The helper function is deprecated. The package gvisor.dev/gvisor/pkg/rand
depends on crypto/rand, which performs worse than math/rand; the changes
are fine since they are not in any of gVisor's hot paths.
The ultimate goal is to migrate math/rand to math/rand/v2.
This patch adds an EROFS test which checks that the checksums we get
from the target directory in the container are identical to the ones
obtained from the source directory that we used to create the EROFS images.
erofs-utils is also added to the default image and will be used to
build the EROFS images during the test.
Signed-off-by: Tiwei Bie <tiwei.btw@antgroup.com>
This medium instructs runsc to place the overlay-backing host file inside the
mount being overlayed itself. The file is placed inside the root directory of
the mount at path `.gvisor.overlay.img.{CID}/filestore-{random}`.
Note that the same volume may be mounted at various places in the same
container. Furthermore, the same volume may be mounted by multiple containers
in the same pod. So we create a filestore directory in the mount which is
unique to each container. This filestore directory hosts all the filestore
files for the mount for the given container. This directory is destroyed along
with the container on `runsc delete`.
The self-medium-based host file is a named file because it needs to be
discoverable via path traversal from the host. For the root mount, this allows
k8s to scan the container's root filesystem and apply local ephemeral storage
limits appropriately. This makes self medium appropriate for k8s usage.
Note that the overlay host file (MemoryFile) is a sparse file. Thankfully k8s
uses stat.st_blocks to perform accounting, not stat.st_size. stat.st_blocks
indicates the number of pages allocated towards a file, which works well with
sparse files.
PiperOrigin-RevId: 507301254
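To make the st_blocks point above concrete, here is an added Go example (not part of the gVisor commit or code base) that creates a sparse file with a large apparent size but only one page of data, then reports what st_size-based and st_blocks-based accounting would each see. It assumes a Linux-style stat(2) where st_blocks is in 512-byte units; `sparseUsage` is a hypothetical helper name.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// sparseUsage creates a file at path whose logical size is `size` bytes
// (via truncate, so no data is written), then writes `written` bytes of
// non-zero data at offset 0. It returns the apparent size (st_size) and
// the allocated bytes (st_blocks * 512), i.e. what st_blocks-based
// accounting such as k8s ephemeral-storage limits would charge.
func sparseUsage(path string, size int64, written int) (apparent, allocated int64, err error) {
	f, err := os.Create(path)
	if err != nil {
		return 0, 0, err
	}
	defer f.Close()
	if err := f.Truncate(size); err != nil { // extends the file without allocating blocks
		return 0, 0, err
	}
	if written > 0 {
		buf := make([]byte, written)
		for i := range buf {
			buf[i] = 0xAB // non-zero so the block is really allocated
		}
		if _, err := f.WriteAt(buf, 0); err != nil {
			return 0, 0, err
		}
	}
	if err := f.Sync(); err != nil { // flush delayed allocation so st_blocks is stable
		return 0, 0, err
	}
	var st syscall.Stat_t
	if err := syscall.Stat(path, &st); err != nil {
		return 0, 0, err
	}
	// stat(2) reports st_blocks in 512-byte units regardless of filesystem block size.
	return st.Size, st.Blocks * 512, nil
}

func main() {
	dir, err := os.MkdirTemp("", "sparse-demo") // constructed scratch location
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	apparent, allocated, err := sparseUsage(filepath.Join(dir, "filestore"), 1<<30, 4096)
	if err != nil {
		panic(err)
	}
	fmt.Printf("st_size=%d bytes, allocated (st_blocks*512)=%d bytes\n", apparent, allocated)
}
```

On a filesystem that supports sparse files the allocated figure stays near one page while st_size reports the full 1 GiB, which is why accounting on st_size would wildly overcharge a sparse MemoryFile.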
When a container exits, it releases all its filesystems. If an overlay was
configured, the tmpfs upper mount is released. Any files created in the overlay
should be deleted and the memory released. Add a test to verify that no such
memory is leaked when containers exit.
I had to add a new OverlayFileUsage method to containerManager to test this
accurately.
I tested the test by intentionally introducing a bug in tmpfs to not release
data from its memory file and this test failed with the following errors:
```
overlay filestore usage changed: old = 0, new = 4096
overlay filestore usage changed: old = 0, new = 8192
overlay filestore usage changed: old = 0, new = 12288
```
This shows that the file created by each sub-container occupied a different
page in the filestore, which was not cleaned up and hence the test failed.
PiperOrigin-RevId: 501088426
Executing `select {}` to wait forever triggers Go runtime deadlock
detection and kills the child, causing the number of actual processes
to be less than expected.
PiperOrigin-RevId: 376298799
These are primarily simplification and lint mistakes. However, minor
fixes are also included and tests added where appropriate.
PiperOrigin-RevId: 351425971
This change adds a layer of abstraction around the internal Docker APIs,
and eliminates all direct dependencies on Dockerfiles in the infrastructure.
A subsequent change will automate the generation of local images (with
efficient caching). Note that this change drops the use of bazel container
rules, as that experiment does not seem to be viable.
PiperOrigin-RevId: 308095430