linuxkit_image.md

File metadata and controls

194 lines (141 loc) · 10.7 KB

linuxkit_image

Argument Reference

The following arguments are supported:

  • additional_gid_names - list (Optional) A list of additional group names for the process
  • additional_gids - list (Optional) A list of additional groups for the process
  • ambient - list (Optional) The Linux ambient capabilities (capabilities passed to non-root users) that are required
  • annotations - list (Optional) The map of key value pairs as OCI metadata
  • binds - list (Optional) A simpler interface to specify bind mounts, accepting a string like /src:/dest:opt1,opt2
  • capabilities - list (Optional) The Linux capabilities required, for example CAP_SYS_ADMIN. If the list contains the single entry 'all', every capability is added
  • cgroups_path - string (Optional) The path for cgroups
  • command - list (Optional) This will override the command and entrypoint in the image with a new list of commands
  • cwd - string (Optional) The working directory, defaults to /
  • env - list (Optional) This will override the environment in the image with a new environment list. Specify variables as VAR=value
  • gid - number (Optional) The group id of the process
  • gid_mappings - gid_mappings (Optional) (Experimental) gid mappings for user namespaces
  • gid_name - string (Optional) The group name of the process
  • hostname - string (Optional) The hostname inside the image
  • image - string (Required) The Docker image to use for the filesystem
  • ipc - string (Optional) The ipc namespace: either a path to an existing namespace, or new to create a new namespace
  • masked_paths - list (Optional) The paths which should be hidden
  • mounts - mounts (Optional) The full form for specifying a mount, which requires type, source, destination and a list of options
  • name - string (Required) A unique name for the program being executed, used as the containerd id
  • net - string (Optional) The network namespace: either a path to an existing namespace, or none or new to create a new namespace
  • no_new_privileges - bool (Optional) If true, no additional capabilities can be acquired and setuid binaries do not work
  • oom_score_adj - number (Optional) This changes the OOM score
  • pid - string (Optional) The pid namespace: either a path to an existing namespace, or host to use the host namespace
  • readonly - bool (Optional) Makes the root filesystem read only, and changes the other default filesystems to read only
  • readonly_paths - list (Optional) The paths which should be read only
  • resources - resources (Optional) The cgroup resource limits as per the OCI spec
  • rlimits - list (Optional) The list of rlimit values in the form name,soft,hard, eg nofile,100,200. You can use unlimited as a value too
  • rootfs_propagation - string (Optional) The rootfs propagation, eg shared, slave or (default) private
  • runtime - runtime (Optional) Actions to take place when the container is being started
  • sysctl - map (Optional) The map of sysctl key value pairs that are set inside the container namespace
  • tmpfs - list (Optional) A simpler interface to mount a tmpfs, like --tmpfs in Docker, taking /dest:opt1,opt2
  • uid - number (Optional) The user id of the process
  • uid_mappings - uid_mappings (Optional) (Experimental) uid mappings for user namespaces
  • uid_name - string (Optional) The user name of the process
  • uts - string (Optional) The uts namespace: either a path to an existing namespace, or new to create a new namespace

Attributes Reference

No additional attributes are exported by this resource.

Block Reference

Below is the documentation for the argument/attribute blocks in use by this resource:

bind_ns

  • cgroups - string (Optional)
  • ipc - string (Optional)
  • mnt - string (Optional)
  • net - string (Optional)
  • pid - string (Optional)
  • user - string (Optional)
  • uts - string (Optional)

block_io

  • leaf_weight - number (Optional) The tasks' weight in the given cgroup while competing with the cgroup's child cgroups, CFQ scheduler only
  • throttle_read_bps_device - throttle_read_bps_device (Optional) IO read rate limit per cgroup per device, bytes per second
  • throttle_read_iops_device - throttle_read_iops_device (Optional) IO read rate limit per cgroup per device, IO per second
  • throttle_write_bps_device - throttle_write_bps_device (Optional) IO write rate limit per cgroup per device, bytes per second
  • throttle_write_iops_device - throttle_write_iops_device (Optional) IO write rate limit per cgroup per device, IO per second
  • weight - number (Optional) The per cgroup weight
  • weight_device - weight_device (Optional) The weight per cgroup per device, can override BlkioWeight

cpu

  • cpus - string (Optional) CPUs to use within the cpuset
  • mems - string (Optional) List of memory nodes in the cpuset
  • period - number (Optional) CPU period to be used for hardcapping in usecs
  • quota - number (Optional) CPU hardcap limit in usecs
  • realtime_period - number (Optional) CPU period to be used for realtime scheduling in usecs
  • realtime_runtime - number (Optional) How much time realtime scheduling may use in usecs
  • shares - number (Optional) CPU shares (relative weight vs. other cgroups with cpu shares)

devices

  • access - string (Optional) Cgroup access permissions, in rwm format
  • allow - bool (Required) Allow or deny device
  • major - number (Optional) The device's major number
  • minor - number (Optional) The device's minor number
  • type - string (Optional) The device type, block, char, etc

gid_mappings

  • container_id - number (Optional) The starting GID in the container
  • host_id - number (Optional) The starting GID on the host that is mapped to container_id
  • size - number (Optional) The number of IDs to be mapped

hugepage_limits

  • limit - number (Optional) The limit of hugetlb usage, in bytes, for pages of the given page_size
  • page_size - string (Optional) The hugepage size

interfaces

  • add - string (Optional) The type of interface to be created in the container's namespace, with the specified name
  • create_in_root - bool (Optional) The interface being added should be created in the root namespace first, then moved. This is needed for wireguard interfaces
  • name - string (Optional) The name of an interface. An existing interface with this name will be moved into the container's network namespace
  • peer - string (Optional) The name of the other end when creating a veth interface. This end will remain in the root namespace, where it can be attached to a bridge. Specifying this implies add: veth

memory

  • disable_oom_killer - bool (Optional) This disables the OOM killer for out of memory conditions
  • kernel - number (Optional) The kernel memory limit (in bytes)
  • kernel_tcp - number (Optional) The kernel memory limit for tcp (in bytes)
  • limit - number (Optional) The memory limit (in bytes)
  • reservation - number (Optional) The memory reservation or soft_limit (in bytes)
  • swap - number (Optional) The total memory limit (memory + swap)
  • swappiness - number (Optional) How aggressively the kernel will swap memory pages

mounts

  • destination - list (Optional) The destination path of the mount
  • options - list (Optional) The fstab style mount options
  • source - list (Optional) The source path of the mount
  • type - list (Required) The mount kind

mounts

  • destination - string (Optional) The destination directory to mount onto
  • options - list (Optional) The options to use when mounting the directory
  • source - string (Optional) The source for the directory you want to mount
  • type - string (Optional) The type of the mount

network

  • class_id - number (Optional) The class identifier for the container's network packets
  • priorities - priorities (Optional) The priority of network traffic for the container

pids

  • limit - number (Optional) Maximum number of PIDs

priorities

  • name - string (Optional) The name of the network interface
  • priority - number (Optional) The priority for the interface

resources

  • block_io - block_io (Optional) The BlockIO restriction configuration
  • cpu - cpu (Optional) The CPU restriction configuration
  • devices - devices (Optional) This configures the device whitelist
  • hugepage_limits - hugepage_limits (Optional) Hugetlb limit (in bytes)
  • memory - memory (Optional) The memory restriction configuration
  • network - network (Optional) The network restriction configuration
  • pids - pids (Optional) The task resource restriction configuration

runtime

  • bind_ns - bind_ns (Optional) Specifies a namespace type and a path where the namespace from the container being created will be bound. This allows a namespace to be set up in an onboot container and then reused by a later service container, which points its net argument at that path to join the same network namespace
  • cgroups - list (Optional) A list of cgroups that will be created before the container is run
  • interfaces - interfaces (Optional) A list of network interface specifications (interfaces to create in, or move into, the container's network namespace)
  • mkdir - list (Optional) A list of directories to create at runtime, in the root mount namespace
  • mounts - mounts (Optional) A list of mount specifications
  • namespace - string (Optional) Overrides the LinuxKit default containerd namespace to put the container in; only applicable to services

throttle_read_bps_device

  • rate - number (Optional) The IO rate limit per cgroup per device

throttle_read_iops_device

  • rate - number (Optional) The IO rate limit per cgroup per device

throttle_write_bps_device

  • rate - number (Optional) The IO rate limit per cgroup per device

throttle_write_iops_device

  • rate - number (Optional) The IO rate limit per cgroup per device

uid_mappings

  • container_id - number (Optional) The starting UID in the container
  • host_id - number (Optional) The starting UID on the host that is mapped to container_id
  • size - number (Optional) The number of IDs to be mapped

weight_device

  • leaf_weight - number (Optional) The tasks' weight in the given cgroup while competing with the cgroup's child cgroups, CFQ scheduler only
  • weight - number (Optional) The weight is the bandwidth rate for the device
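
The following HCL is added here as an illustration and is not taken from the provider's own documentation; it combines the security-relevant arguments from the Argument Reference and Block Reference above into one least-privilege service definition. It assumes the nested resources, memory and pids arguments are written as HCL blocks, and the image reference, uid/gid and limit values are placeholders.

```hcl
# Added example, not from the provider's documentation: a service container
# defined with the arguments listed above, configured for least privilege.
# The image reference and the nested-block syntax (resources { ... }) are
# assumptions; check them against the provider schema before use.
resource "linuxkit_image" "example_service" {
  name  = "example-service"            # containerd id, must be unique
  image = "registry.example/app:TAG"   # placeholder image reference

  # Run as an unprivileged identity inside the container.
  uid = 65534
  gid = 65534

  # Grant only the capability the service needs. The single value "all"
  # would add every capability, and CAP_SYS_ADMIN should appear only when
  # the service genuinely requires it.
  capabilities = ["CAP_NET_BIND_SERVICE"]

  # Block privilege escalation via setuid binaries and file capabilities.
  no_new_privileges = true

  # Read-only root and default filesystems; writable scratch space only on a
  # tmpfs mounted nosuid and nodev (format /dest:opt1,opt2).
  readonly = true
  tmpfs    = ["/tmp:nosuid,nodev"]

  # Hide or freeze kernel interfaces the service has no reason to touch.
  masked_paths   = ["/proc/kcore"]
  readonly_paths = ["/proc/sys"]

  # Host data is bind-mounted read only (format /src:/dest:opts).
  binds = ["/etc/resolv.conf:/etc/resolv.conf:ro"]

  # Per-process limits in name,soft,hard form.
  rlimits = ["nofile,1024,4096"]

  # cgroup limits so a misbehaving service cannot exhaust the host.
  resources {
    memory {
      limit = 134217728   # 128 MiB, in bytes
    }
    pids {
      limit = 64
    }
  }
}
```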