Introducing Solaris in OCI

Makefile

@@ -14,6 +14,7 @@ DOC_FILES := \
 	runtime-linux.md \
 	config.md \
 	config-linux.md \
+	config-solaris.md \
 	glossary.md
 EPOCH_TEST_COMMIT := 78e6667ae2d67aad100b28ee9580b41b7a24e667
 

config-solaris.md

@@ -0,0 +1,116 @@
+# Solaris Application Container Configuration
+
+Solaris application containers can be configured using the following properties, all of the below properties have mappings to properties specified under zonecfg(1M) man page, except milestone.
+The Solaris specification is entirely optional.
+
+## milestone
+The SMF(Service Management Facility) FMRI which should go to "online" state before we start the desired process within the container.
+
+**`milestone`** *(string, optional)*
+
+### Example
+```json
+"milestone": "svc:/milestone/container:default"
+```
+
+## limitpriv
+The maximum set of privileges any process in this container can obtain.
+The property should consist of a comma-separated privilege set specification as described in priv_str_to_set(3C) man page for the respective release of Solaris.
+
+**`limitpriv`** *(string, optional)*
+
+### Example
+```json
+"limitpriv": "default"
+```
+
+## maxShmMemory
+The maximum amount of shared memory allowed for this application container.
+A scale (K, M, G, T) can be applied to the value for each of these numbers (for example, 1M is one megabyte).
+Mapped to max-shm-memory in zonecfg(1M) man page.
+
+**`maxShmMemory`** *(string, optional)*
+
+### Example
+```json
+"maxShmMemory": "512m"
+```
+
+## cappedCPU
+Sets a limit on the amount of CPU time that can be used by a container.
+The unit used translates to the percentage of a single CPU that can be used by all user threads in a container, expressed as a fraction (for example, .75) or a mixed number (whole number and fraction, for example, 1.25).
+An ncpu value of 1 means 100% of a CPU, a value of 1.25 means 125%, .75 mean 75%, and so forth.
+When projects within a capped container have their own caps, the minimum value takes precedence.
+cappedCPU is mapped to capped-cpu in zonecfg(1M) man page.
+
+* **`ncpus`** *(string, optional)*
+
+### Example
+```json
+"cappedCPU": {
+        "ncpus": "8"
+}
+```
+
+## cappedMemory
+The physical and swap caps on the memory that can be used by this application container.
+A scale (K, M, G, T) can be applied to the value for each of these numbers (for example, 1M is one megabyte).
+cappedMemory is mapped to capped-memory in zonecfg(1M) man page.
+
+* **`physical`** *(string, optional)*
+* **`swap`** *(string, optional)*
+
+### Example
+```json
+"cappedMemory": {
+        "physical": "512m",
+        "swap": "512m"
+}
+```
+
+## Network
+
+### Automatic Network (anet)
+anet is specified as an array that is used to setup networking for Solaris application containers.
+The anet resource represents the automatic creation of a network resource for an application container.
+The zones administration daemon, zoneadmd, is the primary process for managing the container's virtual platform.
+One of the daemons is responsibilities is creation and teardown of the networks for the container.
+For more information on the daemon check the zoneadmd(1M) man page.
+When such a container is started, a temporary VNIC(Virtual NIC) is automatically created for the container.
+The VNIC is deleted when the container is torn down.
+The following properties can be used to setup automatic networks.
+For additional information on properties check zonecfg(1M) man page for the respective release of Solaris.
+
+* **`linkname`** *(string, optional)* Specify a name for the automatically created VNIC datalink.
+* **`lowerLink`** *(string, optional)* Specify the link over which the VNIC will be created.
+Mapped to lower-link in the zonecfg(1M) man page.
+* **`allowedAddress`** *(string, optional)* The set of IP addresses that the container can use might be constrained by specifying the allowedAddress property.
+If allowedAddress has not been specified, then they can use any IP address on the associated physical interface for the network resource.
+Otherwise, when allowedAddress is specified, the container cannot use IP addresses that are not in the allowedAddress list for the physical address.
+Mapped to allowed-address in the zonecfg(1M) man page.
+* **`configureAllowedAddress`** *(string, optional)* If configureAllowedAddress is set to true, the addresses specified by allowedAddress are automatically configured on the interface each time the container starts.
+When it is set to false, the allowedAddress will not be configured on container start.
+Mapped to configure-allowed-address in the zonecfg(1M) man page.
+* **`defrouter`** *(string, optional)* The value for the optional default router.
+* **`macAddress`** *(string, optional)* Set the VNIC's MAC addresses based on the specified value or keyword.
+If not a keyword, it is interpreted as a unicast MAC address.
+For a list of the supported keywords please refer to the zonecfg(1M) man page of the respective Solaris release.
+Mapped to mac-address in the zonecfg(1M) man page.
+* **`linkProtection`** *(string, optional)* Enables one or more types of link protection using comma-separated values.
+See the protection property in dladm(8) for supported values in respective release of Solaris.
+Mapped to link-protection in the zonecfg(1M) man page.
+
+#### Example
+```json
+"anet": [
+    {
+        "allowedAddress": "172.17.0.2/16",
+        "configureAllowedAddress": "true",
+        "defrouter": "172.17.0.1/16",
+        "linkProtection": "mac-nospoof, ip-nospoof",
+        "linkname": "net0",
+        "lowerLink": "net2",
+        "macAddress": "02:42:f8:52:c7:16"
+    }
+]
+```

config.md

@@ -108,16 +108,18 @@ For more information about SELinux, see  [Selinux documentation](http://selinuxp
 
 The user for the process is a platform-specific structure that allows specific control over which user the process runs as.
 
-#### Linux User
+#### Linux and Solaris User
 
-For Linux-based systems the user structure has the following fields:
+For Linux and Solaris based systems the user structure has the following fields:
 
 * **`uid`** (int, required) specifies the user id.
 * **`gid`** (int, required) specifies the group id.
 * **`additionalGids`** (array of ints, optional) specifies additional group ids to be added to the process.
 
 _Note: symbolic name for uid and gid, such as uname and gname respectively, are left to upper levels to derive (i.e. `/etc/passwd` parsing, NSS, etc)_
 
+_Note: For Solaris, uid and gid specify the uid and gid of the process inside the container and need not be same as in the host._
+
 ### Example (Linux)
 
 ```json
@@ -153,6 +155,26 @@ _Note: symbolic name for uid and gid, such as uname and gname respectively, are
     ]
 }
 ```
+### Example (Solaris)
+
+```json
+"process": {
+    "terminal": true,
+    "user": {
+        "uid": 1,
+        "gid": 1,
+        "additionalGids": [2, 8]
+    },
+    "env": [
+        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+        "TERM=xterm"
+    ],
+    "cwd": "/root",
+    "args": [
+        "/usr/bin/bash"
+    ],
+}
+```
 
 
 ## Hostname
@@ -608,6 +630,29 @@ Here is a full example `config.json` for reference.
         ],
         "mountLabel": "system_u:object_r:svirt_sandbox_file_t:s0:c715,c811"
     },
+    "solaris": {
+        "anet": [
+            {
+                "allowedAddress": "172.17.0.2/16",
+                "configureAllowedAddress": "true",
+                "defrouter": "172.17.0.1/16",
+                "linkProtection": "mac-nospoof, ip-nospoof",
+                "linkname": "net0",
+                "lowerLink": "net2",
+                "macAddress": "02:42:f8:52:c7:16"
+            }
+        ],
+        "cappedCPU": {
+            "ncpus": "0.8"
+        },
+        "cappedMemory": {
+            "physical": "1G",
+            "swap": "512m"
+        },
+        "maxShmMemory": "256m",
+        "limitpriv": "default",
+        "milestone": "svc:/milestone/container:default"
+    },
     "annotations": {
         "key1": "value1",
         "key2": "value2"

schema/README.md

@@ -8,6 +8,7 @@ validating the `config.json` of this container runtime specification.
 The layout of the files is as follows:
 * [schema.json](schema.json) - the primary entrypoint for the whole schema document
 * [schema-linux.json](schema-linux.json) - this schema is for the Linux-specific sub-structure
+* [schema-solaris.json](schema-solaris.json) - this schema is for the Solaris-specific sub-structure
 * [defs.json](defs.json) - definitions for general types
 * [defs-linux.json](defs-linux.json) - definitions for Linux-specific types
 * [validate.go](validate.go) - validation utility source code

schema/schema-solaris.json

@@ -0,0 +1,36 @@
+{
+    "solaris": {
+        "description": "Solaris platform-specific configurations",
+        "id": "https://opencontainers.org/schema/bundle/solaris",
+        "type": "object",
+        "properties": {
+            "milestone": {
+                "id": "https://opencontainers.org/schema/bundle/solaris/milestone",
+                "type": "string"
+            },
+            "limitpriv": {
+                "id": "https://opencontainers.org/schema/bundle/solaris/limitpriv",
+                "type": "string"
+            },
+            "maxShmMemory": {
+                "id": "https://opencontainers.org/schema/bundle/solaris/maxShmMemory",
+                "type": "string"
+            },
+            "cappedCPU": {
+                "id": "https://opencontainers.org/schema/bundle/solaris/cappedCPU",
+                "$ref": "defs.json#/definitions/mapStringString"
+            },
+            "cappedMemory": {
+                "id": "https://opencontainers.org/schema/bundle/solaris/cappedMemory",
+                "$ref": "defs.json#/definitions/mapStringString"
+            },
+            "anet": {
+                "id": "https://opencontainers.org/schema/bundle/solaris/anet",
+                "type": "array",
+                "items": {
+                    "$ref": "defs.json#/definitions/mapStringString"
+                }
+            }
+        }
+    }
+}

schema/schema.json

@@ -167,6 +167,9 @@
         },
         "linux": {
             "$ref": "schema-linux.json#/linux"
+        },
+        "solaris": {
+            "$ref": "schema-solaris.json#/solaris"
         }
     },
     "required": [

specs-go/config.go

@@ -25,6 +25,8 @@ type Spec struct {
 
 	// Linux is platform specific configuration for Linux based containers.
 	Linux Linux `json:"linux" platform:"linux"`
+	// Solaris is platform specific configuration for Solaris containers.
+	Solaris Solaris `json:"solaris" platform:"solaris"`
 }
 
 // Process contains information to start a specific application inside the container.
@@ -358,6 +360,51 @@ type Seccomp struct {
 	Syscalls      []Syscall `json:"syscalls,omitempty"`
 }
 
+// Solaris contains platform specific configuration for Solaris application containers.
+type Solaris struct {
+	// SMF FMRI which should go "online" before we start the container process.
+	Milestone string `json:"milestone,omitempty"`
+	// Maximum set of privileges any process in this container can obtain.
+	LimitPriv string `json:"limitpriv,omitempty"`
+	// The maximum amount of shared memory allowed for this container.
+	MaxShmMemory string `json:"maxShmMemory,omitempty"`
+	// Specification for automatic creation of network resources for this container.
+	Anet []Anet `json:"anet,omitempty"`
+	// Set limit on the amount of CPU time that can be used by container.
+	CappedCPU CappedCPU `json:"cappedCPU,omitempty"`
+	// The physical and swap caps on the memory that can be used by this container.
+	CappedMemory CappedMemory `json:"cappedMemory,omitempty"`
+}
+
+// CappedCPU allows users to set limit on the amount of CPU time that can be used by container.
+type CappedCPU struct {
+	Ncpus string `json:"ncpus,omitempty"`
+}
+
+// CappedMemory allows users to set the physical and swap caps on the memory that can be used by this container.
+type CappedMemory struct {
+	Physical string `json:"physical,omitempty"`
+	Swap     string `json:"swap,omitempty"`
+}
+
+// Anet provides the specification for automatic creation of network resources for this container.
+type Anet struct {
+	// Specify a name for the automatically created VNIC datalink.
+	Linkname string `json:"linkname,omitempty"`
+	// Specify the link over which the VNIC will be created.
+	Lowerlink string `json:"lowerLink,omitempty"`
+	// The set of IP addresses that the container can use.
+	Allowedaddr string `json:"allowedAddress,omitempty"`
+	// Specifies whether allowedAddress limitation is to be applied to the VNIC.
+	Configallowedaddr string `json:"configureAllowedAddress,omitempty"`
+	// The value of the optional default router.
+	Defrouter string `json:"defrouter,omitempty"`
+	// Enable one or more types of link protection.
+	Linkprotection string `json:"linkProtection,omitempty"`
+	// Set the VNIC's macAddress
+	Macaddress string `json:"macAddress,omitempty"`
+}
+
 // Arch used for additional architectures
 type Arch string