- Constants
- Variables
- func AddHostsEntry(filename string, ip string, hostname string) error
- func BindMount(mnt fs.MountUnmounter, source, destination string, readOnly bool) error
- func ConvertedFromDocker(im *schema.ImageManifest) bool
- func EnsureTargetExists(source, destination string) error
- func EnvFilePath(root string, appName types.ACName) string
- func EvaluateSymlinksInsideApp(appRootfs, path string) (string, error)
- func FindBinPath(p *stage1commontypes.Pod, ra *schema.RuntimeApp) (string, error)
- func GetAppHashes(p *stage1commontypes.Pod) []types.Hash
- func GetFlavor(p *stage1commontypes.Pod) (flavor string, systemdVersion int, err error)
- func GetMachineID(p *stage1commontypes.Pod) string
- func IOMuxDir(root string, appName types.ACName) string
- func ImmutableEnv(p *stage1commontypes.Pod) error
- func InitDebug(debug bool)
- func InstantiatedPrepareAppUnitName(appName types.ACName) string
- func MutableEnv(p *stage1commontypes.Pod) error
- func PodToNspawnArgs(p *stage1commontypes.Pod) ([]string, error)
- func PrepareMountpoints(volPath string, targetPath string, vol *types.Volume, dockerImplicit bool) error
- func RelEnvFilePath(appName types.ACName) string
- func ServiceUnitName(appName types.ACName) string
- func ServiceUnitPath(root string, appName types.ACName) string
- func ServiceWantPath(root string, appName types.ACName) string
- func SetJournalPermissions(p *stage1commontypes.Pod) error
- func SocketUnitName(appName types.ACName) string
- func SocketUnitPath(root string, appName types.ACName) string
- func SocketWantPath(root string, appName types.ACName) string
- func TargetUnitPath(root string, name string) string
- func TypedUnitPath(root string, unitName string, unitType string) string
- func UseHostHosts(mnt fs.MountUnmounter, podRoot string) error
- func UseHostResolv(mnt fs.MountUnmounter, podRoot string) error
- type Mount
- type UnitWriter
- func (uw *UnitWriter) Activate(unit, wantPath string)
- func (uw *UnitWriter) AppReaperUnit(appName types.ACName, binPath string, opts ...*unit.UnitOption)
- func (uw *UnitWriter) AppSocketUnit(appName types.ACName, binPath string, streamName string, ...)
- func (uw *UnitWriter) AppUnit(ra *schema.RuntimeApp, binPath string, opts ...*unit.UnitOption)
- func (uw *UnitWriter) Error() error
- func (uw *UnitWriter) SetupAppIO(p *stage1commontypes.Pod, ra *schema.RuntimeApp, binPath string, ...) []*unit.UnitOption
- func (uw *UnitWriter) WriteUnit(path string, errmsg string, opts ...*unit.UnitOption)
Constants ¶
const ( ModeBlacklist filterType = iota ModeWhitelist )
const (
// FlavorFile names the file storing the pod's flavor
FlavorFile = "flavor"
)
const MaxMilliValue = int64(((1 << 63) - 1) / 1000)
The maximum value for the MilliValue of an appc resource limit.
const (
// UnitsDir is the default path to systemd systemd unit directory
UnitsDir = "/usr/lib/systemd/system"
)
Variables ¶
var ( // DockerDefaultSeccompWhitelist contains a default whitelist of syscalls, // used by docker for seccomp filtering. // See https://github.com/docker/docker/blob/master/profiles/seccomp/default.json DockerDefaultSeccompWhitelist = []string{}/* 309 elements not displayed */ // DockerDefaultSeccompBlacklist contains a default blacklist of syscalls, // used by docker for seccomp filtering. // See https://github.com/docker/docker/blob/master/docs/security/seccomp.md DockerDefaultSeccompBlacklist = []string{ "acct", "add_key", "adjtimex", "bpf", "clock_adjtime", "clock_settime", "create_module", "delete_module", "finit_module", "get_kernel_syms", "get_mempolicy", "init_module", "ioperm", "iopl", "kcmp", "kexec_file_load", "kexec_load", "keyctl", "lookup_dcookie", "mbind", "mount", "move_pages", "name_to_handle_at", "nfsservctl", "open_by_handle_at", "perf_event_open", "pivot_root", "process_vm_readv", "process_vm_writev", "ptrace", "query_module", "quotactl", "reboot", "request_key", "set_mempolicy", "setns", "settimeofday", "stime", "swapon", "swapoff", "sysfs", "_sysctl", "umount", "umount2", "unshare", "uselib", "userfaultfd", "ustat", "vm86", "vm86old", } //RktDefaultSeccompArmWhitelist contains the additional needed syscalls for arm support RktDefaultSeccompArmWhitelist = []string{ "arm_fadvise64_64", "arm_sync_file_range", "breakpoint", "cacheflush", "set_tls", "sync_file_range2", } // RktDefaultSeccompBlacklist contains a default blacklist of syscalls, // used by rkt for seccomp filtering. RktDefaultSeccompBlacklist = DockerDefaultSeccompBlacklist // RktDefaultSeccompWhitelist contains a default whitelist of syscalls, // used by rkt for seccomp filtering. RktDefaultSeccompWhitelist = DockerDefaultSeccompWhitelist )
var (
ErrTooManySeccompIsolators = errors.New("too many seccomp isolators specified")
)
Functions ¶
func AddHostsEntry ¶ added in v1.23.0
AddHostsEntry adds an entry to an *existing* hosts file, appending to the existing IP if needed
func BindMount ¶ added in v1.15.0
func BindMount(mnt fs.MountUnmounter, source, destination string, readOnly bool) error
BindMount, well, bind-mounts a source into a destination. Before mounting it does some bookkeeping: it evaluates all symlinks, ensures the source exists, and recursively creates the destination.
func ConvertedFromDocker ¶ added in v1.19.0
func ConvertedFromDocker(im *schema.ImageManifest) bool
ConvertedFromDocker determines if an app's image has been converted from docker. This is needed because implicit docker empty volumes have different behavior from AppC
func EnsureTargetExists ¶ added in v1.23.0
EnsureTargetExists will recursively create a given mountpoint. If directories are created, their permissions are initialized to common.SharedVolumePerm
func EnvFilePath ¶ added in v0.14.0
EnvFilePath returns the path to the environment file for the given app name.
func EvaluateSymlinksInsideApp ¶ added in v1.5.1
EvaluateSymlinksInsideApp tries to resolve symlinks within the path. It returns the actual path relative to the app rootfs for the given path. This is needed for absolute symlinks - we are in a different rootfs.
func FindBinPath ¶ added in v1.16.0
func FindBinPath(p *stage1commontypes.Pod, ra *schema.RuntimeApp) (string, error)
FindBinPath takes a binary path and returns the absolute path of the binary relative to the app rootfs. This can be passed directly to ExecStart in the app's systemd service file.
func GetAppHashes ¶ added in v0.14.0
func GetAppHashes(p *stage1commontypes.Pod) []types.Hash
GetAppHashes returns a list of hashes of the apps in this pod
func GetFlavor ¶ added in v0.14.0
func GetFlavor(p *stage1commontypes.Pod) (flavor string, systemdVersion int, err error)
GetFlavor populates a flavor string based on the flavor itself and, respectively, the systemd version. If the systemd version couldn't be guessed, it will be set to 0.
func GetMachineID ¶ added in v0.14.0
func GetMachineID(p *stage1commontypes.Pod) string
GetMachineID returns the machine id string of the pod to be passed to systemd-nspawn
func IOMuxDir ¶ added in v1.24.0
IOMuxDir returns the path to the iottymux directory for the given app name.
func ImmutableEnv ¶ added in v1.16.0
func ImmutableEnv(p *stage1commontypes.Pod) error
func InstantiatedPrepareAppUnitName ¶ added in v0.14.0
InstantiatedPrepareAppUnitName returns the systemd service unit name for prepare-app instantiated for the given root.
func MutableEnv ¶ added in v1.16.0
func MutableEnv(p *stage1commontypes.Pod) error
func PodToNspawnArgs ¶ added in v0.14.0
func PodToNspawnArgs(p *stage1commontypes.Pod) ([]string, error)
PodToNspawnArgs renders a prepared Pod as a systemd-nspawn argument list ready to be executed
func PrepareMountpoints ¶ added in v1.1.0
func PrepareMountpoints(volPath string, targetPath string, vol *types.Volume, dockerImplicit bool) error
PrepareMountpoints creates and sets permissions for empty volumes. If the mountpoint comes from a Docker image and it is an implicit empty volume, we copy files from the image to the volume, see https://docs.docker.com/engine/userguide/containers/dockervolumes/#data-volumes
func RelEnvFilePath ¶ added in v0.14.0
RelEnvFilePath returns the path to the environment file for the given app name relative to the pod's root.
func ServiceUnitName ¶ added in v0.14.0
ServiceUnitName returns a systemd service unit name for the given app name.
func ServiceUnitPath ¶ added in v0.14.0
ServiceUnitPath returns the path to the systemd service file for the given app name.
func ServiceWantPath ¶ added in v0.14.0
ServiceWantPath returns the systemd default.target want symlink path for the given app name.
func SetJournalPermissions ¶ added in v0.15.0
func SetJournalPermissions(p *stage1commontypes.Pod) error
SetJournalPermissions sets ACLs and permissions so the rkt group can access the pod's logs
func SocketUnitName ¶ added in v0.14.0
SocketUnitName returns a systemd socket unit name for the given app name.
func SocketUnitPath ¶ added in v0.14.0
SocketUnitPath returns the path to the systemd socket file for the given app name.
func SocketWantPath ¶ added in v0.14.0
SocketWantPath returns the systemd sockets.target.wants symlink path for the given app name.
func TargetUnitPath ¶ added in v1.16.0
TargetUnitPath returns the path to the systemd target unit file for the given name.
func TypedUnitPath ¶ added in v1.24.0
TypedUnitPath returns the path to a custom-typed unit file
func UseHostHosts ¶ added in v1.15.0
func UseHostHosts(mnt fs.MountUnmounter, podRoot string) error
UseHostHosts bind-mounts the host's /etc/hosts into the stage1's /etc/rkt-hosts. That file is then bind-mounted into the stage2 by prepare-app.c.
func UseHostResolv ¶ added in v1.15.0
func UseHostResolv(mnt fs.MountUnmounter, podRoot string) error
UseHostResolv bind-mounts the host's /etc/resolv.conf into the stage1's /etc/rkt-resolv.conf. That file is then bind-mounted into the stage2 by prepare-app.c.
Types ¶
type Mount ¶ added in v1.23.0
Mount extends schema.Mount with additional rkt specific fields.
func GenerateMounts ¶
func GenerateMounts(ra *schema.RuntimeApp, podVolumes []types.Volume, convertedFromDocker bool) ([]Mount, error)
GenerateMounts maps MountPoint paths to volumes, returning a list of mounts, each with a parameter indicating if it's an implicit empty volume from a Docker image.
type UnitWriter ¶ added in v1.16.0
type UnitWriter struct {
// contains filtered or unexported fields
}
UnitWriter is the type that writes systemd units, preserving the first previously occurred error. Any method of this type can be invoked multiple times without error checking. If a previous invocation generated an error, any subsequently invoked method will be skipped. If an error occurred during method invocations, it can be retrieved using Error().
func NewUnitWriter ¶ added in v1.16.0
func NewUnitWriter(p *stage1commontypes.Pod) *UnitWriter
NewUnitWriter returns a new UnitWriter for the given pod.
func (*UnitWriter) Activate ¶ added in v1.16.0
func (uw *UnitWriter) Activate(unit, wantPath string)
Activate activates the given unit in the given wantPath.
func (*UnitWriter) AppReaperUnit ¶ added in v1.16.0
func (uw *UnitWriter) AppReaperUnit(appName types.ACName, binPath string, opts ...*unit.UnitOption)
AppReaperUnit writes an app reaper service unit for the given app in the given path using the given unit options.
func (*UnitWriter) AppSocketUnit ¶ added in v1.24.0
func (uw *UnitWriter) AppSocketUnit(appName types.ACName, binPath string, streamName string, opts ...*unit.UnitOption)
AppSocketUnit writes a stream socket unit for the given app in the given path.
func (*UnitWriter) AppUnit ¶ added in v1.16.0
func (uw *UnitWriter) AppUnit(ra *schema.RuntimeApp, binPath string, opts ...*unit.UnitOption)
AppUnit sets up the main systemd service unit for the application.
func (*UnitWriter) Error ¶ added in v1.16.0
func (uw *UnitWriter) Error() error
Error returns the first error that occurred during write* invocations.
func (*UnitWriter) SetupAppIO ¶ added in v1.24.0
func (uw *UnitWriter) SetupAppIO(p *stage1commontypes.Pod, ra *schema.RuntimeApp, binPath string, opts ...*unit.UnitOption) []*unit.UnitOption
SetupAppIO prepares all properties related to streams (stdin/stdout/stderr) and TTY for an application service unit.
It works according to the following steps:
1. short-circuit interactive pods and legacy systemd, for backward compatibility
2. parse app-level annotations to determine stdin/stdout/stderr mode
   2a. if an annotation is missing or invalid, it falls back to legacy mode (in: null, out/err: journald)
   2b. if a valid annotation is found, it prepares:
       - TTY and stream properties for the systemd service unit
       - env variables for the iottymux binary
3. if any of stdin/stdout/stderr is in TTY or streaming mode:
   3a. the env file for iottymux is written to `/rkt/iottymux/<appname>/env` with the above content
   3b. for TTY mode, a `TTYPath` property and an `After=ttymux@<appname>.service` dependency are added
   3c. for streaming mode, a `Before=iomux@<appname>.service` dependency is added
For complete details, see dev-docs at Documentation/devel/log-attach-design.md
func (*UnitWriter) WriteUnit ¶ added in v1.16.0
func (uw *UnitWriter) WriteUnit(path string, errmsg string, opts ...*unit.UnitOption)
WriteUnit writes a systemd unit in the given path with the given unit options if no previous error occurred.