summaryrefslogtreecommitdiff
path: root/libkpod/config.go
diff options
context:
space:
mode:
Diffstat (limited to 'libkpod/config.go')
-rw-r--r--libkpod/config.go308
1 files changed, 308 insertions, 0 deletions
diff --git a/libkpod/config.go b/libkpod/config.go
new file mode 100644
index 000000000..687b4b380
--- /dev/null
+++ b/libkpod/config.go
@@ -0,0 +1,308 @@
+package libkpod
+
+import (
+ "bytes"
+ "io/ioutil"
+
+ "github.com/BurntSushi/toml"
+ "github.com/kubernetes-incubator/cri-o/oci"
+ "github.com/opencontainers/selinux/go-selinux"
+)
+
+// Default paths if none are specified
+const (
+ crioRoot = "/var/lib/containers/storage"
+ crioRunRoot = "/var/run/containers/storage"
+ conmonPath = "/usr/local/libexec/crio/conmon"
+ pauseImage = "kubernetes/pause"
+ pauseCommand = "/pause"
+ defaultTransport = "docker://"
+ seccompProfilePath = "/etc/crio/seccomp.json"
+ apparmorProfileName = "crio-default"
+ cniConfigDir = "/etc/cni/net.d/"
+ cniBinDir = "/opt/cni/bin/"
+ cgroupManager = oci.CgroupfsCgroupsManager
+ lockPath = "/run/crio.lock"
+ containerExitsDir = oci.ContainerExitsDir
+)
+
+// Config represents the entire set of configuration values that can be set for
+// the server. This is intended to be loaded from a toml-encoded config file.
+type Config struct {
+ RootConfig
+ RuntimeConfig
+ ImageConfig
+ NetworkConfig
+}
+
+// ImageVolumesType describes image volume handling strategies
+type ImageVolumesType string
+
+const (
+ // ImageVolumesMkdir option is for using mkdir to handle image volumes
+ ImageVolumesMkdir ImageVolumesType = "mkdir"
+ // ImageVolumesIgnore option is for ignoring image volumes altogether
+ ImageVolumesIgnore ImageVolumesType = "ignore"
+ // ImageVolumesBind option is for using bind mounted volumes
+ ImageVolumesBind ImageVolumesType = "bind"
+)
+
+const (
+ // DefaultPidsLimit is the default value for maximum number of processes
+ // allowed inside a container
+ DefaultPidsLimit = 1024
+
+ // DefaultLogSizeMax is the default value for the maximum log size
+ // allowed for a container. Negative values mean that no limit is imposed.
+ DefaultLogSizeMax = -1
+)
+
+// This structure is necessary to fake the TOML tables when parsing,
+// while also not requiring a bunch of layered structs for no good
+// reason.
+
+// RootConfig represents the root of the "crio" TOML config table.
+type RootConfig struct {
+ // Root is a path to the "root directory" where data not
+ // explicitly handled by other options will be stored.
+ Root string `toml:"root"`
+
+ // RunRoot is a path to the "run directory" where state information not
+ // explicitly handled by other options will be stored.
+ RunRoot string `toml:"runroot"`
+
+ // Storage is the name of the storage driver which handles actually
+ // storing the contents of containers.
+ Storage string `toml:"storage_driver"`
+
+ // StorageOption is a list of storage driver specific options.
+ StorageOptions []string `toml:"storage_option"`
+
+ // LogDir is the default log directory were all logs will go unless kubelet
+ // tells us to put them somewhere else.
+ LogDir string `toml:"log_dir"`
+
+ // FileLocking specifies whether to use file-based or in-memory locking
+ // File-based locking is required when multiple users of libkpod are
+ // present on the same system
+ FileLocking bool `toml:"file_locking"`
+}
+
+// RuntimeConfig represents the "crio.runtime" TOML config table.
+type RuntimeConfig struct {
+ // Runtime is the OCI compatible runtime used for trusted container workloads.
+ // This is a mandatory setting as this runtime will be the default one and
+ // will also be used for untrusted container workloads if
+ // RuntimeUntrustedWorkload is not set.
+ Runtime string `toml:"runtime"`
+
+ // RuntimeUntrustedWorkload is the OCI compatible runtime used for untrusted
+ // container workloads. This is an optional setting, except if
+ // DefaultWorkloadTrust is set to "untrusted".
+ RuntimeUntrustedWorkload string `toml:"runtime_untrusted_workload"`
+
+ // DefaultWorkloadTrust is the default level of trust crio puts in container
+ // workloads. This can either be "trusted" or "untrusted" and the default
+ // is "trusted"
+ // Containers can be run through different container runtimes, depending on
+ // the trust hints we receive from kubelet:
+ // - If kubelet tags a container workload as untrusted, crio will try first
+ // to run it through the untrusted container workload runtime. If it is not
+ // set, crio will use the trusted runtime.
+ // - If kubelet does not provide any information about the container workload trust
+ // level, the selected runtime will depend on the DefaultWorkloadTrust setting.
+ // If it is set to "untrusted", then all containers except for the host privileged
+ // ones, will be run by the RuntimeUntrustedWorkload runtime. Host privileged
+ // containers are by definition trusted and will always use the trusted container
+ // runtime. If DefaultWorkloadTrust is set to "trusted", crio will use the trusted
+ // container runtime for all containers.
+ DefaultWorkloadTrust string `toml:"default_workload_trust"`
+
+ // NoPivot instructs the runtime to not use `pivot_root`, but instead use `MS_MOVE`
+ NoPivot bool `toml:"no_pivot"`
+
+ // Conmon is the path to conmon binary, used for managing the runtime.
+ Conmon string `toml:"conmon"`
+
+ // ConmonEnv is the environment variable list for conmon process.
+ ConmonEnv []string `toml:"conmon_env"`
+
+ // SELinux determines whether or not SELinux is used for pod separation.
+ SELinux bool `toml:"selinux"`
+
+ // SeccompProfile is the seccomp json profile path which is used as the
+ // default for the runtime.
+ SeccompProfile string `toml:"seccomp_profile"`
+
+ // ApparmorProfile is the apparmor profile name which is used as the
+ // default for the runtime.
+ ApparmorProfile string `toml:"apparmor_profile"`
+
+ // CgroupManager is the manager implementation name which is used to
+ // handle cgroups for containers.
+ CgroupManager string `toml:"cgroup_manager"`
+
+ // HooksDirPath location of oci hooks config files
+ HooksDirPath string `toml:"hooks_dir_path"`
+
+ // DefaultMounts is the list of mounts to be mounted for each container
+ // The format of each mount is "host-path:container-path"
+ DefaultMounts []string `toml:"default_mounts"`
+
+ // Hooks List of hooks to run with container
+ Hooks map[string]HookParams
+
+ // PidsLimit is the number of processes each container is restricted to
+ // by the cgroup process number controller.
+ PidsLimit int64 `toml:"pids_limit"`
+
+ // LogSizeMax is the maximum number of bytes after which the log file
+ // will be truncated. It can be expressed as a human-friendly string
+ // that is parsed to bytes.
+ // Negative values indicate that the log file won't be truncated.
+ LogSizeMax int64 `toml:"log_size_max"`
+
+ // ContainerExitsDir is the directory in which container exit files are
+ // written to by conmon.
+ ContainerExitsDir string `toml:"container_exits_dir"`
+}
+
+// ImageConfig represents the "crio.image" TOML config table.
+type ImageConfig struct {
+ // DefaultTransport is a value we prefix to image names that fail to
+ // validate source references.
+ DefaultTransport string `toml:"default_transport"`
+ // PauseImage is the name of an image which we use to instantiate infra
+ // containers.
+ PauseImage string `toml:"pause_image"`
+ // PauseCommand is the path of the binary we run in an infra
+ // container that's been instantiated using PauseImage.
+ PauseCommand string `toml:"pause_command"`
+ // SignaturePolicyPath is the name of the file which decides what sort
+ // of policy we use when deciding whether or not to trust an image that
+ // we've pulled. Outside of testing situations, it is strongly advised
+ // that this be left unspecified so that the default system-wide policy
+ // will be used.
+ SignaturePolicyPath string `toml:"signature_policy"`
+ // InsecureRegistries is a list of registries that must be contacted w/o
+ // TLS verification.
+ InsecureRegistries []string `toml:"insecure_registries"`
+ // ImageVolumes controls how volumes specified in image config are handled
+ ImageVolumes ImageVolumesType `toml:"image_volumes"`
+ // Registries holds a list of registries used to pull unqualified images
+ Registries []string `toml:"registries"`
+}
+
+// NetworkConfig represents the "crio.network" TOML config table
+type NetworkConfig struct {
+ // NetworkDir is where CNI network configuration files are stored.
+ NetworkDir string `toml:"network_dir"`
+
+ // PluginDir is where CNI plugin binaries are stored.
+ PluginDir string `toml:"plugin_dir"`
+}
+
+// tomlConfig is another way of looking at a Config, which is
+// TOML-friendly (it has all of the explicit tables). It's just used for
+// conversions.
+type tomlConfig struct {
+ Crio struct {
+ RootConfig
+ Runtime struct{ RuntimeConfig } `toml:"runtime"`
+ Image struct{ ImageConfig } `toml:"image"`
+ Network struct{ NetworkConfig } `toml:"network"`
+ } `toml:"crio"`
+}
+
+func (t *tomlConfig) toConfig(c *Config) {
+ c.RootConfig = t.Crio.RootConfig
+ c.RuntimeConfig = t.Crio.Runtime.RuntimeConfig
+ c.ImageConfig = t.Crio.Image.ImageConfig
+ c.NetworkConfig = t.Crio.Network.NetworkConfig
+}
+
+func (t *tomlConfig) fromConfig(c *Config) {
+ t.Crio.RootConfig = c.RootConfig
+ t.Crio.Runtime.RuntimeConfig = c.RuntimeConfig
+ t.Crio.Image.ImageConfig = c.ImageConfig
+ t.Crio.Network.NetworkConfig = c.NetworkConfig
+}
+
+// UpdateFromFile populates the Config from the TOML-encoded file at the given path.
+// Returns errors encountered when reading or parsing the files, or nil
+// otherwise.
+func (c *Config) UpdateFromFile(path string) error {
+ data, err := ioutil.ReadFile(path)
+ if err != nil {
+ return err
+ }
+
+ t := new(tomlConfig)
+ t.fromConfig(c)
+
+ _, err = toml.Decode(string(data), t)
+ if err != nil {
+ return err
+ }
+
+ t.toConfig(c)
+ return nil
+}
+
+// ToFile outputs the given Config as a TOML-encoded file at the given path.
+// Returns errors encountered when generating or writing the file, or nil
+// otherwise.
+func (c *Config) ToFile(path string) error {
+ var w bytes.Buffer
+ e := toml.NewEncoder(&w)
+
+ t := new(tomlConfig)
+ t.fromConfig(c)
+
+ if err := e.Encode(*t); err != nil {
+ return err
+ }
+
+ return ioutil.WriteFile(path, w.Bytes(), 0644)
+}
+
+// DefaultConfig returns the default configuration for crio.
+func DefaultConfig() *Config {
+ return &Config{
+ RootConfig: RootConfig{
+ Root: crioRoot,
+ RunRoot: crioRunRoot,
+ LogDir: "/var/log/crio/pods",
+ FileLocking: true,
+ },
+ RuntimeConfig: RuntimeConfig{
+ Runtime: "/usr/bin/runc",
+ RuntimeUntrustedWorkload: "",
+ DefaultWorkloadTrust: "trusted",
+
+ Conmon: conmonPath,
+ ConmonEnv: []string{
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ },
+ SELinux: selinux.GetEnabled(),
+ SeccompProfile: seccompProfilePath,
+ ApparmorProfile: apparmorProfileName,
+ CgroupManager: cgroupManager,
+ PidsLimit: DefaultPidsLimit,
+ ContainerExitsDir: containerExitsDir,
+ HooksDirPath: DefaultHooksDirPath,
+ LogSizeMax: DefaultLogSizeMax,
+ },
+ ImageConfig: ImageConfig{
+ DefaultTransport: defaultTransport,
+ PauseImage: pauseImage,
+ PauseCommand: pauseCommand,
+ SignaturePolicyPath: "",
+ ImageVolumes: ImageVolumesMkdir,
+ },
+ NetworkConfig: NetworkConfig{
+ NetworkDir: cniConfigDir,
+ PluginDir: cniBinDir,
+ },
+ }
+}