

Golang capability.NewPid函数代码示例

本文整理汇总了Golang中github.com/syndtr/gocapability/capability.NewPid函数的典型用法代码示例。如果您正苦于以下问题:Golang NewPid函数的具体用法?Golang NewPid怎么用?Golang NewPid使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。


在下文中一共展示了NewPid函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Golang代码示例。

示例1: setupCapabilities

// setupCapabilities removes a fixed set of capabilities from the current
// process unless the container was started privileged, in which case the
// process keeps everything it inherited.
//
// The capabilities are removed from the capability.CAPS sets and from the
// bounding set, so a later exec cannot reacquire them through file
// capabilities. Returns the error from reading or applying the process
// capability state.
func setupCapabilities(args *DockerInitArgs) error {
	// Privileged containers are deliberately left untouched.
	if args.privileged {
		return nil
	}

	// Capabilities withheld from a non-privileged container's init process.
	dropped := []capability.Cap{
		capability.CAP_SETPCAP,
		capability.CAP_SYS_MODULE,
		capability.CAP_SYS_RAWIO,
		capability.CAP_SYS_PACCT,
		capability.CAP_SYS_ADMIN,
		capability.CAP_SYS_NICE,
		capability.CAP_SYS_RESOURCE,
		capability.CAP_SYS_TIME,
		capability.CAP_SYS_TTY_CONFIG,
		capability.CAP_MKNOD,
		capability.CAP_AUDIT_WRITE,
		capability.CAP_AUDIT_CONTROL,
		capability.CAP_MAC_OVERRIDE,
		capability.CAP_MAC_ADMIN,
	}

	self, err := capability.NewPid(os.Getpid())
	if err != nil {
		return err
	}

	// Unset only edits the in-memory copy; Apply writes it to the kernel.
	sets := capability.CAPS | capability.BOUNDS
	self.Unset(sets, dropped...)
	return self.Apply(sets)
}

示例2: haveMacAdmin

// haveMacAdmin reports whether the current process holds CAP_MAC_ADMIN in
// its effective capability set.
//
// A failure to read the process capability state is reported as "not held",
// i.e. the check fails closed.
func haveMacAdmin() bool {
	self, err := capability.NewPid(0)
	if err != nil {
		return false
	}
	return self.Get(capability.EFFECTIVE, capability.CAP_MAC_ADMIN)
}

示例3: HasChrootCapability

// HasChrootCapability checks if the current process has the CAP_SYS_CHROOT
// capability
// HasChrootCapability checks if the current process has the CAP_SYS_CHROOT
// capability.
//
// The effective capability set is the authoritative answer. Only when that
// state cannot be read does it fall back to "effective uid is 0", on the
// assumption that such a process has not dropped CAP_SYS_CHROOT.
func HasChrootCapability() bool {
	self, err := capability.NewPid(0)
	if err != nil {
		// Fallback: euid 0 (hoping CAP_SYS_CHROOT hasn't been dropped).
		return os.Geteuid() == 0
	}
	return self.Get(capability.EFFECTIVE, capability.CAP_SYS_CHROOT)
}

示例4: PrintCap

// PrintCap prints one line to stdout stating whether cap is present in each
// of the bounding, permitted, effective and inheritable sets of the current
// process, labelled with capName.
//
// It panics if the process capability state cannot be read.
func PrintCap(capName string, cap capability.Cap) {
	self, err := capability.NewPid(0)
	if err != nil {
		panic(err)
	}

	inBounding := self.Get(capability.BOUNDING, cap)
	inPermitted := self.Get(capability.PERMITTED, cap)
	inEffective := self.Get(capability.EFFECTIVE, cap)
	inInheritable := self.Get(capability.INHERITABLE, cap)

	fmt.Printf("%s bounding=%t, permitted=%t, effective=%t, inheritable=%t\n",
		capName, inBounding, inPermitted, inEffective, inInheritable)
}

示例5: DropCapabilities

// DropCapabilities drops capabilities for the current process based
// on the container's configuration.
// DropCapabilities drops capabilities for the current process based
// on the container's configuration.
//
// The capabilities returned by getCapabilities are removed from the
// capability.CAPS sets and from the bounding set. When the configuration
// names nothing to drop the process is left untouched. Returns the error
// from reading or applying the process capability state.
func DropCapabilities(container *libcontainer.Container) error {
	toDrop := getCapabilities(container)
	if len(toDrop) == 0 {
		return nil
	}

	self, err := capability.NewPid(os.Getpid())
	if err != nil {
		return err
	}

	sets := capability.CAPS | capability.BOUNDS
	self.Unset(sets, toDrop...)
	return self.Apply(sets)
}

示例6: DropCapabilities

// DropCapabilities drops all capabilities for the current process expect those specified in the container configuration.
// DropCapabilities drops all capabilities for the current process except
// those specified in the container configuration.
//
// Every set named by allCapabilityTypes (declared elsewhere in this file) is
// cleared and then repopulated with exactly the capabilities that
// getEnabledCapabilities returns for container. Returns the error from
// reading or applying the process capability state.
func DropCapabilities(container *libcontainer.Container) error {
	self, err := capability.NewPid(os.Getpid())
	if err != nil {
		return err
	}

	// Clear first so that only the allow-listed capabilities survive.
	allowed := getEnabledCapabilities(container)
	self.Clear(allCapabilityTypes)
	self.Set(allCapabilityTypes, allowed...)
	return self.Apply(allCapabilityTypes)
}

示例7: DropCapabilities

// DropCapabilities drops all capabilities for the current process except those specified in the container configuration.
// DropCapabilities drops all capabilities for the current process except
// those specified in the container configuration.
//
// Every set named by allCapabilityTypes (declared elsewhere in this file) is
// cleared and then repopulated with exactly the capabilities that
// getEnabledCapabilities resolves from capList. Returns the error from
// reading or applying the process capability state.
func DropCapabilities(capList []string) error {
	self, err := capability.NewPid(0)
	if err != nil {
		return err
	}

	// Clear first so that only the allow-listed capabilities survive.
	allowed := getEnabledCapabilities(capList)
	self.Clear(allCapabilityTypes)
	self.Set(allCapabilityTypes, allowed...)
	return self.Apply(allCapabilityTypes)
}

示例8: DropBoundingSet

// DropBoundingSet drops the capability bounding set to those specified in the
// container configuration.
// DropBoundingSet drops the capability bounding set to those specified in the
// container configuration.
//
// Only the bounding set is touched: it is cleared and repopulated with what
// getEnabledCapabilities returns for container. The bounding set limits what
// the process and anything it execs can ever acquire, so this is a ceiling
// rather than a change to the currently effective capabilities. Returns the
// error from reading or applying the process capability state.
func DropBoundingSet(container *libcontainer.Container) error {
	self, err := capability.NewPid(os.Getpid())
	if err != nil {
		return err
	}

	allowed := getEnabledCapabilities(container)
	self.Clear(capability.BOUNDS)
	self.Set(capability.BOUNDS, allowed...)
	return self.Apply(capability.BOUNDS)
}

示例9: DropBoundingSet

// DropBoundingSet drops the capability bounding set to those specified in the
// container configuration.
// DropBoundingSet drops the capability bounding set to those specified in the
// container configuration.
//
// Only the bounding set is touched: it is cleared and repopulated with what
// getEnabledCapabilities resolves from capabilities. The bounding set limits
// what the process and anything it execs can ever acquire, so this is a
// ceiling rather than a change to the currently effective capabilities.
// Returns the error from reading or applying the process capability state.
func DropBoundingSet(capabilities []string) error {
	self, err := capability.NewPid(0)
	if err != nil {
		return err
	}

	allowed := getEnabledCapabilities(capabilities)
	self.Clear(capability.BOUNDS)
	self.Set(capability.BOUNDS, allowed...)
	return self.Apply(capability.BOUNDS)
}

示例10: newCapWhitelist

// newCapWhitelist resolves the capability names in caps against
// capabilityList and pairs them with the current process's capability
// handle.
//
// Returns an error naming the first entry of caps that is not a known
// capability, or the error from reading the current process's capability
// state. Unknown names are rejected rather than skipped, so a misspelled
// entry cannot silently change the resulting set.
func newCapWhitelist(caps []string) (*whitelist, error) {
	keep := make([]capability.Cap, 0, len(caps))
	for _, name := range caps {
		c, ok := capabilityList[name]
		if !ok {
			return nil, fmt.Errorf("unknown capability %q", name)
		}
		keep = append(keep, c)
	}

	self, err := capability.NewPid(os.Getpid())
	if err != nil {
		return nil, err
	}

	return &whitelist{keep: keep, pid: self}, nil
}

示例11: validateCapabilities

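// validateCapabilities checks that the effective capability set of PID 1
// matches spec.Linux.Capabilities exactly: every listed capability must be
// present and every other capability known to the kernel must be absent.
//
// Capabilities above CAP_LAST_CAP are ignored on both sides, with a fixed
// fallback for kernels that do not expose cap_last_cap. Returns an error for
// a spec entry that is not a recognised "CAP_*" name, the error from reading
// PID 1's capabilities, or an error naming the first capability whose state
// differs from the spec. rspec is accepted for interface compatibility and
// is not consulted.
func validateCapabilities(spec *specs.LinuxSpec, rspec *specs.LinuxRuntimeSpec) error {
	fmt.Println("validating capabilities")

	last := capability.CAP_LAST_CAP
	// workaround for RHEL6 which has no /proc/sys/kernel/cap_last_cap
	if last == capability.Cap(63) {
		last = capability.CAP_BLOCK_SUSPEND
	}

	// "CAP_FOO" -> Cap for every capability the kernel supports; each one
	// starts out as not expected.
	capabilityMap := make(map[string]capability.Cap)
	expectedCaps := make(map[capability.Cap]bool)
	for _, cap := range capability.List() {
		if cap > last {
			continue
		}
		capKey := fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String()))
		capabilityMap[capKey] = cap
		expectedCaps[cap] = false
	}

	for _, ec := range spec.Linux.Capabilities {
		cap, ok := capabilityMap[ec]
		if !ok {
			// An unchecked lookup would yield the zero Cap value and silently
			// mark the wrong capability as expected; reject the name instead.
			return fmt.Errorf("Unknown Capability %q in spec", ec)
		}
		expectedCaps[cap] = true
	}

	processCaps, err := capability.NewPid(1)
	if err != nil {
		return err
	}

	for _, cap := range capability.List() {
		// Same cut-off as when building expectedCaps.
		if cap > last {
			continue
		}
		expectedSet := expectedCaps[cap]
		actuallySet := processCaps.Get(capability.EFFECTIVE, cap)
		if expectedSet == actuallySet {
			continue
		}
		if expectedSet {
			return fmt.Errorf("Expected Capability %v not set for process", cap.String())
		}
		return fmt.Errorf("Unexpected Capability %v set for process", cap.String())
	}

	return nil
}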

示例12: validateCapabilities

// validateCapabilities checks that the effective capability set of PID 1
// matches spec.Process.Capabilities exactly: every listed capability must be
// present and every other capability known to the kernel must be absent.
//
// Capabilities above CAP_LAST_CAP are ignored, with a fixed fallback for
// kernels that do not expose cap_last_cap. Returns the error from reading
// PID 1's capabilities, or an error naming the first capability whose state
// differs from the spec.
//
// NOTE(review): a spec entry that is not a recognised "CAP_*" name never
// matches any key below and is therefore silently ignored rather than
// reported.
func validateCapabilities(spec *rspec.Spec) error {
	logrus.Debugf("validating capabilities")

	last := capability.CAP_LAST_CAP
	// workaround for RHEL6 which has no /proc/sys/kernel/cap_last_cap
	if last == capability.Cap(63) {
		last = capability.CAP_BLOCK_SUSPEND
	}

	processCaps, err := capability.NewPid(1)
	if err != nil {
		return err
	}

	wanted := make(map[string]bool, len(spec.Process.Capabilities))
	for _, name := range spec.Process.Capabilities {
		wanted[name] = true
	}

	for _, cap := range capability.List() {
		if cap > last {
			continue
		}

		key := "CAP_" + strings.ToUpper(cap.String())
		held := processCaps.Get(capability.EFFECTIVE, cap)
		switch {
		case wanted[key] && !held:
			return fmt.Errorf("Expected Capability %v not set for process", cap.String())
		case !wanted[key] && held:
			return fmt.Errorf("Unexpected Capability %v set for process", cap.String())
		}
	}

	return nil
}

示例13: checkPrerequisite

// checkPrerequisite verifies that the current process holds, in its
// effective set, the capabilities required by the inspectors enabled in cfg:
// CAP_NET_ADMIN and CAP_SYS_ADMIN for the ethernet inspector, CAP_SYS_NICE
// for the proc inspector.
//
// Returns the error from reading the process capability state, or an error
// naming the first missing capability. Inspectors that are disabled in cfg
// impose no requirement.
func checkPrerequisite(cfg config.Config) error {
	// PID 0 addresses the calling process itself.
	const selfPID = 0
	self, err := cap.NewPid(selfPID)
	if err != nil {
		return err
	}

	// require returns an error carrying msg unless c is effective.
	require := func(c cap.Cap, msg string) error {
		if self.Get(cap.EFFECTIVE, c) {
			return nil
		}
		return fmt.Errorf("%s", msg)
	}

	if cfg.GetBool("containerParam.enableEthernetInspector") {
		if err := require(cap.CAP_NET_ADMIN, "CAP_NET_ADMIN is needed."); err != nil {
			return err
		}
		if err := require(cap.CAP_SYS_ADMIN, "CAP_SYS_ADMIN is needed."); err != nil {
			return err
		}
	}

	if cfg.GetBool("containerParam.enableProcInspector") {
		if err := require(cap.CAP_SYS_NICE, "CAP_SYS_NICE is needed."); err != nil {
			return err
		}
	}

	return nil
}

示例14: Limit

// Limit replaces the bounding set and the capability.CAPS sets of process
// c.Pid with a fixed allow-list of capabilities; everything not on the list
// is removed. With extendedWhitelist set, CAP_SYS_ADMIN is granted as well.
//
// Returns an error wrapping the cause if the process capability state cannot
// be read or applied.
func (c ProcessCapabilities) Limit(extendedWhitelist bool) error {
	target, err := capability.NewPid(c.Pid)
	if err != nil {
		return fmt.Errorf("system: getting capabilities: %s", err)
	}

	// Baseline allow-list; CAP_SYS_ADMIN is deliberately opt-in only.
	allowed := []capability.Cap{
		capability.CAP_CHOWN,
		capability.CAP_DAC_OVERRIDE,
		capability.CAP_FSETID,
		capability.CAP_FOWNER,
		capability.CAP_MKNOD,
		capability.CAP_NET_RAW,
		capability.CAP_SETGID,
		capability.CAP_SETUID,
		capability.CAP_SETFCAP,
		capability.CAP_SETPCAP,
		capability.CAP_NET_BIND_SERVICE,
		capability.CAP_SYS_CHROOT,
		capability.CAP_KILL,
		capability.CAP_AUDIT_WRITE,
	}
	if extendedWhitelist {
		allowed = append(allowed, capability.CAP_SYS_ADMIN)
	}

	// Clear first so the allow-list is the complete resulting set.
	sets := capability.BOUNDING | capability.CAPS
	target.Clear(sets)
	target.Set(sets, allowed...)

	if err := target.Apply(sets); err != nil {
		return fmt.Errorf("system: applying capabilities: %s", err)
	}
	return nil
}

示例15: run

func run(s *options.KubeletServer, kcfg *KubeletConfig) (err error) {
	if s.ExitOnLockContention && s.LockFilePath == "" {
		return errors.New("cannot exit on lock file contention: no lock file specified")
	}

	done := make(chan struct{})
	if s.LockFilePath != "" {
		glog.Infof("acquiring lock on %q", s.LockFilePath)
		if err := flock.Acquire(s.LockFilePath); err != nil {
			return fmt.Errorf("unable to acquire file lock on %q: %v", s.LockFilePath, err)
		}
		if s.ExitOnLockContention {
			glog.Infof("watching for inotify events for: %v", s.LockFilePath)
			if err := watchForLockfileContention(s.LockFilePath, done); err != nil {
				return err
			}
		}
	}
	if c, err := configz.New("componentconfig"); err == nil {
		c.Set(s.KubeletConfiguration)
	} else {
		glog.Errorf("unable to register configz: %s", err)
	}

	// check if we have CAP_SYS_ADMIN to setgroup properly
	pid, err := capability.NewPid(os.Getpid())
	if err != nil {
		return err
	}
	if !pid.Get(capability.EFFECTIVE, capability.CAP_SYS_ADMIN) {
		return fmt.Errorf("Kubelet needs the CAP_SYS_ADMIN capability. Please run kubelet as root or in a privileged container")
	}

	if kcfg == nil {
		cfg, err := UnsecuredKubeletConfig(s)
		if err != nil {
			return err
		}
		kcfg = cfg

		clientConfig, err := CreateAPIServerClientConfig(s)
		if err == nil {
			kcfg.KubeClient, err = clientset.NewForConfig(clientConfig)

			// make a separate client for events
			eventClientConfig := *clientConfig
			eventClientConfig.QPS = float32(s.EventRecordQPS)
			eventClientConfig.Burst = int(s.EventBurst)
			kcfg.EventClient, err = clientset.NewForConfig(&eventClientConfig)
		}
		if err != nil && len(s.APIServerList) > 0 {
			glog.Warningf("No API client: %v", err)
		}

		if s.CloudProvider == kubeExternal.AutoDetectCloudProvider {
			kcfg.AutoDetectCloudProvider = true
		} else {
			cloud, err := cloudprovider.InitCloudProvider(s.CloudProvider, s.CloudConfigFile)
			if err != nil {
				return err
			}
			if cloud == nil {
				glog.V(2).Infof("No cloud provider specified: %q from the config file: %q\n", s.CloudProvider, s.CloudConfigFile)
			} else {
				glog.V(2).Infof("Successfully initialized cloud provider: %q from the config file: %q\n", s.CloudProvider, s.CloudConfigFile)
				kcfg.Cloud = cloud
			}
		}
	}

	if kcfg.CAdvisorInterface == nil {
		kcfg.CAdvisorInterface, err = cadvisor.New(uint(s.CAdvisorPort), kcfg.ContainerRuntime)
		if err != nil {
			return err
		}
	}

	if kcfg.ContainerManager == nil {
		if kcfg.SystemCgroups != "" && kcfg.CgroupRoot == "" {
			return fmt.Errorf("invalid configuration: system container was specified and cgroup root was not specified")
		}
		kcfg.ContainerManager, err = cm.NewContainerManager(kcfg.Mounter, kcfg.CAdvisorInterface, cm.NodeConfig{
			RuntimeCgroupsName: kcfg.RuntimeCgroups,
			SystemCgroupsName:  kcfg.SystemCgroups,
			KubeletCgroupsName: kcfg.KubeletCgroups,
			ContainerRuntime:   kcfg.ContainerRuntime,
			CgroupsPerQOS:      kcfg.CgroupsPerQOS,
			CgroupRoot:         kcfg.CgroupRoot,
		})
		if err != nil {
			return err
		}
	}

	runtime.ReallyCrash = s.ReallyCrashForTesting
	rand.Seed(time.Now().UTC().UnixNano())

	// TODO(vmarmol): Do this through container config.
	oomAdjuster := kcfg.OOMAdjuster
	if err := oomAdjuster.ApplyOOMScoreAdj(0, int(s.OOMScoreAdj)); err != nil {
//.........这里部分代码省略.........

