summaryrefslogtreecommitdiffhomepage
path: root/runsc
AgeCommit message (Collapse)Author
2018-09-12runsc: Add exec flag that specifies where to save the sandbox-internal pid.Kevin Krakauer
This is different from the existing -pid-file flag, which saves a host pid. PiperOrigin-RevId: 212713968 Change-Id: I2c486de8dd5cfd9b923fb0970165ef7c5fc597f0
2018-09-12Remove getdents from filtersMichael Pratt
It was only used by whitelistfs, which was removed in bc81f3fe4a042a15343d2eab44da32d818ac1ade. PiperOrigin-RevId: 212666374 Change-Id: Ia35e6dc9d68c1a3b015d5b5f71ea3e68e46c5bed
2018-09-11Rollback of changelist 212483372Michael Pratt
PiperOrigin-RevId: 212557844 Change-Id: I414de848e75d57ecee2c05e851d05b607db4aa57
2018-09-11platform: Pass device fd into platform constructor.Nicolas Lacasse
We were previously openining the platform device (i.e. /dev/kvm) inside the platfrom constructor (i.e. kvm.New). This requires that we have RW access to the platform device when constructing the platform. However, now that the runsc sandbox process runs as user "nobody", it is not able to open the platform device. This CL changes the kvm constructor to take the platform device FD, rather than opening the device file itself. The device file is opened outside of the sandbox and passed to the sandbox process. PiperOrigin-RevId: 212505804 Change-Id: I427e1d9de5eb84c84f19d513356e1bb148a52910
2018-09-11Allow fstatat back in syscall filtersFabricio Voznika
PiperOrigin-RevId: 212483372 Change-Id: If95f32a8e41126cf3dc8bd6c8b2fb0fcfefedc6d
2018-09-10runsc: Chmod all mounted files to 777 inside chroot.Nicolas Lacasse
Inside the chroot, we run as user nobody, so all mounted files and directories must be accessible to all users. PiperOrigin-RevId: 212284805 Change-Id: I705e0dbbf15e01e04e0c7f378a99daffe6866807
2018-09-07Automated rollback of changelist 212059579Nicolas Lacasse
PiperOrigin-RevId: 212069131 Change-Id: I01476f957bbf29d4ee5a3c11d59d4f863ba9f2df
2018-09-07Automated rollback of changelist 211992321Nicolas Lacasse
PiperOrigin-RevId: 212066419 Change-Id: Icded56e7e117bfd9b644e6541bddcd110460a9b8
2018-09-07runsc: Support multi-container exec.Nicolas Lacasse
We must use a context.Context with a Root Dirent that corresponds to the container's chroot. Previously we were using the root context, which does not have a chroot. Getting the correct context required refactoring some of the path-lookup code. We can't lookup the path without a context.Context, which requires kernel.CreateProcArgs, which we only get inside control.Execute. So we have to do the path lookup much later than we previously were. PiperOrigin-RevId: 212064734 Change-Id: I84a5cfadacb21fd9c3ab9c393f7e308a40b9b537
2018-09-07Disable test until we figure out what's brokenFabricio Voznika
PiperOrigin-RevId: 212059579 Change-Id: I052c2192d3483d7bd0fd2232ef2023a12da66446
2018-09-07Add additional sanity checks for walk.Adin Scannell
PiperOrigin-RevId: 212058684 Change-Id: I319709b9ffcfccb3231bac98df345d2a20eca24b
2018-09-07Only start signal forwarding after init process is createdFabricio Voznika
PiperOrigin-RevId: 212028121 Change-Id: If9c2c62f3be103e2bb556b8d154c169888e34369
2018-09-07Remove '--file-access=direct' optionFabricio Voznika
It was used before gofer was implemented and it's not supported anymore. BREAKING CHANGE: proxy-shared and proxy-exclusive options are now: shared and exclusive. PiperOrigin-RevId: 212017643 Change-Id: If029d4073fe60583e5ca25f98abb2953de0d78fd
2018-09-07Use root abstract socket namespace for execFabricio Voznika
PiperOrigin-RevId: 211999211 Change-Id: I5968dd1a8313d3e49bb6e6614e130107495de41d
2018-09-07runsc: Run sandbox process inside minimal chroot.Nicolas Lacasse
We construct a dir with the executable bind-mounted at /exe, and proc mounted at /proc. Runsc now executes the sandbox process inside this chroot, thus limiting access to the host filesystem. The mounts and chroot dir are removed when the sandbox is destroyed. Because this requires bind-mounts, we can only do the chroot if we have CAP_SYS_ADMIN. PiperOrigin-RevId: 211994001 Change-Id: Ia71c515e26085e0b69b833e71691830148bc70d1
2018-09-07runsc: Dup debug log file to stderr, so sentry panics don't get lost.Nicolas Lacasse
Docker and containerd do not expose runsc's stderr, so tracking down sentry panics can be painful. If we have a debug log file, we should send panics (and all stderr data) to the log file. PiperOrigin-RevId: 211992321 Change-Id: I5f0d2f45f35c110a38dab86bafc695aaba42f7a3
2018-09-06runsc: do not delete in paused state.Lantao Liu
PiperOrigin-RevId: 211835570 Change-Id: Ied7933732cad5bc60b762e9c964986cb49a8d9b9
2018-09-06Enable network for multi-containerFabricio Voznika
PiperOrigin-RevId: 211834411 Change-Id: I52311a6c5407f984e5069359d9444027084e4d2a
2018-09-06runsc testing: Move TestMultiContainerSignal to multi_container_test.Kevin Krakauer
PiperOrigin-RevId: 211831396 Change-Id: Id67f182cb43dccb696180ec967f5b96176f252e0
2018-09-05runsc: Support runsc kill multi-container.Kevin Krakauer
Now, we can kill individual containers rather than the entire sandbox. PiperOrigin-RevId: 211748106 Change-Id: Ic97e91db33d53782f838338c4a6d0aab7a313ead
2018-09-05Use container's capabilities in execFabricio Voznika
When no capabilities are specified in exec, use the container's capabilities to match runc's behavior. PiperOrigin-RevId: 211735186 Change-Id: Icd372ed64410c81144eae94f432dffc9fe3a86ce
2018-09-05Enabled bind mounts in sub-containersFabricio Voznika
With multi-gofers, bind mounts in sub-containers should just work. Removed restrictions and added test. There are also a few cleanups along the way, e.g. retry unmounting in case cleanup races with gofer teardown. PiperOrigin-RevId: 211699569 Change-Id: Ic0a69c29d7c31cd7e038909cc686c6ac98703374
2018-09-05Running container should have a valid sandboxFabricio Voznika
PiperOrigin-RevId: 211693868 Change-Id: Iea340dd78bf26ae6409c310b63c17cc611c2055f
2018-09-05Add MADVISE to fsgofer seccomp profileFabricio Voznika
PiperOrigin-RevId: 211686037 Change-Id: I0e776ca760b65ba100e495f471b6e811dbd6590a
2018-09-05Move multi-container test to a single fileFabricio Voznika
PiperOrigin-RevId: 211685288 Change-Id: I7872f2a83fcaaa54f385e6e567af6e72320c5aa0
2018-09-05runsc: Promote getExecutablePathInternal to getExecutablePath.Nicolas Lacasse
Remove GetExecutablePath (the non-internal version). This makes path handling more consistent between exec, root, and child containers. The new getExecutablePath now uses MountNamespace.FindInode, which is more robust than Walking the Dirent tree ourselves. This also removes the last use of lstat(2) in the sentry, so that can be removed from the filters. PiperOrigin-RevId: 211683110 Change-Id: Ic8ec960fc1c267aa7d310b8efe6e900c88a9207a
2018-09-04runsc: Run sandbox as user nobody.Nicolas Lacasse
When starting a sandbox without direct file or network access, we create an empty user namespace and run the sandbox in there. However, the root user in that namespace is still mapped to the root user in the parent namespace. This CL maps the "nobody" user from the parent namespace into the child namespace, and runs the sandbox process as user "nobody" inside the new namespace. PiperOrigin-RevId: 211572223 Change-Id: I1b1f9b1a86c0b4e7e5ca7bc93be7d4887678bab6
2018-09-04runsc: Pass log and config files to sandbox process by FD.Nicolas Lacasse
This is a prereq for running the sandbox process as user "nobody", when it may not have permissions to open these files. Instead, we must open then before starting the sandbox process, and pass them by FD. The specutils.ReadSpecFromFile method was fixed to always seek to the beginning of the file before reading. This allows Files from the same FD to be read multiple times, as we do in the boot command when the apply-caps flag is set. Tested with --network=host. PiperOrigin-RevId: 211570647 Change-Id: I685be0a290aa7f70731ebdce82ebc0ebcc9d475c
2018-09-04runsc: fix container rootfs path.Lantao Liu
PiperOrigin-RevId: 211515350 Change-Id: Ia495af57447c799909aa97bb873a50b87bee2625
2018-09-04Remove epoll_wait from filtersMichael Pratt
Go 1.11 replaced it with epoll_pwait. PiperOrigin-RevId: 211510006 Change-Id: I48a6cae95ed3d57a4633895358ad05ad8bf2f633
2018-08-31Mounting over '/tmp' may failFabricio Voznika
PiperOrigin-RevId: 211160120 Change-Id: Ie5f280bdac17afd01cb16562ffff6222b3184c34
2018-08-31Remove not used depsFabricio Voznika
PiperOrigin-RevId: 211147521 Change-Id: I9b8b67df50a3ba084c07a48c72a874d7e2007f23
2018-08-31Automated rollback of changelist 210995199Fabricio Voznika
PiperOrigin-RevId: 211116429 Change-Id: I446d149c822177dc9fc3c64ce5e455f7f029aa82
2018-08-31runsc: Set volume mount rslave.Lantao Liu
PiperOrigin-RevId: 211111376 Change-Id: I27b8cb4e070d476fa4781ed6ecfa0cf1dcaf85f5
2018-08-31Add other missing depMichael Pratt
runsc and runsc-race need the same deps. PiperOrigin-RevId: 211103766 Change-Id: Ib0c97078a469656c1e5b019648589a1d07915625
2018-08-31Fix RunAsRoot arguments forwardingFabricio Voznika
It was including the path to the executable twice in the arguments. PiperOrigin-RevId: 211098311 Change-Id: I5357c51c63f38dfab551b17bb0e04011a0575010
2018-08-31Add missing importTamir Duberstein
GoCompile: missing strict dependencies: /tmpfs/tmp/bazel/sandbox/linux-sandbox/1744/execroot/__main__/runsc/main.go: import of "gvisor.googlesource.com/gvisor/runsc/specutils" This was broken in 210995199. PiperOrigin-RevId: 211086595 Change-Id: I166b9a2ed8e4d6e624def944b720190940d7537c
2018-08-30Add seccomp filter to fsgoferFabricio Voznika
PiperOrigin-RevId: 211011542 Change-Id: Ib5a83a00f8eb6401603c6fb5b59afc93bac52558
2018-08-30runsc: Pass log and config files to sandbox process by FD.Nicolas Lacasse
This is a prereq for running the sandbox process as user "nobody", when it may not have permissions to open these files. Instead, we must open then before starting the sandbox process, and pass them by FD. PiperOrigin-RevId: 210995199 Change-Id: I715875a9553290b4a49394a8fcd93be78b1933dd
2018-08-28Add argument checks to seccompFabricio Voznika
This is required to increase protection when running in GKE. PiperOrigin-RevId: 210635123 Change-Id: Iaaa8be49e73f7a3a90805313885e75894416f0b5
2018-08-28Drop support for Go 1.10Michael Pratt
PiperOrigin-RevId: 210589588 Change-Id: Iba898bc3eb8f13e17c668ceea6dc820fc8180a70
2018-08-28runsc: unmount volume mounts when destroy container.Lantao Liu
PiperOrigin-RevId: 210579178 Change-Id: Iae20639c5186b1a976cbff6d05bda134cd00d0da
2018-08-28Consolidate image tests into a single fileFabricio Voznika
This is to keep it consistent with other test, and it's easier to maintain them in single file. Also increase python test timeout to deflake it. PiperOrigin-RevId: 210575042 Change-Id: I2ef5bcd5d97c08549f0c5f645c4b694253ef0b4d
2018-08-27Add command-line parameter to trigger panic on signalFabricio Voznika
This is to troubleshoot problems with a hung process that is not responding to 'runsc debug --stack' command. PiperOrigin-RevId: 210483513 Change-Id: I4377b210b4e51bc8a281ad34fd94f3df13d9187d
2018-08-27runsc: Fix readonly filesystem causing failure to create containers.Kevin Krakauer
For readonly filesystems specified via relative path, we were forgetting to mount relative to the container's bundle directory. PiperOrigin-RevId: 210483388 Change-Id: I84809fce4b1f2056d0e225547cb611add5f74177
2018-08-27fs: Fix remote-revalidate cache policy.Nicolas Lacasse
When revalidating a Dirent, if the inode id is the same, then we don't need to throw away the entire Dirent. We can just update the unstable attributes in place. If the inode id has changed, then the remote file has been deleted or moved, and we have no choice but to throw away the dirent we have a look up another. In this case, we may still end up losing a mounted dirent that is a child of the revalidated dirent. However, that seems appropriate here because the entire mount point has been pulled out from underneath us. Because gVisor's overlay is at the Inode level rather than the Dirent level, we must pass the parent Inode and name along with the Inode that is being revalidated. PiperOrigin-RevId: 210431270 Change-Id: I705caef9c68900234972d5aac4ae3a78c61c7d42
2018-08-27runsc: fsgofer should return a unique QID.Path for each file.Nicolas Lacasse
Previously, we were only using the host inode id as the QID path. But the host filesystem can have multiple devices with conflicting inode ids. This resulted in duplicate inode ids in the sentry. This CL generates a unique QID for each <host inode, host device> pair. PiperOrigin-RevId: 210424813 Change-Id: I16d106f61c7c8f910c0da4ceec562a010ffca2fb
2018-08-27Add runsc-race target.Adin Scannell
PiperOrigin-RevId: 210422178 Change-Id: I984dd348d467908bc3180a20fc79b8387fcca05e
2018-08-27Put fsgofer inside chrootFabricio Voznika
Now each container gets its own dedicated gofer that is chroot'd to the rootfs path. This is done to add an extra layer of security in case the gofer gets compromised. PiperOrigin-RevId: 210396476 Change-Id: Iba21360a59dfe90875d61000db103f8609157ca0
2018-08-24runsc: Terminal support for "docker exec -ti".Nicolas Lacasse
This CL adds terminal support for "docker exec". We previously only supported consoles for the container process, but not exec processes. The SYS_IOCTL syscall was added to the default seccomp filter list, but only for ioctls that get/set winsize and termios structs. We need to allow these ioctl for all containers because it's possible to run "exec -ti" on a container that was started without an attached console, after the filters have been installed. Note that control-character signals are still not properly supported. Tested with: $ docker run --runtime=runsc -it alpine In another terminial: $ docker exec -it <containerid> /bin/sh PiperOrigin-RevId: 210185456 Change-Id: I6d2401e53a7697bb988c120a8961505c335f96d9