",
+ "type": "object",
+ "properties": {
+ "hard": {
+ "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0/hard",
+ "$ref": "defs.json#/definitions/uint64"
+ },
+ "soft": {
+ "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0/soft",
+ "$ref": "defs.json#/definitions/uint64"
+ },
+ "type": {
+ "id": "https://opencontainers.org/schema/bundle/linux/rlimits/0/type",
+ "type": "string",
+ "pattern": "^RLIMIT_[A-Z]+$"
+ }
+ }
+ }
 }
 }
 },
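Review bot: The `rlimits` block is moved under `process` in schema.json, but its `id` values are carried over unchanged from the block deleted in schema-linux.json and still say `.../bundle/linux/rlimits...`, while the neighbouring `noNewPrivileges` uses `.../bundle/process/linux/noNewPrivileges`. Rename them to reflect the new location, for example `"id": "https://opencontainers.org/schema/bundle/process/rlimits"` and `.../process/rlimits/0/hard` for the children. The item schema also lists `hard`, `soft` and `type` without a `required` array, so an entry missing any of them still validates; if all three are mandatory, as the config.md example in this commit always supplies them, add `"required": ["type", "hard", "soft"]` so a partial entry is rejected by the schema instead of being passed on to the runtime. The enclosing `process` object continues outside the hunk.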