tksadik92/wrenn-releases
1
0
Fork 0
forked from wrenn/wrenn
Code Pull Requests Activity

Replace gopsutil port scanner with direct /proc/net/tcp reading

Browse Source 
The envd port scanner used gopsutil's net.Connections() which walks
/proc/{pid}/fd to enumerate socket inodes. This corrupts Go runtime
semaphore state when the VM is paused mid-operation and restored from
a Firecracker snapshot.

Replace with a direct /proc/net/tcp + /proc/net/tcp6 parser that reads
a single file per address family — no /proc/{pid}/fd walk, no goroutines,
no WaitGroups. Also replace concurrent-map (smap) in the scanner with a
plain sync.RWMutex-protected map, since concurrent-map's Items() spawns
goroutines with a WaitGroup internally, which is equally unsafe across
snapshot boundaries.

Use socket inode instead of PID for the port forwarding map key, since
inode is available directly from /proc/net/tcp without the fd walk.
This commit is contained in:
Rafeed M. Bhuiyan
2026-04-01 15:47:28 +06:00
parent 2b4c5e0176
commit 8b5fa3438e
5 changed files with 216 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
envd/internal/port/scanSubscriber.go
View File

@ -4,7 +4,6 @@ package port
import (
"github.com/rs/zerolog"
"github.com/shirou/gopsutil/v4/net"
)
// If we want to create a listener/subscriber pattern somewhere else we should move
@ -13,7 +12,7 @@ import (
type ScannerSubscriber struct {
logger *zerolog.Logger
filter *ScannerFilter
Messages chan ([]net.ConnectionStat)
Messages chan ([]ConnStat)
id string
}
@ -22,7 +21,7 @@ func NewScannerSubscriber(logger *zerolog.Logger, id string, filter *ScannerFilt
logger: logger,
id: id,
filter: filter,
Messages: make(chan []net.ConnectionStat),
Messages: make(chan []ConnStat),
}
}
@ -34,17 +33,17 @@ func (ss *ScannerSubscriber) Destroy() {
close(ss.Messages)
}
func (ss *ScannerSubscriber) Signal(proc []net.ConnectionStat) {
func (ss *ScannerSubscriber) Signal(conns []ConnStat) {
// Filter isn't specified. Accept everything.
if ss.filter == nil {
ss.Messages <- proc
ss.Messages <- conns
} else {
filtered := []net.ConnectionStat{}
for i := range proc {
filtered := []ConnStat{}
for i := range conns {
// We need to access the list directly otherwise there will be implicit memory aliasing
// If the filter matched a process, we will send it to a channel.
if ss.filter.Match(&proc[i]) {
filtered = append(filtered, proc[i])
// If the filter matched a connection, we will send it to a channel.
if ss.filter.Match(&conns[i]) {
filtered = append(filtered, conns[i])
}
}
ss.Messages <- filtered