diff --git a/docs/spec-conformance.md b/docs/spec-conformance.md
index 4f9d228aafe..1c5964b76a3 100644
--- a/docs/spec-conformance.md
+++ b/docs/spec-conformance.md
@@ -1,6 +1,6 @@
 # Spec conformance
-This branch of runc implements the [OCI Runtime Spec v1.1.0-rc.1](/~https://github.com/opencontainers/runtime-spec/tree/v1.1.0-rc.1)
+This branch of runc implements the [OCI Runtime Spec v1.1.0-rc.2](/~https://github.com/opencontainers/runtime-spec/tree/v1.1.0-rc.2)
 for the `linux` platform.
 The following features are not implemented yet:
@@ -10,8 +10,9 @@ Spec version | Feature | PR
 v1.0.0 | `SCMP_ARCH_PARISC` | Unplanned, due to lack of users
 v1.0.0 | `SCMP_ARCH_PARISC64` | Unplanned, due to lack of users
 v1.0.2 | `.linux.personality` | [#3126](/~https://github.com/opencontainers/runc/pull/3126)
-v1.1.0-rc.1 | `.linux.resources.cpu.burst` | [#3205](/~https://github.com/opencontainers/runc/pull/3205)
-v1.1.0-rc.1 | `.domainname` | [#3600](/~https://github.com/opencontainers/runc/pull/3600)
+v1.1.0-rc.1 | `.linux.resources.cpu.burst` | [#3749](/~https://github.com/opencontainers/runc/pull/3749)
 v1.1.0-rc.1 | `.[]mounts.uidMappings` | [#3717](/~https://github.com/opencontainers/runc/pull/3717)
 v1.1.0-rc.1 | `.[]mounts.gidMappings` | [#3717](/~https://github.com/opencontainers/runc/pull/3717)
-v1.1.0-rc.1 | `SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV` | TODO
+v1.1.0-rc.1 | `SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV` | TODO ([#3860](/~https://github.com/opencontainers/runc/issues/3860))
+v1.1.0-rc.2 | time namespaces | TODO ([#2345](/~https://github.com/opencontainers/runc/issues/2345))
+v1.1.0-rc.2 | rsvd hugetlb cgroup | TODO ([#3859](/~https://github.com/opencontainers/runc/issues/3859))
diff --git a/features.go b/features.go
index c86adc0a266..a01b4ae3e90 100644
--- a/features.go
+++ b/features.go
@@ -8,8 +8,9 @@ import (
 "github.com/opencontainers/runc/libcontainer/configs"
 "github.com/opencontainers/runc/libcontainer/seccomp"
 "github.com/opencontainers/runc/libcontainer/specconv"
- "github.com/opencontainers/runc/types/features"
+ runcfeatures "github.com/opencontainers/runc/types/features"
 "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/opencontainers/runtime-spec/specs-go/features"
 "github.com/urfave/cli"
 )
@@ -33,9 +34,9 @@ var featuresCommand = cli.Command{
 OCIVersionMin: "1.0.0",
 OCIVersionMax: specs.Version,
 Annotations: map[string]string{
- features.AnnotationRuncVersion: version,
- features.AnnotationRuncCommit: gitCommit,
- features.AnnotationRuncCheckpointEnabled: "true",
+ runcfeatures.AnnotationRuncVersion: version,
+ runcfeatures.AnnotationRuncCommit: gitCommit,
+ runcfeatures.AnnotationRuncCheckpointEnabled: "true",
 },
 Hooks: configs.KnownHookNames(),
 MountOptions: specconv.KnownMountOptions(),
@@ -47,6 +48,7 @@ var featuresCommand = cli.Command{
 V2: &tru,
 Systemd: &tru,
 SystemdUser: &tru,
+ Rdma: &tru,
 },
 Apparmor: &features.Apparmor{
 Enabled: &tru,
@@ -54,6 +56,9 @@ var featuresCommand = cli.Command{
 Selinux: &features.Selinux{
 Enabled: &tru,
 },
+ IntelRdt: &features.IntelRdt{
+ Enabled: &tru,
+ },
 },
 }
@@ -67,7 +72,7 @@ var featuresCommand = cli.Command{
 SupportedFlags: seccomp.SupportedFlags(),
 }
 major, minor, patch := seccomp.Version()
- feat.Annotations[features.AnnotationLibseccompVersion] = fmt.Sprintf("%d.%d.%d", major, minor, patch)
+ feat.Annotations[runcfeatures.AnnotationLibseccompVersion] = fmt.Sprintf("%d.%d.%d", major, minor, patch)
 }
 enc := json.NewEncoder(context.App.Writer)
diff --git a/go.mod b/go.mod
index bd5640bfbd8..a000d2569d8 100644
--- a/go.mod
+++ b/go.mod
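Review bot: `OCIVersionMax: specs.Version` now advertises 1.1.0-rc.2, but the `Namespaces` list that higher-level runtimes read from this output to decide what config to hand runc is populated outside this hunk, and the specs-go vendored in this same change adds `TimeNamespace = "time"` while docs/spec-conformance.md still lists time namespaces as unimplemented. Worth confirming that the namespace list is hand-maintained rather than derived from the spec constants, since the latter would advertise `time` before #2345 lands and consumers would then pass a namespace runc cannot set up. Either way a comment next to the version field would help the next bump, e.g. `// Tracks the vendored spec; per-feature gaps (time ns, rsvd hugetlb) are listed in docs/spec-conformance.md and are not expressible in this struct.` The featuresCommand literal starts and ends outside this hunk.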
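Review bot: `IntelRdt: &features.IntelRdt{Enabled: &tru}` here, and `Rdma: &tru` in the preceding hunk, hard-code true without saying why, and the "Always true in the current version of runc" rationale that the deleted runc-local types carried has no counterpart in the vendored spec types, so the justification is lost with this change. The vendored field docs define these as build-time flags ("compiled in", "Unrelated to whether the host supports ...") so the value is presumably right, but a one-line comment on the literal stops a reader from taking them for host probes: `// Compiled-in support, not a host capability probe (see the field docs in specs-go/features).` If either path ever becomes build-tag gated, this literal would silently over-advertise to consumers. The enclosing literal starts and ends outside this hunk.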
@@ -12,7 +12,7 @@ require (
 github.com/godbus/dbus/v5 v5.1.0
 github.com/moby/sys/mountinfo v0.6.2
 github.com/mrunalp/fileutils v0.5.0
- github.com/opencontainers/runtime-spec v1.1.0-rc.1
+ github.com/opencontainers/runtime-spec v1.1.0-rc.2
 github.com/opencontainers/selinux v1.11.0
 github.com/seccomp/libseccomp-golang v0.10.0
 github.com/sirupsen/logrus v1.9.0
diff --git a/go.sum b/go.sum
index e01ea06de0a..0dc992136e4 100644
--- a/go.sum
+++ b/go.sum
@@ -30,8 +30,8 @@ github.com/moby/sys/mountinfo v0.6.2 h1:BzJjoreD5BMFNmD9Rus6gdd1pLuecOFPt8wC+Vyg
 github.com/moby/sys/mountinfo v0.6.2/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
 github.com/mrunalp/fileutils v0.5.0 h1:NKzVxiH7eSk+OQ4M+ZYW1K6h27RUV3MI6NUTsHhU6Z4=
 github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
-github.com/opencontainers/runtime-spec v1.1.0-rc.1 h1:wHa9jroFfKGQqFHj0I1fMRKLl0pfj+ynAqBxo3v6u9w=
-github.com/opencontainers/runtime-spec v1.1.0-rc.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.1.0-rc.2 h1:ucBtEms2tamYYW/SvGpvq9yUN0NEVL6oyLEwDcTSrk8=
+github.com/opencontainers/runtime-spec v1.1.0-rc.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU=
 github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
diff --git a/types/features/features.go b/types/features/features.go
index 4ea629eeaf4..a81893c8d45 100644
--- a/types/features/features.go
+++ b/types/features/features.go
@@ -1,122 +1,6 @@
-// Package features provides the JSON structure that is printed by `runc features` (since runc v1.1.0).
-// The types in this package are experimental and subject to change.
+// Package features provides the annotations for [github.com/opencontainers/runtime-spec/specs-go/features].
 package features
-// Features represents the supported features of the runtime.
-type Features struct {
- // OCIVersionMin is the minimum OCI Runtime Spec version recognized by the runtime, e.g., "1.0.0".
- OCIVersionMin string `json:"ociVersionMin,omitempty"`
-
- // OCIVersionMax is the maximum OCI Runtime Spec version recognized by the runtime, e.g., "1.0.2-dev".
- OCIVersionMax string `json:"ociVersionMax,omitempty"`
-
- // Hooks is the list of the recognized hook names, e.g., "createRuntime".
- // Nil value means "unknown", not "no support for any hook".
- Hooks []string `json:"hooks,omitempty"`
-
- // MountOptions is the list of the recognized mount options, e.g., "ro".
- // Nil value means "unknown", not "no support for any mount option".
- // This list does not contain filesystem-specific options passed to mount(2) syscall as (const void *).
- MountOptions []string `json:"mountOptions,omitempty"`
-
- // Linux is specific to Linux.
- Linux *Linux `json:"linux,omitempty"`
-
- // Annotations contains implementation-specific annotation strings,
- // such as the implementation version, and third-party extensions.
- Annotations map[string]string `json:"annotations,omitempty"`
-}
-
-// Linux is specific to Linux.
-type Linux struct {
- // Namespaces is the list of the recognized namespaces, e.g., "mount".
- // Nil value means "unknown", not "no support for any namespace".
- Namespaces []string `json:"namespaces,omitempty"`
-
- // Capabilities is the list of the recognized capabilities , e.g., "CAP_SYS_ADMIN".
- // Nil value means "unknown", not "no support for any capability".
- Capabilities []string `json:"capabilities,omitempty"`
-
- Cgroup *Cgroup `json:"cgroup,omitempty"`
- Seccomp *Seccomp `json:"seccomp,omitempty"`
- Apparmor *Apparmor `json:"apparmor,omitempty"`
- Selinux *Selinux `json:"selinux,omitempty"`
-}
-
-// Seccomp represents the "seccomp" field.
-type Seccomp struct {
- // Enabled is true if seccomp support is compiled in.
- // Nil value means "unknown", not "false".
- Enabled *bool `json:"enabled,omitempty"`
-
- // Actions is the list of the recognized actions, e.g., "SCMP_ACT_NOTIFY".
- // Nil value means "unknown", not "no support for any action".
- Actions []string `json:"actions,omitempty"`
-
- // Operators is the list of the recognized operators, e.g., "SCMP_CMP_NE".
- // Nil value means "unknown", not "no support for any operator".
- Operators []string `json:"operators,omitempty"`
-
- // Archs is the list of the recognized archs, e.g., "SCMP_ARCH_X86_64".
- // Nil value means "unknown", not "no support for any arch".
- Archs []string `json:"archs,omitempty"`
-
- // KnownFlags is the list of the recognized filter flags, e.g., "SECCOMP_FILTER_FLAG_LOG".
- // Nil value means "unknown", not "no flags are recognized".
- KnownFlags []string `json:"knownFlags,omitempty"`
-
- // SupportedFlags is the list of the supported filter flags, e.g., "SECCOMP_FILTER_FLAG_LOG".
- // This list may be a subset of KnownFlags due to some flags
- // not supported by the current kernel and/or libseccomp.
- // Nil value means "unknown", not "no flags are supported".
- SupportedFlags []string `json:"supportedFlags,omitempty"`
-}
-
-// Apparmor represents the "apparmor" field.
-type Apparmor struct {
- // Enabled is true if AppArmor support is compiled in.
- // Unrelated to whether the host supports AppArmor or not.
- // Nil value means "unknown", not "false".
- // Always true in the current version of runc.
- Enabled *bool `json:"enabled,omitempty"`
-}
-
-// Selinux represents the "selinux" field.
-type Selinux struct {
- // Enabled is true if SELinux support is compiled in.
- // Unrelated to whether the host supports SELinux or not.
- // Nil value means "unknown", not "false".
- // Always true in the current version of runc.
- Enabled *bool `json:"enabled,omitempty"`
-}
-
-// Cgroup represents the "cgroup" field.
-type Cgroup struct {
- // V1 represents whether Cgroup v1 support is compiled in.
- // Unrelated to whether the host uses cgroup v1 or not.
- // Nil value means "unknown", not "false".
- // Always true in the current version of runc.
- V1 *bool `json:"v1,omitempty"`
-
- // V2 represents whether Cgroup v2 support is compiled in.
- // Unrelated to whether the host uses cgroup v2 or not.
- // Nil value means "unknown", not "false".
- // Always true in the current version of runc.
- V2 *bool `json:"v2,omitempty"`
-
- // Systemd represents whether systemd-cgroup support is compiled in.
- // Unrelated to whether the host uses systemd or not.
- // Nil value means "unknown", not "false".
- // Always true in the current version of runc.
- Systemd *bool `json:"systemd,omitempty"`
-
- // SystemdUser represents whether user-scoped systemd-cgroup support is compiled in.
- // Unrelated to whether the host uses systemd or not.
- // Nil value means "unknown", not "false".
- // Always true in the current version of runc.
- SystemdUser *bool `json:"systemdUser,omitempty"`
-}
-
 const ( - // AnnotationRuncVersion represents the version of runc, e.g., "1.2.3", "1.2.3+dev", "1.2.3-rc.4.", "1.2.3-rc.4+dev". - // Third party implementations such as crun and runsc MAY use this annotation to report the most compatible runc version,
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
index 5b4f691c70b..25f4e6e823a 100644
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
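Review bot: Removing every exported type from `types/features` is a source-incompatible change for any out-of-tree importer of `github.com/opencontainers/runc/types/features`, and the new package comment gives them no migration pointer; the deleted comment only said the types were "subject to change", so the break may be deliberate, but it should be stated. Go type aliases would keep old imports compiling at no cost, e.g. `type Features = features.Features` (with a matching import alias, since both packages are named `features`) plus a `// Deprecated: use [features.Features] instead.` line per moved type; if a hard break is intended, say so in the package comment, e.g. `// The Features types formerly declared here now live in runtime-spec's specs-go/features; only the annotation keys remain.` The trailing context of this hunk is garbled in the extraction (`const ( - // AnnotationRuncVersion ...`), so I cannot tell whether the const block itself was touched.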
@@ -191,6 +191,8 @@ type Linux struct {
 IntelRdt *LinuxIntelRdt `json:"intelRdt,omitempty"`
 // Personality contains configuration for the Linux personality syscall
 Personality *LinuxPersonality `json:"personality,omitempty"`
+ // TimeOffsets specifies the offset for supporting time namespaces.
+ TimeOffsets map[string]LinuxTimeOffset `json:"timeOffsets,omitempty"`
 }
 // LinuxNamespace is the configuration for a Linux namespace
@@ -220,6 +222,8 @@ const (
 UserNamespace LinuxNamespaceType = "user"
 // CgroupNamespace for isolating cgroup hierarchies
 CgroupNamespace LinuxNamespaceType = "cgroup"
+ // TimeNamespace for isolating the clocks
+ TimeNamespace LinuxNamespaceType = "time"
 )
 // LinuxIDMapping specifies UID/GID mappings
@@ -232,6 +236,14 @@ type LinuxIDMapping struct {
 Size uint32 `json:"size"`
 }
+// LinuxTimeOffset specifies the offset for Time Namespace
+type LinuxTimeOffset struct {
+ // Secs is the offset of clock (in secs) in the container
+ Secs int64 `json:"secs,omitempty"`
+ // Nanosecs is the additional offset for Secs (in nanosecs)
+ Nanosecs uint32 `json:"nanosecs,omitempty"`
+}
+
 // POSIXRlimit type and restrictions
 type POSIXRlimit struct {
 // Type of the rlimit to set
@@ -242,12 +254,13 @@ type POSIXRlimit struct {
 Soft uint64 `json:"soft"`
 }
-// LinuxHugepageLimit structure corresponds to limiting kernel hugepages
+// LinuxHugepageLimit structure corresponds to limiting kernel hugepages.
+// Default to reservation limits if supported. Otherwise fallback to page fault limits.
 type LinuxHugepageLimit struct {
- // Pagesize is the hugepage size
- // Format: "B' (e.g. 64KB, 2MB, 1GB, etc.)
+ // Pagesize is the hugepage size.
+ // Format: "B' (e.g. 64KB, 2MB, 1GB, etc.).
 Pagesize string `json:"pageSize"`
- // Limit is the limit of "hugepagesize" hugetlb usage
+ // Limit is the limit of "hugepagesize" hugetlb reservations (if supported) or usage.
 Limit uint64 `json:"limit"`
 }
@@ -382,7 +395,7 @@ type LinuxResources struct {
 Pids *LinuxPids `json:"pids,omitempty"`
 // BlockIO restriction configuration
 BlockIO *LinuxBlockIO `json:"blockIO,omitempty"`
- // Hugetlb limit (in bytes)
+ // Hugetlb limits (in bytes). Default to reservation limits if supported.
 HugepageLimits []LinuxHugepageLimit `json:"hugepageLimits,omitempty"`
 // Network restriction configuration
 Network *LinuxNetwork `json:"network,omitempty"`
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/features/features.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/features/features.go
new file mode 100644
index 00000000000..230e88f568e
--- /dev/null
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/features/features.go
@@ -0,0 +1,125 @@
+// Package features provides the Features struct.
+package features
+
+// Features represents the supported features of the runtime.
+type Features struct {
+ // OCIVersionMin is the minimum OCI Runtime Spec version recognized by the runtime, e.g., "1.0.0".
+ OCIVersionMin string `json:"ociVersionMin,omitempty"`
+
+ // OCIVersionMax is the maximum OCI Runtime Spec version recognized by the runtime, e.g., "1.0.2-dev".
+ OCIVersionMax string `json:"ociVersionMax,omitempty"`
+
+ // Hooks is the list of the recognized hook names, e.g., "createRuntime".
+ // Nil value means "unknown", not "no support for any hook".
+ Hooks []string `json:"hooks,omitempty"`
+
+ // MountOptions is the list of the recognized mount options, e.g., "ro".
+ // Nil value means "unknown", not "no support for any mount option".
+ // This list does not contain filesystem-specific options passed to mount(2) syscall as (const void *).
+ MountOptions []string `json:"mountOptions,omitempty"`
+
+ // Linux is specific to Linux.
+ Linux *Linux `json:"linux,omitempty"`
+
+ // Annotations contains implementation-specific annotation strings,
+ // such as the implementation version, and third-party extensions.
+ Annotations map[string]string `json:"annotations,omitempty"`
+}
+
+// Linux is specific to Linux.
+type Linux struct {
+ // Namespaces is the list of the recognized namespaces, e.g., "mount".
+ // Nil value means "unknown", not "no support for any namespace".
+ Namespaces []string `json:"namespaces,omitempty"`
+
+ // Capabilities is the list of the recognized capabilities , e.g., "CAP_SYS_ADMIN".
+ // Nil value means "unknown", not "no support for any capability".
+ Capabilities []string `json:"capabilities,omitempty"`
+
+ Cgroup *Cgroup `json:"cgroup,omitempty"`
+ Seccomp *Seccomp `json:"seccomp,omitempty"`
+ Apparmor *Apparmor `json:"apparmor,omitempty"`
+ Selinux *Selinux `json:"selinux,omitempty"`
+ IntelRdt *IntelRdt `json:"intelRdt,omitempty"`
+}
+
+// Cgroup represents the "cgroup" field.
+type Cgroup struct {
+ // V1 represents whether Cgroup v1 support is compiled in.
+ // Unrelated to whether the host uses cgroup v1 or not.
+ // Nil value means "unknown", not "false".
+ V1 *bool `json:"v1,omitempty"`
+
+ // V2 represents whether Cgroup v2 support is compiled in.
+ // Unrelated to whether the host uses cgroup v2 or not.
+ // Nil value means "unknown", not "false".
+ V2 *bool `json:"v2,omitempty"`
+
+ // Systemd represents whether systemd-cgroup support is compiled in.
+ // Unrelated to whether the host uses systemd or not.
+ // Nil value means "unknown", not "false".
+ Systemd *bool `json:"systemd,omitempty"`
+
+ // SystemdUser represents whether user-scoped systemd-cgroup support is compiled in.
+ // Unrelated to whether the host uses systemd or not.
+ // Nil value means "unknown", not "false".
+ SystemdUser *bool `json:"systemdUser,omitempty"`
+
+ // Rdma represents whether RDMA cgroup support is compiled in.
+ // Unrelated to whether the host supports RDMA or not.
+ // Nil value means "unknown", not "false".
+ Rdma *bool `json:"rdma,omitempty"`
+}
+
+// Seccomp represents the "seccomp" field.
+type Seccomp struct {
+ // Enabled is true if seccomp support is compiled in.
+ // Nil value means "unknown", not "false".
+ Enabled *bool `json:"enabled,omitempty"`
+
+ // Actions is the list of the recognized actions, e.g., "SCMP_ACT_NOTIFY".
+ // Nil value means "unknown", not "no support for any action".
+ Actions []string `json:"actions,omitempty"`
+
+ // Operators is the list of the recognized operators, e.g., "SCMP_CMP_NE".
+ // Nil value means "unknown", not "no support for any operator".
+ Operators []string `json:"operators,omitempty"`
+
+ // Archs is the list of the recognized archs, e.g., "SCMP_ARCH_X86_64".
+ // Nil value means "unknown", not "no support for any arch".
+ Archs []string `json:"archs,omitempty"`
+
+ // KnownFlags is the list of the recognized filter flags, e.g., "SECCOMP_FILTER_FLAG_LOG".
+ // Nil value means "unknown", not "no flags are recognized".
+ KnownFlags []string `json:"knownFlags,omitempty"`
+
+ // SupportedFlags is the list of the supported filter flags, e.g., "SECCOMP_FILTER_FLAG_LOG".
+ // This list may be a subset of KnownFlags due to some flags
+ // not supported by the current kernel and/or libseccomp.
+ // Nil value means "unknown", not "no flags are supported".
+ SupportedFlags []string `json:"supportedFlags,omitempty"`
+}
+
+// Apparmor represents the "apparmor" field.
+type Apparmor struct {
+ // Enabled is true if AppArmor support is compiled in.
+ // Unrelated to whether the host supports AppArmor or not.
+ // Nil value means "unknown", not "false".
+ Enabled *bool `json:"enabled,omitempty"`
+}
+
+// Selinux represents the "selinux" field.
+type Selinux struct {
+ // Enabled is true if SELinux support is compiled in.
+ // Unrelated to whether the host supports SELinux or not.
+ // Nil value means "unknown", not "false".
+ Enabled *bool `json:"enabled,omitempty"`
+}
+
+// IntelRdt represents the "intelRdt" field.
+type IntelRdt struct {
+ // Enabled is true if Intel RDT support is compiled in.
+ // Unrelated to whether the host supports Intel RDT or not.
+ // Nil value means "unknown", not "false".
+ Enabled *bool `json:"enabled,omitempty"`
+}
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
index 8ae4227b9ba..1b81f3c9d6d 100644
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
@@ -11,7 +11,7 @@ const (
 VersionPatch = 0
 // VersionDev indicates development branch. Releases will be empty string.
- VersionDev = "-rc.1"
+ VersionDev = "-rc.2"
 )
 // Version is the specification version that the package types support.
diff --git a/vendor/modules.txt b/vendor/modules.txt
index a38884fc931..3fb85c3071e 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -36,9 +36,10 @@ github.com/moby/sys/mountinfo
 # github.com/mrunalp/fileutils v0.5.0
 ## explicit; go 1.13
 github.com/mrunalp/fileutils
-# github.com/opencontainers/runtime-spec v1.1.0-rc.1
+# github.com/opencontainers/runtime-spec v1.1.0-rc.2
 ## explicit
 github.com/opencontainers/runtime-spec/specs-go
+github.com/opencontainers/runtime-spec/specs-go/features
 # github.com/opencontainers/selinux v1.11.0
 ## explicit; go 1.19
 github.com/opencontainers/selinux/go-selinux