diff -pruN 1.2.0-2/.github/workflows/build-pr.yml 1.2.1-1/.github/workflows/build-pr.yml --- 1.2.0-2/.github/workflows/build-pr.yml 2024-01-26 12:55:39.000000000 +0000 +++ 1.2.1-1/.github/workflows/build-pr.yml 1970-01-01 00:00:00.000000000 +0000 @@ -1,47 +0,0 @@ -name: build-pr - -on: - pull_request: - branches: - - main - -jobs: - run: - runs-on: ubuntu-latest - - strategy: - matrix: - go: [1.19.x, 1.20.x] - - steps: - - name: checkout source code - uses: actions/checkout@v3 - - - name: setup go environment - uses: actions/setup-go@v4 - with: - go-version: ${{ matrix.go }} - - - name: create go.mod - run: | - # Fix for "cannot find main module" issue - go mod init github.com/opencontainers/runtime-spec - - go get -d ./schema/... - - - name: run golangci-lint - uses: golangci/golangci-lint-action@v3 - with: - version: v1.51.2 - args: --verbose - - - name: run tests - run: | - set -x - make install.tools - - make .govet - - make .gitvalidation - make docs - make -C schema test diff -pruN 1.2.0-2/.github/workflows/build.yml 1.2.1-1/.github/workflows/build.yml --- 1.2.0-2/.github/workflows/build.yml 2024-01-26 12:55:39.000000000 +0000 +++ 1.2.1-1/.github/workflows/build.yml 2025-02-25 22:46:15.000000000 +0000 @@ -4,6 +4,9 @@ on: push: branches: - main + pull_request: + branches: + - main jobs: run: @@ -11,14 +14,14 @@ jobs: strategy: matrix: - go: [1.19.x, 1.20.x] + go: [1.21.x, 1.22.x] steps: - name: checkout source code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: setup go environment - uses: actions/setup-go@v4 + uses: actions/setup-go@v5 with: go-version: ${{ matrix.go }} @@ -30,9 +33,9 @@ jobs: go get -d ./schema/... - name: run golangci-lint - uses: golangci/golangci-lint-action@v3 + uses: golangci/golangci-lint-action@v4 with: - version: v1.51.2 + version: v1.56.1 args: --verbose - name: run tests diff -pruN 1.2.0-2/.github/workflows/lint.yml 1.2.1-1/.github/workflows/lint.yml --- 1.2.0-2/.github/workflows/lint.yml 1970-01-01 00:00:00.000000000 +0000 +++ 1.2.1-1/.github/workflows/lint.yml 2025-02-25 22:46:15.000000000 +0000 @@ -0,0 +1,14 @@ +name: Lint + +on: [push, pull_request] + +jobs: + check-format: + runs-on: ubuntu-24.04 + steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Run make -C schema fmt + run: make -C schema fmt + - name: Check for changes + run: git diff --exit-code diff -pruN 1.2.0-2/CODEOWNERS 1.2.1-1/CODEOWNERS --- 1.2.0-2/CODEOWNERS 2024-01-26 12:55:39.000000000 +0000 +++ 1.2.1-1/CODEOWNERS 2025-02-25 22:46:15.000000000 +0000 @@ -1 +1 @@ -* @AkihiroSuda @crosbymichael @cyphar @dqminh @giuseppe @hqhq @kolyshkin @mrunalp @thaJeztah @tianon @vbatts @utam0k +* @AkihiroSuda @crosbymichael @cyphar @dqminh @giuseppe @hqhq @kolyshkin @mrunalp @thaJeztah @tianon @utam0k diff -pruN 1.2.0-2/ChangeLog 1.2.1-1/ChangeLog --- 1.2.0-2/ChangeLog 2024-01-26 12:55:39.000000000 +0000 +++ 1.2.1-1/ChangeLog 2025-02-25 22:46:15.000000000 +0000 @@ -1,5 +1,34 @@ OpenContainers Specifications +Changes with v1.2.1: + + Additions: + + * zos updates (#1273) + * Add support for windows CPU affinity (#1258) + * specs-go: sync SCMP_ARCH_* constants with libseccomp main (#1229) + * Add CPU affinity to executed processes (#1253, #1261) + * config-linux: describe the format of cpus and mems (#1253) + + Minor fixes: + + * Fix description of errnoRet in Seccomp (#1277) + * config-linux: update for libseccomp v2.6.0 (#1276) + * Correct `prestart` hook description in summary (#1275) + + Documentation, CI & Governance: + + * ci: Add a github actions workflow for lint (#1257) + * update http links to https (#1269) + * doc: fix the invalid hyperlink naming-a-volume (#1268) + * ci: remove redundunt actions (#1256) + * chore: format JSON file `make -C schema fmt` (#1255) + * CODEOWNERS: remove vbatts (#1248) + * MAINTAINERS: move vbatts to EMERITUS (#1248) + * Update golangci-lint to v1.56.1 in CI (#1245) + * Add Go v1.21 and v1.22 to GitHub Actions CI matrix (#1245) + * Update GitHub Actions packages to resolve warnings in CI (#1244) + Changes with v1.2.0: Additions: diff -pruN 1.2.0-2/EMERITUS.md 1.2.1-1/EMERITUS.md --- 1.2.0-2/EMERITUS.md 1970-01-01 00:00:00.000000000 +0000 +++ 1.2.1-1/EMERITUS.md 2025-02-25 22:46:15.000000000 +0000 @@ -0,0 +1,12 @@ +# Emeritus + +We would like to acknowledge previous OCI runtime spec maintainers and their huge contributions to our collective success: + +- Rohit Jnagal (@rjnagal) +- Victor Marmol (@vmarmol) +- Alexander Morozov (@LK4D4) +- Vishnu Kannan (@vishh) +- Brandon Philips (@philips) +- Vincent Batts (@vbatts) + +We thank these members for their service to the OCI community. diff -pruN 1.2.0-2/MAINTAINERS 1.2.1-1/MAINTAINERS --- 1.2.0-2/MAINTAINERS 2024-01-26 12:55:39.000000000 +0000 +++ 1.2.1-1/MAINTAINERS 2025-02-25 22:46:15.000000000 +0000 @@ -1,6 +1,5 @@ Michael Crosby (@crosbymichael) Mrunal Patel (@mrunalp) -Vincent Batts (@vbatts) Daniel, Dao Quang Minh (@dqminh) Tianon Gravi (@tianon) Qiang Huang (@hqhq) diff -pruN 1.2.0-2/README.md 1.2.1-1/README.md --- 1.2.0-2/README.md 2024-01-26 12:55:39.000000000 +0000 +++ 1.2.1-1/README.md 2025-02-25 22:46:15.000000000 +0000 @@ -75,7 +75,7 @@ OCI discussion happens in the following #### Sign your work The sign-off is a simple line at the end of the explanation for the patch, which certifies that you wrote it or otherwise have the right to pass it on as an open-source patch. -The rules are pretty simple: if you can certify the below (from http://developercertificate.org): +The rules are pretty simple: if you can certify the below (from https://developercertificate.org): ``` Developer Certificate of Origin @@ -143,12 +143,12 @@ Read more on [How to Write a Git Commit [charter]: https://github.com/opencontainers/tob/blob/master/CHARTER.md [code-of-conduct]: https://github.com/opencontainers/org/blob/master/CODE_OF_CONDUCT.md [dev-list]: https://groups.google.com/a/opencontainers.org/forum/#!forum/dev -[how-to-git-commit]: http://chris.beams.io/posts/git-commit +[how-to-git-commit]: https://cbea.ms/git-commit/ [iso-week]: https://en.wikipedia.org/wiki/ISO_week_date#Calculating_the_week_number_of_a_given_date -[minutes]: http://ircbot.wl.linuxfoundation.org/meetings/opencontainers/ +[minutes]: https://ircbot.wl.linuxfoundation.org/meetings/opencontainers/ [oci]: https://www.opencontainers.org [rfc5545]: https://tools.ietf.org/html/rfc5545 [runtime-wiki]: https://github.com/opencontainers/runtime-spec/wiki [uberconference]: https://www.uberconference.com/opencontainers -[git-commit.1]: http://git-scm.com/docs/git-commit +[git-commit.1]: https://git-scm.com/docs/git-commit diff -pruN 1.2.0-2/config-linux.md 1.2.1-1/config-linux.md --- 1.2.0-2/config-linux.md 2024-01-26 12:55:39.000000000 +0000 +++ 1.2.1-1/config-linux.md 2025-02-25 22:46:15.000000000 +0000 @@ -395,8 +395,8 @@ The following parameters can be specifie * **`period`** *(uint64, OPTIONAL)* - specifies a period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated (CFS scheduler only) * **`realtimeRuntime`** *(int64, OPTIONAL)* - specifies a period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources * **`realtimePeriod`** *(uint64, OPTIONAL)* - same as **`period`** but applies to realtime scheduler only -* **`cpus`** *(string, OPTIONAL)* - list of CPUs the container will run in -* **`mems`** *(string, OPTIONAL)* - list of Memory Nodes the container will run in +* **`cpus`** *(string, OPTIONAL)* - list of CPUs the container will run on. This is a comma-separated list, with dashes to represent ranges. For example, `0-3,7` represents CPUs 0,1,2,3, and 7. +* **`mems`** *(string, OPTIONAL)* - list of memory nodes the container will run on. This is a comma-separated list, with dashes to represent ranges. For example, `0-3,7` represents memory nodes 0,1,2,3, and 7. * **`idle`** *(int64, OPTIONAL)* - cgroups are configured with minimum weight, 0: default behavior, 1: SCHED_IDLE. #### Example @@ -719,9 +719,9 @@ The following parameters can be specifie * **`defaultErrnoRet`** *(uint, OPTIONAL)* - the errno return code to use. Some actions like `SCMP_ACT_ERRNO` and `SCMP_ACT_TRACE` allow to specify the errno code to return. When the action doesn't support an errno, the runtime MUST print and error and fail. - If not specified then its default value is `EPERM`. + The default is `EPERM`. * **`architectures`** *(array of strings, OPTIONAL)* - the architecture used for system calls. - A valid list of constants as of libseccomp v2.5.0 is shown below. + A valid list of constants as of libseccomp v2.6.0 is shown below. * `SCMP_ARCH_X86` * `SCMP_ARCH_X86_64` @@ -742,6 +742,10 @@ The following parameters can be specifie * `SCMP_ARCH_PARISC` * `SCMP_ARCH_PARISC64` * `SCMP_ARCH_RISCV64` + * `SCMP_ARCH_LOONGARCH64` + * `SCMP_ARCH_M68K` + * `SCMP_ARCH_SH` + * `SCMP_ARCH_SHEB` * **`flags`** *(array of strings, OPTIONAL)* - list of flags to use with seccomp(2). @@ -775,7 +779,7 @@ The following parameters can be specifie * **`names`** *(array of strings, REQUIRED)* - the names of the syscalls. `names` MUST contain at least one entry. * **`action`** *(string, REQUIRED)* - the action for seccomp rules. - A valid list of constants as of libseccomp v2.5.0 is shown below. + A valid list of constants as of libseccomp v2.6.0 is shown below. * `SCMP_ACT_KILL` * `SCMP_ACT_KILL_PROCESS` @@ -790,7 +794,7 @@ The following parameters can be specifie * **`errnoRet`** *(uint, OPTIONAL)* - the errno return code to use. Some actions like `SCMP_ACT_ERRNO` and `SCMP_ACT_TRACE` allow to specify the errno code to return. When the action doesn't support an errno, the runtime MUST print and error and fail. - If not specified its default value is `EPERM`. + The default is `EPERM`. * **`args`** *(array of objects, OPTIONAL)* - the specific syscall in seccomp. Each entry has the following structure: @@ -799,7 +803,7 @@ The following parameters can be specifie * **`value`** *(uint64, REQUIRED)* - the value for syscall arguments in seccomp. * **`valueTwo`** *(uint64, OPTIONAL)* - the value for syscall arguments in seccomp. * **`op`** *(string, REQUIRED)* - the operator for syscall arguments in seccomp. - A valid list of constants as of libseccomp v2.3.2 is shown below. + A valid list of constants as of libseccomp v2.6.0 is shown below. * `SCMP_CMP_NE` * `SCMP_CMP_LT` @@ -959,7 +963,7 @@ subset of the available options. [cgroup-v2-io]: https://docs.kernel.org/admin-guide/cgroup-v2.html#io [devices]: https://www.kernel.org/doc/Documentation/admin-guide/devices.txt [devpts]: https://www.kernel.org/doc/Documentation/filesystems/devpts.txt -[file]: http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_164 +[file]: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_164 [libseccomp]: https://github.com/seccomp/libseccomp [proc]: https://www.kernel.org/doc/Documentation/filesystems/proc.txt [seccomp]: https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt @@ -967,17 +971,17 @@ subset of the available options. [sysfs]: https://www.kernel.org/doc/Documentation/filesystems/sysfs.txt [tmpfs]: https://www.kernel.org/doc/Documentation/filesystems/tmpfs.txt -[full.4]: http://man7.org/linux/man-pages/man4/full.4.html -[mknod.1]: http://man7.org/linux/man-pages/man1/mknod.1.html -[mknod.2]: http://man7.org/linux/man-pages/man2/mknod.2.html -[namespaces.7_2]: http://man7.org/linux/man-pages/man7/namespaces.7.html -[null.4]: http://man7.org/linux/man-pages/man4/null.4.html -[personality.2]: http://man7.org/linux/man-pages/man2/personality.2.html -[pts.4]: http://man7.org/linux/man-pages/man4/pts.4.html -[random.4]: http://man7.org/linux/man-pages/man4/random.4.html -[sysctl.8]: http://man7.org/linux/man-pages/man8/sysctl.8.html -[tty.4]: http://man7.org/linux/man-pages/man4/tty.4.html -[zero.4]: http://man7.org/linux/man-pages/man4/zero.4.html -[user-namespaces]: http://man7.org/linux/man-pages/man7/user_namespaces.7.html +[full.4]: https://man7.org/linux/man-pages/man4/full.4.html +[mknod.1]: https://man7.org/linux/man-pages/man1/mknod.1.html +[mknod.2]: https://man7.org/linux/man-pages/man2/mknod.2.html +[namespaces.7_2]: https://man7.org/linux/man-pages/man7/namespaces.7.html +[null.4]: https://man7.org/linux/man-pages/man4/null.4.html +[personality.2]: https://man7.org/linux/man-pages/man2/personality.2.html +[pts.4]: https://man7.org/linux/man-pages/man4/pts.4.html +[random.4]: https://man7.org/linux/man-pages/man4/random.4.html +[sysctl.8]: https://man7.org/linux/man-pages/man8/sysctl.8.html +[tty.4]: https://man7.org/linux/man-pages/man4/tty.4.html +[zero.4]: https://man7.org/linux/man-pages/man4/zero.4.html +[user-namespaces]: https://man7.org/linux/man-pages/man7/user_namespaces.7.html [intel-rdt-cat-kernel-interface]: https://www.kernel.org/doc/Documentation/x86/intel_rdt_ui.txt [time_namespaces.7]: https://man7.org/linux/man-pages/man7/time_namespaces.7.html diff -pruN 1.2.0-2/config-solaris.md 1.2.1-1/config-solaris.md --- 1.2.0-2/config-solaris.md 2024-01-26 12:55:39.000000000 +0000 +++ 1.2.1-1/config-solaris.md 2025-02-25 22:46:15.000000000 +0000 @@ -115,6 +115,6 @@ Mapped to `lower-link` in the [zonecfg(1 ``` -[priv-str-to-set.3c]: http://docs.oracle.com/cd/E86824_01/html/E54766/priv-str-to-set-3c.html -[zoneadmd.1m]: http://docs.oracle.com/cd/E86824_01/html/E54764/zoneadmd-1m.html -[zonecfg.1m_2]: http://docs.oracle.com/cd/E86824_01/html/E54764/zonecfg-1m.html +[priv-str-to-set.3c]: https://docs.oracle.com/cd/E86824_01/html/E54766/priv-str-to-set-3c.html +[zoneadmd.1m]: https://docs.oracle.com/cd/E86824_01/html/E54764/zoneadmd-1m.html +[zonecfg.1m_2]: https://docs.oracle.com/cd/E86824_01/html/E54764/zonecfg-1m.html diff -pruN 1.2.0-2/config-windows.md 1.2.1-1/config-windows.md --- 1.2.0-2/config-windows.md 2024-01-26 12:55:39.000000000 +0000 +++ 1.2.1-1/config-windows.md 2025-02-25 22:46:15.000000000 +0000 @@ -82,6 +82,14 @@ The following parameters can be specifie * **`count`** *(uint64, OPTIONAL)* - specifies the number of CPUs available to the container. It represents the fraction of the configured processor `count` in a container in relation to the processors available in the host. The fraction ultimately determines the portion of processor cycles that the threads in a container can use during each scheduling interval, as the number of cycles per 10,000 cycles. * **`shares`** *(uint16, OPTIONAL)* - limits the share of processor time given to the container relative to other workloads on the processor. The processor `shares` (`weight` at the platform level) is a value between 0 and 10,000. * **`maximum`** *(uint16, OPTIONAL)* - determines the portion of processor cycles that the threads in a container can use during each scheduling interval, as the number of cycles per 10,000 cycles. Set processor `maximum` to a percentage times 100. +* **`affinity`** *(array of objects, OPTIONAL)* - specifies the set of CPU to affinitize for this container. + + Each entry has the following structure: + + Ref: https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/miniport/ns-miniport-_group_affinity + + * **`mask`** *(uint64, REQUIRED)* - specifies the CPU mask relative to this CPU group. + * **`group`** *(uint32, REQUIRED)* - specifies the processor group this mask refers to, as returned by GetLogicalProcessorInformationEx. Ref: https://docs.microsoft.com/en-us/virtualization/api/hcs/schemareference#Container_Processor diff -pruN 1.2.0-2/config-zos.md 1.2.1-1/config-zos.md --- 1.2.0-2/config-zos.md 2024-01-26 12:55:39.000000000 +0000 +++ 1.2.1-1/config-zos.md 2025-02-25 22:46:15.000000000 +0000 @@ -1,20 +1,56 @@ -_This document is a work in progress._ - # z/OS Container Configuration This document describes the schema for the [z/OS-specific section](config.md#platform-specific-configuration) of the [container configuration](config.md). +The z/OS container specification uses z/OS UNIX kernel features like namespaces and filesystem jails to fulfill the spec. -## Devices - -**`devices`** (array of objects, OPTIONAL) lists devices that MUST be available in the container. -The runtime MAY supply them however it likes. - -Each entry has the following structure: +Applications expecting a z/OS environment will very likely expect these file paths to be set up correctly. -* **`type`** *(string, REQUIRED)* - type of device: `c`, `b`, `u` or `p`. -* **`path`** *(string, REQUIRED)* - full path to device inside container. - If a file already exists at `path` that does not match the requested device, the runtime MUST generate an error. -* **`major, minor`** *(int64, REQUIRED unless `type` is `p`)* - major, minor numbers for the device. -* **`fileMode`** *(uint32, OPTIONAL)* - file mode for the device. +The following filesystems SHOULD be made available in each container's filesystem: -The same `type`, `major` and `minor` SHOULD NOT be used for multiple devices. +| Path | Type | +| -------- | ------ | +| /proc | [proc][] | + +## Namespaces + +A namespace wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource. +Changes to the global resource are visible to other processes that are members of the namespace, but are invisible to other processes. +For more information, see https://www.ibm.com/docs/zos/latest?topic=planning-namespaces-zos-unix. + +Namespaces are specified as an array of entries inside the `namespaces` root field. +The following parameters can be specified to set up namespaces: + +* **`type`** *(string, REQUIRED)* - namespace type. The following namespace types SHOULD be supported: + * **`pid`** processes inside the container will only be able to see other processes inside the same container or inside the same pid namespace. + * **`mount`** the container will have an isolated mount table. + * **`ipc`** processes inside the container will only be able to communicate to other processes inside the same container via system level IPC. + * **`uts`** the container will be able to have its own hostname and domain name. +* **`path`** *(string, OPTIONAL)* - namespace file. + This value MUST be an absolute path in the [runtime mount namespace](glossary.md#runtime-namespace). + The runtime MUST place the container process in the namespace associated with that `path`. + The runtime MUST [generate an error](runtime.md#errors) if `path` is not associated with a namespace of type `type`. + + If `path` is not specified, the runtime MUST create a new [container namespace](glossary.md#container-namespace) of type `type`. + +If a namespace type is not specified in the `namespaces` array, the container MUST inherit the [runtime namespace](glossary.md#runtime-namespace) of that type. +If a `namespaces` field contains duplicated namespaces with same `type`, the runtime MUST [generate an error](runtime.md#errors). + +### Example + +```json +"namespaces": [ + { + "type": "pid", + "path": "/proc/1234/ns/pid" + }, + { + "type": "mount" + }, + { + "type": "ipc" + }, + { + "type": "uts" + } +] +``` diff -pruN 1.2.0-2/config.md 1.2.1-1/config.md --- 1.2.0-2/config.md 2024-01-26 12:55:39.000000000 +0000 +++ 1.2.1-1/config.md 2025-02-25 22:46:15.000000000 +0000 @@ -340,6 +340,24 @@ For Linux-based systems, the `process` o * **`class`** (string, REQUIRED) specifies the I/O scheduling class. Possible values are `IOPRIO_CLASS_RT`, `IOPRIO_CLASS_BE`, and `IOPRIO_CLASS_IDLE`. * **`priority`** (int, REQUIRED) specifies the priority level within the class. The value should be an integer ranging from 0 (highest) to 7 (lowest). +* **`execCPUAffinity`** (object, OPTIONAL) specifies CPU affinity used to execute the process. + This setting is not applicable to the container's init process. + The following properties are available: + * **`initial`** (string, OPTIONAL) is a list of CPUs a runtime parent + process to be run on initially, before the transition to container's + cgroup. This is a a comma-separated list, with dashes to represent + ranges. For example, `0-3,7` represents CPUs 0,1,2,3, and 7. + * **`final`** (string, OPTIONAL) is a list of CPUs the process will be run + on after the transition to container's cgroup. The format is the same as + for `initial`. If omitted or empty, runtime SHOULD NOT change process' + CPU affinity after the process is moved to container's cgroup, and the + final affinity is determined by the Linux kernel. + +### z/OS Process + +For z/OS-based systems, the `process` object supports the following process-specific properties. + +* **`noNewPrivileges`** (bool, OPTIONAL) setting `noNewPrivileges` to true prevents the process from gaining additional privileges. ### User @@ -416,7 +434,11 @@ _Note: symbolic name for uid and gid, su "hard": 1024, "soft": 1024 } - ] + ], + "execCPUAffinity": { + "initial": "7", + "final": "0-3,7" + } } ``` ### Example (Solaris) @@ -631,7 +653,7 @@ See the below table for a summary of hoo | Name | Namespace | When | | ----------------------- | --------- | -----------------------------------------------------------------------------------------------------------------------------------| -| `prestart` (Deprecated) | runtime | After the start operation is called but before the user-specified program command is executed. | +| `prestart` (Deprecated) | runtime | During the create operation, after the runtime environment has been created and before the pivot root or any equivalent operation. | | `createRuntime` | runtime | During the create operation, after the runtime environment has been created and before the pivot root or any equivalent operation. | | `createContainer` | container | During the create operation, after the runtime environment has been created and before the pivot root or any equivalent operation. | | `startContainer` | container | After the start operation is called but before the user-specified program command is executed. | @@ -1135,26 +1157,26 @@ Here is a full example `config.json` for [apparmor]: https://wiki.ubuntu.com/AppArmor [cgroup-v1-memory_2]: https://www.kernel.org/doc/Documentation/cgroup-v1/memory.txt -[selinux]:http://selinuxproject.org/page/Main_Page +[selinux]:https://selinuxproject.org/page/Main_Page [no-new-privs]: https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt [proc_2]: https://www.kernel.org/doc/Documentation/filesystems/proc.txt -[umask.2]: http://pubs.opengroup.org/onlinepubs/009695399/functions/umask.html -[semver-v2.0.0]: http://semver.org/spec/v2.0.0.html -[ieee-1003.1-2008-xbd-c8.1]: http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_01 -[ieee-1003.1-2008-functions-exec]: http://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html -[naming-a-volume]: https://aka.ms/nb3hqb +[umask.2]: https://pubs.opengroup.org/onlinepubs/009695399/functions/umask.html +[semver-v2.0.0]: https://semver.org/spec/v2.0.0.html +[ieee-1003.1-2008-xbd-c8.1]: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_01 +[ieee-1003.1-2008-functions-exec]: https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html +[naming-a-volume]: https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a-volume [oci-image-config-properties]: https://github.com/opencontainers/image-spec/blob/v1.1.0-rc2/config.md#properties [oci-image-conversion]: https://github.com/opencontainers/image-spec/blob/v1.1.0-rc2/conversion.md -[capabilities.7]: http://man7.org/linux/man-pages/man7/capabilities.7.html -[mount.2]: http://man7.org/linux/man-pages/man2/mount.2.html -[mount.8]: http://man7.org/linux/man-pages/man8/mount.8.html -[mount.8-filesystem-independent]: http://man7.org/linux/man-pages/man8/mount.8.html#FILESYSTEM-INDEPENDENT_MOUNT_OPTIONS -[mount.8-filesystem-specific]: http://man7.org/linux/man-pages/man8/mount.8.html#FILESYSTEM-SPECIFIC_MOUNT_OPTIONS -[mount_setattr.2]: http://man7.org/linux/man-pages/man2/mount_setattr.2.html +[capabilities.7]: https://man7.org/linux/man-pages/man7/capabilities.7.html +[mount.2]: https://man7.org/linux/man-pages/man2/mount.2.html +[mount.8]: https://man7.org/linux/man-pages/man8/mount.8.html +[mount.8-filesystem-independent]: https://man7.org/linux/man-pages/man8/mount.8.html#FILESYSTEM-INDEPENDENT_MOUNT_OPTIONS +[mount.8-filesystem-specific]: https://man7.org/linux/man-pages/man8/mount.8.html#FILESYSTEM-SPECIFIC_MOUNT_OPTIONS +[mount_setattr.2]: https://man7.org/linux/man-pages/man2/mount_setattr.2.html [mount-bind]: https://docs.kernel.org/filesystems/sharedsubtree.html -[getrlimit.2]: http://man7.org/linux/man-pages/man2/getrlimit.2.html -[getrlimit.3]: http://pubs.opengroup.org/onlinepubs/9699919799/functions/getrlimit.html -[stdin.3]: http://man7.org/linux/man-pages/man3/stdin.3.html -[uts-namespace.7]: http://man7.org/linux/man-pages/man7/namespaces.7.html -[zonecfg.1m]: http://docs.oracle.com/cd/E86824_01/html/E54764/zonecfg-1m.html +[getrlimit.2]: https://man7.org/linux/man-pages/man2/getrlimit.2.html +[getrlimit.3]: https://pubs.opengroup.org/onlinepubs/9699919799/functions/getrlimit.html +[stdin.3]: https://man7.org/linux/man-pages/man3/stdin.3.html +[uts-namespace.7]: https://man7.org/linux/man-pages/man7/namespaces.7.html +[zonecfg.1m]: https://docs.oracle.com/cd/E86824_01/html/E54764/zonecfg-1m.html diff -pruN 1.2.0-2/debian/changelog 1.2.1-1/debian/changelog --- 1.2.0-2/debian/changelog 2025-01-04 09:40:53.000000000 +0000 +++ 1.2.1-1/debian/changelog 2025-08-11 00:06:54.000000000 +0000 @@ -1,3 +1,12 @@ +golang-github-opencontainers-specs (1.2.1-1) unstable; urgency=medium + + * Team upload + * New upstream release + * Bump standards version, no changes needed + * Drop patches, merged upstream + + -- Reinhard Tartler Sun, 10 Aug 2025 20:06:54 -0400 + golang-github-opencontainers-specs (1.2.0-2) unstable; urgency=medium * Team upload. diff -pruN 1.2.0-2/debian/control 1.2.1-1/debian/control --- 1.2.0-2/debian/control 2024-05-02 13:29:39.000000000 +0000 +++ 1.2.1-1/debian/control 2025-08-11 00:06:54.000000000 +0000 @@ -1,7 +1,7 @@ Source: golang-github-opencontainers-specs Section: golang Priority: optional -Standards-Version: 4.7.0 +Standards-Version: 4.7.2 Maintainer: Debian Go Packaging Team Uploaders: Dmitry Smirnov , diff -pruN 1.2.0-2/debian/gbp.conf 1.2.1-1/debian/gbp.conf --- 1.2.0-2/debian/gbp.conf 2023-01-25 03:33:55.000000000 +0000 +++ 1.2.1-1/debian/gbp.conf 2025-08-11 00:06:54.000000000 +0000 @@ -1,2 +1,5 @@ [DEFAULT] pristine-tar = True +debian-branch = master +dist = DEP14 +upstream-vcs-tag = v%(version%~%-)s diff -pruN 1.2.0-2/debian/gitlab-ci.yml 1.2.1-1/debian/gitlab-ci.yml --- 1.2.0-2/debian/gitlab-ci.yml 2023-01-25 03:33:55.000000000 +0000 +++ 1.2.1-1/debian/gitlab-ci.yml 2025-08-11 00:06:54.000000000 +0000 @@ -1,6 +1,47 @@ -# auto-generated, DO NOT MODIFY. -# The authoritative copy of this file lives at: +# DO NOT MODIFY +# This file was automatically generated from the authoritative copy at: # https://salsa.debian.org/go-team/infra/pkg-go-tools/blob/master/config/gitlabciyml.go --- +stages: + - test + - package + include: - - https://salsa.debian.org/go-team/infra/pkg-go-tools/-/raw/master/pipeline/test-archive.yml + - project: go-team/infra/pkg-go-tools + ref: master + file: pipeline/test-archive.yml + # Run the Go team CI only in the go-team project that has access to GitLab + # CI runners tagged 'go-ci' + rules: + - if: $CI_PROJECT_ROOT_NAMESPACE == "go-team" + +Salsa CI: + stage: package + trigger: + include: + - project: salsa-ci-team/pipeline + ref: master + file: recipes/debian.yml + strategy: depend + rules: + # Do not create a pipeline for tags unless SALSA_CI_ENABLE_PIPELINE_ON_TAGS is set + - if: $CI_COMMIT_TAG != null && $SALSA_CI_ENABLE_PIPELINE_ON_TAGS !~ /^(1|yes|true)$/ + when: never + # Avoid duplicated pipelines, do not run detached pipelines + - if: '$CI_PIPELINE_SOURCE == "merge_request_event"' + when: never + # Run Salsa CI only if the Play button is pressed on the pipeline + - if: $CI_PIPELINE_SOURCE == "push" + when: manual + variables: + SALSA_CI_DISABLE_REPROTEST: 1 # Disable to save CI runner resources + +# If Salsa CI is not running at +# https://salsa.debian.org/%{project_path}/-/pipelines, ensure that +# https://salsa.debian.org/%{project_path}/-/settings/ci_cd has in field "CI/CD +# configuration file" the same filename as this file. +# +# If Salsa CI is running, but first job is stuck because the project doesn't +# have any runners online assigned to it, ensure that +# https://salsa.debian.org/%{project_path}/-/settings/ci_cd has under "Runners" +# the setting for "Enable instance runners for this project" enabled. diff -pruN 1.2.0-2/debian/patches/Add-CPU-affinity-to-executed-processes.patch 1.2.1-1/debian/patches/Add-CPU-affinity-to-executed-processes.patch --- 1.2.0-2/debian/patches/Add-CPU-affinity-to-executed-processes.patch 2025-01-04 09:40:10.000000000 +0000 +++ 1.2.1-1/debian/patches/Add-CPU-affinity-to-executed-processes.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,107 +0,0 @@ -From 119ae426a12298a57b5d0828017c878f34fb7cf0 Mon Sep 17 00:00:00 2001 -From: Kir Kolyshkin -Date: Fri, 17 May 2024 18:16:27 -0700 -Subject: [PATCH 10/15] Add CPU affinity to executed processes - -This allows to set initial and final CPU affinity for a process being -run in a container, which is needed to solve the issue described in [1]. - -[1] https://github.com/opencontainers/runc/issues/3922 - -Signed-off-by: Kir Kolyshkin ---- - config.md | 17 ++++++++++++++++- - schema/config-schema.json | 15 ++++++++++++++- - specs-go/config.go | 8 ++++++++ - 3 files changed, 38 insertions(+), 2 deletions(-) - -diff --git a/config.md b/config.md -index a1b39ad..b9b5573 100644 ---- a/config.md -+++ b/config.md -@@ -340,6 +340,17 @@ For Linux-based systems, the `process` object supports the following process-spe - - * **`class`** (string, REQUIRED) specifies the I/O scheduling class. Possible values are `IOPRIO_CLASS_RT`, `IOPRIO_CLASS_BE`, and `IOPRIO_CLASS_IDLE`. - * **`priority`** (int, REQUIRED) specifies the priority level within the class. The value should be an integer ranging from 0 (highest) to 7 (lowest). -+* **`execCPUAffinity`** (object, OPTIONAL) specifies CPU affinity used to execute the process. -+ This setting is not applicable to the container's init process. -+ The following properties are available: -+ * **`initial`** (string, OPTIONAL) is a list of CPUs a runtime parent -+ process to be run on initially, before the transition to container's -+ cgroup. This is a a comma-separated list, with dashes to represent -+ ranges. For example, `0-3,7` represents CPUs 0,1,2,3, and 7. -+ * **`final`** (string, OPTIONAL) is a list of CPUs the process will be run -+ on after the transition to container's cgroup. The format is the same as -+ for `initial`. If omitted or empty, the container's default CPU affinity, -+ as defined by [cpu.cpus property](./config.md#configLinuxCPUs)), is used. - - ### User - -@@ -416,7 +427,11 @@ _Note: symbolic name for uid and gid, such as uname and gname respectively, are - "hard": 1024, - "soft": 1024 - } -- ] -+ ], -+ "execCPUAffinity": { -+ "initial": "7", -+ "final": "0-3,7" -+ } - } - ``` - ### Example (Solaris) -diff --git a/schema/config-schema.json b/schema/config-schema.json -index 4d549bf..cb74342 100644 ---- a/schema/config-schema.json -+++ b/schema/config-schema.json -@@ -220,7 +220,20 @@ - } - } - } -- } -+ }, -+ "execCPUAffinity": { -+ "type": "object", -+ "properties": { -+ "initial": { -+ "type": "string", -+ "pattern": "^[0-9, -]*$" -+ }, -+ "final": { -+ "type": "string", -+ "pattern": "^[0-9, -]*$" -+ } -+ } -+ } - } - }, - "linux": { -diff --git a/specs-go/config.go b/specs-go/config.go -index d1236ba..671f0d0 100644 ---- a/specs-go/config.go -+++ b/specs-go/config.go -@@ -94,6 +94,8 @@ type Process struct { - SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"` - // IOPriority contains the I/O priority settings for the cgroup. - IOPriority *LinuxIOPriority `json:"ioPriority,omitempty" platform:"linux"` -+ // ExecCPUAffinity specifies CPU affinity for exec processes. -+ ExecCPUAffinity *CPUAffinity `json:"execCPUAffinity,omitempty" platform:"linux"` - } - - // LinuxCapabilities specifies the list of allowed capabilities that are kept for a process. -@@ -127,6 +129,12 @@ const ( - IOPRIO_CLASS_IDLE IOPriorityClass = "IOPRIO_CLASS_IDLE" - ) - -+// CPUAffinity specifies process' CPU affinity. -+type CPUAffinity struct { -+ Initial string `json:"initial,omitempty"` -+ Final string `json:"final,omitempty"` -+} -+ - // Box specifies dimensions of a rectangle. Used for specifying the size of a console. - type Box struct { - // Height is the vertical dimension of a box. --- -2.45.2 - diff -pruN 1.2.0-2/debian/patches/series 1.2.1-1/debian/patches/series --- 1.2.0-2/debian/patches/series 2025-01-04 09:40:53.000000000 +0000 +++ 1.2.1-1/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -Add-CPU-affinity-to-executed-processes.patch diff -pruN 1.2.0-2/glossary.md 1.2.1-1/glossary.md --- 1.2.0-2/glossary.md 2024-01-26 12:55:39.000000000 +0000 +++ 1.2.1-1/glossary.md 2025-02-25 22:46:15.000000000 +0000 @@ -46,7 +46,7 @@ Runtime callers often execute a runtime On Linux, the namespaces from which new [container namespaces](#container-namespace) are [created](config-linux.md#namespaces) and from which some configured resources are accessed. [JSON]: https://tools.ietf.org/html/rfc8259 -[UTF-8]: http://www.unicode.org/versions/Unicode8.0.0/ch03.pdf +[UTF-8]: https://www.unicode.org/versions/Unicode8.0.0/ch03.pdf [runc]: https://github.com/opencontainers/runc -[namespaces.7]: http://man7.org/linux/man-pages/man7/namespaces.7.html +[namespaces.7]: https://man7.org/linux/man-pages/man7/namespaces.7.html diff -pruN 1.2.0-2/runtime-linux.md 1.2.1-1/runtime-linux.md --- 1.2.0-2/runtime-linux.md 2024-01-26 12:55:39.000000000 +0000 +++ 1.2.1-1/runtime-linux.md 2025-02-25 22:46:15.000000000 +0000 @@ -18,4 +18,4 @@ While creating the container (step 2 in | /proc/self/fd/2 | /dev/stderr | -[socket-activated-containers]: http://0pointer.de/blog/projects/socket-activated-containers.html +[socket-activated-containers]: https://0pointer.de/blog/projects/socket-activated-containers.html diff -pruN 1.2.0-2/schema/README.md 1.2.1-1/schema/README.md --- 1.2.0-2/schema/README.md 2024-01-26 12:55:39.000000000 +0000 +++ 1.2.1-1/schema/README.md 2025-02-25 22:46:15.000000000 +0000 @@ -2,7 +2,7 @@ ## Overview -This directory contains the [JSON Schema](http://json-schema.org/) for validating JSON covered by this specification. +This directory contains the [JSON Schema](https://json-schema.org) for validating JSON covered by this specification. The layout of the files is as follows: diff -pruN 1.2.0-2/schema/config-schema.json 1.2.1-1/schema/config-schema.json --- 1.2.0-2/schema/config-schema.json 2024-01-26 12:55:39.000000000 +0000 +++ 1.2.1-1/schema/config-schema.json 2025-02-25 22:46:15.000000000 +0000 @@ -181,11 +181,11 @@ "priority": { "$ref": "defs.json#/definitions/int32" }, - "flags": { - "type": "array", - "items": { - "$ref": "defs-linux.json#/definitions/SchedulerFlag" - } + "flags": { + "type": "array", + "items": { + "$ref": "defs-linux.json#/definitions/SchedulerFlag" + } }, "runtime": { "$ref": "defs.json#/definitions/uint64" @@ -220,6 +220,19 @@ } } } + }, + "execCPUAffinity": { + "type": "object", + "properties": { + "initial": { + "type": "string", + "pattern": "^[0-9, -]*$" + }, + "final": { + "type": "string", + "pattern": "^[0-9, -]*$" + } + } } } }, diff -pruN 1.2.0-2/schema/config-windows.json 1.2.1-1/schema/config-windows.json --- 1.2.0-2/schema/config-windows.json 2024-01-26 12:55:39.000000000 +0000 +++ 1.2.1-1/schema/config-windows.json 2025-02-25 22:46:15.000000000 +0000 @@ -38,6 +38,17 @@ }, "maximum": { "$ref": "defs.json#/definitions/uint16" + }, + "affinity": { + "type": "object", + "properties": { + "mask": { + "$ref": "defs.json#/definitions/uint64" + }, + "group": { + "$ref": "defs.json#/definitions/uint32" + } + } } } }, diff -pruN 1.2.0-2/schema/config-zos.json 1.2.1-1/schema/config-zos.json --- 1.2.0-2/schema/config-zos.json 2024-01-26 12:55:39.000000000 +0000 +++ 1.2.1-1/schema/config-zos.json 2025-02-25 22:46:15.000000000 +0000 @@ -3,10 +3,14 @@ "description": "z/OS platform-specific configurations", "type": "object", "properties": { - "devices": { + "namespaces": { "type": "array", "items": { - "$ref": "defs-zos.json#/definitions/Device" + "anyOf": [ + { + "$ref": "defs-zos.json#/definitions/NamespaceReference" + } + ] } } } diff -pruN 1.2.0-2/schema/defs-linux.json 1.2.1-1/schema/defs-linux.json --- 1.2.0-2/schema/defs-linux.json 2024-01-26 12:55:39.000000000 +0000 +++ 1.2.1-1/schema/defs-linux.json 2025-02-25 22:46:15.000000000 +0000 @@ -35,6 +35,8 @@ "SCMP_ARCH_X32", "SCMP_ARCH_ARM", "SCMP_ARCH_AARCH64", + "SCMP_ARCH_LOONGARCH64", + "SCMP_ARCH_M68K", "SCMP_ARCH_MIPS", "SCMP_ARCH_MIPS64", "SCMP_ARCH_MIPS64N32", @@ -46,6 +48,8 @@ "SCMP_ARCH_PPC64LE", "SCMP_ARCH_S390", "SCMP_ARCH_S390X", + "SCMP_ARCH_SH", + "SCMP_ARCH_SHEB", "SCMP_ARCH_PARISC", "SCMP_ARCH_PARISC64", "SCMP_ARCH_RISCV64" diff -pruN 1.2.0-2/schema/defs-zos.json 1.2.1-1/schema/defs-zos.json --- 1.2.0-2/schema/defs-zos.json 2024-01-26 12:55:39.000000000 +0000 +++ 1.2.1-1/schema/defs-zos.json 2025-02-25 22:46:15.000000000 +0000 @@ -1,55 +1,27 @@ { "definitions": { - "Major": { - "description": "major device number", - "$ref": "defs.json#/definitions/int64" - }, - "Minor": { - "description": "minor device number", - "$ref": "defs.json#/definitions/int64" - }, - "FileMode": { - "description": "File permissions mode (typically an octal value)", - "type": "integer", - "minimum": 0, - "maximum": 512 - }, - "FileType": { - "description": "Type of a block or special character device", + "NamespaceType": { "type": "string", - "pattern": "^[cbup]$" + "enum": [ + "mount", + "pid", + "uts", + "ipc" + ] }, - "Device": { + "NamespaceReference": { "type": "object", - "required": [ - "type", - "path", - "major", - "minor" - ], "properties": { - "path": { - "$ref": "defs.json#/definitions/FilePath" - }, "type": { - "$ref": "#/definitions/FileType" + "$ref": "#/definitions/NamespaceType" }, - "major": { - "$ref": "#/definitions/Major" - }, - "minor": { - "$ref": "#/definitions/Minor" - }, - "fileMode": { - "$ref": "#/definitions/FileMode" - }, - "uid": { - "$ref": "defs.json#/definitions/UID" - }, - "gid": { - "$ref": "defs.json#/definitions/GID" + "path": { + "$ref": "defs.json#/definitions/FilePath" } - } + }, + "required": [ + "type" + ] } } } diff -pruN 1.2.0-2/schema/features-linux.json 1.2.1-1/schema/features-linux.json --- 1.2.0-2/schema/features-linux.json 2024-01-26 12:55:39.000000000 +0000 +++ 1.2.1-1/schema/features-linux.json 2025-02-25 22:46:15.000000000 +0000 @@ -104,10 +104,10 @@ "idmap": { "type": "object", "properties": { - "enabled": { + "enabled": { "type": "boolean" } - } + } } } } diff -pruN 1.2.0-2/schema/features-schema.json 1.2.1-1/schema/features-schema.json --- 1.2.0-2/schema/features-schema.json 2024-01-26 12:55:39.000000000 +0000 +++ 1.2.1-1/schema/features-schema.json 2025-02-25 22:46:15.000000000 +0000 @@ -21,7 +21,7 @@ "potentiallyUnsafeConfigAnnotations": { "$ref": "defs.json#/definitions/ArrayOfStrings" }, - "linux": { + "linux": { "$ref": "features-linux.json#/linux" } }, diff -pruN 1.2.0-2/schema/test/config/good/spec-example.json 1.2.1-1/schema/test/config/good/spec-example.json --- 1.2.0-2/schema/test/config/good/spec-example.json 2024-01-26 12:55:39.000000000 +0000 +++ 1.2.1-1/schema/test/config/good/spec-example.json 2025-02-25 22:46:15.000000000 +0000 @@ -159,8 +159,14 @@ "createRuntime": [ { "path": "/usr/bin/fix-mounts", - "args": ["fix-mounts", "arg1", "arg2"], - "env": [ "key1=value1"] + "args": [ + "fix-mounts", + "arg1", + "arg2" + ], + "env": [ + "key1=value1" + ] }, { "path": "/usr/bin/setup-network" @@ -169,8 +175,14 @@ "createContainer": [ { "path": "/usr/bin/mount-hook", - "args": ["-mount", "arg1", "arg2"], - "env": [ "key1=value1"] + "args": [ + "-mount", + "arg1", + "arg2" + ], + "env": [ + "key1=value1" + ] } ], "startContainer": [ diff -pruN 1.2.0-2/schema/test/config/good/zos-example.json 1.2.1-1/schema/test/config/good/zos-example.json --- 1.2.0-2/schema/test/config/good/zos-example.json 1970-01-01 00:00:00.000000000 +0000 +++ 1.2.1-1/schema/test/config/good/zos-example.json 2025-02-25 22:46:15.000000000 +0000 @@ -0,0 +1,138 @@ +{ + "ociVersion": "0.5.0-dev", + "process": { + "terminal": true, + "user": { + "uid": 1, + "gid": 1, + "additionalGids": [ + 5, + 6 + ] + }, + "args": [ + "sh" + ], + "env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/bin", + "TERM=xterm" + ], + "cwd": "/", + "rlimits": [ + { + "type": "RLIMIT_NOFILE", + "hard": 1024, + "soft": 1024 + } + ], + "noNewPrivileges": true + }, + "root": { + "path": "rootfs" + }, + "hostname": "slartibartfast", + "mounts": [ + { + "destination": "/proc", + "type": "proc", + "source": "proc" + }, + { + "destination": "/dev", + "type": "tfs", + "source": "tmpfs", + "options": [ + "nosuid", + "-p 1755", + "-s 64" + ] + } + ], + "hooks": { + "prestart": [ + { + "path": "/usr/bin/fix-mounts", + "args": [ + "fix-mounts", + "arg1", + "arg2" + ], + "env": [ + "key1=value1" + ] + }, + { + "path": "/usr/bin/setup-network" + } + ], + "createRuntime": [ + { + "path": "/usr/bin/fix-mounts", + "args": [ + "fix-mounts", + "arg1", + "arg2" + ], + "env": [ + "key1=value1" + ] + }, + { + "path": "/usr/bin/setup-network" + } + ], + "createContainer": [ + { + "path": "/usr/bin/mount-hook", + "args": [ + "-mount", + "arg1", + "arg2" + ], + "env": [ + "key1=value1" + ] + } + ], + "startContainer": [ + { + "path": "/usr/bin/refresh-ldcache" + } + ], + "poststart": [ + { + "path": "/usr/bin/notify-start", + "timeout": 5 + } + ], + "poststop": [ + { + "path": "/usr/sbin/cleanup.sh", + "args": [ + "cleanup.sh", + "-f" + ] + } + ] + }, + "zos": { + "namespaces": [ + { + "type": "pid" + }, + { + "type": "ipc" + }, + { + "type": "uts" + }, + { + "type": "mount" + } + ] + }, + "annotations": { + "com.example.key1": "value1", + "com.example.key2": "value2" + } +} diff -pruN 1.2.0-2/schema/test/config/good/zos-minimal.json 1.2.1-1/schema/test/config/good/zos-minimal.json --- 1.2.0-2/schema/test/config/good/zos-minimal.json 2024-01-26 12:55:39.000000000 +0000 +++ 1.2.1-1/schema/test/config/good/zos-minimal.json 2025-02-25 22:46:15.000000000 +0000 @@ -3,6 +3,5 @@ "root": { "path": "rootfs" }, - "zos": { - } + "zos": {} } diff -pruN 1.2.0-2/schema/test/features/good/runc.json 1.2.1-1/schema/test/features/good/runc.json --- 1.2.0-2/schema/test/features/good/runc.json 2024-01-26 12:55:39.000000000 +0000 +++ 1.2.1-1/schema/test/features/good/runc.json 2025-02-25 22:46:15.000000000 +0000 @@ -171,10 +171,10 @@ "SCMP_ARCH_X86_64" ], "knownFlags": [ - "SECCOMP_FILTER_FLAG_LOG" + "SECCOMP_FILTER_FLAG_LOG" ], "supportedFlags": [ - "SECCOMP_FILTER_FLAG_LOG" + "SECCOMP_FILTER_FLAG_LOG" ] }, "apparmor": { diff -pruN 1.2.0-2/spec.md 1.2.1-1/spec.md --- 1.2.0-2/spec.md 2024-01-26 12:55:39.000000000 +0000 +++ 1.2.1-1/spec.md 2025-02-25 22:46:15.000000000 +0000 @@ -47,6 +47,6 @@ An implementation is not compliant for a An implementation is compliant for a given CPU architecture if it satisfies all the MUST, REQUIRED, and SHALL requirements for the [platforms](#platforms) it implements. -[c99-unspecified]: http://www.open-std.org/jtc1/sc22/wg14/www/C99RationaleV5.10.pdf#page=18 -[oci]: http://www.opencontainers.org +[c99-unspecified]: https://www.open-std.org/jtc1/sc22/wg14/www/C99RationaleV5.10.pdf#page=18 +[oci]: https://opencontainers.org [rfc2119]: https://www.rfc-editor.org/rfc/rfc2119.html diff -pruN 1.2.0-2/specs-go/config.go 1.2.1-1/specs-go/config.go --- 1.2.0-2/specs-go/config.go 2024-01-26 12:55:39.000000000 +0000 +++ 1.2.1-1/specs-go/config.go 2025-02-25 22:46:15.000000000 +0000 @@ -83,7 +83,7 @@ type Process struct { // Rlimits specifies rlimit options to apply to the process. Rlimits []POSIXRlimit `json:"rlimits,omitempty" platform:"linux,solaris,zos"` // NoNewPrivileges controls whether additional privileges could be gained by processes in the container. - NoNewPrivileges bool `json:"noNewPrivileges,omitempty" platform:"linux"` + NoNewPrivileges bool `json:"noNewPrivileges,omitempty" platform:"linux,zos"` // ApparmorProfile specifies the apparmor profile for the container. ApparmorProfile string `json:"apparmorProfile,omitempty" platform:"linux"` // Specify an oom_score_adj for the container. @@ -94,10 +94,12 @@ type Process struct { SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"` // IOPriority contains the I/O priority settings for the cgroup. IOPriority *LinuxIOPriority `json:"ioPriority,omitempty" platform:"linux"` + // ExecCPUAffinity specifies CPU affinity for exec processes. + ExecCPUAffinity *CPUAffinity `json:"execCPUAffinity,omitempty" platform:"linux"` } // LinuxCapabilities specifies the list of allowed capabilities that are kept for a process. -// http://man7.org/linux/man-pages/man7/capabilities.7.html +// https://man7.org/linux/man-pages/man7/capabilities.7.html type LinuxCapabilities struct { // Bounding is the set of capabilities checked by the kernel. Bounding []string `json:"bounding,omitempty" platform:"linux"` @@ -127,6 +129,12 @@ const ( IOPRIO_CLASS_IDLE IOPriorityClass = "IOPRIO_CLASS_IDLE" ) +// CPUAffinity specifies process' CPU affinity. +type CPUAffinity struct { + Initial string `json:"initial,omitempty"` + Final string `json:"final,omitempty"` +} + // Box specifies dimensions of a rectangle. Used for specifying the size of a console. type Box struct { // Height is the vertical dimension of a box. @@ -627,6 +635,17 @@ type WindowsCPUResources struct { // cycles per 10,000 cycles. Set processor `maximum` to a percentage times // 100. Maximum *uint16 `json:"maximum,omitempty"` + // Set of CPUs to affinitize for this container. + Affinity []WindowsCPUGroupAffinity `json:"affinity,omitempty"` +} + +// Similar to _GROUP_AFFINITY struct defined in +// https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/miniport/ns-miniport-_group_affinity +type WindowsCPUGroupAffinity struct { + // CPU mask relative to this CPU group. + Mask uint64 `json:"mask,omitempty"` + // Processor group the mask refers to, as returned by GetLogicalProcessorInformationEx. + Group uint32 `json:"group,omitempty"` } // WindowsStorageResources contains storage resource management settings. @@ -751,6 +770,10 @@ const ( ArchPARISC Arch = "SCMP_ARCH_PARISC" ArchPARISC64 Arch = "SCMP_ARCH_PARISC64" ArchRISCV64 Arch = "SCMP_ARCH_RISCV64" + ArchLOONGARCH64 Arch = "SCMP_ARCH_LOONGARCH64" + ArchM68K Arch = "SCMP_ARCH_M68K" + ArchSH Arch = "SCMP_ARCH_SH" + ArchSHEB Arch = "SCMP_ARCH_SHEB" ) // LinuxSeccompAction taken upon Seccomp rule match @@ -826,28 +849,33 @@ type LinuxIntelRdt struct { // ZOS contains platform-specific configuration for z/OS based containers. type ZOS struct { - // Devices are a list of device nodes that are created for the container - Devices []ZOSDevice `json:"devices,omitempty"` + // Namespaces contains the namespaces that are created and/or joined by the container + Namespaces []ZOSNamespace `json:"namespaces,omitempty"` } -// ZOSDevice represents the mknod information for a z/OS special device file -type ZOSDevice struct { - // Path to the device. - Path string `json:"path"` - // Device type, block, char, etc. - Type string `json:"type"` - // Major is the device's major number. - Major int64 `json:"major"` - // Minor is the device's minor number. - Minor int64 `json:"minor"` - // FileMode permission bits for the device. - FileMode *os.FileMode `json:"fileMode,omitempty"` - // UID of the device. - UID *uint32 `json:"uid,omitempty"` - // Gid of the device. - GID *uint32 `json:"gid,omitempty"` +// ZOSNamespace is the configuration for a z/OS namespace +type ZOSNamespace struct { + // Type is the type of namespace + Type ZOSNamespaceType `json:"type"` + // Path is a path to an existing namespace persisted on disk that can be joined + // and is of the same type + Path string `json:"path,omitempty"` } +// ZOSNamespaceType is one of the z/OS namespaces +type ZOSNamespaceType string + +const ( + // PIDNamespace for isolating process IDs + ZOSPIDNamespace ZOSNamespaceType = "pid" + // MountNamespace for isolating mount points + ZOSMountNamespace ZOSNamespaceType = "mount" + // IPCNamespace for isolating System V IPC, POSIX message queues + ZOSIPCNamespace ZOSNamespaceType = "ipc" + // UTSNamespace for isolating hostname and NIS domain name + ZOSUTSNamespace ZOSNamespaceType = "uts" +) + // LinuxSchedulerPolicy represents different scheduling policies used with the Linux Scheduler type LinuxSchedulerPolicy string diff -pruN 1.2.0-2/specs-go/version.go 1.2.1-1/specs-go/version.go --- 1.2.0-2/specs-go/version.go 2024-01-26 12:55:39.000000000 +0000 +++ 1.2.1-1/specs-go/version.go 2025-02-25 22:46:15.000000000 +0000 @@ -8,7 +8,7 @@ const ( // VersionMinor is for functionality in a backwards-compatible manner VersionMinor = 2 // VersionPatch is for backwards-compatible bug fixes - VersionPatch = 0 + VersionPatch = 1 // VersionDev indicates development branch. Releases will be empty string. VersionDev = ""