containerdx

func GetIPCNamespace ¶

func GetIPCNamespace(pid uint32) string

GetIPCNamespace returns the ipc namespace of a process.

func GetNetworkNamespace ¶

func GetNetworkNamespace(pid uint32) string

GetNetworkNamespace returns the network namespace of a process.

func GetPIDNamespace ¶

func GetPIDNamespace(pid uint32) string

GetPIDNamespace returns the pid namespace of a process.

func GetUTSNamespace ¶

func GetUTSNamespace(pid uint32) string

GetUTSNamespace returns the uts namespace of a process.

func IsCgroup2UnifiedMode ¶

func IsCgroup2UnifiedMode() bool

IsCgroup2UnifiedMode returns whether we are running in cgroup v2 unified mode.

func NormalizeImageReference ¶

func NormalizeImageReference(image string) string

NormalizeImageReference converts short image references to fully qualified names. Examples:

• "postgres:15" -> "docker.io/library/postgres:15"
• "myuser/myimage:tag" -> "docker.io/myuser/myimage:tag"
• "gcr.io/project/image:tag" -> "gcr.io/project/image:tag" (unchanged)
• "localhost:5000/image:tag" -> "localhost:5000/image:tag" (unchanged)

func WithAdditionalGIDs ¶

func WithAdditionalGIDs(userstr string) oci.SpecOpts

WithAdditionalGIDs adds any additional groups listed for a particular user in the /etc/groups file of the image's root filesystem to the OCI spec's additionalGids array.

func WithAnnotation ¶

func WithAnnotation(k, v string) oci.SpecOpts

WithAnnotation sets the provided annotation

func WithDefaultSandboxShares ¶

func WithDefaultSandboxShares(ctx context.Context, client oci.Client, c *containers.Container, s *runtimespec.Spec) error

WithDefaultSandboxShares sets the default sandbox CPU shares

func WithDisabledCgroups ¶

func WithDisabledCgroups(_ context.Context, _ oci.Client, c *containers.Container, s *runtimespec.Spec) error

WithDisabledCgroups clears the Cgroups Path from the spec

func WithOOMScoreAdj ¶

func WithOOMScoreAdj(adj int, restrict bool) oci.SpecOpts

WithOOMScoreAdj sets the oom score

func WithPodNamespaces ¶

func WithPodNamespaces(sandboxPid uint32, targetPid uint32) oci.SpecOpts

WithPodNamespaces sets the pod namespaces for the container

func WithPodOOMScoreAdj ¶

func WithPodOOMScoreAdj(adj int, restrict bool) oci.SpecOpts

WithPodOOMScoreAdj sets the oom score for the pod sandbox

func WithRelativeRoot ¶

func WithRelativeRoot(root string) oci.SpecOpts

WithRelativeRoot sets the root for the container

func WithRlimitNOFILE ¶ added in v0.5.0

func WithRlimitNOFILE(n uint64) oci.SpecOpts

WithRlimitNOFILE sets the RLIMIT_NOFILE (max open files) for the container process. Uses upsert semantics to avoid duplicate entries, which violate the OCI spec.

func WithSelinuxLabels ¶

func WithSelinuxLabels(process, mount string) oci.SpecOpts

WithSelinuxLabels sets the mount and process labels

func WithSupplementalGroups ¶

func WithSupplementalGroups(groups []int64) oci.SpecOpts

WithSupplementalGroups sets the supplemental groups for the process

func WithSysctls ¶

func WithSysctls(sysctls map[string]string) oci.SpecOpts

WithSysctls sets the provided sysctls onto the spec

func WithoutAmbientCaps ¶

func WithoutAmbientCaps(_ context.Context, _ oci.Client, c *containers.Container, s *runtimespec.Spec) error

WithoutAmbientCaps removes the ambient caps from the spec

func WithoutDefaultSecuritySettings ¶

func WithoutDefaultSecuritySettings(_ context.Context, _ oci.Client, c *containers.Container, s *runtimespec.Spec) error

WithoutDefaultSecuritySettings removes the default security settings generated on a spec

func WithoutNamespace ¶

func WithoutNamespace(t runtimespec.LinuxNamespaceType) oci.SpecOpts

WithoutNamespace removes the provided namespace

func WithoutRoot ¶

func WithoutRoot(ctx context.Context, client oci.Client, c *containers.Container, s *runtimespec.Spec) error

WithoutRoot sets the root to nil for the container.