proto: Flesh out runtime.json (and pass it through example_cpp)

wking · wking · commit 5f422ee6ae20 · 2015-09-27T00:36:42.000-07:00
So it matches (modulo key order) our examples from the runtime-config.md series. To get as much matching up as possible, I've converted externally-visible runtime_config.proto entries from under_scores to camelCase. We're still not matching some cases well, and I've interspersed my notes on why in the diff: $ diff -u <(cat config.json runtime.json) <(./example_cpp | jq .) --- /dev/fd/63 2015-09-27 00:04:18.464247761 -0700 +++ /dev/fd/62 2015-09-27 00:04:18.463247761 -0700 @@ -34,43 +34,9 @@ } } { - "mounts": { - "proc": { - "type": "proc", - "source": "proc", - "options": [] - }, - ... - }, + "mounts": [ + {} + ], Protobuf doesn't like objects with arbitrary keys (or at least we haven't found a way to set that up). So we probably need a pre-processer to convert mount entries into: "mounts": [ { "key": "proc", "value": { "type": "proc", "source": "proc", "options": [] }, } ] You can do that with jq [1], and that makes the mount difference much smaller (sysctl need the same change): $ mv runtime.json runtime.json-orig $ jq '.mounts |= to_entries | .linuxx.sysctl |= to_entries' <runtime.json-orig >runtime.json $ diff -u <(cat config.json runtime.json) <(./example_cpp | jq .) --- /dev/fd/63 2015-09-27 00:15:56.656282533 -0700 +++ /dev/fd/62 2015-09-27 00:15:56.656282533 -0700 @@ -78,8 +78,7 @@ "key": "proc", "value": { "type": "proc", - "source": "proc", - "options": [] + "source": "proc" } } ], ... The difference here is that protobuf isn't serializing default values, so it drops the empty array [2] (which I'd suggested we do anyway [3] ;) ... "rlimits": [ { "type": "RLIMIT_NPROC", - "soft": 1024, - "hard": 102400 + "hard": "102400", + "soft": "1024" } ], ... Protobuf uses strings when writing 64-bit-wide numbers [2], but it reads both numbers and strings, so this isn't a big deal. @@ -198,63 +171,44 @@ "devices": [ { "path": "/dev/random", - "type": "c", - "major": 1, - "minor": 8, - "permissions": "rwm", - "fileMode": 666, - "uid": 0, - "gid": 0 + "major": "1", + "minor": "8", + "permissions": "rwm", + "fileMode": 666 }, ... This has some of the default-dropping and number-string issues mentioned earlier, as well as the effect of runtime_config.proto's: // TODO(vbatts) ensure int32 is fine here, instead of golang's rune optional int32 type = 2; [1]: https://stedolan.github.io/jq/ [2]: https://developers.google.com/protocol-buffers/docs/proto3#json [3]: opencontainers#123 Signed-off-by: W. Trevor King <wking@tremily.us>
diff --git a/proto/example.cc b/proto/example.cc
@@ -10,6 +10,7 @@
 #include <google/protobuf/util/type_resolver_util.h>
 
 #include "config.pb.h"
+#include "runtime_config.pb.h"
 
 using namespace std;
 
@@ -65,6 +66,7 @@ int main(int argc, char* argv[]) {
   GOOGLE_PROTOBUF_VERIFY_VERSION;
 
   oci::Spec config;
+  oci::RuntimeSpec runtime;
 
   if (!ReadMessage("config.json", &config)) {
     cerr << "config.json: Failed to load." << endl;
@@ -85,6 +87,16 @@ int main(int argc, char* argv[]) {
     return -1;
   }
 
+  if (!ReadMessage("runtime.json", &runtime)) {
+    cerr << "runtime.json: Failed to load." << endl;
+    return -1;
+  }
+
+  if (!WriteMessage(runtime)) {
+    cerr << "runtime.json: Failed to write to stdout." << endl;
+    return -1;
+  }
+
   // Optional:  Delete all global objects allocated by libprotobuf.
   google::protobuf::ShutdownProtobufLibrary();
 
diff --git a/proto/runtime.json b/proto/runtime.json
@@ -0,0 +1,220 @@
+{
+  "mounts": {
+    "proc": {
+      "type": "proc",
+      "source": "proc",
+      "options": []
+    },
+    "dev": {
+      "type": "tmpfs",
+      "source": "tmpfs",
+      "options": [
+        "nosuid",
+        "strictatime",
+        "mode=755",
+        "size=65536k"
+      ]
+    },
+    "devpts": {
+      "type": "devpts",
+      "source": "devpts",
+      "options": [
+        "nosuid",
+        "noexec",
+        "newinstance",
+        "ptmxmode=0666",
+        "mode=0620",
+        "gid=5"
+      ]
+    },
+    "data": {
+      "type": "bind",
+      "source": "/volumes/testing",
+      "options": [
+        "rbind",
+        "rw"
+      ]
+    }
+  },
+  "hooks": {
+    "prestart": [
+      {
+        "path": "/usr/bin/fix-mounts",
+        "args": [
+          "arg1",
+          "arg2"
+        ],
+        "env": [
+          "key1=value1"
+        ]
+      },
+      {
+        "path": "/usr/bin/setup-network"
+      }
+    ],
+    "poststop": [
+      {
+        "path": "/usr/sbin/cleanup.sh",
+        "args": [
+          "-f"
+        ]
+      }
+    ]
+  },
+  "linuxx": {
+    "uidMappings": [
+      {
+        "hostID": 1000,
+        "containerID": 0,
+        "size": 10
+      }
+    ],
+    "gidMappings": [
+      {
+        "hostID": 1000,
+        "containerID": 0,
+        "size": 10
+      }
+    ],
+    "rlimits": [
+      {
+        "type": "RLIMIT_NPROC",
+        "soft": 1024,
+        "hard": 102400
+      }
+    ],
+    "sysctl": {
+      "net.ipv4.ip_forward": "1",
+      "net.core.somaxconn": "256"
+    },
+    "resources": {
+      "disableOOMKiller": false,
+      "memory": {
+        "limit": 0,
+        "reservation": 0,
+        "swap": 0,
+        "kernel": 0,
+        "swappiness": -1
+      },
+      "cpu": {
+        "shares": 0,
+        "quota": 0,
+        "period": 0,
+        "realtimeRuntime": 0,
+        "realtimePeriod": 0,
+        "cpus": "",
+        "mems": ""
+      },
+      "blockIO": {
+        "blkioWeight": 0,
+        "blkioWeightDevice": "",
+        "blkioThrottleReadBpsDevice": "",
+        "blkioThrottleWriteBpsDevice": "",
+        "blkioThrottleReadIopsDevice": "",
+        "blkioThrottleWriteIopsDevice": ""
+      },
+      "hugepageLimits": null,
+      "network": {
+        "classId": "",
+        "priorities": null
+      }
+    },
+    "cgroupsPath": "/myRuntime/myContainer",
+    "namespaces": [
+      {
+        "type": "pid",
+        "path": "/proc/1234/ns/pid"
+      },
+      {
+        "type": "network",
+        "path": "/var/run/netns/neta"
+      },
+      {
+        "type": "mount"
+      },
+      {
+        "type": "ipc"
+      },
+      {
+        "type": "uts"
+      },
+      {
+        "type": "user"
+      }
+    ],
+    "devices": [
+      {
+        "path": "/dev/random",
+        "type": "c",
+        "major": 1,
+        "minor": 8,
+        "permissions": "rwm",
+        "fileMode": 666,
+        "uid": 0,
+        "gid": 0
+      },
+      {
+        "path": "/dev/urandom",
+        "type": "c",
+        "major": 1,
+        "minor": 9,
+        "permissions": "rwm",
+        "fileMode": 666,
+        "uid": 0,
+        "gid": 0
+      },
+      {
+        "path": "/dev/null",
+        "type": "c",
+        "major": 1,
+        "minor": 3,
+        "permissions": "rwm",
+        "fileMode": 666,
+        "uid": 0,
+        "gid": 0
+      },
+      {
+        "path": "/dev/zero",
+        "type": "c",
+        "major": 1,
+        "minor": 5,
+        "permissions": "rwm",
+        "fileMode": 666,
+        "uid": 0,
+        "gid": 0
+      },
+      {
+        "path": "/dev/tty",
+        "type": "c",
+        "major": 5,
+        "minor": 0,
+        "permissions": "rwm",
+        "fileMode": 666,
+        "uid": 0,
+        "gid": 0
+      },
+      {
+        "path": "/dev/full",
+        "type": "c",
+        "major": 1,
+        "minor": 7,
+        "permissions": "rwm",
+        "fileMode": 666,
+        "uid": 0,
+        "gid": 0
+      }
+    ],
+    "apparmorProfile": "acme_secure_profile",
+    "selinuxProcessLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675",
+    "seccomp": {
+      "defaultAction": "SCMP_ACT_ALLOW",
+      "syscalls": [
+        {
+          "name": "getcwd",
+          "action": "SCMP_ACT_ERRNO"
+        }
+      ]
+    },
+    "rootfsPropagation": "slave"
+  }
+}
diff --git a/proto/runtime_config.proto b/proto/runtime_config.proto
@@ -54,9 +54,9 @@ BEGIN Linux specific runtime
 // LinuxRuntime hosts the Linux-only runtime information
 message LinuxRuntime {
 	// UidMapping specifies user mappings for supporting user namespaces on linux.
-	repeated IDMapping uid_mapping = 1;
+	repeated IDMapping uidMappings = 1;
 	// GidMapping specifies group mappings for supporting user namespaces on linux.
-	repeated IDMapping gid_mapping = 2;
+	repeated IDMapping gidMappings = 2;
 	// Rlimits specifies rlimit options to apply to the container's process.
 	repeated Rlimit rlimits = 3;
 	// Sysctl are a set of key value pairs that are set for the container on start
@@ -67,27 +67,27 @@ message LinuxRuntime {
 	// CgroupsPath specifies the path to cgroups that are created and/or joined by the container.
 	// The path is expected to be relative to the cgroups mountpoint.
 	// If resources are specified, the cgroups at CgroupsPath will be updated based on resources.
-	string cgroups_path = 6;
+	string cgroupsPath = 6;
 	// Namespaces contains the namespaces that are created and/or joined by the container
 	repeated Namespace namespaces = 7;
 	// Devices are a list of device nodes that are created and enabled for the container
 	repeated Device devices = 8;
 	// ApparmorProfile specified the apparmor profile for the container.
-	string apparmor_profile = 9;
+	string apparmorProfile = 9;
 	// SelinuxProcessLabel specifies the selinux context that the container process is run as.
-	string selinux_process_label = 10;
+	string selinuxProcessLabel = 10;
 	// Seccomp specifies the seccomp security settings for the container.
 	Seccomp seccomp = 11;
 	// RootfsPropagation is the rootfs mount propagation mode for the container
-	string rootfs_propagation = 12;
+	string rootfsPropagation = 12;
 }
 
 // IDMapping specifies UID/GID mappings
 message IDMapping {
 	// HostID is the UID/GID of the host user or group
-	int32 host_id = 1;
+	int32 hostID = 1;
 	// ContainerID is the UID/GID of the container's user or group
-	int32 container_id = 2;
+	int32 containerID = 2;
 	// Size is the length of the range of IDs mapped between the two namespaces
 	int32 size = 3;
 }
@@ -111,17 +111,17 @@ message StringStringEntry {
 // Resources has container runtime resource constraints
 message Resources {
 	// DisableOOMKiller disables the OOM killer for out of memory conditions
-	bool disable_oom_killer = 1;
+	bool disableOomKiller = 1;
 	// Memory restriction configuration
 	Memory memory = 2;
 	// CPU resource restriction configuration
 	CPU cpu = 3;
 	// Task resource restriction configuration.
 	Pids pids = 4;
 	// BlockIO restriction configuration
-	BlockIO block_io = 5;
+	BlockIO blockIO = 5;
 	// Hugetlb limit (in bytes)
-	repeated HugepageLimit hugepage_limits = 6;
+	repeated HugepageLimit hugepageLimits = 6;
 	// Network restriction configuration
 	Network network = 7;
 }
@@ -149,9 +149,9 @@ message CPU {
 	// CPU period to be used for hardcapping (in usecs). 0 to use system default
 	int64 period = 3;
 	// How many time CPU will use in realtime scheduling (in usecs)
-	int64 realtime_runtime = 4;
+	int64 realtimeRuntime = 4;
 	// CPU period to be used for realtime scheduling (in usecs)
-	int64 realtime_period = 5;
+	int64 realtimePeriod = 5;
 	// CPU to use within the cpuset
 	string cpus = 6;
 	// MEM to use within the cpuset
@@ -169,15 +169,15 @@ message BlockIO {
 	// Specifies per cgroup weight, range is from 10 to 1000
 	int64 weight = 1;
 	// Weight per cgroup per device, can override BlkioWeight
-	string weight_device = 2;
+	string weightDevice = 2;
 	// IO read rate limit per cgroup per device, bytes per second
-	string throttle_read_bps_device = 3;
+	string throttleReadBpsDevice = 3;
 	// IO write rate limit per cgroup per divice, bytes per second
-	string throttle_write_bps_device = 4;
+	string throttleWriteBpsDevice = 4;
 	// IO read rate limit per cgroup per device, IO per second
-	string throttle_read_iops_device = 5;
+	string throttleReadIopsDevice = 5;
 	// IO write rate limit per cgroup per device, IO per second
-	string throttle_write_iops_device = 6;
+	string throttleWriteIopsDevice = 6;
 }
 
 // HugepageLimit structure corresponds to limiting kernel hugepages
@@ -189,7 +189,7 @@ message HugepageLimit {
 // Network identification and priority configuration
 message Network {
 	// Set class identifier for container's network packets
-	string class_id = 1;
+	string classId = 1;
 	// Set priority of network traffic for container
 	repeated InterfacePriority priorities = 2;
 }
@@ -226,7 +226,7 @@ message Device {
 	string permissions = 5;
 	// FileMode permission bits for the device.
 	// TODO(vbatts) os.FileMode is an octal uint32
-	uint32 file_mode = 6;
+	uint32 fileMode = 6;
 	// Uid of the device.
 	uint32 uid = 7;
 	// Gid of the device.
@@ -236,7 +236,7 @@ message Device {
 // Seccomp represents syscall restrictions
 message Seccomp {
 	// TODO(vbatts) string instead of "Action" type
-	string default_action = 1;
+	string defaultAction = 1;
 	repeated Syscall syscalls = 2;
 }
 
