RDK Resources
[*RDK Preferred*]
Code Management Facility
RDK Forums
[RDK Conferences]
RDK Support
Archives
Papers & Presentations Archive
The below table contains all possible runtime configuration properties, prepared based on https://github.com/opencontainers/runtime-spec/blob/master/config.md.
| parent:property | image configuration counterpart | type, (whether optional for DAC on Linux) | meaning | DAC constraints | source | remarks |
|---|---|---|---|---|---|---|
| :root | object | |||||
| root:path | string | rootfs path (in a bundle) | relative within the bundle | generator (bundle generator), constant: rootfs | ||
| root:readonly | bool, optional | rootfs is read-only | always true | generator, constant: true | security constraints:
| |
| mounts | array of objects | additional mounts beyond root | generator, platform-specific (from platform's template config), runtime | used for:
| ||
mounts:destination mounts:type mounts:source mount:options | Config.Volumes | see mounts | ||||
| process | object | specifies the container process | ||||
process:terminal process:consoleSize:height process:consoleSize:width | bool uint uint | consoleSize: default to w80xh24 | generator or runtime (rel/dbg) | false for production/release, true for debug/development config | ||
| process:cwd | Config.WorkingDir | string | developer/sdk | |||
| process:env | Config.Env | string | Environment variables, only additions allowed | developer/sdk, appended by generator and runtime | ||
| process:args | Config.Entrypoint Config.Cmd | If both Config.Entrypoint and Config.Cmd are specified, the converter MUST append the value of Config.Cmd to the value of Config.Entrypoint and set process.args to that combined value. | Config.Entrypoint contains executable Config.Cmd contains params of executables | developer/sdk | ||
| process:commandLine | string | full command line to be executed on Windows. | not used (use process:args instead) | developer/sdk | ||
| process:rlimits | array of objects | allows setting resource limits for the process, see https://man7.org/linux/man-pages/man2/getrlimit.2.html | TBD: soft and hard limits provided by the app developer should be validated/limited by generator based on provided platform configuration. | developer/sdk, validated (ceiled) by generator and runtime | ||
| process:apparmorProfile | string | MAC mandatory access control | Not used (future) | |||
| process:capabilities | object | arrays that specifies the sets of capabilities for the process | TBD: caps provided by the app developer should be validated/limited by generator based on provided platform configuration. | developer/sdk, validated (ceiled) by generator and runtime | ||
| process:noNewPrivileges | bool | prevents the process from gaining additional privileges | true | |||
| process:oomScoreAdj | int | adjusts the oom-killer score in [pid]/oom_score_adj for the process's [pid] in a proc pseudo-filesystem | TBD | |||
| process:selinuxLabel | string | SELinux label for the process | Not used (future) | |||
| hostname | string | specifies the container's hostname as seen by processes running inside the container | TBD (locally-generated?) | |||
| hooks | object | custom actions related to the lifecycle of the container | handled by Dobby | generator and runtime | ||
| namespaces | object | configuration of the namespaces (visibility of the resources) | TBD:
| generator and runtime | ||
uidMappings gidMappings | array of objects array of objects | describes the user namespace uid mappings from the host to the container | TBD (see process:user.uid). May be generated based on platform configuration | generator and runtime | ||
| devices | array of objects | lists devices that MUST be available in the container. The runtime MAY supply them however it likes (with mknod, by bind mounting from the runtime mount namespace, using symlinks, etc.) | TBD: populated by generator based on platform configuration | generator and runtime | ||
cgroupsPath resources (memory, devices, CPU, BlockIO, hugePageLimits, network, pigs, rdma), | string object | configuration of the groups (limits on the resources usage) | TBD | |||
| interRdt | object | - | Not used | |||
| sysctl | object | kernel parameters modification | TBD | |||
| seccomp | object | application sandboxing mechanism (restrictions on syscalls) | TBD (additional security) | |||
rootfsPropagation | string | TBD | ||||
| maskedPaths | array of strings | not used | ||||
| readonlyPaths | array of strings | TBD (maybe /proc ?) - set be the generator | ||||
| mountLabel | string | not used | ||||
| personality | string | not used | ||||
process:user.uid process:user.gid process:user.umask process:user.additionalGids | Config.User | string | user (group) which the process run as (in container namespace)
| TBD:
| ||
annotations: org.opencontainers.image.os | os | string | linux | |||
annotations: org.opencontainers.image.architecture | architecture | string | 386 amd64 arm arm64 mips mips64 | |||
annotations: org.opencontainers.image.author | author | string | person or entity which created and is responsible for maintaining the image. | Whoever was responsible for creating the image manifest:
| ||
annotations: org.opencontainers.image.created | created | string | An combined date and time at which the image was created, https://tools.ietf.org/html/rfc3339#section-5.6 | date of creation | ||
annotations: * | Config.Labels.* | annotations | TBD, required annotations:
| |||
annotations: org.opencontainers.image.stopSignal | Config.StopSignal | string | system call signal that will be sent to the container to exit | TBD: Dobby should be able to send the proper signal | ||
annotations: | Config.ExposedPorts | object | set of ports to expose from a container running this image
| TBD: use case and how to handle:
|
Overview
Community Forums
Content Tools
Tasks