Age | Commit message (Collapse) | Author |
|
By default, fusefs defers node permission checks to the server. The
default_permissions mount option enables the usual unix permission
checks based on the node owner and mode bits. Previously fusefs was
incorrectly checking permissions unconditionally.
Additionally, fusefs should restrict filesystem access to processes
started by the mount owner to prevent the fuse daemon from gaining
priviledge over other processes. The allow_other mount option
overrides this behaviour. Previously fusefs was incorrectly skipping
this check.
Updates #3229
PiperOrigin-RevId: 362419092
|
|
This binary is used to recursively enable and generate Merkle tree files
for all files and directories in a file system from inside a gVisor
sandbox.
PiperOrigin-RevId: 362418770
|
|
PiperOrigin-RevId: 362416183
|
|
The Merkle tree files need to be cleared before enabling to avoid
redundant content.
PiperOrigin-RevId: 362409591
|
|
PiperOrigin-RevId: 362406813
|
|
PiperOrigin-RevId: 362360425
|
|
|
|
PiperOrigin-RevId: 362297474
|
|
The previous "bind" filesystem, already included in go/runsc-benchmarks
is a remote re-validate mount. However, the non-re-validate mount
was not present, and it has been added in the form of rootfs.
Also, fix the fio runs to reads/writes of 10GB as running
with --test.benchtime=Xs may scale beyond the memory available
to tmpfs mounts on buildkite VMs. Currently, our buildkite
pipelines are run on e2-standard-8 machines with 32GB of memory,
allowing tmpfs mounts to safely be at least 10GB.
PiperOrigin-RevId: 362143620
|
|
👋 hello there! I'm a fellow Googler who works on projects that leverage GitHub Actions for CI/CD. Recently I noticed a large increase in our queue time, and I've tracked it down to the [limit of 180 concurrent jobs](https://docs.github.com/en/actions/reference/usage-limits-billing-and-administration) for an organization. To help be better citizens, I'm proposing changes across a few repositories that will reduce GitHub Actions hours and consumption. I hope these changes are reasonable and I'm happy to talk through them in more detail.
- (**you were already doing this, thank you!**) Only run GitHub Actions for pushes and PRs against the main branch of the repository. If your team uses a forking model, this change will not affect you. If your team pushes branches to the repository directly, this changes actions to only run against the primary branches or if you open a Pull Request against a primary branch.
- For long-running jobs (especially tests), I added the "Cancel previous" workflow. This is very helpful to prevent a large queue backlog when you are doing rapid development and pushing multiple commits. Without this, GitHub Actions' default behavior is to run all actions on all commits.
There are other changes you could make, depending on your project (but I'm not an expert):
- If you have tests that should only run when a subset of code changes, consider gating your workflow to particular file paths. For example, we have some jobs that do Terraform linting, but [they only run when Terraform files are changed](https://github.com/google/exposure-notifications-verification-server/blob/c4f59fee71042cf668747e599e7c769fca736554/.github/workflows/terraform.yml#L3-L11).
Hopefully these changes are not too controversial and also hopefully you can see how this would reduce actions consumption to be good citizens to fellow Googlers. If you have any questions, feel free to respond here or ping me on chat. Thank you!
|
|
PiperOrigin-RevId: 361962416
|
|
panic: interface conversion: interface {} is syscall.WaitStatus, not unix.WaitStatus
goroutine 1 [running]:
main.runTestCaseNative(0xc0001fc000, 0xe3, 0xc000119b60, 0x1, 0x1, 0x0, 0x0)
test/runner/runner.go:185 +0xa94
main.main()
test/runner/runner.go:118 +0x745
PiperOrigin-RevId: 361957796
|
|
- Implement Stringer for it so that we can improve error messages.
- Use TCPFlags through the code base. There used to be a mixed usage of byte,
uint8 and int as TCP flags.
PiperOrigin-RevId: 361940150
|
|
Kernels after 3b830a9c return EAGAIN in this case.
PiperOrigin-RevId: 361936327
|
|
Speeds up the socket stress tests by a couple orders of magnitude.
PiperOrigin-RevId: 361721050
|
|
Thread from earlier test can show up in `/proc/self/tasks` while the
thread tears down. Account for that when searching for procs for the
first time in the test.
PiperOrigin-RevId: 361689673
|
|
PiperOrigin-RevId: 361689477
|
|
The dynamic type user defines the marshalling logic, so we don't need to test
for things like alignment, absence of slices, etc.
For dynamic types, the go_marshal generator just generates the missing methods
required to implement marshal.Marshallable.
PiperOrigin-RevId: 361676311
|
|
Run all tests (or a given test partition) in a single sandbox.
Previously, each individual unit test executed in a new
sandbox, which takes much longer to execute.
Before After
Syscall tests: 37m22.768s 14m5.272s
PiperOrigin-RevId: 361661726
|
|
Fix a race where the DUT could send out test data before it received the
peer window advertisement. Such a race results in the DUT taking longer
time to retransmit zero window probe, thus causing the test to fail
receiving the last expected probe.
To ensure this ordering, piggyback a non-zero payload with the zero
window advertisement and let the DUT receive that, before continuing
with the test.
PiperOrigin-RevId: 361640241
|
|
Remove part of test that was making it flaky. It runs for native only,
so not really important since it's not testing gVisor.
Before: http://sponge2/37557c41-298e-408d-9b54-50ba3d41e22f
After: http://sponge2/7bca72be-cb9b-42f8-8c54-af4956c39455
PiperOrigin-RevId: 361611512
|
|
The syscall package has been deprecated in favor of golang.org/x/sys.
Note that syscall is still used in some places because the following don't seem
to have an equivalent in unix package:
- syscall.SysProcIDMap
- syscall.Credential
Updates #214
PiperOrigin-RevId: 361381490
|
|
The syscall package has been deprecated in favor of golang.org/x/sys.
Note that syscall is still used in some places because the following don't seem
to have an equivalent in unix package:
- syscall.SysProcIDMap
- syscall.Credential
Updates #214
PiperOrigin-RevId: 361332034
|
|
Updates #5597
PiperOrigin-RevId: 361252003
|
|
IPv4 would violate the lock ordering of protocol > endpoint when closing
network endpoints by calling `ipv4.protocol.forgetEndpoint` while
holding the network endpoint lock.
PiperOrigin-RevId: 361232817
|
|
The integrator may be interested in who owns a duplicate address so
pass this information (if available) along.
Fixes #5605.
PiperOrigin-RevId: 361213556
|
|
PiperOrigin-RevId: 361196154
|
|
Some OSs behave slightly differently, but still within the RFC. It can be useful
to have access to uname information from the testbench.
PiperOrigin-RevId: 361193766
|
|
While I'm here, update NDPDispatcher.OnDuplicateAddressDetectionStatus to
take a DADResult and rename it to OnDuplicateAddressDetectionResult.
Fixes #5606.
PiperOrigin-RevId: 360965416
|
|
The only user is in (*handshake).complete and it specifies MaxRTO, so there is
no behavior changes.
PiperOrigin-RevId: 360954447
|
|
clientEP.Connect may fail because serverEP was not listening.
PiperOrigin-RevId: 360780667
|
|
One of the preparation to decouple underlying buffer implementation.
There are still some methods that tie to VectorisedView, and they will be
changed gradually in later CLs.
This CL also introduce a new ICMPv6ChecksumParams to replace long list of
parameters when calling ICMPv6Checksum, aiming to be more descriptive.
PiperOrigin-RevId: 360778149
|
|
(*os.PathError).Timeout does the same thing.
PiperOrigin-RevId: 360756784
|
|
PiperOrigin-RevId: 360732928
|
|
Changes the neighbor_cache_test.go tests to always assert UpdatedAtNanos.
Completes the assertion of UpdatedAtNanos in every NUD test, a field that was
historically not checked due to the lack of a deterministic, controllable
clock. This is no longer true with the tcpip.Clock interface. While the tests
have been adjusted to use Clock, asserting by the UpdatedAtNanos was neglected.
Fixes #4663
PiperOrigin-RevId: 360730077
|
|
This validates that struct fields if annotated with "// checklocks:mu" where
"mu" is a mutex field in the same struct then access to the field is only
done with "mu" locked.
All types that are guarded by a mutex must be annotated with
// +checklocks:<mutex field name>
For more details please refer to README.md.
PiperOrigin-RevId: 360729328
|
|
While I'm here, simplify the comments and unify naming of certain stats
across protocols.
PiperOrigin-RevId: 360728849
|
|
- Removed (*testbench.Connection)(&conn) like casts
- Removed redundant definition of Drain, Close and ExpectFrame
PiperOrigin-RevId: 360727788
|
|
The syscall package has been deprecated in favor of golang.org/x/sys.
Note that syscall is still used in the following places:
- pkg/sentry/socket/hostinet/stack.go: some netlink related functionalities
are not yet available in golang.org/x/sys.
- syscall.Stat_t is still used in some places because os.FileInfo.Sys() still
returns it and not unix.Stat_t.
Updates #214
PiperOrigin-RevId: 360701387
|
|
Add reverse operation to mitigate that just enables
all CPUs.
PiperOrigin-RevId: 360511215
|
|
PiperOrigin-RevId: 360491700
|
|
Prevent the situation where callers to (*stack).GetLinkAddress provide
incorrect arguments and are unable to observe this condition.
Updates #5583.
PiperOrigin-RevId: 360481557
|
|
io.Reader.ReadFull returns the number of bytes copied and an error if fewer
bytes were read.
PiperOrigin-RevId: 360247614
|
|
There is a short race where in Write an endpoint can transition from writable
to non-writable state due to say an incoming RST during the time we release
the endpoint lock and reacquire after copying the payload. In such a case
if the write happens to be a zero sized write we end up trying to call
sendData() even though nothing was queued.
This can panic when trying to enable/disable TCP timers if the endpoint had
already transitioned to a CLOSED/ERROR state due to the incoming RST as we
cleanup timers when the protocol goroutine terminates.
Sadly the race window is small enough that my attempts at reproducing the panic
in a syscall test has not been successful.
PiperOrigin-RevId: 359887905
|
|
Changes the neighbor_entry_test.go tests to always assert UpdatedAtNanos.
This field was historically not checked due to the lack of a deterministic,
controllable clock. This is no longer true with the tcpip.Clock interface.
While the tests have been adjusted to use Clock, asserting by the
UpdatedAtNanos was neglected.
Subsequent work is needed to assert UpdatedAtNanos in the neighbor cache tests.
Updates #4663
PiperOrigin-RevId: 359868254
|
|
Converts entryTestLinkResolver and testNUDDispatcher to use the embedded
sync.Mutex pattern for fields that may be accessed concurrently from different
gorountines.
Fixes #5541
PiperOrigin-RevId: 359826169
|
|
Adds helper functions for transitioning into common states. This reduces the
boilerplate by a fair amount, decreasing the barriers to entry for new features
added to neighborEntry.
PiperOrigin-RevId: 359810465
|
|
Also increase refcount of raw.endpoint.route while in use.
Avoid allocating an array of size zero.
PiperOrigin-RevId: 359797788
|
|
Without this change, the error produced is quite useless:
--- FAIL: TestZeroWindowProbeRetransmit (11.44s)
tcp_zero_window_probe_retransmit_test.go:81: expected a probe with sequence number 824638527212: loop 5
FAIL
PiperOrigin-RevId: 359796370
|
|
Use maybeSendSegment while sending segments in RACK recovery which checks if
the receiver has space and splits the segments when the segment size is
greater than MSS.
PiperOrigin-RevId: 359641097
|