Add option to configure reference leak checking

2019-08-06 01:15:48 +10:00 · 2019-08-06 01:15:48 +10:00 · 607be0585f
parent f0507e1db1
commit 607be0585f
4 changed files with 43 additions and 5 deletions
--- a/pkg/refs/refcounter.go
+++ b/pkg/refs/refcounter.go
@ -231,6 +231,20 @@ const (
 	LeaksLogTraces
 )

+// String returns LeakMode's string representation.
+func (l LeakMode) String() string {
+	switch l {
+	case NoLeakChecking:
+		return "NoLeakChecking"
+	case LeaksLogWarning:
+		return "LeaksLogWarning"
+	case LeaksLogTraces:
+		return "LeaksLogTraces"
+	default:
+		panic(fmt.Sprintf("Invalid leakmode: %d", l))
+	}
+}
+
 // leakMode stores the current mode for the reference leak checker.
 //
 // Values must be one of the LeakMode values.
--- a/runsc/boot/config.go
+++ b/runsc/boot/config.go
@ -19,6 +19,7 @@ import (
 	"strconv"
 	"strings"

+	"gvisor.dev/gvisor/pkg/refs"
 	"gvisor.dev/gvisor/pkg/sentry/watchdog"
 )

@ -112,6 +113,20 @@ func MakeWatchdogAction(s string) (watchdog.Action, error) {
 	}
 }

+// MakeRefsLeakMode converts type from string
+func MakeRefsLeakMode(s string) (refs.LeakMode, error) {
+	switch strings.ToLower(s) {
+	case "nocheck":
+		return refs.NoLeakChecking, nil
+	case "warning":
+		return refs.LeaksLogWarning, nil
+	case "traces":
+		return refs.LeaksLogTraces, nil
+	default:
+		return 0, fmt.Errorf("invalid refs leakmode %q", s)
+	}
+}
+
 // Config holds configuration that is not part of the runtime spec.
 type Config struct {
 	// RootDir is the runtime root directory.
@ -201,6 +216,9 @@ type Config struct {

 	// AlsoLogToStderr allows to send log messages to stderr.
 	AlsoLogToStderr bool
+
+	// ReferenceLeakMode sets reference leak check mode
+	ReferenceLeakMode refs.LeakMode
 }

 // ToFlags returns a slice of flags that correspond to the given Config.
@ -227,6 +245,7 @@ func (c *Config) ToFlags() []string {
 		"--num-network-channels=" + strconv.Itoa(c.NumNetworkChannels),
 		"--rootless=" + strconv.FormatBool(c.Rootless),
 		"--alsologtostderr=" + strconv.FormatBool(c.AlsoLogToStderr),
+		"--refs-leak-mode=" + c.ReferenceLeakMode.String(),
 	}
 	if c.TestOnlyAllowRunAsCurrentUserWithoutChroot {
 		// Only include if set since it is never to be used by users.
--- a/runsc/boot/loader.go
+++ b/runsc/boot/loader.go
@ -191,6 +191,9 @@ func New(args Args) (*Loader, error) {
 		return nil, fmt.Errorf("setting up memory usage: %v", err)
 	}

+	// Sets the refs leak check mode
+	refs.SetLeakMode(args.Conf.ReferenceLeakMode)
+
 	// Create kernel and platform.
 	p, err := createPlatform(args.Conf, args.Device)
 	if err != nil {
@ -1040,8 +1043,3 @@ func (l *Loader) threadGroupFromIDLocked(key execID) (*kernel.ThreadGroup, *host
 	}
 	return ep.tg, ep.tty, nil
 }
-
-func init() {
-	// TODO(gvisor.dev/issue/365): Make this configurable.
-	refs.SetLeakMode(refs.NoLeakChecking)
-}
--- a/runsc/main.go
+++ b/runsc/main.go
@ -73,6 +73,7 @@ var (
 	netRaw             = flag.Bool("net-raw", false, "enable raw sockets. When false, raw sockets are disabled by removing CAP_NET_RAW from containers (`runsc exec` will still be able to utilize raw sockets). Raw sockets allow malicious containers to craft packets and potentially attack the network.")
 	numNetworkChannels = flag.Int("num-network-channels", 1, "number of underlying channels(FDs) to use for network link endpoints.")
 	rootless           = flag.Bool("rootless", false, "it allows the sandbox to be started with a user that is not root. Sandbox and Gofer processes may run with same privileges as current user.")
+	referenceLeakMode  = flag.String("refs-leak-mode", "nocheck", "sets reference leak check mode: nocheck (default), warning, traces.")

 	// Test flags, not to be used outside tests, ever.
 	testOnlyAllowRunAsCurrentUserWithoutChroot = flag.Bool("TESTONLY-unsafe-nonroot", false, "TEST ONLY; do not ever use! This skips many security measures that isolate the host from the sandbox.")
@ -168,6 +169,11 @@ func main() {
 		cmd.Fatalf("num_network_channels must be > 0, got: %d", *numNetworkChannels)
 	}

+	refsLeakMode, err := boot.MakeRefsLeakMode(*referenceLeakMode)
+	if err != nil {
+		cmd.Fatalf("%v", err)
+	}
+
 	// Create a new Config from the flags.
 	conf := &boot.Config{
 		RootDir:            *rootDir,
@ -191,6 +197,7 @@ func main() {
 		NumNetworkChannels: *numNetworkChannels,
 		Rootless:           *rootless,
 		AlsoLogToStderr:    *alsoLogToStderr,
+		ReferenceLeakMode:  refsLeakMode,

 		TestOnlyAllowRunAsCurrentUserWithoutChroot: *testOnlyAllowRunAsCurrentUserWithoutChroot,
 	}