These commits are when the Protocol Buffers files have changed: (only the last 100 relevant commits are shown)
| Commit: | 9f22445 | |
|---|---|---|
| Author: | Xin Zhong | |
| Committer: | gVisor bot | |
Add seccheck field to indicate if executed binary is on overlayfs upper layer. This change introduces a new field `binary_overlayfs_upper` to the `ExecveBinaryInfo` seccheck point. This field is set to true if the executable being run is located on the upper layer of an overlay filesystem. A new helper function `overlay.IsCopiedUp` is added to check this condition. PiperOrigin-RevId: 913758999
| Commit: | 1df8033 | |
|---|---|---|
| Author: | Xin Zhong | |
| Committer: | gVisor bot | |
Add seccheck point for mmap. This change introduces a new seccheck point, "sentry/mmap", which is triggered when a memory mapping is created. The seccheck event includes information about the mapped file, such as its path, inode, mode, UID, and GID, as well as a timestamp. It also indicates if the mapping corresponds to the initial executable. This allows for monitoring of potential code injection or execution from unexpected sources. PiperOrigin-RevId: 915566174
| Commit: | 93e1ea8 | |
|---|---|---|
| Author: | Lucas Manning | |
| Committer: | gVisor bot | |
Add checkpoint/restore coordination with libtpu to runsc. PiperOrigin-RevId: 943469548
The documentation is generated from this commit.
| Commit: | 8c2db95 | |
|---|---|---|
| Author: | Xin Zhong | |
| Committer: | gVisor bot | |
Add seccheck field to indicate if executed binary is on overlayfs upper layer. This change introduces a new field `binary_overlayfs_upper` to the `ExecveBinaryInfo` seccheck point. This field is set to true if the executable being run is located on the upper layer of an overlay filesystem. A new helper function `overlay.IsCopiedUp` is added to check this condition. PiperOrigin-RevId: 913758999
| Commit: | 6b5bf02 | |
|---|---|---|
| Author: | Xin Zhong | |
| Committer: | gVisor bot | |
Add seccheck point for mmap. This change introduces a new seccheck point, "sentry/mmap", which is triggered when a memory mapping is created. The seccheck event includes information about the mapped file, such as its path, inode, mode, UID, and GID, as well as a timestamp. It also indicates if the mapping corresponds to the initial executable. This allows for monitoring of potential code injection or execution from unexpected sources. PiperOrigin-RevId: 915566174
| Commit: | 66017de | |
|---|---|---|
| Author: | Xin Zhong | |
| Committer: | gVisor bot | |
Add seccheck field to indicate if executed binary is on overlayfs upper layer. This change introduces a new field `binary_overlayfs_upper` to the `ExecveBinaryInfo` seccheck point. This field is set to true if the executable being run is located on the upper layer of an overlay filesystem. A new helper function `overlay.IsCopiedUp` is added to check this condition. PiperOrigin-RevId: 913758999
| Commit: | d89c902 | |
|---|---|---|
| Author: | Lucas Manning | |
| Committer: | gVisor bot | |
Implement save/restore for TPU/VFIO devices to enable cross device C/R. This change enables save and restore for TPU/VFIO such that they can be saved on one device and restored on another. The change tracks open VFIO/TPU FDs and, during save, captures the PCI Bus:Device:Function (BDF) and IOMMU group numbers so they can be properly remapped. During restore, it remaps these old IDs to new IDs based on the restored container's device configuration and reopens the necessary host file descriptors. The remapping information is passed via the context to the afterLoad methods of the VFIO/TPU FD implementations. PiperOrigin-RevId: 938132005
| Commit: | edfe228 | |
|---|---|---|
| Author: | Lucas Manning | |
| Committer: | gVisor bot | |
Add checkpoint/restore coordination with libtpu to runsc. PiperOrigin-RevId: 922310675
| Commit: | c3eae87 | |
|---|---|---|
| Author: | gVisor bot | |
| Committer: | gVisor bot | |
Internal change. PiperOrigin-RevId: 927384056
| Commit: | b375621 | |
|---|---|---|
| Author: | gVisor bot | |
| Committer: | gVisor bot | |
Internal change. PiperOrigin-RevId: 927390410
| Commit: | dcac645 | |
|---|---|---|
| Author: | gVisor bot | |
| Committer: | gVisor bot | |
Internal change. PiperOrigin-RevId: 927399029
| Commit: | 410de8b | |
|---|---|---|
| Author: | gVisor bot | |
| Committer: | gVisor bot | |
Internal change. PiperOrigin-RevId: 927390251
| Commit: | aac5c63 | |
|---|---|---|
| Author: | gVisor bot | |
| Committer: | gVisor bot | |
Internal change. PiperOrigin-RevId: 927389828
| Commit: | ebde64c | |
|---|---|---|
| Author: | gVisor bot | |
| Committer: | gVisor bot | |
Internal change. PiperOrigin-RevId: 927390359
| Commit: | 46c03e4 | |
|---|---|---|
| Author: | Xin Zhong | |
| Committer: | gVisor bot | |
Add PPID to ContextData in gvisor seccheck PiperOrigin-RevId: 919895409
| Commit: | 1e4ca67 | |
|---|---|---|
| Author: | Zach Koopmans | |
| Committer: | gVisor bot | |
Internal change PiperOrigin-RevId: 919856743
| Commit: | f1b8190 | |
|---|---|---|
| Author: | Etienne Perot | |
| Committer: | gVisor bot | |
Add support for customizing the default nodepool in GKE tester. PiperOrigin-RevId: 914077000
| Commit: | c53747f | |
|---|---|---|
| Author: | Etienne Perot | |
| Committer: | gVisor bot | |
Internal change PiperOrigin-RevId: 913914238
| Commit: | 18785eb | |
|---|---|---|
| Author: | Etienne Perot | |
| Committer: | gVisor bot | |
Internal change PiperOrigin-RevId: 913914237
| Commit: | 59090b0 | |
|---|---|---|
| Author: | Etienne Perot | |
| Committer: | gVisor bot | |
Internal change PiperOrigin-RevId: 913914232
| Commit: | baad8b6 | |
|---|---|---|
| Author: | Etienne Perot | |
| Committer: | gVisor bot | |
Internal change PiperOrigin-RevId: 913914231
| Commit: | 9bc5f3f | |
|---|---|---|
| Author: | Jing Chen | |
| Committer: | gVisor bot | |
Internal change. PiperOrigin-RevId: 910311877
| Commit: | b92dfb7 | |
|---|---|---|
| Author: | Jing Chen | |
| Committer: | gVisor bot | |
Internal change. PiperOrigin-RevId: 907764703
| Commit: | 9042a16 | |
|---|---|---|
| Author: | Lucas Manning | |
| Committer: | gVisor bot | |
Fix new sandbox_options proto build. PiperOrigin-RevId: 878013302
| Commit: | ec013ff | |
|---|---|---|
| Author: | Lucas Manning | |
| Committer: | gVisor bot | |
Create initial sandbox configuration spec. This configuration will serve as the base for various language-specific sandbox APIs. PiperOrigin-RevId: 877625759
| Commit: | 44df3f8 | |
|---|---|---|
| Author: | Zach Koopmans | |
| Committer: | gVisor bot | |
Fix cos_gpu_compatibility_test Update the proto for the cos_gpu_compatibility_test so that it passes PiperOrigin-RevId: 876426910
| Commit: | 385d295 | |
|---|---|---|
| Author: | Jing Chen | |
| Committer: | gVisor bot | |
Remove pkg/shim/v1/runtimeoptions/v14 that supports containerd before v1.4. gVisor now supports containerd 1.6 and later. PiperOrigin-RevId: 840429781
| Commit: | d5069fe | |
|---|---|---|
| Author: | Etienne Perot | |
| Committer: | gVisor bot | |
Kubernetes testcluster: Add "restore" nodepool. This is a nodepool configured identically to the test nodepool, and is meant to be a restore target for checkpoint/restore benchmarks. PiperOrigin-RevId: 766345186
| Commit: | 3a06fd3 | |
|---|---|---|
| Author: | gVisor bot | |
| Committer: | gVisor bot | |
Internal change. PiperOrigin-RevId: 761600409
| Commit: | 86abc85 | |
|---|---|---|
| Author: | gVisor bot | |
Merge pull request #11473 from Champ-Goblem:shim-add-cgroup-v2-metrics-support PiperOrigin-RevId: 730560110
| Commit: | 7937c03 | |
|---|---|---|
| Author: | Andrei Vagin | |
| Committer: | gVisor bot | |
netstack/packet: use lockdep mutexes FUTURE_COPYBARA_INTEGRATE_REVIEW=https://github.com/google/gvisor/pull/11473 from Champ-Goblem:shim-add-cgroup-v2-metrics-support b602afb7647546148cab820775aba3b57e767213 PiperOrigin-RevId: 730536578
| Commit: | 386ce9f | |
|---|---|---|
| Author: | Jing Chen | |
| Committer: | gVisor bot | |
Relocate containerd-shim-runsc-v1 deps from shim/ to shim/v1. FUTURE_COPYBARA_INTEGRATE_REVIEW=https://github.com/google/gvisor/pull/11473 from Champ-Goblem:shim-add-cgroup-v2-metrics-support b602afb7647546148cab820775aba3b57e767213 PiperOrigin-RevId: 729612115
| Commit: | f010ae0 | |
|---|---|---|
| Author: | Andrei Vagin | |
| Committer: | Andrei Vagin | |
Fix a few typos
| Commit: | 4dbba85 | |
|---|---|---|
| Author: | Etienne Perot | |
| Committer: | gVisor bot | |
Kubernetes benchmarks: Refactor kubectl context to allow sets of clusters. Also add sanity check to make sure each cluster works as part of initialization, by running a sample pod within. PiperOrigin-RevId: 710786751
| Commit: | da0e523 | |
|---|---|---|
| Author: | Etienne Perot | |
| Committer: | gVisor bot | |
Internal change (diffbased). PiperOrigin-RevId: 709157384
| Commit: | 23c8b4b | |
|---|---|---|
| Author: | Zach Koopmans | |
| Committer: | gVisor bot | |
Add test to check COS drivers as they are posted. Our current check of COS drivers often lags behind COS releases. This is due to needing to preload GPU docker images onto the images that run in our CI pipelines. In addition, COS can be a bit more complex than originally thought releasing driver versions both across GPU types and release branches. Thus, this test searches the latest COS images on each family for new drivers. It does this by looking at COS's published release notes which include a proto of LATEST/DEFAULT drivers selected for each device. This will flag new versions faster with more coverage than our CI pipeline currently. Due to this not actually needing a GPU to run, this can run on any VM. PiperOrigin-RevId: 693736100
| Commit: | d18a726 | |
|---|---|---|
| Author: | Etienne Perot | |
| Committer: | gVisor bot | |
Unbreak build failures in Kubernetes benchmarks. This updates the Google Cloud APIs and their Go libraries to their latest versions, which adds some of the missing fields of the container cluster service v1 proto that didn't exist in the version defined in `WORKSPACE`. This also severs the proto import dependency of `test_range_config.proto` on the container cluster API proto, both because it shouldn't be GKE-specific but also because the Go genproto version of the container cluster API is different (from the Go linker's perspective) from the container cluster proto that is imported from `test_range_config.proto`. Instead, it is encoded as an "any" proto for both nodepools and clusters. Go repositories are re-arranged such that the genproto version imported is taken from the `WORKSPACE` file rather than the one embedded in other Go repositories earlier in the file. The version of this API in Go's genproto library is still missing some of the TPU node placement fields, so that part is filled in via reflection when available. That is hacky but that codepath only applies to TPU clusters so not applicable for most benchmarks. PiperOrigin-RevId: 688682505
| Commit: | 4cff902 | |
|---|---|---|
| Author: | Etienne Perot | |
| Committer: | gVisor bot | |
Add Kubernetes benchmarks suite. This is a large set of Kubernetes-based performance benchmarks that has been in use at Google for gVisor performance testing on GKE, and is now open-source. This set of benchmarks has been created and maintained by multiple contributors over the last 2 years: @zkoopmans, @EtiennePerot, @kevinGC, @ayushr2, @manninglucas, @konstantin-s-bogom. PiperOrigin-RevId: 686649688
| Commit: | e8ca88e | |
|---|---|---|
| Author: | Anthony Cui | |
| Committer: | gVisor bot | |
Add ioctl sniffing tool to run GPU workloads and report unsupported ioctl calls. PiperOrigin-RevId: 644197930
| Commit: | 43bd258 | |
|---|---|---|
| Author: | Andrei Vagin | |
| Committer: | Andrei Vagin | |
Fix a few typos It is an idea of running codespell as part of our presubmit checks. Before enabling it for new changes, let's fix what it has found. Signed-off-by: Andrei Vagin <avagin@gmail.com>
| Commit: | 5f4abad | |
|---|---|---|
| Author: | Andrei Vagin | |
| Committer: | Andrei Vagin | |
Fix a few typos It is an idea of running codespell as part of our presubmit checks. Before enabling it for new changes, let's fix what it has found. Signed-off-by: Andrei Vagin <avagin@gmail.com>
| Commit: | fd8f39c | |
|---|---|---|
| Author: | Nicolas Lacasse | |
| Committer: | gVisor bot | |
Emit SentryTcpListenEvent when the application listens on a tcp port. PiperOrigin-RevId: 562957239
| Commit: | c227d18 | |
|---|---|---|
| Author: | Nicolas Lacasse | |
| Committer: | gVisor bot | |
Emit SentryTcpListenEvent when the application listens on a tcp port. PiperOrigin-RevId: 562957239
| Commit: | 82d3f31 | |
|---|---|---|
| Author: | Lucas Manning | |
| Committer: | gVisor bot | |
Introduce SentryMountPromiseBlockEvent. PiperOrigin-RevId: 523233705
| Commit: | 7de67eb | |
|---|---|---|
| Author: | Lucas Manning | |
| Committer: | gVisor bot | |
Introduce SentryMountPromiseBlockEvent. PiperOrigin-RevId: 523233705
| Commit: | 0c33df1 | |
|---|---|---|
| Author: | Etienne Perot | |
| Committer: | gVisor bot | |
gVisor: Add library for exporting instrumentation data in Prometheus format. This adds a new library, `//pkg/prometheus`, which contains just enough data structures such that we can encode instrumentation information in Prometheus information. These data structures are JSON-encodable, such that they can be used over the `runsc` control channel for export (implemented in a future CL). The existing `metric.go` library gains new functionality to export its own data using this new export format. This change is part of a series of changes to support Prometheus-style metrics in `runsc`. Doing so requires making several seemingly-odd design decisions, due to the following architectural constraints: - Prometheus requires an HTTP server serving the `/metrics` endpoint. - For performance reasons, the `runsc boot` process cannot run the `netpoller` goroutine. - Since we don't want to write our own HTTP server implementation, this means the HTTP endpoint has to be served by a separate process that remains running during the lifetime of the container. - The `runsc boot` process is untrusted. - This means we cannot trust metrics data that comes out of the Sentry. Therefore, there needs to be an elaborate dance where we pre-register metric metadata before starting any untrusted workload. Then, the server relaying the metric data must verify the validity of metric values against this metric metadata. This avoids leaking metrics, cardinality blow-ups, and other such DoS vectors. - This feature needs to be easy-to-use in a typical Docker setting. - This means having the ability to just say `--metrics-server=localhost:1337` in the `runsc` runtime entry in `/etc/docker/daemon.json` and have that Just Work(TM), even when multiple containers are running. - Since only one process may listen on a port at a given time, this means the metric server needs to be able to multiplex requests out to multiple running sandboxes, and remain alive for the entire duration of either of these sandboxes. However, it should also die when there are no sandboxes, so that we don't end up with leftover metric servers lying around. - For this reason, the metrics server runs *outside* of the usual per-container cgroups. - This also saves system resources by not running one server per sandbox. - The metrics server must be exposed to the outside world, and cannot assume that its clients are trustworthy. - For this reason, a metrics server is bound to a runtime root directory, and double-checks all that the sandboxes it is asked to follow actually exist in this root directory. PiperOrigin-RevId: 498039624
| Commit: | d04a8d3 | |
|---|---|---|
| Author: | Etienne Perot | |
| Committer: | gVisor bot | |
gVisor: Add library for exporting instrumentation data in Prometheus format. This adds a new library, `//pkg/prometheus`, which contains just enough data structures such that we can encode instrumentation information in Prometheus information. These data structures are JSON-encodable, such that they can be used over the `runsc` control channel for export (implemented in a future CL). The existing `metric.go` library gains new functionality to export its own data using this new export format. This change is part of a series of changes to support Prometheus-style metrics in `runsc`. Doing so requires making several seemingly-odd design decisions, due to the following architectural constraints: - Prometheus requires an HTTP server serving the `/metrics` endpoint. - For performance reasons, the `runsc boot` process cannot run the `netpoller` goroutine. - Since we don't want to write our own HTTP server implementation, this means the HTTP endpoint has to be served by a separate process that remains running during the lifetime of the container. - The `runsc boot` process is untrusted. - This means we cannot trust metrics data that comes out of the Sentry. Therefore, there needs to be an elaborate dance where we pre-register metric metadata before starting any untrusted workload. Then, the server relaying the metric data must verify the validity of metric values against this metric metadata. This avoids leaking metrics, cardinality blow-ups, and other such DoS vectors. - This feature needs to be easy-to-use in a typical Docker setting. - This means having the ability to just say `--metrics-server=localhost:1337` in the `runsc` runtime entry in `/etc/docker/daemon.json` and have that Just Work(TM), even when multiple containers are running. - Since only one process may listen on a port at a given time, this means the metric server needs to be able to multiplex requests out to multiple running sandboxes, and remain alive for the entire duration of either of these sandboxes. However, it should also die when there are no sandboxes, so that we don't end up with leftover metric servers lying around. - For this reason, the metrics server runs *outside* of the usual per-container cgroups. - This also saves system resources by not running one server per sandbox. - The metrics server must be exposed to the outside world, and cannot assume that its clients are trustworthy. - For this reason, a metrics server is bound to a runtime root directory, and double-checks all that the sandboxes it is asked to follow actually exist in this root directory. PiperOrigin-RevId: 498039624
| Commit: | 04b311d | |
|---|---|---|
| Author: | Shambhavi Srivastava | |
| Committer: | gVisor bot | |
Adding container_start_duration metric for container multi-container mode. Including the time when a container start request is received and the time it is completed in the ContainerStartedEvent proto message. PiperOrigin-RevId: 495390114
| Commit: | 1f8c4cb | |
|---|---|---|
| Author: | Shambhavi Srivastava | |
| Committer: | gVisor bot | |
Adding container_start_duration metric for container multi-container mode. Including the time when a container start request is received and the time it is completed in the ContainerStartedEvent proto message. PiperOrigin-RevId: 495390114
| Commit: | 63f4760 | |
|---|---|---|
| Author: | Shambhavi Srivastava | |
| Committer: | gVisor bot | |
Adding metrics for start container in multi-container mode. PiperOrigin-RevId: 493655449
| Commit: | 4a1a26f | |
|---|---|---|
| Author: | Shambhavi Srivastava | |
| Committer: | gVisor bot | |
Adding metrics for start container in multi-container mode. PiperOrigin-RevId: 493655449
| Commit: | 874909b | |
|---|---|---|
| Author: | Shambhavi Srivastava | |
| Committer: | gVisor bot | |
Adding more trace point integration tests for the following syscalls: - Chdir - Fchdir - Setgid - Setuid - Setsid - Setresuid - Setresgid Updates #4805 PiperOrigin-RevId: 489076929
| Commit: | dec1aed | |
|---|---|---|
| Author: | Shambhavi Srivastava | |
| Committer: | gVisor bot | |
Adding more trace point integration tests for the following syscalls: - Chdir - Fchdir - Setgid - Setuid - Setsid - Setresuid - Setresgid Updates #4805 PiperOrigin-RevId: 489076929
| Commit: | 22de242 | |
|---|---|---|
| Author: | Fabricio Voznika | |
| Committer: | gVisor bot | |
Add read/write syscalls to trace points Closes #8092 PiperOrigin-RevId: 488719448
| Commit: | e6f0195 | |
|---|---|---|
| Author: | Fabricio Voznika | |
| Committer: | gVisor bot | |
Add read/write syscalls to trace points Closes #8092 PiperOrigin-RevId: 488719448
| Commit: | 126144d | |
|---|---|---|
| Author: | Rahat Mahmood | |
| Committer: | gVisor bot | |
Add container exit event. PiperOrigin-RevId: 479651998
| Commit: | 10a1cad | |
|---|---|---|
| Author: | Rahat Mahmood | |
| Committer: | gVisor bot | |
Add container exit event. PiperOrigin-RevId: 479651998
| Commit: | d0c5abc | |
|---|---|---|
| Author: | Rahat Mahmood | |
| Committer: | gVisor bot | |
Implement sentry control commands for cgroupfs. Add sentry control commands to read and write cgroup control values. PiperOrigin-RevId: 474663678
| Commit: | fc0e4d0 | |
|---|---|---|
| Author: | Rahat Mahmood | |
| Committer: | gVisor bot | |
Implement sentry control commands for cgroupfs. Add sentry control commands to read and write cgroup control values. PiperOrigin-RevId: 474663678
| Commit: | b160b2a | |
|---|---|---|
| Author: | Shambhavi Srivastava | |
| Committer: | gVisor bot | |
Add Points to some syscalls Added a raw syscall points to all syscalls. Added schematized syscall points to the following syscalls: - timerfd_create - timerfd_settime - timerfd_gettime - fork, vfork - inotify_init, inotify_init1 - inotify_add_watch - inotify_rm_watch - socketpair Updates #4805 PiperOrigin-RevId: 459596784
| Commit: | c8e98d9 | |
|---|---|---|
| Author: | Shambhavi Srivastava | |
| Committer: | gVisor bot | |
Add Points to some syscalls Added a raw syscall points to all syscalls. Added schematized syscall points to the following syscalls: - timerfd_create - timerfd_settime - timerfd_gettime - fork, vfork - inotify_init, inotify_init1 - inotify_add_watch - inotify_rm_watch - socketpair Updates #4805 PiperOrigin-RevId: 459596784
| Commit: | 6a89472 | |
|---|---|---|
| Author: | Shambhavi Srivastava | |
| Committer: | gVisor bot | |
Add Points to some syscalls Added a raw syscall points to all syscalls. Added schematized syscall points to the following syscalls: - chroot - dup, dup2, dup3 - prlimit64 - eventfd, eventfd2 - signalfd, signalfd4 - bind - accept, accept4 - fcntl - pipe, pipe2 Updates #4805 PiperOrigin-RevId: 457139504
| Commit: | 45b06bb | |
|---|---|---|
| Author: | Shambhavi Srivastava | |
| Committer: | gVisor bot | |
Add Points to some syscalls Added a raw syscall points to all syscalls. Added schematized syscall points to the following syscalls: - chroot - dup, dup2, dup3 - prlimit64 - eventfd, eventfd2 - signalfd, signalfd4 - bind - accept, accept4 - fcntl - pipe, pipe2 Updates #4805 PiperOrigin-RevId: 457139504
| Commit: | 2adbcf7 | |
|---|---|---|
| Author: | Shambhavi Srivastava | |
| Committer: | gVisor bot | |
Add Points to some syscalls Added a raw syscall points to all syscalls. Added schematized syscall points to the following syscalls: - Chdir - Fchdir - Setgid - Setuid - Setsid - Setresuid - Setresgid PiperOrigin-RevId: 451001973
| Commit: | f84e9a8 | |
|---|---|---|
| Author: | Shambhavi Srivastava | |
| Committer: | gVisor bot | |
Add Points to some syscalls Added a raw syscall points to all syscalls. Added schematized syscall points to the following syscalls: - Chdir - Fchdir - Setgid - Setuid - Setsid - Setresuid - Setresgid PiperOrigin-RevId: 451001973
| Commit: | 2fb14fd | |
|---|---|---|
| Author: | Fabricio Voznika | |
| Committer: | gVisor bot | |
Remove unused field from syscall.Read proto Updates #4805 PiperOrigin-RevId: 450802760
| Commit: | d3634c8 | |
|---|---|---|
| Author: | Fabricio Voznika | |
| Committer: | gVisor bot | |
Remove unused field from syscall.Read proto Updates #4805 PiperOrigin-RevId: 450802760
| Commit: | 389c768 | |
|---|---|---|
| Author: | Fabricio Voznika | |
| Committer: | gVisor bot | |
Add version handshake before communication is stablished Details on how it works is in wire.Handshake. Updates #4805 PiperOrigin-RevId: 448552448
| Commit: | e189fb6 | |
|---|---|---|
| Author: | Fabricio Voznika | |
| Committer: | gVisor bot | |
Add version handshake before communication is stablished Details on how it works is in wire.Handshake. Updates #4805 PiperOrigin-RevId: 448552448
| Commit: | c7b4708 | |
|---|---|---|
| Author: | Fabricio Voznika | |
| Committer: | gVisor bot | |
Fire clone point for thread creation Thread creation tracking is required by Falco. Updates #4805 PiperOrigin-RevId: 447003670
| Commit: | a23e60a | |
|---|---|---|
| Author: | Fabricio Voznika | |
| Committer: | gVisor bot | |
Fire clone point for thread creation Thread creation tracking is required by Falco. Updates #4805 PiperOrigin-RevId: 447003670
| Commit: | 0a75fa3 | |
|---|---|---|
| Author: | Fabricio Voznika | |
| Committer: | gVisor bot | |
Faster proto serialization The use of protobuf.Any is convenient, but adds to proto serialization time and number of memory allocations required to send a message. Instead, we now use an enum to indentify the message and use it to determine how to unmarshall the message on the receiveing end. It also speeds up event consuption by not requiring a map from string (proto names) to callbacks. BenchmarkProtoAny-6 115.9 ns/op 210 B/op 4 allocs/op BenchmarkProtoEnum-6 58.3 ns/op 2 B/op 1 allocs/op Updates #4805 PiperOrigin-RevId: 446879057
| Commit: | 2d6e640 | |
|---|---|---|
| Author: | Fabricio Voznika | |
| Committer: | gVisor bot | |
Faster proto serialization The use of protobuf.Any is convenient, but adds to proto serialization time and number of memory allocations required to send a message. Instead, we now use an enum to indentify the message and use it to determine how to unmarshall the message on the receiveing end. It also speeds up event consuption by not requiring a map from string (proto names) to callbacks. BenchmarkProtoAny-6 115.9 ns/op 210 B/op 4 allocs/op BenchmarkProtoEnum-6 58.3 ns/op 2 B/op 1 allocs/op Updates #4805 PiperOrigin-RevId: 446879057
| Commit: | 974fc32 | |
|---|---|---|
| Author: | Fabricio Voznika | |
| Committer: | gVisor bot | |
Add Points to some syscalls Added a raw syscall points to all syscalls. Added schematized syscall points to the following syscalls: - read - close - socket - connect - execve - creat - openat - execveat Updates #4805 PiperOrigin-RevId: 446008358
| Commit: | f2b6fbb | |
|---|---|---|
| Author: | Fabricio Voznika | |
| Committer: | gVisor bot | |
Add Points to some syscalls Added a raw syscall points to all syscalls. Added schematized syscall points to the following syscalls: - read - close - socket - connect - execve - creat - openat - execveat Updates #4805 PiperOrigin-RevId: 446008358
| Commit: | f6a99a6 | |
|---|---|---|
| Author: | Fabricio Voznika | |
| Committer: | gVisor bot | |
Add container/start context fields Updates #4805 PiperOrigin-RevId: 445976770
| Commit: | 3b26900 | |
|---|---|---|
| Author: | Fabricio Voznika | |
| Committer: | gVisor bot | |
Add container/start context fields Updates #4805 PiperOrigin-RevId: 445976770
| Commit: | 3525d69 | |
|---|---|---|
| Author: | Fabricio Voznika | |
| Committer: | gVisor bot | |
Add support for syscall points Each syscall provides 4 different points. There is a raw syscall point that contains the syscall number and all 6 arguments, nothing else. Some syscalls can provide a schematized version of the syscall by defining a function that converts the syscall into a proto representing the syscall. Each of these flavors have a point for enter and another for exit. In both cases, the exit event adds return value and errno (if any). Updates #4805 PiperOrigin-RevId: 445510907
| Commit: | 575d76d | |
|---|---|---|
| Author: | Fabricio Voznika | |
| Committer: | gVisor bot | |
Add support for syscall points Each syscall provides 4 different points. There is a raw syscall point that contains the syscall number and all 6 arguments, nothing else. Some syscalls can provide a schematized version of the syscall by defining a function that converts the syscall into a proto representing the syscall. Each of these flavors have a point for enter and another for exit. In both cases, the exit event adds return value and errno (if any). Updates #4805 PiperOrigin-RevId: 445510907
| Commit: | 78c6e57 | |
|---|---|---|
| Author: | Fabricio Voznika | |
| Committer: | gVisor bot | |
Add sentry/task_exit point Updates #4805 PiperOrigin-RevId: 445222912
| Commit: | e1c4bbc | |
|---|---|---|
| Author: | Fabricio Voznika | |
| Committer: | gVisor bot | |
Add sentry/task_exit point Updates #4805 PiperOrigin-RevId: 445222912
| Commit: | a240551 | |
|---|---|---|
| Author: | Fabricio Voznika | |
| Committer: | gVisor bot | |
Add container/start Point Updates #4805 PiperOrigin-RevId: 444983390
| Commit: | 93185b4 | |
|---|---|---|
| Author: | Fabricio Voznika | |
| Committer: | gVisor bot | |
Add container/start Point Updates #4805 PiperOrigin-RevId: 444983390
| Commit: | 93023f5 | |
|---|---|---|
| Author: | Fabricio Voznika | |
| Committer: | gVisor bot | |
Use proto structs for seccheck points Given that in most cases points are serialized to another process, point data is now created diretly into protos. As part of this change, infrastructure to track optional and context fields was created to facilitate addition of lots of Points which is needed for upcomming of changes. Updates #4805 Currently the SST code is converting seccheck protos into SST protos in the sentry before sending it to the API. After this change, SST checker will be changed to send seccheck protos to the API and the API then converts these into SST on the way to pubsub. PiperOrigin-RevId: 442688320
| Commit: | 8a24f20 | |
|---|---|---|
| Author: | Fabricio Voznika | |
| Committer: | gVisor bot | |
Use proto structs for seccheck points Given that in most cases points are serialized to another process, point data is now created diretly into protos. As part of this change, infrastructure to track optional and context fields was created to facilitate addition of lots of Points which is needed for upcomming of changes. Updates #4805 Currently the SST code is converting seccheck protos into SST protos in the sentry before sending it to the API. After this change, SST checker will be changed to send seccheck protos to the API and the API then converts these into SST on the way to pubsub. PiperOrigin-RevId: 442688320
| Commit: | 34ddcc0 | |
|---|---|---|
| Author: | Etienne Perot | |
| Committer: | gVisor bot | |
Implement distribution metrics in the Sentry, with arbitrary number of fields. Distribution metrics are well-suited for recording "events" and the time these events take, for performance measurements. They bucket durations in buckets, and keep track of the number of samples in each bucket. As this structure also inherently keeps track of the *total* number of samples, it can be used as a simple event counter as well, obviating the need for a counter metric next to it counting the same thing. In order to be compatible with the needs of the KVM platform to track events that happen where new memory allocations would not be possible, the code for adding a sample to a distribution is optimized to be fast and allocation-free. The tradeoff there mostly comes in the form of memory, such as requiring a weird new `fieldMapper` recursive struct that acts as a lookup table for the concatenated key containing the values of all the fields for which the sample is being recorded. Since we do not expect to deal with large number of field combinations, this should not be a problem. Another tradeoff this imposes is the lack of support for a generic `Bucketer` interface allowing users to define their own bucketing scheme, as we would not be able to enforce the lack of allocations in custom `Bucketer` implementations, nor enforce `+checkescape` on them. However, since in practice all bucketing implementations will probably reside in `metric.go`, this is worked around by just having the distribution metric code refer to `Bucketer` implementations as references and call them directly (without the interface indirection). Since there is only one implementation currently (`ExponentialBucketer`), this is faster than using the interface. PiperOrigin-RevId: 436614053
| Commit: | 1c9ce54 | |
|---|---|---|
| Author: | Etienne Perot | |
| Committer: | gVisor bot | |
Implement distribution metrics in the Sentry, with arbitrary number of fields. Distribution metrics are well-suited for recording "events" and the time these events take, for performance measurements. They bucket durations in buckets, and keep track of the number of samples in each bucket. As this structure also inherently keeps track of the *total* number of samples, it can be used as a simple event counter as well, obviating the need for a counter metric next to it counting the same thing. In order to be compatible with the needs of the KVM platform to track events that happen where new memory allocations would not be possible, the code for adding a sample to a distribution is optimized to be fast and allocation-free. The tradeoff there mostly comes in the form of memory, such as requiring a weird new `fieldMapper` recursive struct that acts as a lookup table for the concatenated key containing the values of all the fields for which the sample is being recorded. Since we do not expect to deal with large number of field combinations, this should not be a problem. Another tradeoff this imposes is the lack of support for a generic `Bucketer` interface allowing users to define their own bucketing scheme, as we would not be able to enforce the lack of allocations in custom `Bucketer` implementations, nor enforce `+checkescape` on them. However, since in practice all bucketing implementations will probably reside in `metric.go`, this is worked around by just having the distribution metric code refer to `Bucketer` implementations as references and call them directly (without the interface indirection). Since there is only one implementation currently (`ExponentialBucketer`), this is faster than using the interface. PiperOrigin-RevId: 436614053
| Commit: | 1cfca31 | |
|---|---|---|
| Author: | Fabricio Voznika | |
| Committer: | gVisor bot | |
Add support for containerd 1.5 "cri.runtimeoptions.v1" moved to "runtimeoptions.v1" and containerd configuration format version 2 is required. Updates #6449 PiperOrigin-RevId: 405474653
| Commit: | 9262ea4 | |
|---|---|---|
| Author: | Fabricio Voznika | |
| Committer: | gVisor bot | |
Add support for containerd 1.5 "cri.runtimeoptions.v1" moved to "runtimeoptions.v1" and containerd configuration format version 2 is required. Updates #6449 PiperOrigin-RevId: 405474653
| Commit: | 689c04f | |
|---|---|---|
| Author: | Chong Cai | |
| Committer: | gVisor bot | |
Add control configs Also plumber the controls through runsc PiperOrigin-RevId: 391594318
| Commit: | 75b5a4f | |
|---|---|---|
| Author: | Chong Cai | |
| Committer: | gVisor bot | |
Add control configs Also plumber the controls through runsc PiperOrigin-RevId: 391594318
| Commit: | 18f414c | |
|---|---|---|
| Author: | Chong Cai | |
| Committer: | gVisor bot | |
Add control configs PiperOrigin-RevId: 386340922
| Commit: | 9c35910 | |
|---|---|---|
| Author: | Nayana Bidari | |
| Committer: | gVisor bot | |
Add TimeToRecover metric to record time spent by the connection in recovery. - The new sentry metric will record the duration when the connection is in Fast/SACK recovery and RTO recovery. This metric will help us to compare between different loss recovery algorithms such as Reno, SACK and RACK. - Added a new field in the TCP sender to record the start time of recovery. - Made changes to create sentry metrics with Microseconds unit. PiperOrigin-RevId: 383539850
| Commit: | 3e5f614 | |
|---|---|---|
| Author: | Etienne Perot | |
| Committer: | gVisor bot | |
Sentry: Measure the time it takes to initialize the Sentry. PiperOrigin-RevId: 383472507
| Commit: | cd558fc | |
|---|---|---|
| Author: | Etienne Perot | |
| Committer: | gVisor bot | |
Sentry: Measure the time it takes to initialize the Sentry. PiperOrigin-RevId: 383472507
| Commit: | da87fae | |
|---|---|---|
| Author: | Nayana Bidari | |
| Committer: | gVisor bot | |
Add field support to the sentry metrics. Fields allow counter metrics to have multiple tabular values. At most one field is supported at the moment. PiperOrigin-RevId: 368767040
| Commit: | 14b7d77 | |
|---|---|---|
| Author: | Nayana Bidari | |
| Committer: | gVisor bot | |
Add field support to the sentry metrics. Fields allow counter metrics to have multiple tabular values. At most one field is supported at the moment. PiperOrigin-RevId: 368767040
| Commit: | 08f5188 | |
|---|---|---|
| Author: | Zeling Feng | |
| Committer: | gVisor bot | |
Packetimpact test for ACK to OTW Seq segments behavior in CLOSING TCP, in CLOSING state, MUST send an ACK with next expected SEQ number after receiving any segment with OTW SEQ number and remain in the same state. While I am here, I also changed shutdown to behave the same as other calls in posix_server. PiperOrigin-RevId: 362976955
| Commit: | 06b047a | |
|---|---|---|
| Author: | Zeling Feng | |
| Committer: | gVisor bot | |
Packetimpact test for ACK to OTW Seq segments behavior in CLOSING TCP, in CLOSING state, MUST send an ACK with next expected SEQ number after receiving any segment with OTW SEQ number and remain in the same state. While I am here, I also changed shutdown to behave the same as other calls in posix_server. PiperOrigin-RevId: 362976955
| Commit: | 3f7500f | |
|---|---|---|
| Author: | Zeling Feng | |
| Committer: | gVisor bot | |
Move SetNonblocking into posix_server - open flags can be different on different OSs, by putting SetNonblocking into the posix_server rather than the testbench, we can always get the right value for O_NONBLOCK - merged the tcp_queue_{send,receive}_in_syn_sent into a single file PiperOrigin-RevId: 359620630