本文整理汇总了Golang中github.com/cloudfoundry/gunk/command_runner/linux_command_runner.New函数的典型用法代码示例。如果您正苦于以下问题:Golang New函数的具体用法?Golang New怎么用?Golang New使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了New函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Golang代码示例。
示例1: wireContainerizer
func wireContainerizer(log lager.Logger, depotPath, iodaemonPath, nstarPath, tarPath, defaultRootFSPath string) *rundmc.Containerizer {
depot := depot.New(depotPath)
startChecker := rundmc.StartChecker{Expect: "Pid 1 Running", Timeout: 3 * time.Second}
stateChecker := rundmc.StateChecker{StateFileDir: OciStateDir}
commandRunner := linux_command_runner.New()
runcrunner := runrunc.New(
process_tracker.New(path.Join(os.TempDir(), fmt.Sprintf("garden-%s", *tag), "processes"), iodaemonPath, commandRunner),
commandRunner,
wireUidGenerator(),
goci.RuncBinary("runc"),
&goci.BndlLoader{},
runrunc.LookupFunc(runrunc.LookupUser),
)
baseBundle := goci.Bundle().
WithNamespaces(PrivilegedContainerNamespaces...).
WithResources(&specs.Resources{}).
WithMounts(
goci.Mount{Name: "proc", Type: "proc", Source: "proc", Destination: "/proc"},
goci.Mount{Name: "tmp", Type: "tmpfs", Source: "tmpfs", Destination: "/tmp"},
).WithRootFS(defaultRootFSPath).
WithProcess(goci.Process("/bin/sh", "-c", `echo "Pid 1 Running"; read x`)).
WithDevices(specs.Device{Path: "/dev/null", Type: 'c', Major: 1, Minor: 3, UID: 0, GID: 0, Permissions: "rwm", FileMode: 0666})
nstar := rundmc.NewNstarRunner(nstarPath, tarPath, linux_command_runner.New())
return rundmc.New(depot, &rundmc.BundleTemplate{Bndl: baseBundle}, runcrunner, startChecker, stateChecker, nstar)
}
示例2: wireNetworker
func (cmd *GuardianCommand) wireNetworker(log lager.Logger, propManager kawasaki.ConfigStore, portPool *ports.PortPool) (gardener.Networker, gardener.Starter, error) {
externalIP, err := defaultExternalIP(cmd.Network.ExternalIP)
if err != nil {
return nil, nil, err
}
dnsServers := make([]net.IP, len(cmd.Network.DNSServers))
for i, ip := range cmd.Network.DNSServers {
dnsServers[i] = ip.IP()
}
if cmd.Network.Plugin.Path() != "" {
resolvConfigurer := &kawasaki.ResolvConfigurer{
HostsFileCompiler: &dns.HostsFileCompiler{},
ResolvFileCompiler: &dns.ResolvFileCompiler{},
FileWriter: &dns.RootfsWriter{},
IDMapReader: &kawasaki.RootIdMapReader{},
}
externalNetworker := netplugin.New(
linux_command_runner.New(),
propManager,
externalIP,
dnsServers,
resolvConfigurer,
cmd.Network.Plugin.Path(),
cmd.Network.PluginExtraArgs,
)
return externalNetworker, externalNetworker, nil
}
var denyNetworksList []string
for _, network := range cmd.Network.DenyNetworks {
denyNetworksList = append(denyNetworksList, network.String())
}
interfacePrefix := fmt.Sprintf("w%s", cmd.Server.Tag)
chainPrefix := fmt.Sprintf("w-%s-", cmd.Server.Tag)
idGenerator := kawasaki.NewSequentialIDGenerator(time.Now().UnixNano())
iptRunner := &logging.Runner{CommandRunner: linux_command_runner.New(), Logger: log.Session("iptables-runner")}
locksmith := &locksmithpkg.FileSystem{}
ipTables := iptables.New(cmd.Bin.IPTables.Path(), cmd.Bin.IPTablesRestore.Path(), iptRunner, locksmith, chainPrefix)
ipTablesStarter := iptables.NewStarter(ipTables, cmd.Network.AllowHostAccess, interfacePrefix, denyNetworksList, cmd.Containers.DestroyContainersOnStartup)
ruleTranslator := iptables.NewRuleTranslator()
networker := kawasaki.New(
kawasaki.SpecParserFunc(kawasaki.ParseSpec),
subnets.NewPool(cmd.Network.Pool.CIDR()),
kawasaki.NewConfigCreator(idGenerator, interfacePrefix, chainPrefix, externalIP, dnsServers, cmd.Network.Mtu),
propManager,
factory.NewDefaultConfigurer(ipTables),
portPool,
iptables.NewPortForwarder(ipTables),
iptables.NewFirewallOpener(ruleTranslator, ipTables),
)
return networker, ipTablesStarter, nil
}
示例3: wireStarter
func wireStarter(logger lager.Logger, iptablesMgr *iptables.Manager) gardener.Starter {
runner := &logging.Runner{CommandRunner: linux_command_runner.New(), Logger: logger.Session("runner")}
return &StartAll{starters: []gardener.Starter{
rundmc.NewStarter(logger, mustOpen("/proc/cgroups"), path.Join(os.TempDir(), fmt.Sprintf("cgroups-%s", *tag)), runner),
iptablesMgr,
}}
}
示例4: wireNetworker
func wireNetworker(
log lager.Logger,
tag string,
networkPoolCIDR *net.IPNet,
externalIP net.IP,
iptablesMgr kawasaki.IPTablesConfigurer,
interfacePrefix string,
chainPrefix string,
propManager *properties.Manager,
networkModulePath string) gardener.Networker {
runner := &logging.Runner{CommandRunner: linux_command_runner.New(), Logger: log.Session("network-runner")}
hostConfigurer := &configure.Host{
Veth: &devices.VethCreator{},
Link: &devices.Link{Name: "guardian"},
Bridge: &devices.Bridge{},
Logger: log.Session("network-host-configurer"),
}
containerCfgApplier := &configure.Container{
Logger: log.Session("network-container-configurer"),
Link: &devices.Link{Name: "guardian"},
}
idGenerator := kawasaki.NewSequentialIDGenerator(time.Now().UnixNano())
portPool, err := ports.NewPool(uint32(*portPoolStart), uint32(*portPoolSize), ports.State{})
if err != nil {
log.Fatal("invalid pool range", err)
}
switch networkModulePath {
case "":
return kawasaki.New(
kawasaki.NewManager(runner, "/var/run/netns"),
kawasaki.SpecParserFunc(kawasaki.ParseSpec),
subnets.NewPool(networkPoolCIDR),
kawasaki.NewConfigCreator(idGenerator, interfacePrefix, chainPrefix, externalIP),
kawasaki.NewConfigurer(
hostConfigurer,
containerCfgApplier,
iptablesMgr,
&netns.Execer{},
),
propManager,
iptables.NewPortForwarder(runner),
portPool,
)
default:
if _, err := os.Stat(networkModulePath); err != nil {
log.Fatal("failed-to-stat-network-module", err)
return nil
}
return gardener.ForeignNetworkAdaptor{
ForeignNetworker: genclient.New(networkModulePath),
}
}
}
示例5: wireContainerizer
func wireContainerizer(depotPath, iodaemonPath, defaultRootFSPath string) *rundmc.Containerizer {
depot := depot.New(depotPath)
startCheck := rundmc.StartChecker{Expect: "Pid 1 Running", Timeout: 3 * time.Second}
runcrunner := runrunc.New(
process_tracker.New(path.Join(os.TempDir(), fmt.Sprintf("garden-%s", *tag), "processes"), iodaemonPath, linux_command_runner.New()),
linux_command_runner.New(),
wireUidGenerator(),
goci.RuncBinary("runc"),
)
baseBundle := goci.Bundle().
WithNamespaces(PrivilegedContainerNamespaces...).
WithResources(&specs.Resources{}).
WithMounts(goci.Mount{Name: "proc", Type: "proc", Source: "proc", Destination: "/proc"}).
WithRootFS(defaultRootFSPath).
WithProcess(goci.Process("/bin/sh", "-c", `echo "Pid 1 Running"; read x`))
return rundmc.New(depot, &rundmc.BundleTemplate{baseBundle}, runcrunner, startCheck)
}
示例6: main
func main() {
cf_lager.AddFlags(flag.CommandLine)
flag.Parse()
logger, _ := cf_lager.New("hook")
oldWd, err := os.Getwd()
if err != nil {
panic(err)
}
cwd := path.Dir(os.Args[0])
os.Chdir(cwd)
defer os.Chdir(oldWd)
config, err := process.EnvFromFile("../etc/config")
if err != nil {
panic(fmt.Sprintf("error reading config file in hook: %s", err))
}
runner := &logging.Runner{linux_command_runner.New(), logger}
configurer := network.NewConfigurer(logger.Session("linux_backend: hook.CHILD_AFTER_PIVOT"))
linux_backend.RegisterHooks(hook.DefaultHookSet, runner, config, configurer)
hook.Main(os.Args[1:])
}
示例7: wireIptables
func wireIptables(logger lager.Logger, tag string, allowHostAccess bool, interfacePrefix, chainPrefix string) *iptables.Manager {
runner := &logging.Runner{CommandRunner: linux_command_runner.New(), Logger: logger.Session("iptables-runner")}
filterConfig := iptables.FilterConfig{
AllowHostAccess: allowHostAccess,
InputChain: fmt.Sprintf("w-%s-input", tag),
ForwardChain: fmt.Sprintf("w-%s-forward", tag),
DefaultChain: fmt.Sprintf("w-%s-default", tag),
}
natConfig := iptables.NATConfig{
PreroutingChain: fmt.Sprintf("w-%s-prerouting", tag),
PostroutingChain: fmt.Sprintf("w-%s-postrouting", tag),
}
return iptables.NewManager(
filterConfig,
natConfig,
interfacePrefix,
chainPrefix,
runner,
logger,
)
}
示例8: wireVolumeCreator
func (cmd *GuardianCommand) wireVolumeCreator(logger lager.Logger, graphRoot string, insecureRegistries, persistentImages []string) gardener.VolumeCreator {
if graphRoot == "" {
return gardener.NoopVolumeCreator{}
}
if cmd.Bin.ImagePlugin.Path() != "" {
defaultRootFS, err := url.Parse(cmd.Containers.DefaultRootFSDir.Path())
if err != nil {
logger.Fatal("failed-to-parse-default-rootfs", err)
}
return imageplugin.New(cmd.Bin.ImagePlugin.Path(), linux_command_runner.New(), defaultRootFS, idMappings)
}
logger = logger.Session("volume-creator", lager.Data{"graphRoot": graphRoot})
runner := &logging.Runner{CommandRunner: linux_command_runner.New(), Logger: logger}
if err := os.MkdirAll(graphRoot, 0755); err != nil {
logger.Fatal("failed-to-create-graph-directory", err)
}
dockerGraphDriver, err := graphdriver.New(graphRoot, nil)
if err != nil {
logger.Fatal("failed-to-construct-graph-driver", err)
}
backingStoresPath := filepath.Join(graphRoot, "backing_stores")
if err := os.MkdirAll(backingStoresPath, 0660); err != nil {
logger.Fatal("failed-to-mkdir-backing-stores", err)
}
quotaedGraphDriver := "aed_aufs.QuotaedDriver{
GraphDriver: dockerGraphDriver,
Unmount: quotaed_aufs.Unmount,
BackingStoreMgr: "aed_aufs.BackingStore{
RootPath: backingStoresPath,
Logger: logger.Session("backing-store-mgr"),
},
LoopMounter: "aed_aufs.Loop{
Retrier: retrier.New(retrier.ConstantBackoff(200, 500*time.Millisecond), nil),
Logger: logger.Session("loop-mounter"),
},
Retrier: retrier.New(retrier.ConstantBackoff(200, 500*time.Millisecond), nil),
RootPath: graphRoot,
Logger: logger.Session("quotaed-driver"),
}
dockerGraph, err := graph.NewGraph(graphRoot, quotaedGraphDriver)
if err != nil {
logger.Fatal("failed-to-construct-graph", err)
}
var cake layercake.Cake = &layercake.Docker{
Graph: dockerGraph,
Driver: quotaedGraphDriver,
}
if cake.DriverName() == "aufs" {
cake = &layercake.AufsCake{
Cake: cake,
Runner: runner,
GraphRoot: graphRoot,
}
}
repoFetcher := repository_fetcher.Retryable{
RepositoryFetcher: &repository_fetcher.CompositeFetcher{
LocalFetcher: &repository_fetcher.Local{
Cake: cake,
DefaultRootFSPath: cmd.Containers.DefaultRootFSDir.Path(),
IDProvider: repository_fetcher.LayerIDProvider{},
},
RemoteFetcher: repository_fetcher.NewRemote(
logger,
cmd.Docker.Registry,
cake,
distclient.NewDialer(insecureRegistries),
repository_fetcher.VerifyFunc(repository_fetcher.Verify),
),
},
Logger: logger,
}
rootFSNamespacer := &rootfs_provider.UidNamespacer{
Translator: rootfs_provider.NewUidTranslator(
idMappings, // uid
idMappings, // gid
),
}
retainer := cleaner.NewRetainer()
ovenCleaner := cleaner.NewOvenCleaner(retainer,
cleaner.NewThreshold(int64(cmd.Graph.CleanupThresholdInMegabytes)*1024*1024),
)
imageRetainer := &repository_fetcher.ImageRetainer{
GraphRetainer: retainer,
DirectoryRootfsIDProvider: repository_fetcher.LayerIDProvider{},
DockerImageIDFetcher: repoFetcher,
NamespaceCacheKey: rootFSNamespacer.CacheKey(),
//.........这里部分代码省略.........
示例9: wireRunDMCStarter
func (cmd *GuardianCommand) wireRunDMCStarter(logger lager.Logger) gardener.Starter {
var cgroupsMountpoint string
if cmd.Server.Tag != "" {
cgroupsMountpoint = filepath.Join(os.TempDir(), fmt.Sprintf("cgroups-%s", cmd.Server.Tag))
} else {
cgroupsMountpoint = "/sys/fs/cgroup"
}
return rundmc.NewStarter(logger, mustOpen("/proc/cgroups"), mustOpen("/proc/self/cgroup"), cgroupsMountpoint, linux_command_runner.New())
}
示例10: main
func main() {
if reexec.Init() {
return
}
cf_debug_server.AddFlags(flag.CommandLine)
cf_lager.AddFlags(flag.CommandLine)
flag.Parse()
runtime.GOMAXPROCS(runtime.NumCPU())
logger, reconfigurableSink := cf_lager.New("garden-linux")
if dbgAddr := cf_debug_server.DebugAddress(flag.CommandLine); dbgAddr != "" {
debug.Run(dbgAddr, reconfigurableSink)
}
initializeDropsonde(logger)
if *binPath == "" {
missing("-bin")
}
if *depotPath == "" {
missing("-depot")
}
if len(*tag) > 2 {
println("-tag parameter must be less than 3 characters long")
println()
flag.Usage()
return
}
_, dynamicRange, err := net.ParseCIDR(*networkPool)
if err != nil {
logger.Fatal("failed-to-parse-network-pool", err)
}
subnetPool, err := subnets.NewSubnets(dynamicRange)
if err != nil {
logger.Fatal("failed-to-create-subnet-pool", err)
}
// TODO: use /proc/sys/net/ipv4/ip_local_port_range by default (end + 1)
portPool, err := port_pool.New(uint32(*portPoolStart), uint32(*portPoolSize))
if err != nil {
logger.Fatal("invalid pool range", err)
}
useKernelLogging := true
switch *iptablesLogMethod {
case "nflog":
useKernelLogging = false
case "kernel":
/* noop */
default:
println("-iptablesLogMethod value not recognized")
println()
flag.Usage()
return
}
config := sysconfig.NewConfig(*tag, *allowHostAccess)
runner := sysconfig.NewRunner(config, linux_command_runner.New())
if err := os.MkdirAll(*graphRoot, 0755); err != nil {
logger.Fatal("failed-to-create-graph-directory", err)
}
dockerGraphDriver, err := graphdriver.New(*graphRoot, nil)
if err != nil {
logger.Fatal("failed-to-construct-graph-driver", err)
}
dockerGraph, err := graph.NewGraph(*graphRoot, dockerGraphDriver)
if err != nil {
logger.Fatal("failed-to-construct-graph", err)
}
graphMountPoint := mountPoint(logger, *graphRoot)
var cake layercake.Cake = &layercake.Docker{
Graph: dockerGraph,
Driver: dockerGraphDriver,
}
if cake.DriverName() == "btrfs" {
cake = &layercake.BtrfsCleaningCake{
Cake: cake,
Runner: runner,
BtrfsMountPoint: graphMountPoint,
RemoveAll: os.RemoveAll,
Logger: logger.Session("btrfs-cleanup"),
}
}
retainer := layercake.NewRetainer()
cake = &layercake.OvenCleaner{
Cake: cake,
//.........这里部分代码省略.........
示例11: main
func main() {
flag.Parse()
maxProcs := runtime.NumCPU()
prevMaxProcs := runtime.GOMAXPROCS(maxProcs)
log.Println("set GOMAXPROCS to", maxProcs, "was", prevMaxProcs)
if *binPath == "" {
log.Fatalln("must specify -bin with linux backend")
}
if *depotPath == "" {
log.Fatalln("must specify -depot with linux backend")
}
if *rootFSPath == "" {
log.Fatalln("must specify -rootfs with linux backend")
}
uidPool := uid_pool.New(uint32(*uidPoolStart), uint32(*uidPoolSize))
_, ipNet, err := net.ParseCIDR(*networkPool)
if err != nil {
log.Fatalln("error parsing CIDR:", err)
}
networkPool := network_pool.New(ipNet)
// TODO: use /proc/sys/net/ipv4/ip_local_port_range by default (end + 1)
portPool := port_pool.New(uint32(*portPoolStart), uint32(*portPoolSize))
runner := linux_command_runner.New(*debug)
quotaManager, err := quota_manager.New(*depotPath, *binPath, runner)
if err != nil {
log.Fatalln("error creating quota manager:", err)
}
if *disableQuotas {
quotaManager.Disable()
}
graphDriver, err := graphdriver.New(*graphRoot)
if err != nil {
log.Fatalln("error constructing graph driver:", err)
}
graph, err := graph.NewGraph(*graphRoot, graphDriver)
if err != nil {
log.Fatalln("error constructing graph:", err)
}
reg, err := registry.NewRegistry(nil, nil, *dockerRegistry)
if err != nil {
log.Fatalln(err)
}
pool := container_pool.New(
*binPath,
*depotPath,
*rootFSPath,
repository_fetcher.Retryable{repository_fetcher.New(reg, graph)},
graphDriver,
uidPool,
networkPool,
portPool,
strings.Split(*denyNetworks, ","),
strings.Split(*allowNetworks, ","),
runner,
quotaManager,
)
systemInfo := system_info.NewProvider(*depotPath)
backend := linux_backend.New(pool, systemInfo, *snapshotsPath)
log.Println("setting up backend")
err = backend.Setup()
if err != nil {
log.Fatalln("failed to set up backend:", err)
}
log.Println("starting server; listening with", *listenNetwork, "on", *listenAddr)
graceTime := *containerGraceTime
wardenServer := server.New(*listenNetwork, *listenAddr, graceTime, backend)
err = wardenServer.Start()
if err != nil {
log.Fatalln("failed to start:", err)
}
signals := make(chan os.Signal, 1)
go func() {
<-signals
log.Println("stopping...")
//.........这里部分代码省略.........
示例12: main
func main() {
libPath := flag.String("lib", "./lib", "Directory containing hooks")
rootFsPath := flag.String("root", "", "Directory that will become root in the new mount namespace")
runPath := flag.String("run", "./run", "Directory where server socket is placed")
userNsFlag := flag.String("userns", "enabled", "If specified, use user namespacing")
title := flag.String("title", "", "")
flag.Parse()
if *rootFsPath == "" {
missing("--root")
}
binPath, err := filepath.Abs(filepath.Dir(os.Args[0]))
if err != nil {
fmt.Fprintf(os.Stderr, "wshd: obtain absolute path: %s", err)
os.Exit(6)
}
socketPath := path.Join(*runPath, "wshd.sock")
privileged := false
if *userNsFlag == "" || *userNsFlag == "disabled" {
privileged = true
}
containerReader, hostWriter, err := os.Pipe()
if err != nil {
fmt.Fprintf(os.Stderr, "wshd: create pipe: %s", err)
os.Exit(5)
}
hostReader, containerWriter, err := os.Pipe()
if err != nil {
fmt.Fprintf(os.Stderr, "wshd: create pipe: %s", err)
os.Exit(4)
}
sync := &containerizer.PipeSynchronizer{
Reader: hostReader,
Writer: hostWriter,
}
listener, err := unix_socket.NewListenerFromPath(socketPath)
if err != nil {
fmt.Fprintf(os.Stderr, "wshd: create listener: %s", err)
os.Exit(8)
}
socketFile, err := listener.File()
if err != nil {
fmt.Fprintf(os.Stderr, "wshd: obtain listener file: %s", err)
os.Exit(9)
}
beforeCloneInitializer := &system.Initializer{Steps: []system.StepRunner{
&containerizer.FuncStep{
(&container_daemon.RlimitsManager{}).Init,
},
}}
maxUID := sysinfo.Min(sysinfo.MustGetMaxValidUID(), sysinfo.MustGetMaxValidGID())
cz := containerizer.Containerizer{
BeforeCloneInitializer: beforeCloneInitializer,
InitBinPath: path.Join(binPath, "initc"),
InitArgs: []string{
"--root", *rootFsPath,
"--config", path.Join(*libPath, "../etc/config"),
"--title", *title,
},
Execer: &system.NamespacingExecer{
CommandRunner: linux_command_runner.New(),
ExtraFiles: []*os.File{containerReader, containerWriter, socketFile},
Privileged: privileged,
MaxUID: maxUID,
},
Signaller: sync,
Waiter: sync,
// Temporary until we merge the hook scripts functionality in Golang
CommandRunner: linux_command_runner.New(),
LibPath: *libPath,
RootfsPath: *rootFsPath,
}
err = cz.Create()
if err != nil {
fmt.Fprintf(os.Stderr, "Failed to create container: %s", err)
os.Exit(2)
}
}
示例13: main
func main() {
depotDir := flag.String(
"depot",
"/var/vcap/data/garden-runc/depot",
"the depot directory to store containers in",
)
listenNetwork := flag.String(
"listenNetwork",
"tcp",
"how to listen on the address (unix, tcp, etc.)",
)
listenAddr := flag.String(
"listenAddr",
"0.0.0.0:7777",
"address to listen on",
)
containerGraceTime := flag.Duration(
"containerGraceTime",
0,
"time after which to destroy idle containers",
)
cf_lager.AddFlags(flag.CommandLine)
flag.Parse()
logger, _ := cf_lager.New("garden-runc")
runner := &logging.Runner{
CommandRunner: linux_command_runner.New(),
Logger: logger,
}
iodaemonBin, err := gexec.Build("github.com/cloudfoundry-incubator/garden-linux/iodaemon/cmd/iodaemon")
if err != nil {
panic(err)
}
gdnr := &gardener.Gardener{
Volumizer: &gardenshed.Shed{},
Containerizer: &rundmc.Containerizer{
Repo: rundmc.Depot{
Dir: *depotDir,
ActualContainerProvider: &rundmc.RuncContainerFactory{
Tracker: process_tracker.New("/tmp", iodaemonBin, runner),
},
},
},
}
server := server.New(*listenNetwork, *listenAddr, *containerGraceTime, gdnr, logger)
if err := server.Start(); err != nil {
logger.Fatal("failed-to-start-server", err)
}
logger.Info("started", lager.Data{
"network": *listenNetwork,
"addr": *listenAddr,
})
signals := make(chan os.Signal, 1)
go func() {
<-signals
server.Stop()
os.Exit(0)
}()
signal.Notify(signals, syscall.SIGINT, syscall.SIGTERM, syscall.SIGHUP)
select {}
}
示例14: wireStarter
func wireStarter() *rundmc.Starter {
runner := &log.Runner{CommandRunner: linux_command_runner.New(), Logger: log.Session("runner")}
return rundmc.NewStarter(mustOpen("/proc/cgroups"), path.Join(os.TempDir(), fmt.Sprintf("cgroups-%s", *tag)), runner)
}
示例15: wireContainerizer
func (cmd *GuardianCommand) wireContainerizer(log lager.Logger, depotPath, dadooPath, runcPath, nstarPath, tarPath, defaultRootFSPath, appArmorProfile string, properties gardener.PropertyManager) *rundmc.Containerizer {
depot := depot.New(depotPath)
commandRunner := linux_command_runner.New()
chrootMkdir := bundlerules.ChrootMkdir{
Command: preparerootfs.Command,
CommandRunner: commandRunner,
}
pidFileReader := &dadoo.PidFileReader{
Clock: clock.NewClock(),
Timeout: 10 * time.Second,
SleepInterval: time.Millisecond * 100,
}
runcrunner := runrunc.New(
commandRunner,
runrunc.NewLogRunner(commandRunner, runrunc.LogDir(os.TempDir()).GenerateLogFile),
goci.RuncBinary(runcPath),
dadooPath,
runcPath,
runrunc.NewExecPreparer(&goci.BndlLoader{}, runrunc.LookupFunc(runrunc.LookupUser), chrootMkdir, NonRootMaxCaps),
dadoo.NewExecRunner(
dadooPath,
runcPath,
cmd.wireUidGenerator(),
pidFileReader,
linux_command_runner.New()),
)
mounts := []specs.Mount{
{Type: "sysfs", Source: "sysfs", Destination: "/sys", Options: []string{"nosuid", "noexec", "nodev", "ro"}},
{Type: "tmpfs", Source: "tmpfs", Destination: "/dev/shm"},
{Type: "devpts", Source: "devpts", Destination: "/dev/pts",
Options: []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"}},
{Type: "bind", Source: cmd.Bin.Init.Path(), Destination: "/tmp/garden-init", Options: []string{"bind"}},
}
privilegedMounts := append(mounts,
specs.Mount{Type: "proc", Source: "proc", Destination: "/proc", Options: []string{"nosuid", "noexec", "nodev"}},
)
unprivilegedMounts := append(mounts,
specs.Mount{Type: "proc", Source: "proc", Destination: "/proc", Options: []string{"nosuid", "noexec", "nodev"}},
)
rwm := "rwm"
character := "c"
var majorMinor = func(i int64) *int64 {
return &i
}
var worldReadWrite os.FileMode = 0666
fuseDevice := specs.LinuxDevice{
Path: "/dev/fuse",
Type: "c",
Major: 10,
Minor: 229,
FileMode: &worldReadWrite,
}
denyAll := specs.LinuxDeviceCgroup{Allow: false, Access: &rwm}
allowedDevices := []specs.LinuxDeviceCgroup{
{Access: &rwm, Type: &character, Major: majorMinor(1), Minor: majorMinor(3), Allow: true},
{Access: &rwm, Type: &character, Major: majorMinor(5), Minor: majorMinor(0), Allow: true},
{Access: &rwm, Type: &character, Major: majorMinor(1), Minor: majorMinor(8), Allow: true},
{Access: &rwm, Type: &character, Major: majorMinor(1), Minor: majorMinor(9), Allow: true},
{Access: &rwm, Type: &character, Major: majorMinor(1), Minor: majorMinor(5), Allow: true},
{Access: &rwm, Type: &character, Major: majorMinor(1), Minor: majorMinor(7), Allow: true},
{Access: &rwm, Type: &character, Major: majorMinor(1), Minor: majorMinor(7), Allow: true},
{Access: &rwm, Type: &character, Major: majorMinor(fuseDevice.Major), Minor: majorMinor(fuseDevice.Minor), Allow: true},
}
baseProcess := specs.Process{
Capabilities: UnprivilegedMaxCaps,
Args: []string{"/tmp/garden-init"},
Cwd: "/",
}
baseBundle := goci.Bundle().
WithNamespaces(PrivilegedContainerNamespaces...).
WithResources(&specs.LinuxResources{Devices: append([]specs.LinuxDeviceCgroup{denyAll}, allowedDevices...)}).
WithRootFS(defaultRootFSPath).
WithDevices(fuseDevice).
WithProcess(baseProcess)
unprivilegedBundle := baseBundle.
WithNamespace(goci.UserNamespace).
WithUIDMappings(idMappings...).
WithGIDMappings(idMappings...).
WithMounts(unprivilegedMounts...).
WithMaskedPaths(defaultMaskedPaths())
unprivilegedBundle.Spec.Linux.Seccomp = seccomp
if appArmorProfile != "" {
unprivilegedBundle.Spec.Process.ApparmorProfile = appArmorProfile
}
privilegedBundle := baseBundle.
WithMounts(privilegedMounts...).
//.........这里部分代码省略.........