Skip to main content

NamespaceContainer

synwire_sandbox::platform::linux::namespace

Struct NamespaceContainer 

Source 
pub struct NamespaceContainer { /* private fields */ }
Expand description

Spawns processes inside Linux containers via an OCI runtime.

Supports OciRuntime::Runc (standard namespace isolation) and OciRuntime::Gvisor (user-space kernel via runsc).

For gVisor, the constructor probes whether the systrap platform works (it requires CAP_SYS_PTRACE which is missing in rootless + host-network mode due to a gVisor bug). If systrap fails, it falls back to ptrace and caches the result for the lifetime of the process — all subsequent gVisor containers skip the probe.

Implementations§

Source§

impl NamespaceContainer

Source

pub fn new() -> Result<Self, SandboxError>

Create a container using runc from $PATH.

§Errors

Returns SandboxError::RuntimeNotFound if runc is not on $PATH.

Source

pub fn with_gvisor() -> Result<Self, SandboxError>

Create a container using gVisor (runsc) from $PATH.

On first call, probes the systrap platform by running a trivial container. If systrap works, uses it for all future containers (fastest). If it fails (e.g., missing CAP_SYS_PTRACE in rootless mode), falls back to ptrace and logs a warning. The result is cached process-wide — subsequent calls skip the probe.

§Errors

Returns SandboxError::RuntimeNotFound if runsc is not on $PATH.

Source

pub fn with_runtime(kind: OciRuntime) -> Result<Self, SandboxError>

Create a container using the specified OCI runtime.

§Errors

Returns SandboxError::RuntimeNotFound if the runtime binary is not on $PATH.

Source

pub fn spawn( &self, config: &ContainerConfig, ) -> Result<ContainerProcess, SandboxError>

Spawn a command inside a namespace container.

Creates a temporary OCI bundle, generates a runtime spec from config, and runs the container in the foreground. Returns a ContainerProcess that holds the runtime child and the bundle dir.

§Errors

Returns a SandboxError if bundle creation or process spawn fails.

Source

pub fn spawn_captured( &self, config: &ContainerConfig, mode: OutputMode, ) -> Result<ProcessCapture, SandboxError>

Spawn a command inside a namespace container with output captured to files in a temporary directory.

stdout and stderr are redirected to files rather than pipes. The files persist even if the process is killed, and the temporary directory is deleted when the last Arc<CapturedOutput> reference is dropped.

§Errors

Returns a SandboxError if directory creation, file opening, or process spawn fails.

Source

pub fn spawn_interactive( &self, config: &ContainerConfig, ) -> Result<PtySession, SandboxError>

Spawn a command inside a namespace container with full PTY support for human-in-the-loop interaction.

Uses the OCI runtime’s --console-socket mechanism: the runtime creates a PTY inside the container and sends the controller fd back over a Unix socket via SCM_RIGHTS. The returned PtySession contains the controller fd for host-side I/O.

§Errors

Returns a SandboxError if socket setup, process spawn, or PTY fd handshake fails.

Source

pub fn build_config( sandbox: &SandboxConfig, command: impl Into<String>, args: Vec<String>, ) -> ContainerConfig

Build a ContainerConfig from synwire-core’s SandboxConfig.

Derives namespace flags, bind mounts, and security parameters from the high-level configuration.

Trait Implementations§

Source§

impl Debug for NamespaceContainer

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> FutureExt for T

Source§

fn with_context(self, otel_cx: Context) -> WithContext<Self>

Attaches the provided Context to this type, returning a WithContext wrapper. Read more
Source§

fn with_current_context(self) -> WithContext<Self>

Attaches the current Context to this type, returning a WithContext wrapper. Read more
Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> IntoEither for T

Source§

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

impl<T> Pointable for T

Source§

const ALIGN: usize

The alignment of pointer.
Source§

type Init = T

The type for initializers.
Source§

unsafe fn init(init: <T as Pointable>::Init) -> usize

Initializes a with the given initializer. Read more
Source§

unsafe fn deref<'a>(ptr: usize) -> &'a T

Dereferences the given pointer. Read more
Source§

unsafe fn deref_mut<'a>(ptr: usize) -> &'a mut T

Mutably dereferences the given pointer. Read more
Source§

unsafe fn drop(ptr: usize)

Drops the object pointed to by the given pointer. Read more
Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more