Documentation ¶
Overview ¶
Package container creates and manipulates containers.
Index ¶
- Constants
- Variables
- func Run(conf *config.Config, args Args) (unix.WaitStatus, error)
- type Args
- type Container
- func (c *Container) Checkpoint(f *os.File) error
- func (c *Container) Destroy() error
- func (c *Container) Event() (*boot.EventOut, error)
- func (c *Container) Execute(conf *config.Config, args *control.ExecArgs) (int32, error)
- func (c *Container) ForwardSignals(pid int32, fgProcess bool) func()
- func (c *Container) HasCapabilityInAnySet(capability linux.Capability) bool
- func (c *Container) IsSandboxRoot() bool
- func (c *Container) IsSandboxRunning() bool
- func (c *Container) Pause() error
- func (c *Container) PortForward(opts *boot.PortForwardOpts) error
- func (c *Container) Processes() ([]*control.Process, error)
- func (c *Container) Restore(conf *config.Config, restoreFile string) error
- func (c *Container) Resume() error
- func (c *Container) RunsAsUID0() bool
- func (c *Container) SandboxPid() int
- func (c *Container) SignalContainer(sig unix.Signal, all bool) error
- func (c *Container) SignalProcess(sig unix.Signal, pid int32) error
- func (c *Container) Start(conf *config.Config) error
- func (c *Container) State() specs.State
- func (c *Container) Wait() (unix.WaitStatus, error)
- func (c *Container) WaitPID(pid int32) (unix.WaitStatus, error)
- func (c *Container) WaitRootPID(pid int32) (unix.WaitStatus, error)
- type FullID
- type LoadOpts
- type StateFile
- type Status
- type TryLock
Constants ¶
const ( // Created indicates "the runtime has finished the create operation and // the container process has neither exited nor executed the // user-specified program" Created = specs.StateCreated // Creating indicates "the container is being created". Creating = specs.StateCreating // Running indicates "the container process has executed the // user-specified program but has not exited". Running = specs.StateRunning // Stopped indicates "the container process has exited". Stopped = specs.StateStopped // Paused indicates that the process within the container has been // suspended. This is a local status, not part of the spec. Paused = Status("paused") )
Variables ¶
var ErrStateFileLocked = errors.New("state file locked")
ErrStateFileLocked is returned by Load() when the state file is locked and TryLock is enabled.
Functions ¶
Types ¶
type Args ¶
type Args struct { // ID is the container unique identifier. ID string // Spec is the OCI spec that describes the container. Spec *specs.Spec // BundleDir is the directory containing the container bundle. BundleDir string // ConsoleSocket is the path to a unix domain socket that will receive // the console FD. It may be empty. ConsoleSocket string // PIDFile is the filename where the container's root process PID will be // written to. It may be empty. PIDFile string // UserLog is the filename to send user-visible logs to. It may be empty. // // It only applies for the init container. UserLog string // Attached indicates that the sandbox lifecycle is attached with the caller. // If the caller exits, the sandbox should exit too. // // It only applies for the init container. Attached bool // PassFiles are user-supplied files from the host to be exposed to the // sandboxed app. PassFiles map[int]*os.File // ExecFile is the host file used for program execution. ExecFile *os.File }
Args is used to configure a new container.
type Container ¶
type Container struct { // ID is the container ID. ID string `json:"id"` // Spec is the OCI runtime spec that configures this container. Spec *specs.Spec `json:"spec"` // BundleDir is the directory containing the container bundle. BundleDir string `json:"bundleDir"` // CreatedAt is the time the container was created. CreatedAt time.Time `json:"createdAt"` // Owner is the container owner. Owner string `json:"owner"` // ConsoleSocket is the path to a unix domain socket that will receive // the console FD. ConsoleSocket string `json:"consoleSocket"` // Status is the current container Status. Status Status `json:"status"` // GoferPid is the PID of the gofer running along side the sandbox. May // be 0 if the gofer has been killed. GoferPid int `json:"goferPid"` // Sandbox is the sandbox this container is running in. It's set when the // container is created and reset when the sandbox is destroyed. Sandbox *sandbox.Sandbox `json:"sandbox"` // CompatCgroup has the cgroup configuration for the container. For the single // container case, container cgroup is set in `c.Sandbox` only. CompactCgroup // is only set for multi-container, where the `c.Sandbox` cgroup represents // the entire pod. // // Note that CompatCgroup is created only for compatibility with tools // that expect container cgroups to exist. Setting limits here makes no change // to the container in question. CompatCgroup cgroup.CgroupJSON `json:"compatCgroup"` // Saver handles load from/save to the state file safely from multiple // processes. Saver StateFile `json:"saver"` // OverlayConf is the overlay configuration with which this container was // started. OverlayConf config.Overlay2 `json:"overlayConf"` // OverlayMediums contains information about how the gofer mounts have been // overlaid. The first entry is for rootfs and the following entries are for // bind mounts in Spec.Mounts (in the same order). OverlayMediums []boot.OverlayMedium `json:"overlayMediums"` // contains filtered or unexported fields }
Container represents a containerized application. When running, the container is associated with a single Sandbox.
Container metadata can be saved and loaded to disk. Within a root directory, we maintain subdirectories for each container named with the container id. The container metadata is stored as a json within the container directory in a file named "meta.json". This metadata format is defined by us and is not part of the OCI spec.
Containers must write their metadata files after any change to their internal states. The entire container directory is deleted when the container is destroyed.
When the container is stopped, all processes that belong to the container must be stopped before Destroy() returns. containerd makes roughly the following calls to stop a container:
- First it attempts to kill the container process with 'runsc kill SIGTERM'. After some time, it escalates to SIGKILL. In a separate thread, it's waiting on the container. As soon as the wait returns, it moves on to the next step:
- It calls 'runsc kill --all SIGKILL' to stop every process that belongs to the container. 'kill --all SIGKILL' waits for all processes before returning.
- Containerd waits for stdin, stdout and stderr to drain and be closed.
- It calls 'runsc delete'. runc implementation kills --all SIGKILL once again just to be sure, waits, and then proceeds with remaining teardown.
Container is thread-unsafe.
func Load ¶
Load loads a container with the given id from a metadata file. "id" may be an abbreviation of the full container id in case LoadOpts.Exact if not set. It also checks if the container is still running, in order to return an error to the caller earlier. This check is skipped if LoadOpts.SkipCheck is set.
Returns ErrNotExist if no container is found. Returns error in case more than one containers matching the ID prefix is found.
func LoadSandbox ¶
LoadSandbox loads all containers that belong to the sandbox with the given ID.
func New ¶
New creates the container in a new Sandbox process, unless the metadata indicates that an existing Sandbox should be used. The caller must call Destroy() on the container.
func (*Container) Checkpoint ¶
Checkpoint sends the checkpoint call to the container. The statefile will be written to f, the file at the specified image-path.
func (*Container) Destroy ¶
Destroy stops all processes and frees all resources associated with the container.
func (*Container) Execute ¶
Execute runs the specified command in the container. It returns the PID of the newly created process.
func (*Container) ForwardSignals ¶
ForwardSignals forwards all signals received by the current process to the container process inside the sandbox. It returns a function that will stop forwarding signals.
func (*Container) HasCapabilityInAnySet ¶
func (c *Container) HasCapabilityInAnySet(capability linux.Capability) bool
HasCapabilityInAnySet returns true if the given capability is in any of the capability sets of the container process.
func (*Container) IsSandboxRoot ¶
IsSandboxRoot returns true if this container is its sandbox's root container.
func (*Container) IsSandboxRunning ¶
IsSandboxRunning returns true if the sandbox exists and is running.
func (*Container) Pause ¶
Pause suspends the container and its kernel. The call only succeeds if the container's status is created or running.
func (*Container) PortForward ¶
func (c *Container) PortForward(opts *boot.PortForwardOpts) error
PortForward starts port forwarding to the container.
func (*Container) Processes ¶
Processes retrieves the list of processes and associated metadata inside a container.
func (*Container) Restore ¶
Restore takes a container and replaces its kernel and file system to restore a container from its state file.
func (*Container) Resume ¶
Resume unpauses the container and its kernel. The call only succeeds if the container's status is paused.
func (*Container) RunsAsUID0 ¶
RunsAsUID0 returns true if the container process runs with UID 0 (root).
func (*Container) SandboxPid ¶
SandboxPid returns the Getpid of the sandbox the container is running in, or -1 if the container is not running.
func (*Container) SignalContainer ¶
SignalContainer sends the signal to the container. If all is true and signal is SIGKILL, then waits for all processes to exit before returning. SignalContainer returns an error if the container is already stopped. TODO(b/113680494): Distinguish different error types.
func (*Container) SignalProcess ¶
SignalProcess sends sig to a specific process in the container.
func (*Container) Wait ¶
func (c *Container) Wait() (unix.WaitStatus, error)
Wait waits for the container to exit, and returns its WaitStatus. Call to wait on a stopped container is needed to retrieve the exit status and wait returns immediately.
func (*Container) WaitPID ¶
func (c *Container) WaitPID(pid int32) (unix.WaitStatus, error)
WaitPID waits for process 'pid' in the container's PID namespace and returns its WaitStatus.
func (*Container) WaitRootPID ¶
func (c *Container) WaitRootPID(pid int32) (unix.WaitStatus, error)
WaitRootPID waits for process 'pid' in the sandbox's PID namespace and returns its WaitStatus.
type FullID ¶
FullID combines sandbox and container ID to identify a container. Sandbox ID is used to allow all containers for a given sandbox to be loaded by matching sandbox ID in the file name.
func ListSandboxes ¶
ListSandboxes returns all sandbox ids in the given root directory.
type LoadOpts ¶
type LoadOpts struct { // Exact tells whether the search should be exact. See Load() for more. Exact bool // SkipCheck tells Load() to skip checking if container is runnning. SkipCheck bool // TryLock tells Load() to fail if the container state file cannot be locked, // as opposed to blocking until it is available. // When the state file cannot be locked, it will error with ErrStateFileLocked. TryLock TryLock // RootContainer when true matches the search only with the root container of // a sandbox. This is used when looking for a sandbox given that root // container and sandbox share the same ID. RootContainer bool }
LoadOpts provides options for Load()ing a container.
type StateFile ¶
type StateFile struct { // RootDir is the directory containing the container metadata file. RootDir string `json:"rootDir"` // ID is the sandbox+container ID. ID FullID `json:"id"` // contains filtered or unexported fields }
StateFile handles load from/save to container state safely from multiple processes. It uses a lock file to provide synchronization between operations.
The lock file is located at: "${s.RootDir}/${containerd-id}_sand:{sandbox-id}.lock". The state file is located at: "${s.RootDir}/${containerd-id}_sand:{sandbox-id}.state".
func (*StateFile) Destroy ¶
Destroy deletes all state created by the stateFile. It may be called with the lock file held. In that case, the lock file must still be unlocked and properly closed after destroy returns.
func (*StateFile) LockForNew ¶
LockForNew acquires the lock and checks if the state file doesn't exist. This is done to ensure that more than one creation didn't race to create containers with the same ID.
func (*StateFile) SaveLocked ¶
SaveLocked saves 'v' to the state file.
Preconditions: lock(*) must been called before.
func (*StateFile) Stat ¶
Stat returns the result of calling stat() on the state file. Doing so does not require locking.
func (*StateFile) UnlockOrDie ¶
func (s *StateFile) UnlockOrDie()
UnlockOrDie is the same as unlock() but panics in case of failure.