diff options
author | praveensastry <sastry.praveen@gmail.com> | 2019-08-06 01:15:48 +1000 |
---|---|---|
committer | praveensastry <sastry.praveen@gmail.com> | 2019-08-06 01:15:48 +1000 |
commit | 607be0585fdc659ec3c043c989a8a6f86fcc14db (patch) | |
tree | 14c86afd532de8dc16790ecc15acff926267c6f0 /runsc | |
parent | f0507e1db1574ff165000fa5e34b651413f37aae (diff) |
Add option to configure reference leak checking
Diffstat (limited to 'runsc')
-rw-r--r-- | runsc/boot/config.go | 19 | ||||
-rw-r--r-- | runsc/boot/loader.go | 8 | ||||
-rw-r--r-- | runsc/main.go | 7 |
3 files changed, 29 insertions, 5 deletions
diff --git a/runsc/boot/config.go b/runsc/boot/config.go index 7ae0dd05d..139eb1cce 100644 --- a/runsc/boot/config.go +++ b/runsc/boot/config.go @@ -19,6 +19,7 @@ import ( "strconv" "strings" + "gvisor.dev/gvisor/pkg/refs" "gvisor.dev/gvisor/pkg/sentry/watchdog" ) @@ -112,6 +113,20 @@ func MakeWatchdogAction(s string) (watchdog.Action, error) { } } +// MakeRefsLeakMode converts type from string +func MakeRefsLeakMode(s string) (refs.LeakMode, error) { + switch strings.ToLower(s) { + case "nocheck": + return refs.NoLeakChecking, nil + case "warning": + return refs.LeaksLogWarning, nil + case "traces": + return refs.LeaksLogTraces, nil + default: + return 0, fmt.Errorf("invalid refs leakmode %q", s) + } +} + // Config holds configuration that is not part of the runtime spec. type Config struct { // RootDir is the runtime root directory. @@ -201,6 +216,9 @@ type Config struct { // AlsoLogToStderr allows to send log messages to stderr. AlsoLogToStderr bool + + // ReferenceLeakMode sets reference leak check mode + ReferenceLeakMode refs.LeakMode } // ToFlags returns a slice of flags that correspond to the given Config. @@ -227,6 +245,7 @@ func (c *Config) ToFlags() []string { "--num-network-channels=" + strconv.Itoa(c.NumNetworkChannels), "--rootless=" + strconv.FormatBool(c.Rootless), "--alsologtostderr=" + strconv.FormatBool(c.AlsoLogToStderr), + "--refs-leak-mode=" + c.ReferenceLeakMode.String(), } if c.TestOnlyAllowRunAsCurrentUserWithoutChroot { // Only include if set since it is never to be used by users. diff --git a/runsc/boot/loader.go b/runsc/boot/loader.go index 50cac0433..2fce800ae 100644 --- a/runsc/boot/loader.go +++ b/runsc/boot/loader.go @@ -191,6 +191,9 @@ func New(args Args) (*Loader, error) { return nil, fmt.Errorf("setting up memory usage: %v", err) } + // Sets the refs leak check mode + refs.SetLeakMode(args.Conf.ReferenceLeakMode) + // Create kernel and platform. p, err := createPlatform(args.Conf, args.Device) if err != nil { @@ -1040,8 +1043,3 @@ func (l *Loader) threadGroupFromIDLocked(key execID) (*kernel.ThreadGroup, *host } return ep.tg, ep.tty, nil } - -func init() { - // TODO(gvisor.dev/issue/365): Make this configurable. - refs.SetLeakMode(refs.NoLeakChecking) -} diff --git a/runsc/main.go b/runsc/main.go index 5823819f4..a10138049 100644 --- a/runsc/main.go +++ b/runsc/main.go @@ -73,6 +73,7 @@ var ( netRaw = flag.Bool("net-raw", false, "enable raw sockets. When false, raw sockets are disabled by removing CAP_NET_RAW from containers (`runsc exec` will still be able to utilize raw sockets). Raw sockets allow malicious containers to craft packets and potentially attack the network.") numNetworkChannels = flag.Int("num-network-channels", 1, "number of underlying channels(FDs) to use for network link endpoints.") rootless = flag.Bool("rootless", false, "it allows the sandbox to be started with a user that is not root. Sandbox and Gofer processes may run with same privileges as current user.") + referenceLeakMode = flag.String("refs-leak-mode", "nocheck", "sets reference leak check mode: nocheck (default), warning, traces.") // Test flags, not to be used outside tests, ever. testOnlyAllowRunAsCurrentUserWithoutChroot = flag.Bool("TESTONLY-unsafe-nonroot", false, "TEST ONLY; do not ever use! This skips many security measures that isolate the host from the sandbox.") @@ -168,6 +169,11 @@ func main() { cmd.Fatalf("num_network_channels must be > 0, got: %d", *numNetworkChannels) } + refsLeakMode, err := boot.MakeRefsLeakMode(*referenceLeakMode) + if err != nil { + cmd.Fatalf("%v", err) + } + // Create a new Config from the flags. conf := &boot.Config{ RootDir: *rootDir, @@ -191,6 +197,7 @@ func main() { NumNetworkChannels: *numNetworkChannels, Rootless: *rootless, AlsoLogToStderr: *alsoLogToStderr, + ReferenceLeakMode: refsLeakMode, TestOnlyAllowRunAsCurrentUserWithoutChroot: *testOnlyAllowRunAsCurrentUserWithoutChroot, } |