runner

package
v0.2.3 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Mar 14, 2026 License: BSD-3-Clause Imports: 30 Imported by: 2

Documentation

Index

Constants

// Option_Do_Main is a typed boolean constant set to false.
// NOTE(review): its effect is not visible here; confirm where it is read.
const Option_Do_Main bool = false
// Option_Embed_Main is a typed boolean constant set to false.
// NOTE(review): presumably related to the embedded Rye_files filesystem; confirm where it is read.
const Option_Embed_Main bool = false

Variables

// Seccomp flags (Linux only), backed by a pure Go library. The profile
// defaults to the empty string, so no profile is named unless one is passed.
// NOTE(review): the "log" action presumably records a restricted syscall
// without blocking it; confirm before treating it as an enforcement mode.
var (
	SeccompProfile = flag.String("seccomp-profile", "", "Seccomp profile to use: strict, readonly")
	SeccompAction  = flag.String("seccomp-action", "errno", "Action on restricted syscalls: errno, kill, trap, log")
)

// Landlock flags (Linux only), backed by the landlock-go library. Filesystem
// access control is opt-in: -landlock defaults to false. -landlock-paths is
// documented as applying to the custom profile.
var (
	LandlockEnabled = flag.Bool("landlock", false, "Enable landlock filesystem access control")
	LandlockProfile = flag.String("landlock-profile", "readonly", "Landlock profile: readonly, readexec, custom")
	LandlockPaths   = flag.String("landlock-paths", "", "Comma-separated list of paths to allow access to (for custom profile)")
)

// HttpPort selects the port for HTTP REPL mode; empty by default.
// NOTE(review): the help text promises a localhost-only listener, but the
// bind address is not set in this declaration. Confirm it where the server
// is started, since a REPL evaluates whatever it receives.
var HttpPort = flag.String("http", "", "Start Rye in HTTP REPL mode on specified port (localhost only)")

// CodeSigEnforced turns on code signature verification. It is off by
// default, so signatures are not enforced unless -codesig is set.
var CodeSigEnforced = flag.Bool("codesig", false, "Enforce code signature verification")

// Unshare flags (Linux only): namespace isolation via re-exec. -unshare
// itself defaults to false. The four sub-flags default to true, but their
// help text ties them to -unshare, so none of them isolates anything alone.
var (
	UnshareEnabled = flag.Bool("unshare", false, "Run script in isolated Linux namespaces via re-exec (Linux only)")
	UnshareFs      = flag.Bool("unshare-fs", true, "Isolate filesystem when using --unshare (bind-mounts current dir read-only as /app)")
	UnshareNet     = flag.Bool("unshare-net", true, "Isolate network namespace when using --unshare (no network access)")
	UnsharePid     = flag.Bool("unshare-pid", true, "Isolate PID namespace when using --unshare (hides host processes)")
	UnshareUts     = flag.Bool("unshare-uts", true, "Isolate UTS/hostname namespace when using --unshare")
)

// NoInspect makes the process exit immediately on error instead of showing
// the debugging options.
var NoInspect = flag.Bool("noinspect", false, "Exit immediately on error without showing debugging options")
// CurrentScriptDirectory stores the directory of the currently executing script.
// NOTE(review): exported and mutable, so any importing package can overwrite it;
// confirm callers treat it as read-only before using it to resolve paths.
var CurrentScriptDirectory string

CurrentScriptDirectory stores the directory of the currently executing script

// Rye_files is an embedded filesystem (embed.FS).
// NOTE(review): no go:embed directive is visible here, so which files it
// contains cannot be confirmed from this declaration.
var Rye_files embed.FS
// Version defaults to "development"; release builds are expected to override
// it at link time via -ldflags.
var Version = "development"

The Version variable is set at build time using -ldflags, e.g. in GoReleaser: https://goreleaser.com/cookbooks/using-main.version

Functions

func ClearCurrentProgramState added in v0.0.88

func ClearCurrentProgramState()

ClearCurrentProgramState unregisters the program state

func DoMain

func DoMain(regfn func(*env.ProgramState) error)

func DoReexecInUnshare added in v0.2.3

func DoReexecInUnshare(_ UnshareConfig)

DoReexecInUnshare prints an error and exits on non-Linux systems because Linux namespaces are not available.

func GetScriptDirectory added in v0.0.81

func GetScriptDirectory() string

GetScriptDirectory returns the directory of the currently executing script

func IsUnshareChild added in v0.2.3

func IsUnshareChild() bool

IsUnshareChild always returns false on non-Linux systems.

func SetCurrentProgramState added in v0.0.88

func SetCurrentProgramState(ps *env.ProgramState)

SetCurrentProgramState registers the currently executing program state for signal handling

func SetupUnshareFilesystem added in v0.2.3

func SetupUnshareFilesystem() error

SetupUnshareFilesystem is a no-op on non-Linux systems.

Types

type UnshareConfig added in v0.2.3

// UnshareConfig carries the four namespace-isolation switches. Per the
// package documentation, on non-Linux systems these options are parsed but
// have no effect, so they provide no isolation there.
// NOTE(review): the fields presumably mirror the -unshare-fs, -unshare-net,
// -unshare-pid and -unshare-uts flags; confirm against the caller.
type UnshareConfig struct {
	Fs, Net, Pid, Uts bool
}

UnshareConfig holds the namespace isolation options. On non-Linux systems these options are parsed but have no effect.

func ReadUnshareChildConfig added in v0.2.3

func ReadUnshareChildConfig() UnshareConfig

ReadUnshareChildConfig returns a zero-value config on non-Linux systems.
