spec

package
v0.13.0
Warning

This package is not in the latest version of its module.

Published: Apr 21, 2025 License: MIT Imports: 17 Imported by: 0

Documentation

Overview

Package spec encapsulates a number of GCS-specific OCI spec modifications, e.g., networking mounts, sandbox path substitutions in the guest, etc.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AddAssignedDevice added in v0.13.0

func AddAssignedDevice(ctx context.Context, spec *oci.Spec) error

AddAssignedDevice goes through the assigned devices that have been enumerated on the spec and updates the spec so that the correct device nodes can be mounted into the resulting container by the runtime.

func AddDevSev added in v0.13.0

func AddDevSev(ctx context.Context, spec *oci.Spec) error

AddDevSev adds the SEV device to the container spec. On 5.x kernels the device is /dev/sev; this changed in 6.x, where the device is /dev/sev-guest.

func AddLinuxDeviceToSpec added in v0.13.0

func AddLinuxDeviceToSpec(ctx context.Context, hostDevice *devices.Device, spec *oci.Spec, addCgroupDevice bool)

func ApplyAnnotationsToSpec added in v0.13.0

func ApplyAnnotationsToSpec(ctx context.Context, spec *oci.Spec) error

ApplyAnnotationsToSpec modifies the spec based on additional information from annotations.

func GenerateWorkloadContainerNetworkMounts

func GenerateWorkloadContainerNetworkMounts(sandboxID string, spec *oci.Spec) []oci.Mount

GenerateWorkloadContainerNetworkMounts generates an array of specs.Mount required for container networking. Original spec is left untouched and it's the responsibility of a caller to update it.

func GetNetworkNamespaceID added in v0.13.0

func GetNetworkNamespaceID(spec *oci.Spec) string

GetNetworkNamespaceID returns the `ToLower` of `spec.Windows.Network.NetworkNamespace` or `""`.

func HugePagesMountSource

func HugePagesMountSource(sandboxID, path string) string

HugePagesMountSource returns the hugepages mount path inside the UVM.

func HugePagesMountsDir

func HugePagesMountsDir(sandboxID string) string

HugePagesMountsDir returns hugepages mounts directory inside UVM.

func IsRootReadonly added in v0.13.0

func IsRootReadonly(spec *oci.Spec) bool

IsRootReadonly returns `true` if the spec specifies the rootfs is readonly.

func MountPresent

func MountPresent(mountPath string, specMounts []oci.Mount) bool

MountPresent checks if mountPath is present in the specMounts array.

func OutOfUint32Bounds added in v0.13.0

func OutOfUint32Bounds(v int) bool

func ParseUserStr added in v0.13.0

func ParseUserStr(rootPath, userStr string) (uint32, uint32, error)

ParseUserStr parses `userStr`, looks up container filesystem's /etc/passwd and /etc/group files for UID and GID for the process.

NB: When `userStr` represents a UID that doesn't exist, the UID is returned as is with GID set to 0.

func SandboxMountSource

func SandboxMountSource(sandboxID, path string) string

SandboxMountSource returns the sandbox mount path inside the UVM.

func SandboxMountsDir

func SandboxMountsDir(sandboxID string) string

SandboxMountsDir returns sandbox mounts directory inside UVM/host.

func SandboxRootDir

func SandboxRootDir(sandboxID string) string

SandboxRootDir returns the sandbox container root directory inside UVM/host.

func SetCoreRLimit added in v0.13.0

func SetCoreRLimit(spec *oci.Spec, value string) error

func SetUserStr added in v0.13.0

func SetUserStr(spec *oci.Spec, userstr string) error

SetUserStr sets `spec.Process` to the valid `userstr` based on the OCI Image Spec v1.0.0 `userstr`.

Valid values are: user, uid, user:group, uid:gid, uid:group, user:gid. If uid is provided instead of the username then that value is not checked against the /etc/passwd file to verify if the user with given uid actually exists.

Since UID and GID are parsed as ints, but will ultimately end up as uint32 in the OCI spec, an error is returned if the IDs are not within the uint32 bounds ([0, math.MaxUint32]). This avoids unexpected results if the ID is first parsed as an int and then wraps around when downcast (e.g., math.MaxUint32 + 1 will become 0). Notes:

  • Per the Go spec, we have no indication of overflow when converting between integer types.
  • "man 5 passwd" and "man 5 group" (as well as user.ParsePasswdFileFilter and user.ParseGroupFilter) do not specify any limits on the UID and GID range.
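The wrap-around that the bounds check prevents, as an added example (not this package's own code): the helpers `outOfUint32Bounds`, `toID` and `parseNumericUser` are hypothetical, cover only the numeric `uid` and `uid:gid` forms, and assume a platform where `int` is 64 bits. The inputs are constructed; 4294967296 is math.MaxUint32 + 1, which without the check becomes UID 0.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
)

// outOfUint32Bounds reports whether v falls outside [0, math.MaxUint32]
// (compared as int64 so it also compiles where int is 32 bits wide).
func outOfUint32Bounds(v int) bool {
	return v < 0 || int64(v) > math.MaxUint32
}

// toID parses one numeric ID. With check=false it reproduces the failure
// mode: the int -> uint32 conversion truncates without any error.
func toID(s string, check bool) (uint32, error) {
	v, err := strconv.Atoi(s)
	if err != nil {
		return 0, fmt.Errorf("non-numeric id %q: %w", s, err)
	}
	if check && outOfUint32Bounds(v) {
		return 0, fmt.Errorf("id %d is outside [0, %d]", v, uint32(math.MaxUint32))
	}
	return uint32(v), nil
}

// parseNumericUser handles only the "uid" and "uid:gid" forms (hypothetical
// helper; name lookups in /etc/passwd and /etc/group are out of scope).
func parseNumericUser(userStr string, check bool) (uid, gid uint32, err error) {
	u, g, hasGID := strings.Cut(userStr, ":")
	if uid, err = toID(u, check); err != nil {
		return 0, 0, err
	}
	if hasGID {
		if gid, err = toID(g, check); err != nil {
			return 0, 0, err
		}
	}
	return uid, gid, nil
}

func main() {
	for _, s := range []string{"1000:1000", "4294967296", "1000:-1"} { // constructed inputs
		uid, gid, _ := parseNumericUser(s, false)
		_, _, err := parseNumericUser(s, true)
		fmt.Printf("%-12s unchecked=%d:%d checked err=%v\n", s, uid, gid, err)
	}
}
```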

Types

This section is empty.
