summaryrefslogtreecommitdiffhomepage
path: root/runsc/sandbox
AgeCommit message (Collapse)Author
2020-11-05Merge release-20201030.0-32-gc47f8afe2 (automated)gVisor bot
2020-11-05Fix failure setting OOM score adjustmentFabricio Voznika
When OOM score adjustment needs to be set, all the containers need to be loaded to find all containers that belong to the sandbox. However, each load signals the container to ensure it is still alive. OOM score adjustment is set during creation and deletion of every container, generating a flood of signals to all containers. The fix removes the signal check when it's not needed. There is also a race fetching OOM score adjustment value from the parent when the sandbox exits at the same time (the time it took to signal containers above made this window quite large). The fix is to store the original value in the sandbox state file and use it when the value needs to be restored. Also add more logging and made the existing ones more consistent to help with debugging. PiperOrigin-RevId: 340940799
2020-10-06Merge release-20200928.0-57-gb761330ca (automated)gVisor bot
2020-10-06Merge pull request #4355 from majek:marek/swallow-SO_RCVBUFFORCE-errorgVisor bot
PiperOrigin-RevId: 335714100
2020-10-06Merge release-20200928.0-48-g9e64b9f3a (automated)gVisor bot
2020-10-05Fix gofer monitor prematurely destroying containerFabricio Voznika
When all container tasks finish, they release the mount which in turn will close the 9P session to the gofer. The gofer exits when the connection closes, triggering the gofer monitor. The gofer monitor will _think_ that the gofer died prematurely and destroy the container. Then when the caller attempts to wait for the container, e.g. to get the exit code, wait fails saying the container doesn't exist. Gofer monitor now just SIGKILLs the container, and let the normal teardown process to happen, which will evetually destroy the container at the right time. Also, fixed an issue with exec racing with container's init process exiting. Closes #1487 PiperOrigin-RevId: 335537350
2020-09-25Swallow SO_RCVBUFFORCE and SO_SNDBUFFORCE errors on SOCK_RAW socketsMarek Majkowski
In --network=sandbox mode, we create SOCK_RAW sockets on the given network device. The code tries to force-set 4MiB rcv and snd buffers on it, but in certain situations it might fail. There is no reason for refusing the sandbox startup in such case - we should bump the buffers to max availabe size and just move on.
2020-09-01Merge release-20200818.0-102-g2eaf54dd5 (automated)gVisor bot
2020-09-01Refactor tty codebase to use master-replica terminology.Ayush Ranjan
Updates #2972 PiperOrigin-RevId: 329584905
2020-08-27Merge release-20200818.0-66-g32e7a54f7 (automated)gVisor bot
2020-08-26Make flag propagation automaticFabricio Voznika
Use reflection and tags to provide automatic conversion from Config to flags. This makes adding new flags less error-prone, skips flags using default values (easier to read), and makes tests correctly use default flag values for test Configs. Updates #3494 PiperOrigin-RevId: 328662070
2020-08-20Merge release-20200810.0-69-gbe76c7ce6 (automated)gVisor bot
2020-08-19Move boot.Config to its own packageFabricio Voznika
Updates #3494 PiperOrigin-RevId: 327548511
2020-08-05Merge release-20200804.0-19-g190b1e6bd (automated)gVisor bot
2020-08-05Stop profiling when the sentry exitsFabricio Voznika
Also removes `--profile-goroutine` because it's equivalent to `debug --stacks`. PiperOrigin-RevId: 325061502
2020-07-14Merge release-20200622.1-153-g1bfb556cc (automated)gVisor bot
2020-07-14Prepare boot.Loader to support multi-container TTYFabricio Voznika
- Combine process creation code that is shared between root and subcontainer processes - Move root container information into a struct for clarity Updates #2714 PiperOrigin-RevId: 321204798
2020-07-13Merge pull request #2672 from amscanne:shim-integratedgVisor bot
PiperOrigin-RevId: 321053634
2020-07-08Merge release-20200622.1-82-ga75d9f7be (automated)gVisor bot
2020-07-08Drop empty lineMichael Pratt
PiperOrigin-RevId: 320281516
2020-06-16Merge release-20200608.0-67-gdbf786c6b (automated)gVisor bot
2020-06-16Add runsc options to set checksum offloading statusgVisor bot
--tx-checksum-offload=<true|false> enable TX checksum offload (default: false) --rx-checksum-offload=<true|false> enable RX checksum offload (default: true) Fixes #2989 PiperOrigin-RevId: 316781309
2020-05-28Merge release-20200522.0-25-gf7418e21 (automated)gVisor bot
2020-05-28Move Cleanup to its own packageFabricio Voznika
PiperOrigin-RevId: 313663382
2020-05-27Merge release-20200518.0-45-g0bc022b7 (automated)gVisor bot
2020-05-07Merge release-20200422.0-51-g1f4087e (automated)gVisor bot
2020-04-30Merge release-20200422.0-7-gae15d90 (automated)gVisor bot
2020-04-30FIFO QDisc implementationBhasker Hariharan
Updates #231 PiperOrigin-RevId: 309323808
2020-04-23Merge release-20200323.0-215-g0c58694 (automated)gVisor bot
2020-04-22Specify a memory file in platform.New().Andrei Vagin
PiperOrigin-RevId: 307941984
2020-04-10Merge release-20200323.0-111-g2a28e3e (automated)gVisor bot
2020-04-09Don't unconditionally set --panic-signalFabricio Voznika
Closes #2393 PiperOrigin-RevId: 305793027
2020-04-08Merge release-20200323.0-89-g56054fc (automated)gVisor bot
2020-04-07Add friendlier messages for frequently encountered errors.Ian Lewis
Issue #2270 Issue #1765 PiperOrigin-RevId: 305385436
2020-04-07Merge release-20200323.0-85-gacf0259 (automated)gVisor bot
2020-04-07Don't map the 0 uid into a sandbox user namespaceAndrei Vagin
Starting with go1.13, we can specify ambient capabilities when we execute a new process with os/exe.Cmd. PiperOrigin-RevId: 305366706
2020-04-01Merge release-20200323.0-49-g4e6a1a5 (automated)gVisor bot
2020-04-01Automated rollback of changelist 303799678Adin Scannell
PiperOrigin-RevId: 304221302
2020-03-30Merge release-20200219.0-259-g3fac85d (automated)gVisor bot
2020-03-30kvm: handle exit reasons even under EINTR.Adin Scannell
In the case of other signals (preemption), inject a normal bounce and defer the signal until the vCPU has been returned from guest mode. PiperOrigin-RevId: 303799678
2020-03-12Merge release-20200219.0-157-gf2e4b5a (automated)gVisor bot
2020-03-12Kill sandbox process when parent process terminatesFabricio Voznika
When the sandbox runs in attached more, e.g. runsc do, runsc run, the sandbox lifetime is controlled by the parent process. This wasn't working in all cases because PR_GET_PDEATHSIG doesn't propagate through execve when the process changes uid/gid. So it was getting dropped when the sandbox execve's to change to user nobody. PiperOrigin-RevId: 300601247
2020-03-11Merge release-20200219.0-146-gd3fa741 (automated)gVisor bot
2020-03-11runsc: Set asyncpreemptoff for the kvm platformAndrei Vagin
The asynchronous goroutine preemption is a new feature of Go 1.14. When we switched to go 1.14 (cl/297915917) in the bazel config, the kokoro syscall-kvm job started permanently failing. Lets temporary set asyncpreemptoff for the kvm platform to unblock tests. PiperOrigin-RevId: 300372387
2020-03-06Merge release-20200219.0-109-g6367963 (automated)gVisor bot
2020-03-05Merge pull request #1951 from moricho:moricho/add-profiler-optiongVisor bot
PiperOrigin-RevId: 299233818
2020-02-28Merge release-20200219.0-66-g322dbfe (automated)gVisor bot
2020-02-28Allow to specify a separate log for GO's runtime messagesAndrei Vagin
GO's runtime calls the write system call twice to print "panic:" and "the reason of this panic", so here is a race window when other threads can print something to the log and we will see something like this: panic: log messages from another thread The reason of the panic. This confuses the syzkaller blacklist and dedup detection. It also makes the logs generally difficult to read. e.g., data races often have one side of the race, followed by a large "diagnosis" dump, finally followed by the other side of the race. PiperOrigin-RevId: 297887895
2020-02-26add profile optionmoricho
2020-02-20Merge release-20200211.0-57-g4a73bae (automated)gVisor bot