Documentation
Overview
Package security provides Linux security primitives for the sandbox runtime. These include seccomp profiles, cgroup resource limits, and capability management.
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
func BuildResources
func BuildResources(lim ResourceLimitsConfig) container.Resources
BuildResources converts a ResourceLimitsConfig into the Docker container.Resources struct (package github.com/docker/docker/api/types/container) that is embedded in container.HostConfig.
func DefaultProfileJSON
DefaultProfileJSON serialises the built-in seccomp profile to JSON.
The result is suitable for passing inline to the Docker Engine API as a HostConfig.SecurityOpt entry of the form seccomp=<inline-json>, or for writing to a file that is then given to the CLI as --security-opt seccomp=<path>.
func LoadOrDefault
LoadOrDefault returns the raw JSON of a seccomp profile.
If profilePath is non-empty the file's contents are returned as-is; otherwise DefaultProfileJSON is returned.
func ParseMemoryBytes
ParseMemoryBytes converts a human-readable memory string to bytes. Supported suffixes: B, KB, MB, GB, TB (case-insensitive). Returns 0 (no limit) when s is empty or "0".
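The page states the accepted format but not the parsing rules at the edges. The following is an added example of a parser for that format, not the package's own ParseMemoryBytes: it accepts the documented suffixes case-insensitively, treats empty and "0" as no limit, and rejects negatives, fractions, unknown units and values that overflow int64 rather than silently producing a wrong limit. Binary (1024-based) units are an assumption; the page does not say whether KB means 1000 or 1024 bytes.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strconv"
	"strings"
)

// memUnits maps the accepted suffixes to multipliers. Binary units are an
// assumption for this example; a bare number is taken as bytes.
var memUnits = map[string]int64{
	"":   1,
	"B":  1,
	"KB": 1 << 10,
	"MB": 1 << 20,
	"GB": 1 << 30,
	"TB": 1 << 40,
}

// parseMemoryBytes converts strings such as "512MB", "2gb" or "1073741824" to
// bytes. Empty and "0" mean no limit and return 0. Anything that cannot be
// parsed exactly is an error: a mis-parsed memory limit is a missing limit.
func parseMemoryBytes(s string) (int64, error) {
	s = strings.TrimSpace(s)
	if s == "" || s == "0" {
		return 0, nil
	}
	// The numeric part is a run of leading digits; whatever follows is the unit.
	// A leading sign or decimal point therefore never reaches ParseInt.
	i := 0
	for i < len(s) && s[i] >= '0' && s[i] <= '9' {
		i++
	}
	if i == 0 {
		return 0, fmt.Errorf("memory %q: must start with a digit", s)
	}
	num, unit := s[:i], strings.ToUpper(strings.TrimSpace(s[i:]))
	n, err := strconv.ParseInt(num, 10, 64)
	if err != nil {
		return 0, fmt.Errorf("memory %q: %w", s, err)
	}
	mult, ok := memUnits[unit]
	if !ok {
		return 0, fmt.Errorf("memory %q: unknown unit %q (want B, KB, MB, GB or TB)", s, unit)
	}
	if n > math.MaxInt64/mult {
		return 0, errors.New("memory " + strconv.Quote(s) + ": overflows int64")
	}
	return n * mult, nil
}

func main() {
	for _, in := range []string{"", "0", "1024", "512MB", "2gb", " 1 TB ", "1.5GB", "-5MB", "10PB"} {
		n, err := parseMemoryBytes(in)
		fmt.Printf("%-8q -> %d, %v\n", in, n, err)
	}
}
```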
Types
type ResourceLimitsConfig
type ResourceLimitsConfig struct {
// MemoryBytes is the hard memory limit; 0 means no limit.
MemoryBytes int64
// CPUQuota is the CFS quota in microseconds per 100ms period; 0 means unlimited.
CPUQuota int64
// PidsLimit is the maximum number of PIDs in the container; 0 means unlimited.
PidsLimit int64
}
ResourceLimitsConfig carries the parsed cgroup parameters that BuildResources maps onto container.Resources.
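The following added example illustrates the BuildResources mapping and the field semantics documented in the struct above. It is not the package's own code: to build without the Docker module it uses a local `resources` struct as a stand-in for the handful of container.Resources fields involved (Memory, MemorySwap, CPUPeriod, CPUQuota, PidsLimit), with the same types as the real struct. The `cpusToQuota` helper and the swap handling are additions that show what the "microseconds per 100ms period" and "0 means unlimited" comments imply in practice.

```go
package main

import "fmt"

// ResourceLimitsConfig is the type documented on this page.
type ResourceLimitsConfig struct {
	MemoryBytes int64 // hard memory limit; 0 means no limit
	CPUQuota    int64 // CFS quota in microseconds per 100ms period; 0 means unlimited
	PidsLimit   int64 // maximum number of PIDs; 0 means unlimited
}

// resources is a stand-in for the relevant fields of Docker's
// container.Resources. The types matter: PidsLimit is *int64, where nil means
// "leave the daemon default in place" and a pointer to 0 means "unlimited",
// while Memory and CPUQuota are plain int64 with 0 already meaning unlimited.
type resources struct {
	Memory     int64
	MemorySwap int64
	CPUPeriod  int64
	CPUQuota   int64
	PidsLimit  *int64
}

// cfsPeriodMicros is the 100 ms CFS period the CPUQuota field is expressed against.
const cfsPeriodMicros = 100_000

// cpusToQuota turns a CPU count such as 1.5 into a CFS quota in microseconds
// per period, the same arithmetic `docker run --cpus` performs.
func cpusToQuota(cpus float64) int64 {
	if cpus <= 0 {
		return 0
	}
	return int64(cpus * cfsPeriodMicros)
}

// buildResources maps the limits onto the cgroup fields, leaving every
// unrequested limit at its zero value so the daemon default applies.
func buildResources(lim ResourceLimitsConfig) resources {
	r := resources{Memory: lim.MemoryBytes, CPUQuota: lim.CPUQuota}
	if lim.MemoryBytes > 0 {
		// With MemorySwap unset Docker grants swap equal to the memory limit,
		// so a sandbox could consume twice MemoryBytes before the OOM killer
		// acts. Setting it equal to Memory disables swap for the container.
		r.MemorySwap = lim.MemoryBytes
	}
	if lim.CPUQuota > 0 {
		// A quota is only meaningful together with the period it is measured in.
		r.CPUPeriod = cfsPeriodMicros
	}
	if lim.PidsLimit > 0 {
		pids := lim.PidsLimit
		r.PidsLimit = &pids
	}
	return r
}

func main() {
	lim := ResourceLimitsConfig{MemoryBytes: 512 << 20, CPUQuota: cpusToQuota(1.5), PidsLimit: 256}
	r := buildResources(lim)
	fmt.Printf("memory=%d swap=%d cpu=%dus/%dus pids=%d\n",
		r.Memory, r.MemorySwap, r.CPUQuota, r.CPUPeriod, *r.PidsLimit)
}
```

The PIDs limit is the one a sandbox runtime should rarely leave at zero: without it a fork bomb inside the container exhausts the host's PID space regardless of the memory and CPU limits.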