summaryrefslogtreecommitdiffhomepage
AgeCommit message (Collapse)Author
2021-05-07Merge release-20210419.0-77-g339001204 (automated)gVisor bot
2021-05-06Implement /proc/cmdlineSteve Silva
This change implements /proc/cmdline with a basic faux command line "BOOT_IMAGE=/vmlinuz-[version]-gvisor quiet" so apps that may expect it do not receive errors. Also tests for the existence of /proc/cmdline as part of the system call test suite PiperOrigin-RevId: 372462070
2021-05-06Merge release-20210419.0-76-g9800fd8e4 (automated)gVisor bot
2021-05-06Solicit routers as long as RAs are handledGhanan Gowripalan
...to conform with Linux's `accept_ra` sysctl option. ``` accept_ra - INTEGER Accept Router Advertisements; autoconfigure using them. It also determines whether or not to transmit Router Solicitations. If and only if the functional setting is to accept Router Advertisements, Router Solicitations will be transmitted. Possible values are: 0 Do not accept Router Advertisements. 1 Accept Router Advertisements if forwarding is disabled. 2 Overrule forwarding behaviour. Accept Router Advertisements even if forwarding is enabled. Functional default: enabled if local forwarding is disabled. disabled if local forwarding is enabled. ``` With this change, routers may be solicited even if the stack is has forwarding enabled, as long as the interface is configured to handle RAs when forwarding is enabled. PiperOrigin-RevId: 372406501
2021-05-06Merge release-20210419.0-75-gf1afd9e1a (automated)gVisor bot
2021-05-06internal import of Go cloud client librariesgVisor bot
PiperOrigin-RevId: 372376653
2021-05-06Merge release-20210419.0-74-g9f33fe64f (automated)gVisor bot
2021-05-05Fixes to runsc cgroupsFabricio Voznika
When loading cgroups for another process, `/proc/self` was used in a few places, causing the end state to be a mix of the process and self. This is now fixes to always use the proper `/proc/[pid]` path. Added net_prio and net_cls to the list of optional controllers. This is to allow runsc to execute then these cgroups are disabled as long as there are no net_prio and net_cls limits that need to be applied. Deflake TestMultiContainerEvent. Closes #5875 Closes #5887 PiperOrigin-RevId: 372242687
2021-05-05Merge release-20210419.0-73-g47d1b8b4b (automated)gVisor bot
2021-05-05Automated rollback of changelist 361661726Andrei Vagin
PiperOrigin-RevId: 372221411
2021-05-05Merge release-20210419.0-72-g8e40cca4b (automated)gVisor bot
2021-05-05Allow handling RAs when forwarding is enabledGhanan Gowripalan
...to conform with Linux's `accept_ra` sysctl option. ``` accept_ra - INTEGER Accept Router Advertisements; autoconfigure using them. It also determines whether or not to transmit Router Solicitations. If and only if the functional setting is to accept Router Advertisements, Router Solicitations will be transmitted. Possible values are: 0 Do not accept Router Advertisements. 1 Accept Router Advertisements if forwarding is disabled. 2 Overrule forwarding behaviour. Accept Router Advertisements even if forwarding is enabled. Functional default: enabled if local forwarding is disabled. disabled if local forwarding is enabled. ``` PiperOrigin-RevId: 372214640
2021-05-05Send ICMP errors when the network is unreachableNick Brown
Before this change, we would silently drop packets when unable to determine a route to the destination host. This change brings us into line with RFC 792 (IPv4) and RFC 4443 (IPv6), both of which specify that gateways should return an ICMP error to the sender when unable to reach the destination. Startblock: has LGTM from asfez and then add reviewer ghanan PiperOrigin-RevId: 372214051
2021-05-05Merge release-20210419.0-70-g45884ba63 (automated)gVisor bot
2021-05-05Internal changeKevin Krakauer
PiperOrigin-RevId: 372166050
2021-05-05Merge release-20210419.0-69-gbf49a847a (automated)gVisor bot
2021-05-05Don't cleanup NDP state when enabling forwardingGhanan Gowripalan
...to match linux behaviour: ``` $ sudo sysctl net.ipv6.conf.eno1.forwarding net.ipv6.conf.eno1.forwarding = 0 $ ip addr list dev eno1 2: eno1: <...> ... inet6 PREFIX:TEMP_IID/64 scope global temporary dynamic valid_lft 209363sec preferred_lft 64024sec inet6 PREFIX:GLOBAL_STABLE_IID/64 scope global dynamic mngtmpaddr ... valid_lft 209363sec preferred_lft 209363sec inet6 fe80::LINKLOCAL_STABLE_IID/64 scope link valid_lft forever preferred_lft forever $ sudo sysctl -w "net.ipv6.conf.all.forwarding=1" net.ipv6.conf.all.forwarding = 1 $ sudo sysctl net.ipv6.conf.eno1.forwarding net.ipv6.conf.eno1.forwarding = 1 $ ip addr list dev eno1 2: eno1: <...> ... inet6 PREFIX:TEMP_IID/64 scope global temporary dynamic valid_lft 209339sec preferred_lft 64000sec inet6 PREFIX:GLOBAL_STABLE_IID/64 scope global dynamic mngtmpaddr ... valid_lft 209339sec preferred_lft 209339sec inet6 fe80::LINKLOCAL_STABLE_IID/64 scope link valid_lft forever preferred_lft forever $ ip -6 route list ... PREFIX::/64 dev eno1 proto ra metric 100 expires 209241sec pref medium default via fe80::ROUTER_IID dev eno1 proto ra ... ``` PiperOrigin-RevId: 372146689
2021-05-05Merge release-20210419.0-68-g61615f3f1 (automated)gVisor bot
2021-05-05Fix a race in reading last seen ICMP error during handshakeMithun Iyer
On receiving an ICMP error during handshake, the error is propagated by reading `endpoint.lastError`. This can race with the socket layer invoking getsockopt() with SO_ERROR where the same value is read and cleared, causing the handshake to bail out with a non-error state. Fix the race by checking for lastError state and failing the handshake with ErrConnectionAborted if the lastError was read and cleared by say SO_ERROR. The race mentioned in the bug, is caught only with the newly added tcp_test unit test, where we have control over stopping/resuming protocol loop. Adding a packetimpact test as well for sanity testing of ICMP error handling during handshake. Fixes #5922 PiperOrigin-RevId: 372135662
2021-05-05Merge release-20210419.0-67-gd924515b0 (automated)gVisor bot
2021-05-05[perf] Fix profiling in benchmarking jobs.Ayush Ranjan
Due to https://github.com/moby/moby/issues/42345, the docker daemon is passing the incorrect `--root` flag to runsc. So our profiler is not able to find the container stat files where it expects them to be. PiperOrigin-RevId: 372067954
2021-05-05Merge release-20210419.0-66-gd38437807 (automated)gVisor bot
2021-05-04Fix tcp_test listen backlog expectationMithun Iyer
Listen backlog value is 1 more than what is configured by the socket layer listen call. TestListenBacklogFull expects this behavior which is incorrect as it directly invokes endpoint Listen and with cl/369974744, backlog++ logic is moved to the callers of Listen(). This test passes sometimes, because the handshakes could overlap causing the last SYN to arrive at the listener before the previous handshake is enqueued to the accept queue. In such a case the accept queue is still not full and the SYN is replied to. The final ACK of this last handshake would get dropped eventually. PiperOrigin-RevId: 372041827
2021-05-05Merge release-20210419.0-65-g5960674c8 (automated)gVisor bot
2021-05-04Document how to handle build failures from go-marshal verbosity.Rahat Mahmood
With debugging enabled, go-marshal can generate too much output for bazel under default configurations, which can cause builds to fail. The limit defaults to 1 MB. PiperOrigin-RevId: 372030402
2021-05-04Merge release-20210419.0-64-g689b369f5 (automated)gVisor bot
2021-05-04tcp_socket_test: replace tcp_wmem with SO_SNDBUFKevin Krakauer
PiperOrigin-RevId: 372022596
2021-05-04Use cmp.Diff for tcpip.Error comparisonMithun Iyer
PiperOrigin-RevId: 372021039
2021-05-04Remove uses of the binary package from the rest of the sentry.Rahat Mahmood
PiperOrigin-RevId: 372020696
2021-05-04Merge release-20210419.0-61-gd496c285a (automated)gVisor bot
2021-05-04Add TODOs to old reference counting utility.Dean Deng
PiperOrigin-RevId: 372012795
2021-05-04Merge release-20210419.0-60-g95df852bf (automated)gVisor bot
2021-05-04Make Mount.Type optional for bind mountsFabricio Voznika
According to the OCI spec Mount.Type is an optional field and it defaults to "bind" when any of "bind" or "rbind" is included in Mount.Options. Also fix the shim to remove bind/rbind from options when mount is converted from bind to tmpfs inside the Sentry. Fixes #2330 Fixes #3274 PiperOrigin-RevId: 371996891
2021-05-04Merge release-20210419.0-59-gdd3875eab (automated)gVisor bot
2021-05-04Increase error margin for memory accounting test.Dean Deng
PiperOrigin-RevId: 371963265
2021-05-04Merge release-20210419.0-58-g2f5393375 (automated)gVisor bot
2021-05-03Merge pull request #5903 from zchee:safecopy/fix-argsgVisor bot
PiperOrigin-RevId: 371829568
2021-05-03Merge release-20210419.0-56-g279f9fcee (automated)gVisor bot
2021-05-03Implement standard clock safelyGhanan Gowripalan
Previously, tcpip.StdClock depended on linking with the unexposed method time.now to implement tcpip.Clock using the time package. This change updates the standard clock to not require manually linking to this unexported method and use publicly documented functions from the time package. PiperOrigin-RevId: 371805101
2021-05-03Merge release-20210419.0-55-gf0b3298db (automated)gVisor bot
2021-05-03Convey GSO capabilities through GSOEndpointGhanan Gowripalan
...as all GSO capable endpoints must implement GSOEndpoint. PiperOrigin-RevId: 371804175
2021-05-03Merge release-20210419.0-54-g4218ba6fb (automated)gVisor bot
2021-05-03netstack: Add a test for mixed Push/ConsumeTing-Yu Wang
Not really designed to be used this way, but it works and it's been relied upon. Add a test. PiperOrigin-RevId: 371802756
2021-05-03Merge release-20210419.0-53-g1d92396aa (automated)gVisor bot
2021-05-03Temporarily disable atime/mtime check in utimensat test.Dean Deng
PiperOrigin-RevId: 371776583
2021-05-03Merge release-20210419.0-52-g1947c8734 (automated)gVisor bot
2021-05-03Fix deadlock in /proc/[pid]/fd/[num]Fabricio Voznika
In order to resolve path names, fsSymlink.Readlink() may need to reenter kernfs. Change the code so that kernfs.Inode.Readlink() is called without locks and document the new contract. PiperOrigin-RevId: 371770222
2021-05-01Merge release-20210419.0-51-g7cafac9f4 (automated)gVisor bot
2021-05-01[perf] Check caching on IncRef'd dentries before the others.Ayush Ranjan
When a child is added to a parent (directory) dentry, both child and parent are queued for checkCachingLocked(). Make sure that the parent is queued first because the parent gained a ref and so could be removed from the LRU cache hence making space for the new child. This could prevent an LRU cache eviction. In practice, this did seem to help. ~800 RPCs were reduced while building //absl/... (ABSL build benchmark). Evictions hurt in 2 ways - create renameMu contention and destroy a possibly useful dentry which will have to be re-walked and re-opened later. Follow up fix for #5859. PiperOrigin-RevId: 371509392
2021-05-01Merge release-20210419.0-50-gcde8e8b7a (automated)gVisor bot