refactor
PiperOrigin-RevId: 715454790
nybidari authored and gvisor-bot committed Jan 16, 2025
1 parent 25b1d71 commit 9b6963f
Showing 12 changed files with 124 additions and 107 deletions.
8 changes: 0 additions & 8 deletions pkg/sentry/inet/inet.go
Expand Up @@ -100,14 +100,6 @@ type Stack interface {
// Restore restarts the network stack after restore.
Restore()

// ReplaceConfig replaces the new network stack configuration to the
// loaded or saved network stack after restore.
// TODO(b/379115439): This method is a workaround to update netstack config
// during restore. It should be removed after a new method is added to
// extract the complete config from the spec and update it in the loaded
// stack during restore.
ReplaceConfig(st Stack)

// Destroy the network stack.
Destroy()

8 changes: 0 additions & 8 deletions pkg/sentry/kernel/kernel.go
Expand Up @@ -836,14 +836,6 @@ func (k *Kernel) LoadFrom(ctx context.Context, r, pagesMetadata io.Reader, pages

if saveRestoreNet {
log.Infof("netstack save restore is enabled")
s := k.rootNetworkNamespace.Stack()
if s == nil {
panic("inet.Stack cannot be nil when netstack s/r is enabled")
}
if net != nil {
s.ReplaceConfig(net)
}
s.Restore()
} else if net != nil {
net.Restore()
}
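Review bot: After this hunk the `saveRestoreNet` branch of LoadFrom only emits a log line, and a reader can no longer tell where the loaded network stack is restarted; the call moved to the restorer in runsc/boot/restore.go (another hunk of this commit), so that should be stated here, e.g. `// The loaded netstack is restarted by the restorer once its links and routes are recreated; see runsc/boot/restore.go.`. The removed nil-stack panic has no equivalent at the new call site, where a nil or non-netstack stack silently skips the restore; if that is intended for hostinet it is worth saying in the same comment. LoadFrom begins and ends outside the hunk.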
3 changes: 0 additions & 3 deletions pkg/sentry/socket/hostinet/stack.go
Expand Up @@ -398,9 +398,6 @@ func (*Stack) Pause() {}
// Restore implements inet.Stack.Restore.
func (*Stack) Restore() {}

// ReplaceConfig implements inet.Stack.ReplaceConfig.
func (s *Stack) ReplaceConfig(_ inet.Stack) {}

// Resume implements inet.Stack.Resume.
func (*Stack) Resume() {}

12 changes: 3 additions & 9 deletions pkg/sentry/socket/netstack/stack.go
Expand Up @@ -23,6 +23,7 @@ import (
"gvisor.dev/gvisor/pkg/log"
"gvisor.dev/gvisor/pkg/refs"
"gvisor.dev/gvisor/pkg/sentry/inet"
"gvisor.dev/gvisor/pkg/sentry/socket/netfilter"
"gvisor.dev/gvisor/pkg/sentry/socket/netlink/nlmsg"
"gvisor.dev/gvisor/pkg/syserr"
"gvisor.dev/gvisor/pkg/tcpip"
Expand Down Expand Up @@ -922,15 +923,8 @@ func (s *Stack) Pause() {

// Restore implements inet.Stack.Restore.
func (s *Stack) Restore() {
s.Stack.Restore()
}

// ReplaceConfig implements inet.Stack.ReplaceConfig.
func (s *Stack) ReplaceConfig(st inet.Stack) {
if _, ok := st.(*Stack); !ok {
panic("netstack.Stack cannot be nil when netstack s/r is enabled")
}
s.Stack.ReplaceConfig(st.(*Stack).Stack)
defaultIPTables := netfilter.DefaultLinuxTables
s.Stack.Restore(defaultIPTables)
}

// Resume implements inet.Stack.Resume.
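Review bot: `Restore` now hands `netfilter.DefaultLinuxTables` to the tcpip stack, which assigns it to `s.tables` (pkg/tcpip/stack/stack.go in this commit), so any iptables rules in effect at checkpoint time are replaced by the defaults after restore unless something re-applies them later; the removed ReplaceConfig instead copied `st.tables` from the freshly configured stack. For a commit titled "refactor" that is a security-relevant change in firewall state and should be documented on the method, e.g. `// Restore restarts the loaded stack with the default Linux iptables; rules from the checkpoint are not carried over.`. The `defaultIPTables` local adds nothing and the body can be `s.Stack.Restore(netfilter.DefaultLinuxTables)`.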
4 changes: 4 additions & 0 deletions pkg/tcpip/stack/save_restore.go
Expand Up @@ -20,10 +20,14 @@ import (
"time"

cryptorand "gvisor.dev/gvisor/pkg/rand"
"gvisor.dev/gvisor/pkg/tcpip"
)

// afterLoad is invoked by stateify.
func (s *Stack) afterLoad(context.Context) {
s.insecureRNG = rand.New(rand.NewSource(time.Now().UnixNano()))
s.secureRNG = cryptorand.RNGFrom(cryptorand.Reader)
s.mu.Lock()
s.nics = make(map[tcpip.NICID]*nic)
s.mu.Unlock()
}
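Review bot: `afterLoad` now discards the NIC map that stateify just deserialized (`s.nics = make(map[tcpip.NICID]*nic)`) with no comment, so a reader cannot tell whether those NICs are recreated later, leaked, or were never meant to survive the load. Add a why-comment above the lock, e.g. `// Drop the NICs loaded from the checkpoint: restore recreates them via CreateLinksAndRoutes, and the loaded *nic values presumably still reference the pre-save stack.` — adjust if the recreation happens elsewhere. Any NIC-indexed state that does survive the load (routes, the next NIC id, per-NIC endpoints) should be checked for references to the discarded entries, which the hunk does not show.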
34 changes: 3 additions & 31 deletions pkg/tcpip/stack/stack.go
Expand Up @@ -1966,45 +1966,17 @@ func (s *Stack) Pause() {
}
}

func (s *Stack) getNICs() map[tcpip.NICID]*nic {
s.mu.RLock()
defer s.mu.RUnlock()

nics := s.nics
return nics
}

// ReplaceConfig replaces config in the loaded stack.
func (s *Stack) ReplaceConfig(st *Stack) {
if st == nil {
panic("stack.Stack cannot be nil when netstack s/r is enabled")
}

// Update route table.
s.SetRouteTable(st.GetRouteTable())

// Update NICs.
nics := st.getNICs()
s.mu.Lock()
defer s.mu.Unlock()
s.nics = make(map[tcpip.NICID]*nic)
for id, nic := range nics {
nic.stack = s
s.nics[id] = nic
_ = s.NextNICID()
}
s.tables = st.tables
}

// Restore restarts the stack after a restore. This must be called after the
// entire system has been restored.
func (s *Stack) Restore() {
func (s *Stack) Restore(defaultIPTables func(clock tcpip.Clock, rand *rand.Rand) *IPTables) {
// RestoredEndpoint.Restore() may call other methods on s, so we can't hold
// s.mu while restoring the endpoints.
s.mu.Lock()
eps := s.restoredEndpoints
s.restoredEndpoints = nil
saveRestoreEnabled := s.saveRestoreEnabled
s.icmpRateLimiter = NewICMPRateLimiter(s.clock)
s.tables = defaultIPTables(s.clock, s.insecureRNG)
s.mu.Unlock()
for _, e := range eps {
e.Restore(s)
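Review bot: The doc comment on `Restore` was not updated for the new `defaultIPTables` parameter and does not say that `s.tables = defaultIPTables(s.clock, s.insecureRNG)` overwrites whatever tables were loaded from the checkpoint. Suggest adding to the comment: `// defaultIPTables builds the IPTables installed in the restored stack; tables carried over from the checkpoint are discarded. It must not be nil.`. The function-type parameter named `rand` reuses the `rand` package name in the same signature; `rng *rand.Rand` reads more clearly. Restore's body continues past the hunk.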
9 changes: 9 additions & 0 deletions runsc/boot/controller.go
Expand Up @@ -120,6 +120,10 @@ const (

// ContMgrContainerRuntimeState returns the runtime state of a container.
ContMgrContainerRuntimeState = "containerManager.ContainerRuntimeState"

// ContMgrStoreNetworkArgs stores the network config which are required
// during restore in the loader.
ContMgrStoreNetworkArgs = "containerManager.StoreNetworkArgs"
)

const (
Expand Down Expand Up @@ -943,3 +947,8 @@ func (cm *containerManager) ContainerRuntimeState(cid *string, state *ContainerR
*state = cm.l.containerRuntimeState(*cid)
return nil
}

func (cm *containerManager) StoreNetworkArgs(args *CreateLinksAndRoutesArgs, _ *struct{}) error {
cm.l.networkArgs = args
return nil
}
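Review bot: `StoreNetworkArgs` is an exported RPC handler with no doc comment, and it stores the caller-supplied pointer without rejecting nil or guarding against a call that arrives after the restorer has already consumed `l.networkArgs`. Suggest `// StoreNetworkArgs records the network configuration the restorer applies to the loaded netstack; it must be called before the restore is started.` plus `if args == nil { return errors.New("StoreNetworkArgs: nil args") }`. The ordering constraint is inferred from runsc/boot/restore.go in this commit, so adjust it if a later call is legitimate; whether the write needs `cm.l.mu` cannot be told from the hunk, while the reader in restore.go runs after `l.mu` is released.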
3 changes: 3 additions & 0 deletions runsc/boot/loader.go
Expand Up @@ -255,6 +255,9 @@ type Loader struct {
// saveRestoreNet indicates if the saved network stack should be used
// during restore.
saveRestoreNet bool

// networkArgs contains the network configuration required during restore.
networkArgs *CreateLinksAndRoutesArgs
}

// execID uniquely identifies a sentry process that is executed in a container.
12 changes: 12 additions & 0 deletions runsc/boot/restore.go
Expand Up @@ -714,6 +714,18 @@ func (r *restorer) restore(l *Loader, unsafeSkipRestoreSpecValidation bool) erro
// Release `l.mu` before calling into callbacks.
cu.Clean()

if eps, ok := l.k.RootNetworkNamespace().Stack().(*netstack.Stack); ok {
n := &Network{
Stack: eps.Stack,
Kernel: l.k,
}
if err := n.CreateLinksAndRoutes(l.networkArgs, nil); err != nil {
return fmt.Errorf("restore network error: %w", err)
}
log.Infof("network Args: %+v", l.networkArgs)
l.k.RootNetworkNamespace().Stack().Restore()
}

// r.restoreDone() signals and waits for the sandbox to start.
if err := r.restoreDone(); err != nil {
return fmt.Errorf("restorer.restoreDone callback failed: %w", err)
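Review bot: `CreateLinksAndRoutes` is called with `l.networkArgs` unguarded, so if the `StoreNetworkArgs` RPC was never issued (for example when netstack save/restore is not in use) the restorer passes a nil config and the outcome depends on how CreateLinksAndRoutes treats nil, which the hunk does not show. Either fail explicitly or skip the block, e.g. `if l.networkArgs == nil { return fmt.Errorf("restore network: no network args stored before restore") }`, whichever matches the intended contract. The `log.Infof("network Args: %+v", l.networkArgs)` dump of the whole configuration after the work is done reads like leftover debugging; if it is wanted, log it before the call and consider a lower level. `Stack()` is also evaluated twice where one lookup would do. restore's body begins and ends outside the hunk.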
2 changes: 1 addition & 1 deletion runsc/config/flags.go
Expand Up @@ -162,7 +162,7 @@ func RegisterFlags(flagSet *flag.FlagSet) {
flagSet.Bool("TESTONLY-afs-syscall-panic", false, "TEST ONLY; do not ever use! Used for tests exercising gVisor panic reporting.")
flagSet.String("TESTONLY-autosave-image-path", "", "TEST ONLY; enable auto save for syscall tests and set path for state file.")
flagSet.Bool("TESTONLY-autosave-resume", false, "TEST ONLY; enable auto save and resume for syscall tests and set path for state file.")
flagSet.Bool("TESTONLY-save-restore-netstack", false, "TEST ONLY; enable save/restore for netstack.")
flagSet.Bool("TESTONLY-save-restore-netstack", true, "TEST ONLY; enable save/restore for netstack.")
}

// overrideAllowlist lists all flags that can be changed using OCI
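Review bot: The default of `TESTONLY-save-restore-netstack` flips from false to true, which changes what every test run exercises and is not mentioned in the commit description titled "refactor". If that is intended, reflect it in the help text, e.g. `"TEST ONLY; enable save/restore for netstack (on by default)."`; otherwise keep the default at false and enable it per test.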