Kevin Krakauer

Took a look -- it's not obvious to me where the concurrent write is that isn't taking the lock. Is there perhaps more output, e.g. other goroutine stacks in the...

Yeah, I think this is unresolved. Started, then forgotten during leave. Will pick it back up.

Per the [x86_64 syscall table](https://github.com/torvalds/linux/blob/42226c989789d8da4af1de0c31070c96726d990c/arch/x86/entry/syscalls/syscall_64.tbl#L363), this is a call to `faccessat2`. Because the syscall is relatively new, most likely the code is attempting to use it, then falling back to...

gVisor probably won't want to silence this. Some things we do silence, e.g. https://github.com/google/gvisor/commit/007a91a911084e46efffc4e2531ff8dee5cf1917. That commit can safely be silenced because use of `SO_RCVLOWAT` doesn't affect correctness. But it's possible...

Looks like we actually don't reject packets for being larger than the unscaled window. Because `tcpconntrack` was written pre-`PacketBuffer`, it assumes that passed-in `header.TCP` buffers also contain the payload. You...

Fixed by 5e984d5aa2c3f98934040e199d460c74744e5799.

@nixprime WDYT?

Also testing on M1. Two ways to deal with this: - Quick way: newer versions of gVisor appear not to have this problem. The following commands update the gVisor module...

This is a tough problem to solve. At a high level: putting an application inside gVisor sandboxes it, but Compose puts the DNS server outside the sandbox. I don't know...

I'm not sure of a generic way to do it, but it could certainly be done. Note that I'm not familiar with Docker Compose, so I'm not sure how difficult...