Add support for time namespace

Kenta Tada · Kenta Tada · commit a2e38faf8e9a · 2020-08-18T23:24:40.000+09:00
The time namespace is a new kernel feature available in 5.6+ to
isolate the system monotonic and boot-time clocks.

Signed-off-by: Kenta Tada &lt;Kenta.Tada@sony.com&gt;
diff --git a/config-linux.md b/config-linux.md
@@ -34,6 +34,7 @@ The following parameters can be specified to set up namespaces:
     * **`uts`** the container will be able to have its own hostname and domain name.
     * **`user`** the container will be able to remap user and group IDs from the host to local users and groups within the container.
     * **`cgroup`** the container will have an isolated view of the cgroup hierarchy.
+    * **`time`** the container will be able to have its own system monotonic and boot-time clocks.
 * **`path`** *(string, OPTIONAL)* - namespace file.
     This value MUST be an absolute path in the [runtime mount namespace](glossary.md#runtime-namespace).
     The runtime MUST place the container process in the namespace associated with that `path`.
@@ -70,6 +71,9 @@ If a `namespaces` field contains duplicated namespaces with same `type`, the run
     },
     {
         "type": "cgroup"
+    },
+    {
+        "type": "time"
     }
 ]
 ```
@@ -107,6 +111,16 @@ Note that the number of mapping entries MAY be limited by the [kernel][user-name
 ]
 ```
 
+## <a name="configLinuxTimeOffset" />Offset for Time Namespace
+
+**`timeOffset`** (object, OPTIONAL) sets the offset for Time Namespace. For more information
+see the [time_namespaces](time_namespaces.7).
+
+* **`monotonicSecs`** *(int64, REQUIRED)* - is the offset of clock monotonic (in secs) in the container.
+* **`monotonicNanosecs`** *(int64, OPTIONAL)* - is the additional offset for MonotonicSecs (in nanosecs). The actual offset is monotonicSecs plus monotonicNanosecs.
+* **`boottimeSecs`** *(int64, REQUIRED)* - is the offset of clock boottime (in secs) in the container.
+* **`boottimeNanosecs`** *(int64, OPTIONAL)* - the additional offset for BoottimeSecs (in nanosecs). The actual offset is boottimeSecs plus boottimeNanosecs.
+
 ## <a name="configLinuxDevices" />Devices
 
 **`devices`** (array of objects, OPTIONAL) lists devices that MUST be available in the container.
@@ -770,3 +784,4 @@ subset of the available options.
 [zero.4]: http://man7.org/linux/man-pages/man4/zero.4.html
 [user-namespaces]: http://man7.org/linux/man-pages/man7/user_namespaces.7.html
 [intel-rdt-cat-kernel-interface]: https://www.kernel.org/doc/Documentation/x86/intel_rdt_ui.txt
+[time_namespaces.7]: https://man7.org/linux/man-pages/man7/time_namespaces.7.html
diff --git a/config.md b/config.md
@@ -905,6 +905,12 @@ Here is a full example `config.json` for reference.
                 }
             ]
         },
+        "timeOffset": {
+            "monotonicSecs": 172800,
+            "monotonicNanosecs": 0,
+            "boottimeSecs": 604800
+            "boottimeNanosecs": 0
+        },
         "namespaces": [
             {
                 "type": "pid"
@@ -926,6 +932,9 @@ Here is a full example `config.json` for reference.
             },
             {
                 "type": "cgroup"
+            },
+            {
+                "type": "time"
             }
         ],
         "maskedPaths": [
diff --git a/schema/config-linux.json b/schema/config-linux.json
@@ -253,6 +253,27 @@
             "personality": {
                 "type": "object",
                 "$ref": "defs-linux.json#/definitions/Personality"
+            },
+            "timeOffset": {
+                "type": "object",
+                "properties": {
+                    "monotonicSecs": {
+                        "$ref": "defs.json#/definitions/int64"
+                    },
+                    "monotonicNanosecs": {
+                        "$ref": "defs.json#/definitions/int64"
+                    },
+                    "boottimeSecs": {
+                        "$ref": "defs.json#/definitions/int64"
+                    },
+                    "boottimeNanosecs": {
+                        "$ref": "defs.json#/definitions/int64"
+                    }
+                },
+                "required": [
+                    "monotonicSecs",
+                    "boottimeSecs"
+                ]
             }
         }
     }
diff --git a/schema/defs-linux.json b/schema/defs-linux.json
@@ -292,7 +292,8 @@
                 "uts",
                 "ipc",
                 "user",
-                "cgroup"
+                "cgroup",
+                "time"
             ]
         },
         "NamespaceReference": {
diff --git a/schema/test/config/good/spec-example.json b/schema/test/config/good/spec-example.json
@@ -349,6 +349,12 @@
                 }
             ]
         },
+        "timeOffset": {
+            "monotonicSecs": 172800,
+            "monotonicNanosecs": 0,
+            "boottimeSecs": 604800,
+            "boottimeNanosecs": 0
+        },
         "namespaces": [
             {
                 "type": "pid"
@@ -370,6 +376,9 @@
             },
             {
                 "type": "cgroup"
+            },
+            {
+                "type": "time"
             }
         ],
         "maskedPaths": [
diff --git a/specs-go/config.go b/specs-go/config.go
@@ -182,6 +182,8 @@ type Linux struct {
 	IntelRdt *LinuxIntelRdt `json:"intelRdt,omitempty"`
 	// Personality contains configuration for the Linux personality syscall
 	Personality *LinuxPersonality `json:"personality,omitempty"`
+	// LinuxTimeOffset specifies the offset for supporting time namespaces.
+	TimeOffset *LinuxTimeOffset `json:"timeOffset,omitempty"`
 }
 
 // LinuxNamespace is the configuration for a Linux namespace
@@ -211,6 +213,8 @@ const (
 	UserNamespace LinuxNamespaceType = "user"
 	// CgroupNamespace for isolating cgroup hierarchies
 	CgroupNamespace LinuxNamespaceType = "cgroup"
+	// TimeNamespace for isolating the system monotonic and boot-time clocks
+	TimeNamespace LinuxNamespaceType = "time"
 )
 
 // LinuxIDMapping specifies UID/GID mappings
@@ -223,6 +227,18 @@ type LinuxIDMapping struct {
 	Size uint32 `json:"size"`
 }
 
+// LinuxTimeOffset specifies the offset for Time Namespace
+type LinuxTimeOffset struct {
+	// MonotonicSecs is the offset of clock monotonic (in secs) in the container
+	MonotonicSecs int64 `json:"monotonicSecs"`
+	// MonotonicNanosecs is the additional offset for MonotonicSecs (in nanosecs)
+	MonotonicNanosecs int64 `json:"monotonicNanosecs,omitempty"`
+	// BoottimeSecs is the offset of clock boottime (in secs) in the container
+	BoottimeSecs uint64 `json:"boottimeSecs"`
+	// BoottimeNanosecs is the additional offset for BoottimeSecs (in nanosecs)
+	BoottimeNanosecs int64 `json:"boottimeNanosecs,omitempty"`
+}
+
 // POSIXRlimit type and restrictions
 type POSIXRlimit struct {
 	// Type of the rlimit to set

Original file line number	Diff line number	Diff line change
@@ -905,6 +905,12 @@ Here is a full example `config.json` for reference.
`905`	`905`	`}`
`906`	`906`	`]`
`907`	`907`	`},`
	`908`	`+ "timeOffset": {`
	`909`	`+ "monotonicSecs": 172800,`
	`910`	`+ "monotonicNanosecs": 0,`
	`911`	`+ "boottimeSecs": 604800`
	`912`	`+ "boottimeNanosecs": 0`
	`913`	`+ },`
`908`	`914`	`"namespaces": [`
`909`	`915`	`{`
`910`	`916`	`"type": "pid"`
@@ -926,6 +932,9 @@ Here is a full example `config.json` for reference.
`926`	`932`	`},`
`927`	`933`	`{`
`928`	`934`	`"type": "cgroup"`
	`935`	`+ },`
	`936`	`+ {`
	`937`	`+ "type": "time"`
`929`	`938`	`}`
`930`	`939`	`],`
`931`	`940`	`"maskedPaths": [`
Original file line number	Diff line number	Diff line change
`@@ -349,6 +349,12 @@`
`349`	`349`	`}`
`350`	`350`	`]`
`351`	`351`	`},`
	`352`	`+ "timeOffset": {`
	`353`	`+ "monotonicSecs": 172800,`
	`354`	`+ "monotonicNanosecs": 0,`
	`355`	`+ "boottimeSecs": 604800,`
	`356`	`+ "boottimeNanosecs": 0`
	`357`	`+ },`
`352`	`358`	`"namespaces": [`
`353`	`359`	`{`
`354`	`360`	`"type": "pid"`
`@@ -370,6 +376,9 @@`
`370`	`376`	`},`
`371`	`377`	`{`
`372`	`378`	`"type": "cgroup"`
	`379`	`+ },`
	`380`	`+ {`
	`381`	`+ "type": "time"`
`373`	`382`	`}`
`374`	`383`	`],`
`375`	`384`	`"maskedPaths": [`