common

package
Published: Sep 15, 2016 License: Apache-2.0 Imports: 23 Imported by: 0

Constants

// FlavorFile names the file storing the pod's flavor.
const FlavorFile = "flavor"

// SharedVolPerm is the mode applied to shared volume directories:
// owner read/write/execute, group and others read/execute (0755).
// Anything more permissive would let other pod apps write into the
// shared volume; anything stricter would break group/other traversal.
const SharedVolPerm = os.FileMode(0755)
// UnitsDir is the default directory in which systemd looks for unit files.
const UnitsDir = "/usr/lib/systemd/system"

Variables

var (
	// DockerDefaultSeccompWhitelist contains a default whitelist of syscalls,
	// used by docker for seccomp filtering.
	// See https://github.com/docker/docker/blob/master/profiles/seccomp/default.json
	//
	// This is a point-in-time copy of the upstream profile, not a live
	// reference: it must be re-synced by hand when upstream changes.
	DockerDefaultSeccompWhitelist = []string{}/* 309 elements not displayed */

	// DockerDefaultSeccompBlacklist contains a default blacklist of syscalls,
	// used by docker for seccomp filtering.
	// See https://github.com/docker/docker/blob/master/docs/security/seccomp.md
	//
	// Security note: a blacklist is default-allow. Any syscall not named
	// here -- including ones added to the kernel after this list was
	// written -- is permitted, so the whitelist above is the stronger
	// filter and should be preferred where both are supported.
	// Like the whitelist, this is a snapshot of upstream and has to be
	// kept in sync manually.
	DockerDefaultSeccompBlacklist = []string{
		"acct",
		"add_key",
		"adjtimex",
		"bpf",
		"clock_adjtime",
		"clock_settime",

		"create_module",
		"delete_module",
		"finit_module",
		"get_kernel_syms",
		"get_mempolicy",
		"init_module",
		"ioperm",
		"iopl",
		"kcmp",
		"kexec_file_load",
		"kexec_load",
		"keyctl",
		"lookup_dcookie",
		"mbind",
		"mount",
		"move_pages",
		"name_to_handle_at",
		"nfsservctl",
		"open_by_handle_at",
		"perf_event_open",

		"pivot_root",
		"process_vm_readv",
		"process_vm_writev",
		"ptrace",
		"query_module",
		"quotactl",
		"reboot",
		"request_key",
		"set_mempolicy",
		"setns",
		"settimeofday",
		"stime",
		"swapon",
		"swapoff",
		"sysfs",
		"_sysctl",
		"umount",
		"umount2",
		"unshare",
		"uselib",
		"userfaultfd",
		"ustat",
		"vm86",
		"vm86old",
	}

	// RktDefaultSeccompBlacklist contains a default blacklist of syscalls,
	// used by rkt for seccomp filtering.
	//
	// NOTE: this is an alias, not a copy. Both names share one backing
	// array, so an in-place write through either slice is visible through
	// the other. Treat these package-level lists as read-only.
	RktDefaultSeccompBlacklist = DockerDefaultSeccompBlacklist
	// RktDefaultSeccompWhitelist contains a default whitelist of syscalls,
	// used by rkt for seccomp filtering.
	//
	// Same aliasing caveat as RktDefaultSeccompBlacklist: it shares its
	// backing array with DockerDefaultSeccompWhitelist.
	RktDefaultSeccompWhitelist = DockerDefaultSeccompWhitelist
)
// ErrTooManySeccompIsolators is returned when more seccomp isolators are
// specified than can be applied to a single app.
var ErrTooManySeccompIsolators = errors.New("too many seccomp isolators specified")

Functions

func BindMount added in v1.15.0

func BindMount(source, destination string, readOnly bool) error

BindMount bind-mounts source onto destination. Before mounting it does some bookkeeping: it evaluates all symlinks in both paths, ensures the source exists, and recursively creates the destination.

func EnvFilePath added in v0.14.0

func EnvFilePath(root string, appName types.ACName) string

EnvFilePath returns the path to the environment file for the given app name.

func EvaluateSymlinksInsideApp added in v1.5.1

func EvaluateSymlinksInsideApp(appRootfs, path string) (string, error)

EvaluateSymlinksInsideApp tries to resolve symlinks within the path. It returns the actual path relative to the app rootfs for the given path.

func GenerateMounts

func GenerateMounts(ra *schema.RuntimeApp, volumes map[types.ACName]types.Volume, imageManifest *schema.ImageManifest) []mountWrapper

GenerateMounts maps MountPoint paths to volumes, returning a list of mounts, each flagged with whether it is an implicit empty volume from a Docker image.

func GetAppHashes added in v0.14.0

func GetAppHashes(p *stage1commontypes.Pod) []types.Hash

GetAppHashes returns a list of hashes of the apps in this pod

func GetFlavor added in v0.14.0

func GetFlavor(p *stage1commontypes.Pod) (flavor string, systemdVersion int, err error)

GetFlavor returns the pod's flavor string and the systemd version that flavor implies. If the systemd version cannot be determined, systemdVersion is 0.

func GetMachineID added in v0.14.0

func GetMachineID(p *stage1commontypes.Pod) string

GetMachineID returns the machine id string of the pod to be passed to systemd-nspawn

func InitDebug added in v1.0.0

func InitDebug(debug bool)

func InstantiatedPrepareAppUnitName added in v0.14.0

func InstantiatedPrepareAppUnitName(appName types.ACName) string

InstantiatedPrepareAppUnitName returns the systemd service unit name for the prepare-app instance of the given app.

func IsMountReadOnly

func IsMountReadOnly(vol types.Volume, mountPoints []types.MountPoint) bool

IsMountReadOnly returns whether a mount should be read-only. If the readOnly flag in the pod manifest is not nil, it overrides the readOnly flag in the image manifest.

func PodToNspawnArgs added in v0.14.0

func PodToNspawnArgs(p *stage1commontypes.Pod, insecureOptions Stage1InsecureOptions) ([]string, error)

PodToNspawnArgs renders a prepared Pod as a systemd-nspawn argument list ready to be executed

func PodToSystemd added in v0.14.0

func PodToSystemd(p *stage1commontypes.Pod, interactive bool, flavor string, privateUsers string, insecureOptions Stage1InsecureOptions) error

PodToSystemd creates the appropriate systemd service unit files for all the constituent apps of the Pod

func PrepareMountpoints added in v1.1.0

func PrepareMountpoints(volPath string, targetPath string, vol *types.Volume, dockerImplicit bool) error

PrepareMountpoints creates and sets permissions for empty volumes. If the mountpoint comes from a Docker image and it is an implicit empty volume, we copy files from the image to the volume, see https://docs.docker.com/engine/userguide/containers/dockervolumes/#data-volumes

func RelEnvFilePath added in v0.14.0

func RelEnvFilePath(appName types.ACName) string

RelEnvFilePath returns the path to the environment file for the given app name relative to the pod's root.

func ServiceUnitName added in v0.14.0

func ServiceUnitName(appName types.ACName) string

ServiceUnitName returns a systemd service unit name for the given app name.

func ServiceUnitPath added in v0.14.0

func ServiceUnitPath(root string, appName types.ACName) string

ServiceUnitPath returns the path to the systemd service file for the given app name.

func ServiceWantPath added in v0.14.0

func ServiceWantPath(root string, appName types.ACName) string

ServiceWantPath returns the systemd default.target want symlink path for the given app name.

func SetJournalPermissions added in v0.15.0

func SetJournalPermissions(p *stage1commontypes.Pod) error

SetJournalPermissions sets ACLs and permissions so that members of the rkt group can read the pod's journal logs.

func SocketUnitName added in v0.14.0

func SocketUnitName(appName types.ACName) string

SocketUnitName returns a systemd socket unit name for the given app name.

func SocketUnitPath added in v0.14.0

func SocketUnitPath(root string, appName types.ACName) string

SocketUnitPath returns the path to the systemd socket file for the given app name.

func SocketWantPath added in v0.14.0

func SocketWantPath(root string, appName types.ACName) string

SocketWantPath returns the systemd sockets.target.wants symlink path for the given app name.

func UseHostHosts added in v1.15.0

func UseHostHosts(podRoot string) error

UseHostHosts bind-mounts the host's /etc/hosts into the stage1's /etc/rkt-hosts. That file is then bind-mounted into the stage2 by prepare-app.c, so the pod sees the host's static name mappings.

func UseHostResolv added in v1.15.0

func UseHostResolv(podRoot string) error

UseHostResolv bind-mounts the host's /etc/resolv.conf into the stage1's /etc/rkt-resolv.conf. That file is then bind-mounted into the stage2 by prepare-app.c, so the pod uses the host's DNS resolver configuration.

func WriteDefaultTarget added in v0.14.0

func WriteDefaultTarget(p *stage1commontypes.Pod) error

WriteDefaultTarget writes the default.target unit file which is responsible for bringing up the applications

func WritePrepareAppTemplate added in v0.14.0

func WritePrepareAppTemplate(p *stage1commontypes.Pod) error

WritePrepareAppTemplate writes service unit files for preparing the pod's applications

Types

type Stage1InsecureOptions added in v1.13.0

// Stage1InsecureOptions collects the opt-in switches that turn off stage1
// hardening layers. Every field is false by default (hardening on); setting
// one to true weakens the pod's isolation and should only be done
// deliberately. The options are consumed by PodToNspawnArgs and
// PodToSystemd.
type Stage1InsecureOptions struct {
	// DisablePaths turns off the path restrictions stage1 otherwise
	// applies -- presumably the protected/read-only path set; confirm
	// against the consumer.
	DisablePaths        bool
	// DisableCapabilities leaves the apps' capability set unrestricted
	// instead of bounding it.
	DisableCapabilities bool
	// DisableSeccomp skips installing a seccomp syscall filter; the
	// default syscall lists in this package are then presumably not
	// applied -- confirm against the consumer.
	DisableSeccomp      bool
}
