summaryrefslogtreecommitdiffhomepage
path: root/runsc
AgeCommit message (Collapse)Author
2018-09-04runsc: Run sandbox as user nobody.Nicolas Lacasse
When starting a sandbox without direct file or network access, we create an empty user namespace and run the sandbox in there. However, the root user in that namespace is still mapped to the root user in the parent namespace. This CL maps the "nobody" user from the parent namespace into the child namespace, and runs the sandbox process as user "nobody" inside the new namespace. PiperOrigin-RevId: 211572223 Change-Id: I1b1f9b1a86c0b4e7e5ca7bc93be7d4887678bab6
2018-09-04runsc: Pass log and config files to sandbox process by FD.Nicolas Lacasse
This is a prereq for running the sandbox process as user "nobody", when it may not have permissions to open these files. Instead, we must open then before starting the sandbox process, and pass them by FD. The specutils.ReadSpecFromFile method was fixed to always seek to the beginning of the file before reading. This allows Files from the same FD to be read multiple times, as we do in the boot command when the apply-caps flag is set. Tested with --network=host. PiperOrigin-RevId: 211570647 Change-Id: I685be0a290aa7f70731ebdce82ebc0ebcc9d475c
2018-09-04runsc: fix container rootfs path.Lantao Liu
PiperOrigin-RevId: 211515350 Change-Id: Ia495af57447c799909aa97bb873a50b87bee2625
2018-09-04Remove epoll_wait from filtersMichael Pratt
Go 1.11 replaced it with epoll_pwait. PiperOrigin-RevId: 211510006 Change-Id: I48a6cae95ed3d57a4633895358ad05ad8bf2f633
2018-08-31Mounting over '/tmp' may failFabricio Voznika
PiperOrigin-RevId: 211160120 Change-Id: Ie5f280bdac17afd01cb16562ffff6222b3184c34
2018-08-31Remove not used depsFabricio Voznika
PiperOrigin-RevId: 211147521 Change-Id: I9b8b67df50a3ba084c07a48c72a874d7e2007f23
2018-08-31Automated rollback of changelist 210995199Fabricio Voznika
PiperOrigin-RevId: 211116429 Change-Id: I446d149c822177dc9fc3c64ce5e455f7f029aa82
2018-08-31runsc: Set volume mount rslave.Lantao Liu
PiperOrigin-RevId: 211111376 Change-Id: I27b8cb4e070d476fa4781ed6ecfa0cf1dcaf85f5
2018-08-31Add other missing depMichael Pratt
runsc and runsc-race need the same deps. PiperOrigin-RevId: 211103766 Change-Id: Ib0c97078a469656c1e5b019648589a1d07915625
2018-08-31Fix RunAsRoot arguments forwardingFabricio Voznika
It was including the path to the executable twice in the arguments. PiperOrigin-RevId: 211098311 Change-Id: I5357c51c63f38dfab551b17bb0e04011a0575010
2018-08-31Add missing importTamir Duberstein
GoCompile: missing strict dependencies: /tmpfs/tmp/bazel/sandbox/linux-sandbox/1744/execroot/__main__/runsc/main.go: import of "gvisor.googlesource.com/gvisor/runsc/specutils" This was broken in 210995199. PiperOrigin-RevId: 211086595 Change-Id: I166b9a2ed8e4d6e624def944b720190940d7537c
2018-08-30Add seccomp filter to fsgoferFabricio Voznika
PiperOrigin-RevId: 211011542 Change-Id: Ib5a83a00f8eb6401603c6fb5b59afc93bac52558
2018-08-30runsc: Pass log and config files to sandbox process by FD.Nicolas Lacasse
This is a prereq for running the sandbox process as user "nobody", when it may not have permissions to open these files. Instead, we must open then before starting the sandbox process, and pass them by FD. PiperOrigin-RevId: 210995199 Change-Id: I715875a9553290b4a49394a8fcd93be78b1933dd
2018-08-28Add argument checks to seccompFabricio Voznika
This is required to increase protection when running in GKE. PiperOrigin-RevId: 210635123 Change-Id: Iaaa8be49e73f7a3a90805313885e75894416f0b5
2018-08-28Drop support for Go 1.10Michael Pratt
PiperOrigin-RevId: 210589588 Change-Id: Iba898bc3eb8f13e17c668ceea6dc820fc8180a70
2018-08-28runsc: unmount volume mounts when destroy container.Lantao Liu
PiperOrigin-RevId: 210579178 Change-Id: Iae20639c5186b1a976cbff6d05bda134cd00d0da
2018-08-28Consolidate image tests into a single fileFabricio Voznika
This is to keep it consistent with other test, and it's easier to maintain them in single file. Also increase python test timeout to deflake it. PiperOrigin-RevId: 210575042 Change-Id: I2ef5bcd5d97c08549f0c5f645c4b694253ef0b4d
2018-08-27Add command-line parameter to trigger panic on signalFabricio Voznika
This is to troubleshoot problems with a hung process that is not responding to 'runsc debug --stack' command. PiperOrigin-RevId: 210483513 Change-Id: I4377b210b4e51bc8a281ad34fd94f3df13d9187d
2018-08-27runsc: Fix readonly filesystem causing failure to create containers.Kevin Krakauer
For readonly filesystems specified via relative path, we were forgetting to mount relative to the container's bundle directory. PiperOrigin-RevId: 210483388 Change-Id: I84809fce4b1f2056d0e225547cb611add5f74177
2018-08-27fs: Fix remote-revalidate cache policy.Nicolas Lacasse
When revalidating a Dirent, if the inode id is the same, then we don't need to throw away the entire Dirent. We can just update the unstable attributes in place. If the inode id has changed, then the remote file has been deleted or moved, and we have no choice but to throw away the dirent we have a look up another. In this case, we may still end up losing a mounted dirent that is a child of the revalidated dirent. However, that seems appropriate here because the entire mount point has been pulled out from underneath us. Because gVisor's overlay is at the Inode level rather than the Dirent level, we must pass the parent Inode and name along with the Inode that is being revalidated. PiperOrigin-RevId: 210431270 Change-Id: I705caef9c68900234972d5aac4ae3a78c61c7d42
2018-08-27runsc: fsgofer should return a unique QID.Path for each file.Nicolas Lacasse
Previously, we were only using the host inode id as the QID path. But the host filesystem can have multiple devices with conflicting inode ids. This resulted in duplicate inode ids in the sentry. This CL generates a unique QID for each <host inode, host device> pair. PiperOrigin-RevId: 210424813 Change-Id: I16d106f61c7c8f910c0da4ceec562a010ffca2fb
2018-08-27Add runsc-race target.Adin Scannell
PiperOrigin-RevId: 210422178 Change-Id: I984dd348d467908bc3180a20fc79b8387fcca05e
2018-08-27Put fsgofer inside chrootFabricio Voznika
Now each container gets its own dedicated gofer that is chroot'd to the rootfs path. This is done to add an extra layer of security in case the gofer gets compromised. PiperOrigin-RevId: 210396476 Change-Id: Iba21360a59dfe90875d61000db103f8609157ca0
2018-08-24runsc: Terminal support for "docker exec -ti".Nicolas Lacasse
This CL adds terminal support for "docker exec". We previously only supported consoles for the container process, but not exec processes. The SYS_IOCTL syscall was added to the default seccomp filter list, but only for ioctls that get/set winsize and termios structs. We need to allow these ioctl for all containers because it's possible to run "exec -ti" on a container that was started without an attached console, after the filters have been installed. Note that control-character signals are still not properly supported. Tested with: $ docker run --runtime=runsc -it alpine In another terminial: $ docker exec -it <containerid> /bin/sh PiperOrigin-RevId: 210185456 Change-Id: I6d2401e53a7697bb988c120a8961505c335f96d9
2018-08-24runsc: Allow runsc to properly search the PATH for executable name.Kevin Krakauer
Previously, runsc improperly attempted to find an executable in the container's PATH. We now search the PATH via the container's fsgofer rather than the host FS, eliminating the confusing differences between paths on the host and within a container. PiperOrigin-RevId: 210159488 Change-Id: I228174dbebc4c5356599036d6efaa59f28ff28d2
2018-08-24Add option to panic gofer if writes are attempted over RO mountsFabricio Voznika
This is used when '--overlay=true' to guarantee writes are not sent to gofer. PiperOrigin-RevId: 210116288 Change-Id: I7616008c4c0e8d3668e07a205207f46e2144bf30
2018-08-23Clean up syscall filtersFabricio Voznika
Removed syscalls that are only used by whitelistfs which has its own set of filters. PiperOrigin-RevId: 209967259 Change-Id: Idb2e1b9d0201043d7cd25d96894f354729dbd089
2018-08-22runsc: De-flakes container_test TestMultiContainerSanity.Kevin Krakauer
The bug was caused by os.File's finalizer, which closes the file. Because fsgofer.serve() was passed a file descriptor as an int rather than a os.File, callers would pass os.File.Fd(), and the os.File would go out of scope. Thus, the file would get GC'd and finalized nondeterministically, causing failures when the file was used. PiperOrigin-RevId: 209861834 Change-Id: Idf24d5c1f04c9b28659e62c97202ab3b4d72e994
2018-08-21Fix TestUnixDomainSockets failure when path is too largeFabricio Voznika
UDS has a lower size limit than regular files. When running under bazel this limit is exceeded. Test was changed to always mount /tmp and use it for the test. PiperOrigin-RevId: 209717830 Change-Id: I1dbe19fe2051ffdddbaa32b188a9167f446ed193
2018-08-21Temporarily skip multi-container tests in container_test until deflaked.Kevin Krakauer
PiperOrigin-RevId: 209679235 Change-Id: I527e779eeb113d0c162f5e27a2841b9486f0e39f
2018-08-21nonExclusiveFS is causing timeout with --raceFabricio Voznika
Not sure why, just removed for now to unblock the tests. PiperOrigin-RevId: 209661403 Change-Id: I72785c071687d54e22bda9073d36b447d52a7018
2018-08-21Move container_test to the container packageFabricio Voznika
PiperOrigin-RevId: 209655274 Change-Id: Id381114bdb3197c73e14f74b3f6cf1afd87d60cb
2018-08-21Initial change for multi-gofer supportFabricio Voznika
PiperOrigin-RevId: 209647293 Change-Id: I980fca1257ea3fcce796388a049c353b0303a8a5
2018-08-20Standardize mounts in testsFabricio Voznika
Tests get a readonly rootfs mapped to / (which was the case before) and writable TEST_TMPDIR. This makes it easier to setup containers to write to files and to share state between test and containers. PiperOrigin-RevId: 209453224 Change-Id: I4d988e45dc0909a0450a3bb882fe280cf9c24334
2018-08-17Add nonExclusiveFS dimension to more testsFabricio Voznika
The ones using 'kvm' actually mean that they don't want overlay. PiperOrigin-RevId: 209194318 Change-Id: I941a443cb6d783e2c80cf66eb8d8630bcacdb574
2018-08-16Combine functions to search for file under one common functionFabricio Voznika
Bazel adds the build type in front of directories making it hard to refer to binaries in code. PiperOrigin-RevId: 209010854 Change-Id: I6c9da1ac3bbe79766868a3b14222dd42d03b4ec5
2018-08-15runsc fsgofer: Support dynamic serving of filesystems.Kevin Krakauer
When multiple containers run inside a sentry, each container has its own root filesystem and set of mounts. Containers are also added after sentry boot rather than all configured and known at boot time. The fsgofer needs to be able to serve the root filesystem of each container. Thus, it must be possible to add filesystems after the fsgofer has already started. This change: * Creates a URPC endpoint within the gofer process that listens for requests to serve new content. * Enables the sentry, when starting a new container, to add the new container's filesystem. * Mounts those new filesystems at separate roots within the sentry. PiperOrigin-RevId: 208903248 Change-Id: Ifa91ec9c8caf5f2f0a9eead83c4a57090ce92068
2018-08-15runsc: Fix instances of file access "proxy".Nicolas Lacasse
This file access type is actually called "proxy-shared", but I forgot to update all locations. PiperOrigin-RevId: 208832491 Change-Id: I7848bc4ec2478f86cf2de1dcd1bfb5264c6276de
2018-08-14runsc: Change cache policy for root fs and volume mounts.Nicolas Lacasse
Previously, gofer filesystems were configured with the default "fscache" policy, which caches filesystem metadata and contents aggressively. While this setting is best for performance, it means that changes from inside the sandbox may not be immediately propagated outside the sandbox, and vice-versa. This CL changes volumes and the root fs configuration to use a new "remote-revalidate" cache policy which tries to retain as much caching as possible while still making fs changes visible across the sandbox boundary. This cache policy is enabled by default for the root filesystem. The default value for the "--file-access" flag is still "proxy", but the behavior is changed to use the new cache policy. A new value for the "--file-access" flag is added, called "proxy-exclusive", which turns on the previous aggressive caching behavior. As the name implies, this flag should be used when the sandbox has "exclusive" access to the filesystem. All volume mounts are configured to use the new cache policy, since it is safest and most likely to be correct. There is not currently a way to change this behavior, but it's possible to add such a mechanism in the future. The configurability is a smaller issue for volumes, since most of the expensive application fs operations (walking + stating files) will likely served by the root fs. PiperOrigin-RevId: 208735037 Change-Id: Ife048fab1948205f6665df8563434dbc6ca8cfc9
2018-08-10Move checkpoint/restore readme to g3doc directory.Nicolas Lacasse
PiperOrigin-RevId: 208282383 Change-Id: Ifa4aaf5d925b17d9a0672ea951a4570d35855300
2018-08-10README for Checkpoint/Restore.Brielle Broder
PiperOrigin-RevId: 208274833 Change-Id: Iddda875a87205f7b8fa6f5c60b547522b94a6696
2018-08-10Enable checkpoint/restore in cases of UDS use.Brielle Broder
Previously, processes which used file-system Unix Domain Sockets could not be checkpoint-ed in runsc because the sockets were saved with their inode numbers which do not necessarily remain the same upon restore. Now, the sockets are also saved with their paths so that the new inodes can be determined for the sockets based on these paths after restoring. Tests for cases with UDS use are included. Test cleanup to come. PiperOrigin-RevId: 208268781 Change-Id: Ieaa5d5d9a64914ca105cae199fd8492710b1d7ec
2018-08-09Fix runsc integration_test when using --network=hostFabricio Voznika
inethost doesn't support netlink and 'ifconfig' call to retrieve IP address fails. Look up IP address in /etc/hosts instead. PiperOrigin-RevId: 208135641 Change-Id: I3c2ce15db6fc7c3306a45e4bfb9cc5d4423ffad3
2018-08-08Basic support for ip link/addr and ifconfigFabricio Voznika
Closes #94 PiperOrigin-RevId: 207997580 Change-Id: I19b426f1586b5ec12f8b0cd5884d5b401d334924
2018-08-08Resend packets back to netstack if destined to itselfFabricio Voznika
Add option to redirect packet back to netstack if it's destined to itself. This fixes the problem where connecting to the local NIC address would not work, e.g.: echo bar | nc -l -p 8080 & echo foo | nc 192.168.0.2 8080 PiperOrigin-RevId: 207995083 Change-Id: I17adc2a04df48bfea711011a5df206326a1fb8ef
2018-08-08Enable SACK in runscFabricio Voznika
SACK is disabled by default and needs to be manually enabled. It not only improves performance, but also fixes hangs downloading files from certain websites. PiperOrigin-RevId: 207906742 Change-Id: I4fb7277b67bfdf83ac8195f1b9c38265a0d51e8b
2018-08-07Fix build break in testFabricio Voznika
integration_test runs manually and breakage wasn't detected. Added test to kokoro to ensure breakages are detected in the future. PiperOrigin-RevId: 207772835 Change-Id: Iada81b579b558477d4db3516b38366ef6a2e933d
2018-08-06Disable KVM dimension because it's making the test flakyFabricio Voznika
PiperOrigin-RevId: 207642348 Change-Id: Iacec9f097ab93b91c0c8eea61b1347e864f57a8b
2018-08-06Tiny reordering to network codeFabricio Voznika
PiperOrigin-RevId: 207581723 Change-Id: I6e4eb1227b5ed302de5e6c891040b670955f1eea
2018-08-02Isolate image pulling time from container startupFabricio Voznika
mysql image test is timing out sporadically and it's hard to tell where the slow down in coming from. PiperOrigin-RevId: 207147237 Change-Id: I05a4d2c116292695d63cf861f3b89cd1c54b6106