syd 3.52.0

rock-solid application kernel
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194

# Contributing

Want to contribute? Great! First, read this page.

### Contributor License Agreement

Contributions to this project must be accompanied by a Contributor License
Agreement. You (or your employer) retain the copyright to your contribution;
this simply gives us permission to use and redistribute your contributions as
part of the project. Head over to <https://cla.developers.google.com/> to see
your current agreements on file or to sign a new one.

You generally only need to submit a CLA once, so if you've already submitted one
(even if it was for a different project), you probably don't need to do it
again.

### AI tool Use

We expect our contributors to embrace AI tools.

This policy ensures that AI-generated contributions are always guided,
validated, and owned by a skilled human, promoting better software and a
stronger community than policing how code gets written.

#### Policy

While contributors can use any AI tools to create their contributions, **human
oversight is mandatory**. All AI-generated content must be thoroughly reviewed
by the contributor before being submitted for review. The contributor remains
the sole author and is fully responsible for the contribution's accuracy,
quality, and maintainability. **AI should augment your abilities, not replace
your critical judgment.** Contributors should ensure their work meets a high
standard before seeking review, respecting maintainers' time, and must be
**prepared to discuss and justify their contributions** during the review
process.

#### Label AI-assisted Work

**Transparently label all contributions containing substantial AI-generated
content.** This should be done in the pull request description, commit message,
or any standard authorship area, for example, by adding

`Assisted-by: Gemini CLI`

to your commit message.

Such transparency is crucial for the community to understand and build best
practices around AI tool usage. This policy includes, but is not limited to:

-   Code changes in a pull request
-   Issues or security vulnerabilities
-   Comments and feedback on pull requests or issues

### Using GOPATH

Some editors may require the code to be structured in a `GOPATH` directory tree.
In this case, you may use the `:gopath` target to generate a directory tree with
symlinks to the original source files.

```
bazel build :gopath
```

You can then set the `GOPATH` in your editor to `bazel-bin/gopath`.

If you use this mechanism, keep in mind that the generated tree is not the
canonical source. You will still need to build and test with `bazel`. New files
will need to be added to the appropriate `BUILD` files, and the `:gopath` target
will need to be re-run to generate appropriate symlinks in the `GOPATH`
directory tree.

Dependencies can be added by using `go get`. In order to keep the `WORKSPACE`
file in sync, run `bazel run //:gazelle -- update-repos -from_file=go.mod` in
place of `go mod`.

### Coding Guidelines

All code should comply with the [style guide](g3doc/style.md). Note that code
may be automatically formatted per the guidelines when merged.

As a secure runtime, we need to maintain the safety of all of code included in
gVisor. The following rules help mitigate issues.

Definitions for the rules below:

`core`:

*   `//pkg/sentry/...`
*   Transitive dependencies in `//pkg/...`, etc.

`runsc`:

*   `//runsc/...`

Rules:

*   No cgo in `core` or `runsc`. The final binary must be a statically-linked
    pure Go binary.

*   Any files importing "unsafe" must have a name ending in `_unsafe.go`.

*   `core` may only depend on the following packages:

    *   Itself.
    *   Go standard library.
    *   `@org_golang_x_sys//unix:go_default_library` (Go import
        `golang.org/x/sys/unix`).
    *   `@org_golang_x_time//rate:go_default_library` (Go import
        `golang.org/x/time/rate`).
    *   `@com_github_google_btree//:go_default_library"` (Go import
        `github.com/google/btree`).
    *   Generated Go protobuf packages.
    *   `@org_golang_google_protobuf//proto:go_default_library` (Go import
        `google.golang.org/protobuf`).

*   `runsc` may only depend on the following packages:

    *   All packages allowed for `core`.
    *   `@com_github_google_subcommands//:go_default_library` (Go import
        `github.com/google/subcommands`).
    *   `@com_github_opencontainers_runtime_spec//specs_go:go_default_library`
        (Go import `github.com/opencontainers/runtime-spec/specs_go`).

*   For performance reasons, `runsc boot` may not run the `netpoller` goroutine.

### Code reviews

Before sending code reviews, run `bazel test ...` to ensure tests are passing.

Code changes are accepted via [pull request][github].

When iterating on a pull request, please amend your commit rather than creating
new commits on the same branch. Our merge bot applies all commits from the
branch to master and does not yet support squash merging. If you'd like to
submit a pull request with multiple commits, please ensure they are independent,
logical units of work that can be applied separately.

When approved, the change will be submitted by a team member and automatically
merged into the repository.

### Presubmit checks

Accessing check logs may require membership in the
[gvisor-dev mailing list][gvisor-dev-list], which is public.

### Bug IDs

Some TODOs and NOTEs sprinkled throughout the code have associated IDs of the
form `b/1234`. These correspond to bugs in our internal bug tracker. Eventually
these bugs will be moved to the GitHub Issues, but until then they can simply be
ignored.

### Build and test with Docker

Running `make dev` is a convenient way to build and install `runsc` as a Docker
runtime. The output of this command will show the runtimes installed.

You may use `make refresh` to refresh the binary after any changes. For example:

```bash
make dev
docker run --rm --runtime=my-branch --rm hello-world
make refresh
```

### Update golang dependencies

First, we need to update dependencies in the go.mod and go.sum files. To do
that, we should checkout the go branch and update dependencies using the go get
tool.

```bash
git checkout origin/go
go get golang.org/x/net
```

Next, we should checkout the master branch and update dependencies in the
WORKSPACE file using the Gazelle tool.

```bash
git checkout origin/master
bazel run //:gazelle -- update-repos -from_file=go.mod
```

### The small print

Contributions made by corporations are covered by a different agreement than the
one above, the
[Software Grant and Corporate Contributor License Agreement][gccla].

[gcla]: https://cla.developers.google.com/about/google-individual
[gccla]: https://cla.developers.google.com/about/google-corporate
[github]: https://github.com/google/gvisor/compare
[gvisor-dev-list]: https://groups.google.com/forum/#!forum/gvisor-dev