diff options
Diffstat (limited to 'pkg/sentry/state')
| -rw-r--r-- | pkg/sentry/state/BUILD | 23 | ||||
| -rw-r--r-- | pkg/sentry/state/state.go | 119 | ||||
| -rw-r--r-- | pkg/sentry/state/state_metadata.go | 45 | ||||
| -rw-r--r-- | pkg/sentry/state/state_unsafe.go | 34 |
4 files changed, 221 insertions, 0 deletions
diff --git a/pkg/sentry/state/BUILD b/pkg/sentry/state/BUILD new file mode 100644 index 000000000..0ea4aab8b --- /dev/null +++ b/pkg/sentry/state/BUILD @@ -0,0 +1,23 @@ +load("//tools:defs.bzl", "go_library") + +package(licenses = ["notice"]) + +go_library( + name = "state", + srcs = [ + "state.go", + "state_metadata.go", + "state_unsafe.go", + ], + visibility = ["//pkg/sentry:internal"], + deps = [ + "//pkg/abi/linux", + "//pkg/log", + "//pkg/sentry/inet", + "//pkg/sentry/kernel", + "//pkg/sentry/time", + "//pkg/sentry/watchdog", + "//pkg/state/statefile", + "//pkg/syserror", + ], +) diff --git a/pkg/sentry/state/state.go b/pkg/sentry/state/state.go new file mode 100644 index 000000000..9eb626b76 --- /dev/null +++ b/pkg/sentry/state/state.go @@ -0,0 +1,119 @@ +// Copyright 2018 The gVisor Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Package state provides high-level state wrappers. +package state + +import ( + "fmt" + "io" + + "gvisor.dev/gvisor/pkg/log" + "gvisor.dev/gvisor/pkg/sentry/inet" + "gvisor.dev/gvisor/pkg/sentry/kernel" + "gvisor.dev/gvisor/pkg/sentry/time" + "gvisor.dev/gvisor/pkg/sentry/watchdog" + "gvisor.dev/gvisor/pkg/state/statefile" + "gvisor.dev/gvisor/pkg/syserror" +) + +var previousMetadata map[string]string + +// ErrStateFile is returned when an error is encountered writing the statefile +// (which may occur during open or close calls in addition to write). +type ErrStateFile struct { + err error +} + +// Error implements error.Error(). +func (e ErrStateFile) Error() string { + return fmt.Sprintf("statefile error: %v", e.err) +} + +// SaveOpts contains save-related options. +type SaveOpts struct { + // Destination is the save target. + Destination io.Writer + + // Key is used for state integrity check. + Key []byte + + // Metadata is save metadata. + Metadata map[string]string + + // Callback is called prior to unpause, with any save error. + Callback func(err error) +} + +// Save saves the system state. +func (opts SaveOpts) Save(k *kernel.Kernel, w *watchdog.Watchdog) error { + log.Infof("Sandbox save started, pausing all tasks.") + k.Pause() + defer k.Unpause() + defer log.Infof("Tasks resumed after save.") + + w.Stop() + defer w.Start() + + // Supplement the metadata. + if opts.Metadata == nil { + opts.Metadata = make(map[string]string) + } + addSaveMetadata(opts.Metadata) + + // Open the statefile. + wc, err := statefile.NewWriter(opts.Destination, opts.Key, opts.Metadata) + if err != nil { + err = ErrStateFile{err} + } else { + // Save the kernel. + err = k.SaveTo(wc) + + // ENOSPC is a state file error. This error can only come from + // writing the state file, and not from fs.FileOperations.Fsync + // because we wrap those in kernel.TaskSet.flushWritesToFiles. + if err == syserror.ENOSPC { + err = ErrStateFile{err} + } + + if closeErr := wc.Close(); err == nil && closeErr != nil { + err = ErrStateFile{closeErr} + } + } + opts.Callback(err) + return err +} + +// LoadOpts contains load-related options. +type LoadOpts struct { + // Destination is the load source. + Source io.Reader + + // Key is used for state integrity check. + Key []byte +} + +// Load loads the given kernel, setting the provided platform and stack. +func (opts LoadOpts) Load(k *kernel.Kernel, n inet.Stack, clocks time.Clocks) error { + // Open the file. + r, m, err := statefile.NewReader(opts.Source, opts.Key) + if err != nil { + return ErrStateFile{err} + } + + previousMetadata = m + + // Restore the Kernel object graph. + return k.LoadFrom(r, n, clocks) +} diff --git a/pkg/sentry/state/state_metadata.go b/pkg/sentry/state/state_metadata.go new file mode 100644 index 000000000..cefd20b9b --- /dev/null +++ b/pkg/sentry/state/state_metadata.go @@ -0,0 +1,45 @@ +// Copyright 2018 The gVisor Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package state + +import ( + "fmt" + "time" + + "gvisor.dev/gvisor/pkg/log" +) + +// The save metadata keys for timestamp. +const ( + cpuUsage = "cpu_usage" + metadataTimestamp = "timestamp" +) + +func addSaveMetadata(m map[string]string) { + t, err := CPUTime() + if err != nil { + log.Warningf("Error getting cpu time: %v", err) + } + if previousMetadata != nil { + p, err := time.ParseDuration(previousMetadata[cpuUsage]) + if err != nil { + log.Warningf("Error parsing previous runs' cpu time: %v", err) + } + t += p + } + m[cpuUsage] = t.String() + + m[metadataTimestamp] = fmt.Sprintf("%v", time.Now()) +} diff --git a/pkg/sentry/state/state_unsafe.go b/pkg/sentry/state/state_unsafe.go new file mode 100644 index 000000000..d271c6fc9 --- /dev/null +++ b/pkg/sentry/state/state_unsafe.go @@ -0,0 +1,34 @@ +// Copyright 2018 The gVisor Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package state + +import ( + "fmt" + "syscall" + "time" + "unsafe" + + "gvisor.dev/gvisor/pkg/abi/linux" +) + +// CPUTime returns the CPU time usage by Sentry and app. +func CPUTime() (time.Duration, error) { + var ts syscall.Timespec + _, _, errno := syscall.RawSyscall(syscall.SYS_CLOCK_GETTIME, uintptr(linux.CLOCK_PROCESS_CPUTIME_ID), uintptr(unsafe.Pointer(&ts)), 0) + if errno != 0 { + return 0, fmt.Errorf("failed calling clock_gettime(CLOCK_PROCESS_CPUTIME_ID): errno=%d", errno) + } + return time.Duration(ts.Nano()), nil +} |