diff --git a/config-linux.md b/config-linux.md index b206fa04c..6555f526e 100644 --- a/config-linux.md +++ b/config-linux.md @@ -154,29 +154,48 @@ In addition to any devices configured with this setting, the runtime MUST also s ## Control groups Also known as cgroups, they are used to restrict resource usage for a container and handle device access. -cgroups provide controls to restrict cpu, memory, IO, pids and network for the container. +cgroups provide controls (through controllers) to restrict cpu, memory, IO, pids and network for the container. For more information, see the [kernel cgroups documentation][cgroup-v1]. The path to the cgroups can be specified in the Spec via `cgroupsPath`. -`cgroupsPath` is expected to be relative to the cgroups mount point. -If `cgroupsPath` is not specified, implementations can define the default cgroup path. +`cgroupsPath` can be used to either control the cgroup hierarchy for containers or to run a new process in an existing container. +If `cgroupsPath` is: +* ... an absolute path (starting with `/`), the runtime MUST take the path to be relative to the cgroup mount point. +* ... a relative path (not starting with `/`), the runtime MAY interpret the path relative to a runtime-determined location in the cgroup hierarchy. +* ... not specified, the runtime MAY define the default cgroup path. +Runtimes MAY consider certain `cgroupsPath` values to be invalid, and MUST generate an error if this is the case. +If a `cgroupsPath` value is specified, the runtime MUST consistently attach to the same place in the cgroup hierarchy given the same value of `cgroupsPath`. + Implementations of the Spec can choose to name cgroups in any manner. The Spec does not include naming schema for cgroups. -The Spec does not support [split hierarchy][cgroup-v2]. +The Spec does not support per-controller paths for the reasons discussed in the [cgroupv2 documentation][cgroup-v2]. The cgroups will be created if they don't exist. +You can configure a container's cgroups via the `resources` field of the Linux configuration. +Do not specify `resources` unless limits have to be updated. +For example, to run a new process in an existing container without updating limits, `resources` need not be specified. + +A runtime MUST at least use the minimum set of cgroup controllers required to fulfill the `resources` settings. +However, a runtime MAY attach the container process to additional cgroup controllers supported by the system. + ###### Example ```json - "cgroupsPath": "/myRuntime/myContainer" + "cgroupsPath": "/myRuntime/myContainer", + "resources": { + "memory": { + "limit": 100000, + "reservation": 200000 + }, + "devices": [ + { + "allow": false, + "access": "rwm" + } + ] + } ``` -`cgroupsPath` can be used to either control the cgroups hierarchy for containers or to run a new process in an existing container. - -You can configure a container's cgroups via the `resources` field of the Linux configuration. -Do not specify `resources` unless limits have to be updated. -For example, to run a new process in an existing container without updating limits, `resources` need not be specified. - #### Device whitelist `devices` is an array of entries to control the [device whitelist][cgroup-v1-devices].