sandbox

package

v0.1.11 Latest Latest Go to latest Published: Feb 10, 2026 License: MIT Imports: 23 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/jingkaihe/matchlock

Links

Open Source Insights

Documentation ¶

Rendered for

Overview ¶

Package sandbox provides the core sandbox VM management functionality.

Index ¶

func DefaultGuestAgentPath() string
func DefaultGuestFusedPath() string
func DefaultInitramfsPath() string
func DefaultKernelPath() string
func DefaultKernelPathWithVersion(version string) (string, error)
func ExecInteractiveViaRelay(ctx context.Context, socketPath, command, workingDir, user string, ...) (int, error)
func ExecViaRelay(ctx context.Context, socketPath, command, workingDir, user string) (*api.ExecResult, error)
func KernelArch() string
func KernelVersion() string
type ExecRelay
- func NewExecRelay(sb *Sandbox) *ExecRelay
- func (r *ExecRelay) Start(socketPath string) error
- func (r *ExecRelay) Stop()
type FirewallRules
type Options
type Sandbox
- func New(ctx context.Context, config *api.Config, opts *Options) (*Sandbox, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func DefaultGuestAgentPath ¶

func DefaultGuestAgentPath() string

DefaultGuestAgentPath returns the default path to guest-agent binary.

func DefaultGuestFusedPath ¶

func DefaultGuestFusedPath() string

DefaultGuestFusedPath returns the default path to guest-fused binary.

func DefaultInitramfsPath ¶

func DefaultInitramfsPath() string

DefaultInitramfsPath returns the default path to the initramfs image (optional, mainly for macOS).

func DefaultKernelPath ¶

func DefaultKernelPath() string

DefaultKernelPath returns the path to the kernel image, downloading if needed. It checks in order: MATCHLOCK_KERNEL env, legacy paths, then downloads from OCI.

func DefaultKernelPathWithVersion ¶

func DefaultKernelPathWithVersion(version string) (string, error)

DefaultKernelPathWithVersion returns the path to a specific kernel version.

func ExecInteractiveViaRelay ¶

func ExecInteractiveViaRelay(ctx context.Context, socketPath, command, workingDir, user string, rows, cols uint16, stdin io.Reader, stdout io.Writer) (int, error)

ExecInteractiveViaRelay connects to an exec relay socket and runs an interactive command.

func ExecViaRelay ¶

func ExecViaRelay(ctx context.Context, socketPath, command, workingDir, user string) (*api.ExecResult, error)

ExecViaRelay connects to an exec relay socket and runs a command.

func KernelArch ¶

func KernelArch() string

KernelArch returns the current kernel architecture.

func KernelVersion ¶

func KernelVersion() string

KernelVersion returns the current kernel version.

Types ¶

type ExecRelay ¶

type ExecRelay struct {
	// contains filtered or unexported fields
}

ExecRelay serves exec requests from external processes via a Unix socket. This allows `matchlock exec` to run commands in a VM owned by another process.

func NewExecRelay ¶

func NewExecRelay(sb *Sandbox) *ExecRelay

func (*ExecRelay) Start ¶

func (r *ExecRelay) Start(socketPath string) error

func (*ExecRelay) Stop ¶

func (r *ExecRelay) Stop()

type FirewallRules ¶

type FirewallRules interface {
	Setup() error
	Cleanup() error
}

FirewallRules is an interface for managing firewall rules.

type Options ¶

type Options struct {
	// KernelPath overrides the default kernel path
	KernelPath string
	// RootfsPath is the path to the rootfs image (required)
	RootfsPath string
}

Options configures sandbox creation.

type Sandbox ¶

type Sandbox struct {
	// contains filtered or unexported fields
}

Sandbox represents a running sandbox VM with all associated resources.

func New ¶

func New(ctx context.Context, config *api.Config, opts *Options) (*Sandbox, error)

New creates a new sandbox VM with the given configuration.

func (*Sandbox) CAPool ¶ added in v0.1.1

func (s *Sandbox) CAPool() *sandboxnet.CAPool

func (*Sandbox) Close ¶

func (s *Sandbox) Close(ctx context.Context) error

Close shuts down the sandbox and releases all resources.

func (*Sandbox) Config ¶

func (s *Sandbox) Config() *api.Config

Config returns the sandbox configuration.

func (*Sandbox) Events ¶

func (s *Sandbox) Events() <-chan api.Event

Events returns a channel for receiving sandbox events.

func (*Sandbox) Exec ¶

func (s *Sandbox) Exec(ctx context.Context, command string, opts *api.ExecOptions) (*api.ExecResult, error)

func (*Sandbox) ID ¶

func (s *Sandbox) ID() string

ID returns the sandbox identifier.

func (*Sandbox) ListFiles ¶

func (s *Sandbox) ListFiles(ctx context.Context, path string) ([]api.FileInfo, error)

func (*Sandbox) Machine ¶

func (s *Sandbox) Machine() vm.Machine

Machine returns the underlying VM machine for advanced operations.

func (*Sandbox) Policy ¶

func (s *Sandbox) Policy() *policy.Engine

Policy returns the policy engine.

func (*Sandbox) PrepareExecEnv ¶ added in v0.1.1

func (s *Sandbox) PrepareExecEnv() *api.ExecOptions

func (*Sandbox) ReadFile ¶

func (s *Sandbox) ReadFile(ctx context.Context, path string) ([]byte, error)

func (*Sandbox) ReadFileTo ¶ added in v0.1.4

func (s *Sandbox) ReadFileTo(ctx context.Context, path string, w io.Writer) (int64, error)

func (*Sandbox) Start ¶

func (s *Sandbox) Start(ctx context.Context) error

Start starts the sandbox VM.

func (*Sandbox) Stop ¶

func (s *Sandbox) Stop(ctx context.Context) error

Stop stops the sandbox VM.

func (*Sandbox) Workspace ¶

func (s *Sandbox) Workspace() string

Workspace returns the VFS mount point path.

func (*Sandbox) WriteFile ¶

func (s *Sandbox) WriteFile(ctx context.Context, path string, content []byte, mode uint32) error

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL