sandbox

package
v0.1.19 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 14, 2026 License: MIT Imports: 26 Imported by: 0

Documentation

Overview

Package sandbox provides the core sandbox VM management functionality.

Index

Constants

This section is empty.

Variables

View Source 
var (
	// Exec relay errors
	ErrRelayConnect    = errors.New("connect to exec relay")
	ErrRelaySend       = errors.New("send exec request")
	ErrRelayRead       = errors.New("read exec result")
	ErrRelayUnexpected = errors.New("unexpected message type")
	ErrRelayDecode     = errors.New("decode exec result")
	ErrRelayListen     = errors.New("listen on relay socket")

	// Rootfs errors
	ErrGuestAgent   = errors.New("guest-agent not found")
	ErrGuestFused   = errors.New("guest-fused not found")
	ErrResizeRootfs = errors.New("resize rootfs")
	ErrCreateTemp   = errors.New("create temp file")
	ErrWriteTemp    = errors.New("write temp file")
	ErrDebugfs      = errors.New("debugfs")
	ErrStatRootfs   = errors.New("stat rootfs")
	ErrTruncate     = errors.New("truncate rootfs")
	ErrResize2fs    = errors.New("resize2fs")

	// Sandbox lifecycle errors (shared between darwin and linux)
	ErrRegisterState   = errors.New("register VM state")
	ErrAllocateSubnet  = errors.New("allocate subnet")
	ErrCreateCAPool    = errors.New("create CA pool")
	ErrCopyRootfs      = errors.New("copy rootfs")
	ErrPrepareRootfs   = errors.New("prepare rootfs")
	ErrInjectCACert    = errors.New("inject CA cert into rootfs")
	ErrInvalidDiskCfg  = errors.New("invalid extra disk config")
	ErrCreateVM        = errors.New("create VM")
	ErrCreateProxy     = errors.New("create transparent proxy")
	ErrFirewallSetup   = errors.New("setup firewall rules")
	ErrNetworkStack    = errors.New("create network stack")
	ErrVFSListener     = errors.New("setup VFS listener")
	ErrVFSServer       = errors.New("start VFS server")
	ErrMachineClose    = errors.New("machine close")
	ErrFirewallCleanup = errors.New("firewall cleanup")
	ErrNATCleanup      = errors.New("NAT cleanup")
	ErrNetworkFile     = errors.New("get network file")
	ErrReleaseSubnet   = errors.New("release subnet")
	ErrUnregisterState = errors.New("unregister VM state")
	ErrRemoveRootfs    = errors.New("remove rootfs copy")
	ErrProxyClose      = errors.New("proxy close")
	ErrLifecycleInit   = errors.New("initialize lifecycle record")
	ErrLifecycleUpdate = errors.New("update lifecycle record")

	// copyRootfs errors (linux only)
	ErrOpenSource = errors.New("open source")
	ErrCreateDest = errors.New("create dest")
	ErrCopy       = errors.New("copy")
)

Sentinel errors for the sandbox package.

Functions

func DefaultGuestAgentPath 

func DefaultGuestAgentPath() string

DefaultGuestAgentPath returns the default path to guest-agent binary.

func DefaultGuestFusedPath 

func DefaultGuestFusedPath() string

DefaultGuestFusedPath returns the default path to guest-fused binary.

func DefaultInitramfsPath 

func DefaultInitramfsPath() string

DefaultInitramfsPath returns the default path to the initramfs image (optional, mainly for macOS).

func DefaultKernelPath 

func DefaultKernelPath() string

DefaultKernelPath returns the path to the kernel image, downloading if needed. It checks in order: MATCHLOCK_KERNEL env, legacy paths, then downloads from OCI.

func DefaultKernelPathWithVersion 

func DefaultKernelPathWithVersion(version string) (string, error)

DefaultKernelPathWithVersion returns the path to a specific kernel version.

func ExecInteractiveViaRelay 

func ExecInteractiveViaRelay(ctx context.Context, socketPath, command, workingDir, user string, rows, cols uint16, stdin io.Reader, stdout io.Writer) (int, error)

ExecInteractiveViaRelay connects to an exec relay socket and runs an interactive command.

func ExecPipeViaRelay added in v0.1.12 

func ExecPipeViaRelay(ctx context.Context, socketPath, command, workingDir, user string, stdin io.Reader, stdout, stderr io.Writer) (int, error)

ExecPipeViaRelay connects to an exec relay socket and runs a command with bidirectional stdin/stdout/stderr piping (no PTY).

func ExecViaRelay 

func ExecViaRelay(ctx context.Context, socketPath, command, workingDir, user string) (*api.ExecResult, error)

ExecViaRelay connects to an exec relay socket and runs a command. The context controls the lifetime — if cancelled, the connection is closed.

func KernelArch 

func KernelArch() string

KernelArch returns the current kernel architecture.

func KernelVersion 

func KernelVersion() string

KernelVersion returns the current kernel version.

Types

type ExecRelay 

type ExecRelay struct {
	// contains filtered or unexported fields
}

ExecRelay serves exec requests from external processes via a Unix socket. This allows `matchlock exec` to run commands in a VM owned by another process.

func NewExecRelay 

func NewExecRelay(sb *Sandbox) *ExecRelay

func (*ExecRelay) Start 

func (r *ExecRelay) Start(socketPath string) error

func (*ExecRelay) Stop 

func (r *ExecRelay) Stop()

type FirewallRules 

type FirewallRules interface {
	Setup() error
	Cleanup() error
}

FirewallRules is an interface for managing firewall rules.

type Options 

type Options struct {
	// KernelPath overrides the default kernel path
	KernelPath string
	// RootfsPath is the path to the rootfs image (required)
	RootfsPath string
}

Options configures sandbox creation.

type Sandbox 

type Sandbox struct {
	// contains filtered or unexported fields
}

Sandbox represents a running sandbox VM with all associated resources.

func New 

func New(ctx context.Context, config *api.Config, opts *Options) (sb *Sandbox, retErr error)

New creates a new sandbox VM with the given configuration.

func (*Sandbox) CAPool added in v0.1.1 

func (s *Sandbox) CAPool() *sandboxnet.CAPool

func (*Sandbox) Close 

func (s *Sandbox) Close(ctx context.Context) error

Close shuts down the sandbox and releases all resources.

func (*Sandbox) Config 

func (s *Sandbox) Config() *api.Config

Config returns the sandbox configuration.

func (*Sandbox) Events 

func (s *Sandbox) Events() <-chan api.Event

Events returns a channel for receiving sandbox events.

func (*Sandbox) Exec 

func (s *Sandbox) Exec(ctx context.Context, command string, opts *api.ExecOptions) (*api.ExecResult, error)

func (*Sandbox) ID 

func (s *Sandbox) ID() string

ID returns the sandbox identifier.

func (*Sandbox) ListFiles 

func (s *Sandbox) ListFiles(ctx context.Context, path string) ([]api.FileInfo, error)

func (*Sandbox) Machine 

func (s *Sandbox) Machine() vm.Machine

Machine returns the underlying VM machine for advanced operations.

func (*Sandbox) Policy 

func (s *Sandbox) Policy() *policy.Engine

Policy returns the policy engine.

func (*Sandbox) PrepareExecEnv added in v0.1.1 

func (s *Sandbox) PrepareExecEnv() *api.ExecOptions

func (*Sandbox) ReadFile 

func (s *Sandbox) ReadFile(ctx context.Context, path string) ([]byte, error)

func (*Sandbox) ReadFileTo added in v0.1.4 

func (s *Sandbox) ReadFileTo(ctx context.Context, path string, w io.Writer) (int64, error)

func (*Sandbox) Start 

func (s *Sandbox) Start(ctx context.Context) error

Start starts the sandbox VM.

func (*Sandbox) Stop 

func (s *Sandbox) Stop(ctx context.Context) error

Stop stops the sandbox VM.

func (*Sandbox) Workspace 

func (s *Sandbox) Workspace() string

Workspace returns the VFS mount point path.

func (*Sandbox) WriteFile 

func (s *Sandbox) WriteFile(ctx context.Context, path string, content []byte, mode uint32) error

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.