Merge branch 'master' into ip-forwarding

- Merges aleksej-paschenko's with HEAD
- Adds vfs2 support for ip_forward

17 files changed, 290 insertions, 0 deletions

diff --git a/images/basic/alpine/Dockerfile b/images/basic/alpine/Dockerfile
new file mode 100644
index 000000000..12b26040a
--- /dev/null
+++ b/images/basic/alpine/Dockerfile
@@ -0,0 +1 @@
+FROM alpine:3.11.5
diff --git a/images/basic/busybox/Dockerfile b/images/basic/busybox/Dockerfile
new file mode 100644
index 000000000..79b3f683a
--- /dev/null
+++ b/images/basic/busybox/Dockerfile
@@ -0,0 +1 @@
+FROM busybox:1.31.1
diff --git a/images/basic/hostoverlaytest/Dockerfile b/images/basic/hostoverlaytest/Dockerfile
new file mode 100644
index 000000000..6cef1a542
--- /dev/null
+++ b/images/basic/hostoverlaytest/Dockerfile
@@ -0,0 +1,8 @@
+FROM ubuntu:bionic
+
+WORKDIR /root
+COPY . .
+
+RUN apt-get update && apt-get install -y gcc
+RUN gcc -O2 -o test_copy_up test_copy_up.c
+RUN gcc -O2 -o test_rewinddir test_rewinddir.c
diff --git a/images/basic/hostoverlaytest/copy_up_testfile.txt b/images/basic/hostoverlaytest/copy_up_testfile.txt
new file mode 100644
index 000000000..e4188c841
--- /dev/null
+++ b/images/basic/hostoverlaytest/copy_up_testfile.txt
@@ -0,0 +1 @@
+old data
diff --git a/images/basic/hostoverlaytest/test_copy_up.c b/images/basic/hostoverlaytest/test_copy_up.c
new file mode 100644
index 000000000..010b261dc
--- /dev/null
+++ b/images/basic/hostoverlaytest/test_copy_up.c
@@ -0,0 +1,88 @@
+#include <err.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <unistd.h>
+
+int main(int argc, char** argv) {
+  const char kTestFilePath[] = "copy_up_testfile.txt";
+  const char kOldFileData[] = "old data\n";
+  const char kNewFileData[] = "new data\n";
+  const size_t kPageSize = sysconf(_SC_PAGE_SIZE);
+
+  // Open a file that already exists in a host overlayfs lower layer.
+  const int fd_rdonly = open(kTestFilePath, O_RDONLY);
+  if (fd_rdonly < 0) {
+    err(1, "open(%s, O_RDONLY)", kTestFilePath);
+  }
+
+  // Check that the file's initial contents are what we expect when read via
+  // syscall.
+  char oldbuf[sizeof(kOldFileData)] = {};
+  ssize_t n = pread(fd_rdonly, oldbuf, sizeof(oldbuf), 0);
+  if (n < 0) {
+    err(1, "initial pread");
+  }
+  if (n != strlen(kOldFileData)) {
+    errx(1, "short initial pread (%ld/%lu bytes)", n, strlen(kOldFileData));
+  }
+  if (strcmp(oldbuf, kOldFileData) != 0) {
+    errx(1, "initial pread returned wrong data: %s", oldbuf);
+  }
+
+  // Check that the file's initial contents are what we expect when read via
+  // memory mapping.
+  void* page = mmap(NULL, kPageSize, PROT_READ, MAP_SHARED, fd_rdonly, 0);
+  if (page == MAP_FAILED) {
+    err(1, "mmap");
+  }
+  if (strcmp(page, kOldFileData) != 0) {
+    errx(1, "mapping contains wrong initial data: %s", (const char*)page);
+  }
+
+  // Open the same file writably, causing host overlayfs to copy it up, and
+  // replace its contents.
+  const int fd_rdwr = open(kTestFilePath, O_RDWR);
+  if (fd_rdwr < 0) {
+    err(1, "open(%s, O_RDWR)", kTestFilePath);
+  }
+  n = write(fd_rdwr, kNewFileData, strlen(kNewFileData));
+  if (n < 0) {
+    err(1, "write");
+  }
+  if (n != strlen(kNewFileData)) {
+    errx(1, "short write (%ld/%lu bytes)", n, strlen(kNewFileData));
+  }
+  if (ftruncate(fd_rdwr, strlen(kNewFileData)) < 0) {
+    err(1, "truncate");
+  }
+
+  int failed = 0;
+
+  // Check that syscalls on the old FD return updated contents. (Before Linux
+  // 4.18, this requires that runsc use a post-copy-up FD to service the read.)
+  char newbuf[sizeof(kNewFileData)] = {};
+  n = pread(fd_rdonly, newbuf, sizeof(newbuf), 0);
+  if (n < 0) {
+    err(1, "final pread");
+  }
+  if (n != strlen(kNewFileData)) {
+    warnx("short final pread (%ld/%lu bytes)", n, strlen(kNewFileData));
+    failed = 1;
+  } else if (strcmp(newbuf, kNewFileData) != 0) {
+    warnx("final pread returned wrong data: %s", newbuf);
+    failed = 1;
+  }
+
+  // Check that the memory mapping of the old FD has been updated. (Linux
+  // overlayfs does not do this, so regardless of kernel version this requires
+  // that runsc replace existing memory mappings with mappings of a
+  // post-copy-up FD.)
+  if (strcmp(page, kNewFileData) != 0) {
+    warnx("mapping contains wrong final data: %s", (const char*)page);
+    failed = 1;
+  }
+
+  return failed;
+}
diff --git a/images/basic/hostoverlaytest/test_rewinddir.c b/images/basic/hostoverlaytest/test_rewinddir.c
new file mode 100644
index 000000000..f1a4085e1
--- /dev/null
+++ b/images/basic/hostoverlaytest/test_rewinddir.c
@@ -0,0 +1,78 @@
+#include <dirent.h>
+#include <err.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+int main(int argc, char** argv) {
+  const char kDirPath[] = "rewinddir_test_dir";
+  const char kFileBasename[] = "rewinddir_test_file";
+
+  // Create the test directory.
+  if (mkdir(kDirPath, 0755) < 0) {
+    err(1, "mkdir(%s)", kDirPath);
+  }
+
+  // The test directory should initially be empty.
+  DIR* dir = opendir(kDirPath);
+  if (!dir) {
+    err(1, "opendir(%s)", kDirPath);
+  }
+  int failed = 0;
+  while (1) {
+    errno = 0;
+    struct dirent* d = readdir(dir);
+    if (!d) {
+      if (errno != 0) {
+        err(1, "readdir");
+      }
+      break;
+    }
+    if (strcmp(d->d_name, ".") != 0 && strcmp(d->d_name, "..") != 0) {
+      warnx("unexpected file %s in new directory", d->d_name);
+      failed = 1;
+    }
+  }
+
+  // Create a file in the test directory.
+  char* file_path = malloc(strlen(kDirPath) + 1 + strlen(kFileBasename));
+  if (!file_path) {
+    errx(1, "malloc");
+  }
+  strcpy(file_path, kDirPath);
+  file_path[strlen(kDirPath)] = '/';
+  strcpy(file_path + strlen(kDirPath) + 1, kFileBasename);
+  if (mknod(file_path, 0644, 0) < 0) {
+    err(1, "mknod(%s)", file_path);
+  }
+
+  // After rewinddir(), re-reading the directory stream should yield the new
+  // file.
+  rewinddir(dir);
+  size_t found_file = 0;
+  while (1) {
+    errno = 0;
+    struct dirent* d = readdir(dir);
+    if (!d) {
+      if (errno != 0) {
+        err(1, "readdir");
+      }
+      break;
+    }
+    if (strcmp(d->d_name, kFileBasename) == 0) {
+      found_file++;
+    } else if (strcmp(d->d_name, ".") != 0 && strcmp(d->d_name, "..") != 0) {
+      warnx("unexpected file %s in new directory", d->d_name);
+      failed = 1;
+    }
+  }
+  if (found_file != 1) {
+    warnx("readdir returned file %s %zu times, wanted 1", kFileBasename,
+          found_file);
+    failed = 1;
+  }
+
+  return failed;
+}
diff --git a/images/basic/httpd/Dockerfile b/images/basic/httpd/Dockerfile
new file mode 100644
index 000000000..83bc0ed88
--- /dev/null
+++ b/images/basic/httpd/Dockerfile
@@ -0,0 +1 @@
+FROM httpd:2.4.43
diff --git a/images/basic/linktest/Dockerfile b/images/basic/linktest/Dockerfile
new file mode 100644
index 000000000..baebc9b76
--- /dev/null
+++ b/images/basic/linktest/Dockerfile
@@ -0,0 +1,7 @@
+FROM ubuntu:bionic
+
+WORKDIR /root
+COPY . .
+
+RUN apt-get update && apt-get install -y gcc
+RUN gcc -O2 -o link_test link_test.c
diff --git a/images/basic/linktest/link_test.c b/images/basic/linktest/link_test.c
new file mode 100644
index 000000000..45ab00abe
--- /dev/null
+++ b/images/basic/linktest/link_test.c
@@ -0,0 +1,93 @@
+// Copyright 2020 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <err.h>
+#include <fcntl.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+// Basic test for linkat(2). Syscall tests requires CAP_DAC_READ_SEARCH and it
+// cannot use tricks like userns as root. For this reason, run a basic link test
+// to ensure some coverage.
+int main(int argc, char** argv) {
+  const char kOldPath[] = "old.txt";
+  int fd = open(kOldPath, O_RDWR | O_CREAT | O_TRUNC, 0600);
+  if (fd < 0) {
+    errx(1, "open(%s) failed", kOldPath);
+  }
+  const char kData[] = "some random content";
+  if (write(fd, kData, sizeof(kData)) < 0) {
+    err(1, "write failed");
+  }
+  close(fd);
+
+  struct stat old_stat;
+  if (stat(kOldPath, &old_stat)) {
+    errx(1, "stat(%s) failed", kOldPath);
+  }
+
+  const char kNewPath[] = "new.txt";
+  if (link(kOldPath, kNewPath)) {
+    errx(1, "link(%s, %s) failed", kOldPath, kNewPath);
+  }
+
+  struct stat new_stat;
+  if (stat(kNewPath, &new_stat)) {
+    errx(1, "stat(%s) failed", kNewPath);
+  }
+
+  // Check that files are the same.
+  if (old_stat.st_dev != new_stat.st_dev) {
+    errx(1, "files st_dev is different, want: %lu, got: %lu", old_stat.st_dev,
+         new_stat.st_dev);
+  }
+  if (old_stat.st_ino != new_stat.st_ino) {
+    errx(1, "files st_ino is different, want: %lu, got: %lu", old_stat.st_ino,
+         new_stat.st_ino);
+  }
+
+  // Check that link count is correct.
+  if (new_stat.st_nlink != old_stat.st_nlink + 1) {
+    errx(1, "wrong nlink, want: %lu, got: %lu", old_stat.st_nlink + 1,
+         new_stat.st_nlink);
+  }
+
+  // Check taht contents are the same.
+  fd = open(kNewPath, O_RDONLY);
+  if (fd < 0) {
+    errx(1, "open(%s) failed", kNewPath);
+  }
+  char buf[sizeof(kData)] = {};
+  if (read(fd, buf, sizeof(buf)) < 0) {
+    err(1, "read failed");
+  }
+  close(fd);
+
+  if (strcmp(buf, kData) != 0) {
+    errx(1, "file content mismatch: %s", buf);
+  }
+
+  // Cleanup.
+  if (unlink(kNewPath)) {
+    errx(1, "unlink(%s) failed", kNewPath);
+  }
+  if (unlink(kOldPath)) {
+    errx(1, "unlink(%s) failed", kOldPath);
+  }
+
+  // Success!
+  return 0;
+}
diff --git a/images/basic/mysql/Dockerfile b/images/basic/mysql/Dockerfile
new file mode 100644
index 000000000..95da9c48d
--- /dev/null
+++ b/images/basic/mysql/Dockerfile
@@ -0,0 +1 @@
+FROM mysql:8.0.19
diff --git a/images/basic/nginx/Dockerfile b/images/basic/nginx/Dockerfile
new file mode 100644
index 000000000..af2e62526
--- /dev/null
+++ b/images/basic/nginx/Dockerfile
@@ -0,0 +1 @@
+FROM nginx:1.17.9
diff --git a/images/basic/python/Dockerfile b/images/basic/python/Dockerfile
new file mode 100644
index 000000000..acf07cca9
--- /dev/null
+++ b/images/basic/python/Dockerfile
@@ -0,0 +1,2 @@
+FROM python:3
+ENTRYPOINT ["python", "-m", "http.server", "8080"]
diff --git a/images/basic/resolv/Dockerfile b/images/basic/resolv/Dockerfile
new file mode 100644
index 000000000..13665bdaf
--- /dev/null
+++ b/images/basic/resolv/Dockerfile
@@ -0,0 +1 @@
+FROM k8s.gcr.io/busybox:latest
diff --git a/images/basic/ruby/Dockerfile b/images/basic/ruby/Dockerfile
new file mode 100644
index 000000000..d290418fb
--- /dev/null
+++ b/images/basic/ruby/Dockerfile
@@ -0,0 +1 @@
+FROM ruby:2.7.1
diff --git a/images/basic/tmpfile/Dockerfile b/images/basic/tmpfile/Dockerfile
new file mode 100644
index 000000000..e3816c8cb
--- /dev/null
+++ b/images/basic/tmpfile/Dockerfile
@@ -0,0 +1,4 @@
+# Create file under /tmp to ensure files inside '/tmp' are not overridden.
+FROM alpine:3.11.5
+RUN mkdir -p /tmp/foo \
+  && echo 123 > /tmp/foo/file.txt
diff --git a/images/basic/tomcat/Dockerfile b/images/basic/tomcat/Dockerfile
new file mode 100644
index 000000000..c7db39a36
--- /dev/null
+++ b/images/basic/tomcat/Dockerfile
@@ -0,0 +1 @@
+FROM tomcat:8.0
diff --git a/images/basic/ubuntu/Dockerfile b/images/basic/ubuntu/Dockerfile
new file mode 100644
index 000000000..331b71343
--- /dev/null
+++ b/images/basic/ubuntu/Dockerfile
@@ -0,0 +1 @@
+FROM ubuntu:trusty