forked from neuvector/neuvector
/
types.go
235 lines (209 loc) · 5.26 KB
/
types.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
package container
import (
"errors"
"io"
"net"
"os"
"strings"
"time"
log "github.com/sirupsen/logrus"
"github.com/neuvector/neuvector/share"
"github.com/neuvector/neuvector/share/system"
"github.com/neuvector/neuvector/share/utils"
)
type Event string
type EventCallback func(event Event, id string, pid int)
type Runtime interface {
String() string
MonitorEvent(cb EventCallback, cpath bool) error
StopMonitorEvent()
GetHost() (*share.CLUSHost, error)
GetDevice(id string) (*share.CLUSDevice, *ContainerMetaExtra, error)
GetContainer(id string) (*ContainerMetaExtra, error)
ListContainers(runningOnly bool) ([]*ContainerMeta, error)
ListContainerIDs() utils.Set
GetImageHistory(name string) ([]*ImageHistory, error)
GetImage(name string) (*ImageMeta, error)
GetImageFile(id string) (io.ReadCloser, error)
GetNetworkEndpoint(netName, container, epName string) (*NetworkEndpoint, error)
ListNetworks() (map[string]*Network, error)
GetService(id string) (*Service, error)
ListServices() ([]*Service, error)
// Return if container is child and parent container id. If pidMap is nil, only return if it's child.
GetParent(meta *ContainerMetaExtra, pidMap map[int]string) (bool, string)
IsDaemonProcess(proc string, cmds []string) bool
IsRuntimeProcess(proc string, cmds []string) bool
GetProxy() (string, string, string)
GetDefaultRegistries() []string
GetStorageDriver() string
}
var (
ErrUnknownRuntime = errors.New("Unknown container runtime")
ErrMethodNotSupported = errors.New("Method not supported")
ErrNotFound = errors.New("Not found")
)
const (
RuntimeDocker = "docker"
RuntimeContainerd = "containerd"
RuntimeCriO = "cri-o"
)
const (
DockerNetworkGlobal = "global"
DockerNetworkSwarm = "swarm"
DockerNetworkLocal = "local"
)
const (
EventContainerStart = "start"
EventContainerStop = "stop"
EventContainerDelete = "delete"
EventContainerCopyIn = "copy-in"
EventContainerCopyOut = "copy-out"
EventSocketError = "socket-err"
EventServiceCreate = "create-service"
EventServiceUpdate = "update-service"
EventServiceDelete = "delete-service"
EventNetworkCreate = "create-network"
EventNetworkDelete = "delete-network"
)
type Network struct {
Name string
ID string
Scope string
Driver string
Subnets []*net.IPNet
Gateways []net.IP
}
type NetworkEndpoint struct {
ID string
Name string
MAC net.HardwareAddr
IPNet *net.IPNet
}
type Service struct {
ID string
Name string
Labels map[string]string
VIPs []net.IP
}
type ImageMeta struct {
ID string
Digest string
CreatedAt time.Time
Size int64
Env []string
Author string
Labels map[string]string
RepoTags []string
Layers []string
}
type ImageHistory struct {
ID string
Cmd string
Size int64
}
type ContainerMeta struct {
ID string
Name string
Image string
Labels map[string]string
Hostname string
Pid int
Envs []string
PidMode string
NetMode string
Sandbox string
isChild bool
}
type ContainerMetaExtra struct {
ContainerMeta
ImageID string
ImageDigest string
Author string
Privileged bool
ExitCode int
Running bool
CreatedAt time.Time
StartedAt time.Time
FinishedAt time.Time
MemoryLimit int64
CPUs string
ProxyMesh bool
Sidecar bool
RunAsRoot bool
// network
IPAddress string
IPPrefixLen int
MappedPorts map[share.CLUSProtoPort]*share.CLUSMappedPort
Networks utils.Set
LogPath string
}
func ConnectDocker(endpoint string, sys *system.SystemTools) (Runtime, error) {
log.WithFields(log.Fields{"endpoint": endpoint}).Info()
if endpoint != "" {
rt, err := dockerConnect(endpoint, sys)
if err == nil {
return rt, nil
}
} else {
if isUnixSockFile(defaultDockerSocket) {
rt, err := dockerConnect(defaultDockerSocket, sys)
if err == nil {
return rt, nil
}
}
}
return nil, ErrUnknownRuntime
}
func Connect(endpoint string, sys *system.SystemTools) (Runtime, error) {
log.WithFields(log.Fields{"endpoint": endpoint}).Info()
if endpoint != "" {
if _, err := os.Stat(endpoint); err != nil {
return nil, err
}
rt, err := dockerConnect(endpoint, sys)
if err == nil {
return rt, nil
}
rt, err = containerdConnect(endpoint, sys)
if err == nil {
return rt, nil
}
rt, err = crioConnect(endpoint, sys)
if err == nil {
return rt, nil
}
} else {
if isUnixSockFile(defaultDockerSocket) {
rt, err := dockerConnect(defaultDockerSocket, sys)
if err == nil {
return rt, nil
}
}
if isUnixSockFile(defaultContainerdSock) {
rt, err := containerdConnect(defaultContainerdSock, sys)
if err == nil {
return rt, nil
}
}
if isUnixSockFile(defaultCriOSock) {
rt, err := crioConnect(defaultCriOSock, sys)
if err == nil {
return rt, nil
}
}
}
return nil, ErrUnknownRuntime
}
// Unlike named pipes which allow only unidirectional data flow, sockets are fully duplex-capable.
// A UNIX socket is marked with an s as the first letter of the mode string, e.g.
// srwxrwxrwx /tmp/.X11-unix/X0
func isUnixSockFile(filename string) bool {
if strings.HasPrefix(filename, "unix://") {
filename = filename[len("unix://"):]
}
info, err := os.Stat(filename)
if err != nil {
return false
}
return (info.Mode() & os.ModeSocket) != 0
}