summaryrefslogtreecommitdiffhomepage
path: root/test
AgeCommit message (Collapse)Author
2020-05-13Enable overlayfs_stale_read by default for runsc.Jamie Liu
Linux 4.18 and later make reads and writes coherent between pre-copy-up and post-copy-up FDs representing the same file on an overlay filesystem. However, memory mappings remain incoherent: - Documentation/filesystems/overlayfs.rst, "Non-standard behavior": "If a file residing on a lower layer is opened for read-only and then memory mapped with MAP_SHARED, then subsequent changes to the file are not reflected in the memory mapping." - fs/overlay/file.c:ovl_mmap() passes through to the underlying FD without any management of coherence in the overlay. - Experimentally on Linux 5.2: ``` $ cat mmap_cat_page.c #include <err.h> #include <fcntl.h> #include <stdio.h> #include <string.h> #include <sys/mman.h> #include <unistd.h> int main(int argc, char **argv) { if (argc < 2) { errx(1, "syntax: %s [FILE]", argv[0]); } const int fd = open(argv[1], O_RDONLY); if (fd < 0) { err(1, "open(%s)", argv[1]); } const size_t page_size = sysconf(_SC_PAGE_SIZE); void* page = mmap(NULL, page_size, PROT_READ, MAP_SHARED, fd, 0); if (page == MAP_FAILED) { err(1, "mmap"); } for (;;) { write(1, page, strnlen(page, page_size)); if (getc(stdin) == EOF) { break; } } return 0; } $ gcc -O2 -o mmap_cat_page mmap_cat_page.c $ mkdir lowerdir upperdir workdir overlaydir $ echo old > lowerdir/file $ sudo mount -t overlay -o "lowerdir=lowerdir,upperdir=upperdir,workdir=workdir" none overlaydir $ ./mmap_cat_page overlaydir/file old ^Z [1]+ Stopped ./mmap_cat_page overlaydir/file $ echo new > overlaydir/file $ cat overlaydir/file new $ fg ./mmap_cat_page overlaydir/file old ``` Therefore, while the VFS1 gofer client's behavior of reopening read FDs is only necessary pre-4.18, replacing existing memory mappings (in both sentry and application address spaces) with mappings of the new FD is required regardless of kernel version, and this latter behavior is common to both VFS1 and VFS2. Re-document accordingly, and change the runsc flag to enabled by default. New test: - Before this CL: https://source.cloud.google.com/results/invocations/5b222d2c-e918-4bae-afc4-407f5bac509b - After this CL: https://source.cloud.google.com/results/invocations/f28c747e-d89c-4d8c-a461-602b33e71aab PiperOrigin-RevId: 311361267
2020-05-13Replace test_runner.sh bash script with Go.Ian Gudger
PiperOrigin-RevId: 311285868
2020-05-12iptables: support gid match for owner matching.Nayana Bidari
- Added support for matching gid owner and invert flag for uid and gid. $ iptables -A OUTPUT -p tcp -m owner --gid-owner root -j ACCEPT $ iptables -A OUTPUT -p tcp -m owner ! --uid-owner root -j ACCEPT $ iptables -A OUTPUT -p tcp -m owner ! --gid-owner root -j DROP - Added tests for uid, gid and invert flags.
2020-05-11Internal change.gVisor bot
PiperOrigin-RevId: 311011004
2020-05-11Internal change.gVisor bot
PiperOrigin-RevId: 310949277
2020-05-11Internal change.gVisor bot
PiperOrigin-RevId: 310941717
2020-05-08iptables - filter packets using outgoing interface.gVisor bot
Enables commands with -o (--out-interface) for iptables rules. $ iptables -A OUTPUT -o eth0 -j ACCEPT PiperOrigin-RevId: 310642286
2020-05-08Add UDP send/recv packetimpact tests.Bhasker Hariharan
Fixes #2654 PiperOrigin-RevId: 310642216
2020-05-08Send ACK to OTW SEQs/unacc ACKs in CLOSE_WAITZeling Feng
This fixed the corresponding packetimpact test. PiperOrigin-RevId: 310593470
2020-05-07Internal change.gVisor bot
PiperOrigin-RevId: 310409922
2020-05-06Internal change.gVisor bot
PiperOrigin-RevId: 310213705
2020-05-05gvisor/test: use RetryEINTR for connect()Andrei Vagin
connect() returns EINTR after S/R and usually we use RetryEINTR to workaround this. PiperOrigin-RevId: 310038525
2020-05-05Support TCP zero window probes.Mithun Iyer
As per RFC 1122 4.2.2.17, when the remote advertizes zero receive window, the sender needs to probe for the window-size to become non-zero starting from the next retransmission interval. The TCP connection needs to be kept open as long as the remote is acknowledging the zero window probes. We reuse the retransmission timers to support this. Fixes #1644 PiperOrigin-RevId: 310021575
2020-05-05Internal change.gVisor bot
PiperOrigin-RevId: 310001058
2020-05-04Port eventfd to VFS2.Nicolas Lacasse
And move sys_timerfd.go to just timerfd.go for consistency. Updates #1475. PiperOrigin-RevId: 309835029
2020-05-04Internal change.gVisor bot
PiperOrigin-RevId: 309832671
2020-05-04Deflake //third_party/gvisor/test/syscalls:proc_test_nativeAndrei Vagin
There is the known issue of the linux procfs, that two consequent calls of readdir can return the same entry twice if between these calls one or more entries have been removed from this directory. PiperOrigin-RevId: 309803066
2020-05-04Merge pull request #2275 from nybidari:iptablesgVisor bot
PiperOrigin-RevId: 309783486
2020-05-01Fix include type.Adin Scannell
PiperOrigin-RevId: 309506957
2020-05-01Support for connection tracking of TCP packets.Nayana Bidari
Connection tracking is used to track packets in prerouting and output hooks of iptables. The NAT rules modify the tuples in connections. The connection tracking code modifies the packets by looking at the modified tuples.
2020-05-01Internal change.gVisor bot
PiperOrigin-RevId: 309467878
2020-04-30Make tcp_close_wait_ack_test more accurateZeling Feng
Previously the test used an out-dated window size which is advertised during the handshake to generate testing packets, but the window size has changed since the handshake; currently it is using the most recent one which is advertised in DUT's ACK to our FIN packet to generate the testing outside-the-window packets. PiperOrigin-RevId: 309222921
2020-04-28Fix Unix socket permissions.Dean Deng
Enforce write permission checks in BoundEndpointAt, which corresponds to the permission checks in Linux (net/unix/af_unix.c:unix_find_other). Also, create bound socket files with the correct permissions in VFS2. Fixes #2324. PiperOrigin-RevId: 308949084
2020-04-28Internal change.gVisor bot
PiperOrigin-RevId: 308940886
2020-04-28Don't unlink named pipes in pipe test.Jamie Liu
TempPath's destructor runs at the end of the named pipe creation functions, deleting the named pipe. If the named pipe is backed by a "non-virtual" filesystem (!fs.Inode.IsVirtual()), this causes the following save attempt to fail because there are FDs holding the deleted named pipe open. PiperOrigin-RevId: 308861999
2020-04-24Propagate PID limit from OCI to sandbox cgroupFabricio Voznika
Closes #2489 PiperOrigin-RevId: 308362434
2020-04-24Add ICMP6 param problem testEyal Soha
Tested: When run on Linux, a correct ICMPv6 response is received. On netstack, no ICMPv6 response is received. PiperOrigin-RevId: 308343113
2020-04-24Better error message from ExpectFrameEyal Soha
Display the errors as diffs between the expected and wanted frame. PiperOrigin-RevId: 308333271
2020-04-24Improve and update packetimpact README.mdEyal Soha
PiperOrigin-RevId: 308328860
2020-04-24Standardize all Docker images.Adin Scannell
This change moves all Docker images to a standard location, and abstracts the build process so that they can be maintained in an automated fashion. This also allows the images to be architecture-independent. All images will now be referred to by the test framework via the canonical `gvisor.dev/images/<name>`, where `<name>` is a function of the path within the source tree. In a subsequent change, continuous integration will be added so that the images will always be correct and available locally. In the end, using `bazel` for Docker containers is simply not possible. Given that we already have the need to use `make` with the base container (for Docker), we extend this approach to get more flexibility. This change also adds a self-documenting and powerful Makefile that is intended to replace the collection of scripts in scripts. Canonical (self-documenting) targets can be added here for targets that understand which images need to be loaded and/or built. PiperOrigin-RevId: 308322438
2020-04-23Fix Layer merge and add unit testsEyal Soha
mergo was improperly merging nil and empty strings PiperOrigin-RevId: 308170862
2020-04-23Fix test output so that filenames have the correct path.Eyal Soha
Tested: Intentionally introduce an error and then run: blaze test --test_output=streamed //third_party/gvisor/test/packetimpact/tests:tcp_outside_the_window_linux_test PiperOrigin-RevId: 308114194
2020-04-23Simplify Docker test infrastructure.Adin Scannell
This change adds a layer of abstraction around the internal Docker APIs, and eliminates all direct dependencies on Dockerfiles in the infrastructure. A subsequent change will automated the generation of local images (with efficient caching). Note that this change drops the use of bazel container rules, as that experiment does not seem to be viable. PiperOrigin-RevId: 308095430
2020-04-23Run failing packetimpact test and expect failure.Eyal Soha
This will make it easier to notice if a code change causes an existing test to pass. PiperOrigin-RevId: 308057978
2020-04-22tcp: handle listen after shutdown properlyAndrei Vagin
Right now, sentry panics in this case: panic: close of nil channel goroutine 67 [running]: pkg/tcpip/transport/tcp/tcp.(*endpoint).listen(0xc0000ce000, 0x9, 0x0) pkg/tcpip/transport/tcp/endpoint.go:2208 +0x170 pkg/tcpip/transport/tcp/tcp.(*endpoint).Listen(0xc0000ce000, 0x9, 0xc0003a1ad0) pkg/tcpip/transport/tcp/endpoint.go:2179 +0x50 Fixes #2468 PiperOrigin-RevId: 307896725
2020-04-22Add comments about deepcopy in Layer.incoming()Eyal Soha
PiperOrigin-RevId: 307812340
2020-04-21Don't ignore override if it is longer than layerStatesgVisor bot
PiperOrigin-RevId: 307708653
2020-04-21Restore euid upon test finishKevin Krakauer
PiperOrigin-RevId: 307638329
2020-04-21Internal change.gVisor bot
PiperOrigin-RevId: 307622320
2020-04-20Add a functional vm_test for root_test.Adin Scannell
This change renames the tools/images directory to tools/vm for clarity, and adds a functional vm_test. Sharding is also added to the same test, and some documentation added around key flags & variables to describe how they work. Subsequent changes will add vm_tests for other cases, such as the runtime tests. PiperOrigin-RevId: 307492245
2020-04-20Merge pull request #2060 from xiaobo55x:rseqgVisor bot
PiperOrigin-RevId: 307453436
2020-04-19Don't accept segments outside the receive windowEyal Soha
Fixed to match RFC 793 page 69. Fixes #1607 PiperOrigin-RevId: 307334892
2020-04-19Convert tcp_user_timeout test from packetdrill to packetimpact.Eyal Soha
PiperOrigin-RevId: 307328289
2020-04-17prlimit: don't check credentials on selfKevin Krakauer
prlimit was erroneously comparing UIDs and GIDs when getting/setting a process' own limits. From the manpage: To set or get the resources of a process other than itself, the caller must have the CAP_SYS_RESOURCE capability, or the real, effective, and saved set user IDs of the target process must match the real user ID of the caller and the real, effective, and saved set group IDs of the target process must match the real group ID of the caller. PiperOrigin-RevId: 307127266
2020-04-17Add test name to boot and gofer log filesFabricio Voznika
This is to make easier to find corresponding logs in case test fails. PiperOrigin-RevId: 307104283
2020-04-17proc net test: Annotate disable-save test with NoRandomSave.Ting-Yu Wang
PiperOrigin-RevId: 307069884
2020-04-16Implement pipe(2) and pipe2(2) for VFS2.Jamie Liu
Updates #1035 PiperOrigin-RevId: 306968644
2020-04-16Reset pending connections on listener shutdown.Mithun Iyer
When the listening socket is read shutdown, we need to reset all pending and incoming connections. Ensure that the endpoint is not cleaned up from the demuxer and subsequent bind to same port does not go through. PiperOrigin-RevId: 306958038
2020-04-16Use multierr in packetimpact Connection.Close()Eyal Soha
PiperOrigin-RevId: 306930652
2020-04-16Test TCP behavior when receiving unacceptable segment in CLOSE_WAITgVisor bot
TCP, in CLOSE-WAIT state, MUST return ACK with proper SEQ and ACK numbers after recv a seg with OTW SEQ or unacc ACK number, and remain in same state. If the connection is in a synchronized state, any unacceptable segment (out of window sequence number or unacceptable acknowledgment number) must elicit only an empty acknowledgment segment containing the current send-sequence number and an acknowledgment indicating the next sequence number expected to be received, and the connection remains in the same state. PiperOrigin-RevId: 306897984