summaryrefslogtreecommitdiffhomepage
path: root/pkg
AgeCommit message (Collapse)Author
2020-04-24Standardize all Docker images.Adin Scannell
This change moves all Docker images to a standard location, and abstracts the build process so that they can be maintained in an automated fashion. This also allows the images to be architecture-independent. All images will now be referred to by the test framework via the canonical `gvisor.dev/images/<name>`, where `<name>` is a function of the path within the source tree. In a subsequent change, continuous integration will be added so that the images will always be correct and available locally. In the end, using `bazel` for Docker containers is simply not possible. Given that we already have the need to use `make` with the base container (for Docker), we extend this approach to get more flexibility. This change also adds a self-documenting and powerful Makefile that is intended to replace the collection of scripts in scripts. Canonical (self-documenting) targets can be added here for targets that understand which images need to be loaded and/or built. PiperOrigin-RevId: 308322438
2020-04-24Port SCM Rights to VFS2.Dean Deng
Fixes #1477. PiperOrigin-RevId: 308317511
2020-04-24Do not copy tcpip.CancellableTimerGhanan Gowripalan
A CancellableTimer's AfterFunc timer instance creates a closure over the CancellableTimer's address. This closure makes a CancellableTimer unsafe to copy. No behaviour change, existing tests pass. PiperOrigin-RevId: 308306664
2020-04-24Plumb context.Context into kernfs.Inode.Open().Dean Deng
PiperOrigin-RevId: 308304793
2020-04-24Fixes for procfsFabricio Voznika
- Return ENOENT for /proc/[pid]/task if task is zoombied or terminated - Allow directory to be Seek() to the end - Construct synthetic files for /proc/[pid]/ns/* - Changed GenericDirectoryFD.Init to not register with FileDescription, otherwise other implementation cannot change behavior. Updates #1195,1193 PiperOrigin-RevId: 308294649
2020-04-24Move hostfs mount to Kernel struct.Dean Deng
This is needed to set up host fds passed through a Unix socket. Note that the host package depends on kernel, so we cannot set up the hostfs mount directly in Kernel.Init as we do for sockfs and pipefs. Also, adjust sockfs to make its setup look more like hostfs's and pipefs's. PiperOrigin-RevId: 308274053
2020-04-24Refactor syscall.Fstat calls in hostfs.Dean Deng
Just call syscall.Fstat directly each time mode/file owner are needed. This feels more natural than using i.getPermissions(). PiperOrigin-RevId: 308257405
2020-04-23Enable automated marshalling for mempolicy syscalls.Rahat Mahmood
PiperOrigin-RevId: 308170679
2020-04-23Port devpts to VFS2.Nicolas Lacasse
PiperOrigin-RevId: 308164359
2020-04-23Remove View.First() and View.RemoveFirst()Kevin Krakauer
These methods let users eaily break the VectorisedView abstraction, and allowed netstack to slip into pseudo-enforcement of the "all headers are in the first View" invariant. Removing them and replacing with PullUp(n) breaks this reliance and will make it easier to add iptables support and rework network buffer management. The new View.PullUp(n) method is low cost in the common case, when when all the headers fit in the first View. PiperOrigin-RevId: 308163542
2020-04-23Enable automated marshalling for epoll events.Rahat Mahmood
Ensure we use the correct architecture-specific defintion of epoll event, and use go-marshal for serialization. PiperOrigin-RevId: 308145677
2020-04-23Add vfs.MkdirOptions.ForSyntheticMountpoint.Jamie Liu
PiperOrigin-RevId: 308143529
2020-04-23Merge pull request #1819 from lubinszARM:pr_signal_2gVisor bot
PiperOrigin-RevId: 308100771
2020-04-23Simplify Docker test infrastructure.Adin Scannell
This change adds a layer of abstraction around the internal Docker APIs, and eliminates all direct dependencies on Dockerfiles in the infrastructure. A subsequent change will automated the generation of local images (with efficient caching). Note that this change drops the use of bazel container rules, as that experiment does not seem to be viable. PiperOrigin-RevId: 308095430
2020-04-23Factor fsimpl/gofer.host{Preadv,Pwritev} out of fsimpl/gofer.Jamie Liu
Also fix returning EOF when 0 bytes are read. PiperOrigin-RevId: 308089875
2020-04-22Move user home detection to its own library.Nicolas Lacasse
PiperOrigin-RevId: 307977689
2020-04-22Specify a memory file in platform.New().Andrei Vagin
PiperOrigin-RevId: 307941984
2020-04-22tcp: handle listen after shutdown properlyAndrei Vagin
Right now, sentry panics in this case: panic: close of nil channel goroutine 67 [running]: pkg/tcpip/transport/tcp/tcp.(*endpoint).listen(0xc0000ce000, 0x9, 0x0) pkg/tcpip/transport/tcp/endpoint.go:2208 +0x170 pkg/tcpip/transport/tcp/tcp.(*endpoint).Listen(0xc0000ce000, 0x9, 0xc0003a1ad0) pkg/tcpip/transport/tcp/endpoint.go:2179 +0x50 Fixes #2468 PiperOrigin-RevId: 307896725
2020-04-21Fix set/getsockopt in vfs2 override.Dean Deng
Updates #1476. PiperOrigin-RevId: 307726055
2020-04-21Update gofer.filesystem.BoundEndpointAt() to allow path resolution.Dean Deng
Even though BoundEndpointAt is not yet implemented for gofer fs, allow path resolution errors to be returned so that we can jump to tmpfs, where it is implemented. Updates #1476. PiperOrigin-RevId: 307718335
2020-04-21Misc VFS2 fixesFabricio Voznika
- Fix defer operation ordering in kernfs.Filesystem.AccessAt() - Add AT_NULL entry in proc/pid/auvx - Fix line padding in /proc/pid/maps - Fix linux_dirent serialization for getdents(2) - Remove file creation flags from vfs.FileDescription.statusFlags() Updates #1193, #1035 PiperOrigin-RevId: 307704159
2020-04-21Merge pull request #1818 from lubinszARM:pr_signal_1gVisor bot
PiperOrigin-RevId: 307680200
2020-04-21Remove filesystem structure from vfs.Dentry.Jamie Liu
This change: - Drastically simplifies the synchronization model: filesystem structure is both implementation-defined and implementation-synchronized. - Allows implementations of vfs.DentryImpl to use implementation-specific dentry types, reducing casts during path traversal. - Doesn't require dentries representing non-directory files to waste space on a map of children. - Allows dentry revalidation and mount lookup to be correctly ordered (fixed FIXME in fsimpl/gofer/filesystem.go). - Removes the need to have two separate maps in gofer.dentry (dentry.vfsd.children and dentry.negativeChildren) for positive and negative lookups respectively. //pkg/sentry/fsimpl/tmpfs/benchmark_test.go: name old time/op new time/op delta VFS2TmpfsStat/1-112 172ns ± 4% 165ns ± 3% -4.08% (p=0.002 n=9+9) VFS2TmpfsStat/2-112 199ns ± 3% 195ns ±10% ~ (p=0.132 n=8+9) VFS2TmpfsStat/3-112 230ns ± 2% 216ns ± 2% -6.15% (p=0.000 n=8+8) VFS2TmpfsStat/8-112 390ns ± 2% 358ns ± 4% -8.33% (p=0.000 n=9+8) VFS2TmpfsStat/64-112 2.20µs ± 3% 2.01µs ± 3% -8.48% (p=0.000 n=10+8) VFS2TmpfsStat/100-112 3.42µs ± 9% 3.08µs ± 2% -9.82% (p=0.000 n=9+8) VFS2TmpfsMountStat/1-112 278ns ± 1% 286ns ±15% ~ (p=0.712 n=8+10) VFS2TmpfsMountStat/2-112 311ns ± 4% 298ns ± 2% -4.27% (p=0.000 n=9+8) VFS2TmpfsMountStat/3-112 339ns ± 3% 330ns ± 9% ~ (p=0.070 n=8+9) VFS2TmpfsMountStat/8-112 503ns ± 3% 466ns ± 3% -7.38% (p=0.000 n=8+8) VFS2TmpfsMountStat/64-112 2.53µs ±16% 2.17µs ± 7% -14.19% (p=0.000 n=10+9) VFS2TmpfsMountStat/100-112 3.60µs ± 4% 3.30µs ± 8% -8.33% (p=0.001 n=8+9) Updates #1035 PiperOrigin-RevId: 307655892
2020-04-21Sentry metrics updates.Dave Bailey
Sentry metrics with nanoseconds units are labeled as such, and non-cumulative sentry metrics are supported. PiperOrigin-RevId: 307621080
2020-04-21Automated rollback of changelist 307477185gVisor bot
PiperOrigin-RevId: 307598974
2020-04-20Add internal nogo analysis & checkescape tool.Adin Scannell
See tools/nogo/README.md. The checkescape tool is able to perform recursive escape analysis, using the actual generated binary to confirm the results produced by the compiler itself. As an initial use case, this replaces the manual escape analysis tests used for go_marshal, and validates that the CopyIn and CopyOut paths will not require any allocation or stack splits. Updates #2243 PiperOrigin-RevId: 307532986
2020-04-20Prevent race when reassigning CancellableTimerGhanan Gowripalan
Capture a timer's locker for each instance of a CancellableTimer so that reassigning a tcpip.CancellableTimer does not cause a data race. Reassigning a tcpip.CancellableTimer updates its underlying locker. When a timer fires, it does a read of the timer's locker variable to lock it. This read of the locker was not synchronized so a race existed where one goroutine may reassign the timer (updating the locker) and another handles the timer firing (attempts to lock the timer's locker). Test: tcpip_test.TestCancellableTimerReassignment PiperOrigin-RevId: 307499822
2020-04-20Merge pull request #2313 from kevinGC:firstngVisor bot
PiperOrigin-RevId: 307477185
2020-04-20Change lingering uses of "memfs" in fsimpl/tmpfs to "tmpfs".Jamie Liu
PiperOrigin-RevId: 307422746
2020-04-20Resolve issue with file mode for host fds.Dean Deng
Instead of plumbing error through kernfs.Inode.Mode, panic if err != nil. The errors that can result from an fstat syscall all indicate that something is fundamentally wrong, and panicking should be acceptable. PiperOrigin-RevId: 307406847
2020-04-19Don't accept segments outside the receive windowEyal Soha
Fixed to match RFC 793 page 69. Fixes #1607 PiperOrigin-RevId: 307334892
2020-04-17Merge pull request #2235 from xiaobo55x:pcidgVisor bot
PiperOrigin-RevId: 307166482
2020-04-17Fix watchdog skipStack: the meaning was reversed.Adin Scannell
PiperOrigin-RevId: 307166317
2020-04-17prlimit: don't check credentials on selfKevin Krakauer
prlimit was erroneously comparing UIDs and GIDs when getting/setting a process' own limits. From the manpage: To set or get the resources of a process other than itself, the caller must have the CAP_SYS_RESOURCE capability, or the real, effective, and saved set user IDs of the target process must match the real user ID of the caller and the real, effective, and saved set group IDs of the target process must match the real group ID of the caller. PiperOrigin-RevId: 307127266
2020-04-17Support NDP DNS Search List optionGhanan Gowripalan
Inform the netstack integrator when the netstack receives an NDP Router Advertisement message with the NDP DNS Search List option with at least one domain name. The stack will not maintain any state related to the search list - the integrator is expected to maintain any required state and invalidate domain names after their lifetime expires, or refresh the lifetime when a new one is received for a known domain name. Test: - header_test.TestNDPDNSSearchListOption - header_test.TestNDPDNSSearchListOptionSerialize - header_test.TestNDPSearchListOptionDomainNameLabelInvalidSymbols - header_test.TestNDPOptionsIterCheck - stack_test.TestNDPDNSSearchListDispatch PiperOrigin-RevId: 307109375
2020-04-17Remove View.First() and View.RemoveFirst()Kevin Krakauer
These methods let users eaily break the VectorisedView abstraction, and allowed netstack to slip into pseudo-enforcement of the "all headers are in the first View" invariant. Removing them and replacing with PullUp(n) breaks this reliance and will make it easier to add iptables support and rework network buffer management. The new View.PullUp(n) method is low cost in the common case, when when all the headers fit in the first View.
2020-04-17Merge pull request #1978 from lubinszARM:pr_signal_mmgVisor bot
PiperOrigin-RevId: 307078788
2020-04-17Get /bin/true to run on VFS2Zach Koopmans
Included: - loader_test.go RunTest and TestStartSignal VFS2 - container_test.go TestAppExitStatus on VFS2 - experimental flag added to runsc to turn on VFS2 Note: shared mounts are not yet supported. PiperOrigin-RevId: 307070753
2020-04-17Allow caller-defined sinks for packet sniffing.Tamir Duberstein
PiperOrigin-RevId: 307053624
2020-04-17Permit setting unknown optionsTamir Duberstein
This previously changed in 305699233, but this behaviour turned out to be load bearing. PiperOrigin-RevId: 307033802
2020-04-17Arm64: VDSO support for signalBin Lu
The vdso is enabled, so we can use the sigreturn trampolines the vdso provides in arch module. Signed-off-by: Bin Lu <bin.lu@arm.com>
2020-04-16Implement pipe(2) and pipe2(2) for VFS2.Jamie Liu
Updates #1035 PiperOrigin-RevId: 306968644
2020-04-16Drop invalid NDP NA messagesGhanan Gowripalan
Better validate NDP NAs options before updating the link address cache. Test: stack_test.TestNeighorAdvertisementWithTargetLinkLayerOption PiperOrigin-RevId: 306962924
2020-04-16Properly delegate WaitTamir Duberstein
PiperOrigin-RevId: 306959393
2020-04-16Reset pending connections on listener shutdown.Mithun Iyer
When the listening socket is read shutdown, we need to reset all pending and incoming connections. Ensure that the endpoint is not cleaned up from the demuxer and subsequent bind to same port does not go through. PiperOrigin-RevId: 306958038
2020-04-16Return detailed errors when iterating NDP optionsGhanan Gowripalan
Test: header_test.TestNDPOptionsIterCheck PiperOrigin-RevId: 306953867
2020-04-16Fix data race in tcp_test.Bhasker Hariharan
This change makes SynRcvdCountThreshold and the global synRcvdCount into a stack configurable value. This is required because in cases like mod_proxy which create multiple Stack instances the count will be a global value that impacts all Stack instances. Further the tests relied on modifying the global threshold to simulate tests where we want to verify SYN cookie based behaviour. This lead to data races due to the global being modified/read without locks or atomics. PiperOrigin-RevId: 306947723
2020-04-16Make ExtractErrno a functionFabricio Voznika
PiperOrigin-RevId: 306891171
2020-04-15Deduplicate packet loggingTamir Duberstein
PiperOrigin-RevId: 306677789
2020-04-15Remove unnecessary codeTamir Duberstein
Remove useless casts and duplicate return statements. PiperOrigin-RevId: 306627916