// Package specgen holds the SpecGenerator, the user-facing description of a
// container from which an OCI runtime spec and libpod configuration are
// created.
package specgen

import (
	"errors"
	"net"
	"strings"
	"syscall"

	nettypes "github.com/containers/common/libnetwork/types"
	"github.com/containers/image/v5/manifest"
	"github.com/containers/podman/v4/libpod/define"
	"github.com/containers/storage/types"
	spec "github.com/opencontainers/runtime-spec/specs-go"
)

// LogConfig describes the logging characteristics for a container.
// swagger:model LogConfigLibpod
type LogConfig struct {
	// Driver is the container's log driver.
	// Optional.
	Driver string `json:"driver,omitempty"`
	// Path is the path the container's logs will be stored at.
	// Only available if Driver is set to "json-file" or "k8s-file".
	// Optional.
	Path string `json:"path,omitempty"`
	// Size is the maximum size of the log file.
	// Optional.
	Size int64 `json:"size,omitempty"`
	// Options is a set of options to accompany the log driver.
	// Optional.
	Options map[string]string `json:"options,omitempty"`
}

// ContainerBasicConfig contains the basic parts of a container.
type ContainerBasicConfig struct {
	// Name is the name the container will be given.
	// If no name is provided, one will be randomly generated.
	// Optional.
	Name string `json:"name,omitempty"`
	// Pod is the ID of the pod the container will join.
	// Optional.
	Pod string `json:"pod,omitempty"`
	// Entrypoint is the container's entrypoint.
	// If not given and Image is specified, this will be populated by the
	// image's configuration.
	// Optional.
	Entrypoint []string `json:"entrypoint,omitempty"`
	// Command is the container's command.
	// If not given and Image is specified, this will be populated by the
	// image's configuration.
	// Optional.
	Command []string `json:"command,omitempty"`
	// EnvHost indicates that the host environment should be added to the
	// container.
	// Optional.
	EnvHost bool `json:"env_host,omitempty"`
	// HTTPProxy indicates that the host's HTTP proxy environment variables
	// should be added to the container.
	// Optional.
	HTTPProxy bool `json:"httpproxy,omitempty"`
	// Env is a set of environment variables that will be set in the
	// container.
	// Optional.
	Env map[string]string `json:"env,omitempty"`
	// Terminal is whether the container will create a PTY.
	// Optional.
	Terminal bool `json:"terminal,omitempty"`
	// Stdin is whether the container will keep its STDIN open.
	// Optional.
	Stdin bool `json:"stdin,omitempty"`
	// Labels are key-value pairs that are used to add metadata to
	// containers.
	// Optional.
	Labels map[string]string `json:"labels,omitempty"`
	// Annotations are key-value options passed into the container runtime
	// that can be used to trigger special behavior.
	// Optional.
	Annotations map[string]string `json:"annotations,omitempty"`
	// StopSignal is the signal that will be used to stop the container.
	// Must be a non-zero integer below SIGRTMAX.
	// If not provided, the default, SIGTERM, will be used.
	// Will conflict with Systemd if Systemd is set to "true" or "always".
	// Optional.
	StopSignal *syscall.Signal `json:"stop_signal,omitempty"`
	// StopTimeout is a timeout between the container's stop signal being
	// sent and SIGKILL being sent.
	// If not provided, the default will be used.
	// If 0 is used, the stop signal will not be sent, and SIGKILL will be
	// sent instead.
	// Optional.
	StopTimeout *uint `json:"stop_timeout,omitempty"`
	// Timeout is a maximum time in seconds the container will run before
	// its main process is sent SIGKILL.
	// If 0 is used, the signal will not be sent and the container can run
	// indefinitely.
	// Optional.
	Timeout uint `json:"timeout,omitempty"`
	// LogConfiguration describes the logging for a container including
	// driver, path, and options.
	// Optional.
	LogConfiguration *LogConfig `json:"log_configuration,omitempty"`
	// ConmonPidFile is a path at which a PID file for Conmon will be
	// placed.
	// If not given, a default location will be used.
	// Optional.
	ConmonPidFile string `json:"conmon_pid_file,omitempty"`
	// RawImageName is the user-specified and unprocessed input referring
	// to a local or a remote image.
	RawImageName string `json:"raw_image_name,omitempty"`
	// ImageOS is the user-specified image OS.
	ImageOS string `json:"image_os,omitempty"`
	// ImageArch is the user-specified image architecture.
	ImageArch string `json:"image_arch,omitempty"`
	// ImageVariant is the user-specified image variant.
	ImageVariant string `json:"image_variant,omitempty"`
	// RestartPolicy is the container's restart policy - an action which
	// will be taken when the container exits.
	// If not given, the default policy, which does nothing, will be used.
	// Optional.
	RestartPolicy string `json:"restart_policy,omitempty"`
	// RestartRetries is the number of attempts that will be made to restart
	// the container.
	// Only available when RestartPolicy is set to "on-failure".
	// Note the JSON key is "restart_tries", not "restart_retries".
	// Optional.
	RestartRetries *uint `json:"restart_tries,omitempty"`
	// OCIRuntime is the name of the OCI runtime that will be used to create
	// the container.
	// If not specified, the default will be used.
	// Optional.
	OCIRuntime string `json:"oci_runtime,omitempty"`
	// Systemd is whether the container will be started in systemd mode.
	// Valid options are "true", "false", and "always".
	// "true" enables this mode only if the binary run in the container is
	// /sbin/init or systemd. "always" unconditionally enables systemd mode.
	// "false" unconditionally disables systemd mode.
	// If enabled, mounts and stop signal will be modified.
	// If set to "always" or set to "true" and conditionally triggered,
	// conflicts with StopSignal.
	// If not specified, "false" will be assumed.
	// Optional.
	Systemd string `json:"systemd,omitempty"`
	// SdNotifyMode determines how to handle the NOTIFY_SOCKET - do we
	// participate or pass it through.
	// "container" - let the OCI runtime deal with it, advertise conmon's MAINPID
	// "conmon-only" - advertise conmon's MAINPID, send READY when started, don't pass to OCI
	// "ignore" - unset NOTIFY_SOCKET
	SdNotifyMode string `json:"sdnotifyMode,omitempty"`
	// Namespace is the libpod namespace the container will be placed in.
	// Optional.
	Namespace string `json:"namespace,omitempty"`
	// PidNS is the container's PID namespace.
	// It defaults to private.
	// Mandatory.
	PidNS Namespace `json:"pidns,omitempty"`
	// UtsNS is the container's UTS namespace.
	// It defaults to private.
	// Must be set to Private to set Hostname.
	// Mandatory.
	UtsNS Namespace `json:"utsns,omitempty"`
	// Hostname is the container's hostname. If not set, the hostname will
	// not be modified (if UtsNS is not private) or will be set to the
	// container ID (if UtsNS is private).
	// Conflicts with UtsNS if UtsNS is not set to private.
	// Optional.
	Hostname string `json:"hostname,omitempty"`
	// HostUsers is a list of host usernames or UIDs to add to the container
	// /etc/passwd file.
	// Optional.
	HostUsers []string `json:"hostusers,omitempty"`
	// Sysctl sets kernel parameters for the container.
	// Optional.
	Sysctl map[string]string `json:"sysctl,omitempty"`
	// Remove indicates if the container should be removed once it has been
	// started and exits.
	// Optional.
	Remove bool `json:"remove,omitempty"`
	// ContainerCreateCommand is the command that was used to create this
	// container.
	// This will be shown in the output of Inspect() on the container, and
	// may also be used by some tools that wish to recreate the container
	// (e.g. `podman generate systemd --new`).
	// Optional.
	ContainerCreateCommand []string `json:"containerCreateCommand,omitempty"`
	// PreserveFDs is a number of additional file descriptors (in addition
	// to 0, 1, 2) that will be passed to the executed process. The total FDs
	// passed will be 3 + PreserveFDs.
	// Tagged `json:"-"` because it is not supported by the remote client.
	// Optional.
	PreserveFDs uint `json:"-"`
	// Timezone is the timezone inside the container.
	// Local means it has the same timezone as the host machine.
	// Optional.
	Timezone string `json:"timezone,omitempty"`
	// DependencyContainers is an array of containers this container
	// depends on. Dependency containers must be started before this
	// container. Dependencies can be specified by name or full/partial ID.
	// Optional.
	DependencyContainers []string `json:"dependencyContainers,omitempty"`
	// PidFile is the file that saves the container process id.
	// Tagged `json:"-"` because it is not supported by the remote client.
	// Optional.
	PidFile string `json:"-"`
	// EnvSecrets are secrets that will be set as environment variables.
	// Keys are the variable names; values name the secret to inject.
	// NOTE(review): because the value lands in the process environment it
	// is readable by anything in the container that can inspect that
	// environment; prefer file-based Secrets for sensitive material.
	// Optional.
	EnvSecrets map[string]string `json:"secret_env,omitempty"`
	// InitContainerType describes if this container is an init container
	// and if so, what type: always or once.
	// Deliberately not omitempty, so an empty value is always serialized.
	InitContainerType string `json:"init_container_type"`
	// Personality allows users to configure different execution domains.
	// Execution domains tell Linux how to map signal numbers into signal actions.
	// The execution domain system allows Linux to provide limited support
	// for binaries compiled under other UNIX-like operating systems.
	Personality *spec.LinuxPersonality `json:"personality,omitempty"`
	// EnvMerge takes the specified environment variables from the image and
	// preprocesses them before injecting them into the container.
	EnvMerge []string `json:"envmerge,omitempty"`
	// UnsetEnv unsets the specified default environment variables from the
	// image or from builtin or containers.conf.
	// Optional.
	UnsetEnv []string `json:"unsetenv,omitempty"`
	// UnsetEnvAll unsets all default environment variables from the image
	// or from builtin or containers.conf.
	// Optional.
	UnsetEnvAll bool `json:"unsetenvall,omitempty"`
	// Passwd is a container run option that determines if we are validating
	// users/groups before running the container.
	Passwd *bool `json:"manage_password,omitempty"`
	// PasswdEntry specifies arbitrary data to append to a file
	// (presumably the container's passwd file, given the name — confirm
	// against the consumer).
	PasswdEntry string `json:"passwd_entry,omitempty"`
	// GroupEntry specifies arbitrary data to append to a file
	// (presumably the container's group file, given the name — confirm
	// against the consumer).
	GroupEntry string `json:"group_entry,omitempty"`
}

// ContainerStorageConfig contains information on the storage configuration of a
// container.
type ContainerStorageConfig struct {
	// Image is the image the container will be based on. The image will be
	// used as the container's root filesystem, and its environment vars,
	// volumes, and other configuration will be applied to the container.
	// Conflicts with Rootfs.
	// At least one of Image or Rootfs must be specified.
	Image string `json:"image"`
	// Rootfs is the path to a directory that will be used as the
	// container's root filesystem. No modification will be made to the
	// directory, it will be directly mounted into the container as root.
	// Conflicts with Image.
	// At least one of Image or Rootfs must be specified.
	Rootfs string `json:"rootfs,omitempty"`
	// RootfsOverlay tells if rootfs is actually an overlay on top of base path.
	RootfsOverlay bool `json:"rootfs_overlay,omitempty"`
	// RootfsMapping specifies if there are mappings to apply to the rootfs.
	// NewSpecGenerator stores the raw "idmap" / "idmap=..." suffix here
	// without parsing it.
	RootfsMapping *string `json:"rootfs_mapping,omitempty"`
	// ImageVolumeMode indicates how image volumes will be created.
	// Supported modes are "ignore" (do not create), "tmpfs" (create as
	// tmpfs), and "anonymous" (create as anonymous volumes).
	// The default if unset is anonymous.
	// Optional.
	ImageVolumeMode string `json:"image_volume_mode,omitempty"`
	// VolumesFrom is a set of containers whose volumes will be added to
	// this container. The name or ID of the container must be provided, and
	// may optionally be followed by a : and then one or more
	// comma-separated options. Valid options are 'ro', 'rw', and 'z'.
	// Options will be used for all volumes sourced from the container.
	VolumesFrom []string `json:"volumes_from,omitempty"`
	// Init specifies that an init binary will be mounted into the
	// container, and will be used as PID1.
	Init bool `json:"init,omitempty"`
	// InitPath specifies the path to the init binary that will be added if
	// Init is specified above. If not specified, the default set in the
	// Libpod config will be used. Ignored if Init above is not set.
	// Optional.
	InitPath string `json:"init_path,omitempty"`
	// Mounts are mounts that will be added to the container.
	// These will supersede Image Volumes and VolumesFrom volumes where
	// there are conflicts.
	// Optional.
	Mounts []spec.Mount `json:"mounts,omitempty"`
	// Volumes are named volumes that will be added to the container.
	// These will supersede Image Volumes and VolumesFrom volumes where
	// there are conflicts.
	// Optional.
	Volumes []*NamedVolume `json:"volumes,omitempty"`
	// OverlayVolumes are named volumes that will be added to the container
	// as overlays.
	// Optional.
	OverlayVolumes []*OverlayVolume `json:"overlay_volumes,omitempty"`
	// ImageVolumes bind-mount a container-image mount into the container.
	// Optional.
	ImageVolumes []*ImageVolume `json:"image_volumes,omitempty"`
	// Devices are devices that will be added to the container.
	// Optional.
	Devices []spec.LinuxDevice `json:"devices,omitempty"`
	// DeviceCgroupRule are device cgroup rules that allow containers
	// to use additional types of devices.
	DeviceCgroupRule []spec.LinuxDeviceCgroup `json:"device_cgroup_rule,omitempty"`
	// DevicesFrom is a way to ensure your container inherits device specific
	// information from another container.
	DevicesFrom []string `json:"devices_from,omitempty"`
	// HostDeviceList is used to recreate the mounted device on inherited
	// containers.
	HostDeviceList []spec.LinuxDevice `json:"host_device_list,omitempty"`
	// IpcNS is the container's IPC namespace.
	// Default is private.
	// Conflicts with ShmSize if not set to private.
	// Mandatory.
	IpcNS Namespace `json:"ipcns,omitempty"`
	// ShmSize is the size of the tmpfs to mount in at /dev/shm, in bytes.
	// Conflicts with IpcNS if IpcNS is not private.
	// Optional.
	ShmSize *int64 `json:"shm_size,omitempty"`
	// ShmSizeSystemd is the size of systemd-specific tmpfs mounts,
	// specifically /run, /run/lock, /var/log/journal and /tmp.
	// Optional.
	ShmSizeSystemd *int64 `json:"shm_size_systemd,omitempty"`
	// WorkDir is the container's working directory.
	// If unset, the default, /, will be used.
	// Optional.
	WorkDir string `json:"work_dir,omitempty"`
	// CreateWorkingDir creates the working directory if it doesn't exist.
	// If unset, it doesn't create it.
	// Optional.
	CreateWorkingDir bool `json:"create_working_dir,omitempty"`
	// StorageOpts is the container's storage options.
	// Optional.
	StorageOpts map[string]string `json:"storage_opts,omitempty"`
	// RootfsPropagation is the rootfs propagation mode for the container.
	// If not set, the default of rslave will be used.
	// Optional.
	RootfsPropagation string `json:"rootfs_propagation,omitempty"`
	// Secrets are the secrets that will be added to the container.
	// Optional.
	Secrets []Secret `json:"secrets,omitempty"`
	// Volatile specifies whether the container storage can be optimized
	// at the cost of not syncing all the dirty files in memory.
	Volatile bool `json:"volatile,omitempty"`
	// ChrootDirs is an additional set of directories that need to be
	// treated as root directories. Standard bind mounts will be mounted
	// into paths relative to these directories.
	ChrootDirs []string `json:"chroot_directories,omitempty"`
}

// ContainerSecurityConfig is a container's security features, including
// SELinux, Apparmor, and Seccomp.
type ContainerSecurityConfig struct {
	// Privileged is whether the container is privileged.
	// Privileged does the following:
	// - Adds all devices on the system to the container.
	// - Adds all capabilities to the container.
	// - Disables Seccomp, SELinux, and Apparmor confinement.
	// (Though SELinux can be manually re-enabled).
	// TODO: this conflicts with things.
	// TODO: this does more.
	Privileged bool `json:"privileged,omitempty"`
	// User is the user the container will be run as.
	// Can be given as a UID or a username; if a username, it will be
	// resolved within the container, using the container's /etc/passwd.
	// If unset, the container will be run as root.
	// Optional.
	User string `json:"user,omitempty"`
	// Groups are a list of supplemental groups the container's user will
	// be granted access to.
	// Optional.
	Groups []string `json:"groups,omitempty"`
	// CapAdd are capabilities which will be added to the container.
	// Conflicts with Privileged.
	// Optional.
	CapAdd []string `json:"cap_add,omitempty"`
	// CapDrop are capabilities which will be removed from the container.
	// Conflicts with Privileged.
	// Optional.
	CapDrop []string `json:"cap_drop,omitempty"`
	// SelinuxOpts are the SELinux label options (e.g. the process label)
	// the container will use.
	// If SELinux is enabled and no label is specified, one will be
	// generated automatically.
	// Optional.
	SelinuxOpts []string `json:"selinux_opts,omitempty"`
	// ApparmorProfile is the name of the Apparmor profile the container
	// will use.
	// Optional.
	ApparmorProfile string `json:"apparmor_profile,omitempty"`
	// SeccompPolicy determines which seccomp profile gets applied to
	// the container. Valid values: empty, default, image.
	SeccompPolicy string `json:"seccomp_policy,omitempty"`
	// SeccompProfilePath is the path to a JSON file containing the
	// container's Seccomp profile.
	// If not specified, no Seccomp profile will be used.
	// Optional.
	SeccompProfilePath string `json:"seccomp_profile_path,omitempty"`
	// NoNewPrivileges is whether the container will set the no new
	// privileges flag on create, which disables gaining additional
	// privileges (e.g. via setuid) in the container.
	NoNewPrivileges bool `json:"no_new_privileges,omitempty"`
	// UserNS is the container's user namespace.
	// It defaults to host, indicating that no user namespace will be
	// created.
	// If set to private, IDMappings must be set.
	// Mandatory.
	UserNS Namespace `json:"userns,omitempty"`
	// IDMappings are UID and GID mappings that will be used by user
	// namespaces.
	// Required if UserNS is private.
	IDMappings *types.IDMappingOptions `json:"idmappings,omitempty"`
	// ReadOnlyFilesystem indicates that everything will be mounted
	// as read-only.
	ReadOnlyFilesystem bool `json:"read_only_filesystem,omitempty"`
	// ReadWriteTmpfs indicates that when running with a ReadOnlyFilesystem
	// temporary file systems are still mounted read-write.
	ReadWriteTmpfs bool `json:"read_write_tmpfs,omitempty"`

	// LabelNested indicates whether or not the container is allowed to
	// run fully nested containers including labelling.
	LabelNested bool `json:"label_nested,omitempty"`

	// Umask is the umask the init process of the container will be run with.
	Umask string `json:"umask,omitempty"`
	// ProcOpts are the options used for the proc mount.
	ProcOpts []string `json:"procfs_opts,omitempty"`
	// Mask is the path we want to mask in the container. This masks the paths
	// given in addition to the default list.
	// Optional.
	Mask []string `json:"mask,omitempty"`
	// Unmask is the path we want to unmask in the container. To override
	// all the default paths that are masked, set unmask=ALL.
	// Each unmasked path widens what the container can observe, so an
	// explicit list is preferable to ALL.
	Unmask []string `json:"unmask,omitempty"`
}

// ContainerCgroupConfig contains configuration information about a container's
// cgroups.
type ContainerCgroupConfig struct {
	// CgroupNS is the container's cgroup namespace.
	// It defaults to private.
	// Mandatory.
	CgroupNS Namespace `json:"cgroupns,omitempty"`
	// CgroupsMode sets a policy for how cgroups will be created in the
	// container, including the ability to disable creation entirely.
	CgroupsMode string `json:"cgroups_mode,omitempty"`
	// CgroupParent is the container's Cgroup parent.
	// If not set, the default for the current cgroup driver will be used.
	// Optional.
	CgroupParent string `json:"cgroup_parent,omitempty"`
}

// ContainerNetworkConfig contains information on a container's network
// configuration.
type ContainerNetworkConfig struct {
	// NetNS is the configuration to use for the container's network
	// namespace.
	// Mandatory.
	NetNS Namespace `json:"netns,omitempty"`
	// PortMappings is a set of ports to map into the container.
	// Only available if NetNS is set to bridge, slirp, or pasta.
	// Optional.
	PortMappings []nettypes.PortMapping `json:"portmappings,omitempty"`
	// PublishExposedPorts will publish ports specified in the image to
	// random unused ports (guaranteed to be above 1024) on the host.
	// This is based on ports set in Expose below, and any ports specified
	// by the Image (if one is given).
	// Only available if NetNS is set to Bridge or Slirp.
	PublishExposedPorts bool `json:"publish_image_ports,omitempty"`
	// Expose is a number of ports that will be forwarded to the container
	// if PublishExposedPorts is set.
	// Expose is a map of uint16 (port number) to a string representing the
	// protocol, i.e. map[uint16]string. Allowed protocols are "tcp", "udp",
	// and "sctp", or some combination of the three separated by commas.
	// If protocol is set to "" we will assume TCP.
	// Only available if NetNS is set to Bridge or Slirp, and
	// PublishExposedPorts is set.
	// Optional.
	Expose map[uint16]string `json:"expose,omitempty"`
	// Networks is a map of network names or ids that the container should
	// join.
	// You can request additional settings for each network, you can
	// set network aliases, static ips, static mac address and the
	// network interface name for this container on the specific network.
	// If the map is empty and the bridge network mode is set the container
	// will be joined to the default network.
	// Has no json tag, so it is serialized under the Go field name.
	Networks map[string]nettypes.PerNetworkOptions
	// CNINetworks is a list of CNI networks to join the container to.
	// If this list is empty, the default CNI network will be joined
	// instead. If at least one entry is present, we will not join the
	// default network (unless it is part of this list).
	// Only available if NetNS is set to bridge.
	// Optional.
	// Deprecated: as of podman 4.0 use "Networks" instead.
	CNINetworks []string `json:"cni_networks,omitempty"`
	// UseImageResolvConf indicates that resolv.conf should not be managed
	// by Podman, but instead sourced from the image.
	// Conflicts with DNSServers, DNSSearch, DNSOptions.
	UseImageResolvConf bool `json:"use_image_resolve_conf,omitempty"`
	// DNSServers is a set of DNS servers that will be used in the
	// container's resolv.conf, replacing the host's DNS Servers which are
	// used by default.
	// Conflicts with UseImageResolvConf.
	// Optional.
	DNSServers []net.IP `json:"dns_server,omitempty"`
	// DNSSearch is a set of DNS search domains that will be used in the
	// container's resolv.conf, replacing the host's DNS search domains
	// which are used by default.
	// Conflicts with UseImageResolvConf.
	// Optional.
	DNSSearch []string `json:"dns_search,omitempty"`
	// DNSOptions is a set of DNS options that will be used in the
	// container's resolv.conf, replacing the host's DNS options which are
	// used by default.
	// Conflicts with UseImageResolvConf.
	// Optional.
	DNSOptions []string `json:"dns_option,omitempty"`
	// UseImageHosts indicates that /etc/hosts should not be managed by
	// Podman, and instead sourced from the image.
	// Conflicts with HostAdd.
	// Do not set omitempty here, if this is false it should be set to not get
	// the server default.
	// Ideally this would be a pointer so we could differentiate between an
	// explicitly false/true and unset (containers.conf default). However
	// specgen is stable so we can not change this right now.
	// TODO (5.0): change to pointer
	UseImageHosts bool `json:"use_image_hosts"`
	// HostAdd is a set of hosts which will be added to the container's
	// /etc/hosts file.
	// Conflicts with UseImageHosts.
	// Optional.
	HostAdd []string `json:"hostadd,omitempty"`
	// NetworkOptions are additional options for each network.
	// Optional.
	NetworkOptions map[string][]string `json:"network_options,omitempty"`
}

// ContainerResourceConfig contains information on container resource limits.
type ContainerResourceConfig struct {
	// IntelRdt defines the Intel RDT CAT Class of Service (COS) that all processes
	// of the container should run in.
	// Optional.
	IntelRdt *spec.LinuxIntelRdt `json:"intelRdt,omitempty"`
	// ResourceLimits are resource limits to apply to the container.
	// Can only be set as root on cgroups v1 systems, but can be set as
	// rootless as well for cgroups v2.
	// Optional.
	ResourceLimits *spec.LinuxResources `json:"resource_limits,omitempty"`
	// Rlimits are POSIX rlimits to apply to the container.
	// Optional.
	Rlimits []spec.POSIXRlimit `json:"r_limits,omitempty"`
	// OOMScoreAdj adjusts the score used by the OOM killer to determine
	// processes to kill for the container's process.
	// Optional.
	OOMScoreAdj *int `json:"oom_score_adj,omitempty"`
	// WeightDevice is the weight per cgroup per device; can override BlkioWeight.
	WeightDevice map[string]spec.LinuxWeightDevice `json:"weightDevice,omitempty"`
	// ThrottleReadBpsDevice is the IO read rate limit per cgroup per device, bytes per second.
	ThrottleReadBpsDevice map[string]spec.LinuxThrottleDevice `json:"throttleReadBpsDevice,omitempty"`
	// ThrottleWriteBpsDevice is the IO write rate limit per cgroup per device, bytes per second.
	ThrottleWriteBpsDevice map[string]spec.LinuxThrottleDevice `json:"throttleWriteBpsDevice,omitempty"`
	// ThrottleReadIOPSDevice is the IO read rate limit per cgroup per device, IO per second.
	ThrottleReadIOPSDevice map[string]spec.LinuxThrottleDevice `json:"throttleReadIOPSDevice,omitempty"`
	// ThrottleWriteIOPSDevice is the IO write rate limit per cgroup per device, IO per second.
	ThrottleWriteIOPSDevice map[string]spec.LinuxThrottleDevice `json:"throttleWriteIOPSDevice,omitempty"`
	// CgroupConf are key-value options passed into the container runtime
	// that are used to configure cgroup v2.
	// Optional.
	CgroupConf map[string]string `json:"unified,omitempty"`
	// CPUPeriod is the CPU period of the cpuset, determined by --cpus.
	CPUPeriod uint64 `json:"cpu_period,omitempty"`
	// CPUQuota is the CPU quota of the cpuset, determined by --cpus.
	CPUQuota int64 `json:"cpu_quota,omitempty"`
}

// ContainerHealthCheckConfig describes a container healthcheck with attributes
// like command, retries, interval, start period, and timeout.
type ContainerHealthCheckConfig struct {
	// HealthConfig is the healthcheck (command, retries, interval, start
	// period, timeout) to run for the container.
	// Optional.
	HealthConfig *manifest.Schema2HealthConfig `json:"healthconfig,omitempty"`
	// HealthCheckOnFailureAction selects the action taken when the
	// healthcheck fails; see define.HealthCheckOnFailureAction for the
	// allowed values.
	// Optional.
	HealthCheckOnFailureAction define.HealthCheckOnFailureAction `json:"health_check_on_failure_action,omitempty"`
	// StartupHealthConfig is the startup healthcheck for a container.
	// Requires that HealthConfig be set.
	// Optional.
	StartupHealthConfig *define.StartupHealthCheck `json:"startupHealthConfig,omitempty"`
}

// SpecGenerator creates an OCI spec and Libpod configuration options to create
// a container based on the given configuration.
// swagger:model SpecGenerator
type SpecGenerator struct {
	ContainerBasicConfig
	ContainerStorageConfig
	ContainerSecurityConfig
	ContainerCgroupConfig
	ContainerNetworkConfig
	ContainerResourceConfig
	ContainerHealthCheckConfig

	//nolint:unused // this is needed for the local client but golangci-lint
	// does not seem happy when we test the remote stub
	cacheLibImage
}

// IsInitContainer reports whether InitContainerType is set. It only checks
// for a non-empty value; it does not validate that the value is one of the
// supported types ("always" or "once").
func (s *SpecGenerator) IsInitContainer() bool {
	return len(s.InitContainerType) != 0
}

// Secret describes one entry of ContainerStorageConfig.Secrets.
// Field meanings are inferred from their names and should be confirmed
// against the code that consumes Secrets: Source names the secret, Target
// is where it is placed in the container, and UID/GID/Mode are the
// ownership and permissions it is given.
type Secret struct {
	Source string
	Target string
	UID    uint32
	GID    uint32
	Mode   uint32
}

var (
	// ErrNoStaticIPRootless is used when a rootless user requests to assign a static IP address
	// to a pod or container
	ErrNoStaticIPRootless = errors.New("rootless containers and pods cannot be assigned static IP addresses")
	// ErrNoStaticMACRootless is used when a rootless user requests to assign a static MAC address
	// to a pod or container
	ErrNoStaticMACRootless = errors.New("rootless containers and pods cannot be assigned static MAC addresses")
	// ErrDuplicateDest is used when multiple volume mounts target the same
	// destination, which is not allowed
	ErrDuplicateDest = errors.New("duplicate mount destination")
)

// NewSpecGenerator returns a SpecGenerator given one of the two mandatory
// storage inputs. When rootfs is false, arg is an image reference and is
// stored in Image. When rootfs is true, arg is a rootfs path and is stored
// in Rootfs; a trailing ":O" suffix marks the rootfs as an overlay
// (RootfsOverlay) and a trailing ":idmap" or ":idmap=<opts>" suffix
// requests ID mapping (RootfsMapping), and in both cases the suffix is
// stripped from the path. Only the last colon is inspected, so a path whose
// last component itself ends in ":O" or ":idmap" cannot be expressed; any
// other suffix is left as part of the path.
func NewSpecGenerator(arg string, rootfs bool) *SpecGenerator {
	csc := ContainerStorageConfig{}
	if rootfs {
		csc.Rootfs = arg
		// check if rootfs should use overlay
		lastColonIndex := strings.LastIndex(csc.Rootfs, ":")
		if lastColonIndex != -1 {
			lastPart := csc.Rootfs[lastColonIndex+1:]
			if lastPart == "O" {
				csc.RootfsOverlay = true
				csc.Rootfs = csc.Rootfs[:lastColonIndex]
			} else if lastPart == "idmap" || strings.HasPrefix(lastPart, "idmap=") {
				// The idmap options are stored verbatim, including any
				// "=..." part; they are not parsed or validated here.
				csc.RootfsMapping = &lastPart
				csc.Rootfs = csc.Rootfs[:lastColonIndex]
			}
		}
	} else {
		csc.Image = arg
	}
	return &SpecGenerator{
		ContainerStorageConfig: csc,
	}
}

// NewSpecGeneratorWithRootfs returns a SpecGenerator whose Rootfs is set to
// the given path as-is. Unlike NewSpecGenerator it does not interpret a
// ":O" or ":idmap" suffix.
func NewSpecGeneratorWithRootfs(rootfs string) *SpecGenerator {
	csc := ContainerStorageConfig{Rootfs: rootfs}
	return &SpecGenerator{ContainerStorageConfig: csc}
}

// StringSlicesEqual reports whether a and b have the same length and the
// same elements in the same order. A nil slice and an empty slice compare
// equal.
func StringSlicesEqual(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	for i, v := range a {
		if v != b[i] {
			return false
		}
	}
	return true
}