Constants ¶
// Log level names. These are presumably the values accepted for
// LagerFlag.LogLevel — confirm against that field's struct tag, which is
// elided on this page.
const (
	LogLevelDebug = "debug"
	LogLevelInfo  = "info"
	LogLevelError = "error"
	LogLevelFatal = "fatal"
)
Variables ¶
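// NonRootMaxCaps is the maximum capability set a non-root container user
// gets, whether the container is privileged or unprivileged: the
// unprivileged set plus CAP_SYS_ADMIN.
//
// The unprivileged list is copied before appending so the two allow-lists
// never share a backing array. A plain append(UnprivilegedMaxCaps, ...)
// would write into UnprivilegedMaxCaps' own storage if that slice ever had
// spare capacity, silently widening the unprivileged set.
var NonRootMaxCaps = append(append([]string(nil), UnprivilegedMaxCaps...), "CAP_SYS_ADMIN")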
These are the maximum capabilities a non-root user gets, whether the container is privileged or unprivileged. In other words, in a privileged container a non-root user still only gets the unprivileged set plus CAP_SYS_ADMIN.
// PrivilegedContainerNamespaces lists the namespaces a privileged
// container is created in: network, PID, UTS, IPC and mount.
//
// NOTE(review): the user namespace is not in this list, so as far as this
// declaration shows, UIDs inside a privileged container are not remapped;
// combined with PrivilegedMaxCaps, root in such a container should be
// treated as root on the host. Confirm against the code that consumes it.
var PrivilegedContainerNamespaces = []specs.LinuxNamespace{
	goci.NetworkNamespace,
	goci.PIDNamespace,
	goci.UTSNamespace,
	goci.IPCNamespace,
	goci.MountNamespace,
}
// PrivilegedMaxCaps is the maximum capability set a privileged container
// process ever gets (a non-root user gets less, see NonRootMaxCaps).
//
// The list includes CAP_SYS_ADMIN, CAP_SYS_MODULE, CAP_SYS_PTRACE and
// CAP_SYS_RAWIO, so a process holding the full set is effectively
// unconfined with respect to the host kernel. A privileged container is a
// trust decision about the workload, not an isolation boundary.
var PrivilegedMaxCaps = []string{
	"CAP_AUDIT_CONTROL",
	"CAP_AUDIT_READ",
	"CAP_AUDIT_WRITE",
	"CAP_BLOCK_SUSPEND",
	"CAP_CHOWN",
	"CAP_DAC_OVERRIDE",
	"CAP_DAC_READ_SEARCH",
	"CAP_FOWNER",
	"CAP_FSETID",
	"CAP_IPC_LOCK",
	"CAP_IPC_OWNER",
	"CAP_KILL",
	"CAP_LEASE",
	"CAP_LINUX_IMMUTABLE",
	"CAP_MAC_ADMIN",
	"CAP_MAC_OVERRIDE",
	"CAP_MKNOD",
	"CAP_NET_ADMIN",
	"CAP_NET_BIND_SERVICE",
	"CAP_NET_BROADCAST",
	"CAP_NET_RAW",
	"CAP_SETGID",
	"CAP_SETFCAP",
	"CAP_SETPCAP",
	"CAP_SETUID",
	"CAP_SYS_ADMIN",
	"CAP_SYS_BOOT",
	"CAP_SYS_CHROOT",
	"CAP_SYS_MODULE",
	"CAP_SYS_NICE",
	"CAP_SYS_PACCT",
	"CAP_SYS_PTRACE",
	"CAP_SYS_RAWIO",
	"CAP_SYS_RESOURCE",
	"CAP_SYS_TIME",
	"CAP_SYS_TTY_CONFIG",
	"CAP_SYSLOG",
	"CAP_WAKE_ALARM",
}
These are the maximum caps a privileged container process ever gets (it may get less if the user is not root; see NonRootMaxCaps).
// UnprivilegedMaxCaps is the maximum capability set an unprivileged
// container process ever gets. NonRootMaxCaps is built from this list
// plus CAP_SYS_ADMIN.
//
// NOTE(review): the original comment says a non-root user "may get less",
// but NonRootMaxCaps is a superset of this list — confirm which statement
// reflects the intended policy.
var UnprivilegedMaxCaps = []string{
	"CAP_CHOWN",
	"CAP_DAC_OVERRIDE",
	"CAP_FSETID",
	"CAP_FOWNER",
	"CAP_MKNOD",
	"CAP_NET_RAW",
	"CAP_SETGID",
	"CAP_SETUID",
	"CAP_SETFCAP",
	"CAP_SETPCAP",
	"CAP_NET_BIND_SERVICE",
	"CAP_SYS_CHROOT",
	"CAP_KILL",
	"CAP_AUDIT_WRITE",
}
These are the maximum caps an unprivileged container process ever gets (it may get less if the user is not root; see NonRootMaxCaps).
Functions ¶
This section is empty.
Types ¶
type CIDRFlag ¶
type CIDRFlag struct {
// contains filtered or unexported fields
}
func (*CIDRFlag) UnmarshalFlag ¶
type GdnCommand ¶
// GdnCommand is the root command. Its "setup" and "server" subcommands are
// selected by the command struct tags and map to SetupCommand and
// ServerCommand respectively.
type GdnCommand struct {
	SetupCommand  *SetupCommand  `command:"setup"`
	ServerCommand *ServerCommand `command:"server"`
}
type IPFlag ¶
func (*IPFlag) UnmarshalFlag ¶
type LagerFlag ¶
type LagerFlag struct {
LogLevel string `` /* 134-byte string literal not displayed */
}
type ServerCommand ¶
type ServerCommand struct { Logger LagerFlag Server struct { BindIP IPFlag `long:"bind-ip" description:"Bind with TCP on the given IP."` BindPort uint16 `long:"bind-port" description:"Bind with TCP on the given port."` BindSocket string `long:"bind-socket" default:"/tmp/garden.sock" description:"Bind with Unix on the given socket path."` DebugBindIP IPFlag `long:"debug-bind-ip" description:"Bind the debug server on the given IP."` DebugBindPort uint16 `long:"debug-bind-port" default:"17013" description:"Bind the debug server to the given port."` Tag string `hidden:"true" long:"tag" description:"Optional 2-character identifier used for namespacing global configuration."` SkipSetup bool `long:"skip-setup" description:"Skip the preparation part of the host that requires root privileges"` } `group:"Server Configuration"` Containers struct { Dir string `long:"depot" default:"/var/run/gdn/depot" description:"Directory in which to store container data."` PropertiesPath string `long:"properties-path" description:"Path in which to store properties."` ConsoleSocketsPath string `long:"console-sockets-path" description:"Path in which to store temporary sockets"` DefaultRootFS string `long:"default-rootfs" description:"Default rootfs to use when not specified on container creation."` DefaultGraceTime time.Duration `long:"default-grace-time" description:"Default time after which idle containers should expire."` DestroyContainersOnStartup bool `long:"destroy-containers-on-startup" description:"Clean up all the existing containers on startup."` ApparmorProfile string `long:"apparmor" description:"Apparmor profile to use for unprivileged container processes"` } `group:"Container Lifecycle"` Bin struct { AssetsDir string `long:"assets-dir" default:"/var/gdn/assets" description:"Directory in which to extract packaged assets"` Dadoo FileFlag `long:"dadoo-bin" description:"Path to the 'dadoo' binary."` NSTar FileFlag `long:"nstar-bin" description:"Path to the 'nstar' binary."` Tar 
FileFlag `long:"tar-bin" description:"Path to the 'tar' binary."` IPTables FileFlag `long:"iptables-bin" default:"/sbin/iptables" description:"path to the iptables binary"` IPTablesRestore FileFlag `long:"iptables-restore-bin" default:"/sbin/iptables-restore" description:"path to the iptables-restore binary"` Init FileFlag `long:"init-bin" description:"Path execute as pid 1 inside each container."` Runc string `long:"runc-bin" default:"runc" description:"Path to the 'runc' binary."` } `group:"Binary Tools"` Graph struct { Dir string `` /* 138-byte string literal not displayed */ CleanupThresholdInMegabytes int `` /* 163-byte string literal not displayed */ PersistentImages []string `long:"persistent-image" description:"Image that should never be garbage collected. Can be specified multiple times."` } `group:"Image Graph"` Image struct { Plugin FileFlag `long:"image-plugin" description:"Path to image plugin binary."` PluginExtraArgs []string `` /* 150-byte string literal not displayed */ PrivilegedPlugin FileFlag `long:"privileged-image-plugin" description:"Path to privileged image plugin binary."` PrivilegedPluginExtraArgs []string `` /* 159-byte string literal not displayed */ } `group:"Image"` Docker struct { Registry string `long:"docker-registry" default:"registry-1.docker.io" description:"Docker registry API endpoint."` InsecureRegistries []string `` /* 137-byte string literal not displayed */ } `group:"Docker Image Fetching"` Network struct { Pool CIDRFlag `long:"network-pool" default:"10.254.0.0/22" description:"Network range to use for dynamically allocated container subnets."` AllowHostAccess bool `long:"allow-host-access" description:"Allow network access to the host machine."` DenyNetworks []CIDRFlag `` /* 135-byte string literal not displayed */ AllowNetworks []CIDRFlag `` /* 136-byte string literal not displayed */ DNSServers []IPFlag `` /* 138-byte string literal not displayed */ ExternalIP IPFlag `` /* 136-byte string literal not displayed */ 
PortPoolStart uint32 `long:"port-pool-start" default:"60000" description:"Start of the ephemeral port range used for mapped container ports."` PortPoolSize uint32 `long:"port-pool-size" default:"5000" description:"Size of the port pool used for mapped container ports."` PortPoolPropertiesPath string `long:"port-pool-properties-path" description:"Path in which to store port pool properties."` Mtu int `long:"mtu" default:"1500" description:"MTU size for container network interfaces."` Plugin FileFlag `long:"network-plugin" description:"Path to network plugin binary."` PluginExtraArgs []string `long:"network-plugin-extra-arg" description:"Extra argument to pass to the network plugin. Can be specified multiple times."` } `group:"Container Networking"` Limits struct { CpuQuotaPerShare uint64 `` /* 146-byte string literal not displayed */ MaxContainers uint64 `long:"max-containers" default:"0" description:"Maximum number of containers that can be created."` } `group:"Limits"` Metrics struct { EmissionInterval time.Duration `long:"metrics-emission-interval" default:"1m" description:"Interval on which to emit metrics."` DropsondeOrigin string `long:"dropsonde-origin" default:"garden-linux" description:"Origin identifier for Dropsonde-emitted metrics."` DropsondeDestination string `long:"dropsonde-destination" default:"127.0.0.1:3457" description:"Destination for Dropsonde-emitted metrics."` } `group:"Metrics"` }
func (*ServerCommand) Execute ¶
func (cmd *ServerCommand) Execute([]string) error
type SetupCommand ¶
type SetupCommand struct { LogLevel LagerFlag Logger lager.Logger Tag string `hidden:"true" long:"tag" description:"Optional 2-character identifier used for namespacing global configuration."` Network struct { IPTables FileFlag `long:"iptables-bin" default:"/sbin/iptables" description:"path to the iptables binary"` AllowHostAccess bool `long:"allow-host-access" description:"Allow network access to the host machine."` DenyNetworks []CIDRFlag `` /* 135-byte string literal not displayed */ ResetIPTablesRules bool `` /* 143-byte string literal not displayed */ } }
func (*SetupCommand) Execute ¶
func (cmd *SetupCommand) Execute(args []string) error