incusd

Overview ¶

*

• This file is a bit funny. The goal here is to use setns() to manipulate
• files inside the container, so we don't have to reason about the paths to
• make sure they don't escape (we can simply rely on the kernel for
• correctness). Unfortunately, you can't setns() to a mount namespace with a
• multi-threaded program, which every golang binary is. However, by declaring
• our init as an initializer, we can capture process control before it is
• transferred to the golang runtime, so we can then setns() as we'd like
• before golang has a chance to set up any threads. So, we implement two new
• fork* commands which are captured here, and take a file on the host fs
• and copy it into the container ns. *
• An alternative to this would be to move this code into a separate binary,
• which of course has problems of its own when it comes to packaging (how do
• we find the binary, what do we do if someone does file push and it is
• missing, etc.). After some discussion, even though the embedded method is
• somewhat convoluted, it was preferred.

Incus external REST API ¶

This is the REST API used by all Incus clients. Internal endpoints aren't included in this documentation.

The Incus API is available over both a local unix+http and remote https API. Authentication for local users relies on group membership and access to the unix socket. For remote users, the default authentication method is TLS client certificates.

Version: 1.0
License: Apache-2.0 https://www.apache.org/licenses/LICENSE-2.0
Contact: Incus upstream <lxc-devel@lists.linuxcontainers.org> https://github.com/lxc/incus

swagger:meta