summaryrefslogtreecommitdiffhomepage
AgeCommit message (Collapse)Author
2020-07-15iptables: remove check for NetworkHeaderKevin Krakauer
This is no longer necessary, as we always set NetworkHeader before calling iptables.Check. PiperOrigin-RevId: 321461978
2020-07-15Merge pull request #3022 from prattmic:runsc_do_pdeathsiggVisor bot
PiperOrigin-RevId: 321449877
2020-07-15fdbased: Vectorized write for packet; relax writev syscall filter.Ting-Yu Wang
Now it calls pkt.Data.ToView() when writing the packet. This may require copying when the packet is large, which puts the worse case in an even worse situation. This sent out in a separate preparation change as it requires syscall filter changes. This change will be followed by the change for the adoption of the new PacketHeader API. PiperOrigin-RevId: 321447003
2020-07-15Add support for SO_ERROR to packet sockets.Bhasker Hariharan
Packet sockets also seem to allow double binding and do not return an error on linux. This was tested by running the syscall test in a linux namespace as root and the current test DoubleBind fails@HEAD. Passes after this change. Updates #173 PiperOrigin-RevId: 321445137
2020-07-15Fix minor bugs in a couple of interface IOCTLs.Bhasker Hariharan
gVisor incorrectly returns the wrong ARP type for SIOGIFHWADDR. This breaks tcpdump as it tries to interpret the packets incorrectly. Similarly, SIOCETHTOOL is used by tcpdump to query interface properties which fails with an EINVAL since we don't implement it. For now change it to return EOPNOTSUPP to indicate that we don't support the query rather than return EINVAL. NOTE: ARPHRD types for link endpoints are distinct from NIC capabilities and NIC flags. In Linux all 3 exist eg. ARPHRD types are stored in dev->type field while NIC capabilities are more like the device features which can be queried using SIOCETHTOOL but not modified and NIC Flags are fields that can be modified from user space. eg. NIC status (UP/DOWN/MULTICAST/BROADCAST) etc. Updates #2746 PiperOrigin-RevId: 321436525
2020-07-15Fix errors not getting caught when building vm image.Ting-Yu Wang
`set -e` does not catch errors in bash command substituions like `echo $(bad cmd)` so bazel thinks it succeeded and cached the result. PiperOrigin-RevId: 321412327
2020-07-15Apply pdeathsig to gofer for runsc run/doMichael Pratt
Much like the boot process, apply pdeathsig to the gofer for cases where the sandbox lifecycle is attached to the parent (runsc run/do). This isn't strictly necessary, as the gofer normally exits once the sentry disappears, but this makes that extra reliable.
2020-07-15Merge pull request #3165 from ridwanmsharif:ridwanmsharif/fuse-off-by-defaultgVisor bot
PiperOrigin-RevId: 321411758
2020-07-15Merge pull request #3242 from btw616:fix/issue-3241gVisor bot
PiperOrigin-RevId: 321403149
2020-07-15hostinet: fix fd leak in fdnotifier for VFS2Tiwei Bie
When we failed to create the new socket after adding the fd to fdnotifier, we should remove the fd from fdnotifier, because we are going to close the fd directly. Fixes: #3241 Signed-off-by: Tiwei Bie <tiwei.btw@antgroup.com>
2020-07-14Update special file option name in comment.Dean Deng
PiperOrigin-RevId: 321269281
2020-07-14remove IPv6 dockerKevin Krakauer
Will re-submit when ICMP dest unreachable is handled correctly and it can be turned back on. PiperOrigin-RevId: 321227330
2020-07-14Test IPv6 fragment reassemblyZeling Feng
A packetimpact test for: "A node must be able to accept a fragmented packet that, after reassembly, is as large as 1500 octets." PiperOrigin-RevId: 321210729
2020-07-14Prepare boot.Loader to support multi-container TTYFabricio Voznika
- Combine process creation code that is shared between root and subcontainer processes - Move root container information into a struct for clarity Updates #2714 PiperOrigin-RevId: 321204798
2020-07-14Add support for UDP IPv6Jay Zhuang
Also ironed out all the bugs found on the IPv6 code path that affects socket bind, send and receive. PiperOrigin-RevId: 321202653
2020-07-13Enable experimental features in docker.Ting-Yu Wang
PiperOrigin-RevId: 321062975
2020-07-13Merge pull request #3200 from lubinszARM:pr_kvm_ut_1gVisor bot
PiperOrigin-RevId: 321060717
2020-07-13Merge pull request #2672 from amscanne:shim-integratedgVisor bot
PiperOrigin-RevId: 321053634
2020-07-13Disable debug time adjustment loggingFabricio Voznika
When --debug is enabled, the following log messages are printed every second filling up the log: D0430 18:04:42.823775 129561 parameters.go:238] Clock(Monotonic): error: 46 ns, adjusted frequency from 3591713733 Hz to 3591714196 Hz D0430 18:04:42.823870 129561 parameters.go:238] Clock(Realtime): error: 36 ns, adjusted frequency from 3591714003 Hz to 3591714169 Hz D0430 18:04:42.823892 129561 timekeeper.go:209] Updating VDSO parameters: {monotonicReady:1 monotonicBaseCycles:15758797714254696 monotonicBaseRef:29000233837 monotonicFrequency:3591714196 realtimeReady:1 realtimeBaseCycles:15758797714610880 realtimeBaseRef:1588269882823867374 realtimeFrequency:3591714169} Info and warning messages for larger changes are kept the same. PiperOrigin-RevId: 321048523
2020-07-13Don't run issue reviver on forks.Ian Lewis
Add a conditional to avoid running the issue reviver on forks. It will always cause errors since bug references in the source code don't match issue IDs in forked repos. PiperOrigin-RevId: 321042060
2020-07-13Fix recvMMsgDispatcher not slicing link header correctly.Ting-Yu Wang
PiperOrigin-RevId: 321035635
2020-07-13Fix runtime test targetAyush Ranjan
PiperOrigin-RevId: 321029113
2020-07-13Clean up inotify comments.Dean Deng
PiperOrigin-RevId: 321028238
2020-07-13iptables: remove useless ip6tables VM rulesKevin Krakauer
This rule isn't restored when the Kokoro VM is restarted, so it's not doing anything. And the problem it was meant to solved is instead addressed by https://github.com/google/gvisor/pull/3207. PiperOrigin-RevId: 321026846
2020-07-13[vfs2] Make gofer metadata atomics consistentAyush Ranjan
For accessing metadata fields: - If metadataMu is locked, we can access without atomics - If metadataMu is unlocked, we should use atomics For mutating metadata fields: - Always lock metadataMu and use atomics. There were some instances of inconsistencies which have been fixed. PiperOrigin-RevId: 321022895
2020-07-13Initial golang BenchmarksZach Koopmans
PiperOrigin-RevId: 321021071
2020-07-13Merge pull request #3136 from lubinszARM:pr_sys64_1gVisor bot
PiperOrigin-RevId: 321020733
2020-07-13Add ReadAllFd to test utilFabricio Voznika
PiperOrigin-RevId: 321008185
2020-07-13garbage collect connectionsKevin Krakauer
As in Linux, we must periodically clean up unused connections. PiperOrigin-RevId: 321003353
2020-07-13Create packetimpact test for UDP broadcastJay Zhuang
PiperOrigin-RevId: 321000340
2020-07-13Automated rollback of changelist 320972241Adin Scannell
PiperOrigin-RevId: 320999851
2020-07-13Print testbench log on packetimpact failuresJay Zhuang
These logs include flags passed to packetimpact tests (the Go tests), and test failure messages. PiperOrigin-RevId: 320989521
2020-07-13Use host networking for build container.Adin Scannell
This will allow the use of default credentials. PiperOrigin-RevId: 320972241
2020-07-12Do not copy sleep.WakerGhanan Gowripalan
sleep.Waker's fields are modified as values. PiperOrigin-RevId: 320873451
2020-07-11Runtime test batch executorAyush Ranjan
Earlier we were docker exec-ing each test at a time. However invoking the test framework has a fixed overhead which made it infeasible to make the runtime tests run as presubmits. This change now executes tests in batches of 50 (can be altered). This really speeds up testing process. With this change, the following tests can be run in reasonable times: - Go - Nodejs - Php - Python PiperOrigin-RevId: 320763916
2020-07-11Stub out SO_DETACH_FILTER.Bhasker Hariharan
Updates #2746 PiperOrigin-RevId: 320757963
2020-07-10Split the kvm ut test cases to correspond to different platformsBin Lu
Split the kvm ut test cases to pass unit-tests on Arm64. I will add the tls and full-context test cases for Arm64 later. Signed-off-by: Bin Lu <bin.lu@arm.com>
2020-07-09Discard multicast UDP source address.gVisor bot
RFC-1122 (and others) specify that UDP should not receive datagrams that have a source address that is a multicast address. Packets should never be received FROM a multicast address. See also, RFC 768: 'User Datagram Protocol' J. Postel, ISI, 28 August 1980 A UDP datagram received with an invalid IP source address (e.g., a broadcast or multicast address) must be discarded by UDP or by the IP layer (see rfc 1122 Section 3.2.1.3). This CL does not address TCP or broadcast which is more complicated. Also adds a test for both ipv6 and ipv4 UDP. Fixes #3154 PiperOrigin-RevId: 320547674
2020-07-09Update shim to build using bazel.Adin Scannell
The go.mod dependency tree for the shim was somehow contradictory. After resolving these issues (e.g. explicitly imported k8s 1.14, pulling a specific dbus version), and adding all dependencies, the shim can now be build as part of the regular bazel tree. As part of this process, minor cleanup was done in all the source files: headers were standardized (and include "The gVisor Authors" in addition to the "The containerd Authors" if originally derived from containerd sources), and comments were cleaned up to meet coding standards. This change makes the containerd installation dynamic, so that multiple versions can be tested, and drops the static installer for the VM image itself. This change also updates test/root/crictl_test.go and related utilities, so that the containerd tests can be run on any version (and in cases where it applies, they can be run on both v1 and v2 as parameterized tests).
2020-07-09Allow arbitrary Go commands for go_mod.sh.Adin Scannell
2020-07-09Update canonical paths.Adin Scannell
2020-07-09Merge gvisor-containerd-shimAdin Scannell
2020-07-09Add support for IP_HDRINCL IP option for raw sockets.Bhasker Hariharan
Updates #2746 Fixes #3158 PiperOrigin-RevId: 320497190
2020-07-09Add args and netns flag to runsc specIan Lewis
Adds a netns flag to runsc spec that allows users to specify a network namespace path when creating a sample config.json file. Also, adds the ability to specify the command arguments used when running the container. This will make it easier for new users to create sample OCI bundles without having to edit the config.json by hand. PiperOrigin-RevId: 320486267
2020-07-09Explain how to bypass the Docker proxyMichael Pratt
Neither myself nor bhaskerh@ can consistently remember how to do this. PiperOrigin-RevId: 320407005
2020-07-09Gate FUSE behind a runsc flagRidwan Sharif
This change gates all FUSE commands (by gating /dev/fuse) behind a runsc flag. In order to use FUSE commands, use the --fuse flag with the --vfs2 flag. Check if FUSE is enabled by running dmesg in the sandbox.
2020-07-08Add shared mount hints to VFS2Fabricio Voznika
Container restart test is disabled for VFS2 for now. Updates #1487 PiperOrigin-RevId: 320296401
2020-07-08Merge pull request #3171 from kevinGC:ipv6-kokorogVisor bot
PiperOrigin-RevId: 320290162
2020-07-08Drop empty lineMichael Pratt
PiperOrigin-RevId: 320281516
2020-07-08ip6tables: handle both IPv4 and v6 addressesKevin Krakauer
Enabling IPv6 in Docker caused IPv4 tests to fail because localAddrs didn't distinguish between address types. Example failure: https://source.cloud.google.com/results/invocations/203b2401-3333-4bec-9a56-72cc53d68ddd/log