
  1. package specs
  2. import "os"
// Spec is the base configuration for the container.
//
// This is the Go shape of an OCI runtime bundle configuration. The types in
// this file describe only the wire format; nothing here validates it.
// NOTE(review): a runtime that acts on a Spec with elevated privileges should
// validate it first (absolute paths, ID ranges, recognised enum values) —
// confirm where that validation lives in the consuming runtime.
//
// Fields carrying a `platform:"..."` tag presumably apply only on the listed
// platforms; the tag is informational at this layer and is not enforced here.
type Spec struct {
	// Version of the Open Container Initiative Runtime Specification with which the bundle complies.
	Version string `json:"ociVersion"`
	// Process configures the container process.
	Process *Process `json:"process,omitempty"`
	// Root configures the container's root filesystem.
	Root *Root `json:"root,omitempty"`
	// Hostname configures the container's hostname.
	Hostname string `json:"hostname,omitempty"`
	// Domainname configures the container's domainname.
	Domainname string `json:"domainname,omitempty"`
	// Mounts configures additional mounts (on top of Root).
	// Each entry can expose host state to the container; see Mount.
	Mounts []Mount `json:"mounts,omitempty"`
	// Hooks configures callbacks for container lifecycle events.
	// See Hooks for which namespace (runtime or container) each hook runs in.
	Hooks *Hooks `json:"hooks,omitempty" platform:"linux,solaris,zos"`
	// Annotations contains arbitrary metadata for the container.
	// Keys and values are free-form strings that are not interpreted here;
	// NOTE(review): treat them as untrusted if they are ever rendered,
	// logged or handed to a shell.
	Annotations map[string]string `json:"annotations,omitempty"`
	// Linux is platform-specific configuration for Linux based containers.
	Linux *Linux `json:"linux,omitempty" platform:"linux"`
	// Solaris is platform-specific configuration for Solaris based containers.
	Solaris *Solaris `json:"solaris,omitempty" platform:"solaris"`
	// Windows is platform-specific configuration for Windows based containers.
	Windows *Windows `json:"windows,omitempty" platform:"windows"`
	// VM specifies configuration for virtual-machine-based containers.
	VM *VM `json:"vm,omitempty" platform:"vm"`
	// ZOS is platform-specific configuration for z/OS based containers.
	ZOS *ZOS `json:"zos,omitempty" platform:"zos"`
}
// Scheduler represents the scheduling attributes for a process. It is based on
// the Linux sched_setattr(2) syscall.
//
// Nice, Priority, Runtime, Deadline and Period are all omitempty, so a zero
// value is dropped on encode and a decoder cannot distinguish it from
// "unset". No range checking is done by this type.
type Scheduler struct {
	// Policy represents the scheduling policy (e.g., SCHED_FIFO, SCHED_RR, SCHED_OTHER).
	// NOTE(review): real-time and deadline policies let a process monopolise
	// a CPU; whether a runtime gates them behind a privilege check is decided
	// elsewhere, not here.
	Policy LinuxSchedulerPolicy `json:"policy"`
	// Nice is the nice value for the process, which affects its priority.
	Nice int32 `json:"nice,omitempty"`
	// Priority represents the static priority of the process.
	Priority int32 `json:"priority,omitempty"`
	// Flags is an array of scheduling flags.
	Flags []LinuxSchedulerFlag `json:"flags,omitempty"`
	// The following ones are used by the DEADLINE scheduler.
	// Runtime is the amount of time in nanoseconds during which the process
	// is allowed to run in a given period.
	Runtime uint64 `json:"runtime,omitempty"`
	// Deadline is the absolute deadline for the process to complete its execution.
	// Units are not stated here; presumably nanoseconds like Runtime and
	// Period — confirm against sched_setattr(2).
	Deadline uint64 `json:"deadline,omitempty"`
	// Period is the length of the period in nanoseconds used for determining the process runtime.
	Period uint64 `json:"period,omitempty"`
}
// Process contains information to start a specific application inside the container.
//
// The hardening knobs here (NoNewPrivileges, Capabilities, ApparmorProfile,
// SelinuxLabel) are opt-in: their zero value is "not set", and because they
// are tagged omitempty an explicit false/empty is indistinguishable from
// absent on the wire. A consumer therefore cannot tell "deliberately
// disabled" from "never configured".
type Process struct {
	// Terminal creates an interactive terminal for the container.
	Terminal bool `json:"terminal,omitempty"`
	// ConsoleSize specifies the size of the console.
	ConsoleSize *Box `json:"consoleSize,omitempty"`
	// User specifies user information for the process.
	// Not omitempty: the zero value decodes as UID 0 / GID 0, so a missing or
	// empty "user" object yields a root-owned process unless the runtime
	// remaps it. NOTE(review): callers should set this explicitly.
	User User `json:"user"`
	// Args specifies the binary and arguments for the application to execute.
	Args []string `json:"args,omitempty"`
	// CommandLine specifies the full command line for the application to execute on Windows.
	CommandLine string `json:"commandLine,omitempty" platform:"windows"`
	// Env populates the process environment for the process.
	// Entries are passed through verbatim; nothing here checks their form.
	Env []string `json:"env,omitempty"`
	// Cwd is the current working directory for the process and must be
	// relative to the container's root.
	Cwd string `json:"cwd"`
	// Capabilities are Linux capabilities that are kept for the process.
	// nil leaves the choice to the runtime; see LinuxCapabilities.
	Capabilities *LinuxCapabilities `json:"capabilities,omitempty" platform:"linux"`
	// Rlimits specifies rlimit options to apply to the process.
	Rlimits []POSIXRlimit `json:"rlimits,omitempty" platform:"linux,solaris,zos"`
	// NoNewPrivileges controls whether additional privileges could be gained by processes in the container.
	// true presumably maps to prctl(PR_SET_NO_NEW_PRIVS), so setuid/setgid
	// and file-capability executables cannot raise privilege; false or
	// absent leaves that possible — confirm in the consuming runtime.
	NoNewPrivileges bool `json:"noNewPrivileges,omitempty" platform:"linux"`
	// ApparmorProfile specifies the apparmor profile for the container.
	// Empty means no profile is requested by this config.
	ApparmorProfile string `json:"apparmorProfile,omitempty" platform:"linux"`
	// Specify an oom_score_adj for the container.
	// nil means "not set". NOTE(review): negative values make the process
	// less likely to be OOM-killed than host processes — review such entries.
	OOMScoreAdj *int `json:"oomScoreAdj,omitempty" platform:"linux"`
	// Scheduler specifies the scheduling attributes for a process
	Scheduler *Scheduler `json:"scheduler,omitempty" platform:"linux"`
	// SelinuxLabel specifies the selinux context that the container process is run as.
	// Empty means no label is requested by this config.
	SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`
	// IOPriority contains the I/O priority settings for the cgroup.
	IOPriority *LinuxIOPriority `json:"ioPriority,omitempty" platform:"linux"`
}
// LinuxCapabilities specifies the list of allowed capabilities that are kept for a process.
// http://man7.org/linux/man-pages/man7/capabilities.7.html
//
// Each set is a list of capability names carried as plain strings; nothing
// here checks that a name is known to the kernel or that the sets are
// consistent with each other (per capabilities(7), Effective and Ambient
// are bounded by Permitted, and Permitted by Bounding). A nil set and an
// empty set encode identically because of omitempty.
type LinuxCapabilities struct {
	// Bounding is the limiting superset for the capabilities a process can
	// acquire; capabilities outside it cannot be regained via execve
	// (see capabilities(7)).
	Bounding []string `json:"bounding,omitempty" platform:"linux"`
	// Effective is the set of capabilities checked by the kernel.
	Effective []string `json:"effective,omitempty" platform:"linux"`
	// Inheritable is the capabilities preserved across execve.
	Inheritable []string `json:"inheritable,omitempty" platform:"linux"`
	// Permitted is the limiting superset for effective capabilities.
	Permitted []string `json:"permitted,omitempty" platform:"linux"`
	// Ambient is the ambient set of capabilities that are kept.
	// NOTE(review): ambient capabilities survive execve of unprivileged
	// binaries, so this set effectively grants the capability to everything
	// the process runs — review it more carefully than the others.
	Ambient []string `json:"ambient,omitempty" platform:"linux"`
}
// LinuxIOPriority represents I/O priority settings for the container's processes within the process group.
//
// Neither field is omitempty, so the zero value is always encoded; Priority
// is not range-checked here.
type LinuxIOPriority struct {
	// Class is the I/O scheduling class; see IOPriorityClass for the values.
	Class IOPriorityClass `json:"class"`
	// Priority is the priority level within Class.
	Priority int `json:"priority"`
}
// IOPriorityClass represents an I/O scheduling class.
//
// It is a plain string type, so a decoder will accept any value; callers
// that care should compare against the constants below.
type IOPriorityClass string

// Possible values for IOPriorityClass.
const (
	// IOPRIO_CLASS_RT is the real-time class. NOTE(review): it can starve
	// other I/O on the host; whether a runtime gates it is decided elsewhere.
	IOPRIO_CLASS_RT IOPriorityClass = "IOPRIO_CLASS_RT"
	// IOPRIO_CLASS_BE is the best-effort class.
	IOPRIO_CLASS_BE IOPriorityClass = "IOPRIO_CLASS_BE"
	// IOPRIO_CLASS_IDLE is the idle class.
	IOPRIO_CLASS_IDLE IOPriorityClass = "IOPRIO_CLASS_IDLE"
)
// Box specifies dimensions of a rectangle. Used for specifying the size of a console.
//
// Both fields are always encoded (no omitempty); a zero dimension is a
// valid wire value and is not rejected here.
type Box struct {
	// Height is the vertical dimension of a box.
	Height uint `json:"height"`
	// Width is the horizontal dimension of a box.
	Width uint `json:"width"`
}
// User specifies specific user (and group) information for the container process.
//
// UID and GID are not omitempty and have zero value 0, so an absent "user"
// object (or one that omits them) resolves to root (0/0). Callers that want
// an unprivileged process must set them explicitly.
type User struct {
	// UID is the user id.
	UID uint32 `json:"uid" platform:"linux,solaris,zos"`
	// GID is the group id.
	GID uint32 `json:"gid" platform:"linux,solaris,zos"`
	// Umask is the umask for the init process.
	// nil means "not set"; what the runtime does then (presumably keep its
	// inherited umask) is not decided here — confirm in the runtime.
	Umask *uint32 `json:"umask,omitempty" platform:"linux,solaris,zos"`
	// AdditionalGids are additional group ids set for the container's process.
	// NOTE(review): supplementary groups widen what the process may access
	// (group 0 in particular); they are neither deduplicated nor validated here.
	AdditionalGids []uint32 `json:"additionalGids,omitempty" platform:"linux,solaris"`
	// Username is the user name.
	Username string `json:"username,omitempty" platform:"windows"`
}
// Root contains information about the container's root filesystem on the host.
type Root struct {
	// Path is the absolute path to the container's root filesystem.
	// NOTE(review): nothing here checks that it is absolute or that it does
	// not escape the bundle via symlinks; that validation belongs in the
	// runtime before the path is used with elevated privileges.
	Path string `json:"path"`
	// Readonly makes the root filesystem for the container readonly before the process is executed.
	// The default (false or absent) is a writable rootfs; because of
	// omitempty an explicit false is not encoded.
	Readonly bool `json:"readonly,omitempty"`
}
// Mount specifies a mount for a container.
//
// All fields are passed through as strings; this type does no normalisation
// of Destination or Source and no parsing of Options.
type Mount struct {
	// Destination is the absolute path where the mount will be placed in the container.
	// NOTE(review): a runtime must resolve this inside the rootfs (symlinks
	// included) so the mount cannot land outside the container; not checked here.
	Destination string `json:"destination"`
	// Type specifies the mount kind.
	Type string `json:"type,omitempty" platform:"linux,solaris,zos"`
	// Source specifies the source path of the mount.
	// For bind-style mounts this is presumably a host path and thus decides
	// which host state the container can see — review these entries.
	Source string `json:"source,omitempty"`
	// Options are fstab style mount options.
	// Carried verbatim; if hardening options such as "ro" or "nosuid" are
	// absent, the mount's defaults apply.
	Options []string `json:"options,omitempty"`
	// UID/GID mappings used for changing file owners w/o calling chown, fs should support it.
	// Every mount point could have its own mapping.
	// See LinuxIDMapping for the range semantics and overflow caveat.
	UIDMappings []LinuxIDMapping `json:"uidMappings,omitempty" platform:"linux"`
	GIDMappings []LinuxIDMapping `json:"gidMappings,omitempty" platform:"linux"`
}
// Hook specifies a command that is run at a particular event in the lifecycle of a container
//
// Path, Args and Env describe an exec-style invocation; see Hooks for which
// namespace (runtime or container) each hook kind runs in. Hooks that run in
// the runtime namespace presumably execute with the runtime's privileges, so
// Path and Env taken from a bundle deserve the same scrutiny as the runtime
// binary itself.
type Hook struct {
	// Path is the path of the hook executable.
	// NOTE(review): not validated here to be absolute or to exist.
	Path string `json:"path"`
	// Args are the arguments passed to the hook. Whether argv[0] is included
	// is a convention of the consuming runtime — confirm there.
	Args []string `json:"args,omitempty"`
	// Env is the environment given to the hook; entries are passed through
	// verbatim and not checked here.
	Env []string `json:"env,omitempty"`
	// Timeout bounds how long the hook may run; nil means no timeout is
	// requested. Units are not stated here — confirm against the OCI spec.
	Timeout *int `json:"timeout,omitempty"`
}
// Hooks specifies a command that is run in the container at a particular event in the lifecycle of a container
// Hooks for container setup and teardown
//
// Each list runs in the namespace named on its field. Hooks run in the
// Runtime Namespace see the host's view of the system; hooks run in the
// Container Namespace see the container's rootfs and mounts. NOTE(review):
// a hook in the container namespace executes against a filesystem the
// image author controls — confirm the runtime does not run such hooks with
// more privilege than the container process itself.
type Hooks struct {
	// Prestart is Deprecated. Prestart is a list of hooks to be run before the container process is executed.
	// It is called in the Runtime Namespace
	//
	// Deprecated: use [Hooks.CreateRuntime], [Hooks.CreateContainer], and
	// [Hooks.StartContainer] instead, which allow more granular hook control
	// during the create and start phase.
	Prestart []Hook `json:"prestart,omitempty"`
	// CreateRuntime is a list of hooks to be run after the container has been created but before pivot_root or any equivalent operation has been called
	// It is called in the Runtime Namespace
	CreateRuntime []Hook `json:"createRuntime,omitempty"`
	// CreateContainer is a list of hooks to be run after the container has been created but before pivot_root or any equivalent operation has been called
	// It is called in the Container Namespace
	CreateContainer []Hook `json:"createContainer,omitempty"`
	// StartContainer is a list of hooks to be run after the start operation is called but before the container process is started
	// It is called in the Container Namespace
	StartContainer []Hook `json:"startContainer,omitempty"`
	// Poststart is a list of hooks to be run after the container process is started.
	// It is called in the Runtime Namespace
	Poststart []Hook `json:"poststart,omitempty"`
	// Poststop is a list of hooks to be run after the container process exits.
	// It is called in the Runtime Namespace
	Poststop []Hook `json:"poststop,omitempty"`
}
// Linux contains platform-specific configuration for Linux based containers.
//
// Most of the container's isolation and hardening on Linux is expressed
// here: user-namespace ID mappings, namespaces, the device list, seccomp,
// masked and read-only paths, and rootfs mount propagation. Every field is
// optional and this type supplies no defaults, so an empty Linux section
// requests none of it.
type Linux struct {
	// UIDMapping specifies user mappings for supporting user namespaces.
	UIDMappings []LinuxIDMapping `json:"uidMappings,omitempty"`
	// GIDMapping specifies group mappings for supporting user namespaces.
	GIDMappings []LinuxIDMapping `json:"gidMappings,omitempty"`
	// Sysctl are a set of key value pairs that are set for the container on start
	// NOTE(review): keys are free-form strings. Only namespaced sysctls are
	// safe to set from a container config; nothing here restricts the key
	// set — confirm the runtime's allowlist.
	Sysctl map[string]string `json:"sysctl,omitempty"`
	// Resources contain cgroup information for handling resource constraints
	// for the container
	Resources *LinuxResources `json:"resources,omitempty"`
	// CgroupsPath specifies the path to cgroups that are created and/or joined by the container.
	// The path is expected to be relative to the cgroups mountpoint.
	// If resources are specified, the cgroups at CgroupsPath will be updated based on resources.
	// NOTE(review): "expected to be relative" is not enforced here; a path
	// containing ".." or an absolute path is accepted by this type.
	CgroupsPath string `json:"cgroupsPath,omitempty"`
	// Namespaces contains the namespaces that are created and/or joined by the container
	// A namespace type absent from this list is presumably inherited from the
	// runtime, i.e. shared with the host — confirm in the runtime.
	Namespaces []LinuxNamespace `json:"namespaces,omitempty"`
	// Devices are a list of device nodes that are created for the container
	Devices []LinuxDevice `json:"devices,omitempty"`
	// Seccomp specifies the seccomp security settings for the container.
	// nil means no seccomp filter is requested by this config.
	Seccomp *LinuxSeccomp `json:"seccomp,omitempty"`
	// RootfsPropagation is the rootfs mount propagation mode for the container.
	// NOTE(review): a shared propagation mode lets mounts made inside the
	// container propagate back to the host mount namespace; the value is an
	// unchecked string here.
	RootfsPropagation string `json:"rootfsPropagation,omitempty"`
	// MaskedPaths masks over the provided paths inside the container.
	// An empty list masks nothing.
	MaskedPaths []string `json:"maskedPaths,omitempty"`
	// ReadonlyPaths sets the provided paths as RO inside the container.
	// An empty list leaves every path writable (subject to Root.Readonly).
	ReadonlyPaths []string `json:"readonlyPaths,omitempty"`
	// MountLabel specifies the selinux context for the mounts in the container.
	MountLabel string `json:"mountLabel,omitempty"`
	// IntelRdt contains Intel Resource Director Technology (RDT) information for
	// handling resource constraints and monitoring metrics (e.g., L3 cache, memory bandwidth) for the container
	IntelRdt *LinuxIntelRdt `json:"intelRdt,omitempty"`
	// Personality contains configuration for the Linux personality syscall
	Personality *LinuxPersonality `json:"personality,omitempty"`
	// TimeOffsets specifies the offset for supporting time namespaces.
	// Keyed by clock name; the key set is not validated here.
	TimeOffsets map[string]LinuxTimeOffset `json:"timeOffsets,omitempty"`
}
// LinuxNamespace is the configuration for a Linux namespace
//
// With Path empty the namespace is created fresh; with Path set the
// container joins the namespace found there instead.
type LinuxNamespace struct {
	// Type is the type of namespace
	Type LinuxNamespaceType `json:"type"`
	// Path is a path to an existing namespace persisted on disk that can be joined
	// and is of the same type
	// NOTE(review): joining by path can hand the container an existing
	// (possibly host) namespace, e.g. the host network namespace; the
	// "same type" requirement is not checked by this type.
	Path string `json:"path,omitempty"`
}
// LinuxNamespaceType is one of the Linux namespaces
//
// It is a plain string type; a decoder accepts any value, so callers that
// care should compare against the constants below.
type LinuxNamespaceType string

const (
	// PIDNamespace for isolating process IDs
	PIDNamespace LinuxNamespaceType = "pid"
	// NetworkNamespace for isolating network devices, stacks, ports, etc
	NetworkNamespace LinuxNamespaceType = "network"
	// MountNamespace for isolating mount points
	MountNamespace LinuxNamespaceType = "mount"
	// IPCNamespace for isolating System V IPC, POSIX message queues
	IPCNamespace LinuxNamespaceType = "ipc"
	// UTSNamespace for isolating hostname and NIS domain name
	UTSNamespace LinuxNamespaceType = "uts"
	// UserNamespace for isolating user and group IDs
	// (see Linux.UIDMappings / Linux.GIDMappings for the ID ranges)
	UserNamespace LinuxNamespaceType = "user"
	// CgroupNamespace for isolating cgroup hierarchies
	CgroupNamespace LinuxNamespaceType = "cgroup"
	// TimeNamespace for isolating the clocks
	// (see Linux.TimeOffsets for the per-clock offsets)
	TimeNamespace LinuxNamespaceType = "time"
)
// LinuxIDMapping specifies UID/GID mappings
//
// The mapping covers [ContainerID, ContainerID+Size) inside the container
// and [HostID, HostID+Size) on the host. All three fields are uint32 and no
// overflow check is done here, so ContainerID+Size or HostID+Size can wrap.
// NOTE(review): a HostID of 0 maps ContainerID onto the host's root
// UID/GID, which undoes the isolation a user namespace is meant to give —
// confirm the consuming runtime rejects or at least surfaces that.
type LinuxIDMapping struct {
	// ContainerID is the starting UID/GID in the container
	ContainerID uint32 `json:"containerID"`
	// HostID is the starting UID/GID on the host to be mapped to 'ContainerID'
	HostID uint32 `json:"hostID"`
	// Size is the number of IDs to be mapped
	// Zero is accepted by this type even though it maps nothing.
	Size uint32 `json:"size"`
}
// LinuxTimeOffset specifies the offset for Time Namespace
//
// Secs may be negative; Nanosecs is unsigned and presumably expected to be
// below one second (not checked here).
type LinuxTimeOffset struct {
	// Secs is the offset of clock (in secs) in the container
	Secs int64 `json:"secs,omitempty"`
	// Nanosecs is the additional offset for Secs (in nanosecs)
	Nanosecs uint32 `json:"nanosecs,omitempty"`
}
// POSIXRlimit type and restrictions
//
// Type is the rlimit name carried as a plain string and is not validated
// here. setrlimit(2) requires Soft <= Hard; that invariant is not checked by
// this type either, so a consumer should expect to reject inconsistent
// entries itself.
type POSIXRlimit struct {
	// Type of the rlimit to set
	Type string `json:"type"`
	// Hard is the hard limit for the specified type
	Hard uint64 `json:"hard"`
	// Soft is the soft limit for the specified type
	Soft uint64 `json:"soft"`
}
// LinuxHugepageLimit structure corresponds to limiting kernel hugepages.
// Default to reservation limits if supported. Otherwise fallback to page fault limits.
type LinuxHugepageLimit struct {
	// Pagesize is the hugepage size.
	// Format: "<size><unit-prefix>B" (e.g. 64KB, 2MB, 1GB, etc.).
	// The string is not parsed or validated here.
	Pagesize string `json:"pageSize"`
	// Limit is the limit of "hugepagesize" hugetlb reservations (if supported) or usage.
	Limit uint64 `json:"limit"`
}
// LinuxInterfacePriority for network interfaces
//
// Both fields are always encoded; Name is not checked against existing
// interfaces here.
type LinuxInterfacePriority struct {
	// Name is the name of the network interface
	Name string `json:"name"`
	// Priority for the interface
	Priority uint32 `json:"priority"`
}
// LinuxBlockIODevice holds major:minor format supported in blkio cgroup
//
// Embedded by LinuxWeightDevice and LinuxThrottleDevice. Major and Minor
// are signed and always encoded; negative values are not rejected here.
type LinuxBlockIODevice struct {
	// Major is the device's major number.
	Major int64 `json:"major"`
	// Minor is the device's minor number.
	Minor int64 `json:"minor"`
}
// LinuxWeightDevice struct holds a `major:minor weight` pair for weightDevice
//
// The embedded LinuxBlockIODevice contributes the "major"/"minor" JSON keys.
// Weight and LeafWeight are pointers so that "unset" (nil) is distinct from
// an explicit zero.
type LinuxWeightDevice struct {
	LinuxBlockIODevice
	// Weight is the bandwidth rate for the device.
	Weight *uint16 `json:"weight,omitempty"`
	// LeafWeight is the bandwidth rate for the device while competing with the cgroup's child cgroups, CFQ scheduler only
	LeafWeight *uint16 `json:"leafWeight,omitempty"`
}
// LinuxThrottleDevice struct holds a `major:minor rate_per_second` pair
//
// The embedded LinuxBlockIODevice contributes the "major"/"minor" JSON keys.
// Whether Rate is bytes or operations per second depends on which
// LinuxBlockIO list the entry appears in.
type LinuxThrottleDevice struct {
	LinuxBlockIODevice
	// Rate is the IO rate limit per cgroup per device
	Rate uint64 `json:"rate"`
}
// LinuxBlockIO for Linux cgroup 'blkio' resource management
//
// All fields are optional; a nil/empty value requests no change for that
// control. Per-device entries override the cgroup-wide Weight.
type LinuxBlockIO struct {
	// Specifies per cgroup weight
	Weight *uint16 `json:"weight,omitempty"`
	// Specifies tasks' weight in the given cgroup while competing with the cgroup's child cgroups, CFQ scheduler only
	LeafWeight *uint16 `json:"leafWeight,omitempty"`
	// Weight per cgroup per device, can override BlkioWeight
	WeightDevice []LinuxWeightDevice `json:"weightDevice,omitempty"`
	// IO read rate limit per cgroup per device, bytes per second
	ThrottleReadBpsDevice []LinuxThrottleDevice `json:"throttleReadBpsDevice,omitempty"`
	// IO write rate limit per cgroup per device, bytes per second
	ThrottleWriteBpsDevice []LinuxThrottleDevice `json:"throttleWriteBpsDevice,omitempty"`
	// IO read rate limit per cgroup per device, IO per second
	ThrottleReadIOPSDevice []LinuxThrottleDevice `json:"throttleReadIOPSDevice,omitempty"`
	// IO write rate limit per cgroup per device, IO per second
	ThrottleWriteIOPSDevice []LinuxThrottleDevice `json:"throttleWriteIOPSDevice,omitempty"`
}
// LinuxMemory for Linux cgroup 'memory' resource management
//
// Every field is a pointer so that "unset" (nil) is distinct from an
// explicit zero. Signed limits are accepted as-is; a negative value is
// presumably the "unlimited" convention of the underlying cgroup interface
// — confirm in the consuming runtime.
type LinuxMemory struct {
	// Memory limit (in bytes).
	Limit *int64 `json:"limit,omitempty"`
	// Memory reservation or soft_limit (in bytes).
	Reservation *int64 `json:"reservation,omitempty"`
	// Total memory limit (memory + swap).
	Swap *int64 `json:"swap,omitempty"`
	// Kernel memory limit (in bytes).
	//
	// Deprecated: kernel-memory limits are not supported in cgroups v2, and
	// were obsoleted in [kernel v5.4]. This field should no longer be used,
	// as it may be ignored by runtimes.
	//
	// [kernel v5.4]: https://github.com/torvalds/linux/commit/0158115f702b0ba208ab0
	Kernel *int64 `json:"kernel,omitempty"`
	// Kernel memory limit for tcp (in bytes)
	KernelTCP *int64 `json:"kernelTCP,omitempty"`
	// How aggressive the kernel will swap memory pages.
	// Not range-checked here.
	Swappiness *uint64 `json:"swappiness,omitempty"`
	// DisableOOMKiller disables the OOM killer for out of memory conditions
	// NOTE(review): with a Limit set and the OOM killer disabled, tasks that
	// hit the limit presumably block rather than die; treat a true value as
	// a deliberate, reviewed choice.
	DisableOOMKiller *bool `json:"disableOOMKiller,omitempty"`
	// Enables hierarchical memory accounting
	UseHierarchy *bool `json:"useHierarchy,omitempty"`
	// CheckBeforeUpdate enables checking if a new memory limit is lower
	// than the current usage during update, and if so, rejecting the new
	// limit.
	CheckBeforeUpdate *bool `json:"checkBeforeUpdate,omitempty"`
}
// LinuxCPU for Linux cgroup 'cpu' resource management
//
// Pointer fields distinguish "unset" (nil) from an explicit zero. Cpus and
// Mems are cpuset list strings carried verbatim and not parsed here.
type LinuxCPU struct {
	// CPU shares (relative weight (ratio) vs. other cgroups with cpu shares).
	Shares *uint64 `json:"shares,omitempty"`
	// CPU hardcap limit (in usecs). Allowed cpu time in a given period.
	// Signed; the meaning of a negative value is left to the cgroup
	// interface and is not checked here.
	Quota *int64 `json:"quota,omitempty"`
	// CPU hardcap burst limit (in usecs). Allowed accumulated cpu time additionally for burst in a
	// given period.
	Burst *uint64 `json:"burst,omitempty"`
	// CPU period to be used for hardcapping (in usecs).
	Period *uint64 `json:"period,omitempty"`
	// How much time realtime scheduling may use (in usecs).
	// NOTE(review): granting realtime runtime lets container tasks pre-empt
	// host tasks; review alongside Scheduler.Policy.
	RealtimeRuntime *int64 `json:"realtimeRuntime,omitempty"`
	// CPU period to be used for realtime scheduling (in usecs).
	RealtimePeriod *uint64 `json:"realtimePeriod,omitempty"`
	// CPUs to use within the cpuset. Default is to use any CPU available.
	Cpus string `json:"cpus,omitempty"`
	// List of memory nodes in the cpuset. Default is to use any available memory node.
	Mems string `json:"mems,omitempty"`
	// cgroups are configured with minimum weight, 0: default behavior, 1: SCHED_IDLE.
	Idle *int64 `json:"idle,omitempty"`
}
// LinuxPids for Linux cgroup 'pids' resource management (Linux 4.3)
//
// Limit is not omitempty, so a zero value is always encoded as "limit": 0;
// how 0 (or a negative value) relates to "no limit" is decided by the
// consuming runtime, not here. NOTE(review): leaving the pids limit unset
// leaves the container free to exhaust the host PID space.
type LinuxPids struct {
	// Maximum number of PIDs. Default is "no limit".
	Limit int64 `json:"limit"`
}
// LinuxNetwork identification and priority configuration
//
// Both fields are optional; nil/empty requests no change.
type LinuxNetwork struct {
	// Set class identifier for container's network packets
	ClassID *uint32 `json:"classID,omitempty"`
	// Set priority of network traffic for container
	Priorities []LinuxInterfacePriority `json:"priorities,omitempty"`
}
// LinuxRdma for Linux cgroup 'rdma' resource management (Linux 4.11)
//
// Pointer fields distinguish "unset" (nil, meaning no limit) from an
// explicit zero.
type LinuxRdma struct {
	// Maximum number of HCA handles that can be opened. Default is "no limit".
	HcaHandles *uint32 `json:"hcaHandles,omitempty"`
	// Maximum number of HCA objects that can be created. Default is "no limit".
	HcaObjects *uint32 `json:"hcaObjects,omitempty"`
}
// LinuxResources has container runtime resource constraints
//
// Every field is optional; a nil section requests no change for that
// controller. An absent Devices list therefore expresses no device
// allowlist at all, leaving the outcome to the runtime's defaults.
type LinuxResources struct {
	// Devices configures the device allowlist.
	// Rules are applied in order; see LinuxDeviceCgroup for wildcard caveats.
	Devices []LinuxDeviceCgroup `json:"devices,omitempty"`
	// Memory restriction configuration
	Memory *LinuxMemory `json:"memory,omitempty"`
	// CPU resource restriction configuration
	CPU *LinuxCPU `json:"cpu,omitempty"`
	// Task resource restriction configuration.
	Pids *LinuxPids `json:"pids,omitempty"`
	// BlockIO restriction configuration
	BlockIO *LinuxBlockIO `json:"blockIO,omitempty"`
	// Hugetlb limits (in bytes). Default to reservation limits if supported.
	HugepageLimits []LinuxHugepageLimit `json:"hugepageLimits,omitempty"`
	// Network restriction configuration
	Network *LinuxNetwork `json:"network,omitempty"`
	// Rdma resource restriction configuration.
	// Limits are a set of key value pairs that define RDMA resource limits,
	// where the key is device name and value is resource limits.
	Rdma map[string]LinuxRdma `json:"rdma,omitempty"`
	// Unified resources.
	// NOTE(review): raw cgroup file name -> value pairs passed through as
	// strings; they can override anything the typed fields above set and
	// are not validated here.
	Unified map[string]string `json:"unified,omitempty"`
}
// LinuxDevice represents the mknod information for a Linux special device file
//
// Creating device nodes is a privileged operation; an entry here asks the
// runtime to expose a host device (by Major/Minor) inside the container.
// Type, Major and Minor are carried as-is and not validated by this type.
// Ownership and mode are optional: nil FileMode/UID/GID presumably leave the
// runtime's defaults in place — confirm there.
type LinuxDevice struct {
	// Path to the device.
	// NOTE(review): not checked here to be absolute or inside the rootfs.
	Path string `json:"path"`
	// Device type, block, char, etc.
	Type string `json:"type"`
	// Major is the device's major number.
	Major int64 `json:"major"`
	// Minor is the device's minor number.
	Minor int64 `json:"minor"`
	// FileMode permission bits for the device.
	FileMode *os.FileMode `json:"fileMode,omitempty"`
	// UID of the device.
	UID *uint32 `json:"uid,omitempty"`
	// Gid of the device.
	GID *uint32 `json:"gid,omitempty"`
}
// LinuxDeviceCgroup represents a device rule for the devices specified to
// the device controller
//
// Allow is not omitempty, so every rule carries an explicit allow/deny.
// Major and Minor are pointers; nil presumably acts as a wildcard for that
// number — confirm in the consuming runtime. Type and Access are unchecked
// strings.
type LinuxDeviceCgroup struct {
	// Allow or deny
	// NOTE(review): an allow rule with nil Major and Minor and Access "rwm"
	// would grant access to every device of that Type; review such entries.
	Allow bool `json:"allow"`
	// Device type, block, char, etc.
	Type string `json:"type,omitempty"`
	// Major is the device's major number.
	Major *int64 `json:"major,omitempty"`
	// Minor is the device's minor number.
	Minor *int64 `json:"minor,omitempty"`
	// Cgroup access permissions format, rwm.
	Access string `json:"access,omitempty"`
}
// LinuxPersonalityDomain refers to a personality domain.
//
// A plain string type; a decoder accepts any value, so callers that care
// should compare against the constants below.
type LinuxPersonalityDomain string

// LinuxPersonalityFlag refers to an additional personality flag. None are currently defined.
type LinuxPersonalityFlag string

// Define domain and flags for Personality
const (
	// PerLinux is the standard Linux personality
	PerLinux LinuxPersonalityDomain = "LINUX"
	// PerLinux32 sets personality to 32 bit
	PerLinux32 LinuxPersonalityDomain = "LINUX32"
)
// LinuxPersonality represents the Linux personality syscall input
type LinuxPersonality struct {
	// Domain for the personality
	// Always encoded; see LinuxPersonalityDomain for the defined values.
	Domain LinuxPersonalityDomain `json:"domain"`
	// Additional flags
	// No flag values are defined in this file; the list is passed through.
	Flags []LinuxPersonalityFlag `json:"flags,omitempty"`
}
// Solaris contains platform-specific configuration for Solaris application containers.
//
// All values are carried as strings in their native Solaris syntax and are
// not parsed or validated here.
type Solaris struct {
	// SMF FMRI which should go "online" before we start the container process.
	Milestone string `json:"milestone,omitempty"`
	// Maximum set of privileges any process in this container can obtain.
	// NOTE(review): this is the Solaris analogue of a capability bounding
	// set; an empty value leaves the platform default in force.
	LimitPriv string `json:"limitpriv,omitempty"`
	// The maximum amount of shared memory allowed for this container.
	MaxShmMemory string `json:"maxShmMemory,omitempty"`
	// Specification for automatic creation of network resources for this container.
	Anet []SolarisAnet `json:"anet,omitempty"`
	// Set limit on the amount of CPU time that can be used by container.
	CappedCPU *SolarisCappedCPU `json:"cappedCPU,omitempty"`
	// The physical and swap caps on the memory that can be used by this container.
	CappedMemory *SolarisCappedMemory `json:"cappedMemory,omitempty"`
}
// SolarisCappedCPU allows users to set limit on the amount of CPU time that can be used by container.
type SolarisCappedCPU struct {
	// Ncpus is the CPU cap, carried verbatim as a string; empty means no cap
	// is requested by this config.
	Ncpus string `json:"ncpus,omitempty"`
}
// SolarisCappedMemory allows users to set the physical and swap caps on the memory that can be used by this container.
//
// Both values are carried verbatim as strings; empty means no cap is
// requested for that kind of memory.
type SolarisCappedMemory struct {
	// Physical is the cap on physical memory.
	Physical string `json:"physical,omitempty"`
	// Swap is the cap on swap.
	Swap string `json:"swap,omitempty"`
}
// SolarisAnet provides the specification for automatic creation of network resources for this container.
//
// All fields are strings passed through to the platform; none are parsed or
// validated here.
type SolarisAnet struct {
	// Specify a name for the automatically created VNIC datalink.
	Linkname string `json:"linkname,omitempty"`
	// Specify the link over which the VNIC will be created.
	Lowerlink string `json:"lowerLink,omitempty"`
	// The set of IP addresses that the container can use.
	Allowedaddr string `json:"allowedAddress,omitempty"`
	// Specifies whether allowedAddress limitation is to be applied to the VNIC.
	// NOTE(review): if this is not enabled, Allowedaddr is presumably
	// advisory only and the container may use other addresses — confirm.
	Configallowedaddr string `json:"configureAllowedAddress,omitempty"`
	// The value of the optional default router.
	Defrouter string `json:"defrouter,omitempty"`
	// Enable one or more types of link protection.
	// Empty requests no link protection from this config.
	Linkprotection string `json:"linkProtection,omitempty"`
	// Set the VNIC's macAddress
	// NOTE(review): a caller-chosen MAC allows impersonating another link
	// unless link protection is enabled.
	Macaddress string `json:"macAddress,omitempty"`
}
// Windows defines the runtime configuration for Windows based containers, including Hyper-V containers.
type Windows struct {
	// LayerFolders contains a list of absolute paths to directories containing image layers.
	// Not omitempty: a nil slice encodes as null. "Absolute" is not checked here.
	LayerFolders []string `json:"layerFolders"`
	// Devices are the list of devices to be mapped into the container.
	Devices []WindowsDevice `json:"devices,omitempty"`
	// Resources contains information for handling resource constraints for the container.
	Resources *WindowsResources `json:"resources,omitempty"`
	// CredentialSpec contains a JSON object describing a group Managed Service Account (gMSA) specification.
	// Held as an untyped value (interface{}) so the JSON passes through
	// unparsed. NOTE(review): this is domain-identity material — avoid
	// logging or diffing a Spec with this field populated.
	CredentialSpec interface{} `json:"credentialSpec,omitempty"`
	// Servicing indicates if the container is being started in a mode to apply a Windows Update servicing operation.
	Servicing bool `json:"servicing,omitempty"`
	// IgnoreFlushesDuringBoot indicates if the container is being started in a mode where disk writes are not flushed during its boot process.
	IgnoreFlushesDuringBoot bool `json:"ignoreFlushesDuringBoot,omitempty"`
	// HyperV contains information for running a container with Hyper-V isolation.
	// nil means process isolation (no Hyper-V) is requested by this config.
	HyperV *WindowsHyperV `json:"hyperv,omitempty"`
	// Network restriction configuration.
	Network *WindowsNetwork `json:"network,omitempty"`
}
// WindowsDevice describes a host device to be mapped into the container.
type WindowsDevice struct {
	// ID identifies the device, e.g. an interface class GUID.
	ID string `json:"id"`
	// IDType names the kind of identifier held in ID, e.g. "class".
	IDType string `json:"idType"`
}
// WindowsResources holds the container runtime resource constraints for
// containers running on Windows. Every member is optional; a nil pointer
// means that class of resource is unconstrained by this config.
type WindowsResources struct {
	// Memory holds the memory restriction configuration.
	Memory *WindowsMemoryResources `json:"memory,omitempty"`
	// CPU holds the CPU restriction configuration.
	CPU *WindowsCPUResources `json:"cpu,omitempty"`
	// Storage holds the storage restriction configuration.
	Storage *WindowsStorageResources `json:"storage,omitempty"`
}
// WindowsMemoryResources holds memory resource management settings.
type WindowsMemoryResources struct {
	// Limit is the memory limit in bytes; nil means no limit is specified.
	Limit *uint64 `json:"limit,omitempty"`
}
// WindowsCPUResources holds CPU resource management settings. All members are
// optional pointers; nil means the setting is not specified.
type WindowsCPUResources struct {
	// Count is the number of CPUs available to the container, expressed as the
	// fraction of the configured processor `count` in relation to the
	// processors available on the host. That fraction determines the portion
	// of processor cycles the container's threads may use during each
	// scheduling interval, as a number of cycles per 10,000 cycles.
	Count *uint64 `json:"count,omitempty"`
	// Shares limits the share of processor time given to the container
	// relative to other workloads on the processor. The processor `shares`
	// (`weight` at the platform level) is a value between 0 and 10000.
	Shares *uint16 `json:"shares,omitempty"`
	// Maximum is the portion of processor cycles the container's threads may
	// use during each scheduling interval, as a number of cycles per 10,000
	// cycles. Set processor `maximum` to a percentage times 100.
	Maximum *uint16 `json:"maximum,omitempty"`
}
// WindowsStorageResources holds storage resource management settings for the
// container's system drive. Nil members are unspecified.
type WindowsStorageResources struct {
	// Iops is the maximum I/O operations per second for the system drive.
	Iops *uint64 `json:"iops,omitempty"`
	// Bps is the maximum bytes per second for the system drive.
	Bps *uint64 `json:"bps,omitempty"`
	// SandboxSize is the minimum size of the system drive in bytes.
	SandboxSize *uint64 `json:"sandboxSize,omitempty"`
}
// WindowsNetwork holds network settings for Windows containers.
type WindowsNetwork struct {
	// EndpointList lists the HNS endpoints the container should connect to.
	EndpointList []string `json:"endpointList,omitempty"`
	// AllowUnqualifiedDNSQuery specifies whether unqualified DNS name
	// resolution is allowed.
	AllowUnqualifiedDNSQuery bool `json:"allowUnqualifiedDNSQuery,omitempty"`
	// DNSSearchList holds the DNS suffixes to use for name resolution. The
	// field is a slice, though the spec describes it as a comma separated
	// list; confirm against the spec whether each element may itself hold
	// several comma separated suffixes. Note the JSON key keeps the upper-case
	// form "DNSSearchList".
	DNSSearchList []string `json:"DNSSearchList,omitempty"`
	// NetworkSharedContainerName is the name (ID) of the container whose
	// network stack this container will share.
	NetworkSharedContainerName string `json:"networkSharedContainerName,omitempty"`
	// NetworkNamespace is the name (ID) of the network namespace to use for
	// the container.
	NetworkNamespace string `json:"networkNamespace,omitempty"`
}
// WindowsHyperV holds settings for running a container with Hyper-V isolation.
type WindowsHyperV struct {
	// UtilityVMPath is an optional path to the image used for the Utility VM.
	UtilityVMPath string `json:"utilityVMPath,omitempty"`
}
// VM holds the configuration for virtual-machine-based containers.
type VM struct {
	// Hypervisor holds hypervisor-related configuration.
	Hypervisor VMHypervisor `json:"hypervisor,omitempty"`
	// Kernel holds kernel-related configuration. It is required (no
	// omitempty), unlike Hypervisor and Image.
	Kernel VMKernel `json:"kernel"`
	// Image holds guest root image related configuration.
	Image VMImage `json:"image,omitempty"`
}
// VMHypervisor describes the hypervisor used to manage a virtual machine.
type VMHypervisor struct {
	// Path is the host path to the hypervisor binary used to manage the VM.
	// It is required (no omitempty).
	Path string `json:"path"`
	// Parameters are passed to the hypervisor as-is.
	Parameters []string `json:"parameters,omitempty"`
}
// VMKernel describes the kernel used to boot a virtual machine.
type VMKernel struct {
	// Path is the host path to the kernel image used to boot the VM. It is
	// required (no omitempty).
	Path string `json:"path"`
	// Parameters are passed to the kernel as its command line parameters.
	Parameters []string `json:"parameters,omitempty"`
	// InitRD is the host path to an initial ramdisk for the kernel to use.
	InitRD string `json:"initrd,omitempty"`
}
// VMImage describes the virtual machine root image.
type VMImage struct {
	// Path is the host path to the root image the VM kernel boots into.
	Path string `json:"path"`
	// Format is the root image format, e.g. "qcow2", "raw" or "vhd".
	Format string `json:"format"`
}
// LinuxSeccomp describes the syscall restrictions (seccomp filter) applied to
// the container.
type LinuxSeccomp struct {
	// DefaultAction is the action taken for any syscall not matched by an
	// entry in Syscalls. It is required (no omitempty).
	DefaultAction LinuxSeccompAction `json:"defaultAction"`
	// DefaultErrnoRet is the errno value returned when DefaultAction is
	// ActErrno; nil leaves the runtime's default errno in effect.
	DefaultErrnoRet *uint `json:"defaultErrnoRet,omitempty"`
	// Architectures lists additional architectures whose syscalls are
	// permitted by the filter, beyond the kernel's native one.
	Architectures []Arch `json:"architectures,omitempty"`
	// Flags are passed to seccomp(2) when the filter is installed.
	Flags []LinuxSeccompFlag `json:"flags,omitempty"`
	// ListenerPath is the path of the listener that handles ActNotify
	// notifications. NOTE(review): that listener decides the outcome of every
	// notified syscall, so it is as trusted as the filter itself.
	ListenerPath string `json:"listenerPath,omitempty"`
	// ListenerMetadata is opaque data made available to the listener.
	ListenerMetadata string `json:"listenerMetadata,omitempty"`
	// Syscalls lists the per-syscall rules evaluated before DefaultAction.
	Syscalls []LinuxSyscall `json:"syscalls,omitempty"`
}
// Arch names an additional architecture whose syscalls a seccomp filter
// permits (see the Arch* constants).
type Arch string
// LinuxSeccompFlag is a flag passed to seccomp(2) when a filter is installed.
type LinuxSeccompFlag string

// Flags accepted by seccomp(2); the string values are the kernel's names.
const (
	// LinuxSeccompFlagLog requests that every returned action other than
	// SECCOMP_RET_ALLOW be logged. An administrator may override this flag
	// by excluding specific actions from logging through the
	// /proc/sys/kernel/seccomp/actions_logged file. (since Linux 4.14)
	LinuxSeccompFlagLog LinuxSeccompFlag = "SECCOMP_FILTER_FLAG_LOG"
	// LinuxSeccompFlagSpecAllow disables the Speculative Store Bypass
	// mitigation for the filtered process. This weakens a side-channel
	// defence; leave it unset unless the workload needs it. (since Linux 4.17)
	LinuxSeccompFlagSpecAllow LinuxSeccompFlag = "SECCOMP_FILTER_FLAG_SPEC_ALLOW"
	// LinuxSeccompFlagWaitKillableRecv switches notification handling to the
	// wait-killable semantics. (since Linux 5.19)
	LinuxSeccompFlagWaitKillableRecv LinuxSeccompFlag = "SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV"
)
// Additional architectures that may be permitted for system calls. By default
// only the kernel's native architecture is permitted; the string values are
// libseccomp's SCMP_ARCH_* names.
const (
	ArchX86         Arch = "SCMP_ARCH_X86"
	ArchX86_64      Arch = "SCMP_ARCH_X86_64"
	ArchX32         Arch = "SCMP_ARCH_X32"
	ArchARM         Arch = "SCMP_ARCH_ARM"
	ArchAARCH64     Arch = "SCMP_ARCH_AARCH64"
	ArchMIPS        Arch = "SCMP_ARCH_MIPS"
	ArchMIPS64      Arch = "SCMP_ARCH_MIPS64"
	ArchMIPS64N32   Arch = "SCMP_ARCH_MIPS64N32"
	ArchMIPSEL      Arch = "SCMP_ARCH_MIPSEL"
	ArchMIPSEL64    Arch = "SCMP_ARCH_MIPSEL64"
	ArchMIPSEL64N32 Arch = "SCMP_ARCH_MIPSEL64N32"
	ArchPPC         Arch = "SCMP_ARCH_PPC"
	ArchPPC64       Arch = "SCMP_ARCH_PPC64"
	ArchPPC64LE     Arch = "SCMP_ARCH_PPC64LE"
	ArchS390        Arch = "SCMP_ARCH_S390"
	ArchS390X       Arch = "SCMP_ARCH_S390X"
	ArchPARISC      Arch = "SCMP_ARCH_PARISC"
	ArchPARISC64    Arch = "SCMP_ARCH_PARISC64"
	ArchRISCV64     Arch = "SCMP_ARCH_RISCV64"
)
// LinuxSeccompAction is the action taken when a seccomp rule matches.
type LinuxSeccompAction string

// Actions for seccomp rules; the string values are libseccomp's SCMP_ACT_*
// names.
const (
	ActKill        LinuxSeccompAction = "SCMP_ACT_KILL"
	ActKillProcess LinuxSeccompAction = "SCMP_ACT_KILL_PROCESS"
	ActKillThread  LinuxSeccompAction = "SCMP_ACT_KILL_THREAD"
	ActTrap        LinuxSeccompAction = "SCMP_ACT_TRAP"
	ActErrno       LinuxSeccompAction = "SCMP_ACT_ERRNO"
	ActTrace       LinuxSeccompAction = "SCMP_ACT_TRACE"
	ActAllow       LinuxSeccompAction = "SCMP_ACT_ALLOW"
	ActLog         LinuxSeccompAction = "SCMP_ACT_LOG"
	ActNotify      LinuxSeccompAction = "SCMP_ACT_NOTIFY"
)
// LinuxSeccompOperator is the comparison applied to a syscall argument in a
// seccomp rule.
type LinuxSeccompOperator string

// Operators for syscall argument comparisons; the string values are
// libseccomp's SCMP_CMP_* names.
const (
	OpNotEqual     LinuxSeccompOperator = "SCMP_CMP_NE"
	OpLessThan     LinuxSeccompOperator = "SCMP_CMP_LT"
	OpLessEqual    LinuxSeccompOperator = "SCMP_CMP_LE"
	OpEqualTo      LinuxSeccompOperator = "SCMP_CMP_EQ"
	OpGreaterEqual LinuxSeccompOperator = "SCMP_CMP_GE"
	OpGreaterThan  LinuxSeccompOperator = "SCMP_CMP_GT"
	OpMaskedEqual  LinuxSeccompOperator = "SCMP_CMP_MASKED_EQ"
)
// LinuxSeccompArg matches one syscall argument in a seccomp rule.
type LinuxSeccompArg struct {
	// Index is the position of the syscall argument to compare.
	Index uint `json:"index"`
	// Value is the operand compared against the argument using Op.
	Value uint64 `json:"value"`
	// ValueTwo is a second operand, used only by operators that take two
	// (e.g. OpMaskedEqual); it is omitted from JSON when zero.
	ValueTwo uint64 `json:"valueTwo,omitempty"`
	// Op is the comparison operator applied to the argument.
	Op LinuxSeccompOperator `json:"op"`
}
// LinuxSyscall is a seccomp rule matching one or more syscalls by name.
type LinuxSyscall struct {
	// Names lists the syscalls this rule applies to. It is required.
	Names []string `json:"names"`
	// Action is taken when the rule matches. It is required.
	Action LinuxSeccompAction `json:"action"`
	// ErrnoRet is the errno value returned when Action is ActErrno; nil
	// leaves the runtime's default errno in effect.
	ErrnoRet *uint `json:"errnoRet,omitempty"`
	// Args narrows the rule to syscalls whose arguments satisfy these
	// comparisons.
	Args []LinuxSeccompArg `json:"args,omitempty"`
}
// LinuxIntelRdt holds the container runtime resource constraints for the
// Intel RDT CAT and MBA features, plus flags enabling the Intel RDT CMT and
// MBM monitoring features. Intel RDT is available in Linux 4.14 and newer.
type LinuxIntelRdt struct {
	// ClosID is the identity of the RDT Class of Service.
	ClosID string `json:"closID,omitempty"`
	// L3CacheSchema is the schema for L3 cache id and capacity bitmask (CBM).
	// Format: "L3:<cache_id0>=<cbm0>;<cache_id1>=<cbm1>;..."
	L3CacheSchema string `json:"l3CacheSchema,omitempty"`
	// MemBwSchema is the schema of memory bandwidth per L3 cache id.
	// Format: "MB:<cache_id0>=bandwidth0;<cache_id1>=bandwidth1;..."
	// Bandwidth is given in percentages by default, and in MBps when the MBA
	// Software Controller is enabled.
	MemBwSchema string `json:"memBwSchema,omitempty"`
	// EnableCMT enables Intel RDT CMT (Cache Monitoring Technology), which
	// monitors the container's last-level cache (LLC) occupancy.
	EnableCMT bool `json:"enableCMT,omitempty"`
	// EnableMBM enables Intel RDT MBM (Memory Bandwidth Monitoring), which
	// monitors the container's total and local memory bandwidth.
	EnableMBM bool `json:"enableMBM,omitempty"`
}
// ZOS holds platform-specific configuration for z/OS based containers.
type ZOS struct {
	// Devices lists the device nodes created for the container.
	Devices []ZOSDevice `json:"devices,omitempty"`
}
// ZOSDevice holds the mknod information for a z/OS special device file.
type ZOSDevice struct {
	// Path is the path at which the device node is created.
	Path string `json:"path"`
	// Type is the device type, e.g. block or char.
	Type string `json:"type"`
	// Major is the device's major number.
	Major int64 `json:"major"`
	// Minor is the device's minor number.
	Minor int64 `json:"minor"`
	// FileMode holds the permission bits for the device node; nil means
	// unspecified.
	FileMode *os.FileMode `json:"fileMode,omitempty"`
	// UID is the owning user id of the device node; nil means unspecified.
	UID *uint32 `json:"uid,omitempty"`
	// GID is the owning group id of the device node; nil means unspecified.
	GID *uint32 `json:"gid,omitempty"`
}
// LinuxSchedulerPolicy names a scheduling policy of the Linux scheduler; the
// string values are the kernel's SCHED_* names.
type LinuxSchedulerPolicy string

const (
	// SchedOther is the default scheduling policy.
	SchedOther LinuxSchedulerPolicy = "SCHED_OTHER"
	// SchedFIFO is the First-In-First-Out real-time scheduling policy.
	SchedFIFO LinuxSchedulerPolicy = "SCHED_FIFO"
	// SchedRR is the Round-Robin real-time scheduling policy.
	SchedRR LinuxSchedulerPolicy = "SCHED_RR"
	// SchedBatch is the Batch scheduling policy.
	SchedBatch LinuxSchedulerPolicy = "SCHED_BATCH"
	// SchedISO is the Isolation scheduling policy.
	SchedISO LinuxSchedulerPolicy = "SCHED_ISO"
	// SchedIdle is the Idle scheduling policy.
	SchedIdle LinuxSchedulerPolicy = "SCHED_IDLE"
	// SchedDeadline is the Deadline scheduling policy.
	SchedDeadline LinuxSchedulerPolicy = "SCHED_DEADLINE"
)
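// LinuxSchedulerFlag names a flag of the Linux scheduler; the string values
// are the kernel's SCHED_FLAG_* names.
type LinuxSchedulerFlag string

const (
	// SchedFlagResetOnFork represents the reset-on-fork scheduling flag.
	SchedFlagResetOnFork LinuxSchedulerFlag = "SCHED_FLAG_RESET_ON_FORK"
	// SchedFlagReclaim represents the reclaim scheduling flag.
	SchedFlagReclaim LinuxSchedulerFlag = "SCHED_FLAG_RECLAIM"
	// SchedFlagDLOverrun represents the deadline overrun scheduling flag.
	SchedFlagDLOverrun LinuxSchedulerFlag = "SCHED_FLAG_DL_OVERRUN"
	// SchedFlagKeepPolicy represents the keep policy scheduling flag.
	SchedFlagKeepPolicy LinuxSchedulerFlag = "SCHED_FLAG_KEEP_POLICY"
	// SchedFlagKeepParams represents the keep parameters scheduling flag.
	SchedFlagKeepParams LinuxSchedulerFlag = "SCHED_FLAG_KEEP_PARAMS"
	// SchedFlagUtilClampMin represents the utilization clamp minimum
	// scheduling flag.
	SchedFlagUtilClampMin LinuxSchedulerFlag = "SCHED_FLAG_UTIL_CLAMP_MIN"
	// SchedFlagUtilClampMax represents the utilization clamp maximum
	// scheduling flag. (The doc comment previously named SchedFlagUtilClampMin
	// here, a copy-paste slip; the constant itself was always the MAX flag.)
	SchedFlagUtilClampMax LinuxSchedulerFlag = "SCHED_FLAG_UTIL_CLAMP_MAX"
)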