From 2088da7ee7fb8325d1c30c55fabbc9e419311f50 Mon Sep 17 00:00:00 2001 From: liangchenye Date: Thu, 10 Mar 2016 19:43:11 +0800 Subject: [PATCH] update to 0.4.0; modify codes accordingly Signed-off-by: liangchenye --- Godeps/Godeps.json | 10 +- .../opencontainers/specs/.travis.yml | 20 - .../github.com/opencontainers/specs/LICENSE | 191 ------ .../opencontainers/specs/MAINTAINERS | 9 - .../github.com/opencontainers/specs/README.md | 157 ----- .../github.com/opencontainers/specs/bundle.md | 24 - .../opencontainers/specs/code-of-conduct.md | 37 -- .../opencontainers/specs/config-linux.md | 609 ------------------ .../github.com/opencontainers/specs/config.go | 84 --- .../github.com/opencontainers/specs/config.md | 215 ------- .../opencontainers/specs/implementations.md | 21 - .../opencontainers/specs/principles.md | 46 -- .../opencontainers/specs/runtime-linux.md | 8 - .../opencontainers/specs/runtime.md | 59 -- .../{config_linux.go => specs-go/config.go} | 153 +++-- .../opencontainers/specs/specs-go/state.go | 13 + .../specs/{ => specs-go}/version.go | 4 +- bvalidate.go | 57 +- cmd/runtimetest/main.go | 20 +- generate.go | 119 ++-- 20 files changed, 238 insertions(+), 1618 deletions(-) delete mode 100644 Godeps/_workspace/src/github.com/opencontainers/specs/.travis.yml delete mode 100644 Godeps/_workspace/src/github.com/opencontainers/specs/LICENSE delete mode 100644 Godeps/_workspace/src/github.com/opencontainers/specs/MAINTAINERS delete mode 100644 Godeps/_workspace/src/github.com/opencontainers/specs/README.md delete mode 100644 Godeps/_workspace/src/github.com/opencontainers/specs/bundle.md delete mode 100644 Godeps/_workspace/src/github.com/opencontainers/specs/code-of-conduct.md delete mode 100644 Godeps/_workspace/src/github.com/opencontainers/specs/config-linux.md delete mode 100644 Godeps/_workspace/src/github.com/opencontainers/specs/config.go delete mode 100644 Godeps/_workspace/src/github.com/opencontainers/specs/config.md delete mode 100644 Godeps/_workspace/src/github.com/opencontainers/specs/implementations.md delete mode 100644 Godeps/_workspace/src/github.com/opencontainers/specs/principles.md delete mode 100644 Godeps/_workspace/src/github.com/opencontainers/specs/runtime-linux.md delete mode 100644 Godeps/_workspace/src/github.com/opencontainers/specs/runtime.md rename Godeps/_workspace/src/github.com/opencontainers/specs/{config_linux.go => specs-go/config.go} (70%) create mode 100644 Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/state.go rename Godeps/_workspace/src/github.com/opencontainers/specs/{ => specs-go}/version.go (92%) diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json index 7fd4eb399..ee8f5bf36 100644 --- a/Godeps/Godeps.json +++ b/Godeps/Godeps.json @@ -1,6 +1,6 @@ { - "ImportPath": "github.com/mrunalp/ocitools", - "GoVersion": "go1.4.2", + "ImportPath": "github.com/opencontainers/ocitools", + "GoVersion": "go1.4", "Deps": [ { "ImportPath": "github.com/Sirupsen/logrus", @@ -13,9 +13,9 @@ "Rev": "bca61c476e3c752594983e4c9bcd5f62fb09f157" }, { - "ImportPath": "github.com/opencontainers/specs", - "Comment": "v0.3.0", - "Rev": "25cbfc427ba6154016f33c7ed1b8ed43b8b7b7ed" + "ImportPath": "github.com/opencontainers/specs/specs-go", + "Comment": "v0.4.0-2-g4103108", + "Rev": "41031086f1a84a1040911b286e522615206e4fee" }, { "ImportPath": "github.com/syndtr/gocapability/capability", diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/.travis.yml b/Godeps/_workspace/src/github.com/opencontainers/specs/.travis.yml deleted file mode 100644 index 5e1b19df0..000000000 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/.travis.yml +++ /dev/null @@ -1,20 +0,0 @@ -language: go -go: - - 1.5.3 - - 1.4.3 - - 1.3.3 - -sudo: false - -before_install: - - go get golang.org/x/tools/cmd/vet - - go get github.com/golang/lint/golint - - go get github.com/vbatts/git-validation - -install: true - -script: - - go vet -x ./... - - $HOME/gopath/bin/golint ./... - - $HOME/gopath/bin/git-validation -run DCO,short-subject -v -range ${TRAVIS_COMMIT_RANGE} - diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/LICENSE b/Godeps/_workspace/src/github.com/opencontainers/specs/LICENSE deleted file mode 100644 index bdc403653..000000000 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/LICENSE +++ /dev/null @@ -1,191 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - Copyright 2015 The Linux Foundation. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/MAINTAINERS b/Godeps/_workspace/src/github.com/opencontainers/specs/MAINTAINERS deleted file mode 100644 index ac88dd51a..000000000 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/MAINTAINERS +++ /dev/null @@ -1,9 +0,0 @@ -Michael Crosby (@crosbymichael) -Alexander Morozov (@LK4D4) -Vishnu Kannan (@vishh) -Mrunal Patel (@mrunalp) -Vincent Batts (@vbatts) -Daniel, Dao Quang Minh (@dqminh) -Brandon Philips (@philips) -Tianon Gravi (@tianon) -Qiang Huang (@hqhq) diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/README.md b/Godeps/_workspace/src/github.com/opencontainers/specs/README.md deleted file mode 100644 index bfff859e5..000000000 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/README.md +++ /dev/null @@ -1,157 +0,0 @@ -# Open Container Specifications - -[Open Container Initiative](http://www.opencontainers.org/) Specifications for standards on Operating System process and application containers. - - -Table of Contents - -- [Container Principles](principles.md) -- [Specification Style](style.md) -- [Filesystem Bundle](bundle.md) -- Configuration - - [General](config.md) - - [Linux-specific](config-linux.md) -- [Runtime and Lifecycle](runtime.md) - - [Linux Specific Runtime](runtime-linux.md) -- [Implementations](implementations.md) -- [Glossary](glossary.md) - -In the specifications in the above table of contents, the keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in [RFC 2119](http://tools.ietf.org/html/rfc2119) (Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997). - -# Use Cases - -To provide context for users the following section gives example use cases for each part of the spec. - -#### Application Bundle Builders - -Application bundle builders can create a [bundle](bundle.md) directory that includes all of the files required for launching an application as a container. -The bundle contains an OCI [configuration file](config.md) where the builder can specify host-independent details such as [which executable to launch](config.md#process-configuration) and host-specific settings such as [mount](config.md#mounts) locations, [hook](config.md#hooks) paths, Linux [namespaces](config-linux.md#namespaces) and [cgroups](config-linux.md#control-groups). -Because the configuration includes host-specific settings, application bundle directories copied between two hosts may require configuration adjustments. - -#### Hook Developers - -[Hook](config.md#hooks) developers can extend the functionality of an OCI-compliant runtime by hooking into a container's lifecycle with an external application. -Example use cases include sophisticated network configuration, volume garbage collection, etc. - -#### Runtime Developers - -Runtime developers can build runtime implementations that run OCI-compliant bundles and container configuration, containing low-level OS and host specific details, on a particular platform. - -# Releases - -There is a loose [Road Map](./ROADMAP.md). -During the `0.x` series of OCI releases we make no backwards compatibility guarantees and intend to break the schema during this series. - -# Contributing - -Development happens on GitHub for the spec. -Issues are used for bugs and actionable items and longer discussions can happen on the [mailing list](#mailing-list). - -The specification and code is licensed under the Apache 2.0 license found in the `LICENSE` file of this repository. - -## Code of Conduct - -Participation in the OpenContainers community is governed by [OpenContainer's Code of Conduct](code-of-conduct.md). - -## Discuss your design - -The project welcomes submissions, but please let everyone know what you are working on. - -Before undertaking a nontrivial change to this specification, send mail to the [mailing list](#mailing-list) to discuss what you plan to do. -This gives everyone a chance to validate the design, helps prevent duplication of effort, and ensures that the idea fits. -It also guarantees that the design is sound before code is written; a GitHub pull-request is not the place for high-level discussions. - -Typos and grammatical errors can go straight to a pull-request. -When in doubt, start on the [mailing-list](#mailing-list). - -## Weekly Call - -The contributors and maintainers of the project have a weekly meeting Wednesdays at 10:00 AM PST. -Everyone is welcome to participate in the [BlueJeans call][BlueJeans]. -An initial agenda will be posted to the [mailing list](#mailing-list) earlier in the week, and everyone is welcome to propose additional topics or suggest other agenda alterations there. -Minutes are posted to the [mailing list](#mailing-list) and minutes from past calls are archived to the [wiki](https://github.com/opencontainers/specs/wiki) for those who are unable to join the call. - -## Mailing List - -You can subscribe and join the mailing list on [Google Groups](https://groups.google.com/a/opencontainers.org/forum/#!forum/dev). - -## IRC - -OCI discussion happens on #opencontainers on Freenode. - -## Markdown style - -To keep consistency throughout the Markdown files in the Open Container spec all files should be formatted one sentence per line. -This fixes two things: it makes diffing easier with git and it resolves fights about line wrapping length. -For example, this paragraph will span three lines in the Markdown source. - -## Git commit - -### Sign your work - -The sign-off is a simple line at the end of the explanation for the patch, which certifies that you wrote it or otherwise have the right to pass it on as an open-source patch. -The rules are pretty simple: if you can certify the below (from [developercertificate.org](http://developercertificate.org/)): - -``` -Developer Certificate of Origin -Version 1.1 - -Copyright (C) 2004, 2006 The Linux Foundation and its contributors. -660 York Street, Suite 102, -San Francisco, CA 94110 USA - -Everyone is permitted to copy and distribute verbatim copies of this -license document, but changing it is not allowed. - - -Developer's Certificate of Origin 1.1 - -By making a contribution to this project, I certify that: - -(a) The contribution was created in whole or in part by me and I - have the right to submit it under the open source license - indicated in the file; or - -(b) The contribution is based upon previous work that, to the best - of my knowledge, is covered under an appropriate open source - license and I have the right under that license to submit that - work with modifications, whether created in whole or in part - by me, under the same open source license (unless I am - permitted to submit under a different license), as indicated - in the file; or - -(c) The contribution was provided directly to me by some other - person who certified (a), (b) or (c) and I have not modified - it. - -(d) I understand and agree that this project and the contribution - are public and that a record of the contribution (including all - personal information I submit with it, including my sign-off) is - maintained indefinitely and may be redistributed consistent with - this project or the open source license(s) involved. -``` - -then you just add a line to every git commit message: - - Signed-off-by: Joe Smith - -using your real name (sorry, no pseudonyms or anonymous contributions.) - -You can add the sign off when creating the git commit via `git commit -s`. - -### Commit Style - -Simple house-keeping for clean git history. -Read more on [How to Write a Git Commit Message](http://chris.beams.io/posts/git-commit/) or the Discussion section of [`git-commit(1)`](http://git-scm.com/docs/git-commit). - -1. Separate the subject from body with a blank line -2. Limit the subject line to 50 characters -3. Capitalize the subject line -4. Do not end the subject line with a period -5. Use the imperative mood in the subject line -6. Wrap the body at 72 characters -7. Use the body to explain what and why vs. how - * If there was important/useful/essential conversation or information, copy or include a reference -8. When possible, one keyword to scope the change in the subject (i.e. "README: ...", "runtime: ...") - -[BlueJeans]: https://bluejeans.com/1771332256/ diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/bundle.md b/Godeps/_workspace/src/github.com/opencontainers/specs/bundle.md deleted file mode 100644 index 5b1925b2e..000000000 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/bundle.md +++ /dev/null @@ -1,24 +0,0 @@ -# Filesystem Bundle - -## Container Format - -This section defines a format for encoding a container as a *filesystem bundle* - a set of files organized in a certain way, and containing all the necessary data and metadata for any compliant runtime to perform all standard operations against it. -See also [OS X application bundles](http://en.wikipedia.org/wiki/Bundle_%28OS_X%29) for a similar use of the term *bundle*. - -The definition of a bundle is only concerned with how a container, and its configuration data, are stored on a local file system so that it can be consumed by a compliant runtime. - -A Standard Container bundle contains all the information needed to load and run a container. -This includes the following artifacts which MUST all reside in the same directory on the local filesystem: - -1. `config.json` : contains configuration data. -This REQUIRED file, which MUST be named `config.json`. -When the bundle is packaged up for distribution, this file MUST be included. -See [`config.json`](config.md) for more details. - -2. A directory representing the root filesystem of the container. -While the name of this REQUIRED directory may be arbitrary, users should consider using a conventional name, such as `rootfs`. -When the bundle is packaged up for distribution, this directory MUST be included. -This directory MUST be referenced from within the `config.json` file. - -While these artifacts MUST all be present in a single directory on the local filesystem, that directory itself is not part of the bundle. -In other words, a tar archive of a *bundle* will have these artifacts at the root of the archive, not nested within a top-level directory. diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/code-of-conduct.md b/Godeps/_workspace/src/github.com/opencontainers/specs/code-of-conduct.md deleted file mode 100644 index 06cb2b83a..000000000 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/code-of-conduct.md +++ /dev/null @@ -1,37 +0,0 @@ -# OpenContainers Code of Conduct - -Behave as a community member, follow the code of conduct. - -## Code of Conduct - -The OpenContainers community is made up of a mixture of professionals and volunteers from all over the world. - -When we disagree, we try to understand why. -Disagreements, both social and technical, happen all the time and OpenContainers is no exception. -It is important that we resolve disagreements and differing views constructively. - -This code of conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. -Participants should be aware of these concerns. - -We are committed to making participation in this project a harassment-free experience for everyone, regardless of level of experience, gender, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, ethnicity, age, religion, or nationality. - -Examples of unacceptable behavior by participants include: - -* The use of sexualized language or imagery -* Personal attacks -* Trolling or insulting/derogatory comments -* Public or private harassment -* Publishing other's private information, such as physical or electronic addresses, without explicit permission -* Other unethical or unprofessional conduct - -The OpenContainers team does not condone any statements by speakers contrary to these standards. -The OpenContainers team reserves the right to deny participation any individual found to be engaging in discriminatory or harassing actions. - -Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct. -By adopting this Code of Conduct, project maintainers commit themselves to fairly and consistently applying these principles to every aspect of managing this project. - -## Thanks - -Thanks to the [Fedora Code of Conduct](https://getfedora.org/code-of-conduct) and [Contributor Covenant](http://contributor-covenant.org) for inspiration and ideas. - -Portions of this Code of Conduct are adapted from the Contributor Covenant, version 1.2.0, available at http://contributor-covenant.org/version/1/2/0/ diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/config-linux.md b/Godeps/_workspace/src/github.com/opencontainers/specs/config-linux.md deleted file mode 100644 index f7723c74c..000000000 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/config-linux.md +++ /dev/null @@ -1,609 +0,0 @@ -# Linux-specific Container Configuration - -The Linux container specification uses various kernel features like namespaces, cgroups, capabilities, LSM, and file system jails to fulfill the spec. -Additional information is needed for Linux over the [default spec configuration](config.md) in order to configure these various kernel features. - -## Capabilities - -Capabilities is an array that specifies Linux capabilities that can be provided to the process inside the container. -Valid values are the strings for capabilities defined in [the man page](http://man7.org/linux/man-pages/man7/capabilities.7.html) - -```json - "capabilities": [ - "CAP_AUDIT_WRITE", - "CAP_KILL", - "CAP_NET_BIND_SERVICE" - ] -``` - -## Default File Systems - -The Linux ABI includes both syscalls and several special file paths. -Applications expecting a Linux environment will very likely expect these files paths to be setup correctly. - -The following filesystems MUST be made available in each application's filesystem - -| Path | Type | -| -------- | ------ | -| /proc | [procfs](https://www.kernel.org/doc/Documentation/filesystems/proc.txt) | -| /sys | [sysfs](https://www.kernel.org/doc/Documentation/filesystems/sysfs.txt) | -| /dev/pts | [devpts](https://www.kernel.org/doc/Documentation/filesystems/devpts.txt) | -| /dev/shm | [tmpfs](https://www.kernel.org/doc/Documentation/filesystems/tmpfs.txt) | - -## Namespaces - -A namespace wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource. -Changes to the global resource are visible to other processes that are members of the namespace, but are invisible to other processes. -For more information, see [the man page](http://man7.org/linux/man-pages/man7/namespaces.7.html). - -Namespaces are specified as an array of entries inside the `namespaces` root field. -The following parameters can be specified to setup namespaces: - -* **`type`** *(string, required)* - namespace type. The following namespaces types are supported: - * **`pid`** processes inside the container will only be able to see other processes inside the same container - * **`network`** the container will have its own network stack - * **`mount`** the container will have an isolated mount table - * **`ipc`** processes inside the container will only be able to communicate to other processes inside the same container via system level IPC - * **`uts`** the container will be able to have its own hostname and domain name - * **`user`** the container will be able to remap user and group IDs from the host to local users and groups within the container - -* **`path`** *(string, optional)* - path to namespace file - -If a path is specified, that particular file is used to join that type of namespace. -Also, when a path is specified, a runtime MUST assume that the setup for that particular namespace has already been done and error out if the config specifies anything else related to that namespace. - -###### Example - -```json - "namespaces": [ - { - "type": "pid", - "path": "/proc/1234/ns/pid" - }, - { - "type": "network", - "path": "/var/run/netns/neta" - }, - { - "type": "mount" - }, - { - "type": "ipc" - }, - { - "type": "uts" - }, - { - "type": "user" - } - ] -``` - -## User namespace mappings - -###### Example - -```json - "uidMappings": [ - { - "hostID": 1000, - "containerID": 0, - "size": 10 - } - ], - "gidMappings": [ - { - "hostID": 1000, - "containerID": 0, - "size": 10 - } - ] -``` - -uid/gid mappings describe the user namespace mappings from the host to the container. -The mappings represent how the bundle `rootfs` expects the user namespace to be setup and the runtime SHOULD NOT modify the permissions on the rootfs to realize the mapping. -*hostID* is the starting uid/gid on the host to be mapped to *containerID* which is the starting uid/gid in the container and *size* refers to the number of ids to be mapped. -There is a limit of 5 mappings which is the Linux kernel hard limit. - -## Devices - -`devices` is an array specifying the list of devices that MUST be available in the container. -The runtime may supply them however it likes (with [mknod][mknod.2], by bind mounting from the runtime mount namespace, etc.). - -The following parameters can be specified: - -* **`type`** *(char, required)* - type of device: `c`, `b`, `u` or `p`. - More info in [mknod(1)][mknod.1]. -* **`path`** *(string, required)* - full path to device inside container. -* **`major, minor`** *(int64, required unless **`type`** is `p`)* - [major, minor numbers][devices] for the device. -* **`fileMode`** *(uint32, optional)* - file mode for the device. - You can also control access to devices [with cgroups](#device-whitelist). -* **`uid`** *(uint32, optional)* - id of device owner. -* **`gid`** *(uint32, optional)* - id of device group. - -###### Example - -```json - "devices": [ - { - "path": "/dev/fuse", - "type": "c", - "major": 10, - "minor": 229, - "fileMode": 0666, - "uid": 0, - "gid": 0 - }, - { - "path": "/dev/sda", - "type": "b", - "major": 8, - "minor": 0, - "fileMode": 0660, - "uid": 0, - "gid": 0 - } - ] -``` - -###### Default Devices - -In addition to any devices configured with this setting, the runtime MUST also supply: - -* [`/dev/null`][null.4] -* [`/dev/zero`][zero.4] -* [`/dev/full`][full.4] -* [`/dev/random`][random.4] -* [`/dev/urandom`][random.4] -* [`/dev/tty`][tty.4] -* [`/dev/console`][console.4] -* [`/dev/ptmx`][pts.4]. - A [bind-mount or symlink of the container's `/dev/pts/ptmx`][devpts]. - -## Control groups - -Also known as cgroups, they are used to restrict resource usage for a container and handle device access. -cgroups provide controls to restrict cpu, memory, IO, pids and network for the container. -For more information, see the [kernel cgroups documentation][cgroup-v1]. - -The path to the cgroups can be specified in the Spec via `cgroupsPath`. -`cgroupsPath` is expected to be relative to the cgroups mount point. -If `cgroupsPath` is not specified, implementations can define the default cgroup path. -Implementations of the Spec can choose to name cgroups in any manner. -The Spec does not include naming schema for cgroups. -The Spec does not support [split hierarchy][cgroup-v2]. -The cgroups will be created if they don't exist. - -###### Example - -```json - "cgroupsPath": "/myRuntime/myContainer" -``` - -`cgroupsPath` can be used to either control the cgroups hierarchy for containers or to run a new process in an existing container. - -You can configure a container's cgroups via the `resources` field of the Linux configuration. -Do not specify `resources` unless limits have to be updated. -For example, to run a new process in an existing container without updating limits, `resources` need not be specified. - -#### Device whitelist - -`devices` is an array of entries to control the [device whitelist][cgroup-v1-devices]. -The runtime MUST apply entries in the listed order. - -The following parameters can be specified: - -* **`allow`** *(boolean, required)* - whether the entry is allowed or denied. -* **`type`** *(char, optional)* - type of device: `a` (all), `c` (char), or `b` (block). - `null` or unset values mean "all", mapping to `a`. -* **`major, minor`** *(int64, optional)* - [major, minor numbers][devices] for the device. - `null` or unset values mean "all", mapping to [`*` in the filesystem API][cgroup-v1-devices]. -* **`access`** *(string, optional)* - cgroup permissions for device. - A composition of `r` (read), `w` (write), and `m` (mknod). - -###### Example - -```json - "devices": [ - { - "allow": false, - "access": "rwm" - }, - { - "allow": true, - "type": "c", - "major": 10, - "minor": 229, - "access": "rw" - }, - { - "allow": true, - "type": "b", - "major": 8, - "minor": 0, - "access": "r" - } - ] -``` - -#### Disable out-of-memory killer - -`disableOOMKiller` contains a boolean (`true` or `false`) that enables or disables the Out of Memory killer for a cgroup. -If enabled (`false`), tasks that attempt to consume more memory than they are allowed are immediately killed by the OOM killer. -The OOM killer is enabled by default in every cgroup using the `memory` subsystem. -To disable it, specify a value of `true`. -For more information, see [the memory cgroup man page][cgroup-v1-memory]. - -* **`disableOOMKiller`** *(bool, optional)* - enables or disables the OOM killer - -###### Example - -```json - "disableOOMKiller": false -``` - -#### Set oom_score_adj - -`oomScoreAdj` sets heuristic regarding how the process is evaluated by the kernel during memory pressure. -For more information, see [the proc filesystem documentation section 3.1](https://www.kernel.org/doc/Documentation/filesystems/proc.txt). -This is a kernel/system level setting, where as `disableOOMKiller` is scoped for a memory cgroup. -For more information on how these two settings work together, see [the memory cgroup documentation section 10. OOM Contol][cgroup-v1-memory]. - -* **`oomScoreAdj`** *(int, optional)* - adjust the oom-killer score - -###### Example - -```json - "oomScoreAdj": 0 -``` - -#### Memory - -`memory` represents the cgroup subsystem `memory` and it's used to set limits on the container's memory usage. -For more information, see [the memory cgroup man page][cgroup-v1-memory]. - -The following parameters can be specified to setup the controller: - -* **`limit`** *(uint64, optional)* - sets limit of memory usage - -* **`reservation`** *(uint64, optional)* - sets soft limit of memory usage - -* **`swap`** *(uint64, optional)* - sets limit of memory+Swap usage - -* **`kernel`** *(uint64, optional)* - sets hard limit for kernel memory - -* **`kernelTCP`** *(uint64, optional)* - sets hard limit for kernel memory in tcp using - -* **`swappiness`** *(uint64, optional)* - sets swappiness parameter of vmscan (See sysctl's vm.swappiness) - -###### Example - -```json - "memory": { - "limit": 0, - "reservation": 0, - "swap": 0, - "kernel": 0, - "kernelTCP": 0, - "swappiness": 0 - } -``` - -#### CPU - -`cpu` represents the cgroup subsystems `cpu` and `cpusets`. -For more information, see [the cpusets cgroup man page][cgroup-v1-cpusets]. - -The following parameters can be specified to setup the controller: - -* **`shares`** *(uint64, optional)* - specifies a relative share of CPU time available to the tasks in a cgroup - -* **`quota`** *(uint64, optional)* - specifies the total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by **`period`** below) - -* **`period`** *(uint64, optional)* - specifies a period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated (CFS scheduler only) - -* **`realtimeRuntime`** *(uint64, optional)* - specifies a period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources - -* **`realtimePeriod`** *(uint64, optional)* - same as **`period`** but applies to realtime scheduler only - -* **`cpus`** *(string, optional)* - list of CPUs the container will run in - -* **`mems`** *(string, optional)* - list of Memory Nodes the container will run in - -###### Example - -```json - "cpu": { - "shares": 0, - "quota": 0, - "period": 0, - "realtimeRuntime": 0, - "realtimePeriod": 0, - "cpus": "", - "mems": "" - } -``` - -#### Block IO Controller - -`blockIO` represents the cgroup subsystem `blkio` which implements the block io controller. -For more information, see [the kernel cgroups documentation about blkio][cgroup-v1-blkio]. - -The following parameters can be specified to setup the controller: - -* **`blkioWeight`** *(uint16, optional)* - specifies per-cgroup weight. This is default weight of the group on all devices until and unless overridden by per-device rules. The range is from 10 to 1000. - -* **`blkioLeafWeight`** *(uint16, optional)* - equivalents of `blkioWeight` for the purpose of deciding how much weight tasks in the given cgroup has while competing with the cgroup's child cgroups. The range is from 10 to 1000. - -* **`blkioWeightDevice`** *(array, optional)* - specifies the list of devices which will be bandwidth rate limited. The following parameters can be specified per-device: - * **`major, minor`** *(int64, required)* - major, minor numbers for device. More info in `man mknod`. - * **`weight`** *(uint16, optional)* - bandwidth rate for the device, range is from 10 to 1000 - * **`leafWeight`** *(uint16, optional)* - bandwidth rate for the device while competing with the cgroup's child cgroups, range is from 10 to 1000, CFQ scheduler only - - You must specify at least one of `weight` or `leafWeight` in a given entry, and can specify both. - -* **`blkioThrottleReadBpsDevice`**, **`blkioThrottleWriteBpsDevice`**, **`blkioThrottleReadIOPSDevice`**, **`blkioThrottleWriteIOPSDevice`** *(array, optional)* - specify the list of devices which will be IO rate limited. The following parameters can be specified per-device: - * **`major, minor`** *(int64, required)* - major, minor numbers for device. More info in `man mknod`. - * **`rate`** *(uint64, required)* - IO rate limit for the device - -###### Example - -```json - "blockIO": { - "blkioWeight": 0, - "blkioLeafWeight": 0, - "blkioWeightDevice": [ - { - "major": 8, - "minor": 0, - "weight": 500, - "leafWeight": 300 - }, - { - "major": 8, - "minor": 16, - "weight": 500 - } - ], - "blkioThrottleReadBpsDevice": [ - { - "major": 8, - "minor": 0, - "rate": 600 - } - ], - "blkioThrottleWriteIOPSDevice": [ - { - "major": 8, - "minor": 16, - "rate": 300 - } - ] - } -``` - -#### Huge page limits - -`hugepageLimits` represents the `hugetlb` controller which allows to limit the -HugeTLB usage per control group and enforces the controller limit during page fault. -For more information, see the [kernel cgroups documentation about HugeTLB][cgroup-v1-hugetlb]. - -`hugepageLimits` is an array of entries, each having the following structure: - -* **`pageSize`** *(string, required)* - hugepage size - -* **`limit`** *(uint64, required)* - limit in bytes of *hugepagesize* HugeTLB usage - -###### Example - -```json - "hugepageLimits": [ - { - "pageSize": "2MB", - "limit": 9223372036854771712 - } - ] -``` - -#### Network - -`network` represents the cgroup subsystems `net_cls` and `net_prio`. -For more information, see [the net\_cls cgroup man page][cgroup-v1-net-cls] and [the net\_prio cgroup man page][cgroup-v1-net-prio]. - -The following parameters can be specified to setup these cgroup controllers: - -* **`classID`** *(uint32, optional)* - is the network class identifier the cgroup's network packets will be tagged with - -* **`priorities`** *(array, optional)* - specifies a list of objects of the priorities assigned to traffic originating from -processes in the group and egressing the system on various interfaces. The following parameters can be specified per-priority: - * **`name`** *(string, required)* - interface name - * **`priority`** *(uint32, required)* - priority applied to the interface - -###### Example - -```json - "network": { - "classID": 1048577, - "priorities": [ - { - "name": "eth0", - "priority": 500 - }, - { - "name": "eth1", - "priority": 1000 - } - ] - } -``` - -#### PIDs - -`pids` represents the cgroup subsystem `pids`. -For more information, see [the pids cgroup man page][cgroup-v1-pids]. - -The following paramters can be specified to setup the controller: - -* **`limit`** *(int64, required)* - specifies the maximum number of tasks in the cgroup - -###### Example - -```json - "pids": { - "limit": 32771 - } -``` - -## Sysctl - -sysctl allows kernel parameters to be modified at runtime for the container. -For more information, see [the man page](http://man7.org/linux/man-pages/man8/sysctl.8.html) - -###### Example - -```json - "sysctl": { - "net.ipv4.ip_forward": "1", - "net.core.somaxconn": "256" - } -``` - -## Rlimits - -rlimits allow setting resource limits. -`type` is a string with a value from those defined in [the man page](http://man7.org/linux/man-pages/man2/setrlimit.2.html). -The kernel enforces the `soft` limit for a resource while the `hard` limit acts as a ceiling for that value that could be set by an unprivileged process. - -###### Example - -```json - "rlimits": [ - { - "type": "RLIMIT_NPROC", - "soft": 1024, - "hard": 102400 - } - ] -``` - -## SELinux process label - -SELinux process label specifies the label with which the processes in a container are run. -For more information about SELinux, see [Selinux documentation](http://selinuxproject.org/page/Main_Page) - -###### Example - -```json - "selinuxProcessLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675" -``` - -## Apparmor profile - -Apparmor profile specifies the name of the apparmor profile that will be used for the container. -For more information about Apparmor, see [Apparmor documentation](https://wiki.ubuntu.com/AppArmor) - -###### Example - -```json - "apparmorProfile": "acme_secure_profile" -``` - -## seccomp - -Seccomp provides application sandboxing mechanism in the Linux kernel. -Seccomp configuration allows one to configure actions to take for matched syscalls and furthermore also allows matching on values passed as arguments to syscalls. -For more information about Seccomp, see [Seccomp kernel documentation](https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt) -The actions, architectures, and operators are strings that match the definitions in seccomp.h from [libseccomp](https://github.com/seccomp/libseccomp) and are translated to corresponding values. -A valid list of constants as of Libseccomp v2.2.3 is contained below. - -Architecture Constants -* `SCMP_ARCH_X86` -* `SCMP_ARCH_X86_64` -* `SCMP_ARCH_X32` -* `SCMP_ARCH_ARM` -* `SCMP_ARCH_AARCH64` -* `SCMP_ARCH_MIPS` -* `SCMP_ARCH_MIPS64` -* `SCMP_ARCH_MIPS64N32` -* `SCMP_ARCH_MIPSEL` -* `SCMP_ARCH_MIPSEL64` -* `SCMP_ARCH_MIPSEL64N32` - -Action Constants: -* `SCMP_ACT_KILL` -* `SCMP_ACT_TRAP` -* `SCMP_ACT_ERRNO` -* `SCMP_ACT_TRACE` -* `SCMP_ACT_ALLOW` - -Operator Constants: -* `SCMP_CMP_NE` -* `SCMP_CMP_LT` -* `SCMP_CMP_LE` -* `SCMP_CMP_EQ` -* `SCMP_CMP_GE` -* `SCMP_CMP_GT` -* `SCMP_CMP_MASKED_EQ` - -###### Example - -```json - "seccomp": { - "defaultAction": "SCMP_ACT_ALLOW", - "architectures": [ - "SCMP_ARCH_X86" - ], - "syscalls": [ - { - "name": "getcwd", - "action": "SCMP_ACT_ERRNO" - } - ] - } -``` - -## Rootfs Mount Propagation - -rootfsPropagation sets the rootfs's mount propagation. -Its value is either slave, private, or shared. -[The kernel doc](https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt) has more information about mount propagation. - -###### Example - -```json - "rootfsPropagation": "slave", -``` - -## No new privileges - -Setting `noNewPrivileges` to true prevents the processes in the container from gaining additional privileges. -[The kernel doc](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt) has more information on how this is achieved using a prctl system call. - -###### Example - -```json - "noNewPrivileges": true, -``` - -[cgroup-v1]: https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt -[cgroup-v1-blkio]: https://www.kernel.org/doc/Documentation/cgroup-v1/blkio-controller.txt -[cgroup-v1-cpusets]: https://www.kernel.org/doc/Documentation/cgroup-v1/cpusets.txt -[cgroup-v1-devices]: https://www.kernel.org/doc/Documentation/cgroup-v1/devices.txt -[cgroup-v1-hugetlb]: https://www.kernel.org/doc/Documentation/cgroup-v1/hugetlb.txt -[cgroup-v1-memory]: https://www.kernel.org/doc/Documentation/cgroup-v1/memory.txt -[cgroup-v1-net-cls]: https://www.kernel.org/doc/Documentation/cgroup-v1/net_cls.txt -[cgroup-v1-net-prio]: https://www.kernel.org/doc/Documentation/cgroup-v1/net_prio.txt -[cgroup-v1-pids]: https://www.kernel.org/doc/Documentation/cgroup-v1/pids.txt -[cgroup-v2]: https://www.kernel.org/doc/Documentation/cgroup-v2.txt -[devices]: https://www.kernel.org/doc/Documentation/devices.txt -[devpts]: https://www.kernel.org/doc/Documentation/filesystems/devpts.txt - -[mknod.1]: http://man7.org/linux/man-pages/man1/mknod.1.html -[mknod.2]: http://man7.org/linux/man-pages/man2/mknod.2.html -[console.4]: http://man7.org/linux/man-pages/man4/console.4.html -[full.4]: http://man7.org/linux/man-pages/man4/full.4.html -[null.4]: http://man7.org/linux/man-pages/man4/null.4.html -[pts.4]: http://man7.org/linux/man-pages/man4/pts.4.html -[random.4]: http://man7.org/linux/man-pages/man4/random.4.html -[tty.4]: http://man7.org/linux/man-pages/man4/tty.4.html -[zero.4]: http://man7.org/linux/man-pages/man4/zero.4.html diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/config.go b/Godeps/_workspace/src/github.com/opencontainers/specs/config.go deleted file mode 100644 index 7861c5638..000000000 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/config.go +++ /dev/null @@ -1,84 +0,0 @@ -package specs - -// Spec is the base configuration for the container. It specifies platform -// independent configuration. This information must be included when the -// bundle is packaged for distribution. -type Spec struct { - // Version is the version of the specification that is supported. - Version string `json:"ociVersion"` - // Platform is the host information for OS and Arch. - Platform Platform `json:"platform"` - // Process is the container's main process. - Process Process `json:"process"` - // Root is the root information for the container's filesystem. - Root Root `json:"root"` - // Hostname is the container's host name. - Hostname string `json:"hostname,omitempty"` - // Mounts profile configuration for adding mounts to the container's filesystem. - Mounts []Mount `json:"mounts"` - // Hooks are the commands run at various lifecycle events of the container. - Hooks Hooks `json:"hooks"` -} - -// Process contains information to start a specific application inside the container. -type Process struct { - // Terminal creates an interactive terminal for the container. - Terminal bool `json:"terminal"` - // User specifies user information for the process. - User User `json:"user"` - // Args specifies the binary and arguments for the application to execute. - Args []string `json:"args"` - // Env populates the process environment for the process. - Env []string `json:"env,omitempty"` - // Cwd is the current working directory for the process and must be - // relative to the container's root. - Cwd string `json:"cwd"` -} - -// Root contains information about the container's root filesystem on the host. -type Root struct { - // Path is the absolute path to the container's root filesystem. - Path string `json:"path"` - // Readonly makes the root filesystem for the container readonly before the process is executed. - Readonly bool `json:"readonly"` -} - -// Platform specifies OS and arch information for the host system that the container -// is created for. -type Platform struct { - // OS is the operating system. - OS string `json:"os"` - // Arch is the architecture - Arch string `json:"arch"` -} - -// Mount specifies a mount for a container. -type Mount struct { - // Destination is the path where the mount will be placed relative to the container's root. The path and child directories MUST exist, a runtime MUST NOT create directories automatically to a mount point. - Destination string `json:"destination"` - // Type specifies the mount kind. - Type string `json:"type"` - // Source specifies the source path of the mount. In the case of bind mounts on - // linux based systems this would be the file on the host. - Source string `json:"source"` - // Options are fstab style mount options. - Options []string `json:"options,omitempty"` -} - -// Hook specifies a command that is run at a particular event in the lifecycle of a container -type Hook struct { - Path string `json:"path"` - Args []string `json:"args,omitempty"` - Env []string `json:"env,omitempty"` -} - -// Hooks for container setup and teardown -type Hooks struct { - // Prestart is a list of hooks to be run before the container process is executed. - // On Linux, they are run after the container namespaces are created. - Prestart []Hook `json:"prestart,omitempty"` - // Poststart is a list of hooks to be run after the container process is started. - Poststart []Hook `json:"poststart,omitempty"` - // Poststop is a list of hooks to be run after the container process exits. - Poststop []Hook `json:"poststop,omitempty"` -} diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/config.md b/Godeps/_workspace/src/github.com/opencontainers/specs/config.md deleted file mode 100644 index 884fe32cb..000000000 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/config.md +++ /dev/null @@ -1,215 +0,0 @@ -# Container Configuration file - -The container's top-level directory MUST contain a configuration file called `config.json`. -For now the canonical schema is defined in [config.go](config.go) and [config_linux.go](config_linux.go), but this will be moved to a formal JSON schema over time. - -The configuration file contains metadata necessary to implement standard operations against the container. -This includes the process to run, environment variables to inject, sandboxing features to use, etc. - -Below is a detailed description of each field defined in the configuration format. - -## Specification version - -* **`ociVersion`** (string, required) must be in [SemVer v2.0.0](http://semver.org/spec/v2.0.0.html) format and specifies the version of the OpenContainer specification with which the bundle complies. -The OpenContainer spec follows semantic versioning and retains forward and backward compatibility within major versions. -For example, if an implementation is compliant with version 1.0.1 of the spec, it is compatible with the complete 1.x series. -NOTE that there is no guarantee for forward or backward compatibility for version 0.x. - -*Example* - -```json - "ociVersion": "0.1.0" -``` - -## Root Configuration - -Each container has exactly one *root filesystem*, specified in the *root* object: - -* **`path`** (string, required) Specifies the path to the root filesystem for the container, relative to the path where the manifest is. A directory MUST exist at the relative path declared by the field. -* **`readonly`** (bool, optional) If true then the root filesystem MUST be read-only inside the container. Defaults to false. - -*Example* - -```json -"root": { - "path": "rootfs", - "readonly": true -} -``` - -## Mounts - -You can add array of mount points inside container as `mounts`. -The runtime MUST mount entries in the listed order. -The parameters are similar to the ones in [the Linux mount system call](http://man7.org/linux/man-pages/man2/mount.2.html). - -* **`destination`** (string, required) Destination of mount point: path inside container. -* **`type`** (string, required) Linux, *filesystemtype* argument supported by the kernel are listed in */proc/filesystems* (e.g., "minix", "ext2", "ext3", "jfs", "xfs", "reiserfs", "msdos", "proc", "nfs", "iso9660"). Windows: ntfs -* **`source`** (string, required) a device name, but can also be a directory name or a dummy. Windows, the volume name that is the target of the mount point. \\?\Volume\{GUID}\ (on Windows source is called target) -* **`options`** (list of strings, optional) in the fstab format [https://wiki.archlinux.org/index.php/Fstab](https://wiki.archlinux.org/index.php/Fstab). - -### Linux Example - -```json -"mounts": [ - { - "destination": "/tmp", - "type": "tmpfs", - "source": "tmpfs", - "options": ["nosuid","strictatime","mode=755","size=65536k"] - }, - { - "destination": "/data", - "type": "bind", - "source": "/volumes/testing", - "options": ["rbind","rw"] - } -] -``` - -### Windows Example - -```json -"mounts": [ - "myfancymountpoint": { - "destination": "C:\\Users\\crosbymichael\\My Fancy Mount Point\\", - "type": "ntfs", - "source": "\\\\?\\Volume\\{2eca078d-5cbc-43d3-aff8-7e8511f60d0e}\\", - "options": [] - } -] -``` - -See links for details about [mountvol](http://ss64.com/nt/mountvol.html) and [SetVolumeMountPoint](https://msdn.microsoft.com/en-us/library/windows/desktop/aa365561(v=vs.85).aspx) in Windows. - - -## Process configuration - -* **`terminal`** (bool, optional) specifies whether you want a terminal attached to that process. Defaults to false. -* **`cwd`** (string, required) is the working directory that will be set for the executable. This value MUST be an absolute path. -* **`env`** (array of strings, optional) contains a list of variables that will be set in the process's environment prior to execution. Elements in the array are specified as Strings in the form "KEY=value". The left hand side must consist solely of letters, digits, and underscores `_` as outlined in [IEEE Std 1003.1-2001](http://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap08.html). -* **`args`** (string, required) executable to launch and any flags as an array. The executable is the first element and must be available at the given path inside of the rootfs. If the executable path is not an absolute path then the search $PATH is interpreted to find the executable. - -The user for the process is a platform-specific structure that allows specific control over which user the process runs as. -For Linux-based systems the user structure has the following fields: - -* **`uid`** (int, required) specifies the user id. -* **`gid`** (int, required) specifies the group id. -* **`additionalGids`** (array of ints, optional) specifies additional group ids to be added to the process. - -*Example (Linux)* - -```json -"process": { - "terminal": true, - "user": { - "uid": 1, - "gid": 1, - "additionalGids": [5, 6] - }, - "env": [ - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", - "TERM=xterm" - ], - "cwd": "/root", - "args": [ - "sh" - ] -} -``` - - -## Hostname - -* **`hostname`** (string, optional) as it is accessible to processes running inside. On Linux, you can only set this if your bundle creates a new [UTS namespace][uts-namespace]. - -*Example* - -```json -"hostname": "mrsdalloway" -``` - -## Platform-specific configuration - -* **`os`** (string, required) specifies the operating system family this image must run on. Values for os must be in the list specified by the Go Language document for [`$GOOS`](https://golang.org/doc/install/source#environment). -* **`arch`** (string, required) specifies the instruction set for which the binaries in the image have been compiled. Values for arch must be in the list specified by the Go Language document for [`$GOARCH`](https://golang.org/doc/install/source#environment). - -```json -"platform": { - "os": "linux", - "arch": "amd64" -} -``` - -Interpretation of the platform section of the JSON file is used to find which platform-specific sections may be available in the document. -For example, if `os` is set to `linux`, then a JSON object conforming to the [Linux-specific schema](config-linux.md) SHOULD be found at the key `linux` in the `config.json`. - -## Hooks - -Lifecycle hooks allow custom events for different points in a container's runtime. -Presently there are `Prestart`, `Poststart` and `Poststop`. - -* [`Prestart`](#prestart) is a list of hooks to be run before the container process is executed -* [`Poststart`](#poststart) is a list of hooks to be run immediately after the container process is started -* [`Poststop`](#poststop) is a list of hooks to be run after the container process exits - -Hooks allow one to run code before/after various lifecycle events of the container. -Hooks MUST be called in the listed order. -The state of the container is passed to the hooks over stdin, so the hooks could get the information they need to do their work. - -Hook paths are absolute and are executed from the host's filesystem. - -### Prestart - -The pre-start hooks are called after the container process is spawned, but before the user supplied command is executed. -They are called after the container namespaces are created on Linux, so they provide an opportunity to customize the container. -In Linux, for e.g., the network namespace could be configured in this hook. - -If a hook returns a non-zero exit code, then an error including the exit code and the stderr is returned to the caller and the container is torn down. - -### Poststart - -The post-start hooks are called after the user process is started. -For example this hook can notify user that real process is spawned. - -If a hook returns a non-zero exit code, then an error is logged and the remaining hooks are executed. - -### Poststop - -The post-stop hooks are called after the container process is stopped. -Cleanup or debugging could be performed in such a hook. -If a hook returns a non-zero exit code, then an error is logged and the remaining hooks are executed. - -*Example* - -```json - "hooks" : { - "prestart": [ - { - "path": "/usr/bin/fix-mounts", - "args": ["fix-mounts", "arg1", "arg2"], - "env": [ "key1=value1"] - }, - { - "path": "/usr/bin/setup-network" - } - ], - "poststart": [ - { - "path": "/usr/bin/notify-start" - } - ], - "poststop": [ - { - "path": "/usr/sbin/cleanup.sh", - "args": ["cleanup.sh", "-f"] - } - ] - } -``` - -`path` is required for a hook. -`args` and `env` are optional. -The semantics are the same as `Path`, `Args` and `Env` in [golang Cmd](https://golang.org/pkg/os/exec/#Cmd). - -[uts-namespace]: http://man7.org/linux/man-pages/man7/namespaces.7.html diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/implementations.md b/Godeps/_workspace/src/github.com/opencontainers/specs/implementations.md deleted file mode 100644 index 5cd16b987..000000000 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/implementations.md +++ /dev/null @@ -1,21 +0,0 @@ -# Implementations - -The following sections link to associated projects, some of which are maintained by the OCI and some of which are maintained by external organizations. -If you know of any associated projects that are not listed here, please file a pull request adding a link to that project. - -## Runtime (Container) - -* [opencontainers/runc](https://github.com/opencontainers/runc) - Reference implementation of OCI runtime - -## Runtime (Virtual Machine) - -* [hyperhq/runv](https://github.com/hyperhq/runv) - Hypervisor-based runtime for OCI - -## Bundle authoring - -* [kunalkushwaha/octool](https://github.com/kunalkushwaha/octool) - A config linter and validator. -* [mrunalp/ocitools](https://github.com/mrunalp/ocitools) - A config generator. - -## Testing - -* [huawei-openlab/oct](https://github.com/huawei-openlab/oct) - Open Container Testing framework for OCI configuration and runtime diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/principles.md b/Godeps/_workspace/src/github.com/opencontainers/specs/principles.md deleted file mode 100644 index 5dbab1699..000000000 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/principles.md +++ /dev/null @@ -1,46 +0,0 @@ -# The 5 principles of Standard Containers - -Define a unit of software delivery called a Standard Container. -The goal of a Standard Container is to encapsulate a software component and all its dependencies in a format that is self-describing and portable, so that any compliant runtime can run it without extra dependencies, regardless of the underlying machine and the contents of the container. - -The specification for Standard Containers defines: - -1. configuration file formats -2. a set of standard operations -3. an execution environment. - -A great analogy for this is the physical shipping container used by the transportation industry. -Shipping containers are a fundamental unit of delivery, they can be lifted, stacked, locked, loaded, unloaded and labelled. -Irrespective of their contents, by standardizing the container itself it allowed for a consistent, more streamlined and efficient set of processes to be defined. -For software Standard Containers offer similar functionality by being the fundamental, standardized, unit of delivery for a software package. - -## 1. Standard operations - -Standard Containers define a set of STANDARD OPERATIONS. -They can be created, started, and stopped using standard container tools; copied and snapshotted using standard filesystem tools; and downloaded and uploaded using standard network tools. - -## 2. Content-agnostic - -Standard Containers are CONTENT-AGNOSTIC: all standard operations have the same effect regardless of the contents. -They are started in the same way whether they contain a postgres database, a php application with its dependencies and application server, or Java build artifacts. - -## 3. Infrastructure-agnostic - -Standard Containers are INFRASTRUCTURE-AGNOSTIC: they can be run in any OCI supported infrastructure. -For example, a standard container can be bundled on a laptop, uploaded to cloud storage, downloaded, run and snapshotted by a build server at a fiber hotel in Virginia, uploaded to 10 staging servers in a home-made private cloud cluster, then sent to 30 production instances across 3 public cloud regions. - -## 4. Designed for automation - -Standard Containers are DESIGNED FOR AUTOMATION: because they offer the same standard operations regardless of content and infrastructure, Standard Containers, are extremely well-suited for automation. -In fact, you could say automation is their secret weapon. - -Many things that once required time-consuming and error-prone human effort can now be programmed. -Before Standard Containers, by the time a software component ran in production, it had been individually built, configured, bundled, documented, patched, vendored, templated, tweaked and instrumented by 10 different people on 10 different computers. -Builds failed, libraries conflicted, mirrors crashed, post-it notes were lost, logs were misplaced, cluster updates were half-broken. -The process was slow, inefficient and cost a fortune - and was entirely different depending on the language and infrastructure provider. - -## 5. Industrial-grade delivery - -Standard Containers make INDUSTRIAL-GRADE DELIVERY of software a reality. -Leveraging all of the properties listed above, Standard Containers are enabling large and small enterprises to streamline and automate their software delivery pipelines. -Whether it is in-house devOps flows, or external customer-based software delivery mechanisms, Standard Containers are changing the way the community thinks about software packaging and delivery. diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/runtime-linux.md b/Godeps/_workspace/src/github.com/opencontainers/specs/runtime-linux.md deleted file mode 100644 index 36277a19d..000000000 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/runtime-linux.md +++ /dev/null @@ -1,8 +0,0 @@ -# Linux Runtime - -## File descriptors -By default, only the `stdin`, `stdout` and `stderr` file descriptors are kept open for the application by the runtime. - -The runtime may pass additional file descriptors to the application to support features such as [socket activation](http://0pointer.de/blog/projects/socket-activated-containers.html). - -Some of the file descriptors may be redirected to `/dev/null` even though they are open. diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/runtime.md b/Godeps/_workspace/src/github.com/opencontainers/specs/runtime.md deleted file mode 100644 index 12d6c94cf..000000000 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/runtime.md +++ /dev/null @@ -1,59 +0,0 @@ -# Runtime and Lifecycle - -## State - -Runtime MUST store container metadata on disk so that external tools can consume and act on this information. -It is recommended that this data be stored in a temporary filesystem so that it can be removed on a system reboot. -On Linux/Unix based systems the metadata MUST be stored under `/run/opencontainer/containers`. -For non-Linux/Unix based systems the location of the root metadata directory is currently undefined. -Within that directory there MUST be one directory for each container created, where the name of the directory MUST be the ID of the container. -For example: for a Linux container with an ID of `173975398351`, there will be a corresponding directory: `/run/opencontainer/containers/173975398351`. -Within each container's directory, there MUST be a JSON encoded file called `state.json` that contains the runtime state of the container. -For example: `/run/opencontainer/containers/173975398351/state.json`. - -The `state.json` file MUST contain all of the following properties: - -* **`version`**: (string) is the OCF specification version used when creating the container. -* **`id`**: (string) is the container's ID. -This MUST be unique across all containers on this host. -There is no requirement that it be unique across hosts. -The ID is provided in the state because hooks will be executed with the state as the payload. -This allows the hooks to perform cleanup and teardown logic after the runtime destroys its own state. -* **`pid`**: (int) is the ID of the main process within the container, as seen by the host. -* **`bundlePath`**: (string) is the absolute path to the container's bundle directory. -This is provided so that consumers can find the container's configuration and root filesystem on the host. - -*Example* - -```json -{ - "version": "0.2.0", - "id": "oc-container", - "pid": 4422, - "bundlePath": "/containers/redis" -} -``` - -## Lifecycle -The lifecycle describes the timeline of events that happen from when a container is created to when it ceases to exist. - -1. OCI compliant runtime is invoked by passing the bundle path as argument. -2. The container's runtime environment is created according to the configuration in [`config.json`](config.md). - Any updates to `config.json` after container is running do not affect the container. -3. The container's state.json file is written to the filesystem. -4. The prestart hooks are invoked by the runtime. - If any prestart hook fails, then the container is stopped and the lifecycle continues at step 8. -5. The user specified process is executed in the container. -6. The poststart hooks are invoked by the runtime. - If any poststart hook fails, then the container is stopped and the lifecycle continues at step 8. -7. Additional actions such as pausing the container, resuming the container or signaling the container may be performed using the runtime interface. - The container could also error out or crash. -8. The container is destroyed by undoing the steps performed during create phase (step 2). -9. The poststop hooks are invoked by the runtime and errors, if any, are logged. -10. The state.json file associated with the container is removed and the return code of the container's user specified process is returned or logged. - -Note: The lifecycle is a WIP and it will evolve as we have more use cases and more information on the viability of a separate create phase. - -## Hooks - -See [runtime configuration for hooks](./config.md#hooks) diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/config_linux.go b/Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/config.go similarity index 70% rename from Godeps/_workspace/src/github.com/opencontainers/specs/config_linux.go rename to Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/config.go index 72027112f..ba66ff1c6 100644 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/config_linux.go +++ b/Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/config.go @@ -2,26 +2,122 @@ package specs import "os" -// LinuxStateDirectory holds the container's state information -const LinuxStateDirectory = "/run/opencontainer/containers" - -// LinuxSpec is the full specification for linux containers. -type LinuxSpec struct { - Spec - // Linux is platform specific configuration for linux based containers. - Linux Linux `json:"linux"` +// Spec is the base configuration for the container. It specifies platform +// independent configuration. This information must be included when the +// bundle is packaged for distribution. +type Spec struct { + // Version is the version of the specification that is supported. + Version string `json:"ociVersion"` + // Platform is the host information for OS and Arch. + Platform Platform `json:"platform"` + // Process is the container's main process. + Process Process `json:"process"` + // Root is the root information for the container's filesystem. + Root Root `json:"root"` + // Hostname is the container's host name. + Hostname string `json:"hostname,omitempty"` + // Mounts profile configuration for adding mounts to the container's filesystem. + Mounts []Mount `json:"mounts"` + // Hooks are the commands run at various lifecycle events of the container. + Hooks Hooks `json:"hooks"` + // Annotations is an unstructured key value map that may be set by external tools to store and retrieve arbitrary metadata. + Annotations map[string]string `json:"annotations,omitempty"` + + // Linux is platform specific configuration for Linux based containers. + Linux Linux `json:"linux" platform:"linux"` } -// Linux contains platform specific configuration for linux based containers. +// Process contains information to start a specific application inside the container. +type Process struct { + // Terminal creates an interactive terminal for the container. + Terminal bool `json:"terminal"` + // User specifies user information for the process. + User User `json:"user"` + // Args specifies the binary and arguments for the application to execute. + Args []string `json:"args"` + // Env populates the process environment for the process. + Env []string `json:"env,omitempty"` + // Cwd is the current working directory for the process and must be + // relative to the container's root. + Cwd string `json:"cwd"` + // Capabilities are Linux capabilities that are kept for the container. + Capabilities []string `json:"capabilities,omitempty" platform:"linux"` + // Rlimits specifies rlimit options to apply to the process. + Rlimits []Rlimit `json:"rlimits,omitempty"` + // NoNewPrivileges controls whether additional privileges could be gained by processes in the container. + NoNewPrivileges bool `json:"noNewPrivileges,omitempty"` + + // ApparmorProfile specified the apparmor profile for the container. (this field is platform dependent) + ApparmorProfile string `json:"apparmorProfile,omitempty" platform:"linux"` + // SelinuxProcessLabel specifies the selinux context that the container process is run as. (this field is platform dependent) + SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"` +} + +// User specifies Linux specific user and group information for the container's +// main process. +type User struct { + // UID is the user id. (this field is platform dependent) + UID uint32 `json:"uid,omitempty" platform:"linux"` + // GID is the group id. (this field is platform dependent) + GID uint32 `json:"gid,omitempty" platform:"linux"` + // AdditionalGids are additional group ids set for the container's process. (this field is platform dependent) + AdditionalGids []uint32 `json:"additionalGids,omitempty" platform:"linux"` +} + +// Root contains information about the container's root filesystem on the host. +type Root struct { + // Path is the absolute path to the container's root filesystem. + Path string `json:"path"` + // Readonly makes the root filesystem for the container readonly before the process is executed. + Readonly bool `json:"readonly"` +} + +// Platform specifies OS and arch information for the host system that the container +// is created for. +type Platform struct { + // OS is the operating system. + OS string `json:"os"` + // Arch is the architecture + Arch string `json:"arch"` +} + +// Mount specifies a mount for a container. +type Mount struct { + // Destination is the path where the mount will be placed relative to the container's root. The path and child directories MUST exist, a runtime MUST NOT create directories automatically to a mount point. + Destination string `json:"destination"` + // Type specifies the mount kind. + Type string `json:"type"` + // Source specifies the source path of the mount. In the case of bind mounts on + // Linux based systems this would be the file on the host. + Source string `json:"source"` + // Options are fstab style mount options. + Options []string `json:"options,omitempty"` +} + +// Hook specifies a command that is run at a particular event in the lifecycle of a container +type Hook struct { + Path string `json:"path"` + Args []string `json:"args,omitempty"` + Env []string `json:"env,omitempty"` +} + +// Hooks for container setup and teardown +type Hooks struct { + // Prestart is a list of hooks to be run before the container process is executed. + // On Linux, they are run after the container namespaces are created. + Prestart []Hook `json:"prestart,omitempty"` + // Poststart is a list of hooks to be run after the container process is started. + Poststart []Hook `json:"poststart,omitempty"` + // Poststop is a list of hooks to be run after the container process exits. + Poststop []Hook `json:"poststop,omitempty"` +} + +// Linux contains platform specific configuration for Linux based containers. type Linux struct { - // Capabilities are linux capabilities that are kept for the container. - Capabilities []string `json:"capabilities"` - // UIDMapping specifies user mappings for supporting user namespaces on linux. + // UIDMapping specifies user mappings for supporting user namespaces on Linux. UIDMappings []IDMapping `json:"uidMappings,omitempty"` - // GIDMapping specifies group mappings for supporting user namespaces on linux. + // GIDMapping specifies group mappings for supporting user namespaces on Linux. GIDMappings []IDMapping `json:"gidMappings,omitempty"` - // Rlimits specifies rlimit options to apply to the container's process. - Rlimits []Rlimit `json:"rlimits,omitempty"` // Sysctl are a set of key value pairs that are set for the container on start Sysctl map[string]string `json:"sysctl,omitempty"` // Resources contain cgroup information for handling resource constraints @@ -35,30 +131,13 @@ type Linux struct { Namespaces []Namespace `json:"namespaces"` // Devices are a list of device nodes that are created for the container Devices []Device `json:"devices"` - // ApparmorProfile specified the apparmor profile for the container. - ApparmorProfile string `json:"apparmorProfile"` - // SelinuxProcessLabel specifies the selinux context that the container process is run as. - SelinuxProcessLabel string `json:"selinuxProcessLabel"` // Seccomp specifies the seccomp security settings for the container. - Seccomp Seccomp `json:"seccomp"` + Seccomp *Seccomp `json:"seccomp,omitempty"` // RootfsPropagation is the rootfs mount propagation mode for the container. RootfsPropagation string `json:"rootfsPropagation,omitempty"` - // NoNewPrivileges controls whether additional privileges could be gained by processes in the container. - NoNewPrivileges bool `json:"noNewPrivileges,omitempty"` } -// User specifies linux specific user and group information for the container's -// main process. -type User struct { - // UID is the user id. - UID uint32 `json:"uid"` - // GID is the group id. - GID uint32 `json:"gid"` - // AdditionalGids are additional group ids set for the container's process. - AdditionalGids []uint32 `json:"additionalGids,omitempty"` -} - -// Namespace is the configuration for a linux namespace +// Namespace is the configuration for a Linux namespace type Namespace struct { // Type is the type of Linux namespace Type NamespaceType `json:"type"` @@ -67,7 +146,7 @@ type Namespace struct { Path string `json:"path,omitempty"` } -// NamespaceType is one of the linux namespaces +// NamespaceType is one of the Linux namespaces type NamespaceType string const ( @@ -238,7 +317,7 @@ type Device struct { // Path to the device. Path string `json:"path"` // Device type, block, char, etc. - Type rune `json:"type"` + Type string `json:"type"` // Major is the device's major number. Major int64 `json:"major"` // Minor is the device's minor number. @@ -256,7 +335,7 @@ type DeviceCgroup struct { // Allow or deny Allow bool `json:"allow"` // Device type, block, char, etc. - Type *rune `json:"type,omitempty"` + Type *string `json:"type,omitempty"` // Major is the device's major number. Major *int64 `json:"major,omitempty"` // Minor is the device's minor number. diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/state.go b/Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/state.go new file mode 100644 index 000000000..d3ad79d9c --- /dev/null +++ b/Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/state.go @@ -0,0 +1,13 @@ +package specs + +// State holds information about the runtime state of the container. +type State struct { + // Version is the version of the specification that is supported. + Version string `json:"version"` + // ID is the container ID + ID string `json:"id"` + // Pid is the process id for the container's main process. + Pid int `json:"pid"` + // BundlePath is the path to the container's bundle directory. + BundlePath string `json:"bundlePath"` +} diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/version.go b/Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/version.go similarity index 92% rename from Godeps/_workspace/src/github.com/opencontainers/specs/version.go rename to Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/version.go index f236a693e..27f45e08b 100644 --- a/Godeps/_workspace/src/github.com/opencontainers/specs/version.go +++ b/Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/version.go @@ -6,12 +6,12 @@ const ( // VersionMajor is for an API incompatible changes VersionMajor = 0 // VersionMinor is for functionality in a backwards-compatible manner - VersionMinor = 3 + VersionMinor = 5 // VersionPatch is for backwards-compatible bug fixes VersionPatch = 0 // VersionDev indicates development branch. Releases will be empty string. - VersionDev = "" + VersionDev = "-dev" ) // Version is the specification version that the package types support. diff --git a/bvalidate.go b/bvalidate.go index ba61177e5..1add54b60 100644 --- a/bvalidate.go +++ b/bvalidate.go @@ -11,7 +11,7 @@ import ( "github.com/Sirupsen/logrus" "github.com/codegangsta/cli" - "github.com/opencontainers/specs" + "github.com/opencontainers/specs/specs-go" ) var bundleValidateFlags = []cli.Flag{ @@ -60,7 +60,7 @@ var bundleValidateCommand = cli.Command{ defer sf.Close() - var spec specs.LinuxSpec + var spec specs.Spec if err = json.NewDecoder(sf).Decode(&spec); err != nil { logrus.Fatal(err) } else { @@ -80,9 +80,10 @@ var bundleValidateCommand = cli.Command{ }, } -func bundleValidate(spec specs.LinuxSpec, rootfs string) { +func bundleValidate(spec specs.Spec, rootfs string) { CheckMandatoryField(spec) CheckSemVer(spec.Version) + CheckProcess(spec.Process, rootfs) CheckMounts(spec.Mounts, rootfs) CheckLinux(spec.Linux, rootfs) } @@ -105,15 +106,31 @@ func CheckMounts(mounts []specs.Mount, rootfs string) { } } -//Linux only -func CheckLinux(spec specs.Linux, rootfs string) { - for index := 0; index < len(spec.Capabilities); index++ { - capability := spec.Capabilities[index] +func CheckProcess(process specs.Process, rootfs string) { + for index := 0; index < len(process.Capabilities); index++ { + capability := process.Capabilities[index] if !capValid(capability) { - logrus.Fatalf("%s is not valid, man capabilities(7)", spec.Capabilities[index]) + logrus.Fatalf("%s is not valid, man capabilities(7)", process.Capabilities[index]) + } + } + + for index := 0; index < len(process.Rlimits); index++ { + if !rlimitValid(process.Rlimits[index].Type) { + logrus.Fatalf("Rlimit %s is invalid.", process.Rlimits[index]) + } + } + + if len(process.ApparmorProfile) > 0 { + profilePath := path.Join(rootfs, "/etc/apparmor.d", process.ApparmorProfile) + _, err := os.Stat(profilePath) + if err != nil { + logrus.Fatal(err) } } +} +//Linux only +func CheckLinux(spec specs.Linux, rootfs string) { if len(spec.UIDMappings) > 5 { logrus.Fatalf("Only 5 UID mappings are allowed (linux kernel restriction).") } @@ -121,12 +138,6 @@ func CheckLinux(spec specs.Linux, rootfs string) { logrus.Fatalf("Only 5 GID mappings are allowed (linux kernel restriction).") } - for index := 0; index < len(spec.Rlimits); index++ { - if !rlimitValid(spec.Rlimits[index].Type) { - logrus.Fatalf("Rlimit %s is invalid.", spec.Rlimits[index]) - } - } - for index := 0; index < len(spec.Namespaces); index++ { if !namespaceValid(spec.Namespaces[index]) { logrus.Fatalf("Namespace %s is invalid.", spec.Namespaces[index]) @@ -139,16 +150,10 @@ func CheckLinux(spec specs.Linux, rootfs string) { } } - if len(spec.ApparmorProfile) > 0 { - profilePath := path.Join(rootfs, "/etc/apparmor.d", spec.ApparmorProfile) - _, err := os.Stat(profilePath) - if err != nil { - logrus.Fatal(err) - } + if spec.Seccomp != nil { + CheckSeccomp(*spec.Seccomp) } - CheckSeccomp(spec.Seccomp) - switch spec.RootfsPropagation { case "": case "private": @@ -224,16 +229,16 @@ func namespaceValid(ns specs.Namespace) bool { func deviceValid(d specs.Device) bool { switch d.Type { - case 'b': - case 'c': - case 'u': + case "b": + case "c": + case "u": if d.Major <= 0 { return false } if d.Minor <= 0 { return false } - case 'p': + case "p": if d.Major > 0 || d.Minor > 0 { return false } diff --git a/cmd/runtimetest/main.go b/cmd/runtimetest/main.go index d12f351dd..1b77e89b2 100644 --- a/cmd/runtimetest/main.go +++ b/cmd/runtimetest/main.go @@ -11,13 +11,13 @@ import ( "syscall" "github.com/Sirupsen/logrus" - "github.com/opencontainers/specs" + "github.com/opencontainers/specs/specs-go" "github.com/syndtr/gocapability/capability" ) -type validation func(*specs.LinuxSpec) error +type validation func(*specs.Spec) error -func loadSpecConfig() (spec *specs.LinuxSpec, err error) { +func loadSpecConfig() (spec *specs.Spec, err error) { cPath := "config.json" cf, err := os.Open(cPath) if err != nil { @@ -33,7 +33,7 @@ func loadSpecConfig() (spec *specs.LinuxSpec, err error) { return spec, nil } -func validateProcess(spec *specs.LinuxSpec) error { +func validateProcess(spec *specs.Spec) error { fmt.Println("validating container process") uid := os.Getuid() if uint32(uid) != spec.Process.User.UID { @@ -98,7 +98,7 @@ func validateProcess(spec *specs.LinuxSpec) error { return nil } -func validateCapabilities(spec *specs.LinuxSpec) error { +func validateCapabilities(spec *specs.Spec) error { fmt.Println("validating capabilities") capabilityMap := make(map[string]capability.Cap) expectedCaps := make(map[capability.Cap]bool) @@ -116,7 +116,7 @@ func validateCapabilities(spec *specs.LinuxSpec) error { expectedCaps[cap] = false } - for _, ec := range spec.Linux.Capabilities { + for _, ec := range spec.Process.Capabilities { cap := capabilityMap[ec] expectedCaps[cap] = true } @@ -140,7 +140,7 @@ func validateCapabilities(spec *specs.LinuxSpec) error { return nil } -func validateHostname(spec *specs.LinuxSpec) error { +func validateHostname(spec *specs.Spec) error { fmt.Println("validating hostname") hostname, err := os.Hostname() if err != nil { @@ -152,9 +152,9 @@ func validateHostname(spec *specs.LinuxSpec) error { return nil } -func validateRlimits(spec *specs.LinuxSpec) error { +func validateRlimits(spec *specs.Spec) error { fmt.Println("validating rlimits") - for _, r := range spec.Linux.Rlimits { + for _, r := range spec.Process.Rlimits { rl, err := strToRlimit(r.Type) if err != nil { return err @@ -175,7 +175,7 @@ func validateRlimits(spec *specs.LinuxSpec) error { return nil } -func validateSysctls(spec *specs.LinuxSpec) error { +func validateSysctls(spec *specs.Spec) error { fmt.Println("validating sysctls") for k, v := range spec.Linux.Sysctl { keyPath := filepath.Join("/proc/sys", strings.Replace(k, ".", "/", -1)) diff --git a/generate.go b/generate.go index e83145c84..11633b388 100644 --- a/generate.go +++ b/generate.go @@ -10,7 +10,7 @@ import ( "github.com/Sirupsen/logrus" "github.com/codegangsta/cli" - "github.com/opencontainers/specs" + "github.com/opencontainers/specs/specs-go" "github.com/syndtr/gocapability/capability" ) @@ -90,17 +90,17 @@ var generateCommand = cli.Command{ }, } -func modify(spec *specs.LinuxSpec, context *cli.Context) error { +func modify(spec *specs.Spec, context *cli.Context) error { spec.Root.Path = context.String("rootfs") spec.Root.Readonly = context.Bool("read-only") spec.Hostname = context.String("hostname") spec.Process.User.UID = uint32(context.Int("uid")) spec.Process.User.GID = uint32(context.Int("gid")) - spec.Linux.SelinuxProcessLabel = context.String("selinux-label") + spec.Process.SelinuxLabel = context.String("selinux-label") spec.Platform.OS = context.String("os") spec.Platform.Arch = context.String("arch") spec.Process.Cwd = context.String("cwd") - spec.Linux.ApparmorProfile = context.String("apparmor") + spec.Process.ApparmorProfile = context.String("apparmor") for i, a := range context.StringSlice("args") { if a != "" { @@ -158,7 +158,7 @@ func modify(spec *specs.LinuxSpec, context *cli.Context) error { return nil } -func addSeccompDefault(spec *specs.LinuxSpec, sdefault string) error { +func addSeccompDefault(spec *specs.Spec, sdefault string, secc *specs.Seccomp) error { switch sdefault { case "": case "SCMP_ACT_KILL": @@ -171,11 +171,11 @@ func addSeccompDefault(spec *specs.LinuxSpec, sdefault string) error { "SCMP_ACT_KILL|SCMP_ACT_TRAP|SCMP_ACT_ERRNO|SCMP_ACT_TRACE|" + "SCMP_ACT_ALLOW") } - spec.Linux.Seccomp.DefaultAction = specs.Action(sdefault) + secc.DefaultAction = specs.Action(sdefault) return nil } -func addSeccompArch(spec *specs.LinuxSpec, sArch []string) error { +func addSeccompArch(spec *specs.Spec, sArch []string, secc *specs.Seccomp) error { for _, archs := range sArch { switch archs { case "": @@ -197,13 +197,13 @@ func addSeccompArch(spec *specs.LinuxSpec, sArch []string) error { "SCMP_ARCH_MIPS64N32|SCMP_ARCH_MIPSEL|SCMP_ARCH_MIPSEL64|" + "SCMP_ARCH_MIPSEL64N32") } - spec.Linux.Seccomp.Architectures = append(spec.Linux.Seccomp.Architectures, specs.Arch(archs)) + secc.Architectures = append(secc.Architectures, specs.Arch(archs)) } return nil } -func addSeccompSyscall(spec *specs.LinuxSpec, sSyscall []string) error { +func addSeccompSyscall(spec *specs.Spec, sSyscall []string, secc *specs.Seccomp) error { for _, syscalls := range sSyscall { syscall := strings.Split(syscalls, ":") if len(syscall) == 3 { @@ -271,7 +271,7 @@ func addSeccompSyscall(spec *specs.LinuxSpec, sSyscall []string) error { Action: action, Args: Args, } - spec.Linux.Seccomp.Syscalls = append(spec.Linux.Seccomp.Syscalls, syscallstruct) + secc.Syscalls = append(secc.Syscalls, syscallstruct) } else { return fmt.Errorf("seccomp sysctl must consist of 3 parameters") } @@ -280,20 +280,24 @@ func addSeccompSyscall(spec *specs.LinuxSpec, sSyscall []string) error { return nil } -func addSeccomp(spec *specs.LinuxSpec, context *cli.Context) error { - +func addSeccomp(spec *specs.Spec, context *cli.Context) error { + var secc specs.Seccomp sd := context.String("seccomp-default") sa := context.StringSlice("seccomp-arch") ss := context.StringSlice("seccomp-syscalls") + if sd == "" && len(sa) == 0 && len(ss) == 0 { + return nil + } + // Set the DefaultAction of seccomp - err := addSeccompDefault(spec, sd) + err := addSeccompDefault(spec, sd, &secc) if err != nil { return err } // Add the additional architectures permitted to be used for system calls - err = addSeccompArch(spec, sa) + err = addSeccompArch(spec, sa, &secc) if err != nil { return err } @@ -301,11 +305,12 @@ func addSeccomp(spec *specs.LinuxSpec, context *cli.Context) error { // Set syscall restrict in Seccomp // The format of input syscall string is Name:Action:Args[1],Args[2],...,Args[n] // The format of Args string is Index/Value/ValueTwo/Operator,and is parsed by function parseArgs() - err = addSeccompSyscall(spec, ss) + err = addSeccompSyscall(spec, ss, &secc) if err != nil { return err } + spec.Linux.Seccomp = &secc return nil } @@ -348,7 +353,7 @@ func parseArgs(args2parse string) ([]*specs.Arg, error) { return Args, nil } -func addIDMappings(spec *specs.LinuxSpec, context *cli.Context) error { +func addIDMappings(spec *specs.Spec, context *cli.Context) error { for _, uidms := range context.StringSlice("uidmappings") { idm := strings.Split(uidms, ":") if len(idm) == 3 { @@ -396,7 +401,7 @@ func addIDMappings(spec *specs.LinuxSpec, context *cli.Context) error { return nil } -func addRootPropagation(spec *specs.LinuxSpec, context *cli.Context) error { +func addRootPropagation(spec *specs.Spec, context *cli.Context) error { rp := context.String("root-propagation") switch rp { case "": @@ -413,7 +418,7 @@ func addRootPropagation(spec *specs.LinuxSpec, context *cli.Context) error { return nil } -func addHooks(spec *specs.LinuxSpec, context *cli.Context) error { +func addHooks(spec *specs.Spec, context *cli.Context) error { for _, pre := range context.StringSlice("prestart") { parts := strings.Split(pre, ":") args := []string{} @@ -444,7 +449,7 @@ func addHooks(spec *specs.LinuxSpec, context *cli.Context) error { return nil } -func addTmpfsMounts(spec *specs.LinuxSpec, context *cli.Context) error { +func addTmpfsMounts(spec *specs.Spec, context *cli.Context) error { for _, dest := range context.StringSlice("tmpfs") { mnt := specs.Mount{ Destination: dest, @@ -457,7 +462,7 @@ func addTmpfsMounts(spec *specs.LinuxSpec, context *cli.Context) error { return nil } -func mountCgroups(spec *specs.LinuxSpec, context *cli.Context) error { +func mountCgroups(spec *specs.Spec, context *cli.Context) error { mountCgroupOption := context.String("mount-cgroups") switch mountCgroupOption { case "ro": @@ -479,7 +484,7 @@ func mountCgroups(spec *specs.LinuxSpec, context *cli.Context) error { return nil } -func addBindMounts(spec *specs.LinuxSpec, context *cli.Context) error { +func addBindMounts(spec *specs.Spec, context *cli.Context) error { for _, b := range context.StringSlice("bind") { var source, dest string options := "ro" @@ -504,7 +509,7 @@ func addBindMounts(spec *specs.LinuxSpec, context *cli.Context) error { return nil } -func setupCapabilities(spec *specs.LinuxSpec, context *cli.Context) error { +func setupCapabilities(spec *specs.Spec, context *cli.Context) error { var finalCapList []string // Add all capabilities in privileged mode. @@ -513,7 +518,7 @@ func setupCapabilities(spec *specs.LinuxSpec, context *cli.Context) error { for _, cap := range capability.List() { finalCapList = append(finalCapList, fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String()))) } - spec.Linux.Capabilities = finalCapList + spec.Process.Capabilities = finalCapList return nil } @@ -556,7 +561,7 @@ func setupCapabilities(spec *specs.LinuxSpec, context *cli.Context) error { finalCapList = append(finalCapList, c) } } - spec.Linux.Capabilities = finalCapList + spec.Process.Capabilities = finalCapList return nil } @@ -580,7 +585,7 @@ func mapStrToNamespace(ns string, path string) specs.Namespace { return specs.Namespace{} } -func setupNamespaces(spec *specs.LinuxSpec, context *cli.Context) { +func setupNamespaces(spec *specs.Spec, context *cli.Context) { namespaces := []string{"network", "pid", "mount", "ipc", "uts"} var linuxNs []specs.Namespace for _, nsName := range namespaces { @@ -594,34 +599,28 @@ func setupNamespaces(spec *specs.LinuxSpec, context *cli.Context) { spec.Linux.Namespaces = linuxNs } -func getDefaultTemplate() specs.LinuxSpec { - spec := specs.LinuxSpec{ - Spec: specs.Spec{ - Version: specs.Version, - Platform: specs.Platform{ - OS: runtime.GOOS, - Arch: runtime.GOARCH, - }, - Root: specs.Root{ - Path: "", - Readonly: false, +func getDefaultTemplate() specs.Spec { + spec := specs.Spec{ + Version: specs.Version, + Platform: specs.Platform{ + OS: runtime.GOOS, + Arch: runtime.GOARCH, + }, + Root: specs.Root{ + Path: "", + Readonly: false, + }, + Process: specs.Process{ + Terminal: true, + User: specs.User{}, + Args: []string{ + "sh", }, - Process: specs.Process{ - Terminal: true, - User: specs.User{}, - Args: []string{ - "sh", - }, - Env: []string{ - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", - "TERM=xterm", - }, - Cwd: "/", + Env: []string{ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "TERM=xterm", }, - Hostname: "shell", - Mounts: []specs.Mount{}, - }, - Linux: specs.Linux{ + Cwd: "/", Capabilities: []string{ "CAP_CHOWN", "CAP_DAC_OVERRIDE", @@ -638,6 +637,17 @@ func getDefaultTemplate() specs.LinuxSpec { "CAP_KILL", "CAP_AUDIT_WRITE", }, + Rlimits: []specs.Rlimit{ + { + Type: "RLIMIT_NOFILE", + Hard: uint64(1024), + Soft: uint64(1024), + }, + }, + }, + Hostname: "shell", + Mounts: []specs.Mount{}, + Linux: specs.Linux{ Namespaces: []specs.Namespace{ { Type: "pid", @@ -655,13 +665,6 @@ func getDefaultTemplate() specs.LinuxSpec { Type: "mount", }, }, - Rlimits: []specs.Rlimit{ - { - Type: "RLIMIT_NOFILE", - Hard: uint64(1024), - Soft: uint64(1024), - }, - }, Devices: []specs.Device{}, }, }