summaryrefslogtreecommitdiffhomepage
AgeCommit message (Collapse)Author
2021-05-21Add aggregated NIC statsArthur Sfez
This change also includes miscellaneous improvements: * UnknownProtocolRcvdPackets has been separated into two stats, to specify at which layer the unknown protocol was found (L3 or L4) * MalformedRcvdPacket is not aggregated across every endpoint anymore. Doing it this way did not add useful information, and it was also error-prone (example: ipv6 forgot to increment this aggregated stat, it only incremented its own ipv6.MalformedPacketsReceived). It is now only incremented the NIC. * Removed TestStatsString test which was outdated and had no real utility. PiperOrigin-RevId: 375057472
2021-05-21Clean-up netstack metrics descriptionsArthur Sfez
PiperOrigin-RevId: 375051638
2021-05-20Send SIGPIPE for closed pipes.Ian Lewis
Fixes #5974 Updates #161 PiperOrigin-RevId: 375024740
2021-05-20Merge pull request #6037 from sudo-sturbia:docgVisor bot
PiperOrigin-RevId: 375007632
2021-05-20Add Knative Services tutorialIan Lewis
This adds a new short tutorial on how to run Knative services in gVisor by enabling the runtime class feature flag for Knative. Fixes #3634 PiperOrigin-RevId: 374999528
2021-05-20Add protocol state to TCPINFOMithun Iyer
Add missing protocol state to TCPINFO struct and update packetimpact. This re-arranges the TCP state definitions to align with Linux. Fixes #478 PiperOrigin-RevId: 374996751
2021-05-20Automated rollback of changelist 374319456gVisor bot
PiperOrigin-RevId: 374983747
2021-05-20Suppress log message when there is no errorFabricio Voznika
PiperOrigin-RevId: 374981100
2021-05-20Fix cgroupfs mount racing with unmount.Rahat Mahmood
Previously, mount could discover a hierarchy being destroyed concurrently, which resulted in mount attempting to take a ref on an already destroyed cgroupfs. Reported-by: syzbot+062c0a67798a200f23ee@syzkaller.appspotmail.com PiperOrigin-RevId: 374959054
2021-05-20Format precondition to match style guide.Zyad A. Ali
2021-05-19Send ICMP errors when link address resolution failsNick Brown
Before this change, we would silently drop packets when link resolution failed. This change brings us into line with RFC 792 (IPv4) and RFC 4443 (IPv6), both of which specify that gateways should return an ICMP error to the sender when link resolution fails. PiperOrigin-RevId: 374699789
2021-05-19Fix nogo analysis.Adin Scannell
Ignore calls to atomic functions in case there is no analysis information. It is unclear why this has broken in some cases, perhaps these functions have been replaced by intrinsics as an optimization? PiperOrigin-RevId: 374682441
2021-05-18use more explicit netstack dependency restrictionsKevin Krakauer
Fuchsia was unable to build when building netstack transitively depended on golang.org/x/unix constants not defined in Fuchsia. The packages causing this (safemem and usermem) are no longer in the allowlist. Tested that this failed at cl/373651666, and passes now that the dependency has been removed. PiperOrigin-RevId: 374570220
2021-05-18Be explicit about setsid() return values in pty.ccKevin Krakauer
PiperOrigin-RevId: 374570219
2021-05-18Prevent infinite loops from being optimized away.gVisor bot
https://github.com/llvm/llvm-project/commit/6c3129549374c0e81e28fd0a21e96f8087b63a78 adds "mustprogress" to loops, which causes empty, side-effect free loops to be optimized away. These loops are intentionally infinite for purposes of testing, so add asm statements that prevent them from being removed. PiperOrigin-RevId: 374546142
2021-05-18Merge pull request #6009 from kevinGC:anotheraligngVisor bot
PiperOrigin-RevId: 374545882
2021-05-18Merge pull request #5908 from zhlhahaha:2157gVisor bot
PiperOrigin-RevId: 374517895
2021-05-18Delete /cloud/gvisor/sandbox/sentry/gofer/opened_write_execute_file metricNayana Bidari
This metric is replaced by /cloud/gvisor/sandbox/sentry/suspicious_operations metric with field value opened_write_execute_file. PiperOrigin-RevId: 374509823
2021-05-18[syserror] Add linuxerr package.Zach Koopmans
Add linuxerr package to replace syserror and syserr errors. This is done to improve performance comparing/returning errors to on par with syscall.Errno. The below linuxerr_test (formerly syserror_test) shows linuxerr.Error on par with unix.Error (syscall.Errno) as desired. BenchmarkAssignErrno BenchmarkAssignErrno-6 1000000000 0.6291 ns/op BenchmarkLinuxerrAssignError BenchmarkLinuxerrAssignError-6 1000000000 0.5808 ns/op BenchmarkAssignSyserrorError BenchmarkAssignSyserrorError-6 1000000000 0.6188 ns/op BenchmarkCompareErrno BenchmarkCompareErrno-6 1000000000 0.5041 ns/op BenchmarkCompareLinuxerrError BenchmarkCompareLinuxerrError-6 1000000000 0.4660 ns/op BenchmarkCompareSyserrorError BenchmarkCompareSyserrorError-6 309026907 3.386 ns/op BenchmarkSwitchErrno BenchmarkSwitchErrno-6 722253750 1.440 ns/op BenchmarkSwitchLinuxerrError BenchmarkSwitchLinuxerrError-6 709108542 1.453 ns/op BenchmarkSwitchSyserrorError BenchmarkSwitchSyserrorError-6 106331331 11.21 ns/op PiperOrigin-RevId: 374507431
2021-05-18Emit more information on panicTamir Duberstein
PiperOrigin-RevId: 374464969
2021-05-17Add badges for Github actions so it's easier to notice when they are failing.Ian Lewis
PiperOrigin-RevId: 374331016
2021-05-17Automated rollback of changelist 373417636Jamie Liu
PiperOrigin-RevId: 374319456
2021-05-17Merge pull request #5224 from avagin:bazel-3.7gVisor bot
PiperOrigin-RevId: 374295866
2021-05-17Update bazel packagesAndrei Vagin
2021-05-17Reduce thread count in TCPResetDuringClose.Jamie Liu
This test suffers from extreme contention on tcpip/stack.AddressableEndpointState.mu via AddressableEndpointState.decAddressRef, at least when Go race detection is enabled. PiperOrigin-RevId: 374273745
2021-05-17Make sandbox join the pod cgroup in K8sFabricio Voznika
cgroups in K8s are setup with the following hierarchy: `.../pod/container`. The sandbox is created with the first container and consequently uses the the pause container cgroup. This change removes the container cgroup from the path to make the sandbox use the pod cgroup instead. Otherwise limits set to the pause container will apply to the entire sandbox. PiperOrigin-RevId: 374273277
2021-05-17replace use of atomic with AlignedAtomicInt64Kevin Krakauer
2021-05-17Rename variables in IP forwarding testsNick Brown
Previously, we named domain objects using numbers (e.g. "e1", "e2" etc). This change renames objects to clarify whether they are part of the incoming or outgoing path. PiperOrigin-RevId: 374226859
2021-05-14Add stuck tasks and startup stuck tasks to weirdness metricNayana Bidari
Weirdness metric will replace the below two metrics: - watchdog/stuck_startup_detected - watchdog/stuck_tasks_detected PiperOrigin-RevId: 373895696
2021-05-14Validate DAD configs when initializing DAD stateGhanan Gowripalan
Make sure that the initial configurations used by the DAD state is valid. Before this change, an invalid DAD configuration (with a zero-valued retransmit timer) was used so the DAD state would attempt to resolve DAD immediately. This lead to a deadlock in TestDADResolve as when DAD resolves, the stack notifies the NDP dispatcher which would attempt to write to an unbuffered channel while holding a lock. The test goroutine also attempts to obtain a stack.Route (before receiving from the channel) which ends up attempting to take the same lock. Test: stack_test.TestDADResolve PiperOrigin-RevId: 373888540
2021-05-14Control forwarding per NetworkEndpointGhanan Gowripalan
...instead of per NetworkProtocol to better conform with linux (https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt): ``` conf/interface/* forwarding - BOOLEAN Enable IP forwarding on this interface. This controls whether packets received _on_ this interface can be forwarded. ``` Fixes #5932. PiperOrigin-RevId: 373888000
2021-05-14Add new metric for suspicious operations.Nayana Bidari
The new metric contains fields and will replace the below existing metric: - opened_write_execute_file PiperOrigin-RevId: 373884604
2021-05-14Add hash15 label for tests.Andrei Vagin
PiperOrigin-RevId: 373875071
2021-05-14Resolve remaining O_PATH TODOs.Dean Deng
O_PATH is now implemented in vfs2. Fixes #2782. PiperOrigin-RevId: 373861410
2021-05-14Add verity_mmap testsChong Cai
PiperOrigin-RevId: 373854462
2021-05-14Don't read forwarding from netstack in sentryGhanan Gowripalan
https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt: /proc/sys/net/ipv4/* Variables: ip_forward - BOOLEAN 0 - disabled (default) not 0 - enabled Forward Packets between interfaces. This variable is special, its change resets all configuration parameters to their default state (RFC1122 for hosts, RFC1812 for routers) /proc/sys/net/ipv4/ip_forward only does work when its value is changed and always returns the last written value. The last written value may not reflect the current state of the netstack (e.g. when `ip_forward` was written a value of "1" then disable forwarding on an interface) so there is no need for sentry to probe netstack to get the current forwarding state of interfaces. ``` ~$ cat /proc/sys/net/ipv4/ip_forward 0 ~$ sudo bash -c "echo 1 > /proc/sys/net/ipv4/ip_forward" ~$ cat /proc/sys/net/ipv4/ip_forward 1 ~$ sudo sysctl -a | grep ipv4 | grep forward net.ipv4.conf.all.forwarding = 1 net.ipv4.conf.default.forwarding = 1 net.ipv4.conf.eno1.forwarding = 1 net.ipv4.conf.lo.forwarding = 1 net.ipv4.conf.wlp1s0.forwarding = 1 net.ipv4.ip_forward = 1 net.ipv4.ip_forward_update_priority = 1 net.ipv4.ip_forward_use_pmtu = 0 ~$ sudo sysctl -w net.ipv4.conf.wlp1s0.forwarding=0 net.ipv4.conf.wlp1s0.forwarding = 0 ~$ sudo sysctl -a | grep ipv4 | grep forward net.ipv4.conf.all.forwarding = 1 net.ipv4.conf.default.forwarding = 1 net.ipv4.conf.eno1.forwarding = 1 net.ipv4.conf.lo.forwarding = 1 net.ipv4.conf.wlp1s0.forwarding = 0 net.ipv4.ip_forward = 1 net.ipv4.ip_forward_update_priority = 1 net.ipv4.ip_forward_use_pmtu = 0 ~$ cat /proc/sys/net/ipv4/ip_forward 1 ~$ sudo bash -c "echo 1 > /proc/sys/net/ipv4/ip_forward" ~$ sudo sysctl -a | grep ipv4 | grep forward net.ipv4.conf.all.forwarding = 1 net.ipv4.conf.default.forwarding = 1 net.ipv4.conf.eno1.forwarding = 1 net.ipv4.conf.lo.forwarding = 1 net.ipv4.conf.wlp1s0.forwarding = 0 net.ipv4.ip_forward = 1 net.ipv4.ip_forward_update_priority = 1 net.ipv4.ip_forward_use_pmtu = 0 ~$ sudo bash -c "echo 0 > /proc/sys/net/ipv4/ip_forward" ~$ sudo sysctl -a | grep ipv4 | grep forward sysctl: unable to open directory "/proc/sys/fs/binfmt_misc/" net.ipv4.conf.all.forwarding = 0 net.ipv4.conf.default.forwarding = 0 net.ipv4.conf.eno1.forwarding = 0 net.ipv4.conf.lo.forwarding = 0 net.ipv4.conf.wlp1s0.forwarding = 0 net.ipv4.ip_forward = 0 net.ipv4.ip_forward_update_priority = 1 net.ipv4.ip_forward_use_pmtu = 0 ~$ cat /proc/sys/net/ipv4/ip_forward 0 ``` In the above example we can see that writing "1" to /proc/sys/net/ipv4/ip_forward configures the stack to be a router (all interfaces are configured to enable forwarding). However, if we manually update an interace (`wlp1s0`) to not forward packets, /proc/sys/net/ipv4/ip_forward continues to return the last written value of "1", even though not all interfaces will forward packets. Also note that writing the same value twice has no effect; work is performed iff the value changes. This change also removes the 'unset' state from sentry's ip forwarding data structures as an 'unset' ip forwarding value is the same as leaving forwarding disabled as the stack is always brought up with forwarding initially disabled; disabling forwarding on a newly created stack is a no-op. PiperOrigin-RevId: 373853106
2021-05-14pkg/buffer: Remove dependency to safemem, code no longer usedTing-Yu Wang
PiperOrigin-RevId: 373846881
2021-05-14Fix panic on consume in a mixed push/consume caseTing-Yu Wang
headerOffset() is incorrectly taking account of previous push(), so it thinks there is more data to consume. This change switches to use pk.reserved as pivot point. Reported-by: syzbot+64fef9acd509976f9ce7@syzkaller.appspotmail.com PiperOrigin-RevId: 373846283
2021-05-14Fix cgroup hierarchy registration.Rahat Mahmood
Previously, registration was racy because we were publishing hierarchies in the registry without fully initializing the underlying filesystem. This led to concurrent mount(2)s discovering the partially intialized filesystems and dropping the final refs on them which cause them to be freed prematurely. Reported-by: syzbot+13f54e77bdf59f0171f0@syzkaller.appspotmail.com Reported-by: syzbot+2c7f0a9127ac6a84f17e@syzkaller.appspotmail.com PiperOrigin-RevId: 373824552
2021-05-13Check filter table when forwarding IP packetsGhanan Gowripalan
This change updates the forwarding path to perform the forwarding hook with iptables so that the filter table is consulted before a packet is forwarded Updates #170. Test: iptables_test.TestForwardingHook PiperOrigin-RevId: 373702359
2021-05-13Apply SWS avoidance to ACKs with window updatesMithun Iyer
When recovering from a zero-receive-window situation, and asked to send out an ACK, ensure that we apply SWS avoidance in our window updates. Fixes #5984 PiperOrigin-RevId: 373689578
2021-05-13Merge pull request #5983 from btw616:fix/issue-5982gVisor bot
PiperOrigin-RevId: 373661350
2021-05-13Fix problem with grouped cgroupsFabricio Voznika
cgroup controllers can be grouped together (e.g. cpu,cpuacct) and that was confusing Cgroup.Install() into thinking that a cgroup directory was created by the caller, when it had being created by another controller that is grouped together. PiperOrigin-RevId: 373661336
2021-05-13Migrate PacketBuffer to use pkg/bufferTing-Yu Wang
Benchmark iperf3: Before After native->runsc 5.14 5.01 (Gbps) runsc->native 4.15 4.07 (Gbps) It did introduce overhead, mainly at the bridge between pkg/buffer and VectorisedView, the ExtractVV method. Once endpoints start migrating away from VV, this overhead will be gone. Updates #2404 PiperOrigin-RevId: 373651666
2021-05-13Rename SetForwarding to SetForwardingDefaultAndAllNICsGhanan Gowripalan
...to make it clear to callers that all interfaces are updated with the forwarding flag and that future NICs will be created with the new forwarding state. PiperOrigin-RevId: 373618435
2021-05-12Fix TODO comments.Ian Lewis
Fix TODO comments referring to incorrect issue numbers. Also fix the link in issue reviver comments to include the right url fragment. PiperOrigin-RevId: 373491821
2021-05-13Fix file descriptor leak in MultiGetAttrTiwei Bie
We need to make sure that all children are closed before return. But the last child saved in parent isn't closed after we successfully iterate all the files in "names". This patch fixes this issue. Fixes #5982 Signed-off-by: Tiwei Bie <tiwei.btw@antgroup.com>
2021-05-12Send ICMP errors when unable to forward fragmented packetsNick Brown
Before this change, we would silently drop packets when the packet was too big to be sent out through the NIC (and, for IPv4 packets, if DF was set). This change brings us into line with RFC 792 (IPv4) and RFC 4443 (IPv6), both of which specify that gateways should return an ICMP error to the sender when the packet can't be fragmented. PiperOrigin-RevId: 373480078
2021-05-12Merge pull request #5975 from kevinGC:align32-mipsgVisor bot
PiperOrigin-RevId: 373466994
2021-05-12Fix not calling decRef on merged segmentsTing-Yu Wang
This code path is for outgoing packets, and we don't currently do memory accounting on this path. So it wasn't breaking anything. This change did not add a test for ref-counting issue fixed, but will switch to the leak-checking ref-counter later when all ref-counting issues are fixed. PiperOrigin-RevId: 373447913