config.md: 8 additions & 8 deletions
@@ -140,8 +140,8 @@ For Linux and Solaris based systems the mounts structure has the following field
140
140
**`process`** (object, OPTIONAL) specifies the container process.
141
141
This property is REQUIRED when [`start`](runtime.md#start) is called.
142
142
143
-
***`terminal`** (bool, OPTIONAL) specifies whether a terminal is attached to that process, defaults to false.
144
-
As an example, if set to true on Linux a pseudoterminal pair is allocated for the container process and the pseudoterminal slave is duplicated on the container process's [standard streams][stdin.3].
143
+
***`terminal`** (bool, OPTIONAL) specifies whether a terminal is attached to the process, defaults to false.
144
+
As an example, if set to true on Linux a pseudoterminal pair is allocated for the process and the pseudoterminal slave is duplicated on the process's [standard streams][stdin.3].
145
145
***`consoleSize`** (object, OPTIONAL) specifies the console size in characters of the terminal.
146
146
Runtimes MUST ignore `consoleSize` if `terminal` is `false` or unset.
147
147
***`height`** (uint, REQUIRED)
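Review bot: the rewording on lines 143-144 ('that process' and 'container process' to 'the process') is consistent with the `process` object these bullets belong to and with the unchanged `consoleSize` bullet at 145-147, so nothing else needs to change here; as the hunk is wording-only with no semantic change, it would help to state that explicitly in the commit message.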
@@ -151,7 +151,7 @@ For Linux and Solaris based systems the mounts structure has the following field
151
151
***`env`** (array of strings, OPTIONAL) with the same semantics as [IEEE Std 1003.1-2008's `environ`][ieee-1003.1-2008-xbd-c8.1].
152
152
***`args`** (array of strings, REQUIRED) with similar semantics to [IEEE Std 1003.1-2008 `execvp`'s *argv*][ieee-1003.1-2008-xsh-exec].
153
153
This specification extends the IEEE standard in that at least one entry is REQUIRED, and that entry is used with the same semantics as `execvp`'s *file*.
154
-
***`capabilities`** (object, OPTIONAL) is an object containing arrays that specifies the sets of capabilities for the process(es) inside the container.
154
+
***`capabilities`** (object, OPTIONAL) is an object containing arrays that specifies the sets of capabilities for the process.
155
155
Valid values are platform-specific.
156
156
For example, valid values for Linux are defined in the [capabilities(7)][capabilities.7] man page, such as `CAP_CHOWN`.
157
157
Any value which cannot be mapped to a relevant kernel interface MUST cause an error.
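Review bot: dropping the plural on line 154 ('process(es) inside the container' to 'the process') narrows what the text says about capability sets from every process inside the container to the single `process` entry point; confirm that scope is intended, since a reader may otherwise take the spec to say nothing about processes spawned from it. The unchanged lines 155-157 (platform-specific values, the `CAP_CHOWN` example, and the MUST-error rule for unmappable values) are unaffected.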
@@ -161,7 +161,7 @@ For Linux and Solaris based systems the mounts structure has the following field
161
161
***`inheritable`** (array of strings, OPTIONAL) - the `inheritable` field is an array of inheritable capabilities that are kept for the process.
162
162
***`permitted`** (array of strings, OPTIONAL) - the `permitted` field is an array of permitted capabilities that are kept for the process.
163
163
***`ambient`** (array of strings, OPTIONAL) - the `ambient` field is an array of ambient capabilities that are kept for the process.
164
-
***`rlimits`** (array of objects, OPTIONAL) allows setting resource limits for a process inside the container.
164
+
***`rlimits`** (array of objects, OPTIONAL) allows setting resource limits for the process.
165
165
Each entry has the following structure:
166
166
167
167
***`type`** (string, REQUIRED) - the platform resource being limited, for example on Linux as defined in the [setrlimit(2)][setrlimit.2] man page.
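Review bot: line 164 now matches the wording already used by the `inheritable`, `permitted` and `ambient` bullets at 161-163 ('for the process'), so this hunk is fine as is.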
@@ -171,20 +171,20 @@ For Linux and Solaris based systems the mounts structure has the following field
171
171
172
172
If `rlimits` contains duplicated entries with same `type`, the runtime MUST error out.
173
173
174
-
***`noNewPrivileges`** (bool, OPTIONAL) setting `noNewPrivileges` to true prevents the processes in the container from gaining additional privileges.
174
+
***`noNewPrivileges`** (bool, OPTIONAL) setting `noNewPrivileges` to true prevents the process from gaining additional privileges.
175
175
As an example, the ['no_new_privs'][no-new-privs] article in the kernel documentation has information on how this is achieved using a prctl system call on Linux.
176
176
177
177
For Linux-based systems the process structure supports the following process-specific fields.
178
178
179
-
***`apparmorProfile`** (string, OPTIONAL) specifies the name of the AppArmor profile to be applied to processes in the container.
179
+
***`apparmorProfile`** (string, OPTIONAL) specifies the name of the AppArmor profile for the process.
180
180
For more information about AppArmor, see [AppArmor documentation][apparmor].
181
-
***`oomScoreAdj`***(int, OPTIONAL)* adjusts the oom-killer score in `[pid]/oom_score_adj` for the container process's `[pid]` in a [proc pseudo-filesystem][procfs].
181
+
***`oomScoreAdj`***(int, OPTIONAL)* adjusts the oom-killer score in `[pid]/oom_score_adj` for the process's `[pid]` in a [proc pseudo-filesystem][procfs].
182
182
If `oomScoreAdj` is set, the runtime MUST set `oom_score_adj` to the given value.
183
183
If `oomScoreAdj` is not set, the runtime MUST NOT change the value of `oom_score_adj`.
184
184
185
185
This is a per-process setting, where as [`disableOOMKiller`](config-linux.md#disable-out-of-memory-killer) is scoped for a memory cgroup.
186
186
For more information on how these two settings work together, see [the memory cgroup documentation section 10. OOM Contol][cgroup-v1-memory_2].
187
-
***`selinuxLabel`** (string, OPTIONAL) specifies the SELinux label to be applied to the processes in the container.
187
+
***`selinuxLabel`** (string, OPTIONAL) specifies the SELinux label for the process.
188
188
For more information about SELinux, see [SELinux documentation][selinux].
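Review bot: the type annotation on line 181 is still marked up in italics as `*(int, OPTIONAL)*`, while every other field in this file, including `apparmorProfile` at 179 and `selinuxLabel` at 187 in this same hunk, uses a plain `(type, OPTIONAL)`; since line 181 is being touched anyway, drop the italics so it reads `(int, OPTIONAL)` like the other bullets. Two typos in the unchanged context could be fixed while here: 'where as' on line 185 should be 'whereas', and 'OOM Contol' in the link text on line 186 should be 'OOM Control'. As with the `capabilities` hunk, replacing 'the processes in the container' with 'the process' at 174, 179 and 187 narrows the stated scope to the initial process; the `noNewPrivileges` text at 174-175 in particular refers to the kernel's no_new_privs documentation, so confirm the narrower wording is intended and not a change in meaning.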