Documentation ¶
Overview ¶
Package sandbox creates and manipulates sandboxes.
Index ¶
- func ConfigureCmdForRootless(cmd *exec.Cmd, donations *donation.Agency) (*os.File, error)
- func SetCloExeOnAllFDs() (retErr error)
- func SetUserMappings(spec *specs.Spec, pid int) error
- type Args
- type Sandbox
- func (s *Sandbox) BlockProfile(f *os.File, duration time.Duration) error
- func (s *Sandbox) CPUProfile(f *os.File, duration time.Duration) error
- func (s *Sandbox) CgroupsReadControlFile(file control.CgroupControlFile) (string, error)
- func (s *Sandbox) CgroupsWriteControlFile(file control.CgroupControlFile, value string) error
- func (s *Sandbox) ChangeLogging(args control.LoggingArgs) error
- func (s *Sandbox) Checkpoint(cid string, imagePath string, direct bool, sfOpts statefile.Options, ...) error
- func (s *Sandbox) ContainerRuntimeState(cid string) (boot.ContainerRuntimeState, error)
- func (s *Sandbox) CreateSubcontainer(conf *config.Config, cid string, tty *os.File) error
- func (s *Sandbox) CreateTraceSession(config *seccheck.SessionConfig, force bool) error
- func (s *Sandbox) DeleteTraceSession(name string) error
- func (s *Sandbox) DestroyContainer(cid string) error
- func (s *Sandbox) Event(cid string) (*boot.EventOut, error)
- func (s *Sandbox) Execute(conf *config.Config, args *control.ExecArgs) (int32, error)
- func (s *Sandbox) ExportMetrics(opts control.MetricsExportOpts) (*prometheus.Snapshot, error)
- func (s *Sandbox) GetRegisteredMetrics() (*metricpb.MetricRegistration, error)
- func (s *Sandbox) Getpid() int
- func (s *Sandbox) HeapProfile(f *os.File, delay time.Duration) error
- func (s *Sandbox) IsRootContainer(cid string) bool
- func (s *Sandbox) IsRunning() bool
- func (s *Sandbox) ListTraceSessions() ([]seccheck.SessionConfig, error)
- func (s *Sandbox) Mount(cid, fstype, src, dest string) error
- func (s *Sandbox) MutexProfile(f *os.File, duration time.Duration) error
- func (s *Sandbox) NewCGroup() (cgroup.Cgroup, error)
- func (s *Sandbox) Pause(cid string) error
- func (s *Sandbox) PortForward(opts *boot.PortForwardOpts) error
- func (s *Sandbox) Processes(cid string) ([]*control.Process, error)
- func (s *Sandbox) ProcfsDump() ([]procfs.ProcessProcfsDump, error)
- func (s *Sandbox) Restore(conf *config.Config, cid string, imagePath string, direct, background bool) error
- func (s *Sandbox) RestoreSubcontainer(spec *specs.Spec, conf *config.Config, cid string, ...) error
- func (s *Sandbox) Resume(cid string) error
- func (s *Sandbox) SetRootDir(rootDir string)
- func (s *Sandbox) SignalContainer(cid string, sig unix.Signal, all bool) error
- func (s *Sandbox) SignalProcess(cid string, pid int32, sig unix.Signal, fgProcess bool) error
- func (s *Sandbox) Stacks() (string, error)
- func (s *Sandbox) StartRoot(conf *config.Config) error
- func (s *Sandbox) StartSubcontainer(spec *specs.Spec, conf *config.Config, cid string, ...) error
- func (s *Sandbox) Trace(f *os.File, duration time.Duration) error
- func (s *Sandbox) Usage(Full bool) (control.MemoryUsage, error)
- func (s *Sandbox) UsageFD() (*control.MemoryUsageRecord, error)
- func (s *Sandbox) Wait(cid string) (unix.WaitStatus, error)
- func (s *Sandbox) WaitCheckpoint(n uint32) error
- func (s *Sandbox) WaitPID(cid string, pid int32) (unix.WaitStatus, error)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ConfigureCmdForRootless ¶
ConfigureCmdForRootless configures cmd to donate a socket FD that can be used to synchronize userns configuration.
func SetCloExeOnAllFDs ¶
func SetCloExeOnAllFDs() (retErr error)
SetCloExeOnAllFDs sets CLOEXEC on all FDs in /proc/self/fd. This avoids leaking inherited FDs from the parent (caller) to subprocesses created.
Types ¶
type Args ¶
type Args struct { // ID is the sandbox unique identifier. ID string // Spec is the OCI spec that describes the container. Spec *specs.Spec // BundleDir is the directory containing the container bundle. BundleDir string // ConsoleSocket is the path to a unix domain socket that will receive // the console FD. It may be empty. ConsoleSocket string // UserLog is the filename to send user-visible logs to. It may be empty. UserLog string // IOFiles is the list of image files and/or socket files that connect to // a gofer endpoint for the mount points using Gofers. They must be in the // same order as mounts appear in the spec. IOFiles []*os.File // File that connects to a gofer endpoint for a device mount point at /dev. DevIOFile *os.File // GoferFilestoreFiles are the regular files that will back the overlayfs or // tmpfs mount if a gofer mount is to be overlaid. GoferFilestoreFiles []*os.File // GoferMountConfs contains information about how the gofer mounts have been // configured. The first entry is for rootfs and the following entries are // for bind mounts in Spec.Mounts (in the same order). GoferMountConfs boot.GoferMountConfFlags // MountHints provides extra information about containers mounts that apply // to the entire pod. MountHints *boot.PodMountHints // MountsFile is a file container mount information from the spec. It's // equivalent to the mounts from the spec, except that all paths have been // resolved to their final absolute location. MountsFile *os.File // Gcgroup is the cgroup that the sandbox is part of. Cgroup cgroup.Cgroup // Attached indicates that the sandbox lifecycle is attached with the caller. // If the caller exits, the sandbox should exit too. Attached bool // SinkFiles is the an ordered array of files to be used by seccheck sinks // configured from the --pod-init-config file. SinkFiles []*os.File // PassFiles are user-supplied files from the host to be exposed to the // sandboxed app. PassFiles map[int]*os.File // ExecFile is the file from the host used for program execution. ExecFile *os.File }
Args is used to configure a new sandbox.
type Sandbox ¶
type Sandbox struct { // ID is the id of the sandbox (immutable). By convention, this is the same // ID as the first container run in the sandbox. ID string `json:"id"` // PodName is the name of the Kubernetes Pod (if any) that this sandbox // represents. Unset if not running under containerd or Kubernetes. PodName string `json:"podName"` // Namespace is the Kubernetes namespace (if any) of the pod that this // sandbox represents. Unset if not running under containerd or Kubernetes. Namespace string `json:"namespace"` // Pid is the pid of the running sandbox. May be 0 if the sandbox // is not running. Pid pid `json:"pid"` // UID is the user ID in the parent namespace that the sandbox is running as. UID int `json:"uid"` // GID is the group ID in the parent namespace that the sandbox is running as. GID int `json:"gid"` // CgroupJSON contains the cgroup configuration that the sandbox is part of // and allow serialization of the configuration into json CgroupJSON cgroup.CgroupJSON `json:"cgroup"` // OriginalOOMScoreAdj stores the value of oom_score_adj when the sandbox // started, before it may be modified. OriginalOOMScoreAdj int `json:"originalOomScoreAdj"` // RegisteredMetrics is the set of metrics registered in the sandbox. // Used for verifying metric data integrity after containers are started. // Only populated if exporting metrics was requested when the sandbox was // created. RegisteredMetrics *metricpb.MetricRegistration `json:"registeredMetrics"` // MetricMetadata are key-value pairs that are useful to export about this // sandbox, but not part of the set of labels that uniquely identify it. // They are static once initialized, and typically contain high-level // configuration information about the sandbox. MetricMetadata map[string]string `json:"metricMetadata"` // MetricServerAddress is the address of the metric server that this sandbox // intends to export metrics for. // Only populated if exporting metrics was requested when the sandbox was // created. MetricServerAddress string `json:"metricServerAddress"` // ControlSocketPath is the path to the sandbox's uRPC server socket. // Connections to the sandbox are made through this. // DO NOT access this directly, use getControlSocketPath() instead. ControlSocketPath string `json:"controlSocketPath"` // MountHints provides extra information about container mounts that apply // to the entire pod. MountHints *boot.PodMountHints `json:"mountHints"` // StartTime is the time the sandbox was started. StartTime time.Time `json:"startTime"` // contains filtered or unexported fields }
Sandbox wraps a sandbox process.
It is used to start/stop sandbox process (and associated processes like gofers), as well as for running and manipulating containers inside a running sandbox.
Note: Sandbox must be immutable because a copy of it is saved for each container and changes would not be synchronized to all of them.
func (*Sandbox) BlockProfile ¶
BlockProfile writes a block profile to the given file.
func (*Sandbox) CPUProfile ¶
CPUProfile collects a CPU profile.
func (*Sandbox) CgroupsReadControlFile ¶
func (s *Sandbox) CgroupsReadControlFile(file control.CgroupControlFile) (string, error)
CgroupsReadControlFile reads a single cgroupfs control file in the sandbox.
func (*Sandbox) CgroupsWriteControlFile ¶
func (s *Sandbox) CgroupsWriteControlFile(file control.CgroupControlFile, value string) error
CgroupsWriteControlFile writes a single cgroupfs control file in the sandbox.
func (*Sandbox) ChangeLogging ¶
func (s *Sandbox) ChangeLogging(args control.LoggingArgs) error
ChangeLogging changes logging options.
func (*Sandbox) Checkpoint ¶
func (s *Sandbox) Checkpoint(cid string, imagePath string, direct bool, sfOpts statefile.Options, mfOpts pgalloc.SaveOpts) error
Checkpoint sends the checkpoint call for a container in the sandbox. The statefile will be written to f.
func (*Sandbox) ContainerRuntimeState ¶
func (s *Sandbox) ContainerRuntimeState(cid string) (boot.ContainerRuntimeState, error)
ContainerRuntimeState returns the runtime state of a container.
func (*Sandbox) CreateSubcontainer ¶
CreateSubcontainer creates a container inside the sandbox.
func (*Sandbox) CreateTraceSession ¶
func (s *Sandbox) CreateTraceSession(config *seccheck.SessionConfig, force bool) error
CreateTraceSession creates a new trace session.
func (*Sandbox) DeleteTraceSession ¶
DeleteTraceSession deletes an existing trace session.
func (*Sandbox) DestroyContainer ¶
DestroyContainer destroys the given container. If it is the root container, then the entire sandbox is destroyed.
func (*Sandbox) Execute ¶
Execute runs the specified command in the container. It returns the PID of the newly created process.
func (*Sandbox) ExportMetrics ¶
func (s *Sandbox) ExportMetrics(opts control.MetricsExportOpts) (*prometheus.Snapshot, error)
ExportMetrics returns a snapshot of metric values from the sandbox in Prometheus format.
func (*Sandbox) GetRegisteredMetrics ¶
func (s *Sandbox) GetRegisteredMetrics() (*metricpb.MetricRegistration, error)
GetRegisteredMetrics returns metric registration data from the sandbox. This data is meant to be used as a way to sanity-check any exported metrics data during the lifetime of the sandbox in order to avoid a compromised sandbox from being able to produce bogus metrics. This returns an error if the sandbox has not requested instrumentation during creation time.
func (*Sandbox) HeapProfile ¶
HeapProfile writes a heap profile to the given file.
func (*Sandbox) IsRootContainer ¶
IsRootContainer returns true if the specified container ID belongs to the root container.
func (*Sandbox) ListTraceSessions ¶
func (s *Sandbox) ListTraceSessions() ([]seccheck.SessionConfig, error)
ListTraceSessions lists all trace sessions.
func (*Sandbox) MutexProfile ¶
MutexProfile writes a mutex profile to the given file.
func (*Sandbox) NewCGroup ¶
NewCGroup returns the sandbox's Cgroup, or an error if it does not have one.
func (*Sandbox) PortForward ¶
func (s *Sandbox) PortForward(opts *boot.PortForwardOpts) error
PortForward starts port forwarding to the sandbox.
func (*Sandbox) Processes ¶
Processes retrieves the list of processes and associated metadata for a given container in this sandbox.
func (*Sandbox) ProcfsDump ¶
func (s *Sandbox) ProcfsDump() ([]procfs.ProcessProcfsDump, error)
ProcfsDump collects and returns a procfs dump for the sandbox.
func (*Sandbox) Restore ¶
func (s *Sandbox) Restore(conf *config.Config, cid string, imagePath string, direct, background bool) error
Restore sends the restore call for a container in the sandbox.
func (*Sandbox) RestoreSubcontainer ¶
func (s *Sandbox) RestoreSubcontainer(spec *specs.Spec, conf *config.Config, cid string, stdios, goferFiles, goferFilestoreFiles []*os.File, devIOFile *os.File, goferMountConf []boot.GoferMountConf) error
RestoreSubcontainer sends the restore call for a sub-container in the sandbox.
func (*Sandbox) SetRootDir ¶
SetRootDir sets the root directory from the current runsc invocation.
func (*Sandbox) SignalContainer ¶
SignalContainer sends the signal to a container in the sandbox. If all is true and signal is SIGKILL, then waits for all processes to exit before returning.
func (*Sandbox) SignalProcess ¶
SignalProcess sends the signal to a particular process in the container. If fgProcess is true, then the signal is sent to the foreground process group in the same session that PID belongs to. This is only valid if the process is attached to a host TTY.
func (*Sandbox) StartSubcontainer ¶
func (s *Sandbox) StartSubcontainer(spec *specs.Spec, conf *config.Config, cid string, stdios, goferFiles, goferFilestores []*os.File, devIOFile *os.File, goferConfs []boot.GoferMountConf) error
StartSubcontainer starts running a sub-container inside the sandbox.
func (*Sandbox) Usage ¶
func (s *Sandbox) Usage(Full bool) (control.MemoryUsage, error)
Usage sends the collect call for a container in the sandbox.
func (*Sandbox) UsageFD ¶
func (s *Sandbox) UsageFD() (*control.MemoryUsageRecord, error)
UsageFD sends the usagefd call for a container in the sandbox.
func (*Sandbox) Wait ¶
func (s *Sandbox) Wait(cid string) (unix.WaitStatus, error)
Wait waits for the containerized process to exit, and returns its WaitStatus.
func (*Sandbox) WaitCheckpoint ¶
WaitCheckpoint waits for the Kernel to have been successfully checkpointed n-1 times, then waits for either the n-th successful checkpoint (in which case it returns nil) or any number of failed checkpoints (in which case it returns an error returned by any such failure).