runtime

package
v6.4.2
Published: Aug 17, 2020 License: Apache-2.0 Imports: 25 Imported by: 0

Documentation

Overview

Package backend provides the implementation of a Garden server backed by containerd.

See https://containerd.io/, and https://github.com/cloudfoundry/garden.

Constants

const (
	// GracefulSignal is the signal sent to processes when giving them the
	// opportunity to shut themselves down by their own means.
	//
	GracefulSignal = syscall.SIGTERM

	// UngracefulSignal is the signal sent to the init process in the pid
	// namespace to force its shutdown.
	//
	UngracefulSignal = syscall.SIGKILL

	// GracePeriod is the duration by which a graceful killer would let a
	// set of processes finish by themselves before going ungraceful.
	//
	GracePeriod = 10 * time.Second
)
const GraceTimeKey = "garden.grace-time"

Variables

var (
	// ErrGracePeriodTimeout indicates that the grace period for a graceful
	// termination has been reached.
	//
	ErrGracePeriodTimeout = errors.New("grace period timeout")

	// ErrNotImplemented indicates that a method is not implemented.
	//
	ErrNotImplemented = errors.New("not implemented")
)

Functions

func MaxValid

func MaxValid(r io.Reader) (uint32, error)

MaxValid computes the highest possible id in an id mapping (such as /proc/[pid]/uid_map or gid_map) read from r.

For example, given the following mapping from /proc/self/uid_map:

0 1001 10
| |    |
| |    max number of ids inside this mapping (3)
| id outside (usually, the host)             (2)
id inside the container                      (1)

it determines that the maximum valid user id in this mapping is 9.

More information about the semantics of `uid_map` and `gid_map` can be found in user_namespaces(7), but here is a summary, assuming the process reading the file is in the same user namespace as `$pid`:

  • each line specifies a 1:1 mapping of a range of contiguous user/group IDs between two user namespaces

  • (1) is the start of the range of ids in the user namespace of the process $pid

  • (2) is the start of the range of ids to which the user IDs specified in (1) map to in the parent user namespace

  • (3) is the length of the range of user/group IDs that is mapped between the two user namespaces

    where:

      i. (1), (2), and (3) are uint32, with (3) having to be > 0

      ii. the max number of lines is either 5 (Linux <= 4.14) or 350 (Linux > 4.14)

      iii. the range of ids in each line cannot overlap with the ranges in any other lines

      iv. at least one line must exist
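The rules above, as an added example that is not the package's own MaxValid: a hypothetical maxValidID helper that parses a uid_map/gid_map from an io.Reader, enforces the constraints (uint32 fields, length > 0, no overlapping ranges, at least one line), and returns the highest id valid inside the namespace. It also rejects a range that would run past the uint32 id space, which the page's rules imply but do not spell out.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
)

// idRange is one line of uid_map/gid_map: (1) first id inside, (2) first id
// outside the namespace, (3) length of the range.
type idRange struct{ inside, outside, length uint32 }

// end returns first+length in uint64, so the arithmetic never wraps around.
func end(first, length uint32) uint64 { return uint64(first) + uint64(length) }
// overlap reports whether [a, a+alen) and [b, b+blen) share any id.
func overlap(a, alen, b, blen uint32) bool { return uint64(a) < end(b, blen) && uint64(b) < end(a, alen) }

// maxValidID parses an id map from r and returns the highest id valid inside
// the namespace, rejecting maps that break the rules listed for MaxValid.
// Hypothetical helper written for this example, not the package's MaxValid.
func maxValidID(r io.Reader) (uint32, error) {
	var ranges []idRange
	var highest uint64
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		var rg idRange // scanning into uint32 fields rejects negative and out-of-range values
		if n, err := fmt.Sscanf(sc.Text(), "%d %d %d", &rg.inside, &rg.outside, &rg.length); n != 3 {
			return 0, fmt.Errorf("malformed line %q: %v", sc.Text(), err)
		}
		if rg.length == 0 || end(rg.inside, rg.length) > 1<<32 || end(rg.outside, rg.length) > 1<<32 {
			return 0, fmt.Errorf("line %q: length must be > 0 and the range must fit in uint32 ids", sc.Text())
		}
		for _, p := range ranges { // neither the inside nor the outside range may overlap an earlier line
			if overlap(p.inside, p.length, rg.inside, rg.length) || overlap(p.outside, p.length, rg.outside, rg.length) {
				return 0, fmt.Errorf("line %q overlaps %+v", sc.Text(), p)
			}
		}
		ranges = append(ranges, rg)
		if e := end(rg.inside, rg.length) - 1; e > highest {
			highest = e // the last id of this line's inside range
		}
	}
	if err := sc.Err(); err != nil {
		return 0, err
	}
	if len(ranges) == 0 {
		return 0, fmt.Errorf("at least one mapping line is required")
	}
	return uint32(highest), nil
}
```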

func NewCNINetwork

func NewCNINetwork(opts ...CNINetworkOpt) (*cniNetwork, error)

func NewFileStore

func NewFileStore(root string) *fileStore

func NewKiller

func NewKiller(opts ...KillerOpt) *killer

func NewProcessKiller

func NewProcessKiller() *processKiller

func NewRootfsManager

func NewRootfsManager(opts ...RootfsManagerOpt) *rootfsManager

NewRootfsManager instantiates a rootfsManager.

Types

type CNINetworkConfig

type CNINetworkConfig struct {
	// BridgeName is the name of the bridge set up in the current network
	// namespace that the veths are connected to.
	//
	BridgeName string

	// NetworkName is the virtual name used to identify the managed network.
	//
	NetworkName string

	// Subnet is the subnet (in CIDR notation) which the veths should be
	// added to.
	//
	Subnet string
}

CNINetworkConfig provides configuration for CNINetwork to override the defaults.

func (CNINetworkConfig) ToJSON

func (c CNINetworkConfig) ToJSON() string

type CNINetworkOpt

type CNINetworkOpt func(n *cniNetwork)

CNINetworkOpt defines a functional option that, when applied, modifies the configuration of a CNINetwork.

func WithCNIBinariesDir

func WithCNIBinariesDir(dir string) CNINetworkOpt

WithCNIBinariesDir sets the directory where the binaries necessary for setting up the network live.

func WithCNIClient

func WithCNIClient(c cni.CNI) CNINetworkOpt

WithCNIClient sets the implementation of the CNI interface used for reaching out to CNI plugins.

func WithCNIFileStore

func WithCNIFileStore(f FileStore) CNINetworkOpt

WithCNIFileStore changes the default FileStore used to store files that belong to network configurations for containers.

func WithCNINetworkConfig

func WithCNINetworkConfig(c CNINetworkConfig) CNINetworkOpt

WithCNINetworkConfig provides a custom CNINetworkConfig to be used by the CNI client at startup time.

func WithIptables

func WithIptables(ipt iptables.Iptables) CNINetworkOpt

WithIptables allows for a custom implementation of the iptables.Iptables interface to be provided.

func WithNameServers

func WithNameServers(nameservers []string) CNINetworkOpt

WithNameServers sets the set of nameservers to be configured for the /etc/resolv.conf inside the containers.

func WithRestrictedNetworks

func WithRestrictedNetworks(restrictedNetworks []string) CNINetworkOpt

WithRestrictedNetworks defines the network ranges that containers will be restricted from accessing.

type Container

type Container struct {
	// contains filtered or unexported fields
}

func NewContainer

func NewContainer(
	container containerd.Container,
	killer Killer,
	rootfsManager RootfsManager,
) *Container

func (*Container) Attach

func (c *Container) Attach(pid string, processIO garden.ProcessIO) (process garden.Process, err error)

Attach starts streaming the output back to the client from a specified process.

func (*Container) BulkNetOut

func (c *Container) BulkNetOut(netOutRules []garden.NetOutRule) (err error)

BulkNetOut - Not Implemented

func (*Container) CurrentBandwidthLimits

func (c *Container) CurrentBandwidthLimits() (garden.BandwidthLimits, error)

CurrentBandwidthLimits returns no limits (achieves parity with Guardian).

func (*Container) CurrentCPULimits

func (c *Container) CurrentCPULimits() (garden.CPULimits, error)

CurrentCPULimits returns the CPU shares allocated to the container.

func (*Container) CurrentDiskLimits

func (c *Container) CurrentDiskLimits() (garden.DiskLimits, error)

CurrentDiskLimits returns no limits (achieves parity with Guardian).

func (*Container) CurrentMemoryLimits

func (c *Container) CurrentMemoryLimits() (limits garden.MemoryLimits, err error)

CurrentMemoryLimits returns the memory limit in bytes allocated to the container.

func (*Container) Handle

func (c *Container) Handle() string

func (*Container) Info

func (c *Container) Info() (info garden.ContainerInfo, err error)

Info - Not Implemented

func (*Container) Metrics

func (c *Container) Metrics() (metrics garden.Metrics, err error)

Metrics - Not Implemented

func (*Container) NetIn

func (c *Container) NetIn(hostPort, containerPort uint32) (a, b uint32, err error)

NetIn - Not Implemented

func (*Container) NetOut

func (c *Container) NetOut(netOutRule garden.NetOutRule) (err error)

NetOut - Not Implemented

func (*Container) Properties

func (c *Container) Properties() (garden.Properties, error)

Properties returns the current set of properties

func (*Container) Property

func (c *Container) Property(name string) (string, error)

Property returns the value of the property with the specified name.

func (*Container) RemoveProperty

func (c *Container) RemoveProperty(name string) (err error)

RemoveProperty - Not Implemented

func (*Container) Run

func (c *Container) Run(
	spec garden.ProcessSpec,
	processIO garden.ProcessIO,
) (garden.Process, error)

Run a process inside the container.

func (*Container) SetGraceTime

func (c *Container) SetGraceTime(graceTime time.Duration) error

SetGraceTime stores the grace time as a containerd label with key "garden.grace-time".

func (*Container) SetProperty

func (c *Container) SetProperty(name string, value string) error

Set a named property on a container to a specified value.

func (*Container) Stop

func (c *Container) Stop(kill bool) error

Stop stops a container.

func (*Container) StreamIn

func (c *Container) StreamIn(spec garden.StreamInSpec) (err error)

StreamIn - Not Implemented

func (*Container) StreamOut

func (c *Container) StreamOut(spec garden.StreamOutSpec) (readCloser io.ReadCloser, err error)

StreamOut - Not Implemented

type ErrInvalidInput

type ErrInvalidInput string

ErrInvalidInput indicates a bad input was supplied.

func (ErrInvalidInput) Error

func (e ErrInvalidInput) Error() string

type ErrNotFound

type ErrNotFound string

ErrNotFound indicates that something wasn't found.

func (ErrNotFound) Error

func (e ErrNotFound) Error() string

type FileStore

type FileStore interface {
	// Create creates a file with a particular content in the store.
	//
	Create(name string, content []byte) (absPath string, err error)

	// Delete removes a file previously created in the store.
	//
	Delete(name string) (err error)
}

FileStore is responsible for managing files associated with containers.

type GardenBackend

type GardenBackend struct {
	// contains filtered or unexported fields
}

GardenBackend implements a Garden backend backed by `containerd`.

func NewGardenBackend

func NewGardenBackend(client libcontainerd.Client, opts ...GardenBackendOpt) (b GardenBackend, err error)

NewGardenBackend instantiates a GardenBackend, with tweakable configuration passed as functional options (GardenBackendOpt).

func (*GardenBackend) BulkInfo

func (b *GardenBackend) BulkInfo(handles []string) (info map[string]garden.ContainerInfoEntry, err error)

BulkInfo - Not Implemented

func (*GardenBackend) BulkMetrics

func (b *GardenBackend) BulkMetrics(handles []string) (metrics map[string]garden.ContainerMetricsEntry, err error)

BulkMetrics - Not Implemented

func (*GardenBackend) Capacity

func (b *GardenBackend) Capacity() (capacity garden.Capacity, err error)

Capacity - Not Implemented

func (*GardenBackend) Containers

func (b *GardenBackend) Containers(properties garden.Properties) (containers []garden.Container, err error)

Containers lists all containers filtered by properties (which are ANDed together).

func (*GardenBackend) Create

func (b *GardenBackend) Create(gdnSpec garden.ContainerSpec) (garden.Container, error)

Create creates a new container.

func (*GardenBackend) Destroy

func (b *GardenBackend) Destroy(handle string) error

Destroy gracefully destroys a container.

func (*GardenBackend) GraceTime

func (b *GardenBackend) GraceTime(container garden.Container) (duration time.Duration)

GraceTime returns the value of the "garden.grace-time" property.

func (*GardenBackend) Lookup

func (b *GardenBackend) Lookup(handle string) (garden.Container, error)

Lookup returns the container with the specified handle.

func (*GardenBackend) Ping

func (b *GardenBackend) Ping() (err error)

Ping pings the garden server in order to check connectivity.

func (*GardenBackend) Start

func (b *GardenBackend) Start() (err error)

Start initializes the client.

func (*GardenBackend) Stop

func (b *GardenBackend) Stop()

Stop closes the client's underlying connections and frees any resources associated with it.

type GardenBackendOpt

type GardenBackendOpt func(b *GardenBackend)

GardenBackendOpt defines a functional option that, when applied, modifies the configuration of a GardenBackend.

func WithKiller

func WithKiller(k Killer) GardenBackendOpt

WithKiller configures the killer used to terminate tasks.

func WithMaxContainers

func WithMaxContainers(limit int) GardenBackendOpt

WithMaxContainers configures the maximum number of containers that can be created.

func WithNetwork

func WithNetwork(n Network) GardenBackendOpt

WithNetwork configures the network used by the backend.

func WithRequestTimeout

func WithRequestTimeout(requestTimeout time.Duration) GardenBackendOpt

WithRequestTimeout configures the request timeout. It is currently only used as the timeout for acquiring the create-container lock.

func WithRootfsManager

func WithRootfsManager(r RootfsManager) GardenBackendOpt

WithRootfsManager configures the RootfsManager used by the backend.

func WithUserNamespace

func WithUserNamespace(s UserNamespace) GardenBackendOpt

type InvalidGidError

type InvalidGidError struct {
	GID string
}

func (InvalidGidError) Error

func (e InvalidGidError) Error() string

type InvalidUidError

type InvalidUidError struct {
	UID string
}

func (InvalidUidError) Error

func (e InvalidUidError) Error() string

type KillBehaviour

type KillBehaviour bool
const (
	KillGracefully   KillBehaviour = false
	KillUngracefully KillBehaviour = true
)

type Killer

type Killer interface {
	// Kill terminates a task with the specified behaviour.
	//
	Kill(
		ctx context.Context,
		task containerd.Task,
		behaviour KillBehaviour,
	) error
}

Killer terminates tasks.

type KillerOpt

type KillerOpt func(k *killer)

KillerOpt is a functional option that modifies the behavior of a killer.

func WithGracePeriod

func WithGracePeriod(p time.Duration) KillerOpt

WithGracePeriod configures the grace period used when waiting for a process to be gracefully finished.

func WithProcessKiller

func WithProcessKiller(f ProcessKiller) KillerOpt

WithProcessKiller modifies the default process killer used by the task killer.

type Network

type Network interface {
	// SetupMounts prepares mounts that might be necessary for proper
	// networking functionality.
	//
	SetupMounts(handle string) (mounts []specs.Mount, err error)

	// SetupRestrictedNetworks sets up networking rules to prevent
	// container access to specified network ranges
	//
	SetupRestrictedNetworks() (err error)

	// Add adds a task to the network.
	//
	Add(ctx context.Context, task containerd.Task) (err error)

	// Remove removes a task from the network.
	//
	Remove(ctx context.Context, task containerd.Task) (err error)
}

type Process

type Process struct {
	// contains filtered or unexported fields
}

func NewProcess

func NewProcess(
	p containerd.Process,
	ch <-chan containerd.ExitStatus,
) *Process

func (*Process) ID

func (p *Process) ID() string

ID retrieves the ID associated with this process.

func (*Process) SetTTY

func (p *Process) SetTTY(spec garden.TTYSpec) error

SetTTY resizes the process' terminal dimensions.

func (*Process) Signal

func (p *Process) Signal(signal garden.Signal) (err error)

Signal - Not Implemented

func (*Process) Wait

func (p *Process) Wait() (int, error)

Wait for the process to terminate (either naturally, or from a signal), and once done, delete it.

type ProcessKiller

type ProcessKiller interface {
	// Kill terminates a single process.
	//
	Kill(
		ctx context.Context,
		proc containerd.Process,
		signal syscall.Signal,
		waitPeriod time.Duration,
	) error
}
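The grace-period constants and ErrGracePeriodTimeout above, together with the Killer and ProcessKiller interfaces, describe a two-step termination: GracefulSignal first, then UngracefulSignal once GracePeriod elapses. The following is an added example, not the package's own killer: hypothetical killProcess and killTask helpers over a minimal proc stand-in (the ctx and containerd task parameters of the real interfaces are omitted), exercised with a constructed process that ignores SIGTERM.

```go
package main

import (
	"errors"
	"syscall"
	"time"
)

var ErrGracePeriodTimeout = errors.New("grace period timeout") // mirrors the package's variable

// proc is a hypothetical stand-in for a containerd process: a way to signal it, and a channel closed once it has exited.
type proc struct {
	signal func(syscall.Signal) error
	exited <-chan struct{}
}

// killProcess sends sig and waits up to waitPeriod for p to exit, otherwise returning ErrGracePeriodTimeout.
func killProcess(p proc, sig syscall.Signal, waitPeriod time.Duration) error {
	if err := p.signal(sig); err != nil {
		return err
	}
	select {
	case <-p.exited:
		return nil
	case <-time.After(waitPeriod):
		return ErrGracePeriodTimeout
	}
}

// killTask applies the graceful-then-ungraceful policy: SIGTERM first and, only if the grace period elapses, SIGKILL.
func killTask(p proc, ungraceful bool, gracePeriod time.Duration) error {
	if !ungraceful {
		if err := killProcess(p, syscall.SIGTERM, gracePeriod); !errors.Is(err, ErrGracePeriodTimeout) {
			return err // exited within the grace period, or signal delivery failed
		}
	}
	return killProcess(p, syscall.SIGKILL, gracePeriod) // SIGKILL cannot be caught or ignored
}

// newFakeProc is a constructed process that dies on SIGKILL and, only when honoursTerm is set, on SIGTERM; signals go to *log.
func newFakeProc(honoursTerm bool, log *[]syscall.Signal) proc {
	exited := make(chan struct{})
	return proc{exited: exited, signal: func(sig syscall.Signal) error {
		*log = append(*log, sig)
		if sig == syscall.SIGKILL || (sig == syscall.SIGTERM && honoursTerm) {
			close(exited)
		}
		return nil
	}}
}
```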

type RootfsManager

type RootfsManager interface {
	// SetupCwd mutates the root filesystem to guarantee the presence of a
	// directory to be used as `cwd`.
	//
	SetupCwd(rootfsPath string, cwd string) (err error)

	// LookupUser scans the /etc/passwd file from the root filesystem for the
	// UID and GID of the specified username.
	//
	LookupUser(rootfsPath string, username string) (specs.User, bool, error)
}

RootfsManager is responsible for mutating and reading from the rootfs of a container.

type RootfsManagerOpt

type RootfsManagerOpt func(m *rootfsManager)

RootfsManagerOpt defines a functional option that, when applied, modifies the configuration of a rootfsManager.

func WithMkdirAll

func WithMkdirAll(f func(path string, mode os.FileMode) error) RootfsManagerOpt

WithMkdirAll configures the function to be used for creating directories recursively.

type TimeoutWithByPassLock

type TimeoutWithByPassLock struct {
	// contains filtered or unexported fields
}

func NewTimeoutLimitLock

func NewTimeoutLimitLock(timeout time.Duration, enabled bool) TimeoutWithByPassLock

func (TimeoutWithByPassLock) Acquire

func (tl TimeoutWithByPassLock) Acquire(ctx context.Context) error

func (TimeoutWithByPassLock) Release

func (tl TimeoutWithByPassLock) Release()

type UserNamespace

type UserNamespace interface {
	MaxValidIds() (uid, gid uint32, err error)
}

func NewUserNamespace

func NewUserNamespace() UserNamespace

type UserNotFoundError

type UserNotFoundError struct {
	User string
}

func (UserNotFoundError) Error

func (u UserNotFoundError) Error() string

Directories

Path                  Synopsis
integration
iptablesfakes         Code generated by counterfeiter.
libcontainerdfakes    Code generated by counterfeiter.
