Documentation
Overview
Package storage provides storage management for den sandboxes, including tmpfs mounts, Docker named volumes, and S3 synchronization.
Index
- Constants
- func BuildTmpfsMap(storage *runtime.StorageConfig, defaults []config.TmpfsDefault) (map[string]string, error)
- func FUSEContainerRequirements() (capAdd []string, devices []string)
- func NamespacedVolumeName(name string) string
- func ParseSize(s string) (int64, error)
- func SetupFUSEInContainer(ctx context.Context, rt runtime.Runtime, sandboxID string, fuseCfg *FUSEConfig, logger *slog.Logger) error
- func ValidateTmpfsOptions(opts string) error
- func ValidateVolumeMountPath(path string) error
- func ValidateVolumeName(name string) error
- type FUSEConfig
  - func PrepareFUSEMount(s3Cfg *runtime.S3SyncConfig) (*FUSEConfig, error)
- type S3Client
  - func NewS3Client
  - func (c *S3Client) Download(ctx context.Context, bucket, key string) (io.ReadCloser, int64, error)
  - func (c *S3Client) ListObjects(ctx context.Context, bucket, prefix string, maxKeys int) ([]string, error)
  - func (c *S3Client) Upload(ctx context.Context, bucket, key string, body io.Reader, size int64) error
- type S3Credentials
  - func ResolveS3Credentials(sandbox *runtime.S3SyncConfig, server serverconfig.S3Config) (*S3Credentials, error)
Constants
const (
// MaxTmpfsSizeBytes is the maximum allowed tmpfs size (4GB).
MaxTmpfsSizeBytes = 4 * 1024 * 1024 * 1024
)
const (
// VolumePrefix is prepended to all volume names for namespace isolation.
VolumePrefix = "den-"
)
Variables
This section is empty.
Functions
func BuildTmpfsMap
func BuildTmpfsMap(storage *runtime.StorageConfig, defaults []config.TmpfsDefault) (map[string]string, error)
BuildTmpfsMap merges per-sandbox tmpfs overrides with server defaults and returns a map suitable for Docker's HostConfig.Tmpfs field.
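The merge-then-cap logic summarized above, as an added example written for this page rather than taken from the storage package. It uses stand-in types TmpfsDefault{Path, Options} and StorageConfig{Tmpfs map[string]string} in place of config.TmpfsDefault and runtime.StorageConfig, and includes a ParseSize implementation (listed in the index) because enforcing MaxTmpfsSizeBytes needs one. Two rules go beyond the one-line description and are this example's own: a mount that carries no size= option is given an explicit size of MaxTmpfsSizeBytes (the kernel default is half of physical RAM), and size=0 is rejected because tmpfs treats it as "no limit".

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
)

// MaxTmpfsSizeBytes mirrors the package constant: the largest tmpfs a sandbox may request (4 GiB).
const MaxTmpfsSizeBytes int64 = 4 * 1024 * 1024 * 1024

// TmpfsDefault is a hypothetical stand-in for config.TmpfsDefault: a server-wide
// tmpfs mount that every sandbox receives unless it overrides the same path.
type TmpfsDefault struct {
	Path    string
	Options string
}

// StorageConfig is a hypothetical stand-in for runtime.StorageConfig.
type StorageConfig struct {
	Tmpfs map[string]string // mount path -> tmpfs option string
}

// ParseSize converts a tmpfs size such as "64m", "1G" or "1048576" to bytes.
// Unknown suffixes (including "%"), negative values and int64 overflow are
// rejected rather than silently truncated.
func ParseSize(s string) (int64, error) {
	s = strings.ToLower(strings.TrimSpace(s))
	if s == "" {
		return 0, fmt.Errorf("empty size")
	}
	mult := int64(1)
	switch last := s[len(s)-1]; last {
	case 'k':
		mult, s = 1<<10, s[:len(s)-1]
	case 'm':
		mult, s = 1<<20, s[:len(s)-1]
	case 'g':
		mult, s = 1<<30, s[:len(s)-1]
	case 'b':
		s = s[:len(s)-1]
	default:
		if last < '0' || last > '9' {
			return 0, fmt.Errorf("unknown size suffix %q", last)
		}
	}
	n, err := strconv.ParseInt(s, 10, 64)
	if err != nil || n < 0 {
		return 0, fmt.Errorf("invalid size %q", s)
	}
	if n > math.MaxInt64/mult {
		return 0, fmt.Errorf("size %q overflows", s)
	}
	return n * mult, nil
}

// sizeOption extracts and parses the size= entry of a comma-separated option string.
func sizeOption(opts string) (size int64, found bool, err error) {
	for _, kv := range strings.Split(opts, ",") {
		if v, ok := strings.CutPrefix(kv, "size="); ok {
			size, err = ParseSize(v)
			return size, true, err
		}
	}
	return 0, false, nil
}

// BuildTmpfsMap lays per-sandbox overrides over the server defaults (an override
// replaces a default path's options entirely) and returns the map Docker expects
// in HostConfig.Tmpfs. Every mount ends up with an explicit size no larger than
// MaxTmpfsSizeBytes; size=0 is refused because it disables the limit.
func BuildTmpfsMap(storage *StorageConfig, defaults []TmpfsDefault) (map[string]string, error) {
	out := make(map[string]string, len(defaults))
	for _, d := range defaults {
		out[d.Path] = d.Options
	}
	if storage != nil {
		for p, o := range storage.Tmpfs {
			out[p] = o
		}
	}
	for p, o := range out {
		size, found, err := sizeOption(o)
		if err != nil {
			return nil, fmt.Errorf("tmpfs %s: %w", p, err)
		}
		switch {
		case !found: // assigning to an existing key while ranging is safe in Go
			sizeOpt := fmt.Sprintf("size=%d", MaxTmpfsSizeBytes)
			if o == "" {
				out[p] = sizeOpt
			} else {
				out[p] = o + "," + sizeOpt
			}
		case size == 0:
			return nil, fmt.Errorf("tmpfs %s: size=0 would remove the limit", p)
		case size > MaxTmpfsSizeBytes:
			return nil, fmt.Errorf("tmpfs %s: %d bytes exceeds the %d byte limit", p, size, MaxTmpfsSizeBytes)
		}
	}
	return out, nil
}

func main() {
	// Constructed input: one server default, one override and one new mount.
	m, err := BuildTmpfsMap(
		&StorageConfig{Tmpfs: map[string]string{"/tmp": "size=128m", "/scratch": "nosuid"}},
		[]TmpfsDefault{{Path: "/tmp", Options: "size=64m,noexec"}})
	fmt.Println(m, err)
}
```

Percent sizes ("size=50%") are rejected on purpose: a relative size is a share of host RAM, which the cap cannot reason about.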
func FUSEContainerRequirements
func FUSEContainerRequirements() (capAdd []string, devices []string)
FUSEContainerRequirements returns the additional capabilities and devices a container needs for FUSE mount support.
func NamespacedVolumeName
func NamespacedVolumeName(name string) string
NamespacedVolumeName returns the Docker volume name with the den- prefix (VolumePrefix) prepended.
func ParseSize
func ParseSize(s string) (int64, error)
func SetupFUSEInContainer
func SetupFUSEInContainer(ctx context.Context, rt runtime.Runtime, sandboxID string, fuseCfg *FUSEConfig, logger *slog.Logger) error
SetupFUSEInContainer executes an s3fs or goofys mount inside a running container. The container must have been started with the CAP_SYS_ADMIN capability and access to the /dev/fuse device (the set returned by FUSEContainerRequirements); the mount fails otherwise. CAP_SYS_ADMIN is a very broad capability (it covers mount(2) and many other privileged operations), so granting it noticeably weakens the sandbox boundary: add it only to containers that actually need a FUSE mount. Keep the AccessKey and SecretKey from FUSEConfig out of the mount command's argv as well, since /proc/<pid>/cmdline is readable by every process in the container's PID namespace.
func ValidateTmpfsOptions
func ValidateTmpfsOptions(opts string) error
ValidateTmpfsOptions checks that every tmpfs option is in the allowed set; any option outside it is rejected.
func ValidateVolumeMountPath
func ValidateVolumeMountPath(path string) error
ValidateVolumeMountPath checks that a volume mount path is safe to use inside a sandbox container.
func ValidateVolumeName
func ValidateVolumeName(name string) error
ValidateVolumeName checks that a volume name is safe to pass to Docker.
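An added example of the three validators and the namespacing helper (ValidateVolumeName, ValidateVolumeMountPath, ValidateTmpfsOptions and NamespacedVolumeName), written for this page and not taken from the storage package. Because the page does not spell out its allowed sets, the rules here are this example's own: Docker's volume-name character set plus a 64-character cap, a canonical absolute mount path that is never at or below /, /proc, /sys or /dev, and a tmpfs option allowlist that leaves out the loosening options exec, suid and dev. Bounds on the size= value are left to ParseSize/BuildTmpfsMap.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strconv"
	"strings"
)

// VolumePrefix mirrors the package constant used to namespace Docker volumes.
const VolumePrefix = "den-"

// volumeNameRE is the character set Docker accepts for volume names:
// an alphanumeric first character, then alphanumerics, '_', '.' and '-'.
var volumeNameRE = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9_.-]*$`)

// ValidateVolumeName rejects names Docker would refuse and names that look
// like flags or paths ("-v", "../x", "a/b"). The 64-byte cap is this example's.
func ValidateVolumeName(name string) error {
	if name == "" || len(name) > 64 {
		return fmt.Errorf("volume name must be 1-64 characters")
	}
	if !volumeNameRE.MatchString(name) {
		return fmt.Errorf("volume name %q: must start alphanumeric and use only [a-zA-Z0-9_.-]", name)
	}
	return nil
}

// NamespacedVolumeName always prepends VolumePrefix, even to a name that already
// carries it: "den-x" becomes "den-den-x", so no sandbox-chosen name can collide
// with another sandbox's "x" (which maps to "den-x").
func NamespacedVolumeName(name string) string {
	return VolumePrefix + name
}

// blockedMountPaths: container paths this example never lets a volume cover.
var blockedMountPaths = []string{"/", "/proc", "/sys", "/dev"}

// ValidateVolumeMountPath requires a NUL-free, absolute, already-canonical path
// (path.Clean must be a no-op: no "..", "." or doubled/trailing slashes) that
// is not at or below a blocked path.
func ValidateVolumeMountPath(p string) error {
	if strings.IndexByte(p, 0) >= 0 {
		return fmt.Errorf("mount path contains a NUL byte")
	}
	if !strings.HasPrefix(p, "/") {
		return fmt.Errorf("mount path %q is not absolute", p)
	}
	if path.Clean(p) != p {
		return fmt.Errorf("mount path %q is not canonical", p)
	}
	for _, b := range blockedMountPaths {
		if p == b || (b != "/" && strings.HasPrefix(p, b+"/")) {
			return fmt.Errorf("mount path %q is at or below protected path %q", p, b)
		}
	}
	return nil
}

// allowedTmpfsOptions is the allowlist; exec, suid and dev are deliberately
// absent, so a request for them fails closed.
var allowedTmpfsOptions = map[string]bool{
	"size": true, "mode": true, "uid": true, "gid": true, "nr_inodes": true,
	"noexec": true, "nosuid": true, "nodev": true, "ro": true,
}

// ValidateTmpfsOptions checks each comma-separated option against the
// allowlist and validates the shape of the values that take one.
func ValidateTmpfsOptions(opts string) error {
	if opts == "" {
		return nil
	}
	for _, kv := range strings.Split(opts, ",") {
		key, val, hasVal := strings.Cut(kv, "=")
		if !allowedTmpfsOptions[key] {
			return fmt.Errorf("tmpfs option %q is not allowed", key)
		}
		switch key {
		case "mode": // octal, at most 7777
			if m, err := strconv.ParseUint(val, 8, 32); err != nil || m > 0o7777 {
				return fmt.Errorf("tmpfs mode %q is not an octal mode <= 7777", val)
			}
		case "uid", "gid", "nr_inodes": // non-negative integers
			if _, err := strconv.ParseUint(val, 10, 32); err != nil {
				return fmt.Errorf("tmpfs option %s=%q is not a non-negative integer", key, val)
			}
		case "size":
			if val == "" {
				return fmt.Errorf("tmpfs size requires a value")
			}
		default: // flag options take no value
			if hasVal {
				return fmt.Errorf("tmpfs option %q takes no value", key)
			}
		}
	}
	return nil
}

func main() {
	for _, p := range []string{"/workspace", "/workspace/../etc", "/proc/sys", "/"} {
		fmt.Println(p, ValidateVolumeMountPath(p))
	}
	fmt.Println(NamespacedVolumeName("data"), ValidateTmpfsOptions("size=64m,noexec,mode=1777,exec"))
}
```

Whitespace inside the option string ("size=64m, noexec") is rejected as an unknown option on purpose; normalizing user input before validating it is how allowlists get bypassed.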
Types
type FUSEConfig
type FUSEConfig struct {
Endpoint string
Bucket string
Region string
AccessKey string
SecretKey string
MountPath string
}
FUSEConfig holds configuration for setting up an S3 FUSE mount inside a container.
func PrepareFUSEMount
func PrepareFUSEMount(s3Cfg *runtime.S3SyncConfig) (*FUSEConfig, error)
PrepareFUSEMount derives the FUSEConfig for a sandbox (endpoint, bucket, region, credentials and mount path) from its S3 sync configuration. It does not touch the container itself: the caller is responsible for creating the container with the capabilities and devices from FUSEContainerRequirements and then passing the returned config to SetupFUSEInContainer.
type S3Client
type S3Client struct {
// contains filtered or unexported fields
}
S3Client wraps the AWS S3 client with den-specific operations.
func NewS3Client
NewS3Client creates a new S3Client from resolved credentials.
type S3Credentials
type S3Credentials struct {
Endpoint string
Bucket string
Prefix string
Region string
AccessKey string
SecretKey string
}
S3Credentials holds the resolved credentials for an S3 operation.
func ResolveS3Credentials
func ResolveS3Credentials(sandbox *runtime.S3SyncConfig, server serverconfig.S3Config) (*S3Credentials, error)
ResolveS3Credentials resolves credentials from per-sandbox config falling back to server-wide defaults.
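The per-sandbox-then-server fallback described above, as an added example (not the package's own code) with stand-in types S3SyncConfig and S3Config for runtime.S3SyncConfig and serverconfig.S3Config. Two rules are this example's additions to the plain fallback: a sandbox must supply its access key and secret key together or not at all (never a sandbox access key paired with the server's secret), and a sandbox that falls back to the server's key pair cannot point it at an endpoint of its own choosing. It also gives S3Credentials a slog.LogValuer so the secret never reaches a log line, which matters because these values flow on into FUSEConfig and a logger.

```go
package main

import (
	"bytes"
	"fmt"
	"log/slog"
)

// S3SyncConfig is a hypothetical stand-in for runtime.S3SyncConfig: what one
// sandbox asked for. Every field is optional.
type S3SyncConfig struct {
	Endpoint, Bucket, Prefix, Region, AccessKey, SecretKey string
}

// S3Config is a hypothetical stand-in for serverconfig.S3Config: the operator's defaults.
type S3Config struct {
	Endpoint, Bucket, Region, AccessKey, SecretKey string
}

// S3Credentials mirrors the package type: the fully resolved parameters for one operation.
type S3Credentials struct {
	Endpoint, Bucket, Prefix, Region, AccessKey, SecretKey string
}

// LogValue makes slog print the credentials without the secret, so a debug
// line such as "resolved credentials" can never leak the key into log storage.
func (c *S3Credentials) LogValue() slog.Value {
	return slog.GroupValue(
		slog.String("endpoint", c.Endpoint),
		slog.String("bucket", c.Bucket),
		slog.String("prefix", c.Prefix),
		slog.String("region", c.Region),
		slog.String("access_key", c.AccessKey),
		slog.String("secret_key", "[REDACTED]"),
	)
}

func pick(override, fallback string) string {
	if override != "" {
		return override
	}
	return fallback
}

// ResolveS3Credentials applies per-sandbox values over the server defaults
// field by field. Beyond plain fallback it enforces two rules (this example's
// own): a key pair is supplied whole or not at all, and the server's key pair
// is only ever used against the server's endpoint.
func ResolveS3Credentials(sandbox *S3SyncConfig, server S3Config) (*S3Credentials, error) {
	if sandbox == nil {
		sandbox = &S3SyncConfig{}
	}
	if (sandbox.AccessKey == "") != (sandbox.SecretKey == "") {
		return nil, fmt.Errorf("per-sandbox S3 credentials must set both access key and secret key")
	}
	usingServerKeys := sandbox.AccessKey == ""
	if usingServerKeys && sandbox.Endpoint != "" && sandbox.Endpoint != server.Endpoint {
		return nil, fmt.Errorf("server S3 credentials may only be used with the server endpoint")
	}
	c := &S3Credentials{
		Endpoint:  pick(sandbox.Endpoint, server.Endpoint),
		Bucket:    pick(sandbox.Bucket, server.Bucket),
		Prefix:    sandbox.Prefix, // a prefix is always per-sandbox; the server has none
		Region:    pick(sandbox.Region, server.Region),
		AccessKey: pick(sandbox.AccessKey, server.AccessKey),
		SecretKey: pick(sandbox.SecretKey, server.SecretKey),
	}
	if c.Bucket == "" || c.Region == "" || c.AccessKey == "" || c.SecretKey == "" {
		return nil, fmt.Errorf("S3 configuration incomplete: bucket, region and credentials are required")
	}
	return c, nil
}

// logLine renders the line a caller logging the resolved credentials would emit.
func logLine(c *S3Credentials) string {
	var buf bytes.Buffer
	slog.New(slog.NewTextHandler(&buf, nil)).Info("resolved S3 credentials", slog.Any("creds", c))
	return buf.String()
}

func main() {
	// Constructed input: operator defaults plus a sandbox that only picks its bucket and prefix.
	server := S3Config{Endpoint: "https://s3.example.test", Bucket: "shared", Region: "us-east-1",
		AccessKey: "AKIASERVEREXAMPLE", SecretKey: "server-secret-example"}
	c, err := ResolveS3Credentials(&S3SyncConfig{Bucket: "sandbox-42", Prefix: "sb-42/"}, server)
	fmt.Println(err)
	fmt.Print(logLine(c))
}
```

The LogValuer is defined on the pointer receiver, so it only takes effect when the pointer is logged; logging a dereferenced copy would print the secret, which is worth a lint or a test in a real code base.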