This CL restores the listening connections when netstack s/r is enabled.
The changes include:
- New method as a workaround to replace the new routes and nics to the loaded
stack after restore.
- New Restore() for transport layer protocols to restore the protocol level
background workers.
- Adds afterLoad() method for fdbased processors.
- Adds a test to verify listening connection is restored after checkpointing
with netstack s/r enabled.
- Few other changes to save restore fields to enable netstack s/r.
PiperOrigin-RevId: 698453124
The helper function is deprecated. The package gvisor.dev/gvisor/pkg/rand
depends on crypto/rand which performs worse than math/rand; the changes
are fine since they are not on any gVisor hot path.
The ultimate goal is to migrate math/rand to math/rand/v2.
This utility creates a nested structure out of a flat list of fully-qualified
test names, and can then execute them using nested `t.Run`s that reflect the
hierarchy properly.
This is useful for CUDA sample tests, which are organized in a hierarchy.
This hierarchy isn't known at compile time, so it cannot be reflected using
plain `t.Run`s.
PiperOrigin-RevId: 619730658
File-backed tmpfs mounts are widely used:
1. Via --overlay2 flag. The default is root:self so the root mount uses this.
2. EmptyDir mounts with default medium are created as tmpfs with file backend.
This change unblocks (1) use case from being used with checkpoint/restore.
For (2), checkpoint/restore is not yet supported in multicontainers.
Most notably, this allows checkpoint/restore to work with default runsc flags.
PiperOrigin-RevId: 586291915
It is an idea of running codespell as part of our presubmit checks.
Before enabling it for new changes, let's fix what it has found.
Signed-off-by: Andrei Vagin <avagin@gmail.com>
Starting with Go 1.21, build tags select the language version. We currently
have several `go:build go1.1` tags, which were intended to act as "true" tags.
But that will break with 1.21. So replace them with "!false".
Fixes #9568.
PiperOrigin-RevId: 576020779
And enable all of the netlink tests that depend on this functionality.
Specifically, this CL implements hostinet.stack:
* .RemoveInterface()
* .AddInterfaceAddr()
* .RemoveInterfaceAddr()
Applications use netlink messages to call into these methods. For hostinet, we
use netlink messages to the host to implement these methods.
Note that the netlink messages are not simply passed from the application to
the host -- they are parsed first and only carefully crafted messages are sent
to the host.
This CL required a lot of refactoring to the existing netlink code in the
hostinet package, as well as a bunch of new functionality. All of that code has
been collected in hostinet/netlink.go
I also changed how we handle CAP_NET_ADMIN and CAP_NET_RAW in tests, since we
must drop those capabilities inside the sandbox if we don't have them on the
host. The new solution is cleaner and does not rely on google-specific env
variables.
PiperOrigin-RevId: 522685544
We plan on making --overlay2=root:self the default for runsc. That will be a
risky change which might need rollbacks. This change is in preparation for
that. We manually set --overlay2=none in places where we don't want the
overlay configuration to impact. This change should be a noop. The intention
for this change is to make the risky change very small and limited to just
flipping a flag.
PiperOrigin-RevId: 513930702
We must have CAP_NET_RAW to create raw sockets with hostinet. This change makes
the runsc Loader fail if hostinet+raw sockets are configured but we do not have
the necessary capability.
PiperOrigin-RevId: 513417124
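
A fail-closed startup check of the kind this commit message describes, as an added example (not gVisor's code): it reads the effective capability mask from text in `/proc/<pid>/status` format. The function names, the two boolean parameters and the sample status text are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// capNetRaw is the Linux capability number of CAP_NET_RAW.
const capNetRaw = 13

// effectiveCaps extracts the CapEff bitmask from /proc/<pid>/status text.
func effectiveCaps(status string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		if rest, ok := strings.CutPrefix(sc.Text(), "CapEff:"); ok {
			return strconv.ParseUint(strings.TrimSpace(rest), 16, 64)
		}
	}
	return 0, errors.New("no CapEff line found")
}

// checkRawSockets (hypothetical name) rejects a hostinet + raw sockets
// configuration when the process lacks CAP_NET_RAW.
func checkRawSockets(hostinet, rawSockets bool, status string) error {
	if !hostinet || !rawSockets {
		return nil // the capability is only needed for this combination
	}
	caps, err := effectiveCaps(status)
	if err != nil {
		return err // fail closed: an unknown capability state is an error
	}
	if caps&(1<<capNetRaw) == 0 {
		return errors.New("hostinet with raw sockets requires CAP_NET_RAW")
	}
	return nil
}

func main() {
	// Constructed samples: 0x3000 sets bits 12 and 13 (CAP_NET_ADMIN and
	// CAP_NET_RAW); 0x1000 sets only bit 12.
	withCap := "Name:\trunsc\nCapEff:\t0000000000003000\n"
	withoutCap := "Name:\trunsc\nCapEff:\t0000000000001000\n"
	fmt.Println(checkRawSockets(true, true, withCap))
	fmt.Println(checkRawSockets(true, true, withoutCap))
}
```
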
--overlay2 flag supersedes --overlay flag. It allows more granular
configuration for overlayfs in runsc. It does so in two ways:
1. Allows applying overlay on all mounts or only the root mount.
--overlay applies overlay to all mounts.
2. Allows specifying whether overlay's upper layer should be backed by
container memory or disk. --overlay always used container memory.
Allowing tmpfs to be backed by a file on disk prevents the container
memory from bloating up. Note that the tmpfs filesystem tree will
still be stored in sentry memory.
Using overlay on the root filesystem helps avoid expensive
communication with the gofer process. The root filesystem of the
container is not preserved across container lifecycle. So we don't
need to keep updating the host filesystem, which will anyways be
destroyed once the container is destroyed. It is wasted effort.
Instead we keep all the changes to the root filesystem in tmpfs which
is directly accessible by the sentry.
The host file is created as an unnamed file using O_TMPFILE. Support
has been added for sub-containers too. Save/restore support is
still lacking.
Co-authored-by: Andrei Vagin <avagin@gmail.com>
PiperOrigin-RevId: 491988485
This adds flags and env variables for the following settings to runtime tests:
- `per_test_timeout`: A per-test timeout which can be shorter
than the batch timeout. Useful to cap the duration of tests
which flake by getting stuck (as is the case for
`bug60120.phpt`)
- `runs_per_test`: Number of times to run each test (useful to
detect flakes).
- `flaky_is_error`: Controls whether a flaky test is considered
passing or failing for batch error code purposes. Useful when
either diagnosing a flaky test, or diagnosing a
consistently-failing test while bypassing flaky others.
- `flaky_short_circuit`: If a test is found to be flaky, declare
it as such immediately, rather than waiting for the rest of the
`--runs_per_test` to finish. Speeds up bisecting flaky tests, at
the cost of flakiness percentage accuracy.
PiperOrigin-RevId: 466791296
First, this change moves the internal config API to use flag.FlagSet, which
allows more flexibility and fixes many test usages.
Second, the runtime flags are validated during install. The platform is opened
and a warning issued if this fails, but this is not fatal.
This change requires moving the Makefile to --test_env, since the attribute
is not properly supported by test targets. Therefore, the targets can use args
while the Makefile must pass in configuration via --test_env.
PiperOrigin-RevId: 428048274
In some cases, it may be desirable to prebuild binaries and run all tests,
for example to run benchmarks with various experiments. Allow the top-level
Makefile to support this by checking for a STAGED_BINARIES variable.
PiperOrigin-RevId: 410673120
Executing `select {}` to wait forever triggers Go runtime deadlock
detection and kills the child, causing the number of actual processes
to be less than expected.
PiperOrigin-RevId: 376298799