Skip to content

Commit

Permalink
Update config-linux for better formatting on values
Browse files Browse the repository at this point in the history 
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
  • Loading branch information
@crosbymichael
crosbymichael committed Jun 30, 2015
1 parent 106bc8e commit f2569d1
Showing 1 changed file with 40 additions and 26 deletions.
66 changes: 40 additions & 26 deletions config-linux.md
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,17 @@
# Linux

## Linux Namespaces
## Linux namespaces

A namespace wraps a global system resource in an abstraction that makes it
appear to the processes within the namespace that they have their own isolated
instance of the global resource. Changes to the global resource are visible to
other processes that are members of the namespace, but are invisible to other
processes. For more information, see [the man page](http://man7.org/linux/man-pages/man7/namespaces.7.html)

Namespaces are specified in the spec as an array of entries. Each entry has a
type field with possible values described below and an optional path element.
If a path is specified, that particular file is used to join that type of namespace.

```json
"namespaces": [
{
Expand All @@ -26,23 +37,25 @@
]
```

A namespace wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource. Changes to the global resource are visible to other processes that are members of the namespace, but are invisible to other processes. For more information, see http://man7.org/linux/man-pages/man7/namespaces.7.html

Namespaces are specified in the spec as an array of entries. Each entry has a type field with possible values described below and an optional path element. If a path is specified, that particular fd is used to join that type of namespace.

* pid: the process ID number space is specific to the container, meaning that processes in different PID namespaces can have the same PID

* network: the container will have an isolated network stack

* mnt: container can only access mounts local to itself
#### Namespace types

* ipc: processes in the container can only communicate with other processes inside same container
* **pid** processes inside the container will only be able to see other processes inside the same container.
* **network** the container will have it's own network stack.
* **mnt** the container will have an isolated mount table.
* **ipc** processes inside the container will only be able to communicate to other processes inside the same
container via system level IPC.
* **uts** the container will be able to have it's own hostname and domain name.
* **user** the container will be able to remap user and group IDs from the host to local users and groups
within the container.

* uts: Hostname and NIS domain name are specific to the container
### Access to devices

* user: uids/gids on the host are mapped to different uids/gids in the container, so root in a container could be a non-root, unprivileged uid on the host
Devices is an array specifying the list of devices from the host to make available in the container.
By providing a device name within the list the runtime should lookup the same device on the host's `/dev`
and collect information about the device node so that it can be recreated for the container. The runtime
should not only create the device inside the container but ensure that the root user inside
the container has access rights for the device.

### Access to devices
```json
"devices": [
"null",
Expand All @@ -54,15 +67,17 @@ Namespaces are specified in the spec as an array of entries. Each entry has a ty
]
```

Devices is an array specifying the list of devices from the host to make available in the container.

The array contains names: for each name, the device /dev/<name> will be made available inside the container.
## Linux control groups

## Linux Control groups
Also known as cgroups, they are used to restrict resource usage for a container and handle
device access. cgroups provide controls to restruct cpu, memory, IO, and network for
the container.

## Linux Seccomp
## Linux capabilities

## Linux Process Capabilities
Capabilities is an array that specifies Linux capabilities that can be provided to the process
inside the container. Valid values are the string after `CAP_` for capabilities defined
in [the man page](http://man7.org/linux/man-pages/man7/capabilities.7.html)

```json
"capabilities": [
Expand All @@ -72,9 +87,10 @@ The array contains names: for each name, the device /dev/<name> will be made ava
]
```

capabilities is an array of Linux process capabilities. Valid values are the string after `CAP_` for capabilities defined in http://man7.org/linux/man-pages/man7/capabilities.7.html
## Linux sysctl

## Linux Sysctl
sysctl allows kernel parameters to be modified at runtime for the container.
For more information, see [the man page](http://man7.org/linux/man-pages/man8/sysctl.8.html)

```
"sysctl": {
Expand All @@ -83,9 +99,7 @@ capabilities is an array of Linux process capabilities. Valid values are the str
}
```

sysctl allows kernel parameters to be modified at runtime. For more information, see http://man7.org/linux/man-pages/man8/sysctl.8.html

## SELinux
## Security

## Apparmor
**TODO:** security profiles

0 comments on commit f2569d1

Please sign in to comment.