This wraps all GPU tests' command line with the nvproxy ioctl sniffer.
This has multiple functions:
- Verifying that the application does not call ioctls unsupported by
  nvproxy. This is controlled by an `AllowIncompatibleIoctl` option, which
  is initially set to `true` in all tests to mirror current behavior, but
  should be flipped as we verify that they do not call unsupported ioctls.
- Verifying that the sniffer itself works transparently for a wide range
  of applications.
- Later down the line, enforcing that the application only calls ioctls
  that are part of GPU capabilities that it has a need for. This is
  controlled by a capability string which is currently only used to set
  the `NVIDIA_DRIVER_CAPABILITIES` environment variable.
Updates issue #10856
PiperOrigin-RevId: 672714520
* disable broken socket_inet_loopback test // Lucas Manning
* disable lseek tests on anon inodes. They have been broken by
    commit e7478158e1378325907edfdd960eca98a1be405b
    Date: Wed Jun 29 15:06:57 2022 +0200
    fs: clear or set FMODE_LSEEK based on llseek function
* don't check memory.kmem.limit_in_bytes, it has been deprecated and dropped:
    commit 86327e8eb94c52eca4f93cfece2e29d1bf52acbf
    Date: Tue Jul 4 13:52:40 2023 +0200
    memcg: drop kmem.limit_in_bytes
    commit 58056f77502f3567b760c9a8fc8d2e9081515b2d
    Date: Fri Nov 5 13:37:44 2021 -0700
    memcg, kmem: further deprecate kmem.limit_in_bytes
    commit 0158115f702b0ba208ab0b5adf44cae99b3ebcc7
    Date: Mon Sep 23 15:37:22 2019 -0700
    memcg, kmem: deprecate kmem.limit_in_bytes
PiperOrigin-RevId: 562915457
Earlier setCapsAndCallSelf() and callSelfAsNobody() were unconditionally
clearing the sandbox process's env vars. But in some cases we want to preserve
them. For example, when running runsc-race, we want to set GLIBC_TUNABLES for the
sandbox process. Note that runsc-race requires --TESTONLY-unsafe-nonroot=true.
Right now, when --TESTONLY-unsafe-nonroot is set, the boot process does not end up
calling setCapsAndCallSelf() or callSelfAsNobody(). So the env vars are
retained as desired. But with directfs, those methods are called in spite of
--TESTONLY-unsafe-nonroot. So this change is required to preserve env vars with
--directfs && --TESTONLY-unsafe-nonroot.
This change also adds a test to verify that the sandbox process is running with
no leaked environment variables.
PiperOrigin-RevId: 533170470
Attempt to fix flaky port forward test using "netstat" in the container
to check that a process is listening on the port before attempting to
connect.
Also, re-enable the test in a separate job, but w/ a soft fail. This
will be removed later in favor of adding port-forward to integration
tests to remove the high overhead of starting a new job (scheduling,
compiling runsc, downloading images, etc).
PiperOrigin-RevId: 526135859
Port forward stream mode will be used for k8s. Stream mode takes a
UNIX socket and donates a connected FD to the sandbox in question,
and returns. No proxy process is kept around to do the transfer
and the UDS will be returned to containerd as the address on which
to send i/o to the forwarded port.
PiperOrigin-RevId: 521823250
Add portforward command so that we can use runsc to forward connections
to container ports. This will eventually be supported in k8s.
PiperOrigin-RevId: 520739913
When running in COS in a container, things are different when accessing
process or cgroup data.
This CL uses the `HOST_PROCFS_MOUNTPOINT` and `HOST_CGROUPFS_MOUNTPOINT`
environment variables as alternate roots for `/proc` and `/sys/fs/cgroup` in
`root_test` and in other related places.
Also includes some minor refactors:
- Factor out code to get the parent PID of a child PID to its own function
- Fix some typos
PiperOrigin-RevId: 457102457
k8s.gcr.io/busybox:latest doesn't have the arm variant, so
let's use the upstream busybox and create /etc/resolv.conf symlink.
PiperOrigin-RevId: 450059917
First, this change moves the internal config API to use flag.FlagSet, which
allows more flexibility and fixes many test usages.
Second, the runtime flags are validated during install. The platform is opened
and a warning issued if this fails, but this is not fatal.
This change requires moving the Makefile to --test_env, since the attribute
is not properly supported by test targets. Therefore, the targets can use args
while the Makefile must pass in configuration via --test_env.
PiperOrigin-RevId: 428048274
Adds support for cgroupv2 based on the common cgroup interface.
The cgroupv2 implementation mostly mirrors the structure of cgroupv1,
with many helper functions derived from containerd/cgroups and opencontainers/runc
implementations. We implemented the following controllers: cpu, cpuset, memory,
io, pids, hugetlb.
In order to avoid upgrading containerd dependency (to get oom poller
implementation), we copied the oom poller implementation for cgroupv2
into shim/oom_v2.go. This requires containerd/cgroups dependency to have
cgroupv2 support which we already have.
Signed-off-by: Daniel Dao <dqminh89@gmail.com>
"cri.runtimeoptions.v1" moved to "runtimeoptions.v1" and containerd
configuration format version 2 is required.
Updates #6449
PiperOrigin-RevId: 405474653