gvisor/community

Ian Lewis

@ianlewis

@ZymoticB Both examples have a pause container, so you'll still need to delete the daemon set once the init containers have fully run :-/

Ian Lewis

@ianlewis

@jonfriesen emptyDir should be accessible if you mount it to multiple containers in a pod. I'm not sure what you mean by "overlay vfs2 runtime class". How do you have your runtime class set up?

Also, specifically, what sort of behavior are you seeing?

It may be that the overlay is created per container so any writes in one container won't show up in the other

MAHAK GUPTA

@mhk19

Hello! I am Mahak, a BTech CSE sophomore from IIT Roorkee. I am a full-stack web developer and open source enthusiast. I am participating in GSoC 2021 and looking forward to working with you all.

Ian Lewis

@ianlewis

@mhk19 Welcome!

gdsoumya

@gdsoumya:matrix.org

Hi everyone, I am GD Soumya a final year CS undergrad student. I was going through the GSoC 2021 proposed projects and started looking into this issue google/gvisor#140. I left a comment there, would be great if someone can tell me if I am going in the right direction.

Harshit Verma

@hv7214

Hello, the community! I'm Harshit Verma. I had participated in GSoC'20, where I worked on a C++ project under SCoReLab, and this summer I'm looking forward to work on this incredible project.

Bhasker Hariharan

@hbhasker

welcome soumyam/harshi and mahak

Rahat Mahmood

@mrahatm

Hey @mhk19 @gdsoumya:matrix.org and @hv7214, welcome to gvisor! We're currently in the application phase for GSoC. Before you submit your proposals to GSoC, we should chat about what projects you're interested in and how it would fit within the scope of GSoC. I'm happy to answer questions and work through ideas! I'll follow up with each of you separately.

Vishwas Puri

@vishwaspuri

Hello everyone, I am Vishwas, a third-year undergrad at BITS Pilani. I was looking through organizations for GSOC 2021 and found gVisor to be incredibly interesting. I'm skilled at server-side development and am looking forward to working on this project.

Rahat Mahmood

@mrahatm

Hey Vishwas, welcome! I'll follow up with you about GSoC

Akhil Nair

@Jedi18

Hi everyone! I'm Akhil, looking to participate in GSoC 2021 this year. gVisor looks very interesting and I'm really looking forward to contributing! Could someone give me a few pointers on how I can get started and start contributing?

anti_neutron(Neeraj)

@anti_neutron:matrix.org

Hi everyone! I'm Neeraj, a final-year undergrad at BITS-Pilani, India. I'm interested to contribute to gVisor for GSOC 2021. Can someone please guide me on how to begin?

Rahat Mahmood

@mrahatm

Hey Akhil and Neeraj, I'll follow up with your about GSoC

Robin Luk

@lubinsz

Welcome

Skallwar

@skallwar:matrix.org

Hi everyone! My name is Esteban, I’m in the 4th year of my CS degree in France. I’m interested in the subject "Implement io_uring"

Vũ Hải Lâm

@VUHAILAM

Hi everyone!! My name is Vu Hai Lam. I'm interested in the subject "Implement fanotify". I'm last year student and have some experience with Go. Could someone guide us on how to start and contribute!! Thanks!!

Rahat Mahmood

@mrahatm

Hey Esteban and Vu, I'll message you about GSoC

MaxLiu

@LiuHaolan

Hi everyone! My name is Haolan, a PhD student in UCSD. I am interested in the project "io_uring" in the idea page. I have some experience in Go, system programming and kernel hacking. Could someone guide me on how to start? Hopefully it's not too late.

R-Niagra

@R-Niagra

Hi guys! I am Rizwan. I'm joining University of Arizona for MS in CS this fall. I have worked on the security aspect of Docker and kubernetes. I also have good experience in Golang. Looking forward to some guidelines to get started.

Naman Arora

@ArorAnam

Hi, I am Naman. I'm currently a final year CE student at TCD, Ireland. I am interested in the project "Implement message queues". I wanted to know how to get started with it? If there are any good first issues also ?

Oguz

@ozsaygin_gitlab

Hello everyone, I'm Oguz from Turkey. I am Master student in CS. I have some experience with Go and Linux. I am interested in gvisor project and its Implement the setns syscall task, however ready to go through other task options though. If it's not too late, I would like to discuss project specifications.

Rahat Mahmood

@mrahatm

Hey everyone, I'll follow up with you individually about GSoC

KhaledEmaraDev

@KhaledEmaraDev

Hi, I'm Khaled from Egypt, a Computer Engineering Student at Ain Shams University. I'm interested in completing the first stage of the io_uring interface. I've used it before in userland and I have some experience working with filesystems in kernels.

siddhant gupta

@siddhant1223

Hi, I am siddhant gupta from India. I'm currently pursuing masters in ICT From DAIICT gandhinagar. I've a great experience in working with linux and am proficient in C language. I wanted to contribute to Gvisor with the project of implementation of setns syscall and fanotify, can anyone share some breif description and a process to get started with this?

Skallwar (Esteban Blanc)

@skallwar:matrix.org

Hi guys ! It's seems that gopls does not support bazel based project (golang/go#37205) and (https://github.com/bazelbuild/rules_go/issues/512). What tools are you using for navigating the codebase ?

prattmic

@prattmic:matrix.org

Skallwar (Esteban Blanc): personally I tend to browse on https://cs.opensource.google/gvisor/gvisor. I'm not sure about others.

3 replies

If you are on the go branch, the repo will be go toolchain compatible and thus should work with gopls. However, contributions need to be on the master branch, so it is probably not a friendly workflow to try to develop on the go branch and then migrate changes to master.

Skallwar (Esteban Blanc)

@skallwar:matrix.org

Yeah I think the go branch is not ideal. Online sources works but I like LSP features like find references

prattmic

@prattmic:matrix.org

On further thought, we also have bazel build //:gopath, which will create a GOPATH-style tree in bazel-bin/gopath made of symlinks back to the original files. If you point gopls at that, it may work OK?

5 replies

Note that the site above does do cross-references (and much better than GitHub cross-references!). But it isn't in your text editor, which I know can be a path.

1 reply

s/path/pain

Skallwar (Esteban Blanc)

@skallwar:matrix.org

It's working but not everywhere for some reason. Sometime I can jump to definitions, sometimes I can't. Weird

prattmic

@prattmic:matrix.org

Odd, that should work. I'll see if I can figure out what's up

Skallwar (Esteban Blanc)

@skallwar:matrix.org

Fun fact: I can get my vim setup to jump to Read from pkg/sentry/syscalls/linux/linux64.go but I can't jump to AccountReadSyscall neither

prattmic

@prattmic:matrix.org

Most cross-package references seem to be broken at the moment :(

Skallwar (Esteban Blanc)

@skallwar:matrix.org

Ok. As I am discovering the codebase, it's quite hard ^^

prattmic

@prattmic:matrix.org

Update: we're still working on getting the cs.opensource.google xrefs working again (several internal bugs), but as it happens it looks like there is really promising progress on bazel+gopls support: bazelbuild/rules_go#2858

Skallwar (Esteban Blanc)

@skallwar:matrix.org

Oh that's neat! I will follow that

Nitin

@i-Pix

Hi, My name is Nitin Kumar. CSE undergrad from Indian Institute of Information Technology Kurnool. I am a sophomore.

Skallwar (Esteban Blanc)

@skallwar:matrix.org

Awesome 😎

Rahat Mahmood

@mrahatm

Hey everyone, PSA for GSoC. The deadline for project proposals is tomorrow morning at 11:00 AM PDT. Thank you to those who submitted a draft early, hopefully you got some useful feedback. If you're still working on your proposal, be sure to upload a final version to GSoC before the deadline. GSoC will not extend the deadline for any reason, and a draft proposal is an automatic rejection from the system.

If we've spoken about a specific project, I've also messaged you directly

Pavel Sviderski

@psviderski

Hi, I'm considering using gVisor with Docker on AWS ECS for sandboxing third-party tools (ImageMagick, ffmpeg, etc.) to process untrusted user media. To protect the sandbox from accessing the private network access, I would like to disable networking with --network none. To not start a new container on each tool execution and improve performance, there is an idea of running the sandbox sidecar container permanently with a tiny RPC service that exposes API to run commands in sandbox. The only IPC mechanism to communicate with a process in a gVisor container I can think about in this case is a unix socket shared from the app container/host. It will allow establishing connections from the sandbox to the host but I need the opposite direction (send RPC requests to sandbox). It sounds like I need some sort of reverse tunnelling through the unix socket. And I even managed to run a PoC with socat:

// App container: requests to 127.0.0.1:9042 proxied to 127.0.0.1:8042 in sandbox
socat UNIX-LISTEN:/share/sandbox.sock TCP4-LISTEN:9042,reuseaddr,fork
// Sandbox sidecar: tiny RPC is running on 127.0.0.1:8042
socat UNIX-CONNECT:/share/sandbox.sock TCP4:127.0.0.1:8042

However this only works one request at a time. When I start sending a few requests per second, they start to hang. It seems that socat does not properly multiplex multiple streams through a single connection.

Am I doing it wrong or missing something, are there any other IPC mechanisms to communicate with gVisor sandboxes except networking?

Bhasker Hariharan

@hbhasker

@psviderski I am not that familiar with socat and support for multiple streams but could your RPC server just listen directly on the Unix domain socket instead of a TCP port. On the host you can write a small utility to accept TCP connections and connect to the UDS and just avoid socat altogether.

Pavel Sviderski

@psviderski

@hbhasker Ah yeah, the server in a sandbox can listen on a Unix socket directly but the problem is that I couldn't manage to share a sandbox internal unix socket with another non-sandbox container or host through a shared volume. I thought this is a limitation of the overlay fs.
I've found a message from @prattmic above

@TomasTurina do you want to bind sandbox-internal UDS, or host UDS accessible from outside the sandbox?
The former is definitely possible on internal tmpfs, and I thought we had a overlay to allow this on other filesystems, but that may not be enabled by default.
The latter we don't allow to help reduce attack surface on the host. With --fsgofer-host-uds, we do allow connecting to a host UDS, which you could set up from outside the sandbox. See gvisor.dev/issue/235

@prattmic should a sandbox-internal UDS socket bound on a shared data volume be accessible from outside the sandbox? I tested that with netcat with no luck (the listening part in the sandbox does not respond to connections). Is there any workaround for that?

Pavel Sviderski

@psviderski

To clarify I do not enable --overlay for runsc and use its default behaviour without any extra runtimeArgs.

Pavel Sviderski

@psviderski

Sandbox container:

docker run -it --runtime=runsc --rm -v sandbox-share:/share ubuntu bash
nc -U -l /share/sandbox.sock

Regular container:

docker run -it --rm -v sandbox-share:/share --network none ubuntu bash

root@888dd3208b8f:/# ls -la /share/
drwxrwxrwx 2 root root 26 Apr 19 02:10 .
drwxr-xr-x 1 root root 19 Apr 19 02:10 ..
-r-------- 1 root root  0 Apr 19 02:10 sandbox.sock        <-------- NOTE: There is no 's' bit telling this is a Unix domain socket

root@888dd3208b8f:/# nc -U /share/sandbox.sock
nc: unix connect failed: Connection refused
nc: /share/sandbox.sock: Connection refused

When the sandbox container is launched like a normal container without --runtime=runsc the shared /share/sandbox.sock outside the sandbox looks differently, note there is s bit

root@32e9777384d6:/# ls -l /share/
srwxr-xr-x 1 root root 0 Apr 19 02:12 sandbox.sock

prattmic

@prattmic:matrix.org

@psviderski: No, we don't allow binding a socket from within the sandbox and making it accessible outside the sandbox. Though per the message you quoted, it is possible to do the opposite: bind outside and connect inside.