├── .gitattributes ├── .github └── workflows │ ├── build.yml │ └── lint.yml ├── .gitignore ├── .mailmap ├── .tool └── version-doc.go ├── CODEOWNERS ├── ChangeLog ├── EMERITUS.md ├── GOVERNANCE.md ├── LICENSE ├── MAINTAINERS ├── Makefile ├── README.md ├── RELEASES.md ├── bundle.md ├── config-linux.md ├── config-solaris.md ├── config-vm.md ├── config-windows.md ├── config-zos.md ├── config.md ├── features-linux.md ├── features.md ├── glossary.md ├── implementations.md ├── principles.md ├── runtime-linux.md ├── runtime.md ├── schema ├── Makefile ├── README.md ├── config-linux.json ├── config-schema.json ├── config-solaris.json ├── config-vm.json ├── config-windows.json ├── config-zos.json ├── defs-linux.json ├── defs-vm.json ├── defs-windows.json ├── defs-zos.json ├── defs.json ├── features-linux.json ├── features-schema.json ├── state-schema.json ├── test │ ├── config │ │ ├── bad │ │ │ ├── invalid-json.json │ │ │ ├── linux-hugepage.json │ │ │ ├── linux-netdevice.json │ │ │ └── linux-rdma.json │ │ └── good │ │ │ ├── linux-netdevice.json │ │ │ ├── linux-rdma.json │ │ │ ├── minimal-for-start.json │ │ │ ├── minimal.json │ │ │ ├── spec-example.json │ │ │ ├── zos-example.json │ │ │ └── zos-minimal.json │ ├── features │ │ ├── bad │ │ │ └── missing-ociVersionMax.json │ │ └── good │ │ │ ├── minimal.json │ │ │ └── runc.json │ └── state │ │ ├── bad │ │ └── invalid-json.json │ │ └── good │ │ └── spec-example.json └── validate.go ├── spec.md ├── specs-go ├── config.go ├── features │ └── features.go ├── state.go └── version.go └── style.md /.gitattributes: -------------------------------------------------------------------------------- 1 | # https://tools.ietf.org/html/rfc5545#section-3.1 2 | *.ics text eol=crlf 3 | -------------------------------------------------------------------------------- /.github/workflows/build.yml: -------------------------------------------------------------------------------- 1 | name: build 2 | 3 | on: 4 | push: 5 | branches: 6 | - main 7 | 
pull_request: 8 | branches: 9 | - main 10 | 11 | jobs: 12 | run: 13 | runs-on: ubuntu-latest 14 | 15 | strategy: 16 | matrix: 17 | go: [1.21.x, 1.22.x] 18 | 19 | steps: 20 | - name: checkout source code 21 | uses: actions/checkout@v4 22 | 23 | - name: setup go environment 24 | uses: actions/setup-go@v5 25 | with: 26 | go-version: ${{ matrix.go }} 27 | 28 | - name: create go.mod 29 | run: | 30 | # Fix for "cannot find main module" issue 31 | go mod init github.com/opencontainers/runtime-spec 32 | 33 | go get -d ./schema/... 34 | 35 | - name: run golangci-lint 36 | uses: golangci/golangci-lint-action@v4 37 | with: 38 | version: v1.56.1 39 | args: --verbose 40 | 41 | - name: run tests 42 | run: | 43 | set -x 44 | make install.tools 45 | 46 | make .govet 47 | 48 | make .gitvalidation 49 | make docs 50 | make -C schema test 51 | -------------------------------------------------------------------------------- /.github/workflows/lint.yml: -------------------------------------------------------------------------------- 1 | name: Lint 2 | 3 | on: [push, pull_request] 4 | 5 | jobs: 6 | check-format: 7 | runs-on: ubuntu-24.04 8 | steps: 9 | - name: Checkout code 10 | uses: actions/checkout@v4 11 | - name: Run make -C schema fmt 12 | run: make -C schema fmt 13 | - name: Check for changes 14 | run: git diff --exit-code 15 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | output 2 | schema/validate 3 | version.md 4 | -------------------------------------------------------------------------------- /.mailmap: -------------------------------------------------------------------------------- 1 | Aleksa Sarai 2 | Alexander Morozov 3 | Amit Saha 4 | Antonio Murdaca 5 | Brandon Philips 6 | Brandon Philips 7 | ChengTiesheng 8 | Daniel, Dao Quang Minh 9 | Doug Davis 10 | James O. D. 
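Hunt 11 | John Howard 12 | LinZhinan(Zen Lin) 13 | Mrunal Patel 14 | Mrunal Patel 15 | Mrunal Patel 16 | Vincent Batts 17 | Vincent Batts 18 | Vishnu Kannan 19 | Vishnu Kannan 20 | Zefan Li 21 | 梁辰晔 (Liang Chenye) 22 | -------------------------------------------------------------------------------- /.tool/version-doc.go: --------------------------------------------------------------------------------
//go:build ignore
// +build ignore

// Command version-doc prints a Markdown fragment naming the current
// specification version (specs.Version). The Makefile runs it as
// `go run ./.tool/version-doc.go > version.md`.
package main

import (
	"fmt"
	"html/template"
	"os"

	"github.com/opencontainers/runtime-spec/specs-go"
)

// markdownTemplateString is the Markdown fragment written to stdout;
// {{.}} is replaced by the value passed to Execute (the version string).
var markdownTemplateString = `

**Specification Version:** *{{.}}*

`

// markdownTemplate is parsed once at package init. Must panics on a
// malformed template, which is acceptable for a build-time helper.
// html/template escapes the interpolated value; a plain version string is
// unaffected, and an unexpected value cannot inject markup into the doc.
var markdownTemplate = template.Must(template.New("markdown").Parse(markdownTemplateString))

// main renders the fragment to stdout. On failure it reports the error on
// stderr and exits non-zero, so the Makefile's `version.md` rule fails
// instead of silently accepting an empty or partial output file.
func main() {
	if err := markdownTemplate.Execute(os.Stdout, specs.Version); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
-------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @AkihiroSuda @crosbymichael @cyphar @dqminh @giuseppe @hqhq @kolyshkin @mrunalp @thaJeztah @tianon @utam0k 2 | -------------------------------------------------------------------------------- /EMERITUS.md: -------------------------------------------------------------------------------- 1 | # Emeritus 2 | 3 | We would like to acknowledge previous OCI runtime spec maintainers and their huge contributions to our collective success: 4 | 5 | - Rohit Jnagal (@rjnagal) 6 | - Victor Marmol (@vmarmol) 7 | - Alexander Morozov (@LK4D4) 8 | - Vishnu Kannan (@vishh) 9 | - Brandon Philips (@philips) 10 | - Vincent Batts (@vbatts) 11 | 12 | We thank these members for their service to the OCI community. 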
13 | -------------------------------------------------------------------------------- /GOVERNANCE.md: -------------------------------------------------------------------------------- 1 | # Project governance 2 | 3 | The [OCI charter][charter] §5.b.viii tasks an OCI Project's maintainers (listed in the repository's MAINTAINERS file and sometimes referred to as "the TDC", [§5.e][charter]) with: 4 | 5 | > Creating, maintaining and enforcing governance guidelines for the TDC, approved by the maintainers, and which shall be posted visibly for the TDC. 6 | 7 | This document describes generic rules and procedures for fulfilling that mandate. 8 | 9 | ## Proposing a motion 10 | 11 | A maintainer SHOULD propose a motion on the dev@opencontainers.org mailing list (except [security issues](#security-issues)) with another maintainer as a co-sponsor. 12 | 13 | ## Voting 14 | 15 | Voting on a proposed motion SHOULD happen on the dev@opencontainers.org mailing list (except [security issues](#security-issues)) with maintainers posting LGTM or REJECT. 16 | Maintainers MAY also explicitly not vote by posting ABSTAIN (which is useful to revert a previous vote). 17 | Maintainers MAY post multiple times (e.g. as they revise their position based on feedback), but only their final post counts in the tally. 18 | A proposed motion is adopted if two-thirds of votes cast, a quorum having voted, are in favor of the motion. 19 | 20 | Voting SHOULD remain open for a week to collect feedback from the wider community and allow the maintainers to digest the proposed motion. 21 | Under exceptional conditions (e.g. non-major security fix releases), proposals which reach quorum with unanimous support MAY be adopted earlier. 22 | 23 | A maintainer MAY choose to reply with REJECT. 24 | A maintainer posting a REJECT MUST include a list of concerns or links to written documentation for those concerns (e.g. GitHub issues or mailing-list threads). 
25 | The maintainers SHOULD try to resolve the concerns and wait for the rejecting maintainer to change their opinion to LGTM. 26 | However, a motion MAY be adopted with REJECTs, as outlined in the previous paragraphs. 27 | 28 | ## Quorum 29 | 30 | A quorum is established when at least two-thirds of maintainers have voted. 31 | 32 | For projects that are not specifications, a [motion to release](#release-approval) MAY be adopted if the tally is at least three LGTMs and no REJECTs, even if three votes do not meet the usual two-thirds quorum. 33 | 34 | ## Security issues 35 | 36 | Motions with sensitive security implications MUST be proposed on the security@opencontainers.org mailing list instead of dev@opencontainers.org, but should otherwise follow the standard [proposal](#proposing-a-motion) process. 37 | The security@opencontainers.org mailing list includes all members of the TOB. 38 | The TOB will contact the project maintainers and provide a channel for discussing and voting on the motion, but voting will otherwise follow the standard [voting](#voting) and [quorum](#quorum) rules. 39 | The TOB and project maintainers will work together to notify affected parties before making an adopted motion public. 40 | 41 | ## Amendments 42 | 43 | The [project governance](#project-governance) rules and procedures MAY be amended or replaced using the procedures themselves. 44 | The MAINTAINERS of this project governance document are the total set of MAINTAINERS from all Open Containers projects (runC, runtime-spec, and image-spec). 45 | 46 | ## Subject templates 47 | 48 | Maintainers are busy and get lots of email. 49 | To make project proposals recognizable, proposed motions SHOULD use the following subject templates. 
50 | 51 | ### Proposing a motion 52 | 53 | > [{project} VOTE]: {motion description} (closes {end of voting window}) 54 | 55 | For example: 56 | 57 | > [runtime-spec VOTE]: Tag 0647920 as 1.0.0-rc (closes 2016-06-03 20:00 UTC) 58 | 59 | ### Tallying results 60 | 61 | After voting closes, a maintainer SHOULD post a tally to the motion thread with a subject template like: 62 | 63 | > [{project} {status}]: {motion description} (+{LGTMs} -{REJECTs} #{ABSTAINs}) 64 | 65 | Where `{status}` is either `adopted` or `rejected`. 66 | For example: 67 | 68 | > [runtime-spec adopted]: Tag 0647920 as 1.0.0-rc (+6 -0 #3) 69 | 70 | [charter]: https://github.com/opencontainers/tob/blob/main/CHARTER.md 71 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 
26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. 
For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. 
If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. 
You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. 
You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | Copyright 2015 The Linux Foundation. 180 | 181 | Licensed under the Apache License, Version 2.0 (the "License"); 182 | you may not use this file except in compliance with the License. 
183 | You may obtain a copy of the License at 184 | 185 | http://www.apache.org/licenses/LICENSE-2.0 186 | 187 | Unless required by applicable law or agreed to in writing, software 188 | distributed under the License is distributed on an "AS IS" BASIS, 189 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 190 | See the License for the specific language governing permissions and 191 | limitations under the License. 192 | -------------------------------------------------------------------------------- /MAINTAINERS: -------------------------------------------------------------------------------- 1 | Michael Crosby (@crosbymichael) 2 | Mrunal Patel (@mrunalp) 3 | Daniel, Dao Quang Minh (@dqminh) 4 | Tianon Gravi (@tianon) 5 | Qiang Huang (@hqhq) 6 | Aleksa Sarai (@cyphar) 7 | Giuseppe Scrivano (@giuseppe) 8 | Akihiro Suda (@AkihiroSuda) 9 | Kir Kolyshkin (@kolyshkin) 10 | Sebastiaan van Stijn (@thaJeztah) 11 | Toru Komatsu (@utam0k) 12 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | 2 | EPOCH_TEST_COMMIT := 78e6667ae2d67aad100b28ee9580b41b7a24e667 3 | OUTPUT_DIRNAME ?= output 4 | DOC_FILENAME ?= oci-runtime-spec 5 | DOCKER ?= $(shell command -v docker 2>/dev/null) 6 | PANDOC ?= $(shell command -v pandoc 2>/dev/null) 7 | PANDOC_IMAGE ?= ghcr.io/opencontainers/pandoc:2.9.2.1-9.fc34.x86_64@sha256:590c5c7aaa6e8e7a4debae7e9102c837daa0c8a76f8f5b5c9831ea5f755e3e95 8 | ifeq "$(strip $(PANDOC))" '' 9 | ifneq "$(strip $(DOCKER))" '' 10 | PANDOC = $(DOCKER) run \ 11 | --security-opt label=disable \ 12 | --rm \ 13 | -v $(shell pwd)/:/input/:ro \ 14 | -v $(shell pwd)/$(OUTPUT_DIRNAME)/:/$(OUTPUT_DIRNAME)/ \ 15 | -u $(shell id -u) \ 16 | $(PANDOC_IMAGE) 17 | PANDOC_SRC := /input/ 18 | PANDOC_DST := / 19 | endif 20 | endif 21 | 22 | # These docs are in an order that determines how they show up in the PDF/HTML docs. 
23 | DOC_FILES := \ 24 | version.md \ 25 | spec.md \ 26 | principles.md \ 27 | bundle.md \ 28 | runtime.md \ 29 | runtime-linux.md \ 30 | config.md \ 31 | config-linux.md \ 32 | config-solaris.md \ 33 | features.md \ 34 | features-linux.md \ 35 | glossary.md 36 | 37 | default: docs 38 | 39 | docs: $(OUTPUT_DIRNAME)/$(DOC_FILENAME).pdf $(OUTPUT_DIRNAME)/$(DOC_FILENAME).html 40 | 41 | ifeq "$(strip $(PANDOC))" '' 42 | $(OUTPUT_DIRNAME)/$(DOC_FILENAME).pdf $(OUTPUT_DIRNAME)/$(DOC_FILENAME).html: 43 | $(error cannot build $@ without either pandoc or docker) 44 | else 45 | $(OUTPUT_DIRNAME)/$(DOC_FILENAME).pdf: $(DOC_FILES) 46 | mkdir -p $(OUTPUT_DIRNAME)/ && \ 47 | $(PANDOC) -f markdown_github -t latex -o $(PANDOC_DST)$@ $(patsubst %,$(PANDOC_SRC)%,$(DOC_FILES)) 48 | 49 | $(OUTPUT_DIRNAME)/$(DOC_FILENAME).html: $(DOC_FILES) 50 | mkdir -p $(OUTPUT_DIRNAME)/ && \ 51 | $(PANDOC) -f markdown_github -t html5 -o $(PANDOC_DST)$@ $(patsubst %,$(PANDOC_SRC)%,$(DOC_FILES)) 52 | endif 53 | 54 | version.md: ./specs-go/version.go 55 | go run ./.tool/version-doc.go > $@ 56 | 57 | HOST_GOLANG_VERSION = $(shell go version | cut -d ' ' -f3 | cut -c 3-) 58 | # this variable is used like a function. First arg is the minimum version, Second arg is the version to be checked. 59 | ALLOWED_GO_VERSION = $(shell test '$(shell /bin/echo -e "$(1)\n$(2)" | sort -V | head -n1)' = '$(1)' && echo 'true') 60 | 61 | test: .govet .golint .gitvalidation 62 | 63 | .govet: 64 | go vet -x ./... 65 | 66 | # When this is running in GitHub, it will only check the GitHub commit range 67 | .gitvalidation: 68 | @which git-validation > /dev/null 2>/dev/null || (echo "ERROR: git-validation not found. 
Consider 'make install.tools' target" && false) 69 | ifdef GITHUB_SHA 70 | git-validation -q -run DCO,short-subject,dangling-whitespace -range $(GITHUB_SHA)..HEAD 71 | else 72 | git-validation -v -run DCO,short-subject,dangling-whitespace -range $(EPOCH_TEST_COMMIT)..HEAD 73 | endif 74 | 75 | install.tools: .install.gitvalidation 76 | 77 | .install.gitvalidation: 78 | go install github.com/vbatts/git-validation@v1.2.0 79 | 80 | clean: 81 | rm -rf $(OUTPUT_DIRNAME) *~ 82 | rm -f version.md 83 | 84 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Open Container Initiative Runtime Specification 2 | 3 | [![GitHub Actions status](https://github.com/opencontainers/runtime-spec/workflows/build/badge.svg)](https://github.com/opencontainers/runtime-spec/actions?query=workflow%3Abuild) 4 | 5 | The [Open Container Initiative][oci] develops specifications for standards on Operating System process and application containers. 6 | 7 | The specification can be found [here](spec.md). 8 | 9 | ## Table of Contents 10 | 11 | Additional documentation about how this group operates: 12 | 13 | - [Code of Conduct][code-of-conduct] 14 | - [Style and Conventions](style.md) 15 | - [Implementations](implementations.md) 16 | - [Releases](RELEASES.md) 17 | - [charter][charter] 18 | 19 | ## Use Cases 20 | 21 | To provide context for users the following section gives example use cases for each part of the spec. 22 | 23 | ### Application Bundle Builders 24 | 25 | Application bundle builders can create a [bundle](bundle.md) directory that includes all of the files required for launching an application as a container. 
26 | The bundle contains an OCI [configuration file](config.md) where the builder can specify host-independent details such as [which executable to launch](config.md#process) and host-specific settings such as [mount](config.md#mounts) locations, [hook](config.md#posix-platform-hooks) paths, Linux [namespaces](config-linux.md#namespaces) and [cgroups](config-linux.md#control-groups). 27 | Because the configuration includes host-specific settings, application bundle directories copied between two hosts may require configuration adjustments. 28 | 29 | ### Hook Developers 30 | 31 | [Hook](config.md#posix-platform-hooks) developers can extend the functionality of an OCI-compliant runtime by hooking into a container's lifecycle with an external application. 32 | Example use cases include sophisticated network configuration, volume garbage collection, etc. 33 | 34 | ### Runtime Developers 35 | 36 | Runtime developers can build runtime implementations that run OCI-compliant bundles and container configuration, containing low-level OS and host-specific details, on a particular platform. 37 | 38 | ## Contributing 39 | 40 | Development of the spec happens on GitHub. 41 | Issues are used for bugs and actionable items, and longer discussions can happen on the [mailing list](#mailing-list). 42 | 43 | The specification and code are licensed under the Apache 2.0 license found in the [LICENSE](./LICENSE) file. 44 | 45 | ### Discuss your design 46 | 47 | The project welcomes submissions, but please let everyone know what you are working on. 48 | 49 | Before undertaking a nontrivial change to this specification, send mail to the [mailing list](#mailing-list) to discuss what you plan to do. 50 | This gives everyone a chance to validate the design, helps prevent duplication of effort, and ensures that the idea fits. 51 | It also guarantees that the design is sound before code is written; a GitHub pull-request is not the place for high-level discussions. 
52 | 53 | Typos and grammatical errors can go straight to a pull-request. 54 | When in doubt, start on the [mailing-list](#mailing-list). 55 | 56 | ### Meetings 57 | 58 | Please see the [OCI org repository README](https://github.com/opencontainers/org#meetings) for the most up-to-date 59 | information on OCI contributor and maintainer meeting schedules. You can also find links to meeting agendas and 60 | minutes for all prior meetings. 61 | 62 | ### Mailing List 63 | 64 | You can subscribe and join the mailing list on [Google Groups][dev-list]. 65 | 66 | ### Chat 67 | 68 | OCI discussion happens in the following chat rooms, which are all bridged together: 69 | 70 | - #general channel on [OCI Slack](https://opencontainers.org/community/overview/#chat) 71 | - #opencontainers:matrix.org 72 | 73 | ### Git commit 74 | 75 | #### Sign your work 76 | 77 | The sign-off is a simple line at the end of the explanation for the patch, which certifies that you wrote it or otherwise have the right to pass it on as an open-source patch. 78 | The rules are pretty simple: if you can certify the below (from https://developercertificate.org): 79 | 80 | ``` 81 | Developer Certificate of Origin 82 | Version 1.1 83 | 84 | Copyright (C) 2004, 2006 The Linux Foundation and its contributors. 85 | 660 York Street, Suite 102, 86 | San Francisco, CA 94110 USA 87 | 88 | Everyone is permitted to copy and distribute verbatim copies of this 89 | license document, but changing it is not allowed. 
90 | 91 | 92 | Developer's Certificate of Origin 1.1 93 | 94 | By making a contribution to this project, I certify that: 95 | 96 | (a) The contribution was created in whole or in part by me and I 97 | have the right to submit it under the open source license 98 | indicated in the file; or 99 | 100 | (b) The contribution is based upon previous work that, to the best 101 | of my knowledge, is covered under an appropriate open source 102 | license and I have the right under that license to submit that 103 | work with modifications, whether created in whole or in part 104 | by me, under the same open source license (unless I am 105 | permitted to submit under a different license), as indicated 106 | in the file; or 107 | 108 | (c) The contribution was provided directly to me by some other 109 | person who certified (a), (b) or (c) and I have not modified 110 | it. 111 | 112 | (d) I understand and agree that this project and the contribution 113 | are public and that a record of the contribution (including all 114 | personal information I submit with it, including my sign-off) is 115 | maintained indefinitely and may be redistributed consistent with 116 | this project or the open source license(s) involved. 117 | ``` 118 | 119 | then you just add a line to every git commit message: 120 | 121 | Signed-off-by: Joe Smith 122 | 123 | using your real name (sorry, no pseudonyms or anonymous contributions.) 124 | 125 | You can add the sign off when creating the git commit via `git commit -s`. 126 | 127 | #### Commit Style 128 | 129 | Simple house-keeping for clean git history. 130 | Read more on [How to Write a Git Commit Message][how-to-git-commit] or the Discussion section of [git-commit(1)][git-commit.1]. 131 | 132 | 1. Separate the subject from body with a blank line 133 | 2. Limit the subject line to 50 characters 134 | 3. Capitalize the subject line 135 | 4. Do not end the subject line with a period 136 | 5. Use the imperative mood in the subject line 137 | 6. 
Wrap the body at 72 characters 138 | 7. Use the body to explain what and why vs. how 139 | * If there was important/useful/essential conversation or information, copy or include a reference 140 | 8. When possible, use one keyword to scope the change in the subject (e.g. "README: ...", "runtime: ...") 141 | 142 | 143 | [charter]: https://github.com/opencontainers/tob/blob/master/CHARTER.md 144 | [code-of-conduct]: https://github.com/opencontainers/org/blob/master/CODE_OF_CONDUCT.md 145 | [dev-list]: https://groups.google.com/a/opencontainers.org/forum/#!forum/dev 146 | [how-to-git-commit]: https://cbea.ms/git-commit/ 147 | [iso-week]: https://en.wikipedia.org/wiki/ISO_week_date#Calculating_the_week_number_of_a_given_date 148 | [minutes]: https://ircbot.wl.linuxfoundation.org/meetings/opencontainers/ 149 | [oci]: https://www.opencontainers.org 150 | [rfc5545]: https://tools.ietf.org/html/rfc5545 151 | [runtime-wiki]: https://github.com/opencontainers/runtime-spec/wiki 152 | [uberconference]: https://www.uberconference.com/opencontainers 153 | 154 | [git-commit.1]: https://git-scm.com/docs/git-commit 155 | -------------------------------------------------------------------------------- /RELEASES.md: -------------------------------------------------------------------------------- 1 | # Releases 2 | 3 | The release process aims to encourage early, consistent consensus-building during project development. 4 | The mechanisms used are regular community communication on the mailing list about progress, scheduled meetings for issue resolution and release triage, and regularly paced and communicated releases. 5 | Releases are proposed and adopted or rejected using the usual [project governance](GOVERNANCE.md) rules and procedures. 6 | 7 | An anti-pattern that we want to avoid is heavy development or discussions "late cycle" around major releases. 
8 | We want to build a community that is involved and communicates consistently through all releases instead of relying on "silent periods" as a judge of stability. 9 | 10 | ## Parallel releases 11 | 12 | A single project MAY consider several motions to release in parallel. 13 | However each motion to release after the initial 0.1.0 MUST be based on a previous release that has already landed. 14 | 15 | For example, runtime-spec maintainers may propose a v1.0.0-rc2 on the 1st of the month and a v0.9.1 bugfix on the 2nd of the month. 16 | They may not propose a v1.0.0-rc3 until the v1.0.0-rc2 is accepted (on the 7th if the vote initiated on the 1st passes). 17 | 18 | ## Specifications 19 | 20 | The OCI maintains three categories of projects: specifications, applications, and conformance-testing tools. 21 | However, specification releases have special restrictions in the [OCI charter][charter]: 22 | 23 | * They are the target of backwards compatibility (§7.g), and 24 | * They are subject to the OFWa patent grant (§8.d and e). 25 | 26 | To avoid unfortunate side effects (onerous backwards compatibility requirements or Member resignations), the following additional procedures apply to specification releases: 27 | 28 | ### Planning a release 29 | 30 | Every OCI specification project SHOULD hold meetings that involve maintainers reviewing pull requests, debating outstanding issues, and planning releases. 31 | This meeting MUST be advertised on the project README and MAY happen on a phone call, video conference, or on IRC. 32 | Maintainers MUST send updates to the dev@opencontainers.org with results of these meetings. 33 | 34 | Before the specification reaches v1.0.0, the meetings SHOULD be weekly. 35 | Once a specification has reached v1.0.0, the maintainers may alter the cadence, but a meeting MUST be held within four weeks of the previous meeting. 36 | 37 | The release plans, corresponding milestones and estimated due dates MUST be published on GitHub (e.g. 
https://github.com/opencontainers/runtime-spec/milestones). 38 | GitHub milestones and issues are only used for community organization and all releases MUST follow the [project governance](GOVERNANCE.md) rules and procedures. 39 | 40 | ### Timelines 41 | 42 | Specifications have a variety of different timelines in their lifecycle. 43 | 44 | * Pre-v1.0.0 specifications SHOULD release on a monthly cadence to garner feedback. 45 | * Major specification releases MUST release at least three release candidates spaced a minimum of one week apart. 46 | This means a major release like a v1.0.0 or v2.0.0 release will take 1 month at minimum: one week for rc1, one week for rc2, one week for rc3, and one week for the major release itself. 47 | Maintainers SHOULD strive to make zero breaking changes during this cycle of release candidates and SHOULD restart the three-candidate count when a breaking change is introduced. 48 | For example if a breaking change is introduced in v1.0.0-rc2 then the series would end with v1.0.0-rc4 and v1.0.0. 49 | * Minor and patch releases SHOULD be made on an as-needed basis. 
50 | 51 | [charter]: https://github.com/opencontainers/tob/blob/main/CHARTER.md 52 | 53 | ## Checklist 54 | 55 | Releases usually follow a few steps: 56 | 57 | * [ ] prepare a pull-request for the release 58 | * [ ] a commit updating `./ChangeLog` 59 | * [ ] `git log --oneline --no-merges --decorate --name-status v1.0.1..HEAD | vim -` 60 | * [ ] `:% s/(pr\/\(\d*\))\(.*\)/\2 (#\1)/` to move the PR to the end of line and match previous formatting 61 | * [ ] review `(^M|^A|^D)` for impact of the commit 62 | * [ ] group commits to `Additions:`, `Minor fixes and documentation:`, `Breaking changes:` 63 | * [ ] delete the `(^M|^A|^D)` lines, `:%!grep -vE '(^M|^A|^D)'` 64 | * [ ] merge multi-commit PRs (so each line has a `(#num)` suffix) 65 | * [ ] drop hash and indent, `:'<,'> s/^\w* /^I* /` 66 | * [ ] a commit bumping `./specs-go/version.go` to next version and empty the `VersionDev` variable 67 | * [ ] a commit adding back the "+dev" to `VersionDev` 68 | * [ ] send email to dev@opencontainers.org 69 | * [ ] copy the exact commit hash for bumping the version from the pull-request (since master always stays as "-dev") 70 | * [ ] count the PRs since last release (that this version is tracking, in the cases of multiple branching), like `git log --pretty=oneline --no-merges --decorate $priorTag..$versionBumpCommit | grep \(pr\/ | wc -l` 71 | * [ ] get the date for a week from now, like `TZ=UTC date --date='next week'` 72 | * [ ] OPTIONAL find a cute animal gif to attach to the email, and subsequently the release description 73 | * [ ] subject line like `[runtime-spec VOTE] tag $versionBumpCommit as $version (closes $dateWeekFromNowUTC)` 74 | * [ ] email body like 75 | ``` 76 | Hey everyone, 77 | 78 | There have been $numPRs PRs merged since $priorTag release (https://github.com/opencontainers/runtime-spec/compare/$priorTag...$versionBumpCommit). 79 | 80 | $linkToPullRequest 81 | 82 | Please respond LGTM or REJECT (with reasoning). 
83 | 84 | $sig 85 | ``` 86 | * [ ] edit/update the pull-request to link to the VOTE thread, from https://groups.google.com/a/opencontainers.org/forum/#!forum/dev 87 | * [ ] a week later, if the vote passes, merge the PR 88 | * [ ] `git tag -s $version $versionBumpCommit` 89 | * [ ] `git push --tags` 90 | * [ ] produce release documents 91 | * [ ] git checkout the release tag, like `git checkout $version` 92 | * [ ] `make docs` 93 | * [ ] rename the output PDF and HTML files to include the version, like `mv output/oci-runtime-spec.pdf output/oci-runtime-spec-$version.pdf` 94 | * [ ] attach these docs to the release on https://github.com/opencontainers/runtime-spec/releases 95 | * [ ] link to the VOTE thread and include the passing vote count 96 | * [ ] link to the pull request that merged the release 97 | -------------------------------------------------------------------------------- /bundle.md: -------------------------------------------------------------------------------- 1 | # Filesystem Bundle 2 | 3 | ## Container Format 4 | 5 | This section defines a format for encoding a container as a *filesystem bundle* - a set of files organized in a certain way, and containing all the necessary data and metadata for any compliant runtime to perform all standard operations against it. 6 | See also [MacOS application bundles][macos_bundle] for a similar use of the term *bundle*. 7 | 8 | The definition of a bundle is only concerned with how a container, and its configuration data, are stored on a local filesystem so that it can be consumed by a compliant runtime. 9 | 10 | A Standard Container bundle contains all the information needed to load and run a container. 11 | This includes the following artifacts: 12 | 13 | 1. `config.json`: contains configuration data. 14 | This REQUIRED file MUST reside in the root of the bundle directory and MUST be named `config.json`. 15 | See [`config.json`](config.md) for more details. 16 | 17 | 2.
container's root filesystem: the directory referenced by [`root.path`](config.md#root), if that property is set in `config.json`. 18 | 19 | When supplied, while these artifacts MUST all be present in a single directory on the local filesystem, that directory itself is not part of the bundle. 20 | In other words, a tar archive of a *bundle* will have these artifacts at the root of the archive, not nested within a top-level directory. 21 | 22 | [macos_bundle]: https://en.wikipedia.org/wiki/Bundle_%28macOS%29 23 | -------------------------------------------------------------------------------- /config-solaris.md: -------------------------------------------------------------------------------- 1 | # Solaris Application Container Configuration 2 | 3 | Solaris application containers can be configured using the following properties, all of the below properties have mappings to properties specified under [zonecfg(1M)][zonecfg.1m_2] man page, except milestone. 4 | 5 | ## milestone 6 | The SMF(Service Management Facility) FMRI which should go to "online" state before we start the desired process within the container. 7 | 8 | **`milestone`** *(string, OPTIONAL)* 9 | 10 | ### Example 11 | ```json 12 | "milestone": "svc:/milestone/container:default" 13 | ``` 14 | 15 | ## limitpriv 16 | The maximum set of privileges any process in this container can obtain. 17 | The property should consist of a comma-separated privilege set specification as described in [priv_str_to_set(3C)][priv-str-to-set.3c] man page for the respective release of Solaris. 18 | 19 | **`limitpriv`** *(string, OPTIONAL)* 20 | 21 | ### Example 22 | ```json 23 | "limitpriv": "default" 24 | ``` 25 | 26 | ## maxShmMemory 27 | The maximum amount of shared memory allowed for this application container. 28 | A scale (K, M, G, T) can be applied to the value for each of these numbers (for example, 1M is one megabyte). 29 | Mapped to `max-shm-memory` in [zonecfg(1M)][zonecfg.1m_2] man page. 
30 | 31 | **`maxShmMemory`** *(string, OPTIONAL)* 32 | 33 | ### Example 34 | ```json 35 | "maxShmMemory": "512m" 36 | ``` 37 | 38 | ## cappedCPU 39 | Sets a limit on the amount of CPU time that can be used by a container. 40 | The unit used translates to the percentage of a single CPU that can be used by all user threads in a container, expressed as a fraction (for example, .75) or a mixed number (whole number and fraction, for example, 1.25). 41 | An `ncpus` value of 1 means 100% of a CPU, a value of 1.25 means 125%, .75 means 75%, and so forth. 42 | When projects within a capped container have their own caps, the minimum value takes precedence. 43 | cappedCPU is mapped to `capped-cpu` in [zonecfg(1M)][zonecfg.1m_2] man page. 44 | 45 | * **`ncpus`** *(string, OPTIONAL)* 46 | 47 | ### Example 48 | ```json 49 | "cappedCPU": { 50 | "ncpus": "8" 51 | } 52 | ``` 53 | 54 | ## cappedMemory 55 | The physical and swap caps on the memory that can be used by this application container. 56 | A scale (K, M, G, T) can be applied to the value for each of these numbers (for example, 1M is one megabyte). 57 | cappedMemory is mapped to `capped-memory` in [zonecfg(1M)][zonecfg.1m_2] man page. 58 | 59 | * **`physical`** *(string, OPTIONAL)* 60 | * **`swap`** *(string, OPTIONAL)* 61 | 62 | ### Example 63 | ```json 64 | "cappedMemory": { 65 | "physical": "512m", 66 | "swap": "512m" 67 | } 68 | ``` 69 | 70 | ## Network 71 | 72 | ### Automatic Network (anet) 73 | anet is specified as an array that is used to set up networking for Solaris application containers. 74 | The anet resource represents the automatic creation of a network resource for an application container. 75 | The zones administration daemon, zoneadmd, is the primary process for managing the container's virtual platform. 76 | One of the daemon's responsibilities is creation and teardown of the networks for the container. 77 | For more information on the daemon see the [zoneadmd(1M)][zoneadmd.1m] man page.
78 | When such a container is started, a temporary VNIC(Virtual NIC) is automatically created for the container. 79 | The VNIC is deleted when the container is torn down. 80 | The following properties can be used to set up automatic networks. 81 | For additional information on properties, check the [zonecfg(1M)][zonecfg.1m_2] man page for the respective release of Solaris. 82 | 83 | * **`linkname`** *(string, OPTIONAL)* Specify a name for the automatically created VNIC datalink. 84 | * **`lowerLink`** *(string, OPTIONAL)* Specify the link over which the VNIC will be created. 85 | Mapped to `lower-link` in the [zonecfg(1M)][zonecfg.1m_2] man page. 86 | * **`allowedAddress`** *(string, OPTIONAL)* The set of IP addresses that the container can use might be constrained by specifying the `allowedAddress` property. 87 | If `allowedAddress` has not been specified, then they can use any IP address on the associated physical interface for the network resource. 88 | Otherwise, when `allowedAddress` is specified, the container cannot use IP addresses that are not in the `allowedAddress` list for the physical address. 89 | Mapped to `allowed-address` in the [zonecfg(1M)][zonecfg.1m_2] man page. 90 | * **`configureAllowedAddress`** *(string, OPTIONAL)* If `configureAllowedAddress` is set to true, the addresses specified by `allowedAddress` are automatically configured on the interface each time the container starts. 91 | When it is set to false, the `allowedAddress` will not be configured on container start. 92 | Mapped to `configure-allowed-address` in the [zonecfg(1M)][zonecfg.1m_2] man page. 93 | * **`defrouter`** *(string, OPTIONAL)* The value for the OPTIONAL default router. 94 | * **`macAddress`** *(string, OPTIONAL)* Set the VNIC's MAC addresses based on the specified value or keyword. 95 | If not a keyword, it is interpreted as a unicast MAC address. 
96 | For a list of the supported keywords please refer to the [zonecfg(1M)][zonecfg.1m_2] man page of the respective Solaris release. 97 | Mapped to `mac-address` in the [zonecfg(1M)][zonecfg.1m_2] man page. 98 | * **`linkProtection`** *(string, OPTIONAL)* Enables one or more types of link protection using comma-separated values. 99 | See the protection property in dladm(8) for supported values in respective release of Solaris. 100 | Mapped to `link-protection` in the [zonecfg(1M)][zonecfg.1m_2] man page. 101 | 102 | #### Example 103 | ```json 104 | "anet": [ 105 | { 106 | "allowedAddress": "172.17.0.2/16", 107 | "configureAllowedAddress": "true", 108 | "defrouter": "172.17.0.1/16", 109 | "linkProtection": "mac-nospoof, ip-nospoof", 110 | "linkname": "net0", 111 | "lowerLink": "net2", 112 | "macAddress": "02:42:f8:52:c7:16" 113 | } 114 | ] 115 | ``` 116 | 117 | 118 | [priv-str-to-set.3c]: https://docs.oracle.com/cd/E86824_01/html/E54766/priv-str-to-set-3c.html 119 | [zoneadmd.1m]: https://docs.oracle.com/cd/E86824_01/html/E54764/zoneadmd-1m.html 120 | [zonecfg.1m_2]: https://docs.oracle.com/cd/E86824_01/html/E54764/zonecfg-1m.html 121 | -------------------------------------------------------------------------------- /config-vm.md: -------------------------------------------------------------------------------- 1 | # Virtual-machine-specific Container Configuration 2 | 3 | This section describes the schema for the [virtual-machine-specific section](config.md#platform-specific-configuration) of the [container configuration](config.md). 4 | The virtual-machine container specification provides additional configuration for the hypervisor, kernel, and image. 5 | 6 | ## Hypervisor Object 7 | 8 | **`hypervisor`** (object, OPTIONAL) specifies details of the hypervisor that manages the container virtual machine. 9 | * **`path`** (string, REQUIRED) path to the hypervisor binary that manages the container virtual machine. 
10 | This value MUST be an absolute path in the [runtime mount namespace](glossary.md#runtime-namespace). 11 | * **`parameters`** (array of strings, OPTIONAL) specifies an array of parameters to pass to the hypervisor. 12 | 13 | ### Example 14 | 15 | ```json 16 | "hypervisor": { 17 | "path": "/path/to/vmm", 18 | "parameters": ["opts1=foo", "opts2=bar"] 19 | } 20 | ``` 21 | 22 | ## Kernel Object 23 | 24 | **`kernel`** (object, REQUIRED) specifies details of the kernel to boot the container virtual machine with. 25 | * **`path`** (string, REQUIRED) path to the kernel used to boot the container virtual machine. 26 | This value MUST be an absolute path in the [runtime mount namespace](glossary.md#runtime-namespace). 27 | * **`parameters`** (array of strings, OPTIONAL) specifies an array of parameters to pass to the kernel. 28 | * **`initrd`** (string, OPTIONAL) path to an initial ramdisk to be used by the container virtual machine. 29 | This value MUST be an absolute path in the [runtime mount namespace](glossary.md#runtime-namespace). 30 | 31 | ### Example 32 | 33 | ```json 34 | "kernel": { 35 | "path": "/path/to/vmlinuz", 36 | "parameters": ["foo=bar", "hello world"], 37 | "initrd": "/path/to/initrd.img" 38 | } 39 | ``` 40 | 41 | ## Image Object 42 | 43 | **`image`** (object, OPTIONAL) specifies details of the image that contains the root filesystem for the container virtual machine. 44 | * **`path`** (string, REQUIRED) path to the container virtual machine root image. 45 | This value MUST be an absolute path in the [runtime mount namespace](glossary.md#runtime-namespace). 46 | * **`format`** (string, REQUIRED) format of the container virtual machine root image. Commonly supported formats are: 47 | * **`raw`** [raw disk image format][raw-image-format]. Unset values for `format` will default to that format. 48 | * **`qcow2`** [QEMU image format][qcow2-image-format]. 49 | * **`vdi`** [VirtualBox 1.1 compatible image format][vdi-image-format]. 
50 | * **`vmdk`** [VMware compatible image format][vmdk-image-format]. 51 | * **`vhd`** [Virtual Hard Disk image format][vhd-image-format]. 52 | 53 | This image contains the root filesystem that the virtual machine **`kernel`** will boot into, not to be confused with the container root filesystem itself. The latter, as specified by **`path`** from the [Root Configuration](config.md#Root-Configuration) section, will be mounted inside the virtual machine at a location chosen by the virtual-machine-based runtime. 54 | 55 | ### Example 56 | 57 | ```json 58 | "image": { 59 | "path": "/path/to/vm/rootfs.img", 60 | "format": "raw" 61 | } 62 | ``` 63 | 64 | [raw-image-format]: https://en.wikipedia.org/wiki/IMG_(file_format) 65 | [qcow2-image-format]: https://git.qemu.org/?p=qemu.git;a=blob_plain;f=docs/interop/qcow2.txt;hb=HEAD 66 | [vdi-image-format]: https://forensicswiki.org/wiki/Virtual_Disk_Image_(VDI) 67 | [vmdk-image-format]: http://www.vmware.com/app/vmdk/?src=vmdk 68 | [vhd-image-format]: https://github.com/libyal/libvhdi/blob/master/documentation/Virtual%20Hard%20Disk%20(VHD)%20image%20format.asciidoc 69 | -------------------------------------------------------------------------------- /config-windows.md: -------------------------------------------------------------------------------- 1 | # Windows-specific Container Configuration 2 | 3 | This document describes the schema for the [Windows-specific section](config.md#platform-specific-configuration) of the [container configuration](config.md). 4 | The Windows container specification uses APIs provided by the Windows Host Compute Service (HCS) to fulfill the spec. 5 | 6 | ## LayerFolders 7 | 8 | **`layerFolders`** (array of strings, REQUIRED) specifies a list of layer folders the container image relies on. The list is ordered from topmost layer to base layer with the last entry being the scratch. 9 | `layerFolders` MUST contain at least one entry. 
10 | 11 | ### Example 12 | 13 | ```json 14 | "windows": { 15 | "layerFolders": [ 16 | "C:\\Layers\\layer2", 17 | "C:\\Layers\\layer1", 18 | "C:\\Layers\\layer-base", 19 | "C:\\scratch" 20 | ] 21 | } 22 | ``` 23 | 24 | ## Devices 25 | 26 | **`devices`** (array of objects, OPTIONAL) lists devices that MUST be available in the container. 27 | 28 | Each entry has the following structure: 29 | 30 | * **`id`** *(string, REQUIRED)* - specifies the device which the runtime MUST make available in the container. 31 | * **`idType`** *(string, REQUIRED)* - tells the runtime how to interpret `id`. Today, Windows only supports a value of `class`, which identifies `id` as a [device interface class GUID][interfaceGUID]. 32 | 33 | [interfaceGUID]: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/overview-of-device-interface-classes 34 | 35 | ### Example 36 | 37 | ```json 38 | "windows": { 39 | "devices": [ 40 | { 41 | "id": "24E552D7-6523-47F7-A647-D3465BF1F5CA", 42 | "idType": "class" 43 | }, 44 | { 45 | "id": "5175d334-c371-4806-b3ba-71fd53c9258d", 46 | "idType": "class" 47 | } 48 | ] 49 | } 50 | ``` 51 | 52 | ## Resources 53 | 54 | You can configure a container's resource limits via the OPTIONAL `resources` field of the Windows configuration. 55 | 56 | ### Memory 57 | 58 | `memory` is an OPTIONAL configuration for the container's memory usage. 59 | 60 | The following parameters can be specified: 61 | 62 | * **`limit`** *(uint64, OPTIONAL)* - sets the limit of memory usage in bytes. 63 | 64 | #### Example 65 | 66 | ```json 67 | "windows": { 68 | "resources": { 69 | "memory": { 70 | "limit": 2097152 71 | } 72 | } 73 | } 74 | ``` 75 | 76 | ### CPU 77 | 78 | `cpu` is an OPTIONAL configuration for the container's CPU usage. 79 | 80 | The following parameters can be specified (mutually exclusive): 81 | 82 | * **`count`** *(uint64, OPTIONAL)* - specifies the number of CPUs available to the container.
It represents the fraction of the configured processor `count` in a container in relation to the processors available in the host. The fraction ultimately determines the portion of processor cycles that the threads in a container can use during each scheduling interval, as the number of cycles per 10,000 cycles. 83 | * **`shares`** *(uint16, OPTIONAL)* - limits the share of processor time given to the container relative to other workloads on the processor. The processor `shares` (`weight` at the platform level) is a value between 0 and 10,000. 84 | * **`maximum`** *(uint16, OPTIONAL)* - determines the portion of processor cycles that the threads in a container can use during each scheduling interval, as the number of cycles per 10,000 cycles. Set processor `maximum` to a percentage times 100. 85 | * **`affinity`** *(array of objects, OPTIONAL)* - specifies the set of CPUs to affinitize for this container. 86 | 87 | Each entry has the following structure: 88 | 89 | Ref: https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/miniport/ns-miniport-_group_affinity 90 | 91 | * **`mask`** *(uint64, REQUIRED)* - specifies the CPU mask relative to this CPU group. 92 | * **`group`** *(uint32, REQUIRED)* - specifies the processor group this mask refers to, as returned by GetLogicalProcessorInformationEx. 93 | 94 | Ref: https://docs.microsoft.com/en-us/virtualization/api/hcs/schemareference#Container_Processor 95 | 96 | #### Example 97 | 98 | ```json 99 | "windows": { 100 | "resources": { 101 | "cpu": { 102 | "maximum": 5000 103 | } 104 | } 105 | } 106 | ``` 107 | 108 | ### Storage 109 | 110 | `storage` is an OPTIONAL configuration for the container's storage usage. 111 | 112 | The following parameters can be specified: 113 | 114 | * **`iops`** *(uint64, OPTIONAL)* - specifies the maximum IO operations per second for the system drive of the container. 115 | * **`bps`** *(uint64, OPTIONAL)* - specifies the maximum bytes per second for the system drive of the container.
116 | * **`sandboxSize`** *(uint64, OPTIONAL)* - specifies the minimum size of the system drive in bytes. 117 | 118 | #### Example 119 | 120 | ```json 121 | "windows": { 122 | "resources": { 123 | "storage": { 124 | "iops": 50 125 | } 126 | } 127 | } 128 | ``` 129 | 130 | ## Network 131 | 132 | You can configure a container's networking options via the OPTIONAL `network` field of the Windows configuration. 133 | 134 | The following parameters can be specified: 135 | 136 | * **`endpointList`** *(array of strings, OPTIONAL)* - list of HNS (Host Network Service) endpoints that the container should connect to. 137 | * **`allowUnqualifiedDNSQuery`** *(bool, OPTIONAL)* - specifies if unqualified DNS name resolution is allowed. 138 | * **`DNSSearchList`** *(array of strings, OPTIONAL)* - comma separated list of DNS suffixes to use for name resolution. 139 | * **`networkSharedContainerName`** *(string, OPTIONAL)* - name (ID) of the container that we will share with the network stack. 140 | * **`networkNamespace`** *(string, OPTIONAL)* - name (ID) of the network namespace that will be used for the container. If a network namespace is specified no other parameter must be specified. 141 | 142 | ### Example 143 | 144 | ```json 145 | "windows": { 146 | "network": { 147 | "endpointList": [ 148 | "7a010682-17e0-4455-a838-02e5d9655fe6" 149 | ], 150 | "allowUnqualifiedDNSQuery": true, 151 | "DNSSearchList": [ 152 | "a.com", 153 | "b.com" 154 | ], 155 | "networkSharedContainerName": "containerName", 156 | "networkNamespace": "168f3daf-efc6-4377-b20a-2c86764ba892" 157 | } 158 | } 159 | ``` 160 | 161 | ## Credential Spec 162 | 163 | You can configure a container's group Managed Service Account (gMSA) via the OPTIONAL `credentialSpec` field of the Windows configuration. 164 | The `credentialSpec` is a JSON object whose properties are implementation-defined. 165 | For more information about gMSAs, see [Active Directory Service Accounts for Windows Containers][gMSAOverview]. 
166 | For more information about tooling to generate a gMSA, see [Deployment Overview][gMSATooling]. 167 | 168 | 169 | [gMSAOverview]: https://aka.ms/windowscontainers/manage-serviceaccounts 170 | [gMSATooling]: https://aka.ms/windowscontainers/credentialspec-tools 171 | 172 | ## Servicing 173 | 174 | When a container terminates, the Host Compute Service indicates if a Windows update servicing operation is pending. 175 | You can indicate that a container should be started in a mode to apply pending servicing operations via the OPTIONAL `servicing` field of the Windows configuration. 176 | 177 | ### Example 178 | 179 | ```json 180 | "windows": { 181 | "servicing": true 182 | } 183 | ``` 184 | 185 | ## IgnoreFlushesDuringBoot 186 | 187 | You can indicate that a container should be started in a mode where disk flushes are not performed during container boot via the OPTIONAL `ignoreFlushesDuringBoot` field of the Windows configuration. 188 | 189 | ### Example 190 | 191 | ```json 192 | "windows": { 193 | "ignoreFlushesDuringBoot": true 194 | } 195 | ``` 196 | 197 | ## HyperV 198 | 199 | `hyperv` is an OPTIONAL field of the Windows configuration. 200 | If present, the container MUST be run with Hyper-V isolation. 201 | If omitted, the container MUST be run as a Windows Server container. 202 | 203 | The following parameters can be specified: 204 | 205 | * **`utilityVMPath`** *(string, OPTIONAL)* - specifies the path to the image used for the utility VM. 206 | This would be specified if using a base image which does not contain a utility VM image. 207 | If not supplied, the runtime will search the container filesystem layers from the bottom-most layer upwards, until it locates "UtilityVM", and default to that path. 
208 | 209 | ### Example 210 | 211 | ```json 212 | "windows": { 213 | "hyperv": { 214 | "utilityVMPath": "C:\\path\\to\\utilityvm" 215 | } 216 | } 217 | ``` 218 | -------------------------------------------------------------------------------- /config-zos.md: -------------------------------------------------------------------------------- 1 | # z/OS Container Configuration 2 | 3 | This document describes the schema for the [z/OS-specific section](config.md#platform-specific-configuration) of the [container configuration](config.md). 4 | The z/OS container specification uses z/OS UNIX kernel features like namespaces and filesystem jails to fulfill the spec. 5 | 6 | Applications expecting a z/OS environment will very likely expect these file paths to be set up correctly. 7 | 8 | The following filesystems SHOULD be made available in each container's filesystem: 9 | 10 | | Path | Type | 11 | | -------- | ------ | 12 | | /proc | [proc][] | 13 | 14 | ## Namespaces 15 | 16 | A namespace wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource. 17 | Changes to the global resource are visible to other processes that are members of the namespace, but are invisible to other processes. 18 | For more information, see https://www.ibm.com/docs/zos/latest?topic=planning-namespaces-zos-unix. 19 | 20 | Namespaces are specified as an array of entries inside the `namespaces` root field. 21 | The following parameters can be specified to set up namespaces: 22 | 23 | * **`type`** *(string, REQUIRED)* - namespace type. The following namespace types SHOULD be supported: 24 | * **`pid`** processes inside the container will only be able to see other processes inside the same container or inside the same pid namespace. 25 | * **`mount`** the container will have an isolated mount table. 
26 | * **`ipc`** processes inside the container will only be able to communicate with other processes inside the same container via system level IPC. 27 | * **`uts`** the container will be able to have its own hostname and domain name. 28 | * **`path`** *(string, OPTIONAL)* - namespace file. 29 | This value MUST be an absolute path in the [runtime mount namespace](glossary.md#runtime-namespace). 30 | The runtime MUST place the container process in the namespace associated with that `path`. 31 | The runtime MUST [generate an error](runtime.md#errors) if `path` is not associated with a namespace of type `type`. 32 | 33 | If `path` is not specified, the runtime MUST create a new [container namespace](glossary.md#container-namespace) of type `type`. 34 | 35 | If a namespace type is not specified in the `namespaces` array, the container MUST inherit the [runtime namespace](glossary.md#runtime-namespace) of that type. 36 | If a `namespaces` field contains duplicated namespaces with the same `type`, the runtime MUST [generate an error](runtime.md#errors). 37 | 38 | ### Example 39 | 40 | ```json 41 | "namespaces": [ 42 | { 43 | "type": "pid", 44 | "path": "/proc/1234/ns/pid" 45 | }, 46 | { 47 | "type": "mount" 48 | }, 49 | { 50 | "type": "ipc" 51 | }, 52 | { 53 | "type": "uts" 54 | } 55 | ] 56 | ``` 57 | -------------------------------------------------------------------------------- /features-linux.md: -------------------------------------------------------------------------------- 1 | # Linux Features Structure 2 | 3 | This document describes the [Linux-specific section](features.md#platform-specific-features) of the [Features structure](features.md). 4 | 5 | ## Namespaces 6 | 7 | * **`namespaces`** (array of strings, OPTIONAL) The recognized names of the namespaces, including namespaces that might not be supported by the host operating system.
8 | The runtime MUST recognize the elements in this array as the [`type` of `linux.namespaces` objects in `config.json`](config-linux.md#namespaces). 9 | 10 | ### Example 11 | 12 | ```json 13 | "namespaces": [ 14 | "cgroup", 15 | "ipc", 16 | "mount", 17 | "network", 18 | "pid", 19 | "user", 20 | "uts" 21 | ] 22 | ``` 23 | 24 | ## Capabilities 25 | 26 | * **`capabilities`** (array of strings, OPTIONAL) The recognized names of the capabilities, including capabilities that might not be supported by the host operating system. 27 | The runtime MUST recognize the elements in this array in the [`process.capabilities` object of `config.json`](config.md#linux-process). 28 | 29 | ### Example 30 | 31 | ```json 32 | "capabilities": [ 33 | "CAP_CHOWN", 34 | "CAP_DAC_OVERRIDE", 35 | "CAP_DAC_READ_SEARCH", 36 | "CAP_FOWNER", 37 | "CAP_FSETID", 38 | "CAP_KILL", 39 | "CAP_SETGID", 40 | "CAP_SETUID", 41 | "CAP_SETPCAP", 42 | "CAP_LINUX_IMMUTABLE", 43 | "CAP_NET_BIND_SERVICE", 44 | "CAP_NET_BROADCAST", 45 | "CAP_NET_ADMIN", 46 | "CAP_NET_RAW", 47 | "CAP_IPC_LOCK", 48 | "CAP_IPC_OWNER", 49 | "CAP_SYS_MODULE", 50 | "CAP_SYS_RAWIO", 51 | "CAP_SYS_CHROOT", 52 | "CAP_SYS_PTRACE", 53 | "CAP_SYS_PACCT", 54 | "CAP_SYS_ADMIN", 55 | "CAP_SYS_BOOT", 56 | "CAP_SYS_NICE", 57 | "CAP_SYS_RESOURCE", 58 | "CAP_SYS_TIME", 59 | "CAP_SYS_TTY_CONFIG", 60 | "CAP_MKNOD", 61 | "CAP_LEASE", 62 | "CAP_AUDIT_WRITE", 63 | "CAP_AUDIT_CONTROL", 64 | "CAP_SETFCAP", 65 | "CAP_MAC_OVERRIDE", 66 | "CAP_MAC_ADMIN", 67 | "CAP_SYSLOG", 68 | "CAP_WAKE_ALARM", 69 | "CAP_BLOCK_SUSPEND", 70 | "CAP_AUDIT_READ", 71 | "CAP_PERFMON", 72 | "CAP_BPF", 73 | "CAP_CHECKPOINT_RESTORE" 74 | ] 75 | ``` 76 | 77 | ## Cgroup 78 | 79 | **`cgroup`** (object, OPTIONAL) represents the runtime's implementation status of cgroup managers. 80 | Irrelevant to the cgroup version of the host operating system. 81 | 82 | * **`v1`** (bool, OPTIONAL) represents whether the runtime supports cgroup v1. 
83 | * **`v2`** (bool, OPTIONAL) represents whether the runtime supports cgroup v2. 84 | * **`systemd`** (bool, OPTIONAL) represents whether the runtime supports system-wide systemd cgroup manager. 85 | * **`systemdUser`** (bool, OPTIONAL) represents whether the runtime supports user-scoped systemd cgroup manager. 86 | * **`rdma`** (bool, OPTIONAL) represents whether the runtime supports RDMA cgroup controller. 87 | 88 | ### Example 89 | 90 | ```json 91 | "cgroup": { 92 | "v1": true, 93 | "v2": true, 94 | "systemd": true, 95 | "systemdUser": true, 96 | "rdma": false 97 | } 98 | ``` 99 | 100 | ## Seccomp 101 | 102 | **`seccomp`** (object, OPTIONAL) represents the runtime's implementation status of seccomp. 103 | Irrelevant to the kernel version of the host operating system. 104 | 105 | * **`enabled`** (bool, OPTIONAL) represents whether the runtime supports seccomp. 106 | * **`actions`** (array of strings, OPTIONAL) The recognized names of the seccomp actions. 107 | The runtime MUST recognize the elements in this array in the [`syscalls[].action` property of the `linux.seccomp` object in `config.json`](config-linux.md#seccomp). 108 | * **`operators`** (array of strings, OPTIONAL) The recognized names of the seccomp operators. 109 | The runtime MUST recognize the elements in this array in the [`syscalls[].args[].op` property of the `linux.seccomp` object in `config.json`](config-linux.md#seccomp). 110 | * **`archs`** (array of strings, OPTIONAL) The recognized names of the seccomp architectures. 111 | The runtime MUST recognize the elements in this array in the [`architectures` property of the `linux.seccomp` object in `config.json`](config-linux.md#seccomp). 112 | * **`knownFlags`** (array of strings, OPTIONAL) The recognized names of the seccomp flags. 113 | The runtime MUST recognize the elements in this array in the [`flags` property of the `linux.seccomp` object in `config.json`](config-linux.md#seccomp). 
114 | * **`supportedFlags`** (array of strings, OPTIONAL) The recognized and supported names of the seccomp flags. 115 | This list may be a subset of `knownFlags` due to some flags not supported by the current kernel and/or libseccomp. 116 | The runtime MUST recognize and support the elements in this array in the [`flags` property of the `linux.seccomp` object in `config.json`](config-linux.md#seccomp). 117 | 118 | ### Example 119 | 120 | ```json 121 | "seccomp": { 122 | "enabled": true, 123 | "actions": [ 124 | "SCMP_ACT_ALLOW", 125 | "SCMP_ACT_ERRNO", 126 | "SCMP_ACT_KILL", 127 | "SCMP_ACT_LOG", 128 | "SCMP_ACT_NOTIFY", 129 | "SCMP_ACT_TRACE", 130 | "SCMP_ACT_TRAP" 131 | ], 132 | "operators": [ 133 | "SCMP_CMP_EQ", 134 | "SCMP_CMP_GE", 135 | "SCMP_CMP_GT", 136 | "SCMP_CMP_LE", 137 | "SCMP_CMP_LT", 138 | "SCMP_CMP_MASKED_EQ", 139 | "SCMP_CMP_NE" 140 | ], 141 | "archs": [ 142 | "SCMP_ARCH_AARCH64", 143 | "SCMP_ARCH_ARM", 144 | "SCMP_ARCH_MIPS", 145 | "SCMP_ARCH_MIPS64", 146 | "SCMP_ARCH_MIPS64N32", 147 | "SCMP_ARCH_MIPSEL", 148 | "SCMP_ARCH_MIPSEL64", 149 | "SCMP_ARCH_MIPSEL64N32", 150 | "SCMP_ARCH_PPC", 151 | "SCMP_ARCH_PPC64", 152 | "SCMP_ARCH_PPC64LE", 153 | "SCMP_ARCH_S390", 154 | "SCMP_ARCH_S390X", 155 | "SCMP_ARCH_X32", 156 | "SCMP_ARCH_X86", 157 | "SCMP_ARCH_X86_64" 158 | ], 159 | "knownFlags": [ 160 | "SECCOMP_FILTER_FLAG_LOG" 161 | ], 162 | "supportedFlags": [ 163 | "SECCOMP_FILTER_FLAG_LOG" 164 | ] 165 | } 166 | ``` 167 | 168 | ## AppArmor 169 | 170 | **`apparmor`** (object, OPTIONAL) represents the runtime's implementation status of AppArmor. 171 | Irrelevant to the availability of AppArmor on the host operating system. 172 | 173 | * **`enabled`** (bool, OPTIONAL) represents whether the runtime supports AppArmor. 174 | 175 | ### Example 176 | 177 | ```json 178 | "apparmor": { 179 | "enabled": true 180 | } 181 | ``` 182 | 183 | ## SELinux 184 | 185 | **`selinux`** (object, OPTIONAL) represents the runtime's implementation status of SELinux. 
186 | Irrelevant to the availability of SELinux on the host operating system. 187 | 188 | * **`enabled`** (bool, OPTIONAL) represents whether the runtime supports SELinux. 189 | 190 | ### Example 191 | 192 | ```json 193 | "selinux": { 194 | "enabled": true 195 | } 196 | ``` 197 | 198 | ## Intel RDT 199 | 200 | **`intelRdt`** (object, OPTIONAL) represents the runtime's implementation status of Intel RDT. 201 | Irrelevant to the availability of Intel RDT on the host operating system. 202 | 203 | * **`enabled`** (bool, OPTIONAL) represents whether the runtime supports Intel RDT. 204 | * **`schemata`** (bool, OPTIONAL) represents whether the 205 | [`schemata` field of `linux.intelRdt` in `config.json`](config-linux.md#intelrdt) is supported. 206 | 207 | ### Example 208 | 209 | ```json 210 | "intelRdt": { 211 | "enabled": true, 212 | "schemata": true 213 | } 214 | ``` 215 | 216 | ## MountExtensions 217 | 218 | **`mountExtensions`** (object, OPTIONAL) represents whether the runtime supports certain mount features, irrespective of the availability of the features on the host operating system. 219 | 220 | * **`idmap`** (object, OPTIONAL) represents whether the runtime supports idmap mounts using the `uidMappings` and `gidMappings` properties of the mount. 221 | * **`enabled`** (bool, OPTIONAL) represents whether the runtime parses and attempts to use the `uidMappings` and `gidMappings` properties of mounts if provided. 222 | Note that it is possible for runtimes to have partial implementations of id-mapped mount support (such as only allowing mounts which have mappings matching the container's user namespace, or only allowing id-mapped bind-mounts). 223 | In such cases, runtimes MUST still set this value to `true`, to indicate that the runtime recognises the `uidMappings` and `gidMappings` properties. 
224 | 225 | ### Example 226 | 227 | ```json 228 | "mountExtensions": { 229 | "idmap":{ 230 | "enabled": true 231 | } 232 | } 233 | ``` 234 | 235 | ## NetDevices 236 | 237 | **`netDevices`** (object, OPTIONAL) represents the runtime's implementation status of Linux network devices. 238 | 239 | * **`enabled`** (bool, OPTIONAL) represents whether the runtime supports the capability to move Linux network devices into the container's network namespace. 240 | 241 | ### Example 242 | 243 | ```json 244 | "netDevices": { 245 | "enabled": true 246 | } 247 | ``` 248 | -------------------------------------------------------------------------------- /features.md: -------------------------------------------------------------------------------- 1 | # Features Structure 2 | 3 | A [runtime](glossary.md#runtime) MAY provide a JSON structure about its implemented features to [runtime callers](glossary.md#runtime-caller). 4 | This JSON structure is called ["Features structure"](glossary.md#features-structure). 5 | 6 | The Features structure is irrelevant to the actual availability of the features in the host operating system. 7 | Hence, the content of the Features structure SHOULD be determined on the compilation time of the runtime, not on the execution time. 8 | 9 | All properties in the Features structure except `ociVersionMin` and `ociVersionMax` MAY either be absent or have the `null` value. 10 | The `null` value MUST NOT be confused with an empty value such as `0`, `false`, `""`, `[]`, and `{}`. 11 | 12 | ## Specification version 13 | 14 | * **`ociVersionMin`** (string, REQUIRED) The minimum recognized version of the Open Container Initiative Runtime Specification. 15 | The runtime MUST accept this value as the [`ociVersion` property of `config.json`](config.md#specification-version). 16 | 17 | * **`ociVersionMax`** (string, REQUIRED) The maximum recognized version of the Open Container Initiative Runtime Specification. 
18 | The runtime MUST accept this value as the [`ociVersion` property of `config.json`](config.md#specification-version). 19 | The value MUST NOT be less than the value of the `ociVersionMin` property. 20 | The Features structure MUST NOT contain properties that are not defined in this version of the Open Container Initiative Runtime Specification. 21 | 22 | ### Example 23 | ```json 24 | { 25 | "ociVersionMin": "1.0.0", 26 | "ociVersionMax": "1.1.0" 27 | } 28 | ``` 29 | 30 | ## Hooks 31 | * **`hooks`** (array of strings, OPTIONAL) The recognized names of the [hooks](config.md#posix-platform-hooks). 32 | The runtime MUST support the elements in this array as the [`hooks` property of `config.json`](config.md#posix-platform-hooks). 33 | 34 | ### Example 35 | ```json 36 | "hooks": [ 37 | "prestart", 38 | "createRuntime", 39 | "createContainer", 40 | "startContainer", 41 | "poststart", 42 | "poststop" 43 | ] 44 | ``` 45 | 46 | ## Mount Options 47 | 48 | * **`mountOptions`** (array of strings, OPTIONAL) The recognized names of the mount options, including options that might not be supported by the host operating system. 49 | The runtime MUST recognize the elements in this array as the [`options` of `mounts` objects in `config.json`](config.md#mounts). 50 | * Linux: this array SHOULD NOT contain filesystem-specific mount options that are passed to the [mount(2)][mount.2] syscall as `const void *data`. 
51 | 52 | ### Example 53 | 54 | ```json 55 | "mountOptions": [ 56 | "acl", 57 | "async", 58 | "atime", 59 | "bind", 60 | "defaults", 61 | "dev", 62 | "diratime", 63 | "dirsync", 64 | "exec", 65 | "iversion", 66 | "lazytime", 67 | "loud", 68 | "mand", 69 | "noacl", 70 | "noatime", 71 | "nodev", 72 | "nodiratime", 73 | "noexec", 74 | "noiversion", 75 | "nolazytime", 76 | "nomand", 77 | "norelatime", 78 | "nostrictatime", 79 | "nosuid", 80 | "nosymfollow", 81 | "private", 82 | "ratime", 83 | "rbind", 84 | "rdev", 85 | "rdiratime", 86 | "relatime", 87 | "remount", 88 | "rexec", 89 | "rnoatime", 90 | "rnodev", 91 | "rnodiratime", 92 | "rnoexec", 93 | "rnorelatime", 94 | "rnostrictatime", 95 | "rnosuid", 96 | "rnosymfollow", 97 | "ro", 98 | "rprivate", 99 | "rrelatime", 100 | "rro", 101 | "rrw", 102 | "rshared", 103 | "rslave", 104 | "rstrictatime", 105 | "rsuid", 106 | "rsymfollow", 107 | "runbindable", 108 | "rw", 109 | "shared", 110 | "silent", 111 | "slave", 112 | "strictatime", 113 | "suid", 114 | "symfollow", 115 | "sync", 116 | "tmpcopyup", 117 | "unbindable" 118 | ] 119 | ``` 120 | 121 | 122 | ## Platform-specific features 123 | 124 | * **`linux`** (object, OPTIONAL) [Linux-specific features](features-linux.md). 125 | This MAY be set if the runtime supports the `linux` platform. 126 | 127 | ## Annotations 128 | 129 | **`annotations`** (object, OPTIONAL) contains arbitrary metadata of the runtime. 130 | This information MAY be structured or unstructured. 131 | Annotations MUST be a key-value map that follows the same convention as the keys and values of the [`annotations` property of `config.json`](config.md#annotations). 132 | However, annotations do not need to contain the possible values of the [`annotations` property of `config.json`](config.md#annotations). 133 | The current version of the spec does not provide a way to enumerate the possible values of the [`annotations` property of `config.json`](config.md#annotations). 
134 | 135 | ### Example 136 | ```json 137 | "annotations": { 138 | "org.opencontainers.runc.checkpoint.enabled": "true", 139 | "org.opencontainers.runc.version": "1.1.0" 140 | } 141 | ``` 142 | 143 | ## Unsafe annotations in `config.json` 144 | 145 | **`potentiallyUnsafeConfigAnnotations`** (array of strings, OPTIONAL) contains the names (keys) of entries in the [`annotations` property of `config.json`](config.md#annotations) 146 | that may potentially change the behavior of the runtime. 147 | 148 | An entry that ends with "." is interpreted as a prefix of annotation names. 149 | 150 | ### Example 151 | ```json 152 | "potentiallyUnsafeConfigAnnotations": [ 153 | "com.example.foo.bar", 154 | "org.systemd.property." 155 | ] 156 | ``` 157 | 158 | The example above matches `com.example.foo.bar`, `org.systemd.property.ExecStartPre`, etc. 159 | The example does not match `com.example.foo.bar.baz`. 160 | 161 | # Example 162 | 163 | Here is a full example for reference. 164 | 165 | ```json 166 | { 167 | "ociVersionMin": "1.0.0", 168 | "ociVersionMax": "1.1.0-rc.2", 169 | "hooks": [ 170 | "prestart", 171 | "createRuntime", 172 | "createContainer", 173 | "startContainer", 174 | "poststart", 175 | "poststop" 176 | ], 177 | "mountOptions": [ 178 | "async", 179 | "atime", 180 | "bind", 181 | "defaults", 182 | "dev", 183 | "diratime", 184 | "dirsync", 185 | "exec", 186 | "iversion", 187 | "lazytime", 188 | "loud", 189 | "mand", 190 | "noatime", 191 | "nodev", 192 | "nodiratime", 193 | "noexec", 194 | "noiversion", 195 | "nolazytime", 196 | "nomand", 197 | "norelatime", 198 | "nostrictatime", 199 | "nosuid", 200 | "nosymfollow", 201 | "private", 202 | "ratime", 203 | "rbind", 204 | "rdev", 205 | "rdiratime", 206 | "relatime", 207 | "remount", 208 | "rexec", 209 | "rnoatime", 210 | "rnodev", 211 | "rnodiratime", 212 | "rnoexec", 213 | "rnorelatime", 214 | "rnostrictatime", 215 | "rnosuid", 216 | "rnosymfollow", 217 | "ro", 218 | "rprivate", 219 | "rrelatime", 220 | "rro", 221 | "rrw", 222 | "rshared", 223 | 
"rslave", 224 | "rstrictatime", 225 | "rsuid", 226 | "rsymfollow", 227 | "runbindable", 228 | "rw", 229 | "shared", 230 | "silent", 231 | "slave", 232 | "strictatime", 233 | "suid", 234 | "symfollow", 235 | "sync", 236 | "tmpcopyup", 237 | "unbindable" 238 | ], 239 | "linux": { 240 | "namespaces": [ 241 | "cgroup", 242 | "ipc", 243 | "mount", 244 | "network", 245 | "pid", 246 | "user", 247 | "uts" 248 | ], 249 | "capabilities": [ 250 | "CAP_CHOWN", 251 | "CAP_DAC_OVERRIDE", 252 | "CAP_DAC_READ_SEARCH", 253 | "CAP_FOWNER", 254 | "CAP_FSETID", 255 | "CAP_KILL", 256 | "CAP_SETGID", 257 | "CAP_SETUID", 258 | "CAP_SETPCAP", 259 | "CAP_LINUX_IMMUTABLE", 260 | "CAP_NET_BIND_SERVICE", 261 | "CAP_NET_BROADCAST", 262 | "CAP_NET_ADMIN", 263 | "CAP_NET_RAW", 264 | "CAP_IPC_LOCK", 265 | "CAP_IPC_OWNER", 266 | "CAP_SYS_MODULE", 267 | "CAP_SYS_RAWIO", 268 | "CAP_SYS_CHROOT", 269 | "CAP_SYS_PTRACE", 270 | "CAP_SYS_PACCT", 271 | "CAP_SYS_ADMIN", 272 | "CAP_SYS_BOOT", 273 | "CAP_SYS_NICE", 274 | "CAP_SYS_RESOURCE", 275 | "CAP_SYS_TIME", 276 | "CAP_SYS_TTY_CONFIG", 277 | "CAP_MKNOD", 278 | "CAP_LEASE", 279 | "CAP_AUDIT_WRITE", 280 | "CAP_AUDIT_CONTROL", 281 | "CAP_SETFCAP", 282 | "CAP_MAC_OVERRIDE", 283 | "CAP_MAC_ADMIN", 284 | "CAP_SYSLOG", 285 | "CAP_WAKE_ALARM", 286 | "CAP_BLOCK_SUSPEND", 287 | "CAP_AUDIT_READ", 288 | "CAP_PERFMON", 289 | "CAP_BPF", 290 | "CAP_CHECKPOINT_RESTORE" 291 | ], 292 | "cgroup": { 293 | "v1": true, 294 | "v2": true, 295 | "systemd": true, 296 | "systemdUser": true, 297 | "rdma": true 298 | }, 299 | "seccomp": { 300 | "enabled": true, 301 | "actions": [ 302 | "SCMP_ACT_ALLOW", 303 | "SCMP_ACT_ERRNO", 304 | "SCMP_ACT_KILL", 305 | "SCMP_ACT_KILL_PROCESS", 306 | "SCMP_ACT_KILL_THREAD", 307 | "SCMP_ACT_LOG", 308 | "SCMP_ACT_NOTIFY", 309 | "SCMP_ACT_TRACE", 310 | "SCMP_ACT_TRAP" 311 | ], 312 | "operators": [ 313 | "SCMP_CMP_EQ", 314 | "SCMP_CMP_GE", 315 | "SCMP_CMP_GT", 316 | "SCMP_CMP_LE", 317 | "SCMP_CMP_LT", 318 | "SCMP_CMP_MASKED_EQ", 319 | "SCMP_CMP_NE" 
320 | ], 321 | "archs": [ 322 | "SCMP_ARCH_AARCH64", 323 | "SCMP_ARCH_ARM", 324 | "SCMP_ARCH_MIPS", 325 | "SCMP_ARCH_MIPS64", 326 | "SCMP_ARCH_MIPS64N32", 327 | "SCMP_ARCH_MIPSEL", 328 | "SCMP_ARCH_MIPSEL64", 329 | "SCMP_ARCH_MIPSEL64N32", 330 | "SCMP_ARCH_PPC", 331 | "SCMP_ARCH_PPC64", 332 | "SCMP_ARCH_PPC64LE", 333 | "SCMP_ARCH_RISCV64", 334 | "SCMP_ARCH_S390", 335 | "SCMP_ARCH_S390X", 336 | "SCMP_ARCH_X32", 337 | "SCMP_ARCH_X86", 338 | "SCMP_ARCH_X86_64" 339 | ], 340 | "knownFlags": [ 341 | "SECCOMP_FILTER_FLAG_TSYNC", 342 | "SECCOMP_FILTER_FLAG_SPEC_ALLOW", 343 | "SECCOMP_FILTER_FLAG_LOG" 344 | ], 345 | "supportedFlags": [ 346 | "SECCOMP_FILTER_FLAG_TSYNC", 347 | "SECCOMP_FILTER_FLAG_SPEC_ALLOW", 348 | "SECCOMP_FILTER_FLAG_LOG" 349 | ] 350 | }, 351 | "apparmor": { 352 | "enabled": true 353 | }, 354 | "selinux": { 355 | "enabled": true 356 | }, 357 | "intelRdt": { 358 | "enabled": true, 359 | "schemata": true 360 | } 361 | }, 362 | "annotations": { 363 | "io.github.seccomp.libseccomp.version": "2.5.4", 364 | "org.opencontainers.runc.checkpoint.enabled": "true", 365 | "org.opencontainers.runc.commit": "v1.1.0-534-g26851168", 366 | "org.opencontainers.runc.version": "1.1.0+dev" 367 | } 368 | } 369 | ``` 370 | 371 | [mount.2]: https://man7.org/linux/man-pages/man2/mount.2.html 372 | -------------------------------------------------------------------------------- /glossary.md: -------------------------------------------------------------------------------- 1 | # Glossary 2 | 3 | ## Bundle 4 | 5 | A [directory structure](bundle.md) that is written ahead of time, distributed, and used to seed the runtime for creating a [container](#container) and launching a process within it. 6 | 7 | ## Configuration 8 | 9 | The [`config.json`](config.md) file in a [bundle](#bundle) which defines the intended [container](#container) and container process. 10 | 11 | ## Container 12 | 13 | An environment for executing processes with configurable isolation and resource limitations. 
14 | For example, namespaces, resource limits, and mounts are all part of the container environment. 15 | 16 | ## Container namespace 17 | 18 | On Linux, the [namespaces][namespaces.7] in which the [configured process](config.md#process) executes. 19 | 20 | ## Features Structure 21 | 22 | A [JSON][] structure that represents [the implemented features](features.md) of the [runtime](#runtime). 23 | Irrelevant to the actual availability of the features in the host operating system. 24 | 25 | ## JSON 26 | 27 | All configuration [JSON][] MUST be encoded in [UTF-8][]. 28 | JSON objects MUST NOT include duplicate names. 29 | The order of entries in JSON objects is not significant. 30 | 31 | ## Runtime 32 | 33 | An implementation of this specification. 34 | It reads the [configuration files](#configuration) from a [bundle](#bundle), uses that information to create a [container](#container), launches a process inside the container, and performs other [lifecycle actions](runtime.md). 35 | 36 | ## Runtime caller 37 | An external program that executes a [runtime](#runtime), directly or indirectly. 38 | 39 | Examples of direct callers include containerd, CRI-O, and Podman. 40 | Examples of indirect callers include Docker/Moby and Kubernetes. 41 | 42 | Runtime callers often execute a runtime via a [runc][]-compatible command line interface; however, that interface is currently out of the scope of the Open Container Initiative Runtime Specification. 
47 | 48 | [JSON]: https://tools.ietf.org/html/rfc8259 49 | [UTF-8]: https://www.unicode.org/versions/Unicode8.0.0/ch03.pdf 50 | [runc]: https://github.com/opencontainers/runc 51 | 52 | [namespaces.7]: https://man7.org/linux/man-pages/man7/namespaces.7.html 53 | -------------------------------------------------------------------------------- /implementations.md: -------------------------------------------------------------------------------- 1 | # Implementations 2 | 3 | The following sections link to associated projects, some of which are maintained by the OCI and some of which are maintained by external organizations. 4 | If you know of any associated projects that are not listed here, please file a pull request adding a link to that project. 5 | 6 | ## Runtime (Container) 7 | 8 | * [alibaba/inclavare-containers][rune] - Enclave OCI runtime for confidential computing 9 | * [containers/crun][crun] - Runtime implementation in C 10 | * [containers/youki][youki] - Runtime implementation in Rust 11 | * [opencontainers/runc][runc] - Reference implementation of OCI runtime 12 | * [projectatomic/bwrap-oci][bwrap-oci] - Convert the OCI spec file to a command line for [bubblewrap][bubblewrap] 13 | * [systemd/systemd][systemd] - Contains [systemd-nspawn][nspawn], runtime implementation in C (via `--oci-bundle` option since systemd v242) 14 | 15 | ## Runtime (Virtual Machine) 16 | 17 | * [clearcontainers/runtime][cc-runtime] - Hypervisor-based OCI runtime utilising [virtcontainers][virtcontainers] by Intel®. 18 | * [google/gvisor][gvisor] - gVisor is a user-space kernel, contains runsc to run sandboxed containers. 19 | * [hyperhq/runv][runv] - Hypervisor-based runtime for OCI 20 | * [kata-containers/runtime][kata-runtime] - Hypervisor-based OCI runtime combining technology from [clearcontainers/runtime][cc-runtime] and [hyperhq/runv][runv]. 
21 | 22 | ## Testing & Tools 23 | 24 | * [huawei-openlab/oct][oct] - Open Container Testing framework for OCI configuration and runtime 25 | * [kunalkushwaha/octool][octool] - A config linter and validator. 26 | * [opencontainers/runtime-tools][runtime-tools] - A config generator and runtime/bundle testing framework. 27 | 28 | [bubblewrap]: https://github.com/projectatomic/bubblewrap 29 | [bwrap-oci]: https://github.com/projectatomic/bwrap-oci 30 | [cc-runtime]: https://github.com/clearcontainers/runtime 31 | [crun]: https://github.com/containers/crun 32 | [gvisor]: https://github.com/google/gvisor 33 | [kata-runtime]: https://github.com/kata-containers/runtime 34 | [nspawn]: https://www.freedesktop.org/software/systemd/man/latest/systemd-nspawn.html 35 | [oct]: https://github.com/huawei-openlab/oct 36 | [octool]: https://github.com/kunalkushwaha/octool 37 | [runc]: https://github.com/opencontainers/runc 38 | [rune]: https://github.com/alibaba/inclavare-containers 39 | [runtime-tools]: https://github.com/opencontainers/runtime-tools 40 | [runv]: https://github.com/hyperhq/runv 41 | [systemd]: https://github.com/systemd/systemd 42 | [virtcontainers]: https://github.com/containers/virtcontainers 43 | [youki]: https://github.com/containers/youki 44 | -------------------------------------------------------------------------------- /principles.md: -------------------------------------------------------------------------------- 1 | # The 5 principles of Standard Containers 2 | 3 | Define a unit of software delivery called a Standard Container. 4 | The goal of a Standard Container is to encapsulate a software component and all its dependencies in a format that is self-describing and portable, so that any compliant runtime can run it without extra dependencies, regardless of the underlying machine and the contents of the container. 5 | 6 | The specification for Standard Containers defines: 7 | 8 | 1. configuration file formats 9 | 2. a set of standard operations 10 | 3. 
an execution environment. 11 | 12 | A great analogy for this is the physical shipping container used by the transportation industry. 13 | Shipping containers are a fundamental unit of delivery, they can be lifted, stacked, locked, loaded, unloaded and labelled. 14 | Irrespective of their contents, by standardizing the container itself it allowed for a consistent, more streamlined and efficient set of processes to be defined. 15 | For software Standard Containers offer similar functionality by being the fundamental, standardized, unit of delivery for a software package. 16 | 17 | ## 1. Standard operations 18 | 19 | Standard Containers define a set of STANDARD OPERATIONS. 20 | They can be created, started, and stopped using standard container tools; copied and snapshotted using standard filesystem tools; and downloaded and uploaded using standard network tools. 21 | 22 | ## 2. Content-agnostic 23 | 24 | Standard Containers are CONTENT-AGNOSTIC: all standard operations have the same effect regardless of the contents. 25 | They are started in the same way whether they contain a postgres database, a php application with its dependencies and application server, or Java build artifacts. 26 | 27 | ## 3. Infrastructure-agnostic 28 | 29 | Standard Containers are INFRASTRUCTURE-AGNOSTIC: they can be run in any OCI supported infrastructure. 30 | For example, a standard container can be bundled on a laptop, uploaded to cloud storage, downloaded, run and snapshotted by a build server at a fiber hotel in Virginia, uploaded to 10 staging servers in a home-made private cloud cluster, then sent to 30 production instances across 3 public cloud regions. 31 | 32 | ## 4. Designed for automation 33 | 34 | Standard Containers are DESIGNED FOR AUTOMATION: because they offer the same standard operations regardless of content and infrastructure, Standard Containers, are extremely well-suited for automation. 35 | In fact, you could say automation is their secret weapon. 
36 | 37 | Many things that once required time-consuming and error-prone human effort can now be programmed. 38 | Before Standard Containers, by the time a software component ran in production, it had been individually built, configured, bundled, documented, patched, vendored, templated, tweaked and instrumented by 10 different people on 10 different computers. 39 | Builds failed, libraries conflicted, mirrors crashed, post-it notes were lost, logs were misplaced, cluster updates were half-broken. 40 | The process was slow, inefficient and cost a fortune - and was entirely different depending on the language and infrastructure provider. 41 | 42 | ## 5. Industrial-grade delivery 43 | 44 | Standard Containers make INDUSTRIAL-GRADE DELIVERY of software a reality. 45 | Leveraging all of the properties listed above, Standard Containers are enabling large and small enterprises to streamline and automate their software delivery pipelines. 46 | Whether it is in-house devOps flows, or external customer-based software delivery mechanisms, Standard Containers are changing the way the community thinks about software packaging and delivery. 47 | -------------------------------------------------------------------------------- /runtime-linux.md: -------------------------------------------------------------------------------- 1 | # Linux Runtime 2 | 3 | ## File descriptors 4 | 5 | By default, only the `stdin`, `stdout` and `stderr` file descriptors are kept open for the application by the runtime. 6 | The runtime MAY pass additional file descriptors to the application to support features such as [socket activation][socket-activated-containers]. 7 | Some of the file descriptors MAY be redirected to `/dev/null` even though they are open. 
8 | 9 | ## Dev symbolic links 10 | 11 | While creating the container (step 2 in the [lifecycle](runtime.md#lifecycle)), runtimes MUST create the following symlinks if the source file exists after processing [`mounts`](config.md#mounts): 12 | 13 | | Source | Destination | 14 | | --------------- | ----------- | 15 | | /proc/self/fd | /dev/fd | 16 | | /proc/self/fd/0 | /dev/stdin | 17 | | /proc/self/fd/1 | /dev/stdout | 18 | | /proc/self/fd/2 | /dev/stderr | 19 | 20 | 21 | [socket-activated-containers]: https://0pointer.de/blog/projects/socket-activated-containers.html 22 | -------------------------------------------------------------------------------- /runtime.md: -------------------------------------------------------------------------------- 1 | # Runtime and Lifecycle 2 | 3 | ## Scope of a Container 4 | 5 | The entity using a runtime to create a container MUST be able to use the operations defined in this specification against that same container. 6 | Whether other entities using the same, or another, instance of the runtime can see that container is out of scope of this specification. 7 | 8 | ## State 9 | 10 | The state of a container includes the following properties: 11 | 12 | * **`ociVersion`** (string, REQUIRED) is the version of the Open Container Initiative Runtime Specification with which the state complies. 13 | * **`id`** (string, REQUIRED) is the container's ID. 14 | This MUST be unique across all containers on this host. 15 | There is no requirement that it be unique across hosts. 16 | * **`status`** (string, REQUIRED) is the runtime state of the container. 
17 | The value MAY be one of: 18 | 19 | * `creating`: the container is being created (step 2 in the [lifecycle](#lifecycle)) 20 | * `created`: the runtime has finished the [create operation](#create) (after step 2 in the [lifecycle](#lifecycle)), and the container process has neither exited nor executed the user-specified program 21 | * `running`: the container process has executed the user-specified program but has not exited (after step 8 in the [lifecycle](#lifecycle)) 22 | * `stopped`: the container process has exited (step 10 in the [lifecycle](#lifecycle)) 23 | 24 | Additional values MAY be defined by the runtime, however, they MUST be used to represent new runtime states not defined above. 25 | * **`pid`** (int, REQUIRED when `status` is `created` or `running` on Linux, OPTIONAL on other platforms) is the ID of the container process. 26 | For hooks executed in the runtime namespace, it is the pid as seen by the runtime. 27 | For hooks executed in the container namespace, it is the pid as seen by the container. 28 | * **`bundle`** (string, REQUIRED) is the absolute path to the container's bundle directory. 29 | This is provided so that consumers can find the container's configuration and root filesystem on the host. 30 | * **`annotations`** (map, OPTIONAL) contains the list of annotations associated with the container. 31 | If no annotations were provided then this property MAY either be absent or an empty map. 32 | 33 | The state MAY include additional properties. 34 | 35 | When serialized in JSON, the format MUST adhere to the JSON Schema [`schema/state-schema.json`](schema/state-schema.json). 36 | 37 | See [Query State](#query-state) for information on retrieving the state of a container. 
38 | 39 | ### Example 40 | 41 | ```json 42 | { 43 | "ociVersion": "0.2.0", 44 | "id": "oci-container1", 45 | "status": "running", 46 | "pid": 4422, 47 | "bundle": "/containers/redis", 48 | "annotations": { 49 | "myKey": "myValue" 50 | } 51 | } 52 | ``` 53 | 54 | ## Lifecycle 55 | The lifecycle describes the timeline of events that happen from when a container is created to when it ceases to exist. 56 | 57 | 1. OCI compliant runtime's [`create`](runtime.md#create) command is invoked with a reference to the location of the bundle and a unique identifier. 58 | 2. The container's runtime environment MUST be created according to the configuration in [`config.json`](config.md). 59 | If the runtime is unable to create the environment specified in the [`config.json`](config.md), it MUST [generate an error](#errors). 60 | While the resources requested in the [`config.json`](config.md) MUST be created, the user-specified program (from [`process`](config.md#process)) MUST NOT be run at this time. 61 | Any updates to [`config.json`](config.md) after this step MUST NOT affect the container. 62 | 3. The [`prestart` hooks](config.md#prestart) MUST be invoked by the runtime. 63 | If any `prestart` hook fails, the runtime MUST [generate an error](#errors), stop the container, and continue the lifecycle at step 12. 64 | 4. The [`createRuntime` hooks](config.md#createRuntime-hooks) MUST be invoked by the runtime. 65 | If any `createRuntime` hook fails, the runtime MUST [generate an error](#errors), stop the container, and continue the lifecycle at step 12. 66 | 5. The [`createContainer` hooks](config.md#createContainer-hooks) MUST be invoked by the runtime. 67 | If any `createContainer` hook fails, the runtime MUST [generate an error](#errors), stop the container, and continue the lifecycle at step 12. 68 | 6. Runtime's [`start`](runtime.md#start) command is invoked with the unique identifier of the container. 69 | 7. 
The [`startContainer` hooks](config.md#startContainer-hooks) MUST be invoked by the runtime. 70 | If any `startContainer` hook fails, the runtime MUST [generate an error](#errors), stop the container, and continue the lifecycle at step 12. 71 | 8. The runtime MUST run the user-specified program, as specified by [`process`](config.md#process). 72 | 9. The [`poststart` hooks](config.md#poststart) MUST be invoked by the runtime. 73 | If any `poststart` hook fails, the runtime MUST [log a warning](#warnings), but the remaining hooks and lifecycle continue as if the hook had succeeded. 74 | 10. The container process exits. 75 | This MAY happen due to erroring out, exiting, crashing or the runtime's [`kill`](runtime.md#kill) operation being invoked. 76 | 11. Runtime's [`delete`](runtime.md#delete) command is invoked with the unique identifier of the container. 77 | 12. The container MUST be destroyed by undoing the steps performed during create phase (step 2). 78 | 13. The [`poststop` hooks](config.md#poststop) MUST be invoked by the runtime. 79 | If any `poststop` hook fails, the runtime MUST [log a warning](#warnings), but the remaining hooks and lifecycle continue as if the hook had succeeded. 80 | 81 | ## Errors 82 | 83 | In cases where the specified operation generates an error, this specification does not mandate how, or even if, that error is returned or exposed to the user of an implementation. 84 | Unless otherwise stated, generating an error MUST leave the state of the environment as if the operation were never attempted - modulo any possible trivial ancillary changes such as logging. 85 | 86 | ## Warnings 87 | 88 | In cases where the specified operation logs a warning, this specification does not mandate how, or even if, that warning is returned or exposed to the user of an implementation. 89 | Unless otherwise stated, logging a warning does not change the flow of the operation; it MUST continue as if the warning had not been logged. 
90 | 91 | ## Operations 92 | 93 | Unless otherwise stated, runtimes MUST support the following operations. 94 | 95 | Note: these operations are not specifying any command-line APIs, and the parameters are inputs for general operations. 96 | 97 | ### Query State 98 | 99 | `state ` 100 | 101 | This operation MUST [generate an error](#errors) if it is not provided the ID of a container. 102 | Attempting to query a container that does not exist MUST [generate an error](#errors). 103 | This operation MUST return the state of a container as specified in the [State](#state) section. 104 | 105 | ### Create 106 | 107 | `create ` 108 | 109 | This operation MUST [generate an error](#errors) if it is not provided a path to the bundle and the container ID to associate with the container. 110 | If the ID provided is not unique across all containers within the scope of the runtime, or is not valid in any other way, the implementation MUST [generate an error](#errors) and a new container MUST NOT be created. 111 | This operation MUST create a new container. 112 | 113 | All of the properties configured in [`config.json`](config.md) except for [`process`](config.md#process) MUST be applied. 114 | [`process.args`](config.md#process) MUST NOT be applied until triggered by the [`start`](#start) operation. 115 | The remaining `process` properties MAY be applied by this operation. 116 | If the runtime cannot apply a property as specified in the [configuration](config.md), it MUST [generate an error](#errors) and a new container MUST NOT be created. 117 | 118 | The runtime MAY validate `config.json` against this spec, either generically or with respect to the local system capabilities, before creating the container ([step 2](#lifecycle)). 119 | [Runtime callers](glossary.md#runtime-caller) who are interested in pre-create validation can run [bundle-validation tools](implementations.md#testing--tools) before invoking the create operation. 
120 | 121 | Any changes made to the [`config.json`](config.md) file after this operation will not have an effect on the container. 122 | 123 | ### Start 124 | `start ` 125 | 126 | This operation MUST [generate an error](#errors) if it is not provided the container ID. 127 | Attempting to `start` a container that is not [`created`](#state) MUST have no effect on the container and MUST [generate an error](#errors). 128 | This operation MUST run the user-specified program as specified by [`process`](config.md#process). 129 | This operation MUST generate an error if `process` was not set. 130 | 131 | ### Kill 132 | `kill ` 133 | 134 | This operation MUST [generate an error](#errors) if it is not provided the container ID. 135 | Attempting to send a signal to a container that is neither [`created` nor `running`](#state) MUST have no effect on the container and MUST [generate an error](#errors). 136 | This operation MUST send the specified signal to the container process. 137 | 138 | ### Delete 139 | `delete ` 140 | 141 | This operation MUST [generate an error](#errors) if it is not provided the container ID. 142 | Attempting to `delete` a container that is not [`stopped`](#state) MUST have no effect on the container and MUST [generate an error](#errors). 143 | Deleting a container MUST delete the resources that were created during the `create` step. 144 | Note that resources associated with the container, but not created by this container, MUST NOT be deleted. 145 | Once a container is deleted its ID MAY be used by a subsequent container. 146 | 147 | 148 | ## Hooks 149 | Many of the operations specified in this specification have "hooks" that allow for additional actions to be taken before or after each operation. 150 | See [runtime configuration for hooks](./config.md#posix-platform-hooks) for more information. 
151 | -------------------------------------------------------------------------------- /schema/Makefile: -------------------------------------------------------------------------------- 1 | GOOD_TESTS = $(wildcard test/good/*.json) 2 | BAD_TESTS = $(wildcard test/bad/*.json) 3 | 4 | default: validate 5 | 6 | help: 7 | @echo "Usage: make [target]" 8 | @echo 9 | @echo " * 'fmt' - format the json with indentation" 10 | @echo " * 'help' - show this help information" 11 | @echo " * 'validate' - build the validation tool" 12 | 13 | fmt: 14 | find . -name '*.json' -exec bash -c 'jq --indent 4 -M . {} > xx && mv xx {} || echo "skipping invalid {}"' \; 15 | 16 | .PHONY: validate 17 | validate: validate.go 18 | GO111MODULE=auto go get github.com/xeipuuv/gojsonschema 19 | GO111MODULE=auto go build ./validate.go 20 | 21 | test: validate $(TESTS) 22 | for TYPE in $$(ls test); \ 23 | do \ 24 | echo "testing $${TYPE}"; \ 25 | for FILE in $$(ls "test/$${TYPE}/good"); \ 26 | do \ 27 | echo " testing test/$${TYPE}/good/$${FILE}"; \ 28 | if ./validate "$${TYPE}-schema.json" "test/$${TYPE}/good/$${FILE}" ; \ 29 | then \ 30 | echo " received expected validation success" ; \ 31 | else \ 32 | echo " received unexpected validation failure" ; \ 33 | exit 1; \ 34 | fi \ 35 | done; \ 36 | for FILE in $$(ls "test/$${TYPE}/bad"); \ 37 | do \ 38 | echo " testing test/$${TYPE}/bad/$${FILE}"; \ 39 | if ./validate "$${TYPE}-schema.json" "test/$${TYPE}/bad/$${FILE}" ; \ 40 | then \ 41 | echo " received unexpected validation success" ; \ 42 | exit 1; \ 43 | else \ 44 | echo " received expected validation failure" ; \ 45 | fi \ 46 | done; \ 47 | done 48 | 49 | clean: 50 | rm -f validate 51 | -------------------------------------------------------------------------------- /schema/README.md: -------------------------------------------------------------------------------- 1 | # JSON schema 2 | 3 | ## Overview 4 | 5 | This directory contains the [JSON Schema](https://json-schema.org) for validating JSON 
covered by this specification. 6 | 7 | The layout of the files is as follows: 8 | 9 | * [config-schema.json](config-schema.json) - the primary entrypoint for the [configuration](../config.md) schema 10 | * [config-linux.json](config-linux.json) - the [Linux-specific configuration sub-structure](../config-linux.md) 11 | * [config-solaris.json](config-solaris.json) - the [Solaris-specific configuration sub-structure](../config-solaris.md) 12 | * [config-windows.json](config-windows.json) - the [Windows-specific configuration sub-structure](../config-windows.md) 13 | * [state-schema.json](state-schema.json) - the primary entrypoint for the [state JSON](../runtime.md#state) schema 14 | * [defs.json](defs.json) - definitions for general types 15 | * [defs-linux.json](defs-linux.json) - definitions for Linux-specific types 16 | * [defs-windows.json](defs-windows.json) - definitions for Windows-specific types 17 | * [validate.go](validate.go) - validation utility source code 18 | 19 | 20 | ## Utility 21 | 22 | There is also included a simple utility for facilitating validation. 
23 | To build it: 24 | 25 | ```bash 26 | go get github.com/xeipuuv/gojsonschema 27 | go build ./validate.go 28 | ``` 29 | 30 | Or you can just use make command to create the utility: 31 | 32 | ```bash 33 | make validate 34 | ``` 35 | 36 | Then use it like: 37 | 38 | ```bash 39 | ./validate config-schema.json /config.json 40 | ``` 41 | 42 | Or like: 43 | 44 | ```bash 45 | ./validate https://raw.githubusercontent.com/opencontainers/runtime-spec//schema/config-schema.json /config.json 46 | ``` 47 | -------------------------------------------------------------------------------- /schema/config-linux.json: -------------------------------------------------------------------------------- 1 | { 2 | "linux": { 3 | "description": "Linux platform-specific configurations", 4 | "type": "object", 5 | "properties": { 6 | "devices": { 7 | "type": "array", 8 | "items": { 9 | "$ref": "defs-linux.json#/definitions/Device" 10 | } 11 | }, 12 | "netDevices": { 13 | "type": "object", 14 | "additionalProperties": { 15 | "$ref": "defs-linux.json#/definitions/NetDevice" 16 | } 17 | }, 18 | "uidMappings": { 19 | "type": "array", 20 | "items": { 21 | "$ref": "defs.json#/definitions/IDMapping" 22 | } 23 | }, 24 | "gidMappings": { 25 | "type": "array", 26 | "items": { 27 | "$ref": "defs.json#/definitions/IDMapping" 28 | } 29 | }, 30 | "namespaces": { 31 | "type": "array", 32 | "items": { 33 | "anyOf": [ 34 | { 35 | "$ref": "defs-linux.json#/definitions/NamespaceReference" 36 | } 37 | ] 38 | } 39 | }, 40 | "resources": { 41 | "type": "object", 42 | "properties": { 43 | "unified": { 44 | "$ref": "defs.json#/definitions/mapStringString" 45 | }, 46 | "devices": { 47 | "type": "array", 48 | "items": { 49 | "$ref": "defs-linux.json#/definitions/DeviceCgroup" 50 | } 51 | }, 52 | "pids": { 53 | "type": "object", 54 | "properties": { 55 | "limit": { 56 | "$ref": "defs.json#/definitions/int64" 57 | } 58 | }, 59 | "required": [ 60 | "limit" 61 | ] 62 | }, 63 | "blockIO": { 64 | "type": "object", 65 | 
"properties": { 66 | "weight": { 67 | "$ref": "defs-linux.json#/definitions/weight" 68 | }, 69 | "leafWeight": { 70 | "$ref": "defs-linux.json#/definitions/weight" 71 | }, 72 | "throttleReadBpsDevice": { 73 | "type": "array", 74 | "items": { 75 | "$ref": "defs-linux.json#/definitions/blockIODeviceThrottle" 76 | } 77 | }, 78 | "throttleWriteBpsDevice": { 79 | "type": "array", 80 | "items": { 81 | "$ref": "defs-linux.json#/definitions/blockIODeviceThrottle" 82 | } 83 | }, 84 | "throttleReadIOPSDevice": { 85 | "type": "array", 86 | "items": { 87 | "$ref": "defs-linux.json#/definitions/blockIODeviceThrottle" 88 | } 89 | }, 90 | "throttleWriteIOPSDevice": { 91 | "type": "array", 92 | "items": { 93 | "$ref": "defs-linux.json#/definitions/blockIODeviceThrottle" 94 | } 95 | }, 96 | "weightDevice": { 97 | "type": "array", 98 | "items": { 99 | "$ref": "defs-linux.json#/definitions/blockIODeviceWeight" 100 | } 101 | } 102 | } 103 | }, 104 | "cpu": { 105 | "type": "object", 106 | "properties": { 107 | "cpus": { 108 | "type": "string" 109 | }, 110 | "mems": { 111 | "type": "string" 112 | }, 113 | "period": { 114 | "$ref": "defs.json#/definitions/uint64" 115 | }, 116 | "quota": { 117 | "$ref": "defs.json#/definitions/int64" 118 | }, 119 | "burst": { 120 | "$ref": "defs.json#/definitions/uint64" 121 | }, 122 | "realtimePeriod": { 123 | "$ref": "defs.json#/definitions/uint64" 124 | }, 125 | "realtimeRuntime": { 126 | "$ref": "defs.json#/definitions/int64" 127 | }, 128 | "shares": { 129 | "$ref": "defs.json#/definitions/uint64" 130 | }, 131 | "idle": { 132 | "$ref": "defs.json#/definitions/int64" 133 | } 134 | } 135 | }, 136 | "hugepageLimits": { 137 | "type": "array", 138 | "items": { 139 | "type": "object", 140 | "properties": { 141 | "pageSize": { 142 | "type": "string", 143 | "pattern": "^[1-9][0-9]*[KMG]B$" 144 | }, 145 | "limit": { 146 | "$ref": "defs.json#/definitions/uint64" 147 | } 148 | }, 149 | "required": [ 150 | "pageSize", 151 | "limit" 152 | ] 153 | } 154 | }, 155 | 
"memory": { 156 | "type": "object", 157 | "properties": { 158 | "kernel": { 159 | "$ref": "defs.json#/definitions/int64" 160 | }, 161 | "kernelTCP": { 162 | "$ref": "defs.json#/definitions/int64" 163 | }, 164 | "limit": { 165 | "$ref": "defs.json#/definitions/int64" 166 | }, 167 | "reservation": { 168 | "$ref": "defs.json#/definitions/int64" 169 | }, 170 | "swap": { 171 | "$ref": "defs.json#/definitions/int64" 172 | }, 173 | "swappiness": { 174 | "$ref": "defs.json#/definitions/uint64" 175 | }, 176 | "disableOOMKiller": { 177 | "type": "boolean" 178 | }, 179 | "useHierarchy": { 180 | "type": "boolean" 181 | }, 182 | "checkBeforeUpdate": { 183 | "type": "boolean" 184 | } 185 | } 186 | }, 187 | "network": { 188 | "type": "object", 189 | "properties": { 190 | "classID": { 191 | "$ref": "defs.json#/definitions/uint32" 192 | }, 193 | "priorities": { 194 | "type": "array", 195 | "items": { 196 | "$ref": "defs-linux.json#/definitions/NetworkInterfacePriority" 197 | } 198 | } 199 | } 200 | }, 201 | "rdma": { 202 | "type": "object", 203 | "additionalProperties": { 204 | "$ref": "defs-linux.json#/definitions/Rdma" 205 | } 206 | } 207 | } 208 | }, 209 | "cgroupsPath": { 210 | "type": "string" 211 | }, 212 | "rootfsPropagation": { 213 | "$ref": "defs-linux.json#/definitions/RootfsPropagation" 214 | }, 215 | "seccomp": { 216 | "type": "object", 217 | "properties": { 218 | "defaultAction": { 219 | "$ref": "defs-linux.json#/definitions/SeccompAction" 220 | }, 221 | "defaultErrnoRet": { 222 | "$ref": "defs.json#/definitions/uint32" 223 | }, 224 | "flags": { 225 | "type": "array", 226 | "items": { 227 | "$ref": "defs-linux.json#/definitions/SeccompFlag" 228 | } 229 | }, 230 | "listenerPath": { 231 | "type": "string" 232 | }, 233 | "listenerMetadata": { 234 | "type": "string" 235 | }, 236 | "architectures": { 237 | "type": "array", 238 | "items": { 239 | "$ref": "defs-linux.json#/definitions/SeccompArch" 240 | } 241 | }, 242 | "syscalls": { 243 | "type": "array", 244 | "items": { 
245 | "$ref": "defs-linux.json#/definitions/Syscall" 246 | } 247 | } 248 | }, 249 | "required": [ 250 | "defaultAction" 251 | ] 252 | }, 253 | "sysctl": { 254 | "$ref": "defs.json#/definitions/mapStringString" 255 | }, 256 | "maskedPaths": { 257 | "$ref": "defs.json#/definitions/ArrayOfStrings" 258 | }, 259 | "readonlyPaths": { 260 | "$ref": "defs.json#/definitions/ArrayOfStrings" 261 | }, 262 | "mountLabel": { 263 | "type": "string" 264 | }, 265 | "intelRdt": { 266 | "type": "object", 267 | "properties": { 268 | "closID": { 269 | "type": "string" 270 | }, 271 | "schemata": { 272 | "$ref": "defs.json#/definitions/ArrayOfStrings" 273 | }, 274 | "l3CacheSchema": { 275 | "type": "string" 276 | }, 277 | "memBwSchema": { 278 | "type": "string", 279 | "pattern": "^MB:[^\\n]*$" 280 | }, 281 | "enableCMT": { 282 | "type": "boolean" 283 | }, 284 | "enableMBM": { 285 | "type": "boolean" 286 | } 287 | } 288 | }, 289 | "personality": { 290 | "type": "object", 291 | "$ref": "defs-linux.json#/definitions/Personality" 292 | }, 293 | "timeOffsets": { 294 | "type": "object", 295 | "properties": { 296 | "boottime": { 297 | "$ref": "defs-linux.json#/definitions/TimeOffsets" 298 | }, 299 | "monotonic": { 300 | "$ref": "defs-linux.json#/definitions/TimeOffsets" 301 | } 302 | } 303 | } 304 | } 305 | } 306 | } 307 | -------------------------------------------------------------------------------- /schema/config-schema.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Open Container Initiative Runtime Specification Container Configuration Schema", 3 | "$schema": "http://json-schema.org/draft-04/schema#", 4 | "type": "object", 5 | "properties": { 6 | "ociVersion": { 7 | "$ref": "defs.json#/definitions/ociVersion" 8 | }, 9 | "hooks": { 10 | "type": "object", 11 | "properties": { 12 | "prestart": { 13 | "$ref": "defs.json#/definitions/ArrayOfHooks" 14 | }, 15 | "createRuntime": { 16 | "$ref": "defs.json#/definitions/ArrayOfHooks" 
17 | }, 18 | "createContainer": { 19 | "$ref": "defs.json#/definitions/ArrayOfHooks" 20 | }, 21 | "startContainer": { 22 | "$ref": "defs.json#/definitions/ArrayOfHooks" 23 | }, 24 | "poststart": { 25 | "$ref": "defs.json#/definitions/ArrayOfHooks" 26 | }, 27 | "poststop": { 28 | "$ref": "defs.json#/definitions/ArrayOfHooks" 29 | } 30 | } 31 | }, 32 | "annotations": { 33 | "$ref": "defs.json#/definitions/annotations" 34 | }, 35 | "hostname": { 36 | "type": "string" 37 | }, 38 | "domainname": { 39 | "type": "string" 40 | }, 41 | "mounts": { 42 | "type": "array", 43 | "items": { 44 | "$ref": "defs.json#/definitions/Mount" 45 | } 46 | }, 47 | "root": { 48 | "description": "Configures the container's root filesystem.", 49 | "type": "object", 50 | "required": [ 51 | "path" 52 | ], 53 | "properties": { 54 | "path": { 55 | "$ref": "defs.json#/definitions/FilePath" 56 | }, 57 | "readonly": { 58 | "type": "boolean" 59 | } 60 | } 61 | }, 62 | "process": { 63 | "type": "object", 64 | "required": [ 65 | "cwd" 66 | ], 67 | "properties": { 68 | "args": { 69 | "$ref": "defs.json#/definitions/ArrayOfStrings" 70 | }, 71 | "commandLine": { 72 | "type": "string" 73 | }, 74 | "consoleSize": { 75 | "type": "object", 76 | "required": [ 77 | "height", 78 | "width" 79 | ], 80 | "properties": { 81 | "height": { 82 | "$ref": "defs.json#/definitions/uint64" 83 | }, 84 | "width": { 85 | "$ref": "defs.json#/definitions/uint64" 86 | } 87 | } 88 | }, 89 | "cwd": { 90 | "type": "string" 91 | }, 92 | "env": { 93 | "$ref": "defs.json#/definitions/Env" 94 | }, 95 | "terminal": { 96 | "type": "boolean" 97 | }, 98 | "user": { 99 | "type": "object", 100 | "properties": { 101 | "uid": { 102 | "$ref": "defs.json#/definitions/UID" 103 | }, 104 | "gid": { 105 | "$ref": "defs.json#/definitions/GID" 106 | }, 107 | "umask": { 108 | "$ref": "defs.json#/definitions/Umask" 109 | }, 110 | "additionalGids": { 111 | "$ref": "defs.json#/definitions/ArrayOfGIDs" 112 | }, 113 | "username": { 114 | "type": "string" 115 
| } 116 | } 117 | }, 118 | "capabilities": { 119 | "type": "object", 120 | "properties": { 121 | "bounding": { 122 | "$ref": "defs.json#/definitions/ArrayOfStrings" 123 | }, 124 | "permitted": { 125 | "$ref": "defs.json#/definitions/ArrayOfStrings" 126 | }, 127 | "effective": { 128 | "$ref": "defs.json#/definitions/ArrayOfStrings" 129 | }, 130 | "inheritable": { 131 | "$ref": "defs.json#/definitions/ArrayOfStrings" 132 | }, 133 | "ambient": { 134 | "$ref": "defs.json#/definitions/ArrayOfStrings" 135 | } 136 | } 137 | }, 138 | "apparmorProfile": { 139 | "type": "string" 140 | }, 141 | "oomScoreAdj": { 142 | "type": "integer" 143 | }, 144 | "selinuxLabel": { 145 | "type": "string" 146 | }, 147 | "ioPriority": { 148 | "type": "object", 149 | "required": [ 150 | "class" 151 | ], 152 | "properties": { 153 | "class": { 154 | "type": "string", 155 | "enum": [ 156 | "IOPRIO_CLASS_RT", 157 | "IOPRIO_CLASS_BE", 158 | "IOPRIO_CLASS_IDLE" 159 | ] 160 | }, 161 | "priority": { 162 | "$ref": "defs.json#/definitions/int32" 163 | } 164 | } 165 | }, 166 | "noNewPrivileges": { 167 | "type": "boolean" 168 | }, 169 | "scheduler": { 170 | "type": "object", 171 | "required": [ 172 | "policy" 173 | ], 174 | "properties": { 175 | "policy": { 176 | "$ref": "defs-linux.json#/definitions/SchedulerPolicy" 177 | }, 178 | "nice": { 179 | "$ref": "defs.json#/definitions/int32" 180 | }, 181 | "priority": { 182 | "$ref": "defs.json#/definitions/int32" 183 | }, 184 | "flags": { 185 | "type": "array", 186 | "items": { 187 | "$ref": "defs-linux.json#/definitions/SchedulerFlag" 188 | } 189 | }, 190 | "runtime": { 191 | "$ref": "defs.json#/definitions/uint64" 192 | }, 193 | "deadline": { 194 | "$ref": "defs.json#/definitions/uint64" 195 | }, 196 | "period": { 197 | "$ref": "defs.json#/definitions/uint64" 198 | } 199 | } 200 | }, 201 | "rlimits": { 202 | "type": "array", 203 | "items": { 204 | "type": "object", 205 | "required": [ 206 | "type", 207 | "soft", 208 | "hard" 209 | ], 210 | "properties": { 
211 | "hard": { 212 | "$ref": "defs.json#/definitions/uint64" 213 | }, 214 | "soft": { 215 | "$ref": "defs.json#/definitions/uint64" 216 | }, 217 | "type": { 218 | "type": "string", 219 | "pattern": "^RLIMIT_[A-Z]+$" 220 | } 221 | } 222 | } 223 | }, 224 | "execCPUAffinity": { 225 | "type": "object", 226 | "properties": { 227 | "initial": { 228 | "type": "string", 229 | "pattern": "^[0-9, -]*$" 230 | }, 231 | "final": { 232 | "type": "string", 233 | "pattern": "^[0-9, -]*$" 234 | } 235 | } 236 | } 237 | } 238 | }, 239 | "linux": { 240 | "$ref": "config-linux.json#/linux" 241 | }, 242 | "solaris": { 243 | "$ref": "config-solaris.json#/solaris" 244 | }, 245 | "windows": { 246 | "$ref": "config-windows.json#/windows" 247 | }, 248 | "vm": { 249 | "$ref": "config-vm.json#/vm" 250 | }, 251 | "zos": { 252 | "$ref": "config-zos.json#/zos" 253 | } 254 | }, 255 | "required": [ 256 | "ociVersion" 257 | ] 258 | } 259 | -------------------------------------------------------------------------------- /schema/config-solaris.json: -------------------------------------------------------------------------------- 1 | { 2 | "solaris": { 3 | "description": "Solaris platform-specific configurations", 4 | "type": "object", 5 | "properties": { 6 | "milestone": { 7 | "type": "string" 8 | }, 9 | "limitpriv": { 10 | "type": "string" 11 | }, 12 | "maxShmMemory": { 13 | "type": "string" 14 | }, 15 | "cappedCPU": { 16 | "type": "object", 17 | "properties": { 18 | "ncpus": { 19 | "type": "string" 20 | } 21 | } 22 | }, 23 | "cappedMemory": { 24 | "type": "object", 25 | "properties": { 26 | "physical": { 27 | "type": "string" 28 | }, 29 | "swap": { 30 | "type": "string" 31 | } 32 | } 33 | }, 34 | "anet": { 35 | "type": "array", 36 | "items": { 37 | "type": "object", 38 | "properties": { 39 | "linkname": { 40 | "type": "string" 41 | }, 42 | "lowerLink": { 43 | "type": "string" 44 | }, 45 | "allowedAddress": { 46 | "type": "string" 47 | }, 48 | "configureAllowedAddress": { 49 | "type": "string" 50 | 
}, 51 | "defrouter": { 52 | "type": "string" 53 | }, 54 | "macAddress": { 55 | "type": "string" 56 | }, 57 | "linkProtection": { 58 | "type": "string" 59 | } 60 | } 61 | } 62 | } 63 | } 64 | } 65 | } 66 | -------------------------------------------------------------------------------- /schema/config-vm.json: -------------------------------------------------------------------------------- 1 | { 2 | "vm": { 3 | "description": "configuration for virtual-machine-based containers", 4 | "type": "object", 5 | "required": [ 6 | "kernel" 7 | ], 8 | "properties": { 9 | "hypervisor": { 10 | "description": "hypervisor config used by VM-based containers", 11 | "type": "object", 12 | "required": [ 13 | "path" 14 | ], 15 | "properties": { 16 | "path": { 17 | "$ref": "defs.json#/definitions/FilePath" 18 | }, 19 | "parameters": { 20 | "$ref": "defs.json#/definitions/ArrayOfStrings" 21 | } 22 | } 23 | }, 24 | "kernel": { 25 | "description": "kernel config used by VM-based containers", 26 | "type": "object", 27 | "required": [ 28 | "path" 29 | ], 30 | "properties": { 31 | "path": { 32 | "$ref": "defs.json#/definitions/FilePath" 33 | }, 34 | "parameters": { 35 | "$ref": "defs.json#/definitions/ArrayOfStrings" 36 | }, 37 | "initrd": { 38 | "$ref": "defs.json#/definitions/FilePath" 39 | } 40 | } 41 | }, 42 | "image": { 43 | "description": "root image config used by VM-based containers", 44 | "type": "object", 45 | "required": [ 46 | "path", 47 | "format" 48 | ], 49 | "properties": { 50 | "path": { 51 | "$ref": "defs.json#/definitions/FilePath" 52 | }, 53 | "format": { 54 | "$ref": "defs-vm.json#/definitions/RootImageFormat" 55 | } 56 | } 57 | } 58 | } 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /schema/config-windows.json: -------------------------------------------------------------------------------- 1 | { 2 | "windows": { 3 | "description": "Windows platform-specific configurations", 4 | "type": "object", 5 | "properties": { 6 | 
"layerFolders": { 7 | "type": "array", 8 | "items": { 9 | "$ref": "defs.json#/definitions/FilePath" 10 | }, 11 | "minItems": 1 12 | }, 13 | "devices": { 14 | "type": "array", 15 | "items": { 16 | "$ref": "defs-windows.json#/definitions/Device" 17 | } 18 | }, 19 | "resources": { 20 | "type": "object", 21 | "properties": { 22 | "memory": { 23 | "type": "object", 24 | "properties": { 25 | "limit": { 26 | "$ref": "defs.json#/definitions/uint64" 27 | } 28 | } 29 | }, 30 | "cpu": { 31 | "type": "object", 32 | "properties": { 33 | "count": { 34 | "$ref": "defs.json#/definitions/uint64" 35 | }, 36 | "shares": { 37 | "$ref": "defs.json#/definitions/uint16" 38 | }, 39 | "maximum": { 40 | "$ref": "defs.json#/definitions/uint16" 41 | }, 42 | "affinity": { 43 | "type": "object", 44 | "properties": { 45 | "mask": { 46 | "$ref": "defs.json#/definitions/uint64" 47 | }, 48 | "group": { 49 | "$ref": "defs.json#/definitions/uint32" 50 | } 51 | } 52 | } 53 | } 54 | }, 55 | "storage": { 56 | "type": "object", 57 | "properties": { 58 | "iops": { 59 | "$ref": "defs.json#/definitions/uint64" 60 | }, 61 | "bps": { 62 | "$ref": "defs.json#/definitions/uint64" 63 | }, 64 | "sandboxSize": { 65 | "$ref": "defs.json#/definitions/uint64" 66 | } 67 | } 68 | } 69 | } 70 | }, 71 | "network": { 72 | "type": "object", 73 | "properties": { 74 | "endpointList": { 75 | "$ref": "defs.json#/definitions/ArrayOfStrings" 76 | }, 77 | "allowUnqualifiedDNSQuery": { 78 | "type": "boolean" 79 | }, 80 | "DNSSearchList": { 81 | "$ref": "defs.json#/definitions/ArrayOfStrings" 82 | }, 83 | "networkSharedContainerName": { 84 | "type": "string" 85 | }, 86 | "networkNamespace": { 87 | "type": "string" 88 | } 89 | } 90 | }, 91 | "credentialSpec": { 92 | "type": "object" 93 | }, 94 | "servicing": { 95 | "type": "boolean" 96 | }, 97 | "ignoreFlushesDuringBoot": { 98 | "type": "boolean" 99 | }, 100 | "hyperv": { 101 | "type": "object", 102 | "properties": { 103 | "utilityVMPath": { 104 | "type": "string" 105 | } 106 | } 
107 | } 108 | }, 109 | "required": [ 110 | "layerFolders" 111 | ] 112 | } 113 | } 114 | -------------------------------------------------------------------------------- /schema/config-zos.json: -------------------------------------------------------------------------------- 1 | { 2 | "zos": { 3 | "description": "z/OS platform-specific configurations", 4 | "type": "object", 5 | "properties": { 6 | "namespaces": { 7 | "type": "array", 8 | "items": { 9 | "anyOf": [ 10 | { 11 | "$ref": "defs-zos.json#/definitions/NamespaceReference" 12 | } 13 | ] 14 | } 15 | } 16 | } 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /schema/defs-linux.json: -------------------------------------------------------------------------------- 1 | { 2 | "definitions": { 3 | "PersonalityDomain": { 4 | "type": "string", 5 | "enum": [ 6 | "LINUX", 7 | "LINUX32" 8 | ] 9 | }, 10 | "Personality": { 11 | "type": "object", 12 | "properties": { 13 | "domain": { 14 | "$ref": "#/definitions/PersonalityDomain" 15 | }, 16 | "flags": { 17 | "$ref": "defs.json#/definitions/ArrayOfStrings" 18 | } 19 | } 20 | }, 21 | "RootfsPropagation": { 22 | "type": "string", 23 | "enum": [ 24 | "private", 25 | "shared", 26 | "slave", 27 | "unbindable" 28 | ] 29 | }, 30 | "SeccompArch": { 31 | "type": "string", 32 | "enum": [ 33 | "SCMP_ARCH_X86", 34 | "SCMP_ARCH_X86_64", 35 | "SCMP_ARCH_X32", 36 | "SCMP_ARCH_ARM", 37 | "SCMP_ARCH_AARCH64", 38 | "SCMP_ARCH_LOONGARCH64", 39 | "SCMP_ARCH_M68K", 40 | "SCMP_ARCH_MIPS", 41 | "SCMP_ARCH_MIPS64", 42 | "SCMP_ARCH_MIPS64N32", 43 | "SCMP_ARCH_MIPSEL", 44 | "SCMP_ARCH_MIPSEL64", 45 | "SCMP_ARCH_MIPSEL64N32", 46 | "SCMP_ARCH_PPC", 47 | "SCMP_ARCH_PPC64", 48 | "SCMP_ARCH_PPC64LE", 49 | "SCMP_ARCH_S390", 50 | "SCMP_ARCH_S390X", 51 | "SCMP_ARCH_SH", 52 | "SCMP_ARCH_SHEB", 53 | "SCMP_ARCH_PARISC", 54 | "SCMP_ARCH_PARISC64", 55 | "SCMP_ARCH_RISCV64" 56 | ] 57 | }, 58 | "SeccompAction": { 59 | "type": "string", 60 | "enum": [ 61 | 
"SCMP_ACT_KILL", 62 | "SCMP_ACT_KILL_PROCESS", 63 | "SCMP_ACT_KILL_THREAD", 64 | "SCMP_ACT_TRAP", 65 | "SCMP_ACT_ERRNO", 66 | "SCMP_ACT_TRACE", 67 | "SCMP_ACT_ALLOW", 68 | "SCMP_ACT_LOG", 69 | "SCMP_ACT_NOTIFY" 70 | ] 71 | }, 72 | "SeccompFlag": { 73 | "type": "string", 74 | "enum": [ 75 | "SECCOMP_FILTER_FLAG_TSYNC", 76 | "SECCOMP_FILTER_FLAG_LOG", 77 | "SECCOMP_FILTER_FLAG_SPEC_ALLOW", 78 | "SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV" 79 | ] 80 | }, 81 | "SeccompOperators": { 82 | "type": "string", 83 | "enum": [ 84 | "SCMP_CMP_NE", 85 | "SCMP_CMP_LT", 86 | "SCMP_CMP_LE", 87 | "SCMP_CMP_EQ", 88 | "SCMP_CMP_GE", 89 | "SCMP_CMP_GT", 90 | "SCMP_CMP_MASKED_EQ" 91 | ] 92 | }, 93 | "SyscallArg": { 94 | "type": "object", 95 | "properties": { 96 | "index": { 97 | "$ref": "defs.json#/definitions/uint32" 98 | }, 99 | "value": { 100 | "$ref": "defs.json#/definitions/uint64" 101 | }, 102 | "valueTwo": { 103 | "$ref": "defs.json#/definitions/uint64" 104 | }, 105 | "op": { 106 | "$ref": "#/definitions/SeccompOperators" 107 | } 108 | }, 109 | "required": [ 110 | "index", 111 | "value", 112 | "op" 113 | ] 114 | }, 115 | "Syscall": { 116 | "type": "object", 117 | "properties": { 118 | "names": { 119 | "type": "array", 120 | "items": { 121 | "type": "string" 122 | }, 123 | "minItems": 1 124 | }, 125 | "action": { 126 | "$ref": "#/definitions/SeccompAction" 127 | }, 128 | "errnoRet": { 129 | "$ref": "defs.json#/definitions/uint32" 130 | }, 131 | "args": { 132 | "type": "array", 133 | "items": { 134 | "$ref": "#/definitions/SyscallArg" 135 | } 136 | } 137 | }, 138 | "required": [ 139 | "names", 140 | "action" 141 | ] 142 | }, 143 | "Major": { 144 | "description": "major device number", 145 | "$ref": "defs.json#/definitions/int64" 146 | }, 147 | "Minor": { 148 | "description": "minor device number", 149 | "$ref": "defs.json#/definitions/int64" 150 | }, 151 | "FileMode": { 152 | "description": "File permissions mode (typically an octal value)", 153 | "type": "integer", 154 | "minimum": 0, 
155 | "maximum": 512 156 | }, 157 | "FileType": { 158 | "description": "Type of a block or special character device", 159 | "type": "string", 160 | "pattern": "^[cbup]$" 161 | }, 162 | "Device": { 163 | "type": "object", 164 | "required": [ 165 | "type", 166 | "path" 167 | ], 168 | "properties": { 169 | "type": { 170 | "$ref": "#/definitions/FileType" 171 | }, 172 | "path": { 173 | "$ref": "defs.json#/definitions/FilePath" 174 | }, 175 | "fileMode": { 176 | "$ref": "#/definitions/FileMode" 177 | }, 178 | "major": { 179 | "$ref": "#/definitions/Major" 180 | }, 181 | "minor": { 182 | "$ref": "#/definitions/Minor" 183 | }, 184 | "uid": { 185 | "$ref": "defs.json#/definitions/UID" 186 | }, 187 | "gid": { 188 | "$ref": "defs.json#/definitions/GID" 189 | } 190 | } 191 | }, 192 | "NetDevice": { 193 | "type": "object", 194 | "properties": { 195 | "name": { 196 | "type": "string" 197 | } 198 | } 199 | }, 200 | "weight": { 201 | "$ref": "defs.json#/definitions/uint16" 202 | }, 203 | "blockIODevice": { 204 | "type": "object", 205 | "properties": { 206 | "major": { 207 | "$ref": "#/definitions/Major" 208 | }, 209 | "minor": { 210 | "$ref": "#/definitions/Minor" 211 | } 212 | }, 213 | "required": [ 214 | "major", 215 | "minor" 216 | ] 217 | }, 218 | "blockIODeviceWeight": { 219 | "type": "object", 220 | "allOf": [ 221 | { 222 | "$ref": "#/definitions/blockIODevice" 223 | }, 224 | { 225 | "type": "object", 226 | "properties": { 227 | "weight": { 228 | "$ref": "#/definitions/weight" 229 | }, 230 | "leafWeight": { 231 | "$ref": "#/definitions/weight" 232 | } 233 | } 234 | } 235 | ] 236 | }, 237 | "blockIODeviceThrottle": { 238 | "allOf": [ 239 | { 240 | "$ref": "#/definitions/blockIODevice" 241 | }, 242 | { 243 | "type": "object", 244 | "properties": { 245 | "rate": { 246 | "$ref": "defs.json#/definitions/uint64" 247 | } 248 | } 249 | } 250 | ] 251 | }, 252 | "DeviceCgroup": { 253 | "type": "object", 254 | "properties": { 255 | "allow": { 256 | "type": "boolean" 257 | }, 258 | 
"type": { 259 | "type": "string" 260 | }, 261 | "major": { 262 | "$ref": "#/definitions/Major" 263 | }, 264 | "minor": { 265 | "$ref": "#/definitions/Minor" 266 | }, 267 | "access": { 268 | "type": "string" 269 | } 270 | }, 271 | "required": [ 272 | "allow" 273 | ] 274 | }, 275 | "NetworkInterfacePriority": { 276 | "type": "object", 277 | "properties": { 278 | "name": { 279 | "type": "string" 280 | }, 281 | "priority": { 282 | "$ref": "defs.json#/definitions/uint32" 283 | } 284 | }, 285 | "required": [ 286 | "name", 287 | "priority" 288 | ] 289 | }, 290 | "Rdma": { 291 | "type": "object", 292 | "properties": { 293 | "hcaHandles": { 294 | "$ref": "defs.json#/definitions/uint32" 295 | }, 296 | "hcaObjects": { 297 | "$ref": "defs.json#/definitions/uint32" 298 | } 299 | } 300 | }, 301 | "NamespaceType": { 302 | "type": "string", 303 | "enum": [ 304 | "mount", 305 | "pid", 306 | "network", 307 | "uts", 308 | "ipc", 309 | "user", 310 | "cgroup", 311 | "time" 312 | ] 313 | }, 314 | "NamespaceReference": { 315 | "type": "object", 316 | "properties": { 317 | "type": { 318 | "$ref": "#/definitions/NamespaceType" 319 | }, 320 | "path": { 321 | "$ref": "defs.json#/definitions/FilePath" 322 | } 323 | }, 324 | "required": [ 325 | "type" 326 | ] 327 | }, 328 | "TimeOffsets": { 329 | "type": "object", 330 | "properties": { 331 | "secs": { 332 | "$ref": "defs.json#/definitions/int64" 333 | }, 334 | "nanosecs": { 335 | "$ref": "defs.json#/definitions/uint32" 336 | } 337 | } 338 | }, 339 | "SchedulerPolicy": { 340 | "type": "string", 341 | "enum": [ 342 | "SCHED_OTHER", 343 | "SCHED_FIFO", 344 | "SCHED_RR", 345 | "SCHED_BATCH", 346 | "SCHED_ISO", 347 | "SCHED_IDLE", 348 | "SCHED_DEADLINE" 349 | ] 350 | }, 351 | "SchedulerFlag": { 352 | "type": "string", 353 | "enum": [ 354 | "SCHED_FLAG_RESET_ON_FORK", 355 | "SCHED_FLAG_RECLAIM", 356 | "SCHED_FLAG_DL_OVERRUN", 357 | "SCHED_FLAG_KEEP_POLICY", 358 | "SCHED_FLAG_KEEP_PARAMS", 359 | "SCHED_FLAG_UTIL_CLAMP_MIN", 360 | 
"SCHED_FLAG_UTIL_CLAMP_MAX" 361 | ] 362 | } 363 | } 364 | } 365 | -------------------------------------------------------------------------------- /schema/defs-vm.json: -------------------------------------------------------------------------------- 1 | { 2 | "definitions": { 3 | "RootImageFormat": { 4 | "type": "string", 5 | "enum": [ 6 | "raw", 7 | "qcow2", 8 | "vdi", 9 | "vmdk", 10 | "vhd" 11 | ] 12 | } 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /schema/defs-windows.json: -------------------------------------------------------------------------------- 1 | { 2 | "definitions": { 3 | "Device": { 4 | "type": "object", 5 | "properties": { 6 | "id": { 7 | "type": "string" 8 | }, 9 | "idType": { 10 | "type": "string", 11 | "enum": [ 12 | "class" 13 | ] 14 | } 15 | }, 16 | "required": [ 17 | "id", 18 | "idType" 19 | ] 20 | } 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /schema/defs-zos.json: -------------------------------------------------------------------------------- 1 | { 2 | "definitions": { 3 | "NamespaceType": { 4 | "type": "string", 5 | "enum": [ 6 | "mount", 7 | "pid", 8 | "uts", 9 | "ipc" 10 | ] 11 | }, 12 | "NamespaceReference": { 13 | "type": "object", 14 | "properties": { 15 | "type": { 16 | "$ref": "#/definitions/NamespaceType" 17 | }, 18 | "path": { 19 | "$ref": "defs.json#/definitions/FilePath" 20 | } 21 | }, 22 | "required": [ 23 | "type" 24 | ] 25 | } 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /schema/defs.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Definitions used throughout the Open Container Initiative Runtime Specification", 3 | "definitions": { 4 | "int8": { 5 | "type": "integer", 6 | "minimum": -128, 7 | "maximum": 127 8 | }, 9 | "int16": { 10 | "type": "integer", 11 | "minimum": -32768, 12 | "maximum": 32767 
13 | }, 14 | "int32": { 15 | "type": "integer", 16 | "minimum": -2147483648, 17 | "maximum": 2147483647 18 | }, 19 | "int64": { 20 | "type": "integer", 21 | "minimum": -9223372036854775808, 22 | "maximum": 9223372036854775807 23 | }, 24 | "uint8": { 25 | "type": "integer", 26 | "minimum": 0, 27 | "maximum": 255 28 | }, 29 | "uint16": { 30 | "type": "integer", 31 | "minimum": 0, 32 | "maximum": 65535 33 | }, 34 | "uint32": { 35 | "type": "integer", 36 | "minimum": 0, 37 | "maximum": 4294967295 38 | }, 39 | "uint64": { 40 | "type": "integer", 41 | "minimum": 0, 42 | "maximum": 18446744073709551615 43 | }, 44 | "percent": { 45 | "type": "integer", 46 | "minimum": 0, 47 | "maximum": 100 48 | }, 49 | "mapStringString": { 50 | "type": "object", 51 | "patternProperties": { 52 | ".{1,}": { 53 | "type": "string" 54 | } 55 | } 56 | }, 57 | "UID": { 58 | "$ref": "#/definitions/uint32" 59 | }, 60 | "GID": { 61 | "$ref": "#/definitions/uint32" 62 | }, 63 | "Umask": { 64 | "$ref": "#/definitions/uint32" 65 | }, 66 | "ArrayOfGIDs": { 67 | "type": "array", 68 | "items": { 69 | "$ref": "#/definitions/GID" 70 | } 71 | }, 72 | "ArrayOfStrings": { 73 | "type": "array", 74 | "items": { 75 | "type": "string" 76 | } 77 | }, 78 | "FilePath": { 79 | "type": "string" 80 | }, 81 | "Env": { 82 | "$ref": "#/definitions/ArrayOfStrings" 83 | }, 84 | "Hook": { 85 | "type": "object", 86 | "properties": { 87 | "path": { 88 | "$ref": "#/definitions/FilePath" 89 | }, 90 | "args": { 91 | "$ref": "#/definitions/ArrayOfStrings" 92 | }, 93 | "env": { 94 | "$ref": "#/definitions/Env" 95 | }, 96 | "timeout": { 97 | "type": "integer", 98 | "minimum": 1 99 | } 100 | }, 101 | "required": [ 102 | "path" 103 | ] 104 | }, 105 | "ArrayOfHooks": { 106 | "type": "array", 107 | "items": { 108 | "$ref": "#/definitions/Hook" 109 | } 110 | }, 111 | "IDMapping": { 112 | "type": "object", 113 | "properties": { 114 | "containerID": { 115 | "$ref": "#/definitions/uint32" 116 | }, 117 | "hostID": { 118 | "$ref": 
"#/definitions/uint32" 119 | }, 120 | "size": { 121 | "$ref": "#/definitions/uint32" 122 | } 123 | }, 124 | "required": [ 125 | "containerID", 126 | "hostID", 127 | "size" 128 | ] 129 | }, 130 | "Mount": { 131 | "type": "object", 132 | "properties": { 133 | "source": { 134 | "$ref": "#/definitions/FilePath" 135 | }, 136 | "destination": { 137 | "$ref": "#/definitions/FilePath" 138 | }, 139 | "options": { 140 | "$ref": "#/definitions/ArrayOfStrings" 141 | }, 142 | "type": { 143 | "type": "string" 144 | }, 145 | "uidMappings": { 146 | "type": "array", 147 | "items": { 148 | "$ref": "#/definitions/IDMapping" 149 | } 150 | }, 151 | "gidMappings": { 152 | "type": "array", 153 | "items": { 154 | "$ref": "#/definitions/IDMapping" 155 | } 156 | } 157 | }, 158 | "required": [ 159 | "destination" 160 | ] 161 | }, 162 | "ociVersion": { 163 | "description": "The version of Open Container Initiative Runtime Specification that the document complies with", 164 | "type": "string" 165 | }, 166 | "annotations": { 167 | "$ref": "#/definitions/mapStringString" 168 | } 169 | } 170 | } 171 | -------------------------------------------------------------------------------- /schema/features-linux.json: -------------------------------------------------------------------------------- 1 | { 2 | "linux": { 3 | "description": "Linux platform-specific features", 4 | "type": "object", 5 | "properties": { 6 | "namespaces": { 7 | "type": "array", 8 | "items": { 9 | "$ref": "defs-linux.json#/definitions/NamespaceType" 10 | } 11 | }, 12 | "capabilities": { 13 | "type": "array", 14 | "items": { 15 | "type": "string", 16 | "pattern": "^CAP_[A-Z_]+$" 17 | } 18 | }, 19 | "cgroup": { 20 | "type": "object", 21 | "properties": { 22 | "v1": { 23 | "type": "boolean" 24 | }, 25 | "v2": { 26 | "type": "boolean" 27 | }, 28 | "systemd": { 29 | "type": "boolean" 30 | }, 31 | "systemdUser": { 32 | "type": "boolean" 33 | }, 34 | "rdma": { 35 | "type": "boolean" 36 | } 37 | } 38 | }, 39 | "seccomp": { 40 | "type": 
"object", 41 | "properties": { 42 | "enabled": { 43 | "type": "boolean" 44 | }, 45 | "actions": { 46 | "type": "array", 47 | "items": { 48 | "$ref": "defs-linux.json#/definitions/SeccompAction" 49 | } 50 | }, 51 | "operators": { 52 | "type": "array", 53 | "items": { 54 | "$ref": "defs-linux.json#/definitions/SeccompOperators" 55 | } 56 | }, 57 | "archs": { 58 | "type": "array", 59 | "items": { 60 | "$ref": "defs-linux.json#/definitions/SeccompArch" 61 | } 62 | }, 63 | "knownFlags": { 64 | "type": "array", 65 | "items": { 66 | "$ref": "defs-linux.json#/definitions/SeccompFlag" 67 | } 68 | }, 69 | "supportedFlags": { 70 | "type": "array", 71 | "items": { 72 | "$ref": "defs-linux.json#/definitions/SeccompFlag" 73 | } 74 | } 75 | } 76 | }, 77 | "apparmor": { 78 | "type": "object", 79 | "properties": { 80 | "enabled": { 81 | "type": "boolean" 82 | } 83 | } 84 | }, 85 | "selinux": { 86 | "type": "object", 87 | "properties": { 88 | "enabled": { 89 | "type": "boolean" 90 | } 91 | } 92 | }, 93 | "intelRdt": { 94 | "type": "object", 95 | "properties": { 96 | "enabled": { 97 | "type": "boolean" 98 | } 99 | } 100 | }, 101 | "mountExtensions": { 102 | "type": "object", 103 | "properties": { 104 | "idmap": { 105 | "type": "object", 106 | "properties": { 107 | "enabled": { 108 | "type": "boolean" 109 | } 110 | } 111 | } 112 | } 113 | }, 114 | "netDevices": { 115 | "type": "object", 116 | "properties": { 117 | "enabled": { 118 | "type": "boolean" 119 | } 120 | } 121 | } 122 | } 123 | } 124 | } 125 | -------------------------------------------------------------------------------- /schema/features-schema.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Open Container Initiative Runtime Specification Runtime Features Schema", 3 | "$schema": "http://json-schema.org/draft-04/schema#", 4 | "type": "object", 5 | "properties": { 6 | "ociVersionMin": { 7 | "$ref": "defs.json#/definitions/ociVersion" 8 | }, 9 | "ociVersionMax": 
{ 10 | "$ref": "defs.json#/definitions/ociVersion" 11 | }, 12 | "hooks": { 13 | "$ref": "defs.json#/definitions/ArrayOfStrings" 14 | }, 15 | "mountOptions": { 16 | "$ref": "defs.json#/definitions/ArrayOfStrings" 17 | }, 18 | "annotations": { 19 | "$ref": "defs.json#/definitions/annotations" 20 | }, 21 | "potentiallyUnsafeConfigAnnotations": { 22 | "$ref": "defs.json#/definitions/ArrayOfStrings" 23 | }, 24 | "linux": { 25 | "$ref": "features-linux.json#/linux" 26 | } 27 | }, 28 | "required": [ 29 | "ociVersionMin", 30 | "ociVersionMax" 31 | ] 32 | } 33 | -------------------------------------------------------------------------------- /schema/state-schema.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Open Container Runtime State Schema", 3 | "$schema": "http://json-schema.org/draft-04/schema#", 4 | "type": "object", 5 | "properties": { 6 | "ociVersion": { 7 | "$ref": "defs.json#/definitions/ociVersion" 8 | }, 9 | "id": { 10 | "description": "the container's ID", 11 | "type": "string" 12 | }, 13 | "status": { 14 | "type": "string", 15 | "enum": [ 16 | "creating", 17 | "created", 18 | "running", 19 | "stopped" 20 | ] 21 | }, 22 | "pid": { 23 | "type": "integer", 24 | "minimum": 0 25 | }, 26 | "bundle": { 27 | "type": "string" 28 | }, 29 | "annotations": { 30 | "$ref": "defs.json#/definitions/annotations" 31 | } 32 | }, 33 | "required": [ 34 | "ociVersion", 35 | "id", 36 | "status", 37 | "bundle" 38 | ] 39 | } 40 | -------------------------------------------------------------------------------- /schema/test/config/bad/invalid-json.json: -------------------------------------------------------------------------------- 1 | {] 2 | -------------------------------------------------------------------------------- /schema/test/config/bad/linux-hugepage.json: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "1.0.0", 3 | "root": { 4 | "path": "rootfs" 5 | }, 
6 | "linux": { 7 | "resources": { 8 | "hugepageLimits": [ 9 | { 10 | "limit": 1234123, 11 | "pageSize": "64kB" 12 | } 13 | ] 14 | } 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /schema/test/config/bad/linux-netdevice.json: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "1.0.0", 3 | "root": { 4 | "path": "rootfs" 5 | }, 6 | "linux": { 7 | "netDevices": { 8 | "eth0": { 9 | "name": 23 10 | } 11 | } 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /schema/test/config/bad/linux-rdma.json: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "1.0.0", 3 | "root": { 4 | "path": "rootfs" 5 | }, 6 | "linux": { 7 | "resources": { 8 | "rdma": { 9 | "mlx5_1": { 10 | "hcaHandles": "not a uint32" 11 | } 12 | } 13 | } 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /schema/test/config/good/linux-netdevice.json: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "1.0.0", 3 | "root": { 4 | "path": "rootfs" 5 | }, 6 | "linux": { 7 | "netDevices": { 8 | "eth0": { 9 | "name": "container_eth0" 10 | }, 11 | "ens4": {}, 12 | "ens5": {} 13 | } 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /schema/test/config/good/linux-rdma.json: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "1.0.0", 3 | "root": { 4 | "path": "rootfs" 5 | }, 6 | "linux": { 7 | "resources": { 8 | "rdma": { 9 | "mlx5_1": { 10 | "hcaHandles": 3, 11 | "hcaObjects": 10000 12 | }, 13 | "mlx4_0": { 14 | "hcaObjects": 1000 15 | }, 16 | "rxe3": { 17 | "hcaObjects": 10000 18 | } 19 | } 20 | } 21 | } 22 | } 23 | -------------------------------------------------------------------------------- 
/schema/test/config/good/minimal-for-start.json: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "1.0.0", 3 | "root": { 4 | "path": "rootfs" 5 | }, 6 | "process": { 7 | "cwd": "/", 8 | "args": [ 9 | "sh" 10 | ], 11 | "user": { 12 | "uid": 0, 13 | "gid": 0 14 | } 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /schema/test/config/good/minimal.json: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "1.0.0", 3 | "root": { 4 | "path": "rootfs" 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /schema/test/config/good/spec-example.json: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "0.5.0-dev", 3 | "process": { 4 | "terminal": true, 5 | "user": { 6 | "uid": 1, 7 | "gid": 1, 8 | "additionalGids": [ 9 | 5, 10 | 6 11 | ] 12 | }, 13 | "args": [ 14 | "sh" 15 | ], 16 | "env": [ 17 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 18 | "TERM=xterm" 19 | ], 20 | "cwd": "/", 21 | "capabilities": { 22 | "bounding": [ 23 | "CAP_AUDIT_WRITE", 24 | "CAP_KILL", 25 | "CAP_NET_BIND_SERVICE" 26 | ], 27 | "permitted": [ 28 | "CAP_AUDIT_WRITE", 29 | "CAP_KILL", 30 | "CAP_NET_BIND_SERVICE" 31 | ], 32 | "inheritable": [ 33 | "CAP_AUDIT_WRITE", 34 | "CAP_KILL", 35 | "CAP_NET_BIND_SERVICE" 36 | ], 37 | "effective": [ 38 | "CAP_AUDIT_WRITE", 39 | "CAP_KILL" 40 | ], 41 | "ambient": [ 42 | "CAP_NET_BIND_SERVICE" 43 | ] 44 | }, 45 | "rlimits": [ 46 | { 47 | "type": "RLIMIT_CORE", 48 | "hard": 1024, 49 | "soft": 1024 50 | }, 51 | { 52 | "type": "RLIMIT_NOFILE", 53 | "hard": 1024, 54 | "soft": 1024 55 | } 56 | ], 57 | "apparmorProfile": "acme_secure_profile", 58 | "selinuxLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675", 59 | "noNewPrivileges": true 60 | }, 61 | "root": { 62 | "path": "rootfs", 63 | 
"readonly": true 64 | }, 65 | "hostname": "slartibartfast", 66 | "domainname": "foobarbaz.test", 67 | "mounts": [ 68 | { 69 | "destination": "/proc", 70 | "type": "proc", 71 | "source": "proc" 72 | }, 73 | { 74 | "destination": "/dev", 75 | "type": "tmpfs", 76 | "source": "tmpfs", 77 | "options": [ 78 | "nosuid", 79 | "strictatime", 80 | "mode=755", 81 | "size=65536k" 82 | ] 83 | }, 84 | { 85 | "destination": "/dev/pts", 86 | "type": "devpts", 87 | "source": "devpts", 88 | "options": [ 89 | "nosuid", 90 | "noexec", 91 | "newinstance", 92 | "ptmxmode=0666", 93 | "mode=0620", 94 | "gid=5" 95 | ] 96 | }, 97 | { 98 | "destination": "/dev/shm", 99 | "type": "tmpfs", 100 | "source": "shm", 101 | "options": [ 102 | "nosuid", 103 | "noexec", 104 | "nodev", 105 | "mode=1777", 106 | "size=65536k" 107 | ] 108 | }, 109 | { 110 | "destination": "/dev/mqueue", 111 | "type": "mqueue", 112 | "source": "mqueue", 113 | "options": [ 114 | "nosuid", 115 | "noexec", 116 | "nodev" 117 | ] 118 | }, 119 | { 120 | "destination": "/sys", 121 | "type": "sysfs", 122 | "source": "sysfs", 123 | "options": [ 124 | "nosuid", 125 | "noexec", 126 | "nodev" 127 | ] 128 | }, 129 | { 130 | "destination": "/sys/fs/cgroup", 131 | "type": "cgroup", 132 | "source": "cgroup", 133 | "options": [ 134 | "nosuid", 135 | "noexec", 136 | "nodev", 137 | "relatime", 138 | "ro" 139 | ] 140 | } 141 | ], 142 | "hooks": { 143 | "prestart": [ 144 | { 145 | "path": "/usr/bin/fix-mounts", 146 | "args": [ 147 | "fix-mounts", 148 | "arg1", 149 | "arg2" 150 | ], 151 | "env": [ 152 | "key1=value1" 153 | ] 154 | }, 155 | { 156 | "path": "/usr/bin/setup-network" 157 | } 158 | ], 159 | "createRuntime": [ 160 | { 161 | "path": "/usr/bin/fix-mounts", 162 | "args": [ 163 | "fix-mounts", 164 | "arg1", 165 | "arg2" 166 | ], 167 | "env": [ 168 | "key1=value1" 169 | ] 170 | }, 171 | { 172 | "path": "/usr/bin/setup-network" 173 | } 174 | ], 175 | "createContainer": [ 176 | { 177 | "path": "/usr/bin/mount-hook", 178 | "args": [ 179 | 
"-mount", 180 | "arg1", 181 | "arg2" 182 | ], 183 | "env": [ 184 | "key1=value1" 185 | ] 186 | } 187 | ], 188 | "startContainer": [ 189 | { 190 | "path": "/usr/bin/refresh-ldcache" 191 | } 192 | ], 193 | "poststart": [ 194 | { 195 | "path": "/usr/bin/notify-start", 196 | "timeout": 5 197 | } 198 | ], 199 | "poststop": [ 200 | { 201 | "path": "/usr/sbin/cleanup.sh", 202 | "args": [ 203 | "cleanup.sh", 204 | "-f" 205 | ] 206 | } 207 | ] 208 | }, 209 | "linux": { 210 | "devices": [ 211 | { 212 | "path": "/dev/fuse", 213 | "type": "c", 214 | "major": 10, 215 | "minor": 229, 216 | "fileMode": 438, 217 | "uid": 0, 218 | "gid": 0 219 | }, 220 | { 221 | "path": "/dev/sda", 222 | "type": "b", 223 | "major": 8, 224 | "minor": 0, 225 | "fileMode": 432, 226 | "uid": 0, 227 | "gid": 0 228 | } 229 | ], 230 | "uidMappings": [ 231 | { 232 | "containerID": 0, 233 | "hostID": 1000, 234 | "size": 32000 235 | } 236 | ], 237 | "gidMappings": [ 238 | { 239 | "containerID": 0, 240 | "hostID": 1000, 241 | "size": 32000 242 | } 243 | ], 244 | "sysctl": { 245 | "net.ipv4.ip_forward": "1", 246 | "net.core.somaxconn": "256" 247 | }, 248 | "cgroupsPath": "/myRuntime/myContainer", 249 | "resources": { 250 | "network": { 251 | "classID": 1048577, 252 | "priorities": [ 253 | { 254 | "name": "eth0", 255 | "priority": 500 256 | }, 257 | { 258 | "name": "eth1", 259 | "priority": 1000 260 | } 261 | ] 262 | }, 263 | "pids": { 264 | "limit": 32771 265 | }, 266 | "hugepageLimits": [ 267 | { 268 | "pageSize": "2MB", 269 | "limit": 9223372036854772000 270 | }, 271 | { 272 | "pageSize": "64KB", 273 | "limit": 1000000 274 | } 275 | ], 276 | "oomScoreAdj": 100, 277 | "memory": { 278 | "limit": 536870912, 279 | "reservation": 536870912, 280 | "swap": 536870912, 281 | "kernel": -1, 282 | "kernelTCP": -1, 283 | "swappiness": 0, 284 | "disableOOMKiller": false, 285 | "useHierarchy": false, 286 | "checkBeforeUpdate": false 287 | }, 288 | "cpu": { 289 | "shares": 1024, 290 | "quota": 1000000, 291 | "burst": 
1000000, 292 | "period": 500000, 293 | "realtimeRuntime": 950000, 294 | "realtimePeriod": 1000000, 295 | "cpus": "2-3", 296 | "mems": "0-7" 297 | }, 298 | "devices": [ 299 | { 300 | "allow": false, 301 | "access": "rwm" 302 | }, 303 | { 304 | "allow": true, 305 | "type": "c", 306 | "major": 10, 307 | "minor": 229, 308 | "access": "rw" 309 | }, 310 | { 311 | "allow": true, 312 | "type": "b", 313 | "major": 8, 314 | "minor": 0, 315 | "access": "r" 316 | } 317 | ], 318 | "blockIO": { 319 | "weight": 10, 320 | "leafWeight": 10, 321 | "weightDevice": [ 322 | { 323 | "major": 8, 324 | "minor": 0, 325 | "weight": 500, 326 | "leafWeight": 300 327 | }, 328 | { 329 | "major": 8, 330 | "minor": 16, 331 | "weight": 500 332 | } 333 | ], 334 | "throttleReadBpsDevice": [ 335 | { 336 | "major": 8, 337 | "minor": 0, 338 | "rate": 600 339 | } 340 | ], 341 | "throttleWriteIOPSDevice": [ 342 | { 343 | "major": 8, 344 | "minor": 16, 345 | "rate": 300 346 | } 347 | ] 348 | } 349 | }, 350 | "rootfsPropagation": "slave", 351 | "seccomp": { 352 | "defaultAction": "SCMP_ACT_ALLOW", 353 | "architectures": [ 354 | "SCMP_ARCH_X86", 355 | "SCMP_ARCH_X32" 356 | ], 357 | "syscalls": [ 358 | { 359 | "names": [ 360 | "getcwd", 361 | "chmod" 362 | ], 363 | "action": "SCMP_ACT_ERRNO" 364 | } 365 | ] 366 | }, 367 | "timeOffsets": { 368 | "monotonic": { 369 | "secs": 172800, 370 | "nanosecs": 0 371 | }, 372 | "boottime": { 373 | "secs": 604800, 374 | "nanosecs": 0 375 | } 376 | }, 377 | "namespaces": [ 378 | { 379 | "type": "pid" 380 | }, 381 | { 382 | "type": "network" 383 | }, 384 | { 385 | "type": "ipc" 386 | }, 387 | { 388 | "type": "uts" 389 | }, 390 | { 391 | "type": "mount" 392 | }, 393 | { 394 | "type": "user" 395 | }, 396 | { 397 | "type": "cgroup" 398 | }, 399 | { 400 | "type": "time" 401 | } 402 | ], 403 | "maskedPaths": [ 404 | "/proc/kcore", 405 | "/proc/latency_stats", 406 | "/proc/timer_stats", 407 | "/proc/sched_debug" 408 | ], 409 | "readonlyPaths": [ 410 | "/proc/asound", 411 | 
"/proc/bus", 412 | "/proc/fs", 413 | "/proc/irq", 414 | "/proc/sys", 415 | "/proc/sysrq-trigger" 416 | ], 417 | "mountLabel": "system_u:object_r:svirt_sandbox_file_t:s0:c715,c811" 418 | }, 419 | "annotations": { 420 | "com.example.key1": "value1", 421 | "com.example.key2": "value2" 422 | } 423 | } 424 | -------------------------------------------------------------------------------- /schema/test/config/good/zos-example.json: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "0.5.0-dev", 3 | "process": { 4 | "terminal": true, 5 | "user": { 6 | "uid": 1, 7 | "gid": 1, 8 | "additionalGids": [ 9 | 5, 10 | 6 11 | ] 12 | }, 13 | "args": [ 14 | "sh" 15 | ], 16 | "env": [ 17 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/bin", 18 | "TERM=xterm" 19 | ], 20 | "cwd": "/", 21 | "rlimits": [ 22 | { 23 | "type": "RLIMIT_NOFILE", 24 | "hard": 1024, 25 | "soft": 1024 26 | } 27 | ], 28 | "noNewPrivileges": true 29 | }, 30 | "root": { 31 | "path": "rootfs" 32 | }, 33 | "hostname": "slartibartfast", 34 | "mounts": [ 35 | { 36 | "destination": "/proc", 37 | "type": "proc", 38 | "source": "proc" 39 | }, 40 | { 41 | "destination": "/dev", 42 | "type": "tfs", 43 | "source": "tmpfs", 44 | "options": [ 45 | "nosuid", 46 | "-p 1755", 47 | "-s 64" 48 | ] 49 | } 50 | ], 51 | "hooks": { 52 | "prestart": [ 53 | { 54 | "path": "/usr/bin/fix-mounts", 55 | "args": [ 56 | "fix-mounts", 57 | "arg1", 58 | "arg2" 59 | ], 60 | "env": [ 61 | "key1=value1" 62 | ] 63 | }, 64 | { 65 | "path": "/usr/bin/setup-network" 66 | } 67 | ], 68 | "createRuntime": [ 69 | { 70 | "path": "/usr/bin/fix-mounts", 71 | "args": [ 72 | "fix-mounts", 73 | "arg1", 74 | "arg2" 75 | ], 76 | "env": [ 77 | "key1=value1" 78 | ] 79 | }, 80 | { 81 | "path": "/usr/bin/setup-network" 82 | } 83 | ], 84 | "createContainer": [ 85 | { 86 | "path": "/usr/bin/mount-hook", 87 | "args": [ 88 | "-mount", 89 | "arg1", 90 | "arg2" 91 | ], 92 | "env": [ 93 | "key1=value1" 94 | ] 95 
| } 96 | ], 97 | "startContainer": [ 98 | { 99 | "path": "/usr/bin/refresh-ldcache" 100 | } 101 | ], 102 | "poststart": [ 103 | { 104 | "path": "/usr/bin/notify-start", 105 | "timeout": 5 106 | } 107 | ], 108 | "poststop": [ 109 | { 110 | "path": "/usr/sbin/cleanup.sh", 111 | "args": [ 112 | "cleanup.sh", 113 | "-f" 114 | ] 115 | } 116 | ] 117 | }, 118 | "zos": { 119 | "namespaces": [ 120 | { 121 | "type": "pid" 122 | }, 123 | { 124 | "type": "ipc" 125 | }, 126 | { 127 | "type": "uts" 128 | }, 129 | { 130 | "type": "mount" 131 | } 132 | ] 133 | }, 134 | "annotations": { 135 | "com.example.key1": "value1", 136 | "com.example.key2": "value2" 137 | } 138 | } 139 | -------------------------------------------------------------------------------- /schema/test/config/good/zos-minimal.json: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "1.0.0", 3 | "root": { 4 | "path": "rootfs" 5 | }, 6 | "zos": {} 7 | } 8 | -------------------------------------------------------------------------------- /schema/test/features/bad/missing-ociVersionMax.json: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersionMin": "1.1.0" 3 | } 4 | -------------------------------------------------------------------------------- /schema/test/features/good/minimal.json: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersionMin": "1.0.0", 3 | "ociVersionMax": "1.1.0" 4 | } 5 | -------------------------------------------------------------------------------- /schema/test/features/good/runc.json: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersionMin": "1.0.0", 3 | "ociVersionMax": "1.0.2-dev", 4 | "hooks": [ 5 | "prestart", 6 | "createRuntime", 7 | "createContainer", 8 | "startContainer", 9 | "poststart", 10 | "poststop" 11 | ], 12 | "mountOptions": [ 13 | "acl", 14 | "async", 15 | "atime", 16 | "bind", 17 
| "defaults", 18 | "dev", 19 | "diratime", 20 | "dirsync", 21 | "exec", 22 | "iversion", 23 | "lazytime", 24 | "loud", 25 | "mand", 26 | "noacl", 27 | "noatime", 28 | "nodev", 29 | "nodiratime", 30 | "noexec", 31 | "noiversion", 32 | "nolazytime", 33 | "nomand", 34 | "norelatime", 35 | "nostrictatime", 36 | "nosuid", 37 | "nosymfollow", 38 | "private", 39 | "ratime", 40 | "rbind", 41 | "rdev", 42 | "rdiratime", 43 | "relatime", 44 | "remount", 45 | "rexec", 46 | "rnoatime", 47 | "rnodev", 48 | "rnodiratime", 49 | "rnoexec", 50 | "rnorelatime", 51 | "rnostrictatime", 52 | "rnosuid", 53 | "rnosymfollow", 54 | "ro", 55 | "rprivate", 56 | "rrelatime", 57 | "rro", 58 | "rrw", 59 | "rshared", 60 | "rslave", 61 | "rstrictatime", 62 | "rsuid", 63 | "rsymfollow", 64 | "runbindable", 65 | "rw", 66 | "shared", 67 | "silent", 68 | "slave", 69 | "strictatime", 70 | "suid", 71 | "symfollow", 72 | "sync", 73 | "tmpcopyup", 74 | "unbindable" 75 | ], 76 | "linux": { 77 | "namespaces": [ 78 | "cgroup", 79 | "ipc", 80 | "mount", 81 | "network", 82 | "pid", 83 | "user", 84 | "uts" 85 | ], 86 | "capabilities": [ 87 | "CAP_CHOWN", 88 | "CAP_DAC_OVERRIDE", 89 | "CAP_DAC_READ_SEARCH", 90 | "CAP_FOWNER", 91 | "CAP_FSETID", 92 | "CAP_KILL", 93 | "CAP_SETGID", 94 | "CAP_SETUID", 95 | "CAP_SETPCAP", 96 | "CAP_LINUX_IMMUTABLE", 97 | "CAP_NET_BIND_SERVICE", 98 | "CAP_NET_BROADCAST", 99 | "CAP_NET_ADMIN", 100 | "CAP_NET_RAW", 101 | "CAP_IPC_LOCK", 102 | "CAP_IPC_OWNER", 103 | "CAP_SYS_MODULE", 104 | "CAP_SYS_RAWIO", 105 | "CAP_SYS_CHROOT", 106 | "CAP_SYS_PTRACE", 107 | "CAP_SYS_PACCT", 108 | "CAP_SYS_ADMIN", 109 | "CAP_SYS_BOOT", 110 | "CAP_SYS_NICE", 111 | "CAP_SYS_RESOURCE", 112 | "CAP_SYS_TIME", 113 | "CAP_SYS_TTY_CONFIG", 114 | "CAP_MKNOD", 115 | "CAP_LEASE", 116 | "CAP_AUDIT_WRITE", 117 | "CAP_AUDIT_CONTROL", 118 | "CAP_SETFCAP", 119 | "CAP_MAC_OVERRIDE", 120 | "CAP_MAC_ADMIN", 121 | "CAP_SYSLOG", 122 | "CAP_WAKE_ALARM", 123 | "CAP_BLOCK_SUSPEND", 124 | "CAP_AUDIT_READ", 125 | 
"CAP_PERFMON", 126 | "CAP_BPF", 127 | "CAP_CHECKPOINT_RESTORE" 128 | ], 129 | "cgroup": { 130 | "v1": true, 131 | "v2": true, 132 | "systemd": true, 133 | "systemdUser": true 134 | }, 135 | "seccomp": { 136 | "enabled": true, 137 | "actions": [ 138 | "SCMP_ACT_ALLOW", 139 | "SCMP_ACT_ERRNO", 140 | "SCMP_ACT_KILL", 141 | "SCMP_ACT_LOG", 142 | "SCMP_ACT_NOTIFY", 143 | "SCMP_ACT_TRACE", 144 | "SCMP_ACT_TRAP" 145 | ], 146 | "operators": [ 147 | "SCMP_CMP_EQ", 148 | "SCMP_CMP_GE", 149 | "SCMP_CMP_GT", 150 | "SCMP_CMP_LE", 151 | "SCMP_CMP_LT", 152 | "SCMP_CMP_MASKED_EQ", 153 | "SCMP_CMP_NE" 154 | ], 155 | "archs": [ 156 | "SCMP_ARCH_AARCH64", 157 | "SCMP_ARCH_ARM", 158 | "SCMP_ARCH_MIPS", 159 | "SCMP_ARCH_MIPS64", 160 | "SCMP_ARCH_MIPS64N32", 161 | "SCMP_ARCH_MIPSEL", 162 | "SCMP_ARCH_MIPSEL64", 163 | "SCMP_ARCH_MIPSEL64N32", 164 | "SCMP_ARCH_PPC", 165 | "SCMP_ARCH_PPC64", 166 | "SCMP_ARCH_PPC64LE", 167 | "SCMP_ARCH_S390", 168 | "SCMP_ARCH_S390X", 169 | "SCMP_ARCH_X32", 170 | "SCMP_ARCH_X86", 171 | "SCMP_ARCH_X86_64" 172 | ], 173 | "knownFlags": [ 174 | "SECCOMP_FILTER_FLAG_LOG" 175 | ], 176 | "supportedFlags": [ 177 | "SECCOMP_FILTER_FLAG_LOG" 178 | ] 179 | }, 180 | "apparmor": { 181 | "enabled": true 182 | }, 183 | "selinux": { 184 | "enabled": true 185 | }, 186 | "netDevices": { 187 | "enabled": true 188 | } 189 | }, 190 | "annotations": { 191 | "io.github.seccomp.libseccomp.version": "2.5.4", 192 | "org.opencontainers.runc.checkpoint.enabled": "true", 193 | "org.opencontainers.runc.commit": "v1.1.0-368-ga1c51c56", 194 | "org.opencontainers.runc.version": "1.1.0+dev" 195 | } 196 | } 197 | -------------------------------------------------------------------------------- /schema/test/state/bad/invalid-json.json: -------------------------------------------------------------------------------- 1 | {] 2 | -------------------------------------------------------------------------------- /schema/test/state/good/spec-example.json: 
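-------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "0.2.0", 3 | "id": "oci-container1", 4 | "status": "running", 5 | "pid": 4422, 6 | "bundle": "/containers/redis", 7 | "annotations": { 8 | "myKey": "myValue" 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /schema/validate.go: --------------------------------------------------------------------------------
package main

import (
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"

	"github.com/xeipuuv/gojsonschema"
)

const usage = `Validate is used to check document with specified schema.
You can use validate in following ways:

1.specify document file as an argument
validate

2.pass document content through a pipe
cat | validate

3.input document content manually, ended with ctrl+d(or your self-defined EOF keys)
validate
[INPUT DOCUMENT CONTENT HERE]
`

// main validates a JSON document against the JSON schema named by the first
// argument. The document is the second argument when given, otherwise it is
// read in full from stdin.
//
// Exit status is 0 when the document is valid (or help was requested) and 1
// on a usage error, an I/O error, or a validation failure. Diagnostics go to
// stderr so that stdout only carries the verdict and the validation errors.
func main() {
	nargs := len(os.Args[1:])
	if nargs == 0 || nargs > 2 {
		fmt.Fprintf(os.Stderr, "ERROR: invalid arguments number\n\n%s\n", usage)
		os.Exit(1)
	}

	switch os.Args[1] {
	case "help", "--help", "-h":
		fmt.Printf("%s\n", usage)
		// Asking for help is not a failure.
		os.Exit(0)
	}

	schemaPath := os.Args[1]
	// A bare path is checked for existence and turned into a file:// URL.
	// Anything that already carries a scheme is handed to the reference
	// loader untouched, so a schema given as an http(s) URL may be fetched
	// over the network by the loader rather than read from disk.
	if !strings.Contains(schemaPath, "://") {
		var err error
		schemaPath, err = formatFilePath(schemaPath)
		if err != nil {
			fmt.Fprintf(os.Stderr, "ERROR: invalid schema-file path: %s\n", err)
			os.Exit(1)
		}
		schemaPath = "file://" + schemaPath
	}
	schemaLoader := gojsonschema.NewReferenceLoader(schemaPath)

	var documentLoader gojsonschema.JSONLoader
	if nargs > 1 {
		documentPath, err := formatFilePath(os.Args[2])
		if err != nil {
			fmt.Fprintf(os.Stderr, "ERROR: invalid document-file path: %s\n", err)
			os.Exit(1)
		}
		documentLoader = gojsonschema.NewReferenceLoader("file://" + documentPath)
	} else {
		// No document argument: the whole of stdin is the document.
		documentBytes, err := io.ReadAll(os.Stdin)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		documentLoader = gojsonschema.NewStringLoader(string(documentBytes))
	}

	result, err := gojsonschema.Validate(schemaLoader, documentLoader)
	if err != nil {
		// Schema or document could not be loaded/parsed at all.
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}

	if result.Valid() {
		fmt.Printf("The document is valid\n")
		return
	}
	fmt.Printf("The document is not valid. see errors :\n")
	for _, desc := range result.Errors() {
		fmt.Printf("- %s\n", desc)
	}
	os.Exit(1)
}

// formatFilePath checks that path exists and returns its absolute form.
//
// The os.Stat error is returned unchanged so the caller's message keeps the
// *os.PathError detail. Symlinks are not resolved; only the path is made
// absolute.
func formatFilePath(path string) (string, error) {
	if _, err := os.Stat(path); err != nil {
		return "", err
	}
	return filepath.Abs(path)
}
-------------------------------------------------------------------------------- /spec.md: -------------------------------------------------------------------------------- 1 | # Open Container Initiative Runtime Specification 2 | 3 | The [Open Container Initiative][oci] develops specifications for standards on Operating System process and application containers. 4 | 5 | # Abstract 6 | 7 | The Open Container Initiative Runtime Specification aims to specify the configuration, execution environment, and lifecycle of a container. 8 | 9 | A container's configuration is specified as the `config.json` for the supported platforms and details the fields that enable the creation of a container. 10 | The execution environment is specified to ensure that applications running inside a container have a consistent environment between runtimes along with common actions defined for the container's lifecycle. 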
11 | 12 | # Platforms 13 | 14 | Platforms defined by this specification are: 15 | 16 | * `linux`: [runtime.md](runtime.md), [config.md](config.md), [features.md](features.md), [config-linux.md](config-linux.md), [runtime-linux.md](runtime-linux.md), and [features-linux.md](features-linux.md). 17 | * `solaris`: [runtime.md](runtime.md), [config.md](config.md), [features.md](features.md), and [config-solaris.md](config-solaris.md). 18 | * `windows`: [runtime.md](runtime.md), [config.md](config.md), [features.md](features.md), and [config-windows.md](config-windows.md). 19 | * `vm`: [runtime.md](runtime.md), [config.md](config.md), [features.md](features.md), and [config-vm.md](config-vm.md). 20 | * `zos`: [runtime.md](runtime.md), [config.md](config.md), [features.md](features.md), and [config-zos.md](config-zos.md). 21 | 22 | # Table of Contents 23 | 24 | - [Introduction](spec.md) 25 | - [Notational Conventions](#notational-conventions) 26 | - [Container Principles](principles.md) 27 | - [Filesystem Bundle](bundle.md) 28 | - [Runtime and Lifecycle](runtime.md) 29 | - [Linux-specific Runtime and Lifecycle](runtime-linux.md) 30 | - [Configuration](config.md) 31 | - [Linux-specific Configuration](config-linux.md) 32 | - [Solaris-specific Configuration](config-solaris.md) 33 | - [Windows-specific Configuration](config-windows.md) 34 | - [Virtual-Machine-specific Configuration](config-vm.md) 35 | - [z/OS-specific Configuration](config-zos.md) 36 | - [Features Structure](features.md) 37 | - [Linux-specific Features Structure](features-linux.md) 38 | - [Glossary](glossary.md) 39 | 40 | # Notational Conventions 41 | 42 | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in [RFC 2119][rfc2119]. 
43 | 44 | The key words "unspecified", "undefined", and "implementation-defined" are to be interpreted as described in the [rationale for the C99 standard][c99-unspecified]. 45 | 46 | An implementation is not compliant for a given CPU architecture if it fails to satisfy one or more of the MUST, REQUIRED, or SHALL requirements for the [platforms](#platforms) it implements. 47 | An implementation is compliant for a given CPU architecture if it satisfies all the MUST, REQUIRED, and SHALL requirements for the [platforms](#platforms) it implements. 48 | 49 | 50 | [c99-unspecified]: https://www.open-std.org/jtc1/sc22/wg14/www/C99RationaleV5.10.pdf#page=18 51 | [oci]: https://opencontainers.org 52 | [rfc2119]: https://www.rfc-editor.org/rfc/rfc2119.html 53 | -------------------------------------------------------------------------------- /specs-go/features/features.go: -------------------------------------------------------------------------------- 1 | // Package features provides the Features struct. 2 | package features 3 | 4 | // Features represents the supported features of the runtime. 5 | type Features struct { 6 | // OCIVersionMin is the minimum OCI Runtime Spec version recognized by the runtime, e.g., "1.0.0". 7 | OCIVersionMin string `json:"ociVersionMin,omitempty"` 8 | 9 | // OCIVersionMax is the maximum OCI Runtime Spec version recognized by the runtime, e.g., "1.0.2-dev". 10 | OCIVersionMax string `json:"ociVersionMax,omitempty"` 11 | 12 | // Hooks is the list of the recognized hook names, e.g., "createRuntime". 13 | // Nil value means "unknown", not "no support for any hook". 14 | Hooks []string `json:"hooks,omitempty"` 15 | 16 | // MountOptions is the list of the recognized mount options, e.g., "ro". 17 | // Nil value means "unknown", not "no support for any mount option". 18 | // This list does not contain filesystem-specific options passed to mount(2) syscall as (const void *). 
19 | MountOptions []string `json:"mountOptions,omitempty"` 20 | 21 | // Linux is specific to Linux. 22 | Linux *Linux `json:"linux,omitempty"` 23 | 24 | // Annotations contains implementation-specific annotation strings, 25 | // such as the implementation version, and third-party extensions. 26 | Annotations map[string]string `json:"annotations,omitempty"` 27 | 28 | // PotentiallyUnsafeConfigAnnotations is the list of the potentially unsafe annotations 29 | // that may appear in `config.json`. 30 | // 31 | // A value that ends with "." is interpreted as a prefix of annotations. 32 | PotentiallyUnsafeConfigAnnotations []string `json:"potentiallyUnsafeConfigAnnotations,omitempty"` 33 | } 34 | 35 | // Linux is specific to Linux. 36 | type Linux struct { 37 | // Namespaces is the list of the recognized namespaces, e.g., "mount". 38 | // Nil value means "unknown", not "no support for any namespace". 39 | Namespaces []string `json:"namespaces,omitempty"` 40 | 41 | // Capabilities is the list of the recognized capabilities, e.g., "CAP_SYS_ADMIN". 42 | // Nil value means "unknown", not "no support for any capability". 43 | Capabilities []string `json:"capabilities,omitempty"` 44 | 45 | Cgroup *Cgroup `json:"cgroup,omitempty"` 46 | Seccomp *Seccomp `json:"seccomp,omitempty"` 47 | Apparmor *Apparmor `json:"apparmor,omitempty"` 48 | Selinux *Selinux `json:"selinux,omitempty"` 49 | IntelRdt *IntelRdt `json:"intelRdt,omitempty"` 50 | MountExtensions *MountExtensions `json:"mountExtensions,omitempty"` 51 | NetDevices *NetDevices `json:"netDevices,omitempty"` 52 | } 53 | 54 | // Cgroup represents the "cgroup" field. 55 | type Cgroup struct { 56 | // V1 represents whether Cgroup v1 support is compiled in. 57 | // Unrelated to whether the host uses cgroup v1 or not. 58 | // Nil value means "unknown", not "false". 59 | V1 *bool `json:"v1,omitempty"` 60 | 61 | // V2 represents whether Cgroup v2 support is compiled in. 62 | // Unrelated to whether the host uses cgroup v2 or not. 
63 | // Nil value means "unknown", not "false". 64 | V2 *bool `json:"v2,omitempty"` 65 | 66 | // Systemd represents whether systemd-cgroup support is compiled in. 67 | // Unrelated to whether the host uses systemd or not. 68 | // Nil value means "unknown", not "false". 69 | Systemd *bool `json:"systemd,omitempty"` 70 | 71 | // SystemdUser represents whether user-scoped systemd-cgroup support is compiled in. 72 | // Unrelated to whether the host uses systemd or not. 73 | // Nil value means "unknown", not "false". 74 | SystemdUser *bool `json:"systemdUser,omitempty"` 75 | 76 | // Rdma represents whether RDMA cgroup support is compiled in. 77 | // Unrelated to whether the host supports RDMA or not. 78 | // Nil value means "unknown", not "false". 79 | Rdma *bool `json:"rdma,omitempty"` 80 | } 81 | 82 | // Seccomp represents the "seccomp" field. 83 | type Seccomp struct { 84 | // Enabled is true if seccomp support is compiled in. 85 | // Nil value means "unknown", not "false". 86 | Enabled *bool `json:"enabled,omitempty"` 87 | 88 | // Actions is the list of the recognized actions, e.g., "SCMP_ACT_NOTIFY". 89 | // Nil value means "unknown", not "no support for any action". 90 | Actions []string `json:"actions,omitempty"` 91 | 92 | // Operators is the list of the recognized operators, e.g., "SCMP_CMP_NE". 93 | // Nil value means "unknown", not "no support for any operator". 94 | Operators []string `json:"operators,omitempty"` 95 | 96 | // Archs is the list of the recognized archs, e.g., "SCMP_ARCH_X86_64". 97 | // Nil value means "unknown", not "no support for any arch". 98 | Archs []string `json:"archs,omitempty"` 99 | 100 | // KnownFlags is the list of the recognized filter flags, e.g., "SECCOMP_FILTER_FLAG_LOG". 101 | // Nil value means "unknown", not "no flags are recognized". 102 | KnownFlags []string `json:"knownFlags,omitempty"` 103 | 104 | // SupportedFlags is the list of the supported filter flags, e.g., "SECCOMP_FILTER_FLAG_LOG". 
105 | // This list may be a subset of KnownFlags due to some flags 106 | // not supported by the current kernel and/or libseccomp. 107 | // Nil value means "unknown", not "no flags are supported". 108 | SupportedFlags []string `json:"supportedFlags,omitempty"` 109 | } 110 | 111 | // Apparmor represents the "apparmor" field. 112 | type Apparmor struct { 113 | // Enabled is true if AppArmor support is compiled in. 114 | // Unrelated to whether the host supports AppArmor or not. 115 | // Nil value means "unknown", not "false". 116 | Enabled *bool `json:"enabled,omitempty"` 117 | } 118 | 119 | // Selinux represents the "selinux" field. 120 | type Selinux struct { 121 | // Enabled is true if SELinux support is compiled in. 122 | // Unrelated to whether the host supports SELinux or not. 123 | // Nil value means "unknown", not "false". 124 | Enabled *bool `json:"enabled,omitempty"` 125 | } 126 | 127 | // IntelRdt represents the "intelRdt" field. 128 | type IntelRdt struct { 129 | // Enabled is true if Intel RDT support is compiled in. 130 | // Unrelated to whether the host supports Intel RDT or not. 131 | // Nil value means "unknown", not "false". 132 | Enabled *bool `json:"enabled,omitempty"` 133 | } 134 | 135 | // MountExtensions represents the "mountExtensions" field. 136 | type MountExtensions struct { 137 | // IDMap represents the status of idmap mounts support. 138 | IDMap *IDMap `json:"idmap,omitempty"` 139 | } 140 | 141 | type IDMap struct { 142 | // Enabled represents whether idmap mounts support is compiled in. 143 | // Unrelated to whether the host supports it or not. 144 | // Nil value means "unknown", not "false". 145 | Enabled *bool `json:"enabled,omitempty"` 146 | } 147 | 148 | // NetDevices represents the "netDevices" field. 149 | type NetDevices struct { 150 | // Enabled is true if network devices support is compiled in. 151 | // Nil value means "unknown", not "false". 
152 | Enabled *bool `json:"enabled,omitempty"` 153 | } 154 | -------------------------------------------------------------------------------- /specs-go/state.go: -------------------------------------------------------------------------------- 1 | package specs 2 | 3 | // ContainerState represents the state of a container. 4 | type ContainerState string 5 | 6 | const ( 7 | // StateCreating indicates that the container is being created 8 | StateCreating ContainerState = "creating" 9 | 10 | // StateCreated indicates that the runtime has finished the create operation 11 | StateCreated ContainerState = "created" 12 | 13 | // StateRunning indicates that the container process has executed the 14 | // user-specified program but has not exited 15 | StateRunning ContainerState = "running" 16 | 17 | // StateStopped indicates that the container process has exited 18 | StateStopped ContainerState = "stopped" 19 | ) 20 | 21 | // State holds information about the runtime state of the container. 22 | type State struct { 23 | // Version is the version of the specification that is supported. 24 | Version string `json:"ociVersion"` 25 | // ID is the container ID 26 | ID string `json:"id"` 27 | // Status is the runtime status of the container. 28 | Status ContainerState `json:"status"` 29 | // Pid is the process ID for the container process. 30 | Pid int `json:"pid,omitempty"` 31 | // Bundle is the path to the container's bundle directory. 32 | Bundle string `json:"bundle"` 33 | // Annotations are key values associated with the container. 34 | Annotations map[string]string `json:"annotations,omitempty"` 35 | } 36 | 37 | const ( 38 | // SeccompFdName is the name of the seccomp notify file descriptor. 39 | SeccompFdName string = "seccompFd" 40 | ) 41 | 42 | // ContainerProcessState holds information about the state of a container process. 43 | type ContainerProcessState struct { 44 | // Version is the version of the specification that is supported. 
45 | Version string `json:"ociVersion"` 46 | // Fds is a string array containing the names of the file descriptors passed. 47 | // The index of the name in this array corresponds to the index of the file 48 | // descriptor in the `SCM_RIGHTS` array. 49 | Fds []string `json:"fds"` 50 | // Pid is the process ID as seen by the runtime. 51 | Pid int `json:"pid"` 52 | // Opaque metadata. 53 | Metadata string `json:"metadata,omitempty"` 54 | // State of the container. 55 | State State `json:"state"` 56 | } 57 | -------------------------------------------------------------------------------- /specs-go/version.go: -------------------------------------------------------------------------------- 1 | package specs 2 | 3 | import "fmt" 4 | 5 | const ( 6 | // VersionMajor is for API-incompatible changes 7 | VersionMajor = 1 8 | // VersionMinor is for functionality added in a backwards-compatible manner 9 | VersionMinor = 2 10 | // VersionPatch is for backwards-compatible bug fixes 11 | VersionPatch = 1 12 | 13 | // VersionDev indicates a development branch. It is the empty string in releases. 14 | VersionDev = "+dev" 15 | ) 16 | 17 | // Version is the specification version that the package types support. 18 | var Version = fmt.Sprintf("%d.%d.%d%s", VersionMajor, VersionMinor, VersionPatch, VersionDev) 19 | -------------------------------------------------------------------------------- /style.md: -------------------------------------------------------------------------------- 1 | # Style and conventions 2 | 3 | ## One sentence per line 4 | 5 | To keep consistency throughout the Markdown files in the Open Container spec, all files should be formatted one sentence per line. 6 | This fixes two things: it makes diffing easier with git and it resolves fights about line wrapping length. 7 | For example, this paragraph will span three lines in the Markdown source. 
8 | 9 | ## Traditionally hex settings should use JSON integers, not JSON strings 10 | 11 | For example, [`"classID": 1048577`](config-linux.md#network) instead of `"classID": "0x100001"`. 12 | The config JSON isn't enough of a UI to be worth jumping through string <-> integer hoops to support an 0x… form ([source][integer-over-hex]). 13 | 14 | ## Constant names should keep redundant prefixes 15 | 16 | For example, `CAP_KILL` instead of `KILL` in [**`process.capabilities`**](config.md#process). 17 | The redundancy reduction from removing the namespacing prefix is not useful enough to be worth trimming the upstream identifier ([source][keep-prefix]). 18 | 19 | ## Optional settings should not have pointer Go types 20 | 21 | Because in many cases the Go default for the type is a no-op in the spec (sources [here][no-pointer-for-strings], [here][no-pointer-for-slices], and [here][no-pointer-for-boolean]). 22 | The exceptions are entries where we need to distinguish between “not set” and “set to the Go default for that type” ([source][pointer-when-updates-require-changes]), and this decision should be made on a per-setting case. 23 | 24 | ## Links 25 | 26 | Internal links should be [relative links][markdown-relative-links] when linking to content within the repository. 27 | Internal links should be used inline. 28 | 29 | External links should be collected at the bottom of a markdown file and used as referenced links. 30 | See 'Referenced Links' in this [markdown quick reference][markdown-quick-reference]. 31 | The use of referenced links in the markdown body helps to keep files clean and organized. 32 | This also facilitates updates of external link targets on a per-file basis. 33 | 34 | Referenced links should be kept in two alphabetically sorted sets, a general reference section followed by a man page section. 
35 | To keep Pandoc happy, duplicate naming of links within pages listed in the Makefile's `DOC_FILES` variable should be avoided by appending an `_N` to the link tagname, where `N` is some number not currently in use. 36 | The organization and style of an existing reference section should be maintained unless it violates these style guidelines. 37 | 38 | An exception to these rules is when a URL is needed contextually, for example when showing an explicit link to the reader. 39 | 40 | ## Examples 41 | 42 | ### Anchoring 43 | 44 | For any given section that provides a notable example, it is ideal to have it denoted with [markdown headers][markdown-headers]. 45 | The level of header should be such that it is a subheader of the header it is an example of. 46 | 47 | #### Example 48 | 49 | ```markdown 50 | ## Some Topic 51 | 52 | ### Some Subheader 53 | 54 | #### Further Subheader 55 | 56 | ##### Example 57 | 58 | To use Further Subheader, ... 59 | 60 | ### Example 61 | 62 | To use Some Topic, ... 63 | 64 | ``` 65 | 66 | ### Content 67 | 68 | Where necessary, the values in the example can be empty or unset, but accompany them with comments explaining this intention. 69 | 70 | Where feasible, the content and values used in an example should convey the fullest use of the data structures concerned. 71 | Most commonly, readers will intend to copy-and-paste a "working example". 72 | If the intention of the example is to be a fully utilized example, rather than a copy-and-paste example, add a comment saying so. 
73 | 74 | ```markdown 75 | ### Example 76 | ``` 77 | ```json 78 | { 79 | "foo": null, 80 | "bar": "" 81 | } 82 | ``` 83 | 84 | **vs.** 85 | 86 | ```markdown 87 | ### Example 88 | 89 | Following is a fully populated example (not necessarily for copy/paste use) 90 | ``` 91 | ```json 92 | { 93 | "foo": [ 94 | 1, 95 | 2, 96 | 3 97 | ], 98 | "bar": "waffles", 99 | "bif": { 100 | "baz": "potatoes" 101 | } 102 | } 103 | ``` 104 | 105 | ### Links 106 | 107 | The following is an example of different types of links. 108 | This is shown as a complete markdown file, where the referenced links are at the bottom. 109 | 110 | ```markdown 111 | The specification repository's [glossary](glossary.md) is where readers can find definitions of commonly used terms. 112 | 113 | Readers may click through to the [Open Containers namespace][open-containers] on [GitHub][github]. 114 | 115 | The URL for the Open Containers link above is: https://github.com/opencontainers 116 | 117 | 118 | [github]: https://github.com 119 | [open-containers]: https://github.com/opencontainers 120 | ``` 121 | 122 | 123 | [integer-over-hex]: https://github.com/opencontainers/runtime-spec/pull/267#r48360013 124 | [keep-prefix]: https://github.com/opencontainers/runtime-spec/pull/159#issuecomment-138728337 125 | [no-pointer-for-boolean]: https://github.com/opencontainers/runtime-spec/pull/290#r50296396 126 | [no-pointer-for-slices]: https://github.com/opencontainers/runtime-spec/pull/316#r50782982 127 | [no-pointer-for-strings]: https://github.com/opencontainers/runtime-spec/pull/653#issue-200439192 128 | [pointer-when-updates-require-changes]: https://github.com/opencontainers/runtime-spec/pull/317#r50932706 129 | [markdown-headers]: https://help.github.com/articles/basic-writing-and-formatting-syntax/#headings 130 | [markdown-quick-reference]: https://en.support.wordpress.com/markdown-quick-reference 131 | [markdown-relative-links]: 
https://help.github.com/articles/basic-writing-and-formatting-syntax/#relative-links 132 | --------------------------------------------------------------------------------