sandbox

package
v0.5.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 2, 2026 License: MIT Imports: 4 Imported by: 0

Documentation

Overview

Package sandbox defines backend-agnostic interfaces for container lifecycle, execution, and network policy. Concrete implementations live in separate packages and register themselves via Register.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Register 

func Register(name string, f Factory)

Register makes a backend available by name. It is intended to be called from init() in backend implementation packages.

Types

type Backend 

type Backend interface {
	Create(ctx context.Context, opts CreateOpts) (*Instance, error)
	Get(ctx context.Context, name string) (*Instance, error)
	List(ctx context.Context) ([]Instance, error)
	Start(ctx context.Context, name string) error
	Stop(ctx context.Context, name string) error
	Delete(ctx context.Context, name string) error

	CreateSnapshot(ctx context.Context, name, label string) error
	ListSnapshots(ctx context.Context, name string) ([]Snapshot, error)
	DeleteSnapshot(ctx context.Context, name, label string) error
	RestoreSnapshot(ctx context.Context, name, label string) error
	CloneFrom(ctx context.Context, source, label, newName string) error

	Capabilities() Capabilities
	Close() error
}

Backend manages the lifecycle of sandbox instances and their snapshots.

type Capabilities 

type Capabilities struct {
	Snapshots     bool
	CloneFrom     bool
	EgressControl bool
}

Capabilities advertises optional features a backend supports.

type ConsoleOpts 

type ConsoleOpts struct {
	Env       []string
	RemoteCmd []string
}

ConsoleOpts holds parameters for attaching an interactive console.

type CreateOpts 

type CreateOpts struct {
	Name   string
	Image  string
	CPU    string
	Memory int64
	Bare   bool // create instance only, skip provisioning and SSH wait
}

CreateOpts holds parameters for creating a new sandbox instance.

type EgressMode 

type EgressMode string

EgressMode controls what network traffic a sandbox may initiate. 

const (
	EgressUnrestricted EgressMode = "unrestricted"
	EgressAgent        EgressMode = "agent"
	EgressAllowlist    EgressMode = "allowlist"
)

type Exec 

type Exec interface {
	Run(ctx context.Context, name string, opts ExecOpts) (exitCode int, err error)
	Output(ctx context.Context, name string, cmd []string) ([]byte, error)
	Console(ctx context.Context, name string, opts ConsoleOpts) error
	Ready(ctx context.Context, name string, timeout time.Duration) error
}

Exec runs commands and interactive sessions inside a sandbox instance.

type ExecOpts 

type ExecOpts struct {
	Cmd    []string
	Env    []string
	Stdin  io.Reader
	Stdout io.Writer
	Stderr io.Writer
	Root   bool // run as root instead of the configured sandbox user
}

ExecOpts holds parameters for running a command inside a sandbox.

type Factory 

type Factory func(cfg map[string]string) (Sandbox, error)

Factory constructs a Sandbox from backend-specific configuration. The cfg map is interpreted by each backend (e.g. "host" and "api_key" for TrueNAS, "socket" for Incus).

type Instance 

type Instance struct {
	Name      string
	Status    Status
	Addresses []string
}

Instance is the backend-agnostic representation of a container.

type NetworkPolicy 

type NetworkPolicy interface {
	SetEgressMode(ctx context.Context, name string, mode EgressMode) error
	AllowDomain(ctx context.Context, name, domain string) error
	DenyDomain(ctx context.Context, name, domain string) error
	GetPolicy(ctx context.Context, name string) (*Policy, error)
}

NetworkPolicy controls egress filtering for a sandbox instance.

type Policy 

type Policy struct {
	Mode    EgressMode
	Domains []string
}

Policy describes the current egress policy for a sandbox instance.

type Sandbox 

type Sandbox interface {
	Backend
	Exec
	NetworkPolicy
}

Sandbox composes all sandbox capabilities into a single interface.

func Open 

func Open(name string, cfg map[string]string) (Sandbox, error)

Open returns a Sandbox for the named backend, configured with cfg. If no backend is registered under that name, it returns an error.

type Snapshot 

type Snapshot struct {
	Label string
	Size  int64
}

Snapshot is a point-in-time capture of an instance's filesystem.

type Status 

type Status string

Status represents a container's lifecycle state. 

const (
	StatusRunning Status = "RUNNING"
	StatusStopped Status = "STOPPED"
)

func (Status) IsRunning 

func (s Status) IsRunning() bool

IsRunning reports whether the container is in a running state.

Source Files

View all Source files

Directories

Path Synopsis
Package incus implements the sandbox.Sandbox interface using a native Incus daemon connection (local unix socket or remote HTTPS).
 Package incus implements the sandbox.Sandbox interface using a native Incus daemon connection (local unix socket or remote HTTPS).
Package truenas implements the sandbox.Sandbox interface using TrueNAS Incus containers via the WebSocket API.
 Package truenas implements the sandbox.Sandbox interface using TrueNAS Incus containers via the WebSocket API.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.