specki

package v0.12.1
Published: May 6, 2021 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Overview

Package specki provides helper functions to process OCI container specs. These functions should not contain any code that is `lxcri` specific.

Index

Constants

This section is empty.

Variables

var (
	// EssentialDevices is the minimum set of device files that must exist in an OCI compliant container.
	// https://github.com/opencontainers/runtime-spec/blob/v1.0.2/config-linux.md#default-devices
	EssentialDevices = []specs.LinuxDevice{
		specs.LinuxDevice{Type: "c", Major: 1, Minor: 3, FileMode: modep(0666), Path: "/dev/null"},
		specs.LinuxDevice{Type: "c", Major: 1, Minor: 5, FileMode: modep(0666), Path: "/dev/zero"},
		specs.LinuxDevice{Type: "c", Major: 1, Minor: 7, FileMode: modep(0666), Path: "/dev/full"},
		specs.LinuxDevice{Type: "c", Major: 1, Minor: 8, FileMode: modep(0666), Path: "/dev/random"},
		specs.LinuxDevice{Type: "c", Major: 1, Minor: 9, FileMode: modep(0666), Path: "/dev/urandom"},
		specs.LinuxDevice{Type: "c", Major: 5, Minor: 0, FileMode: modep(0666), Path: "/dev/tty"},
	}

	// EssentialDevicesAllow are the cgroup device permissions required for EssentialDevices.
	EssentialDevicesAllow = []specs.LinuxDeviceCgroup{
		specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: int64p(1), Minor: int64p(3), Access: "rwm"},
		specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: int64p(1), Minor: int64p(5), Access: "rwm"},
		specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: int64p(1), Minor: int64p(7), Access: "rwm"},
		specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: int64p(1), Minor: int64p(8), Access: "rwm"},
		specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: int64p(1), Minor: int64p(9), Access: "rwm"},
		specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: int64p(5), Minor: int64p(0), Access: "rwm"},
		specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: int64p(5), Minor: int64p(2), Access: "rwm"},
		specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: int64p(88), Access: "rwm"},
	}
)

Functions

func AllowEssentialDevices

func AllowEssentialDevices(spec *specs.Spec) error

AllowEssentialDevices adds EssentialDevices to the spec and allows access to them, as required by the [runtime spec](https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#default-devices).

func BindMount

func BindMount(src string, dest string, opts ...string) specs.Mount

BindMount returns a specs.Mount that bind mounts src to dest. The given mount options opts are merged with the predefined options ("bind", "nosuid", "nodev", "relatime").

func DecodeJSONFile

func DecodeJSONFile(filename string, v interface{}) error

DecodeJSONFile reads the next JSON-encoded value from the file with the given filename and stores it in the value pointed to by v.

func EncodeJSONFile

func EncodeJSONFile(filename string, v interface{}, flags int, perm os.FileMode) error

EncodeJSONFile writes the JSON encoding of v, followed by a newline character, to the file with the given filename. The file is opened read-write with the (optional) provided flags. The permission bits perm (not affected by umask) are set after the file has been closed.

func Getenv

func Getenv(env []string, key string) (string, bool)

Getenv returns the value of the first entry in env that has the prefix key + "=", together with a boolean that reports whether such an entry was found.

func InitHook

func InitHook(r io.Reader) (rootfs string, state *specs.State, spec *specs.Spec, err error)

InitHook is a convenience function for OCI hooks. It parses specs.State from the given reader and loads specs.Spec from the specs.State.Bundle path.

func IsDeviceEnabled

func IsDeviceEnabled(spec *specs.Spec, dev specs.LinuxDevice) (bool, error)

IsDeviceEnabled checks whether the LinuxDevice dev is enabled in the Spec spec. An error is returned if the device Path matches but Type, Major or Minor do not match.
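Added example, not part of the specki package or this page: an illustrative re-implementation of the IsDeviceEnabled contract described above, run against a subset of EssentialDevices. The local LinuxDevice type and the MissingEssential helper are assumptions introduced so the code builds without the runtime-spec module; they are not specki's own code.

```go
package main

import "fmt"

// LinuxDevice stands in for specs.LinuxDevice (assumption: avoids the runtime-spec import).
type LinuxDevice struct {
	Path, Type   string
	Major, Minor int64
}

// Essential is a subset of the package's EssentialDevices.
var Essential = []LinuxDevice{
	{Path: "/dev/null", Type: "c", Major: 1, Minor: 3},
	{Path: "/dev/zero", Type: "c", Major: 1, Minor: 5},
	{Path: "/dev/urandom", Type: "c", Major: 1, Minor: 9},
}

// IsDeviceEnabled follows the documented contract: true when dev is listed with the
// same Path, Type, Major and Minor; an error when the Path is listed with a different
// identity, since another device node behind a familiar name must not pass silently.
func IsDeviceEnabled(devices []LinuxDevice, dev LinuxDevice) (bool, error) {
	for _, d := range devices {
		if d.Path != dev.Path {
			continue
		}
		if d.Type != dev.Type || d.Major != dev.Major || d.Minor != dev.Minor {
			return false, fmt.Errorf("%s is %s %d:%d in spec, expected %s %d:%d", dev.Path, d.Type, d.Major, d.Minor, dev.Type, dev.Major, dev.Minor)
		}
		return true, nil
	}
	return false, nil
}

// MissingEssential lists essential devices absent from a spec's device list and
// fails closed on the first identity mismatch.
func MissingEssential(specDevices []LinuxDevice) (missing []string, err error) {
	for _, want := range Essential {
		ok, e := IsDeviceEnabled(specDevices, want)
		if e != nil {
			return nil, e
		} else if !ok {
			missing = append(missing, want.Path)
		}
	}
	return missing, nil
}

func main() {
	spec := []LinuxDevice{{Path: "/dev/null", Type: "c", Major: 1, Minor: 3}} // constructed sample spec
	fmt.Println(MissingEssential(spec))                                       // [/dev/zero /dev/urandom] <nil>
}
```

A spec that lists /dev/urandom at 1:8 (the numbers of /dev/random) is rejected with an error rather than reported as merely missing, which is the behaviour the contract above asks for.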

func LoadSpecJSON added in v0.12.1

func LoadSpecJSON(p string) (*specs.Spec, error)

LoadSpecJSON reads the JSON encoded OCI spec from the given path. This is a convenience function for the CLI.

func LoadSpecProcessJSON added in v0.12.1

func LoadSpecProcessJSON(src string) (*specs.Process, error)

LoadSpecProcessJSON reads the JSON encoded OCI spec process definition from the given path. This is a convenience function for the CLI.

func LoadSpecStateJSON

func LoadSpecStateJSON(filename string) (*specs.State, error)

LoadSpecStateJSON parses specs.State from the JSON encoded file filename.

func NewSpec

func NewSpec(rootfs string, cmd string, args ...string) *specs.Spec

NewSpec returns a minimal specs.Spec instance, which is required to run the given process within a container using the given rootfs. NOTE: the /proc and /dev directories must exist within the given rootfs.

func NewSpecProcess

func NewSpecProcess(cmd string, args ...string) *specs.Process

NewSpecProcess creates a specs.Process instance from the given command cmd and the command arguments args.

func ReadSpecStateJSON

func ReadSpecStateJSON(r io.Reader) (*specs.State, error)

ReadSpecStateJSON parses the JSON encoded specs.State from the given reader.

func RunHook

func RunHook(ctx context.Context, stateJSON []byte, hook specs.Hook) error

RunHook executes the command defined by the given hook. The given runtime state is passed over stdin to the executed command. The command is executed with the given context ctx, or with a sub-context derived from it if Hook.Timeout is not nil.

func RunHooks

func RunHooks(ctx context.Context, state *specs.State, hooks []specs.Hook, continueOnError bool) error

RunHooks calls RunHook for each of the given runtime hooks. The given runtime state is serialized as JSON and passed to each RunHook call.

func Setenv

func Setenv(env []string, val string, overwrite bool) ([]string, bool)

Setenv adds the given variable to the environment env. The variable is only added if it is not yet defined or if overwrite is set to true. Setenv returns the modified environment, together with true if the variable was already defined and false otherwise.

func UnmapContainerID

func UnmapContainerID(id uint32, idmaps []specs.LinuxIDMapping) uint32

UnmapContainerID returns the (user/group) ID to which the given ID is mapped by the given idmaps. The returned ID is equal to the given ID if it is not covered by any of the given idmaps.
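Added example, not part of the specki package or this page: an illustrative re-implementation of the UnmapContainerID contract above for a rootless-style user namespace mapping. The local LinuxIDMapping type and the LookupHostID and MapsToHostRoot helpers are assumptions introduced so the code builds without the runtime-spec module; they are not specki's own code.

```go
package main

import "fmt"

// LinuxIDMapping stands in for specs.LinuxIDMapping (assumption: avoids the runtime-spec import).
type LinuxIDMapping struct {
	ContainerID, HostID, Size uint32
}

// LookupHostID translates a container-side uid/gid through idmaps and reports
// whether any range covered it; an unmapped id has no host identity at all.
func LookupHostID(id uint32, idmaps []LinuxIDMapping) (uint32, bool) {
	for _, m := range idmaps {
		if id >= m.ContainerID && id-m.ContainerID < m.Size {
			return m.HostID + (id - m.ContainerID), true
		}
	}
	return 0, false
}

// UnmapContainerID follows the documented contract: the mapped host id, or the
// given id unchanged when no range covers it.
func UnmapContainerID(id uint32, idmaps []LinuxIDMapping) uint32 {
	if host, ok := LookupHostID(id, idmaps); ok {
		return host
	}
	return id
}

// MapsToHostRoot reports whether a container id lands on host uid/gid 0, which a
// least-privilege setup wants to know before chowning bundle files to that id.
func MapsToHostRoot(id uint32, idmaps []LinuxIDMapping) bool {
	host, ok := LookupHostID(id, idmaps)
	return ok && host == 0
}

func main() {
	// Constructed mapping in the shape of a rootless user namespace: container root
	// is the unprivileged host user 1000, ids 1..65536 come from a subordinate range.
	rootless := []LinuxIDMapping{
		{ContainerID: 0, HostID: 1000, Size: 1},
		{ContainerID: 1, HostID: 100000, Size: 65536},
	}
	for _, id := range []uint32{0, 1000, 65536, 70000} {
		host, mapped := LookupHostID(id, rootless)
		fmt.Printf("container %5d -> host %6d mapped=%v unmap=%d\n", id, host, mapped, UnmapContainerID(id, rootless))
	}
}
```

Because UnmapContainerID hands an unmapped id back unchanged, a caller cannot tell "mapped to itself" from "not mapped at all"; the boolean from LookupHostID makes that distinction explicit when the result is used for ownership decisions on the host.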

Types

This section is empty.
