boot

Published: Jan 11, 2025 License: Apache-2.0, MIT Imports: 124 Imported by: 13

Documentation

Overview

Package boot loads the kernel and runs a container.

Index

Constants

// Method names of the container-manager commands. Each value is the
// "service.Method" string a client sends to the sandbox's control server
// (the one Args.ControllerFD is connected to — confirm against the
// controller's registration code).
const (
	// ContMgrCheckpoint checkpoints a container.
	ContMgrCheckpoint = "containerManager.Checkpoint"

	// ContMgrCreateSubcontainer creates a sub-container.
	ContMgrCreateSubcontainer = "containerManager.CreateSubcontainer"

	// ContMgrDestroySubcontainer is used to stop a sub-container and free all
	// associated resources in the sandbox.
	ContMgrDestroySubcontainer = "containerManager.DestroySubcontainer"

	// ContMgrEvent gets stats about the container used by "runsc events".
	ContMgrEvent = "containerManager.Event"

	// ContMgrExecuteAsync executes a command in a container.
	ContMgrExecuteAsync = "containerManager.ExecuteAsync"

	// ContMgrPortForward starts port forwarding with the sandbox.
	ContMgrPortForward = "containerManager.PortForward"

	// ContMgrProcesses lists processes running in a container.
	ContMgrProcesses = "containerManager.Processes"

	// ContMgrRestore restores a container from a statefile.
	ContMgrRestore = "containerManager.Restore"

	// ContMgrRestoreSubcontainer restores a sub-container from a statefile.
	ContMgrRestoreSubcontainer = "containerManager.RestoreSubcontainer"

	// ContMgrPause pauses all tasks, blocking until they are stopped.
	ContMgrPause = "containerManager.Pause"

	// ContMgrResume resumes all tasks.
	ContMgrResume = "containerManager.Resume"

	// ContMgrSignal sends a signal to a container.
	ContMgrSignal = "containerManager.Signal"

	// ContMgrStartSubcontainer starts a sub-container inside a running sandbox.
	ContMgrStartSubcontainer = "containerManager.StartSubcontainer"

	// ContMgrWait waits on the init process of the container and returns its
	// ExitStatus.
	ContMgrWait = "containerManager.Wait"

	// ContMgrWaitPID waits on a process with a certain PID in the sandbox and
	// returns its ExitStatus.
	ContMgrWaitPID = "containerManager.WaitPID"

	// ContMgrWaitCheckpoint waits for the Kernel to have been successfully
	// checkpointed n-1 times, then waits for either the n-th successful
	// checkpoint (in which case it returns nil) or any number of failed
	// checkpoints (in which case it returns an error returned by any such
	// failure).
	ContMgrWaitCheckpoint = "containerManager.WaitCheckpoint"

	// ContMgrRootContainerStart starts a new sandbox with a root container.
	ContMgrRootContainerStart = "containerManager.StartRoot"

	// ContMgrCreateTraceSession starts a trace session.
	ContMgrCreateTraceSession = "containerManager.CreateTraceSession"

	// ContMgrDeleteTraceSession deletes a trace session.
	ContMgrDeleteTraceSession = "containerManager.DeleteTraceSession"

	// ContMgrListTraceSessions lists trace sessions.
	ContMgrListTraceSessions = "containerManager.ListTraceSessions"

	// ContMgrProcfsDump dumps sandbox procfs state.
	ContMgrProcfsDump = "containerManager.ProcfsDump"

	// ContMgrMount mounts a filesystem in a container.
	ContMgrMount = "containerManager.Mount"

	// ContMgrContainerRuntimeState returns the runtime state of a container.
	ContMgrContainerRuntimeState = "containerManager.ContainerRuntimeState"
)
const (
	// NetworkCreateLinksAndRoutes creates links and routes in a network stack.
	NetworkCreateLinksAndRoutes = "Network.CreateLinksAndRoutes"

	// NetworkInitPluginStack initializes third-party network stack.
	NetworkInitPluginStack = "Network.InitPluginStack"

	// DebugStacks collects sandbox stacks for debugging.
	DebugStacks = "debug.Stacks"
)
const (
	// ProfileCPU names the CPU profiling command.
	ProfileCPU   = "Profile.CPU"
	// ProfileHeap names the heap profiling command.
	ProfileHeap  = "Profile.Heap"
	// ProfileBlock names the blocking-profile command.
	ProfileBlock = "Profile.Block"
	// ProfileMutex names the mutex-contention profiling command.
	ProfileMutex = "Profile.Mutex"
	// ProfileTrace names the execution-trace command.
	ProfileTrace = "Profile.Trace"
)

Profiling related commands (see pprof.go for more details).

const (
	UsageCollect = "Usage.Collect"
	UsageUsageFD = "Usage.UsageFD"
)

Usage related commands (see usage.go for more details).

const (
	MetricsGetRegistered = "Metrics.GetRegisteredMetrics"
	MetricsExport        = "Metrics.Export"
)

Metrics related commands (see metrics.go).

const (
	CgroupsReadControlFiles  = "Cgroups.ReadControlFiles"
	CgroupsWriteControlFiles = "Cgroups.WriteControlFiles"
)

Commands for interacting with cgroupfs within the sandbox.

const (
	// MountPrefix is the annotation prefix for mount hints applied at the pod level.
	MountPrefix = "dev.gvisor.spec.mount."

	// RootfsPrefix is the annotation prefix for rootfs hint applied at the container level.
	RootfsPrefix = "dev.gvisor.spec.rootfs."
)
const (
	// CheckpointStateFileName is the file within the given image-path's
	// directory which contains the container's saved state.
	CheckpointStateFileName = "checkpoint.img"
	// CheckpointPagesMetadataFileName is the file within the given image-path's
	// directory containing the container's MemoryFile metadata.
	CheckpointPagesMetadataFileName = "pages_meta.img"
	// CheckpointPagesFileName is the file within the given image-path's
	// directory containing the container's MemoryFile pages.
	CheckpointPagesFileName = "pages.img"
)
const (
	Bind   = "bind"
	Nonefs = "none"
)

Supported filesystems that map to different internal filesystems.

const (
	LoggingChange = "Logging.Change"
)

Logging related commands (see logging.go for more details).

const SelfFilestorePrefix = ".gvisor.filestore."

SelfFilestorePrefix is the prefix of the self filestore file name.

Variables

var (
	// DefaultLoopbackLink contains IP addresses and routes of "127.0.0.1/8" and
	// "::1/128" on "lo" interface.
	DefaultLoopbackLink = LoopbackLink{
		Name: "lo",
		Addresses: []IPWithPrefix{
			// The IPv4 address carries a /8 prefix; the IPv6 loopback address is
			// host-only (/128), matching the route masks below.
			{Address: net.IP("\x7f\x00\x00\x01"), PrefixLen: 8},
			{Address: net.IPv6loopback, PrefixLen: 128},
		},
		// Gateway is left unset on both routes.
		Routes: []Route{
			{
				// Covers the whole 127.0.0.0/8 network.
				Destination: net.IPNet{
					IP:   net.IPv4(0x7f, 0, 0, 0),
					Mask: net.IPv4Mask(0xff, 0, 0, 0),
				},
			},
			{
				// All-ones mask: matches only ::1.
				Destination: net.IPNet{
					IP:   net.IPv6loopback,
					Mask: net.IPMask(strings.Repeat("\xff", net.IPv6len)),
				},
			},
		},
	}
)

Functions

func ParseMountOptions

func ParseMountOptions(opts []string) *vfs.MountOptions

ParseMountOptions converts specs.Mount.Options to vfs.MountOptions.

func SelfFilestorePath

func SelfFilestorePath(mountSrc, sandboxID string) string

SelfFilestorePath returns the path at which the self filestore file is stored for a given mount.

Types

type Args

type Args struct {
	// ID is the sandbox ID.
	ID string
	// Spec is the sandbox specification.
	Spec *specs.Spec
	// Conf is the system configuration.
	Conf *config.Config
	// ControllerFD is the FD to the URPC controller. The Loader takes ownership
	// of this FD and may close it at any time.
	ControllerFD int
	// Device is an optional argument that is passed to the platform. The Loader
	// takes ownership of this file and may close it at any time.
	Device *fd.FD
	// GoferFDs is an array of FDs used to connect with the Gofer. The Loader
	// takes ownership of these FDs and may close them at any time.
	GoferFDs []int
	// DevGoferFD is the FD for the dev gofer connection. The Loader takes
	// ownership of this FD and may close it at any time.
	DevGoferFD int
	// StdioFDs is the stdio for the application. The Loader takes ownership of
	// these FDs and may close them at any time.
	StdioFDs []int
	// PassFDs are user-supplied FD mappings from host to guest descriptors.
	// The Loader takes ownership of these FDs and may close them at any time.
	PassFDs []FDMapping
	// ExecFD is the host file descriptor used for program execution.
	ExecFD int
	// GoferFilestoreFDs are FDs to the regular files that will back the tmpfs or
	// overlayfs mount for certain gofer mounts.
	GoferFilestoreFDs []int
	// GoferMountConfs contains information about how the gofer mounts have been
	// configured. The first entry is for rootfs and the following entries are
	// for bind mounts in Spec.Mounts (in the same order).
	GoferMountConfs []GoferMountConf
	// NumCPU is the number of CPUs to create inside the sandbox.
	NumCPU int
	// TotalMem is the initial amount of total memory to report back to the
	// container.
	TotalMem uint64
	// TotalHostMem is the total memory reported by host /proc/meminfo.
	TotalHostMem uint64
	// UserLogFD is the file descriptor to write user logs to.
	UserLogFD int
	// ProductName is the value to show in
	// /sys/devices/virtual/dmi/id/product_name.
	ProductName string
	// PodInitConfigFD is the file descriptor to a file passed in the
	// --pod-init-config flag.
	PodInitConfigFD int
	// SinkFDs is an ordered array of file descriptors to be used by seccheck
	// sinks configured from the --pod-init-config file.
	SinkFDs []int
	// ProfileOpts contains the set of profiles to enable and the
	// corresponding FDs where profile data will be written.
	ProfileOpts profile.Opts
	// NvidiaDriverVersion is the NVIDIA driver ABI version to use for
	// communicating with NVIDIA devices on the host.
	NvidiaDriverVersion string
	// HostShmemHuge is the host's value of
	// /sys/kernel/mm/transparent_hugepage/shmem_enabled, or empty if this is
	// unknown.
	HostShmemHuge string

	// SaveFDs is undocumented upstream. NOTE(review): presumably host files
	// used when saving (checkpointing) state — confirm against New() and the
	// Checkpoint path. Whether the Loader takes ownership of these FDs, as it
	// does for the other FD fields above, is also not stated here.
	SaveFDs []*fd.FD
}

Args are the arguments for New().

type BindOpt

type BindOpt int

BindOpt indicates whether the sentry or runsc process is responsible for binding the AF_XDP socket.

const (
	// BindSentry indicates the sentry process must call bind.
	BindSentry BindOpt = iota

	// BindRunsc indicates the runsc process must call bind.
	BindRunsc
)

type CPU

type CPU struct {
	Usage CPUUsage `json:"usage"`
}

CPU contains stats on the CPU.

type CPUUsage

type CPUUsage struct {
	Kernel uint64   `json:"kernel,omitempty"`
	User   uint64   `json:"user,omitempty"`
	Total  uint64   `json:"total,omitempty"`
	PerCPU []uint64 `json:"percpu,omitempty"`
}

CPUUsage contains stats on CPU usage.

type ContainerRuntimeState

type ContainerRuntimeState int

ContainerRuntimeState is the runtime state of a container.

const (
	// RuntimeStateInvalid used just in case of error.
	RuntimeStateInvalid ContainerRuntimeState = iota
	// RuntimeStateCreating indicates that the container is being
	// created, but has not started running yet.
	RuntimeStateCreating
	// RuntimeStateRunning indicates that the container is running.
	RuntimeStateRunning
	// RuntimeStateStopped indicates that the container has stopped.
	RuntimeStateStopped
)

type CreateArgs

type CreateArgs struct {
	// CID is the ID of the container to start.
	CID string

	// FilePayload may contain a TTY file for the terminal, if enabled.
	urpc.FilePayload
}

CreateArgs contains arguments to the Create method.

type CreateLinksAndRoutesArgs

type CreateLinksAndRoutesArgs struct {
	// FilePayload contains the fds associated with the FDBasedLinks. The
	// number of fd's should match the sum of the NumChannels field of the
	// FDBasedLink entries below.
	// NOTE(review): when PCAP or NATBlob is set, FilePayload also carries
	// extra files; their position relative to the link fds is not documented
	// here — confirm against CreateLinksAndRoutes before relying on an order.
	urpc.FilePayload

	// LoopbackLinks, FDBasedLinks and XDPLinks are the links to create,
	// grouped by endpoint kind.
	LoopbackLinks []LoopbackLink
	FDBasedLinks  []FDBasedLink
	XDPLinks      []XDPLink

	// Defaultv4Gateway and Defaultv6Gateway are the default routes for IPv4
	// and IPv6 respectively; Route.Empty reports whether one was set.
	Defaultv4Gateway DefaultRoute
	Defaultv6Gateway DefaultRoute

	// PCAP indicates that FilePayload also contains a PCAP log file.
	PCAP bool

	// LogPackets indicates that packets should be logged.
	LogPackets bool

	// NATBlob indicates whether FilePayload also contains an iptables NAT
	// ruleset.
	NATBlob bool

	// DisconnectOk indicates that link endpoints should have the capability
	// CapabilityDisconnectOk set.
	DisconnectOk bool
}

CreateLinksAndRoutesArgs are arguments to CreateLinksAndRoutes.

type CreateTraceSessionArgs

type CreateTraceSessionArgs struct {
	// Config is the seccheck session configuration to create.
	Config seccheck.SessionConfig
	// Force's semantics are not documented here — confirm against
	// CreateTraceSession (presumably it replaces an existing session).
	Force  bool
	// FilePayload carries the files for the session; which files and in what
	// order is not documented here — confirm against CreateTraceSession.
	urpc.FilePayload
}

CreateTraceSessionArgs are arguments to the CreateTraceSession method.

type DefaultRoute

type DefaultRoute struct {
	// Route is the catch-all route; its Gateway is the default gateway.
	Route Route
	// Name is presumably the name of the link the route is installed on —
	// confirm against CreateLinksAndRoutes.
	Name  string
}

DefaultRoute represents a catch all route to the default gateway.

type Event

type Event struct {
	Type string `json:"type"`
	ID   string `json:"id"`
	Data Stats  `json:"data"`
}

Event is the struct used to encode event data to JSON. It corresponds to runc's main.event struct.

type EventOut

type EventOut struct {
	Event Event `json:"event"`

	// ContainerUsage maps each container ID to its total CPU usage.
	ContainerUsage map[string]uint64 `json:"containerUsage"`
}

EventOut is the return type of the Event command.

type FDBasedLink struct {
	// Name is the name of the network interface.
	Name              string
	// InterfaceIndex is the interface index (presumably the host's ifindex —
	// confirm against the caller that populates it).
	InterfaceIndex    int
	// MTU is the link's maximum transmission unit.
	MTU               int
	// Addresses and Routes are configured on the link once it is created.
	Addresses         []IPWithPrefix
	Routes            []Route
	// GSOMaxSize is the maximum GSO size; its units are not documented here —
	// confirm against the endpoint that consumes it.
	GSOMaxSize        uint32
	// GVisorGSOEnabled and GVisorGRO enable gVisor's own GSO/GRO handling
	// (exact semantics not shown here — confirm against the link setup code).
	GVisorGSOEnabled  bool
	GVisorGRO         bool
	// TXChecksumOffload and RXChecksumOffload control checksum offload on
	// transmit and receive. NOTE(review): whether true means received packets
	// are not checksum-validated by the sentry is not stated here — confirm.
	TXChecksumOffload bool
	RXChecksumOffload bool
	// LinkAddress is the link-layer (hardware) address of the interface.
	LinkAddress       net.HardwareAddr
	// QDisc selects the queueing discipline for the link.
	QDisc             config.QueueingDiscipline
	// Neighbors are static IP-to-hardware-address entries for the link (see
	// Neighbor).
	Neighbors         []Neighbor

	// NumChannels controls how many underlying FDs are to be used to
	// create this endpoint.
	NumChannels int

	// ProcessorsPerChannel controls how many goroutines are used to handle
	// packets on each channel.
	ProcessorsPerChannel int
}

FDBasedLink configures an fd-based link.

type FDMapping

type FDMapping struct {
	// Guest is the descriptor number as seen inside the sandbox.
	Guest int
	// Host is the host descriptor it maps to.
	Host  int
}

FDMapping is a helper type to represent a mapping from guest to host file descriptors. In contrast to the unexported fdMapping type, it does not imply file ownership.

type GoferMountConf

type GoferMountConf struct {
	// Upper describes the upper (overlay) layer; see GoferMountConfUpperType.
	Upper GoferMountConfUpperType `json:"upper"`
	// Lower describes the lower layer; see GoferMountConfLowerType.
	Lower GoferMountConfLowerType `json:"lower"`
}

GoferMountConf describes how a gofer mount is configured in the sandbox.

func (GoferMountConf) IsFilestorePresent

func (g GoferMountConf) IsFilestorePresent() bool

IsFilestorePresent returns true if a filestore file was associated with this.

func (GoferMountConf) IsSelfBacked

func (g GoferMountConf) IsSelfBacked() bool

IsSelfBacked returns true if this mount is backed by a filestore in itself.

func (*GoferMountConf) Set

func (g *GoferMountConf) Set(v string) error

Set sets the value. Set(String()) should be idempotent.

func (GoferMountConf) ShouldUseErofs

func (g GoferMountConf) ShouldUseErofs() bool

ShouldUseErofs returns true if an EROFS should be applied.

func (GoferMountConf) ShouldUseLisafs

func (g GoferMountConf) ShouldUseLisafs() bool

ShouldUseLisafs returns true if a lisafs client/server should be set up.

func (GoferMountConf) ShouldUseOverlayfs

func (g GoferMountConf) ShouldUseOverlayfs() bool

ShouldUseOverlayfs returns true if an overlayfs should be applied.

func (GoferMountConf) ShouldUseTmpfs

func (g GoferMountConf) ShouldUseTmpfs() bool

ShouldUseTmpfs returns true if a tmpfs should be applied.

func (GoferMountConf) String

func (g GoferMountConf) String() string

String returns a human-readable string representing the gofer mount config.

type GoferMountConfFlags

type GoferMountConfFlags []GoferMountConf

GoferMountConfFlags can be used with GoferMountConf flags that appear multiple times.

func (*GoferMountConfFlags) Get

func (g *GoferMountConfFlags) Get() any

Get implements flag.Value.

func (*GoferMountConfFlags) GetArray

func (g *GoferMountConfFlags) GetArray() []GoferMountConf

GetArray returns an array of mappings.

func (*GoferMountConfFlags) Set

func (g *GoferMountConfFlags) Set(s string) error

Set implements flag.Value and appends a gofer configuration from the command line to the configs array. Set(String()) should be idempotent.

func (*GoferMountConfFlags) String

func (g *GoferMountConfFlags) String() string

String implements flag.Value.

type GoferMountConfLowerType

type GoferMountConfLowerType byte

GoferMountConfLowerType describes how the lower layer is configured for the gofer mount.

const (
	// NoneLower indicates that this gofer mount has no lower layer.
	NoneLower GoferMountConfLowerType = iota

	// Lisafs indicates that this gofer mount has a LISAFS lower layer.
	Lisafs

	// Erofs indicates that this gofer mount has an EROFS lower layer.
	Erofs

	// LowerMax indicates the number of the valid lower layer types.
	LowerMax
)

func (*GoferMountConfLowerType) Set

Set sets the value. Set(String()) should be idempotent.

func (GoferMountConfLowerType) String

func (l GoferMountConfLowerType) String() string

String returns a human-readable string representing the lower layer type.

type GoferMountConfUpperType

type GoferMountConfUpperType byte

GoferMountConfUpperType describes how the upper layer is configured for the gofer mount.

const (
	// NoOverlay indicates that this gofer mount has no upper layer. In this case,
	// this gofer mount must have a lower layer (i.e. lower != NoneLower).
	NoOverlay GoferMountConfUpperType = iota

	// MemoryOverlay indicates that this gofer mount should be overlaid with a
	// tmpfs backed by application memory.
	MemoryOverlay

	// SelfOverlay indicates that this gofer mount should be overlaid with a
	// tmpfs backed by a host file in the mount's source directory.
	SelfOverlay

	// AnonOverlay indicates that this gofer mount should be overlaid with a
	// tmpfs backed by a host file in an anonymous directory.
	AnonOverlay

	// UpperMax indicates the number of the valid upper layer types.
	UpperMax
)

func (*GoferMountConfUpperType) Set

Set sets the value. Set(String()) should be idempotent.

func (GoferMountConfUpperType) String

func (u GoferMountConfUpperType) String() string

String returns a human-readable string representing the upper layer type.

type IPWithPrefix

type IPWithPrefix struct {
	// Address is a network address.
	Address net.IP

	// PrefixLen is the subnet prefix length.
	PrefixLen int
}

IPWithPrefix is an address with its subnet prefix length.

func (IPWithPrefix) String

func (ip IPWithPrefix) String() string

type InitConfig

type InitConfig struct {
	TraceSession seccheck.SessionConfig `json:"trace_session"`
}

InitConfig represents the configuration to apply during pod creation. For now, it supports setting up a seccheck session.

func LoadInitConfig

func LoadInitConfig(path string) (*InitConfig, error)

LoadInitConfig loads an InitConfig struct from a json formatted file.

func (*InitConfig) Setup

func (c *InitConfig) Setup() ([]*os.File, error)

Setup performs the actions defined in the InitConfig, e.g. setting up a seccheck session.

type InitPluginStackArgs

type InitPluginStackArgs struct {
	// FilePayload carries the files handed to the plugin stack; their contents
	// are not documented here — confirm against InitPluginStack.
	urpc.FilePayload

	// InitStr is the initialization string passed to the plugin stack's
	// Init() (see InitPluginStack).
	InitStr string
}

InitPluginStackArgs are arguments to InitPluginStack.

type Loader

type Loader struct {

	// PreSeccompCallback is called right before installing seccomp filters.
	// NOTE(review): anything this callback does runs before the seccomp
	// filters are in place, so its body deserves the same scrutiny as the
	// filter policy itself.
	PreSeccompCallback func()
	// contains filtered or unexported fields
}

Loader keeps state needed to start the kernel and run the container.

func New

func New(args Args) (*Loader, error)

New initializes a new kernel loader configured by spec. New also handles setting up a kernel for restoring a container.

func (*Loader) Destroy

func (l *Loader) Destroy()

Destroy cleans up all resources used by the loader.

Note that this will block until all open control server connections have been closed. For that reason, this should NOT be called in a defer, because a panic in a control server rpc would then hang forever.

func (*Loader) Run

func (l *Loader) Run() error

Run runs the root container.

func (*Loader) WaitExit

func (l *Loader) WaitExit() linux.WaitStatus

WaitExit waits for the root container to exit, and returns its exit status.

func (*Loader) WaitForStartSignal

func (l *Loader) WaitForStartSignal()

WaitForStartSignal waits for a start signal from the control server.

type LoopbackLink struct {
	// Name is the interface name (DefaultLoopbackLink uses "lo").
	Name      string
	// Addresses and Routes are configured on the link once it is created.
	Addresses []IPWithPrefix
	Routes    []Route
	// GVisorGRO enables gVisor's GRO handling on the link (exact semantics
	// not shown here — confirm against the link setup code).
	GVisorGRO bool
}

LoopbackLink configures a loopback link.

type Memory

type Memory struct {
	Cache     uint64            `json:"cache,omitempty"`
	Usage     MemoryEntry       `json:"usage,omitempty"`
	Swap      MemoryEntry       `json:"swap,omitempty"`
	Kernel    MemoryEntry       `json:"kernel,omitempty"`
	KernelTCP MemoryEntry       `json:"kernelTCP,omitempty"`
	Raw       map[string]uint64 `json:"raw,omitempty"`
}

Memory contains stats on memory.

type MemoryEntry

type MemoryEntry struct {
	Limit   uint64 `json:"limit"`
	Usage   uint64 `json:"usage,omitempty"`
	Max     uint64 `json:"max,omitempty"`
	Failcnt uint64 `json:"failcnt"`
}

MemoryEntry contains stats on a kind of memory.

type MountArgs

type MountArgs struct {
	// ContainerID is the container in which we will mount the filesystem.
	ContainerID string

	// Source is the mount source.
	Source string

	// Destination is the mount target.
	Destination string

	// FsType is the filesystem type.
	FsType string

	// FilePayload contains the source image FD, if required by the filesystem.
	urpc.FilePayload
}

MountArgs contains arguments to the Mount method.

type MountHint

type MountHint struct {
	// Name is the hint's name (presumably the annotation key suffix after
	// MountPrefix — confirm against NewPodMountHints).
	Name  string      `json:"name"`
	// Share says who can access/mutate the volume contents (see ShareType).
	Share ShareType   `json:"share"`
	// Mount is the mount specification provided by the annotations, which can
	// override the mount type.
	Mount specs.Mount `json:"mount"`
}

MountHint represents extra information about mounts that are provided via annotations. They can override mount type, and provide sharing information so that mounts can be correctly shared inside the pod. It is part of the sandbox.Sandbox struct, so it must be serializable.

func (*MountHint) ShouldShareMount

func (m *MountHint) ShouldShareMount() bool

ShouldShareMount returns true if this mount should be configured as a shared mount that is shared among multiple containers in a pod.

type Neighbor

// Neighbor pairs an IP address with a link-layer address; presumably it is
// installed as a static neighbor (ARP/NDP) entry on the link — confirm
// against CreateLinksAndRoutes.
type Neighbor struct {
	// IP is the neighbor's IP address.
	IP           net.IP
	// HardwareAddr is the neighbor's link-layer (MAC) address.
	HardwareAddr net.HardwareAddr
}

type Network

type Network struct {
	Stack  *stack.Stack
	Kernel *kernel.Kernel

	// PluginStack is a third-party network stack to use in place of
	// netstack when non-nil.
	PluginStack plugin.PluginStack
}

Network exposes methods that can be used to configure a network stack.

func (*Network) CreateLinksAndRoutes

func (n *Network) CreateLinksAndRoutes(args *CreateLinksAndRoutesArgs, _ *struct{}) error

CreateLinksAndRoutes creates links and routes in a network stack. It should only be called once.

func (*Network) InitPluginStack

func (n *Network) InitPluginStack(args *InitPluginStackArgs, _ *struct{}) error

InitPluginStack initializes the plugin network stack. It invokes the Init() registered by the current plugin stack.

type NetworkInterface

type NetworkInterface struct {
	// Name is the name of the network interface.
	Name      string
	// Receive-side counters (bytes, packets, errors, drops).
	RxBytes   uint64
	RxPackets uint64
	RxErrors  uint64
	RxDropped uint64
	// Transmit-side counters (bytes, packets, errors, drops).
	TxBytes   uint64
	TxPackets uint64
	TxErrors  uint64
	TxDropped uint64
}

NetworkInterface holds the network statistics of a particular network interface.

type Pids

type Pids struct {
	Current uint64 `json:"current,omitempty"`
	Limit   uint64 `json:"limit,omitempty"`
}

Pids contains stats on processes.

type PodMountHints

type PodMountHints struct {
	Mounts map[string]*MountHint `json:"mounts"`
}

PodMountHints contains a collection of mountHints for the pod.

func NewPodMountHints

func NewPodMountHints(spec *specs.Spec) (*PodMountHints, error)

NewPodMountHints instantiates PodMountHints using spec.

func (*PodMountHints) FindMount

func (p *PodMountHints) FindMount(mountSrc string) *MountHint

FindMount finds the MountHint that applies to this mount.

type PortForwardOpts

type PortForwardOpts struct {
	// FilePayload contains one fd for a UDS (or local port) used for port
	// forwarding.
	urpc.FilePayload

	// ContainerID is the container for the process being executed.
	ContainerID string
	// Port is the port to forward.
	Port uint16
}

PortForwardOpts contains options for port forwarding to a port in a container.

type RestoreOpts

type RestoreOpts struct {
	// FilePayload contains the state file to be restored, followed in order by:
	// 1. checkpoint state file.
	// 2. optional checkpoint pages metadata file.
	// 3. optional checkpoint pages file.
	// 4. optional platform device file.
	urpc.FilePayload
	// HavePagesFile and HaveDeviceFile indicate which of the optional files
	// (presumably items 2-3 and item 4 above, respectively) are present in
	// FilePayload — confirm against Restore.
	HavePagesFile  bool
	HaveDeviceFile bool
	// Background's semantics are not documented here — confirm against Restore.
	Background     bool
}

RestoreOpts contains options related to restoring a container's file system.

type RootfsHint

type RootfsHint struct {
	// Mount carries the rootfs mount source and type provided by the
	// annotations.
	Mount   specs.Mount
	// Overlay is the overlay medium to use for the rootfs.
	Overlay config.OverlayMedium
}

RootfsHint represents extra information about the rootfs that is provided via annotations. It can provide the mount source, mount type and overlay config.

func NewRootfsHint

func NewRootfsHint(spec *specs.Spec) (*RootfsHint, error)

NewRootfsHint instantiates RootfsHint using spec.

type Route

type Route struct {
	// Destination is the destination network the route matches.
	Destination net.IPNet
	// Gateway is the next-hop address. It may be left unset, as the loopback
	// routes in DefaultLoopbackLink do.
	Gateway     net.IP
}

Route represents a route in the network stack.

func (*Route) Empty

func (r *Route) Empty() bool

Empty returns true if route hasn't been set.

type ShareType

type ShareType int

ShareType indicates who can access/mutate the volume contents.

func (ShareType) String

func (s ShareType) String() string

type SignalArgs

type SignalArgs struct {
	// CID is the container ID.
	CID string

	// Signo is the signal to send to the process.
	Signo int32

	// PID is the process ID in the given container that will be signaled,
	// relative to the root PID namespace, not the container's.
	// If 0, the root container will be signalled.
	PID int32

	// Mode is the signal delivery mode.
	Mode SignalDeliveryMode
}

SignalArgs are arguments to the Signal method.

type SignalDeliveryMode

type SignalDeliveryMode int

SignalDeliveryMode enumerates different signal delivery modes.

const (
	// DeliverToProcess delivers the signal to the container process with
	// the specified PID. If PID is 0, then the container init process is
	// signaled.
	DeliverToProcess SignalDeliveryMode = iota

	// DeliverToAllProcesses delivers the signal to all processes in the
	// container. PID must be 0.
	DeliverToAllProcesses

	// DeliverToForegroundProcessGroup delivers the signal to the
	// foreground process group in the same TTY session as the specified
	// process. If PID is 0, then the signal is delivered to the foreground
	// process group for the TTY for the init process.
	DeliverToForegroundProcessGroup
)

func (SignalDeliveryMode) String

func (s SignalDeliveryMode) String() string

type StartArgs

type StartArgs struct {
	// Spec is the spec of the container to start.
	Spec *specs.Spec

	// Conf is the runsc-specific configuration for the sandbox.
	Conf *config.Config

	// CID is the ID of the container to start.
	CID string

	// NumGoferFilestoreFDs is the number of gofer filestore FDs donated.
	NumGoferFilestoreFDs int

	// IsDevIoFilePresent indicates whether the dev gofer FD is present.
	IsDevIoFilePresent bool

	// GoferMountConfs contains information about how the gofer mounts have been
	// configured. The first entry is for rootfs and the following entries are
	// for bind mounts in Spec.Mounts (in the same order).
	GoferMountConfs []GoferMountConf

	// FilePayload contains, in order:
	//   * stdin, stdout, and stderr (optional: if terminal is disabled).
	//   * file descriptors to gofer-backing host files (optional).
	//   * file descriptor for /dev gofer connection (optional)
	//   * file descriptors to connect to gofer to serve the root filesystem.
	urpc.FilePayload
}

StartArgs contains arguments to the Start method.

type Stats

type Stats struct {
	CPU               CPU                 `json:"cpu"`
	Memory            Memory              `json:"memory"`
	Pids              Pids                `json:"pids"`
	NetworkInterfaces []*NetworkInterface `json:"network_interfaces"`
}

Stats is the runc-specific stats structure, kept for stability when encoding and decoding stats.

type WaitPIDArgs

type WaitPIDArgs struct {
	// PID is the PID in the container's PID namespace.
	PID int32

	// CID is the container ID.
	CID string
}

WaitPIDArgs are arguments to the WaitPID method.

type XDPLink struct {
	// Name is the name of the network interface.
	Name              string
	// InterfaceIndex is the interface index (presumably the host's ifindex —
	// confirm against the caller that populates it).
	InterfaceIndex    int
	// MTU is the link's maximum transmission unit.
	MTU               int
	// Addresses and Routes are configured on the link once it is created.
	Addresses         []IPWithPrefix
	Routes            []Route
	// TXChecksumOffload and RXChecksumOffload control checksum offload on
	// transmit and receive. NOTE(review): whether true means received packets
	// are not checksum-validated by the sentry is not stated here — confirm.
	TXChecksumOffload bool
	RXChecksumOffload bool
	// LinkAddress is the link-layer (hardware) address of the interface.
	LinkAddress       net.HardwareAddr
	// QDisc selects the queueing discipline for the link.
	QDisc             config.QueueingDiscipline
	// Neighbors are static IP-to-hardware-address entries for the link (see
	// Neighbor).
	Neighbors         []Neighbor
	// GVisorGRO enables gVisor's GRO handling on the link (exact semantics
	// not shown here — confirm against the link setup code).
	GVisorGRO         bool
	// Bind selects whether the sentry or the runsc process binds the AF_XDP
	// socket (see BindOpt).
	Bind              BindOpt

	// NumChannels controls how many underlying FDs are to be used to
	// create this endpoint.
	NumChannels int
}

XDPLink configures an XDP link.

Directories

Path Synopsis
Package filter installs seccomp filters to prevent prohibited syscalls in case the Sentry is compromised.
Package filter installs seccomp filters to prevent prohibited syscalls in case the Sentry is compromised.
config
Package config defines all syscalls the sandbox is allowed to make to the host.
Package config defines all syscalls the sandbox is allowed to make to the host.
dumpfilter
dumpfilter dumps the seccomp-bpf program used by the Sentry.
dumpfilter dumps the seccomp-bpf program used by the Sentry.
Package portforward holds the infrastructure to support the port forward command.
Package portforward holds the infrastructure to support the port forward command.
Package pprof provides a stub to initialize custom profilers.
Package pprof provides a stub to initialize custom profilers.
Package procfs holds utilities for getting procfs information for sandboxed processes.
Package procfs holds utilities for getting procfs information for sandboxed processes.
