summaryrefslogtreecommitdiffhomepage
path: root/runsc/config/config.go
diff options
context:
space:
mode:
Diffstat (limited to 'runsc/config/config.go')
-rw-r--r--runsc/config/config.go35
1 files changed, 35 insertions, 0 deletions
diff --git a/runsc/config/config.go b/runsc/config/config.go
index a230baa29..a562f7bf4 100644
--- a/runsc/config/config.go
+++ b/runsc/config/config.go
@@ -140,6 +140,26 @@ type Config struct {
// ProfileEnable is set to prepare the sandbox to be profiled.
ProfileEnable bool `flag:"profile"`
+ // ProfileBlock collects a block profile to the passed file for the
+ // duration of the container execution. Requires ProfileEnabled.
+ ProfileBlock string `flag:"profile-block"`
+
+ // ProfileCPU collects a CPU profile to the passed file for the
+ // duration of the container execution. Requires ProfileEnabled.
+ ProfileCPU string `flag:"profile-cpu"`
+
+ // ProfileHeap collects a heap profile to the passed file for the
+ // duration of the container execution. Requires ProfileEnabled.
+ ProfileHeap string `flag:"profile-heap"`
+
+ // ProfileMutex collects a mutex profile to the passed file for the
+ // duration of the container execution. Requires ProfileEnabled.
+ ProfileMutex string `flag:"profile-mutex"`
+
+ // TraceFile collects a Go runtime execution trace to the passed file
+ // for the duration of the container execution.
+ TraceFile string `flag:"trace"`
+
// Controls defines the controls that may be enabled.
Controls controlConfig `flag:"controls"`
@@ -207,6 +227,21 @@ func (c *Config) validate() error {
if c.NumNetworkChannels <= 0 {
return fmt.Errorf("num_network_channels must be > 0, got: %d", c.NumNetworkChannels)
}
+ // Require profile flags to explicitly opt-in to profiling with
+ // -profile rather than implying it since these options have security
+ // implications.
+ if c.ProfileBlock != "" && !c.ProfileEnable {
+ return fmt.Errorf("profile-block flag requires enabling profiling with profile flag")
+ }
+ if c.ProfileCPU != "" && !c.ProfileEnable {
+ return fmt.Errorf("profile-cpu flag requires enabling profiling with profile flag")
+ }
+ if c.ProfileHeap != "" && !c.ProfileEnable {
+ return fmt.Errorf("profile-heap flag requires enabling profiling with profile flag")
+ }
+ if c.ProfileMutex != "" && !c.ProfileEnable {
+ return fmt.Errorf("profile-mutex flag requires enabling profiling with profile flag")
+ }
return nil
}
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-01 04:38:49 +0000