The Linux container specification uses various kernel features like namespaces, cgroups, capabilities, LSM, and file system jails to fulfill the spec. Additional information is needed for Linux over the default spec configuration in order to configure these various kernel features.
The Linux ABI includes both syscalls and several special file paths. Applications expecting a Linux environment will very likely expect these files paths to be setup correctly.
The following filesystems MUST be made available in each application's filesystem
Path | Type |
---|---|
/proc | procfs |
/sys | sysfs |
/dev/pts | devpts |
/dev/shm | tmpfs |
A namespace wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource. Changes to the global resource are visible to other processes that are members of the namespace, but are invisible to other processes. For more information, see the man page.
Namespaces are specified as an array of entries inside the namespaces
root field.
The following parameters can be specified to setup namespaces:
type
(string, required) - namespace type. The following namespaces types are supported:
pid
processes inside the container will only be able to see other processes inside the same containernetwork
the container will have its own network stackmount
the container will have an isolated mount tableipc
processes inside the container will only be able to communicate to other processes inside the same container via system level IPCuts
the container will be able to have its own hostname and domain nameuser
the container will be able to remap user and group IDs from the host to local users and groups within the containerpath
(string, optional) - path to namespace file in the runtime mount namespace
If a path is specified, that particular file is used to join that type of namespace. Also, when a path is specified, a runtime MUST assume that the setup for that particular namespace has already been done and error out if the config specifies anything else related to that namespace.
"namespaces": [
{
"type": "pid",
"path": "/proc/1234/ns/pid"
},
{
"type": "network",
"path": "/var/run/netns/neta"
},
{
"type": "mount"
},
{
"type": "ipc"
},
{
"type": "uts"
},
{
"type": "user"
}
]
"uidMappings": [
{
"hostID": 1000,
"containerID": 0,
"size": 10
}
],
"gidMappings": [
{
"hostID": 1000,
"containerID": 0,
"size": 10
}
]
uid/gid mappings describe the user namespace mappings from the host to the container.
The mappings represent how the bundle rootfs
expects the user namespace to be setup and the runtime SHOULD NOT modify the permissions on the rootfs to realize the mapping.
hostID is the starting uid/gid on the host to be mapped to containerID which is the starting uid/gid in the container and size refers to the number of ids to be mapped.
There is a limit of 5 mappings which is the Linux kernel hard limit.
devices
is an array specifying the list of devices that MUST be available in the container.
The runtime may supply them however it likes (with mknod, by bind mounting from the runtime mount namespace, etc.).
The following parameters can be specified:
type
(string, required) - type of device: c
, b
, u
or p
.
More info in mknod(1).path
(string, required) - full path to device inside container.major, minor
*(int64, required unless type
is p
)* - major, minor numbers for the device.fileMode
(uint32, optional) - file mode for the device.
You can also control access to devices with cgroups.uid
(uint32, optional) - id of device owner.gid
(uint32, optional) - id of device group. "devices": [
{
"path": "/dev/fuse",
"type": "c",
"major": 10,
"minor": 229,
"fileMode": 438,
"uid": 0,
"gid": 0
},
{
"path": "/dev/sda",
"type": "b",
"major": 8,
"minor": 0,
"fileMode": 432,
"uid": 0,
"gid": 0
}
]
In addition to any devices configured with this setting, the runtime MUST also supply:
/dev/null
/dev/zero
/dev/full
/dev/random
/dev/urandom
/dev/tty
/dev/console
/dev/ptmx
.
A bind-mount or symlink of the container's /dev/pts/ptmx
.Also known as cgroups, they are used to restrict resource usage for a container and handle device access. cgroups provide controls to restrict cpu, memory, IO, pids and network for the container. For more information, see the kernel cgroups documentation.
The path to the cgroups can be specified in the Spec via cgroupsPath
.
cgroupsPath
is expected to be relative to the cgroups mount point.
If cgroupsPath
is not specified, implementations can define the default cgroup path.
Implementations of the Spec can choose to name cgroups in any manner.
The Spec does not include naming schema for cgroups.
The Spec does not support split hierarchy.
The cgroups will be created if they don't exist.
"cgroupsPath": "/myRuntime/myContainer"
cgroupsPath
can be used to either control the cgroups hierarchy for containers or to run a new process in an existing container.
You can configure a container's cgroups via the resources
field of the Linux configuration.
Do not specify resources
unless limits have to be updated.
For example, to run a new process in an existing container without updating limits, resources
need not be specified.
devices
is an array of entries to control the device whitelist.
The runtime MUST apply entries in the listed order.
The following parameters can be specified:
allow
(boolean, required) - whether the entry is allowed or denied.type
(string, optional) - type of device: a
(all), c
(char), or b
(block).
null
or unset values mean "all", mapping to a
.major, minor
(int64, optional) - major, minor numbers for the device.
null
or unset values mean "all", mapping to *
in the filesystem API.access
(string, optional) - cgroup permissions for device.
A composition of r
(read), w
(write), and m
(mknod). "devices": [
{
"allow": false,
"access": "rwm"
},
{
"allow": true,
"type": "c",
"major": 10,
"minor": 229,
"access": "rw"
},
{
"allow": true,
"type": "b",
"major": 8,
"minor": 0,
"access": "r"
}
]
disableOOMKiller
contains a boolean (true
or false
) that enables or disables the Out of Memory killer for a cgroup.
If enabled (false
), tasks that attempt to consume more memory than they are allowed are immediately killed by the OOM killer.
The OOM killer is enabled by default in every cgroup using the memory
subsystem.
To disable it, specify a value of true
.
For more information, see the memory cgroup man page.
disableOOMKiller
(bool, optional) - enables or disables the OOM killer "disableOOMKiller": false
oomScoreAdj
sets heuristic regarding how the process is evaluated by the kernel during memory pressure.
For more information, see the proc filesystem documentation section 3.1.
This is a kernel/system level setting, where as disableOOMKiller
is scoped for a memory cgroup.
For more information on how these two settings work together, see the memory cgroup documentation section 10. OOM Contol.
oomScoreAdj
(int, optional) - adjust the oom-killer score "oomScoreAdj": 100
memory
represents the cgroup subsystem memory
and it's used to set limits on the container's memory usage.
For more information, see the memory cgroup man page.
The following parameters can be specified to setup the controller:
limit
(uint64, optional) - sets limit of memory usage in bytes
reservation
(uint64, optional) - sets soft limit of memory usage in bytes
swap
(uint64, optional) - sets limit of memory+Swap usage
kernel
(uint64, optional) - sets hard limit for kernel memory
kernelTCP
(uint64, optional) - sets hard limit in bytes for kernel TCP buffer memory
swappiness
(uint64, optional) - sets swappiness parameter of vmscan (See sysctl's vm.swappiness)
"memory": {
"limit": 536870912,
"reservation": 536870912,
"swap": 536870912,
"kernel": 0,
"kernelTCP": 0,
"swappiness": 0
}
cpu
represents the cgroup subsystems cpu
and cpusets
.
For more information, see the cpusets cgroup man page.
The following parameters can be specified to setup the controller:
shares
(uint64, optional) - specifies a relative share of CPU time available to the tasks in a cgroup
quota
(uint64, optional) - specifies the total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by period
below)
period
(uint64, optional) - specifies a period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated (CFS scheduler only)
realtimeRuntime
(uint64, optional) - specifies a period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources
realtimePeriod
(uint64, optional) - same as period
but applies to realtime scheduler only
cpus
(string, optional) - list of CPUs the container will run in
mems
(string, optional) - list of Memory Nodes the container will run in
"cpu": {
"shares": 1024,
"quota": 1000000,
"period": 500000,
"realtimeRuntime": 950000,
"realtimePeriod": 1000000,
"cpus": "2-3",
"mems": "0-7"
}
blockIO
represents the cgroup subsystem blkio
which implements the block io controller.
For more information, see the kernel cgroups documentation about blkio.
The following parameters can be specified to setup the controller:
blkioWeight
(uint16, optional) - specifies per-cgroup weight. This is default weight of the group on all devices until and unless overridden by per-device rules. The range is from 10 to 1000.
blkioLeafWeight
(uint16, optional) - equivalents of blkioWeight
for the purpose of deciding how much weight tasks in the given cgroup has while competing with the cgroup's child cgroups. The range is from 10 to 1000.
blkioWeightDevice
(array, optional) - specifies the list of devices which will be bandwidth rate limited. The following parameters can be specified per-device:
major, minor
(int64, required) - major, minor numbers for device. More info in man mknod
.weight
(uint16, optional) - bandwidth rate for the device, range is from 10 to 1000leafWeight
(uint16, optional) - bandwidth rate for the device while competing with the cgroup's child cgroups, range is from 10 to 1000, CFQ scheduler onlyYou must specify at least one of weight
or leafWeight
in a given entry, and can specify both.
blkioThrottleReadBpsDevice
, blkioThrottleWriteBpsDevice
, blkioThrottleReadIOPSDevice
, blkioThrottleWriteIOPSDevice
(array, optional) - specify the list of devices which will be IO rate limited. The following parameters can be specified per-device:
major, minor
(int64, required) - major, minor numbers for device. More info in man mknod
.rate
(uint64, required) - IO rate limit for the device "blockIO": {
"blkioWeight": 10,
"blkioLeafWeight": 10,
"blkioWeightDevice": [
{
"major": 8,
"minor": 0,
"weight": 500,
"leafWeight": 300
},
{
"major": 8,
"minor": 16,
"weight": 500
}
],
"blkioThrottleReadBpsDevice": [
{
"major": 8,
"minor": 0,
"rate": 600
}
],
"blkioThrottleWriteIOPSDevice": [
{
"major": 8,
"minor": 16,
"rate": 300
}
]
}
hugepageLimits
represents the hugetlb
controller which allows to limit the
HugeTLB usage per control group and enforces the controller limit during page fault.
For more information, see the kernel cgroups documentation about HugeTLB.
hugepageLimits
is an array of entries, each having the following structure:
pageSize
(string, required) - hugepage size
limit
(uint64, required) - limit in bytes of hugepagesize HugeTLB usage
"hugepageLimits": [
{
"pageSize": "2MB",
"limit": 9223372036854771712
}
]
network
represents the cgroup subsystems net_cls
and net_prio
.
For more information, see the net_cls cgroup man page and the net_prio cgroup man page.
The following parameters can be specified to setup these cgroup controllers:
classID
(uint32, optional) - is the network class identifier the cgroup's network packets will be tagged with
priorities
(array, optional) - specifies a list of objects of the priorities assigned to traffic originating from
processes in the group and egressing the system on various interfaces. The following parameters can be specified per-priority:
name
(string, required) - interface namepriority
(uint32, required) - priority applied to the interface "network": {
"classID": 1048577,
"priorities": [
{
"name": "eth0",
"priority": 500
},
{
"name": "eth1",
"priority": 1000
}
]
}
pids
represents the cgroup subsystem pids
.
For more information, see the pids cgroup man page.
The following parameters can be specified to setup the controller:
limit
(int64, required) - specifies the maximum number of tasks in the cgroup "pids": {
"limit": 32771
}
sysctl
allows kernel parameters to be modified at runtime for the container.
For more information, see the man page
"sysctl": {
"net.ipv4.ip_forward": "1",
"net.core.somaxconn": "256"
}
Seccomp provides application sandboxing mechanism in the Linux kernel. Seccomp configuration allows one to configure actions to take for matched syscalls and furthermore also allows matching on values passed as arguments to syscalls. For more information about Seccomp, see Seccomp kernel documentation The actions, architectures, and operators are strings that match the definitions in seccomp.h from libseccomp and are translated to corresponding values. A valid list of constants as of Libseccomp v2.2.3 is contained below.
Architecture Constants
SCMP_ARCH_X86
SCMP_ARCH_X86_64
SCMP_ARCH_X32
SCMP_ARCH_ARM
SCMP_ARCH_AARCH64
SCMP_ARCH_MIPS
SCMP_ARCH_MIPS64
SCMP_ARCH_MIPS64N32
SCMP_ARCH_MIPSEL
SCMP_ARCH_MIPSEL64
SCMP_ARCH_MIPSEL64N32
Action Constants:
SCMP_ACT_KILL
SCMP_ACT_TRAP
SCMP_ACT_ERRNO
SCMP_ACT_TRACE
SCMP_ACT_ALLOW
Operator Constants:
SCMP_CMP_NE
SCMP_CMP_LT
SCMP_CMP_LE
SCMP_CMP_EQ
SCMP_CMP_GE
SCMP_CMP_GT
SCMP_CMP_MASKED_EQ
"seccomp": {
"defaultAction": "SCMP_ACT_ALLOW",
"architectures": [
"SCMP_ARCH_X86"
],
"syscalls": [
{
"name": "getcwd",
"action": "SCMP_ACT_ERRNO"
}
]
}
rootfsPropagation
sets the rootfs's mount propagation.
Its value is either slave, private, or shared.
The kernel doc has more information about mount propagation.
"rootfsPropagation": "slave",
maskedPaths
will mask over the provided paths inside the container so that they cannot be read.
"maskedPaths": [
"/proc/kcore"
]
readonlyPaths
will set the provided paths as readonly inside the container.
"readonlyPaths": [
"/proc/sys"
]
mountLabel
will set the Selinux context for the mounts in the container.
"mountLabel": "system_u:object_r:svirt_sandbox_file_t:s0:c715,c811"