hcsv2

package v0.12.0
Published: Mar 5, 2024 License: MIT Imports: 60 Imported by: 0

Documentation

Index

Constants

const UVMContainerID = "00000000-0000-0000-0000-000000000000"

UVMContainerID is the ContainerID that will be sent on any prot.MessageBase for V2 where the specific message is targeted at the UVM itself.

Variables

This section is empty.

Functions

func GetOrAddNetworkNamespace added in v0.10.0

func GetOrAddNetworkNamespace(id string) *namespace

GetOrAddNetworkNamespace returns the namespace found by `id` or creates a new one and assigns it `id`.

func RemoveNetworkNamespace added in v0.10.0

func RemoveNetworkNamespace(ctx context.Context, id string) (err error)

RemoveNetworkNamespace removes the in-memory `namespace` found by `id`.

Types

type Container

type Container struct {
	// contains filtered or unexported fields
}

func (*Container) Delete

func (c *Container) Delete(ctx context.Context) error

func (*Container) ExecProcess

func (c *Container) ExecProcess(ctx context.Context, process *oci.Process, conSettings stdio.ConnectionSettings) (int, error)

func (*Container) GetAllProcessPids

func (c *Container) GetAllProcessPids(ctx context.Context) ([]int, error)

GetAllProcessPids returns all process pids in the container namespace.

func (*Container) GetProcess

func (c *Container) GetProcess(pid uint32) (Process, error)

GetProcess returns the Process with the matching 'pid'. If the 'pid' does not exist, it returns an error.

func (*Container) GetStats

func (c *Container) GetStats(ctx context.Context) (*v1.Metrics, error)

GetStats returns the cgroup metrics for the container.

func (*Container) ID added in v0.10.0

func (c *Container) ID() string

func (*Container) InitProcess added in v0.10.0

func (c *Container) InitProcess() Process

InitProcess returns the container's init process.

func (*Container) Kill

func (c *Container) Kill(ctx context.Context, signal syscall.Signal) error

Kill sends 'signal' to the container process.

func (*Container) Start

func (c *Container) Start(ctx context.Context, conSettings stdio.ConnectionSettings) (int, error)

func (*Container) Update

func (c *Container) Update(ctx context.Context, resources interface{}) error

func (*Container) Wait

func (c *Container) Wait() prot.NotificationType

Wait waits for the container's init process to exit.

type Host

type Host struct {
	// contains filtered or unexported fields
}

Host is the structure tracking all UVM host state including all containers and processes.

func NewHost

func NewHost(rtime runtime.Runtime, vsock transport.Transport, initialEnforcer securitypolicy.SecurityPolicyEnforcer, logWriter io.Writer) *Host

func (*Host) AddContainer added in v0.10.0

func (h *Host) AddContainer(id string, c *Container) error

func (*Host) CreateContainer

func (h *Host) CreateContainer(ctx context.Context, id string, settings *prot.VMHostedContainerSettingsV2) (_ *Container, err error)

func (*Host) ExecProcess added in v0.10.0

func (h *Host) ExecProcess(ctx context.Context, containerID string, params prot.ProcessParameters, conSettings stdio.ConnectionSettings) (_ int, err error)

func (*Host) GetCreatedContainer added in v0.10.0

func (h *Host) GetCreatedContainer(id string) (*Container, error)

func (*Host) GetExternalProcess

func (h *Host) GetExternalProcess(pid int) (Process, error)

func (*Host) GetProperties added in v0.10.0

func (h *Host) GetProperties(ctx context.Context, containerID string, query prot.PropertyQuery) (*prot.PropertiesV2, error)

func (*Host) GetStacks added in v0.10.0

func (h *Host) GetStacks(ctx context.Context) (string, error)

func (*Host) InjectFragment added in v0.10.0

func (h *Host) InjectFragment(ctx context.Context, fragment *guestresource.LCOWSecurityPolicyFragment) (err error)

InjectFragment extends the current security policy with additional constraints from the incoming fragment. Note that the fragment is base64 encoded over the bridge.

There are three checking steps:

1 - Unpack the COSE document and check that it was actually signed with the cert chain inside its header.

2 - Check that the issuer field's did:x509 identifier is for that cert chain (i.e. the fingerprint matches a non-leaf cert in the chain and the subject matches the leaf cert).

3 - Check that this issuer/feed pair matches the requirement of the user-provided security policy (done in the rego by LoadFragment).

func (*Host) ModifySettings

func (h *Host) ModifySettings(ctx context.Context, containerID string, req *guestrequest.ModificationRequest) error

func (*Host) RemoveContainer

func (h *Host) RemoveContainer(id string)

func (*Host) SecurityPolicyEnforcer added in v0.10.0

func (h *Host) SecurityPolicyEnforcer() securitypolicy.SecurityPolicyEnforcer

func (*Host) SetConfidentialUVMOptions added in v0.10.0

func (h *Host) SetConfidentialUVMOptions(ctx context.Context, r *guestresource.LCOWConfidentialOptions) error

SetConfidentialUVMOptions takes guestresource.LCOWConfidentialOptions to set up the internal data structures used to store and enforce the security policy. The options can contain the security policy enforcer type, the encoded security policy and signed UVM reference information. The security policy and UVM reference information can be further presented to workload containers for validation and attestation purposes.

func (*Host) Shutdown

func (*Host) Shutdown()

Shutdown terminates this UVM. This is a destructive call and will destroy all state that has not been cleaned before calling this function.

func (*Host) ShutdownContainer added in v0.10.0

func (h *Host) ShutdownContainer(ctx context.Context, containerID string, graceful bool) error

ShutdownContainer is called to shut down a container.

func (*Host) SignalContainerProcess added in v0.10.0

func (h *Host) SignalContainerProcess(ctx context.Context, containerID string, processID uint32, signal syscall.Signal) error

func (*Host) Transport added in v0.10.0

func (h *Host) Transport() transport.Transport

type Process

type Process interface {
	// Kill sends `signal` to the process.
	//
	// If the process has already exited returns `gcserr.HrErrNotFound` by contract.
	Kill(ctx context.Context, signal syscall.Signal) error
	// Pid returns the process id of the process.
	Pid() int
	// ResizeConsole resizes the tty to `height`x`width` for the process.
	ResizeConsole(ctx context.Context, height, width uint16) error
	// Wait returns a channel that can be used to wait for the process to exit
	// and gather the exit code. The second channel must be signaled from the
	// caller when the caller has completed its use of this call to Wait.
	Wait() (<-chan int, chan<- bool)
}
