# <a name="linuxContainerConfiguration" />Linux Container Configuration

This document describes the schema for the [Linux-specific section](config.md#platform-specific-configuration) of the [container configuration](config.md).

The Linux container specification uses various kernel features like namespaces, cgroups, capabilities, LSM, and filesystem jails to fulfill the spec.

## <a name="configLinuxDefaultFilesystems" />Default Filesystems

Applications expecting a Linux environment will very likely expect these file paths to be setup correctly.

The following filesystems SHOULD be made available in each container's filesystem:

| Path | Type |

| -------- | ------ |

## <a name="configLinuxNamespaces" />Namespaces

For more information, see the [namespaces(7)][namespaces.7_2] man page.

* **`type`** *(string, REQUIRED)* - namespace type. The following namespace types are supported:

* **`path`** *(string, OPTIONAL)* - path to namespace file in the [runtime mount namespace](glossary.md#runtime-namespace)

If a namespace type is not specified in the `namespaces` array, the container MUST inherit the [runtime namespace](glossary.md#runtime-namespace) of that type.

If a `namespaces` field contains duplicated namespaces with same `type`, the runtime MUST error out.

## <a name="configLinuxUserNamespaceMappings" />User namespace mappings

Each entry has the following structure:

Note that the number of mapping entries MAY be limited by the [kernel][user-namespaces].

"size": 32000

"size": 32000

## <a name="configLinuxDevices" />Devices

**`devices`** (array of objects, OPTIONAL) lists devices that MUST be available in the container.

The runtime may supply them however it likes (with [mknod][mknod.2], by bind mounting from the runtime mount namespace, etc.).

Each entry has the following structure:

* **`type`** *(string, REQUIRED)* - type of device: `c`, `b`, `u` or `p`.

More info in [mknod(1)][mknod.1].

* **`path`** *(string, REQUIRED)* - full path to device inside container.

If a [file][file.1] already exists at `path` that does not match the requested device, the runtime MUST generate an error.

* **`major, minor`** *(int64, REQUIRED unless `type` is `p`)* - [major, minor numbers][devices] for the device.

* **`fileMode`** *(uint32, OPTIONAL)* - file mode for the device.

You can also control access to devices [with cgroups](#device-whitelist).

"path": "/dev/fuse",

"type": "c",

"fileMode": 438,

"minor": 0,

"fileMode": 432,

###### <a name="configLinuxDefaultDevices" />Default Devices

* [`/dev/console`][console.4] is setup if terminal is enabled in the config by bind mounting the pseudoterminal slave to /dev/console.

## <a name="configLinuxControlGroups" />Control groups

cgroups provide controls (through controllers) to restrict cpu, memory, IO, pids and network for the container.

For more information, see the [kernel cgroups documentation][cgroup-v1].

`cgroupsPath` can be used to either control the cgroup hierarchy for containers or to run a new process in an existing container.

The Spec does not support per-controller paths for the reasons discussed in the [cgroupv2 documentation][cgroup-v2].

#### <a name="configLinuxDeviceWhitelist" />Device whitelist

**`devices`** (array of objects, OPTIONAL) configures the [device whitelist][cgroup-v1-devices].

Each entry has the following structure:

* **`allow`** *(boolean, REQUIRED)* - whether the entry is allowed or denied.

* **`type`** *(string, OPTIONAL)* - type of device: `a` (all), `c` (char), or `b` (block).

`null` or unset values mean "all", mapping to `a`.

* **`major, minor`** *(int64, OPTIONAL)* - [major, minor numbers][devices] for the device.

`null` or unset values mean "all", mapping to [`*` in the filesystem API][cgroup-v1-devices].

* **`access`** *(string, OPTIONAL)* - cgroup permissions for device.

#### <a name="configLinuxDisableOutOfMemoryKiller" />Disable out-of-memory killer

For more information, see [the memory cgroup man page][cgroup-v1-memory].

* **`disableOOMKiller`** *(bool, OPTIONAL)* - enables or disables the OOM killer

#### <a name="configLinuxSetOomScoreAdj" />Set oom_score_adj

For more information, see [the proc filesystem documentation section 3.1][procfs].

This is a kernel/system level setting, where as `disableOOMKiller` is scoped for a memory cgroup.

For more information on how these two settings work together, see [the memory cgroup documentation section 10. OOM Contol][cgroup-v1-memory].

* **`oomScoreAdj`** *(int, OPTIONAL)* - adjust the oom-killer score

"oomScoreAdj": 100

#### <a name="configLinuxMemory" />Memory

**`memory`** (object, OPTIONAL) represents the cgroup subsystem `memory` and it's used to set limits on the container's memory usage.

For more information, see [the memory cgroup man page][cgroup-v1-memory].

* **`limit`** *(uint64, OPTIONAL)* - sets limit of memory usage in bytes

* **`reservation`** *(uint64, OPTIONAL)* - sets soft limit of memory usage in bytes

* **`swap`** *(uint64, OPTIONAL)* - sets limit of memory+Swap usage

* **`kernel`** *(uint64, OPTIONAL)* - sets hard limit for kernel memory

* **`kernelTCP`** *(uint64, OPTIONAL)* - sets hard limit in bytes for kernel TCP buffer memory

* **`swappiness`** *(uint64, OPTIONAL)* - sets swappiness parameter of vmscan (See sysctl's vm.swappiness)

#### <a name="configLinuxCPU" />CPU

**`cpu`** (object, OPTIONAL) represents the cgroup subsystems `cpu` and `cpusets`.

For more information, see [the cpusets cgroup man page][cgroup-v1-cpusets].

* **`shares`** *(uint64, OPTIONAL)* - specifies a relative share of CPU time available to the tasks in a cgroup

* **`quota`** *(int64, OPTIONAL)* - specifies the total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by **`period`** below)

* **`period`** *(uint64, OPTIONAL)* - specifies a period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated (CFS scheduler only)

* **`realtimeRuntime`** *(int64, OPTIONAL)* - specifies a period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources

* **`realtimePeriod`** *(uint64, OPTIONAL)* - same as **`period`** but applies to realtime scheduler only

* **`cpus`** *(string, OPTIONAL)* - list of CPUs the container will run in

* **`mems`** *(string, OPTIONAL)* - list of Memory Nodes the container will run in

#### <a name="configLinuxBlockIO" />Block IO

**`blockIO`** (object, OPTIONAL) represents the cgroup subsystem `blkio` which implements the block IO controller.

For more information, see [the kernel cgroups documentation about blkio][cgroup-v1-blkio].

* **`blkioWeight`** *(uint16, OPTIONAL)* - specifies per-cgroup weight. This is default weight of the group on all devices until and unless overridden by per-device rules. The range is from 10 to 1000.

* **`blkioLeafWeight`** *(uint16, OPTIONAL)* - equivalents of `blkioWeight` for the purpose of deciding how much weight tasks in the given cgroup has while competing with the cgroup's child cgroups. The range is from 10 to 1000.

* **`blkioWeightDevice`** *(array, OPTIONAL)* - specifies the list of devices which will be bandwidth rate limited. The following parameters can be specified per-device:

* **`major, minor`** *(int64, REQUIRED)* - major, minor numbers for device. More info in `man mknod`.

#### <a name="configLinuxHugePageLimits" />Huge page limits

**`hugepageLimits`** (array of objects, OPTIONAL) represents the `hugetlb` controller which allows to limit the

HugeTLB usage per control group and enforces the controller limit during page fault.

For more information, see the [kernel cgroups documentation about HugeTLB][cgroup-v1-hugetlb].

Each entry has the following structure:

* **`pageSize`** *(string, REQUIRED)* - hugepage size

* **`limit`** *(uint64, REQUIRED)* - limit in bytes of *hugepagesize* HugeTLB usage

"limit": 209715200

#### <a name="configLinuxNetwork" />Network

**`network`** (object, OPTIONAL) represents the cgroup subsystems `net_cls` and `net_prio`.

For more information, see [the net\_cls cgroup man page][cgroup-v1-net-cls] and [the net\_prio cgroup man page][cgroup-v1-net-prio].

The following parameters can be specified to setup the controller:

* **`classID`** *(uint32, OPTIONAL)* - is the network class identifier the cgroup's network packets will be tagged with

#### <a name="configLinuxPIDS" />PIDs