Index ¶
- Constants
- Variables
- func AppAddMounts(p *stage1commontypes.Pod, ra *schema.RuntimeApp, enterCmd []string)
- func AppAddOneMount(p *stage1commontypes.Pod, ra *schema.RuntimeApp, sourcePath string, ...)
- func BindMount(source, destination string, readOnly bool) error
- func ConvertedFromDocker(im *schema.ImageManifest) bool
- func EnvFilePath(root string, appName types.ACName) string
- func EvaluateSymlinksInsideApp(appRootfs, path string) (string, error)
- func FindBinPath(p *stage1commontypes.Pod, ra *schema.RuntimeApp) (string, error)
- func GenerateMounts(ra *schema.RuntimeApp, podVolumes []types.Volume, convertedFromDocker bool) ([]mountWrapper, error)
- func GetAppHashes(p *stage1commontypes.Pod) []types.Hash
- func GetFlavor(p *stage1commontypes.Pod) (flavor string, systemdVersion int, err error)
- func GetMachineID(p *stage1commontypes.Pod) string
- func ImmutableEnv(p *stage1commontypes.Pod, interactive bool, privateUsers string, ...) error
- func InitDebug(debug bool)
- func InstantiatedPrepareAppUnitName(appName types.ACName) string
- func MutableEnv(p *stage1commontypes.Pod) error
- func PodToNspawnArgs(p *stage1commontypes.Pod, insecureOptions Stage1InsecureOptions) ([]string, error)
- func PrepareMountpoints(volPath string, targetPath string, vol *types.Volume, dockerImplicit bool) error
- func RelEnvFilePath(appName types.ACName) string
- func ServiceUnitName(appName types.ACName) string
- func ServiceUnitPath(root string, appName types.ACName) string
- func ServiceWantPath(root string, appName types.ACName) string
- func SetJournalPermissions(p *stage1commontypes.Pod) error
- func SocketUnitName(appName types.ACName) string
- func SocketUnitPath(root string, appName types.ACName) string
- func SocketWantPath(root string, appName types.ACName) string
- func TargetUnitPath(root string, name string) string
- func UseHostHosts(podRoot string) error
- func UseHostResolv(podRoot string) error
- type Stage1InsecureOptions
- type UnitWriter
- func (uw *UnitWriter) Activate(unit, wantPath string)
- func (uw *UnitWriter) AppReaperUnit(appName types.ACName, binPath string, opts ...*unit.UnitOption)
- func (uw *UnitWriter) AppUnit(ra *schema.RuntimeApp, binPath, privateUsers string, ...)
- func (uw *UnitWriter) Error() error
- func (uw *UnitWriter) WriteUnit(path string, errmsg string, opts ...*unit.UnitOption)
Constants ¶
const (
	// FlavorFile names the file storing the pod's flavor.
	FlavorFile = "flavor"
)
const MaxMilliValue = int64(((1 << 63) - 1) / 1000)
MaxMilliValue is the maximum value for the MilliValue of an appc resource limit.
const (
	// UnitsDir is the default path to the systemd unit directory.
	UnitsDir = "/usr/lib/systemd/system"
)
Variables ¶
var (
	// DockerDefaultSeccompWhitelist contains a default whitelist of syscalls,
	// used by docker for seccomp filtering.
	// See https://github.com/docker/docker/blob/master/profiles/seccomp/default.json
	// NOTE(review): the list is a copy of docker's profile at the time it was
	// imported; it does not track upstream changes automatically.
	DockerDefaultSeccompWhitelist = []string{} /* 309 elements not displayed */

	// DockerDefaultSeccompBlacklist contains a default blacklist of syscalls,
	// used by docker for seccomp filtering.
	// See https://github.com/docker/docker/blob/master/docs/security/seccomp.md
	DockerDefaultSeccompBlacklist = []string{
		"acct", "add_key", "adjtimex", "bpf", "clock_adjtime", "clock_settime",
		"create_module", "delete_module", "finit_module", "get_kernel_syms", "get_mempolicy", "init_module",
		"ioperm", "iopl", "kcmp", "kexec_file_load", "kexec_load", "keyctl",
		"lookup_dcookie", "mbind", "mount", "move_pages", "name_to_handle_at", "nfsservctl",
		"open_by_handle_at", "perf_event_open", "pivot_root", "process_vm_readv", "process_vm_writev", "ptrace",
		"query_module", "quotactl", "reboot", "request_key", "set_mempolicy", "setns",
		"settimeofday", "stime", "swapon", "swapoff", "sysfs", "_sysctl",
		"umount", "umount2", "unshare", "uselib", "userfaultfd", "ustat",
		"vm86", "vm86old",
	}

	// RktDefaultSeccompBlacklist contains a default blacklist of syscalls,
	// used by rkt for seccomp filtering.
	// NOTE(review): this is a plain slice assignment, so it aliases the same
	// backing array as DockerDefaultSeccompBlacklist; an element write through
	// one variable is visible through the other.
	RktDefaultSeccompBlacklist = DockerDefaultSeccompBlacklist

	// RktDefaultSeccompWhitelist contains a default whitelist of syscalls,
	// used by rkt for seccomp filtering.
	// NOTE(review): aliases DockerDefaultSeccompWhitelist in the same way.
	RktDefaultSeccompWhitelist = DockerDefaultSeccompWhitelist
)
var (
	// ErrTooManySeccompIsolators reports that more seccomp isolators were
	// specified than are permitted.
	ErrTooManySeccompIsolators = errors.New("too many seccomp isolators specified")
)
Functions ¶
func AppAddMounts ¶ added in v1.19.0
func AppAddMounts(p *stage1commontypes.Pod, ra *schema.RuntimeApp, enterCmd []string)
func AppAddOneMount ¶ added in v1.19.0
func AppAddOneMount(p *stage1commontypes.Pod, ra *schema.RuntimeApp, sourcePath string, dstPath string, readOnly bool, enterCmd []string)
AppAddOneMount bind-mounts "sourcePath" from the host into "dstPath" in the container.

We use the propagation mechanism of systemd-nspawn. In all systemd-nspawn containers, the directory "/run/systemd/nspawn/propagate/$MACHINE_ID" on the host propagates mounts to the directory "/run/systemd/nspawn/incoming/" in the container mount namespace. Once a bind mount is propagated, we simply move it to its correct location.

The algorithm is the same as in "machinectl bind": https://github.com/systemd/systemd/blob/v231/src/machine/machine-dbus.c#L865 except that we don't use setns() to enter the mount namespace of the pod, because Linux does not allow multithreaded applications (such as Go programs) to change mount namespaces with setns. Instead, we fork another process written in C (single-threaded) to enter the mount namespace. The command used is specified by the "enterCmd" parameter.

Users might request a bind mount to be set up read-only. This complicates things a bit because on Linux, setting up a read-only bind mount involves two mount() calls, so it is not atomic. We don't want the container to see the mount in read-write mode, even for a short time, so we don't create the bind mount directly in "/run/systemd/nspawn/propagate/$MACHINE_ID", which would propagate it immediately to the container. Instead, we create a temporary playground in "/tmp/rkt.propagate.XXXX" and create the bind mount in "/tmp/rkt.propagate.XXXX/mount" with the correct read-only attribute before moving it.

Another complication is that the playground cannot be on a shared mount, because Linux does not allow MS_MOVE to be applied to mounts with MS_SHARED parent mounts. By default, systemd mounts everything as shared, see: https://github.com/systemd/systemd/blob/v231/src/core/mount-setup.c#L392 We set up the temporary playground as a slave bind mount to avoid this limitation.
func BindMount ¶ added in v1.15.0
BindMount, well, bind mounts a source into a destination. Before mounting it does some bookkeeping: it evaluates all symlinks, ensures the source exists, and recursively creates the destination.
func ConvertedFromDocker ¶ added in v1.19.0
func ConvertedFromDocker(im *schema.ImageManifest) bool
ConvertedFromDocker determines whether an app's image has been converted from Docker. This is needed because implicit Docker empty volumes behave differently from AppC volumes.
func EnvFilePath ¶ added in v0.14.0
EnvFilePath returns the path to the environment file for the given app name.
func EvaluateSymlinksInsideApp ¶ added in v1.5.1
EvaluateSymlinksInsideApp resolves the symlinks within the given path and returns the resulting path relative to the app rootfs.
func FindBinPath ¶ added in v1.16.0
func FindBinPath(p *stage1commontypes.Pod, ra *schema.RuntimeApp) (string, error)
FindBinPath takes a binary path and returns the absolute path of the binary relative to the app rootfs. This can be passed directly to ExecStart in the app's systemd service file.
func GenerateMounts ¶
func GenerateMounts(ra *schema.RuntimeApp, podVolumes []types.Volume, convertedFromDocker bool) ([]mountWrapper, error)
GenerateMounts maps MountPoint paths to volumes, returning a list of mounts, each with a parameter indicating whether it is an implicit empty volume from a Docker image.
func GetAppHashes ¶ added in v0.14.0
func GetAppHashes(p *stage1commontypes.Pod) []types.Hash
GetAppHashes returns a list of the hashes of the apps in this pod.
func GetFlavor ¶ added in v0.14.0
func GetFlavor(p *stage1commontypes.Pod) (flavor string, systemdVersion int, err error)
GetFlavor returns the pod's flavor string together with the corresponding systemd version. If the systemd version could not be determined, it is set to 0.
func GetMachineID ¶ added in v0.14.0
func GetMachineID(p *stage1commontypes.Pod) string
GetMachineID returns the machine ID string of the pod to be passed to systemd-nspawn.
func ImmutableEnv ¶ added in v1.16.0
func ImmutableEnv(p *stage1commontypes.Pod, interactive bool, privateUsers string, insecureOptions Stage1InsecureOptions) error
func InstantiatedPrepareAppUnitName ¶ added in v0.14.0
InstantiatedPrepareAppUnitName returns the systemd service unit name for prepare-app instantiated for the given app name.
func MutableEnv ¶ added in v1.16.0
func MutableEnv(p *stage1commontypes.Pod) error
func PodToNspawnArgs ¶ added in v0.14.0
func PodToNspawnArgs(p *stage1commontypes.Pod, insecureOptions Stage1InsecureOptions) ([]string, error)
PodToNspawnArgs renders a prepared Pod as a systemd-nspawn argument list ready to be executed.
func PrepareMountpoints ¶ added in v1.1.0
func PrepareMountpoints(volPath string, targetPath string, vol *types.Volume, dockerImplicit bool) error
PrepareMountpoints creates empty volumes and sets their permissions. If the mountpoint comes from a Docker image and is an implicit empty volume, the files from the image are copied into the volume; see https://docs.docker.com/engine/userguide/containers/dockervolumes/#data-volumes
func RelEnvFilePath ¶ added in v0.14.0
RelEnvFilePath returns the path to the environment file for the given app name relative to the pod's root.
func ServiceUnitName ¶ added in v0.14.0
ServiceUnitName returns a systemd service unit name for the given app name.
func ServiceUnitPath ¶ added in v0.14.0
ServiceUnitPath returns the path to the systemd service file for the given app name.
func ServiceWantPath ¶ added in v0.14.0
ServiceWantPath returns the systemd default.target want symlink path for the given app name.
func SetJournalPermissions ¶ added in v0.15.0
func SetJournalPermissions(p *stage1commontypes.Pod) error
SetJournalPermissions sets ACLs and permissions so that the rkt group can access the pod's logs.
func SocketUnitName ¶ added in v0.14.0
SocketUnitName returns a systemd socket unit name for the given app name.
func SocketUnitPath ¶ added in v0.14.0
SocketUnitPath returns the path to the systemd socket file for the given app name.
func SocketWantPath ¶ added in v0.14.0
SocketWantPath returns the systemd sockets.target.wants symlink path for the given app name.
func TargetUnitPath ¶ added in v1.16.0
TargetUnitPath returns the path to the systemd unit file for the given target name under root.
func UseHostHosts ¶ added in v1.15.0
UseHostHosts bind-mounts the host's /etc/hosts into the stage1's /etc/rkt-hosts. That file is then bind-mounted into the stage2 by prepare-app.c.
func UseHostResolv ¶ added in v1.15.0
UseHostResolv bind-mounts the host's /etc/resolv.conf into the stage1's /etc/rkt-resolv.conf. That file is then bind-mounted into the stage2 by prepare-app.c.
Types ¶
type Stage1InsecureOptions ¶ added in v1.13.0
type UnitWriter ¶ added in v1.16.0
type UnitWriter struct {
// contains filtered or unexported fields
}
UnitWriter writes systemd units while preserving the first error that occurred. Any method of this type can be invoked multiple times without error checking: once an invocation has produced an error, every subsequent method call is skipped. The first error, if any, can be retrieved with Error().
func NewUnitWriter ¶ added in v1.16.0
func NewUnitWriter(p *stage1commontypes.Pod) *UnitWriter
NewUnitWriter returns a new UnitWriter for the given pod.
func (*UnitWriter) Activate ¶ added in v1.16.0
func (uw *UnitWriter) Activate(unit, wantPath string)
Activate activates the given unit in the given wantPath.
func (*UnitWriter) AppReaperUnit ¶ added in v1.16.0
func (uw *UnitWriter) AppReaperUnit(appName types.ACName, binPath string, opts ...*unit.UnitOption)
AppReaperUnit writes an app reaper service unit for the given app in the given path using the given unit options.
func (*UnitWriter) AppUnit ¶ added in v1.16.0
func (uw *UnitWriter) AppUnit( ra *schema.RuntimeApp, binPath, privateUsers string, insecureOptions Stage1InsecureOptions, opts ...*unit.UnitOption, )
func (*UnitWriter) Error ¶ added in v1.16.0
func (uw *UnitWriter) Error() error
Error returns the first error that occurred during earlier method invocations.
func (*UnitWriter) WriteUnit ¶ added in v1.16.0
func (uw *UnitWriter) WriteUnit(path string, errmsg string, opts ...*unit.UnitOption)
WriteUnit writes a systemd unit to the given path with the given unit options, unless a previous error occurred.