Documentation ¶
Overview ¶
Devicefilter contains the eBPF device filter program.
The implementation is based on https://github.com/containers/crun/blob/0.10.2/src/libcrun/ebpf.c
Although ebpf.c is originally licensed under LGPL-3.0-or-later, the author (Giuseppe Scrivano) agreed to relicense the file under the Apache License 2.0: https://github.com/opencontainers/runc/issues/2144#issuecomment-543116397
This particular Go implementation is based on the runc version: https://github.com/opencontainers/runc/blob/master/libcontainer/cgroups/ebpf/devicefilter/devicefilter.go
Index ¶
- Variables
- func DeviceFilter(devices []specs.LinuxDeviceCgroup) (asm.Instructions, string, error)
- func IgnoreNotExist(err error) error
- func LoadAttachCgroupDeviceFilter(insts asm.Instructions, license string, dirFD int) (func() error, error)
- func NestedGroupPath(suffix string) (string, error)
- func PidGroupPath(pid int) (string, error)
- func VerifyGroupPath(g string) error
- type BFQ
- type CPU
- type CPUMax
- type ControllerToggle
- type Entry
- type ErrorHandler
- type Event
- type HugeTlb
- type HugeTlbEntry
- type IO
- type IOType
- type Manager
- func (c *Manager) AddProc(pid uint64) error
- func (c *Manager) Controllers() ([]string, error)
- func (c *Manager) Delete() error
- func (c *Manager) DeleteSystemd() error
- func (c *Manager) EventChan() (<-chan Event, <-chan error)
- func (c *Manager) Freeze() error
- func (c *Manager) MemoryEventFD() (int, uint32, error)
- func (c *Manager) NewChild(name string, resources *Resources) (*Manager, error)
- func (c *Manager) Procs(recursive bool) ([]uint64, error)
- func (c *Manager) RootControllers() ([]string, error)
- func (c *Manager) Stat() (*stats.Metrics, error)
- func (c *Manager) Thaw() error
- func (c *Manager) ToggleControllers(controllers []string, t ControllerToggle) error
- type Memory
- type Pids
- type RDMA
- type RDMAEntry
- type Resources
- type State
- type Value
Constants ¶
This section is empty.
Variables ¶
var (
	ErrInvalidPid               = errors.New("cgroups: pid must be greater than 0")
	ErrMountPointNotExist       = errors.New("cgroups: cgroup mountpoint does not exist")
	ErrInvalidFormat            = errors.New("cgroups: parsing file with invalid format failed")
	ErrFreezerNotSupported      = errors.New("cgroups: freezer cgroup (v2) not supported on this system")
	ErrMemoryNotSupported       = errors.New("cgroups: memory cgroup (v2) not supported on this system")
	ErrPidsNotSupported         = errors.New("cgroups: pids cgroup (v2) not supported on this system")
	ErrCPUNotSupported          = errors.New("cgroups: cpu cgroup (v2) not supported on this system")
	ErrCgroupDeleted            = errors.New("cgroups: cgroup deleted")
	ErrNoCgroupMountDestination = errors.New("cgroups: cannot find cgroup mount destination")
	ErrInvalidGroupPath         = errors.New("cgroups: invalid group path")
)
Functions ¶
func DeviceFilter ¶
func DeviceFilter(devices []specs.LinuxDeviceCgroup) (asm.Instructions, string, error)
DeviceFilter returns the eBPF device filter program and its license string.
func IgnoreNotExist ¶
IgnoreNotExist ignores any errors that are caused by files that do not exist.
func LoadAttachCgroupDeviceFilter ¶
func LoadAttachCgroupDeviceFilter(insts asm.Instructions, license string, dirFD int) (func() error, error)
LoadAttachCgroupDeviceFilter installs the eBPF device filter program to the /sys/fs/cgroup/<foo> directory.
Requires the system to be running in cgroup2 unified-mode with kernel >= 4.15.
https://github.com/torvalds/linux/commit/ebc614f687369f9df99828572b1d85a7c2de3d92
func NestedGroupPath ¶
NestedGroupPath will nest the cgroups based on the calling process's cgroup, placing its child processes inside its own path.
func PidGroupPath ¶
PidGroupPath will return the correct cgroup paths for an existing process running inside a cgroup. This is commonly used for the Load function to restore an existing container.
func VerifyGroupPath ¶
VerifyGroupPath verifies the format of the group path string g. The format is the same as the third field in /proc/PID/cgroup, e.g. "/user.slice/user-1001.slice/session-1.scope".
g must be a "clean" absolute path that starts with "/", and must not contain the "/sys/fs/cgroup" prefix.
VerifyGroupPath doesn't verify whether g actually exists on the system.
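The rules above, applied to the third field of a /proc/PID/cgroup line, as an added example that is not this package's own code. The names checkGroupPath, groupFromProcLine and errBadGroupPath are hypothetical, and the sample lines in main are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// errBadGroupPath is a hypothetical sentinel error for this example.
var errBadGroupPath = errors.New("example: invalid group path")

// cgroupRoot is the conventional cgroup2 mount point (an assumption here).
const cgroupRoot = "/sys/fs/cgroup"

// checkGroupPath applies the three stated rules: absolute, already
// clean (no "..", "//" or trailing "/"), and no mount-point prefix.
func checkGroupPath(g string) error {
	switch {
	case !strings.HasPrefix(g, "/"):
		return fmt.Errorf("%w: %q is not absolute", errBadGroupPath, g)
	case path.Clean(g) != g:
		return fmt.Errorf("%w: %q is not clean", errBadGroupPath, g)
	case strings.HasPrefix(g, cgroupRoot):
		return fmt.Errorf("%w: %q includes the mount point", errBadGroupPath, g)
	}
	return nil
}

// groupFromProcLine takes a cgroup v2 line ("0::<path>"), checks the
// third field, and only then joins it under the mount point.
func groupFromProcLine(line string) (string, error) {
	parts := strings.SplitN(strings.TrimSpace(line), ":", 3)
	if len(parts) != 3 || parts[0] != "0" || parts[1] != "" {
		return "", fmt.Errorf("%w: not a v2 entry: %q", errBadGroupPath, line)
	}
	if err := checkGroupPath(parts[2]); err != nil {
		return "", err
	}
	return path.Join(cgroupRoot, parts[2]), nil
}

func main() {
	// Constructed sample lines, not captured from a real system.
	for _, l := range []string{"0::/user.slice/user-1001.slice/session-1.scope",
		"0::/user.slice/../../../etc", "0::/sys/fs/cgroup/user.slice", "0::user.slice"} {
		dir, err := groupFromProcLine(l)
		fmt.Printf("%q -> dir=%q err=%v\n", l, dir, err)
	}
}
```

Checking before joining matters because path.Join cleans its result, so a ".." segment would otherwise silently resolve to a directory outside the cgroup hierarchy.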
Types ¶
type ControllerToggle ¶
type ControllerToggle int
const (
	Enable ControllerToggle = iota + 1
	Disable
)
type ErrorHandler ¶
ErrorHandler is a function that handles and acts on errors.
type HugeTlb ¶
type HugeTlb []HugeTlbEntry
type HugeTlbEntry ¶
type Manager ¶
type Manager struct {
// contains filtered or unexported fields
}
func LoadSystemd ¶
func NewManager ¶
func NewSystemd ¶
func (*Manager) Controllers ¶
func (*Manager) DeleteSystemd ¶
func (*Manager) MemoryEventFD ¶
MemoryEventFD returns the inotify file descriptor and the 'memory.events' inotify watch descriptor.
func (*Manager) RootControllers ¶
func (*Manager) ToggleControllers ¶
func (c *Manager) ToggleControllers(controllers []string, t ControllerToggle) error
type Resources ¶
type Resources struct {
	CPU     *CPU
	Memory  *Memory
	Pids    *Pids
	IO      *IO
	RDMA    *RDMA
	HugeTlb *HugeTlb
	// When len(Devices) is zero, devices are not controlled
	Devices []specs.LinuxDeviceCgroup
}
Resources for a cgroups v2 unified hierarchy.
func ToResources ¶
func ToResources(spec *specs.LinuxResources) *Resources
ToResources converts the OCI LinuxResources struct into a v2 Resources type for use with this package.
For converting cgroups configuration from v1 to v2, see: https://github.com/containers/crun/blob/master/crun.1.md#cgroup-v2
func (*Resources) EnabledControllers ¶
EnabledControllers returns the list of all non-nil resource controllers.