1syntax = "proto3";
2
3package docker.swarmkit.v1;
4
5import "github.com/docker/swarmkit/api/types.proto";
6import "gogoproto/gogo.proto";
7import "google/protobuf/duration.proto";
8import "google/protobuf/any.proto";
9import "google/protobuf/wrappers.proto";
10
11// Specs are container objects for user provided input. All creations and
12// updates are done through spec types. As a convention, user input from a spec
13// is never touched in created objects. This allows one to verify that the
14// users intent has not been modified.
15//
16// Put differently, spec types can be said to represent the desired state of
17// the system. In situations where modifications need to be made to a
18// particular component, API objects will either contain a copy of the spec
19// component or a different representation to reflect allocation or resolution.
20
21message NodeSpec {
22	Annotations annotations = 1 [(gogoproto.nullable) = false];
23
24	enum Membership {
25		option (gogoproto.goproto_enum_prefix) = false;
26
27		PENDING = 0 [(gogoproto.enumvalue_customname) = "NodeMembershipPending"];
28		ACCEPTED = 1 [(gogoproto.enumvalue_customname) = "NodeMembershipAccepted"];
29	}
30
31	enum Availability {
32		option (gogoproto.goproto_enum_prefix) = false;
33
34		// Active nodes.
35		ACTIVE = 0 [(gogoproto.enumvalue_customname) = "NodeAvailabilityActive"];
36
37		// Paused nodes won't be considered by the scheduler, preventing any
38		// further task to run on them.
39		PAUSE = 1 [(gogoproto.enumvalue_customname) = "NodeAvailabilityPause"];
40
41		// Drained nodes are paused and any task already running on them will
42		// be evicted.
43		DRAIN = 2 [(gogoproto.enumvalue_customname) = "NodeAvailabilityDrain"];
44	}
45
46	// DesiredRole defines the role the node should have.
47	NodeRole desired_role = 2;
48
49	// Membership controls the admission of the node into the cluster.
50	Membership membership = 3;
51
52	// Availability allows a user to control the current scheduling status of a
53	// node.
54	Availability availability = 4;
55}
56
57// ServiceSpec defines the properties of a service.
58//
59// A service instructs the cluster in orchestrating repeated instances of a
60// template, implemented as tasks. Based on the number of instances, scheduling
61// strategy and restart policy, a number of application-level behaviors can be
62// defined.
63message ServiceSpec {
64	Annotations annotations = 1 [(gogoproto.nullable) = false];
65
66	// Task defines the task template this service will spawn.
67	TaskSpec task = 2 [(gogoproto.nullable) = false];
68
69	oneof mode {
70		ReplicatedService replicated = 3;
71		GlobalService global = 4;
72	}
73
74	// Update contains settings which affect updates.
75	UpdateConfig update = 6;
76
77	// Rollback contains settings which affect rollbacks of updates.
78	UpdateConfig rollback = 9;
79
80	// ServiceSpec.Networks has been deprecated and is replaced by
81	// Networks field in Task (TaskSpec.Networks).
82	// This field (ServiceSpec.Networks) is kept for compatibility.
83	// In case TaskSpec.Networks does not exist, ServiceSpec.Networks
84	// is still honored if it exists.
85	repeated NetworkAttachmentConfig networks = 7 [deprecated=true];
86
87	// Service endpoint specifies the user provided configuration
88	// to properly discover and load balance a service.
89	EndpointSpec endpoint = 8;
90}
91
92// ReplicatedService sets the reconciliation target to certain number of replicas.
93message ReplicatedService {
94	uint64 replicas = 1;
95}
96
97// GlobalService represents global service.
98message GlobalService {
99	// Empty message for now.
100}
101
102message TaskSpec {
103	oneof runtime {
104		NetworkAttachmentSpec attachment = 8;
105		ContainerSpec container = 1;
106		GenericRuntimeSpec generic = 10;
107	}
108
109	// Resource requirements for the container.
110	ResourceRequirements resources = 2;
111
112	// RestartPolicy specifies what to do when a task fails or finishes.
113	RestartPolicy restart = 4;
114
115	// Placement specifies node selection constraints
116	Placement placement = 5;
117
118	// LogDriver specifies the log driver to use for the task. Any runtime will
119	// direct logs into the specified driver for the duration of the task.
120	Driver log_driver = 6;
121
122	// Networks specifies the list of network attachment
123	// configurations (which specify the network and per-network
124	// aliases) that this task spec is bound to.
125	repeated NetworkAttachmentConfig networks = 7;
126
127	// ForceUpdate is a counter that triggers an update even if no relevant
128	// parameters have been changed. We do this to allow forced restarts
129	// using the same reconciliation-based mechanism that performs rolling
130	// updates.
131	uint64 force_update = 9;
132
133	// ResourceReferences provides a generic way to specify resources that
134	// are used by this task, and should be sent down to agents along with
135	// the task. Inside the runtime field there may be more specific
136	// information about how to use the resource, but ResourceReferences
137	// establishes the relationship at the store level, and instructs the
138	// dispatcher to send the related objects.
139	//
140	// ResourceReferences is a list of ResourceReferences used by the task.
141	repeated ResourceReference resource_references = 11 [(gogoproto.nullable) = false];
142}
143
144message ResourceReference {
145	string resource_id = 1;
146	ResourceType resource_type = 2;
147}
148
149message GenericRuntimeSpec {
150	string kind = 1;
151	google.protobuf.Any payload = 2;
152}
153
154// NetworkAttachmentSpec specifies runtime parameters required to attach
155// a container to a network.
156message NetworkAttachmentSpec {
157	// ContainerID specifies a unique ID of the container for which
158	// this attachment is for.
159	string container_id = 1;
160}
161
162
163// Container specifies runtime parameters for a container.
164message ContainerSpec {
165	// image defines the image reference, as specified in the
166	// distribution/reference package. This may include a registry host, name,
167	// tag or digest.
168	//
169	// The field will be directly passed to the engine pulling. Well-behaved
170	// service definitions will used immutable references, either through tags
171	// that don't change or verifiable digests.
172	string image = 1;
173
174	// Labels defines labels to be added to the container at creation time. If
175	// collisions with system labels occur, these labels will be overridden.
176	//
177	// This field *must* remain compatible with the Labels field of
178	// Annotations.
179	map<string, string> labels = 2;
180
181	// Command to run the the container. The first element is a path to the
182	// executable and the following elements are treated as arguments.
183	//
184	// If command is empty, execution will fall back to the image's entrypoint.
185	//
186	// Command should only be used when overriding entrypoint.
187	repeated string command = 3;
188
189	// Args specifies arguments provided to the image's entrypoint.
190	//
191	// If Command and Args are provided, Args will be appended to Command.
192	repeated string args = 4;
193
194	// Hostname specifies the hostname that will be set on containers created by docker swarm.
195	// All containers for a given service will have the same hostname
196	string hostname = 14;
197
198	// Env specifies the environment variables for the container in NAME=VALUE
199	// format. These must be compliant with  [IEEE Std
200	// 1003.1-2001](http://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap08.html).
201	repeated string env = 5;
202
203	// Dir defines the working directory to set for the container process.
204	string dir = 6;
205
206	// User specifies the user that should be employed to run the container.
207	//
208	// Note that the primary group may be specified by appending the group name
209	// or id to the user name, separated by a `:`. This syntax is
210	// `<user>:<group>`.
211	string user = 7;
212
213	// Groups specifies supplementary groups available to the user.
214	repeated string groups = 11;
215
216	// Privileges specifies security configuration/permissions.
217	Privileges privileges = 22;
218
219	// Init declares that a custom init will be running inside the container, if null, use the daemon's configured settings
220	google.protobuf.BoolValue init = 23;
221
222	// TTY declares that a TTY should be attached to the standard streams,
223	// including stdin if it is still open.
224	bool tty = 13 [(gogoproto.customname) = "TTY"];
225
226	// OpenStdin declares that the standard input (stdin) should be open.
227	bool open_stdin = 18;
228
229	// ReadOnly declares that the container root filesystem is read-only.
230	// This only impacts the root filesystem, not additional mounts (including
231	// tmpfs). For additional mounts that are not part of the initial rootfs,
232	// they will be decided by the modes passed in the mount definition.
233	bool read_only = 19;
234
235	// StopSignal defines the signal to stop the container.
236	string stop_signal = 20;
237
238	repeated Mount mounts = 8 [(gogoproto.nullable) = false];
239
240	// StopGracePeriod the grace period for stopping the container before
241	// forcefully killing the container.
242	// Note: Can't use stdduration here because this needs to be nullable.
243	google.protobuf.Duration stop_grace_period = 9;
244
245	// PullOptions allows one to parameterize an image pull.
246	message PullOptions {
247		// RegistryAuth is the registry auth token obtained from the client, required
248		// to pull private images. This is the unmodified JSON used as part of
249		// the `X-Registry-Auth` header.
250		// TODO(nishanttotla): This field will later be deprecated
251		string registry_auth = 64;
252	}
253
254	// PullOptions parameterize the behavior of image pulls.
255	PullOptions pull_options = 10;
256
257	// SecretReference contains references to zero or more secrets that
258	// will be exposed to the container.
259	repeated SecretReference secrets = 12;
260
261	// ConfigReference contains references to zero or more configs that
262	// will be exposed to the container.
263	repeated ConfigReference configs = 21;
264
265	// Hosts allow additional entries to be specified in /etc/hosts
266	// that associates IP addresses with hostnames.
267	// Detailed documentation is available in:
268	// http://man7.org/linux/man-pages/man5/hosts.5.html
269	//   IP_address canonical_hostname [aliases...]
270	//
271	// The format of the Hosts in swarmkit follows the same as
272	// above.
273	// This is different from `docker run --add-host <hostname>:<ip>`
274	// where format is `<hostname>:<ip>`
275	repeated string hosts = 17;
276
277	// DNSConfig specifies DNS related configurations in resolver configuration file (resolv.conf)
278	// Detailed documentation is available in:
279	// http://man7.org/linux/man-pages/man5/resolv.conf.5.html
280	// TODO: domain is not supported yet
281	message DNSConfig {
282		// Nameservers specifies the IP addresses of the name servers
283		repeated string nameservers = 1;
284
285		// Search specifies the search list for host-name lookup
286		repeated string search = 2;
287
288		// Options allows certain internal resolver variables to be modified
289		repeated string options = 3;
290	}
291
292	// DNSConfig allows one to specify DNS related configuration in resolv.conf
293	DNSConfig dns_config = 15 [(gogoproto.customname) = "DNSConfig"];
294
295	// Healthcheck describes how to check the container is healthy. If the
296	// container is considered unhealthy, it will be destroyed, its creating
297	// task will exit and a new task will be rescheduled elsewhere. A container
298	// is considered unhealthy after `Retries` number of consecutive failures.
299	HealthConfig healthcheck = 16;
300
301	enum Isolation {
302		option (gogoproto.goproto_enum_prefix) = false;
303
304		// ISOLATION_DEFAULT uses whatever default value from the container runtime
305		ISOLATION_DEFAULT = 0 [(gogoproto.enumvalue_customname) = "ContainerIsolationDefault"];
306
307		// ISOLATION_PROCESS forces windows container isolation
308		ISOLATION_PROCESS = 1 [(gogoproto.enumvalue_customname) = "ContainerIsolationProcess"];
309
310		// ISOLATION_HYPERV forces Hyper-V isolation
311		ISOLATION_HYPERV = 2 [(gogoproto.enumvalue_customname) = "ContainerIsolationHyperV"];
312	}
313
314	// Isolation defines the isolation level for windows containers (default, process, hyperv).
315	// Runtimes that don't support it ignore that field
316	Isolation isolation = 24;
317
318	// PidsLimit prevents from OS resource damage by applications inside the container
319	// using fork bomb attack.
320	int64 pidsLimit = 25;
321}
322
323// EndpointSpec defines the properties that can be configured to
324// access and loadbalance the service.
325message EndpointSpec {
326	// ResolutionMode specifies the mode of resolution to use for
327	// internal loadbalancing between tasks which are all within
328	// the cluster. This is sometimes calls east-west data path.
329	enum ResolutionMode {
330		option (gogoproto.goproto_enum_prefix) = false;
331
332		// VIP resolution mode specifies that the
333		// service resolves to a logical IP and the requests
334		// are sent to that logical IP. Packets hitting that
335		// logical IP are load balanced to a chosen backend.
336		VIP = 0 [(gogoproto.enumvalue_customname) = "ResolutionModeVirtualIP"];
337
338		// DNSRR resolution mode specifies that the
339		// service directly gets resolved to one of the
340		// backend IP and the client directly initiates a
341		// request towards the actual backend. This requires
342		// that the client does not cache the DNS responses
343		// when the DNS response TTL is 0.
344		DNSRR = 1 [(gogoproto.enumvalue_customname) = "ResolutionModeDNSRoundRobin"];
345	}
346
347	ResolutionMode mode = 1;
348
349	// List of exposed ports that this service is accessible from
350	// external to the cluster.
351	repeated PortConfig ports = 2;
352}
353
354// NetworkSpec specifies user defined network parameters.
355message NetworkSpec {
356	Annotations annotations = 1 [(gogoproto.nullable) = false];
357
358	// DriverConfig specific configuration consumed by the network driver.
359	Driver driver_config = 2;
360
361	// IPv6Enabled enables support for IPv6 on the network.
362	bool ipv6_enabled = 3;
363
364	// internal restricts external access to the network. This may be
365	// accomplished by disabling the default gateway or through other means.
366	bool internal = 4;
367
368	IPAMOptions ipam = 5 [(gogoproto.customname) = "IPAM"];
369
370	// Attachable allows external(to swarm) entities to manually
371	// attach to this network. With this flag enabled, external
372	// entities such as containers running in an worker node in
373	// the cluster can manually attach to this network and access
374	// the services attached to this network. If this flag is not
375	// enabled(default case) no manual attachment to this network
376	// can happen.
377	bool attachable = 6;
378
379	// Ingress indicates this network will provide the routing-mesh.
380	// In older versions, the network providing the routing mesh was
381	// swarm internally created only and it was identified by the name
382	// "ingress" and the label "com.docker.swarm.internal": "true".
383	bool ingress = 7;
384
385	// ConfigFrom is the source of the configuration for this network.
386	oneof config_from {
387		// Network is the name of a network that provides the network
388		// specific configuration for this network, locally on the node
389		// where this network is being plumbed.
390		string network = 8;
391	}
392
393}
394
395// ClusterSpec specifies global cluster settings.
396message ClusterSpec {
397	Annotations annotations = 1 [(gogoproto.nullable) = false];
398
399	// DEPRECATED: AcceptancePolicy defines the certificate issuance policy.
400	// Acceptance policy is no longer customizable, and secrets have been
401	// replaced with join tokens.
402	AcceptancePolicy acceptance_policy = 2 [deprecated=true, (gogoproto.nullable) = false];
403
404	// Orchestration defines cluster-level orchestration settings.
405	OrchestrationConfig orchestration = 3 [(gogoproto.nullable) = false];
406
407	// Raft defines the cluster's raft settings.
408	RaftConfig raft = 4 [(gogoproto.nullable) = false];
409
410	// Dispatcher defines cluster-level dispatcher settings.
411	DispatcherConfig dispatcher = 5 [(gogoproto.nullable) = false];
412
413	// CAConfig defines cluster-level certificate authority settings.
414	CAConfig ca_config = 6 [(gogoproto.nullable) = false, (gogoproto.customname) = "CAConfig"];
415
416	// TaskDefaults specifies the default values to use for task creation.
417	TaskDefaults task_defaults = 7 [(gogoproto.nullable) = false];
418
419	// EncryptionConfig defines the cluster's encryption settings.
420	EncryptionConfig encryption_config = 8 [(gogoproto.nullable) = false];
421}
422
423// SecretSpec specifies a user-provided secret.
424message SecretSpec {
425	Annotations annotations = 1 [(gogoproto.nullable) = false];
426
427	// Data is the secret payload - the maximum size is 500KB (that is, 500*1024 bytes)
428	bytes data = 2;
429
430	// Templating controls whether and how to evaluate the secret payload as
431	// a template. If it is not set, no templating is used.
432	//
433	// The currently recognized values are:
434	// - golang: Go templating
435	Driver templating = 3;
436
437	// Driver is the the secret driver that is used to store the specified secret
438	Driver driver = 4;
439}
440
441// ConfigSpec specifies user-provided configuration files.
442message ConfigSpec {
443	Annotations annotations = 1 [(gogoproto.nullable) = false];
444
445	// Data is the config payload - the maximum size is 500KB (that is, 500*1024 bytes)
446	// TODO(aaronl): Do we want to revise this to include multiple payloads in a single
447	// ConfigSpec? Define this to be a tar? etc...
448	bytes data = 2;
449
450	// Templating controls whether and how to evaluate the secret payload as
451	// a template. If it is not set, no templating is used.
452	//
453	// The currently recognized values are:
454	// - golang: Go templating
455	Driver templating = 3;
456}
457