From 324f30ae44bc7a73f23a9e7069517e98f8a3574a Mon Sep 17 00:00:00 2001 From: Kenta Tada Date: Thu, 13 Aug 2020 13:38:45 +0900 Subject: [PATCH] Add support for time namespace The time namespace is a new kernel feature available in 5.6+ to isolate the system monotonic and boot-time clocks. Signed-off-by: Kenta Tada --- config-linux.md | 16 ++++++++++++++++ config.md | 13 +++++++++++++ schema/config-linux.json | 6 ++++++ schema/defs-linux.json | 14 +++++++++++++- schema/test/config/good/spec-example.json | 13 +++++++++++++ specs-go/config.go | 12 ++++++++++++ 6 files changed, 73 insertions(+), 1 deletion(-) diff --git a/config-linux.md b/config-linux.md index fb04e0e8e..4791f2178 100644 --- a/config-linux.md +++ b/config-linux.md @@ -34,6 +34,7 @@ The following parameters can be specified to set up namespaces: * **`uts`** the container will be able to have its own hostname and domain name. * **`user`** the container will be able to remap user and group IDs from the host to local users and groups within the container. * **`cgroup`** the container will have an isolated view of the cgroup hierarchy. + * **`time`** the container will be able to have its own clocks. * **`path`** *(string, OPTIONAL)* - namespace file. This value MUST be an absolute path in the [runtime mount namespace](glossary.md#runtime-namespace). The runtime MUST place the container process in the namespace associated with that `path`. @@ -70,6 +71,9 @@ If a `namespaces` field contains duplicated namespaces with same `type`, the run }, { "type": "cgroup" + }, + { + "type": "time" } ] ``` @@ -107,6 +111,17 @@ Note that the number of mapping entries MAY be limited by the [kernel][user-name ] ``` +## Offset for Time Namespace + +**`timeOffsets`** (object, OPTIONAL) sets the offset for Time Namespace. For more information +see the [time_namespaces](time_namespaces.7). + +The name of the clock is the entry key. +Entry values are objects with the following properties: + +* **`secs`** *(int64, OPTIONAL)* - is the offset of clock (in secs) in the container. +* **`nanosecs`** *(uint32, OPTIONAL)* - is the additional offset for secs (in nanosecs). The actual offset is secs plus nanosecs. + ## Devices **`devices`** (array of objects, OPTIONAL) lists devices that MUST be available in the container. @@ -770,3 +785,4 @@ subset of the available options. [zero.4]: http://man7.org/linux/man-pages/man4/zero.4.html [user-namespaces]: http://man7.org/linux/man-pages/man7/user_namespaces.7.html [intel-rdt-cat-kernel-interface]: https://www.kernel.org/doc/Documentation/x86/intel_rdt_ui.txt +[time_namespaces.7]: https://man7.org/linux/man-pages/man7/time_namespaces.7.html diff --git a/config.md b/config.md index 48ff0d729..5283cabf5 100644 --- a/config.md +++ b/config.md @@ -905,6 +905,16 @@ Here is a full example `config.json` for reference. } ] }, + "timeOffsets": { + "monotonic": { + "secs": 172800, + "nanosecs": 0 + }, + "boottime": { + "secs": 604800, + "nanosecs": 0 + } + }, "namespaces": [ { "type": "pid" @@ -926,6 +936,9 @@ Here is a full example `config.json` for reference. }, { "type": "cgroup" + }, + { + "type": "time" } ], "maskedPaths": [ diff --git a/schema/config-linux.json b/schema/config-linux.json index 98295c4cf..23600aa8c 100644 --- a/schema/config-linux.json +++ b/schema/config-linux.json @@ -253,6 +253,12 @@ "personality": { "type": "object", "$ref": "defs-linux.json#/definitions/Personality" + }, + "timeOffsets": { + "type": "object", + "additionalProperties": { + "$ref": "defs-linux.json#/definitions/TimeOffsets" + } } } } diff --git a/schema/defs-linux.json b/schema/defs-linux.json index 73a14fc53..5ceaea171 100644 --- a/schema/defs-linux.json +++ b/schema/defs-linux.json @@ -292,7 +292,8 @@ "uts", "ipc", "user", - "cgroup" + "cgroup", + "time" ] }, "NamespaceReference": { @@ -308,6 +309,17 @@ "required": [ "type" ] + }, + "TimeOffsets": { + "type": "object", + "properties": { + "secs": { + "$ref": "defs.json#/definitions/int64" + }, + "nanosecs": { + "$ref": "defs.json#/definitions/uint32" + } + } } } } diff --git a/schema/test/config/good/spec-example.json b/schema/test/config/good/spec-example.json index a784d1d74..8f09f4816 100644 --- a/schema/test/config/good/spec-example.json +++ b/schema/test/config/good/spec-example.json @@ -349,6 +349,16 @@ } ] }, + "timeOffsets": { + "monotonic": { + "secs": 172800, + "nanosecs": 0 + }, + "boottime": { + "secs": 604800, + "nanosecs": 0 + } + }, "namespaces": [ { "type": "pid" @@ -370,6 +380,9 @@ }, { "type": "cgroup" + }, + { + "type": "time" } ], "maskedPaths": [ diff --git a/specs-go/config.go b/specs-go/config.go index 8faacc982..7e54c2ae0 100644 --- a/specs-go/config.go +++ b/specs-go/config.go @@ -182,6 +182,8 @@ type Linux struct { IntelRdt *LinuxIntelRdt `json:"intelRdt,omitempty"` // Personality contains configuration for the Linux personality syscall Personality *LinuxPersonality `json:"personality,omitempty"` + // TimeOffsets specifies the offset for supporting time namespaces. + TimeOffsets map[string]LinuxTimeOffset `json:"timeOffsets,omitempty"` } // LinuxNamespace is the configuration for a Linux namespace @@ -211,6 +213,8 @@ const ( UserNamespace LinuxNamespaceType = "user" // CgroupNamespace for isolating cgroup hierarchies CgroupNamespace LinuxNamespaceType = "cgroup" + // TimeNamespace for isolating the clocks + TimeNamespace LinuxNamespaceType = "time" ) // LinuxIDMapping specifies UID/GID mappings @@ -223,6 +227,14 @@ type LinuxIDMapping struct { Size uint32 `json:"size"` } +// LinuxTimeOffset specifies the offset for Time Namespace +type LinuxTimeOffset struct { + // Secs is the offset of clock (in secs) in the container + Secs int64 `json:"secs,omitempty"` + // Nanosecs is the additional offset for Secs (in nanosecs) + Nanosecs uint32 `json:"nanosecs,omitempty"` +} + // POSIXRlimit type and restrictions type POSIXRlimit struct { // Type of the rlimit to set