From c872dc74ff9271526af38c80d76957d371b1ed8c Mon Sep 17 00:00:00 2001
From: John Howard
Date: Fri, 12 May 2017 16:05:31 -0700
Subject: [PATCH] Windows: Add Hyper-V isolation fields

Signed-off-by: John Howard
---
 config-windows.md | 23 ++++++++++++++++++++++-
 schema/config-windows.json | 14 ++++++++++++++
 specs-go/config.go | 10 ++++++++++
 3 files changed, 46 insertions(+), 1 deletion(-)

diff --git a/config-windows.md b/config-windows.md
index 761f2a79a..5634265ee 100644
--- a/config-windows.md
+++ b/config-windows.md
@@ -104,4 +104,25 @@ For more information about tooling to generate a gMSA, see [Deployment Overview]
 [gMSAOverview]: https://aka.ms/windowscontainers/manage-serviceaccounts
-[gMSATooling]: https://aka.ms/windowscontainers/credentialspec-tools
\ No newline at end of file
+[gMSATooling]: https://aka.ms/windowscontainers/credentialspec-tools
+
+
+## HyperV
+
+`hyperv` is an OPTIONAL field of the Windows configuration. If present, the container MUST be run with Hyper-V isolation. If omitted, the container MUST be run as a Windows Server container.
+
+The following parameters can be specified:
+
+* **`utilityvmpath`** *(string, OPTIONAL)* - specifies the path to the image used for the utility VM. If not supplied, the runtime will search the container filesystem layers from the bottom-most layer upwards, until it locates "UtilityVM", and default to that path.
+
+* **`sandboxpath`** *(string, REQUIRED)* - specifies the root of the path to the sandbox to be used for the container.
+
+### Example
+
+```json
+ "windows": {
+ "hyperv": {
+ "sandboxpath": "C:\\\\programdata\\\\docker\\\\windowsfilter"
+ }
+ }
+```
diff --git a/schema/config-windows.json b/schema/config-windows.json
index 5ecd6dbd6..ed0fe9d1b 100644
--- a/schema/config-windows.json
+++ b/schema/config-windows.json
@@ -69,6 +69,20 @@
 "credentialspec": {
 "id": "https://opencontainers.org/schema/bundle/windows/credentialspec",
 "type": "object"
+ },
+ "hyperv": {
+ "id": "https://opencontainers.org/schema/bundle/windows/hyperv",
+ "type": "object",
+ "properties": {
+ "utilityvmpath": {
+ "id": "https://opencontainers.org/schema/bundle/windows/hyperv/utilityvmpath",
+ "type": "string"
+ },
+ "sandboxpath": {
+ "id": "https://opencontainers.org/schema/bundle/windows/hyperv/sandboxpath",
+ "type": "string"
+ }
+ }
 }
 }
 }
diff --git a/specs-go/config.go b/specs-go/config.go
index 716821523..c05d24d5d 100644
--- a/specs-go/config.go
+++ b/specs-go/config.go
@@ -434,6 +434,8 @@ type Windows struct {
 Resources *WindowsResources `json:"resources,omitempty"`
 // CredentialSpec contains a JSON object describing a group Managed Service Account (gMSA) specification.
 CredentialSpec interface{} `json:"credentialspec,omitempty"`
+ // HyperV contains information for running a container with Hyper-V isolation.
+ HyperV *WindowsHyperV `json:"hyperv,omitempty"`
 }
 
 // WindowsResources has container runtime resource constraints for containers running on Windows.
@@ -480,6 +482,14 @@ type WindowsNetworkResources struct {
 EgressBandwidth *uint64 `json:"egressBandwidth,omitempty"`
 }
 
+// WindowsHyperV contains information for configuring a container to run with Hyper-V isolation.
+type WindowsHyperV struct {
+ // UtilityVMPath is an optional path to the image used for the Utility VM.
+ UtilityVMPath string `json:"utilityvmpath,omitempty"`
+ // SandboxPath is a required host-path to the sandbox to be used by the container.
+ SandboxPath string `json:"sandboxpath"`
+}
+
 // LinuxSeccomp represents syscall restrictions
 type LinuxSeccomp struct {
 DefaultAction LinuxSeccompAction `json:"defaultAction"`
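Review bot: The new `hyperv` schema object never declares `sandboxpath` as required, so a bundle that omits it passes schema validation even though config-windows.md marks the field REQUIRED and the Go tag in the same patch deliberately drops `omitempty`. Add `"required": ["sandboxpath"]` alongside `"properties"` inside the `hyperv` object so validation enforces the same contract the prose and the Go type state. Without it the missing sandbox root is only discovered by the runtime at container start rather than at config validation.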
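Review bot: The doc comment on the new `HyperV` field does not say that presence alone changes the isolation mode, which config-windows.md in this same patch makes normative ("If present, the container MUST be run with Hyper-V isolation"); a non-nil pointer to an empty `WindowsHyperV` therefore selects Hyper-V isolation, and a reader of config.go alone cannot tell that. I would extend the comment to `// HyperV contains information for running a container with Hyper-V isolation. A non-nil value, even with no fields set, selects Hyper-V isolation; nil means a Windows Server container.` The `Windows` struct starts and ends outside this hunk.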
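Review bot: The new struct tags `utilityvmpath` and `sandboxpath` are all-lowercase while the tag visible in this hunk's context, `egressBandwidth`, follows the camelCase convention of the resource fields; since these names become part of the spec once merged, settle the convention now (`json:"utilityVMPath,omitempty"` / `json:"sandboxPath"`, with the same spelling in config-windows.md and schema/config-windows.json) rather than carrying the lowercase `credentialspec` precedent forward. The `UtilityVMPath` comment also omits the fallback that config-windows.md specifies; I would extend it to `// UtilityVMPath is an optional path to the image used for the Utility VM; when empty, the runtime searches the layers, bottom-most first, for a "UtilityVM" directory.` Both values are host paths taken from the bundle's config.json and nothing in the type constrains them, so the `SandboxPath` comment should say that the spec imposes no constraint on the value and that the runtime is expected to validate it (for example, require an absolute path) before use.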