Documentation ¶
Overview ¶
Package libcontainer provides a native Go implementation for creating containers with namespaces, cgroups, capabilities, and filesystem access controls. It allows you to manage the lifecycle of the container performing additional operations after the container is created.
Index ¶
- Constants
- Variables
- func Init()
- type BaseState
- type Boolmsg
- type Bytemsg
- type Container
- func (c *Container) Checkpoint(criuOpts *CriuOpts) error
- func (c *Container) Config() configs.Config
- func (c *Container) Destroy() error
- func (c *Container) Exec() error
- func (c *Container) ID() string
- func (c *Container) NotifyMemoryPressure(level PressureLevel) (<-chan struct{}, error)
- func (c *Container) NotifyOOM() (<-chan struct{}, error)
- func (c *Container) OCIState() (*specs.State, error)
- func (c *Container) Pause() error
- func (c *Container) Processes() ([]int, error)
- func (c *Container) Restore(process *Process, criuOpts *CriuOpts) error
- func (c *Container) Resume() error
- func (c *Container) Run(process *Process) error
- func (c *Container) Set(config configs.Config) error
- func (c *Container) Signal(s os.Signal) error
- func (c *Container) Start(process *Process) error
- func (c *Container) State() (*State, error)
- func (c *Container) Stats() (*Stats, error)
- func (c *Container) Status() (Status, error)
- type CriuOpts
- type CriuPageServerInfo
- type IO
- type Int32msg
- type PressureLevel
- type Process
- type State
- type Stats
- type Status
- type VethPairName
Constants ¶
const ( InitMsg uint16 = 62000 CloneFlagsAttr uint16 = 27281 NsPathsAttr uint16 = 27282 UidmapAttr uint16 = 27283 GidmapAttr uint16 = 27284 SetgroupAttr uint16 = 27285 OomScoreAdjAttr uint16 = 27286 RootlessEUIDAttr uint16 = 27287 UidmapPathAttr uint16 = 27288 GidmapPathAttr uint16 = 27289 MountSourcesAttr uint16 = 27290 IdmapSourcesAttr uint16 = 27291 )
list of known message types we want to send to bootstrap program The number is randomly chosen to not conflict with known netlink types
Variables ¶
var ( ErrExist = errors.New("container with given ID already exists") ErrInvalidID = errors.New("invalid container ID format") ErrNotExist = errors.New("container does not exist") ErrPaused = errors.New("container paused") ErrRunning = errors.New("container still running") ErrNotRunning = errors.New("container not running") ErrNotPaused = errors.New("container not paused") )
Functions ¶
Types ¶
type BaseState ¶
type BaseState struct { // ID is the container ID. ID string `json:"id"` // InitProcessPid is the init process id in the parent namespace. InitProcessPid int `json:"init_process_pid"` // InitProcessStartTime is the init process start time in clock cycles since boot time. InitProcessStartTime uint64 `json:"init_process_start"` // Created is the unix timestamp for the creation time of the container in UTC Created time.Time `json:"created"` // Config is the container's configuration. Config configs.Config `json:"config"` }
BaseState represents the platform agnostic pieces relating to a running container's state
type Bytemsg ¶
Bytemsg has the following representation | nlattr len | nlattr type | | value | pad |
type Container ¶
type Container struct {
// contains filtered or unexported fields
}
Container is a libcontainer container object.
func Create ¶
Create creates a new container with the given id inside a given state directory (root), and returns a Container object.
The root is a state directory which many containers can share. It can be used later to get the list of containers, or to get information about a particular container (see Load).
The id must not be empty and consist of only the following characters: ASCII letters, digits, underscore, plus, minus, period. The id must be unique and non-existent for the given root path.
func Load ¶
Load takes a path to the state directory (root) and an id of an existing container, and returns a Container object reconstructed from the saved state. This presents a read only view of the container.
func (*Container) Checkpoint ¶
func (*Container) Destroy ¶
Destroy destroys the container, if its in a valid state.
Any event registrations are removed before the container is destroyed. No error is returned if the container is already destroyed.
Running containers must first be stopped using Signal. Paused containers must first be resumed using Resume.
func (*Container) Exec ¶
Exec signals the container to exec the users process at the end of the init.
func (*Container) NotifyMemoryPressure ¶
func (c *Container) NotifyMemoryPressure(level PressureLevel) (<-chan struct{}, error)
NotifyMemoryPressure returns a read-only channel signaling when the container reaches a given pressure level.
func (*Container) NotifyOOM ¶
NotifyOOM returns a read-only channel signaling when the container receives an OOM notification.
func (*Container) Pause ¶
Pause pauses the container, if its state is RUNNING or CREATED, changing its state to PAUSED. If the state is already PAUSED, does nothing.
func (*Container) Processes ¶
Processes returns the PIDs inside this container. The PIDs are in the namespace of the calling process.
Some of the returned PIDs may no longer refer to processes in the container, unless the container state is PAUSED in which case every PID in the slice is valid.
func (*Container) Restore ¶
Restore restores the checkpointed container to a running state using the criu(8) utility.
func (*Container) Resume ¶
Resume resumes the execution of any user processes in the container before setting the container state to RUNNING. This is only performed if the current state is PAUSED. If the Container state is RUNNING, does nothing.
func (*Container) Run ¶
Run immediately starts the process inside the container. Returns an error if the process fails to start. It does not block waiting for the exec fifo after start returns but opens the fifo after start returns.
func (*Container) Set ¶
Set resources of container as configured. Can be used to change resources when the container is running.
func (*Container) Signal ¶
Signal sends a specified signal to container's init.
When s is SIGKILL and the container does not have its own PID namespace, all the container's processes are killed. In this scenario, the libcontainer user may be required to implement a proper child reaper.
func (*Container) Start ¶
Start starts a process inside the container. Returns error if process fails to start. You can track process lifecycle with passed Process structure.
type CriuOpts ¶
type CriuOpts struct { ImagesDirectory string // directory for storing image files WorkDirectory string // directory to cd and write logs/pidfiles/stats to ParentImage string // directory for storing parent image files in pre-dump and dump LeaveRunning bool // leave container in running state after checkpoint TcpEstablished bool // checkpoint/restore established TCP connections ExternalUnixConnections bool // allow external unix connections ShellJob bool // allow to dump and restore shell jobs FileLocks bool // handle file locks, for safety PreDump bool // call criu predump to perform iterative checkpoint PageServer CriuPageServerInfo // allow to dump to criu page server VethPairs []VethPairName // pass the veth to criu when restore ManageCgroupsMode criu.CriuCgMode // dump or restore cgroup mode EmptyNs uint32 // don't c/r properties for namespace from this mask AutoDedup bool // auto deduplication for incremental dumps LazyPages bool // restore memory pages lazily using userfaultfd StatusFd int // fd for feedback when lazy server is ready LsmProfile string // LSM profile used to restore the container LsmMountContext string // LSM mount context value to use during restore }
type CriuPageServerInfo ¶
type IO ¶
type IO struct { Stdin io.WriteCloser Stdout io.ReadCloser Stderr io.ReadCloser }
IO holds the process's STDIO
type PressureLevel ¶
type PressureLevel uint
const ( LowPressure PressureLevel = iota MediumPressure CriticalPressure )
type Process ¶
type Process struct { // The command to be run followed by any arguments. Args []string // Env specifies the environment variables for the process. Env []string // User will set the uid and gid of the executing process running inside the container // local to the container's user and group configuration. User string // AdditionalGroups specifies the gids that should be added to supplementary groups // in addition to those that the user belongs to. AdditionalGroups []string // Cwd will change the processes current working directory inside the container's rootfs. Cwd string // Stdin is a pointer to a reader which provides the standard input stream. Stdin io.Reader // Stdout is a pointer to a writer which receives the standard output stream. Stdout io.Writer // Stderr is a pointer to a writer which receives the standard error stream. Stderr io.Writer // ExtraFiles specifies additional open files to be inherited by the container ExtraFiles []*os.File // Initial sizings for the console ConsoleWidth uint16 ConsoleHeight uint16 // Capabilities specify the capabilities to keep when executing the process inside the container // All capabilities not specified will be dropped from the processes capability mask Capabilities *configs.Capabilities // AppArmorProfile specifies the profile to apply to the process and is // changed at the time the process is execed AppArmorProfile string // Label specifies the label to apply to the process. It is commonly used by selinux Label string // NoNewPrivileges controls whether processes can gain additional privileges. NoNewPrivileges *bool // Rlimits specifies the resource limits, such as max open files, to set in the container // If Rlimits are not set, the container will inherit rlimits from the parent process Rlimits []configs.Rlimit // ConsoleSocket provides the masterfd console. ConsoleSocket *os.File // Init specifies whether the process is the first process in the container. Init bool // LogLevel is a string containing a numeric representation of the current // log level (i.e. "4", but never "info"). It is passed on to runc init as // _LIBCONTAINER_LOGLEVEL environment variable. LogLevel string // SubCgroupPaths specifies sub-cgroups to run the process in. // Map keys are controller names, map values are paths (relative to // container's top-level cgroup). // // If empty, the default top-level container's cgroup is used. // // For cgroup v2, the only key allowed is "". SubCgroupPaths map[string]string // contains filtered or unexported fields }
Process specifies the configuration and IO for a process inside a container.
func (*Process) InitializeIO ¶
InitializeIO creates pipes for use with the process's stdio and returns the opposite side for each. Do not use this if you want to have a pseudoterminal set up for you by libcontainer (TODO: fix that too). TODO: This is mostly unnecessary, and should be handled by clients.
type State ¶
type State struct { BaseState // Specified if the container was started under the rootless mode. // Set to true if BaseState.Config.RootlessEUID && BaseState.Config.RootlessCgroups Rootless bool `json:"rootless"` // Paths to all the container's cgroups, as returned by (*cgroups.Manager).GetPaths // // For cgroup v1, a key is cgroup subsystem name, and the value is the path // to the cgroup for this subsystem. // // For cgroup v2 unified hierarchy, a key is "", and the value is the unified path. CgroupPaths map[string]string `json:"cgroup_paths"` // NamespacePaths are filepaths to the container's namespaces. Key is the namespace type // with the value as the path. NamespacePaths map[configs.NamespaceType]string `json:"namespace_paths"` // Container's standard descriptors (std{in,out,err}), needed for checkpoint and restore ExternalDescriptors []string `json:"external_descriptors,omitempty"` // Intel RDT "resource control" filesystem path IntelRdtPath string `json:"intel_rdt_path"` }
State represents a running container's state
type Status ¶
type Status int
Status is the status of a container.
const ( // Created is the status that denotes the container exists but has not been run yet. Created Status = iota // Running is the status that denotes the container exists and is running. Running // Paused is the status that denotes the container exists, but all its processes are paused. Paused // Stopped is the status that denotes the container does not have a created or running process. Stopped )
type VethPairName ¶
Source Files ¶
- console_linux.go
- container.go
- container_linux.go
- criu_linux.go
- criu_opts_linux.go
- eaccess_stub.go
- error.go
- factory_linux.go
- init_linux.go
- message_linux.go
- mount_linux.go
- network_linux.go
- notify_linux.go
- notify_v2_linux.go
- process.go
- process_linux.go
- restored_process.go
- rootfs_linux.go
- setns_init_linux.go
- standard_init_linux.go
- state_linux.go
- stats_linux.go
- sync.go
Directories ¶
Path | Synopsis |
---|---|
devices
Implements creation of eBPF device filter program.
|
Implements creation of eBPF device filter program. |
integration is used for integration testing of libcontainer
|
integration is used for integration testing of libcontainer |
Package specconv implements conversion of specifications to libcontainer configurations
|
Package specconv implements conversion of specifications to libcontainer configurations |