Skip to main content

ContainerConfig

nucleus::container

Struct ContainerConfig 

Source 
pub struct ContainerConfig {
Show 46 fields
    pub id: String,
    pub name: String,
    pub command: Vec<String>,
    pub context_dir: Option<PathBuf>,
    pub limits: ResourceLimits,
    pub namespaces: NamespaceConfig,
    pub user_ns_config: Option<UserNamespaceConfig>,
    pub hostname: Option<String>,
    pub use_gvisor: bool,
    pub trust_level: TrustLevel,
    pub network: NetworkMode,
    pub context_mode: ContextMode,
    pub allow_degraded_security: bool,
    pub allow_chroot_fallback: bool,
    pub allow_host_network: bool,
    pub proc_readonly: bool,
    pub service_mode: ServiceMode,
    pub rootfs_path: Option<PathBuf>,
    pub egress_policy: Option<EgressPolicy>,
    pub health_check: Option<HealthCheck>,
    pub readiness_probe: Option<ReadinessProbe>,
    pub secrets: Vec<SecretMount>,
    pub volumes: Vec<VolumeMount>,
    pub environment: Vec<(String, String)>,
    pub process_identity: ProcessIdentity,
    pub config_hash: Option<u64>,
    pub sd_notify: bool,
    pub required_kernel_lockdown: Option<KernelLockdownMode>,
    pub verify_context_integrity: bool,
    pub verify_rootfs_attestation: bool,
    pub seccomp_log_denied: bool,
    pub gvisor_platform: GVisorPlatform,
    pub seccomp_profile: Option<PathBuf>,
    pub seccomp_profile_sha256: Option<String>,
    pub seccomp_mode: SeccompMode,
    pub seccomp_trace_log: Option<PathBuf>,
    pub seccomp_allow_syscalls: Vec<String>,
    pub caps_policy: Option<PathBuf>,
    pub caps_policy_sha256: Option<String>,
    pub landlock_policy: Option<PathBuf>,
    pub landlock_policy_sha256: Option<String>,
    pub hooks: Option<OciHooks>,
    pub pid_file: Option<PathBuf>,
    pub console_socket: Option<PathBuf>,
    pub bundle_dir: Option<PathBuf>,
    pub state_root: Option<PathBuf>,

}
Expand description

Container configuration

Fields§

§id: String

Unique container ID (auto-generated 32 hex chars, 128-bit)

§name: String

User-supplied container name (optional, defaults to ID)

§command: Vec<String>

Command to execute in the container

§context_dir: Option<PathBuf>

Context directory to pre-populate (optional)

§limits: ResourceLimits

Resource limits

§namespaces: NamespaceConfig

Namespace configuration

§user_ns_config: Option<UserNamespaceConfig>

User namespace configuration (for rootless mode)

§hostname: Option<String>

Hostname to set in UTS namespace (optional)

§use_gvisor: bool

Whether to use gVisor runtime

§trust_level: TrustLevel

Trust level for this workload

§network: NetworkMode

Network mode

§context_mode: ContextMode

Context mode (copy or bind mount)

§allow_degraded_security: bool

Allow degraded security behavior if a hardening layer cannot be applied

§allow_chroot_fallback: bool

Allow chroot fallback when pivot_root fails (weaker isolation)

§allow_host_network: bool

Require explicit opt-in for host networking

§proc_readonly: bool

Mount /proc read-only inside the container

§service_mode: ServiceMode

Service mode (agent vs production)

§rootfs_path: Option<PathBuf>

Pre-built rootfs path (Nix store path). When set, this is bind-mounted as the container root instead of bind-mounting host /bin, /usr, /lib, etc.

§egress_policy: Option<EgressPolicy>

Egress policy for audited outbound network access.

§health_check: Option<HealthCheck>

Health check configuration for long-running services.

§readiness_probe: Option<ReadinessProbe>

Readiness probe for service startup detection.

§secrets: Vec<SecretMount>

Secret files to mount into the container.

§volumes: Vec<VolumeMount>

Volume mounts to attach to the container filesystem.

§environment: Vec<(String, String)>

Environment variables to pass to the container process.

§process_identity: ProcessIdentity

Runtime uid/gid and supplementary groups for the workload process.

§config_hash: Option<u64>

Desired topology config hash for reconciliation change detection.

§sd_notify: bool

Enable sd_notify integration (pass NOTIFY_SOCKET into container).

§required_kernel_lockdown: Option<KernelLockdownMode>

Require the host kernel to be in at least this lockdown mode.

§verify_context_integrity: bool

Verify context contents before executing the workload.

§verify_rootfs_attestation: bool

Verify rootfs attestation manifest before mounting it.

§seccomp_log_denied: bool

Request kernel logging for denied seccomp decisions when supported.

§gvisor_platform: GVisorPlatform

Select the gVisor platform backend.

§seccomp_profile: Option<PathBuf>

Path to a per-service seccomp profile (JSON, OCI subset format). When set, this profile is used instead of the built-in allowlist.

§seccomp_profile_sha256: Option<String>

Expected SHA-256 hash of the seccomp profile file for integrity verification.

§seccomp_mode: SeccompMode

Seccomp operating mode.

§seccomp_trace_log: Option<PathBuf>

Path to write seccomp trace log (NDJSON) when seccomp_mode == Trace.

§seccomp_allow_syscalls: Vec<String>

Additional syscalls to allow beyond the built-in default allowlist. Each entry is a syscall name (e.g. “io_uring_setup”, “sysinfo”). These are merged into the built-in filter; they do NOT replace it.

§caps_policy: Option<PathBuf>

Path to capability policy file (TOML).

§caps_policy_sha256: Option<String>

Expected SHA-256 hash of the capability policy file.

§landlock_policy: Option<PathBuf>

Path to Landlock policy file (TOML).

§landlock_policy_sha256: Option<String>

Expected SHA-256 hash of the Landlock policy file.

§hooks: Option<OciHooks>

OCI lifecycle hooks to execute at various container lifecycle points.

§pid_file: Option<PathBuf>

Path to write the container PID (OCI –pid-file).

§console_socket: Option<PathBuf>

Path to AF_UNIX socket for console pseudo-terminal master (OCI –console-socket).

§bundle_dir: Option<PathBuf>

Override OCI bundle directory path (OCI –bundle).

§state_root: Option<PathBuf>

Override root directory for state storage (–root). When set, ContainerStateManager uses this instead of the default.

Implementations§

Source§

impl ContainerConfig

Source

pub fn try_new(name: Option<String>, command: Vec<String>) -> Result<Self>

Create a new container config with a random ID.

§Panics

Panics if secure random bytes cannot be read from /dev/urandom.

Source

pub fn try_new_with_id( preset_id: Option<String>, name: Option<String>, command: Vec<String>, ) -> Result<Self>

Create a new container config, optionally using a pre-generated ID.

When preset_id is Some, it is used as the container ID instead of generating a new one. This is used by --detach to ensure the outer CLI process and the systemd-managed inner process share the same ID.

Source

pub fn with_rootless(self) -> Self

Enable rootless mode with user namespace mapping

Source

pub fn with_user_namespace(self, config: UserNamespaceConfig) -> Self

Configure custom user namespace mapping

Source

pub fn with_context(self, dir: PathBuf) -> Self

Source

pub fn with_limits(self, limits: ResourceLimits) -> Self

Source

pub fn with_namespaces(self, namespaces: NamespaceConfig) -> Self

Source

pub fn with_hostname(self, hostname: Option<String>) -> Self

Source

pub fn with_gvisor(self, enabled: bool) -> Self

Source

pub fn with_trust_level(self, level: TrustLevel) -> Self

Source

pub fn with_oci_bundle(self) -> Self

Enable OCI bundle runtime path (always OCI for gVisor).

Source

pub fn with_network(self, mode: NetworkMode) -> Self

Source

pub fn with_context_mode(self, mode: ContextMode) -> Self

Source

pub fn with_allow_degraded_security(self, allow: bool) -> Self

Source

pub fn with_allow_chroot_fallback(self, allow: bool) -> Self

Source

pub fn with_allow_host_network(self, allow: bool) -> Self

Source

pub fn with_proc_readonly(self, proc_readonly: bool) -> Self

Source

pub fn with_service_mode(self, mode: ServiceMode) -> Self

Source

pub fn with_rootfs_path(self, path: PathBuf) -> Self

Source

pub fn with_egress_policy(self, policy: EgressPolicy) -> Self

Source

pub fn with_health_check(self, hc: HealthCheck) -> Self

Source

pub fn with_readiness_probe(self, probe: ReadinessProbe) -> Self

Source

pub fn with_secret(self, secret: SecretMount) -> Self

Source

pub fn with_volume(self, volume: VolumeMount) -> Self

Source

pub fn with_env(self, key: String, value: String) -> Self

Source

pub fn with_process_identity(self, identity: ProcessIdentity) -> Self

Source

pub fn with_config_hash(self, hash: u64) -> Self

Source

pub fn with_sd_notify(self, enabled: bool) -> Self

Source

pub fn with_required_kernel_lockdown(self, mode: KernelLockdownMode) -> Self

Source

pub fn with_verify_context_integrity(self, enabled: bool) -> Self

Source

pub fn with_verify_rootfs_attestation(self, enabled: bool) -> Self

Source

pub fn with_seccomp_log_denied(self, enabled: bool) -> Self

Source

pub fn with_gvisor_platform(self, platform: GVisorPlatform) -> Self

Source

pub fn with_seccomp_profile(self, path: PathBuf) -> Self

Source

pub fn with_seccomp_profile_sha256(self, hash: String) -> Self

Source

pub fn with_seccomp_mode(self, mode: SeccompMode) -> Self

Source

pub fn with_seccomp_trace_log(self, path: PathBuf) -> Self

Source

pub fn with_seccomp_allow_syscalls(self, syscalls: Vec<String>) -> Self

Source

pub fn with_caps_policy(self, path: PathBuf) -> Self

Source

pub fn with_caps_policy_sha256(self, hash: String) -> Self

Source

pub fn with_landlock_policy(self, path: PathBuf) -> Self

Source

pub fn with_landlock_policy_sha256(self, hash: String) -> Self

Source

pub fn with_pid_file(self, path: PathBuf) -> Self

Source

pub fn with_console_socket(self, path: PathBuf) -> Self

Source

pub fn with_bundle_dir(self, path: PathBuf) -> Self

Source

pub fn with_state_root(self, root: PathBuf) -> Self

Source

pub fn validate_production_mode(&self) -> Result<()>

Validate that production mode invariants are satisfied. Called before container startup when service_mode == Production.

Source

pub fn validate_runtime_support(&self) -> Result<()>

Validate runtime-specific feature support.

Source

pub fn apply_runtime_selection( self, runtime: RuntimeSelection, oci: bool, ) -> Result<Self>

Apply runtime selection (native vs gVisor) and OCI bundle mode.

Trait Implementations§

Source§

impl Clone for ContainerConfig

Source§

fn clone(&self) -> ContainerConfig

Returns a duplicate of the value. Read more
1.0.0 (const: unstable) · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for ContainerConfig

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more