summaryrefslogtreecommitdiffhomepage
AgeCommit message (Collapse)Author
2018-11-20Use RET_KILL_PROCESS if available in kernelFabricio Voznika
RET_KILL_THREAD doesn't work well for Go because it will kill only the offending thread and leave the process hanging. RET_TRAP can be masked out and it's not guaranteed to kill the process. RET_KILL_PROCESS is available since 4.14. For older kernel, continue to use RET_TRAP as this is the best option (likely to kill process, easy to debug). PiperOrigin-RevId: 222357867 Change-Id: Icc1d7d731274b16c2125b7a1ba4f7883fbdb2cbd
2018-11-20Dumps stacks if watchdog thread is stuckFabricio Voznika
PiperOrigin-RevId: 222332703 Change-Id: Id5c3cf79591c5d2949895b4e323e63c48c679820
2018-11-20Use math.Rand to generate a random test container id.Nicolas Lacasse
We were relying on time.UnixNano, but that was causing collisions. Now we generate 20 bytes of entropy from rand.Read, and base32-encode it to get a valid container id. PiperOrigin-RevId: 222313867 Change-Id: Iaeea9b9582d36de55f9f02f55de6a5de3f739371
2018-11-20Fix recursive read lock taken on TaskSetFabricio Voznika
SyncSyscallFiltersToThreadGroup and Task.TheadID() both acquired TaskSet RWLock in R mode and could deadlock if a writer comes in between. PiperOrigin-RevId: 222313551 Change-Id: I4221057d8d46fec544cbfa55765c9a284fe7ebfa
2018-11-20Reference upstream licensesMichael Pratt
Include copyright notices and the referenced LICENSE file. PiperOrigin-RevId: 222171321 Change-Id: I0cc0b167ca51b536d1087bf1c4742fdf1430bc2a
2018-11-20Internal change.Nicolas Lacasse
PiperOrigin-RevId: 222170431 Change-Id: I26a6d6ad5d6910a94bb8b0a05fc2d12e23098399
2018-11-20Add unsupported syscall events for get/setsockoptFabricio Voznika
PiperOrigin-RevId: 222148953 Change-Id: I21500a9f08939c45314a6414e0824490a973e5aa
2018-11-20Don't fail when destroyContainerFS is called more than onceFabricio Voznika
This can happen when destroy is called multiple times or when destroy failed previously and is being called again. PiperOrigin-RevId: 221882034 Change-Id: I8d069af19cf66c4e2419bdf0d4b789c5def8d19e
2018-11-20Internal change.Nicolas Lacasse
PiperOrigin-RevId: 221848471 Change-Id: I882fbe5ce7737048b2e1f668848e9c14ed355665
2018-11-20Parse the tmpfs mode before validating.Nicolas Lacasse
This gets rid of the problematic modeRegex. PiperOrigin-RevId: 221835959 Change-Id: I566b8d8a43579a4c30c0a08a620a964bbcd826dd
2018-11-20Update futex to use usermem abstractions.Adin Scannell
This eliminates the indirection that existed in task_futex. PiperOrigin-RevId: 221832498 Change-Id: Ifb4c926d493913aa6694e193deae91616a29f042
2018-11-20Add postgres to supported images listFabricio Voznika
PiperOrigin-RevId: 221706184 Change-Id: Ia186c51e5981e984f25c340e98b94225f860e473
2018-11-15Allow sandbox.Wait to be called after the sandbox has exited.Nicolas Lacasse
sandbox.Wait is racey, as the sandbox may have exited before it is called, or even during. We already had code to handle the case that the sandbox exits during the Wait call, but we were not properly handling the case where the sandbox has exited before the call. The best we can do in such cases is return the sandbox exit code as the application exit code. PiperOrigin-RevId: 221702517 Change-Id: I290d0333cc094c7c1c3b4ce0f17f61a3e908d787
2018-11-15Advertise vsyscall support via /proc/<pid>/maps.Rahat Mahmood
Also update test utilities for probing vsyscall support and add a metric to see if vsyscalls are actually used in sandboxes. PiperOrigin-RevId: 221698834 Change-Id: I57870ecc33ea8c864bd7437833f21aa1e8117477
2018-11-15Allow setting sticky bit in tmpfs permissions.Nicolas Lacasse
PiperOrigin-RevId: 221683127 Change-Id: Ide6a9f41d75aa19d0e2051a05a1e4a114a4fb93c
2018-11-15Process delayed packets when delay is disabledIan Gudger
Moving the wakeup logic into the disable blocks is an optimization. PiperOrigin-RevId: 221677028 Change-Id: Ib5a5a6d52cc77b4bbc5dedcad9ee1dbb3da98deb
2018-11-14Rename incorrectly named (dst, src) arguments in DeliverNetworkPacket prototypeBert Muthalaly
...to (remote, local), reflecting the (correct) names in the implementation of DeliverNetworkPacket (see tcpip/stack/nic.go). Also trim the names in DeliverNetworkPacket and elsewhere to avoid stuttering; since the type is tcpip.LinkAddress, there's no need to include "LinkAddr" in the parameter names. Note that every callsite passes arguments in the order (src, dst). PiperOrigin-RevId: 221514396 Change-Id: I3637454ad0d6e62a19e4dcbc2a16493798bd0f09
2018-11-14Clean up tcp.sendDataIan Gudger
PiperOrigin-RevId: 221484739 Change-Id: I44c71f79f99d0d00a2e70a7f06d7024a62a5de0a
2018-11-14Internal change.Nicolas Lacasse
PiperOrigin-RevId: 221462069 Change-Id: Id469ed21fe12e582c78340189b932989afa13c67
2018-11-13Implement TCP_NODELAY and TCP_CORKIan Gudger
Previously, TCP_NODELAY was always enabled and we would lie about it being configurable. TCP_NODELAY is now disabled by default (to match Linux) in the socket layer so that non-gVisor users don't automatically start using this questionable optimization. PiperOrigin-RevId: 221368472 Change-Id: Ib0240f66d94455081f4e0ca94f09d9338b2c1356
2018-11-13Internal change.Nicolas Lacasse
PiperOrigin-RevId: 221343626 Change-Id: I03d57293a555cf4da9952a81803b9f8463173c89
2018-11-13Internal change.Nicolas Lacasse
PiperOrigin-RevId: 221343421 Change-Id: I418b5204c5ed4fe1e0af25ef36ee66b9b571928e
2018-11-13Internal change.Nicolas Lacasse
PiperOrigin-RevId: 221299066 Change-Id: I8ae352458f9976c329c6946b1efa843a3de0eaa4
2018-11-12Internal change.Googler
PiperOrigin-RevId: 221189534 Change-Id: Id20d318bed97d5226b454c9351df396d11251e1f
2018-11-12Internal change.Nicolas Lacasse
PiperOrigin-RevId: 221178413 Change-Id: I0e615c5e945cb924d8df767c894a9e402f0b8ff2
2018-11-12runsc: generate exec pidfile after everything is ready.Lantao Liu
PiperOrigin-RevId: 221123160 Change-Id: Ia7061d60d114d69f49aba853fe6bae3c733522b5
2018-11-12Remove obsolete TODOIan Gudger
PiperOrigin-RevId: 221117846 Change-Id: I2a43fd8135b1d1194ff81e98644ce6b6182ece50
2018-11-09Close donated files if containerManager.Start() failsFabricio Voznika
PiperOrigin-RevId: 220869535 Change-Id: I9917e5daf02499f7aab6e2aa4051c54ff4461b9a
2018-11-09Add an implementation of a SACK scoreboard as per RFC6675.Bhasker Hariharan
PiperOrigin-RevId: 220866996 Change-Id: I89d48215df57c00d6a6ec512fc18712a2ea9080b
2018-11-09Add tests multicontainer start/stopFabricio Voznika
Each container has its respective gofer. Test that gofer can be shutdown when a container stops and that it doesn't affect other containers. PiperOrigin-RevId: 220829898 Change-Id: I2a44a3cf2a88577e6ad1133afc622bbf4a5f6591
2018-11-08Implement sync_file_range()Andrei Vagin
sync_file_range - sync a file segment with disk In Linux, sync_file_range() accepts three flags: SYNC_FILE_RANGE_WAIT_BEFORE Wait upon write-out of all pages in the specified range that have already been submitted to the device driver for write-out before performing any write. SYNC_FILE_RANGE_WRITE Initiate write-out of all dirty pages in the specified range which are not presently submitted write-out. Note that even this may block if you attempt to write more than request queue size. SYNC_FILE_RANGE_WAIT_AFTER Wait upon write-out of all pages in the range after performing any write. In this implementation: SYNC_FILE_RANGE_WAIT_BEFORE without SYNC_FILE_RANGE_WAIT_AFTER isn't supported right now. SYNC_FILE_RANGE_WRITE is skipped. It should initiate write-out of all dirty pages, but it doesn't wait, so it should be safe to do nothing while nobody uses SYNC_FILE_RANGE_WAIT_BEFORE. SYNC_FILE_RANGE_WAIT_AFTER is equal to fdatasync(). In Linux, sync_file_range() doesn't writes out the file's meta-data, but fdatasync() does if a file size is changed. PiperOrigin-RevId: 220730840 Change-Id: Iae5dfb23c2c916967d67cf1a1ad32f25eb3f6286
2018-11-08Create stubs for syscalls upto Linux 4.4.Rahat Mahmood
Create syscall stubs for missing syscalls upto Linux 4.4 and advertise a kernel version of 4.4. PiperOrigin-RevId: 220667680 Change-Id: Idbdccde538faabf16debc22f492dd053a8af0ba7
2018-11-07Add test that volume can be mounted on top of a symlinkFabricio Voznika
PiperOrigin-RevId: 220588094 Change-Id: I18915e892ceac86eac1f89ebcadffb4fdf8d0cf6
2018-11-07Fix test --race violationFabricio Voznika
SetupContainerInRoot was setting Config.RootDir unnecessarily and causing a --race violation in TestMultiContainerDestroyStarting. PiperOrigin-RevId: 220580073 Change-Id: Ie0b28c19846106c7458a92681b708ae70f87d25a
2018-11-07AsyncBarrier should be run after all defers in destroyContainerFS.Nicolas Lacasse
destroyContainerFS must wait for all async operations to finish before returning. In an attempt to do this, we call fs.AsyncBarrier() at the end of the function. However, there are many defer'd DecRefs which end up running AFTER the AsyncBarrier() call. This CL fixes this by calling fs.AsyncBarrier() in the first defer statement, thus ensuring that it runs at the end of the function, after all other defers. PiperOrigin-RevId: 220523545 Change-Id: I5e96ee9ea6d86eeab788ff964484c50ef7f64a2f
2018-11-07Add more logging to controller.goFabricio Voznika
PiperOrigin-RevId: 220519632 Change-Id: Iaeec007fc1aa3f0b72569b288826d45f2534c4bf
2018-11-07Fix flaky TestCacheResolutionTimeoutFabricio Voznika
Increase timeout to prevent the entry from being found when there is delay on the address resolution goroutine that doesn't mark the request as failed. PiperOrigin-RevId: 220504789 Change-Id: I7e44fd95d8624bd69962f862fbf5517a81395f2a
2018-11-07Bump rules_go to v0.16.1 and go toolchain to v1.11.2.Nicolas Lacasse
PiperOrigin-RevId: 220492705 Change-Id: I6b7bc11acd5d407982e0038e7f0762975a56f4d4
2018-11-06Fix problem where crictl tests would signal both error and done channelsKevin Krakauer
PiperOrigin-RevId: 220372291 Change-Id: I054ba56a23c402c7244b476d7d6fe72084942a0e
2018-11-06Move bazelrc to new locationMichael Pratt
Bazel 0.18 moved the workspace bazelrc location from //tools/bazel.rc to //.bazelrc. The old location will be dropped by a future version of bazel. This bumps the minimum required version of bazel to 0.18. More context: https://groups.google.com/forum/#!msg/bazel-discuss/ycDacctX2vw/EGFxGLibAgAJ PiperOrigin-RevId: 220338084 Change-Id: Ib6fa83a4a0f89e8e898d67152c7bd429e0b9b21e
2018-11-06Internal change.Googler
PiperOrigin-RevId: 220314735 Change-Id: Ic519567e43f6caf042b9f223e517da40640b7d38
2018-11-05Fix race between start and destroyFabricio Voznika
Before this change, a container starting up could race with destroy (aka delete) and leave processes behind. Now, whenever a container is created, Loader.processes gets a new entry. Start now expects the entry to be there, and if it's not it means that the container was deleted. I've also fixed Loader.waitPID to search for the process using the init process's PID namespace. We could use a few more tests for signal and wait. I'll send them in another cl. PiperOrigin-RevId: 220224290 Change-Id: I15146079f69904dc07d43c3b66cc343a2dab4cc4
2018-11-05Log when external signal is receivedFabricio Voznika
PiperOrigin-RevId: 220204591 Change-Id: I21a9c6f5c12a376d18da5d10c1871837c4f49ad2
2018-11-05Use correct company name in copyright headerIan Gudger
These files were added with the wrong name after all of the existing files were corrected. PiperOrigin-RevId: 220202068 Change-Id: Ia0d15233c1aa69330356a7cf16b5aa00d978e09c
2018-11-05Merge segments in sender's writeListIan Gudger
PiperOrigin-RevId: 220185891 Change-Id: Iaea73fd7b2fa8c399b989cdcaabf4885f370df4b
2018-11-01First crictl integration tests.Kevin Krakauer
More tests will come, but it's worth getting what's done so far reviewed. PiperOrigin-RevId: 219734531 Change-Id: If15ca6e6855e3d1cc28c83b5f9c3a72cb65b2e59
2018-11-01Use spec with clean paths for goferFabricio Voznika
Otherwise the gofer's attach point may be different from sandbox when there symlinks in the path. PiperOrigin-RevId: 219730492 Change-Id: Ia9c4c2d16228c6a1a9e790e0cb673fd881003fe1
2018-11-01Add new log format that is compatible with KubernetesFabricio Voznika
Fluentd configuration uses 'log' for the log message while containerd uses 'msg'. Since we can't have a single JSON format for both, add another log format and make debug log configurable. PiperOrigin-RevId: 219729658 Change-Id: I2a6afc4034d893ab90bafc63b394c4fb62b2a7a0
2018-11-01Make error messages a bit more user friendly.Ian Lewis
Updated error messages so that it doesn't print full Go struct representations when running a new container in a sandbox. For example, this occurs frequently when commands are not found when doing a 'kubectl exec'. PiperOrigin-RevId: 219729141 Change-Id: Ic3a7bc84cd7b2167f495d48a1da241d621d3ca09
2018-11-01Prevent premature destruction of shm segments.Rahat Mahmood
Shm segments can be marked for lazy destruction via shmctl(IPC_RMID), which destroys a segment once it is no longer attached to any processes. We were unconditionally decrementing the segment refcount on shmctl(IPC_RMID) which allowed a user to force a segment to be destroyed by repeatedly calling shmctl(IPC_RMID), with outstanding memory maps to the segment. This is problematic because the memory released by a segment destroyed this way can be reused by a different process while remaining accessible by the process with outstanding maps to the segment. PiperOrigin-RevId: 219713660 Change-Id: I443ab838322b4fb418ed87b2722c3413ead21845