package container

v0.24.1 Latest

Warning: This package is not in the latest version of its module.

Published: Nov 18, 2025 License: Apache-2.0 Imports: 24 Imported by: 0

Constants

This section is empty.

Variables

var (
	ErrContainerFSUnreachable = errors.New("container file system is unreachable in mount namespace because there are not living children")
	ErrNonAbsolutePath        = errors.New("file path is not absolute in its container mount point")
)

Functions

This section is empty.

Types

type CgroupDir

type CgroupDir struct {
	Path          string
	ContainerId   string
	ContainerRoot bool // is the cgroup directory the root of its container
	Ctime         time.Time
	Dead          bool // is the cgroup deleted
	// contains filtered or unexported fields
}

CgroupDir represents a cgroup dir (which may be a container cgroup dir).

type Container

type Container struct {
	ContainerId string
	CreatedAt   time.Time
	Runtime     runtime.RuntimeId
	Name        string
	Image       string
	ImageDigest string
	Pod         Pod
}

type ContainerPathResolver

type ContainerPathResolver struct {
	// contains filtered or unexported fields
}

ContainerPathResolver generates an accessible absolute path from the root mount namespace to a relative path in a container. **NOTE**: to resolve the host mount namespace, Tracee reads from /proc/1/ns, which requires the CAP_SYS_PTRACE capability.

func InitContainerPathResolver

func InitContainerPathResolver(mountNSPIDsCache *bucketcache.BucketCache) *ContainerPathResolver

InitContainerPathResolver creates a resolver for paths from within containers.

func (*ContainerPathResolver) GetHostAbsPath

func (cPathRes *ContainerPathResolver) GetHostAbsPath(mountNSAbsolutePath string, mountNS uint32) (
	string, error,
)

GetHostAbsPath translates an absolute path, which might be inside a container, to the corresponding absolute path in the host mount namespace.

func (*ContainerPathResolver) GetProcMounts

func (cPathRes *ContainerPathResolver) GetProcMounts(mountNS uint32) (string, error)

GetProcMounts returns the path of a /proc/<pid>/mounts file for any process in the given mount namespace. It first tries to use cached PIDs for the namespace, and falls back to searching procfs.

Parameters:

  • mountNS: mount namespace ID

Returns the path to a valid /proc/<pid>/mounts file for the namespace.

func (*ContainerPathResolver) ResolveAllLinks

func (cPathRes *ContainerPathResolver) ResolveAllLinks(mountNSAbsolutePath string, mountNS uint32) (
	string, error,
)

ResolveAllLinks resolves all symlinks in a path component by component: each path component is examined in turn and any symlink encountered at that level is resolved, so the entire path ends up fully resolved.

Parameters:

  • mountNSAbsolutePath: absolute path within the mount namespace
  • mountNS: mount namespace ID

Returns the fully resolved path with all symlinks resolved.

func (*ContainerPathResolver) ResolveLink

func (cPathRes *ContainerPathResolver) ResolveLink(mountNSAbsolutePath string, mountNS uint32) (
	string, error,
)

ResolveLink resolves a single symlink to its final destination within the specified mount namespace. It follows symlinks until it reaches a non-symlink target or detects a loop. The resolution is performed from the perspective of the mount namespace, ensuring security by validating that resolved paths don't escape the namespace boundary.

Parameters:

  • mountNSAbsolutePath: absolute path within the mount namespace
  • mountNS: mount namespace ID

Returns the resolved path within the mount namespace context.
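The component-by-component resolution that ResolveLink and ResolveAllLinks describe, as an added stand-alone example that is not Tracee's own code: a host directory stands in for a container's mount-namespace root, every symlink is followed from that root's perspective, and anything that would leave the root fails to resolve. ResolveInRoot, split and the 40-hop budget are assumptions of this example; the package itself locates the namespace through procfs as described above rather than taking a directory path.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

var ErrNonAbsolutePath = errors.New("file path is not absolute in its container mount point")
const maxHops = 40 // assumed hop budget; the kernel enforces a cap of the same order

// ResolveInRoot walks nsPath one component at a time as if hostRoot were "/",
// reading each symlink it meets and re-queuing its target. Absolute targets
// restart at the namespace root and ".." is clamped there, so the returned
// (still namespace-relative) path can never point outside hostRoot.
func ResolveInRoot(hostRoot, nsPath string) (string, error) {
	if !filepath.IsAbs(nsPath) {
		return "", ErrNonAbsolutePath
	}
	queue, resolved, hops := split(nsPath), "/", 0
	for len(queue) > 0 {
		comp := queue[0]
		queue = queue[1:]
		// resolved never contains a symlink, so lexical handling of "." and ".."
		// here is exact, and Join's Clean keeps ".." from climbing above "/".
		candidate := filepath.Join(resolved, comp)
		fi, err := os.Lstat(filepath.Join(hostRoot, candidate)) // Lstat: do not follow
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink == 0 {
			resolved = candidate
			continue
		}
		if hops++; hops > maxHops {
			return "", errors.New("symlink loop while resolving " + nsPath)
		}
		target, err := os.Readlink(filepath.Join(hostRoot, candidate))
		if err != nil {
			return "", err
		}
		if filepath.IsAbs(target) {
			resolved = "/" // absolute target is relative to the namespace root, not the host's
		}
		queue = append(split(target), queue...)
	}
	return resolved, nil
}

func split(p string) []string { return strings.Split(strings.Trim(p, "/"), "/") }
```

Because each symlink is expanded before a following ".." is applied, /lib/../x with lib linked to /usr/lib resolves to /usr/x, which a lexical filepath.Clean on the input would get wrong.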

type ContainersSymbolsLoader

type ContainersSymbolsLoader struct {
	// contains filtered or unexported fields
}

ContainersSymbolsLoader is a decorator for SO loaders that resolves container-relative paths to absolute host paths. Operations on this object require the CAP_DAC_OVERRIDE capability to access files across the system.

func InitContainersSymbolsLoader

func InitContainersSymbolsLoader(pathResolver *ContainerPathResolver, cacheSize int) *ContainersSymbolsLoader

func (*ContainersSymbolsLoader) GetDynamicSymbols

func (cLoader *ContainersSymbolsLoader) GetDynamicSymbols(soInfo sharedobjs.ObjInfo) (map[string]bool, error)

func (*ContainersSymbolsLoader) GetExportedSymbols

func (cLoader *ContainersSymbolsLoader) GetExportedSymbols(soInfo sharedobjs.ObjInfo) (map[string]bool, error)

func (*ContainersSymbolsLoader) GetImportedSymbols

func (cLoader *ContainersSymbolsLoader) GetImportedSymbols(soInfo sharedobjs.ObjInfo) (map[string]bool, error)

func (*ContainersSymbolsLoader) GetLocalSymbols

func (cLoader *ContainersSymbolsLoader) GetLocalSymbols(soInfo sharedobjs.ObjInfo) (map[string]bool, error)

type Manager

type Manager struct {
	// contains filtered or unexported fields
}

Manager contains information about running containers in the host.

func New

func New(
	noContainersEnrich bool,
	cgroups *cgroup.Cgroups,
	sockets runtime.Sockets,
	mapName string,
) (
	*Manager,
	error,
)

New initializes a Containers object and returns a pointer to it. The caller should then call "Populate" and iterate over the Containers data.

func (*Manager) AddContainer

func (c *Manager) AddContainer(cont Container) error

func (*Manager) CgroupExists

func (c *Manager) CgroupExists(cgroupId uint64) bool

CgroupExists checks whether cgroupInfo data exists for the given cgroupId.

func (*Manager) CgroupMkdir

func (c *Manager) CgroupMkdir(cgroupId uint64, subPath string, hierarchyID uint32) (CgroupDir, Container, error)

CgroupMkdir adds the cgroupInfo of a newly created cgroup dir to the Containers struct.

func (*Manager) CgroupRemove

func (c *Manager) CgroupRemove(cgroupId uint64, hierarchyID uint32)

CgroupRemove removes the cgroupInfo of a deleted cgroup dir from the Containers struct. The entry expires after 30 seconds rather than immediately, to avoid race conditions (a cgroup dir event may arrive too fast, while its cgroupInfo data is still needed).

func (*Manager) Close

func (c *Manager) Close() error

Close executes cleanup logic for Containers object.

func (*Manager) EnrichCgroupInfo

func (c *Manager) EnrichCgroupInfo(cgroupId uint64) (Container, error)

EnrichCgroupInfo checks for a given cgroupId if it is relevant to some running container. It then calls the runtime info service to gather additional data from the container's runtime. Should not be called twice for the same cgroupId unless attempting a retry.

Returns the retrieved metadata and a relevant error. If the given cgroup does not belong to a container, no error will be returned, but the returned metadata's containerId will be empty. This should be checked separately.

func (*Manager) FindContainerCgroupID32LSB

func (c *Manager) FindContainerCgroupID32LSB(containerID string) ([]uint32, error)

FindContainerCgroupID32LSB returns the 32 least significant bits (LSB) of the cgroup ID for a given container ID.

func (*Manager) GetCgroupInfo

func (c *Manager) GetCgroupInfo(cgroupId uint64) (CgroupDir, Container)

GetCgroupInfo returns the cgroupInfo data stored in the Containers struct for a given cgroupId.

func (*Manager) GetCgroupVersion

func (c *Manager) GetCgroupVersion() cgroup.CgroupVersion

func (*Manager) GetContainer

func (c *Manager) GetContainer(containerId string) (Container, error)

func (*Manager) GetDefaultCgroupHierarchyID

func (c *Manager) GetDefaultCgroupHierarchyID() int

func (*Manager) GetLiveContainers

func (c *Manager) GetLiveContainers() map[uint32]Container

GetLiveContainers returns all existing containers, keyed by their cgroup id.

func (*Manager) Populate

func (c *Manager) Populate() error

Populate fills the Containers struct by reading the mounted proc and cgroup filesystems.

func (*Manager) PopulateBpfMap

func (c *Manager) PopulateBpfMap(bpfModule *libbpfgo.Module) error

PopulateBpfMap populates the map with all the existing containers so eBPF programs can orchestrate new ones with the correct state.

func (*Manager) RemoveContainer

func (c *Manager) RemoveContainer(cont Container) error

func (*Manager) RemoveFromBPFMap

func (c *Manager) RemoveFromBPFMap(bpfModule *libbpfgo.Module, cgroupId uint64, hierarchyID uint32) error

RemoveFromBPFMap removes a container from the map so eBPF programs can stop tracking it.

type Pod

type Pod struct {
	Name      string
	Namespace string
	UID       string
	Sandbox   bool
}

type SignaturesDataSource

type SignaturesDataSource struct {
	// contains filtered or unexported fields
}

func NewDataSource

func NewDataSource(c *Manager) *SignaturesDataSource

func (SignaturesDataSource) Get

func (ctx SignaturesDataSource) Get(key interface{}) (map[string]interface{}, error)

func (SignaturesDataSource) ID

func (ctx SignaturesDataSource) ID() string

func (SignaturesDataSource) Keys

func (ctx SignaturesDataSource) Keys() []string

func (SignaturesDataSource) Namespace

func (ctx SignaturesDataSource) Namespace() string

func (SignaturesDataSource) Schema

func (ctx SignaturesDataSource) Schema() string

func (SignaturesDataSource) Version

func (ctx SignaturesDataSource) Version() uint
