summaryrefslogtreecommitdiffhomepage
AgeCommit message (Collapse)Author
2019-06-12Merge e352f464 (automated)gVisor bot
2019-06-12Minor BUILD file cleanup.Adin Scannell
PiperOrigin-RevId: 252918338
2019-06-12Merge 70578806 (automated)gVisor bot
2019-06-12Add support for TCP_CONGESTION socket option.Bhasker Hariharan
This CL also cleans up the error returned for setting congestion control which was incorrectly returning EINVAL instead of ENOENT. PiperOrigin-RevId: 252889093
2019-06-12Merge bb849bad (automated)gVisor bot
2019-06-12gvisor/runsc: apply seccomp filters before parsing a state fileAndrei Vagin
PiperOrigin-RevId: 252869983
2019-06-12Merge 0d05a12f (automated)gVisor bot
2019-06-12gvisor/ptrace: print guest registers if a stub stopped with unexpected codeAndrei Vagin
PiperOrigin-RevId: 252855280
2019-06-12Merge 356d1be1 (automated)gVisor bot
2019-06-12Allow 'runsc do' to run without rootFabricio Voznika
'--rootless' flag lets a non-root user execute 'runsc do'. The drawback is that the sandbox and gofer processes will run as root inside a user namespace that is mapped to the caller's user, intead of nobody. And network is defaulted to '--network=host' inside the root network namespace. On the bright side, it's very convenient for testing: runsc --rootless do ls runsc --rootless do curl www.google.com PiperOrigin-RevId: 252840970
2019-06-12Merge df110ad4 (automated)gVisor bot
2019-06-11Eat sendfile partial errorAdin Scannell
For sendfile(2), we propagate a TCP error through the system call layer. This should be eaten if there is a partial result. This change also adds a test to ensure that there is no panic in this case, for both TCP sockets and unix domain sockets. PiperOrigin-RevId: 252746192
2019-06-11Merge 69c8657a (automated)gVisor bot
2019-06-11kokoro: don't overwrite test results for different runtimesAndrei Vagin
PiperOrigin-RevId: 252724255
2019-06-11Merge 478a0873 (automated)gVisor bot
2019-06-11Explicitly reference workspace root in test commandMichael Pratt
oh-my-zsh aliases ... to ../.. [1]. Add an explicit reference to workspace root to work around the alias. [1] https://github.com/robbyrussell/oh-my-zsh/blob/master/lib/directories.zsh Fixes #341 PiperOrigin-RevId: 252720590
2019-06-11Merge fc746efa (automated)gVisor bot
2019-06-11Add support to mount pod shared tmpfs mountsFabricio Voznika
Parse annotations containing 'gvisor.dev/spec/mount' that gives hints about how mounts are shared between containers inside a pod. This information can be used to better inform how to mount these volumes inside gVisor. For example, a volume that is shared between containers inside a pod can be bind mounted inside the sandbox, instead of being two independent mounts. For now, this information is used to allow the same tmpfs mounts to be shared between containers which wasn't possible before. PiperOrigin-RevId: 252704037
2019-06-11Merge 847c4b97 (automated)gVisor bot
2019-06-11Use net.HardwareAddr for FDBasedLink.LinkAddressFabricio Voznika
It prints formatted to the log. PiperOrigin-RevId: 252699551
2019-06-11Merge a775ae82 (automated)gVisor bot
2019-06-11Fix broken pipe error building version fileFabricio Voznika
(11:34:09) ERROR: /tmpfs/src/github/repo/runsc/BUILD:82:1: Couldn't build file runsc/version.txt: Executing genrule //runsc:deb-version failed (Broken pipe): bash failed: error executing command PiperOrigin-RevId: 252691902
2019-06-11Merge 307a9854 (automated)gVisor bot
2019-06-11gvisor/test: create a per-testcase directory for runsc logsAndrei Vagin
Otherwise it's hard to find a directory for a specific test case. PiperOrigin-RevId: 252636901
2019-06-11Merge 74e397e3 (automated)gVisor bot
2019-06-10Add introspection for Linux/AMD64 syscallsIan Lewis
Adds simple introspection for syscall compatibility information to Linux/AMD64. Syscalls registered in the syscall table now have associated metadata like name, support level, notes, and URLs to relevant issues. Syscall information can be exported as a table, JSON, or CSV using the new 'runsc help syscalls' command. Users can use this info to debug and get info on the compatibility of the version of runsc they are running or to generate documentation. PiperOrigin-RevId: 252558304
2019-06-10Merge 589f36ac (automated)gVisor bot
2019-06-10Move //pkg/sentry/platform/procid to //pkg/procid.Jamie Liu
PiperOrigin-RevId: 252501653
2019-06-10Merge a00157cc (automated)gVisor bot
2019-06-10Fixes to listen backlog handling.Bhasker Hariharan
Changes netstack to confirm to current linux behaviour where if the backlog is full then we drop the SYN and do not send a SYN-ACK. Similarly we allow upto backlog connections to be in SYN-RCVD state as long as the backlog is not full. We also now drop a SYN if syn cookies are in use and the backlog for the listening endpoint is full. Added new tests to confirm the behaviour. Also reverted the change to increase the backlog in TcpPortReuseMultiThread syscall test. Fixes #236 PiperOrigin-RevId: 252500462
2019-06-10Store more information in the kernel socket table.Rahat Mahmood
Store enough information in the kernel socket table to distinguish between different types of sockets. Previously we were only storing the socket family, but this isn't enough to classify sockets. For example, TCPv4 and UDPv4 sockets are both AF_INET, and ICMP sockets are SOCK_DGRAM sockets with a particular protocol. Instead of creating more sub-tables, flatten the socket table and provide a filtering mechanism based on the socket entry. Also generate and store a socket entry index ("sl" in linux) which allows us to output entries in a stable order from procfs. PiperOrigin-RevId: 252495895
2019-06-07Move //pkg/sentry/memutil to //pkg/memutil.Jamie Liu
PiperOrigin-RevId: 252124156
2019-06-06BUILD: Use runsc to generate versionAdin Scannell
This also ensures BUILD files are correctly formatted. PiperOrigin-RevId: 251990267
2019-06-06Change visibility of //pkg/sentry/time.Jamie Liu
PiperOrigin-RevId: 251965598
2019-06-06Add alsologtostderr optionFabricio Voznika
When set sends log messages to the error log: sudo ./runsc --logtostderr do ls I0531 17:59:58.105064 144564 x:0] *************************** I0531 17:59:58.105087 144564 x:0] Args: [runsc --logtostderr do ls] I0531 17:59:58.105112 144564 x:0] PID: 144564 I0531 17:59:58.105125 144564 x:0] UID: 0, GID: 0 [...] PiperOrigin-RevId: 251964377
2019-06-06Cap initial usermem.CopyStringIn buffer size.Jamie Liu
Almost (?) all uses of CopyStringIn are via linux.copyInPath(), which passes maxlen = linux.PATH_MAX = 4096. Pre-allocating a buffer of this size is measurably inefficient in most cases: most paths will not be this long, 4 KB is a lot of bytes to zero, and as of this writing the Go runtime allocator maps only two 4 KB objects to each 8 KB span, necessitating a call to runtime.mcache.refill() on ~every other call. Limit the initial buffer size to 256 B instead, and geometrically reallocate if necessary. PiperOrigin-RevId: 251960441
2019-06-06Use common definition of SockType.Rahat Mahmood
SockType isn't specific to unix domain sockets, and the current definition basically mirrors the linux ABI's definition. PiperOrigin-RevId: 251956740
2019-06-06Add the gVisor gitter badge to the READMEIan Lewis
Moves the build badge to just below the logo and adds the gitter badge next to it for consistency. PiperOrigin-RevId: 251956383
2019-06-06Copy up parent when binding UDS on overlayfsFabricio Voznika
Overlayfs was expecting the parent to exist when bind(2) was called, which may not be the case. The fix is to copy the parent directory to the upper layer before binding the UDS. There is not good place to add tests for it. Syscall tests would be ideal, but it's hard to guarantee that the directory where the socket is created hasn't been touched before (and thus copied the parent to the upper layer). Added it to runsc integration tests for now. If it turns out we have lots of these kind of tests, we can consider moving them somewhere more appropriate. PiperOrigin-RevId: 251954156
2019-06-06"Implement" mbind(2).Jamie Liu
We still only advertise a single NUMA node, and ignore mempolicy accordingly, but mbind() at least now succeeds and has effects reflected by get_mempolicy(). Also fix handling of nodemasks: round sizes to unsigned long (as documented and done by Linux), and zero trailing bits when copying them out. PiperOrigin-RevId: 251950859
2019-06-06Implement reclaim-driven MemoryFile eviction.Jamie Liu
PiperOrigin-RevId: 251950660
2019-06-06Remove tmpfs restriction from testFabricio Voznika
runsc supports UDS over gofer mounts and tmpfs is not needed for this test. PiperOrigin-RevId: 251944870
2019-06-06Track and export socket state.Rahat Mahmood
This is necessary for implementing network diagnostic interfaces like /proc/net/{tcp,udp,unix} and sock_diag(7). For pass-through endpoints such as hostinet, we obtain the socket state from the backend. For netstack, we add explicit tracking of TCP states. PiperOrigin-RevId: 251934850
2019-06-06Add overlay dimension to FS related syscall testsFabricio Voznika
PiperOrigin-RevId: 251929314
2019-06-06Try increase listen backlog.Rahat Mahmood
PiperOrigin-RevId: 251928000
2019-06-06Internal change.Googler
PiperOrigin-RevId: 251902567
2019-06-06Send error message to docker/kubectl exec on failureFabricio Voznika
Containerd uses the last error message sent to the log to print as failure cause for create/exec. This required a few changes in the logging logic for runsc: - cmd.Errorf/Fatalf: now writes a message with 'error' level to containerd log, in addition to stderr and debug logs, like before. - log.Infof/Warningf/Fatalf: are not sent to containerd log anymore. They are mostly used for debugging and not useful to containerd. In most cases, --debug-log is enabled and this avoids the logs messages from being duplicated. - stderr is not used as default log destination anymore. Some commands assume stdio is for the container/process running inside the sandbox and it's better to never use it for logging. By default, logs are supressed now. PiperOrigin-RevId: 251881815
2019-06-06Add multi-fd support to fdbased endpoint.Bhasker Hariharan
This allows an fdbased endpoint to have multiple underlying fd's from which packets can be read and dispatched/written to. This should allow for higher throughput as well as better scalability of the network stack as number of connections increases. Updates #231 PiperOrigin-RevId: 251852825
2019-06-05netstack/sniffer: log GSO attributesAndrei Vagin
PiperOrigin-RevId: 251788534
2019-06-05Shutdown host sockets on internal shutdownMichael Pratt
This is required to make the shutdown visible to peers outside the sandbox. The readClosed / writeClosed fields were dropped, as they were preventing a shutdown socket from reading the remainder of queued bytes. The host syscalls will return the appropriate errors for shutdown. The control message tests have been split out of socket_unix.cc to make the (few) remaining tests accessible to testing inherited host UDS, which don't support sending control messages. Updates #273 PiperOrigin-RevId: 251763060