Age | Commit message (Collapse) | Author |
|
Netstack has traditionally parsed headers on-demand as a packet moves up the
stack. This is conceptually simple and convenient, but incompatible with
iptables, where headers can be inspected and mangled before even a routing
decision is made.
This changes header parsing to happen early in the incoming packet path, as soon
as the NIC gets the packet from a link endpoint. Even if an invalid packet is
found (e.g. a TCP header of insufficient length), the packet is passed up the
stack for proper stats bookkeeping.
PiperOrigin-RevId: 315179302
|
|
PiperOrigin-RevId: 315166991
|
|
PiperOrigin-RevId: 315041419
|
|
This is mostly syscall plumbing, VFS2 already implements the internals of
mounts. In addition to the syscall defintions, the following mount-related
mechanisms are updated:
- Implement MS_NOATIME for VFS2, but only for tmpfs and goferfs. The other VFS2
filesystems don't implement node-level timestamps yet.
- Implement the 'mode', 'uid' and 'gid' mount options for VFS2's tmpfs.
- Plumb mount namespace ownership, which is necessary for checking appropriate
capabilities during mount(2).
Updates #1035
PiperOrigin-RevId: 315035352
|
|
This analysis also catches a potential bug, which is a split on mapPhysical.
This would have led to potential guest-exit during Mapping (although this
would have been handled by the now-unecessary retryInGuest loop).
PiperOrigin-RevId: 315025106
|
|
PiperOrigin-RevId: 315020368
|
|
Loopback traffic is not affected by rules in the PREROUTING chain.
This change is also necessary for istio's envoy to talk to other
components in the same pod.
|
|
PiperOrigin-RevId: 315018295
|
|
This change has multiple small components.
First, the chunk size is bumped to 1GB in order to avoid creating excessive
VMAs in the Sentry, which can lead to VMA exhaustion (and hitting limits).
Second, gap-tracking is added to the usage set in order to efficiently scan
for available regions.
Third, reclaim is moved to a simple segment set. This is done to allow the
order of reclaim to align with the Allocate order (which becomes much more
complex when trying to track a "max page" as opposed to "min page", so we
just track explicit segments instead, which should make reclaim scanning
faster anyways).
Finally, the findAvailable function attempts to scan from the top-down, in
order to maximize opportunities for VMA merging in applications (hopefully
preventing the same VMA exhaustion that can affect the Sentry).
PiperOrigin-RevId: 315009249
|
|
The current task can share its fdtable with a few other tasks,
but after exec, this should be a completely separate process.
PiperOrigin-RevId: 314999565
|
|
PiperOrigin-RevId: 314997564
|
|
PiperOrigin-RevId: 314996457
|
|
For TCP sockets gVisor incorrectly returns EAGAIN when no ephemeral ports are
available to bind during a connect. Linux returns EADDRNOTAVAIL. This change
fixes gVisor to return the correct code and adds a test for the same.
This change also fixes a minor bug for ping sockets where connect() would fail
with EINVAL unless the socket was bound first.
Also added tests for testing UDP Port exhaustion and Ping socket port
exhaustion.
PiperOrigin-RevId: 314988525
|
|
PiperOrigin-RevId: 314970516
|
|
PiperOrigin-RevId: 314855924
|
|
IPTables.connections contains a sync.RWMutex. Copying it will trigger copylocks
analysis. Tested by manually enabling nogo tests.
sync.RWMutex is added to IPTables for the additional race condition discovered.
PiperOrigin-RevId: 314817019
|
|
- Always split segments larger than MSS.
Currently, we base the segment split decision as a function of the
send congestion window and MSS, which could be greater than the MSS
advertised by remote.
- While splitting segments, ensure the PSH flag is reset when there
are segments that are queued to be sent.
- With TCP_CORK, hold up segments up until MSS. Fix a bug in computing
available send space before attempting to coalesce segments.
Fixes #2832
PiperOrigin-RevId: 314802928
|
|
It isn't used.
PiperOrigin-RevId: 314775492
|
|
PiperOrigin-RevId: 314630516
|
|
A few tests use hard coded port numbers, so we need to guruantee that
these ports will not be used for somthing else.
|
|
Historically we've been passing PacketBuffer by shallow copying through out
the stack. Right now, this is only correct as the caller would not use
PacketBuffer after passing into the next layer in netstack.
With new buffer management effort in gVisor/netstack, PacketBuffer will
own a Buffer (to be added). Internally, both PacketBuffer and Buffer may
have pointers and shallow copying shouldn't be used.
Updates #2404.
PiperOrigin-RevId: 314610879
|
|
b/36576592 calls out an edge case previously not supported
by HostFS. HostFS is currently being removed, meaning gVisor
supports this feature. Simply add the test to open_test.
PiperOrigin-RevId: 314610226
|
|
We must hold f.mu to write f.offset.
PiperOrigin-RevId: 314582968
|
|
PiperOrigin-RevId: 314570894
|
|
The --quick-generate-key command wasn't added until recently.
PiperOrigin-RevId: 314570297
|
|
Updates #179
PiperOrigin-RevId: 314563830
|
|
If the entire segment cannot be accommodated in the receiver advertised
window and if there are still unacknowledged pending segments, skip
splitting the segment. The segment transmit would get retried by the
retransmit handler.
PiperOrigin-RevId: 314538523
|
|
PiperOrigin-RevId: 314450191
|
|
PiperOrigin-RevId: 314449030
|
|
PiperOrigin-RevId: 314415253
|
|
PiperOrigin-RevId: 314415164
|
|
This change adds more information about what needs to be done
to implement `/dev/fuse`
|
|
And don't parse binary paths for the build target.
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
|
Updates #1487
PiperOrigin-RevId: 314271995
|
|
- Add /tmp handling
- Apply mount options
- Enable more container_test tests
- Forward signals to child process when test respaws process
to run as root inside namespace.
Updates #1487
PiperOrigin-RevId: 314263281
|
|
Splice, setxattr and removexattr should generate events. Note that VFS2 already
generates events for extended attributes.
Updates #1479.
PiperOrigin-RevId: 314244261
|
|
gofer.filesystem.createAndOpenChildLocked() doesn't need to take a reference on
the new dentry since vfs.FileDescription.Init() will do so.
PiperOrigin-RevId: 314242127
|
|
Using tee instead of read to detect when a O_RDONLY|O_NONBLOCK pipe FD has a
writer circumvents the problem of what to do with the byte read from the pipe,
avoiding much of the complexity of the fdpipe package.
PiperOrigin-RevId: 314216146
|
|
PiperOrigin-RevId: 314208973
|
|
SetTraceback("all") does not include all goroutines in panics (you didn't think
it was that simple, did you?). It includes all _user_ goroutines; those started
by the runtime (such as GC workers) are excluded.
Switch to "system" to additionally include runtime goroutines, which are useful
to track down bugs in the runtime itself.
PiperOrigin-RevId: 314204473
|
|
PiperOrigin-RevId: 314192441
|
|
PiperOrigin-RevId: 314192359
|
|
PiperOrigin-RevId: 314186752
|
|
No writes are expected to the underlying filesystem when
using --overlay.
PiperOrigin-RevId: 314171457
|
|
PiperOrigin-RevId: 314157710
|
|
This will make tag & release workflows idempotent.
PiperOrigin-RevId: 314154888
|
|
Fixes #1666
PiperOrigin-RevId: 314148384
|
|
PiperOrigin-RevId: 313878910
|
|
PiperOrigin-RevId: 313871804
|
|
None of the dependencies have changed in 1.15. It may be possible to simplify
some of the wrappers in rawfile following 1.13, but that can come in a later
change.
PiperOrigin-RevId: 313863264
|