@@ -58,6 +58,17 @@ type options struct {
5858 Debug bool `long:"debug" short:"d" description:"Enable debug output"`
5959 Version bool `long:"version" description:"Outputs the version of the application"`
6060
61+ Id string `long:"id" description:"Jailer VMM id"`
62+ ExecFile string `long:"exec-file" description:"Jailer executable"`
63+ JailerBinary string `long:"jailer" description:"Jailer binary"`
64+
65+ Uid int `long:"uid" description:"Jailer uid for dropping privileges"`
66+ Gid int `long:"gid" description:"Jailer gid for dropping privileges"`
67+ NumaNode int `long:"node" description:"Jailer numa node"`
68+
69+ ChrootBaseDir string `long:"chroot-base-dir" description:"Jailer chroot base directory"`
70+ Daemonize bool `long:"daemonize" description:"Run jailer as daemon"`
71+
6172 closers []func () error
6273 validMetadata interface {}
6374
@@ -96,11 +107,41 @@ func (opts *options) getFirecrackerConfig() (firecracker.Config, error) {
96107 return firecracker.Config {}, err
97108 }
98109
99- var socketPath string
100- if opts .FcSocketPath != "" {
101- socketPath = opts .FcSocketPath
110+ var (
111+ socketPath string
112+ jail * firecracker.JailerConfig
113+ )
114+
115+ if opts .JailerBinary != "" {
116+ jail = & firecracker.JailerConfig {
117+ GID : firecracker .Int (opts .Gid ),
118+ UID : firecracker .Int (opts .Uid ),
119+ ID : opts .Id ,
120+ NumaNode : firecracker .Int (opts .NumaNode ),
121+ ExecFile : opts .ExecFile ,
122+ JailerBinary : opts .JailerBinary ,
123+ ChrootBaseDir : opts .ChrootBaseDir ,
124+ Daemonize : opts .Daemonize ,
125+ ChrootStrategy : firecracker .NewNaiveChrootStrategy (filepath .Join (
126+ opts .ChrootBaseDir ,
127+ filepath .Base (opts .ExecFile ),
128+ opts .Id ,
129+ ), opts .FcKernelImage ),
130+ // with: https://github.com/firecracker-microvm/firecracker-go-sdk/pull/255
131+ // ChrootStrategy: firecracker.NewNaiveChrootStrategy(opts.FcKernelImage),
132+ Stdout : os .Stdout ,
133+ Stderr : os .Stderr ,
134+ Stdin : os .Stdin ,
135+ }
102136 } else {
103- socketPath = getSocketPath ()
137+
138+ // if no jail is active, either use the path from the arguments
139+ if opts .FcSocketPath != "" {
140+ socketPath = opts .FcSocketPath
141+ } else {
142+ // or generate a default socket path
143+ socketPath = getSocketPath ()
144+ }
104145 }
105146
106147 htEnabled := ! opts .FcDisableHt
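Review bot: The jailer branch of getFirecrackerConfig (new lines 115–135) never checks that a privilege-drop target was actually supplied: `--uid` and `--gid` are plain `int` flags, so omitting them yields `UID: 0, GID: 0`, and the jailed Firecracker would then run as root rather than dropping privileges, which defeats the purpose of jailing. Likewise `--id` and `--chroot-base-dir` default to `""`, so the `NewNaiveChrootStrategy` root collapses to the relative path `firecracker/` under the current directory, and if the SDK substitutes its own default base directory when `ChrootBaseDir` is empty (I believe it does, but confirm against the vendored SDK) the kernel image is staged somewhere other than where the jailer will look. Also note that `opts.FcSocketPath` is now silently ignored once `--jailer` is set; that should at least be mentioned in the flag's description or produce a warning. I would reject an incomplete jailer configuration up front, using `fmt.Errorf` or whatever error constructor the rest of the file already uses, along these lines:

```go
if opts.JailerBinary != "" {
	// Jailing only provides isolation if it really drops privileges and has a
	// non-empty VM id and base directory to build the chroot path from.
	if opts.Uid <= 0 || opts.Gid <= 0 {
		return firecracker.Config{}, fmt.Errorf("--jailer requires a non-root --uid and --gid (got uid=%d gid=%d)", opts.Uid, opts.Gid)
	}
	if opts.Id == "" {
		return firecracker.Config{}, fmt.Errorf("--jailer requires a non-empty --id")
	}
	if opts.ChrootBaseDir == "" {
		return firecracker.Config{}, fmt.Errorf("--jailer requires --chroot-base-dir")
	}
	jail = &firecracker.JailerConfig{
		// … unchanged: jailer config fields …
	}
}
```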
@@ -122,7 +163,8 @@ func (opts *options) getFirecrackerConfig() (firecracker.Config, error) {
122163 HtEnabled : firecracker .Bool (htEnabled ),
123164 MemSizeMib : firecracker .Int64 (opts .FcMemSz ),
124165 },
125- Debug : opts .Debug ,
166+ JailerCfg : jail ,
167+ VMID : opts .Id ,
126168 }, nil
127169}
128170
@@ -312,8 +354,8 @@ func createFifoFileLogs(fifoPath string) (*os.File, error) {
312354 return os .OpenFile (fifoPath , os .O_CREATE | os .O_APPEND | os .O_WRONLY , 0644 )
313355}
314356
315- // getSocketPath provides a randomized socket path by building a unique fielname
316- // and searching for the existance of directories {$HOME, os.TempDir()} and returning
357+ // getSocketPath provides a randomized socket path by building a unique filename
358+ // and searching for the existence of directories {$HOME, os.TempDir()} and returning
317359// the path with the first directory joined with the unique filename. If we can't
318360// find a good path panics.
319361func getSocketPath () string {