@@ -84,7 +84,7 @@ google.golang.org/grpc                              f495f5b15ae7ccda3b38c53a1bfc

 # This commit does not need to match RUNC_COMMIT as it is used for helper

 # packages but should be newer or equal.

 github.com/opencontainers/runc                      dc9208a3303feef5b3839f4323d9beb36df0a9dd # v1.0.0-rc10

-github.com/opencontainers/runtime-spec              29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db

+github.com/opencontainers/runtime-spec              c4ee7d12c742ffe806cd9350b6af3b4b19faed6f # v1.0.2

 github.com/opencontainers/image-spec                d60099175f88c47cd379c4738d158884749ed235 # v1.0.1

 github.com/seccomp/libseccomp-golang                689e3c1541a84461afc49c1c87352a6cedf72e9c # v0.9.1

@@ -12,7 +12,6 @@ Additional documentation about how this group operates:

 - [Style and Conventions](style.md)

 - [Implementations](implementations.md)

 - [Releases](RELEASES.md)

-- [project](project.md)

 - [charter][charter]

 ## Use Cases

@@ -54,11 +53,9 @@ When in doubt, start on the [mailing-list](#mailing-list).

 ### Meetings

-The contributors and maintainers of all OCI projects have monthly meetings, which are usually at 2:00 PM (USA Pacific) on the first Wednesday of every month.

-There is an [iCalendar][rfc5545] format for the meetings [here](meeting.ics).

-Everyone is welcome to participate via [UberConference web][uberconference] or audio-only: +1 415 968 0849 (no PIN needed).

-An initial agenda will be posted to the [mailing list](#mailing-list) in the week before each meeting, and everyone is welcome to propose additional topics or suggest other agenda alterations there.

-Minutes are posted to the [mailing list](#mailing-list) and minutes from past calls are archived [here][minutes], with minutes from especially old meetings (September 2015 and earlier) archived [here][runtime-wiki].

+Please see the [OCI org repository README](https://github.com/opencontainers/org#meetings) for the most up-to-date

+information on OCI contributor and maintainer meeting schedules. You can also find links to meeting agendas and

+minutes for all prior meetings.

 ### Mailing List

@@ -139,7 +136,7 @@ Read more on [How to Write a Git Commit Message][how-to-git-commit] or the Discu

 [charter]: https://www.opencontainers.org/about/governance

-[code-of-conduct]: https://github.com/opencontainers/tob/blob/master/code-of-conduct.md

+[code-of-conduct]: https://github.com/opencontainers/org/blob/master/CODE_OF_CONDUCT.md

 [dev-list]: https://groups.google.com/a/opencontainers.org/forum/#!forum/dev

 [how-to-git-commit]: http://chris.beams.io/posts/git-commit

 [irc-logs]: http://ircbot.wl.linuxfoundation.org/eavesdrop/%23opencontainers/

@@ -89,6 +89,8 @@ type User struct {

 	UID uint32 `json:"uid" platform:"linux,solaris"`

 	// GID is the group id.

 	GID uint32 `json:"gid" platform:"linux,solaris"`

+	// Umask is the umask for the init process.

+	Umask uint32 `json:"umask,omitempty" platform:"linux,solaris"`

 	// AdditionalGids are additional group ids set for the container's process.

 	AdditionalGids []uint32 `json:"additionalGids,omitempty" platform:"linux,solaris"`

 	// Username is the user name.

@@ -123,13 +125,26 @@ type Hook struct {

 	Timeout *int     `json:"timeout,omitempty"`

 }

+// Hooks specifies a command that is run in the container at a particular event in the lifecycle of a container

 // Hooks for container setup and teardown

 type Hooks struct {

-	// Prestart is a list of hooks to be run before the container process is executed.

+	// Prestart is Deprecated. Prestart is a list of hooks to be run before the container process is executed.

+	// It is called in the Runtime Namespace

 	Prestart []Hook `json:"prestart,omitempty"`

+	// CreateRuntime is a list of hooks to be run after the container has been created but before pivot_root or any equivalent operation has been called

+	// It is called in the Runtime Namespace

+	CreateRuntime []Hook `json:"createRuntime,omitempty"`

+	// CreateContainer is a list of hooks to be run after the container has been created but before pivot_root or any equivalent operation has been called

+	// It is called in the Container Namespace

+	CreateContainer []Hook `json:"createContainer,omitempty"`

+	// StartContainer is a list of hooks to be run after the start operation is called but before the container process is started

+	// It is called in the Container Namespace

+	StartContainer []Hook `json:"startContainer,omitempty"`

 	// Poststart is a list of hooks to be run after the container process is started.

+	// It is called in the Runtime Namespace

 	Poststart []Hook `json:"poststart,omitempty"`

 	// Poststop is a list of hooks to be run after the container process exits.

+	// It is called in the Runtime Namespace

 	Poststop []Hook `json:"poststop,omitempty"`

 }

@@ -165,6 +180,8 @@ type Linux struct {

 	// IntelRdt contains Intel Resource Director Technology (RDT) information for

 	// handling resource constraints (e.g., L3 cache, memory bandwidth) for the container

 	IntelRdt *LinuxIntelRdt `json:"intelRdt,omitempty"`

+	// Personality contains configuration for the Linux personality syscall

+	Personality *LinuxPersonality `json:"personality,omitempty"`

 }

 // LinuxNamespace is the configuration for a Linux namespace

@@ -183,17 +200,17 @@ const (

 	// PIDNamespace for isolating process IDs

 	PIDNamespace LinuxNamespaceType = "pid"

 	// NetworkNamespace for isolating network devices, stacks, ports, etc

-	NetworkNamespace = "network"

+	NetworkNamespace LinuxNamespaceType = "network"

 	// MountNamespace for isolating mount points

-	MountNamespace = "mount"

+	MountNamespace LinuxNamespaceType = "mount"

 	// IPCNamespace for isolating System V IPC, POSIX message queues

-	IPCNamespace = "ipc"

+	IPCNamespace LinuxNamespaceType = "ipc"

 	// UTSNamespace for isolating hostname and NIS domain name

-	UTSNamespace = "uts"

+	UTSNamespace LinuxNamespaceType = "uts"

 	// UserNamespace for isolating user and group IDs

-	UserNamespace = "user"

+	UserNamespace LinuxNamespaceType = "user"

 	// CgroupNamespace for isolating cgroup hierarchies

-	CgroupNamespace = "cgroup"

+	CgroupNamespace LinuxNamespaceType = "cgroup"

 )

 // LinuxIDMapping specifies UID/GID mappings

@@ -219,6 +236,7 @@ type POSIXRlimit struct {

 // LinuxHugepageLimit structure corresponds to limiting kernel hugepages

 type LinuxHugepageLimit struct {

 	// Pagesize is the hugepage size

+	// Format: "<size><unit-prefix>B' (e.g. 64KB, 2MB, 1GB, etc.)

 	Pagesize string `json:"pageSize"`

 	// Limit is the limit of "hugepagesize" hugetlb usage

 	Limit uint64 `json:"limit"`

@@ -290,6 +308,8 @@ type LinuxMemory struct {

 	Swappiness *uint64 `json:"swappiness,omitempty"`

 	// DisableOOMKiller disables the OOM killer for out of memory conditions

 	DisableOOMKiller *bool `json:"disableOOMKiller,omitempty"`

+	// Enables hierarchical memory accounting

+	UseHierarchy *bool `json:"useHierarchy,omitempty"`

 }

 // LinuxCPU for Linux cgroup 'cpu' resource management

@@ -386,6 +406,28 @@ type LinuxDeviceCgroup struct {

 	Access string `json:"access,omitempty"`

 }

+// LinuxPersonalityDomain refers to a personality domain.

+type LinuxPersonalityDomain string

+

+// LinuxPersonalityFlag refers to an additional personality flag. None are currently defined.

+type LinuxPersonalityFlag string

+

+// Define domain and flags for Personality

+const (

+	// PerLinux is the standard Linux personality

+	PerLinux LinuxPersonalityDomain = "LINUX"

+	// PerLinux32 sets personality to 32 bit

+	PerLinux32 LinuxPersonalityDomain = "LINUX32"

+)

+

+// LinuxPersonality represents the Linux personality syscall input

+type LinuxPersonality struct {

+	// Domain for the personality

+	Domain LinuxPersonalityDomain `json:"domain"`

+	// Additional flags

+	Flags []LinuxPersonalityFlag `json:"flags,omitempty"`

+}

+

 // Solaris contains platform-specific configuration for Solaris application containers.

 type Solaris struct {

 	// SMF FMRI which should go "online" before we start the container process.

@@ -555,12 +597,16 @@ type VMImage struct {

 type LinuxSeccomp struct {

 	DefaultAction LinuxSeccompAction `json:"defaultAction"`

 	Architectures []Arch             `json:"architectures,omitempty"`

+	Flags         []LinuxSeccompFlag `json:"flags,omitempty"`

 	Syscalls      []LinuxSyscall     `json:"syscalls,omitempty"`

 }

 // Arch used for additional architectures

 type Arch string

+// LinuxSeccompFlag is a flag to pass to seccomp(2).

+type LinuxSeccompFlag string

+

 // Additional architectures permitted to be used for system calls

 // By default only the native architecture of the kernel is permitted

 const (

@@ -594,6 +640,7 @@ const (

 	ActErrno LinuxSeccompAction = "SCMP_ACT_ERRNO"

 	ActTrace LinuxSeccompAction = "SCMP_ACT_TRACE"

 	ActAllow LinuxSeccompAction = "SCMP_ACT_ALLOW"

+	ActLog   LinuxSeccompAction = "SCMP_ACT_LOG"

 )

 // LinuxSeccompOperator used to match syscall arguments in Seccomp

@@ -8,10 +8,10 @@ const (

 	// VersionMinor is for functionality in a backwards-compatible manner

 	VersionMinor = 0

 	// VersionPatch is for backwards-compatible bug fixes

-	VersionPatch = 1

+	VersionPatch = 2

 	// VersionDev indicates development branch. Releases will be empty string.

-	VersionDev = "-dev"

+	VersionDev = ""

 )

 // Version is the specification version that the package types support.