plugincontainer

package module

v0.2.1 Latest Latest Go to latest Published: Sep 13, 2023 License: MPL-2.0 Imports: 20 Imported by: 3

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/hashicorp/go-secure-stdlib

Links

Open Source Insights

Documentation ¶

Index ¶

func ReattachFunc(logger hclog.Logger, id, hostSocketDir string) (runner.AttachedRunner, error)
type Config
- func (cfg *Config) NewContainerRunner(logger hclog.Logger, cmd *exec.Cmd, hostSocketDir string) (runner.Runner, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func ReattachFunc ¶

func ReattachFunc(logger hclog.Logger, id, hostSocketDir string) (runner.AttachedRunner, error)

Types ¶

type Config ¶ added in v0.2.0

type Config struct {
	// GroupAdd sets an additional group that the container should run as. Should
	// match the UnixSocketConfig Group passed to go-plugin. Needs to be set if
	// the container runtime is not rootless.
	GroupAdd int

	// Container command/env
	Entrypoint []string // If specified, replaces the container entrypoint.
	Args       []string // If specified, replaces the container args.
	Env        []string // A slice of x=y environment variables to add to the container.

	// container.Config options
	Image          string            // Image to run (without the tag), e.g. hashicorp/vault-plugin-auth-jwt
	Tag            string            // Tag of the image to run, e.g. 0.16.0
	SHA256         string            // SHA256 digest of the image. Can be a plain sha256 or prefixed with sha256:
	DisableNetwork bool              // Whether to disable the networking stack.
	Labels         map[string]string // Arbitrary metadata to facilitate querying containers.

	// container.HostConfig options
	Runtime      string // OCI runtime.
	CgroupParent string // Parent Cgroup for the container
	NanoCpus     int64  // CPU quota in billionths of a CPU core
	Memory       int64  // Memory quota in bytes

	// network.NetworkConfig options
	EndpointsConfig map[string]*network.EndpointSettings // Endpoint configs for each connecting network

	// When set, prints additional debug information when a plugin fails to start.
	// Debug changes the way the plugin is run so that more information can be
	// extracted from the plugin container before it is cleaned up. It will also
	// include plugin environment variables in the error output. Not recommended
	// for production use.
	Debug bool
}

Config is used to opt in to running plugins inside a container. Currently only compatible with Linux due to the requirements we have for establishing communication over a unix socket.

A temporary directory will be mounted into the container and both the host and the plugin will create unix sockets that need to be writable from the other side. To achieve this, there are broadly 2 runtime options (i.e. not including build-time options):

Set up a uid or gid common to both the host and container processes, and ensure the unix socket is writable by that shared id. Set GroupAdd in this config and go-plugin ClientConfig's UnixSocketConfig Group with the same numeric gid to set up a common group. go-plugin will handle making all sockets writable by the gid.
Use a rootless container runtime, in which case the container process will be run as the same unpriveleged user as the client.

func (*Config) NewContainerRunner ¶ added in v0.2.0

func (cfg *Config) NewContainerRunner(logger hclog.Logger, cmd *exec.Cmd, hostSocketDir string) (runner.Runner, error)

NewContainerRunner must be passed a cmd that hasn't yet been started.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
examples
container command
container/plugin-counter command
container/proto
container/shared

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL