This support is only needed when the gofer mount in question is writable.
By default, the rootfs has an overlayfs applied, so the gofer lower layer is
not writable. But if you are using --overlay2=none, then this change should
allow you to save sandbox with open FDs to deleted files in rootfs.
Updates #11425
PiperOrigin-RevId: 733021267
This adds a `hostsettings` package which can be used to check and
optionally automatically adjust host kernel settings.
This currently covers six kernel settings:
- `/proc/sys/kernel/yama/ptrace_scope`: must be set to 0 or 1 when using
`ptrace`.
- `/proc/sys/user/max_user_namespaces`: must be >= 2, but also
suggest increasing it further if low.
- `/proc/sys/kernel/unprivileged_userns_clone`: Must be enabled in
rootless mode.
- `/proc/sys/kernel/unprivileged_userns_apparmor_policy`: Same.
- `/proc/sys/vm/max_map_count`: suggest increasing max host VMAs.
- `/sys/kernel/mm/transparent_hugepage/shmem_enabled`: suggest turning
on transparent hugepages.
This is flag-gated; by default `runsc` only checks that these settings
are optimal, but only warns if they are not optimal (unless marked as
mandatory). Other flag settings can be used to either bypass this process
entirely (to avoid the small startup overhead this adds), or to make it
auto-adjust any suboptimal kernel settings, either on a best-effort or
mandatory basis.
Updates issue #5964
Updates issue #9006
PiperOrigin-RevId: 683375555
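As an added example, not runsc's own `hostsettings` package, the following Go program applies the six checks listed in the message above to the local host and reports each one as ok, suggested or mandatory. The `Severity` names, the thresholds used to call `max_user_namespaces` and `max_map_count` "low", the treatment of a missing sysctl file as informational, and the use of a non-zero effective UID as the rootless signal are all assumptions made for this illustration:

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Severity of a finding (assumed names; runsc's package may differ).
type Severity int

const (
	OK        Severity = iota
	Suggested          // commit: "suggest increasing/turning on"
	Mandatory          // commit: "must"
)

func (s Severity) String() string { return [...]string{"ok", "suggested", "mandatory"}[s] }

// Thresholds are assumptions for illustration, not runsc's values.
const (
	suggestedUserNS   = 10000
	suggestedMapCount = 262144
)

func parseInt(raw string) (int64, error) {
	return strconv.ParseInt(strings.TrimSpace(raw), 10, 64)
}

// ptrace_scope must be 0 or 1 when runsc uses ptrace.
func checkPtraceScope(raw string) (Severity, string) {
	v, err := parseInt(raw)
	if err != nil {
		return Mandatory, "unparseable value: " + err.Error()
	}
	if v == 0 || v == 1 {
		return OK, ""
	}
	return Mandatory, fmt.Sprintf("ptrace_scope=%d; must be 0 or 1 when using ptrace", v)
}

// max_user_namespaces: >= 2 is mandatory; a low value is only flagged.
func checkMaxUserNS(raw string) (Severity, string) {
	v, err := parseInt(raw)
	if err != nil {
		return Mandatory, "unparseable value: " + err.Error()
	}
	switch {
	case v < 2:
		return Mandatory, fmt.Sprintf("max_user_namespaces=%d; must be >= 2", v)
	case v < suggestedUserNS:
		return Suggested, fmt.Sprintf("max_user_namespaces=%d is low; consider raising it", v)
	}
	return OK, ""
}

// max_map_count: purely a suggestion to raise the host VMA limit.
func checkMapCount(raw string) (Severity, string) {
	if v, err := parseInt(raw); err != nil || v < suggestedMapCount {
		return Suggested, "max_map_count=" + strings.TrimSpace(raw) + "; consider raising it"
	}
	return OK, ""
}

// Boolean sysctls that must be 1 in rootless mode.
func checkEnabled(name string) func(string) (Severity, string) {
	return func(raw string) (Severity, string) {
		if strings.TrimSpace(raw) == "1" {
			return OK, ""
		}
		return Mandatory, name + " must be enabled in rootless mode"
	}
}

// selectedOption extracts the bracketed choice from a sysfs multi-choice
// file such as "always within_size advise [never] deny force".
func selectedOption(raw string) string {
	for _, f := range strings.Fields(raw) {
		if strings.HasPrefix(f, "[") && strings.HasSuffix(f, "]") {
			return strings.Trim(f, "[]")
		}
	}
	return ""
}

// shmem_enabled: suggest enabling transparent hugepages for shmem.
func checkShmemTHP(raw string) (Severity, string) {
	switch sel := selectedOption(raw); sel {
	case "always", "within_size", "advise", "force":
		return OK, ""
	default:
		return Suggested, "shmem_enabled=" + sel + "; consider enabling THP for shmem"
	}
}

type Setting struct {
	Path     string
	Rootless bool // only checked in rootless mode
	Check    func(string) (Severity, string)
}

var settings = []Setting{
	{"/proc/sys/kernel/yama/ptrace_scope", false, checkPtraceScope},
	{"/proc/sys/user/max_user_namespaces", false, checkMaxUserNS},
	{"/proc/sys/kernel/unprivileged_userns_clone", true, checkEnabled("unprivileged_userns_clone")},
	{"/proc/sys/kernel/unprivileged_userns_apparmor_policy", true, checkEnabled("unprivileged_userns_apparmor_policy")},
	{"/proc/sys/vm/max_map_count", false, checkMapCount},
	{"/sys/kernel/mm/transparent_hugepage/shmem_enabled", false, checkShmemTHP},
}

// CheckHost reads every applicable setting, prints a report and returns the
// worst severity. An absent file (e.g. no Yama, or a kernel without the
// unprivileged_userns_clone knob) is reported but not treated as a failure.
func CheckHost(rootless bool) Severity {
	worst := OK
	for _, s := range settings {
		if s.Rootless && !rootless {
			continue
		}
		raw, err := os.ReadFile(s.Path)
		if errors.Is(err, os.ErrNotExist) {
			fmt.Printf("%-55s absent on this kernel\n", s.Path)
			continue
		} else if err != nil {
			fmt.Printf("%-55s unreadable: %v\n", s.Path, err)
			continue
		}
		sev, msg := s.Check(string(raw))
		if sev > worst {
			worst = sev
		}
		fmt.Printf("%-55s %-9s %s\n", s.Path, sev, msg)
	}
	return worst
}

func main() {
	// Exit non-zero only on a mandatory finding, mirroring the
	// warn-by-default behaviour described in the commit message.
	if CheckHost(os.Geteuid() != 0) == Mandatory {
		os.Exit(1)
	}
}
```

Each check takes the raw file contents rather than a path, so the same functions can be exercised against constructed values without touching `/proc`; `CheckHost` is the only function that reads the host.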
Coverage files now have their own subdirectory.
Also add useful extra logging, and rename the log directory from `runsc.log`
(which sounds like a filename) to `runsc-logs`.
PiperOrigin-RevId: 642125227
As of right now, all runsc logs from all commands are concatenated into one
file named "runsc.log". Instead create "runsc.log" directory which will
contain a log file for each runsc command. This is easier to inspect, especially
for save/restore tests.
This was changed in 5b33e4a3d8 ("Enable leak checkers for runsc tests") and
the one-log-file approach was used to check for warnings from only one file.
The warning checking code has been fixed to work with this directory approach.
PiperOrigin-RevId: 641282534
Adds the save-resume variant to all syscall tests. These tests save/checkpoint
the sandbox for every syscall in the test and then resume.
PiperOrigin-RevId: 623601440
This CL adds a new "save" variant for runsc syscall tests to enable S/R.
The changes include:
- Adding the syscall trigger to start the S/R in the tests.
- Changes in the test framework to save and restore the sandbox.
PiperOrigin-RevId: 604800992
The cgroups mounting is changed: in the root container, cgroups are mounted
by default, and for other containers the cgroups are mounted if the spec has a
cgroup mount. These tests mount cgroups directly which will fail. This CL
modifies the cgroup tests to pass with the new behavior.
PiperOrigin-RevId: 596739547
The wait command will always return 0 even if the underlying process
returns a different exit code. It prints out the exit code of the process
to its stdout as json.
PiperOrigin-RevId: 557877257