package oci

v1.3.4
Published: Apr 16, 2020 License: Apache-2.0 Imports: 24 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

var ErrNoShmMount = errors.New("no /dev/shm mount specified")

ErrNoShmMount is returned when there is no /dev/shm mount specified in the config and an Opts was trying to set a configuration value on the mount.

var ErrNotADevice = errors.New("not a device node")
var WithAllCapabilities = func(ctx context.Context, client Client, c *containers.Container, s *Spec) error {
	return WithCapabilities(GetAllCapabilities())(ctx, client, c, s)
}

WithAllCapabilities sets all linux capabilities for the process

WithPrivileged sets up options for a privileged container. TODO(justincormack): device handling.

Functions

func ApplyOpts added in v1.2.0

func ApplyOpts(ctx context.Context, client Client, c *containers.Container, s *Spec, opts ...SpecOpts) error

ApplyOpts applies the options to the given spec, injecting data from the context, client and container instance.

func GetAllCapabilities added in v1.3.0

func GetAllCapabilities() []string

GetAllCapabilities returns all capabilities up to CAP_LAST_CAP (or CAP_BLOCK_SUSPEND on RHEL6).

func WithDefaultPathEnv added in v1.2.8

func WithDefaultPathEnv(_ context.Context, _ Client, _ *containers.Container, s *Spec) error

WithDefaultPathEnv sets the $PATH environment variable to the default PATH defined in this package.

func WithDefaultUnixDevices added in v1.2.0

func WithDefaultUnixDevices(_ context.Context, _ Client, _ *containers.Container, s *Spec) error

WithDefaultUnixDevices adds the default devices for unix such as /dev/null, /dev/random to the container's resource cgroup spec

func WithHostHostsFile

func WithHostHostsFile(_ context.Context, _ Client, _ *containers.Container, s *Spec) error

WithHostHostsFile bind-mounts the host's /etc/hosts into the container as readonly

func WithHostLocaltime

func WithHostLocaltime(_ context.Context, _ Client, _ *containers.Container, s *Spec) error

WithHostLocaltime bind-mounts the host's /etc/localtime into the container as readonly

func WithHostResolvconf

func WithHostResolvconf(_ context.Context, _ Client, _ *containers.Container, s *Spec) error

WithHostResolvconf bind-mounts the host's /etc/resolv.conf into the container as readonly

func WithNewPrivileges added in v1.1.4

func WithNewPrivileges(_ context.Context, _ Client, _ *containers.Container, s *Spec) error

WithNewPrivileges turns off the NoNewPrivileges feature flag in the spec

func WithNoNewPrivileges

func WithNoNewPrivileges(_ context.Context, _ Client, _ *containers.Container, s *Spec) error

WithNoNewPrivileges sets no_new_privileges on the process for the container

func WithParentCgroupDevices added in v1.2.0

func WithParentCgroupDevices(_ context.Context, _ Client, _ *containers.Container, s *Spec) error

WithParentCgroupDevices uses the default cgroup setup to inherit the container's parent cgroup's allowed and denied devices

func WithSeccompUnconfined

func WithSeccompUnconfined(_ context.Context, _ Client, _ *containers.Container, s *Spec) error

WithSeccompUnconfined clears the seccomp profile

func WithTTY

func WithTTY(_ context.Context, _ Client, _ *containers.Container, s *Spec) error

WithTTY sets the information on the spec as well as the environment variables for using a TTY

func WithWindowsHyperV added in v1.2.0

func WithWindowsHyperV(_ context.Context, _ Client, _ *containers.Container, s *Spec) error

WithWindowsHyperV sets the Windows.HyperV section for HyperV isolation of containers.

func WithWriteableCgroupfs

func WithWriteableCgroupfs(_ context.Context, _ Client, _ *containers.Container, s *Spec) error

WithWriteableCgroupfs makes any cgroup mounts writeable

func WithWriteableSysfs

func WithWriteableSysfs(_ context.Context, _ Client, _ *containers.Container, s *Spec) error

WithWriteableSysfs makes any sysfs mounts writeable

Types

type Client

type Client interface {
	SnapshotService(snapshotterName string) snapshots.Snapshotter
}

Client interface used by SpecOpt

type Image

type Image interface {
	// Config descriptor for the image.
	Config(ctx context.Context) (ocispec.Descriptor, error)
	// ContentStore provides a content store which contains image blob data
	ContentStore() content.Store
}

Image interface used by some SpecOpt to query image configuration

type Spec added in v1.2.0

type Spec = specs.Spec

Spec is a type alias to the OCI runtime spec to allow third-party SpecOpts to be created without the "issues" with Go vendoring and package imports.

func GenerateSpec

func GenerateSpec(ctx context.Context, client Client, c *containers.Container, opts ...SpecOpts) (*Spec, error)

GenerateSpec will generate a default spec from the provided image for use as a containerd container

func GenerateSpecWithPlatform added in v1.2.0

func GenerateSpecWithPlatform(ctx context.Context, client Client, platform string, c *containers.Container, opts ...SpecOpts) (*Spec, error)

GenerateSpecWithPlatform will generate a default spec from the provided image for use as a containerd container in the platform requested.

type SpecOpts

type SpecOpts func(context.Context, Client, *containers.Container, *Spec) error

SpecOpts sets spec specific information to a newly generated OCI spec

func Compose

func Compose(opts ...SpecOpts) SpecOpts

Compose converts a sequence of spec operations into a single operation

func WithAddedCapabilities added in v1.3.0

func WithAddedCapabilities(caps []string) SpecOpts

WithAddedCapabilities adds the provided capabilities

func WithAdditionalGIDs added in v1.1.4

func WithAdditionalGIDs(userstr string) SpecOpts

WithAdditionalGIDs sets the OCI spec's additionalGids array to any additional groups listed for a particular user in the /etc/groups file of the image's root filesystem. The passed-in user can be either a uid or a username.

func WithAmbientCapabilities added in v1.2.0

func WithAmbientCapabilities(caps []string) SpecOpts

WithAmbientCapabilities sets the Linux ambient capabilities for the process. Ambient capabilities should only be set for non-root users, or the caller should understand how these capabilities are used and set.

func WithAnnotations added in v1.3.0

func WithAnnotations(annotations map[string]string) SpecOpts

WithAnnotations appends or replaces the annotations on the spec with the provided annotations

func WithApparmorProfile

func WithApparmorProfile(profile string) SpecOpts

WithApparmorProfile sets the Apparmor profile for the process

func WithCapabilities

func WithCapabilities(caps []string) SpecOpts

WithCapabilities sets Linux capabilities on the process

func WithCgroup

func WithCgroup(path string) SpecOpts

WithCgroup sets the container's cgroup path

func WithDefaultSpec added in v1.2.0

func WithDefaultSpec() SpecOpts

WithDefaultSpec returns a SpecOpts that will populate the spec with default values.

Use as the first option to clear the spec, then apply options afterwards.

func WithDefaultSpecForPlatform added in v1.2.0

func WithDefaultSpecForPlatform(platform string) SpecOpts

WithDefaultSpecForPlatform returns a SpecOpts that will populate the spec with default values for a given platform.

Use as the first option to clear the spec, then apply options afterwards.

func WithDevShmSize added in v1.3.0

func WithDevShmSize(kb int64) SpecOpts

WithDevShmSize sets the size of the /dev/shm mount for the container.

The size value is specified in kb, kilobytes.

func WithDroppedCapabilities added in v1.3.0

func WithDroppedCapabilities(caps []string) SpecOpts

WithDroppedCapabilities removes the provided capabilities
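As an added illustration of how SpecOpts are applied in sequence (Compose/ApplyOpts above) and how WithCapabilities and WithDroppedCapabilities interact, the following stand-in is example code, not containerd's own: the Spec, Capabilities and SpecOpts types are hypothetical minimal versions (no Client or Container parameters), and the stand-in drop option prunes all four capability sets. It shows that option order matters: a drop placed before the option that sets the capability sets is silently overwritten.

```go
package main

import "context"

// Hypothetical stand-ins (not containerd's or the OCI runtime-spec's own types);
// SpecOpts keeps the page's shape minus the Client and Container parameters.
type Capabilities struct{ Bounding, Effective, Permitted, Inheritable []string }
type Spec struct{ Capabilities *Capabilities }
type SpecOpts func(context.Context, *Spec) error

// WithCapabilities replaces all four capability sets with caps.
func WithCapabilities(caps []string) SpecOpts {
	return func(_ context.Context, s *Spec) error {
		c := s.Capabilities
		c.Bounding, c.Effective, c.Permitted, c.Inheritable = caps, caps, caps, caps
		return nil
	}
}

// WithDroppedCapabilities removes drop from every set; applied before
// WithCapabilities it is overwritten, so option order matters.
func WithDroppedCapabilities(drop []string) SpecOpts {
	denied := map[string]bool{}
	for _, d := range drop {
		denied[d] = true
	}
	return func(_ context.Context, s *Spec) error {
		c := s.Capabilities
		for _, set := range []*[]string{&c.Bounding, &c.Effective, &c.Permitted, &c.Inheritable} {
			kept := []string{} // fresh slice: the sets may share one backing array
			for _, name := range *set {
				if !denied[name] {
					kept = append(kept, name)
				}
			}
			*set = kept
		}
		return nil
	}
}

// BuildSpec applies opts in order to a fresh spec, stopping at the first
// error, which is the contract the page states for ApplyOpts and Compose.
func BuildSpec(opts ...SpecOpts) (*Spec, error) {
	s := &Spec{Capabilities: &Capabilities{}}
	for _, o := range opts {
		if err := o(context.Background(), s); err != nil {
			return nil, err
		}
	}
	return s, nil
}
```

Building with WithCapabilities first and WithDroppedCapabilities second leaves only the capabilities the workload still needs in every set; reversing the two leaves the dropped capability in place.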

func WithEnv

func WithEnv(environmentVariables []string) SpecOpts

WithEnv appends environment variables

func WithEnvFile added in v1.3.0

func WithEnvFile(path string) SpecOpts

WithEnvFile adds environment variables from a file to the container's spec

func WithHostNamespace

func WithHostNamespace(ns specs.LinuxNamespaceType) SpecOpts

WithHostNamespace allows a task to run inside the host's linux namespace

func WithHostname

func WithHostname(name string) SpecOpts

WithHostname sets the container's hostname

func WithImageConfig

func WithImageConfig(image Image) SpecOpts

WithImageConfig configures the spec from the configuration of an Image.

func WithImageConfigArgs added in v1.2.0

func WithImageConfigArgs(image Image, args []string) SpecOpts

WithImageConfigArgs configures the spec from the configuration of an Image, with additional args that replace the CMD of the image.

func WithLinuxDevice added in v1.3.0

func WithLinuxDevice(path, permissions string) SpecOpts

WithLinuxDevice adds the device specified by path to the spec

func WithLinuxDevices added in v1.3.0

func WithLinuxDevices(devices []specs.LinuxDevice) SpecOpts

WithLinuxDevices adds the provided linux devices to the spec

func WithLinuxNamespace

func WithLinuxNamespace(ns specs.LinuxNamespace) SpecOpts

WithLinuxNamespace uses the passed in namespace for the spec. If a namespace of the same type already exists in the spec, the existing namespace is replaced by the one provided.

func WithMaskedPaths

func WithMaskedPaths(paths []string) SpecOpts

WithMaskedPaths sets the masked paths option

func WithMemoryLimit added in v1.3.0

func WithMemoryLimit(limit uint64) SpecOpts

WithMemoryLimit sets the `Linux.LinuxResources.Memory.Limit` section to the `limit` specified if the `Linux` section is not `nil`. Additionally sets the `Windows.WindowsResources.Memory.Limit` section if the `Windows` section is not `nil`.

func WithMounts

func WithMounts(mounts []specs.Mount) SpecOpts

WithMounts appends mounts

func WithNamespacedCgroup

func WithNamespacedCgroup() SpecOpts

WithNamespacedCgroup uses the namespace set on the context to create a root directory for containers in the cgroup with the id as the subcgroup

func WithProcessArgs

func WithProcessArgs(args ...string) SpecOpts

WithProcessArgs replaces the args on the generated spec

func WithProcessCwd

func WithProcessCwd(cwd string) SpecOpts

WithProcessCwd replaces the current working directory on the generated spec

func WithReadonlyPaths

func WithReadonlyPaths(paths []string) SpecOpts

WithReadonlyPaths sets the read only paths option

func WithRootFSPath

func WithRootFSPath(path string) SpecOpts

WithRootFSPath specifies an unmanaged rootfs path.

func WithRootFSReadonly

func WithRootFSReadonly() SpecOpts

WithRootFSReadonly sets specs.Root.Readonly to true

func WithSelinuxLabel

func WithSelinuxLabel(label string) SpecOpts

WithSelinuxLabel sets the process SELinux label

func WithSpecFromBytes added in v1.2.0

func WithSpecFromBytes(p []byte) SpecOpts

WithSpecFromBytes loads the spec from the provided byte slice.

func WithSpecFromFile added in v1.2.0

func WithSpecFromFile(filename string) SpecOpts

WithSpecFromFile loads the specification from the provided filename.

func WithTTYSize added in v1.2.0

func WithTTYSize(width, height int) SpecOpts

WithTTYSize sets the information on the spec as well as the environment variables for using a TTY

func WithUIDGID

func WithUIDGID(uid, gid uint32) SpecOpts

WithUIDGID allows the UID and GID for the Process to be set

func WithUser

func WithUser(userstr string) SpecOpts

WithUser sets the user to be used within the container. It accepts a valid user string in OCI Image Spec v1.0.0:

user, uid, user:group, uid:gid, uid:group, user:gid

func WithUserID

func WithUserID(uid uint32) SpecOpts

WithUserID sets the correct UID and GID for the container based on the image's /etc/passwd contents. If /etc/passwd does not exist, or uid is not found in /etc/passwd, it sets the requested uid, additionally sets the gid to 0, and does not return an error.

func WithUserNamespace

func WithUserNamespace(container, host, size uint32) SpecOpts

WithUserNamespace sets the uid and gid mappings for the task. This can be called multiple times to add more mappings to the generated spec.

func WithUsername

func WithUsername(username string) SpecOpts

WithUsername sets the correct UID and GID for the container based on the image's /etc/passwd contents. If /etc/passwd does not exist, or the username is not found in /etc/passwd, it returns an error.
