Age | Commit message | Author
2018-11-01 | Make error messages a bit more user friendly. | Ian Lewis
Updated error messages so that it doesn't print full Go struct representations when running a new container in a sandbox. For example, this occurs frequently when commands are not found when doing a 'kubectl exec'. PiperOrigin-RevId: 219729141 Change-Id: Ic3a7bc84cd7b2167f495d48a1da241d621d3ca09
2018-11-01 | Prevent premature destruction of shm segments. | Rahat Mahmood
Shm segments can be marked for lazy destruction via shmctl(IPC_RMID), which destroys a segment once it is no longer attached to any processes. We were unconditionally decrementing the segment refcount on shmctl(IPC_RMID) which allowed a user to force a segment to be destroyed by repeatedly calling shmctl(IPC_RMID), with outstanding memory maps to the segment. This is problematic because the memory released by a segment destroyed this way can be reused by a different process while remaining accessible by the process with outstanding maps to the segment. PiperOrigin-RevId: 219713660 Change-Id: I443ab838322b4fb418ed87b2722c3413ead21845
2018-11-01 | modify modeRegexp to adapt the default spec of containerd | Juan
https://github.com/containerd/containerd/blob/master/oci/spec.go#L206, the mode=755 didn't match the pattern modeRegexp = regexp.MustCompile("0[0-7][0-7][0-7]"). Closes #112 Signed-off-by: Juan <xionghuan.cn@gmail.com> Change-Id: I469e0a68160a1278e34c9e1dbe4b7784c6f97e5a PiperOrigin-RevId: 219672525
2018-11-01 | Close http.Response.Body after Get request. | Kevin Krakauer
From https://golang.org/pkg/net/http/#Get: "When err is nil, resp always contains a non-nil resp.Body. Caller should close resp.Body when done reading from it." PiperOrigin-RevId: 219658052 Change-Id: I556e88ac4f2c90cd36ab16cd3163d1a52afc32b7
2018-10-31 | Mark amutex_test as flaky. | Rahat Mahmood
PiperOrigin-RevId: 219575226 Change-Id: If4e67b29110332c94013513fb111ec7e019f2915
2018-10-31 | Fix a race where keepalives could be sent while there is pending data | Ian Gudger
PiperOrigin-RevId: 219571556 Change-Id: I5a1042c1cb05eb2711eb01627fd298bad6c543a6
2018-10-31 | Use syserr style error translation in netstack's rawfile | Ian Gudger
Replacing map lookups with slice indexing is higher performance. PiperOrigin-RevId: 219569901 Change-Id: I9b7cd22abd4b95383025edbd5a80d1c1a4496936
2018-10-31 | kvm: simplify floating point logic. | Adin Scannell
This reduces the number of floating point save/restore cycles required (since we don't need to restore immediately following the switch, this always happens in a known context) and allows the kernel hooks to capture state. This lets us remove calls like "Current()". PiperOrigin-RevId: 219552844 Change-Id: I7676fa2f6c18b9919718458aa888b832a7db8cab
2018-10-31 | kvm: add detailed traces on vCPU errors. | Adin Scannell
This improves debuggability greatly. PiperOrigin-RevId: 219551560 Change-Id: I2ecaffdd1c17b0d9f25911538ea6f693e2bc699f
2018-10-31 | Make lazy open the mode of operation for fsgofer | Fabricio Voznika
With recent changes to 9P server, path walks are now safe inside open, create, rename and setattr calls. To simplify the code, remove the lazyopen=false mode that was used for bind mounts, and converge all mounts to using lazy open. PiperOrigin-RevId: 219508628 Change-Id: I073e7e1e2e9a9972d150eaf4cb29e553997a9b76
2018-10-31 | kvm: avoid siginfo allocations. | Adin Scannell
PiperOrigin-RevId: 219492587 Change-Id: I47f6fc0b74a4907ab0aff03d5f26453bdb983bb5
2018-10-31 | Remove ipv4.endpoint.address | Tamir Duberstein
This field was added in the initial implementation, before Route existed to pass the local and remote addresses to the packet-writing path. Today, the Route's members should be respected. A similar bug was previously fixed in 214650822. PiperOrigin-RevId: 219474095 Change-Id: Id2a8ee4421d2841c8d88ccb3c193c455086350ee
2018-10-30 | kvm: use private futexes. | Adin Scannell
Use private futexes for performance and to align with other runtime uses. PiperOrigin-RevId: 219422634 Change-Id: Ief2af5e8302847ea6dc246e8d1ee4d64684ca9dd
2018-10-30 | Clean up cpuid_parse_test | Michael Pratt
Actually parse flags from cpuinfo to avoid mistakenly matching substrings in cpuinfo that happen to match a flag. Some features were only exposed in recent versions of Linux. Don't require them to appear in cpuinfo on old versions of Linux. Move PREFETCHWT1 back to parse only features. It isn't actually exposed in Linux yet. Move SDBG to shown features. It has been visible since Linux 4.3. PiperOrigin-RevId: 219381731 Change-Id: Ied7c0ee7c8a9879683e81933de56c9074b01108f
2018-10-29 | Install containerd and crictl when running tests in Kokoro. | Kevin Krakauer
PiperOrigin-RevId: 219166563 Change-Id: If4922eb5dd119b00f2c4bc7a5e016016ce9b9e45
2018-10-29 | Add copybara rules to export C++ test code. | Brian Geffon
PiperOrigin-RevId: 219166541 Change-Id: Ieebadaed4096eb48f00fba663e1c76fb41438078
2018-10-29 | Removes outdated TODO. | Kevin Krakauer
PiperOrigin-RevId: 219151173 Change-Id: I73014ea648ae485692ea0d44860c87f4365055cb
2018-10-26 | Add AMD-specific features to cpuid package | Michael Pratt
Extend the cpuid package to parse and emulate cpuid features that exist only on AMD and not Intel. The least straightforward part of this is that AMD duplicates several block 1 features in block 6. Thus we ignore those features when parsing block 6 and add them when emulating. PiperOrigin-RevId: 218935032 Change-Id: Id41bf1c24720b0d9b968e2c19ab5bc00a6d62bd4
2018-10-26 | Add block 3 features to /proc/cpuinfo | Michael Pratt
Linux added these block 3 features to the end of /proc/cpuinfo in dfb4a70f20c5b3880da56ee4c9484bdb4e8f1e65. This also fixes that block 3 features were completely missing from FeatureSet.FlagsString(false) because FlagsString only prints Linux blocks regardless of the cpuinfo option. PiperOrigin-RevId: 218913816 Change-Id: I2f9c38c7c9da4b247a140877d4aca782e80684bd
2018-10-26 | Order feature strings by block | Michael Pratt
PiperOrigin-RevId: 218894181 Change-Id: I97d0c74175f4aa528363f768a0a85d6953ea0bfd
2018-10-25 | Uninstall() should not fail if a cgroup directory doesn't exist | Andrei Vagin
It can occur if two controllers are mounted together or if Uninstall() is called on an error path. PiperOrigin-RevId: 218723886 Change-Id: I69d7a3c0685a7da38527ea8b7b301dbe96268285
2018-10-24 | Re-enable TestPythonHello now that ptrace seccomp issue is resolved. | Nicolas Lacasse
PiperOrigin-RevId: 218636184 Change-Id: I44deac3f32276d06955c5fb1e28c5970bb08f5fd
2018-10-24 | Use TRAP to simplify vsyscall emulation. | Adin Scannell
PiperOrigin-RevId: 218592058 Change-Id: I373a2d813aa6cc362500dd5a894c0b214a1959d7
2018-10-24 | Convert Unix transport to syserr | Ian Gudger
Previously this code used the tcpip error space. Since it is no longer part of netstack, it can use the sentry's error space (except for a few cases where there is still some shared code). This reduces the number of error space conversions required for hot Unix socket operations. PiperOrigin-RevId: 218541611 Change-Id: I3d13047006a8245b5dfda73364d37b8a453784bb
2018-10-24 | Mark netstack/tcpip/transport/tcp:tcp_test flaky | Fabricio Voznika
PiperOrigin-RevId: 218537640 Change-Id: I1c5f55a46390174e1f5caeff74b1a364fa3268d9
2018-10-24 | Run ptrace stubs in their own session and process group. | Nicolas Lacasse
Pseudoterminal job control signals are meant to be received and handled by the sandbox process, but if the ptrace stubs are running in the same process group, they will receive the signals as well and inject them into the sentry kernel. This can result in duplicate signals being delivered (often to the wrong process), or a sentry panic if the ptrace stub is inactive. This CL makes the ptrace stub run in a new session. PiperOrigin-RevId: 218536851 Change-Id: Ie593c5687439bbfbf690ada3b2197ea71ed60a0e
2018-10-23 | Fix panic on creation of zero-len shm segments. | Rahat Mahmood
Attempting to create a zero-len shm segment causes a panic since we try to allocate a zero-len filemem region. The existing code had a guard to disallow this, but the check didn't encode the fact that requesting a private segment implies a segment creation regardless of whether IPC_CREAT is explicitly specified. PiperOrigin-RevId: 218405743 Change-Id: I30aef1232b2125ebba50333a73352c2f907977da
2018-10-23 | Remove blanket TODO, as it is self-evident. | Adin Scannell
PiperOrigin-RevId: 218390517 Change-Id: Ic891c1626e62a6c4ed57f8180740872bcd1be177
2018-10-23 | Remove artificial name length check. | Adin Scannell
This should be determined by the filesystem. PiperOrigin-RevId: 218376553 Change-Id: I55d176e2cdf8acdd6642789af057b98bb8ca25b8
2018-10-23 | Simplify channel management | Tamir Duberstein
The channels {cancel,resCh} have roughly the same lifetime and are used for roughly the same purpose as an entry's waiters; we can unify the state management of the two mechanisms, while also reducing unnecessary mutex locking and unlocking. Made some cosmetic changes while I'm here. PiperOrigin-RevId: 218343915 Change-Id: Ic69546a2b7b390162b2231f07f335dd6199472d7
2018-10-23 | Track paths and provide a rename hook. | Adin Scannell
This change also adds extensive testing to the p9 package via mocks. The sanity checks and type checks are moved from the gofer into the core package, where they can be more easily validated. PiperOrigin-RevId: 218296768 Change-Id: I4fc3c326e7bf1e0e140a454cbacbcc6fd617ab55
2018-10-21 | Updated cleanup code to be more explicit about ignoring errors. | Ian Lewis
Errors are shown as being ignored by assigning to the blank identifier. PiperOrigin-RevId: 218103819 Change-Id: I7cc7b9d8ac503a03de5504ebdeb99ed30a531cf2
2018-10-20 | Refcount Unix transport queue | Ian Gudger
This allows us to release messages in the queue when all users close. PiperOrigin-RevId: 218033550 Change-Id: I2f6e87650fced87a3977e3b74c64775c7b885c1b
2018-10-20 | Add more unimplemented syscall events | Fabricio Voznika
Added events for *ctl syscalls that may have multiple different commands. For runsc, each syscall event is only logged once. For *ctl syscalls, use the cmd as identifier, not only the syscall number. PiperOrigin-RevId: 218015941 Change-Id: Ie3c19131ae36124861e9b492a7dbe1765d9e5e59
2018-10-19 | Use correct company name in copyright header | Ian Gudger
PiperOrigin-RevId: 217951017 Change-Id: Ie08bf6987f98467d07457bcf35b5f1ff6e43c035
2018-10-18 | Resolve mount paths while setting up root fs mount | Fabricio Voznika
It's hard to resolve symlinks inside the sandbox because rootfs and mounts may be read-only, forcing us to create mount points inside lower layer of an overlay, **before** the volumes are mounted. Since the destination must already be resolved outside the sandbox when creating mounts, take this opportunity to rewrite the spec with paths resolved. "runsc boot" will use the "resolved" spec to load mounts. In addition, symlink traversals were disabled while mounting containers inside the sandbox. I haven't been able to write a good test for it. So I'm relying on manual tests for now. PiperOrigin-RevId: 217749904 Change-Id: I7ac434d5befd230db1488446cda03300cc0751a9
2018-10-18 | Skip TestPythonHello on ptrace platform while we debug the issue. | Nicolas Lacasse
PiperOrigin-RevId: 217743078 Change-Id: I47fabd88139b968b6183bcc0340065fdbbc1d40d
2018-10-17 | Use generic ilist in Unix transport queue | Ian Gudger
This should improve performance. PiperOrigin-RevId: 217610560 Change-Id: I370f196ea2396f1715a460b168ecbee197f94d6c
2018-10-17 | Close the gofer socket gracefully in boot:boot_test. | Nicolas Lacasse
We were closing the FD directly. If the test then created a new socket pair with the same FD, in-flight RPCs would get directed to the new socket and break the test. Instead, we should use unet.Socket.Close(), which allows any in-flight RPCs to finish. PiperOrigin-RevId: 217608491 Change-Id: I8c5a76638899ba30f33ca976e6fac967fa0aadbf
2018-10-17 | Check thread group CPU timers in the CPU clock ticker. | Jamie Liu
This reduces the number of goroutines and runtime timers when ITIMER_VIRTUAL or ITIMER_PROF are enabled, or when RLIMIT_CPU is set. This also ensures that thread group CPU timers only advance if running tasks are observed at the time the CPU clock advances, mostly eliminating the possibility that a CPU timer expiration observes no running tasks and falls back to the group leader. PiperOrigin-RevId: 217603396 Change-Id: Ia24ce934d5574334857d9afb5ad8ca0b6a6e65f4
2018-10-17 | Merge queue into Unix transport | Ian Gudger
This queue only has a single user, so there is no need for it to use an interface. Merging it into the same package as its sole user allows us to avoid a circular dependency. This simplifies the code and should slightly improve performance. PiperOrigin-RevId: 217595889 Change-Id: Iabbd5164240b935f79933618c61581bc8dcd2822
2018-10-17 | Relativize all socket paths in tests. | Nicolas Lacasse
Otherwise they may exceed the maximum. PiperOrigin-RevId: 217584658 Change-Id: I869e400d3409599c0d3b85c6590702c052f49550
2018-10-17 | Fix typos in socket_test | Ian Gudger
PiperOrigin-RevId: 217576188 Change-Id: I82e45c306c5c9161e207311c7dbb8a983820c1df
2018-10-17 | Reflow comment to 80 columns | Michael Pratt
PiperOrigin-RevId: 217573168 Change-Id: Ic1914d0ef71bab020e3ee11cf9c4a50a702bd8dd
2018-10-17 | runsc: Support job control signals for the root container. | Nicolas Lacasse
Now containers run with "docker run -it" support control characters like ^C and ^Z. This required refactoring our signal handling a bit. Signals delivered to the "runsc boot" process are turned into loader.Signal calls with the appropriate delivery mode. Previously they were always sent directly to PID 1. PiperOrigin-RevId: 217566770 Change-Id: I5b7220d9a0f2b591a56335479454a200c6de8732
2018-10-17 | Fix PTRACE_GETREGSET write size | Michael Pratt
The existing logic is backwards and writes iov_len == 0 for a full write. PiperOrigin-RevId: 217560377 Change-Id: I5a39c31bf0ba9063a8495993bfef58dc8ab7c5fa
2018-10-17 | Move Unix transport out of netstack | Ian Gudger
PiperOrigin-RevId: 217557656 Change-Id: I63d27635b1a6c12877279995d2d9847b6a19da9b
2018-10-17 | Remove incorrect TODO. | Kevin Krakauer
PiperOrigin-RevId: 217548429 Change-Id: Ie640c881fdc4fc70af58c8ca834df1ac531e519a
2018-10-17 | runsc: Add --pid flag to runsc kill. | Kevin Krakauer
--pid allows specific processes to be signalled rather than the container root process or all processes in the container. containerd needs to SIGKILL exec'd processes that timeout and check whether processes are still alive. PiperOrigin-RevId: 217547636 Change-Id: I2058ebb548b51c8eb748f5884fb88bad0b532e45
2018-10-17 | compressio: do not schedule new I/Os when there is no worker (stream closed). | Zhaozhong Ni
PiperOrigin-RevId: 217536677 Change-Id: Ib9a5a2542df12d0bc5592b91463ffd646e2ec295