[jackhill/guix/guix.git] / tests / containers.scm

;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015 David Thompson <davet@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (test-containers)
  #:use-module (guix utils)
  #:use-module (guix build syscalls)
  #:use-module (gnu build linux-container)
  #:use-module (srfi srfi-64)
  #:use-module (ice-9 match))

(define (assert-exit x)
  (primitive-exit (if x 0 1)))

;; Skip these tests unless user namespaces are available and the setgroups
;; file (introduced in Linux 3.19 to address a security issue) exists.
(unless (and (user-namespace-supported?)
             (unprivileged-user-namespace-supported?)
             (setgroups-supported?))
  (exit 77))

(test-begin "containers")

(test-assert "call-with-container, exit with 0 when there is no error"
  (zero?
   (call-with-container '() (const #t) #:namespaces '(user))))

(test-assert "call-with-container, user namespace"
  (zero?
   (call-with-container '()
     (lambda ()
       ;; The user is root within the new user namespace.
       (assert-exit (and (zero? (getuid)) (zero? (getgid)))))
     #:namespaces '(user))))

(test-assert "call-with-container, uts namespace"
  (zero?
   (call-with-container '()
     (lambda ()
       ;; The user is root within the container and should be able to change
       ;; the hostname of that container.
       (sethostname "test-container")
       (primitive-exit 0))
     #:namespaces '(user uts))))

(test-assert "call-with-container, pid namespace"
  (zero?
   (call-with-container '()
     (lambda ()
       (match (primitive-fork)
         (0
          ;; The first forked process in the new pid namespace is pid 2.
          (assert-exit (= 2 (getpid))))
         (pid
          (primitive-exit
           (match (waitpid pid)
             ((_ . status)
              (status:exit-val status)))))))
     #:namespaces '(user pid))))

(test-assert "call-with-container, mnt namespace"
  (zero?
   (call-with-container '(("none" device "/testing" "tmpfs" () #f #f))
     (lambda ()
       (assert-exit (file-exists? "/testing")))
     #:namespaces '(user mnt))))

(test-assert "call-with-container, all namespaces"
  (zero?
   (call-with-container '()
     (lambda ()
       (primitive-exit 0)))))

(test-assert "container-excursion"
  (call-with-temporary-directory
   (lambda (root)
     ;; Two pipes: One for the container to signal that the test can begin,
     ;; and one for the parent to signal to the container that the test is
     ;; over.
     (match (list (pipe) (pipe))
       (((start-in . start-out) (end-in . end-out))
        (define (container)
          (close end-out)
          (close start-in)
          ;; Signal for the test to start.
          (write 'ready start-out)
          (close start-out)
          ;; Wait for test completion.
          (read end-in)
          (close end-in))

        (define (namespaces pid)
          (let ((pid (number->string pid)))
            (map (lambda (ns)
                   (readlink (string-append "/proc/" pid "/ns/" ns)))
                 '("user" "ipc" "uts" "net" "pid" "mnt"))))

        (let* ((pid (run-container root '() %namespaces 1 container))
               (container-namespaces (namespaces pid))
               (result
                (begin
                  (close start-out)
                  ;; Wait for container to be ready.
                  (read start-in)
                  (close start-in)
                  (container-excursion pid
                    (lambda ()
                      ;; Fork again so that the pid is within the context of
                      ;; the joined pid namespace instead of the original pid
                      ;; namespace.
                      (match (primitive-fork)
                        (0
                         ;; Check that all of the namespace identifiers are
                         ;; the same as the container process.
                         (assert-exit
                          (equal? container-namespaces
                                  (namespaces (getpid)))))
                        (fork-pid
                         (match (waitpid fork-pid)
                           ((_ . status)
                            (primitive-exit
                             (status:exit-val status)))))))))))
          (close end-in)
          ;; Stop the container.
          (write 'done end-out)
          (close end-out)
          (waitpid pid)
          (zero? result)))))))

(test-end)

\f
(exit (= (test-runner-fail-count (test-runner-current)) 0))
Commit	Line	Data
c1f6a0c2 DT	1	;;; GNU Guix --- Functional package management for GNU
	2	;;; Copyright © 2015 David Thompson <davet@gnu.org>
	3	;;;
	4	;;; This file is part of GNU Guix.
	5	;;;
	6	;;; GNU Guix is free software; you can redistribute it and/or modify it
	7	;;; under the terms of the GNU General Public License as published by
	8	;;; the Free Software Foundation; either version 3 of the License, or (at
	9	;;; your option) any later version.
	10	;;;
	11	;;; GNU Guix is distributed in the hope that it will be useful, but
	12	;;; WITHOUT ANY WARRANTY; without even the implied warranty of
	13	;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	;;; GNU General Public License for more details.
	15	;;;
	16	;;; You should have received a copy of the GNU General Public License
	17	;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
	18
	19	(define-module (test-containers)
	20	#:use-module (guix utils)
	21	#:use-module (guix build syscalls)
	22	#:use-module (gnu build linux-container)
	23	#:use-module (srfi srfi-64)
	24	#:use-module (ice-9 match))
	25
	26	(define (assert-exit x)
	27	(primitive-exit (if x 0 1)))
	28
bc459b61 DT	29	;; Skip these tests unless user namespaces are available and the setgroups
bc459b61 DT	30	;; file (introduced in Linux 3.19 to address a security issue) exists.
b7d48312 DT	31	(unless (and (user-namespace-supported?)
	32	(unprivileged-user-namespace-supported?)
	33	(setgroups-supported?))
8bff3d1e DT	34	(exit 77))
8bff3d1e DT	35
c1f6a0c2 DT	36	(test-begin "containers")
c1f6a0c2 DT	37
a72ccbc2 DT	38	(test-assert "call-with-container, exit with 0 when there is no error"
	39	(zero?
	40	(call-with-container '() (const #t) #:namespaces '(user))))
	41
c1f6a0c2 DT	42	(test-assert "call-with-container, user namespace"
	43	(zero?
	44	(call-with-container '()
	45	(lambda ()
	46	;; The user is root within the new user namespace.
	47	(assert-exit (and (zero? (getuid)) (zero? (getgid)))))
	48	#:namespaces '(user))))
	49
	50	(test-assert "call-with-container, uts namespace"
	51	(zero?
	52	(call-with-container '()
	53	(lambda ()
	54	;; The user is root within the container and should be able to change
	55	;; the hostname of that container.
	56	(sethostname "test-container")
	57	(primitive-exit 0))
	58	#:namespaces '(user uts))))
	59
	60	(test-assert "call-with-container, pid namespace"
	61	(zero?
	62	(call-with-container '()
	63	(lambda ()
	64	(match (primitive-fork)
	65	(0
	66	;; The first forked process in the new pid namespace is pid 2.
	67	(assert-exit (= 2 (getpid))))
	68	(pid
	69	(primitive-exit
	70	(match (waitpid pid)
	71	((_ . status)
	72	(status:exit-val status)))))))
	73	#:namespaces '(user pid))))
	74
	75	(test-assert "call-with-container, mnt namespace"
	76	(zero?
	77	(call-with-container '(("none" device "/testing" "tmpfs" () #f #f))
	78	(lambda ()
	79	(assert-exit (file-exists? "/testing")))
	80	#:namespaces '(user mnt))))
	81
	82	(test-assert "call-with-container, all namespaces"
	83	(zero?
	84	(call-with-container '()
	85	(lambda ()
	86	(primitive-exit 0)))))
	87
	88	(test-assert "container-excursion"
	89	(call-with-temporary-directory
	90	(lambda (root)
	91	;; Two pipes: One for the container to signal that the test can begin,
	92	;; and one for the parent to signal to the container that the test is
	93	;; over.
	94	(match (list (pipe) (pipe))
	95	(((start-in . start-out) (end-in . end-out))
	96	(define (container)
	97	(close end-out)
	98	(close start-in)
	99	;; Signal for the test to start.
	100	(write 'ready start-out)
	101	(close start-out)
	102	;; Wait for test completion.
	103	(read end-in)
	104	(close end-in))
	105
106	(define (namespaces pid)
107	(let ((pid (number->string pid)))
108	(map (lambda (ns)
109	(readlink (string-append "/proc/" pid "/ns/" ns)))
110	'("user" "ipc" "uts" "net" "pid" "mnt"))))
111
831bc146	112	(let* ((pid (run-container root '() %namespaces 1 container))
c1f6a0c2 DT	113	(container-namespaces (namespaces pid))
	114	(result
	115	(begin
	116	(close start-out)
	117	;; Wait for container to be ready.
	118	(read start-in)
	119	(close start-in)
	120	(container-excursion pid
	121	(lambda ()
	122	;; Fork again so that the pid is within the context of
	123	;; the joined pid namespace instead of the original pid
	124	;; namespace.
	125	(match (primitive-fork)
	126	(0
	127	;; Check that all of the namespace identifiers are
	128	;; the same as the container process.
	129	(assert-exit
	130	(equal? container-namespaces
	131	(namespaces (getpid)))))
	132	(fork-pid
	133	(match (waitpid fork-pid)
	134	((_ . status)
	135	(primitive-exit
	136	(status:exit-val status)))))))))))
	137	(close end-in)
	138	;; Stop the container.
	139	(write 'done end-out)
	140	(close end-out)
	141	(waitpid pid)
	142	(zero? result)))))))
	143
	144	(test-end)
	145
	146	\f
	147	(exit (= (test-runner-fail-count (test-runner-current)) 0))