package configs
import "github.com/opencontainers/runc/libcontainer/configs"
Constants ¶
// Hook names, one per container lifecycle point. Commands for hooks that
// run in the Runtime namespace execute outside the container's isolation,
// so hook configuration is trusted, host-side input rather than container
// input. NOTE(review): only Prestart is declared with an explicit HookName
// type; the remaining constants are untyped string constants.
const (
	// Prestart commands are executed after the container namespaces are created,
	// but before the user supplied command is executed from init.
	// Note: This hook is now deprecated
	// Prestart commands are called in the Runtime namespace.
	Prestart HookName = "prestart"

	// CreateRuntime commands MUST be called as part of the create operation after
	// the runtime environment has been created but before the pivot_root has been executed.
	// CreateRuntime is called immediately after the deprecated Prestart hook.
	// CreateRuntime commands are called in the Runtime Namespace.
	CreateRuntime = "createRuntime"

	// CreateContainer commands MUST be called as part of the create operation after
	// the runtime environment has been created but before the pivot_root has been executed.
	// CreateContainer commands are called in the Container namespace.
	CreateContainer = "createContainer"

	// StartContainer commands MUST be called as part of the start operation and before
	// the container process is started.
	// StartContainer commands are called in the Container namespace.
	StartContainer = "startContainer"

	// Poststart commands are executed after the container init process starts.
	// Poststart commands are called in the Runtime Namespace.
	Poststart = "poststart"

	// Poststop commands are executed after the container init process exits.
	// Poststop commands are called in the Runtime Namespace.
	Poststop = "poststop"
)
// Container lifecycle status strings. Presumably these are the values
// carried in the runtime state's status field — confirm against specs.State.
const (
	Creating = "creating"
	Created  = "created"
	Running  = "running"
	Stopped  = "stopped"
)
TODO move this to runtime-spec See: https://github.com/opencontainers/runtime-spec/pull/1046
// runc-specific mount extension flags, combined into Mount.Extensions.
const (
	// EXT_COPYUP is a directive to copy up the contents of a directory when
	// a tmpfs is mounted over it.
	EXT_COPYUP = 1 << iota
)
const (
	// Wildcard is a sentinel meaning "match any value"; presumably used for
	// DeviceRule.Major/Minor — confirm in device.go.
	Wildcard = -1
)
Types ¶
type Action ¶
// Action is taken upon rule match in Seccomp.
type Action int
Action is taken upon rule match in Seccomp
type Arg ¶
// Arg is a rule to match a specific syscall argument in Seccomp.
type Arg struct {
	// Index is the position of the syscall argument this rule inspects.
	Index uint `json:"index"`
	// Value is the operand compared against the argument using Op.
	Value uint64 `json:"value"`
	// ValueTwo is a second operand; presumably only meaningful for operators
	// that take two values (e.g. MaskEqualTo) — confirm in the seccomp code.
	ValueTwo uint64 `json:"value_two"`
	// Op is the comparison applied between the argument and Value.
	Op Operator `json:"op"`
}
Arg is a rule to match a specific syscall argument in Seccomp
type Capabilities ¶
// Capabilities lists the capability sets the container process keeps
// (see Config.Capabilities); anything not listed is dropped.
type Capabilities struct {
	// Bounding is the set of capabilities checked by the kernel.
	Bounding []string
	// Effective is the set of capabilities checked by the kernel.
	Effective []string
	// Inheritable is the capabilities preserved across execve.
	Inheritable []string
	// Permitted is the limiting superset for effective capabilities.
	Permitted []string
	// Ambient is the ambient set of capabilities that are kept.
	Ambient []string
}
type Cgroup ¶
// Cgroup holds cgroup settings for the container (see Config.Cgroups).
// On this build it has no fields: the definition comes from
// cgroup_unsupported.go, for platforms without cgroup support.
type Cgroup struct{}
TODO Windows: This can ultimately be entirely factored out on Windows as cgroups are a Unix-specific construct.
type Command ¶
// Command describes an external program to run, either as a CommandHook or
// as a Mount pre-/post-mount command.
type Command struct {
	// Path is the executable to run.
	Path string `json:"path"`
	// Args is the argument vector; whether it includes argv[0] is not
	// visible here — confirm in Command.Run.
	Args []string `json:"args"`
	// Env is the environment given to the process.
	Env []string `json:"env"`
	// Dir is the working directory of the process.
	Dir string `json:"dir"`
	// Timeout optionally bounds how long the command may run; a nil value
	// presumably means no limit — confirm in Command.Run.
	Timeout *time.Duration `json:"timeout"`
}
func (Command) Run ¶
type CommandHook ¶
// CommandHook is a Hook that runs an external Command. It is the hook kind
// that survives JSON serialization of the Config (see Config.Hooks).
type CommandHook struct {
	Command
}
func NewCommandHook ¶
func NewCommandHook(cmd Command) CommandHook
NewCommandHook will execute the provided command when the hook is run.
type Config ¶
// Config defines configuration options for executing a process inside a
// contained environment.
type Config struct {
	// NoPivotRoot will use MS_MOVE and a chroot to jail the process into the container's rootfs
	// This is a common option when the container is running in ramdisk
	NoPivotRoot bool `json:"no_pivot_root"`

	// ParentDeathSignal specifies the signal that is sent to the container's process in the case
	// that the parent process dies.
	ParentDeathSignal int `json:"parent_death_signal"`

	// Path to a directory containing the container's root filesystem.
	Rootfs string `json:"rootfs"`

	// Readonlyfs will remount the container's rootfs as readonly where only externally mounted
	// bind mounts are writable.
	Readonlyfs bool `json:"readonlyfs"`

	// Specifies the mount propagation flags to be applied to /.
	RootPropagation int `json:"rootPropagation"`

	// Mounts specify additional source and destination paths that will be mounted inside the container's
	// rootfs and mount namespace if specified
	Mounts []*Mount `json:"mounts"`

	// The device nodes that should be automatically created within the container upon container start.
	// Note, make sure that the node is marked as allowed in the cgroup as well!
	Devices []*Device `json:"devices"`

	// MountLabel is presumably the SELinux label applied to the container's
	// mounts — confirm against the mount code.
	MountLabel string `json:"mount_label"`

	// Hostname optionally sets the container's hostname if provided
	Hostname string `json:"hostname"`

	// Namespaces specifies the container's namespaces that it should setup when cloning the init process
	// If a namespace is not provided that namespace is shared from the container's parent process
	Namespaces Namespaces `json:"namespaces"`

	// Capabilities specify the capabilities to keep when executing the process inside the container
	// All capabilities not specified will be dropped from the processes capability mask
	Capabilities *Capabilities `json:"capabilities"`

	// Networks specifies the container's network setup to be created
	Networks []*Network `json:"networks"`

	// Routes can be specified to create entries in the route table as the container is started
	Routes []*Route `json:"routes"`

	// Cgroups specifies specific cgroup settings for the various subsystems that the container is
	// placed into to limit the resources the container has available
	Cgroups *Cgroup `json:"cgroups"`

	// AppArmorProfile specifies the profile to apply to the process running in the container and is
	// changed at the time the process is execed
	AppArmorProfile string `json:"apparmor_profile,omitempty"`

	// ProcessLabel specifies the label to apply to the process running in the container. It is
	// commonly used by selinux
	ProcessLabel string `json:"process_label,omitempty"`

	// Rlimits specifies the resource limits, such as max open files, to set in the container
	// If Rlimits are not set, the container will inherit rlimits from the parent process
	Rlimits []Rlimit `json:"rlimits,omitempty"`

	// OomScoreAdj specifies the adjustment to be made by the kernel when calculating oom scores
	// for a process. Valid values are between the range [-1000, '1000'], where processes with
	// higher scores are preferred for being killed. If it is unset then we don't touch the current
	// value.
	// More information about kernel oom score calculation here: https://lwn.net/Articles/317814/
	OomScoreAdj *int `json:"oom_score_adj,omitempty"`

	// UidMappings is an array of User ID mappings for User Namespaces
	UidMappings []IDMap `json:"uid_mappings"`

	// GidMappings is an array of Group ID mappings for User Namespaces
	GidMappings []IDMap `json:"gid_mappings"`

	// MaskPaths specifies paths within the container's rootfs to mask over with a bind
	// mount pointing to /dev/null as to prevent reads of the file.
	MaskPaths []string `json:"mask_paths"`

	// ReadonlyPaths specifies paths within the container's rootfs to remount as read-only
	// so that these files prevent any writes.
	ReadonlyPaths []string `json:"readonly_paths"`

	// Sysctl is a map of properties and their values. It is the equivalent of using
	// sysctl -w my.property.name value in Linux.
	Sysctl map[string]string `json:"sysctl"`

	// Seccomp allows actions to be taken whenever a syscall is made within the container.
	// A number of rules are given, each having an action to be taken if a syscall matches it.
	// A default action to be taken if no rules match is also given.
	Seccomp *Seccomp `json:"seccomp"`

	// NoNewPrivileges controls whether processes in the container can gain additional privileges
	// (for example via setuid binaries or file capabilities across execve).
	NoNewPrivileges bool `json:"no_new_privileges,omitempty"`

	// Hooks are a collection of actions to perform at various container lifecycle events.
	// CommandHooks are serialized to JSON, but other hooks are not.
	// There is deliberately no json tag: encoding is done by Hooks.MarshalJSON/UnmarshalJSON.
	Hooks Hooks

	// Version is the version of opencontainer specification that is supported.
	Version string `json:"version"`

	// Labels are user defined metadata that is stored in the config and populated on the state
	Labels []string `json:"labels"`

	// NoNewKeyring will not allocate a new session keyring for the container. It will use the
	// caller's keyring in this case.
	NoNewKeyring bool `json:"no_new_keyring"`

	// IntelRdt specifies settings for Intel RDT group that the container is placed into
	// to limit the resources (e.g., L3 cache, memory bandwidth) the container has available
	IntelRdt *IntelRdt `json:"intel_rdt,omitempty"`

	// RootlessEUID is set when the runc was launched with non-zero EUID.
	// Note that RootlessEUID is set to false when launched with EUID=0 in userns.
	// When RootlessEUID is set, runc creates a new userns for the container.
	// (config.json needs to contain userns settings)
	RootlessEUID bool `json:"rootless_euid,omitempty"`

	// RootlessCgroups is set when unlikely to have the full access to cgroups.
	// When RootlessCgroups is set, cgroups errors are ignored, so requested
	// resource limits may silently go unenforced.
	RootlessCgroups bool `json:"rootless_cgroups,omitempty"`
}
Config defines configuration options for executing a process inside a contained environment.
type Device ¶
// Device is a device node created inside the container (see Config.Devices).
// The embedded DeviceRule also describes the cgroup access rule for it.
type Device struct {
	DeviceRule

	// Path to the device.
	Path string `json:"path"`

	// FileMode permission bits for the device.
	FileMode os.FileMode `json:"file_mode"`

	// Uid of the device.
	Uid uint32 `json:"uid"`

	// Gid of the device.
	Gid uint32 `json:"gid"`
}
type DevicePermissions ¶
// DevicePermissions is a cgroupv1-style string to represent device access.
// It has to be a string for backward compatibility reasons, hence why it has
// methods to do set operations.
type DevicePermissions string
DevicePermissions is a cgroupv1-style string to represent device access. It has to be a string for backward compatibility reasons, hence why it has methods to do set operations.
func (DevicePermissions) Difference ¶
func (p DevicePermissions) Difference(o DevicePermissions) DevicePermissions
Difference returns the set difference of the two sets of DevicePermissions. In set notation, A.Difference(B) gives you A\B.
func (DevicePermissions) Intersection ¶
func (p DevicePermissions) Intersection(o DevicePermissions) DevicePermissions
Intersection computes the intersection of the two sets of DevicePermissions.
func (DevicePermissions) IsEmpty ¶
func (p DevicePermissions) IsEmpty() bool
IsEmpty returns whether the set of permissions in a DevicePermissions is empty.
func (DevicePermissions) IsValid ¶
func (p DevicePermissions) IsValid() bool
IsValid returns whether the set of permissions is a subset of valid permissions (namely, {r,w,m}).
func (DevicePermissions) Union ¶
func (p DevicePermissions) Union(o DevicePermissions) DevicePermissions
Union returns the union of the two sets of DevicePermissions.
type DeviceRule ¶
// DeviceRule is a single device cgroup access rule (see CgroupString).
type DeviceRule struct {
	// Type of device ('c' for char, 'b' for block). If set to 'a', this rule
	// acts as a wildcard and all fields other than Allow are ignored.
	Type DeviceType `json:"type"`

	// Major is the device's major number.
	Major int64 `json:"major"`

	// Minor is the device's minor number.
	Minor int64 `json:"minor"`

	// Permissions is the set of permissions that this rule applies to (in the
	// cgroupv1 format -- any combination of "rwm").
	Permissions DevicePermissions `json:"permissions"`

	// Allow specifies whether this rule is allowed.
	Allow bool `json:"allow"`
}
func (*DeviceRule) CgroupString ¶
func (d *DeviceRule) CgroupString() string
func (*DeviceRule) Mkdev ¶
func (d *DeviceRule) Mkdev() (uint64, error)
type DeviceType ¶
// DeviceType is the single-character device node type; see the
// WildcardDevice, BlockDevice, CharDevice and FifoDevice constants.
type DeviceType rune
// Known DeviceType values.
const (
	WildcardDevice DeviceType = 'a'
	BlockDevice    DeviceType = 'b'
	CharDevice     DeviceType = 'c' // or 'u'
	FifoDevice     DeviceType = 'p'
)
func (DeviceType) CanCgroup ¶
func (t DeviceType) CanCgroup() bool
func (DeviceType) CanMknod ¶
func (t DeviceType) CanMknod() bool
func (DeviceType) IsValid ¶
func (t DeviceType) IsValid() bool
type FuncHook ¶
// FuncHook is a Hook backed by a Go function (see NewFunctionHook). Unlike
// CommandHook it is not serialized to JSON.
type FuncHook struct {
	// contains filtered or unexported fields
}
func NewFunctionHook ¶
NewFunctionHook will call the provided function when the hook is run.
func (FuncHook) Run ¶
type Hook ¶
// Hook is an action run at a container lifecycle point.
type Hook interface {
	// Run executes the hook with the provided state.
	Run(*specs.State) error
}
type HookList ¶
// HookList is an ordered list of Hooks; see RunHooks.
type HookList []Hook
func (HookList) RunHooks ¶
type HookName ¶
// HookName identifies a lifecycle hook point; see the Prestart, CreateRuntime,
// CreateContainer, StartContainer, Poststart and Poststop constants.
type HookName string
type Hooks ¶
func (*Hooks) MarshalJSON ¶
func (*Hooks) UnmarshalJSON ¶
type HugepageLimit ¶
// HugepageLimit caps hugepage usage for one page size.
type HugepageLimit struct {
	// which type of hugepage to limit.
	Pagesize string `json:"page_size"`

	// usage limit for hugepage.
	Limit uint64 `json:"limit"`
}
type IDMap ¶
// IDMap represents UID/GID Mappings for User Namespaces.
type IDMap struct {
	// ContainerID is the first ID of the range as seen inside the container.
	ContainerID int `json:"container_id"`
	// HostID is the first ID of the range on the host.
	HostID int `json:"host_id"`
	// Size is the number of consecutive IDs in the mapped range.
	Size int `json:"size"`
}
IDMap represents UID/GID Mappings for User Namespaces.
type IfPrioMap ¶
func (*IfPrioMap) CgroupString ¶
type IntelRdt ¶
// IntelRdt holds the Intel RDT schemata for the container (see Config.IntelRdt).
type IntelRdt struct {
	// The schema for L3 cache id and capacity bitmask (CBM)
	// Format: "L3:<cache_id0>=<cbm0>;<cache_id1>=<cbm1>;..."
	L3CacheSchema string `json:"l3_cache_schema,omitempty"`

	// The schema of memory bandwidth per L3 cache id
	// Format: "MB:<cache_id0>=bandwidth0;<cache_id1>=bandwidth1;..."
	// The unit of memory bandwidth is specified in "percentages" by
	// default, and in "MBps" if MBA Software Controller is enabled.
	MemBwSchema string `json:"memBwSchema,omitempty"`
}
type Mount ¶
// Mount describes one mount to perform inside the container (see Config.Mounts).
type Mount struct {
	// Source path for the mount.
	Source string `json:"source"`

	// Destination path for the mount inside the container.
	Destination string `json:"destination"`

	// Device the mount is for.
	Device string `json:"device"`

	// Mount flags.
	Flags int `json:"flags"`

	// Propagation Flags
	PropagationFlags []int `json:"propagation_flags"`

	// Mount data applied to the mount.
	Data string `json:"data"`

	// Relabel source if set, "z" indicates shared, "Z" indicates unshared.
	Relabel string `json:"relabel"`

	// Extensions are additional flags that are specific to runc (see EXT_COPYUP).
	Extensions int `json:"extensions"`

	// Optional Command to be run before Source is mounted.
	PremountCmds []Command `json:"premount_cmds"`

	// Optional Command to be run after Source is mounted.
	PostmountCmds []Command `json:"postmount_cmds"`
}
type Namespace ¶
// Namespace defines configuration for each namespace. On this build it has
// no fields: the definition comes from namespaces_unsupported.go, for
// platforms without namespace support.
type Namespace struct{}
Namespace defines configuration for each namespace. It specifies an alternate path that is able to be joined via setns.
func (*Namespace) Syscall ¶
type NamespaceType ¶
// NamespaceType names a kind of Linux namespace.
type NamespaceType string
type Namespaces ¶
// Namespaces is the list of namespaces the container's init process is
// created in (see Config.Namespaces and CloneFlags).
type Namespaces []Namespace
func (*Namespaces) CloneFlags ¶
func (n *Namespaces) CloneFlags() uintptr
CloneFlags parses the container's Namespaces options to set the correct flags on clone, unshare. This function returns flags only for new namespaces.
type Network ¶
// Network defines configuration for a container's networking stack.
//
// The network configuration can be omitted from a container causing the
// container to be set up with the host's networking stack.
type Network struct {
	// Type sets the networks type, commonly veth and loopback
	Type string `json:"type"`

	// Name of the network interface
	Name string `json:"name"`

	// The bridge to use.
	Bridge string `json:"bridge"`

	// MacAddress contains the MAC address to set on the network interface
	MacAddress string `json:"mac_address"`

	// Address contains the IPv4 and mask to set on the network interface
	Address string `json:"address"`

	// Gateway sets the gateway address that is used as the default for the interface
	Gateway string `json:"gateway"`

	// IPv6Address contains the IPv6 and mask to set on the network interface
	IPv6Address string `json:"ipv6_address"`

	// IPv6Gateway sets the ipv6 gateway address that is used as the default for the interface
	IPv6Gateway string `json:"ipv6_gateway"`

	// Mtu sets the mtu value for the interface and will be mirrored on both the host and
	// container's interfaces if a pair is created, specifically in the case of type veth
	// Note: This does not apply to loopback interfaces.
	Mtu int `json:"mtu"`

	// TxQueueLen sets the tx_queuelen value for the interface and will be mirrored on both the host and
	// container's interfaces if a pair is created, specifically in the case of type veth
	// Note: This does not apply to loopback interfaces.
	TxQueueLen int `json:"txqueuelen"`

	// HostInterfaceName is a unique name of a veth pair that resides on in the host interface of the
	// container.
	HostInterfaceName string `json:"host_interface_name"`

	// HairpinMode specifies if hairpin NAT should be enabled on the virtual interface
	// bridge port in the case of type veth
	// Note: This is unsupported on some systems.
	// Note: This does not apply to loopback interfaces.
	HairpinMode bool `json:"hairpin_mode"`
}
Network defines configuration for a container's networking stack
The network configuration can be omitted from a container, causing the container to be set up with the host's networking stack.
type Operator ¶
// Operator is a comparison operator to be used when matching syscall
// arguments in Seccomp.
type Operator int
Operator is a comparison operator to be used when matching syscall arguments in Seccomp
// Operator values. Numbering starts at 1 so the zero value is not a valid operator.
const (
	EqualTo Operator = iota + 1
	NotEqualTo
	GreaterThan
	GreaterThanOrEqualTo
	LessThan
	LessThanOrEqualTo
	MaskEqualTo
)
type Rlimit ¶
type Route ¶
// Route is an entry to add to the container's route table at start
// (see Config.Routes). Destination, Source and Gateway should all be IPv4 or
// all be IPv6; at least one of them must be set.
type Route struct {
	// Sets the destination and mask, should be a CIDR.  Accepts IPv4 and IPv6
	Destination string `json:"destination"`

	// Sets the source and mask, should be a CIDR.  Accepts IPv4 and IPv6
	Source string `json:"source"`

	// Sets the gateway.  Accepts IPv4 and IPv6
	Gateway string `json:"gateway"`

	// The device to set this route up for, for example: eth0
	InterfaceName string `json:"interface_name"`
}
Routes can be specified to create entries in the route table as the container is started
All of destination, source, and gateway should be either IPv4 or IPv6. One of the three options must be present, and omitted entries will use their IP family default for the route table. For IPv4, for example, setting the gateway to 1.2.3.4 and the interface to eth0 will set up a standard destination of 0.0.0.0 (or *) when viewed in the route table.
type Seccomp ¶
// Seccomp represents syscall restrictions.
type Seccomp struct {
	// DefaultAction is taken when no rule in Syscalls matches.
	DefaultAction Action `json:"default_action"`
	// Architectures are the extra architectures allowed to make syscalls;
	// only the kernel's native architecture is allowed by default.
	Architectures []string `json:"architectures"`
	// Syscalls are the per-syscall rules.
	Syscalls []*Syscall `json:"syscalls"`
}
Seccomp represents syscall restrictions. By default, only the native architecture of the kernel is allowed to be used for syscalls. Additional architectures can be added by specifying them in Architectures.
type Syscall ¶
// Syscall is a rule to match a syscall in Seccomp.
type Syscall struct {
	// Name of the syscall.
	Name string `json:"name"`
	// Action to take when the rule matches.
	Action Action `json:"action"`
	// ErrnoRet optionally overrides the errno returned to the caller;
	// presumably only used by errno-style actions — confirm in the seccomp code.
	ErrnoRet *uint `json:"errnoRet"`
	// Args are additional argument conditions; the rule presumably matches
	// only if they all hold — confirm in the seccomp code.
	Args []*Arg `json:"args"`
}
Syscall is a rule to match a syscall in Seccomp
type ThrottleDevice ¶
// ThrottleDevice struct holds a `major:minor rate_per_second` pair.
// Construct it with NewThrottleDevice; the device numbers are unexported.
type ThrottleDevice struct {
	// Rate is the IO rate limit per cgroup per device
	Rate uint64 `json:"rate"`
	// contains filtered or unexported fields
}
ThrottleDevice struct holds a `major:minor rate_per_second` pair
func NewThrottleDevice ¶
func NewThrottleDevice(major, minor int64, rate uint64) *ThrottleDevice
NewThrottleDevice returns a configured ThrottleDevice pointer
func (*ThrottleDevice) String ¶
func (td *ThrottleDevice) String() string
String formats the struct to be writable to the cgroup specific file
func (*ThrottleDevice) StringName ¶
func (td *ThrottleDevice) StringName(name string) string
StringName formats the struct to be writable to the cgroup specific file
type WeightDevice ¶
// WeightDevice struct holds a `major:minor weight`|`major:minor leaf_weight` pair.
// Construct it with NewWeightDevice; the device numbers are unexported.
type WeightDevice struct {
	// Weight is the bandwidth rate for the device, range is from 10 to 1000
	Weight uint16 `json:"weight"`
	// LeafWeight is the bandwidth rate for the device while competing with the cgroup's child cgroups, range is from 10 to 1000, cfq scheduler only
	LeafWeight uint16 `json:"leafWeight"`
	// contains filtered or unexported fields
}
WeightDevice struct holds a `major:minor weight`|`major:minor leaf_weight` pair
func NewWeightDevice ¶
func NewWeightDevice(major, minor int64, weight, leafWeight uint16) *WeightDevice
NewWeightDevice returns a configured WeightDevice pointer
func (*WeightDevice) LeafWeightString ¶
func (wd *WeightDevice) LeafWeightString() string
LeafWeightString formats the struct to be writable to the cgroup specific file
func (*WeightDevice) WeightString ¶
func (wd *WeightDevice) WeightString() string
WeightString formats the struct to be writable to the cgroup specific file
Source Files ¶
blkio_device.go cgroup_unsupported.go config.go device.go hugepage_limit.go intelrdt.go interface_priority_map.go mount.go namespaces.go namespaces_syscall_unsupported.go namespaces_unsupported.go network.go
Directories ¶
Path | Synopsis |
---|---|
libcontainer/configs/validate |