1 package libcontainer 2 3 import ( 4 "errors" 5 "io" 6 "math" 7 "os" 8 9 "github.com/opencontainers/runc/libcontainer/configs" 10 ) 11 12 var errInvalidProcess = errors.New("invalid process") 13 14 type processOperations interface { 15 wait() (*os.ProcessState, error) 16 signal(sig os.Signal) error 17 pid() int 18 } 19 20 // Process specifies the configuration and IO for a process inside 21 // a container. 22 type Process struct { 23 // The command to be run followed by any arguments. 24 Args []string 25 26 // Env specifies the environment variables for the process. 27 Env []string 28 29 // User will set the uid and gid of the executing process running inside the container 30 // local to the container's user and group configuration. 31 User string 32 33 // AdditionalGroups specifies the gids that should be added to supplementary groups 34 // in addition to those that the user belongs to. 35 AdditionalGroups []string 36 37 // Cwd will change the processes current working directory inside the container's rootfs. 38 Cwd string 39 40 // Stdin is a pointer to a reader which provides the standard input stream. 41 Stdin io.Reader 42 43 // Stdout is a pointer to a writer which receives the standard output stream. 44 Stdout io.Writer 45 46 // Stderr is a pointer to a writer which receives the standard error stream. 47 Stderr io.Writer 48 49 // ExtraFiles specifies additional open files to be inherited by the container 50 ExtraFiles []*os.File 51 52 // Initial sizings for the console 53 ConsoleWidth uint16 54 ConsoleHeight uint16 55 56 // Capabilities specify the capabilities to keep when executing the process inside the container 57 // All capabilities not specified will be dropped from the processes capability mask 58 Capabilities *configs.Capabilities 59 60 // AppArmorProfile specifies the profile to apply to the process and is 61 // changed at the time the process is execed 62 AppArmorProfile string 63 64 // Label specifies the label to apply to the process. It is commonly used by selinux 65 Label string 66 67 // NoNewPrivileges controls whether processes can gain additional privileges. 68 NoNewPrivileges *bool 69 70 // Rlimits specifies the resource limits, such as max open files, to set in the container 71 // If Rlimits are not set, the container will inherit rlimits from the parent process 72 Rlimits []configs.Rlimit 73 74 // ConsoleSocket provides the masterfd console. 75 ConsoleSocket *os.File 76 77 // Init specifies whether the process is the first process in the container. 78 Init bool 79 80 ops processOperations 81 82 LogLevel string 83 84 // SubCgroupPaths specifies sub-cgroups to run the process in. 85 // Map keys are controller names, map values are paths (relative to 86 // container's top-level cgroup). 87 // 88 // If empty, the default top-level container's cgroup is used. 89 // 90 // For cgroup v2, the only key allowed is "". 91 SubCgroupPaths map[string]string 92 } 93 94 // Wait waits for the process to exit. 95 // Wait releases any resources associated with the Process 96 func (p Process) Wait() (*os.ProcessState, error) { 97 if p.ops == nil { 98 return nil, errInvalidProcess 99 } 100 return p.ops.wait() 101 } 102 103 // Pid returns the process ID 104 func (p Process) Pid() (int, error) { 105 // math.MinInt32 is returned here, because it's invalid value 106 // for the kill() system call. 107 if p.ops == nil { 108 return math.MinInt32, errInvalidProcess 109 } 110 return p.ops.pid(), nil 111 } 112 113 // Signal sends a signal to the Process. 114 func (p Process) Signal(sig os.Signal) error { 115 if p.ops == nil { 116 return errInvalidProcess 117 } 118 return p.ops.signal(sig) 119 } 120 121 // IO holds the process's STDIO 122 type IO struct { 123 Stdin io.WriteCloser 124 Stdout io.ReadCloser 125 Stderr io.ReadCloser 126 } 127