summaryrefslogtreecommitdiffhomepage
path: root/runsc
AgeCommit message (Collapse)Author
2020-06-09Merge release-20200522.0-105-g0ae5bd24d (automated)gVisor bot
2020-06-09Mount root and volumes as read-only if --overlay is enabledFabricio Voznika
PiperOrigin-RevId: 315583963
2020-06-09Merge release-20200522.0-99-g4e96b9491 (automated)gVisor bot
2020-06-08Combine executable lookup codeFabricio Voznika
Run vs. exec, VFS1 vs. VFS2 were executable lookup were slightly different from each other. Combine them all into the same logic. PiperOrigin-RevId: 315426443
2020-06-06Merge release-20200522.0-89-g21b6bc72 (automated)gVisor bot
2020-06-05Implement mount(2) and umount2(2) for VFS2.Rahat Mahmood
This is mostly syscall plumbing, VFS2 already implements the internals of mounts. In addition to the syscall defintions, the following mount-related mechanisms are updated: - Implement MS_NOATIME for VFS2, but only for tmpfs and goferfs. The other VFS2 filesystems don't implement node-level timestamps yet. - Implement the 'mode', 'uid' and 'gid' mount options for VFS2's tmpfs. - Plumb mount namespace ownership, which is necessary for checking appropriate capabilities during mount(2). Updates #1035 PiperOrigin-RevId: 315035352
2020-06-05Merge release-20200522.0-83-ge4e11f27 (automated)gVisor bot
2020-06-05Expand syscall filters to support MSAN.Nicolas Lacasse
PiperOrigin-RevId: 314997564
2020-06-05Merge release-20200522.0-76-g41da7a56 (automated)gVisor bot
2020-06-05Fix copylocks error about copying IPTables.Ting-Yu Wang
IPTables.connections contains a sync.RWMutex. Copying it will trigger copylocks analysis. Tested by manually enabling nogo tests. sync.RWMutex is added to IPTables for the additional race condition discovered. PiperOrigin-RevId: 314817019
2020-06-02Merge release-20200522.0-58-gca5912d1 (automated)gVisor bot
2020-06-01More runsc changes for VFS2Fabricio Voznika
- Add /tmp handling - Apply mount options - Enable more container_test tests - Forward signals to child process when test respaws process to run as root inside namespace. Updates #1487 PiperOrigin-RevId: 314263281
2020-06-01Merge release-20200522.0-55-g3a987160 (automated)gVisor bot
2020-06-01Handle gofer blocking opens of host named pipes in VFS2.Jamie Liu
Using tee instead of read to detect when a O_RDONLY|O_NONBLOCK pipe FD has a writer circumvents the problem of what to do with the byte read from the pipe, avoiding much of the complexity of the fdpipe package. PiperOrigin-RevId: 314216146
2020-06-01Merge release-20200522.0-53-g12f74bd6 (automated)gVisor bot
2020-06-01Include runtime goroutines in panicsMichael Pratt
SetTraceback("all") does not include all goroutines in panics (you didn't think it was that simple, did you?). It includes all _user_ goroutines; those started by the runtime (such as GC workers) are excluded. Switch to "system" to additionally include runtime goroutines, which are useful to track down bugs in the runtime itself. PiperOrigin-RevId: 314204473
2020-06-01Merge release-20200522.0-48-g16100d18 (automated)gVisor bot
2020-06-01Make gofer mount readonly when overlay is enabledFabricio Voznika
No writes are expected to the underlying filesystem when using --overlay. PiperOrigin-RevId: 314171457
2020-05-29Merge release-20200522.0-43-g93edb36c (automated)gVisor bot
2020-05-29Refactor the ResolveExecutablePath logic.Nicolas Lacasse
PiperOrigin-RevId: 313871804
2020-05-29Merge release-20200522.0-36-gf498e46e (automated)gVisor bot
2020-05-29Merge pull request #2767 from mikaelmello:add-cwd-option-specgVisor bot
PiperOrigin-RevId: 313828906
2020-05-28Merge release-20200522.0-25-gf7418e21 (automated)gVisor bot
2020-05-28Move Cleanup to its own packageFabricio Voznika
PiperOrigin-RevId: 313663382
2020-05-28Merge release-20200522.0-21-ga8c1b326 (automated)gVisor bot
2020-05-28Automated rollback of changelist 309082540Fabricio Voznika
PiperOrigin-RevId: 313636920
2020-05-27Merge release-20200518.0-45-g0bc022b7 (automated)gVisor bot
2020-05-24Add cwd option to spec cmdMikael Mello
2020-05-20Add hugetlb and rdma cgroups to runscFabricio Voznika
Updates #2713 PiperOrigin-RevId: 312559463
2020-05-18Merge release-20200511.0-253-g32ab382 (automated)gVisor bot
2020-05-18Improve unsupported syscall messageFabricio Voznika
PiperOrigin-RevId: 312104899
2020-05-16Merge release-20200511.0-251-g420b791 (automated)gVisor bot
2020-05-15Minor formatting updates for gvisor.dev.Adin Scannell
* Aggregate architecture Overview in "What is gVisor?" as it makes more sense in one place. * Drop "user-space kernel" and use "application kernel". The term "user-space kernel" is confusing when some platform implementation do not run in user-space (instead running in guest ring zero). * Clear up the relationship between the Platform page in the user guide and the Platform page in the architecture guide, and ensure they are cross-linked. * Restore the call-to-action quick start link in the main page, and drop the GitHub link (which also appears in the top-right). * Improve image formatting by centering all doc and blog images, and move the image captions to the alt text. PiperOrigin-RevId: 311845158
2020-05-14Merge release-20200422.0-300-g64afaf0 (automated)gVisor bot
2020-05-13Fix runsc association of gofers and FDs on VFS2.Jamie Liu
Updates #1487 PiperOrigin-RevId: 311443628
2020-05-13Merge release-20200422.0-297-gd846077 (automated)gVisor bot
2020-05-13Enable overlayfs_stale_read by default for runsc.Jamie Liu
Linux 4.18 and later make reads and writes coherent between pre-copy-up and post-copy-up FDs representing the same file on an overlay filesystem. However, memory mappings remain incoherent: - Documentation/filesystems/overlayfs.rst, "Non-standard behavior": "If a file residing on a lower layer is opened for read-only and then memory mapped with MAP_SHARED, then subsequent changes to the file are not reflected in the memory mapping." - fs/overlay/file.c:ovl_mmap() passes through to the underlying FD without any management of coherence in the overlay. - Experimentally on Linux 5.2: ``` $ cat mmap_cat_page.c #include <err.h> #include <fcntl.h> #include <stdio.h> #include <string.h> #include <sys/mman.h> #include <unistd.h> int main(int argc, char **argv) { if (argc < 2) { errx(1, "syntax: %s [FILE]", argv[0]); } const int fd = open(argv[1], O_RDONLY); if (fd < 0) { err(1, "open(%s)", argv[1]); } const size_t page_size = sysconf(_SC_PAGE_SIZE); void* page = mmap(NULL, page_size, PROT_READ, MAP_SHARED, fd, 0); if (page == MAP_FAILED) { err(1, "mmap"); } for (;;) { write(1, page, strnlen(page, page_size)); if (getc(stdin) == EOF) { break; } } return 0; } $ gcc -O2 -o mmap_cat_page mmap_cat_page.c $ mkdir lowerdir upperdir workdir overlaydir $ echo old > lowerdir/file $ sudo mount -t overlay -o "lowerdir=lowerdir,upperdir=upperdir,workdir=workdir" none overlaydir $ ./mmap_cat_page overlaydir/file old ^Z [1]+ Stopped ./mmap_cat_page overlaydir/file $ echo new > overlaydir/file $ cat overlaydir/file new $ fg ./mmap_cat_page overlaydir/file old ``` Therefore, while the VFS1 gofer client's behavior of reopening read FDs is only necessary pre-4.18, replacing existing memory mappings (in both sentry and application address spaces) with mappings of the new FD is required regardless of kernel version, and this latter behavior is common to both VFS1 and VFS2. Re-document accordingly, and change the runsc flag to enabled by default. New test: - Before this CL: https://source.cloud.google.com/results/invocations/5b222d2c-e918-4bae-afc4-407f5bac509b - After this CL: https://source.cloud.google.com/results/invocations/f28c747e-d89c-4d8c-a461-602b33e71aab PiperOrigin-RevId: 311361267
2020-05-13Merge release-20200422.0-296-g18cb3d2 (automated)gVisor bot
2020-05-13Use VFS2 mount namesFabricio Voznika
Updates #1487 PiperOrigin-RevId: 311356385
2020-05-13Merge release-20200422.0-294-g305f786 (automated)gVisor bot
2020-05-12Adjust a few log messagesFabricio Voznika
PiperOrigin-RevId: 311234146
2020-05-11Merge release-20200422.0-66-ge838e7a (automated)gVisor bot
2020-05-11Automated rollback of changelist 310417191Bhasker Hariharan
PiperOrigin-RevId: 310963404
2020-05-11Merge release-20200422.0-62-gc52195d (automated)gVisor bot
2020-05-10Stop avoiding preadv2 and pwritev2, and add them to the filters.Nicolas Lacasse
Some code paths needed these syscalls anyways, so they should be included in the filters. Given that we depend on these syscalls in some cases, there's no real reason to avoid them any more. PiperOrigin-RevId: 310829126
2020-05-07Merge release-20200422.0-52-g9115f26 (automated)gVisor bot
2020-05-07Allocate device numbers for VFS2 filesystems.Jamie Liu
Updates #1197, #1198, #1672 PiperOrigin-RevId: 310432006
2020-05-07Merge release-20200422.0-51-g1f4087e (automated)gVisor bot
2020-05-07Merge release-20200422.0-50-g28b5565 (automated)gVisor bot
2020-05-07Automated rollback of changelist 309339316Bhasker Hariharan
PiperOrigin-RevId: 310417191