    Ian Lewis
    @ianlewis
    @ZymoticB Both examples have a pause container, so you'll still need to delete the daemon set once the init containers have fully run :-/
    Ian Lewis
    @ianlewis
    @jonfriesen emptyDir should be accessible if you mount it to multiple containers in a pod. I'm not sure what you mean by "overlay vfs2 runtime class". How do you have your runtime class set up?
    Also, specifically, what sort of behavior are you seeing?
    It may be that the overlay is created per container so any writes in one container won't show up in the other
    MAHAK GUPTA
    @mhk19
    Hello! I am Mahak, a BTech CSE sophomore from IIT Roorkee. I am a full-stack web developer and open source enthusiast. I am participating in GSoC 2021 and looking forward to working with you all.
    Ian Lewis
    @ianlewis
    @mhk19 Welcome!
    gdsoumya
    @gdsoumya:matrix.org
    [m]
    Hi everyone, I am GD Soumya a final year CS undergrad student. I was going through the GSoC 2021 proposed projects and started looking into this issue google/gvisor#140. I left a comment there, would be great if someone can tell me if I am going in the right direction.
    Harshit Verma
    @hv7214
    Hello, the community! I'm Harshit Verma. I had participated in GSoC'20, where I worked on a C++ project under SCoReLab, and this summer I'm looking forward to working on this incredible project.
    Bhasker Hariharan
    @hbhasker
    welcome soumyam/harshi and mahak
    Rahat Mahmood
    @mrahatm
    Hey @mhk19 @gdsoumya:matrix.org and @hv7214, welcome to gvisor! We're currently in the application phase for GSoC. Before you submit your proposals to GSoC, we should chat about what projects you're interested in and how it would fit within the scope of GSoC. I'm happy to answer questions and work through ideas! I'll follow up with each of you separately.
    Vishwas Puri
    @vishwaspuri
    Hello everyone, I am Vishwas, a third-year undergrad at BITS Pilani. I was looking through organizations for GSOC 2021 and found gVisor to be incredibly interesting. I'm skilled at server-side development and am looking forward to working on this project.
    Rahat Mahmood
    @mrahatm
    Hey Vishwas, welcome! I'll follow up with you about GSoC
    Akhil Nair
    @Jedi18
    Hi everyone! I'm Akhil, looking to participate in GSoC 2021 this year. gVisor looks very interesting and I'm really looking forward to contributing! Could someone give me a few pointers on how I can get started and start contributing?
    anti_neutron(Neeraj)
    @anti_neutron:matrix.org
    [m]
    Hi everyone! I'm Neeraj, a final-year undergrad at BITS-Pilani, India. I'm interested to contribute to gVisor for GSOC 2021. Can someone please guide me on how to begin?
    Rahat Mahmood
    @mrahatm
    Hey Akhil and Neeraj, I'll follow up with you about GSoC
    Robin Luk
    @lubinsz
    Welcome
    Skallwar
    @skallwar:matrix.org
    [m]
    Hi everyone! My name is Esteban, I’m in the 4th year of my CS degree in France. I’m interested in the subject "Implement io_uring"
    Vũ Hải Lâm
    @VUHAILAM
    Hi everyone!! My name is Vu Hai Lam. I'm interested in the subject "Implement fanotify". I'm a last-year student and have some experience with Go. Could someone guide us on how to start and contribute!! Thanks!!
    Rahat Mahmood
    @mrahatm
    Hey Esteban and Vu, I'll message you about GSoC
    MaxLiu
    @LiuHaolan
    Hi everyone! My name is Haolan, a PhD student at UCSD. I am interested in the project "io_uring" on the ideas page. I have some experience in Go, system programming and kernel hacking. Could someone guide me on how to start? Hopefully it's not too late.
    R-Niagra
    @R-Niagra
    Hi guys! I am Rizwan. I'm joining University of Arizona for MS in CS this fall. I have worked on the security aspect of Docker and kubernetes. I also have good experience in Golang. Looking forward to some guidelines to get started.
    Naman Arora
    @ArorAnam
    Hi, I am Naman. I'm currently a final year CE student at TCD, Ireland. I am interested in the project "Implement message queues". I wanted to know how to get started with it? Are there any good first issues as well?
    Oguz
    @ozsaygin_gitlab
    Hello everyone, I'm Oguz from Turkey. I am a Master's student in CS. I have some experience with Go and Linux. I am interested in the gvisor project and its "Implement the setns syscall" task, however I'm ready to go through other task options too. If it's not too late, I would like to discuss project specifications.
    Rahat Mahmood
    @mrahatm
    Hey everyone, I'll follow up with you individually about GSoC
    KhaledEmaraDev
    @KhaledEmaraDev
    Hi, I'm Khaled from Egypt, a Computer Engineering Student at Ain Shams University. I'm interested in completing the first stage of the io_uring interface. I've used it before in userland and I have some experience working with filesystems in kernels.
    siddhant gupta
    @siddhant1223
    Hi, I am siddhant gupta from India. I'm currently pursuing a masters in ICT from DAIICT Gandhinagar. I have great experience in working with Linux and am proficient in the C language. I wanted to contribute to gVisor with the project of implementation of the setns syscall and fanotify; can anyone share a brief description and a process to get started with this?
    Skallwar (Esteban Blanc)
    @skallwar:matrix.org
    [m]
    Hi guys! It seems that gopls does not support bazel based projects (golang/go#37205) and (https://github.com/bazelbuild/rules_go/issues/512). What tools are you using for navigating the codebase?
    prattmic
    @prattmic:matrix.org
    [m]
    Skallwar (Esteban Blanc): personally I tend to browse on https://cs.opensource.google/gvisor/gvisor. I'm not sure about others.
    If you are on the go branch, the repo will be go toolchain compatible and thus should work with gopls. However, contributions need to be on the master branch, so it is probably not a friendly workflow to try to develop on the go branch and then migrate changes to master.
    Skallwar (Esteban Blanc)
    @skallwar:matrix.org
    [m]
    Yeah I think the go branch is not ideal. Online sources work but I like LSP features like find references
    prattmic
    @prattmic:matrix.org
    [m]
    On further thought, we also have bazel build //:gopath, which will create a GOPATH-style tree in bazel-bin/gopath made of symlinks back to the original files. If you point gopls at that, it may work OK?
    Note that the site above does do cross-references (and much better than GitHub cross-references!). But it isn't in your text editor, which I know can be a path.
    s/path/pain
    Skallwar (Esteban Blanc)
    @skallwar:matrix.org
    [m]
    It's working but not everywhere for some reason. Sometimes I can jump to definitions, sometimes I can't. Weird
    prattmic
    @prattmic:matrix.org
    [m]
    Odd, that should work. I'll see if I can figure out what's up
    Skallwar (Esteban Blanc)
    @skallwar:matrix.org
    [m]
    Fun fact: I can get my vim setup to jump to Read from pkg/sentry/syscalls/linux/linux64.go but I can't jump to AccountReadSyscall either
    prattmic
    @prattmic:matrix.org
    [m]
    Most cross-package references seem to be broken at the moment :(
    Skallwar (Esteban Blanc)
    @skallwar:matrix.org
    [m]
    Ok. As I am discovering the codebase, it's quite hard ^^
    prattmic
    @prattmic:matrix.org
    [m]
    Update: we're still working on getting the cs.opensource.google xrefs working again (several internal bugs), but as it happens it looks like there is really promising progress on bazel+gopls support: bazelbuild/rules_go#2858
    Skallwar (Esteban Blanc)
    @skallwar:matrix.org
    [m]
    Oh that's neat! I will follow that
    Nitin
    @i-Pix
    Hi, my name is Nitin Kumar. CSE undergrad from Indian Institute of Information Technology Kurnool. I am a sophomore.
    Skallwar (Esteban Blanc)
    @skallwar:matrix.org
    [m]
    Awesome 😎
    Rahat Mahmood
    @mrahatm
    Hey everyone, PSA for GSoC. The deadline for project proposals is tomorrow morning at 11:00 AM PDT. Thank you to those who submitted a draft early, hopefully you got some useful feedback. If you're still working on your proposal, be sure to upload a final version to GSoC before the deadline. GSoC will not extend the deadline for any reason, and a draft proposal is an automatic rejection from the system.
    If we've spoken about a specific project, I've also messaged you directly
    Pavel Sviderski
    @psviderski

    Hi, I'm considering using gVisor with Docker on AWS ECS for sandboxing third-party tools (ImageMagick, ffmpeg, etc.) to process untrusted user media. To prevent the sandbox from accessing the private network, I would like to disable networking with --network none. To avoid starting a new container on each tool execution and to improve performance, there is an idea of running the sandbox sidecar container permanently with a tiny RPC service that exposes an API to run commands in the sandbox. The only IPC mechanism to communicate with a process in a gVisor container I can think of in this case is a unix socket shared from the app container/host. It will allow establishing connections from the sandbox to the host but I need the opposite direction (send RPC requests to the sandbox). It sounds like I need some sort of reverse tunnelling through the unix socket. And I even managed to run a PoC with socat:

    # App container: requests to 127.0.0.1:9042 proxied to 127.0.0.1:8042 in sandbox
    socat UNIX-LISTEN:/share/sandbox.sock TCP4-LISTEN:9042,reuseaddr,fork
    # Sandbox sidecar: tiny RPC is running on 127.0.0.1:8042
    socat UNIX-CONNECT:/share/sandbox.sock TCP4:127.0.0.1:8042

    However this only works one request at a time. When I start sending a few requests per second, they start to hang. It seems that socat does not properly multiplex multiple streams through a single connection.

    Am I doing it wrong or missing something, are there any other IPC mechanisms to communicate with gVisor sandboxes except networking?

    Bhasker Hariharan
    @hbhasker
    @psviderski I am not that familiar with socat and support for multiple streams, but could your RPC server just listen directly on the Unix domain socket instead of a TCP port? On the host you can write a small utility to accept TCP connections and connect to the UDS and just avoid socat altogether.
    Pavel Sviderski
    @psviderski

    @hbhasker Ah yeah, the server in a sandbox can listen on a Unix socket directly but the problem is that I couldn't manage to share a sandbox-internal unix socket with another non-sandbox container or the host through a shared volume. I thought this was a limitation of the overlay fs.
    I've found a message from @prattmic above

    @TomasTurina do you want to bind sandbox-internal UDS, or host UDS accessible from outside the sandbox?
    The former is definitely possible on internal tmpfs, and I thought we had a overlay to allow this on other filesystems, but that may not be enabled by default.
    The latter we don't allow to help reduce attack surface on the host. With --fsgofer-host-uds, we do allow connecting to a host UDS, which you could set up from outside the sandbox. See gvisor.dev/issue/235

    @prattmic should a sandbox-internal UDS socket bound on a shared data volume be accessible from outside the sandbox? I tested that with netcat with no luck (the listening part in the sandbox does not respond to connections). Is there any workaround for that?

    Pavel Sviderski
    @psviderski
    To clarify I do not enable --overlay for runsc and use its default behaviour without any extra runtimeArgs.
    Pavel Sviderski
    @psviderski

    Sandbox container:

    docker run -it --runtime=runsc --rm -v sandbox-share:/share ubuntu bash
    nc -U -l /share/sandbox.sock

    Regular container:

    docker run -it --rm -v sandbox-share:/share --network none ubuntu bash
    
    root@888dd3208b8f:/# ls -la /share/
    drwxrwxrwx 2 root root 26 Apr 19 02:10 .
    drwxr-xr-x 1 root root 19 Apr 19 02:10 ..
    -r-------- 1 root root  0 Apr 19 02:10 sandbox.sock        <-------- NOTE: There is no 's' bit telling this is a Unix domain socket
    
    root@888dd3208b8f:/# nc -U /share/sandbox.sock
    nc: unix connect failed: Connection refused
    nc: /share/sandbox.sock: Connection refused

    When the sandbox container is launched like a normal container without --runtime=runsc, the shared /share/sandbox.sock outside the sandbox looks different; note there is an 's' bit:

    root@32e9777384d6:/# ls -l /share/
    srwxr-xr-x 1 root root 0 Apr 19 02:12 sandbox.sock
    prattmic
    @prattmic:matrix.org
    [m]
    @psviderski: No, we don't allow binding a socket from within the sandbox and making it accessible outside the sandbox. Though per the message you quoted, it is possible to do the opposite: bind outside and connect inside.