README
¶
libcontainer - reference implementation for containers
background
libcontainer specifies configuration options for what a container is. It provides a native Go implementation for using Linux namespaces with no external dependencies. libcontainer provides many convenience functions for working with namespaces, networking, and management.
container
A container is a self contained directory that is able to run one or more processes without
affecting the host system. The directory is usually a full system tree. Inside the directory
a container.json file is placed with the runtime configuration for how the processes
should be contained and ran. Environment, networking, and different capabilities for the
process are specified in this file. The configuration is used for each process executed inside the container.
See the container.json file for what the configuration should look like.
Using this configuration and the current directory holding the rootfs for a process, one can use libcontainer to exec the container. Running the life of the namespace, a pid file
is written to the current directory with the pid of the namespaced process to the external world. A client can use this pid to wait, kill, or perform other operation with the container. If a user tries to run a new process inside an existing container with a live namespace, the namespace will be joined by the new process.
You may also specify an alternate root place where the container.json file is read and where the pid file will be saved.
nsinit
nsinit is a cli application used as the reference implementation of libcontainer. It is able to
spawn or join new containers giving the current directory. To use nsinit cd into a Linux
rootfs and copy a container.json file into the directory with your specified configuration.
To execute /bin/bash in the current directory as a container just run:
nsinit exec /bin/bash
If you wish to spawn another process inside the container while your current bash session is running just run the exact same command again to get another bash shell or change the command. If the original process dies, PID 1, all other processes spawned inside the container will also be killed and the namespace will be removed.
You can identify if a process is running in a container by looking to see if pid is in the root of the directory.
Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
Functions ¶
func GetAllCapabilities ¶
func GetAllCapabilities() []string
Types ¶
type Capabilities ¶
type Capabilities []*Capability
func (Capabilities) Contains ¶
func (c Capabilities) Contains(capp string) bool
Contains returns true if the specified Capability is in the slice
func (Capabilities) Get ¶
func (c Capabilities) Get(capp string) *Capability
type Capability ¶
type Capability struct {
Key string `json:"key,omitempty"`
Value capability.Cap `json:"value,omitempty"`
}
func GetCapability ¶
func GetCapability(key string) *Capability
func (*Capability) String ¶
func (c *Capability) String() string
type Container ¶
type Container struct {
// Hostname optionally sets the container's hostname if provided
Hostname string `json:"hostname,omitempty"`
// ReadonlyFs will remount the container's rootfs as readonly where only externally mounted
// bind mounts are writtable
ReadonlyFs bool `json:"readonly_fs,omitempty"`
// NoPivotRoot will use MS_MOVE and a chroot to jail the process into the container's rootfs
// This is a common option when the container is running in ramdisk
NoPivotRoot bool `json:"no_pivot_root,omitempty"`
// User will set the uid and gid of the executing process running inside the container
User string `json:"user,omitempty"`
// WorkingDir will change the processes current working directory inside the container's rootfs
WorkingDir string `json:"working_dir,omitempty"`
// Env will populate the processes environment with the provided values
// Any values from the parent processes will be cleared before the values
// provided in Env are provided to the process
Env []string `json:"environment,omitempty"`
// Tty when true will allocate a pty slave on the host for access by the container's process
// and ensure that it is mounted inside the container's rootfs
Tty bool `json:"tty,omitempty"`
// Namespaces specifies the container's namespaces that it should setup when cloning the init process
// If a namespace is not provided that namespace is shared from the container's parent process
Namespaces map[string]bool `json:"namespaces,omitempty"`
// Capabilities specify the capabilities to keep when executing the process inside the container
// All capbilities not specified will be dropped from the processes capability mask
Capabilities []string `json:"capabilities,omitempty"`
// Networks specifies the container's network setup to be created
Networks []*Network `json:"networks,omitempty"`
// Cgroups specifies specific cgroup settings for the various subsystems that the container is
// placed into to limit the resources the container has available
Cgroups *cgroups.Cgroup `json:"cgroups,omitempty"`
// Context is a generic key value format that allows for additional settings to be passed
// on the container's creation
// This is commonly used to specify apparmor profiles, selinux labels, and different restrictions
// placed on the container's processes
Context Context `json:"context,omitempty"`
// Mounts specify additional source and destination paths that will be mounted inside the container's
// rootfs and mount namespace if specified
Mounts Mounts `json:"mounts,omitempty"`
// RequiredDeviceNodes are a list of device nodes that will be mknod into the container's rootfs at /dev
// If the host system does not support the device that the container requests an error is returned
RequiredDeviceNodes []string `json:"required_device_nodes,omitempty"`
// OptionalDeviceNodes are a list of device nodes that will be mknod into the container's rootfs at /dev
// If the host system does not support the device that the container requests the error is ignored
OptionalDeviceNodes []string `json:"optional_device_nodes,omitempty"`
}
Container defines configuration options for executing a process inside a contained environment
type Mount ¶
type Mount struct {
Type string `json:"type,omitempty"`
Source string `json:"source,omitempty"` // Source path, in the host namespace
Destination string `json:"destination,omitempty"` // Destination path, in the container
Writable bool `json:"writable,omitempty"`
Private bool `json:"private,omitempty"`
}
type Namespace ¶
type Namespace struct {
Key string `json:"key,omitempty"`
Value int `json:"value,omitempty"`
File string `json:"file,omitempty"`
}
func GetNamespace ¶
type Namespaces ¶
type Namespaces []*Namespace
func (Namespaces) Contains ¶
func (n Namespaces) Contains(ns string) bool
Contains returns true if the specified Namespace is in the slice
func (Namespaces) Get ¶
func (n Namespaces) Get(ns string) *Namespace
type Network ¶
type Network struct {
// Type sets the networks type, commonly veth and loopback
Type string `json:"type,omitempty"`
// Context is a generic key value format for setting additional options that are specific to
// the network type
Context Context `json:"context,omitempty"`
// Address contains the IP and mask to set on the network interface
Address string `json:"address,omitempty"`
// Gateway sets the gateway address that is used as the default for the interface
Gateway string `json:"gateway,omitempty"`
// Mtu sets the mtu value for the interface and will be mirrored on both the host and
// container's interfaces if a pair is created, specifically in the case of type veth
Mtu int `json:"mtu,omitempty"`
}
Network defines configuration for a container's networking stack
The network configuration can be omited from a container causing the container to be setup with the host's networking stack
Source Files
Directories