Robert Swiecki
d99e530134
cmdline: log to stdout if -h or --help was used
2023-10-02 21:12:08 +02:00
Robert Swiecki
f388cad3e0
contain: use prlimit64 instead of setrlimit64 which seems to be glibc-specific, so it compiles with musl too
2023-09-29 18:11:40 +02:00
Robert Swiecki
439606be70
Makefile/indent: add AlwaysBreakBeforeMultilineStrings:false
2023-09-19 20:31:57 +02:00
Robert Swiecki
bc4e7fdd52
cmdline: constify structs
2023-09-15 15:38:37 +02:00
okunz
14f1e6852d
formatting fix
2023-06-13 11:55:54 +02:00
okunz
924c8fa9f9
Better output formatting for --help
2023-06-13 11:47:21 +02:00
Robert Swiecki
f2dc5966e3
all: unify comments on /**/
2022-11-22 22:19:05 +01:00
Andrew Haberlandt
12df56b9f1
Setup cgroup.subtree_control controllers when necessary in cgroupsv2
...
This commit adds extra setup when cgroupsv2 is enabled. In particular,
we make sure that the root namespace has setup cgroup.subtree_control
with the controllers we need.
If the necessary controller are not listed, we have to move all
processes out of the root namespace before we can change this
(the 'no internal processes' rule:
https://unix.stackexchange.com/a/713343 ). Currently we only
handle the case where the nsjail process is the only process in
the cgroup. It seems like this would be relatively rare, but since
nsjail is frequently the root process in a Docker container (e.g.
for hosting CTF challenges), I think this case is common enough to
make it worth implementing.
This also adds `--detect_cgroupv2`, which will attempt to detect
whether `--cgroupv2_mount` is a valid cgroupv2 mount, and if so
it will set `use_cgroupv2`. This is useful in containerized
environments where you may not know the kernel version ahead of time.
References:
https://github.com/redpwn/jail/blob/master/internal/cgroup/cgroup2.go
2022-11-17 17:09:40 -05:00
Robert Swiecki
c63e5b39e8
use QC() across the code
2022-08-10 15:23:53 +02:00
Robert Swiecki
9aee3dd831
Make logs more efficient by avoiding argument evaluation for LOG* if
...
it's not needed at the current level
2022-08-05 08:42:37 +02:00
Robert Swiecki
856cb0f2ec
When setting CPU affinity, take into consideration the current CPU
...
affinity set. Use only CPU numbers, which exist in the current affinity
set. Maybe fixes https://github.com/google/nsjail/issues/200
2022-08-04 19:22:33 +02:00
Patrick Steinhardt
df21a972b6
nsjail: Optionally forward fatal signals
...
Currently, we always kill children by sending them a SIGKILL signal in
case we've got a fatal signal. This is rather inflexible and forbids
some usecases where e.g. child process listen for specific signals to
shut down gracefully.
Add a new command configuration `--forward_signals` that allows the user
to opt-in to forwarding fatal signals to the child process.
2022-06-05 19:38:32 +02:00
Michał Kowalczyk
f4abf7b726
config: Add more docs for disable_tsc
2022-02-18 00:33:52 +01:00
Robert Swiecki
cdf8e8f14c
config: info about prctl(PR_SET_TSC, PR_TSC_ENABLE) being intel-only
2022-02-18 00:15:12 +01:00
Michał Kowalczyk
16b4416d75
Add disable_tsc
option
...
Implemented via prctl(PR_SET_TSC, PR_TSC_SIGSEGV, ...).
2022-02-17 23:53:13 +01:00
Philip
bf93e8a25d
cgroup2: use cgroup_mem_swap_max and cgroup_mem_memsw_max
2021-11-01 10:28:41 +01:00
Johan Kartiwa
29a556068a
Add support for setting cgroup memory.memsw.limit_in_bytes
2021-10-11 15:46:36 +02:00
James Kay
e09610e789
Allow mount options to contain colons.
...
This is particularly important for overlayfs, which allows multiple
layers to be given to `lowerdir` separated by colons: see
<https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt >,
section ‘Multiple lower layers’.
2021-10-11 15:46:16 +02:00
Colin Stolley
8a1f3b5f4d
The default rlimit_as value is 4096, not 512.
...
In 9b8d91bd7f
the default for rlimit_as
was increased to 4096 MB, but old default remained in the man page,
readme, etc. This patch corrects those spots with the right value.
2021-09-14 11:57:30 -05:00
Wiktor Garbacz
4136dd50d8
Merge branch 'use_switchroot'
2021-08-03 17:44:57 +02:00
Eli Zrihen
7aace9bdc6
rtprio, msgqueue - defaulting to 'soft'
2021-07-20 16:00:13 +03:00
Eli Zrihen
b83d6f7421
Renaming use_switchroot option with no_pivotroot
2021-07-20 15:45:58 +03:00
Eli Zrihen
9f4b4f41e7
Consistentency with RLIMIT_* constant name
2021-07-20 15:20:47 +03:00
Eli Zrihen
b6576fcde7
Adding a warning when switchroot is used
2021-07-20 10:20:23 +03:00
Eli Zrihen
0f903ba9a0
Added rt, memlock & msgq limits
2021-07-19 17:21:34 +03:00
Eli Zrihen
0e0e34c33d
Merge remote-tracking branch 'origin/HEAD' into _use_switchroot
2021-07-13 11:13:35 +03:00
Robert Swiecki
62879de5de
cmdline: clone_newcgroup -> true by default; clone_newtime should be false
2021-07-07 11:55:17 +02:00
Eli Zrihen
dab1713ac9
Added use_switchroot option
2021-06-17 14:57:01 +03:00
Robert Swiecki
2e9fd0e2e4
make indent
2021-06-16 17:44:07 +02:00
Eli Zrihen
5c8b3835b7
MACVLAN modes support
2021-06-16 16:59:12 +03:00
Robert Swiecki
d1f332b911
Enable support for clone3() and for CLONE_NEWTIME
2021-05-18 14:38:01 +02:00
Robert Swiecki
056809ed3b
Initial support for CLONE_NEWTIME
2021-05-11 14:48:45 +02:00
Ziqin Wang
5cddbaf07e
Fix typo in command line description
2021-04-03 23:31:56 +08:00
Philip Papurt
32f2287fbb
net: add support for max_conns
2021-02-09 17:13:35 -05:00
Christian Blichmann
910fb5498c
Fix a few typos.
...
These were found by external tooling while preparing the Debian package.
* Uknown -> Unknown
* Writting -> Writing
* commited -> committed
* processess -> processes
Signed-off-by: Christian Blichmann <mail@blichmann.eu>
2020-07-07 14:07:22 +02:00
Robert Swiecki
b3d544d155
config: simplify log/logfd setting
2019-10-02 19:43:58 +02:00
Robert Swiecki
e2c5c59bd3
standardize on envar vs envvar
2019-08-28 22:18:58 +02:00
robertswiecki
a0cdc71ab2
Merge pull request #120 from jaylees14/disable-rlimits
...
Add flag to disable rlimits
2019-08-19 14:26:27 +02:00
Robert Swiecki
ac6e19d4ec
Merge branch 'master' of github.com:google/nsjail
2019-08-19 11:35:17 +02:00
Robert Swiecki
f07c523543
net/cmdline: better checks for TCP port values
2019-08-19 11:34:34 +02:00
Jay Lees
86293b052e
Add flag to disable rlimits
2019-08-05 03:25:22 -07:00
Jay Lees
08f62b6f76
[cgroup-v2] support cgroup v2 for mem, cpu and pids
2019-07-26 07:02:17 -07:00
Robert Swiecki
28d2220b1e
cmdline: no need to check for nice values
2019-06-30 22:03:57 +02:00
Robert Swiecki
494a5f63cd
Add nice_level to cmd-line/config options
2019-06-30 21:50:56 +02:00
Robert Swiecki
8d9aaec7f0
cmdline: don't clear cmdline exec_file is arguments are provided on cmdline
2019-04-01 22:46:39 +02:00
Robert Swiecki
7aa8916077
cmdline: make sure that argv[0] exists
2019-04-01 22:42:14 +02:00
Robert Swiecki
2b1bad6b5b
cmdline: allow to override config cmdline with cmdline cmdline
2019-03-30 16:10:14 +01:00
Robert Swiecki
a2dacef5d7
allow to use nsjail w/o namespaces
2019-03-29 21:38:14 +01:00
disconnect3d
de872dc6b8
Fix #108 - missing cgroup_cpu_mount option setting
2019-03-05 16:41:38 -06:00
Robert Swiecki
9b8d91bd7f
incrase the default RLIMIT_AS limit to 4GiB. 512MiB is not enough for many payloas, and cgroups should be used for memory limiting anyway
2019-02-06 17:06:42 +01:00