summaryrefslogtreecommitdiffhomepage
AgeCommit message (Collapse)Author
2020-05-15Minor formatting updates for gvisor.dev.Adin Scannell
* Aggregate architecture Overview in "What is gVisor?" as it makes more sense in one place. * Drop "user-space kernel" and use "application kernel". The term "user-space kernel" is confusing when some platform implementation do not run in user-space (instead running in guest ring zero). * Clear up the relationship between the Platform page in the user guide and the Platform page in the architecture guide, and ensure they are cross-linked. * Restore the call-to-action quick start link in the main page, and drop the GitHub link (which also appears in the top-right). * Improve image formatting by centering all doc and blog images, and move the image captions to the alt text. PiperOrigin-RevId: 311845158
2020-05-15Remove debug log left behind by mistake.Bhasker Hariharan
PiperOrigin-RevId: 311808460
2020-05-15Update vm scripts to handle existing kbuilder user.Adin Scannell
PiperOrigin-RevId: 311751972
2020-05-15Minor text updates and jquery ordering.Adin Scannell
PiperOrigin-RevId: 311744091
2020-05-14Update Kokoro images to include newer gcloud.Adin Scannell
PiperOrigin-RevId: 311658774
2020-05-14Make utimes_test pass on VFS2.Jamie Liu
PiperOrigin-RevId: 311657502
2020-05-14Internal change.gVisor bot
PiperOrigin-RevId: 311645222
2020-05-14Run issue_reviver via GitHub.Adin Scannell
PiperOrigin-RevId: 311600872
2020-05-14Merge pull request #2663 from lubinszARM:pr_sigfp_forkgVisor bot
PiperOrigin-RevId: 311573552
2020-05-14Port memfd_create to vfs2 and finish implementation of file seals.Nicolas Lacasse
Closes #2612. PiperOrigin-RevId: 311548074
2020-05-13Fix TCP segment retransmit timeout handling.Mithun Iyer
As per RFC 1122 and Linux retransmit timeout handling: - The segment retransmit timeout needs to exponentially increase and cap at a predefined value. - TCP connection needs to timeout after a predefined number of segment retransmissions. - TCP connection should not timeout when the retranmission timeout exceeds MaxRTO, predefined upper bound. Fixes #2673 PiperOrigin-RevId: 311463961
2020-05-13Stub support for TCP_SYNCNT and TCP_WINDOW_CLAMP.Bhasker Hariharan
This change adds support for TCP_SYNCNT and TCP_WINDOW_CLAMP options in GetSockOpt/SetSockOpt. This change does not really change any behaviour in Netstack and only stores/returns the stored value. Actual honoring of these options will be added as required. Fixes #2626, #2625 PiperOrigin-RevId: 311453777
2020-05-13Fix runsc association of gofers and FDs on VFS2.Jamie Liu
Updates #1487 PiperOrigin-RevId: 311443628
2020-05-13Resolve remaining TODOs for tmpfs.Nicolas Lacasse
Closes #1197 PiperOrigin-RevId: 311438223
2020-05-13Automated rollback of changelist 311285868Bhasker Hariharan
PiperOrigin-RevId: 311424257
2020-05-13Enable overlayfs_stale_read by default for runsc.Jamie Liu
Linux 4.18 and later make reads and writes coherent between pre-copy-up and post-copy-up FDs representing the same file on an overlay filesystem. However, memory mappings remain incoherent: - Documentation/filesystems/overlayfs.rst, "Non-standard behavior": "If a file residing on a lower layer is opened for read-only and then memory mapped with MAP_SHARED, then subsequent changes to the file are not reflected in the memory mapping." - fs/overlay/file.c:ovl_mmap() passes through to the underlying FD without any management of coherence in the overlay. - Experimentally on Linux 5.2: ``` $ cat mmap_cat_page.c #include <err.h> #include <fcntl.h> #include <stdio.h> #include <string.h> #include <sys/mman.h> #include <unistd.h> int main(int argc, char **argv) { if (argc < 2) { errx(1, "syntax: %s [FILE]", argv[0]); } const int fd = open(argv[1], O_RDONLY); if (fd < 0) { err(1, "open(%s)", argv[1]); } const size_t page_size = sysconf(_SC_PAGE_SIZE); void* page = mmap(NULL, page_size, PROT_READ, MAP_SHARED, fd, 0); if (page == MAP_FAILED) { err(1, "mmap"); } for (;;) { write(1, page, strnlen(page, page_size)); if (getc(stdin) == EOF) { break; } } return 0; } $ gcc -O2 -o mmap_cat_page mmap_cat_page.c $ mkdir lowerdir upperdir workdir overlaydir $ echo old > lowerdir/file $ sudo mount -t overlay -o "lowerdir=lowerdir,upperdir=upperdir,workdir=workdir" none overlaydir $ ./mmap_cat_page overlaydir/file old ^Z [1]+ Stopped ./mmap_cat_page overlaydir/file $ echo new > overlaydir/file $ cat overlaydir/file new $ fg ./mmap_cat_page overlaydir/file old ``` Therefore, while the VFS1 gofer client's behavior of reopening read FDs is only necessary pre-4.18, replacing existing memory mappings (in both sentry and application address spaces) with mappings of the new FD is required regardless of kernel version, and this latter behavior is common to both VFS1 and VFS2. Re-document accordingly, and change the runsc flag to enabled by default. New test: - Before this CL: https://source.cloud.google.com/results/invocations/5b222d2c-e918-4bae-afc4-407f5bac509b - After this CL: https://source.cloud.google.com/results/invocations/f28c747e-d89c-4d8c-a461-602b33e71aab PiperOrigin-RevId: 311361267
2020-05-13Use VFS2 mount namesFabricio Voznika
Updates #1487 PiperOrigin-RevId: 311356385
2020-05-13Replace test_runner.sh bash script with Go.Ian Gudger
PiperOrigin-RevId: 311285868
2020-05-12Adjust a few log messagesFabricio Voznika
PiperOrigin-RevId: 311234146
2020-05-12Merge pull request #2678 from nybidari:iptablesgVisor bot
PiperOrigin-RevId: 311203776
2020-05-12Don't allow rename across different gofer or tmpfs mounts.Nicolas Lacasse
Fixes #2651. PiperOrigin-RevId: 311193661
2020-05-12Merge pull request #2513 from amscanne:website-integratedgVisor bot
PiperOrigin-RevId: 311184385
2020-05-12Merge pull request #2671 from kevinGC:skip-outputgVisor bot
PiperOrigin-RevId: 311181084
2020-05-12Don't call kernel.Task.Block() from netstack.SocketOperations.Write().Jamie Liu
kernel.Task.Block() requires that the caller is running on the task goroutine. netstack.SocketOperations.Write() uses kernel.TaskFromContext() to call kernel.Task.Block() even if it's not running on the task goroutine. Stop doing that. PiperOrigin-RevId: 311178335
2020-05-12iptables: support gid match for owner matching.Nayana Bidari
- Added support for matching gid owner and invert flag for uid and gid. $ iptables -A OUTPUT -p tcp -m owner --gid-owner root -j ACCEPT $ iptables -A OUTPUT -p tcp -m owner ! --uid-owner root -j ACCEPT $ iptables -A OUTPUT -p tcp -m owner ! --gid-owner root -j DROP - Added tests for uid, gid and invert flags.
2020-05-12Merge pull request #2664 from lubinszARM:pr_sigfpgVisor bot
PiperOrigin-RevId: 311153824
2020-05-11Internal change.Jamie Liu
PiperOrigin-RevId: 311046755
2020-05-11iptables: check for truly unconditional rulesKevin Krakauer
We weren't properly checking whether the inserted default rule was unconditional.
2020-05-11Add fpsimd support in sigreturn on Arm64Bin Lu
Signed-off-by: Bin Lu <bin.lu@arm.com>
2020-05-11Add fsimpl/gofer.InternalFilesystemOptions.OpenSocketsByConnecting.Jamie Liu
PiperOrigin-RevId: 311014995
2020-05-11Internal change.gVisor bot
PiperOrigin-RevId: 311011004
2020-05-11Automated rollback of changelist 310417191Bhasker Hariharan
PiperOrigin-RevId: 310963404
2020-05-11Internal change.gVisor bot
PiperOrigin-RevId: 310949277
2020-05-11Fix view.ToVectorisedView().Bhasker Hariharan
view.ToVectorisedView() now just returns an empty vectorised view if the view is of zero length. Earlier it would return a VectorisedView of zero length but with 1 empty view. This has been a source of bugs as lower layers don't expect zero length views in VectorisedViews. VectorisedView.AppendView() now is a no-op if the view being appended is of zero length. Fixes #2658 PiperOrigin-RevId: 310942269
2020-05-11Internal change.gVisor bot
PiperOrigin-RevId: 310941717
2020-05-11passed the syscall test case 'fpsig_fork' on Arm64 platformBin Lu
Some functions were added for Arm64 platform: a, get_fp/set_fp b, inline_tgkill Test step: bazel test //test/syscalls:fpsig_fork_test_runsc_ptrace Signed-off-by: Bin Lu <bin.lu@arm.com>
2020-05-10Stop avoiding preadv2 and pwritev2, and add them to the filters.Nicolas Lacasse
Some code paths needed these syscalls anyways, so they should be included in the filters. Given that we depend on these syscalls in some cases, there's no real reason to avoid them any more. PiperOrigin-RevId: 310829126
2020-05-08iptables - filter packets using outgoing interface.gVisor bot
Enables commands with -o (--out-interface) for iptables rules. $ iptables -A OUTPUT -o eth0 -j ACCEPT PiperOrigin-RevId: 310642286
2020-05-08Add UDP send/recv packetimpact tests.Bhasker Hariharan
Fixes #2654 PiperOrigin-RevId: 310642216
2020-05-08Pass flags to fsimpl/host.inode.open().Jamie Liu
This has two effects: It makes flags passed to open("/proc/[pid]/fd/[hostfd]") effective, and it prevents imported pipes/sockets/character devices from being opened with O_NONBLOCK unconditionally (because the underlying host FD was set to non-blocking in ImportFD()). PiperOrigin-RevId: 310596062
2020-05-08Send ACK to OTW SEQs/unacc ACKs in CLOSE_WAITZeling Feng
This fixed the corresponding packetimpact test. PiperOrigin-RevId: 310593470
2020-05-07Merge pull request #2637 from avagin:make-vs-bazelgVisor bot
PiperOrigin-RevId: 310479788
2020-05-07make: exit with non-zero code if "bazel build" failedAndrei Vagin
Without this fix, make exits with zero code when bazel build failed: $ make run TARGETS="--abra --kadabra" ERROR: Unrecognized option: --abra $ echo $? 0 Signed-off-by: Andrei Vagin <avagin@gmail.com>
2020-05-07make: bazel docker container should clean itself up.Adin Scannell
This change two does things: 1) Name the container based on the canonical directory path. 2) Allow the container to exit after bazel itself has exited. The first is necessary to support multiple working directories, while the second one allows these instances to clean up properly. PiperOrigin-RevId: 310460748
2020-05-07Fix ARM64 build.Adin Scannell
The common syscall definitions mean that ARM64-exclusive files need stubs in the ARM64 build. PiperOrigin-RevId: 310446698
2020-05-07Capture range variable in parallel subtestsSam Balana
Only the last test was running before since the goroutines won't be executed until after this loop. I added t.Log(test.name) and this is was the result: TestListenNoAcceptNonUnicastV4/SourceUnspecified: DestOtherMulticast TestListenNoAcceptNonUnicastV4/DestUnspecified: DestOtherMulticast TestListenNoAcceptNonUnicastV4/DestOtherMulticast: DestOtherMulticast TestListenNoAcceptNonUnicastV4/SourceBroadcast: DestOtherMulticast TestListenNoAcceptNonUnicastV4/DestOurMulticast: DestOtherMulticast TestListenNoAcceptNonUnicastV4/DestBroadcast: DestOtherMulticast TestListenNoAcceptNonUnicastV4/SourceOtherMulticast: DestOtherMulticast TestListenNoAcceptNonUnicastV4/SourceOurMulticast: DestOtherMulticast https://github.com/golang/go/wiki/TableDrivenTests#parallel-testing PiperOrigin-RevId: 310440629
2020-05-07Allocate device numbers for VFS2 filesystems.Jamie Liu
Updates #1197, #1198, #1672 PiperOrigin-RevId: 310432006
2020-05-07Fix tags used for determining file sets.Adin Scannell
Updates #2569 Updates #2298 PiperOrigin-RevId: 310423629
2020-05-07Automated rollback of changelist 309339316Bhasker Hariharan
PiperOrigin-RevId: 310417191
2020-05-07Move pkg/sentry/vfs/{eventfd,timerfd} to new packages in pkg/sentry/fsimpl.Nicolas Lacasse
They don't depend on anything in VFS2, so they should be their own packages. PiperOrigin-RevId: 310416807