UVMContainerID is the ContainerID that will be sent on any prot.MessageBase for V2 where the specific message is targeted at the UVM itself.
const UVMContainerID = "00000000-0000-0000-0000-000000000000"
func GetOrAddNetworkNamespace(id string) *namespace
GetOrAddNetworkNamespace returns the namespace found by `id`, or creates a new one and assigns it `id`.
func RemoveNetworkNamespace(ctx context.Context, id string) (err error)
RemoveNetworkNamespace removes the in-memory `namespace` found by `id`.
// Container is a single container hosted inside the UVM. Instances are
// created by Host.CreateContainer and tracked by Host.
type Container struct {
	// contains filtered or unexported fields
}
func (c *Container) Delete(ctx context.Context) error
func (c *Container) ExecProcess(ctx context.Context, process *oci.Process, conSettings stdio.ConnectionSettings) (int, error)
func (c *Container) GetAllProcessPids(ctx context.Context) ([]int, error)
GetAllProcessPids returns all process pids in the container namespace.
func (c *Container) GetProcess(pid uint32) (Process, error)
GetProcess returns the Process with the matching `pid`. If no process with that `pid` exists, an error is returned.
func (c *Container) GetStats(ctx context.Context) (*v1.Metrics, error)
GetStats returns the cgroup metrics for the container.
func (c *Container) ID() string
func (c *Container) InitProcess() Process
InitProcess returns the container's init process.
func (c *Container) Kill(ctx context.Context, signal syscall.Signal) error
Kill sends 'signal' to the container process.
func (c *Container) Start(ctx context.Context, conSettings stdio.ConnectionSettings) (int, error)
func (c *Container) Update(ctx context.Context, resources interface{}) error
func (c *Container) Wait() prot.NotificationType
Wait waits for the container's init process to exit.
Host is the structure tracking all UVM host state including all containers and processes.
type Host struct {
// contains filtered or unexported fields
}
func NewHost(rtime runtime.Runtime, vsock transport.Transport, initialEnforcer securitypolicy.SecurityPolicyEnforcer, logWriter io.Writer) *Host
func (h *Host) AddContainer(id string, c *Container) error
func (h *Host) CreateContainer(ctx context.Context, id string, settings *prot.VMHostedContainerSettingsV2) (_ *Container, err error)
func (h *Host) ExecProcess(ctx context.Context, containerID string, params prot.ProcessParameters, conSettings stdio.ConnectionSettings) (_ int, err error)
func (h *Host) GetCreatedContainer(id string) (*Container, error)
func (h *Host) GetExternalProcess(pid int) (Process, error)
func (h *Host) GetProperties(ctx context.Context, containerID string, query prot.PropertyQuery) (*prot.PropertiesV2, error)
func (h *Host) GetStacks(ctx context.Context) (string, error)
func (h *Host) InjectFragment(ctx context.Context, fragment *guestresource.LCOWSecurityPolicyFragment) (err error)
InjectFragment extends the current security policy with additional constraints from the incoming fragment. Note that the fragment is base64 encoded over the bridge.
There are three checking steps: (1) unpack the COSE document and verify that it was actually signed by the certificate chain carried in its own header; (2) check that the issuer field's did:x509 identifier refers to that chain (i.e. the fingerprint is of a non-leaf certificate in the chain and the subject matches the leaf certificate); (3) check that this issuer/feed pair satisfies the requirements of the user-provided security policy (done in Rego by LoadFragment). Note that step 1 only proves the document is consistent with the chain it carries; trust in the signer is established by step 3 against the user-provided policy.
func (h *Host) ModifySettings(ctx context.Context, containerID string, req *guestrequest.ModificationRequest) error
func (h *Host) RemoveContainer(id string)
func (h *Host) SecurityPolicyEnforcer() securitypolicy.SecurityPolicyEnforcer
func (h *Host) SetConfidentialUVMOptions(ctx context.Context, r *guestresource.LCOWConfidentialOptions) error
SetConfidentialUVMOptions takes guestresource.LCOWConfidentialOptions and sets up the internal data structures used to store and enforce the security policy. The options can contain the security policy enforcer type, the encoded security policy and signed UVM reference information. The security policy and UVM reference information can later be presented to workload containers for validation and attestation purposes.
func (*Host) Shutdown()
Shutdown terminates this UVM. This is a destructive call and will destroy all state that has not been cleaned before calling this function.
func (h *Host) ShutdownContainer(ctx context.Context, containerID string, graceful bool) error
ShutdownContainer shuts down the container identified by `containerID`. `graceful` selects an orderly rather than an immediate shutdown — confirm the exact signals and timeouts used against the implementation.
func (h *Host) SignalContainerProcess(ctx context.Context, containerID string, processID uint32, signal syscall.Signal) error
func (h *Host) Transport() transport.Transport
// Process is the view of a process tracked by the Host; it is the type
// returned by Container.GetProcess, Container.InitProcess and
// Host.GetExternalProcess.
type Process interface {
	// Kill sends `signal` to the process.
	//
	// If the process has already exited returns `gcserr.HrErrNotFound` by contract.
	Kill(ctx context.Context, signal syscall.Signal) error
	// Pid returns the process id of the process.
	Pid() int
	// ResizeConsole resizes the tty to `height`x`width` for the process.
	ResizeConsole(ctx context.Context, height, width uint16) error
	// Wait returns a channel that can be used to wait for the process to exit
	// and gather the exit code. The second channel must be signaled from the
	// caller when the caller has completed its use of this call to Wait.
	// NOTE(review): a caller that never signals the second channel presumably
	// keeps the implementation's bookkeeping alive — confirm and always signal it.
	Wait() (<-chan int, chan<- bool)
}