Skip to content

Commit

Permalink
move the description of user ns mapping and default files to proper f…
Browse files Browse the repository at this point in the history
…ilea

They should stay in runtime not config.

Signed-off-by: Gao feng <[email protected]>
  • Loading branch information
gao-feng committed Sep 14, 2015
1 parent dca1dfd commit 4dc623c
Show file tree
Hide file tree
Showing 3 changed files with 89 additions and 70 deletions.
46 changes: 0 additions & 46 deletions config-linux.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,49 +15,3 @@ Valid values are the strings for capabilities defined in [the man page](http://m
"CAP_NET_BIND_SERVICE"
]
```

## User namespace mappings

```json
"uidMappings": [
{
"hostID": 1000,
"containerID": 0,
"size": 10
}
],
"gidMappings": [
{
"hostID": 1000,
"containerID": 0,
"size": 10
}
]
```

uid/gid mappings describe the user namespace mappings from the host to the container.
The mappings represent how the bundle `rootfs` expects the user namespace to be setup and the runtime SHOULD NOT modify the permissions on the rootfs to realize the mapping.
*hostID* is the starting uid/gid on the host to be mapped to *containerID* which is the starting uid/gid in the container and *size* refers to the number of ids to be mapped.
There is a limit of 5 mappings which is the Linux kernel hard limit.

## Default Devices and File Systems

The Linux ABI includes both syscalls and several special file paths.
Applications expecting a Linux environment will very likely expect these files paths to be setup correctly.

The following devices and filesystems MUST be made available in each application's filesystem

| Path | Type | Notes |
| ------------ | ------ | ------- |
| /proc | [procfs](https://www.kernel.org/doc/Documentation/filesystems/proc.txt) | |
| /sys | [sysfs](https://www.kernel.org/doc/Documentation/filesystems/sysfs.txt) | |
| /dev/null | [device](http://man7.org/linux/man-pages/man4/null.4.html) | |
| /dev/zero | [device](http://man7.org/linux/man-pages/man4/zero.4.html) | |
| /dev/full | [device](http://man7.org/linux/man-pages/man4/full.4.html) | |
| /dev/random | [device](http://man7.org/linux/man-pages/man4/random.4.html) | |
| /dev/urandom | [device](http://man7.org/linux/man-pages/man4/random.4.html) | |
| /dev/tty | [device](http://man7.org/linux/man-pages/man4/tty.4.html) | |
| /dev/console | [device](http://man7.org/linux/man-pages/man4/console.4.html) | |
| /dev/pts | [devpts](https://www.kernel.org/doc/Documentation/filesystems/devpts.txt) | |
| /dev/ptmx | [device](https://www.kernel.org/doc/Documentation/filesystems/devpts.txt) | Bind-mount or symlink of /dev/pts/ptmx |
| /dev/shm | [tmpfs](https://www.kernel.org/doc/Documentation/filesystems/tmpfs.txt) | |
88 changes: 88 additions & 0 deletions runtime-config-linux.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ Each entry has a type field with possible values described below and an optional
If a path is specified, that particular file is used to join that type of namespace.
Also, when a path is specified, a runtime MUST assume that the setup for that particular namespace has already been done and error out if the config specifies anything else related to that namespace.

*Example*
```json
"namespaces": [
{
Expand Down Expand Up @@ -45,6 +46,31 @@ container via system level IPC.
* **user** the container will be able to remap user and group IDs from the host to local users and groups
within the container.

## User namespace mappings

uid/gid mappings describe the user namespace mappings from the host to the container.
The mappings represent how the bundle `rootfs` expects the user namespace to be setup and the runtime SHOULD NOT modify the permissions on the rootfs to realize the mapping.
*hostID* is the starting uid/gid on the host to be mapped to *containerID* which is the starting uid/gid in the container and *size* refers to the number of ids to be mapped.
There is a limit of 5 mappings which is the Linux kernel hard limit.

*Example*
```json
"uidMappings": [
{
"hostID": 1000,
"containerID": 0,
"size": 10
}
],
"gidMappings": [
{
"hostID": 1000,
"containerID": 0,
"size": 10
}
]
```

## Devices

Devices is an array specifying the list of devices to be created in the container.
Expand All @@ -61,6 +87,20 @@ Next parameters can be specified:
* uid - uid of device owner
* gid - gid of device owner

Note: The following devices MUST be made available in each Linux application's filesystem

| Path | Type | Notes |
| ------------ | ------ | ------- |
| /dev/null | [device](http://man7.org/linux/man-pages/man4/null.4.html) | |
| /dev/zero | [device](http://man7.org/linux/man-pages/man4/zero.4.html) | |
| /dev/full | [device](http://man7.org/linux/man-pages/man4/full.4.html) | |
| /dev/random | [device](http://man7.org/linux/man-pages/man4/random.4.html) | |
| /dev/urandom | [device](http://man7.org/linux/man-pages/man4/random.4.html) | |
| /dev/tty | [device](http://man7.org/linux/man-pages/man4/tty.4.html) | |
| /dev/console | [device](http://man7.org/linux/man-pages/man4/console.4.html) | |
| /dev/ptmx | [device](https://www.kernel.org/doc/Documentation/filesystems/devpts.txt) | Bind-mount or symlink of /dev/pts/ptmx |

*Example*
```json
"devices": [
{
Expand Down Expand Up @@ -126,6 +166,45 @@ Next parameters can be specified:
]
```

## Mounts

See the [description](runtime-config.md#mount_configuration) of Mounts.

Note: The following filesystems MUST be made available in each Linux application's filesystem

| Path | Type |
| ------------ | ------ |
| /proc | [procfs](https://www.kernel.org/doc/Documentation/filesystems/proc.txt) |
| /sys | [sysfs](https://www.kernel.org/doc/Documentation/filesystems/sysfs.txt) |
| /dev/pts | [devpts](https://www.kernel.org/doc/Documentation/filesystems/devpts.txt) |
| /dev/shm | [tmpfs](https://www.kernel.org/doc/Documentation/filesystems/tmpfs.txt) |

*Example*
```json
"mounts": {
"proc": {
"type": "proc",
"source": "proc",
"options": []
},
"dev": {
"type": "tmpfs",
"source": "tmpfs",
"options": ["nosuid","strictatime","mode=755","size=65536k"]
},
"devpts": {
"type": "devpts",
"source": "devpts",
"options": ["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]
},
"data": {
"type": "bind",
"source": "/volumes/testing",
"options": ["rbind","rw"]
}
}
```

## Control groups

Also known as cgroups, they are used to restrict resource usage for a container and handle device access.
Expand All @@ -140,6 +219,7 @@ The Spec does not include naming schema for cgroups.
The Spec does not support [split hierarchy](https://www.kernel.org/doc/Documentation/cgroups/unified-hierarchy.txt).
The cgroups will be created if they don't exist.

*Example*
```json
"cgroupsPath": "/myRuntime/myContainer"
```
Expand All @@ -148,6 +228,7 @@ The cgroups will be created if they don't exist.

Optionally, cgroups limits can be specified via `resources`.

*Example*
```json
"resources": {
"disableOOMKiller": false,
Expand Down Expand Up @@ -191,6 +272,7 @@ For example, to run a new process in an existing container without updating limi
sysctl allows kernel parameters to be modified at runtime for the container.
For more information, see [the man page](http://man7.org/linux/man-pages/man8/sysctl.8.html)

*Example*
```json
"sysctl": {
"net.ipv4.ip_forward": "1",
Expand All @@ -200,6 +282,7 @@ For more information, see [the man page](http://man7.org/linux/man-pages/man8/sy

## Rlimits

*Example*
```json
"rlimits": [
{
Expand All @@ -218,6 +301,8 @@ The kernel enforces the `soft` limit for a resource while the `hard` limit acts

SELinux process label specifies the label with which the processes in a container are run.
For more information about SELinux, see [Selinux documentation](http://selinuxproject.org/page/Main_Page)

*Example*
```json
"selinuxProcessLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675"
```
Expand All @@ -227,6 +312,7 @@ For more information about SELinux, see [Selinux documentation](http://selinuxp
Apparmor profile specifies the name of the apparmor profile that will be used for the container.
For more information about Apparmor, see [Apparmor documentation](https://wiki.ubuntu.com/AppArmor)

*Example*
```json
"apparmorProfile": "acme_secure_profile"
```
Expand All @@ -238,6 +324,7 @@ Seccomp configuration allows one to configure actions to take for matched syscal
For more information about Seccomp, see [Seccomp kernel documentation](https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt)
The actions and operators are strings that match the definitions in seccomp.h from [libseccomp](https://github.com/seccomp/libseccomp) and are translated to corresponding values.

*Example*
```json
"seccomp": {
"defaultAction": "SCMP_ACT_ALLOW",
Expand All @@ -256,6 +343,7 @@ rootfsPropagation sets the rootfs's mount propagation.
Its value is either slave, private, or shared.
[The kernel doc](https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt) has more information about mount propagation.

*Example*
```json
"rootfsPropagation": "slave",
```
25 changes: 1 addition & 24 deletions runtime-config.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,30 +12,7 @@ Only [mounts from the portable config](config.md#mount-points) will be mounted.

*Example (Linux)*

```json
"mounts": {
"proc": {
"type": "proc",
"source": "proc",
"options": []
},
"dev": {
"type": "tmpfs",
"source": "tmpfs",
"options": ["nosuid","strictatime","mode=755","size=65536k"]
},
"devpts": {
"type": "devpts",
"source": "devpts",
"options": ["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]
},
"data": {
"type": "bind",
"source": "/volumes/testing",
"options": ["rbind","rw"]
}
}
```
See Mounts [example](runtime-config-linux.md#mounts-in-linux) in Linux

*Example (Windows)*

Expand Down

0 comments on commit 4dc623c

Please sign in to comment.