kata

package
v0.2.2
Warning

This package is not in the latest version of its module.
Published: Feb 3, 2026 License: MIT Imports: 7 Imported by: 0

Documentation

Overview

Package kata provides a backend that executes code in Kata Containers. It provides VM-level isolation, which is stronger than the isolation of plain containers.

Constants

This section is empty.

Variables

var (
	// ErrKataNotAvailable is returned when Kata Containers is not available.
	ErrKataNotAvailable = errors.New("kata containers not available")

	// ErrVMCreationFailed is returned when VM creation fails.
	ErrVMCreationFailed = errors.New("vm creation failed")

	// ErrVMExecutionFailed is returned when VM execution fails.
	ErrVMExecutionFailed = errors.New("vm execution failed")

	// ErrClientNotConfigured is returned when no SandboxRunner is configured.
	ErrClientNotConfigured = errors.New("kata runner not configured")

	// ErrDaemonUnavailable is returned when kata-runtime is not reachable.
	ErrDaemonUnavailable = errors.New("kata runtime unavailable")

	// ErrSecurityViolation is returned when a security policy is violated.
	ErrSecurityViolation = errors.New("security policy violation")
)

Errors for Kata backend operations.

Functions

This section is empty.

Types

type Backend

type Backend struct {
	// contains filtered or unexported fields
}

Backend executes code in Kata Containers for VM-level isolation.

func New

func New(cfg Config) *Backend

New creates a new Kata backend with the given configuration.

func (*Backend) Execute

Execute runs code in a Kata Container with VM-level isolation.

func (*Backend) Kind

func (b *Backend) Kind() runtime.BackendKind

Kind returns the backend kind identifier.

type Config

type Config struct {
	// RuntimePath is the path to the kata-runtime binary.
	// Default: kata-runtime (uses PATH)
	RuntimePath string

	// Image is the container image to use for execution.
	// Default: toolruntime-sandbox:latest
	Image string

	// Hypervisor specifies the hypervisor to use.
	// Options: qemu, cloud-hypervisor, firecracker
	// Default: qemu
	Hypervisor string

	// KernelPath is the path to the guest kernel.
	KernelPath string

	// ImagePath is the path to the guest image/rootfs.
	ImagePath string

	// Client executes sandbox specs.
	// If nil, Execute() returns ErrClientNotConfigured.
	Client SandboxRunner

	// ImageResolver optionally resolves/pulls images before execution.
	ImageResolver ImageResolver

	// HealthChecker optionally verifies kata availability.
	HealthChecker HealthChecker

	// Logger is an optional logger for backend events.
	Logger Logger
}

Config configures a Kata backend.

type HealthChecker added in v0.2.0

type HealthChecker interface {
	Ping(ctx context.Context) error
}

HealthChecker can verify kata-runtime availability.

type ImageResolver added in v0.2.0

type ImageResolver interface {
	Resolve(ctx context.Context, image string) (string, error)
}

ImageResolver resolves/pulls images before execution.

type Logger

type Logger interface {
	Info(msg string, args ...any)
	Warn(msg string, args ...any)
	Error(msg string, args ...any)
}

Logger is the interface for logging.

Contract:
- Concurrency: implementations must be safe for concurrent use.
- Errors: logging must be best-effort and must not panic.

type ResourceSpec added in v0.2.0

type ResourceSpec struct {
	MemoryBytes int64
	CPUQuota    int64
	PidsLimit   int64
	DiskBytes   int64
}

ResourceSpec defines Kata resource limits.

func (ResourceSpec) Validate added in v0.2.0

func (r ResourceSpec) Validate() error

Validate checks ResourceSpec for invalid values.

type SandboxResult added in v0.2.0

type SandboxResult struct {
	ExitCode int
	Stdout   string
	Stderr   string
	Duration time.Duration
}

SandboxResult captures the output of a Kata execution.

type SandboxRunner added in v0.2.0

type SandboxRunner interface {
	Run(ctx context.Context, spec SandboxSpec) (SandboxResult, error)
}

SandboxRunner executes Kata containers for a given spec.

Contract:
- Concurrency: Implementations must be safe for concurrent use.
- Context: Run must honor cancellation and deadlines.
- Ownership: Implementations must not mutate the provided spec.
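A test double that satisfies the three SandboxRunner contract points above, as an added example that is not part of the package's own code. stubRunner and the SANDBOX=kata variable are hypothetical, the two structs are trimmed local copies of the SandboxSpec and SandboxResult declarations on this page so the block compiles without the module, and enforcing spec.Timeout inside Run is an assumption.

```go
package main

import (
	"context"
	"fmt"
	"sync/atomic"
	"time"
)

// Trimmed local copies of the page's SandboxSpec and SandboxResult declarations.
type SandboxSpec struct {
	Command []string
	Env     []string
	Timeout time.Duration
}
type SandboxResult struct {
	ExitCode int
	Stdout   string
}

// stubRunner is a hypothetical SandboxRunner test double; no VM is started.
type stubRunner struct {
	delay time.Duration // simulated guest run time
	runs  int64         // updated atomically so Run is safe for concurrent use
}

func (r *stubRunner) Run(ctx context.Context, spec SandboxSpec) (SandboxResult, error) {
	atomic.AddInt64(&r.runs, 1)
	// Ownership: spec is a copy, but spec.Env aliases the caller's backing array; copy before appending.
	env := append([]string(nil), spec.Env...)
	env = append(env, "SANDBOX=kata") // constructed variable
	// Context: assumption that the runner enforces spec.Timeout under the caller's deadline.
	if spec.Timeout > 0 {
		var cancel context.CancelFunc
		ctx, cancel = context.WithTimeout(ctx, spec.Timeout)
		defer cancel()
	}
	select {
	case <-time.After(r.delay):
		return SandboxResult{Stdout: fmt.Sprintf("ran %v with %d env vars", spec.Command, len(env))}, nil
	case <-ctx.Done():
		return SandboxResult{ExitCode: -1}, ctx.Err()
	}
}

func main() {
	r := &stubRunner{delay: 50 * time.Millisecond}
	fmt.Println(r.Run(context.Background(), SandboxSpec{Timeout: time.Millisecond}))
}
```

Appending directly to spec.Env would write into the caller's backing array whenever the slice has spare capacity, which is the mutation the Ownership rule forbids.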

type SandboxSpec added in v0.2.0

type SandboxSpec struct {
	Image      string
	Runtime    string
	Hypervisor string
	KernelPath string
	ImagePath  string
	Command    []string
	WorkingDir string
	Env        []string
	Resources  ResourceSpec
	Security   SecuritySpec
	Timeout    time.Duration
	Labels     map[string]string
}

SandboxSpec defines what to run inside Kata Containers.

func (SandboxSpec) Validate added in v0.2.0

func (s SandboxSpec) Validate() error

Validate checks SandboxSpec for errors before execution.

type SecuritySpec added in v0.2.0

type SecuritySpec struct {
	User           string
	ReadOnlyRootfs bool
	NetworkMode    string
	SeccompProfile string
	Privileged     bool
}

SecuritySpec defines Kata security settings.

func (SecuritySpec) Validate added in v0.2.0

func (s SecuritySpec) Validate() error

Validate checks SecuritySpec for policy violations.
