pub struct Container { /* private fields */ }
Safe and isolated environment for executing commands.
A default environment can be created with Container::new, which unshares the necessary namespaces. Then use bindmount_ro or bindmount_rw to mount host directories into the container root; bindmount_ro is the safer default, and bindmount_rw should be reserved for paths the command genuinely needs to write to, since it exposes the host directory to modification.
use hakoniwa::Container;
let mut container = Container::new();
container.bindmount_ro("/bin", "/bin")
.bindmount_ro("/lib", "/lib")
.bindmount_ro("/lib64", "/lib64")
.bindmount_ro("/usr", "/usr");
And now we can execute a Command in the container.
let mut command = container.command("/bin/echo");
let output = command.arg("hello")
.output()
.expect("failed to execute process within container");
Implementations
impl Container
pub fn new() -> Self
Constructs a new Container with the following steps:
- Create a new MOUNT namespace
- Create a new USER namespace and map the current user to itself
- Create a new PID namespace and mount a new procfs on /proc
Create a new namespace.
pub fn rootdir<P: AsRef<Path>>(&mut self, host_path: P) -> &mut Self
Use host_path as the mount point for the container root filesystem.
By default the mount point is a temporary directory that is automatically cleaned up when the last process exits.
This method is mainly useful when host_path points to a directory containing a filesystem hierarchy that you want to chroot into.
§Caveats
Some empty directories and files that were used as mount-point targets may be left behind even after the last process exits.
pub fn rootfs<P: AsRef<Path>>(&mut self, host_path: P) -> Result<&mut Self>
Bind mount all subdirectories of host_path into the container with read-only access in the new MOUNT namespace.
§Caveats
When / is used as the rootfs, only the following subdirectories are mounted: /bin, /etc, /lib, /lib64, /lib32, /sbin, /usr.
pub fn bindmount_ro( &mut self, host_path: &str, container_path: &str, ) -> &mut Self
Bind mount host_path on container_path with read-only access in the new MOUNT namespace.
pub fn bindmount_rw( &mut self, host_path: &str, container_path: &str, ) -> &mut Self
Bind mount host_path on container_path with read-write access in the new MOUNT namespace; writes made inside the container are visible on the host path.
pub fn devfsmount(&mut self, container_path: &str) -> &mut Self
Mount a new devfs on container_path in the new MOUNT namespace.
§Caveats
This is not a real Linux filesystem type. It just bind-mounts a minimal set of device files, such as /dev/null, into container_path.
pub fn tmpfsmount(&mut self, container_path: &str) -> &mut Self
Mount a new tmpfs on container_path in the new MOUNT namespace.
pub fn procfsmount(&mut self, container_path: &str) -> &mut Self
Mount a new procfs on container_path in the new MOUNT namespace.
pub fn file(&mut self, target: &str, contents: &str) -> &mut Self
Creates a new file at target with the given contents on the filesystem in the new MOUNT namespace.
pub fn dir(&mut self, target: &str, mode: u32) -> &mut Self
Creates a new directory at target with the given mode in the new MOUNT namespace.
pub fn symlink(&mut self, original: &str, link: &str) -> &mut Self
Creates a new symbolic link at link pointing to original on the filesystem in the new MOUNT namespace.
pub fn uidmap(&mut self, uid: u32) -> &mut Self
Map the current user to uid in the new USER namespace.
This is a shorthand for uidmaps(&[(uid, Uid::current().as_raw(), 1)]).
pub fn gidmap(&mut self, gid: u32) -> &mut Self
Map the current group to gid in the new USER namespace.
This is a shorthand for gidmaps(&[(gid, Gid::current().as_raw(), 1)]).
pub fn uidmaps(&mut self, idmaps: &[(u32, u32, u32)]) -> &Self
Create new UID maps in the new USER namespace.
pub fn gidmaps(&mut self, idmaps: &[(u32, u32, u32)]) -> &Self
Create new GID maps in the new USER namespace.
pub fn user( &mut self, user: &str, group: Option<&str>, supplementary_groups: &[&str], ) -> &mut Self
Changes the user in the new USER namespace.
§Caveats
It uses the /etc/passwd and /etc/group files inside the container to look up and validate the user and group, so those files must be present in the container's filesystem.
pub fn hostname(&mut self, hostname: &str) -> &mut Self
Changes the hostname in the new UTS namespace.
pub fn network<T: Into<Network>>(&mut self, network: T) -> &mut Self
Changes the network mode in the new NETWORK namespace.
pub fn setrlimit( &mut self, resource: Rlimit, soft_limit: u64, hard_limit: u64, ) -> &mut Self
Set the soft and hard limits for resource.
pub fn landlock_ruleset(&mut self, ruleset: Ruleset) -> &mut Self
Set the Landlock ruleset.
pub fn seccomp_filter(&mut self, filter: Filter) -> &mut Self
Set the seccomp filter.