Documentation ¶
Index ¶
- Constants
- func ConvertContainerdStatusToContainerState(status containerd.Status) intmodel.ContainerState
- func DefaultRootContainerSpec(containerdID, cellID, realmID, spaceID, stackID, cniConfigPath string) intmodel.ContainerSpec
- func NormalizeImageReference(image string) string
- func SbshCachePath(baseRunPath, arch string) string
- type AttachableInjection
- type BuildOption
- type CPUResources
- type CgroupResources
- type CgroupSpec
- type Client
- type ContainerDeleteOptions
- type ContainerRuntime
- type ContainerSpec
- type IOResources
- type IOThrottleEntry
- type IOThrottleType
- type MemoryResources
- type NamespacePaths
- type RegistryCredentials
- type StopContainerOptions
- type TaskIO
- type TaskSpec
Constants ¶
const (
	// AttachableBinaryPath is where the static sbsh binary is bind-mounted
	// read-only inside the container.
	AttachableBinaryPath = "/.kukeon/bin/sbsh"
	// AttachableTTYDir is where the per-container tty directory is
	// bind-mounted inside the container. sbsh creates and owns the socket,
	// capture, and log files inside this directory; because it is a
	// directory bind mount (not a file mount), sbsh's unlink-and-recreate
	// of the socket inode stays host-visible.
	AttachableTTYDir = "/run/kukeon/tty"
	// AttachableSocketPath is the in-container path of the sbsh terminal
	// socket. sbsh listens here; the host peer is the bind-mount source
	// directory's `socket` entry, which `kuke attach` connects to.
	AttachableSocketPath = AttachableTTYDir + "/socket"
	// AttachableCapturePath is the in-container path of the sbsh capture
	// file. Surfacing it to `kuke logs` is a follow-up.
	AttachableCapturePath = AttachableTTYDir + "/capture"
	// AttachableLogfilePath is the in-container path of the sbsh terminal
	// log file. Surfacing it to `kuke logs` is a follow-up.
	AttachableLogfilePath = AttachableTTYDir + "/log"
	// AttachableSubcommand is the sbsh entrypoint subcommand used to wrap
	// the workload's process. Hard-coded for the foundation slice; the
	// resolver in #67 will not change it.
	AttachableSubcommand = "terminal"
)
Reserved in-container paths that the Attachable wrapper claims. Documented as such in pkg/api/model/v1beta1/container.go. The binary path is configurable in spirit (see #67) but fixed for this slice.
const (
// DefaultRootContainerImage is the image used when none is provided.
DefaultRootContainerImage = "docker.io/library/busybox:latest"
)
const DefaultSecretsStagingDir = "/run/kukeon/secrets"
DefaultSecretsStagingDir is the host directory the daemon uses to stage file-mounted secrets before bind-mounting them into containers. The directory lives under /run so contents are ephemeral across reboots on typical deployments.
const SbshBinaryName = "sbsh"
SbshBinaryName is the basename of the static sbsh binary inside each per-arch cache directory.
const SbshCacheSubdir = "cache/sbsh"
SbshCacheSubdir is the host-side directory under the run path that holds per-arch sbsh binaries. The full layout is:
<runPath>/cache/sbsh/<arch>/sbsh
The foundation slice (#57) ships a stub: the daemon expects a single host-arch binary placed manually. The multi-arch resolver lands in #67.
Variables ¶
This section is empty.
Functions ¶
func ConvertContainerdStatusToContainerState ¶
func ConvertContainerdStatusToContainerState(status containerd.Status) intmodel.ContainerState
ConvertContainerdStatusToContainerState converts a containerd task status to internal ContainerState.
func DefaultRootContainerSpec ¶
func DefaultRootContainerSpec(
	containerdID, cellID, realmID, spaceID, stackID, cniConfigPath string,
) intmodel.ContainerSpec
DefaultRootContainerSpec returns a minimal ContainerSpec suitable for keeping the root container alive while other workload containers are managed. containerdID is the hierarchical ID used for containerd operations. The ID field will be set to "root" (base name).
func NormalizeImageReference ¶
NormalizeImageReference normalizes an image reference to a fully qualified format. Examples:
- "debian:latest" -> "docker.io/library/debian:latest"
- "alpine" -> "docker.io/library/alpine:latest"
- "user/image:tag" -> "docker.io/user/image:tag"
- "docker.io/library/debian:latest" -> "docker.io/library/debian:latest" (unchanged)
- "registry.example.com/image:tag" -> "registry.example.com/image:tag" (unchanged)
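The rule those examples imply, as an added Go sketch (not kukeon's implementation): `normalizeRef` and `registryOf` are hypothetical names, and the host-detection rule and the digest and `localhost` cases are assumptions taken from the Docker reference convention. Resolving a reference before an allowlist check or audit log entry makes the implicit `docker.io` registry and the mutable `latest` tag explicit.

```go
package main

import (
	"fmt"
	"strings"
)

// normalizeRef is a hypothetical sketch of the rule the examples above imply;
// it is not kukeon's NormalizeImageReference.
func normalizeRef(image string) string {
	name, digest, pinned := strings.Cut(image, "@")

	// Assumed Docker convention: the first component is a registry host only
	// if it contains "." or ":" or is "localhost"; otherwise it is a Docker
	// Hub user or repository name.
	first, _, hasSlash := strings.Cut(name, "/")
	switch {
	case !hasSlash:
		name = "docker.io/library/" + name
	case !strings.ContainsAny(first, ".:") && first != "localhost":
		name = "docker.io/" + name
	}

	if pinned {
		return name + "@" + digest // a digest-pinned reference gets no tag
	}
	if !strings.Contains(name[strings.LastIndex(name, "/")+1:], ":") {
		name += ":latest" // implicit, mutable tag
	}
	return name
}

// registryOf returns the registry host a reference resolves to, for use in
// an allowlist check or an audit log entry.
func registryOf(image string) string {
	host, _, _ := strings.Cut(normalizeRef(image), "/")
	return host
}

func main() {
	// Constructed inputs: the page's five examples plus two assumed edge cases.
	for _, in := range []string{
		"debian:latest", "alpine", "user/image:tag",
		"docker.io/library/debian:latest", "registry.example.com/image:tag",
		"localhost:5000/img", "alpine@sha256:0123abcd",
	} {
		fmt.Printf("%-34s -> %s (registry %s)\n", in, normalizeRef(in), registryOf(in))
	}
}
```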
func SbshCachePath ¶ added in v0.2.0
SbshCachePath returns the host path of the sbsh binary for the given architecture under the configured run path. Architecture is the GOARCH-style string ("amd64", "arm64") that comes from the image's ocispec.Image.Architecture, not the host's runtime.GOARCH: the cache must match the *image* it'll be injected into, since the image and the binary share the in-container ELF interpreter.
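Because the architecture string originates in image metadata and the resulting host file is bind-mounted into the container as its entrypoint wrapper, a caller may want to validate both before use. The following is an added example, not kukeon's code: `checkedSbshPath` and the `knownArch` allowlist are assumptions, while the path layout is the one documented above.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Values from the page: layout is <runPath>/cache/sbsh/<arch>/sbsh.
const (
	sbshCacheSubdir = "cache/sbsh"
	sbshBinaryName  = "sbsh"
)

// knownArch is an assumed allowlist built from the two examples on the page.
var knownArch = map[string]bool{"amd64": true, "arm64": true}

// checkedSbshPath (hypothetical) builds the cache path only for an allowlisted
// architecture and only if the staged binary is a regular file that is not
// group- or world-writable.
func checkedSbshPath(baseRunPath, arch string) (string, error) {
	if !knownArch[arch] {
		return "", fmt.Errorf("unsupported image architecture %q", arch)
	}
	p := filepath.Join(baseRunPath, sbshCacheSubdir, arch, sbshBinaryName)
	fi, err := os.Lstat(p) // Lstat: a symlink must not pass as the binary
	if err != nil {
		return "", fmt.Errorf("sbsh binary for %s not staged: %w", arch, err)
	}
	if !fi.Mode().IsRegular() {
		return "", fmt.Errorf("%s is not a regular file", p)
	}
	if fi.Mode().Perm()&0o022 != 0 {
		return "", fmt.Errorf("%s is group- or world-writable", p)
	}
	return p, nil
}

func main() {
	// Constructed run path with one staged amd64 binary.
	root, _ := os.MkdirTemp("", "kukeon-run")
	defer os.RemoveAll(root)
	dir := filepath.Join(root, sbshCacheSubdir, "amd64")
	if err := os.MkdirAll(dir, 0o755); err != nil {
		panic(err)
	}
	os.WriteFile(filepath.Join(dir, sbshBinaryName), []byte("constructed"), 0o755)
	for _, arch := range []string{"amd64", "arm64", "../../etc"} {
		p, err := checkedSbshPath(root, arch)
		fmt.Printf("%-12q path=%q err=%v\n", arch, p, err)
	}
}
```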
Types ¶
type AttachableInjection ¶ added in v0.2.0
type AttachableInjection struct {
// SbshBinaryPath is the host path of the static sbsh binary that will be
// bind-mounted RO at AttachableBinaryPath inside the container.
SbshBinaryPath string
// HostTTYDir is the host path of the per-container tty directory that
// will be bind-mounted at AttachableTTYDir inside the container. The
// host-visible socket that `kuke attach` (#66) connects to is the
// `socket` entry inside this directory.
HostTTYDir string
}
AttachableInjection carries the host-side paths needed to wrap a container's OCI spec so it runs under sbsh. The caller (the daemon) computes both paths from the cell/container identity and the configured run path. Both fields are required when Attachable=true; an empty struct disables injection.
type BuildOption ¶ added in v0.2.0
type BuildOption func(*buildOpts)
BuildOption customizes BuildContainerSpec without changing its return type. Used for caller-provided values that don't live on the model spec — today just the host-side paths required when ContainerSpec.Attachable is true.
func WithAttachableInjection ¶ added in v0.2.0
func WithAttachableInjection(inj AttachableInjection) BuildOption
WithAttachableInjection configures the host-side paths used when wrapping an Attachable container. Has no effect on a spec where Attachable is false; in that case the option is silently ignored so callers can pass it unconditionally.
type CPUResources ¶
CPUResources maps to cpu*, cpuset* controllers.
type CgroupResources ¶
type CgroupResources struct {
CPU *CPUResources
Memory *MemoryResources
IO *IOResources
}
CgroupResources represents the subset of controllers we expose.
type CgroupSpec ¶
type CgroupSpec struct {
// Group is the target cgroup path, e.g. /kukeon/workloads/runner.
Group string
// Mountpoint overrides the default cgroup mount (/sys/fs/cgroup) when non-empty.
Mountpoint string
// Resources defines the controller knobs that should be configured for the cgroup.
Resources CgroupResources
}
CgroupSpec describes how to create a new cgroup.
func DefaultCellSpec ¶
func DefaultCellSpec(cell intmodel.Cell) CgroupSpec
func DefaultRealmSpec ¶
func DefaultRealmSpec(realm intmodel.Realm) CgroupSpec
func DefaultSpaceSpec ¶
func DefaultSpaceSpec(space intmodel.Space) CgroupSpec
func DefaultStackSpec ¶
func DefaultStackSpec(stack intmodel.Stack) CgroupSpec
type Client ¶
type Client interface {
Connect() error
Close() error
Namespace() string
CreateNamespace(namespace string) error
DeleteNamespace(namespace string) error
ListNamespaces() ([]string, error)
GetNamespace(namespace string) (string, error)
ExistsNamespace(namespace string) (bool, error)
SetNamespace(namespace string)
SetNamespaceWithCredentials(namespace string, creds []RegistryCredentials)
CleanupNamespaceResources(namespace, snapshotter string) error
GetRegistryCredentials() []RegistryCredentials
GetCgroupMountpoint() string
GetCurrentCgroupPath() (string, error)
CgroupPath(group, mountpoint string) (string, error)
NewCgroup(spec CgroupSpec) (*cgroup2.Manager, error)
LoadCgroup(group string, mountpoint string) (*cgroup2.Manager, error)
DeleteCgroup(group, mountpoint string) error
CreateContainerFromSpec(spec intmodel.ContainerSpec, opts ...BuildOption) (containerd.Container, error)
CreateContainer(spec ContainerSpec) (containerd.Container, error)
GetContainer(id string) (containerd.Container, error)
ListContainers(filters ...string) ([]containerd.Container, error)
ExistsContainer(id string) (bool, error)
DeleteContainer(id string, opts ContainerDeleteOptions) error
StartContainer(spec ContainerSpec, taskSpec TaskSpec) (containerd.Task, error)
StopContainer(id string, opts StopContainerOptions) (*containerd.ExitStatus, error)
TaskStatus(id string) (containerd.Status, error)
TaskMetrics(id string) (*apitypes.Metric, error)
ResolveSbshCachePath(imageRef, baseRunPath string) (string, error)
}
type ContainerDeleteOptions ¶
type ContainerDeleteOptions struct {
// SnapshotCleanup indicates whether to clean up snapshots.
SnapshotCleanup bool
}
ContainerDeleteOptions describes options for deleting a container.
type ContainerRuntime ¶
type ContainerRuntime struct {
// Name is the runtime name (e.g., "io.containerd.runc.v2").
Name string
// Options are runtime-specific options.
Options interface{}
}
ContainerRuntime describes the runtime configuration.
type ContainerSpec ¶
type ContainerSpec struct {
// ID is the unique identifier for the container.
ID string
// Image is the image reference to use for the container.
Image string
// SnapshotKey is the key for the snapshot. If empty, defaults to ID.
SnapshotKey string
// Snapshotter is the snapshotter to use. If empty, uses default.
Snapshotter string
// Runtime is the runtime configuration.
Runtime *ContainerRuntime
// SpecOpts are OCI spec options to apply.
SpecOpts []oci.SpecOpts
// Labels are key-value pairs to attach to the container.
Labels map[string]string
// CNIConfigPath is the path to the CNI configuration to use for this container.
CNIConfigPath string
}
ContainerSpec describes how to create a new container.
func BuildContainerSpec ¶
func BuildContainerSpec(
	containerSpec intmodel.ContainerSpec,
	options ...BuildOption,
) ContainerSpec
BuildContainerSpec converts an internal ContainerSpec to ctr.ContainerSpec with the expected defaults applied. Uses ContainerdID if available, otherwise falls back to ID.
func BuildRootContainerSpec ¶
func BuildRootContainerSpec(
	rootSpec intmodel.ContainerSpec,
	labels map[string]string,
) ContainerSpec
BuildRootContainerSpec converts the internal root container spec into an internal ctr.ContainerSpec with the expected defaults applied. Uses ContainerdID if available, otherwise falls back to ID.
func JoinContainerNamespaces ¶
func JoinContainerNamespaces(spec ContainerSpec, ns NamespacePaths) ContainerSpec
JoinContainerNamespaces returns a copy of spec with namespace spec options applied.
type IOResources ¶
type IOResources struct {
Weight uint16
Throttle []IOThrottleEntry
}
IOResources exposes IO weight + throttling.
type IOThrottleEntry ¶
type IOThrottleEntry struct {
Type IOThrottleType
Major int64
Minor int64
Rate uint64
}
IOThrottleEntry represents a single io.max entry.
type IOThrottleType ¶
type IOThrottleType string
IOThrottleType identifies the throttle file to target.
const (
	IOTypeReadBPS   IOThrottleType = IOThrottleType(cgroup2.ReadBPS)
	IOTypeWriteBPS  IOThrottleType = IOThrottleType(cgroup2.WriteBPS)
	IOTypeReadIOPS  IOThrottleType = IOThrottleType(cgroup2.ReadIOPS)
	IOTypeWriteIOPS IOThrottleType = IOThrottleType(cgroup2.WriteIOPS)
)
type MemoryResources ¶
MemoryResources maps to memory controller knobs.
type NamespacePaths ¶
NamespacePaths describes the namespace file paths a container should join.
type RegistryCredentials ¶
type RegistryCredentials struct {
// Username is the registry username.
Username string
// Password is the registry password or token.
Password string
// ServerAddress is the registry server address (e.g., "docker.io", "registry.example.com").
// If empty, credentials apply to the registry extracted from the image reference.
ServerAddress string
}
RegistryCredentials contains authentication information for a container registry. This type matches the modelhub RegistryCredentials structure for use in the ctr package.
func ConvertRealmCredentials ¶
func ConvertRealmCredentials(creds []intmodel.RegistryCredentials) []RegistryCredentials
ConvertRealmCredentials converts modelhub RegistryCredentials slice to ctr RegistryCredentials slice.
type StopContainerOptions ¶
type StopContainerOptions struct {
// Signal is the signal to send (defaults to SIGTERM).
Signal string
// Timeout is the timeout for graceful shutdown.
Timeout *time.Duration
// Force indicates whether to force kill if timeout is exceeded.
Force bool
}
StopContainerOptions describes options for stopping a container.
type TaskIO ¶
type TaskIO struct {
// Stdin is the path to stdin (if any).
Stdin string
// Stdout is the path to stdout (if any).
Stdout string
// Stderr is the path to stderr (if any).
Stderr string
// Terminal indicates if the task should have a TTY.
Terminal bool
}
TaskIO describes the IO configuration for a task.
type TaskSpec ¶
type TaskSpec struct {
// IO is the IO configuration for the task.
IO *TaskIO
// Options are task creation options.
Options []containerd.NewTaskOpts
}
TaskSpec describes how to create a new task.