Comments (3)
This must have been broken by cf9d55b. validateOpenFDs() is a security check that happens right before the application starts, which checks that the sandbox process does not have any open directory FDs. This is to prevent leaking directory FDs to the sandbox, because with directfs the sandbox has access to the openat(2) syscall and we don't want a compromised sandbox to be able to walk these directories.
Notes:
prepareMounts() initializes the gofer connection (lines 750 to 756 in 2d90b66). It is called after seccomp filters are installed in the normal case (via runsc start), but it is called before seccomp filters are initialized in the restore case. When the connection is initialized, it donates a directory FD to the sandbox to use. This is what validateOpenFDs() is complaining about.
from gvisor.
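The directory-FD check described in the comment above, as an added Go example that is not gVisor's code: it assumes Linux (it scans /proc/self/fd) and reimplements the idea behind validateOpenFDs() under the hypothetical names openDirFDs() and validateOpenFDs(), so the leak the comment describes (a donated directory FD still open when the application starts) is caught.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"syscall"
)

// openDirFDs lists every open file descriptor of this process that refers to a
// directory, by scanning /proc/self/fd and fstat()ing each entry. Hypothetical
// reimplementation of the check validateOpenFDs() performs, not gVisor's code.
func openDirFDs() ([]int, error) {
	dir, err := os.Open("/proc/self/fd")
	if err != nil {
		return nil, err
	}
	defer dir.Close()
	names, err := dir.Readdirnames(-1)
	if err != nil {
		return nil, err
	}
	var dirs []int
	for _, name := range names {
		fd, err := strconv.Atoi(name)
		if err != nil || fd == int(dir.Fd()) {
			continue // non-numeric entry, or the handle used for this scan
		}
		var st syscall.Stat_t
		if err := syscall.Fstat(fd, &st); err != nil {
			continue // closed between listing and fstat
		}
		if st.Mode&syscall.S_IFMT == syscall.S_IFDIR {
			dirs = append(dirs, fd)
		}
	}
	return dirs, nil
}

// validateOpenFDs fails when any directory FD is open: with directfs such an
// FD would let the sandboxed workload reach the host directory via openat(2).
func validateOpenFDs() error {
	if dirs, err := openDirFDs(); err != nil {
		return err
	} else if len(dirs) > 0 {
		return fmt.Errorf("directory FDs open in sandbox process: %v", dirs)
	}
	return nil
}
```

Running the check once before and once after opening a directory shows the difference between a clean process and one holding a leaked directory FD.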
@luiscape FYI we fixed another GPU checkpoint/restore bug (b373c8e) and added a GPU checkpoint restore test (1214e28). So hopefully we don't break you again.
@ayushr2 awesome. Thanks a lot. It's been working well so far. I'll send you a detailed update this week.