gvisor

module
v0.0.0-...-23e6066 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 3, 2018 License: Apache-2.0

README

gVisor

gVisor is a user-space kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an Open Container Initiative (OCI) runtime called runsc that provides an isolation boundary between the application and the host kernel. The runsc runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers.

gVisor takes a distinct approach to container sandboxing and makes a different set of technical trade-offs compared to existing sandbox technologies, thus providing new tools and ideas for the container security landscape.

Why does gVisor exist?

Containers are not a sandbox. While containers have revolutionized how we develop, package, and deploy applications, running untrusted or potentially malicious code without additional isolation is not a good idea. The efficiency and performance gains from using a single, shared kernel also mean that container escape is possible with a single vulnerability.

gVisor is a user-space kernel for containers. It limits the host kernel surface accessible to the application while still giving the application access to all the features it expects. Unlike most kernels, gVisor does not assume or require a fixed set of physical resources; instead, it leverages existing host kernel functionality and runs as a normal user-space process. In other words, gVisor implements Linux by way of Linux.

gVisor should not be confused with technologies and tools to harden containers against external threats, provide additional integrity checks, or limit the scope of access for a service. One should always be careful about what data is made available to a container.

How is gVisor different from other container isolation mechanisms?

Two other approaches are commonly taken to provide stronger isolation than native containers.

Machine-level virtualization, such as KVM and Xen, exposes virtualized hardware to a guest kernel via a Virtual Machine Monitor (VMM). This virtualized hardware is generally enlightened (paravirtualized) and additional mechanisms can be used to improve the visibility between the guest and host (e.g. balloon drivers, paravirtualized spinlocks). Running containers in distinct virtual machines can provide great isolation, compatibility and performance (though nested virtualization may bring challenges in this area), but for containers it often requires additional proxies and agents, and may require a larger resource footprint and slower start-up times.

Machine-level virtualization

Rule-based execution, such as seccomp, SELinux and AppArmor, allows the specification of a fine-grained security policy for an application or container. These schemes typically rely on hooks implemented inside the host kernel to enforce the rules. If the surface can be made small enough (i.e. a sufficiently complete policy defined), then this is an excellent way to sandbox applications and maintain native performance. However, in practice it can be extremely difficult (if not impossible) to reliably define a policy for arbitrary, previously unknown applications, making this approach challenging to apply universally.

Rule-based execution

Rule-based execution is often combined with additional layers for defense-in-depth.

gVisor provides a third isolation mechanism, distinct from those mentioned above.

gVisor intercepts application system calls and acts as the guest kernel, without the need for translation through virtualized hardware. gVisor may be thought of as either a merged guest kernel and VMM, or as seccomp on steroids. This architecture allows it to provide a flexible resource footprint (i.e. one based on threads and memory mappings, not fixed guest physical resources) while also lowering the fixed costs of virtualization. However, this comes at the price of reduced application compatibility and higher per-system call overhead.

gVisor

On top of this, gVisor employs rule-based execution to provide defense-in-depth (details below).

gVisor's approach is similar to User Mode Linux (UML), although UML virtualizes hardware internally and thus provides a fixed resource footprint.

Each of the above approaches may excel in distinct scenarios. For example, machine-level virtualization will face challenges achieving high density, while gVisor may provide poor performance for system call heavy workloads.

Why Go?

gVisor was written in Go in order to avoid security pitfalls that can plague kernels. With Go, there are strong types, built-in bounds checks, no uninitialized variables, no use-after-free, no stack overflow, and a built-in race detector. (The use of Go has its challenges too, and isn't free.)

Architecture

gVisor intercepts all system calls made by the application, and does the necessary work to service them. Importantly, gVisor does not simply redirect application system calls through to the host kernel. Instead, gVisor implements most kernel primitives (signals, file systems, futexes, pipes, mm, etc.) and has complete system call handlers built on top of these primitives.

Since gVisor is itself a user-space application, it will make some host system calls to support its operation, but much like a VMM, it will not allow the application to directly control the system calls it makes.

File System Access

In order to provide defense-in-depth and limit the host system surface, the gVisor container runtime is normally split into two separate processes. First, the Sentry process includes the kernel and is responsible for executing user code and handling system calls. Second, file system operations that extend beyond the sandbox (not internal proc or tmp files, pipes, etc.) are sent to a proxy, called a Gofer, via a 9P connection.

Sentry

The Gofer acts as a file system proxy by opening host files on behalf of the application, and passing them to the Sentry process, which has no host file access itself. Furthermore, the Sentry runs in an empty user namespace, and the system calls made by gVisor to the host are restricted using seccomp filters in order to provide defense-in-depth.

Network Access

The Sentry implements its own network stack (also written in Go) called netstack. All aspects of the network stack are handled inside the Sentry — including TCP connection state, control messages, and packet assembly — keeping it isolated from the host network stack. Data link layer packets are written directly to the virtual device inside the network namespace setup by Docker or Kubernetes.

A network passthrough mode is also supported, but comes at the cost of reduced isolation (see below).

Platforms

The Sentry requires a platform to implement basic context switching and memory mapping functionality. Today, gVisor supports two platforms:

  • The Ptrace platform uses SYSEMU functionality to execute user code without executing host system calls. This platform can run anywhere that ptrace works (even VMs without nested virtualization).

  • The KVM platform (experimental) allows the Sentry to act as both guest OS and VMM, switching back and forth between the two worlds seamlessly. The KVM platform can run on bare-metal or on a VM with nested virtualization enabled. While there is no virtualized hardware layer -- the sandbox retains a process model -- gVisor leverages virtualization extensions available on modern processors in order to improve isolation and performance of address space switches.

Performance

There are several factors influencing performance. The platform choice has the largest direct impact that varies depending on the specific workload. There is no best platform: Ptrace works universally, including on VM instances, but applications may perform at a fraction of their original levels. Beyond the platform choice, passthrough modes may be useful for improving perfomance at the cost of some isolation.

Installation

These instructions will get you up-and-running sandboxed containers with gVisor and Docker.

Requirements
Getting the source

Clone the gVisor repo:

git clone https://gvisor.googlesource.com/gvisor gvisor
cd gvisor
Building

Build and install the runsc binary.

It is important to copy this binary to some place that is accessible to all users, since runsc executes itself as user nobody to avoid unnecessary privileges. The /usr/local/bin directory is a good choice.

bazel build runsc
sudo cp ./bazel-bin/runsc/linux_amd64_pure_stripped/runsc /usr/local/bin
Configuring Docker

Next, configure Docker to use runsc by adding a runtime entry to your Docker configuration (/etc/docker/daemon.json). You may have to create this file if it does not exist. Also, some Docker versions also require you to specify the storage-driver field.

In the end, the file should look something like:

{
    "runtimes": {
        "runsc": {
            "path": "/usr/local/bin/runsc"
        }
    }
}

You must restart the Docker daemon after making changes to this file, typically this is done via:

sudo systemctl restart docker

Now run your container in runsc:

docker run --runtime=runsc hello-world

Terminal support works too:

docker run --runtime=runsc -it ubuntu /bin/bash
Kubernetes Support (Experimental)

gVisor can run sandboxed containers in a Kubernetes cluster with cri-o, although this is not recommended for production environments yet. Follow these instructions to run cri-o on a node in a Kubernetes cluster. Build runsc and put it on the node, and set it as the runtime_untrusted_workload in /etc/crio/crio.conf.

Any Pod without the io.kubernetes.cri-o.TrustedSandbox annotation (or with the annotation set to false) will be run with runsc.

Currently, gVisor only supports Pods with a single container (not counting the ever-present pause container). Support for multiple containers within a single Pod is coming soon.

Advanced Usage

Testing

The gVisor test suite can be run with Bazel:

bazel test ...
Debugging

To enable debug + system call logging, add the runtimeArgs below to your Docker configuration (/etc/docker/daemon.json):

{
    "runtimes": {
        "runsc": {
            "path": "/usr/local/bin/runsc"
             "runtimeArgs": [
                "--debug-log-dir=/tmp/runsc",
                "--debug",
                "--strace"
            ]
       }
    }
}

You may also want to pass --log-packets to troubleshoot network problems. Then restart the Docker daemon:

sudo systemctl restart docker

Run your container again, and inspect the files under /tmp/runsc. The log file with name boot will contain the strace logs from your application, which can be useful for identifying missing or broken system calls in gVisor.

Enabling network passthrough

For high-performance networking applications, you may choose to disable the user space network stack and instead use the host network stack. Note that this mode decreases the isolation to the host.

Add the following runtimeArgs to your Docker configuration (/etc/docker/daemon.json) and restart the Docker daemon:

{
    "runtimes": {
        "runsc": {
            "path": "/usr/local/bin/runsc"
             "runtimeArgs": [
                "--network=host"
            ]
       }
    }
}
Selecting a different platform

Depending on hardware and performance characteristics, you may choose to use a different platform. The Ptrace platform is the default, but the KVM platform may be specified by passing the --platform flag to runsc in your Docker configuration (/etc/docker/daemon.json):

{
    "runtimes": {
        "runsc": {
            "path": "/usr/local/bin/runsc"
             "runtimeArgs": [
                "--platform=kvm"
            ]
       }
    }
}

Then restart the Docker daemon.

FAQ & Known Issues

What works?

The following applications/images have been tested:

  • golang
  • httpd
  • java8
  • jenkins
  • mariadb
  • memcached
  • mongo
  • mysql
  • node
  • php
  • prometheus
  • python
  • redis
  • registry
  • tomcat
  • wordpress
What doesn't work yet?

The following applications have been tested and may not yet work:

  • elasticsearch: Requires unimplemented socket ioctls. See bug #2.
  • nginx: Requires ioctl(FIOASYNC), but see workaround in bug #1.
  • postgres: Requires SysV shared memory support. See bug #3.
Will my container work with gVisor?

gVisor implements a large portion of the Linux surface and while we strive to make it broadly compatible, there are (and always will be) unimplemented features and bugs. The only real way to know if it will work is to try. If you find a container that doesn’t work and there is no known issue, please file a bug indicating the full command you used to run the image. Providing the debug logs is also helpful.

My container runs fine with runc but fails with runsc.

If you’re having problems running a container with runsc it’s most likely due to a compatibility issue or a missing feature in gVisor. See Debugging, above.

I can’t see a file copied with docker cp or kubectl cp.

For performance reasons, gVisor caches directory contents, and therefore it may not realize a new file was copied to a given directory. To invalidate the cache and force a refresh, create a file under the directory in question and list the contents again.

This bug is tracked in bug #4.

Technical details

We plan to release a full paper with technical details and will include it here when available.

Community

Join the gvisor-users mailing list to discuss all things gVisor.

Sensitive security-related questions and comments can be sent to the private gvisor-security mailing list.

Contributing

See Contributing.md.

Directories

Path Synopsis
pkg
abi
Package abi describes the interface between a kernel and userspace.
 Package abi describes the interface between a kernel and userspace.
abi/linux
Package linux contains the constants and types needed to inferface with a Linux kernel.
 Package linux contains the constants and types needed to inferface with a Linux kernel.
amutex
Package amutex provides the implementation of an abortable mutex.
 Package amutex provides the implementation of an abortable mutex.
atomicbitops
Package atomicbitops provides basic bitwise operations in an atomic way.
 Package atomicbitops provides basic bitwise operations in an atomic way.
binary
Package binary translates between select fixed-sized types and a binary representation.
 Package binary translates between select fixed-sized types and a binary representation.
bits
Package bits includes all bit related types and operations.
 Package bits includes all bit related types and operations.
bpf
Package bpf provides tools for working with Berkeley Packet Filter (BPF) programs.
 Package bpf provides tools for working with Berkeley Packet Filter (BPF) programs.
compressio
Package compressio provides parallel compression and decompression.
 Package compressio provides parallel compression and decompression.
control/client
Package client provides a basic control client interface.
 Package client provides a basic control client interface.
control/server
Package server provides a basic control server interface.
 Package server provides a basic control server interface.
cpuid
Package cpuid provides basic functionality for creating and adjusting CPU feature sets.
 Package cpuid provides basic functionality for creating and adjusting CPU feature sets.
dhcp
Package dhcp implements a DHCP client and server as described in RFC 2131.
 Package dhcp implements a DHCP client and server as described in RFC 2131.
eventchannel
Package eventchannel contains functionality for sending any protobuf message on a socketpair.
 Package eventchannel contains functionality for sending any protobuf message on a socketpair.
fd
Package fd provides types for working with file descriptors.
 Package fd provides types for working with file descriptors.
gate
Package gate provides a usage Gate synchronization primitive.
 Package gate provides a usage Gate synchronization primitive.
hashio
Package hashio provides hash-verified I/O streams.
 Package hashio provides hash-verified I/O streams.
ilist
Package ilist provides the implementation of intrusive linked lists.
 Package ilist provides the implementation of intrusive linked lists.
linewriter
Package linewriter provides an io.Writer which calls an emitter on each line.
 Package linewriter provides an io.Writer which calls an emitter on each line.
log
Package log implements a library for logging.
 Package log implements a library for logging.
metric
Package metric provides primitives for collecting metrics.
 Package metric provides primitives for collecting metrics.
p9
Package p9 is a 9P2000.L implementation.
 Package p9 is a 9P2000.L implementation.
p9/local_server
Binary local_server provides a local 9P2000.L server for the p9 package.
 Binary local_server provides a local 9P2000.L server for the p9 package.
p9/p9test
refs
Package refs defines an interface for reference counted objects.
 Package refs defines an interface for reference counted objects.
secio
Package secio provides support for sectioned I/O.
 Package secio provides support for sectioned I/O.
segment
Package segment provides tools for working with collections of segments.
 Package segment provides tools for working with collections of segments.
segment/test
sentry/arch
Package arch provides abstractions around architecture-dependent details, such as syscall calling conventions, native types, etc.
 Package arch provides abstractions around architecture-dependent details, such as syscall calling conventions, native types, etc.
sentry/context
Package context defines the sentry's Context type.
 Package context defines the sentry's Context type.
sentry/context/contexttest
Package contexttest builds a test context.Context.
 Package contexttest builds a test context.Context.
sentry/control
Package control contains types that expose control server methods, and can be used to configure and interact with a running sandbox process.
 Package control contains types that expose control server methods, and can be used to configure and interact with a running sandbox process.
sentry/device
Package device defines reserved virtual kernel devices and structures for managing them.
 Package device defines reserved virtual kernel devices and structures for managing them.
sentry/fs
Package fs implements a virtual filesystem layer.
 Package fs implements a virtual filesystem layer.
sentry/fs/anon
Package anon implements an anonymous inode, useful for implementing inodes for pseudo filesystems.
 Package anon implements an anonymous inode, useful for implementing inodes for pseudo filesystems.
sentry/fs/ashmem
Package ashmem implements Android ashmem module (Anonymus Shared Memory).
 Package ashmem implements Android ashmem module (Anonymus Shared Memory).
sentry/fs/binder
Package binder implements Android Binder IPC module.
 Package binder implements Android Binder IPC module.
sentry/fs/dev
Package dev provides a filesystem with simple devices.
 Package dev provides a filesystem with simple devices.
sentry/fs/fdpipe
Package fdpipe implements common namedpipe opening and accessing logic.
 Package fdpipe implements common namedpipe opening and accessing logic.
sentry/fs/filetest
Package filetest provides a test implementation of an fs.File.
 Package filetest provides a test implementation of an fs.File.
sentry/fs/fsutil
Package fsutil provides utilities for implementing fs.InodeOperations and fs.FileOperations:
 Package fsutil provides utilities for implementing fs.InodeOperations and fs.FileOperations:
sentry/fs/gofer
Package gofer implements a remote 9p filesystem.
 Package gofer implements a remote 9p filesystem.
sentry/fs/host
Package host implements an fs.Filesystem for files backed by host file descriptors.
 Package host implements an fs.Filesystem for files backed by host file descriptors.
sentry/fs/lock
Package lock is the API for POSIX-style advisory regional file locks and BSD-style full file locks.
 Package lock is the API for POSIX-style advisory regional file locks and BSD-style full file locks.
sentry/fs/proc
Package proc implements a partial in-memory file system for profs.
 Package proc implements a partial in-memory file system for profs.
sentry/fs/proc/device
Package device contains the proc device to avoid dependency loops.
 Package device contains the proc device to avoid dependency loops.
sentry/fs/proc/seqfile
sentry/fs/ramfs
Package ramfs implements an in-memory file system that can be associated with any device.
 Package ramfs implements an in-memory file system that can be associated with any device.
sentry/fs/ramfs/test
Package test provides a simple ramfs-based filesystem for use in testing.
 Package test provides a simple ramfs-based filesystem for use in testing.
sentry/fs/sys
Package sys implements a sysfs filesystem.
 Package sys implements a sysfs filesystem.
sentry/fs/timerfd
Package timerfd implements the semantics of Linux timerfd objects as described by timerfd_create(2).
 Package timerfd implements the semantics of Linux timerfd objects as described by timerfd_create(2).
sentry/fs/tmpfs
Package tmpfs is a filesystem implementation backed by memory.
 Package tmpfs is a filesystem implementation backed by memory.
sentry/fs/tty
Package tty provide pseudoterminals via a devpts filesystem.
 Package tty provide pseudoterminals via a devpts filesystem.
sentry/hostcpu
Package hostcpu provides utilities for working with CPU information provided by a host Linux kernel.
 Package hostcpu provides utilities for working with CPU information provided by a host Linux kernel.
sentry/inet
Package inet defines semantics for IP stacks.
 Package inet defines semantics for IP stacks.
sentry/kernel
Package kernel provides an emulation of the Linux kernel.
 Package kernel provides an emulation of the Linux kernel.
sentry/kernel/auth
Package auth implements an access control model that is a subset of Linux's.
 Package auth implements an access control model that is a subset of Linux's.
sentry/kernel/epoll
Package epoll provides an implementation of Linux's IO event notification facility.
 Package epoll provides an implementation of Linux's IO event notification facility.
sentry/kernel/eventfd
Package eventfd provides an implementation of Linux's file-based event notification.
 Package eventfd provides an implementation of Linux's file-based event notification.
sentry/kernel/futex
Package futex provides an implementation of the futex interface as found in the Linux kernel.
 Package futex provides an implementation of the futex interface as found in the Linux kernel.
sentry/kernel/kdefs
Package kdefs defines common kernel definitions.
 Package kdefs defines common kernel definitions.
sentry/kernel/memevent
Package memevent implements the memory usage events controller, which periodically emits events via the eventchannel.
 Package memevent implements the memory usage events controller, which periodically emits events via the eventchannel.
sentry/kernel/pipe
Package pipe provides an in-memory implementation of a unidirectional pipe.
 Package pipe provides an in-memory implementation of a unidirectional pipe.
sentry/kernel/sched
Package sched implements scheduler related features.
 Package sched implements scheduler related features.
sentry/kernel/semaphore
Package semaphore implements System V semaphores.
 Package semaphore implements System V semaphores.
sentry/kernel/time
Package time defines the Timer type, which provides a periodic timer that works by sampling a user-provided clock.
 Package time defines the Timer type, which provides a periodic timer that works by sampling a user-provided clock.
sentry/limits
Package limits provides resource limits.
 Package limits provides resource limits.
sentry/loader
Package loader loads a binary into a MemoryManager.
 Package loader loads a binary into a MemoryManager.
sentry/memmap
Package memmap defines semantics for memory mappings.
 Package memmap defines semantics for memory mappings.
sentry/memutil
Package memutil contains the utility functions for memory operations.
 Package memutil contains the utility functions for memory operations.
sentry/mm
Package mm provides a memory management subsystem.
 Package mm provides a memory management subsystem.
sentry/platform
Package platform provides a Platform abstraction.
 Package platform provides a Platform abstraction.
sentry/platform/filemem
Package filemem provides a reusable implementation of platform.Memory.
 Package filemem provides a reusable implementation of platform.Memory.
sentry/platform/interrupt
Package interrupt provides an interrupt helper.
 Package interrupt provides an interrupt helper.
sentry/platform/kvm
Package kvm provides a kvm-based implementation of the platform interface.
 Package kvm provides a kvm-based implementation of the platform interface.
sentry/platform/kvm/testutil
Package testutil provides common assembly stubs for testing.
 Package testutil provides common assembly stubs for testing.
sentry/platform/procid
Package procid provides a way to get the current system thread identifier.
 Package procid provides a way to get the current system thread identifier.
sentry/platform/ptrace
Package ptrace provides a ptrace-based implementation of the platform interface.
 Package ptrace provides a ptrace-based implementation of the platform interface.
sentry/platform/ring0
Package ring0 provides basic operating system-level stubs.
 Package ring0 provides basic operating system-level stubs.
sentry/platform/ring0/gen_offsets
Binary gen_offsets is a helper for generating offset headers.
 Binary gen_offsets is a helper for generating offset headers.
sentry/platform/ring0/pagetables
Package pagetables provides a generic implementation of pagetables.
 Package pagetables provides a generic implementation of pagetables.
sentry/platform/safecopy
Package safecopy provides an efficient implementation of functions to access memory that may result in SIGSEGV or SIGBUS being sent to the accessor.
 Package safecopy provides an efficient implementation of functions to access memory that may result in SIGSEGV or SIGBUS being sent to the accessor.
sentry/safemem
Package safemem provides the Block and BlockSeq types.
 Package safemem provides the Block and BlockSeq types.
sentry/sighandling
Package sighandling contains helpers for handling signals to applications.
 Package sighandling contains helpers for handling signals to applications.
sentry/socket
Package socket provides the interfaces that need to be provided by socket implementations and providers, as well as per family demultiplexing of socket creation.
 Package socket provides the interfaces that need to be provided by socket implementations and providers, as well as per family demultiplexing of socket creation.
sentry/socket/control
Package control provides internal representations of socket control messages.
 Package control provides internal representations of socket control messages.
sentry/socket/epsocket
Package epsocket provides an implementation of the socket.Socket interface that is backed by a tcpip.Endpoint.
 Package epsocket provides an implementation of the socket.Socket interface that is backed by a tcpip.Endpoint.
sentry/socket/hostinet
Package hostinet implements AF_INET and AF_INET6 sockets using the host's network stack.
 Package hostinet implements AF_INET and AF_INET6 sockets using the host's network stack.
sentry/socket/netlink
Package netlink provides core functionality for netlink sockets.
 Package netlink provides core functionality for netlink sockets.
sentry/socket/netlink/port
Package port provides port ID allocation for netlink sockets.
 Package port provides port ID allocation for netlink sockets.
sentry/socket/netlink/route
Package route provides a NETLINK_ROUTE socket protocol.
 Package route provides a NETLINK_ROUTE socket protocol.
sentry/socket/rpcinet
Package rpcinet implements sockets using an RPC for each syscall.
 Package rpcinet implements sockets using an RPC for each syscall.
sentry/socket/rpcinet/conn
Package conn is an RPC connection to a syscall RPC server.
 Package conn is an RPC connection to a syscall RPC server.
sentry/socket/rpcinet/notifier
Package notifier implements an FD notifier implementation over RPC.
 Package notifier implements an FD notifier implementation over RPC.
sentry/socket/unix
Package unix provides an implementation of the socket.Socket interface for the AF_UNIX protocol family.
 Package unix provides an implementation of the socket.Socket interface for the AF_UNIX protocol family.
sentry/state
Package state provides high-level state wrappers.
 Package state provides high-level state wrappers.
sentry/strace
Package strace implements the logic to print out the input and the return value of each traced syscall.
 Package strace implements the logic to print out the input and the return value of each traced syscall.
sentry/syscalls
Package syscalls is the interface from the application to the kernel.
 Package syscalls is the interface from the application to the kernel.
sentry/syscalls/linux
Package linux provides syscall tables for amd64 Linux.
 Package linux provides syscall tables for amd64 Linux.
sentry/time
Package time provides a calibrated clock synchronized to a system reference clock.
 Package time provides a calibrated clock synchronized to a system reference clock.
sentry/uniqueid
Package uniqueid defines context.Context keys for obtaining system-wide unique identifiers.
 Package uniqueid defines context.Context keys for obtaining system-wide unique identifiers.
sentry/usage
Package usage provides representations of resource usage.
 Package usage provides representations of resource usage.
sentry/usermem
Package usermem governs access to user memory.
 Package usermem governs access to user memory.
sentry/watchdog
Package watchdog is responsible for monitoring the sentry for tasks that may potentially be stuck or looping inderterminally causing hard to debug hungs in the untrusted app.
 Package watchdog is responsible for monitoring the sentry for tasks that may potentially be stuck or looping inderterminally causing hard to debug hungs in the untrusted app.
sleep
Package sleep allows goroutines to efficiently sleep on multiple sources of notifications (wakers).
 Package sleep allows goroutines to efficiently sleep on multiple sources of notifications (wakers).
state
Package state provides functionality related to saving and loading object graphs.
 Package state provides functionality related to saving and loading object graphs.
state/statefile
Package statefile defines the state file data stream.
 Package statefile defines the state file data stream.
syserr
Package syserr contains sandbox-internal errors.
 Package syserr contains sandbox-internal errors.
syserror
Package syserror contains syscall error codes exported as error interface instead of Errno.
 Package syserror contains syscall error codes exported as error interface instead of Errno.
tcpip
Package tcpip provides the interfaces and related types that users of the tcpip stack will use in order to create endpoints used to send and receive data over the network stack.
 Package tcpip provides the interfaces and related types that users of the tcpip stack will use in order to create endpoints used to send and receive data over the network stack.
tcpip/adapters/gonet
Package gonet provides a Go net package compatible wrapper for a tcpip stack.
 Package gonet provides a Go net package compatible wrapper for a tcpip stack.
tcpip/buffer
Package buffer provides the implementation of a buffer view.
 Package buffer provides the implementation of a buffer view.
tcpip/checker
Package checker provides helper functions to check networking packets for validity.
 Package checker provides helper functions to check networking packets for validity.
tcpip/header
Package header provides the implementation of the encoding and decoding of network protocol headers.
 Package header provides the implementation of the encoding and decoding of network protocol headers.
tcpip/link/channel
Package channel provides the implemention of channel-based data-link layer endpoints.
 Package channel provides the implemention of channel-based data-link layer endpoints.
tcpip/link/fdbased
Package fdbased provides the implemention of data-link layer endpoints backed by boundary-preserving file descriptors (e.g., TUN devices, seqpacket/datagram sockets).
 Package fdbased provides the implemention of data-link layer endpoints backed by boundary-preserving file descriptors (e.g., TUN devices, seqpacket/datagram sockets).
tcpip/link/loopback
Package loopback provides the implemention of loopback data-link layer endpoints.
 Package loopback provides the implemention of loopback data-link layer endpoints.
tcpip/link/rawfile
Package rawfile contains utilities for using the netstack with raw host files on Linux hosts.
 Package rawfile contains utilities for using the netstack with raw host files on Linux hosts.
tcpip/link/sharedmem
Package sharedmem provides the implemention of data-link layer endpoints backed by shared memory.
 Package sharedmem provides the implemention of data-link layer endpoints backed by shared memory.
tcpip/link/sharedmem/pipe
Package pipe implements a shared memory ring buffer on which a single reader and a single writer can operate (read/write) concurrently.
 Package pipe implements a shared memory ring buffer on which a single reader and a single writer can operate (read/write) concurrently.
tcpip/link/sharedmem/queue
Package queue provides the implementation of transmit and receive queues based on shared memory ring buffers.
 Package queue provides the implementation of transmit and receive queues based on shared memory ring buffers.
tcpip/link/sniffer
Package sniffer provides the implementation of data-link layer endpoints that wrap another endpoint and logs inbound and outbound packets.
 Package sniffer provides the implementation of data-link layer endpoints that wrap another endpoint and logs inbound and outbound packets.
tcpip/link/tun
Package tun contains methods to open TAP and TUN devices.
 Package tun contains methods to open TAP and TUN devices.
tcpip/link/waitable
Package waitable provides the implementation of data-link layer endpoints that wrap other endpoints, and can wait for inflight calls to WritePacket or DeliverNetworkPacket to finish (and new ones to be prevented).
 Package waitable provides the implementation of data-link layer endpoints that wrap other endpoints, and can wait for inflight calls to WritePacket or DeliverNetworkPacket to finish (and new ones to be prevented).
tcpip/network/arp
Package arp implements the ARP network protocol.
 Package arp implements the ARP network protocol.
tcpip/network/fragmentation
Package fragmentation contains the implementation of IP fragmentation.
 Package fragmentation contains the implementation of IP fragmentation.
tcpip/network/hash
Package hash contains utility functions for hashing.
 Package hash contains utility functions for hashing.
tcpip/network/ipv4
Package ipv4 contains the implementation of the ipv4 network protocol.
 Package ipv4 contains the implementation of the ipv4 network protocol.
tcpip/network/ipv6
Package ipv6 contains the implementation of the ipv6 network protocol.
 Package ipv6 contains the implementation of the ipv6 network protocol.
tcpip/ports
Package ports provides PortManager that manages allocating, reserving and releasing ports.
 Package ports provides PortManager that manages allocating, reserving and releasing ports.
tcpip/sample/tun_tcp_connect
This sample creates a stack with TCP and IPv4 protocols on top of a TUN device, and connects to a peer.
 This sample creates a stack with TCP and IPv4 protocols on top of a TUN device, and connects to a peer.
tcpip/sample/tun_tcp_echo
This sample creates a stack with TCP and IPv4 protocols on top of a TUN device, and listens on a port.
 This sample creates a stack with TCP and IPv4 protocols on top of a TUN device, and listens on a port.
tcpip/seqnum
Package seqnum defines the types and methods for TCP sequence numbers such that they fit in 32-bit words and work properly when overflows occur.
 Package seqnum defines the types and methods for TCP sequence numbers such that they fit in 32-bit words and work properly when overflows occur.
tcpip/stack
Package stack provides the glue between networking protocols and the consumers of the networking stack.
 Package stack provides the glue between networking protocols and the consumers of the networking stack.
tcpip/transport/ping
Package ping contains the implementation of the ICMP and IPv6-ICMP transport protocols for use in ping.
 Package ping contains the implementation of the ICMP and IPv6-ICMP transport protocols for use in ping.
tcpip/transport/queue
Package queue provides the implementation of buffer queue and interface of queue entry with Length method.
 Package queue provides the implementation of buffer queue and interface of queue entry with Length method.
tcpip/transport/tcp
Package tcp contains the implementation of the TCP transport protocol.
 Package tcp contains the implementation of the TCP transport protocol.
tcpip/transport/tcp/testing/context
Package context provides a test context for use in tcp tests.
 Package context provides a test context for use in tcp tests.
tcpip/transport/tcpconntrack
Package tcpconntrack implements a TCP connection tracking object.
 Package tcpconntrack implements a TCP connection tracking object.
tcpip/transport/udp
Package udp contains the implementation of the UDP transport protocol.
 Package udp contains the implementation of the UDP transport protocol.
tcpip/transport/unix
Package unix contains the implementation of Unix endpoints.
 Package unix contains the implementation of Unix endpoints.
tmutex
Package tmutex provides the implementation of a mutex that implements an efficient TryLock function in addition to Lock and Unlock.
 Package tmutex provides the implementation of a mutex that implements an efficient TryLock function in addition to Lock and Unlock.
unet
Package unet provides a minimal net package based on Unix Domain Sockets.
 Package unet provides a minimal net package based on Unix Domain Sockets.
urpc
Package urpc provides a minimal RPC package based on unet.
 Package urpc provides a minimal RPC package based on unet.
waiter
Package waiter provides the implementation of a wait queue, where waiters can be enqueued to be notified when an event of interest happens.
 Package waiter provides the implementation of a wait queue, where waiters can be enqueued to be notified when an event of interest happens.
waiter/fdnotifier
Package fdnotifier contains an adapter that translates IO events (e.g., a file became readable/writable) from native FDs to the notifications in the waiter package.
 Package fdnotifier contains an adapter that translates IO events (e.g., a file became readable/writable) from native FDs to the notifications in the waiter package.
Binary runsc is an implementation of the Open Container Initiative Runtime that runs applications inside a sandbox.
 Binary runsc is an implementation of the Open Container Initiative Runtime that runs applications inside a sandbox.
boot
Package boot loads the kernel and runs the application.
 Package boot loads the kernel and runs the application.
boot/filter
Package filter defines all syscalls the sandbox is allowed to make to the host, and installs seccomp filters to prevent prohibited syscalls in case it's compromised.
 Package filter defines all syscalls the sandbox is allowed to make to the host, and installs seccomp filters to prevent prohibited syscalls in case it's compromised.
cmd
Package cmd holds implementations of the runsc commands.
 Package cmd holds implementations of the runsc commands.
fsgofer
Package fsgofer implements p9.File giving access to local files using a simple mapping from a path prefix that is added to the path requested by the sandbox.
 Package fsgofer implements p9.File giving access to local files using a simple mapping from a path prefix that is added to the path requested by the sandbox.
sandbox
Package sandbox creates and manipulates sandboxes.
 Package sandbox creates and manipulates sandboxes.
specutils
Package specutils contains utility functions for working with OCI runtime specs.
 Package specutils contains utility functions for working with OCI runtime specs.
tools
go_generics
go_generics reads a Go source file and writes a new version of that file with a few transformations applied to each.
 go_generics reads a Go source file and writes a new version of that file with a few transformations applied to each.
go_generics/generics_tests/all_stmts
go_generics/generics_tests/all_stmts/output
go_generics/generics_tests/all_types
go_generics/generics_tests/all_types/lib
go_generics/generics_tests/all_types/output
go_generics/generics_tests/consts
go_generics/generics_tests/consts/output
go_generics/generics_tests/imports
go_generics/generics_tests/imports/output
go_generics/generics_tests/remove_typedef
go_generics/generics_tests/remove_typedef/output
go_generics/generics_tests/simple
go_generics/generics_tests/simple/output
go_generics/globals
Package globals provides an AST visitor that calls the visit function for all global identifiers.
 Package globals provides an AST visitor that calls the visit function for all global identifiers.
go_generics/rules_tests
go_stateify
Stateify provides a simple way to generate Load/Save methods based on existing types and struct tags.
 Stateify provides a simple way to generate Load/Save methods based on existing types and struct tags.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.