Documentation ¶
Constants ¶
This section is empty.
Variables ¶
// Sentinel errors for on-disk state that is missing or unreadable. Most kinds
// of file have both an "absent" and a "corrupted" variant so that callers can
// tell a file that was never written apart from one that exists but fails to
// parse; compare with errors.Is.
var (
	// ErrNoSealed: no sealed configuration file is present.
	ErrNoSealed = errors.New("no sealed configuration exists")
	// ErrSealedCorrupted: a sealed configuration is present but unusable.
	ErrSealedCorrupted = errors.New("sealed configuration corrupted")
	// ErrNoParameters: no node parameters file is present.
	ErrNoParameters = errors.New("no parameters found")
	// ErrParametersCorrupted: node parameters are present but unusable.
	ErrParametersCorrupted = errors.New("parameters corrupted")
	// ErrNoDirectory: no cluster directory file is present.
	ErrNoDirectory = errors.New("no cluster directory found")
	// ErrDirectoryCorrupted: a cluster directory is present but unusable.
	ErrDirectoryCorrupted = errors.New("cluster directory corrupted")
	// ErrNetworkConfigCorrupted: a network configuration is present but
	// unusable. There is deliberately no "absent" counterpart, consistent
	// with the network configuration being optional (see
	// ESPNetworkConfiguration).
	ErrNetworkConfigCorrupted = errors.New("network configuration corrupted")
)
Functions ¶
This section is empty.
Types ¶
type CertificateTemplateNamer ¶
// CertificateTemplateNamer produces an x509.Certificate template for the
// given public key. NOTE(review): the encoding expected for pubkey (raw
// Ed25519 bytes vs. PKIX DER) is not visible on this page — confirm against
// the callers before relying on it.
type CertificateTemplateNamer func(pubkey []byte) x509.Certificate
type DataDirectory ¶
// DataDirectory is the node's persistent data partition: an xfs filesystem on
// a cryptsetup/LUKS volume whose key is derived from the global and local
// unlock keys (see MountExisting and MountNew). Everything stored below it is
// therefore encrypted at rest, in contrast to the cleartext ESPDirectory.
type DataDirectory struct {
	declarative.Directory
	// Containerd state (images, snapshots) for the container runtime.
	Containerd declarative.Directory `dir:"containerd"`
	// Etcd data and peer PKI for the consensus member on this node.
	Etcd DataEtcdDirectory `dir:"etcd"`
	// Kubernetes component state and per-component PKI.
	Kubernetes DataKubernetesDirectory `dir:"kubernetes"`
	// Node identity: credentials and persisted roles.
	Node DataNodeDirectory `dir:"node"`
	// Backing storage for volumes.
	Volumes DataVolumesDirectory `dir:"volumes"`
	// contains filtered or unexported fields
}
DataDirectory is an xfs partition mounted via cryptsetup/LUKS, with a key derived from {global,local}Unlock keys.
func (*DataDirectory) MountExisting ¶
func (d *DataDirectory) MountExisting(config *ppb.SealedConfiguration, clusterUnlockKey []byte) error
MountExisting mounts the node data partition with the given cluster unlock key. It automatically unseals the node unlock key from the TPM.
func (*DataDirectory) MountNew ¶
func (d *DataDirectory) MountNew(config *ppb.SealedConfiguration, security cpb.NodeStorageSecurity) ([]byte, error)
MountNew initializes the node data partition and returns the cluster unlock key. It seals the local portion into the TPM. This is a potentially slow operation since it touches the whole partition.
type DataEtcdDirectory ¶
// DataEtcdDirectory holds the on-disk state of this node's etcd member: its
// peer PKI material, the peer CRL, and the etcd data directory itself.
type DataEtcdDirectory struct {
	declarative.Directory
	// PeerPKI holds the CA, certificate and private key used on etcd
	// peer connections.
	PeerPKI PKIDirectory `dir:"peer_pki"`
	// PeerCRL is the certificate revocation list applied to peer
	// certificates; file format is not visible on this page.
	PeerCRL declarative.File `file:"peer_crl"`
	// Data is the etcd data directory.
	Data declarative.Directory `dir:"data"`
}
type DataKubernetesCSIProvisionerDirectory ¶
// DataKubernetesCSIProvisionerDirectory holds the PKI material of the CSI
// provisioner component.
type DataKubernetesCSIProvisionerDirectory struct {
	declarative.Directory
	// PKI holds the CA, certificate and private key for the CSI provisioner.
	PKI PKIDirectory `dir:"pki"`
}
type DataKubernetesClusterNetworkingDirectory ¶
// DataKubernetesClusterNetworkingDirectory holds the cluster networking
// private key. It lives on the encrypted data partition; its key format is
// not visible on this page.
type DataKubernetesClusterNetworkingDirectory struct {
	declarative.Directory
	// Key is the cluster networking private key.
	Key declarative.File `file:"private.key"`
}
type DataKubernetesDirectory ¶
// DataKubernetesDirectory groups the per-component persistent state of the
// Kubernetes stack on this node. Each component gets its own subdirectory and,
// where applicable, its own PKIDirectory, so credentials are not shared
// across components.
type DataKubernetesDirectory struct {
	declarative.Directory
	// ClusterNetworking holds the cluster networking private key.
	ClusterNetworking DataKubernetesClusterNetworkingDirectory `dir:"clusternet"`
	// CSIProvisioner holds the CSI provisioner's PKI.
	CSIProvisioner DataKubernetesCSIProvisionerDirectory `dir:"csiprovisioner"`
	// Netservices holds the network services component's PKI.
	Netservices DataKubernetesNetservicesDirectory `dir:"netservices"`
	// Kubelet holds kubelet PKI, plugin sockets and pod logs.
	Kubelet DataKubernetesKubeletDirectory `dir:"kubelet"`
}
type DataKubernetesKubeletDirectory ¶
// DataKubernetesKubeletDirectory is the kubelet's state directory. Several of
// its paths are fixed by upstream kubelet or by plugins and cannot be moved
// without patching those components; those are called out inline.
type DataKubernetesKubeletDirectory struct {
	declarative.Directory
	// PKI holds the kubelet's CA, certificate and private key.
	PKI PKIDirectory `dir:"pki"`
	// DevicePlugins is the device plugin registration directory.
	DevicePlugins struct {
		declarative.Directory
		// Used by Kubelet, hardcoded relative to
		// DataKubernetesKubeletDirectory
		Kubelet declarative.File `file:"kubelet.sock"`
	} `dir:"device-plugins"`
	// Pod logs, hardcoded to /data/kubelet/logs in
	// @com_github_kubernetes//pkg/kubelet/kuberuntime:kuberuntime_manager.go
	Logs declarative.Directory `dir:"logs"`
	// Plugins holds the unix sockets served by the VFS and KVM plugins.
	Plugins struct {
		declarative.Directory
		VFS declarative.File `file:"dev.monogon.metropolis.vfs.sock"`
		KVM declarative.File `file:"devices.monogon.dev_kvm.sock"`
	} `dir:"plugins"`
	// PluginsRegistry holds the plugin registration sockets that pair with
	// the entries in Plugins.
	PluginsRegistry struct {
		declarative.Directory
		VFSReg declarative.File `file:"dev.monogon.metropolis.vfs-reg.sock"`
		KVMReg declarative.File `file:"devices.monogon.dev_kvm-reg.sock"`
	} `dir:"plugins_registry"`
}
type DataKubernetesNetservicesDirectory ¶
// DataKubernetesNetservicesDirectory holds the PKI material of the network
// services component.
type DataKubernetesNetservicesDirectory struct {
	declarative.Directory
	// PKI holds the CA, certificate and private key for network services.
	PKI PKIDirectory `dir:"pki"`
}
type DataNodeDirectory ¶
// DataNodeDirectory holds this node's own identity: its cluster credentials
// and the roles it has been assigned. Both live on the encrypted data
// partition.
type DataNodeDirectory struct {
	declarative.Directory
	// Credentials is the node's CA, certificate and private key.
	Credentials PKIDirectory `dir:"credentials"`
	// PersistedRoles is a serialized protobuf of the node's roles; the
	// exact message type is not visible on this page.
	PersistedRoles declarative.File `file:"roles.pb"`
}
type DataVolumesDirectory ¶
// DataVolumesDirectory is the volumes subdirectory of the data partition
// (DataDirectory.Volumes). It declares no further structure of its own.
type DataVolumesDirectory struct {
	declarative.Directory
}
type ESPBootDirectory ¶
// ESPBootDirectory is the EFI/BOOT directory of the EFI System Partition
// (ESPEFIDirectory.Boot). It declares no further structure of its own.
type ESPBootDirectory struct {
	declarative.Directory
}
type ESPClusterDirectory ¶
// ESPClusterDirectory is a serialized common.ClusterDirectory protobuf listing
// endpoints a registered node may contact when joining a cluster. It is stored
// on the cleartext ESP (see ESPDirectory), so its contents are neither
// confidential nor, as far as this page shows, integrity-protected: the
// joining node should treat the endpoint list as untrusted input and rely on
// its own credentials to authenticate whatever it reaches.
type ESPClusterDirectory struct {
	declarative.File
}
ESPClusterDirectory is a serialized common.ClusterDirectory protobuf. It contains a list of endpoints a registered node might connect to when joining a cluster.
func (*ESPClusterDirectory) Unmarshal ¶
func (e *ESPClusterDirectory) Unmarshal() (*cpb.ClusterDirectory, error)
type ESPDirectory ¶
// ESPDirectory is the EFI System Partition: a cleartext partition available at
// early boot that must carry everything needed to bootstrap, register into or
// join a cluster. Because it is cleartext, only TPM-sealed content placed here
// (see ESPSealedConfiguration) can be considered confidential.
type ESPDirectory struct {
	declarative.Directory
	// Metropolis holds Metropolis data that EFI itself does not read.
	Metropolis ESPMetropolisDirectory `dir:"metropolis"`
	// EFI holds the boot loader payloads read by firmware.
	EFI ESPEFIDirectory `dir:"ESP"`
}
ESPDirectory is the EFI System Partition. It is a cleartext partition available to the system at early boot, and must contain all data required for the system to bootstrap, register into, or join a cluster.
type ESPEFIDirectory ¶
// ESPEFIDirectory is the firmware-facing part of the ESP.
type ESPEFIDirectory struct {
	declarative.Directory
	// Boot is the standard EFI/BOOT directory.
	Boot ESPBootDirectory `dir:"BOOT"`
	// Metropolis holds the Metropolis EFI boot payloads.
	Metropolis ESPEFIMetropolisDirectory `dir:"metropolis"`
}
type ESPEFIMetropolisDirectory ¶
// ESPEFIMetropolisDirectory holds the two Metropolis EFI boot payloads,
// presumably the A and B slots of an A/B update scheme (the selection
// mechanism is not visible on this page).
type ESPEFIMetropolisDirectory struct {
	declarative.Directory
	BootA declarative.File `file:"boot-a.efi"`
	BootB declarative.File `file:"boot-b.efi"`
}
type ESPMetropolisDirectory ¶
// ESPMetropolisDirectory is the part of the ESP holding Metropolis data that
// EFI itself does not read, such as bootstrap-related files. Of the four
// files below only SealedConfiguration is TPM-sealed; the others are plain
// serialized protobufs on a cleartext partition.
type ESPMetropolisDirectory struct {
	declarative.Directory
	// SealedConfiguration is the TPM-sealed private.SealedConfiguration.
	SealedConfiguration ESPSealedConfiguration `file:"sealed_configuration.pb"`
	// NodeParameters is the api.NodeParameters used at bootstrap/register.
	NodeParameters ESPNodeParameters `file:"parameters.pb"`
	// ClusterDirectory lists endpoints to contact when joining.
	ClusterDirectory ESPClusterDirectory `file:"cluster_directory.pb"`
	// NetworkConfiguration optionally overrides automatic network setup.
	NetworkConfiguration ESPNetworkConfiguration `file:"network_configuration.pb"`
}
ESPMetropolisDirectory is the directory inside the EFI System Partition where Metropolis-related data that is not read by EFI itself, such as bootstrap-related data, is stored.
type ESPNetworkConfiguration ¶
// ESPNetworkConfiguration is an optional serialized net.Net protobuf. When
// present it disables automatic network configuration and the contained
// settings are used instead. It lives on the cleartext ESP, and this page
// shows no integrity protection for it, so anyone able to write the ESP can
// steer the node's network configuration; a present-but-unparseable file
// yields ErrNetworkConfigCorrupted.
type ESPNetworkConfiguration struct {
	declarative.File
}
ESPNetworkConfiguration is a serialized net.Net protobuf. If present, it disables automatic network configuration and uses the given configuration to enable network connectivity.
type ESPNodeParameters ¶
// ESPNodeParameters is the api.NodeParameters protobuf consumed when this node
// first bootstraps a cluster or registers into an existing one. It is read via
// Unmarshal; a missing or unparseable file presumably maps to ErrNoParameters
// / ErrParametersCorrupted (the method body is not visible on this page).
type ESPNodeParameters struct {
	declarative.File
}
ESPNodeParameters is the configuration for this node when first bootstrapping a cluster or registering into an existing one. It is an api.NodeParameters protobuf message.
func (*ESPNodeParameters) Unmarshal ¶
func (e *ESPNodeParameters) Unmarshal() (*apb.NodeParameters, error)
type ESPSealedConfiguration ¶
// ESPSealedConfiguration is a TPM-sealed, serialized private.SealedConfiguration
// protobuf holding everything a node needs to join its cluster after startup.
// It is the only confidential item on the otherwise cleartext ESP; sealing
// and unsealing both take a cpb.NodeTPMUsage (see SealSecureBoot and Unseal).
// NOTE(review): which PCRs the seal is bound to is not visible on this page —
// confirm in the implementation, since that determines what boot-state
// changes invalidate the seal.
type ESPSealedConfiguration struct {
	declarative.File
}
ESPSealedConfiguration is a TPM-sealed, serialized private.SealedConfiguration protobuf. It contains all data required for a node to join a cluster after startup.
func (*ESPSealedConfiguration) SealSecureBoot ¶
func (e *ESPSealedConfiguration) SealSecureBoot(c *ppb.SealedConfiguration, tpmUsage cpb.NodeTPMUsage) error
func (*ESPSealedConfiguration) Unseal ¶
func (e *ESPSealedConfiguration) Unseal(tpmUsage cpb.NodeTPMUsage) (*ppb.SealedConfiguration, error)
type EphemeralConsensusDirectory ¶
// EphemeralConsensusDirectory holds the runtime (tmpfs-backed) artifacts of
// the consensus service: its client socket and server log FIFO.
type EphemeralConsensusDirectory struct {
	declarative.Directory
	// ClientSocket is the unix socket local clients use to reach consensus.
	ClientSocket declarative.File `file:"client.sock"`
	// ServerLogsFIFO carries the consensus server's log output.
	ServerLogsFIFO declarative.File `file:"server-logs.fifo"`
}
type EphemeralContainerdDirectory ¶
// EphemeralContainerdDirectory holds the runtime (tmpfs-backed) state of the
// container runtime: its control socket, log FIFO and the scratch/CNI
// directories used by runsc.
type EphemeralContainerdDirectory struct {
	declarative.Directory
	// ClientSocket is containerd's unix control socket.
	ClientSocket declarative.File `file:"client.sock"`
	// RunSCLogsFIFO carries runsc (gVisor) log output.
	RunSCLogsFIFO declarative.File `file:"runsc-logs.fifo"`
	Tmp   declarative.Directory `dir:"tmp"`
	RunSC declarative.Directory `dir:"runsc"`
	IPAM  declarative.Directory `dir:"ipam"`
	CNI   declarative.Directory `dir:"cni"`
	// Hardcoded @com_github_containernetworking_cni via patch
	CNICache declarative.Directory `dir:"cni-cache"`
}
type EphemeralDirectory ¶
// EphemeralDirectory is tmpfs-backed runtime state (sockets, FIFOs, temporary
// config) that does not survive a reboot; see Root.Ephemeral.
type EphemeralDirectory struct {
	declarative.Directory
	Consensus  EphemeralConsensusDirectory  `dir:"consensus"`
	Containerd EphemeralContainerdDirectory `dir:"containerd"`
	// FlexvolumePlugins is the kubelet flexvolume plugin directory.
	FlexvolumePlugins declarative.Directory `dir:"flexvolume_plugins"`
	// Hosts and MachineID are the real files behind the /etc symlinks
	// declared in EtcDirectory.
	Hosts     declarative.File `file:"hosts"`
	MachineID declarative.File `file:"machine-id"`
}
type EtcDirectory ¶
// EtcDirectory is the FHS /etc directory. The entries declared here are
// symlinks baked into the read-only erofs system image that point at the
// writable copies under EphemeralDirectory.
type EtcDirectory struct {
	declarative.Directory
	// Symlinked to /ephemeral/hosts, baked into the erofs system image
	Hosts declarative.File `file:"hosts"`
	// Symlinked to /ephemeral/machine-id, baked into the erofs system image
	MachineID declarative.File `file:"machine-id"`
}
type PKIDirectory ¶
// PKIDirectory is the standard on-disk layout for one identity: a CA
// certificate, a leaf certificate and the matching Ed25519 private key, each
// PEM-encoded (the key as PKCS#8). The Write* methods overwrite existing
// files; GeneratePrivateKey is a no-op when a key already exists, and the
// Read* methods return parsed x509/ed25519 values. NOTE(review): the file
// mode applied when cert-key.pem is written is not visible on this page —
// confirm it is restricted to the owning user, since every PKIDirectory in
// this package stores a private key.
type PKIDirectory struct {
	declarative.Directory
	// CACertificate is the PEM-encoded CA certificate.
	CACertificate declarative.File `file:"ca.pem"`
	// Certificate is the PEM-encoded leaf certificate.
	Certificate declarative.File `file:"cert.pem"`
	// Key is the PEM-encoded PKCS#8 Ed25519 private key.
	Key declarative.File `file:"cert-key.pem"`
}
func (*PKIDirectory) AllAbsent ¶
func (p *PKIDirectory) AllAbsent() (bool, error)
AllAbsent returns true if all PKI files (cert, key, CA cert) are missing from the backing store.
func (*PKIDirectory) AllExist ¶
func (p *PKIDirectory) AllExist() (bool, error)
AllExist returns true if all PKI files (cert, key, CA cert) are present on the backing store.
func (*PKIDirectory) GeneratePrivateKey ¶
func (p *PKIDirectory) GeneratePrivateKey() error
GeneratePrivateKey generates an Ed25519 private key for this PKIDirectory if one does not yet exist.
func (*PKIDirectory) ReadAll ¶
func (p *PKIDirectory) ReadAll() (ca, cert *x509.Certificate, key ed25519.PrivateKey, err error)
ReadAll reads and parses (PEM + PKCS8/X509) the stored certificates and key of this PKIDirectory.
func (*PKIDirectory) ReadCertificates ¶
func (p *PKIDirectory) ReadCertificates() (ca, cert *x509.Certificate, err error)
ReadCertificates reads and parses (PEM + X509) the certificates from a PKIDirectory.
func (*PKIDirectory) ReadPrivateKey ¶
func (p *PKIDirectory) ReadPrivateKey() (ed25519.PrivateKey, error)
ReadPrivateKey loads an Ed25519 private key from the PKIDirectory and deserializes it (PEM + PKCS8).
func (*PKIDirectory) WriteAll ¶
func (p *PKIDirectory) WriteAll(cert []byte, key ed25519.PrivateKey, ca []byte) error
WriteAll (over)writes the PKI data in this directory with the given private key, certificate and CA certificate.
For ease of use, the accepted certificates are expected to already be in DER-encoded form (e.g. from the Raw field of an x509.Certificate).
func (*PKIDirectory) WriteCertificates ¶
func (p *PKIDirectory) WriteCertificates(ca, cert []byte) error
WriteCertificates serializes (PEM) and saves the given certificates into the PKIDirectory, overwriting whatever might already be present there.
For ease of use, the accepted certificates are expected to already be in DER-encoded form (e.g. from the Raw field of an x509.Certificate).
func (*PKIDirectory) WritePrivateKey ¶
func (p *PKIDirectory) WritePrivateKey(key ed25519.PrivateKey) error
WritePrivateKey serializes the given private key (PKCS8 + PEM) and writes it to the PKIDirectory, overwriting whatever might already be present there.
type Root ¶
// Root is the top-level filesystem layout of a Metropolis node. It ties
// together the cleartext ESP, the encrypted data partition, tmpfs-backed
// runtime state and the FHS compatibility directories.
type Root struct {
	declarative.Directory
	// UEFI ESP partition, mounted from plaintext storage.
	ESP ESPDirectory `dir:"esp"`
	// Persistent Data partition, mounted from encrypted and authenticated storage.
	Data DataDirectory `dir:"data"`
	// FHS-standard /etc directory, contains /etc/hosts, /etc/machine-id, and
	// other compatibility files.
	Etc EtcDirectory `dir:"etc"`
	// Ephemeral data, used by runtime, stored in tmpfs. Things like sockets,
	// temporary config files, etc.
	Ephemeral EphemeralDirectory `dir:"ephemeral"`
	// FHS-standard /tmp directory, used by os.MkdirTemp.
	Tmp TmpDirectory `dir:"tmp"`
	// FHS-standard /run directory. Used by various services.
	Run RunDirectory `dir:"run"`
}
type RunDirectory ¶
// RunDirectory is the FHS /run directory. Its containerd subdirectory path is
// fixed by upstream containerd and cannot be relocated without patching it.
type RunDirectory struct {
	declarative.Directory
	// Hardcoded in @com_github_containerd_containerd//pkg/process:utils.go and
	// @com_github_containerd_containerd//runtime/v2/shim:util_unix.go
	Containerd declarative.Directory `dir:"containerd"`
}
type TmpDirectory ¶
// TmpDirectory is the FHS /tmp directory (Root.Tmp), used by os.MkdirTemp. It
// declares no further structure of its own.
type TmpDirectory struct {
	declarative.Directory
}