Documentation
¶
Index ¶
- Constants
- Variables
- func ParseEnvFile(path string) (map[string]string, error)
- func ParseEnvVar(spec string) (string, string, error)
- func ParseEnvs(envSpecs []string, envFiles []string) (map[string]string, error)
- func ParseVolumeMount(vol string, workspace string) (hostPath, guestPath string, readonly bool, err error)
- func ShellQuoteArgs(args []string) string
- func ValidateAddHost(mapping HostIPMapping) error
- func ValidateGuestMount(path string) error
- func ValidateGuestPathWithinWorkspace(guestPath string, workspace string) error
- func ValidateVFSMountsWithinWorkspace(mounts map[string]MountConfig, workspace string) error
- type Config
- type DirectMount
- type DiskMount
- type Event
- type ExecEvent
- type ExecOptions
- type ExecResult
- type FileEvent
- type FileInfo
- type HTTPHooks
- type HostIPMapping
- type ImageConfig
- type MountConfig
- type NetworkConfig
- type NetworkEvent
- type PortForward
- type PortForwardBinding
- type Resources
- type Secret
- type VFSConfig
- type VFSHookRule
- type VFSHooks
- type VFSInterceptionConfig
- type VM
- type VolumeMountSpec
Constants ¶
const ( DefaultCPUs = 1 DefaultMemoryMB = 512 DefaultDiskSizeMB = 5120 DefaultTimeoutSeconds = 300 DefaultNetworkMTU = 1500 DefaultGracefulShutdownPeriod = 0 )
const ( MountTypeMemory = "memory" MountTypeHostFS = "host_fs" MountTypeOverlay = "overlay" MountOptionReadonlyShort = "ro" MountOptionReadonly = "readonly" )
const DefaultWorkspace = "/workspace"
DefaultWorkspace is the default mount point for the VFS in the guest
Variables ¶
var ( ErrBlocked = errors.New("request blocked by policy") ErrHostNotAllowed = errors.New("host not in allowlist") ErrSecretLeak = errors.New("secret placeholder sent to unauthorized host") ErrVMNotRunning = errors.New("VM is not running") ErrVMNotFound = errors.New("VM not found") ErrTimeout = errors.New("operation timed out") ErrInvalidConfig = errors.New("invalid configuration") ErrInvalidVolumeFormat = errors.New("expected format host:guest or host:guest:" + MountOptionReadonlyShort) ErrResolvePath = errors.New("failed to resolve path") ErrHostPathNotExist = errors.New("host path does not exist") ErrUnknownMountOption = errors.New("unknown option") ErrGuestPathNotAbs = errors.New("guest path must be absolute") ErrGuestPathOutside = errors.New("guest path must be within workspace") ErrEnvNameEmpty = errors.New("environment variable name cannot be empty") ErrEnvNameInvalid = errors.New("environment variable name is invalid") ErrEnvVarNotSet = errors.New("environment variable is not set") ErrReadEnvFile = errors.New("read env file") ErrEnvFileLine = errors.New("parse env file line") ErrPortForwardSpecFormat = errors.New("invalid port-forward spec format") ErrPortForwardPort = errors.New("invalid port") ErrAddHostSpecFormat = errors.New("invalid add-host format") ErrAddHostHost = errors.New("invalid add-host hostname") ErrAddHostIP = errors.New("invalid add-host ip") )
var DefaultDNSServers = []string{"8.8.8.8", "8.8.4.4"}
DefaultDNSServers are used when no custom DNS servers are configured.
Functions ¶
func ParseEnvFile ¶ added in v0.1.19
ParseEnvFile parses an env file with one variable per line using the same semantics as ParseEnvVar. Blank lines and lines starting with '#' are ignored.
func ParseEnvVar ¶ added in v0.1.19
ParseEnvVar parses an environment variable in Docker-style format: "KEY=VALUE" (inline value) or "KEY" (read from host environment).
func ParseEnvs ¶ added in v0.1.19
ParseEnvs merges env files and explicit env flags into one map. Later values override earlier ones: 1) env files in provided order, then 2) explicit env specs in provided order.
func ParseVolumeMount ¶
func ParseVolumeMount(vol string, workspace string) (hostPath, guestPath string, readonly bool, err error)
ParseVolumeMount parses a volume mount string in format: - "host:guest" - "host:guest:ro" - "host:guest:overlay" - "host:guest:host_fs"
This is kept for backward compatibility with existing callers that only need host/guest/readonly. Use ParseVolumeMountSpec for mount type aware parsing.
Guest paths are resolved within workspace; absolute guest paths must already be under workspace.
func ShellQuoteArgs ¶ added in v0.1.1
ShellQuoteArgs joins command arguments into a single shell-safe string using POSIX shell quoting rules.
func ValidateAddHost ¶ added in v0.1.20
func ValidateAddHost(mapping HostIPMapping) error
func ValidateGuestMount ¶ added in v0.1.6
ValidateGuestMount checks that a guest mount path is safe for use in kernel cmdline args and shell scripts.
func ValidateGuestPathWithinWorkspace ¶ added in v0.1.19
ValidateGuestPathWithinWorkspace checks that guestPath is absolute and inside workspace.
func ValidateVFSMountsWithinWorkspace ¶ added in v0.1.19
func ValidateVFSMountsWithinWorkspace(mounts map[string]MountConfig, workspace string) error
ValidateVFSMountsWithinWorkspace checks that all VFS mount paths are valid guest paths under the configured workspace.
Types ¶
type Config ¶
type Config struct {
ID string `json:"id,omitempty"`
Image string `json:"image,omitempty"`
Privileged bool `json:"privileged,omitempty"`
Resources *Resources `json:"resources,omitempty"`
Network *NetworkConfig `json:"network,omitempty"`
VFS *VFSConfig `json:"vfs,omitempty"`
Env map[string]string `json:"env,omitempty"`
ExtraDisks []DiskMount `json:"extra_disks,omitempty"`
ImageCfg *ImageConfig `json:"image_config,omitempty"`
}
func DefaultConfig ¶
func DefaultConfig() *Config
func ParseConfig ¶
func (*Config) GetHostname ¶ added in v0.1.20
GetHostname returns hostname from config or default to ID if not set
func (*Config) GetID ¶ added in v0.1.20
GetID returns the VM ID from config. Creates a new random ID if not set.
func (*Config) GetWorkspace ¶
GetWorkspace returns the workspace path from config, or default if not set
type DirectMount ¶
type DiskMount ¶ added in v0.1.6
type DiskMount struct {
HostPath string `json:"host_path"`
GuestMount string `json:"guest_mount"`
ReadOnly bool `json:"readonly,omitempty"`
}
DiskMount describes a persistent ext4 disk image to attach as a block device.
type Event ¶
type Event struct {
Type string `json:"type"`
Timestamp int64 `json:"timestamp"`
Network *NetworkEvent `json:"network,omitempty"`
File *FileEvent `json:"file,omitempty"`
Exec *ExecEvent `json:"exec,omitempty"`
}
type ExecOptions ¶
type ExecResult ¶
type HostIPMapping ¶ added in v0.1.20
func ParseAddHost ¶ added in v0.1.20
func ParseAddHost(spec string) (HostIPMapping, error)
func ParseAddHosts ¶ added in v0.1.20
func ParseAddHosts(specs []string) ([]HostIPMapping, error)
type ImageConfig ¶ added in v0.1.10
type ImageConfig struct {
User string `json:"user,omitempty"`
WorkingDir string `json:"working_dir,omitempty"`
Entrypoint []string `json:"entrypoint,omitempty"`
Cmd []string `json:"cmd,omitempty"`
Env map[string]string `json:"env,omitempty"`
}
func (*ImageConfig) ComposeCommand ¶ added in v0.1.10
func (ic *ImageConfig) ComposeCommand(userArgs []string) []string
ComposeCommand builds a shell command from image ENTRYPOINT/CMD and user-provided args. Follows Docker semantics: if user provides args, they replace CMD; ENTRYPOINT is always prepended.
type MountConfig ¶
type MountConfig struct {
Type string `json:"type"`
HostPath string `json:"host_path,omitempty"`
Readonly bool `json:"readonly,omitempty"`
Upper *MountConfig `json:"upper,omitempty"`
Lower *MountConfig `json:"lower,omitempty"`
}
type NetworkConfig ¶
type NetworkConfig struct {
AllowedHosts []string `json:"allowed_hosts,omitempty"`
AddHosts []HostIPMapping `json:"add_hosts,omitempty"`
BlockPrivateIPs bool `json:"block_private_ips,omitempty"`
Secrets map[string]Secret `json:"secrets,omitempty"`
PolicyScript string `json:"policy_script,omitempty"`
DNSServers []string `json:"dns_servers,omitempty"`
Hostname string `json:"hostname,omitempty"`
MTU int `json:"mtu,omitempty"`
}
func (*NetworkConfig) GetDNSServers ¶ added in v0.1.7
func (n *NetworkConfig) GetDNSServers() []string
GetDNSServers returns the configured DNS servers or defaults.
func (*NetworkConfig) GetMTU ¶ added in v0.1.20
func (n *NetworkConfig) GetMTU() int
GetMTU returns the configured network MTU or the default.
type NetworkEvent ¶
type NetworkEvent struct {
Method string `json:"method"`
URL string `json:"url"`
Host string `json:"host"`
StatusCode int `json:"status_code"`
RequestBytes int64 `json:"request_bytes"`
ResponseBytes int64 `json:"response_bytes"`
DurationMS int64 `json:"duration_ms"`
Blocked bool `json:"blocked"`
BlockReason string `json:"block_reason,omitempty"`
}
type PortForward ¶ added in v0.1.20
PortForward maps a local host port to a remote guest port.
func ParsePortForward ¶ added in v0.1.20
func ParsePortForward(spec string) (PortForward, error)
ParsePortForward parses a single spec in the form [LOCAL_PORT:]REMOTE_PORT.
func ParsePortForwards ¶ added in v0.1.20
func ParsePortForwards(specs []string) ([]PortForward, error)
ParsePortForwards parses specs in the form [LOCAL_PORT:]REMOTE_PORT.
type PortForwardBinding ¶ added in v0.1.20
type PortForwardBinding struct {
Address string `json:"address"`
LocalPort int `json:"local_port"`
RemotePort int `json:"remote_port"`
}
PortForwardBinding is a realized local listener binding.
type Secret ¶
type VFSConfig ¶
type VFSConfig struct {
Workspace string `json:"workspace,omitempty"`
DirectMounts map[string]DirectMount `json:"direct_mounts,omitempty"`
Mounts map[string]MountConfig `json:"mounts,omitempty"`
Interception *VFSInterceptionConfig `json:"interception,omitempty"`
}
func (*VFSConfig) GetWorkspace ¶
GetWorkspace returns the configured workspace path or the default
type VFSHookRule ¶ added in v0.1.19
type VFSHookRule struct {
Name string `json:"name,omitempty"`
// Phase is either "before" or "after".
// Empty defaults to "before".
Phase string `json:"phase,omitempty"`
// Ops filters operations (for example: read, write, create, open).
// Empty matches all operations.
Ops []string `json:"ops,omitempty"`
// Path is a filepath-style glob pattern (for example: /workspace/*).
// Empty matches all paths.
Path string `json:"path,omitempty"`
// Action is one of: allow, block.
Action string `json:"action"`
// TimeoutMS is interpreted by SDK-local callback execution and ignored by
// host wire rules.
TimeoutMS int `json:"timeout_ms,omitempty"`
}
VFSHookRule describes a single interception rule.
type VFSInterceptionConfig ¶ added in v0.1.19
type VFSInterceptionConfig struct {
// EmitEvents enables file-operation event notifications.
EmitEvents bool `json:"emit_events,omitempty"`
Rules []VFSHookRule `json:"rules,omitempty"`
}
VFSInterceptionConfig configures host-side VFS interception rules.
type VM ¶
type VM interface {
ID() string
Config() *Config
Start(ctx context.Context) error
Stop(ctx context.Context) error
Exec(ctx context.Context, command string, opts *ExecOptions) (*ExecResult, error)
WriteFile(ctx context.Context, path string, content []byte, mode uint32) error
ReadFile(ctx context.Context, path string) ([]byte, error)
ListFiles(ctx context.Context, path string) ([]FileInfo, error)
Events() <-chan Event
Close() error
}
type VolumeMountSpec ¶ added in v0.1.21
VolumeMountSpec is a parsed -v/--volume specification.
func ParseVolumeMountSpec ¶ added in v0.1.21
func ParseVolumeMountSpec(vol string, workspace string) (VolumeMountSpec, error)
ParseVolumeMountSpec parses a volume mount string and returns a typed spec.
Source Files