podman
1//go:build !remote2)27// CgroupfsDefaultCgroupParent is the cgroup parent for CgroupFS in libpod29const CgroupfsDefaultCgroupParent = "/libpod_parent"30// SystemdDefaultCgroupParent is the cgroup parent for the systemd cgroup32// manager in libpod33const SystemdDefaultCgroupParent = "machine.slice"34// SystemdDefaultRootlessCgroupParent is the cgroup parent for the systemd cgroup36// manager in libpod when running as rootless37const SystemdDefaultRootlessCgroupParent = "user.slice"38// DefaultWaitInterval is the default interval between container status checks40// while waiting.41const DefaultWaitInterval = 250 * time.Millisecond42// LinuxNS represents a Linux namespace44type LinuxNS int45)64// String returns a string representation of a Linux namespace66// It is guaranteed to be the name of the namespace in /proc for valid ns types67func (ns LinuxNS) String() string {68switch ns {69case InvalidNS:70return "invalid"71case IPCNS:72return "ipc"73case MountNS:74return "mnt"75case NetNS:76return "net"77case PIDNS:78return "pid"79case UserNS:80return "user"81case UTSNS:82return "uts"83case CgroupNS:84return "cgroup"85default:86return "unknown"87}88}89// Container is a single OCI container.91// All operations on a Container that access state must begin with a call to92// syncContainer().93// There is no guarantee that state exists in a readable state before94// syncContainer() is run, and even if it does, its contents will be out of date95// and must be refreshed from the database.96// Generally, this requirement applies only to top-level functions; helpers can97// assume that their callers handled this requirement. Generally speaking, if a98// function takes the container lock and accesses any part of state, it should99// syncContainer() immediately after locking.100type Container struct {101config *ContainerConfig102ociRuntime OCIRuntime114}133// ContainerState contains the current state of the container135// It is stored on disk in a tmpfs and recreated on reboot136type ContainerState struct {137// The current state of the running container138State define.ContainerStatus `json:"state"`139// The path to the JSON OCI runtime spec for this container140ConfigPath string `json:"configPath,omitempty"`141// RunDir is a per-boot directory for container content142RunDir string `json:"runDir,omitempty"`143// Mounted indicates whether the container's storage has been mounted144// for use145Mounted bool `json:"mounted,omitempty"`146// Mountpoint contains the path to the container's mounted storage as given147// by containers/storage.148Mountpoint string `json:"mountPoint,omitempty"`149// StartedTime is the time the container was started150StartedTime time.Time `json:"startedTime,omitempty"`151// FinishedTime is the time the container finished executing152FinishedTime time.Time `json:"finishedTime,omitempty"`153// ExitCode is the exit code returned when the container stopped154ExitCode int32 `json:"exitCode,omitempty"`155// Exited is whether the container has exited156Exited bool `json:"exited,omitempty"`157// Error holds the last known error message during start, stop, or remove158Error string `json:"error,omitempty"`159// OOMKilled indicates that the container was killed as it ran out of160// memory161OOMKilled bool `json:"oomKilled,omitempty"`162// Checkpointed indicates that the container was stopped by a checkpoint163// operation.164Checkpointed bool `json:"checkpointed,omitempty"`165// PID is the PID of a running container166PID int `json:"pid,omitempty"`167// ConmonPID is the PID of the container's conmon168ConmonPID int `json:"conmonPid,omitempty"`169// ExecSessions contains all exec sessions that are associated with this170// container.171ExecSessions map[string]*ExecSession `json:"newExecSessions,omitempty"`172// LegacyExecSessions are legacy exec sessions from older versions of173// Podman.174// These are DEPRECATED and will be removed in a future release.175LegacyExecSessions map[string]*legacyExecSession `json:"execSessions,omitempty"`176// NetNS is the path or name of the NetNS177NetNS string `json:"netns,omitempty"`178// NetworkStatus contains the network Status for all networks179// the container is attached to. Only populated if we created a network180// namespace for the container, and the network namespace is currently181// active.182// To read this field use container.getNetworkStatus() instead, this will183// take care of migrating the old DEPRECATED network status to the new format.184NetworkStatus map[string]types.StatusBlock `json:"networkStatus,omitempty"`185// BindMounts contains files that will be bind-mounted into the186// container when it is mounted.187// These include /etc/hosts and /etc/resolv.conf188// This maps the path the file will be mounted to in the container to189// the path of the file on disk outside the container190BindMounts map[string]string `json:"bindMounts,omitempty"`191// StoppedByUser indicates whether the container was stopped by an192// explicit call to the Stop() API.193StoppedByUser bool `json:"stoppedByUser,omitempty"`194// RestartPolicyMatch indicates whether the conditions for restart195// policy have been met.196RestartPolicyMatch bool `json:"restartPolicyMatch,omitempty"`197// RestartCount is how many times the container was restarted by its198// restart policy. This is NOT incremented by normal container restarts199// (only by restart policy).200RestartCount uint `json:"restartCount,omitempty"`201// StartupHCPassed indicates that the startup healthcheck has202// succeeded and the main healthcheck can begin.203StartupHCPassed bool `json:"startupHCPassed,omitempty"`204// StartupHCSuccessCount indicates the number of successes of the205// startup healthcheck. A startup HC can require more than one success206// to be marked as passed.207StartupHCSuccessCount int `json:"startupHCSuccessCount,omitempty"`208// StartupHCFailureCount indicates the number of failures of the startup209// healthcheck. The container will be restarted if this exceed a set210// number in the startup HC config.211StartupHCFailureCount int `json:"startupHCFailureCount,omitempty"`212Service Service228}238// ContainerNamedVolume is a named volume that will be mounted into the240// container. Each named volume is a libpod Volume present in the state.241type ContainerNamedVolume struct {242// Name is the name of the volume to mount in.243// Must resolve to a valid volume present in this Podman.244Name string `json:"volumeName"`245// Dest is the mount's destination246Dest string `json:"dest"`247// Options are fstab style mount options248Options []string `json:"options,omitempty"`249// IsAnonymous sets the named volume as anonymous even if it has a name250// This is used for emptyDir volumes from a kube yaml251IsAnonymous bool `json:"setAnonymous,omitempty"`252// SubPath determines which part of the Source will be mounted in the container253SubPath string254}255// ContainerOverlayVolume is an overlay volume that will be mounted into the257// container. Each volume is a libpod Volume present in the state.258type ContainerOverlayVolume struct {259// Destination is the absolute path where the mount will be placed in the container.260Dest string `json:"dest"`261// Source specifies the source path of the mount.262Source string `json:"source,omitempty"`263// Options holds overlay volume options.264Options []string `json:"options,omitempty"`265}266// ContainerImageVolume is a volume based on a container image. The container268// image is first mounted on the host and is then bind-mounted into the269// container.270type ContainerImageVolume struct {271// Source is the source of the image volume. The image can be referred272// to by name and by ID.273Source string `json:"source"`274// Dest is the absolute path of the mount in the container.275Dest string `json:"dest"`276// ReadWrite sets the volume writable.277ReadWrite bool `json:"rw"`278}279// ContainerSecret is a secret that is mounted in a container281type ContainerSecret struct {282// Secret is the secret283*secrets.Secret284// UID is the UID of the secret file285UID uint32286// GID is the GID of the secret file287GID uint32288// Mode is the mode of the secret file289Mode uint32290// Secret target inside container291Target string292}293// ContainerNetworkDescriptions describes the relationship between the CNI295// network and the ethN where N is an integer296type ContainerNetworkDescriptions map[string]int297// Config accessors299// Unlocked300// Config returns the configuration used to create the container.302// Note that the returned config does not include the actual networks.303// Use ConfigWithNetworks() if you need them.304func (c *Container) Config() *ContainerConfig {305returnConfig := new(ContainerConfig)306if err := JSONDeepCopy(c.config, returnConfig); err != nil {307return nil308}309return returnConfig310}311// Config returns the configuration used to create the container.313func (c *Container) ConfigWithNetworks() *ContainerConfig {314returnConfig := c.Config()315if returnConfig == nil {316return nil317}318}327// ConfigNoCopy returns the configuration used by the container.329// Note that the returned value is not a copy and must hence330// only be used in a reading fashion.331func (c *Container) ConfigNoCopy() *ContainerConfig {332return c.config333}334// DeviceHostSrc returns the user supplied device to be passed down in the pod336func (c *Container) DeviceHostSrc() []spec.LinuxDevice {337return c.config.DeviceHostSrc338}339// Runtime returns the container's Runtime.341func (c *Container) Runtime() *Runtime {342return c.runtime343}344// Spec returns the container's OCI runtime spec346// The spec returned is the one used to create the container. The running347// spec may differ slightly as mounts are added based on the image348func (c *Container) Spec() *spec.Spec {349returnSpec := new(spec.Spec)350if err := JSONDeepCopy(c.config.Spec, returnSpec); err != nil {351return nil352}353}356// specFromState returns the unmarshalled json config of the container. If the358// config does not exist (e.g., because the container was never started) return359// the spec from the config.360func (c *Container) specFromState() (*spec.Spec, error) {361returnSpec := c.config.Spec362}381// ID returns the container's ID383func (c *Container) ID() string {384return c.config.ID385}386// Name returns the container's name388func (c *Container) Name() string {389return c.config.Name390}391// PodID returns the full ID of the pod the container belongs to, or "" if it393// does not belong to a pod394func (c *Container) PodID() string {395return c.config.Pod396}397// Namespace returns the libpod namespace the container is in.399// Namespaces are used to logically separate containers and pods in the state.400func (c *Container) Namespace() string {401return c.config.Namespace402}403// Image returns the ID and name of the image used as the container's rootfs.405func (c *Container) Image() (string, string) {406return c.config.RootfsImageID, c.config.RootfsImageName407}408// RawImageName returns the unprocessed and not-normalized user-specified image410// name.411func (c *Container) RawImageName() string {412return c.config.RawImageName413}414// ShmDir returns the sources path to be mounted on /dev/shm in container416func (c *Container) ShmDir() string {417return c.config.ShmDir418}419// ShmSize returns the size of SHM device to be mounted into the container421func (c *Container) ShmSize() int64 {422return c.config.ShmSize423}424// StaticDir returns the directory used to store persistent container files426func (c *Container) StaticDir() string {427return c.config.StaticDir428}429// NamedVolumes returns the container's named volumes.431// The name of each is guaranteed to point to a valid libpod Volume present in432// the state.433func (c *Container) NamedVolumes() []*ContainerNamedVolume {434volumes := []*ContainerNamedVolume{}435for _, vol := range c.config.NamedVolumes {436newVol := new(ContainerNamedVolume)437newVol.Name = vol.Name438newVol.Dest = vol.Dest439newVol.Options = vol.Options440newVol.SubPath = vol.SubPath441volumes = append(volumes, newVol)442}443}446// Privileged returns whether the container is privileged448func (c *Container) Privileged() bool {449return c.config.Privileged450}451// ProcessLabel returns the selinux ProcessLabel of the container453func (c *Container) ProcessLabel() string {454return c.config.ProcessLabel455}456// MountLabel returns the SELinux mount label of the container458func (c *Container) MountLabel() string {459return c.config.MountLabel460}461// Systemd returns whether the container will be running in systemd mode463func (c *Container) Systemd() bool {464if c.config.Systemd != nil {465return *c.config.Systemd466}467return false468}469// User returns the user who the container is run as471func (c *Container) User() string {472return c.config.User473}474// Dependencies gets the containers this container depends upon476func (c *Container) Dependencies() []string {477// Collect in a map first to remove dupes478dependsCtrs := map[string]bool{}479}519// NewNetNS returns whether the container will create a new network namespace521func (c *Container) NewNetNS() bool {522return c.config.CreateNetNS523}524// PortMappings returns the ports that will be mapped into a container if526// a new network namespace is created527// If NewNetNS() is false, this value is unused528func (c *Container) PortMappings() ([]types.PortMapping, error) {529// First check if the container belongs to a network namespace (like a pod)530if len(c.config.NetNsCtr) > 0 {531netNsCtr, err := c.runtime.GetContainer(c.config.NetNsCtr)532if err != nil {533return nil, fmt.Errorf("unable to look up network namespace for container %s: %w", c.ID(), err)534}535return netNsCtr.PortMappings()536}537return c.config.PortMappings, nil538}539// DNSServers returns DNS servers that will be used in the container's541// resolv.conf542// If empty, DNS server from the host's resolv.conf will be used instead543func (c *Container) DNSServers() []net.IP {544return c.config.DNSServer545}546// DNSSearch returns the DNS search domains that will be used in the container's548// resolv.conf549// If empty, DNS Search domains from the host's resolv.conf will be used instead550func (c *Container) DNSSearch() []string {551return c.config.DNSSearch552}553// DNSOption returns the DNS options that will be used in the container's555// resolv.conf556// If empty, options from the host's resolv.conf will be used instead557func (c *Container) DNSOption() []string {558return c.config.DNSOption559}560// HostsAdd returns hosts that will be added to the container's hosts file562// The host system's hosts file is used as a base, and these are appended to it563func (c *Container) HostsAdd() []string {564return c.config.HostAdd565}566// UserVolumes returns user-added volume mounts in the container.568// These are not added to the spec, but are used during image commit and to569// trigger some OCI hooks.570func (c *Container) UserVolumes() []string {571volumes := make([]string, 0, len(c.config.UserVolumes))572volumes = append(volumes, c.config.UserVolumes...)573return volumes574}575// Entrypoint is the container's entrypoint.577// This is not added to the spec, but is instead used during image commit.578func (c *Container) Entrypoint() []string {579entrypoint := make([]string, 0, len(c.config.Entrypoint))580entrypoint = append(entrypoint, c.config.Entrypoint...)581return entrypoint582}583// Command is the container's command585// This is not added to the spec, but is instead used during image commit586func (c *Container) Command() []string {587command := make([]string, 0, len(c.config.Command))588command = append(command, c.config.Command...)589return command590}591// Stdin returns whether STDIN on the container will be kept open593func (c *Container) Stdin() bool {594return c.config.Stdin595}596// Labels returns the container's labels598func (c *Container) Labels() map[string]string {599labels := make(map[string]string)600for key, value := range c.config.Labels {601labels[key] = value602}603return labels604}605// StopSignal is the signal that will be used to stop the container607// If it fails to stop the container, SIGKILL will be used after a timeout608// If StopSignal is 0, the default signal of SIGTERM will be used609func (c *Container) StopSignal() uint {610return c.config.StopSignal611}612// StopTimeout returns the container's stop timeout614// If the container's default stop signal fails to kill the container, SIGKILL615// will be used after this timeout616func (c *Container) StopTimeout() uint {617return c.config.StopTimeout618}619// CreatedTime gets the time when the container was created621func (c *Container) CreatedTime() time.Time {622return c.config.CreatedTime623}624// CgroupParent gets the container's Cgroup parent626func (c *Container) CgroupParent() string {627return c.config.CgroupParent628}629// LogPath returns the path to the container's log file631// This file will only be present after Init() is called to create the container632// in the runtime633func (c *Container) LogPath() string {634return c.config.LogPath635}636// LogTag returns the tag to the container's log file638func (c *Container) LogTag() string {639return c.config.LogTag640}641// RestartPolicy returns the container's restart policy.643func (c *Container) RestartPolicy() string {644return c.config.RestartPolicy645}646// RestartRetries returns the number of retries that will be attempted when648// using the "on-failure" restart policy649func (c *Container) RestartRetries() uint {650return c.config.RestartRetries651}652// LogDriver returns the log driver for this container654func (c *Container) LogDriver() string {655return c.config.LogDriver656}657// RuntimeName returns the name of the runtime659func (c *Container) RuntimeName() string {660return c.config.OCIRuntime661}662// Runtime spec accessors664// Unlocked665// Hostname gets the container's hostname667func (c *Container) Hostname() string {668if c.config.UTSNsCtr != "" {669utsNsCtr, err := c.runtime.GetContainer(c.config.UTSNsCtr)670if err != nil {671// should we return an error here?672logrus.Errorf("unable to look up uts namespace for container %s: %v", c.ID(), err)673return ""674}675return utsNsCtr.Hostname()676}677if c.config.Spec.Hostname != "" {678return c.config.Spec.Hostname679}680}695// WorkingDir returns the containers working dir697func (c *Container) WorkingDir() string {698if c.config.Spec.Process != nil {699return c.config.Spec.Process.Cwd700}701return "/"702}703// Terminal returns true if the container has a terminal705func (c *Container) Terminal() bool {706if c.config.Spec != nil && c.config.Spec.Process != nil {707return c.config.Spec.Process.Terminal708}709return false710}711// LinuxResources return the containers Linux Resources (if any)713func (c *Container) LinuxResources() *spec.LinuxResources {714if c.config.Spec != nil && c.config.Spec.Linux != nil {715return c.config.Spec.Linux.Resources716}717return nil718}719// Env returns the default environment variables defined for the container721func (c *Container) Env() []string {722if c.config.Spec != nil && c.config.Spec.Process != nil {723return c.config.Spec.Process.Env724}725return nil726}727// State Accessors729// Require locking730// State returns the current state of the container732func (c *Container) State() (define.ContainerStatus, error) {733if !c.batched {734c.lock.Lock()735defer c.lock.Unlock()736}743}755// Mounted returns whether the container is mounted and the path it is mounted757// at (if it is mounted).758// If the container is not mounted, no error is returned, and the mountpoint759// will be set to "".760func (c *Container) Mounted() (bool, string, error) {761if !c.batched {762c.lock.Lock()763defer c.lock.Unlock()764if err := c.syncContainer(); err != nil {765return false, "", fmt.Errorf("updating container %s state: %w", c.ID(), err)766}767}768// We cannot directly return c.state.Mountpoint as it is not guaranteed769// to be set if the container is mounted, only if the container has been770// prepared with c.prepare().771// Instead, let's call into c/storage772mountedTimes, err := c.runtime.storageService.MountedContainerImage(c.ID())773if err != nil {774return false, "", err775}776}788// StartedTime is the time the container was started790func (c *Container) StartedTime() (time.Time, error) {791if !c.batched {792c.lock.Lock()793defer c.lock.Unlock()794if err := c.syncContainer(); err != nil {795return time.Time{}, fmt.Errorf("updating container %s state: %w", c.ID(), err)796}797}798return c.state.StartedTime, nil799}800// FinishedTime is the time the container was stopped802func (c *Container) FinishedTime() (time.Time, error) {803if !c.batched {804c.lock.Lock()805defer c.lock.Unlock()806if err := c.syncContainer(); err != nil {807return time.Time{}, fmt.Errorf("updating container %s state: %w", c.ID(), err)808}809}810return c.state.FinishedTime, nil811}812// ExitCode returns the exit code of the container as814// an int32, and whether the container has exited.815// If the container has not exited, exit code will always be 0.816// If the container restarts, the exit code is reset to 0.817func (c *Container) ExitCode() (int32, bool, error) {818if !c.batched {819c.lock.Lock()820defer c.lock.Unlock()821if err := c.syncContainer(); err != nil {822return 0, false, fmt.Errorf("updating container %s state: %w", c.ID(), err)823}824}825return c.state.ExitCode, c.state.Exited, nil826}827// OOMKilled returns whether the container was killed by an OOM condition829func (c *Container) OOMKilled() (bool, error) {830if !c.batched {831c.lock.Lock()832defer c.lock.Unlock()833if err := c.syncContainer(); err != nil {834return false, fmt.Errorf("updating container %s state: %w", c.ID(), err)835}836}837return c.state.OOMKilled, nil838}839// PID returns the PID of the container.841// If the container is not running, a pid of 0 will be returned. No error will842// occur.843func (c *Container) PID() (int, error) {844if !c.batched {845c.lock.Lock()846defer c.lock.Unlock()847}855// ConmonPID Returns the PID of the container's conmon process.857// If the container is not running, a PID of 0 will be returned. No error will858// occur.859func (c *Container) ConmonPID() (int, error) {860if !c.batched {861c.lock.Lock()862defer c.lock.Unlock()863}871// ExecSessions retrieves active exec sessions running in the container873func (c *Container) ExecSessions() ([]string, error) {874if !c.batched {875c.lock.Lock()876defer c.lock.Unlock()877}890// execSessionNoCopy returns the associated exec session to id.892// Note that the session is not a deep copy.893func (c *Container) execSessionNoCopy(id string) (*ExecSession, error) {894if !c.batched {895c.lock.Lock()896defer c.lock.Unlock()897}921// ExecSession retrieves detailed information on a single active exec session in923// a container924func (c *Container) ExecSession(id string) (*ExecSession, error) {925session, err := c.execSessionNoCopy(id)926if err != nil {927return nil, err928}929}937// BindMounts retrieves bind mounts that were created by libpod and will be939// added to the container940// All these mounts except /dev/shm are ignored if a mount in the given spec has941// the same destination942// These mounts include /etc/resolv.conf, /etc/hosts, and /etc/hostname943// The return is formatted as a map from destination (mountpoint in the944// container) to source (path of the file that will be mounted into the945// container)946// If the container has not been started yet, an empty map will be returned, as947// the files in question are only created when the container is started.948func (c *Container) BindMounts() (map[string]string, error) {949if !c.batched {950c.lock.Lock()951defer c.lock.Unlock()952}966// StoppedByUser returns whether the container was last stopped by an explicit968// call to the Stop() API, or whether it exited naturally.969func (c *Container) StoppedByUser() (bool, error) {970if !c.batched {971c.lock.Lock()972defer c.lock.Unlock()973}981// StartupHCPassed returns whether the container's startup healthcheck passed.983func (c *Container) StartupHCPassed() (bool, error) {984if !c.batched {985c.lock.Lock()986defer c.lock.Unlock()987}995// Misc Accessors997// Most will require locking998// NamespacePath returns the path of one of the container's namespaces1000// If the container is not running, an error will be returned1001func (c *Container) NamespacePath(linuxNS LinuxNS) (string, error) { //nolint:interfacer1002if !c.batched {1003c.lock.Lock()1004defer c.lock.Unlock()1005if err := c.syncContainer(); err != nil {1006return "", fmt.Errorf("updating container %s state: %w", c.ID(), err)1007}1008}1009}1012// namespacePath returns the path of one of the container's namespaces1014// If the container is not running, an error will be returned1015func (c *Container) namespacePath(linuxNS LinuxNS) (string, error) { //nolint:interfacer1016if c.state.State != define.ContainerStateRunning && c.state.State != define.ContainerStatePaused {1017return "", fmt.Errorf("cannot get namespace path unless container %s is running: %w", c.ID(), define.ErrCtrStopped)1018}1019}1026// CgroupManager returns the cgroup manager used by the given container.1028func (c *Container) CgroupManager() string {1029cgroupManager := c.config.CgroupManager1030if cgroupManager == "" {1031cgroupManager = c.runtime.config.Engine.CgroupManager1032}1033return cgroupManager1034}1035// CgroupPath returns a cgroups "path" for the given container.1037// Note that the container must be running. Otherwise, an error1038// is returned.1039func (c *Container) CgroupPath() (string, error) {1040if !c.batched {1041c.lock.Lock()1042defer c.lock.Unlock()1043if err := c.syncContainer(); err != nil {1044return "", fmt.Errorf("updating container %s state: %w", c.ID(), err)1045}1046}1047return c.cGroupPath()1048}1049// cGroupPath returns a cgroups "path" for the given container.1051// Note that the container must be running. Otherwise, an error1052// is returned.1053// NOTE: only call this when owning the container's lock.1054func (c *Container) cGroupPath() (string, error) {1055if c.config.NoCgroups || c.config.CgroupsMode == "disabled" {1056return "", fmt.Errorf("this container is not creating cgroups: %w", define.ErrNoCgroups)1057}1058if c.state.State != define.ContainerStateRunning && c.state.State != define.ContainerStatePaused {1059return "", fmt.Errorf("cannot get cgroup path unless container %s is running: %w", c.ID(), define.ErrCtrStopped)1060}1061}1138// RootFsSize returns the root FS size of the container1140func (c *Container) RootFsSize() (int64, error) {1141if !c.batched {1142c.lock.Lock()1143defer c.lock.Unlock()1144if err := c.syncContainer(); err != nil {1145return -1, fmt.Errorf("updating container %s state: %w", c.ID(), err)1146}1147}1148return c.rootFsSize()1149}1150// RWSize returns the rw size of the container1152func (c *Container) RWSize() (int64, error) {1153if !c.batched {1154c.lock.Lock()1155defer c.lock.Unlock()1156if err := c.syncContainer(); err != nil {1157return -1, fmt.Errorf("updating container %s state: %w", c.ID(), err)1158}1159}1160return c.rwSize()1161}1162// IDMappings returns the UID/GID mapping used for the container1164func (c *Container) IDMappings() storage.IDMappingOptions {1165return c.config.IDMappings1166}1167// RootUID returns the root user mapping from container1169func (c *Container) RootUID() int {1170if len(c.config.IDMappings.UIDMap) == 1 && c.config.IDMappings.UIDMap[0].Size == 1 {1171return c.config.IDMappings.UIDMap[0].HostID1172}1173for _, uidmap := range c.config.IDMappings.UIDMap {1174if uidmap.ContainerID == 0 {1175return uidmap.HostID1176}1177}1178return 01179}1180// RootGID returns the root user mapping from container1182func (c *Container) RootGID() int {1183if len(c.config.IDMappings.GIDMap) == 1 && c.config.IDMappings.GIDMap[0].Size == 1 {1184return c.config.IDMappings.GIDMap[0].HostID1185}1186for _, gidmap := range c.config.IDMappings.GIDMap {1187if gidmap.ContainerID == 0 {1188return gidmap.HostID1189}1190}1191return 01192}1193// IsInfra returns whether the container is an infra container1195func (c *Container) IsInfra() bool {1196return c.config.IsInfra1197}1198// IsInitCtr returns whether the container is an init container1200func (c *Container) IsInitCtr() bool {1201return len(c.config.InitContainerType) > 01202}1203// IsReadOnly returns whether the container is running in read-only mode1205func (c *Container) IsReadOnly() bool {1206return c.config.Spec.Root.Readonly1207}1208// NetworkDisabled returns whether the container is running with a disabled network1210func (c *Container) NetworkDisabled() (bool, error) {1211if c.config.NetNsCtr != "" {1212container, err := c.runtime.state.Container(c.config.NetNsCtr)1213if err != nil {1214return false, err1215}1216return container.NetworkDisabled()1217}1218return networkDisabled(c)1219}1220}1234// HasHealthCheck returns bool as to whether there is a health check1236// defined for the container1237func (c *Container) HasHealthCheck() bool {1238return c.config.HealthCheckConfig != nil1239}1240// HealthCheckConfig returns the command and timing attributes of the health check1242func (c *Container) HealthCheckConfig() *manifest.Schema2HealthConfig {1243return c.config.HealthCheckConfig1244}1245// AutoRemove indicates whether the container will be removed after it is executed1247func (c *Container) AutoRemove() bool {1248spec := c.config.Spec1249if spec.Annotations == nil {1250return false1251}1252return spec.Annotations[define.InspectAnnotationAutoremove] == define.InspectResponseTrue1253}1254// Timezone returns the timezone configured inside the container.1256// Local means it has the same timezone as the host machine1257func (c *Container) Timezone() string {1258return c.config.Timezone1259}1260// Umask returns the Umask bits configured inside the container.1262func (c *Container) Umask() string {1263return c.config.Umask1264}1265// Secrets return the secrets in the container1267func (c *Container) Secrets() []*ContainerSecret {1268return c.config.Secrets1269}1270// Networks gets all the networks this container is connected to.1272// Please do NOT use ctr.config.Networks, as this can be changed from those1273// values at runtime via network connect and disconnect.1274// Returned array of network names or error.1275func (c *Container) Networks() ([]string, error) {1276if !c.batched {1277c.lock.Lock()1278defer c.lock.Unlock()1279}1298// NetworkMode gets the configured network mode for the container.1300// Get actual value from the database1301func (c *Container) NetworkMode() string {1302networkMode := ""1303ctrSpec := c.config.Spec1304}1338// Unlocked accessor for networks1340func (c *Container) networks() (map[string]types.PerNetworkOptions, error) {1341return c.runtime.state.GetNetworks(c)1342}1343// getInterfaceByName returns a formatted interface name for a given1345// network along with a bool as to whether the network existed1346func (d ContainerNetworkDescriptions) getInterfaceByName(networkName string) (string, bool) {1347val, exists := d[networkName]1348if !exists {1349return "", exists1350}1351return fmt.Sprintf("eth%d", val), exists1352}1353// GetNetworkStatus returns the current network status for this container.1355// This returns a map without deep copying which means this should only ever1356// be used as read only access, do not modify this status.1357func (c *Container) GetNetworkStatus() (map[string]types.StatusBlock, error) {1358if !c.batched {1359c.lock.Lock()1360defer c.lock.Unlock()1361}1368// getNetworkStatus get the current network status from the state. This function1370// should be used instead of reading c.state.NetworkStatus directly.1371func (c *Container) getNetworkStatus() map[string]types.StatusBlock {1372return c.state.NetworkStatus1373}1374}1423