isolation

package
v0.47.1
Published: Nov 10, 2021 License: Apache-2.0 Imports: 26 Imported by: 2

Documentation

Constants

const (
	QEMUIMGPath = "/usr/bin/qemu-img"
)

Variables

This section is empty.

Functions

func AdjustQemuProcessMemoryLimits added in v0.42.0

func AdjustQemuProcessMemoryLimits(podIsoDetector PodIsolationDetector, vmi *v1.VirtualMachineInstance) error

AdjustQemuProcessMemoryLimits adjusts the MEMLOCK rlimits of the QEMU process that runs inside the virt-launcher pod of the given VMI, according to the VMI spec. Only VMIs with VFIO devices (e.g. SR-IOV, GPU) or RealTime workloads require a QEMU process MEMLOCK adjustment.

func GetFileSize added in v0.36.4

func GetFileSize(imagePath string, context IsolationResult) (int64, error)

func GetImageInfo added in v0.20.0

func GetImageInfo(imagePath string, context IsolationResult, config *v1.DiskVerification) (*containerdisk.DiskInfo, error)

func MountInfoRoot added in v0.42.0

func MountInfoRoot(r IsolationResult) (mountInfo *mount.Info, err error)

MountInfoRoot returns the mount information for the root mount point.

func ParentPathForRootMount added in v0.42.0

func ParentPathForRootMount(parent IsolationResult, child IsolationResult) (string, error)

ParentPathForRootMount takes a container (child) and composes a path to the root mount point in the context of the parent.

Types

type IsolationResult

type IsolationResult interface {
	// cgroup slice
	Slice() string
	// process ID
	Pid() int
	// parent process ID
	PPid() int
	// full path to the process namespace
	PIDNamespace() string
	// full path to the process root mount
	MountRoot() string
	// full path to the mount namespace
	MountNamespace() string
	// full path to the network namespace
	NetNamespace() string
	// execute a function in the process network namespace
	DoNetNS(func() error) error
	// mounts for the process
	Mounts(mount.FilterFunc) ([]*mount.Info, error)
}

IsolationResult is the result of a successful PodIsolationDetector.Detect call.

func NewIsolationResult

func NewIsolationResult(pid, ppid int, slice string, controller []string) IsolationResult

type MockIsolationResult added in v0.27.0

type MockIsolationResult struct {
	// contains filtered or unexported fields
}

Mock of the IsolationResult interface.

func NewMockIsolationResult added in v0.27.0

func NewMockIsolationResult(ctrl *gomock.Controller) *MockIsolationResult

func (*MockIsolationResult) DoNetNS added in v0.27.0

func (_m *MockIsolationResult) DoNetNS(_param0 func() error) error

func (*MockIsolationResult) EXPECT added in v0.27.0

func (_m *MockIsolationResult) EXPECT() *_MockIsolationResultRecorder

func (*MockIsolationResult) MountNamespace added in v0.27.0

func (_m *MockIsolationResult) MountNamespace() string

func (*MockIsolationResult) MountRoot added in v0.27.0

func (_m *MockIsolationResult) MountRoot() string

func (*MockIsolationResult) Mounts added in v0.42.0

func (_m *MockIsolationResult) Mounts(_param0 mountinfo.FilterFunc) ([]*mountinfo.Info, error)

func (*MockIsolationResult) NetNamespace added in v0.27.0

func (_m *MockIsolationResult) NetNamespace() string

func (*MockIsolationResult) PIDNamespace added in v0.27.0

func (_m *MockIsolationResult) PIDNamespace() string

func (*MockIsolationResult) PPid added in v0.42.0

func (_m *MockIsolationResult) PPid() int

func (*MockIsolationResult) Pid added in v0.27.0

func (_m *MockIsolationResult) Pid() int

func (*MockIsolationResult) Slice added in v0.27.0

func (_m *MockIsolationResult) Slice() string

type MockPodIsolationDetector

type MockPodIsolationDetector struct {
	// contains filtered or unexported fields
}

Mock of the PodIsolationDetector interface.

func NewMockPodIsolationDetector

func NewMockPodIsolationDetector(ctrl *gomock.Controller) *MockPodIsolationDetector

func (*MockPodIsolationDetector) AdjustResources added in v0.21.0

func (_m *MockPodIsolationDetector) AdjustResources(vm *v1.VirtualMachineInstance) error

func (*MockPodIsolationDetector) Detect

func (*MockPodIsolationDetector) DetectForSocket added in v0.20.0

func (_m *MockPodIsolationDetector) DetectForSocket(vm *v1.VirtualMachineInstance, socket string) (IsolationResult, error)

func (*MockPodIsolationDetector) EXPECT

func (_m *MockPodIsolationDetector) EXPECT() *_MockPodIsolationDetectorRecorder

func (*MockPodIsolationDetector) Whitelist

func (_m *MockPodIsolationDetector) Whitelist(controller []string) PodIsolationDetector

type PodIsolationDetector

type PodIsolationDetector interface {
	// Detect takes a vm, looks up a socket based on the VM and detects the pid, cgroups and namespaces of the owner of that socket.
	// It returns an IsolationResult containing all isolation information.
	Detect(vm *v1.VirtualMachineInstance) (IsolationResult, error)

	// DetectForSocket is like Detect, but uses the given socket instead of looking one up for the VM.
	DetectForSocket(vm *v1.VirtualMachineInstance, socket string) (IsolationResult, error)

	// Whitelist allows specifying the cgroup controllers which should be considered when detecting the cgroup slice.
	// It returns a PodIsolationDetector to allow configuring the PodIsolationDetector via the builder pattern.
	Whitelist(controller []string) PodIsolationDetector

	// AdjustResources adjusts system resources to run the passed VM.
	AdjustResources(vm *v1.VirtualMachineInstance) error
}

PodIsolationDetector helps detect the cgroups, namespaces and PIDs of Pods from outside of them. Different strategies may be applied to do that.

func NewSocketBasedIsolationDetector

func NewSocketBasedIsolationDetector(socketDir string, cgroupParser cgroup.Parser) PodIsolationDetector

NewSocketBasedIsolationDetector takes a socketDir and creates a socket-based isolation detector. It returns a PodIsolationDetector which detects the pid, cgroups and namespaces of the socket owner.

type RealIsolationResult added in v0.42.0

type RealIsolationResult struct {
	// contains filtered or unexported fields
}

func NodeIsolationResult

func NodeIsolationResult() *RealIsolationResult

func (*RealIsolationResult) AreMounted added in v0.42.0

func (r *RealIsolationResult) AreMounted(mountPoints ...string) (isMounted bool, err error)

AreMounted checks if the given paths are mounted by calling IsMounted on each of them. If an error occurs, the first error is returned.

func (*RealIsolationResult) Controller added in v0.42.0

func (r *RealIsolationResult) Controller() []string

func (*RealIsolationResult) DoNetNS added in v0.42.0

func (r *RealIsolationResult) DoNetNS(f func() error) error

func (*RealIsolationResult) IsBlockDevice added in v0.42.0

func (r *RealIsolationResult) IsBlockDevice(path string) (bool, error)

IsBlockDevice checks if the given path is a block device or not.

func (*RealIsolationResult) IsMounted added in v0.42.0

func (r *RealIsolationResult) IsMounted(mountPoint string) (isMounted bool, err error)

IsMounted checks if the given path is a mount point or not. Works with symlinks.

func (*RealIsolationResult) MountNamespace added in v0.42.0

func (r *RealIsolationResult) MountNamespace() string

func (*RealIsolationResult) MountRoot added in v0.42.0

func (r *RealIsolationResult) MountRoot() string

func (*RealIsolationResult) Mounts added in v0.42.0

func (r *RealIsolationResult) Mounts(filter mount.FilterFunc) ([]*mount.Info, error)

Mounts returns the mounts for the given process, filtered by the supplied filter.

func (*RealIsolationResult) NetNamespace added in v0.42.0

func (r *RealIsolationResult) NetNamespace() string

func (*RealIsolationResult) PIDNamespace added in v0.42.0

func (r *RealIsolationResult) PIDNamespace() string

func (*RealIsolationResult) PPid added in v0.42.0

func (r *RealIsolationResult) PPid() int

func (*RealIsolationResult) Pid added in v0.42.0

func (r *RealIsolationResult) Pid() int

func (*RealIsolationResult) Slice added in v0.42.0

func (r *RealIsolationResult) Slice() string
