proto: runtime and linux runtime done

There are a couple of concessions, but is pretty much lined up.

Signed-off-by: Vincent Batts <[email protected]>

Author: vbatts

proto/config.proto

@@ -1,7 +1,6 @@
+//package oci.config.bundle;
 package oci;
 
-//import "config_user.proto";
-
 // Spec is the base configuration for the container.  It specifies platform
 // independent configuration.
 message Spec {
@@ -19,6 +18,20 @@ message Spec {
   repeated MountPoint Mounts = 6;
 }
 
+
+// LinuxSpec is the full specification for linux containers.
+message LinuxSpec {
+	optional Spec Spec = 1;
+	// LinuxConfig is platform specific configuration for linux based containers.
+	optional LinuxConfig LinuxConfig = 2;
+}
+
+// LinuxConfig contains platform specific configuration for linux based containers.
+message LinuxConfig {
+	// Capabilities are linux capabilities that are kept for the container.
+	repeated string Capabilities = 1;
+}
+
 // Platform specifies OS and arch information for the host system that the container
 // is created for.
 message Platform {

proto/runtime_config.proto

@@ -0,0 +1,54 @@
+//package oci.config.runtime;
+package oci;
+
+import "runtime_config_linux.proto";
+
+// RuntimeSpec is the generic runtime state information on a running container
+message RuntimeSpec {
+	// Mounts is a mapping of names to mount configurations.
+	// Which mounts will be mounted and where should be chosen with MountPoints
+	// in Spec.
+  repeated MountFieldEntry Mounts = 1;
+	// Hooks are the commands run at various lifecycle events of the container.
+	optional Hooks Hooks = 2;
+}
+
+// LinuxRuntimeSpec is the full specification for linux containers.
+message LinuxRuntimeSpec {
+	optional RuntimeSpec RuntimeSpec = 1;
+	// LinuxRuntime is platform specific configuration for linux based containers.
+	optional oci.LinuxRuntime Linux = 2;
+}
+
+// MountFieldEntry is more backwards compatible protobuf associative map (than map<string, Mount>)
+message MountFieldEntry {
+  required string key = 1;
+  required Mount value = 2;
+}
+
+// Mount specifies a mount for a container
+message Mount {
+	// Type specifies the mount kind.
+  optional string Type = 1;
+	// Source specifies the source path of the mount.  In the case of bind mounts on
+	// linux based systems this would be the file on the host.
+  optional string Source = 2;
+	// Options are fstab style mount options.
+  repeated string Options = 3;
+}
+
+// Hook specifies a command that is run at a particular event in the lifecycle of a container
+message Hook {
+	optional string Path = 1;
+	repeated string Args = 2;
+	repeated string Env = 3;
+}
+
+// Hooks for container setup and teardown
+message Hooks {
+	// Prestart is a list of hooks to be run before the container process is executed.
+	// On Linux, they are run after the container namespaces are created.
+  repeated Hook Prestart = 1;
+	// Poststop is a list of hooks to be run after the container process exits.
+  repeated Hook Poststop = 2;
+}

proto/runtime_config_linux.proto

@@ -0,0 +1,213 @@
+package oci;
+
+// LinuxStateDirectory holds the container's state information
+message DefaultState {
+  // TODO(vbatts) not as elegant in some ways, but there is not a concept of const here
+  optional string Directory = 1 [default =  "/run/opencontainer/containers"];
+}
+
+// LinuxRuntime hosts the Linux-only runtime information
+message LinuxRuntime {
+	// UIDMapping specifies user mappings for supporting user namespaces on linux.
+  repeated IDMapping UIDMapping = 1;
+	// GIDMapping specifies group mappings for supporting user namespaces on linux.
+  repeated IDMapping GIDMapping = 2;
+	// Rlimits specifies rlimit options to apply to the container's process.
+  repeated Rlimit Rlimits = 3;
+	// Sysctl are a set of key value pairs that are set for the container on start
+  repeated StringStringEntry Sysctl = 4;
+	// Resources contain cgroup information for handling resource constraints
+	// for the container
+	optional Resources Resources = 5;
+	// CgroupsPath specifies the path to cgroups that are created and/or joined by the container.
+	// The path is expected to be relative to the cgroups mountpoint.
+	// If resources are specified, the cgroups at CgroupsPath will be updated based on resources.
+	optional string CgroupsPath = 6;
+	// Namespaces contains the namespaces that are created and/or joined by the container
+	repeated Namespace Namespaces = 7;
+	// Devices are a list of device nodes that are created and enabled for the container
+	repeated Device Devices = 8;
+	// ApparmorProfile specified the apparmor profile for the container.
+	optional string ApparmorProfile = 9;
+	// SelinuxProcessLabel specifies the selinux context that the container process is run as.
+	optional string SelinuxProcessLabel = 10;
+	// Seccomp specifies the seccomp security settings for the container.
+	optional Seccomp Seccomp = 11;
+	// RootfsPropagation is the rootfs mount propagation mode for the container
+	optional string RootfsPropagation = 12;
+}
+
+// IDMapping specifies UID/GID mappings
+message IDMapping {
+	// HostID is the UID/GID of the host user or group
+  optional int32 HostID = 1;
+	// ContainerID is the UID/GID of the container's user or group
+  optional int32 ContainerID = 2;
+	// Size is the length of the range of IDs mapped between the two namespaces
+  optional int32 Size = 3;
+}
+
+// Rlimit type and restrictions
+message Rlimit {
+	// Type of the rlimit to set
+	optional string Type = 1;
+	// Hard is the hard limit for the specified type
+	optional uint64 Hard = 2;
+	// Soft is the soft limit for the specified type
+	optional uint64 Soft = 3;
+}
+
+// StringStringEntry is more backwards compatible protobuf associative map (than map<string, Mount>)
+message StringStringEntry {
+  required string key = 1;
+  required string value = 2;
+}
+
+// Resources has container runtime resource constraints
+message Resources {
+	// DisableOOMKiller disables the OOM killer for out of memory conditions
+	optional bool DisableOOMKiller = 1;
+	// Memory restriction configuration
+	optional Memory Memory = 2;
+	// CPU resource restriction configuration
+	optional CPU CPU = 3;
+	// Task resource restriction configuration.
+	optional Pids Pids = 4;
+	// BlockIO restriction configuration
+	optional BlockIO BlockIO = 5;
+	// Hugetlb limit (in bytes)
+	repeated HugepageLimit HugepageLimits = 6;
+	// Network restriction configuration
+	optional Network Network = 7;
+}
+
+// Memory for Linux cgroup 'memory' resource management
+message Memory {
+	// Memory limit (in bytes)
+	optional int64 Limit = 1;
+	// Memory reservation or soft_limit (in bytes)
+	optional int64 Reservation = 2;
+	// Total memory usage (memory + swap); set `-1' to disable swap
+	optional int64 Swap = 3;
+	// Kernel memory limit (in bytes)
+	optional int64 Kernel = 4;
+	// How aggressive the kernel will swap memory pages. Range from 0 to 100. Set -1 to use system default
+	optional int64 Swappiness = 5;
+}
+
+// CPU for Linux cgroup 'cpu' resource management
+message CPU {
+	// CPU shares (relative weight vs. other cgroups with cpu shares)
+	optional int64 Shares = 1;
+	// CPU hardcap limit (in usecs). Allowed cpu time in a given period
+	optional int64 Quota = 2;
+	// CPU period to be used for hardcapping (in usecs). 0 to use system default
+	optional int64 Period = 3;
+	// How many time CPU will use in realtime scheduling (in usecs)
+	optional int64 RealtimeRuntime = 4;
+	// CPU period to be used for realtime scheduling (in usecs)
+	optional int64 RealtimePeriod = 5;
+	// CPU to use within the cpuset
+	optional string Cpus = 6;
+	// MEM to use within the cpuset
+	optional string Mems = 7;
+}
+
+// Pids for Linux cgroup 'pids' resource management (Linux 4.3)
+message Pids {
+	// Maximum number of PIDs. A value < 0 implies "no limit".
+	optional int64 Limit = 1;
+}
+
+// BlockIO for Linux cgroup 'blockio' resource management
+message BlockIO {
+	// Specifies per cgroup weight, range is from 10 to 1000
+	optional int64 Weight = 1;
+	// Weight per cgroup per device, can override BlkioWeight
+	optional string WeightDevice = 2;
+	// IO read rate limit per cgroup per device, bytes per second
+	optional string ThrottleReadBpsDevice = 3;
+	// IO write rate limit per cgroup per divice, bytes per second
+	optional string ThrottleWriteBpsDevice = 4;
+	// IO read rate limit per cgroup per device, IO per second
+	optional string ThrottleReadIOpsDevice = 5;
+	// IO write rate limit per cgroup per device, IO per second
+	optional string ThrottleWriteIOpsDevice = 6;
+}
+
+// HugepageLimit structure corresponds to limiting kernel hugepages
+message HugepageLimit {
+	optional string Pagesize = 1;
+	optional int32 Limit = 2;
+}
+
+// Network identification and priority configuration
+message Network {
+	// Set class identifier for container's network packets
+	optional string ClassID = 1;
+	// Set priority of network traffic for container
+	repeated InterfacePriority Priorities = 2;
+}
+
+// InterfacePriority for network interfaces
+message InterfacePriority {
+	// Name is the name of the network interface
+	optional string Name = 1;
+	// Priority for the interface
+	optional int64 Priority = 2;
+}
+
+// Namespace is the configuration for a linux namespace
+message Namespace {
+	// Type is the type of Linux namespace
+	optional string Type = 1;
+	// Path is a path to an existing namespace persisted on disk that can be joined
+	// and is of the same type
+	optional string Path = 2;
+}
+
+// Device represents the information on a Linux special device file
+message Device {
+	// Path to the device.
+	optional string Path = 1;
+	// Device type, block, char, etc.
+  // TODO(vbatts) ensure int32 is fine here, instead of golang's rune
+	optional int32 Type = 2;
+	// Major is the device's major number.
+	optional int64 Major = 3;
+	// Minor is the device's minor number.
+	optional int64 Minor = 4;
+	// Cgroup permissions format, rwm.
+	optional string Permissions = 5;
+	// FileMode permission bits for the device.
+  // TODO(vbatts) os.FileMode is an octal uint32
+	optional uint32 FileMode = 6;
+	// UID of the device.
+	optional uint32 UID = 7;
+	// Gid of the device.
+	optional uint32 GID = 8;
+}
+
+// Seccomp represents syscall restrictions
+message Seccomp {
+  // TODO(vbatts) string instead of "Action" type
+	optional string DefaultAction = 1;
+	repeated Syscall Syscalls = 2;
+}
+
+// Syscall is used to match a syscall in Seccomp
+message Syscall {
+	optional string Name = 1;
+	optional string Action = 2;
+	repeated Arg Args = 3;
+}
+
+// Arg used for matching specific syscall arguments in Seccomp
+message Arg {
+	optional uint32 Index = 1;
+	optional uint64 Value = 2;
+	optional uint64 ValueTwo = 3;
+  // Op is the operator string
+	optional string Op = 4;
+}
+