Proto commits in google/gvisor

These commits are when the Protocol Buffers files have changed: (only the last 100 relevant commits are shown)

Commit:9f22445
Author:Xin Zhong
Committer:gVisor bot

Add seccheck field to indicate if executed binary is on overlayfs upper layer. This change introduces a new field `binary_overlayfs_upper` to the `ExecveBinaryInfo` seccheck point. This field is set to true if the executable being run is located on the upper layer of an overlay filesystem. A new helper function `overlay.IsCopiedUp` is added to check this condition. PiperOrigin-RevId: 913758999

Commit:1df8033
Author:Xin Zhong
Committer:gVisor bot

Add seccheck point for mmap. This change introduces a new seccheck point, "sentry/mmap", which is triggered when a memory mapping is created. The seccheck event includes information about the mapped file, such as its path, inode, mode, UID, and GID, as well as a timestamp. It also indicates if the mapping corresponds to the initial executable. This allows for monitoring of potential code injection or execution from unexpected sources. PiperOrigin-RevId: 915566174

Commit:93e1ea8
Author:Lucas Manning
Committer:gVisor bot

Add checkpoint/restore coordination with libtpu to runsc. PiperOrigin-RevId: 943469548

The documentation is generated from this commit.

Commit:8c2db95
Author:Xin Zhong
Committer:gVisor bot

Add seccheck field to indicate if executed binary is on overlayfs upper layer. This change introduces a new field `binary_overlayfs_upper` to the `ExecveBinaryInfo` seccheck point. This field is set to true if the executable being run is located on the upper layer of an overlay filesystem. A new helper function `overlay.IsCopiedUp` is added to check this condition. PiperOrigin-RevId: 913758999

Commit:6b5bf02
Author:Xin Zhong
Committer:gVisor bot

Add seccheck point for mmap. This change introduces a new seccheck point, "sentry/mmap", which is triggered when a memory mapping is created. The seccheck event includes information about the mapped file, such as its path, inode, mode, UID, and GID, as well as a timestamp. It also indicates if the mapping corresponds to the initial executable. This allows for monitoring of potential code injection or execution from unexpected sources. PiperOrigin-RevId: 915566174

Commit:66017de
Author:Xin Zhong
Committer:gVisor bot

Add seccheck field to indicate if executed binary is on overlayfs upper layer. This change introduces a new field `binary_overlayfs_upper` to the `ExecveBinaryInfo` seccheck point. This field is set to true if the executable being run is located on the upper layer of an overlay filesystem. A new helper function `overlay.IsCopiedUp` is added to check this condition. PiperOrigin-RevId: 913758999

Commit:d89c902
Author:Lucas Manning
Committer:gVisor bot

Implement save/restore for TPU/VFIO devices to enable cross device C/R. This change enables save and restore for TPU/VFIO such that they can be saved on one device and restored on another. The change tracks open VFIO/TPU FDs and, during save, captures the PCI Bus:Device:Function (BDF) and IOMMU group numbers so they can be properly remapped. During restore, it remaps these old IDs to new IDs based on the restored container's device configuration and reopens the necessary host file descriptors. The remapping information is passed via the context to the afterLoad methods of the VFIO/TPU FD implementations. PiperOrigin-RevId: 938132005

Commit:edfe228
Author:Lucas Manning
Committer:gVisor bot

Add checkpoint/restore coordination with libtpu to runsc. PiperOrigin-RevId: 922310675

Commit:c3eae87
Author:gVisor bot
Committer:gVisor bot

Internal change. PiperOrigin-RevId: 927384056

Commit:b375621
Author:gVisor bot
Committer:gVisor bot

Internal change. PiperOrigin-RevId: 927390410

Commit:dcac645
Author:gVisor bot
Committer:gVisor bot

Internal change. PiperOrigin-RevId: 927399029

Commit:410de8b
Author:gVisor bot
Committer:gVisor bot

Internal change. PiperOrigin-RevId: 927390251

Commit:aac5c63
Author:gVisor bot
Committer:gVisor bot

Internal change. PiperOrigin-RevId: 927389828

Commit:ebde64c
Author:gVisor bot
Committer:gVisor bot

Internal change. PiperOrigin-RevId: 927390359

Commit:46c03e4
Author:Xin Zhong
Committer:gVisor bot

Add PPID to ContextData in gvisor seccheck PiperOrigin-RevId: 919895409

Commit:1e4ca67
Author:Zach Koopmans
Committer:gVisor bot

Internal change PiperOrigin-RevId: 919856743

Commit:f1b8190
Author:Etienne Perot
Committer:gVisor bot

Add support for customizing the default nodepool in GKE tester. PiperOrigin-RevId: 914077000

Commit:c53747f
Author:Etienne Perot
Committer:gVisor bot

Internal change PiperOrigin-RevId: 913914238

Commit:18785eb
Author:Etienne Perot
Committer:gVisor bot

Internal change PiperOrigin-RevId: 913914237

Commit:59090b0
Author:Etienne Perot
Committer:gVisor bot

Internal change PiperOrigin-RevId: 913914232

Commit:baad8b6
Author:Etienne Perot
Committer:gVisor bot

Internal change PiperOrigin-RevId: 913914231

Commit:9bc5f3f
Author:Jing Chen
Committer:gVisor bot

Internal change. PiperOrigin-RevId: 910311877

Commit:b92dfb7
Author:Jing Chen
Committer:gVisor bot

Internal change. PiperOrigin-RevId: 907764703

Commit:9042a16
Author:Lucas Manning
Committer:gVisor bot

Fix new sandbox_options proto build. PiperOrigin-RevId: 878013302

Commit:ec013ff
Author:Lucas Manning
Committer:gVisor bot

Create initial sandbox configuration spec. This configuration will serve as the base for various language-specific sandbox APIs. PiperOrigin-RevId: 877625759

Commit:44df3f8
Author:Zach Koopmans
Committer:gVisor bot

Fix cos_gpu_compatibility_test Update the proto for the cos_gpu_compatibility_test so that it passes PiperOrigin-RevId: 876426910

Commit:385d295
Author:Jing Chen
Committer:gVisor bot

Remove pkg/shim/v1/runtimeoptions/v14 that supports containerd before v1.4. gVisor now supports containerd 1.6 and later. PiperOrigin-RevId: 840429781

Commit:d5069fe
Author:Etienne Perot
Committer:gVisor bot

Kubernetes testcluster: Add "restore" nodepool. This is a nodepool configured identically to the test nodepool, and is meant to be a restore target for checkpoint/restore benchmarks. PiperOrigin-RevId: 766345186

Commit:3a06fd3
Author:gVisor bot
Committer:gVisor bot

Internal change. PiperOrigin-RevId: 761600409

Commit:86abc85
Author:gVisor bot

Merge pull request #11473 from Champ-Goblem:shim-add-cgroup-v2-metrics-support PiperOrigin-RevId: 730560110

Commit:7937c03
Author:Andrei Vagin
Committer:gVisor bot

netstack/packet: use lockdep mutexes FUTURE_COPYBARA_INTEGRATE_REVIEW=https://github.com/google/gvisor/pull/11473 from Champ-Goblem:shim-add-cgroup-v2-metrics-support b602afb7647546148cab820775aba3b57e767213 PiperOrigin-RevId: 730536578

Commit:386ce9f
Author:Jing Chen
Committer:gVisor bot

Relocate containerd-shim-runsc-v1 deps from shim/ to shim/v1. FUTURE_COPYBARA_INTEGRATE_REVIEW=https://github.com/google/gvisor/pull/11473 from Champ-Goblem:shim-add-cgroup-v2-metrics-support b602afb7647546148cab820775aba3b57e767213 PiperOrigin-RevId: 729612115

Commit:f010ae0
Author:Andrei Vagin
Committer:Andrei Vagin

Fix a few typos

Commit:4dbba85
Author:Etienne Perot
Committer:gVisor bot

Kubernetes benchmarks: Refactor kubectl context to allow sets of clusters. Also add sanity check to make sure each cluster works as part of initialization, by running a sample pod within. PiperOrigin-RevId: 710786751

Commit:da0e523
Author:Etienne Perot
Committer:gVisor bot

Internal change (diffbased). PiperOrigin-RevId: 709157384

Commit:23c8b4b
Author:Zach Koopmans
Committer:gVisor bot

Add test to check COS drivers as they are posted. Our current check of COS drivers often lags behind COS releases. This is due to needing to preload GPU docker images onto the images that run in our CI pipelines. In addition, COS can be a bit more complex than originally thought releasing driver versions both across GPU types and release branches. Thus, this test searches the latest COS images on each family for new drivers. It does this by looking at COS's published release notes which include a proto of LATEST/DEFAULT drivers selected for each device. This will flag new versions faster with more coverage than our CI pipeline currently. Due to this not actually needing a GPU to run, this can run on any VM. PiperOrigin-RevId: 693736100

Commit:d18a726
Author:Etienne Perot
Committer:gVisor bot

Unbreak build failures in Kubernetes benchmarks. This updates the Google Cloud APIs and their Go libraries to their latest versions, which adds some of the missing fields of the container cluster service v1 proto that didn't exist in the version defined in `WORKSPACE`. This also severs the proto import dependency of `test_range_config.proto` on the container cluster API proto, both because it shouldn't be GKE-specific but also because the Go genproto version of the container cluster API is different (from the Go linker's perspective) from the container cluster proto that is imported from `test_range_config.proto`. Instead, it is encoded as an "any" proto for both nodepools and clusters. Go repositories are re-arranged such that the genproto version imported is taken from the `WORKSPACE` file rather than the one embedded in other Go repositories earlier in the file. The version of this API in Go's genproto library is still missing some of the TPU node placement fields, so that part is filled in via reflection when available. That is hacky but that codepath only applies to TPU clusters so not applicable for most benchmarks. PiperOrigin-RevId: 688682505

Commit:4cff902
Author:Etienne Perot
Committer:gVisor bot

Add Kubernetes benchmarks suite. This is a large set of Kubernetes-based performance benchmarks that has been in use at Google for gVisor performance testing on GKE, and is now open-source. This set of benchmarks has been created and maintained by multiple contributors over the last 2 years: @zkoopmans, @EtiennePerot, @kevinGC, @ayushr2, @manninglucas, @konstantin-s-bogom. PiperOrigin-RevId: 686649688

Commit:e8ca88e
Author:Anthony Cui
Committer:gVisor bot

Add ioctl sniffing tool to run GPU workloads and report unsupported ioctl calls. PiperOrigin-RevId: 644197930

Commit:43bd258
Author:Andrei Vagin
Committer:Andrei Vagin

Fix a few typos It is an idea of running codespell as part of our presubmit checks. Before enabling it for new changes, let's fix what it has found. Signed-off-by: Andrei Vagin <avagin@gmail.com>

Commit:5f4abad
Author:Andrei Vagin
Committer:Andrei Vagin

Fix a few typos It is an idea of running codespell as part of our presubmit checks. Before enabling it for new changes, let's fix what it has found. Signed-off-by: Andrei Vagin <avagin@gmail.com>

Commit:fd8f39c
Author:Nicolas Lacasse
Committer:gVisor bot

Emit SentryTcpListenEvent when the application listens on a tcp port. PiperOrigin-RevId: 562957239

Commit:c227d18
Author:Nicolas Lacasse
Committer:gVisor bot

Emit SentryTcpListenEvent when the application listens on a tcp port. PiperOrigin-RevId: 562957239

Commit:82d3f31
Author:Lucas Manning
Committer:gVisor bot

Introduce SentryMountPromiseBlockEvent. PiperOrigin-RevId: 523233705

Commit:7de67eb
Author:Lucas Manning
Committer:gVisor bot

Introduce SentryMountPromiseBlockEvent. PiperOrigin-RevId: 523233705

Commit:0c33df1
Author:Etienne Perot
Committer:gVisor bot

gVisor: Add library for exporting instrumentation data in Prometheus format. This adds a new library, `//pkg/prometheus`, which contains just enough data structures such that we can encode instrumentation information in Prometheus information. These data structures are JSON-encodable, such that they can be used over the `runsc` control channel for export (implemented in a future CL). The existing `metric.go` library gains new functionality to export its own data using this new export format. This change is part of a series of changes to support Prometheus-style metrics in `runsc`. Doing so requires making several seemingly-odd design decisions, due to the following architectural constraints: - Prometheus requires an HTTP server serving the `/metrics` endpoint. - For performance reasons, the `runsc boot` process cannot run the `netpoller` goroutine. - Since we don't want to write our own HTTP server implementation, this means the HTTP endpoint has to be served by a separate process that remains running during the lifetime of the container. - The `runsc boot` process is untrusted. - This means we cannot trust metrics data that comes out of the Sentry. Therefore, there needs to be an elaborate dance where we pre-register metric metadata before starting any untrusted workload. Then, the server relaying the metric data must verify the validity of metric values against this metric metadata. This avoids leaking metrics, cardinality blow-ups, and other such DoS vectors. - This feature needs to be easy-to-use in a typical Docker setting. - This means having the ability to just say `--metrics-server=localhost:1337` in the `runsc` runtime entry in `/etc/docker/daemon.json` and have that Just Work(TM), even when multiple containers are running. - Since only one process may listen on a port at a given time, this means the metric server needs to be able to multiplex requests out to multiple running sandboxes, and remain alive for the entire duration of either of these sandboxes. However, it should also die when there are no sandboxes, so that we don't end up with leftover metric servers lying around. - For this reason, the metrics server runs *outside* of the usual per-container cgroups. - This also saves system resources by not running one server per sandbox. - The metrics server must be exposed to the outside world, and cannot assume that its clients are trustworthy. - For this reason, a metrics server is bound to a runtime root directory, and double-checks all that the sandboxes it is asked to follow actually exist in this root directory. PiperOrigin-RevId: 498039624

Commit:d04a8d3
Author:Etienne Perot
Committer:gVisor bot

gVisor: Add library for exporting instrumentation data in Prometheus format. This adds a new library, `//pkg/prometheus`, which contains just enough data structures such that we can encode instrumentation information in Prometheus information. These data structures are JSON-encodable, such that they can be used over the `runsc` control channel for export (implemented in a future CL). The existing `metric.go` library gains new functionality to export its own data using this new export format. This change is part of a series of changes to support Prometheus-style metrics in `runsc`. Doing so requires making several seemingly-odd design decisions, due to the following architectural constraints: - Prometheus requires an HTTP server serving the `/metrics` endpoint. - For performance reasons, the `runsc boot` process cannot run the `netpoller` goroutine. - Since we don't want to write our own HTTP server implementation, this means the HTTP endpoint has to be served by a separate process that remains running during the lifetime of the container. - The `runsc boot` process is untrusted. - This means we cannot trust metrics data that comes out of the Sentry. Therefore, there needs to be an elaborate dance where we pre-register metric metadata before starting any untrusted workload. Then, the server relaying the metric data must verify the validity of metric values against this metric metadata. This avoids leaking metrics, cardinality blow-ups, and other such DoS vectors. - This feature needs to be easy-to-use in a typical Docker setting. - This means having the ability to just say `--metrics-server=localhost:1337` in the `runsc` runtime entry in `/etc/docker/daemon.json` and have that Just Work(TM), even when multiple containers are running. - Since only one process may listen on a port at a given time, this means the metric server needs to be able to multiplex requests out to multiple running sandboxes, and remain alive for the entire duration of either of these sandboxes. However, it should also die when there are no sandboxes, so that we don't end up with leftover metric servers lying around. - For this reason, the metrics server runs *outside* of the usual per-container cgroups. - This also saves system resources by not running one server per sandbox. - The metrics server must be exposed to the outside world, and cannot assume that its clients are trustworthy. - For this reason, a metrics server is bound to a runtime root directory, and double-checks all that the sandboxes it is asked to follow actually exist in this root directory. PiperOrigin-RevId: 498039624

Commit:04b311d
Author:Shambhavi Srivastava
Committer:gVisor bot

Adding container_start_duration metric for container multi-container mode. Including the time when a container start request is received and the time it is completed in the ContainerStartedEvent proto message. PiperOrigin-RevId: 495390114

Commit:1f8c4cb
Author:Shambhavi Srivastava
Committer:gVisor bot

Adding container_start_duration metric for container multi-container mode. Including the time when a container start request is received and the time it is completed in the ContainerStartedEvent proto message. PiperOrigin-RevId: 495390114

Commit:63f4760
Author:Shambhavi Srivastava
Committer:gVisor bot

Adding metrics for start container in multi-container mode. PiperOrigin-RevId: 493655449

Commit:4a1a26f
Author:Shambhavi Srivastava
Committer:gVisor bot

Adding metrics for start container in multi-container mode. PiperOrigin-RevId: 493655449

Commit:874909b
Author:Shambhavi Srivastava
Committer:gVisor bot

Adding more trace point integration tests for the following syscalls: - Chdir - Fchdir - Setgid - Setuid - Setsid - Setresuid - Setresgid Updates #4805 PiperOrigin-RevId: 489076929

Commit:dec1aed
Author:Shambhavi Srivastava
Committer:gVisor bot

Adding more trace point integration tests for the following syscalls: - Chdir - Fchdir - Setgid - Setuid - Setsid - Setresuid - Setresgid Updates #4805 PiperOrigin-RevId: 489076929

Commit:22de242
Author:Fabricio Voznika
Committer:gVisor bot

Add read/write syscalls to trace points Closes #8092 PiperOrigin-RevId: 488719448

Commit:e6f0195
Author:Fabricio Voznika
Committer:gVisor bot

Add read/write syscalls to trace points Closes #8092 PiperOrigin-RevId: 488719448

Commit:126144d
Author:Rahat Mahmood
Committer:gVisor bot

Add container exit event. PiperOrigin-RevId: 479651998

Commit:10a1cad
Author:Rahat Mahmood
Committer:gVisor bot

Add container exit event. PiperOrigin-RevId: 479651998

Commit:d0c5abc
Author:Rahat Mahmood
Committer:gVisor bot

Implement sentry control commands for cgroupfs. Add sentry control commands to read and write cgroup control values. PiperOrigin-RevId: 474663678

Commit:fc0e4d0
Author:Rahat Mahmood
Committer:gVisor bot

Implement sentry control commands for cgroupfs. Add sentry control commands to read and write cgroup control values. PiperOrigin-RevId: 474663678

Commit:b160b2a
Author:Shambhavi Srivastava
Committer:gVisor bot

Add Points to some syscalls Added a raw syscall points to all syscalls. Added schematized syscall points to the following syscalls: - timerfd_create - timerfd_settime - timerfd_gettime - fork, vfork - inotify_init, inotify_init1 - inotify_add_watch - inotify_rm_watch - socketpair Updates #4805 PiperOrigin-RevId: 459596784

Commit:c8e98d9
Author:Shambhavi Srivastava
Committer:gVisor bot

Add Points to some syscalls Added a raw syscall points to all syscalls. Added schematized syscall points to the following syscalls: - timerfd_create - timerfd_settime - timerfd_gettime - fork, vfork - inotify_init, inotify_init1 - inotify_add_watch - inotify_rm_watch - socketpair Updates #4805 PiperOrigin-RevId: 459596784

Commit:6a89472
Author:Shambhavi Srivastava
Committer:gVisor bot

Add Points to some syscalls Added a raw syscall points to all syscalls. Added schematized syscall points to the following syscalls: - chroot - dup, dup2, dup3 - prlimit64 - eventfd, eventfd2 - signalfd, signalfd4 - bind - accept, accept4 - fcntl - pipe, pipe2 Updates #4805 PiperOrigin-RevId: 457139504

Commit:45b06bb
Author:Shambhavi Srivastava
Committer:gVisor bot

Add Points to some syscalls Added a raw syscall points to all syscalls. Added schematized syscall points to the following syscalls: - chroot - dup, dup2, dup3 - prlimit64 - eventfd, eventfd2 - signalfd, signalfd4 - bind - accept, accept4 - fcntl - pipe, pipe2 Updates #4805 PiperOrigin-RevId: 457139504

Commit:2adbcf7
Author:Shambhavi Srivastava
Committer:gVisor bot

Add Points to some syscalls Added a raw syscall points to all syscalls. Added schematized syscall points to the following syscalls: - Chdir - Fchdir - Setgid - Setuid - Setsid - Setresuid - Setresgid PiperOrigin-RevId: 451001973

Commit:f84e9a8
Author:Shambhavi Srivastava
Committer:gVisor bot

Add Points to some syscalls Added a raw syscall points to all syscalls. Added schematized syscall points to the following syscalls: - Chdir - Fchdir - Setgid - Setuid - Setsid - Setresuid - Setresgid PiperOrigin-RevId: 451001973

Commit:2fb14fd
Author:Fabricio Voznika
Committer:gVisor bot

Remove unused field from syscall.Read proto Updates #4805 PiperOrigin-RevId: 450802760

Commit:d3634c8
Author:Fabricio Voznika
Committer:gVisor bot

Remove unused field from syscall.Read proto Updates #4805 PiperOrigin-RevId: 450802760

Commit:389c768
Author:Fabricio Voznika
Committer:gVisor bot

Add version handshake before communication is stablished Details on how it works is in wire.Handshake. Updates #4805 PiperOrigin-RevId: 448552448

Commit:e189fb6
Author:Fabricio Voznika
Committer:gVisor bot

Add version handshake before communication is stablished Details on how it works is in wire.Handshake. Updates #4805 PiperOrigin-RevId: 448552448

Commit:c7b4708
Author:Fabricio Voznika
Committer:gVisor bot

Fire clone point for thread creation Thread creation tracking is required by Falco. Updates #4805 PiperOrigin-RevId: 447003670

Commit:a23e60a
Author:Fabricio Voznika
Committer:gVisor bot

Fire clone point for thread creation Thread creation tracking is required by Falco. Updates #4805 PiperOrigin-RevId: 447003670

Commit:0a75fa3
Author:Fabricio Voznika
Committer:gVisor bot

Faster proto serialization The use of protobuf.Any is convenient, but adds to proto serialization time and number of memory allocations required to send a message. Instead, we now use an enum to indentify the message and use it to determine how to unmarshall the message on the receiveing end. It also speeds up event consuption by not requiring a map from string (proto names) to callbacks. BenchmarkProtoAny-6 115.9 ns/op 210 B/op 4 allocs/op BenchmarkProtoEnum-6 58.3 ns/op 2 B/op 1 allocs/op Updates #4805 PiperOrigin-RevId: 446879057

Commit:2d6e640
Author:Fabricio Voznika
Committer:gVisor bot

Faster proto serialization The use of protobuf.Any is convenient, but adds to proto serialization time and number of memory allocations required to send a message. Instead, we now use an enum to indentify the message and use it to determine how to unmarshall the message on the receiveing end. It also speeds up event consuption by not requiring a map from string (proto names) to callbacks. BenchmarkProtoAny-6 115.9 ns/op 210 B/op 4 allocs/op BenchmarkProtoEnum-6 58.3 ns/op 2 B/op 1 allocs/op Updates #4805 PiperOrigin-RevId: 446879057

Commit:974fc32
Author:Fabricio Voznika
Committer:gVisor bot

Add Points to some syscalls Added a raw syscall points to all syscalls. Added schematized syscall points to the following syscalls: - read - close - socket - connect - execve - creat - openat - execveat Updates #4805 PiperOrigin-RevId: 446008358

Commit:f2b6fbb
Author:Fabricio Voznika
Committer:gVisor bot

Add Points to some syscalls Added a raw syscall points to all syscalls. Added schematized syscall points to the following syscalls: - read - close - socket - connect - execve - creat - openat - execveat Updates #4805 PiperOrigin-RevId: 446008358

Commit:f6a99a6
Author:Fabricio Voznika
Committer:gVisor bot

Add container/start context fields Updates #4805 PiperOrigin-RevId: 445976770

Commit:3b26900
Author:Fabricio Voznika
Committer:gVisor bot

Add container/start context fields Updates #4805 PiperOrigin-RevId: 445976770

Commit:3525d69
Author:Fabricio Voznika
Committer:gVisor bot

Add support for syscall points Each syscall provides 4 different points. There is a raw syscall point that contains the syscall number and all 6 arguments, nothing else. Some syscalls can provide a schematized version of the syscall by defining a function that converts the syscall into a proto representing the syscall. Each of these flavors have a point for enter and another for exit. In both cases, the exit event adds return value and errno (if any). Updates #4805 PiperOrigin-RevId: 445510907

Commit:575d76d
Author:Fabricio Voznika
Committer:gVisor bot

Add support for syscall points Each syscall provides 4 different points. There is a raw syscall point that contains the syscall number and all 6 arguments, nothing else. Some syscalls can provide a schematized version of the syscall by defining a function that converts the syscall into a proto representing the syscall. Each of these flavors have a point for enter and another for exit. In both cases, the exit event adds return value and errno (if any). Updates #4805 PiperOrigin-RevId: 445510907

Commit:78c6e57
Author:Fabricio Voznika
Committer:gVisor bot

Add sentry/task_exit point Updates #4805 PiperOrigin-RevId: 445222912

Commit:e1c4bbc
Author:Fabricio Voznika
Committer:gVisor bot

Add sentry/task_exit point Updates #4805 PiperOrigin-RevId: 445222912

Commit:a240551
Author:Fabricio Voznika
Committer:gVisor bot

Add container/start Point Updates #4805 PiperOrigin-RevId: 444983390

Commit:93185b4
Author:Fabricio Voznika
Committer:gVisor bot

Add container/start Point Updates #4805 PiperOrigin-RevId: 444983390

Commit:93023f5
Author:Fabricio Voznika
Committer:gVisor bot

Use proto structs for seccheck points Given that in most cases points are serialized to another process, point data is now created diretly into protos. As part of this change, infrastructure to track optional and context fields was created to facilitate addition of lots of Points which is needed for upcomming of changes. Updates #4805 Currently the SST code is converting seccheck protos into SST protos in the sentry before sending it to the API. After this change, SST checker will be changed to send seccheck protos to the API and the API then converts these into SST on the way to pubsub. PiperOrigin-RevId: 442688320

Commit:8a24f20
Author:Fabricio Voznika
Committer:gVisor bot

Use proto structs for seccheck points Given that in most cases points are serialized to another process, point data is now created diretly into protos. As part of this change, infrastructure to track optional and context fields was created to facilitate addition of lots of Points which is needed for upcomming of changes. Updates #4805 Currently the SST code is converting seccheck protos into SST protos in the sentry before sending it to the API. After this change, SST checker will be changed to send seccheck protos to the API and the API then converts these into SST on the way to pubsub. PiperOrigin-RevId: 442688320

Commit:34ddcc0
Author:Etienne Perot
Committer:gVisor bot

Implement distribution metrics in the Sentry, with arbitrary number of fields. Distribution metrics are well-suited for recording "events" and the time these events take, for performance measurements. They bucket durations in buckets, and keep track of the number of samples in each bucket. As this structure also inherently keeps track of the *total* number of samples, it can be used as a simple event counter as well, obviating the need for a counter metric next to it counting the same thing. In order to be compatible with the needs of the KVM platform to track events that happen where new memory allocations would not be possible, the code for adding a sample to a distribution is optimized to be fast and allocation-free. The tradeoff there mostly comes in the form of memory, such as requiring a weird new `fieldMapper` recursive struct that acts as a lookup table for the concatenated key containing the values of all the fields for which the sample is being recorded. Since we do not expect to deal with large number of field combinations, this should not be a problem. Another tradeoff this imposes is the lack of support for a generic `Bucketer` interface allowing users to define their own bucketing scheme, as we would not be able to enforce the lack of allocations in custom `Bucketer` implementations, nor enforce `+checkescape` on them. However, since in practice all bucketing implementations will probably reside in `metric.go`, this is worked around by just having the distribution metric code refer to `Bucketer` implementations as references and call them directly (without the interface indirection). Since there is only one implementation currently (`ExponentialBucketer`), this is faster than using the interface. PiperOrigin-RevId: 436614053

Commit:1c9ce54
Author:Etienne Perot
Committer:gVisor bot

Implement distribution metrics in the Sentry, with arbitrary number of fields. Distribution metrics are well-suited for recording "events" and the time these events take, for performance measurements. They bucket durations in buckets, and keep track of the number of samples in each bucket. As this structure also inherently keeps track of the *total* number of samples, it can be used as a simple event counter as well, obviating the need for a counter metric next to it counting the same thing. In order to be compatible with the needs of the KVM platform to track events that happen where new memory allocations would not be possible, the code for adding a sample to a distribution is optimized to be fast and allocation-free. The tradeoff there mostly comes in the form of memory, such as requiring a weird new `fieldMapper` recursive struct that acts as a lookup table for the concatenated key containing the values of all the fields for which the sample is being recorded. Since we do not expect to deal with large number of field combinations, this should not be a problem. Another tradeoff this imposes is the lack of support for a generic `Bucketer` interface allowing users to define their own bucketing scheme, as we would not be able to enforce the lack of allocations in custom `Bucketer` implementations, nor enforce `+checkescape` on them. However, since in practice all bucketing implementations will probably reside in `metric.go`, this is worked around by just having the distribution metric code refer to `Bucketer` implementations as references and call them directly (without the interface indirection). Since there is only one implementation currently (`ExponentialBucketer`), this is faster than using the interface. PiperOrigin-RevId: 436614053

Commit:1cfca31
Author:Fabricio Voznika
Committer:gVisor bot

Add support for containerd 1.5 "cri.runtimeoptions.v1" moved to "runtimeoptions.v1" and containerd configuration format version 2 is required. Updates #6449 PiperOrigin-RevId: 405474653

Commit:9262ea4
Author:Fabricio Voznika
Committer:gVisor bot

Add support for containerd 1.5 "cri.runtimeoptions.v1" moved to "runtimeoptions.v1" and containerd configuration format version 2 is required. Updates #6449 PiperOrigin-RevId: 405474653

Commit:689c04f
Author:Chong Cai
Committer:gVisor bot

Add control configs Also plumber the controls through runsc PiperOrigin-RevId: 391594318

Commit:75b5a4f
Author:Chong Cai
Committer:gVisor bot

Add control configs Also plumber the controls through runsc PiperOrigin-RevId: 391594318

Commit:18f414c
Author:Chong Cai
Committer:gVisor bot

Add control configs PiperOrigin-RevId: 386340922

Commit:9c35910
Author:Nayana Bidari
Committer:gVisor bot

Add TimeToRecover metric to record time spent by the connection in recovery. - The new sentry metric will record the duration when the connection is in Fast/SACK recovery and RTO recovery. This metric will help us to compare between different loss recovery algorithms such as Reno, SACK and RACK. - Added a new field in the TCP sender to record the start time of recovery. - Made changes to create sentry metrics with Microseconds unit. PiperOrigin-RevId: 383539850

Commit:3e5f614
Author:Etienne Perot
Committer:gVisor bot

Sentry: Measure the time it takes to initialize the Sentry. PiperOrigin-RevId: 383472507

Commit:cd558fc
Author:Etienne Perot
Committer:gVisor bot

Sentry: Measure the time it takes to initialize the Sentry. PiperOrigin-RevId: 383472507

Commit:da87fae
Author:Nayana Bidari
Committer:gVisor bot

Add field support to the sentry metrics. Fields allow counter metrics to have multiple tabular values. At most one field is supported at the moment. PiperOrigin-RevId: 368767040

Commit:14b7d77
Author:Nayana Bidari
Committer:gVisor bot

Add field support to the sentry metrics. Fields allow counter metrics to have multiple tabular values. At most one field is supported at the moment. PiperOrigin-RevId: 368767040

Commit:08f5188
Author:Zeling Feng
Committer:gVisor bot

Packetimpact test for ACK to OTW Seq segments behavior in CLOSING TCP, in CLOSING state, MUST send an ACK with next expected SEQ number after receiving any segment with OTW SEQ number and remain in the same state. While I am here, I also changed shutdown to behave the same as other calls in posix_server. PiperOrigin-RevId: 362976955

Commit:06b047a
Author:Zeling Feng
Committer:gVisor bot

Packetimpact test for ACK to OTW Seq segments behavior in CLOSING TCP, in CLOSING state, MUST send an ACK with next expected SEQ number after receiving any segment with OTW SEQ number and remain in the same state. While I am here, I also changed shutdown to behave the same as other calls in posix_server. PiperOrigin-RevId: 362976955

Commit:3f7500f
Author:Zeling Feng
Committer:gVisor bot

Move SetNonblocking into posix_server - open flags can be different on different OSs, by putting SetNonblocking into the posix_server rather than the testbench, we can always get the right value for O_NONBLOCK - merged the tcp_queue_{send,receive}_in_syn_sent into a single file PiperOrigin-RevId: 359620630