Documentation
¶
Overview ¶
Package registry tracks the network namespaces that npte manages.
A netns is "managed by npte" when an empty marker file exists at /run/npte/netns/<name>. Markers are created at the end of `netns create` and removed at the end of `netns destroy`. Every other verb that touches a named netns calls RequireManaged before doing anything, so the privileged surface exposed via the NOPASSWD sudoers grant is bounded to the namespaces npte itself created.
Concurrency: every state-touching verb takes the global lock via Lock at the top of its run, after shape validators and before any kernel or marker operation. The lock serializes all npte invocations so that "kernel op then marker op" is observable as atomic to other npte processes.
Index ¶
- Variables
- func List(env *testable.Environ) ([]string, error)
- func Lock(ctx context.Context, env *testable.Environ, dryRun bool) (func(), error)
- func MustLock(ctx context.Context, env *testable.Environ, dryRun bool) func()
- func MustRegister(ctx context.Context, dryRun bool, name string)
- func MustUnregister(ctx context.Context, dryRun bool, name string)
- func Register(ctx context.Context, dryRun bool, name string) error
- func RequireManaged(env *testable.Environ, dryRun bool, name string) error
- func Unregister(ctx context.Context, dryRun bool, name string) error
Constants ¶
This section is empty.
Variables ¶
var ErrNotManaged = errors.New("namespace not managed by npte")
ErrNotManaged is the sentinel returned by RequireManaged when a name has no marker. Callers can match it with errors.Is.
Functions ¶
func List ¶
List returns the sorted names of all regular-file markers under /run/npte/netns/ whose name passes validate.NetnsName. If the directory does not yet exist (no netns has ever been registered on this host), List returns an empty slice and no error. Non-regular entries (directories, symlinks) and entries with malformed names are silently skipped; the latter would otherwise flow into downstream registry calls and trip [markerPath]'s panic guard.
Callers MUST hold the global lock (see Lock).
func Lock ¶
Lock acquires the global npte state lock and ensures /run/npte/netns/ exists with mode 0755. Callers MUST defer the returned unlock function.
In dry-run mode, the install command is printed to env.Stdout and the kernel lock is not taken (dry-run is a side-effect-free preview and does not need to be serialized against concurrent npte invocations). The returned unlock function is a no-op in that case.
func MustLock ¶
MustLock is like Lock but logs and exits on failure. Returns the unlock function, which the caller MUST defer.
func MustRegister ¶
MustRegister is like Register but logs and exits on failure.
func MustUnregister ¶
MustUnregister is like Unregister but logs and exits on failure.
func Register ¶
Register creates the marker for name. With dryRun=true, the equivalent shell command is printed on env.Stdout instead of being executed.
The directory /run/npte/netns/ is created by Lock; Register only writes the marker file. Callers MUST validate name (e.g. via validate.NetnsName) and hold the global lock before calling.
func RequireManaged ¶
RequireManaged enforces the ownership predicate for name.
In live mode it returns nil if a regular-file marker exists for name, ErrNotManaged (wrapped with the name) if no marker is present, or another error if the marker path resolves to something other than a regular file (which should never arise in practice and is worth surfacing rather than silently treating as "not managed").
In dry-run mode it does NOT Stat the filesystem: a dry-run after a dry-run `netns create` would otherwise spuriously fail because no real marker was written. Instead it emits a POSIX shell guard on env.Stdout — `test -f "<marker>" || { echo ... >&2; exit 2; }` — so the rendered script is paste-into-shell faithful: when run as one piece it succeeds (the prior `netns create` lines write the marker), and when run against a topology that does not exist it fails at the same point a live invocation would.
Callers MUST validate name (e.g. via validate.NetnsName) and hold the global lock (see Lock) before calling.
func Unregister ¶
Unregister removes the marker for name. With dryRun=true, the equivalent shell command is printed on env.Stdout instead of being executed.
Callers MUST validate name (e.g. via validate.NetnsName) and hold the global lock (see Lock) before calling.
Types ¶
This section is empty.
Source Files