summaryrefslogtreecommitdiffhomepage
path: root/runsc
diff options
context:
space:
mode:
authorpraveensastry <sastry.praveen@gmail.com>2019-08-06 01:15:48 +1000
committerpraveensastry <sastry.praveen@gmail.com>2019-08-06 01:15:48 +1000
commit607be0585fdc659ec3c043c989a8a6f86fcc14db (patch)
tree14c86afd532de8dc16790ecc15acff926267c6f0 /runsc
parentf0507e1db1574ff165000fa5e34b651413f37aae (diff)
Add option to configure reference leak checking
Diffstat (limited to 'runsc')
-rw-r--r--runsc/boot/config.go19
-rw-r--r--runsc/boot/loader.go8
-rw-r--r--runsc/main.go7
3 files changed, 29 insertions, 5 deletions
diff --git a/runsc/boot/config.go b/runsc/boot/config.go
index 7ae0dd05d..139eb1cce 100644
--- a/runsc/boot/config.go
+++ b/runsc/boot/config.go
@@ -19,6 +19,7 @@ import (
"strconv"
"strings"
+ "gvisor.dev/gvisor/pkg/refs"
"gvisor.dev/gvisor/pkg/sentry/watchdog"
)
@@ -112,6 +113,20 @@ func MakeWatchdogAction(s string) (watchdog.Action, error) {
}
}
+// MakeRefsLeakMode converts type from string
+func MakeRefsLeakMode(s string) (refs.LeakMode, error) {
+ switch strings.ToLower(s) {
+ case "nocheck":
+ return refs.NoLeakChecking, nil
+ case "warning":
+ return refs.LeaksLogWarning, nil
+ case "traces":
+ return refs.LeaksLogTraces, nil
+ default:
+ return 0, fmt.Errorf("invalid refs leakmode %q", s)
+ }
+}
+
// Config holds configuration that is not part of the runtime spec.
type Config struct {
// RootDir is the runtime root directory.
@@ -201,6 +216,9 @@ type Config struct {
// AlsoLogToStderr allows to send log messages to stderr.
AlsoLogToStderr bool
+
+ // ReferenceLeakMode sets reference leak check mode
+ ReferenceLeakMode refs.LeakMode
}
// ToFlags returns a slice of flags that correspond to the given Config.
@@ -227,6 +245,7 @@ func (c *Config) ToFlags() []string {
"--num-network-channels=" + strconv.Itoa(c.NumNetworkChannels),
"--rootless=" + strconv.FormatBool(c.Rootless),
"--alsologtostderr=" + strconv.FormatBool(c.AlsoLogToStderr),
+ "--refs-leak-mode=" + c.ReferenceLeakMode.String(),
}
if c.TestOnlyAllowRunAsCurrentUserWithoutChroot {
// Only include if set since it is never to be used by users.
diff --git a/runsc/boot/loader.go b/runsc/boot/loader.go
index 50cac0433..2fce800ae 100644
--- a/runsc/boot/loader.go
+++ b/runsc/boot/loader.go
@@ -191,6 +191,9 @@ func New(args Args) (*Loader, error) {
return nil, fmt.Errorf("setting up memory usage: %v", err)
}
+ // Sets the refs leak check mode
+ refs.SetLeakMode(args.Conf.ReferenceLeakMode)
+
// Create kernel and platform.
p, err := createPlatform(args.Conf, args.Device)
if err != nil {
@@ -1040,8 +1043,3 @@ func (l *Loader) threadGroupFromIDLocked(key execID) (*kernel.ThreadGroup, *host
}
return ep.tg, ep.tty, nil
}
-
-func init() {
- // TODO(gvisor.dev/issue/365): Make this configurable.
- refs.SetLeakMode(refs.NoLeakChecking)
-}
diff --git a/runsc/main.go b/runsc/main.go
index 5823819f4..a10138049 100644
--- a/runsc/main.go
+++ b/runsc/main.go
@@ -73,6 +73,7 @@ var (
netRaw = flag.Bool("net-raw", false, "enable raw sockets. When false, raw sockets are disabled by removing CAP_NET_RAW from containers (`runsc exec` will still be able to utilize raw sockets). Raw sockets allow malicious containers to craft packets and potentially attack the network.")
numNetworkChannels = flag.Int("num-network-channels", 1, "number of underlying channels(FDs) to use for network link endpoints.")
rootless = flag.Bool("rootless", false, "it allows the sandbox to be started with a user that is not root. Sandbox and Gofer processes may run with same privileges as current user.")
+ referenceLeakMode = flag.String("refs-leak-mode", "nocheck", "sets reference leak check mode: nocheck (default), warning, traces.")
// Test flags, not to be used outside tests, ever.
testOnlyAllowRunAsCurrentUserWithoutChroot = flag.Bool("TESTONLY-unsafe-nonroot", false, "TEST ONLY; do not ever use! This skips many security measures that isolate the host from the sandbox.")
@@ -168,6 +169,11 @@ func main() {
cmd.Fatalf("num_network_channels must be > 0, got: %d", *numNetworkChannels)
}
+ refsLeakMode, err := boot.MakeRefsLeakMode(*referenceLeakMode)
+ if err != nil {
+ cmd.Fatalf("%v", err)
+ }
+
// Create a new Config from the flags.
conf := &boot.Config{
RootDir: *rootDir,
@@ -191,6 +197,7 @@ func main() {
NumNetworkChannels: *numNetworkChannels,
Rootless: *rootless,
AlsoLogToStderr: *alsoLogToStderr,
+ ReferenceLeakMode: refsLeakMode,
TestOnlyAllowRunAsCurrentUserWithoutChroot: *testOnlyAllowRunAsCurrentUserWithoutChroot,
}