diff --git a/Dockerfile b/Dockerfile
index 064502f4e7..4a18995177 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -242,7 +242,7 @@ RUN set -x \
 && rm -rf "$GOPATH"
 # Install runc
-ENV RUNC_COMMIT cc29e3dded8e27ba8f65738f40d251c885030a28
+ENV RUNC_COMMIT 02f8fa7863dd3f82909a73e2061897828460d52f
 RUN set -x \
 && export GOPATH="$(mktemp -d)" \
 && git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
@@ -253,7 +253,7 @@ RUN set -x \
 && rm -rf "$GOPATH"
 # Install containerd
-ENV CONTAINERD_COMMIT v0.2.4
+ENV CONTAINERD_COMMIT 0366d7e9693c930cf18c0f50cc16acec064e96c5
 RUN set -x \
 && export GOPATH="$(mktemp -d)" \
 && git clone https://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
index c3199a2e9f..06211903f7 100644
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@@ -181,7 +181,7 @@ RUN set -x \
 && rm -rf "$GOPATH"
 # Install runc
-ENV RUNC_COMMIT cc29e3dded8e27ba8f65738f40d251c885030a28
+ENV RUNC_COMMIT 02f8fa7863dd3f82909a73e2061897828460d52f
 RUN set -x \
 && export GOPATH="$(mktemp -d)" \
 && git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
@@ -192,7 +192,7 @@ RUN set -x \
 && rm -rf "$GOPATH"
 # Install containerd
-ENV CONTAINERD_COMMIT v0.2.4
+ENV CONTAINERD_COMMIT 0366d7e9693c930cf18c0f50cc16acec064e96c5
 RUN set -x \
 && export GOPATH="$(mktemp -d)" \
 && git clone https://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \
diff --git a/Dockerfile.armhf b/Dockerfile.armhf
index ba9026e5ef..d1bb2771d9 100644
--- a/Dockerfile.armhf
+++ b/Dockerfile.armhf
@@ -190,7 +190,7 @@ RUN set -x \
 && rm -rf "$GOPATH"
 # Install runc
-ENV RUNC_COMMIT cc29e3dded8e27ba8f65738f40d251c885030a28
+ENV RUNC_COMMIT 02f8fa7863dd3f82909a73e2061897828460d52f
 RUN set -x \
 && export GOPATH="$(mktemp -d)" \
 && git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
@@ -201,7 +201,7 @@ RUN set -x \
 && rm -rf "$GOPATH"
 # Install containerd
-ENV CONTAINERD_COMMIT v0.2.4
+ENV CONTAINERD_COMMIT 0366d7e9693c930cf18c0f50cc16acec064e96c5
 RUN set -x \
 && export GOPATH="$(mktemp -d)" \
 && git clone https://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \
diff --git a/Dockerfile.gccgo b/Dockerfile.gccgo
index 1f6420d638..fe2cef519e 100644
--- a/Dockerfile.gccgo
+++ b/Dockerfile.gccgo
@@ -74,7 +74,7 @@ WORKDIR /go/src/github.com/docker/docker
 ENV DOCKER_BUILDTAGS apparmor seccomp selinux
 # Install runc
-ENV RUNC_COMMIT cc29e3dded8e27ba8f65738f40d251c885030a28
+ENV RUNC_COMMIT 02f8fa7863dd3f82909a73e2061897828460d52f
 RUN set -x \
 && export GOPATH="$(mktemp -d)" \
 && git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
@@ -85,7 +85,7 @@ RUN set -x \
 && rm -rf "$GOPATH"
 # Install containerd
-ENV CONTAINERD_COMMIT v0.2.4
+ENV CONTAINERD_COMMIT 0366d7e9693c930cf18c0f50cc16acec064e96c5
 RUN set -x \
 && export GOPATH="$(mktemp -d)" \
 && git clone https://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \
diff --git a/Dockerfile.ppc64le b/Dockerfile.ppc64le
index 294d11d41d..ae473d995c 100644
--- a/Dockerfile.ppc64le
+++ b/Dockerfile.ppc64le
@@ -202,7 +202,7 @@ RUN set -x \
 && rm -rf "$GOPATH"
 # Install runc
-ENV RUNC_COMMIT cc29e3dded8e27ba8f65738f40d251c885030a28
+ENV RUNC_COMMIT 02f8fa7863dd3f82909a73e2061897828460d52f
 RUN set -x \
 && export GOPATH="$(mktemp -d)" \
 && git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
@@ -213,7 +213,7 @@ RUN set -x \
 && rm -rf "$GOPATH"
 # Install containerd
-ENV CONTAINERD_COMMIT v0.2.4
+ENV CONTAINERD_COMMIT 0366d7e9693c930cf18c0f50cc16acec064e96c5
 RUN set -x \
 && export GOPATH="$(mktemp -d)" \
 && git clone https://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \
diff --git a/Dockerfile.s390x b/Dockerfile.s390x
index 20d10bb5e7..d5e1dde042 100644
--- a/Dockerfile.s390x
+++ b/Dockerfile.s390x
@@ -197,7 +197,7 @@ RUN set -x \
 && rm -rf "$GOPATH"
 # Install runc
-ENV RUNC_COMMIT cc29e3dded8e27ba8f65738f40d251c885030a28
+ENV RUNC_COMMIT 02f8fa7863dd3f82909a73e2061897828460d52f
 RUN set -x \
 && export GOPATH="$(mktemp -d)" \
 && git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
@@ -208,7 +208,7 @@ RUN set -x \
 && rm -rf "$GOPATH"
 # Install containerd
-ENV CONTAINERD_COMMIT v0.2.4
+ENV CONTAINERD_COMMIT 0366d7e9693c930cf18c0f50cc16acec064e96c5
 RUN set -x \
 && export GOPATH="$(mktemp -d)" \
 && git clone https://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \
diff --git a/Dockerfile.simple b/Dockerfile.simple
index 708289e3b0..dc244ef3ca 100644
--- a/Dockerfile.simple
+++ b/Dockerfile.simple
@@ -57,7 +57,7 @@ ENV GOPATH /go:/go/src/github.com/docker/docker/vendor
 ENV CGO_LDFLAGS -L/lib
 # Install runc
-ENV RUNC_COMMIT cc29e3dded8e27ba8f65738f40d251c885030a28
+ENV RUNC_COMMIT 02f8fa7863dd3f82909a73e2061897828460d52f
 RUN set -x \
 && export GOPATH="$(mktemp -d)" \
 && git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
@@ -68,7 +68,7 @@ RUN set -x \
 && rm -rf "$GOPATH"
 # Install containerd
-ENV CONTAINERD_COMMIT v0.2.4
+ENV CONTAINERD_COMMIT 0366d7e9693c930cf18c0f50cc16acec064e96c5
 RUN set -x \
 && export GOPATH="$(mktemp -d)" \
 && git clone https://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \
diff --git a/hack/vendor.sh b/hack/vendor.sh
index 632dc1e77a..76170e70fe 100755
--- a/hack/vendor.sh
+++ b/hack/vendor.sh
@@ -102,8 +102,8 @@ clone git github.com/miekg/pkcs11 df8ae6ca730422dba20c768ff38ef7d79077a59f
 clone git github.com/docker/go v1.5.1-1-1-gbaf439e
 clone git github.com/agl/ed25519 d2b94fd789ea21d12fac1a4443dd3a3f79cda72c
-clone git github.com/opencontainers/runc cc29e3dded8e27ba8f65738f40d251c885030a28 # libcontainer
-clone git github.com/opencontainers/specs v1.0.0-rc1 # specs
+clone git github.com/opencontainers/runc 02f8fa7863dd3f82909a73e2061897828460d52f # libcontainer
+clone git github.com/opencontainers/specs 1c7c27d043c2a5e513a44084d2b10d77d1402b8c # specs
 clone git github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0 # libcontainer deps (see src/github.com/opencontainers/runc/Godeps/Godeps.json)
 clone git github.com/coreos/go-systemd v4
@@ -136,7 +136,7 @@ clone git google.golang.org/cloud dae7e3d993bc3812a2185af60552bb6b847e52a0 https
 clone git github.com/docker/docker-credential-helpers v0.3.0
 # containerd
-clone git github.com/docker/containerd v0.2.4
+clone git github.com/docker/containerd 0366d7e9693c930cf18c0f50cc16acec064e96c5
 # cluster
 clone git github.com/docker/swarmkit e239bc901fd6f5c85b36904e89f1b64c8c0635f2
diff --git a/oci/defaults_linux.go b/oci/defaults_linux.go
index 5f93a9af94..e8c410aa54 100644
--- a/oci/defaults_linux.go
+++ b/oci/defaults_linux.go
@@ -4,7 +4,7 @@ import (
 "os"
 "runtime"
- "github.com/opencontainers/specs/specs-go"
+ specs "github.com/opencontainers/specs/specs-go"
 )
 func sPtr(s string) *string { return &s }
@@ -77,7 +77,7 @@ func DefaultSpec() specs.Spec {
 "CAP_AUDIT_WRITE",
 }
- s.Linux = specs.Linux{
+ s.Linux = &specs.Linux{
 MaskedPaths: []string{
 "/proc/kcore",
 "/proc/latency_stats",
diff --git a/pkg/sysinfo/sysinfo_linux.go b/pkg/sysinfo/sysinfo_linux.go
index 8ba3ce4d39..7dce3a3ec0 100644
--- a/pkg/sysinfo/sysinfo_linux.go
+++ b/pkg/sysinfo/sysinfo_linux.go
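Review bot: `s.Linux = &specs.Linux{` now stores a pointer, and nothing on the new side records that the field can be nil for a Spec that did not come through DefaultSpec, so a later `spec.Linux.X` on such a value would dereference nil; a one-line comment on the assignment would make the contract explicit, e.g. `// Linux is a pointer in this specs revision; DefaultSpec always sets it, but a Spec decoded from JSON may leave it nil.` Whether any caller in this repository builds a Spec another way is not visible in the diff, so this is a documentation point rather than a confirmed defect. DefaultSpec's body continues outside the hunk.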
@@ -18,7 +18,7 @@ const (
 )
 func findCgroupMountpoints() (map[string]string, error) {
- cgMounts, err := cgroups.GetCgroupMounts()
+ cgMounts, err := cgroups.GetCgroupMounts(false)
 if err != nil {
 return nil, fmt.Errorf("Failed to parse cgroup information: %v", err)
 }
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go
index 274ab47dd8..35fc8eb961 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go
@@ -37,7 +37,7 @@ type Manager interface {
 // restore the object later.
 GetPaths() map[string]string
- // Set the cgroup as configured.
+ // Sets the cgroup as configured.
 Set(container *configs.Config) error
 }
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/utils.go b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
index 1a7c4e1a05..8946dd5959 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
@@ -16,7 +16,10 @@ import (
 "github.com/docker/go-units"
 )
-const cgroupNamePrefix = "name="
+const (
+ cgroupNamePrefix = "name="
+ CgroupProcesses = "cgroup.procs"
+)
 // https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt
 func FindCgroupMountpoint(subsystem string) (string, error) {
@@ -136,7 +139,7 @@ func (m Mount) GetThisCgroupDir(cgroups map[string]string) (string, error) {
 return getControllerPath(m.Subsystems[0], cgroups)
 }
-func getCgroupMountsHelper(ss map[string]bool, mi io.Reader) ([]Mount, error) {
+func getCgroupMountsHelper(ss map[string]bool, mi io.Reader, all bool) ([]Mount, error) {
 res := make([]Mount, 0, len(ss))
 scanner := bufio.NewScanner(mi)
 numFound := 0
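Review bot: The new `cgroups.GetCgroupMounts(false)` call passes a bare boolean, and the vendored doc comment added elsewhere in this commit describes the flag only as "whether to return just the first instance or all the mounts", so the intent at this call site is opaque to a reader of sysinfo_linux.go alone; annotate it, e.g. `cgMounts, err := cgroups.GetCgroupMounts(false) // false: only the first mount of each subsystem`. The body of findCgroupMountpoints continues past the hunk, so whether any later code would need the duplicate mounts is not visible here.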
@@ -163,7 +166,9 @@ func getCgroupMountsHelper(ss map[string]bool, mi io.Reader) ([]Mount, error) {
 } else {
 m.Subsystems = append(m.Subsystems, opt)
 }
- numFound++
+ if !all {
+ numFound++
+ }
 }
 res = append(res, m)
 }
@@ -173,23 +178,25 @@ func getCgroupMountsHelper(ss map[string]bool, mi io.Reader) ([]Mount, error) {
 return res, nil
 }
-func GetCgroupMounts() ([]Mount, error) {
+// GetCgroupMounts returns the mounts for the cgroup subsystems.
+// all indicates whether to return just the first instance or all the mounts.
+func GetCgroupMounts(all bool) ([]Mount, error) {
 f, err := os.Open("/proc/self/mountinfo")
 if err != nil {
 return nil, err
 }
 defer f.Close()
- all, err := ParseCgroupFile("/proc/self/cgroup")
+ allSubsystems, err := ParseCgroupFile("/proc/self/cgroup")
 if err != nil {
 return nil, err
 }
 allMap := make(map[string]bool)
- for s := range all {
+ for s := range allSubsystems {
 allMap[s] = true
 }
- return getCgroupMountsHelper(allMap, f)
+ return getCgroupMountsHelper(allMap, f, all)
 }
 // GetAllSubsystems returns all the cgroup subsystems supported by the kernel
@@ -239,7 +246,7 @@ func GetInitCgroupDir(subsystem string) (string, error) {
 }
 func readProcsFile(dir string) ([]int, error) {
- f, err := os.Open(filepath.Join(dir, "cgroup.procs"))
+ f, err := os.Open(filepath.Join(dir, CgroupProcesses))
 if err != nil {
 return nil, err
 }
@@ -326,8 +333,7 @@ func PathExists(path string) bool {
 func EnterPid(cgroupPaths map[string]string, pid int) error {
 for _, path := range cgroupPaths {
 if PathExists(path) {
- if err := ioutil.WriteFile(filepath.Join(path, "cgroup.procs"),
- []byte(strconv.Itoa(pid)), 0700); err != nil {
+ if err := WriteCgroupProc(path, pid); err != nil {
 return err
 }
 }
@@ -396,7 +402,7 @@ func GetAllPids(path string) ([]int, error) {
 // collect pids from all sub-cgroups
 err := filepath.Walk(path, func(p string, info os.FileInfo, iErr error) error {
 dir, file := filepath.Split(p)
- if file != "cgroup.procs" {
+ if file != CgroupProcesses {
 return nil
 }
 if iErr != nil {
@@ -411,3 +417,20 @@ func GetAllPids(path string) ([]int, error) {
 })
 return pids, err
 }
+
+// WriteCgroupProc writes the specified pid into the cgroup's cgroup.procs file
+func WriteCgroupProc(dir string, pid int) error {
+ // Normally dir should not be empty, one case is that cgroup subsystem
+ // is not mounted, we will get empty dir, and we want it fail here.
+ if dir == "" {
+ return fmt.Errorf("no such directory for %s", CgroupProcesses)
+ }
+
+ // Dont attach any pid to the cgroup if -1 is specified as a pid
+ if pid != -1 {
+ if err := ioutil.WriteFile(filepath.Join(dir, CgroupProcesses), []byte(strconv.Itoa(pid)), 0700); err != nil {
+ return fmt.Errorf("failed to write %v to %v: %v", pid, CgroupProcesses, err)
+ }
+ }
+ return nil
+}
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/configs/cgroup_unix.go b/vendor/src/github.com/opencontainers/runc/libcontainer/configs/cgroup_unix.go
index f2eff91cf4..94b38879ed 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/configs/cgroup_unix.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/configs/cgroup_unix.go
@@ -36,7 +36,7 @@ type Cgroup struct {
 type Resources struct {
 // If this is true allow access to any kind of device within the container. If false, allow access only to devices explicitly listed in the allowed_devices list.
 // Deprecated
- AllowAllDevices bool `json:"allow_all_devices,omitempty"`
+ AllowAllDevices *bool `json:"allow_all_devices,omitempty"`
 // Deprecated
 AllowedDevices []*Device `json:"allowed_devices,omitempty"`
 // Deprecated
@@ -69,10 +69,10 @@ type Resources struct {
 CpuPeriod int64 `json:"cpu_period"`
 // How many time CPU will use in realtime scheduling (in usecs).
- CpuRtRuntime int64 `json:"cpu_quota"`
+ CpuRtRuntime int64 `json:"cpu_rt_quota"`
 // CPU period to be used for realtime scheduling (in usecs).
- CpuRtPeriod int64 `json:"cpu_period"`
+ CpuRtPeriod int64 `json:"cpu_rt_period"`
 // CPU to use
 CpusetCpus string `json:"cpuset_cpus"`
@@ -120,5 +120,5 @@ type Resources struct {
 NetPrioIfpriomap []*IfPrioMap `json:"net_prio_ifpriomap"`
 // Set class identifier for container's network packets
- NetClsClassid string `json:"net_cls_classid"`
+ NetClsClassid uint32 `json:"net_cls_classid_u"`
 }
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/configs/config.go b/vendor/src/github.com/opencontainers/runc/libcontainer/configs/config.go
index 806e0be960..a56d12bdb9 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/configs/config.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/configs/config.go
@@ -148,10 +148,6 @@ type Config struct {
 // More information about kernel oom score calculation here: https://lwn.net/Articles/317814/
 OomScoreAdj int `json:"oom_score_adj"`
- // AdditionalGroups specifies the gids that should be added to supplementary groups
- // in addition to those that the user belongs to.
- AdditionalGroups []string `json:"additional_groups"`
-
 // UidMappings is an array of User ID mappings for User Namespaces
 UidMappings []IDMap `json:"uid_mappings"`
@@ -304,29 +300,38 @@ func (c Command) Run(s HookState) error {
 if err != nil {
 return err
 }
+ var stdout, stderr bytes.Buffer
 cmd := exec.Cmd{
- Path: c.Path,
- Args: c.Args,
- Env: c.Env,
- Stdin: bytes.NewReader(b),
+ Path: c.Path,
+ Args: c.Args,
+ Env: c.Env,
+ Stdin: bytes.NewReader(b),
+ Stdout: &stdout,
+ Stderr: &stderr,
+ }
+ if err := cmd.Start(); err != nil {
+ return err
 }
 errC := make(chan error, 1)
 go func() {
- out, err := cmd.CombinedOutput()
+ err := cmd.Wait()
 if err != nil {
- err = fmt.Errorf("%s: %s", err, out)
+ err = fmt.Errorf("error running hook: %v, stdout: %s, stderr: %s", err, stdout.String(), stderr.String())
 }
 errC <- err
 }()
+ var timerCh <-chan time.Time
 if c.Timeout != nil {
- select {
- case err := <-errC:
- return err
- case <-time.After(*c.Timeout):
- cmd.Process.Kill()
- cmd.Wait()
- return fmt.Errorf("hook ran past specified timeout of %.1fs", c.Timeout.Seconds())
- }
+ timer := time.NewTimer(*c.Timeout)
+ defer timer.Stop()
+ timerCh = timer.C
+ }
+ select {
+ case err := <-errC:
+ return err
+ case <-timerCh:
+ cmd.Process.Kill()
+ cmd.Wait()
+ return fmt.Errorf("hook ran past specified timeout of %.1fs", c.Timeout.Seconds())
 }
- return <-errC
 }
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/configs/device_defaults.go b/vendor/src/github.com/opencontainers/runc/libcontainer/configs/device_defaults.go
index ba1f437f3b..4d348d217e 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/configs/device_defaults.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/configs/device_defaults.go
@@ -107,19 +107,5 @@ var (
 Permissions: "rwm",
 },
 }, DefaultSimpleDevices...)
- DefaultAutoCreatedDevices = append([]*Device{
- {
- // /dev/fuse is created but not allowed.
- // This is to allow java to work. Because java
- // Insists on there being a /dev/fuse
- // https://github.com/docker/docker/issues/514
- // https://github.com/docker/docker/issues/2393
- //
- Path: "/dev/fuse",
- Type: 'c',
- Major: 10,
- Minor: 229,
- Permissions: "rwm",
- },
- }, DefaultSimpleDevices...)
+ DefaultAutoCreatedDevices = append([]*Device{}, DefaultSimpleDevices...)
 )
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/label/label_selinux.go b/vendor/src/github.com/opencontainers/runc/libcontainer/label/label_selinux.go
index 4493bda774..1d9d78a390 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/label/label_selinux.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/label/label_selinux.go
@@ -129,7 +129,7 @@ func Relabel(path string, fileLabel string, shared bool) error {
 exclude_paths := map[string]bool{"/": true, "/usr": true, "/etc": true}
 if exclude_paths[path] {
- return fmt.Errorf("Relabeling of %s is not allowed", path)
+ return fmt.Errorf("SELinux relabeling of %s is not allowed", path)
 }
 if shared {
@@ -137,7 +137,10 @@ func Relabel(path string, fileLabel string, shared bool) error {
 c["level"] = "s0"
 fileLabel = c.Get()
 }
- return selinux.Chcon(path, fileLabel, true)
+ if err := selinux.Chcon(path, fileLabel, true); err != nil {
+ return fmt.Errorf("SELinux relabeling of %s is not allowed: %q", path, err)
+ }
+ return nil
 }
 // GetPidLabel will return the label of the process running with the specified pid
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/system/syscall_linux_386.go b/vendor/src/github.com/opencontainers/runc/libcontainer/system/syscall_linux_386.go
index c990065189..bb44d895ce 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/system/syscall_linux_386.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/system/syscall_linux_386.go
@@ -8,7 +8,7 @@ import (
 // Setuid sets the uid of the calling thread to the specified uid.
 func Setuid(uid int) (err error) {
- _, _, e1 := syscall.RawSyscall(syscall.SYS_SETUID, uintptr(uid), 0, 0)
+ _, _, e1 := syscall.RawSyscall(syscall.SYS_SETUID32, uintptr(uid), 0, 0)
 if e1 != 0 {
 err = e1
 }
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/system/sysconfig.go b/vendor/src/github.com/opencontainers/runc/libcontainer/system/sysconfig.go
index 4fba6c2b70..b3a07cba3e 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/system/sysconfig.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/system/sysconfig.go
@@ -4,28 +4,9 @@ package system
 /*
 #include
-#include
-
-int GetLongBit() {
-#ifdef _SC_LONG_BIT
- int longbits;
-
- longbits = sysconf(_SC_LONG_BIT);
- if (longbits < 0) {
- longbits = (CHAR_BIT * sizeof(long));
- }
- return longbits;
-#else
- return (CHAR_BIT * sizeof(long));
-#endif
-}
 */
 import "C"
 func GetClockTicks() int {
 return int(C.sysconf(C._SC_CLK_TCK))
 }
-
-func GetLongBit() int {
- return int(C.GetLongBit())
-}
diff --git a/vendor/src/github.com/opencontainers/specs/specs-go/config.go b/vendor/src/github.com/opencontainers/specs/specs-go/config.go
index ec99035bbc..491b734c93 100644
--- a/vendor/src/github.com/opencontainers/specs/specs-go/config.go
+++ b/vendor/src/github.com/opencontainers/specs/specs-go/config.go
@@ -4,33 +4,37 @@ import "os"
 // Spec is the base configuration for the container.
 type Spec struct {
- // Version is the version of the specification that is supported.
+ // Version of the Open Container Runtime Specification with which the bundle complies.
 Version string `json:"ociVersion"`
- // Platform is the host information for OS and Arch.
+ // Platform specifies the configuration's target platform.
 Platform Platform `json:"platform"`
- // Process is the container's main process.
+ // Process configures the container process.
 Process Process `json:"process"`
- // Root is the root information for the container's filesystem.
+ // Root configures the container's root filesystem.
 Root Root `json:"root"`
- // Hostname is the container's host name.
+ // Hostname configures the container's hostname.
 Hostname string `json:"hostname,omitempty"`
- // Mounts profile configuration for adding mounts to the container's filesystem.
+ // Mounts configures additional mounts (on top of Root).
 Mounts []Mount `json:"mounts,omitempty"`
- // Hooks are the commands run at various lifecycle events of the container.
+ // Hooks configures callbacks for container lifecycle events.
 Hooks Hooks `json:"hooks"`
- // Annotations is an unstructured key value map that may be set by external tools to store and retrieve arbitrary metadata.
+ // Annotations contains arbitrary metadata for the container.
 Annotations map[string]string `json:"annotations,omitempty"`
 // Linux is platform specific configuration for Linux based containers.
- Linux Linux `json:"linux" platform:"linux,omitempty"`
+ Linux *Linux `json:"linux,omitempty" platform:"linux"`
 // Solaris is platform specific configuration for Solaris containers.
- Solaris Solaris `json:"solaris" platform:"solaris,omitempty"`
+ Solaris *Solaris `json:"solaris,omitempty" platform:"solaris"`
+ // Windows is platform specific configuration for Windows based containers, including Hyper-V containers.
+ Windows *Windows `json:"windows,omitempty" platform:"windows"`
 }
 // Process contains information to start a specific application inside the container.
 type Process struct {
 // Terminal creates an interactive terminal for the container.
 Terminal bool `json:"terminal,omitempty"`
+ // ConsoleSize specifies the size of the console.
+ ConsoleSize Box `json:"consoleSize,omitempty"`
 // User specifies user information for the process.
 User User `json:"user"`
 // Args specifies the binary and arguments for the application to execute.
@@ -43,25 +47,33 @@ type Process struct {
 // Capabilities are Linux capabilities that are kept for the container.
 Capabilities []string `json:"capabilities,omitempty" platform:"linux"`
 // Rlimits specifies rlimit options to apply to the process.
- Rlimits []Rlimit `json:"rlimits,omitempty"`
+ Rlimits []Rlimit `json:"rlimits,omitempty" platform:"linux"`
 // NoNewPrivileges controls whether additional privileges could be gained by processes in the container.
- NoNewPrivileges bool `json:"noNewPrivileges,omitempty"`
-
- // ApparmorProfile specified the apparmor profile for the container. (this field is platform dependent)
+ NoNewPrivileges bool `json:"noNewPrivileges,omitempty" platform:"linux"`
+ // ApparmorProfile specifies the apparmor profile for the container.
 ApparmorProfile string `json:"apparmorProfile,omitempty" platform:"linux"`
- // SelinuxLabel specifies the selinux context that the container process is run as. (this field is platform dependent)
+ // SelinuxLabel specifies the selinux context that the container process is run as.
 SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`
 }
-// User specifies Linux specific user and group information for the container's
-// main process.
+// Box specifies dimensions of a rectangle. Used for specifying the size of a console.
+type Box struct {
+ // Height is the vertical dimension of a box.
+ Height uint `json:"height"`
+ // Width is the horizontal dimension of a box.
+ Width uint `json:"width"`
+}
+
+// User specifies specific user (and group) information for the container process.
 type User struct {
- // UID is the user id. (this field is platform dependent)
- UID uint32 `json:"uid" platform:"linux"`
- // GID is the group id. (this field is platform dependent)
- GID uint32 `json:"gid" platform:"linux"`
- // AdditionalGids are additional group ids set for the container's process. (this field is platform dependent)
- AdditionalGids []uint32 `json:"additionalGids,omitempty" platform:"linux"`
+ // UID is the user id.
+ UID uint32 `json:"uid" platform:"linux,solaris"`
+ // GID is the group id.
+ GID uint32 `json:"gid" platform:"linux,solaris"`
+ // AdditionalGids are additional group ids set for the container's process.
+ AdditionalGids []uint32 `json:"additionalGids,omitempty" platform:"linux,solaris"`
+ // Username is the user name.
+ Username string `json:"username,omitempty" platform:"windows"`
 }
 // Root contains information about the container's root filesystem on the host.
@@ -262,7 +274,7 @@ type Memory struct {
 // Kernel memory limit (in bytes).
 Kernel *uint64 `json:"kernel,omitempty"`
 // Kernel memory limit for tcp (in bytes)
- KernelTCP *uint64 `json:"kernelTCP"`
+ KernelTCP *uint64 `json:"kernelTCP,omitempty"`
 // How aggressive the kernel will swap memory pages. Range from 0 to 100.
 Swappiness *uint64 `json:"swappiness,omitempty"`
 }
@@ -294,15 +306,15 @@ type Pids struct {
 // Network identification and priority configuration
 type Network struct {
 // Set class identifier for container's network packets
- ClassID *uint32 `json:"classID"`
+ ClassID *uint32 `json:"classID,omitempty"`
 // Set priority of network traffic for container
 Priorities []InterfacePriority `json:"priorities,omitempty"`
 }
 // Resources has container runtime resource constraints
 type Resources struct {
- // Devices are a list of device rules for the whitelist controller
- Devices []DeviceCgroup `json:"devices"`
+ // Devices configures the device whitelist.
+ Devices []DeviceCgroup `json:"devices,omitempty"`
 // DisableOOMKiller disables the OOM killer for out of memory conditions
 DisableOOMKiller *bool `json:"disableOOMKiller,omitempty"`
 // Specify an oom_score_adj for the container.
@@ -371,9 +383,9 @@ type Solaris struct {
 // Specification for automatic creation of network resources for this container.
 Anet []Anet `json:"anet,omitempty"`
 // Set limit on the amount of CPU time that can be used by container.
- CappedCPU CappedCPU `json:"cappedCPU,omitempty"`
+ CappedCPU *CappedCPU `json:"cappedCPU,omitempty"`
 // The physical and swap caps on the memory that can be used by this container.
- CappedMemory CappedMemory `json:"cappedMemory,omitempty"`
+ CappedMemory *CappedMemory `json:"cappedMemory,omitempty"`
 }
 // CappedCPU allows users to set limit on the amount of CPU time that can be used by container.
@@ -405,6 +417,58 @@ type Anet struct {
 Macaddress string `json:"macAddress,omitempty"`
 }
+// Windows defines the runtime configuration for Windows based containers, including Hyper-V containers.
+type Windows struct {
+ // Resources contains information for handling resource constraints for the container.
+ Resources *WindowsResources `json:"resources,omitempty"`
+}
+
+// WindowsResources has container runtime resource constraints for containers running on Windows.
+type WindowsResources struct {
+ // Memory restriction configuration.
+ Memory *WindowsMemoryResources `json:"memory,omitempty"`
+ // CPU resource restriction configuration.
+ CPU *WindowsCPUResources `json:"cpu,omitempty"`
+ // Storage restriction configuration.
+ Storage *WindowsStorageResources `json:"storage,omitempty"`
+ // Network restriction configuration.
+ Network *WindowsNetworkResources `json:"network,omitempty"`
+}
+
+// WindowsMemoryResources contains memory resource management settings.
+type WindowsMemoryResources struct {
+ // Memory limit in bytes.
+ Limit *uint64 `json:"limit,omitempty"`
+ // Memory reservation in bytes.
+ Reservation *uint64 `json:"reservation,omitempty"`
+}
+
+// WindowsCPUResources contains CPU resource management settings.
+type WindowsCPUResources struct {
+ // Number of CPUs available to the container.
+ Count *uint64 `json:"count,omitempty"`
+ // CPU shares (relative weight to other containers with cpu shares). Range is from 1 to 10000.
+ Shares *uint16 `json:"shares,omitempty"`
+ // Percent of available CPUs usable by the container.
+ Percent *uint8 `json:"percent,omitempty"`
+}
+
+// WindowsStorageResources contains storage resource management settings.
+type WindowsStorageResources struct {
+ // Specifies maximum Iops for the system drive.
+ Iops *uint64 `json:"iops,omitempty"`
+ // Specifies maximum bytes per second for the system drive.
+ Bps *uint64 `json:"bps,omitempty"`
+ // Sandbox size specifies the minimum size of the system drive in bytes.
+ SandboxSize *uint64 `json:"sandboxSize,omitempty"`
+}
+
+// WindowsNetworkResources contains network resource management settings.
+type WindowsNetworkResources struct {
+ // EgressBandwidth is the maximum egress bandwidth in bytes per second.
+ EgressBandwidth *uint64 `json:"egressBandwidth,omitempty"`
+}
+
 // Arch used for additional architectures
 type Arch string
diff --git a/vendor/src/github.com/opencontainers/specs/specs-go/state.go b/vendor/src/github.com/opencontainers/specs/specs-go/state.go
index 445f8c5c0c..ad31b893bb 100644
--- a/vendor/src/github.com/opencontainers/specs/specs-go/state.go
+++ b/vendor/src/github.com/opencontainers/specs/specs-go/state.go
@@ -8,7 +8,7 @@ type State struct {
 ID string `json:"id"`
 // Status is the runtime state of the container.
 Status string `json:"status"`
- // Pid is the process id for the container's main process.
+ // Pid is the process ID for the container process.
 Pid int `json:"pid"`
 // BundlePath is the path to the container's bundle directory.
 BundlePath string `json:"bundlePath"`
diff --git a/vendor/src/github.com/opencontainers/specs/specs-go/version.go b/vendor/src/github.com/opencontainers/specs/specs-go/version.go
index 2dbd302e3c..8b5ec89089 100644
--- a/vendor/src/github.com/opencontainers/specs/specs-go/version.go
+++ b/vendor/src/github.com/opencontainers/specs/specs-go/version.go
@@ -11,7 +11,7 @@ const (
 VersionPatch = 0
 // VersionDev indicates development branch. Releases will be empty string.
- VersionDev = "-rc1"
+ VersionDev = "-rc2-dev"
 )
 // Version is the specification version that the package types support.