func DefaultCreateCommand

func DefaultCreateCommand(container *libcontainer.Config, console, dataPath, init string, pipe *os.File, args []string) *exec.Cmd

DefaultCreateCommand returns an exec.Cmd with the Cloneflags set to the namespaces defined in the container's configuration, using the current binary as the init with the args provided.

console: the /dev/console to set up inside the container
init: the program executed inside the namespaces
root: the path to the container json file and information
pipe: sync pipe to synchronize the parent and child processes
args: the arguments to pass to the container to run as the user's program

func EnterCgroups

func EnterCgroups(state *libcontainer.State, pid int) error

func Exec

func Exec(container *libcontainer.Config, stdin io.Reader, stdout, stderr io.Writer, console, dataPath string, args []string, createCommand CreateCommand, startCallback func()) (int, error)

TODO(vishh): This is part of the libcontainer API and it does much more than just namespaces related work. Move this to libcontainer package.

Exec performs setup outside of a namespace so that a container can be executed. Exec is a high level function for working with container namespaces.

func ExecIn

func ExecIn(container *libcontainer.Config, state *libcontainer.State, userArgs []string, initPath, action string,
	stdin io.Reader, stdout, stderr io.Writer, console string, startCallback func(*exec.Cmd)) (int, error)

ExecIn re-execs the initPath with argv 0 rewritten to "nsenter" so that it is able to run the setns code in a single-threaded environment, joining the existing container's namespaces.

func FinalizeNamespace

func FinalizeNamespace(container *libcontainer.Config) error

FinalizeNamespace drops the caps, sets the correct user and working dir, and closes any leaky file descriptors before exec'ing the command inside the namespace.

func FinalizeSetns

func FinalizeSetns(container *libcontainer.Config, args []string) error

FinalizeSetns expects that the setns calls have been set up and that it has joined an existing namespace.

func GetNamespaceFlags

func GetNamespaceFlags(namespaces libcontainer.Namespaces) (flag int)

GetNamespaceFlags parses the container's Namespaces options to set the correct flags on clone, unshare, and setns
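The flag computation described for GetNamespaceFlags, as an added example that is not libcontainer's own code: it ORs the clone(2) namespace bits for a configuration and reports which namespaces stay shared with the host. The config keys ("mount", "pid", ...) and the helper names are assumptions made for illustration; the numeric values are the Linux CLONE_NEW* constants, defined locally so the block builds on any platform.

```go
package main

import (
	"fmt"
	"sort"
)

// nsFlags maps hypothetical config keys (an assumption, not libcontainer's
// names) to the Linux clone(2) namespace flag values from <linux/sched.h>.
var nsFlags = map[string]int{
	"mount": 0x00020000, // CLONE_NEWNS
	"uts":   0x04000000, // CLONE_NEWUTS
	"ipc":   0x08000000, // CLONE_NEWIPC
	"user":  0x10000000, // CLONE_NEWUSER
	"pid":   0x20000000, // CLONE_NEWPID
	"net":   0x40000000, // CLONE_NEWNET
}

// namespaceFlags ORs together the flag of every enabled namespace. Unknown
// names are rejected so a typo cannot silently leave a namespace shared.
func namespaceFlags(enabled map[string]bool) (int, error) {
	flag := 0
	for name, on := range enabled {
		bit, ok := nsFlags[name]
		if !ok {
			return 0, fmt.Errorf("unknown namespace %q", name)
		}
		if on {
			flag |= bit
		}
	}
	return flag, nil
}

// sharedWithHost lists, sorted, the namespaces a flag set does not unshare.
func sharedWithHost(flag int) []string {
	var shared []string
	for name, bit := range nsFlags {
		if flag&bit == 0 {
			shared = append(shared, name)
		}
	}
	sort.Strings(shared)
	return shared
}

func main() {
	flag, err := namespaceFlags(map[string]bool{"mount": true, "pid": true, "net": false})
	fmt.Printf("flags=%#x err=%v shared=%v\n", flag, err, sharedWithHost(flag))
}
```

Running the shared-namespace check over a container's configuration before launch shows at a glance which host resources (network stack, IPC objects, user IDs) the process will still see.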

func Init

func Init(container *libcontainer.Config, uncleanRootfs, consolePath string, pipe *os.File, args []string) (err error)

TODO(vishh): This is part of the libcontainer API and it does much more than just namespaces related work. Move this to libcontainer package.

Init is the init process that first runs inside a new namespace to set up mounts, users, networking, and other options required for the new container. The caller of Init has to ensure that the Go runtime is locked to an OS thread (using runtime.LockOSThread); otherwise system calls like setns called within Init may not work as intended.

func InitializeNetworking

func InitializeNetworking(container *libcontainer.Config, nspid int, networkState *network.NetworkState) error

InitializeNetworking creates the container's network stack outside of the namespace and moves interfaces into the container's net namespaces if necessary

func LoadContainerEnvironment

func LoadContainerEnvironment(container *libcontainer.Config) error

func RestoreParentDeathSignal

func RestoreParentDeathSignal(old int) error

RestoreParentDeathSignal sets the parent death signal to old.

func SetupCgroups

func SetupCgroups(container *libcontainer.Config, nspid int) (map[string]string, error)

SetupCgroups applies the cgroup restrictions to the process running in the container based on the container's configuration

func SetupUser

func SetupUser(u string) error

SetupUser changes the groups, gid, and uid for the user inside the container


type CreateCommand

type CreateCommand func(container *libcontainer.Config, console, dataPath, init string, childPipe *os.File, args []string) *exec.Cmd


