nsenter

package
v0.0.0-...-f15b9f9 (not the latest version of its module)
Published: Feb 1, 2024 License: Apache-2.0 Imports: 9 Imported by: 0

README

nsenter

Credits

This package was taken from runc and adapted for the needs of the seccomp agent.

Source: https://github.com/opencontainers/runc/blob/master/libcontainer/nsenter/README.md

How does it work?

The nsenter package registers a special init constructor that is called before the Go runtime has a chance to boot. This gives us the ability to setns() into existing namespaces and avoids the issues the Go runtime has with multiple threads. The constructor is called whenever this package is imported (and thereby registered) in your Go application.

The nsenter package imports "C" and therefore uses cgo. In cgo, if the import of "C" is immediately preceded by a comment, that comment, called the preamble, is used as a header when compiling the C parts of the package. So every time package nsenter is imported, the C function nsexec() is called.

Because nsexec() must run before the Go runtime in order to use Linux kernel namespaces, you must import this library into a package if you plan to use libcontainer directly. Otherwise Go will not execute the nsexec() constructor, which means that the re-exec will not cause the namespaces to be joined.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Init

func Init()

Init checks whether the process has re-executed itself and must run a registered module. Init() needs to be called explicitly from main() to ensure it runs after all other init() functions.

func OpenCwd

func OpenCwd(pid uint32) (*os.File, error)

OpenCwd opens a /proc/pid/cwd file. It is kept separate from Run() so that the caller can call libseccomp.NotifIDValid() in between.

func OpenNamespace

func OpenNamespace(pid uint32, nstype string) (*os.File, error)

OpenNamespace opens a namespace file. It is kept separate from Run() so that the caller can call libseccomp.NotifIDValid() in between.

func OpenRoot

func OpenRoot(pid uint32) (*os.File, error)

OpenRoot opens a /proc/pid/root file. It is kept separate from Run() so that the caller can call libseccomp.NotifIDValid() in between.

func RegisterModule

func RegisterModule(name string, f RunFunc) bool

func Run

func Run(root, cwd, mntns, netns, pidns *os.File, i interface{}) ([]byte, error)

Run executes a module in the namespaces referred to by the given handles.
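The doc comments for OpenRoot, OpenCwd and OpenNamespace all leave the same step to the caller: re-check the seccomp notification id after the /proc/pid handles are open and before anything runs in them, because a target that exited in between (its pid possibly reused) makes those handles refer to the wrong process. The following is an added example, not code from the package or the page, showing that ordering as a caller would implement it. The real openers and libseccomp.NotifIDValid() are passed in as function values so the snippet runs offline; the nstype names "mnt", "net" and "pid" and the DevNull stub are assumptions.

```go
package main

import (
	"fmt"
	"os"
)

// Handles bundles the /proc/<pid> file descriptors that Run() takes as arguments.
type Handles struct{ Root, Cwd, MntNS, NetNS, PidNS *os.File }

// Close releases the handles; Close on a still-nil *os.File just returns ErrInvalid.
func (h *Handles) Close() {
	for _, f := range []*os.File{h.Root, h.Cwd, h.MntNS, h.NetNS, h.PidNS} {
		f.Close()
	}
}

// PrepareTarget opens every handle for pid and only then re-validates the seccomp
// notification id, as the OpenRoot/OpenCwd/OpenNamespace doc comments ask: a stale
// id means the target exited (its pid may be reused) and the handles refer to the
// wrong process, so they are closed and Run() is never reached. openRoot/openCwd
// have the shape of OpenRoot/OpenCwd, openNS that of OpenNamespace (nstype names
// assumed); notifIDValid wraps libseccomp.NotifIDValid(fd, id) for this notification.
func PrepareTarget(pid uint32, openRoot, openCwd func(uint32) (*os.File, error),
	openNS func(uint32, string) (*os.File, error), notifIDValid func() error) (*Handles, error) {
	h, firstErr := &Handles{}, error(nil)
	get := func(open func() (*os.File, error)) (f *os.File) {
		if firstErr == nil { // stop opening after the first failure
			f, firstErr = open()
		}
		return f
	}
	h.Root = get(func() (*os.File, error) { return openRoot(pid) })
	h.Cwd = get(func() (*os.File, error) { return openCwd(pid) })
	h.MntNS = get(func() (*os.File, error) { return openNS(pid, "mnt") })
	h.NetNS = get(func() (*os.File, error) { return openNS(pid, "net") })
	h.PidNS = get(func() (*os.File, error) { return openNS(pid, "pid") })
	if firstErr == nil {
		firstErr = notifIDValid() // after the opens, before Run()
	}
	if firstErr != nil {
		h.Close()
		return nil, fmt.Errorf("pid %d: not entering namespaces: %w", pid, firstErr)
	}
	return h, nil
}

// DevNull stands in for the real openers so the example runs offline (constructed stub).
func DevNull(uint32) (*os.File, error) { return os.Open(os.DevNull) }
```

On success the returned Handles.Root, Cwd, MntNS, NetNS and PidNS are what Run(root, cwd, mntns, netns, pidns, i) expects; on any failure no handle is leaked.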

Types

type ModuleXXX

type ModuleXXX interface {
	Run([]byte)
}

type RunFunc

type RunFunc func([]byte) string
