Index ¶
- Constants
- func AddPrivilegedDevices(g *generate.Generator) error
- func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, g *generate.Generator)
- func CreateContainerFromCreateConfig(ctx context.Context, r *libpod.Runtime, createConfig *CreateConfig, ...) (*libpod.Container, error)
- func CreatePortBinding(hostPort int, hostIP string) []nat.PortBinding
- func Device(d *configs.Device) spec.LinuxDevice
- func DevicesFromPath(g *generate.Generator, devicePath string) error
- func ExposedPorts(expose, publish []string, publishAll bool, ...) (map[nat.Port][]nat.PortBinding, error)
- func GetAvailableGids() (int64, error)
- func GetStatFromPath(path string) (unix.Stat_t, error)
- func InitFSMounts(mounts []spec.Mount) error
- func IsNS(s string) bool
- func IsPod(s string) bool
- func IsValidDeviceMode(mode string) bool
- func NS(s string) string
- func NatToOCIPortBindings(ports nat.PortMap) ([]ocicni.PortMapping, error)
- func ParseDevice(device string) (string, string, string, error)
- func SupercedeUserMounts(mounts []spec.Mount, configMount []spec.Mount) []spec.Mount
- func Valid(s string, ns LinuxNS) bool
- func ValidateweightDevice(val string) (*weightDevice, error)
- type CgroupConfig
- type CreateConfig
- type CreateResourceConfig
- type IpcConfig
- type LinuxNS
- type NetworkConfig
- type PidConfig
- type SecurityConfig
- func (c *SecurityConfig) ConfigureGenerator(g *generate.Generator, user *UserConfig) error
- func (c *SecurityConfig) SetLabelOpts(runtime *libpod.Runtime, pidConfig *PidConfig, ipcConfig *IpcConfig) error
- func (c *SecurityConfig) SetSecurityOpts(runtime *libpod.Runtime, securityOpts []string) error
- func (c *SecurityConfig) ToCreateOptions() ([]libpod.CtrCreateOption, error)
- type UserConfig
- type UtsConfig
Constants ¶
const (
	// TypeBind is the mount type for bind-mounting a host directory into the
	// container (the host path is exposed directly).
	TypeBind = "bind"
	// TypeVolume is the mount type for named volumes.
	TypeVolume = "volume"
	// TypeTmpfs is the mount type for mounting a tmpfs.
	TypeTmpfs = "tmpfs"
)
// CpuPeriod is the CPU period constant used by this package (100000).
// NOTE(review): presumably the CFS period in microseconds (100ms) that backs
// --cpu-period — confirm against the code that sets
// CreateResourceConfig.CPUPeriod.
const CpuPeriod = 100000
const DefaultKernelNamespaces = "cgroup,ipc,net,uts"
DefaultKernelNamespaces is a comma-separated list of the kernel namespaces handled by default; note that "pid" and "user" are not in the list.
const Pod = "pod"
Pod signifies that a kernel namespace is being shared by a container with the pod it is associated with.
Functions ¶
func AddPrivilegedDevices ¶
AddPrivilegedDevices iterates through the host's devices and adds every one of them to the spec. As the name indicates it is intended for privileged containers: the resulting container has access to all host device nodes.
func CreatePortBinding ¶
func CreatePortBinding(hostPort int, hostIP string) []nat.PortBinding
CreatePortBinding takes a host port (int) and a host IP (string) and returns a slice of nat.PortBinding structs for them.
func Device ¶
func Device(d *configs.Device) spec.LinuxDevice
Device transforms a libcontainer configs.Device to a specs.LinuxDevice object.
func DevicesFromPath ¶
DevicesFromPath computes the list of devices for devicePath; since it returns only an error, the devices are presumably recorded in the generator g.
func ExposedPorts ¶
func ExposedPorts(expose, publish []string, publishAll bool, imageExposedPorts map[string]struct{}) (map[nat.Port][]nat.PortBinding, error)
ExposedPorts parses user and image ports and returns binding information
func GetAvailableGids ¶
func InitFSMounts ¶
InitFSMounts ensures that the mount options on all of the given mounts are correct.
func IsValidDeviceMode ¶
IsValidDeviceMode reports whether the given device mode string is valid. A valid mode is a composition of r (read), w (write), and m (mknod).
func NatToOCIPortBindings ¶
func NatToOCIPortBindings(ports nat.PortMap) ([]ocicni.PortMapping, error)
NatToOCIPortBindings iterates a nat.PortMap and creates the corresponding []ocicni.PortMapping slice.
func ParseDevice ¶
ParseDevice parses a device mapping string into its src, dest and permissions strings.
func SupercedeUserMounts ¶
SupercedeUserMounts (note the historical spelling of the identifier) supersedes existing mounts in the spec with new, user-specified mounts. TODO: Should we unmount subtree mounts? E.g., if /tmp/ is mounted by one mount, and we already have /tmp/a and /tmp/b, should we remove the /tmp/a and /tmp/b mounts in favor of the more general /tmp?
func Valid ¶
Valid checks the validity of a Linux namespace; s should be the string representation of ns.
func ValidateweightDevice ¶
ValidateweightDevice validates that the specified string has a valid device-weight format for the --blkio-weight-device flag.
Types ¶
type CgroupConfig ¶
type CgroupConfig struct {
	Cgroups      string                // cgroups handling mode; flag not recorded here, presumably --cgroups — confirm
	Cgroupns     string                // cgroup namespace mode; presumably --cgroupns — confirm
	CgroupParent string                // --cgroup-parent
	CgroupMode   namespaces.CgroupMode // --cgroup (parsed cgroup namespace mode)
}
CgroupConfig configures the cgroup namespace for the container
func (*CgroupConfig) ConfigureGenerator ¶
func (c *CgroupConfig) ConfigureGenerator(g *generate.Generator) error
ConfigureGenerator configures the generator according to the current state of the CgroupConfig.
func (*CgroupConfig) ToCreateOptions ¶
func (c *CgroupConfig) ToCreateOptions(runtime *libpod.Runtime) ([]libpod.CtrCreateOption, error)
ToCreateOptions converts the input to container create options.
type CreateConfig ¶
type CreateConfig struct {
	Annotations   map[string]string
	Args          []string
	CidFile       string   // file the container ID is written to (presumably --cidfile — confirm)
	ConmonPidFile string   // file conmon's PID is written to (presumably --conmon-pidfile — confirm)
	Command       []string // Full command that will be used
	UserCommand   []string // User-entered command (or image CMD)
	Detach        bool     // --detach
	Devices       []string // --device entries; each is parsed by ParseDevice into src, dest and permissions
	Entrypoint    []string // --entrypoint
	Env           map[string]string // --env
	HealthCheck   *manifest.Schema2HealthConfig
	Init          bool   // --init
	InitPath      string // --init-path
	Image         string
	ImageID       string
	RawImageName  string
	BuiltinImgVolumes map[string]struct{} // volumes defined in the image config
	ImageVolumeType   string              // how to handle the image volume, either bind, tmpfs, or ignore
	Interactive   bool              // --interactive
	Labels        map[string]string // --label
	LogDriver     string            // --log-driver
	LogDriverOpt  []string          // --log-opt
	Name          string            // --name
	PodmanPath    string
	Pod           string // --pod
	Quiet         bool   // --quiet
	Resources     CreateResourceConfig
	RestartPolicy string
	Rm            bool           // --rm
	Rmi           bool           // --rmi
	StopSignal    syscall.Signal // --stop-signal
	StopTimeout   uint           // --stop-timeout
	Systemd       bool
	Tmpfs         []string // --tmpfs
	Tty           bool     // --tty
	Mounts        []spec.Mount
	MountsFlag    []string // --mount (raw values)
	NamedVolumes  []*libpod.ContainerNamedVolume
	Volumes       []string // --volume; bind mounts expose host paths, see SupercedeUserMounts
	VolumesFrom   []string
	WorkDir       string // --workdir
	Rootfs        string
	Security      SecurityConfig
	Syslog        bool // Whether to enable syslog on exit commands
	// Namespaces
	Pid     PidConfig
	Ipc     IpcConfig
	Cgroup  CgroupConfig
	User    UserConfig
	Uts     UtsConfig
	Network NetworkConfig
}
CreateConfig is a pre-OCI-spec structure. It represents user input received from varlink or the CLI; MakeContainerConfig turns a completed CreateConfig into the OCI spec and libpod create options. swagger:model CreateConfig
func (*CreateConfig) CreateBlockIO ¶
func (c *CreateConfig) CreateBlockIO() (*spec.LinuxBlockIO, error)
CreateBlockIO returns a LinuxBlockIO struct from a CreateConfig
func (*CreateConfig) MakeContainerConfig ¶
func (config *CreateConfig) MakeContainerConfig(runtime *libpod.Runtime, pod *libpod.Pod) (*spec.Spec, []libpod.CtrCreateOption, error)
MakeContainerConfig generates all configuration necessary to start a container with libpod from a completed CreateConfig struct.
type CreateResourceConfig ¶
type CreateResourceConfig struct {
	BlkioWeight       uint16   // --blkio-weight
	BlkioWeightDevice []string // --blkio-weight-device (validated by ValidateweightDevice)
	CPUPeriod         uint64   // --cpu-period
	CPUQuota          int64    // --cpu-quota
	CPURtPeriod       uint64   // --cpu-rt-period
	CPURtRuntime      int64    // --cpu-rt-runtime
	CPUs              float64  // --cpus
	CPUsetCPUs        string   // --cpuset-cpus (presumed; flag not recorded in the original comment)
	CPUsetMems        string   // --cpuset-mems
	DeviceCgroupRules []string // --device-cgroup-rule: additional devices-controller rules, beyond what --device grants
	DeviceReadBps     []string // --device-read-bps
	DeviceReadIOps    []string // --device-read-iops
	DeviceWriteBps    []string // --device-write-bps
	DeviceWriteIOps   []string // --device-write-iops
	DisableOomKiller  bool     // --oom-kill-disable
	KernelMemory      int64    // --kernel-memory
	Memory            int64    // --memory
	MemoryReservation int64    // --memory-reservation
	MemorySwap        int64    // --memory-swap
	MemorySwappiness  int      // --memory-swappiness
	OomScoreAdj       int      // --oom-score-adj
	PidsLimit         int64    // --pids-limit (meaning of 0/unset not visible here — confirm)
	ShmSize           int64    // size of /dev/shm (presumably --shm-size — confirm)
	Ulimit            []string // --ulimit
}
CreateResourceConfig represents resource elements in CreateConfig structures
type IpcConfig ¶
type IpcConfig struct {
	IpcMode namespaces.IpcMode // --ipc (parsed IPC namespace mode)
}
IpcConfig configures the ipc namespace for the container
func (*IpcConfig) ConfigureGenerator ¶
ConfigureGenerator configures the generator according to the current state of the IpcConfig.
func (*IpcConfig) ToCreateOptions ¶
ToCreateOptions converts the input to container create options.
type LinuxNS ¶
type LinuxNS interface {
	// Valid reports whether the namespace value is valid.
	Valid() bool
}
LinuxNS is an interface implemented by the namespace types; its Valid method reports whether the namespace is valid.
type NetworkConfig ¶
type NetworkConfig struct {
	DNSOpt       []string              // --dns-opt
	DNSSearch    []string              // --dns-search
	DNSServers   []string              // --dns
	ExposedPorts map[nat.Port]struct{} // exposed ports (see ExposedPorts)
	HTTPProxy    bool                  // flag not recorded in the original; presumably --http-proxy — confirm
	IP6Address   string                // --ipv6
	IPAddress    string                // --ip
	LinkLocalIP  []string              // --link-local-ip
	MacAddress   string                // --mac-address
	NetMode      namespaces.NetworkMode // --net (parsed network mode)
	Network      string                // --network
	NetworkAlias []string              // --network-alias
	PortBindings nat.PortMap           // host-to-container port bindings (see CreatePortBinding, NatToOCIPortBindings)
	Publish      []string              // --publish; NOTE(review): a binding without a host IP presumably listens on all host interfaces — confirm
	PublishAll   bool                  // --publish-all
}
NetworkConfig configures the network namespace for the container
func (*NetworkConfig) ConfigureGenerator ¶
func (c *NetworkConfig) ConfigureGenerator(g *generate.Generator) error
ConfigureGenerator configures the generator according to the current state of the NetworkConfig.
func (*NetworkConfig) ToCreateOptions ¶
func (c *NetworkConfig) ToCreateOptions(runtime *libpod.Runtime, userns *UserConfig) ([]libpod.CtrCreateOption, error)
ToCreateOptions converts the input to a slice of container create options.
type PidConfig ¶
type PidConfig struct {
	PidMode namespaces.PidMode // --pid (parsed PID namespace mode; host mode is also consulted by BlockAccessToKernelFilesystems)
}
PidConfig configures the pid namespace for the container
func (*PidConfig) ConfigureGenerator ¶
ConfigureGenerator configures the generator according to the current state of the PidConfig.
func (*PidConfig) ToCreateOptions ¶
ToCreateOptions converts the input to container create options.
type SecurityConfig ¶
type SecurityConfig struct {
	CapAdd      []string // --cap-add: capabilities to add
	CapDrop     []string // --cap-drop: capabilities to remove
	CapRequired []string // --cap-required
	LabelOpts   []string // derived from the security options (see SecurityOpts); set by SetLabelOpts
	NoNewPrivs  bool     // derived from the security options (see SecurityOpts)
	ApparmorProfile    string // derived from the security options (see SecurityOpts)
	SeccompProfilePath string // derived from the security options (see SecurityOpts): path of a seccomp profile
	// SeccompProfileFromImage is a seccomp profile supplied by the container
	// image. NOTE(review): because the image controls it, whether it is
	// honoured presumably depends on SeccompPolicy — confirm in ConfigureGenerator.
	SeccompProfileFromImage string
	SeccompPolicy           seccomp.Policy // policy governing seccomp profile selection (presumed — confirm)
	SecurityOpts            []string       // raw security option values; SetSecurityOpts parses them
	Privileged              bool           // --privileged; presumably the source of the privileged flag passed to BlockAccessToKernelFilesystems — confirm
	ReadOnlyRootfs          bool           // --read-only
	ReadOnlyTmpfs           bool           // --read-only-tmpfs
	Sysctl                  map[string]string // --sysctl: kernel parameters to set in the container
}
SecurityConfig configures the security features for the container
func (*SecurityConfig) ConfigureGenerator ¶
func (c *SecurityConfig) ConfigureGenerator(g *generate.Generator, user *UserConfig) error
ConfigureGenerator configures the generator according to the SecurityConfig and the supplied user configuration.
func (*SecurityConfig) SetLabelOpts ¶
func (c *SecurityConfig) SetLabelOpts(runtime *libpod.Runtime, pidConfig *PidConfig, ipcConfig *IpcConfig) error
SetLabelOpts sets the label options of the SecurityConfig according to the input.
func (*SecurityConfig) SetSecurityOpts ¶
func (c *SecurityConfig) SetSecurityOpts(runtime *libpod.Runtime, securityOpts []string) error
SetSecurityOpts sets the security options (labels, apparmor, seccomp, etc.) of the SecurityConfig from securityOpts.
func (*SecurityConfig) ToCreateOptions ¶
func (c *SecurityConfig) ToCreateOptions() ([]libpod.CtrCreateOption, error)
ToCreateOptions converts the SecurityConfig to a slice of container create options.
type UserConfig ¶
type UserConfig struct {
	GroupAdd   []string                  // --group-add
	IDMappings *storage.IDMappingOptions // uid/gid mappings for the user namespace
	UsernsMode namespaces.UsernsMode     // --userns (parsed user namespace mode; see InNS)
	User       string                    // --user
}
UserConfig configures the user namespace for the container
func (*UserConfig) ConfigureGenerator ¶
func (c *UserConfig) ConfigureGenerator(g *generate.Generator) error
ConfigureGenerator configures the generator according to the current state of the UserConfig.
func (*UserConfig) InNS ¶
func (c *UserConfig) InNS(isRootless bool) bool
InNS returns true if the UserConfig indicates to be in a dedicated user namespace.
func (*UserConfig) ToCreateOptions ¶
func (c *UserConfig) ToCreateOptions(runtime *libpod.Runtime) ([]libpod.CtrCreateOption, error)
ToCreateOptions converts the input to container create options.
type UtsConfig ¶
type UtsConfig struct {
	UtsMode  namespaces.UTSMode // --uts (parsed UTS namespace mode)
	NoHosts  bool               // flag not recorded in the original; presumably --no-hosts — confirm
	HostAdd  []string           // --add-host
	Hostname string             // container hostname (presumably --hostname — confirm)
}
UtsConfig configures the uts namespace for the container
func (*UtsConfig) ConfigureGenerator ¶
func (c *UtsConfig) ConfigureGenerator(g *generate.Generator, net *NetworkConfig, runtime *libpod.Runtime) error
ConfigureGenerator configures the generator according to the current state of the UtsConfig.
func (*UtsConfig) ToCreateOptions ¶
func (c *UtsConfig) ToCreateOptions(runtime *libpod.Runtime, pod *libpod.Pod) ([]libpod.CtrCreateOption, error)
ToCreateOptions converts the input to container create options.