summaryrefslogtreecommitdiffhomepage
path: root/runsc/cmd
AgeCommit message (Collapse)Author
2021-07-13Merge release-20210705.0-14-g275932bf0 (automated)gVisor bot
2021-07-12Fix stdios ownershipFabricio Voznika
Set stdio ownership based on the container's user to ensure the user can open/read/write to/from stdios. 1. stdios in the host are changed to have the owner be the same uid/gid of the process running the sandbox. This ensures that the sandbox has full control over it. 2. stdios owner owner inside the sandbox is changed to match the container's user to give access inside the container and make it behave the same as runc. Fixes #6180 PiperOrigin-RevId: 384347009
2021-07-12Merge release-20210705.0-12-g7132b9a07 (automated)gVisor bot
2021-07-12Fix GoLand analyzer errors under runsc/...Fabricio Voznika
PiperOrigin-RevId: 384344990
2021-07-09Merge release-20210628.0-32-gf8207a823 (automated)gVisor bot
2021-07-08clarify safemount behaviorKevin Krakauer
PiperOrigin-RevId: 383750666
2021-07-08Merge release-20210628.0-31-g052eb90dc (automated)gVisor bot
2021-07-08Replace kernel.ExitStatus with linux.WaitStatus.Jamie Liu
PiperOrigin-RevId: 383705129
2021-07-03Merge release-20210628.0-23-g3d32a05a3 (automated)gVisor bot
2021-07-02runsc: validate mount targetsKevin Krakauer
PiperOrigin-RevId: 382845950
2021-07-01Merge release-20210628.0-19-g16b751b6c (automated)gVisor bot
2021-07-01Mix checklocks and atomic analyzers.Adin Scannell
This change makes the checklocks analyzer considerable more powerful, adding: * The ability to traverse complex structures, e.g. to have multiple nested fields as part of the annotation. * The ability to resolve simple anonymous functions and closures, and perform lock analysis across these invocations. This does not apply to closures that are passed elsewhere, since it is not possible to know the context in which they might be invoked. * The ability to annotate return values in addition to receivers and other parameters, with the same complex structures noted above. * Ignoring locking semantics for "fresh" objects, i.e. objects that are allocated in the local frame (typically a new-style function). * Sanity checking of locking state across block transitions and returns, to ensure that no unexpected locks are held. Note that initially, most of these findings are excluded by a comprehensive nogo.yaml. The findings that are included are fundamental lock violations. The changes here should be relatively low risk, minor refactorings to either include necessary annotations to simplify the code structure (in general removing closures in favor of methods) so that the analyzer can be easily track the lock state. This change additional includes two changes to nogo itself: * Sanity checking of all types to ensure that the binary and ast-derived types have a consistent objectpath, to prevent the bug above from occurring silently (and causing much confusion). This also requires a trick in order to ensure that serialized facts are consumable downstream. This can be removed with https://go-review.googlesource.com/c/tools/+/331789 merged. * A minor refactoring to isolation the objdump settings in its own package. This was originally used to implement the sanity check above, but this information is now being passed another way. The minor refactor is preserved however, since it cleans up the code slightly and is minimal risk. PiperOrigin-RevId: 382613300
2021-06-09Merge release-20210601.0-29-g1ca981f50 (automated)gVisor bot
2021-06-09Remove --overlayfs-stale-read flagFabricio Voznika
It defaults to true and setting it to false can cause filesytem corruption. PiperOrigin-RevId: 378518663
2021-05-10Merge release-20210503.0-30-g6c349c675 (automated)gVisor bot
2021-05-10Merge pull request #5764 from zhlhahaha:2126-2gVisor bot
PiperOrigin-RevId: 372993341
2021-04-17Merge release-20210408.0-46-g0c3e8daf5 (automated)gVisor bot
2021-04-16Allow runsc to generate coverage reports.Dean Deng
Add a coverage-report flag that will cause the sandbox to generate a coverage report (with suffix .cov) in the debug log directory upon exiting. For the report to be generated, runsc must have been built with the following Bazel flags: `--collect_code_coverage --instrumentation_filter=...`. With coverage reports, we should be able to aggregate results across all tests to surface code coverage statistics for the project as a whole. The report is simply a text file with each line representing a covered block as `file:start_line.start_col,end_line.end_col`. Note that this is similar to the format of coverage reports generated with `go test -coverprofile`, although we omit the count and number of statements, which are not useful for us. Some simple ways of getting coverage reports: bazel test <some_test> --collect_code_coverage \ --instrumentation_filter=//pkg/... bazel build //runsc --collect_code_coverage \ --instrumentation_filter=//pkg/... runsc -coverage-report=dir/ <other_flags> do ... PiperOrigin-RevId: 368952911
2021-04-16Merge release-20210408.0-41-g025cff180 (automated)gVisor bot
2021-04-16Internal changeZach Koopmans
PiperOrigin-RevId: 368919504
2021-04-05Merge release-20210322.0-43-ge21a71bff (automated)gVisor bot
2021-04-05Set Verity bit in verity_prepare cmdChong Cai
This is needed to enable Xattrs features required by verity. PiperOrigin-RevId: 366843640
2021-04-03Merge release-20210322.0-36-g491b106d6 (automated)gVisor bot
2021-04-02Implement the runsc verity-prepare command.Rahat Mahmood
Implement a new runsc command to set up a sandbox with verityfs and run the measure tool. This is loosely forked from the do command, and currently requires the caller to provide the measure tool binary. PiperOrigin-RevId: 366553769
2021-04-01Disable mitigate and related test on ARM64Howard Zhang
As MDS side channel attack does not affect ARM64, we disable mitigate on ARM64 in case misusage. For more detail, please refer to: https://access.redhat.com/security/vulnerabilities/mds Signed-off-by: Howard Zhang <howard.zhang@arm.com>
2021-03-30Merge release-20210322.0-30-g71f3dccbb (automated)gVisor bot
2021-03-30Fix panic when overriding /dev files with VFS2Fabricio Voznika
VFS1 skips over mounts that overrides files in /dev because the list of files is hardcoded. This is not needed for VFS2 and a recent change lifted this restriction. However, parts of the code were still skipping /dev mounts even in VFS2, causing the loader to panic when it ran short of FDs to connect to the gofer. PiperOrigin-RevId: 365858436
2021-03-23Merge release-20210315.0-16-g92374e519 (automated)gVisor bot
2021-03-23setgid directory support in goferfsKevin Krakauer
Also adds support for clearing the setuid bit when appropriate (writing, truncating, changing size, changing UID, or changing GID). VFS2 only. PiperOrigin-RevId: 364661835
2021-03-23Merge release-20210315.0-14-gbeb11cec7 (automated)gVisor bot
2021-03-23Allow FSETXATTR/FGETXATTR host calls for VerityChong Cai
These host calls are needed for Verity fs to generate/verify hashes. PiperOrigin-RevId: 364598180
2021-03-18Merge release-20210309.0-39-g5c4f4ed9e (automated)gVisor bot
2021-03-18Skip /dev submount hack on VFS2.Jamie Liu
containerd usually configures both /dev and /dev/shm as tmpfs mounts, e.g.: ``` "mounts": [ ... { "destination": "/dev", "type": "tmpfs", "source": "/run/containerd/io.containerd.runtime.v2.task/moby/10eedbd6a0e7937ddfcab90f2c25bd9a9968b734c4ae361318142165d445e67e/tmpfs", "options": [ "nosuid", "strictatime", "mode=755", "size=65536k" ] }, ... { "destination": "/dev/shm", "type": "tmpfs", "source": "/run/containerd/io.containerd.runtime.v2.task/moby/10eedbd6a0e7937ddfcab90f2c25bd9a9968b734c4ae361318142165d445e67e/shm", "options": [ "nosuid", "noexec", "nodev", "mode=1777", "size=67108864" ] }, ... ``` (This is mostly consistent with how Linux is usually configured, except that /dev is conventionally devtmpfs, not regular tmpfs. runc/libcontainer implements OCI-runtime-spec-undocumented behavior to create /dev/{ptmx,fd,stdin,stdout,stderr} in non-bind /dev mounts. runsc silently switches /dev to devtmpfs. In VFS1, this is necessary to get device files like /dev/null at all, since VFS1 doesn't support real device special files, only what is hardcoded in devfs. VFS2 does support device special files, but using devtmpfs is the easiest way to get pre-created files in /dev.) runsc ignores many /dev submounts in the spec, including /dev/shm. In VFS1, this appears to be to avoid introducing a submount overlay for /dev, and is mostly fine since the typical mode for the /dev/shm mount is ~consistent with the mode of the /dev/shm directory provided by devfs (modulo the sticky bit). In VFS2, this is vestigial (VFS2 does not use submount overlays), and devtmpfs' /dev/shm mode is correct for the mount point but not the mount. So turn off this behavior for VFS2. After this change: ``` $ docker run --rm -it ubuntu:focal ls -lah /dev/shm total 0 drwxrwxrwt 2 root root 40 Mar 18 00:16 . drwxr-xr-x 5 root root 360 Mar 18 00:16 .. $ docker run --runtime=runsc --rm -it ubuntu:focal ls -lah /dev/shm total 0 drwxrwxrwx 1 root root 0 Mar 18 00:16 . dr-xr-xr-x 1 root root 0 Mar 18 00:16 .. $ docker run --runtime=runsc-vfs2 --rm -it ubuntu:focal ls -lah /dev/shm total 0 drwxrwxrwt 2 root root 40 Mar 18 00:16 . drwxr-xr-x 5 root root 320 Mar 18 00:16 .. ``` Fixes #5687 PiperOrigin-RevId: 363699385
2021-03-12Merge release-20210301.0-37-gc5667022b (automated)gVisor bot
2021-03-11Major refactor of runsc mitigate.Zach Koopmans
PiperOrigin-RevId: 362360425
2021-03-09Merge release-20210301.0-27-g8018bf62b (automated)gVisor bot
2021-03-08Internal change.Chong Cai
PiperOrigin-RevId: 361689477
2021-03-07Merge release-20210301.0-22-ge668288fa (automated)gVisor bot
2021-03-06[op] Replace syscall package usage with golang.org/x/sys/unix in runsc/.Ayush Ranjan
The syscall package has been deprecated in favor of golang.org/x/sys. Note that syscall is still used in some places because the following don't seem to have an equivalent in unix package: - syscall.SysProcIDMap - syscall.Credential Updates #214 PiperOrigin-RevId: 361381490
2021-03-02Merge release-20210208.0-109-gb8a5420f4 (automated)gVisor bot
2021-03-02Add reverse flag to mitigate.Zach Koopmans
Add reverse operation to mitigate that just enables all CPUs. PiperOrigin-RevId: 360511215
2021-02-22Merge release-20210208.0-79-g19fe3a2bf (automated)gVisor bot
2021-02-22Fix `runsc kill --pid`Fabricio Voznika
Previously, loader.signalProcess was inconsitently using both root and container's PID namespace to find the process. It used root namespace for the exec'd process and container's PID namespace for other processes. This fixes the code to use the root PID namespace across the board, which is the same PID reported in `runsc ps` (or soon will after https://github.com/google/gvisor/pull/5519). PiperOrigin-RevId: 358836297
2021-02-10Merge release-20210201.0-76-g1ac58cc23 (automated)gVisor bot
2021-02-10Add mitigate command to runscZach Koopmans
PiperOrigin-RevId: 356772367
2021-02-02Merge release-20210125.0-62-g5f7bf3152 (automated)gVisor bot
2021-02-02Stub out basic `runsc events --stat` CPU functionalityKevin Krakauer
Because we lack gVisor-internal cgroups, we take the CPU usage of the entire pod and divide it proportionally according to sentry-internal usage stats. This fixes `kubectl top pods`, which gets a pod's CPU usage by summing the usage of its containers. Addresses #172. PiperOrigin-RevId: 355229833
2021-01-13Switch uses of os.Getenv that check for empty string to os.LookupEnv.Dean Deng
Whether the variable was found is already returned by syscall.Getenv. os.Getenv drops this value while os.Lookupenv passes it along. PiperOrigin-RevId: 351674032
2021-01-12Merge release-20201216.0-87-g4e03e8754 (automated)gVisor bot
2021-01-12Fix simple mistakes identified by goreportcard.Adin Scannell
These are primarily simplification and lint mistakes. However, minor fixes are also included and tests added where appropriate. PiperOrigin-RevId: 351425971