go.mod: runtime-spec v1.1.0-rc.2

See https://github.com/opencontainers/runtime-spec/releases/tag/v1.1.0-rc.2 for the spec changes. The `runc features` json is now defined in https://github.com/opencontainers/runtime-spec/blob/v1.1.0-rc.2/specs-go/features/features.go Replaces PR 3829 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2025-09-26 19:41:35 +08:00 · 2023-04-18 14:31:00 +09:00
parent 8eb801dff5
commit 6beb3c6a3e
9 changed files with 165 additions and 136 deletions
--- a/docs/spec-conformance.md
+++ b/docs/spec-conformance.md
@@ -1,6 +1,6 @@
 # Spec conformance

-This branch of runc implements the [OCI Runtime Spec v1.1.0-rc.1](https://github.com/opencontainers/runtime-spec/tree/v1.1.0-rc.1)
+This branch of runc implements the [OCI Runtime Spec v1.1.0-rc.2](https://github.com/opencontainers/runtime-spec/tree/v1.1.0-rc.2)
 for the `linux` platform.

 The following features are not implemented yet:
@@ -10,8 +10,9 @@ Spec version | Feature                                  | PR
 v1.0.0       | `SCMP_ARCH_PARISC`                       | Unplanned, due to lack of users
 v1.0.0       | `SCMP_ARCH_PARISC64`                     | Unplanned, due to lack of users
 v1.0.2       | `.linux.personality`                     | [#3126](https://github.com/opencontainers/runc/pull/3126)
-v1.1.0-rc.1  | `.linux.resources.cpu.burst`             | [#3205](https://github.com/opencontainers/runc/pull/3205)
-v1.1.0-rc.1  | `.domainname`                            | [#3600](https://github.com/opencontainers/runc/pull/3600)
+v1.1.0-rc.1  | `.linux.resources.cpu.burst`             | [#3749](https://github.com/opencontainers/runc/pull/3749)
 v1.1.0-rc.1  | `.[]mounts.uidMappings`                  | [#3717](https://github.com/opencontainers/runc/pull/3717)
 v1.1.0-rc.1  | `.[]mounts.gidMappings`                  | [#3717](https://github.com/opencontainers/runc/pull/3717)
-v1.1.0-rc.1  | `SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV` | TODO
+v1.1.0-rc.1  | `SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV` | TODO ([#3860](https://github.com/opencontainers/runc/issues/3860))
+v1.1.0-rc.2  | time namespaces                          | TODO ([#2345](https://github.com/opencontainers/runc/issues/2345))
+v1.1.0-rc.2  | rsvd hugetlb cgroup                      | TODO ([#3859](https://github.com/opencontainers/runc/issues/3859))
--- a/features.go
+++ b/features.go
@@ -8,8 +8,9 @@ import (
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/seccomp"
 	"github.com/opencontainers/runc/libcontainer/specconv"
-	"github.com/opencontainers/runc/types/features"
+	runcfeatures "github.com/opencontainers/runc/types/features"
 	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/opencontainers/runtime-spec/specs-go/features"
 	"github.com/urfave/cli"
 )

@@ -33,9 +34,9 @@ var featuresCommand = cli.Command{
 			OCIVersionMin: "1.0.0",
 			OCIVersionMax: specs.Version,
 			Annotations: map[string]string{
-				features.AnnotationRuncVersion:           version,
-				features.AnnotationRuncCommit:            gitCommit,
-				features.AnnotationRuncCheckpointEnabled: "true",
+				runcfeatures.AnnotationRuncVersion:           version,
+				runcfeatures.AnnotationRuncCommit:            gitCommit,
+				runcfeatures.AnnotationRuncCheckpointEnabled: "true",
 			},
 			Hooks:        configs.KnownHookNames(),
 			MountOptions: specconv.KnownMountOptions(),
@@ -47,6 +48,7 @@ var featuresCommand = cli.Command{
 					V2:          &tru,
 					Systemd:     &tru,
 					SystemdUser: &tru,
+					Rdma:        &tru,
 				},
 				Apparmor: &features.Apparmor{
 					Enabled: &tru,
@@ -54,6 +56,9 @@ var featuresCommand = cli.Command{
 				Selinux: &features.Selinux{
 					Enabled: &tru,
 				},
+				IntelRdt: &features.IntelRdt{
+					Enabled: &tru,
+				},
 			},
 		}

@@ -67,7 +72,7 @@ var featuresCommand = cli.Command{
 				SupportedFlags: seccomp.SupportedFlags(),
 			}
 			major, minor, patch := seccomp.Version()
-			feat.Annotations[features.AnnotationLibseccompVersion] = fmt.Sprintf("%d.%d.%d", major, minor, patch)
+			feat.Annotations[runcfeatures.AnnotationLibseccompVersion] = fmt.Sprintf("%d.%d.%d", major, minor, patch)
 		}

 		enc := json.NewEncoder(context.App.Writer)
--- a/go.mod
+++ b/go.mod
@@ -12,7 +12,7 @@ require (
 	github.com/godbus/dbus/v5 v5.1.0
 	github.com/moby/sys/mountinfo v0.6.2
 	github.com/mrunalp/fileutils v0.5.0
-	github.com/opencontainers/runtime-spec v1.1.0-rc.1
+	github.com/opencontainers/runtime-spec v1.1.0-rc.2
 	github.com/opencontainers/selinux v1.11.0
 	github.com/seccomp/libseccomp-golang v0.10.0
 	github.com/sirupsen/logrus v1.9.0
--- a/go.sum
+++ b/go.sum
@@ -30,8 +30,8 @@ github.com/moby/sys/mountinfo v0.6.2 h1:BzJjoreD5BMFNmD9Rus6gdd1pLuecOFPt8wC+Vyg
 github.com/moby/sys/mountinfo v0.6.2/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
 github.com/mrunalp/fileutils v0.5.0 h1:NKzVxiH7eSk+OQ4M+ZYW1K6h27RUV3MI6NUTsHhU6Z4=
 github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
-github.com/opencontainers/runtime-spec v1.1.0-rc.1 h1:wHa9jroFfKGQqFHj0I1fMRKLl0pfj+ynAqBxo3v6u9w=
-github.com/opencontainers/runtime-spec v1.1.0-rc.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.1.0-rc.2 h1:ucBtEms2tamYYW/SvGpvq9yUN0NEVL6oyLEwDcTSrk8=
+github.com/opencontainers/runtime-spec v1.1.0-rc.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU=
 github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
--- a/types/features/features.go
+++ b/types/features/features.go
@@ -1,122 +1,6 @@
-// Package features provides the JSON structure that is printed by `runc features` (since runc v1.1.0).
-// The types in this package are experimental and subject to change.
+// Package features provides the annotations for [github.com/opencontainers/runtime-spec/specs-go/features].
 package features

-// Features represents the supported features of the runtime.
-type Features struct {
-	// OCIVersionMin is the minimum OCI Runtime Spec version recognized by the runtime, e.g., "1.0.0".
-	OCIVersionMin string `json:"ociVersionMin,omitempty"`
-
-	// OCIVersionMax is the maximum OCI Runtime Spec version recognized by the runtime, e.g., "1.0.2-dev".
-	OCIVersionMax string `json:"ociVersionMax,omitempty"`
-
-	// Hooks is the list of the recognized hook names, e.g., "createRuntime".
-	// Nil value means "unknown", not "no support for any hook".
-	Hooks []string `json:"hooks,omitempty"`
-
-	// MountOptions is the list of the recognized mount options, e.g., "ro".
-	// Nil value means "unknown", not "no support for any mount option".
-	// This list does not contain filesystem-specific options passed to mount(2) syscall as (const void *).
-	MountOptions []string `json:"mountOptions,omitempty"`
-
-	// Linux is specific to Linux.
-	Linux *Linux `json:"linux,omitempty"`
-
-	// Annotations contains implementation-specific annotation strings,
-	// such as the implementation version, and third-party extensions.
-	Annotations map[string]string `json:"annotations,omitempty"`
-}
-
-// Linux is specific to Linux.
-type Linux struct {
-	// Namespaces is the list of the recognized namespaces, e.g., "mount".
-	// Nil value means "unknown", not "no support for any namespace".
-	Namespaces []string `json:"namespaces,omitempty"`
-
-	// Capabilities is the list of the recognized capabilities , e.g., "CAP_SYS_ADMIN".
-	// Nil value means "unknown", not "no support for any capability".
-	Capabilities []string `json:"capabilities,omitempty"`
-
-	Cgroup   *Cgroup   `json:"cgroup,omitempty"`
-	Seccomp  *Seccomp  `json:"seccomp,omitempty"`
-	Apparmor *Apparmor `json:"apparmor,omitempty"`
-	Selinux  *Selinux  `json:"selinux,omitempty"`
-}
-
-// Seccomp represents the "seccomp" field.
-type Seccomp struct {
-	// Enabled is true if seccomp support is compiled in.
-	// Nil value means "unknown", not "false".
-	Enabled *bool `json:"enabled,omitempty"`
-
-	// Actions is the list of the recognized actions, e.g., "SCMP_ACT_NOTIFY".
-	// Nil value means "unknown", not "no support for any action".
-	Actions []string `json:"actions,omitempty"`
-
-	// Operators is the list of the recognized operators, e.g., "SCMP_CMP_NE".
-	// Nil value means "unknown", not "no support for any operator".
-	Operators []string `json:"operators,omitempty"`
-
-	// Archs is the list of the recognized archs, e.g., "SCMP_ARCH_X86_64".
-	// Nil value means "unknown", not "no support for any arch".
-	Archs []string `json:"archs,omitempty"`
-
-	// KnownFlags is the list of the recognized filter flags, e.g., "SECCOMP_FILTER_FLAG_LOG".
-	// Nil value means "unknown", not "no flags are recognized".
-	KnownFlags []string `json:"knownFlags,omitempty"`
-
-	// SupportedFlags is the list of the supported filter flags, e.g., "SECCOMP_FILTER_FLAG_LOG".
-	// This list may be a subset of KnownFlags due to some flags
-	// not supported by the current kernel and/or libseccomp.
-	// Nil value means "unknown", not "no flags are supported".
-	SupportedFlags []string `json:"supportedFlags,omitempty"`
-}
-
-// Apparmor represents the "apparmor" field.
-type Apparmor struct {
-	// Enabled is true if AppArmor support is compiled in.
-	// Unrelated to whether the host supports AppArmor or not.
-	// Nil value means "unknown", not "false".
-	// Always true in the current version of runc.
-	Enabled *bool `json:"enabled,omitempty"`
-}
-
-// Selinux represents the "selinux" field.
-type Selinux struct {
-	// Enabled is true if SELinux support is compiled in.
-	// Unrelated to whether the host supports SELinux or not.
-	// Nil value means "unknown", not "false".
-	// Always true in the current version of runc.
-	Enabled *bool `json:"enabled,omitempty"`
-}
-
-// Cgroup represents the "cgroup" field.
-type Cgroup struct {
-	// V1 represents whether Cgroup v1 support is compiled in.
-	// Unrelated to whether the host uses cgroup v1 or not.
-	// Nil value means "unknown", not "false".
-	// Always true in the current version of runc.
-	V1 *bool `json:"v1,omitempty"`
-
-	// V2 represents whether Cgroup v2 support is compiled in.
-	// Unrelated to whether the host uses cgroup v2 or not.
-	// Nil value means "unknown", not "false".
-	// Always true in the current version of runc.
-	V2 *bool `json:"v2,omitempty"`
-
-	// Systemd represents whether systemd-cgroup support is compiled in.
-	// Unrelated to whether the host uses systemd or not.
-	// Nil value means "unknown", not "false".
-	// Always true in the current version of runc.
-	Systemd *bool `json:"systemd,omitempty"`
-
-	// SystemdUser represents whether user-scoped systemd-cgroup support is compiled in.
-	// Unrelated to whether the host uses systemd or not.
-	// Nil value means "unknown", not "false".
-	// Always true in the current version of runc.
-	SystemdUser *bool `json:"systemdUser,omitempty"`
-}
-
 const (
 	// AnnotationRuncVersion represents the version of runc, e.g., "1.2.3", "1.2.3+dev", "1.2.3-rc.4.", "1.2.3-rc.4+dev".
 	// Third party implementations such as crun and runsc MAY use this annotation to report the most compatible runc version,
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
@@ -191,6 +191,8 @@ type Linux struct {
 	IntelRdt *LinuxIntelRdt `json:"intelRdt,omitempty"`
 	// Personality contains configuration for the Linux personality syscall
 	Personality *LinuxPersonality `json:"personality,omitempty"`
+	// TimeOffsets specifies the offset for supporting time namespaces.
+	TimeOffsets map[string]LinuxTimeOffset `json:"timeOffsets,omitempty"`
 }

 // LinuxNamespace is the configuration for a Linux namespace
@@ -220,6 +222,8 @@ const (
 	UserNamespace LinuxNamespaceType = "user"
 	// CgroupNamespace for isolating cgroup hierarchies
 	CgroupNamespace LinuxNamespaceType = "cgroup"
+	// TimeNamespace for isolating the clocks
+	TimeNamespace LinuxNamespaceType = "time"
 )

 // LinuxIDMapping specifies UID/GID mappings
@@ -232,6 +236,14 @@ type LinuxIDMapping struct {
 	Size uint32 `json:"size"`
 }

+// LinuxTimeOffset specifies the offset for Time Namespace
+type LinuxTimeOffset struct {
+	// Secs is the offset of clock (in secs) in the container
+	Secs int64 `json:"secs,omitempty"`
+	// Nanosecs is the additional offset for Secs (in nanosecs)
+	Nanosecs uint32 `json:"nanosecs,omitempty"`
+}
+
 // POSIXRlimit type and restrictions
 type POSIXRlimit struct {
 	// Type of the rlimit to set
@@ -242,12 +254,13 @@ type POSIXRlimit struct {
 	Soft uint64 `json:"soft"`
 }

-// LinuxHugepageLimit structure corresponds to limiting kernel hugepages
+// LinuxHugepageLimit structure corresponds to limiting kernel hugepages.
+// Default to reservation limits if supported. Otherwise fallback to page fault limits.
 type LinuxHugepageLimit struct {
-	// Pagesize is the hugepage size
-	// Format: "<size><unit-prefix>B' (e.g. 64KB, 2MB, 1GB, etc.)
+	// Pagesize is the hugepage size.
+	// Format: "<size><unit-prefix>B' (e.g. 64KB, 2MB, 1GB, etc.).
 	Pagesize string `json:"pageSize"`
-	// Limit is the limit of "hugepagesize" hugetlb usage
+	// Limit is the limit of "hugepagesize" hugetlb reservations (if supported) or usage.
 	Limit uint64 `json:"limit"`
 }

@@ -382,7 +395,7 @@ type LinuxResources struct {
 	Pids *LinuxPids `json:"pids,omitempty"`
 	// BlockIO restriction configuration
 	BlockIO *LinuxBlockIO `json:"blockIO,omitempty"`
-	// Hugetlb limit (in bytes)
+	// Hugetlb limits (in bytes). Default to reservation limits if supported.
 	HugepageLimits []LinuxHugepageLimit `json:"hugepageLimits,omitempty"`
 	// Network restriction configuration
 	Network *LinuxNetwork `json:"network,omitempty"`
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/features/features.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/features/features.go
@@ -0,0 +1,125 @@
+// Package features provides the Features struct.
+package features
+
+// Features represents the supported features of the runtime.
+type Features struct {
+	// OCIVersionMin is the minimum OCI Runtime Spec version recognized by the runtime, e.g., "1.0.0".
+	OCIVersionMin string `json:"ociVersionMin,omitempty"`
+
+	// OCIVersionMax is the maximum OCI Runtime Spec version recognized by the runtime, e.g., "1.0.2-dev".
+	OCIVersionMax string `json:"ociVersionMax,omitempty"`
+
+	// Hooks is the list of the recognized hook names, e.g., "createRuntime".
+	// Nil value means "unknown", not "no support for any hook".
+	Hooks []string `json:"hooks,omitempty"`
+
+	// MountOptions is the list of the recognized mount options, e.g., "ro".
+	// Nil value means "unknown", not "no support for any mount option".
+	// This list does not contain filesystem-specific options passed to mount(2) syscall as (const void *).
+	MountOptions []string `json:"mountOptions,omitempty"`
+
+	// Linux is specific to Linux.
+	Linux *Linux `json:"linux,omitempty"`
+
+	// Annotations contains implementation-specific annotation strings,
+	// such as the implementation version, and third-party extensions.
+	Annotations map[string]string `json:"annotations,omitempty"`
+}
+
+// Linux is specific to Linux.
+type Linux struct {
+	// Namespaces is the list of the recognized namespaces, e.g., "mount".
+	// Nil value means "unknown", not "no support for any namespace".
+	Namespaces []string `json:"namespaces,omitempty"`
+
+	// Capabilities is the list of the recognized capabilities , e.g., "CAP_SYS_ADMIN".
+	// Nil value means "unknown", not "no support for any capability".
+	Capabilities []string `json:"capabilities,omitempty"`
+
+	Cgroup   *Cgroup   `json:"cgroup,omitempty"`
+	Seccomp  *Seccomp  `json:"seccomp,omitempty"`
+	Apparmor *Apparmor `json:"apparmor,omitempty"`
+	Selinux  *Selinux  `json:"selinux,omitempty"`
+	IntelRdt *IntelRdt `json:"intelRdt,omitempty"`
+}
+
+// Cgroup represents the "cgroup" field.
+type Cgroup struct {
+	// V1 represents whether Cgroup v1 support is compiled in.
+	// Unrelated to whether the host uses cgroup v1 or not.
+	// Nil value means "unknown", not "false".
+	V1 *bool `json:"v1,omitempty"`
+
+	// V2 represents whether Cgroup v2 support is compiled in.
+	// Unrelated to whether the host uses cgroup v2 or not.
+	// Nil value means "unknown", not "false".
+	V2 *bool `json:"v2,omitempty"`
+
+	// Systemd represents whether systemd-cgroup support is compiled in.
+	// Unrelated to whether the host uses systemd or not.
+	// Nil value means "unknown", not "false".
+	Systemd *bool `json:"systemd,omitempty"`
+
+	// SystemdUser represents whether user-scoped systemd-cgroup support is compiled in.
+	// Unrelated to whether the host uses systemd or not.
+	// Nil value means "unknown", not "false".
+	SystemdUser *bool `json:"systemdUser,omitempty"`
+
+	// Rdma represents whether RDMA cgroup support is compiled in.
+	// Unrelated to whether the host supports RDMA or not.
+	// Nil value means "unknown", not "false".
+	Rdma *bool `json:"rdma,omitempty"`
+}
+
+// Seccomp represents the "seccomp" field.
+type Seccomp struct {
+	// Enabled is true if seccomp support is compiled in.
+	// Nil value means "unknown", not "false".
+	Enabled *bool `json:"enabled,omitempty"`
+
+	// Actions is the list of the recognized actions, e.g., "SCMP_ACT_NOTIFY".
+	// Nil value means "unknown", not "no support for any action".
+	Actions []string `json:"actions,omitempty"`
+
+	// Operators is the list of the recognized operators, e.g., "SCMP_CMP_NE".
+	// Nil value means "unknown", not "no support for any operator".
+	Operators []string `json:"operators,omitempty"`
+
+	// Archs is the list of the recognized archs, e.g., "SCMP_ARCH_X86_64".
+	// Nil value means "unknown", not "no support for any arch".
+	Archs []string `json:"archs,omitempty"`
+
+	// KnownFlags is the list of the recognized filter flags, e.g., "SECCOMP_FILTER_FLAG_LOG".
+	// Nil value means "unknown", not "no flags are recognized".
+	KnownFlags []string `json:"knownFlags,omitempty"`
+
+	// SupportedFlags is the list of the supported filter flags, e.g., "SECCOMP_FILTER_FLAG_LOG".
+	// This list may be a subset of KnownFlags due to some flags
+	// not supported by the current kernel and/or libseccomp.
+	// Nil value means "unknown", not "no flags are supported".
+	SupportedFlags []string `json:"supportedFlags,omitempty"`
+}
+
+// Apparmor represents the "apparmor" field.
+type Apparmor struct {
+	// Enabled is true if AppArmor support is compiled in.
+	// Unrelated to whether the host supports AppArmor or not.
+	// Nil value means "unknown", not "false".
+	Enabled *bool `json:"enabled,omitempty"`
+}
+
+// Selinux represents the "selinux" field.
+type Selinux struct {
+	// Enabled is true if SELinux support is compiled in.
+	// Unrelated to whether the host supports SELinux or not.
+	// Nil value means "unknown", not "false".
+	Enabled *bool `json:"enabled,omitempty"`
+}
+
+// IntelRdt represents the "intelRdt" field.
+type IntelRdt struct {
+	// Enabled is true if Intel RDT support is compiled in.
+	// Unrelated to whether the host supports Intel RDT or not.
+	// Nil value means "unknown", not "false".
+	Enabled *bool `json:"enabled,omitempty"`
+}
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
@@ -11,7 +11,7 @@ const (
 	VersionPatch = 0

 	// VersionDev indicates development branch. Releases will be empty string.
-	VersionDev = "-rc.1"
+	VersionDev = "-rc.2"
 )

 // Version is the specification version that the package types support.
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -36,9 +36,10 @@ github.com/moby/sys/mountinfo
 # github.com/mrunalp/fileutils v0.5.0
 ## explicit; go 1.13
 github.com/mrunalp/fileutils
-# github.com/opencontainers/runtime-spec v1.1.0-rc.1
+# github.com/opencontainers/runtime-spec v1.1.0-rc.2
 ## explicit
 github.com/opencontainers/runtime-spec/specs-go
+github.com/opencontainers/runtime-spec/specs-go/features
 # github.com/opencontainers/selinux v1.11.0
 ## explicit; go 1.19
 github.com/opencontainers/selinux/go-selinux