Cloudpods/backend/pkg/apis/container.go

// Copyright 2019 Yunion
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package apis

import (
	"encoding/json"

	"yunion.io/x/pkg/errors"
	"yunion.io/x/pkg/util/sets"
)

type ContainerKeyValue struct {
	Key       string                `json:"key"`
	Value     string                `json:"value"`
	ValueFrom *ContainerValueSource `json:"value_from"`
}

type ContainerValueSource struct {
	Credential *ContainerValueSourceCredential `json:"credential"`
}

type ContainerValueSourceCredential struct {
	Id  string `json:"id"`
	Key string `json:"key"`
}

type ContainerLifecyleHandlerType string

const (
	ContainerLifecyleHandlerTypeExec ContainerLifecyleHandlerType = "exec"
)

type ContainerLifecyleHandlerExecAction struct {
	Command []string `json:"command"`
}

type ContainerLifecyleHandler struct {
	Type ContainerLifecyleHandlerType        `json:"type"`
	Exec *ContainerLifecyleHandlerExecAction `json:"exec"`
}

type ContainerLifecyle struct {
	PostStart *ContainerLifecyleHandler `json:"post_start"`
}

type ContainerProcMountType string

const (
	// DefaultProcMount uses the container runtime defaults for readonly and masked
	// paths for /proc.  Most container runtimes mask certain paths in /proc to avoid
	// accidental security exposure of special devices or information.
	ContainerDefaultProcMount ContainerProcMountType = "Default"

	// UnmaskedProcMount bypasses the default masking behavior of the container
	// runtime and ensures the newly created /proc the container stays in tact with
	// no modifications.
	ContainerUnmaskedProcMount ContainerProcMountType = "Unmasked"
)

type ContainerSecurityContext struct {
	RunAsUser  *int64 `json:"run_as_user,omitempty"`
	RunAsGroup *int64 `json:"run_as_group,omitempty"`
	// procMount denotes the type of proc mount to use for the containers.
	// The default is DefaultProcMount which uses the container runtime defaults for
	ProcMount       ContainerProcMountType `json:"proc_mount"`
	ApparmorProfile string                 `json:"apparmor_profile"`
}

type ContainerResources struct {
	// CpuCfsQuota can be set to 0.5 that mapping to 0.5*100000 for cpu.cpu_cfs_quota_us
	CpuCfsQuota *float64 `json:"cpu_cfs_quota,omitempty"`
	// MemoryLimitMB will be transferred to memory.limit_in_bytes
	// MemoryLimitMB *int64 `json:"memory_limit_mb,omitempty"`
	// PidsMax will be set to pids.max
	PidsMax *int `json:"pids_max"`
	// DevicesAllow will be set to devices.allow
	DevicesAllow []string `json:"devices_allow"`
	// This flag only affects the cpuset controller. If the clone_children
	// flag is enabled in a cgroup, a new cpuset cgroup will copy its
	// configuration fromthe parent during initialization.
	CpusetCloneChildren bool `json:"cpuset_clone_children"`
	// cgroup memory.high
	MemoryHighRatio *float64 `json:"memory_high_ratio"`
}

type ContainerEnvRefValueType string

const (
	ContainerEnvRefValueTypeIsolatedDevice ContainerEnvRefValueType = "isolated_device"
)

type ContainerIsolatedDeviceOnlyEnv struct {
	Key             string `json:"key"`
	FromRenderPath  bool   `json:"from_render_path"`
	FromIndex       bool   `json:"from_index"`
	FromDeviceMinor bool   `json:"from_device_minor"`
}

type ContainerCDIKind string

var (
	CONTAINER_CDI_KIND_NVIDIA_GPU ContainerCDIKind = "nvidia.com/gpu"
)

type ContainerIsolatedDeviceCDI struct {
	Kind ContainerCDIKind
}

type ContainerSpec struct {
	// Image to use.
	Image string `json:"image"`
	// Image pull policy
	ImagePullPolicy ImagePullPolicy `json:"image_pull_policy"`
	// Image credential id
	ImageCredentialId string `json:"image_credential_id"`
	// Command to execute (i.e., entrypoint for docker)
	Command []string `json:"command"`
	// Args for the Command (i.e. command for docker)
	Args []string `json:"args"`
	// Current working directory of the command.
	WorkingDir string `json:"working_dir"`
	// List of environment variable to set in the container.
	Envs []*ContainerKeyValue `json:"envs"`
	// Enable lxcfs
	EnableLxcfs        bool                      `json:"enable_lxcfs"`
	Capabilities       *ContainerCapability      `json:"capabilities"`
	Privileged         bool                      `json:"privileged"`
	DisableNoNewPrivs  bool                      `json:"disable_no_new_privs"`
	Lifecyle           *ContainerLifecyle        `json:"lifecyle"`
	CgroupDevicesAllow []string                  `json:"cgroup_devices_allow"`
	CgroupPidsMax      int                       `json:"cgroup_pids_max"`
	ResourcesLimit     *ContainerResources       `json:"resources_limit"`
	SimulateCpu        bool                      `json:"simulate_cpu"`
	ShmSizeMB          int                       `json:"shm_size_mb"`
	SecurityContext    *ContainerSecurityContext `json:"security_context,omitempty"`
	// Periodic probe of container liveness.
	// Container will be restarted if the probe fails.
	// Cannot be updated.
	//LivenessProbe *ContainerProbe `json:"liveness_probe,omitempty"`
	// StartupProbe indicates that the Pod has successfully initialized.
	// If specified, no other probes are executed until this completes successfully.
	StartupProbe  *ContainerProbe `json:"startup_probe,omitempty"`
	AlwaysRestart bool            `json:"always_restart"`
	Primary       bool            `json:"primary"`

	// DependsOn is a list of container name which this container depends on when pod start
	// Only works for containers created & started by pod-create & server-start
	DependsOn []string `json:"depends_on,omitempty"`
}

func (c *ContainerSpec) NeedProbe() bool {
	//if c.LivenessProbe != nil {
	//	return true
	//}
	if c.StartupProbe != nil {
		return true
	}
	return false
}

type ContainerCapability struct {
	Add  []string `json:"add"`
	Drop []string `json:"drop"`
}

type ImagePullPolicy string

const (
	ImagePullPolicyAlways       = "Always"
	ImagePullPolicyIfNotPresent = "IfNotPresent"
)

type ContainerVolumeMountType string

const (
	CONTAINER_VOLUME_MOUNT_TYPE_DISK      ContainerVolumeMountType = "disk"
	CONTAINER_VOLUME_MOUNT_TYPE_HOST_PATH ContainerVolumeMountType = "host_path"
	CONTAINER_VOLUME_MOUNT_TYPE_TEXT      ContainerVolumeMountType = "text"
	CONTAINER_VOLUME_MOUNT_TYPE_CEPHF_FS  ContainerVolumeMountType = "ceph_fs"
)

type ContainerDeviceType string

const (
	CONTAINER_DEVICE_TYPE_ISOLATED_DEVICE ContainerDeviceType = "isolated_device"
	CONTAINER_DEVICE_TYPE_HOST            ContainerDeviceType = "host"
)

type ContainerMountPropagation string

const (
	// No mount propagation ("private" in Linux terminology).
	MOUNTPROPAGATION_PROPAGATION_PRIVATE ContainerMountPropagation = "private"
	// Mounts get propagated from the host to the container ("rslave" in Linux).
	MOUNTPROPAGATION_PROPAGATION_HOST_TO_CONTAINER ContainerMountPropagation = "rslave"
	// Mounts get propagated from the host to the container and from the
	// container to the host ("rshared" in Linux).
	MOUNTPROPAGATION_PROPAGATION_BIDIRECTIONAL ContainerMountPropagation = "rshared"
)

var (
	ContainerMountPropagations = sets.NewString(
		string(MOUNTPROPAGATION_PROPAGATION_PRIVATE), string(MOUNTPROPAGATION_PROPAGATION_HOST_TO_CONTAINER), string(MOUNTPROPAGATION_PROPAGATION_BIDIRECTIONAL))
)

type ContainerVolumeMount struct {
	// 用于标识当前 pod volume mount 的唯一性
	UniqueName string                        `json:"unique_name"`
	Type       ContainerVolumeMountType      `json:"type"`
	Disk       *ContainerVolumeMountDisk     `json:"disk"`
	HostPath   *ContainerVolumeMountHostPath `json:"host_path"`
	Text       *ContainerVolumeMountText     `json:"text"`
	CephFS     *ContainerVolumeMountCephFS   `json:"ceph_fs"`
	// Mounted read-only if true, read-write otherwise (false or unspecified).
	ReadOnly bool `json:"read_only"`
	// Path within the container at which the volume should be mounted.  Must
	// not contain ':'.
	MountPath string `json:"mount_path"`
	// If set, the mount needs SELinux relabeling.
	SelinuxRelabel bool `json:"selinux_relabel,omitempty"`
	// Requested propagation mode.
	Propagation ContainerMountPropagation `json:"propagation,omitempty"`
	// Owner permissions
	FsUser  *int64 `json:"fs_user,omitempty"`
	FsGroup *int64 `json:"fs_group,omitempty"`
}

type ContainerOverlayDiskImage struct {
	DiskId  string `json:"disk_id"`
	ImageId string `json:"image_id"`
}

type ContainerDiskOverlayType string

const (
	CONTAINER_DISK_OVERLAY_TYPE_DIRECTORY  ContainerDiskOverlayType = "directory"
	CONTAINER_DISK_OVERLAY_TYPE_DISK_IMAGE ContainerDiskOverlayType = "disk_image"
	CONTAINER_DISK_OVERLAY_TYPE_UNKNOWN    ContainerDiskOverlayType = "unknown"
)

type ContainerVolumeMountDiskOverlay struct {
	LowerDir     []string `json:"lower_dir"`
	UseDiskImage bool     `json:"use_disk_image"`
}

func (o ContainerVolumeMountDiskOverlay) GetType() ContainerDiskOverlayType {
	if len(o.LowerDir) != 0 {
		return CONTAINER_DISK_OVERLAY_TYPE_DIRECTORY
	}
	if o.UseDiskImage {
		return CONTAINER_DISK_OVERLAY_TYPE_DISK_IMAGE
	}
	return CONTAINER_DISK_OVERLAY_TYPE_UNKNOWN
}

func (o ContainerVolumeMountDiskOverlay) IsValid() error {
	if o.GetType() == CONTAINER_DISK_OVERLAY_TYPE_UNKNOWN {
		return errors.ErrNotSupported
	}
	return nil
}

type HostLowerPath struct {
	PrePath  string `json:"pre_path"`
	PostPath string `json:"post_path"`
}

type ContainerVolumeMountDiskPostImageOverlay struct {
	Id      string            `json:"id"`
	PathMap map[string]string `json:"path_map"`
	// 宿主机底层目录映射, key 为 PathMap 的 key，value 为 overlay lower 格式，多目录以 ":" 分隔
	HostLowerMap map[string]*HostLowerPath `json:"host_lower_map"`
	UpperConfig  *PostOverlayUpperConfig   `json:"upper_config"`
}

type PostOverlayUpperConfigType string

const (
	PostOverlayUpperConfigTypeDisk PostOverlayUpperConfigType = "disk"
)

type PostOverlayUpperConfigDisk struct {
	SubPath string `json:"sub_path"`
}

type PostOverlayUpperConfig struct {
	Type PostOverlayUpperConfigType  `json:"type"`
	Disk *PostOverlayUpperConfigDisk `json:"disk"`
}

type ContainerVolumeMountDiskPostImageOverlayUnpacker ContainerVolumeMountDiskPostImageOverlay

func (ov *ContainerVolumeMountDiskPostImageOverlay) UnmarshalJSON(data []byte) error {
	nov := new(ContainerVolumeMountDiskPostImageOverlayUnpacker)
	if err := json.Unmarshal(data, nov); err != nil {
		return err
	}
	ov.Id = nov.Id
	// 防止 PathMap 被合并，总是用 Unarmshal data 里面的 path_map
	ov.PathMap = nov.PathMap
	ov.HostLowerMap = nov.HostLowerMap
	ov.UpperConfig = nov.UpperConfig
	return nil
}

type ContainerVolumeMountDiskPostOverlayType string

const (
	CONTAINER_VOLUME_MOUNT_DISK_POST_OVERLAY_HOSTPATH ContainerVolumeMountDiskPostOverlayType = "host_path"
	CONTAINER_VOLUME_MOUNT_DISK_POST_OVERLAY_IMAGE    ContainerVolumeMountDiskPostOverlayType = "image"
)

type ContainerVolumeMountDiskPostOverlay struct {
	// 宿主机底层目录
	HostLowerDir []string `json:"host_lower_dir"`
	// 宿主机上层目录
	HostUpperDir string `json:"host_upper_dir"`
	// 合并后要挂载到容器的目录
	ContainerTargetDir string                                    `json:"container_target_dir"`
	Image              *ContainerVolumeMountDiskPostImageOverlay `json:"image"`
	FsUser             *int64                                    `json:"fs_user,omitempty"`
	FsGroup            *int64                                    `json:"fs_group,omitempty"`
	FlattenLayers      bool                                      `json:"flatten_layers"`
}

func (o ContainerVolumeMountDiskPostOverlay) IsEqual(input ContainerVolumeMountDiskPostOverlay) bool {
	if o.GetType() != input.GetType() {
		return false
	}
	switch o.GetType() {
	case CONTAINER_VOLUME_MOUNT_DISK_POST_OVERLAY_HOSTPATH:
		return o.ContainerTargetDir == input.ContainerTargetDir
	case CONTAINER_VOLUME_MOUNT_DISK_POST_OVERLAY_IMAGE:
		return o.Image.Id == input.Image.Id
	}
	return false
}

func (o ContainerVolumeMountDiskPostOverlay) GetType() ContainerVolumeMountDiskPostOverlayType {
	if o.Image != nil {
		return CONTAINER_VOLUME_MOUNT_DISK_POST_OVERLAY_IMAGE
	}
	return CONTAINER_VOLUME_MOUNT_DISK_POST_OVERLAY_HOSTPATH
}

type ContainerVolumeMountDisk struct {
	Index           *int   `json:"index,omitempty"`
	Id              string `json:"id"`
	SubDirectory    string `json:"sub_directory"`
	StorageSizeFile string `json:"storage_size_file"`
	// lower overlay 设置，disk 的 volume 会作为 upper，最终 merged 的目录会传给容器
	Overlay *ContainerVolumeMountDiskOverlay `json:"overlay"`
	// case insensitive feature is incompatible with overlayfs
	CaseInsensitivePaths []string `json:"case_insensitive_paths"`
	// 当 disk volume 挂载完后，需要 overlay 的目录设置
	PostOverlay []*ContainerVolumeMountDiskPostOverlay `json:"post_overlay"`
	// The ext2 filesystem reserves a certain percentage of the available space (by default 5%, see mke2fs(8) and tune2fs(8)). These options determine who can use the reserved blocks. (Roughly: whoever has the specified uid, or belongs to the specified group.)
	ResGid int `json:"res_gid"`
	ResUid int `json:"res_uid"`
}

type ContainerVolumeMountHostPathType string

const (
	CONTAINER_VOLUME_MOUNT_HOST_PATH_TYPE_DIRECTORY ContainerVolumeMountHostPathType = "directory"
	CONTAINER_VOLUME_MOUNT_HOST_PATH_TYPE_FILE      ContainerVolumeMountHostPathType = "file"
)

type ContainerVolumeMountHostPathAutoCreateConfig struct {
	Uid         uint   `json:"uid"`
	Gid         uint   `json:"gid"`
	Permissions string `json:"permissions"`
}

type ContainerVolumeMountHostPath struct {
	Type             ContainerVolumeMountHostPathType              `json:"type"`
	Path             string                                        `json:"path"`
	AutoCreate       bool                                          `json:"auto_create"`
	AutoCreateConfig *ContainerVolumeMountHostPathAutoCreateConfig `json:"auto_create_config,omitempty"`
}

type ContainerVolumeMountText struct {
	Content string `json:"content"`
}

type ContainerVolumeMountCephFS struct {
	Id string `json:"id"`
}

type ContainerPullImageAuthConfig struct {
	Username      string `json:"username,omitempty"`
	Password      string `json:"password,omitempty"`
	Auth          string `json:"auth,omitempty"`
	ServerAddress string `json:"server_address,omitempty"`
	// IdentityToken is used to authenticate the user and get
	// an access token for the registry.
	IdentityToken string `json:"identity_token,omitempty"`
	// RegistryToken is a bearer token to be sent to a registry
	RegistryToken string `json:"registry_token,omitempty"`
}

type ContainerRootfs struct {
	Type ContainerVolumeMountType  `json:"type"`
	Disk *ContainerVolumeMountDisk `json:"disk"`
	//CephFS *ContainerVolumeMountCephFS `json:"ceph_fs"`

	// 是否持久化
	Persistent bool `json:"persistent"`
}