boot



Overview

Package boot loads the kernel and runs a container.

Index

Constants

// URPC endpoint names served by the sandbox control server. Clients such as
// runsc invoke these by name: the "containerManager." prefix groups the
// per-container commands, "Network." the network-stack command and "debug."
// the debugging command.
const (
	// ContainerCheckpoint is the URPC endpoint for checkpointing a container.
	ContainerCheckpoint = "containerManager.Checkpoint"

	// ContainerCreate is the URPC endpoint for creating a container.
	ContainerCreate = "containerManager.Create"

	// ContainerDestroy is used to stop a non-root container and free all
	// associated resources in the sandbox.
	ContainerDestroy = "containerManager.Destroy"

	// ContainerEvent is the URPC endpoint for getting stats about the
	// container used by "runsc events".
	ContainerEvent = "containerManager.Event"

	// ContainerExecuteAsync is the URPC endpoint for executing a command in a
	// container.
	ContainerExecuteAsync = "containerManager.ExecuteAsync"

	// ContainerPause is the URPC endpoint for pausing the container.
	ContainerPause = "containerManager.Pause"

	// ContainerProcesses is the URPC endpoint for getting the list of
	// processes running in a container.
	ContainerProcesses = "containerManager.Processes"

	// ContainerRestore is the URPC endpoint for restoring a container from a
	// statefile (see RestoreOpts).
	ContainerRestore = "containerManager.Restore"

	// ContainerResume is the URPC endpoint for unpausing a paused container.
	ContainerResume = "containerManager.Resume"

	// ContainerSignal is used to send a signal to a container (see SignalArgs).
	ContainerSignal = "containerManager.Signal"

	// ContainerSignalProcess is used to send a signal to a particular
	// process in a container.
	ContainerSignalProcess = "containerManager.SignalProcess"

	// ContainerStart is the URPC endpoint for running a non-root container
	// within a sandbox (see StartArgs).
	ContainerStart = "containerManager.Start"

	// ContainerWait is used to wait on the init process of the container
	// and return its ExitStatus.
	ContainerWait = "containerManager.Wait"

	// ContainerWaitPID is used to wait on a process with a certain PID in
	// the sandbox and return its ExitStatus (see WaitPIDArgs).
	ContainerWaitPID = "containerManager.WaitPID"

	// NetworkCreateLinksAndRoutes is the URPC endpoint for creating links
	// and routes in a network stack (see CreateLinksAndRoutesArgs).
	NetworkCreateLinksAndRoutes = "Network.CreateLinksAndRoutes"

	// RootContainerStart is the URPC endpoint for starting a new sandbox
	// with root container.
	RootContainerStart = "containerManager.StartRoot"

	// SandboxStacks collects sandbox stacks for debugging.
	SandboxStacks = "debug.Stacks"
)
// URPC endpoint names for the profiling commands; see pprof.go for the
// handlers behind them.
const (
	// StartCPUProfile is the URPC endpoint that starts a CPU profile.
	StartCPUProfile = "Profile.StartCPUProfile"
	// StopCPUProfile is the URPC endpoint that stops the CPU profile started
	// by StartCPUProfile.
	StopCPUProfile = "Profile.StopCPUProfile"
	// HeapProfile is the URPC endpoint that collects a heap profile.
	HeapProfile = "Profile.HeapProfile"
	// StartTrace is the URPC endpoint that starts an execution trace.
	StartTrace = "Profile.StartTrace"
	// StopTrace is the URPC endpoint that stops the trace started by
	// StartTrace.
	StopTrace = "Profile.StopTrace"
)

Profiling related commands (see pprof.go for more details).

// URPC endpoint names for the logging commands; see logging.go for the
// handler behind them.
const (
	// ChangeLogging is the URPC endpoint for changing the logging
	// configuration of a running sandbox.
	ChangeLogging = "Logging.Change"
)

Logging related commands (see logging.go for more details).

const (
	// MountPrefix is the annotation prefix for mount hints: annotations in
	// the sandbox spec whose key starts with this string are interpreted as
	// mount hints.
	MountPrefix = "dev.gvisor.spec.mount."
)

Variables

This section is empty.

Functions

func ControlSocketAddr

func ControlSocketAddr(id string) string

ControlSocketAddr generates an abstract unix socket name for the given ID.

func MakeRefsLeakMode

func MakeRefsLeakMode(s string) (refs.LeakMode, error)

MakeRefsLeakMode parses a refs.LeakMode from its string form.

func MakeWatchdogAction

func MakeWatchdogAction(s string) (watchdog.Action, error)

MakeWatchdogAction parses a watchdog.Action from its string form.

Types

type Args

// Args are the arguments for New().
//
// The file descriptors listed here (ControllerFD, Device, GoferFDs, StdioFDs,
// UserLogFD) are handed to the loader by the caller; New is responsible for
// wiring them up.
type Args struct {
	// ID is the sandbox ID.
	ID string
	// Spec is the sandbox specification.
	Spec *specs.Spec
	// Conf is the system configuration.
	Conf *Config
	// ControllerFD is the FD to the URPC controller, i.e. the control server
	// that serves the Container*/Network*/debug endpoints.
	ControllerFD int
	// Device is an optional argument that is passed to the platform.
	Device *os.File
	// GoferFDs is an array of FDs used to connect with the Gofer.
	GoferFDs []int
	// StdioFDs is the stdio for the application.
	StdioFDs []int
	// Console is set to true if using TTY.
	Console bool
	// NumCPU is the number of CPUs to create inside the sandbox.
	NumCPU int
	// TotalMem is the initial amount of total memory to report back to the
	// container.
	TotalMem uint64
	// UserLogFD is the file descriptor to write user logs to.
	UserLogFD int
}

Args are the arguments for New().

type Config

// Config holds configuration that is not part of the runtime spec.
//
// Several fields weaken the sandbox's isolation when set (DisableSeccomp,
// EnableRaw, Rootless, FSGoferHostUDS and the TestOnly* fields); each of
// those documents the trade-off below.
type Config struct {
	// RootDir is the runtime root directory.
	RootDir string

	// Debug indicates that debug logging should be enabled.
	Debug bool

	// LogFilename is the filename to log to, if not empty.
	LogFilename string

	// LogFormat is the log format.
	LogFormat string

	// DebugLog is the path to log debug information to, if not empty.
	DebugLog string

	// DebugLogFormat is the log format for debug.
	DebugLogFormat string

	// FileAccess indicates how the filesystem is accessed.
	FileAccess FileAccessType

	// Overlay is whether to wrap the root filesystem in an overlay.
	Overlay bool

	// FSGoferHostUDS enables the gofer to mount a host UDS.
	// NOTE(review): this lets the sandbox reach a host unix socket through
	// the gofer; confirm it is only enabled where that access is intended.
	FSGoferHostUDS bool

	// Network indicates what type of network to use.
	Network NetworkType

	// EnableRaw indicates whether raw sockets should be enabled. Raw
	// sockets are disabled by stripping CAP_NET_RAW from the list of
	// capabilities.
	EnableRaw bool

	// HardwareGSO indicates that hardware segmentation offload is enabled.
	HardwareGSO bool

	// SoftwareGSO indicates that software segmentation offload is enabled.
	SoftwareGSO bool

	// LogPackets indicates that all network packets should be logged.
	LogPackets bool

	// Platform is the platform to run on.
	Platform string

	// Strace indicates that strace should be enabled.
	Strace bool

	// StraceSyscalls is the set of syscalls to trace.  If Strace is
	// true and this list is empty, then all syscalls will be traced.
	StraceSyscalls []string

	// StraceLogSize is the max size of data blobs to display.
	StraceLogSize uint

	// DisableSeccomp indicates whether seccomp syscall filters should be
	// disabled. Pardon the double negation, but default to enabled is important:
	// the zero value keeps the filters on.
	DisableSeccomp bool

	// WatchdogAction sets what action the watchdog takes when triggered.
	WatchdogAction watchdog.Action

	// PanicSignal registers signal handling that panics. Usually set to
	// SIGUSR2(12) to troubleshoot hangs. -1 disables it.
	PanicSignal int

	// ProfileEnable is set to prepare the sandbox to be profiled.
	ProfileEnable bool

	// RestoreFile is the path to the saved container image.
	RestoreFile string

	// NumNetworkChannels controls the number of AF_PACKET sockets that map
	// to the same underlying network device. This allows netstack to better
	// scale for high throughput use cases.
	NumNetworkChannels int

	// Rootless allows the sandbox to be started with a user that is not root.
	// Defense in depth measures are weaker with rootless. Specifically, the
	// sandbox and Gofer process run as root inside a user namespace with root
	// mapped to the caller's user.
	Rootless bool

	// AlsoLogToStderr allows sending log messages to stderr as well.
	AlsoLogToStderr bool

	// ReferenceLeakMode sets the reference leak check mode.
	ReferenceLeakMode refs.LeakMode

	// OverlayfsStaleRead causes cached FDs to reopen after a file is opened for
	// write to workaround overlayfs limitation on kernels before 4.19.
	OverlayfsStaleRead bool

	// TestOnlyAllowRunAsCurrentUserWithoutChroot should only be used in
	// tests. It allows runsc to start the sandbox process as the current
	// user, and without chrooting the sandbox process. This can be
	// necessary in test environments that have limited capabilities.
	TestOnlyAllowRunAsCurrentUserWithoutChroot bool

	// TestOnlyTestNameEnv should only be used in tests. It looks up for the
	// test name in the container environment variables and adds it to the debug
	// log file name. This is done to help identify the log with the test when
	// multiple tests are run in parallel, since there is no way to pass
	// parameters to the runtime from docker.
	TestOnlyTestNameEnv string

	// CPUNumFromQuota sets CPU number count to available CPU quota, using
	// least integer value greater than or equal to quota.
	//
	// E.g. 0.2 CPU quota will result in 1, and 1.9 in 2.
	CPUNumFromQuota bool
}

Config holds configuration that is not part of the runtime spec.

func (*Config) ToFlags

func (c *Config) ToFlags() []string

ToFlags returns a slice of flags that correspond to the given Config.

type CreateLinksAndRoutesArgs

// CreateLinksAndRoutesArgs are arguments to Network.CreateLinksAndRoutes.
type CreateLinksAndRoutesArgs struct {
	// FilePayload contains the fds associated with the FDBasedLinks. The
	// number of fd's should match the sum of the NumChannels field of the
	// FDBasedLink entries below.
	urpc.FilePayload

	// LoopbackLinks lists the loopback links to create.
	LoopbackLinks []LoopbackLink
	// FDBasedLinks lists the fd-based links to create; their fds are
	// carried in FilePayload.
	FDBasedLinks []FDBasedLink

	// Defaultv4Gateway describes the default IPv4 route. An unset Route
	// (see Route.Empty) presumably means no default route — confirm in
	// CreateLinksAndRoutes.
	Defaultv4Gateway DefaultRoute
	// Defaultv6Gateway describes the default IPv6 route, same semantics as
	// Defaultv4Gateway.
	Defaultv6Gateway DefaultRoute
}

CreateLinksAndRoutesArgs are arguments to CreateLinksAndRoutes.

type DefaultRoute

// DefaultRoute represents a catch all route to the default gateway.
type DefaultRoute struct {
	// Route is the catch-all route itself (destination and gateway).
	Route Route
	// Name is the name of the link the route is attached to — presumably
	// matching a LoopbackLink.Name or FDBasedLink.Name; verify against
	// CreateLinksAndRoutes.
	Name string
}

DefaultRoute represents a catch all route to the default gateway.

type Event

// Event is the struct used to encode event data to JSON. It corresponds to
// runc's main.event struct.
type Event struct {
	// Type is the event type.
	Type string `json:"type"`
	// ID identifies the subject of the event (presumably the container ID;
	// see ContainerEvent).
	ID string `json:"id"`
	// Data is the event payload; it is dropped from the JSON encoding when
	// empty (omitempty).
	Data interface{} `json:"data,omitempty"`
}

Event is the struct used to encode event data to JSON. It corresponds to runc's main.event struct.

// FDBasedLink configures an fd-based link, i.e. a network endpoint backed by
// host file descriptors passed in CreateLinksAndRoutesArgs.FilePayload.
type FDBasedLink struct {
	// Name is the link name.
	Name string
	// MTU is the link's maximum transmission unit.
	MTU int
	// Addresses lists the IP addresses assigned to the link.
	Addresses []net.IP
	// Routes lists the routes attached to the link.
	Routes []Route
	// GSOMaxSize is the maximum segment size for generic segmentation
	// offload (see Config.HardwareGSO / Config.SoftwareGSO).
	GSOMaxSize uint32
	// SoftwareGSOEnabled enables software segmentation offload on this link.
	SoftwareGSOEnabled bool
	// LinkAddress is the link-layer (MAC) address.
	LinkAddress net.HardwareAddr

	// NumChannels controls how many underlying FD's are to be used to
	// create this endpoint.
	NumChannels int
}

FDBasedLink configures an fd-based link.

type FileAccessType

// FileAccessType tells how the filesystem is accessed. The zero value is
// FileAccessShared.
type FileAccessType int

FileAccessType tells how the filesystem is accessed.

const (
	// FileAccessShared sends IO requests to a Gofer process that validates the
	// requests and forwards them to the host. This is the zero value and
	// therefore the default.
	FileAccessShared FileAccessType = iota

	// FileAccessExclusive is the same as FileAccessShared, but enables
	// extra caching for improved performance. It should only be used if
	// the sandbox has exclusive access to the filesystem, since cached
	// state is not revalidated against changes made outside the sandbox.
	FileAccessExclusive
)

func MakeFileAccessType

func MakeFileAccessType(s string) (FileAccessType, error)

MakeFileAccessType parses a FileAccessType from its string form.

func (FileAccessType) String

func (f FileAccessType) String() string

type Loader

// Loader keeps state needed to start the kernel and run the container.
// Create one with New, then call Run and WaitExit; Destroy releases its
// resources (see the note on Destroy about not deferring it).
type Loader struct {
	// contains filtered or unexported fields
}

Loader keeps state needed to start the kernel and run the container.

func New

func New(args Args) (*Loader, error)

New initializes a new kernel loader configured by spec. New also handles setting up a kernel for restoring a container.

func (*Loader) Destroy

func (l *Loader) Destroy()

Destroy cleans up all resources used by the loader.

Note that this will block until all open control server connections have been closed. For that reason, this should NOT be called in a defer, because a panic in a control server rpc would then hang forever.

func (*Loader) Run

func (l *Loader) Run() error

Run runs the root container.

func (*Loader) WaitExit

func (l *Loader) WaitExit() kernel.ExitStatus

WaitExit waits for the root container to exit, and returns its exit status.

func (*Loader) WaitForStartSignal

func (l *Loader) WaitForStartSignal()

WaitForStartSignal waits for a start signal from the control server.

// LoopbackLink configures a loopback link.
type LoopbackLink struct {
	// Name is the link name.
	Name string
	// Addresses lists the IP addresses assigned to the loopback link.
	Addresses []net.IP
	// Routes lists the routes attached to the loopback link.
	Routes []Route
}

LoopbackLink configures a loopback link.

type Memory

// Memory contains stats on memory. The field names and JSON keys mirror
// runc's stats layout (see Stats).
type Memory struct {
	// Cache is the cached-memory counter.
	Cache uint64 `json:"cache,omitempty"`
	// Usage holds the stats for overall memory usage.
	Usage MemoryEntry `json:"usage,omitempty"`
	// Swap holds the stats for swap usage.
	Swap MemoryEntry `json:"swap,omitempty"`
	// Kernel holds the stats for kernel memory usage.
	Kernel MemoryEntry `json:"kernel,omitempty"`
	// KernelTCP holds the stats for kernel TCP buffer usage.
	KernelTCP MemoryEntry `json:"kernelTCP,omitempty"`
	// Raw carries any additional named counters.
	Raw map[string]uint64 `json:"raw,omitempty"`
}

Memory contains stats on memory.

type MemoryEntry

// MemoryEntry contains stats on a kind of memory. Limit and Failcnt are
// always encoded; Usage and Max are omitted from JSON when zero.
type MemoryEntry struct {
	// Limit is the configured limit for this kind of memory.
	Limit uint64 `json:"limit"`
	// Usage is the current usage.
	Usage uint64 `json:"usage,omitempty"`
	// Max is the peak usage observed.
	Max uint64 `json:"max,omitempty"`
	// Failcnt is the number of times the limit was hit.
	Failcnt uint64 `json:"failcnt"`
}

MemoryEntry contains stats on a kind of memory.

type Network

// Network exposes methods that can be used to configure a network stack.
// It is the receiver behind the NetworkCreateLinksAndRoutes URPC endpoint.
type Network struct {
	// Stack is the netstack instance that CreateLinksAndRoutes configures.
	Stack *stack.Stack
}

Network exposes methods that can be used to configure a network stack.

func (*Network) CreateLinksAndRoutes

func (n *Network) CreateLinksAndRoutes(args *CreateLinksAndRoutesArgs, _ *struct{}) error

CreateLinksAndRoutes creates links and routes in a network stack. It should only be called once.

type NetworkType

// NetworkType tells which network stack to use. The zero value is
// NetworkSandbox.
type NetworkType int

NetworkType tells which network stack to use.

const (
	// NetworkSandbox uses internal network stack, isolated from the host.
	// This is the zero value and therefore the default.
	NetworkSandbox NetworkType = iota

	// NetworkHost redirects network related syscalls to the host network,
	// so the sandbox shares the host's network stack rather than netstack.
	NetworkHost

	// NetworkNone sets up just loopback using netstack.
	NetworkNone
)

func MakeNetworkType

func MakeNetworkType(s string) (NetworkType, error)

MakeNetworkType parses a NetworkType from its string form.

func (NetworkType) String

func (n NetworkType) String() string

type Pids

// Pids contains stats on processes. Both fields are omitted from JSON when
// zero.
type Pids struct {
	// Current is the number of processes currently in the container.
	Current uint64 `json:"current,omitempty"`
	// Limit is the configured process limit.
	Limit uint64 `json:"limit,omitempty"`
}

Pids contains stats on processes.

type RestoreOpts

// RestoreOpts contains options related to restoring a container's file
// system. It is the argument to the ContainerRestore URPC endpoint.
type RestoreOpts struct {
	// FilePayload contains the state file to be restored, followed by the
	// platform device file if necessary.
	urpc.FilePayload

	// SandboxID contains the ID of the sandbox.
	SandboxID string
}

RestoreOpts contains options related to restoring a container's file system.

type Route

// Route represents a route in the network stack. Empty reports whether a
// Route value was ever set.
type Route struct {
	// Destination is the destination network the route matches.
	Destination net.IPNet
	// Gateway is the next-hop address for matching traffic.
	Gateway net.IP
}

Route represents a route in the network stack.

func (*Route) Empty

func (r *Route) Empty() bool

Empty returns true if route hasn't been set.

type SignalArgs

// SignalArgs are arguments to the Signal method (the ContainerSignal URPC
// endpoint).
type SignalArgs struct {
	// CID is the container ID.
	CID string

	// Signo is the signal to send to the process.
	Signo int32

	// PID is the process ID in the given container that will be signaled.
	// If 0, the root container will be signalled.
	PID int32

	// Mode is the signal delivery mode; see SignalDeliveryMode for the
	// constraints each mode places on PID.
	Mode SignalDeliveryMode
}

SignalArgs are arguments to the Signal method.

type SignalDeliveryMode

// SignalDeliveryMode enumerates different signal delivery modes. The zero
// value is DeliverToProcess.
type SignalDeliveryMode int

SignalDeliveryMode enumerates different signal delivery modes.

const (
	// DeliverToProcess delivers the signal to the container process with
	// the specified PID. If PID is 0, then the container init process is
	// signaled. This is the zero value and therefore the default.
	DeliverToProcess SignalDeliveryMode = iota

	// DeliverToAllProcesses delivers the signal to all processes in the
	// container. PID must be 0.
	DeliverToAllProcesses

	// DeliverToForegroundProcessGroup delivers the signal to the
	// foreground process group in the same TTY session as the specified
	// process. If PID is 0, then the signal is delivered to the foreground
	// process group for the TTY for the init process.
	DeliverToForegroundProcessGroup
)

func (SignalDeliveryMode) String

func (s SignalDeliveryMode) String() string

type StartArgs

// StartArgs contains arguments to the Start method (the ContainerStart URPC
// endpoint).
type StartArgs struct {
	// Spec is the spec of the container to start.
	Spec *specs.Spec

	// Conf is the runsc-specific configuration for the sandbox.
	Conf *Config

	// CID is the ID of the container to start.
	CID string

	// FilePayload contains, in order:
	//   * stdin, stdout, and stderr.
	//   * the file descriptor over which the sandbox will
	//     request files from its root filesystem.
	urpc.FilePayload
}

StartArgs contains arguments to the Start method.

type Stats

// Stats is the runc specific stats structure for stability when encoding and
// decoding stats.
type Stats struct {
	// Memory holds the memory stats.
	Memory Memory `json:"memory"`
	// Pids holds the process stats.
	Pids Pids `json:"pids"`
}

Stats is the runc specific stats structure for stability when encoding and decoding stats.

type WaitPIDArgs

// WaitPIDArgs are arguments to the WaitPID method (the ContainerWaitPID URPC
// endpoint).
type WaitPIDArgs struct {
	// PID is the PID in the container's PID namespace.
	PID int32

	// CID is the container ID.
	CID string
}

WaitPIDArgs are arguments to the WaitPID method.

Directories

Path Synopsis
Package filter defines all syscalls the sandbox is allowed to make to the host, and installs seccomp filters to prevent prohibited syscalls in case it's compromised.
Package platforms imports all available platform packages.
