Add option to configure reference leak checking
This commit is contained in:
parent
f0507e1db1
commit
607be0585f
|
@ -231,6 +231,20 @@ const (
|
|||
LeaksLogTraces
|
||||
)
|
||||
|
||||
// String returns LeakMode's string representation.
|
||||
func (l LeakMode) String() string {
|
||||
switch l {
|
||||
case NoLeakChecking:
|
||||
return "NoLeakChecking"
|
||||
case LeaksLogWarning:
|
||||
return "LeaksLogWarning"
|
||||
case LeaksLogTraces:
|
||||
return "LeaksLogTraces"
|
||||
default:
|
||||
panic(fmt.Sprintf("Invalid leakmode: %d", l))
|
||||
}
|
||||
}
|
||||
|
||||
// leakMode stores the current mode for the reference leak checker.
|
||||
//
|
||||
// Values must be one of the LeakMode values.
|
||||
|
|
|
@ -19,6 +19,7 @@ import (
|
|||
"strconv"
|
||||
"strings"
|
||||
|
||||
"gvisor.dev/gvisor/pkg/refs"
|
||||
"gvisor.dev/gvisor/pkg/sentry/watchdog"
|
||||
)
|
||||
|
||||
|
@ -112,6 +113,20 @@ func MakeWatchdogAction(s string) (watchdog.Action, error) {
|
|||
}
|
||||
}
|
||||
|
||||
// MakeRefsLeakMode converts type from string
|
||||
func MakeRefsLeakMode(s string) (refs.LeakMode, error) {
|
||||
switch strings.ToLower(s) {
|
||||
case "nocheck":
|
||||
return refs.NoLeakChecking, nil
|
||||
case "warning":
|
||||
return refs.LeaksLogWarning, nil
|
||||
case "traces":
|
||||
return refs.LeaksLogTraces, nil
|
||||
default:
|
||||
return 0, fmt.Errorf("invalid refs leakmode %q", s)
|
||||
}
|
||||
}
|
||||
|
||||
// Config holds configuration that is not part of the runtime spec.
|
||||
type Config struct {
|
||||
// RootDir is the runtime root directory.
|
||||
|
@ -201,6 +216,9 @@ type Config struct {
|
|||
|
||||
// AlsoLogToStderr allows to send log messages to stderr.
|
||||
AlsoLogToStderr bool
|
||||
|
||||
// ReferenceLeakMode sets reference leak check mode
|
||||
ReferenceLeakMode refs.LeakMode
|
||||
}
|
||||
|
||||
// ToFlags returns a slice of flags that correspond to the given Config.
|
||||
|
@ -227,6 +245,7 @@ func (c *Config) ToFlags() []string {
|
|||
"--num-network-channels=" + strconv.Itoa(c.NumNetworkChannels),
|
||||
"--rootless=" + strconv.FormatBool(c.Rootless),
|
||||
"--alsologtostderr=" + strconv.FormatBool(c.AlsoLogToStderr),
|
||||
"--refs-leak-mode=" + c.ReferenceLeakMode.String(),
|
||||
}
|
||||
if c.TestOnlyAllowRunAsCurrentUserWithoutChroot {
|
||||
// Only include if set since it is never to be used by users.
|
||||
|
|
|
@ -191,6 +191,9 @@ func New(args Args) (*Loader, error) {
|
|||
return nil, fmt.Errorf("setting up memory usage: %v", err)
|
||||
}
|
||||
|
||||
// Sets the refs leak check mode
|
||||
refs.SetLeakMode(args.Conf.ReferenceLeakMode)
|
||||
|
||||
// Create kernel and platform.
|
||||
p, err := createPlatform(args.Conf, args.Device)
|
||||
if err != nil {
|
||||
|
@ -1040,8 +1043,3 @@ func (l *Loader) threadGroupFromIDLocked(key execID) (*kernel.ThreadGroup, *host
|
|||
}
|
||||
return ep.tg, ep.tty, nil
|
||||
}
|
||||
|
||||
func init() {
|
||||
// TODO(gvisor.dev/issue/365): Make this configurable.
|
||||
refs.SetLeakMode(refs.NoLeakChecking)
|
||||
}
|
||||
|
|
|
@ -73,6 +73,7 @@ var (
|
|||
netRaw = flag.Bool("net-raw", false, "enable raw sockets. When false, raw sockets are disabled by removing CAP_NET_RAW from containers (`runsc exec` will still be able to utilize raw sockets). Raw sockets allow malicious containers to craft packets and potentially attack the network.")
|
||||
numNetworkChannels = flag.Int("num-network-channels", 1, "number of underlying channels(FDs) to use for network link endpoints.")
|
||||
rootless = flag.Bool("rootless", false, "it allows the sandbox to be started with a user that is not root. Sandbox and Gofer processes may run with same privileges as current user.")
|
||||
referenceLeakMode = flag.String("refs-leak-mode", "nocheck", "sets reference leak check mode: nocheck (default), warning, traces.")
|
||||
|
||||
// Test flags, not to be used outside tests, ever.
|
||||
testOnlyAllowRunAsCurrentUserWithoutChroot = flag.Bool("TESTONLY-unsafe-nonroot", false, "TEST ONLY; do not ever use! This skips many security measures that isolate the host from the sandbox.")
|
||||
|
@ -168,6 +169,11 @@ func main() {
|
|||
cmd.Fatalf("num_network_channels must be > 0, got: %d", *numNetworkChannels)
|
||||
}
|
||||
|
||||
refsLeakMode, err := boot.MakeRefsLeakMode(*referenceLeakMode)
|
||||
if err != nil {
|
||||
cmd.Fatalf("%v", err)
|
||||
}
|
||||
|
||||
// Create a new Config from the flags.
|
||||
conf := &boot.Config{
|
||||
RootDir: *rootDir,
|
||||
|
@ -191,6 +197,7 @@ func main() {
|
|||
NumNetworkChannels: *numNetworkChannels,
|
||||
Rootless: *rootless,
|
||||
AlsoLogToStderr: *alsoLogToStderr,
|
||||
ReferenceLeakMode: refsLeakMode,
|
||||
|
||||
TestOnlyAllowRunAsCurrentUserWithoutChroot: *testOnlyAllowRunAsCurrentUserWithoutChroot,
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue