Documentation ¶
Index ¶
- Constants
- func AddUidGidMappings(sys *syscall.SysProcAttr, container *libcontainer.Config)
- func DefaultCreateCommand(container *libcontainer.Config, console, dataPath, init string, pipe *os.File, ...) *exec.Cmd
- func DefaultSetupCommand(container *libcontainer.Config, console, dataPath, init string) *exec.Cmd
- func EnterCgroups(state *libcontainer.State, pid int) error
- func Exec(container *libcontainer.Config, stdin io.Reader, stdout, stderr io.Writer, ...) (int, error)
- func ExecIn(container *libcontainer.Config, state *libcontainer.State, userArgs []string, ...) (int, error)
- func FinalizeNamespace(container *libcontainer.Config) error
- func FinalizeSetns(container *libcontainer.Config, args []string) error
- func GetHostRootGid(container *libcontainer.Config) (int, error)
- func GetHostRootUid(container *libcontainer.Config) (int, error)
- func GetNamespaceFlags(namespaces libcontainer.Namespaces) (flag int)
- func Init(container *libcontainer.Config, uncleanRootfs, consolePath string, ...) (err error)
- func InitializeNetworking(container *libcontainer.Config, nspid int, networkState *network.NetworkState) error
- func LoadContainerEnvironment(container *libcontainer.Config) error
- func RestoreParentDeathSignal(old int) error
- func SetupCgroups(container *libcontainer.Config, nspid int) (map[string]string, error)
- func SetupContainer(container *libcontainer.Config, dataPath, uncleanRootfs, consolePath string) error
- func SetupUser(container *libcontainer.Config) error
- type CreateCommand
- type SetupCommand
Constants ¶
const (
EXIT_SIGNAL_OFFSET = 128
)
Variables ¶
This section is empty.
Functions ¶
func AddUidGidMappings ¶
func AddUidGidMappings(sys *syscall.SysProcAttr, container *libcontainer.Config)
AddUidGidMappings converts the container's IDMap entries into a slice of syscall.SysProcIDMap and sets them on the SysProcAttr, so the child is created with the configured uid and gid mappings when CLONE_NEWUSER is in its clone flags.
func DefaultCreateCommand ¶
func DefaultCreateCommand(container *libcontainer.Config, console, dataPath, init string, pipe *os.File, args []string) *exec.Cmd
DefaultCreateCommand returns an exec.Cmd whose Cloneflags are set to the namespaces defined in the container's configuration and which uses the current binary as init with the args provided.

console: the /dev/console to set up inside the container
init: the program executed inside the namespaces
dataPath: the path to the directory under which the container's state file is stored
pipe: sync pipe used to synchronize the parent and child processes
args: the arguments to pass to the container to run as the user's program
func DefaultSetupCommand ¶
func DefaultSetupCommand(container *libcontainer.Config, console, dataPath, init string) *exec.Cmd
DefaultSetupCommand returns an exec.Cmd that joins the init process's namespaces in order to set it up.

console: the /dev/console to set up inside the container
dataPath: the path to the directory under which the container's state file is stored
init: the program executed inside the namespaces
func EnterCgroups ¶
func EnterCgroups(state *libcontainer.State, pid int) error
func Exec ¶
func Exec(container *libcontainer.Config, stdin io.Reader, stdout, stderr io.Writer, console, dataPath string, args []string, createCommand CreateCommand, setupCommand SetupCommand, startCallback func()) (int, error)
TODO(vishh): This is part of the libcontainer API and it does much more than just namespace-related work. Move this to the libcontainer package. Exec is the high-level entry point for working with container namespaces: it performs the setup that has to happen outside the new namespaces (creating the init process, cgroups, networking) so that the container can be executed.
func ExecIn ¶
func ExecIn(container *libcontainer.Config, state *libcontainer.State, userArgs []string, initPath, action string, stdin io.Reader, stdout, stderr io.Writer, console string, startCallback func(*exec.Cmd)) (int, error)
ExecIn re-execs initPath with argv[0] rewritten to "nsenter" so that the setns code runs in a single-threaded process (setns(2) cannot be relied on from a multi-threaded Go runtime) and joins the existing container's namespaces.
func FinalizeNamespace ¶
func FinalizeNamespace(container *libcontainer.Config) error
FinalizeNamespace drops the capabilities, sets the correct user and working directory, and closes any leaked file descriptors before exec'ing the command inside the namespace.
func FinalizeSetns ¶
func FinalizeSetns(container *libcontainer.Config, args []string) error
FinalizeSetns expects that the setns calls have already been made and that the process has joined an existing namespace.
func GetHostRootGid ¶
func GetHostRootGid(container *libcontainer.Config) (int, error)
GetHostRootGid returns the gid on the host that root (gid 0) inside the container maps to; it can be non-zero when user namespaces are enabled.
func GetHostRootUid ¶
func GetHostRootUid(container *libcontainer.Config) (int, error)
GetHostRootUid returns the uid on the host that root (uid 0) inside the container maps to; it can be non-zero when user namespaces are enabled.
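The mapping arithmetic behind AddUidGidMappings and GetHostRootUid/GetHostRootGid, as an added example and not libcontainer's own code. The IDMap field names are an assumption for this example; the conversion target is a local struct with the same three fields as syscall.SysProcIDMap so the file also compiles off Linux. The validation rejects what the kernel refuses when uid_map/gid_map is written (empty maps, non-positive sizes, overlapping ranges), and the lookup answers the question the Get* functions exist for: which host id container root really is.

```go
package main

import (
	"errors"
	"fmt"
)

// IDMap is the assumed shape of one user-namespace mapping entry (field names
// are an assumption for this example): container ids
// [ContainerID, ContainerID+Size) map onto host ids [HostID, HostID+Size).
type IDMap struct {
	ContainerID int
	HostID      int
	Size        int
}

// ProcIDMap carries the same three fields as syscall.SysProcIDMap on Linux;
// a local copy keeps the example portable. Each entry becomes one line of
// /proc/<pid>/uid_map or gid_map when the child is cloned with CLONE_NEWUSER.
type ProcIDMap struct {
	ContainerID int
	HostID      int
	Size        int
}

// ToProcIDMaps converts config mappings into the per-process form
// (the job AddUidGidMappings does for SysProcAttr.UidMappings/GidMappings).
func ToProcIDMaps(maps []IDMap) []ProcIDMap {
	out := make([]ProcIDMap, 0, len(maps))
	for _, m := range maps {
		out = append(out, ProcIDMap{ContainerID: m.ContainerID, HostID: m.HostID, Size: m.Size})
	}
	return out
}

// overlaps reports whether the half-open ranges [a, a+an) and [b, b+bn) intersect.
func overlaps(a, an, b, bn int) bool {
	return a < b+bn && b < a+an
}

// ValidateIDMaps rejects what the kernel would refuse when the map is written:
// empty maps, non-positive sizes, negative ids, and ranges that overlap on
// either the container or the host side.
func ValidateIDMaps(maps []IDMap) error {
	if len(maps) == 0 {
		return errors.New("no id mappings configured")
	}
	for i, m := range maps {
		if m.Size <= 0 {
			return fmt.Errorf("mapping %d: size must be positive, got %d", i, m.Size)
		}
		if m.ContainerID < 0 || m.HostID < 0 {
			return fmt.Errorf("mapping %d: ids must be non-negative", i)
		}
		for j := 0; j < i; j++ {
			p := maps[j]
			if overlaps(m.ContainerID, m.Size, p.ContainerID, p.Size) {
				return fmt.Errorf("mappings %d and %d overlap in the container id space", j, i)
			}
			if overlaps(m.HostID, m.Size, p.HostID, p.Size) {
				return fmt.Errorf("mappings %d and %d overlap in the host id space", j, i)
			}
		}
	}
	return nil
}

// HostID returns the host id that containerID maps to, or an error if no
// range covers it (on Linux an unmapped id shows up as the overflow id, 65534).
func HostID(maps []IDMap, containerID int) (int, error) {
	for _, m := range maps {
		if containerID >= m.ContainerID && containerID < m.ContainerID+m.Size {
			return m.HostID + (containerID - m.ContainerID), nil
		}
	}
	return -1, fmt.Errorf("container id %d is not mapped to any host id", containerID)
}

// HostRootID is the GetHostRootUid/GetHostRootGid analogue: the host id that
// root (id 0) inside the container's user namespace really is.
func HostRootID(maps []IDMap) (int, error) {
	return HostID(maps, 0)
}

// RootMapsToHostRoot reports whether container root is host root. Such a map
// is legal but gives up the main benefit of the user namespace, so a hardened
// runtime should at least log it.
func RootMapsToHostRoot(maps []IDMap) bool {
	id, err := HostRootID(maps)
	return err == nil && id == 0
}

func main() {
	// Constructed sample: a 65536-id subordinate range starting at host uid 100000.
	uidMaps := []IDMap{{ContainerID: 0, HostID: 100000, Size: 65536}}
	if err := ValidateIDMaps(uidMaps); err != nil {
		fmt.Println("invalid:", err)
		return
	}
	root, _ := HostRootID(uidMaps)
	fmt.Printf("container root is host uid %d; root is host root: %v\n", root, RootMapsToHostRoot(uidMaps))
	fmt.Printf("proc id map: %+v\n", ToProcIDMaps(uidMaps))
}
```

The overlap check is what turns a confusing kernel EINVAL on the map write into a message naming the two offending entries; RootMapsToHostRoot is the policy check a runtime would add on top, since the kernel happily accepts a 0:0:1 map.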
func GetNamespaceFlags ¶
func GetNamespaceFlags(namespaces libcontainer.Namespaces) (flag int)
GetNamespaceFlags parses the container's Namespaces options into the flags to set on clone or unshare. This function returns flags only for namespaces that are to be newly created; namespaces that are joined rather than created contribute no flag.
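The clone-flag derivation GetNamespaceFlags describes, as an added example rather than libcontainer's own code. The Namespace struct (a Type name plus an optional Path to an existing namespace) is an assumption about the configuration's shape, and the CLONE_NEW* values are copied from linux/sched.h as local constants so the file compiles on any OS (on Linux they equal syscall.CLONE_NEW*). Entries with a Path are to be joined with setns(2) and so contribute no clone flag; unknown type names are rejected rather than ignored.

```go
package main

import (
	"fmt"
	"sort"
)

// Clone flags from linux/sched.h, spelled out so this compiles off Linux.
const (
	CLONE_NEWNS   = 0x00020000 // mount namespace
	CLONE_NEWUTS  = 0x04000000 // hostname and NIS domain name
	CLONE_NEWIPC  = 0x08000000 // System V IPC and POSIX message queues
	CLONE_NEWUSER = 0x10000000 // uids, gids and capabilities
	CLONE_NEWPID  = 0x20000000 // process ids
	CLONE_NEWNET  = 0x40000000 // network stack
)

// Namespace is the assumed shape of one configured namespace: a Type such as
// "NEWPID" and an optional Path (e.g. /proc/1234/ns/net) naming an existing
// namespace to join with setns(2) instead of creating a new one.
type Namespace struct {
	Type string
	Path string
}

var cloneFlagByType = map[string]int{
	"NEWNS":   CLONE_NEWNS,
	"NEWUTS":  CLONE_NEWUTS,
	"NEWIPC":  CLONE_NEWIPC,
	"NEWUSER": CLONE_NEWUSER,
	"NEWPID":  CLONE_NEWPID,
	"NEWNET":  CLONE_NEWNET,
}

// NamespaceFlags returns the CLONE_NEW* bits for namespaces that must be
// created. A namespace with a Path is joined later and gets no flag. An
// unknown Type is an error: silently skipping a misspelled "NEWNET" would
// leave the container sharing the host's network stack.
func NamespaceFlags(nss []Namespace) (int, error) {
	flag := 0
	for _, ns := range nss {
		bit, ok := cloneFlagByType[ns.Type]
		if !ok {
			return 0, fmt.Errorf("unknown namespace type %q", ns.Type)
		}
		if ns.Path != "" {
			continue // joined via setns, not cloned
		}
		flag |= bit
	}
	return flag, nil
}

// JoinPaths returns type -> path for the namespaces to be entered with setns,
// the counterpart of NamespaceFlags for the ExecIn/FinalizeSetns side.
func JoinPaths(nss []Namespace) map[string]string {
	paths := map[string]string{}
	for _, ns := range nss {
		if ns.Path != "" {
			paths[ns.Type] = ns.Path
		}
	}
	return paths
}

// MissingIsolation lists, sorted, the required namespace types that the
// configuration neither creates nor joins, i.e. what the container would
// still share with the host.
func MissingIsolation(nss []Namespace, required []string) []string {
	have := map[string]bool{}
	for _, ns := range nss {
		have[ns.Type] = true
	}
	var missing []string
	for _, r := range required {
		if !have[r] {
			missing = append(missing, r)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	// Constructed sample: fresh pid and mount namespaces, joining an existing net namespace.
	nss := []Namespace{
		{Type: "NEWPID"},
		{Type: "NEWNS"},
		{Type: "NEWNET", Path: "/proc/1234/ns/net"},
	}
	flags, err := NamespaceFlags(nss)
	if err != nil {
		fmt.Println("config error:", err)
		return
	}
	fmt.Printf("clone flags: %#x\n", flags)
	fmt.Printf("setns targets: %v\n", JoinPaths(nss))
	fmt.Printf("not isolated: %v\n", MissingIsolation(nss, []string{"NEWUSER", "NEWPID", "NEWIPC", "NEWUTS"}))
}
```

MissingIsolation is the check to run before trusting a configuration: a container that sets neither a flag nor a path for NEWNET or NEWIPC is sharing that namespace with the host, and nothing in the clone flags alone will tell you so.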
func Init ¶
func Init(container *libcontainer.Config, uncleanRootfs, consolePath string, pipe *os.File, args []string) (err error)
TODO(vishh): This is part of the libcontainer API and it does much more than just namespace-related work. Move this to the libcontainer package. Init is the init process that first runs inside the new namespaces to set up mounts, users, networking, and the other options required for the new container. The caller of Init must ensure that the Go runtime is locked to an OS thread (using runtime.LockOSThread); otherwise system calls such as setns made within Init may not act on the intended thread.
func InitializeNetworking ¶
func InitializeNetworking(container *libcontainer.Config, nspid int, networkState *network.NetworkState) error
InitializeNetworking creates the container's network stack outside of the namespace and moves interfaces into the container's network namespace where necessary.
func LoadContainerEnvironment ¶
func LoadContainerEnvironment(container *libcontainer.Config) error
func RestoreParentDeathSignal ¶
func RestoreParentDeathSignal(old int) error
RestoreParentDeathSignal sets the parent death signal to old.
func SetupCgroups ¶
func SetupCgroups(container *libcontainer.Config, nspid int) (map[string]string, error)
SetupCgroups applies the cgroup restrictions to the process running in the container based on the container's configuration.
func SetupContainer ¶
func SetupContainer(container *libcontainer.Config, dataPath, uncleanRootfs, consolePath string) error
SetupContainer sets up the mounts and networking for a user-namespace-enabled process, because root inside a user namespace does not have the permissions to perform these operations. The setup process joins all the namespaces of the user-namespace-enabled init except the user namespace, so it runs as root in the initial user namespace while performing them.
func SetupUser ¶
func SetupUser(container *libcontainer.Config) error
SetupUser changes the groups, gid, and uid for the user inside the container
Types ¶
type CreateCommand ¶
type CreateCommand func(container *libcontainer.Config, console, dataPath, init string, pipe *os.File, args []string) *exec.Cmd
CreateCommand builds the exec.Cmd that starts the container's init process; DefaultCreateCommand is the default implementation.
type SetupCommand ¶
type SetupCommand func(container *libcontainer.Config, console, dataPath, init string) *exec.Cmd