Commit Graph

712 Commits

Author SHA1 Message Date
Fabricio Voznika 7bde26934a Add IsRunningWithVFS1 to test util
VFS2 is adding more functionality than VFS1. In order to test
new functionality, it's required to skip some tests with VFS1.
To skip tests, use:

SKIP_IF(IsRunningWithVFS1());

The test will run in Linux and gVisor with VFS2 enabled.

Updates #1035

PiperOrigin-RevId: 312698616
2020-05-21 10:48:25 -07:00
Jay Zhuang 8298c5bd4d Avoid all caps FIONREAD as test name.
PiperOrigin-RevId: 312596169
2020-05-20 18:40:16 -07:00
Zeling Feng 5f3eeb4728 Test that we have PAWS mechanism
If there is a Timestamps option in the arriving segment and SEG.TSval
< TS.Recent and if TS.Recent is valid, then treat the arriving segment
as not acceptable: Send an acknowledgement in reply as specified in
RFC-793 page 69 and drop the segment.

https://tools.ietf.org/html/rfc1323#page-19

PiperOrigin-RevId: 312590678
2020-05-20 17:53:35 -07:00
gVisor bot a338eed1d8 Internal change.
PiperOrigin-RevId: 312559963
2020-05-20 14:57:59 -07:00
Jamie Liu 064347afdf Skip itimer "fairness" tests on ptrace.
With additional logging, the issue described by the new comment looks like:

D0518 21:28:08.416810    6777 task_signals.go:459] [   8] Notified of signal 27
D0518 21:28:08.416852    6777 task_block.go:223] [   8] Interrupt queued
D0518 21:28:08.417013    6777 task_run.go:250] [   8] Switching to sentry
D0518 21:28:08.417033    6777 task_signals.go:220] [   8] Signal 27: delivering to handler
D0518 21:28:08.417127    6777 task_run.go:248] [   8] Switching to app
D0518 21:28:08.443765    6777 task_signals.go:519] [   8] Refusing masked signal 27 // ED: note the ~26ms elapsed since TID 8 "switched to app"
D0518 21:28:08.443814    6777 task_signals.go:465] [   6] Notified of group signal 27
D0518 21:28:08.443832    6777 task_block.go:223] [   6] Interrupt queued
D0518 21:28:08.443914    6777 task_block.go:223] [   6] Interrupt queued
D0518 21:28:08.443859    6777 task_run.go:250] [   8] Switching to sentry
I0518 21:28:08.443936    6777 strace.go:576] [   8] exe E rt_sigreturn()

Slow context switches on ptrace are probably due to kernel scheduling delays.
Slow context switches on KVM are less clear, so leave that bug and TODO open.

PiperOrigin-RevId: 312322782
2020-05-19 11:53:03 -07:00
Dean Deng d06de1bede Fix flaky udp tests by polling before reading.
On native Linux, calling recv/read right after send/write sometimes returns
EWOULDBLOCK, if the data has not made it to the receiving socket (even though
the endpoints are on the same host). Poll before reading to avoid this.

Making this change also uncovered a hostinet bug (gvisor.dev/issue/2726),
which is noted in this CL.

PiperOrigin-RevId: 312320587
2020-05-19 11:41:52 -07:00
Zeling Feng 99a18ec8b4 Support TCP options for packetimpact
PiperOrigin-RevId: 312119730
2020-05-18 11:31:38 -07:00
Jamie Liu fb7e5f1676 Make utimes_test pass on VFS2.
PiperOrigin-RevId: 311657502
2020-05-14 20:09:55 -07:00
gVisor bot 326abf5e36 Internal change.
PiperOrigin-RevId: 311645222
2020-05-14 18:17:33 -07:00
gVisor bot bdf7bb71d2 Merge pull request #2663 from lubinszARM:pr_sigfp_fork
PiperOrigin-RevId: 311573552
2020-05-14 11:38:57 -07:00
Mithun Iyer f1ad2d54ab Fix TCP segment retransmit timeout handling.
As per RFC 1122 and Linux retransmit timeout handling:
- The segment retransmit timeout needs to exponentially increase and
  cap at a predefined value.
- TCP connection needs to timeout after a predefined number of
  segment retransmissions.
- TCP connection should not timeout when the retransmission timeout
  exceeds MaxRTO, predefined upper bound.

Fixes #2673

PiperOrigin-RevId: 311463961
2020-05-13 21:26:54 -07:00
Bhasker Hariharan 8b8774d715 Stub support for TCP_SYNCNT and TCP_WINDOW_CLAMP.
This change adds support for TCP_SYNCNT and TCP_WINDOW_CLAMP options
in GetSockOpt/SetSockOpt. This change does not really change any
behaviour in Netstack and only stores/returns the stored value.

Actual honoring of these options will be added as required.

Fixes #2626, #2625

PiperOrigin-RevId: 311453777
2020-05-13 19:49:09 -07:00
Nicolas Lacasse db655f020e Resolve remaining TODOs for tmpfs.
Closes #1197

PiperOrigin-RevId: 311438223
2020-05-13 17:36:37 -07:00
Bhasker Hariharan 8605c97136 Automated rollback of changelist 311285868
PiperOrigin-RevId: 311424257
2020-05-13 16:13:37 -07:00
Jamie Liu d846077628 Enable overlayfs_stale_read by default for runsc.
Linux 4.18 and later make reads and writes coherent between pre-copy-up and
post-copy-up FDs representing the same file on an overlay filesystem. However,
memory mappings remain incoherent:

- Documentation/filesystems/overlayfs.rst, "Non-standard behavior": "If a file
  residing on a lower layer is opened for read-only and then memory mapped with
  MAP_SHARED, then subsequent changes to the file are not reflected in the
  memory mapping."

- fs/overlay/file.c:ovl_mmap() passes through to the underlying FD without any
  management of coherence in the overlay.

- Experimentally on Linux 5.2:

```
$ cat mmap_cat_page.c
#include <err.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

int main(int argc, char **argv) {
  if (argc < 2) {
    errx(1, "syntax: %s [FILE]", argv[0]);
  }
  const int fd = open(argv[1], O_RDONLY);
  if (fd < 0) {
    err(1, "open(%s)", argv[1]);
  }
  const size_t page_size = sysconf(_SC_PAGE_SIZE);
  void* page = mmap(NULL, page_size, PROT_READ, MAP_SHARED, fd, 0);
  if (page == MAP_FAILED) {
    err(1, "mmap");
  }
  for (;;) {
    write(1, page, strnlen(page, page_size));
    if (getc(stdin) == EOF) {
      break;
    }
  }
  return 0;
}

$ gcc -O2 -o mmap_cat_page mmap_cat_page.c
$ mkdir lowerdir upperdir workdir overlaydir
$ echo old > lowerdir/file
$ sudo mount -t overlay -o "lowerdir=lowerdir,upperdir=upperdir,workdir=workdir" none overlaydir
$ ./mmap_cat_page overlaydir/file
old
^Z
[1]+  Stopped                 ./mmap_cat_page overlaydir/file
$ echo new > overlaydir/file
$ cat overlaydir/file
new
$ fg
./mmap_cat_page overlaydir/file

old
```

Therefore, while the VFS1 gofer client's behavior of reopening read FDs is only
necessary pre-4.18, replacing existing memory mappings (in both sentry and
application address spaces) with mappings of the new FD is required regardless
of kernel version, and this latter behavior is common to both VFS1 and VFS2.
Re-document accordingly, and change the runsc flag to enabled by default.

New test:
- Before this CL: https://source.cloud.google.com/results/invocations/5b222d2c-e918-4bae-afc4-407f5bac509b
- After this CL: https://source.cloud.google.com/results/invocations/f28c747e-d89c-4d8c-a461-602b33e71aab

PiperOrigin-RevId: 311361267
2020-05-13 10:53:37 -07:00
Ian Gudger e4058c0355 Replace test_runner.sh bash script with Go.
PiperOrigin-RevId: 311285868
2020-05-13 01:22:42 -07:00
Nayana Bidari 27b1f19cab iptables: support gid match for owner matching.
- Added support for matching gid owner and invert flag for uid
and gid.
$ iptables -A OUTPUT -p tcp -m owner --gid-owner root -j ACCEPT
$ iptables -A OUTPUT -p tcp -m owner ! --uid-owner root -j ACCEPT
$ iptables -A OUTPUT -p tcp -m owner ! --gid-owner root -j DROP

- Added tests for uid, gid and invert flags.
2020-05-12 12:20:47 -07:00
gVisor bot 633e1b89bb Internal change.
PiperOrigin-RevId: 311011004
2020-05-11 15:54:08 -07:00
gVisor bot c5ab21b048 Internal change.
PiperOrigin-RevId: 310949277
2020-05-11 11:04:31 -07:00
gVisor bot af2bc1c72a Internal change.
PiperOrigin-RevId: 310941717
2020-05-11 10:31:02 -07:00
Bin Lu 257a6bf883 passed the syscall test case 'fpsig_fork' on Arm64 platform
Some functions were added for Arm64 platform:
a, get_fp/set_fp
b, inline_tgkill

Test step:
bazel test //test/syscalls:fpsig_fork_test_runsc_ptrace

Signed-off-by: Bin Lu <bin.lu@arm.com>
2020-05-11 01:57:16 -04:00
gVisor bot cfd30665c1 iptables - filter packets using outgoing interface.
Enables commands with -o (--out-interface) for iptables rules.
$ iptables -A OUTPUT -o eth0 -j ACCEPT

PiperOrigin-RevId: 310642286
2020-05-08 15:44:54 -07:00
Bhasker Hariharan e4d2d21f6b Add UDP send/recv packetimpact tests.
Fixes #2654

PiperOrigin-RevId: 310642216
2020-05-08 15:40:27 -07:00
Zeling Feng 5d7d5ed7d6 Send ACK to OTW SEQs/unacc ACKs in CLOSE_WAIT
This fixed the corresponding packetimpact test.

PiperOrigin-RevId: 310593470
2020-05-08 11:23:24 -07:00
gVisor bot 92cab8e2c3 Internal change.
PiperOrigin-RevId: 310409922
2020-05-07 12:10:02 -07:00
gVisor bot 4631de620a Internal change.
PiperOrigin-RevId: 310213705
2020-05-06 13:13:48 -07:00
Andrei Vagin 9509c0b388 gvisor/test: use RetryEINTR for connect()
connect() returns EINTR after S/R and usually we
use RetryEINTR to work around this.

PiperOrigin-RevId: 310038525
2020-05-05 16:01:00 -07:00
Mithun Iyer e590314fec Support TCP zero window probes.
As per RFC 1122 4.2.2.17, when the remote advertises zero receive window,
the sender needs to probe for the window-size to become non-zero starting
from the next retransmission interval. The TCP connection needs to be kept
open as long as the remote is acknowledging the zero window probes.
We reuse the retransmission timers to support this.

Fixes #1644

PiperOrigin-RevId: 310021575
2020-05-05 14:30:52 -07:00
gVisor bot e5d9e7c3b2 Internal change.
PiperOrigin-RevId: 310001058
2020-05-05 12:43:28 -07:00
Nicolas Lacasse da71dc7fdd Port eventfd to VFS2.
And move sys_timerfd.go to just timerfd.go for consistency.

Updates #1475.

PiperOrigin-RevId: 309835029
2020-05-04 16:02:07 -07:00
gVisor bot e7ed68d225 Internal change.
PiperOrigin-RevId: 309832671
2020-05-04 15:48:45 -07:00
Andrei Vagin 006f978829 Deflake //third_party/gvisor/test/syscalls:proc_test_native
There is a known issue in the Linux procfs: two consecutive calls of
readdir can return the same entry twice if between these calls one or more
entries have been removed from this directory.

PiperOrigin-RevId: 309803066
2020-05-04 12:58:24 -07:00
gVisor bot 711439b1c3 Merge pull request #2275 from nybidari:iptables
PiperOrigin-RevId: 309783486
2020-05-04 11:23:55 -07:00
Adin Scannell 56c64e4bb9 Fix include type.
PiperOrigin-RevId: 309506957
2020-05-01 18:03:09 -07:00
Nayana Bidari b660f16d18 Support for connection tracking of TCP packets.
Connection tracking is used to track packets in prerouting and
output hooks of iptables. The NAT rules modify the tuples in
connections. The connection tracking code modifies the packets by
looking at the modified tuples.
2020-05-01 16:59:40 -07:00
gVisor bot e7b8a71156 Internal change.
PiperOrigin-RevId: 309467878
2020-05-01 13:52:21 -07:00
Zeling Feng 4875cda8d1 Make tcp_close_wait_ack_test more accurate
Previously the test used an outdated window size which is advertised
during the handshake to generate testing packets, but the window size
has changed since the handshake; currently it is using the most recent
one which is advertised in DUT's ACK to our FIN packet to generate the
testing outside-the-window packets.

PiperOrigin-RevId: 309222921
2020-04-30 07:40:34 -07:00
Dean Deng ce19497c1c Fix Unix socket permissions.
Enforce write permission checks in BoundEndpointAt, which corresponds to the
permission checks in Linux (net/unix/af_unix.c:unix_find_other).
Also, create bound socket files with the correct permissions in VFS2.

Fixes #2324.

PiperOrigin-RevId: 308949084
2020-04-28 20:13:01 -07:00
gVisor bot 24abccbc1c Internal change.
PiperOrigin-RevId: 308940886
2020-04-28 18:50:44 -07:00
Jamie Liu 4282260355 Don't unlink named pipes in pipe test.
TempPath's destructor runs at the end of the named pipe creation functions,
deleting the named pipe. If the named pipe is backed by a "non-virtual"
filesystem (!fs.Inode.IsVirtual()), this causes the following save attempt to
fail because there are FDs holding the deleted named pipe open.

PiperOrigin-RevId: 308861999
2020-04-28 11:28:44 -07:00
Fabricio Voznika 4af39dd1c5 Propagate PID limit from OCI to sandbox cgroup
Closes #2489

PiperOrigin-RevId: 308362434
2020-04-24 18:17:01 -07:00
Eyal Soha dfff265fe4 Add ICMP6 param problem test
Tested:
  When run on Linux, a correct ICMPv6 response is received.  On netstack, no
  ICMPv6 response is received.
PiperOrigin-RevId: 308343113
2020-04-24 15:56:27 -07:00
Eyal Soha 3d860530a9 Better error message from ExpectFrame
Display the errors as diffs between the expected and wanted frame.

PiperOrigin-RevId: 308333271
2020-04-24 15:04:03 -07:00
Eyal Soha d5776be3fb Improve and update packetimpact README.md
PiperOrigin-RevId: 308328860
2020-04-24 14:43:02 -07:00
Adin Scannell c60613475c Standardize all Docker images.
This change moves all Docker images to a standard location, and abstracts the
build process so that they can be maintained in an automated fashion. This also
allows the images to be architecture-independent.

All images will now be referred to by the test framework via the canonical
`gvisor.dev/images/<name>`, where `<name>` is a function of the path within the
source tree.

In a subsequent change, continuous integration will be added so that the images
will always be correct and available locally.

In the end, using `bazel` for Docker containers is simply not possible. Given
that we already have the need to use `make` with the base container (for
Docker), we extend this approach to get more flexibility.

This change also adds a self-documenting and powerful Makefile that is intended
to replace the collection of scripts in scripts. Canonical (self-documenting)
targets can be added here for targets that understand which images need to be
loaded and/or built.

PiperOrigin-RevId: 308322438
2020-04-24 14:11:42 -07:00
Eyal Soha 79542417fe Fix Layer merge and add unit tests
mergo was improperly merging nil and empty strings

PiperOrigin-RevId: 308170862
2020-04-23 18:24:31 -07:00
Eyal Soha cc5de905e6 Fix test output so that filenames have the correct path.
Tested:
  Intentionally introduce an error and then run:
  blaze test --test_output=streamed //third_party/gvisor/test/packetimpact/tests:tcp_outside_the_window_linux_test
PiperOrigin-RevId: 308114194
2020-04-23 13:18:59 -07:00
Adin Scannell 1481499fe2 Simplify Docker test infrastructure.
This change adds a layer of abstraction around the internal Docker APIs,
and eliminates all direct dependencies on Dockerfiles in the infrastructure.

A subsequent change will automate the generation of local images (with
efficient caching). Note that this change drops the use of bazel container
rules, as that experiment does not seem to be viable.

PiperOrigin-RevId: 308095430
2020-04-23 11:33:30 -07:00
Eyal Soha a2925a079f Run failing packetimpact test and expect failure.
This will make it easier to notice if a code change causes an existing test to
pass.

PiperOrigin-RevId: 308057978
2020-04-23 08:36:19 -07:00
Andrei Vagin 37f863f628 tcp: handle listen after shutdown properly
Right now, sentry panics in this case:
panic: close of nil channel

goroutine 67 [running]:
pkg/tcpip/transport/tcp/tcp.(*endpoint).listen(0xc0000ce000, 0x9, 0x0)
        pkg/tcpip/transport/tcp/endpoint.go:2208 +0x170
pkg/tcpip/transport/tcp/tcp.(*endpoint).Listen(0xc0000ce000, 0x9, 0xc0003a1ad0)
        pkg/tcpip/transport/tcp/endpoint.go:2179 +0x50

Fixes #2468

PiperOrigin-RevId: 307896725
2020-04-22 14:17:11 -07:00