summaryrefslogtreecommitdiffhomepage
AgeCommit message (Collapse)Author
2019-08-01Set sandbox oom_score_adjIan Lewis
Set /proc/self/oom_score_adj based on oomScoreAdj specified in the OCI bundle. When new containers are added to the sandbox oom_score_adj for the sandbox and all other gofers are adjusted so that oom_score_adj is equal to the lowest oom_score_adj of all containers in the sandbox. Fixes #512 PiperOrigin-RevId: 261242725
2019-08-01Drop reference on fs.Inode if Mount goes wrong.Nicolas Lacasse
PiperOrigin-RevId: 261203674
2019-08-01tmpfs and ramfs Dirs should drop references on children in Release().Nicolas Lacasse
This is the source of many warnings like: AtomicRefCount 0x7f5ff84e3500 owned by "fs.Inode" garbage collected with ref count of 1 (want 0) PiperOrigin-RevId: 261197093
2019-08-01Implement getsockopt(TCP_INFO).Rahat Mahmood
Export some readily-available fields for TCP_INFO and stub out the rest. PiperOrigin-RevId: 261191548
2019-07-31Basic support for 'ip route'Ian Lewis
Implements support for RTM_GETROUTE requests for netlink sockets. Fixes #507 PiperOrigin-RevId: 261051045
2019-07-31Fix test execution bugs in proctor-go and proctor-python.Brett Landau
proctor-go had a bug where it would incorrectly identify a tool test as a disk test. Instead of searching for the test on disk as the identification method, we now check if the test name ends in ".go". If the test ends in ".go" it is run as a disk test, otherwise the test is run as a tool test. Python tests need to be run from within the directory they exist. Functionality to split the test name from it's parent directory has been added and a cmd.Dir argument has been set. PiperOrigin-RevId: 261021693
2019-07-31Flipcall refinements.Jamie Liu
Note that some of these changes affect the protocol in backward-incompatible ways. - Replace use of "initially-active" and "initially-inactive" with "client" and "server" respectively for clarity. - Fix a race condition involving Endpoint.Shutdown() by repeatedly invoking FUTEX_WAKE until it is confirmed that no local thread is blocked in FUTEX_WAIT. - Drop flipcall.ControlMode. PiperOrigin-RevId: 260981382
2019-07-31Initialize kernel.unimplementedSyscallEmitter with a sync.Once.Nicolas Lacasse
This is initialized lazily on the first unimplemented syscall. Without the sync.Once, this is racy. PiperOrigin-RevId: 260971758
2019-07-31Refactor proctor binaries to implement testRunner interface.Brett Landau
Shared code among proctor-*.go files has been refactored into common/common.go. The common package is imported in each proctor binary and a struct is created to implement the testRunner interface defined in common.go. This allows for the proctor binaries to be updated without having to copy/paste the same code across all files. There are no usage or functionality changes. PiperOrigin-RevId: 260967080
2019-07-31Fix ICMPv4 EchoReply packet checksumAustin Kiekintveld
The checksum was not being reset before being re-calculated and sent out. This caused the sent checksum to always be `0x0800`. Fixes #605. PiperOrigin-RevId: 260965059
2019-07-31Test connecting UDP sockets to the ANY addressTamir Duberstein
This doesn't currently pass on gVisor. While I'm here, fix a bug where connecting to the v6-mapped v4 address doesn't work in gVisor. PiperOrigin-RevId: 260923961
2019-07-30Cache pages in CachingInodeOperations.Read when memory evictions are delayed.Jamie Liu
PiperOrigin-RevId: 260851452
2019-07-30ext: Migrate from using fileReader custom interface to using io.Reader.Ayush Ranjan
It gets rid of holding state of the io.Reader offset (which is anyways held by the vfs.FileDescriptor struct. It is also odd using a io.Reader becuase we using io.ReaderAt to interact with the device. So making a io.ReaderAt wrapper makes more sense. Most importantly, it gets rid of the complexity of extracting the file reader from a regular file implementation and then using it. Now we can just use the regular file implementation as a reader which is more intuitive. PiperOrigin-RevId: 260846927
2019-07-30ext: block map file reader implementation.Ayush Ranjan
Also adds stress tests for block map reader and intensifies extent reader tests. PiperOrigin-RevId: 260838177
2019-07-30Remove unused const variablesIan Lewis
PiperOrigin-RevId: 260824989
2019-07-30Pass ProtocolAddress instead of its fieldsTamir Duberstein
PiperOrigin-RevId: 260803517
2019-07-30Merge pull request #607 from DarcySail:mastergVisor bot
PiperOrigin-RevId: 260783254
2019-07-30Add feature to launch Sentry from an open host FD.Zach Koopmans
Adds feature to launch from an open host FD instead of a binary_path. The FD should point to a valid executable and most likely be statically compiled. If the executable is not statically compiled, the loader will search along the interpreter paths, which must be able to be resolved in the Sandbox's file system or start will fail. PiperOrigin-RevId: 260756825
2019-07-30Change syscall.POLL to syscall.PPOLL.Haibo Xu
syscall.POLL is not supported on arm64, using syscall.PPOLL to support both the x86 and arm64. refs #63 Signed-off-by: Haibo Xu <haibo.xu@arm.com> Change-Id: I2c81a063d3ec4e7e6b38fe62f17a0924977f505e COPYBARA_INTEGRATE_REVIEW=https://github.com/google/gvisor/pull/543 from xiaobo55x:master ba598263fd3748d1addd48e4194080aa12085164 PiperOrigin-RevId: 260752049
2019-07-29Migrate from using io.ReadSeeker to io.ReaderAt.Ayush Ranjan
This provides the following benefits: - We can now use pkg/fd package which does not take ownership of the file descriptor. So it does not close the fd when garbage collected. This reduces scope of errors from unexpected garbage collection of io.File. - It enforces the offset parameter in every read call. It does not affect the fd offset nor is it affected by it. Hence reducing scope of error of using stale offsets when reading. - We do not need to serialize the usage of any global file descriptor anymore. So this drops the mutual exclusion req hence reducing complexity and congestion. PiperOrigin-RevId: 260635174
2019-07-30Combine multiple epoll events copiesHang Su
Allocate a larger memory buffer and combine multiple copies into one copy, to reduce the number of copies from kernel memory to user memory. Signed-off-by: Hang Su <darcy.sh@antfin.com>
2019-07-29ext: extent reader implementation.Ayush Ranjan
PiperOrigin-RevId: 260629559
2019-07-29ext: inode implementations.Ayush Ranjan
PiperOrigin-RevId: 260624470
2019-07-29Use x/sys/unix for sentry/host interaction; abi is for guest/sentry.Christopher Koch
PiperOrigin-RevId: 260613864
2019-07-29Rate limit the unimplemented syscall event handler.Nicolas Lacasse
This introduces two new types of Emitters: 1. MultiEmitter, which will forward events to other registered Emitters, and 2. RateLimitedEmitter, which will forward events to a wrapped Emitter, subject to given rate limits. The methods in the eventchannel package itself act like a multiEmitter, but is not actually an Emitter. Now we have a DefaultEmitter, and the methods in eventchannel simply forward calls to the DefaultEmitter. The unimplemented syscall handler now uses a RateLimetedEmitter that wraps the DefaultEmitter. PiperOrigin-RevId: 260612770
2019-07-29Fix flaky stat.cc test.Zach Koopmans
This test flaked on my current CL. Linux makes no guarantee that two inodes will consecutive (overflows happen). https://github.com/avagin/linux-task-diag/blob/master/fs/inode.c#L880 PiperOrigin-RevId: 260608240
2019-07-29Move runtimes tests to appropriate directory.Samantha Sample
PiperOrigin-RevId: 260577765
2019-07-29Add iptables types for syscalls tests.Kevin Krakauer
Unfortunately, Linux's ip_tables.h header doesn't compile in C++ because it implicitly converts from void* to struct xt_entry_target*. C allows this, but C++ does not. So we have to re-implement many types ourselves. Relevant code here: https://github.com/torvalds/linux/blob/master/include/uapi/linux/netfilter_ipv4/ip_tables.h#L222 PiperOrigin-RevId: 260565570
2019-07-26runsc: propagate the alsologtostderr to sub-commandsAndrei Vagin
PiperOrigin-RevId: 260239119
2019-07-26Add debug symbols to published runsc binaryFabricio Voznika
This allows published binary to be debugged if needed. PiperOrigin-RevId: 260228367
2019-07-26Merge pull request #452 from zhangningdlut:chris_test_pidnsgVisor bot
PiperOrigin-RevId: 260220279
2019-07-26Publish Dockerfiles and test-runner binaries for running language tests.Samantha Sample
By following the directions in the README file, these Dockerfiles can be built and used to run native language tests for their respective runtimes. PiperOrigin-RevId: 260174430
2019-07-25Automated rollback of changelist 255679453Fabricio Voznika
PiperOrigin-RevId: 260047477
2019-07-24ext: filesystem boilerplate code.Ayush Ranjan
PiperOrigin-RevId: 259865366
2019-07-24ext: Add tests for root directory inode.Ayush Ranjan
PiperOrigin-RevId: 259856442
2019-07-24ext: testing environment setup with VFS2 support.Ayush Ranjan
PiperOrigin-RevId: 259835948
2019-07-24Add support for a subnet prefix length on interface network addressesChris Kuiper
This allows the user code to add a network address with a subnet prefix length. The prefix length value is stored in the network endpoint and provided back to the user in the ProtocolAddress type. PiperOrigin-RevId: 259807693
2019-07-24Use different pidns among different containerschris.zn
The different containers in a sandbox used only one pid namespace before. This results in that a container can see the processes in another container in the same sandbox. This patch use different pid namespace for different containers. Signed-off-by: chris.zn <chris.zn@antfin.com>
2019-07-23ext: Inode creation logic.Ayush Ranjan
PiperOrigin-RevId: 259666476
2019-07-23ext: Add ext2 and ext3 tiny images.Ayush Ranjan
PiperOrigin-RevId: 259657917
2019-07-23ext: Added extent tree building logic.Ayush Ranjan
PiperOrigin-RevId: 259628657
2019-07-23Give each container a distinct MountNamespace.Nicolas Lacasse
This keeps all container filesystem completely separate from eachother (including from the root container filesystem), and allows us to get rid of the "__runsc_containers__" directory. It also simplifies container startup/teardown as we don't have to muck around in the root container's filesystem. PiperOrigin-RevId: 259613346
2019-07-23Make runAllTests() consistent with listTests().Brett Landau
This change has the listTests() function return a string slice of all the tests. Originally, I planned not to modify the listTests() function and instead capture the output of it and then iterate through the captured output. I decided against this approach as most of the test binaries already produce a slice as they collect tests through filepath.Walk(). Now I use this slice and return it so that I can iterate through in runAllTests() and also when printing out the tests. PiperOrigin-RevId: 259599782
2019-07-23Deduplicate EndpointState.connected someTamir Duberstein
This fixes a bug introduced in cl/251934850 that caused connect-accept-close-connect races to result in the second connect call failiing when it should have succeeded. PiperOrigin-RevId: 259584525
2019-07-22Fix up and add some iptables ABI.Kevin Krakauer
PiperOrigin-RevId: 259437060
2019-07-22Merge pull request #571 from lubinszARM:pr_loadergVisor bot
PiperOrigin-RevId: 259427074
2019-07-22kvm: fix race between machine.Put and machine.GetAndrei Vagin
m.available.Signal() has to be called under m.mu.RLock, otherwise it can race with machine.Get: m.Get | m.Put ------------------------------------- m.mu.Lock() | Seatching available vcpu| | m.available.Signal() m.available.Wait | PiperOrigin-RevId: 259394051
2019-07-22Prototype integration of runtime language tests for Node.js into gVisor.Samantha Sample
This is the first version of a testing program to be used by gVisor for including language testing into their presubmits. It works when ran in the same manor the image and integration tests are ran in as described in their README file. PiperOrigin-RevId: 259392416
2019-07-22Fix struct statx field alignment.Jamie Liu
PiperOrigin-RevId: 259376740
2019-07-21Add ARM64 support to pkg/sentry/loaderBin Lu
Signed-off-by: Bin Lu <bin.lu@arm.com>