# <a name="containerConfigurationFile" />Container Configuration file

The container's top-level directory MUST contain a configuration file called `config.json`.

The canonical schema is defined in this document, but there is a JSON Schema in [`schema/config-schema.json`](schema/config-schema.json) and Go bindings in [`specs-go/config.go`](specs-go/config.go).

## <a name="configSpecificationVersion" />Specification version

* **`ociVersion`** (string, REQUIRED) MUST be in [SemVer v2.0.0][semver-v2.0.0] format and specifies the version of the Open Container Runtime Specification with which the bundle complies.

The Open Container Runtime Specification follows semantic versioning and retains forward and backward compatibility within major versions.

For example, if a configuration is compliant with version 1.1 of this specification, it is compatible with all runtimes that support any 1.1 or later release of this specification, but is not compatible with a runtime that supports 1.0 and not 1.1.

### Example

```json

"ociVersion": "0.1.0"

## <a name="configRoot" />Root

**`root`** (object, REQUIRED) specifies the container's root filesystem.

* **`path`** (string, REQUIRED) Specifies the path to the root filesystem for the container.

A directory MUST exist at the path declared by the field.

* **`readonly`** (bool, OPTIONAL) If true then the root filesystem MUST be read-only inside the container, defaults to false.

### Example

```json

## <a name="configMounts" />Mounts

**`mounts`** (array, OPTIONAL) specifies additional mounts beyond [`root`](#root-configuration).

The runtime MUST mount entries in the listed order.

* **`destination`** (string, REQUIRED) Destination of mount point: path inside container.

This value MUST be an absolute path.

* Windows: one mount destination MUST NOT be nested within another mount (e.g., c:\\foo and c:\\foo\\bar).

* Solaris: corresponds to "dir" of the fs resource in [zonecfg(1M)][zonecfg.1m].

* **`type`** (string, OPTIONAL) The filesystem type of the filesystem to be mounted.

* Solaris: corresponds to "type" of the fs resource in [zonecfg(1M)][zonecfg.1m].

* **`source`** (string, OPTIONAL) A device name, but can also be a directory name or a dummy.

* Windows: the volume name that is the target of the mount point, \\?\Volume\{GUID}\ (on Windows source is called target).

* Solaris: corresponds to "special" of the fs resource in [zonecfg(1M)][zonecfg.1m].

* **`options`** (list of strings, OPTIONAL) Mount options of the filesystem to be used.

### Example (Linux)

### Example (Windows)

## <a name="configProcess" />Process

**`process`** (object, REQUIRED) specifies the container process.

* **`terminal`** (bool, OPTIONAL) specifies whether a terminal is attached to that process, defaults to false.

As an example, if set to true on Linux a pseudoterminal pair is allocated for the container process and the pseudoterminal slave is duplicated on the container process's [standard streams][stdin.3].

* **`cwd`** (string, REQUIRED) is the working directory that will be set for the executable.

This value MUST be an absolute path.

* **`env`** (array of strings, OPTIONAL) with the same semantics as [IEEE Std 1003.1-2001's `environ`][ieee-1003.1-2001-xbd-c8.1].

* **`capabilities`** (object, OPTIONAL) is an object containing arrays that specifies the sets of capabilities for the process(es) inside the container. Valid values are platform-specific. For example, valid values for Linux are defined in the [capabilities(7)][capabilities.7] man page.

* **`type`** (string, REQUIRED) - the platform resource being limited, for example on Linux as defined in the [setrlimit(2)][setrlimit.2] man page.

* **`noNewPrivileges`** (bool, OPTIONAL) setting `noNewPrivileges` to true prevents the processes in the container from gaining additional privileges.

As an example, the ['no_new_privs'][no-new-privs] article in the kernel documentation has information on how this is achieved using a prctl system call on Linux.

For more information about AppArmor, see [AppArmor documentation][apparmor].

* **`selinuxLabel`** (string, OPTIONAL) specifies the SELinux label to be applied to the processes in the container.

For more information about SELinux, see [SELinux documentation][selinux].

### <a name="configUser" />User

The user for the process is a platform-specific structure that allows specific control over which user the process runs as.

#### <a name="configLinuxAndSolarisUser" />Linux and Solaris User

For Linux and Solaris based systems the user structure has the following fields:

### Example (Linux)

```json

"additionalGids": [5, 6]

},

"cwd": "/root",

],

"noNewPrivileges": true,

```

#### <a name="configWindowsUser" />Windows User

* **`username`** (string, OPTIONAL) specifies the user name for the process.

],

## <a name="configHostname" />Hostname

* **`hostname`** (string, OPTIONAL) specifies the container's hostname as seen by processes running inside the container.

### Example

```json

"hostname": "mrsdalloway"

## <a name="configPlatform" />Platform

**`platform`** (object, REQUIRED) specifies the configuration's target platform.

```json

## <a name="configPlatformSpecificConfiguration" />Platform-specific configuration

* **`linux`** (object, OPTIONAL) [Linux-specific configuration](config-linux.md).

This MAY be set if **`platform.os`** is `linux` and MUST NOT be set otherwise.

* **`windows`** (object, OPTIONAL) [Windows-specific configuration](config-windows.md).

## <a name="configHooks" />Hooks

Hooks allow for the configuration of custom actions related to the [lifecycle](runtime.md#lifecycle) of the container.

* **`args`** (array of strings, OPTIONAL) with the same semantics as [IEEE Std 1003.1-2001 `execv`'s *argv*][ieee-1003.1-2001-xsh-exec].

Hooks allow users to specify programs to run before or after various lifecycle events.

Hooks MUST be called in the listed order.

The [state](runtime.md#state) of the container MUST be passed to hooks over stdin so that they may do work appropriate to the current state of the container.

### <a name="configHooksPrestart" />Prestart

The pre-start hooks MUST be called after the [`start`](runtime.md#start) operation is called but [before the user-specified program command is executed](runtime.md#lifecycle).

On Linux, for example, they are called after the container namespaces are created, so they provide an opportunity to customize the container (e.g. the network namespace could be specified in this hook).

### <a name="configHooksPoststart" />Poststart

The post-start hooks MUST be called [after the user-specified process is executed](runtime#lifecycle) but before the [`start`](runtime.md#start) operation returns.

For example, this hook can notify the user that the container process is spawned.

### <a name="configHooksPoststop" />Poststop

The post-stop hooks MUST be called [after the container is deleted](runtime#lifecycle) but before the [`delete`](runtime.md#delete) operation returns.

Cleanup or debugging functions are examples of such a hook.

### Example

"hooks": {

"path": "/usr/bin/notify-start",

"timeout": 5

## <a name="configAnnotations" />Annotations

**`annotations`** (object, OPTIONAL) contains arbitrary metadata for the container.

This information MAY be structured or unstructured.

"com.example.gpu-cores": "2"

## <a name="configExtensibility" />Extensibility

Implementations that are reading/processing this configuration file MUST NOT generate an error if they encounter an unknown property.

"ociVersion": "0.5.0-dev",