* exec2: add client support for unveil filesystem isolation mode This PR adds support for a new filesystem isolation mode, "Unveil". The mode introduces an "alloc_mounts" directory where tasks have a user-owned directory structure made of bind mounts into the real alloc directory structure. This enables a task driver to use landlock (and maybe the real unveil on openbsd one day) to isolate a task to the task-owned directory structure, providing sandboxing. * actually create alloc-mounts-dir directory * fix doc strings about alloc mount dir paths
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package fsisolation
// Mode names the kind of filesystem isolation a driver supports.
//
// NOTE(review): Mode is a plain string type, so a value outside the constants
// below can be constructed; code that switches on a Mode should handle
// unrecognized values explicitly rather than treating them like None.
type Mode string

const (
	// None means no isolation: the host filesystem is used, so this mode
	// itself places no filesystem boundary between the workload and the host.
	None Mode = "none"

	// Chroot means the driver will use a chroot on the host filesystem.
	Chroot Mode = "chroot"

	// Image means the driver uses an image.
	Image Mode = "image"

	// Unveil means the driver and client work together, using unveil()
	// syscall semantics (i.e. landlock on Linux), to isolate the host
	// filesystem from workloads.
	Unveil Mode = "unveil"
)