Documentation ¶
Index ¶
- Constants
- func GetOrAddNetworkNamespace(id string) *namespace
- func RemoveNetworkNamespace(ctx context.Context, id string) (err error)
- type Container
- func (c *Container) Delete(ctx context.Context) error
- func (c *Container) ExecProcess(ctx context.Context, process *oci.Process, ...) (int, error)
- func (c *Container) GetAllProcessPids(ctx context.Context) ([]int, error)
- func (c *Container) GetProcess(pid uint32) (Process, error)
- func (c *Container) GetStats(ctx context.Context) (*v1.Metrics, error)
- func (c *Container) ID() string
- func (c *Container) InitProcess() Process
- func (c *Container) Kill(ctx context.Context, signal syscall.Signal) error
- func (c *Container) Start(ctx context.Context, conSettings stdio.ConnectionSettings) (int, error)
- func (c *Container) Update(ctx context.Context, resources interface{}) error
- func (c *Container) Wait() prot.NotificationType
- type Host
- func (h *Host) AddContainer(id string, c *Container) error
- func (h *Host) CreateContainer(ctx context.Context, id string, settings *prot.VMHostedContainerSettingsV2) (_ *Container, err error)
- func (h *Host) ExecProcess(ctx context.Context, containerID string, params prot.ProcessParameters, ...) (_ int, err error)
- func (h *Host) GetCreatedContainer(id string) (*Container, error)
- func (h *Host) GetExternalProcess(pid int) (Process, error)
- func (h *Host) GetProperties(ctx context.Context, containerID string, query prot.PropertyQuery) (*prot.PropertiesV2, error)
- func (h *Host) GetStacks(ctx context.Context) (string, error)
- func (h *Host) InjectFragment(ctx context.Context, fragment *guestresource.LCOWSecurityPolicyFragment) (err error)
- func (h *Host) ModifySettings(ctx context.Context, containerID string, req *guestrequest.ModificationRequest) error
- func (h *Host) RemoveContainer(id string)
- func (h *Host) SecurityPolicyEnforcer() securitypolicy.SecurityPolicyEnforcer
- func (h *Host) SetConfidentialUVMOptions(ctx context.Context, r *guestresource.LCOWConfidentialOptions) error
- func (*Host) Shutdown()
- func (h *Host) ShutdownContainer(ctx context.Context, containerID string, graceful bool) error
- func (h *Host) SignalContainerProcess(ctx context.Context, containerID string, processID uint32, ...) error
- func (h *Host) Transport() transport.Transport
- type Process
Constants ¶
const UVMContainerID = "00000000-0000-0000-0000-000000000000"
UVMContainerID is the ContainerID that will be sent on any prot.MessageBase for V2 where the specific message is targeted at the UVM itself.
Variables ¶
This section is empty.
Functions ¶
func GetOrAddNetworkNamespace ¶
func GetOrAddNetworkNamespace(id string) *namespace
GetOrAddNetworkNamespace returns the namespace found by `id` or creates a new one and assigns `id.
Types ¶
type Container ¶
type Container struct {
// contains filtered or unexported fields
}
func (*Container) ExecProcess ¶
func (*Container) GetAllProcessPids ¶
GetAllProcessPids returns all process pids in the container namespace.
func (*Container) GetProcess ¶
GetProcess returns the Process with the matching 'pid'. If the 'pid' does not exit returns error.
func (*Container) InitProcess ¶
InitProcess returns the container's init process
func (*Container) Wait ¶
func (c *Container) Wait() prot.NotificationType
Wait waits for the container's init process to exit.
type Host ¶
type Host struct {
// contains filtered or unexported fields
}
Host is the structure tracking all UVM host state including all containers and processes.
func NewHost ¶
func NewHost(rtime runtime.Runtime, vsock transport.Transport, initialEnforcer securitypolicy.SecurityPolicyEnforcer, logWriter io.Writer) *Host
func (*Host) CreateContainer ¶
func (*Host) ExecProcess ¶
func (h *Host) ExecProcess(ctx context.Context, containerID string, params prot.ProcessParameters, conSettings stdio.ConnectionSettings) (_ int, err error)
func (*Host) GetCreatedContainer ¶
func (*Host) GetProperties ¶
func (h *Host) GetProperties(ctx context.Context, containerID string, query prot.PropertyQuery) (*prot.PropertiesV2, error)
func (*Host) InjectFragment ¶
func (h *Host) InjectFragment(ctx context.Context, fragment *guestresource.LCOWSecurityPolicyFragment) (err error)
InjectFragment extends current security policy with additional constraints from the incoming fragment. Note that it is base64 encoded over the bridge/
There are three checking steps: 1 - Unpack the cose document and check it was actually signed with the cert chain inside its header 2 - Check that the issuer field did:x509 identifier is for that cert chain (ie fingerprint of a non leaf cert and the subject matches the leaf cert) 3 - Check that this issuer/feed match the requirement of the user provided security policy (done in the regoby LoadFragment)
func (*Host) ModifySettings ¶
func (h *Host) ModifySettings(ctx context.Context, containerID string, req *guestrequest.ModificationRequest) error
func (*Host) RemoveContainer ¶
func (*Host) SecurityPolicyEnforcer ¶
func (h *Host) SecurityPolicyEnforcer() securitypolicy.SecurityPolicyEnforcer
func (*Host) SetConfidentialUVMOptions ¶
func (h *Host) SetConfidentialUVMOptions(ctx context.Context, r *guestresource.LCOWConfidentialOptions) error
SetConfidentialUVMOptions takes guestresource.LCOWConfidentialOptions to set up our internal data structures we use to store and enforce security policy. The options can contain security policy enforcer type, encoded security policy and signed UVM reference information The security policy and uvm reference information can be further presented to workload containers for validation and attestation purposes.
func (*Host) Shutdown ¶
func (*Host) Shutdown()
Shutdown terminates this UVM. This is a destructive call and will destroy all state that has not been cleaned before calling this function.
func (*Host) ShutdownContainer ¶
Called to shutdown a container
func (*Host) SignalContainerProcess ¶
type Process ¶
type Process interface { // Kill sends `signal` to the process. // // If the process has already exited returns `gcserr.HrErrNotFound` by contract. Kill(ctx context.Context, signal syscall.Signal) error // Pid returns the process id of the process. Pid() int // ResizeConsole resizes the tty to `height`x`width` for the process. ResizeConsole(ctx context.Context, height, width uint16) error // Wait returns a channel that can be used to wait for the process to exit // and gather the exit code. The second channel must be signaled from the // caller when the caller has completed its use of this call to Wait. Wait() (<-chan int, chan<- bool) }