guardiancmd

package
v0.0.0-...-fd60faa Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 7, 2026 License: Apache-2.0 Imports: 72 Imported by: 7

Documentation

Index

Constants

View Source 
const (
	LogLevelDebug = "debug"
	LogLevelInfo  = "info"
	LogLevelError = "error"
	LogLevelFatal = "fatal"
)

Variables

View Source 
var PrivilegedContainerNamespaces = []specs.LinuxNamespace{
	goci.NetworkNamespace, goci.PIDNamespace, goci.UTSNamespace, goci.IPCNamespace, goci.MountNamespace,
}

Functions

func AllowSyscall 

func AllowSyscall(syscall string, args ...specs.LinuxSeccompArg) specs.LinuxSyscall

func MinPtraceKernelVersion 

func MinPtraceKernelVersion() (uint16, uint16, uint16)

Types

type CIDRFlag 

type CIDRFlag struct {
	// contains filtered or unexported fields
}

func (CIDRFlag) CIDR 

func (f CIDRFlag) CIDR() *net.IPNet

func (CIDRFlag) String 

func (f CIDRFlag) String() string

func (*CIDRFlag) UnmarshalFlag 

func (f *CIDRFlag) UnmarshalFlag(value string) error

type CleanupCommand 

type CleanupCommand struct {
	*CommonCommand
}

func (*CleanupCommand) Execute 

func (cmd *CleanupCommand) Execute(args []string) error

type CommonCommand 

type CommonCommand struct {
	Logger LagerFlag

	Server struct {
		BindIP   IPFlag `long:"bind-ip"   description:"Bind with TCP on the given IP."`
		BindPort uint16 `long:"bind-port" description:"Bind with TCP on the given port."`

		BindSocket string `long:"bind-socket" default:"/tmp/garden.sock" description:"Bind with Unix on the given socket path."`

		DebugBindIP   IPFlag `long:"debug-bind-ip"                   description:"Bind the debug server on the given IP."`
		DebugBindPort uint16 `long:"debug-bind-port" default:"17013" description:"Bind the debug server to the given port."`

		Tag       string `hidden:"true" long:"tag" description:"Optional 2-character identifier used for namespacing global configuration."`
		SkipSetup bool   `long:"skip-setup" description:"Skip the preparation part of the host that requires root privileges"`

		ReadHeaderTimeout time.Duration `long:"read-header-timeout" description:"The amount of time allowed to read request headers"`
	} `group:"Server Configuration"`

	Containers struct {
		Dir                        string                 `long:"depot" default:"/var/run/gdn/depot" description:"Directory in which to store container data."`
		PropertiesPath             string                 `long:"properties-path" description:"Path in which to store properties."`
		ConsoleSocketsPath         string                 `long:"console-sockets-path" description:"Path in which to store temporary sockets"`
		CleanupProcessDirsOnWait   bool                   `long:"cleanup-process-dirs-on-wait" description:"Clean up proccess dirs on first invocation of wait"`
		DisablePrivilgedContainers bool                   `long:"disable-privileged-containers" description:"Disable creation of privileged containers"`
		DeviceCgroupRules          []DeviceCgroupRuleFlag `long:"device-cgroup-rule" description:"Device cgroup rules that will be applied to privileged containers"`

		UIDMapStart  uint32 `long:"uid-map-start"  default:"1" description:"The lowest numerical subordinate user ID the user is allowed to map"`
		UIDMapLength uint32 `long:"uid-map-length" description:"The number of numerical subordinate user IDs the user is allowed to map"`
		GIDMapStart  uint32 `long:"gid-map-start"  default:"1" description:"The lowest numerical subordinate group ID the user is allowed to map"`
		GIDMapLength uint32 `long:"gid-map-length" description:"The number of numerical subordinate group IDs the user is allowed to map"`

		DefaultRootFS              string        `long:"default-rootfs"     description:"Default rootfs to use when not specified on container creation."`
		DefaultGraceTime           time.Duration `long:"default-grace-time" description:"Default time after which idle containers should expire."`
		DestroyContainersOnStartup bool          `long:"destroy-containers-on-startup" description:"Clean up all the existing containers on startup."`
		ApparmorProfile            string        `long:"apparmor" description:"Apparmor profile to use for unprivileged container processes"`
	} `group:"Container Lifecycle"`

	Bin struct {
		AssetsDir       string   `long:"assets-dir"     default:"/var/gdn/assets" description:"Directory in which to extract packaged assets"`
		Dadoo           FileFlag `long:"dadoo-bin"      description:"Path to the 'dadoo' binary."`
		NSTar           FileFlag `long:"nstar-bin"      description:"Path to the 'nstar' binary."`
		Tar             FileFlag `long:"tar-bin"        description:"Path to the 'tar' binary."`
		IPTables        FileFlag `long:"iptables-bin"  default:"/sbin/iptables" description:"path to the iptables binary"`
		IPTablesRestore FileFlag `long:"iptables-restore-bin"  default:"/sbin/iptables-restore" description:"path to the iptables-restore binary"`
		Init            FileFlag `long:"init-bin"       description:"Path execute as pid 1 inside each container."`
	} `group:"Binary Tools"`

	Runtime struct {
		Plugin          string   `long:"runtime-plugin"       default:"runc" description:"Path to the runtime plugin binary."`
		PluginExtraArgs []string `long:"runtime-plugin-extra-arg" description:"Extra argument to pass to the runtime plugin. Can be specified multiple times."`
	} `group:"Runtime"`

	Image struct {
		NoPlugin bool `long:"no-image-plugin" description:"Do not use the embedded 'grootfs' image plugin."`

		Plugin          FileFlag `long:"image-plugin"           description:"Path to image plugin binary."`
		PluginExtraArgs []string `` /* 150-byte string literal not displayed */

		PrivilegedPlugin          FileFlag `long:"privileged-image-plugin"           description:"Path to privileged image plugin binary."`
		PrivilegedPluginExtraArgs []string `` /* 159-byte string literal not displayed */
	} `group:"Image"`

	Docker struct {
		Registry           string   `long:"docker-registry" default:"registry-1.docker.io" description:"Docker registry API endpoint."`
		InsecureRegistries []string `` /* 137-byte string literal not displayed */
	} `group:"Docker Image Fetching"`

	Network struct {
		Pool CIDRFlag `long:"network-pool" default:"10.254.0.0/22" description:"Network range to use for dynamically allocated container subnets."`

		AllowHostAccess bool       `long:"allow-host-access" description:"Allow network access to the host machine."`
		DenyNetworks    []CIDRFlag `` /* 135-byte string literal not displayed */

		DNSServers           []IPFlag `` /* 138-byte string literal not displayed */
		AdditionalDNSServers []IPFlag `` /* 148-byte string literal not displayed */

		AdditionalHostEntries []string `` /* 151-byte string literal not displayed */

		ExternalIP             IPFlag `` /* 136-byte string literal not displayed */
		PortPoolStart          uint32 `long:"port-pool-start" default:"61001" description:"Start of the ephemeral port range used for mapped container ports."`
		PortPoolSize           uint32 `long:"port-pool-size"  default:"4534"  description:"Size of the port pool used for mapped container ports."`
		PortPoolPropertiesPath string `long:"port-pool-properties-path" description:"Path in which to store port pool properties."`

		Mtu int `` /* 169-byte string literal not displayed */

		Plugin          FileFlag `long:"network-plugin"           description:"Path to network plugin binary."`
		PluginExtraArgs []string `long:"network-plugin-extra-arg" description:"Extra argument to pass to the network plugin. Can be specified multiple times."`

		EnableMetrics bool `` /* 128-byte string literal not displayed */
	} `group:"Container Networking"`

	Limits struct {
		CPUQuotaPerShare     uint64 `` /* 146-byte string literal not displayed */
		DefaultBlockIOWeight uint16 `long:"default-container-blockio-weight" default:"0" description:"Default block IO weight assigned to a container"`
		MaxContainers        uint64 `long:"max-containers" default:"0" description:"Maximum number of containers that can be created."`
		DisableSwapLimit     bool   `long:"disable-swap-limit" description:"Disable swap memory limit"`
	} `group:"Limits"`

	Metrics struct {
		EmissionInterval time.Duration `long:"metrics-emission-interval" default:"1m" description:"Interval on which to emit metrics."`

		DropsondeOrigin        string  `long:"dropsonde-origin"      default:"garden-linux"   description:"Origin identifier for Dropsonde-emitted metrics."`
		DropsondeDestination   string  `long:"dropsonde-destination" default:"127.0.0.1:3457" description:"Destination for Dropsonde-emitted metrics."`
		CPUEntitlementPerShare float64 `long:"cpu-entitlement-per-share" description:"CPU percentage entitled to a container for a single CPU share"`
	} `group:"Metrics"`

	Containerd struct {
		Socket                    string `long:"containerd-socket" description:"Path to a containerd socket."`
		UseContainerdForProcesses bool   `long:"use-containerd-for-processes" description:"Use containerd to run processes in containers."`
	} `group:"Containerd"`

	CPUThrottling struct {
		Enabled       bool   `long:"enable-cpu-throttling" description:"Enable CPU throttling."`
		CheckInterval uint32 `` /* 127-byte string literal not displayed */
	} `group:"CPU Throttling"`

	Sysctl struct {
		TCPKeepaliveTime     uint32 `long:"tcp-keepalive-time" description:"The net.ipv4.tcp_keepalive_time sysctl parameter that will be used inside containers"`
		TCPKeepaliveInterval uint32 `` /* 129-byte string literal not displayed */
		TCPKeepaliveProbes   uint32 `` /* 128-byte string literal not displayed */
		TCPRetries1          uint32 `long:"tcp-retries1" description:"The net.ipv4.tcp_retries1 sysctl parameter that will be used inside containers"`
		TCPRetries2          uint32 `long:"tcp-retries2" description:"The net.ipv4.tcp_retries2 sysctl parameter that will be used inside containers"`
	} `group:"Sysctl"`
}

func (*CommonCommand) NewGardenFactory 

func (cmd *CommonCommand) NewGardenFactory() GardenFactory

type DeviceCgroupRuleFlag 

type DeviceCgroupRuleFlag specs.LinuxDeviceCgroup

func (DeviceCgroupRuleFlag) LinuxDeviceCgroup 

func (f DeviceCgroupRuleFlag) LinuxDeviceCgroup() specs.LinuxDeviceCgroup

func (*DeviceCgroupRuleFlag) UnmarshalFlag 

func (f *DeviceCgroupRuleFlag) UnmarshalFlag(value string) error

type FileFlag 

type FileFlag string

func (FileFlag) Path 

func (f FileFlag) Path() string

func (*FileFlag) UnmarshalFlag 

func (f *FileFlag) UnmarshalFlag(value string) error

type GardenFactory 

type GardenFactory interface {
	WireResolvConfigurer() kawasaki.DnsResolvConfigurer
	WireMkdirer() runrunc.Mkdirer
	CommandRunner() commandrunner.CommandRunner
	WireVolumizer(logger lager.Logger) gardener.Volumizer
	WireCgroupsStarter(logger lager.Logger) gardener.Starter
	WireExecRunner(runcRoot string, containerRootUID, containerRootGID uint32, bundleSaver depot.BundleSaver, bundleLookupper depot.BundleLookupper, processDepot execrunner.ProcessDepot) runrunc.ExecRunner
	WireContainerd(*processes.ProcBuilder, users.UserLookupper, func(runrunc.PidGetter) *runrunc.Execer, runcontainerd.Statser, lager.Logger, peas.Volumizer, runcontainerd.PeaHandlesGetter, *metrics.MetricsProvider) (*runcontainerd.RunContainerd, *runcontainerd.RunContainerPea, *runcontainerd.PidGetter, *containerdprivchecker.PrivilegeChecker, peas.BundleLoader, error)

	WireCPUCgrouper() (rundmc.CPUCgrouper, error)
	WireContainerNetworkMetricsProvider(containerizer gardener.Containerizer, propertyManager gardener.PropertyManager) gardener.ContainerNetworkMetricsProvider
}

type GdnCommand 

type GdnCommand struct {
	SetupCommand   *SetupCommand   `command:"setup"`
	ServerCommand  *ServerCommand  `command:"server"`
	CleanupCommand *CleanupCommand `command:"cleanup"`

	// This must be present to stop go-flags complaining, but it's not actually
	// used. We parse this flag outside of the go-flags framework.
	ConfigFilePath string `long:"config" description:"Config file path."`
}

type IPFlag 

type IPFlag net.IP

func (IPFlag) IP 

func (f IPFlag) IP() net.IP

func (*IPFlag) UnmarshalFlag 

func (f *IPFlag) UnmarshalFlag(value string) error

type KernelMinVersionChecker 

type KernelMinVersionChecker struct {
	// contains filtered or unexported fields
}

func NewKernelMinVersionChecker 

func NewKernelMinVersionChecker(sysctlGetter SysctlGetter) KernelMinVersionChecker

func (KernelMinVersionChecker) CheckVersionIsAtLeast 

func (c KernelMinVersionChecker) CheckVersionIsAtLeast(maj, min, patch uint16) (bool, error)

type LagerFlag 

type LagerFlag struct {
	//lint:ignore SA5008 github.com/jesse-vdk/go-flag requires duplicate struct tags for 'choice'
	LogLevel string `` /* 134-byte string literal not displayed */
}

func (LagerFlag) Logger 

func (f LagerFlag) Logger(component string) (lager.Logger, *lager.ReconfigurableSink)

type LinuxFactory 

type LinuxFactory struct {
	// contains filtered or unexported fields
}

func (*LinuxFactory) CommandRunner 

func (f *LinuxFactory) CommandRunner() commandrunner.CommandRunner

func (*LinuxFactory) WireCPUCgrouper 

func (f *LinuxFactory) WireCPUCgrouper() (rundmc.CPUCgrouper, error)

func (*LinuxFactory) WireCgroupsStarter 

func (f *LinuxFactory) WireCgroupsStarter(logger lager.Logger) gardener.Starter

func (*LinuxFactory) WireContainerNetworkMetricsProvider 

func (f *LinuxFactory) WireContainerNetworkMetricsProvider(containerizer gardener.Containerizer, propertyManager gardener.PropertyManager) gardener.ContainerNetworkMetricsProvider

func (*LinuxFactory) WireContainerd 

func (f *LinuxFactory) WireContainerd(processBuilder *processes.ProcBuilder, userLookupper users.UserLookupper, wireExecer func(pidGetter runrunc.PidGetter) *runrunc.Execer, statser runcontainerd.Statser, log lager.Logger, volumizer peas.Volumizer, peaHandlesGetter runcontainerd.PeaHandlesGetter, metricsProvider *metrics.MetricsProvider) (*runcontainerd.RunContainerd, *runcontainerd.RunContainerPea, *runcontainerd.PidGetter, *privchecker.PrivilegeChecker, peas.BundleLoader, error)

func (*LinuxFactory) WireExecRunner 

func (f *LinuxFactory) WireExecRunner(runcRoot string, containerRootHostUID, containerRootHostGID uint32, bundleSaver depot.BundleSaver, bundleLookupper depot.BundleLookupper, processDepot execrunner.ProcessDepot) runrunc.ExecRunner

func (*LinuxFactory) WireMkdirer 

func (f *LinuxFactory) WireMkdirer() runrunc.Mkdirer

func (*LinuxFactory) WireResolvConfigurer 

func (f *LinuxFactory) WireResolvConfigurer() kawasaki.DnsResolvConfigurer

func (*LinuxFactory) WireVolumizer 

func (f *LinuxFactory) WireVolumizer(logger lager.Logger) gardener.Volumizer

type NoopMkdirer 

type NoopMkdirer struct{}

func (NoopMkdirer) MkdirAs 

func (NoopMkdirer) MkdirAs(rootFSPathFile string, uid, gid int, mode os.FileMode, recreate bool, path ...string) error

type PidGetter 

type PidGetter interface {
	GetPid(logger lager.Logger, containerID string) (int, error)
	GetPeaPid(logger lager.Logger, _, peaID string) (int, error)
}

type ServerCommand 

type ServerCommand struct {
	*CommonCommand
}

func (*ServerCommand) Execute 

func (cmd *ServerCommand) Execute([]string) error

func (*ServerCommand) Run 

func (cmd *ServerCommand) Run(signals <-chan os.Signal, ready chan<- struct{}) error

type Service 

type Service interface {
	Start()
	Stop()
}

type SetupCommand 

type SetupCommand struct {
	LogLevel LagerFlag
	Logger   lager.Logger

	Tag                 string `hidden:"true" long:"tag" description:"Optional 2-character identifier used for namespacing global configuration."`
	EnableCPUThrottling bool   `hidden:"true" long:"enable-cpu-throttling" description:"Throttle CPU of containers using more than their CPU entitlement"`
}

func (*SetupCommand) Execute 

func (cmd *SetupCommand) Execute(args []string) error

func (*SetupCommand) WireCgroupsStarter 

func (cmd *SetupCommand) WireCgroupsStarter(logger lager.Logger) gardener.Starter

type SysctlGetter 

type SysctlGetter interface {
	GetString(key string) (string, error)
}

Source Files

View all Source files

Directories

Path Synopsis
Code generated by counterfeiter.
 Code generated by counterfeiter.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.