summaryrefslogtreecommitdiffhomepage
path: root/runsc/boot
AgeCommit message (Collapse)Author
2019-09-07Merge fe1f5210 (automated)gVisor bot
2019-09-06Remove reundant global tcpip.LinkEndpointID.Ian Gudger
PiperOrigin-RevId: 267709597
2019-09-05Merge fbbb2f7e (automated)gVisor bot
2019-09-04Resolve flakes with TestMultiContainerDestroyFabricio Voznika
Some processes are reparented to the root container depending on the kill order and the root container would not reap in time. So some zombie processes were still present when the test checked. Fix it by running the second container inside a PID namespace. PiperOrigin-RevId: 267278591
2019-08-29Merge 0789b9cc (automated)gVisor bot
2019-08-29Merge pull request #655 from praveensastry:feature/runsc-ref-chk-leakgVisor bot
PiperOrigin-RevId: 266226714
2019-08-27Merge c3956433 (automated)gVisor bot
2019-08-27Mount volumes as super userFabricio Voznika
This used to be the case, but regressed after a recent change. Also made a few fixes around it and clean up the code a bit. Closes #720 PiperOrigin-RevId: 265717496
2019-08-22Add log prefix for better claritypraveensastry
2019-08-21Merge 573e6e4b (automated)gVisor bot
2019-08-21Use tcpip.Subnet in tcpip.RouteTamir Duberstein
This is the first step in replacing some of the redundant types with the standard library equivalents. PiperOrigin-RevId: 264706552
2019-08-09Fix the Stringer for leak modepraveensastry
2019-08-08Merge 13a98df4 (automated)gVisor bot
2019-08-08netstack: Don't start endpoint goroutines too soon on restore.Rahat Mahmood
Endpoint protocol goroutines were previously started as part of loading the endpoint. This is potentially too soon, as resources used by these goroutine may not have been loaded. Protocol goroutines may perform meaningful work as soon as they're started (ex: incoming connect) which can cause them to indirectly access resources that haven't been loaded yet. This CL defers resuming all protocol goroutines until the end of restore. PiperOrigin-RevId: 262409429
2019-08-06Remove traces option for ref leak modepraveensastry
2019-08-06Add option to configure reference leak checkingpraveensastry
2019-08-02Merge 960a5e55 (automated)gVisor bot
2019-08-02Remove stale TODOFabricio Voznika
This was done in commit 04cbb13ce9b151cf906f42e3f18ce3a875f01f63 PiperOrigin-RevId: 261414748
2019-08-02Plumbing for iptables sockopts.Kevin Krakauer
PiperOrigin-RevId: 261413396
2019-08-02Merge b461be88 (automated)gVisor bot
2019-08-02Stops container if gofer is killedFabricio Voznika
Each gofer now has a goroutine that polls on the FDs used to communicate with the sandbox. The respective gofer is destroyed if any of the FDs is closed. Closes #601 PiperOrigin-RevId: 261383725
2019-08-02Merge aaaefdf9 (automated)gVisor bot
2019-08-02Remove kernel.mounts.Nicolas Lacasse
We can get the mount namespace from the CreateProcessArgs in all cases where we need it. This also gets rid of kernel.Destroy method, since the only thing it was doing was DecRefing the mounts. Removing the need to call kernel.SetRootMountNamespace also allowed for some more simplifications in the container fs setup code. PiperOrigin-RevId: 261357060
2019-07-30Merge 1decf764 (automated)gVisor bot
2019-07-30Change syscall.POLL to syscall.PPOLL.Haibo Xu
syscall.POLL is not supported on arm64, using syscall.PPOLL to support both the x86 and arm64. refs #63 Signed-off-by: Haibo Xu <haibo.xu@arm.com> Change-Id: I2c81a063d3ec4e7e6b38fe62f17a0924977f505e COPYBARA_INTEGRATE_REVIEW=https://github.com/google/gvisor/pull/543 from xiaobo55x:master ba598263fd3748d1addd48e4194080aa12085164 PiperOrigin-RevId: 260752049
2019-07-27Merge 4183b902 (automated)gVisor bot
2019-07-26runsc: propagate the alsologtostderr to sub-commandsAndrei Vagin
PiperOrigin-RevId: 260239119
2019-07-26Merge b5012237 (automated)gVisor bot
2019-07-26Merge pull request #452 from zhangningdlut:chris_test_pidnsgVisor bot
PiperOrigin-RevId: 260220279
2019-07-25Merge 7052d21d (automated)gVisor bot
2019-07-25Automated rollback of changelist 255679453Fabricio Voznika
PiperOrigin-RevId: 260047477
2019-07-24Use different pidns among different containerschris.zn
The different containers in a sandbox used only one pid namespace before. This results in that a container can see the processes in another container in the same sandbox. This patch use different pid namespace for different containers. Signed-off-by: chris.zn <chris.zn@antfin.com>
2019-07-23Merge 04cbb13c (automated)gVisor bot
2019-07-23Give each container a distinct MountNamespace.Nicolas Lacasse
This keeps all container filesystem completely separate from eachother (including from the root container filesystem), and allows us to get rid of the "__runsc_containers__" directory. It also simplifies container startup/teardown as we don't have to muck around in the root container's filesystem. PiperOrigin-RevId: 259613346
2019-07-12Merge 6116473b (automated)gVisor bot
2019-07-12Take a reference on the already-mounted inode before re-mounting it.Nicolas Lacasse
PiperOrigin-RevId: 257855777
2019-07-12Merge 69e0affa (automated)gVisor bot
2019-07-08Merge pull request #375 from jmgao:mastergVisor bot
PiperOrigin-RevId: 257041876
2019-07-03Avoid importing platforms from many source filesAndrei Vagin
PiperOrigin-RevId: 256494243
2019-07-02Remove map from fd_map, change to fd_table.Adin Scannell
This renames FDMap to FDTable and drops the kernel.FD type, which had an entire package to itself and didn't serve much use (it was freely cast between types, and served as more of an annoyance than providing any protection.) Based on BenchmarkFDLookupAndDecRef-12, we can expect 5-10 ns per lookup operation, and 10-15 ns per concurrent lookup operation of savings. This also fixes two tangential usage issues with the FDMap. Namely, non-atomic use of NewFDFrom and associated calls to Remove (that are both racy and fail to drop the reference on the underlying file.) PiperOrigin-RevId: 256285890
2019-06-28Add finalizer on AtomicRefCount to check for leaks.Ian Gudger
PiperOrigin-RevId: 255711454
2019-06-28Automated rollback of changelist 255263686Nicolas Lacasse
PiperOrigin-RevId: 255679453
2019-06-28runsc: allow openat for runsc-raceAndrei Vagin
I see that runsc-race is killed by SIGSYS, because openat isn't allowed by seccomp filters: 60052 openat(AT_FDCWD, "/proc/sys/vm/overcommit_memory", O_RDONLY|O_CLOEXEC <unfinished ...> 60052 <... openat resumed> ) = 257 60052 --- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP, si_call_addr=0xfaacf1, si_syscall=__NR_openat, si_arch=AUDIT_ARCH_X86_64} --- PiperOrigin-RevId: 255640808
2019-06-27Merge 5b41ba5d (automated)gVisor bot
2019-06-27Merge 085a9075 (automated)gVisor bot
2019-06-27Fix various spelling issues in the documentationMichael Pratt
Addresses obvious typos, in the documentation only. COPYBARA_INTEGRATE_REVIEW=https://github.com/google/gvisor/pull/443 from Pixep:fix/documentation-spelling 4d0688164eafaf0b3010e5f4824b35d1e7176d65 PiperOrigin-RevId: 255477779
2019-06-27Cache directory entries in the overlayMichael Pratt
Currently, the overlay dirCache is only used for a single logical use of getdents. i.e., it is discard when the FD is closed or seeked back to the beginning. But the initial work of getting the directory contents can be quite expensive (particularly sorting large directories), so we should keep it as long as possible. This is very similar to the readdirCache in fs/gofer. Since the upper filesystem does not have to allow caching readdir entries, the new CacheReaddir MountSourceOperations method controls this behavior. This caching should be trivially movable to all Inodes if desired, though that adds an additional copy step for non-overlay Inodes. (Overlay Inodes already do the extra copy). PiperOrigin-RevId: 255477592
2019-06-26Merge 42e212f6 (automated)gVisor bot
2019-06-26Preserve permissions when checking lowerFabricio Voznika
The code was wrongly assuming that only read access was required from the lower overlay when checking for permissions. This allowed non-writable files to be writable in the overlay. Fixes #316 PiperOrigin-RevId: 255263686
2019-06-24fsgopher: reopen files via /proc/self/fdAndrei Vagin
When we reopen file by path, we can't be sure that we will open exactly the same file. The file can be deleted and another one with the same name can be created. PiperOrigin-RevId: 254898594