@@ -25,7 +25,7 @@ import (

 	"github.com/opencontainers/runc/libcontainer/configs"

 	"github.com/opencontainers/runc/libcontainer/devices"

 	"github.com/opencontainers/runc/libcontainer/label"

-	"github.com/opencontainers/specs/specs-go"

+	"github.com/opencontainers/runtime-spec/specs-go"

 )

 func u32Ptr(i int64) *uint32     { u := uint32(i); return &u }

@@ -38,7 +38,7 @@ import (

 	"github.com/golang/protobuf/ptypes"

 	"github.com/opencontainers/runc/libcontainer/label"

 	"github.com/opencontainers/runc/libcontainer/user"

-	"github.com/opencontainers/specs/specs-go"

+	"github.com/opencontainers/runtime-spec/specs-go"

 )

 const (

@@ -23,7 +23,7 @@ import (

 	"github.com/opencontainers/runc/libcontainer/apparmor"

 	"github.com/opencontainers/runc/libcontainer/devices"

 	"github.com/opencontainers/runc/libcontainer/user"

-	"github.com/opencontainers/specs/specs-go"

+	"github.com/opencontainers/runtime-spec/specs-go"

 )

 func setResources(s *specs.Spec, r containertypes.Resources) error {

@@ -6,7 +6,7 @@ import (

 	"fmt"

 	"github.com/docker/docker/container"

-	"github.com/opencontainers/specs/specs-go"

+	"github.com/opencontainers/runtime-spec/specs-go"

 )

 var supportsSeccomp = false

@@ -8,7 +8,7 @@ import (

 	"github.com/Sirupsen/logrus"

 	"github.com/docker/docker/container"

 	"github.com/docker/docker/profiles/seccomp"

-	"github.com/opencontainers/specs/specs-go"

+	"github.com/opencontainers/runtime-spec/specs-go"

 )

 var supportsSeccomp = true

@@ -590,7 +590,7 @@ options for `zfs` start with `zfs` and options for `btrfs` start with `btrfs`.

 ## Docker runtime execution options

 The Docker daemon relies on a

-[OCI](https://github.com/opencontainers/specs) compliant runtime

+[OCI](https://github.com/opencontainers/runtime-spec) compliant runtime

 (invoked via the `containerd` daemon) as its interface to the Linux

 kernel `namespaces`, `cgroups`, and `SELinux`.

@@ -103,7 +103,7 @@ clone git github.com/docker/go v1.5.1-1-1-gbaf439e

 clone git github.com/agl/ed25519 d2b94fd789ea21d12fac1a4443dd3a3f79cda72c

 clone git github.com/opencontainers/runc cc29e3dded8e27ba8f65738f40d251c885030a28 # libcontainer

-clone git github.com/opencontainers/specs v1.0.0-rc1 # specs

+clone git github.com/opencontainers/runtime-spec v1.0.0-rc1 # specs

 clone git github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0

 # libcontainer deps (see src/github.com/opencontainers/runc/Godeps/Godeps.json)

 clone git github.com/coreos/go-systemd v4

@@ -16,7 +16,7 @@ import (

 	"github.com/docker/docker/pkg/mount"

 	"github.com/golang/protobuf/ptypes"

 	"github.com/golang/protobuf/ptypes/timestamp"

-	specs "github.com/opencontainers/specs/specs-go"

+	specs "github.com/opencontainers/runtime-spec/specs-go"

 	"golang.org/x/net/context"

 )

@@ -12,7 +12,7 @@ import (

 	"github.com/Sirupsen/logrus"

 	containerd "github.com/docker/containerd/api/grpc/types"

 	"github.com/docker/docker/restartmanager"

-	"github.com/opencontainers/specs/specs-go"

+	"github.com/opencontainers/runtime-spec/specs-go"

 	"golang.org/x/net/context"

 )

@@ -2,7 +2,7 @@ package libcontainerd

 import (

 	containerd "github.com/docker/containerd/api/grpc/types"

-	"github.com/opencontainers/specs/specs-go"

+	"github.com/opencontainers/runtime-spec/specs-go"

 )

 // Spec is the base configuration for the container.  It specifies platform

@@ -1,7 +1,7 @@

 package libcontainerd

 import (

-	"github.com/opencontainers/specs/specs-go"

+	"github.com/opencontainers/runtime-spec/specs-go"

 )

 // Spec is the base configuration for the container.  It specifies platform

@@ -2,7 +2,7 @@ package libcontainerd

 import (

 	containerd "github.com/docker/containerd/api/grpc/types"

-	"github.com/opencontainers/specs/specs-go"

+	"github.com/opencontainers/runtime-spec/specs-go"

 )

 func getRootIDs(s specs.Spec) (int, int, error) {

@@ -4,7 +4,7 @@ import (

 	"os"

 	"runtime"

-	"github.com/opencontainers/specs/specs-go"

+	"github.com/opencontainers/runtime-spec/specs-go"

 )

 func sPtr(s string) *string      { return &s }

@@ -1,7 +1,7 @@

 package oci

 import (

-	"github.com/opencontainers/specs/specs-go"

+	"github.com/opencontainers/runtime-spec/specs-go"

 )

 // DefaultSpec returns default oci spec used by docker.

@@ -17,7 +17,7 @@ import (

 	"github.com/docker/docker/restartmanager"

 	"github.com/docker/engine-api/types"

 	"github.com/docker/engine-api/types/container"

-	"github.com/opencontainers/specs/specs-go"

+	"github.com/opencontainers/runtime-spec/specs-go"

 )

 func (pm *Manager) enable(p *plugin, force bool) error {

@@ -5,7 +5,7 @@ package plugin

 import (

 	"fmt"

-	"github.com/opencontainers/specs/specs-go"

+	"github.com/opencontainers/runtime-spec/specs-go"

 )

 func (pm *Manager) enable(p *plugin, force bool) error {

@@ -7,7 +7,7 @@ import (

 	"fmt"

 	"github.com/docker/engine-api/types"

-	"github.com/opencontainers/specs/specs-go"

+	"github.com/opencontainers/runtime-spec/specs-go"

 )

 //go:generate go run -tags 'seccomp' generate.go

@@ -6,7 +6,7 @@ import (

 	"syscall"

 	"github.com/docker/engine-api/types"

-	"github.com/opencontainers/specs/specs-go"

+	"github.com/opencontainers/runtime-spec/specs-go"

 	libseccomp "github.com/seccomp/libseccomp-golang"

 )

@@ -4,7 +4,7 @@ package seccomp

 import (

 	"github.com/docker/engine-api/types"

-	"github.com/opencontainers/specs/specs-go"

+	"github.com/opencontainers/runtime-spec/specs-go"

 )

 // DefaultProfile returns a nil pointer on unsupported systems.

new file mode 100644

@@ -0,0 +1,191 @@

+

+                                 Apache License

+                           Version 2.0, January 2004

+                        http://www.apache.org/licenses/

+

+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

+

+   1. Definitions.

+

+      "License" shall mean the terms and conditions for use, reproduction,

+      and distribution as defined by Sections 1 through 9 of this document.

+

+      "Licensor" shall mean the copyright owner or entity authorized by

+      the copyright owner that is granting the License.

+

+      "Legal Entity" shall mean the union of the acting entity and all

+      other entities that control, are controlled by, or are under common

+      control with that entity. For the purposes of this definition,

+      "control" means (i) the power, direct or indirect, to cause the

+      direction or management of such entity, whether by contract or

+      otherwise, or (ii) ownership of fifty percent (50%) or more of the

+      outstanding shares, or (iii) beneficial ownership of such entity.

+

+      "You" (or "Your") shall mean an individual or Legal Entity

+      exercising permissions granted by this License.

+

+      "Source" form shall mean the preferred form for making modifications,

+      including but not limited to software source code, documentation

+      source, and configuration files.

+

+      "Object" form shall mean any form resulting from mechanical

+      transformation or translation of a Source form, including but

+      not limited to compiled object code, generated documentation,

+      and conversions to other media types.

+

+      "Work" shall mean the work of authorship, whether in Source or

+      Object form, made available under the License, as indicated by a

+      copyright notice that is included in or attached to the work

+      (an example is provided in the Appendix below).

+

+      "Derivative Works" shall mean any work, whether in Source or Object

+      form, that is based on (or derived from) the Work and for which the

+      editorial revisions, annotations, elaborations, or other modifications

+      represent, as a whole, an original work of authorship. For the purposes

+      of this License, Derivative Works shall not include works that remain

+      separable from, or merely link (or bind by name) to the interfaces of,

+      the Work and Derivative Works thereof.

+

+      "Contribution" shall mean any work of authorship, including

+      the original version of the Work and any modifications or additions

+      to that Work or Derivative Works thereof, that is intentionally

+      submitted to Licensor for inclusion in the Work by the copyright owner

+      or by an individual or Legal Entity authorized to submit on behalf of

+      the copyright owner. For the purposes of this definition, "submitted"

+      means any form of electronic, verbal, or written communication sent

+      to the Licensor or its representatives, including but not limited to

+      communication on electronic mailing lists, source code control systems,

+      and issue tracking systems that are managed by, or on behalf of, the

+      Licensor for the purpose of discussing and improving the Work, but

+      excluding communication that is conspicuously marked or otherwise

+      designated in writing by the copyright owner as "Not a Contribution."

+

+      "Contributor" shall mean Licensor and any individual or Legal Entity

+      on behalf of whom a Contribution has been received by Licensor and

+      subsequently incorporated within the Work.

+

+   2. Grant of Copyright License. Subject to the terms and conditions of

+      this License, each Contributor hereby grants to You a perpetual,

+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable

+      copyright license to reproduce, prepare Derivative Works of,

+      publicly display, publicly perform, sublicense, and distribute the

+      Work and such Derivative Works in Source or Object form.

+

+   3. Grant of Patent License. Subject to the terms and conditions of

+      this License, each Contributor hereby grants to You a perpetual,

+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable

+      (except as stated in this section) patent license to make, have made,

+      use, offer to sell, sell, import, and otherwise transfer the Work,

+      where such license applies only to those patent claims licensable

+      by such Contributor that are necessarily infringed by their

+      Contribution(s) alone or by combination of their Contribution(s)

+      with the Work to which such Contribution(s) was submitted. If You

+      institute patent litigation against any entity (including a

+      cross-claim or counterclaim in a lawsuit) alleging that the Work

+      or a Contribution incorporated within the Work constitutes direct

+      or contributory patent infringement, then any patent licenses

+      granted to You under this License for that Work shall terminate

+      as of the date such litigation is filed.

+

+   4. Redistribution. You may reproduce and distribute copies of the

+      Work or Derivative Works thereof in any medium, with or without

+      modifications, and in Source or Object form, provided that You

+      meet the following conditions:

+

+      (a) You must give any other recipients of the Work or

+          Derivative Works a copy of this License; and

+

+      (b) You must cause any modified files to carry prominent notices

+          stating that You changed the files; and

+

+      (c) You must retain, in the Source form of any Derivative Works

+          that You distribute, all copyright, patent, trademark, and

+          attribution notices from the Source form of the Work,

+          excluding those notices that do not pertain to any part of

+          the Derivative Works; and

+

+      (d) If the Work includes a "NOTICE" text file as part of its

+          distribution, then any Derivative Works that You distribute must

+          include a readable copy of the attribution notices contained

+          within such NOTICE file, excluding those notices that do not

+          pertain to any part of the Derivative Works, in at least one

+          of the following places: within a NOTICE text file distributed

+          as part of the Derivative Works; within the Source form or

+          documentation, if provided along with the Derivative Works; or,

+          within a display generated by the Derivative Works, if and

+          wherever such third-party notices normally appear. The contents

+          of the NOTICE file are for informational purposes only and

+          do not modify the License. You may add Your own attribution

+          notices within Derivative Works that You distribute, alongside

+          or as an addendum to the NOTICE text from the Work, provided

+          that such additional attribution notices cannot be construed

+          as modifying the License.

+

+      You may add Your own copyright statement to Your modifications and

+      may provide additional or different license terms and conditions

+      for use, reproduction, or distribution of Your modifications, or

+      for any such Derivative Works as a whole, provided Your use,

+      reproduction, and distribution of the Work otherwise complies with

+      the conditions stated in this License.

+

+   5. Submission of Contributions. Unless You explicitly state otherwise,

+      any Contribution intentionally submitted for inclusion in the Work

+      by You to the Licensor shall be under the terms and conditions of

+      this License, without any additional terms or conditions.

+      Notwithstanding the above, nothing herein shall supersede or modify

+      the terms of any separate license agreement you may have executed

+      with Licensor regarding such Contributions.

+

+   6. Trademarks. This License does not grant permission to use the trade

+      names, trademarks, service marks, or product names of the Licensor,

+      except as required for reasonable and customary use in describing the

+      origin of the Work and reproducing the content of the NOTICE file.

+

+   7. Disclaimer of Warranty. Unless required by applicable law or

+      agreed to in writing, Licensor provides the Work (and each

+      Contributor provides its Contributions) on an "AS IS" BASIS,

+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or

+      implied, including, without limitation, any warranties or conditions

+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A

+      PARTICULAR PURPOSE. You are solely responsible for determining the

+      appropriateness of using or redistributing the Work and assume any

+      risks associated with Your exercise of permissions under this License.

+

+   8. Limitation of Liability. In no event and under no legal theory,

+      whether in tort (including negligence), contract, or otherwise,

+      unless required by applicable law (such as deliberate and grossly

+      negligent acts) or agreed to in writing, shall any Contributor be

+      liable to You for damages, including any direct, indirect, special,

+      incidental, or consequential damages of any character arising as a

+      result of this License or out of the use or inability to use the

+      Work (including but not limited to damages for loss of goodwill,

+      work stoppage, computer failure or malfunction, or any and all

+      other commercial damages or losses), even if such Contributor

+      has been advised of the possibility of such damages.

+

+   9. Accepting Warranty or Additional Liability. While redistributing

+      the Work or Derivative Works thereof, You may choose to offer,

+      and charge a fee for, acceptance of support, warranty, indemnity,

+      or other liability obligations and/or rights consistent with this

+      License. However, in accepting such obligations, You may act only

+      on Your own behalf and on Your sole responsibility, not on behalf

+      of any other Contributor, and only if You agree to indemnify,

+      defend, and hold each Contributor harmless for any liability

+      incurred by, or claims asserted against, such Contributor by reason

+      of your accepting any such warranty or additional liability.

+

+   END OF TERMS AND CONDITIONS

+

+   Copyright 2015 The Linux Foundation.

+

+   Licensed under the Apache License, Version 2.0 (the "License");

+   you may not use this file except in compliance with the License.

+   You may obtain a copy of the License at

+

+       http://www.apache.org/licenses/LICENSE-2.0

+

+   Unless required by applicable law or agreed to in writing, software

+   distributed under the License is distributed on an "AS IS" BASIS,

+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+   See the License for the specific language governing permissions and

+   limitations under the License.

new file mode 100644

@@ -0,0 +1,471 @@

+package specs

+

+import "os"

+

+// Spec is the base configuration for the container.

+type Spec struct {

+	// Version is the version of the specification that is supported.

+	Version string `json:"ociVersion"`

+	// Platform is the host information for OS and Arch.

+	Platform Platform `json:"platform"`

+	// Process is the container's main process.

+	Process Process `json:"process"`

+	// Root is the root information for the container's filesystem.

+	Root Root `json:"root"`

+	// Hostname is the container's host name.

+	Hostname string `json:"hostname,omitempty"`

+	// Mounts profile configuration for adding mounts to the container's filesystem.

+	Mounts []Mount `json:"mounts,omitempty"`

+	// Hooks are the commands run at various lifecycle events of the container.

+	Hooks Hooks `json:"hooks"`

+	// Annotations is an unstructured key value map that may be set by external tools to store and retrieve arbitrary metadata.

+	Annotations map[string]string `json:"annotations,omitempty"`

+

+	// Linux is platform specific configuration for Linux based containers.

+	Linux Linux `json:"linux" platform:"linux,omitempty"`

+	// Solaris is platform specific configuration for Solaris containers.

+	Solaris Solaris `json:"solaris" platform:"solaris,omitempty"`

+}

+

+// Process contains information to start a specific application inside the container.

+type Process struct {

+	// Terminal creates an interactive terminal for the container.

+	Terminal bool `json:"terminal,omitempty"`

+	// User specifies user information for the process.

+	User User `json:"user"`

+	// Args specifies the binary and arguments for the application to execute.

+	Args []string `json:"args"`

+	// Env populates the process environment for the process.

+	Env []string `json:"env,omitempty"`

+	// Cwd is the current working directory for the process and must be

+	// relative to the container's root.

+	Cwd string `json:"cwd"`

+	// Capabilities are Linux capabilities that are kept for the container.

+	Capabilities []string `json:"capabilities,omitempty" platform:"linux"`

+	// Rlimits specifies rlimit options to apply to the process.

+	Rlimits []Rlimit `json:"rlimits,omitempty"`

+	// NoNewPrivileges controls whether additional privileges could be gained by processes in the container.

+	NoNewPrivileges bool `json:"noNewPrivileges,omitempty"`

+

+	// ApparmorProfile specified the apparmor profile for the container. (this field is platform dependent)

+	ApparmorProfile string `json:"apparmorProfile,omitempty" platform:"linux"`

+	// SelinuxLabel specifies the selinux context that the container process is run as. (this field is platform dependent)

+	SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`

+}

+

+// User specifies Linux specific user and group information for the container's

+// main process.

+type User struct {

+	// UID is the user id. (this field is platform dependent)

+	UID uint32 `json:"uid" platform:"linux"`

+	// GID is the group id. (this field is platform dependent)

+	GID uint32 `json:"gid" platform:"linux"`

+	// AdditionalGids are additional group ids set for the container's process. (this field is platform dependent)

+	AdditionalGids []uint32 `json:"additionalGids,omitempty" platform:"linux"`

+}

+

+// Root contains information about the container's root filesystem on the host.

+type Root struct {

+	// Path is the absolute path to the container's root filesystem.

+	Path string `json:"path"`

+	// Readonly makes the root filesystem for the container readonly before the process is executed.

+	Readonly bool `json:"readonly,omitempty"`

+}

+

+// Platform specifies OS and arch information for the host system that the container

+// is created for.

+type Platform struct {

+	// OS is the operating system.

+	OS string `json:"os"`

+	// Arch is the architecture

+	Arch string `json:"arch"`

+}

+

+// Mount specifies a mount for a container.

+type Mount struct {

+	// Destination is the path where the mount will be placed relative to the container's root.  The path and child directories MUST exist, a runtime MUST NOT create directories automatically to a mount point.

+	Destination string `json:"destination"`

+	// Type specifies the mount kind.

+	Type string `json:"type"`

+	// Source specifies the source path of the mount.  In the case of bind mounts on

+	// Linux based systems this would be the file on the host.

+	Source string `json:"source"`

+	// Options are fstab style mount options.

+	Options []string `json:"options,omitempty"`

+}

+

+// Hook specifies a command that is run at a particular event in the lifecycle of a container

+type Hook struct {

+	Path    string   `json:"path"`

+	Args    []string `json:"args,omitempty"`

+	Env     []string `json:"env,omitempty"`

+	Timeout *int     `json:"timeout,omitempty"`

+}

+

+// Hooks for container setup and teardown

+type Hooks struct {

+	// Prestart is a list of hooks to be run before the container process is executed.

+	// On Linux, they are run after the container namespaces are created.

+	Prestart []Hook `json:"prestart,omitempty"`

+	// Poststart is a list of hooks to be run after the container process is started.

+	Poststart []Hook `json:"poststart,omitempty"`

+	// Poststop is a list of hooks to be run after the container process exits.

+	Poststop []Hook `json:"poststop,omitempty"`

+}

+

+// Linux contains platform specific configuration for Linux based containers.

+type Linux struct {

+	// UIDMapping specifies user mappings for supporting user namespaces on Linux.

+	UIDMappings []IDMapping `json:"uidMappings,omitempty"`

+	// GIDMapping specifies group mappings for supporting user namespaces on Linux.

+	GIDMappings []IDMapping `json:"gidMappings,omitempty"`

+	// Sysctl are a set of key value pairs that are set for the container on start

+	Sysctl map[string]string `json:"sysctl,omitempty"`

+	// Resources contain cgroup information for handling resource constraints

+	// for the container

+	Resources *Resources `json:"resources,omitempty"`

+	// CgroupsPath specifies the path to cgroups that are created and/or joined by the container.

+	// The path is expected to be relative to the cgroups mountpoint.

+	// If resources are specified, the cgroups at CgroupsPath will be updated based on resources.

+	CgroupsPath *string `json:"cgroupsPath,omitempty"`

+	// Namespaces contains the namespaces that are created and/or joined by the container

+	Namespaces []Namespace `json:"namespaces,omitempty"`

+	// Devices are a list of device nodes that are created for the container

+	Devices []Device `json:"devices,omitempty"`

+	// Seccomp specifies the seccomp security settings for the container.

+	Seccomp *Seccomp `json:"seccomp,omitempty"`

+	// RootfsPropagation is the rootfs mount propagation mode for the container.

+	RootfsPropagation string `json:"rootfsPropagation,omitempty"`

+	// MaskedPaths masks over the provided paths inside the container.

+	MaskedPaths []string `json:"maskedPaths,omitempty"`

+	// ReadonlyPaths sets the provided paths as RO inside the container.

+	ReadonlyPaths []string `json:"readonlyPaths,omitempty"`

+	// MountLabel specifies the selinux context for the mounts in the container.

+	MountLabel string `json:"mountLabel,omitempty"`

+}

+

+// Namespace is the configuration for a Linux namespace

+type Namespace struct {

+	// Type is the type of Linux namespace

+	Type NamespaceType `json:"type"`

+	// Path is a path to an existing namespace persisted on disk that can be joined

+	// and is of the same type

+	Path string `json:"path,omitempty"`

+}

+

+// NamespaceType is one of the Linux namespaces

+type NamespaceType string

+

+const (

+	// PIDNamespace for isolating process IDs

+	PIDNamespace NamespaceType = "pid"

+	// NetworkNamespace for isolating network devices, stacks, ports, etc

+	NetworkNamespace = "network"

+	// MountNamespace for isolating mount points

+	MountNamespace = "mount"

+	// IPCNamespace for isolating System V IPC, POSIX message queues

+	IPCNamespace = "ipc"

+	// UTSNamespace for isolating hostname and NIS domain name

+	UTSNamespace = "uts"

+	// UserNamespace for isolating user and group IDs

+	UserNamespace = "user"

+	// CgroupNamespace for isolating cgroup hierarchies

+	CgroupNamespace = "cgroup"

+)

+

+// IDMapping specifies UID/GID mappings

+type IDMapping struct {

+	// HostID is the UID/GID of the host user or group

+	HostID uint32 `json:"hostID"`

+	// ContainerID is the UID/GID of the container's user or group

+	ContainerID uint32 `json:"containerID"`

+	// Size is the length of the range of IDs mapped between the two namespaces

+	Size uint32 `json:"size"`

+}

+

+// Rlimit type and restrictions

+type Rlimit struct {

+	// Type of the rlimit to set

+	Type string `json:"type"`

+	// Hard is the hard limit for the specified type

+	Hard uint64 `json:"hard"`

+	// Soft is the soft limit for the specified type

+	Soft uint64 `json:"soft"`

+}

+

+// HugepageLimit structure corresponds to limiting kernel hugepages

+type HugepageLimit struct {

+	// Pagesize is the hugepage size

+	Pagesize *string `json:"pageSize,omitempty"`

+	// Limit is the limit of "hugepagesize" hugetlb usage

+	Limit *uint64 `json:"limit,omitempty"`

+}

+

+// InterfacePriority for network interfaces

+type InterfacePriority struct {

+	// Name is the name of the network interface

+	Name string `json:"name"`

+	// Priority for the interface

+	Priority uint32 `json:"priority"`

+}

+

+// blockIODevice holds major:minor format supported in blkio cgroup

+type blockIODevice struct {

+	// Major is the device's major number.

+	Major int64 `json:"major"`

+	// Minor is the device's minor number.

+	Minor int64 `json:"minor"`

+}

+

+// WeightDevice struct holds a `major:minor weight` pair for blkioWeightDevice

+type WeightDevice struct {

+	blockIODevice

+	// Weight is the bandwidth rate for the device, range is from 10 to 1000

+	Weight *uint16 `json:"weight,omitempty"`

+	// LeafWeight is the bandwidth rate for the device while competing with the cgroup's child cgroups, range is from 10 to 1000, CFQ scheduler only

+	LeafWeight *uint16 `json:"leafWeight,omitempty"`

+}

+

+// ThrottleDevice struct holds a `major:minor rate_per_second` pair

+type ThrottleDevice struct {

+	blockIODevice

+	// Rate is the IO rate limit per cgroup per device

+	Rate *uint64 `json:"rate,omitempty"`

+}

+

+// BlockIO for Linux cgroup 'blkio' resource management

+type BlockIO struct {

+	// Specifies per cgroup weight, range is from 10 to 1000

+	Weight *uint16 `json:"blkioWeight,omitempty"`

+	// Specifies tasks' weight in the given cgroup while competing with the cgroup's child cgroups, range is from 10 to 1000, CFQ scheduler only

+	LeafWeight *uint16 `json:"blkioLeafWeight,omitempty"`

+	// Weight per cgroup per device, can override BlkioWeight

+	WeightDevice []WeightDevice `json:"blkioWeightDevice,omitempty"`

+	// IO read rate limit per cgroup per device, bytes per second

+	ThrottleReadBpsDevice []ThrottleDevice `json:"blkioThrottleReadBpsDevice,omitempty"`

+	// IO write rate limit per cgroup per device, bytes per second

+	ThrottleWriteBpsDevice []ThrottleDevice `json:"blkioThrottleWriteBpsDevice,omitempty"`

+	// IO read rate limit per cgroup per device, IO per second

+	ThrottleReadIOPSDevice []ThrottleDevice `json:"blkioThrottleReadIOPSDevice,omitempty"`

+	// IO write rate limit per cgroup per device, IO per second

+	ThrottleWriteIOPSDevice []ThrottleDevice `json:"blkioThrottleWriteIOPSDevice,omitempty"`

+}

+

+// Memory for Linux cgroup 'memory' resource management

+type Memory struct {

+	// Memory limit (in bytes).

+	Limit *uint64 `json:"limit,omitempty"`

+	// Memory reservation or soft_limit (in bytes).

+	Reservation *uint64 `json:"reservation,omitempty"`

+	// Total memory limit (memory + swap).

+	Swap *uint64 `json:"swap,omitempty"`

+	// Kernel memory limit (in bytes).

+	Kernel *uint64 `json:"kernel,omitempty"`

+	// Kernel memory limit for tcp (in bytes)

+	KernelTCP *uint64 `json:"kernelTCP"`

+	// How aggressive the kernel will swap memory pages. Range from 0 to 100.

+	Swappiness *uint64 `json:"swappiness,omitempty"`

+}

+

+// CPU for Linux cgroup 'cpu' resource management

+type CPU struct {

+	// CPU shares (relative weight (ratio) vs. other cgroups with cpu shares).

+	Shares *uint64 `json:"shares,omitempty"`

+	// CPU hardcap limit (in usecs). Allowed cpu time in a given period.

+	Quota *uint64 `json:"quota,omitempty"`

+	// CPU period to be used for hardcapping (in usecs).

+	Period *uint64 `json:"period,omitempty"`

+	// How much time realtime scheduling may use (in usecs).

+	RealtimeRuntime *uint64 `json:"realtimeRuntime,omitempty"`

+	// CPU period to be used for realtime scheduling (in usecs).

+	RealtimePeriod *uint64 `json:"realtimePeriod,omitempty"`

+	// CPUs to use within the cpuset. Default is to use any CPU available.

+	Cpus *string `json:"cpus,omitempty"`

+	// List of memory nodes in the cpuset. Default is to use any available memory node.

+	Mems *string `json:"mems,omitempty"`

+}

+

+// Pids for Linux cgroup 'pids' resource management (Linux 4.3)

+type Pids struct {

+	// Maximum number of PIDs. Default is "no limit".

+	Limit *int64 `json:"limit,omitempty"`

+}

+

+// Network identification and priority configuration

+type Network struct {

+	// Set class identifier for container's network packets

+	ClassID *uint32 `json:"classID"`

+	// Set priority of network traffic for container

+	Priorities []InterfacePriority `json:"priorities,omitempty"`

+}

+

+// Resources has container runtime resource constraints

+type Resources struct {

+	// Devices are a list of device rules for the whitelist controller

+	Devices []DeviceCgroup `json:"devices"`

+	// DisableOOMKiller disables the OOM killer for out of memory conditions

+	DisableOOMKiller *bool `json:"disableOOMKiller,omitempty"`

+	// Specify an oom_score_adj for the container.

+	OOMScoreAdj *int `json:"oomScoreAdj,omitempty"`

+	// Memory restriction configuration

+	Memory *Memory `json:"memory,omitempty"`

+	// CPU resource restriction configuration

+	CPU *CPU `json:"cpu,omitempty"`

+	// Task resource restriction configuration.

+	Pids *Pids `json:"pids,omitempty"`

+	// BlockIO restriction configuration

+	BlockIO *BlockIO `json:"blockIO,omitempty"`

+	// Hugetlb limit (in bytes)

+	HugepageLimits []HugepageLimit `json:"hugepageLimits,omitempty"`

+	// Network restriction configuration

+	Network *Network `json:"network,omitempty"`

+}

+

+// Device represents the mknod information for a Linux special device file

+type Device struct {

+	// Path to the device.

+	Path string `json:"path"`

+	// Device type, block, char, etc.

+	Type string `json:"type"`

+	// Major is the device's major number.

+	Major int64 `json:"major"`

+	// Minor is the device's minor number.

+	Minor int64 `json:"minor"`

+	// FileMode permission bits for the device.

+	FileMode *os.FileMode `json:"fileMode,omitempty"`

+	// UID of the device.

+	UID *uint32 `json:"uid,omitempty"`

+	// Gid of the device.

+	GID *uint32 `json:"gid,omitempty"`

+}

+

+// DeviceCgroup represents a device rule for the whitelist controller

+type DeviceCgroup struct {

+	// Allow or deny

+	Allow bool `json:"allow"`

+	// Device type, block, char, etc.

+	Type *string `json:"type,omitempty"`

+	// Major is the device's major number.

+	Major *int64 `json:"major,omitempty"`

+	// Minor is the device's minor number.

+	Minor *int64 `json:"minor,omitempty"`

+	// Cgroup access permissions format, rwm.

+	Access *string `json:"access,omitempty"`

+}

+

+// Seccomp represents syscall restrictions

+type Seccomp struct {

+	DefaultAction Action    `json:"defaultAction"`

+	Architectures []Arch    `json:"architectures"`

+	Syscalls      []Syscall `json:"syscalls,omitempty"`

+}

+

+// Solaris contains platform specific configuration for Solaris application containers.

+type Solaris struct {

+	// SMF FMRI which should go "online" before we start the container process.

+	Milestone string `json:"milestone,omitempty"`

+	// Maximum set of privileges any process in this container can obtain.

+	LimitPriv string `json:"limitpriv,omitempty"`

+	// The maximum amount of shared memory allowed for this container.

+	MaxShmMemory string `json:"maxShmMemory,omitempty"`

+	// Specification for automatic creation of network resources for this container.

+	Anet []Anet `json:"anet,omitempty"`

+	// Set limit on the amount of CPU time that can be used by container.

+	CappedCPU CappedCPU `json:"cappedCPU,omitempty"`

+	// The physical and swap caps on the memory that can be used by this container.

+	CappedMemory CappedMemory `json:"cappedMemory,omitempty"`

+}

+

+// CappedCPU allows users to set limit on the amount of CPU time that can be used by container.

+type CappedCPU struct {

+	Ncpus string `json:"ncpus,omitempty"`

+}

+

+// CappedMemory allows users to set the physical and swap caps on the memory that can be used by this container.

+type CappedMemory struct {

+	Physical string `json:"physical,omitempty"`

+	Swap     string `json:"swap,omitempty"`

+}

+

+// Anet provides the specification for automatic creation of network resources for this container.

+type Anet struct {

+	// Specify a name for the automatically created VNIC datalink.

+	Linkname string `json:"linkname,omitempty"`

+	// Specify the link over which the VNIC will be created.

+	Lowerlink string `json:"lowerLink,omitempty"`

+	// The set of IP addresses that the container can use.

+	Allowedaddr string `json:"allowedAddress,omitempty"`

+	// Specifies whether allowedAddress limitation is to be applied to the VNIC.

+	Configallowedaddr string `json:"configureAllowedAddress,omitempty"`

+	// The value of the optional default router.

+	Defrouter string `json:"defrouter,omitempty"`

+	// Enable one or more types of link protection.

+	Linkprotection string `json:"linkProtection,omitempty"`

+	// Set the VNIC's macAddress

+	Macaddress string `json:"macAddress,omitempty"`

+}

+

+// Arch used for additional architectures

+type Arch string

+

+// Additional architectures permitted to be used for system calls

+// By default only the native architecture of the kernel is permitted

+const (

+	ArchX86         Arch = "SCMP_ARCH_X86"

+	ArchX86_64      Arch = "SCMP_ARCH_X86_64"

+	ArchX32         Arch = "SCMP_ARCH_X32"

+	ArchARM         Arch = "SCMP_ARCH_ARM"

+	ArchAARCH64     Arch = "SCMP_ARCH_AARCH64"

+	ArchMIPS        Arch = "SCMP_ARCH_MIPS"

+	ArchMIPS64      Arch = "SCMP_ARCH_MIPS64"

+	ArchMIPS64N32   Arch = "SCMP_ARCH_MIPS64N32"

+	ArchMIPSEL      Arch = "SCMP_ARCH_MIPSEL"

+	ArchMIPSEL64    Arch = "SCMP_ARCH_MIPSEL64"

+	ArchMIPSEL64N32 Arch = "SCMP_ARCH_MIPSEL64N32"

+	ArchPPC         Arch = "SCMP_ARCH_PPC"

+	ArchPPC64       Arch = "SCMP_ARCH_PPC64"

+	ArchPPC64LE     Arch = "SCMP_ARCH_PPC64LE"

+	ArchS390        Arch = "SCMP_ARCH_S390"

+	ArchS390X       Arch = "SCMP_ARCH_S390X"

+)

+

+// Action taken upon Seccomp rule match

+type Action string

+

+// Define actions for Seccomp rules

+const (

+	ActKill  Action = "SCMP_ACT_KILL"

+	ActTrap  Action = "SCMP_ACT_TRAP"

+	ActErrno Action = "SCMP_ACT_ERRNO"

+	ActTrace Action = "SCMP_ACT_TRACE"

+	ActAllow Action = "SCMP_ACT_ALLOW"

+)

+

+// Operator used to match syscall arguments in Seccomp

+type Operator string

+

+// Define operators for syscall arguments in Seccomp

+const (

+	OpNotEqual     Operator = "SCMP_CMP_NE"

+	OpLessThan     Operator = "SCMP_CMP_LT"

+	OpLessEqual    Operator = "SCMP_CMP_LE"

+	OpEqualTo      Operator = "SCMP_CMP_EQ"

+	OpGreaterEqual Operator = "SCMP_CMP_GE"

+	OpGreaterThan  Operator = "SCMP_CMP_GT"

+	OpMaskedEqual  Operator = "SCMP_CMP_MASKED_EQ"

+)

+

+// Arg used for matching specific syscall arguments in Seccomp

+type Arg struct {

+	Index    uint     `json:"index"`

+	Value    uint64   `json:"value"`

+	ValueTwo uint64   `json:"valueTwo"`

+	Op       Operator `json:"op"`

+}

+

+// Syscall is used to match a syscall in Seccomp

+type Syscall struct {

+	Name   string `json:"name"`

+	Action Action `json:"action"`

+	Args   []Arg  `json:"args,omitempty"`

+}

new file mode 100644

@@ -0,0 +1,17 @@

+package specs

+

+// State holds information about the runtime state of the container.

+type State struct {

+	// Version is the version of the specification that is supported.

+	Version string `json:"version"`

+	// ID is the container ID

+	ID string `json:"id"`

+	// Status is the runtime state of the container.