summaryrefslogtreecommitdiffhomepage
path: root/runsc
diff options
context:
space:
mode:
Diffstat (limited to 'runsc')
-rw-r--r--runsc/boot/strace.go4
-rw-r--r--runsc/config/config.go443
-rw-r--r--runsc/config/flags.go168
-rw-r--r--runsc/flag/flag.go14
-rw-r--r--runsc/main.go170
-rw-r--r--runsc/sandbox/network.go2
6 files changed, 407 insertions, 394 deletions
diff --git a/runsc/boot/strace.go b/runsc/boot/strace.go
index 176981f74..c21648a32 100644
--- a/runsc/boot/strace.go
+++ b/runsc/boot/strace.go
@@ -15,6 +15,8 @@
package boot
import (
+ "strings"
+
"gvisor.dev/gvisor/pkg/sentry/strace"
"gvisor.dev/gvisor/runsc/config"
)
@@ -37,5 +39,5 @@ func enableStrace(conf *config.Config) error {
strace.EnableAll(strace.SinkTypeLog)
return nil
}
- return strace.Enable(conf.StraceSyscalls, strace.SinkTypeLog)
+ return strace.Enable(strings.Split(conf.StraceSyscalls, ","), strace.SinkTypeLog)
}
diff --git a/runsc/config/config.go b/runsc/config/config.go
index 8cf0378d5..bca27ebf1 100644
--- a/runsc/config/config.go
+++ b/runsc/config/config.go
@@ -19,254 +19,105 @@ package config
import (
"fmt"
- "strconv"
- "strings"
"gvisor.dev/gvisor/pkg/refs"
"gvisor.dev/gvisor/pkg/sentry/watchdog"
)
-// FileAccessType tells how the filesystem is accessed.
-type FileAccessType int
-
-const (
- // FileAccessShared sends IO requests to a Gofer process that validates the
- // requests and forwards them to the host.
- FileAccessShared FileAccessType = iota
-
- // FileAccessExclusive is the same as FileAccessShared, but enables
- // extra caching for improved performance. It should only be used if
- // the sandbox has exclusive access to the filesystem.
- FileAccessExclusive
-)
-
-// MakeFileAccessType converts type from string.
-func MakeFileAccessType(s string) (FileAccessType, error) {
- switch s {
- case "shared":
- return FileAccessShared, nil
- case "exclusive":
- return FileAccessExclusive, nil
- default:
- return 0, fmt.Errorf("invalid file access type %q", s)
- }
-}
-
-func (f FileAccessType) String() string {
- switch f {
- case FileAccessShared:
- return "shared"
- case FileAccessExclusive:
- return "exclusive"
- default:
- return fmt.Sprintf("unknown(%d)", f)
- }
-}
-
-// NetworkType tells which network stack to use.
-type NetworkType int
-
-const (
- // NetworkSandbox uses internal network stack, isolated from the host.
- NetworkSandbox NetworkType = iota
-
- // NetworkHost redirects network related syscalls to the host network.
- NetworkHost
-
- // NetworkNone sets up just loopback using netstack.
- NetworkNone
-)
-
-// MakeNetworkType converts type from string.
-func MakeNetworkType(s string) (NetworkType, error) {
- switch s {
- case "sandbox":
- return NetworkSandbox, nil
- case "host":
- return NetworkHost, nil
- case "none":
- return NetworkNone, nil
- default:
- return 0, fmt.Errorf("invalid network type %q", s)
- }
-}
-
-func (n NetworkType) String() string {
- switch n {
- case NetworkSandbox:
- return "sandbox"
- case NetworkHost:
- return "host"
- case NetworkNone:
- return "none"
- default:
- return fmt.Sprintf("unknown(%d)", n)
- }
-}
-
-// MakeWatchdogAction converts type from string.
-func MakeWatchdogAction(s string) (watchdog.Action, error) {
- switch strings.ToLower(s) {
- case "log", "logwarning":
- return watchdog.LogWarning, nil
- case "panic":
- return watchdog.Panic, nil
- default:
- return 0, fmt.Errorf("invalid watchdog action %q", s)
- }
-}
-
-// MakeRefsLeakMode converts type from string.
-func MakeRefsLeakMode(s string) (refs.LeakMode, error) {
- switch strings.ToLower(s) {
- case "disabled":
- return refs.NoLeakChecking, nil
- case "log-names":
- return refs.LeaksLogWarning, nil
- case "log-traces":
- return refs.LeaksLogTraces, nil
- default:
- return 0, fmt.Errorf("invalid refs leakmode %q", s)
- }
-}
-
-func refsLeakModeToString(mode refs.LeakMode) string {
- switch mode {
- // If not set, default it to disabled.
- case refs.UninitializedLeakChecking, refs.NoLeakChecking:
- return "disabled"
- case refs.LeaksLogWarning:
- return "log-names"
- case refs.LeaksLogTraces:
- return "log-traces"
- default:
- panic(fmt.Sprintf("Invalid leakmode: %d", mode))
- }
-}
-
-// QueueingDiscipline is used to specify the kind of Queueing Discipline to
-// apply for a give FDBasedLink.
-type QueueingDiscipline int
-
-const (
- // QDiscNone disables any queueing for the underlying FD.
- QDiscNone QueueingDiscipline = iota
-
- // QDiscFIFO applies a simple fifo based queue to the underlying
- // FD.
- QDiscFIFO
-)
-
-// MakeQueueingDiscipline if possible the equivalent QueuingDiscipline for s
-// else returns an error.
-func MakeQueueingDiscipline(s string) (QueueingDiscipline, error) {
- switch s {
- case "none":
- return QDiscNone, nil
- case "fifo":
- return QDiscFIFO, nil
- default:
- return 0, fmt.Errorf("unsupported qdisc specified: %q", s)
- }
-}
-
-// String implements fmt.Stringer.
-func (q QueueingDiscipline) String() string {
- switch q {
- case QDiscNone:
- return "none"
- case QDiscFIFO:
- return "fifo"
- default:
- panic(fmt.Sprintf("Invalid queueing discipline: %d", q))
- }
-}
-
// Config holds configuration that is not part of the runtime spec.
+//
+// Follow these steps to add a new flag:
+// 1. Create a new field in Config.
+// 2. Add a field tag with the flag name
+// 3. Register a new flag in flags.go, with name and description
+// 4. Add any necessary validation into validate()
+// 5. If adding an enum, follow the same pattern as FileAccessType
+//
type Config struct {
// RootDir is the runtime root directory.
- RootDir string
+ RootDir string `flag:"root"`
// Debug indicates that debug logging should be enabled.
- Debug bool
+ Debug bool `flag:"debug"`
// LogFilename is the filename to log to, if not empty.
- LogFilename string
+ LogFilename string `flag:"log"`
// LogFormat is the log format.
- LogFormat string
+ LogFormat string `flag:"log-format"`
// DebugLog is the path to log debug information to, if not empty.
- DebugLog string
+ DebugLog string `flag:"debug-log"`
// PanicLog is the path to log GO's runtime messages, if not empty.
- PanicLog string
+ PanicLog string `flag:"panic-log"`
// DebugLogFormat is the log format for debug.
- DebugLogFormat string
+ DebugLogFormat string `flag:"debug-log-format"`
// FileAccess indicates how the filesystem is accessed.
- FileAccess FileAccessType
+ FileAccess FileAccessType `flag:"file-access"`
// Overlay is whether to wrap the root filesystem in an overlay.
- Overlay bool
+ Overlay bool `flag:"overlay"`
// FSGoferHostUDS enables the gofer to mount a host UDS.
- FSGoferHostUDS bool
+ FSGoferHostUDS bool `flag:"fsgofer-host-uds"`
// Network indicates what type of network to use.
- Network NetworkType
+ Network NetworkType `flag:"network"`
// EnableRaw indicates whether raw sockets should be enabled. Raw
// sockets are disabled by stripping CAP_NET_RAW from the list of
// capabilities.
- EnableRaw bool
+ EnableRaw bool `flag:"net-raw"`
// HardwareGSO indicates that hardware segmentation offload is enabled.
- HardwareGSO bool
+ HardwareGSO bool `flag:"gso"`
// SoftwareGSO indicates that software segmentation offload is enabled.
- SoftwareGSO bool
+ SoftwareGSO bool `flag:"software-gso"`
// TXChecksumOffload indicates that TX Checksum Offload is enabled.
- TXChecksumOffload bool
+ TXChecksumOffload bool `flag:"tx-checksum-offload"`
// RXChecksumOffload indicates that RX Checksum Offload is enabled.
- RXChecksumOffload bool
+ RXChecksumOffload bool `flag:"rx-checksum-offload"`
// QDisc indicates the type of queuening discipline to use by default
// for non-loopback interfaces.
- QDisc QueueingDiscipline
+ QDisc QueueingDiscipline `flag:"qdisc"`
// LogPackets indicates that all network packets should be logged.
- LogPackets bool
+ LogPackets bool `flag:"log-packets"`
// Platform is the platform to run on.
- Platform string
+ Platform string `flag:"platform"`
// Strace indicates that strace should be enabled.
- Strace bool
+ Strace bool `flag:"strace"`
- // StraceSyscalls is the set of syscalls to trace. If StraceEnable is
- // true and this list is empty, then all syscalls will be traced.
- StraceSyscalls []string
+ // StraceSyscalls is the set of syscalls to trace (comma-separated values).
+ // If StraceEnable is true and this string is empty, then all syscalls will
+ // be traced.
+ StraceSyscalls string `flag:"strace-syscalls"`
// StraceLogSize is the max size of data blobs to display.
- StraceLogSize uint
+ StraceLogSize uint `flag:"strace-log-size"`
// DisableSeccomp indicates whether seccomp syscall filters should be
// disabled. Pardon the double negation, but default to enabled is important.
DisableSeccomp bool
// WatchdogAction sets what action the watchdog takes when triggered.
- WatchdogAction watchdog.Action
+ WatchdogAction watchdog.Action `flag:"watchdog-action"`
// PanicSignal registers signal handling that panics. Usually set to
// SIGUSR2(12) to troubleshoot hangs. -1 disables it.
- PanicSignal int
+ PanicSignal int `flag:"panic-signal"`
// ProfileEnable is set to prepare the sandbox to be profiled.
- ProfileEnable bool
+ ProfileEnable bool `flag:"profile"`
// RestoreFile is the path to the saved container image
RestoreFile string
@@ -274,105 +125,209 @@ type Config struct {
// NumNetworkChannels controls the number of AF_PACKET sockets that map
// to the same underlying network device. This allows netstack to better
// scale for high throughput use cases.
- NumNetworkChannels int
+ NumNetworkChannels int `flag:"num-network-channels"`
// Rootless allows the sandbox to be started with a user that is not root.
// Defense is depth measures are weaker with rootless. Specifically, the
// sandbox and Gofer process run as root inside a user namespace with root
// mapped to the caller's user.
- Rootless bool
+ Rootless bool `flag:"rootless"`
// AlsoLogToStderr allows to send log messages to stderr.
- AlsoLogToStderr bool
+ AlsoLogToStderr bool `flag:"alsologtostderr"`
// ReferenceLeakMode sets reference leak check mode
- ReferenceLeakMode refs.LeakMode
+ ReferenceLeak refs.LeakMode `flag:"ref-leak-mode"`
// OverlayfsStaleRead instructs the sandbox to assume that the root mount
// is on a Linux overlayfs mount, which does not necessarily preserve
// coherence between read-only and subsequent writable file descriptors
// representing the "same" file.
- OverlayfsStaleRead bool
+ OverlayfsStaleRead bool `flag:"overlayfs-stale-read"`
// CPUNumFromQuota sets CPU number count to available CPU quota, using
// least integer value greater than or equal to quota.
//
// E.g. 0.2 CPU quota will result in 1, and 1.9 in 2.
- CPUNumFromQuota bool
+ CPUNumFromQuota bool `flag:"cpu-num-from-quota"`
- // Enables VFS2 (not plumbed through yet).
- VFS2 bool
+ // Enables VFS2.
+ VFS2 bool `flag:"vfs2"`
- // Enables FUSE usage (not plumbed through yet).
- FUSE bool
+ // Enables FUSE usage.
+ FUSE bool `flag:"fuse"`
// TestOnlyAllowRunAsCurrentUserWithoutChroot should only be used in
// tests. It allows runsc to start the sandbox process as the current
// user, and without chrooting the sandbox process. This can be
// necessary in test environments that have limited capabilities.
- TestOnlyAllowRunAsCurrentUserWithoutChroot bool
+ TestOnlyAllowRunAsCurrentUserWithoutChroot bool `flag:"TESTONLY-unsafe-nonroot"`
// TestOnlyTestNameEnv should only be used in tests. It looks up for the
// test name in the container environment variables and adds it to the debug
// log file name. This is done to help identify the log with the test when
// multiple tests are run in parallel, since there is no way to pass
// parameters to the runtime from docker.
- TestOnlyTestNameEnv string
+ TestOnlyTestNameEnv string `flag:"TESTONLY-test-name-env"`
+}
+
+func (c *Config) validate() error {
+ if c.FileAccess == FileAccessShared && c.Overlay {
+ return fmt.Errorf("overlay flag is incompatible with shared file access")
+ }
+ if c.NumNetworkChannels <= 0 {
+ return fmt.Errorf("num_network_channels must be > 0, got: %d", c.NumNetworkChannels)
+ }
+ return nil
}
-// ToFlags returns a slice of flags that correspond to the given Config.
-func (c *Config) ToFlags() []string {
- f := []string{
- "--root=" + c.RootDir,
- "--debug=" + strconv.FormatBool(c.Debug),
- "--log=" + c.LogFilename,
- "--log-format=" + c.LogFormat,
- "--debug-log=" + c.DebugLog,
- "--panic-log=" + c.PanicLog,
- "--debug-log-format=" + c.DebugLogFormat,
- "--file-access=" + c.FileAccess.String(),
- "--overlay=" + strconv.FormatBool(c.Overlay),
- "--fsgofer-host-uds=" + strconv.FormatBool(c.FSGoferHostUDS),
- "--network=" + c.Network.String(),
- "--log-packets=" + strconv.FormatBool(c.LogPackets),
- "--platform=" + c.Platform,
- "--strace=" + strconv.FormatBool(c.Strace),
- "--strace-syscalls=" + strings.Join(c.StraceSyscalls, ","),
- "--strace-log-size=" + strconv.Itoa(int(c.StraceLogSize)),
- "--watchdog-action=" + c.WatchdogAction.String(),
- "--panic-signal=" + strconv.Itoa(c.PanicSignal),
- "--profile=" + strconv.FormatBool(c.ProfileEnable),
- "--net-raw=" + strconv.FormatBool(c.EnableRaw),
- "--num-network-channels=" + strconv.Itoa(c.NumNetworkChannels),
- "--rootless=" + strconv.FormatBool(c.Rootless),
- "--alsologtostderr=" + strconv.FormatBool(c.AlsoLogToStderr),
- "--ref-leak-mode=" + refsLeakModeToString(c.ReferenceLeakMode),
- "--gso=" + strconv.FormatBool(c.HardwareGSO),
- "--software-gso=" + strconv.FormatBool(c.SoftwareGSO),
- "--rx-checksum-offload=" + strconv.FormatBool(c.RXChecksumOffload),
- "--tx-checksum-offload=" + strconv.FormatBool(c.TXChecksumOffload),
- "--overlayfs-stale-read=" + strconv.FormatBool(c.OverlayfsStaleRead),
- "--qdisc=" + c.QDisc.String(),
- "--vfs2=" + strconv.FormatBool(c.VFS2),
- "--fuse=" + strconv.FormatBool(c.FUSE),
+// FileAccessType tells how the filesystem is accessed.
+type FileAccessType int
+
+const (
+ // FileAccessExclusive is the same as FileAccessShared, but enables
+ // extra caching for improved performance. It should only be used if
+ // the sandbox has exclusive access to the filesystem.
+ FileAccessExclusive FileAccessType = iota
+
+ // FileAccessShared sends IO requests to a Gofer process that validates the
+ // requests and forwards them to the host.
+ FileAccessShared
+)
+
+func fileAccessTypePtr(v FileAccessType) *FileAccessType {
+ return &v
+}
+
+// Set implements flag.Value.
+func (f *FileAccessType) Set(v string) error {
+ switch v {
+ case "shared":
+ *f = FileAccessShared
+ case "exclusive":
+ *f = FileAccessExclusive
+ default:
+ return fmt.Errorf("invalid file access type %q", v)
}
- if c.CPUNumFromQuota {
- f = append(f, "--cpu-num-from-quota")
+ return nil
+}
+
+// Get implements flag.Value.
+func (f *FileAccessType) Get() interface{} {
+ return *f
+}
+
+// String implements flag.Value.
+func (f *FileAccessType) String() string {
+ switch *f {
+ case FileAccessShared:
+ return "shared"
+ case FileAccessExclusive:
+ return "exclusive"
}
- if c.VFS2 {
- f = append(f, "--vfs2=true")
+ panic(fmt.Sprintf("Invalid file access type %v", *f))
+}
+
+// NetworkType tells which network stack to use.
+type NetworkType int
+
+const (
+ // NetworkSandbox uses internal network stack, isolated from the host.
+ NetworkSandbox NetworkType = iota
+
+ // NetworkHost redirects network related syscalls to the host network.
+ NetworkHost
+
+ // NetworkNone sets up just loopback using netstack.
+ NetworkNone
+)
+
+func networkTypePtr(v NetworkType) *NetworkType {
+ return &v
+}
+
+// Set implements flag.Value.
+func (n *NetworkType) Set(v string) error {
+ switch v {
+ case "sandbox":
+ *n = NetworkSandbox
+ case "host":
+ *n = NetworkHost
+ case "none":
+ *n = NetworkNone
+ default:
+ return fmt.Errorf("invalid network type %q", v)
}
- if c.FUSE {
- f = append(f, "--fuse=true")
+ return nil
+}
+
+// Get implements flag.Value.
+func (n *NetworkType) Get() interface{} {
+ return *n
+}
+
+// String implements flag.Value.
+func (n *NetworkType) String() string {
+ switch *n {
+ case NetworkSandbox:
+ return "sandbox"
+ case NetworkHost:
+ return "host"
+ case NetworkNone:
+ return "none"
}
+ panic(fmt.Sprintf("Invalid network type %v", *n))
+}
+
+// QueueingDiscipline is used to specify the kind of Queueing Discipline to
+// apply for a give FDBasedLink.
+type QueueingDiscipline int
- // Only include these if set since it is never to be used by users.
- if c.TestOnlyAllowRunAsCurrentUserWithoutChroot {
- f = append(f, "--TESTONLY-unsafe-nonroot=true")
+const (
+ // QDiscNone disables any queueing for the underlying FD.
+ QDiscNone QueueingDiscipline = iota
+
+ // QDiscFIFO applies a simple fifo based queue to the underlying FD.
+ QDiscFIFO
+)
+
+func queueingDisciplinePtr(v QueueingDiscipline) *QueueingDiscipline {
+ return &v
+}
+
+// Set implements flag.Value.
+func (q *QueueingDiscipline) Set(v string) error {
+ switch v {
+ case "none":
+ *q = QDiscNone
+ case "fifo":
+ *q = QDiscFIFO
+ default:
+ return fmt.Errorf("invalid qdisc %q", v)
}
- if len(c.TestOnlyTestNameEnv) != 0 {
- f = append(f, "--TESTONLY-test-name-env="+c.TestOnlyTestNameEnv)
+ return nil
+}
+
+// Get implements flag.Value.
+func (q *QueueingDiscipline) Get() interface{} {
+ return *q
+}
+
+// String implements flag.Value.
+func (q *QueueingDiscipline) String() string {
+ switch *q {
+ case QDiscNone:
+ return "none"
+ case QDiscFIFO:
+ return "fifo"
}
+ panic(fmt.Sprintf("Invalid qdisc %v", *q))
+}
+
+func leakModePtr(v refs.LeakMode) *refs.LeakMode {
+ return &v
+}
- return f
+func watchdogActionPtr(v watchdog.Action) *watchdog.Action {
+ return &v
}
diff --git a/runsc/config/flags.go b/runsc/config/flags.go
new file mode 100644
index 000000000..488a4b9fb
--- /dev/null
+++ b/runsc/config/flags.go
@@ -0,0 +1,168 @@
+// Copyright 2020 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package config
+
+import (
+ "fmt"
+ "os"
+ "path/filepath"
+ "reflect"
+ "strconv"
+
+ "gvisor.dev/gvisor/pkg/refs"
+ "gvisor.dev/gvisor/pkg/sentry/watchdog"
+ "gvisor.dev/gvisor/pkg/sync"
+ "gvisor.dev/gvisor/runsc/flag"
+)
+
+var registration sync.Once
+
+// This is the set of flags used to populate Config.
+func RegisterFlags() {
+ registration.Do(func() {
+ // Although these flags are not part of the OCI spec, they are used by
+ // Docker, and thus should not be changed.
+ flag.String("root", "", "root directory for storage of container state.")
+ flag.String("log", "", "file path where internal debug information is written, default is stdout.")
+ flag.String("log-format", "text", "log format: text (default), json, or json-k8s.")
+ flag.Bool("debug", false, "enable debug logging.")
+
+ // These flags are unique to runsc, and are used to configure parts of the
+ // system that are not covered by the runtime spec.
+
+ // Debugging flags.
+ flag.String("debug-log", "", "additional location for logs. If it ends with '/', log files are created inside the directory with default names. The following variables are available: %TIMESTAMP%, %COMMAND%.")
+ flag.String("panic-log", "", "file path were panic reports and other Go's runtime messages are written.")
+ flag.Bool("log-packets", false, "enable network packet logging.")
+ flag.String("debug-log-format", "text", "log format: text (default), json, or json-k8s.")
+ flag.Bool("alsologtostderr", false, "send log messages to stderr.")
+
+ // Debugging flags: strace related
+ flag.Bool("strace", false, "enable strace.")
+ flag.String("strace-syscalls", "", "comma-separated list of syscalls to trace. If --strace is true and this list is empty, then all syscalls will be traced.")
+ flag.Uint("strace-log-size", 1024, "default size (in bytes) to log data argument blobs.")
+
+ // Flags that control sandbox runtime behavior.
+ flag.String("platform", "ptrace", "specifies which platform to use: ptrace (default), kvm.")
+ flag.Var(watchdogActionPtr(watchdog.LogWarning), "watchdog-action", "sets what action the watchdog takes when triggered: log (default), panic.")
+ flag.Int("panic-signal", -1, "register signal handling that panics. Usually set to SIGUSR2(12) to troubleshoot hangs. -1 disables it.")
+ flag.Bool("profile", false, "prepares the sandbox to use Golang profiler. Note that enabling profiler loosens the seccomp protection added to the sandbox (DO NOT USE IN PRODUCTION).")
+ flag.Bool("rootless", false, "it allows the sandbox to be started with a user that is not root. Sandbox and Gofer processes may run with same privileges as current user.")
+ flag.Var(leakModePtr(refs.NoLeakChecking), "ref-leak-mode", "sets reference leak check mode: disabled (default), log-names, log-traces.")
+ flag.Bool("cpu-num-from-quota", false, "set cpu number to cpu quota (least integer greater or equal to quota value, but not less than 2)")
+
+ // Flags that control sandbox runtime behavior: FS related.
+ flag.Var(fileAccessTypePtr(FileAccessExclusive), "file-access", "specifies which filesystem to use for the root mount: exclusive (default), shared. Volume mounts are always shared.")
+ flag.Bool("overlay", false, "wrap filesystem mounts with writable overlay. All modifications are stored in memory inside the sandbox.")
+ flag.Bool("overlayfs-stale-read", true, "assume root mount is an overlay filesystem")
+ flag.Bool("fsgofer-host-uds", false, "allow the gofer to mount Unix Domain Sockets.")
+ flag.Bool("vfs2", false, "TEST ONLY; use while VFSv2 is landing. This uses the new experimental VFS layer.")
+ flag.Bool("fuse", false, "TEST ONLY; use while FUSE in VFSv2 is landing. This allows the use of the new experimental FUSE filesystem.")
+
+ // Flags that control sandbox runtime behavior: network related.
+ flag.Var(networkTypePtr(NetworkSandbox), "network", "specifies which network to use: sandbox (default), host, none. Using network inside the sandbox is more secure because it's isolated from the host network.")
+ flag.Bool("net-raw", false, "enable raw sockets. When false, raw sockets are disabled by removing CAP_NET_RAW from containers (`runsc exec` will still be able to utilize raw sockets). Raw sockets allow malicious containers to craft packets and potentially attack the network.")
+ flag.Bool("gso", true, "enable hardware segmentation offload if it is supported by a network device.")
+ flag.Bool("software-gso", true, "enable software segmentation offload when hardware offload can't be enabled.")
+ flag.Bool("tx-checksum-offload", false, "enable TX checksum offload.")
+ flag.Bool("rx-checksum-offload", true, "enable RX checksum offload.")
+ flag.Var(queueingDisciplinePtr(QDiscFIFO), "qdisc", "specifies which queueing discipline to apply by default to the non loopback nics used by the sandbox.")
+ flag.Int("num-network-channels", 1, "number of underlying channels(FDs) to use for network link endpoints.")
+
+ // Test flags, not to be used outside tests, ever.
+ flag.Bool("TESTONLY-unsafe-nonroot", false, "TEST ONLY; do not ever use! This skips many security measures that isolate the host from the sandbox.")
+ flag.String("TESTONLY-test-name-env", "", "TEST ONLY; do not ever use! Used for automated tests to improve logging.")
+ })
+}
+
+// NewFromFlags creates a new Config with values coming from command line flags.
+func NewFromFlags() (*Config, error) {
+ conf := &Config{}
+
+ obj := reflect.ValueOf(conf).Elem()
+ st := obj.Type()
+ for i := 0; i < st.NumField(); i++ {
+ f := st.Field(i)
+ name, ok := f.Tag.Lookup("flag")
+ if !ok {
+ // No flag set for this field.
+ continue
+ }
+ fl := flag.CommandLine.Lookup(name)
+ if fl == nil {
+ panic(fmt.Sprintf("Flag %q not found", name))
+ }
+ x := reflect.ValueOf(flag.Get(fl.Value))
+ obj.Field(i).Set(x)
+ }
+
+ if len(conf.RootDir) == 0 {
+ // If not set, set default root dir to something (hopefully) user-writeable.
+ conf.RootDir = "/var/run/runsc"
+ if runtimeDir := os.Getenv("XDG_RUNTIME_DIR"); runtimeDir != "" {
+ conf.RootDir = filepath.Join(runtimeDir, "runsc")
+ }
+ }
+
+ if err := conf.validate(); err != nil {
+ return nil, err
+ }
+ return conf, nil
+}
+
+// ToFlags returns a slice of flags that correspond to the given Config.
+func (c *Config) ToFlags() []string {
+ var rv []string
+
+ obj := reflect.ValueOf(c).Elem()
+ st := obj.Type()
+ for i := 0; i < st.NumField(); i++ {
+ f := st.Field(i)
+ name, ok := f.Tag.Lookup("flag")
+ if !ok {
+ // No flag set for this field.
+ continue
+ }
+ val := getVal(obj.Field(i))
+
+ flag := flag.CommandLine.Lookup(name)
+ if flag == nil {
+ panic(fmt.Sprintf("Flag %q not found", name))
+ }
+ if val == flag.DefValue {
+ continue
+ }
+ rv = append(rv, fmt.Sprintf("--%s=%s", flag.Name, val))
+ }
+ return rv
+}
+
+func getVal(field reflect.Value) string {
+ if str, ok := field.Addr().Interface().(fmt.Stringer); ok {
+ return str.String()
+ }
+ switch field.Kind() {
+ case reflect.Bool:
+ return strconv.FormatBool(field.Bool())
+ case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+ return strconv.FormatInt(field.Int(), 10)
+ case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+ return strconv.FormatUint(field.Uint(), 10)
+ case reflect.String:
+ return field.String()
+ default:
+ panic("unknown type " + field.Kind().String())
+ }
+}
diff --git a/runsc/flag/flag.go b/runsc/flag/flag.go
index 0ca4829d7..ba1ff833f 100644
--- a/runsc/flag/flag.go
+++ b/runsc/flag/flag.go
@@ -21,13 +21,19 @@ import (
type FlagSet = flag.FlagSet
var (
- NewFlagSet = flag.NewFlagSet
- String = flag.String
Bool = flag.Bool
- Int = flag.Int
- Uint = flag.Uint
CommandLine = flag.CommandLine
+ Int = flag.Int
+ NewFlagSet = flag.NewFlagSet
Parse = flag.Parse
+ String = flag.String
+ Uint = flag.Uint
+ Var = flag.Var
)
const ContinueOnError = flag.ContinueOnError
+
+// Get returns the flag's underlying object.
+func Get(v flag.Value) interface{} {
+ return v.(flag.Getter).Get()
+}
diff --git a/runsc/main.go b/runsc/main.go
index c2ffecbdc..ed244c4ba 100644
--- a/runsc/main.go
+++ b/runsc/main.go
@@ -23,8 +23,6 @@ import (
"io/ioutil"
"os"
"os/signal"
- "path/filepath"
- "strings"
"syscall"
"time"
@@ -41,58 +39,17 @@ import (
var (
// Although these flags are not part of the OCI spec, they are used by
// Docker, and thus should not be changed.
- rootDir = flag.String("root", "", "root directory for storage of container state.")
- logFilename = flag.String("log", "", "file path where internal debug information is written, default is stdout.")
- logFormat = flag.String("log-format", "text", "log format: text (default), json, or json-k8s.")
- debug = flag.Bool("debug", false, "enable debug logging.")
- showVersion = flag.Bool("version", false, "show version and exit.")
// TODO(gvisor.dev/issue/193): support systemd cgroups
systemdCgroup = flag.Bool("systemd-cgroup", false, "Use systemd for cgroups. NOT SUPPORTED.")
+ showVersion = flag.Bool("version", false, "show version and exit.")
// These flags are unique to runsc, and are used to configure parts of the
// system that are not covered by the runtime spec.
// Debugging flags.
- debugLog = flag.String("debug-log", "", "additional location for logs. If it ends with '/', log files are created inside the directory with default names. The following variables are available: %TIMESTAMP%, %COMMAND%.")
- panicLog = flag.String("panic-log", "", "file path were panic reports and other Go's runtime messages are written.")
- logPackets = flag.Bool("log-packets", false, "enable network packet logging.")
- logFD = flag.Int("log-fd", -1, "file descriptor to log to. If set, the 'log' flag is ignored.")
- debugLogFD = flag.Int("debug-log-fd", -1, "file descriptor to write debug logs to. If set, the 'debug-log-dir' flag is ignored.")
- panicLogFD = flag.Int("panic-log-fd", -1, "file descriptor to write Go's runtime messages.")
- debugLogFormat = flag.String("debug-log-format", "text", "log format: text (default), json, or json-k8s.")
- alsoLogToStderr = flag.Bool("alsologtostderr", false, "send log messages to stderr.")
-
- // Debugging flags: strace related
- strace = flag.Bool("strace", false, "enable strace.")
- straceSyscalls = flag.String("strace-syscalls", "", "comma-separated list of syscalls to trace. If --strace is true and this list is empty, then all syscalls will be traced.")
- straceLogSize = flag.Uint("strace-log-size", 1024, "default size (in bytes) to log data argument blobs.")
-
- // Flags that control sandbox runtime behavior.
- platformName = flag.String("platform", "ptrace", "specifies which platform to use: ptrace (default), kvm.")
- network = flag.String("network", "sandbox", "specifies which network to use: sandbox (default), host, none. Using network inside the sandbox is more secure because it's isolated from the host network.")
- hardwareGSO = flag.Bool("gso", true, "enable hardware segmentation offload if it is supported by a network device.")
- softwareGSO = flag.Bool("software-gso", true, "enable software segmentation offload when hardware offload can't be enabled.")
- txChecksumOffload = flag.Bool("tx-checksum-offload", false, "enable TX checksum offload.")
- rxChecksumOffload = flag.Bool("rx-checksum-offload", true, "enable RX checksum offload.")
- qDisc = flag.String("qdisc", "fifo", "specifies which queueing discipline to apply by default to the non loopback nics used by the sandbox.")
- fileAccess = flag.String("file-access", "exclusive", "specifies which filesystem to use for the root mount: exclusive (default), shared. Volume mounts are always shared.")
- fsGoferHostUDS = flag.Bool("fsgofer-host-uds", false, "allow the gofer to mount Unix Domain Sockets.")
- overlay = flag.Bool("overlay", false, "wrap filesystem mounts with writable overlay. All modifications are stored in memory inside the sandbox.")
- overlayfsStaleRead = flag.Bool("overlayfs-stale-read", true, "assume root mount is an overlay filesystem")
- watchdogAction = flag.String("watchdog-action", "log", "sets what action the watchdog takes when triggered: log (default), panic.")
- panicSignal = flag.Int("panic-signal", -1, "register signal handling that panics. Usually set to SIGUSR2(12) to troubleshoot hangs. -1 disables it.")
- profile = flag.Bool("profile", false, "prepares the sandbox to use Golang profiler. Note that enabling profiler loosens the seccomp protection added to the sandbox (DO NOT USE IN PRODUCTION).")
- netRaw = flag.Bool("net-raw", false, "enable raw sockets. When false, raw sockets are disabled by removing CAP_NET_RAW from containers (`runsc exec` will still be able to utilize raw sockets). Raw sockets allow malicious containers to craft packets and potentially attack the network.")
- numNetworkChannels = flag.Int("num-network-channels", 1, "number of underlying channels(FDs) to use for network link endpoints.")
- rootless = flag.Bool("rootless", false, "it allows the sandbox to be started with a user that is not root. Sandbox and Gofer processes may run with same privileges as current user.")
- referenceLeakMode = flag.String("ref-leak-mode", "disabled", "sets reference leak check mode: disabled (default), log-names, log-traces.")
- cpuNumFromQuota = flag.Bool("cpu-num-from-quota", false, "set cpu number to cpu quota (least integer greater or equal to quota value, but not less than 2)")
- vfs2Enabled = flag.Bool("vfs2", false, "TEST ONLY; use while VFSv2 is landing. This uses the new experimental VFS layer.")
- fuseEnabled = flag.Bool("fuse", false, "TEST ONLY; use while FUSE in VFSv2 is landing. This allows the use of the new experimental FUSE filesystem.")
-
- // Test flags, not to be used outside tests, ever.
- testOnlyAllowRunAsCurrentUserWithoutChroot = flag.Bool("TESTONLY-unsafe-nonroot", false, "TEST ONLY; do not ever use! This skips many security measures that isolate the host from the sandbox.")
- testOnlyTestNameEnv = flag.String("TESTONLY-test-name-env", "", "TEST ONLY; do not ever use! Used for automated tests to improve logging.")
+ logFD = flag.Int("log-fd", -1, "file descriptor to log to. If set, the 'log' flag is ignored.")
+ debugLogFD = flag.Int("debug-log-fd", -1, "file descriptor to write debug logs to. If set, the 'debug-log-dir' flag is ignored.")
+ panicLogFD = flag.Int("panic-log-fd", -1, "file descriptor to write Go's runtime messages.")
)
func main() {
@@ -136,6 +93,8 @@ func main() {
subcommands.Register(new(cmd.Gofer), internalGroup)
subcommands.Register(new(cmd.Statefile), internalGroup)
+ config.RegisterFlags()
+
// All subcommands must be registered before flag parsing.
flag.Parse()
@@ -147,6 +106,12 @@ func main() {
os.Exit(0)
}
+ // Create a new Config from the flags.
+ conf, err := config.NewFromFlags()
+ if err != nil {
+ cmd.Fatalf(err.Error())
+ }
+
// TODO(gvisor.dev/issue/193): support systemd cgroups
if *systemdCgroup {
fmt.Fprintln(os.Stderr, "systemd cgroup flag passed, but systemd cgroups not supported. See gvisor.dev/issue/193")
@@ -157,103 +122,28 @@ func main() {
if *logFD > -1 {
errorLogger = os.NewFile(uintptr(*logFD), "error log file")
- } else if *logFilename != "" {
+ } else if conf.LogFilename != "" {
// We must set O_APPEND and not O_TRUNC because Docker passes
// the same log file for all commands (and also parses these
// log files), so we can't destroy them on each command.
var err error
- errorLogger, err = os.OpenFile(*logFilename, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0644)
+ errorLogger, err = os.OpenFile(conf.LogFilename, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0644)
if err != nil {
- cmd.Fatalf("error opening log file %q: %v", *logFilename, err)
+ cmd.Fatalf("error opening log file %q: %v", conf.LogFilename, err)
}
}
cmd.ErrorLogger = errorLogger
- platformType := *platformName
- if _, err := platform.Lookup(platformType); err != nil {
- cmd.Fatalf("%v", err)
- }
-
- fsAccess, err := config.MakeFileAccessType(*fileAccess)
- if err != nil {
- cmd.Fatalf("%v", err)
- }
-
- if fsAccess == config.FileAccessShared && *overlay {
- cmd.Fatalf("overlay flag is incompatible with shared file access")
- }
-
- netType, err := config.MakeNetworkType(*network)
- if err != nil {
+ if _, err := platform.Lookup(conf.Platform); err != nil {
cmd.Fatalf("%v", err)
}
- wa, err := config.MakeWatchdogAction(*watchdogAction)
- if err != nil {
- cmd.Fatalf("%v", err)
- }
-
- if *numNetworkChannels <= 0 {
- cmd.Fatalf("num_network_channels must be > 0, got: %d", *numNetworkChannels)
- }
-
- refsLeakMode, err := config.MakeRefsLeakMode(*referenceLeakMode)
- if err != nil {
- cmd.Fatalf("%v", err)
- }
-
- queueingDiscipline, err := config.MakeQueueingDiscipline(*qDisc)
- if err != nil {
- cmd.Fatalf("%s", err)
- }
-
// Sets the reference leak check mode. Also set it in config below to
// propagate it to child processes.
- refs.SetLeakMode(refsLeakMode)
-
- // Create a new Config from the flags.
- conf := &config.Config{
- RootDir: *rootDir,
- Debug: *debug,
- LogFilename: *logFilename,
- LogFormat: *logFormat,
- DebugLog: *debugLog,
- PanicLog: *panicLog,
- DebugLogFormat: *debugLogFormat,
- FileAccess: fsAccess,
- FSGoferHostUDS: *fsGoferHostUDS,
- Overlay: *overlay,
- Network: netType,
- HardwareGSO: *hardwareGSO,
- SoftwareGSO: *softwareGSO,
- TXChecksumOffload: *txChecksumOffload,
- RXChecksumOffload: *rxChecksumOffload,
- LogPackets: *logPackets,
- Platform: platformType,
- Strace: *strace,
- StraceLogSize: *straceLogSize,
- WatchdogAction: wa,
- PanicSignal: *panicSignal,
- ProfileEnable: *profile,
- EnableRaw: *netRaw,
- NumNetworkChannels: *numNetworkChannels,
- Rootless: *rootless,
- AlsoLogToStderr: *alsoLogToStderr,
- ReferenceLeakMode: refsLeakMode,
- OverlayfsStaleRead: *overlayfsStaleRead,
- CPUNumFromQuota: *cpuNumFromQuota,
- VFS2: *vfs2Enabled,
- FUSE: *fuseEnabled,
- QDisc: queueingDiscipline,
- TestOnlyAllowRunAsCurrentUserWithoutChroot: *testOnlyAllowRunAsCurrentUserWithoutChroot,
- TestOnlyTestNameEnv: *testOnlyTestNameEnv,
- }
- if len(*straceSyscalls) != 0 {
- conf.StraceSyscalls = strings.Split(*straceSyscalls, ",")
- }
+ refs.SetLeakMode(conf.ReferenceLeak)
// Set up logging.
- if *debug {
+ if conf.Debug {
log.SetLevel(log.Debug)
}
@@ -275,14 +165,14 @@ func main() {
if *debugLogFD > -1 {
f := os.NewFile(uintptr(*debugLogFD), "debug log file")
- e = newEmitter(*debugLogFormat, f)
+ e = newEmitter(conf.DebugLogFormat, f)
- } else if *debugLog != "" {
- f, err := specutils.DebugLogFile(*debugLog, subcommand, "" /* name */)
+ } else if conf.DebugLog != "" {
+ f, err := specutils.DebugLogFile(conf.DebugLog, subcommand, "" /* name */)
if err != nil {
- cmd.Fatalf("error opening debug log file in %q: %v", *debugLog, err)
+ cmd.Fatalf("error opening debug log file in %q: %v", conf.DebugLog, err)
}
- e = newEmitter(*debugLogFormat, f)
+ e = newEmitter(conf.DebugLogFormat, f)
} else {
// Stderr is reserved for the application, just discard the logs if no debug
@@ -308,8 +198,8 @@ func main() {
if err := syscall.Dup3(fd, int(os.Stderr.Fd()), 0); err != nil {
cmd.Fatalf("error dup'ing fd %d to stderr: %v", fd, err)
}
- } else if *alsoLogToStderr {
- e = &log.MultiEmitter{e, newEmitter(*debugLogFormat, os.Stderr)}
+ } else if conf.AlsoLogToStderr {
+ e = &log.MultiEmitter{e, newEmitter(conf.DebugLogFormat, os.Stderr)}
}
log.SetTarget(e)
@@ -328,7 +218,7 @@ func main() {
log.Infof("\t\tVFS2 enabled: %v", conf.VFS2)
log.Infof("***************************")
- if *testOnlyAllowRunAsCurrentUserWithoutChroot {
+ if conf.TestOnlyAllowRunAsCurrentUserWithoutChroot {
// SIGTERM is sent to all processes if a test exceeds its
// timeout and this case is handled by syscall_test_runner.
log.Warningf("Block the TERM signal. This is only safe in tests!")
@@ -364,11 +254,3 @@ func newEmitter(format string, logFile io.Writer) log.Emitter {
cmd.Fatalf("invalid log format %q, must be 'text', 'json', or 'json-k8s'", format)
panic("unreachable")
}
-
-func init() {
- // Set default root dir to something (hopefully) user-writeable.
- *rootDir = "/var/run/runsc"
- if runtimeDir := os.Getenv("XDG_RUNTIME_DIR"); runtimeDir != "" {
- *rootDir = filepath.Join(runtimeDir, "runsc")
- }
-}
diff --git a/runsc/sandbox/network.go b/runsc/sandbox/network.go
index f9abb2d44..0b9f39466 100644
--- a/runsc/sandbox/network.go
+++ b/runsc/sandbox/network.go
@@ -69,7 +69,7 @@ func setupNetwork(conn *urpc.Client, pid int, spec *specs.Spec, conf *config.Con
case config.NetworkHost:
// Nothing to do here.
default:
- return fmt.Errorf("invalid network type: %d", conf.Network)
+ return fmt.Errorf("invalid network type: %v", conf.Network)
}
return nil
}