1syntax = "proto3"; 2 3package docker.swarmkit.v1; 4 5import "github.com/docker/swarmkit/api/types.proto"; 6import "gogoproto/gogo.proto"; 7import "google/protobuf/duration.proto"; 8import "google/protobuf/any.proto"; 9import "google/protobuf/wrappers.proto"; 10 11// Specs are container objects for user provided input. All creations and 12// updates are done through spec types. As a convention, user input from a spec 13// is never touched in created objects. This allows one to verify that the 14// users intent has not been modified. 15// 16// Put differently, spec types can be said to represent the desired state of 17// the system. In situations where modifications need to be made to a 18// particular component, API objects will either contain a copy of the spec 19// component or a different representation to reflect allocation or resolution. 20 21message NodeSpec { 22 Annotations annotations = 1 [(gogoproto.nullable) = false]; 23 24 enum Membership { 25 option (gogoproto.goproto_enum_prefix) = false; 26 27 PENDING = 0 [(gogoproto.enumvalue_customname) = "NodeMembershipPending"]; 28 ACCEPTED = 1 [(gogoproto.enumvalue_customname) = "NodeMembershipAccepted"]; 29 } 30 31 enum Availability { 32 option (gogoproto.goproto_enum_prefix) = false; 33 34 // Active nodes. 35 ACTIVE = 0 [(gogoproto.enumvalue_customname) = "NodeAvailabilityActive"]; 36 37 // Paused nodes won't be considered by the scheduler, preventing any 38 // further task to run on them. 39 PAUSE = 1 [(gogoproto.enumvalue_customname) = "NodeAvailabilityPause"]; 40 41 // Drained nodes are paused and any task already running on them will 42 // be evicted. 43 DRAIN = 2 [(gogoproto.enumvalue_customname) = "NodeAvailabilityDrain"]; 44 } 45 46 // DesiredRole defines the role the node should have. 47 NodeRole desired_role = 2; 48 49 // Membership controls the admission of the node into the cluster. 50 Membership membership = 3; 51 52 // Availability allows a user to control the current scheduling status of a 53 // node. 54 Availability availability = 4; 55} 56 57// ServiceSpec defines the properties of a service. 58// 59// A service instructs the cluster in orchestrating repeated instances of a 60// template, implemented as tasks. Based on the number of instances, scheduling 61// strategy and restart policy, a number of application-level behaviors can be 62// defined. 63message ServiceSpec { 64 Annotations annotations = 1 [(gogoproto.nullable) = false]; 65 66 // Task defines the task template this service will spawn. 67 TaskSpec task = 2 [(gogoproto.nullable) = false]; 68 69 oneof mode { 70 ReplicatedService replicated = 3; 71 GlobalService global = 4; 72 } 73 74 // Update contains settings which affect updates. 75 UpdateConfig update = 6; 76 77 // Rollback contains settings which affect rollbacks of updates. 78 UpdateConfig rollback = 9; 79 80 // ServiceSpec.Networks has been deprecated and is replaced by 81 // Networks field in Task (TaskSpec.Networks). 82 // This field (ServiceSpec.Networks) is kept for compatibility. 83 // In case TaskSpec.Networks does not exist, ServiceSpec.Networks 84 // is still honored if it exists. 85 repeated NetworkAttachmentConfig networks = 7 [deprecated=true]; 86 87 // Service endpoint specifies the user provided configuration 88 // to properly discover and load balance a service. 89 EndpointSpec endpoint = 8; 90} 91 92// ReplicatedService sets the reconciliation target to certain number of replicas. 93message ReplicatedService { 94 uint64 replicas = 1; 95} 96 97// GlobalService represents global service. 98message GlobalService { 99 // Empty message for now. 100} 101 102message TaskSpec { 103 oneof runtime { 104 NetworkAttachmentSpec attachment = 8; 105 ContainerSpec container = 1; 106 GenericRuntimeSpec generic = 10; 107 } 108 109 // Resource requirements for the container. 110 ResourceRequirements resources = 2; 111 112 // RestartPolicy specifies what to do when a task fails or finishes. 113 RestartPolicy restart = 4; 114 115 // Placement specifies node selection constraints 116 Placement placement = 5; 117 118 // LogDriver specifies the log driver to use for the task. Any runtime will 119 // direct logs into the specified driver for the duration of the task. 120 Driver log_driver = 6; 121 122 // Networks specifies the list of network attachment 123 // configurations (which specify the network and per-network 124 // aliases) that this task spec is bound to. 125 repeated NetworkAttachmentConfig networks = 7; 126 127 // ForceUpdate is a counter that triggers an update even if no relevant 128 // parameters have been changed. We do this to allow forced restarts 129 // using the same reconciliation-based mechanism that performs rolling 130 // updates. 131 uint64 force_update = 9; 132 133 // ResourceReferences provides a generic way to specify resources that 134 // are used by this task, and should be sent down to agents along with 135 // the task. Inside the runtime field there may be more specific 136 // information about how to use the resource, but ResourceReferences 137 // establishes the relationship at the store level, and instructs the 138 // dispatcher to send the related objects. 139 // 140 // ResourceReferences is a list of ResourceReferences used by the task. 141 repeated ResourceReference resource_references = 11 [(gogoproto.nullable) = false]; 142} 143 144message ResourceReference { 145 string resource_id = 1; 146 ResourceType resource_type = 2; 147} 148 149message GenericRuntimeSpec { 150 string kind = 1; 151 google.protobuf.Any payload = 2; 152} 153 154// NetworkAttachmentSpec specifies runtime parameters required to attach 155// a container to a network. 156message NetworkAttachmentSpec { 157 // ContainerID specifies a unique ID of the container for which 158 // this attachment is for. 159 string container_id = 1; 160} 161 162 163// Container specifies runtime parameters for a container. 164message ContainerSpec { 165 // image defines the image reference, as specified in the 166 // distribution/reference package. This may include a registry host, name, 167 // tag or digest. 168 // 169 // The field will be directly passed to the engine pulling. Well-behaved 170 // service definitions will used immutable references, either through tags 171 // that don't change or verifiable digests. 172 string image = 1; 173 174 // Labels defines labels to be added to the container at creation time. If 175 // collisions with system labels occur, these labels will be overridden. 176 // 177 // This field *must* remain compatible with the Labels field of 178 // Annotations. 179 map<string, string> labels = 2; 180 181 // Command to run the the container. The first element is a path to the 182 // executable and the following elements are treated as arguments. 183 // 184 // If command is empty, execution will fall back to the image's entrypoint. 185 // 186 // Command should only be used when overriding entrypoint. 187 repeated string command = 3; 188 189 // Args specifies arguments provided to the image's entrypoint. 190 // 191 // If Command and Args are provided, Args will be appended to Command. 192 repeated string args = 4; 193 194 // Hostname specifies the hostname that will be set on containers created by docker swarm. 195 // All containers for a given service will have the same hostname 196 string hostname = 14; 197 198 // Env specifies the environment variables for the container in NAME=VALUE 199 // format. These must be compliant with [IEEE Std 200 // 1003.1-2001](http://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap08.html). 201 repeated string env = 5; 202 203 // Dir defines the working directory to set for the container process. 204 string dir = 6; 205 206 // User specifies the user that should be employed to run the container. 207 // 208 // Note that the primary group may be specified by appending the group name 209 // or id to the user name, separated by a `:`. This syntax is 210 // `<user>:<group>`. 211 string user = 7; 212 213 // Groups specifies supplementary groups available to the user. 214 repeated string groups = 11; 215 216 // Privileges specifies security configuration/permissions. 217 Privileges privileges = 22; 218 219 // Init declares that a custom init will be running inside the container, if null, use the daemon's configured settings 220 google.protobuf.BoolValue init = 23; 221 222 // TTY declares that a TTY should be attached to the standard streams, 223 // including stdin if it is still open. 224 bool tty = 13 [(gogoproto.customname) = "TTY"]; 225 226 // OpenStdin declares that the standard input (stdin) should be open. 227 bool open_stdin = 18; 228 229 // ReadOnly declares that the container root filesystem is read-only. 230 // This only impacts the root filesystem, not additional mounts (including 231 // tmpfs). For additional mounts that are not part of the initial rootfs, 232 // they will be decided by the modes passed in the mount definition. 233 bool read_only = 19; 234 235 // StopSignal defines the signal to stop the container. 236 string stop_signal = 20; 237 238 repeated Mount mounts = 8 [(gogoproto.nullable) = false]; 239 240 // StopGracePeriod the grace period for stopping the container before 241 // forcefully killing the container. 242 // Note: Can't use stdduration here because this needs to be nullable. 243 google.protobuf.Duration stop_grace_period = 9; 244 245 // PullOptions allows one to parameterize an image pull. 246 message PullOptions { 247 // RegistryAuth is the registry auth token obtained from the client, required 248 // to pull private images. This is the unmodified JSON used as part of 249 // the `X-Registry-Auth` header. 250 // TODO(nishanttotla): This field will later be deprecated 251 string registry_auth = 64; 252 } 253 254 // PullOptions parameterize the behavior of image pulls. 255 PullOptions pull_options = 10; 256 257 // SecretReference contains references to zero or more secrets that 258 // will be exposed to the container. 259 repeated SecretReference secrets = 12; 260 261 // ConfigReference contains references to zero or more configs that 262 // will be exposed to the container. 263 repeated ConfigReference configs = 21; 264 265 // Hosts allow additional entries to be specified in /etc/hosts 266 // that associates IP addresses with hostnames. 267 // Detailed documentation is available in: 268 // http://man7.org/linux/man-pages/man5/hosts.5.html 269 // IP_address canonical_hostname [aliases...] 270 // 271 // The format of the Hosts in swarmkit follows the same as 272 // above. 273 // This is different from `docker run --add-host <hostname>:<ip>` 274 // where format is `<hostname>:<ip>` 275 repeated string hosts = 17; 276 277 // DNSConfig specifies DNS related configurations in resolver configuration file (resolv.conf) 278 // Detailed documentation is available in: 279 // http://man7.org/linux/man-pages/man5/resolv.conf.5.html 280 // TODO: domain is not supported yet 281 message DNSConfig { 282 // Nameservers specifies the IP addresses of the name servers 283 repeated string nameservers = 1; 284 285 // Search specifies the search list for host-name lookup 286 repeated string search = 2; 287 288 // Options allows certain internal resolver variables to be modified 289 repeated string options = 3; 290 } 291 292 // DNSConfig allows one to specify DNS related configuration in resolv.conf 293 DNSConfig dns_config = 15 [(gogoproto.customname) = "DNSConfig"]; 294 295 // Healthcheck describes how to check the container is healthy. If the 296 // container is considered unhealthy, it will be destroyed, its creating 297 // task will exit and a new task will be rescheduled elsewhere. A container 298 // is considered unhealthy after `Retries` number of consecutive failures. 299 HealthConfig healthcheck = 16; 300 301 enum Isolation { 302 option (gogoproto.goproto_enum_prefix) = false; 303 304 // ISOLATION_DEFAULT uses whatever default value from the container runtime 305 ISOLATION_DEFAULT = 0 [(gogoproto.enumvalue_customname) = "ContainerIsolationDefault"]; 306 307 // ISOLATION_PROCESS forces windows container isolation 308 ISOLATION_PROCESS = 1 [(gogoproto.enumvalue_customname) = "ContainerIsolationProcess"]; 309 310 // ISOLATION_HYPERV forces Hyper-V isolation 311 ISOLATION_HYPERV = 2 [(gogoproto.enumvalue_customname) = "ContainerIsolationHyperV"]; 312 } 313 314 // Isolation defines the isolation level for windows containers (default, process, hyperv). 315 // Runtimes that don't support it ignore that field 316 Isolation isolation = 24; 317 318 // PidsLimit prevents from OS resource damage by applications inside the container 319 // using fork bomb attack. 320 int64 pidsLimit = 25; 321} 322 323// EndpointSpec defines the properties that can be configured to 324// access and loadbalance the service. 325message EndpointSpec { 326 // ResolutionMode specifies the mode of resolution to use for 327 // internal loadbalancing between tasks which are all within 328 // the cluster. This is sometimes calls east-west data path. 329 enum ResolutionMode { 330 option (gogoproto.goproto_enum_prefix) = false; 331 332 // VIP resolution mode specifies that the 333 // service resolves to a logical IP and the requests 334 // are sent to that logical IP. Packets hitting that 335 // logical IP are load balanced to a chosen backend. 336 VIP = 0 [(gogoproto.enumvalue_customname) = "ResolutionModeVirtualIP"]; 337 338 // DNSRR resolution mode specifies that the 339 // service directly gets resolved to one of the 340 // backend IP and the client directly initiates a 341 // request towards the actual backend. This requires 342 // that the client does not cache the DNS responses 343 // when the DNS response TTL is 0. 344 DNSRR = 1 [(gogoproto.enumvalue_customname) = "ResolutionModeDNSRoundRobin"]; 345 } 346 347 ResolutionMode mode = 1; 348 349 // List of exposed ports that this service is accessible from 350 // external to the cluster. 351 repeated PortConfig ports = 2; 352} 353 354// NetworkSpec specifies user defined network parameters. 355message NetworkSpec { 356 Annotations annotations = 1 [(gogoproto.nullable) = false]; 357 358 // DriverConfig specific configuration consumed by the network driver. 359 Driver driver_config = 2; 360 361 // IPv6Enabled enables support for IPv6 on the network. 362 bool ipv6_enabled = 3; 363 364 // internal restricts external access to the network. This may be 365 // accomplished by disabling the default gateway or through other means. 366 bool internal = 4; 367 368 IPAMOptions ipam = 5 [(gogoproto.customname) = "IPAM"]; 369 370 // Attachable allows external(to swarm) entities to manually 371 // attach to this network. With this flag enabled, external 372 // entities such as containers running in an worker node in 373 // the cluster can manually attach to this network and access 374 // the services attached to this network. If this flag is not 375 // enabled(default case) no manual attachment to this network 376 // can happen. 377 bool attachable = 6; 378 379 // Ingress indicates this network will provide the routing-mesh. 380 // In older versions, the network providing the routing mesh was 381 // swarm internally created only and it was identified by the name 382 // "ingress" and the label "com.docker.swarm.internal": "true". 383 bool ingress = 7; 384 385 // ConfigFrom is the source of the configuration for this network. 386 oneof config_from { 387 // Network is the name of a network that provides the network 388 // specific configuration for this network, locally on the node 389 // where this network is being plumbed. 390 string network = 8; 391 } 392 393} 394 395// ClusterSpec specifies global cluster settings. 396message ClusterSpec { 397 Annotations annotations = 1 [(gogoproto.nullable) = false]; 398 399 // DEPRECATED: AcceptancePolicy defines the certificate issuance policy. 400 // Acceptance policy is no longer customizable, and secrets have been 401 // replaced with join tokens. 402 AcceptancePolicy acceptance_policy = 2 [deprecated=true, (gogoproto.nullable) = false]; 403 404 // Orchestration defines cluster-level orchestration settings. 405 OrchestrationConfig orchestration = 3 [(gogoproto.nullable) = false]; 406 407 // Raft defines the cluster's raft settings. 408 RaftConfig raft = 4 [(gogoproto.nullable) = false]; 409 410 // Dispatcher defines cluster-level dispatcher settings. 411 DispatcherConfig dispatcher = 5 [(gogoproto.nullable) = false]; 412 413 // CAConfig defines cluster-level certificate authority settings. 414 CAConfig ca_config = 6 [(gogoproto.nullable) = false, (gogoproto.customname) = "CAConfig"]; 415 416 // TaskDefaults specifies the default values to use for task creation. 417 TaskDefaults task_defaults = 7 [(gogoproto.nullable) = false]; 418 419 // EncryptionConfig defines the cluster's encryption settings. 420 EncryptionConfig encryption_config = 8 [(gogoproto.nullable) = false]; 421} 422 423// SecretSpec specifies a user-provided secret. 424message SecretSpec { 425 Annotations annotations = 1 [(gogoproto.nullable) = false]; 426 427 // Data is the secret payload - the maximum size is 500KB (that is, 500*1024 bytes) 428 bytes data = 2; 429 430 // Templating controls whether and how to evaluate the secret payload as 431 // a template. If it is not set, no templating is used. 432 // 433 // The currently recognized values are: 434 // - golang: Go templating 435 Driver templating = 3; 436 437 // Driver is the the secret driver that is used to store the specified secret 438 Driver driver = 4; 439} 440 441// ConfigSpec specifies user-provided configuration files. 442message ConfigSpec { 443 Annotations annotations = 1 [(gogoproto.nullable) = false]; 444 445 // Data is the config payload - the maximum size is 500KB (that is, 500*1024 bytes) 446 // TODO(aaronl): Do we want to revise this to include multiple payloads in a single 447 // ConfigSpec? Define this to be a tar? etc... 448 bytes data = 2; 449 450 // Templating controls whether and how to evaluate the secret payload as 451 // a template. If it is not set, no templating is used. 452 // 453 // The currently recognized values are: 454 // - golang: Go templating 455 Driver templating = 3; 456} 457