# <a name="linuxContainerConfiguration" />Linux Container Configuration

This document describes the schema for the [Linux-specific section](config.md#platform-specific-configuration) of the [container configuration](config.md).

The Linux container specification uses various kernel features like namespaces, cgroups, capabilities, LSM, and filesystem jails to fulfill the spec.

## <a name="configLinuxDefaultFilesystems" />Default Filesystems

Applications expecting a Linux environment will very likely expect these file paths to be set up correctly.

The following filesystems SHOULD be made available in each container's filesystem:

| Path | Type |

| -------- | ------ |

| /proc | [proc][] |

## <a name="configLinuxNamespaces" />Namespaces

For more information, see the [namespaces(7)][namespaces.7_2] man page.

The following parameters can be specified to set up namespaces:

* **`type`** *(string, REQUIRED)* - namespace type. The following namespace types are supported:

If a namespace type is not specified in the `namespaces` array, the container MUST inherit the [runtime namespace](glossary.md#runtime-namespace) of that type.

If a `namespaces` field contains duplicated namespaces with same `type`, the runtime MUST [generate an error](runtime.md#errors).

### Example

## <a name="configLinuxUserNamespaceMappings" />User namespace mappings

Each entry has the following structure:

Note that the number of mapping entries MAY be limited by the [kernel][user-namespaces].

### Example

"size": 32000

"size": 32000

## <a name="configLinuxDevices" />Devices

**`devices`** (array of objects, OPTIONAL) lists devices that MUST be available in the container.

The runtime MAY supply them however it likes (with [`mknod`][mknod.2], by bind mounting from the runtime mount namespace, using symlinks, etc.).

Each entry has the following structure:

* **`type`** *(string, REQUIRED)* - type of device: `c`, `b`, `u` or `p`.

More info in [mknod(1)][mknod.1].

* **`path`** *(string, REQUIRED)* - full path to device inside container.

If a [file][] already exists at `path` that does not match the requested device, the runtime MUST generate an error.

* **`major, minor`** *(int64, REQUIRED unless `type` is `p`)* - [major, minor numbers][devices] for the device.

* **`fileMode`** *(uint32, OPTIONAL)* - file mode for the device.

You can also control access to devices [with cgroups](#device-whitelist).

### Example

"devices": [

{

"path": "/dev/fuse",

"type": "c",

"fileMode": 438,

"minor": 0,

"fileMode": 432,

### <a name="configLinuxDefaultDevices" />Default Devices

* [`/dev/console`][console.4] is set up if terminal is enabled in the config by bind mounting the pseudoterminal slave to /dev/console.

## <a name="configLinuxControlGroups" />Control groups

cgroups provide controls (through controllers) to restrict cpu, memory, IO, pids and network for the container.

For more information, see the [kernel cgroups documentation][cgroup-v1].

The Spec does not support per-controller paths for the reasons discussed in the [cgroupv2 documentation][cgroup-v2].

Runtimes MAY attach the container process to additional cgroup controllers beyond those necessary to fulfill the `resources` settings.

### Example

}

### <a name="configLinuxDeviceWhitelist" />Device whitelist

**`devices`** (array of objects, OPTIONAL) configures the [device whitelist][cgroup-v1-devices].

Each entry has the following structure:

* **`allow`** *(boolean, REQUIRED)* - whether the entry is allowed or denied.

* **`type`** *(string, OPTIONAL)* - type of device: `a` (all), `c` (char), or `b` (block).

Unset values mean "all", mapping to `a`.

* **`major, minor`** *(int64, OPTIONAL)* - [major, minor numbers][devices] for the device.

Unset values mean "all", mapping to [`*` in the filesystem API][cgroup-v1-devices].

* **`access`** *(string, OPTIONAL)* - cgroup permissions for device.

A composition of `r` (read), `w` (write), and `m` (mknod).

#### Example

"devices": [

### <a name="configLinuxMemory" />Memory

**`memory`** (object, OPTIONAL) represents the cgroup subsystem `memory` and it's used to set limits on the container's memory usage.

For more information, see the kernel cgroups documentation about [memory][cgroup-v1-memory].

The following properties do not specify memory limits, but are covered by the `memory` controller:

* **`swappiness`** *(uint64, OPTIONAL)* - sets swappiness parameter of vmscan (See sysctl's vm.swappiness)

#### Example

### <a name="configLinuxCPU" />CPU

**`cpu`** (object, OPTIONAL) represents the cgroup subsystems `cpu` and `cpusets`.

For more information, see the kernel cgroups documentation about [cpusets][cgroup-v1-cpusets].

The following parameters can be specified to set up the controller:

* **`shares`** *(uint64, OPTIONAL)* - specifies a relative share of CPU time available to the tasks in a cgroup

* **`quota`** *(int64, OPTIONAL)* - specifies the total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by **`period`** below)

* **`period`** *(uint64, OPTIONAL)* - specifies a period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated (CFS scheduler only)

* **`realtimeRuntime`** *(int64, OPTIONAL)* - specifies a period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources

#### Example

### <a name="configLinuxBlockIO" />Block IO

**`blockIO`** (object, OPTIONAL) represents the cgroup subsystem `blkio` which implements the block IO controller.

For more information, see the kernel cgroups documentation about [blkio][cgroup-v1-blkio].

The following parameters can be specified to set up the controller:

You MUST specify at least one of `weight` or `leafWeight` in a given entry, and MAY specify both.

* **`rate`** *(uint64, REQUIRED)* - IO rate limit for the device

#### Example

"throttleReadBpsDevice": [

"throttleWriteIOPSDevice": [

### <a name="configLinuxHugePageLimits" />Huge page limits

**`hugepageLimits`** (array of objects, OPTIONAL) represents the `hugetlb` controller which allows to limit the

HugeTLB usage per control group and enforces the controller limit during page fault.

For more information, see the kernel cgroups documentation about [HugeTLB][cgroup-v1-hugetlb].

Each entry has the following structure:

* **`pageSize`** *(string, REQUIRED)* - hugepage size

* **`limit`** *(uint64, REQUIRED)* - limit in bytes of *hugepagesize* HugeTLB usage

#### Example

"hugepageLimits": [

"limit": 209715200

### <a name="configLinuxNetwork" />Network

**`network`** (object, OPTIONAL) represents the cgroup subsystems `net_cls` and `net_prio`.

For more information, see the kernel cgroups documentations about [net\_cls cgroup][cgroup-v1-net-cls] and [net\_prio cgroup][cgroup-v1-net-prio].

The following parameters can be specified to set up the controller:

* **`classID`** *(uint32, OPTIONAL)* - is the network class identifier the cgroup's network packets will be tagged with

* **`priorities`** *(array of objects, OPTIONAL)* - specifies a list of objects of the priorities assigned to traffic originating from processes in the group and egressing the system on various interfaces.

The following parameters can be specified per-priority:

* **`name`** *(string, REQUIRED)* - interface name in [runtime network namespace](glossary.md#runtime-namespace)

* **`priority`** *(uint32, REQUIRED)* - priority applied to the interface

#### Example

"network": {

### <a name="configLinuxPIDS" />PIDs