本文整理汇总了Golang中github.com/coreos/rkt/pkg/user.NewBlankUidRange函数的典型用法代码示例。如果您正苦于以下问题:Golang NewBlankUidRange函数的具体用法?Golang NewBlankUidRange怎么用?Golang NewBlankUidRange使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了NewBlankUidRange函数的20个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于我们的系统推荐出更棒的Golang代码示例。
示例1: TestCopyTree
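// TestCopyTree checks that CopyTree reproduces a small directory tree when the
// source and destination are given as absolute paths and as relative paths.
func TestCopyTree(t *testing.T) {
	td, err := ioutil.TempDir("", tstprefix)
	if err != nil {
		t.Fatal(err)
	}
	defer os.RemoveAll(td)

	src := filepath.Join(td, "src")
	dst := filepath.Join(td, "dst")
	// Report setup failures through the test framework instead of panicking,
	// so the deferred cleanup still runs and the failure is attributed to
	// this test.
	if err := os.MkdirAll(src, 0755); err != nil {
		t.Fatal(err)
	}

	tr := []tree{
		{path: "dir1", dir: true},
		{path: "dir2", dir: true},
		{path: "dir1/foo", dir: false},
		{path: "dir1/bar", dir: false},
	}
	createTree(t, src, tr)

	// absolute paths
	if err := CopyTree(src, dst, user.NewBlankUidRange()); err != nil {
		t.Fatal(err)
	}
	checkTree(t, dst, tr)

	// relative paths
	//
	// The working directory is process-wide state. Remember it and restore it
	// on exit so later tests do not run inside a directory that the deferred
	// RemoveAll above has deleted. Deferred calls run last-in first-out, so
	// the Chdir back happens before the temporary directory is removed.
	origWd, err := os.Getwd()
	if err != nil {
		t.Fatal(err)
	}
	defer func() {
		if err := os.Chdir(origWd); err != nil {
			t.Errorf("restoring working directory: %v", err)
		}
	}()
	if err := os.Chdir(td); err != nil {
		t.Fatal(err)
	}

	dst = "dst-rel1"
	if err := CopyTree("././src/", dst, user.NewBlankUidRange()); err != nil {
		t.Fatal(err)
	}
	checkTree(t, dst, tr)

	dst = "./dst-rel2"
	if err := CopyTree("./src", dst, user.NewBlankUidRange()); err != nil {
		t.Fatal(err)
	}
	checkTree(t, dst, tr)
}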
开发者ID:intelsdi-x,项目名称:rkt,代码行数:57,代码来源:fileutil_test.go
示例2: ExtractImage
// ExtractImage unpacks the image found at path into the directory dst. If
// fileMap is set, only the files it lists are extracted.
//
// The extraction path depends on the effective UID of the calling process:
// with an effective UID of 0 it calls rkttar.ExtractTar, otherwise it builds a
// UID-shifting permission editor and calls rkttar.ExtractTarInsecure. Both
// calls pass true for the overwrite argument.
//
// NOTE(review): the non-root branch uses the variant named "Insecure". If that
// variant does not confine extraction to dst (for example by chroot), archive
// entries with ".." components or symlinks need to be rejected elsewhere.
// Confirm against the rkttar package before feeding it untrusted images.
func ExtractImage(path, dst string, fileMap map[string]struct{}) error {
	dst, err := filepath.Abs(dst)
	if err != nil {
		return err
	}

	f, err := os.Open(path)
	if err != nil {
		return err
	}
	defer f.Close()

	reader, err := aci.NewCompressedReader(f)
	if err != nil {
		return fmt.Errorf("error decompressing image: %v", err)
	}
	defer reader.Close()

	blankRange := user.NewBlankUidRange()
	if os.Geteuid() != 0 {
		// Unprivileged caller: extract through the permission editor.
		permEditor, err := rkttar.NewUidShiftingFilePermEditor(blankRange)
		if err != nil {
			return fmt.Errorf("error determining current user: %v", err)
		}
		return rkttar.ExtractTarInsecure(tar.NewReader(reader), dst, true, fileMap, permEditor)
	}
	return rkttar.ExtractTar(reader, dst, true, blankRange, fileMap)
}
开发者ID:joshix,项目名称:acbuild,代码行数:31,代码来源:files.go
示例3: CopyToDir
// CopyToDir copies every element named in froms into the directory to, which
// is interpreted relative to the rootfs of the current ACI. The directory is
// created (mode 0755) when it does not exist; an existing non-directory at
// that location is an error.
//
// The ACBuild lock is held for the duration of the call. An unlock failure is
// returned only when the copy itself succeeded.
//
// NOTE(review): to is joined onto the rootfs path with path.Join, which
// collapses ".." components, and nothing here checks that the result is still
// below the rootfs. Confirm that callers validate to.
func (a *ACBuild) CopyToDir(froms []string, to string) (err error) {
	if err = a.lock(); err != nil {
		return err
	}
	defer func() {
		unlockErr := a.unlock()
		if err == nil {
			err = unlockErr
		}
	}()

	target := path.Join(a.CurrentACIPath, aci.RootfsDir, to)
	info, statErr := os.Stat(target)
	if os.IsNotExist(statErr) {
		if mkErr := os.MkdirAll(target, 0755); mkErr != nil {
			return mkErr
		}
	} else if statErr != nil {
		return statErr
	} else if !info.IsDir() {
		return fmt.Errorf("target %q is not a directory", to)
	}

	for _, from := range froms {
		// Only the last path element of the source names the destination.
		_, base := path.Split(from)
		dest := path.Join(target, base)
		if cpErr := fileutil.CopyTree(from, dest, user.NewBlankUidRange()); cpErr != nil {
			return cpErr
		}
	}
	return nil
}
开发者ID:joshix,项目名称:acbuild,代码行数:37,代码来源:copy.go
示例4: extractTarInsecureHelperPWL
// extractTarInsecureHelperPWL is a test helper that extracts the tar stream
// rdr into target through ExtractTarInsecure, with overwrite enabled, the path
// whitelist pwl, and a permission editor built from a blank UID range.
func extractTarInsecureHelperPWL(rdr io.Reader, target string, pwl PathWhitelistMap) error {
	permEditor, err := NewUidShiftingFilePermEditor(user.NewBlankUidRange())
	if err != nil {
		return err
	}
	tr := tar.NewReader(rdr)
	return ExtractTarInsecure(tr, target, true, pwl, permEditor)
}
开发者ID:nak3,项目名称:rkt,代码行数:7,代码来源:tar_test.go
示例5: LoadPod
// LoadPod loads a Pod Manifest (as prepared by stage0), the runtime data, and
// its associated Application Manifests, under $root/stage1/opt/stage1/$apphash
//
// When rp is nil the runtime parameters are read from RuntimeConfigPath under
// root; otherwise *rp is used as given. Every app in the pod manifest must
// have a readable image manifest, and an app name may be defined only once.
// The pod's UidRange is deserialized from its PrivateUsers field as the last
// step.
//
// uuid is dereferenced unconditionally, so it must not be nil.
func LoadPod(root string, uuid *types.UUID, rp *RuntimePod) (*Pod, error) {
	pod := &Pod{
		Root:     root,
		UUID:     *uuid,
		Images:   make(map[string]*schema.ImageManifest),
		UidRange: *user.NewBlankUidRange(),
	}

	// Runtime parameters: taken from the caller, or read from disk.
	if rp == nil {
		raw, err := ioutil.ReadFile(filepath.Join(pod.Root, RuntimeConfigPath))
		if err != nil {
			return nil, errwrap.Wrap(errors.New("failed reading runtime params"), err)
		}
		if err := json.Unmarshal(raw, &pod.RuntimePod); err != nil {
			return nil, errwrap.Wrap(errors.New("failed unmarshalling runtime params"), err)
		}
	} else {
		pod.RuntimePod = *rp
	}

	manifestBytes, err := ioutil.ReadFile(common.PodManifestPath(pod.Root))
	if err != nil {
		return nil, errwrap.Wrap(errors.New("failed reading pod manifest"), err)
	}
	manifest := &schema.PodManifest{}
	if err := json.Unmarshal(manifestBytes, manifest); err != nil {
		return nil, errwrap.Wrap(errors.New("failed unmarshalling pod manifest"), err)
	}
	pod.Manifest = manifest

	for idx, app := range pod.Manifest.Apps {
		imPath := common.ImageManifestPath(pod.Root, app.Name)
		imBytes, err := ioutil.ReadFile(imPath)
		if err != nil {
			return nil, errwrap.Wrap(fmt.Errorf("failed reading image manifest %q", impathLabel(imPath)), err)
		}
		im := &schema.ImageManifest{}
		if err = json.Unmarshal(imBytes, im); err != nil {
			return nil, errwrap.Wrap(fmt.Errorf("failed unmarshalling image manifest %q", impathLabel(imPath)), err)
		}

		name := app.Name.String()
		if _, dup := pod.Images[name]; dup {
			return nil, fmt.Errorf("got multiple definitions for app: %v", app.Name)
		}
		// An app without its own App section inherits the one from its image.
		if app.App == nil {
			pod.Manifest.Apps[idx].App = im.App
		}
		pod.Images[name] = im
	}

	if err := pod.UidRange.Deserialize([]byte(pod.PrivateUsers)); err != nil {
		return nil, err
	}
	return pod, nil
}

// impathLabel returns the image manifest path unchanged; it only names the
// value that is interpolated into LoadPod's error messages.
func impathLabel(p string) string { return p }
开发者ID:intelsdi-x,项目名称:rkt,代码行数:61,代码来源:pod.go
示例6: Run
// Run executes command with args inside chroot by invoking the external
// "acbuild-chroot" helper, with the caller's stdin/stdout/stderr attached.
// The helper's environment contains a single PATH entry built from
// engine.Pathlist; the requested environment is passed on the command line
// through --env rather than through the process environment.
//
// If the chroot has no /etc/resolv.conf, the host's file is copied in for the
// duration of the call and removed again on return.
func (e Engine) Run(command string, args []string, environment types.Environment, chroot, workingDir string) error {
resolvConfFile := filepath.Join(chroot, "/etc/resolv.conf")
// NOTE(review): os.Stat follows symlinks, so a dangling symlink at this path
// is reported as "not exist" and the branch below then creates directories
// and copies a file at a location chosen by the chroot's contents. Confirm
// that CopyTree does not write through such a link to a path outside chroot.
_, err := os.Stat(resolvConfFile)
switch {
case os.IsNotExist(err):
err := os.MkdirAll(filepath.Dir(resolvConfFile), 0755)
if err != nil {
return err
}
err = fileutil.CopyTree("/etc/resolv.conf", resolvConfFile, user.NewBlankUidRange())
if err != nil {
return err
}
// Only the copied file is removed; a directory created by MkdirAll above
// stays in the chroot.
defer os.RemoveAll(resolvConfFile)
case err != nil:
return err
}
// Arguments are flattened into one comma-separated string.
// NOTE(review): an argument that itself contains "," is indistinguishable
// from two arguments after joining, and a leading empty argument is dropped
// because the separator is only added once the string is non-empty. Confirm
// how acbuild-chroot splits --args.
var serializedArgs string
for _, arg := range args {
if serializedArgs != "" {
serializedArgs += ","
}
serializedArgs += arg
}
// Environment variables are flattened the same way, as NAME=VALUE pairs.
// NOTE(review): a value containing "," has the same ambiguity as above.
var serializedEnv string
for _, envvar := range environment {
if serializedEnv != "" {
serializedEnv += ","
}
serializedEnv += envvar.Name + "=" + envvar.Value
}
// Build "PATH=a:b:c" from the engine's fixed path list.
path := "PATH="
for _, p := range engine.Pathlist {
if path != "PATH=" {
path += ":"
}
path += p
}
chrootArgs := []string{
"--cmd", command,
"--chroot", chroot,
"--working-dir", workingDir,
}
if len(serializedArgs) > 0 {
chrootArgs = append(chrootArgs, "--args", serializedArgs)
}
if len(serializedEnv) > 0 {
chrootArgs = append(chrootArgs, "--env", serializedEnv)
}
// The helper name has no path separator, so exec.Command resolves it through
// the PATH of the calling process, not through the PATH assigned to cmd.Env
// below.
cmd := exec.Command("acbuild-chroot", chrootArgs...)
cmd.Stdin = os.Stdin
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
// Replace the inherited environment entirely; only PATH is passed on.
cmd.Env = []string{path}
return cmd.Run()
}
开发者ID:dgonyeo,项目名称:acbuild,代码行数:56,代码来源:chroot.go
示例7: beginFromLocalDirectory
// beginFromLocalDirectory starts a build from the local directory start: it
// creates the current ACI directory (mode 0755), copies start into the ACI's
// rootfs directory, and writes an empty manifest.
func (a *ACBuild) beginFromLocalDirectory(start string) error {
	if err := os.MkdirAll(a.CurrentACIPath, 0755); err != nil {
		return err
	}

	rootfs := path.Join(a.CurrentACIPath, aci.RootfsDir)
	if err := fileutil.CopyTree(start, rootfs, user.NewBlankUidRange()); err != nil {
		return err
	}

	return a.writeEmptyManifest()
}
开发者ID:joshix,项目名称:acbuild,代码行数:13,代码来源:begin.go
示例8: PrepareMountpoints
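// PrepareMountpoints creates and sets permissions for empty volumes.
// If the mountpoint comes from a Docker image and it is an implicit empty
// volume, we copy files from the image to the volume, see
// https://docs.docker.com/engine/userguide/containers/dockervolumes/#data-volumes
//
// Volumes whose Kind is not "empty" are left untouched and nil is returned.
// For empty volumes the directory volPath is created, chowned to the volume's
// UID/GID and chmodded to its mode. When dockerImplicit is set and targetPath
// exists, the mode and ownership are taken from targetPath instead and its
// contents are copied into volPath first.
//
// An error is returned when the volume lacks a mode, UID or GID, when the mode
// is not valid octal, or when any filesystem operation fails.
//
// NOTE(review): os.Stat follows symlinks. If targetPath lies inside an
// image-supplied rootfs, confirm that the caller resolves it so that a symlink
// in the image cannot redirect the stat and the copy to a path outside it.
func PrepareMountpoints(volPath string, targetPath string, vol *types.Volume, dockerImplicit bool) error {
	if vol.Kind != "empty" {
		return nil
	}

	diag.Printf("creating an empty volume folder for sharing: %q", volPath)

	// Mode, UID and GID are pointers; fail with an error instead of a nil
	// pointer panic when a volume reaches this point without them.
	if vol.Mode == nil || vol.UID == nil || vol.GID == nil {
		return fmt.Errorf("empty volume %q is missing mode, uid or gid", vol.Name)
	}

	m, err := strconv.ParseUint(*vol.Mode, 8, 32)
	if err != nil {
		return errwrap.Wrap(fmt.Errorf("invalid mode %q for volume %q", *vol.Mode, vol.Name), err)
	}
	mode := os.FileMode(m)
	uid := *vol.UID
	gid := *vol.GID

	if dockerImplicit {
		if fi, err := os.Stat(targetPath); err == nil {
			// the directory exists in the image, let's set the same
			// permissions and copy files from there to the empty volume
			st, ok := fi.Sys().(*syscall.Stat_t)
			if !ok {
				// Checked assertion: report an unexpected stat payload
				// as an error rather than panicking.
				return fmt.Errorf("cannot determine owner of %q", targetPath)
			}
			mode = fi.Mode()
			uid = int(st.Uid)
			gid = int(st.Gid)
			if err := fileutil.CopyTree(targetPath, volPath, user.NewBlankUidRange()); err != nil {
				return errwrap.Wrap(fmt.Errorf("error copying image files to empty volume %q", volPath), err)
			}
		}
	}

	// Create with a restrictive mode first; the final owner and mode are
	// applied explicitly below, independent of the process umask.
	if err := os.MkdirAll(volPath, 0770); err != nil {
		return errwrap.Wrap(fmt.Errorf("error creating %q", volPath), err)
	}
	if err := os.Chown(volPath, uid, gid); err != nil {
		return errwrap.Wrap(fmt.Errorf("could not change owner of %q", volPath), err)
	}
	if err := os.Chmod(volPath, mode); err != nil {
		return errwrap.Wrap(fmt.Errorf("could not change permissions of %q", volPath), err)
	}
	return nil
}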
开发者ID:nhlfr,项目名称:rkt,代码行数:45,代码来源:mount.go
示例9: CreateBackup
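// CreateBackup backs a directory up in a given directory. It basically
// copies this directory into a given backups directory. The backups
// directory has a simple structure - a directory inside named "0" is
// the most recent backup. A directory name for oldest backup is
// deduced from a given limit. For instance, for limit being 5 the
// name for the oldest backup would be "4". If a backups number
// exceeds the given limit then only newest ones are kept and the rest
// is removed.
//
// The copy is staged in backupsDir/tmp and renamed to backupsDir/0 only after
// older backups have been pruned and shifted. backupsDir is created with mode
// 0750 when missing. The staging directory is removed on every return path,
// including a failed copy.
func CreateBackup(dir, backupsDir string, limit int) error {
	tmpBackupDir := filepath.Join(backupsDir, "tmp")
	if err := os.MkdirAll(backupsDir, 0750); err != nil {
		return err
	}

	// Register the cleanup before copying so that a partially copied tree
	// does not stay behind when CopyTree fails. After a successful rename the
	// path no longer exists and RemoveAll is a no-op.
	defer os.RemoveAll(tmpBackupDir)
	if err := fileutil.CopyTree(dir, tmpBackupDir, user.NewBlankUidRange()); err != nil {
		return err
	}

	// prune backups
	if err := pruneOldBackups(backupsDir, limit-1); err != nil {
		return err
	}
	if err := shiftBackups(backupsDir, limit-2); err != nil {
		return err
	}
	return os.Rename(tmpBackupDir, filepath.Join(backupsDir, "0"))
}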
开发者ID:intelsdi-x,项目名称:rkt,代码行数:29,代码来源:backup.go
示例10: CopyToTarget
// CopyToTarget copies a single file or directory from to the path to, which is
// interpreted relative to the rootfs of the current ACI. The parent directory
// of the destination is created (mode 0755) when needed.
//
// The ACBuild lock is held for the duration of the call. An unlock failure is
// returned only when the copy itself succeeded.
//
// NOTE(review): to is joined onto the rootfs path with path.Join, which
// collapses ".." components, and nothing here checks that the result is still
// below the rootfs. Confirm that callers validate to.
func (a *ACBuild) CopyToTarget(from string, to string) (err error) {
	if err = a.lock(); err != nil {
		return err
	}
	defer func() {
		unlockErr := a.unlock()
		if err == nil {
			err = unlockErr
		}
	}()

	target := path.Join(a.CurrentACIPath, aci.RootfsDir, to)
	if parent, _ := path.Split(target); parent != "" {
		if mkErr := os.MkdirAll(parent, 0755); mkErr != nil {
			return mkErr
		}
	}

	return fileutil.CopyTree(from, target, user.NewBlankUidRange())
}
开发者ID:joshix,项目名称:acbuild,代码行数:24,代码来源:copy.go
示例11: AddApp
func AddApp(cfg AddConfig) error {
// there should be only one app in the config
app := cfg.Apps.Last()
if app == nil {
return errors.New("no image specified")
}
am, err := cfg.Store.GetImageManifest(cfg.Image.String())
if err != nil {
return err
}
var appName *types.ACName
if app.Name != "" {
appName, err = types.NewACName(app.Name)
if err != nil {
return err
}
} else {
appName, err = imageNameToAppName(am.Name)
if err != nil {
return err
}
}
pod, err := pkgPod.PodFromUUIDString(cfg.DataDir, cfg.UUID.String())
if err != nil {
return errwrap.Wrap(errors.New("error loading pod"), err)
}
defer pod.Close()
debug("locking pod manifest")
if err := pod.ExclusiveLockManifest(); err != nil {
return errwrap.Wrap(errors.New("failed to lock pod manifest"), err)
}
defer pod.UnlockManifest()
pm, err := pod.SandboxManifest()
if err != nil {
return errwrap.Wrap(errors.New("cannot add application"), err)
}
if pm.Apps.Get(*appName) != nil {
return fmt.Errorf("error: multiple apps with name %s", *appName)
}
if am.App == nil && app.Exec == "" {
return fmt.Errorf("error: image %s has no app section and --exec argument is not provided", cfg.Image)
}
appInfoDir := common.AppInfoPath(cfg.PodPath, *appName)
if err := os.MkdirAll(appInfoDir, common.DefaultRegularDirPerm); err != nil {
return errwrap.Wrap(errors.New("error creating apps info directory"), err)
}
pcfg := PrepareConfig{
CommonConfig: cfg.CommonConfig,
PrivateUsers: user.NewBlankUidRange(),
}
if cfg.UsesOverlay {
privateUsers, err := preparedWithPrivateUsers(cfg.PodPath)
if err != nil {
log.FatalE("error reading user namespace information", err)
}
if err := pcfg.PrivateUsers.Deserialize([]byte(privateUsers)); err != nil {
return err
}
}
treeStoreID, err := prepareAppImage(pcfg, *appName, cfg.Image, cfg.PodPath, cfg.UsesOverlay)
if err != nil {
return errwrap.Wrap(fmt.Errorf("error preparing image %s", cfg.Image), err)
}
rcfg := RunConfig{
CommonConfig: cfg.CommonConfig,
UseOverlay: cfg.UsesOverlay,
RktGid: cfg.RktGid,
}
if err := setupAppImage(rcfg, *appName, cfg.Image, cfg.PodPath, cfg.UsesOverlay); err != nil {
return fmt.Errorf("error setting up app image: %v", err)
}
if cfg.UsesOverlay {
imgDir := filepath.Join(cfg.PodPath, "overlay", treeStoreID)
if err := os.Chown(imgDir, -1, cfg.RktGid); err != nil {
return err
}
}
ra := schema.RuntimeApp{
Name: *appName,
App: am.App,
Image: schema.RuntimeImage{
Name: &am.Name,
ID: cfg.Image,
Labels: am.Labels,
//.........这里部分代码省略.........
开发者ID:kinvolk,项目名称:rkt,代码行数:101,代码来源:app.go
示例12: runAppSandbox
func runAppSandbox(cmd *cobra.Command, args []string) int {
s, err := imagestore.NewStore(storeDir())
if err != nil {
stderr.PrintE("cannot open store", err)
return 1
}
ts, err := treestore.NewStore(treeStoreDir(), s)
if err != nil {
stderr.PrintE("cannot open treestore", err)
return 1
}
config, err := getConfig()
if err != nil {
stderr.PrintE("cannot get configuration", err)
return 1
}
s1img, err := getStage1Hash(s, ts, config)
if err != nil {
stderr.Error(err)
return 1
}
p, err := pod.NewPod(getDataDir())
if err != nil {
stderr.PrintE("error creating new pod", err)
return 1
}
if flagUUIDFileSave != "" {
if err := pod.WriteUUIDToFile(p.UUID, flagUUIDFileSave); err != nil {
stderr.PrintE("error saving pod UUID to file", err)
return 1
}
}
processLabel, mountLabel, err := label.InitLabels("/var/run/rkt/mcs", []string{})
if err != nil {
stderr.PrintE("error initialising SELinux", err)
return 1
}
p.MountLabel = mountLabel
cfg := stage0.CommonConfig{
DataDir: getDataDir(),
MountLabel: mountLabel,
ProcessLabel: processLabel,
Store: s,
TreeStore: ts,
Stage1Image: *s1img,
UUID: p.UUID,
Debug: globalFlags.Debug,
Mutable: true,
}
ovlOk := true
if err := common.PathSupportsOverlay(getDataDir()); err != nil {
if oerr, ok := err.(common.ErrOverlayUnsupported); ok {
stderr.Printf("disabling overlay support: %q", oerr.Error())
ovlOk = false
} else {
stderr.PrintE("error determining overlay support", err)
return 1
}
}
useOverlay := !flagNoOverlay && ovlOk
pcfg := stage0.PrepareConfig{
CommonConfig: &cfg,
UseOverlay: useOverlay,
PrivateUsers: user.NewBlankUidRange(),
SkipTreeStoreCheck: globalFlags.InsecureFlags.SkipOnDiskCheck(),
Apps: &rktApps,
Ports: []types.ExposedPort(flagAppPorts),
UserAnnotations: parseAnnotations(&flagAnnotations),
UserLabels: parseLabels(&flagLabels),
}
if globalFlags.Debug {
stage0.InitDebug()
}
keyLock, err := lock.SharedKeyLock(lockDir(), common.PrepareLock)
if err != nil {
stderr.PrintE("cannot get shared prepare lock", err)
return 1
}
err = stage0.Prepare(pcfg, p.Path(), p.UUID)
if err != nil {
stderr.PrintE("error setting up stage0", err)
keyLock.Close()
return 1
}
keyLock.Close()
// get the lock fd for run
//.........这里部分代码省略.........
开发者ID:intelsdi-x,项目名称:rkt,代码行数:101,代码来源:app_sandbox.go
示例13: runPrepare
func runPrepare(cmd *cobra.Command, args []string) (exit int) {
var err error
origStdout := os.Stdout
privateUsers := user.NewBlankUidRange()
if flagQuiet {
if os.Stdout, err = os.Open("/dev/null"); err != nil {
stderr.PrintE("unable to open /dev/null", err)
return 254
}
}
if flagStoreOnly && flagNoStore {
stderr.Print("both --store-only and --no-store specified")
return 254
}
if flagPrivateUsers {
if !common.SupportsUserNS() {
stderr.Print("--private-users is not supported, kernel compiled without user namespace support")
return 254
}
privateUsers.SetRandomUidRange(user.DefaultRangeCount)
}
if err = parseApps(&rktApps, args, cmd.Flags(), true); err != nil {
stderr.PrintE("error parsing app image arguments", err)
return 254
}
if len(flagPodManifest) > 0 && (rktApps.Count() > 0 ||
(*appsVolume)(&rktApps).String() != "" || (*appMount)(&rktApps).String() != "" ||
len(flagPorts) > 0 || flagStoreOnly || flagNoStore ||
flagInheritEnv || !flagExplicitEnv.IsEmpty() || !flagEnvFromFile.IsEmpty()) {
stderr.Print("conflicting flags set with --pod-manifest (see --help)")
return 254
}
if rktApps.Count() < 1 && len(flagPodManifest) == 0 {
stderr.Print("must provide at least one image or specify the pod manifest")
return 254
}
s, err := imagestore.NewStore(storeDir())
if err != nil {
stderr.PrintE("cannot open store", err)
return 254
}
ts, err := treestore.NewStore(treeStoreDir(), s)
if err != nil {
stderr.PrintE("cannot open treestore", err)
return 254
}
config, err := getConfig()
if err != nil {
stderr.PrintE("cannot get configuration", err)
return 254
}
s1img, err := getStage1Hash(s, ts, config)
if err != nil {
stderr.Error(err)
return 254
}
fn := &image.Finder{
S: s,
Ts: ts,
Ks: getKeystore(),
Headers: config.AuthPerHost,
DockerAuth: config.DockerCredentialsPerRegistry,
InsecureFlags: globalFlags.InsecureFlags,
Debug: globalFlags.Debug,
TrustKeysFromHTTPS: globalFlags.TrustKeysFromHTTPS,
StoreOnly: flagStoreOnly,
NoStore: flagNoStore,
WithDeps: true,
}
if err := fn.FindImages(&rktApps); err != nil {
stderr.PrintE("error finding images", err)
return 254
}
p, err := pkgPod.NewPod(getDataDir())
if err != nil {
stderr.PrintE("error creating new pod", err)
return 254
}
cfg := stage0.CommonConfig{
DataDir: getDataDir(),
Store: s,
TreeStore: ts,
Stage1Image: *s1img,
UUID: p.UUID,
Debug: globalFlags.Debug,
}
//.........这里部分代码省略.........
开发者ID:intelsdi-x,项目名称:rkt,代码行数:101,代码来源:prepare.go
示例14: appToSystemd
// appToSystemd transforms the provided RuntimeApp+ImageManifest into systemd units
func appToSystemd(p *stage1commontypes.Pod, ra *schema.RuntimeApp, interactive bool, flavor string, privateUsers string) error {
app := ra.App
appName := ra.Name
imgName := p.AppNameToImageName(appName)
if len(app.Exec) == 0 {
return fmt.Errorf(`image %q has an empty "exec" (try --exec=BINARY)`, imgName)
}
workDir := "/"
if app.WorkingDirectory != "" {
workDir = app.WorkingDirectory
}
env := app.Environment
env.Set("AC_APP_NAME", appName.String())
if p.MetadataServiceURL != "" {
env.Set("AC_METADATA_URL", p.MetadataServiceURL)
}
envFilePath := EnvFilePath(p.Root, appName)
uidRange := user.NewBlankUidRange()
if err := uidRange.Deserialize([]byte(privateUsers)); err != nil {
return err
}
if err := writeEnvFile(p, env, appName, uidRange, '\n', envFilePath); err != nil {
return errwrap.Wrap(errors.New("unable to write environment file for systemd"), err)
}
u, g, err := parseUserGroup(p, ra, uidRange)
if err != nil {
return err
}
if err := generateSysusers(p, ra, u, g, uidRange); err != nil {
return errwrap.Wrap(errors.New("unable to generate sysusers"), err)
}
binPath, err := findBinPath(p, appName, *app, workDir, app.Exec[0])
if err != nil {
return err
}
var supplementaryGroups []string
for _, g := range app.SupplementaryGIDs {
supplementaryGroups = append(supplementaryGroups, strconv.Itoa(g))
}
capabilitiesStr, err := getAppCapabilities(app.Isolators)
if err != nil {
return err
}
noNewPrivileges := getAppNoNewPrivileges(app.Isolators)
execStart := append([]string{binPath}, app.Exec[1:]...)
execStartString := quoteExec(execStart)
opts := []*unit.UnitOption{
unit.NewUnitOption("Unit", "Description", fmt.Sprintf("Application=%v Image=%v", appName, imgName)),
unit.NewUnitOption("Unit", "DefaultDependencies", "false"),
unit.NewUnitOption("Unit", "Wants", fmt.Sprintf("reaper-%s.service", appName)),
unit.NewUnitOption("Service", "Restart", "no"),
unit.NewUnitOption("Service", "ExecStart", execStartString),
unit.NewUnitOption("Service", "RootDirectory", common.RelAppRootfsPath(appName)),
// MountFlags=shared creates a new mount namespace and (as unintuitive
// as it might seem) makes sure the mount is slave+shared.
unit.NewUnitOption("Service", "MountFlags", "shared"),
unit.NewUnitOption("Service", "WorkingDirectory", workDir),
unit.NewUnitOption("Service", "EnvironmentFile", RelEnvFilePath(appName)),
unit.NewUnitOption("Service", "User", strconv.Itoa(u)),
unit.NewUnitOption("Service", "Group", strconv.Itoa(g)),
unit.NewUnitOption("Service", "SupplementaryGroups", strings.Join(supplementaryGroups, " ")),
unit.NewUnitOption("Service", "CapabilityBoundingSet", strings.Join(capabilitiesStr, " ")),
unit.NewUnitOption("Service", "NoNewPrivileges", strconv.FormatBool(noNewPrivileges)),
// This helps working around a race
// (https://github.com/systemd/systemd/issues/2913) that causes the
// systemd unit name not getting written to the journal if the unit is
// short-lived and runs as non-root.
unit.NewUnitOption("Service", "SyslogIdentifier", appName.String()),
}
// Restrict access to sensitive paths (eg. procfs)
opts = protectSystemFiles(opts, appName)
if ra.ReadOnlyRootFS {
opts = append(opts, unit.NewUnitOption("Service", "ReadOnlyDirectories", common.RelAppRootfsPath(appName)))
}
// TODO(tmrts): Extract this logic into a utility function.
vols := make(map[types.ACName]types.Volume)
for _, v := range p.Manifest.Volumes {
vols[v.Name] = v
}
absRoot, err := filepath.Abs(p.Root) // Absolute path to the pod's rootfs.
if err != nil {
//.........这里部分代码省略.........
开发者ID:yanghongkjxy,项目名称:rkt,代码行数:101,代码来源:pod.go
示例15: runRun
func runRun(cmd *cobra.Command, args []string) (exit int) {
privateUsers := user.NewBlankUidRange()
err := parseApps(&rktApps, args, cmd.Flags(), true)
if err != nil {
stderr.PrintE("error parsing app image arguments", err)
return 1
}
if flagStoreOnly && flagNoStore {
stderr.Print("both --store-only and --no-store specified")
return 1
}
if flagPrivateUsers {
if !common.SupportsUserNS() {
stderr.Print("--private-users is not supported, kernel compiled without user namespace support")
return 1
}
privateUsers.SetRandomUidRange(user.DefaultRangeCount)
}
if len(flagPorts) > 0 && flagNet.None() {
stderr.Print("--port flag does not work with 'none' networking")
return 1
}
if len(flagPorts) > 0 && flagNet.Host() {
stderr.Print("--port flag does not work with 'host' networking")
return 1
}
if flagMDSRegister && flagNet.None() {
stderr.Print("--mds-register flag does not work with --net=none. Please use 'host', 'default' or an equivalent network")
return 1
}
if len(flagPodManifest) > 0 && (len(flagPorts) > 0 || rktApps.Count() > 0 || flagStoreOnly || flagNoStore ||
flagInheritEnv || !flagExplicitEnv.IsEmpty() || !flagEnvFromFile.IsEmpty() ||
(*appsVolume)(&rktApps).String() != "" || (*appMount)(&rktApps).String() != "" || (*appExec)(&rktApps).String() != "" ||
(*appUser)(&rktApps).String() != "" || (*appGroup)(&rktApps).String() != "" ||
(*appCapsRetain)(&rktApps).String() != "" || (*appCapsRemove)(&rktApps).String() != "") {
stderr.Print("conflicting flags set with --pod-manifest (see --help)")
return 1
}
if flagInteractive && rktApps.Count() > 1 {
stderr.Print("interactive option only supports one image")
return 1
}
if rktApps.Count() < 1 && len(flagPodManifest) == 0 {
stderr.Print("must provide at least one image or specify the pod manifest")
return 1
}
s, err := imagestore.NewStore(storeDir())
if err != nil {
stderr.PrintE("cannot open store", err)
return 1
}
ts, err := treestore.NewStore(treeStoreDir(), s)
if err != nil {
stderr.PrintE("cannot open treestore", err)
return 1
}
config, err := getConfig()
if err != nil {
stderr.PrintE("cannot get configuration", err)
return 1
}
s1img, err := getStage1Hash(s, ts, config)
if err != nil {
stderr.Error(err)
return 1
}
fn := &image.Finder{
S: s,
Ts: ts,
Ks: getKeystore(),
Headers: config.AuthPerHost,
DockerAuth: config.DockerCredentialsPerRegistry,
InsecureFlags: globalFlags.InsecureFlags,
Debug: globalFlags.Debug,
TrustKeysFromHTTPS: globalFlags.TrustKeysFromHTTPS,
StoreOnly: flagStoreOnly,
NoStore: flagNoStore,
WithDeps: true,
}
if err := fn.FindImages(&rktApps); err != nil {
stderr.Error(err)
return 1
}
p, err := newPod()
if err != nil {
stderr.PrintE("error creating new pod", err)
//.........这里部分代码省略.........
开发者ID:yanghongkjxy,项目名称:rkt,代码行数:101,代码来源:run.go
示例16: TestStat
func TestStat(t *testing.T) {
tmp, err := ioutil.TempFile("", "rkt-TestStat-")
if err != nil {
panic(err)
}
defer os.Remove(tmp.Name())
rng := user.NewBlankUidRange()
rng.SetRandomUidRange(100)
u, err := osuser.Current()
if err != nil {
panic(err)
}
procUid, err := strconv.Atoi(u.Uid)
if err != nil {
panic(err)
}
procGid, err := strconv.Atoi(u.Gid)
if err != nil {
panic(err)
}
for i, tt := range []struct {
root, path string
// expected
errIDs, err bool
uid, gid int
}{
{
root: "",
path: "",
err: true,
},
{
root: "unknown",
path: "",
err: true,
},
{
root: "",
path: "unknown",
err: true,
},
{
root: "",
path: tmp.Name(),
uid: procUid,
gid: procGid,
},
{
root: "/",
path: tmp.Name(),
uid: procUid,
gid: procGid,
},
{
root: "unknown",
path: tmp.Name(),
errIDs: true,
uid: -1,
gid: -1,
},
{
root: filepath.Dir(tmp.Name()),
path: "",
err: true,
},
{
root: filepath.Dir(tmp.Name()),
path: "/" + filepath.Base(tmp.Name()),
uid: procUid,
gid: procGid,
},
{
root: filepath.Dir(tmp.Name()),
path: "/unknown",
errIDs: true,
uid: -1,
gid: -1,
},
{
root: filepath.Dir(tmp.Name()),
path: "unknown",
err: true,
},
//.........这里部分代码省略.........
开发者ID:intelsdi-x,项目名称:rkt,代码行数:101,代码来源:resolver_test.go
示例17: extractTarOverwriteHelper
// extractTarOverwriteHelper is a test helper that extracts rdr into target
// through ExtractTar with overwrite enabled, a blank UID range and no path
// whitelist.
func extractTarOverwriteHelper(rdr io.Reader, target string) error {
	blankRange := user.NewBlankUidRange()
	return ExtractTar(rdr, target, true, blankRange, nil)
}
开发者ID:nak3,项目名称:rkt,代码行数:3,代码来源:tar_test.go
示例18: extractTarHelperPWL
// extractTarHelperPWL is a test helper that extracts rdr into target through
// ExtractTar with overwrite disabled, a blank UID range and the path whitelist
// pwl.
func extractTarHelperPWL(rdr io.Reader, target string, pwl PathWhitelistMap) error {
	blankRange := user.NewBlankUidRange()
	return ExtractTar(rdr, target, false, blankRange, pwl)
}
开发者ID:nak3,项目名称:rkt,代码行数:3,代码来源:tar_test.go
示例19: runImageRender
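// runImageRender renders the image named by args[0] (an app name or a hash)
// from the tree store into the output directory args[1]. It returns 0 on
// success and 254 on any failure, including wrong usage.
//
// An existing output directory is replaced only when flagRenderOverwrite is
// set. Unless flagRenderRootfsOnly is set, the image manifest is written next
// to a "rootfs" subdirectory that receives the rendered tree.
func runImageRender(cmd *cobra.Command, args []string) (exit int) {
	if len(args) != 2 {
		cmd.Usage()
		return 254
	}
	outputDir := args[1]

	s, err := imagestore.NewStore(storeDir())
	if err != nil {
		stderr.PrintE("cannot open store", err)
		return 254
	}

	ts, err := treestore.NewStore(treeStoreDir(), s)
	if err != nil {
		// A bare return here would hand back the zero value of exit and
		// report success to the shell; fail with the same code as every
		// other error path.
		stderr.PrintE("cannot open treestore", err)
		return 254
	}

	key, err := getStoreKeyFromAppOrHash(s, args[0])
	if err != nil {
		stderr.Error(err)
		return 254
	}

	id, _, err := ts.Render(key, false)
	if err != nil {
		stderr.PrintE("error rendering ACI", err)
		return 254
	}
	if _, err := ts.Check(id); err != nil {
		stderr.Print("warning: tree cache is in a bad state. Rebuilding...")
		var err error
		if id, _, err = ts.Render(key, true); err != nil {
			stderr.PrintE("error rendering ACI", err)
			return 254
		}
	}

	if _, err := os.Stat(outputDir); err == nil {
		if !flagRenderOverwrite {
			stderr.Print("output directory exists (try --overwrite)")
			return 254
		}

		// don't allow the user to delete the root filesystem by mistake
		//
		// Compare the absolute, cleaned path so that spellings such as "//",
		// "/." or a relative path that resolves to the root are caught too.
		// Symlinks are not resolved here, so a link pointing at "/" is still
		// not detected by this check.
		absOut, err := filepath.Abs(outputDir)
		if err != nil {
			stderr.PrintE("error resolving output directory", err)
			return 254
		}
		if absOut == "/" {
			stderr.Print("this would delete your root filesystem. Refusing.")
			return 254
		}

		if err := os.RemoveAll(outputDir); err != nil {
			stderr.PrintE("error removing existing output dir", err)
			return 254
		}
	}

	rootfsOutDir := outputDir
	if !flagRenderRootfsOnly {
		if err := os.MkdirAll(outputDir, 0755); err != nil {
			stderr.PrintE("error creating output directory", err)
			return 254
		}
		rootfsOutDir = filepath.Join(rootfsOutDir, "rootfs")

		manifest, err := s.GetImageManifest(key)
		if err != nil {
			stderr.PrintE("error getting manifest", err)
			return 254
		}
		mb, err := json.Marshal(manifest)
		if err != nil {
			stderr.PrintE("error marshalling image manifest", err)
			return 254
		}
		// NOTE(review): 0700 sets the execute bit on a data file; confirm
		// whether 0600 was intended.
		if err := ioutil.WriteFile(filepath.Join(outputDir, "manifest"), mb, 0700); err != nil {
			stderr.PrintE("error writing image manifest", err)
			return 254
		}
	}

	cachedTreePath := ts.GetRootFS(id)
	if err := fileutil.CopyTree(cachedTreePath, rootfsOutDir, user.NewBlankUidRange()); err != nil {
		stderr.PrintE("error copying ACI rootfs", err)
		return 254
	}

	return 0
}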
开发者ID:nhlfr,项目名称:rkt,代码行数:90,代码来源:image_render.go
示例20: render
// render renders the ACI with the provided key in the treestore. id references
// that specific tree store rendered image.
// render, to avoid having a rendered ACI with old stale files, requires that
// the destination directory doesn't exist (usually remove should be called
// before render)
//
// On success it returns the tree hash computed by ts.Hash. Besides the
// rendered tree, three marker files are written into the tree directory: the
// hash file, the "rendered" flag file and the image file holding key.
func (ts *Store) render(id string, key string) (string, error) {
treepath := ts.GetPath(id)
// The Stat error is discarded: any failure to stat (not only "does not
// exist") is treated as "path absent" and rendering proceeds.
// NOTE(review): the existence check and the MkdirAll below are separate
// steps; presumably callers serialize renders of the same id with a lock.
// Verify against the callers.
fi, _ := os.Stat(treepath)
if fi != nil {
return "", fmt.Errorf("path %s already exists", treepath)
}
imageID, err := types.NewHash(key)
if err != nil {
return "", errwrap.Wrap(errors.New("cannot convert key to imageID"), err)
}
if err := os.MkdirAll(treepath, 0755); err != nil {
return "", errwrap.Wrap(fmt.Errorf("cannot create treestore directory %s", treepath), err)
}
err = aci.RenderACIWithImageID(*imageID, treepath, ts.store, user.NewBlankUidRange())
if err != nil {
return "", errwrap.Wrap(errors.New("cannot render aci"), err)
}
// The hash is computed over the freshly rendered tree and stored next to it.
hash, err := ts.Hash(id)
if err != nil {
return "", errwrap.Wrap(errors.New("cannot calculate tree hash"), err)
}
err = ioutil.WriteFile(filepath.Join(treepath, hashfilename), []byte(hash), 0644)
if err != nil {
return "", errwrap.Wrap(errors.New("cannot write hash file"), err)
}
// before creating the "rendered" flag file we need to ensure that all data is fsynced
dfd, err := syscall.Open(treepath, syscall.O_RDONLY, 0)
if err != nil {
return "", err
}
// The directory descriptor stays open until return; it is reused for the
// final Fsync below.
defer syscall.Close(dfd)
if err := sys.Syncfs(dfd); err != nil {
return "", errwrap.Wrap(errors.New("failed to sync data"), err)
}
// Create rendered file
f, err := os.Create(filepath.Join(treepath, renderedfilename))
if err != nil {
return "", errwrap.Wrap(errors.New("failed to write rendered file"), err)
}
// The file is empty and only its presence is used here; the Close error is
// not checked.
f.Close()
// Write the hash of the image that will use this tree store
err = ioutil.WriteFile(filepath.Join(treepath, imagefilename), []byte(key), 0644)
if err != nil {
return "", errwrap.Wrap(errors.New("cannot write image file"), err)
}
// Sync the directory itself so the entries for the files created after the
// Syncfs call above are flushed as well.
if err := syscall.Fsync(dfd); err != nil {
return "", errwrap.Wrap(errors.New("failed to sync tree store directory"), err)
}
// TODO(sgotti) this is wrong for various reasons:
// * Doesn't consider that can there can be multiple treestore per ACI
// (and fixing this adding/subtracting sizes is bad since cannot be
// atomic and could bring to duplicated/missing subtractions causing
// wrong sizes)
// * ImageStore and TreeStore are decoupled (TreeStore should just use acirenderer.ACIRegistry interface)
treeSize, err := ts.Size(id)
if err != nil {
return "", err
}
if err := ts.store.UpdateTreeStoreSize(key, treeSize); err != nil {
return "", err
}
return string(hash), nil
}
开发者ID:intelsdi-x,项目名称:rkt,代码行数:73,代码来源:tree.go
注:本文中的github.com/coreos/rkt/pkg/user.NewBlankUidRange函数示例整理自Github/MSDocs等源码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。 |