Repository: opencontainers/runc
Branch: main
Commit: 837e98c98422
Files: 1355
Total size: 13.4 MB
Directory structure:
gitextract_htlb8dez/
├── .cirrus.yml
├── .clang-format
├── .codespellrc
├── .editorconfig
├── .github/
│ ├── ISSUE_TEMPLATE/
│ │ ├── bug_report.yaml
│ │ └── config.yml
│ ├── dependabot.yml
│ └── workflows/
│ ├── scheduled.yml
│ ├── test.yml
│ └── validate.yml
├── .gitignore
├── .golangci-extra.yml
├── .golangci.yml
├── CHANGELOG.md
├── CONTRIBUTING.md
├── Dockerfile
├── EMERITUS.md
├── LICENSE
├── MAINTAINERS
├── MAINTAINERS_GUIDE.md
├── Makefile
├── NOTICE
├── PRINCIPLES.md
├── README.md
├── RELEASES.md
├── SECURITY.md
├── VERSION
├── checkpoint.go
├── contrib/
│ └── completions/
│ └── bash/
│ └── runc
├── create.go
├── delete.go
├── docs/
│ ├── cgroup-v2.md
│ ├── checkpoint-restore.md
│ ├── deprecated.md
│ ├── experimental.md
│ ├── spec-conformance.md
│ ├── systemd.md
│ └── terminals.md
├── events.go
├── exec.go
├── features.go
├── go.mod
├── go.sum
├── init.go
├── internal/
│ ├── linux/
│ │ ├── doc.go
│ │ ├── eintr.go
│ │ └── linux.go
│ ├── pathrs/
│ │ ├── doc.go
│ │ ├── mkdirall.go
│ │ ├── mkdirall_pathrslite.go
│ │ ├── path.go
│ │ ├── path_test.go
│ │ ├── procfs_pathrslite.go
│ │ ├── retry.go
│ │ └── root_pathrslite.go
│ ├── sys/
│ │ ├── doc.go
│ │ ├── opath_linux.go
│ │ ├── sysctl_linux.go
│ │ └── verify_inode_unix.go
│ └── third_party/
│ └── systemd/
│ └── activation/
│ └── files_unix.go
├── kill.go
├── libcontainer/
│ ├── README.md
│ ├── SPEC.md
│ ├── apparmor/
│ │ ├── apparmor.go
│ │ ├── apparmor_linux.go
│ │ └── apparmor_unsupported.go
│ ├── capabilities/
│ │ ├── capabilities.go
│ │ ├── capabilities_linux_test.go
│ │ └── capabilities_unsupported.go
│ ├── cmd_clone.go
│ ├── configs/
│ │ ├── config.go
│ │ ├── config_linux.go
│ │ ├── config_linux_test.go
│ │ ├── config_test.go
│ │ ├── configs_fuzzer.go
│ │ ├── doc.go
│ │ ├── intelrdt.go
│ │ ├── memorypolicy.go
│ │ ├── mount.go
│ │ ├── mount_linux.go
│ │ ├── mount_unsupported.go
│ │ ├── namespaces.go
│ │ ├── namespaces_linux.go
│ │ ├── namespaces_syscall.go
│ │ ├── namespaces_syscall_unsupported.go
│ │ ├── namespaces_unsupported.go
│ │ ├── netdevices.go
│ │ ├── network.go
│ │ ├── tocpuset_test.go
│ │ └── validate/
│ │ ├── doc.go
│ │ ├── intelrdt.go
│ │ ├── intelrdt_test.go
│ │ ├── rootless.go
│ │ ├── rootless_test.go
│ │ ├── validator.go
│ │ └── validator_test.go
│ ├── console_linux.go
│ ├── container.go
│ ├── container_linux.go
│ ├── container_linux_test.go
│ ├── criu_disabled_linux.go
│ ├── criu_linux.go
│ ├── criu_opts_linux.go
│ ├── devices/
│ │ ├── device_unix.go
│ │ ├── device_unix_test.go
│ │ └── doc.go
│ ├── env.go
│ ├── env_test.go
│ ├── error.go
│ ├── example_test.go
│ ├── exeseal/
│ │ ├── cloned_binary_linux.go
│ │ ├── doc.go
│ │ └── overlayfs_linux.go
│ ├── factory_linux.go
│ ├── factory_linux_test.go
│ ├── init_linux.go
│ ├── integration/
│ │ ├── bench_test.go
│ │ ├── checkpoint_test.go
│ │ ├── doc.go
│ │ ├── exec_test.go
│ │ ├── execin_test.go
│ │ ├── init_test.go
│ │ ├── seccomp_test.go
│ │ ├── template_test.go
│ │ ├── update_test.go
│ │ └── utils_test.go
│ ├── intelrdt/
│ │ ├── cmt.go
│ │ ├── cmt_test.go
│ │ ├── intelrdt.go
│ │ ├── intelrdt_test.go
│ │ ├── mbm.go
│ │ ├── mbm_test.go
│ │ ├── monitoring.go
│ │ ├── monitoring_test.go
│ │ ├── stats.go
│ │ └── util_test.go
│ ├── internal/
│ │ └── userns/
│ │ ├── doc.go
│ │ ├── userns_maps_linux.c
│ │ ├── userns_maps_linux.go
│ │ ├── usernsfd_linux.go
│ │ └── usernsfd_linux_test.go
│ ├── keys/
│ │ └── keyctl.go
│ ├── logs/
│ │ ├── logs.go
│ │ └── logs_linux_test.go
│ ├── message_linux.go
│ ├── mount_linux.go
│ ├── mount_linux_test.go
│ ├── network_linux.go
│ ├── notify_linux.go
│ ├── notify_linux_test.go
│ ├── notify_v2_linux.go
│ ├── nsenter/
│ │ ├── README.md
│ │ ├── escape.c
│ │ ├── getenv.c
│ │ ├── getenv.h
│ │ ├── log.c
│ │ ├── log.h
│ │ ├── namespace.h
│ │ ├── nsenter.go
│ │ ├── nsenter_gccgo.go
│ │ ├── nsenter_test.go
│ │ ├── nsexec.c
│ │ └── test/
│ │ ├── escape.go
│ │ └── escape_test.go
│ ├── process.go
│ ├── process_linux.go
│ ├── restored_process.go
│ ├── rootfs_linux.go
│ ├── rootfs_linux_test.go
│ ├── seccomp/
│ │ ├── config.go
│ │ ├── doc.go
│ │ ├── patchbpf/
│ │ │ ├── doc.go
│ │ │ ├── enosys_linux.go
│ │ │ ├── enosys_linux_test.go
│ │ │ └── enosys_unsupported.go
│ │ ├── seccomp_linux.go
│ │ └── seccomp_unsupported.go
│ ├── setns_init_linux.go
│ ├── specconv/
│ │ ├── example.go
│ │ ├── spec_linux.go
│ │ └── spec_linux_test.go
│ ├── standard_init_linux.go
│ ├── state_linux.go
│ ├── state_linux_test.go
│ ├── stats_linux.go
│ ├── sync.go
│ ├── sync_unix.go
│ ├── system/
│ │ ├── doc.go
│ │ ├── kernelversion/
│ │ │ ├── kernel_linux.go
│ │ │ └── kernel_linux_test.go
│ │ ├── linux.go
│ │ ├── proc.go
│ │ ├── proc_test.go
│ │ └── rlimit_linux.go
│ └── utils/
│ ├── cmsg.go
│ ├── utils.go
│ ├── utils_test.go
│ └── utils_unix.go
├── list.go
├── main.go
├── man/
│ ├── README.md
│ ├── md2man-all.sh
│ ├── runc-checkpoint.8.md
│ ├── runc-create.8.md
│ ├── runc-delete.8.md
│ ├── runc-events.8.md
│ ├── runc-exec.8.md
│ ├── runc-kill.8.md
│ ├── runc-list.8.md
│ ├── runc-pause.8.md
│ ├── runc-ps.8.md
│ ├── runc-restore.8.md
│ ├── runc-resume.8.md
│ ├── runc-run.8.md
│ ├── runc-spec.8.md
│ ├── runc-start.8.md
│ ├── runc-state.8.md
│ ├── runc-update.8.md
│ └── runc.8.md
├── notify_socket.go
├── notify_socket_test.go
├── pause.go
├── ps.go
├── restore.go
├── rlimit_linux.go
├── rootless_linux.go
├── run.go
├── runc.keyring
├── script/
│ ├── build-libpathrs.sh
│ ├── build-seccomp.sh
│ ├── check-config.sh
│ ├── keyring_addkey.sh
│ ├── keyring_validate.sh
│ ├── lib.sh
│ ├── prepare-cgroup-v2.sh
│ ├── release_build.sh
│ ├── release_sign.sh
│ ├── setup_host_fedora.sh
│ └── setup_rootless.sh
├── signals.go
├── spec.go
├── start.go
├── state.go
├── tests/
│ ├── cmd/
│ │ ├── README.md
│ │ ├── fs-idmap/
│ │ │ └── fs-idmap.go
│ │ ├── key_label/
│ │ │ └── key_label.go
│ │ ├── pidfd-kill/
│ │ │ └── pidfd-kill.go
│ │ ├── recvtty/
│ │ │ └── recvtty.go
│ │ ├── remap-rootfs/
│ │ │ └── remap-rootfs.go
│ │ ├── sd-helper/
│ │ │ └── helper.go
│ │ └── seccompagent/
│ │ ├── README.md
│ │ ├── gen-seccomp-example-cfg.sh
│ │ ├── seccompagent.go
│ │ └── unsupported.go
│ ├── fuzzing/
│ │ └── oss_fuzz_build.sh
│ ├── integration/
│ │ ├── README.md
│ │ ├── bootstrap-get-images.sh
│ │ ├── capabilities.bats
│ │ ├── cgroup_delegation.bats
│ │ ├── cgroups.bats
│ │ ├── checkpoint.bats
│ │ ├── cpu_affinity.bats
│ │ ├── create.bats
│ │ ├── cwd.bats
│ │ ├── debug.bats
│ │ ├── delete.bats
│ │ ├── dev.bats
│ │ ├── env.bats
│ │ ├── events.bats
│ │ ├── exec.bats
│ │ ├── get-images.sh
│ │ ├── help.bats
│ │ ├── helpers.bash
│ │ ├── hooks.bats
│ │ ├── hooks_so.bats
│ │ ├── host-mntns.bats
│ │ ├── idmap.bats
│ │ ├── ioprio.bats
│ │ ├── kill.bats
│ │ ├── list.bats
│ │ ├── mask.bats
│ │ ├── memorypolicy.bats
│ │ ├── mounts.bats
│ │ ├── mounts_propagation.bats
│ │ ├── mounts_recursive.bats
│ │ ├── mounts_sshfs.bats
│ │ ├── netdev.bats
│ │ ├── no_pivot.bats
│ │ ├── pause.bats
│ │ ├── personality.bats
│ │ ├── pidfd-socket.bats
│ │ ├── ps.bats
│ │ ├── rlimits.bats
│ │ ├── root.bats
│ │ ├── run.bats
│ │ ├── scheduler.bats
│ │ ├── seccomp-notify-compat.bats
│ │ ├── seccomp-notify.bats
│ │ ├── seccomp.bats
│ │ ├── selinux.bats
│ │ ├── spec.bats
│ │ ├── start.bats
│ │ ├── start_detached.bats
│ │ ├── start_hello.bats
│ │ ├── state.bats
│ │ ├── testdata/
│ │ │ ├── .gitignore
│ │ │ ├── dev_access_test.c
│ │ │ ├── seccomp_syscall_test1.c
│ │ │ ├── seccomp_syscall_test1.json
│ │ │ ├── seccomp_syscall_test2.c
│ │ │ └── seccomp_syscall_test2.json
│ │ ├── timens.bats
│ │ ├── tty.bats
│ │ ├── umask.bats
│ │ ├── update.bats
│ │ ├── userns.bats
│ │ └── version.bats
│ └── rootless.sh
├── tty.go
├── types/
│ ├── events.go
│ └── features/
│ └── features.go
├── update.go
├── utils.go
├── utils_linux.go
└── vendor/
├── cyphar.com/
│ └── go-pathrs/
│ ├── .golangci.yml
│ ├── COPYING
│ ├── doc.go
│ ├── handle_linux.go
│ ├── internal/
│ │ ├── fdutils/
│ │ │ └── fd_linux.go
│ │ └── libpathrs/
│ │ ├── error_unix.go
│ │ └── libpathrs_linux.go
│ ├── procfs/
│ │ └── procfs_linux.go
│ ├── root_linux.go
│ └── utils_linux.go
├── github.com/
│ ├── checkpoint-restore/
│ │ └── go-criu/
│ │ └── v7/
│ │ ├── .gitignore
│ │ ├── .golangci.yml
│ │ ├── LICENSE
│ │ ├── MAINTAINERS
│ │ ├── Makefile
│ │ ├── README.md
│ │ ├── codecov.yml
│ │ ├── features.go
│ │ ├── main.go
│ │ ├── notify.go
│ │ └── rpc/
│ │ ├── rpc.pb.go
│ │ └── rpc.proto
│ ├── cilium/
│ │ └── ebpf/
│ │ ├── .clang-format
│ │ ├── .gitattributes
│ │ ├── .gitignore
│ │ ├── .golangci.yaml
│ │ ├── .vimto.toml
│ │ ├── CODEOWNERS
│ │ ├── CODE_OF_CONDUCT.md
│ │ ├── CONTRIBUTING.md
│ │ ├── LICENSE
│ │ ├── MAINTAINERS.md
│ │ ├── Makefile
│ │ ├── README.md
│ │ ├── asm/
│ │ │ ├── alu.go
│ │ │ ├── alu_string.go
│ │ │ ├── doc.go
│ │ │ ├── func.go
│ │ │ ├── func_string.go
│ │ │ ├── instruction.go
│ │ │ ├── jump.go
│ │ │ ├── jump_string.go
│ │ │ ├── load_store.go
│ │ │ ├── load_store_string.go
│ │ │ ├── metadata.go
│ │ │ ├── opcode.go
│ │ │ ├── opcode_string.go
│ │ │ └── register.go
│ │ ├── attachtype_string.go
│ │ ├── btf/
│ │ │ ├── btf.go
│ │ │ ├── btf_types.go
│ │ │ ├── btf_types_string.go
│ │ │ ├── core.go
│ │ │ ├── doc.go
│ │ │ ├── ext_info.go
│ │ │ ├── feature.go
│ │ │ ├── format.go
│ │ │ ├── handle.go
│ │ │ ├── kernel.go
│ │ │ ├── marshal.go
│ │ │ ├── strings.go
│ │ │ ├── traversal.go
│ │ │ ├── types.go
│ │ │ └── workarounds.go
│ │ ├── collection.go
│ │ ├── cpu.go
│ │ ├── doc.go
│ │ ├── elf_reader.go
│ │ ├── elf_sections.go
│ │ ├── info.go
│ │ ├── internal/
│ │ │ ├── buffer.go
│ │ │ ├── deque.go
│ │ │ ├── elf.go
│ │ │ ├── endian_be.go
│ │ │ ├── endian_le.go
│ │ │ ├── errors.go
│ │ │ ├── feature.go
│ │ │ ├── goos.go
│ │ │ ├── io.go
│ │ │ ├── kallsyms/
│ │ │ │ ├── cache.go
│ │ │ │ ├── kallsyms.go
│ │ │ │ └── reader.go
│ │ │ ├── kconfig/
│ │ │ │ └── kconfig.go
│ │ │ ├── linux/
│ │ │ │ ├── auxv.go
│ │ │ │ ├── doc.go
│ │ │ │ ├── kconfig.go
│ │ │ │ ├── platform.go
│ │ │ │ ├── statfs.go
│ │ │ │ ├── vdso.go
│ │ │ │ └── version.go
│ │ │ ├── math.go
│ │ │ ├── output.go
│ │ │ ├── prog.go
│ │ │ ├── sys/
│ │ │ │ ├── doc.go
│ │ │ │ ├── fd.go
│ │ │ │ ├── pinning.go
│ │ │ │ ├── ptr.go
│ │ │ │ ├── ptr_32_be.go
│ │ │ │ ├── ptr_32_le.go
│ │ │ │ ├── ptr_64.go
│ │ │ │ ├── signals.go
│ │ │ │ ├── syscall.go
│ │ │ │ └── types.go
│ │ │ ├── sysenc/
│ │ │ │ ├── buffer.go
│ │ │ │ ├── doc.go
│ │ │ │ ├── layout.go
│ │ │ │ └── marshal.go
│ │ │ ├── testutils/
│ │ │ │ └── fdtrace/
│ │ │ │ ├── fd_trace.go
│ │ │ │ └── main.go
│ │ │ ├── tracefs/
│ │ │ │ ├── kprobe.go
│ │ │ │ ├── probetype_string.go
│ │ │ │ └── uprobe.go
│ │ │ ├── unix/
│ │ │ │ ├── doc.go
│ │ │ │ ├── errno_linux.go
│ │ │ │ ├── errno_other.go
│ │ │ │ ├── errno_string_windows.go
│ │ │ │ ├── errno_windows.go
│ │ │ │ ├── error.go
│ │ │ │ ├── strings_other.go
│ │ │ │ ├── strings_windows.go
│ │ │ │ ├── types_linux.go
│ │ │ │ └── types_other.go
│ │ │ └── version.go
│ │ ├── link/
│ │ │ ├── anchor.go
│ │ │ ├── cgroup.go
│ │ │ ├── doc.go
│ │ │ ├── iter.go
│ │ │ ├── kprobe.go
│ │ │ ├── kprobe_multi.go
│ │ │ ├── link.go
│ │ │ ├── netfilter.go
│ │ │ ├── netkit.go
│ │ │ ├── netns.go
│ │ │ ├── perf_event.go
│ │ │ ├── program.go
│ │ │ ├── query.go
│ │ │ ├── raw_tracepoint.go
│ │ │ ├── socket_filter.go
│ │ │ ├── syscalls.go
│ │ │ ├── tcx.go
│ │ │ ├── tracepoint.go
│ │ │ ├── tracing.go
│ │ │ ├── uprobe.go
│ │ │ ├── uprobe_multi.go
│ │ │ └── xdp.go
│ │ ├── linker.go
│ │ ├── map.go
│ │ ├── marshalers.go
│ │ ├── memory.go
│ │ ├── netlify.toml
│ │ ├── prog.go
│ │ ├── syscalls.go
│ │ ├── types.go
│ │ ├── types_string.go
│ │ └── variable.go
│ ├── containerd/
│ │ └── console/
│ │ ├── .golangci.yml
│ │ ├── LICENSE
│ │ ├── README.md
│ │ ├── console.go
│ │ ├── console_linux.go
│ │ ├── console_other.go
│ │ ├── console_unix.go
│ │ ├── console_windows.go
│ │ ├── pty_freebsd_cgo.go
│ │ ├── pty_freebsd_nocgo.go
│ │ ├── pty_unix.go
│ │ ├── pty_zos.go
│ │ ├── tc_darwin.go
│ │ ├── tc_freebsd_cgo.go
│ │ ├── tc_freebsd_nocgo.go
│ │ ├── tc_linux.go
│ │ ├── tc_netbsd.go
│ │ ├── tc_openbsd_cgo.go
│ │ ├── tc_openbsd_nocgo.go
│ │ ├── tc_unix.go
│ │ └── tc_zos.go
│ ├── coreos/
│ │ └── go-systemd/
│ │ └── v22/
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ └── dbus/
│ │ ├── dbus.go
│ │ ├── methods.go
│ │ ├── properties.go
│ │ ├── set.go
│ │ ├── subscription.go
│ │ └── subscription_set.go
│ ├── cpuguy83/
│ │ └── go-md2man/
│ │ └── v2/
│ │ ├── LICENSE.md
│ │ └── md2man/
│ │ ├── debug.go
│ │ ├── md2man.go
│ │ └── roff.go
│ ├── cyphar/
│ │ └── filepath-securejoin/
│ │ ├── .golangci.yml
│ │ ├── CHANGELOG.md
│ │ ├── COPYING.md
│ │ ├── LICENSE.BSD
│ │ ├── LICENSE.MPL-2.0
│ │ ├── README.md
│ │ ├── VERSION
│ │ ├── codecov.yml
│ │ ├── doc.go
│ │ ├── internal/
│ │ │ └── consts/
│ │ │ └── consts.go
│ │ ├── join.go
│ │ ├── pathrs-lite/
│ │ │ ├── README.md
│ │ │ ├── doc.go
│ │ │ ├── internal/
│ │ │ │ ├── assert/
│ │ │ │ │ └── assert.go
│ │ │ │ ├── errors_linux.go
│ │ │ │ ├── fd/
│ │ │ │ │ ├── at_linux.go
│ │ │ │ │ ├── fd.go
│ │ │ │ │ ├── fd_linux.go
│ │ │ │ │ ├── mount_linux.go
│ │ │ │ │ └── openat2_linux.go
│ │ │ │ ├── gocompat/
│ │ │ │ │ ├── README.md
│ │ │ │ │ ├── doc.go
│ │ │ │ │ ├── gocompat_atomic_go119.go
│ │ │ │ │ ├── gocompat_atomic_unsupported.go
│ │ │ │ │ ├── gocompat_errors_go120.go
│ │ │ │ │ ├── gocompat_errors_unsupported.go
│ │ │ │ │ ├── gocompat_generics_go121.go
│ │ │ │ │ └── gocompat_generics_unsupported.go
│ │ │ │ ├── gopathrs/
│ │ │ │ │ ├── doc.go
│ │ │ │ │ ├── lookup_linux.go
│ │ │ │ │ ├── mkdir_linux.go
│ │ │ │ │ ├── open_linux.go
│ │ │ │ │ └── openat2_linux.go
│ │ │ │ ├── kernelversion/
│ │ │ │ │ └── kernel_linux.go
│ │ │ │ ├── linux/
│ │ │ │ │ ├── doc.go
│ │ │ │ │ ├── mount_linux.go
│ │ │ │ │ └── openat2_linux.go
│ │ │ │ └── procfs/
│ │ │ │ ├── procfs_linux.go
│ │ │ │ └── procfs_lookup_linux.go
│ │ │ ├── mkdir.go
│ │ │ ├── mkdir_libpathrs.go
│ │ │ ├── mkdir_purego.go
│ │ │ ├── open.go
│ │ │ ├── open_libpathrs.go
│ │ │ ├── open_purego.go
│ │ │ └── procfs/
│ │ │ ├── procfs_libpathrs.go
│ │ │ └── procfs_purego.go
│ │ └── vfs.go
│ ├── docker/
│ │ └── go-units/
│ │ ├── CONTRIBUTING.md
│ │ ├── LICENSE
│ │ ├── MAINTAINERS
│ │ ├── README.md
│ │ ├── circle.yml
│ │ ├── duration.go
│ │ ├── size.go
│ │ └── ulimit.go
│ ├── godbus/
│ │ └── dbus/
│ │ └── v5/
│ │ ├── .cirrus.yml
│ │ ├── .golangci.yml
│ │ ├── CONTRIBUTING.md
│ │ ├── LICENSE
│ │ ├── MAINTAINERS
│ │ ├── README.md
│ │ ├── SECURITY.md
│ │ ├── auth.go
│ │ ├── auth_anonymous.go
│ │ ├── auth_default_other.go
│ │ ├── auth_default_windows.go
│ │ ├── auth_external.go
│ │ ├── auth_sha1_windows.go
│ │ ├── call.go
│ │ ├── conn.go
│ │ ├── conn_darwin.go
│ │ ├── conn_other.go
│ │ ├── conn_unix.go
│ │ ├── conn_windows.go
│ │ ├── dbus.go
│ │ ├── decoder.go
│ │ ├── default_handler.go
│ │ ├── doc.go
│ │ ├── encoder.go
│ │ ├── escape.go
│ │ ├── export.go
│ │ ├── match.go
│ │ ├── message.go
│ │ ├── object.go
│ │ ├── sequence.go
│ │ ├── sequential_handler.go
│ │ ├── server_interfaces.go
│ │ ├── sig.go
│ │ ├── transport_darwin.go
│ │ ├── transport_generic.go
│ │ ├── transport_nonce_tcp.go
│ │ ├── transport_tcp.go
│ │ ├── transport_unix.go
│ │ ├── transport_unixcred_dragonfly.go
│ │ ├── transport_unixcred_freebsd.go
│ │ ├── transport_unixcred_linux.go
│ │ ├── transport_unixcred_netbsd.go
│ │ ├── transport_unixcred_openbsd.go
│ │ ├── transport_zos.go
│ │ ├── variant.go
│ │ ├── variant_lexer.go
│ │ └── variant_parser.go
│ ├── moby/
│ │ └── sys/
│ │ ├── capability/
│ │ │ ├── CHANGELOG.md
│ │ │ ├── LICENSE
│ │ │ ├── README.md
│ │ │ ├── capability.go
│ │ │ ├── capability_linux.go
│ │ │ ├── capability_noop.go
│ │ │ ├── enum.go
│ │ │ ├── enum_gen.go
│ │ │ └── syscall_linux.go
│ │ ├── mountinfo/
│ │ │ ├── LICENSE
│ │ │ ├── doc.go
│ │ │ ├── mounted_linux.go
│ │ │ ├── mounted_unix.go
│ │ │ ├── mountinfo.go
│ │ │ ├── mountinfo_bsd.go
│ │ │ ├── mountinfo_filters.go
│ │ │ ├── mountinfo_freebsdlike.go
│ │ │ ├── mountinfo_linux.go
│ │ │ ├── mountinfo_openbsd.go
│ │ │ ├── mountinfo_unsupported.go
│ │ │ └── mountinfo_windows.go
│ │ ├── user/
│ │ │ ├── LICENSE
│ │ │ ├── idtools.go
│ │ │ ├── idtools_unix.go
│ │ │ ├── idtools_windows.go
│ │ │ ├── lookup_unix.go
│ │ │ ├── user.go
│ │ │ └── user_fuzzer.go
│ │ └── userns/
│ │ ├── LICENSE
│ │ ├── userns.go
│ │ ├── userns_linux.go
│ │ ├── userns_linux_fuzzer.go
│ │ └── userns_unsupported.go
│ ├── mrunalp/
│ │ └── fileutils/
│ │ ├── .gitignore
│ │ ├── LICENSE
│ │ ├── MAINTAINERS
│ │ ├── README.md
│ │ ├── fileutils.go
│ │ └── idtools.go
│ ├── opencontainers/
│ │ ├── cgroups/
│ │ │ ├── .golangci-extra.yml
│ │ │ ├── .golangci.yml
│ │ │ ├── CODEOWNERS
│ │ │ ├── CONTRIBUTING.md
│ │ │ ├── GOVERNANCE.md
│ │ │ ├── LICENSE
│ │ │ ├── MAINTAINERS
│ │ │ ├── MAINTAINERS_GUIDE.md
│ │ │ ├── README.md
│ │ │ ├── RELEASES.md
│ │ │ ├── cgroups.go
│ │ │ ├── config_blkio_device.go
│ │ │ ├── config_hugepages.go
│ │ │ ├── config_ifprio_map.go
│ │ │ ├── config_linux.go
│ │ │ ├── config_rdma.go
│ │ │ ├── config_unsupported.go
│ │ │ ├── devices/
│ │ │ │ ├── config/
│ │ │ │ │ ├── device.go
│ │ │ │ │ └── mknod_unix.go
│ │ │ │ ├── devicefilter.go
│ │ │ │ ├── devices.go
│ │ │ │ ├── devices_emulator.go
│ │ │ │ ├── ebpf_linux.go
│ │ │ │ ├── systemd.go
│ │ │ │ ├── v1.go
│ │ │ │ └── v2.go
│ │ │ ├── file.go
│ │ │ ├── fs/
│ │ │ │ ├── blkio.go
│ │ │ │ ├── cpu.go
│ │ │ │ ├── cpuacct.go
│ │ │ │ ├── cpuset.go
│ │ │ │ ├── devices.go
│ │ │ │ ├── error.go
│ │ │ │ ├── freezer.go
│ │ │ │ ├── fs.go
│ │ │ │ ├── hugetlb.go
│ │ │ │ ├── memory.go
│ │ │ │ ├── name.go
│ │ │ │ ├── net_cls.go
│ │ │ │ ├── net_prio.go
│ │ │ │ ├── paths.go
│ │ │ │ ├── perf_event.go
│ │ │ │ ├── pids.go
│ │ │ │ └── rdma.go
│ │ │ ├── fs2/
│ │ │ │ ├── cpu.go
│ │ │ │ ├── cpuset.go
│ │ │ │ ├── create.go
│ │ │ │ ├── defaultpath.go
│ │ │ │ ├── freezer.go
│ │ │ │ ├── fs2.go
│ │ │ │ ├── hugetlb.go
│ │ │ │ ├── io.go
│ │ │ │ ├── memory.go
│ │ │ │ ├── misc.go
│ │ │ │ ├── pids.go
│ │ │ │ └── psi.go
│ │ │ ├── fscommon/
│ │ │ │ ├── rdma.go
│ │ │ │ └── utils.go
│ │ │ ├── getallpids.go
│ │ │ ├── internal/
│ │ │ │ └── path/
│ │ │ │ └── path.go
│ │ │ ├── manager/
│ │ │ │ └── new.go
│ │ │ ├── stats.go
│ │ │ ├── systemd/
│ │ │ │ ├── common.go
│ │ │ │ ├── cpuset.go
│ │ │ │ ├── dbus.go
│ │ │ │ ├── devices.go
│ │ │ │ ├── user.go
│ │ │ │ ├── v1.go
│ │ │ │ └── v2.go
│ │ │ ├── utils.go
│ │ │ └── v1_utils.go
│ │ ├── runtime-spec/
│ │ │ ├── LICENSE
│ │ │ └── specs-go/
│ │ │ ├── config.go
│ │ │ ├── features/
│ │ │ │ └── features.go
│ │ │ ├── state.go
│ │ │ └── version.go
│ │ └── selinux/
│ │ ├── LICENSE
│ │ ├── go-selinux/
│ │ │ ├── doc.go
│ │ │ ├── label/
│ │ │ │ ├── label.go
│ │ │ │ ├── label_linux.go
│ │ │ │ └── label_stub.go
│ │ │ ├── selinux.go
│ │ │ ├── selinux_linux.go
│ │ │ ├── selinux_stub.go
│ │ │ └── xattrs_linux.go
│ │ └── pkg/
│ │ └── pwalkdir/
│ │ ├── README.md
│ │ └── pwalkdir.go
│ ├── russross/
│ │ └── blackfriday/
│ │ └── v2/
│ │ ├── .gitignore
│ │ ├── .travis.yml
│ │ ├── LICENSE.txt
│ │ ├── README.md
│ │ ├── block.go
│ │ ├── doc.go
│ │ ├── entities.go
│ │ ├── esc.go
│ │ ├── html.go
│ │ ├── inline.go
│ │ ├── markdown.go
│ │ ├── node.go
│ │ └── smartypants.go
│ ├── seccomp/
│ │ └── libseccomp-golang/
│ │ ├── .gitignore
│ │ ├── .golangci.yml
│ │ ├── CHANGELOG
│ │ ├── CONTRIBUTING.md
│ │ ├── LICENSE
│ │ ├── Makefile
│ │ ├── README.md
│ │ ├── SECURITY.md
│ │ ├── seccomp.go
│ │ └── seccomp_internal.go
│ └── vishvananda/
│ ├── netlink/
│ │ ├── .gitignore
│ │ ├── CHANGELOG.md
│ │ ├── LICENSE
│ │ ├── Makefile
│ │ ├── README.md
│ │ ├── addr.go
│ │ ├── addr_linux.go
│ │ ├── bpf_linux.go
│ │ ├── bridge_linux.go
│ │ ├── chain.go
│ │ ├── chain_linux.go
│ │ ├── class.go
│ │ ├── class_linux.go
│ │ ├── conntrack_linux.go
│ │ ├── conntrack_unspecified.go
│ │ ├── devlink_linux.go
│ │ ├── filter.go
│ │ ├── filter_linux.go
│ │ ├── fou.go
│ │ ├── fou_linux.go
│ │ ├── fou_unspecified.go
│ │ ├── genetlink_linux.go
│ │ ├── genetlink_unspecified.go
│ │ ├── gtp_linux.go
│ │ ├── handle_linux.go
│ │ ├── handle_unspecified.go
│ │ ├── inet_diag.go
│ │ ├── ioctl_linux.go
│ │ ├── ipset_linux.go
│ │ ├── link.go
│ │ ├── link_linux.go
│ │ ├── link_tuntap_linux.go
│ │ ├── neigh.go
│ │ ├── neigh_linux.go
│ │ ├── netlink.go
│ │ ├── netlink_linux.go
│ │ ├── netlink_unspecified.go
│ │ ├── netns_linux.go
│ │ ├── netns_unspecified.go
│ │ ├── nl/
│ │ │ ├── addr_linux.go
│ │ │ ├── bridge_linux.go
│ │ │ ├── conntrack_linux.go
│ │ │ ├── devlink_linux.go
│ │ │ ├── genetlink_linux.go
│ │ │ ├── ip6tnl_linux.go
│ │ │ ├── ipset_linux.go
│ │ │ ├── link_linux.go
│ │ │ ├── lwt_linux.go
│ │ │ ├── mpls_linux.go
│ │ │ ├── nl_linux.go
│ │ │ ├── nl_unspecified.go
│ │ │ ├── parse_attr_linux.go
│ │ │ ├── rdma_link_linux.go
│ │ │ ├── route_linux.go
│ │ │ ├── seg6_linux.go
│ │ │ ├── seg6local_linux.go
│ │ │ ├── syscall.go
│ │ │ ├── tc_linux.go
│ │ │ ├── vdpa_linux.go
│ │ │ ├── xfrm_linux.go
│ │ │ ├── xfrm_monitor_linux.go
│ │ │ ├── xfrm_policy_linux.go
│ │ │ └── xfrm_state_linux.go
│ │ ├── order.go
│ │ ├── proc_event_linux.go
│ │ ├── protinfo.go
│ │ ├── protinfo_linux.go
│ │ ├── qdisc.go
│ │ ├── qdisc_linux.go
│ │ ├── rdma_link_linux.go
│ │ ├── route.go
│ │ ├── route_linux.go
│ │ ├── route_unspecified.go
│ │ ├── rule.go
│ │ ├── rule_linux.go
│ │ ├── rule_nonlinux.go
│ │ ├── socket.go
│ │ ├── socket_linux.go
│ │ ├── socket_xdp_linux.go
│ │ ├── tcp.go
│ │ ├── tcp_linux.go
│ │ ├── unix_diag.go
│ │ ├── vdpa_linux.go
│ │ ├── virtio.go
│ │ ├── xdp_diag.go
│ │ ├── xdp_linux.go
│ │ ├── xfrm_linux.go
│ │ ├── xfrm_monitor_linux.go
│ │ ├── xfrm_policy_linux.go
│ │ ├── xfrm_state_linux.go
│ │ └── xfrm_unspecified.go
│ └── netns/
│ ├── .golangci.yml
│ ├── .yamllint.yml
│ ├── LICENSE
│ ├── README.md
│ ├── doc.go
│ ├── netns_linux.go
│ ├── netns_others.go
│ ├── nshandle_linux.go
│ └── nshandle_others.go
├── golang.org/
│ └── x/
│ ├── net/
│ │ ├── LICENSE
│ │ ├── PATENTS
│ │ └── bpf/
│ │ ├── asm.go
│ │ ├── constants.go
│ │ ├── doc.go
│ │ ├── instructions.go
│ │ ├── setter.go
│ │ ├── vm.go
│ │ └── vm_instructions.go
│ └── sys/
│ ├── LICENSE
│ ├── PATENTS
│ ├── unix/
│ │ ├── .gitignore
│ │ ├── README.md
│ │ ├── affinity_linux.go
│ │ ├── aliases.go
│ │ ├── asm_aix_ppc64.s
│ │ ├── asm_bsd_386.s
│ │ ├── asm_bsd_amd64.s
│ │ ├── asm_bsd_arm.s
│ │ ├── asm_bsd_arm64.s
│ │ ├── asm_bsd_ppc64.s
│ │ ├── asm_bsd_riscv64.s
│ │ ├── asm_linux_386.s
│ │ ├── asm_linux_amd64.s
│ │ ├── asm_linux_arm.s
│ │ ├── asm_linux_arm64.s
│ │ ├── asm_linux_loong64.s
│ │ ├── asm_linux_mips64x.s
│ │ ├── asm_linux_mipsx.s
│ │ ├── asm_linux_ppc64x.s
│ │ ├── asm_linux_riscv64.s
│ │ ├── asm_linux_s390x.s
│ │ ├── asm_openbsd_mips64.s
│ │ ├── asm_solaris_amd64.s
│ │ ├── asm_zos_s390x.s
│ │ ├── auxv.go
│ │ ├── auxv_unsupported.go
│ │ ├── bluetooth_linux.go
│ │ ├── bpxsvc_zos.go
│ │ ├── bpxsvc_zos.s
│ │ ├── cap_freebsd.go
│ │ ├── constants.go
│ │ ├── dev_aix_ppc.go
│ │ ├── dev_aix_ppc64.go
│ │ ├── dev_darwin.go
│ │ ├── dev_dragonfly.go
│ │ ├── dev_freebsd.go
│ │ ├── dev_linux.go
│ │ ├── dev_netbsd.go
│ │ ├── dev_openbsd.go
│ │ ├── dev_zos.go
│ │ ├── dirent.go
│ │ ├── endian_big.go
│ │ ├── endian_little.go
│ │ ├── env_unix.go
│ │ ├── fcntl.go
│ │ ├── fcntl_darwin.go
│ │ ├── fcntl_linux_32bit.go
│ │ ├── fdset.go
│ │ ├── gccgo.go
│ │ ├── gccgo_c.c
│ │ ├── gccgo_linux_amd64.go
│ │ ├── ifreq_linux.go
│ │ ├── ioctl_linux.go
│ │ ├── ioctl_signed.go
│ │ ├── ioctl_unsigned.go
│ │ ├── ioctl_zos.go
│ │ ├── mkall.sh
│ │ ├── mkerrors.sh
│ │ ├── mmap_nomremap.go
│ │ ├── mremap.go
│ │ ├── pagesize_unix.go
│ │ ├── pledge_openbsd.go
│ │ ├── ptrace_darwin.go
│ │ ├── ptrace_ios.go
│ │ ├── race.go
│ │ ├── race0.go
│ │ ├── readdirent_getdents.go
│ │ ├── readdirent_getdirentries.go
│ │ ├── sockcmsg_dragonfly.go
│ │ ├── sockcmsg_linux.go
│ │ ├── sockcmsg_unix.go
│ │ ├── sockcmsg_unix_other.go
│ │ ├── sockcmsg_zos.go
│ │ ├── symaddr_zos_s390x.s
│ │ ├── syscall.go
│ │ ├── syscall_aix.go
│ │ ├── syscall_aix_ppc.go
│ │ ├── syscall_aix_ppc64.go
│ │ ├── syscall_bsd.go
│ │ ├── syscall_darwin.go
│ │ ├── syscall_darwin_amd64.go
│ │ ├── syscall_darwin_arm64.go
│ │ ├── syscall_darwin_libSystem.go
│ │ ├── syscall_dragonfly.go
│ │ ├── syscall_dragonfly_amd64.go
│ │ ├── syscall_freebsd.go
│ │ ├── syscall_freebsd_386.go
│ │ ├── syscall_freebsd_amd64.go
│ │ ├── syscall_freebsd_arm.go
│ │ ├── syscall_freebsd_arm64.go
│ │ ├── syscall_freebsd_riscv64.go
│ │ ├── syscall_hurd.go
│ │ ├── syscall_hurd_386.go
│ │ ├── syscall_illumos.go
│ │ ├── syscall_linux.go
│ │ ├── syscall_linux_386.go
│ │ ├── syscall_linux_alarm.go
│ │ ├── syscall_linux_amd64.go
│ │ ├── syscall_linux_amd64_gc.go
│ │ ├── syscall_linux_arm.go
│ │ ├── syscall_linux_arm64.go
│ │ ├── syscall_linux_gc.go
│ │ ├── syscall_linux_gc_386.go
│ │ ├── syscall_linux_gc_arm.go
│ │ ├── syscall_linux_gccgo_386.go
│ │ ├── syscall_linux_gccgo_arm.go
│ │ ├── syscall_linux_loong64.go
│ │ ├── syscall_linux_mips64x.go
│ │ ├── syscall_linux_mipsx.go
│ │ ├── syscall_linux_ppc.go
│ │ ├── syscall_linux_ppc64x.go
│ │ ├── syscall_linux_riscv64.go
│ │ ├── syscall_linux_s390x.go
│ │ ├── syscall_linux_sparc64.go
│ │ ├── syscall_netbsd.go
│ │ ├── syscall_netbsd_386.go
│ │ ├── syscall_netbsd_amd64.go
│ │ ├── syscall_netbsd_arm.go
│ │ ├── syscall_netbsd_arm64.go
│ │ ├── syscall_openbsd.go
│ │ ├── syscall_openbsd_386.go
│ │ ├── syscall_openbsd_amd64.go
│ │ ├── syscall_openbsd_arm.go
│ │ ├── syscall_openbsd_arm64.go
│ │ ├── syscall_openbsd_libc.go
│ │ ├── syscall_openbsd_mips64.go
│ │ ├── syscall_openbsd_ppc64.go
│ │ ├── syscall_openbsd_riscv64.go
│ │ ├── syscall_solaris.go
│ │ ├── syscall_solaris_amd64.go
│ │ ├── syscall_unix.go
│ │ ├── syscall_unix_gc.go
│ │ ├── syscall_unix_gc_ppc64x.go
│ │ ├── syscall_zos_s390x.go
│ │ ├── sysvshm_linux.go
│ │ ├── sysvshm_unix.go
│ │ ├── sysvshm_unix_other.go
│ │ ├── timestruct.go
│ │ ├── unveil_openbsd.go
│ │ ├── vgetrandom_linux.go
│ │ ├── vgetrandom_unsupported.go
│ │ ├── xattr_bsd.go
│ │ ├── zerrors_aix_ppc.go
│ │ ├── zerrors_aix_ppc64.go
│ │ ├── zerrors_darwin_amd64.go
│ │ ├── zerrors_darwin_arm64.go
│ │ ├── zerrors_dragonfly_amd64.go
│ │ ├── zerrors_freebsd_386.go
│ │ ├── zerrors_freebsd_amd64.go
│ │ ├── zerrors_freebsd_arm.go
│ │ ├── zerrors_freebsd_arm64.go
│ │ ├── zerrors_freebsd_riscv64.go
│ │ ├── zerrors_linux.go
│ │ ├── zerrors_linux_386.go
│ │ ├── zerrors_linux_amd64.go
│ │ ├── zerrors_linux_arm.go
│ │ ├── zerrors_linux_arm64.go
│ │ ├── zerrors_linux_loong64.go
│ │ ├── zerrors_linux_mips.go
│ │ ├── zerrors_linux_mips64.go
│ │ ├── zerrors_linux_mips64le.go
│ │ ├── zerrors_linux_mipsle.go
│ │ ├── zerrors_linux_ppc.go
│ │ ├── zerrors_linux_ppc64.go
│ │ ├── zerrors_linux_ppc64le.go
│ │ ├── zerrors_linux_riscv64.go
│ │ ├── zerrors_linux_s390x.go
│ │ ├── zerrors_linux_sparc64.go
│ │ ├── zerrors_netbsd_386.go
│ │ ├── zerrors_netbsd_amd64.go
│ │ ├── zerrors_netbsd_arm.go
│ │ ├── zerrors_netbsd_arm64.go
│ │ ├── zerrors_openbsd_386.go
│ │ ├── zerrors_openbsd_amd64.go
│ │ ├── zerrors_openbsd_arm.go
│ │ ├── zerrors_openbsd_arm64.go
│ │ ├── zerrors_openbsd_mips64.go
│ │ ├── zerrors_openbsd_ppc64.go
│ │ ├── zerrors_openbsd_riscv64.go
│ │ ├── zerrors_solaris_amd64.go
│ │ ├── zerrors_zos_s390x.go
│ │ ├── zptrace_armnn_linux.go
│ │ ├── zptrace_linux_arm64.go
│ │ ├── zptrace_mipsnn_linux.go
│ │ ├── zptrace_mipsnnle_linux.go
│ │ ├── zptrace_x86_linux.go
│ │ ├── zsymaddr_zos_s390x.s
│ │ ├── zsyscall_aix_ppc.go
│ │ ├── zsyscall_aix_ppc64.go
│ │ ├── zsyscall_aix_ppc64_gc.go
│ │ ├── zsyscall_aix_ppc64_gccgo.go
│ │ ├── zsyscall_darwin_amd64.go
│ │ ├── zsyscall_darwin_amd64.s
│ │ ├── zsyscall_darwin_arm64.go
│ │ ├── zsyscall_darwin_arm64.s
│ │ ├── zsyscall_dragonfly_amd64.go
│ │ ├── zsyscall_freebsd_386.go
│ │ ├── zsyscall_freebsd_amd64.go
│ │ ├── zsyscall_freebsd_arm.go
│ │ ├── zsyscall_freebsd_arm64.go
│ │ ├── zsyscall_freebsd_riscv64.go
│ │ ├── zsyscall_illumos_amd64.go
│ │ ├── zsyscall_linux.go
│ │ ├── zsyscall_linux_386.go
│ │ ├── zsyscall_linux_amd64.go
│ │ ├── zsyscall_linux_arm.go
│ │ ├── zsyscall_linux_arm64.go
│ │ ├── zsyscall_linux_loong64.go
│ │ ├── zsyscall_linux_mips.go
│ │ ├── zsyscall_linux_mips64.go
│ │ ├── zsyscall_linux_mips64le.go
│ │ ├── zsyscall_linux_mipsle.go
│ │ ├── zsyscall_linux_ppc.go
│ │ ├── zsyscall_linux_ppc64.go
│ │ ├── zsyscall_linux_ppc64le.go
│ │ ├── zsyscall_linux_riscv64.go
│ │ ├── zsyscall_linux_s390x.go
│ │ ├── zsyscall_linux_sparc64.go
│ │ ├── zsyscall_netbsd_386.go
│ │ ├── zsyscall_netbsd_amd64.go
│ │ ├── zsyscall_netbsd_arm.go
│ │ ├── zsyscall_netbsd_arm64.go
│ │ ├── zsyscall_openbsd_386.go
│ │ ├── zsyscall_openbsd_386.s
│ │ ├── zsyscall_openbsd_amd64.go
│ │ ├── zsyscall_openbsd_amd64.s
│ │ ├── zsyscall_openbsd_arm.go
│ │ ├── zsyscall_openbsd_arm.s
│ │ ├── zsyscall_openbsd_arm64.go
│ │ ├── zsyscall_openbsd_arm64.s
│ │ ├── zsyscall_openbsd_mips64.go
│ │ ├── zsyscall_openbsd_mips64.s
│ │ ├── zsyscall_openbsd_ppc64.go
│ │ ├── zsyscall_openbsd_ppc64.s
│ │ ├── zsyscall_openbsd_riscv64.go
│ │ ├── zsyscall_openbsd_riscv64.s
│ │ ├── zsyscall_solaris_amd64.go
│ │ ├── zsyscall_zos_s390x.go
│ │ ├── zsysctl_openbsd_386.go
│ │ ├── zsysctl_openbsd_amd64.go
│ │ ├── zsysctl_openbsd_arm.go
│ │ ├── zsysctl_openbsd_arm64.go
│ │ ├── zsysctl_openbsd_mips64.go
│ │ ├── zsysctl_openbsd_ppc64.go
│ │ ├── zsysctl_openbsd_riscv64.go
│ │ ├── zsysnum_darwin_amd64.go
│ │ ├── zsysnum_darwin_arm64.go
│ │ ├── zsysnum_dragonfly_amd64.go
│ │ ├── zsysnum_freebsd_386.go
│ │ ├── zsysnum_freebsd_amd64.go
│ │ ├── zsysnum_freebsd_arm.go
│ │ ├── zsysnum_freebsd_arm64.go
│ │ ├── zsysnum_freebsd_riscv64.go
│ │ ├── zsysnum_linux_386.go
│ │ ├── zsysnum_linux_amd64.go
│ │ ├── zsysnum_linux_arm.go
│ │ ├── zsysnum_linux_arm64.go
│ │ ├── zsysnum_linux_loong64.go
│ │ ├── zsysnum_linux_mips.go
│ │ ├── zsysnum_linux_mips64.go
│ │ ├── zsysnum_linux_mips64le.go
│ │ ├── zsysnum_linux_mipsle.go
│ │ ├── zsysnum_linux_ppc.go
│ │ ├── zsysnum_linux_ppc64.go
│ │ ├── zsysnum_linux_ppc64le.go
│ │ ├── zsysnum_linux_riscv64.go
│ │ ├── zsysnum_linux_s390x.go
│ │ ├── zsysnum_linux_sparc64.go
│ │ ├── zsysnum_netbsd_386.go
│ │ ├── zsysnum_netbsd_amd64.go
│ │ ├── zsysnum_netbsd_arm.go
│ │ ├── zsysnum_netbsd_arm64.go
│ │ ├── zsysnum_openbsd_386.go
│ │ ├── zsysnum_openbsd_amd64.go
│ │ ├── zsysnum_openbsd_arm.go
│ │ ├── zsysnum_openbsd_arm64.go
│ │ ├── zsysnum_openbsd_mips64.go
│ │ ├── zsysnum_openbsd_ppc64.go
│ │ ├── zsysnum_openbsd_riscv64.go
│ │ ├── zsysnum_zos_s390x.go
│ │ ├── ztypes_aix_ppc.go
│ │ ├── ztypes_aix_ppc64.go
│ │ ├── ztypes_darwin_amd64.go
│ │ ├── ztypes_darwin_arm64.go
│ │ ├── ztypes_dragonfly_amd64.go
│ │ ├── ztypes_freebsd_386.go
│ │ ├── ztypes_freebsd_amd64.go
│ │ ├── ztypes_freebsd_arm.go
│ │ ├── ztypes_freebsd_arm64.go
│ │ ├── ztypes_freebsd_riscv64.go
│ │ ├── ztypes_linux.go
│ │ ├── ztypes_linux_386.go
│ │ ├── ztypes_linux_amd64.go
│ │ ├── ztypes_linux_arm.go
│ │ ├── ztypes_linux_arm64.go
│ │ ├── ztypes_linux_loong64.go
│ │ ├── ztypes_linux_mips.go
│ │ ├── ztypes_linux_mips64.go
│ │ ├── ztypes_linux_mips64le.go
│ │ ├── ztypes_linux_mipsle.go
│ │ ├── ztypes_linux_ppc.go
│ │ ├── ztypes_linux_ppc64.go
│ │ ├── ztypes_linux_ppc64le.go
│ │ ├── ztypes_linux_riscv64.go
│ │ ├── ztypes_linux_s390x.go
│ │ ├── ztypes_linux_sparc64.go
│ │ ├── ztypes_netbsd_386.go
│ │ ├── ztypes_netbsd_amd64.go
│ │ ├── ztypes_netbsd_arm.go
│ │ ├── ztypes_netbsd_arm64.go
│ │ ├── ztypes_openbsd_386.go
│ │ ├── ztypes_openbsd_amd64.go
│ │ ├── ztypes_openbsd_arm.go
│ │ ├── ztypes_openbsd_arm64.go
│ │ ├── ztypes_openbsd_mips64.go
│ │ ├── ztypes_openbsd_ppc64.go
│ │ ├── ztypes_openbsd_riscv64.go
│ │ ├── ztypes_solaris_amd64.go
│ │ └── ztypes_zos_s390x.go
│ └── windows/
│ ├── aliases.go
│ ├── dll_windows.go
│ ├── env_windows.go
│ ├── eventlog.go
│ ├── exec_windows.go
│ ├── memory_windows.go
│ ├── mkerrors.bash
│ ├── mkknownfolderids.bash
│ ├── mksyscall.go
│ ├── race.go
│ ├── race0.go
│ ├── security_windows.go
│ ├── service.go
│ ├── setupapi_windows.go
│ ├── str.go
│ ├── syscall.go
│ ├── syscall_windows.go
│ ├── types_windows.go
│ ├── types_windows_386.go
│ ├── types_windows_amd64.go
│ ├── types_windows_arm.go
│ ├── types_windows_arm64.go
│ ├── zerrors_windows.go
│ ├── zknownfolderids_windows.go
│ └── zsyscall_windows.go
├── google.golang.org/
│ └── protobuf/
│ ├── LICENSE
│ ├── PATENTS
│ ├── encoding/
│ │ ├── prototext/
│ │ │ ├── decode.go
│ │ │ ├── doc.go
│ │ │ └── encode.go
│ │ └── protowire/
│ │ └── wire.go
│ ├── internal/
│ │ ├── descfmt/
│ │ │ └── stringer.go
│ │ ├── descopts/
│ │ │ └── options.go
│ │ ├── detrand/
│ │ │ └── rand.go
│ │ ├── editiondefaults/
│ │ │ ├── defaults.go
│ │ │ └── editions_defaults.binpb
│ │ ├── encoding/
│ │ │ ├── defval/
│ │ │ │ └── default.go
│ │ │ ├── messageset/
│ │ │ │ └── messageset.go
│ │ │ ├── tag/
│ │ │ │ └── tag.go
│ │ │ └── text/
│ │ │ ├── decode.go
│ │ │ ├── decode_number.go
│ │ │ ├── decode_string.go
│ │ │ ├── decode_token.go
│ │ │ ├── doc.go
│ │ │ └── encode.go
│ │ ├── errors/
│ │ │ └── errors.go
│ │ ├── filedesc/
│ │ │ ├── build.go
│ │ │ ├── desc.go
│ │ │ ├── desc_init.go
│ │ │ ├── desc_lazy.go
│ │ │ ├── desc_list.go
│ │ │ ├── desc_list_gen.go
│ │ │ ├── editions.go
│ │ │ ├── placeholder.go
│ │ │ └── presence.go
│ │ ├── filetype/
│ │ │ └── build.go
│ │ ├── flags/
│ │ │ ├── flags.go
│ │ │ ├── proto_legacy_disable.go
│ │ │ └── proto_legacy_enable.go
│ │ ├── genid/
│ │ │ ├── any_gen.go
│ │ │ ├── api_gen.go
│ │ │ ├── descriptor_gen.go
│ │ │ ├── doc.go
│ │ │ ├── duration_gen.go
│ │ │ ├── empty_gen.go
│ │ │ ├── field_mask_gen.go
│ │ │ ├── go_features_gen.go
│ │ │ ├── goname.go
│ │ │ ├── map_entry.go
│ │ │ ├── name.go
│ │ │ ├── source_context_gen.go
│ │ │ ├── struct_gen.go
│ │ │ ├── timestamp_gen.go
│ │ │ ├── type_gen.go
│ │ │ ├── wrappers.go
│ │ │ └── wrappers_gen.go
│ │ ├── impl/
│ │ │ ├── api_export.go
│ │ │ ├── api_export_opaque.go
│ │ │ ├── bitmap.go
│ │ │ ├── bitmap_race.go
│ │ │ ├── checkinit.go
│ │ │ ├── codec_extension.go
│ │ │ ├── codec_field.go
│ │ │ ├── codec_field_opaque.go
│ │ │ ├── codec_gen.go
│ │ │ ├── codec_map.go
│ │ │ ├── codec_message.go
│ │ │ ├── codec_message_opaque.go
│ │ │ ├── codec_messageset.go
│ │ │ ├── codec_tables.go
│ │ │ ├── codec_unsafe.go
│ │ │ ├── convert.go
│ │ │ ├── convert_list.go
│ │ │ ├── convert_map.go
│ │ │ ├── decode.go
│ │ │ ├── encode.go
│ │ │ ├── enum.go
│ │ │ ├── equal.go
│ │ │ ├── extension.go
│ │ │ ├── lazy.go
│ │ │ ├── legacy_enum.go
│ │ │ ├── legacy_export.go
│ │ │ ├── legacy_extension.go
│ │ │ ├── legacy_file.go
│ │ │ ├── legacy_message.go
│ │ │ ├── merge.go
│ │ │ ├── merge_gen.go
│ │ │ ├── message.go
│ │ │ ├── message_opaque.go
│ │ │ ├── message_opaque_gen.go
│ │ │ ├── message_reflect.go
│ │ │ ├── message_reflect_field.go
│ │ │ ├── message_reflect_field_gen.go
│ │ │ ├── message_reflect_gen.go
│ │ │ ├── pointer_unsafe.go
│ │ │ ├── pointer_unsafe_opaque.go
│ │ │ ├── presence.go
│ │ │ └── validate.go
│ │ ├── order/
│ │ │ ├── order.go
│ │ │ └── range.go
│ │ ├── pragma/
│ │ │ └── pragma.go
│ │ ├── protolazy/
│ │ │ ├── bufferreader.go
│ │ │ ├── lazy.go
│ │ │ └── pointer_unsafe.go
│ │ ├── set/
│ │ │ └── ints.go
│ │ ├── strs/
│ │ │ ├── strings.go
│ │ │ └── strings_unsafe.go
│ │ └── version/
│ │ └── version.go
│ ├── proto/
│ │ ├── checkinit.go
│ │ ├── decode.go
│ │ ├── decode_gen.go
│ │ ├── doc.go
│ │ ├── encode.go
│ │ ├── encode_gen.go
│ │ ├── equal.go
│ │ ├── extension.go
│ │ ├── merge.go
│ │ ├── messageset.go
│ │ ├── proto.go
│ │ ├── proto_methods.go
│ │ ├── proto_reflect.go
│ │ ├── reset.go
│ │ ├── size.go
│ │ ├── size_gen.go
│ │ ├── wrapperopaque.go
│ │ └── wrappers.go
│ ├── reflect/
│ │ ├── protoreflect/
│ │ │ ├── methods.go
│ │ │ ├── proto.go
│ │ │ ├── source.go
│ │ │ ├── source_gen.go
│ │ │ ├── type.go
│ │ │ ├── value.go
│ │ │ ├── value_equal.go
│ │ │ ├── value_union.go
│ │ │ └── value_unsafe.go
│ │ └── protoregistry/
│ │ └── registry.go
│ └── runtime/
│ ├── protoiface/
│ │ ├── legacy.go
│ │ └── methods.go
│ └── protoimpl/
│ ├── impl.go
│ └── version.go
└── modules.txt
================================================
FILE CONTENTS
================================================
================================================
FILE: .cirrus.yml
================================================
---
# We use Cirrus for RHEL clones because Cirrus can directly run them
# without depending on nested virtualization.
# NOTE Cirrus execution environments lack a terminal, needed for
# some integration tests. So we use `ssh -tt` command to fake a terminal.
task:
timeout_in: 30m
env:
HOME: /root
CIRRUS_WORKING_DIR: /home/runc
GO_VER_PREFIX: "1.25."
BATS_VERSION: "v1.12.0"
LIBPATHRS_VERSION: "0.2.4"
RPMS: gcc git-core iptables jq glibc-static libseccomp-devel make criu fuse-sshfs container-selinux policycoreutils cargo lld wget
# yamllint disable rule:key-duplicates
matrix:
- DISTRO: almalinux-8
IMAGE_PROJECT: almalinux-cloud
- DISTRO: almalinux-9
IMAGE_PROJECT: almalinux-cloud
- DISTRO: centos-stream-10
IMAGE_PROJECT: centos-cloud
name: ci / $DISTRO
compute_engine_instance:
image_project: $IMAGE_PROJECT
image: family/$DISTRO
platform: linux
cpu: 4
memory: 8G
# Provisions the Cirrus VM as root: distro packages, libpathrs, Go, bats,
# the rootless test user, and a loopback sshd used to fake a terminal.
install_dependencies_script: |
case $DISTRO in
*-8)
dnf config-manager --set-enabled powertools # for glibc-static
;;
*-9|*-10)
dnf config-manager --set-enabled crb # for glibc-static
dnf -y install epel-release # for fuse-sshfs
# Delegate all cgroup v2 controllers to rootless user via --systemd-cgroup.
# The default (since systemd v252) is "pids memory cpu".
mkdir -p /etc/systemd/system/user@.service.d
printf "[Service]\nDelegate=yes\n" > /etc/systemd/system/user@.service.d/delegate.conf
systemctl daemon-reload
;;
esac
# Work around dnf mirror failures by retrying a few times.
for i in $(seq 0 2); do
sleep $i
dnf install -y --setopt=install_weak_deps=False --setopt=tsflags=nodocs $RPMS && break
done
[ $? -eq 0 ] # fail if dnf failed
case $DISTRO in
*-8)
# Use newer criu (with https://github.com/checkpoint-restore/criu/pull/2545).
# Alas we have to disable container-tools for that.
dnf -y module disable container-tools
# NOTE(review): this enables a personal Copr repository, so the criu package
# installed on *-8 comes from outside the distro's own repositories.
dnf -y copr enable adrian/criu-el8
dnf -y install criu
esac
# Install libpathrs.
/home/runc/script/build-libpathrs.sh "$LIBPATHRS_VERSION" /usr
# Install Go.
URL_PREFIX="https://go.dev/dl/"
# Find out the latest minor release URL.
filename=$(curl -fsSL "${URL_PREFIX}?mode=json&include=all" | jq -r --arg Ver "go$GO_VER_PREFIX" '. | map(select(.version | contains($Ver))) | first | .files[] | select(.os == "linux" and .arch == "amd64" and .kind == "archive") | .filename')
# NOTE(review): the archive is streamed straight into tar as root with no digest
# check. The JSON index queried above also lists a `sha256` per file; selecting
# it alongside `.filename` and running `sha256sum --check` on a downloaded copy
# before extracting would catch a corrupted or substituted archive.
curl -fsSL "$URL_PREFIX$filename" | tar Cxz /usr/local
# install bats
cd /tmp
# NOTE(review): bats is selected by tag ($BATS_VERSION) and its install.sh then
# runs as root; a tag can be moved upstream, whereas a commit hash cannot.
git clone https://github.com/bats-core/bats-core
cd bats-core
git checkout $BATS_VERSION
./install.sh /usr/local
cd -
# Setup rootless tests.
/home/runc/script/setup_rootless.sh
# set PATH
echo 'export PATH=/usr/local/go/bin:/usr/local/bin:$PATH' >> /root/.bashrc
# Setup ssh localhost for terminal emulation (script -e did not work)
# A passphrase-less key is generated and authorised for root on this VM only.
ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""
cat /root/.ssh/id_ed25519.pub >> /root/.ssh/authorized_keys
chmod 400 /root/.ssh/authorized_keys
ssh-keyscan localhost >> /root/.ssh/known_hosts
# Host-key checking is turned off only inside the `Host localhost` stanza.
echo -e "Host localhost\n\tStrictHostKeyChecking no\t\nIdentityFile /root/.ssh/id_ed25519\n" >> /root/.ssh/config
# Root may log in over ssh with a key but not with a password.
sed -e "s,PermitRootLogin.*,PermitRootLogin prohibit-password,g" -i /etc/ssh/sshd_config
systemctl restart sshd
host_info_script: |
uname -a
# -----
/usr/local/go/bin/go version
# -----
systemctl --version
# -----
cat /etc/os-release
# -----
df -T
# -----
sestatus
# -----
cat /proc/cpuinfo
check_config_script: |
/home/runc/script/check-config.sh
unit_tests_script: |
ssh -tt localhost "make -C /home/runc localunittest"
integration_systemd_script: |
ssh -tt localhost "make -C /home/runc localintegration RUNC_USE_SYSTEMD=yes"
integration_fs_script: |
ssh -tt localhost "make -C /home/runc localintegration"
integration_systemd_rootless_script: |
case $DISTRO in
*-8)
echo "SKIP: integration_systemd_rootless_script requires cgroup v2"
;;
*)
ssh -tt localhost "make -C /home/runc localrootlessintegration RUNC_USE_SYSTEMD=yes"
esac
integration_fs_rootless_script: |
ssh -tt localhost "make -C /home/runc localrootlessintegration"
================================================
FILE: .clang-format
================================================
---
# We use GNU indent from the Makefile to format C code in this project. Alas,
# there is no way to map indent options to clang-format style options in a way
# to achieve identical results for both formatters.
#
# Therefore, let's disable clang-format entirely.
DisableFormat: true
...
================================================
FILE: .codespellrc
================================================
[codespell]
skip = ./vendor,./.git,./go.sum
ignore-words-list = clos,mis
================================================
FILE: .editorconfig
================================================
# This file is used by shfmt. See https://EditorConfig.org
# This is a top-most EditorConfig file.
root = true
# Ignore the entire "vendor" directory.
[vendor/**]
ignore = true
================================================
FILE: .github/ISSUE_TEMPLATE/bug_report.yaml
================================================
# Forked from https://github.com/containerd/nerdctl/blob/v1.2.1/.github/ISSUE_TEMPLATE/bug_report.yaml
name: Bug report
description: Create a bug report to help improve runc
labels: kind/unconfirmed-bug-claim
body:
- type: markdown
attributes:
value: |
If you are reporting a new issue, make sure that we do not have any duplicates
already open. You can ensure this by searching the issue list for this
repository. If there is a duplicate, please close your issue and add a comment
to the existing issue instead.
When reporting a security issue, do not create an issue or file a pull request on GitHub.
See [`opencontainers/.github/SECURITY.md`](https://github.com/opencontainers/.github/blob/master/SECURITY.md).
- type: textarea
attributes:
label: Description
description: |
Briefly describe the problem you are having in a few paragraphs.
validations:
required: true
- type: textarea
attributes:
label: Steps to reproduce the issue
description: |
As much as possible, try to make steps that would work in a script. This makes the repro unambiguous and easy to follow.
value: |
1.
2.
3.
- type: textarea
attributes:
label: Describe the results you received and expected
validations:
required: true
- type: textarea
attributes:
label: What version of runc are you using?
placeholder: runc --version
validations:
required: true
- type: textarea
attributes:
label: Host OS information
placeholder: cat /etc/os-release
- type: textarea
attributes:
label: Host kernel information
placeholder: uname -a
================================================
FILE: .github/ISSUE_TEMPLATE/config.yml
================================================
# Forked from https://github.com/containerd/nerdctl/blob/main/.github/ISSUE_TEMPLATE/config.yml
blank_issues_enabled: true
contact_links:
- name: Ask a question (GitHub Discussions)
url: https://github.com/opencontainers/runc/discussions
about: |
Please do not submit "a bug report" for asking a question.
In most cases, GitHub Discussions is the best place to ask a question.
If you are not sure whether you are going to report a bug or ask a question,
please consider asking in GitHub Discussions first.
- name: Slack (opencontainers.slack.com)
url: https://communityinviter.com/apps/opencontainers/join-the-oci-community
# GitHub requires the `about` property to be set
about: Slack
- name: Mailing list
url: https://groups.google.com/a/opencontainers.org/forum/#!forum/dev
about: Mailing list
================================================
FILE: .github/dependabot.yml
================================================
# Please see the documentation for all configuration options:
# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
updates:
# Dependencies listed in go.mod
- package-ecosystem: "gomod"
directory: "/" # Location of package manifests
schedule:
interval: "daily"
# Dependencies listed in .github/workflows/*.yml
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"
# Dependencies listed in Dockerfile
- package-ecosystem: "docker"
directory: "/"
schedule:
interval: "daily"
================================================
FILE: .github/workflows/scheduled.yml
================================================
# This enables periodical execution of CI jobs in branches we maintain.
#
# CI jobs are triggered through here (instead of adding "schedule:" to the
# appropriate files) because scheduled jobs are only run on the main branch.
# In other words, it's a way to run periodical CI for other branches.
name: scheduled
on:
schedule:
# Runs at 00:00 UTC every Sunday, Tuesday, Thursday.
- cron: '0 0 * * 0,2,4'
workflow_dispatch:
# Token scope for this workflow: `actions: write` is what allows the
# createWorkflowDispatch call below; permissions not listed here are not granted.
permissions:
contents: read
actions: write
jobs:
# Dispatches each listed workflow on each listed branch (one job per pair).
trigger-workflow:
strategy:
matrix:
branch: ["main", "release-1.3"]
wf_id: ["validate.yml", "test.yml"]
runs-on: ubuntu-latest
steps:
- name: Trigger ${{ matrix.wf_id }} workflow on ${{ matrix.branch}} branch
# NOTE(review): the action is referenced by a mutable tag; pinning to a full
# commit SHA would fix the exact code that receives the token.
uses: actions/github-script@v8
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
# The ${{ matrix.* }} expressions are expanded into the script text before it
# runs. Both lists are literals in this file, so nothing event-controlled
# reaches the script; a value taken from an event payload should instead be
# passed through `env:` and read from process.env.
script: |
await github.rest.actions.createWorkflowDispatch({
owner: context.repo.owner,
repo: context.repo.repo,
workflow_id: '${{ matrix.wf_id }}',
ref: '${{ matrix.branch }}'
});
================================================
FILE: .github/workflows/test.yml
================================================
# NOTE Github Actions execution environments lack a terminal, needed for
# some integration tests. So we use `script` command to fake a terminal.
name: ci
on:
push:
tags:
- v*
branches:
- main
- release-*
pull_request:
workflow_dispatch:
permissions:
contents: read
env:
LIBPATHRS_VERSION: "0.2.4"
# Don't ignore C warnings. Note that the output of "go env CGO_CFLAGS" by default is "-g -O2", so we keep them.
CGO_CFLAGS: -g -O2 -Werror
jobs:
test:
timeout-minutes: 30
strategy:
fail-fast: false
matrix:
os: [ubuntu-24.04, ubuntu-24.04-arm]
go-version: [1.24.x, 1.25.x, 1.26.x]
libpathrs: ["libpathrs", ""]
rootless: ["rootless", ""]
race: ["-race", ""]
criu: ["", "criu-dev"]
exclude:
# Disable most of criu-dev jobs, as they are expensive
# (need to compile criu) and don't add much value/coverage.
- criu: criu-dev
go-version: 1.24.x
- criu: criu-dev
go-version: 1.25.x
- criu: criu-dev
rootless: rootless
# Do race detection only with latest stable Go version.
- race: -race
go-version: 1.24.x
- race: -race
go-version: 1.25.x
runs-on: ${{ matrix.os }}
steps:
- name: checkout
uses: actions/checkout@v6
- name: Show host info
run: |
set -x
# Sync `set -x` outputs with command outputs
exec 2>&1
# Version
uname -a
cat /etc/os-release
# Hardware
cat /proc/cpuinfo
free -mt
# cgroup
ls -F /sys/fs/cgroup
cat /proc/self/cgroup
if [ -e /sys/fs/cgroup/cgroup.controllers ]; then
cat /sys/fs/cgroup/cgroup.controllers
cat /sys/fs/cgroup/cgroup.subtree_control
ls -F /sys/fs/cgroup$(grep -oP '0::\K.*' /proc/self/cgroup)
fi
# kernel config
script/check-config.sh
- name: install deps
run: |
sudo apt update
sudo apt -y install libseccomp-dev sshfs uidmap lld
- name: install libpathrs ${{ env.LIBPATHRS_VERSION }}
if: ${{ matrix.libpathrs != '' }}
run: |
sudo -E PATH="$PATH" ./script/build-libpathrs.sh "$LIBPATHRS_VERSION" /usr
- name: remove libpathrs build tag
if: ${{ matrix.libpathrs == '' }}
run: |
echo RUNC_BUILDTAGS=-libpathrs >>"$GITHUB_ENV"
# Packaged CRIU: adds the openSUSE build-service repository for the running
# Ubuntu release and installs criu from it.
- name: install CRIU
if: ${{ matrix.criu == '' }}
env:
PREFIX: https://download.opensuse.org/repositories/devel:/tools:/criu/xUbuntu
run: |
# VERSION_ID is read from /etc/os-release to pick the matching repo directory.
REPO=${PREFIX}_$(. /etc/os-release && echo $VERSION_ID)
# NOTE(review): the signing key is fetched over HTTPS from the same host as the
# packages and placed in /etc/apt/trusted.gpg.d, where apt accepts it for every
# configured source. Storing it elsewhere and naming it with `signed-by=` in the
# sources entry below would limit it to this repository.
# NOTE(review): the last `l` in `-fSsLl` is curl's --list-only, which presumably
# has no effect on this HTTPS fetch; it looks like a typo.
curl -fSsLl $REPO/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/devel_tools_criu.gpg > /dev/null
echo "deb $REPO/ /" | sudo tee /etc/apt/sources.list.d/criu.list
sudo apt update
sudo apt -y install criu
# CRIU from source: builds and installs the branch named by matrix.criu.
- name: install CRIU (${{ matrix.criu }})
if: ${{ matrix.criu != '' }}
run: |
sudo apt -qy install \
libcap-dev libnet1-dev libnl-3-dev uuid-dev \
libprotobuf-c-dev libprotobuf-dev protobuf-c-compiler protobuf-compiler
# The branch tip is cloned, so the code built here changes from run to run;
# `make install-criu` below runs that code's build as root on the runner.
# matrix.criu is a literal from the matrix above, not event-supplied input.
git clone --depth 1 --branch ${{ matrix.criu }} --single-branch \
https://github.com/checkpoint-restore/criu.git ~/criu
(cd ~/criu && sudo make -j $(nproc) install-criu)
rm -rf ~/criu
criu --version
- name: install go ${{ matrix.go-version }}
uses: actions/setup-go@v6
with:
go-version: ${{ matrix.go-version }}
check-latest: true
- name: build
run: sudo -E PATH="$PATH" make EXTRA_FLAGS="${{ matrix.race }}" all
- name: Setup Bats and bats libs
uses: bats-core/bats-action@4.0.0
with:
bats-version: 1.12.0 # Known as BATS_VERSION in other places.
support-install: false
assert-install: false
detik-install: false
file-install: false
# Ubuntu 24.04 restricts unprivileged user namespaces through AppArmor (see the
# link below). This step copies the distro's runc profile, renames it runc-test,
# re-points it from /usr/sbin/ to the checkout directory, and loads the result.
- name: Allow userns for runc
# https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15
if: startsWith(matrix.os, 'ubuntu-24.04')
run: |
# NOTE(review): the loaded profile is keyed to a path under $PWD, a directory
# the unprivileged runner user can write to; presumably acceptable only
# because the runner is disposable.
sed "s;^profile runc /usr/sbin/;profile runc-test $PWD/;" < /etc/apparmor.d/runc | sudo apparmor_parser
- name: unit test
if: matrix.rootless != 'rootless'
run: sudo -E PATH="$PATH" -- make TESTFLAGS="${{ matrix.race }}" localunittest
- name: add rootless user
if: matrix.rootless == 'rootless'
run: |
./script/setup_rootless.sh
sudo chmod a+X $HOME # for Ubuntu 22.04 and later
- name: integration test (fs driver)
continue-on-error: ${{ matrix.criu != '' }} # Don't let criu-dev errors fail CI.
run: sudo -E PATH="$PATH" script -e -c 'make local${{ matrix.rootless }}integration'
- name: integration test (systemd driver)
continue-on-error: ${{ matrix.criu != '' }} # Don't let criu-dev errors fail CI.
run: |
# Delegate all cgroup v2 controllers to rootless user via --systemd-cgroup.
# The default (since systemd v252) is "pids memory cpu".
sudo mkdir -p /etc/systemd/system/user@.service.d
printf "[Service]\nDelegate=yes\n" | sudo tee /etc/systemd/system/user@.service.d/delegate.conf
sudo systemctl daemon-reload
# Run the tests.
sudo -E PATH="$PATH" script -e -c 'make RUNC_USE_SYSTEMD=yes local${{ matrix.rootless }}integration'
# We need to continue support for 32-bit ARM.
# However, we do not have 32-bit ARM CI, so we use i386 for testing 32bit stuff.
# We are not interested in providing official support for i386.
cross-i386:
timeout-minutes: 15
strategy:
fail-fast: false
runs-on: ubuntu-24.04
steps:
- name: checkout
uses: actions/checkout@v6
- name: install deps
run: |
sudo dpkg --add-architecture i386
# Add criu repo. The web server returns gateway timeout, thus the retry.
sudo add-apt-repository -y ppa:criu/ppa || sudo add-apt-repository -y ppa:criu/ppa
# apt-add-repository runs apt update so we don't have to.
GCC_VERSION="$(gcc -dumpversion)"
sudo apt -qy install \
lld criu \
libseccomp-dev libseccomp-dev:i386 \
libc-dev:i386 libgcc-s1:i386 libgcc-${GCC_VERSION}-dev:i386 gcc-i686-linux-gnu
# When cross-compiling, GCC 13 and earlier will look for a linker that
# is marked for cross-compilation, which the Ubuntu lld package doesn't
# provide. The solution is to create a symlink ourselves. GCC 14 fixed
# this, see <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111605>.
ln -sv "$(which ld.lld)" /usr/local/bin/i686-linux-gnu-ld.lld
- run: rustup target add i686-unknown-linux-gnu
- name: install libpathrs ${{ env.LIBPATHRS_VERSION }}
run: |
sudo -E PATH="$PATH" ./script/build-libpathrs.sh "$LIBPATHRS_VERSION" /usr 386
sudo ldconfig /usr/386/lib
- name: install go
uses: actions/setup-go@v6
with:
go-version: 1.x # Latest stable
check-latest: true
- name: unit test
env:
CC: i686-linux-gnu-gcc
PKG_CONFIG_PATH: /usr/386/lib/pkgconfig
run: sudo -E PATH="$PATH" -- make GOARCH=386 localunittest
fedora:
timeout-minutes: 30
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v6
- uses: lima-vm/lima-actions/setup@v1
id: lima-actions-setup
- uses: actions/cache@v5
with:
path: ~/.cache/lima
key: lima-${{ steps.lima-actions-setup.outputs.version }}
- name: "Start VM"
# --plain is set to disable file sharing, port forwarding, built-in containerd, etc. for faster start up
#
# CPUs: min(4, host CPU cores)
# RAM: min(4 GiB, half of host memory)
# Disk: 100 GiB
run: limactl start --plain --name=default template://fedora
- name: "Initialize VM"
run: |
set -eux -o pipefail
limactl cp -r . default:/tmp/runc
lima sudo /tmp/runc/script/setup_host_fedora.sh
- name: "Show guest info"
run: |
set -eux -o pipefail
lima uname -a
lima systemctl --version
lima df -T
lima cat /etc/os-release
lima go version
lima sestatus
lima rpm -q container-selinux
- name: "Check config"
run: lima /tmp/runc/script/check-config.sh
# NOTE the execution environment lacks a terminal, needed for
# some integration tests. So we use `ssh -tt` command to fake a terminal.
- name: "Run unit tests"
run: ssh -tt lima-default sudo -i make -C /tmp/runc localunittest
- name: "Run integration tests (systemd driver)"
run: ssh -tt lima-default sudo -i make -C /tmp/runc localintegration RUNC_USE_SYSTEMD=yes
- name: "Run integration tests (fs driver)"
run: ssh -tt lima-default sudo -i make -C /tmp/runc localintegration
- name: "Run integration tests (systemd driver, rootless)"
run: ssh -tt lima-default sudo -i make -C /tmp/runc localrootlessintegration RUNC_USE_SYSTEMD=yes
- name: "Run integration tests (fs driver, rootless)"
run: ssh -tt lima-default sudo -i make -C /tmp/runc localrootlessintegration
all-done:
needs:
- test
- cross-i386
- fedora
runs-on: ubuntu-24.04
steps:
- run: echo "All jobs completed"
================================================
FILE: .github/workflows/validate.yml
================================================
name: validate
on:
push:
tags:
- v*
branches:
- main
- release-*
pull_request:
workflow_dispatch:
permissions:
contents: read
env:
GO_VERSION: 1.25
LIBPATHRS_VERSION: "0.2.4"
jobs:
keyring:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v6
- name: check runc.keyring
run: make validate-keyring
lint:
timeout-minutes: 30
permissions:
contents: read
pull-requests: read
checks: write # to allow the action to annotate code in the PR.
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v6
with:
fetch-depth: 2
- uses: actions/setup-go@v6
with:
go-version: "${{ env.GO_VERSION }}"
- name: install deps
run: |
sudo apt -q update
sudo apt -qy install libseccomp-dev
- uses: golangci/golangci-lint-action@v9
with:
version: v2.10
skip-cache: true
# Extra linters, only checking new code from a pull request to main.
- name: lint-extra
if: github.event_name == 'pull_request' && github.base_ref == 'main'
run: |
golangci-lint run --config .golangci-extra.yml --new-from-rev=HEAD~1
modernize:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v6
with:
fetch-depth: 2
- uses: actions/setup-go@v6
with:
go-version: stable # modernize@latest may require latest Go.
- name: install deps
run: |
sudo apt -q update
sudo apt -qy install libseccomp-dev
- name: run go fix
run: |
go fix ./...
git diff --exit-code
# Applies the modernize analyzer's fixes and fails if that changes any file.
- name: run modernize
run: |
# NOTE(review): `@latest` is resolved when the job runs, so the analyzer version
# executed here is not fixed by this file or by the repository's go.mod; naming
# an explicit version would make the check reproducible and reviewable.
go run golang.org/x/tools/go/analysis/passes/modernize/cmd/modernize@latest -fix ./...
git diff --exit-code
compile-buildtags:
runs-on: ubuntu-24.04
env:
# Don't ignore C warnings. Note that the output of "go env CGO_CFLAGS" by default is "-g -O2", so we keep them.
CGO_CFLAGS: -g -O2 -Werror
steps:
- uses: actions/checkout@v6
- name: install go
uses: actions/setup-go@v6
with:
go-version: "${{ env.GO_VERSION }}"
- name: install deps
run: |
sudo apt update
sudo apt -y install libseccomp-dev lld
- name: install libpathrs ${{ env.LIBPATHRS_VERSION }}
run: |
sudo -E PATH="$PATH" ./script/build-libpathrs.sh "$LIBPATHRS_VERSION" /usr
- name: compile with no build tags
run: make BUILDTAGS=""
- name: compile with runc_nocriu build tag
run: make RUNC_BUILDTAGS="runc_nocriu"
codespell:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v6
- name: install deps
# Version of codespell bundled with Ubuntu is way old, so use pip.
run: pip install --break-system-packages codespell==v2.4.1
- name: run codespell
run: codespell
shfmt:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v6
- name: shfmt
run: make shfmt
shellcheck:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v6
# Installs a pinned shellcheck release into ~/bin and checks it against SHA256.
- name: install shellcheck
env:
VERSION: v0.11.0
BASEURL: https://github.com/koalaman/shellcheck/releases/download
SHA256: 4da528ddb3a4d1b7b24a59d4e16eb2f5fd960f4bd9a3708a15baddbdf1d5a55b
run: |
mkdir ~/bin
# SHA256 pins the extracted `shellcheck` binary, not the .tar.xz, so tar and xz
# parse the download before anything has been verified. The binary itself is
# not executed in this step; it is only used by later steps, after the check.
# NOTE(review): saving the archive, verifying an archive digest, and only then
# extracting would keep unverified data away from tar/xz as well.
curl -sSfL --retry 5 $BASEURL/$VERSION/shellcheck-$VERSION.linux.x86_64.tar.xz |
tar xfJ - -C ~/bin --strip 1 shellcheck-$VERSION/shellcheck
sha256sum --strict --check - <<<"$SHA256 *$HOME/bin/shellcheck"
# make sure to remove the old version
sudo rm -f /usr/bin/shellcheck
# Add ~/bin to $PATH.
echo ~/bin >> $GITHUB_PATH
- uses: lumaxis/shellcheck-problem-matchers@v2
- name: run
run: make shellcheck
- name: check-config.sh
run : ./script/check-config.sh
space-at-eol:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v6
- run: rm -fr vendor
- run: if git -P grep -I -n '\s$'; then echo "^^^ extra whitespace at EOL, please fix"; exit 1; fi
deps:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v6
- name: install go
uses: actions/setup-go@v6
with:
go-version: "${{ env.GO_VERSION }}"
check-latest: true
- name: verify deps
run: make verify-dependencies
- name: no toolchain in go.mod # See https://github.com/opencontainers/runc/pull/4717, https://github.com/dependabot/dependabot-core/issues/11933.
run: |
if grep -q '^toolchain ' go.mod; then echo "Error: go.mod must not have toolchain directive, please fix"; exit 1; fi
- name: no exclude nor replace in go.mod
run: |
if grep -Eq '^\s*(exclude|replace) ' go.mod; then echo "Error: go.mod must not have exclude/replace directive, it breaks go install. Please fix"; exit 1; fi
# Checks that every commit subject in a pull request is at most 72 characters.
commit:
# The job's token is limited to reading repository contents and pull requests.
permissions:
contents: read
pull-requests: read
runs-on: ubuntu-24.04
steps:
# NOTE(review): both tim-actions steps are third-party actions referenced by
# mutable tags, and the first one is handed GITHUB_TOKEN. The permissions block
# above keeps that token read-only; pinning each action to a full commit SHA
# would additionally fix the code that runs.
- name: get pr commits
if: github.event_name == 'pull_request' # Only check commits on pull requests.
id: 'get-pr-commits'
uses: tim-actions/get-pr-commits@v1.3.1
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: check subject line length
if: github.event_name == 'pull_request' # Only check commits on pull requests.
uses: tim-actions/commit-message-checker-with-regex@v0.3.2
with:
commits: ${{ steps.get-pr-commits.outputs.commits }}
# First line may hold 0 to 72 characters; any following lines are unrestricted.
pattern: '^.{0,72}(\n.*)*$'
error: 'Subject too long (max 72)'
- name: succeed (not a PR) # Allow all-done to succeed for non-PRs.
if: github.event_name != 'pull_request'
run: echo "Nothing to check here."
cfmt:
runs-on: ubuntu-24.04
steps:
- name: checkout
uses: actions/checkout@v6
- name: install deps
run: |
sudo apt -qq update
sudo apt -qqy install indent
- name: cfmt
run: |
make cfmt
git diff --exit-code
check-go:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v6
- name: check Go version
run: |
GO_VER=$(awk -F= '/^ARG\s+GO_VERSION=/ {print $2; quit}' Dockerfile)
echo "Go version used in Dockerfile: $GO_VER"
echo -n "Checking if Go $GO_VER is supported ... "
curl -fsSL https://go.dev/dl/?mode=json | jq -e 'any(.[]; .version | startswith("go'$GO_VER'"))'
echo -n "Checking if Go $GO_VER is tested against ... "
yq -e '.jobs.test.strategy.matrix.go-version | contains(["'$GO_VER'.x"])' .github/workflows/test.yml
release:
timeout-minutes: 30
runs-on: ubuntu-24.04
steps:
- name: checkout
uses: actions/checkout@v6
- name: check CHANGELOG.md
run: make verify-changelog
# We have to run this under Docker as Ubuntu (host) does not support all
# the architectures we want to compile test against, and Dockerfile uses
# Debian (which does).
#
# XXX: as currently this is the only job that is using Docker, we are
# building and using the runcimage locally. In case more jobs running
# under Docker will emerge, it will be good to have a separate make
# runcimage job and share its result (the docker image) with whoever
# needs it.
- name: build docker image
run: make runcimage
- name: make releaseall
run: make releaseall
- name: upload artifacts
uses: actions/upload-artifact@v7
with:
name: release-${{ github.run_id }}
path: release/*
get-images:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v6
# Installs a pinned bashbrew release binary into ~/bin.
- name: install bashbrew
env:
BASEURL: https://github.com/docker-library/bashbrew/releases/download
VERSION: v0.1.7
SHA256: 6b71a6fccfb2025d48a2b23324836b5513c29abfd2d16a57b7a2f89bd02fe53a
run: |
mkdir ~/bin
curl -sSfL --retry 5 -o ~/bin/bashbrew \
$BASEURL/$VERSION/bashbrew-amd64
# The digest is checked on the downloaded file before it is made executable,
# so a mismatching binary is never run.
sha256sum --strict --check - <<<"$SHA256 *$HOME/bin/bashbrew"
chmod a+x ~/bin/bashbrew
# Add ~/bin to $PATH.
echo ~/bin >> $GITHUB_PATH
- name: check that get-images.sh is up to date
run: |
cd tests/integration
./bootstrap-get-images.sh > get-images.sh
git diff --exit-code
conmon:
runs-on: ubuntu-24.04
steps:
- name: checkout
uses: actions/checkout@v6
- name: install runc and conmon deps
# XXX maybe switch to conmon/hack/github-actions-setup if the burden
# to maintain the list of needed packages here is too much to handle.
run: |
sudo apt update
sudo apt -y install libseccomp-dev libglib2.0-dev libsystemd-dev socat
- name: install libpathrs ${{ env.LIBPATHRS_VERSION }}
run: |
sudo -E PATH="$PATH" ./script/build-libpathrs.sh "$LIBPATHRS_VERSION" /usr
- name: install Go
uses: actions/setup-go@v6
with:
go-version: "${{ env.GO_VERSION }}"
- name: build runc
run: make
- name: setup bats
uses: bats-core/bats-action@4.0.0
with:
bats-version: 1.13.0 # As required by conmon in hack/github-actions-setup.
support-install: false
assert-install: false
detik-install: false
file-install: false
- name: checkout conmon
uses: actions/checkout@v6
with:
repository: containers/conmon
path: conmon
ref: v2.2.1
- name: build conmon
run: cd conmon && make
- name: run conmon tests
run: |
RUNTIME_BINARY=$(pwd)/runc ./conmon/test/run-tests.sh -j $(nproc)
all-done:
needs:
- check-go
- cfmt
- codespell
- commit
- compile-buildtags
- conmon
- deps
- get-images
- keyring
- lint
- modernize
- release
- shellcheck
- shfmt
- space-at-eol
runs-on: ubuntu-24.04
steps:
- run: echo "All jobs completed"
================================================
FILE: .gitignore
================================================
vendor/pkg
/runc
/runc-*
/tests/cmd/_bin
man/man8
release
Vagrantfile
.vagrant
================================================
FILE: .golangci-extra.yml
================================================
# This is golangci-lint config file which is used to check new code in
# github PRs only (see lint-extra in .github/workflows/validate.yml).
#
# For the default linter config, see .golangci.yml. This config should
# only enable additional linters not enabled in the default config.
version: "2"
run:
build-tags:
- seccomp
linters:
default: none
enable:
- godot
- revive
- staticcheck
settings:
staticcheck:
checks:
- all
- -QF1008 # https://staticcheck.dev/docs/checks/#QF1008 Omit embedded fields from selector expression.
================================================
FILE: .golangci.yml
================================================
version: "2"
run:
build-tags:
- seccomp
formatters:
enable:
- gofumpt
settings:
gofumpt:
extra-rules: true
linters:
enable:
- errorlint
- forbidigo
- nolintlint
- unconvert
- unparam
settings:
govet:
enable:
- nilness
staticcheck:
checks:
- all
- -ST1000 # https://staticcheck.dev/docs/checks/#ST1000 Incorrect or missing package comment.
- -ST1003 # https://staticcheck.dev/docs/checks/#ST1003 Poorly chosen identifier.
- -ST1005 # https://staticcheck.dev/docs/checks/#ST1005 Incorrectly formatted error string.
- -QF1008 # https://staticcheck.dev/docs/checks/#QF1008 Omit embedded fields from selector expression.
forbidigo:
forbid:
# os.Create implies O_TRUNC and does not use O_CREAT|O_EXCL, which can lead
# to even more severe attacks than CVE-2024-45310, where host files
# could be wiped. Always use O_EXCL or otherwise ensure we are not
# going to be tricked into overwriting host files.
- pattern: ^os\.Create$
pkg: ^os$
# os.Is* error checking functions predate errors.Is. Therefore, they
# only support errors returned by the os package and subtly fail
# to deal with other wrapped error types.
# New code should use errors.Is(err, error-type) instead.
- pattern: ^os\.Is(Exist|NotExist|Permission|Timeout)$
pkg: ^os$
analyze-types: true
exclusions:
rules:
# forbidigo lints are only relevant for main code.
- path: '(.+)_test\.go'
linters:
- forbidigo
presets:
- std-error-handling
================================================
FILE: CHANGELOG.md
================================================
# Changelog
This file documents all notable changes made to this project since runc 1.0.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [Unreleased]
### Added ###
- When building runc, `RUNC_BUILDTAGS` make or shell environment variable can
be used to add build tags and/or remove existing build tags (when a tag is
prefixed with `-`). (#5171)
### Deprecated ###
- `EXTRA_BUILDTAGS` make variable is deprecated in favor of `RUNC_BUILDTAGS`
and will be removed in runc 1.6. (#5171)
## [1.5.0-rc.1] - 2026-03-12
> 憎しみを束ねてもそれは脆い!
> [!NOTE]
> runc v1.5.0-rc.1 includes all of the patches backported to runc v1.4.1.
### libcontainer API ###
- The following deprecated Go APIs have been removed:
- `CleanPath`, `StripRoot`, and `WithProcfd` from `libcontainer/utils`. Note
that `WithProcfdFile` has not been removed (due to import cycle issues) but
is instead marked as internal in its godoc comment. (#5051)
- All of the cgroup-related types and functions from `libcontainer/configs`
which are now maintained in `github.com/opencontainers/cgroups` (#5141):
- `libcontainer/configs.Cgroup`
- `libcontainer/configs.Resources`
- `libcontainer/configs.FreezerState`
- `libcontainer/configs.LinuxRdma`
- `libcontainer/configs.BlockIODevice`
- `libcontainer/configs.WeightDevice`
- `libcontainer/configs.ThrottleDevice`
- `libcontainer/configs.HugepageLimit`
- `libcontainer/configs.IfPrioMap`
- `libcontainer/configs.Undefined`
- `libcontainer/configs.Frozen`
- `libcontainer/configs.Thawed`
- `libcontainer/configs.NewWeightDevice`
- `libcontainer/configs.NewThrottleDevice`
- `libcontainer/configs.HookList.RunHooks`. (#5141)
- `libcontainer/configs.MPOL_*` (#5141)
- All of the types in `libcontainer/devices` which are now maintained in
`github.com/opencontainers/cgroups/devices/config` (#5141):
- `libcontainer/devices.Wildcard`
- `libcontainer/devices.WildcardDevice`
- `libcontainer/devices.BlockDevice`
- `libcontainer/devices.CharDevice`
- `libcontainer/devices.FifoDevice`
- `libcontainer/devices.Device`
- `libcontainer/devices.Permissions`
- `libcontainer/devices.Type`
- `libcontainer/devices.Rule`
- `libcontainer.Process` methods (`Wait`, `Pid`, `Signal`) and
`libcontainer/configs.Config` methods (`HostUID`, `HostRootUID`, `HostGID`,
`HostRootGID`) now use pointer receivers. (#5088)
- The example code for `libcontainer` has been moved out of a `README` and into
a proper `Example*` test file that will be compile-tested by our CI. As
mentioned elsewhere, we still *do not* recommend users make use of the
`libcontainer` API directly. (#5127)
### Deprecated ###
- The `libcontainer/configs.Mount.Relabel` configuration field (used to relabel
mounts with the `z` and `Z` "pseudo" mount options) was never accessible
outside of the libcontainer API, and in practice the relabel logic has always
lived in higher level runtimes. It has been made into a no-op and the field
will be removed entirely in runc 1.7. (#5152, #5160)
### Removed ###
- The `memfd-bind` helper binary has been removed, as it has never been
particularly useful and was completely obsoleted by the changes to
`/proc/self/exe` sealing we introduced in runc [1.2.0][]. (#5141)
### Added ###
- User-namespaced containers can now configure `user.*` sysctls. (#4889)
- Intel RDT: the RDT subdirectory is now only removed if runc created it,
matching the updated runtime-spec guidance. (#3832, #5155)
### Changed ###
- Our release binaries and default build configuration now use [libpathrs][] by
default, providing better hardening against certain kinds of attacks. Users
of runc should not see any changes as a result of this, but packagers will
need to adjust their packaging accordingly. runc can still be built without
libpathrs (by building without the `libpathrs` build tag), but we currently
plan to make runc 1.6 *require* libpathrs. (#5103)
- `runc exec` will now request systemd to move the `exec` process into the
container cgroup, making the procedure more rootless-friendly. (#4822)
- seccomp: minor documentation updates. (#4902)
- Update spec conformance documentation for OCI runtime-spec v1.3.0. (#4948,
#5150)
- Our release archives now have the name `runc-$version.tar.xz` to make distro
packaging a little easier by matching the filename to the top-level directory
name in the archive. (#5052)
[libpathrs]: https://github.com/cyphar/libpathrs
## [1.4.1] - 2026-03-12
> La guerre n'est pas une aventure. La guerre est une maladie. Comme le typhus.
### Deprecated ###
- `libcontainer/configs.MPOL_*` constants added in runc [1.4.0][]. (#5110,
#5055)
### Added ###
- Preliminary `loong64` support. (#5062, #4938)
### Fixed ###
- libct: fix panic in `initSystemdProps` when processing certain systemd
properties in the OCI spec. (#5161, #5133)
- libct: fix several file descriptor leaks on error paths. (#5168, #5009)
- Remove unnecessary `crypto/tls` dependency by open-coding the systemd socket
activation logic, allowing us to more easily avoid false positive CVE
warnings. (#5093, #5057)
- Remove legacy `os.Is*` error usage, improving error type detection to make
our error fallback paths more robust. (#5162, #5061)
- Go 1.26 has started enforcing a restriction of `os/exec.Cmd` which caused
issues with our usage of `CLONE_INTO_CGROUP` (on newer kernels). This has now
been resolved. (#5116, #5091)
- Recursive `atime`-related mount flags (`rrelatime` et al.) are now applied
properly. (#5114, #5098)
- Fix a regression in `runc exec` due to `CLONE_INTO_CGROUP` in the
(inadvisable) scenario where a container is configured without cgroup
namespaces and with `/sys/fs/cgroup` mounted `rw`. (#5117, #5101)
- On machines with more than 1024 CPU cores, our logic for resetting the CPU
affinity will now correctly reset the affinity onto _all_ available cores
(not just the first 1024). (#5149, #5025)
- PR #4757 caused a regression that resulted in spurious `cannot start a
container that has stopped` errors when running `runc create` and has thus
been reverted. (#5157, #5153, #5151, #4645, #4757)
### Changed ###
- Previously we made an attempt to make our `runc.armhf` release binaries work
with ARMv6 (which would allow runc to work on the original Raspberry Pi).
Unfortunately, this has effectively always been broken (because we
cross-compile `libseccomp` within a Debian container and statically link to
it) and so we are now officially matching [the Debian definition of `armhf`][debian-armhf]
(that is, ARMv7). (#5167, #5103)
- Minor signing keyring updates. (#5147, #5139, #5144, #5148)
[debian-armhf]: https://wiki.debian.org/ArmHardFloatPort
### Added ###
- Support for specs.LinuxSeccompFlagWaitKillableRecv. (#5172)
## [1.4.0] - 2025-11-27
> 路漫漫其修远兮,吾将上下而求索!
### Deprecated ###
- Deprecate cgroup v1. (#4956)
- Deprecate `CleanPath`, `StripRoot`, `WithProcfd`, and `WithProcfdFile` from
`libcontainer/utils`. (#4985)
### Breaking ###
- The handling of `pids.limit` has been updated to match the newer guidance
from the OCI runtime specification. In particular, now a maximum limit value
of `0` will be treated as an actual limit (due to limitations with systemd,
it will be treated the same as a limit value of `1`). We only expect users
that explicitly set `pids.limit` to `0` will see a behaviour change.
(opencontainers/cgroups#48, #4949)
### Fixed ###
- cgroups: provide iocost statistics for cgroupv2. (opencontainers/cgroups#43)
- cgroups: retry DBus connection when it fails with EAGAIN.
(opencontainers/cgroups#45)
- cgroups: improve `cpuacct.usage_all` resilience when parsing data from
patched kernels (such as the Tencent kernels). (opencontainers/cgroups#46,
opencontainers/cgroups#50)
- libct: close child fds on `prepareCgroupFD` error. (#4936)
- libct: fix mips compilation. (#4962, #4967)
- When configuring a `tmpfs` mount, only set the `mode=` argument if the target
path already existed. This fixes a regression introduced in our
[CVE-2025-52881][] mitigation patches. (#4971, #4973, #4976)
- Fix various file descriptor leaks and add additional tests to detect them as
comprehensively as possible. (#5007, #5021, #5026, #5034)
- The "hallucination" helpers added as part of the [CVE-2025-52881][]
mitigation have been made more generic and now apply to all of our `pathrs`
helper functions, which should ensure we will not regress dangling symlink
users. (#4985)
### Changed
- libct: switch to `(*CPUSet).Fill`. (#4927)
- docs/spec-conformance.md: update for spec v1.3.0. (#4948)
- Errors from `runc init` have historically been quite painful to understand
and debug; we have made several improvements to make them more comprehensive
and thus useful when debugging issues. (#5040, #4951, #4928)
[CVE-2025-52881]: https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm
## [1.3.4] - 2025-11-27
> Take me to your heart, take me to your soul.
### Fixed
* libct: fix mips compilation. (#4962, #4966)
* When configuring a `tmpfs` mount, only set the `mode=` argument if the
target path already existed. This fixes a regression introduced in our
[CVE-2025-52881][] mitigation patches. (#4971, #4973, #4976)
* Fix various file descriptor leaks and add additional tests to detect them as
comprehensively as possible. (#5007, #5021, #5026, #5034)
### Changed
* Downgrade `github.com/cyphar/filepath-securejoin` dependency to `v0.5.2`,
which should make it easier for some downstreams to import `runc` without
pulling in too many extra packages. (#5028)
[CVE-2025-52881]: https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm
## [1.2.9] - 2025-11-27
> Stars hide your fires, let me rest tonight.
### Fixed
* libct: fix mips compilation. (#4962, #4965)
* When configuring a `tmpfs` mount, only set the `mode=` argument if the
target path already existed. This fixes a regression introduced in our
[CVE-2025-52881][] mitigation patches. (#4971, #4974)
* Fix various file descriptor leaks and add additional tests to detect them as
comprehensively as possible. (#5007, #5021, #5026, #5027)
### Changed
* Downgrade `github.com/cyphar/filepath-securejoin` dependency to `v0.5.2`,
which should make it easier for some downstreams to import `runc` without
pulling in too many extra packages. (#5027)
[CVE-2025-52881]: https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm
## [1.4.0-rc.3] - 2025-11-05
> その日、人類は思い出した。
### Security
This release includes fixes for the following high-severity security issues:
* [CVE-2025-31133][] exploits an issue with how masked paths are implemented in
runc. When masking files, runc will bind-mount the container's `/dev/null`
inode on top of the file. However, if an attacker can replace `/dev/null`
with a symlink to some other procfs file, runc will instead bind-mount the
symlink target read-write. This issue affected all known runc versions.
* [CVE-2025-52565][] is very similar in concept and application to
[CVE-2025-31133][], except that it exploits a flaw in `/dev/console`
bind-mounts. When creating the `/dev/console` bind-mount (to `/dev/pts/$n`),
if an attacker replaces `/dev/pts/$n` with a symlink then runc will
bind-mount the symlink target over `/dev/console`. This issue affected all
versions of runc >= 1.0.0-rc3.
* [CVE-2025-52881][] is a more sophisticated variant of [CVE-2019-19921][],
which was a flaw that allowed an attacker to trick runc into writing the LSM
process labels for a container process into a dummy tmpfs file and thus not
apply the correct LSM labels to the container process. The mitigation we
applied for [CVE-2019-19921][] was fairly limited and effectively only caused
runc to verify that, when we write LSM labels, the files they are written to
are actual procfs files. This issue affects all known runc versions.
### Fixed
* Switched to `(*CPUSet).Fill` rather than our hacky optimisation when
resetting the CPU affinity of runc. (#4926, #4927)
* Correctly close child fds during `(*setns).start` if an error occurs.
(#4930, #4936)
[CVE-2019-19921]: https://github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw
[CVE-2025-31133]: https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2
[CVE-2025-52565]: https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r
[CVE-2025-52881]: https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm
## [1.3.3] - 2025-11-05
> 奴らに支配されていた恐怖を
### Security
This release includes fixes for the following high-severity security issues:
* [CVE-2025-31133][] exploits an issue with how masked paths are implemented in
runc. When masking files, runc will bind-mount the container's `/dev/null`
inode on top of the file. However, if an attacker can replace `/dev/null`
with a symlink to some other procfs file, runc will instead bind-mount the
symlink target read-write. This issue affected all known runc versions.
* [CVE-2025-52565][] is very similar in concept and application to
[CVE-2025-31133][], except that it exploits a flaw in `/dev/console`
bind-mounts. When creating the `/dev/console` bind-mount (to `/dev/pts/$n`),
if an attacker replaces `/dev/pts/$n` with a symlink then runc will
bind-mount the symlink target over `/dev/console`. This issue affected all
versions of runc >= 1.0.0-rc3.
* [CVE-2025-52881][] is a more sophisticated variant of [CVE-2019-19921][],
which was a flaw that allowed an attacker to trick runc into writing the LSM
process labels for a container process into a dummy tmpfs file and thus not
apply the correct LSM labels to the container process. The mitigation we
applied for [CVE-2019-19921][] was fairly limited and effectively only caused
runc to verify that, when we write LSM labels, the files they are written to
are actual procfs files. This issue affects all known runc versions.
### Added
* `runc update` now supports configuring per-device weights and iops. (#4775,
#4807, #4825, #4931)
[CVE-2019-19921]: https://github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw
[CVE-2025-31133]: https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2
[CVE-2025-52565]: https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r
[CVE-2025-52881]: https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm
## [1.2.8] - 2025-11-05
> 鳥籠の中に囚われた屈辱を
### Security
This release includes fixes for the following high-severity security issues:
* [CVE-2025-31133][] exploits an issue with how masked paths are implemented in
runc. When masking files, runc will bind-mount the container's `/dev/null`
inode on top of the file. However, if an attacker can replace `/dev/null`
with a symlink to some other procfs file, runc will instead bind-mount the
symlink target read-write. This issue affected all known runc versions.
* [CVE-2025-52565][] is very similar in concept and application to
[CVE-2025-31133][], except that it exploits a flaw in `/dev/console`
bind-mounts. When creating the `/dev/console` bind-mount (to `/dev/pts/$n`),
if an attacker replaces `/dev/pts/$n` with a symlink then runc will
bind-mount the symlink target over `/dev/console`. This issue affected all
versions of runc >= 1.0.0-rc3.
* [CVE-2025-52881][] is a more sophisticated variant of [CVE-2019-19921][],
which was a flaw that allowed an attacker to trick runc into writing the LSM
process labels for a container process into a dummy tmpfs file and thus not
apply the correct LSM labels to the container process. The mitigation we
applied for [CVE-2019-19921][] was fairly limited and effectively only caused
runc to verify that, when we write LSM labels, the files they are written to
are actual procfs files. This issue affects all known runc versions.
[CVE-2019-19921]: https://github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw
[CVE-2025-31133]: https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2
[CVE-2025-52565]: https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r
[CVE-2025-52881]: https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm
## [1.4.0-rc.2] - 2025-10-10
> 私の役目は信じるかどうかではない。行うかどうかだ。
### libcontainer API
* The deprecated `libcontainer/userns` package has been removed; use
`github.com/moby/sys/userns` instead. (#4910, #4911)
### Added
* Allow setting `user.*` sysctls for user-namespaced containers, as they are
namespaced and thus safe to configure. (#4889, #4892)
* Add support for using `clone3(2)`'s `CLONE_INTO_CGROUP` flag when
configuring the `runc exec` process. This also included some internal
changes to how we add processes to containers. (#4822, #4812, #4920)
* Add support for configuring the NUMA memory policy for a container with
`set_mempolicy(2)`. (opencontainers/runtime-spec#1282, #4726, #4915)
* Add support for `intelRdt.schemata` to allow for configuration of all
schemas in `resctrl`. (opencontainers/runtime-spec#1230, #4830, #4915)
* Add support for `intelRdt.enableMonitoring` to allow for per-container
`resctrl` monitoring. This replaces the old `intelRdt.enableCMT` and
`intelRdt.enableMBM` options which were never implemented by runc and have
been removed from the runtime-spec. (opencontainers/runtime-spec#1287,
#4832, #4921)
### Fixed
* Configure `personality(2)` before applying seccomp profiles. (#4900, #4903)
* Fixed integration test failure on ppc64, caused by 64K page size so the
kernel was rounding memory limit to 64K. (#4841, #4895, #4893)
* seccompagent: fix fd close loop to prevent closing stdio in the error path.
(#4913, #4923)
## [1.4.0-rc.1] - 2025-09-05
> おめェもボスになったんだろぉ?
This version of runc requires Go 1.24 to build.
### libcontainer API
- The deprecated `libcontainer/user` package has been removed; use
`github.com/moby/sys/user` instead. (#3999, #4617)
- `libcontainer/apparmor` variables containing public functions have been
switched to wrapper functions. (#4725)
### Breaking
- runc update no longer allows `--l3-cache-schema` or `--mem-bw-schema` if
`linux.intelRdt` was not present in the container’s original `config.json`.
Without `linux.intelRdt` no CLOS (resctrl group) is created at container
creation, so it is not possible to apply the updated options with `runc
update`.
Previously, this scenario did not work as expected. The `runc update` would
create a new CLOS but fail to apply the schema, move only the init process
(omitting children) to the new group, and leave the CLOS orphaned after
container exit. (#4827)
- The deprecated `--criu` flag has been removed entirely; instead, the `criu`
binary in `$PATH` will be used. (#4722)
### Added
* runc now supports the `linux.netDevices` field to allow for devices to be
moved into container network namespaces seamlessly. (#4538)
* `runc update` now supports per-device weight and iops cgroup limits. (#4775)
* intel rdt: allow explicit assignment to root CLOS. (#4854)
### Fixed
* Container processes will no longer inherit the CPU affinity of runc by
default. Instead, the default CPU affinity of container processes will be
the largest set of CPUs permitted by the container's cpuset cgroup and any
other system restrictions (such as isolated CPUs). (#4041, #4815, #4858)
* Use `chown(uid, -1)` when configuring the console inode, to avoid issues
with unmapped GIDs. (#4679)
* Add logging for the cases where failed keyring operations are ignored during
setup. (#4676)
* Optimise `runc exec` by avoiding calling into SELinux's `Set.*Label` when
`processLabel` is not set. (#4354)
* Fix mips64 builds for remap-rootfs. (#4723)
* Setting `linux.rootfsPropagation` to `shared` or `unbindable` now functions
properly. (#1755, #1815, #4724)
* runc delete and runc stop can now correctly handle cases where runc
create was killed during setup. Previously it was possible for the
container to be in such a state that neither runc stop nor runc
delete would be able to kill or delete the container. (#4534,
#4645, #4757)
* Close seccomp agent connection to prevent resource leaks. (#4796)
* `runc update` will no longer clear intelRdt state information. (#4828)
* runc will now error out earlier if intelRdt is not enabled. (#4829)
* Improve filesystem operations within intelRdt manager. (#4840, #4831)
* Resolve a certain race between `runc create` and `runc delete` that would
previously result in spurious errors. (#4735)
* CI: skip bpf tests on misbehaving udev systems. (#4825)
### Changes
* Use Go's built-in `pidfd_send_signal(2)` support when available. (#4666)
* Make `state.json` 25% smaller. (#4685)
* Migrate to Go 1.22+ features. (#4687, #4703)
* Provide private wrappers around common syscalls to make `-EINTR` handling
less cumbersome for the rest of runc. (#4697)
* Ignore the dmem controller in our cgroup tests, as systemd does not
yet support it. (#4806)
* `/proc/net/dev` is no longer included in the permitted procfs overmount
list. Its inclusion was almost certainly an error, and because
`/proc/net` is a symlink to `/proc/self/net`, overmounting this was
almost certainly never useful (and will be blocked by future kernel
versions). (#4817)
* Simplify the prepareCriuRestoreMounts logic for checkpoint-restore.
(#4765)
* Bump minimum Go version to 1.24. (#4851)
* CI: migrate virtualised Fedora tests from Vagrant + Cirrus to Lima + GHA. We
still use Cirrus for the AlmaLinux tests, since they can be run without
virtualisation. (#4664)
* CI: install fewer dependencies (#4671), bump shellcheck and bats versions
(#4670).
* CI: remove `toolchain` from `go.mod` and add a CI check to make sure it's
never added accidentally. (#4717, #4721)
* CI: do not allow `exclude` or `replace` directives in `go.mod`, to make sure
that `go install` doesn't get accidentally broken. (#4750)
* CI: fix exclusion rules and allow us to run jobs manually. (#4760)
* CI: Switch to GitHub-hosted ARM runners. Thanks again to @alexellis
for supporting runc's ARM CI up until now. (#4844, #4856)
* Various dependency updates. (#4659, #4658, #4662, #4663, #4689, #4694,
#4702, #4701, #4707, #4710, #4746, #4756, #4751, #4758, #4764, #4768, #4779,
#4783, #4785, #4801, #4808, #4803, #4839, #4846, #4847, #4845, #4850, #4861,
#4860)
## [1.3.2] - 2025-10-02
> Ночь, улица, фонарь, аптека...
### Changed
* The conversion from cgroup v1 CPU shares to cgroup v2 CPU weight is
improved to better fit default v1 and v2 values. (#4772, #4785, #4897)
* Dependency github.com/opencontainers/cgroups updated from v0.0.1 to
v0.0.4. (#4897)
### Fixed
* runc state: fix occasional "cgroup.freeze: no such device" error.
(#4798, #4808, #4897)
* Fixed integration test failure on ppc64, caused by 64K page size so the
kernel was rounding memory limit to 64K. (#4841, #4895, #4893)
## [1.3.1] - 2025-09-05
> この瓦礫の山でよぉ
### Fixed
* Container processes will no longer inherit the CPU affinity of runc by
default. Instead, the default CPU affinity of container processes will be
the largest set of CPUs permitted by the container's cpuset cgroup and any
other system restrictions (such as isolated CPUs). (#4041, #4815, #4858)
* Setting `linux.rootfsPropagation` to `shared` or `unbindable` now functions
properly. (#1755, #1815, #4724, #4789)
* Close seccomp agent connection to prevent resource leaks. (#4796, #4799)
* `runc delete` and `runc stop` can now correctly handle cases where `runc
create` was killed during setup. Previously it was possible for the
container to be in such a state that neither `runc stop` nor `runc delete`
would be able to kill or delete the container. (#4534, #4645, #4757,
#4793)
* `runc update` will no longer clear intelRdt state information. (#4828,
#4833)
* CI: Fix exclusion rules and allow us to run jobs manually. (#4760, #4763)
### Changed
* Improvements to the deprecation warnings as part of the
`github.com/opencontainers/cgroups` split. (#4784, #4788)
* Ignore the dmem controller in our cgroup tests, as systemd does not yet
support it. (#4806, #4811)
* `/proc/net/dev` is no longer included in the permitted procfs overmount
list. Its inclusion was almost certainly an error, and because `/proc/net`
is a symlink to `/proc/self/net`, overmounting this was almost certainly
never useful (and will be blocked by future kernel versions). (#4817, #4820)
* Simplify the `prepareCriuRestoreMounts` logic for checkpoint-restore.
(#4765, #4871)
* CI: Bump `golangci-lint` to v2.1. (#4747, #4754)
* CI: Switch to GitHub-hosted ARM runners. Thanks again to @alexellis for
supporting runc's ARM CI up until now. (#4844, #4856, #4866)
## [1.3.0] - 2025-04-30
> Mr. President, we must not allow a mine shaft gap!
### Fixed
* Removed preemptive "full access to cgroups" warning when calling `runc
pause` or `runc unpause` as an unprivileged user without
`--systemd-cgroups`. Now the warning is only emitted if an actual permission
error was encountered. (#4709)
* Several fixes to our CI, mainly related to AlmaLinux and CRIU. (#4670,
#4728, #4736)
### Changed
* In runc 1.2, we changed our mount behaviour to correctly handle clearing
flags. However, the error messages we returned did not provide as much
information to users about what clearing flags were conflicting with locked
mount flags. We now provide more diagnostic information if there is an error
when in the fallback path to handle locked mount flags. (#4734)
* Upgrade our CI to use golangci-lint v2.0. (#4692)
* `runc version` information is now filled in using `//go:embed` rather than
being set through `Makefile`. This allows `go install` or other non-`make`
builds to contain the correct version information. Note that `make
EXTRA_VERSION=...` still works. (#418)
* Remove `exclude` directives from our `go.mod` for broken `cilium/ebpf`
versions. `v0.17.3` resolved the issue we had, and `exclude` directives are
incompatible with `go install`. (#4748)
## [1.3.0-rc.2] - 2025-04-10
> Eppur si muove.
### Fixed
* Use the container's `/etc/passwd` to set the `HOME` env var. After a refactor
for 1.3, we were setting it reading the host's `/etc/passwd` file instead.
(#4693, #4688)
* Override `HOME` env var if it's set to the empty string. This fixes a
regression after the same refactor for 1.3 and aligns the behavior with older
versions of runc. (#4711)
* Add time namespace to container config after checkpoint/restore. CRIU since
version 3.14 uses a time namespace for checkpoint/restore, however it was not
joining the time namespace in runc. (#4705)
## [1.3.0-rc.1] - 2025-03-04
> No tengo miedo al invierno, con tu recuerdo lleno de sol.
### libcontainer API
* `configs.CommandHook` struct has changed, Command is now a pointer.
Also, `configs.NewCommandHook` now accepts a `*Command`. (#4325)
* The `Process` struct has `User` string field replaced with numeric
`UID` and `GID` fields, and `AdditionalGroups` changed its type from
`[]string` to `[]int`. Essentially, resolution of user and group
names to IDs is no longer performed by libcontainer, so if a libcontainer
user previously relied on this feature, now they have to convert names to
IDs before calling libcontainer; it is recommended to use Go package
github.com/moby/sys/user for that. (#3999)
* Move libcontainer/cgroups to a separate repository. (#4618)
### Fixed
* `runc exec -p` no longer ignores specified `ioPriority` and `scheduler`
settings. Similarly, libcontainer's `Container.Start` and `Container.Run`
methods no longer ignore `Process.IOPriority` and `Process.Scheduler`
settings. (#4585)
* We no longer use `F_SEAL_FUTURE_WRITE` when sealing the runc binary, as it
turns out this had some unfortunate bugs in older kernel versions and was
never necessary in the first place. (#4641, #4640)
* runc now uses a more flexible method of joining namespaces, which better
matches the behaviour of `nsenter(8)`. This is mainly useful for users that
create a container with a runc-managed user namespace but want the container
to join some externally-managed namespace as well. (#4492)
* `runc` now properly handles joining time namespaces (such as with `runc
exec`). Previously we would attempt to set the time offsets when joining,
which would fail. (#4635, #4636)
* Handle `EINTR` retries correctly for socket-related direct
`golang.org/x/sys/unix` system calls. (#4637)
* Handle `close_range(2)` errors more gracefully. (#4596)
* Fix a stall issue that would happen if setting `O_CLOEXEC` with
`CloseExecFrom` failed (#4599).
* Handle errors on older kernels when resetting ambient capabilities more
gracefully. (#4597)
### Changed
* runc now has an official release policy to help provide more consistency
around our release schedules and better define our support policy for old
release branches. See `RELEASES.md` for more details. (#4557)
* Improved performance by switching to `strings.Cut` where appropriate.
(#4470)
* The minimum Go version of runc is now Go 1.23. (#4598)
* Updated builds to libseccomp v2.5.6. (#4625)
### Added
* runc has been updated to support OCI runtime-spec 1.2.1. (#4653)
* CPU affinity support for `runc exec`. (#4327)
* CRIU support can be disabled using the build tag `runc_nocriu`. (#4546)
* Support to get the pidfd of the container via CLI flag `pidfd-socket`.
(#4045)
* Support `skip-in-flight` and `link-remap` options for CRIU. (#4627)
* Support cgroup v1 mounted with `noprefix`. (#4513)
## [1.2.7] - 2025-09-05
> さんをつけろよデコ助野郎!
### Fixed
* Removed preemptive "full access to cgroups" warning when calling `runc
pause` or `runc unpause` as an unprivileged user without
`--systemd-cgroups`. Now the warning is only emitted if an actual permission
error was encountered. (#4709, #4720)
* Add time namespace to container config after checkpoint/restore. CRIU since
version 3.14 uses a time namespace for checkpoint/restore, however it was
not joining the time namespace in runc. (#4696, #4714)
* Container processes will no longer inherit the CPU affinity of runc by
default. Instead, the default CPU affinity of container processes will be
the largest set of CPUs permitted by the container's cpuset cgroup and any
other system restrictions (such as isolated CPUs). (#4041, #4815, #4858)
* Close seccomp agent connection to prevent resource leaks. (#4796, #4800)
* Several fixes to our CI, mainly related to AlmaLinux and CRIU. (#4670,
#4728, #4736, #4742)
* Setting `linux.rootfsPropagation` to `shared` or `unbindable` now functions
properly. (#1755, #1815, #4724, #4791)
* `runc update` will no longer clear intelRdt state information. (#4828,
#4834)
### Changed
* In runc 1.2, we changed our mount behaviour to correctly handle clearing
flags. However, the error messages we returned did not provide as much
information to users about what clearing flags were conflicting with locked
mount flags. We now provide more diagnostic information if there is an error
when in the fallback path to handle locked mount flags. (#4734, #4740)
* Ignore the dmem controller in our cgroup tests, as systemd does not yet
support it. (#4806, #4811)
* `/proc/net/dev` is no longer included in the permitted procfs overmount
list. Its inclusion was almost certainly an error, and because `/proc/net`
is a symlink to `/proc/self/net`, overmounting this was almost certainly
never useful (and will be blocked by future kernel versions). (#4817, #4820)
* CI: Switch to GitHub-hosted ARM runners. Thanks again to @alexellis for
supporting runc's ARM CI up until now. (#4844, #4856, #4867)
* Simplify the `prepareCriuRestoreMounts` logic for checkpoint-restore.
(#4765, #4872)
## [1.2.6] - 2025-03-17
> Hasta la victoria, siempre.
### Fixed
* Fix a stall issue that would happen if setting `O_CLOEXEC` with
`CloseExecFrom` failed (#4647).
* `runc` now properly handles joining time namespaces (such as with `runc
exec`). Previously we would attempt to set the time offsets when joining,
which would fail. (#4635, #4649)
* Handle `EINTR` retries correctly for socket-related direct
`golang.org/x/sys/unix` system calls. (#4650)
* We no longer use `F_SEAL_FUTURE_WRITE` when sealing the runc binary, as it
turns out this had some unfortunate bugs in older kernel versions and was
never necessary in the first place. (#4651, #4640)
### Removed
* Remove `Fexecve` helper from `libcontainer/system`. Runc 1.2.1 removed
runc-dmz, but we forgot to remove this helper added only for that. (#4646)
### Changed
* Use Go 1.23 for official builds, run CI with Go 1.24 and drop Ubuntu 20.04
from CI. We need to drop Ubuntu 20.04 from CI because GitHub Actions
announced that it is already deprecated and will be discontinued soon. (#4648)
## [1.2.5] - 2025-02-13
> Мороз и солнце; день чудесный!
### Fixed
* There was a regression in systemd v230 which made the way we define device
rule restrictions require a systemctl daemon-reload for our transient
units. This caused issues for workloads using NVIDIA GPUs. Work around the
upstream regression by re-arranging how the unit properties are defined.
(#4568, #4612, #4615)
* Dependency github.com/cyphar/filepath-securejoin is updated to v0.4.1,
allowing projects that vendor runc to bump it as well. (#4608)
* CI: fixed criu-dev compilation. (#4611)
### Changed
* Dependency golang.org/x/net is updated to 0.33.0. (#4632)
## [1.2.4] - 2025-01-07
> Христос се роди!
### Fixed
* Re-add tun/tap devices to built-in allowed devices lists.
In runc 1.2.0 we removed these devices from the default allow-list (which
were added seemingly by accident early in Docker's history) as a precaution
in order to try to reduce the attack surface of device inodes available to
most containers (#3468). At the time we thought that the vast majority of
users using tun/tap would already be specifying what devices they need (such
as by using `--device` with Docker/Podman) as opposed to doing the `mknod`
manually, and thus there would've been no user-visible change.
Unfortunately, it seems that this regressed a noticeable number of users
(and not all higher-level tools provide easy ways to specify devices to
allow) and so this change needed to be reverted. Users that do not need
these devices are recommended to explicitly disable them by adding deny
rules in their container configuration. (#4555, #4556)
## [1.2.3] - 2024-12-12
> Winter is not a season, it's a celebration.
### Fixed
* Fixed a regression in use of securejoin.MkdirAll, where multiple
runc processes racing to create the same mountpoint in a shared rootfs
would result in spurious EEXIST errors. In particular, this regression
caused issues with BuildKit. (#4543, #4550)
* Fixed a regression in eBPF support for pre-5.6 kernels after upgrading
Cilium's eBPF library version to 0.16 in runc. (#3008, #4548, #4551)
## [1.2.2] - 2024-11-15
> Specialization is for insects.
### Fixed
* Fixed the failure of `runc delete` on a rootless container with no
dedicated cgroup on a system with read-only `/sys/fs/cgroup` mount.
This is a regression in runc 1.2.0, causing a failure when using
rootless buildkit. (#4518, #4531)
* Using runc on a system where /run/runc and /usr/bin are on different
filesystems no longer results in harmless but annoying messages
("overlayfs: "xino" feature enabled using 3 upper inode bits")
appearing in the kernel log. (#4508, #4530)
### Changed
* Better memfd-bind documentation. (#4530)
* CI: bump Fedora 40 -> 41. (#4528)
## [1.2.1] - 2024-11-01
> No existe una escuela que enseñe a vivir.
### Fixed
* runc now becomes root after joining an existing user namespace. Otherwise,
runc would not have permissions to configure some mounts when running under
SELinux and runc is not creating the user namespace. (#4466, #4477)
### Removed
* Remove dependency on `golang.org/x/sys/execabs` from go.mod. (#4480)
* Remove runc-dmz, which had many limitations and is mostly made obsolete by
the new protection mechanism added in v1.2.0. Note that runc-dmz was
available only in the 1.2.0 release and required setting an environment
variable to opt in. (#4488)
### Added
* The `script/check-config.sh` script now checks for overlayfs support. (#4494)
* When using cgroups v2, allow to set or update memory limit to "unlimited"
and swap limit to a specific value. (#4501)
## [1.2.0] - 2024-10-22
> できるときにできることをやるんだ。それが今だ。
### Added
* In order to alleviate the remaining concerns around the memory usage and
(arguably somewhat unimportant, but measurable) performance overhead of
memfds for cloning `/proc/self/exe`, we have added a new protection using
`overlayfs` that is used if you have enough privileges and the running
kernel supports it. It has effectively no performance nor memory overhead
(compared to no cloning at all). (#4448)
### Fixed
* The original fix for [CVE-2024-45310][cve-2024-45310] was intentionally very
limited in scope to make it easier to review, however it also did not handle
all possible `os.MkdirAll` cases and thus could lead to regressions. We have
switched to the more complete implementation in the newer versions of
`github.com/cyphar/filepath-securejoin`. (#4393, #4400, #4421, #4430)
* In certain situations (a system with lots of mounts or racing mounts) we
could accidentally end up leaking mounts from the container into the host.
This has been fixed. (#4417)
* The fallback logic for `O_TMPFILE` clones of `/proc/self/exe` had a minor
bug that would cause us to miss non-`noexec` directories and thus fail to
start containers on some systems. (#4444)
* Sometimes the cloned `/proc/self/exe` file descriptor could be placed in a
way that it would get clobbered by the Go runtime. We already had a fix for
this, but it turned out that it could still break in rare circumstances; this
has now been fixed. (#4294, #4452)
### Changed
* It is not possible for `runc kill` to work properly in some specific
configurations (such as rootless containers with no cgroups and a shared pid
namespace). We now output a warning for such configurations. (#4398)
* memfd-bind: update the documentation and make path handling with the systemd
unit more idiomatic. (#4428)
* We now use v0.16 of Cilium's eBPF library, including fixes that quite a few
downstreams asked for. (#4397, #4396)
* Some internal `runc init` synchronisation that was no longer necessary (due
to the `/proc/self/exe` cloning move to Go) was removed. (#4441)
[cve-2024-45310]: https://github.com/opencontainers/runc/security/advisories/GHSA-jfvp-7x6p-h2pv
## [1.2.0-rc.3] - 2024-09-02
> The supreme happiness of life is the conviction that we are loved.
### Security
* Fix [CVE-2024-45310][cve-2024-45310], a low-severity attack that allowed
maliciously configured containers to create empty files and directories on
the host.
### Added
* Document build prerequisites for different platforms. (#4353)
### Fixed
* Try to delete exec fifo file when failure in creation. (#4319)
* Revert "libcontainer: seccomp: pass around *os.File for notifyfd". (#4337)
* Fix link to gvariant documentation in systemd docs. (#4369)
### Changed
* Remove pre-go1.17 build-tags. (#4329)
* libct/userns: assorted (godoc) improvements. (#4330)
* libct/userns: split userns detection from internal userns code. (#4331)
* rootfs: consolidate mountpoint creation logic. (#4359)
* Add Go 1.23, drop 1.21. (#4360)
* Revert "allow overriding VERSION value in Makefile" and add `EXTRA_VERSION`.
(#4370)
* Mv contrib/cmd tests/cmd (except memfd-bind). (#4377)
* Makefile: Don't read COMMIT, BUILDTAGS, `EXTRA_BUILDTAGS` from env vars.
(#4380)
[cve-2024-45310]: https://github.com/opencontainers/runc/security/advisories/GHSA-jfvp-7x6p-h2pv
## [1.2.0-rc.2] - 2024-06-26
> TRUE or FALSE, it's a problem!
### Important Notes
* libcontainer/cgroups users who want to manage cgroup devices need to explicitly
import libcontainer/cgroups/devices. (#3452, #4248)
* If building with Go 1.22.x, make sure to use 1.22.4 or a later version.
(see #4233 for more details)
### Added
* CI: add actuated-arm64. (#4142, #4252, #4276)
### Fixed
* cgroup v2: do not set swap to 0 or unlimited when it's not available. (#4188)
* Set the default value of CpuBurst to nil instead of 0. (#4210, #4211)
* libct/cg: write unified resources line by line. (#4186)
* libct.Start: fix locking, do not allow a second container init. (#4271)
* Fix tests in debian testing (mount_sshfs.bats). (#4245)
* Fix codespell warnings. (#4291)
* libct/cg/dev: fix TestSetV1Allow panic. (#4295)
* tests/int/scheduler: require smp. (#4298)
### Changed
* libct/cg/fs: don't write cpu_burst twice on ENOENT. (#4259)
* Make trimpath optional. (#3908)
* Remove unused system.Execv. (#4268)
* Stop blacklisting Go 1.22+, drop Go < 1.21 support, use Go 1.22 in CI. (#4292)
* Improve some error messages for runc exec. (#4320)
* ci/gha: bump golangci-lint[-action]. (#4255)
* tests/int/tty: increase the timeout. (#4260)
* [ci] use go mod instead of go get in spec.bats. (#4264)
* tests/int/checkpoint: rm double logging. (#4251)
* .cirrus.yml: rm FIXME from rootless fs on CentOS 7. (#4279)
* Dockerfile: bump Debian to 12, Go to 1.21. (#4296)
* ci/gha: switch to ubuntu 24.04. (#4286)
* Vagrantfile.fedora: bump to F40. (#4285)
## [1.2.0-rc.1] - 2024-04-03
> There's a frood who really knows where his towel is.
`runc` now requires a minimum of Go 1.20 to compile.
> **NOTE**: runc currently will not work properly when compiled with Go 1.22 or
> newer. This is due to some unfortunate glibc behaviour that Go 1.22
> exacerbates in a way that results in containers not being able to start on
> some systems. [See this issue for more information.][runc-4233]
[runc-4233]: https://github.com/opencontainers/runc/issues/4233
### Breaking
* Several aspects of how mount options work have been adjusted in a way that
could theoretically break users that have very strange mount option strings.
This was necessary to fix glaring issues in how mount options were being
treated. The key changes are:
- Mount options on bind-mounts that clear a mount flag are now always
applied. Previously, if a user requested a bind-mount with only clearing
options (such as `rw,exec,dev`) the options would be ignored and the
original bind-mount options would be set. Unfortunately this also means
that container configurations which specified only clearing mount options
will now actually get what they asked for, which could break existing
containers (though it seems unlikely that a user who requested a specific
mount option would consider it "broken" to get the mount options they
asked for). This also allows us to
silently add locked mount flags the user *did not explicitly request to be
cleared* in rootless mode, allowing for easier use of bind-mounts for
rootless containers. (#3967)
- Container configurations using bind-mounts with superblock mount flags
(i.e. filesystem-specific mount flags, referred to as "data" in
`mount(2)`, as opposed to VFS generic mount flags like `MS_NODEV`) will
now return an error. This is because superblock mount flags will also
affect the host mount (as the superblock is shared when bind-mounting),
which is obviously not acceptable. Previously, these flags were silently
ignored so this change simply tells users that runc cannot fulfil their
request rather than just ignoring it. (#3990)
If any of these changes cause problems in real-world workloads, please [open
an issue](https://github.com/opencontainers/runc/issues/new/choose) so we
can adjust the behaviour to avoid compatibility issues.
### Added
* runc has been updated to OCI runtime-spec 1.2.0, and supports all Linux
features with a few minor exceptions. See
[`docs/spec-conformance.md`](https://github.com/opencontainers/runc/blob/v1.2.0-rc.1/docs/spec-conformance.md)
for more details.
* runc now supports id-mapped mounts for bind-mounts (with no restrictions on
the mapping used for each mount). Other mount types are not currently
supported. This feature requires `MOUNT_ATTR_IDMAP` kernel support (Linux
5.12 or newer) as well as kernel support for the underlying filesystem used
for the bind-mount. See [`mount_setattr(2)`][mount_setattr.2] for a list of
supported filesystems and other restrictions. (#3717, #3985, #3993)
* Two new mechanisms for reducing the memory usage of our protections against
[CVE-2019-5736][cve-2019-5736] have been introduced:
- `runc-dmz` is a minimal binary (~8K) which acts as an additional execve
stage, allowing us to only need to protect the smaller binary. It should
be noted that there have been several compatibility issues reported with
the usage of `runc-dmz` (namely related to capabilities and SELinux). As
such, this mechanism is **opt-in** and can be enabled by running `runc`
with the environment variable `RUNC_DMZ=true` (setting this environment
variable in `config.json` will have no effect). This feature can be
disabled at build time using the `runc_nodmz` build tag. (#3983, #3987)
- `contrib/memfd-bind` is a helper daemon which will bind-mount a memfd copy
of `/usr/bin/runc` on top of `/usr/bin/runc`. This entirely eliminates
per-container copies of the binary, but requires care to ensure that
upgrades to runc are handled properly, and requires a long-running daemon
(unfortunately memfds cannot be bind-mounted directly and thus require a
daemon to keep them alive). (#3987)
* runc will now use `cgroup.kill` if available to kill all processes in a
container (such as when doing `runc kill`). (#3135, #3825)
* Add support for setting the umask for `runc exec`. (#3661)
* libct/cg: support `SCHED_IDLE` for runc cgroupfs. (#3377)
* checkpoint/restore: implement `--manage-cgroups-mode=ignore`. (#3546)
* seccomp: refactor flags support; add flags to features, set `SPEC_ALLOW` by
default. (#3588)
* libct/cg/sd: use systemd v240+ new `MAJOR:*` syntax. (#3843)
* Support CFS bandwidth burst for CPU. (#3749, #3145)
* Support time namespaces. (#3876)
* Reduce the `runc` binary size by ~11% by updating
`github.com/checkpoint-restore/go-criu`. (#3652)
* Add `--pidfd-socket` to `runc run` and `runc exec` to allow for management
processes to receive a pidfd for the new process, allowing them to avoid pid
reuse attacks. (#4045)
[mount_setattr.2]: https://man7.org/linux/man-pages/man2/mount_setattr.2.html
[cve-2019-5736]: https://github.com/advisories/GHSA-gxmr-w5mj-v8hh
### Deprecated
* `runc` option `--criu` is now ignored (with a warning), and the option will
be removed entirely in a future release. Users who need a non-standard
`criu` binary should rely on the standard way of looking up binaries in
`$PATH`. (#3316)
* `runc kill` option `-a` is now deprecated. Previously, it had to be specified
to kill a container (with SIGKILL) which does not have its own private PID
namespace (so that runc would send SIGKILL to all processes). Now, this is
done automatically. (#3864, #3825)
* `github.com/opencontainers/runc/libcontainer/user` is now deprecated, please
use `github.com/moby/sys/user` instead. It will be removed in a future
release. (#4017)
### Changed
* When Intel RDT feature is not available, its initialization is skipped,
resulting in slightly faster `runc exec` and `runc run`. (#3306)
* `runc features` is no longer experimental. (#3861)
* libcontainer users that create and kill containers from a daemon process
(so that the container init is a child of that process) must now implement
a proper child reaper in case a container does not have its own private PID
namespace, as documented in `container.Signal`. (#3825)
* Sum `anon` and `file` from `memory.stat` for cgroupv2 root usage,
as the root does not have `memory.current` for cgroupv2.
This aligns cgroupv2 root usage more closely with cgroupv1 reporting.
Additionally, report root swap usage as sum of swap and memory usage,
aligned with v1 and existing non-root v2 reporting. (#3933)
* Add `swapOnlyUsage` in `MemoryStats`. This field reports swap-only usage.
For cgroupv1, `Usage` and `Failcnt` are set by subtracting memory usage
from memory+swap usage. For cgroupv2, `Usage`, `Limit`, and `MaxUsage`
are set. (#4010)
* libcontainer users that create and kill containers from a daemon process
(so that the container init is a child of that process) must now implement
a proper child reaper in case a container does not have its own private PID
namespace, as documented in `container.Signal`. (#3825)
* libcontainer: `container.Signal` no longer takes an `all` argument. Whether
or not it is necessary to kill all processes in the container individually
is now determined automatically. (#3825, #3885)
* seccomp: enable seccomp binary tree optimization. (#3405)
* `runc run`/`runc exec`: ignore SIGURG. (#3368)
* Remove tun/tap from the default device allowlist. (#3468)
* `runc --root non-existent-dir list` now reports an error for non-existent
root directory. (#3374)
### Fixed
* In case the runc binary resides on tmpfs, `runc init` no longer re-execs
itself twice. (#3342)
* Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on
s390 and s390x. This solves the issue where syscalls the host kernel did not
support would return `-EPERM` despite the existence of the `-ENOSYS` stub
code (this was due to how s390x does syscall multiplexing). (#3474)
* Remove tun/tap from the default device rules. (#3468)
* specconv: avoid mapping "acl" to `MS_POSIXACL`. (#3739)
* libcontainer: fix private PID namespace detection when killing the
container. (#3866, #3825)
* systemd socket notification: fix race where runc exited before systemd
properly handled the `READY` notification. (#3291, #3293)
* The `-ENOSYS` seccomp stub is now always generated for the native
architecture that `runc` is running on. This is needed to work around some
arguably specification-incompliant behaviour from Docker on architectures
such as ppc64le, where the allowed architecture list is set to `null`. This
ensures that we always generate at least one `-ENOSYS` stub for the native
architecture even with these weird configs. (#4219)
### Removed
* In order to fix performance issues in the "lightweight" bindfd protection
against [CVE-2019-5736][cve-2019-5736], the temporary `ro` bind-mount of
`/proc/self/exe` has been removed. runc now creates a binary copy in all
cases. See the above notes about `memfd-bind` and `runc-dmz` as well as
`contrib/cmd/memfd-bind/README.md` for more information about how this
(minor) change in memory usage can be further reduced. (#3987, #3599, #2532,
#3931)
* libct/cg: Remove `EnterPid` (a function with no users). (#3797)
* libcontainer: Remove `{Pre,Post}MountCmds` which were never used and are
obsoleted by more generic container hooks. (#3350)
[cve-2019-5736]: https://github.com/advisories/GHSA-gxmr-w5mj-v8hh
## [1.1.15] - 2024-10-07
> How, dear sir, did you cross the flood? By not stopping, friend, and by not
> straining I crossed the flood.
### Fixed
* The `-ENOSYS` seccomp stub is now always generated for the native
architecture that `runc` is running on. This is needed to work around some
arguably specification-incompliant behaviour from Docker on architectures
such as ppc64le, where the allowed architecture list is set to `null`. This
ensures that we always generate at least one `-ENOSYS` stub for the native
architecture even with these weird configs. (#4391)
* On a system with an older kernel, reading `/proc/self/mountinfo` may skip
some entries; as a consequence, runc may not properly set mount propagation,
causing container mounts to leak into the host mount namespace. (#2404, #4425)
### Removed
* In order to fix performance issues in the "lightweight" bindfd protection
against [CVE-2019-5736], the temporary `ro` bind-mount of `/proc/self/exe`
has been removed. runc now creates a binary copy in all cases. (#4392, #2532)
[CVE-2019-5736]: https://www.openwall.com/lists/oss-security/2019/02/11/2
## [1.1.14] - 2024-09-03
> 年を取っていいことは、驚かなくなることね。
### Security
* Fix [CVE-2024-45310][cve-2024-45310], a low-severity attack that allowed
maliciously configured containers to create empty files and directories on
the host.
[cve-2024-45310]: https://github.com/opencontainers/runc/security/advisories/GHSA-jfvp-7x6p-h2pv
### Added
* Add support for Go 1.23. (#4360, #4372)
### Fixed
* Revert "allow overriding VERSION value in Makefile" and add `EXTRA_VERSION`.
(#4370, #4382)
* rootfs: consolidate mountpoint creation logic. (#4359)
## [1.1.13] - 2024-06-13
> There is no certainty in the world. This is the only certainty I have.
### Important Notes
* If building with Go 1.22.x, make sure to use 1.22.4 or a later version.
(see #4233 for more details)
### Fixed
* Support go 1.22.4+. (#4313)
* runc list: fix race with runc delete. (#4231)
* Fix set nofile rlimit error. (#4277, #4299)
* libct/cg/fs: fix setting rt_period vs rt_runtime. (#4284)
* Fix a debug msg for user ns in nsexec. (#4315)
* script/*: fix gpg usage wrt keyboxd. (#4316)
* CI fixes and misc backports. (#4241)
* Fix codespell warnings. (#4300)
### Changed
* Silence security false positives from golang/net. (#4244)
* libcontainer: allow containers to make apps think fips is enabled/disabled for testing. (#4257)
* allow overriding VERSION value in Makefile. (#4270)
* Vagrantfile.fedora: bump Fedora to 39. (#4261)
* ci/cirrus: rm centos stream 8. (#4305, #4308)
## [1.1.12] - 2024-01-31
> Now you're thinking with Portals™!
### Security
* Fix [CVE-2024-21626][cve-2024-21626], a container breakout attack that took
advantage of a file descriptor that was leaked internally within runc (but
never leaked to the container process). In addition to fixing the leak,
several strict hardening measures were added to ensure that future internal
leaks could not be used to break out in this manner again. Based on our
research, while no other container runtime had a similar leak, none had any
of the hardening steps we've introduced (and some runtimes would not check
for any file descriptors that a calling process may have leaked to them,
allowing for container breakouts due to basic user error).
[cve-2024-21626]: https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv
## [1.1.11] - 2024-01-01
> Happy New Year!
### Fixed
* Fix several issues with userns path handling. (#4122, #4124, #4134, #4144)
### Changed
* Support memory.peak and memory.swap.peak in cgroups v2.
Add `swapOnlyUsage` in `MemoryStats`. This field reports swap-only usage.
For cgroupv1, `Usage` and `Failcnt` are set by subtracting memory usage
from memory+swap usage. For cgroupv2, `Usage`, `Limit`, and `MaxUsage`
are set. (#4000, #4010, #4131)
* build(deps): bump github.com/cyphar/filepath-securejoin. (#4140)
## [1.1.10] - 2023-10-31
> Śruba, przykręcona we śnie, nie zmieni sytuacji, jaka panuje na jawie.
### Added
* Support for `hugetlb.<pagesize>.rsvd` limiting and accounting. Fixes the
issue of postgres failing when hugepage limits are set. (#3859, #4077)
### Fixed
* Fixed permissions of newly created directories to not depend on the value
of umask in the tmpcopyup feature implementation. (#3991, #4060)
* libcontainer: cgroup v1 GetStats now ignores missing `kmem.limit_in_bytes`
(fixes the compatibility with Linux kernel 6.1+). (#4028)
* Fix a semi-arbitrary cgroup write bug when given a malicious hugetlb
configuration. This issue is not a security issue because it requires a
malicious `config.json`, which is outside of our threat model. (#4103)
* Various CI fixes. (#4081, #4055)
## [1.1.9] - 2023-08-10
> There is a crack in everything. That's how the light gets in.
### Added
* Added go 1.21 to the CI matrix; other CI updates. (#3976, #3958)
### Fixed
* Fixed losing sticky bit on tmpfs (a regression in 1.1.8). (#3952, #3961)
* intelrdt: fixed ignoring ClosID on some systems. (#3550, #3978)
### Changed
* Sum `anon` and `file` from `memory.stat` for cgroupv2 root usage,
as the root does not have `memory.current` for cgroupv2.
This aligns cgroupv2 root usage more closely with cgroupv1 reporting.
Additionally, report root swap usage as sum of swap and memory usage,
aligned with v1 and existing non-root v2 reporting. (#3933)
## [1.1.8] - 2023-07-20
> 海纳百川 有容乃大
### Added
* Support riscv64. (#3905)
### Fixed
* init: do not print environment variable value. (#3879)
* libct: fix a race with systemd removal. (#3877)
* tests/int: increase num retries for oom tests. (#3891)
* man/runc: fixes. (#3892)
* Fix tmpfs mode opts when dir already exists. (#3916)
* docs/systemd: fix a broken link. (#3917)
* ci/cirrus: enable some rootless tests on cs9. (#3918)
* runc delete: call systemd's reset-failed. (#3932)
* libct/cg/sd/v1: do not update non-frozen cgroup after frozen failed. (#3921)
### Changed
* CI: bump Fedora, Vagrant, bats. (#3878)
* `.codespellrc`: update for 2.2.5. (#3909)
## [1.1.7] - 2023-04-26
> Ночевала тучка золотая на груди утеса-великана.
### Fixed
* When used with systemd v240+, systemd cgroup drivers no longer skip
`DeviceAllow` rules if the device does not exist (a regression introduced
in runc 1.1.3). This fix also reverts the workaround added in runc 1.1.5,
removing an extra warning emitted by runc run/start. (#3845, #3708, #3671)
### Added
* The source code now has a new file, `runc.keyring`, which contains the keys
used to sign runc releases. (#3838)
## [1.1.6] - 2023-04-11
> In this world nothing is certain but death and taxes.
### Compatibility
* This release can no longer be built from sources using Go 1.16. Using the
latest maintained Go 1.20.x or Go 1.19.x release is recommended.
Go 1.17 can still be used.
### Fixed
* systemd cgroup v1 and v2 drivers were deliberately ignoring `UnitExist` error
from systemd while trying to create a systemd unit, which in some scenarios
may result in a container not being added to the proper systemd unit and
cgroup. (#3780, #3806)
* systemd cgroup v2 driver was incorrectly translating cpuset range from spec's
`resources.cpu.cpus` to systemd unit property (`AllowedCPUs`) in case of more
than 8 CPUs, resulting in the wrong AllowedCPUs setting. (#3808)
* systemd cgroup v1 driver was prefixing container's cgroup path with the path
of PID 1 cgroup, resulting in inability to place PID 1 in a non-root cgroup.
(#3811)
* runc run/start may return a "permission denied" error when starting a
rootless container if the file to be executed does not have the executable bit
set for the user, not taking the `CAP_DAC_OVERRIDE` capability into account.
This is a regression in runc 1.1.4, as well as in Go 1.20 and 1.20.1. (#3715, #3817)
* cgroup v1 drivers are now aware of `misc` controller. (#3823)
* Various CI fixes and improvements, mostly to ensure Go 1.19.x and Go 1.20.x
compatibility.
## [1.1.5] - 2023-03-29
> 囚われた屈辱は
> 反撃の嚆矢だ
### Security
The following CVEs were fixed in this release:
* [CVE-2023-25809][] is a vulnerability involving rootless containers where
(under specific configurations), the container would have write access to the
`/sys/fs/cgroup/user.slice/...` cgroup hierarchy. No other hierarchies on the
host were affected. This vulnerability was discovered by Akihiro Suda.
* [CVE-2023-27561][] was a regression in our protections against tricky `/proc`
and `/sys` configurations (where the container mountpoint is a symlink)
causing us to be tricked into incorrectly configuring the container, which
effectively re-introduced [CVE-2019-19921][]. This regression was present
from v1.0.0-rc95 to v1.1.4 and was discovered by @Beuc. (#3785)
* [CVE-2023-28642][] is a different attack vector using the same regression
as in [CVE-2023-27561][]. This was reported by Lei Wang.
[CVE-2019-19921]: https://github.com/advisories/GHSA-fh74-hm69-rqjw
[CVE-2023-25809]: https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc
[CVE-2023-27561]: https://github.com/advisories/GHSA-vpvm-3wq2-2wvm
[CVE-2023-28642]: https://github.com/opencontainers/runc/security/advisories/GHSA-g2j6-57v7-gm8c
### Fixed
* Fix the inability to use `/dev/null` when inside a container. (#3620)
* Fix changing the ownership of host's `/dev/null` caused by fd redirection
(a regression in 1.1.1). (#3674, #3731)
* Fix rare runc exec/enter unshare error on older kernels, including
CentOS < 7.7. (#3776)
* nsexec: Check for errors in `write_log()`. (#3721)
* Various CI fixes and updates. (#3618, #3630, #3640, #3729)
## [1.1.4] - 2022-08-24
> If you look for perfection, you'll never be content.
### Fixed
* Fix mounting via wrong proc fd.
When the user and mount namespaces are used, and the bind mount is followed by
the cgroup mount in the spec, the cgroup was mounted using the bind mount's
mount fd. (#3511)
* Switch `kill()` in `libcontainer/nsenter` to `sane_kill()`. (#3536)
* Fix "permission denied" error from `runc run` on `noexec` fs. (#3541)
* Fix failed exec after `systemctl daemon-reload`.
Due to a regression in v1.1.3, the `DeviceAllow=char-pts rwm` rule was no
longer added and was causing an error `open /dev/pts/0: operation not permitted: unknown`
when systemd was reloaded. (#3554)
* Various CI fixes. (#3538, #3558, #3562)
## [1.1.3] - 2022-06-09
> In the beginning there was nothing, which exploded.
### Fixed
* Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on
s390 and s390x. This solves the issue where syscalls the host kernel did not
support would return `-EPERM` despite the existence of the `-ENOSYS` stub
code (this was due to how s390x does syscall multiplexing). (#3478)
* Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as
intended; this fix does not affect runc binary itself but is important for
libcontainer users such as Kubernetes. (#3476)
* Inability to compile with recent clang due to an issue with duplicate
constants in libseccomp-golang. (#3477)
* When using systemd cgroup driver, skip adding device paths that don't exist,
to stop systemd from emitting warnings about those paths. (#3504)
* Socket activation was failing when more than 3 sockets were used. (#3494)
* Various CI fixes. (#3472, #3479)
### Added
* Allow bind-mounting `/proc/sys/kernel/ns_last_pid` inside the container. (#3493)
### Changed
* runc static binaries are now linked against libseccomp v2.5.4. (#3481)
## [1.1.2] - 2022-05-11
> I should think I'm going to be a perpetual student.
### Security
* A bug was found in runc where `runc exec --cap` executed processes with
non-empty inheritable Linux process capabilities, creating an atypical Linux
environment. For more information, see [GHSA-f3fp-gc8g-vw66][] and
CVE-2022-29162.
### Changed
* `runc spec` no longer sets any inheritable capabilities in the created
example OCI spec (`config.json`) file.
[GHSA-f3fp-gc8g-vw66]: https://github.com/opencontainers/runc/security/advisories/GHSA-f3fp-gc8g-vw66
## [1.1.1] - 2022-03-28
> Violence is the last refuge of the incompetent.
### Added
* CI is now also run on centos-stream-9. (#3436)
### Fixed
* `runc run/start` can now run a container with read-only `/dev` in OCI spec,
rather than error out. (#3355)
* `runc exec` now ensures that `--cgroup` argument is a sub-cgroup. (#3403)
* libcontainer systemd v2 manager no longer errors out if one of the files
listed in `/sys/kernel/cgroup/delegate` does not exist in the container's
cgroup. (#3387, #3404)
* Loosen OCI spec validation to avoid bogus "Intel RDT is not supported" error.
(#3406)
* libcontainer/cgroups no longer panics in cgroup v1 managers if `stat`
of `/sys/fs/cgroup/unified` returns an error other than ENOENT. (#3435)
## [1.1.0] - 2022-01-14
> A plan depends as much upon execution as it does upon concept.
### Changed
* libcontainer will now refuse to build without the nsenter package being
correctly compiled (specifically this requires CGO to be enabled). This
should avoid folks accidentally creating broken runc binaries (and
incorrectly importing our internal libraries into their projects). (#3331)
## [1.1.0-rc.1] - 2021-12-14
> He who controls the spice controls the universe.
### Deprecated
* runc run/start now warns if a new container cgroup is non-empty or frozen;
this warning will become an error in runc 1.2. (#3132, #3223)
* runc can only be built with Go 1.16 or later from this release onwards.
(#3100, #3245, #3325)
### Removed
* `cgroup.GetHugePageSizes` has been removed entirely, and been replaced with
`cgroup.HugePageSizes` which is more efficient. (#3234)
* `intelrdt.GetIntelRdtPath` has been removed. Users who were using this
function to get the intelrdt root should use the new `intelrdt.Root`
instead. (#2920, #3239)
### Added
* Add support for RDMA cgroup added in Linux 4.11. (#2883)
* runc exec now produces exit code of 255 when the exec failed.
This may help in distinguishing between runc exec failures
(such as invalid options, non-running container or non-existent
binary etc.) and failures of the command being executed. (#3073)
* runc run: new `--keep` option to skip removal of exited containers' artefacts.
This might be useful to check the state (e.g. of cgroup controllers) after
the container has exited. (#2817, #2825)
* seccomp: add support for `SCMP_ACT_KILL_PROCESS` and `SCMP_ACT_KILL_THREAD`
(the latter is just an alias for `SCMP_ACT_KILL`). (#3204)
* seccomp: add support for `SCMP_ACT_NOTIFY` (seccomp actions). This allows
users to create sophisticated seccomp filters where syscalls can be
efficiently emulated by privileged processes on the host. (#2682)
* checkpoint/restore: add an option (`--lsm-mount-context`) to set
a different LSM mount context on restore. (#3068)
* runc releases are now cross-compiled for several architectures. Static
builds for said architectures will be available for all future releases.
(#3197)
* intelrdt: support ClosID parameter. (#2920)
* runc exec --cgroup: an option to specify a (non-top) in-container cgroup
to use for the process being executed. (#3040, #3059)
* cgroup v1 controllers now support hybrid hierarchy (i.e. when on a cgroup v1
machine a cgroup2 filesystem is mounted to /sys/fs/cgroup/unified, runc
run/exec now adds the container to the appropriate cgroup under it). (#2087,
#3059)
* sysctl: allow slashes in sysctl names, to better match `sysctl(8)`'s
behaviour. (#3254, #3257)
* mounts: add support for bind-mounts which are inaccessible after switching
the user namespace. Note that this does not permit the container any
additional access to the host filesystem, it simply allows containers to
have bind-mounts configured for paths the user can access but have
restrictive access control settings for other users. (#2576)
* Add support for recursive mount attributes using `mount_setattr(2)`. These
have the same names as the proposed `mount(8)` options -- just prepend `r`
to the option name (such as `rro`). (#3272)
* Add `runc features` subcommand to allow runc users to detect what features
runc has been built with. This includes critical information such as
supported mount flags, hook names, and so on. Note that the output of this
command is subject to change and will not be considered stable until runc
1.2 at the earliest. The runtime-spec specification for this feature is
being developed in [opencontainers/runtime-spec#1130]. (#3296)
[opencontainers/runtime-spec#1130]: https://github.com/opencontainers/runtime-spec/pull/1130
### Changed
* system: improve performance of `/proc/$pid/stat` parsing. (#2696)
* cgroup2: when `/sys/fs/cgroup` is configured as a read-write mount, change
the ownership of certain cgroup control files (as per
`/sys/kernel/cgroup/delegate`) to allow for proper deferral to the container
process. (#3057)
* docs: series of improvements to man pages to make them easier to read and
use. (#3032)
#### libcontainer API
* internal api: remove internal error types and handling system, switch to Go
wrapped errors. (#3033)
* New configs.Cgroup structure fields (#3177):
* Systemd (whether to use systemd cgroup manager); and
* Rootless (whether to use rootless cgroups).
* New cgroups/manager package aiming to simplify cgroup manager instantiation.
(#3177)
* All cgroup managers' instantiation methods now initialize cgroup paths and
can return errors. This allows using any cgroup manager method (e.g.
Exists, Destroy, Set, GetStats) right after instantiation, which was not
possible before (as paths were initialized in Apply only). (#3178)
### Fixed
* nsenter: do not try to close already-closed fds during container setup and
bail on close(2) failures. (#3058)
* runc checkpoint/restore: fixed for containers with an external bind mount
whose destination is a symlink. (#3047)
* cgroup: improve openat2 handling for cgroup directory handle hardening.
(#3030)
* `runc delete -f` now succeeds (rather than timing out) on a paused
container. (#3134)
* runc run/start/exec now refuses a frozen cgroup (paused container in case of
exec). Users can disable this using `--ignore-paused`. (#3132, #3223)
* config: do not permit null bytes in mount fields. (#3287)
## [1.0.3] - 2021-12-06
> If you were waiting for the opportune moment, that was it.
### Security
* A potential vulnerability was discovered in runc (related to an internal
usage of netlink), however upon further investigation we discovered that
while this bug was exploitable on the master branch of runc, no released
version of runc could be exploited using this bug. The exploit required being
able to create a netlink attribute with a length that would overflow a uint16
but this was not possible in any released version of runc. For more
information, see [GHSA-v95c-p5hm-xq8f][] and CVE-2021-43784.
### Fixed
* Fixed inability to start a container with read-write bind mount of a
read-only fuse host mount. (#3283, #3292)
* Fixed inability to start when read-only /dev is set in spec. (#3276, #3277)
* Fixed not removing sub-cgroups upon container delete, when rootless cgroup v2
is used with older systemd. (#3226, #3297)
* Fixed returning error from GetStats when hugetlb is unsupported (which causes
excessive logging for Kubernetes). (#3233, #3295)
* Improved an error message when dbus-user-session is not installed and
rootless + cgroup2 + systemd are used. (#3212)
[GHSA-v95c-p5hm-xq8f]: https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f
## [1.0.2] - 2021-07-16
> Given the right lever, you can move a planet.
### Changed
* Made release builds reproducible from now on. (#3099, #3142)
### Fixed
* Fixed a failure to set CPU quota period in some cases on cgroup v1. (#3090,
#3115)
* Fixed the inability to start a container with the "adding seccomp filter
rule for syscall ..." error, caused by redundant seccomp rules (i.e. those
that have an action equal to the default one). Such redundant rules are now
skipped. (#3109, #3129)
* Fixed a rare debug log race in runc init, which can result in occasional
harmful "failed to decode ..." errors from runc run or exec. (#3120, #3130)
* Fixed the check in cgroup v1 systemd manager if a container needs to be
frozen before Set, and add a setting to skip such freeze unconditionally.
The previous fix for that issue, done in runc 1.0.1, was not working.
(#3166, #3167)
## [1.0.1] - 2021-07-16
> If in doubt, Meriadoc, always follow your nose.
### Fixed
* Fixed occasional runc exec/run failure ("interrupted system call") on an
Azure volume. (#3045, #3074)
* Fixed "unable to find groups ... token too long" error with /etc/group
containing lines longer than 64K characters. (#3062, #3079)
* cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is
frozen. This is a regression in 1.0.0, not affecting runc itself but some
libcontainer users (e.g. Kubernetes). (#3081, #3085)
* cgroupv2: bpf: Ignore inaccessible existing programs in case of
permission error when handling replacement of existing bpf cgroup
programs. This fixes a regression in 1.0.0, where some SELinux
policies would block runc from being able to run entirely. (#3055, #3087)
* cgroup/systemd/v2: don't freeze cgroup on Set. (#3067, #3092)
* cgroup/systemd/v1: avoid unnecessary freeze on Set. (#3082, #3093)
## [1.0.0] - 2021-06-22
> A wizard is never late, nor is he early, he arrives precisely when he means
> to.
As runc follows Semantic Versioning, we will endeavour to not make any
breaking changes without bumping the major version number of runc.
However, it should be noted that Go API usage of runc's internal
implementation (libcontainer) is *not* covered by this policy.
### Removed
* Removed libcontainer/configs.Device* identifiers (deprecated since rc94,
use libcontainer/devices). (#2999)
* Removed libcontainer/system.RunningInUserNS function (deprecated since
rc94, use libcontainer/userns). (#2999)
### Deprecated
* The usage of relative paths for mountpoints will now produce a warning
(such configurations are outside of the spec, and in future runc will
produce an error when given such configurations). (#2917, #3004)
### Fixed
* cgroupv2: devices: rework the filter generation to produce consistent
results with cgroupv1, and always clobber any existing eBPF
program(s) to fix `runc update` and avoid leaking eBPF programs
(resulting in errors when managing containers). (#2951)
* cgroupv2: correctly convert "number of IOs" statistics in a
cgroupv1-compatible way. (#2965, #2967, #2968, #2964)
* cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
* cgroupv2: wait for freeze to finish before returning from the freezing
code, optimize the method for checking whether a cgroup is frozen. (#2955)
* cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in rc94
* cgroups/systemd: fixed returning "unit already exists" error from a systemd
cgroup manager (regression in rc94). (#2997, #2996)
### Added
* cgroupv2: support SkipDevices with systemd driver. (#2958, #3019)
* cgroup1: blkio: support BFQ weights. (#3010)
* cgroupv2: set per-device io weights if BFQ IO scheduler is available.
(#3022)
### Changed
* cgroup/systemd: return, not ignore, stop unit error from Destroy. (#2946)
* Fix all golangci-lint failures. (#2781, #2962)
* Make `runc --version` output sane even when built with `go get` or
otherwise outside of our build scripts. (#2962)
* cgroups: set SkipDevices during runc update (so we don't modify
cgroups at all during `runc update`). (#2994)
<!-- minor releases -->
[Unreleased]: https://github.com/opencontainers/runc/compare/v1.3.0-rc.1...HEAD
[1.3.0]: https://github.com/opencontainers/runc/compare/v1.3.0-rc.2...v1.3.0
[1.2.0]: https://github.com/opencontainers/runc/compare/v1.2.0-rc.1...v1.2.0
[1.1.0]: https://github.com/opencontainers/runc/compare/v1.1.0-rc.1...v1.1.0
[1.0.0]: https://github.com/opencontainers/runc/releases/tag/v1.0.0
<!-- 1.0.z patch releases -->
[Unreleased 1.0.z]: https://github.com/opencontainers/runc/compare/v1.0.3...release-1.0
[1.0.3]: https://github.com/opencontainers/runc/compare/v1.0.2...v1.0.3
[1.0.2]: https://github.com/opencontainers/runc/compare/v1.0.1...v1.0.2
[1.0.1]: https://github.com/opencontainers/runc/compare/v1.0.0...v1.0.1
<!-- 1.1.z patch releases -->
[Unreleased 1.1.z]: https://github.com/opencontainers/runc/compare/v1.1.15...release-1.1
[1.1.15]: https://github.com/opencontainers/runc/compare/v1.1.14...v1.1.15
[1.1.14]: https://github.com/opencontainers/runc/compare/v1.1.13...v1.1.14
[1.1.13]: https://github.com/opencontainers/runc/compare/v1.1.12...v1.1.13
[1.1.12]: https://github.com/opencontainers/runc/compare/v1.1.11...v1.1.12
[1.1.11]: https://github.com/opencontainers/runc/compare/v1.1.10...v1.1.11
[1.1.10]: https://github.com/opencontainers/runc/compare/v1.1.9...v1.1.10
[1.1.9]: https://github.com/opencontainers/runc/compare/v1.1.8...v1.1.9
[1.1.8]: https://github.com/opencontainers/runc/compare/v1.1.7...v1.1.8
[1.1.7]: https://github.com/opencontainers/runc/compare/v1.1.6...v1.1.7
[1.1.6]: https://github.com/opencontainers/runc/compare/v1.1.5...v1.1.6
[1.1.5]: https://github.com/opencontainers/runc/compare/v1.1.4...v1.1.5
[1.1.4]: https://github.com/opencontainers/runc/compare/v1.1.3...v1.1.4
[1.1.3]: https://github.com/opencontainers/runc/compare/v1.1.2...v1.1.3
[1.1.2]: https://github.com/opencontainers/runc/compare/v1.1.1...v1.1.2
[1.1.1]: https://github.com/opencontainers/runc/compare/v1.1.0...v1.1.1
[1.1.0-rc.1]: https://github.com/opencontainers/runc/compare/v1.0.0...v1.1.0-rc.1
<!-- 1.2.z patch releases -->
[Unreleased 1.2.z]: https://github.com/opencontainers/runc/compare/v1.2.9...release-1.2
[1.2.9]: https://github.com/opencontainers/runc/compare/v1.2.8...v1.2.9
[1.2.8]: https://github.com/opencontainers/runc/compare/v1.2.7...v1.2.8
[1.2.7]: https://github.com/opencontainers/runc/compare/v1.2.6...v1.2.7
[1.2.6]: https://github.com/opencontainers/runc/compare/v1.2.5...v1.2.6
[1.2.5]: https://github.com/opencontainers/runc/compare/v1.2.4...v1.2.5
[1.2.4]: https://github.com/opencontainers/runc/compare/v1.2.3...v1.2.4
[1.2.3]: https://github.com/opencontainers/runc/compare/v1.2.2...v1.2.3
[1.2.2]: https://github.com/opencontainers/runc/compare/v1.2.1...v1.2.2
[1.2.1]: https://github.com/opencontainers/runc/compare/v1.2.0...v1.2.1
[1.2.0-rc.3]: https://github.com/opencontainers/runc/compare/v1.2.0-rc.2...v1.2.0-rc.3
[1.2.0-rc.2]: https://github.com/opencontainers/runc/compare/v1.2.0-rc.1...v1.2.0-rc.2
[1.2.0-rc.1]: https://github.com/opencontainers/runc/compare/v1.1.0...v1.2.0-rc.1
<!-- 1.3.z patch releases -->
[Unreleased 1.3.z]: https://github.com/opencontainers/runc/compare/v1.3.4...release-1.3
[1.3.4]: https://github.com/opencontainers/runc/compare/v1.3.3...v1.3.4
[1.3.3]: https://github.com/opencontainers/runc/compare/v1.3.2...v1.3.3
[1.3.2]: https://github.com/opencontainers/runc/compare/v1.3.1...v1.3.2
[1.3.1]: https://github.com/opencontainers/runc/compare/v1.3.0...v1.3.1
[1.3.0]: https://github.com/opencontainers/runc/compare/v1.3.0-rc.2...v1.3.0
[1.3.0-rc.2]: https://github.com/opencontainers/runc/compare/v1.3.0-rc.1...v1.3.0-rc.2
[1.3.0-rc.1]: https://github.com/opencontainers/runc/compare/v1.2.0...v1.3.0-rc.1
<!-- 1.4.z patch releases -->
[Unreleased 1.4.z]: https://github.com/opencontainers/runc/compare/v1.4.1...release-1.4
[1.4.1]: https://github.com/opencontainers/runc/compare/v1.4.0...v1.4.1
[1.4.0]: https://github.com/opencontainers/runc/compare/v1.4.0-rc.3...v1.4.0
[1.4.0-rc.3]: https://github.com/opencontainers/runc/compare/v1.4.0-rc.2...v1.4.0-rc.3
[1.4.0-rc.2]: https://github.com/opencontainers/runc/compare/v1.4.0-rc.1...v1.4.0-rc.2
[1.4.0-rc.1]: https://github.com/opencontainers/runc/compare/v1.3.0...v1.4.0-rc.1
<!-- 1.5.z patch releases -->
[Unreleased 1.5.z]: https://github.com/opencontainers/runc/compare/v1.5.0-rc.1...release-1.5
[1.5.0-rc.1]: https://github.com/opencontainers/runc/compare/v1.4.0...v1.5.0-rc.1
================================================
FILE: CONTRIBUTING.md
================================================
## Contribution Guidelines
### Security issues
If you are reporting a security issue, do not create an issue or file a pull
request on GitHub. Instead, disclose the issue responsibly by sending an email
to security@opencontainers.org (an address read only by the maintainers of
the various OCI projects).
### Pull requests are always welcome
We are always thrilled to receive pull requests, and do our best to
process them as fast as possible. Not sure if that typo is worth a pull
request? Do it! We will appreciate it.
If your pull request is not accepted on the first try, don't be
discouraged! If there's a problem with the implementation, hopefully you
received feedback on what to improve.
We're trying very hard to keep runc lean and focused. We don't want it
to do everything for everybody. This means that we might decide against
incorporating a new feature. However, there might be a way to implement
that feature *on top of* runc.
### Conventions
Fork the repo and make changes on your fork in a feature branch:
- If it's a bugfix branch, name it XXX-something where XXX is the number of the
issue
- If it's a feature branch, create an enhancement issue to announce your
intentions, and name it XXX-something where XXX is the number of the issue.
Submit unit tests for your changes. Go has a great test framework built in; use
it! Take a look at existing tests for inspiration. Run the full test suite on
your branch before submitting a pull request.
Update the documentation when creating or modifying features. Test
your documentation changes for clarity, concision, and correctness, as
well as a clean documentation build. See ``docs/README.md`` for more
information on building the docs and how docs get released.
Write clean code. Universally formatted code promotes ease of writing, reading,
and maintenance. Always run `gofmt -s -w file.go` on each changed file before
committing your changes. Most editors have plugins that do this automatically.
Pull request descriptions should be as clear as possible and include a
reference to all the issues that they address.
Pull requests must not contain commits from other users or branches.
Commit messages must start with a capitalized and short summary (max. 50
chars) written in the imperative, followed by an optional, more detailed
explanatory text which is separated from the summary by an empty line.
Code review comments may be added to your pull request. Discuss, then make the
suggested modifications and push additional commits to your feature branch. Be
sure to post a comment after pushing. The new commits will show up in the pull
request automatically, but the reviewers will not be notified unless you
comment.
Before the pull request is merged, make sure that you squash your commits into
logical units of work using `git rebase -i` and `git push -f`. After every
commit the test suite should be passing. Include documentation changes in the
same commit so that a revert would remove all traces of the feature or fix.
Commits that fix or close an issue should include a reference like `Closes #XXX`
or `Fixes #XXX`, which will automatically close the issue when merged.
### Sign your work
The sign-off is a simple line at the end of the explanation for the
patch, which certifies that you wrote it or otherwise have the right to
pass it on as an open-source patch. The rules are pretty simple: if you
can certify the below (from
[developercertificate.org](http://developercertificate.org/)):
```
Developer Certificate of Origin
Version 1.1
Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
660 York Street, Suite 102,
San Francisco, CA 94110 USA
Everyone is permitted to copy and distribute verbatim copies of this
license document, but changing it is not allowed.
Developer's Certificate of Origin 1.1
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or
(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or
(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.
(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.
```
then you just add a line to every git commit message:
Signed-off-by: Joe Smith <joe@gmail.com>
using your real name (sorry, no pseudonyms or anonymous contributions.)
You can add the sign off when creating the git commit via `git commit -s`.
================================================
FILE: Dockerfile
================================================
# Image carrying the Go toolchain, the cross-compilers and the test tooling
# that the instructions below install for building and testing runc.
#
# Versions of the base toolchain and of the components installed further down.
ARG GO_VERSION=1.25
ARG BATS_VERSION=v1.12.0
ARG LIBSECCOMP_VERSION=2.6.0
ARG LIBPATHRS_VERSION=0.2.4
# NOTE(review): the base image is selected by tag only (no @sha256 digest), so
# the content behind this tag can change from one build to the next.
FROM golang:${GO_VERSION}-trixie
ARG DEBIAN_FRONTEND=noninteractive
# CRIU is installed from this third-party apt repository. Its signing key is
# downloaded over HTTPS from the same repository and is scoped to it with
# [signed-by=...]; the key is not compared against a pinned fingerprint, so
# TLS to this host is the only check on the key itself.
ARG CRIU_REPO=https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_13
# Register the CRIU repository, enable the foreign dpkg architectures, install
# the native toolchain and then the per-architecture cross toolchains, and
# finally drop the apt caches. The closing rm also deletes the criu.list
# written above, together with every other *.list file in
# /etc/apt/sources.list.d.
RUN KEYFILE=/usr/share/keyrings/criu-repo-keyring.gpg; \
wget -nv $CRIU_REPO/Release.key -O- | gpg --dearmor > "$KEYFILE" \
&& echo "deb [signed-by=$KEYFILE] $CRIU_REPO/ /" > /etc/apt/sources.list.d/criu.list \
&& printf "%s\n" i386 armel armhf arm64 ppc64el s390x riscv64 | xargs -t -n1 -- dpkg --add-architecture \
&& apt-get update \
&& apt-get install -y --no-install-recommends \
build-essential \
cargo \
cargo-auditable \
clang \
criu \
gcc \
gcc-multilib \
curl \
gawk \
gperf \
iptables \
jq \
kmod \
lld \
pkg-config \
python3-minimal \
sshfs \
sudo \
uidmap \
iproute2 \
&& apt-get install -y --no-install-recommends \
libc-dev:i386 libgcc-s1:i386 gcc-i686-linux-gnu libstd-rust-dev:i386 \
gcc-aarch64-linux-gnu libc-dev-arm64-cross libstd-rust-dev:arm64 \
gcc-arm-linux-gnueabi libc-dev-armel-cross libstd-rust-dev:armel \
gcc-arm-linux-gnueabihf libc-dev-armhf-cross libstd-rust-dev:armhf \
gcc-powerpc64le-linux-gnu libc-dev-ppc64el-cross libstd-rust-dev:ppc64el \
gcc-s390x-linux-gnu libc-dev-s390x-cross libstd-rust-dev:s390x \
gcc-riscv64-linux-gnu libc-dev-riscv64-cross libstd-rust-dev:riscv64 \
&& apt-get clean \
&& rm -rf /var/cache/apt /var/lib/apt/lists/* /etc/apt/sources.list.d/*.list
# Add a dummy user for the rootless integration tests. While runC does
# not require an entry in /etc/passwd to operate, one of the tests uses
# `git clone` -- and `git clone` does not allow you to clone a
# repository if the current uid does not have an entry in /etc/passwd.
# The account is created with uid 1000, home /home/rootless and bash as
# its login shell; no password is set here.
RUN useradd -u1000 -m -d/home/rootless -s/bin/bash rootless
# Install bats (the Bash test framework) from its upstream git repository
# into /usr/local, then remove the checkout.
# ARG is re-declared because values declared before FROM are not in scope
# inside the build stage.
# NOTE(review): BATS_VERSION is a tag name. A git tag can be re-pointed
# upstream, whereas a full commit ID would pin the exact tree that
# ./install.sh is run from.
ARG BATS_VERSION
RUN cd /tmp \
&& git clone https://github.com/bats-core/bats-core.git \
&& cd bats-core \
&& git reset --hard "${BATS_VERSION}" \
&& ./install.sh /usr/local \
&& rm -rf /tmp/bats-core
# Architecture list handed to both library build scripts below.
ARG RELEASE_ARCHES="386 amd64 arm64 armel armhf ppc64le riscv64 s390x"
# Directory the build scripts are given as their destination; the loader
# and pkg-config paths at the end of this section point into it.
ENV DYLIB_DIR=/opt/runc-dylibs
# Install libseccomp. The script receives the version, the destination
# directory and the architecture list.
# NOTE(review): where the sources come from and whether the download is
# verified is decided in script/build-seccomp.sh, which is not shown here.
ARG LIBSECCOMP_VERSION
COPY script/build-seccomp.sh script/lib.sh /tmp/script/
RUN mkdir -p $DYLIB_DIR \
&& /tmp/script/build-seccomp.sh "$LIBSECCOMP_VERSION" $DYLIB_DIR $RELEASE_ARCHES
# Export the build argument as an environment variable of the image.
ENV LIBSECCOMP_VERSION=$LIBSECCOMP_VERSION
# Install libpathrs, using the same argument order as for libseccomp.
# NOTE(review): source origin and verification are decided in
# script/build-libpathrs.sh, which is not shown here.
ARG LIBPATHRS_VERSION
COPY script/build-libpathrs.sh /tmp/script/
RUN mkdir -p $DYLIB_DIR \
&& /tmp/script/build-libpathrs.sh "$LIBPATHRS_VERSION" $DYLIB_DIR $RELEASE_ARCHES
# Export the build argument as an environment variable of the image.
ENV LIBPATHRS_VERSION=$LIBPATHRS_VERSION
# Let the dynamic loader and pkg-config find the libraries under $DYLIB_DIR.
ENV LD_LIBRARY_PATH=$DYLIB_DIR/lib
ENV PKG_CONFIG_PATH=$DYLIB_DIR/lib/pkgconfig
# Prevent the "fatal: detected dubious ownership in repository" git complaint during build.
# The exception covers only the runc checkout path below, not a wildcard;
# presumably the source tree is mounted there with a different owner (confirm
# against the build scripts).
RUN git config --global --add safe.directory /go/src/github.com/opencontainers/runc
WORKDIR /go/src/github.com/opencontainers/runc
# Fixup for cgroup v2: the script is copied to / and set as the entrypoint,
# so it runs first for every container started from this image.
COPY script/prepare-cgroup-v2.sh /
ENTRYPOINT [ "/prepare-cgroup-v2.sh" ]
================================================
FILE: EMERITUS.md
================================================
## Emeritus ##
We would like to acknowledge previous runc maintainers and their huge
contributions to our collective success:
* Alexander Morozov (@lk4d4)
* Andrei Vagin (@avagin)
* Rohit Jnagal (@rjnagal)
* Victor Marmol (@vmarmol)
* Michael Crosby (@crosbymichael)
* Daniel, Dao Quang Minh (@dqminh)
* Qiang Huang (@hqhq)
We thank these members for their service to the OCI community.
================================================
FILE: LICENSE
================================================
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
Copyright 2014 Docker, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
================================================
FILE: MAINTAINERS
================================================
Mrunal Patel <mpatel@redhat.com> (@mrunalp)
Aleksa Sarai <cyphar@cyphar.com> (@cyphar)
Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> (@AkihiroSuda)
Kir Kolyshkin <kolyshkin@gmail.com> (@kolyshkin)
Sebastiaan van Stijn <github@gone.nl> (@thaJeztah)
Li Fu Bang <lifubang@acmcoder.com> (@lifubang)
Rodrigo Campos <rodrigo@sdfg.com.ar> (@rata)
================================================
FILE: MAINTAINERS_GUIDE.md
================================================
## Introduction
Dear maintainer. Thank you for investing the time and energy to help
make runc as useful as possible. Maintaining a project is difficult,
sometimes unrewarding work. Sure, you will get to contribute cool
features to the project. But most of your time will be spent reviewing,
cleaning up, documenting, answering questions, justifying design
decisions - while everyone has all the fun! But remember - the quality
of the maintainers' work is what distinguishes the good projects from the
great. So please be proud of your work, even the unglamorous parts,
and encourage a culture of appreciation and respect for *every* aspect
of improving the project - not just the hot new features.
This document is a manual for maintainers old and new. It explains what
is expected of maintainers, how they should work, and what tools are
available to them.
This is a living document - if you see something out of date or missing,
speak up!
## What are a maintainer's responsibilities?
It is every maintainer's responsibility to:
* 1) Expose a clear roadmap for improving their component.
* 2) Deliver prompt feedback and decisions on pull requests.
* 3) Be available to anyone with questions, bug reports, criticism etc.
on their component. This includes IRC and GitHub issues and pull requests.
* 4) Make sure their component respects the philosophy, design and
roadmap of the project.
## How are decisions made?
Short answer: with pull requests to the runc repository.
runc is an open-source project with an open design philosophy. This
means that the repository is the source of truth for EVERY aspect of the
project, including its philosophy, design, roadmap and APIs. *If it's
part of the project, it's in the repo. If it's in the repo, it's part of
the project.*
As a result, all decisions can be expressed as changes to the
repository. An implementation change is a change to the source code. An
API change is a change to the API specification. A philosophy change is
a change to the philosophy manifesto. And so on.
All decisions affecting runc, big and small, follow the same 3 steps:
* Step 1: Open a pull request. Anyone can do this.
* Step 2: Discuss the pull request. Anyone can do this.
* Step 3: Accept (`LGTM`) or refuse a pull request. The relevant maintainers do
this (see below "Who decides what?")
*I'm a maintainer, should I make pull requests too?*
Yes. Nobody should ever push to master directly. All changes should be
made through a pull request.
## Who decides what?
All decisions are pull requests, and the relevant maintainers make
decisions by accepting or refusing the pull request. Review and acceptance
by anyone is denoted by adding a comment in the pull request: `LGTM`.
However, only currently listed `MAINTAINERS` are counted towards the required
two LGTMs.
Overall the maintainer system works because of mutual respect across the
maintainers of the project. The maintainers trust one another to make decisions
in the best interests of the project. Sometimes maintainers can disagree, and
this is part of a healthy project: it represents the points of view of various people.
### How are maintainers added?
The best maintainers have a vested interest in the project. Maintainers
are first and foremost contributors that have shown they are committed to
the long term success of the project. Contributors wanting to become
maintainers are expected to be deeply involved in contributing code,
pull request review, and triage of issues in the project for more than two months.
Just contributing does not make you a maintainer, it is about building trust
with the current maintainers of the project and being a person that they can
depend on and trust to make decisions in the best interest of the project. The
final vote to add a new maintainer should be approved by over 66% of the current
maintainers. The voting period is five business days on the Pull Request
to add the new maintainer.
### What is expected of maintainers?
Part of a healthy project is to have active maintainers to support the community
in contributions and perform tasks to keep the project running. Maintainers are
expected to be able to respond in a timely manner if their help is required on specific
issues where they are pinged. Being a maintainer is a time consuming commitment and should
not be taken lightly.
When a maintainer is unable to perform the required duties they can be removed with
a vote by 66% of the current maintainers.
The voting period is ten business days. Issues related to a maintainer's performance should
be discussed with them among the other maintainers so that they are not surprised by
a pull request removing them.
================================================
FILE: Makefile
================================================
# Recipes are run with bash.
SHELL = /bin/bash
# Container CLI used by the containerized targets (image build and run).
CONTAINER_ENGINE := docker
# Go toolchain binary; `?=` keeps a value already set in the environment.
GO ?= go
# Install locations: the binary goes under $(PREFIX)/sbin, man pages under
# $(PREFIX)/share/man.
PREFIX ?= /usr/local
BINDIR := $(PREFIX)/sbin
MANDIR := $(PREFIX)/share/man
# Current git branch (empty if git prints nothing; its stderr is discarded),
# then the same name with every non-alphanumeric character replaced by "-".
GIT_BRANCH := $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
GIT_BRANCH_CLEAN := $(shell echo $(GIT_BRANCH) | sed -e "s/[^[:alnum:]]/-/g")
# Dev image name: runc_dev, with ":<sanitized branch>" appended when a branch
# name is available.
RUNC_IMAGE := runc_dev$(if $(GIT_BRANCH_CLEAN),:$(GIT_BRANCH_CLEAN))
PROJECT := github.com/opencontainers/runc
# Default build tags. The README's "Build Tags" table describes seccomp as
# syscall filtering and libpathrs as path safety, so removing either one
# should be a deliberate choice.
BUILDTAGS := seccomp urfave_cli_no_docs libpathrs
# Tags prefixed with - in RUNC_BUILDTAGS are removed from BUILDTAGS; others are added.
RUNC_BUILDTAGS ?=
# Words of RUNC_BUILDTAGS that start with "-", with the "-" stripped.
BUILDTAGS_REMOVE := $(patsubst -%,%,$(filter -%,$(RUNC_BUILDTAGS)))
# Words of RUNC_BUILDTAGS that do not start with "-".
BUILDTAGS_ADD := $(filter-out -%,$(RUNC_BUILDTAGS))
BUILDTAGS := $(filter-out $(BUILDTAGS_REMOVE),$(BUILDTAGS)) $(BUILDTAGS_ADD)
# TODO: remove EXTRA_BUILDTAGS for runc 1.6.
# Until then EXTRA_BUILDTAGS still appends to BUILDTAGS, with a warning.
ifdef EXTRA_BUILDTAGS
$(warning EXTRA_BUILDTAGS is deprecated; use RUNC_BUILDTAGS instead)
BUILDTAGS += $(EXTRA_BUILDTAGS)
endif
# Revision string passed to the linker as main.gitCommit. --dirty marks a
# build made from a working tree with local modifications.
COMMIT := $(shell git describe --dirty --long --always)
# Optional version suffix; it is passed as main.extraVersion only when it is
# non-empty after stripping whitespace.
EXTRA_VERSION :=
LDFLAGS_COMMON := -X main.gitCommit=$(COMMIT) \
$(if $(strip $(EXTRA_VERSION)),-X main.extraVersion=$(EXTRA_VERSION),)
GOARCH := $(shell $(GO) env GOARCH)
# -trimpath may be required on some platforms to create reproducible builds
# on the other hand, it does strip out build information, like -ldflags, which
# some tools use to infer the version, in the absence of go information,
# which happens when you use `go build`.
# This enables someone to override by doing `make runc TRIMPATH= ` etc.
TRIMPATH := -trimpath
GO_BUILDMODE :=
# Enable dynamic PIE executables on supported platforms.
# PIE is left off when EXTRA_FLAGS contains -race.
ifneq (,$(filter $(GOARCH),386 amd64 arm arm64 loong64 ppc64le riscv64 s390x))
ifeq (,$(findstring -race,$(EXTRA_FLAGS)))
GO_BUILDMODE := "-buildmode=pie"
endif
endif
# Build command for the regular binary: trimpath, build mode, caller-supplied
# EXTRA_FLAGS, the build tags, and the version ldflags plus EXTRA_LDFLAGS.
GO_BUILD := $(GO) build $(TRIMPATH) $(GO_BUILDMODE) \
$(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
-ldflags "$(LDFLAGS_COMMON) $(EXTRA_LDFLAGS)"
GO_BUILDMODE_STATIC :=
# Default static link flags; replaced below where static PIE is enabled.
LDFLAGS_STATIC := -extldflags -static
# Enable static PIE executables on supported platforms.
# This (among the other things) requires libc support (rcrt1.o), which seems
# to be available only for arm64 and amd64 (Debian Bullseye).
ifneq (,$(filter $(GOARCH),arm64 amd64))
ifeq (,$(findstring -race,$(EXTRA_FLAGS)))
GO_BUILDMODE_STATIC := -buildmode=pie
LDFLAGS_STATIC := -linkmode external -extldflags -static-pie
endif
endif
# Build command for the static binary (static PIE where enabled above); it
# adds the netgo and osusergo tags to BUILDTAGS.
GO_BUILD_STATIC := $(GO) build $(TRIMPATH) $(GO_BUILDMODE_STATIC) \
$(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \
-ldflags "$(LDFLAGS_COMMON) $(LDFLAGS_STATIC) $(EXTRA_LDFLAGS)"
# Key id handed to script/release_sign.sh by the release target. `?=` means a
# value from the environment or command line replaces it, so check which key
# is in effect before publishing signed artifacts.
GPG_KEYID ?= cyphar@cyphar.com
# Some targets need cgo, which is disabled by default when cross compiling.
# Enable cgo explicitly for those.
# Both runc and libcontainer/integration need libcontainer/nsenter.
runc static localunittest: export CGO_ENABLED=1
# seccompagent needs libseccomp (when seccomp build tag is set).
# The filter result is non-empty when one of the BUILDTAGS words matches
# "seccomp", so cgo is enabled for seccompagent only in that case.
ifneq (,$(filter $(BUILDTAGS),seccomp))
seccompagent: export CGO_ENABLED=1
endif
.DEFAULT: runc
# `runc` is an alias for runc-bin, which builds ./runc with GO_BUILD.
.PHONY: runc
runc: runc-bin
.PHONY: runc-bin
runc-bin:
$(GO_BUILD) -o runc .
.PHONY: all
all: runc
# Output directory for the helper binaries used by the tests.
TESTBINDIR := tests/cmd/_bin
$(TESTBINDIR):
mkdir $(TESTBINDIR)
# Each name below is both a phony target and a directory under tests/cmd/;
# `$@` expands to the helper being built.
TESTBINS := recvtty sd-helper seccompagent fs-idmap pidfd-kill remap-rootfs key_label
.PHONY: test-binaries $(TESTBINS)
test-binaries: $(TESTBINS)
$(TESTBINS): $(TESTBINDIR)
$(GO_BUILD) -o $(TESTBINDIR) ./tests/cmd/$@
# Remove build outputs: the runc binaries, the test helper directory, the
# release directory and the generated man pages.
# NOTE(review): `release` is the only path removed through sudo, presumably
# because the containerized release build leaves root-owned files there.
# As a result `make clean` runs a recursive delete with root privileges in the
# current directory.
.PHONY: clean
clean:
rm -f runc runc-*
rm -fr $(TESTBINDIR)
sudo rm -rf release
rm -rf man/man8
# `static` is an alias for static-bin, which builds ./runc with GO_BUILD_STATIC.
.PHONY: static
static: static-bin
.PHONY: static-bin
static-bin:
$(GO_BUILD_STATIC) -o runc .
# Same as `release`, with RELEASE_ARGS set to the architecture list below.
.PHONY: releaseall
releaseall: RELEASE_ARGS := "-a 386 -a amd64 -a arm64 -a armel -a armhf -a ppc64le -a riscv64 -a s390x"
releaseall: release
# Run `make localrelease` inside the dev image with the working tree
# bind-mounted at /go/src/$(PROJECT), then sign with GPG_KEYID.
# The signing script is a separate recipe line, so make runs it directly
# rather than inside the container started by the line before it.
.PHONY: release
release: runcimage
$(CONTAINER_ENGINE) run $(CONTAINER_ENGINE_RUN_FLAGS) \
--rm -v $(CURDIR):/go/src/$(PROJECT) \
-e RELEASE_ARGS=$(RELEASE_ARGS) \
$(RUNC_IMAGE) make localrelease
script/release_sign.sh -S $(GPG_KEYID)
# Release build without the container wrapper; runs the changelog checks first.
.PHONY: localrelease
localrelease: verify-changelog
script/release_build.sh $(RELEASE_ARGS)
# Build runc and the test helpers inside the dev image.
# The container runs with --privileged and has the working tree bind-mounted,
# so it is not isolated from the host.
.PHONY: dbuild
dbuild: runcimage
$(CONTAINER_ENGINE) run $(CONTAINER_ENGINE_RUN_FLAGS) \
--privileged --rm \
-v $(CURDIR):/go/src/$(PROJECT) \
$(RUNC_IMAGE) make clean runc test-binaries
# Run golangci-lint over all packages.
.PHONY: lint
lint:
golangci-lint run ./...
# Generate the man pages via man/md2man-all.sh.
.PHONY: man
man:
man/md2man-all.sh
# Build the dev image $(RUNC_IMAGE) from the current directory; the
# containerized targets depend on it.
.PHONY: runcimage
runcimage:
$(CONTAINER_ENGINE) build $(CONTAINER_ENGINE_BUILD_FLAGS) -t $(RUNC_IMAGE) .
# `test` runs every suite inside the dev image; `localtest` runs the same
# suites directly on the host.
.PHONY: test
test: unittest integration rootlessintegration
.PHONY: localtest
localtest: localunittest localintegration localrootlessintegration
# The containerized test targets below all start the dev image with
# --privileged and bind-mount the working tree into it. unittest and
# integration also mount the host's /lib/modules read-only. Such a container
# is not isolated from the host, so run these targets on a machine where that
# is acceptable (a disposable VM or CI runner, for instance).
.PHONY: unittest
unittest: runcimage
$(CONTAINER_ENGINE) run $(CONTAINER_ENGINE_RUN_FLAGS) \
-t --privileged --rm \
-v /lib/modules:/lib/modules:ro \
-v $(CURDIR):/go/src/$(PROJECT) \
$(RUNC_IMAGE) make localunittest TESTFLAGS="$(TESTFLAGS)"
# Go unit tests for all packages, with a 3 minute timeout and the build tags
# applied; TESTFLAGS is passed through to `go test`.
.PHONY: localunittest
localunittest: test-binaries
$(GO) test -timeout 3m -tags "$(BUILDTAGS)" $(TESTFLAGS) -v ./...
.PHONY: integration
integration: runcimage
$(CONTAINER_ENGINE) run $(CONTAINER_ENGINE_RUN_FLAGS) \
-t --privileged --rm \
-v /lib/modules:/lib/modules:ro \
-v $(CURDIR):/go/src/$(PROJECT) \
$(RUNC_IMAGE) make localintegration TESTPATH="$(TESTPATH)"
# bats integration tests; TESTPATH is appended to tests/integration to select
# a single file.
.PHONY: localintegration
localintegration: runc test-binaries
bats -t tests/integration$(TESTPATH)
# ROOTLESS_TESTPATH is forwarded from the caller's environment with -e.
.PHONY: rootlessintegration
rootlessintegration: runcimage
$(CONTAINER_ENGINE) run $(CONTAINER_ENGINE_RUN_FLAGS) \
-t --privileged --rm \
-v $(CURDIR):/go/src/$(PROJECT) \
-e ROOTLESS_TESTPATH \
$(RUNC_IMAGE) make localrootlessintegration
.PHONY: localrootlessintegration
localrootlessintegration: runc test-binaries
tests/rootless.sh
# Interactive bash in the dev image, with the same --privileged flag and
# working-tree mount as the test targets.
.PHONY: shell
shell: runcimage
$(CONTAINER_ENGINE) run $(CONTAINER_ENGINE_RUN_FLAGS) \
-ti --privileged --rm \
-v $(CURDIR):/go/src/$(PROJECT) \
$(RUNC_IMAGE) bash
# Install the built binary with mode 0755 under $(DESTDIR)$(BINDIR).
# DESTDIR is prepended to every install path in this group.
.PHONY: install
install:
install -D -m0755 runc $(DESTDIR)$(BINDIR)/runc
# Install the bash completion file with mode 0644.
.PHONY: install-bash
install-bash:
install -D -m0644 contrib/completions/bash/runc $(DESTDIR)$(PREFIX)/share/bash-completion/completions/runc
# Generate the man pages, create the man8 directory, then install the pages
# into it with mode 644.
.PHONY: install-man
install-man: man
install -d -m 755 $(DESTDIR)$(MANDIR)/man8
install -D -m 644 man/man8/*.8 $(DESTDIR)$(MANDIR)/man8
# Format the tracked C sources (everything git lists as *.c outside vendor/)
# with indent.
.PHONY: cfmt
cfmt: C_SRC=$(shell git ls-files '*.c' | grep -v '^vendor/')
cfmt:
indent -linux -l120 -il0 -ppi2 -cp1 -sar -T size_t -T jmp_buf $(C_SRC)
# Static analysis of the shell and bats scripts listed below.
.PHONY: shellcheck
shellcheck:
shellcheck tests/integration/*.bats tests/integration/*.sh \
tests/integration/*.bash tests/*.sh \
man/*.sh script/*
# TODO: add shellcheck for more sh files (contrib/completions/bash/runc).
# Run shfmt from a container with the working tree mounted at /src; -d prints
# the diff and -w rewrites the files in place.
# NOTE(review): the image is referenced by tag only. Pinning it by digest
# would keep the tool that rewrites the sources from changing underneath
# the tag.
.PHONY: shfmt
shfmt:
$(CONTAINER_ENGINE) run $(CONTAINER_ENGINE_RUN_FLAGS) \
--rm -v $(CURDIR):/src -w /src \
mvdan/shfmt:v3.11.0 -d -w .
# Same formatting with a locally installed shfmt.
.PHONY: localshfmt
localshfmt:
shfmt -d -w .
# Refresh go.mod/go.sum and the vendor/ tree, then run `go mod verify`.
.PHONY: vendor
vendor:
$(GO) mod tidy
$(GO) mod vendor
$(GO) mod verify
# Formatting checks on CHANGELOG.md; each `! grep` fails the target when the
# pattern is found. `$$` is how make passes a literal `$` to the shell.
.PHONY: verify-changelog
verify-changelog:
# No space at EOL.
! grep -n '\s$$' CHANGELOG.md
# Period before issue/PR references.
! grep -n '[0-9a-zA-Z][^.] (#[1-9][0-9, #]*)$$' CHANGELOG.md
# Re-run `vendor`, then fail if git reports any change under go.mod, go.sum
# or vendor/. This catches dependency state that differs from what is
# committed.
.PHONY: verify-dependencies
verify-dependencies: vendor
@test -z "$$(git status --porcelain -- go.mod go.sum vendor/)" \
|| (echo -e "git status:\n $$(git status -- go.mod go.sum vendor/)\nerror: vendor/, go.mod and/or go.sum not up to date. Run \"make vendor\" to update"; exit 1) \
&& echo "all vendor files are up to date."
# Runs script/keyring_validate.sh. The script is not shown here; presumably it
# checks the release signing keyring.
.PHONY: validate-keyring
validate-keyring:
script/keyring_validate.sh
================================================
FILE: NOTICE
================================================
runc
Copyright 2012-2015 Docker, Inc.
This product includes software developed at Docker, Inc. (http://www.docker.com).
The following is courtesy of our legal counsel:
Use and transfer of Docker may be subject to certain restrictions by the
United States and other governments.
It is your responsibility to ensure that your use and/or transfer does not
violate applicable laws.
For more information, please see http://www.bis.doc.gov
See also http://www.apache.org/dev/crypto.html and/or seek legal counsel.
================================================
FILE: PRINCIPLES.md
================================================
# runc principles
In the design and development of runc and libcontainer we try to follow these principles:
(Work in progress)
* Don't try to replace every tool. Instead, be an ingredient to improve them.
* Less code is better.
* Fewer components are better. Do you really need to add one more class?
* 50 lines of straightforward, readable code is better than 10 lines of magic that nobody can understand.
* Don't do later what you can do now. "//TODO: refactor" is not acceptable in new code.
* When hesitating between two options, choose the one that is easier to reverse.
* "No" is temporary; "Yes" is forever. If you're not sure about a new feature, say no. You can change your mind later.
* Containers must be portable to the greatest possible number of machines. Be suspicious of any change which makes machines less interchangeable.
* The fewer moving parts in a container, the better.
* Don't merge it unless you document it.
* Don't document it unless you can keep it up-to-date.
* Don't merge it unless you test it!
* Everyone's problem is slightly different. Focus on the part that is the same for everyone, and solve that.
================================================
FILE: README.md
================================================
# runc
[Go Report Card](https://goreportcard.com/report/github.com/opencontainers/runc)
[Go Reference](https://pkg.go.dev/github.com/opencontainers/runc)
[CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/588)
[validate workflow](https://github.com/opencontainers/runc/actions?query=workflow%3Avalidate)
[ci workflow](https://github.com/opencontainers/runc/actions?query=workflow%3Aci)
[Cirrus CI](https://cirrus-ci.com/github/opencontainers/runc)
## Introduction
`runc` is a CLI tool for spawning and running containers on Linux according to the OCI specification.
## Releases
You can find official releases of `runc` on the [release](https://github.com/opencontainers/runc/releases) page.
All releases are signed by one of the keys listed in the [`runc.keyring` file in the root of this repository](runc.keyring); check the signature of a downloaded release against that keyring before installing it.
## Security
The reporting process and disclosure communications are outlined [here](https://github.com/opencontainers/org/blob/master/SECURITY.md). Do not report security issues through public GitHub issues or pull requests.
### Security Audit
A third-party security audit was performed by Cure53; you can see the full report [here](https://github.com/opencontainers/runc/blob/master/docs/Security-Audit.pdf).
## Building
`runc` only supports Linux. See the header of [`go.mod`](./go.mod) for the minimally required Go version.
### Pre-Requisites
#### Utilities and Libraries
In addition to Go, building `runc` requires multiple utilities and libraries to be installed on your system.
On Ubuntu/Debian, you can install the required dependencies with:
```bash
apt update && apt install -y make gcc linux-libc-dev libseccomp-dev pkg-config git
```
On CentOS/Fedora, you can install the required dependencies with:
```bash
yum install -y make gcc kernel-headers libseccomp-devel pkg-config git
```
On Alpine Linux, you can install the required dependencies with:
```bash
apk --update add bash make gcc libseccomp-dev musl-dev linux-headers git
```
The following dependencies are optional:
* `libseccomp` - only required if you enable seccomp support; to disable, see [Build Tags](#build-tags)
### Build
```bash
# create a 'github.com/opencontainers' in your GOPATH/src
cd github.com/opencontainers
git clone https://github.com/opencontainers/runc
cd runc
make
sudo make install
```
You can also use `go get` to install to your `GOPATH`, assuming that you have a `github.com` parent folder already created under `src`:
```bash
go get github.com/opencontainers/runc
cd $GOPATH/src/github.com/opencontainers/runc
make
sudo make install
```
`runc` will be installed to `/usr/local/sbin/runc` on your system.
#### Version string customization
You can see the runc version by running `runc --version`. You can append a custom string to the
version using the `EXTRA_VERSION` make variable when building, e.g.:
```bash
make EXTRA_VERSION="+build-1"
```
Bear in mind to include some separator for readability.
#### Build Tags
`runc` supports optional build tags for compiling support of various features,
with some of them enabled by default in the top-level Makefile.
The following build tags are currently recognized:
| Build Tag | Feature | Set by Default | Dependencies |
|---------------|---------------------------------------|----------------|---------------------|
| `seccomp` | Syscall filtering using `libseccomp`. | yes | `libseccomp` |
| `libpathrs` | Use [`libpathrs`][] for path safety. | yes | [`libpathrs`][] |
| `runc_nocriu` | **Disables** runc checkpoint/restore. | no | `criu` |
[`libpathrs`]: https://github.com/cyphar/libpathrs
To add or remove build tags from the default set, use the `RUNC_BUILDTAGS`
make or shell variable. Tags prefixed with `-` are removed from the default set;
others are added. For example:
```bash
# Add runc_nocriu and remove seccomp tag.
make RUNC_BUILDTAGS="runc_nocriu -seccomp"
```
The following build tags were used earlier, but are now obsoleted:
- **runc_nodmz** (since runc v1.2.1 runc dmz binary is dropped)
- **nokmem** (since runc v1.0.0-rc94 kernel memory settings are ignored)
- **apparmor** (since runc v1.0.0-rc93 the feature is always enabled)
- **selinux** (since runc v1.0.0-rc93 the feature is always enabled)
### Running the test suite
`runc` currently supports running its test suite via Docker.
To run the suite just type `make test`.
```bash
make test
```
There are additional make targets for running the tests outside of a container but this is not recommended as the tests are written with the expectation that they can write and remove anywhere.
You can run a specific test case by setting the `TESTFLAGS` variable.
```bash
# make test TESTFLAGS="-run=SomeTestFunction"
```
You can run a specific integration test by setting the `TESTPATH` variable.
```bash
# make test TESTPATH="/checkpoint.bats"
```
You can run a specific rootless integration test by setting the `ROOTLESS_TESTPATH` variable.
```bash
# make test ROOTLESS_TESTPATH="/checkpoint.bats"
```
You can run a test using your container engine's flags by setting `CONTAINER_ENGINE_BUILD_FLAGS` and `CONTAINER_ENGINE_RUN_FLAGS` variables.
```bash
# make test CONTAINER_ENGINE_BUILD_FLAGS="--build-arg http_proxy=http://yourproxy/" CONTAINER_ENGINE_RUN_FLAGS="-e http_proxy=http://yourproxy/"
```
### Go Dependencies Management
`runc` uses [Go Modules](https://github.com/golang/go/wiki/Modules) for dependencies management.
Please refer to [Go Modules](https://github.com/golang/go/wiki/Modules) for how to add or update
new dependencies.
```
# Update vendored dependencies
make vendor
# Verify all dependencies
make verify-dependencies
```
## Using runc
Please note that runc is a low level tool not designed with an end user
in mind. It is mostly employed by other higher level container software.
Therefore, unless there is some specific use case that prevents the use
of tools like Docker or Podman, it is not recommended to use runc directly.
If you still want to use runc, here's how.
### Creating an OCI Bundle
In order to use runc you must have your container in the format of an OCI bundle.
If you have Docker installed you can use its `export` method to acquire a root filesystem from an existing Docker container.
```bash
# create the top most bundle directory
mkdir /mycontainer
cd /mycontainer
# create the rootfs directory
mkdir rootfs
# export busybox via Docker into the rootfs directory
docker export $(docker create busybox) | tar -C rootfs -xvf -
```
After a root filesystem is populated you just generate a spec in the format of a `config.json` file inside your bundle.
`runc` provides a `spec` command to generate a base template spec that you are then able to edit.
To find features and documentation for fields in the spec please refer to the [specs](https://github.com/opencontainers/runtime-spec) repository.
```bash
runc spec
```
### Running Containers
Assuming you have an OCI bundle from the previous step you can execute the container in two different ways.
The first way is to use the convenience command `run` that will handle creating, starting, and deleting the container after it exits.
```bash
# run as root
cd /mycontainer
runc run mycontainerid
```
If you used the unmodified `runc spec` template this should give you a `sh` session inside the container.
The second way to start a container is using the spec's lifecycle operations.
This gives you more power over how the container is created and managed while it is running.
This will also launch the container in the background so you will have to edit
the `config.json` to remove the `terminal` setting for the simple examples
below (see more details about [runc terminal handling](docs/terminals.md)).
Your process field in the `config.json` should look like this below with `"terminal": false` and `"args": ["sleep", "5"]`.
```json
"process": {
"terminal": false,
"user": {
"uid": 0,
"gid": 0
},
"args": [
"sleep", "5"
],
"env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"TERM=xterm"
],
"cwd": "/",
"capabilities": {
"bounding": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
],
"effective": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
],
"inheritable": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
],
"permitted": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
],
"ambient": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
]
},
"rlimits": [
{
"type": "RLIMIT_NOFILE",
"hard": 1024,
"soft": 1024
}
],
"noNewPrivileges": true
},
```
Now we can go through the lifecycle operations in your shell.
```bash
# run as root
cd /mycontainer
runc create mycontainerid
# view the container is created and in the "created" state
runc list
# start the process inside the container
runc start mycontainerid
# after 5 seconds view that the container has exited and is now in the stopped state
runc list
# now delete the container
runc delete mycontainerid
```
This allows higher level systems to augment the container's creation logic with setup of various settings after the container is created and/or before it is deleted. For example, the container's network stack is commonly set up after `create` but before `start`.
#### Rootless containers
`runc` has the ability to run containers without root privileges. This is called `rootless`. You need to pass some parameters to `runc` in order to run rootless containers. See below and compare with the previous version.
**Note:** In order to use this feature, "User Namespaces" must be compiled and enabled in your kernel. There are various ways to do this depending on your distribution:
- Confirm `CONFIG_USER_NS=y` is set in your kernel configuration (normally found in `/proc/config.gz`)
- Arch/Debian: `echo 1 > /proc/sys/kernel/unprivileged_userns_clone`
- RHEL/CentOS 7: `echo 28633 > /proc/sys/user/max_user_namespaces`
Run the following commands as an ordinary user:
```bash
# Same as the first example
mkdir ~/mycontainer
cd ~/mycontainer
mkdir rootfs
docker export $(docker create busybox) | tar -C rootfs -xvf -
# The --rootless parameter instructs runc spec to generate a configuration for a rootless container, which will allow you to run the container as a non-root user.
runc spec --rootless
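# The --root parameter tells runc where to store the container state. It must be writable by the user; outside of a quick test, pick a directory that only that user can write to rather than a path under the shared /tmp.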
runc --root /tmp/runc run mycontainerid
```
#### Supervisors
`runc` can be used with process supervisors and init systems to ensure that containers are restarted when they exit.
An example systemd unit file looks something like this.
```systemd
[Unit]
Description=Start My Container
[Service]
Type=forking
ExecStart=/usr/local/sbin/runc run -d --pid-file /run/mycontainerid.pid mycontainerid
ExecStopPost=/usr/local/sbin/runc delete mycontainerid
WorkingDirectory=/mycontainer
PIDFile=/run/mycontainerid.pid
[Install]
WantedBy=multi-user.target
```
## More documentation
* [Spec conformance](./docs/spec-conformance.md)
* [cgroup v2](./docs/cgroup-v2.md)
* [Checkpoint and restore](./docs/checkpoint-restore.md)
* [systemd cgroup driver](./docs/systemd.md)
* [Terminals and standard IO](./docs/terminals.md)
* [Experimental features](./docs/experimental.md)
* [Deprecated features](./docs/deprecated.md)
## License
The code and docs are released under the [Apache 2.0 license](LICENSE).
================================================
FILE: RELEASES.md
================================================
## Release Cadence and Support Policy ##
This document describes the release cadence for runc as well as outlining the
support policy for old release branches. Historically, despite runc being the
most widely used Linux container runtime, our release schedule has been very
ad-hoc and has resulted in very long periods of time between minor releases,
causing issues for downstreams that wanted particular features.
### Semantic Versioning ###
runc uses [Semantic Versioning][semver] for releases. However, our
compatibility policy only applies to the runc binary. We will make a
best-effort attempt to reduce the impact to users that make direct use of the
Go packages prefixed with `github.com/opencontainers/runc`, but we do not
formally guarantee that API compatibility will be preserved.
[semver]: https://semver.org/spec/v2.0.0.html
### Release Cadence ###
[new-issue]: https://github.com/opencontainers/runc/issues/new/choose
runc follows a 6-month minor version release schedule, with the aim of releases
happening at the end of April and October each year.
The first release candidate will be created 2 months before the planned release
date (i.e. the end of February and August, respectively), at which point the
release branch will be created and will enter a feature freeze. No new features
will be merged into the release branch, and large features being developed
immediately before the feature freeze may have their merge delayed so as to not
be included in the next release. Most releases will have two or three release
candidates, but this may change depending on the circumstances of the release
at the time.
If a last-minute critical issue is discovered, the release may be delayed.
However, the following release will still go according to schedule (except in
the exceptionally unlikely scenario where the delay is 4-6 months long, in
which case the next release is moved forward to when the subsequent release
would have been).
Here is a hypothetical release timeline to see how this works in practice:
| Date | Release | Notes |
| ---------- | ------------ | ----- |
| 200X-02-28 | `1.3.0-rc.1` | `release-1.3` branch created, feature freeze. |
| 200X-03-12 | `1.3.0-rc.2` | |
| 200X-03-25 | `1.3.0-rc.3` | |
| 200X-04-30 | `1.3.0` | `1.3` release published. |
| 200X-05-10 | `1.3.1` | |
| 200X-06-21 | `1.3.2` | |
| 200X-06-25 | `1.3.3` | |
| 200X-07-02 | `1.3.4` | |
| 200X-08-28 | `1.4.0-rc.1` | `release-1.4` branch created, feature freeze. |
| 200X-09-15 | `1.3.5` | Patch releases in other release branches have no impact on the new release branch. |
| 200X-09-21 | `1.4.0-rc.2` | |
| 200X-10-31 | `1.4.0` | `1.4` release published. |
| 200X-11-10 | `1.4.1` | |
| 200X-12-25 | `1.4.2` | |
(And so on for the next year.)
### Support Policy ###
In order to ease the transition between minor runc releases, previous minor
release branches of runc will be maintained for some time after the newest
minor release is published. In the following text, `latest` refers to the
latest minor (non-release-candidate) runc release published; `latest-1` is the
previous minor release branch; and `latest-2` is the minor release branch
before `latest-1`. For example, if `latest` is `1.4.0` then `latest-1` is
`1.3.z` and `latest-2` is `1.2.z`.
* Once `latest` is released, new features will no longer be merged into
`latest` and only bug and security fixes will be backported, though we will
be fairly liberal with what kinds of bugs will be considered candidates for
backporting.
* `latest-1` will only receive security fixes and significant bug fixes (what
bug fixes are "significant" are down to the maintainer's judgement, but
maintainers should err on the side of reducing the number of backports at
this stage). At this stage, users of `latest-1` are encouraged to start
planning the migration to the `latest` release of runc (as well as reporting
any issues they may find).
* `latest-2` will only receive high severity security fixes (i.e. CVEs that
have been assessed as having a CVSS score of 7.0 or higher). At this stage,
users still using `latest-2` would be strongly encouraged to upgrade to
either `latest` or `latest-1`.
* Any older releases will no longer receive any updates, and users are
encouraged to upgrade in the strongest possible terms, as they will not
receive any security fixes regardless of severity or impact.
This policy only applies to minor releases of runc with major version `1`. If
there is a runc `2.0` release in the future, this document will be updated to
reflect the necessary changes to the support policy for the `1.y` major release
branch of runc.
================================================
FILE: SECURITY.md
================================================
# Security
When reporting a security issue, do not create an issue or file a pull request on GitHub.
The reporting process and disclosure communications are outlined [here](https://github.com/opencontainers/org/blob/master/SECURITY.md).
================================================
FILE: VERSION
================================================
1.5.0-rc.1+dev
================================================
FILE: checkpoint.go
================================================
package main
import (
"errors"
"fmt"
"net"
"os"
"path/filepath"
"strconv"
"github.com/moby/sys/userns"
"github.com/opencontainers/runtime-spec/specs-go"
"github.com/sirupsen/logrus"
"github.com/urfave/cli"
"golang.org/x/sys/unix"
"github.com/opencontainers/runc/libcontainer"
)
// checkpointCommand implements "runc checkpoint". The action validates the
// argument count, refuses containers in the Created or Stopped state, builds
// the CRIU options from the flags and calls Checkpoint on the container.
var checkpointCommand = cli.Command{
	Name:  "checkpoint",
	Usage: "checkpoint a running container",
	ArgsUsage: `<container-id>
Where "<container-id>" is the name for the instance of the container to be
checkpointed.`,
	Description: `The checkpoint command saves the state of the container instance.`,
	// NOTE(review): the image directory receives the saved container state
	// (with --pre-dump, its memory information), so presumably it should be
	// reachable only by the invoking user - confirm how prepareImagePaths
	// creates it.
	Flags: []cli.Flag{
		cli.StringFlag{Name: "image-path", Value: "", Usage: "path for saving criu image files"},
		cli.StringFlag{Name: "work-path", Value: "", Usage: "path for saving work files and logs"},
		cli.StringFlag{Name: "parent-path", Value: "", Usage: "path for previous criu image files in pre-dump"},
		cli.BoolFlag{Name: "leave-running", Usage: "leave the process running after checkpointing"},
		cli.BoolFlag{Name: "tcp-established", Usage: "allow open tcp connections"},
		cli.BoolFlag{Name: "tcp-skip-in-flight", Usage: "skip in-flight tcp connections"},
		cli.BoolFlag{Name: "link-remap", Usage: "allow one to link unlinked files back when possible"},
		cli.BoolFlag{Name: "ext-unix-sk", Usage: "allow external unix sockets"},
		cli.BoolFlag{Name: "shell-job", Usage: "allow shell jobs"},
		cli.BoolFlag{Name: "lazy-pages", Usage: "use userfaultfd to lazily restore memory pages"},
		cli.IntFlag{Name: "status-fd", Value: -1, Usage: "criu writes \\0 to this FD once lazy-pages is ready"},
		cli.StringFlag{Name: "page-server", Value: "", Usage: "ADDRESS:PORT of the page server"},
		cli.BoolFlag{Name: "file-locks", Usage: "handle file locks, for safety"},
		cli.BoolFlag{Name: "pre-dump", Usage: "dump container's memory information only, leave the container running after this"},
		cli.StringFlag{Name: "manage-cgroups-mode", Value: "", Usage: "cgroups mode: soft|full|strict|ignore (default: soft)"},
		cli.StringSliceFlag{Name: "empty-ns", Usage: "create a namespace, but don't restore its properties"},
		cli.BoolFlag{Name: "auto-dedup", Usage: "enable auto deduplication of memory images"},
	},
	Action: func(context *cli.Context) error {
		if err := checkArgs(context, 1, exactArgs); err != nil {
			return err
		}

		// XXX: Currently this is untested with rootless containers.
		rootless := os.Geteuid() != 0 || userns.RunningInUserNS()
		if rootless {
			logrus.Warn("runc checkpoint is untested with rootless containers")
		}

		container, err := getContainer(context)
		if err != nil {
			return err
		}
		status, err := container.Status()
		if err != nil {
			return err
		}
		switch status {
		case libcontainer.Created, libcontainer.Stopped:
			return fmt.Errorf("Container cannot be checkpointed in %s state", status.String())
		}

		options, err := criuOptions(context)
		if err != nil {
			return err
		}
		if err := container.Checkpoint(options); err != nil {
			return err
		}
		// Keep the container when CRIU was told to leave it running or when
		// this was only a pre-dump.
		if options.LeaveRunning || options.PreDump {
			return nil
		}
		// A failed cleanup is only logged; the checkpoint itself succeeded.
		if destroyErr := container.Destroy(); destroyErr != nil {
			logrus.Warn(destroyErr)
		}
		return nil
	},
}
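// prepareImagePaths resolves and validates the --image-path and --parent-path
// flags.
//
// It returns the image directory (created if it does not exist) and the parent
// path exactly as given on the command line. An error is returned when the
// image directory cannot be created, or when --parent-path is absolute, does
// not exist relative to the image directory, or is not a directory.
func prepareImagePaths(context *cli.Context) (string, string, error) {
	imagePath := context.String("image-path")
	if imagePath == "" {
		imagePath = getDefaultImagePath()
	}

	// A directory is only usable by its owner when the search (x) bit is set.
	// The previous mode 0o600 produced directories that only a caller able to
	// bypass permission checks could enter, and made MkdirAll fail on nested
	// paths for everyone else. 0o700 still keeps the images private to the
	// owner.
	if err := os.MkdirAll(imagePath, 0o700); err != nil {
		return "", "", err
	}

	parentPath := context.String("parent-path")
	if parentPath == "" {
		return imagePath, parentPath, nil
	}

	if filepath.IsAbs(parentPath) {
		return "", "", errors.New("--parent-path must be relative")
	}

	// The parent path is checked relative to the image directory, but it is
	// returned unchanged (still relative).
	realParent := filepath.Join(imagePath, parentPath)
	fi, err := os.Stat(realParent)
	if err == nil && !fi.IsDir() {
		err = &os.PathError{Path: realParent, Err: unix.ENOTDIR}
	}
	if err != nil {
		return "", "", fmt.Errorf("invalid --parent-path: %w", err)
	}

	return imagePath, parentPath, nil
}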
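// criuOptions builds the libcontainer CRIU options from the command-line
// flags of the given context.
//
// It returns an error when the image paths are invalid, when --page-server is
// not of the form ADDRESS:PORT with a port in the range 0-65535, or when
// --empty-ns names a namespace other than the network namespace.
func criuOptions(context *cli.Context) (*libcontainer.CriuOpts, error) {
	imagePath, parentPath, err := prepareImagePaths(context)
	if err != nil {
		return nil, err
	}

	opts := &libcontainer.CriuOpts{
		ImagesDirectory:         imagePath,
		WorkDirectory:           context.String("work-path"),
		ParentImage:             parentPath,
		LeaveRunning:            context.Bool("leave-running"),
		TcpEstablished:          context.Bool("tcp-established"),
		TcpSkipInFlight:         context.Bool("tcp-skip-in-flight"),
		LinkRemap:               context.Bool("link-remap"),
		ExternalUnixConnections: context.Bool("ext-unix-sk"),
		ShellJob:                context.Bool("shell-job"),
		FileLocks:               context.Bool("file-locks"),
		PreDump:                 context.Bool("pre-dump"),
		AutoDedup:               context.Bool("auto-dedup"),
		LazyPages:               context.Bool("lazy-pages"),
		StatusFd:                context.Int("status-fd"),
		LsmProfile:              context.String("lsm-profile"),
		LsmMountContext:         context.String("lsm-mount-context"),
		ManageCgroupsMode:       context.String("manage-cgroups-mode"),
	}

	// CRIU options below may or may not be set.

	if psOpt := context.String("page-server"); psOpt != "" {
		address, port, err := net.SplitHostPort(psOpt)
		if err != nil || address == "" || port == "" {
			return nil, errors.New("Use --page-server ADDRESS:PORT to specify page server")
		}
		portInt, err := strconv.Atoi(port)
		// Reject values outside the valid port range here: the int32
		// conversion below would otherwise hand a negative, oversized or
		// silently truncated port number on to CRIU.
		if err != nil || portInt < 0 || portInt > 65535 {
			return nil, errors.New("Invalid port number")
		}
		opts.PageServer = libcontainer.CriuPageServerInfo{
			Address: address,
			Port:    int32(portInt),
		}
	}

	// runc doesn't manage network devices and their configuration.
	nsmask := unix.CLONE_NEWNET

	if context.IsSet("empty-ns") {
		// Only the network namespace may be requested through --empty-ns;
		// any other name is rejected below.
		namespaceMapping := map[specs.LinuxNamespaceType]int{
			specs.NetworkNamespace: unix.CLONE_NEWNET,
		}

		for _, ns := range context.StringSlice("empty-ns") {
			f, exists := namespaceMapping[specs.LinuxNamespaceType(ns)]
			if !exists {
				return nil, fmt.Errorf("namespace %q is not supported", ns)
			}
			nsmask |= f
		}
	}

	opts.EmptyNs = uint32(nsmask)

	return opts, nil
}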
================================================
FILE: contrib/completions/bash/runc
================================================
#!/bin/bash
#
# bash completion file for runc command
#
# This script provides completion of:
# - commands and their options
# - filepaths
#
# To enable the completions either:
# - place this file in /usr/share/bash-completion/completions
# or
# - copy this file to e.g. ~/.runc-completion.sh and add the line
# below to your .bashrc after bash completion features are loaded
# . ~/.runc-completion.sh
#
# Configuration:
#
# Note for developers:
# Please arrange options sorted alphabetically by long name with the short
# options immediately following their corresponding long form.
# This order should be applied to lists, alternatives and code blocks.
# Remember the caller's extglob setting (it is restored by the eval at the end
# of this file), then enable extglob for the definitions that follow.
__runc_previous_extglob_setting=$(shopt -p extglob)
shopt -s extglob
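# Completes the current word with the container IDs printed by "runc list -q".
__runc_list_all() {
	# "$cur" is quoted so that a partially typed word containing whitespace or
	# glob characters reaches compgen as one literal argument.
	# NOTE(review): compgen -W applies shell expansion to the word list, so
	# this presumably relies on runc restricting container IDs to a safe
	# character set - confirm.
	COMPREPLY=($(compgen -W "$(runc list -q)" -- "$cur"))
}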
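# Prints the index in ${words[@]} of the first word after the (sub)command
# that is neither an option nor the argument of an option matched by $1.
#   $1  optional extglob pattern such as "@(--log|--root)" naming the options
#       that take an argument; the word following such an option is skipped.
# Reads words, cword, command_pos and (when set) subcommand_pos from the
# calling completion function.
__runc_pos_first_nonflag() {
	local argument_flags=$1
	local counter=$((${subcommand_pos:-${command_pos}} + 1))
	while [ $counter -le $cword ]; do
		# The word is text typed on the command line, so it is matched as
		# data with [[ == ]]. The earlier eval-built "case" re-parsed the word
		# as shell code, which let a word containing a quote change what was
		# executed during completion.
		if [[ -n $argument_flags && ${words[$counter]} == $argument_flags ]]; then
			((counter++))
		else
			case "${words[$counter]}" in
				-*) ;;
				*)
					break
					;;
			esac
		fi
		((counter++))
	done
	echo $counter
}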
# Joins the whitespace-separated words of $1 into one line, using "|" as the
# separator. The result feeds __runc_pos_first_nonflag() via
# __runc_to_extglob().
__runc_to_alternatives() {
	# Unquoted on purpose: word splitting turns the list into array elements.
	local -a alternatives=($1)
	local IFS='|'
	echo "${alternatives[*]}"
}
# Turns a multiline list of options into an extglob pattern of the form
# "@(a|b|c)" that can be used in case statements.
__runc_to_extglob() {
	local alternatives
	alternatives=$(__runc_to_alternatives "$1")
	echo "@($alternatives)"
}
# Subcommand dispatch.
# Scans the words between the command and the cursor for the first one that
# equals any subcommand listed in $1. On a match it records the position in
# subcommand_pos, runs _runc_<command>_<subcommand> if such a function is
# defined, and returns 0. Without a match it returns 1 so the caller can carry
# on with its own completion.
#
# TODO if the preceding command has options that accept arguments and an
# argument is equal to one of the subcommands, this is falsely detected as
# a match.
__runc_subcommands() {
	local subcommands="$1"
	local pattern=$(__runc_to_extglob "$subcommands")
	local counter
	for ((counter = command_pos + 1; counter < cword; counter++)); do
		case "${words[$counter]}" in
			$pattern)
				subcommand_pos=$counter
				local subcommand=${words[$counter]}
				local completions_func=_runc_${command}_${subcommand}
				# Only a function that is actually defined gets called.
				declare -F $completions_func >/dev/null && $completions_func
				return 0
				;;
		esac
	done
	return 1
}
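# Completes the current word with the signal names reported by "kill -l".
__runc_list_signals() {
	# "kill -l" prints numbered entries; flatten them to one token per line
	# and keep only the names. Passing "$cur" lets compgen filter the list by
	# what has been typed so far instead of always returning every signal.
	COMPREPLY=($(compgen -W "$(for i in $(kill -l | xargs); do echo $i; done | grep SIG)" -- "$cur"))
}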
# Asks readline not to append a space after the completed word.
__runc_nospace() {
	# compopt is not available in ancient bash versions
	if ! type compopt &>/dev/null; then
		return 1
	fi
	compopt -o nospace
}
# Completes the current word with a capability name.
# The list of capabilities is defined in types.go, ALL was added manually.
__runc_complete_capabilities() {
	local capabilities="
ALL
AUDIT_CONTROL
AUDIT_WRITE
AUDIT_READ
BLOCK_SUSPEND
BPF
CHECKPOINT_RESTORE
CHOWN
DAC_OVERRIDE
DAC_READ_SEARCH
FOWNER
FSETID
IPC_LOCK
IPC_OWNER
KILL
LEASE
LINUX_IMMUTABLE
MAC_ADMIN
MAC_OVERRIDE
MKNOD
NET_ADMIN
NET_BIND_SERVICE
NET_BROADCAST
NET_RAW
PERFMON
SETFCAP
SETGID
SETPCAP
SETUID
SYS_ADMIN
SYS_BOOT
SYS_CHROOT
SYSLOG
SYS_MODULE
SYS_NICE
SYS_PACCT
SYS_PTRACE
SYS_RAWIO
SYS_RESOURCE
SYS_TIME
SYS_TTY_CONFIG
WAKE_ALARM
"
	COMPREPLY=($(compgen -W "$capabilities" -- "$cur"))
}
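# Completion for "runc exec".
_runc_exec() {
	# One option per line, long form first and without commas. These lists are
	# split on whitespace, both for compgen and for the extglob pattern below,
	# so an entry like "--tty, -t" produced the bogus word "--tty," and kept
	# the long form out of the options_with_args pattern.
	local boolean_options="
--help
--no-new-privs
--tty
-t
--detach
-d
"
	local options_with_args="
--console-socket
--cwd
--env
-e
--user
-u
--additional-gids
-g
--process
-p
--pid-file
--process-label
--apparmor
--cap
-c
--preserve-fds
--ignore-paused
"
	local all_options="$options_with_args $boolean_options"
	case "$prev" in
		--cap | -c)
			__runc_complete_capabilities
			return
			;;
		--console-socket | --cwd | --process | --apparmor)
			case "$cur" in
				*:*) ;; # TODO somehow do _filedir for stuff inside the image, if it's already specified (which is also somewhat difficult to determine)
				'')
					COMPREPLY=($(compgen -W '/' -- "$cur"))
					__runc_nospace
					;;
				/*)
					_filedir
					__runc_nospace
					;;
			esac
			return
			;;
		--env | -e)
			# Completes names of environment variables.
			COMPREPLY=($(compgen -e -- "$cur"))
			__runc_nospace
			return
			;;
		$(__runc_to_extglob "$options_with_args"))
			# The previous word is an option that expects a value we cannot
			# complete.
			return
			;;
	esac
	case "$cur" in
		-*)
			COMPREPLY=($(compgen -W "$all_options" -- "$cur"))
			;;
		*)
			__runc_list_all
			;;
	esac
}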
# Completion for the words that directly follow "runc": global options and
# the command name.
_runc_runc() {
	local boolean_options="
$global_boolean_options
--help
--version -v
--debug
--systemd-cgroup
"
	local options_with_args="
--log
--log-format
--root
--rootless
"
	case "$prev" in
		--log | --root)
			if [[ $cur == *:* ]]; then
				: # TODO somehow do _filedir for stuff inside the image, if it's already specified (which is also somewhat difficult to determine)
			elif [[ -z $cur ]]; then
				COMPREPLY=($(compgen -W '/' -- "$cur"))
				__runc_nospace
			else
				_filedir
				__runc_nospace
			fi
			return
			;;
		--log-format)
			COMPREPLY=($(compgen -W 'text json' -- "$cur"))
			return
			;;
		$(__runc_to_extglob "$options_with_args"))
			return
			;;
	esac
	if [[ $cur == -* ]]; then
		COMPREPLY=($(compgen -W "$boolean_options $options_with_args" -- "$cur"))
	else
		# Offer command names only at the first non-option position.
		local counter=$(__runc_pos_first_nonflag $(__runc_to_extglob "$options_with_args"))
		if [ $cword -eq $counter ]; then
			COMPREPLY=($(compgen -W "${commands[*]} help" -- "$cur"))
		fi
	fi
}
# Completion for "runc pause": options when the word starts with "-",
# container IDs otherwise.
_runc_pause() {
	local boolean_options="
--help
-h
"
	if [[ $cur == -* ]]; then
		COMPREPLY=($(compgen -W "$boolean_options $options_with_args" -- "$cur"))
	else
		__runc_list_all
	fi
}
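# Completion for "runc ps": options when the word starts with "-", container
# IDs otherwise.
_runc_ps() {
	local boolean_options="
--help
-h
"
	# Long and short form on separate lines: the list is split on whitespace,
	# so "--format, -f" offered the bogus completion "--format,".
	local options_with_args="
--format
-f
"
	case "$cur" in
		-*)
			COMPREPLY=($(compgen -W "$boolean_options $options_with_args" -- "$cur"))
			;;
		*)
			__runc_list_all
			;;
	esac
}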
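# Completion for "runc delete": options when the word starts with "-",
# container IDs otherwise.
_runc_delete() {
	# delete.go declares the flag as "force, f"; the list used to offer
	# "--format," which runc delete does not accept.
	local boolean_options="
--help
-h
--force
-f
"
	case "$cur" in
		-*)
			COMPREPLY=($(compgen -W "$boolean_options $options_with_args" -- "$cur"))
			;;
		*)
			__runc_list_all
			;;
	esac
}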
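# Completion for "runc kill": options when the word starts with "-", a
# container ID directly after "kill", and a signal name otherwise.
_runc_kill() {
	local boolean_options="
--help
-h
--all
-a
"
	# Options are handled first. This branch used to sit behind a case
	# statement whose every arm returned, so it could never run.
	if [[ $cur == -* ]]; then
		COMPREPLY=($(compgen -W "$boolean_options" -- "$cur"))
		return
	fi
	case "$prev" in
		"kill")
			__runc_list_all
			;;
		*)
			__runc_list_signals
			;;
	esac
}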
# Completion for "runc events". Nothing is offered for the value of an option
# that takes an argument; otherwise options or container IDs are completed.
_runc_events() {
	local boolean_options="
--help
--stats
"
	local options_with_args="
--interval
"
	case "$prev" in
		$(__runc_to_extglob "$options_with_args"))
			return
			;;
	esac
	if [[ $cur == -* ]]; then
		COMPREPLY=($(compgen -W "$boolean_options $options_with_args" -- "$cur"))
	else
		__runc_list_all
	fi
}
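# Completion for "runc list": the output format after --format/-f, and option
# names when the word starts with "-".
_runc_list() {
	local boolean_options="
--help
--quiet
-q
"
	local options_with_args="
--format
-f
"
	case "$prev" in
		--format | -f)
			COMPREPLY=($(compgen -W 'text json' -- "$cur"))
			return
			;;
		$(__runc_to_extglob "$options_with_args"))
			return
			;;
	esac
	# Words that are not options get no completion here. The old fallback
	# branch only computed a position into a local that was never read, so it
	# has been dropped.
	if [[ $cur == -* ]]; then
		COMPREPLY=($(compgen -W "$boolean_options $options_with_args" -- "$cur"))
	fi
}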
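# Completion for "runc spec": a path after --bundle/-b, and option names when
# the word starts with "-".
_runc_spec() {
	local boolean_options="
--help
--rootless
"
	local options_with_args="
--bundle
-b
"
	case "$prev" in
		--bundle | -b)
			case "$cur" in
				'')
					COMPREPLY=($(compgen -W '/' -- "$cur"))
					__runc_nospace
					;;
				/*)
					_filedir
					__runc_nospace
					;;
			esac
			return
			;;
		$(__runc_to_extglob "$options_with_args"))
			return
			;;
	esac
	# Words that are not options get no completion here. The old fallback
	# branch only computed a position into a local that was never read, so it
	# has been dropped.
	if [[ $cur == -* ]]; then
		COMPREPLY=($(compgen -W "$boolean_options $options_with_args" -- "$cur"))
	fi
}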
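# Completion for "runc run": paths after the path-valued options, option names
# when the word starts with "-", container IDs otherwise.
_runc_run() {
	# "--detach" was misspelled "--detatch", so the completion offered a flag
	# that does not exist (compare the list in _runc_restore).
	local boolean_options="
--help
--detach
-d
--no-subreaper
--no-pivot
--no-new-keyring
"
	local options_with_args="
--bundle
-b
--console-socket
--pid-file
--preserve-fds
"
	case "$prev" in
		--bundle | -b | --console-socket | --pid-file)
			case "$cur" in
				'')
					COMPREPLY=($(compgen -W '/' -- "$cur"))
					__runc_nospace
					;;
				/*)
					_filedir
					__runc_nospace
					;;
			esac
			return
			;;
		$(__runc_to_extglob "$options_with_args"))
			return
			;;
	esac
	case "$cur" in
		-*)
			COMPREPLY=($(compgen -W "$boolean_options $options_with_args" -- "$cur"))
			;;
		*)
			__runc_list_all
			;;
	esac
}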
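# Completion for "runc checkpoint": cgroups modes after --manage-cgroups-mode,
# paths after the path-valued options, option names when the word starts with
# "-", container IDs otherwise.
_runc_checkpoint() {
	local boolean_options="
--help
-h
--leave-running
--tcp-established
--tcp-skip-in-flight
--link-remap
--ext-unix-sk
--shell-job
--lazy-pages
--file-locks
--pre-dump
--auto-dedup
"
	local options_with_args="
--image-path
--work-path
--parent-path
--status-fd
--page-server
--manage-cgroups-mode
--empty-ns
"
	case "$prev" in
		--page-server) ;;
		--manage-cgroups-mode)
			# checkpoint.go documents four modes (soft|full|strict|ignore);
			# "ignore" was missing from this list.
			COMPREPLY=($(compgen -W "soft full strict ignore" -- "$cur"))
			return
			;;
		--image-path | --work-path | --parent-path)
			case "$cur" in
				*:*) ;; # TODO somehow do _filedir for stuff inside the image, if it's already specified (which is also somewhat difficult to determine)
				'')
					COMPREPLY=($(compgen -W '/' -- "$cur"))
					__runc_nospace
					;;
				*)
					_filedir
					__runc_nospace
					;;
			esac
			return
			;;
		$(__runc_to_extglob "$options_with_args"))
			return
			;;
	esac
	case "$cur" in
		-*)
			COMPREPLY=($(compgen -W "$boolean_options $options_with_args" -- "$cur"))
			;;
		*)
			__runc_list_all
			;;
	esac
}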
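# Completion for "runc create": paths after the path-valued options, option
# names when the word starts with "-", container IDs otherwise.
_runc_create() {
	local boolean_options="
--help
--no-pivot
--no-new-keyring
"
	# create.go also defines --pidfd-socket (a path to an AF_UNIX socket); it
	# was missing here, so it was neither offered nor given path completion.
	local options_with_args="
--bundle
-b
--console-socket
--pidfd-socket
--pid-file
--preserve-fds
"
	case "$prev" in
		--bundle | -b | --console-socket | --pidfd-socket | --pid-file)
			case "$cur" in
				'')
					COMPREPLY=($(compgen -W '/' -- "$cur"))
					__runc_nospace
					;;
				/*)
					_filedir
					__runc_nospace
					;;
			esac
			return
			;;
		$(__runc_to_extglob "$options_with_args"))
			return
			;;
	esac
	case "$cur" in
		-*)
			COMPREPLY=($(compgen -W "$boolean_options $options_with_args" -- "$cur"))
			;;
		*)
			__runc_list_all
			;;
	esac
}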
# Completion for "runc help": offers the command names, but only at the first
# non-option position after "help".
_runc_help() {
	local first_arg_pos=$(__runc_pos_first_nonflag)
	if [[ $cword -eq $first_arg_pos ]]; then
		COMPREPLY=($(compgen -W "${commands[*]}" -- "$cur"))
	fi
}
# Completion for "runc restore": cgroups modes after --manage-cgroups-mode,
# paths after the path-valued options, option names when the word starts with
# "-", container IDs otherwise.
_runc_restore() {
	local boolean_options="
--help
--tcp-established
--ext-unix-sk
--shell-job
--file-locks
--detach
-d
--no-subreaper
--no-pivot
--auto-dedup
--lazy-pages
"
	local options_with_args="
-b
--bundle
--image-path
--work-path
--manage-cgroups-mode
--pid-file
--empty-ns
"
	local all_options="$options_with_args $boolean_options"
	case "$prev" in
		--manage-cgroups-mode)
			COMPREPLY=($(compgen -W "soft full strict" -- "$cur"))
			return
			;;
		--pid-file | --image-path | --work-path | --bundle | -b)
			if [[ $cur == *:* ]]; then
				: # TODO somehow do _filedir for stuff inside the image, if it's already specified (which is also somewhat difficult to determine)
			elif [[ -z $cur ]]; then
				COMPREPLY=($(compgen -W '/' -- "$cur"))
				__runc_nospace
			elif [[ $cur == /* ]]; then
				_filedir
				__runc_nospace
			fi
			return
			;;
		$(__runc_to_extglob "$options_with_args"))
			return
			;;
	esac
	if [[ $cur == -* ]]; then
		COMPREPLY=($(compgen -W "$all_options" -- "$cur"))
	else
		__runc_list_all
	fi
}
# Completion for "runc resume": options when the word starts with "-",
# container IDs otherwise.
_runc_resume() {
	local boolean_options="
--help
-h
"
	if [[ $cur == -* ]]; then
		COMPREPLY=($(compgen -W "$boolean_options $options_with_args" -- "$cur"))
	else
		__runc_list_all
	fi
}
# Completion for "runc state": options when the word starts with "-",
# container IDs otherwise.
_runc_state() {
	local boolean_options="
--help
-h
"
	if [[ $cur == -* ]]; then
		COMPREPLY=($(compgen -W "$boolean_options $options_with_args" -- "$cur"))
	else
		__runc_list_all
	fi
}
# Completion for "runc start": options when the word starts with "-",
# container IDs otherwise.
_runc_start() {
	local boolean_options="
--help
-h
"
	if [[ $cur == -* ]]; then
		COMPREPLY=($(compgen -W "$boolean_options $options_with_args" -- "$cur"))
	else
		__runc_list_all
	fi
}
# Completion for "runc update". Nothing is offered for the value of a resource
# option; otherwise option names or container IDs are completed.
_runc_update() {
	local boolean_options="
--help
"
	local options_with_args="
--blkio-weight
--cpu-period
--cpu-quota
--cpu-burst
--cpu-rt-period
--cpu-rt-runtime
--cpu-share
--cpuset-cpus
--cpuset-mems
--memory
--memory-reservation
--memory-swap
--pids-limit
--l3-cache-schema
--mem-bw-schema
--cpu-idle
"
	case "$prev" in
		$(__runc_to_extglob "$options_with_args"))
			return
			;;
	esac
	if [[ $cur == -* ]]; then
		COMPREPLY=($(compgen -W "$boolean_options $options_with_args" -- "$cur"))
	else
		__runc_list_all
	fi
}
# Entry point registered with "complete -F". It finds the runc command on the
# line being completed and hands over to the matching _runc_<command>
# function; if no command has been typed yet, _runc_runc is used.
_runc() {
	# extglob is needed by the patterns in the helpers; the caller's setting
	# is put back before returning.
	local previous_extglob_setting=$(shopt -p extglob)
	shopt -s extglob
	local commands=(
		checkpoint
		create
		delete
		events
		exec
		kill
		list
		pause
		ps
		restore
		resume
		run
		spec
		start
		state
		update
		help
		h
	)
	# These options are valid as global options for all client commands
	# and valid as command options for `runc daemon`
	local global_boolean_options="
--help -h
--version -v
"
	COMPREPLY=()
	local cur prev words cword
	_get_comp_words_by_ref -n : cur prev words cword
	local command='runc' command_pos=0 subcommand_pos
	local counter
	# The first word before the cursor that is neither an option nor "=" is
	# taken as the command.
	for ((counter = 1; counter < cword; counter++)); do
		case "${words[$counter]}" in
			-*) ;;
			=)
				((counter++))
				;;
			*)
				command="${words[$counter]}"
				command_pos=$counter
				break
				;;
		esac
	done
	local completions_func=_runc_${command}
	# The name is built from a word on the command line; it is only invoked
	# when a function of that name is already defined.
	if declare -F $completions_func >/dev/null; then
		$completions_func
	fi
	eval "$previous_extglob_setting"
	return 0
}
# Put back the extglob setting saved in __runc_previous_extglob_setting and
# drop the helper variable.
eval "$__runc_previous_extglob_setting"
unset __runc_previous_extglob_setting
# Register _runc as the completion function for the runc command.
complete -F _runc runc
================================================
FILE: create.go
================================================
package main
import (
"fmt"
"os"
"github.com/urfave/cli"
)
// createCommand implements "runc create". The action checks the argument
// count and calls startContainer with CT_ACT_CREATE; on success the process
// exits with the returned status, on failure the error is wrapped and
// returned.
var createCommand = cli.Command{
	Name:  "create",
	Usage: "create a container",
	ArgsUsage: `<container-id>
Where "<container-id>" is your name for the instance of the container that you
are starting. The name you provide for the container instance must be unique on
your host.`,
	Description: `The create command creates an instance of a container for a bundle. The bundle
is a directory with a specification file named "` + specConfig + `" and a root
filesystem.
The specification file includes an args parameter. The args parameter is used
to specify command(s) that get run when the container is started. To change the
command(s) that get executed on start, edit the args parameter of the spec. See
"runc spec --help" for more explanation.`,
	Flags: []cli.Flag{
		cli.StringFlag{
			Name:  "bundle, b",
			Value: "",
			Usage: `path to the root of the bundle directory, defaults to the current directory`,
		},
		cli.StringFlag{
			Name:  "console-socket",
			Value: "",
			Usage: "path to an AF_UNIX socket which will receive a file descriptor referencing the master end of the console's pseudoterminal",
		},
		cli.StringFlag{
			Name:  "pidfd-socket",
			Usage: "path to an AF_UNIX socket which will receive a file descriptor referencing the init process",
		},
		cli.StringFlag{
			Name:  "pid-file",
			Value: "",
			Usage: "specify the file to write the process id to",
		},
		// The next two flags each switch off an isolation step, as their
		// usage texts state: pivot_root jailing and a fresh session keyring.
		cli.BoolFlag{
			Name:  "no-pivot",
			Usage: "do not use pivot root to jail process inside rootfs. This should be used whenever the rootfs is on top of a ramdisk",
		},
		cli.BoolFlag{
			Name:  "no-new-keyring",
			Usage: "do not create a new session keyring for the container. This will cause the container to inherit the calling processes session key",
		},
		cli.IntFlag{
			Name:  "preserve-fds",
			Usage: "Pass N additional file descriptors to the container (stdio + $LISTEN_FDS + N in total)",
		},
	},
	Action: func(context *cli.Context) error {
		if err := checkArgs(context, 1, exactArgs); err != nil {
			return err
		}
		status, err := startContainer(context, CT_ACT_CREATE, nil)
		if err != nil {
			return fmt.Errorf("runc create failed: %w", err)
		}
		// exit with the container's exit status so any external supervisor
		// is notified of the exit with the correct exit status.
		os.Exit(status)
		return nil // not reached: os.Exit does not return
	},
}
================================================
FILE: delete.go
================================================
package main
import (
"errors"
"fmt"
"os"
"path/filepath"
"time"
"github.com/opencontainers/runc/libcontainer"
"github.com/urfave/cli"
"golang.org/x/sys/unix"
)
// killContainer sends SIGKILL to the container and then probes it with the
// null signal every 100ms, at most 100 times. As soon as a probe fails the
// container is destroyed and the result of Destroy is returned; if every
// probe succeeds an error is returned instead.
func killContainer(container *libcontainer.Container) error {
	const (
		attempts = 100
		interval = 100 * time.Millisecond
	)

	// The result of the SIGKILL itself is deliberately ignored; the probes
	// below decide the outcome.
	_ = container.Signal(unix.SIGKILL)

	for i := 0; i < attempts; i++ {
		time.Sleep(interval)
		// NOTE(review): any probe error, whatever its cause, is treated as
		// "init is gone" - confirm that is intended.
		if probeErr := container.Signal(unix.Signal(0)); probeErr != nil {
			return container.Destroy()
		}
	}
	return errors.New("container init still running")
}
// deleteCommand implements "runc delete". A stopped container is destroyed, a
// created one is killed first, and with --force the container is killed and
// destroyed whatever its state. Any other state is an error.
var deleteCommand = cli.Command{
	Name:  "delete",
	Usage: "delete any resources held by the container often used with detached container",
	ArgsUsage: `<container-id>
Where "<container-id>" is the name for the instance of the container.
EXAMPLE:
For example, if the container id is "ubuntu01" and runc list currently shows the
status of "ubuntu01" as "stopped" the following will delete resources held for
"ubuntu01" removing "ubuntu01" from the runc list of containers:
# runc delete ubuntu01`,
	Flags: []cli.Flag{
		cli.BoolFlag{
			Name:  "force, f",
			Usage: "Forcibly deletes the container if it is still running (uses SIGKILL)",
		},
	},
	Action: func(context *cli.Context) error {
		if err := checkArgs(context, 1, exactArgs); err != nil {
			return err
		}

		var (
			id    = context.Args().First()
			force = context.Bool("force")
		)

		container, err := getContainer(context)
		if err != nil {
			if !errors.Is(err, libcontainer.ErrNotExist) {
				return err
			}
			// if there was an aborted start or something of the sort then the container's directory could exist but
			// libcontainer does not see it because the state.json file inside that directory was never created.
			//
			// NOTE(review): id comes straight from the command line and is
			// joined onto the state root before RemoveAll. This presumably
			// relies on getContainer rejecting ids with path separators or
			// ".." with an error other than ErrNotExist - confirm.
			stateDir := filepath.Join(context.GlobalString("root"), id)
			if rmErr := os.RemoveAll(stateDir); rmErr != nil {
				fmt.Fprintf(os.Stderr, "remove %s: %v\n", stateDir, rmErr)
			}
			if force {
				return nil
			}
			return err
		}

		// When --force is given, we kill all container processes and
		// then destroy the container. This is done even for a stopped
		// container, because (in case it does not have its own PID
		// namespace) there may be some leftover processes in the
		// container's cgroup.
		if force {
			return killContainer(container)
		}

		s, err := container.Status()
		if err != nil {
			return err
		}
		if s == libcontainer.Stopped {
			return container.Destroy()
		}
		if s == libcontainer.Created {
			return killContainer(container)
		}
		return fmt.Errorf("cannot delete container %s that is not stopped: %s", id, s)
	},
}
================================================
FILE: docs/cgroup-v2.md
================================================
# cgroup v2
runc fully supports cgroup v2 (unified mode) since v1.0.0-rc93.
To use cgroup v2, you might need to change the configuration of the host init system.
The following distributions are known to use cgroup v2 by default:
<!-- the list should be kept in sync with https://github.com/rootless-containers/rootlesscontaine.rs/blob/master/content/getting-started/common/cgroup2.md -->
- Fedora (since 31)
- Arch Linux (since April 2021)
- openSUSE Tumbleweed (since c. 2021)
- Debian GNU/Linux (since 11)
- Ubuntu (since 21.10)
- RHEL and RHEL-like distributions (since 9)
On other systemd-based distros, cgroup v2 can be enabled by adding `systemd.unified_cgroup_hierarchy=1` to the kernel cmdline.
## Am I using cgroup v2?
Yes if `/sys/fs/cgroup/cgroup.controllers` is present.
## Host Requirements
### Kernel
* Recommended version: 5.2 or later
* Minimum version: 4.15
Kernels older than 5.2 are not recommended because they lack the freezer.
Notably, kernels older than 4.15 MUST NOT be used (unless you are running containers with user namespaces), as they lack support for controlling device permissions.
### Systemd
On cgroup v2 hosts, it is highly recommended to run runc with the systemd cgroup driver (`runc --systemd-cgroup`), though not mandatory.
The recommended systemd version is 244 or later. Older systemd does not support delegation of `cpuset` controller.
Make sure you also have the `dbus-user-session` (Debian/Ubuntu) or `dbus-daemon` (CentOS/Fedora) package installed, and that `dbus` is running. On Debian-flavored distros, this can be accomplished like so:
```bash
sudo apt install -y dbus-user-session
systemctl --user start dbus
```
## Rootless
On cgroup v2 hosts, rootless runc can talk to systemd to get cgroup permissions to be delegated.
```bash
runc spec --rootless
jq '.linux.cgroupsPath="user.slice:runc:foo"' config.json | sponge config.json
runc --systemd-cgroup run foo
```
The container processes are executed in a cgroup like `/user.slice/user-$(id -u).slice/user@$(id -u).service/user.slice/runc-foo.scope`.
### Configuring delegation
Typically, only `memory` and `pids` controllers are delegated to non-root users by default.
```console
$ cat /sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.controllers
memory pids
```
To allow delegation of other controllers, you need to change the systemd configuration as follows:
```bash
sudo mkdir -p /etc/systemd/system/user@.service.d
cat <<EOF | sudo tee /etc/systemd/system/user@.service.d/delegate.conf
[Service]
Delegate=cpu cpuset io memory pids
EOF
sudo systemctl daemon-reload
```
================================================
FILE: docs/checkpoint-restore.md
================================================
# Checkpoint and Restore #
For a basic description about checkpointing and restoring containers with
`runc` please see [runc-checkpoint(8)](../man/runc-checkpoint.8.md) and
[runc-restore(8)](../man/runc-restore.8.md).
## Checkpoint/Restore Annotations ##
In addition to specifying options on the command line as described
in the man pages (see above), it is also possible to influence CRIU's
behaviour using CRIU configuration files. For details about CRIU's
configuration file support please see [CRIU's wiki](https://criu.org/Configuration_files).
In addition to CRIU's default configuration files `runc` tells CRIU to
also evaluate the file `/etc/criu/runc.conf`. Using the annotation
`org.criu.config` it is, however, possible to change this additional
CRIU configuration file.
If the annotation `org.criu.config` is set to an empty string `runc`
will not pass any additional configuration file to CRIU. With an empty
string it is therefore possible to disable the additional CRIU configuration
file. This can be used to make sure that no additional configuration file
changes CRIU's behaviour accidentally.
If the annotation `org.criu.config` is set to a non-empty string `runc` will
pass that string to CRIU to be evaluated as an additional configuration file.
If CRIU cannot open this additional configuration file, it will ignore this
file and continue.
### Annotation Example to disable additional CRIU configuration file ###
```
{
"ociVersion": "1.0.0",
"annotations": {
"org.criu.config": ""
},
"process": {
```
### Annotation Example to set a specific CRIU configuration file ###
```
{
"ociVersion": "1.0.0",
"annotations": {
"org.criu.config": "/etc/special-runc-criu-options"
},
"process": {
```
================================================
FILE: docs/deprecated.md
================================================
# Deprecated features
The following features are deprecated:
Feature | Deprecation release | Removal release
---------------------------------------- | -------------------- | ------------------
cgroup v1 | v1.4.0 | (May 2029)
<!-- TBD: features that were already deprecated and removed -->
- The latest release in May 2029 may not necessarily support cgroup v1, but there will be at least one maintained branch with the support for cgroup v1.
================================================
FILE: docs/experimental.md
================================================
# Experimental features
The following features were experimental in the past:
Feature | Experimental release | Graduation release
---------------------------------------- | -------------------- | ------------------
cgroup v2 | v1.0.0-rc91 | v1.0.0-rc93
The `runc features` command | v1.1.0 | v1.2.0
runc-dmz | v1.2.0-rc1 | Dropped in v1.2.1
================================================
FILE: docs/spec-conformance.md
================================================
# Spec conformance
This branch of runc implements the [OCI Runtime Spec v1.3.0](https://github.com/opencontainers/runtime-spec/tree/v1.3.0)
for the `linux` platform.
## Architectures
The following architectures are supported:
runc binary | seccomp
-------------|-------------------------------------------------------
`amd64` | `SCMP_ARCH_X86`, `SCMP_ARCH_X86_64`, `SCMP_ARCH_X32`
`arm64` | `SCMP_ARCH_ARM`, `SCMP_ARCH_AARCH64`
`armel` | `SCMP_ARCH_ARM`
`armhf` | `SCMP_ARCH_ARM`
`ppc64le` | `SCMP_ARCH_PPC64LE`
`riscv64` | `SCMP_ARCH_RISCV64`
`s390x` | `SCMP_ARCH_S390`, `SCMP_ARCH_S390X`
`loong64` | `SCMP_ARCH_LOONGARCH64`
The runc binary might be compilable for i386, big-endian PPC64,
and several MIPS variants too, but these architectures are not officially supported.
================================================
FILE: docs/systemd.md
================================================
## systemd cgroup driver
By default, runc creates cgroups and sets cgroup limits on its own (this mode
is known as fs cgroup driver). When `--systemd-cgroup` global option is given
(as in e.g. `runc --systemd-cgroup run ...`), runc switches to systemd cgroup
driver. This document describes its features and peculiarities.
### systemd unit name and placement
When creating a container, runc requests systemd (over dbus) to create
a transient unit for the container, and place it into a specified slice.
The name of the unit and the containing slice is derived from the container
runtime spec in the following way:
1. If `Linux.CgroupsPath` is set, it is expected to be in the form
`[slice]:[prefix]:[name]`.
Here `slice` is a systemd slice under which the container is placed.
I
gitextract_htlb8dez/
├── .cirrus.yml
├── .clang-format
├── .codespellrc
├── .editorconfig
├── .github/
│ ├── ISSUE_TEMPLATE/
│ │ ├── bug_report.yaml
│ │ └── config.yml
│ ├── dependabot.yml
│ └── workflows/
│ ├── scheduled.yml
│ ├── test.yml
│ └── validate.yml
├── .gitignore
├── .golangci-extra.yml
├── .golangci.yml
├── CHANGELOG.md
├── CONTRIBUTING.md
├── Dockerfile
├── EMERITUS.md
├── LICENSE
├── MAINTAINERS
├── MAINTAINERS_GUIDE.md
├── Makefile
├── NOTICE
├── PRINCIPLES.md
├── README.md
├── RELEASES.md
├── SECURITY.md
├── VERSION
├── checkpoint.go
├── contrib/
│ └── completions/
│ └── bash/
│ └── runc
├── create.go
├── delete.go
├── docs/
│ ├── cgroup-v2.md
│ ├── checkpoint-restore.md
│ ├── deprecated.md
│ ├── experimental.md
│ ├── spec-conformance.md
│ ├── systemd.md
│ └── terminals.md
├── events.go
├── exec.go
├── features.go
├── go.mod
├── go.sum
├── init.go
├── internal/
│ ├── linux/
│ │ ├── doc.go
│ │ ├── eintr.go
│ │ └── linux.go
│ ├── pathrs/
│ │ ├── doc.go
│ │ ├── mkdirall.go
│ │ ├── mkdirall_pathrslite.go
│ │ ├── path.go
│ │ ├── path_test.go
│ │ ├── procfs_pathrslite.go
│ │ ├── retry.go
│ │ └── root_pathrslite.go
│ ├── sys/
│ │ ├── doc.go
│ │ ├── opath_linux.go
│ │ ├── sysctl_linux.go
│ │ └── verify_inode_unix.go
│ └── third_party/
│ └── systemd/
│ └── activation/
│ └── files_unix.go
├── kill.go
├── libcontainer/
│ ├── README.md
│ ├── SPEC.md
│ ├── apparmor/
│ │ ├── apparmor.go
│ │ ├── apparmor_linux.go
│ │ └── apparmor_unsupported.go
│ ├── capabilities/
│ │ ├── capabilities.go
│ │ ├── capabilities_linux_test.go
│ │ └── capabilities_unsupported.go
│ ├── cmd_clone.go
│ ├── configs/
│ │ ├── config.go
│ │ ├── config_linux.go
│ │ ├── config_linux_test.go
│ │ ├── config_test.go
│ │ ├── configs_fuzzer.go
│ │ ├── doc.go
│ │ ├── intelrdt.go
│ │ ├── memorypolicy.go
│ │ ├── mount.go
│ │ ├── mount_linux.go
│ │ ├── mount_unsupported.go
│ │ ├── namespaces.go
│ │ ├── namespaces_linux.go
│ │ ├── namespaces_syscall.go
│ │ ├── namespaces_syscall_unsupported.go
│ │ ├── namespaces_unsupported.go
│ │ ├── netdevices.go
│ │ ├── network.go
│ │ ├── tocpuset_test.go
│ │ └── validate/
│ │ ├── doc.go
│ │ ├── intelrdt.go
│ │ ├── intelrdt_test.go
│ │ ├── rootless.go
│ │ ├── rootless_test.go
│ │ ├── validator.go
│ │ └── validator_test.go
│ ├── console_linux.go
│ ├── container.go
│ ├── container_linux.go
│ ├── container_linux_test.go
│ ├── criu_disabled_linux.go
│ ├── criu_linux.go
│ ├── criu_opts_linux.go
│ ├── devices/
│ │ ├── device_unix.go
│ │ ├── device_unix_test.go
│ │ └── doc.go
│ ├── env.go
│ ├── env_test.go
│ ├── error.go
│ ├── example_test.go
│ ├── exeseal/
│ │ ├── cloned_binary_linux.go
│ │ ├── doc.go
│ │ └── overlayfs_linux.go
│ ├── factory_linux.go
│ ├── factory_linux_test.go
│ ├── init_linux.go
│ ├── integration/
│ │ ├── bench_test.go
│ │ ├── checkpoint_test.go
│ │ ├── doc.go
│ │ ├── exec_test.go
│ │ ├── execin_test.go
│ │ ├── init_test.go
│ │ ├── seccomp_test.go
│ │ ├── template_test.go
│ │ ├── update_test.go
│ │ └── utils_test.go
│ ├── intelrdt/
│ │ ├── cmt.go
│ │ ├── cmt_test.go
│ │ ├── intelrdt.go
│ │ ├── intelrdt_test.go
│ │ ├── mbm.go
│ │ ├── mbm_test.go
│ │ ├── monitoring.go
│ │ ├── monitoring_test.go
│ │ ├── stats.go
│ │ └── util_test.go
│ ├── internal/
│ │ └── userns/
│ │ ├── doc.go
│ │ ├── userns_maps_linux.c
│ │ ├── userns_maps_linux.go
│ │ ├── usernsfd_linux.go
│ │ └── usernsfd_linux_test.go
│ ├── keys/
│ │ └── keyctl.go
│ ├── logs/
│ │ ├── logs.go
│ │ └── logs_linux_test.go
│ ├── message_linux.go
│ ├── mount_linux.go
│ ├── mount_linux_test.go
│ ├── network_linux.go
│ ├── notify_linux.go
│ ├── notify_linux_test.go
│ ├── notify_v2_linux.go
│ ├── nsenter/
│ │ ├── README.md
│ │ ├── escape.c
│ │ ├── getenv.c
│ │ ├── getenv.h
│ │ ├── log.c
│ │ ├── log.h
│ │ ├── namespace.h
│ │ ├── nsenter.go
│ │ ├── nsenter_gccgo.go
│ │ ├── nsenter_test.go
│ │ ├── nsexec.c
│ │ └── test/
│ │ ├── escape.go
│ │ └── escape_test.go
│ ├── process.go
│ ├── process_linux.go
│ ├── restored_process.go
│ ├── rootfs_linux.go
│ ├── rootfs_linux_test.go
│ ├── seccomp/
│ │ ├── config.go
│ │ ├── doc.go
│ │ ├── patchbpf/
│ │ │ ├── doc.go
│ │ │ ├── enosys_linux.go
│ │ │ ├── enosys_linux_test.go
│ │ │ └── enosys_unsupported.go
│ │ ├── seccomp_linux.go
│ │ └── seccomp_unsupported.go
│ ├── setns_init_linux.go
│ ├── specconv/
│ │ ├── example.go
│ │ ├── spec_linux.go
│ │ └── spec_linux_test.go
│ ├── standard_init_linux.go
│ ├── state_linux.go
│ ├── state_linux_test.go
│ ├── stats_linux.go
│ ├── sync.go
│ ├── sync_unix.go
│ ├── system/
│ │ ├── doc.go
│ │ ├── kernelversion/
│ │ │ ├── kernel_linux.go
│ │ │ └── kernel_linux_test.go
│ │ ├── linux.go
│ │ ├── proc.go
│ │ ├── proc_test.go
│ │ └── rlimit_linux.go
│ └── utils/
│ ├── cmsg.go
│ ├── utils.go
│ ├── utils_test.go
│ └── utils_unix.go
├── list.go
├── main.go
├── man/
│ ├── README.md
│ ├── md2man-all.sh
│ ├── runc-checkpoint.8.md
│ ├── runc-create.8.md
│ ├── runc-delete.8.md
│ ├── runc-events.8.md
│ ├── runc-exec.8.md
│ ├── runc-kill.8.md
│ ├── runc-list.8.md
│ ├── runc-pause.8.md
│ ├── runc-ps.8.md
│ ├── runc-restore.8.md
│ ├── runc-resume.8.md
│ ├── runc-run.8.md
│ ├── runc-spec.8.md
│ ├── runc-start.8.md
│ ├── runc-state.8.md
│ ├── runc-update.8.md
│ └── runc.8.md
├── notify_socket.go
├── notify_socket_test.go
├── pause.go
├── ps.go
├── restore.go
├── rlimit_linux.go
├── rootless_linux.go
├── run.go
├── runc.keyring
├── script/
│ ├── build-libpathrs.sh
│ ├── build-seccomp.sh
│ ├── check-config.sh
│ ├── keyring_addkey.sh
│ ├── keyring_validate.sh
│ ├── lib.sh
│ ├── prepare-cgroup-v2.sh
│ ├── release_build.sh
│ ├── release_sign.sh
│ ├── setup_host_fedora.sh
│ └── setup_rootless.sh
├── signals.go
├── spec.go
├── start.go
├── state.go
├── tests/
│ ├── cmd/
│ │ ├── README.md
│ │ ├── fs-idmap/
│ │ │ └── fs-idmap.go
│ │ ├── key_label/
│ │ │ └── key_label.go
│ │ ├── pidfd-kill/
│ │ │ └── pidfd-kill.go
│ │ ├── recvtty/
│ │ │ └── recvtty.go
│ │ ├── remap-rootfs/
│ │ │ └── remap-rootfs.go
│ │ ├── sd-helper/
│ │ │ └── helper.go
│ │ └── seccompagent/
│ │ ├── README.md
│ │ ├── gen-seccomp-example-cfg.sh
│ │ ├── seccompagent.go
│ │ └── unsupported.go
│ ├── fuzzing/
│ │ └── oss_fuzz_build.sh
│ ├── integration/
│ │ ├── README.md
│ │ ├── bootstrap-get-images.sh
│ │ ├── capabilities.bats
│ │ ├── cgroup_delegation.bats
│ │ ├── cgroups.bats
│ │ ├── checkpoint.bats
│ │ ├── cpu_affinity.bats
│ │ ├── create.bats
│ │ ├── cwd.bats
│ │ ├── debug.bats
│ │ ├── delete.bats
│ │ ├── dev.bats
│ │ ├── env.bats
│ │ ├── events.bats
│ │ ├── exec.bats
│ │ ├── get-images.sh
│ │ ├── help.bats
│ │ ├── helpers.bash
│ │ ├── hooks.bats
│ │ ├── hooks_so.bats
│ │ ├── host-mntns.bats
│ │ ├── idmap.bats
│ │ ├── ioprio.bats
│ │ ├── kill.bats
│ │ ├── list.bats
│ │ ├── mask.bats
│ │ ├── memorypolicy.bats
│ │ ├── mounts.bats
│ │ ├── mounts_propagation.bats
│ │ ├── mounts_recursive.bats
│ │ ├── mounts_sshfs.bats
│ │ ├── netdev.bats
│ │ ├── no_pivot.bats
│ │ ├── pause.bats
│ │ ├── personality.bats
│ │ ├── pidfd-socket.bats
│ │ ├── ps.bats
│ │ ├── rlimits.bats
│ │ ├── root.bats
│ │ ├── run.bats
│ │ ├── scheduler.bats
│ │ ├── seccomp-notify-compat.bats
│ │ ├── seccomp-notify.bats
│ │ ├── seccomp.bats
│ │ ├── selinux.bats
│ │ ├── spec.bats
│ │ ├── start.bats
│ │ ├── start_detached.bats
│ │ ├── start_hello.bats
│ │ ├── state.bats
│ │ ├── testdata/
│ │ │ ├── .gitignore
│ │ │ ├── dev_access_test.c
│ │ │ ├── seccomp_syscall_test1.c
│ │ │ ├── seccomp_syscall_test1.json
│ │ │ ├── seccomp_syscall_test2.c
│ │ │ └── seccomp_syscall_test2.json
│ │ ├── timens.bats
│ │ ├── tty.bats
│ │ ├── umask.bats
│ │ ├── update.bats
│ │ ├── userns.bats
│ │ └── version.bats
│ └── rootless.sh
├── tty.go
├── types/
│ ├── events.go
│ └── features/
│ └── features.go
├── update.go
├── utils.go
├── utils_linux.go
└── vendor/
├── cyphar.com/
│ └── go-pathrs/
│ ├── .golangci.yml
│ ├── COPYING
│ ├── doc.go
│ ├── handle_linux.go
│ ├── internal/
│ │ ├── fdutils/
│ │ │ └── fd_linux.go
│ │ └── libpathrs/
│ │ ├── error_unix.go
│ │ └── libpathrs_linux.go
│ ├── procfs/
│ │ └── procfs_linux.go
│ ├── root_linux.go
│ └── utils_linux.go
├── github.com/
│ ├── checkpoint-restore/
│ │ └── go-criu/
│ │ └── v7/
│ │ ├── .gitignore
│ │ ├── .golangci.yml
│ │ ├── LICENSE
│ │ ├── MAINTAINERS
│ │ ├── Makefile
│ │ ├── README.md
│ │ ├── codecov.yml
│ │ ├── features.go
│ │ ├── main.go
│ │ ├── notify.go
│ │ └── rpc/
│ │ ├── rpc.pb.go
│ │ └── rpc.proto
│ ├── cilium/
│ │ └── ebpf/
│ │ ├── .clang-format
│ │ ├── .gitattributes
│ │ ├── .gitignore
│ │ ├── .golangci.yaml
│ │ ├── .vimto.toml
│ │ ├── CODEOWNERS
│ │ ├── CODE_OF_CONDUCT.md
│ │ ├── CONTRIBUTING.md
│ │ ├── LICENSE
│ │ ├── MAINTAINERS.md
│ │ ├── Makefile
│ │ ├── README.md
│ │ ├── asm/
│ │ │ ├── alu.go
│ │ │ ├── alu_string.go
│ │ │ ├── doc.go
│ │ │ ├── func.go
│ │ │ ├── func_string.go
│ │ │ ├── instruction.go
│ │ │ ├── jump.go
│ │ │ ├── jump_string.go
│ │ │ ├── load_store.go
│ │ │ ├── load_store_string.go
│ │ │ ├── metadata.go
│ │ │ ├── opcode.go
│ │ │ ├── opcode_string.go
│ │ │ └── register.go
│ │ ├── attachtype_string.go
│ │ ├── btf/
│ │ │ ├── btf.go
│ │ │ ├── btf_types.go
│ │ │ ├── btf_types_string.go
│ │ │ ├── core.go
│ │ │ ├── doc.go
│ │ │ ├── ext_info.go
│ │ │ ├── feature.go
│ │ │ ├── format.go
│ │ │ ├── handle.go
│ │ │ ├── kernel.go
│ │ │ ├── marshal.go
│ │ │ ├── strings.go
│ │ │ ├── traversal.go
│ │ │ ├── types.go
│ │ │ └── workarounds.go
│ │ ├── collection.go
│ │ ├── cpu.go
│ │ ├── doc.go
│ │ ├── elf_reader.go
│ │ ├── elf_sections.go
│ │ ├── info.go
│ │ ├── internal/
│ │ │ ├── buffer.go
│ │ │ ├── deque.go
│ │ │ ├── elf.go
│ │ │ ├── endian_be.go
│ │ │ ├── endian_le.go
│ │ │ ├── errors.go
│ │ │ ├── feature.go
│ │ │ ├── goos.go
│ │ │ ├── io.go
│ │ │ ├── kallsyms/
│ │ │ │ ├── cache.go
│ │ │ │ ├── kallsyms.go
│ │ │ │ └── reader.go
│ │ │ ├── kconfig/
│ │ │ │ └── kconfig.go
│ │ │ ├── linux/
│ │ │ │ ├── auxv.go
│ │ │ │ ├── doc.go
│ │ │ │ ├── kconfig.go
│ │ │ │ ├── platform.go
│ │ │ │ ├── statfs.go
│ │ │ │ ├── vdso.go
│ │ │ │ └── version.go
│ │ │ ├── math.go
│ │ │ ├── output.go
│ │ │ ├── prog.go
│ │ │ ├── sys/
│ │ │ │ ├── doc.go
│ │ │ │ ├── fd.go
│ │ │ │ ├── pinning.go
│ │ │ │ ├── ptr.go
│ │ │ │ ├── ptr_32_be.go
│ │ │ │ ├── ptr_32_le.go
│ │ │ │ ├── ptr_64.go
│ │ │ │ ├── signals.go
│ │ │ │ ├── syscall.go
│ │ │ │ └── types.go
│ │ │ ├── sysenc/
│ │ │ │ ├── buffer.go
│ │ │ │ ├── doc.go
│ │ │ │ ├── layout.go
│ │ │ │ └── marshal.go
│ │ │ ├── testutils/
│ │ │ │ └── fdtrace/
│ │ │ │ ├── fd_trace.go
│ │ │ │ └── main.go
│ │ │ ├── tracefs/
│ │ │ │ ├── kprobe.go
│ │ │ │ ├── probetype_string.go
│ │ │ │ └── uprobe.go
│ │ │ ├── unix/
│ │ │ │ ├── doc.go
│ │ │ │ ├── errno_linux.go
│ │ │ │ ├── errno_other.go
│ │ │ │ ├── errno_string_windows.go
│ │ │ │ ├── errno_windows.go
│ │ │ │ ├── error.go
│ │ │ │ ├── strings_other.go
│ │ │ │ ├── strings_windows.go
│ │ │ │ ├── types_linux.go
│ │ │ │ └── types_other.go
│ │ │ └── version.go
│ │ ├── link/
│ │ │ ├── anchor.go
│ │ │ ├── cgroup.go
│ │ │ ├── doc.go
│ │ │ ├── iter.go
│ │ │ ├── kprobe.go
│ │ │ ├── kprobe_multi.go
│ │ │ ├── link.go
│ │ │ ├── netfilter.go
│ │ │ ├── netkit.go
│ │ │ ├── netns.go
│ │ │ ├── perf_event.go
│ │ │ ├── program.go
│ │ │ ├── query.go
│ │ │ ├── raw_tracepoint.go
│ │ │ ├── socket_filter.go
│ │ │ ├── syscalls.go
│ │ │ ├── tcx.go
│ │ │ ├── tracepoint.go
│ │ │ ├── tracing.go
│ │ │ ├── uprobe.go
│ │ │ ├── uprobe_multi.go
│ │ │ └── xdp.go
│ │ ├── linker.go
│ │ ├── map.go
│ │ ├── marshalers.go
│ │ ├── memory.go
│ │ ├── netlify.toml
│ │ ├── prog.go
│ │ ├── syscalls.go
│ │ ├── types.go
│ │ ├── types_string.go
│ │ └── variable.go
│ ├── containerd/
│ │ └── console/
│ │ ├── .golangci.yml
│ │ ├── LICENSE
│ │ ├── README.md
│ │ ├── console.go
│ │ ├── console_linux.go
│ │ ├── console_other.go
│ │ ├── console_unix.go
│ │ ├── console_windows.go
│ │ ├── pty_freebsd_cgo.go
│ │ ├── pty_freebsd_nocgo.go
│ │ ├── pty_unix.go
│ │ ├── pty_zos.go
│ │ ├── tc_darwin.go
│ │ ├── tc_freebsd_cgo.go
│ │ ├── tc_freebsd_nocgo.go
│ │ ├── tc_linux.go
│ │ ├── tc_netbsd.go
│ │ ├── tc_openbsd_cgo.go
│ │ ├── tc_openbsd_nocgo.go
│ │ ├── tc_unix.go
│ │ └── tc_zos.go
│ ├── coreos/
│ │ └── go-systemd/
│ │ └── v22/
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ └── dbus/
│ │ ├── dbus.go
│ │ ├── methods.go
│ │ ├── properties.go
│ │ ├── set.go
│ │ ├── subscription.go
│ │ └── subscription_set.go
│ ├── cpuguy83/
│ │ └── go-md2man/
│ │ └── v2/
│ │ ├── LICENSE.md
│ │ └── md2man/
│ │ ├── debug.go
│ │ ├── md2man.go
│ │ └── roff.go
│ ├── cyphar/
│ │ └── filepath-securejoin/
│ │ ├── .golangci.yml
│ │ ├── CHANGELOG.md
│ │ ├── COPYING.md
│ │ ├── LICENSE.BSD
│ │ ├── LICENSE.MPL-2.0
│ │ ├── README.md
│ │ ├── VERSION
│ │ ├── codecov.yml
│ │ ├── doc.go
│ │ ├── internal/
│ │ │ └── consts/
│ │ │ └── consts.go
│ │ ├── join.go
│ │ ├── pathrs-lite/
│ │ │ ├── README.md
│ │ │ ├── doc.go
│ │ │ ├── internal/
│ │ │ │ ├── assert/
│ │ │ │ │ └── assert.go
│ │ │ │ ├── errors_linux.go
│ │ │ │ ├── fd/
│ │ │ │ │ ├── at_linux.go
│ │ │ │ │ ├── fd.go
│ │ │ │ │ ├── fd_linux.go
│ │ │ │ │ ├── mount_linux.go
│ │ │ │ │ └── openat2_linux.go
│ │ │ │ ├── gocompat/
│ │ │ │ │ ├── README.md
│ │ │ │ │ ├── doc.go
│ │ │ │ │ ├── gocompat_atomic_go119.go
│ │ │ │ │ ├── gocompat_atomic_unsupported.go
│ │ │ │ │ ├── gocompat_errors_go120.go
│ │ │ │ │ ├── gocompat_errors_unsupported.go
│ │ │ │ │ ├── gocompat_generics_go121.go
│ │ │ │ │ └── gocompat_generics_unsupported.go
│ │ │ │ ├── gopathrs/
│ │ │ │ │ ├── doc.go
│ │ │ │ │ ├── lookup_linux.go
│ │ │ │ │ ├── mkdir_linux.go
│ │ │ │ │ ├── open_linux.go
│ │ │ │ │ └── openat2_linux.go
│ │ │ │ ├── kernelversion/
│ │ │ │ │ └── kernel_linux.go
│ │ │ │ ├── linux/
│ │ │ │ │ ├── doc.go
│ │ │ │ │ ├── mount_linux.go
│ │ │ │ │ └── openat2_linux.go
│ │ │ │ └── procfs/
│ │ │ │ ├── procfs_linux.go
│ │ │ │ └── procfs_lookup_linux.go
│ │ │ ├── mkdir.go
│ │ │ ├── mkdir_libpathrs.go
│ │ │ ├── mkdir_purego.go
│ │ │ ├── open.go
│ │ │ ├── open_libpathrs.go
│ │ │ ├── open_purego.go
│ │ │ └── procfs/
│ │ │ ├── procfs_libpathrs.go
│ │ │ └── procfs_purego.go
│ │ └── vfs.go
│ ├── docker/
│ │ └── go-units/
│ │ ├── CONTRIBUTING.md
│ │ ├── LICENSE
│ │ ├── MAINTAINERS
│ │ ├── README.md
│ │ ├── circle.yml
│ │ ├── duration.go
│ │ ├── size.go
│ │ └── ulimit.go
│ ├── godbus/
│ │ └── dbus/
│ │ └── v5/
│ │ ├── .cirrus.yml
│ │ ├── .golangci.yml
│ │ ├── CONTRIBUTING.md
│ │ ├── LICENSE
│ │ ├── MAINTAINERS
│ │ ├── README.md
│ │ ├── SECURITY.md
│ │ ├── auth.go
│ │ ├── auth_anonymous.go
│ │ ├── auth_default_other.go
│ │ ├── auth_default_windows.go
│ │ ├── auth_external.go
│ │ ├── auth_sha1_windows.go
│ │ ├── call.go
│ │ ├── conn.go
│ │ ├── conn_darwin.go
│ │ ├── conn_other.go
│ │ ├── conn_unix.go
│ │ ├── conn_windows.go
│ │ ├── dbus.go
│ │ ├── decoder.go
│ │ ├── default_handler.go
│ │ ├── doc.go
│ │ ├── encoder.go
│ │ ├── escape.go
│ │ ├── export.go
│ │ ├── match.go
│ │ ├── message.go
│ │ ├── object.go
│ │ ├── sequence.go
│ │ ├── sequential_handler.go
│ │ ├── server_interfaces.go
│ │ ├── sig.go
│ │ ├── transport_darwin.go
│ │ ├── transport_generic.go
│ │ ├── transport_nonce_tcp.go
│ │ ├── transport_tcp.go
│ │ ├── transport_unix.go
│ │ ├── transport_unixcred_dragonfly.go
│ │ ├── transport_unixcred_freebsd.go
│ │ ├── transport_unixcred_linux.go
│ │ ├── transport_unixcred_netbsd.go
│ │ ├── transport_unixcred_openbsd.go
│ │ ├── transport_zos.go
│ │ ├── variant.go
│ │ ├── variant_lexer.go
│ │ └── variant_parser.go
│ ├── moby/
│ │ └── sys/
│ │ ├── capability/
│ │ │ ├── CHANGELOG.md
│ │ │ ├── LICENSE
│ │ │ ├── README.md
│ │ │ ├── capability.go
│ │ │ ├── capability_linux.go
│ │ │ ├── capability_noop.go
│ │ │ ├── enum.go
│ │ │ ├── enum_gen.go
│ │ │ └── syscall_linux.go
│ │ ├── mountinfo/
│ │ │ ├── LICENSE
│ │ │ ├── doc.go
│ │ │ ├── mounted_linux.go
│ │ │ ├── mounted_unix.go
│ │ │ ├── mountinfo.go
│ │ │ ├── mountinfo_bsd.go
│ │ │ ├── mountinfo_filters.go
│ │ │ ├── mountinfo_freebsdlike.go
│ │ │ ├── mountinfo_linux.go
│ │ │ ├── mountinfo_openbsd.go
│ │ │ ├── mountinfo_unsupported.go
│ │ │ └── mountinfo_windows.go
│ │ ├── user/
│ │ │ ├── LICENSE
│ │ │ ├── idtools.go
│ │ │ ├── idtools_unix.go
│ │ │ ├── idtools_windows.go
│ │ │ ├── lookup_unix.go
│ │ │ ├── user.go
│ │ │ └── user_fuzzer.go
│ │ └── userns/
│ │ ├── LICENSE
│ │ ├── userns.go
│ │ ├── userns_linux.go
│ │ ├── userns_linux_fuzzer.go
│ │ └── userns_unsupported.go
│ ├── mrunalp/
│ │ └── fileutils/
│ │ ├── .gitignore
│ │ ├── LICENSE
│ │ ├── MAINTAINERS
│ │ ├── README.md
│ │ ├── fileutils.go
│ │ └── idtools.go
│ ├── opencontainers/
│ │ ├── cgroups/
│ │ │ ├── .golangci-extra.yml
│ │ │ ├── .golangci.yml
│ │ │ ├── CODEOWNERS
│ │ │ ├── CONTRIBUTING.md
│ │ │ ├── GOVERNANCE.md
│ │ │ ├── LICENSE
│ │ │ ├── MAINTAINERS
│ │ │ ├── MAINTAINERS_GUIDE.md
│ │ │ ├── README.md
│ │ │ ├── RELEASES.md
│ │ │ ├── cgroups.go
│ │ │ ├── config_blkio_device.go
│ │ │ ├── config_hugepages.go
│ │ │ ├── config_ifprio_map.go
│ │ │ ├── config_linux.go
│ │ │ ├── config_rdma.go
│ │ │ ├── config_unsupported.go
│ │ │ ├── devices/
│ │ │ │ ├── config/
│ │ │ │ │ ├── device.go
│ │ │ │ │ └── mknod_unix.go
│ │ │ │ ├── devicefilter.go
│ │ │ │ ├── devices.go
│ │ │ │ ├── devices_emulator.go
│ │ │ │ ├── ebpf_linux.go
│ │ │ │ ├── systemd.go
│ │ │ │ ├── v1.go
│ │ │ │ └── v2.go
│ │ │ ├── file.go
│ │ │ ├── fs/
│ │ │ │ ├── blkio.go
│ │ │ │ ├── cpu.go
│ │ │ │ ├── cpuacct.go
│ │ │ │ ├── cpuset.go
│ │ │ │ ├── devices.go
│ │ │ │ ├── error.go
│ │ │ │ ├── freezer.go
│ │ │ │ ├── fs.go
│ │ │ │ ├── hugetlb.go
│ │ │ │ ├── memory.go
│ │ │ │ ├── name.go
│ │ │ │ ├── net_cls.go
│ │ │ │ ├── net_prio.go
│ │ │ │ ├── paths.go
│ │ │ │ ├── perf_event.go
│ │ │ │ ├── pids.go
│ │ │ │ └── rdma.go
│ │ │ ├── fs2/
│ │ │ │ ├── cpu.go
│ │ │ │ ├── cpuset.go
│ │ │ │ ├── create.go
│ │ │ │ ├── defaultpath.go
│ │ │ │ ├── freezer.go
│ │ │ │ ├── fs2.go
│ │ │ │ ├── hugetlb.go
│ │ │ │ ├── io.go
│ │ │ │ ├── memory.go
│ │ │ │ ├── misc.go
│ │ │ │ ├── pids.go
│ │ │ │ └── psi.go
│ │ │ ├── fscommon/
│ │ │ │ ├── rdma.go
│ │ │ │ └── utils.go
│ │ │ ├── getallpids.go
│ │ │ ├── internal/
│ │ │ │ └── path/
│ │ │ │ └── path.go
│ │ │ ├── manager/
│ │ │ │ └── new.go
│ │ │ ├── stats.go
│ │ │ ├── systemd/
│ │ │ │ ├── common.go
│ │ │ │ ├── cpuset.go
│ │ │ │ ├── dbus.go
│ │ │ │ ├── devices.go
│ │ │ │ ├── user.go
│ │ │ │ ├── v1.go
│ │ │ │ └── v2.go
│ │ │ ├── utils.go
│ │ │ └── v1_utils.go
│ │ ├── runtime-spec/
│ │ │ ├── LICENSE
│ │ │ └── specs-go/
│ │ │ ├── config.go
│ │ │ ├── features/
│ │ │ │ └── features.go
│ │ │ ├── state.go
│ │ │ └── version.go
│ │ └── selinux/
│ │ ├── LICENSE
│ │ ├── go-selinux/
│ │ │ ├── doc.go
│ │ │ ├── label/
│ │ │ │ ├── label.go
│ │ │ │ ├── label_linux.go
│ │ │ │ └── label_stub.go
│ │ │ ├── selinux.go
│ │ │ ├── selinux_linux.go
│ │ │ ├── selinux_stub.go
│ │ │ └── xattrs_linux.go
│ │ └── pkg/
│ │ └── pwalkdir/
│ │ ├── README.md
│ │ └── pwalkdir.go
│ ├── russross/
│ │ └── blackfriday/
│ │ └── v2/
│ │ ├── .gitignore
│ │ ├── .travis.yml
│ │ ├── LICENSE.txt
│ │ ├── README.md
│ │ ├── block.go
│ │ ├── doc.go
│ │ ├── entities.go
│ │ ├── esc.go
│ │ ├── html.go
│ │ ├── inline.go
│ │ ├── markdown.go
│ │ ├── node.go
│ │ └── smartypants.go
│ ├── seccomp/
│ │ └── libseccomp-golang/
│ │ ├── .gitignore
│ │ ├── .golangci.yml
│ │ ├── CHANGELOG
│ │ ├── CONTRIBUTING.md
│ │ ├── LICENSE
│ │ ├── Makefile
│ │ ├── README.md
│ │ ├── SECURITY.md
│ │ ├── seccomp.go
│ │ └── seccomp_internal.go
│ └── vishvananda/
│ ├── netlink/
│ │ ├── .gitignore
│ │ ├── CHANGELOG.md
│ │ ├── LICENSE
│ │ ├── Makefile
│ │ ├── README.md
│ │ ├── addr.go
│ │ ├── addr_linux.go
│ │ ├── bpf_linux.go
│ │ ├── bridge_linux.go
│ │ ├── chain.go
│ │ ├── chain_linux.go
│ │ ├── class.go
│ │ ├── class_linux.go
│ │ ├── conntrack_linux.go
│ │ ├── conntrack_unspecified.go
│ │ ├── devlink_linux.go
│ │ ├── filter.go
│ │ ├── filter_linux.go
│ │ ├── fou.go
│ │ ├── fou_linux.go
│ │ ├── fou_unspecified.go
│ │ ├── genetlink_linux.go
│ │ ├── genetlink_unspecified.go
│ │ ├── gtp_linux.go
│ │ ├── handle_linux.go
│ │ ├── handle_unspecified.go
│ │ ├── inet_diag.go
│ │ ├── ioctl_linux.go
│ │ ├── ipset_linux.go
│ │ ├── link.go
│ │ ├── link_linux.go
│ │ ├── link_tuntap_linux.go
│ │ ├── neigh.go
│ │ ├── neigh_linux.go
│ │ ├── netlink.go
│ │ ├── netlink_linux.go
│ │ ├── netlink_unspecified.go
│ │ ├── netns_linux.go
│ │ ├── netns_unspecified.go
│ │ ├── nl/
│ │ │ ├── addr_linux.go
│ │ │ ├── bridge_linux.go
│ │ │ ├── conntrack_linux.go
│ │ │ ├── devlink_linux.go
│ │ │ ├── genetlink_linux.go
│ │ │ ├── ip6tnl_linux.go
│ │ │ ├── ipset_linux.go
│ │ │ ├── link_linux.go
│ │ │ ├── lwt_linux.go
│ │ │ ├── mpls_linux.go
│ │ │ ├── nl_linux.go
│ │ │ ├── nl_unspecified.go
│ │ │ ├── parse_attr_linux.go
│ │ │ ├── rdma_link_linux.go
│ │ │ ├── route_linux.go
│ │ │ ├── seg6_linux.go
│ │ │ ├── seg6local_linux.go
│ │ │ ├── syscall.go
│ │ │ ├── tc_linux.go
│ │ │ ├── vdpa_linux.go
│ │ │ ├── xfrm_linux.go
│ │ │ ├── xfrm_monitor_linux.go
│ │ │ ├── xfrm_policy_linux.go
│ │ │ └── xfrm_state_linux.go
│ │ ├── order.go
│ │ ├── proc_event_linux.go
│ │ ├── protinfo.go
│ │ ├── protinfo_linux.go
│ │ ├── qdisc.go
│ │ ├── qdisc_linux.go
│ │ ├── rdma_link_linux.go
│ │ ├── route.go
│ │ ├── route_linux.go
│ │ ├── route_unspecified.go
│ │ ├── rule.go
│ │ ├── rule_linux.go
│ │ ├── rule_nonlinux.go
│ │ ├── socket.go
│ │ ├── socket_linux.go
│ │ ├── socket_xdp_linux.go
│ │ ├── tcp.go
│ │ ├── tcp_linux.go
│ │ ├── unix_diag.go
│ │ ├── vdpa_linux.go
│ │ ├── virtio.go
│ │ ├── xdp_diag.go
│ │ ├── xdp_linux.go
│ │ ├── xfrm_linux.go
│ │ ├── xfrm_monitor_linux.go
│ │ ├── xfrm_policy_linux.go
│ │ ├── xfrm_state_linux.go
│ │ └── xfrm_unspecified.go
│ └── netns/
│ ├── .golangci.yml
│ ├── .yamllint.yml
│ ├── LICENSE
│ ├── README.md
│ ├── doc.go
│ ├── netns_linux.go
│ ├── netns_others.go
│ ├── nshandle_linux.go
│ └── nshandle_others.go
├── golang.org/
│ └── x/
│ ├── net/
│ │ ├── LICENSE
│ │ ├── PATENTS
│ │ └── bpf/
│ │ ├── asm.go
│ │ ├── constants.go
│ │ ├── doc.go
│ │ ├── instructions.go
│ │ ├── setter.go
│ │ ├── vm.go
│ │ └── vm_instructions.go
│ └── sys/
│ ├── LICENSE
│ ├── PATENTS
│ ├── unix/
│ │ ├── .gitignore
│ │ ├── README.md
│ │ ├── affinity_linux.go
│ │ ├── aliases.go
│ │ ├── asm_aix_ppc64.s
│ │ ├── asm_bsd_386.s
│ │ ├── asm_bsd_amd64.s
│ │ ├── asm_bsd_arm.s
│ │ ├── asm_bsd_arm64.s
│ │ ├── asm_bsd_ppc64.s
│ │ ├── asm_bsd_riscv64.s
│ │ ├── asm_linux_386.s
│ │ ├── asm_linux_amd64.s
│ │ ├── asm_linux_arm.s
│ │ ├── asm_linux_arm64.s
│ │ ├── asm_linux_loong64.s
│ │ ├── asm_linux_mips64x.s
│ │ ├── asm_linux_mipsx.s
│ │ ├── asm_linux_ppc64x.s
│ │ ├── asm_linux_riscv64.s
│ │ ├── asm_linux_s390x.s
│ │ ├── asm_openbsd_mips64.s
│ │ ├── asm_solaris_amd64.s
│ │ ├── asm_zos_s390x.s
│ │ ├── auxv.go
│ │ ├── auxv_unsupported.go
│ │ ├── bluetooth_linux.go
│ │ ├── bpxsvc_zos.go
│ │ ├── bpxsvc_zos.s
│ │ ├── cap_freebsd.go
│ │ ├── constants.go
│ │ ├── dev_aix_ppc.go
│ │ ├── dev_aix_ppc64.go
│ │ ├── dev_darwin.go
│ │ ├── dev_dragonfly.go
│ │ ├── dev_freebsd.go
│ │ ├── dev_linux.go
│ │ ├── dev_netbsd.go
│ │ ├── dev_openbsd.go
│ │ ├── dev_zos.go
│ │ ├── dirent.go
│ │ ├── endian_big.go
│ │ ├── endian_little.go
│ │ ├── env_unix.go
│ │ ├── fcntl.go
│ │ ├── fcntl_darwin.go
│ │ ├── fcntl_linux_32bit.go
│ │ ├── fdset.go
│ │ ├── gccgo.go
│ │ ├── gccgo_c.c
│ │ ├── gccgo_linux_amd64.go
│ │ ├── ifreq_linux.go
│ │ ├── ioctl_linux.go
│ │ ├── ioctl_signed.go
│ │ ├── ioctl_unsigned.go
│ │ ├── ioctl_zos.go
│ │ ├── mkall.sh
│ │ ├── mkerrors.sh
│ │ ├── mmap_nomremap.go
│ │ ├── mremap.go
│ │ ├── pagesize_unix.go
│ │ ├── pledge_openbsd.go
│ │ ├── ptrace_darwin.go
│ │ ├── ptrace_ios.go
│ │ ├── race.go
│ │ ├── race0.go
│ │ ├── readdirent_getdents.go
│ │ ├── readdirent_getdirentries.go
│ │ ├── sockcmsg_dragonfly.go
│ │ ├── sockcmsg_linux.go
│ │ ├── sockcmsg_unix.go
│ │ ├── sockcmsg_unix_other.go
│ │ ├── sockcmsg_zos.go
│ │ ├── symaddr_zos_s390x.s
│ │ ├── syscall.go
│ │ ├── syscall_aix.go
│ │ ├── syscall_aix_ppc.go
│ │ ├── syscall_aix_ppc64.go
│ │ ├── syscall_bsd.go
│ │ ├── syscall_darwin.go
│ │ ├── syscall_darwin_amd64.go
│ │ ├── syscall_darwin_arm64.go
│ │ ├── syscall_darwin_libSystem.go
│ │ ├── syscall_dragonfly.go
│ │ ├── syscall_dragonfly_amd64.go
│ │ ├── syscall_freebsd.go
│ │ ├── syscall_freebsd_386.go
│ │ ├── syscall_freebsd_amd64.go
│ │ ├── syscall_freebsd_arm.go
│ │ ├── syscall_freebsd_arm64.go
│ │ ├── syscall_freebsd_riscv64.go
│ │ ├── syscall_hurd.go
│ │ ├── syscall_hurd_386.go
│ │ ├── syscall_illumos.go
│ │ ├── syscall_linux.go
│ │ ├── syscall_linux_386.go
│ │ ├── syscall_linux_alarm.go
│ │ ├── syscall_linux_amd64.go
│ │ ├── syscall_linux_amd64_gc.go
│ │ ├── syscall_linux_arm.go
│ │ ├── syscall_linux_arm64.go
│ │ ├── syscall_linux_gc.go
│ │ ├── syscall_linux_gc_386.go
│ │ ├── syscall_linux_gc_arm.go
│ │ ├── syscall_linux_gccgo_386.go
│ │ ├── syscall_linux_gccgo_arm.go
│ │ ├── syscall_linux_loong64.go
│ │ ├── syscall_linux_mips64x.go
│ │ ├── syscall_linux_mipsx.go
│ │ ├── syscall_linux_ppc.go
│ │ ├── syscall_linux_ppc64x.go
│ │ ├── syscall_linux_riscv64.go
│ │ ├── syscall_linux_s390x.go
│ │ ├── syscall_linux_sparc64.go
│ │ ├── syscall_netbsd.go
│ │ ├── syscall_netbsd_386.go
│ │ ├── syscall_netbsd_amd64.go
│ │ ├── syscall_netbsd_arm.go
│ │ ├── syscall_netbsd_arm64.go
│ │ ├── syscall_openbsd.go
│ │ ├── syscall_openbsd_386.go
│ │ ├── syscall_openbsd_amd64.go
│ │ ├── syscall_openbsd_arm.go
│ │ ├── syscall_openbsd_arm64.go
│ │ ├── syscall_openbsd_libc.go
│ │ ├── syscall_openbsd_mips64.go
│ │ ├── syscall_openbsd_ppc64.go
│ │ ├── syscall_openbsd_riscv64.go
│ │ ├── syscall_solaris.go
│ │ ├── syscall_solaris_amd64.go
│ │ ├── syscall_unix.go
│ │ ├── syscall_unix_gc.go
│ │ ├── syscall_unix_gc_ppc64x.go
│ │ ├── syscall_zos_s390x.go
│ │ ├── sysvshm_linux.go
│ │ ├── sysvshm_unix.go
│ │ ├── sysvshm_unix_other.go
│ │ ├── timestruct.go
│ │ ├── unveil_openbsd.go
│ │ ├── vgetrandom_linux.go
│ │ ├── vgetrandom_unsupported.go
│ │ ├── xattr_bsd.go
│ │ ├── zerrors_aix_ppc.go
│ │ ├── zerrors_aix_ppc64.go
│ │ ├── zerrors_darwin_amd64.go
│ │ ├── zerrors_darwin_arm64.go
│ │ ├── zerrors_dragonfly_amd64.go
│ │ ├── zerrors_freebsd_386.go
│ │ ├── zerrors_freebsd_amd64.go
│ │ ├── zerrors_freebsd_arm.go
│ │ ├── zerrors_freebsd_arm64.go
│ │ ├── zerrors_freebsd_riscv64.go
│ │ ├── zerrors_linux.go
│ │ ├── zerrors_linux_386.go
│ │ ├── zerrors_linux_amd64.go
│ │ ├── zerrors_linux_arm.go
│ │ ├── zerrors_linux_arm64.go
│ │ ├── zerrors_linux_loong64.go
│ │ ├── zerrors_linux_mips.go
│ │ ├── zerrors_linux_mips64.go
│ │ ├── zerrors_linux_mips64le.go
│ │ ├── zerrors_linux_mipsle.go
│ │ ├── zerrors_linux_ppc.go
│ │ ├── zerrors_linux_ppc64.go
│ │ ├── zerrors_linux_ppc64le.go
│ │ ├── zerrors_linux_riscv64.go
│ │ ├── zerrors_linux_s390x.go
│ │ ├── zerrors_linux_sparc64.go
│ │ ├── zerrors_netbsd_386.go
│ │ ├── zerrors_netbsd_amd64.go
│ │ ├── zerrors_netbsd_arm.go
│ │ ├── zerrors_netbsd_arm64.go
│ │ ├── zerrors_openbsd_386.go
│ │ ├── zerrors_openbsd_amd64.go
│ │ ├── zerrors_openbsd_arm.go
│ │ ├── zerrors_openbsd_arm64.go
│ │ ├── zerrors_openbsd_mips64.go
│ │ ├── zerrors_openbsd_ppc64.go
│ │ ├── zerrors_openbsd_riscv64.go
│ │ ├── zerrors_solaris_amd64.go
│ │ ├── zerrors_zos_s390x.go
│ │ ├── zptrace_armnn_linux.go
│ │ ├── zptrace_linux_arm64.go
│ │ ├── zptrace_mipsnn_linux.go
│ │ ├── zptrace_mipsnnle_linux.go
│ │ ├── zptrace_x86_linux.go
│ │ ├── zsymaddr_zos_s390x.s
│ │ ├── zsyscall_aix_ppc.go
│ │ ├── zsyscall_aix_ppc64.go
│ │ ├── zsyscall_aix_ppc64_gc.go
│ │ ├── zsyscall_aix_ppc64_gccgo.go
│ │ ├── zsyscall_darwin_amd64.go
│ │ ├── zsyscall_darwin_amd64.s
│ │ ├── zsyscall_darwin_arm64.go
│ │ ├── zsyscall_darwin_arm64.s
│ │ ├── zsyscall_dragonfly_amd64.go
│ │ ├── zsyscall_freebsd_386.go
│ │ ├── zsyscall_freebsd_amd64.go
│ │ ├── zsyscall_freebsd_arm.go
│ │ ├── zsyscall_freebsd_arm64.go
│ │ ├── zsyscall_freebsd_riscv64.go
│ │ ├── zsyscall_illumos_amd64.go
│ │ ├── zsyscall_linux.go
│ │ ├── zsyscall_linux_386.go
│ │ ├── zsyscall_linux_amd64.go
│ │ ├── zsyscall_linux_arm.go
│ │ ├── zsyscall_linux_arm64.go
│ │ ├── zsyscall_linux_loong64.go
│ │ ├── zsyscall_linux_mips.go
│ │ ├── zsyscall_linux_mips64.go
│ │ ├── zsyscall_linux_mips64le.go
│ │ ├── zsyscall_linux_mipsle.go
│ │ ├── zsyscall_linux_ppc.go
│ │ ├── zsyscall_linux_ppc64.go
│ │ ├── zsyscall_linux_ppc64le.go
│ │ ├── zsyscall_linux_riscv64.go
│ │ ├── zsyscall_linux_s390x.go
│ │ ├── zsyscall_linux_sparc64.go
│ │ ├── zsyscall_netbsd_386.go
│ │ ├── zsyscall_netbsd_amd64.go
│ │ ├── zsyscall_netbsd_arm.go
│ │ ├── zsyscall_netbsd_arm64.go
│ │ ├── zsyscall_openbsd_386.go
│ │ ├── zsyscall_openbsd_386.s
│ │ ├── zsyscall_openbsd_amd64.go
│ │ ├── zsyscall_openbsd_amd64.s
│ │ ├── zsyscall_openbsd_arm.go
│ │ ├── zsyscall_openbsd_arm.s
│ │ ├── zsyscall_openbsd_arm64.go
│ │ ├── zsyscall_openbsd_arm64.s
│ │ ├── zsyscall_openbsd_mips64.go
│ │ ├── zsyscall_openbsd_mips64.s
│ │ ├── zsyscall_openbsd_ppc64.go
│ │ ├── zsyscall_openbsd_ppc64.s
│ │ ├── zsyscall_openbsd_riscv64.go
│ │ ├── zsyscall_openbsd_riscv64.s
│ │ ├── zsyscall_solaris_amd64.go
│ │ ├── zsyscall_zos_s390x.go
│ │ ├── zsysctl_openbsd_386.go
│ │ ├── zsysctl_openbsd_amd64.go
│ │ ├── zsysctl_openbsd_arm.go
│ │ ├── zsysctl_openbsd_arm64.go
│ │ ├── zsysctl_openbsd_mips64.go
│ │ ├── zsysctl_openbsd_ppc64.go
│ │ ├── zsysctl_openbsd_riscv64.go
│ │ ├── zsysnum_darwin_amd64.go
│ │ ├── zsysnum_darwin_arm64.go
│ │ ├── zsysnum_dragonfly_amd64.go
│ │ ├── zsysnum_freebsd_386.go
│ │ ├── zsysnum_freebsd_amd64.go
│ │ ├── zsysnum_freebsd_arm.go
│ │ ├── zsysnum_freebsd_arm64.go
│ │ ├── zsysnum_freebsd_riscv64.go
│ │ ├── zsysnum_linux_386.go
│ │ ├── zsysnum_linux_amd64.go
│ │ ├── zsysnum_linux_arm.go
│ │ ├── zsysnum_linux_arm64.go
│ │ ├── zsysnum_linux_loong64.go
│ │ ├── zsysnum_linux_mips.go
│ │ ├── zsysnum_linux_mips64.go
│ │ ├── zsysnum_linux_mips64le.go
│ │ ├── zsysnum_linux_mipsle.go
│ │ ├── zsysnum_linux_ppc.go
│ │ ├── zsysnum_linux_ppc64.go
│ │ ├── zsysnum_linux_ppc64le.go
│ │ ├── zsysnum_linux_riscv64.go
│ │ ├── zsysnum_linux_s390x.go
│ │ ├── zsysnum_linux_sparc64.go
│ │ ├── zsysnum_netbsd_386.go
│ │ ├── zsysnum_netbsd_amd64.go
│ │ ├── zsysnum_netbsd_arm.go
│ │ ├── zsysnum_netbsd_arm64.go
│ │ ├── zsysnum_openbsd_386.go
│ │ ├── zsysnum_openbsd_amd64.go
│ │ ├── zsysnum_openbsd_arm.go
│ │ ├── zsysnum_openbsd_arm64.go
│ │ ├── zsysnum_openbsd_mips64.go
│ │ ├── zsysnum_openbsd_ppc64.go
│ │ ├── zsysnum_openbsd_riscv64.go
│ │ ├── zsysnum_zos_s390x.go
│ │ ├── ztypes_aix_ppc.go
│ │ ├── ztypes_aix_ppc64.go
│ │ ├── ztypes_darwin_amd64.go
│ │ ├── ztypes_darwin_arm64.go
│ │ ├── ztypes_dragonfly_amd64.go
│ │ ├── ztypes_freebsd_386.go
│ │ ├── ztypes_freebsd_amd64.go
│ │ ├── ztypes_freebsd_arm.go
│ │ ├── ztypes_freebsd_arm64.go
│ │ ├── ztypes_freebsd_riscv64.go
│ │ ├── ztypes_linux.go
│ │ ├── ztypes_linux_386.go
│ │ ├── ztypes_linux_amd64.go
│ │ ├── ztypes_linux_arm.go
│ │ ├── ztypes_linux_arm64.go
│ │ ├── ztypes_linux_loong64.go
│ │ ├── ztypes_linux_mips.go
│ │ ├── ztypes_linux_mips64.go
│ │ ├── ztypes_linux_mips64le.go
│ │ ├── ztypes_linux_mipsle.go
│ │ ├── ztypes_linux_ppc.go
│ │ ├── ztypes_linux_ppc64.go
│ │ ├── ztypes_linux_ppc64le.go
│ │ ├── ztypes_linux_riscv64.go
│ │ ├── ztypes_linux_s390x.go
│ │ ├── ztypes_linux_sparc64.go
│ │ ├── ztypes_netbsd_386.go
│ │ ├── ztypes_netbsd_amd64.go
│ │ ├── ztypes_netbsd_arm.go
│ │ ├── ztypes_netbsd_arm64.go
│ │ ├── ztypes_openbsd_386.go
│ │ ├── ztypes_openbsd_amd64.go
│ │ ├── ztypes_openbsd_arm.go
│ │ ├── ztypes_openbsd_arm64.go
│ │ ├── ztypes_openbsd_mips64.go
│ │ ├── ztypes_openbsd_ppc64.go
│ │ ├── ztypes_openbsd_riscv64.go
│ │ ├── ztypes_solaris_amd64.go
│ │ └── ztypes_zos_s390x.go
│ └── windows/
│ ├── aliases.go
│ ├── dll_windows.go
│ ├── env_windows.go
│ ├── eventlog.go
│ ├── exec_windows.go
│ ├── memory_windows.go
│ ├── mkerrors.bash
│ ├── mkknownfolderids.bash
│ ├── mksyscall.go
│ ├── race.go
│ ├── race0.go
│ ├── security_windows.go
│ ├── service.go
│ ├── setupapi_windows.go
│ ├── str.go
│ ├── syscall.go
│ ├── syscall_windows.go
│ ├── types_windows.go
│ ├── types_windows_386.go
│ ├── types_windows_amd64.go
│ ├── types_windows_arm.go
│ ├── types_windows_arm64.go
│ ├── zerrors_windows.go
│ ├── zknownfolderids_windows.go
│ └── zsyscall_windows.go
├── google.golang.org/
│ └── protobuf/
│ ├── LICENSE
│ ├── PATENTS
│ ├── encoding/
│ │ ├── prototext/
│ │ │ ├── decode.go
│ │ │ ├── doc.go
│ │ │ └── encode.go
│ │ └── protowire/
│ │ └── wire.go
│ ├── internal/
│ │ ├── descfmt/
│ │ │ └── stringer.go
│ │ ├── descopts/
│ │ │ └── options.go
│ │ ├── detrand/
│ │ │ └── rand.go
│ │ ├── editiondefaults/
│ │ │ ├── defaults.go
│ │ │ └── editions_defaults.binpb
│ │ ├── encoding/
│ │ │ ├── defval/
│ │ │ │ └── default.go
│ │ │ ├── messageset/
│ │ │ │ └── messageset.go
│ │ │ ├── tag/
│ │ │ │ └── tag.go
│ │ │ └── text/
│ │ │ ├── decode.go
│ │ │ ├── decode_number.go
│ │ │ ├── decode_string.go
│ │ │ ├── decode_token.go
│ │ │ ├── doc.go
│ │ │ └── encode.go
│ │ ├── errors/
│ │ │ └── errors.go
│ │ ├── filedesc/
│ │ │ ├── build.go
│ │ │ ├── desc.go
│ │ │ ├── desc_init.go
│ │ │ ├── desc_lazy.go
│ │ │ ├── desc_list.go
│ │ │ ├── desc_list_gen.go
│ │ │ ├── editions.go
│ │ │ ├── placeholder.go
│ │ │ └── presence.go
│ │ ├── filetype/
│ │ │ └── build.go
│ │ ├── flags/
│ │ │ ├── flags.go
│ │ │ ├── proto_legacy_disable.go
│ │ │ └── proto_legacy_enable.go
│ │ ├── genid/
│ │ │ ├── any_gen.go
│ │ │ ├── api_gen.go
│ │ │ ├── descriptor_gen.go
│ │ │ ├── doc.go
│ │ │ ├── duration_gen.go
│ │ │ ├── empty_gen.go
│ │ │ ├── field_mask_gen.go
│ │ │ ├── go_features_gen.go
│ │ │ ├── goname.go
│ │ │ ├── map_entry.go
│ │ │ ├── name.go
│ │ │ ├── source_context_gen.go
│ │ │ ├── struct_gen.go
│ │ │ ├── timestamp_gen.go
│ │ │ ├── type_gen.go
│ │ │ ├── wrappers.go
│ │ │ └── wrappers_gen.go
│ │ ├── impl/
│ │ │ ├── api_export.go
│ │ │ ├── api_export_opaque.go
│ │ │ ├── bitmap.go
│ │ │ ├── bitmap_race.go
│ │ │ ├── checkinit.go
│ │ │ ├── codec_extension.go
│ │ │ ├── codec_field.go
│ │ │ ├── codec_field_opaque.go
│ │ │ ├── codec_gen.go
│ │ │ ├── codec_map.go
│ │ │ ├── codec_message.go
│ │ │ ├── codec_message_opaque.go
│ │ │ ├── codec_messageset.go
│ │ │ ├── codec_tables.go
│ │ │ ├── codec_unsafe.go
│ │ │ ├── convert.go
│ │ │ ├── convert_list.go
│ │ │ ├── convert_map.go
│ │ │ ├── decode.go
│ │ │ ├── encode.go
│ │ │ ├── enum.go
│ │ │ ├── equal.go
│ │ │ ├── extension.go
│ │ │ ├── lazy.go
│ │ │ ├── legacy_enum.go
│ │ │ ├── legacy_export.go
│ │ │ ├── legacy_extension.go
│ │ │ ├── legacy_file.go
│ │ │ ├── legacy_message.go
│ │ │ ├── merge.go
│ │ │ ├── merge_gen.go
│ │ │ ├── message.go
│ │ │ ├── message_opaque.go
│ │ │ ├── message_opaque_gen.go
│ │ │ ├── message_reflect.go
│ │ │ ├── message_reflect_field.go
│ │ │ ├── message_reflect_field_gen.go
│ │ │ ├── message_reflect_gen.go
│ │ │ ├── pointer_unsafe.go
│ │ │ ├── pointer_unsafe_opaque.go
│ │ │ ├── presence.go
│ │ │ └── validate.go
│ │ ├── order/
│ │ │ ├── order.go
│ │ │ └── range.go
│ │ ├── pragma/
│ │ │ └── pragma.go
│ │ ├── protolazy/
│ │ │ ├── bufferreader.go
│ │ │ ├── lazy.go
│ │ │ └── pointer_unsafe.go
│ │ ├── set/
│ │ │ └── ints.go
│ │ ├── strs/
│ │ │ ├── strings.go
│ │ │ └── strings_unsafe.go
│ │ └── version/
│ │ └── version.go
│ ├── proto/
│ │ ├── checkinit.go
│ │ ├── decode.go
│ │ ├── decode_gen.go
│ │ ├── doc.go
│ │ ├── encode.go
│ │ ├── encode_gen.go
│ │ ├── equal.go
│ │ ├── extension.go
│ │ ├── merge.go
│ │ ├── messageset.go
│ │ ├── proto.go
│ │ ├── proto_methods.go
│ │ ├── proto_reflect.go
│ │ ├── reset.go
│ │ ├── size.go
│ │ ├── size_gen.go
│ │ ├── wrapperopaque.go
│ │ └── wrappers.go
│ ├── reflect/
│ │ ├── protoreflect/
│ │ │ ├── methods.go
│ │ │ ├── proto.go
│ │ │ ├── source.go
│ │ │ ├── source_gen.go
│ │ │ ├── type.go
│ │ │ ├── value.go
│ │ │ ├── value_equal.go
│ │ │ ├── value_union.go
│ │ │ └── value_unsafe.go
│ │ └── protoregistry/
│ │ └── registry.go
│ └── runtime/
│ ├── protoiface/
│ │ ├── legacy.go
│ │ └── methods.go
│ └── protoimpl/
│ ├── impl.go
│ └── version.go
└── modules.txt
SYMBOL INDEX (110857 symbols across 1013 files)
FILE: checkpoint.go
function prepareImagePaths (line 83) | func prepareImagePaths(context *cli.Context) (string, string, error) {
function criuOptions (line 115) | func criuOptions(context *cli.Context) (*libcontainer.CriuOpts, error) {
FILE: delete.go
function killContainer (line 16) | func killContainer(container *libcontainer.Container) error {
FILE: events.go
function convertLibcontainerStats (line 114) | func convertLibcontainerStats(ls *libcontainer.Stats) *types.Stats {
function convertHugtlb (line 184) | func convertHugtlb(c cgroups.HugetlbStats) types.Hugetlb {
function convertMemoryEntry (line 192) | func convertMemoryEntry(c cgroups.MemoryData) types.MemoryEntry {
function convertBlkioEntry (line 201) | func convertBlkioEntry(c []cgroups.BlkioStatEntry) []types.BlkioEntry {
function convertL3CacheInfo (line 209) | func convertL3CacheInfo(i *intelrdt.L3CacheInfo) *types.L3CacheInfo {
function convertMemBwInfo (line 214) | func convertMemBwInfo(i *intelrdt.MemBwInfo) *types.MemBwInfo {
FILE: exec.go
function getSubCgroupPaths (line 126) | func getSubCgroupPaths(args []string) (map[string]string, error) {
function execProcess (line 155) | func execProcess(context *cli.Context) (int, error) {
function getProcess (line 196) | func getProcess(context *cli.Context, c *libcontainer.Container) (*specs...
FILE: init.go
function init (line 10) | func init() {
FILE: internal/linux/eintr.go
function retryOnEINTR (line 11) | func retryOnEINTR(fn func() error) error {
function retryOnEINTR2 (line 21) | func retryOnEINTR2[T any](fn func() (T, error)) (T, error) {
FILE: internal/linux/linux.go
function Dup3 (line 11) | func Dup3(oldfd, newfd, flags int) error {
function Exec (line 19) | func Exec(cmd string, args, env []string) error {
function Getwd (line 30) | func Getwd() (wd string, err error) {
function Open (line 36) | func Open(path string, mode int, perm uint32) (fd int, err error) {
function Openat (line 47) | func Openat(dirfd int, path string, mode int, perm uint32) (fd int, err ...
function Recvfrom (line 58) | func Recvfrom(fd int, p []byte, flags int) (n int, from unix.Sockaddr, e...
function SchedSetaffinity (line 70) | func SchedSetaffinity(pid int, buf []byte) error {
function Sendmsg (line 86) | func Sendmsg(fd int, p, oob []byte, to unix.Sockaddr, flags int) error {
function SetMempolicy (line 94) | func SetMempolicy(mode int, mask *unix.CPUSet) error {
function Readlinkat (line 102) | func Readlinkat(dir *os.File, path string) (string, error) {
function GetPtyPeer (line 121) | func GetPtyPeer(ptyFd uintptr, unsafePeerPath string, flags int) (*os.Fi...
FILE: internal/pathrs/mkdirall.go
function MkdirAllParentInRoot (line 34) | func MkdirAllParentInRoot(root, unsafePath string, mode os.FileMode) (*o...
FILE: internal/pathrs/mkdirall_pathrslite.go
function MkdirAllInRoot (line 51) | func MkdirAllInRoot(root, unsafePath string, mode os.FileMode) (*os.File...
FILE: internal/pathrs/path.go
function IsLexicallyInRoot (line 34) | func IsLexicallyInRoot(root, path string) bool {
function LexicallyCleanPath (line 47) | func LexicallyCleanPath(path string) string {
function LexicallyStripRoot (line 74) | func LexicallyStripRoot(root, path string) string {
function hallucinateUnsafePath (line 108) | func hallucinateUnsafePath(root, unsafePath string) (string, error) {
FILE: internal/pathrs/path_test.go
function TestIsLexicallyInRoot (line 23) | func TestIsLexicallyInRoot(t *testing.T) {
function TestLexicallyCleanPath (line 55) | func TestLexicallyCleanPath(t *testing.T) {
function TestLexicallyStripRoot (line 87) | func TestLexicallyStripRoot(t *testing.T) {
FILE: internal/pathrs/procfs_pathrslite.go
function procOpenReopen (line 29) | func procOpenReopen(openFn func(subpath string) (*os.File, error), subpa...
function ProcSelfOpen (line 48) | func ProcSelfOpen(subpath string, flags int) (*os.File, error) {
function ProcPidOpen (line 59) | func ProcPidOpen(pid int, subpath string, flags int) (*os.File, error) {
function ProcThreadSelfOpen (line 74) | func ProcThreadSelfOpen(subpath string, flags int) (_ *os.File, _ procfs...
function Reopen (line 104) | func Reopen(file *os.File, flags int) (*os.File, error) {
FILE: internal/pathrs/retry.go
constant retryDeadline (line 33) | retryDeadline = 2 * time.Millisecond
function retryEAGAIN (line 39) | func retryEAGAIN[T any](fn func() (T, error)) (T, error) {
function retryEAGAIN2 (line 56) | func retryEAGAIN2[T1, T2 any](fn func() (T1, T2, error)) (T1, T2, error) {
FILE: internal/pathrs/root_pathrslite.go
function OpenInRoot (line 33) | func OpenInRoot(root, subpath string, flags int) (*os.File, error) {
function CreateInRoot (line 50) | func CreateInRoot(root, subpath string, flags int, fileMode uint32) (*os...
FILE: internal/sys/opath_linux.go
function FchmodFile (line 17) | func FchmodFile(f *os.File, mode uint32) error {
function FchownFile (line 49) | func FchownFile(f *os.File, uid, gid int) error {
FILE: internal/sys/sysctl_linux.go
function procfsOpenRoot (line 14) | func procfsOpenRoot(proc *procfs.Handle, subpath string, flags int) (*os...
function WriteSysctls (line 25) | func WriteSysctls(sysctls map[string]string) error {
FILE: internal/sys/verify_inode_unix.go
type VerifyInodeFunc (line 14) | type VerifyInodeFunc
function VerifyInode (line 19) | func VerifyInode(file *os.File, checkFunc VerifyInodeFunc) error {
FILE: internal/third_party/systemd/activation/files_unix.go
constant listenFdsStart (line 33) | listenFdsStart = 3
function Files (line 40) | func Files() []*os.File {
FILE: kill.go
function parseSignal (line 63) | func parseSignal(rawSignal string) (unix.Signal, error) {
FILE: libcontainer/apparmor/apparmor.go
function IsEnabled (line 9) | func IsEnabled() bool {
function ApplyProfile (line 16) | func ApplyProfile(name string) error {
FILE: libcontainer/apparmor/apparmor_linux.go
function isEnabled (line 20) | func isEnabled() bool {
function setProcAttr (line 30) | func setProcAttr(attr, value string) error {
function changeOnExec (line 53) | func changeOnExec(name string) error {
function applyProfile (line 62) | func applyProfile(name string) error {
FILE: libcontainer/apparmor/apparmor_unsupported.go
function isEnabled (line 5) | func isEnabled() bool {
function applyProfile (line 9) | func applyProfile(name string) error {
FILE: libcontainer/capabilities/capabilities.go
function capToStr (line 20) | func capToStr(c capability.Cap) string {
function KnownCapabilities (line 38) | func KnownCapabilities() []string {
function New (line 50) | func New(capConfig *configs.Capabilities) (*Caps, error) {
function capSlice (line 80) | func capSlice(caps []string, unknownCaps map[string]struct{}) []capabili...
type Caps (line 94) | type Caps struct
method ApplyBoundingSet (line 100) | func (c *Caps) ApplyBoundingSet() error {
method ApplyCaps (line 110) | func (c *Caps) ApplyCaps() error {
FILE: libcontainer/capabilities/capabilities_linux_test.go
function TestNew (line 22) | func TestNew(t *testing.T) {
FILE: libcontainer/cmd_clone.go
function cloneCmd (line 17) | func cloneCmd(c *exec.Cmd) *exec.Cmd {
FILE: libcontainer/configs/config.go
type Rlimit (line 24) | type Rlimit struct
type IDMap (line 31) | type IDMap struct
type Seccomp (line 41) | type Seccomp struct
type Action (line 52) | type Action
constant Kill (line 55) | Kill Action = iota + 1
constant Errno (line 56) | Errno
constant Trap (line 57) | Trap
constant Allow (line 58) | Allow
constant Trace (line 59) | Trace
constant Log (line 60) | Log
constant Notify (line 61) | Notify
constant KillThread (line 62) | KillThread
constant KillProcess (line 63) | KillProcess
type Operator (line 67) | type Operator
constant EqualTo (line 70) | EqualTo Operator = iota + 1
constant NotEqualTo (line 71) | NotEqualTo
constant GreaterThan (line 72) | GreaterThan
constant GreaterThanOrEqualTo (line 73) | GreaterThanOrEqualTo
constant LessThan (line 74) | LessThan
constant LessThanOrEqualTo (line 75) | LessThanOrEqualTo
constant MaskEqualTo (line 76) | MaskEqualTo
type Arg (line 80) | type Arg struct
type Syscall (line 88) | type Syscall struct
type Config (line 96) | type Config struct
method HasHook (line 431) | func (c *Config) HasHook(names ...HookName) bool {
function ToSchedAttr (line 250) | func ToSchedAttr(scheduler *Scheduler) (*unix.SchedAttr, error) {
type CPUAffinity (line 307) | type CPUAffinity struct
function ToCPUSet (line 312) | func ToCPUSet(str string) (*unix.CPUSet, error) {
function ConvertCPUAffinity (line 370) | func ConvertCPUAffinity(sa *specs.CPUAffinity) (*CPUAffinity, error) {
type HookName (line 393) | type HookName
type HookList (line 394) | type HookList
method SetDefaultEnv (line 529) | func (hooks HookList) SetDefaultEnv(env []string) {
type Hooks (line 395) | type Hooks
method UnmarshalJSON (line 469) | func (hooks *Hooks) UnmarshalJSON(b []byte) error {
method MarshalJSON (line 491) | func (hooks *Hooks) MarshalJSON() ([]byte, error) {
method Run (line 516) | func (hooks Hooks) Run(name HookName, state *specs.State) error {
constant Prestart (line 403) | Prestart HookName = "prestart"
constant CreateRuntime (line 409) | CreateRuntime HookName = "createRuntime"
constant CreateContainer (line 414) | CreateContainer HookName = "createContainer"
constant StartContainer (line 419) | StartContainer HookName = "startContainer"
constant Poststart (line 423) | Poststart HookName = "poststart"
constant Poststop (line 427) | Poststop HookName = "poststop"
function KnownHookNames (line 445) | func KnownHookNames() []string {
type Capabilities (line 456) | type Capabilities struct
type Hook (line 537) | type Hook interface
function NewFunctionHook (line 543) | func NewFunctionHook(f func(*specs.State) error) FuncHook {
type FuncHook (line 549) | type FuncHook struct
method Run (line 553) | func (f FuncHook) Run(s *specs.State) error {
type Command (line 557) | type Command struct
method Run (line 576) | func (c *Command) Run(s *specs.State) error {
function NewCommandHook (line 566) | func NewCommandHook(cmd *Command) CommandHook {
type CommandHook (line 572) | type CommandHook struct
FILE: libcontainer/configs/config_linux.go
constant PerLinux (line 17) | PerLinux = 0x0000
constant PerLinux32 (line 18) | PerLinux32 = 0x0008
type LinuxPersonality (line 21) | type LinuxPersonality struct
method HostUID (line 29) | func (c *Config) HostUID(containerID int) (int, error) {
method HostRootUID (line 53) | func (c *Config) HostRootUID() (int, error) {
method HostGID (line 59) | func (c *Config) HostGID(containerID int) (int, error) {
method HostRootGID (line 83) | func (c *Config) HostRootGID() (int, error) {
method hostIDFromMapping (line 89) | func (c *Config) hostIDFromMapping(containerID int64, uMap []IDMap) (int...
FILE: libcontainer/configs/config_linux_test.go
function TestRemoveNamespace (line 9) | func TestRemoveNamespace(t *testing.T) {
function TestHostRootUIDNoUSERNS (line 21) | func TestHostRootUIDNoUSERNS(t *testing.T) {
function TestHostRootUIDWithUSERNS (line 34) | func TestHostRootUIDWithUSERNS(t *testing.T) {
function TestHostRootGIDNoUSERNS (line 54) | func TestHostRootGIDNoUSERNS(t *testing.T) {
function TestHostRootGIDWithUSERNS (line 67) | func TestHostRootGIDWithUSERNS(t *testing.T) {
FILE: libcontainer/configs/config_test.go
function TestUnmarshalHooks (line 15) | func TestUnmarshalHooks(t *testing.T) {
function TestUnmarshalHooksWithInvalidData (line 44) | func TestUnmarshalHooksWithInvalidData(t *testing.T) {
function TestMarshalHooks (line 52) | func TestMarshalHooks(t *testing.T) {
function TestMarshalUnmarshalHooks (line 84) | func TestMarshalUnmarshalHooks(t *testing.T) {
function TestMarshalHooksWithUnexpectedType (line 118) | func TestMarshalHooksWithUnexpectedType(t *testing.T) {
function TestFuncHookRun (line 136) | func TestFuncHookRun(t *testing.T) {
function TestCommandHookRun (line 158) | func TestCommandHookRun(t *testing.T) {
function TestCommandHookRunTimeout (line 209) | func TestCommandHookRunTimeout(t *testing.T) {
FILE: libcontainer/configs/configs_fuzzer.go
function FuzzUnmarshalJSON (line 5) | func FuzzUnmarshalJSON(data []byte) int {
FILE: libcontainer/configs/intelrdt.go
type IntelRdt (line 3) | type IntelRdt struct
FILE: libcontainer/configs/memorypolicy.go
type LinuxMemoryPolicy (line 6) | type LinuxMemoryPolicy struct
FILE: libcontainer/configs/mount.go
constant EXT_COPYUP (line 6) | EXT_COPYUP = 1 << iota
FILE: libcontainer/configs/mount_linux.go
type MountIDMapping (line 5) | type MountIDMapping struct
type Mount (line 23) | type Mount struct
method IsBind (line 62) | func (m *Mount) IsBind() bool {
method IsIDMapped (line 66) | func (m *Mount) IsIDMapped() bool {
FILE: libcontainer/configs/mount_unsupported.go
type Mount (line 5) | type Mount struct
method IsBind (line 7) | func (m *Mount) IsBind() bool {
FILE: libcontainer/configs/namespaces.go
type NamespaceType (line 3) | type NamespaceType
type Namespaces (line 5) | type Namespaces
FILE: libcontainer/configs/namespaces_linux.go
constant NEWNET (line 11) | NEWNET NamespaceType = "NEWNET"
constant NEWPID (line 12) | NEWPID NamespaceType = "NEWPID"
constant NEWNS (line 13) | NEWNS NamespaceType = "NEWNS"
constant NEWUTS (line 14) | NEWUTS NamespaceType = "NEWUTS"
constant NEWIPC (line 15) | NEWIPC NamespaceType = "NEWIPC"
constant NEWUSER (line 16) | NEWUSER NamespaceType = "NEWUSER"
constant NEWCGROUP (line 17) | NEWCGROUP NamespaceType = "NEWCGROUP"
constant NEWTIME (line 18) | NEWTIME NamespaceType = "NEWTIME"
function NsName (line 27) | func NsName(ns NamespaceType) string {
function IsNamespaceSupported (line 51) | func IsNamespaceSupported(ns NamespaceType) bool {
function NamespaceTypes (line 73) | func NamespaceTypes() []NamespaceType {
type Namespace (line 88) | type Namespace struct
method GetPath (line 93) | func (n *Namespace) GetPath(pid int) string {
method Remove (line 97) | func (n *Namespaces) Remove(t NamespaceType) bool {
method Add (line 106) | func (n *Namespaces) Add(t NamespaceType, path string) {
method index (line 115) | func (n *Namespaces) index(t NamespaceType) int {
method Contains (line 124) | func (n *Namespaces) Contains(t NamespaceType) bool {
method PathOf (line 128) | func (n *Namespaces) PathOf(t NamespaceType) string {
FILE: libcontainer/configs/namespaces_syscall.go
method Syscall (line 7) | func (n *Namespace) Syscall() int {
method CloneFlags (line 24) | func (n *Namespaces) CloneFlags() uintptr {
method IsPrivate (line 37) | func (n Namespaces) IsPrivate(t NamespaceType) bool {
FILE: libcontainer/configs/namespaces_syscall_unsupported.go
method Syscall (line 5) | func (n *Namespace) Syscall() int {
method CloneFlags (line 11) | func (n *Namespaces) CloneFlags() uintptr {
FILE: libcontainer/configs/namespaces_unsupported.go
type Namespace (line 7) | type Namespace struct
FILE: libcontainer/configs/netdevices.go
type LinuxNetDevice (line 4) | type LinuxNetDevice struct
FILE: libcontainer/configs/network.go
type Network (line 7) | type Network struct
type Route (line 63) | type Route struct
FILE: libcontainer/configs/tocpuset_test.go
function TestToCPUSet (line 9) | func TestToCPUSet(t *testing.T) {
FILE: libcontainer/configs/validate/intelrdt.go
type intelRdtStatus (line 11) | type intelRdtStatus struct
method init (line 20) | func (i *intelRdtStatus) init() {
method isEnabled (line 28) | func (i *intelRdtStatus) isEnabled() bool {
method isCATEnabled (line 33) | func (i *intelRdtStatus) isCATEnabled() bool {
method isMBAEnabled (line 38) | func (i *intelRdtStatus) isMBAEnabled() bool {
FILE: libcontainer/configs/validate/intelrdt_test.go
function TestValidateIntelRdt (line 9) | func TestValidateIntelRdt(t *testing.T) {
FILE: libcontainer/configs/validate/rootless.go
function rootlessEUIDCheck (line 14) | func rootlessEUIDCheck(config *configs.Config) error {
function rootlessEUIDMappings (line 32) | func rootlessEUIDMappings(config *configs.Config) error {
function rootlessEUIDMount (line 50) | func rootlessEUIDMount(config *configs.Config) error {
FILE: libcontainer/configs/validate/rootless_test.go
function rootlessEUIDConfig (line 9) | func rootlessEUIDConfig() *configs.Config {
function TestValidateRootlessEUID (line 36) | func TestValidateRootlessEUID(t *testing.T) {
function TestValidateRootlessEUIDUserns (line 45) | func TestValidateRootlessEUIDUserns(t *testing.T) {
function TestValidateRootlessEUIDMappingUid (line 53) | func TestValidateRootlessEUIDMappingUid(t *testing.T) {
function TestValidateNonZeroEUIDMappingGid (line 61) | func TestValidateNonZeroEUIDMappingGid(t *testing.T) {
function TestValidateRootlessEUIDMountUid (line 71) | func TestValidateRootlessEUIDMountUid(t *testing.T) {
function TestValidateRootlessEUIDMountGid (line 108) | func TestValidateRootlessEUIDMountGid(t *testing.T) {
function BenchmarkRootlessEUIDMount (line 145) | func BenchmarkRootlessEUIDMount(b *testing.B) {
FILE: libcontainer/configs/validate/validator.go
type check (line 19) | type check
function Validate (line 21) | func Validate(config *configs.Config) error {
function rootfs (line 57) | func rootfs(config *configs.Config) error {
function devValidName (line 75) | func devValidName(name string) bool {
function netdevices (line 88) | func netdevices(config *configs.Config) error {
function network (line 111) | func network(config *configs.Config) error {
function uts (line 120) | func uts(config *configs.Config) error {
function security (line 130) | func security(config *configs.Config) error {
function namespaces (line 143) | func namespaces(config *configs.Config) error {
function convertSysctlVariableToDotsSeparator (line 194) | func convertSysctlVariableToDotsSeparator(val string) string {
function sysctl (line 218) | func sysctl(config *configs.Config) error {
function intelrdtCheck (line 308) | func intelrdtCheck(config *configs.Config) error {
function cgroupsCheck (line 330) | func cgroupsCheck(config *configs.Config) error {
function checkBindOptions (line 359) | func checkBindOptions(m *configs.Mount) error {
function checkIDMapMounts (line 379) | func checkIDMapMounts(config *configs.Config, m *configs.Mount) error {
function mountsWarn (line 409) | func mountsWarn(config *configs.Config) error {
function mountsStrict (line 418) | func mountsStrict(config *configs.Config) error {
function isHostNetNS (line 430) | func isHostNetNS(path string) (bool, error) {
function scheduler (line 446) | func scheduler(config *configs.Config) error {
function ioPriority (line 468) | func ioPriority(config *configs.Config) error {
function memoryPolicy (line 487) | func memoryPolicy(config *configs.Config) error {
FILE: libcontainer/configs/validate/validator_test.go
function TestValidate (line 15) | func TestValidate(t *testing.T) {
function TestValidateWithInvalidRootfs (line 26) | func TestValidateWithInvalidRootfs(t *testing.T) {
function TestValidateNetworkWithoutNETNamespace (line 43) | func TestValidateNetworkWithoutNETNamespace(t *testing.T) {
function TestValidateNetworkRoutesWithoutNETNamespace (line 57) | func TestValidateNetworkRoutesWithoutNETNamespace(t *testing.T) {
function TestValidateHostname (line 71) | func TestValidateHostname(t *testing.T) {
function TestValidateUTS (line 88) | func TestValidateUTS(t *testing.T) {
function TestValidateUTSWithoutUTSNamespace (line 106) | func TestValidateUTSWithoutUTSNamespace(t *testing.T) {
function TestValidateSecurityWithMaskPaths (line 128) | func TestValidateSecurityWithMaskPaths(t *testing.T) {
function TestValidateSecurityWithROPaths (line 145) | func TestValidateSecurityWithROPaths(t *testing.T) {
function TestValidateSecurityWithoutNEWNS (line 162) | func TestValidateSecurityWithoutNEWNS(t *testing.T) {
function TestValidateUserNamespace (line 175) | func TestValidateUserNamespace(t *testing.T) {
function TestValidateUsernsMappingWithoutNamespace (line 196) | func TestValidateUsernsMappingWithoutNamespace(t *testing.T) {
function TestValidateTimeNamespace (line 209) | func TestValidateTimeNamespace(t *testing.T) {
function TestValidateTimeNamespaceWithBothPathAndTimeOffset (line 228) | func TestValidateTimeNamespaceWithBothPathAndTimeOffset(t *testing.T) {
function TestValidateTimeOffsetsWithoutTimeNamespace (line 251) | func TestValidateTimeOffsetsWithoutTimeNamespace(t *testing.T) {
function TestConvertSysctlVariableToDotsSeparator (line 268) | func TestConvertSysctlVariableToDotsSeparator(t *testing.T) {
function TestValidateSysctl (line 291) | func TestValidateSysctl(t *testing.T) {
function TestValidateValidSysctl (line 315) | func TestValidateValidSysctl(t *testing.T) {
function TestValidateSysctlWithSameNs (line 347) | func TestValidateSysctlWithSameNs(t *testing.T) {
function TestValidateSysctlWithBindHostNetNS (line 367) | func TestValidateSysctlWithBindHostNetNS(t *testing.T) {
function TestValidateSysctlWithoutNETNamespace (line 407) | func TestValidateSysctlWithoutNETNamespace(t *testing.T) {
function TestValidateMounts (line 420) | func TestValidateMounts(t *testing.T) {
function TestValidateBindMounts (line 451) | func TestValidateBindMounts(t *testing.T) {
function TestValidateIDMapMounts (line 494) | func TestValidateIDMapMounts(t *testing.T) {
function TestValidateScheduler (line 794) | func TestValidateScheduler(t *testing.T) {
function TestValidateIOPriority (line 847) | func TestValidateIOPriority(t *testing.T) {
function TestValidateNetDevices (line 882) | func TestValidateNetDevices(t *testing.T) {
function TestValidateUserSysctlWithUserNamespace (line 1023) | func TestValidateUserSysctlWithUserNamespace(t *testing.T) {
function TestValidateUserSysctlWithoutUserNamespace (line 1045) | func TestValidateUserSysctlWithoutUserNamespace(t *testing.T) {
function TestDevValidName (line 1057) | func TestDevValidName(t *testing.T) {
FILE: libcontainer/console_linux.go
function checkPtmxHandle (line 22) | func checkPtmxHandle(ptmx *os.File) error {
function isPtyNoIoctlError (line 45) | func isPtyNoIoctlError(err error) bool {
function getPtyPeer (line 51) | func getPtyPeer(pty console.Console, unsafePeerPath string, flags int) (...
function safeAllocPty (line 98) | func safeAllocPty() (pty console.Console, peer *os.File, Err error) {
function mountConsole (line 140) | func mountConsole(peerPty *os.File) error {
function dupStdio (line 158) | func dupStdio(peerPty *os.File) error {
FILE: libcontainer/container.go
type Status (line 14) | type Status
method String (line 27) | func (s Status) String() string {
constant Created (line 18) | Created Status = iota
constant Running (line 20) | Running
constant Paused (line 22) | Paused
constant Stopped (line 24) | Stopped
type BaseState (line 44) | type BaseState struct
FILE: libcontainer/container_linux.go
constant stdioFdCount (line 30) | stdioFdCount = 3
type Container (line 33) | type Container struct
method ID (line 83) | func (c *Container) ID() string {
method Config (line 88) | func (c *Container) Config() configs.Config {
method Status (line 93) | func (c *Container) Status() (Status, error) {
method State (line 100) | func (c *Container) State() (*State, error) {
method OCIState (line 107) | func (c *Container) OCIState() (*specs.State, error) {
method ignoreCgroupError (line 115) | func (c *Container) ignoreCgroupError(err error) error {
method Processes (line 131) | func (c *Container) Processes() ([]int, error) {
method Stats (line 140) | func (c *Container) Stats() (*Stats, error) {
method Set (line 168) | func (c *Container) Set(config configs.Config) error {
method Start (line 205) | func (c *Container) Start(process *Process) error {
method Run (line 214) | func (c *Container) Run(process *Process) error {
method Exec (line 227) | func (c *Container) Exec() error {
method exec (line 233) | func (c *Container) exec() error {
method start (line 309) | func (c *Container) start(process *Process) (retErr error) {
method Signal (line 396) | func (c *Container) Signal(s os.Signal) error {
method signal (line 428) | func (c *Container) signal(s os.Signal) error {
method createExecFifo (line 447) | func (c *Container) createExecFifo() (retErr error) {
method deleteExecFifo (line 473) | func (c *Container) deleteExecFifo() {
method includeExecFifo (line 482) | func (c *Container) includeExecFifo(cmd *exec.Cmd) error {
method newParentProcess (line 496) | func (c *Container) newParentProcess(p *Process) (parentProcess, error) {
method newInitProcess (line 625) | func (c *Container) newInitProcess(p *Process, cmd *exec.Cmd, comm *pr...
method newSetnsProcess (line 654) | func (c *Container) newSetnsProcess(p *Process, cmd *exec.Cmd, comm *p...
method newInitConfig (line 680) | func (c *Container) newInitConfig(process *Process) *initConfig {
method Destroy (line 750) | func (c *Container) Destroy() error {
method Pause (line 761) | func (c *Container) Pause() error {
method Resume (line 784) | func (c *Container) Resume() error {
method NotifyOOM (line 804) | func (c *Container) NotifyOOM() (<-chan struct{}, error) {
method NotifyMemoryPressure (line 818) | func (c *Container) NotifyMemoryPressure(level PressureLevel) (<-chan ...
method updateState (line 826) | func (c *Container) updateState(process parentProcess) (*State, error) {
method saveState (line 837) | func (c *Container) saveState(s *State) (retErr error) {
method currentStatus (line 863) | func (c *Container) currentStatus() (Status, error) {
method refreshState (line 874) | func (c *Container) refreshState() error {
method hasInit (line 894) | func (c *Container) hasInit() bool {
method isPaused (line 909) | func (c *Container) isPaused() (bool, error) {
method currentState (line 917) | func (c *Container) currentState() *State {
method currentOCIState (line 967) | func (c *Container) currentOCIState() (*specs.State, error) {
method orderNamespacePaths (line 990) | func (c *Container) orderNamespacePaths(namespaces map[configs.Namespa...
method bootstrapData (line 1043) | func (c *Container) bootstrapData(cloneFlags uintptr, nsMaps map[confi...
type State (line 49) | type State struct
function readFromExecFifo (line 256) | func readFromExecFifo(execFifo io.Reader) error {
function awaitFifoOpen (line 267) | func awaitFifoOpen(path string) <-chan openResult {
function fifoOpen (line 276) | func fifoOpen(path string, block bool) openResult {
function handleFifoResult (line 288) | func handleFifoResult(result openResult) error {
type openResult (line 304) | type openResult struct
function encodeIDMapping (line 1021) | func encodeIDMapping(idMap []configs.IDMap) ([]byte, error) {
type netlinkError (line 1035) | type netlinkError struct
function ignoreTerminateErrors (line 1164) | func ignoreTerminateErrors(err error) error {
function requiresRootOrMappingTool (line 1186) | func requiresRootOrMappingTool(c *configs.Config) bool {
FILE: libcontainer/container_linux_test.go
type mockCgroupManager (line 13) | type mockCgroupManager struct
method GetPids (line 19) | func (m *mockCgroupManager) GetPids() ([]int, error) {
method GetAllPids (line 23) | func (m *mockCgroupManager) GetAllPids() ([]int, error) {
method GetStats (line 27) | func (m *mockCgroupManager) GetStats() (*cgroups.Stats, error) {
method Apply (line 31) | func (m *mockCgroupManager) Apply(pid int) error {
method AddPid (line 35) | func (m *mockCgroupManager) AddPid(_ string, _ int) error {
method Set (line 39) | func (m *mockCgroupManager) Set(_ *cgroups.Resources) error {
method Destroy (line 43) | func (m *mockCgroupManager) Destroy() error {
method Exists (line 47) | func (m *mockCgroupManager) Exists() bool {
method OOMKillCount (line 52) | func (m *mockCgroupManager) OOMKillCount() (uint64, error) {
method GetPaths (line 56) | func (m *mockCgroupManager) GetPaths() map[string]string {
method Path (line 60) | func (m *mockCgroupManager) Path(subsys string) string {
method Freeze (line 64) | func (m *mockCgroupManager) Freeze(_ cgroups.FreezerState) error {
method GetCgroups (line 68) | func (m *mockCgroupManager) GetCgroups() (*cgroups.Cgroup, error) {
method GetFreezerState (line 72) | func (m *mockCgroupManager) GetFreezerState() (cgroups.FreezerState, e...
type mockProcess (line 76) | type mockProcess struct
method terminate (line 81) | func (m *mockProcess) terminate() error {
method pid (line 85) | func (m *mockProcess) pid() int {
method startTime (line 89) | func (m *mockProcess) startTime() (uint64, error) {
method start (line 93) | func (m *mockProcess) start() error {
method wait (line 97) | func (m *mockProcess) wait() (*os.ProcessState, error) {
method signal (line 101) | func (m *mockProcess) signal(_ os.Signal) error {
method externalDescriptors (line 105) | func (m *mockProcess) externalDescriptors() []string {
method setExternalDescriptors (line 109) | func (m *mockProcess) setExternalDescriptors(newFds []string) {
method forwardChildLogs (line 112) | func (m *mockProcess) forwardChildLogs() chan error {
function TestGetContainerPids (line 116) | func TestGetContainerPids(t *testing.T) {
function TestGetContainerState (line 149) | func TestGetContainerState(t *testing.T) {
function TestGetContainerStateAfterUpdate (line 232) | func TestGetContainerStateAfterUpdate(t *testing.T) {
FILE: libcontainer/criu_disabled_linux.go
method Restore (line 9) | func (c *Container) Restore(process *Process, criuOpts *CriuOpts) error {
method Checkpoint (line 13) | func (c *Container) Checkpoint(criuOpts *CriuOpts) error {
FILE: libcontainer/criu_linux.go
method checkCriuFeatures (line 37) | func (c *Container) checkCriuFeatures(criuOpts *CriuOpts, criuFeat *criu...
function compareCriuVersion (line 83) | func compareCriuVersion(criuVersion, minVersion int) error {
method checkCriuVersion (line 93) | func (c *Container) checkCriuVersion(minVersion int) error {
constant descriptorsFilename (line 110) | descriptorsFilename = "descriptors.json"
method addCriuDumpMount (line 112) | func (c *Container) addCriuDumpMount(req *criurpc.CriuReq, m *configs.Mo...
method addMaskPaths (line 124) | func (c *Container) addMaskPaths(req *criurpc.CriuReq) error {
method handleCriuConfigurationFile (line 146) | func (c *Container) handleCriuConfigurationFile(rpcOpts *criurpc.CriuOpt...
method criuSupportsExtNS (line 171) | func (c *Container) criuSupportsExtNS(t configs.NamespaceType) bool {
function criuNsToKey (line 187) | func criuNsToKey(t configs.NamespaceType) string {
method handleCheckpointingExternalNamespaces (line 203) | func (c *Container) handleCheckpointingExternalNamespaces(rpcOpts *criur...
method handleRestoringNamespaces (line 225) | func (c *Container) handleRestoringNamespaces(rpcOpts *criurpc.CriuOpts,...
method handleRestoringExternalNamespaces (line 263) | func (c *Container) handleRestoringExternalNamespaces(rpcOpts *criurpc.C...
method Checkpoint (line 294) | func (c *Container) Checkpoint(criuOpts *CriuOpts) error {
method addCriuRestoreMount (line 508) | func (c *Container) addCriuRestoreMount(req *criurpc.CriuReq, m *configs...
method restoreNetwork (line 520) | func (c *Container) restoreNetwork(req *criurpc.CriuReq, criuOpts *CriuO...
function isOnTmpfs (line 540) | func isOnTmpfs(path string, mounts []*configs.Mount) bool {
method prepareCriuRestoreMounts (line 555) | func (c *Container) prepareCriuRestoreMounts(mounts []*configs.Mount) er...
method Restore (line 629) | func (c *Container) Restore(process *Process, criuOpts *CriuOpts) error {
function logCriuErrors (line 812) | func logCriuErrors(dir, file string) {
method criuApplyCgroups (line 860) | func (c *Container) criuApplyCgroups(pid int, req *criurpc.CriuReq) error {
method criuSwrk (line 894) | func (c *Container) criuSwrk(process *Process, req *criurpc.CriuReq, opt...
function lockNetwork (line 1075) | func lockNetwork(config *configs.Config) error {
function unlockNetwork (line 1089) | func unlockNetwork(config *configs.Config) error {
method criuNotifications (line 1102) | func (c *Container) criuNotifications(resp *criurpc.CriuResp, process *P...
function criuCgMode (line 1207) | func criuCgMode(mode string) (criurpc.CriuCgMode, error) {
FILE: libcontainer/criu_opts_linux.go
type CriuPageServerInfo (line 3) | type CriuPageServerInfo struct
type VethPairName (line 8) | type VethPairName struct
type CriuOpts (line 13) | type CriuOpts struct
FILE: libcontainer/devices/device_unix.go
function DeviceFromPath (line 26) | func DeviceFromPath(path, permissions string) (*config.Device, error) {
function HostDevices (line 65) | func HostDevices() ([]*config.Device, error) {
function GetDevices (line 71) | func GetDevices(path string) ([]*config.Device, error) {
FILE: libcontainer/devices/device_unix_test.go
function cleanupTest (line 15) | func cleanupTest() {
function TestDeviceFromPathLstatFailure (line 20) | func TestDeviceFromPathLstatFailure(t *testing.T) {
function TestHostDevicesIoutilReadDirFailure (line 35) | func TestHostDevicesIoutilReadDirFailure(t *testing.T) {
function TestHostDevicesIoutilReadDirDeepFailure (line 50) | func TestHostDevicesIoutilReadDirDeepFailure(t *testing.T) {
function TestHostDevicesAllValid (line 77) | func TestHostDevicesAllValid(t *testing.T) {
FILE: libcontainer/env.go
function prepareEnv (line 24) | func prepareEnv(env []string, uid int) ([]string, error) {
function getUserHome (line 87) | func getUserHome(uid int) (string, error) {
FILE: libcontainer/env_test.go
function TestPrepareEnv (line 10) | func TestPrepareEnv(t *testing.T) {
FILE: libcontainer/example_test.go
function Example_container (line 25) | func Example_container() {
FILE: libcontainer/exeseal/cloned_binary_linux.go
type SealFunc (line 17) | type SealFunc
function isExecutable (line 24) | func isExecutable(f *os.File) bool {
constant baseMemfdSeals (line 41) | baseMemfdSeals = unix.F_SEAL_SEAL | unix.F_SEAL_SHRINK | unix.F_SEAL_GRO...
function sealMemfd (line 43) | func sealMemfd(f **os.File) error {
function Memfd (line 66) | func Memfd(comment string) (*os.File, SealFunc, error) {
function sealFile (line 71) | func sealFile(f **os.File) error {
function otmpfile (line 86) | func otmpfile(dir string) (*os.File, SealFunc, error) {
function mktemp (line 104) | func mktemp(dir string) (*os.File, SealFunc, error) {
function getSealableFile (line 125) | func getSealableFile(comment, tmpDir string) (file *os.File, sealFn Seal...
function CloneBinary (line 181) | func CloneBinary(src io.Reader, size int64, name, tmpDir string) (*os.Fi...
function IsCloned (line 203) | func IsCloned(exe *os.File) bool {
function CloneSelfExe (line 219) | func CloneSelfExe(tmpDir string) (*os.File, error) {
function IsSelfExeCloned (line 255) | func IsSelfExeCloned() bool {
FILE: libcontainer/exeseal/overlayfs_linux.go
function fsopen (line 15) | func fsopen(fsName string, flags int) (*os.File, error) {
function fsmount (line 25) | func fsmount(ctx *os.File, flags, mountAttrs int) (*os.File, error) {
function escapeOverlayLowerDir (line 36) | func escapeOverlayLowerDir(path string) string {
function sealedOverlayfs (line 53) | func sealedOverlayfs(binPath, tmpDir string) (_ *os.File, Err error) {
FILE: libcontainer/factory_linux.go
constant stateFilename (line 21) | stateFilename = "state.json"
constant execFifoFilename (line 22) | execFifoFilename = "exec.fifo"
function Create (line 35) | func Create(root, id string, config *configs.Config) (*Container, error) {
function Load (line 108) | func Load(root, id string) (*Container, error) {
function loadState (line 150) | func loadState(root string) (*State, error) {
function validateID (line 192) | func validateID(id string) error {
FILE: libcontainer/factory_linux_test.go
function TestFactoryLoadNotExists (line 16) | func TestFactoryLoadNotExists(t *testing.T) {
function TestFactoryLoadContainer (line 27) | func TestFactoryLoadContainer(t *testing.T) {
function marshal (line 84) | func marshal(path string, v any) error {
type unserializableHook (line 93) | type unserializableHook struct
method Run (line 95) | func (unserializableHook) Run(*specs.State) error {
FILE: libcontainer/init_linux.go
type initType (line 32) | type initType
constant initSetns (line 35) | initSetns initType = "setns"
constant initStandard (line 36) | initStandard initType = "standard"
type pid (line 39) | type pid struct
type network (line 45) | type network struct
type initConfig (line 62) | type initConfig struct
function Init (line 105) | func Init() {
function startInitialization (line 127) | func startInitialization() (retErr error) {
function containerInit (line 240) | func containerInit(t initType, config *initConfig, pipe *syncSocket, con...
function verifyCwd (line 272) | func verifyCwd() error {
function finalizeNamespace (line 299) | func finalizeNamespace(config *initConfig) error {
function setupConsole (line 374) | func setupConsole(socket *os.File, config *initConfig, mount bool) error {
function syncParentReady (line 421) | func syncParentReady(pipe *syncSocket) error {
function syncParentHooks (line 433) | func syncParentHooks(pipe *syncSocket) error {
function syncParentSeccomp (line 444) | func syncParentSeccomp(pipe *syncSocket, seccompFd int) error {
function setupUser (line 467) | func setupUser(config *initConfig) error {
function fixStdioPermissions (line 517) | func fixStdioPermissions(uid int) error {
function setupNetwork (line 557) | func setupNetwork(config *initConfig) error {
function setupRoute (line 570) | func setupRoute(config *configs.Config) error {
function maybeClearRlimitNofileCache (line 602) | func maybeClearRlimitNofileCache(limits []configs.Rlimit) {
function setupRlimits (line 614) | func setupRlimits(limits []configs.Rlimit, pid int) error {
function setupScheduler (line 623) | func setupScheduler(config *initConfig) error {
function setupIOPriority (line 640) | func setupIOPriority(config *initConfig) error {
function setupMemoryPolicy (line 669) | func setupMemoryPolicy(config *configs.Config) error {
function setupPersonality (line 677) | func setupPersonality(config *configs.Config) error {
function signalAllProcesses (line 683) | func signalAllProcesses(m cgroups.Manager, s unix.Signal) error {
function setupPidfd (line 723) | func setupPidfd(socket *os.File, initType string) error {
FILE: libcontainer/integration/bench_test.go
function BenchmarkExecTrue (line 13) | func BenchmarkExecTrue(b *testing.B) {
function genBigEnv (line 51) | func genBigEnv(count int) []string {
function BenchmarkExecInBigEnv (line 71) | func BenchmarkExecInBigEnv(b *testing.B) {
FILE: libcontainer/integration/checkpoint_test.go
function criuFeature (line 16) | func criuFeature(feature string) bool {
function TestUsernsCheckpoint (line 20) | func TestUsernsCheckpoint(t *testing.T) {
function TestCheckpoint (line 24) | func TestCheckpoint(t *testing.T) {
function testCheckpoint (line 28) | func testCheckpoint(t *testing.T, userns bool) {
FILE: libcontainer/integration/exec_test.go
function TestExecPS (line 30) | func TestExecPS(t *testing.T) {
function TestUsernsExecPS (line 34) | func TestUsernsExecPS(t *testing.T) {
function testExecPS (line 39) | func testExecPS(t *testing.T, userns bool) {
function TestIPCPrivate (line 57) | func TestIPCPrivate(t *testing.T) {
function TestIPCHost (line 73) | func TestIPCHost(t *testing.T) {
function TestIPCJoinPath (line 90) | func TestIPCJoinPath(t *testing.T) {
function TestIPCBadPath (line 107) | func TestIPCBadPath(t *testing.T) {
function TestRlimit (line 120) | func TestRlimit(t *testing.T) {
function TestUsernsRlimit (line 124) | func TestUsernsRlimit(t *testing.T) {
function testRlimit (line 129) | func testRlimit(t *testing.T, userns bool) {
function TestEnter (line 151) | func TestEnter(t *testing.T) {
function TestProcessEnv (line 234) | func TestProcessEnv(t *testing.T) {
function TestProcessEmptyCaps (line 277) | func TestProcessEmptyCaps(t *testing.T) {
function TestProcessCaps (line 322) | func TestProcessCaps(t *testing.T) {
function TestAdditionalGroups (line 382) | func TestAdditionalGroups(t *testing.T) {
function TestFreeze (line 418) | func TestFreeze(t *testing.T) {
function testFreeze (line 439) | func testFreeze(t *testing.T, withSystemd, useSet bool) {
function TestCpuShares (line 493) | func TestCpuShares(t *testing.T) {
function TestCpuSharesSystemd (line 497) | func TestCpuSharesSystemd(t *testing.T) {
function testCpuShares (line 504) | func testCpuShares(t *testing.T, systemd bool) {
function TestPids (line 520) | func TestPids(t *testing.T) {
function TestPidsSystemd (line 524) | func TestPidsSystemd(t *testing.T) {
function mkPtr (line 531) | func mkPtr[T any](v T) *T { return &v }
function testPids (line 533) | func testPids(t *testing.T, systemd bool) {
function TestCgroupResourcesUnifiedErrorOnV1 (line 579) | func TestCgroupResourcesUnifiedErrorOnV1(t *testing.T) {
function TestCgroupResourcesUnifiedErrorOnV1Systemd (line 583) | func TestCgroupResourcesUnifiedErrorOnV1Systemd(t *testing.T) {
function testCgroupResourcesUnifiedErrorOnV1 (line 590) | func testCgroupResourcesUnifiedErrorOnV1(t *testing.T, systemd bool) {
function TestCgroupResourcesUnified (line 608) | func TestCgroupResourcesUnified(t *testing.T) {
function TestCgroupResourcesUnifiedSystemd (line 612) | func TestCgroupResourcesUnifiedSystemd(t *testing.T) {
function testCgroupResourcesUnified (line 619) | func testCgroupResourcesUnified(t *testing.T, systemd bool) {
function TestContainerState (line 711) | func TestContainerState(t *testing.T) {
function TestPassExtraFiles (line 760) | func TestPassExtraFiles(t *testing.T) {
function TestSysctl (line 810) | func TestSysctl(t *testing.T) {
function TestMountCgroupRO (line 850) | func TestMountCgroupRO(t *testing.T) {
function TestMountCgroupRW (line 884) | func TestMountCgroupRW(t *testing.T) {
function TestOomScoreAdj (line 926) | func TestOomScoreAdj(t *testing.T) {
function TestHook (line 960) | func TestHook(t *testing.T) {
function TestSTDIOPermissions (line 1104) | func TestSTDIOPermissions(t *testing.T) {
function unmountOp (line 1117) | func unmountOp(path string) {
function TestRootfsPropagationSlaveMount (line 1125) | func TestRootfsPropagationSlaveMount(t *testing.T) {
function TestRootfsPropagationSharedMount (line 1238) | func TestRootfsPropagationSharedMount(t *testing.T) {
function TestPIDHost (line 1343) | func TestPIDHost(t *testing.T) {
function TestHostPidnsInitKill (line 1360) | func TestHostPidnsInitKill(t *testing.T) {
function TestSharedPidnsInitKill (line 1367) | func TestSharedPidnsInitKill(t *testing.T) {
function testPidnsInitKill (line 1374) | func testPidnsInitKill(t *testing.T, config *configs.Config) {
function TestInitJoinPID (line 1418) | func TestInitJoinPID(t *testing.T) {
function TestInitJoinNetworkAndUser (line 1515) | func TestInitJoinNetworkAndUser(t *testing.T) {
function TestTmpfsCopyUp (line 1602) | func TestTmpfsCopyUp(t *testing.T) {
function TestCGROUPPrivate (line 1641) | func TestCGROUPPrivate(t *testing.T) {
function TestCGROUPHost (line 1661) | func TestCGROUPHost(t *testing.T) {
function TestFdLeaks (line 1680) | func TestFdLeaks(t *testing.T) {
function TestFdLeaksSystemd (line 1684) | func TestFdLeaksSystemd(t *testing.T) {
function fdList (line 1691) | func fdList(t *testing.T) []string {
function testFdLeaks (line 1707) | func testFdLeaks(t *testing.T, systemd bool) {
function TestBindMountAndUser (line 1766) | func TestBindMountAndUser(t *testing.T) {
FILE: libcontainer/integration/execin_test.go
function TestExecIn (line 22) | func TestExecIn(t *testing.T) {
function TestExecInUsernsRlimit (line 71) | func TestExecInUsernsRlimit(t *testing.T) {
function TestExecInRlimit (line 76) | func TestExecInRlimit(t *testing.T) {
function testExecInRlimit (line 80) | func testExecInRlimit(t *testing.T, userns bool) {
function TestExecInAdditionalGroups (line 130) | func TestExecInAdditionalGroups(t *testing.T) {
function TestExecInError (line 183) | func TestExecInError(t *testing.T) {
function TestExecInTTY (line 228) | func TestExecInTTY(t *testing.T) {
function TestExecInEnvironment (line 320) | func TestExecInEnvironment(t *testing.T) {
function TestExecinPassExtraFiles (line 390) | func TestExecinPassExtraFiles(t *testing.T) {
function TestExecInOomScoreAdj (line 455) | func TestExecInOomScoreAdj(t *testing.T) {
function TestExecInUserns (line 501) | func TestExecInUserns(t *testing.T) {
FILE: libcontainer/integration/init_test.go
function init (line 14) | func init() {
function TestMain (line 20) | func TestMain(m *testing.M) {
FILE: libcontainer/integration/seccomp_test.go
function TestSeccompDenySyslogWithErrno (line 15) | func TestSeccompDenySyslogWithErrno(t *testing.T) {
function TestSeccompDenySyslog (line 66) | func TestSeccompDenySyslog(t *testing.T) {
function TestSeccompPermitWriteConditional (line 114) | func TestSeccompPermitWriteConditional(t *testing.T) {
function TestSeccompDenyWriteConditional (line 159) | func TestSeccompDenyWriteConditional(t *testing.T) {
function TestSeccompPermitWriteMultipleConditions (line 223) | func TestSeccompPermitWriteMultipleConditions(t *testing.T) {
function TestSeccompDenyWriteMultipleConditions (line 259) | func TestSeccompDenyWriteMultipleConditions(t *testing.T) {
function TestSeccompMultipleConditionSameArgDeniesStdout (line 309) | func TestSeccompMultipleConditionSameArgDeniesStdout(t *testing.T) {
function TestSeccompMultipleConditionSameArgDeniesStderr (line 345) | func TestSeccompMultipleConditionSameArgDeniesStderr(t *testing.T) {
FILE: libcontainer/integration/template_test.go
constant defaultMountFlags (line 23) | defaultMountFlags = unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV
type tParam (line 25) | type tParam struct
function newTemplateConfig (line 36) | func newTemplateConfig(t testing.TB, p *tParam) *configs.Config {
FILE: libcontainer/integration/update_test.go
function testUpdateDevices (line 14) | func testUpdateDevices(t *testing.T, systemd bool) {
function TestUpdateDevices (line 89) | func TestUpdateDevices(t *testing.T) {
function TestUpdateDevicesSystemd (line 93) | func TestUpdateDevicesSystemd(t *testing.T) {
FILE: libcontainer/integration/utils_test.go
function init (line 27) | func init() {
function ptrInt (line 52) | func ptrInt(v int) *int {
function newStdBuffers (line 56) | func newStdBuffers() *stdBuffers {
type stdBuffers (line 64) | type stdBuffers struct
method String (line 70) | func (b *stdBuffers) String() string {
function ok (line 82) | func ok(t testing.TB, err error) {
function waitProcess (line 89) | func waitProcess(p *libcontainer.Process, t testing.TB) {
function newRootfs (line 103) | func newRootfs(t testing.TB) string {
function traversePath (line 122) | func traversePath(tPath string) error {
function remove (line 155) | func remove(dir string) {
function copyBusybox (line 161) | func copyBusybox(dest string) error {
function newContainer (line 169) | func newContainer(t testing.TB, config *configs.Config) (*libcontainer.C...
function runContainer (line 180) | func runContainer(t testing.TB, config *configs.Config, args ...string) ...
function runContainerOk (line 218) | func runContainerOk(t testing.TB, config *configs.Config, args ...string...
function destroyContainer (line 232) | func destroyContainer(container *libcontainer.Container) {
function needUserNS (line 236) | func needUserNS(t testing.TB) {
FILE: libcontainer/intelrdt/cmt.go
function IsCMTEnabled (line 6) | func IsCMTEnabled() bool {
function getCMTNumaNodeStats (line 11) | func getCMTNumaNodeStats(numaPath string) (*CMTNumaNodeStats, error) {
FILE: libcontainer/intelrdt/cmt_test.go
function TestGetCMTNumaNodeStats (line 8) | func TestGetCMTNumaNodeStats(t *testing.T) {
function checkCMTStatCorrection (line 38) | func checkCMTStatCorrection(got, expected CMTNumaNodeStats, t *testing.T) {
FILE: libcontainer/intelrdt/intelrdt.go
type Manager (line 149) | type Manager struct
method Apply (line 445) | func (m *Manager) Apply(pid int) (err error) {
method Destroy (line 490) | func (m *Manager) Destroy() error {
method GetPath (line 517) | func (m *Manager) GetPath() string {
method GetMonPath (line 524) | func (m *Manager) GetMonPath() string {
method GetStats (line 537) | func (m *Manager) GetStats() (*Stats, error) {
method Set (line 634) | func (m *Manager) Set(container *configs.Config) error {
function NewManager (line 160) | func NewManager(config *configs.Config, id, path string) *Manager {
function newManager (line 188) | func newManager(config *configs.Config, id, path string) *Manager {
constant intelRdtTasks (line 197) | intelRdtTasks = "tasks"
function featuresInit (line 213) | func featuresInit() {
function findIntelRdtMountpointDir (line 249) | func findIntelRdtMountpointDir() (string, error) {
constant defaultResctrlMountpoint (line 277) | defaultResctrlMountpoint = "/sys/fs/resctrl"
function Root (line 280) | func Root() (string, error) {
function getIntelRdtParamUint (line 306) | func getIntelRdtParamUint(path, file string) (uint64, error) {
function getIntelRdtParamString (line 321) | func getIntelRdtParamString(path, file string) (string, error) {
function getL3CacheInfo (line 331) | func getL3CacheInfo() (*L3CacheInfo, error) {
function getMemBwInfo (line 361) | func getMemBwInfo() (*MemBwInfo, error) {
function getLastCmdStatus (line 396) | func getLastCmdStatus() (string, error) {
function WriteIntelRdtTasks (line 412) | func WriteIntelRdtTasks(dir string, pid int) error {
function IsEnabled (line 427) | func IsEnabled() bool {
function IsCATEnabled (line 433) | func IsCATEnabled() bool {
function IsMBAEnabled (line 439) | func IsMBAEnabled() bool {
function newLastCmdError (line 705) | func newLastCmdError(err error) error {
FILE: libcontainer/intelrdt/intelrdt_test.go
function TestIntelRdtSet (line 14) | func TestIntelRdtSet(t *testing.T) {
function TestApply (line 129) | func TestApply(t *testing.T) {
function TestDestroy (line 210) | func TestDestroy(t *testing.T) {
FILE: libcontainer/intelrdt/mbm.go
function IsMBMEnabled (line 7) | func IsMBMEnabled() bool {
function getMBMNumaNodeStats (line 12) | func getMBMNumaNodeStats(numaPath string) (*MBMNumaNodeStats, error) {
FILE: libcontainer/intelrdt/mbm_test.go
function TestGetMBMNumaNodeStats (line 8) | func TestGetMBMNumaNodeStats(t *testing.T) {
function checkMBMStatCorrection (line 41) | func checkMBMStatCorrection(got, expected MBMNumaNodeStats, t *testing.T) {
FILE: libcontainer/intelrdt/monitoring.go
type monFeatures (line 14) | type monFeatures struct
function getMonFeatures (line 20) | func getMonFeatures(intelRdtRoot string) (monFeatures, error) {
function parseMonFeatures (line 29) | func parseMonFeatures(reader io.Reader) (monFeatures, error) {
function getMonitoringStats (line 50) | func getMonitoringStats(containerPath string, stats *Stats) error {
FILE: libcontainer/intelrdt/monitoring_test.go
function TestParseMonFeatures (line 11) | func TestParseMonFeatures(t *testing.T) {
function mockResctrlL3_MON (line 40) | func mockResctrlL3_MON(t *testing.T, NUMANodes []string, mocks map[strin...
function TestGetMonitoringStats (line 64) | func TestGetMonitoringStats(t *testing.T) {
FILE: libcontainer/intelrdt/stats.go
type L3CacheInfo (line 3) | type L3CacheInfo struct
type MemBwInfo (line 9) | type MemBwInfo struct
type MBMNumaNodeStats (line 16) | type MBMNumaNodeStats struct
type CMTNumaNodeStats (line 24) | type CMTNumaNodeStats struct
type Stats (line 29) | type Stats struct
function newStats (line 58) | func newStats() *Stats {
FILE: libcontainer/intelrdt/util_test.go
type intelRdtTestUtil (line 15) | type intelRdtTestUtil struct
function NewIntelRdtTestUtil (line 25) | func NewIntelRdtTestUtil(t *testing.T) *intelRdtTestUtil {
FILE: libcontainer/internal/userns/userns_maps_linux.c
function bail (line 21) | void bail(int pipefd, const char *fmt, ...)
function spawn_userns_cat (line 32) | int spawn_userns_cat(char *userns_path, char *path, int outfd, int errfd)
FILE: libcontainer/internal/userns/userns_maps_linux.go
function parseIdmapData (line 23) | func parseIdmapData(data []byte) (ms []configs.IDMap, err error) {
function spawnUserNamespaceCat (line 42) | func spawnUserNamespaceCat(nsPath, path string) ([]byte, error) {
function GetUserNamespaceMappings (line 112) | func GetUserNamespaceMappings(nsPath string) (uidMap, gidMap []configs.I...
function IsSameMapping (line 176) | func IsSameMapping(a, b []configs.IDMap) bool {
FILE: libcontainer/internal/userns/usernsfd_linux.go
type Mapping (line 17) | type Mapping struct
method toSys (line 22) | func (m Mapping) toSys() (uids, gids []syscall.SysProcIDMap) {
method id (line 43) | func (m Mapping) id() string {
type Handles (line 58) | type Handles struct
method Release (line 66) | func (hs *Handles) Release() {
method Get (line 123) | func (hs *Handles) Get(req Mapping) (file *os.File, err error) {
function spawnProc (line 77) | func spawnProc(req Mapping) (*os.Process, error) {
function dupFile (line 110) | func dupFile(f *os.File) (*os.File, error) {
FILE: libcontainer/internal/userns/usernsfd_linux_test.go
function BenchmarkSpawnProc (line 10) | func BenchmarkSpawnProc(b *testing.B) {
FILE: libcontainer/keys/keyctl.go
type KeySerial (line 13) | type KeySerial
function JoinSessionKeyring (line 15) | func JoinSessionKeyring(name string) (KeySerial, error) {
function ModKeyringPerm (line 26) | func ModKeyringPerm(ringID KeySerial, mask, setbits uint32) error {
FILE: libcontainer/logs/logs.go
function ForwardLogs (line 17) | func ForwardLogs(logPipe io.ReadCloser) chan error {
function processEntry (line 56) | func processEntry(text []byte, logger *logrus.Logger, fatals []byte) []b...
FILE: libcontainer/logs/logs_linux_test.go
constant msgErr (line 13) | msgErr = `"level":"error"`
function TestLoggingToFile (line 15) | func TestLoggingToFile(t *testing.T) {
function TestLogForwardingDoesNotStopOnJsonDecodeErr (line 24) | func TestLogForwardingDoesNotStopOnJsonDecodeErr(t *testing.T) {
function TestLogForwardingDoesNotStopOnLogLevelParsingErr (line 38) | func TestLogForwardingDoesNotStopOnLogLevelParsingErr(t *testing.T) {
function TestLogForwardingStopsAfterClosingTheWriter (line 53) | func TestLogForwardingStopsAfterClosingTheWriter(t *testing.T) {
function logToLogWriter (line 70) | func logToLogWriter(t *testing.T, l *log, message string) {
type log (line 78) | type log struct
function runLogForwarding (line 84) | func runLogForwarding(t *testing.T) *log {
function finish (line 111) | func finish(t *testing.T, l *log) {
function truncateLogFile (line 119) | func truncateLogFile(t *testing.T, file *os.File) {
function check (line 129) | func check(t *testing.T, l *log, txt, notxt string) {
function checkWait (line 145) | func checkWait(t *testing.T, l *log, txt, notxt string) {
FILE: libcontainer/message_linux.go
constant InitMsg (line 14) | InitMsg uint16 = 62000
constant CloneFlagsAttr (line 15) | CloneFlagsAttr uint16 = 27281
constant NsPathsAttr (line 16) | NsPathsAttr uint16 = 27282
constant UidmapAttr (line 17) | UidmapAttr uint16 = 27283
constant GidmapAttr (line 18) | GidmapAttr uint16 = 27284
constant SetgroupAttr (line 19) | SetgroupAttr uint16 = 27285
constant OomScoreAdjAttr (line 20) | OomScoreAdjAttr uint16 = 27286
constant RootlessEUIDAttr (line 21) | RootlessEUIDAttr uint16 = 27287
constant UidmapPathAttr (line 22) | UidmapPathAttr uint16 = 27288
constant GidmapPathAttr (line 23) | GidmapPathAttr uint16 = 27289
constant TimeOffsetsAttr (line 24) | TimeOffsetsAttr uint16 = 27290
type Int32msg (line 27) | type Int32msg struct
method Serialize (line 36) | func (msg *Int32msg) Serialize() []byte {
method Len (line 45) | func (msg *Int32msg) Len() int {
type Bytemsg (line 52) | type Bytemsg struct
method Serialize (line 57) | func (msg *Bytemsg) Serialize() []byte {
method Len (line 73) | func (msg *Bytemsg) Len() int {
type Boolmsg (line 77) | type Boolmsg struct
method Serialize (line 82) | func (msg *Boolmsg) Serialize() []byte {
method Len (line 95) | func (msg *Boolmsg) Len() int {
FILE: libcontainer/mount_linux.go
type mountSourceType (line 22) | type mountSourceType
constant mountSourceOpenTree (line 27) | mountSourceOpenTree mountSourceType = "open_tree"
constant mountSourcePlain (line 29) | mountSourcePlain mountSourceType = "plain-open"
type mountSource (line 32) | type mountSource struct
type mountError (line 38) | type mountError struct
method Error (line 108) | func (e *mountError) Error() string {
method Unwrap (line 136) | func (e *mountError) Unwrap() error {
type int32plus (line 50) | type int32plus interface
function stringifyMountFlags (line 56) | func stringifyMountFlags[Int int32plus](flags Int) string {
function mount (line 142) | func mount(source, target, fstype string, flags uintptr, data string) er...
function mountViaFds (line 158) | func mountViaFds(source string, srcFile *mountSource, target, dstFd, fst...
function unmount (line 212) | func unmount(target string, flags int) error {
function syscallMode (line 227) | func syscallMode(i fs.FileMode) (o uint32) {
function mountFd (line 253) | func mountFd(nsHandles *userns.Handles, m *configs.Mount) (_ *mountSourc...
FILE: libcontainer/mount_linux_test.go
function TestStringifyMountFlags (line 9) | func TestStringifyMountFlags(t *testing.T) {
FILE: libcontainer/network_linux.go
type networkStrategy (line 27) | type networkStrategy interface
function getStrategy (line 36) | func getStrategy(tpe string) (networkStrategy, error) {
function getNetworkInterfaceStats (line 45) | func getNetworkInterfaceStats(interfaceName string) (*types.NetworkInter...
function readSysfsNetworkStats (line 81) | func readSysfsNetworkStats(ethInterface, statsFile string) (uint64, erro...
type loopback (line 90) | type loopback struct
method create (line 92) | func (l *loopback) create(n *network, nspid int) error {
method initialize (line 96) | func (l *loopback) initialize(config *network) error {
method attach (line 100) | func (l *loopback) attach(n *configs.Network) (err error) {
method detach (line 104) | func (l *loopback) detach(n *configs.Network) (err error) {
function devChangeNetNamespace (line 113) | func devChangeNetNamespace(name, nsPath string, device configs.LinuxNetD...
FILE: libcontainer/notify_linux.go
type PressureLevel (line 12) | type PressureLevel
constant LowPressure (line 15) | LowPressure PressureLevel = iota
constant MediumPressure (line 16) | MediumPressure
constant CriticalPressure (line 17) | CriticalPressure
function registerMemoryEvent (line 20) | func registerMemoryEvent(cgDir, evName, arg string) (<-chan struct{}, er...
function notifyOnOOM (line 65) | func notifyOnOOM(dir string) (<-chan struct{}, error) {
function notifyMemoryPressure (line 73) | func notifyMemoryPressure(dir string, level PressureLevel) (<-chan struc...
FILE: libcontainer/notify_linux_test.go
type notifyFunc (line 14) | type notifyFunc
function testMemoryNotification (line 16) | func testMemoryNotification(t *testing.T, evName string, notify notifyFu...
function TestNotifyOnOOM (line 95) | func TestNotifyOnOOM(t *testing.T) {
function TestNotifyMemoryPressure (line 103) | func TestNotifyMemoryPressure(t *testing.T) {
FILE: libcontainer/notify_v2_linux.go
function registerMemoryEventV2 (line 14) | func registerMemoryEventV2(cgDir, evName, cgEvName string) (<-chan struc...
function notifyOnOOMV2 (line 83) | func notifyOnOOMV2(path string) (<-chan struct{}, error) {
FILE: libcontainer/nsenter/escape.c
function hex (line 17) | static char hex(char i)
function need_escape (line 35) | static int need_escape(char c)
FILE: libcontainer/nsenter/getenv.c
function getenv_int (line 7) | int getenv_int(const char *name)
FILE: libcontainer/nsenter/log.c
function setup_logpipe (line 17) | void setup_logpipe(void)
function log_enabled_for (line 34) | bool log_enabled_for(int level)
function write_log (line 42) | void write_log(int level, const char *format, ...)
FILE: libcontainer/nsenter/nsenter_gccgo.go
function init (line 18) | func init() {
FILE: libcontainer/nsenter/nsenter_test.go
function TestNsenterValidPaths (line 19) | func TestNsenterValidPaths(t *testing.T) {
function TestNsenterInvalidPaths (line 62) | func TestNsenterInvalidPaths(t *testing.T) {
function TestNsenterIncorrectPathType (line 100) | func TestNsenterIncorrectPathType(t *testing.T) {
function TestNsenterChildLogging (line 138) | func TestNsenterChildLogging(t *testing.T) {
function init (line 184) | func init() {
function newPipe (line 190) | func newPipe(t *testing.T) (parent, child *os.File) {
function reapChildren (line 205) | func reapChildren(t *testing.T, parent *os.File) {
function getLogs (line 227) | func getLogs(t *testing.T, logread *os.File) {
FILE: libcontainer/nsenter/nsexec.c
type sync_t (line 35) | enum sync_t {
type clone_t (line 56) | struct clone_t {
type nlconfig_t (line 69) | struct nlconfig_t {
function setns (line 129) | int setns(int fd, int nstype)
function write_file (line 138) | static int write_file(char *data, size_t data_len, char *pathfmt, ...)
type policy_t (line 166) | enum policy_t {
function update_setgroups (line 173) | static void update_setgroups(int pid, enum policy_t setgroup)
function try_mapping_tool (line 200) | static int try_mapping_tool(const char *app, int pid, char *map, size_t ...
function update_uidmap (line 266) | static void update_uidmap(const char *path, int pid, char *map, size_t m...
function update_gidmap (line 281) | static void update_gidmap(const char *path, int pid, char *map, size_t m...
function update_oom_score_adj (line 296) | static void update_oom_score_adj(char *data, size_t len)
function child_func (line 308) | static int child_func(void *arg)
function clone_parent (line 315) | static int clone_parent(jmp_buf *env, int jmpval)
function readint32 (line 325) | static uint32_t readint32(char *buf)
function readint8 (line 330) | static uint8_t readint8(char *buf)
function sane_kill (line 335) | static inline void sane_kill(pid_t pid, int signum)
function iobail (line 345) | __attribute__((noreturn))
function xread (line 356) | static void xread(int fd, void *buf, size_t nbytes, const char *errmsg, ...
function xwrite (line 365) | static void xwrite(int fd, void *buf, size_t nbytes, const char *errmsg,...
function nl_parse (line 374) | static void nl_parse(int fd, struct nlconfig_t *config)
function nl_free (line 453) | void nl_free(struct nlconfig_t *config)
type namespace_t (line 458) | struct namespace_t {
type nsset_t (line 464) | typedef int nsset_t;
type nstype_t (line 466) | struct nstype_t {
function nstype (line 482) | static int nstype(char *name)
function nsset_t (line 497) | static nsset_t __open_namespaces(char *nsspec, struct namespace_t **ns_l...
function nsset_t (line 548) | static nsset_t __join_namespaces(nsset_t allow, struct namespace_t *ns_l...
type nstype_t (line 603) | struct nstype_t
function __close_namespaces (line 613) | static void __close_namespaces(nsset_t to_join, nsset_t joined, struct n...
function join_namespaces (line 640) | void join_namespaces(char *nsspec)
function try_unshare (line 675) | void try_unshare(int flags, const char *msg)
function update_timens_offsets (line 694) | static void update_timens_offsets(pid_t pid, char *map, size_t map_len)
function log_cpu_affinity (line 703) | static void log_cpu_affinity()
function nsexec (line 725) | void nsexec(void)
FILE: libcontainer/nsenter/test/escape.go
function testEscapeJSONString (line 16) | func testEscapeJSONString(t *testing.T, input, want string) {
function testEscapeJSON (line 27) | func testEscapeJSON(t *testing.T) {
FILE: libcontainer/nsenter/test/escape_test.go
function TestEscapeJSON (line 9) | func TestEscapeJSON(t *testing.T) {
FILE: libcontainer/process.go
type processOperations (line 14) | type processOperations interface
type Process (line 25) | type Process struct
method Wait (line 130) | func (p *Process) Wait() (*os.ProcessState, error) {
method Pid (line 138) | func (p *Process) Pid() (int, error) {
method Signal (line 148) | func (p *Process) Signal(sig os.Signal) error {
method closeClonedExes (line 157) | func (p *Process) closeClonedExes() {
type IO (line 165) | type IO struct
FILE: libcontainer/process_linux.go
type parentProcess (line 38) | type parentProcess interface
type processComm (line 59) | type processComm struct
method closeChild (line 106) | func (c *processComm) closeChild() {
method closeParent (line 112) | func (c *processComm) closeParent() {
function newProcessComm (line 72) | func newProcessComm() (_ *processComm, retErr error) {
type containerProcess (line 118) | type containerProcess struct
method pid (line 129) | func (p *containerProcess) pid() int {
method startTime (line 133) | func (p *containerProcess) startTime() (uint64, error) {
method signal (line 138) | func (p *containerProcess) signal(sig os.Signal) error {
method externalDescriptors (line 142) | func (p *containerProcess) externalDescriptors() []string {
method setExternalDescriptors (line 146) | func (p *containerProcess) setExternalDescriptors(newFds []string) {
method forwardChildLogs (line 150) | func (p *containerProcess) forwardChildLogs() chan error {
method terminate (line 156) | func (p *containerProcess) terminate() error {
method wait (line 167) | func (p *containerProcess) wait() (*os.ProcessState, error) { //nolint...
type setnsProcess (line 174) | type setnsProcess struct
method startWithCPUAffinity (line 214) | func (p *setnsProcess) startWithCPUAffinity() error {
method setFinalCPUAffinity (line 241) | func (p *setnsProcess) setFinalCPUAffinity() error {
method addIntoCgroupV1 (line 258) | func (p *setnsProcess) addIntoCgroupV1() error {
method initProcessCgroupPath (line 304) | func (p *setnsProcess) initProcessCgroupPath() string {
method addIntoCgroupV2 (line 321) | func (p *setnsProcess) addIntoCgroupV2() error {
method addIntoCgroup (line 355) | func (p *setnsProcess) addIntoCgroup() error {
method prepareCgroupFD (line 370) | func (p *setnsProcess) prepareCgroupFD() (*os.File, error) {
method startWithCgroupFD (line 431) | func (p *setnsProcess) startWithCgroupFD() error {
method start (line 457) | func (p *setnsProcess) start() (retErr error) {
method execSetns (line 597) | func (p *setnsProcess) execSetns() error {
function tryResetCPUAffinity (line 184) | func tryResetCPUAffinity(pid int) {
type initProcess (line 629) | type initProcess struct
method getChildPid (line 635) | func (p *initProcess) getChildPid() (int, error) {
method waitForChildExit (line 652) | func (p *initProcess) waitForChildExit(childPid int) error {
method goCreateMountSources (line 680) | func (p *initProcess) goCreateMountSources(ctx context.Context) (mount...
method start (line 776) | func (p *initProcess) start() (retErr error) {
method createNetworkInterfaces (line 1063) | func (p *initProcess) createNetworkInterfaces() error {
method setupNetworkDevices (line 1081) | func (p *initProcess) setupNetworkDevices() error {
type mountSourceRequestFn (line 672) | type mountSourceRequestFn
function pidGetFd (line 1104) | func pidGetFd(pid, srcFd int) (*os.File, error) {
function sendContainerProcessState (line 1117) | func sendContainerProcessState(listenerPath string, state *specs.Contain...
function getPipeFds (line 1142) | func getPipeFds(pid int) ([]string, error) {
method InitializeIO (line 1169) | func (p *Process) InitializeIO(rootuid, rootgid int) (i *IO, err error) {
FILE: libcontainer/restored_process.go
function newRestoredProcess (line 11) | func newRestoredProcess(cmd *exec.Cmd, fds []string) (*restoredProcess, ...
type restoredProcess (line 25) | type restoredProcess struct
method start (line 31) | func (p *restoredProcess) start() error {
method pid (line 35) | func (p *restoredProcess) pid() int {
method terminate (line 39) | func (p *restoredProcess) terminate() error {
method wait (line 47) | func (p *restoredProcess) wait() (*os.ProcessState, error) {
method startTime (line 61) | func (p *restoredProcess) startTime() (uint64, error) {
method signal (line 65) | func (p *restoredProcess) signal(s os.Signal) error {
method externalDescriptors (line 69) | func (p *restoredProcess) externalDescriptors() []string {
method setExternalDescriptors (line 73) | func (p *restoredProcess) setExternalDescriptors(newFds []string) {
method forwardChildLogs (line 77) | func (p *restoredProcess) forwardChildLogs() chan error {
type nonChildProcess (line 84) | type nonChildProcess struct
method start (line 90) | func (p *nonChildProcess) start() error {
method pid (line 94) | func (p *nonChildProcess) pid() int {
method terminate (line 98) | func (p *nonChildProcess) terminate() error {
method wait (line 102) | func (p *nonChildProcess) wait() (*os.ProcessState, error) {
method startTime (line 106) | func (p *nonChildProcess) startTime() (uint64, error) {
method signal (line 110) | func (p *nonChildProcess) signal(s os.Signal) error {
method externalDescriptors (line 118) | func (p *nonChildProcess) externalDescriptors() []string {
method setExternalDescriptors (line 122) | func (p *nonChildProcess) setExternalDescriptors(newFds []string) {
method forwardChildLogs (line 126) | func (p *nonChildProcess) forwardChildLogs() chan error {
FILE: libcontainer/rootfs_linux.go
constant defaultMountFlags (line 34) | defaultMountFlags = unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV
type mountConfig (line 37) | type mountConfig struct
type mountEntry (line 46) | type mountEntry struct
method srcName (line 53) | func (m mountEntry) srcName() string {
method srcStat (line 60) | func (m mountEntry) srcStat() (os.FileInfo, *syscall.Stat_t, error) {
method srcStatfs (line 76) | func (m mountEntry) srcStatfs() (*unix.Statfs_t, error) {
method createOpenMountpoint (line 508) | func (m *mountEntry) createOpenMountpoint(rootfs string) (Err error) {
method mountPropagate (line 1396) | func (m *mountEntry) mountPropagate(rootfs, mountLabel string) error {
function needsSetupDev (line 91) | func needsSetupDev(config *configs.Config) bool {
function prepareRootfs (line 103) | func prepareRootfs(pipe *syncSocket, iConfig *initConfig) (err error) {
function finalizeRootfs (line 252) | func finalizeRootfs(config *configs.Config) (err error) {
function prepareTmp (line 282) | func prepareTmp(topTmpDir string) (string, error) {
function cleanupTmp (line 296) | func cleanupTmp(tmpdir string) {
function mountCgroupV1 (line 301) | func mountCgroupV1(m mountEntry, c *mountConfig) error {
function mountCgroupV2 (line 375) | func mountCgroupV2(m mountEntry, c *mountConfig) error {
function doTmpfsCopyUp (line 412) | func doTmpfsCopyUp(m mountEntry, mountLabel string) (Err error) {
constant mntAtimeEnumFlags (line 465) | mntAtimeEnumFlags = unix.MS_NOATIME | unix.MS_RELATIME | unix.MS_STRICTA...
constant mntAtimeFlags (line 467) | mntAtimeFlags = mntAtimeEnumFlags | unix.MS_NODIRATIME
constant mntLockFlags (line 470) | mntLockFlags = unix.MS_RDONLY | unix.MS_NODEV | unix.MS_NOEXEC |
function statfsToMountFlags (line 474) | func statfsToMountFlags(st unix.Statfs_t) int {
function mountToRootfs (line 578) | func mountToRootfs(c *mountConfig, m mountEntry) error {
function getCgroupMounts (line 761) | func getCgroupMounts(m *configs.Mount) ([]*configs.Mount, error) {
constant procRootIno (line 801) | procRootIno = 1
function checkProcMount (line 807) | func checkProcMount(rootfs, dest string, m mountEntry) error {
function setupDevSymlinks (line 872) | func setupDevSymlinks(rootfs string) error {
function reOpenDevNull (line 903) | func reOpenDevNull() error {
function createDevices (line 928) | func createDevices(config *configs.Config) error {
function bindMountDeviceNode (line 946) | func bindMountDeviceNode(destDir *os.File, destName string, node *device...
function createDeviceNode (line 959) | func createDeviceNode(rootfs string, node *devices.Device, bind bool) er...
function mknodDevice (line 984) | func mknodDevice(destDir *os.File, destName string, node *devices.Device...
function rootfsParentMountPrivate (line 1045) | func rootfsParentMountPrivate(path string) error {
function prepareRoot (line 1069) | func prepareRoot(config *configs.Config) error {
function setReadonly (line 1085) | func setReadonly() error {
function setupPtmx (line 1100) | func setupPtmx(config *configs.Config) error {
function pivotRoot (line 1113) | func pivotRoot(rootfs string) error {
function msMoveRoot (line 1170) | func msMoveRoot(rootfs string) error {
function chroot (line 1233) | func chroot() error {
function readonlyPath (line 1244) | func readonlyPath(path string) error {
function remountReadonly (line 1266) | func remountReadonly(m *configs.Mount) error {
function isDevNull (line 1291) | func isDevNull(st *unix.Stat_t) bool {
function verifyDevNull (line 1296) | func verifyDevNull(f *os.File) error {
function maskPaths (line 1310) | func maskPaths(paths []string, mountLabel string) error {
function reopenAfterMount (line 1357) | func reopenAfterMount(rootfs string, f *os.File, flags int) (_ *os.File,...
function setRecAttr (line 1443) | func setRecAttr(m mountEntry) error {
FILE: libcontainer/rootfs_linux_test.go
function TestCheckMountDestInProc (line 11) | func TestCheckMountDestInProc(t *testing.T) {
function TestCheckProcMountOnProc (line 27) | func TestCheckProcMountOnProc(t *testing.T) {
function TestCheckBindMountOnProc (line 42) | func TestCheckBindMountOnProc(t *testing.T) {
function TestCheckTrickyMountOnProc (line 58) | func TestCheckTrickyMountOnProc(t *testing.T) {
function TestCheckTrickyBindMountOnProc (line 75) | func TestCheckTrickyBindMountOnProc(t *testing.T) {
function TestCheckMountDestInSys (line 92) | func TestCheckMountDestInSys(t *testing.T) {
function TestCheckMountDestFalsePositive (line 107) | func TestCheckMountDestFalsePositive(t *testing.T) {
function TestCheckMountDestNsLastPid (line 122) | func TestCheckMountDestNsLastPid(t *testing.T) {
function TestCheckCryptoFipsEnabled (line 137) | func TestCheckCryptoFipsEnabled(t *testing.T) {
function TestNeedsSetupDev (line 152) | func TestNeedsSetupDev(t *testing.T) {
function TestNeedsSetupDevStrangeSource (line 167) | func TestNeedsSetupDevStrangeSource(t *testing.T) {
function TestNeedsSetupDevStrangeDest (line 182) | func TestNeedsSetupDevStrangeDest(t *testing.T) {
function TestNeedsSetupDevStrangeSourceDest (line 197) | func TestNeedsSetupDevStrangeSourceDest(t *testing.T) {
FILE: libcontainer/seccomp/config.go
constant flagTsync (line 14) | flagTsync = "SECCOMP_FILTER_FLAG_TSYNC"
function KnownOperators (line 28) | func KnownOperators() []string {
function KnownActions (line 46) | func KnownActions() []string {
function KnownArchs (line 73) | func KnownArchs() []string {
function ConvertStringToOperator (line 81) | func ConvertStringToOperator(in string) (configs.Operator, error) {
function ConvertStringToAction (line 92) | func ConvertStringToAction(in string) (configs.Action, error) {
function ConvertStringToArch (line 100) | func ConvertStringToArch(in string) (string, error) {
function KnownFlags (line 117) | func KnownFlags() []string {
function SupportedFlags (line 125) | func SupportedFlags() []string {
FILE: libcontainer/seccomp/patchbpf/enosys_linux.go
constant bpfSizeofInt (line 101) | bpfSizeofInt = 4
constant s390xMultiplexSyscall (line 106) | s390xMultiplexSyscall libseccomp.ScmpSyscall = 0
function isAllowAction (line 108) | func isAllowAction(action configs.Action) bool {
function parseProgram (line 120) | func parseProgram(rdr io.Reader) ([]bpf.RawInstruction, error) {
function disassembleFilter (line 148) | func disassembleFilter(filter *libseccomp.ScmpFilter) ([]bpf.Instruction...
type linuxAuditArch (line 186) | type linuxAuditArch
constant invalidArch (line 188) | invalidArch linuxAuditArch = 0
function scmpArchToAuditArch (line 190) | func scmpArchToAuditArch(arch libseccomp.ScmpArch) (linuxAuditArch, erro...
type lastSyscallMap (line 241) | type lastSyscallMap
function findLastSyscalls (line 247) | func findLastSyscalls(config *configs.Seccomp) (lastSyscallMap, error) {
function generateEnosysStub (line 321) | func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction,...
function assemble (line 585) | func assemble(program []bpf.Instruction) ([]unix.SockFilter, error) {
function generatePatch (line 604) | func generatePatch(config *configs.Seccomp) ([]bpf.Instruction, error) {
function enosysPatchFilter (line 627) | func enosysPatchFilter(config *configs.Seccomp, filter *libseccomp.ScmpF...
function filterFlags (line 652) | func filterFlags(config *configs.Seccomp, filter *libseccomp.ScmpFilter)...
function sysSeccompSetFilter (line 694) | func sysSeccompSetFilter(flags uint, filter []unix.SockFilter) (fd int, ...
function PatchAndLoad (line 729) | func PatchAndLoad(config *configs.Seccomp, filter *libseccomp.ScmpFilter...
FILE: libcontainer/seccomp/patchbpf/enosys_linux_test.go
type seccompData (line 17) | type seccompData struct
function mockSyscallPayload (line 25) | func mockSyscallPayload(t *testing.T, sysno libseccomp.ScmpSyscall, arch...
constant retFallthrough (line 49) | retFallthrough uint32 = 0xDEADBEEF
function mockFilter (line 54) | func mockFilter(t *testing.T, config *configs.Seccomp) (*bpf.VM, []bpf.I...
function fakeConfig (line 71) | func fakeConfig(defaultAction configs.Action, explicitSyscalls, arches [...
function testEnosysStub (line 117) | func testEnosysStub(t *testing.T, defaultAction configs.Action, arches [...
function TestEnosysStub_SingleArch (line 281) | func TestEnosysStub_SingleArch(t *testing.T) {
function TestEnosysStub_MultiArch (line 301) | func TestEnosysStub_MultiArch(t *testing.T) {
function TestDisassembleHugeFilterDoesNotHang (line 324) | func TestDisassembleHugeFilterDoesNotHang(t *testing.T) {
FILE: libcontainer/seccomp/seccomp_linux.go
constant syscallMaxArguments (line 25) | syscallMaxArguments int = 6
function InitSeccomp (line 32) | func InitSeccomp(config *configs.Seccomp) (int, error) {
type unknownFlagError (line 134) | type unknownFlagError struct
method Error (line 138) | func (e *unknownFlagError) Error() string {
function setFlag (line 142) | func setFlag(filter *libseccomp.ScmpFilter, flag specs.LinuxSeccompFlag)...
function FlagSupported (line 178) | func FlagSupported(flag specs.LinuxSeccompFlag) error {
function getAction (line 201) | func getAction(act configs.Action, errnoRet *uint) (libseccomp.ScmpActio...
function getOperator (line 231) | func getOperator(op configs.Operator) (libseccomp.ScmpCompareOp, error) {
function getCondition (line 253) | func getCondition(arg *configs.Arg) (libseccomp.ScmpCondition, error) {
function matchCall (line 269) | func matchCall(filter *libseccomp.ScmpFilter, call *configs.Syscall, def...
function Version (line 350) | func Version() (uint, uint, uint) {
constant Enabled (line 355) | Enabled = true
FILE: libcontainer/seccomp/seccomp_unsupported.go
function InitSeccomp (line 15) | func InitSeccomp(config *configs.Seccomp) (int, error) {
function FlagSupported (line 23) | func FlagSupported(_ specs.LinuxSeccompFlag) error {
function Version (line 28) | func Version() (uint, uint, uint) {
constant Enabled (line 33) | Enabled = false
FILE: libcontainer/setns_init_linux.go
type linuxSetnsInit (line 23) | type linuxSetnsInit struct
method getSessionRingName (line 31) | func (l *linuxSetnsInit) getSessionRingName() string {
method Init (line 35) | func (l *linuxSetnsInit) Init() error {
FILE: libcontainer/specconv/example.go
function Example (line 14) | func Example() *specs.Spec {
function ToRootless (line 161) | func ToRootless(spec *specs.Spec) {
FILE: libcontainer/specconv/spec_linux.go
function initMaps (line 49) | func initMaps() {
function KnownNamespaces (line 175) | func KnownNamespaces() []string {
function KnownMountOptions (line 187) | func KnownMountOptions() []string {
function KnownMemoryPolicyModes (line 208) | func KnownMemoryPolicyModes() []string {
function KnownMemoryPolicyFlags (line 215) | func KnownMemoryPolicyFlags() []string {
type CreateOpts (line 372) | type CreateOpts struct
function CreateLibcontainerConfig (line 384) | func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) {
function toConfigIDMap (line 626) | func toConfigIDMap(specMaps []specs.LinuxIDMapping) []configs.IDMap {
function createLibcontainerMount (line 641) | func createLibcontainerMount(cwd string, m specs.Mount) (*configs.Mount,...
function checkPropertyName (line 688) | func checkPropertyName(s string) error {
function getLinuxPersonalityFromStr (line 705) | func getLinuxPersonalityFromStr(domain string) (int, error) {
function convertSecToUSec (line 717) | func convertSecToUSec(value dbus.Variant) (dbus.Variant, error) {
function initSystemdProps (line 744) | func initSystemdProps(spec *specs.Spec) ([]systemdDbus.Property, error) {
function CreateCgroupConfig (line 778) | func CreateCgroupConfig(opts *CreateOpts, defaultDevs []*devices.Device)...
function stringToCgroupDeviceRune (line 997) | func stringToCgroupDeviceRune(s string) (devices.Type, error) {
function stringToDeviceRune (line 1010) | func stringToDeviceRune(s string) (devices.Type, error) {
function createDevices (line 1023) | func createDevices(spec *specs.Spec, config *configs.Config) ([]*devices...
function setupUserNamespace (line 1080) | func setupUserNamespace(spec *specs.Spec, config *configs.Config) error {
function parseMountOptions (line 1136) | func parseMountOptions(options []string) *configs.Mount {
function SetupSeccomp (line 1195) | func SetupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error) {
function createHooks (line 1286) | func createHooks(rspec *specs.Spec, config *configs.Config) {
function createCommandHook (line 1316) | func createCommandHook(h specs.Hook) *configs.Command {
FILE: libcontainer/specconv/spec_linux_test.go
function TestCreateCommandHookTimeout (line 17) | func TestCreateCommandHookTimeout(t *testing.T) {
function TestCreateHooks (line 32) | func TestCreateHooks(t *testing.T) {
function TestSetupSeccompNil (line 143) | func TestSetupSeccompNil(t *testing.T) {
function TestSetupSeccompEmpty (line 154) | func TestSetupSeccompEmpty(t *testing.T) {
function TestSetupSeccompWrongAction (line 167) | func TestSetupSeccompWrongAction(t *testing.T) {
function TestSetupSeccompWrongArchitecture (line 178) | func TestSetupSeccompWrongArchitecture(t *testing.T) {
function TestSetupSeccomp (line 189) | func TestSetupSeccomp(t *testing.T) {
function TestLinuxCgroupWithMemoryResource (line 342) | func TestLinuxCgroupWithMemoryResource(t *testing.T) {
function TestLinuxCgroupSystemd (line 409) | func TestLinuxCgroupSystemd(t *testing.T) {
function TestLinuxCgroupSystemdWithEmptyPath (line 443) | func TestLinuxCgroupSystemdWithEmptyPath(t *testing.T) {
function TestLinuxCgroupSystemdWithInvalidPath (line 477) | func TestLinuxCgroupSystemdWithInvalidPath(t *testing.T) {
function TestLinuxCgroupsPathSpecified (line 497) | func TestLinuxCgroupsPathSpecified(t *testing.T) {
function TestLinuxCgroupsPathNotSpecified (line 521) | func TestLinuxCgroupsPathNotSpecified(t *testing.T) {
function TestSpecconvExampleValidate (line 539) | func TestSpecconvExampleValidate(t *testing.T) {
function TestSpecconvNoLinuxSection (line 564) | func TestSpecconvNoLinuxSection(t *testing.T) {
function TestDupNamespaces (line 585) | func TestDupNamespaces(t *testing.T) {
function TestUserNamespaceMappingAndPath (line 612) | func TestUserNamespaceMappingAndPath(t *testing.T) {
function TestNonZeroEUIDCompatibleSpecconvValidate (line 646) | func TestNonZeroEUIDCompatibleSpecconvValidate(t *testing.T) {
function TestInitSystemdProps (line 673) | func TestInitSystemdProps(t *testing.T) {
function TestCheckPropertyName (line 820) | func TestCheckPropertyName(t *testing.T) {
function BenchmarkCheckPropertyName (line 845) | func BenchmarkCheckPropertyName(b *testing.B) {
function TestNullProcess (line 853) | func TestNullProcess(t *testing.T) {
function TestCreateDevices (line 865) | func TestCreateDevices(t *testing.T) {
function TestCreateNetDevices (line 969) | func TestCreateNetDevices(t *testing.T) {
FILE: libcontainer/standard_init_linux.go
type linuxStandardInit (line 25) | type linuxStandardInit struct
method getSessionRingParams (line 35) | func (l *linuxStandardInit) getSessionRingParams() (string, uint32, ui...
method Init (line 51) | func (l *linuxStandardInit) Init() error {
FILE: libcontainer/state_linux.go
function newStateTransitionError (line 15) | func newStateTransitionError(from, to containerState) error {
type stateTransitionError (line 24) | type stateTransitionError struct
method Error (line 29) | func (s *stateTransitionError) Error() string {
type containerState (line 33) | type containerState interface
function destroy (line 39) | func destroy(c *Container) error {
function runPoststopHooks (line 69) | func runPoststopHooks(c *Container) error {
type stoppedState (line 85) | type stoppedState struct
method status (line 89) | func (b *stoppedState) status() Status {
method transition (line 93) | func (b *stoppedState) transition(s containerState) error {
method destroy (line 104) | func (b *stoppedState) destroy() error {
type runningState (line 109) | type runningState struct
method status (line 113) | func (r *runningState) status() Status {
method transition (line 117) | func (r *runningState) transition(s containerState) error {
method destroy (line 134) | func (r *runningState) destroy() error {
type createdState (line 141) | type createdState struct
method status (line 145) | func (i *createdState) status() Status {
method transition (line 149) | func (i *createdState) transition(s containerState) error {
method destroy (line 160) | func (i *createdState) destroy() error {
type pausedState (line 167) | type pausedState struct
method status (line 171) | func (p *pausedState) status() Status {
method transition (line 175) | func (p *pausedState) transition(s containerState) error {
method destroy (line 186) | func (p *pausedState) destroy() error {
type restoredState (line 198) | type restoredState struct
method status (line 203) | func (r *restoredState) status() Status {
method transition (line 207) | func (r *restoredState) transition(s containerState) error {
method destroy (line 215) | func (r *restoredState) destroy() error {
type loadedState (line 226) | type loadedState struct
method status (line 231) | func (n *loadedState) status() Status {
method transition (line 235) | func (n *loadedState) transition(s containerState) error {
method destroy (line 240) | func (n *loadedState) destroy() error {
FILE: libcontainer/state_linux_test.go
function TestStateStatus (line 18) | func TestStateStatus(t *testing.T) {
function testTransitions (line 26) | func testTransitions(t *testing.T, initialState containerState, valid []...
function TestStoppedStateTransition (line 53) | func TestStoppedStateTransition(t *testing.T) {
function TestPausedStateTransition (line 65) | func TestPausedStateTransition(t *testing.T) {
function TestRestoredStateTransition (line 77) | func TestRestoredStateTransition(t *testing.T) {
function TestRunningStateTransition (line 88) | func TestRunningStateTransition(t *testing.T) {
function TestCreatedStateTransition (line 100) | func TestCreatedStateTransition(t *testing.T) {
FILE: libcontainer/stats_linux.go
type Stats (line 9) | type Stats struct
FILE: libcontainer/sync.go
type syncType (line 16) | type syncType
constant procError (line 42) | procError syncType = "procError"
constant procReady (line 43) | procReady syncType = "procReady"
constant procRun (line 44) | procRun syncType = "procRun"
constant procHooks (line 45) | procHooks syncType = "procHooks"
constant procHooksDone (line 46) | procHooksDone syncType = "procHooksDone"
constant procMountPlease (line 47) | procMountPlease syncType = "procMountPlease"
constant procMountFd (line 48) | procMountFd syncType = "procMountFd"
constant procSeccomp (line 49) | procSeccomp syncType = "procSeccomp"
constant procSeccompDone (line 50) | procSeccompDone syncType = "procSeccompDone"
type syncFlags (line 53) | type syncFlags
constant syncFlagHasFd (line 56) | syncFlagHasFd syncFlags = (1 << iota)
type syncT (line 59) | type syncT struct
method String (line 66) | func (s syncT) String() string {
type initError (line 82) | type initError struct
method Error (line 86) | func (i initError) Error() string {
function doWriteSync (line 90) | func doWriteSync(pipe *syncSocket, sync syncT) error {
function writeSync (line 112) | func writeSync(pipe *syncSocket, sync syncType) error {
function writeSyncArg (line 116) | func writeSyncArg(pipe *syncSocket, sync syncType, arg any) error {
function doReadSync (line 125) | func doReadSync(pipe *syncSocket) (syncT, error) {
function readSyncFull (line 161) | func readSyncFull(pipe *syncSocket, expected syncType) (syncT, error) {
function readSync (line 172) | func readSync(pipe *syncSocket, expected syncType) error {
function parseSync (line 189) | func parseSync(pipe *syncSocket, fn func(*syncT) error) error {
FILE: libcontainer/sync_unix.go
type syncSocket (line 18) | type syncSocket struct
method File (line 27) | func (s *syncSocket) File() *os.File {
method Close (line 31) | func (s *syncSocket) Close() error {
method isClosed (line 37) | func (s *syncSocket) isClosed() bool {
method WritePacket (line 41) | func (s *syncSocket) WritePacket(b []byte) (int, error) {
method ReadPacket (line 45) | func (s *syncSocket) ReadPacket() ([]byte, error) {
method Shutdown (line 68) | func (s *syncSocket) Shutdown(how int) error {
function newSyncSocket (line 23) | func newSyncSocket(f *os.File) *syncSocket {
function newSyncSockpair (line 77) | func newSyncSockpair(name string) (parent, child *syncSocket, err error) {
FILE: libcontainer/system/kernelversion/kernel_linux.go
type KernelVersion (line 36) | type KernelVersion struct
method String (line 41) | func (k *KernelVersion) String() string {
function getKernelVersion (line 55) | func getKernelVersion() (*KernelVersion, error) {
function parseRelease (line 68) | func parseRelease(release string) (*KernelVersion, error) {
function GreaterEqualThan (line 84) | func GreaterEqualThan(minVersion KernelVersion) (bool, error) {
FILE: libcontainer/system/kernelversion/kernel_linux_test.go
function TestGetKernelVersion (line 27) | func TestGetKernelVersion(t *testing.T) {
function TestParseRelease (line 40) | func TestParseRelease(t *testing.T) {
function TestGreaterEqualThan (line 94) | func TestGreaterEqualThan(t *testing.T) {
FILE: libcontainer/system/linux.go
type ParentDeathSignal (line 15) | type ParentDeathSignal
method Restore (line 17) | func (p ParentDeathSignal) Restore() error {
method Set (line 31) | func (p ParentDeathSignal) Set() error {
function SetParentDeathSignal (line 35) | func SetParentDeathSignal(sig uintptr) error {
function GetParentDeathSignal (line 42) | func GetParentDeathSignal() (ParentDeathSignal, error) {
function SetKeepCaps (line 50) | func SetKeepCaps() error {
function ClearKeepCaps (line 58) | func ClearKeepCaps() error {
function Setctty (line 66) | func Setctty() error {
function SetSubreaper (line 74) | func SetSubreaper(i int) error {
function GetSubreaper (line 79) | func GetSubreaper() (int, error) {
function ExecutableMemfd (line 89) | func ExecutableMemfd(comment string, flags int) (*os.File, error) {
function Copy (line 117) | func Copy(dst io.Writer, src io.Reader) (copied int64, err error) {
function SetLinuxPersonality (line 156) | func SetLinuxPersonality(personality int) error {
function GetPtyPeer (line 165) | func GetPtyPeer(ptyFd uintptr, unsafePeerPath string, flags int) (*os.Fi...
FILE: libcontainer/system/proc.go
type State (line 14) | type State
method String (line 30) | func (s State) String() string {
constant Dead (line 17) | Dead State = 'X'
constant DiskSleep (line 18) | DiskSleep State = 'D'
constant Running (line 19) | Running State = 'R'
constant Sleeping (line 20) | Sleeping State = 'S'
constant Stopped (line 21) | Stopped State = 'T'
constant TracingStop (line 22) | TracingStop State = 't'
constant Zombie (line 23) | Zombie State = 'Z'
constant Parked (line 24) | Parked State = 'P'
constant Idle (line 25) | Idle State = 'I'
type Stat_t (line 58) | type Stat_t struct
function Stat (line 71) | func Stat(pid int) (Stat_t, error) {
function parseStat (line 87) | func parseStat(data string) (stat Stat_t, err error) {
FILE: libcontainer/system/proc_test.go
function TestParseStat (line 46) | func TestParseStat(t *testing.T) {
function TestParseStatBadInput (line 57) | func TestParseStatBadInput(t *testing.T) {
function BenchmarkParseStat (line 118) | func BenchmarkParseStat(b *testing.B) {
function BenchmarkParseRealStat (line 138) | func BenchmarkParseRealStat(b *testing.B) {
FILE: libcontainer/system/rlimit_linux.go
function ClearRlimitNofileCache (line 9) | func ClearRlimitNofileCache(lim *syscall.Rlimit) {
FILE: libcontainer/utils/cmsg.go
constant MaxNameLen (line 31) | MaxNameLen = 4096
function RecvFile (line 41) | func RecvFile(socket *os.File) (_ *os.File, Err error) {
function SendFile (line 117) | func SendFile(socket, file *os.File) error {
function SendRawFd (line 128) | func SendRawFd(socket *os.File, msg string, fd uintptr) error {
FILE: libcontainer/utils/utils.go
constant exitSignalOffset (line 13) | exitSignalOffset = 128
function ExitStatus (line 18) | func ExitStatus(status unix.WaitStatus) int {
function WriteJSON (line 29) | func WriteJSON(w io.Writer, v any) error {
function SearchLabels (line 40) | func SearchLabels(labels []string, key string) (string, bool) {
function Annotations (line 53) | func Annotations(labels []string) (bundle string, userAnnotations map[st...
FILE: libcontainer/utils/utils_test.go
function TestSearchLabels (line 24) | func TestSearchLabels(t *testing.T) {
function TestExitStatus (line 37) | func TestExitStatus(t *testing.T) {
function TestExitStatusSignaled (line 45) | func TestExitStatusSignaled(t *testing.T) {
function TestWriteJSON (line 53) | func TestWriteJSON(t *testing.T) {
FILE: libcontainer/utils/utils_unix.go
function haveCloseRangeCloexec (line 26) | func haveCloseRangeCloexec() bool {
type fdFunc (line 45) | type fdFunc
function fdRangeFrom (line 49) | func fdRangeFrom(minFd int, fn fdFunc) error {
function CloseExecFrom (line 84) | func CloseExecFrom(minFd int) error {
function runtime_IsPollDescriptor (line 107) | func runtime_IsPollDescriptor(fd uintptr) bool
function UnsafeCloseFrom (line 118) | func UnsafeCloseFrom(minFd int) error {
function NewSockPair (line 139) | func NewSockPair(name string) (parent, child *os.File, err error) {
function WithProcfdFile (line 156) | func WithProcfdFile(file *os.File, fn func(procfd string) error) error {
type ProcThreadSelfCloser (line 163) | type ProcThreadSelfCloser
function ProcThreadSelf (line 176) | func ProcThreadSelf(subpath string) (string, ProcThreadSelfCloser) {
function ProcThreadSelfFd (line 230) | func ProcThreadSelfFd(fd uintptr) (string, ProcThreadSelfCloser) {
function Openat (line 235) | func Openat(dir *os.File, path string, flags int, mode uint32) (*os.File...
FILE: list.go
constant formatOptions (line 19) | formatOptions = `table or json`
type containerState (line 23) | type containerState struct
function getContainers (line 113) | func getContainers(context *cli.Context) ([]containerState, error) {
FILE: main.go
function printVersion (line 40) | func printVersion(c *cli.Context) {
constant specConfig (line 57) | specConfig = "config.json"
constant usage (line 58) | usage = `Open Container Initiative runtime
function main (line 83) | func main() {
type FatalWriter (line 178) | type FatalWriter struct
method Write (line 182) | func (f *FatalWriter) Write(p []byte) (n int, err error) {
function configLogrus (line 190) | func configLogrus(context *cli.Context) error {
FILE: notify_socket.go
type notifySocket (line 22) | type notifySocket struct
method Close (line 45) | func (s *notifySocket) Close() error {
method setupSpec (line 51) | func (s *notifySocket) setupSpec(spec *specs.Spec) {
method bindSocket (line 62) | func (s *notifySocket) bindSocket() error {
method setupSocketDirectory (line 83) | func (s *notifySocket) setupSocketDirectory() error {
method waitForContainer (line 99) | func (s *notifySocket) waitForContainer(container *libcontainer.Contai...
method run (line 107) | func (s *notifySocket) run(pid1 int) error {
function newNotifySocket (line 28) | func newNotifySocket(context *cli.Context, notifySocketHost, id string) ...
function notifySocketStart (line 87) | func notifySocketStart(context *cli.Context, notifySocketHost, id string...
function notifyHost (line 156) | func notifyHost(client *net.UnixConn, ready []byte, pid1 int) error {
function sdNotifyBarrier (line 178) | func sdNotifyBarrier(client *net.UnixConn) (retErr error) {
FILE: notify_socket_test.go
function TestNotifyHost (line 14) | func TestNotifyHost(t *testing.T) {
function expectRead (line 44) | func expectRead(t *testing.T, r io.Reader, expected string) {
function expectBarrier (line 55) | func expectBarrier(t *testing.T, conn *net.UnixConn, notifyHostChan <-ch...
function mustExtractFd (line 90) | func mustExtractFd(t *testing.T, buf []byte) int {
FILE: ps.go
function getPidIndex (line 92) | func getPidIndex(title string) (int, error) {
FILE: rlimit_linux.go
function strToRlimit (line 28) | func strToRlimit(key string) (int, error) {
FILE: rootless_linux.go
function shouldUseRootlessCgroupManager (line 13) | func shouldUseRootlessCgroupManager(context *cli.Context) (bool, error) {
function shouldHonorXDGRuntimeDir (line 55) | func shouldHonorXDGRuntimeDir() bool {
FILE: signals.go
constant signalBufferSize (line 15) | signalBufferSize = 2048
function newSignalHandler (line 21) | func newSignalHandler(enableSubreaper bool, notifySocket *notifySocket) ...
type exit (line 49) | type exit struct
type signalHandler (line 54) | type signalHandler struct
method forward (line 61) | func (h *signalHandler) forward(process *libcontainer.Process, tty *tt...
method reap (line 127) | func (h *signalHandler) reap() (exits []exit, err error) {
FILE: spec.go
function loadSpec (line 117) | func loadSpec(cPath string) (spec *specs.Spec, err error) {
function createLibContainerRlimit (line 136) | func createLibContainerRlimit(rlimit specs.POSIXRlimit) (configs.Rlimit,...
FILE: tests/cmd/fs-idmap/fs-idmap.go
function main (line 16) | func main() {
function supportsIDMap (line 28) | func supportsIDMap(src string) error {
FILE: tests/cmd/key_label/key_label.go
function main (line 17) | func main() {
FILE: tests/cmd/pidfd-kill/pidfd-kill.go
constant usage (line 21) | usage = `Open Container Initiative tests/cmd/pidfd-kill
function main (line 34) | func main() {
function recvPidfd (line 93) | func recvPidfd(socketFile string) (*os.File, error) {
FILE: tests/cmd/recvtty/recvtty.go
constant usage (line 50) | usage = `Open Container Initiative tests/cmd/recvtty
function bail (line 72) | func bail(err error) {
function handleSingle (line 77) | func handleSingle(path string, noStdin bool) error {
function handleNull (line 144) | func handleNull(path string) error {
function main (line 180) | func main() {
FILE: tests/cmd/remap-rootfs/remap-rootfs.go
constant usage (line 21) | usage = `tests/cmd/remap-rootfs
function toHostID (line 43) | func toHostID(mappings []specs.LinuxIDMapping, id uint32) (int, bool) {
type inodeID (line 52) | type inodeID struct
function toInodeID (line 56) | func toInodeID(st *syscall.Stat_t) inodeID {
function remapRootfs (line 60) | func remapRootfs(root string, uidMap, gidMap []specs.LinuxIDMapping) err...
function main (line 104) | func main() {
FILE: tests/cmd/sd-helper/helper.go
function usage (line 18) | func usage() {
function main (line 40) | func main() {
function newManager (line 63) | func newManager(config *cgroups.Cgroup) (cgroups.Manager, error) {
function unitCommand (line 70) | func unitCommand(cmd, name, parent string) error {
FILE: tests/cmd/seccompagent/seccompagent.go
function closeStateFds (line 34) | func closeStateFds(recvFds []int) {
function parseStateFds (line 44) | func parseStateFds(stateFds []string, recvFds []int) (uintptr, error) {
function handleNewMessage (line 82) | func handleNewMessage(sockfd int) (uintptr, string, error) {
function readArgString (line 130) | func readArgString(pid uint32, offset int64) (string, error) {
function runMkdirForContainer (line 149) | func runMkdirForContainer(pid uint32, fileName string, mode uint32, meta...
function notifHandler (line 169) | func notifHandler(fd libseccomp.ScmpFd, metadata string) {
function main (line 235) | func main() {
FILE: tests/cmd/seccompagent/unsupported.go
function main (line 7) | func main() {
FILE: tests/integration/testdata/dev_access_test.c
function main (line 4) | int main(int argc, char *argv[])
FILE: tests/integration/testdata/seccomp_syscall_test1.c
function main (line 35) | int main(void)
FILE: tests/integration/testdata/seccomp_syscall_test2.c
function main (line 6) | int main()
FILE: tty.go
type tty (line 16) | type tty struct
method copyIO (line 26) | func (t *tty) copyIO(w io.Writer, r io.ReadCloser) {
method initHostConsole (line 72) | func (t *tty) initHostConsole() error {
method recvtty (line 102) | func (t *tty) recvtty(socket *os.File) (Err error) {
method waitConsole (line 153) | func (t *tty) waitConsole() error {
method ClosePostStart (line 162) | func (t *tty) ClosePostStart() {
method Close (line 170) | func (t *tty) Close() {
method resize (line 189) | func (t *tty) resize() error {
function setupProcessPipes (line 34) | func setupProcessPipes(p *libcontainer.Process, rootuid, rootgid int) (*...
function inheritStdio (line 66) | func inheritStdio(process *libcontainer.Process) {
function handleInterrupt (line 145) | func handleInterrupt(c console.Console) {
FILE: types/events.go
type Event (line 11) | type Event struct
type Stats (line 18) | type Stats struct
type Hugetlb (line 33) | type Hugetlb struct
type BlkioEntry (line 39) | type BlkioEntry struct
type Blkio (line 46) | type Blkio struct
type Pids (line 58) | type Pids struct
type Throttling (line 63) | type Throttling struct
type CpuUsage (line 69) | type CpuUsage struct
type Cpu (line 79) | type Cpu struct
type CPUSet (line 85) | type CPUSet struct
type MemoryEntry (line 99) | type MemoryEntry struct
type Memory (line 106) | type Memory struct
type L3CacheInfo (line 116) | type L3CacheInfo struct
type MemBwInfo (line 122) | type MemBwInfo struct
type IntelRdt (line 129) | type IntelRdt struct
type NetworkInterface (line 158) | type NetworkInterface struct
FILE: types/features/features.go
constant AnnotationRuncVersion (line 8) | AnnotationRuncVersion = "org.opencontainers.runc.version"
constant AnnotationRuncCommit (line 13) | AnnotationRuncCommit = "org.opencontainers.runc.commit"
constant AnnotationRuncCheckpointEnabled (line 20) | AnnotationRuncCheckpointEnabled = "org.opencontainers.runc.checkpoint.en...
constant AnnotationLibseccompVersion (line 24) | AnnotationLibseccompVersion = "io.github.seccomp.libseccomp.version"
FILE: update.go
function mkPtr (line 20) | func mkPtr[T any](v T) *T { return &v }
function upsertWeightDevice (line 399) | func upsertWeightDevice(devices []*cgroups.WeightDevice, wd specs.LinuxW...
function upsertThrottleDevice (line 428) | func upsertThrottleDevice(devices []*cgroups.ThrottleDevice, td specs.Li...
FILE: utils.go
constant exactArgs (line 18) | exactArgs = iota
constant minArgs (line 19) | minArgs
constant maxArgs (line 20) | maxArgs
function checkArgs (line 23) | func checkArgs(context *cli.Context, expected, checkType int) error {
function logrusToStderr (line 49) | func logrusToStderr() bool {
function fatal (line 56) | func fatal(err error) {
function fatalWithCode (line 60) | func fatalWithCode(err error, ret int) {
function setupSpec (line 71) | func setupSpec(context *cli.Context) (*specs.Spec, error) {
function revisePidFile (line 85) | func revisePidFile(context *cli.Context) error {
function reviseRootDir (line 103) | func reviseRootDir(context *cli.Context) error {
function parseBoolOrAuto (line 124) | func parseBoolOrAuto(s string) (*bool, error) {
FILE: utils_linux.go
function getContainer (line 31) | func getContainer(context *cli.Context) (*libcontainer.Container, error) {
function getDefaultImagePath (line 40) | func getDefaultImagePath() string {
function newProcess (line 49) | func newProcess(p *specs.Process) (*libcontainer.Process, error) {
function setupIO (line 99) | func setupIO(process *libcontainer.Process, container *libcontainer.Cont...
function createPidFile (line 162) | func createPidFile(path string, process *libcontainer.Process) error {
function createContainer (line 183) | func createContainer(context *cli.Context, id string, spec *specs.Spec) ...
type runner (line 205) | type runner struct
method run (line 222) | func (r *runner) run(config *specs.Process) (int, error) {
method destroy (line 315) | func (r *runner) destroy() {
method terminate (line 323) | func (r *runner) terminate(p *libcontainer.Process) {
method checkTerminal (line 328) | func (r *runner) checkTerminal(config *specs.Process) error {
function validateProcessSpec (line 340) | func validateProcessSpec(spec *specs.Process) error {
type CtAct (line 359) | type CtAct
constant CT_ACT_CREATE (line 362) | CT_ACT_CREATE CtAct = iota + 1
constant CT_ACT_RUN (line 363) | CT_ACT_RUN
constant CT_ACT_RESTORE (line 364) | CT_ACT_RESTORE
function startContainer (line 367) | func startContainer(context *cli.Context, action CtAct, criuOpts *libcon...
function setupPidfdSocket (line 420) | func setupPidfdSocket(process *libcontainer.Process, sockpath string) (_...
function maybeLogCgroupWarning (line 447) | func maybeLogCgroupWarning(op string, err error) {
FILE: vendor/cyphar.com/go-pathrs/handle_linux.go
type Handle (line 36) | type Handle struct
method Open (line 62) | func (h *Handle) Open() (*os.File, error) {
method OpenFile (line 74) | func (h *Handle) OpenFile(flags int) (*os.File, error) {
method IntoFile (line 93) | func (h *Handle) IntoFile() *os.File {
method Clone (line 103) | func (h *Handle) Clone() (*Handle, error) {
method Close (line 108) | func (h *Handle) Close() error {
function HandleFromFile (line 46) | func HandleFromFile(file *os.File) (*Handle, error) {
FILE: vendor/cyphar.com/go-pathrs/internal/fdutils/fd_linux.go
function DupFd (line 28) | func DupFd(fd uintptr, name string) (*os.File, error) {
function WithFileFd (line 37) | func WithFileFd[T any](file *os.File, fn func(fd uintptr) (T, error)) (T...
function DupFile (line 55) | func DupFile(file *os.File) (*os.File, error) {
function MkFile (line 64) | func MkFile(fd uintptr) (*os.File, error) {
FILE: vendor/cyphar.com/go-pathrs/internal/libpathrs/error_unix.go
type Error (line 23) | type Error struct
method Error (line 29) | func (err *Error) Error() string {
method Unwrap (line 35) | func (err *Error) Unwrap() error {
FILE: vendor/cyphar.com/go-pathrs/internal/libpathrs/libpathrs_linux.go
function fetchError (line 36) | func fetchError(errID C.int) error {
function OpenRoot (line 54) | func OpenRoot(path string) (uintptr, error) {
function Reopen (line 63) | func Reopen(fd uintptr, flags int) (uintptr, error) {
function InRootResolve (line 69) | func InRootResolve(rootFd uintptr, path string) (uintptr, error) {
function InRootResolveNoFollow (line 78) | func InRootResolveNoFollow(rootFd uintptr, path string) (uintptr, error) {
function InRootOpen (line 87) | func InRootOpen(rootFd uintptr, path string, flags int) (uintptr, error) {
function InRootReadlink (line 96) | func InRootReadlink(rootFd uintptr, path string) (string, error) {
function InRootRmdir (line 121) | func InRootRmdir(rootFd uintptr, path string) error {
function InRootUnlink (line 130) | func InRootUnlink(rootFd uintptr, path string) error {
function InRootRemoveAll (line 139) | func InRootRemoveAll(rootFd uintptr, path string) error {
function InRootCreat (line 148) | func InRootCreat(rootFd uintptr, path string, flags int, mode uint32) (u...
function InRootRename (line 157) | func InRootRename(rootFd uintptr, src, dst string, flags uint) error {
function InRootMkdir (line 169) | func InRootMkdir(rootFd uintptr, path string, mode uint32) error {
function InRootMkdirAll (line 178) | func InRootMkdirAll(rootFd uintptr, path string, mode uint32) (uintptr, ...
function InRootMknod (line 187) | func InRootMknod(rootFd uintptr, path string, mode uint32, dev uint64) e...
function InRootSymlink (line 196) | func InRootSymlink(rootFd uintptr, path, target string) error {
function InRootHardlink (line 208) | func InRootHardlink(rootFd uintptr, path, target string) error {
type ProcBase (line 220) | type ProcBase
constant ProcRoot (line 228) | ProcRoot ProcBase = 0xFFFF_FFFE_7072_6F63
constant ProcSelf (line 230) | ProcSelf ProcBase = 0xFFFF_FFFE_091D_5E1F
constant ProcThreadSelf (line 232) | ProcThreadSelf ProcBase = 0xFFFF_FFFE_3EAD_5E1F
constant ProcBaseTypeMask (line 235) | ProcBaseTypeMask ProcBase = 0xFFFF_FFFF_0000_0000
constant ProcBaseTypePid (line 237) | ProcBaseTypePid ProcBase = 0x8000_0000_0000_0000
constant ProcDefaultRootFd (line 240) | ProcDefaultRootFd = -int(syscall.EBADF)
function assertEqual (line 243) | func assertEqual[T comparable](a, b T, msg string) {
function init (line 254) | func init() {
function ProcPid (line 277) | func ProcPid(pid uint32) ProcBase { return ProcBaseTypePid | ProcBase(pi...
function ProcOpenat (line 280) | func ProcOpenat(procRootFd int, base ProcBase, path string, flags int) (...
function ProcReadlinkat (line 291) | func ProcReadlinkat(procRootFd int, base ProcBase, path string) (string,...
type ProcfsOpenHow (line 322) | type ProcfsOpenHow
method Flags (line 331) | func (how *ProcfsOpenHow) Flags() *C.uint64_t { return &how.flags }
constant ProcfsNewUnmasked (line 326) | ProcfsNewUnmasked = C.PATHRS_PROCFS_NEW_UNMASKED
function ProcfsOpen (line 334) | func ProcfsOpen(how *ProcfsOpenHow) (uintptr, error) {
FILE: vendor/cyphar.com/go-pathrs/procfs/procfs_linux.go
type ProcBase (line 27) | type ProcBase struct
function ProcPid (line 58) | func ProcPid(pid int) ProcBase {
type ThreadCloser (line 68) | type ThreadCloser
type Handle (line 72) | type Handle struct
method Close (line 80) | func (proc *Handle) Close() error {
method fd (line 122) | func (proc *Handle) fd() int {
method open (line 130) | func (proc *Handle) open(base ProcBase, path string, flags int) (_ *os...
method OpenRoot (line 157) | func (proc *Handle) OpenRoot(path string, flags int) (*os.File, error) {
method OpenSelf (line 183) | func (proc *Handle) OpenSelf(path string, flags int) (*os.File, error) {
method OpenPid (line 201) | func (proc *Handle) OpenPid(pid int, path string, flags int) (*os.File...
method OpenThreadSelf (line 228) | func (proc *Handle) OpenThreadSelf(path string, flags int) (*os.File, ...
method Readlink (line 237) | func (proc *Handle) Readlink(base ProcBase, path string) (string, erro...
type OpenOption (line 89) | type OpenOption
function UnmaskedProcRoot (line 95) | func UnmaskedProcRoot(how *libpathrs.ProcfsOpenHow) error {
function Open (line 102) | func Open(opts ...OpenOption) (*Handle, error) {
FILE: vendor/cyphar.com/go-pathrs/root_linux.go
type Root (line 35) | type Root struct
method Resolve (line 72) | func (r *Root) Resolve(path string) (*Handle, error) {
method ResolveNoFollow (line 90) | func (r *Root) ResolveNoFollow(path string) (*Handle, error) {
method Open (line 110) | func (r *Root) Open(path string) (*os.File, error) {
method OpenFile (line 126) | func (r *Root) OpenFile(path string, flags int) (*os.File, error) {
method Create (line 142) | func (r *Root) Create(path string, flags int, mode os.FileMode) (*os.F...
method Rename (line 158) | func (r *Root) Rename(src, dst string, flags uint) error {
method RemoveDir (line 168) | func (r *Root) RemoveDir(path string) error {
method RemoveFile (line 177) | func (r *Root) RemoveFile(path string) error {
method Remove (line 189) | func (r *Root) Remove(path string) error {
method RemoveAll (line 212) | func (r *Root) RemoveAll(path string) error {
method Mkdir (line 224) | func (r *Root) Mkdir(path string, mode os.FileMode) error {
method MkdirAll (line 242) | func (r *Root) MkdirAll(path string, mode os.FileMode) (*Handle, error) {
method Mknod (line 266) | func (r *Root) Mknod(path string, mode os.FileMode, dev uint64) error {
method Symlink (line 283) | func (r *Root) Symlink(path, target string) error {
method Hardlink (line 297) | func (r *Root) Hardlink(path, target string) error {
method Readlink (line 308) | func (r *Root) Readlink(path string) (string, error) {
method IntoFile (line 324) | func (r *Root) IntoFile() *os.File {
method Clone (line 334) | func (r *Root) Clone() (*Root, error) {
method Close (line 339) | func (r *Root) Close() error {
function OpenRoot (line 40) | func OpenRoot(path string) (*Root, error) {
function RootFromFile (line 57) | func RootFromFile(file *os.File) (*Root, error) {
FILE: vendor/cyphar.com/go-pathrs/utils_linux.go
function toUnixMode (line 24) | func toUnixMode(mode os.FileMode, needsType bool) (uint32, error) {
FILE: vendor/github.com/checkpoint-restore/go-criu/v7/features.go
method FeatureCheck (line 29) | func (c *Criu) FeatureCheck(features *rpc.CriuFeatures) (*rpc.CriuFeatur...
FILE: vendor/github.com/checkpoint-restore/go-criu/v7/main.go
type Criu (line 16) | type Criu struct
method SetCriuPath (line 31) | func (c *Criu) SetCriuPath(path string) {
method Prepare (line 36) | func (c *Criu) Prepare() error {
method Cleanup (line 64) | func (c *Criu) Cleanup() error {
method sendAndRecv (line 79) | func (c *Criu) sendAndRecv(reqB []byte) ([]byte, int, error) {
method doSwrk (line 95) | func (c *Criu) doSwrk(reqType rpc.CriuReqType, opts *rpc.CriuOpts, nfy...
method doSwrkWithResp (line 108) | func (c *Criu) doSwrkWithResp(reqType rpc.CriuReqType, opts *rpc.CriuO...
method Dump (line 205) | func (c *Criu) Dump(opts *rpc.CriuOpts, nfy Notify) error {
method Restore (line 210) | func (c *Criu) Restore(opts *rpc.CriuOpts, nfy Notify) error {
method PreDump (line 215) | func (c *Criu) PreDump(opts *rpc.CriuOpts, nfy Notify) error {
method StartPageServer (line 220) | func (c *Criu) StartPageServer(opts *rpc.CriuOpts) error {
method StartPageServerChld (line 225) | func (c *Criu) StartPageServerChld(opts *rpc.CriuOpts) (int, int, erro...
method GetCriuVersion (line 236) | func (c *Criu) GetCriuVersion() (int, error) {
method IsCriuAtLeast (line 263) | func (c *Criu) IsCriuAtLeast(version int) (bool, error) {
function MakeCriu (line 23) | func MakeCriu() *Criu {
FILE: vendor/github.com/checkpoint-restore/go-criu/v7/notify.go
type Notify (line 4) | type Notify interface
type NoNotify (line 17) | type NoNotify struct
method PreDump (line 20) | func (c NoNotify) PreDump() error {
method PostDump (line 25) | func (c NoNotify) PostDump() error {
method PreRestore (line 30) | func (c NoNotify) PreRestore() error {
method PostRestore (line 35) | func (c NoNotify) PostRestore(pid int32) error {
method NetworkLock (line 40) | func (c NoNotify) NetworkLock() error {
method NetworkUnlock (line 45) | func (c NoNotify) NetworkUnlock() error {
method SetupNamespaces (line 50) | func (c NoNotify) SetupNamespaces(pid int32) error {
method PostSetupNamespaces (line 55) | func (c NoNotify) PostSetupNamespaces() error {
method PostResume (line 60) | func (c NoNotify) PostResume() error {
FILE: vendor/github.com/checkpoint-restore/go-criu/v7/rpc/rpc.pb.go
constant _ (line 20) | _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
constant _ (line 22) | _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
type CriuCgMode (line 25) | type CriuCgMode
method Enum (line 59) | func (x CriuCgMode) Enum() *CriuCgMode {
method String (line 65) | func (x CriuCgMode) String() string {
method Descriptor (line 69) | func (CriuCgMode) Descriptor() protoreflect.EnumDescriptor {
method Type (line 73) | func (CriuCgMode) Type() protoreflect.EnumType {
method Number (line 77) | func (x CriuCgMode) Number() protoreflect.EnumNumber {
method UnmarshalJSON (line 82) | func (x *CriuCgMode) UnmarshalJSON(b []byte) error {
method EnumDescriptor (line 92) | func (CriuCgMode) EnumDescriptor() ([]byte, []int) {
constant CriuCgMode_IGNORE (line 28) | CriuCgMode_IGNORE CriuCgMode = 0
constant CriuCgMode_CG_NONE (line 29) | CriuCgMode_CG_NONE CriuCgMode = 1
constant CriuCgMode_PROPS (line 30) | CriuCgMode_PROPS CriuCgMode = 2
constant CriuCgMode_SOFT (line 31) | CriuCgMode_SOFT CriuCgMode = 3
constant CriuCgMode_FULL (line 32) | CriuCgMode_FULL CriuCgMode = 4
constant CriuCgMode_STRICT (line 33) | CriuCgMode_STRICT CriuCgMode = 5
constant CriuCgMode_DEFAULT (line 34) | CriuCgMode_DEFAULT CriuCgMode = 6
type CriuNetworkLockMethod (line 96) | type CriuNetworkLockMethod
method Enum (line 118) | func (x CriuNetworkLockMethod) Enum() *CriuNetworkLockMethod {
method String (line 124) | func (x CriuNetworkLockMethod) String() string {
method Descriptor (line 128) | func (CriuNetworkLockMethod) Descriptor() protoreflect.EnumDescriptor {
method Type (line 132) | func (CriuNetworkLockMethod) Type() protoreflect.EnumType {
method Number (line 136) | func (x CriuNetworkLockMethod) Number() protoreflect.EnumNumber {
method UnmarshalJSON (line 141) | func (x *CriuNetworkLockMethod) UnmarshalJSON(b []byte) error {
method EnumDescriptor (line 151) | func (CriuNetworkLockMethod) EnumDescriptor() ([]byte, []int) {
constant CriuNetworkLockMethod_IPTABLES (line 99) | CriuNetworkLockMethod_IPTABLES CriuNetworkLockMethod = 1
constant CriuNetworkLockMethod_NFTABLES (line 100) | CriuNetworkLockMethod_NFTABLES CriuNetworkLockMethod = 2
constant CriuNetworkLockMethod_SKIP (line 101) | CriuNetworkLockMethod_SKIP CriuNetworkLockMethod = 3
type CriuPreDumpMode (line 155) | type CriuPreDumpMode
method Enum (line 174) | func (x CriuPreDumpMode) Enum() *CriuPreDumpMode {
method String (line 180) | func (x CriuPreDumpMode) String() string {
method Descriptor (line 184) | func (CriuPreDumpMode) Descriptor() protoreflect.EnumDescriptor {
method Type (line 188) | func (CriuPreDumpMode) Type() protoreflect.EnumType {
method Number (line 192) | func (x CriuPreDumpMode) Number() protoreflect.EnumNumber {
method UnmarshalJSON (line 197) | func (x *CriuPreDumpMode) UnmarshalJSON(b []byte) error {
method EnumDescriptor (line 207) | func (CriuPreDumpMode) EnumDescriptor() ([]byte, []int) {
constant CriuPreDumpMode_SPLICE (line 158) | CriuPreDumpMode_SPLICE CriuPreDumpMode = 1
constant CriuPreDumpMode_VM_READ (line 159) | CriuPreDumpMode_VM_READ CriuPreDumpMode = 2
type CriuReqType (line 211) | type CriuReqType
method Enum (line 266) | func (x CriuReqType) Enum() *CriuReqType {
method String (line 272) | func (x CriuReqType) String() string {
method Descriptor (line 276) | func (CriuReqType) Descriptor() protoreflect.EnumDescriptor {
method Type (line 280) | func (CriuReqType) Type() protoreflect.EnumType {
method Number (line 284) | func (x CriuReqType) Number() protoreflect.EnumNumber {
method UnmarshalJSON (line 289) | func (x *CriuReqType) UnmarshalJSON(b []byte) error {
method EnumDescriptor (line 299) | func (CriuReqType) EnumDescriptor() ([]byte, []int) {
constant CriuReqType_EMPTY (line 214) | CriuReqType_EMPTY CriuReqType = 0
constant CriuReqType_DUMP (line 215) | CriuReqType_DUMP CriuReqType = 1
constant CriuReqType_RESTORE (line 216) | CriuReqType_RESTORE CriuReqType = 2
constant CriuReqType_CHECK (line 217) | CriuReqType_CHECK CriuReqType = 3
constant CriuReqType_PRE_DUMP (line 218) | CriuReqType_PRE_DUMP CriuReqType = 4
constant CriuReqType_PAGE_SERVER (line 219) | CriuReqType_PAGE_SERVER CriuReqType = 5
constant CriuReqType_NOTIFY (line 220) | CriuReqType_NOTIFY CriuReqType = 6
constant CriuReqType_CPUINFO_DUMP (line 221) | CriuReqType_CPUINFO_DUMP CriuReqType = 7
constant CriuReqType_CPUINFO_CHECK (line 222) | CriuReqType_CPUINFO_CHECK CriuReqType = 8
constant CriuReqType_FEATURE_CHECK (line 223) | CriuReqType_FEATURE_CHECK CriuReqType = 9
constant CriuReqType_VERSION (line 224) | CriuReqType_VERSION CriuReqType = 10
constant CriuReqType_WAIT_PID (line 225) | CriuReqType_WAIT_PID CriuReqType = 11
constant CriuReqType_PAGE_SERVER_CHLD (line 226) | CriuReqType_PAGE_SERVER_CHLD CriuReqType = 12
constant CriuReqType_SINGLE_PRE_DUMP (line 227) | CriuReqType_SINGLE_PRE_DUMP CriuReqType = 13
type CriuPageServerInfo (line 303) | type CriuPageServerInfo struct
method Reset (line 314) | func (x *CriuPageServerInfo) Reset() {
method String (line 323) | func (x *CriuPageServerInfo) String() string {
method ProtoMessage (line 327) | func (*CriuPageServerInfo) ProtoMessage() {}
method ProtoReflect (line 329) | func (x *CriuPageServerInfo) ProtoReflect() protoreflect.Message {
method Descriptor (line 342) | func (*CriuPageServerInfo) Descriptor() ([]byte, []int) {
method GetAddress (line 346) | func (x *CriuPageServerInfo) GetAddress() string {
method GetPort (line 353) | func (x *CriuPageServerInfo) GetPort() int32 {
method GetPid (line 360) | func (x *CriuPageServerInfo) GetPid() int32 {
method GetFd (line 367) | func (x *CriuPageServerInfo) GetFd() int32 {
type CriuVethPair (line 374) | type CriuVethPair struct
method Reset (line 383) | func (x *CriuVethPair) Reset() {
method String (line 392) | func (x *CriuVethPair) String() string {
method ProtoMessage (line 396) | func (*CriuVethPair) ProtoMessage() {}
method ProtoReflect (line 398) | func (x *CriuVethPair) ProtoReflect() protoreflect.Message {
method Descriptor (line 411) | func (*CriuVethPair) Descriptor() ([]byte, []int) {
method GetIfIn (line 415) | func (x *CriuVethPair) GetIfIn() string {
method GetIfOut (line 422) | func (x *CriuVethPair) GetIfOut() string {
type ExtMountMap (line 429) | type ExtMountMap struct
method Reset (line 438) | func (x *ExtMountMap) Reset() {
method String (line 447) | func (x *ExtMountMap) String() string {
method ProtoMessage (line 451) | func (*ExtMountMap) ProtoMessage() {}
method ProtoReflect (line 453) | func (x *ExtMountMap) ProtoReflect() protoreflect.Message {
method Descriptor (line 466) | func (*ExtMountMap) Descriptor() ([]byte, []int) {
method GetKey (line 470) | func (x *ExtMountMap) GetKey() string {
method GetVal (line 477) | func (x *ExtMountMap) GetVal() string {
type JoinNamespace (line 484) | type JoinNamespace struct
method Reset (line 494) | func (x *JoinNamespace) Reset() {
method String (line 503) | func (x *JoinNamespace) String() string {
method ProtoMessage (line 507) | func (*JoinNamespace) ProtoMessage() {}
method ProtoReflect (line 509) | func (x *JoinNamespace) ProtoReflect() protoreflect.Message {
method Descriptor (line 522) | func (*JoinNamespace) Descriptor() ([]byte, []int) {
method GetNs (line 526) | func (x *JoinNamespace) GetNs() string {
method GetNsFile (line 533) | func (x *JoinNamespace) GetNsFile() string {
method GetExtraOpt (line 540) | func (x *JoinNamespace) GetExtraOpt() string {
type InheritFd (line 547) | type InheritFd struct
method Reset (line 556) | func (x *InheritFd) Reset() {
method String (line 565) | func (x *InheritFd) String() string {
method ProtoMessage (line 569) | func (*InheritFd) ProtoMessage() {}
method ProtoReflect (line 571) | func (x *InheritFd) ProtoReflect() protoreflect.Message {
method Descriptor (line 584) | func (*InheritFd) Descriptor() ([]byte, []int) {
method GetKey (line 588) | func (x *InheritFd) GetKey() string {
method GetFd (line 595) | func (x *InheritFd) GetFd() int32 {
type CgroupRoot (line 602) | type CgroupRoot struct
method Reset (line 611) | func (x *CgroupRoot) Reset() {
method String (line 620) | func (x *CgroupRoot) String() string {
method ProtoMessage (line 624) | func (*CgroupRoot) ProtoMessage() {}
method ProtoReflect (line 626) | func (x *CgroupRoot) ProtoReflect() protoreflect.Message {
method Descriptor (line 639) | func (*CgroupRoot) Descriptor() ([]byte, []int) {
method GetCtrl (line 643) | func (x *CgroupRoot) GetCtrl() string {
method GetPath (line 650) | func (x *CgroupRoot) GetPath() string {
type UnixSk (line 657) | type UnixSk struct
method Reset (line 665) | func (x *UnixSk) Reset() {
method String (line 674) | func (x *UnixSk) String() string {
method ProtoMessage (line 678) | func (*UnixSk) ProtoMessage() {}
method ProtoReflect (line 680) | func (x *UnixSk) ProtoReflect() protoreflect.Message {
method Descriptor (line 693) | func (*UnixSk) Descriptor() ([]byte, []int) {
method GetInode (line 697) | func (x *UnixSk) GetInode() uint32 {
type CriuOpts (line 704) | type CriuOpts struct
method Reset (line 791) | func (x *CriuOpts) Reset() {
method String (line 800) | func (x *CriuOpts) String() string {
method ProtoMessage (line 804) | func (*CriuOpts) ProtoMessage() {}
method ProtoReflect (line 806) | func (x *CriuOpts) ProtoReflect() protoreflect.Message {
method Descriptor (line 819) | func (*CriuOpts) Descriptor() ([]byte, []int) {
method GetImagesDirFd (line 823) | func (x *CriuOpts) GetImagesDirFd() int32 {
method GetImagesDir (line 830) | func (x *CriuOpts) GetImagesDir() string {
method GetPid (line 837) | func (x *CriuOpts) GetPid() int32 {
method GetLeaveRunning (line 844) | func (x *CriuOpts) GetLeaveRunning() bool {
method GetExtUnixSk (line 851) | func (x *CriuOpts) GetExtUnixSk() bool {
method GetTcpEstablished (line 858) | func (x *CriuOpts) GetTcpEstablished() bool {
method GetEvasiveDevices (line 865) | func (x *CriuOpts) GetEvasiveDevices() bool {
method GetShellJob (line 872) | func (x *CriuOpts) GetShellJob() bool {
method GetFileLocks (line 879) | func (x *CriuOpts) GetFileLocks() bool {
method GetLogLevel (line 886) | func (x *CriuOpts) GetLogLevel() int32 {
method GetLogFile (line 893) | func (x *CriuOpts) GetLogFile() string {
method GetPs (line 900) | func (x *CriuOpts) GetPs() *CriuPageServerInfo {
method GetNotifyScripts (line 907) | func (x *CriuOpts) GetNotifyScripts() bool {
method GetRoot (line 914) | func (x *CriuOpts) GetRoot() string {
method GetParentImg (line 921) | func (x *CriuOpts) GetParentImg() string {
method GetTrackMem (line 928) | func (x *CriuOpts) GetTrackMem() bool {
method GetAutoDedup (line 935) | func (x *CriuOpts) GetAutoDedup() bool {
method GetWorkDirFd (line 942) | func (x *CriuOpts) GetWorkDirFd() int32 {
method GetLinkRemap (line 949) | func (x *CriuOpts) GetLinkRemap() bool {
method GetVeths (line 956) | func (x *CriuOpts) GetVeths() []*CriuVethPair {
method GetCpuCap (line 963) | func (x *CriuOpts) GetCpuCap() uint32 {
method GetForceIrmap (line 970) | func (x *CriuOpts) GetForceIrmap() bool {
method GetExecCmd (line 977) | func (x *CriuOpts) GetExecCmd() []string {
method GetExtMnt (line 984) | func (x *CriuOpts) GetExtMnt() []*ExtMountMap {
method GetManageCgroups (line 991) | func (x *CriuOpts) GetManageCgroups() bool {
method GetCgRoot (line 998) | func (x *CriuOpts) GetCgRoot() []*CgroupRoot {
method GetRstSibling (line 1005) | func (x *CriuOpts) GetRstSibling() bool {
method GetInheritFd (line 1012) | func (x *CriuOpts) GetInheritFd() []*InheritFd {
method GetAutoExtMnt (line 1019) | func (x *CriuOpts) GetAutoExtMnt() bool {
method GetExtSharing (line 1026) | func (x *CriuOpts) GetExtSharing() bool {
method GetExtMasters (line 1033) | func (x *CriuOpts) GetExtMasters() bool {
method GetSkipMnt (line 1040) | func (x *CriuOpts) GetSkipMnt() []string {
method GetEnableFs (line 1047) | func (x *CriuOpts) GetEnableFs() []string {
method GetUnixSkIno (line 1054) | func (x *CriuOpts) GetUnixSkIno() []*UnixSk {
method GetManageCgroupsMode (line 1061) | func (x *CriuOpts) GetManageCgroupsMode() CriuCgMode {
method GetGhostLimit (line 1068) | func (x *CriuOpts) GetGhostLimit() uint32 {
method GetIrmapScanPaths (line 1075) | func (x *CriuOpts) GetIrmapScanPaths() []string {
method GetExternal (line 1082) | func (x *CriuOpts) GetExternal() []string {
method GetEmptyNs (line 1089) | func (x *CriuOpts) GetEmptyNs() uint32 {
method GetJoinNs (line 1096) | func (x *CriuOpts) GetJoinNs() []*JoinNamespace {
method GetCgroupProps (line 1103) | func (x *CriuOpts) GetCgroupProps() string {
method GetCgroupPropsFile (line 1110) | func (x *CriuOpts) GetCgroupPropsFile() string {
method GetCgroupDumpController (line 1117) | func (x *CriuOpts) GetCgroupDumpController() []string {
method GetFreezeCgroup (line 1124) | func (x *CriuOpts) GetFreezeCgroup() string {
method GetTimeout (line 1131) | func (x *CriuOpts) GetTimeout() uint32 {
method GetTcpSkipInFlight (line 1138) | func (x *CriuOpts) GetTcpSkipInFlight() bool {
method GetWeakSysctls (line 1145) | func (x *CriuOpts) GetWeakSysctls() bool {
method GetLazyPages (line 1152) | func (x *CriuOpts) GetLazyPages() bool {
method GetStatusFd (line 1159) | func (x *CriuOpts) GetStatusFd() int32 {
method GetOrphanPtsMaster (line 1166) | func (x *CriuOpts) GetOrphanPtsMaster() bool {
method GetConfigFile (line 1173) | func (x *CriuOpts) GetConfigFile() string {
method GetTcpClose (line 1180) | func (x *CriuOpts) GetTcpClose() bool {
method GetLsmProfile (line 1187) | func (x *CriuOpts) GetLsmProfile() string {
method GetTlsCacert (line 1194) | func (x *CriuOpts) GetTlsCacert() string {
method GetTlsCacrl (line 1201) | func (x *CriuOpts) GetTlsCacrl() string {
method GetTlsCert (line 1208) | func (x *CriuOpts) GetTlsCert() string {
method GetTlsKey (line 1215) | func (x *CriuOpts) GetTlsKey() string {
method GetTls (line 1222) | func (x *CriuOpts) GetTls() bool {
method GetTlsNoCnVerify (line 1229) | func (x *CriuOpts) GetTlsNoCnVerify() bool {
method GetCgroupYard (line 1236) | func (x *CriuOpts) GetCgroupYard() string {
method GetPreDumpMode (line 1243) | func (x *CriuOpts) GetPreDumpMode() CriuPreDumpMode {
method GetPidfdStoreSk (line 1250) | func (x *CriuOpts) GetPidfdStoreSk() int32 {
method GetLsmMountContext (line 1257) | func (x *CriuOpts) GetLsmMountContext() string {
method GetNetworkLock (line 1264) | func (x *CriuOpts) GetNetworkLock() CriuNetworkLockMethod {
method GetMntnsCompatMode (line 1271) | func (x *CriuOpts) GetMntnsCompatMode() bool {
method GetSkipFileRwxCheck (line 1278) | func (x *CriuOpts) GetSkipFileRwxCheck() bool {
method GetUnprivileged (line 1285) | func (x *CriuOpts) GetUnprivileged() bool {
method GetLeaveStopped (line 1292) | func (x *CriuOpts) GetLeaveStopped() bool {
method GetDisplayStats (line 1299) | func (x *CriuOpts) GetDisplayStats() bool {
method GetLogToStderr (line 1306) | func (x *CriuOpts) GetLogToStderr() bool {
constant Default_CriuOpts_ImagesDirFd (line 783) | Default_CriuOpts_ImagesDirFd = int32(-1)
constant Default_CriuOpts_LogLevel (line 784) | Default_CriuOpts_LogLevel = int32(2)
constant Default_CriuOpts_CpuCap (line 785) | Default_CriuOpts_CpuCap = uint32(4294967295)
constant Default_CriuOpts_GhostLimit (line 786) | Default_CriuOpts_GhostLimit = uint32(1048576)
constant Default_CriuOpts_PreDumpMode (line 787) | Default_CriuOpts_PreDumpMode = CriuPreDumpMode_SPLICE
constant Default_CriuOpts_NetworkLock (line 788) | Default_CriuOpts_NetworkLock = CriuNetworkLockMethod_IPTABLES
type CriuDumpResp (line 1313) | type CriuDumpResp struct
method Reset (line 1321) | func (x *CriuDumpResp) Reset() {
method String (line 1330) | func (x *CriuDumpResp) String() string {
method ProtoMessage (line 1334) | func (*CriuDumpResp) ProtoMessage() {}
method ProtoReflect (line 1336) | func (x *CriuDumpResp) ProtoReflect() protoreflect.Message {
method Descriptor (line 1349) | func (*CriuDumpResp) Descriptor() ([]byte, []int) {
method GetRestored (line 1353) | func (x *CriuDumpResp) GetRestored() bool {
type CriuRestoreResp (line 1360) | type CriuRestoreResp struct
method Reset (line 1368) | func (x *CriuRestoreResp) Reset() {
method String (line 1377) | func (x *CriuRestoreResp) String() string {
method ProtoMessage (line 1381) | func (*CriuRestoreResp) ProtoMessage() {}
method ProtoReflect (line 1383) | func (x *CriuRestoreResp) ProtoReflect() protoreflect.Message {
method Descriptor (line 1396) | func (*CriuRestoreResp) Descriptor() ([]byte, []int) {
method GetPid (line 1400) | func (x *CriuRestoreResp) GetPid() int32 {
type CriuNotify (line 1407) | type CriuNotify struct
method Reset (line 1416) | func (x *CriuNotify) Reset() {
method String (line 1425) | func (x *CriuNotify) String() string {
method ProtoMessage (line 1429) | func (*CriuNotify) ProtoMessage() {}
method ProtoReflect (line 1431) | func (x *CriuNotify) ProtoReflect() protoreflect.Message {
method Descriptor (line 1444) | func (*CriuNotify) Descriptor() ([]byte, []int) {
method GetScript (line 1448) | func (x *CriuNotify) GetScript() string {
method GetPid (line 1455) | func (x *CriuNotify) GetPid() int32 {
type CriuFeatures (line 1464) | type CriuFeatures struct
method Reset (line 1474) | func (x *CriuFeatures) Reset() {
method String (line 1483) | func (x *CriuFeatures) String() string {
method ProtoMessage (line 1487) | func (*CriuFeatures) ProtoMessage() {}
method ProtoReflect (line 1489) | func (x *CriuFeatures) ProtoReflect() protoreflect.Message {
method Descriptor (line 1502) | func (*CriuFeatures) Descriptor() ([]byte, []int) {
method GetMemTrack (line 1506) | func (x *CriuFeatures) GetMemTrack() bool {
method GetLazyPages (line 1513) | func (x *CriuFeatures) GetLazyPages() bool {
method GetPidfdStore (line 1520) | func (x *CriuFeatures) GetPidfdStore() bool {
type CriuReq (line 1527) | type CriuReq struct
method Reset (line 1547) | func (x *CriuReq) Reset() {
method String (line 1556) | func (x *CriuReq) String() string {
method ProtoMessage (line 1560) | func (*CriuReq) ProtoMessage() {}
method ProtoReflect (line 1562) | func (x *CriuReq) ProtoReflect() protoreflect.Message {
method Descriptor (line 1575) | func (*CriuReq) Descriptor() ([]byte, []int) {
method GetType (line 1579) | func (x *CriuReq) GetType() CriuReqType {
method GetOpts (line 1586) | func (x *CriuReq) GetOpts() *CriuOpts {
method GetNotifySuccess (line 1593) | func (x *CriuReq) GetNotifySuccess() bool {
method GetKeepOpen (line 1600) | func (x *CriuReq) GetKeepOpen() bool {
method GetFeatures (line 1607) | func (x *CriuReq) GetFeatures() *CriuFeatures {
method GetPid (line 1614) | func (x *CriuReq) GetPid() uint32 {
type CriuResp (line 1621) | type CriuResp struct
method Reset (line 1639) | func (x *CriuResp) Reset() {
method String (line 1648) | func (x *CriuResp) String() string {
method ProtoMessage (line 1652) | func (*CriuResp) ProtoMessage() {}
method ProtoReflect (line 1654) | func (x *CriuResp) ProtoReflect() protoreflect.Message {
method Descriptor (line 1667) | func (*CriuResp) Descriptor() ([]byte, []int) {
method GetType (line 1671) | func (x *CriuResp) GetType() CriuReqType {
method GetSuccess (line 1678) | func (x *CriuResp) GetSuccess() bool {
method GetDump (line 1685) | func (x *CriuResp) GetDump() *CriuDumpResp {
method GetRestore (line 1692) | func (x *CriuResp) GetRestore() *CriuRestoreResp {
method GetNotify (line 1699) | func (x *CriuResp) GetNotify() *CriuNotify {
method GetPs (line 1706) | func (x *CriuResp) GetPs() *CriuPageServerInfo {
method GetCrErrno (line 1713) | func (x *CriuResp) GetCrErrno() int32 {
method GetFeatures (line 1720) | func (x *CriuResp) GetFeatures() *CriuFeatures {
method GetCrErrmsg (line 1727) | func (x *CriuResp) GetCrErrmsg() string {
method GetVersion (line 1734) | func (x *CriuResp) GetVersion() *CriuVersion {
method GetStatus (line 1741) | func (x *CriuResp) GetStatus() int32 {
type CriuVersion (line 1749) | type CriuVersion struct
method Reset (line 1762) | func (x *CriuVersion) Reset() {
method String (line 1771) | func (x *CriuVersion) String() string {
method ProtoMessage (line 1775) | func (*CriuVersion) ProtoMessage() {}
method ProtoReflect (line 1777) | func (x *CriuVersion) ProtoReflect() protoreflect.Message {
method Descriptor (line 1790) | func (*CriuVersion) Descriptor() ([]byte, []int) {
method GetMajorNumber (line 1794) | func (x *CriuVersion) GetMajorNumber() int32 {
method GetMinorNumber (line 1801) | func (x *CriuVersion) GetMinorNumber() int32 {
method GetGitid (line 1808) | func (x *CriuVersion) GetGitid() string {
method GetSublevel (line 1815) | func (x *CriuVersion) GetSublevel() int32 {
method GetExtra (line 1822) | func (x *CriuVersion) GetExtra() int32 {
method GetName (line 1829) | func (x *CriuVersion) GetName() string {
function file_rpc_rpc_proto_rawDescGZIP (line 2126) | func file_rpc_rpc_proto_rawDescGZIP() []byte {
function init (line 2184) | func init() { file_rpc_rpc_proto_init() }
function file_rpc_rpc_proto_init (line 2185) | func file_rpc_rpc_proto_init() {
FILE: vendor/github.com/cilium/ebpf/asm/alu.go
type Source (line 11) | type Source
constant sourceMask (line 13) | sourceMask OpCode = 0x0008
constant InvalidSource (line 19) | InvalidSource Source = 0xffff
constant ImmSource (line 21) | ImmSource Source = 0x0000
constant RegSource (line 23) | RegSource Source = 0x0008
type Endianness (line 27) | type Endianness
constant endianMask (line 29) | endianMask = sourceMask
constant InvalidEndian (line 33) | InvalidEndian Endianness = 0xff
constant LE (line 35) | LE Endianness = 0x00
constant BE (line 37) | BE Endianness = 0x08
type ALUOp (line 46) | type ALUOp
method Op (line 137) | func (op ALUOp) Op(source Source) OpCode {
method Reg (line 142) | func (op ALUOp) Reg(dst, src Register) Instruction {
method Imm (line 151) | func (op ALUOp) Imm(dst Register, value int32) Instruction {
method Op32 (line 160) | func (op ALUOp) Op32(source Source) OpCode {
method Reg32 (line 165) | func (op ALUOp) Reg32(dst, src Register) Instruction {
method Imm32 (line 174) | func (op ALUOp) Imm32(dst Register, value int32) Instruction {
constant aluMask (line 48) | aluMask OpCode = 0x3ff0
constant InvalidALUOp (line 53) | InvalidALUOp ALUOp = 0xffff
constant Add (line 55) | Add ALUOp = 0x0000
constant Sub (line 57) | Sub ALUOp = 0x0010
constant Mul (line 59) | Mul ALUOp = 0x0020
constant Div (line 61) | Div ALUOp = 0x0030
constant SDiv (line 63) | SDiv ALUOp = Div + 0x0100
constant Or (line 65) | Or ALUOp = 0x0040
constant And (line 67) | And ALUOp = 0x0050
constant LSh (line 69) | LSh ALUOp = 0x0060
constant RSh (line 71) | RSh ALUOp = 0x0070
constant Neg (line 73) | Neg ALUOp = 0x0080
constant Mod (line 75) | Mod ALUOp = 0x0090
constant SMod (line 77) | SMod ALUOp = Mod + 0x0100
constant Xor (line 79) | Xor ALUOp = 0x00a0
constant Mov (line 81) | Mov ALUOp = 0x00b0
constant MovSX8 (line 83) | MovSX8 ALUOp = Mov + 0x0100
constant MovSX16 (line 85) | MovSX16 ALUOp = Mov + 0x0200
constant MovSX32 (line 87) | MovSX32 ALUOp = Mov + 0x0300
constant ArSh (line 89) | ArSh ALUOp = 0x00c0
constant Swap (line 91) | Swap ALUOp = 0x00d0
function HostTo (line 95) | func HostTo(endian Endianness, dst Register, size Size) Instruction {
function BSwap (line 116) | func BSwap(dst Register, size Size) Instruction {
FILE: vendor/github.com/cilium/ebpf/asm/alu_string.go
function _ (line 7) | func _() {
constant _Source_name_0 (line 17) | _Source_name_0 = "ImmSource"
constant _Source_name_1 (line 18) | _Source_name_1 = "RegSource"
constant _Source_name_2 (line 19) | _Source_name_2 = "InvalidSource"
method String (line 22) | func (i Source) String() string {
function _ (line 34) | func _() {
constant _Endianness_name_0 (line 44) | _Endianness_name_0 = "LE"
constant _Endianness_name_1 (line 45) | _Endianness_name_1 = "BE"
constant _Endianness_name_2 (line 46) | _Endianness_name_2 = "InvalidEndian"
method String (line 49) | func (i Endianness) String() string {
function _ (line 61) | func _() {
constant _ALUOp_name (line 87) | _ALUOp_name = "AddSubMulDivOrAndLShRShNegModXorMovArShSwapSDivSModMovSX8...
method String (line 112) | func (i ALUOp) String() string {
FILE: vendor/github.com/cilium/ebpf/asm/func.go
type BuiltinFunc (line 6) | type BuiltinFunc
method Call (line 239) | func (fn BuiltinFunc) Call() Instruction {
constant FnUnspec (line 24) | FnUnspec BuiltinFunc = iota
constant FnMapLookupElem (line 25) | FnMapLookupElem
constant FnMapUpdateElem (line 26) | FnMapUpdateElem
constant FnMapDeleteElem (line 27) | FnMapDeleteElem
constant FnProbeRead (line 28) | FnProbeRead
constant FnKtimeGetNs (line 29) | FnKtimeGetNs
constant FnTracePrintk (line 30) | FnTracePrintk
constant FnGetPrandomU32 (line 31) | FnGetPrandomU32
constant FnGetSmpProcessorId (line 32) | FnGetSmpProcessorId
constant FnSkbStoreBytes (line 33) | FnSkbStoreBytes
constant FnL3CsumReplace (line 34) | FnL3CsumReplace
constant FnL4CsumReplace (line 35) | FnL4CsumReplace
constant FnTailCall (line 36) | FnTailCall
constant FnCloneRedirect (line 37) | FnCloneRedirect
constant FnGetCurrentPidTgid (line 38) | FnGetCurrentPidTgid
constant FnGetCurrentUidGid (line 39) | FnGetCurrentUidGid
constant FnGetCurrentComm (line 40) | FnGetCurrentComm
constant FnGetCgroupClassid (line 41) | FnGetCgroupClassid
constant FnSkbVlanPush (line 42) | FnSkbVlanPush
constant FnSkbVlanPop (line 43) | FnSkbVlanPop
constant FnSkbGetTunnelKey (line 44) | FnSkbGetTunnelKey
constant FnSkbSetTunnelKey (line 45) | FnSkbSetTunnelKey
constant FnPerfEventRead (line 46) | FnPerfEventRead
constant FnRedirect (line 47) | FnRedirect
constant FnGetRouteRealm (line 48) | FnGetRouteRealm
constant FnPerfEventOutput (line 49) | FnPerfEventOutput
constant FnSkbLoadBytes (line 50) | FnSkbLoadBytes
constant FnGetStackid (line 51) | FnGetStackid
constant FnCsumDiff (line 52) | FnCsumDiff
constant FnSkbGetTunnelOpt (line 53) | FnSkbGetTunnelOpt
constant FnSkbSetTunnelOpt (line 54) | FnSkbSetTunnelOpt
constant FnSkbChangeProto (line 55) | FnSkbChangeProto
constant FnSkbChangeType (line 56) | FnSkbChangeType
constant FnSkbUnderCgroup (line 57) | FnSkbUnderCgroup
constant FnGetHashRecalc (line 58) | FnGetHashRecalc
constant FnGetCurrentTask (line 59) | FnGetCurrentTask
constant FnProbeWriteUser (line 60) | FnProbeWriteUser
constant FnCurrentTaskUnderCgroup (line 61) | FnCurrentTaskUnderCgroup
constant FnSkbChangeTail (line 62) | FnSkbChangeTail
constant FnSkbPullData (line 63) | FnSkbPullData
constant FnCsumUpdate (line 64) | FnCsumUpdate
constant FnSetHashInvalid (line 65) | FnSetHashInvalid
constant FnGetNumaNodeId (line 66) | FnGetNumaNodeId
constant FnSkbChangeHead (line 67) | FnSkbChangeHead
constant FnXdpAdjustHead (line 68) | FnXdpAdjustHead
constant FnProbeReadStr (line 69) | FnProbeReadStr
constant FnGetSocketCookie (line 70) | FnGetSocketCookie
constant FnGetSocketUid (line 71) | FnGetSocketUid
constant FnSetHash (line 72) | FnSetHash
constant FnSetsockopt (line 73) | FnSetsockopt
constant FnSkbAdjustRoom (line 74) | FnSkbAdjustRoom
constant FnRedirectMap (line 75) | FnRedirectMap
constant FnSkRedirectMap (line 76) | FnSkRedirectMap
constant FnSockMapUpdate (line 77) | FnSockMapUpdate
constant FnXdpAdjustMeta (line 78) | FnXdpAdjustMeta
constant FnPerfEventReadValue (line 79) | FnPerfEventReadValue
constant FnPerfProgReadValue (line 80) | FnPerfProgReadValue
constant FnGetsockopt (line 81) | FnGetsockopt
constant FnOverrideReturn (line 82) | FnOverrideReturn
constant FnSockOpsCbFlagsSet (line 83) | FnSockOpsCbFlagsSet
constant FnMsgRedirectMap (line 84) | FnMsgRedirectMap
constant FnMsgApplyBytes (line 85) | FnMsgApplyBytes
constant FnMsgCorkBytes (line 86) | FnMsgCorkBytes
constant FnMsgPullData (line 87) | FnMsgPullData
constant FnBind (line 88) | FnBind
constant FnXdpAdjustTail (line 89) | FnXdpAdjustTail
constant FnSkbGetXfrmState (line 90) | FnSkbGetXfrmState
constant FnGetStack (line 91) | FnGetStack
constant FnSkbLoadBytesRelative (line 92) | FnSkbLoadBytesRelative
constant FnFibLookup (line 93) | FnFibLookup
constant FnSockHashUpdate (line 94) | FnSockHashUpdate
constant FnMsgRedirectHash (line 95) | FnMsgRedirectHash
constant FnSkRedirectHash (line 96) | FnSkRedirectHash
constant FnLwtPushEncap (line 97) | FnLwtPushEncap
constant FnLwtSeg6StoreBytes (line 98) | FnLwtSeg6StoreBytes
constant FnLwtSeg6AdjustSrh (line 99) | FnLwtSeg6AdjustSrh
constant FnLwtSeg6Action (line 100) | FnLwtSeg6Action
constant FnRcRepeat (line 101) | FnRcRepeat
constant FnRcKeydown (line 102) | FnRcKeydown
constant FnSkbCgroupId (line 103) | FnSkbCgroupId
constant FnGetCurrentCgroupId (line 104) | FnGetCurrentCgroupId
constant FnGetLocalStorage (line 105) | FnGetLocalStorage
constant FnSkSelectReuseport (line 106) | FnSkSelectReuseport
constant FnSkbAncestorCgroupId (line 107) | FnSkbAncestorCgroupId
constant FnSkLookupTcp (line 108) | FnSkLookupTcp
constant FnSkLookupUdp (line 109) | FnSkLookupUdp
constant FnSkRelease (line 110) | FnSkRelease
constant FnMapPushElem (line 111) | FnMapPushElem
constant FnMapPopElem (line 112) | FnMapPopElem
constant FnMapPeekElem (line 113) | FnMapPeekElem
constant FnMsgPushData (line 114) | FnMsgPushData
constant FnMsgPopData (line 115) | FnMsgPopData
constant FnRcPointerRel (line 116) | FnRcPointerRel
constant FnSpinLock (line 117) | FnSpinLock
constant FnSpinUnlock (line 118) | FnSpinUnlock
constant FnSkFullsock (line 119) | FnSkFullsock
constant FnTcpSock (line 120) | FnTcpSock
constant FnSkbEcnSetCe (line 121) | FnSkbEcnSetCe
constant FnGetListenerSock (line 122) | FnGetListenerSock
constant FnSkcLookupTcp (line 123) | FnSkcLookupTcp
constant FnTcpCheckSyncookie (line 124) | FnTcpCheckSyncookie
constant FnSysctlGetName (line 125) | FnSysctlGetName
constant FnSysctlGetCurrentValue (line 126) | FnSysctlGetCurrentValue
constant FnSysctlGetNewValue (line 127) | FnSysctlGetNewValue
constant FnSysctlSetNewValue (line 128) | FnSysctlSetNewValue
constant FnStrtol (line 129) | FnStrtol
constant FnStrtoul (line 130) | FnStrtoul
constant FnSkStorageGet (line 131) | FnSkStorageGet
constant FnSkStorageDelete (line 132) | FnSkStorageDelete
constant FnSendSignal (line 133) | FnSendSignal
constant FnTcpGenSyncookie (line 134) | FnTcpGenSyncookie
constant FnSkbOutput (line 135) | FnSkbOutput
constant FnProbeReadUser (line 136) | FnProbeReadUser
constant FnProbeReadKernel (line 137) | FnProbeReadKernel
constant FnProbeReadUserStr (line 138) | FnProbeReadUserStr
constant FnProbeReadKernelStr (line 139) | FnProbeReadKernelStr
constant FnTcpSendAck (line 140) | FnTcpSendAck
constant FnSendSignalThread (line 141) | FnSendSignalThread
constant FnJiffies64 (line 142) | FnJiffies64
constant FnReadBranchRecords (line 143) | FnReadBranchRecords
constant FnGetNsCurrentPidTgid (line 144) | FnGetNsCurrentPidTgid
constant FnXdpOutput (line 145) | FnXdpOutput
constant FnGetNetnsCookie (line 146) | FnGetNetnsCookie
constant FnGetCurrentAncestorCgroupId (line 147) | FnGetCurrentAncestorCgroupId
constant FnSkAssign (line 148) | FnSkAssign
constant FnKtimeGetBootNs (line 149) | FnKtimeGetBootNs
constant FnSeqPrintf (line 150) | FnSeqPrintf
constant FnSeqWrite (line 151) | FnSeqWrite
constant FnSkCgroupId (line 152) | FnSkCgroupId
constant FnSkAncestorCgroupId (line 153) | FnSkAncestorCgroupId
constant FnRingbufOutput (line 154) | FnRingbufOutput
constant FnRingbufReserve (line 155) | FnRingbufReserve
constant FnRingbufSubmit (line 156) | FnRingbufSubmit
constant FnRingbufDiscard (line 157) | FnRingbufDiscard
constant FnRingbufQuery (line 158) | FnRingbufQuery
constant FnCsumLevel (line 159) | FnCsumLevel
constant FnSkcToTcp6Sock (line 160) | FnSkcToTcp6Sock
constant FnSkcToTcpSock (line 161) | FnSkcToTcpSock
constant FnSkcToTcpTimewaitSock (line 162) | FnSkcToTcpTimewaitSock
constant FnSkcToTcpRequestSock (line 163) | FnSkcToTcpRequestSock
constant FnSkcToUdp6Sock (line 164) | FnSkcToUdp6Sock
constant FnGetTaskStack (line 165) | FnGetTaskStack
constant FnLoadHdrOpt (line 166) | FnLoadHdrOpt
constant FnStoreHdrOpt (line 167) | FnStoreHdrOpt
constant FnReserveHdrOpt (line 168) | FnReserveHdrOpt
constant FnInodeStorageGet (line 169) | FnInodeStorageGet
constant FnInodeStorageDelete (line 170) | FnInodeStorageDelete
constant FnDPath (line 171) | FnDPath
constant FnCopyFromUser (line 172) | FnCopyFromUser
constant FnSnprintfBtf (line 173) | FnSnprintfBtf
constant FnSeqPrintfBtf (line 174) | FnSeqPrintfBtf
constant FnSkbCgroupClassid (line 175) | FnSkbCgroupClassid
constant FnRedirectNeigh (line 176) | FnRedirectNeigh
constant FnPerCpuPtr (line 177) | FnPerCpuPtr
constant FnThisCpuPtr (line 178) | FnThisCpuPtr
constant FnRedirectPeer (line 179) | FnRedirectPeer
constant FnTaskStorageGet (line 180) | FnTaskStorageGet
constant FnTaskStorageDelete (line 181) | FnTaskStorageDelete
constant FnGetCurrentTaskBtf (line 182) | FnGetCurrentTaskBtf
constant FnBprmOptsSet (line 183) | FnBprmOptsSet
constant FnKtimeGetCoarseNs (line 184) | FnKtimeGetCoarseNs
constant FnImaInodeHash (line 185) | FnImaInodeHash
constant FnSockFromFile (line 186) | FnSockFromFile
constant FnCheckMtu (line 187) | FnCheckMtu
constant FnForEachMapElem (line 188) | FnForEachMapElem
constant FnSnprintf (line 189) | FnSnprintf
constant FnSysBpf (line 190) | FnSysBpf
constant FnBtfFindByNameKind (line 191) | FnBtfFindByNameKind
constant FnSysClose (line 192) | FnSysClose
constant FnTimerInit (line 193) | FnTimerInit
constant FnTimerSetCallback (line 194) | FnTimerSetCallback
constant FnTimerStart (line 195) | FnTimerStart
constant FnTimerCancel (line 196) | FnTimerCancel
constant FnGetFuncIp (line 197) | FnGetFuncIp
constant FnGetAttachCookie (line 198) | FnGetAttachCookie
constant FnTaskPtRegs (line 199) | FnTaskPtRegs
constant FnGetBranchSnapshot (line 200) | FnGetBranchSnapshot
constant FnTraceVprintk (line 201) | FnTraceVprintk
constant FnSkcToUnixSock (line 202) | FnSkcToUnixSock
constant FnKallsymsLookupName (line 203) | FnKallsymsLookupName
constant FnFindVma (line 204) | FnFindVma
constant FnLoop (line 205) | FnLoop
constant FnStrncmp (line 206) | FnStrncmp
constant FnGetFuncArg (line 207) | FnGetFuncArg
constant FnGetFuncRet (line 208) | FnGetFuncRet
constant FnGetFuncArgCnt (line 209) | FnGetFuncArgCnt
constant FnGetRetval (line 210) | FnGetRetval
constant FnSetRetval (line 211) | FnSetRetval
constant FnXdpGetBuffLen (line 212) | FnXdpGetBuffLen
constant FnXdpLoadBytes (line 213) | FnXdpLoadBytes
constant FnXdpStoreBytes (line 214) | FnXdpStoreBytes
constant FnCopyFromUserTask (line 215) | FnCopyFromUserTask
constant FnSkbSetTstamp (line 216) | FnSkbSetTstamp
constant FnImaFileHash (line 217) | FnImaFileHash
constant FnKptrXchg (line 218) | FnKptrXchg
constant FnMapLookupPercpuElem (line 219) | FnMapLookupPercpuElem
constant FnSkcToMptcpSock (line 220) | FnSkcToMptcpSock
constant FnDynptrFromMem (line 221) | FnDynptrFromMem
constant FnRingbufReserveDynptr (line 222) | FnRingbufReserveDynptr
constant FnRingbufSubmitDynptr (line 223) | FnRingbufSubmitDynptr
constant FnRingbufDiscardDynptr (line 224) | FnRingbufDiscardDynptr
constant FnDynptrRead (line 225) | FnDynptrRead
constant FnDynptrWrite (line 226) | FnDynptrWrite
constant FnDynptrData (line 227) | FnDynptrData
constant FnTcpRawGenSyncookieIpv4 (line 228) | FnTcpRawGenSyncookieIpv4
constant FnTcpRawGenSyncookieIpv6 (line 229) | FnTcpRawGenSyncookieIpv6
constant FnTcpRawCheckSyncookieIpv4 (line 230) | FnTcpRawCheckSyncookieIpv4
constant FnTcpRawCheckSyncookieIpv6 (line 231) | FnTcpRawCheckSyncookieIpv6
constant FnKtimeGetTaiNs (line 232) | FnKtimeGetTaiNs
constant FnUserRingbufDrain (line 233) | FnUserRingbufDrain
constant FnCgrpStorageGet (line 234) | FnCgrpStorageGet
constant FnCgrpStorageDelete (line 235) | FnCgrpStorageDelete
FILE: vendor/github.com/cilium/ebpf/asm/func_string.go
function _ (line 7) | func _() {
constant _BuiltinFunc_name (line 225) | _BuiltinFunc_name = "FnUnspecFnMapLookupElemFnMapUpdateElemFnMapDeleteEl...
method String (line 229) | func (i BuiltinFunc) String() string {
FILE: vendor/github.com/cilium/ebpf/asm/instruction.go
constant InstructionSize (line 18) | InstructionSize = 8
type RawInstructionOffset (line 21) | type RawInstructionOffset
method Bytes (line 28) | func (rio RawInstructionOffset) Bytes() uint64 {
type Instruction (line 33) | type Instruction struct
method Unmarshal (line 45) | func (ins *Instruction) Unmarshal(r io.Reader, bo binary.ByteOrder) (u...
method Marshal (line 118) | func (ins Instruction) Marshal(w io.Writer, bo binary.ByteOrder) (uint...
method AssociateMap (line 195) | func (ins *Instruction) AssociateMap(m FDer) error {
method RewriteMapPtr (line 212) | func (ins *Instruction) RewriteMapPtr(fd int) error {
method encodeMapFD (line 222) | func (ins *Instruction) encodeMapFD(fd int) {
method MapPtr (line 235) | func (ins *Instruction) MapPtr() int {
method mapFd (line 247) | func (ins *Instruction) mapFd() int {
method RewriteMapOffset (line 254) | func (ins *Instruction) RewriteMapOffset(offset uint32) error {
method mapOffset (line 268) | func (ins *Instruction) mapOffset() uint32 {
method IsLoadFromMap (line 275) | func (ins *Instruction) IsLoadFromMap() bool {
method IsFunctionCall (line 282) | func (ins *Instruction) IsFunctionCall() bool {
method IsKfuncCall (line 289) | func (ins *Instruction) IsKfuncCall() bool {
method IsLoadOfFunctionPointer (line 294) | func (ins *Instruction) IsLoadOfFunctionPointer() bool {
method IsFunctionReference (line 301) | func (ins *Instruction) IsFunctionReference() bool {
method IsBuiltinCall (line 306) | func (ins *Instruction) IsBuiltinCall() bool {
method IsConstantLoad (line 312) | func (ins *Instruction) IsConstantLoad(size Size) bool {
method Format (line 317) | func (ins Instruction) Format(f fmt.State, c rune) {
method equal (line 430) | func (ins Instruction) equal(other Instruction) bool {
method Size (line 439) | func (ins Instruction) Size() uint64 {
method WithMetadata (line 445) | func (ins Instruction) WithMetadata(meta Metadata) Instruction {
method WithSymbol (line 454) | func (ins Instruction) WithSymbol(name string) Instruction {
method Sym (line 462) | func (ins Instruction) Sym(name string) Instruction {
method Symbol (line 469) | func (ins Instruction) Symbol() string {
method WithReference (line 477) | func (ins Instruction) WithReference(ref string) Instruction {
method Reference (line 483) | func (ins Instruction) Reference() string {
method Map (line 493) | func (ins Instruction) Map() FDer {
method WithSource (line 501) | func (ins Instruction) WithSource(src fmt.Stringer) Instruction {
method Source (line 509) | func (ins Instruction) Source() fmt.Stringer {
type symbolMeta (line 450) | type symbolMeta struct
type referenceMeta (line 474) | type referenceMeta struct
type mapMeta (line 488) | type mapMeta struct
type sourceMeta (line 498) | type sourceMeta struct
type Comment (line 516) | type Comment
method String (line 518) | func (s Comment) String() string {
type FDer (line 525) | type FDer interface
type Instructions (line 530) | type Instructions
method Unmarshal (line 534) | func (insns *Instructions) Unmarshal(r io.Reader, bo binary.ByteOrder)...
method Name (line 558) | func (insns Instructions) Name() string {
method String (line 565) | func (insns Instructions) String() string {
method Size (line 570) | func (insns Instructions) Size() uint64 {
method AssociateMap (line 584) | func (insns Instructions) AssociateMap(symbol string, m FDer) error {
method RewriteMapPtr (line 615) | func (insns Instructions) RewriteMapPtr(symbol string, fd int) error {
method SymbolOffsets (line 645) | func (insns Instructions) SymbolOffsets() (map[string]int, error) {
method FunctionReferences (line 665) | func (insns Instructions) FunctionReferences() []string {
method ReferenceOffsets (line 695) | func (insns Instructions) ReferenceOffsets() map[string][]int {
method Format (line 716) | func (insns Instructions) Format(f fmt.State, c rune) {
method Marshal (line 773) | func (insns Instructions) Marshal(w io.Writer, bo binary.ByteOrder) er...
method Tag (line 795) | func (insns Instructions) Tag(bo binary.ByteOrder) (string, error) {
method encodeFunctionReferences (line 818) | func (insns Instructions) encodeFunctionReferences() error {
method encodeMapPointers (line 874) | func (insns Instructions) encodeMapPointers() error {
method Iterate (line 903) | func (insns Instructions) Iterate() *InstructionIterator {
type InstructionIterator (line 908) | type InstructionIterator struct
method Next (line 920) | func (iter *InstructionIterator) Next() bool {
type bpfRegisters (line 934) | type bpfRegisters
function newBPFRegisters (line 936) | func newBPFRegisters(dst, src Register, bo binary.ByteOrder) (bpfRegiste...
function IsUnreferencedSymbol (line 951) | func IsUnreferencedSymbol(err error) bool {
FILE: vendor/github.com/cilium/ebpf/asm/jump.go
type JumpOp (line 11) | type JumpOp
method Op (line 59) | func (op JumpOp) Op(source Source) OpCode {
method Imm (line 64) | func (op JumpOp) Imm(dst Register, value int32, label string) Instruct...
method Imm32 (line 75) | func (op JumpOp) Imm32(dst Register, value int32, label string) Instru...
method Reg (line 85) | func (op JumpOp) Reg(dst, src Register, label string) Instruction {
method Reg32 (line 96) | func (op JumpOp) Reg32(dst, src Register, label string) Instruction {
method opCode (line 105) | func (op JumpOp) opCode(class Class, source Source) OpCode {
method Label (line 122) | func (op JumpOp) Label(label string) Instruction {
constant jumpMask (line 13) | jumpMask OpCode = 0xf0
constant InvalidJumpOp (line 18) | InvalidJumpOp JumpOp = 0xff
constant Ja (line 20) | Ja JumpOp = 0x00
constant JEq (line 22) | JEq JumpOp = 0x10
constant JGT (line 24) | JGT JumpOp = 0x20
constant JGE (line 26) | JGE JumpOp = 0x30
constant JSet (line 28) | JSet JumpOp = 0x40
constant JNE (line 30) | JNE JumpOp = 0x50
constant JSGT (line 32) | JSGT JumpOp = 0x60
constant JSGE (line 34) | JSGE JumpOp = 0x70
constant Call (line 36) | Call JumpOp = 0x80
constant Exit (line 38) | Exit JumpOp = 0x90
constant JLT (line 40) | JLT JumpOp = 0xa0
constant JLE (line 42) | JLE JumpOp = 0xb0
constant JSLT (line 44) | JSLT JumpOp = 0xc0
constant JSLE (line 46) | JSLE JumpOp = 0xd0
function Return (line 52) | func Return() Instruction {
function LongJump (line 114) | func LongJump(label string) Instruction {
FILE: vendor/github.com/cilium/ebpf/asm/jump_string.go
function _ (line 7) | func _() {
constant _JumpOp_name (line 28) | _JumpOp_name = "JaJEqJGTJGEJSetJNEJSGTJSGECallExitJLTJLEJSLTJSLEInvalidJ...
method String (line 48) | func (i JumpOp) String() string {
FILE: vendor/github.com/cilium/ebpf/asm/load_store.go
type Mode (line 11) | type Mode
constant modeMask (line 13) | modeMask OpCode = 0xe0
constant InvalidMode (line 18) | InvalidMode Mode = 0xff
constant ImmMode (line 20) | ImmMode Mode = 0x00
constant AbsMode (line 22) | AbsMode Mode = 0x20
constant IndMode (line 24) | IndMode Mode = 0x40
constant MemMode (line 26) | MemMode Mode = 0x60
constant MemSXMode (line 28) | MemSXMode Mode = 0x80
constant XAddMode (line 30) | XAddMode Mode = 0xc0
type Size (line 39) | type Size
method Sizeof (line 58) | func (s Size) Sizeof() int {
constant sizeMask (line 41) | sizeMask OpCode = 0x18
constant InvalidSize (line 46) | InvalidSize Size = 0xff
constant DWord (line 48) | DWord Size = 0x18
constant Word (line 50) | Word Size = 0x00
constant Half (line 52) | Half Size = 0x08
constant Byte (line 54) | Byte Size = 0x10
function LoadMemOp (line 74) | func LoadMemOp(size Size) OpCode {
function LoadMemSXOp (line 79) | func LoadMemSXOp(size Size) OpCode {
function LoadMem (line 84) | func LoadMem(dst, src Register, offset int16, size Size) Instruction {
function LoadMemSX (line 94) | func LoadMemSX(dst, src Register, offset int16, size Size) Instruction {
function LoadImmOp (line 110) | func LoadImmOp(size Size) OpCode {
function LoadImm (line 117) | func LoadImm(dst Register, value int64, size Size) Instruction {
function LoadMapPtr (line 126) | func LoadMapPtr(dst Register, fd int) Instruction {
function LoadMapValue (line 140) | func LoadMapValue(dst Register, fd int, offset uint32) Instruction {
function LoadIndOp (line 155) | func LoadIndOp(size Size) OpCode {
function LoadInd (line 160) | func LoadInd(dst, src Register, offset int32, size Size) Instruction {
function LoadAbsOp (line 170) | func LoadAbsOp(size Size) OpCode {
function LoadAbs (line 175) | func LoadAbs(offset int32, size Size) Instruction {
function StoreMemOp (line 184) | func StoreMemOp(size Size) OpCode {
function StoreMem (line 189) | func StoreMem(dst Register, offset int16, src Register, size Size) Instr...
function StoreImmOp (line 199) | func StoreImmOp(size Size) OpCode {
function StoreImm (line 204) | func StoreImm(dst Register, offset int16, value int64, size Size) Instru...
function StoreXAddOp (line 214) | func StoreXAddOp(size Size) OpCode {
function StoreXAdd (line 219) | func StoreXAdd(dst, src Register, size Size) Instruction {
FILE: vendor/github.com/cilium/ebpf/asm/load_store_string.go
function _ (line 7) | func _() {
constant _Mode_name_0 (line 21) | _Mode_name_0 = "ImmMode"
constant _Mode_name_1 (line 22) | _Mode_name_1 = "AbsMode"
constant _Mode_name_2 (line 23) | _Mode_name_2 = "IndMode"
constant _Mode_name_3 (line 24) | _Mode_name_3 = "MemMode"
constant _Mode_name_4 (line 25) | _Mode_name_4 = "MemSXMode"
constant _Mode_name_5 (line 26) | _Mode_name_5 = "XAddMode"
constant _Mode_name_6 (line 27) | _Mode_name_6 = "InvalidMode"
method String (line 30) | func (i Mode) String() string {
function _ (line 50) | func _() {
constant _Size_name_0 (line 62) | _Size_name_0 = "Word"
constant _Size_name_1 (line 63) | _Size_name_1 = "Half"
constant _Size_name_2 (line 64) | _Size_name_2 = "Byte"
constant _Size_name_3 (line 65) | _Size_name_3 = "DWord"
constant _Size_name_4 (line 66) | _Size_name_4 = "InvalidSize"
method String (line 69) | func (i Size) String() string {
FILE: vendor/github.com/cilium/ebpf/asm/metadata.go
type Metadata (line 4) | type Metadata struct
method find (line 16) | func (m *Metadata) find(key interface{}) *metaElement {
method remove (line 29) | func (m *Metadata) remove(r *metaElement) {
method Set (line 52) | func (m *Metadata) Set(key, value interface{}) {
method Get (line 75) | func (m *Metadata) Get(key interface{}) interface{} {
type metaElement (line 8) | type metaElement struct
FILE: vendor/github.com/cilium/ebpf/asm/opcode.go
type Class (line 16) | type Class
method IsLoad (line 42) | func (cls Class) IsLoad() bool {
method IsStore (line 47) | func (cls Class) IsStore() bool {
method isLoadOrStore (line 51) | func (cls Class) isLoadOrStore() bool {
method IsALU (line 56) | func (cls Class) IsALU() bool {
method IsJump (line 61) | func (cls Class) IsJump() bool {
method isJumpOrALU (line 65) | func (cls Class) isJumpOrALU() bool {
constant classMask (line 18) | classMask OpCode = 0x07
constant LdClass (line 23) | LdClass Class = 0x00
constant LdXClass (line 25) | LdXClass Class = 0x01
constant StClass (line 27) | StClass Class = 0x02
constant StXClass (line 29) | StXClass Class = 0x03
constant ALUClass (line 31) | ALUClass Class = 0x04
constant JumpClass (line 33) | JumpClass Class = 0x05
constant Jump32Class (line 36) | Jump32Class Class = 0x06
constant ALU64Class (line 38) | ALU64Class Class = 0x07
type OpCode (line 91) | type OpCode
method bpfOpCode (line 97) | func (op OpCode) bpfOpCode() (byte, error) {
method rawInstructions (line 109) | func (op OpCode) rawInstructions() int {
method IsDWordLoad (line 116) | func (op OpCode) IsDWordLoad() bool {
method Class (line 121) | func (op OpCode) Class() Class {
method Mode (line 126) | func (op OpCode) Mode() Mode {
method Size (line 134) | func (op OpCode) Size() Size {
method Source (line 142) | func (op OpCode) Source() Source {
method ALUOp (line 150) | func (op OpCode) ALUOp() ALUOp {
method Endianness (line 158) | func (op OpCode) Endianness() Endianness {
method JumpOp (line 167) | func (op OpCode) JumpOp() JumpOp {
method SetMode (line 185) | func (op OpCode) SetMode(mode Mode) OpCode {
method SetSize (line 195) | func (op OpCode) SetSize(size Size) OpCode {
method SetSource (line 205) | func (op OpCode) SetSource(source Source) OpCode {
method SetALUOp (line 215) | func (op OpCode) SetALUOp(alu ALUOp) OpCode {
method SetJumpOp (line 225) | func (op OpCode) SetJumpOp(jump JumpOp) OpCode {
method String (line 240) | func (op OpCode) String() string {
constant InvalidOpCode (line 94) | InvalidOpCode OpCode = 0xffff
function valid (line 301) | func valid(value, mask OpCode) bool {
FILE: vendor/github.com/cilium/ebpf/asm/opcode_string.go
function _ (line 7) | func _() {
constant _Class_name (line 21) | _Class_name = "LdClassLdXClassStClassStXClassALUClassJumpClassJump32Clas...
method String (line 25) | func (i Class) String() string {
FILE: vendor/github.com/cilium/ebpf/asm/register.go
type Register (line 8) | type Register
method String (line 45) | func (r Register) String() string {
constant R0 (line 11) | R0 Register = 0
constant R1 (line 15) | R1 Register = R0 + 1 + iota
constant R2 (line 16) | R2
constant R3 (line 17) | R3
constant R4 (line 18) | R4
constant R5 (line 19) | R5
constant R6 (line 24) | R6 Register = R5 + 1 + iota
constant R7 (line 25) | R7
constant R8 (line 26) | R8
constant R9 (line 27) | R9
constant R10 (line 32) | R10 Register = R9 + 1
constant RFP (line 33) | RFP = R10
constant PseudoMapFD (line 38) | PseudoMapFD = R1
constant PseudoMapValue (line 39) | PseudoMapValue = R2
constant PseudoCall (line 40) | PseudoCall = R1
constant PseudoFunc (line 41) | PseudoFunc = R4
constant PseudoKfuncCall (line 42) | PseudoKfuncCall = R2
FILE: vendor/github.com/cilium/ebpf/attachtype_string.go
function _ (line 7) | func _() {
constant _AttachType_name (line 71) | _AttachType_name = "NoneCGroupInetEgressCGroupInetSockCreateCGroupSockOp...
method String (line 75) | func (i AttachType) String() string {
FILE: vendor/github.com/cilium/ebpf/btf/btf.go
constant btfMagic (line 19) | btfMagic = 0xeB9F
type immutableTypes (line 33) | type immutableTypes struct
method typeByID (line 53) | func (s *immutableTypes) typeByID(id TypeID) (Type, bool) {
type mutableTypes (line 67) | type mutableTypes struct
method add (line 78) | func (mt *mutableTypes) add(typ Type, typeIDs map[Type]TypeID) Type {
method copy (line 97) | func (mt *mutableTypes) copy() *mutableTypes {
method typeID (line 124) | func (mt *mutableTypes) typeID(typ Type) (TypeID, error) {
method typeByID (line 141) | func (mt *mutableTypes) typeByID(id TypeID) (Type, bool) {
method anyTypesByName (line 150) | func (mt *mutableTypes) anyTypesByName(name string) ([]Type, error) {
type Spec (line 175) | type Spec struct
method Copy (line 534) | func (s *Spec) Copy() *Spec {
method nextTypeID (line 557) | func (s *Spec) nextTypeID() (TypeID, error) {
method TypeByID (line 569) | func (s *Spec) TypeByID(id TypeID) (Type, error) {
method TypeID (line 581) | func (s *Spec) TypeID(typ Type) (TypeID, error) {
method AnyTypesByName (line 592) | func (s *Spec) AnyTypesByName(name string) ([]Type, error) {
method AnyTypeByName (line 599) | func (s *Spec) AnyTypeByName(name string) (Type, error) {
method TypeByName (line 621) | func (s *Spec) TypeByName(name string, typ interface{}) error {
method Iterate (line 690) | func (s *Spec) Iterate() *TypesIterator {
function LoadSpec (line 183) | func LoadSpec(file string) (*Spec, error) {
function LoadSpecFromReader (line 197) | func LoadSpecFromReader(rd io.ReaderAt) (*Spec, error) {
function LoadSpecAndExtInfosFromReader (line 214) | func LoadSpecAndExtInfosFromReader(rd io.ReaderAt) (*Spec, *ExtInfos, er...
function symbolOffsets (line 240) | func symbolOffsets(file *internal.SafeELFFile) (map[symbol]uint32, error) {
function loadSpecFromELF (line 269) | func loadSpecFromELF(file *internal.SafeELFFile) (*Spec, error) {
function loadRawSpec (line 318) | func loadRawSpec(btf io.ReaderAt, bo binary.ByteOrder, base *Spec) (*Spe...
function indexTypes (line 362) | func indexTypes(types []Type, firstTypeID TypeID) (map[Type]TypeID, map[...
function guessRawBTFByteOrder (line 388) | func guessRawBTFByteOrder(r io.ReaderAt) binary.ByteOrder {
function parseBTF (line 405) | func parseBTF(btf io.ReaderAt, bo binary.ByteOrder, baseStrings *stringT...
type symbol (line 427) | type symbol struct
function fixupDatasec (line 434) | func fixupDatasec(types []Type, sectionSizes map[string]uint32, offsets ...
function fixupDatasecLayout (line 501) | func fixupDatasecLayout(ds *Datasec) error {
type sliceWriter (line 545) | type sliceWriter
method Write (line 547) | func (sw sliceWriter) Write(p []byte) (int, error) {
function LoadSplitSpecFromReader (line 676) | func LoadSplitSpecFromReader(r io.ReaderAt, base *Spec) (*Spec, error) {
type TypesIterator (line 681) | type TypesIterator struct
method Next (line 695) | func (iter *TypesIterator) Next() bool {
FILE: vendor/github.com/cilium/ebpf/btf/btf_types.go
type btfKind (line 16) | type btfKind
constant kindUnknown (line 20) | kindUnknown btfKind = iota
constant kindInt (line 21) | kindInt
constant kindPointer (line 22) | kindPointer
constant kindArray (line 23) | kindArray
constant kindStruct (line 24) | kindStruct
constant kindUnion (line 25) | kindUnion
constant kindEnum (line 26) | kindEnum
constant kindForward (line 27) | kindForward
constant kindTypedef (line 28) | kindTypedef
constant kindVolatile (line 29) | kindVolatile
constant kindConst (line 30) | kindConst
constant kindRestrict (line 31) | kindRestrict
constant kindFunc (line 33) | kindFunc
constant kindFuncProto (line 34) | kindFuncProto
constant kindVar (line 36) | kindVar
constant kindDatasec (line 37) | kindDatasec
constant kindFloat (line 39) | kindFloat
constant kindDeclTag (line 41) | kindDeclTag
constant kindTypeTag (line 43) | kindTypeTag
constant kindEnum64 (line 45) | kindEnum64
type FuncLinkage (line 49) | type FuncLinkage
constant StaticFunc (line 53) | StaticFunc FuncLinkage = iota
constant GlobalFunc (line 54) | GlobalFunc
constant ExternFunc (line 55) | ExternFunc
type VarLinkage (line 59) | type VarLinkage
constant StaticVar (line 62) | StaticVar VarLinkage = iota
constant GlobalVar (line 63) | GlobalVar
constant ExternVar (line 64) | ExternVar
constant btfTypeKindShift (line 68) | btfTypeKindShift = 24
constant btfTypeKindLen (line 69) | btfTypeKindLen = 5
constant btfTypeVlenShift (line 70) | btfTypeVlenShift = 0
constant btfTypeVlenMask (line 71) | btfTypeVlenMask = 16
constant btfTypeKindFlagShift (line 72) | btfTypeKindFlagShift = 31
constant btfTypeKindFlagMask (line 73) | btfTypeKindFlagMask = 1
type btfHeader (line 78) | type btfHeader struct
method typeStart (line 92) | func (h *btfHeader) typeStart() int64 {
method stringStart (line 98) | func (h *btfHeader) stringStart() int64 {
function parseBTFHeader (line 103) | func parseBTFHeader(r io.Reader, bo binary.ByteOrder) (*btfHeader, error) {
type btfType (line 136) | type btfType struct
method info (line 184) | func (bt *btfType) info(len, shift uint32) uint32 {
method setInfo (line 188) | func (bt *btfType) setInfo(value, len, shift uint32) {
method Kind (line 192) | func (bt *btfType) Kind() btfKind {
method SetKind (line 196) | func (bt *btfType) SetKind(kind btfKind) {
method Vlen (line 200) | func (bt *btfType) Vlen() int {
method SetVlen (line 204) | func (bt *btfType) SetVlen(vlen int) {
method kindFlagBool (line 208) | func (bt *btfType) kindFlagBool() bool {
method setKindFlagBool (line 212) | func (bt *btfType) setKindFlagBool(set bool) {
method Bitfield (line 221) | func (bt *btfType) Bitfield() bool {
method SetBitfield (line 225) | func (bt *btfType) SetBitfield(isBitfield bool) {
method FwdKind (line 229) | func (bt *btfType) FwdKind() FwdKind {
method SetFwdKind (line 233) | func (bt *btfType) SetFwdKind(kind FwdKind) {
method Signed (line 237) | func (bt *btfType) Signed() bool {
method SetSigned (line 241) | func (bt *btfType) SetSigned(signed bool) {
method Linkage (line 245) | func (bt *btfType) Linkage() FuncLinkage {
method SetLinkage (line 249) | func (bt *btfType) SetLinkage(linkage FuncLinkage) {
method Type (line 253) | func (bt *btfType) Type() TypeID {
method SetType (line 258) | func (bt *btfType) SetType(id TypeID) {
method Size (line 262) | func (bt *btfType) Size() uint32 {
method SetSize (line 267) | func (bt *btfType) SetSize(size uint32) {
method Marshal (line 271) | func (bt *btfType) Marshal(w io.Writer, bo binary.ByteOrder) error {
function unmarshalBtfType (line 159) | func unmarshalBtfType(bt *btfType, b []byte, bo binary.ByteOrder) (int, ...
function mask (line 170) | func mask(len uint32) uint32 {
function readBits (line 174) | func readBits(value, len, shift uint32) uint32 {
function writeBits (line 178) | func writeBits(value, len, shift, new uint32) uint32 {
type rawType (line 280) | type rawType struct
method Marshal (line 285) | func (rt *rawType) Marshal(w io.Writer, bo binary.ByteOrder) error {
type btfInt (line 304) | type btfInt struct
method Encoding (line 328) | func (bi btfInt) Encoding() IntEncoding {
method SetEncoding (line 332) | func (bi *btfInt) SetEncoding(e IntEncoding) {
method Offset (line 336) | func (bi btfInt) Offset() Bits {
method SetOffset (line 340) | func (bi *btfInt) SetOffset(offset uint32) {
method Bits (line 344) | func (bi btfInt) Bits() Bits {
method SetBits (line 348) | func (bi *btfInt) SetBits(bits byte) {
constant btfIntEncodingLen (line 309) | btfIntEncodingLen = 4
constant btfIntEncodingShift (line 310) | btfIntEncodingShift = 24
constant btfIntOffsetLen (line 311) | btfIntOffsetLen = 8
constant btfIntOffsetShift (line 312) | btfIntOffsetShift = 16
constant btfIntBitsLen (line 313) | btfIntBitsLen = 8
constant btfIntBitsShift (line 314) | btfIntBitsShift = 0
function unmarshalBtfInt (line 319) | func unmarshalBtfInt(bi *btfInt, b []byte, bo binary.ByteOrder) (int, er...
type btfArray (line 352) | type btfArray struct
function unmarshalBtfArray (line 360) | func unmarshalBtfArray(ba *btfArray, b []byte, bo binary.ByteOrder) (int...
type btfMember (line 371) | type btfMember struct
function unmarshalBtfMembers (line 379) | func unmarshalBtfMembers(members []btfMember, b []byte, bo binary.ByteOr...
type btfVarSecinfo (line 396) | type btfVarSecinfo struct
function unmarshalBtfVarSecInfos (line 404) | func unmarshalBtfVarSecInfos(secinfos []btfVarSecinfo, b []byte, bo bina...
type btfVariable (line 421) | type btfVariable struct
function unmarshalBtfVariable (line 427) | func unmarshalBtfVariable(bv *btfVariable, b []byte, bo binary.ByteOrder...
type btfEnum (line 436) | type btfEnum struct
function unmarshalBtfEnums (line 443) | func unmarshalBtfEnums(enums []btfEnum, b []byte, bo binary.ByteOrder) (...
type btfEnum64 (line 459) | type btfEnum64 struct
function unmarshalBtfEnums64 (line 467) | func unmarshalBtfEnums64(enums []btfEnum64, b []byte, bo binary.ByteOrde...
type btfParam (line 484) | type btfParam struct
function unmarshalBtfParams (line 491) | func unmarshalBtfParams(params []btfParam, b []byte, bo binary.ByteOrder...
type btfDeclTag (line 507) | type btfDeclTag struct
function unmarshalBtfDeclTag (line 513) | func unmarshalBtfDeclTag(bdt *btfDeclTag, b []byte, bo binary.ByteOrder)...
FILE: vendor/github.com/cilium/ebpf/btf/btf_types_string.go
function _ (line 7) | func _() {
constant _FuncLinkage_name (line 16) | _FuncLinkage_name = "staticglobalextern"
method String (line 20) | func (i FuncLinkage) String() string {
function _ (line 26) | func _() {
constant _VarLinkage_name (line 35) | _VarLinkage_name = "staticglobalextern"
method String (line 39) | func (i VarLinkage) String() string {
function _ (line 45) | func _() {
constant _btfKind_name (line 71) | _btfKind_name = "UnknownIntPointerArrayStructUnionEnumForwardTypedefVola...
method String (line 75) | func (i btfKind) String() string {
FILE: vendor/github.com/cilium/ebpf/btf/core.go
constant COREBadRelocationSentinel (line 22) | COREBadRelocationSentinel = 0xbad2310
type COREFixup (line 25) | type COREFixup struct
method equal (line 37) | func (f *COREFixup) equal(other COREFixup) bool {
method String (line 41) | func (f *COREFixup) String() string {
method Apply (line 48) | func (f *COREFixup) Apply(ins *asm.Instruction) error {
method isNonExistant (line 121) | func (f COREFixup) isNonExistant() bool {
type coreKind (line 126) | type coreKind
method checksForExistence (line 144) | func (k coreKind) checksForExistence() bool {
method String (line 148) | func (k coreKind) String() string {
constant reloFieldByteOffset (line 129) | reloFieldByteOffset coreKind = iota
constant reloFieldByteSize (line 130) | reloFieldByteSize
constant reloFieldExists (line 131) | reloFieldExists
constant reloFieldSigned (line 132) | reloFieldSigned
constant reloFieldLShiftU64 (line 133) | reloFieldLShiftU64
constant reloFieldRShiftU64 (line 134) | reloFieldRShiftU64
constant reloTypeIDLocal (line 135) | reloTypeIDLocal
constant reloTypeIDTarget (line 136) | reloTypeIDTarget
constant reloTypeExists (line 137) | reloTypeExists
constant reloTypeSize (line 138) | reloTypeSize
constant reloEnumvalExists (line 139) | reloEnumvalExists
constant reloEnumvalValue (line 140) | reloEnumvalValue
constant reloTypeMatches (line 141) | reloTypeMatches
function CORERelocate (line 197) | func CORERelocate(relos []*CORERelocation, targets []*Spec, bo binary.By...
function coreCalculateFixups (line 297) | func coreCalculateFixups(relos []*CORERelocation, targets []Type, bo bin...
function coreCalculateFixup (line 356) | func coreCalculateFixup(relo *CORERelocation, target Type, bo binary.Byt...
function boolToUint64 (line 544) | func boolToUint64(val bool) uint64 {
type coreAccessor (line 579) | type coreAccessor
method String (line 601) | func (ca coreAccessor) String() string {
method enumValue (line 609) | func (ca coreAccessor) enumValue(t Type) (*EnumValue, error) {
function parseCOREAccessor (line 581) | func parseCOREAccessor(accessor string) (coreAccessor, error) {
type coreField (line 633) | type coreField struct
method adjustOffsetToNthElement (line 648) | func (cf *coreField) adjustOffsetToNthElement(n int) error {
method adjustOffsetBits (line 662) | func (cf *coreField) adjustOffsetBits(offset Bits) error {
method sizeBits (line 685) | func (cf *coreField) sizeBits() (Bits, error) {
function coreFindField (line 705) | func coreFindField(localT Type, localAcc coreAccessor, targetT Type) (co...
function coreFindMember (line 849) | func coreFindMember(typ composite, name string) (Member, bool, error) {
function coreFindEnumValue (line 903) | func coreFindEnumValue(local Type, localAcc coreAccessor, target Type) (...
function CheckTypeCompatibility (line 929) | func CheckTypeCompatibility(localType Type, targetType Type) error {
type pair (line 933) | type pair struct
function coreAreTypesCompatible (line 960) | func coreAreTypesCompatible(localType Type, targetType Type, visited map...
function coreAreMembersCompatible (line 1041) | func coreAreMembersCompatible(localType Type, targetType Type) error {
function coreEssentialNamesMatch (line 1084) | func coreEssentialNamesMatch(a, b string) bool {
function coreTypesMatch (line 1122) | func coreTypesMatch(localType Type, targetType Type, visited map[pair]st...
function coreEncodingMatches (line 1231) | func coreEncodingMatches(local, target *Int) bool {
function coreEnumsMatch (line 1238) | func coreEnumsMatch(local *Enum, target *Enum) error {
FILE: vendor/github.com/cilium/ebpf/btf/ext_info.go
type ExtInfos (line 17) | type ExtInfos struct
method Assign (line 111) | func (ei *ExtInfos) Assign(insns asm.Instructions, section string) {
function loadExtInfosFromELF (line 27) | func loadExtInfosFromELF(file *internal.SafeELFFile, spec *Spec) (*ExtIn...
function loadExtInfos (line 41) | func loadExtInfos(r io.ReaderAt, bo binary.ByteOrder, spec *Spec) (*ExtI...
type funcInfoMeta (line 106) | type funcInfoMeta struct
type coreRelocationMeta (line 107) | type coreRelocationMeta struct
function AssignMetadataToInstructions (line 120) | func AssignMetadataToInstructions(
function MarshalExtInfos (line 150) | func MarshalExtInfos(insns asm.Instructions, b *Builder) (funcInfos, lin...
type btfExtHeader (line 201) | type btfExtHeader struct
method funcInfoStart (line 244) | func (h *btfExtHeader) funcInfoStart() int64 {
method lineInfoStart (line 250) | func (h *btfExtHeader) lineInfoStart() int64 {
method coreReloStart (line 256) | func (h *btfExtHeader) coreReloStart(ch *btfExtCOREHeader) int64 {
function parseBTFExtHeader (line 217) | func parseBTFExtHeader(r io.Reader, bo binary.ByteOrder) (*btfExtHeader,...
type btfExtCOREHeader (line 262) | type btfExtCOREHeader struct
function parseBTFExtCOREHeader (line 270) | func parseBTFExtCOREHeader(r io.Reader, bo binary.ByteOrder, extHeader *...
type btfExtInfoSec (line 286) | type btfExtInfoSec struct
function parseExtInfoSec (line 295) | func parseExtInfoSec(r io.Reader, bo binary.ByteOrder, strings *stringTa...
function parseExtInfoRecordSize (line 319) | func parseExtInfoRecordSize(r io.Reader, bo binary.ByteOrder) (uint32, e...
type FuncOffsets (line 339) | type FuncOffsets
type FuncOffset (line 346) | type FuncOffset struct
method marshal (line 414) | func (fi *FuncOffset) marshal(w *bytes.Buffer, b *Builder) error {
type bpfFuncInfo (line 351) | type bpfFuncInfo struct
function newFuncOffset (line 357) | func newFuncOffset(fi bpfFuncInfo, spec *Spec) (*FuncOffset, error) {
function newFuncOffsets (line 379) | func newFuncOffsets(bfis []bpfFuncInfo, spec *Spec) (FuncOffsets, error) {
function LoadFuncInfos (line 398) | func LoadFuncInfos(reader io.Reader, bo binary.ByteOrder, recordNum uint...
function parseFuncInfos (line 432) | func parseFuncInfos(r io.Reader, bo binary.ByteOrder, strings *stringTab...
function parseFuncInfoRecords (line 460) | func parseFuncInfoRecords(r io.Reader, bo binary.ByteOrder, recordSize u...
type Line (line 494) | type Line struct
method FileName (line 501) | func (li *Line) FileName() string {
method Line (line 505) | func (li *Line) Line() string {
method LineNumber (line 509) | func (li *Line) LineNumber() uint32 {
method LineColumn (line 513) | func (li *Line) LineColumn() uint32 {
method String (line 517) | func (li *Line) String() string {
type LineOffsets (line 522) | type LineOffsets
type LineOffset (line 525) | type LineOffset struct
method marshal (line 602) | func (li *LineOffset) marshal(w *bytes.Buffer, b *Builder) error {
constant bpfLineShift (line 532) | bpfLineShift = 10
constant bpfLineMax (line 533) | bpfLineMax = (1 << (32 - bpfLineShift)) - 1
constant bpfColumnMax (line 534) | bpfColumnMax = (1 << bpfLineShift) - 1
type bpfLineInfo (line 537) | type bpfLineInfo struct
function LoadLineInfos (line 546) | func LoadLineInfos(reader io.Reader, bo binary.ByteOrder, recordNum uint...
function newLineInfo (line 561) | func newLineInfo(li bpfLineInfo, strings *stringTable) (LineOffset, erro...
function newLineInfos (line 586) | func newLineInfos(blis []bpfLineInfo, strings *stringTable) (LineOffsets...
function parseLineInfos (line 640) | func parseLineInfos(r io.Reader, bo binary.ByteOrder, strings *stringTab...
function parseLineInfoRecords (line 668) | func parseLineInfoRecords(r io.Reader, bo binary.ByteOrder, recordSize u...
type bpfCORERelo (line 696) | type bpfCORERelo struct
type CORERelocation (line 703) | type CORERelocation struct
method String (line 712) | func (cr *CORERelocation) String() string {
function CORERelocationMetadata (line 716) | func CORERelocationMetadata(ins *asm.Instruction) *CORERelocation {
type CORERelocationInfos (line 722) | type CORERelocationInfos struct
type coreRelocationInfo (line 726) | type coreRelocationInfo struct
function newRelocationInfo (line 731) | func newRelocationInfo(relo bpfCORERelo, spec *Spec, strings *stringTabl...
function newRelocationInfos (line 758) | func newRelocationInfos(brs []bpfCORERelo, spec *Spec, strings *stringTa...
function parseCORERelos (line 779) | func parseCORERelos(r io.Reader, bo binary.ByteOrder, strings *stringTab...
function parseCOREReloRecords (line 811) | func parseCOREReloRecords(r io.Reader, bo binary.ByteOrder, recordNum ui...
FILE: vendor/github.com/cilium/ebpf/btf/feature.go
function probeBTF (line 137) | func probeBTF(typ Type) error {
FILE: vendor/github.com/cilium/ebpf/btf/format.go
type GoFormatter (line 14) | type GoFormatter struct
method TypeDeclaration (line 31) | func (gf *GoFormatter) TypeDeclaration(name string, typ Type) (string,...
method identifier (line 39) | func (gf *GoFormatter) identifier(s string) string {
method enumIdentifier (line 47) | func (gf *GoFormatter) enumIdentifier(name, element string) string {
method writeTypeDecl (line 61) | func (gf *GoFormatter) writeTypeDecl(name string, typ Type) error {
method writeType (line 99) | func (gf *GoFormatter) writeType(typ Type, depth int) error {
method writeTypeLit (line 119) | func (gf *GoFormatter) writeTypeLit(typ Type, depth int) error {
method writeIntLit (line 178) | func (gf *GoFormatter) writeIntLit(i *Int) error {
method writeStructLit (line 210) | func (gf *GoFormatter) writeStructLit(size uint32, members []Member, d...
method writeStructField (line 248) | func (gf *GoFormatter) writeStructField(m Member, depth int) error {
method writeDatasecLit (line 300) | func (gf *GoFormatter) writeDatasecLit(ds *Datasec, depth int) error {
method writePadding (line 336) | func (gf *GoFormatter) writePadding(bytes uint32) {
function skipQualifiers (line 342) | func skipQualifiers(typ Type) Type {
FILE: vendor/github.com/cilium/ebpf/btf/handle.go
type Handle (line 16) | type Handle struct
method Spec (line 133) | func (h *Handle) Spec(base *Spec) (*Spec, error) {
method Close (line 152) | func (h *Handle) Close() error {
method FD (line 161) | func (h *Handle) FD() int {
method Info (line 166) | func (h *Handle) Info() (*HandleInfo, error) {
function NewHandle (line 28) | func NewHandle(b *Builder) (*Handle, error) {
function NewHandleFromRawBTF (line 43) | func NewHandleFromRawBTF(btf []byte) (*Handle, error) {
function NewHandleFromID (line 112) | func NewHandleFromID(id ID) (*Handle, error) {
type HandleInfo (line 171) | type HandleInfo struct
method IsVmlinux (line 221) | func (i *HandleInfo) IsVmlinux() bool {
method IsModule (line 226) | func (i *HandleInfo) IsModule() bool {
function newHandleInfoFromFD (line 188) | func newHandleInfoFromFD(fd *sys.FD) (*HandleInfo, error) {
type HandleIterator (line 231) | type HandleIterator struct
method Next (line 244) | func (it *HandleIterator) Next() bool {
method Take (line 281) | func (it *HandleIterator) Take() *Handle {
method Err (line 288) | func (it *HandleIterator) Err() error {
function FindHandle (line 298) | func FindHandle(predicate func(info *HandleInfo) bool) (*Handle, error) {
FILE: vendor/github.com/cilium/ebpf/btf/kernel.go
function FlushKernelSpec (line 23) | func FlushKernelSpec() {
function LoadKernelSpec (line 35) | func LoadKernelSpec() (*Spec, error) {
function LoadKernelModuleSpec (line 65) | func LoadKernelModuleSpec(module string) (*Spec, error) {
function loadKernelSpec (line 95) | func loadKernelSpec() (_ *Spec, fallback bool, _ error) {
function loadKernelModuleSpec (line 114) | func loadKernelModuleSpec(module string, base *Spec) (*Spec, error) {
function findVMLinux (line 130) | func findVMLinux() (*os.File, error) {
FILE: vendor/github.com/cilium/ebpf/btf/marshal.go
type MarshalOptions (line 16) | type MarshalOptions struct
function KernelMarshalOptions (line 32) | func KernelMarshalOptions() *MarshalOptions {
type encoder (line 44) | type encoder struct
method allocateIDs (line 246) | func (e *encoder) allocateIDs(root Type) (err error) {
method id (line 271) | func (e *encoder) id(typ Type) TypeID {
method deflatePending (line 284) | func (e *encoder) deflatePending() error {
method deflateType (line 305) | func (e *encoder) deflateType(typ Type) (err error) {
method deflateInt (line 420) | func (e *encoder) deflateInt(raw *rawType, i *Int) {
method deflateDeclTag (line 432) | func (e *encoder) deflateDeclTag(raw *rawType, tag *declTag) (err erro...
method deflateConst (line 452) | func (e *encoder) deflateConst(raw *rawType, c *Const) {
method deflateTypeTag (line 457) | func (e *encoder) deflateTypeTag(raw *rawType, tag *TypeTag) (err erro...
method deflateUnion (line 471) | func (e *encoder) deflateUnion(raw *rawType, union *Union) (err error) {
method convertMembers (line 478) | func (e *encoder) convertMembers(header *btfType, members []Member) ([...
method deflateEnum (line 506) | func (e *encoder) deflateEnum(raw *rawType, enum *Enum) (err error) {
method deflateEnumValues (line 516) | func (e *encoder) deflateEnumValues(enum *Enum) ([]btfEnum, error) {
method deflateEnum64 (line 543) | func (e *encoder) deflateEnum64(raw *rawType, enum *Enum) (err error) {
method deflateEnum64Values (line 578) | func (e *encoder) deflateEnum64Values(values []EnumValue) ([]btfEnum64...
method deflateFuncParams (line 596) | func (e *encoder) deflateFuncParams(params []FuncParam) ([]btfParam, e...
method deflateVarSecinfos (line 612) | func (e *encoder) deflateVarSecinfos(vars []VarSecinfo) []btfVarSecinfo {
function getByteSlice (line 62) | func getByteSlice() *[]byte {
function putByteSlice (line 66) | func putByteSlice(buf *[]byte) {
type Builder (line 75) | type Builder struct
method Empty (line 107) | func (b *Builder) Empty() bool {
method Add (line 116) | func (b *Builder) Add(typ Type) (TypeID, error) {
method Marshal (line 151) | func (b *Builder) Marshal(buf []byte, opts *MarshalOptions) ([]byte, e...
method addString (line 238) | func (b *Builder) addString(str string) (uint32, error) {
function NewBuilder (line 89) | func NewBuilder(types []Type) (*Builder, error) {
function MarshalMapKV (line 628) | func MarshalMapKV(key, value Type) (_ *Handle, keyID, valueID TypeID, er...
FILE: vendor/github.com/cilium/ebpf/btf/strings.go
type stringTable (line 14) | type stringTable struct
method Lookup (line 79) | func (st *stringTable) Lookup(offset uint32) (string, error) {
method lookup (line 86) | func (st *stringTable) lookup(offset uint32) (string, error) {
method Num (line 113) | func (st *stringTable) Num() int {
type sizedReader (line 22) | type sizedReader interface
function readStringTable (line 27) | func readStringTable(r sizedReader, base *stringTable) (*stringTable, er...
function splitNull (line 67) | func splitNull(data []byte, atEOF bool) (advance int, token []byte, err ...
type stringTableBuilder (line 118) | type stringTableBuilder struct
method Add (line 144) | func (stb *stringTableBuilder) Add(str string) (uint32, error) {
method append (line 157) | func (stb *stringTableBuilder) append(str string) uint32 {
method Lookup (line 167) | func (stb *stringTableBuilder) Lookup(str string) (uint32, error) {
method Length (line 177) | func (stb *stringTableBuilder) Length() int {
method AppendEncoded (line 182) | func (stb *stringTableBuilder) AppendEncoded(buf []byte) []byte {
method Copy (line 193) | func (stb *stringTableBuilder) Copy() *stringTableBuilder {
function newStringTableBuilder (line 126) | func newStringTableBuilder(capacity int) *stringTableBuilder {
FILE: vendor/github.com/cilium/ebpf/btf/traversal.go
function visitInPostorder (line 15) | func visitInPostorder(root Type, visited map[Type]struct{}, yield func(t...
function children (line 39) | func children(typ Type, yield func(child *Type) bool) bool {
FILE: vendor/github.com/cilium/ebpf/btf/types.go
constant maxResolveDepth (line 19) | maxResolveDepth = 32
type Type (line 36) | type Type interface
type Void (line 75) | type Void struct
method Format (line 77) | func (v *Void) Format(fs fmt.State, verb rune) { formatType(fs, verb, ...
method TypeName (line 78) | func (v *Void) TypeName() string { return "" }
method size (line 79) | func (v *Void) size() uint32 { return 0 }
method copy (line 80) | func (v *Void) copy() Type { return (*Void)(nil) }
type IntEncoding (line 82) | type IntEncoding
method String (line 94) | func (ie IntEncoding) String() string {
constant Unsigned (line 88) | Unsigned IntEncoding = 0
constant Signed (line 89) | Signed IntEncoding = 1
constant Char (line 90) | Char IntEncoding = 2
constant Bool (line 91) | Bool IntEncoding = 4
type Int (line 113) | type Int struct
method Format (line 121) | func (i *Int) Format(fs fmt.State, verb rune) {
method TypeName (line 125) | func (i *Int) TypeName() string { return i.Name }
method size (line 126) | func (i *Int) size() uint32 { return i.Size }
method copy (line 127) | func (i *Int) copy() Type {
type Pointer (line 133) | type Pointer struct
method Format (line 137) | func (p *Pointer) Format(fs fmt.State, verb rune) {
method TypeName (line 141) | func (p *Pointer) TypeName() string { return "" }
method size (line 142) | func (p *Pointer) size() uint32 { return 8 }
method copy (line 143) | func (p *Pointer) copy() Type {
type Array (line 149) | type Array struct
method Format (line 155) | func (arr *Array) Format(fs fmt.State, verb rune) {
method TypeName (line 159) | func (arr *Array) TypeName() string { return "" }
method copy (line 161) | func (arr *Array) copy() Type {
type Struct (line 167) | type Struct struct
method Format (line 175) | func (s *Struct) Format(fs fmt.State, verb rune) {
method TypeName (line 179) | func (s *Struct) TypeName() string { return s.Name }
method size (line 181) | func (s *Struct) size() uint32 { return s.Size }
method copy (line 183) | func (s *Struct) copy() Type {
method members (line 190) | func (s *Struct) members() []Member {
type Union (line
Condensed preview — 1355 files, each showing path, character count, and a content snippet. Download the .json file for the full structured content (15,105K chars).
[
{
"path": ".cirrus.yml",
"chars": 4427,
"preview": "---\n# We use Cirrus for RHEL clones because Cirrus can directly run them\n# without depending on nested virtualization.\n\n"
},
{
"path": ".clang-format",
"chars": 289,
"preview": "---\n# We use GNU indent from the Makefile to format C code in this project. Alas,\n# there is no way to map indent option"
},
{
"path": ".codespellrc",
"chars": 73,
"preview": "[codespell]\nskip = ./vendor,./.git,./go.sum\nignore-words-list = clos,mis\n"
},
{
"path": ".editorconfig",
"chars": 179,
"preview": "# This file is used by shfmt. See https://EditorConfig.org\n\n# This is a top-most EditorConfig file.\nroot = true\n\n# Ignor"
},
{
"path": ".github/ISSUE_TEMPLATE/bug_report.yaml",
"chars": 1744,
"preview": "# Forked from https://github.com/containerd/nerdctl/blob/v1.2.1/.github/ISSUE_TEMPLATE/bug_report.yaml\nname: Bug report\n"
},
{
"path": ".github/ISSUE_TEMPLATE/config.yml",
"chars": 855,
"preview": "# Forked from https://github.com/containerd/nerdctl/blob/main/.github/ISSUE_TEMPLATE/config.yml\nblank_issues_enabled: tr"
},
{
"path": ".github/dependabot.yml",
"chars": 619,
"preview": "# Please see the documentation for all configuration options:\n# https://help.github.com/github/administering-a-repositor"
},
{
"path": ".github/workflows/scheduled.yml",
"chars": 1116,
"preview": "# This enables periodical execution of CI jobs in branches we maintain.\n#\n# CI jobs are triggered through here (instead "
},
{
"path": ".github/workflows/test.yml",
"chars": 9482,
"preview": "# NOTE Github Actions execution environments lack a terminal, needed for\n# some integration tests. So we use `script` co"
},
{
"path": ".github/workflows/validate.yml",
"chars": 10184,
"preview": "name: validate\non:\n push:\n tags:\n - v*\n branches:\n - main\n - release-*\n pull_request:\n workflow_"
},
{
"path": ".gitignore",
"chars": 79,
"preview": "vendor/pkg\n/runc\n/runc-*\n/tests/cmd/_bin\nman/man8\nrelease\nVagrantfile\n.vagrant\n"
},
{
"path": ".golangci-extra.yml",
"chars": 576,
"preview": "# This is golangci-lint config file which is used to check new code in\n# github PRs only (see lint-extra in .github/work"
},
{
"path": ".golangci.yml",
"chars": 1670,
"preview": "version: \"2\"\n\nrun:\n build-tags:\n - seccomp\n\nformatters:\n enable:\n - gofumpt\n settings:\n gofumpt:\n extra"
},
{
"path": "CHANGELOG.md",
"chars": 80569,
"preview": "# Changelog\nThis file documents all notable changes made to this project since runc 1.0.\n\nThe format is based on [Keep a"
},
{
"path": "CONTRIBUTING.md",
"chars": 5183,
"preview": "## Contribution Guidelines\n\n### Security issues\n\nIf you are reporting a security issue, do not create an issue or file a"
},
{
"path": "Dockerfile",
"chars": 3293,
"preview": "ARG GO_VERSION=1.25\nARG BATS_VERSION=v1.12.0\nARG LIBSECCOMP_VERSION=2.6.0\nARG LIBPATHRS_VERSION=0.2.4\n\nFROM golang:${GO_"
},
{
"path": "EMERITUS.md",
"chars": 397,
"preview": "## Emeritus ##\n\nWe would like to acknowledge previous runc maintainers and their huge\ncontributions to our collective su"
},
{
"path": "LICENSE",
"chars": 10758,
"preview": "\n Apache License\n Version 2.0, January 2004\n "
},
{
"path": "MAINTAINERS",
"chars": 339,
"preview": "Mrunal Patel <mpatel@redhat.com> (@mrunalp)\nAleksa Sarai <cyphar@cyphar.com> (@cyphar)\nAkihiro Suda <akihiro.suda.cz@hco"
},
{
"path": "MAINTAINERS_GUIDE.md",
"chars": 4689,
"preview": "## Introduction\n\nDear maintainer. Thank you for investing the time and energy to help\nmake runc as useful as possible. M"
},
{
"path": "Makefile",
"chars": 7483,
"preview": "SHELL = /bin/bash\n\nCONTAINER_ENGINE := docker\nGO ?= go\n\nPREFIX ?= /usr/local\nBINDIR := $(PREFIX)/sbin\nMANDIR := $(PREFIX"
},
{
"path": "NOTICE",
"chars": 515,
"preview": "runc\n\nCopyright 2012-2015 Docker, Inc.\n\nThis product includes software developed at Docker, Inc. (http://www.docker.com)"
},
{
"path": "PRINCIPLES.md",
"chars": 1139,
"preview": "# runc principles\n\nIn the design and development of runc and libcontainer we try to follow these principles:\n\n(Work in p"
},
{
"path": "README.md",
"chars": 12987,
"preview": "# runc\n\n[](https://goreportcard.com/repo"
},
{
"path": "RELEASES.md",
"chars": 4720,
"preview": "## Release Cadence and Support Policy ##\n\nThis document describes the release cadence for runc as well as outlining the\n"
},
{
"path": "SECURITY.md",
"chars": 238,
"preview": "# Security\n\nWhen reporting a security issue, do not create an issue or file a pull request on GitHub.\nThe reporting proc"
},
{
"path": "VERSION",
"chars": 15,
"preview": "1.5.0-rc.1+dev\n"
},
{
"path": "checkpoint.go",
"chars": 6104,
"preview": "package main\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"net\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strconv\"\n\n\t\"github.com/moby/sys/userns\"\n\t\"github"
},
{
"path": "contrib/completions/bash/runc",
"chars": 13870,
"preview": "#!/bin/bash\n#\n# bash completion file for runc command\n#\n# This script provides completion of:\n# - commands and their op"
},
{
"path": "create.go",
"chars": 2380,
"preview": "package main\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\n\t\"github.com/urfave/cli\"\n)\n\nvar createCommand = cli.Command{\n\tName: \"create\",\n\tUsa"
},
{
"path": "delete.go",
"chars": 2499,
"preview": "package main\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"time\"\n\n\t\"github.com/opencontainers/runc/libcontainer\"\n\t"
},
{
"path": "docs/cgroup-v2.md",
"chars": 2611,
"preview": "# cgroup v2\n\nrunc fully supports cgroup v2 (unified mode) since v1.0.0-rc93.\n\nTo use cgroup v2, you might need to change"
},
{
"path": "docs/checkpoint-restore.md",
"chars": 1740,
"preview": "# Checkpoint and Restore #\n\nFor a basic description about checkpointing and restoring containers with\n`runc` please see "
},
{
"path": "docs/deprecated.md",
"chars": 526,
"preview": "# Deprecated features\n\nThe following features are deprecated:\n\nFeature | Deprecation r"
},
{
"path": "docs/experimental.md",
"chars": 485,
"preview": "# Experimental features\n\nThe following features were experimental in the past:\n\nFeature "
},
{
"path": "docs/spec-conformance.md",
"chars": 815,
"preview": "# Spec conformance\n\nThis branch of runc implements the [OCI Runtime Spec v1.3.0](https://github.com/opencontainers/runti"
},
{
"path": "docs/systemd.md",
"chars": 6094,
"preview": "## systemd cgroup driver\n\nBy default, runc creates cgroups and sets cgroup limits on its own (this mode\nis known as fs c"
},
{
"path": "docs/terminals.md",
"chars": 17370,
"preview": "# Terminals and Standard IO #\n\n*Note that the default configuration of `runc` (foreground, new terminal) is\ngenerally th"
},
{
"path": "events.go",
"chars": 6283,
"preview": "package main\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/opencontainers/cgroups\"\n\t\"g"
},
{
"path": "exec.go",
"chars": 8111,
"preview": "package main\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"github.com/opencontainers/runc/l"
},
{
"path": "features.go",
"chars": 2841,
"preview": "package main\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\n\t\"github.com/opencontainers/runc/libcontainer/capabilities\"\n\t\"github.com"
},
{
"path": "go.mod",
"chars": 1104,
"preview": "module github.com/opencontainers/runc\n\ngo 1.24.0\n\nrequire (\n\tgithub.com/checkpoint-restore/go-criu/v7 v7.2.0\n\tgithub.com"
},
{
"path": "go.sum",
"chars": 8377,
"preview": "cyphar.com/go-pathrs v0.2.4 h1:iD/mge36swa1UFKdINkr1Frkpp6wZsy3YYEildj9cLY=\ncyphar.com/go-pathrs v0.2.4/go.mod h1:y8f1EM"
},
{
"path": "init.go",
"chars": 347,
"preview": "package main\n\nimport (\n\t\"os\"\n\n\t\"github.com/opencontainers/runc/libcontainer\"\n\t_ \"github.com/opencontainers/runc/libconta"
},
{
"path": "internal/linux/doc.go",
"chars": 145,
"preview": "// Package linux provides minimal wrappers around Linux system calls, primarily\n// to provide support for automatic EINT"
},
{
"path": "internal/linux/eintr.go",
"chars": 510,
"preview": "package linux\n\nimport (\n\t\"errors\"\n\n\t\"golang.org/x/sys/unix\"\n)\n\n// retryOnEINTR takes a function that returns an error an"
},
{
"path": "internal/linux/linux.go",
"chars": 3617,
"preview": "package linux\n\nimport (\n\t\"os\"\n\t\"unsafe\"\n\n\t\"golang.org/x/sys/unix\"\n)\n\n// Dup3 wraps [unix.Dup3].\nfunc Dup3(oldfd, newfd, "
},
{
"path": "internal/pathrs/doc.go",
"chars": 1023,
"preview": "// SPDX-License-Identifier: Apache-2.0\n/*\n * Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>\n * Copyright (C) 2"
},
{
"path": "internal/pathrs/mkdirall.go",
"chars": 2035,
"preview": "// SPDX-License-Identifier: Apache-2.0\n/*\n * Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>\n * Copyright (C) 2"
},
{
"path": "internal/pathrs/mkdirall_pathrslite.go",
"chars": 2950,
"preview": "// SPDX-License-Identifier: Apache-2.0\n/*\n * Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>\n * Copyright (C) 2"
},
{
"path": "internal/pathrs/path.go",
"chars": 4623,
"preview": "// SPDX-License-Identifier: Apache-2.0\n/*\n * Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>\n * Copyright (C) 2"
},
{
"path": "internal/pathrs/path_test.go",
"chars": 4199,
"preview": "// SPDX-License-Identifier: Apache-2.0\n/*\n * Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>\n * Copyright (C) 2"
},
{
"path": "internal/pathrs/procfs_pathrslite.go",
"chars": 3158,
"preview": "// SPDX-License-Identifier: Apache-2.0\n/*\n * Copyright (C) 2025 Aleksa Sarai <cyphar@cyphar.com>\n * Copyright (C) 2025 S"
},
{
"path": "internal/pathrs/retry.go",
"chars": 2046,
"preview": "// SPDX-License-Identifier: Apache-2.0\n/*\n * Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>\n * Copyright (C) 2"
},
{
"path": "internal/pathrs/root_pathrslite.go",
"chars": 2295,
"preview": "// SPDX-License-Identifier: Apache-2.0\n/*\n * Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>\n * Copyright (C) 2"
},
{
"path": "internal/sys/doc.go",
"chars": 317,
"preview": "// Package sys is an internal package that contains helper methods for dealing\n// with Linux that are more complicated t"
},
{
"path": "internal/sys/opath_linux.go",
"chars": 1850,
"preview": "package sys\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"runtime\"\n\t\"strconv\"\n\n\t\"golang.org/x/sys/unix\"\n\n\t\"github.com/opencontainers/runc/int"
},
{
"path": "internal/sys/sysctl_linux.go",
"chars": 1303,
"preview": "package sys\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"strings\"\n\n\t\"golang.org/x/sys/unix\"\n\n\t\"github.com/cyphar/filepath-securejoin/pathrs-"
},
{
"path": "internal/sys/verify_inode_unix.go",
"chars": 957,
"preview": "package sys\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"runtime\"\n\n\t\"golang.org/x/sys/unix\"\n)\n\n// VerifyInodeFunc is the callback passed to "
},
{
"path": "internal/third_party/systemd/activation/files_unix.go",
"chars": 1944,
"preview": "// Copyright 2015 CoreOS, Inc.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use "
},
{
"path": "kill.go",
"chars": 1712,
"preview": "package main\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"github.com/opencontainers/runc/libcontainer\"\n\t\"github.c"
},
{
"path": "libcontainer/README.md",
"chars": 2315,
"preview": "# libcontainer\n\n[](https://pkg."
},
{
"path": "libcontainer/SPEC.md",
"chars": 19631,
"preview": "## Container Specification - v1\n\nThis is the standard configuration for version 1 containers. It includes\nnamespaces, s"
},
{
"path": "libcontainer/apparmor/apparmor.go",
"chars": 771,
"preview": "// Package apparmor provides a minimal set of helpers to configure the AppArmor\n// profile of the current process, effec"
},
{
"path": "libcontainer/apparmor/apparmor_linux.go",
"chars": 1651,
"preview": "package apparmor\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"sync\"\n\n\t\"golang.org/x/sys/unix\"\n\n\t\"github.com/opencontainers/runc/in"
},
{
"path": "libcontainer/apparmor/apparmor_unsupported.go",
"chars": 182,
"preview": "//go:build !linux\n\npackage apparmor\n\nfunc isEnabled() bool {\n\treturn false\n}\n\nfunc applyProfile(name string) error {\n\tif"
},
{
"path": "libcontainer/capabilities/capabilities.go",
"chars": 4211,
"preview": "//go:build linux\n\n// Package capabilities provides helpers for managing Linux capabilities.\npackage capabilities\n\nimport"
},
{
"path": "libcontainer/capabilities/capabilities_linux_test.go",
"chars": 1771,
"preview": "package capabilities\n\nimport (\n\t\"io\"\n\t\"os\"\n\t\"testing\"\n\n\t\"github.com/moby/sys/capability\"\n\t\"github.com/opencontainers/run"
},
{
"path": "libcontainer/capabilities/capabilities_unsupported.go",
"chars": 40,
"preview": "//go:build !linux\n\npackage capabilities\n"
},
{
"path": "libcontainer/cmd_clone.go",
"chars": 1013,
"preview": "package libcontainer\n\nimport \"os/exec\"\n\n// cloneCmd creates a copy of exec.Cmd. It is needed because cmd.Start\n// must o"
},
{
"path": "libcontainer/configs/config.go",
"chars": 18993,
"preview": "// Package configs provides various container-related configuration types\n// used by libcontainer.\npackage configs\n\nimpo"
},
{
"path": "libcontainer/configs/config_linux.go",
"chars": 3276,
"preview": "package configs\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"math\"\n)\n\nvar (\n\terrNoUIDMap = errors.New(\"user namespaces enabled, but no u"
},
{
"path": "libcontainer/configs/config_linux_test.go",
"chars": 1644,
"preview": "package configs\n\nimport (\n\t\"testing\"\n)\n\nvar HookNameList = []HookName{Prestart, CreateRuntime, CreateContainer, StartCon"
},
{
"path": "libcontainer/configs/config_test.go",
"chars": 5710,
"preview": "package configs_test\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"os\"\n\t\"reflect\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/opencontainers/"
},
{
"path": "libcontainer/configs/configs_fuzzer.go",
"chars": 139,
"preview": "//go:build gofuzz\n\npackage configs\n\nfunc FuzzUnmarshalJSON(data []byte) int {\n\thooks := Hooks{}\n\t_ = hooks.UnmarshalJSON"
},
{
"path": "libcontainer/configs/doc.go",
"chars": 105,
"preview": "// Package configs defines the structures and constants used for configuring a container\npackage configs\n"
},
{
"path": "libcontainer/configs/intelrdt.go",
"chars": 910,
"preview": "package configs\n\ntype IntelRdt struct {\n\t// The identity for RDT Class of Service\n\tClosID string `json:\"closID,omitempty"
},
{
"path": "libcontainer/configs/memorypolicy.go",
"chars": 454,
"preview": "package configs\n\nimport \"golang.org/x/sys/unix\"\n\n// LinuxMemoryPolicy contains memory policy configuration.\ntype LinuxMe"
},
{
"path": "libcontainer/configs/mount.go",
"chars": 219,
"preview": "package configs\n\nconst (\n\t// EXT_COPYUP is a directive to copy up the contents of a directory when\n\t// a tmpfs is mounte"
},
{
"path": "libcontainer/configs/mount_linux.go",
"chars": 2105,
"preview": "package configs\n\nimport \"golang.org/x/sys/unix\"\n\ntype MountIDMapping struct {\n\t// Recursive indicates if the mapping nee"
},
{
"path": "libcontainer/configs/mount_unsupported.go",
"chars": 105,
"preview": "//go:build !linux\n\npackage configs\n\ntype Mount struct{}\n\nfunc (m *Mount) IsBind() bool {\n\treturn false\n}\n"
},
{
"path": "libcontainer/configs/namespaces.go",
"chars": 72,
"preview": "package configs\n\ntype NamespaceType string\n\ntype Namespaces []Namespace\n"
},
{
"path": "libcontainer/configs/namespaces_linux.go",
"chars": 2749,
"preview": "package configs\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"slices\"\n\t\"sync\"\n)\n\nconst (\n\tNEWNET NamespaceType = \"NEWNET\"\n\tNEWPID Names"
},
{
"path": "libcontainer/configs/namespaces_syscall.go",
"chars": 1082,
"preview": "//go:build linux\n\npackage configs\n\nimport \"golang.org/x/sys/unix\"\n\nfunc (n *Namespace) Syscall() int {\n\treturn namespace"
},
{
"path": "libcontainer/configs/namespaces_syscall_unsupported.go",
"chars": 367,
"preview": "//go:build !linux && !windows\n\npackage configs\n\nfunc (n *Namespace) Syscall() int {\n\tpanic(\"No namespace syscall support"
},
{
"path": "libcontainer/configs/namespaces_unsupported.go",
"chars": 187,
"preview": "//go:build !linux\n\npackage configs\n\n// Namespace defines configuration for each namespace. It specifies an\n// alternate"
},
{
"path": "libcontainer/configs/netdevices.go",
"chars": 239,
"preview": "package configs\n\n// LinuxNetDevice represents a single network device to be added to the container's network namespace.\n"
},
{
"path": "libcontainer/configs/network.go",
"chars": 3126,
"preview": "package configs\n\n// Network defines configuration for a container's networking stack\n//\n// The network configuration can"
},
{
"path": "libcontainer/configs/tocpuset_test.go",
"chars": 2222,
"preview": "package configs\n\nimport (\n\t\"testing\"\n\n\t\"golang.org/x/sys/unix\"\n)\n\nfunc TestToCPUSet(t *testing.T) {\n\tset := func(cpus .."
},
{
"path": "libcontainer/configs/validate/doc.go",
"chars": 84,
"preview": "// Package validate provides helpers for validating configuration.\npackage validate\n"
},
{
"path": "libcontainer/configs/validate/intelrdt.go",
"chars": 759,
"preview": "package validate\n\nimport (\n\t\"sync\"\n\n\t\"github.com/opencontainers/runc/libcontainer/intelrdt\"\n)\n\n// Cache the result of in"
},
{
"path": "libcontainer/configs/validate/intelrdt_test.go",
"chars": 2123,
"preview": "package validate\n\nimport (\n\t\"testing\"\n\n\t\"github.com/opencontainers/runc/libcontainer/configs\"\n)\n\nfunc TestValidateIntelR"
},
{
"path": "libcontainer/configs/validate/rootless.go",
"chars": 2667,
"preview": "package validate\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"github.com/opencontainers/runc/libcontainer/configs"
},
{
"path": "libcontainer/configs/validate/rootless_test.go",
"chars": 4095,
"preview": "package validate\n\nimport (\n\t\"testing\"\n\n\t\"github.com/opencontainers/runc/libcontainer/configs\"\n)\n\nfunc rootlessEUIDConfig"
},
{
"path": "libcontainer/configs/validate/validator.go",
"chars": 15565,
"preview": "package validate\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"sync\"\n\n\t\"github.com/opencontainers/cgrou"
},
{
"path": "libcontainer/configs/validate/validator_test.go",
"chars": 24822,
"preview": "package validate\n\nimport (\n\t\"errors\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/opencontainers/runc/libc"
},
{
"path": "libcontainer/console_linux.go",
"chars": 5704,
"preview": "package libcontainer\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"runtime\"\n\n\t\"github.com/containerd/console\"\n\t\"golang.org/x/sys/un"
},
{
"path": "libcontainer/container.go",
"chars": 1704,
"preview": "// Package libcontainer provides a native Go implementation for creating containers\n// with namespaces, cgroups, capabil"
},
{
"path": "libcontainer/container_linux.go",
"chars": 36088,
"preview": "package libcontainer\n\nimport (\n\t\"bytes\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"reflect\"\n\t\"strconv\"\n\t"
},
{
"path": "libcontainer/container_linux_test.go",
"chars": 6703,
"preview": "package libcontainer\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"testing\"\n\n\t\"github.com/opencontainers/cgroups\"\n\t\"github.com/opencontainers"
},
{
"path": "libcontainer/criu_disabled_linux.go",
"chars": 355,
"preview": "//go:build runc_nocriu\n\npackage libcontainer\n\nimport \"errors\"\n\nvar ErrNoCR = errors.New(\"this runc binary has not been c"
},
{
"path": "libcontainer/criu_linux.go",
"chars": 36588,
"preview": "//go:build !runc_nocriu\n\npackage libcontainer\n\nimport (\n\t\"bufio\"\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net\"\n\t\"os\""
},
{
"path": "libcontainer/criu_opts_linux.go",
"chars": 2250,
"preview": "package libcontainer\n\ntype CriuPageServerInfo struct {\n\tAddress string // IP address of CRIU page server\n\tPort int32 "
},
{
"path": "libcontainer/devices/device_unix.go",
"chars": 2749,
"preview": "//go:build !windows\n\npackage devices\n\nimport (\n\t\"errors\"\n\t\"os\"\n\t\"path/filepath\"\n\n\t\"github.com/opencontainers/cgroups/dev"
},
{
"path": "libcontainer/devices/device_unix_test.go",
"chars": 2186,
"preview": "//go:build !windows\n\npackage devices\n\nimport (\n\t\"errors\"\n\t\"io/fs\"\n\t\"os\"\n\t\"testing\"\n\n\t\"github.com/opencontainers/cgroups/"
},
{
"path": "libcontainer/devices/doc.go",
"chars": 242,
"preview": "// Package devices provides some helper functions for constructing device\n// configurations for runc. These are exclusiv"
},
{
"path": "libcontainer/env.go",
"chars": 2636,
"preview": "package libcontainer\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"slices\"\n\t\"strings\"\n\n\t\"github.com/moby/sys/user\"\n\t\"github.com/sir"
},
{
"path": "libcontainer/env_test.go",
"chars": 1217,
"preview": "package libcontainer\n\nimport (\n\t\"os/user\"\n\t\"slices\"\n\t\"strconv\"\n\t\"testing\"\n)\n\nfunc TestPrepareEnv(t *testing.T) {\n\tu, err"
},
{
"path": "libcontainer/error.go",
"chars": 520,
"preview": "package libcontainer\n\nimport \"errors\"\n\nvar (\n\tErrExist = errors.New(\"container with given ID already exists\")\n\t"
},
{
"path": "libcontainer/example_test.go",
"chars": 5548,
"preview": "package libcontainer_test\n\nimport (\n\t\"log\"\n\t\"os\"\n\n\t\"golang.org/x/sys/unix\"\n\n\t\"github.com/opencontainers/cgroups\"\n\t\"githu"
},
{
"path": "libcontainer/exeseal/cloned_binary_linux.go",
"chars": 8846,
"preview": "package exeseal\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"strconv\"\n\n\t\"github.com/sirupsen/logrus\"\n\t\"golang.org/x/sys/unix"
},
{
"path": "libcontainer/exeseal/doc.go",
"chars": 158,
"preview": "// Package exeseal provides mechanisms for sealing /proc/self/exe and thus\n// protecting the runc binary against CVE-201"
},
{
"path": "libcontainer/exeseal/overlayfs_linux.go",
"chars": 5179,
"preview": "package exeseal\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"strings\"\n\n\t\"golang.org/x/sys/unix\"\n\n\t\"github.com/op"
},
{
"path": "libcontainer/factory_linux.go",
"chars": 6216,
"preview": "package libcontainer\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\n\tsecurejoin \"github.com/cyphar/filepath-securejo"
},
{
"path": "libcontainer/factory_linux_test.go",
"chars": 2655,
"preview": "package libcontainer\n\nimport (\n\t\"errors\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"reflect\"\n\t\"testing\"\n\n\t\"github.com/opencontainers/cgrou"
},
{
"path": "libcontainer/init_linux.go",
"chars": 24255,
"preview": "package libcontainer\n\nimport (\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"runtime\""
},
{
"path": "libcontainer/integration/bench_test.go",
"chars": 2552,
"preview": "package integration\n\nimport (\n\t\"bytes\"\n\t\"math/rand\"\n\t\"os\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/opencontainers/runc/libcon"
},
{
"path": "libcontainer/integration/checkpoint_test.go",
"chars": 3563,
"preview": "package integration\n\nimport (\n\t\"bytes\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"regexp\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/o"
},
{
"path": "libcontainer/integration/doc.go",
"chars": 92,
"preview": "// Package integration is used for integration testing of libcontainer.\npackage integration\n"
},
{
"path": "libcontainer/integration/exec_test.go",
"chars": 46453,
"preview": "package integration\n\nimport (\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"reflect\"\n\t\""
},
{
"path": "libcontainer/integration/execin_test.go",
"chars": 12921,
"preview": "package integration\n\nimport (\n\t\"bytes\"\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"slices\"\n\t\"strconv\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.c"
},
{
"path": "libcontainer/integration/init_test.go",
"chars": 472,
"preview": "package integration\n\nimport (\n\t\"os\"\n\t\"testing\"\n\n\t\"github.com/opencontainers/runc/libcontainer\"\n\t//nolint:revive // Enabl"
},
{
"path": "libcontainer/integration/seccomp_test.go",
"chars": 8413,
"preview": "//go:build linux && cgo && seccomp\n\npackage integration\n\nimport (\n\t\"strings\"\n\t\"syscall\"\n\t\"testing\"\n\n\t\"github.com/opencon"
},
{
"path": "libcontainer/integration/template_test.go",
"chars": 4792,
"preview": "package integration\n\nimport (\n\t\"strconv\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/opencontainers/cgroups\"\n\tdevices \"g"
},
{
"path": "libcontainer/integration/update_test.go",
"chars": 2190,
"preview": "package integration\n\nimport (\n\t\"bytes\"\n\t\"os\"\n\t\"strings\"\n\t\"testing\"\n\n\tdevices \"github.com/opencontainers/cgroups/devices/"
},
{
"path": "libcontainer/integration/utils_test.go",
"chars": 6155,
"preview": "package integration\n\nimport (\n\t\"bytes\"\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"regexp\"\n\t\"runtime\"\n\t\"strconv"
},
{
"path": "libcontainer/intelrdt/cmt.go",
"chars": 469,
"preview": "package intelrdt\n\nvar cmtEnabled bool\n\n// IsCMTEnabled checks if Intel RDT/CMT is enabled.\nfunc IsCMTEnabled() bool {\n\tf"
},
{
"path": "libcontainer/intelrdt/cmt_test.go",
"chars": 1142,
"preview": "package intelrdt\n\nimport (\n\t\"path/filepath\"\n\t\"testing\"\n)\n\nfunc TestGetCMTNumaNodeStats(t *testing.T) {\n\tmocksNUMANodesTo"
},
{
"path": "libcontainer/intelrdt/intelrdt.go",
"chars": 22566,
"preview": "package intelrdt\n\nimport (\n\t\"bytes\"\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strconv\"\n\t\"strings\"\n\t\"sync\"\n\n\tsecurejoin \""
},
{
"path": "libcontainer/intelrdt/intelrdt_test.go",
"chars": 7357,
"preview": "package intelrdt\n\nimport (\n\t\"os\"\n\t\"path/filepath\"\n\t\"slices\"\n\t\"strconv\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/opencontainer"
},
{
"path": "libcontainer/intelrdt/mbm.go",
"chars": 722,
"preview": "package intelrdt\n\n// The flag to indicate if Intel RDT/MBM is enabled\nvar mbmEnabled bool\n\n// IsMBMEnabled checks if Int"
},
{
"path": "libcontainer/intelrdt/mbm_test.go",
"chars": 1455,
"preview": "package intelrdt\n\nimport (\n\t\"path/filepath\"\n\t\"testing\"\n)\n\nfunc TestGetMBMNumaNodeStats(t *testing.T) {\n\tmocksNUMANodesTo"
},
{
"path": "libcontainer/intelrdt/monitoring.go",
"chars": 1775,
"preview": "package intelrdt\n\nimport (\n\t\"bufio\"\n\t\"io\"\n\t\"os\"\n\t\"path/filepath\"\n\n\t\"github.com/sirupsen/logrus\"\n)\n\nvar enabledMonFeature"
},
{
"path": "libcontainer/intelrdt/monitoring_test.go",
"chars": 2602,
"preview": "package intelrdt\n\nimport (\n\t\"os\"\n\t\"path/filepath\"\n\t\"strconv\"\n\t\"strings\"\n\t\"testing\"\n)\n\nfunc TestParseMonFeatures(t *testi"
},
{
"path": "libcontainer/intelrdt/stats.go",
"chars": 1949,
"preview": "package intelrdt\n\ntype L3CacheInfo struct {\n\tCbmMask string `json:\"cbm_mask,omitempty\"`\n\tMinCbmBits uint64 `json:\"min"
},
{
"path": "libcontainer/intelrdt/util_test.go",
"chars": 1049,
"preview": "/*\n * Utility for testing Intel RDT operations.\n * Creates a mock of the Intel RDT \"resource control\" filesystem for the"
},
{
"path": "libcontainer/internal/userns/doc.go",
"chars": 94,
"preview": "// Package userns provides helpers for interacting with Linux user namespaces.\npackage userns\n"
},
{
"path": "libcontainer/internal/userns/userns_maps_linux.c",
"chars": 1997,
"preview": "//go:build linux\n\n#define _GNU_SOURCE\n#include <fcntl.h>\n#include <sched.h>\n#include <stdio.h>\n#include <unistd.h>\n#incl"
},
{
"path": "libcontainer/internal/userns/userns_maps_linux.go",
"chars": 5437,
"preview": "//go:build linux\n\npackage userns\n\nimport (\n\t\"bufio\"\n\t\"bytes\"\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"unsafe\"\n\n\t\"github.com/opencontainers/r"
},
{
"path": "libcontainer/internal/userns/usernsfd_linux.go",
"chars": 5327,
"preview": "package userns\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"sort\"\n\t\"strings\"\n\t\"sync\"\n\t\"syscall\"\n\n\t\"github.com/sirupsen/logrus\"\n\t\"golang.org/"
},
{
"path": "libcontainer/internal/userns/usernsfd_linux_test.go",
"chars": 1288,
"preview": "package userns\n\nimport (\n\t\"os\"\n\t\"testing\"\n\n\t\"github.com/opencontainers/runc/libcontainer/configs\"\n)\n\nfunc BenchmarkSpawn"
},
{
"path": "libcontainer/keys/keyctl.go",
"chars": 1091,
"preview": "// Package keys provides helpers for Linux keyrings.\npackage keys\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"go"
},
{
"path": "libcontainer/logs/logs.go",
"chars": 1913,
"preview": "// Package logs provides helpers for logging used within runc (specifically for\n// forwarding logs from \"runc init\" to t"
},
{
"path": "libcontainer/logs/logs_linux_test.go",
"chars": 3373,
"preview": "package logs\n\nimport (\n\t\"bytes\"\n\t\"io\"\n\t\"os\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/sirupsen/logrus\"\n)\n\nconst msgErr = `\"level\""
},
{
"path": "libcontainer/message_linux.go",
"chars": 2388,
"preview": "package libcontainer\n\nimport (\n\t\"fmt\"\n\t\"math\"\n\n\t\"github.com/vishvananda/netlink/nl\"\n\t\"golang.org/x/sys/unix\"\n)\n\n// list "
},
{
"path": "libcontainer/mount_linux.go",
"chars": 10625,
"preview": "package libcontainer\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"io/fs\"\n\t\"os\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"github.com/sirupsen/logrus\"\n\t\"go"
},
{
"path": "libcontainer/mount_linux_test.go",
"chars": 2355,
"preview": "package libcontainer\n\nimport (\n\t\"testing\"\n\n\t\"golang.org/x/sys/unix\"\n)\n\nfunc TestStringifyMountFlags(t *testing.T) {\n\tfor"
},
{
"path": "libcontainer/network_linux.go",
"chars": 8644,
"preview": "package libcontainer\n\nimport (\n\t\"bytes\"\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strconv\"\n\n\t\"github.com/opencontainers/"
},
{
"path": "libcontainer/notify_linux.go",
"chars": 1978,
"preview": "package libcontainer\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\n\t\"golang.org/x/sys/unix\"\n)\n\ntype PressureLevel u"
},
{
"path": "libcontainer/notify_linux_test.go",
"chars": 2929,
"preview": "package libcontainer\n\nimport (\n\t\"encoding/binary\"\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"testing\"\n\t\"time\"\n\n\t\"golang.org/x/sys/u"
},
{
"path": "libcontainer/notify_v2_linux.go",
"chars": 2405,
"preview": "package libcontainer\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"unsafe\"\n\n\t\"github.com/opencontainers/cgroups/fscommon\"\n\t\""
},
{
"path": "libcontainer/nsenter/README.md",
"chars": 2254,
"preview": "## nsenter\n\nThe `nsenter` package registers a special init constructor that is called before\nthe Go runtime has a chance"
},
{
"path": "libcontainer/nsenter/escape.c",
"chars": 2936,
"preview": "#include <stdlib.h>\n#include <string.h>\n\n#ifdef ESCAPE_TEST\n# include <assert.h>\n# define test_assert(arg) assert(arg)"
},
{
"path": "libcontainer/nsenter/getenv.c",
"chars": 543,
"preview": "#define _GNU_SOURCE\n#include <errno.h>\n#include <stdlib.h>\n#include \"getenv.h\"\n#include \"log.h\"\n\nint getenv_int(const ch"
},
{
"path": "libcontainer/nsenter/getenv.h",
"chars": 371,
"preview": "#ifndef NSENTER_GETENV_H\n#define NSENTER_GETENV_H\n\n/*\n * Returns an environment variable value as a non-negative integer"
},
{
"path": "libcontainer/nsenter/log.c",
"chars": 1732,
"preview": "#define _GNU_SOURCE\n#include <stdarg.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n\n"
},
{
"path": "libcontainer/nsenter/log.h",
"chars": 1257,
"preview": "#ifndef NSENTER_LOG_H\n#define NSENTER_LOG_H\n\n#include <stdbool.h>\n#include <stdio.h>\n\n/*\n * Log levels are the same as i"
},
{
"path": "libcontainer/nsenter/namespace.h",
"chars": 929,
"preview": "#ifndef NSENTER_NAMESPACE_H\n#define NSENTER_NAMESPACE_H\n\n#ifndef _GNU_SOURCE\n#\tdefine _GNU_SOURCE\n#endif\n#include <sched"
},
{
"path": "libcontainer/nsenter/nsenter.go",
"chars": 468,
"preview": "//go:build linux && !gccgo\n\n// Package nsenter implements the namespace creation and joining logic of runc.\n//\n// This p"
},
{
"path": "libcontainer/nsenter/nsenter_gccgo.go",
"chars": 506,
"preview": "//go:build linux && gccgo\n\npackage nsenter\n\n/*\n#cgo CFLAGS: -Wall\nextern void nsexec();\nvoid __attribute__((constructor)"
},
{
"path": "libcontainer/nsenter/nsenter_test.go",
"chars": 5756,
"preview": "package nsenter\n\nimport (\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"os/exec\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"git"
},
{
"path": "libcontainer/nsenter/nsexec.c",
"chars": 36870,
"preview": "\n#define _GNU_SOURCE\n#include <endian.h>\n#include <errno.h>\n#include <fcntl.h>\n#include <grp.h>\n#include <sched.h>\n#incl"
},
{
"path": "libcontainer/nsenter/test/escape.go",
"chars": 1272,
"preview": "// Package escapetest is part of the escape_json_string unit test. It is in a\n// separate package so cgo can be used tog"
},
{
"path": "libcontainer/nsenter/test/escape_test.go",
"chars": 224,
"preview": "package escapetest\n\nimport \"testing\"\n\n// The actual test function is in escape.go\n// so that it can use cgo (import \"C\")"
},
{
"path": "libcontainer/process.go",
"chars": 5022,
"preview": "package libcontainer\n\nimport (\n\t\"errors\"\n\t\"io\"\n\t\"math\"\n\t\"os\"\n\n\t\"github.com/opencontainers/runc/libcontainer/configs\"\n)\n\n"
},
{
"path": "libcontainer/process_linux.go",
"chars": 36589,
"preview": "package libcontainer\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"maps\"\n\t\"net\"\n\t\"os\"\n\t\"os/exe"
},
{
"path": "libcontainer/restored_process.go",
"chars": 2749,
"preview": "package libcontainer\n\nimport (\n\t\"errors\"\n\t\"os\"\n\t\"os/exec\"\n\n\t\"github.com/opencontainers/runc/libcontainer/system\"\n)\n\nfunc"
},
{
"path": "libcontainer/rootfs_linux.go",
"chars": 49033,
"preview": "package libcontainer\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"strconv\"\n\t\"strings\""
},
{
"path": "libcontainer/rootfs_linux_test.go",
"chars": 4770,
"preview": "package libcontainer\n\nimport (\n\t\"testing\"\n\n\t\"github.com/opencontainers/runc/libcontainer/configs\"\n\n\t\"golang.org/x/sys/un"
},
{
"path": "libcontainer/seccomp/config.go",
"chars": 4159,
"preview": "package seccomp\n\nimport (\n\t\"fmt\"\n\t\"maps\"\n\t\"slices\"\n\n\t\"github.com/opencontainers/runc/libcontainer/configs\"\n\t\"github.com/"
},
{
"path": "libcontainer/seccomp/doc.go",
"chars": 112,
"preview": "// Package seccomp provides runc-specific helpers for loading and managing\n// seccomp profiles.\npackage seccomp\n"
},
{
"path": "libcontainer/seccomp/patchbpf/doc.go",
"chars": 171,
"preview": "// Package patchbpf provides utilities for patching libseccomp-generated cBPF\n// programs in order to handle unknown sys"
},
{
"path": "libcontainer/seccomp/patchbpf/enosys_linux.go",
"chars": 25832,
"preview": "//go:build cgo && seccomp\n\npackage patchbpf\n\nimport (\n\t\"bytes\"\n\t\"encoding/binary\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"runtime"
},
{
"path": "libcontainer/seccomp/patchbpf/enosys_linux_test.go",
"chars": 9622,
"preview": "//go:build cgo && seccomp\n\npackage patchbpf\n\nimport (\n\t\"bytes\"\n\t\"encoding/binary\"\n\t\"fmt\"\n\t\"testing\"\n\n\t\"github.com/openco"
},
{
"path": "libcontainer/seccomp/patchbpf/enosys_unsupported.go",
"chars": 56,
"preview": "//go:build !linux || !cgo || !seccomp\n\npackage patchbpf\n"
},
{
"path": "libcontainer/seccomp/seccomp_linux.go",
"chars": 11503,
"preview": "//go:build cgo && seccomp\n\npackage seccomp\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\n\tlibseccomp \"github.com/seccomp/libseccomp-golang"
},
{
"path": "libcontainer/seccomp/seccomp_unsupported.go",
"chars": 797,
"preview": "//go:build !linux || !cgo || !seccomp\n\npackage seccomp\n\nimport (\n\t\"errors\"\n\n\t\"github.com/opencontainers/runc/libcontaine"
},
{
"path": "libcontainer/setns_init_linux.go",
"chars": 5353,
"preview": "package libcontainer\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"os/exec\"\n\n\t\"github.com/opencontainers/selinux/go-selinux\"\n\t\"gith"
},
{
"path": "libcontainer/specconv/example.go",
"chars": 5043,
"preview": "package specconv\n\nimport (\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\n\t\"github.com/opencontainers/cgroups\"\n\t\"github.com/opencont"
},
{
"path": "libcontainer/specconv/spec_linux.go",
"chars": 40603,
"preview": "// Package specconv implements conversion of specifications to libcontainer\n// configurations\npackage specconv\n\nimport ("
},
{
"path": "libcontainer/specconv/spec_linux_test.go",
"chars": 25575,
"preview": "package specconv\n\nimport (\n\t\"errors\"\n\t\"os\"\n\t\"strings\"\n\t\"testing\"\n\n\tdbus \"github.com/godbus/dbus/v5\"\n\tdevices \"github.com"
},
{
"path": "libcontainer/standard_init_linux.go",
"chars": 10422,
"preview": "package libcontainer\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"os/exec\"\n\n\t\"github.com/opencontainers/runtime-spec/specs-go\"\n\t\"g"
},
{
"path": "libcontainer/state_linux.go",
"chars": 5513,
"preview": "package libcontainer\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\n\t\"github.com/opencontainers/cgroups\"\n\t\"github.co"
},
{
"path": "libcontainer/state_linux_test.go",
"chars": 2219,
"preview": "package libcontainer\n\nimport (\n\t\"errors\"\n\t\"reflect\"\n\t\"testing\"\n)\n\nvar states = map[containerState]Status{\n\t&createdState"
},
{
"path": "libcontainer/stats_linux.go",
"chars": 291,
"preview": "package libcontainer\n\nimport (\n\t\"github.com/opencontainers/cgroups\"\n\t\"github.com/opencontainers/runc/libcontainer/intelr"
},
{
"path": "libcontainer/sync.go",
"chars": 5408,
"preview": "package libcontainer\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"strconv\"\n\n\t\"github.com/opencontainers/run"
},
{
"path": "libcontainer/sync_unix.go",
"chars": 2467,
"preview": "package libcontainer\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"sync/atomic\"\n\n\t\"github.com/opencontainers/runc/internal/linux\"\n\t\"gol"
},
{
"path": "libcontainer/system/doc.go",
"chars": 80,
"preview": "// Package system provides wrappers for Linux system operations.\npackage system\n"
},
{
"path": "libcontainer/system/kernelversion/kernel_linux.go",
"chars": 3113,
"preview": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may n"
},
{
"path": "libcontainer/system/kernelversion/kernel_linux_test.go",
"chars": 4620,
"preview": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may n"
},
{
"path": "libcontainer/system/linux.go",
"chars": 5127,
"preview": "//go:build linux\n\npackage system\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"unsafe\"\n\n\t\"github.com/sirupsen/logrus\"\n\t\"golang.org/x/sy"
},
{
"path": "libcontainer/system/proc.go",
"chars": 3678,
"preview": "package system\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"github.com/opencontainers/runc/internal/pathrs\"\n)\n\n"
},
{
"path": "libcontainer/system/proc_test.go",
"chars": 4789,
"preview": "package system\n\nimport (\n\t\"errors\"\n\t\"math/bits\"\n\t\"os\"\n\t\"reflect\"\n\t\"strconv\"\n\t\"testing\"\n)\n\nvar procdata = map[string]Stat"
},
{
"path": "libcontainer/system/rlimit_linux.go",
"chars": 416,
"preview": "package system\n\nimport (\n\t\"syscall\"\n)\n\n// ClearRlimitNofileCache clears go runtime's nofile rlimit cache. The argument\n/"
},
{
"path": "libcontainer/utils/cmsg.go",
"chars": 3782,
"preview": "package utils\n\n/*\n * Copyright 2016, 2017 SUSE LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");"
},
{
"path": "libcontainer/utils/utils.go",
"chars": 1776,
"preview": "// Package utils provides general helper utilities used in libcontainer.\npackage utils\n\nimport (\n\t\"encoding/json\"\n\t\"io\"\n"
},
{
"path": "libcontainer/utils/utils_test.go",
"chars": 1566,
"preview": "package utils\n\nimport (\n\t\"bytes\"\n\t\"testing\"\n\n\t\"golang.org/x/sys/unix\"\n)\n\nvar labelTest = []struct {\n\tlabels []string\n\tqu"
},
{
"path": "libcontainer/utils/utils_unix.go",
"chars": 9085,
"preview": "//go:build !windows\n\npackage utils\n\nimport (\n\t\"fmt\"\n\t\"math\"\n\t\"os\"\n\t\"runtime\"\n\t\"strconv\"\n\t\"sync\"\n\t_ \"unsafe\" // for go:li"
},
{
"path": "list.go",
"chars": 4724,
"preview": "package main\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"os/user\"\n\t\"strconv\"\n\t\"syscall\"\n\t\"text/tabwriter\"\n\t\"time"
},
{
"path": "main.go",
"chars": 6453,
"preview": "// runc is a command line client for running applications packaged according to\n// the Open Container Initiative (OCI) f"
}
]
// ... and 1155 more files (download for full content)