Categorygithub.com/firecracker-microvm/firecracker-go-sdk
modulepackage
0.22.0
Repository: https://github.com/firecracker-microvm/firecracker-go-sdk.git
Documentation: pkg.go.dev
Overview
Versions
2
Dependencies
33
Dependents
28
Files
2.7k SLOC

# README

A basic Go interface to the Firecracker API

Build status GoDoc

This package is a Go library to interact with the Firecracker API. It is designed as an abstraction of the OpenAPI-generated client that allows for convenient manipulation of Firecracker VM from Go programs.

There are some Firecracker features that are not yet supported by the SDK. These are tracked as GitHub issues with the firecracker-feature label . Contributions to address missing features are welcomed.

Developing

Please see HACKING

Building

This library requires Go 1.11 and Go modules to build. A Makefile is provided for convenience, but is not required. When using the Makefile, you can pass additional flags to the Go compiler via the EXTRAGOARGS make variable.

Tools

There's a firectl tool that provides a simple command-line interface to launching a firecracker VM. It also serves as an example client of this SDK.

Network configuration

Firecracker, by design, only supports Linux tap devices. The SDK provides facilities to:

  • Attach a pre-created tap device, optionally with static IP configuration, to the VM. This is referred to as a "static network interface".
  • Create a tap device via CNI plugins, which will then be attached to the VM automatically by the SDK. This is referred to as a "CNI-configured network interface"

CNI

If a VM is configured with a CNI-configured network interface, by default CNI configuration files will be sought from /etc/cni/conf.d and CNI plugins will be sought under /opt/cni/bin (both of these values can be overridden via API fields). CNI network lists must be specified in a configuration file at this time.

It's currently highly recommended to use CNI configuration that includes tc-redirect-tap as a chained plugin. This will allow you to adapt pre-existing CNI plugins/configuration to a tap device usable by a Firecracker VM.

Example

With the following file at /etc/cni/conf.d/fcnet.conflist:

{
  "name": "fcnet",
  "cniVersion": "0.3.1",
  "plugins": [
    {
      "type": "ptp",
      "ipMasq": true,
      "ipam": {
        "type": "host-local",
        "subnet": "192.168.127.0/24",
        "resolvConf": "/etc/resolv.conf"
      }
    },
    {
      "type": "firewall"
    },
    {
      "type": "tc-redirect-tap"
    }
  ]
}

and the ptp, host-local, firewall, and tc-redirect-tap CNI plugin binaries installed under /opt/cni/bin, you can specify, in the Go SDK API, a Machine with the following NetworkInterface:

{
  NetworkInterfaces: []firecracker.NetworkInterface{{
    CNIConfiguration: &firecracker.CNIConfiguration{
      NetworkName: "fcnet",
      IfName: "veth0",
    },
  }}
}

Note that NetworkName in the CNIConfiguration of the API matches the name field specified inside the /etc/cni/conf.d/fcnet.conflist file.

With the above configuration, when the Firecracker VM is started the SDK will invoke CNI and place the final VM inside the resultant network namespace. The end result being:

  • Outside the network namespace, a single veth endpoint created by the ptp plugin will exist with a static IP from the host-local plugin (i.e. 192.168.127.1)
    • Users can obtain the IP address and other static network configuration generated for their machine via CNI by inspecting the network interface's StaticConfiguration field, which will be automatically filled out after the machine has been started.
    • The IP address, for example, can be obtained at NetworkInterfaces[0].StaticConfiguration.IPConfiguration.IPAddr after a call to the machine object's Start method succeeds.
  • Inside the VM's network namespace:
    • The other side of the veth device will exist with name veth0, as specified by the IfName parameter above, and a different IP (i.e. 192.168.127.2)
    • The tap device created by tc-redirect-tap, which will not have an IP but will have all of its traffic mirrored with the veth0 device
  • Inside the actual Firecracker VM guest:
    • A network interface with the same IP as that of veth0 (i.e. 192.168.127.2)
    • Traffic sent on this device will be mirrored with the external veth0 device, so from a practical perspective the VM's internal network interface will externally appear the same as veth0
    • The internal name of the interface is determined by the Guest OS, not the Firecracker Go SDK.

Note that the ptp and host-local plugins are not required, they are just used in this example. The tc-redirect-tap plugin can be chained after any CNI plugin that creates a network interface. It will setup the tap device to be mirrored with the IfName device created by any previous plugin. Any IP configuration on that IfName device will be applied statically to the VM's internal network interface on boot.

Also note that use of CNI-configured network interfaces will require the SDK to be running with at least CAP_SYS_ADMIN and CAP_NET_ADMIN Linux capabilities (in order to have the ability to create and configure network namespaces).

Network Setup Limitations

These limitations are a result of the current implementation and may be lifted in the future:

  • For a given VM, if a CNI-configured network interface is specified or a static interface that includes IP configuration is specified, the VM can only have a single network interface, not multiple.
    • Users can specify multiple static interfaces as long as none of them include IP configuration.
  • DNS nameserver settings will only be effective if the VM's rootfs makes /etc/resolv.conf be a symlink to /proc/net/pnp.
  • Only up to 2 DNS nameservers can be configured within the VM internally.
    • If a static network interface specifies more than 2, an error will be returned.
    • If a CNI-configured network interface receives more than 2 nameservers from the CNI invocation result, the nameservers after the second will be ignored without error (in order to be compatible with pre-existing CNI plugins/configuration).

Questions?

Please use GitHub issues to report problems, discuss roadmap items, or make feature requests.

If you've discovered an issue that may have security implications to users or developers of this software, please do not report it using GitHub issues, but instead follow Firecracker's security reporting guidelines.

Other discussion: For general discussion, please join us in the #general channel on the Firecracker Slack.

License

This library is licensed under the Apache 2.0 License.

# Packages

No description provided by the author
No description provided by the author
No description provided by the author

# Functions

Bool will return a pointer value of the given parameter.
BoolValue will return a boolean value.
Int will return a pointer value of the given parameters.
Int64 will return a pointer value of the given parameter.
Int64Value will return an int64 value.
IntValue will return an int value.
LinkFilesHandler creates a new link files handler that will link files to the rootfs.
NewClient creates a Client.
NewDrivesBuilder will return a new DrivesBuilder with a given rootfs.
NewJailerCommandBuilder will return a new jailer command builder with the proper default value initialized.
NewMachine initializes a new Machine instance and performs validation of the provided Config.
NewNaiveChrootStrategy returns a new NaivceChrootStrategy.
NewRateLimiter will construct a new RateLimiter with given parameters.
NewSetMetadataHandler is a named handler that puts the metadata into the firecracker process.
NewUnixSocketTransport creates a new clientTransport configured at the specified Unix socketPath.
String will return a pointer value of the given parameter.
StringValue will return a string value.
WithClient will use the client in place rather than the client constructed during bootstrapping of the machine.
WithDriveID sets the ID of the drive.
WithLogger will allow for the Machine to use the provided logger.
WithOpsClient will return a functional option and replace the operations client.
WithPartuuid sets the unique ID of the boot partition.
WithProcessRunner will allow for a specific command to be run instead of the default firecracker command.
WithRateLimiter sets the rate limitter of the drive.
WithReadOnly sets the drive read-only.

# Constants

Handler name constants.
Handler name constants.
Handler name constants.
Handler name constants.
Handler name constants.
Handler name constants.
Handler name constants.
Handler name constants.
SeccompLevelAdvanced adds further checks on some of the parameters of the allowed syscalls.
SeccompLevelBasic prohibits syscalls not whitelisted by Firecracker.
SeccompLevelDisable is the default value.
Handler name constants.
Handler name constants.
Handler name constants.
Handler name constants.
Handler name constants.
Handler name constants.
Handler name constants.
Version represents the current version of the SDK.

# Variables

AddVsocksHandler is a named handler that adds vsocks to the firecracker process.
AttachDrivesHandler is a named handler that will attach all drives for the firecracker process.
BootstrapLoggingHandler is a named handler that will set up fifo logging of firecracker process.
ConfigValidationHandler is used to validate that required fields are present.
CreateBootSourceHandler is a named handler that will set up the booting process of the firecracker process.
CreateLogFilesHandler is a named handler that will create the fifo log files.
CreateMachineHandler is a named handler that will "create" the machine and upload any necessary configuration to the firecracker process.
CreateNetworkInterfacesHandler is a named handler that registers network interfaces with the Firecracker VMM.
ErrAlreadyStarted signifies that the Machine has already started and cannot be started again.
ErrMissingJailerConfig will occur when entering jailer logic but the jailer config had not been specified.
ErrRequiredHandlerMissing occurs when a required handler is not present in the handler list.
JailerConfigValidationHandler is used to validate that required fields are present.
No description provided by the author
SetupKernelArgsHandler is a named handler that will update any kernel boot args being provided to the VM based on the other configuration provided, if needed.
SetupNetworkHandler is a named handler that will setup the network namespace and network interface configuration prior to the Firecracker VMM starting.
StartVMMHandler is a named handler that will handle starting of the VMM.

# Structs

Client is a client for interacting with the Firecracker API.
CNIConfiguration specifies the CNI parameters that will be used to generate the network namespace and tap device used by a Firecracker interface.
Config is a collection of user-configurable VMM settings.
DrivesBuilder is a builder that will build an array of drives used to set up the firecracker microVM.
Handler represents a named handler that contains a name and a function which is used to execute during the initialization process of a machine.
HandlerList represents a list of named handler that can be used to execute a flow of instructions for a given machine.
Handlers is a container that houses categories of handler lists.
IPConfiguration specifies an IP, a gateway and DNS Nameservers that should be configured automatically within the VM upon boot.
JailerCommandBuilder will build a jailer command.
JailerConfig is jailer specific configuration needed to execute the jailer.
Machine is the main object for manipulating Firecracker microVMs.
NaiveChrootStrategy will simply hard link all files, drives and kernel image, to the root drive.
NetworkInterface represents a Firecracker microVM's network interface.
RateLimiterSet represents a pair of RateLimiters (inbound and outbound).
StaticNetworkConfiguration allows a network interface to be defined via static parameters (as contrasted with parameters autogenerated from CNI).
TokenBucketBuilder is a builder that allows of building components of the models.RateLimiter structure.
VMCommandBuilder is a utility for building an exec.Cmd that represents how to start the Firecracker VMM.
VsockDevice represents a vsock connection between the host and the guest microVM.

# Interfaces

HandlersAdapter is an interface used to modify a given set of handlers.
MachineIface can be used for mocking and testing of the Machine.

# Type aliases

ClientOpt is a functional option used to modify the client after construction.
CreateSyncActionOpt is a functional option to be used for the CreateSyncAction API in setting any additional optional fields.
DriveOpt represents an optional function used to allow for specific customization of the models.Drive structure.
GetMachineConfigurationOpt is a functional option to be used for the GetMachineConfiguration API in setting any additional optional fields.
GetMmdsOpt is a functional option to be used for the GetMmds API in setting any additional optional fields.
NetworkInterfaces is a slice of NetworkInterface objects that a VM will be configured to use.
Opt represents a functional option to help modify functionality of a Machine.
PatchGuestDriveByIDOpt is a functional option to be used for the PutMmds API in setting any additional optional fields.
PatchGuestNetworkInterfaceByIDOpt is a functional option to be used for the PatchGuestNetworkInterfaceByID API in setting any additional optional fields.
PatchMmdsOpt is a functional option to be used for the GetMmds API in setting any additional optional fields.
PutGuestBootSourceOpt is a functional option to be used for the PutGuestBootSource API in setting any additional optional fields.
PutGuestDriveByIDOpt is a functional option to be used for the PutGuestDriveByID API in setting any additional optional fields.
PutGuestNetworkInterfaceByIDOpt is a functional option to be used for the PutGuestNetworkInterfaceByID API in setting any additional optional fields.
PutGuestVsockOpt is a functional option to be used for the PutGuestVsock API in setting any additional optional fields.
PutLoggerOpt is a functional option to be used for the PutLogger API in setting any additional optional fields.
PutMachineConfigurationOpt is a functional option to be used for the PutMachineConfiguration API in setting any additional optional fields.
PutMetricsOpt is a functional option to be used for the PutMetrics API in setting any additional optional fields.
PutMmdsOpt is a functional option to be used for the PutMmds API in setting any additional optional fields.
RateLimiterOpt represents a functional option for rate limiting construction.
SeccompLevelValue represents a secure computing level type.