summaryrefslogtreecommitdiffhomepage
path: root/runsc/cmd
AgeCommit message (Collapse)Author
2019-10-16Merge release-20190806.1-281-g9fb5622 (automated)gVisor bot
2019-10-16Fix problem with open FD when copy up is triggered in overlayfsFabricio Voznika
Linux kernel before 4.19 doesn't implement a feature that updates open FD after a file is open for write (and is copied to the upper layer). Already open FD will continue to read the old file content until they are reopened. This is especially problematic for gVisor because it caches open files. Flag was added to force readonly files to be reopenned when the same file is open for write. This is only needed if using kernels prior to 4.19. Closes #1006 It's difficult to really test this because we never run on tests on older kernels. I'm adding a test in GKE which uses kernels with the overlayfs problem for 1.14 and lower. PiperOrigin-RevId: 275115289
2019-10-15Merge release-20190806.1-270-gbfa0bb2 (automated)gVisor bot
2019-10-11Set base to rootDavor Kapsa
2019-10-10Remove unnecessary assignment to pathDavor Kapsa
2019-10-01Merge release-20190806.1-218-g0b02c3d (automated)gVisor bot
2019-10-01Prevent CAP_NET_RAW from appearing in execFabricio Voznika
'docker exec' was getting CAP_NET_RAW even when --net-raw=false because it was not filtered out from when copying container's capabilities. PiperOrigin-RevId: 272260451
2019-09-25Merge release-20190806.1-195-gdd0e5ee (automated)gVisor bot
2019-09-25Merge pull request #765 from trailofbits:uds_supportgVisor bot
PiperOrigin-RevId: 271235134
2019-09-24Refactor command line options and remove the allowed terminology for udsRobert Tonic
2019-09-24Merge release-20190806.1-172-gf2ea8e6 (automated)gVisor bot
2019-09-23Always set HOME env var with `runsc exec`.Nicolas Lacasse
We already do this for `runsc run`, but need to do the same for `runsc exec`. PiperOrigin-RevId: 270793459
2019-09-19Fix documentation, clean up seccomp filter installation, rename helpers.Robert Tonic
Filter installation has been streamlined and functions renamed. Documentation has been fixed to be standards compliant, and missing documentation added. gofmt has also been applied to modified files.
2019-09-19Place the host UDS mounting behind --fsgofer-host-uds-allowed.Robert Tonic
This commit allows the use of the `--fsgofer-host-uds-allowed` flag to enable mounting sockets and add the appropriate seccomp filters.
2019-09-04Merge 67a2ab14 (automated)gVisor bot
2019-09-03Impose order on test scripts.Adin Scannell
The simple test script has gotten out of control. Shard this script into different pieces and attempt to impose order on overall test structure. This change helps lay some of the foundations for future improvements. * The runsc/test directories are moved into just test/. * The runsc/test/testutil package is split into logical pieces. * The scripts/ directory contains new top-level targets. * Each test is now responsible for building targets it requires. * The install functionality is moved into `runsc` itself for simplicity. * The existing kokoro run_tests.sh file now just calls all (can be split). After this change is merged, I will create multiple distinct workflows for Kokoro, one for each of the scripts currently targeted by `run_tests.sh` today, which should dramatically reduce the time-to-run for the Kokoro tests, and provides a better foundation for further improvements to the infrastructure. PiperOrigin-RevId: 267081397
2019-07-12Merge 69e0affa (automated)gVisor bot
2019-07-03Avoid importing platforms from many source filesAndrei Vagin
PiperOrigin-RevId: 256494243
2019-06-27Merge 5b41ba5d (automated)gVisor bot
2019-06-27Fix various spelling issues in the documentationMichael Pratt
Addresses obvious typos, in the documentation only. COPYBARA_INTEGRATE_REVIEW=https://github.com/google/gvisor/pull/443 from Pixep:fix/documentation-spelling 4d0688164eafaf0b3010e5f4824b35d1e7176d65 PiperOrigin-RevId: 255477779
2019-06-26Merge 67e2f227 (automated)gVisor bot
2019-06-26Always set SysProcAttr.Ctty to an FD in the child's FD table.Nicolas Lacasse
Go was going to change the behavior of SysProcAttr.Ctty such that it must be an FD in the *parent* FD table: https://go-review.googlesource.com/c/go/+/178919/ However, after some debate, it was decided that this change was too backwards-incompatible, and so it was reverted. https://github.com/golang/go/issues/29458 The behavior going forward is unchanged: the Ctty FD must be an FD in the *child* FD table. PiperOrigin-RevId: 255228476
2019-06-25Merge a8f148b8 (automated)gVisor bot
2019-06-25Use different Ctty FDs based on the go version.Nicolas Lacasse
An upcoming change in Go 1.13 [1] changes the semantics of the SysProcAttr.Ctty field. Prior to the change, the FD must be an FD in the child process's FD table (aka "post-shuffle"). After the change, the FD must be an FD in the current process's FD table (aka "pre-shuffle"). To be compatible with both versions this CL introduces a new boolean "CttyFdIsPostShuffle" which indicates whether a pre- or post-shuffle FD should be provided. We use build tags to chose the correct one. 1: https://go-review.googlesource.com/c/go/+/178919/ PiperOrigin-RevId: 255015303
2019-06-25Merge fd16a329 (automated)gVisor bot
2019-06-24fsgopher: reopen files via /proc/self/fdAndrei Vagin
When we reopen file by path, we can't be sure that we will open exactly the same file. The file can be deleted and another one with the same name can be created. PiperOrigin-RevId: 254898594
2019-06-24Merge b21b1db7 (automated)gVisor bot
2019-06-24Allow to change logging options using 'runsc debug'Fabricio Voznika
New options are: runsc debug --strace=off|all|function1,function2 runsc debug --log-level=warning|info|debug runsc debug --log-packets=true|false Updates #407 PiperOrigin-RevId: 254843128
2019-06-18Merge 0e07c94d (automated)gVisor bot
2019-06-18Kill sandbox process when 'runsc do' exitsFabricio Voznika
PiperOrigin-RevId: 253882115
2019-06-18Merge bdb19b82 (automated)gVisor bot
2019-06-18Add Container/Sandbox args struct for creationFabricio Voznika
There were 3 string arguments that could be easily misplaced and it makes it easier to add new arguments, especially for Container that has dozens of callers. PiperOrigin-RevId: 253872074
2019-06-13Merge add40fd6 (automated)gVisor bot
2019-06-13Update canonical repository.Adin Scannell
This can be merged after: https://github.com/google/gvisor-website/pull/77 or https://github.com/google/gvisor-website/pull/78 PiperOrigin-RevId: 253132620
2019-06-12Merge 356d1be1 (automated)gVisor bot
2019-06-12Allow 'runsc do' to run without rootFabricio Voznika
'--rootless' flag lets a non-root user execute 'runsc do'. The drawback is that the sandbox and gofer processes will run as root inside a user namespace that is mapped to the caller's user, intead of nobody. And network is defaulted to '--network=host' inside the root network namespace. On the bright side, it's very convenient for testing: runsc --rootless do ls runsc --rootless do curl www.google.com PiperOrigin-RevId: 252840970
2019-06-11Merge 74e397e3 (automated)gVisor bot
2019-06-10Add introspection for Linux/AMD64 syscallsIan Lewis
Adds simple introspection for syscall compatibility information to Linux/AMD64. Syscalls registered in the syscall table now have associated metadata like name, support level, notes, and URLs to relevant issues. Syscall information can be exported as a table, JSON, or CSV using the new 'runsc help syscalls' command. Users can use this info to debug and get info on the compatibility of the version of runsc they are running or to generate documentation. PiperOrigin-RevId: 252558304
2019-06-10Merge a00157cc (automated)gVisor bot
2019-06-06Send error message to docker/kubectl exec on failureFabricio Voznika
Containerd uses the last error message sent to the log to print as failure cause for create/exec. This required a few changes in the logging logic for runsc: - cmd.Errorf/Fatalf: now writes a message with 'error' level to containerd log, in addition to stderr and debug logs, like before. - log.Infof/Warningf/Fatalf: are not sent to containerd log anymore. They are mostly used for debugging and not useful to containerd. In most cases, --debug-log is enabled and this avoids the logs messages from being duplicated. - stderr is not used as default log destination anymore. Some commands assume stdio is for the container/process running inside the sandbox and it's better to never use it for logging. By default, logs are supressed now. PiperOrigin-RevId: 251881815
2019-06-04Merge f520d0d5 (automated)gVisor bot
2019-06-03Remove 'clearStatus' option from container.Wait*PID()Fabricio Voznika
clearStatus was added to allow detached execution to wait on the exec'd process and retrieve its exit status. However, it's not currently used. Both docker and gvisor-containerd-shim wait on the "shim" process and retrieve the exit status from there. We could change gvisor-containerd-shim to use waits, but it will end up also consuming a process for the wait, which is similar to having the shim process. Closes #234 PiperOrigin-RevId: 251349490
2019-06-02Merge 216da0b7 (automated)gVisor bot
2019-05-30Add support for collecting execution trace to runsc.Bhasker Hariharan
Updates #220 PiperOrigin-RevId: 250532302
2019-05-30runsc/do: don't specify the read-only flag for the root mountAndrei Vagin
The root mount is an overlay mount. PiperOrigin-RevId: 250429317
2019-05-30runsc/do: allow to run commands in a host network namespaceAndrei Vagin
PiperOrigin-RevId: 250329795
2019-05-30Update internal flag name and documentationFabricio Voznika
Updates #234 PiperOrigin-RevId: 250323553
2019-05-23runsc/do: do a proper cleanup if a command failed due to internal errorsAndrei Vagin
Fatalf calls os.Exit and a process exits without calling defer callbacks. Should we do this for other runsc commands? PiperOrigin-RevId: 249776310 Change-Id: If9d8b54d0ae37db443895906eb33bd9e9b600cc9
2019-05-15Cleanup around urpc file payload handlingFabricio Voznika
urpc always closes all files once the RPC function returns. PiperOrigin-RevId: 248406857 Change-Id: I400a8562452ec75c8e4bddc2154948567d572950
2019-05-03Fix runsc restore to be compatible with docker start --checkpoint ...Andrei Vagin
Change-Id: I02b30de13f1393df66edf8829fedbf32405d18f8 PiperOrigin-RevId: 246621192