Age | Commit message (Collapse) | Author |
|
PiperOrigin-RevId: 231263193
Change-Id: Ib732c9639462f7994d473050495d88c2855434af
|
|
PiperOrigin-RevId: 231263114
Change-Id: I57467a34fe94e395fdd3685462c4fe9776d040a3
|
|
It never actually should have applied to environ (the relevant change in
Linux 4.2 is c2c0bb44620d "proc: fix PAGE_SIZE limit of
/proc/$PID/cmdline"), and we claim to be Linux 4.4 now anyway.
PiperOrigin-RevId: 231250661
Change-Id: I37f9c4280a533d1bcb3eebb7803373ac3c7b9f15
|
|
PiperOrigin-RevId: 231020482
Change-Id: Idd9168678b18d03aac473adcc40902e27e06d0a1
|
|
When file size changes outside the sandbox, page cache was not
refreshing file size which is required for cacheRemoteRevalidating.
In fact, cacheRemoteRevalidating should be skipping the cache
completely since it's not really benefiting from it. The cache is
cache is already bypassed for unstable attributes (see
cachePolicy.cacheUAttrs). And althought the cache is called to
map pages, they will always miss the cache and map directly from
the host.
Created a HostMappable struct that maps directly to the host and
use it for files with cacheRemoteRevalidating.
Closes #124
PiperOrigin-RevId: 230998440
Change-Id: Ic5f632eabe33b47241e05e98c95e9b2090ae08fc
|
|
In Container.Destroy(), we call c.stop() before calling
executeHooksBestEffort(), therefore, when we call
executeHooksBestEffort(c.Spec.Hooks.Poststop, c.State()) to execute
the poststop hook, it results in a nil pointer dereference since it
reads c.Sandbox.Pid in c.State() after the sandbox has been destroyed.
To fix this bug, we can change container's status to "stopped" before
executing the poststop hook.
Signed-off-by: ShiruRen <renshiru2000@gmail.com>
Change-Id: I4d835e430066fab7e599e188f945291adfc521ef
PiperOrigin-RevId: 230975505
|
|
Mounting lib and lib64 are not necessary anymore and simplifies the test.
PiperOrigin-RevId: 230971195
Change-Id: Ib91a3ffcec4b322cd3687c337eedbde9641685ed
|
|
The implementation of O_CLOEXEC is orthogonal to every property tested
by these tests; removing it significantly reduces the number of
redundant tests we run.
Also remove no-op calls to VecCat (calls with a single argument).
PiperOrigin-RevId: 230959537
Change-Id: I83fe7db24e481ef67ca1f1992228af423f640b5c
|
|
PiperOrigin-RevId: 230850177
Change-Id: I34eb24e8ff8dd9ce3e7f5eb2dc2ee58eeac49f07
|
|
Change-Id: I94704a90beebb53164325e0cce1fcb9a0b97d65c
PiperOrigin-RevId: 230817308
|
|
Lots of tests use /tmp for the tests. Force /tmp to be
mounted over fsgofer instead of tmpfs.
PiperOrigin-RevId: 230788985
Change-Id: Id6597ed88133232d15e808c48126bf77cb32673e
|
|
Otherwise, C++11-compliant compilers may select PosixErrorOr(const T&)
as the relevant constructor, and fail because std::vector<Mapping> is
not copyable (because Mapping is not copyable).
This is a C++11 defect that is fixed in C++14 (and in C++11 mode for
Clang, but not GCC). See DR 1579,
http://www.open-std.org/jtc1/sc22/wg21/docs/cwg_defects.html#1579.
PiperOrigin-RevId: 230767401
Change-Id: I65f481f5188d91db6cbbbd65ed0a60bc55df3401
|
|
PiperOrigin-RevId: 230641540
Change-Id: Icccc3cdeec191138940f0ecea0a29798359d2b1f
|
|
netlink_autobind() sets a port id to a process ID, if this address is
available. Otherwise, it will set a port id to a random negative value.
PiperOrigin-RevId: 230631956
Change-Id: I11692e4fe9421e77d9406627b4e7772e4d9b105a
|
|
PiperOrigin-RevId: 230437407
Change-Id: Id9d8ceeb018aad2fe317407c78c6ee0f4b47aa2b
|
|
Compilation of this test fails in kokoro:
In file included from /usr/include/linux/netdevice.h:28:0,
from /usr/include/linux/if_arp.h:26,
from ./test/syscalls/linux/socket_netlink_util.h:18,
from test/syscalls/linux/socket_netdevice.cc:24:
/usr/include/linux/if.h:143:8: error: redefinition of 'struct ifmap'
struct ifmap {
^~~~~
In file included from test/syscalls/linux/socket_netdevice.cc:18:0:
/usr/include/net/if.h:111:8: note: previous definition of 'struct ifmap'
struct ifmap
^~~~~
In file included from /usr/include/linux/netdevice.h:28:0,
from /usr/include/linux/if_arp.h:26,
from ./test/syscalls/linux/socket_netlink_util.h:18,
from test/syscalls/linux/socket_netdevice.cc:24:
/usr/include/linux/if.h:177:8: error: redefinition of 'struct ifreq'
struct ifreq {
^~~~~
In file included from test/syscalls/linux/socket_netdevice.cc:18:0:
/usr/include/net/if.h:126:8: note: previous definition of 'struct ifreq'
struct ifreq
^~~~~
In file included from /usr/include/linux/netdevice.h:28:0,
from /usr/include/linux/if_arp.h:26,
from ./test/syscalls/linux/socket_netlink_util.h:18,
from test/syscalls/linux/socket_netdevice.cc:24:
/usr/include/linux/if.h:226:8: error: redefinition of 'struct ifconf'
struct ifconf {
^~~~~~
In file included from test/syscalls/linux/socket_netdevice.cc:18:0:
/usr/include/net/if.h:176:8: note: previous definition of 'struct ifconf'
struct ifconf
PiperOrigin-RevId: 230381931
Change-Id: I3c422c53e50cf2b90022778599d3a8a4a61fd1a3
|
|
Removed "error" and "failed to" prefix that don't add value
from messages. Adjusted a few other messages. In particular,
when the container fail to start, the message returned is easier
for humans to read:
$ docker run --rm --runtime=runsc alpine foobar
docker: Error response from daemon: OCI runtime start failed: <path> did not terminate sucessfully: starting container: starting root container [foobar]: starting sandbox: searching for executable "foobar", cwd: "/", $PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin": no such file or directory
Closes #77
PiperOrigin-RevId: 230022798
Change-Id: I83339017c70dae09e4f9f8e0ea2e554c4d5d5cd1
|
|
In addition, it fixes a race condition in TestMultiContainerGoferStop.
There are two scripts copy the same set of files into the same directory
and sometime one of this command fails with EXIST.
PiperOrigin-RevId: 230011247
Change-Id: I9289f72e65dc407cdcd0e6cd632a509e01f43e9c
|
|
PiperOrigin-RevId: 229971902
Change-Id: Ief4fac731e839ef092175908de9375d725eaa3aa
|
|
Most of the entries are stubbed out at the moment, but even those were
only displayed if IPv6 support was enabled. The entries should be
displayed with IPv4-support only, and with only loopback devices.
PiperOrigin-RevId: 229946441
Change-Id: I18afaa3af386322787f91bf9d168ab66c01d5a4c
|
|
We no longer need to depend on master, since v1.2.2 contains a commit to work
around "malformed input path" bug:
https://github.com/containerd/containerd/commit/27c6449c2c50f7e66076a4186e81aa3167e0dd5a
PiperOrigin-RevId: 229790405
Change-Id: Ia93b66959e6433bf096d6742be6064c1d7ed8b18
|
|
PiperOrigin-RevId: 229781337
Change-Id: I1f946cff2771714fb1abd83a83ed454e9febda0a
|
|
Runsc wants to mount /tmp using internal tmpfs implementation for
performance. However, it risks hiding files that may exist under
/tmp in case it's present in the container. Now, it only mounts
over /tmp iff:
- /tmp was not explicitly asked to be mounted
- /tmp is empty
If any of this is not true, then /tmp maps to the container's
image /tmp.
Note: checkpoint doesn't have sentry FS mounted to check if /tmp
is empty. It simply looks for explicit mounts right now.
PiperOrigin-RevId: 229607856
Change-Id: I10b6dae7ac157ef578efc4dfceb089f3b94cde06
|
|
PiperOrigin-RevId: 229438125
Change-Id: I58eb0d10178d1adfc709d7b859189d1acbcb2f22
|
|
PiperOrigin-RevId: 229427852
Change-Id: I9de8ed63f4a7672dacd3b282c863c599d00acd52
|
|
syscall test split testcase via shard count, reset
high bound as begin of next subslice, cause the slice
is half-open range.
Change-Id: I1954f57c93cbfd9be518153315da305a2de377a0
PiperOrigin-RevId: 229405199
|
|
More helper structs have been added to the fsutil package to make it easier to
implement fs.InodeOperations and fs.FileOperations.
PiperOrigin-RevId: 229305982
Change-Id: Ib6f8d3862f4216745116857913dbfa351530223b
|
|
test/syscalls/linux/wait.cc:626:8: warning: lambda capture 'this' is not
used
302
[this, stack] { ASSERT_THAT(FreeStack(stack), SyscallSucceeds()); });
303
^~~~~
test/syscalls/linux/priority.cc:195:17: warning: lambda capture
'kParentPriority' is not required to be captured for this use
273
ScopedThread([kParentPriority, kChildPriority]() {
274
^~~~~~~~~~~~~~~~
PiperOrigin-RevId: 229275900
Change-Id: I6f0c88efc7891c6c729378a2fa70f70b1b9046a7
|
|
In this case, new mounts are not created in the host mount namspaces, so
tearDownChroot isn't needed, because chroot will be destroyed with a
sandbox mount namespace.
In additional, pivot_root can't be called instead of chroot.
PiperOrigin-RevId: 229250871
Change-Id: I765bdb587d0b8287a6a8efda8747639d37c7e7b6
|
|
PiperOrigin-RevId: 229243918
Change-Id: Ie14ef34e66ae851ed080f57b7d26a369a66f7664
|
|
PiperOrigin-RevId: 229238781
Change-Id: Ib5a1e46293583efcb09e255fcd400c3fcc53ef1b
|
|
PiperOrigin-RevId: 229214698
Change-Id: Ib4ea2e330e61ee34bf913938d6120a52ecc38ce1
|
|
PiperOrigin-RevId: 228979583
Change-Id: I69bd82def48ceb19bc8558c890622b8528d98764
|
|
- Fix a few cases where async-signal-unsafe code is executed in a forked
process pre-execve.
- Ensure that the return value of fork() is always checked.
PiperOrigin-RevId: 228949310
Change-Id: I3096cb7d7394b8d9ab81b0e0245f2060713ef589
|
|
PiperOrigin-RevId: 228949227
Change-Id: I8f47bcd56aab706081218ec7498af8049ccd6d63
|
|
PiperOrigin-RevId: 228945914
Change-Id: Idfa0a3c27434655b5f9ac241f1726e0bc9ef0392
|
|
PiperOrigin-RevId: 228904169
Change-Id: I948f417d1336cb69c5733b142c53850507432fda
|
|
And we need to wait a gofer process before cgroup.Uninstall,
because it is running in the sandbox cgroups.
PiperOrigin-RevId: 228904020
Change-Id: Iaf8826d5b9626db32d4057a1c505a8d7daaeb8f9
|
|
PiperOrigin-RevId: 228805981
Change-Id: I4f4c4a5d8de325dff38f6dfb92108fc848d823fd
|
|
Removing check to RLIMIT_NOFILE in select call.
Adding unit test to select suite to document behavior.
Moving setrlimit class from mlock to a util file for reuse.
Fixing flaky test based on comments from Jamie.
PiperOrigin-RevId: 228726131
Change-Id: Ie9dbe970bbf835ba2cca6e17eec7c2ee6fadf459
|
|
- Call MemoryEvents.done.Add(1) outside of MemoryEvents.run() so that if
MemoryEvents.Stop() => MemoryEvents.done.Wait() is called before the
goroutine starts running, it still waits for the goroutine to stop.
- Use defer to call MemoryEvents.done.Done() in MemoryEvents.run() so that it's
called even if the goroutine panics.
PiperOrigin-RevId: 228623307
Change-Id: I1b0459e7999606c1a1a271b16092b1ca87005015
|
|
Instead just find the syscall_test_runner binary in the shell script.
PiperOrigin-RevId: 228621230
Change-Id: I274ee0874e47d53f59474b1ac730ee45e3dff977
|
|
The static local variable `enabled` in CooperativeSaveEnabled() is not
initialized until the first call to CooperativeSaveEnabled(), per the
C++14 standard, section 6.7 ("Declaration statement"), paragraph 4. This
initialization is thread-safe as of C++11, but it is *not* required to
be async-signal-safe. Use a namespace-scope variable instead, since this
is guaranteed to be zero-initialized before main() by section 3.6.2
("Initialization of non-local variables").
getenv() is technically not async-signal-safe either, hence the hedging
in the change summary line. However, glibc's implementation of getenv()
appears to be async-signal-safe in the absence of calls to setenv().
PiperOrigin-RevId: 228588617
Change-Id: I669f555d1c91352d55c606970bb237ec888fa7ca
|
|
PiperOrigin-RevId: 228574092
Change-Id: Id93abcca1ce964eb595907df9355702d469bc33b
|
|
overlayFileOperations.Readdir was holding overlay.copyMu while calling
DirentReaddir, which then attempts to take take the corresponding Dirent.mu,
causing a lock order violation. (See lock order documentation in
fs/copy_up.go.)
We only actually need to hold copyMu during readdirEntries(), so holding the
lock is moved in there, thus avoiding the lock order violation.
A new lock was added to protect overlayFileOperations.dirCache. We were
inadvertently relying on copyMu to protect this. There is no reason it should
not have its own lock.
PiperOrigin-RevId: 228542473
Change-Id: I03c3a368c8cbc0b5a79d50cc486fc94adaddc1c2
|
|
The original code assumed that it was safe to join and not restore cgroup,
but Container.Run will not exit after calling start, making cgroup cleanup
fail because there were still processes inside the cgroup.
PiperOrigin-RevId: 228529199
Change-Id: I12a48d9adab4bbb02f20d71ec99598c336cbfe51
|
|
PiperOrigin-RevId: 228428223
Change-Id: I433ba5ffc15ea4c2706ec944901b8269b1f364f8
|
|
PiperOrigin-RevId: 228403149
Change-Id: Iab212e49d9eb27d785bddc9fd447835ce8c485ae
|
|
PiperOrigin-RevId: 228382827
Change-Id: Ica1d30e0df826bdd77f180a5092b2b735ea5c804
|
|
See modified comment in auth.NewUserCredentials(); compare to the
behavior of setresuid(2) as implemented by
//pkg/sentry/kernel/task_identity.go:kernel.Task.setKUIDsUncheckedLocked().
PiperOrigin-RevId: 228381765
Change-Id: I45238777c8f63fcf41b99fce3969caaf682fe408
|