TestCheckpointRestore was testing that a container can be restored into
a new one (e.g. clone) - twice. Change one of the restores to use the
same identity, to test the case where the same container is being saved
and then resumed at a later time.
PiperOrigin-RevId: 552866396

This change implements only the basic functions of mount namespaces.
All features that depend on user namespaces will be implemented separately.
PiperOrigin-RevId: 552673896

Failing to resolve a mount promise is never expected behavior. The
sandbox should crash in this case, since something has gone
fatally wrong.
PiperOrigin-RevId: 552652799

In runsc, the boot (runsc/cmd/boot.go) process and gofer (runsc/cmd/gofer.go)
process re-execute themselves (for various reasons). For re-execution, they
modify some flags in os.Args. There were certain issues with the process of
generating the args for re-execution that this patch aims to fix:
- In the gofer, we were not overwriting the flag if there was a conflict. This
could lead to duplicate flags in the args with conflicting values.
- The arg manipulation (see old Boot.prepareArgs()) was kinda hacky in figuring
out where to place new arguments.
- Arg manipulation was using `strings.Contains()` to figure out which flag to
replace. This can be problematic when manipulating flags that are substrings
of other flags (like --profile and --profile-mutex). This can also hurt when
random flag values contain the flag name string.
- There was no common general utility to do this work.
This patch adds a generic `prepareArgs()` function to the cmd package which
can be used by boot and gofer and it fixes all the above-mentioned issues.
PiperOrigin-RevId: 552627805

Set(String()) should be an idempotent operation. This is a useful property
which allows us to generate args while re-execing the same process. Setting
`--flag-name=val.String()` should work.
PiperOrigin-RevId: 552598313

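The two commits above describe the properties a re-exec argument builder needs: whole-name flag matching (so `--profile` never clobbers `--profile-mutex`), overwriting rather than duplicating a conflicting flag, a predictable insertion point, and flag values whose `String()` round-trips through `Set()`. The following is an added, self-contained Go example illustrating those properties; it is not gVisor's `prepareArgs()` or any runsc code. `SetFlag`, `parseFlagToken` and `IntList` are hypothetical names, the argv in `main` is constructed, and only the `--name=value` spelling is handled (the separate-token `--name value` form is deliberately out of scope here).

```go
package main

import (
	"flag"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// parseFlagToken splits a token such as "--profile=true" or "-debug" into
// its flag name and value. ok is false for positional arguments and for
// the "--" terminator. Values are only recognised in the --name=value
// spelling; the separate-token form (--name value) is not handled here.
func parseFlagToken(tok string) (name, value string, hasValue, ok bool) {
	if tok == "--" || !strings.HasPrefix(tok, "-") {
		return "", "", false, false
	}
	body := strings.TrimLeft(tok, "-")
	if body == "" {
		return "", "", false, false
	}
	if i := strings.IndexByte(body, '='); i >= 0 {
		return body[:i], body[i+1:], true, true
	}
	return body, "", false, true
}

// SetFlag returns a copy of args in which flag `name` has the value `value`,
// spelled --name=value. Every earlier occurrence of that exact flag name is
// dropped, so the result never carries conflicting duplicates, and the match
// is on the whole name rather than a substring, so setting "profile" leaves
// --profile-mutex untouched. The new token is placed where the flag region
// ends: just before the first positional argument or the "--" terminator.
func SetFlag(args []string, name, value string) []string {
	out := make([]string, 0, len(args)+1)
	newTok := "--" + name + "=" + value
	for i, tok := range args {
		flagName, _, _, isFlag := parseFlagToken(tok)
		if !isFlag {
			// Flag region over: insert here, keep everything after verbatim.
			out = append(out, newTok)
			return append(out, args[i:]...)
		}
		if flagName != name {
			out = append(out, tok)
		}
		// A matching flag is dropped; the replacement is appended below.
	}
	return append(out, newTok)
}

// IntList is a flag.Value whose String() emits exactly the syntax Set()
// accepts, so Set(v.String()) is idempotent and --name=v.String() can be
// re-emitted verbatim when re-executing. (Hypothetical type for this example.)
type IntList []int

var _ flag.Value = (*IntList)(nil)

func (l *IntList) String() string {
	if l == nil {
		return ""
	}
	parts := make([]string, len(*l))
	for i, v := range *l {
		parts[i] = strconv.Itoa(v)
	}
	return strings.Join(parts, ",")
}

func (l *IntList) Set(s string) error {
	var out IntList
	if s != "" {
		for _, p := range strings.Split(s, ",") {
			v, err := strconv.Atoi(strings.TrimSpace(p))
			if err != nil {
				return fmt.Errorf("IntList: %q: %w", p, err)
			}
			out = append(out, v)
		}
	}
	*l = out
	return nil
}

func main() {
	fs := flag.NewFlagSet("demo", flag.ExitOnError)
	var cpus IntList
	fs.Var(&cpus, "cpus", "comma-separated CPU list")
	fs.Bool("profile", false, "enable profiling")
	fs.String("profile-mutex", "", "mutex profile output path")
	// Constructed sample argv, as a process about to re-exec itself would see it.
	argv := []string{"--profile=true", "--profile-mutex=mutex.out", "--cpus=1, 2,3", "boot", "--bundle=/tmp/b"}
	if err := fs.Parse(argv); err != nil {
		os.Exit(1)
	}
	// Rebuild the argv for re-execution: normalise --cpus from the parsed
	// value and turn profiling off, without touching --profile-mutex.
	reexec := SetFlag(argv, "cpus", cpus.String())
	reexec = SetFlag(reexec, "profile", "false")
	fmt.Println(strings.Join(reexec, " "))
}
```

Matching on the parsed flag name instead of `strings.Contains()` is what keeps `--profile` and `--profile-mutex` apart, and dropping every prior occurrence before appending the new token is what prevents a later `flag.Parse()` from seeing two values for one flag. The `IntList` round trip matters for the same reason: if `String()` produced anything `Set()` would not accept, the rebuilt argv would fail to parse in the re-executed process.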
This is closer to the default nginx settings with respect to concurrency.
Turn off access log, as it is heavy on I/O and would not be used in a
production setup (whether with or without gVisor).
Update nginx to version `1.25.1`.
PiperOrigin-RevId: 551669286

Enforce that `IODepth` must be `1` when using the `sync` IO engine, since
it has no effect with that engine.
Also add unit names to `tools.Fio` struct fields for easier readability.
PiperOrigin-RevId: 550710273

This change introduces the nsfs file system. Each new namespace allocates
a new nsfs inode.
Here are reasons why we need these inodes:
* each namespace has to have a unique id.
* proc/pid/ns/ contains one entry for each namespace. Bind mounting one of
the files in this directory to somewhere else in the filesystem keeps the
corresponding namespace alive even if all processes currently in
the namespace terminate.
* setns() allows the calling process to join an existing namespace specified
by a file descriptor.
PiperOrigin-RevId: 550694515

Right now, the entire sandbox memory is reported per-container, confusing
users and tools that aggregate per-container memory to compute sandbox/pod
memory. So instead, split memory usage among all containers in the
system, except for the root container which is ignored by K8s. This way
pod memory usage is shown correctly in graphs.
Updates #172
PiperOrigin-RevId: 550670618