Age | Commit message | Author |
|
TCP, in CLOSING state, MUST send an ACK with next expected SEQ number after
receiving any segment with OTW SEQ number and remain in the same state.
While I am here, I also changed shutdown to behave the same as other calls
in posix_server.
PiperOrigin-RevId: 362976955
|
|
The test queries for RTO via TCP_INFO and applies that to the
rest of the test. The RTO is estimated by processing incoming ACK.
There is a race in the test where we may query for RTO before the
incoming ACK was processed. Fix the race in the test by letting the
DUT complete a payload receive, thus estimating RTO before proceeding
to query the RTO. Bump up the time correction to reduce flakes.
PiperOrigin-RevId: 362865904
|
|
By default net.ipv4.ping_group_range is set to "1 0" and no one (even the root)
can create an ICMP socket. Setting it to "0 0" allows root, which we are inside
the container, to create ICMP sockets for packetimpact tests.
PiperOrigin-RevId: 362454201
|
|
With /proc/sys/net/ipv4/ip_local_port_range implemented, the socket stress
test runs in a more normal time and doesn't need to sacrifice coverage to
prevent timeouts.
PiperOrigin-RevId: 362443366
|
|
By default, fusefs defers node permission checks to the server. The
default_permissions mount option enables the usual unix permission
checks based on the node owner and mode bits. Previously fusefs was
incorrectly checking permissions unconditionally.
Additionally, fusefs should restrict filesystem access to processes
started by the mount owner to prevent the fuse daemon from gaining
privilege over other processes. The allow_other mount option
overrides this behaviour. Previously fusefs was incorrectly skipping
this check.
Updates #3229
PiperOrigin-RevId: 362419092
|
|
The previous "bind" filesystem, already included in go/runsc-benchmarks
is a remote re-validate mount. However, the non-re-validate mount
was not present, and it has been added in the form of rootfs.
Also, fix the fio runs to reads/writes of 10GB as running
with --test.benchtime=Xs may scale beyond the memory available
to tmpfs mounts on buildkite VMs. Currently, our buildkite
pipelines are run on e2-standard-8 machines with 32GB of memory,
allowing tmpfs mounts to safely be at least 10GB.
PiperOrigin-RevId: 362143620
|
|
panic: interface conversion: interface {} is syscall.WaitStatus, not unix.WaitStatus
goroutine 1 [running]:
main.runTestCaseNative(0xc0001fc000, 0xe3, 0xc000119b60, 0x1, 0x1, 0x0, 0x0)
test/runner/runner.go:185 +0xa94
main.main()
test/runner/runner.go:118 +0x745
PiperOrigin-RevId: 361957796
|
|
- Implement Stringer for it so that we can improve error messages.
- Use TCPFlags through the code base. There used to be a mixed usage of byte,
uint8 and int as TCP flags.
PiperOrigin-RevId: 361940150
|
|
Kernels after 3b830a9c return EAGAIN in this case.
PiperOrigin-RevId: 361936327
|
|
Speeds up the socket stress tests by a couple orders of magnitude.
PiperOrigin-RevId: 361721050
|
|
A thread from an earlier test can show up in `/proc/self/tasks` while the
thread tears down. Account for that when searching for procs for the
first time in the test.
PiperOrigin-RevId: 361689673
|
|
Run all tests (or a given test partition) in a single sandbox.
Previously, each individual unit test executed in a new
sandbox, which takes much longer to execute.
               Before       After
Syscall tests: 37m22.768s   14m5.272s
PiperOrigin-RevId: 361661726
|
|
Fix a race where the DUT could send out test data before it received the
peer window advertisement. Such a race results in the DUT taking a longer
time to retransmit the zero window probe, thus causing the test to fail
receiving the last expected probe.
To ensure this ordering, piggyback a non-zero payload with the zero
window advertisement and let the DUT receive that, before continuing
with the test.
PiperOrigin-RevId: 361640241
|
|
Remove part of test that was making it flaky. It runs for native only,
so not really important since it's not testing gVisor.
Before: http://sponge2/37557c41-298e-408d-9b54-50ba3d41e22f
After: http://sponge2/7bca72be-cb9b-42f8-8c54-af4956c39455
PiperOrigin-RevId: 361611512
|
|
The syscall package has been deprecated in favor of golang.org/x/sys.
Note that syscall is still used in some places because the following don't seem
to have an equivalent in unix package:
- syscall.SysProcIDMap
- syscall.Credential
Updates #214
PiperOrigin-RevId: 361332034
|
|
Some OSs behave slightly differently, but still within the RFC. It can be useful
to have access to uname information from the testbench.
PiperOrigin-RevId: 361193766
|
|
One of the preparations to decouple the underlying buffer implementation.
There are still some methods that tie to VectorisedView, and they will be
changed gradually in later CLs.
This CL also introduces a new ICMPv6ChecksumParams to replace the long list of
parameters when calling ICMPv6Checksum, aiming to be more descriptive.
PiperOrigin-RevId: 360778149
|
|
- Removed (*testbench.Connection)(&conn) like casts
- Removed redundant definition of Drain, Close and ExpectFrame
PiperOrigin-RevId: 360727788
|
|
PiperOrigin-RevId: 360491700
|
|
io.Reader.ReadFull returns the number of bytes copied and an error if fewer
bytes were read.
PiperOrigin-RevId: 360247614
|
|
Without this change, the error produced is quite useless:
--- FAIL: TestZeroWindowProbeRetransmit (11.44s)
tcp_zero_window_probe_retransmit_test.go:81: expected a probe with sequence number 824638527212: loop 5
FAIL
PiperOrigin-RevId: 359796370
|
|
- open flags can be different on different OSs, by putting SetNonblocking into
the posix_server rather than the testbench, we can always get the right value
for O_NONBLOCK
- merged the tcp_queue_{send,receive}_in_syn_sent into a single file
PiperOrigin-RevId: 359620630
|
|
PiperOrigin-RevId: 359591577
|
|
One precondition of VFS.PrepareRenameAt is that the `from` and `to` dentries
are not the same. Kernfs was not checking this, which could lead to a deadlock.
PiperOrigin-RevId: 359385974
|
|
Restrict ptrace(2) according to the default configurations of the YAMA security
module (mode 1), which is a common default among various Linux distributions.
The new access checks only permit the tracer to proceed if one of the following
conditions is met:
a) The tracer is already attached to the tracee.
b) The target is a descendant of the tracer.
c) The target has explicitly given permission to the tracer through the
PR_SET_PTRACER prctl.
d) The tracer has CAP_SYS_PTRACE.
See security/yama/yama_lsm.c for more details.
Note that these checks are added to CanTrace, which is checked for
PTRACE_ATTACH as well as some other operations, e.g., checking a process'
memory layout through /proc/[pid]/mem.
Since this patch adds restrictions to ptrace, it may break compatibility for
applications run by non-root users that, for instance, rely on being able to
trace processes that are not descended from the tracer (e.g., `gdb -p`). YAMA
restrictions can be turned off by setting /proc/sys/kernel/yama/ptrace_scope
to 0, or exceptions can be made on a per-process basis with the PR_SET_PTRACER
prctl.
Reported-by: syzbot+622822d8bca08c99e8c8@syzkaller.appspotmail.com
PiperOrigin-RevId: 359237723
|
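As an added illustration (not gVisor's CanTrace code and not part of the commit), the four conditions listed in the commit message above can be modeled as a single decision function. The `Proc` type and `yamaAllows` are hypothetical names, and the PR_SET_PTRACER case is simplified to an exact match on one declared tracer.

```go
package main

import "fmt"

// Proc is a hypothetical, simplified process record (not a gVisor type).
type Proc struct {
	Parent        *Proc
	TracedBy      *Proc // tracer currently attached, if any
	AllowedTracer *Proc // tracer declared via PR_SET_PTRACER (exact match only here)
	CapSysPtrace  bool
}

// isDescendant walks p's parent chain looking for ancestor.
func isDescendant(p, ancestor *Proc) bool {
	for cur := p.Parent; cur != nil; cur = cur.Parent {
		if cur == ancestor {
			return true
		}
	}
	return false
}

// yamaAllows applies conditions (a)-(d); scope 0 turns the restrictions off.
func yamaAllows(scope int, tracer, target *Proc) (bool, string) {
	switch {
	case scope == 0:
		return true, "ptrace_scope=0"
	case target.TracedBy == tracer:
		return true, "already attached"
	case isDescendant(target, tracer):
		return true, "descendant"
	case target.AllowedTracer == tracer:
		return true, "PR_SET_PTRACER"
	case tracer.CapSysPtrace:
		return true, "CAP_SYS_PTRACE"
	}
	return false, "denied"
}

func main() {
	// Constructed tree: shell -> gdb, shell -> server -> worker.
	shell := &Proc{}
	gdb, server := &Proc{Parent: shell}, &Proc{Parent: shell}
	worker := &Proc{Parent: server}
	fmt.Println(yamaAllows(1, gdb, server))    // sibling, the `gdb -p` case
	fmt.Println(yamaAllows(1, server, worker)) // parent tracing its child
	server.AllowedTracer = gdb
	fmt.Println(yamaAllows(1, gdb, server)) // target opted in
}
```

The sibling case is the compatibility break the commit message warns about: an unprivileged debugger attaching to a process it did not start is refused until the target opts in or ptrace_scope is set to 0.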
|
Reported-by: syzbot+f2489ba0b999a45d1ad1@syzkaller.appspotmail.com
PiperOrigin-RevId: 358866218
|
|
fio should scale by written/read bytes and not iterate runs
of the fio container.
PiperOrigin-RevId: 358511771
|
|
Also skips a test if the setsockopt to increase send buffer did not result in an
increase. This is possible when the underlying socket is a host backed unix
domain socket as in such cases gVisor does not permit increasing SO_SNDBUF.
PiperOrigin-RevId: 358285158
|
|
Currently, iperf runs a client that scales by
bytes sent. In practice, this causes b.N to scale
slowly and have several short lived containers.
Instead, scale by KB to more quickly reach required time.
PiperOrigin-RevId: 358244926
|
|
Remove unused argument while I'm here and avoid returning
syscall.Errno(0) which should rather be a nil error.
PiperOrigin-RevId: 358227396
|
|
Individual test cases must not rely on being executed in a clean environment.
PiperOrigin-RevId: 358207468
|
|
Previously, we made two connect attempts. If the first attempt is still
ongoing when the second attempt is made, the test will fail. This change deflakes
the situation by not making the second attempt, instead, we poll for the first
attempt's completion and read the errno from SO_ERROR.
PiperOrigin-RevId: 358104769
|
|
PiperOrigin-RevId: 358085809
|
|
- TCP_INFO is used to get the RTO instead of calculating it manually.
PiperOrigin-RevId: 358032487
|
|
- Wrap comments at 80 columns
- Avoid duplicating the number of retries (5)
- Reduce indentation
- Use (*testing.T).Fatal rather than (*testing.T).Fatalf
PiperOrigin-RevId: 358017412
|
|
We were opening dual-stack sockets, but tests only set iptables rules for a
single network protocol. Thus, packets (probably sent by previous tests) could
sneak in and break tests.
Tested with:
bazel test ///test/iptables:iptables_test
--test_arg=--runtime=runsc --nocache_test_results --test_output=errors
--runs_per_test=1000 --test_filter=TestFilterInputDropUDP
PiperOrigin-RevId: 357972385
|
|
Remove flaky tcp_reordering_test as it does not check reordering. We have
added new reorder tests in tcp_rack_test.go
PiperOrigin-RevId: 357278769
|
|
Rename operation params in iperf and tensorflow to
match other similar benchmarks.
PiperOrigin-RevId: 357250304
|
|
Fix issue with iperf where b.N wasn't changing across runs.
Also, if the given runtime is runc/not given, don't run a profile against it.
PiperOrigin-RevId: 357231450
|
|
PiperOrigin-RevId: 357224877
|
|
Implementing interfaces on value types causes the interface to be
implemented by both the value type and the pointer type of the
implementer. This complicates type assertion as it requires the
assertion to check for both the pointer type and the value type.
PiperOrigin-RevId: 357061063
|
|
PiperOrigin-RevId: 357031904
|
|
PiperOrigin-RevId: 357015186
|
|
PiperOrigin-RevId: 356868412
|
|
PiperOrigin-RevId: 356843249
|
|
Deflake this test by retransmitting the ACK and retrying RST
expectation after the supposed state transition to CLOSED.
This gives time for the state transition to complete.
Without such a retransmit from the test, the ACK could get silently
dropped by the listener when the passively connecting endpoint
has not yet completely updated the state (in gVisor this would be
endpoint state and decrement of synRcvdCount).
PiperOrigin-RevId: 356825562
|
|
The limits for snd/rcv buffers for unix domain sockets are controlled by the
following sysctls on linux
- net.core.rmem_default
- net.core.rmem_max
- net.core.wmem_default
- net.core.wmem_max
Today in gVisor we do not expose these sysctls but we do support setting the
equivalent in netstack via stack.Options() method. But AF_UNIX sockets in gVisor
can be used without netstack, with hostinet or even without any networking stack
at all. Which means ideally these sysctls need to live as globals in gVisor.
But rather than make this a big change for now we hardcode the limits in the
AF_UNIX implementation itself (which in itself is better than where we were
before) where SO_SNDBUF was hardcoded to 16KiB. Further we bump the initial
limit to a default value of 208 KiB to match linux from the paltry 16 KiB we use
today.
Updates #5132
PiperOrigin-RevId: 356665498
|
|
The test will sometimes fail on Bind calls using the old RPCTimeout.
PiperOrigin-RevId: 356646668
|
|
PiperOrigin-RevId: 356587965
|
|
Reported-by: syzbot+9ffc71246fe72c73fc25@syzkaller.appspotmail.com
PiperOrigin-RevId: 356536113
|