mirror of https://github.com/containers/podman.git
309 lines
11 KiB
Go
309 lines
11 KiB
Go
package libkpod
|
|
|
|
import (
|
|
"bytes"
|
|
"io/ioutil"
|
|
|
|
"github.com/BurntSushi/toml"
|
|
"github.com/opencontainers/selinux/go-selinux"
|
|
"github.com/projectatomic/libpod/oci"
|
|
)
|
|
|
|
// Default paths if none are specified
|
|
const (
|
|
crioRoot = "/var/lib/containers/storage"
|
|
crioRunRoot = "/var/run/containers/storage"
|
|
conmonPath = "/usr/local/libexec/crio/conmon"
|
|
pauseImage = "kubernetes/pause"
|
|
pauseCommand = "/pause"
|
|
defaultTransport = "docker://"
|
|
seccompProfilePath = "/etc/crio/seccomp.json"
|
|
apparmorProfileName = "crio-default"
|
|
cniConfigDir = "/etc/cni/net.d/"
|
|
cniBinDir = "/opt/cni/bin/"
|
|
cgroupManager = oci.CgroupfsCgroupsManager
|
|
lockPath = "/run/crio.lock"
|
|
containerExitsDir = oci.ContainerExitsDir
|
|
)
|
|
|
|
// Config represents the entire set of configuration values that can be set for
|
|
// the server. This is intended to be loaded from a toml-encoded config file.
|
|
type Config struct {
|
|
RootConfig
|
|
RuntimeConfig
|
|
ImageConfig
|
|
NetworkConfig
|
|
}
|
|
|
|
// ImageVolumesType describes image volume handling strategies
|
|
type ImageVolumesType string
|
|
|
|
const (
|
|
// ImageVolumesMkdir option is for using mkdir to handle image volumes
|
|
ImageVolumesMkdir ImageVolumesType = "mkdir"
|
|
// ImageVolumesIgnore option is for ignoring image volumes altogether
|
|
ImageVolumesIgnore ImageVolumesType = "ignore"
|
|
// ImageVolumesBind option is for using bind mounted volumes
|
|
ImageVolumesBind ImageVolumesType = "bind"
|
|
)
|
|
|
|
const (
|
|
// DefaultPidsLimit is the default value for maximum number of processes
|
|
// allowed inside a container
|
|
DefaultPidsLimit = 1024
|
|
|
|
// DefaultLogSizeMax is the default value for the maximum log size
|
|
// allowed for a container. Negative values mean that no limit is imposed.
|
|
DefaultLogSizeMax = -1
|
|
)
|
|
|
|
// This structure is necessary to fake the TOML tables when parsing,
|
|
// while also not requiring a bunch of layered structs for no good
|
|
// reason.
|
|
|
|
// RootConfig represents the root of the "crio" TOML config table.
|
|
type RootConfig struct {
|
|
// Root is a path to the "root directory" where data not
|
|
// explicitly handled by other options will be stored.
|
|
Root string `toml:"root"`
|
|
|
|
// RunRoot is a path to the "run directory" where state information not
|
|
// explicitly handled by other options will be stored.
|
|
RunRoot string `toml:"runroot"`
|
|
|
|
// Storage is the name of the storage driver which handles actually
|
|
// storing the contents of containers.
|
|
Storage string `toml:"storage_driver"`
|
|
|
|
// StorageOption is a list of storage driver specific options.
|
|
StorageOptions []string `toml:"storage_option"`
|
|
|
|
// LogDir is the default log directory were all logs will go unless kubelet
|
|
// tells us to put them somewhere else.
|
|
LogDir string `toml:"log_dir"`
|
|
|
|
// FileLocking specifies whether to use file-based or in-memory locking
|
|
// File-based locking is required when multiple users of libkpod are
|
|
// present on the same system
|
|
FileLocking bool `toml:"file_locking"`
|
|
}
|
|
|
|
// RuntimeConfig represents the "crio.runtime" TOML config table.
|
|
type RuntimeConfig struct {
|
|
// Runtime is the OCI compatible runtime used for trusted container workloads.
|
|
// This is a mandatory setting as this runtime will be the default one and
|
|
// will also be used for untrusted container workloads if
|
|
// RuntimeUntrustedWorkload is not set.
|
|
Runtime string `toml:"runtime"`
|
|
|
|
// RuntimeUntrustedWorkload is the OCI compatible runtime used for untrusted
|
|
// container workloads. This is an optional setting, except if
|
|
// DefaultWorkloadTrust is set to "untrusted".
|
|
RuntimeUntrustedWorkload string `toml:"runtime_untrusted_workload"`
|
|
|
|
// DefaultWorkloadTrust is the default level of trust crio puts in container
|
|
// workloads. This can either be "trusted" or "untrusted" and the default
|
|
// is "trusted"
|
|
// Containers can be run through different container runtimes, depending on
|
|
// the trust hints we receive from kubelet:
|
|
// - If kubelet tags a container workload as untrusted, crio will try first
|
|
// to run it through the untrusted container workload runtime. If it is not
|
|
// set, crio will use the trusted runtime.
|
|
// - If kubelet does not provide any information about the container workload trust
|
|
// level, the selected runtime will depend on the DefaultWorkloadTrust setting.
|
|
// If it is set to "untrusted", then all containers except for the host privileged
|
|
// ones, will be run by the RuntimeUntrustedWorkload runtime. Host privileged
|
|
// containers are by definition trusted and will always use the trusted container
|
|
// runtime. If DefaultWorkloadTrust is set to "trusted", crio will use the trusted
|
|
// container runtime for all containers.
|
|
DefaultWorkloadTrust string `toml:"default_workload_trust"`
|
|
|
|
// NoPivot instructs the runtime to not use `pivot_root`, but instead use `MS_MOVE`
|
|
NoPivot bool `toml:"no_pivot"`
|
|
|
|
// Conmon is the path to conmon binary, used for managing the runtime.
|
|
Conmon string `toml:"conmon"`
|
|
|
|
// ConmonEnv is the environment variable list for conmon process.
|
|
ConmonEnv []string `toml:"conmon_env"`
|
|
|
|
// SELinux determines whether or not SELinux is used for pod separation.
|
|
SELinux bool `toml:"selinux"`
|
|
|
|
// SeccompProfile is the seccomp json profile path which is used as the
|
|
// default for the runtime.
|
|
SeccompProfile string `toml:"seccomp_profile"`
|
|
|
|
// ApparmorProfile is the apparmor profile name which is used as the
|
|
// default for the runtime.
|
|
ApparmorProfile string `toml:"apparmor_profile"`
|
|
|
|
// CgroupManager is the manager implementation name which is used to
|
|
// handle cgroups for containers.
|
|
CgroupManager string `toml:"cgroup_manager"`
|
|
|
|
// HooksDirPath location of oci hooks config files
|
|
HooksDirPath string `toml:"hooks_dir_path"`
|
|
|
|
// DefaultMounts is the list of mounts to be mounted for each container
|
|
// The format of each mount is "host-path:container-path"
|
|
DefaultMounts []string `toml:"default_mounts"`
|
|
|
|
// Hooks List of hooks to run with container
|
|
Hooks map[string]HookParams
|
|
|
|
// PidsLimit is the number of processes each container is restricted to
|
|
// by the cgroup process number controller.
|
|
PidsLimit int64 `toml:"pids_limit"`
|
|
|
|
// LogSizeMax is the maximum number of bytes after which the log file
|
|
// will be truncated. It can be expressed as a human-friendly string
|
|
// that is parsed to bytes.
|
|
// Negative values indicate that the log file won't be truncated.
|
|
LogSizeMax int64 `toml:"log_size_max"`
|
|
|
|
// ContainerExitsDir is the directory in which container exit files are
|
|
// written to by conmon.
|
|
ContainerExitsDir string `toml:"container_exits_dir"`
|
|
}
|
|
|
|
// ImageConfig represents the "crio.image" TOML config table.
|
|
type ImageConfig struct {
|
|
// DefaultTransport is a value we prefix to image names that fail to
|
|
// validate source references.
|
|
DefaultTransport string `toml:"default_transport"`
|
|
// PauseImage is the name of an image which we use to instantiate infra
|
|
// containers.
|
|
PauseImage string `toml:"pause_image"`
|
|
// PauseCommand is the path of the binary we run in an infra
|
|
// container that's been instantiated using PauseImage.
|
|
PauseCommand string `toml:"pause_command"`
|
|
// SignaturePolicyPath is the name of the file which decides what sort
|
|
// of policy we use when deciding whether or not to trust an image that
|
|
// we've pulled. Outside of testing situations, it is strongly advised
|
|
// that this be left unspecified so that the default system-wide policy
|
|
// will be used.
|
|
SignaturePolicyPath string `toml:"signature_policy"`
|
|
// InsecureRegistries is a list of registries that must be contacted w/o
|
|
// TLS verification.
|
|
InsecureRegistries []string `toml:"insecure_registries"`
|
|
// ImageVolumes controls how volumes specified in image config are handled
|
|
ImageVolumes ImageVolumesType `toml:"image_volumes"`
|
|
// Registries holds a list of registries used to pull unqualified images
|
|
Registries []string `toml:"registries"`
|
|
}
|
|
|
|
// NetworkConfig represents the "crio.network" TOML config table
|
|
type NetworkConfig struct {
|
|
// NetworkDir is where CNI network configuration files are stored.
|
|
NetworkDir string `toml:"network_dir"`
|
|
|
|
// PluginDir is where CNI plugin binaries are stored.
|
|
PluginDir string `toml:"plugin_dir"`
|
|
}
|
|
|
|
// tomlConfig is another way of looking at a Config, which is
|
|
// TOML-friendly (it has all of the explicit tables). It's just used for
|
|
// conversions.
|
|
type tomlConfig struct {
|
|
Crio struct {
|
|
RootConfig
|
|
Runtime struct{ RuntimeConfig } `toml:"runtime"`
|
|
Image struct{ ImageConfig } `toml:"image"`
|
|
Network struct{ NetworkConfig } `toml:"network"`
|
|
} `toml:"crio"`
|
|
}
|
|
|
|
func (t *tomlConfig) toConfig(c *Config) {
|
|
c.RootConfig = t.Crio.RootConfig
|
|
c.RuntimeConfig = t.Crio.Runtime.RuntimeConfig
|
|
c.ImageConfig = t.Crio.Image.ImageConfig
|
|
c.NetworkConfig = t.Crio.Network.NetworkConfig
|
|
}
|
|
|
|
func (t *tomlConfig) fromConfig(c *Config) {
|
|
t.Crio.RootConfig = c.RootConfig
|
|
t.Crio.Runtime.RuntimeConfig = c.RuntimeConfig
|
|
t.Crio.Image.ImageConfig = c.ImageConfig
|
|
t.Crio.Network.NetworkConfig = c.NetworkConfig
|
|
}
|
|
|
|
// UpdateFromFile populates the Config from the TOML-encoded file at the given path.
|
|
// Returns errors encountered when reading or parsing the files, or nil
|
|
// otherwise.
|
|
func (c *Config) UpdateFromFile(path string) error {
|
|
data, err := ioutil.ReadFile(path)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
t := new(tomlConfig)
|
|
t.fromConfig(c)
|
|
|
|
_, err = toml.Decode(string(data), t)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
t.toConfig(c)
|
|
return nil
|
|
}
|
|
|
|
// ToFile outputs the given Config as a TOML-encoded file at the given path.
|
|
// Returns errors encountered when generating or writing the file, or nil
|
|
// otherwise.
|
|
func (c *Config) ToFile(path string) error {
|
|
var w bytes.Buffer
|
|
e := toml.NewEncoder(&w)
|
|
|
|
t := new(tomlConfig)
|
|
t.fromConfig(c)
|
|
|
|
if err := e.Encode(*t); err != nil {
|
|
return err
|
|
}
|
|
|
|
return ioutil.WriteFile(path, w.Bytes(), 0644)
|
|
}
|
|
|
|
// DefaultConfig returns the default configuration for crio.
|
|
func DefaultConfig() *Config {
|
|
return &Config{
|
|
RootConfig: RootConfig{
|
|
Root: crioRoot,
|
|
RunRoot: crioRunRoot,
|
|
LogDir: "/var/log/crio/pods",
|
|
FileLocking: true,
|
|
},
|
|
RuntimeConfig: RuntimeConfig{
|
|
Runtime: "/usr/bin/runc",
|
|
RuntimeUntrustedWorkload: "",
|
|
DefaultWorkloadTrust: "trusted",
|
|
|
|
Conmon: conmonPath,
|
|
ConmonEnv: []string{
|
|
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
|
|
},
|
|
SELinux: selinux.GetEnabled(),
|
|
SeccompProfile: seccompProfilePath,
|
|
ApparmorProfile: apparmorProfileName,
|
|
CgroupManager: cgroupManager,
|
|
PidsLimit: DefaultPidsLimit,
|
|
ContainerExitsDir: containerExitsDir,
|
|
HooksDirPath: DefaultHooksDirPath,
|
|
LogSizeMax: DefaultLogSizeMax,
|
|
},
|
|
ImageConfig: ImageConfig{
|
|
DefaultTransport: defaultTransport,
|
|
PauseImage: pauseImage,
|
|
PauseCommand: pauseCommand,
|
|
SignaturePolicyPath: "",
|
|
ImageVolumes: ImageVolumesMkdir,
|
|
},
|
|
NetworkConfig: NetworkConfig{
|
|
NetworkDir: cniConfigDir,
|
|
PluginDir: cniBinDir,
|
|
},
|
|
}
|
|
}
|