Add support for time namespace

The time namespace is a new kernel feature available in 5.6+ to isolate the system monotonic and boot-time clocks. Signed-off-by: Kenta Tada <[email protected]>
opencontainers · Aug 18, 2020 · 6ffc520 · 6ffc520
1 parent d438e29
commit 6ffc520
Show file tree

Hide file tree

Showing 6 changed files with 72 additions and 1 deletion.
diff --git a/config-linux.md b/config-linux.md
@@ -34,6 +34,7 @@ The following parameters can be specified to set up namespaces:
     * **`uts`** the container will be able to have its own hostname and domain name.
     * **`user`** the container will be able to remap user and group IDs from the host to local users and groups within the container.
     * **`cgroup`** the container will have an isolated view of the cgroup hierarchy.
+    * **`time`** the container will be able to have its own system monotonic and boot-time clocks.
 * **`path`** *(string, OPTIONAL)* - namespace file.
     This value MUST be an absolute path in the [runtime mount namespace](glossary.md#runtime-namespace).
     The runtime MUST place the container process in the namespace associated with that `path`.
@@ -70,6 +71,9 @@ If a `namespaces` field contains duplicated namespaces with same `type`, the run
     },
     {
         "type": "cgroup"
+    },
+    {
+        "type": "time"
     }
 ]
 ```
@@ -107,6 +111,16 @@ Note that the number of mapping entries MAY be limited by the [kernel][user-name
 ]
 ```
 
+## <a name="configLinuxTimeOffset" />Offset for Time Namespace
+
+**`timeOffset`** (object, OPTIONAL) sets the offset for Time Namespace. For more information
+see the [time_namespaces](time_namespaces.7).
+
+* **`monotonicSecs`** *(int64, REQUIRED)* - is the offset of clock monotonic (in secs) in the container.
+* **`monotonicNanosecs`** *(int64, OPTIONAL)* - is the additional offset for MonotonicSecs (in nanosecs). The actual offset is monotonicSecs plus monotonicNanosecs.
+* **`boottimeSecs`** *(int64, REQUIRED)* - is the offset of clock boottime (in secs) in the container.
+* **`boottimeNanosecs`** *(int64, OPTIONAL)* - the additional offset for BoottimeSecs (in nanosecs). The actual offset is boottimeSecs plus boottimeNanosecs.
+
 ## <a name="configLinuxDevices" />Devices
 
 **`devices`** (array of objects, OPTIONAL) lists devices that MUST be available in the container.
@@ -770,3 +784,4 @@ subset of the available options.
 [zero.4]: http://man7.org/linux/man-pages/man4/zero.4.html
 [user-namespaces]: http://man7.org/linux/man-pages/man7/user_namespaces.7.html
 [intel-rdt-cat-kernel-interface]: https://www.kernel.org/doc/Documentation/x86/intel_rdt_ui.txt
+[time_namespaces.7]: https://man7.org/linux/man-pages/man7/time_namespaces.7.html
diff --git a/config.md b/config.md
@@ -905,6 +905,12 @@ Here is a full example `config.json` for reference.
                 }
             ]
         },
+        "timeOffset": {
+            "monotonicSecs": 172800,
+            "monotonicNanosecs": 0,
+            "boottimeSecs": 604800,
+            "boottimeNanosecs": 0
+        },
         "namespaces": [
             {
                 "type": "pid"
@@ -926,6 +932,9 @@ Here is a full example `config.json` for reference.
             },
             {
                 "type": "cgroup"
+            },
+            {
+                "type": "time"
             }
         ],
         "maskedPaths": [

diff --git a/schema/config-linux.json b/schema/config-linux.json
@@ -253,6 +253,27 @@
             "personality": {
                 "type": "object",
                 "$ref": "defs-linux.json#/definitions/Personality"
+            },
+            "timeOffset": {
+                "type": "object",
+                "properties": {
+                    "monotonicSecs": {
+                        "$ref": "defs.json#/definitions/int64"
+                    },
+                    "monotonicNanosecs": {
+                        "$ref": "defs.json#/definitions/int64"
+                    },
+                    "boottimeSecs": {
+                        "$ref": "defs.json#/definitions/int64"
+                    },
+                    "boottimeNanosecs": {
+                        "$ref": "defs.json#/definitions/int64"
+                    }
+                },
+                "required": [
+                    "monotonicSecs",
+                    "boottimeSecs"
+                ]
             }
         }
     }

diff --git a/schema/defs-linux.json b/schema/defs-linux.json
@@ -292,7 +292,8 @@
                 "uts",
                 "ipc",
                 "user",
-                "cgroup"
+                "cgroup",
+                "time"
             ]
         },
         "NamespaceReference": {

diff --git a/schema/test/config/good/spec-example.json b/schema/test/config/good/spec-example.json
@@ -349,6 +349,12 @@
                 }
             ]
         },
+        "timeOffset": {
+            "monotonicSecs": 172800,
+            "monotonicNanosecs": 0,
+            "boottimeSecs": 604800,
+            "boottimeNanosecs": 0
+        },
         "namespaces": [
             {
                 "type": "pid"
@@ -370,6 +376,9 @@
             },
             {
                 "type": "cgroup"
+            },
+            {
+                "type": "time"
             }
         ],
         "maskedPaths": [

diff --git a/specs-go/config.go b/specs-go/config.go
@@ -182,6 +182,8 @@ type Linux struct {
 	IntelRdt *LinuxIntelRdt `json:"intelRdt,omitempty"`
 	// Personality contains configuration for the Linux personality syscall
 	Personality *LinuxPersonality `json:"personality,omitempty"`
+	// LinuxTimeOffset specifies the offset for supporting time namespaces.
+	TimeOffset *LinuxTimeOffset `json:"timeOffset,omitempty"`
 }
 
 // LinuxNamespace is the configuration for a Linux namespace
@@ -211,6 +213,8 @@ const (
 	UserNamespace LinuxNamespaceType = "user"
 	// CgroupNamespace for isolating cgroup hierarchies
 	CgroupNamespace LinuxNamespaceType = "cgroup"
+	// TimeNamespace for isolating the system monotonic and boot-time clocks
+	TimeNamespace LinuxNamespaceType = "time"
 )
 
 // LinuxIDMapping specifies UID/GID mappings
@@ -223,6 +227,18 @@ type LinuxIDMapping struct {
 	Size uint32 `json:"size"`
 }
 
+// LinuxTimeOffset specifies the offset for Time Namespace
+type LinuxTimeOffset struct {
+	// MonotonicSecs is the offset of clock monotonic (in secs) in the container
+	MonotonicSecs int64 `json:"monotonicSecs"`
+	// MonotonicNanosecs is the additional offset for MonotonicSecs (in nanosecs)
+	MonotonicNanosecs int64 `json:"monotonicNanosecs,omitempty"`
+	// BoottimeSecs is the offset of clock boottime (in secs) in the container
+	BoottimeSecs uint64 `json:"boottimeSecs"`
+	// BoottimeNanosecs is the additional offset for BoottimeSecs (in nanosecs)
+	BoottimeNanosecs int64 `json:"boottimeNanosecs,omitempty"`
+}
+
 // POSIXRlimit type and restrictions
 type POSIXRlimit struct {
 	// Type of the rlimit to set
-Original file line number
+Diff line change
@@ Expand Up / @@ -292,7 +292,8 @@ @@
                     "uts",
                     "ipc",
                     "user",
-                    "cgroup"
+                    "cgroup",
+                    "time"
                 ]
             },
             "NamespaceReference": {
@@ Expand Down @@