Documentation ¶
Index ¶
- Variables
- func GenerateSpec(ctx context.Context, client Client, c *containers.Container, opts ...SpecOpts) (*specs.Spec, error)
- func WithHostHostsFile(_ context.Context, _ Client, _ *containers.Container, s *specs.Spec) error
- func WithHostLocaltime(_ context.Context, _ Client, _ *containers.Container, s *specs.Spec) error
- func WithHostResolvconf(_ context.Context, _ Client, _ *containers.Container, s *specs.Spec) error
- func WithNewPrivileges(_ context.Context, _ Client, _ *containers.Container, s *specs.Spec) error
- func WithNoNewPrivileges(_ context.Context, _ Client, _ *containers.Container, s *specs.Spec) error
- func WithSeccompUnconfined(_ context.Context, _ Client, _ *containers.Container, s *specs.Spec) error
- func WithTTY(_ context.Context, _ Client, _ *containers.Container, s *specs.Spec) error
- func WithWriteableCgroupfs(_ context.Context, _ Client, _ *containers.Container, s *specs.Spec) error
- func WithWriteableSysfs(_ context.Context, _ Client, _ *containers.Container, s *specs.Spec) error
- type Client
- type Image
- type SpecOpts
- func Compose(opts ...SpecOpts) SpecOpts
- func WithAdditionalGIDs(userstr string) SpecOpts
- func WithApparmorProfile(profile string) SpecOpts
- func WithCapabilities(caps []string) SpecOpts
- func WithCgroup(path string) SpecOpts
- func WithEnv(environmentVariables []string) SpecOpts
- func WithHostNamespace(ns specs.LinuxNamespaceType) SpecOpts
- func WithHostname(name string) SpecOpts
- func WithImageConfig(image Image) SpecOpts
- func WithLinuxNamespace(ns specs.LinuxNamespace) SpecOpts
- func WithMaskedPaths(paths []string) SpecOpts
- func WithMounts(mounts []specs.Mount) SpecOpts
- func WithNamespacedCgroup() SpecOpts
- func WithProcessArgs(args ...string) SpecOpts
- func WithProcessCwd(cwd string) SpecOpts
- func WithReadonlyPaths(paths []string) SpecOpts
- func WithRootFSPath(path string) SpecOpts
- func WithRootFSReadonly() SpecOpts
- func WithSelinuxLabel(label string) SpecOpts
- func WithUIDGID(uid, gid uint32) SpecOpts
- func WithUser(userstr string) SpecOpts
- func WithUserID(uid uint32) SpecOpts
- func WithUserNamespace(container, host, size uint32) SpecOpts
- func WithUsername(username string) SpecOpts
Constants ¶
This section is empty.
Variables ¶
var WithAllCapabilities = WithCapabilities(getAllCapabilities())
WithAllCapabilities sets all Linux capabilities for the process
var WithPrivileged = Compose(
	WithAllCapabilities,
	WithMaskedPaths(nil),
	WithReadonlyPaths(nil),
	WithWriteableSysfs,
	WithWriteableCgroupfs,
	WithSelinuxLabel(""),
	WithApparmorProfile(""),
	WithSeccompUnconfined,
)
WithPrivileged sets up options for a privileged container: it grants every Linux capability, clears the masked and read-only path lists, makes sysfs and cgroupfs mounts writable, and removes the SELinux label, the AppArmor profile and the seccomp filter. It does not add host devices to the spec. TODO(justincormack): device handling
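As an added illustration of what the options composed into WithPrivileged take away, here is a small stand-alone audit (example code written for this page, not part of containerd) that reads a serialized OCI runtime spec, the config.json a generated spec becomes, and reports each privileged characteristic it finds. The Spec struct is a local subset of the runtime-spec schema rather than the containerd or runtime-spec types, and both sample specs are constructed for the example, not real GenerateSpec output.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the OCI runtime spec (config.json) that the audit reads; the JSON
// tags follow the opencontainers/runtime-spec schema a generated spec is serialized to.
type Spec struct {
	Process *struct {
		NoNewPrivileges bool `json:"noNewPrivileges"`
		Capabilities    *struct {
			Bounding []string `json:"bounding"`
		} `json:"capabilities"`
	} `json:"process"`
	Mounts []struct {
		Destination string   `json:"destination"`
		Type        string   `json:"type"`
		Options     []string `json:"options"`
	} `json:"mounts"`
	Linux *struct {
		MaskedPaths   []string        `json:"maskedPaths"`
		ReadonlyPaths []string        `json:"readonlyPaths"`
		Seccomp       json.RawMessage `json:"seccomp"`
	} `json:"linux"`
}

func contains(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

// AuditSpec parses a serialized spec and returns its privilege-relevant findings
// in a fixed order; each check corresponds to one option WithPrivileged composes.
func AuditSpec(configJSON []byte) ([]string, error) {
	var s Spec
	if err := json.Unmarshal(configJSON, &s); err != nil {
		return nil, fmt.Errorf("parsing spec: %w", err)
	}
	var f []string
	if s.Process != nil {
		if s.Process.Capabilities != nil && contains(s.Process.Capabilities.Bounding, "CAP_SYS_ADMIN") {
			f = append(f, "CAP_SYS_ADMIN in bounding set") // WithAllCapabilities
		}
		if !s.Process.NoNewPrivileges {
			f = append(f, "noNewPrivileges not set") // setuid/file-capability gains allowed
		}
	}
	for _, m := range s.Mounts { // WithWriteableSysfs / WithWriteableCgroupfs drop "ro"
		if (m.Type == "sysfs" || m.Type == "cgroup") && !contains(m.Options, "ro") {
			f = append(f, m.Type+" mounted read-write at "+m.Destination)
		}
	}
	if s.Linux != nil {
		if len(s.Linux.MaskedPaths) == 0 {
			f = append(f, "no masked paths") // WithMaskedPaths(nil)
		}
		if len(s.Linux.ReadonlyPaths) == 0 {
			f = append(f, "no read-only paths") // WithReadonlyPaths(nil)
		}
		if len(s.Linux.Seccomp) == 0 {
			f = append(f, "no seccomp profile") // WithSeccompUnconfined
		}
	}
	return f, nil
}

// Constructed samples, not real GenerateSpec output: the first resembles a spec
// after WithPrivileged, the second the same spec with its protections in place.
const privilegedSpec = `{
 "process": {"capabilities": {"bounding": ["CAP_CHOWN","CAP_SYS_ADMIN","CAP_SYS_MODULE"]}},
 "mounts": [{"destination":"/sys","type":"sysfs","options":["nosuid","noexec","nodev"]},
            {"destination":"/sys/fs/cgroup","type":"cgroup","options":["nosuid","noexec","nodev","relatime"]}],
 "linux": {}
}`

const confinedSpec = `{
 "process": {"noNewPrivileges": true, "capabilities": {"bounding": ["CAP_CHOWN","CAP_NET_BIND_SERVICE"]}},
 "mounts": [{"destination":"/sys","type":"sysfs","options":["nosuid","noexec","nodev","ro"]},
            {"destination":"/sys/fs/cgroup","type":"cgroup","options":["nosuid","noexec","nodev","relatime","ro"]}],
 "linux": {"maskedPaths": ["/proc/kcore"], "readonlyPaths": ["/proc/sys"],
           "seccomp": {"defaultAction": "SCMP_ACT_ERRNO"}}
}`

func main() {
	for _, spec := range []string{privilegedSpec, confinedSpec} {
		findings, err := AuditSpec([]byte(spec))
		if err != nil {
			panic(err)
		}
		fmt.Println(len(findings), "findings:", findings)
	}
}
```

The audit reports absence (no seccomp profile, no masked paths) rather than presence on purpose: a spec that never had those protections added reads the same as one where WithPrivileged stripped them, and the fields above cannot tell the two apart. Device handling, the TODO noted above, does not show up in these fields at all.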
Functions ¶
func GenerateSpec ¶
func GenerateSpec(ctx context.Context, client Client, c *containers.Container, opts ...SpecOpts) (*specs.Spec, error)
GenerateSpec generates a default spec and applies the provided SpecOpts to it, for use as a containerd container. The opts are applied in the order given, so a later option can override what an earlier one set.
func WithHostHostsFile ¶
WithHostHostsFile bind-mounts the host's /etc/hosts into the container as readonly
func WithHostLocaltime ¶
WithHostLocaltime bind-mounts the host's /etc/localtime into the container as readonly
func WithHostResolvconf ¶
WithHostResolvconf bind-mounts the host's /etc/resolv.conf into the container as readonly
func WithNewPrivileges ¶ added in v1.1.4
WithNewPrivileges turns off the NoNewPrivileges flag in the spec, so the process can again gain privileges across execve through setuid/setgid binaries and file capabilities.
func WithNoNewPrivileges ¶
WithNoNewPrivileges sets no_new_privileges on the process for the container, so that execve cannot grant it privileges it does not already hold (setuid/setgid bits and file capabilities are ignored).
func WithSeccompUnconfined ¶ added in v1.1.0
func WithSeccompUnconfined(_ context.Context, _ Client, _ *containers.Container, s *specs.Spec) error
WithSeccompUnconfined clears the seccomp profile, so the task runs with no syscall filter.
func WithTTY ¶
WithTTY sets the information on the spec as well as the environment variables for using a TTY
func WithWriteableCgroupfs ¶ added in v1.1.0
func WithWriteableCgroupfs(_ context.Context, _ Client, _ *containers.Container, s *specs.Spec) error
WithWriteableCgroupfs makes any cgroup mounts writeable
func WithWriteableSysfs ¶ added in v1.1.0
WithWriteableSysfs makes any sysfs mounts writeable
Types ¶
type Client ¶
type Client interface {
SnapshotService(snapshotterName string) snapshots.Snapshotter
}
Client is the interface used by SpecOpts that need access to the container's snapshot (for example, to read files from the image's root filesystem).
type Image ¶
type Image interface {
	// Config descriptor for the image.
	Config(ctx context.Context) (ocispec.Descriptor, error)
	// ContentStore provides a content store which contains image blob data
	ContentStore() content.Store
}
Image interface used by some SpecOpt to query image configuration
type SpecOpts ¶
SpecOpts sets spec specific information to a newly generated OCI spec
func Compose ¶ added in v1.1.0
Compose converts a sequence of spec operations into a single operation
func WithAdditionalGIDs ¶ added in v1.1.4
WithAdditionalGIDs sets the OCI spec's additionalGids array to the additional groups listed for a particular user in the /etc/group file of the image's root filesystem. The passed-in user can be either a uid or a username.
func WithApparmorProfile ¶ added in v1.1.0
WithApparmorProfile sets the Apparmor profile for the process
func WithCapabilities ¶ added in v1.1.0
WithCapabilities sets Linux capabilities on the process
func WithHostNamespace ¶
func WithHostNamespace(ns specs.LinuxNamespaceType) SpecOpts
WithHostNamespace allows a task to run inside the host's Linux namespace of the given type: it removes that namespace type from the spec, so the runtime does not create a private one and the task inherits the host's. Sharing the host network, PID or IPC namespace gives up the isolation that namespace provides, so pair it with a restricted capability set.
func WithHostname ¶
WithHostname sets the container's hostname
func WithImageConfig ¶
WithImageConfig configures the spec from the configuration of an Image
func WithLinuxNamespace ¶
func WithLinuxNamespace(ns specs.LinuxNamespace) SpecOpts
WithLinuxNamespace uses the passed-in namespace for the spec. If a namespace of the same type already exists in the spec, the existing namespace is replaced by the one provided.
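To make the replace-versus-remove semantics of WithLinuxNamespace and WithHostNamespace concrete, and to show why the order of options handed to Compose matters, here is an added example written for this page (not containerd's code): a minimal model of the spec's namespace list with the two options and Compose reimplemented over it. The LinuxNamespace and Spec types, the five-namespace starting set in DefaultSpec, and the paths /proc/1234/ns/pid and /var/run/netns/app are assumptions made for the example; the option signature drops the context, client and container parameters the real SpecOpts take.

```go
package main

import "fmt"

// Minimal stand-ins for specs.LinuxNamespace and the one spec field the two
// namespace options touch; these are not the containerd or runtime-spec types.
type LinuxNamespace struct {
	Type string // "pid", "network", "ipc", "uts", "mount", "user" or "cgroup"
	Path string // empty: create a new namespace; otherwise join the one at Path
}

type Spec struct {
	Namespaces []LinuxNamespace
}

// SpecOpts keeps the page's option shape minus the context, client and
// container parameters, which the namespace logic never needs.
type SpecOpts func(s *Spec) error

// Compose applies the options in order and stops at the first error, so the
// last option that touches a field wins.
func Compose(opts ...SpecOpts) SpecOpts {
	return func(s *Spec) error {
		for _, o := range opts {
			if err := o(s); err != nil {
				return err
			}
		}
		return nil
	}
}

// WithLinuxNamespace replaces an existing entry of the same type in place and
// appends when there is none, as the doc comment for the real option states.
func WithLinuxNamespace(ns LinuxNamespace) SpecOpts {
	return func(s *Spec) error {
		for i, n := range s.Namespaces {
			if n.Type == ns.Type {
				s.Namespaces[i] = ns
				return nil
			}
		}
		s.Namespaces = append(s.Namespaces, ns)
		return nil
	}
}

// WithHostNamespace removes the entry of the given type; with no entry the
// runtime does not unshare that namespace, so the task keeps the host's.
// Removing a type that is already absent is a no-op.
func WithHostNamespace(t string) SpecOpts {
	return func(s *Spec) error {
		kept := s.Namespaces[:0]
		for _, n := range s.Namespaces {
			if n.Type != t {
				kept = append(kept, n)
			}
		}
		s.Namespaces = kept
		return nil
	}
}

// DefaultSpec is the assumed starting point: private pid, ipc, uts, mount and
// network namespaces, each with an empty Path.
func DefaultSpec() *Spec {
	return &Spec{Namespaces: []LinuxNamespace{
		{Type: "pid"}, {Type: "ipc"}, {Type: "uts"}, {Type: "mount"}, {Type: "network"},
	}}
}

// Lookup returns the entry of the given type, if the spec still has one.
func Lookup(s *Spec, t string) (LinuxNamespace, bool) {
	for _, n := range s.Namespaces {
		if n.Type == t {
			return n, true
		}
	}
	return LinuxNamespace{}, false
}

func main() {
	s := DefaultSpec()
	// Share the host network and join an existing pid namespace instead of a new one.
	err := Compose(
		WithHostNamespace("network"),
		WithLinuxNamespace(LinuxNamespace{Type: "pid", Path: "/proc/1234/ns/pid"}),
	)(s)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", s.Namespaces)

	// Order matters: the same two options reversed leave the network namespace out.
	s2 := DefaultSpec()
	_ = Compose(
		WithLinuxNamespace(LinuxNamespace{Type: "network", Path: "/var/run/netns/app"}),
		WithHostNamespace("network"),
	)(s2)
	_, hasNet := Lookup(s2, "network")
	fmt.Println("network namespace present after reversed order:", hasNet)
}
```

The second run in main is the case to watch in real option lists: WithHostNamespace placed after a WithLinuxNamespace of the same type silently discards the namespace the earlier option set, and nothing in the spec records that it happened.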
func WithMaskedPaths ¶ added in v1.1.0
WithMaskedPaths sets the masked paths option (Linux.MaskedPaths), replacing any existing list. Passing nil, as WithPrivileged does, leaves nothing masked.
func WithMounts ¶ added in v1.1.0
WithMounts appends mounts
func WithNamespacedCgroup ¶
func WithNamespacedCgroup() SpecOpts
WithNamespacedCgroup uses the containerd namespace set on the context as the root cgroup directory for containers, with the container id as the sub-cgroup.
func WithProcessArgs ¶
WithProcessArgs replaces the args on the generated spec
func WithProcessCwd ¶
WithProcessCwd replaces the current working directory on the generated spec
func WithReadonlyPaths ¶ added in v1.1.0
WithReadonlyPaths sets the read-only paths option (Linux.ReadonlyPaths), replacing any existing list. Passing nil, as WithPrivileged does, leaves nothing read-only.
func WithRootFSPath ¶
WithRootFSPath specifies unmanaged rootfs path.
func WithRootFSReadonly ¶
func WithRootFSReadonly() SpecOpts
WithRootFSReadonly sets specs.Root.Readonly to true
func WithSelinuxLabel ¶ added in v1.1.0
WithSelinuxLabel sets the process SELinux label
func WithUIDGID ¶
WithUIDGID allows the UID and GID for the Process to be set
func WithUser ¶ added in v1.1.0
WithUser sets the user to be used within the container. It accepts a valid user string in OCI Image Spec v1.0.0:
user, uid, user:group, uid:gid, uid:group, user:gid
func WithUserID ¶
WithUserID sets the correct UID and GID for the container based on the image's /etc/passwd contents. If /etc/passwd does not exist, or the uid is not found in /etc/passwd, it sets the requested uid with gid 0 and does not return an error, so an unknown uid silently ends up in the root group.
func WithUserNamespace ¶
WithUserNamespace sets the uid and gid mappings for the task (container id, host id and range size). It can be called multiple times to add more mappings to the generated spec.
func WithUsername ¶
WithUsername sets the correct UID and GID for the container based on the image's /etc/passwd contents. If /etc/passwd does not exist, or the username is not found in /etc/passwd, it returns an error.
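The user options above differ in how they handle a lookup that fails, and WithAdditionalGIDs consults a second file. The following added example (written for this page, not containerd's implementation) models those documented behaviours against constructed /etc/passwd and /etc/group contents: ResolveUID follows WithUserID's gid-0 fallback, ResolveUsername follows WithUsername's error, and AdditionalGIDs follows WithAdditionalGIDs. The file contents, the function names, and the two details the comment on AdditionalGIDs marks as assumed are the example's own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed stand-ins for the image rootfs's /etc/passwd and /etc/group.
const samplePasswd = `root:x:0:0:root:/root:/bin/sh
app:x:1000:1000:app:/home/app:/bin/sh
nobody:x:65534:65534:nobody:/:/sbin/nologin`

const sampleGroup = `root:x:0:
app:x:1000:
docker:x:998:app
audio:x:29:app,nobody`

type passwdEntry struct{ Name string; UID, GID uint32 }

func parseID(s string) (uint32, bool) {
	v, err := strconv.ParseUint(s, 10, 32)
	return uint32(v), err == nil
}

// records splits a colon-separated file into fields, skipping malformed lines.
func records(data string) [][]string {
	var out [][]string
	for _, line := range strings.Split(data, "\n") {
		if f := strings.Split(line, ":"); len(f) >= 4 && f[0] != "" {
			out = append(out, f)
		}
	}
	return out
}

func parsePasswd(data string) []passwdEntry {
	var out []passwdEntry
	for _, f := range records(data) {
		uid, okU := parseID(f[2])
		gid, okG := parseID(f[3])
		if okU && okG {
			out = append(out, passwdEntry{f[0], uid, gid})
		}
	}
	return out
}

// ResolveUID models WithUserID: a uid present in passwd takes that entry's gid; a
// missing passwd (pass "") or an unknown uid keeps the uid and silently gets gid 0.
func ResolveUID(passwd string, uid uint32) (uint32, uint32) {
	for _, e := range parsePasswd(passwd) {
		if e.UID == uid {
			return e.UID, e.GID
		}
	}
	return uid, 0
}

// ResolveUsername models WithUsername: an unknown name is an error, not a fallback.
func ResolveUsername(passwd, name string) (uint32, uint32, error) {
	for _, e := range parsePasswd(passwd) {
		if e.Name == name {
			return e.UID, e.GID, nil
		}
	}
	return 0, 0, fmt.Errorf("user %q not found in /etc/passwd", name)
}

// AdditionalGIDs models WithAdditionalGIDs: userstr is a uid or a username, and
// the result is every /etc/group entry listing that user as a member, in file
// order. Assumed, since the page does not say: the user's primary gid is left
// out, and a uid with no passwd entry yields no groups and no error.
func AdditionalGIDs(passwd, group, userstr string) []uint32 {
	name, primary := userstr, uint32(0)
	if uid, ok := parseID(userstr); ok {
		name = "" // an unknown uid has no name to match, so no groups
		for _, e := range parsePasswd(passwd) {
			if e.UID == uid {
				name, primary = e.Name, e.GID
			}
		}
	} else if _, gid, err := ResolveUsername(passwd, userstr); err == nil {
		primary = gid
	}
	var gids []uint32
	for _, f := range records(group) {
		// f[3] is the comma-separated member list; wrap it in commas for an exact match.
		gid, ok := parseID(f[2])
		if ok && name != "" && gid != primary && strings.Contains(","+f[3]+",", ","+name+",") {
			gids = append(gids, gid)
		}
	}
	return gids
}

func main() {
	uid, gid := ResolveUID(samplePasswd, 4242)
	fmt.Println("uid 4242 ->", uid, gid, "| app extra gids:", AdditionalGIDs(samplePasswd, sampleGroup, "app"))
}
```

The gid-0 fallback is the one to check in review: a spec built with WithUserID for a uid the image does not define runs with the root group as its primary group, and no error says so. WithUsername fails instead, which is the safer choice when the user is expected to exist in the image.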