diff options
author | gVisor bot <gvisor-bot@google.com> | 2021-03-07 06:11:49 +0000 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2021-03-07 06:11:49 +0000 |
commit | 05c2d6c038777818932d3991c0de9cfa2a7bea51 (patch) | |
tree | 2a394d8666124ff8188b0c945854e2b7e3281217 /runsc/sandbox | |
parent | 2fa12b2aa91ba00211df440f5e6a64e45a2ecb91 (diff) | |
parent | e668288fafe378ab4dc7fbb23ac933a15a2fff94 (diff) |
Merge release-20210301.0-22-ge668288fa (automated)
Diffstat (limited to 'runsc/sandbox')
-rw-r--r-- | runsc/sandbox/network.go | 25 | ||||
-rw-r--r-- | runsc/sandbox/network_unsafe.go | 3 | ||||
-rw-r--r-- | runsc/sandbox/sandbox.go | 35 |
3 files changed, 31 insertions, 32 deletions
diff --git a/runsc/sandbox/network.go b/runsc/sandbox/network.go index 9e429f7d5..f69558021 100644 --- a/runsc/sandbox/network.go +++ b/runsc/sandbox/network.go @@ -21,7 +21,6 @@ import ( "path/filepath" "runtime" "strconv" - "syscall" specs "github.com/opencontainers/runtime-spec/specs-go" "github.com/vishvananda/netlink" @@ -102,11 +101,11 @@ func joinNetNS(nsPath string) (func(), error) { // isRootNS determines whether we are running in the root net namespace. // /proc/sys/net/core/rmem_default only exists in root network namespace. func isRootNS() (bool, error) { - err := syscall.Access("/proc/sys/net/core/rmem_default", syscall.F_OK) + err := unix.Access("/proc/sys/net/core/rmem_default", unix.F_OK) switch err { case nil: return true, nil - case syscall.ENOENT: + case unix.ENOENT: return false, nil default: return false, fmt.Errorf("failed to access /proc/sys/net/core/rmem_default: %v", err) @@ -270,17 +269,17 @@ type socketEntry struct { func createSocket(iface net.Interface, ifaceLink netlink.Link, enableGSO bool) (*socketEntry, error) { // Create the socket. const protocol = 0x0300 // htons(ETH_P_ALL) - fd, err := syscall.Socket(syscall.AF_PACKET, syscall.SOCK_RAW, protocol) + fd, err := unix.Socket(unix.AF_PACKET, unix.SOCK_RAW, protocol) if err != nil { return nil, fmt.Errorf("unable to create raw socket: %v", err) } deviceFile := os.NewFile(uintptr(fd), "raw-device-fd") // Bind to the appropriate device. - ll := syscall.SockaddrLinklayer{ + ll := unix.SockaddrLinklayer{ Protocol: protocol, Ifindex: iface.Index, } - if err := syscall.Bind(fd, &ll); err != nil { + if err := unix.Bind(fd, &ll); err != nil { return nil, fmt.Errorf("unable to bind to %q: %v", iface.Name, err) } @@ -291,7 +290,7 @@ func createSocket(iface net.Interface, ifaceLink netlink.Link, enableGSO bool) ( return nil, fmt.Errorf("getting GSO for interface %q: %v", iface.Name, err) } if gso { - if err := syscall.SetsockoptInt(fd, syscall.SOL_PACKET, unix.PACKET_VNET_HDR, 1); err != nil { + if err := unix.SetsockoptInt(fd, unix.SOL_PACKET, unix.PACKET_VNET_HDR, 1); err != nil { return nil, fmt.Errorf("unable to enable the PACKET_VNET_HDR option: %v", err) } gsoMaxSize = ifaceLink.Attrs().GSOMaxSize @@ -307,18 +306,18 @@ func createSocket(iface net.Interface, ifaceLink netlink.Link, enableGSO bool) ( // incurring packet drops. const bufSize = 4 << 20 // 4MB. - if err := syscall.SetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_RCVBUFFORCE, bufSize); err != nil { - syscall.SetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_RCVBUF, bufSize) - sz, _ := syscall.GetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_RCVBUF) + if err := unix.SetsockoptInt(fd, unix.SOL_SOCKET, unix.SO_RCVBUFFORCE, bufSize); err != nil { + unix.SetsockoptInt(fd, unix.SOL_SOCKET, unix.SO_RCVBUF, bufSize) + sz, _ := unix.GetsockoptInt(fd, unix.SOL_SOCKET, unix.SO_RCVBUF) if sz < bufSize { log.Warningf("Failed to increase rcv buffer to %d on SOCK_RAW on %s. Current buffer %d: %v", bufSize, iface.Name, sz, err) } } - if err := syscall.SetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_SNDBUFFORCE, bufSize); err != nil { - syscall.SetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_SNDBUF, bufSize) - sz, _ := syscall.GetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_SNDBUF) + if err := unix.SetsockoptInt(fd, unix.SOL_SOCKET, unix.SO_SNDBUFFORCE, bufSize); err != nil { + unix.SetsockoptInt(fd, unix.SOL_SOCKET, unix.SO_SNDBUF, bufSize) + sz, _ := unix.GetsockoptInt(fd, unix.SOL_SOCKET, unix.SO_SNDBUF) if sz < bufSize { log.Warningf("Failed to increase snd buffer to %d on SOCK_RAW on %s. Curent buffer %d: %v", bufSize, iface.Name, sz, err) } diff --git a/runsc/sandbox/network_unsafe.go b/runsc/sandbox/network_unsafe.go index 2a2a0fb7e..1b808a8a0 100644 --- a/runsc/sandbox/network_unsafe.go +++ b/runsc/sandbox/network_unsafe.go @@ -15,7 +15,6 @@ package sandbox import ( - "syscall" "unsafe" "golang.org/x/sys/unix" @@ -48,7 +47,7 @@ func isGSOEnabled(fd int, intf string) (bool, error) { ifrData: &val, } - if _, _, err := syscall.Syscall(syscall.SYS_IOCTL, uintptr(fd), unix.SIOCETHTOOL, uintptr(unsafe.Pointer(&ifr))); err != 0 { + if _, _, err := unix.Syscall(unix.SYS_IOCTL, uintptr(fd), unix.SIOCETHTOOL, uintptr(unsafe.Pointer(&ifr))); err != 0 { return false, err } diff --git a/runsc/sandbox/sandbox.go b/runsc/sandbox/sandbox.go index 7fe65c7ba..450f92645 100644 --- a/runsc/sandbox/sandbox.go +++ b/runsc/sandbox/sandbox.go @@ -30,6 +30,7 @@ import ( "github.com/cenkalti/backoff" specs "github.com/opencontainers/runtime-spec/specs-go" "github.com/syndtr/gocapability/capability" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/cleanup" "gvisor.dev/gvisor/pkg/control/client" "gvisor.dev/gvisor/pkg/control/server" @@ -83,7 +84,7 @@ type Sandbox struct { // child==true and the sandbox was waited on. This field allows for multiple // threads to wait on sandbox and get the exit code, since Linux will return // WaitStatus to one of the waiters only. - status syscall.WaitStatus + status unix.WaitStatus } // Args is used to configure a new sandbox. @@ -383,7 +384,7 @@ func (s *Sandbox) createSandboxProcess(conf *config.Config, args *Args, startSyn binPath := specutils.ExePath cmd := exec.Command(binPath, conf.ToFlags()...) - cmd.SysProcAttr = &syscall.SysProcAttr{} + cmd.SysProcAttr = &unix.SysProcAttr{} // Open the log files to pass to the sandbox as FDs. // @@ -739,7 +740,7 @@ func (s *Sandbox) createSandboxProcess(conf *config.Config, args *Args, startSyn if args.Attached { // Kill sandbox if parent process exits in attached mode. - cmd.SysProcAttr.Pdeathsig = syscall.SIGKILL + cmd.SysProcAttr.Pdeathsig = unix.SIGKILL // Tells boot that any process it creates must have pdeathsig set. cmd.Args = append(cmd.Args, "--attached") } @@ -762,7 +763,7 @@ func (s *Sandbox) createSandboxProcess(conf *config.Config, args *Args, startSyn // // NOTE: The error message is checked because error types are lost over // rpc calls. - if strings.Contains(err.Error(), syscall.EACCES.Error()) { + if strings.Contains(err.Error(), unix.EACCES.Error()) { if permsErr := checkBinaryPermissions(conf); permsErr != nil { return fmt.Errorf("%v: %v", err, permsErr) } @@ -782,7 +783,7 @@ func (s *Sandbox) createSandboxProcess(conf *config.Config, args *Args, startSyn } // Wait waits for the containerized process to exit, and returns its WaitStatus. -func (s *Sandbox) Wait(cid string) (syscall.WaitStatus, error) { +func (s *Sandbox) Wait(cid string) (unix.WaitStatus, error) { log.Debugf("Waiting for container %q in sandbox %q", cid, s.ID) if conn, err := s.sandboxConnect(); err != nil { @@ -790,14 +791,14 @@ func (s *Sandbox) Wait(cid string) (syscall.WaitStatus, error) { // There is nothing we can do for subcontainers. For the init container, we // can try to get the sandbox exit code. if !s.IsRootContainer(cid) { - return syscall.WaitStatus(0), err + return unix.WaitStatus(0), err } log.Warningf("Wait on container %q failed: %v. Will try waiting on the sandbox process instead.", cid, err) } else { defer conn.Close() // Try the Wait RPC to the sandbox. - var ws syscall.WaitStatus + var ws unix.WaitStatus err = conn.Call(boot.ContainerWait, &cid, &ws) if err == nil { // It worked! @@ -805,7 +806,7 @@ func (s *Sandbox) Wait(cid string) (syscall.WaitStatus, error) { } // See comment above. if !s.IsRootContainer(cid) { - return syscall.WaitStatus(0), err + return unix.WaitStatus(0), err } // The sandbox may have exited after we connected, but before @@ -817,10 +818,10 @@ func (s *Sandbox) Wait(cid string) (syscall.WaitStatus, error) { // The best we can do is ask Linux what the sandbox exit status was, since in // most cases that will be the same as the container exit status. if err := s.waitForStopped(); err != nil { - return syscall.WaitStatus(0), err + return unix.WaitStatus(0), err } if !s.child { - return syscall.WaitStatus(0), fmt.Errorf("sandbox no longer running and its exit status is unavailable") + return unix.WaitStatus(0), fmt.Errorf("sandbox no longer running and its exit status is unavailable") } s.statusMu.Lock() @@ -830,9 +831,9 @@ func (s *Sandbox) Wait(cid string) (syscall.WaitStatus, error) { // WaitPID waits for process 'pid' in the container's sandbox and returns its // WaitStatus. -func (s *Sandbox) WaitPID(cid string, pid int32) (syscall.WaitStatus, error) { +func (s *Sandbox) WaitPID(cid string, pid int32) (unix.WaitStatus, error) { log.Debugf("Waiting for PID %d in sandbox %q", pid, s.ID) - var ws syscall.WaitStatus + var ws unix.WaitStatus conn, err := s.sandboxConnect() if err != nil { return ws, err @@ -861,7 +862,7 @@ func (s *Sandbox) destroy() error { log.Debugf("Destroy sandbox %q", s.ID) if s.Pid != 0 { log.Debugf("Killing sandbox %q", s.ID) - if err := syscall.Kill(s.Pid, syscall.SIGKILL); err != nil && err != syscall.ESRCH { + if err := unix.Kill(s.Pid, unix.SIGKILL); err != nil && err != unix.ESRCH { return fmt.Errorf("killing sandbox %q PID %q: %v", s.ID, s.Pid, err) } if err := s.waitForStopped(); err != nil { @@ -875,7 +876,7 @@ func (s *Sandbox) destroy() error { // SignalContainer sends the signal to a container in the sandbox. If all is // true and signal is SIGKILL, then waits for all processes to exit before // returning. -func (s *Sandbox) SignalContainer(cid string, sig syscall.Signal, all bool) error { +func (s *Sandbox) SignalContainer(cid string, sig unix.Signal, all bool) error { log.Debugf("Signal sandbox %q", s.ID) conn, err := s.sandboxConnect() if err != nil { @@ -903,7 +904,7 @@ func (s *Sandbox) SignalContainer(cid string, sig syscall.Signal, all bool) erro // fgProcess is true, then the signal is sent to the foreground process group // in the same session that PID belongs to. This is only valid if the process // is attached to a host TTY. -func (s *Sandbox) SignalProcess(cid string, pid int32, sig syscall.Signal, fgProcess bool) error { +func (s *Sandbox) SignalProcess(cid string, pid int32, sig unix.Signal, fgProcess bool) error { log.Debugf("Signal sandbox %q", s.ID) conn, err := s.sandboxConnect() if err != nil { @@ -984,7 +985,7 @@ func (s *Sandbox) Resume(cid string) error { func (s *Sandbox) IsRunning() bool { if s.Pid != 0 { // Send a signal 0 to the sandbox process. - if err := syscall.Kill(s.Pid, 0); err == nil { + if err := unix.Kill(s.Pid, 0); err == nil { // Succeeded, process is running. return true } @@ -1147,7 +1148,7 @@ func (s *Sandbox) waitForStopped() error { } // The sandbox process is a child of the current process, // so we can wait it and collect its zombie. - wpid, err := syscall.Wait4(int(s.Pid), &s.status, syscall.WNOHANG, nil) + wpid, err := unix.Wait4(int(s.Pid), &s.status, unix.WNOHANG, nil) if err != nil { return fmt.Errorf("error waiting the sandbox process: %v", err) } |