diff --git a/.travis.yml b/.travis.yml
index 7f6c11f11..7c2de7e71 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -22,3 +22,4 @@ script:
- echo "${TRAVIS_COMMIT_RANGE} -> ${TRAVIS_COMMIT_RANGE/.../..} (travis-ci/travis-ci#4596)"
- TRAVIS_COMMIT_RANGE="${TRAVIS_COMMIT_RANGE/.../..}" make .gitvalidation
- make docs
+ - make -C schema test
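Review bot: `make -C schema test` pulls in the `validate` target, whose recipe runs an unpinned `go get -d ./...` at build time, so every CI run now fetches whatever version of the validator's dependencies is current rather than a known one. Pin or vendor that dependency, or at minimum keep the fetch and the schema run as separately visible steps so a network or upstream failure in Travis is not read as a schema regression.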
diff --git a/config-linux.md b/config-linux.md
index 52c0791cd..2269c4d42 100644
--- a/config-linux.md
+++ b/config-linux.md
@@ -263,21 +263,6 @@ For more information, see [the memory cgroup man page][cgroup-v1-memory].
"disableOOMKiller": false
```
-#### Set oom_score_adj
-
-`oomScoreAdj` sets heuristic regarding how the process is evaluated by the kernel during memory pressure.
-For more information, see [the proc filesystem documentation section 3.1][procfs].
-This is a kernel/system level setting, where as `disableOOMKiller` is scoped for a memory cgroup.
-For more information on how these two settings work together, see [the memory cgroup documentation section 10. OOM Contol][cgroup-v1-memory].
-
-* **`oomScoreAdj`** *(int, OPTIONAL)* - adjust the oom-killer score
-
-###### Example
-
-```json
- "oomScoreAdj": 100
-```
-
#### Memory
**`memory`** (object, OPTIONAL) represents the cgroup subsystem `memory` and it's used to set limits on the container's memory usage.
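Review bot: removing this section orphans the `[procfs]` link definition in config-linux.md unless some other section of that file still references it; check the reference list at the bottom of config-linux.md and delete `[procfs]` there if this was its only use. The `disableOOMKiller` text just above also loses its cross-reference to the per-process knob; a one-line pointer to the new `oomScoreAdj` entry under `process` in config.md would keep the two settings discoverable together.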
@@ -478,86 +463,29 @@ The following parameters can be specified to setup the controller:
## IntelRdt
-Intel platforms with new Xeon CPU support Intel Resource Director Technology
-(RDT). Cache Allocation Technology (CAT) is a sub-feature of RDT, which
-currently supports L3 cache resource allocation.
-
-This feature provides a way for the software to restrict cache allocation to a
-defined 'subset' of L3 cache which may be overlapping with other 'subsets'.
-The different subsets are identified by class of service (CLOS) and each CLOS
-has a capacity bitmask (CBM).
-
-In Linux kernel, it is exposed via "resource control" filesystem, which is a
-"cgroup-like" interface.
-
-Comparing with cgroups, it has similar process management lifecycle and
-interfaces in a container. But unlike cgroups' hierarchy, it has single level
-filesystem layout.
-
-Intel RDT "resource control" filesystem hierarchy:
-```
-mount -t resctrl resctrl /sys/fs/resctrl
-tree /sys/fs/resctrl
-/sys/fs/resctrl/
-|-- info
-| |-- L3
-| |-- cbm_mask
-| |-- min_cbm_bits
-| |-- num_closids
-|-- cpus
-|-- schemata
-|-- tasks
-|--
- |-- cpus
- |-- schemata
- |-- tasks
-
-```
+**`intelRdt`** (object, OPTIONAL) represents the [Intel Resource Director Technology][intel-rdt-cat-kernel-interface].
+ If `intelRdt` is set, the runtime MUST write the container process ID to the `/tasks` file in a mounted `resctrl` pseudo-filesystem, using the container ID from [`start`](runtime.md#start) and creating the `` directory if necessary.
+ If no mounted `resctrl` pseudo-filesystem is available in the [runtime mount namespace](glossary.md#runtime-namespace), the runtime MUST [generate an error](runtime.md#errors).
-For containers, we can make use of `tasks` and `schemata` configuration for
-L3 cache resource constraints if hardware and kernel support Intel RDT/CAT.
-
-The file `tasks` has a list of tasks that belongs to this group (e.g.,
-" group). Tasks can be added to a group by writing the task ID
-to the "tasks" file (which will automatically remove them from the previous
-group to which they belonged). New tasks created by fork(2) and clone(2) are
-added to the same group as their parent. If a pid is not in any sub group, it
-is in root group.
-
-The file `schemata` has allocation masks/values for L3 cache on each socket,
-which contains L3 cache id and capacity bitmask (CBM).
-```
- Format: "L3:=;=;..."
-```
-For example, on a two-socket machine, L3's schema line could be `L3:0=ff;1=c0`
-Which means L3 cache id 0's CBM is 0xff, and L3 cache id 1's CBM is 0xc0.
+ If `intelRdt` is not set, the runtime MUST NOT manipulate any `resctrl` psuedo-filesystems.
-The valid L3 cache CBM is a *contiguous bits set* and number of bits that can
-be set is less than the max bit. The max bits in the CBM is varied among
-supported Intel Xeon platforms. In Intel RDT "resource control" filesystem
-layout, the CBM in a group should be a subset of the CBM in root. Kernel will
-check if it is valid when writing. e.g., 0xfffff in root indicates the max bits
-of CBM is 20 bits, which mapping to entire L3 cache capacity. Some valid CBM
-values to set in a group: 0xf, 0xf0, 0x3ff, 0x1f00 and etc.
+The following parameters can be specified for the container:
-**`intelRdt`** (object, OPTIONAL) represents the L3 cache resource constraints in Intel Xeon platforms.
+* **`l3CacheSchema`** *(string, OPTIONAL)* - specifies the schema for L3 cache id and capacity bitmask (CBM).
+ If `l3CacheSchema` is set, runtimes MUST write the value to the `schemata` file in the `` directory discussed in `intelRdt`.
-For more information, see [Intel RDT/CAT kernel interface][intel-rdt-cat-kernel-interface].
+ If `l3CacheSchema` is not set, runtimes MUST NOT write to `schemata` files in any `resctrl` psuedo-filesystems.
-The following parameters can be specified for the container:
+### Example
-* **`l3CacheSchema`** *(string, OPTIONAL)* - specifies the schema for L3 cache id and capacity bitmask (CBM)
+Consider a two-socket machine with two L3 caches where the default CBM is 0xfffff and the max CBM length is 20 bits.
+Tasks inside the container only have access to the "upper" 80% of L3 cache id 0 and the "lower" 50% L3 cache id 1:
-###### Example
```json
-There are two L3 caches in the two-socket machine, the default CBM is 0xfffff
-and the max CBM length is 20 bits. This configuration assigns 4/5 of L3 cache
-id 0 and the whole L3 cache id 1 for the container:
-
"linux": {
- "intelRdt": {
- "l3CacheSchema": "L3:0=ffff0;1=fffff"
- }
+ "intelRdt": {
+ "l3CacheSchema": "L3:0=ffff0;1=3ff"
+ }
}
```
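Review bot: the directory name is missing from the new normative text: `/tasks` and the `` directory on the `If intelRdt is set` line, and again on the `l3CacheSchema` line, need to spell out `<container-id>/tasks` and `<container-id>/schemata` under the mounted `resctrl` filesystem, otherwise the MUST is not implementable as written. Because that directory name is derived from the container ID passed to `start`, the text should also require the runtime to use the ID as a single path component (reject `/` and `..`), or a crafted ID lets a caller write the PID into an arbitrary resctrl group. Two further gaps: the `schemata` write can be rejected by the kernel (the deleted paragraph explained that a CBM must be a contiguous subset of the root CBM), and the new text does not say a failed write MUST generate an error; and nothing requires the runtime to remove the `<container-id>` directory at `delete`, so groups accumulate across container lifecycles. Minor: `psuedo-filesystems` appears twice (`pseudo`), and `the "lower" 50% L3 cache id 1` needs an `of`. The example mask itself checks out: `ffff0` is bits 4 to 19 of 20 (upper 80%) and `3ff` is bits 0 to 9 (lower 50%).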
diff --git a/config-solaris.md b/config-solaris.md
index 7654b6b00..34dbd1b64 100644
--- a/config-solaris.md
+++ b/config-solaris.md
@@ -1,6 +1,6 @@
# Solaris Application Container Configuration
-Solaris application containers can be configured using the following properties, all of the below properties have mappings to properties specified under [zonecfg(1M)][zonecfg.1m_2] man page, except milestone.
+Solaris application containers can be configured using the following properties, all of the below properties have mappings to properties specified under [zonecfg(1M)][zonecfg.1m] man page, except milestone.
## milestone
The SMF(Service Management Facility) FMRI which should go to "online" state before we start the desired process within the container.
@@ -117,4 +117,4 @@ Mapped to `link-protection` in the [zonecfg(1M)][zonecfg.1m] man page.
[priv-str-to-set.3c]: http://docs.oracle.com/cd/E53394_01/html/E54766/priv-str-to-set-3c.html
[zoneadmd.1m]: http://docs.oracle.com/cd/E53394_01/html/E54764/zoneadmd-1m.html
-[zonecfg.1m_2]: http://docs.oracle.com/cd/E53394_01/html/E54764/zonecfg-1m.html
+[zonecfg.1m]: https://docs.oracle.com/cd/E36784_01/html/E36871/zonecfg-1m.html
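Review bot: the renamed definition points at a different documentation tree (`E36784_01`) than the neighbouring `zoneadmd.1m` and `priv-str-to-set.3c` entries (`E53394_01`); since the intent is only to drop the `_2` suffix, keep the `E53394_01` URL so all three man-page links resolve against the same release. Also confirm the file does not already define `[zonecfg.1m]`, since the unchanged context line `Mapped to link-protection ...` already references that label; if it does, this hunk introduces a duplicate definition and the `_2` entry should simply be deleted instead.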
diff --git a/config.md b/config.md
index efaf0a0e5..b89d4c5fc 100644
--- a/config.md
+++ b/config.md
@@ -1,6 +1,5 @@
# Container Configuration file
-The container's top-level directory MUST contain a configuration file called `config.json`.
The canonical schema is defined in this document, but there is a JSON Schema in [`schema/config-schema.json`](schema/config-schema.json) and Go bindings in [`specs-go/config.go`](specs-go/config.go).
[Platform](spec.md#platforms)-specific configuration schema are defined in the [platform-specific documents](#platform-specific-configuration) linked below.
For properties that are only defined for some [platforms](spec.md#platforms), the Go property has a `platform` tag listing those protocols (e.g. `platform:"linux,solaris"`).
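Review bot: deleting `The container's top-level directory MUST contain a configuration file called config.json.` drops a normative requirement, which is only safe if bundle.md states it; the commit message should say where that MUST now lives. While here, the unchanged context line `listing those protocols` should read `listing those platforms`.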
@@ -155,6 +154,12 @@ For Linux-based systems the process structure supports the following process spe
* **`apparmorProfile`** (string, OPTIONAL) specifies the name of the AppArmor profile to be applied to processes in the container.
For more information about AppArmor, see [AppArmor documentation][apparmor].
+* **`oomScoreAdj`** *(int, OPTIONAL)* adjusts the oom-killer score in `[pid]/oom_score_adj` for the container process's `[pid]` in a [proc pseudo-filesystem][procfs].
+ If `oomScoreAdj` is set, the runtime MUST set `oom_score_adj` to the given value.
+ If `oomScoreAdj` is not set, the runtime MUST NOT change the value of `oom_score_adj`.
+
+ This is a per-process setting, where as [`disableOOMKiller`](config-linux.md#disable-out-of-memory-killer) is scoped for a memory cgroup.
+ For more information on how these two settings work together, see [the memory cgroup documentation section 10. OOM Contol][cgroup-v1-memory_2].
* **`selinuxLabel`** (string, OPTIONAL) specifies the SELinux label to be applied to the processes in the container.
For more information about SELinux, see [SELinux documentation][selinux].
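Review bot: `[proc pseudo-filesystem][procfs]` references the link label `procfs`, but the definition this PR adds at the bottom of config.md is `[procfs_2]`, so one of the two needs renaming or the link renders as literal bracketed text. Two points on the semantics: oom_score_adj is inherited across fork and exec, and lowering it below its current value requires CAP_SYS_RESOURCE, so the text should say the runtime applies it to the container process before dropping capabilities and exec'ing the user program, otherwise a negative value cannot be set once privileges are gone. Typos: `where as` (whereas) and `OOM Contol` (Control) at the cgroup link.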
@@ -357,6 +362,7 @@ Hooks allow for the configuration of custom actions related to the [lifecycle](r
* **`args`** (array of strings, OPTIONAL) with the same semantics as [IEEE Std 1003.1-2001 `execv`'s *argv*][ieee-1003.1-2001-xsh-exec].
* **`env`** (array of strings, OPTIONAL) with the same semantics as [IEEE Std 1003.1-2001's `environ`][ieee-1003.1-2001-xbd-c8.1].
* **`timeout`** (int, OPTIONAL) is the number of seconds before aborting the hook.
+ If set, `timeout` MUST be greater than zero.
* **`poststart`** (array of objects, OPTIONAL) is an array of [post-start hooks](#poststart).
Entries in the array have the same schema as pre-start entries.
* **`poststop`** (array of objects, OPTIONAL) is an array of [post-stop hooks](#poststop).
@@ -503,6 +509,7 @@ Here is a full example `config.json` for reference.
}
],
"apparmorProfile": "acme_secure_profile",
+ "oomScoreAdj": 100,
"selinuxLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675",
"noNewPrivileges": true
},
@@ -682,7 +689,6 @@ Here is a full example `config.json` for reference.
"limit": 9223372036854772000
}
],
- "oomScoreAdj": 100,
"memory": {
"limit": 536870912,
"reservation": 536870912,
@@ -818,8 +824,10 @@ Here is a full example `config.json` for reference.
[apparmor]: https://wiki.ubuntu.com/AppArmor
+[cgroup-v1-memory_2]: https://www.kernel.org/doc/Documentation/cgroup-v1/memory.txt
[selinux]:http://selinuxproject.org/page/Main_Page
[no-new-privs]: https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt
+[procfs_2]: https://www.kernel.org/doc/Documentation/filesystems/proc.txt
[semver-v2.0.0]: http://semver.org/spec/v2.0.0.html
[go-environment]: https://golang.org/doc/install/source#environment
[ieee-1003.1-2001-xbd-c8.1]: http://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap08.html#tag_08_01
diff --git a/schema/Makefile b/schema/Makefile
index 0a0b04084..bc9e30270 100644
--- a/schema/Makefile
+++ b/schema/Makefile
@@ -1,3 +1,5 @@
+GOOD_TESTS = $(wildcard test/good/*.json)
+BAD_TESTS = $(wildcard test/bad/*.json)
.PHONY: default
default: validate
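Review bot: `GOOD_TESTS` and `BAD_TESTS` are defined but never used; the `test` target below lists `$(TESTS)` as a prerequisite, which is undefined and expands to nothing, so Make will not re-run the tests when a fixture changes. Either use `$(GOOD_TESTS) $(BAD_TESTS)` in that prerequisite list or drop these two variables.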
@@ -12,13 +14,42 @@ help:
.PHONY: fmt
fmt:
- for i in *.json ; do jq --indent 4 -M . "$${i}" > xx && cat xx > "$${i}" && rm xx ; done
+ find . -name '*.json' -exec bash -c 'jq --indent 4 -M . {} > xx && mv xx {} || echo "skipping invalid {}"' \;
.PHONY: validate
validate: validate.go
go get -d ./...
go build ./validate.go
+.PHONY: test
+test: validate $(TESTS)
+ for TYPE in $$(ls test); \
+ do \
+ echo "testing $${TYPE}"; \
+ for FILE in $$(ls "test/$${TYPE}/good"); \
+ do \
+ echo " testing test/$${TYPE}/good/$${FILE}"; \
+ if ./validate "$${TYPE}-schema.json" "test/$${TYPE}/good/$${FILE}" ; \
+ then \
+ echo " received expected validation success" ; \
+ else \
+ echo " received unexpected validation failure" ; \
+ exit 1; \
+ fi \
+ done; \
+ for FILE in $$(ls "test/$${TYPE}/bad"); \
+ do \
+ echo " testing test/$${TYPE}/bad/$${FILE}"; \
+ if ./validate "$${TYPE}-schema.json" "test/$${TYPE}/good/$${FILE}" ; \
+ then \
+ echo " received unexpected validation success" ; \
+ exit 1; \
+ else \
+ echo " received expected validation failure" ; \
+ fi \
+ done; \
+ done
+
.PHONY: clean
clean:
rm -f validate
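Review bot: the `bad` loop validates the wrong file: `./validate "$${TYPE}-schema.json" "test/$${TYPE}/good/$${FILE}"` should read `test/$${TYPE}/bad/$${FILE}`. As written, each bad fixture is looked up by name under `good/`, where it does not exist, so `validate` fails to open the file and the loop prints `received expected validation failure` without ever parsing the bad JSON; the bad tests pass vacuously. In `fmt`, splicing `{}` into the `bash -c` string means a filename containing quotes or `$(...)` is executed as shell; pass it as a positional argument instead (`bash -c 'jq --indent 4 -M . "$1" > xx && mv xx "$1"' _ {} \;`). Note also that `jq ... > xx` creates `xx` before `jq` fails on the intentionally invalid `{]` fixtures, so every `skipping` leaves an empty `xx` behind.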
diff --git a/schema/config-linux.json b/schema/config-linux.json
index c0f649778..dd5bac013 100644
--- a/schema/config-linux.json
+++ b/schema/config-linux.json
@@ -47,10 +47,6 @@
"$ref": "defs-linux.json#/definitions/DeviceCgroup"
}
},
- "oomScoreAdj": {
- "id": "https://opencontainers.org/schema/bundle/linux/resources/oomScoreAdj",
- "type": "integer",
- },
"pids": {
"id": "https://opencontainers.org/schema/bundle/linux/resources/pids",
"type": "object",
diff --git a/schema/config-schema.json b/schema/config-schema.json
index 87e46dfef..5f36c4e0d 100644
--- a/schema/config-schema.json
+++ b/schema/config-schema.json
@@ -178,6 +178,10 @@
"id": "https://opencontainers.org/schema/bundle/process/linux/apparmorProfile",
"type": "string"
},
+ "oomScoreAdj": {
+ "id": "https://opencontainers.org/schema/bundle/process/linux/oomScoreAdj",
+ "type": "integer",
+ },
"selinuxLabel": {
"id": "https://opencontainers.org/schema/bundle/process/linux/selinuxLabel",
"type": "string"
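Review bot: the trailing comma in `"type": "integer",` immediately before `},` makes config-schema.json invalid JSON, the same defect this PR fixes in defs-linux.json and removes along with defs-windows.json and the old `resources/oomScoreAdj` block. A strict parser rejects the whole schema, so the new `make -C schema test` fails on every config fixture; drop the comma. A `bad` fixture that puts `oomScoreAdj` under `linux.resources` would also be worthwhile to prove the old location is now rejected, which in turn needs `additionalProperties: false` on that object.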
diff --git a/schema/config-windows.json b/schema/config-windows.json
index 85bbd030f..6d3f223bf 100644
--- a/schema/config-windows.json
+++ b/schema/config-windows.json
@@ -28,7 +28,7 @@
},
"shares": {
"id": "https://opencontainers.org/schema/bundle/windows/resources/cpu/shares",
- "$ref": "defs-windows.json#/definitions/cpuShares"
+ "$ref": "defs.json#/definitions/uint16"
},
"maximum": {
"id": "https://opencontainers.org/schema/bundle/windows/resources/cpu/maximum",
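Review bot: switching `shares` to `defs.json#/definitions/uint16` accepts 0 and 65535, while the Go comment being deleted elsewhere in this PR documented a 1 to 10000 range; rather than discarding the range, keep a Windows-specific definition with `minimum: 1` and `maximum: 10000` so the schema enforces what the comment used to say, and leave the comment in place.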
diff --git a/schema/defs-linux.json b/schema/defs-linux.json
index 9e5466a0f..2ac6eeb2c 100644
--- a/schema/defs-linux.json
+++ b/schema/defs-linux.json
@@ -150,7 +150,7 @@
}
},
"blkioWeight": {
- "type": "integer",
+ "type": "integer"
},
"blockIODevice": {
"type": "object",
diff --git a/schema/defs-windows.json b/schema/defs-windows.json
deleted file mode 100644
index c9cfde0e5..000000000
--- a/schema/defs-windows.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- "definitions": {
- "cpuShares": {
- "description": "Relative weight to other containers with CPU Shares defined",
- "type": "integer",
- }
- }
-}
diff --git a/schema/defs.json b/schema/defs.json
index 126e285b4..b8161ac87 100644
--- a/schema/defs.json
+++ b/schema/defs.json
@@ -91,7 +91,8 @@
"$ref": "#/definitions/Env"
},
"timeout": {
- "type": "integer"
+ "type": "integer",
+ "minimum": 1
}
},
"required": [
diff --git a/schema/test/config/bad/invalid-json.json b/schema/test/config/bad/invalid-json.json
new file mode 100644
index 000000000..8e9352830
--- /dev/null
+++ b/schema/test/config/bad/invalid-json.json
@@ -0,0 +1 @@
+{]
diff --git a/schema/test/config/good/minimal.json b/schema/test/config/good/minimal.json
new file mode 100644
index 000000000..4d8f177a3
--- /dev/null
+++ b/schema/test/config/good/minimal.json
@@ -0,0 +1,18 @@
+{
+ "ociVersion": "1.0.0",
+ "platform": {
+ "os": "linux",
+ "arch": "amd64"
+ },
+ "root": {
+ "path": "rootfs"
+ },
+ "process": {
+ "cwd": "/",
+ "args": ["sh"],
+ "user": {
+ "uid": 0,
+ "gid": 0
+ }
+ }
+}
diff --git a/schema/test/config/good/spec-example.json b/schema/test/config/good/spec-example.json
new file mode 100644
index 000000000..309183c6f
--- /dev/null
+++ b/schema/test/config/good/spec-example.json
@@ -0,0 +1,372 @@
+{
+ "ociVersion": "0.5.0-dev",
+ "platform": {
+ "os": "linux",
+ "arch": "amd64"
+ },
+ "process": {
+ "terminal": true,
+ "user": {
+ "uid": 1,
+ "gid": 1,
+ "additionalGids": [
+ 5,
+ 6
+ ]
+ },
+ "args": [
+ "sh"
+ ],
+ "env": [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "TERM=xterm"
+ ],
+ "cwd": "/",
+ "capabilities": {
+ "bounding": [
+ "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE"
+ ],
+ "permitted": [
+ "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE"
+ ],
+ "inheritable": [
+ "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE"
+ ],
+ "effective": [
+ "CAP_AUDIT_WRITE",
+ "CAP_KILL"
+ ],
+ "ambient": [
+ "CAP_NET_BIND_SERVICE"
+ ]
+ },
+ "rlimits": [
+ {
+ "type": "RLIMIT_CORE",
+ "hard": 1024,
+ "soft": 1024
+ },
+ {
+ "type": "RLIMIT_NOFILE",
+ "hard": 1024,
+ "soft": 1024
+ }
+ ],
+ "apparmorProfile": "acme_secure_profile",
+ "selinuxLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675",
+ "noNewPrivileges": true
+ },
+ "root": {
+ "path": "rootfs",
+ "readonly": true
+ },
+ "hostname": "slartibartfast",
+ "mounts": [
+ {
+ "destination": "/proc",
+ "type": "proc",
+ "source": "proc"
+ },
+ {
+ "destination": "/dev",
+ "type": "tmpfs",
+ "source": "tmpfs",
+ "options": [
+ "nosuid",
+ "strictatime",
+ "mode=755",
+ "size=65536k"
+ ]
+ },
+ {
+ "destination": "/dev/pts",
+ "type": "devpts",
+ "source": "devpts",
+ "options": [
+ "nosuid",
+ "noexec",
+ "newinstance",
+ "ptmxmode=0666",
+ "mode=0620",
+ "gid=5"
+ ]
+ },
+ {
+ "destination": "/dev/shm",
+ "type": "tmpfs",
+ "source": "shm",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev",
+ "mode=1777",
+ "size=65536k"
+ ]
+ },
+ {
+ "destination": "/dev/mqueue",
+ "type": "mqueue",
+ "source": "mqueue",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev"
+ ]
+ },
+ {
+ "destination": "/sys",
+ "type": "sysfs",
+ "source": "sysfs",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev"
+ ]
+ },
+ {
+ "destination": "/sys/fs/cgroup",
+ "type": "cgroup",
+ "source": "cgroup",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev",
+ "relatime",
+ "ro"
+ ]
+ }
+ ],
+ "hooks": {
+ "prestart": [
+ {
+ "path": "/usr/bin/fix-mounts",
+ "args": [
+ "fix-mounts",
+ "arg1",
+ "arg2"
+ ],
+ "env": [
+ "key1=value1"
+ ]
+ },
+ {
+ "path": "/usr/bin/setup-network"
+ }
+ ],
+ "poststart": [
+ {
+ "path": "/usr/bin/notify-start",
+ "timeout": 5
+ }
+ ],
+ "poststop": [
+ {
+ "path": "/usr/sbin/cleanup.sh",
+ "args": [
+ "cleanup.sh",
+ "-f"
+ ]
+ }
+ ]
+ },
+ "linux": {
+ "devices": [
+ {
+ "path": "/dev/fuse",
+ "type": "c",
+ "major": 10,
+ "minor": 229,
+ "fileMode": 438,
+ "uid": 0,
+ "gid": 0
+ },
+ {
+ "path": "/dev/sda",
+ "type": "b",
+ "major": 8,
+ "minor": 0,
+ "fileMode": 432,
+ "uid": 0,
+ "gid": 0
+ }
+ ],
+ "uidMappings": [
+ {
+ "hostID": 1000,
+ "containerID": 0,
+ "size": 32000
+ }
+ ],
+ "gidMappings": [
+ {
+ "hostID": 1000,
+ "containerID": 0,
+ "size": 32000
+ }
+ ],
+ "sysctl": {
+ "net.ipv4.ip_forward": "1",
+ "net.core.somaxconn": "256"
+ },
+ "cgroupsPath": "/myRuntime/myContainer",
+ "resources": {
+ "network": {
+ "classID": 1048577,
+ "priorities": [
+ {
+ "name": "eth0",
+ "priority": 500
+ },
+ {
+ "name": "eth1",
+ "priority": 1000
+ }
+ ]
+ },
+ "pids": {
+ "limit": 32771
+ },
+ "hugepageLimits": [
+ {
+ "pageSize": "2MB",
+ "limit": 9223372036854772000
+ }
+ ],
+ "oomScoreAdj": 100,
+ "memory": {
+ "limit": 536870912,
+ "reservation": 536870912,
+ "swap": 536870912,
+ "kernel": 0,
+ "kernelTCP": 0,
+ "swappiness": 0
+ },
+ "cpu": {
+ "shares": 1024,
+ "quota": 1000000,
+ "period": 500000,
+ "realtimeRuntime": 950000,
+ "realtimePeriod": 1000000,
+ "cpus": "2-3",
+ "mems": "0-7"
+ },
+ "disableOOMKiller": false,
+ "devices": [
+ {
+ "allow": false,
+ "access": "rwm"
+ },
+ {
+ "allow": true,
+ "type": "c",
+ "major": 10,
+ "minor": 229,
+ "access": "rw"
+ },
+ {
+ "allow": true,
+ "type": "b",
+ "major": 8,
+ "minor": 0,
+ "access": "r"
+ }
+ ],
+ "blockIO": {
+ "blkioWeight": 10,
+ "blkioLeafWeight": 10,
+ "blkioWeightDevice": [
+ {
+ "major": 8,
+ "minor": 0,
+ "weight": 500,
+ "leafWeight": 300
+ },
+ {
+ "major": 8,
+ "minor": 16,
+ "weight": 500
+ }
+ ],
+ "blkioThrottleReadBpsDevice": [
+ {
+ "major": 8,
+ "minor": 0,
+ "rate": 600
+ }
+ ],
+ "blkioThrottleWriteIOPSDevice": [
+ {
+ "major": 8,
+ "minor": 16,
+ "rate": 300
+ }
+ ]
+ }
+ },
+ "rootfsPropagation": "slave",
+ "seccomp": {
+ "defaultAction": "SCMP_ACT_ALLOW",
+ "architectures": [
+ "SCMP_ARCH_X86",
+ "SCMP_ARCH_X32"
+ ],
+ "syscalls": [
+ {
+ "names": [
+ "getcwd",
+ "chmod"
+ ],
+ "action": "SCMP_ACT_ERRNO"
+ }
+ ]
+ },
+ "namespaces": [
+ {
+ "type": "pid"
+ },
+ {
+ "type": "network"
+ },
+ {
+ "type": "ipc"
+ },
+ {
+ "type": "uts"
+ },
+ {
+ "type": "mount"
+ },
+ {
+ "type": "user"
+ },
+ {
+ "type": "cgroup"
+ }
+ ],
+ "maskedPaths": [
+ "/proc/kcore",
+ "/proc/latency_stats",
+ "/proc/timer_stats",
+ "/proc/sched_debug"
+ ],
+ "readonlyPaths": [
+ "/proc/asound",
+ "/proc/bus",
+ "/proc/fs",
+ "/proc/irq",
+ "/proc/sys",
+ "/proc/sysrq-trigger"
+ ],
+ "mountLabel": "system_u:object_r:svirt_sandbox_file_t:s0:c715,c811"
+ },
+ "annotations": {
+ "com.example.key1": "value1",
+ "com.example.key2": "value2"
+ }
+}
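Review bot: this fixture still carries `"oomScoreAdj": 100` under `linux.resources` and has no `oomScoreAdj` under `process`, the opposite of what this PR does to the example in config.md; it validates only because the resources schema does not set `additionalProperties: false`, so the stale key is silently ignored. Copy the corrected example from config.md (with `oomScoreAdj` next to `apparmorProfile` in `process`) so the fixture exercises the new location. Also, `minimal.json` declares `"ociVersion": "1.0.0"` while this file declares `"0.5.0-dev"`; the good fixtures should agree on which version the schema is meant to validate.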
diff --git a/schema/test/state/bad/invalid-json.json b/schema/test/state/bad/invalid-json.json
new file mode 100644
index 000000000..8e9352830
--- /dev/null
+++ b/schema/test/state/bad/invalid-json.json
@@ -0,0 +1 @@
+{]
diff --git a/schema/test/state/good/spec-example.json b/schema/test/state/good/spec-example.json
new file mode 100644
index 000000000..a49faee56
--- /dev/null
+++ b/schema/test/state/good/spec-example.json
@@ -0,0 +1,10 @@
+{
+ "ociVersion": "0.2.0",
+ "id": "oci-container1",
+ "status": "running",
+ "pid": 4422,
+ "bundle": "/containers/redis",
+ "annotations": {
+ "myKey": "myValue"
+ }
+}
diff --git a/specs-go/config.go b/specs-go/config.go
index 3e3161259..615016dbb 100644
--- a/specs-go/config.go
+++ b/specs-go/config.go
@@ -52,6 +52,8 @@ type Process struct {
NoNewPrivileges bool `json:"noNewPrivileges,omitempty" platform:"linux"`
// ApparmorProfile specifies the apparmor profile for the container.
ApparmorProfile string `json:"apparmorProfile,omitempty" platform:"linux"`
+ // Specify an oom_score_adj for the container.
+ OOMScoreAdj *int `json:"oomScoreAdj,omitempty"`
// SelinuxLabel specifies the selinux context that the container process is run as.
SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`
}
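Review bot: `OOMScoreAdj` lacks the `platform:"linux"` tag carried by `NoNewPrivileges`, `ApparmorProfile` and `SelinuxLabel` around it, even though config.md lists `oomScoreAdj` under the Linux-specific process settings and the comment names `oom_score_adj`; add the tag so the Go bindings follow the document's `platform` convention.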
@@ -293,7 +295,7 @@ type LinuxMemory struct {
Kernel *uint64 `json:"kernel,omitempty"`
// Kernel memory limit for tcp (in bytes)
KernelTCP *uint64 `json:"kernelTCP,omitempty"`
- // How aggressive the kernel will swap memory pages. Range from 0 to 100.
+ // How aggressive the kernel will swap memory pages.
Swappiness *uint64 `json:"swappiness,omitempty"`
}
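Review bot: dropping `Range from 0 to 100` from the comment removes the only place that bound was recorded; if the bound is real it belongs in `schema/defs-linux.json` as `minimum`/`maximum` on the swappiness definition (and in config-linux.md), where it can be enforced, rather than being deleted.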
@@ -335,8 +337,6 @@ type LinuxResources struct {
Devices []LinuxDeviceCgroup `json:"devices,omitempty"`
// DisableOOMKiller disables the OOM killer for out of memory conditions
DisableOOMKiller *bool `json:"disableOOMKiller,omitempty"`
- // Specify an oom_score_adj for the container.
- OOMScoreAdj *int `json:"oomScoreAdj,omitempty"`
// Memory restriction configuration
Memory *LinuxMemory `json:"memory,omitempty"`
// CPU resource restriction configuration
@@ -456,7 +456,7 @@ type WindowsMemoryResources struct {
type WindowsCPUResources struct {
// Number of CPUs available to the container.
Count *uint64 `json:"count,omitempty"`
- // CPU shares (relative weight to other containers with cpu shares). Range is from 1 to 10000.
+ // CPU shares (relative weight to other containers with cpu shares).
Shares *uint16 `json:"shares,omitempty"`
// Specifies the portion of processor cycles that this container can use as a percentage times 100.
Maximum *uint16 `json:"maximum,omitempty"`