Merge branch 'master' into fix/tmpdir-sandbox-env

Author: a7i

.buildkite/hooks/pre-command

@@ -95,7 +95,7 @@ if [[ "${BUILDKITE_PIPELINE_INSTALL_RUNTIME:-}" == "true" ]]; then
   if [[ -n "${STAGED_BINARIES:-}" ]]; then
     # Used `runsc` from STAGED_BINARIES instead of building it from scratch.
     export BUILDKITE_STAGED_BINARIES_DIRECTORY="$(mktemp -d)"
-    gsutil cat "$STAGED_BINARIES" \
+    gcloud storage cat "$STAGED_BINARIES" \
       | tar -C "$BUILDKITE_STAGED_BINARIES_DIRECTORY" -zxvf - runsc
     chmod +x "$BUILDKITE_STAGED_BINARIES_DIRECTORY/runsc"
     sudo "$BUILDKITE_STAGED_BINARIES_DIRECTORY/runsc" install \

.buildkite/release.yaml

@@ -50,7 +50,7 @@ steps:
       - "make BAZEL_OPTIONS='--config=x86_64 --compilation_mode=opt' artifacts/x86_64"
       - "make BAZEL_OPTIONS='--config=aarch64 --compilation_mode=opt' artifacts/aarch64"
       - make release RELEASE_NIGHTLY=$$RELEASE_NIGHTLY
-      - cd repo && gsutil cp -r . gs://gvisor/releases/
+      - cd repo && gcloud storage cp --recursive . gs://gvisor/releases/
   - <<: *common
     label: ":ship: Website Deploy"
     if: build.branch == "master" && build.tag == null

Makefile

@@ -136,7 +136,7 @@ $(RUNTIME_BIN): # See below.
 ifeq (,$(STAGED_BINARIES))
 	@$(call copy,$(RUNSC_TARGET),$(RUNTIME_BIN))
 else
-	gsutil cat "${STAGED_BINARIES}" | \
+	gcloud storage cat "${STAGED_BINARIES}" | \
 	  tar -C "$(RUNTIME_DIR)" -zxvf - runsc && \
 	  chmod a+rx "$(RUNTIME_BIN)"
 endif
@@ -479,7 +479,7 @@ ifeq (,$(STAGED_BINARIES))
 	sudo mv $$T/containerd-shim-runsc-v1 "$$(dirname $$(which containerd))"; \
 	rm -rf $$T)
 else
-	gsutil cat "$(STAGED_BINARIES)" | \
+	gcloud storage cat "$(STAGED_BINARIES)" | \
 		sudo tar -C "$$(dirname $$(which containerd))" -zxvf - containerd-shim-runsc-v1
 endif
 	@$(call sudo,test/root:root_test,--runtime=$(RUNTIME) -test.v)

images/gpu/triton/Dockerfile.x86_64

@@ -2,9 +2,12 @@
 # Fetches model/tokenizer assets from GCS
 FROM google/cloud-sdk:541.0.0-slim AS downloader
 RUN gcloud config set auth/disable_credentials true
-RUN gsutil -m cp -r gs://gvisor/tests/models/llama-2-7b-chat-hf /
+# Workaround: gcloud storage crashes when copying directly to root ('/').
+# We pre-create the directory and use /* to copy contents without nesting.
+RUN mkdir -p /llama-2-7b-chat-hf
+RUN gcloud storage cp --recursive gs://gvisor/tests/models/llama-2-7b-chat-hf/* /llama-2-7b-chat-hf/
 RUN mkdir -p /engines
-RUN gsutil -m cp -r gs://gvisor/tests/l4/engines/llama-2-7b-chat-hf /engines/
+RUN gcloud storage cp --recursive gs://gvisor/tests/l4/engines/llama-2-7b-chat-hf /engines/
 
 # --- Builder Stage for TensorRT-LLM ---
 # This stage uses 'git sparse-checkout' to download *only* the

pkg/sentry/fsimpl/user/path.go

@@ -72,9 +72,13 @@ func ResolveExecutablePath(ctx context.Context, args *kernel.CreateProcessArgs)
 	return f, nil
 }
 
+// resolve searches for an executable in the given PATH directories.
+// Error handling follows glibc execvpe() (posix/execvpe.c).
 func resolve(ctx context.Context, creds *auth.Credentials, mns *vfs.MountNamespace, paths []string, name string) (string, error) {
 	root := mns.Root(ctx)
 	defer root.DecRef(ctx)
+	gotEACCES := false
+	lastErr := error(linuxerr.ENOENT)
 	for _, p := range paths {
 		if !path.IsAbs(p) {
 			// Relative paths aren't safe, no one should be using them.
@@ -94,20 +98,31 @@ func resolve(ctx context.Context, creds *auth.Credentials, mns *vfs.MountNamespa
 			Flags:    linux.O_RDONLY,
 		}
 		dentry, err := root.Mount().Filesystem().VirtualFilesystem().OpenAt(ctx, creds, pop, opts)
-		if linuxerr.Equals(linuxerr.ENOENT, err) || linuxerr.Equals(linuxerr.EACCES, err) {
-			// Didn't find it here.
-			continue
+		if err == nil {
+			dentry.DecRef(ctx)
+			return binPath, nil
 		}
-		if err != nil {
+
+		// Preserve the last error, matching glibc's errno semantics.
+		lastErr = err
+		switch {
+		case linuxerr.Equals(linuxerr.EACCES, err):
+			gotEACCES = true
+		case linuxerr.Equals(linuxerr.ENOENT, err),
+			linuxerr.Equals(linuxerr.ESTALE, err),
+			linuxerr.Equals(linuxerr.ENOTDIR, err),
+			linuxerr.Equals(linuxerr.ENODEV, err),
+			linuxerr.Equals(linuxerr.ETIMEDOUT, err):
+			// Skip to next PATH entry.
+		default:
 			return "", err
 		}
-		dentry.DecRef(ctx)
-
-		return binPath, nil
 	}
 
-	// Couldn't find it.
-	return "", linuxerr.ENOENT
+	if gotEACCES {
+		return "", linuxerr.EACCES
+	}
+	return "", lastErr
 }
 
 // getPath returns the PATH as a slice of strings given the environment

pkg/sentry/fsimpl/user/user_test.go

@@ -436,3 +436,158 @@ func TestGetExecUIDGIDFromUser(t *testing.T) {
 		})
 	}
 }
+
+// newResolveTestVFS creates a tmpfs-backed VFS for resolve() tests.
+func newResolveTestVFS(t *testing.T) (context.Context, *auth.Credentials, *vfs.VirtualFilesystem, *vfs.MountNamespace, vfs.VirtualDentry) {
+	t.Helper()
+	ctx := contexttest.Context(t)
+	creds := auth.CredentialsFromContext(ctx)
+
+	vfsObj := &vfs.VirtualFilesystem{}
+	if err := vfsObj.Init(ctx); err != nil {
+		t.Fatalf("VFS init: %v", err)
+	}
+	vfsObj.MustRegisterFilesystemType("tmpfs", tmpfs.FilesystemType{}, &vfs.RegisterFilesystemTypeOptions{
+		AllowUserMount: true,
+	})
+	mns, err := vfsObj.NewMountNamespace(ctx, creds, "", "tmpfs", &vfs.MountOptions{}, nil)
+	if err != nil {
+		t.Fatalf("failed to create tmpfs root mount: %v", err)
+	}
+	root := mns.Root(ctx)
+	return ctx, creds, vfsObj, mns, root
+}
+
+// createFile creates a regular file at the given path in the test VFS.
+func createFile(t *testing.T, ctx context.Context, creds *auth.Credentials, vfsObj *vfs.VirtualFilesystem, root vfs.VirtualDentry, filePath string, mode uint16) {
+	t.Helper()
+	pop := vfs.PathOperation{
+		Root:  root,
+		Start: root,
+		Path:  fspath.Parse(filePath),
+	}
+	fd, err := vfsObj.OpenAt(ctx, creds, &pop, &vfs.OpenOptions{
+		Flags: linux.O_CREAT | linux.O_WRONLY,
+		Mode:  linux.S_IFREG | linux.FileMode(mode),
+	})
+	if err != nil {
+		t.Fatalf("failed to create %s: %v", filePath, err)
+	}
+	fd.DecRef(ctx)
+}
+
+// createDir creates a directory at the given path in the test VFS.
+func createDir(t *testing.T, ctx context.Context, creds *auth.Credentials, vfsObj *vfs.VirtualFilesystem, root vfs.VirtualDentry, dirPath string) {
+	t.Helper()
+	pop := vfs.PathOperation{
+		Root:  root,
+		Start: root,
+		Path:  fspath.Parse(dirPath),
+	}
+	if err := vfsObj.MkdirAt(ctx, creds, &pop, &vfs.MkdirOptions{Mode: 0755}); err != nil {
+		t.Fatalf("failed to create directory %s: %v", dirPath, err)
+	}
+}
+
+// TestResolveExecutablePath tests that resolve() follows glibc execvpe()
+// semantics for handling errors during PATH search:
+//   - ENOENT, ENOTDIR, ESTALE, ENODEV, ETIMEDOUT: skip to next PATH entry.
+//   - EACCES: record and continue; if no executable is found, return EACCES
+//     instead of ENOENT.
+//   - Any other error: stop and return immediately.
+//
+// Reference: glibc posix/execvpe.c __execvpe_common().
+func TestResolveExecutablePath(t *testing.T) {
+	ctx, creds, vfsObj, mns, root := newResolveTestVFS(t)
+	defer mns.DecRef(ctx)
+	defer root.DecRef(ctx)
+
+	// Layout:
+	//   /not_a_dir       — regular file (triggers ENOTDIR)
+	//   /bin/myexec      — executable
+	createFile(t, ctx, creds, vfsObj, root, "not_a_dir", 0755)
+	createDir(t, ctx, creds, vfsObj, root, "bin")
+	createFile(t, ctx, creds, vfsObj, root, "bin/myexec", 0755)
+
+	t.Run("SkipENOTDIR", func(t *testing.T) {
+		// /not_a_dir/myexec → ENOTDIR, should skip and find /bin/myexec.
+		got, err := resolve(ctx, creds, mns, []string{"/not_a_dir", "/bin"}, "myexec")
+		if err != nil {
+			t.Fatalf("resolve failed: %v", err)
+		}
+		if got != "/bin/myexec" {
+			t.Fatalf("expected /bin/myexec, got %v", got)
+		}
+	})
+
+	t.Run("SkipENOENT", func(t *testing.T) {
+		// /nonexistent doesn't exist → ENOENT, should skip and find /bin/myexec.
+		got, err := resolve(ctx, creds, mns, []string{"/nonexistent", "/bin"}, "myexec")
+		if err != nil {
+			t.Fatalf("resolve failed: %v", err)
+		}
+		if got != "/bin/myexec" {
+			t.Fatalf("expected /bin/myexec, got %v", got)
+		}
+	})
+
+	t.Run("AllMissReturnENOENT", func(t *testing.T) {
+		// PATH has ENOTDIR then ENOENT. glibc preserves the last errno
+		// from execve(), which is ENOENT from /nonexistent.
+		_, err := resolve(ctx, creds, mns, []string{"/not_a_dir", "/nonexistent"}, "myexec")
+		if !linuxerr.Equals(linuxerr.ENOENT, err) {
+			t.Fatalf("expected ENOENT, got: %v", err)
+		}
+	})
+
+	t.Run("OnlyENOTDIR", func(t *testing.T) {
+		// All PATH entries are files (not directories) → ENOTDIR.
+		// glibc preserves the last errno, which is ENOTDIR.
+		_, err := resolve(ctx, creds, mns, []string{"/not_a_dir"}, "myexec")
+		if !linuxerr.Equals(linuxerr.ENOTDIR, err) {
+			t.Fatalf("expected ENOTDIR, got: %v", err)
+		}
+	})
+
+	t.Run("EACCESReturnedOverENOENT", func(t *testing.T) {
+		// Create a file that exists but is not executable (mode 0644).
+		// The first PATH entry will fail with EACCES, and the second
+		// with ENOENT. Per glibc, EACCES should be returned.
+		createDir(t, ctx, creds, vfsObj, root, "noperm")
+		createFile(t, ctx, creds, vfsObj, root, "noperm/myexec", 0644)
+
+		_, err := resolve(ctx, creds, mns, []string{"/noperm", "/nonexistent"}, "myexec")
+		if !linuxerr.Equals(linuxerr.EACCES, err) {
+			t.Fatalf("expected EACCES, got: %v", err)
+		}
+	})
+
+	t.Run("EACCESThenFound", func(t *testing.T) {
+		// EACCES in first entry, but found in second → success.
+		got, err := resolve(ctx, creds, mns, []string{"/noperm", "/bin"}, "myexec")
+		if err != nil {
+			t.Fatalf("resolve failed: %v", err)
+		}
+		if got != "/bin/myexec" {
+			t.Fatalf("expected /bin/myexec, got %v", got)
+		}
+	})
+
+	t.Run("EmptyPATH", func(t *testing.T) {
+		_, err := resolve(ctx, creds, mns, nil, "myexec")
+		if !linuxerr.Equals(linuxerr.ENOENT, err) {
+			t.Fatalf("expected ENOENT, got: %v", err)
+		}
+	})
+
+	t.Run("SkipRelativePath", func(t *testing.T) {
+		// Relative paths should be skipped.
+		got, err := resolve(ctx, creds, mns, []string{"relative", "/bin"}, "myexec")
+		if err != nil {
+			t.Fatalf("resolve failed: %v", err)
+		}
+		if got != "/bin/myexec" {
+			t.Fatalf("expected /bin/myexec, got %v", got)
+		}
+	})
+}

pkg/shim/v1/extension/extension.go

@@ -26,6 +26,11 @@ import (
 // extension should not handle this task request. Returning an error will fail the task request.
 var NewExtension func(ctx context.Context, next TaskServiceExt, req *task.CreateTaskRequest) (TaskServiceExt, error)
 
+// NewPodExtension registers an extension constructor which is used when grouping is enabled.
+// It may return nil, nil to indicate that the extension should not handle this task request.
+// Returning an error will fail the task request.
+var NewPodExtension func(ctx context.Context, next TaskServiceExt) (TaskServiceExt, error)
+
 // FSRestoreConfig is the configuration for a FS restore request.
 type FSRestoreConfig struct {
 	ImagePath string

pkg/shim/v1/service.go

@@ -69,6 +69,7 @@ func New(ctx context.Context, id string, publisher shim.Publisher, cancel func()
 		s.shimAddress = address
 	}
 
+	s.grouping = getEnableGrouping()
 	return s, nil
 }
 
@@ -109,6 +110,9 @@ type service struct {
 	//
 	// Protected by mu.
 	ext extension.TaskServiceExt
+
+	// grouping indicates if shim grouping is enabled.
+	grouping bool
 }
 
 var _ shim.Shim = (*service)(nil)
@@ -290,22 +294,37 @@ func (s *service) Cleanup(ctx context.Context) (*taskapi.DeleteResponse, error)
 func (s *service) Create(ctx context.Context, r *taskapi.CreateTaskRequest) (*taskapi.CreateTaskResponse, error) {
 	log.L.Debugf("Create, id: %s, bundle: %q", r.ID, r.Bundle)
 
-	// Check if we need to create an extension to intercept calls to the container's shim.
-	if extension.NewExtension != nil {
-		s.mu.Lock()
-		var err error
-		s.ext, err = extension.NewExtension(ctx, s.main, r)
-		if err != nil {
-			s.mu.Unlock()
-			return nil, err
+	s.mu.Lock()
+	if s.grouping {
+		// Create shim extension if required.
+		if s.ext == nil && extension.NewPodExtension != nil {
+			log.L.Infof("Create shim extension per pod")
+			var err error
+			s.ext, err = extension.NewPodExtension(ctx, s.main)
+			if err != nil {
+				log.L.Debugf("Creating shim extension per pod failed with error: %v", err)
+				s.mu.Unlock()
+				return nil, err
+			}
 		}
-		if s.ext == nil {
-			log.L.Debugf("No extension created for container")
-		} else {
-			log.L.Infof("Extension created for container")
+	} else {
+		// Check if we need to create an extension to intercept calls to the container's shim.
+		if extension.NewExtension != nil {
+			log.L.Infof("Create shim extension per container")
+			var err error
+			s.ext, err = extension.NewExtension(ctx, s.main, r)
+			if err != nil {
+				s.mu.Unlock()
+				return nil, err
+			}
 		}
-		s.mu.Unlock()
 	}
+	if s.ext == nil {
+		log.L.Debugf("No extension created")
+	} else {
+		log.L.Infof("Extension created")
+	}
+	s.mu.Unlock()
 
 	resp, err := s.get().Create(ctx, r)
 	return resp, errdefs.ToGRPC(err)

runsc/sandbox/BUILD

@@ -72,7 +72,17 @@ go_test(
     size = "small",
     srcs = [
         "memory_test.go",
+<<<<<<< fix/tmpdir-sandbox-env
         "sandbox_env_test.go",
+=======
+        "network_test.go",
+>>>>>>> master
     ],
     library = ":sandbox",
+    deps = [
+        "//runsc/boot",
+        "//runsc/config",
+        "@com_github_vishvananda_netlink//:go_default_library",
+        "@org_golang_x_sys//unix:go_default_library",
+    ],
 )