Documentation
Overview
Package containerd provides a backend that executes code via containerd. It plays the same role as the Docker backend but is a more natural fit for servers and agents that already run containerd, since it talks to the daemon's socket directly rather than through a Docker engine.
Constants
This section is empty.
Variables
var (
	// ErrContainerdNotAvailable is returned when containerd is not available.
	ErrContainerdNotAvailable = errors.New("containerd not available")
	// ErrImageNotFound is returned when the execution image is not found.
	ErrImageNotFound = errors.New("image not found")
	// ErrContainerFailed is returned when container creation/execution fails.
	ErrContainerFailed = errors.New("container execution failed")
	// ErrClientNotConfigured is returned when no ContainerRunner is configured.
	ErrClientNotConfigured = errors.New("containerd client not configured")
	// ErrDaemonUnavailable is returned when the containerd daemon cannot be reached.
	ErrDaemonUnavailable = errors.New("containerd daemon unavailable")
	// ErrSecurityViolation is returned when a security policy is violated.
	ErrSecurityViolation = errors.New("security policy violation")
)
Errors for containerd backend operations.
Functions
This section is empty.
Types
type Backend
type Backend struct {
// contains filtered or unexported fields
}
Backend executes code via containerd with security isolation.
func (*Backend) Execute
func (b *Backend) Execute(ctx context.Context, req runtime.ExecuteRequest) (runtime.ExecuteResult, error)
Execute runs code via containerd with security isolation.
func (*Backend) Kind
func (b *Backend) Kind() runtime.BackendKind
Kind returns the backend kind identifier.
type Config
type Config struct {
// ImageRef is the image reference to use for execution.
// Default: toolruntime-sandbox:latest
// A tag such as :latest is mutable and can be repointed at a different image;
// for reproducible, tamper-evident execution use a digest reference
// (image@sha256:<digest>), which pins the exact image content.
ImageRef string
// Namespace is the containerd namespace to use.
// Default: default
Namespace string
// SocketPath is the path to the containerd socket.
// Default: /run/containerd/containerd.sock
SocketPath string
// Runtime is the containerd runtime to use.
// Examples: "io.containerd.runc.v2", "io.containerd.runsc.v1", "io.containerd.kata.v2", "aws.firecracker".
// Optional.
Runtime string
// SeccompPath is the path to a seccomp profile for hardened mode.
SeccompPath string
// Client executes container specs.
// If nil, Execute() returns ErrClientNotConfigured.
Client ContainerRunner
// ImageResolver optionally resolves/pulls images before execution.
ImageResolver ImageResolver
// HealthChecker optionally verifies containerd availability.
HealthChecker HealthChecker
// Logger is an optional logger for backend events.
Logger Logger
}
Config configures a containerd backend.
type ContainerResult added in v0.2.0
type ContainerResult struct {
// ExitCode is the container's exit code.
ExitCode int
// Stdout contains the container's stdout output.
Stdout string
// Stderr contains the container's stderr output.
Stderr string
// Duration is the execution time.
Duration time.Duration
}
ContainerResult captures the output of container execution.
type ContainerRunner added in v0.2.0
type ContainerRunner interface {
Run(ctx context.Context, spec ContainerSpec) (ContainerResult, error)
}
ContainerRunner executes a containerd task for a given spec.
Contract:
- Concurrency: Implementations must be safe for concurrent use.
- Context: Run must honor cancellation and deadlines.
- Ownership: Implementations must not mutate the provided spec.
type ContainerSpec added in v0.2.0
type ContainerSpec struct {
// Image is the container image reference (required).
Image string
// Runtime is the containerd runtime to use (e.g., "io.containerd.runc.v2").
Runtime string
// Command is the command to execute.
Command []string
// WorkingDir is the working directory inside the container.
WorkingDir string
// Env contains environment variables in KEY=value format.
Env []string
// Resources defines resource limits.
Resources ResourceSpec
// Security defines security settings.
Security SecuritySpec
// Timeout is the maximum execution duration.
Timeout time.Duration
// Labels are container labels for tracking.
Labels map[string]string
}
ContainerSpec defines what to run in a container and how.
func (ContainerSpec) Validate added in v0.2.0
func (s ContainerSpec) Validate() error
Validate checks ContainerSpec for errors before execution.
type HealthChecker added in v0.2.0
HealthChecker can verify containerd availability.
type ImageResolver added in v0.2.0
ImageResolver resolves/pulls images before execution.
type Logger
type Logger interface {
Info(msg string, args ...any)
Warn(msg string, args ...any)
Error(msg string, args ...any)
}
Logger is the interface for logging.
Contract:
- Concurrency: implementations must be safe for concurrent use.
- Errors: logging must be best-effort and must not panic.
type ResourceSpec added in v0.2.0
type ResourceSpec struct {
// MemoryBytes is the memory limit in bytes.
// Zero means unlimited.
MemoryBytes int64
// CPUQuota is the CPU quota in microseconds per 100ms period (CFS semantics:
// 50000 allows half of one CPU, 200000 allows two CPUs).
// Zero means unlimited.
CPUQuota int64
// PidsLimit is the maximum number of processes.
// Zero means unlimited.
PidsLimit int64
// DiskBytes is the disk limit in bytes.
// Zero means unlimited. Not all runtimes support this.
DiskBytes int64
}
ResourceSpec defines container resource limits.
func (ResourceSpec) Validate added in v0.2.0
func (r ResourceSpec) Validate() error
Validate checks ResourceSpec for invalid values.
type SecuritySpec added in v0.2.0
type SecuritySpec struct {
// User is the user to run as (e.g., "nobody:nogroup").
User string
// ReadOnlyRootfs mounts the root filesystem as read-only.
ReadOnlyRootfs bool
// NetworkMode is the network mode: "none", "bridge", "host".
// "host" is not allowed in sandbox contexts.
NetworkMode string
// SeccompProfile is the path to a seccomp profile.
// Empty uses the runtime's default profile.
SeccompProfile string
// Privileged grants extended privileges to the container.
// Must always be false in sandbox contexts.
Privileged bool
}
SecuritySpec defines container security settings.
func (SecuritySpec) Validate added in v0.2.0
func (s SecuritySpec) Validate() error
Validate checks SecuritySpec for policy violations.
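The following stand-alone Go program is an added example, not code from this package, showing how the ContainerRunner contract above and the SecuritySpec/ResourceSpec policy fit together. It defines minimal local copies of a subset of ContainerSpec, ResourceSpec, SecuritySpec, ContainerResult and ContainerRunner (assumptions, since the package's import path is not given here), an illustrative ValidateSandbox that refuses Privileged and "host" networking and negative limits (the checks the package's own Validate methods perform are not shown on this page, so these are assumptions), and a PolicyRunner decorator that satisfies the contract: it validates before running, derives a context deadline from spec.Timeout, and adds a tracking label to a copy so the caller's spec and its Labels map are never mutated. SlowRunner, PolicyRunner, ValidateSandbox and the "sandbox.policy" label are hypothetical names.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Minimal local copies of a subset of the page's types (assumption: not the package's own).
type ResourceSpec struct{ MemoryBytes, CPUQuota, PidsLimit, DiskBytes int64 }

type SecuritySpec struct {
	NetworkMode string
	Privileged  bool
}

type ContainerSpec struct {
	Image     string
	Resources ResourceSpec
	Security  SecuritySpec
	Timeout   time.Duration
	Labels    map[string]string
}

type ContainerResult struct {
	ExitCode int
}

type ContainerRunner interface {
	Run(ctx context.Context, spec ContainerSpec) (ContainerResult, error)
}

var ErrSecurityViolation = errors.New("security policy violation")

// ValidateSandbox is an illustrative policy check (assumption; the package's own
// Validate methods are not shown): Privileged must be false, NetworkMode must be
// "none" or "bridge" ("host" is refused), and limits must not be negative.
func ValidateSandbox(s ContainerSpec) error {
	if s.Security.Privileged {
		return fmt.Errorf("%w: privileged must be false", ErrSecurityViolation)
	}
	switch s.Security.NetworkMode {
	case "none", "bridge":
	case "host":
		return fmt.Errorf("%w: host networking is not allowed", ErrSecurityViolation)
	default:
		return fmt.Errorf("%w: unknown network mode %q", ErrSecurityViolation, s.Security.NetworkMode)
	}
	r := s.Resources
	if r.MemoryBytes < 0 || r.CPUQuota < 0 || r.PidsLimit < 0 || r.DiskBytes < 0 {
		return errors.New("resource limits must not be negative")
	}
	return nil
}

// PolicyRunner wraps another ContainerRunner and honors the contract: validate first,
// turn spec.Timeout into a context deadline, and label a copy so the caller's spec
// (including its Labels map) is never mutated.
type PolicyRunner struct{ Inner ContainerRunner }

func (p PolicyRunner) Run(ctx context.Context, spec ContainerSpec) (ContainerResult, error) {
	if err := ValidateSandbox(spec); err != nil {
		return ContainerResult{}, err
	}
	if spec.Timeout > 0 {
		var cancel context.CancelFunc
		ctx, cancel = context.WithTimeout(ctx, spec.Timeout)
		defer cancel()
	}
	tagged := spec // struct copy; the map still aliases the caller's, so rebuild it
	tagged.Labels = make(map[string]string, len(spec.Labels)+1)
	for k, v := range spec.Labels {
		tagged.Labels[k] = v
	}
	tagged.Labels["sandbox.policy"] = "enforced" // hypothetical label name
	return p.Inner.Run(ctx, tagged)
}

// SlowRunner stands in for a containerd-backed runner: the "task" takes Work to
// finish and returns ctx.Err() when cancellation or the deadline wins instead.
type SlowRunner struct{ Work time.Duration }

func (r SlowRunner) Run(ctx context.Context, spec ContainerSpec) (ContainerResult, error) {
	select {
	case <-time.After(r.Work):
		return ContainerResult{ExitCode: 0}, nil
	case <-ctx.Done():
		return ContainerResult{ExitCode: -1}, ctx.Err()
	}
}

func main() {
	runner := PolicyRunner{Inner: SlowRunner{Work: 10 * time.Millisecond}}
	spec := ContainerSpec{Image: "toolruntime-sandbox:latest", Security: SecuritySpec{NetworkMode: "none"}, Timeout: time.Second}
	res, err := runner.Run(context.Background(), spec)
	fmt.Println("sandboxed:", res.ExitCode, err)
	spec.Security.Privileged = true
	_, err = runner.Run(context.Background(), spec)
	fmt.Println("privileged rejected:", errors.Is(err, ErrSecurityViolation))
}
```

The decorator pattern keeps policy enforcement in one place regardless of which runtime shim (runc, gVisor, Kata, Firecracker) the inner runner ultimately drives, and wrapping errors with %w lets callers test for ErrSecurityViolation with errors.Is while still seeing which rule fired.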