secureoverlay2

package
v3.5.0+incompatible
Published: Mar 8, 2021 License: BSD-3-Clause Imports: 46 Imported by: 0

Documentation

Index

Constants

const (
	// ConstCryptsetupBin : Path to the cryptsetup binary
	ConstCryptsetupBin = "/sbin/cryptsetup"
	// ConstDevMapperPrefix : Path to the mapper devices
	ConstDevMapperPrefix = "/dev/mapper"
	// ConstMinImageSize : Minimum size for a Docker Image layer
	ConstMinImageSize = 10 * 1024 * 1024 // 10 MB
	// ConstCryptsetupOverhead : Extra free space allocated to an image layer for any overruns
	ConstCryptsetupOverhead = 2 * 1024 * 1024 // 2 MB
	// ConstFsOverhead : Percentage of the layer size allocated for filesystem overhead
	ConstFsOverhead = 50 // in %, i.e. 50%
	// ConstLuksCmdFormat : Command for formatting dmcrypt devices
	ConstLuksCmdFormat = "luks-format"
	// ConstLuksCmdOpen : Command for opening dmcrypt devices
	ConstLuksCmdOpen = "luks-open"
	// ConstLuksCmdClose : Command for closing dmcrypt devices
	ConstLuksCmdClose = "luks-close"
	// ConstLuksCmdRemove : Command for deleting dmcrypt devices
	ConstLuksCmdRemove = "luks-remove"

	// ConstTypeCrypt : String denoting a dmcrypt encrypted device
	ConstTypeCrypt = "type-crypt"

	// ConstFsBlockSize : Higher values of this setting (e.g., 4096) increase the relative filesystem overhead
	// and increase the likelihood that the overhead estimate is too small, resulting in an overflow
	// of the filesystem during securityTransform
	ConstFsBlockSize = "1024"

	// ConstFsReservedBlocks : Number of FS blocks reserved per image layer mount
	ConstFsReservedBlocks = "0"

	// ConstFsTypeExt4 : String denoting the ext4 filesystem
	ConstFsTypeExt4 = "ext4"

	// ConstBlockDevBasePath : Path to the block devices
	ConstBlockDevBasePath = "/sys/dev/block"
	// ConstLoopMajorNum : Major device number for loopback device
	ConstLoopMajorNum = 7
	// ConstBackingFilePath : Path within the loopback filesystem for backing_file storage
	ConstBackingFilePath = "loop/backing_file"
	// ConstMaxLoopDevices : Ceiling on the number of loopback devices that can be opened simultaneously
	ConstMaxLoopDevices = 256
)
const (
	KiB = 1024
	MiB = 1024 * KiB
	GiB = 1024 * MiB
	TiB = 1024 * GiB
	PiB = 1024 * TiB
)
const (
	MAXKEYPOLL        = 90
	RPCSocketFilePath = "/var/run/workload-agent/wlagent.sock"
)

The key is requested through wlagent fetch-key RPC calls, polled at most MAXKEYPOLL (90) times until the key is obtained. If the count reaches 90 without obtaining the key from wlagent fetch-key, an error is thrown.

const (

	// ConstDefaultStringKeyLength represents the number of random characters
	// which can be used to set a default string key if the KeyType is
	// set to key-type-string and no value is passed for KeyHandle
	ConstDefaultStringKeyLength = 12

	// ConstDefaultHashType : set the hashing algorithm used by dmcrypt
	ConstDefaultHashType = "sha256"
	// ConstDefaultCipher : set the crypt cipher used by dmcrypt
	ConstDefaultCipher = "aes-xts-plain"
	// ConstDefaultKeySize : set the key size in bits used by dmcrypt
	ConstDefaultKeySize = "256"
)

Variables

This section is empty.

Functions

func Init

func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (graphdriver.Driver, error)

Init returns a native diff driver for the overlay filesystem. If the overlay filesystem is not supported on the host, graphdriver.ErrNotSupported is returned as the error. If an overlay filesystem is not supported over the existing backing filesystem, the error graphdriver.ErrIncompatibleFS is returned.

func RAMInBytes

func RAMInBytes(size string) (int64, error)

RAMInBytes parses a human-readable string representing an amount of RAM in bytes, kibibytes, mebibytes, gibibytes, or tebibytes and returns the number of bytes, or -1 if the string is unparseable. Units are case-insensitive, and the 'b' suffix is optional.
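As an added illustration (not the package's own code), here is a parser that follows the contract documented for RAMInBytes above, built on the package's KiB..PiB constants; the function name parseRAMInBytes and the exact accepted syntax (decimal number, optional space, optional unit letter, optional "i" and "b") are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Binary unit multipliers, as declared by the secureoverlay2 package.
const (
	KiB = 1024
	MiB = 1024 * KiB
	GiB = 1024 * MiB
	TiB = 1024 * GiB
	PiB = 1024 * TiB
)

// sizeRegex (assumed syntax): decimal number, optional space, optional unit
// letter, optional "i" (as in KiB) and optional "b" suffix, case-insensitive.
var sizeRegex = regexp.MustCompile(`^(?i)(\d+(?:\.\d+)?)\s?([kmgtp])?i?b?$`)

var unitMultipliers = map[string]int64{
	"": 1, "k": KiB, "m": MiB, "g": GiB, "t": TiB, "p": PiB,
}

// parseRAMInBytes (hypothetical name) follows the documented contract of
// RAMInBytes: the byte count, or -1 plus an error when the input is unparseable.
func parseRAMInBytes(size string) (int64, error) {
	m := sizeRegex.FindStringSubmatch(strings.TrimSpace(size))
	if m == nil {
		return -1, fmt.Errorf("invalid size: %q", size)
	}
	value, err := strconv.ParseFloat(m[1], 64)
	if err != nil {
		return -1, err
	}
	mult := unitMultipliers[strings.ToLower(m[2])]
	return int64(value * float64(mult)), nil
}

func main() {
	// Constructed inputs: the last one must be rejected with -1.
	for _, s := range []string{"512", "10mb", "1.5 GiB", "2TB", "bogus"} {
		n, err := parseRAMInBytes(s)
		fmt.Printf("%-9q -> %d (err=%v)\n", s, n, err)
	}
}
```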

Types

type CryptParams

type CryptParams struct {
	Cipher   string
	Key      string
	KeySize  string
	HashType string
	ReadOnly bool
}

CryptParams : Information passed to dmcrypt for encrypt/decrypt operations

type DeviceAPI

type DeviceAPI interface {
	Create(size int64) error

	Get() error
	Put() error
	Remove() error

	ImportData(diffTar io.Reader) error
}

DeviceAPI : Enumerates the methods to be implemented by an encrypted mount store

type DeviceParams

type DeviceParams struct {
	FsType  string
	Mnt     string
	UIDMaps []idtools.IDMap
	GIDMaps []idtools.IDMap
}

DeviceParams : Information required to tie the image to the dmcrypt mount device

type Driver

type Driver struct {
	// contains filtered or unexported fields
}

Driver contains information about the home directory and the list of active mounts that are created using this driver.

func (*Driver) ApplyDiff

func (d *Driver) ApplyDiff(id string, parent string, diff io.Reader) (size int64, err error)

ApplyDiff applies the new layer into a root.

ASSUMPTIONS:

  • either the layer had no security options (and hence no meta-data file), or there is a security meta-data file and the security transform was already applied

func (*Driver) Changes

func (d *Driver) Changes(id, parent string) ([]archive.Change, error)

Changes produces a list of changes between the specified layer and its parent layer. If parent is "", then all changes will be ADD changes.

ASSUMPTIONS:

  • it will not be called with a parent other than id's immediate parent if the involved layers have security options that imply transformations.

func (*Driver) Cleanup

func (d *Driver) Cleanup() error

Cleanup removes any state created by overlay that should be cleaned up when the daemon is being shut down. For now, we just have to unmount the bind mounts we created.

func (*Driver) Create

func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) (retErr error)

Create is used to create the upper, lower, and merge directories required for overlay fs for a given id. The parent filesystem is used to configure these directories for the overlay.

func (*Driver) CreateReadWrite

func (d *Driver) CreateReadWrite(id, parent string, opts *graphdriver.CreateOpts) error

CreateReadWrite creates a layer that is writable for use as a container file system.

func (*Driver) Diff

func (d *Driver) Diff(id, parent string) (io.ReadCloser, error)

Diff produces an archive of the changes between the specified layer and its parent layer, which may be "". It will apply the security transformation as specified in the security meta data.

ASSUMPTIONS:

  • Diff is called only on frozen layers (i.e., no file state will ever change after the first call to Diff())
  • if the parent passed is not the immediate parent of id/self, then all layers between id/self and (excluding) parent must have consistent security settings (including the same key(id)!). If the above is not true, security transformations might be lost. As of now that should hold, as Diff is called only once per layer as part of commit, and the multi-layer case happens only for SquashImage, which operates on a per-Dockerfile level and therefore always implies consistent security meta data.

func (*Driver) DiffGetter

func (d *Driver) DiffGetter(id string) (graphdriver.FileGetCloser, error)

DiffGetter : Get the diff of the two layers

func (*Driver) DiffSize

func (d *Driver) DiffSize(id, parent string) (size int64, err error)

DiffSize calculates the changes between the specified id and its parent and returns the size in bytes of the changes relative to its base filesystem directory.

Notes:

  • it will currently report different sizes before and after the security transform is done! If called early, the reported size will be smaller than it eventually will be, due to transform overhead. This violates some tests in the test suite: graphtest.DriverTestDiffApply DOES test for equality of this with the size returned by ApplyDiff (graphtest.BenchmarkDiffN also tests it but does not enforce it). For now these tests are disabled (as they are when naivediff is used!).

func (*Driver) Exists

func (d *Driver) Exists(id string) bool

Exists checks to see if the id is already mounted.

func (*Driver) Get

func (d *Driver) Get(id string, mountLabel string) (_ containerfs.ContainerFS, err error)

Get creates and mounts the required file system for the given id and returns the mount path.

func (*Driver) GetMetadata

func (d *Driver) GetMetadata(id string) (map[string]string, error)

GetMetadata returns meta data about the overlay driver such as LowerDir, UpperDir, WorkDir and MergeDir used to store data.

func (*Driver) Put

func (d *Driver) Put(id string) error

Put unmounts the mount path created for the given id.

func (*Driver) Remove

func (d *Driver) Remove(id string) error

Remove cleans the directories that are created for this id.

func (*Driver) Status

func (d *Driver) Status() [][2]string

Status returns current driver information in a two dimensional string array. Output contains "Backing Filesystem" used in this implementation.

func (*Driver) String

func (d *Driver) String() string

type KeyInfo

type KeyInfo struct {
	KeyID      string
	Key        []byte
	ReturnCode bool
}

type RawImage

type RawImage struct {
	ImagePath string
	// TODO: this object can be removed after taking care of DevPath() API
	LoDev losetup.Device
}

RawImage : This represents an image mount with a loopback device

func (RawImage) Create

func (i RawImage) Create(size int64) error

Create : Creates the overlay image file

func (*RawImage) Get

func (i *RawImage) Get() error

Get : Creates the overlay image file

func (RawImage) Put

func (i RawImage) Put() error

Put : Detaches the image mount from the filesystem

func (RawImage) Remove

func (i RawImage) Remove() error

Remove : Removes the image file on deletion

type VirtualDevice

type VirtualDevice struct {
	Image        RawImage
	Name         string
	Type         string
	Deviceparams DeviceParams
	Cryptparams  CryptParams
}

VirtualDevice : An encapsulation of an encrypted docker image

func (*VirtualDevice) Create

func (d *VirtualDevice) Create(size int64) error

Create : Creates a virtual device with the specified properties

func (*VirtualDevice) Get

func (d *VirtualDevice) Get() error

Get : Open the encrypted mount for IO operations

func (*VirtualDevice) ImportData

func (d *VirtualDevice) ImportData(diffTar io.Reader) error

ImportData : Move data from a diff-tarball into a mount device

func (*VirtualDevice) Init

func (d *VirtualDevice) Init()

Init : Initialize the virtual device

func (*VirtualDevice) Put

func (d *VirtualDevice) Put() error

Put : Unmount the encrypted mount

func (*VirtualDevice) Remove

func (d *VirtualDevice) Remove() error

Remove : Remove the encrypted mount from the filesystem on deletion

