Merge pull request #27196 from mlaventure/update-containerd-1.12.x

[1.12.2] Update containerd and runc
2016-10-06 11:46:20 -07:00 · 2016-10-06 11:46:20 -07:00 · 1863675001
commit 1863675001
parent d82e3bf952 3377b4b9b7
21 changed files with 185 additions and 123 deletions
--- a/4
+++ b/4
@ -242,7 +242,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"

 # Install runc
-ENV RUNC_COMMIT cc29e3dded8e27ba8f65738f40d251c885030a28
+ENV RUNC_COMMIT 02f8fa7863dd3f82909a73e2061897828460d52f
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
@ -253,7 +253,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"

 # Install containerd
-ENV CONTAINERD_COMMIT v0.2.4
+ENV CONTAINERD_COMMIT 0366d7e9693c930cf18c0f50cc16acec064e96c5
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@ -181,7 +181,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"

 # Install runc
-ENV RUNC_COMMIT cc29e3dded8e27ba8f65738f40d251c885030a28
+ENV RUNC_COMMIT 02f8fa7863dd3f82909a73e2061897828460d52f
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
@ -192,7 +192,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"

 # Install containerd
-ENV CONTAINERD_COMMIT v0.2.4
+ENV CONTAINERD_COMMIT 0366d7e9693c930cf18c0f50cc16acec064e96c5
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \
--- a/Dockerfile.armhf
+++ b/Dockerfile.armhf
@ -190,7 +190,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"

 # Install runc
-ENV RUNC_COMMIT cc29e3dded8e27ba8f65738f40d251c885030a28
+ENV RUNC_COMMIT 02f8fa7863dd3f82909a73e2061897828460d52f
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
@ -201,7 +201,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"

 # Install containerd
-ENV CONTAINERD_COMMIT v0.2.4
+ENV CONTAINERD_COMMIT 0366d7e9693c930cf18c0f50cc16acec064e96c5
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \
--- a/Dockerfile.gccgo
+++ b/Dockerfile.gccgo
@ -74,7 +74,7 @@ WORKDIR /go/src/github.com/docker/docker
 ENV DOCKER_BUILDTAGS apparmor seccomp selinux

 # Install runc
-ENV RUNC_COMMIT cc29e3dded8e27ba8f65738f40d251c885030a28
+ENV RUNC_COMMIT 02f8fa7863dd3f82909a73e2061897828460d52f
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
    && git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
@ -85,7 +85,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"

 # Install containerd
-ENV CONTAINERD_COMMIT v0.2.4
+ENV CONTAINERD_COMMIT 0366d7e9693c930cf18c0f50cc16acec064e96c5
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \
--- a/Dockerfile.ppc64le
+++ b/Dockerfile.ppc64le
@ -202,7 +202,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"

 # Install runc
-ENV RUNC_COMMIT cc29e3dded8e27ba8f65738f40d251c885030a28
+ENV RUNC_COMMIT 02f8fa7863dd3f82909a73e2061897828460d52f
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
@ -213,7 +213,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"

 # Install containerd
-ENV CONTAINERD_COMMIT v0.2.4
+ENV CONTAINERD_COMMIT 0366d7e9693c930cf18c0f50cc16acec064e96c5
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \
--- a/Dockerfile.s390x
+++ b/Dockerfile.s390x
@ -197,7 +197,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"

 # Install runc
-ENV RUNC_COMMIT cc29e3dded8e27ba8f65738f40d251c885030a28
+ENV RUNC_COMMIT 02f8fa7863dd3f82909a73e2061897828460d52f
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
@ -208,7 +208,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"

 # Install containerd
-ENV CONTAINERD_COMMIT v0.2.4
+ENV CONTAINERD_COMMIT 0366d7e9693c930cf18c0f50cc16acec064e96c5
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \
--- a/Dockerfile.simple
+++ b/Dockerfile.simple
@ -57,7 +57,7 @@ ENV GOPATH /go:/go/src/github.com/docker/docker/vendor
 ENV CGO_LDFLAGS -L/lib

 # Install runc
-ENV RUNC_COMMIT cc29e3dded8e27ba8f65738f40d251c885030a28
+ENV RUNC_COMMIT 02f8fa7863dd3f82909a73e2061897828460d52f
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
@ -68,7 +68,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"

 # Install containerd
-ENV CONTAINERD_COMMIT v0.2.4
+ENV CONTAINERD_COMMIT 0366d7e9693c930cf18c0f50cc16acec064e96c5
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \
--- a/hack/vendor.sh
+++ b/hack/vendor.sh
@ -102,8 +102,8 @@ clone git github.com/miekg/pkcs11 df8ae6ca730422dba20c768ff38ef7d79077a59f
 clone git github.com/docker/go v1.5.1-1-1-gbaf439e
 clone git github.com/agl/ed25519 d2b94fd789ea21d12fac1a4443dd3a3f79cda72c

-clone git github.com/opencontainers/runc cc29e3dded8e27ba8f65738f40d251c885030a28 # libcontainer
-clone git github.com/opencontainers/specs v1.0.0-rc1 # specs
+clone git github.com/opencontainers/runc 02f8fa7863dd3f82909a73e2061897828460d52f # libcontainer
+clone git github.com/opencontainers/specs 1c7c27d043c2a5e513a44084d2b10d77d1402b8c # specs
 clone git github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0
 # libcontainer deps (see src/github.com/opencontainers/runc/Godeps/Godeps.json)
 clone git github.com/coreos/go-systemd v4
@ -136,7 +136,7 @@ clone git google.golang.org/cloud dae7e3d993bc3812a2185af60552bb6b847e52a0 https
 clone git github.com/docker/docker-credential-helpers v0.3.0

 # containerd
-clone git github.com/docker/containerd v0.2.4
+clone git github.com/docker/containerd 0366d7e9693c930cf18c0f50cc16acec064e96c5

 # cluster
 clone git github.com/docker/swarmkit e239bc901fd6f5c85b36904e89f1b64c8c0635f2
--- a/oci/defaults_linux.go
+++ b/oci/defaults_linux.go
@ -4,7 +4,7 @@ import (
 	"os"
 	"runtime"

-	"github.com/opencontainers/specs/specs-go"
+	specs "github.com/opencontainers/specs/specs-go"
 )

 func sPtr(s string) *string      { return &s }
@ -77,7 +77,7 @@ func DefaultSpec() specs.Spec {
 		"CAP_AUDIT_WRITE",
 	}

-	s.Linux = specs.Linux{
+	s.Linux = &specs.Linux{
 		MaskedPaths: []string{
 			"/proc/kcore",
 			"/proc/latency_stats",
--- a/pkg/sysinfo/sysinfo_linux.go
+++ b/pkg/sysinfo/sysinfo_linux.go
@ -18,7 +18,7 @@ const (
 )

 func findCgroupMountpoints() (map[string]string, error) {
-	cgMounts, err := cgroups.GetCgroupMounts()
+	cgMounts, err := cgroups.GetCgroupMounts(false)
 	if err != nil {
 		return nil, fmt.Errorf("Failed to parse cgroup information: %v", err)
 	}
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go
@ -37,7 +37,7 @@ type Manager interface {
 	// restore the object later.
 	GetPaths() map[string]string

-	// Set the cgroup as configured.
+	// Sets the cgroup as configured.
 	Set(container *configs.Config) error
 }

--- a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
@ -16,7 +16,10 @@ import (
 	"github.com/docker/go-units"
 )

-const cgroupNamePrefix = "name="
+const (
+	cgroupNamePrefix = "name="
+	CgroupProcesses  = "cgroup.procs"
+)

 // https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt
 func FindCgroupMountpoint(subsystem string) (string, error) {
@ -136,7 +139,7 @@ func (m Mount) GetThisCgroupDir(cgroups map[string]string) (string, error) {
 	return getControllerPath(m.Subsystems[0], cgroups)
 }

-func getCgroupMountsHelper(ss map[string]bool, mi io.Reader) ([]Mount, error) {
+func getCgroupMountsHelper(ss map[string]bool, mi io.Reader, all bool) ([]Mount, error) {
 	res := make([]Mount, 0, len(ss))
 	scanner := bufio.NewScanner(mi)
 	numFound := 0
@ -163,7 +166,9 @@ func getCgroupMountsHelper(ss map[string]bool, mi io.Reader) ([]Mount, error) {
 			} else {
 				m.Subsystems = append(m.Subsystems, opt)
 			}
-			numFound++
+			if !all {
+				numFound++
+			}
 		}
 		res = append(res, m)
 	}
@ -173,23 +178,25 @@ func getCgroupMountsHelper(ss map[string]bool, mi io.Reader) ([]Mount, error) {
 	return res, nil
 }

-func GetCgroupMounts() ([]Mount, error) {
+// GetCgroupMounts returns the mounts for the cgroup subsystems.
+// all indicates whether to return just the first instance or all the mounts.
+func GetCgroupMounts(all bool) ([]Mount, error) {
 	f, err := os.Open("/proc/self/mountinfo")
 	if err != nil {
 		return nil, err
 	}
 	defer f.Close()

-	all, err := ParseCgroupFile("/proc/self/cgroup")
+	allSubsystems, err := ParseCgroupFile("/proc/self/cgroup")
 	if err != nil {
 		return nil, err
 	}

 	allMap := make(map[string]bool)
-	for s := range all {
+	for s := range allSubsystems {
 		allMap[s] = true
 	}
-	return getCgroupMountsHelper(allMap, f)
+	return getCgroupMountsHelper(allMap, f, all)
 }

 // GetAllSubsystems returns all the cgroup subsystems supported by the kernel
@ -239,7 +246,7 @@ func GetInitCgroupDir(subsystem string) (string, error) {
 }

 func readProcsFile(dir string) ([]int, error) {
-	f, err := os.Open(filepath.Join(dir, "cgroup.procs"))
+	f, err := os.Open(filepath.Join(dir, CgroupProcesses))
 	if err != nil {
 		return nil, err
 	}
@ -326,8 +333,7 @@ func PathExists(path string) bool {
 func EnterPid(cgroupPaths map[string]string, pid int) error {
 	for _, path := range cgroupPaths {
 		if PathExists(path) {
-			if err := ioutil.WriteFile(filepath.Join(path, "cgroup.procs"),
-				[]byte(strconv.Itoa(pid)), 0700); err != nil {
+			if err := WriteCgroupProc(path, pid); err != nil {
 				return err
 			}
 		}
@ -396,7 +402,7 @@ func GetAllPids(path string) ([]int, error) {
 	// collect pids from all sub-cgroups
 	err := filepath.Walk(path, func(p string, info os.FileInfo, iErr error) error {
 		dir, file := filepath.Split(p)
-		if file != "cgroup.procs" {
+		if file != CgroupProcesses {
 			return nil
 		}
 		if iErr != nil {
@ -411,3 +417,20 @@ func GetAllPids(path string) ([]int, error) {
 	})
 	return pids, err
 }
+
+// WriteCgroupProc writes the specified pid into the cgroup's cgroup.procs file
+func WriteCgroupProc(dir string, pid int) error {
+	// Normally dir should not be empty, one case is that cgroup subsystem
+	// is not mounted, we will get empty dir, and we want it fail here.
+	if dir == "" {
+		return fmt.Errorf("no such directory for %s", CgroupProcesses)
+	}
+
+	// Dont attach any pid to the cgroup if -1 is specified as a pid
+	if pid != -1 {
+		if err := ioutil.WriteFile(filepath.Join(dir, CgroupProcesses), []byte(strconv.Itoa(pid)), 0700); err != nil {
+			return fmt.Errorf("failed to write %v to %v: %v", pid, CgroupProcesses, err)
+		}
+	}
+	return nil
+}
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/configs/cgroup_unix.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/configs/cgroup_unix.go
@ -36,7 +36,7 @@ type Cgroup struct {
 type Resources struct {
 	// If this is true allow access to any kind of device within the container.  If false, allow access only to devices explicitly listed in the allowed_devices list.
 	// Deprecated
-	AllowAllDevices bool `json:"allow_all_devices,omitempty"`
+	AllowAllDevices *bool `json:"allow_all_devices,omitempty"`
 	// Deprecated
 	AllowedDevices []*Device `json:"allowed_devices,omitempty"`
 	// Deprecated
@ -69,10 +69,10 @@ type Resources struct {
 	CpuPeriod int64 `json:"cpu_period"`

 	// How many time CPU will use in realtime scheduling (in usecs).
-	CpuRtRuntime int64 `json:"cpu_quota"`
+	CpuRtRuntime int64 `json:"cpu_rt_quota"`

 	// CPU period to be used for realtime scheduling (in usecs).
-	CpuRtPeriod int64 `json:"cpu_period"`
+	CpuRtPeriod int64 `json:"cpu_rt_period"`

 	// CPU to use
 	CpusetCpus string `json:"cpuset_cpus"`
@ -120,5 +120,5 @@ type Resources struct {
 	NetPrioIfpriomap []*IfPrioMap `json:"net_prio_ifpriomap"`

 	// Set class identifier for container's network packets
-	NetClsClassid string `json:"net_cls_classid"`
+	NetClsClassid uint32 `json:"net_cls_classid_u"`
 }
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/configs/config.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/configs/config.go
@ -148,10 +148,6 @@ type Config struct {
 	// More information about kernel oom score calculation here: https://lwn.net/Articles/317814/
 	OomScoreAdj int `json:"oom_score_adj"`

-	// AdditionalGroups specifies the gids that should be added to supplementary groups
-	// in addition to those that the user belongs to.
-	AdditionalGroups []string `json:"additional_groups"`
-
 	// UidMappings is an array of User ID mappings for User Namespaces
 	UidMappings []IDMap `json:"uid_mappings"`

@ -304,29 +300,38 @@ func (c Command) Run(s HookState) error {
 	if err != nil {
 		return err
 	}
+	var stdout, stderr bytes.Buffer
 	cmd := exec.Cmd{
-		Path:  c.Path,
-		Args:  c.Args,
-		Env:   c.Env,
-		Stdin: bytes.NewReader(b),
+		Path:   c.Path,
+		Args:   c.Args,
+		Env:    c.Env,
+		Stdin:  bytes.NewReader(b),
+		Stdout: &stdout,
+		Stderr: &stderr,
+	}
+	if err := cmd.Start(); err != nil {
+		return err
 	}
 	errC := make(chan error, 1)
 	go func() {
-		out, err := cmd.CombinedOutput()
+		err := cmd.Wait()
 		if err != nil {
-			err = fmt.Errorf("%s: %s", err, out)
+			err = fmt.Errorf("error running hook: %v, stdout: %s, stderr: %s", err, stdout.String(), stderr.String())
 		}
 		errC <- err
 	}()
+	var timerCh <-chan time.Time
 	if c.Timeout != nil {
-		select {
-		case err := <-errC:
-			return err
-		case <-time.After(*c.Timeout):
-			cmd.Process.Kill()
-			cmd.Wait()
-			return fmt.Errorf("hook ran past specified timeout of %.1fs", c.Timeout.Seconds())
-		}
+		timer := time.NewTimer(*c.Timeout)
+		defer timer.Stop()
+		timerCh = timer.C
+	}
+	select {
+	case err := <-errC:
+		return err
+	case <-timerCh:
+		cmd.Process.Kill()
+		cmd.Wait()
+		return fmt.Errorf("hook ran past specified timeout of %.1fs", c.Timeout.Seconds())
 	}
-	return <-errC
 }
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/configs/device_defaults.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/configs/device_defaults.go
@ -107,19 +107,5 @@ var (
 			Permissions: "rwm",
 		},
 	}, DefaultSimpleDevices...)
-	DefaultAutoCreatedDevices = append([]*Device{
-		{
-			// /dev/fuse is created but not allowed.
-			// This is to allow java to work.  Because java
-			// Insists on there being a /dev/fuse
-			// https://github.com/docker/docker/issues/514
-			// https://github.com/docker/docker/issues/2393
-			//
-			Path:        "/dev/fuse",
-			Type:        'c',
-			Major:       10,
-			Minor:       229,
-			Permissions: "rwm",
-		},
-	}, DefaultSimpleDevices...)
+	DefaultAutoCreatedDevices = append([]*Device{}, DefaultSimpleDevices...)
 )
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/label/label_selinux.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/label/label_selinux.go
@ -129,7 +129,7 @@ func Relabel(path string, fileLabel string, shared bool) error {

 	exclude_paths := map[string]bool{"/": true, "/usr": true, "/etc": true}
 	if exclude_paths[path] {
-		return fmt.Errorf("Relabeling of %s is not allowed", path)
+		return fmt.Errorf("SELinux relabeling of %s is not allowed", path)
 	}

 	if shared {
@ -137,7 +137,10 @@ func Relabel(path string, fileLabel string, shared bool) error {
 		c["level"] = "s0"
 		fileLabel = c.Get()
 	}
-	return selinux.Chcon(path, fileLabel, true)
+	if err := selinux.Chcon(path, fileLabel, true); err != nil {
+		return fmt.Errorf("SELinux relabeling of %s is not allowed: %q", path, err)
+	}
+	return nil
 }

 // GetPidLabel will return the label of the process running with the specified pid
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/system/syscall_linux_386.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/system/syscall_linux_386.go
@ -8,7 +8,7 @@ import (

 // Setuid sets the uid of the calling thread to the specified uid.
 func Setuid(uid int) (err error) {
-	_, _, e1 := syscall.RawSyscall(syscall.SYS_SETUID, uintptr(uid), 0, 0)
+	_, _, e1 := syscall.RawSyscall(syscall.SYS_SETUID32, uintptr(uid), 0, 0)
 	if e1 != 0 {
 		err = e1
 	}
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/system/sysconfig.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/system/sysconfig.go
@ -4,28 +4,9 @@ package system

 /*
 #include <unistd.h>
-#include <limits.h>
-
-int GetLongBit() {
-#ifdef _SC_LONG_BIT
-    int longbits;
-
-    longbits = sysconf(_SC_LONG_BIT);
-    if (longbits <  0) {
-        longbits = (CHAR_BIT * sizeof(long));
-    }
-    return longbits;
-#else
-    return (CHAR_BIT * sizeof(long));
-#endif
-}
 */
 import "C"

 func GetClockTicks() int {
 	return int(C.sysconf(C._SC_CLK_TCK))
 }
-
-func GetLongBit() int {
-	return int(C.GetLongBit())
-}
--- a/vendor/src/github.com/opencontainers/specs/specs-go/config.go
+++ b/vendor/src/github.com/opencontainers/specs/specs-go/config.go
@ -4,33 +4,37 @@ import "os"

 // Spec is the base configuration for the container.
 type Spec struct {
-	// Version is the version of the specification that is supported.
+	// Version of the Open Container Runtime Specification with which the bundle complies.
 	Version string `json:"ociVersion"`
-	// Platform is the host information for OS and Arch.
+	// Platform specifies the configuration's target platform.
 	Platform Platform `json:"platform"`
-	// Process is the container's main process.
+	// Process configures the container process.
 	Process Process `json:"process"`
-	// Root is the root information for the container's filesystem.
+	// Root configures the container's root filesystem.
 	Root Root `json:"root"`
-	// Hostname is the container's host name.
+	// Hostname configures the container's hostname.
 	Hostname string `json:"hostname,omitempty"`
-	// Mounts profile configuration for adding mounts to the container's filesystem.
+	// Mounts configures additional mounts (on top of Root).
 	Mounts []Mount `json:"mounts,omitempty"`
-	// Hooks are the commands run at various lifecycle events of the container.
+	// Hooks configures callbacks for container lifecycle events.
 	Hooks Hooks `json:"hooks"`
-	// Annotations is an unstructured key value map that may be set by external tools to store and retrieve arbitrary metadata.
+	// Annotations contains arbitrary metadata for the container.
 	Annotations map[string]string `json:"annotations,omitempty"`

 	// Linux is platform specific configuration for Linux based containers.
-	Linux Linux `json:"linux" platform:"linux,omitempty"`
+	Linux *Linux `json:"linux,omitempty" platform:"linux"`
 	// Solaris is platform specific configuration for Solaris containers.
-	Solaris Solaris `json:"solaris" platform:"solaris,omitempty"`
+	Solaris *Solaris `json:"solaris,omitempty" platform:"solaris"`
+	// Windows is platform specific configuration for Windows based containers, including Hyper-V containers.
+	Windows *Windows `json:"windows,omitempty" platform:"windows"`
 }

 // Process contains information to start a specific application inside the container.
 type Process struct {
 	// Terminal creates an interactive terminal for the container.
 	Terminal bool `json:"terminal,omitempty"`
+	// ConsoleSize specifies the size of the console.
+	ConsoleSize Box `json:"consoleSize,omitempty"`
 	// User specifies user information for the process.
 	User User `json:"user"`
 	// Args specifies the binary and arguments for the application to execute.
@ -43,25 +47,33 @@ type Process struct {
 	// Capabilities are Linux capabilities that are kept for the container.
 	Capabilities []string `json:"capabilities,omitempty" platform:"linux"`
 	// Rlimits specifies rlimit options to apply to the process.
-	Rlimits []Rlimit `json:"rlimits,omitempty"`
+	Rlimits []Rlimit `json:"rlimits,omitempty" platform:"linux"`
 	// NoNewPrivileges controls whether additional privileges could be gained by processes in the container.
-	NoNewPrivileges bool `json:"noNewPrivileges,omitempty"`
-
-	// ApparmorProfile specified the apparmor profile for the container. (this field is platform dependent)
+	NoNewPrivileges bool `json:"noNewPrivileges,omitempty" platform:"linux"`
+	// ApparmorProfile specifies the apparmor profile for the container.
 	ApparmorProfile string `json:"apparmorProfile,omitempty" platform:"linux"`
-	// SelinuxLabel specifies the selinux context that the container process is run as. (this field is platform dependent)
+	// SelinuxLabel specifies the selinux context that the container process is run as.
 	SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`
 }

-// User specifies Linux specific user and group information for the container's
-// main process.
+// Box specifies dimensions of a rectangle. Used for specifying the size of a console.
+type Box struct {
+	// Height is the vertical dimension of a box.
+	Height uint `json:"height"`
+	// Width is the horizontal dimension of a box.
+	Width uint `json:"width"`
+}
+
+// User specifies specific user (and group) information for the container process.
 type User struct {
-	// UID is the user id. (this field is platform dependent)
-	UID uint32 `json:"uid" platform:"linux"`
-	// GID is the group id. (this field is platform dependent)
-	GID uint32 `json:"gid" platform:"linux"`
-	// AdditionalGids are additional group ids set for the container's process. (this field is platform dependent)
-	AdditionalGids []uint32 `json:"additionalGids,omitempty" platform:"linux"`
+	// UID is the user id.
+	UID uint32 `json:"uid" platform:"linux,solaris"`
+	// GID is the group id.
+	GID uint32 `json:"gid" platform:"linux,solaris"`
+	// AdditionalGids are additional group ids set for the container's process.
+	AdditionalGids []uint32 `json:"additionalGids,omitempty" platform:"linux,solaris"`
+	// Username is the user name.
+	Username string `json:"username,omitempty" platform:"windows"`
 }

 // Root contains information about the container's root filesystem on the host.
@ -262,7 +274,7 @@ type Memory struct {
 	// Kernel memory limit (in bytes).
 	Kernel *uint64 `json:"kernel,omitempty"`
 	// Kernel memory limit for tcp (in bytes)
-	KernelTCP *uint64 `json:"kernelTCP"`
+	KernelTCP *uint64 `json:"kernelTCP,omitempty"`
 	// How aggressive the kernel will swap memory pages. Range from 0 to 100.
 	Swappiness *uint64 `json:"swappiness,omitempty"`
 }
@ -294,15 +306,15 @@ type Pids struct {
 // Network identification and priority configuration
 type Network struct {
 	// Set class identifier for container's network packets
-	ClassID *uint32 `json:"classID"`
+	ClassID *uint32 `json:"classID,omitempty"`
 	// Set priority of network traffic for container
 	Priorities []InterfacePriority `json:"priorities,omitempty"`
 }

 // Resources has container runtime resource constraints
 type Resources struct {
-	// Devices are a list of device rules for the whitelist controller
-	Devices []DeviceCgroup `json:"devices"`
+	// Devices configures the device whitelist.
+	Devices []DeviceCgroup `json:"devices,omitempty"`
 	// DisableOOMKiller disables the OOM killer for out of memory conditions
 	DisableOOMKiller *bool `json:"disableOOMKiller,omitempty"`
 	// Specify an oom_score_adj for the container.
@ -371,9 +383,9 @@ type Solaris struct {
 	// Specification for automatic creation of network resources for this container.
 	Anet []Anet `json:"anet,omitempty"`
 	// Set limit on the amount of CPU time that can be used by container.
-	CappedCPU CappedCPU `json:"cappedCPU,omitempty"`
+	CappedCPU *CappedCPU `json:"cappedCPU,omitempty"`
 	// The physical and swap caps on the memory that can be used by this container.
-	CappedMemory CappedMemory `json:"cappedMemory,omitempty"`
+	CappedMemory *CappedMemory `json:"cappedMemory,omitempty"`
 }

 // CappedCPU allows users to set limit on the amount of CPU time that can be used by container.
@ -405,6 +417,58 @@ type Anet struct {
 	Macaddress string `json:"macAddress,omitempty"`
 }

+// Windows defines the runtime configuration for Windows based containers, including Hyper-V containers.
+type Windows struct {
+	// Resources contains information for handling resource constraints for the container.
+	Resources *WindowsResources `json:"resources,omitempty"`
+}
+
+// WindowsResources has container runtime resource constraints for containers running on Windows.
+type WindowsResources struct {
+	// Memory restriction configuration.
+	Memory *WindowsMemoryResources `json:"memory,omitempty"`
+	// CPU resource restriction configuration.
+	CPU *WindowsCPUResources `json:"cpu,omitempty"`
+	// Storage restriction configuration.
+	Storage *WindowsStorageResources `json:"storage,omitempty"`
+	// Network restriction configuration.
+	Network *WindowsNetworkResources `json:"network,omitempty"`
+}
+
+// WindowsMemoryResources contains memory resource management settings.
+type WindowsMemoryResources struct {
+	// Memory limit in bytes.
+	Limit *uint64 `json:"limit,omitempty"`
+	// Memory reservation in bytes.
+	Reservation *uint64 `json:"reservation,omitempty"`
+}
+
+// WindowsCPUResources contains CPU resource management settings.
+type WindowsCPUResources struct {
+	// Number of CPUs available to the container.
+	Count *uint64 `json:"count,omitempty"`
+	// CPU shares (relative weight to other containers with cpu shares). Range is from 1 to 10000.
+	Shares *uint16 `json:"shares,omitempty"`
+	// Percent of available CPUs usable by the container.
+	Percent *uint8 `json:"percent,omitempty"`
+}
+
+// WindowsStorageResources contains storage resource management settings.
+type WindowsStorageResources struct {
+	// Specifies maximum Iops for the system drive.
+	Iops *uint64 `json:"iops,omitempty"`
+	// Specifies maximum bytes per second for the system drive.
+	Bps *uint64 `json:"bps,omitempty"`
+	// Sandbox size specifies the minimum size of the system drive in bytes.
+	SandboxSize *uint64 `json:"sandboxSize,omitempty"`
+}
+
+// WindowsNetworkResources contains network resource management settings.
+type WindowsNetworkResources struct {
+	// EgressBandwidth is the maximum egress bandwidth in bytes per second.
+	EgressBandwidth *uint64 `json:"egressBandwidth,omitempty"`
+}
+
 // Arch used for additional architectures
 type Arch string

--- a/vendor/src/github.com/opencontainers/specs/specs-go/state.go
+++ b/vendor/src/github.com/opencontainers/specs/specs-go/state.go
@ -8,7 +8,7 @@ type State struct {
 	ID string `json:"id"`
 	// Status is the runtime state of the container.
 	Status string `json:"status"`
-	// Pid is the process id for the container's main process.
+	// Pid is the process ID for the container process.
 	Pid int `json:"pid"`
 	// BundlePath is the path to the container's bundle directory.
 	BundlePath string `json:"bundlePath"`
--- a/vendor/src/github.com/opencontainers/specs/specs-go/version.go
+++ b/vendor/src/github.com/opencontainers/specs/specs-go/version.go
@ -11,7 +11,7 @@ const (
 	VersionPatch = 0

 	// VersionDev indicates development branch. Releases will be empty string.
-	VersionDev = "-rc1"
+	VersionDev = "-rc2-dev"
 )

 // Version is the specification version that the package types support.