summaryrefslogtreecommitdiffhomepage
path: root/runsc
AgeCommit message (Collapse)Author
2018-06-22runsc: Enable waiting on individual containers within a sandbox.Kevin Krakauer
PiperOrigin-RevId: 201742160 Change-Id: Ia9fa1442287c5f9e1196fb117c41536a80f6bb31
2018-06-22Modified Checkpoint/Restore flags to improve compatibility with Docker.Brielle Broder
Added a number of unimplemented flags required for using runsc's Checkpoint and Restore with Docker. Modified the "image-path" flag to require a directory instead of a file. PiperOrigin-RevId: 201697486 Change-Id: I55883df2f1bbc3ec3c395e0ca160ce189e5e7eba
2018-06-21Forward SIGUSR2 to the sandbox tooFabricio Voznika
SIGUSR2 was being masked out to be used as a way to dump sentry stacks. This could cause compatibility problems in cases anyone uses SIGUSR2 to communicate with the container init process. PiperOrigin-RevId: 201575374 Change-Id: I312246e828f38ad059139bb45b8addc2ed055d74
2018-06-21Added functionality to create a RestoreEnvironment.Justine Olshan
Before a container can be restored, the mounts must be configured. The root and submounts and their key information is compiled into a RestoreEnvironment. Future code will be added to set this created environment before restoring a container. Tests to ensure the correct environment were added. PiperOrigin-RevId: 201544637 Change-Id: Ia894a8b0f80f31104d1c732e113b1d65a4697087
2018-06-21Restore implementation added to runsc.Brielle Broder
Restore creates a new container and uses the given image-path to load a saved image of a previous container. Restore command is plumbed through container and sandbox. This command does not work yet - more to come. PiperOrigin-RevId: 201541229 Change-Id: I864a14c799ce3717d99bcdaaebc764281863d06f
2018-06-21runsc: Default umask should be 0.Nicolas Lacasse
PiperOrigin-RevId: 201539050 Change-Id: I36cbf270fa5ad25de507ecb919e4005eda6aa16d
2018-06-21Fix typo in runsc gofer flag descriptionIan Gudger
PiperOrigin-RevId: 201529295 Change-Id: I55eb516ec6d14fbcd48593a3d61f724adc253a23
2018-06-20Reduce test sleep timeFabricio Voznika
PiperOrigin-RevId: 201428433 Change-Id: I72de1e46788ec84f61513416bb690956e515907e
2018-06-20Include image test as part of kokoro testsFabricio Voznika
PiperOrigin-RevId: 201427731 Change-Id: I5cbee383ec51c02b7892ec7812cbbdc426be8991
2018-06-20Add end-to-end image testsFabricio Voznika
PiperOrigin-RevId: 201418619 Change-Id: I7961b027394d98422642f829bc54745838c138bd
2018-06-20Add 'runsc debug' commandFabricio Voznika
It prints sandbox stacks to the log to help debug stuckness. I expect that many more options will be added in the future. PiperOrigin-RevId: 201405931 Change-Id: I87e560800cd5a5a7b210dc25a5661363c8c3a16e
2018-06-20Add tool to configure runtime settings in dockerFabricio Voznika
This will be used with the upcoming e2e image tests. PiperOrigin-RevId: 201400832 Change-Id: I49509314e16ea54655ea8060dbf511a04a7a8f79
2018-06-19runsc: Enable container creation within existing sandboxes.Kevin Krakauer
Containers are created as processes in the sandbox. Of the many things that don't work yet, the biggest issue is that the fsgofer is launched with its root as the sandbox's root directory. Thus, when a container is started and wants to read anything (including the init binary of the container), the gofer tries to serve from sandbox's root (which basically just has pause), not the container's. PiperOrigin-RevId: 201294560 Change-Id: I6423aa8830538959c56ae908ce067e4199d627b1
2018-06-19runsc: Whitelist lstat, as it is now used in specutils.Kevin Krakauer
When running multi-container, child containers are added after the filters have been installed. Thus, lstat must be in the set of allowed syscalls. PiperOrigin-RevId: 201269550 Change-Id: I03f2e6675a53d462ed12a0f651c10049b76d4c52
2018-06-19runsc: Fix flakey container_test.Kevin Krakauer
Verified that this is no longer flakey over 10K repetitions. PiperOrigin-RevId: 201267499 Change-Id: I793c916fe725412aec25953f764cb4f52c9fbed3
2018-06-19Added a resume command to unpause a paused container.Justine Olshan
Resume checks the status of the container and unpauses the kernel if its status is paused. Otherwise nothing happens. Tests were added to ensure that the process is in the correct state after various commands. PiperOrigin-RevId: 201251234 Change-Id: Ifd11b336c33b654fea6238738f864fcf2bf81e19
2018-06-18Modified boot.go to allow for restores.Justine Olshan
A file descriptor was added as a flag to boot so a state file can restore a container that was checkpointed. PiperOrigin-RevId: 201068699 Change-Id: I18e96069488ffa3add468861397f3877725544aa
2018-06-18runsc: support symlink to the exec path.Lantao Liu
PiperOrigin-RevId: 201049912 Change-Id: Idd937492217a4c2ca3d59c602e41576a3b203dd9
2018-06-18runsc: support "rw" mount option.Lantao Liu
PiperOrigin-RevId: 201018483 Change-Id: I52fe3d01c83c8a2f0e9275d9d88c37e46fa224a2
2018-06-18Automated rollback of changelist 200770591Fabricio Voznika
PiperOrigin-RevId: 201012131 Change-Id: I5cd69e795555129319eb41135ecf26db9a0b1fcb
2018-06-15Added code for a pause command for a container process.Justine Olshan
Like runc, the pause command will pause the processes of the given container. It will set that container's status to "paused." A resume command will be be added to unpause and continue running the process. PiperOrigin-RevId: 200789624 Change-Id: I72a5d7813d90ecfc4d01cc252d6018855016b1ea
2018-06-15runsc: Make gofer logs show up in test output.Kevin Krakauer
PiperOrigin-RevId: 200770591 Change-Id: Ifc096d88615b63135210d93c2b4cee2eaecf1eee
2018-06-15runsc: support /dev bind mount which does not conflict with default /dev mount.Lantao Liu
PiperOrigin-RevId: 200768923 Change-Id: I4b8da10bcac296e8171fe6754abec5aabfec5e65
2018-06-15runsc/cmd: fix kill signal parsingDmitry Vyukov
Signal is arg 1, not 2. Killing with SIGABRT is useful to get Go traces. Signed-off-by: Dmitry Vyukov <dvyukov@google.com> Change-Id: I0b78e34a9de3fb3385108e26fdb4ff6e9347aeff PiperOrigin-RevId: 200742743
2018-06-15Set kernel.applicationCores to the number of processor on the hostFabricio Voznika
The right number to use is the number of processors assigned to the cgroup. But until we make the sandbox join the respective cgroup, just use the number of processors on the host. Closes #65, closes #66 PiperOrigin-RevId: 200725483 Change-Id: I34a566b1a872e26c66f56fa6e3100f42aaf802b1
2018-06-14Fix typo.Brielle Broder
PiperOrigin-RevId: 200631795 Change-Id: I297fe3e30fb06b04fccd8358c933e45019dcc1fa
2018-06-14Add nanosleep filter for Go 1.11 supportMichael Pratt
golang.org/cl/108538 replaces pselect6 with nanosleep in runtime.usleep. Update the filters accordingly. PiperOrigin-RevId: 200574612 Change-Id: Ifb2296fcb3781518fc047aabbbffedb9ae488cd7
2018-06-13Fix failure to mount volume that sandbox process has no accessFabricio Voznika
Boot loader tries to stat mount to determine whether it's a file or not. This may file if the sandbox process doesn't have access to the file. Instead, add overlay on top of file, which is better anyway since we don't want to propagate changes to the host. PiperOrigin-RevId: 200411261 Change-Id: I14222410e8bc00ed037b779a1883d503843ffebb
2018-06-12runsc: do not include sub target if it is not started with '/'.Lantao Liu
PiperOrigin-RevId: 200274828 Change-Id: I956703217df08d8650a881479b7ade8f9f119912
2018-06-12Runsc checkpoint works.Brielle Broder
This is the first iteration of checkpoint that actually saves to a file. Tests for checkpoint are included. Ran into an issue when private unix sockets are enabled. An error message was added for this case and the mutex state was set. PiperOrigin-RevId: 200269470 Change-Id: I28d29a9f92c44bf73dc4a4b12ae0509ee4070e93
2018-06-12runsc: enable terminals in the sandbox.Kevin Krakauer
runsc now mounts the devpts filesystem, so you get a real terminal using ssh+sshd. PiperOrigin-RevId: 200244830 Change-Id: If577c805ad0138fda13103210fa47178d8ac6605
2018-06-12Enable debug logging in testsFabricio Voznika
Unit tests call runsc directly now, so all command line arguments are valid. On the other hand, enabling debug in the test binary doesn't affect runsc. It needs to be set in the config. PiperOrigin-RevId: 200237706 Change-Id: I0b5922db17f887f58192dbc2f8dd2fd058b76ec7
2018-06-08Drop capabilities not needed by GoferFabricio Voznika
PiperOrigin-RevId: 199808391 Change-Id: Ib37a4fb6193dc85c1f93bc16769d6aa41854b9d4
2018-06-06runsc: Support abbreviated container IDs.Kevin Krakauer
Just a UI/usability addition. It's a lot easier to type "60" than "60185c721d7e10c00489f1fa210ee0d35c594873d6376b457fb1815e4fdbfc2c". PiperOrigin-RevId: 199547932 Change-Id: I19011b5061a88aba48a9ad7f8cf954a6782de854
2018-06-06Add runsc checkpoint command.Googler
Checkpoint command is plumbed through container and sandbox. Restore has also been added but it is only a stub. None of this works yet. More changes to come. PiperOrigin-RevId: 199510105 Change-Id: Ibd08d57f4737847eb25ca20b114518e487320185
2018-06-06Added a function to the controller to checkpoint a container.Googler
Functionality for checkpoint is not complete, more to come. PiperOrigin-RevId: 199500803 Change-Id: Iafb0fcde68c584270000fea898e6657a592466f7
2018-06-04Make fsgofer attach more strictFabricio Voznika
Refuse to mount paths with "." and ".." in the path to prevent a compromised Sentry to mount "../../secrets". Only allow Attach to be called once per mount point. PiperOrigin-RevId: 199225929 Change-Id: I2a3eb7ea0b23f22eb8dde2e383e32563ec003bd5
2018-06-04Create destination mount dir if it doesn't existFabricio Voznika
PiperOrigin-RevId: 199175296 Change-Id: I694ad1cfa65572c92f77f22421fdcac818f44630
2018-06-04Return 'running' if gofer is still aliveFabricio Voznika
Containerd will start deleting container and rootfs after container is stopped. However, if gofer is still running, rootfs cleanup will fail because of device busy. This CL makes sure that gofer is not running when container state is stopped. Change from: lantaol@google.com PiperOrigin-RevId: 199172668 Change-Id: I9d874eec3ecf74fd9c8edd7f62d9f998edef66fe
2018-06-04Fix leaky FDFabricio Voznika
9P socket was being created without CLOEXEC and was being inherited by the children. This would prevent the gofer from detecting that the sandbox had exited, because the socket would not be closed. PiperOrigin-RevId: 199168959 Change-Id: I3ee1a07cbe7331b0aeb1cf2b697e728ce24f85a7
2018-06-04Refactor container_test in preparation for sandbox_testFabricio Voznika
Common code to setup and run sandbox is moved to testutil. Also, don't link "boot" and "gofer" commands with test binary. Instead, use runsc binary from the build. This not only make the test setup simpler, but also resolves a dependency issue with sandbox_tests not depending on container package. PiperOrigin-RevId: 199164478 Change-Id: I27226286ca3f914d4d381358270dd7d70ee8372f
2018-06-01Add SyscallRules that supports argument filteringZhengyu He
PiperOrigin-RevId: 198919043 Change-Id: I7f1f0a3b3430cd0936a4ee4fc6859aab71820bdf
2018-06-01Ignores IPv6 addresses when configuring networkFabricio Voznika
Closes #60 PiperOrigin-RevId: 198887885 Change-Id: I9bf990ee3fde9259836e57d67257bef5b85c6008
2018-05-29Supress error when deleting non-existing container with --forceFabricio Voznika
This addresses the first issue reported in #59. CRI-O expects runsc to return success to delete when --force is used with a non-existing container. PiperOrigin-RevId: 198487418 Change-Id: If7660e8fdab1eb29549d0a7a45ea82e20a1d4f4a
2018-05-24Configure sandbox as superuserFabricio Voznika
Container user might not have enough priviledge to walk directories and mount filesystems. Instead, create superuser to perform these steps of the configuration. PiperOrigin-RevId: 197953667 Change-Id: I643650ab654e665408e2af1b8e2f2aa12d58d4fb
2018-05-21Fix test failure when user can't mount temp dirFabricio Voznika
PiperOrigin-RevId: 197491098 Change-Id: Ifb75bd4e4f41b84256b6d7afc4b157f6ce3839f3
2018-05-17Implement sysv shm.Rahat Mahmood
PiperOrigin-RevId: 197058289 Change-Id: I3946c25028b7e032be4894d61acb48ac0c24d574
2018-05-17Push signal-delivery and wait into the sandbox.Nicolas Lacasse
This is another step towards multi-container support. Previously, we delivered signals directly to the sandbox process (which then forwarded the signal to PID 1 inside the sandbox). Similarly, we waited on a container by waiting on the sandbox process itself. This approach will not work when there are multiple containers inside the sandbox, and we need to signal/wait on individual containers. This CL adds two new messages, ContainerSignal and ContainerWait. These messages include the id of the container to signal/wait. The controller inside the sandbox receives these messages and signals/waits on the appropriate process inside the sandbox. The container id is plumbed into the sandbox, but it currently is not used. We still end up signaling/waiting on PID 1 in all cases. Once we actually have multiple containers inside the sandbox, we will need to keep some sort of map of container id -> pid (or possibly pid namespace), and signal/kill the appropriate process for the container. PiperOrigin-RevId: 197028366 Change-Id: I07b4d5dc91ecd2affc1447e6b4bdd6b0b7360895
2018-05-15Refactor the Sandbox package into Sandbox + Container.Nicolas Lacasse
This is a necessary prerequisite for supporting multiple containers in a single sandbox. All the commands (in cmd package) now call operations on Containers (container package). When a Container first starts, it will create a Sandbox with the same ID. The Sandbox class is now simpler, as it only knows how to create boot/gofer processes, and how to forward commands into the running boot process. There are TODOs sprinkled around for additional support for multiple containers. Most notably, we need to detect when a container is intended to run in an existing sandbox (by reading the metadata), and then have some way to signal to the sandbox to start a new container. Other urpc calls into the sandbox need to pass the container ID, so the sandbox can run the operation on the given container. These are only half-plummed through right now. PiperOrigin-RevId: 196688269 Change-Id: I1ecf4abbb9dd8987a53ae509df19341aaf42b5b0
2018-05-10Fix failure to rename directoryFabricio Voznika
os.Rename validates that the target doesn't exist, which is different from syscall.Rename which replace the target if both are directories. fsgofer needs the syscall behavior. PiperOrigin-RevId: 196194630 Change-Id: I87d08cad88b5ef310b245cd91647c4f5194159d8