Age | Commit message | Author
2021-05-18 | Merge release-20210510.0-49-g3c24d345d (automated) | gVisor bot
2021-05-17 | Automated rollback of changelist 373417636 | Jamie Liu
PiperOrigin-RevId: 374319456
2021-05-17 | Merge pull request #5224 from avagin:bazel-3.7 | gVisor bot
PiperOrigin-RevId: 374295866
2021-05-17 | Update bazel packages | Andrei Vagin
2021-05-17 | Merge release-20210510.0-46-ge6cd1ff1b (automated) | gVisor bot
2021-05-17 | Reduce thread count in TCPResetDuringClose. | Jamie Liu
This test suffers from extreme contention on tcpip/stack.AddressableEndpointState.mu via AddressableEndpointState.decAddressRef, at least when Go race detection is enabled.

PiperOrigin-RevId: 374273745
2021-05-17 | Merge release-20210510.0-45-gd96499d17 (automated) | gVisor bot
2021-05-17 | Make sandbox join the pod cgroup in K8s | Fabricio Voznika
cgroups in K8s are set up with the following hierarchy: `.../pod/container`. The sandbox is created with the first container and consequently uses the pause container cgroup. This change removes the container cgroup from the path to make the sandbox use the pod cgroup instead. Otherwise limits set on the pause container will apply to the entire sandbox.

PiperOrigin-RevId: 374273277
2021-05-17 | Merge release-20210510.0-44-g7654181cc (automated) | gVisor bot
2021-05-17 | Rename variables in IP forwarding tests | Nick Brown
Previously, we named domain objects using numbers (e.g. "e1", "e2" etc). This change renames objects to clarify whether they are part of the incoming or outgoing path.

PiperOrigin-RevId: 374226859
2021-05-15 | Merge release-20210510.0-43-g8e8b75252 (automated) | gVisor bot
2021-05-14 | Add stuck tasks and startup stuck tasks to weirdness metric | Nayana Bidari
Weirdness metric will replace the below two metrics:
- watchdog/stuck_startup_detected
- watchdog/stuck_tasks_detected

PiperOrigin-RevId: 373895696
2021-05-14 | Merge release-20210510.0-42-g820c77d5e (automated) | gVisor bot
2021-05-14 | Validate DAD configs when initializing DAD state | Ghanan Gowripalan
Make sure that the initial configurations used by the DAD state are valid. Before this change, an invalid DAD configuration (with a zero-valued retransmit timer) was used, so the DAD state would attempt to resolve DAD immediately. This led to a deadlock in TestDADResolve: when DAD resolves, the stack notifies the NDP dispatcher, which would attempt to write to an unbuffered channel while holding a lock. The test goroutine also attempts to obtain a stack.Route (before receiving from the channel), which ends up attempting to take the same lock.

Test: stack_test.TestDADResolve
PiperOrigin-RevId: 373888540
2021-05-14 | Control forwarding per NetworkEndpoint | Ghanan Gowripalan
...instead of per NetworkProtocol to better conform with Linux (https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt):

```
conf/interface/* forwarding - BOOLEAN
	Enable IP forwarding on this interface. This controls whether packets
	received _on_ this interface can be forwarded.
```

Fixes #5932.
PiperOrigin-RevId: 373888000
2021-05-14 | Merge release-20210510.0-40-g25f0ab331 (automated) | gVisor bot
2021-05-14 | Add new metric for suspicious operations. | Nayana Bidari
The new metric contains fields and will replace the below existing metric:
- opened_write_execute_file

PiperOrigin-RevId: 373884604
2021-05-14 | Merge release-20210510.0-39-gf8d79e94e (automated) | gVisor bot
2021-05-14 | Add hash15 label for tests. | Andrei Vagin
PiperOrigin-RevId: 373875071
2021-05-14 | Merge release-20210510.0-38-g894187b2c (automated) | gVisor bot
2021-05-14 | Resolve remaining O_PATH TODOs. | Dean Deng
O_PATH is now implemented in vfs2.

Fixes #2782.
PiperOrigin-RevId: 373861410
2021-05-14 | Merge release-20210510.0-37-geb7e83f64 (automated) | gVisor bot
2021-05-14 | Add verity_mmap tests | Chong Cai
PiperOrigin-RevId: 373854462
2021-05-14 | Merge release-20210510.0-36-g600d14f83 (automated) | gVisor bot
2021-05-14 | Don't read forwarding from netstack in sentry | Ghanan Gowripalan
https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt:

```
/proc/sys/net/ipv4/* Variables:

ip_forward - BOOLEAN
	0 - disabled (default)
	not 0 - enabled

	Forward Packets between interfaces.

	This variable is special, its change resets all configuration
	parameters to their default state (RFC1122 for hosts, RFC1812
	for routers)
```

/proc/sys/net/ipv4/ip_forward only does work when its value is changed and always returns the last written value. The last written value may not reflect the current state of the netstack (e.g. when `ip_forward` was written a value of "1" and forwarding was then disabled on an interface), so there is no need for sentry to probe netstack to get the current forwarding state of interfaces.

```
~$ cat /proc/sys/net/ipv4/ip_forward
0
~$ sudo bash -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
~$ cat /proc/sys/net/ipv4/ip_forward
1
~$ sudo sysctl -a | grep ipv4 | grep forward
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.eno1.forwarding = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.wlp1s0.forwarding = 1
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
~$ sudo sysctl -w net.ipv4.conf.wlp1s0.forwarding=0
net.ipv4.conf.wlp1s0.forwarding = 0
~$ sudo sysctl -a | grep ipv4 | grep forward
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.eno1.forwarding = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.wlp1s0.forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
~$ cat /proc/sys/net/ipv4/ip_forward
1
~$ sudo bash -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
~$ sudo sysctl -a | grep ipv4 | grep forward
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.eno1.forwarding = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.wlp1s0.forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
~$ sudo bash -c "echo 0 > /proc/sys/net/ipv4/ip_forward"
~$ sudo sysctl -a | grep ipv4 | grep forward
sysctl: unable to open directory "/proc/sys/fs/binfmt_misc/"
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.eno1.forwarding = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.wlp1s0.forwarding = 0
net.ipv4.ip_forward = 0
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
~$ cat /proc/sys/net/ipv4/ip_forward
0
```

In the above example we can see that writing "1" to /proc/sys/net/ipv4/ip_forward configures the stack to be a router (all interfaces are configured to enable forwarding). However, if we manually update an interface (`wlp1s0`) to not forward packets, /proc/sys/net/ipv4/ip_forward continues to return the last written value of "1", even though not all interfaces will forward packets. Also note that writing the same value twice has no effect; work is performed iff the value changes.

This change also removes the 'unset' state from sentry's ip forwarding data structures, as an 'unset' ip forwarding value is the same as leaving forwarding disabled: the stack is always brought up with forwarding initially disabled, so disabling forwarding on a newly created stack is a no-op.

PiperOrigin-RevId: 373853106
2021-05-14 | Merge release-20210510.0-35-g2ac6b7688 (automated) | gVisor bot
2021-05-14 | pkg/buffer: Remove dependency to safemem, code no longer used | Ting-Yu Wang
PiperOrigin-RevId: 373846881
2021-05-14 | Fix panic on consume in a mixed push/consume case | Ting-Yu Wang
headerOffset() is incorrectly taking account of previous push(), so it thinks there is more data to consume. This change switches to use pk.reserved as pivot point.

Reported-by: syzbot+64fef9acd509976f9ce7@syzkaller.appspotmail.com
PiperOrigin-RevId: 373846283
2021-05-14 | Merge release-20210510.0-33-g78ae3db1a (automated) | gVisor bot
2021-05-14 | Fix cgroup hierarchy registration. | Rahat Mahmood
Previously, registration was racy because we were publishing hierarchies in the registry without fully initializing the underlying filesystem. This led to concurrent mount(2)s discovering the partially initialized filesystems and dropping the final refs on them, which caused them to be freed prematurely.

Reported-by: syzbot+13f54e77bdf59f0171f0@syzkaller.appspotmail.com
Reported-by: syzbot+2c7f0a9127ac6a84f17e@syzkaller.appspotmail.com
PiperOrigin-RevId: 373824552
2021-05-14 | Merge release-20210510.0-32-g2b457d9ee (automated) | gVisor bot
2021-05-13 | Check filter table when forwarding IP packets | Ghanan Gowripalan
This change updates the forwarding path to perform the forwarding hook with iptables so that the filter table is consulted before a packet is forwarded.

Updates #170.
Test: iptables_test.TestForwardingHook
PiperOrigin-RevId: 373702359
2021-05-14 | Merge release-20210510.0-31-g7ea2dcbae (automated) | gVisor bot
2021-05-13 | Apply SWS avoidance to ACKs with window updates | Mithun Iyer
When recovering from a zero-receive-window situation, and asked to send out an ACK, ensure that we apply SWS avoidance in our window updates.

Fixes #5984
PiperOrigin-RevId: 373689578
2021-05-13 | Merge release-20210510.0-30-g3894c9fcb (automated) | gVisor bot
2021-05-13 | Merge pull request #5983 from btw616:fix/issue-5982 | gVisor bot
PiperOrigin-RevId: 373661350
2021-05-13 | Merge release-20210510.0-28-gf3478b751 (automated) | gVisor bot
2021-05-13 | Fix problem with grouped cgroups | Fabricio Voznika
cgroup controllers can be grouped together (e.g. cpu,cpuacct), and that was confusing Cgroup.Install() into thinking that a cgroup directory was created by the caller, when it had been created by another controller that is grouped together.

PiperOrigin-RevId: 373661336
2021-05-13 | Merge release-20210510.0-27-g84f04cc85 (automated) | gVisor bot
2021-05-13 | Migrate PacketBuffer to use pkg/buffer | Ting-Yu Wang
Benchmark iperf3:

```
                 Before  After
native->runsc    5.14    5.01  (Gbps)
runsc->native    4.15    4.07  (Gbps)
```

It did introduce overhead, mainly at the bridge between pkg/buffer and VectorisedView, the ExtractVV method. Once endpoints start migrating away from VV, this overhead will be gone.

Updates #2404
PiperOrigin-RevId: 373651666
2021-05-13 | Merge release-20210510.0-26-gbaa0888f1 (automated) | gVisor bot
2021-05-13 | Rename SetForwarding to SetForwardingDefaultAndAllNICs | Ghanan Gowripalan
...to make it clear to callers that all interfaces are updated with the forwarding flag and that future NICs will be created with the new forwarding state.

PiperOrigin-RevId: 373618435
2021-05-13 | Merge release-20210503.0-53-ge6a9780f3 (automated) | gVisor bot
2021-05-12 | Fix TODO comments. | Ian Lewis
Fix TODO comments referring to incorrect issue numbers. Also fix the link in issue reviver comments to include the right url fragment.

PiperOrigin-RevId: 373491821
2021-05-13 | Fix file descriptor leak in MultiGetAttr | Tiwei Bie
We need to make sure that all children are closed before returning. But the last child saved in parent isn't closed after we successfully iterate all the files in "names". This patch fixes this issue.

Fixes #5982
Signed-off-by: Tiwei Bie <tiwei.btw@antgroup.com>
2021-05-12 | Merge release-20210503.0-52-g29f4b71eb (automated) | gVisor bot
2021-05-12 | Send ICMP errors when unable to forward fragmented packets | Nick Brown
Before this change, we would silently drop packets when the packet was too big to be sent out through the NIC (and, for IPv4 packets, if DF was set). This change brings us into line with RFC 792 (IPv4) and RFC 4443 (IPv6), both of which specify that gateways should return an ICMP error to the sender when the packet can't be fragmented.

PiperOrigin-RevId: 373480078
2021-05-12 | Merge release-20210503.0-51-g9854e5ac4 (automated) | gVisor bot
2021-05-12 | Merge pull request #5975 from kevinGC:align32-mips | gVisor bot
PiperOrigin-RevId: 373466994
2021-05-12 | Merge release-20210503.0-48-gba6de2153 (automated) | gVisor bot