README
¶
Open Container Specifications
This project is where the Open Container Initiative Specifications are written. This is a work in progress.
Table of Contents
Use Cases
To provide context for users the following section gives example use cases for each part of the spec.
Filesystem Bundle & Configuration
- A user can create a root filesystem and configuration, with low-level OS and host specific details, and launch it as a container under an Open Container runtime.
Releases
There is a loose Road Map on the wiki.
During the 0.x series of OCI releases we make no backwards compatibility guarantees and intend to break the schema during this series.
The 5 principles of Standard Containers
Define a unit of software delivery called a Standard Container. The goal of a Standard Container is to encapsulate a software component and all its dependencies in a format that is self-describing and portable, so that any compliant runtime can run it without extra dependencies, regardless of the underlying machine and the contents of the container.
The specification for Standard Containers is straightforward. It mostly defines 1) a file format, 2) a set of standard operations, and 3) an execution environment.
A great analogy for this is the shipping container. Just like how Standard Containers are a fundamental unit of software delivery, shipping containers are a fundamental unit of physical delivery.
1. Standard operations
Just like shipping containers, Standard Containers define a set of STANDARD OPERATIONS. Shipping containers can be lifted, stacked, locked, loaded, unloaded and labelled. Similarly, Standard Containers can be created, started, and stopped using standard container tools (what this spec is about); copied and snapshotted using standard filesystem tools; and downloaded and uploaded using standard network tools.
2. Content-agnostic
Just like shipping containers, Standard Containers are CONTENT-AGNOSTIC: all standard operations have the same effect regardless of the contents. A shipping container will be stacked in exactly the same way whether it contains Vietnamese powder coffee or spare Maserati parts. Similarly, Standard Containers are started or uploaded in the same way whether they contain a postgres database, a php application with its dependencies and application server, or Java build artifacts.
3. Infrastructure-agnostic
Both types of containers are INFRASTRUCTURE-AGNOSTIC: they can be transported to thousands of facilities around the world, and manipulated by a wide variety of equipment. A shipping container can be packed in a factory in Ukraine, transported by truck to the nearest routing center, stacked onto a train, loaded into a German boat by an Australian-built crane, stored in a warehouse at a US facility, etc. Similarly, a standard container can be bundled on my laptop, uploaded to S3, downloaded, run and snapshotted by a build server at Equinix in Virginia, uploaded to 10 staging servers in a home-made Openstack cluster, then sent to 30 production instances across 3 EC2 regions.
4. Designed for automation
Because they offer the same standard operations regardless of content and infrastructure, Standard Containers, just like their physical counterparts, are extremely well-suited for automation. In fact, you could say automation is their secret weapon.
Many things that once required time-consuming and error-prone human effort can now be programmed. Before shipping containers, a bag of powder coffee was hauled, dragged, dropped, rolled and stacked by 10 different people in 10 different locations by the time it reached its destination. 1 out of 50 disappeared. 1 out of 20 was damaged. The process was slow, inefficient and cost a fortune - and was entirely different depending on the facility and the type of goods.
Similarly, before Standard Containers, by the time a software component ran in production, it had been individually built, configured, bundled, documented, patched, vendored, templated, tweaked and instrumented by 10 different people on 10 different computers. Builds failed, libraries conflicted, mirrors crashed, post-it notes were lost, logs were misplaced, cluster updates were half-broken. The process was slow, inefficient and cost a fortune - and was entirely different depending on the language and infrastructure provider.
5. Industrial-grade delivery
There are 17 million shipping containers in existence, packed with every physical good imaginable. Every single one of them can be loaded onto the same boats, by the same cranes, in the same facilities, and sent anywhere in the World with incredible efficiency. It is embarrassing to think that a 30 ton shipment of coffee can safely travel half-way across the World in less time than it takes a software team to deliver its code from one datacenter to another sitting 10 miles away.
With Standard Containers we can put an end to that embarrassment, by making INDUSTRIAL-GRADE DELIVERY of software a reality.
Contributing
Development happens on GitHub for the spec. Issues are used for bugs and actionable items and longer discussions can happen on the mailing list.
The specification and code is licensed under the Apache 2.0 license found in the LICENSE file of this repository.
Code of Conduct
Participation in the OpenContainers community is governed by OpenContainer's Code of Conduct.
Discuss your design
The project welcomes submissions, but please let everyone know what you are working on.
Before undertaking a nontrivial change to this specification, send mail to the mailing list to discuss what you plan to do. This gives everyone a chance to validate the design, helps prevent duplication of effort, and ensures that the idea fits. It also guarantees that the design is sound before code is written; a GitHub pull-request is not the place for high-level discussions.
Typos and grammatical errors can go straight to a pull-request. When in doubt, start on the mailing-list.
Weekly Call
The contributors and maintainers of the project have a weekly meeting Wednesdays at 10:00 AM PST. Everyone is welcome to participate in the BlueJeans call. An initial agenda will be posted to the mailing list earlier in the week, and everyone is welcome to propose additional topics or suggest other agenda alterations there. Minutes for the call will be posted to the mailing list for those who are unable to join the call.
Mailing List
You can subscribe and join the mailing list on Google Groups.
IRC
OCI discussion happens on #opencontainers on Freenode.
Markdown style
To keep consistency throughout the Markdown files in the Open Container spec all files should be formatted one sentence per line. This fixes two things: it makes diffing easier with git and it resolves fights about line wrapping length. For example, this paragraph will span three lines in the Markdown source.
Git commit
Sign your work
The sign-off is a simple line at the end of the explanation for the patch, which certifies that you wrote it or otherwise have the right to pass it on as an open-source patch. The rules are pretty simple: if you can certify the below (from developercertificate.org):
Developer Certificate of Origin
Version 1.1
Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
660 York Street, Suite 102,
San Francisco, CA 94110 USA
Everyone is permitted to copy and distribute verbatim copies of this
license document, but changing it is not allowed.
Developer's Certificate of Origin 1.1
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or
(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or
(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.
(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.
then you just add a line to every git commit message:
Signed-off-by: Joe Smith <[email protected]>
using your real name (sorry, no pseudonyms or anonymous contributions.)
You can add the sign off when creating the git commit via git commit -s.
Commit Style
Simple house-keeping for clean git history.
Read more on How to Write a Git Commit Message or the Discussion section of git-commit(1).
- Separate the subject from body with a blank line
- Limit the subject line to 50 characters
- Capitalize the subject line
- Do not end the subject line with a period
- Use the imperative mood in the subject line
- Wrap the body at 72 characters
- Use the body to explain what and why vs. how
- If there was important/useful/essential conversation or information, copy or include a reference
- When possible, one keyword to scope the change in the subject (i.e. "README: ...", "runtime: ...")
Documentation
¶
Index ¶
- Constants
- Variables
- type Action
- type Arg
- type BlockIO
- type CPU
- type Device
- type Hook
- type Hooks
- type HugepageLimit
- type IDMapping
- type InterfacePriority
- type Linux
- type LinuxRuntime
- type LinuxRuntimeSpec
- type LinuxSpec
- type Memory
- type Mount
- type MountPoint
- type Namespace
- type NamespaceType
- type Network
- type Operator
- type Pids
- type Platform
- type Process
- type Resources
- type Rlimit
- type Root
- type RuntimeSpec
- type Seccomp
- type Spec
- type State
- type Syscall
- type ThrottleDevice
- type User
- type WeightDevice
Constants ¶
const ( // PIDNamespace for isolating process IDs PIDNamespace NamespaceType = "pid" // NetworkNamespace for isolating network devices, stacks, ports, etc NetworkNamespace = "network" // MountNamespace for isolating mount points MountNamespace = "mount" // IPCNamespace for isolating System V IPC, POSIX message queues IPCNamespace = "ipc" // UTSNamespace for isolating hostname and NIS domain name UTSNamespace = "uts" // UserNamespace for isolating user and group IDs UserNamespace = "user" )
const ( // VersionMajor is for an API incompatible changes VersionMajor = 0 // VersionMinor is for functionality in a backwards-compatible manner VersionMinor = 1 // VersionPatch is for backwards-compatible bug fixes VersionPatch = 0 )
const LinuxStateDirectory = "/run/opencontainer/containers"
LinuxStateDirectory holds the container's state information
Variables ¶
var Version = fmt.Sprintf("%d.%d.%d", VersionMajor, VersionMinor, VersionPatch)
Version is the specification version that the package types support.
Functions ¶
This section is empty.
Types ¶
type Arg ¶
type Arg struct {
Index uint `json:"index"`
Value uint64 `json:"value"`
ValueTwo uint64 `json:"valueTwo"`
Op Operator `json:"op"`
}
Arg used for matching specific syscall arguments in Seccomp
type BlockIO ¶
type BlockIO struct {
// Specifies per cgroup weight, range is from 10 to 1000
Weight uint16 `json:"blkioWeight"`
// Specifies tasks' weight in the given cgroup while competing with the cgroup's child cgroups, range is from 10 to 1000, cfq scheduler only
LeafWeight uint16 `json:"blkioLeafWeight"`
// Weight per cgroup per device, can override BlkioWeight
WeightDevice []*WeightDevice `json:"blkioWeightDevice"`
// IO read rate limit per cgroup per device, bytes per second
ThrottleReadBpsDevice []*ThrottleDevice `json:"blkioThrottleReadBpsDevice"`
// IO write rate limit per cgroup per device, bytes per second
ThrottleWriteBpsDevice []*ThrottleDevice `json:"blkioThrottleWriteBpsDevice"`
// IO read rate limit per cgroup per device, IO per second
ThrottleReadIOPSDevice []*ThrottleDevice `json:"blkioThrottleReadIOPSDevice"`
// IO write rate limit per cgroup per device, IO per second
ThrottleWriteIOPSDevice []*ThrottleDevice `json:"blkioThrottleWriteIOPSDevice"`
}
BlockIO for Linux cgroup 'blkio' resource management
type CPU ¶
type CPU struct {
Shares int64 `json:"shares"`
// CPU hardcap limit (in usecs). Allowed cpu time in a given period
Quota int64 `json:"quota"`
// CPU period to be used for hardcapping (in usecs). 0 to use system default
Period int64 `json:"period"`
// How many time CPU will use in realtime scheduling (in usecs)
RealtimeRuntime int64 `json:"realtimeRuntime"`
// CPU period to be used for realtime scheduling (in usecs)
RealtimePeriod int64 `json:"realtimePeriod"`
// CPU to use within the cpuset
Cpus string `json:"cpus"`
// MEM to use within the cpuset
Mems string `json:"mems"`
}
CPU for Linux cgroup 'cpu' resource management
type Device ¶
type Device struct {
// Path to the device.
Path string `json:"path"`
// Device type, block, char, etc.
Type rune `json:"type"`
// Major is the device's major number.
Major int64 `json:"major"`
// Minor is the device's minor number.
Minor int64 `json:"minor"`
// Cgroup permissions format, rwm.
Permissions string `json:"permissions"`
// FileMode permission bits for the device.
FileMode os.FileMode `json:"fileMode"`
// UID of the device.
UID uint32 `json:"uid"`
// Gid of the device.
GID uint32 `json:"gid"`
}
Device represents the information on a Linux special device file
type Hook ¶
type Hook struct {
Path string `json:"path"`
Args []string `json:"args"`
Env []string `json:"env"`
}
Hook specifies a command that is run at a particular event in the lifecycle of a container
type Hooks ¶
type Hooks struct {
// Prestart is a list of hooks to be run before the container process is executed.
// On Linux, they are run after the container namespaces are created.
Prestart []Hook `json:"prestart"`
// Poststop is a list of hooks to be run after the container process exits.
Poststop []Hook `json:"poststop"`
}
Hooks for container setup and teardown
type HugepageLimit ¶
type HugepageLimit struct {
// Pagesize is the hugepage size
Pagesize string `json:"pageSize"`
// Limit is the limit of "hugepagesize" hugetlb usage
Limit uint64 `json:"limit"`
}
HugepageLimit structure corresponds to limiting kernel hugepages
type IDMapping ¶
type IDMapping struct {
// HostID is the UID/GID of the host user or group
HostID int32 `json:"hostID"`
// ContainerID is the UID/GID of the container's user or group
ContainerID int32 `json:"containerID"`
// Size is the length of the range of IDs mapped between the two namespaces
Size int32 `json:"size"`
}
IDMapping specifies UID/GID mappings
type InterfacePriority ¶
type InterfacePriority struct {
// Name is the name of the network interface
Name string `json:"name"`
// Priority for the interface
Priority int64 `json:"priority"`
}
InterfacePriority for network interfaces
type Linux ¶
type Linux struct {
// Capabilities are linux capabilities that are kept for the container.
Capabilities []string `json:"capabilities"`
}
Linux contains platform specific configuration for linux based containers.
type LinuxRuntime ¶
type LinuxRuntime struct {
// UIDMapping specifies user mappings for supporting user namespaces on linux.
UIDMappings []IDMapping `json:"uidMappings"`
// GIDMapping specifies group mappings for supporting user namespaces on linux.
GIDMappings []IDMapping `json:"gidMappings"`
// Rlimits specifies rlimit options to apply to the container's process.
Rlimits []Rlimit `json:"rlimits"`
// Sysctl are a set of key value pairs that are set for the container on start
Sysctl map[string]string `json:"sysctl"`
// Resources contain cgroup information for handling resource constraints
// for the container
Resources *Resources `json:"resources"`
// CgroupsPath specifies the path to cgroups that are created and/or joined by the container.
// The path is expected to be relative to the cgroups mountpoint.
// If resources are specified, the cgroups at CgroupsPath will be updated based on resources.
CgroupsPath string `json:"cgroupsPath"`
// Namespaces contains the namespaces that are created and/or joined by the container
Namespaces []Namespace `json:"namespaces"`
// Devices are a list of device nodes that are created and enabled for the container
Devices []Device `json:"devices"`
// ApparmorProfile specified the apparmor profile for the container.
ApparmorProfile string `json:"apparmorProfile"`
// SelinuxProcessLabel specifies the selinux context that the container process is run as.
SelinuxProcessLabel string `json:"selinuxProcessLabel"`
// Seccomp specifies the seccomp security settings for the container.
Seccomp Seccomp `json:"seccomp"`
// RootfsPropagation is the rootfs mount propagation mode for the container
RootfsPropagation string `json:"rootfsPropagation"`
}
LinuxRuntime hosts the Linux-only runtime information
type LinuxRuntimeSpec ¶
type LinuxRuntimeSpec struct {
RuntimeSpec
// LinuxRuntime is platform specific configuration for linux based containers.
Linux LinuxRuntime `json:"linux"`
}
LinuxRuntimeSpec is the full specification for linux containers.
type LinuxSpec ¶
type LinuxSpec struct {
Spec
// Linux is platform specific configuration for linux based containers.
Linux Linux `json:"linux"`
}
LinuxSpec is the full specification for linux containers.
type Memory ¶
type Memory struct {
// Memory limit (in bytes)
Limit int64 `json:"limit"`
// Memory reservation or soft_limit (in bytes)
Reservation int64 `json:"reservation"`
// Total memory usage (memory + swap); set `-1' to disable swap
Swap int64 `json:"swap"`
// Kernel memory limit (in bytes)
Kernel int64 `json:"kernel"`
// How aggressive the kernel will swap memory pages. Range from 0 to 100. Set -1 to use system default
Swappiness int64 `json:"swappiness"`
}
Memory for Linux cgroup 'memory' resource management
type Mount ¶
type Mount struct {
// Type specifies the mount kind.
Type string `json:"type"`
// Source specifies the source path of the mount. In the case of bind mounts on
// linux based systems this would be the file on the host.
Source string `json:"source"`
// Options are fstab style mount options.
Options []string `json:"options"`
}
Mount specifies a mount for a container
type MountPoint ¶
type MountPoint struct {
// Name is a unique descriptive identifier for this mount point.
Name string `json:"name"`
// Path specifies the path of the mount. The path and child directories MUST exist, a runtime MUST NOT create directories automatically to a mount point.
Path string `json:"path"`
}
MountPoint describes a directory that may be fullfilled by a mount in the runtime.json.
type Namespace ¶
type Namespace struct {
// Type is the type of Linux namespace
Type NamespaceType `json:"type"`
// Path is a path to an existing namespace persisted on disk that can be joined
// and is of the same type
Path string `json:"path"`
}
Namespace is the configuration for a linux namespace
type Network ¶
type Network struct {
// Set class identifier for container's network packets
ClassID string `json:"classId"`
// Set priority of network traffic for container
Priorities []InterfacePriority `json:"priorities"`
}
Network identification and priority configuration
type Pids ¶
type Pids struct {
// Maximum number of PIDs. A value < 0 implies "no limit".
Limit int64 `json:"limit"`
}
Pids for Linux cgroup 'pids' resource management (Linux 4.3)
type Platform ¶
type Platform struct {
// OS is the operating system.
OS string `json:"os"`
// Arch is the architecture
Arch string `json:"arch"`
}
Platform specifies OS and arch information for the host system that the container is created for.
type Process ¶
type Process struct {
// Terminal creates an interactive terminal for the container.
Terminal bool `json:"terminal"`
// User specifies user information for the process.
User User `json:"user"`
// Args specifies the binary and arguments for the application to execute.
Args []string `json:"args"`
// Env populates the process environment for the process.
Env []string `json:"env"`
// Cwd is the current working directory for the process and must be
// relative to the container's root.
Cwd string `json:"cwd"`
}
Process contains information to start a specific application inside the container.
type Resources ¶
type Resources struct {
// DisableOOMKiller disables the OOM killer for out of memory conditions
DisableOOMKiller bool `json:"disableOOMKiller"`
// Memory restriction configuration
Memory Memory `json:"memory"`
// CPU resource restriction configuration
CPU CPU `json:"cpu"`
// Task resource restriction configuration.
Pids Pids `json:"pids"`
// BlockIO restriction configuration
BlockIO BlockIO `json:"blockIO"`
// Hugetlb limit (in bytes)
HugepageLimits []HugepageLimit `json:"hugepageLimits"`
// Network restriction configuration
Network Network `json:"network"`
}
Resources has container runtime resource constraints
type Rlimit ¶
type Rlimit struct {
// Type of the rlimit to set
Type string `json:"type"`
// Hard is the hard limit for the specified type
Hard uint64 `json:"hard"`
// Soft is the soft limit for the specified type
Soft uint64 `json:"soft"`
}
Rlimit type and restrictions
type Root ¶
type Root struct {
// Path is the absolute path to the container's root filesystem.
Path string `json:"path"`
// Readonly makes the root filesystem for the container readonly before the process is executed.
Readonly bool `json:"readonly"`
}
Root contains information about the container's root filesystem on the host.
type RuntimeSpec ¶
type RuntimeSpec struct {
// Mounts is a mapping of names to mount configurations.
// Which mounts will be mounted and where should be chosen with MountPoints
// in Spec.
Mounts map[string]Mount `json:"mounts"`
// Hooks are the commands run at various lifecycle events of the container.
Hooks Hooks `json:"hooks"`
}
RuntimeSpec is the generic runtime state information on a running container
type Seccomp ¶
type Seccomp struct {
DefaultAction Action `json:"defaultAction"`
Syscalls []*Syscall `json:"syscalls"`
}
Seccomp represents syscall restrictions
type Spec ¶
type Spec struct {
// Version is the version of the specification that is supported.
Version string `json:"version"`
// Platform is the host information for OS and Arch.
Platform Platform `json:"platform"`
// Process is the container's main process.
Process Process `json:"process"`
// Root is the root information for the container's filesystem.
Root Root `json:"root"`
// Hostname is the container's host name.
Hostname string `json:"hostname"`
// Mounts profile configuration for adding mounts to the container's filesystem.
Mounts []MountPoint `json:"mounts"`
}
Spec is the base configuration for the container. It specifies platform independent configuration.
type State ¶
type State struct {
// Version is the version of the specification that is supported.
Version string `json:"version"`
// ID is the container ID
ID string `json:"id"`
// Pid is the process id for the container's main process.
Pid int `json:"pid"`
// Root is the path to the container's bundle directory.
Root string `json:"root"`
}
State holds information about the runtime state of the container.
type Syscall ¶
type Syscall struct {
Name string `json:"name"`
Action Action `json:"action"`
Args []*Arg `json:"args"`
}
Syscall is used to match a syscall in Seccomp
type ThrottleDevice ¶
type ThrottleDevice struct {
// Rate is the IO rate limit per cgroup per device
Rate uint64 `json:"rate"`
// contains filtered or unexported fields
}
ThrottleDevice struct holds a `major:minor rate_per_second` pair
type User ¶
type User struct {
// UID is the user id.
UID int32 `json:"uid"`
// GID is the group id.
GID int32 `json:"gid"`
// AdditionalGids are additional group ids set for the container's process.
AdditionalGids []int32 `json:"additionalGids"`
}
User specifies linux specific user and group information for the container's main process.
type WeightDevice ¶
type WeightDevice struct {
// Weight is the bandwidth rate for the device, range is from 10 to 1000
Weight uint16 `json:"weight"`
// LeafWeight is the bandwidth rate for the device while competing with the cgroup's child cgroups, range is from 10 to 1000, cfq scheduler only
LeafWeight uint16 `json:"leafWeight"`
// contains filtered or unexported fields
}
WeightDevice struct holds a `major:minor weight` pair for blkioWeightDevice
Source Files