hcsv2

package
v0.0.0-...-1359b6c
Published: Sep 18, 2024 License: MIT Imports: 60 Imported by: 0

Documentation

Constants

const UVMContainerID = "00000000-0000-0000-0000-000000000000"

UVMContainerID is the ContainerID that will be sent on any prot.MessageBase for V2 where the specific message is targeted at the UVM itself.

Variables

This section is empty.

Functions

func GetOrAddNetworkNamespace

func GetOrAddNetworkNamespace(id string) *namespace

GetOrAddNetworkNamespace returns the namespace found by `id` or creates a new one and assigns it `id`.

func RemoveNetworkNamespace

func RemoveNetworkNamespace(ctx context.Context, id string) (err error)

RemoveNetworkNamespace removes the in-memory `namespace` found by `id`.

Types

type Container

type Container struct {
	// contains filtered or unexported fields
}

func (*Container) Delete

func (c *Container) Delete(ctx context.Context) error

func (*Container) ExecProcess

func (c *Container) ExecProcess(ctx context.Context, process *oci.Process, conSettings stdio.ConnectionSettings) (int, error)

func (*Container) GetAllProcessPids

func (c *Container) GetAllProcessPids(ctx context.Context) ([]int, error)

GetAllProcessPids returns all process pids in the container namespace.

func (*Container) GetProcess

func (c *Container) GetProcess(pid uint32) (Process, error)

GetProcess returns the Process with the matching 'pid'. If the 'pid' does not exist, it returns an error.

func (*Container) GetStats

func (c *Container) GetStats(ctx context.Context) (*v1.Metrics, error)

GetStats returns the cgroup metrics for the container.

func (*Container) ID

func (c *Container) ID() string

func (*Container) InitProcess

func (c *Container) InitProcess() Process

InitProcess returns the container's init process.

func (*Container) Kill

func (c *Container) Kill(ctx context.Context, signal syscall.Signal) error

Kill sends 'signal' to the container process.

func (*Container) Start

func (c *Container) Start(ctx context.Context, conSettings stdio.ConnectionSettings) (int, error)

func (*Container) Update

func (c *Container) Update(ctx context.Context, resources interface{}) error

func (*Container) Wait

func (c *Container) Wait() prot.NotificationType

Wait waits for the container's init process to exit.

type Host

type Host struct {
	// contains filtered or unexported fields
}

Host is the structure tracking all UVM host state including all containers and processes.

func NewHost

func NewHost(rtime runtime.Runtime, vsock transport.Transport, initialEnforcer securitypolicy.SecurityPolicyEnforcer, logWriter io.Writer) *Host

func (*Host) AddContainer

func (h *Host) AddContainer(id string, c *Container) error

func (*Host) CreateContainer

func (h *Host) CreateContainer(ctx context.Context, id string, settings *prot.VMHostedContainerSettingsV2) (_ *Container, err error)

func (*Host) ExecProcess

func (h *Host) ExecProcess(ctx context.Context, containerID string, params prot.ProcessParameters, conSettings stdio.ConnectionSettings) (_ int, err error)

func (*Host) GetCreatedContainer

func (h *Host) GetCreatedContainer(id string) (*Container, error)

func (*Host) GetExternalProcess

func (h *Host) GetExternalProcess(pid int) (Process, error)

func (*Host) GetProperties

func (h *Host) GetProperties(ctx context.Context, containerID string, query prot.PropertyQuery) (*prot.PropertiesV2, error)

func (*Host) GetStacks

func (h *Host) GetStacks(ctx context.Context) (string, error)

func (*Host) InjectFragment

func (h *Host) InjectFragment(ctx context.Context, fragment *guestresource.LCOWSecurityPolicyFragment) (err error)

InjectFragment extends the current security policy with additional constraints from the incoming fragment. Note that the fragment is base64-encoded over the bridge.

There are three checking steps:

1. Unpack the COSE document and check that it was actually signed with the cert chain inside its header.
2. Check that the issuer field's did:x509 identifier is for that cert chain (i.e. the fingerprint is that of a non-leaf cert and the subject matches the leaf cert).
3. Check that this issuer/feed match the requirements of the user-provided security policy (done in the rego by LoadFragment).
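As an added illustration of checking step 2 (example code, not hcsshim's own), the Go snippet below derives a did:x509 issuer from a signing chain and then verifies an issuer string against that chain. It assumes the did:x509 version-0 form `did:x509:0:sha256:<base64url fingerprint>::subject:CN:<value>` with a single subject policy, and uses constructed certificate stand-ins in which only the Raw DER and subject CN are populated, so no real signing or chain validation takes place (that is step 1, which this example does not cover).

```go
package main

import (
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// buildChain returns constructed stand-ins for a COSE x5chain (leaf first); only Raw DER and subject CN are set.
func buildChain() []*x509.Certificate {
	leaf, ca := &x509.Certificate{Raw: []byte("constructed leaf DER")}, &x509.Certificate{Raw: []byte("constructed CA DER")}
	leaf.Subject.CommonName, ca.Subject.CommonName = "fragment signer", "Example Root CA"
	return []*x509.Certificate{leaf, ca}
}

func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw) // did:x509 fingerprints hash the DER encoding, base64url without padding
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// didForChain builds the identifier a policy author pins: the CA (non-leaf) fingerprint plus a subject:CN policy on the leaf.
func didForChain(chain []*x509.Certificate) string {
	return "did:x509:0:sha256:" + fingerprint(chain[len(chain)-1]) +
		"::subject:CN:" + url.PathEscape(chain[0].Subject.CommonName)
}

// checkIssuer is checking step 2: the fingerprint must be a non-leaf cert of the signing chain and the policy must match the leaf.
func checkIssuer(issuer string, chain []*x509.Certificate) error {
	parts := strings.SplitN(issuer, "::", 2)
	if len(parts) != 2 || !strings.HasPrefix(parts[0], "did:x509:0:sha256:") {
		return fmt.Errorf("unsupported issuer %q", issuer)
	}
	fp, matched := strings.TrimPrefix(parts[0], "did:x509:0:sha256:"), false
	for _, c := range chain[1:] { // chain[0] is the leaf and is deliberately skipped
		matched = matched || fingerprint(c) == fp
	}
	if !matched {
		return fmt.Errorf("fingerprint %s matches no non-leaf certificate in the chain", fp)
	}
	policy := strings.SplitN(parts[1], ":", 3) // values are percent-encoded, so compare in that form
	if len(policy) != 3 || policy[0] != "subject" || policy[1] != "CN" ||
		policy[2] != url.PathEscape(chain[0].Subject.CommonName) {
		return fmt.Errorf("leaf subject %q does not satisfy policy %q", chain[0].Subject.CommonName, parts[1])
	}
	return nil
}
```

The CN comparison is done on the percent-encoded form for brevity; a production check would decode and normalise both sides and support the other did:x509 policy types, and would only run after the COSE signature over the chain has been verified.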

func (*Host) ModifySettings

func (h *Host) ModifySettings(ctx context.Context, containerID string, req *guestrequest.ModificationRequest) error

func (*Host) RemoveContainer

func (h *Host) RemoveContainer(id string)

func (*Host) SecurityPolicyEnforcer

func (h *Host) SecurityPolicyEnforcer() securitypolicy.SecurityPolicyEnforcer

func (*Host) SetConfidentialUVMOptions

func (h *Host) SetConfidentialUVMOptions(ctx context.Context, r *guestresource.LCOWConfidentialOptions) error

SetConfidentialUVMOptions takes guestresource.LCOWConfidentialOptions to set up the internal data structures used to store and enforce security policy. The options can contain the security policy enforcer type, the encoded security policy and signed UVM reference information. The security policy and UVM reference information can be further presented to workload containers for validation and attestation purposes.

func (*Host) Shutdown

func (*Host) Shutdown()

Shutdown terminates this UVM. This is a destructive call and will destroy all state that has not been cleaned before calling this function.

func (*Host) ShutdownContainer

func (h *Host) ShutdownContainer(ctx context.Context, containerID string, graceful bool) error

ShutdownContainer is called to shut down a container.

func (*Host) SignalContainerProcess

func (h *Host) SignalContainerProcess(ctx context.Context, containerID string, processID uint32, signal syscall.Signal) error

func (*Host) Transport

func (h *Host) Transport() transport.Transport

type Process

type Process interface {
	// Kill sends `signal` to the process.
	//
	// If the process has already exited returns `gcserr.HrErrNotFound` by contract.
	Kill(ctx context.Context, signal syscall.Signal) error
	// Pid returns the process id of the process.
	Pid() int
	// ResizeConsole resizes the tty to `height`x`width` for the process.
	ResizeConsole(ctx context.Context, height, width uint16) error
	// Wait returns a channel that can be used to wait for the process to exit
	// and gather the exit code. The second channel must be signaled from the
	// caller when the caller has completed its use of this call to Wait.
	Wait() (<-chan int, chan<- bool)
}
