summaryrefslogtreecommitdiffhomepage
path: root/runsc
AgeCommit message (Collapse)Author
2020-07-09Merge release-20200622.1-87-ge506fcd93 (automated)gVisor bot
2020-07-09Add args and netns flag to runsc specIan Lewis
Adds a netns flag to runsc spec that allows users to specify a network namespace path when creating a sample config.json file. Also, adds the ability to specify the command arguments used when running the container. This will make it easier for new users to create sample OCI bundles without having to edit the config.json by hand. PiperOrigin-RevId: 320486267
2020-07-09Merge release-20200622.1-85-gc4815af94 (automated)gVisor bot
2020-07-08Add shared mount hints to VFS2Fabricio Voznika
Container restart test is disabled for VFS2 for now. Updates #1487 PiperOrigin-RevId: 320296401
2020-07-08Merge release-20200622.1-82-ga75d9f7be (automated)gVisor bot
2020-07-08Drop empty lineMichael Pratt
PiperOrigin-RevId: 320281516
2020-07-08Merge release-20200622.1-78-gefa2615eb (automated)gVisor bot
2020-07-07[vfs2] Remove VFS1 usage in VDSO.Ayush Ranjan
Removed VDSO dependency on VFS1. Resolves #2921 PiperOrigin-RevId: 320122176
2020-07-07Merge release-20200622.1-74-g10930189c (automated)gVisor bot
2020-07-07Fix mknod and inotify syscall testAyush Ranjan
This change fixes a few things: - creating sockets using mknod(2) is supported via vfs2 - fsgofer can create regular files via mknod(2) - mode = 0 for mknod(2) will be interpreted as regular file in vfs2 as well Updates #2923 PiperOrigin-RevId: 320074267
2020-06-26Merge release-20200622.1-28-gcfd049da8 (automated)gVisor bot
2020-06-25Test that the fuse device can be openedRidwan Sharif
2020-06-25Moved FUSE device under the fuse directoryRidwan Sharif
2020-06-24Merge release-20200608.0-122-g58880bf55 (automated)gVisor bot
2020-06-24Port /dev/net/tun device to VFS2.Nicolas Lacasse
Updates #2912 #1035 PiperOrigin-RevId: 318162565
2020-06-24Merge release-20200608.0-120-gb070e218c (automated)gVisor bot
2020-06-24Add support for Stack level options.Bhasker Hariharan
Linux controls socket send/receive buffers using a few sysctl variables - net.core.rmem_default - net.core.rmem_max - net.core.wmem_max - net.core.wmem_default - net.ipv4.tcp_rmem - net.ipv4.tcp_wmem The first 4 control the default socket buffer sizes for all sockets raw/packet/tcp/udp and also the maximum permitted socket buffer that can be specified in setsockopt(SOL_SOCKET, SO_(RCV|SND)BUF,...). The last two control the TCP auto-tuning limits and override the default specified in rmem_default/wmem_default as well as the max limits. Netstack today only implements tcp_rmem/tcp_wmem and incorrectly uses it to limit the maximum size in setsockopt() as well as uses it for raw/udp sockets. This changelist introduces the other 4 and updates the udp/raw sockets to use the newly introduced variables. The values for min/max match the current tcp_rmem/wmem values and the default value buffers for UDP/RAW sockets is updated to match the linux value of 212KiB up from the really low current value of 32 KiB. Updates #3043 Fixes #3043 PiperOrigin-RevId: 318089805
2020-06-24Merge release-20200608.0-119-g364ac92ba (automated)gVisor bot
2020-06-23Support for saving pointers to fields in the state package.Adin Scannell
Previously, it was not possible to encode/decode an object graph which contained a pointer to a field within another type. This was because the encoder was previously unable to disambiguate a pointer to an object and a pointer within the object. This CL remedies this by constructing an address map tracking the full memory range object occupy. The encoded Refvalue message has been extended to allow references to children objects within another object. Because the encoding process may learn about object structure over time, we cannot encode any objects under the entire graph has been generated. This CL also updates the state package to use standard interfaces intead of reflection-based dispatch in order to improve performance overall. This includes a custom wire protocol to significantly reduce the number of allocations and take advantage of structure packing. As part of these changes, there are a small number of minor changes in other places of the code base: * The lists used during encoding are changed to use intrusive lists with the objectEncodeState directly, which required that the ilist Len() method is updated to work properly with the ElementMapper mechanism. * A bug is fixed in the list code wherein Remove() called on an element that is already removed can corrupt the list (removing the element if there's only a single element). Now the behavior is correct. * Standard error wrapping is introduced. * Compressio was updated to implement the new wire.Reader and wire.Writer inteface methods directly. The lack of a ReadByte and WriteByte caused issues not due to interface dispatch, but because underlying slices for a Read or Write call through an interface would always escape to the heap! * Statify has been updated to support the new APIs. See README.md for a description of how the new mechanism works. PiperOrigin-RevId: 318010298
2020-06-24Merge release-20200608.0-115-g0f328beb0 (automated)gVisor bot
2020-06-23Port /dev/tty device to VFS2.Nicolas Lacasse
Support is limited to the functionality that exists in VFS1. Updates #2923 #1035 PiperOrigin-RevId: 317981417
2020-06-19Merge release-20200608.0-87-g28b8a5cc3 (automated)gVisor bot
2020-06-18iptables: remove metadata structKevin Krakauer
Metadata was useful for debugging and safety, but enough tests exist that we should see failures when (de)serialization is broken. It made stack initialization more cumbersome and it's also getting in the way of ip6tables. PiperOrigin-RevId: 317210653
2020-06-18Merge release-20200608.0-82-g07ff909e7 (automated)gVisor bot
2020-06-18Support setsockopt SO_SNDBUF/SO_RCVBUF for raw/udp sockets.Bhasker Hariharan
Updates #173,#6 Fixes #2888 PiperOrigin-RevId: 317087652
2020-06-16Merge release-20200608.0-67-gdbf786c6b (automated)gVisor bot
2020-06-16Add runsc options to set checksum offloading statusgVisor bot
--tx-checksum-offload=<true|false> enable TX checksum offload (default: false) --rx-checksum-offload=<true|false> enable RX checksum offload (default: true) Fixes #2989 PiperOrigin-RevId: 316781309
2020-06-16Merge release-20200608.0-64-gbae147560 (automated)gVisor bot
2020-06-16Print spec as json when --debug is enabledFabricio Voznika
The previous format skipped many important structs that are pointers, especially for cgroups. Change to print as json, removing parts of the spec that are not relevant. Also removed debug message from gofer that can be very noisy when directories are large. PiperOrigin-RevId: 316713267
2020-06-12Merge release-20200522.0-147-g8ea99d58f (automated)gVisor bot
2020-06-11Set the HOME environment variable for sub-containers.Ian Lewis
Fixes #701 PiperOrigin-RevId: 316025635
2020-06-12Merge release-20200522.0-145-g77c206e37 (automated)gVisor bot
2020-06-11Add //pkg/sentry/fsimpl/overlay.Jamie Liu
Major differences from existing overlay filesystems: - Linux allows lower layers in an overlay to require revalidation, but not the upper layer. VFS1 allows the upper layer in an overlay to require revalidation, but not the lower layer. VFS2 does not allow any layers to require revalidation. (Now that vfs.MkdirOptions.ForSyntheticMountpoint exists, no uses of overlay in VFS1 are believed to require upper layer revalidation; in particular, the requirement that the upper layer support the creation of "trusted." extended attributes for whiteouts effectively required the upper filesystem to be tmpfs in most cases.) - Like VFS1, but unlike Linux, VFS2 overlay does not attempt to make mutations of the upper layer atomic using a working directory and features like RENAME_WHITEOUT. (This may change in the future, since not having a working directory makes error recovery for some operations, e.g. rmdir, particularly painful.) - Like Linux, but unlike VFS1, VFS2 represents whiteouts using character devices with rdev == 0; the equivalent of the whiteout attribute on directories is xattr trusted.overlay.opaque = "y"; and there is no equivalent to the whiteout attribute on non-directories since non-directories are never merged with lower layers. - Device and inode numbers work as follows: - In Linux, modulo the xino feature and a special case for when all layers are the same filesystem: - Directories use the overlay filesystem's device number and an ephemeral inode number assigned by the overlay. - Non-directories that have been copied up use the device and inode number assigned by the upper filesystem. - Non-directories that have not been copied up use a per-(overlay, layer)-pair device number and the inode number assigned by the lower filesystem. - In VFS1, device and inode numbers always come from the lower layer unless "whited out"; this has the adverse effect of requiring interaction with the lower filesystem even for non-directory files that exist on the upper layer. - In VFS2, device and inode numbers are assigned as in Linux, except that xino and the samefs special case are not supported. - Like Linux, but unlike VFS1, VFS2 does not attempt to maintain memory mapping coherence across copy-up. (This may have to change in the future, as users may be dependent on this property.) - Like Linux, but unlike VFS1, VFS2 uses the overlayfs mounter's credentials when interacting with the overlay's layers, rather than the caller's. - Like Linux, but unlike VFS1, VFS2 permits multiple lower layers in an overlay. - Like Linux, but unlike VFS1, VFS2's overlay filesystem is application-mountable. Updates #1199 PiperOrigin-RevId: 316019067
2020-06-11Merge release-20200522.0-123-gab4c85189 (automated)gVisor bot
2020-06-10Cgroup fixesFabricio Voznika
- Set hugetlb related fields - Add realtime scheduler related fields - Beef up unit tests Updates #2713 PiperOrigin-RevId: 315797979
2020-06-10Merge release-20200522.0-122-g41d9e536d (automated)gVisor bot
2020-06-10Skip pids.max if value is zeroFabricio Voznika
LinuxPids.Limit is the only optional cgroup field in OCI that is not a pointer. If value is 0 or negative it should be skipped. PiperOrigin-RevId: 315791909
2020-06-09Merge release-20200522.0-105-g0ae5bd24d (automated)gVisor bot
2020-06-09Mount root and volumes as read-only if --overlay is enabledFabricio Voznika
PiperOrigin-RevId: 315583963
2020-06-09Merge release-20200522.0-99-g4e96b9491 (automated)gVisor bot
2020-06-08Combine executable lookup codeFabricio Voznika
Run vs. exec, VFS1 vs. VFS2 were executable lookup were slightly different from each other. Combine them all into the same logic. PiperOrigin-RevId: 315426443
2020-06-06Merge release-20200522.0-89-g21b6bc72 (automated)gVisor bot
2020-06-05Implement mount(2) and umount2(2) for VFS2.Rahat Mahmood
This is mostly syscall plumbing, VFS2 already implements the internals of mounts. In addition to the syscall defintions, the following mount-related mechanisms are updated: - Implement MS_NOATIME for VFS2, but only for tmpfs and goferfs. The other VFS2 filesystems don't implement node-level timestamps yet. - Implement the 'mode', 'uid' and 'gid' mount options for VFS2's tmpfs. - Plumb mount namespace ownership, which is necessary for checking appropriate capabilities during mount(2). Updates #1035 PiperOrigin-RevId: 315035352
2020-06-05Merge release-20200522.0-83-ge4e11f27 (automated)gVisor bot
2020-06-05Expand syscall filters to support MSAN.Nicolas Lacasse
PiperOrigin-RevId: 314997564
2020-06-05Merge release-20200522.0-76-g41da7a56 (automated)gVisor bot
2020-06-05Fix copylocks error about copying IPTables.Ting-Yu Wang
IPTables.connections contains a sync.RWMutex. Copying it will trigger copylocks analysis. Tested by manually enabling nogo tests. sync.RWMutex is added to IPTables for the additional race condition discovered. PiperOrigin-RevId: 314817019
2020-06-02Merge release-20200522.0-58-gca5912d1 (automated)gVisor bot
2020-06-01More runsc changes for VFS2Fabricio Voznika
- Add /tmp handling - Apply mount options - Enable more container_test tests - Forward signals to child process when test respaws process to run as root inside namespace. Updates #1487 PiperOrigin-RevId: 314263281
2020-06-01Merge release-20200522.0-55-g3a987160 (automated)gVisor bot