You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: config.md
+14-7Lines changed: 14 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -132,16 +132,23 @@ See links for details about [mountvol](http://ss64.com/nt/mountvol.html) and [Se
132
132
For Linux-based systems the process structure supports the following process specific fields:
133
133
134
134
***`capabilities`** (array of strings, OPTIONAL) capabilities is an array that specifies Linux capabilities that can be provided to the process inside the container.
135
-
Valid values are the strings for capabilities defined in [the man page](http://man7.org/linux/man-pages/man7/capabilities.7.html)
136
-
***`rlimits`** (array of rlimits, OPTIONAL) rlimits is an array of rlimits that allows setting resource limits for a process inside the container.
137
-
The kernel enforces the `soft` limit for a resource while the `hard` limit acts as a ceiling for that value that could be set by an unprivileged process.
138
-
Valid values for the 'type' field are the resources defined in [the man page](http://man7.org/linux/man-pages/man2/setrlimit.2.html).
135
+
Valid values are the strings for capabilities defined in [the man page](http://man7.org/linux/man-pages/man7/capabilities.7.html).
136
+
***`rlimits`** (array of objects, OPTIONAL) allows setting resource limits for a process inside the container.
137
+
Each entry has the following structure:
138
+
139
+
***`type`** (string, REQUIRED) - the 'type' field are the resources defined in [the man page](http://man7.org/linux/man-pages/man2/setrlimit.2.html).
140
+
***`soft`** (uint64, REQUIRED) - the value that the kernel enforces for the corresponding resource.
141
+
***`hard`** (uint64, REQUIRED) - the ceiling for the soft limit that could be set by an unprivileged process.
142
+
Only privileged process (under Linux: one with the CAP_SYS_RESOURCE capability) can raise a hard limit.
143
+
144
+
If `rlimits` contains duplicated entries with same `type`, the runtime MUST error out.
145
+
139
146
***`apparmorProfile`** (string, OPTIONAL) apparmor profile specifies the name of the apparmor profile that will be used for the container.
140
-
For more information about Apparmor, see [Apparmor documentation](https://wiki.ubuntu.com/AppArmor)
147
+
For more information about Apparmor, see [Apparmor documentation](https://wiki.ubuntu.com/AppArmor)
141
148
***`selinuxLabel`** (string, OPTIONAL) SELinux process label specifies the label with which the processes in a container are run.
142
-
For more information about SELinux, see [Selinux documentation](http://selinuxproject.org/page/Main_Page)
149
+
For more information about SELinux, see [Selinux documentation](http://selinuxproject.org/page/Main_Page)
143
150
***`noNewPrivileges`** (bool, OPTIONAL) setting `noNewPrivileges` to true prevents the processes in the container from gaining additional privileges.
144
-
[The kernel doc](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt) has more information on how this is achieved using a prctl system call.
151
+
[The kernel doc](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt) has more information on how this is achieved using a prctl system call.
0 commit comments