summaryrefslogtreecommitdiffhomepage
path: root/pkg/sentry
AgeCommit message (Collapse)Author
2021-04-21Merge release-20210419.0-12-gc2955339d (automated)gVisor bot
2021-04-21Automated rollback of changelist 369325957Michael Pratt
PiperOrigin-RevId: 369686285
2021-04-20Merge release-20210412.0-40-g07a78ecb2 (automated)gVisor bot
2021-04-20[perf] Remove non-empty directory dentries from gofer LRU cache.Ayush Ranjan
The gofer client's LRU cache has a default limit of 1000 dentries. Any attempt to cache more dentries than that will make the LRU cache evict and destroy the least recently used dentry. However, the eviction is expensive because it requires holding fs.renameMu for writing - which in turn creates a lot of contention. All filesystem operations that involve path traversal require fs.renameMu for reading atleast. Therefore, it is in our best interest to keep the cache small and clean. When a dentry is inserted in the dentry tree, it grabs a ref on its parent for its entire lifetime. Hence the parent is longer evictable (because refs > 0). This change additionally calls checkCachingLocked on directories that have been added to so that they can be removed from the LRU cache if needed. This change implies that the LRU cache will only contain the leaves from the filesystem tree which significantly reduces the LRU cache size and consequently reduces the number of expensive LRU cache evictions. > Why are opened dentries not removed from LRU cache? When a file description is open(2)-ed, the file description holds a ref on its dentry for its entire lifetime. However, calling checkCachingLocked() on opened dentries actually ends up hurting performance. Applications usually open file descriptors for a short duration. So upon close(2), the dentry is reinserted into the cache anyway. So the precautionary work done in removing the opened dentry from the cache went for waste as it did not really reduce an eviction. Local benchmarking has shown that this change improves performance by 3-4%. Across 6 runs, without this change it took 296.127 seconds to build runsc while with this change it took only 285.136 seconds. PiperOrigin-RevId: 369510494
2021-04-20Merge release-20210412.0-38-gbf1e14cf8 (automated)gVisor bot
2021-04-20Speed up O_APPEND with remote revalidatingFabricio Voznika
Remote revalidating requires to update file size on every write on a file opened with O_APPEND. If host FD exists, it can be used to update the size and skip round trip to the gofer. With this change, O_APPEND writes with remote revalidating is almost as fast as exclusive mode: BM_Append VFS1 60.7us VFS2 56.8us VFS2 exclusive 14.2us This change 15.8us Updates #1792 PiperOrigin-RevId: 369486801
2021-04-20Merge release-20210412.0-37-g3fff4c4a0 (automated)gVisor bot
2021-04-20Move SO_RCVBUF to socketops.Nayana Bidari
Fixes #2926, #674 PiperOrigin-RevId: 369457123
2021-04-20Merge release-20210412.0-35-g82eecd2e9 (automated)gVisor bot
2021-04-19Change verity action to be a fs memberChong Cai
Currently the verity action is a global variable, which causes the same action for all verity mounts, and is overwritten for each new verity mount. Changed it to a member of verity fs. PiperOrigin-RevId: 369348522
2021-04-19Merge release-20210412.0-32-g276ff149a (automated)gVisor bot
2021-04-19Add MultiGetAttr message to 9PFabricio Voznika
While using remote-validation, the vast majority of time spent during FS operations is re-walking the path to check for modifications and then closing the file given that in most cases it has not been modified externally. This change introduces a new 9P message called MultiGetAttr which bulks query attributes of several files in one shot. The returned attributes are then used to update cached dentries before they are walked. File attributes are updated for files that still exist. Dentries that have been deleted are removed from the cache. And negative cache entries are removed if a new file/directory was created externally. Similarly, synthetic dentries are replaced if a file/directory is created externally. The bulk update needs to be carefull not to follow symlinks, cross mount points, because the gofer doesn't know how to resolve symlinks and where mounts points are located. It also doesn't walk to the parent ("..") to avoid deadlocks. Here are the results: Workload VFS1 VFS2 Change bazel action 115s 70s 28.8s Stat/100 11,043us 7,623us 974us Updates #1638 PiperOrigin-RevId: 369325957
2021-04-17Merge release-20210408.0-47-g3b685753b (automated)gVisor bot
2021-04-16[perf] Reduce contention due to renameMu in gofer client.Ayush Ranjan
Runsc build benchmark's mutex profile shows that we are wasting roughly 25-30 seconds waiting for filesystem.renameMu to get unlocked. Earlier checkCachingLocked required the renameMu to be locked for writing. This is a filesystem wide lock which puts all other filesystem operations on hold and hence is really expensive. Something to note is that all path resolution operations hold renameMu for reading. With this change, we allow to check for caching without even holding renameMu. This change introduces more fine grained locks (fs.cacheMu and dentry.cachingMu) which protect the cache (removing the requirement to hold renameMu for writing to modify the cache) and synchronize concurrent dentry caching attempts on a per dentry basis. We still require to hold renameMu for writing while destroying dentries and evicting from the cache but this still significantly reduces the write locking critical section. Local benchmarking showed that this improved runsc build benchmark time by 4-5%. Across 6 runs, without this change it took 310.9025 seconds to build runsc while with this change it took 296.127 seconds. Runsc build benchmark's mutex profile: https://gvisor.dev/profile/gvisor-buildkite/78a3f968-36ca-4944-93f7-77a8792d56b4/28a1d260-790b-4a9e-94da-a4daede08ee3/tmp/profile/ptrace/BenchmarkBuildRunsc/page_cache.clean/filesystem.bindfs/benchmarks/runsc/mutex.pprof/flamegraph PiperOrigin-RevId: 368958136
2021-04-17Merge release-20210408.0-46-g0c3e8daf5 (automated)gVisor bot
2021-04-16Allow runsc to generate coverage reports.Dean Deng
Add a coverage-report flag that will cause the sandbox to generate a coverage report (with suffix .cov) in the debug log directory upon exiting. For the report to be generated, runsc must have been built with the following Bazel flags: `--collect_code_coverage --instrumentation_filter=...`. With coverage reports, we should be able to aggregate results across all tests to surface code coverage statistics for the project as a whole. The report is simply a text file with each line representing a covered block as `file:start_line.start_col,end_line.end_col`. Note that this is similar to the format of coverage reports generated with `go test -coverprofile`, although we omit the count and number of statements, which are not useful for us. Some simple ways of getting coverage reports: bazel test <some_test> --collect_code_coverage \ --instrumentation_filter=//pkg/... bazel build //runsc --collect_code_coverage \ --instrumentation_filter=//pkg/... runsc -coverage-report=dir/ <other_flags> do ... PiperOrigin-RevId: 368952911
2021-04-16Merge release-20210408.0-44-g32c18f443 (automated)gVisor bot
2021-04-16Enlarge port range and fix integer overflowKevin Krakauer
Also count failed TCP port allocations PiperOrigin-RevId: 368939619
2021-04-16Merge release-20210408.0-38-g14b7d775c (automated)gVisor bot
2021-04-15Add field support to the sentry metrics.Nayana Bidari
Fields allow counter metrics to have multiple tabular values. At most one field is supported at the moment. PiperOrigin-RevId: 368767040
2021-04-16Merge release-20210408.0-35-g2e5022974 (automated)gVisor bot
2021-04-15Add S/R logic for host.ConnectedEndpointFabricio Voznika
Otherwise ConnectedEndpoint.sndbuf will be restored as 0 and writes to the socket will fail with EAGAIN. PiperOrigin-RevId: 368746660
2021-04-15Merge release-20210408.0-34-gb5919d306 (automated)gVisor bot
2021-04-15Generate notification when closing host fd.Dean Deng
Thanks ianlewis@ for discovering the bug/fix! PiperOrigin-RevId: 368740744
2021-04-14Merge release-20210408.0-32-g108410638 (automated)gVisor bot
2021-04-14Use assembly stub to take the address of assembly functionsMichael Pratt
Go 1.17 is adding a new register-based calling convention [1] ("ABIInternal"), which used is when calling between Go functions. Assembly functions are still written using the old ABI ("ABI0"). That is, they still accept arguments on the stack, and pass arguments to other functions on the stack. The call rules look approximately like this: 1. Direct call from Go function to Go function: compiler emits direct ABIInternal call. 2. Indirect call from Go function to Go function: compiler emits indirect ABIInternal call. 3. Direct call from Go function to assembly function: compiler emits direct ABI0 call. 4. Indirect call from Go function to assembly function: compiler emits indirect ABIInternal call to ABI conversion wrapper function. 5. Direct or indirect call from assembly function to assembly function: assembly/linker emits call to original ABI0 function. 6. Direct or indirect call from assembly function to Go function: assembly/linker emits ABI0 call to ABI conversion wrapper function. Case 4 is the interesting one here. Since the compiler can't know the ABI of an indirect call, all indirect calls are made with ABIInternal. In order to support indirect ABI0 assembly function calls, a wrapper is generated that translates ABIInternal arguments to ABI0 arguments, calls the target function, and then converts results back. When the address of an ABI0 function is taken from Go code, it evaluates to the address of this wrapper function rather than the target function so that later indirect calls will work as expected. This is normally fine, but gVisor does more than just call some of the assembly functions we take the address of: either noting the start and end address for future reference from a signal handler (safecopy), or copying the function text to a new mapping (platforms). Both of these fail with wrappers enabled (currently, this is Go tip with GOEXPERIMENT=regabiwrappers) because these operations end up operating on the wrapper instead of the target function. We work around this issue by taking advantage of case 5: references to assembly symbols from other assembly functions resolve directly to the desired target symbol. Thus, rather than using reflect to get the address of a Go reference to the functions, we create assembly stubs that return the address of the function. This approach works just as well on current versions of Go, so the change can be made immediately and doesn't require any build tags. [1] https://go.googlesource.com/go/+/refs/heads/master/src/cmd/compile/abi-internal.md PiperOrigin-RevId: 368505655
2021-04-14Merge release-20210408.0-30-g5c1052b6b (automated)gVisor bot
2021-04-14[syserror] Remove syserror from go_marshalZach Koopmans
PiperOrigin-RevId: 368470656
2021-04-12Merge release-20210408.0-24-gc4c6a71fb (automated)gVisor bot
2021-04-12Add DecRef for verity FDs that were missingChong Cai
Some FileDescriptions in verity fs were opened but DecRef() were missing after used. This could result in a ref leak. PiperOrigin-RevId: 368096759
2021-04-12Merge release-20210408.0-23-gf4f6ce337 (automated)gVisor bot
2021-04-12Don't grab TaskSet mu recursively when reading task state.Rahat Mahmood
Reported-by: syzbot+a6ef0f95a2c9e7da26f3@syzkaller.appspotmail.com Reported-by: syzbot+2eaf8a9f115edec468fe@syzkaller.appspotmail.com PiperOrigin-RevId: 368093861
2021-04-10Merge release-20210408.0-17-gd1edabdca (automated)gVisor bot
2021-04-09iptables: support postrouting hook and SNAT targetToshi Kikuchi
The current SNAT implementation has several limitations: - SNAT source port has to be specified. It is not optional. - SNAT source port range is not supported. - SNAT for UDP is a one-way translation. No response packets are handled (because conntrack doesn't support UDP currently). - SNAT and REDIRECT can't work on the same connection. Fixes #5489 PiperOrigin-RevId: 367750325
2021-04-10Merge release-20210408.0-16-gea7faa505 (automated)gVisor bot
2021-04-09Return integrity failure only if enabledChong Cai
If the parent is not enabled in verity stepLocked(), failure to find the child dentry could just mean an incorrect path. PiperOrigin-RevId: 367733412
2021-04-10Merge release-20210408.0-15-g7420821a7 (automated)gVisor bot
2021-04-09Merge pull request #5767 from avagin:mxcsrgVisor bot
PiperOrigin-RevId: 367730917
2021-04-09Merge release-20210408.0-13-gdc8f6c691 (automated)gVisor bot
2021-04-09Move maxListenBacklog check to sentryMithun Iyer
Move maxListenBacklog check to the caller of endpoint Listen so that it is applicable to Unix domain sockets as well. This was changed in cl/366935921. Reported-by: syzbot+a35ae7cdfdde0c41cf7a@syzkaller.appspotmail.com PiperOrigin-RevId: 367728052
2021-04-09Merge release-20210408.0-9-gedf30a9bc (automated)gVisor bot
2021-04-08Set root dentry and hash for verity before verifyChong Cai
Set root dentry and root hash in verity fs before we verify the root directory if a root hash is provided. These are used during verification. PiperOrigin-RevId: 367547346
2021-04-09Merge release-20210408.0-8-g496a3654e (automated)gVisor bot
2021-04-08Set parent after child is verifiedChong Cai
We should only set parent after child is verified. Also, if the parent is set before verified, destroyLocked() will try to grab parent.dirMu, which may cause deadlock. PiperOrigin-RevId: 367543655
2021-04-08Merge release-20210322.0-63-gae019e39b (automated)gVisor bot
2021-04-08Merge pull request #5736 from lubinszARM:pr_bblu_tlb_asidgVisor bot
PiperOrigin-RevId: 367523491
2021-04-06Merge release-20210322.0-52-gfb4c700d0 (automated)gVisor bot
2021-04-05Update gofer dentry permissions only when needed.Ayush Ranjan
Without this change, we ask the gofer server to update the permissions whenever the UID, GID or size is updated via SetStat. Consequently, we don not generate inotify events when the permissions actually change due to SGID bit getting cleared. With this change, we will update the permissions only when needed and generate inotify events. PiperOrigin-RevId: 366946842
2021-04-06Merge release-20210322.0-51-g56c69fb0e (automated)gVisor bot
2021-04-05Fix listen backlog handling to be in parity with LinuxMithun Iyer
- Change the accept queue full condition for a listening endpoint to only honor completed (and delivered) connections. - Use syncookies if the number of incomplete connections is beyond listen backlog. This also cleans up the SynThreshold option code as that is no longer used with this change. - Added a new stack option to unconditionally generate syncookies. Similar to sysctl -w net.ipv4.tcp_syncookies=2 on Linux. - Enable keeping of incomplete connections beyond listen backlog. - Drop incoming SYNs only if the accept queue is filled up. - Drop incoming ACKs that complete handshakes when accept queue is full - Enable the stack to accept one more connection than programmed by listen backlog. - Handle backlog argument being zero, negative for listen, as Linux. - Add syscall and packetimpact tests to reflect the changes above. - Remove TCPConnectBacklog test which is polling for completed connections on the client side which is not reflective of whether the accept queue is filled up by the test. The modified syscall test in this CL addresses testing of connecting sockets. Fixes #3153 PiperOrigin-RevId: 366935921