boot

package
v0.0.0-...-73a4147 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 5, 2024 License: Apache-2.0, MIT Imports: 111 Imported by: 0

Documentation

Overview

Package boot loads the kernel and runs a container.

Index

Constants

View Source 
const (
	// ContMgrCheckpoint checkpoints a container.
	ContMgrCheckpoint = "containerManager.Checkpoint"

	// ContMgrCreateSubcontainer creates a sub-container.
	ContMgrCreateSubcontainer = "containerManager.CreateSubcontainer"

	// ContMgrDestroySubcontainer is used to stop a sub-container and free all
	// associated resources in the sandbox.
	ContMgrDestroySubcontainer = "containerManager.DestroySubcontainer"

	// ContMgrEvent gets stats about the container used by "runsc events".
	ContMgrEvent = "containerManager.Event"

	// ContMgrExecuteAsync executes a command in a container.
	ContMgrExecuteAsync = "containerManager.ExecuteAsync"

	// ContMgrPortForward starts port forwarding with the sandbox.
	ContMgrPortForward = "containerManager.PortForward"

	// ContMgrProcesses lists processes running in a container.
	ContMgrProcesses = "containerManager.Processes"

	// ContMgrRestore restores a container from a statefile.
	ContMgrRestore = "containerManager.Restore"

	// ContMgrSignal sends a signal to a container.
	ContMgrSignal = "containerManager.Signal"

	// ContMgrStartSubcontainer starts a sub-container inside a running sandbox.
	ContMgrStartSubcontainer = "containerManager.StartSubcontainer"

	// ContMgrWait waits on the init process of the container and returns its
	// ExitStatus.
	ContMgrWait = "containerManager.Wait"

	// ContMgrWaitPID waits on a process with a certain PID in the sandbox and
	// return its ExitStatus.
	ContMgrWaitPID = "containerManager.WaitPID"

	// ContMgrRootContainerStart starts a new sandbox with a root container.
	ContMgrRootContainerStart = "containerManager.StartRoot"

	// ContMgrCreateTraceSession starts a trace session.
	ContMgrCreateTraceSession = "containerManager.CreateTraceSession"

	// ContMgrDeleteTraceSession deletes a trace session.
	ContMgrDeleteTraceSession = "containerManager.DeleteTraceSession"

	// ContMgrListTraceSessions lists a trace session.
	ContMgrListTraceSessions = "containerManager.ListTraceSessions"

	// ContMgrProcfsDump dumps sandbox procfs state.
	ContMgrProcfsDump = "containerManager.ProcfsDump"
)
View Source 
const (
	// NetworkCreateLinksAndRoutes creates links and routes in a network stack.
	NetworkCreateLinksAndRoutes = "Network.CreateLinksAndRoutes"

	// DebugStacks collects sandbox stacks for debugging.
	DebugStacks = "debug.Stacks"
)
View Source 
const (
	ProfileCPU   = "Profile.CPU"
	ProfileHeap  = "Profile.Heap"
	ProfileBlock = "Profile.Block"
	ProfileMutex = "Profile.Mutex"
	ProfileTrace = "Profile.Trace"
)

Profiling related commands (see pprof.go for more details).

View Source 
const (
	LifecyclePause  = "Lifecycle.Pause"
	LifecycleResume = "Lifecycle.Resume"
)

Lifecycle related commands (see lifecycle.go for more details).

View Source 
const (
	UsageCollect = "Usage.Collect"
	UsageUsageFD = "Usage.UsageFD"
)

Usage related commands (see usage.go for more details).

View Source 
const (
	MetricsGetRegistered = "Metrics.GetRegisteredMetrics"
	MetricsExport        = "Metrics.Export"
)

Metrics related commands (see metrics.go).

View Source 
const (
	CgroupsReadControlFiles  = "Cgroups.ReadControlFiles"
	CgroupsWriteControlFiles = "Cgroups.WriteControlFiles"
)

Commands for interacting with cgroupfs within the sandbox.

View Source 
const (
	Bind   = "bind"
	Nonefs = "none"
)

Supported filesystems that map to different internal filesystems.

View Source 
const (
	LoggingChange = "Logging.Change"
)

Logging related commands (see logging.go for more details).

View Source 
const MountPrefix = "dev.gvisor.spec.mount."

MountPrefix is the annotation prefix for mount hints.

View Source 
const SelfOverlayFilestorePrefix = ".gvisor.overlay.img."

SelfOverlayFilestorePrefix is the prefix in the file name of the self overlay filestore file.

Variables

View Source 
var (
	// DefaultLoopbackLink contains IP addresses and routes of "127.0.0.1/8" and
	// "::1/8" on "lo" interface.
	DefaultLoopbackLink = LoopbackLink{
		Name: "lo",
		Addresses: []IPWithPrefix{
			{Address: net.IP("\x7f\x00\x00\x01"), PrefixLen: 8},
			{Address: net.IPv6loopback, PrefixLen: 128},
		},
		Routes: []Route{
			{
				Destination: net.IPNet{
					IP:   net.IPv4(0x7f, 0, 0, 0),
					Mask: net.IPv4Mask(0xff, 0, 0, 0),
				},
			},
			{
				Destination: net.IPNet{
					IP:   net.IPv6loopback,
					Mask: net.IPMask(strings.Repeat("\xff", net.IPv6len)),
				},
			},
		},
	}
)

Functions

func ParseMountOptions 

func ParseMountOptions(opts []string) *vfs.MountOptions

ParseMountOptions converts specs.Mount.Options to vfs.MountOptions.

func SelfOverlayFilestorePath 

func SelfOverlayFilestorePath(mountSrc, sandboxID string) string

SelfOverlayFilestorePath returns the path at which the self overlay filestore file is stored for a given mount.

func ToOverlayMediumFlags 

func ToOverlayMediumFlags(mediums []OverlayMedium) string

ToOverlayMediumFlags converts []OverlayMedium to string format which can be unpacked by OverlayMediumFlags.Set().

Types

type Args 

type Args struct {
	// Id is the sandbox ID.
	ID string
	// Spec is the sandbox specification.
	Spec *specs.Spec
	// Conf is the system configuration.
	Conf *config.Config
	// ControllerFD is the FD to the URPC controller. The Loader takes ownership
	// of this FD and may close it at any time.
	ControllerFD int
	// Device is an optional argument that is passed to the platform. The Loader
	// takes ownership of this file and may close it at any time.
	Device *os.File
	// GoferFDs is an array of FDs used to connect with the Gofer. The Loader
	// takes ownership of these FDs and may close them at any time.
	GoferFDs []int
	// StdioFDs is the stdio for the application. The Loader takes ownership of
	// these FDs and may close them at any time.
	StdioFDs []int
	// PassFDs are user-supplied FD mappings from host to guest descriptors.
	// The Loader takes ownership of these FDs and may close them at any time.
	PassFDs []FDMapping
	// ExecFD is the host file descriptor used for program execution.
	ExecFD int
	// OverlayFilestoreFDs are the FDs to the regular files that will back the
	// tmpfs upper mount in the overlay mounts.
	OverlayFilestoreFDs []int
	// OverlayMediums contains information about how the gofer mounts have been
	// overlaid. The first entry is for rootfs and the following entries are for
	// bind mounts in Spec.Mounts (in the same order).
	OverlayMediums []OverlayMedium
	// NumCPU is the number of CPUs to create inside the sandbox.
	NumCPU int
	// TotalMem is the initial amount of total memory to report back to the
	// container.
	TotalMem uint64
	// TotalHostMem is the total memory reported by host /proc/meminfo.
	TotalHostMem uint64
	// UserLogFD is the file descriptor to write user logs to.
	UserLogFD int
	// ProductName is the value to show in
	// /sys/devices/virtual/dmi/id/product_name.
	ProductName string
	// PodInitConfigFD is the file descriptor to a file passed in the
	//	--pod-init-config flag
	PodInitConfigFD int
	// SinkFDs is an ordered array of file descriptors to be used by seccheck
	// sinks configured from the --pod-init-config file.
	SinkFDs []int
	// ProfileOpts contains the set of profiles to enable and the
	// corresponding FDs where profile data will be written.
	ProfileOpts profile.Opts
}

Args are the arguments for New().

type CPU 

type CPU struct {
	Usage CPUUsage `json:"usage"`
}

CPU contains stats on the CPU.

type CPUUsage 

type CPUUsage struct {
	Kernel uint64   `json:"kernel,omitempty"`
	User   uint64   `json:"user,omitempty"`
	Total  uint64   `json:"total,omitempty"`
	PerCPU []uint64 `json:"percpu,omitempty"`
}

CPUUsage contains stats on CPU usage.

type CreateArgs 

type CreateArgs struct {
	// CID is the ID of the container to start.
	CID string

	// FilePayload may contain a TTY file for the terminal, if enabled.
	urpc.FilePayload
}

CreateArgs contains arguments to the Create method.

type CreateLinksAndRoutesArgs 

type CreateLinksAndRoutesArgs struct {
	// FilePayload contains the fds associated with the FDBasedLinks. The
	// number of fd's should match the sum of the NumChannels field of the
	// FDBasedLink entries below.
	urpc.FilePayload

	LoopbackLinks []LoopbackLink
	FDBasedLinks  []FDBasedLink
	XDPLinks      []XDPLink

	Defaultv4Gateway DefaultRoute
	Defaultv6Gateway DefaultRoute

	// PCAP indicates that FilePayload also contains a PCAP log file.
	PCAP bool
}

CreateLinksAndRoutesArgs are arguments to CreateLinkAndRoutes.

type CreateTraceSessionArgs 

type CreateTraceSessionArgs struct {
	Config seccheck.SessionConfig
	Force  bool
	urpc.FilePayload
}

CreateTraceSessionArgs are arguments to the CreateTraceSession method.

type DefaultRoute 

type DefaultRoute struct {
	Route Route
	Name  string
}

DefaultRoute represents a catch all route to the default gateway.

type Event 

type Event struct {
	Type string `json:"type"`
	ID   string `json:"id"`
	Data Stats  `json:"data"`
}

Event struct for encoding the event data to JSON. Corresponds to runc's main.event struct.

type EventOut 

type EventOut struct {
	Event Event `json:"event"`

	// ContainerUsage maps each container ID to its total CPU usage.
	ContainerUsage map[string]uint64 `json:"containerUsage"`
}

EventOut is the return type of the Event command. 

type FDBasedLink struct {
	Name              string
	InterfaceIndex    int
	MTU               int
	Addresses         []IPWithPrefix
	Routes            []Route
	GSOMaxSize        uint32
	GvisorGSOEnabled  bool
	GvisorGROTimeout  time.Duration
	TXChecksumOffload bool
	RXChecksumOffload bool
	LinkAddress       net.HardwareAddr
	QDisc             config.QueueingDiscipline
	Neighbors         []Neighbor

	// NumChannels controls how many underlying FDs are to be used to
	// create this endpoint.
	NumChannels int
}

FDBasedLink configures an fd-based link.

type FDMapping 

type FDMapping struct {
	Guest int
	Host  int
}

FDMapping is a helper type to represent a mapping from guest to host file descriptors. In contrast to the unexported fdMapping type, it does not imply file ownership.

type IPWithPrefix 

type IPWithPrefix struct {
	// Address is a network address.
	Address net.IP

	// PrefixLen is the subnet prefix length.
	PrefixLen int
}

IPWithPrefix is an address with its subnet prefix length.

func (IPWithPrefix) String 

func (ip IPWithPrefix) String() string

type InitConfig 

type InitConfig struct {
	TraceSession seccheck.SessionConfig `json:"trace_session"`
}

InitConfig represents the configuration to apply during pod creation. For now, it supports setting up a seccheck session.

func LoadInitConfig 

func LoadInitConfig(path string) (*InitConfig, error)

LoadInitConfig loads an InitConfig struct from a json formatted file.

func (*InitConfig) Setup 

func (c *InitConfig) Setup() ([]*os.File, error)

Setup performs the actions defined in the InitConfig, e.g. setup seccheck session.

type Loader 

type Loader struct {

	// PreSeccompCallback is called right before installing seccomp filters.
	PreSeccompCallback func()
	// contains filtered or unexported fields
}

Loader keeps state needed to start the kernel and run the container.

func New 

func New(args Args) (*Loader, error)

New initializes a new kernel loader configured by spec. New also handles setting up a kernel for restoring a container.

func (*Loader) Destroy 

func (l *Loader) Destroy()

Destroy cleans up all resources used by the loader.

Note that this will block until all open control server connections have been closed. For that reason, this should NOT be called in a defer, because a panic in a control server rpc would then hang forever.

func (*Loader) Run 

func (l *Loader) Run() error

Run runs the root container.

func (*Loader) WaitExit 

func (l *Loader) WaitExit() linux.WaitStatus

WaitExit waits for the root container to exit, and returns its exit status.

func (*Loader) WaitForStartSignal 

func (l *Loader) WaitForStartSignal()

WaitForStartSignal waits for a start signal from the control server. 

type LoopbackLink struct {
	Name             string
	Addresses        []IPWithPrefix
	Routes           []Route
	GvisorGROTimeout time.Duration
}

LoopbackLink configures a loopback link.

type Memory 

type Memory struct {
	Cache     uint64            `json:"cache,omitempty"`
	Usage     MemoryEntry       `json:"usage,omitempty"`
	Swap      MemoryEntry       `json:"swap,omitempty"`
	Kernel    MemoryEntry       `json:"kernel,omitempty"`
	KernelTCP MemoryEntry       `json:"kernelTCP,omitempty"`
	Raw       map[string]uint64 `json:"raw,omitempty"`
}

Memory contains stats on memory.

type MemoryEntry 

type MemoryEntry struct {
	Limit   uint64 `json:"limit"`
	Usage   uint64 `json:"usage,omitempty"`
	Max     uint64 `json:"max,omitempty"`
	Failcnt uint64 `json:"failcnt"`
}

MemoryEntry contains stats on a kind of memory.

type MountHint 

type MountHint struct {
	// contains filtered or unexported fields
}

MountHint represents extra information about mounts that are provided via annotations. They can override mount type, and provide sharing information so that mounts can be correctly shared inside the pod.

func (*MountHint) ShouldOverlay 

func (m *MountHint) ShouldOverlay() bool

ShouldOverlay returns true if this mount should be overlaid.

type Neighbor 

type Neighbor struct {
	IP           net.IP
	HardwareAddr net.HardwareAddr
}

type Network 

type Network struct {
	Stack *stack.Stack
}

Network exposes methods that can be used to configure a network stack.

func (*Network) CreateLinksAndRoutes 

func (n *Network) CreateLinksAndRoutes(args *CreateLinksAndRoutesArgs, _ *struct{}) error

CreateLinksAndRoutes creates links and routes in a network stack. It should only be called once.

type OverlayMedium 

type OverlayMedium int

OverlayMedium describes the medium that will be used to back the overlay mount's upper layer. 

const (
	// NoOverlay indicates that this mount should not be overlaid.
	NoOverlay OverlayMedium = iota

	// MemoryMedium indicates that this mount should be overlaid with an
	// upper layer backed by application memory.
	MemoryMedium

	// SelfMedium indicates that this mount should be overlaid with an upper
	// layer backed by a host file in the mount's source directory.
	SelfMedium

	// AnonDirMedium indicates that this mount should be overlaid with an upper
	// layer backed by a host file in an anonymous directory.
	AnonDirMedium
)

func (*OverlayMedium) IsBackedByHostFile 

func (o *OverlayMedium) IsBackedByHostFile() bool

IsBackedByHostFile returns true if the overlay is backed by a host file.

func (*OverlayMedium) IsEnabled 

func (o *OverlayMedium) IsEnabled() bool

IsEnabled returns true if an overlay is applied.

type OverlayMediumFlags 

type OverlayMediumFlags []OverlayMedium

OverlayMediumFlags can be used with OverlayMedium flags that appear multiple times.

func (*OverlayMediumFlags) Get 

func (o *OverlayMediumFlags) Get() any

Get implements flag.Value.

func (*OverlayMediumFlags) GetArray 

func (o *OverlayMediumFlags) GetArray() []OverlayMedium

GetArray returns an array of mappings.

func (*OverlayMediumFlags) Set 

func (o *OverlayMediumFlags) Set(s string) error

Set implements flag.Value and appends an overlay medium from the command line to the mediums array.

func (*OverlayMediumFlags) String 

func (o *OverlayMediumFlags) String() string

String implements flag.Value.

type Pids 

type Pids struct {
	Current uint64 `json:"current,omitempty"`
	Limit   uint64 `json:"limit,omitempty"`
}

Pids contains stats on processes.

type PodMountHints 

type PodMountHints struct {
	// contains filtered or unexported fields
}

PodMountHints contains a collection of mountHints for the pod.

func NewPodMountHints 

func NewPodMountHints(spec *specs.Spec) (*PodMountHints, error)

NewPodMountHints instantiates PodMountHints using spec.

func (*PodMountHints) FindMount 

func (p *PodMountHints) FindMount(mount *specs.Mount) *MountHint

FindMount finds the MountHint that applies to this mount.

type PortForwardOpts 

type PortForwardOpts struct {
	// FilePayload contains one fd for a UDS (or local port) used for port
	// forwarding.
	urpc.FilePayload

	// ContainerID is the container for the process being executed.
	ContainerID string
	// Port is the port to to forward.
	Port uint16
}

PortForwardOpts contains options for port forwarding to a port in a container.

type RestoreOpts 

type RestoreOpts struct {
	// FilePayload contains the state file to be restored, followed by the
	// platform device file if necessary.
	urpc.FilePayload

	// SandboxID contains the ID of the sandbox.
	SandboxID string
}

RestoreOpts contains options related to restoring a container's file system.

type Route 

type Route struct {
	Destination net.IPNet
	Gateway     net.IP
}

Route represents a route in the network stack.

func (*Route) Empty 

func (r *Route) Empty() bool

Empty returns true if route hasn't been set.

type SignalArgs 

type SignalArgs struct {
	// CID is the container ID.
	CID string

	// Signo is the signal to send to the process.
	Signo int32

	// PID is the process ID in the given container that will be signaled,
	// relative to the root PID namespace, not the container's.
	// If 0, the root container will be signalled.
	PID int32

	// Mode is the signal delivery mode.
	Mode SignalDeliveryMode
}

SignalArgs are arguments to the Signal method.

type SignalDeliveryMode 

type SignalDeliveryMode int

SignalDeliveryMode enumerates different signal delivery modes. 

const (
	// DeliverToProcess delivers the signal to the container process with
	// the specified PID. If PID is 0, then the container init process is
	// signaled.
	DeliverToProcess SignalDeliveryMode = iota

	// DeliverToAllProcesses delivers the signal to all processes in the
	// container. PID must be 0.
	DeliverToAllProcesses

	// DeliverToForegroundProcessGroup delivers the signal to the
	// foreground process group in the same TTY session as the specified
	// process. If PID is 0, then the signal is delivered to the foreground
	// process group for the TTY for the init process.
	DeliverToForegroundProcessGroup
)

func (SignalDeliveryMode) String 

func (s SignalDeliveryMode) String() string

type StartArgs 

type StartArgs struct {
	// Spec is the spec of the container to start.
	Spec *specs.Spec

	// Config is the runsc-specific configuration for the sandbox.
	Conf *config.Config

	// CID is the ID of the container to start.
	CID string

	// NumOverlayFilestoreFDs is the number of overlay filestore FDs donated.
	// Optionally configured with the overlay2 flag.
	NumOverlayFilestoreFDs int

	// OverlayMediums contains information about how the gofer mounts have been
	// overlaid. The first entry is for rootfs and the following entries are for
	// bind mounts in Spec.Mounts (in the same order).
	OverlayMediums []OverlayMedium

	// FilePayload contains, in order:
	//   * stdin, stdout, and stderr (optional: if terminal is disabled).
	//   * file descriptors to overlay-backing host files (optional: for overlay2).
	//   * file descriptors to connect to gofer to serve the root filesystem.
	urpc.FilePayload
}

StartArgs contains arguments to the Start method.

type Stats 

type Stats struct {
	CPU    CPU    `json:"cpu"`
	Memory Memory `json:"memory"`
	Pids   Pids   `json:"pids"`
}

Stats is the runc specific stats structure for stability when encoding and decoding stats.

type WaitPIDArgs 

type WaitPIDArgs struct {
	// PID is the PID in the container's PID namespace.
	PID int32

	// CID is the container ID.
	CID string
}

WaitPIDArgs are arguments to the WaitPID method. 

type XDPLink struct {
	Name              string
	InterfaceIndex    int
	MTU               int
	Addresses         []IPWithPrefix
	Routes            []Route
	TXChecksumOffload bool
	RXChecksumOffload bool
	LinkAddress       net.HardwareAddr
	QDisc             config.QueueingDiscipline
	Neighbors         []Neighbor
	GvisorGROTimeout  time.Duration

	// NumChannels controls how many underlying FDs are to be used to
	// create this endpoint.
	NumChannels int
}

XDPLink configures an XDP link.

Source Files

View all Source files

Directories

Path Synopsis
Package filter defines all syscalls the sandbox is allowed to make to the host, and installs seccomp filters to prevent prohibited syscalls in case it's compromised.
 Package filter defines all syscalls the sandbox is allowed to make to the host, and installs seccomp filters to prevent prohibited syscalls in case it's compromised.
Package platforms imports all available platform packages.
 Package platforms imports all available platform packages.
Package portforward holds the infrastructure to support the port forward command.
 Package portforward holds the infrastructure to support the port forward command.
Package pprof provides a stub to initialize custom profilers.
 Package pprof provides a stub to initialize custom profilers.
Package procfs holds utilities for getting procfs information for sandboxed processes.
 Package procfs holds utilities for getting procfs information for sandboxed processes.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.