diff options
| -rw-r--r-- | runsc/boot/config.go | 6 | ||||
| -rw-r--r-- | runsc/boot/loader.go | 6 | ||||
| -rw-r--r-- | runsc/main.go | 2 |
3 files changed, 6 insertions, 8 deletions
diff --git a/runsc/boot/config.go b/runsc/boot/config.go index 139eb1cce..4276a4cc4 100644 --- a/runsc/boot/config.go +++ b/runsc/boot/config.go @@ -116,12 +116,10 @@ func MakeWatchdogAction(s string) (watchdog.Action, error) { // MakeRefsLeakMode converts type from string func MakeRefsLeakMode(s string) (refs.LeakMode, error) { switch strings.ToLower(s) { - case "nocheck": + case "disabled": return refs.NoLeakChecking, nil case "warning": return refs.LeaksLogWarning, nil - case "traces": - return refs.LeaksLogTraces, nil default: return 0, fmt.Errorf("invalid refs leakmode %q", s) } @@ -245,7 +243,7 @@ func (c *Config) ToFlags() []string { "--num-network-channels=" + strconv.Itoa(c.NumNetworkChannels), "--rootless=" + strconv.FormatBool(c.Rootless), "--alsologtostderr=" + strconv.FormatBool(c.AlsoLogToStderr), - "--refs-leak-mode=" + c.ReferenceLeakMode.String(), + "--ref-leak-mode=" + c.ReferenceLeakMode.String(), } if c.TestOnlyAllowRunAsCurrentUserWithoutChroot { // Only include if set since it is never to be used by users. diff --git a/runsc/boot/loader.go b/runsc/boot/loader.go index 2fce800ae..65ac67dbf 100644 --- a/runsc/boot/loader.go +++ b/runsc/boot/loader.go @@ -181,6 +181,9 @@ type Args struct { // New initializes a new kernel loader configured by spec. // New also handles setting up a kernel for restoring a container. func New(args Args) (*Loader, error) { + // Sets the reference leak check mode + refs.SetLeakMode(args.Conf.ReferenceLeakMode) + // We initialize the rand package now to make sure /dev/urandom is pre-opened // on kernels that do not support getrandom(2). if err := rand.Init(); err != nil { @@ -191,9 +194,6 @@ func New(args Args) (*Loader, error) { return nil, fmt.Errorf("setting up memory usage: %v", err) } - // Sets the refs leak check mode - refs.SetLeakMode(args.Conf.ReferenceLeakMode) - // Create kernel and platform. p, err := createPlatform(args.Conf, args.Device) if err != nil { diff --git a/runsc/main.go b/runsc/main.go index a10138049..8857b96ac 100644 --- a/runsc/main.go +++ b/runsc/main.go @@ -73,7 +73,7 @@ var ( netRaw = flag.Bool("net-raw", false, "enable raw sockets. When false, raw sockets are disabled by removing CAP_NET_RAW from containers (`runsc exec` will still be able to utilize raw sockets). Raw sockets allow malicious containers to craft packets and potentially attack the network.") numNetworkChannels = flag.Int("num-network-channels", 1, "number of underlying channels(FDs) to use for network link endpoints.") rootless = flag.Bool("rootless", false, "it allows the sandbox to be started with a user that is not root. Sandbox and Gofer processes may run with same privileges as current user.") - referenceLeakMode = flag.String("refs-leak-mode", "nocheck", "sets reference leak check mode: nocheck (default), warning, traces.") + referenceLeakMode = flag.String("ref-leak-mode", "disabled", "sets reference leak check mode: disabled (default), warning.") // Test flags, not to be used outside tests, ever. testOnlyAllowRunAsCurrentUserWithoutChroot = flag.Bool("TESTONLY-unsafe-nonroot", false, "TEST ONLY; do not ever use! This skips many security measures that isolate the host from the sandbox.") |