containercollection

package
v0.28.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 6, 2024 License: Apache-2.0 Imports: 37 Imported by: 19

Documentation

Overview

Package containercollection provides the ContainerCollection struct to keep track of the set of running containers and primitives to query that set with various criteria.

It is used by the Gadget Tracer Manager to keep track of containers part of Kubernetes pods and by IG Manager to keep track of containers on a Linux system.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ContainerSelectorMatches 

func ContainerSelectorMatches(s *ContainerSelector, c *Container) bool

ContainerSelectorMatches tells if a container matches the criteria in a container selector.

func GetColumns 

func GetColumns() *columns.Columns[Container]

Types

type Container 

type Container struct {
	// Runtime contains the metadata of the container runtime
	Runtime RuntimeMetadata `json:"runtime,omitempty" column:"runtime" columnTags:"runtime"`

	// K8s contains the Kubernetes metadata of the container.
	K8s K8sMetadata `json:"k8s,omitempty" column:"k8s" columnTags:"kubernetes"`

	// Pid is the process id of the container
	Pid uint32 `json:"pid,omitempty" column:"pid,template:pid,hide"`

	// Container's configuration is the config.json from the OCI runtime
	// spec
	OciConfig *ocispec.Spec `json:"ociConfig,omitempty"`

	// Bundle is the directory containing the config.json from the OCI
	// runtime spec
	// See https://github.com/opencontainers/runtime-spec/blob/main/bundle.md
	Bundle string `json:"bundle,omitempty"`

	// SandboxId is the sandbox id for the corresponding pod
	SandboxId string `json:"sandboxId,omitempty"`

	// Linux metadata can be derived from the pid via /proc/$pid/...
	Mntns       uint64 `json:"mntns,omitempty" column:"mntns,template:ns"`
	Netns       uint64 `json:"netns,omitempty" column:"netns,template:ns"`
	HostNetwork bool   `json:"hostNetwork,omitempty" column:"hostNetwork,width:11,fixed,hide"`
	CgroupPath  string `json:"cgroupPath,omitempty"`
	CgroupID    uint64 `json:"cgroupID,omitempty"`
	// Data required to find the container to Pod association in the
	// gadgettracermanager.
	CgroupV1 string `json:"cgroupV1,omitempty"`
	CgroupV2 string `json:"cgroupV2,omitempty"`
	// contains filtered or unexported fields
}

Container represents a container with its metadata.

func (*Container) GetOwnerReference 

func (c *Container) GetOwnerReference() (*metav1.OwnerReference, error)

GetOwnerReference returns the owner reference information of the container. Currently it's added to the seccomp profile as annotations to help users to identify the workflow of the profile. We "lazily enrich" this information because this operation is expensive and this information is only needed in some cases.

func (*Container) K8sMetadata added in v0.28.0 

func (c *Container) K8sMetadata() *types.BasicK8sMetadata

func (*Container) RuntimeMetadata added in v0.28.0 

func (c *Container) RuntimeMetadata() *types.BasicRuntimeMetadata

func (*Container) UsesHostNetwork added in v0.28.0 

func (c *Container) UsesHostNetwork() bool

type ContainerCollection 

type ContainerCollection struct {
	// contains filtered or unexported fields
}

ContainerCollection holds a set of containers. It can be embedded as an anonymous struct to help other structs implement the ContainerResolver interface. For this reason, some methods are namespaced with 'Container' to make this clear.

func (*ContainerCollection) AddContainer 

func (cc *ContainerCollection) AddContainer(container *Container)

AddContainer adds a container to the collection.

func (*ContainerCollection) Close 

func (cc *ContainerCollection) Close()

func (*ContainerCollection) ContainerLen 

func (cc *ContainerCollection) ContainerLen() (count int)

ContainerLen returns how many containers are stored in the collection.

func (*ContainerCollection) ContainerRange 

func (cc *ContainerCollection) ContainerRange(f func(*Container))

ContainerRange iterates over the containers of the collection and calls the callback function for each of them.

func (*ContainerCollection) ContainerRangeWithSelector 

func (cc *ContainerCollection) ContainerRangeWithSelector(
	containerSelector *ContainerSelector,
	f func(*Container),
)

ContainerRangeWithSelector iterates over the containers of the collection and calls the callback function for each of those that matches the container selector.

func (*ContainerCollection) EnrichByMntNs added in v0.13.0 

func (cc *ContainerCollection) EnrichByMntNs(event *eventtypes.CommonData, mountnsid uint64)

func (*ContainerCollection) EnrichByNetNs added in v0.13.0 

func (cc *ContainerCollection) EnrichByNetNs(event *eventtypes.CommonData, netnsid uint64)

func (*ContainerCollection) EnrichEventByMntNs added in v0.14.0 

func (cc *ContainerCollection) EnrichEventByMntNs(event operators.ContainerInfoFromMountNSID)

func (*ContainerCollection) EnrichEventByNetNs added in v0.14.0 

func (cc *ContainerCollection) EnrichEventByNetNs(event operators.ContainerInfoFromNetNSID)

func (*ContainerCollection) EnrichNode added in v0.13.0 

func (cc *ContainerCollection) EnrichNode(event *eventtypes.CommonData)

func (*ContainerCollection) GetContainer 

func (cc *ContainerCollection) GetContainer(id string) *Container

GetContainer looks up a container by the container id and return it if found, or return nil if not found.

func (*ContainerCollection) GetContainersBySelector 

func (cc *ContainerCollection) GetContainersBySelector(
	containerSelector *ContainerSelector,
) []*Container

GetContainersBySelector returns a slice of containers that match the selector or an empty slice if there are not matches

func (*ContainerCollection) Initialize 

func (cc *ContainerCollection) Initialize(options ...ContainerCollectionOption) error

Initialize initializes a ContainerCollection. It is useful when ContainerCollection is embedded as an anonymous struct because we don't use a contructor in that case.

func (*ContainerCollection) LookupContainerByMntns 

func (cc *ContainerCollection) LookupContainerByMntns(mntnsid uint64) *Container

LookupContainerByMntns returns a container by its mount namespace inode id. If not found nil is returned.

func (*ContainerCollection) LookupContainersByNetns added in v0.13.0 

func (cc *ContainerCollection) LookupContainersByNetns(netnsid uint64) []*Container

LookupContainersByNetns returns a slice of containers that run in a given network namespace. Or an empty slice if there are no containers running in that network namespace.

func (*ContainerCollection) LookupMntnsByContainer 

func (cc *ContainerCollection) LookupMntnsByContainer(namespace, pod, container string) (mntns uint64)

LookupMntnsByContainer returns the mount namespace inode of the container specified in arguments or zero if not found

func (*ContainerCollection) LookupMntnsByPod 

func (cc *ContainerCollection) LookupMntnsByPod(namespace, pod string) map[string]uint64

LookupMntnsByPod returns the mount namespace inodes of all containers belonging to the pod specified in arguments, indexed by the name of the containers or an empty map if not found

func (*ContainerCollection) LookupOwnerReferenceByMntns 

func (cc *ContainerCollection) LookupOwnerReferenceByMntns(mntns uint64) *metav1.OwnerReference

LookupOwnerReferenceByMntns returns a pointer to the owner reference of the container identified by the mount namespace, or nil if not found

func (*ContainerCollection) LookupPIDByContainer 

func (cc *ContainerCollection) LookupPIDByContainer(namespace, pod, container string) (pid uint32)

LookupPIDByContainer returns the PID of the container specified in arguments or zero if not found

func (*ContainerCollection) LookupPIDByPod 

func (cc *ContainerCollection) LookupPIDByPod(namespace, pod string) map[string]uint32

LookupPIDByPod returns the PID of all containers belonging to the pod specified in arguments, indexed by the name of the containers or an empty map if not found

func (*ContainerCollection) RemoveContainer 

func (cc *ContainerCollection) RemoveContainer(id string)

RemoveContainer removes a container from the collection, but only after notifying all the subscribers.

func (*ContainerCollection) Subscribe 

func (cc *ContainerCollection) Subscribe(key interface{}, selector ContainerSelector, f FuncNotify) []*Container

Subscribe returns the list of existing containers and registers a callback for notifications about additions and deletions of containers

func (*ContainerCollection) Unsubscribe 

func (cc *ContainerCollection) Unsubscribe(key interface{})

Unsubscribe undoes a previous call to Subscribe

type ContainerCollectionOption 

type ContainerCollectionOption func(*ContainerCollection) error

ContainerCollectionOption are options to pass to Initialize using the functional option code pattern.

func WithCgroupEnrichment 

func WithCgroupEnrichment() ContainerCollectionOption

WithCgroupEnrichment enables an enricher to add the cgroup metadata

func WithContainerFanotifyEbpf added in v0.18.0 

func WithContainerFanotifyEbpf() ContainerCollectionOption

WithContainerFanotifyEbpf uses fanotify and eBPF to detect when containers are created and add them in the ContainerCollection.

This works either in the host pid namespace or in a container pid namespace.

ContainerCollection.Initialize(WithContainerFanotifyEbpf())

func WithContainerRuntimeEnrichment 

func WithContainerRuntimeEnrichment(runtime *containerutilsTypes.RuntimeConfig) ContainerCollectionOption

WithContainerRuntimeEnrichment automatically adds the container name using the requested container runtime.

Pay attention if you want to use it with other enrichers that set the Kubernetes metadata as this enricher also collects such info from the runtime. Notice also that, if such info is missing in the runtime, it hardcodes the namespace to "default" and the podname equal to the container name because some gadgets need those two values to be set.

ContainerCollection.Initialize(WithContainerRuntimeEnrichment(*RuntimeConfig))

func WithDisableContainerRuntimeWarnings added in v0.17.0 

func WithDisableContainerRuntimeWarnings() ContainerCollectionOption

WithDisableContainerRuntimeWarnings disables the warnings about container runtime.

func WithFallbackPodInformer 

func WithFallbackPodInformer(nodeName string) ContainerCollectionOption

WithFallbackPodInformer uses a pod informer as a fallback mechanism to a main hook. If the podinformer detects a new container and it hasn't been added to the list of containers it means the main hook is not working fine. We warn the user about it.

func WithHost added in v0.14.0 

func WithHost() ContainerCollectionOption

WithHost adds the host as a virtual/fake container; TODO: Just for testing

func WithInitialKubernetesContainers 

func WithInitialKubernetesContainers(nodeName string) ContainerCollectionOption

WithInitialKubernetesContainers gets initial containers from the Kubernetes API with the process ID from CRI.

This cannot be used together with WithPodInformer() since the pod informer already gets initial containers.

func WithKubernetesEnrichment 

func WithKubernetesEnrichment(nodeName string, kubeconfig *rest.Config) ContainerCollectionOption

WithKubernetesEnrichment automatically adds pod metadata

ContainerCollection.Initialize(WithKubernetesEnrichment())

func WithLinuxNamespaceEnrichment 

func WithLinuxNamespaceEnrichment() ContainerCollectionOption

WithLinuxNamespaceEnrichment enables an enricher to add the namespaces metadata

func WithMultipleContainerRuntimesEnrichment 

func WithMultipleContainerRuntimesEnrichment(runtimes []*containerutilsTypes.RuntimeConfig) ContainerCollectionOption

WithMultipleContainerRuntimesEnrichment is a wrapper for WithContainerRuntimeEnrichment() to allow caller to add multiple runtimes in one single call.

ContainerCollection.Initialize(WithMultipleContainerRuntimesEnrichment([]*RuntimeConfig)...)

func WithNodeName 

func WithNodeName(nodeName string) ContainerCollectionOption

func WithOCIConfigEnrichment added in v0.11.0 

func WithOCIConfigEnrichment() ContainerCollectionOption

WithOCIConfigEnrichment enriches container using provided OCI config

func WithPodInformer 

func WithPodInformer(nodeName string) ContainerCollectionOption

WithPodInformer uses a pod informer to get both initial containers and the stream of container events. It then uses the CRI interface to get the process ID.

This cannot be used together with WithInitialKubernetesContainers() since the pod informer already gets initial containers.

func WithPubSub 

func WithPubSub(funcs ...FuncNotify) ContainerCollectionOption

WithPubSub enables subscription with container events with Subscribe(). Optionally, a list of callbacks can be registered from the beginning, so they would get called for initial containers too.

func WithRuncFanotify 

func WithRuncFanotify() ContainerCollectionOption

WithRuncFanotify uses fanotify to detect when containers are created and add them in the ContainerCollection.

This requires execution in the host pid namespace. For this reason, it is preferable to use WithContainerFanotifyEbpf() instead.

ContainerCollection.Initialize(WithRuncFanotify())

func WithTracerCollection added in v0.13.0 

func WithTracerCollection(tc TracerCollection) ContainerCollectionOption

WithTracerCollection enables the interation between the TracerCollection and ContainerCollection packages. When this option is used: - A cache mechanism to keep containers after they are removed is enabled. - The tracer collection TracerMapsUpdater() receives notifications from containers created / removed.

type ContainerResolver 

type ContainerResolver interface {
	// LookupMntnsByContainer returns the mount namespace inode of the container
	// specified in arguments or zero if not found
	LookupMntnsByContainer(namespace, pod, container string) uint64

	// LookupContainerByMntns returns a container by its mount namespace
	// inode id. If not found nil is returned.
	LookupContainerByMntns(mntnsid uint64) *Container

	// LookupContainersByNetns returns a slice of containers that run in a given
	// network namespace. Or an empty slice if there are no containers running
	// in that network namespace.
	LookupContainersByNetns(netnsid uint64) []*Container

	// LookupMntnsByPod returns the mount namespace inodes of all containers
	// belonging to the pod specified in arguments, indexed by the name of the
	// containers or an empty map if not found
	LookupMntnsByPod(namespace, pod string) map[string]uint64

	// LookupPIDByContainer returns the PID of the container
	// specified in arguments or zero if not found
	LookupPIDByContainer(namespace, pod, container string) uint32

	// LookupPIDByPod returns the PID of all containers belonging to
	// the pod specified in arguments, indexed by the name of the
	// containers or an empty map if not found
	LookupPIDByPod(namespace, pod string) map[string]uint32

	// LookupOwnerReferenceByMntns returns a pointer to the owner reference of the
	// container identified by the mount namespace, or nil if not found
	LookupOwnerReferenceByMntns(mntns uint64) *metav1.OwnerReference

	// GetContainersBySelector returns a slice of containers that match
	// the selector or an empty slice if there are not matches
	GetContainersBySelector(containerSelector *ContainerSelector) []*Container

	// Subscribe returns the list of existing containers and registers a
	// callback for notifications about additions and deletions of
	// containers
	Subscribe(key interface{}, s ContainerSelector, f FuncNotify) []*Container

	// Unsubscribe undoes a previous call to Subscribe
	Unsubscribe(key interface{})
}

ContainerResolver offers primitives to look up running containers with various criteria, and to subscribe to container creation and termination.

type ContainerSelector 

type ContainerSelector struct {
	K8s     K8sSelector
	Runtime RuntimeSelector
}

type EventType 

type EventType int
const (
	EventTypeAddContainer EventType = iota
	EventTypeRemoveContainer
)

func EventTypeFromString added in v0.12.0 

func EventTypeFromString(s string) EventType

func (*EventType) MarshalText added in v0.12.0 

func (e *EventType) MarshalText() (text []byte, err error)

func (*EventType) String added in v0.12.0 

func (e *EventType) String() string

func (*EventType) UnmarshalText added in v0.12.0 

func (e *EventType) UnmarshalText(bytes []byte) error

type FuncNotify 

type FuncNotify func(event PubSubEvent)

type GadgetPubSub 

type GadgetPubSub struct {
	// contains filtered or unexported fields
}

GadgetPubSub provides a synchronous publish subscribe mechanism for gadgets to be informed of container creation and deletion. It needs to be synchronous so that gadgets have time to attach their tracer before the container is started.

func NewGadgetPubSub 

func NewGadgetPubSub() *GadgetPubSub

func (*GadgetPubSub) Publish 

func (g *GadgetPubSub) Publish(eventType EventType, container *Container)

func (*GadgetPubSub) Subscribe 

func (g *GadgetPubSub) Subscribe(key interface{}, callback FuncNotify, initializer func())

Subscribe registers the callback to be called for every container event published with Publish(). Optionally, the caller can pass an initializer() function that is guaranteed to be called before any new container events are published.

func (*GadgetPubSub) Unsubscribe 

func (g *GadgetPubSub) Unsubscribe(key interface{})

type K8sClient 

type K8sClient struct {
	// contains filtered or unexported fields
}

func NewK8sClient 

func NewK8sClient(nodeName string) (*K8sClient, error)

func (*K8sClient) Close 

func (k *K8sClient) Close()

func (*K8sClient) GetNonRunningContainers 

func (k *K8sClient) GetNonRunningContainers(pod *v1.Pod) []string

GetNonRunningContainers returns the list of containers IDs that are not running.

func (*K8sClient) GetRunningContainers added in v0.18.0 

func (k *K8sClient) GetRunningContainers(pod *v1.Pod) []Container

GetRunningContainers returns a list of the containers of a given Pod that are running.

func (*K8sClient) ListContainers 

func (k *K8sClient) ListContainers() (arr []Container, err error)

ListContainers return a list of the current containers that are running in the node.

type K8sMetadata added in v0.19.0 

type K8sMetadata struct {
	types.BasicK8sMetadata `json:",inline"`
	PodUID                 string `json:"podUID,omitempty"`
	// contains filtered or unexported fields
}

type K8sSelector added in v0.19.0 

type K8sSelector struct {
	types.BasicK8sMetadata
}

type PodInformer 

type PodInformer struct {
	// contains filtered or unexported fields
}

func NewPodInformer 

func NewPodInformer(node string) (*PodInformer, error)

func (*PodInformer) DeletedChan 

func (p *PodInformer) DeletedChan() <-chan string

func (*PodInformer) Run 

func (p *PodInformer) Run(threadiness int, stopCh chan struct{})

func (*PodInformer) Stop 

func (p *PodInformer) Stop()

func (*PodInformer) UpdatedChan added in v0.18.0 

func (p *PodInformer) UpdatedChan() <-chan *v1.Pod

type PubSubEvent 

type PubSubEvent struct {
	Timestamp string     `json:"timestamp,omitempty" column:"timestamp,maxWidth:30" columnTags:"runtime"`
	Type      EventType  `json:"event" column:"event,maxWidth:10" columnTags:"runtime"`
	Container *Container `json:"container"`
}

type RuntimeMetadata added in v0.19.0 

type RuntimeMetadata struct {
	types.BasicRuntimeMetadata `json:",inline"`
}

type RuntimeSelector added in v0.19.0 

type RuntimeSelector struct {
	// TODO: Support filtering by all the fields in BasicRuntimeMetadata
	ContainerName string
}

type TracerCollection added in v0.13.0 

type TracerCollection interface {
	TracerMapsUpdater() FuncNotify
}

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.