package devices

import "github.com/opencontainers/runc/libcontainer/cgroups/devices"

Index ¶

• type Emulator
• func EmulatorFromList(list io.Reader) (*Emulator, error)
• func (e *Emulator) Apply(rule devices.Rule) error
• func (e *Emulator) IsAllowAll() bool
• func (e *Emulator) IsBlacklist() bool
• func (source *Emulator) Transition(target *Emulator) ([]*devices.Rule, error)

Types ¶

type Emulator ¶

type Emulator struct {
	// contains filtered or unexported fields
}

func EmulatorFromList ¶

func EmulatorFromList(list io.Reader) (*Emulator, error)

EmulatorFromList takes a reader to a "devices.list"-like source, and returns a new Emulator that represents the state of the devices cgroup. Note that black-list devices cgroups cannot be fully reconstructed, due to limitations in the devices cgroup API. Instead, such cgroups are always treated as "allow all" cgroups.

func (*Emulator) Apply ¶

func (e *Emulator) Apply(rule devices.Rule) error

func (*Emulator) IsAllowAll ¶

func (e *Emulator) IsAllowAll() bool

func (*Emulator) IsBlacklist ¶

func (e *Emulator) IsBlacklist() bool

func (*Emulator) Transition ¶

func (source *Emulator) Transition(target *Emulator) ([]*devices.Rule, error)

Transition calculates what is the minimally-disruptive set of rules need to be applied to a devices cgroup in order to transition to the given target. This means that any already-existing rules will not be applied, and disruptive rules (like denying all device access) will only be applied if necessary.

This function is the sole reason for all of Emulator -- to allow us to figure out how to update a containers' cgroups without causing spurrious device errors (if possible).

Source Files ¶

devices_emulator.go