The Linux ABI includes both syscalls and several special file paths.

| /proc | [procfs][] |

| /sys | [sysfs][] |

| /dev/pts | [devpts][] |

| /dev/shm | [tmpfs][] |

A namespace wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource.

Changes to the global resource are visible to other processes that are members of the namespace, but are invisible to other processes.

Namespaces are specified as an array of entries inside the `namespaces` root field.

* **`pid`** processes inside the container will only be able to see other processes inside the same container.

* **`network`** the container will have its own network stack.

* **`mount`** the container will have an isolated mount table.

* **`ipc`** processes inside the container will only be able to communicate to other processes inside the same container via system level IPC.

* **`uts`** the container will be able to have its own hostname and domain name.

* **`user`** the container will be able to remap user and group IDs from the host to local users and groups within the container.

* **`cgroup`** the container will have an isolated view of the cgroup hierarchy.

* **`path`** *(string, OPTIONAL)* - an absolute path to namespace file in the [runtime mount namespace](glossary.md#runtime-namespace).

The runtime MUST place the container process in the namespace associated with that `path`.

The runtime MUST [generate an error](runtime.md#errors) if `path` is not associated with a namespace of type `type`.

If `path` is not specified, the runtime MUST create a new [container namespace](glossary.md#container-namespace) of type `type`.

"namespaces": [

{

"type": "pid",

"path": "/proc/1234/ns/pid"

},

{

"type": "network",

"path": "/var/run/netns/neta"

},

{

"type": "mount"

},

{

"type": "ipc"

},

{

"type": "uts"

},

{

"type": "user"

},

{

"type": "cgroup"

}

]

**`uidMappings`** (array of objects, OPTIONAL) describes the user namespace uid mappings from the host to the container.

**`gidMappings`** (array of objects, OPTIONAL) describes the user namespace gid mappings from the host to the container.

* **`hostID`** *(uint32, REQUIRED)* - is the starting uid/gid on the host to be mapped to *containerID*.

* **`containerID`** *(uint32, REQUIRED)* - is the starting uid/gid in the container.

* **`size`** *(uint32, REQUIRED)* - is the number of ids to be mapped.

The runtime SHOULD NOT modify the ownership of referenced filesystems to realize the mapping.

"uidMappings": [

{

"hostID": 1000,

"containerID": 0,

}

],

"gidMappings": [

{

"hostID": 1000,

"containerID": 0,

}

]

* **`uid`** *(uint32, OPTIONAL)* - id of device owner.

* **`gid`** *(uint32, OPTIONAL)* - id of device group.

The same `type`, `major` and `minor` SHOULD NOT be used for multiple devices.

"major": 10,

"minor": 229,

"uid": 0,

"gid": 0

},

{

"path": "/dev/sda",

"type": "b",

"major": 8,

"uid": 0,

"gid": 0

}

]

In addition to any devices configured with this setting, the runtime MUST also supply:

* [`/dev/null`][null.4]

* [`/dev/zero`][zero.4]

* [`/dev/full`][full.4]

* [`/dev/random`][random.4]

* [`/dev/urandom`][random.4]

* [`/dev/tty`][tty.4]

* [`/dev/ptmx`][pts.4].

A [bind-mount or symlink of the container's `/dev/pts/ptmx`][devpts].

Also known as cgroups, they are used to restrict resource usage for a container and handle device access.

**`cgroupsPath`** (string, OPTIONAL) path to the cgroups.

It can be used to either control the cgroups hierarchy for containers or to run a new process in an existing container.

The value of `cgroupsPath` MUST be either an absolute path or a relative path.

* In the case of an absolute path (starting with `/`), the runtime MUST take the path to be relative to the cgroups mount point.

* In the case of a relative path (not starting with `/`), the runtime MAY interpret the path relative to a runtime-determined location in the cgroups hierarchy.

If the value is specified, the runtime MUST consistently attach to the same place in the cgroups hierarchy given the same value of `cgroupsPath`.

If the value is not specified, the runtime MAY define the default cgroups path.

Runtimes MAY consider certain `cgroupsPath` values to be invalid, and MUST generate an error if this is the case.

Implementations of the Spec can choose to name cgroups in any manner.

The Spec does not include naming schema for cgroups.

The cgroups will be created if they don't exist.

You can configure a container's cgroups via the `resources` field of the Linux configuration.

Do not specify `resources` unless limits have to be updated.

For example, to run a new process in an existing container without updating limits, `resources` need not be specified.

"cgroupsPath": "/myRuntime/myContainer",

"resources": {

"memory": {

"limit": 100000,

"reservation": 200000

},

"devices": [

{

"allow": false,

"access": "rwm"

}

]

The runtime MUST apply entries in the listed order.

{

"allow": false,

"access": "rwm"

},

{

"allow": true,

"type": "c",

"major": 10,

"minor": 229,

"access": "rw"

},

{

"allow": true,

"type": "b",

"major": 8,

"minor": 0,

"access": "r"

}

]

Values for memory specify the limit in bytes, or `-1` for unlimited memory.

* **`limit`** *(int64, OPTIONAL)* - sets limit of memory usage

* **`reservation`** *(int64, OPTIONAL)* - sets soft limit of memory usage

* **`swap`** *(int64, OPTIONAL)* - sets limit of memory+Swap usage

* **`kernel`** *(int64, OPTIONAL)* - sets hard limit for kernel memory

* **`kernelTCP`** *(int64, OPTIONAL)* - sets hard limit for kernel TCP buffer memory

The values are from 0 to 100. Higher means more swappy.

* **`disableOOMKiller`** *(bool, OPTIONAL)* - enables or disables the OOM killer.

If enabled (`false`), tasks that attempt to consume more memory than they are allowed are immediately killed by the OOM killer.

The OOM killer is enabled by default in every cgroup using the `memory` subsystem.

To disable it, specify a value of `true`.

"memory": {

"limit": 536870912,

"reservation": 536870912,

"swap": 536870912,

"kernel": -1,

"kernelTCP": -1,

"swappiness": 0,

"disableOOMKiller": false

}

* **`realtimePeriod`** *(uint64, OPTIONAL)* - same as **`period`** but applies to realtime scheduler only

* **`cpus`** *(string, OPTIONAL)* - list of CPUs the container will run in

* **`mems`** *(string, OPTIONAL)* - list of Memory Nodes the container will run in

"cpu": {

"shares": 1024,

"quota": 1000000,

"period": 500000,

"realtimeRuntime": 950000,

"realtimePeriod": 1000000,

"cpus": "2-3",

"mems": "0-7"

}

* **`weight`** *(uint16, OPTIONAL)* - specifies per-cgroup weight. This is default weight of the group on all devices until and unless overridden by per-device rules.

* **`leafWeight`** *(uint16, OPTIONAL)* - equivalents of `weight` for the purpose of deciding how much weight tasks in the given cgroup has while competing with the cgroup's child cgroups.

* **`weightDevice`** *(array of objects, OPTIONAL)* - specifies the list of devices which will be bandwidth rate limited. The following parameters can be specified per-device:

* **`weight`** *(uint16, OPTIONAL)* - bandwidth rate for the device.

* **`leafWeight`** *(uint16, OPTIONAL)* - bandwidth rate for the device while competing with the cgroup's child cgroups, CFQ scheduler only

"blockIO": {

"weight": 10,

"leafWeight": 10,

"weightDevice": [

{

"major": 8,

"minor": 0,

"weight": 500,

"leafWeight": 300

},

{

"major": 8,

"minor": 16,

"weight": 500

}

],

{

"major": 8,

"minor": 0,

"rate": 600

}

],

{

"major": 8,

"minor": 16,

"rate": 300

}

]

}