It is unclear exactly what happened in the DNS response that has caused
this test to start breaking. However, since this is unrelated to any code
change, this can be attributed to a non-hermetic or broken test case.
See master failure:
https://buildkite.com/gvisor/pipeline/builds/10462#ae46ee7c-855c-4efe-8165-f0c694557cf9
This may be related to https://github.com/nodejs/node/issues/28790, where
older versions of node are not parsing this field correctly? However, we
would like to retain other tests from the same older version of node.
For posterity, the current serial field appears as:
; <<>> DiG 9.17.19-1-Debian <<>> nodejs.org -t SOA +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56131
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;nodejs.org. IN SOA
;; ANSWER SECTION:
nodejs.org. 3402 IN SOA meera.ns.cloudflare.com. dns.cloudflare.com. (
2264470260 ; serial
10000 ; refresh (2 hours 46 minutes 40 seconds)
2400 ; retry (40 minutes)
604800 ; expire (1 week)
3600 ; minimum (1 hour)
)
;; Query time: 59 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Dec 09 10:35:57 PST 2021
;; MSG SIZE rcvd: 102
PiperOrigin-RevId: 415308624
This change adapts the existing context to use more suitable non-channel-based
methods. This is a requisite for migrating the kernel internals to a
sleeper-based notification mechanism.
The last uses of amutex outside those migrated as part of this change were
dropped in a previous change. Since amutex depends on the channel-based
implementation, this package is also deleted as part of this change.
PiperOrigin-RevId: 415189675
Docker maps stdin to `/dev/null` which doesn't support epoll. Host FD
was ignoring the error and succeeding the epoll_ctl call from the
container, giving false impression that epoll would be notified.
This required plumbing failure to all waiter.Waitable.EventRegister
callers and implementers.
Closes #6795
PiperOrigin-RevId: 414797621
This relaxes constraints on mixed atomic / lock protected fields. We
explicitly allow reads in this case, since this should be safe.
PiperOrigin-RevId: 414476414
This is needed so that connectioned endpoint in the transport package can use
this endpoint to implement host FD based bound endpoints.
I had to simplify some other dependencies to make this possible.
- Removed uniqueid's dependency on transport package completely.
- Removed SCMConnectedEndpoint and HostConnectedEndpoint's dependency on
control package so they could be moved to transport. control already depends
on transport.
- scmRights struct from fsimpl/host/control.go had to be moved into transport
so that HostConnectedEndpoint could be implemented. But scmRights.Fill()
could not be moved because it inherently depends on making
vfs.FileDescriptions which depends on vfs which in turn depends on transport.
So now the scmRights -> vfs.FD conversion happens in the syscall package.
PiperOrigin-RevId: 413839350
This change is to prepare for later changes which may determine if a
packet is sent in response to an original packet so that the reply
packet does not create a new connection.
PiperOrigin-RevId: 413501477
A blog about how Ant Group runs gVisor in production at scale.
Signed-off-by: Jianfeng Tan <henry.tjf@antgroup.com>
Signed-off-by: Yong He <chenglang.hy@antgroup.com>
CPUQuota can return "max PERIOD", in this case, we detect "max"
and return `-1, nil`, which for the current usecase of detecting
cpu-num from quota should be sufficient.
Signed-off-by: Daniel Dao <dqminh89@gmail.com>
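An added example, not Daniel Dao's or gVisor's code, of the parsing the message above describes: it reads one cgroupv2 `cpu.max` line, maps the literal "max" to a quota of -1 with no error as stated, and derives a CPU count from the quota. The function names `ParseCPUMax` and `NumCPUsFromQuota` and the round-up rule for fractional quotas are assumptions made here.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ParseCPUMax parses the text of a cgroupv2 "cpu.max" file, which has the
// form "$QUOTA $PERIOD" (microseconds). QUOTA is either an integer or the
// literal "max", meaning no limit. As in the commit message, "max" yields a
// quota of -1 and a nil error. Illustrative helper, not gVisor's own code.
func ParseCPUMax(contents string) (quota, period int64, err error) {
	fields := strings.Fields(contents)
	if len(fields) != 2 {
		return 0, 0, fmt.Errorf("cpu.max: expected 2 fields, got %d in %q", len(fields), contents)
	}
	period, err = strconv.ParseInt(fields[1], 10, 64)
	if err != nil || period <= 0 {
		return 0, 0, fmt.Errorf("cpu.max: bad period %q", fields[1])
	}
	if fields[0] == "max" {
		return -1, period, nil
	}
	quota, err = strconv.ParseInt(fields[0], 10, 64)
	if err != nil || quota <= 0 {
		return 0, 0, fmt.Errorf("cpu.max: bad quota %q", fields[0])
	}
	return quota, period, nil
}

// NumCPUsFromQuota derives a CPU count from a quota/period pair, rounding up
// so a fractional allowance still gets one runnable CPU (an assumption made
// here). A quota of -1 (unlimited) returns 0, meaning "no restriction".
func NumCPUsFromQuota(quota, period int64) int {
	if quota < 0 {
		return 0
	}
	return int((quota + period - 1) / period)
}

func main() {
	// Constructed sample contents of two cpu.max files.
	for _, s := range []string{"max 100000\n", "150000 100000\n"} {
		q, p, err := ParseCPUMax(s)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%q -> quota=%d period=%d cpus=%d\n", s, q, p, NumCPUsFromQuota(q, p))
	}
}
```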
Adds support for cgroupv2 based on the common cgroup interface.
The cgroupv2 implementation mostly mirrors the structure of cgroupv1,
with many helper functions derived from containerd/cgroups and opencontainers/runc
implementations. We implemented the following controllers: cpu, cpuset, memory,
io, pids, hugetlb.
In order to avoid upgrading containerd dependency (to get oom poller
implementation), we copied the oom poller implementation for cgroupv2
into shim/oom_v2.go. This requires containerd/cgroups dependency to have
cgroupv2 support which we already have.
Signed-off-by: Daniel Dao <dqminh89@gmail.com>
containerd < 1.4 does not support cgroupv2, so we adjust the Make
targets and installer scripts to skip test run on those versions.
Signed-off-by: Daniel Dao <dqminh89@gmail.com>
Conntrack was not reading the window scale TCP option and thus could reject
valid packets for being beyond the receive window.
Addresses #6734.
PiperOrigin-RevId: 411932393
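An added example, not gVisor's conntrack code, of the check the fix above restores: parse the TCP Window Scale option from a SYN's option bytes and validate a sequence number against the scaled window rather than the raw 16-bit header field. The function names and the constructed option bytes are assumptions made here.

```go
package main

import (
	"errors"
	"fmt"
)

// TCP option kinds used here (RFC 793 / RFC 7323).
const (
	optEnd         = 0
	optNOP         = 1
	optWindowScale = 3
	maxWindowShift = 14 // RFC 7323 section 2.3: larger shifts are treated as 14
)

// ParseWindowScale walks the option bytes of a TCP header (everything after
// the fixed 20-byte header) and returns the Window Scale shift if present.
// Truncated or zero-length options are reported as errors rather than
// skipped, since a connection tracker should not guess on malformed input.
func ParseWindowScale(opts []byte) (shift uint8, found bool, err error) {
	for i := 0; i < len(opts); {
		kind := opts[i]
		if kind == optEnd {
			break
		}
		if kind == optNOP {
			i++
			continue
		}
		if i+1 >= len(opts) {
			return 0, false, fmt.Errorf("option kind %d truncated before length byte", kind)
		}
		length := int(opts[i+1])
		if length < 2 || i+length > len(opts) {
			return 0, false, fmt.Errorf("option kind %d has bad length %d", kind, length)
		}
		if kind == optWindowScale {
			if length != 3 {
				return 0, false, errors.New("window scale option must be 3 bytes")
			}
			shift, found = opts[i+2], true
			if shift > maxWindowShift {
				shift = maxWindowShift
			}
		}
		i += length
	}
	return shift, found, nil
}

// EffectiveWindow is the receive window the peer actually advertised: the
// 16-bit header field left-shifted by the negotiated scale.
func EffectiveWindow(hdrWindow uint16, shift uint8) uint32 {
	return uint32(hdrWindow) << shift
}

// InWindow reports whether seq falls in [start, start+window), using unsigned
// wraparound arithmetic so sequence-number wrap is handled correctly.
func InWindow(seq, start, window uint32) bool {
	return seq-start < window
}

// Constructed SYN options: MSS 1460, NOP, Window Scale 7, NOP, NOP, SACK-permitted.
var sampleSynOptions = []byte{2, 4, 0x05, 0xb4, 1, 3, 3, 7, 1, 1, 4, 2}

func main() {
	shift, found, err := ParseWindowScale(sampleSynOptions)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	start := uint32(1000)
	seq := start + 100000 // a segment 100000 bytes past the window start
	fmt.Printf("scale=%d found=%v\n", shift, found)
	fmt.Printf("raw 16-bit window accepts seq? %v\n", InWindow(seq, start, EffectiveWindow(0xffff, 0)))
	fmt.Printf("scaled window accepts seq?     %v\n", InWindow(seq, start, EffectiveWindow(0xffff, shift)))
}
```

Without reading the option, a tracker sizes the window from the raw 16-bit field (at most 65535 bytes) and wrongly rejects the segment above; with the shift applied the same segment is accepted.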
Some systems have controller directories created, but they are
read-only. Handle that case and skip optional controllers.
Closes #5887
PiperOrigin-RevId: 411907208
This is as per proposal in #6450. I have gated this behind a tag because this
is a very sparsely used feature and otherwise will lead to a lot of unused
generated code.
Secondly, we cannot generate the CheckUnmarshal method for dynamic types. So
the dynamic tag would now require its users to additionally implement
CheckUnmarshal method which is more cumbersome.
Fixes #6450
PiperOrigin-RevId: 411197734
In some cases, it may be desirable to prebuild binaries and run all tests,
for example to run benchmarks with various experiments. Allow the top-level
Makefile to support this by checking for a STAGED_BINARIES variable.
PiperOrigin-RevId: 410673120
This avoids a race condition when a packet is being written and the NAT
table is being updated at the same time.
Previously, NAT will only be skipped if either the connection has been
finalized or the hook's relevant NAT (DNAT for Prerouting/Output; SNAT
for Input/Postrouting) has been performed. However, it is possible for
the following sequence of events to occur:
1) A packet performs DNAT related hooks in Prerouting or Output
but does not perform DNAT as no rule matched the packet.
2) The NAT table updates such that a DNAT rule now will be performed
on packets matching the packet's tuple from (1).
3) A second packet matching the original packet's tuple performs
the Prerouting or Output hook, now having performed DNAT and
updating the connection.
4) Either packet goes through the other hooks and finalizes the
connection.
Here we would have 2 packets that have the same original tuple but have
different destination address/ports after performing all the hooks.
Later packets will look like the second packet in the example but the
first packet may trigger a response that the connection table will not
recognize, potentially leading to an ICMP error or TCP RST.
A similar race exists for SNAT.
To avoid the race, this change guarantees that {D,S}NAT is always
performed on a connection before leaving the relevant hook. This
way we make sure that all packets that are associated with a
connection will have the same tuple, per direction.
PiperOrigin-RevId: 410338441
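An added, deliberately simplified Go model of the race described above and of the invariant the change introduces; it is not gVisor's netstack code, and the type and function names (`ConnTrack`, `Prerouting`, `Race`) and the addresses are assumptions made here. With `recordSkips=false` the DNAT hook leaves a connection undecided when no rule matched, so a rule added between two packets of the same flow gives them different destinations; with `recordSkips=true` the decision, including "no NAT", is recorded before the packet leaves the hook, so every packet of the connection keeps the same tuple.

```go
package main

import (
	"fmt"
	"sync"
)

// Tuple identifies one direction of a flow (addresses as strings for brevity).
type Tuple struct {
	SrcAddr, DstAddr string
	SrcPort, DstPort uint16
}

// DNATRule rewrites the destination of packets addressed to MatchDst:MatchPort.
type DNATRule struct {
	MatchDst, NewDst   string
	MatchPort, NewPort uint16
}

// conn is a conntrack entry. reply holds the post-NAT destination of the
// original direction; dnatDone records that the DNAT decision has been made.
type conn struct {
	mu       sync.Mutex
	reply    Tuple
	dnatDone bool
}

// ConnTrack is a minimal model of the connection table plus its DNAT rules.
// recordSkips selects between the pre-fix and fixed hook behaviour.
type ConnTrack struct {
	mu          sync.Mutex
	conns       map[Tuple]*conn
	rules       []DNATRule
	recordSkips bool
}

func NewConnTrack(recordSkips bool) *ConnTrack {
	return &ConnTrack{conns: map[Tuple]*conn{}, recordSkips: recordSkips}
}

// AddDNATRule models a NAT table update racing with packet processing.
func (ct *ConnTrack) AddDNATRule(r DNATRule) {
	ct.mu.Lock()
	defer ct.mu.Unlock()
	ct.rules = append(ct.rules, r)
}

func (ct *ConnTrack) lookupRule(t Tuple) (DNATRule, bool) {
	ct.mu.Lock()
	defer ct.mu.Unlock()
	for _, r := range ct.rules {
		if r.MatchDst == t.DstAddr && r.MatchPort == t.DstPort {
			return r, true
		}
	}
	return DNATRule{}, false
}

// getOrCreate returns the entry for t, creating it with an identity (no NAT) reply.
func (ct *ConnTrack) getOrCreate(t Tuple) *conn {
	ct.mu.Lock()
	defer ct.mu.Unlock()
	c, ok := ct.conns[t]
	if !ok {
		c = &conn{reply: Tuple{SrcAddr: t.DstAddr, SrcPort: t.DstPort, DstAddr: t.SrcAddr, DstPort: t.SrcPort}}
		ct.conns[t] = c
	}
	return c
}

// Prerouting models the DNAT hook and returns the packet's tuple after it.
func (ct *ConnTrack) Prerouting(pkt Tuple) Tuple {
	c := ct.getOrCreate(pkt)
	c.mu.Lock()
	defer c.mu.Unlock()
	if !c.dnatDone {
		if r, ok := ct.lookupRule(pkt); ok {
			c.reply.SrcAddr, c.reply.SrcPort = r.NewDst, r.NewPort
			c.dnatDone = true
		} else if ct.recordSkips {
			// Fixed behaviour: "no NAT" is itself a decision, fixed before leaving the hook.
			c.dnatDone = true
		}
	}
	// Apply whatever the connection recorded; later packets reuse it.
	return Tuple{SrcAddr: pkt.SrcAddr, SrcPort: pkt.SrcPort, DstAddr: c.reply.SrcAddr, DstPort: c.reply.SrcPort}
}

// Race replays steps 1-3 of the sequence in the commit message and returns the
// destination address seen by the first and the second packet of one flow.
func Race(recordSkips bool) (first, second string) {
	ct := NewConnTrack(recordSkips)
	pkt := Tuple{SrcAddr: "192.0.2.10", SrcPort: 40000, DstAddr: "198.51.100.1", DstPort: 80} // constructed
	first = ct.Prerouting(pkt).DstAddr                                                           // step 1: no rule matches
	ct.AddDNATRule(DNATRule{MatchDst: "198.51.100.1", MatchPort: 80, NewDst: "10.0.0.5", NewPort: 8080}) // step 2
	second = ct.Prerouting(pkt).DstAddr // step 3: same tuple, table has changed
	return first, second
}

func main() {
	f, s := Race(false)
	fmt.Printf("pre-fix: first=%s second=%s\n", f, s)
	f, s = Race(true)
	fmt.Printf("fixed:   first=%s second=%s\n", f, s)
}
```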
FUSE introduced StubMarshallable to avoid boilerplate around types
that were either marshalled in one direction, or were dynamically
sized. The marshal dynamic generator can deal with these cases with a
small bit of stubbing per type.
This also allows FUSE types to be treated as full marshal.Marshallable
types, addressing gVisor.dev/issue/3698.
Closes #3698.
PiperOrigin-RevId: 410335216
These amutex lock uses are limited to vfs1 and provide questionable utility.
They protect only offset access, and not blocking operations. In order to
completely remove amutex, drop these uses. The amutex package will be removed
in a subsequent commit, which migrates other (less questionable) uses to a new
Context API.
PiperOrigin-RevId: 409716979
Instead of passing the event mask at registration time, pass the mask as part
of the waiter. This makes the mask immutable and simplifies the architecture of
waiters. This is also necessary for a future fix that will allow the fdnotifier
to keep persistent entries, as opposed to requiring constant updates.
This change is intended to be a no-op in terms of function. The only exception
is signalfd, where this mask was abused. To handle this case, the operation of
signalfd changed to allow one layer of indirection.
PiperOrigin-RevId: 409702998