gvisor

module
v0.0.0-...-84f1146
Published: Jul 19, 2024 License: Apache-2.0, MIT

README

gVisor


What is gVisor?

gVisor provides a strong layer of isolation between running applications and the host operating system. It is an application kernel that implements a Linux-like interface. Unlike Linux, it is written in a memory-safe language (Go) and runs in userspace.

gVisor includes an Open Container Initiative (OCI) runtime called runsc that makes it easy to work with existing container tooling. The runsc runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers.

What isn't gVisor?

  • gVisor is not a syscall filter (e.g. seccomp-bpf), nor a wrapper over Linux isolation primitives (e.g. firejail, AppArmor, etc.).
  • gVisor is also not a VM in the everyday sense of the term (e.g. VirtualBox, QEMU).

gVisor takes a distinct third approach, providing many security benefits of VMs while maintaining the lower resource footprint, fast startup, and flexibility of regular userspace applications.

Why does gVisor exist?

Containers are not a sandbox. While containers have revolutionized how we develop, package, and deploy applications, using them to run untrusted or potentially malicious code without additional isolation is not a good idea. While using a single, shared kernel allows for efficiency and performance gains, it also means that container escape is possible with a single vulnerability.

gVisor is an application kernel for containers. It limits the host kernel surface accessible to the application while still giving the application access to all the features it expects. Unlike most kernels, gVisor does not assume or require a fixed set of physical resources; instead, it leverages existing host kernel functionality and runs as a normal process. In other words, gVisor implements Linux by way of Linux.

gVisor should not be confused with technologies and tools to harden containers against external threats, provide additional integrity checks, or limit the scope of access for a service. One should always be careful about what data is made available to a container.

Documentation

User documentation and technical architecture, including quick start guides, can be found at gvisor.dev.

Installing from source

gVisor builds on x86_64 and ARM64. Other architectures may become available in the future.

For the purposes of these instructions, bazel and the other build dependencies are wrapped in a build container. It is also possible to use bazel directly; run make help to list the standard targets.

Requirements

Make sure the following dependencies are installed:

Building

Build and install the runsc binary:

mkdir -p bin
make copy TARGETS=runsc DESTINATION=bin/
sudo cp ./bin/runsc /usr/local/bin

Testing

To run standard test suites, you can use:

make unit-tests
make tests

To run specific tests, you can specify the target:

make test TARGETS="//runsc:version_test"

Using go get

This project uses bazel to build and manage dependencies. A synthetic go branch is maintained that is compatible with standard go tooling for convenience.

For example, to build and install runsc directly from this branch:

echo "module runsc" > go.mod
GO111MODULE=on go get gvisor.dev/gvisor/runsc@go
CGO_ENABLED=0 GO111MODULE=on sudo -E go build -o /usr/local/bin/runsc gvisor.dev/gvisor/runsc

Subsequently, you can build and install the shim binary for containerd:

GO111MODULE=on sudo -E go build -o /usr/local/bin/containerd-shim-runsc-v1 gvisor.dev/gvisor/shim

Note that this branch is supported on a best-effort basis, and direct development on it is not supported. Development should occur on the master branch, which is then mirrored into the go branch.
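The two build procedures above are plain command lists; what an operator usually wants around them is a preflight check (supported architecture, Go toolchain present) and a post-build check that CGO_ENABLED=0 actually produced a static binary. The script below is an added example and not part of the gVisor README or project: it wraps the go-branch build with those checks. RUNSC_DEST, RUNSC_INSTALL and the function names are this example's own assumptions, and it writes to a user-writable path instead of using sudo, leaving the copy to /usr/local/bin to the operator.

```shell
#!/bin/sh
# Added example, not part of the gVisor README or project: a preflight
# wrapper around the "Installing from source" and "Using go get" steps.
# It refuses to build on an architecture gVisor does not support, checks
# that a Go toolchain is present, builds runsc from the synthetic "go"
# branch with CGO disabled, and then verifies that the result is a static
# binary and runs. RUNSC_DEST, RUNSC_INSTALL and the function names are
# this example's own assumptions, not gVisor conventions.

set -eu

# Where the binary is written; defaults to ./bin/runsc like the README's
# "make copy" step. Copying it to /usr/local/bin is left to the operator.
RUNSC_DEST="${RUNSC_DEST:-bin/runsc}"

# supported_arch: map a `uname -m` string to the GOARCH gVisor builds for
# (x86_64 and ARM64 only). Prints the GOARCH, or returns 1 for anything else.
supported_arch() {
  case "$1" in
    x86_64|amd64)  echo amd64 ;;
    aarch64|arm64) echo arm64 ;;
    *) return 1 ;;
  esac
}

# go_branch_build: the README's three go-get commands, run in a throwaway
# module directory so the temporary go.mod never lands in a real project.
# CGO_ENABLED=0 makes the binary static, which is what lets one runsc be
# copied between hosts without depending on the host libc.
go_branch_build() {
  mkdir -p "$(dirname "$1")"
  dest="$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
  workdir="$(mktemp -d)"
  (
    cd "$workdir"
    echo "module runsc" > go.mod
    GO111MODULE=on go get gvisor.dev/gvisor/runsc@go
    CGO_ENABLED=0 GO111MODULE=on go build -o "$dest" gvisor.dev/gvisor/runsc
  )
  rm -rf "$workdir"
}

# is_static_elf: true when the ELF has no PT_INTERP entry (no dynamic
# loader), which is what CGO_ENABLED=0 should give. Needs readelf (binutils).
is_static_elf() {
  ! readelf -l "$1" | grep -q INTERP
}

# Only run the real build when explicitly asked, so sourcing this file to
# reuse the helpers has no side effects.
if [ "${RUNSC_INSTALL:-0}" = 1 ]; then
  arch="$(supported_arch "$(uname -m)")" || {
    echo "unsupported architecture: $(uname -m)" >&2; exit 1; }
  command -v go >/dev/null || { echo "go toolchain not found" >&2; exit 1; }
  echo "building runsc for $arch into $RUNSC_DEST"
  go_branch_build "$RUNSC_DEST"
  is_static_elf "$RUNSC_DEST" || echo "warning: $RUNSC_DEST is dynamically linked" >&2
  "$RUNSC_DEST" --version
fi
```

Run it as `RUNSC_INSTALL=1 sh build-runsc.sh` on a host with Go installed; without RUNSC_INSTALL=1 the file only defines the helpers, which is convenient for sourcing them from a larger provisioning script.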

Community & Governance

See GOVERNANCE.md for project governance information.

The gvisor-users mailing list and gvisor-dev mailing list are good starting points for questions and discussion.

Security Policy

See SECURITY.md.

Contributing

See Contributing.md.

Directories

Path Synopsis
images
benchmarks/profile-helper
    Binary profilehelper helps exfiltrate benchmark profiles.
gpu/cuda-tests
    run_sample runs a CUDA sample test.
gpu/ollama/client
    A simple `curl`-like HTTP client that prints metrics after the request.
pkg
abi
    Package abi describes the interface between a kernel and userspace.
abi/attestation
    Package attestation includes definitions needed for gVisor attestation.
abi/gasket
    Package gasket describes the userspace interface for Gasket devices.
abi/linux
    Package linux contains the constants and types needed to interface with a Linux kernel.
abi/linux/errno
    Package errno holds errno codes for abi/linux.
abi/nvgpu
    Package nvgpu tracks the ABI of the Nvidia GPU Linux kernel driver: https://github.com/NVIDIA/open-gpu-kernel-modules
abi/sentry
    Package sentry contains ABI-related constants for the gVisor sentry.
abi/tpu
    Package tpu defines constants used to interact with TPUs.
atomicbitops
    Package atomicbitops provides extensions to the sync/atomic package.
binary
    Package binary translates between select fixed-sized types and a binary representation.
bitmap
    Package bitmap provides the implementation of bitmap.
bits
    Package bits includes all bit-related types and operations.
bpf
    Package bpf provides tools for working with Berkeley Packet Filter (BPF) programs.
buffer
    Package buffer provides the implementation of a non-contiguous buffer that is reference counted, pooled, and copy-on-write.
cleanup
    Package cleanup provides utilities to clean "stuff" on defers.
compressio
    Package compressio provides parallel compression and decompression, as well as optional SHA-256 hashing.
context
    Package context defines an internal context type.
control/client
    Package client provides a basic control client interface.
control/server
    Package server provides a basic control server interface.
coretag
    Package coretag implements core tagging.
coverage
    Package coverage provides an interface through which Go coverage data can be collected, converted to kcov format, and exposed to userspace.
cpuid
    Package cpuid provides basic functionality for creating and adjusting CPU feature sets.
crypto
    Package crypto wraps crypto primitives.
devutil
    Package devutil provides device-specific utilities.
erofs
    Package erofs provides the ability to access the contents in an EROFS [1] image.
errors
    Package errors holds the standardized error definition for gVisor.
errors/linuxerr
    Package linuxerr contains syscall error codes exported as error interface pointers.
eventchannel
    Package eventchannel contains functionality for sending any protobuf message on a socketpair.
eventfd
    Package eventfd wraps Linux's eventfd(2) syscall.
fd
    Package fd provides types for working with file descriptors.
fdchannel
    Package fdchannel implements passing file descriptors between processes over Unix domain sockets.
fdnotifier
    Package fdnotifier contains an adapter that translates IO events (e.g., a file became readable/writable) from native FDs to the notifications in the waiter package.
flipcall
    Package flipcall implements a protocol providing Fast Local Interprocess Procedure Calls between mutually-distrusting processes.
fspath
    Package fspath provides efficient tools for working with file paths in Linux-compatible filesystem implementations.
fsutil
    Package fsutil contains filesystem utilities that can be shared between the sentry and other sandbox components.
gohacks
    Package gohacks contains utilities for subverting the Go compiler.
goid
    Package goid provides the Get function.
hostarch
    Package hostarch contains host arch address operations for user memory.
hostos
    Package hostos contains utility functions for getting information about the host OS.
hosttid
    Package hosttid provides the Current function.
linewriter
    Package linewriter provides an io.Writer which calls an emitter on each line.
lisafs
    Package lisafs (LInux SAndbox FileSystem) defines the protocol for filesystem RPCs between an untrusted Sandbox (client) and a trusted filesystem server.
lisafs/testsuite
    Package testsuite provides an integration testing suite for lisafs.
log
    Package log implements a library for logging.
marshal
    Package marshal defines the Marshallable interface for serializing/deserializing Go data structures to/from memory, according to the Linux ABI.
marshal/primitive
    Package primitive defines marshal.Marshallable implementations for primitive types.
memutil
    Package memutil provides utilities for working with shared memory files.
metric
    Package metric provides primitives for collecting metrics.
metric/buckettool
    buckettool prints buckets for distribution metrics.
p9
    Package p9 is a 9P2000.L implementation.
p9/p9test
    Package p9test provides standard mocks for p9.
pool
    Package pool provides a trivial integer pool.
prometheus
    Package prometheus contains Prometheus-compliant metric data structures and utilities.
rand
    Package rand implements a cryptographically secure pseudorandom number generator.
rawfile
    Package rawfile contains utilities for using raw host files on Linux hosts.
ring0
    Package ring0 provides basic operating system-level stubs.
ring0/pagetables
    Package pagetables provides a generic implementation of pagetables.
safecopy
    Package safecopy provides an efficient implementation of functions to access memory that may result in SIGSEGV or SIGBUS being sent to the accessor.
safemem
    Package safemem provides the Block and BlockSeq types.
seccomp
    Package seccomp provides generation of basic seccomp filters.
seccomp/precompiledseccomp/example
    Package example defines two seccomp programs ("example_program1" and "example_program2") to be embedded in the `usage` package in this directory.
seccomp/precompiledseccomp/example/usage
    Package usage shows how to use precompiled seccomp-bpf programs.
seccomp/victim
    Test binary used to test that seccomp filters are properly constructed and indeed kill the process on violation.
secio
    Package secio provides support for sectioned I/O.
segment
    Package segment provides tools for working with collections of segments.
segment/test
    Package segment is a test package.
sentry/arch
    Package arch provides abstractions around architecture-dependent details, such as syscall calling conventions, native types, etc.
sentry/arch/fpu
    Package fpu provides basic floating point helpers.
sentry/contexttest
    Package contexttest builds a test context.Context.
sentry/control
    Package control contains types that expose control server methods, and can be used to configure and interact with a running sandbox process.
sentry/devices/accel
    Package accel implements proxying for hardware accelerators.
sentry/devices/memdev
    Package memdev implements "mem" character devices, as implemented in Linux by drivers/char/mem.c and drivers/char/random.c.
sentry/devices/nvproxy
    Package nvproxy implements proxying for the Nvidia GPU Linux kernel driver: https://github.com/NVIDIA/open-gpu-kernel-modules.
sentry/devices/tpuproxy
    Package tpuproxy implements proxying for TPU devices.
sentry/devices/ttydev
    Package ttydev implements an unopenable vfs.Device for /dev/tty.
sentry/devices/tundev
    Package tundev implements the /dev/net/tun device.
sentry/fdimport
    Package fdimport provides the Import function.
sentry/fsimpl/cgroupfs
    Package cgroupfs implements cgroupfs.
sentry/fsimpl/dev
    Package dev provides a filesystem implementation for /dev.
sentry/fsimpl/devpts
    Package devpts provides a filesystem implementation that behaves like devpts.
sentry/fsimpl/devtmpfs
    Package devtmpfs provides a singleton fsimpl/dev filesystem instance, analogous to Linux's devtmpfs.
sentry/fsimpl/erofs
    Package erofs implements erofs.
sentry/fsimpl/eventfd
    Package eventfd implements event fds.
sentry/fsimpl/fuse
    Package fuse implements fusefs.
sentry/fsimpl/gofer
    Package gofer provides a filesystem implementation that is backed by a 9p server, interchangeably referred to as "gofers" throughout this package.
sentry/fsimpl/host
    Package host provides a filesystem implementation for host files imported as file descriptors.
sentry/fsimpl/iouringfs
    Package iouringfs provides a filesystem implementation for IO_URING, based on anonfs.
sentry/fsimpl/kernfs
    Package kernfs provides the tools to implement inode-based filesystems.
sentry/fsimpl/lock
    Package lock is the API for POSIX-style advisory regional file locks and BSD-style full file locks.
sentry/fsimpl/mqfs
    Package mqfs provides a filesystem implementation to back POSIX message queues.
sentry/fsimpl/nsfs
    Package nsfs provides the filesystem implementation backing Kernel.NsfsMount.
sentry/fsimpl/overlay
    Package overlay provides an overlay filesystem implementation, which synthesizes a filesystem by composing one or more immutable filesystems ("lower layers") with an optional mutable filesystem ("upper layer").
sentry/fsimpl/pipefs
    Package pipefs provides the filesystem implementation backing Kernel.PipeMount.
sentry/fsimpl/proc
    Package proc implements a partial in-memory file system for procfs.
sentry/fsimpl/signalfd
    Package signalfd provides basic signalfd file implementations.
sentry/fsimpl/sockfs
    Package sockfs provides a filesystem implementation for anonymous sockets.
sentry/fsimpl/sys
    Package sys implements sysfs.
sentry/fsimpl/testutil
    Package testutil provides common test utilities for kernfs-based filesystems.
sentry/fsimpl/timerfd
    Package timerfd implements timer fds.
sentry/fsimpl/tmpfs
    Package tmpfs provides an in-memory filesystem whose contents are application-mutable, consistent with Linux's tmpfs.
sentry/fsimpl/user
    Package user contains methods for resolving filesystem paths based on the user and their environment.
sentry/fsmetric
    Package fsmetric defines filesystem metrics.
sentry/fsutil
    Package fsutil provides utilities for implementing vfs.FileDescriptionImpl and vfs.FilesystemImpl.
sentry/hostcpu
    Package hostcpu provides utilities for working with CPU information provided by a host Linux kernel.
sentry/hostfd
    Package hostfd provides efficient I/O with host file descriptors.
sentry/hostmm
    Package hostmm provides tools for interacting with the host Linux kernel's virtual memory management subsystem.
sentry/inet
    Package inet defines semantics for IP stacks.
sentry/kernel
    Package kernel provides an emulation of the Linux kernel.
sentry/kernel/auth
    Package auth implements an access control model that is a subset of Linux's.
sentry/kernel/contexttest
    Package contexttest provides a test context.Context which includes a dummy kernel pointing to a valid platform.
sentry/kernel/fasync
    Package fasync provides FIOASYNC-related functionality.
sentry/kernel/futex
    Package futex provides an implementation of the futex interface as found in the Linux kernel.
sentry/kernel/ipc
    Package ipc defines functionality and utilities common to sysvipc mechanisms.
sentry/kernel/memevent
    Package memevent implements the memory usage events controller, which periodically emits events via the eventchannel.
sentry/kernel/mq
    Package mq provides an implementation for POSIX message queues.
sentry/kernel/msgqueue
    Package msgqueue implements System V message queues.
sentry/kernel/pipe
    Package pipe provides a pipe implementation.
sentry/kernel/sched
    Package sched implements scheduler-related features.
sentry/kernel/semaphore
    Package semaphore implements System V semaphores.
sentry/kernel/shm
    Package shm implements sysv shared memory segments.
sentry/kernel/time
    Package time defines the Timer type, which provides a periodic timer that works by sampling a user-provided clock.
sentry/limits
    Package limits provides resource limits.
sentry/loader
    Package loader loads an executable file into a MemoryManager.
sentry/loader/vdsodata
    Package vdsodata contains a compiled VDSO object.
sentry/memmap
    Package memmap defines semantics for memory mappings.
sentry/mm
    Package mm provides a memory management subsystem.
sentry/pgalloc
    Package pgalloc contains the page allocator subsystem, which provides allocatable memory that may be mapped into application address spaces.
sentry/platform
    Package platform provides a Platform abstraction.
sentry/platform/interrupt
    Package interrupt provides an interrupt helper.
sentry/platform/kvm
    Package kvm provides a kvm-based implementation of the platform interface.
sentry/platform/kvm/testutil
    Package testutil provides common assembly stubs for testing.
sentry/platform/ptrace
    Package ptrace provides a ptrace-based implementation of the platform interface.
sentry/platform/systrap
    Package systrap provides a seccomp-based implementation of the platform interface.
sentry/platform/systrap/sysmsg
    Package sysmsg provides a stub signal handler and a communication protocol between stub threads and the Sentry.
sentry/platform/systrap/usertrap
    Package usertrap implements the library to replace syscall instructions with function calls.
sentry/seccheck
    Package seccheck defines a structure for dynamically-configured security checks in the sentry.
sentry/seccheck/sinks/null
    Package null defines a seccheck.Sink that does nothing with the trace points, akin to /dev/null.
sentry/seccheck/sinks/remote
    Package remote defines a seccheck.Sink that serializes points to a remote process.
sentry/seccheck/sinks/remote/server
    Package server provides a common server implementation that can connect with remote.Remote.
sentry/seccheck/sinks/remote/test
    Package test provides functionality used to test the remote sink.
sentry/seccheck/sinks/remote/wire
    Package wire defines structs used in the wire format for the remote checker.
sentry/socket
    Package socket provides the interfaces that need to be provided by socket implementations and providers, as well as per-family demultiplexing of socket creation.
sentry/socket/control
    Package control provides internal representations of socket control messages.
sentry/socket/hostinet
    Package hostinet implements AF_INET and AF_INET6 sockets using the host's network stack.
sentry/socket/netfilter
    Package netfilter helps the sentry interact with netstack's netfilter capabilities.
sentry/socket/netlink
    Package netlink provides core functionality for netlink sockets.
sentry/socket/netlink/nlmsg
    Package nlmsg provides helpers to parse and construct netlink messages.
sentry/socket/netlink/port
    Package port provides port ID allocation for netlink sockets.
sentry/socket/netlink/route
    Package route provides a NETLINK_ROUTE socket protocol.
sentry/socket/netlink/uevent
    Package uevent provides a NETLINK_KOBJECT_UEVENT socket protocol.
sentry/socket/netstack
    Package netstack provides an implementation of the socket.Socket interface that is backed by a tcpip.Endpoint.
sentry/socket/unix
    Package unix provides an implementation of the socket.Socket interface for the AF_UNIX protocol family.
sentry/socket/unix/transport
    Package transport contains the implementation of Unix endpoints.
sentry/state
    Package state provides high-level state wrappers.
sentry/strace
    Package strace implements the logic to print out the input and the return value of each traced syscall.
sentry/syscalls
    Package syscalls is the interface from the application to the kernel.
sentry/syscalls/linux
    Package linux provides syscall tables for amd64 and arm64 Linux.
sentry/time
    Package time provides a calibrated clock synchronized to a system reference clock.
sentry/unimpl
    Package unimpl contains an interface to emit events about unimplemented features.
sentry/uniqueid
    Package uniqueid defines context.Context keys for obtaining system-wide unique identifiers.
sentry/usage
    Package usage provides representations of resource usage.
sentry/vfs
    Package vfs implements a virtual filesystem layer.
sentry/vfs/genericfstree
    Package genericfstree provides tools for implementing vfs.FilesystemImpls where a single statically-determined lock or set of locks is sufficient to ensure that a Dentry's name and parent are contextually immutable.
sentry/vfs/memxattr
    Package memxattr provides a default, in-memory extended attribute implementation.
sentry/watchdog
    Package watchdog is responsible for monitoring the sentry for tasks that may potentially be stuck or looping indeterminately, causing hard-to-debug hangs in the untrusted app.
shim
    Package shim implements the Containerd Shim v2 interface.
shim/extension
    Package extension provides an extension to the shim.
shim/proc
    Package proc is responsible for managing the communication between the shim and the sandbox process running the container.
shim/runsc
    Package runsc implements the Containerd Shim v2 interface.
shim/runsccmd
Package runsccmd provides an API to interact with runsc command line.
Package runsccmd provides an API to interact with runsc command line.
shim/runtimeoptions
Package runtimeoptions contains the runtimeoptions proto for containerd 1.5 and above.
Package runtimeoptions contains the runtimeoptions proto for containerd 1.5 and above.
shim/runtimeoptions/v14
Package v14 contains the runtimeoptions proto for containerd 1.4 and earlier.
Package v14 contains the runtimeoptions proto for containerd 1.4 and earlier.
shim/utils
Package utils container miscellaneous utility function used by the shim.
Package utils container miscellaneous utility function used by the shim.
sighandling
Package sighandling contains helpers for handling signals to applications.
Package sighandling contains helpers for handling signals to applications.
sleep
Package sleep allows goroutines to efficiently sleep on multiple sources of notifications (wakers).
state
Package state provides functionality related to saving and loading object graphs.
state/pretty
Package pretty is a pretty-printer for state streams.
state/statefile
Package statefile defines the state file data stream.
state/tests
Package tests tests the state packages.
state/wire
Package wire contains a few basic types that can be composed to serialize graph information for the state package.
sync
Package sync provides synchronization primitives.
sync/atomicptr
Package atomicptr doesn't exist.
sync/atomicptrmap
Package atomicptrmap instantiates generic_atomicptrmap for testing.
sync/locking
Package locking implements lock primitives with the correctness validator.
sync/seqatomic
Package seqatomic doesn't exist.
syncevent
Package syncevent provides efficient primitives for goroutine synchronization based on event bitmasks.
syserr
Package syserr contains sandbox-internal errors.
tcpip
Package tcpip provides the interfaces and related types that users of the tcpip stack will use in order to create endpoints used to send and receive data over the network stack.
tcpip/adapters/gonet
Package gonet provides a Go net package compatible wrapper for a tcpip stack.
tcpip/checker
Package checker provides helper functions to check networking packets for validity.
tcpip/checksum
Package checksum computes and verifies the ones'-complement Internet checksum used by network protocol headers.
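The checksum that tcpip/checksum computes is the ones'-complement sum of RFC 1071; when a router rewrites one field it can patch the checksum with the incremental update of RFC 1624 instead of re-summing the header. The block below is an added illustration, not gVisor's own code. The 20-byte IPv4 header is constructed for this example (it is the widely circulated sample whose checksum is 0xb861). The point a security reviewer should keep in mind is at the end of main: the checksum catches transmission errors only and is unchanged by swapping two 16-bit words, so it is not an integrity mechanism.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// SampleIPv4Header is a constructed 20-byte IPv4 header (no options):
// 192.168.0.1 -> 192.168.0.199, TTL 64, protocol UDP, checksum 0xb861.
var SampleIPv4Header = []byte{
	0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
	0xb8, 0x61, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7,
}

// Checksum adds buf to the running ones'-complement sum initial and
// returns the folded 16-bit result (RFC 1071). A trailing odd byte is
// treated as the high byte of a final 16-bit word.
func Checksum(buf []byte, initial uint16) uint16 {
	sum := uint32(initial)
	for ; len(buf) >= 2; buf = buf[2:] {
		sum += uint32(binary.BigEndian.Uint16(buf))
	}
	if len(buf) == 1 {
		sum += uint32(buf[0]) << 8
	}
	for sum>>16 != 0 { // fold carries back in until none remain
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return uint16(sum)
}

// IPv4HeaderChecksum returns the value that belongs in the checksum field
// (bytes 10-11) of hdr, computed as if that field were zero.
func IPv4HeaderChecksum(hdr []byte) uint16 {
	partial := Checksum(hdr[:10], 0)
	return ^Checksum(hdr[12:], partial)
}

// IPv4HeaderValid reports whether hdr, checksum field included, sums to
// all ones, which is how a receiver verifies it.
func IPv4HeaderValid(hdr []byte) bool {
	return Checksum(hdr, 0) == 0xffff
}

// UpdateChecksum recomputes a checksum after a single 16-bit word changed
// from oldWord to newWord, without touching the rest of the header
// (RFC 1624, equation 3: HC' = ~(~HC + ~m + m')).
func UpdateChecksum(old, oldWord, newWord uint16) uint16 {
	sum := uint32(^old) + uint32(^oldWord) + uint32(newWord)
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

func main() {
	hdr := append([]byte(nil), SampleIPv4Header...)
	fmt.Printf("computed %#04x, valid=%v\n", IPv4HeaderChecksum(hdr), IPv4HeaderValid(hdr))

	// A router decrements TTL (byte 8) and patches the checksum in place.
	old := binary.BigEndian.Uint16(hdr[10:])
	oldWord := binary.BigEndian.Uint16(hdr[8:])
	hdr[8]--
	newWord := binary.BigEndian.Uint16(hdr[8:])
	binary.BigEndian.PutUint16(hdr[10:], UpdateChecksum(old, oldWord, newWord))
	fmt.Printf("after TTL decrement %#04x, valid=%v\n",
		binary.BigEndian.Uint16(hdr[10:]), IPv4HeaderValid(hdr))

	// Swapping two 16-bit words (here the low halves of src and dst)
	// leaves the sum unchanged: the checksum is not an integrity check.
	hdr[14], hdr[15], hdr[18], hdr[19] = hdr[18], hdr[19], hdr[14], hdr[15]
	fmt.Printf("after word swap valid=%v\n", IPv4HeaderValid(hdr))
}
```

Verification compares the folded sum against 0xffff rather than recomputing and comparing the field, which is the usual receiver-side form and also covers the header with its checksum already in place.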
tcpip/faketime
Package faketime provides a fake clock that implements the tcpip.Clock interface.
tcpip/hash/jenkins
Package jenkins implements the one_at_a_time non-cryptographic hash function created by Bob Jenkins.
tcpip/header
Package header provides the implementation of the encoding and decoding of network protocol headers.
tcpip/header/parse
Package parse provides utilities to parse packets.
tcpip/internal/tcp
Package tcp contains internal type definitions that are not expected to be used by anyone else outside pkg/tcpip.
tcpip/link/channel
Package channel provides the implementation of channel-based data-link layer endpoints.
tcpip/link/ethernet
Package ethernet provides an implementation of an ethernet link endpoint that wraps an inner link endpoint.
tcpip/link/fdbased
Package fdbased provides the implementation of data-link layer endpoints backed by boundary-preserving file descriptors (e.g., TUN devices, seqpacket/datagram sockets).
tcpip/link/loopback
Package loopback provides the implementation of loopback data-link layer endpoints.
tcpip/link/muxed
Package muxed provides a muxed link endpoint.
tcpip/link/nested
Package nested provides helpers to implement the pattern of nested stack.LinkEndpoints.
tcpip/link/packetsocket
Package packetsocket provides a link endpoint that enables delivery of incoming and outgoing packets to any interested packet sockets.
tcpip/link/pipe
Package pipe provides the implementation of pipe-like data-link layer endpoints.
tcpip/link/qdisc/fifo
Package fifo provides the implementation of a FIFO queuing discipline that queues all outbound packets and asynchronously dispatches them to the lower link endpoint in the order that they were queued.
tcpip/link/sharedmem
Package sharedmem provides the implementation of data-link layer endpoints backed by shared memory.
tcpip/link/sharedmem/pipe
Package pipe implements a shared memory ring buffer on which a single reader and a single writer can operate (read/write) concurrently.
tcpip/link/sharedmem/queue
Package queue provides the implementation of transmit and receive queues based on shared memory ring buffers.
tcpip/link/sniffer
Package sniffer provides the implementation of data-link layer endpoints that wrap another endpoint and log inbound and outbound packets.
tcpip/link/stopfd
Package stopfd provides a type that can be used to signal the stop of a dispatcher.
tcpip/link/tun
Package tun contains methods to open TAP and TUN devices.
tcpip/link/veth
Package veth provides the implementation of a virtual ethernet device pair.
tcpip/link/waitable
Package waitable provides the implementation of data-link layer endpoints that wrap other endpoints, and can wait for inflight calls to WritePacket or DeliverNetworkPacket to finish (and new ones to be prevented).
tcpip/link/xdp
Package xdp provides link layer endpoints backed by AF_XDP sockets.
tcpip/network/arp
Package arp implements the ARP network protocol.
tcpip/network/hash
Package hash contains utility functions for hashing.
tcpip/network/internal/fragmentation
Package fragmentation contains the implementation of IP fragmentation.
tcpip/network/internal/ip
Package ip holds IPv4/IPv6 common utilities.
tcpip/network/internal/multicast
Package multicast contains utilities for supporting multicast routing.
tcpip/network/internal/testutil
Package testutil defines types and functions used to test Network Layer functionality such as IP fragmentation.
tcpip/network/ipv4
Package ipv4 contains the implementation of the ipv4 network protocol.
tcpip/network/ipv6
Package ipv6 contains the implementation of the ipv6 network protocol.
tcpip/nftables
Package nftables provides the interface to process packets through a netfilter (nf) ruleset and maintain/modify the ruleset accordingly.
tcpip/ports
Package ports provides PortManager that manages allocating, reserving and releasing ports.
tcpip/prependable
Package prependable defines a buffer that grows backwards.
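A buffer that grows backwards is how a stack adds headers without copying: the payload is written at the end of a pre-sized slice and each lower layer claims its header in the free space in front of what is already there. The block below is an added example written for this page, not the prependable package's own type; the UDP and IPv4 layout it emits is minimal (checksums left zero) and the sizing constants are its own. The failure mode to handle is exhausted headroom, which Prepend reports as nil rather than reallocating and moving bytes that callers may already hold slices into; the length-field overflow check is the other guard worth copying.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Prependable is a byte slice whose unused space is at the front.
// usedStart is the index of the first byte in use; everything before it
// is headroom that lower layers may claim.
type Prependable struct {
	buf       []byte
	usedStart int
}

// NewPrependable allocates size bytes of headroom and an empty view.
func NewPrependable(size int) *Prependable {
	return &Prependable{buf: make([]byte, size), usedStart: size}
}

// Prepend claims size bytes directly in front of the current view and
// returns them for the caller to fill in. It returns nil when the
// headroom is exhausted; callers must check, because growing the buffer
// would move the bytes already written.
func (p *Prependable) Prepend(size int) []byte {
	if size < 0 || size > p.usedStart {
		return nil
	}
	p.usedStart -= size
	return p.buf[p.usedStart : p.usedStart+size]
}

// View returns the bytes in use, outermost header first.
func (p *Prependable) View() []byte { return p.buf[p.usedStart:] }

// Headroom reports how many more bytes can be prepended.
func (p *Prependable) Headroom() int { return p.usedStart }

const (
	udpHeaderLen  = 8
	ipv4HeaderLen = 20
	maxIPv4Total  = 0xffff // the IPv4 total-length field is 16 bits
)

// BuildUDPOverIPv4 lays out payload, then a minimal UDP header, then a
// minimal IPv4 header, innermost first, the way a stack walks down its
// layers. Checksums are left zero to keep the example to the buffer.
func BuildUDPOverIPv4(payload []byte, srcPort, dstPort uint16) ([]byte, error) {
	total := ipv4HeaderLen + udpHeaderLen + len(payload)
	if total > maxIPv4Total {
		return nil, fmt.Errorf("payload of %d bytes overflows the IPv4 length field", len(payload))
	}
	p := NewPrependable(total)

	dst := p.Prepend(len(payload))
	if dst == nil {
		return nil, fmt.Errorf("no room for %d payload bytes", len(payload))
	}
	copy(dst, payload)

	udp := p.Prepend(udpHeaderLen)
	if udp == nil {
		return nil, fmt.Errorf("no room for UDP header")
	}
	binary.BigEndian.PutUint16(udp[0:], srcPort)
	binary.BigEndian.PutUint16(udp[2:], dstPort)
	binary.BigEndian.PutUint16(udp[4:], uint16(udpHeaderLen+len(payload)))

	ip := p.Prepend(ipv4HeaderLen)
	if ip == nil {
		return nil, fmt.Errorf("no room for IPv4 header")
	}
	ip[0] = 0x45 // version 4, IHL 5 (no options)
	binary.BigEndian.PutUint16(ip[2:], uint16(total))
	ip[8] = 64 // TTL
	ip[9] = 17 // protocol: UDP

	return p.View(), nil
}

func main() {
	pkt, err := BuildUDPOverIPv4([]byte("hello"), 12345, 53)
	if err != nil {
		panic(err)
	}
	fmt.Printf("% x\n", pkt)
	p := NewPrependable(4)
	fmt.Println("over-claim returns nil:", p.Prepend(8) == nil)
}
```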
tcpip/sample/tun_tcp_connect
This sample creates a stack with TCP and IPv4 protocols on top of a TUN device, and connects to a peer.
tcpip/sample/tun_tcp_echo
This sample creates a stack with TCP and IPv4 protocols on top of a TUN device, and listens on a port.
tcpip/seqnum
Package seqnum defines the types and methods for TCP sequence numbers such that they fit in 32-bit words and work properly when overflows occur.
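Sequence numbers live on a 32-bit ring, so comparing the raw integers breaks as soon as the window straddles the wrap point; the usable ordering is the sign of the 32-bit difference, which is valid only while the two values are less than 2^31 apart. The block below is an added example in that style and is not the seqnum package's API. It carries the comparison through the RFC 793 acceptability test a receiver applies before trusting an incoming segment; that window check is what makes blind, off-path injection hard, so the edge cases it exercises (wraparound, zero window, zero-length segments) are the ones that matter.

```go
package main

import "fmt"

// Value is a TCP sequence number; Size is a distance between two of them.
// Both wrap at 2^32.
type Value uint32
type Size uint32

// LessThan reports whether v precedes w on the ring. The sign of the
// 32-bit difference is meaningful only while the two are less than 2^31
// apart, which TCP guarantees by bounding the window.
func (v Value) LessThan(w Value) bool   { return int32(w-v) > 0 }
func (v Value) LessThanEq(w Value) bool { return int32(w-v) >= 0 }

// Add advances v by s, wrapping.
func (v Value) Add(s Size) Value { return v + Value(s) }

// Distance returns how far v is past from, wrapping.
func (v Value) Distance(from Value) Size { return Size(v - from) }

// InWindow reports whether first <= v < first+size on the ring.
func (v Value) InWindow(first Value, size Size) bool {
	return first.LessThanEq(v) && v.LessThan(first.Add(size))
}

// SegmentAcceptable is the RFC 793 test a receiver applies to an incoming
// segment: some part of [seq, seq+segLen) must fall inside the receive
// window [rcvNxt, rcvNxt+rcvWnd). A segment that fails is not delivered
// (at most an ACK goes back), which is what limits blind injection.
func SegmentAcceptable(seq Value, segLen Size, rcvNxt Value, rcvWnd Size) bool {
	switch {
	case segLen == 0 && rcvWnd == 0:
		return seq == rcvNxt
	case segLen == 0:
		return seq.InWindow(rcvNxt, rcvWnd)
	case rcvWnd == 0:
		return false // no room for data
	default:
		last := seq.Add(segLen - 1)
		return seq.InWindow(rcvNxt, rcvWnd) || last.InWindow(rcvNxt, rcvWnd)
	}
}

func main() {
	rcvNxt, rcvWnd := Value(0xffffff00), Size(0x200) // window straddles the wrap
	for _, seq := range []Value{0xfffffef0, 0x10, 0x100} {
		fmt.Printf("seq %#x: raw < rcvNxt? %v  acceptable? %v\n",
			seq, uint32(seq) < uint32(rcvNxt), SegmentAcceptable(seq, 4, rcvNxt, rcvWnd))
	}
}
```

With the window above, seq 0x10 is inside it even though it is numerically smaller than rcvNxt, and seq 0x100 is the first value past the window end and is refused.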
tcpip/stack
Package stack provides the glue between networking protocols and the consumers of the networking stack.
tcpip/stack/gro
Package gro implements generic receive offload.
tcpip/tests/utils
Package utils holds common testing utilities for tcpip.
tcpip/testutil
Package testutil provides helper functions for netstack unit tests.
tcpip/transport
Package transport supports transport protocols.
tcpip/transport/icmp
Package icmp contains the implementation of the ICMP and IPv6-ICMP transport protocols for use in ping.
tcpip/transport/internal/network
Package network provides facilities to support tcpip.Endpoints that operate at the network layer or above.
tcpip/transport/internal/noop
Package noop contains an endpoint that implements all tcpip.Endpoint functions as noops.
tcpip/transport/packet
Package packet provides the implementation of packet sockets (see packet(7)).
tcpip/transport/raw
Package raw provides the implementation of raw sockets (see raw(7)).
tcpip/transport/tcp
Package tcp contains the implementation of the TCP transport protocol.
tcpip/transport/tcp/test/e2e
Package e2e contains definitions common to all e2e tcp tests.
tcpip/transport/tcp/testing/context
Package context provides a test context for use in tcp tests.
tcpip/transport/tcpconntrack
Package tcpconntrack implements a TCP connection tracking object.
tcpip/transport/testing/context
Package context provides a context used by datagram-based network endpoints tests.
tcpip/transport/udp
Package udp contains the implementation of the UDP transport protocol.
test/criutil
Package criutil contains utility functions for interacting with the Container Runtime Interface (CRI), principally via the crictl command line tool.
test/dockerutil
Package dockerutil is a collection of utility functions.
test/testutil
Package testutil contains utility functions for runsc tests.
trie
Package trie provides a character-based prefix trie data structure for storing arbitrary payloads in an efficiently retrievable manner.
unet
Package unet provides a minimal net package based on Unix Domain Sockets.
urpc
Package urpc provides a minimal RPC package based on unet.
usermem
Package usermem governs access to user memory.
waiter
Package waiter provides the implementation of a wait queue, where waiters can be enqueued to be notified when an event of interest happens.
xdp
Package xdp provides tools for working with AF_XDP sockets.
runsc
Binary runsc implements the OCI runtime interface.
boot
Package boot loads the kernel and runs a container.
boot/filter
Package filter installs seccomp filters to prevent prohibited syscalls in case the Sentry is compromised.
boot/filter/config
Package config defines all syscalls the sandbox is allowed to make to the host.
boot/filter/dumpfilter
dumpfilter dumps the seccomp-bpf program used by the Sentry.
boot/platforms
Package platforms imports all available platform packages.
boot/portforward
Package portforward holds the infrastructure to support the port forward command.
boot/pprof
Package pprof provides a stub to initialize custom profilers.
boot/procfs
Package procfs holds utilities for getting procfs information for sandboxed processes.
cgroup
Package cgroup provides an interface to read and write configuration to cgroup.
cli
Package cli is the main entrypoint for runsc.
cmd
Package cmd holds implementations of the runsc commands.
cmd/metricserver
The metricserver binary is a separate binary that implements the 'runsc metric-server' subcommand.
cmd/metricserver/metricservercmd
Package metricservercmd partially implements the 'metric-server' subcommand.
cmd/nvproxy
Package nvproxy provides subcommands for the nvproxy command.
cmd/trace
Package trace provides subcommands for the trace command.
cmd/util
Package util groups common helper functions used by commands.
config
Package config provides basic infrastructure to set configuration settings for runsc.
console
Package console contains utilities for working with pty consoles in runsc.
container
Package container creates and manipulates containers.
donation
Package donation tracks files that are being donated to a child process and uses flags to notify the child process where the FDs are.
flag
Package flag wraps flag primitives.
fsgofer
Package fsgofer provides a lisafs server implementation which gives access to local files.
fsgofer/filter
Package filter defines all syscalls the gofer is allowed to make, and installs seccomp filters to prevent prohibited syscalls in case the gofer is compromised.
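boot/filter/config and fsgofer/filter each define a syscall allowlist and install it as a seccomp-bpf program, so that a compromised Sentry or gofer cannot reach host syscalls outside that list. An allowlist of that shape is shown below as an added example; it is not the project's generator and it installs nothing, since seccomp(2) is Linux-only and must be preceded by prctl(PR_SET_NO_NEW_PRIVS). The opcode, return-value and architecture constants are the kernel's uapi values; the small cBPF interpreter is a test double written for this example, not the kernel's. Two checks a reviewer looks for are included: the architecture is compared before the syscall number, and on x86_64 any number with the x32 bit (0x40000000) set is refused, because x32 calls report the same arch value and would otherwise slip past a number-only allowlist.

```go
package main

import "fmt"

// Classic BPF opcodes (linux/bpf_common.h), seccomp return values
// (linux/seccomp.h) and audit architecture values (linux/audit.h).
const (
	bpfLD  = 0x00
	bpfJMP = 0x05
	bpfRET = 0x06
	bpfW   = 0x00
	bpfABS = 0x20
	bpfK   = 0x00
	bpfJEQ = 0x10
	bpfJGE = 0x30

	SeccompRetKillProcess = 0x80000000
	SeccompRetErrno       = 0x00050000
	SeccompRetAllow       = 0x7fff0000

	AuditArchX8664 = 0xc000003e // AUDIT_ARCH_X86_64
	AuditArchI386  = 0x40000003 // AUDIT_ARCH_I386
	x32SyscallBit  = 0x40000000 // __X32_SYSCALL_BIT

	// Offsets of the fields this filter reads in struct seccomp_data.
	offNr   = 0
	offArch = 4
)

// SockFilter is one cBPF instruction, laid out as struct sock_filter.
type SockFilter struct {
	Code   uint16
	Jt, Jf uint8
	K      uint32
}

// SeccompData is the subset of struct seccomp_data this filter inspects.
type SeccompData struct {
	Nr   uint32
	Arch uint32
}

// ErrnoRule makes a syscall fail with Errno instead of killing the
// process; useful for calls a library probes but the sandbox never needs.
type ErrnoRule struct {
	Nr    uint32
	Errno uint16
}

func stmt(code uint16, k uint32) SockFilter { return SockFilter{Code: code, K: k} }
func jump(code uint16, k uint32, jt, jf uint8) SockFilter {
	return SockFilter{Code: code, Jt: jt, Jf: jf, K: k}
}

// BuildAllowlist emits a default-deny program: any other architecture,
// any x32-flagged number on x86_64, and any number not in allowed or
// errnoRules ends in SECCOMP_RET_KILL_PROCESS.
func BuildAllowlist(arch uint32, allowed []uint32, errnoRules []ErrnoRule) []SockFilter {
	prog := []SockFilter{
		stmt(bpfLD|bpfW|bpfABS, offArch),
		jump(bpfJMP|bpfJEQ|bpfK, arch, 1, 0), // arch matches: skip the kill
		stmt(bpfRET|bpfK, SeccompRetKillProcess),
		stmt(bpfLD|bpfW|bpfABS, offNr),
	}
	if arch == AuditArchX8664 {
		prog = append(prog,
			jump(bpfJMP|bpfJGE|bpfK, x32SyscallBit, 0, 1), // nr >= bit: kill
			stmt(bpfRET|bpfK, SeccompRetKillProcess))
	}
	for _, nr := range allowed {
		prog = append(prog,
			jump(bpfJMP|bpfJEQ|bpfK, nr, 0, 1), // match: fall into the allow
			stmt(bpfRET|bpfK, SeccompRetAllow))
	}
	for _, r := range errnoRules {
		prog = append(prog,
			jump(bpfJMP|bpfJEQ|bpfK, r.Nr, 0, 1),
			stmt(bpfRET|bpfK, SeccompRetErrno|uint32(r.Errno)))
	}
	return append(prog, stmt(bpfRET|bpfK, SeccompRetKillProcess))
}

// Run evaluates prog against data the way the kernel would, for the
// opcodes this generator uses, so the policy can be tested uninstalled.
func Run(prog []SockFilter, data SeccompData) (uint32, error) {
	var acc uint32
	for pc := 0; pc < len(prog); pc++ {
		ins := prog[pc]
		switch ins.Code {
		case bpfLD | bpfW | bpfABS:
			switch ins.K {
			case offNr:
				acc = data.Nr
			case offArch:
				acc = data.Arch
			default:
				return 0, fmt.Errorf("pc %d: unsupported load offset %d", pc, ins.K)
			}
		case bpfJMP | bpfJEQ | bpfK:
			if acc == ins.K {
				pc += int(ins.Jt)
			} else {
				pc += int(ins.Jf)
			}
		case bpfJMP | bpfJGE | bpfK:
			if acc >= ins.K {
				pc += int(ins.Jt)
			} else {
				pc += int(ins.Jf)
			}
		case bpfRET | bpfK:
			return ins.K, nil
		default:
			return 0, fmt.Errorf("pc %d: unsupported opcode %#x", pc, ins.Code)
		}
	}
	return 0, fmt.Errorf("program fell off the end")
}

func main() {
	// x86_64 numbers: read=0, write=1, openat=257, execve=59; EPERM=1.
	prog := BuildAllowlist(AuditArchX8664, []uint32{0, 1}, []ErrnoRule{{Nr: 257, Errno: 1}})
	probes := []SeccompData{
		{Nr: 1, Arch: AuditArchX8664},
		{Nr: 257, Arch: AuditArchX8664},
		{Nr: 59, Arch: AuditArchX8664},
		{Nr: 1, Arch: AuditArchI386},
		{Nr: 1 | x32SyscallBit, Arch: AuditArchX8664},
	}
	for _, d := range probes {
		ret, err := Run(prog, d)
		fmt.Printf("nr=%#x arch=%#x -> %#x %v\n", d.Nr, d.Arch, ret, err)
	}
}
```

Jump targets are relative to the next instruction, so a `jt` of 0 falls into the following return and a `jf` of 1 skips it; keeping each rule to a two-instruction pair avoids the long-range jump offsets that a larger table would need.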
metricserver
Package metricserver implements a Prometheus metric server for runsc data.
metricserver/containermetrics
Package containermetrics returns metrics and labels interesting to export about a container or sandbox.
mitigate
Package mitigate provides libraries for the mitigate command.
profile
Package profile contains profiling utils.
sandbox
Package sandbox creates and manipulates sandboxes.
sandbox/bpf
Package bpf provides compiled bpf programs as byte slices.
specutils
Package specutils contains utility functions for working with OCI runtime specs.
specutils/safemount_test
safemount_runner is used to test the SafeMount function.
specutils/seccomp
Package seccomp implements some features of libseccomp in order to support OCI.
starttime
Package starttime holds the time the `runsc` command started.
version
Package version holds a string containing version information for runsc.
shim
Binary containerd-shim-runsc-v1 is the v2 containerd shim (implementing the formal v1 API).
cli
Package cli defines the command line interface for the V2 shim.
test
benchmarks/base
Package base holds utility methods common to the base tests.
benchmarks/database
Package database holds benchmarks around database applications.
benchmarks/fs/fsbench
Package fsbench provides utility functions for filesystem benchmarks.
benchmarks/harness
Package harness holds utility code for running benchmarks on Docker.
benchmarks/media
Package media holds benchmarks around media processing applications.
benchmarks/ml
Package ml holds benchmarks around machine learning performance.
benchmarks/network
Package network holds benchmarks around raw network performance.
benchmarks/tcp
Binary tcp_proxy is a simple TCP proxy.
benchmarks/tools
Package tools holds tooling to couple command formatting and output parsers together.
cmd/test_app
Binary test_app is like a Swiss Army knife for tests that need to run anything inside the sandbox.
e2e
Package integration is empty.
fsstress
Package fsstress is empty.
gpu/ollama
Package ollama provides an Ollama API client.
gpu/stablediffusion
Package stablediffusion provides utilities to generate images with Stable Diffusion.
image
Package image is empty.
iptables
Package iptables contains a set of iptables tests implemented as TestCases.
iptables/runner
Package main runs iptables tests from within a docker container.
metricclient
Package metricclient provides utility functions to start, stop, and talk to a metric server.
metricsviz
Package metricsviz charts profiling metrics data and renders them to HTML.
metricsviz/metricsviz_cli
metricsviz_cli visualizes metrics from profiling metrics logs.
packetimpact/dut
Package dut provides common definitions and utilities to be shared by DUTs.
packetimpact/dut/linux
Package linux provides utilities specific to bringing up linux DUTs.
packetimpact/dut/native
The native binary is used to bring up a native linux DUT.
packetimpact/dut/runsc
The devid binary is used to get the device ID in the runsc container.
packetimpact/internal/testing
Package testing provides common testing functionality.
packetimpact/netdevs/netlink
Package netlink has routines to get interface information through netlink.
packetimpact/runner
The runner binary is used as the test runner for PacketImpact tests.
packetimpact/testbench
Package testbench has utilities to send and receive packets, and also command the DUT to run POSIX functions.
root
Package root is used for tests that require sysadmin privileges to run.
rtnetlink/linux
tcp_serv creates a TCP server socket, reads data from stdin, and sends that data to the socket.
runner
Binary syscall_test_runner runs the syscall test suites in gVisor containers and on the host platform.
runner/fuse
Binary main starts a fuse server that forwards filesystem operations from /tmp to /fuse.
runner/gtest
Package gtest contains helpers for running google-test tests from Go.
runtimes/proctor
Binary proctor runs the test for a particular runtime.
runtimes/proctor/lib
Package lib contains proctor functions.
runtimes/runner
Binary runner runs the runtime tests in a Docker container.
runtimes/runner/lib
Package lib provides utilities for runner.
secbench/secbenchdef
Package secbenchdef contains struct definitions for secbench benchmarks.
secfuzz
Package secfuzz allows fuzz-based testing of seccomp-bpf programs.
trace
Package trace is empty.
trace/config
Package config provides helper functions to configure trace sessions.
uds
Package uds contains helpers for testing external UDS functionality.
tools
bigquery
Package bigquery defines a BigQuery schema for benchmarks.
Package bigquery defines a BigQuery schema for benchmarks.
checkaligned
Package checkaligned ensures that atomic (u)int operations happen exclusively via the atomicbitops package.
Package checkaligned ensures that atomic (u)int operations happen exclusively via the atomicbitops package.
checkconst
Package checkconst checks constant values.
Package checkconst checks constant values.
checkescape
Package checkescape allows recursive escape analysis for hot paths.
Package checkescape allows recursive escape analysis for hot paths.
checkescape/test1
Package test1 is a test package.
Package test1 is a test package.
checkescape/test2
Package test2 is a test package that imports test1.
Package test2 is a test package that imports test1.
checklinkname
Package checklinkname ensures that linkname declarations match their source.
Package checklinkname ensures that linkname declarations match their source.
checklinkname/test
Package test provides linkname test targets.
Package test provides linkname test targets.
checklocks
Package checklocks performs lock analysis to identify and flag unprotected access to annotated fields.
Package checklocks performs lock analysis to identify and flag unprotected access to annotated fields.
checklocks/cmd/checklocks
Binary checklocks is a `vettool` for `go vet`.
Binary checklocks is a `vettool` for `go vet`.
checklocks/test
Package test is a test package.
Package test is a test package.
checklocks/test/crosspkg
Package crosspkg is a second package for testing.
Package crosspkg is a second package for testing.
checkunsafe
Package checkunsafe allows unsafe imports only in files named appropriately.
Package checkunsafe allows unsafe imports only in files named appropriately.
constraintutil
Package constraintutil provides utilities for working with Go build constraints.
Package constraintutil provides utilities for working with Go build constraints.
embeddedbinary/test
helloworld_bundler bundles helloworld_bundlee and executes it.
helloworld_bundler bundles helloworld_bundlee and executes it.
embeddedbinary/test/helloworld
helloworld_bundlee writes "Hello, gVisor!\n" to stdout.
helloworld_bundlee writes "Hello, gVisor!\n" to stdout.
github
Binary github is the entry point for GitHub utilities.
Binary github is the entry point for GitHub utilities.
github/reviver
Package reviver scans the code looking for TODOs and passes them to registered Buggers to ensure TODOs point to active issues.
go_fieldenum
Binary fieldenum emits field bitmasks for all structs in a package marked "+fieldenum".
go_generics
go_generics reads a Go source file and writes a new version of that file with a few transformations applied to each.
go_generics/globals
Package globals provides an AST visitor that calls the visit function for all global identifiers.
go_marshal
go_marshal is a code generation utility for automatically generating code to marshal go data structures to memory.
go_marshal/analysis
Package analysis implements common functionality used by generated go_marshal tests.
go_marshal/gomarshal
Package gomarshal implements the go_marshal code generator.
go_marshal/test
Package test contains data structures for testing the go_marshal tool.
go_marshal/test/escape
Package escape contains test cases for escape analysis.
go_marshal/test/external
Package external defines types we can import for testing.
go_stateify
Stateify provides a simple way to generate Load/Save methods based on existing types and struct tags.
gpu
Package main downloads and installs drivers.
gpu/drivers
Package drivers contains methods to download and install drivers.
gvisor_k8s_tool
gvisor_k8s_tool is a command-line tool to interact with gVisor in Kubernetes clusters.
gvisor_k8s_tool/cluster
Package cluster provides functions for dealing with Kubernetes clusters.
gvisor_k8s_tool/cmd/install
Package install provides a function to install gVisor in a k8s cluster.
gvisor_k8s_tool/provider/clusterflag
Package clusterflag implements a flag.Value which can be used in commands to represent a Kubernetes cluster.
gvisor_k8s_tool/provider/gke
Package gke contains functions to interact with Google Kubernetes Engine.
gvisor_k8s_tool/provider/kubectl
Package kubectl contains functions to interact with Kubernetes clusters controlled using kubectl configurations.
gvisor_k8s_tool/spec
Package spec contains Kubernetes object specifications for gVisor setup.
gvisor_k8s_tool/util
Package util contains utility functions for gvisor_k8s_tools.
ioctl_sniffer
Package main sets up the ioctl sniffer and runs a given command.
ioctl_sniffer/sniffer
Package sniffer parses the output of the ioctl hook.
nogo
Binary nogo performs static analysis.
nogo/check
Package check implements binary analysis similar to bazel's nogo, or the unitchecker package.
nogo/cli
Package cli implements a basic command line interface.
nogo/config
Package config defines a filter configuration for nogo findings.
nogo/facts
Package facts implements alternate fact types.
nogo/flags
Package flags contains globally-visible flags.
nogo/sanity
Package sanity provides a basic sanity test.
profiletool
profiletool deals with pprof profiles.
stucktasks
Package main implements a tool to help troubleshoot watchdog dumps.
tracereplay
Package tracereplay implements a tool that can save and replay messages issued from remote.Remote.
tracereplay/main
Package main implements a tool that can save and replay messages issued from remote.Remote.
xdp
The xdp_loader tool is used to load compiled XDP object files into the XDP hook of a net device.
xdp/cmd
Package cmd implements the subcommands of xdp_loader.
yamltest
Binary yamltest does strict yaml parsing and validation.
Binary main serves a mutating Kubernetes webhook.
pkg/cli
Package cli provides a CLI interface for a mutating Kubernetes webhook.
pkg/injector
Package injector handles mutating webhook operations.
website
cmd/server
Server is the main gvisor.dev binary.
cmd/syscalldocs
Binary syscalldocs generates system call markdown.