netbird/gvisor
0
0
Fork 0
mirror of https://github.com/netbirdio/gvisor.git synced 2026-05-22 17:12:49 -07:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #11323 from cweld510:cweld/skip-spec-validation-unsafe

Browse Source 
PiperOrigin-RevId: 710762980
This commit is contained in:
gVisor bot
2024-12-30 11:48:14 -08:00
parent 6c5bc5e907 17b2c1b18b
commit 0a288288bb
3 changed files with 11 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
runsc/boot/restore.go
+6 -4
View File
@@ -132,7 +132,7 @@ func (r *restorer) restoreContainerInfo(l *Loader, info *containerInfo) error {
if len(r.containers) == r.totalContainers {
// Trigger the restore if this is the last container.
return r.restore(l)
return r.restore(l, info.conf.UnsafeSkipRestoreSpecValidation)
}
return nil
}
@@ -544,7 +544,7 @@ func validateSpecs(oldSpecs, newSpecs map[string]*specs.Spec) error {
return nil
}
func (r *restorer) restore(l *Loader) error {
func (r *restorer) restore(l *Loader, unsafeSkipRestoreSpecValidation bool) error {
log.Infof("Starting to restore %d containers", len(r.containers))
// Create a new root network namespace with the network stack of the
@@ -650,8 +650,10 @@ func (r *restorer) restore(l *Loader) error {
if err != nil {
return fmt.Errorf("failed to pop container specs from checkpoint: %w", err)
}
if err := validateSpecs(oldSpecs, l.containerSpecs); err != nil {
return fmt.Errorf("failed to validate restore spec: %w", err)
if !unsafeSkipRestoreSpecValidation {
if err := validateSpecs(oldSpecs, l.containerSpecs); err != nil {
return fmt.Errorf("failed to validate restore spec: %w", err)
}
}
// Since we have a new kernel we also must make a new watchdog.
runsc/config/config.go
+4
View File
@@ -384,6 +384,10 @@ type Config struct {
// TestOnlySaveRestoreNetstack indicates netstack should be saved and restored.
TestOnlySaveRestoreNetstack bool `flag:"TESTONLY-save-restore-netstack"`
// UnsafeSkipRestoreSpecValidation optionally skips validation of the container spec for restored
// containers.
UnsafeSkipRestoreSpecValidation bool `flag:"unsafe-skip-restore-spec-validation"`
}
func (c *Config) validate() error {
runsc/config/flags.go
+1
View File
@@ -106,6 +106,7 @@ func RegisterFlags(flagSet *flag.FlagSet) {
flagSet.Bool("enable-core-tags", false, "enables core tagging. Requires host linux kernel >= 5.14.")
flagSet.String("pod-init-config", "", "path to configuration file with additional steps to take during pod creation.")
flagSet.Var(HostSettingsCheck.Ptr(), "host-settings", "how to handle non-optimal host kernel settings: check (default, advisory-only), ignore (do not check), adjust (best-effort auto-adjustment), or enforce (auto-adjustment must succeed).")
flagSet.Bool("unsafe-skip-restore-spec-validation", false, "Enables skipping validation of the restore-time container spec when restoring checkpoints.")
// Flags that control sandbox runtime behavior: MM related.
flagSet.Bool("app-huge-pages", true, "enable use of huge pages for application memory; requires /sys/kernel/mm/transparent_hugepage/shmem_enabled = advise")