isolation

package
v0.49.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 23, 2022 License: Apache-2.0 Imports: 26 Imported by: 2

Documentation

Index

Constants

View Source 
const (
	QEMUIMGPath = "/usr/bin/qemu-img"
)

Variables

This section is empty.

Functions

func AdjustQemuProcessMemoryLimits added in v0.42.0 

func AdjustQemuProcessMemoryLimits(podIsoDetector PodIsolationDetector, vmi *v1.VirtualMachineInstance) error

AdjustQemuProcessMemoryLimits adjusts QEMU process MEMLOCK rlimits that runs inside virt-launcher pod on the given VMI according to its spec. Only VMI's with VFIO devices (e.g: SRIOV, GPU), SEV or RealTime workloads require QEMU process MEMLOCK adjustment.

func GetImageInfo added in v0.20.0 

func GetImageInfo(imagePath string, context IsolationResult, config *v1.DiskVerification) (*containerdisk.DiskInfo, error)

func IsBlockDevice added in v0.49.1 

func IsBlockDevice(path *safepath.Path) (bool, error)

IsBlockDevice checks if the given path is a block device or not.

func IsMounted added in v0.49.1 

func IsMounted(mountPoint *safepath.Path) (isMounted bool, err error)

IsMounted checks if the given path is a mount point or not.

func MountInfoRoot added in v0.42.0 

func MountInfoRoot(r IsolationResult) (mountInfo *mount.Info, err error)

MountInfoRoot returns the mount information for the root mount point

func ParentPathForRootMount added in v0.42.0 

func ParentPathForRootMount(parent IsolationResult, child IsolationResult) (*safepath.Path, error)

ParentPathForRootMount takes a container (child) and composes a path to the root mount point in the context of the parent.

func SafeJoin added in v0.49.1 

func SafeJoin(res IsolationResult, elems ...string) (*safepath.Path, error)

Types

type IsolationResult 

type IsolationResult interface {
	// cgroup slice
	Slice() string
	// process ID
	Pid() int
	// parent process ID
	PPid() int
	// full path to the process namespace
	PIDNamespace() string
	// full path to the process root mount
	MountRoot() (*safepath.Path, error)
	// full path to the mount namespace
	MountNamespace() string
	// mounts for the process
	Mounts(mount.FilterFunc) ([]*mount.Info, error)
}

IsolationResult is the result of a successful PodIsolationDetector.Detect

func NewIsolationResult 

func NewIsolationResult(pid, ppid int, slice string, controller []string) IsolationResult

type MockIsolationResult added in v0.27.0 

type MockIsolationResult struct {
	// contains filtered or unexported fields
}

Mock of IsolationResult interface

func NewMockIsolationResult added in v0.27.0 

func NewMockIsolationResult(ctrl *gomock.Controller) *MockIsolationResult

func (*MockIsolationResult) EXPECT added in v0.27.0 

func (_m *MockIsolationResult) EXPECT() *_MockIsolationResultRecorder

func (*MockIsolationResult) MountNamespace added in v0.27.0 

func (_m *MockIsolationResult) MountNamespace() string

func (*MockIsolationResult) MountRoot added in v0.27.0 

func (_m *MockIsolationResult) MountRoot() (*safepath.Path, error)

func (*MockIsolationResult) Mounts added in v0.42.0 

func (_m *MockIsolationResult) Mounts(_param0 mountinfo.FilterFunc) ([]*mountinfo.Info, error)

func (*MockIsolationResult) PIDNamespace added in v0.27.0 

func (_m *MockIsolationResult) PIDNamespace() string

func (*MockIsolationResult) PPid added in v0.42.0 

func (_m *MockIsolationResult) PPid() int

func (*MockIsolationResult) Pid added in v0.27.0 

func (_m *MockIsolationResult) Pid() int

func (*MockIsolationResult) Slice added in v0.27.0 

func (_m *MockIsolationResult) Slice() string

type MockPodIsolationDetector 

type MockPodIsolationDetector struct {
	// contains filtered or unexported fields
}

Mock of PodIsolationDetector interface

func NewMockPodIsolationDetector 

func NewMockPodIsolationDetector(ctrl *gomock.Controller) *MockPodIsolationDetector

func (*MockPodIsolationDetector) AdjustResources added in v0.21.0 

func (_m *MockPodIsolationDetector) AdjustResources(vm *v1.VirtualMachineInstance) error

func (*MockPodIsolationDetector) Allowlist added in v0.48.0 

func (_m *MockPodIsolationDetector) Allowlist(controller []string) PodIsolationDetector

func (*MockPodIsolationDetector) Detect 

func (_m *MockPodIsolationDetector) Detect(vm *v1.VirtualMachineInstance) (IsolationResult, error)

func (*MockPodIsolationDetector) DetectForSocket added in v0.20.0 

func (_m *MockPodIsolationDetector) DetectForSocket(vm *v1.VirtualMachineInstance, socket string) (IsolationResult, error)

func (*MockPodIsolationDetector) EXPECT 

func (_m *MockPodIsolationDetector) EXPECT() *_MockPodIsolationDetectorRecorder

type PodIsolationDetector 

type PodIsolationDetector interface {
	// Detect takes a vm, looks up a socket based the VM and detects pid, cgroups and namespaces of the owner of that socket.
	// It returns an IsolationResult containing all isolation information
	Detect(vm *v1.VirtualMachineInstance) (IsolationResult, error)

	DetectForSocket(vm *v1.VirtualMachineInstance, socket string) (IsolationResult, error)

	// Allowlist allows specifying cgroup controller which should be considered to detect the cgroup slice
	// It returns a PodIsolationDetector to allow configuring the PodIsolationDetector via the builder pattern.
	Allowlist(controller []string) PodIsolationDetector

	// Adjust system resources to run the passed VM
	AdjustResources(vm *v1.VirtualMachineInstance) error
}

PodIsolationDetector helps detecting cgroups, namespaces and PIDs of Pods from outside of them. Different strategies may be applied to do that.

func NewSocketBasedIsolationDetector 

func NewSocketBasedIsolationDetector(socketDir string, cgroupParser cgroup.Parser) PodIsolationDetector

NewSocketBasedIsolationDetector takes socketDir and creates a socket based IsolationDetector It returns a PodIsolationDetector which detects pid, cgroups and namespaces of the socket owner.

type RealIsolationResult added in v0.42.0 

type RealIsolationResult struct {
	// contains filtered or unexported fields
}

func NodeIsolationResult 

func NodeIsolationResult() *RealIsolationResult

func (*RealIsolationResult) AreMounted added in v0.42.0 

func (r *RealIsolationResult) AreMounted(mountPoints ...*safepath.Path) (isMounted bool, err error)

AreMounted checks if given paths are mounted by calling IsMounted. If error occurs, the first error is returned.

func (*RealIsolationResult) Controller added in v0.42.0 

func (r *RealIsolationResult) Controller() []string

func (*RealIsolationResult) MountNamespace added in v0.42.0 

func (r *RealIsolationResult) MountNamespace() string

func (*RealIsolationResult) MountRoot added in v0.42.0 

func (r *RealIsolationResult) MountRoot() (*safepath.Path, error)

func (*RealIsolationResult) MountRootRelative added in v0.49.1 

func (r *RealIsolationResult) MountRootRelative(relativePath string) (*safepath.Path, error)

func (*RealIsolationResult) Mounts added in v0.42.0 

func (r *RealIsolationResult) Mounts(filter mount.FilterFunc) ([]*mount.Info, error)

Mounts returns mounts for the given process based on the supplied filter

func (*RealIsolationResult) PIDNamespace added in v0.42.0 

func (r *RealIsolationResult) PIDNamespace() string

func (*RealIsolationResult) PPid added in v0.42.0 

func (r *RealIsolationResult) PPid() int

func (*RealIsolationResult) Pid added in v0.42.0 

func (r *RealIsolationResult) Pid() int

func (*RealIsolationResult) Slice added in v0.42.0 

func (r *RealIsolationResult) Slice() string

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.