Skip to content

Add FreeBSD as a platform #1286

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
+386 −10
Open

Add FreeBSD as a platform #1286

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
128 changes: 128 additions & 0 deletions config-freebsd.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,128 @@
# <a name="FreeBSDContainerConfiguration" />FreeBSD Container Configuration

This document describes the schema for the [FreeBSD-specific section](config.md#platform-specific-configuration) of the [container configuration](config.md).

## <a name="configFreeBSDDevices" />Devices

Devices in FreeBSD are accessed via the `devfs` filesystem. Each container SHOULD have a `devfs` filesystem mounted into its `/dev` directory. Often, a minimal set of devices is exposed to the container using ruleset 4 from `/etc/defaults/devfs.rules` - the ruleset is specified as a mount option.

Optionally, additional devices can be exposed to the container using an array of entries inside the `devices` root field:

* **`path`** _(string, REQUIRED)_ - the device path relative to `/dev`
* **`mode`** _(uint32, OPTIONAL)_ - file mode for the device.

### Example
```json
"devices": [
{
"path": "pf",
"mode": 448
}
]
```

## <a name="configFreeBSDJail" />Jail

On FreeBSD, containers are implemented using the platform's jail subsystem.
Each jail is configured using a set of name/value pairs passed to the kernel using the `jail(2)` system calls.
The `jail` root field contains values which are passed to the kernel when the container is created.

* **`parent`** _(string, OPTIONAL)_ - parent jail.
The value is the name of a jail which should be this container's parent (defaults to none). This can be used to share namespaces such as `vnet` with another container.
* **`host`** _(string, OPTIONAL)_ - allow overriding hostname, domainname, hostuuid and hostid.
The value can be "new" which allows these values to be overridden in the container or "inherit" to use the host values (or parent container values). If set to "new", the values for hostname and domainname are taken from the base config, if present.
* **`ip4`** _(string, OPTIONAL)_ - control the availability of IPv4 addresses.
This is typically left unset if the container has a vnet, set to "inherit" to allow access to host (or parent container) addresses or set to "disable" to stop use of IPv4 entirely.
* **`ip6`** _(string, OPTIONAL)_ - control the availability of IPv6 addresses.
This is typically left unset if the container has a vnet, set to "inherit" to allow access to host (or parent container) addresses or set to "disable" to stop use of IPv6 entirely.
* **`vnet`** _(string, OPTIONAL)_ - control the vnet used for this container.
The value can be "new" which causes a new vnet to be created for the container or "inherit" which shares the vnet for the parent container (or host if there is no parent).
* **`sysvmsg`** _(string, OPTIONAL)_ - allow access to SYSV IPC message primitives.
If set to "inherit", all IPC objects in the host (or parent container) are visible to this container, whether they were created by the container itself, the base system, or other containers. If set to "new", the container will have its own key namespace, and can only see the objects that it has created; the system (or parent container) has access to the container's objects, but not to its keys. If set to "disable", the container cannot perform any sysvmsg-related system calls. Defaults to "new".
* **`sysvsem`** _(string, OPTIONAL)_ - allow access to SYSV IPC semaphore primitives, in the same manner as sysvmsg. Defaults to "new".
* **`sysvshm`** _(string, OPTIONAL)_ - allow access to SYSV IPC shared memory primitives, in the same manner as sysvmsg. Defaults to "new".
* **`enforceStatfs`** _(integer, OPTIONAL)_ - control visibility of mounts in the container.
A value of 0 allows visibility of all host mounts, 1 allows visibility of mounts nested under the container's root and 2 only allows the container root to be visible. If unset, the default value is 2.
* **`allow`** _(object, OPTIONAL)_ - Some restrictions of the container environment may be set on a per-container basis. With the exception of **`setHostname`** and **`reservedPorts`**, these boolean parameters are off by default.
- **`setHostname`** _(bool, OPTIONAL)_ - Allow the container's hostname to be changed. Defaults to `false`.
- **`rawSockets`** _(bool, OPTIONAL)_ - Allow the container to use raw sockets to support network utilities such as ping and traceroute. Defaults to `false`.
- **`chflags`** _(bool, OPTIONAL)_ - Allow the system file flags to be changed. Defaults to `false`.
- **`mount`** _(array of strings, OPTIONAL)_ - Allow the listed filesystem types to be mounted and unmounted in the container.
- **`quotas`** _(bool, OPTIONAL)_ - Allow the filesystem quotas to be changed in the container. Defaults to `false`.
- **`socketAf`** _(bool, OPTIONAL)_ - Allow socket types other than IPv4, IPv6 and unix. Defaults to `false`.
- **`reservedPorts`** _(bool, OPTIONAL)_ - Allow the jail to bind to ports lower than 1024. Defaults to `false`.
- **`suser`** _(bool, OPTIONAL)_ - The value of the jail's security.bsd.suser_enabled sysctl. The super-user will be disabled automatically if its parent system has it disabled. The super-user is enabled by default.

These fields SHOULD be mapped to a corresponding set of `jail(8)` parameters which can be used to create the container jail.
A typical jail-based OCI implementation on FreeBSD MAY use the following mapping:

| Jail parameter | JSON equivalent |
| -------------- | -------------------- |
| `jid` | - |
| `name` | see below |
| `path` | `root.path` |
| `ip4.addr` | - |
| `ip4.saddrsel` | - |
| `ip4` | `freebsd.jail.ip4` |
| `ip6.addr` | - |
| `ip6.saddrsel` | - |
| `ip6` | `freebsd.jail.ip6` |
| `vnet` | `freebsd.jail.vnet` |
| `host.hostname` | `hostname` |
| `host` | `freebsd.jail.host` |
| `sysvmsg` | `freebsd.jail.sysvmsg` |
| `sysvsem` | `freebsd.jail.sysvsem` |
| `sysvshm` | `freebsd.jail.sysvshm` |
| `securelevel` | - |
| `devfs_ruleset` | see below |
| `children.max` | see below |
| `enforce_statfs` | `freebsd.jail.enforceStatfs` |
| `persist` | - |
| `parent` | `freebsd.jail.parent` |
| `osrelease` | - |
| `osreldate` | - |
| `allow.set_hostname` | `freebsd.jail.allow.setHostname` |
| `allow.sysvipc` | `freebsd.jail.allow.sysvipc` |
| `allow.raw_sockets` | `freebsd.jail.allow.rawSockets` |
| `allow.chflags` | `freebsd.jail.allow.chflags` |
| `allow.mount` | `freebsd.jail.allow.mount` |
| `allow.quotas` | `freebsd.jail.allow.quotas` |
| `allow.read_msgbuf` | - |
| `allow.socket_af` | `freebsd.jail.allow.socketAf` |
| `allow.mlock` | - |
| `allow.nfsd` | - |
| `allow.reserved_ports` | `freebsd.jail.allow.reservedPorts` |
| `allow.unprivileged_proc_debug` | - |
| `allow.suser` | `freebsd.jail.allow.suser` |
| `allow.mount.*` | see below |

The jail name SHOULD be set to the create command's `container-id` argument.

Network addresses are typically managed by the host (e.g. using CNI or netavark) so we do not include a mapping for `ip4.addr` or `ip6.addr`.

A container which needs its own network namespace SHOULD set `"vnet"` to `"new"` and leave `"ip4"` and `"ip6"` unchanged.
A container which shares the parent/host vnet SHOULD leave `"vnet"` unchanged and set `"ip4"` and `"ip6"` to `"inherit"`.

The `devfs_ruleset` parameter is only required for jails which create new `devfs` mounts - typically OCI runtimes will mount `devfs` on the host. The value is a rule set number - these rule sets are defined on the host, typically via `/etc/defaults/devfs.rules` or using the `devfs` command line utility.

The `children.max` parameter SHOULD be managed by the OCI runtime e.g. when a new container shares namespaces with an existing container.

The `allow.mount.*` parameter set is extensible - allowed mount types are listed as an array. As with `devfs`, typically the OCI runtime will manage mounts for the container by performing mount operations on the host.

Jail parameters not supported by this runtime extension are marked with "-". These parameters will have their default values - see the `jail(8)` man page for details.

### Example
```json
"jail": {
"host": "new",
"vnet": "new",
"enforceStatfs": 1,
"allow": {
"rawSockets": true,
"chflags": true,
"mount": [
"tmpfs"
]
}
}
```
6 changes: 4 additions & 2 deletions config.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -518,14 +518,16 @@ For Windows based systems the user structure has the following fields:

## <a name="configPlatformSpecificConfiguration" />Platform-specific configuration

* **`freebsd`** (object, OPTIONAL) [FreeBSD-specific configuration](config-freebsd.md).
This MAY be set if the target platform of this spec is `freebsd`.
* **`linux`** (object, OPTIONAL) [Linux-specific configuration](config-linux.md).
This MAY be set if the target platform of this spec is `linux`.
* **`windows`** (object, OPTIONAL) [Windows-specific configuration](config-windows.md).
This MUST be set if the target platform of this spec is `windows`.
* **`solaris`** (object, OPTIONAL) [Solaris-specific configuration](config-solaris.md).
This MAY be set if the target platform of this spec is `solaris`.
* **`vm`** (object, OPTIONAL) [Virtual-machine-specific configuration](config-vm.md).
This MAY be set if the target platform and architecture of this spec support hardware virtualization.
* **`windows`** (object, OPTIONAL) [Windows-specific configuration](config-windows.md).
This MUST be set if the target platform of this spec is `windows`.
* **`zos`** (object, OPTIONAL) [z/OS-specific configuration](config-zos.md).
This MAY be set if the target platform of this spec is `zos`.

Expand Down
1 change: 1 addition & 0 deletions schema/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ The layout of the files is as follows:
* [config-linux.json](config-linux.json) - the [Linux-specific configuration sub-structure](../config-linux.md)
* [config-solaris.json](config-solaris.json) - the [Solaris-specific configuration sub-structure](../config-solaris.md)
* [config-windows.json](config-windows.json) - the [Windows-specific configuration sub-structure](../config-windows.md)
* [config-freebsd.json](config-freebsd.json) - the [FreeBSD-specific configuration sub-structure](../config-freebsd.md)
* [state-schema.json](state-schema.json) - the primary entrypoint for the [state JSON](../runtime.md#state) schema
* [defs.json](defs.json) - definitions for general types
* [defs-linux.json](defs-linux.json) - definitions for Linux-specific types
Expand Down
75 changes: 75 additions & 0 deletions schema/config-freebsd.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
{
"freebsd": {
"description": "FreeBSD platform-specific configurations",
"type": "object",
"properties": {
"devices": {
"type": "array",
"items": {
"$ref": "defs-freebsd.json#/definitions/Device"
}
},
"jail": {
"type": "object",
"properties": {
"parent": {
"type": "string"
},
"host": {
"$ref": "defs-freebsd.json#/definitions/SharingModeNoDisable"
},
"ip4": {
"$ref": "defs-freebsd.json#/definitions/SharingMode"
},
"ip6": {
"$ref": "defs-freebsd.json#/definitions/SharingMode"
},
"vnet": {
"$ref": "defs-freebsd.json#/definitions/SharingModeNoDisable"
},
"sysvmsg": {
"$ref": "defs-freebsd.json#/definitions/SharingMode"
},
"sysvsem": {
"$ref": "defs-freebsd.json#/definitions/SharingMode"
},
"sysvshm": {
"$ref": "defs-freebsd.json#/definitions/SharingMode"
},
"enforceStatfs": {
"$ref": "defs.json#/definitions/uint8"
},
"allow": {
"type": "object",
"properties": {
"setHostname": {
"type": "boolean"
},
"rawSockets": {
"type": "boolean"
},
"chflags": {
"type": "boolean"
},
"mount": {
"$ref": "defs.json#/definitions/ArrayOfStrings"
},
"quotas": {
"type": "boolean"
},
"socketAf": {
"type": "boolean"
},
"reservedPorts": {
"type": "boolean"
},
"suser": {
"type": "boolean"
}
}
}
}
}
}
}
}
3 changes: 3 additions & 0 deletions schema/config-schema.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -250,6 +250,9 @@
},
"zos": {
"$ref": "config-zos.json#/zos"
},
"freebsd": {
"$ref": "config-freebsd.json#/freebsd"
}
},
"required": [
Expand Down
30 changes: 30 additions & 0 deletions schema/defs-freebsd.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
{
"definitions": {
"Device": {
"type": "object",
"properties": {
"path": {
"type": "string"
},
"mode": {
"$ref": "defs.json#/definitions/FileMode"
}
}
},
"SharingMode": {
"type": "string",
"enum": [
"disable",
"new",
"inherit"
]
},
"SharingModeNoDisable": {
"type": "string",
"enum": [
"new",
"inherit"
]
}
}
}
8 changes: 1 addition & 7 deletions schema/defs-linux.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -148,12 +148,6 @@
"description": "minor device number",
"$ref": "defs.json#/definitions/int64"
},
"FileMode": {
"description": "File permissions mode (typically an octal value)",
"type": "integer",
"minimum": 0,
"maximum": 512
},
"FileType": {
"description": "Type of a block or special character device",
"type": "string",
Expand All @@ -173,7 +167,7 @@
"$ref": "defs.json#/definitions/FilePath"
},
"fileMode": {
"$ref": "#/definitions/FileMode"
"$ref": "defs.json#/definitions/FileMode"
},
"major": {
"$ref": "#/definitions/Major"
Expand Down
6 changes: 6 additions & 0 deletions schema/defs.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,12 @@
"type": "string"
}
},
"FileMode": {
"description": "File permissions mode (typically an octal value)",
"type": "integer",
"minimum": 0,
"maximum": 512
},
"FilePath": {
"type": "string"
},
Expand Down
11 changes: 11 additions & 0 deletions schema/test/config/bad/freebsd-vnet-disable.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
{
"ociVersion": "1.3.0",
"root": {
"path": "rootfs"
},
"freebsd": {
"jail": {
"vnet": "disable"
}
}
}
54 changes: 54 additions & 0 deletions schema/test/config/good/freebsd-example.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
{
"ociVersion": "1.3.0",
"process": {
"terminal": true,
"args": [
"sh"
],
"env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"TERM=xterm"
],
"cwd": "/"
},
"root": {
"path": "rootfs"
},
"hostname": "slartibartfast",
"mounts": [
{
"destination": "/dev",
"type": "devfs",
"source": "devfs",
"options": [
"ruleset=4"
]
},
{
"destination": "/dev/fd",
"type": "fdescfs",
"source": "fdescfs",
"options": []
}
],
"freebsd": {
"devices": [
{
"path": "pf",
"mode": 448
}
],
"jail": {
"host": "new",
"vnet": "new",
"enforceStatfs": 1,
"allow": {
"rawSockets": true,
"chflags": true,
"mount": [
"tmpfs"
]
}
}
}
}
7 changes: 7 additions & 0 deletions schema/test/config/good/freebsd-minimal.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
{
"ociVersion": "1.3.0",
"root": {
"path": "rootfs"
},
"freebsd": {}
}
Loading
Loading