From 977939850b7c8b081a4eeb48cbb90539a5c25e7c Mon Sep 17 00:00:00 2001
From: Michael Crosby
Date: Tue, 21 Mar 2017 11:57:06 -0700
Subject: [PATCH] Update runtime spec to 035da1dca3dfbb00d752eb58b0b

Signed-off-by: Michael Crosby
---
 cmd/ctr/run.go | 2 +-
 vendor.conf | 2 +-
 .../opencontainers/runtime-spec/README.md | 54 +++++++++-------
 .../runtime-spec/specs-go/config.go | 62 ++++++++++++-------
 .../runtime-spec/specs-go/state.go | 10 +-
 .../runtime-spec/specs-go/version.go | 2 +-
 6 files changed, 80 insertions(+), 52 deletions(-)

diff --git a/cmd/ctr/run.go b/cmd/ctr/run.go
index 51f703e..6ebce25 100644
--- a/cmd/ctr/run.go
+++ b/cmd/ctr/run.go
@@ -113,7 +113,7 @@ func spec(id string, args []string, tty bool) *specs.Spec {
 Devices: []specs.LinuxDeviceCgroup{
 {
 Allow: false,
-Access: &rwm,
+Access: rwm,
 },
 },
 },
diff --git a/vendor.conf b/vendor.conf
index e83b0b7..ca0bb6a 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -11,7 +11,7 @@ github.com/docker/go-units v0.3.1
 github.com/gogo/protobuf d2e1ade2d719b78fe5b061b4c18a9f7111b5bdc8
 github.com/golang/protobuf 8ee79997227bf9b34611aee7946ae64735e6fd93
 github.com/opencontainers/runc ce450bcc6c135cae93ee2a99d41a308c179ff6dc
-github.com/opencontainers/runtime-spec v1.0.0-rc3
+github.com/opencontainers/runtime-spec 035da1dca3dfbb00d752eb58b0b158d6129f3776
 github.com/Sirupsen/logrus v0.11.0
 github.com/stevvooe/go-btrfs 8539a1d04898663b8eda14982e24b74e7a12388e
 github.com/stretchr/testify v1.1.4
diff --git a/vendor/github.com/opencontainers/runtime-spec/README.md b/vendor/github.com/opencontainers/runtime-spec/README.md
index 20f2908..6da5f6d 100644
--- a/vendor/github.com/opencontainers/runtime-spec/README.md
+++ b/vendor/github.com/opencontainers/runtime-spec/README.md
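Review bot: The device-cgroup entry touched here carries only `Allow: false` and `Access: rwm`, with no Type, Major or Minor, which reads as the catch-all deny rule, yet nothing in the hunk says so; a comment such as `// default deny for every device; specific allow rules must follow this entry` above the literal would make the intent clear to the next reader. The change itself only tracks the vendored type, where `LinuxDeviceCgroup.Access` (and `Type`) became a plain `string` with `omitempty`, so an unset Type still serializes as absent and the rule presumably keeps its wildcard meaning. Since the field is now a value, the `rwm` variable could likely be inlined as `Access: "rwm"` if it is not used elsewhere; its declaration is outside the hunk. spec's body starts and ends outside the hunk.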
@@ -1,12 +1,14 @@ # Open Container Initiative Runtime Specification -The [Open Container Initiative](http://www.opencontainers.org/) develops specifications for standards on Operating System process and application containers. +The [Open Container Initiative][oci] develops specifications for standards on Operating System process and application containers. The specification can be found [here](spec.md). +## Table of Contents + Additional documentation about how this group operates: -- [Code of Conduct](https://github.com/opencontainers/tob/blob/d2f9d68c1332870e40693fe077d311e0742bc73d/code-of-conduct.md) +- [Code of Conduct][code-of-conduct] - [Style and Conventions](style.md) - [Roadmap](ROADMAP.md) - [Implementations](implementations.md) 
@@ -14,38 +16,38 @@ Additional documentation about how this group operates: - [project](project.md) - [charter][charter] -# Use Cases +## Use Cases To provide context for users the following section gives example use cases for each part of the spec. -#### Application Bundle Builders +### Application Bundle Builders Application bundle builders can create a [bundle](bundle.md) directory that includes all of the files required for launching an application as a container. The bundle contains an OCI [configuration file](config.md) where the builder can specify host-independent details such as [which executable to launch](config.md#process) and host-specific settings such as [mount](config.md#mounts) locations, [hook](config.md#hooks) paths, Linux [namespaces](config-linux.md#namespaces) and [cgroups](config-linux.md#control-groups). Because the configuration includes host-specific settings, application bundle directories copied between two hosts may require configuration adjustments. -#### Hook Developers +### Hook Developers [Hook](config.md#hooks) developers can extend the functionality of an OCI-compliant runtime by hooking into a container's lifecycle with an external application. Example use cases include sophisticated network configuration, volume garbage collection, etc. -#### Runtime Developers +### Runtime Developers Runtime developers can build runtime implementations that run OCI-compliant bundles and container configuration, containing low-level OS and host specific details, on a particular platform. -# Releases +## Releases There is a loose [Road Map](./ROADMAP.md). During the `0.x` series of OCI releases we make no backwards compatibility guarantees and intend to break the schema during this series. -# Contributing +## Contributing Development happens on GitHub for the spec. Issues are used for bugs and actionable items and longer discussions can happen on the [mailing list](#mailing-list). 
The specification and code is licensed under the Apache 2.0 license found in the [LICENSE](./LICENSE) file. -## Discuss your design +### Discuss your design The project welcomes submissions, but please let everyone know what you are working on. 
@@ -56,27 +58,27 @@ It also guarantees that the design is sound before code is written; a GitHub pul Typos and grammatical errors can go straight to a pull-request. When in doubt, start on the [mailing-list](#mailing-list). -## Weekly Call +### Weekly Call The contributors and maintainers of all OCI projects have a weekly meeting Wednesdays at 2:00 PM (USA Pacific). -Everyone is welcome to participate via [UberConference web][UberConference] or audio-only: 415-968-0849 (no PIN needed.) +Everyone is welcome to participate via [UberConference web][uberconference] or audio-only: 415-968-0849 (no PIN needed.) An initial agenda will be posted to the [mailing list](#mailing-list) earlier in the week, and everyone is welcome to propose additional topics or suggest other agenda alterations there. -Minutes are posted to the [mailing list](#mailing-list) and minutes from past calls are archived to the [wiki](https://github.com/opencontainers/runtime-spec/wiki) for those who are unable to join the call. +Minutes are posted to the [mailing list](#mailing-list) and minutes from past calls are archived to the [wiki][runtime-wiki]. -## Mailing List +### Mailing List -You can subscribe and join the mailing list on [Google Groups](https://groups.google.com/a/opencontainers.org/forum/#!forum/dev). +You can subscribe and join the mailing list on [Google Groups][dev-list]. -## IRC +### IRC OCI discussion happens on #opencontainers on Freenode ([logs][irc-logs]). -## Git commit +### Git commit -### Sign your work +#### Sign your work The sign-off is a simple line at the end of the explanation for the patch, which certifies that you wrote it or otherwise have the right to pass it on as an open-source patch. -The rules are pretty simple: if you can certify the below (from [developercertificate.org](http://developercertificate.org/)): +The rules are pretty simple: if you can certify the below (from http://developercertificate.org): ``` Developer Certificate of Origin 
@@ -125,10 +127,10 @@ using your real name (sorry, no pseudonyms or anonymous contributions.) You can add the sign off when creating the git commit via `git commit -s`. -### Commit Style +#### Commit Style Simple house-keeping for clean git history. -Read more on [How to Write a Git Commit Message](http://chris.beams.io/posts/git-commit/) or the Discussion section of [`git-commit(1)`](http://git-scm.com/docs/git-commit). +Read more on [How to Write a Git Commit Message][how-to-git-commit] or the Discussion section of [git-commit(1)][git-commit.1]. 1. Separate the subject from body with a blank line 2. Limit the subject line to 50 characters @@ -140,6 +142,14 @@ Read more on [How to Write a Git Commit Message](http://chris.beams.io/posts/git * If there was important/useful/essential conversation or information, copy or include a reference 8. When possible, one keyword to scope the change in the subject (i.e. "README: ...", "runtime: ...") -[UberConference]: https://www.uberconference.com/opencontainers -[irc-logs]: http://ircbot.wl.linuxfoundation.org/eavesdrop/%23opencontainers/ + [charter]: https://www.opencontainers.org/about/governance +[code-of-conduct]: https://github.com/opencontainers/tob/blob/master/code-of-conduct.md +[dev-list]: https://groups.google.com/a/opencontainers.org/forum/#!forum/dev +[how-to-git-commit]: http://chris.beams.io/posts/git-commit +[irc-logs]: http://ircbot.wl.linuxfoundation.org/eavesdrop/%23opencontainers/ +[oci]: https://www.opencontainers.org +[runtime-wiki]: https://github.com/opencontainers/runtime-spec/wiki +[uberconference]: https://www.uberconference.com/opencontainers + +[git-commit.1]: http://git-scm.com/docs/git-commit diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go index 0166f46..bd8e96a 100644 --- a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go 
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
@@ -17,7 +17,7 @@ type Spec struct {
 // Mounts configures additional mounts (on top of Root).
 Mounts []Mount `json:"mounts,omitempty"`
 // Hooks configures callbacks for container lifecycle events.
-Hooks Hooks `json:"hooks"`
+Hooks *Hooks `json:"hooks,omitempty"`
 // Annotations contains arbitrary metadata for the container.
 Annotations map[string]string `json:"annotations,omitempty"`
 
@@ -44,8 +44,8 @@ type Process struct {
 // Cwd is the current working directory for the process and must be
 // relative to the container's root.
 Cwd string `json:"cwd"`
-// Capabilities are Linux capabilities that are kept for the container.
-Capabilities []string `json:"capabilities,omitempty" platform:"linux"`
+// Capabilities are Linux capabilities that are kept for the process.
+Capabilities *LinuxCapabilities `json:"capabilities,omitempty" platform:"linux"`
 // Rlimits specifies rlimit options to apply to the process.
 Rlimits []LinuxRlimit `json:"rlimits,omitempty" platform:"linux"`
 // NoNewPrivileges controls whether additional privileges could be gained by processes in the container.
@@ -56,6 +56,21 @@ type Process struct {
 SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`
 }
 
+// LinuxCapabilities specifies the whitelist of capabilities that are kept for a process.
+// http://man7.org/linux/man-pages/man7/capabilities.7.html
+type LinuxCapabilities struct {
+// Bounding is the set of capabilities checked by the kernel.
+Bounding []string `json:"bounding,omitempty" platform:"linux"`
+// Effective is the set of capabilities checked by the kernel.
+Effective []string `json:"effective,omitempty" platform:"linux"`
+// Inheritable is the capabilities preserved across execve.
+Inheritable []string `json:"inheritable,omitempty" platform:"linux"`
+// Permitted is the limiting superset for effective capabilities.
+Permitted []string `json:"permitted,omitempty" platform:"linux"`
+// Ambient is the ambient set of capabilities that are kept.
+Ambient []string `json:"ambient,omitempty" platform:"linux"`
+}
+
 // Box specifies dimensions of a rectangle. Used for specifying the size of a console.
 type Box struct {
 // Height is the vertical dimension of a box.
@@ -98,10 +113,10 @@ type Mount struct {
 // Destination is the path where the mount will be placed relative to the container's root. The path and child directories MUST exist, a runtime MUST NOT create directories automatically to a mount point.
 Destination string `json:"destination"`
 // Type specifies the mount kind.
-Type string `json:"type"`
+Type string `json:"type,omitempty"`
 // Source specifies the source path of the mount. In the case of bind mounts on
 // Linux based systems this would be the file on the host.
-Source string `json:"source"`
+Source string `json:"source,omitempty"`
 // Options are fstab style mount options.
 Options []string `json:"options,omitempty"`
 }
@@ -139,7 +154,7 @@ type Linux struct {
 // CgroupsPath specifies the path to cgroups that are created and/or joined by the container.
 // The path is expected to be relative to the cgroups mountpoint.
 // If resources are specified, the cgroups at CgroupsPath will be updated based on resources.
-CgroupsPath *string `json:"cgroupsPath,omitempty"`
+CgroupsPath string `json:"cgroupsPath,omitempty"`
 // Namespaces contains the namespaces that are created and/or joined by the container
 Namespaces []LinuxNamespace `json:"namespaces,omitempty"`
 // Devices are a list of device nodes that are created for the container
@@ -284,17 +299,17 @@ type LinuxCPU struct {
 // CPU shares (relative weight (ratio) vs. other cgroups with cpu shares).
 Shares *uint64 `json:"shares,omitempty"`
 // CPU hardcap limit (in usecs). Allowed cpu time in a given period.
-Quota *uint64 `json:"quota,omitempty"`
+Quota *int64 `json:"quota,omitempty"`
 // CPU period to be used for hardcapping (in usecs).
 Period *uint64 `json:"period,omitempty"`
 // How much time realtime scheduling may use (in usecs).
-RealtimeRuntime *uint64 `json:"realtimeRuntime,omitempty"`
+RealtimeRuntime *int64 `json:"realtimeRuntime,omitempty"`
 // CPU period to be used for realtime scheduling (in usecs).
 RealtimePeriod *uint64 `json:"realtimePeriod,omitempty"`
 // CPUs to use within the cpuset. Default is to use any CPU available.
-Cpus *string `json:"cpus,omitempty"`
+Cpus string `json:"cpus,omitempty"`
 // List of memory nodes in the cpuset. Default is to use any available memory node.
-Mems *string `json:"mems,omitempty"`
+Mems string `json:"mems,omitempty"`
 }
 
 // LinuxPids for Linux cgroup 'pids' resource management (Linux 4.3)
@@ -356,20 +371,13 @@ type LinuxDeviceCgroup struct {
 // Allow or deny
 Allow bool `json:"allow"`
 // Device type, block, char, etc.
-Type *string `json:"type,omitempty"`
+Type string `json:"type,omitempty"`
 // Major is the device's major number.
 Major *int64 `json:"major,omitempty"`
 // Minor is the device's minor number.
 Minor *int64 `json:"minor,omitempty"`
 // Cgroup access permissions format, rwm.
-Access *string `json:"access,omitempty"`
-}
-
-// LinuxSeccomp represents syscall restrictions
-type LinuxSeccomp struct {
-DefaultAction LinuxSeccompAction `json:"defaultAction"`
-Architectures []Arch `json:"architectures"`
-Syscalls []LinuxSyscall `json:"syscalls,omitempty"`
+Access string `json:"access,omitempty"`
 }
 
 // Solaris contains platform specific configuration for Solaris application containers.
@@ -469,6 +477,13 @@ type WindowsNetworkResources struct {
 EgressBandwidth *uint64 `json:"egressBandwidth,omitempty"`
 }
 
+// LinuxSeccomp represents syscall restrictions
+type LinuxSeccomp struct {
+DefaultAction LinuxSeccompAction `json:"defaultAction"`
+Architectures []Arch `json:"architectures,omitempty"`
+Syscalls []LinuxSyscall `json:"syscalls"`
+}
+
 // Arch used for additional architectures
 type Arch string
 
@@ -491,6 +506,8 @@ const (
 ArchPPC64LE Arch = "SCMP_ARCH_PPC64LE"
 ArchS390 Arch = "SCMP_ARCH_S390"
 ArchS390X Arch = "SCMP_ARCH_S390X"
+ArchPARISC Arch = "SCMP_ARCH_PARISC"
+ArchPARISC64 Arch = "SCMP_ARCH_PARISC64"
 )
 
 // LinuxSeccompAction taken upon Seccomp rule match
@@ -529,7 +546,8 @@ type LinuxSeccompArg struct {
 
 // LinuxSyscall is used to match a syscall in Seccomp
 type LinuxSyscall struct {
-Name string `json:"name"`
-Action LinuxSeccompAction `json:"action"`
-Args []LinuxSeccompArg `json:"args,omitempty"`
+Names []string `json:"names"`
+Action LinuxSeccompAction `json:"action"`
+Args []LinuxSeccompArg `json:"args"`
+Comment string `json:"comment"`
 }
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/state.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/state.go
index a74874e..b5dd3be 100644
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/state.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/state.go
@@ -6,12 +6,12 @@ type State struct {
 Version string `json:"ociVersion"`
 // ID is the container ID
 ID string `json:"id"`
-// Status is the runtime state of the container.
+// Status is the runtime status of the container.
 Status string `json:"status"`
 // Pid is the process ID for the container process.
 Pid int `json:"pid"`
-// BundlePath is the path to the container's bundle directory.
-BundlePath string `json:"bundlePath"`
-// Annotations are the annotations associated with the container.
-Annotations map[string]string `json:"annotations"`
+// Bundle is the path to the container's bundle directory.
+Bundle string `json:"bundle"`
+// Annotations are key values associated with the container.
+Annotations map[string]string `json:"annotations,omitempty"`
 }
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
index 9d1612a..26b34c2 100644
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
@@ -11,7 +11,7 @@ const (
 VersionPatch = 0
 
 // VersionDev indicates development branch. Releases will be empty string.
-VersionDev = "-rc3"
+VersionDev = "-rc5"
 )
 
 // Version is the specification version that the package types support.