schema/features-linux.json

{
    "linux": {
        "description": "Linux platform-specific features",
        "type": "object",
        "properties": {
            "namespaces": {
                "type": "array",
                "items": {
                    "$ref": "defs-linux.json#/definitions/NamespaceType"
                }
            },
            "capabilities": {
                "type": "array",
                "items": {
                    "type": "string",
                    "pattern": "^CAP_[A-Z_]+$"
                }
            },
            "cgroup": {
                "type": "object",
                "properties": {
                    "v1": {
                        "type": "boolean"
                    },
                    "v2": {
                        "type": "boolean"
                    },
                    "systemd": {
                        "type": "boolean"
                    },
                    "systemdUser": {
                        "type": "boolean"
                    },
                    "rdma": {
                        "type": "boolean"
                    }
                }
            },
            "seccomp": {
                "type": "object",
                "properties": {
                    "enabled": {
                        "type": "boolean"
                    },
                    "actions": {
                        "type": "array",
                        "items": {
                            "$ref": "defs-linux.json#/definitions/SeccompAction"
                        }
                    },
                    "operators": {
                        "type": "array",
                        "items": {
                            "$ref": "defs-linux.json#/definitions/SeccompOperators"
                        }
                    },
                    "archs": {
                        "type": "array",
                        "items": {
                            "$ref": "defs-linux.json#/definitions/SeccompArch"
                        }
                    },
                    "knownFlags": {
                        "type": "array",
                        "items": {
                            "$ref": "defs-linux.json#/definitions/SeccompFlag"
                        }
                    },
                    "supportedFlags": {
                        "type": "array",
                        "items": {
                            "$ref": "defs-linux.json#/definitions/SeccompFlag"
                        }
                    }
                }
            },
            "apparmor": {
                "type": "object",
                "properties": {
                    "enabled": {
                        "type": "boolean"
                    }
                }
            },
            "selinux": {
                "type": "object",
                "properties": {
                    "enabled": {
                        "type": "boolean"
                    }
                }
            },
            "intelRdt": {
                "type": "object",
                "properties": {
                    "enabled": {
                        "type": "boolean"
                    }
                }
            },
            "mountExtensions": {
                "type": "object",
                "properties": {
                    "idmap": {
                        "type": "object",
                        "properties": {
                            "enabled": {
                                "type": "boolean"
                            }
                        }
                    }
                }
            }
        }
    }
}
Add `features.md` to formalize the `runc features` JSON Add `features.md` and `features-linux.md`, to formalize the `runc features` JSON that was introduced in runc v1.1.0. A runtime caller MAY use this JSON to detect the features implemented by the runtime. The spec corresponds to https://github.com/opencontainers/runc/blob/v1.1.0/types/features/features.go (opencontainers/runc PR 3296, opencontainers/runc PR 3310) Differences since runc v1.1.0: - Add `.linux.intelRdt.enabled` field - Add `.linux.cgroup.rdma` field - Add `.linux.seccomp.knownFlags` and `.linux.seccomp.supportedFlags` fields (Implemented in runc PR 3588) Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> 2021-12-09 16:45:04 +09:00			`{`
			`"linux": {`
			`"description": "Linux platform-specific features",`
			`"type": "object",`
			`"properties": {`
			`"namespaces": {`
			`"type": "array",`
			`"items": {`
			`"$ref": "defs-linux.json#/definitions/NamespaceType"`
			`}`
			`},`
			`"capabilities": {`
			`"type": "array",`
			`"items": {`
			`"type": "string",`
			`"pattern": "^CAP_[A-Z_]+$"`
			`}`
			`},`
			`"cgroup": {`
			`"type": "object",`
			`"properties": {`
			`"v1": {`
			`"type": "boolean"`
			`},`
			`"v2": {`
			`"type": "boolean"`
			`},`
			`"systemd": {`
			`"type": "boolean"`
			`},`
			`"systemdUser": {`
			`"type": "boolean"`
			`},`
			`"rdma": {`
			`"type": "boolean"`
			`}`
			`}`
			`},`
			`"seccomp": {`
			`"type": "object",`
			`"properties": {`
			`"enabled": {`
			`"type": "boolean"`
			`},`
			`"actions": {`
			`"type": "array",`
			`"items": {`
			`"$ref": "defs-linux.json#/definitions/SeccompAction"`
			`}`
			`},`
			`"operators": {`
			`"type": "array",`
			`"items": {`
			`"$ref": "defs-linux.json#/definitions/SeccompOperators"`
			`}`
			`},`
			`"archs": {`
			`"type": "array",`
			`"items": {`
			`"$ref": "defs-linux.json#/definitions/SeccompArch"`
			`}`
			`},`
			`"knownFlags": {`
			`"type": "array",`
			`"items": {`
			`"$ref": "defs-linux.json#/definitions/SeccompFlag"`
			`}`
			`},`
			`"supportedFlags": {`
			`"type": "array",`
			`"items": {`
			`"$ref": "defs-linux.json#/definitions/SeccompFlag"`
			`}`
			`}`
			`}`
			`},`
			`"apparmor": {`
			`"type": "object",`
			`"properties": {`
			`"enabled": {`
			`"type": "boolean"`
			`}`
			`}`
			`},`
			`"selinux": {`
			`"type": "object",`
			`"properties": {`
			`"enabled": {`
			`"type": "boolean"`
			`}`
			`}`
			`},`
			`"intelRdt": {`
			`"type": "object",`
			`"properties": {`
			`"enabled": {`
			`"type": "boolean"`
			`}`
			`}`
features-linux: Expose idmap information High level container runtimes sometimes need to know if the OCI runtime supports idmap mounts or not, as the OCI runtime silently ignores unknown fields. This means that if it doesn't support idmap mounts, a container with userns will be started, without idmap mounts, and the files created on the volumes will have a "garbage" owner/group. Furthermore, as the userns mapping is not guaranteed to be stable over time, it will be completely unusable. Let's expose idmap support in the features subcommand, so high level container runtimes use the feature safely. Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com> 2023-08-21 16:21:07 +02:00			`},`
			`"mountExtensions": {`
			`"type": "object",`
			`"properties": {`
			`"idmap": {`
			`"type": "object",`
			`"properties": {`
chore: format JSON file `make -C schema fmt` Signed-off-by: Kijima Daigo <norimaking777@gmail.com> 2024-06-10 22:06:05 +09:00			`"enabled": {`
features-linux: Expose idmap information High level container runtimes sometimes need to know if the OCI runtime supports idmap mounts or not, as the OCI runtime silently ignores unknown fields. This means that if it doesn't support idmap mounts, a container with userns will be started, without idmap mounts, and the files created on the volumes will have a "garbage" owner/group. Furthermore, as the userns mapping is not guaranteed to be stable over time, it will be completely unusable. Let's expose idmap support in the features subcommand, so high level container runtimes use the feature safely. Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com> 2023-08-21 16:21:07 +02:00			`"type": "boolean"`
			`}`
chore: format JSON file `make -C schema fmt` Signed-off-by: Kijima Daigo <norimaking777@gmail.com> 2024-06-10 22:06:05 +09:00			`}`
features-linux: Expose idmap information High level container runtimes sometimes need to know if the OCI runtime supports idmap mounts or not, as the OCI runtime silently ignores unknown fields. This means that if it doesn't support idmap mounts, a container with userns will be started, without idmap mounts, and the files created on the volumes will have a "garbage" owner/group. Furthermore, as the userns mapping is not guaranteed to be stable over time, it will be completely unusable. Let's expose idmap support in the features subcommand, so high level container runtimes use the feature safely. Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com> 2023-08-21 16:21:07 +02:00			`}`
			`}`
Add `features.md` to formalize the `runc features` JSON Add `features.md` and `features-linux.md`, to formalize the `runc features` JSON that was introduced in runc v1.1.0. A runtime caller MAY use this JSON to detect the features implemented by the runtime. The spec corresponds to https://github.com/opencontainers/runc/blob/v1.1.0/types/features/features.go (opencontainers/runc PR 3296, opencontainers/runc PR 3310) Differences since runc v1.1.0: - Add `.linux.intelRdt.enabled` field - Add `.linux.cgroup.rdma` field - Add `.linux.seccomp.knownFlags` and `.linux.seccomp.supportedFlags` fields (Implemented in runc PR 3588) Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> 2021-12-09 16:45:04 +09:00			`}`
			`}`
			`}`
			`}`