Barring access control concerns, the entity using a runtime to create a container MUST be able to use the operations defined in this specification against that same container. Whether other entities using the same, or other, instance of the runtime can see that container is out of scope of this specification.
The state of a container MUST include, at least, the following propeties:
ociVersion
: (string) is the OCI specification version used when creating the container.id
: (string) is the container's ID.
This MUST be unique across all containers on this host.
There is no requirement that it be unique across hosts.
The ID is provided in the state because hooks will be executed with the state as the payload.
This allows the hooks to perform cleanup and teardown logic after the runtime destroys its own state.pid
: (int) is the ID of the main process within the container, as seen by the host.bundlePath
: (string) is the absolute path to the container's bundle directory.
This is provided so that consumers can find the container's configuration and root filesystem on the host.When serialized in JSON, the format MUST adhere to the following pattern:
{
"ociVersion": "0.2.0",
"id": "oci-container1",
"pid": 4422,
"bundlePath": "/containers/redis"
}
See Query State for information on retrieving the state of a container.
The lifecycle describes the timeline of events that happen from when a container is created to when it ceases to exist.
config.json
.
Any updates to config.json
after container is running MUST not affect the container.Note: The lifecycle is a WIP and it will evolve as we have more use cases and more information on the viability of a separate create phase.
OCI compliant runtimes MUST support the following operations, unless the operation is not supported by the base operating system.
In cases where the specified operation generates an error, this specification does not mandate how, or even if, that error is returned or exposed to the user of an implementation. Unless otherwise stated, generating an error MUST leave the state of the environment as if the operation were never attempted - modulo any possible trivial ancillary changes such as logging.
state <container-id>
This operation MUST generate an error if it is not provided the ID of a container. This operation MUST return the state of a container as specified in the State section. In particular, the state MUST be serialized as JSON.
start <container-id> <path-to-bundle>
This operation MUST generate an error if it is not provided a path to the bundle and the container ID to associate with the container.
If the ID provided is not unique across all containers within the scope of the runtime, or is not valid in any other way, the implementation MUST generate an error.
Using the data in config.json
, that are in the bundle's directory, this operation MUST create a new container.
This includes creating the relevant namespaces, resource limits, etc and configuring the appropriate capabilities for the container.
A new process within the scope of the container MUST be created as specified by the config.json
file otherwise an error MUST be generated.
Attempting to start an already running container MUST have no effect on the container and MUST generate an error.
stop <container-id>
This operation MUST generate an error if it is not provided the container ID.
This operation MUST stop and delete a running container.
Stopping a container MUST stop all of the processes running within the scope of the container.
Deleting a container MUST delete the associated namespaces and resources associated with the container.
Once a container is deleted, its id
MAY be used by subsequent containers.
Attempting to stop a container that is not running MUST have no effect on the container and MUST generate an error.
Many of the operations specified in this specification have "hooks" that allow for additional actions to be taken before or after each operation. See runtime configuration for hooks for more information.