Documentation ¶
Overview ¶
Package config provides basic infrastructure to set configuration settings for runsc. The configuration is set by flags to the command line. They can also propagate to a different process using the same flags.
Index ¶
- Variables
- func RegisterFlags(flagSet *flag.FlagSet)
- type Bundle
- type BundleName
- type Config
- func (c *Config) ApplyBundles(flagSet *flag.FlagSet, bundleNames ...BundleName) error
- func (c *Config) GetHostUDS() HostUDS
- func (c *Config) GetOverlay2() Overlay2
- func (c *Config) MetricMetadata() map[string]string
- func (c *Config) Override(flagSet *flag.FlagSet, name string, value string, force bool) error
- func (c *Config) ToContainerdConfigTOML(opts ContainerdConfigOptions) (string, error)
- func (c *Config) ToFlags() []string
- type ContainerdConfigOptions
- type FileAccessType
- type HostFifo
- type HostUDS
- type KeyVal
- type NetworkType
- type Overlay2
- func (o *Overlay2) Enabled() bool
- func (o *Overlay2) Get() any
- func (o *Overlay2) HostFileDir() string
- func (o *Overlay2) IsBackedByMemory() bool
- func (o *Overlay2) IsBackedBySelf() bool
- func (o *Overlay2) RootEnabled() bool
- func (o *Overlay2) Set(v string) error
- func (o Overlay2) String() string
- func (o *Overlay2) SubMountEnabled() bool
- type QueueingDiscipline
Constants ¶
This section is empty.
Variables ¶
var Bundles = map[BundleName]Bundle{
"experimental-high-performance": {
"directfs": "true",
"overlay2": "root:self",
"platform": "systrap",
},
}
Bundles is the set of each Bundle. Each bundle is a named set of flag names and flag values. Bundles may be turned on using pod annotations. Bundles have lower precedence than flag pod annotation and command-line flags. Bundles are mutually exclusive iff their flag values overlap and differ.
var MetricMetadataKeys = []string{
"version",
"platform",
"network",
"numcores",
"coretags",
"overlay",
"fsmode",
"cpuarch",
"go",
"experiment",
}
MetricMetadataKeys is the set of keys of metric metadata labels as returned by `Config.MetricMetadata`.
Functions ¶
func RegisterFlags ¶
RegisterFlags registers flags used to populate Config.
Types ¶
type BundleName ¶
type BundleName string
BundleName is a human-friendly name for a Bundle. It is used as part of an annotation to specify that the user wants to apply a Bundle.
type Config ¶
type Config struct { // RootDir is the runtime root directory. RootDir string `flag:"root"` // Traceback changes the Go runtime's traceback level. Traceback string `flag:"traceback"` // Debug indicates that debug logging should be enabled. Debug bool `flag:"debug"` // LogFilename is the filename to log to, if not empty. LogFilename string `flag:"log"` // LogFormat is the log format. LogFormat string `flag:"log-format"` // DebugLog is the path to log debug information to, if not empty. DebugLog string `flag:"debug-log"` // DebugCommand is a comma-separated list of commands to be debugged if // --debug-log is also set. Empty means debug all. "!" negates the expression. // E.g. "create,start" or "!boot,events". DebugCommand string `flag:"debug-command"` // PanicLog is the path to log GO's runtime messages, if not empty. PanicLog string `flag:"panic-log"` // CoverageReport is the path to write Go coverage information, if not empty. CoverageReport string `flag:"coverage-report"` // DebugLogFormat is the log format for debug. DebugLogFormat string `flag:"debug-log-format"` // FileAccess indicates how the root filesystem is accessed. FileAccess FileAccessType `flag:"file-access"` // FileAccessMounts indicates how non-root volumes are accessed. FileAccessMounts FileAccessType `flag:"file-access-mounts"` // Overlay is whether to wrap all mounts in an overlay. The upper tmpfs layer // will be backed by application memory. Overlay bool `flag:"overlay"` // Overlay2 holds configuration about wrapping mounts in overlayfs. // DO NOT call it directly, use GetOverlay2() instead. Overlay2 Overlay2 `flag:"overlay2"` // FSGoferHostUDS is deprecated: use host-uds=all. FSGoferHostUDS bool `flag:"fsgofer-host-uds"` // HostUDS controls permission to access host Unix-domain sockets. // DO NOT call it directly, use GetHostUDS() instead. HostUDS HostUDS `flag:"host-uds"` // HostFifo controls permission to access host FIFO (or named pipes). HostFifo HostFifo `flag:"host-fifo"` // Network indicates what type of network to use. Network NetworkType `flag:"network"` // EnableRaw indicates whether raw sockets should be enabled. Raw // sockets are disabled by stripping CAP_NET_RAW from the list of // capabilities. EnableRaw bool `flag:"net-raw"` // AllowPacketEndpointWrite enables write operations on packet endpoints. AllowPacketEndpointWrite bool `flag:"TESTONLY-allow-packet-endpoint-write"` // HostGSO indicates that host segmentation offload is enabled. HostGSO bool `flag:"gso"` // GvisorGSO indicates that gVisor segmentation offload is enabled. The flag // retains its old name of "software" GSO for API consistency. GvisorGSO bool `flag:"software-gso"` // GvisorGROTimeout sets gVisor's generic receive offload timeout. Zero // bypasses GRO. GvisorGROTimeout time.Duration `flag:"gvisor-gro"` // TXChecksumOffload indicates that TX Checksum Offload is enabled. TXChecksumOffload bool `flag:"tx-checksum-offload"` // RXChecksumOffload indicates that RX Checksum Offload is enabled. RXChecksumOffload bool `flag:"rx-checksum-offload"` // QDisc indicates the type of queuening discipline to use by default // for non-loopback interfaces. QDisc QueueingDiscipline `flag:"qdisc"` // LogPackets indicates that all network packets should be logged. LogPackets bool `flag:"log-packets"` // PCAP is a file to which network packets should be logged in PCAP format. PCAP string `flag:"pcap-log"` // Platform is the platform to run on. Platform string `flag:"platform"` // PlatformDevicePath is the path to the device file used by the platform. // e.g. "/dev/kvm" for the KVM platform. // If unset, a sane platform-specific default will be used. PlatformDevicePath string `flag:"platform_device_path"` // MetricServer, if set, indicates that metrics should be exported on this address. // This may either be 1) "addr:port" to export metrics on a specific network interface address, // 2) ":port" for exporting metrics on all addresses, or 3) an absolute path to a Unix Domain // Socket. // The substring "%ID%" will be replaced by the container ID, and "%RUNTIME_ROOT%" by the root. // This flag must be specified *both* as part of the `runsc metric-server` arguments (so that the // metric server knows which address to bind to), and as part of the `runsc create` arguments (as // an indication that the container being created wishes that its metrics should be exported). // The value of this flag must also match across the two command lines. MetricServer string `flag:"metric-server"` // ProfilingMetrics is a comma separated list of metric names which are // going to be written to the ProfilingMetricsLog file from within the // sentry in CSV format. ProfilingMetrics will be snapshotted at a rate // specified by ProfilingMetricsRate. Requires ProfilingMetricsLog to be // set. ProfilingMetrics string `flag:"profiling-metrics"` // ProfilingMetricsLog is the file name to use for ProfilingMetrics // output. ProfilingMetricsLog string `flag:"profiling-metrics-log"` // ProfilingMetricsRate is the target rate (in microseconds) at which // profiling metrics will be snapshotted. ProfilingMetricsRate int `flag:"profiling-metrics-rate-us"` // Strace indicates that strace should be enabled. Strace bool `flag:"strace"` // StraceSyscalls is the set of syscalls to trace (comma-separated values). // If StraceEnable is true and this string is empty, then all syscalls will // be traced. StraceSyscalls string `flag:"strace-syscalls"` // StraceLogSize is the max size of data blobs to display. StraceLogSize uint `flag:"strace-log-size"` // StraceEvent indicates sending strace to events if true. Strace is // sent to log if false. StraceEvent bool `flag:"strace-event"` // DisableSeccomp indicates whether seccomp syscall filters should be // disabled. Pardon the double negation, but default to enabled is important. DisableSeccomp bool // EnableCoreTags indicates whether the Sentry process and children will be // run in a core tagged process. This isolates the sentry from sharing // physical cores with other core tagged processes. This is useful as a // mitigation for hyperthreading side channel based attacks. Requires host // linux kernel >= 5.14. EnableCoreTags bool `flag:"enable-core-tags"` // WatchdogAction sets what action the watchdog takes when triggered. WatchdogAction watchdog.Action `flag:"watchdog-action"` // PanicSignal registers signal handling that panics. Usually set to // SIGUSR2(12) to troubleshoot hangs. -1 disables it. PanicSignal int `flag:"panic-signal"` // ProfileEnable is set to prepare the sandbox to be profiled. ProfileEnable bool `flag:"profile"` // ProfileBlock collects a block profile to the passed file for the // duration of the container execution. Requires ProfileEnabled. ProfileBlock string `flag:"profile-block"` // ProfileCPU collects a CPU profile to the passed file for the // duration of the container execution. Requires ProfileEnabled. ProfileCPU string `flag:"profile-cpu"` // ProfileHeap collects a heap profile to the passed file for the // duration of the container execution. Requires ProfileEnabled. ProfileHeap string `flag:"profile-heap"` // ProfileMutex collects a mutex profile to the passed file for the // duration of the container execution. Requires ProfileEnabled. ProfileMutex string `flag:"profile-mutex"` // TraceFile collects a Go runtime execution trace to the passed file // for the duration of the container execution. TraceFile string `flag:"trace"` // RestoreFile is the path to the saved container image. RestoreFile string // NumNetworkChannels controls the number of AF_PACKET sockets that map // to the same underlying network device. This allows netstack to better // scale for high throughput use cases. NumNetworkChannels int `flag:"num-network-channels"` // Rootless allows the sandbox to be started with a user that is not root. // Defense in depth measures are weaker in rootless mode. Specifically, the // sandbox and Gofer process run as root inside a user namespace with root // mapped to the caller's user. When using rootless, the container root path // should not have a symlink. Rootless bool `flag:"rootless"` // AlsoLogToStderr allows to send log messages to stderr. AlsoLogToStderr bool `flag:"alsologtostderr"` // ReferenceLeakMode sets reference leak check mode ReferenceLeak refs.LeakMode `flag:"ref-leak-mode"` // CPUNumFromQuota sets CPU number count to available CPU quota, using // least integer value greater than or equal to quota. // // E.g. 0.2 CPU quota will result in 1, and 1.9 in 2. CPUNumFromQuota bool `flag:"cpu-num-from-quota"` // Allows overriding of flags in OCI annotations. AllowFlagOverride bool `flag:"allow-flag-override"` // Enables seccomp inside the sandbox. OCISeccomp bool `flag:"oci-seccomp"` // Mounts the cgroup filesystem backed by the sentry's cgroupfs. Cgroupfs bool `flag:"cgroupfs"` // Don't configure cgroups. IgnoreCgroups bool `flag:"ignore-cgroups"` // Use systemd to configure cgroups. SystemdCgroup bool `flag:"systemd-cgroup"` // PodInitConfig is the path to configuration file with additional steps to // take during pod creation. PodInitConfig string `flag:"pod-init-config"` // Use pools to manage buffer memory instead of heap. BufferPooling bool `flag:"buffer-pooling"` // AFXDP defines whether to use an AF_XDP socket to receive packets // (rather than AF_PACKET). Enabling it disables RX checksum offload. AFXDP bool `flag:"EXPERIMENTAL-afxdp"` // FDLimit specifies a limit on the number of host file descriptors that can // be open simultaneously by the sentry and gofer. It applies separately to // each. FDLimit int `flag:"fdlimit"` // DCache sets the global dirent cache size. If zero, per-mount caches are // used. DCache int `flag:"dcache"` // IOUring enables support for the IO_URING API calls to perform // asynchronous I/O operations. IOUring bool `flag:"iouring"` // DirectFS sets up the sandbox to directly access/mutate the filesystem from // the sentry. Sentry runs with escalated privileges. Gofer process still // exists, but is mostly idle. Not supported in rootless mode. DirectFS bool `flag:"directfs"` // NVProxy enables support for Nvidia GPUs. NVProxy bool `flag:"nvproxy"` // NVProxyDocker exposes GPUs to containers based on the // NVIDIA_VISIBLE_DEVICES container environment variable, as requested by // containers or set by `docker --gpus`. NVProxyDocker bool `flag:"nvproxy-docker"` // TPUProxy enables support for TPUs. TPUProxy bool `flag:"tpuproxy"` // TestOnlyAllowRunAsCurrentUserWithoutChroot should only be used in // tests. It allows runsc to start the sandbox process as the current // user, and without chrooting the sandbox process. This can be // necessary in test environments that have limited capabilities. When // disabling chroot, the container root path should not have a symlink. TestOnlyAllowRunAsCurrentUserWithoutChroot bool `flag:"TESTONLY-unsafe-nonroot"` // TestOnlyTestNameEnv should only be used in tests. It looks up for the // test name in the container environment variables and adds it to the debug // log file name. This is done to help identify the log with the test when // multiple tests are run in parallel, since there is no way to pass // parameters to the runtime from docker. TestOnlyTestNameEnv string `flag:"TESTONLY-test-name-env"` // TestOnlyAFSSyscallPanic should only be used in tests. It enables the // alternate behaviour for afs_syscall to trigger a Go-runtime panic upon being // called. This is useful for tests exercising gVisor panic-reporting. TestOnlyAFSSyscallPanic bool `flag:"TESTONLY-afs-syscall-panic"` // contains filtered or unexported fields }
Config holds configuration that is not part of the runtime spec.
Follow these steps to add a new flag:
- Create a new field in Config.
- Add a field tag with the flag name
- Register a new flag in flags.go, with same name and add a description
- Add any necessary validation into validate()
- If adding an enum, follow the same pattern as FileAccessType
- Evaluate if the flag can be changed with OCI annotations. See overrideAllowlist for more details
func NewFromBundle ¶
NewFromBundle makes a new config from a Bundle.
func NewFromFlags ¶
NewFromFlags creates a new Config with values coming from command line flags.
func (*Config) ApplyBundles ¶
func (c *Config) ApplyBundles(flagSet *flag.FlagSet, bundleNames ...BundleName) error
ApplyBundles applies the given bundles by name. It returns an error if a bundle doesn't exist, or if the given bundles have conflicting flag values. Config values which are already specified prior to calling ApplyBundles are overridden.
func (*Config) GetHostUDS ¶
GetHostUDS returns the FS gofer communication that is allowed, taking into consideration all flags what affect the result.
func (*Config) GetOverlay2 ¶
GetOverlay2 returns the overlay configuration, taking into consideration all flags that affect the result.
func (*Config) MetricMetadata ¶
MetricMetadata returns key-value pairs that are useful to include in metrics exported about the sandbox this config represents. It must return the same set of labels as listed in `MetricMetadataKeys`.
func (*Config) ToContainerdConfigTOML ¶
func (c *Config) ToContainerdConfigTOML(opts ContainerdConfigOptions) (string, error)
ToContainerdConfigTOML turns a given config into a format for a k8s containerd config.toml file. See: https://gvisor.dev/docs/user_guide/containerd/quick_start/
type ContainerdConfigOptions ¶
type ContainerdConfigOptions struct { BinaryPath string RootPath string Options map[string]string RunscFlags []KeyVal }
ContainerdConfigOptions contains arguments for ToContainerdConfigTOML.
type FileAccessType ¶
type FileAccessType int
FileAccessType tells how the filesystem is accessed.
const ( // FileAccessExclusive gives the sandbox exclusive access over files and // directories in the filesystem. No external modifications are permitted and // can lead to undefined behavior. // // Exclusive filesystem access enables more aggressive caching and offers // significantly better performance. This is the default mode for the root // volume. FileAccessExclusive FileAccessType = iota // requires revalidation on every filesystem access to detect external // changes, and reduces the amount of caching that can be done. This is the // default mode for non-root volumes. FileAccessShared )
func (*FileAccessType) Set ¶
func (f *FileAccessType) Set(v string) error
Set implements flag.Value. Set(String()) should be idempotent.
func (FileAccessType) String ¶
func (f FileAccessType) String() string
String implements flag.Value.
type HostFifo ¶
type HostFifo int
HostFifo tells how much of the host FIFO (or named pipes) the file system has access to.
type HostUDS ¶
type HostUDS int
HostUDS tells how much of the host UDS the file system has access to.
const ( // HostUDSNone doesn't allows UDS from the host to be manipulated. HostUDSNone HostUDS = 0x0 // HostUDSOpen allows UDS from the host to be opened, e.g. connect(2). HostUDSOpen HostUDS = 0x1 // HostUDSCreate allows UDS from the host to be created, e.g. bind(2). HostUDSCreate HostUDS = 0x2 // HostUDSAll allows all form of communication with the host through UDS. HostUDSAll = HostUDSOpen | HostUDSCreate )
func (HostUDS) AllowCreate ¶
AllowCreate returns true if it can create UDS in the host.
type KeyVal ¶
KeyVal is a key value pair. It is used so ToContainerdConfigTOML returns predictable ordering for runsc flags.
type NetworkType ¶
type NetworkType int
NetworkType tells which network stack to use.
const ( // NetworkSandbox uses internal network stack, isolated from the host. NetworkSandbox NetworkType = iota // NetworkHost redirects network related syscalls to the host network. NetworkHost // NetworkNone sets up just loopback using netstack. NetworkNone )
func (*NetworkType) Set ¶
func (n *NetworkType) Set(v string) error
Set implements flag.Value. Set(String()) should be idempotent.
type Overlay2 ¶
type Overlay2 struct {
// contains filtered or unexported fields
}
Overlay2 holds the configuration for setting up overlay filesystems for the container.
func (*Overlay2) HostFileDir ¶
HostFileDir indicates the directory in which the overlay-backing host file should be created.
Precondition: o.IsBackedByHostFile() && !o.IsBackedBySelf().
func (*Overlay2) IsBackedByMemory ¶
IsBackedByMemory indicates whether the overlay is backed by app memory.
func (*Overlay2) IsBackedBySelf ¶
IsBackedBySelf indicates whether the overlaid mounts are backed by themselves.
func (*Overlay2) RootEnabled ¶
RootEnabled returns true if the overlay is enabled for the root mount.
func (*Overlay2) SubMountEnabled ¶
SubMountEnabled returns true if the overlay is enabled for submounts.
type QueueingDiscipline ¶
type QueueingDiscipline int
QueueingDiscipline is used to specify the kind of Queueing Discipline to apply for a give FDBasedLink.
const ( // QDiscNone disables any queueing for the underlying FD. QDiscNone QueueingDiscipline = iota // QDiscFIFO applies a simple fifo based queue to the underlying FD. QDiscFIFO )
func (*QueueingDiscipline) Set ¶
func (q *QueueingDiscipline) Set(v string) error
Set implements flag.Value. Set(String()) should be idempotent.
func (QueueingDiscipline) String ¶
func (q QueueingDiscipline) String() string
String implements flag.Value.