github.com/containers/podman/v2@v2.2.2-0.20210501105131-c1e07d070c4c/pkg/specgen/specgen.go (about) 1 package specgen 2 3 import ( 4 "net" 5 "syscall" 6 7 "github.com/containers/image/v5/manifest" 8 "github.com/containers/storage" 9 spec "github.com/opencontainers/runtime-spec/specs-go" 10 "github.com/pkg/errors" 11 ) 12 13 // LogConfig describes the logging characteristics for a container 14 type LogConfig struct { 15 // LogDriver is the container's log driver. 16 // Optional. 17 Driver string `json:"driver,omitempty"` 18 // LogPath is the path the container's logs will be stored at. 19 // Only available if LogDriver is set to "json-file" or "k8s-file". 20 // Optional. 21 Path string `json:"path,omitempty"` 22 // Size is the maximimup size of the log file 23 // Optional. 24 Size int64 `json:"size,omitempty"` 25 // A set of options to accompany the log driver. 26 // Optional. 27 Options map[string]string `json:"options,omitempty"` 28 } 29 30 // ContainerBasicConfig contains the basic parts of a container. 31 type ContainerBasicConfig struct { 32 // Name is the name the container will be given. 33 // If no name is provided, one will be randomly generated. 34 // Optional. 35 Name string `json:"name,omitempty"` 36 // Pod is the ID of the pod the container will join. 37 // Optional. 38 Pod string `json:"pod,omitempty"` 39 // Entrypoint is the container's entrypoint. 40 // If not given and Image is specified, this will be populated by the 41 // image's configuration. 42 // Optional. 43 Entrypoint []string `json:"entrypoint,omitempty"` 44 // Command is the container's command. 45 // If not given and Image is specified, this will be populated by the 46 // image's configuration. 47 // Optional. 48 Command []string `json:"command,omitempty"` 49 // EnvHost indicates that the host environment should be added to container 50 // Optional. 51 EnvHost bool `json:"env_host,omitempty"` 52 // EnvHTTPProxy indicates that the http host proxy environment variables 53 // should be added to container 54 // Optional. 55 HTTPProxy bool `json:"httpproxy,omitempty"` 56 // Env is a set of environment variables that will be set in the 57 // container. 58 // Optional. 59 Env map[string]string `json:"env,omitempty"` 60 // Terminal is whether the container will create a PTY. 61 // Optional. 62 Terminal bool `json:"terminal,omitempty"` 63 // Stdin is whether the container will keep its STDIN open. 64 Stdin bool `json:"stdin,omitempty"` 65 // Labels are key-value pairs that are used to add metadata to 66 // containers. 67 // Optional. 68 Labels map[string]string `json:"labels,omitempty"` 69 // Annotations are key-value options passed into the container runtime 70 // that can be used to trigger special behavior. 71 // Optional. 72 Annotations map[string]string `json:"annotations,omitempty"` 73 // StopSignal is the signal that will be used to stop the container. 74 // Must be a non-zero integer below SIGRTMAX. 75 // If not provided, the default, SIGTERM, will be used. 76 // Will conflict with Systemd if Systemd is set to "true" or "always". 77 // Optional. 78 StopSignal *syscall.Signal `json:"stop_signal,omitempty"` 79 // StopTimeout is a timeout between the container's stop signal being 80 // sent and SIGKILL being sent. 81 // If not provided, the default will be used. 82 // If 0 is used, stop signal will not be sent, and SIGKILL will be sent 83 // instead. 84 // Optional. 85 StopTimeout *uint `json:"stop_timeout,omitempty"` 86 // LogConfiguration describes the logging for a container including 87 // driver, path, and options. 88 // Optional 89 LogConfiguration *LogConfig `json:"log_configuration,omitempty"` 90 // ConmonPidFile is a path at which a PID file for Conmon will be 91 // placed. 92 // If not given, a default location will be used. 93 // Optional. 94 ConmonPidFile string `json:"conmon_pid_file,omitempty"` 95 // RawImageName is the user-specified and unprocessed input referring 96 // to a local or a remote image. 97 RawImageName string `json:"raw_image_name,omitempty"` 98 // RestartPolicy is the container's restart policy - an action which 99 // will be taken when the container exits. 100 // If not given, the default policy, which does nothing, will be used. 101 // Optional. 102 RestartPolicy string `json:"restart_policy,omitempty"` 103 // RestartRetries is the number of attempts that will be made to restart 104 // the container. 105 // Only available when RestartPolicy is set to "on-failure". 106 // Optional. 107 RestartRetries *uint `json:"restart_tries,omitempty"` 108 // OCIRuntime is the name of the OCI runtime that will be used to create 109 // the container. 110 // If not specified, the default will be used. 111 // Optional. 112 OCIRuntime string `json:"oci_runtime,omitempty"` 113 // Systemd is whether the container will be started in systemd mode. 114 // Valid options are "true", "false", and "always". 115 // "true" enables this mode only if the binary run in the container is 116 // /sbin/init or systemd. "always" unconditionally enables systemd mode. 117 // "false" unconditionally disables systemd mode. 118 // If enabled, mounts and stop signal will be modified. 119 // If set to "always" or set to "true" and conditionally triggered, 120 // conflicts with StopSignal. 121 // If not specified, "false" will be assumed. 122 // Optional. 123 Systemd string `json:"systemd,omitempty"` 124 // Determine how to handle the NOTIFY_SOCKET - do we participate or pass it through 125 // "container" - let the OCI runtime deal with it, advertise conmon's MAINPID 126 // "conmon-only" - advertise conmon's MAINPID, send READY when started, don't pass to OCI 127 // "ignore" - unset NOTIFY_SOCKET 128 SdNotifyMode string `json:"sdnotifyMode,omitempty"` 129 // Namespace is the libpod namespace the container will be placed in. 130 // Optional. 131 Namespace string `json:"namespace,omitempty"` 132 // PidNS is the container's PID namespace. 133 // It defaults to private. 134 // Mandatory. 135 PidNS Namespace `json:"pidns,omitempty"` 136 // UtsNS is the container's UTS namespace. 137 // It defaults to private. 138 // Must be set to Private to set Hostname. 139 // Mandatory. 140 UtsNS Namespace `json:"utsns,omitempty"` 141 // Hostname is the container's hostname. If not set, the hostname will 142 // not be modified (if UtsNS is not private) or will be set to the 143 // container ID (if UtsNS is private). 144 // Conflicts with UtsNS if UtsNS is not set to private. 145 // Optional. 146 Hostname string `json:"hostname,omitempty"` 147 // Sysctl sets kernel parameters for the container 148 Sysctl map[string]string `json:"sysctl,omitempty"` 149 // Remove indicates if the container should be removed once it has been started 150 // and exits 151 Remove bool `json:"remove,omitempty"` 152 // ContainerCreateCommand is the command that was used to create this 153 // container. 154 // This will be shown in the output of Inspect() on the container, and 155 // may also be used by some tools that wish to recreate the container 156 // (e.g. `podman generate systemd --new`). 157 // Optional. 158 ContainerCreateCommand []string `json:"containerCreateCommand,omitempty"` 159 // PreserveFDs is a number of additional file descriptors (in addition 160 // to 0, 1, 2) that will be passed to the executed process. The total FDs 161 // passed will be 3 + PreserveFDs. 162 // set tags as `json:"-"` for not supported remote 163 PreserveFDs uint `json:"-"` 164 // Timezone is the timezone inside the container. 165 // Local means it has the same timezone as the host machine 166 Timezone string `json:"timezone,omitempty"` 167 } 168 169 // ContainerStorageConfig contains information on the storage configuration of a 170 // container. 171 type ContainerStorageConfig struct { 172 // Image is the image the container will be based on. The image will be 173 // used as the container's root filesystem, and its environment vars, 174 // volumes, and other configuration will be applied to the container. 175 // Conflicts with Rootfs. 176 // At least one of Image or Rootfs must be specified. 177 Image string `json:"image"` 178 // Rootfs is the path to a directory that will be used as the 179 // container's root filesystem. No modification will be made to the 180 // directory, it will be directly mounted into the container as root. 181 // Conflicts with Image. 182 // At least one of Image or Rootfs must be specified. 183 Rootfs string `json:"rootfs,omitempty"` 184 // ImageVolumeMode indicates how image volumes will be created. 185 // Supported modes are "ignore" (do not create), "tmpfs" (create as 186 // tmpfs), and "anonymous" (create as anonymous volumes). 187 // The default if unset is anonymous. 188 // Optional. 189 ImageVolumeMode string `json:"image_volume_mode,omitempty"` 190 // VolumesFrom is a set of containers whose volumes will be added to 191 // this container. The name or ID of the container must be provided, and 192 // may optionally be followed by a : and then one or more 193 // comma-separated options. Valid options are 'ro', 'rw', and 'z'. 194 // Options will be used for all volumes sourced from the container. 195 VolumesFrom []string `json:"volumes_from,omitempty"` 196 // Init specifies that an init binary will be mounted into the 197 // container, and will be used as PID1. 198 Init bool `json:"init,omitempty"` 199 // InitPath specifies the path to the init binary that will be added if 200 // Init is specified above. If not specified, the default set in the 201 // Libpod config will be used. Ignored if Init above is not set. 202 // Optional. 203 InitPath string `json:"init_path,omitempty"` 204 // Mounts are mounts that will be added to the container. 205 // These will supersede Image Volumes and VolumesFrom volumes where 206 // there are conflicts. 207 // Optional. 208 Mounts []spec.Mount `json:"mounts,omitempty"` 209 // Volumes are named volumes that will be added to the container. 210 // These will supersede Image Volumes and VolumesFrom volumes where 211 // there are conflicts. 212 // Optional. 213 Volumes []*NamedVolume `json:"volumes,omitempty"` 214 // Overlay volumes are named volumes that will be added to the container. 215 // Optional. 216 OverlayVolumes []*OverlayVolume `json:"overlay_volumes,omitempty"` 217 // Image volumes bind-mount a container-image mount into the container. 218 // Optional. 219 ImageVolumes []*ImageVolume `json:"image_volumes,omitempty"` 220 // Devices are devices that will be added to the container. 221 // Optional. 222 Devices []spec.LinuxDevice `json:"devices,omitempty"` 223 // IpcNS is the container's IPC namespace. 224 // Default is private. 225 // Conflicts with ShmSize if not set to private. 226 // Mandatory. 227 IpcNS Namespace `json:"ipcns,omitempty"` 228 // ShmSize is the size of the tmpfs to mount in at /dev/shm, in bytes. 229 // Conflicts with ShmSize if IpcNS is not private. 230 // Optional. 231 ShmSize *int64 `json:"shm_size,omitempty"` 232 // WorkDir is the container's working directory. 233 // If unset, the default, /, will be used. 234 // Optional. 235 WorkDir string `json:"work_dir,omitempty"` 236 // RootfsPropagation is the rootfs propagation mode for the container. 237 // If not set, the default of rslave will be used. 238 // Optional. 239 RootfsPropagation string `json:"rootfs_propagation,omitempty"` 240 } 241 242 // ContainerSecurityConfig is a container's security features, including 243 // SELinux, Apparmor, and Seccomp. 244 type ContainerSecurityConfig struct { 245 // Privileged is whether the container is privileged. 246 // Privileged does the following: 247 // - Adds all devices on the system to the container. 248 // - Adds all capabilities to the container. 249 // - Disables Seccomp, SELinux, and Apparmor confinement. 250 // (Though SELinux can be manually re-enabled). 251 // TODO: this conflicts with things. 252 // TODO: this does more. 253 Privileged bool `json:"privileged,omitempty"` 254 // User is the user the container will be run as. 255 // Can be given as a UID or a username; if a username, it will be 256 // resolved within the container, using the container's /etc/passwd. 257 // If unset, the container will be run as root. 258 // Optional. 259 User string `json:"user,omitempty"` 260 // Groups are a list of supplemental groups the container's user will 261 // be granted access to. 262 // Optional. 263 Groups []string `json:"groups,omitempty"` 264 // CapAdd are capabilities which will be added to the container. 265 // Conflicts with Privileged. 266 // Optional. 267 CapAdd []string `json:"cap_add,omitempty"` 268 // CapDrop are capabilities which will be removed from the container. 269 // Conflicts with Privileged. 270 // Optional. 271 CapDrop []string `json:"cap_drop,omitempty"` 272 // SelinuxProcessLabel is the process label the container will use. 273 // If SELinux is enabled and this is not specified, a label will be 274 // automatically generated if not specified. 275 // Optional. 276 SelinuxOpts []string `json:"selinux_opts,omitempty"` 277 // ApparmorProfile is the name of the Apparmor profile the container 278 // will use. 279 // Optional. 280 ApparmorProfile string `json:"apparmor_profile,omitempty"` 281 // SeccompPolicy determines which seccomp profile gets applied 282 // the container. valid values: empty,default,image 283 SeccompPolicy string `json:"seccomp_policy,omitempty"` 284 // SeccompProfilePath is the path to a JSON file containing the 285 // container's Seccomp profile. 286 // If not specified, no Seccomp profile will be used. 287 // Optional. 288 SeccompProfilePath string `json:"seccomp_profile_path,omitempty"` 289 // NoNewPrivileges is whether the container will set the no new 290 // privileges flag on create, which disables gaining additional 291 // privileges (e.g. via setuid) in the container. 292 NoNewPrivileges bool `json:"no_new_privileges,omitempty"` 293 // UserNS is the container's user namespace. 294 // It defaults to host, indicating that no user namespace will be 295 // created. 296 // If set to private, IDMappings must be set. 297 // Mandatory. 298 UserNS Namespace `json:"userns,omitempty"` 299 // IDMappings are UID and GID mappings that will be used by user 300 // namespaces. 301 // Required if UserNS is private. 302 IDMappings *storage.IDMappingOptions `json:"idmappings,omitempty"` 303 // ReadOnlyFilesystem indicates that everything will be mounted 304 // as read-only 305 ReadOnlyFilesystem bool `json:"read_only_filesystem,omittempty"` 306 // Umask is the umask the init process of the container will be run with. 307 Umask string `json:"umask,omitempty"` 308 // ProcOpts are the options used for the proc mount. 309 ProcOpts []string `json:"procfs_opts,omitempty"` 310 } 311 312 // ContainerCgroupConfig contains configuration information about a container's 313 // cgroups. 314 type ContainerCgroupConfig struct { 315 // CgroupNS is the container's cgroup namespace. 316 // It defaults to private. 317 // Mandatory. 318 CgroupNS Namespace `json:"cgroupns,omitempty"` 319 // CgroupsMode sets a policy for how cgroups will be created in the 320 // container, including the ability to disable creation entirely. 321 CgroupsMode string `json:"cgroups_mode,omitempty"` 322 // CgroupParent is the container's CGroup parent. 323 // If not set, the default for the current cgroup driver will be used. 324 // Optional. 325 CgroupParent string `json:"cgroup_parent,omitempty"` 326 } 327 328 // ContainerNetworkConfig contains information on a container's network 329 // configuration. 330 type ContainerNetworkConfig struct { 331 // Aliases are a list of network-scoped aliases for container 332 // Optional 333 Aliases map[string][]string `json:"aliases"` 334 // NetNS is the configuration to use for the container's network 335 // namespace. 336 // Mandatory. 337 NetNS Namespace `json:"netns,omitempty"` 338 // StaticIP is the a IPv4 address of the container. 339 // Only available if NetNS is set to Bridge. 340 // Optional. 341 StaticIP *net.IP `json:"static_ip,omitempty"` 342 // StaticIPv6 is a static IPv6 address to set in the container. 343 // Only available if NetNS is set to Bridge. 344 // Optional. 345 StaticIPv6 *net.IP `json:"static_ipv6,omitempty"` 346 // StaticMAC is a static MAC address to set in the container. 347 // Only available if NetNS is set to bridge. 348 // Optional. 349 StaticMAC *net.HardwareAddr `json:"static_mac,omitempty"` 350 // PortBindings is a set of ports to map into the container. 351 // Only available if NetNS is set to bridge or slirp. 352 // Optional. 353 PortMappings []PortMapping `json:"portmappings,omitempty"` 354 // PublishExposedPorts will publish ports specified in the image to 355 // random unused ports (guaranteed to be above 1024) on the host. 356 // This is based on ports set in Expose below, and any ports specified 357 // by the Image (if one is given). 358 // Only available if NetNS is set to Bridge or Slirp. 359 PublishExposedPorts bool `json:"publish_image_ports,omitempty"` 360 // Expose is a number of ports that will be forwarded to the container 361 // if PublishExposedPorts is set. 362 // Expose is a map of uint16 (port number) to a string representing 363 // protocol. Allowed protocols are "tcp", "udp", and "sctp", or some 364 // combination of the three separated by commas. 365 // If protocol is set to "" we will assume TCP. 366 // Only available if NetNS is set to Bridge or Slirp, and 367 // PublishExposedPorts is set. 368 // Optional. 369 Expose map[uint16]string `json:"expose,omitempty"` 370 // CNINetworks is a list of CNI networks to join the container to. 371 // If this list is empty, the default CNI network will be joined 372 // instead. If at least one entry is present, we will not join the 373 // default network (unless it is part of this list). 374 // Only available if NetNS is set to bridge. 375 // Optional. 376 CNINetworks []string `json:"cni_networks,omitempty"` 377 // UseImageResolvConf indicates that resolv.conf should not be managed 378 // by Podman, but instead sourced from the image. 379 // Conflicts with DNSServer, DNSSearch, DNSOption. 380 UseImageResolvConf bool `json:"use_image_resolve_conf,omitempty"` 381 // DNSServers is a set of DNS servers that will be used in the 382 // container's resolv.conf, replacing the host's DNS Servers which are 383 // used by default. 384 // Conflicts with UseImageResolvConf. 385 // Optional. 386 DNSServers []net.IP `json:"dns_server,omitempty"` 387 // DNSSearch is a set of DNS search domains that will be used in the 388 // container's resolv.conf, replacing the host's DNS search domains 389 // which are used by default. 390 // Conflicts with UseImageResolvConf. 391 // Optional. 392 DNSSearch []string `json:"dns_search,omitempty"` 393 // DNSOptions is a set of DNS options that will be used in the 394 // container's resolv.conf, replacing the host's DNS options which are 395 // used by default. 396 // Conflicts with UseImageResolvConf. 397 // Optional. 398 DNSOptions []string `json:"dns_option,omitempty"` 399 // UseImageHosts indicates that /etc/hosts should not be managed by 400 // Podman, and instead sourced from the image. 401 // Conflicts with HostAdd. 402 UseImageHosts bool `json:"use_image_hosts,omitempty"` 403 // HostAdd is a set of hosts which will be added to the container's 404 // /etc/hosts file. 405 // Conflicts with UseImageHosts. 406 // Optional. 407 HostAdd []string `json:"hostadd,omitempty"` 408 // NetworkOptions are additional options for each network 409 // Optional. 410 NetworkOptions map[string][]string `json:"network_options,omitempty"` 411 } 412 413 // ContainerResourceConfig contains information on container resource limits. 414 type ContainerResourceConfig struct { 415 // ResourceLimits are resource limits to apply to the container., 416 // Can only be set as root on cgroups v1 systems, but can be set as 417 // rootless as well for cgroups v2. 418 // Optional. 419 ResourceLimits *spec.LinuxResources `json:"resource_limits,omitempty"` 420 // Rlimits are POSIX rlimits to apply to the container. 421 // Optional. 422 Rlimits []spec.POSIXRlimit `json:"r_limits,omitempty"` 423 // OOMScoreAdj adjusts the score used by the OOM killer to determine 424 // processes to kill for the container's process. 425 // Optional. 426 OOMScoreAdj *int `json:"oom_score_adj,omitempty"` 427 // Weight per cgroup per device, can override BlkioWeight 428 WeightDevice map[string]spec.LinuxWeightDevice `json:"weightDevice,omitempty"` 429 // IO read rate limit per cgroup per device, bytes per second 430 ThrottleReadBpsDevice map[string]spec.LinuxThrottleDevice `json:"throttleReadBpsDevice,omitempty"` 431 // IO write rate limit per cgroup per device, bytes per second 432 ThrottleWriteBpsDevice map[string]spec.LinuxThrottleDevice `json:"throttleWriteBpsDevice,omitempty"` 433 // IO read rate limit per cgroup per device, IO per second 434 ThrottleReadIOPSDevice map[string]spec.LinuxThrottleDevice `json:"throttleReadIOPSDevice,omitempty"` 435 // IO write rate limit per cgroup per device, IO per second 436 ThrottleWriteIOPSDevice map[string]spec.LinuxThrottleDevice `json:"throttleWriteIOPSDevice,omitempty"` 437 // CgroupConf are key-value options passed into the container runtime 438 // that are used to configure cgroup v2. 439 // Optional. 440 CgroupConf map[string]string `json:"unified,omitempty"` 441 } 442 443 // ContainerHealthCheckConfig describes a container healthcheck with attributes 444 // like command, retries, interval, start period, and timeout. 445 type ContainerHealthCheckConfig struct { 446 HealthConfig *manifest.Schema2HealthConfig `json:"healthconfig,omitempty"` 447 } 448 449 // SpecGenerator creates an OCI spec and Libpod configuration options to create 450 // a container based on the given configuration. 451 // swagger:model SpecGenerator 452 type SpecGenerator struct { 453 ContainerBasicConfig 454 ContainerStorageConfig 455 ContainerSecurityConfig 456 ContainerCgroupConfig 457 ContainerNetworkConfig 458 ContainerResourceConfig 459 ContainerHealthCheckConfig 460 } 461 462 // PortMapping is one or more ports that will be mapped into the container. 463 type PortMapping struct { 464 // HostIP is the IP that we will bind to on the host. 465 // If unset, assumed to be 0.0.0.0 (all interfaces). 466 HostIP string `json:"host_ip,omitempty"` 467 // ContainerPort is the port number that will be exposed from the 468 // container. 469 // Mandatory. 470 ContainerPort uint16 `json:"container_port"` 471 // HostPort is the port number that will be forwarded from the host into 472 // the container. 473 // If omitted, a random port on the host (guaranteed to be over 1024) 474 // will be assigned. 475 HostPort uint16 `json:"host_port,omitempty"` 476 // Range is the number of ports that will be forwarded, starting at 477 // HostPort and ContainerPort and counting up. 478 // This is 1-indexed, so 1 is assumed to be a single port (only the 479 // Hostport:Containerport mapping will be added), 2 is two ports (both 480 // Hostport:Containerport and Hostport+1:Containerport+1), etc. 481 // If unset, assumed to be 1 (a single port). 482 // Both hostport + range and containerport + range must be less than 483 // 65536. 484 Range uint16 `json:"range,omitempty"` 485 // Protocol is the protocol forward. 486 // Must be either "tcp", "udp", and "sctp", or some combination of these 487 // separated by commas. 488 // If unset, assumed to be TCP. 489 Protocol string `json:"protocol,omitempty"` 490 } 491 492 var ( 493 // ErrNoStaticIPRootless is used when a rootless user requests to assign a static IP address 494 // to a pod or container 495 ErrNoStaticIPRootless error = errors.New("rootless containers and pods cannot be assigned static IP addresses") 496 // ErrNoStaticMACRootless is used when a rootless user requests to assign a static MAC address 497 // to a pod or container 498 ErrNoStaticMACRootless error = errors.New("rootless containers and pods cannot be assigned static MAC addresses") 499 ) 500 501 // NewSpecGenerator returns a SpecGenerator struct given one of two mandatory inputs 502 func NewSpecGenerator(arg string, rootfs bool) *SpecGenerator { 503 csc := ContainerStorageConfig{} 504 if rootfs { 505 csc.Rootfs = arg 506 } else { 507 csc.Image = arg 508 } 509 return &SpecGenerator{ 510 ContainerStorageConfig: csc, 511 } 512 } 513 514 // NewSpecGenerator returns a SpecGenerator struct given one of two mandatory inputs 515 func NewSpecGeneratorWithRootfs(rootfs string) *SpecGenerator { 516 csc := ContainerStorageConfig{Rootfs: rootfs} 517 return &SpecGenerator{ContainerStorageConfig: csc} 518 }