func IsNamespaceSupported(nsNamespaceType)bool

func KnownHookNames() []string

func NsName(nsNamespaceType)string

func ToSchedAttr(scheduler *Scheduler) (*unix.SchedAttr,error)

type Actionint

type Arg struct {Indexuint     `json:"index"`Valueuint64   `json:"value"`ValueTwouint64   `json:"value_two"`OpOperator `json:"op"`}

type BlockIODevice =cgroups.BlockIODevice

type CPUAffinity struct {Initial, Final *unix.CPUSet}

funcConvertCPUAffinity¶added inv1.3.0

func ConvertCPUAffinity(sa *specs.CPUAffinity) (*CPUAffinity,error)

ConvertCPUAffinity convertsspecs.CPUAffinity toCPUAffinity.

type Capabilities struct {// Bounding is the set of capabilities checked by the kernel.Bounding []string// Effective is the set of capabilities checked by the kernel.Effective []string// Inheritable is the capabilities preserved across execve.Inheritable []string// Permitted is the limiting superset for effective capabilities.Permitted []string// Ambient is the ambient set of capabilities that are kept.Ambient []string}

type Cgroup =cgroups.Cgroup

type Command struct {Pathstring         `json:"path"`Args    []string       `json:"args"`Env     []string       `json:"env"`Dirstring         `json:"dir"`Timeout *time.Duration `json:"timeout"`}

func (*Command)Run¶added inv0.0.4

func (c *Command) Run(s *specs.State)error

type CommandHook struct {*Command}

funcNewCommandHook¶added inv0.0.4

func NewCommandHook(cmd *Command)CommandHook

NewCommandHook will execute the provided command when the hook is run.

type Config struct {// NoPivotRoot will use MS_MOVE and a chroot to jail the process into the container's rootfs// This is a common option when the container is running in ramdiskNoPivotRootbool `json:"no_pivot_root"`// ParentDeathSignal specifies the signal that is sent to the container's process in the case// that the parent process dies.ParentDeathSignalint `json:"parent_death_signal"`// Path to a directory containing the container's root filesystem.Rootfsstring `json:"rootfs"`// Umask is the umask to use inside of the container.Umask *uint32 `json:"umask"`// Readonlyfs will remount the container's rootfs as readonly where only externally mounted// bind mounts are writtable.Readonlyfsbool `json:"readonlyfs"`// Specifies the mount propagation flags to be applied to /.RootPropagationint `json:"rootPropagation"`// Mounts specify additional source and destination paths that will be mounted inside the container's// rootfs and mount namespace if specifiedMounts []*Mount `json:"mounts"`// The device nodes that should be automatically created within the container upon container start.  Note, make sure that the node is marked as allowed in the cgroup as well!Devices []*devices.Device `json:"devices"`MountLabelstring `json:"mount_label"`// Hostname optionally sets the container's hostname if providedHostnamestring `json:"hostname"`// Domainname optionally sets the container's domainname if providedDomainnamestring `json:"domainname"`// Namespaces specifies the container's namespaces that it should setup when cloning the init process// If a namespace is not provided that namespace is shared from the container's parent processNamespacesNamespaces `json:"namespaces"`// Capabilities specify the capabilities to keep when executing the process inside the container// All capabilities not specified will be dropped from the processes capability maskCapabilities *Capabilities `json:"capabilities"`// Networks specifies the container's network setup to be createdNetworks []*Network `json:"networks"`// Routes can be specified to create entries in the route table as the container is startedRoutes []*Route `json:"routes"`// Cgroups specifies specific cgroup settings for the various subsystems that the container is// placed into to limit the resources the container has availableCgroups *Cgroup `json:"cgroups"`// AppArmorProfile specifies the profile to apply to the process running in the container and is// change at the time the process is execedAppArmorProfilestring `json:"apparmor_profile,omitempty"`// ProcessLabel specifies the label to apply to the process running in the container.  It is// commonly used by selinuxProcessLabelstring `json:"process_label,omitempty"`// Rlimits specifies the resource limits, such as max open files, to set in the container// If Rlimits are not set, the container will inherit rlimits from the parent processRlimits []Rlimit `json:"rlimits,omitempty"`// OomScoreAdj specifies the adjustment to be made by the kernel when calculating oom scores// for a process. Valid values are between the range [-1000, '1000'], where processes with// higher scores are preferred for being killed. If it is unset then we don't touch the current// value.// More information about kernel oom score calculation here:https://lwn.net/Articles/317814/OomScoreAdj *int `json:"oom_score_adj,omitempty"`// UIDMappings is an array of User ID mappings for User NamespacesUIDMappings []IDMap `json:"uid_mappings"`// GIDMappings is an array of Group ID mappings for User NamespacesGIDMappings []IDMap `json:"gid_mappings"`// MaskPaths specifies paths within the container's rootfs to mask over with a bind// mount pointing to /dev/null as to prevent reads of the file.MaskPaths []string `json:"mask_paths"`// ReadonlyPaths specifies paths within the container's rootfs to remount as read-only// so that these files prevent any writes.ReadonlyPaths []string `json:"readonly_paths"`// Sysctl is a map of properties and their values. It is the equivalent of using// sysctl -w my.property.name value in Linux.Sysctl map[string]string `json:"sysctl"`// Seccomp allows actions to be taken whenever a syscall is made within the container.// A number of rules are given, each having an action to be taken if a syscall matches it.// A default action to be taken if no rules match is also given.Seccomp *Seccomp `json:"seccomp"`// NoNewPrivileges controls whether processes in the container can gain additional privileges.NoNewPrivilegesbool `json:"no_new_privileges,omitempty"`// Hooks are a collection of actions to perform at various container lifecycle events.// CommandHooks are serialized to JSON, but other hooks are not.HooksHooks// Version is the version of opencontainer specification that is supported.Versionstring `json:"version"`// Labels are user defined metadata that is stored in the config and populated on the stateLabels []string `json:"labels"`// NoNewKeyring will not allocated a new session keyring for the container.  It will use the// callers keyring in this case.NoNewKeyringbool `json:"no_new_keyring"`// IntelRdt specifies settings for Intel RDT group that the container is placed into// to limit the resources (e.g., L3 cache, memory bandwidth) the container has availableIntelRdt *IntelRdt `json:"intel_rdt,omitempty"`// RootlessEUID is set when the runc was launched with non-zero EUID.// Note that RootlessEUID is set to false when launched with EUID=0 in userns.// When RootlessEUID is set, runc creates a new userns for the container.// (config.json needs to contain userns settings)RootlessEUIDbool `json:"rootless_euid,omitempty"`// RootlessCgroups is set when unlikely to have the full access to cgroups.// When RootlessCgroups is set, cgroups errors are ignored.RootlessCgroupsbool `json:"rootless_cgroups,omitempty"`// TimeOffsets specifies the offset for supporting time namespaces.TimeOffsets map[string]specs.LinuxTimeOffset `json:"time_offsets,omitempty"`// Scheduler represents the scheduling attributes for a process.Scheduler *Scheduler `json:"scheduler,omitempty"`// Personality contains configuration for the Linux personality syscall.Personality *LinuxPersonality `json:"personality,omitempty"`// IOPriority is the container's I/O priority.IOPriority *IOPriority `json:"io_priority,omitempty"`// ExecCPUAffinity is CPU affinity for a non-init process to be run in the container.ExecCPUAffinity *CPUAffinity `json:"exec_cpu_affinity,omitempty"`}

func (*Config)HasHook¶added inv1.3.0

func (c *Config) HasHook(names ...HookName)bool

HasHook checks if config has any hooks with any given names configured.

func (Config)HostGID¶

func (cConfig) HostGID(containerIdint) (int,error)

HostGID gets the translated gid for the process on host which could bedifferent when user namespaces are enabled.

func (Config)HostRootGID¶added inv1.0.0

func (cConfig) HostRootGID() (int,error)

HostRootGID gets the root gid for the process on host which could be non-zerowhen user namespaces are enabled.

func (Config)HostRootUID¶added inv1.0.0

func (cConfig) HostRootUID() (int,error)

HostRootUID gets the root uid for the process on host which could be non-zerowhen user namespaces are enabled.

func (Config)HostUID¶

func (cConfig) HostUID(containerIdint) (int,error)

HostUID gets the translated uid for the process on host which could bedifferent when user namespaces are enabled.

type FreezerState =cgroups.FreezerState

type FuncHook struct {// contains filtered or unexported fields}

funcNewFunctionHook¶added inv0.0.4

func NewFunctionHook(f func(*specs.State)error)FuncHook

NewFunctionHook will call the provided function when the hook is run.

func (FuncHook)Run¶added inv0.0.4

func (fFuncHook) Run(s *specs.State)error

type Hook interface {// Run executes the hook with the provided state.Run(*specs.State)error}

type HookList []Hook

func (HookList)SetDefaultEnv¶added inv1.3.0

func (hooksHookList) SetDefaultEnv(env []string)

SetDefaultEnv sets the environment for those CommandHook entriesthat do not have one set.

type HookNamestring

type Hooks map[HookName]HookList

func (*Hooks)MarshalJSON¶added inv0.0.9

func (hooks *Hooks) MarshalJSON() ([]byte,error)

func (Hooks)Run¶added inv1.2.0

func (hooksHooks) Run(nameHookName, state *specs.State)error

Run executes all hooks for the given hook name.

func (*Hooks)UnmarshalJSON¶added inv0.0.9

func (hooks *Hooks) UnmarshalJSON(b []byte)error

type HugepageLimit =cgroups.HugepageLimit

type IDMap struct {ContainerIDint64 `json:"container_id"`HostIDint64 `json:"host_id"`Sizeint64 `json:"size"`}

type IOPriority = specs.LinuxIOPriority

type IfPrioMap =cgroups.IfPrioMap

type IntelRdt struct {// The identity for RDT Class of ServiceClosIDstring `json:"closID,omitempty"`// The schema for L3 cache id and capacity bitmask (CBM)// Format: "L3:<cache_id0>=<cbm0>;<cache_id1>=<cbm1>;..."L3CacheSchemastring `json:"l3_cache_schema,omitempty"`// The schema of memory bandwidth per L3 cache id// Format: "MB:<cache_id0>=bandwidth0;<cache_id1>=bandwidth1;..."// The unit of memory bandwidth is specified in "percentages" by// default, and in "MBps" if MBA Software Controller is enabled.MemBwSchemastring `json:"memBwSchema,omitempty"`}

type LinuxPersonality struct {// Domain for the personality// can only contain values "LINUX" and "LINUX32"Domainint `json:"domain"`}

type LinuxRdma =cgroups.LinuxRdma

type Mount struct {// Source path for the mount.Sourcestring `json:"source"`// Destination path for the mount inside the container.Destinationstring `json:"destination"`// Device the mount is for.Devicestring `json:"device"`// Mount flags.Flagsint `json:"flags"`// Mount flags that were explicitly cleared in the configuration (meaning// the user explicitly requested that these flags *not* be set).ClearedFlagsint `json:"cleared_flags"`// Propagation FlagsPropagationFlags []int `json:"propagation_flags"`// Mount data applied to the mount.Datastring `json:"data"`// Relabel source if set, "z" indicates shared, "Z" indicates unshared.Relabelstring `json:"relabel"`// RecAttr represents mount properties to be applied recursively (AT_RECURSIVE), see mount_setattr(2).RecAttr *unix.MountAttr `json:"rec_attr"`// Extensions are additional flags that are specific to runc.Extensionsint `json:"extensions"`// Mapping is the MOUNT_ATTR_IDMAP configuration for the mount. If non-nil,// the mount is configured to use MOUNT_ATTR_IDMAP-style id mappings.IDMapping *MountIDMapping `json:"id_mapping,omitempty"`}

func (*Mount)IsBind¶added inv1.1.0

func (m *Mount) IsBind()bool

func (*Mount)IsIDMapped¶added inv1.2.0

func (m *Mount) IsIDMapped()bool

type MountIDMapping struct {// Recursive indicates if the mapping needs to be recursive.Recursivebool `json:"recursive"`// UserNSPath is a path to a user namespace that indicates the necessary// id-mappings for MOUNT_ATTR_IDMAP. If set to non-"", UIDMappings and// GIDMappings must be set to nil.UserNSPathstring `json:"userns_path,omitempty"`// UIDMappings is the uid mapping set for this mount, to be used with// MOUNT_ATTR_IDMAP.UIDMappings []IDMap `json:"uid_mappings,omitempty"`// GIDMappings is the gid mapping set for this mount, to be used with// MOUNT_ATTR_IDMAP.GIDMappings []IDMap `json:"gid_mappings,omitempty"`}

type Namespace struct {TypeNamespaceType `json:"type"`Pathstring        `json:"path"`}

func (*Namespace)GetPath¶

func (n *Namespace) GetPath(pidint)string

func (*Namespace)Syscall¶

func (n *Namespace) Syscall()int

type NamespaceTypestring

funcNamespaceTypes¶

func NamespaceTypes() []NamespaceType

type Namespaces []Namespace

func (*Namespaces)Add¶

func (n *Namespaces) Add(tNamespaceType, pathstring)

func (*Namespaces)CloneFlags¶

func (n *Namespaces) CloneFlags()uintptr

CloneFlags parses the container's Namespaces options to set the correctflags on clone, unshare. This function returns flags only for new namespaces.

func (*Namespaces)Contains¶

func (n *Namespaces) Contains(tNamespaceType)bool

func (Namespaces)IsPrivate¶added inv1.2.0

func (nNamespaces) IsPrivate(tNamespaceType)bool

IsPrivate tells whether the namespace of type t is configured as private(i.e. it exists and is not shared).

func (*Namespaces)PathOf¶added inv0.0.9

func (n *Namespaces) PathOf(tNamespaceType)string

func (*Namespaces)Remove¶

func (n *Namespaces) Remove(tNamespaceType)bool

type Network struct {// Type sets the networks type, commonly veth and loopbackTypestring `json:"type"`// Name of the network interfaceNamestring `json:"name"`// The bridge to use.Bridgestring `json:"bridge"`// MacAddress contains the MAC address to set on the network interfaceMacAddressstring `json:"mac_address"`// Address contains the IPv4 and mask to set on the network interfaceAddressstring `json:"address"`// Gateway sets the gateway address that is used as the default for the interfaceGatewaystring `json:"gateway"`// IPv6Address contains the IPv6 and mask to set on the network interfaceIPv6Addressstring `json:"ipv6_address"`// IPv6Gateway sets the ipv6 gateway address that is used as the default for the interfaceIPv6Gatewaystring `json:"ipv6_gateway"`// Mtu sets the mtu value for the interface and will be mirrored on both the host and// container's interfaces if a pair is created, specifically in the case of type veth// Note: This does not apply to loopback interfaces.Mtuint `json:"mtu"`// TxQueueLen sets the tx_queuelen value for the interface and will be mirrored on both the host and// container's interfaces if a pair is created, specifically in the case of type veth// Note: This does not apply to loopback interfaces.TxQueueLenint `json:"txqueuelen"`// HostInterfaceName is a unique name of a veth pair that resides on in the host interface of the// container.HostInterfaceNamestring `json:"host_interface_name"`// HairpinMode specifies if hairpin NAT should be enabled on the virtual interface// bridge port in the case of type veth// Note: This is unsupported on some systems.// Note: This does not apply to loopback interfaces.HairpinModebool `json:"hairpin_mode"`}

type Operatorint

type Resources =cgroups.Resources

type Rlimit struct {Typeint    `json:"type"`Harduint64 `json:"hard"`Softuint64 `json:"soft"`}

type Route struct {// Destination specifies the destination IP address and mask in the CIDR form.Destinationstring `json:"destination"`// Source specifies the source IP address and mask in the CIDR form.Sourcestring `json:"source"`// Gateway specifies the gateway IP address.Gatewaystring `json:"gateway"`// InterfaceName specifies the device to set this route up for, for example eth0.InterfaceNamestring `json:"interface_name"`}

type Scheduler = specs.Scheduler

type Seccomp struct {DefaultActionAction                   `json:"default_action"`Architectures    []string                 `json:"architectures"`Flags            []specs.LinuxSeccompFlag `json:"flags"`Syscalls         []*Syscall               `json:"syscalls"`DefaultErrnoRet  *uint                    `json:"default_errno_ret"`ListenerPathstring                   `json:"listener_path,omitempty"`ListenerMetadatastring                   `json:"listener_metadata,omitempty"`}

type Syscall struct {Namestring `json:"name"`ActionAction `json:"action"`ErrnoRet *uint  `json:"errnoRet"`Args     []*Arg `json:"args"`}

type ThrottleDevice =cgroups.ThrottleDevice

type WeightDevice =cgroups.WeightDevice