github.com/rish1988/moby@v25.0.2+incompatible/api/types/container/hostconfig.go (about) 1 package container // import "github.com/docker/docker/api/types/container" 2 3 import ( 4 "fmt" 5 "strings" 6 7 "github.com/docker/docker/api/types/blkiodev" 8 "github.com/docker/docker/api/types/mount" 9 "github.com/docker/docker/api/types/network" 10 "github.com/docker/docker/api/types/strslice" 11 "github.com/docker/go-connections/nat" 12 units "github.com/docker/go-units" 13 ) 14 15 // CgroupnsMode represents the cgroup namespace mode of the container 16 type CgroupnsMode string 17 18 // cgroup namespace modes for containers 19 const ( 20 CgroupnsModeEmpty CgroupnsMode = "" 21 CgroupnsModePrivate CgroupnsMode = "private" 22 CgroupnsModeHost CgroupnsMode = "host" 23 ) 24 25 // IsPrivate indicates whether the container uses its own private cgroup namespace 26 func (c CgroupnsMode) IsPrivate() bool { 27 return c == CgroupnsModePrivate 28 } 29 30 // IsHost indicates whether the container shares the host's cgroup namespace 31 func (c CgroupnsMode) IsHost() bool { 32 return c == CgroupnsModeHost 33 } 34 35 // IsEmpty indicates whether the container cgroup namespace mode is unset 36 func (c CgroupnsMode) IsEmpty() bool { 37 return c == CgroupnsModeEmpty 38 } 39 40 // Valid indicates whether the cgroup namespace mode is valid 41 func (c CgroupnsMode) Valid() bool { 42 return c.IsEmpty() || c.IsPrivate() || c.IsHost() 43 } 44 45 // Isolation represents the isolation technology of a container. The supported 46 // values are platform specific 47 type Isolation string 48 49 // Isolation modes for containers 50 const ( 51 IsolationEmpty Isolation = "" // IsolationEmpty is unspecified (same behavior as default) 52 IsolationDefault Isolation = "default" // IsolationDefault is the default isolation mode on current daemon 53 IsolationProcess Isolation = "process" // IsolationProcess is process isolation mode 54 IsolationHyperV Isolation = "hyperv" // IsolationHyperV is HyperV isolation mode 55 ) 56 57 // IsDefault indicates the default isolation technology of a container. On Linux this 58 // is the native driver. On Windows, this is a Windows Server Container. 59 func (i Isolation) IsDefault() bool { 60 // TODO consider making isolation-mode strict (case-sensitive) 61 v := Isolation(strings.ToLower(string(i))) 62 return v == IsolationDefault || v == IsolationEmpty 63 } 64 65 // IsHyperV indicates the use of a Hyper-V partition for isolation 66 func (i Isolation) IsHyperV() bool { 67 // TODO consider making isolation-mode strict (case-sensitive) 68 return Isolation(strings.ToLower(string(i))) == IsolationHyperV 69 } 70 71 // IsProcess indicates the use of process isolation 72 func (i Isolation) IsProcess() bool { 73 // TODO consider making isolation-mode strict (case-sensitive) 74 return Isolation(strings.ToLower(string(i))) == IsolationProcess 75 } 76 77 // IpcMode represents the container ipc stack. 78 type IpcMode string 79 80 // IpcMode constants 81 const ( 82 IPCModeNone IpcMode = "none" 83 IPCModeHost IpcMode = "host" 84 IPCModeContainer IpcMode = "container" 85 IPCModePrivate IpcMode = "private" 86 IPCModeShareable IpcMode = "shareable" 87 ) 88 89 // IsPrivate indicates whether the container uses its own private ipc namespace which can not be shared. 90 func (n IpcMode) IsPrivate() bool { 91 return n == IPCModePrivate 92 } 93 94 // IsHost indicates whether the container shares the host's ipc namespace. 95 func (n IpcMode) IsHost() bool { 96 return n == IPCModeHost 97 } 98 99 // IsShareable indicates whether the container's ipc namespace can be shared with another container. 100 func (n IpcMode) IsShareable() bool { 101 return n == IPCModeShareable 102 } 103 104 // IsContainer indicates whether the container uses another container's ipc namespace. 105 func (n IpcMode) IsContainer() bool { 106 _, ok := containerID(string(n)) 107 return ok 108 } 109 110 // IsNone indicates whether container IpcMode is set to "none". 111 func (n IpcMode) IsNone() bool { 112 return n == IPCModeNone 113 } 114 115 // IsEmpty indicates whether container IpcMode is empty 116 func (n IpcMode) IsEmpty() bool { 117 return n == "" 118 } 119 120 // Valid indicates whether the ipc mode is valid. 121 func (n IpcMode) Valid() bool { 122 // TODO(thaJeztah): align with PidMode, and consider container-mode without a container name/ID to be invalid. 123 return n.IsEmpty() || n.IsNone() || n.IsPrivate() || n.IsHost() || n.IsShareable() || n.IsContainer() 124 } 125 126 // Container returns the name of the container ipc stack is going to be used. 127 func (n IpcMode) Container() (idOrName string) { 128 idOrName, _ = containerID(string(n)) 129 return idOrName 130 } 131 132 // NetworkMode represents the container network stack. 133 type NetworkMode string 134 135 // IsNone indicates whether container isn't using a network stack. 136 func (n NetworkMode) IsNone() bool { 137 return n == network.NetworkNone 138 } 139 140 // IsDefault indicates whether container uses the default network stack. 141 func (n NetworkMode) IsDefault() bool { 142 return n == network.NetworkDefault 143 } 144 145 // IsPrivate indicates whether container uses its private network stack. 146 func (n NetworkMode) IsPrivate() bool { 147 return !(n.IsHost() || n.IsContainer()) 148 } 149 150 // IsContainer indicates whether container uses a container network stack. 151 func (n NetworkMode) IsContainer() bool { 152 _, ok := containerID(string(n)) 153 return ok 154 } 155 156 // ConnectedContainer is the id of the container which network this container is connected to. 157 func (n NetworkMode) ConnectedContainer() (idOrName string) { 158 idOrName, _ = containerID(string(n)) 159 return idOrName 160 } 161 162 // UserDefined indicates user-created network 163 func (n NetworkMode) UserDefined() string { 164 if n.IsUserDefined() { 165 return string(n) 166 } 167 return "" 168 } 169 170 // UsernsMode represents userns mode in the container. 171 type UsernsMode string 172 173 // IsHost indicates whether the container uses the host's userns. 174 func (n UsernsMode) IsHost() bool { 175 return n == "host" 176 } 177 178 // IsPrivate indicates whether the container uses the a private userns. 179 func (n UsernsMode) IsPrivate() bool { 180 return !n.IsHost() 181 } 182 183 // Valid indicates whether the userns is valid. 184 func (n UsernsMode) Valid() bool { 185 return n == "" || n.IsHost() 186 } 187 188 // CgroupSpec represents the cgroup to use for the container. 189 type CgroupSpec string 190 191 // IsContainer indicates whether the container is using another container cgroup 192 func (c CgroupSpec) IsContainer() bool { 193 _, ok := containerID(string(c)) 194 return ok 195 } 196 197 // Valid indicates whether the cgroup spec is valid. 198 func (c CgroupSpec) Valid() bool { 199 // TODO(thaJeztah): align with PidMode, and consider container-mode without a container name/ID to be invalid. 200 return c == "" || c.IsContainer() 201 } 202 203 // Container returns the ID or name of the container whose cgroup will be used. 204 func (c CgroupSpec) Container() (idOrName string) { 205 idOrName, _ = containerID(string(c)) 206 return idOrName 207 } 208 209 // UTSMode represents the UTS namespace of the container. 210 type UTSMode string 211 212 // IsPrivate indicates whether the container uses its private UTS namespace. 213 func (n UTSMode) IsPrivate() bool { 214 return !n.IsHost() 215 } 216 217 // IsHost indicates whether the container uses the host's UTS namespace. 218 func (n UTSMode) IsHost() bool { 219 return n == "host" 220 } 221 222 // Valid indicates whether the UTS namespace is valid. 223 func (n UTSMode) Valid() bool { 224 return n == "" || n.IsHost() 225 } 226 227 // PidMode represents the pid namespace of the container. 228 type PidMode string 229 230 // IsPrivate indicates whether the container uses its own new pid namespace. 231 func (n PidMode) IsPrivate() bool { 232 return !(n.IsHost() || n.IsContainer()) 233 } 234 235 // IsHost indicates whether the container uses the host's pid namespace. 236 func (n PidMode) IsHost() bool { 237 return n == "host" 238 } 239 240 // IsContainer indicates whether the container uses a container's pid namespace. 241 func (n PidMode) IsContainer() bool { 242 _, ok := containerID(string(n)) 243 return ok 244 } 245 246 // Valid indicates whether the pid namespace is valid. 247 func (n PidMode) Valid() bool { 248 return n == "" || n.IsHost() || validContainer(string(n)) 249 } 250 251 // Container returns the name of the container whose pid namespace is going to be used. 252 func (n PidMode) Container() (idOrName string) { 253 idOrName, _ = containerID(string(n)) 254 return idOrName 255 } 256 257 // DeviceRequest represents a request for devices from a device driver. 258 // Used by GPU device drivers. 259 type DeviceRequest struct { 260 Driver string // Name of device driver 261 Count int // Number of devices to request (-1 = All) 262 DeviceIDs []string // List of device IDs as recognizable by the device driver 263 Capabilities [][]string // An OR list of AND lists of device capabilities (e.g. "gpu") 264 Options map[string]string // Options to pass onto the device driver 265 } 266 267 // DeviceMapping represents the device mapping between the host and the container. 268 type DeviceMapping struct { 269 PathOnHost string 270 PathInContainer string 271 CgroupPermissions string 272 } 273 274 // RestartPolicy represents the restart policies of the container. 275 type RestartPolicy struct { 276 Name RestartPolicyMode 277 MaximumRetryCount int 278 } 279 280 type RestartPolicyMode string 281 282 const ( 283 RestartPolicyDisabled RestartPolicyMode = "no" 284 RestartPolicyAlways RestartPolicyMode = "always" 285 RestartPolicyOnFailure RestartPolicyMode = "on-failure" 286 RestartPolicyUnlessStopped RestartPolicyMode = "unless-stopped" 287 ) 288 289 // IsNone indicates whether the container has the "no" restart policy. 290 // This means the container will not automatically restart when exiting. 291 func (rp *RestartPolicy) IsNone() bool { 292 return rp.Name == RestartPolicyDisabled || rp.Name == "" 293 } 294 295 // IsAlways indicates whether the container has the "always" restart policy. 296 // This means the container will automatically restart regardless of the exit status. 297 func (rp *RestartPolicy) IsAlways() bool { 298 return rp.Name == RestartPolicyAlways 299 } 300 301 // IsOnFailure indicates whether the container has the "on-failure" restart policy. 302 // This means the container will automatically restart of exiting with a non-zero exit status. 303 func (rp *RestartPolicy) IsOnFailure() bool { 304 return rp.Name == RestartPolicyOnFailure 305 } 306 307 // IsUnlessStopped indicates whether the container has the 308 // "unless-stopped" restart policy. This means the container will 309 // automatically restart unless user has put it to stopped state. 310 func (rp *RestartPolicy) IsUnlessStopped() bool { 311 return rp.Name == RestartPolicyUnlessStopped 312 } 313 314 // IsSame compares two RestartPolicy to see if they are the same 315 func (rp *RestartPolicy) IsSame(tp *RestartPolicy) bool { 316 return rp.Name == tp.Name && rp.MaximumRetryCount == tp.MaximumRetryCount 317 } 318 319 // ValidateRestartPolicy validates the given RestartPolicy. 320 func ValidateRestartPolicy(policy RestartPolicy) error { 321 switch policy.Name { 322 case RestartPolicyAlways, RestartPolicyUnlessStopped, RestartPolicyDisabled: 323 if policy.MaximumRetryCount != 0 { 324 msg := "invalid restart policy: maximum retry count can only be used with 'on-failure'" 325 if policy.MaximumRetryCount < 0 { 326 msg += " and cannot be negative" 327 } 328 return &errInvalidParameter{fmt.Errorf(msg)} 329 } 330 return nil 331 case RestartPolicyOnFailure: 332 if policy.MaximumRetryCount < 0 { 333 return &errInvalidParameter{fmt.Errorf("invalid restart policy: maximum retry count cannot be negative")} 334 } 335 return nil 336 case "": 337 // Versions before v25.0.0 created an empty restart-policy "name" as 338 // default. Allow an empty name with "any" MaximumRetryCount for 339 // backward-compatibility. 340 return nil 341 default: 342 return &errInvalidParameter{fmt.Errorf("invalid restart policy: unknown policy '%s'; use one of '%s', '%s', '%s', or '%s'", policy.Name, RestartPolicyDisabled, RestartPolicyAlways, RestartPolicyOnFailure, RestartPolicyUnlessStopped)} 343 } 344 } 345 346 // LogMode is a type to define the available modes for logging 347 // These modes affect how logs are handled when log messages start piling up. 348 type LogMode string 349 350 // Available logging modes 351 const ( 352 LogModeUnset LogMode = "" 353 LogModeBlocking LogMode = "blocking" 354 LogModeNonBlock LogMode = "non-blocking" 355 ) 356 357 // LogConfig represents the logging configuration of the container. 358 type LogConfig struct { 359 Type string 360 Config map[string]string 361 } 362 363 // Resources contains container's resources (cgroups config, ulimits...) 364 type Resources struct { 365 // Applicable to all platforms 366 CPUShares int64 `json:"CpuShares"` // CPU shares (relative weight vs. other containers) 367 Memory int64 // Memory limit (in bytes) 368 NanoCPUs int64 `json:"NanoCpus"` // CPU quota in units of 10<sup>-9</sup> CPUs. 369 370 // Applicable to UNIX platforms 371 CgroupParent string // Parent cgroup. 372 BlkioWeight uint16 // Block IO weight (relative weight vs. other containers) 373 BlkioWeightDevice []*blkiodev.WeightDevice 374 BlkioDeviceReadBps []*blkiodev.ThrottleDevice 375 BlkioDeviceWriteBps []*blkiodev.ThrottleDevice 376 BlkioDeviceReadIOps []*blkiodev.ThrottleDevice 377 BlkioDeviceWriteIOps []*blkiodev.ThrottleDevice 378 CPUPeriod int64 `json:"CpuPeriod"` // CPU CFS (Completely Fair Scheduler) period 379 CPUQuota int64 `json:"CpuQuota"` // CPU CFS (Completely Fair Scheduler) quota 380 CPURealtimePeriod int64 `json:"CpuRealtimePeriod"` // CPU real-time period 381 CPURealtimeRuntime int64 `json:"CpuRealtimeRuntime"` // CPU real-time runtime 382 CpusetCpus string // CpusetCpus 0-2, 0,1 383 CpusetMems string // CpusetMems 0-2, 0,1 384 Devices []DeviceMapping // List of devices to map inside the container 385 DeviceCgroupRules []string // List of rule to be added to the device cgroup 386 DeviceRequests []DeviceRequest // List of device requests for device drivers 387 388 // KernelMemory specifies the kernel memory limit (in bytes) for the container. 389 // Deprecated: kernel 5.4 deprecated kmem.limit_in_bytes. 390 KernelMemory int64 `json:",omitempty"` 391 KernelMemoryTCP int64 `json:",omitempty"` // Hard limit for kernel TCP buffer memory (in bytes) 392 MemoryReservation int64 // Memory soft limit (in bytes) 393 MemorySwap int64 // Total memory usage (memory + swap); set `-1` to enable unlimited swap 394 MemorySwappiness *int64 // Tuning container memory swappiness behaviour 395 OomKillDisable *bool // Whether to disable OOM Killer or not 396 PidsLimit *int64 // Setting PIDs limit for a container; Set `0` or `-1` for unlimited, or `null` to not change. 397 Ulimits []*units.Ulimit // List of ulimits to be set in the container 398 399 // Applicable to Windows 400 CPUCount int64 `json:"CpuCount"` // CPU count 401 CPUPercent int64 `json:"CpuPercent"` // CPU percent 402 IOMaximumIOps uint64 // Maximum IOps for the container system drive 403 IOMaximumBandwidth uint64 // Maximum IO in bytes per second for the container system drive 404 } 405 406 // UpdateConfig holds the mutable attributes of a Container. 407 // Those attributes can be updated at runtime. 408 type UpdateConfig struct { 409 // Contains container's resources (cgroups, ulimits) 410 Resources 411 RestartPolicy RestartPolicy 412 } 413 414 // HostConfig the non-portable Config structure of a container. 415 // Here, "non-portable" means "dependent of the host we are running on". 416 // Portable information *should* appear in Config. 417 type HostConfig struct { 418 // Applicable to all platforms 419 Binds []string // List of volume bindings for this container 420 ContainerIDFile string // File (path) where the containerId is written 421 LogConfig LogConfig // Configuration of the logs for this container 422 NetworkMode NetworkMode // Network mode to use for the container 423 PortBindings nat.PortMap // Port mapping between the exposed port (container) and the host 424 RestartPolicy RestartPolicy // Restart policy to be used for the container 425 AutoRemove bool // Automatically remove container when it exits 426 VolumeDriver string // Name of the volume driver used to mount volumes 427 VolumesFrom []string // List of volumes to take from other container 428 ConsoleSize [2]uint // Initial console size (height,width) 429 Annotations map[string]string `json:",omitempty"` // Arbitrary non-identifying metadata attached to container and provided to the runtime 430 431 // Applicable to UNIX platforms 432 CapAdd strslice.StrSlice // List of kernel capabilities to add to the container 433 CapDrop strslice.StrSlice // List of kernel capabilities to remove from the container 434 CgroupnsMode CgroupnsMode // Cgroup namespace mode to use for the container 435 DNS []string `json:"Dns"` // List of DNS server to lookup 436 DNSOptions []string `json:"DnsOptions"` // List of DNSOption to look for 437 DNSSearch []string `json:"DnsSearch"` // List of DNSSearch to look for 438 ExtraHosts []string // List of extra hosts 439 GroupAdd []string // List of additional groups that the container process will run as 440 IpcMode IpcMode // IPC namespace to use for the container 441 Cgroup CgroupSpec // Cgroup to use for the container 442 Links []string // List of links (in the name:alias form) 443 OomScoreAdj int // Container preference for OOM-killing 444 PidMode PidMode // PID namespace to use for the container 445 Privileged bool // Is the container in privileged mode 446 PublishAllPorts bool // Should docker publish all exposed port for the container 447 ReadonlyRootfs bool // Is the container root filesystem in read-only 448 SecurityOpt []string // List of string values to customize labels for MLS systems, such as SELinux. 449 StorageOpt map[string]string `json:",omitempty"` // Storage driver options per container. 450 Tmpfs map[string]string `json:",omitempty"` // List of tmpfs (mounts) used for the container 451 UTSMode UTSMode // UTS namespace to use for the container 452 UsernsMode UsernsMode // The user namespace to use for the container 453 ShmSize int64 // Total shm memory usage 454 Sysctls map[string]string `json:",omitempty"` // List of Namespaced sysctls used for the container 455 Runtime string `json:",omitempty"` // Runtime to use with this container 456 457 // Applicable to Windows 458 Isolation Isolation // Isolation technology of the container (e.g. default, hyperv) 459 460 // Contains container's resources (cgroups, ulimits) 461 Resources 462 463 // Mounts specs used by the container 464 Mounts []mount.Mount `json:",omitempty"` 465 466 // MaskedPaths is the list of paths to be masked inside the container (this overrides the default set of paths) 467 MaskedPaths []string 468 469 // ReadonlyPaths is the list of paths to be set as read-only inside the container (this overrides the default set of paths) 470 ReadonlyPaths []string 471 472 // Run a custom init inside the container, if null, use the daemon's configured settings 473 Init *bool `json:",omitempty"` 474 } 475 476 // containerID splits "container:<ID|name>" values. It returns the container 477 // ID or name, and whether an ID/name was found. It returns an empty string and 478 // a "false" if the value does not have a "container:" prefix. Further validation 479 // of the returned, including checking if the value is empty, should be handled 480 // by the caller. 481 func containerID(val string) (idOrName string, ok bool) { 482 k, v, hasSep := strings.Cut(val, ":") 483 if !hasSep || k != "container" { 484 return "", false 485 } 486 return v, true 487 } 488 489 // validContainer checks if the given value is a "container:" mode with 490 // a non-empty name/ID. 491 func validContainer(val string) bool { 492 id, ok := containerID(val) 493 return ok && id != "" 494 }