[jackhill/guix/guix.git] / tests / containers.scm

;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015 David Thompson <davet@gnu.org>
;;; Copyright © 2016, 2017, 2019, 2023 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (test-containers)
  #:use-module (guix utils)
  #:use-module (guix build syscalls)
  #:use-module (gnu build linux-container)
  #:use-module ((gnu system linux-container)
                #:select (eval/container))
  #:use-module (gnu system file-systems)
  #:use-module (guix store)
  #:use-module (guix monads)
  #:use-module (guix gexp)
  #:use-module (guix derivations)
  #:use-module (guix tests)
  #:use-module (srfi srfi-1)
  #:use-module (srfi srfi-64)
  #:use-module (ice-9 match)
  #:use-module ((ice-9 ftw) #:select (scandir)))

(define (assert-exit x)
  (primitive-exit (if x 0 1)))

(test-begin "containers")

;; Skip these tests unless user namespaces are available and the setgroups
;; file (introduced in Linux 3.19 to address a security issue) exists.
(define (skip-if-unsupported)
  (unless (and (user-namespace-supported?)
               (unprivileged-user-namespace-supported?)
               (setgroups-supported?))
    (test-skip 1)))

(skip-if-unsupported)
(test-assert "call-with-container, exit with 0 when there is no error"
  (zero?
   (call-with-container '() (const #t) #:namespaces '(user))))

(skip-if-unsupported)
(test-assert "call-with-container, user namespace"
  (zero?
   (call-with-container '()
     (lambda ()
       ;; The user is root within the new user namespace.
       (assert-exit (and (zero? (getuid)) (zero? (getgid)))))
     #:namespaces '(user))))

(skip-if-unsupported)
(test-assert "call-with-container, user namespace, guest UID/GID"
  (zero?
   (call-with-container '()
     (lambda ()
       (assert-exit (and (= 42 (getuid)) (= 77 (getgid)))))
     #:guest-uid 42
     #:guest-gid 77
     #:namespaces '(user))))

(skip-if-unsupported)
(test-assert "call-with-container, uts namespace"
  (zero?
   (call-with-container '()
     (lambda ()
       ;; The user is root within the container and should be able to change
       ;; the hostname of that container.
       (sethostname "test-container")
       (primitive-exit 0))
     #:namespaces '(user uts))))

(skip-if-unsupported)
(test-assert "call-with-container, pid namespace"
  (zero?
   (call-with-container '()
     (lambda ()
       (match (primitive-fork)
         (0
          ;; The first forked process in the new pid namespace is pid 2.
          (assert-exit (= 2 (getpid))))
         (pid
          (primitive-exit
           (match (waitpid pid)
             ((_ . status)
              (status:exit-val status)))))))
     #:namespaces '(user pid))))

(skip-if-unsupported)
(test-assert "call-with-container, mnt namespace"
  (zero?
   (call-with-container (list (file-system
                                (device "none")
                                (mount-point "/testing")
                                (type "tmpfs")
                                (check? #f)))
     (lambda ()
       (assert-exit (file-exists? "/testing")))
     #:namespaces '(user mnt))))

(skip-if-unsupported)
(test-equal "call-with-container, mnt namespace, wrong bind mount"
  `(system-error ,ENOENT)
  ;; An exception should be raised; see <http://bugs.gnu.org/23306>.
  (catch 'system-error
    (lambda ()
      (call-with-container (list (file-system
                                   (device "/does-not-exist")
                                   (mount-point "/foo")
                                   (type "none")
                                   (flags '(bind-mount))
                                   (check? #f)))
        (const #t)
        #:namespaces '(user mnt)))
    (lambda args
      (list 'system-error (system-error-errno args)))))

(skip-if-unsupported)
(test-assert "call-with-container, all namespaces"
  (zero?
   (call-with-container '()
     (lambda ()
       (primitive-exit 0)))))

(skip-if-unsupported)
(test-assert "call-with-container, mnt namespace, root permissions"
  (zero?
   (call-with-container '()
     (lambda ()
       (assert-exit (= #o755 (stat:perms (lstat "/")))))
     #:namespaces '(user mnt))))

(skip-if-unsupported)
(test-assert "container-excursion"
  (call-with-temporary-directory
   (lambda (root)
     ;; Two pipes: One for the container to signal that the test can begin,
     ;; and one for the parent to signal to the container that the test is
     ;; over.
     (match (list (pipe) (pipe))
       (((start-in . start-out) (end-in . end-out))
        (define (container)
          (close end-out)
          (close start-in)
          ;; Signal for the test to start.
          (write 'ready start-out)
          (close start-out)
          ;; Wait for test completion.
          (read end-in)
          (close end-in))

        (define (namespaces pid)
          (let ((pid (number->string pid)))
            (map (lambda (ns)
                   (readlink (string-append "/proc/" pid "/ns/" ns)))
                 '("user" "ipc" "uts" "net" "pid" "mnt"))))

        (let* ((pid (run-container root '() %namespaces 1 container))
               (container-namespaces (namespaces pid))
               (result
                (begin
                  (close start-out)
                  ;; Wait for container to be ready.
                  (read start-in)
                  (close start-in)
                  (container-excursion pid
                    (lambda ()
                      ;; Check that all of the namespace identifiers are
                      ;; the same as the container process.
                      (assert-exit
                       (equal? container-namespaces
                               (namespaces (getpid)))))))))
          (close end-in)
          ;; Stop the container.
          (write 'done end-out)
          (close end-out)
          (waitpid pid)
          (zero? result)))))))

(skip-if-unsupported)
(test-equal "container-excursion, same namespaces"
  42
  ;; The parent and child are in the same namespaces.  'container-excursion'
  ;; should notice that and avoid calling 'setns' since that would fail.
  (status:exit-val
   (container-excursion (getpid)
     (lambda ()
       (primitive-exit 42)))))

(skip-if-unsupported)
(test-assert "container-excursion*"
  (call-with-temporary-directory
   (lambda (root)
     (define (namespaces pid)
       (let ((pid (number->string pid)))
         (map (lambda (ns)
                (readlink (string-append "/proc/" pid "/ns/" ns)))
              '("user" "ipc" "uts" "net" "pid" "mnt"))))

     (let* ((pid    (run-container root '()
                                   %namespaces 1
                                   (lambda ()
                                     (sleep 100))))
            (expected (namespaces pid))
            (result (container-excursion* pid
                      (lambda ()
                        (namespaces 1)))))
       (kill pid SIGKILL)
       (equal? result expected)))))

(skip-if-unsupported)
(test-equal "container-excursion*, same namespaces"
  42
  (container-excursion* (getpid)
    (lambda ()
      (* 6 7))))

(skip-if-unsupported)
(test-equal "container-excursion*, /proc"
  '("1" "2")
  (call-with-temporary-directory
   (lambda (root)
     (let* ((pid    (run-container root '()
                                   %namespaces 1
                                   (lambda ()
                                     (sleep 100))))
            (result (container-excursion* pid
                      (lambda ()
                        ;; We expect to see exactly two processes in this
                        ;; namespace.
                        (scandir "/proc"
                                 (lambda (file)
                                   (char-set-contains?
                                    char-set:digit
                                    (string-ref file 0))))))))
       (kill pid SIGKILL)
       result))))

(skip-if-unsupported)
(test-equal "eval/container, exit status"
  42
  (let* ((store  (open-connection-for-tests))
         (status (run-with-store store
                   (eval/container #~(exit 42)))))
    (close-connection store)
    (status:exit-val status)))

(skip-if-unsupported)
(test-assert "eval/container, writable user mapping"
  (call-with-temporary-directory
   (lambda (directory)
     (define store
       (open-connection-for-tests))
     (define result
       (string-append directory "/r"))
     (define requisites*
       (store-lift requisites))

     (call-with-output-file result (const #t))
     (run-with-store store
       (mlet %store-monad ((status (eval/container
                                    #~(begin
                                        (use-modules (ice-9 ftw))
                                        (call-with-output-file "/result"
                                          (lambda (port)
                                            (write (scandir #$(%store-prefix))
                                                   port))))
                                    #:mappings
                                    (list (file-system-mapping
                                           (source result)
                                           (target "/result")
                                           (writable? #t)))))
                           (reqs   (requisites*
                                    (list (derivation->output-path
                                           (%guile-for-build))))))
         (close-connection store)
         (return (and (zero? (pk 'status status))
                      (lset= string=? (cons* "." ".." (map basename reqs))
                             (pk (call-with-input-file result read))))))))))

(skip-if-unsupported)
(test-assert "eval/container, non-empty load path"
  (call-with-temporary-directory
   (lambda (directory)
     (define store
       (open-connection-for-tests))
     (define result
       (string-append directory "/r"))
     (define requisites*
       (store-lift requisites))

     (mkdir result)
     (run-with-store store
       (mlet %store-monad ((status (eval/container
                                    (with-imported-modules '((guix build utils))
                                      #~(begin
                                          (use-modules (guix build utils))
                                          (mkdir-p "/result/a/b/c")))
                                    #:mappings
                                    (list (file-system-mapping
                                           (source result)
                                           (target "/result")
                                           (writable? #t))))))
         (close-connection store)
         (return (and (zero? status)
                      (file-is-directory?
                       (string-append result "/a/b/c")))))))))

(test-end)
Commit	Line	Data
c1f6a0c2 DT	1	;;; GNU Guix --- Functional package management for GNU
c1f6a0c2 DT	2	;;; Copyright © 2015 David Thompson <davet@gnu.org>
0ef8fe22	3	;;; Copyright © 2016, 2017, 2019, 2023 Ludovic Courtès <ludo@gnu.org>
c1f6a0c2 DT	4	;;;
	5	;;; This file is part of GNU Guix.
	6	;;;
	7	;;; GNU Guix is free software; you can redistribute it and/or modify it
	8	;;; under the terms of the GNU General Public License as published by
	9	;;; the Free Software Foundation; either version 3 of the License, or (at
	10	;;; your option) any later version.
	11	;;;
	12	;;; GNU Guix is distributed in the hope that it will be useful, but
	13	;;; WITHOUT ANY WARRANTY; without even the implied warranty of
	14	;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	15	;;; GNU General Public License for more details.
	16	;;;
	17	;;; You should have received a copy of the GNU General Public License
	18	;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
	19
	20	(define-module (test-containers)
	21	#:use-module (guix utils)
	22	#:use-module (guix build syscalls)
	23	#:use-module (gnu build linux-container)
bacfec86 LC	24	#:use-module ((gnu system linux-container)
bacfec86 LC	25	#:select (eval/container))
5970e8e2	26	#:use-module (gnu system file-systems)
bacfec86 LC	27	#:use-module (guix store)
	28	#:use-module (guix monads)
	29	#:use-module (guix gexp)
	30	#:use-module (guix derivations)
	31	#:use-module (guix tests)
	32	#:use-module (srfi srfi-1)
c1f6a0c2	33	#:use-module (srfi srfi-64)
0ef8fe22 LC	34	#:use-module (ice-9 match)
0ef8fe22 LC	35	#:use-module ((ice-9 ftw) #:select (scandir)))
c1f6a0c2 DT	36
	37	(define (assert-exit x)
	38	(primitive-exit (if x 0 1)))
	39
a9edb211 ML	40	(test-begin "containers")
a9edb211 ML	41
bc459b61 DT	42	;; Skip these tests unless user namespaces are available and the setgroups
bc459b61 DT	43	;; file (introduced in Linux 3.19 to address a security issue) exists.
25a3bfbe LC	44	(define (skip-if-unsupported)
	45	(unless (and (user-namespace-supported?)
	46	(unprivileged-user-namespace-supported?)
	47	(setgroups-supported?))
	48	(test-skip 1)))
c1f6a0c2	49
25a3bfbe	50	(skip-if-unsupported)
a72ccbc2 DT	51	(test-assert "call-with-container, exit with 0 when there is no error"
	52	(zero?
	53	(call-with-container '() (const #t) #:namespaces '(user))))
	54
25a3bfbe	55	(skip-if-unsupported)
c1f6a0c2 DT	56	(test-assert "call-with-container, user namespace"
	57	(zero?
	58	(call-with-container '()
	59	(lambda ()
	60	;; The user is root within the new user namespace.
	61	(assert-exit (and (zero? (getuid)) (zero? (getgid)))))
	62	#:namespaces '(user))))
	63
af76c020 LC	64	(skip-if-unsupported)
	65	(test-assert "call-with-container, user namespace, guest UID/GID"
	66	(zero?
	67	(call-with-container '()
	68	(lambda ()
	69	(assert-exit (and (= 42 (getuid)) (= 77 (getgid)))))
	70	#:guest-uid 42
	71	#:guest-gid 77
	72	#:namespaces '(user))))
	73
25a3bfbe	74	(skip-if-unsupported)
c1f6a0c2 DT	75	(test-assert "call-with-container, uts namespace"
	76	(zero?
	77	(call-with-container '()
	78	(lambda ()
	79	;; The user is root within the container and should be able to change
	80	;; the hostname of that container.
	81	(sethostname "test-container")
	82	(primitive-exit 0))
	83	#:namespaces '(user uts))))
	84
25a3bfbe	85	(skip-if-unsupported)
c1f6a0c2 DT	86	(test-assert "call-with-container, pid namespace"
	87	(zero?
	88	(call-with-container '()
	89	(lambda ()
	90	(match (primitive-fork)
	91	(0
	92	;; The first forked process in the new pid namespace is pid 2.
	93	(assert-exit (= 2 (getpid))))
	94	(pid
	95	(primitive-exit
	96	(match (waitpid pid)
	97	((_ . status)
	98	(status:exit-val status)))))))
	99	#:namespaces '(user pid))))
	100
25a3bfbe	101	(skip-if-unsupported)
c1f6a0c2 DT	102	(test-assert "call-with-container, mnt namespace"
c1f6a0c2 DT	103	(zero?
5970e8e2 LC	104	(call-with-container (list (file-system
	105	(device "none")
	106	(mount-point "/testing")
a24b56fa AP	107	(type "tmpfs")
a24b56fa AP	108	(check? #f)))
c1f6a0c2 DT	109	(lambda ()
	110	(assert-exit (file-exists? "/testing")))
	111	#:namespaces '(user mnt))))
	112
25a3bfbe	113	(skip-if-unsupported)
c06f6db7 LC	114	(test-equal "call-with-container, mnt namespace, wrong bind mount"
	115	`(system-error ,ENOENT)
	116	;; An exception should be raised; see <http://bugs.gnu.org/23306>.
	117	(catch 'system-error
	118	(lambda ()
5970e8e2 LC	119	(call-with-container (list (file-system
	120	(device "/does-not-exist")
	121	(mount-point "/foo")
	122	(type "none")
a24b56fa AP	123	(flags '(bind-mount))
a24b56fa AP	124	(check? #f)))
c06f6db7 LC	125	(const #t)
	126	#:namespaces '(user mnt)))
	127	(lambda args
	128	(list 'system-error (system-error-errno args)))))
	129
25a3bfbe	130	(skip-if-unsupported)
c1f6a0c2 DT	131	(test-assert "call-with-container, all namespaces"
	132	(zero?
	133	(call-with-container '()
	134	(lambda ()
	135	(primitive-exit 0)))))
	136
e7481835 JL	137	(skip-if-unsupported)
	138	(test-assert "call-with-container, mnt namespace, root permissions"
	139	(zero?
	140	(call-with-container '()
	141	(lambda ()
	142	(assert-exit (= #o755 (stat:perms (lstat "/")))))
	143	#:namespaces '(user mnt))))
	144
25a3bfbe	145	(skip-if-unsupported)
c1f6a0c2 DT	146	(test-assert "container-excursion"
	147	(call-with-temporary-directory
	148	(lambda (root)
	149	;; Two pipes: One for the container to signal that the test can begin,
	150	;; and one for the parent to signal to the container that the test is
	151	;; over.
	152	(match (list (pipe) (pipe))
	153	(((start-in . start-out) (end-in . end-out))
	154	(define (container)
	155	(close end-out)
	156	(close start-in)
	157	;; Signal for the test to start.
	158	(write 'ready start-out)
	159	(close start-out)
	160	;; Wait for test completion.
	161	(read end-in)
	162	(close end-in))
	163
	164	(define (namespaces pid)
	165	(let ((pid (number->string pid)))
	166	(map (lambda (ns)
	167	(readlink (string-append "/proc/" pid "/ns/" ns)))
	168	'("user" "ipc" "uts" "net" "pid" "mnt"))))
	169
831bc146	170	(let* ((pid (run-container root '() %namespaces 1 container))
c1f6a0c2 DT	171	(container-namespaces (namespaces pid))
	172	(result
	173	(begin
	174	(close start-out)
	175	;; Wait for container to be ready.
	176	(read start-in)
	177	(close start-in)
	178	(container-excursion pid
	179	(lambda ()
0ef8fe22 LC	180	;; Check that all of the namespace identifiers are
	181	;; the same as the container process.
	182	(assert-exit
	183	(equal? container-namespaces
	184	(namespaces (getpid)))))))))
c1f6a0c2 DT	185	(close end-in)
	186	;; Stop the container.
	187	(write 'done end-out)
	188	(close end-out)
	189	(waitpid pid)
	190	(zero? result)))))))
	191
7fee5b53 LC	192	(skip-if-unsupported)
	193	(test-equal "container-excursion, same namespaces"
	194	42
	195	;; The parent and child are in the same namespaces. 'container-excursion'
	196	;; should notice that and avoid calling 'setns' since that would fail.
52eb3db1 LC	197	(status:exit-val
	198	(container-excursion (getpid)
	199	(lambda ()
	200	(primitive-exit 42)))))
7fee5b53	201
c90db25f LC	202	(skip-if-unsupported)
	203	(test-assert "container-excursion*"
	204	(call-with-temporary-directory
	205	(lambda (root)
	206	(define (namespaces pid)
	207	(let ((pid (number->string pid)))
	208	(map (lambda (ns)
	209	(readlink (string-append "/proc/" pid "/ns/" ns)))
	210	'("user" "ipc" "uts" "net" "pid" "mnt"))))
	211
	212	(let* ((pid (run-container root '()
	213	%namespaces 1
	214	(lambda ()
	215	(sleep 100))))
3e894917	216	(expected (namespaces pid))
c90db25f LC	217	(result (container-excursion* pid
	218	(lambda ()
	219	(namespaces 1)))))
	220	(kill pid SIGKILL)
3e894917	221	(equal? result expected)))))
c90db25f LC	222
	223	(skip-if-unsupported)
	224	(test-equal "container-excursion*, same namespaces"
	225	42
	226	(container-excursion* (getpid)
	227	(lambda ()
	228	(* 6 7))))
	229
0ef8fe22 LC	230	(skip-if-unsupported)
	231	(test-equal "container-excursion*, /proc"
	232	'("1" "2")
	233	(call-with-temporary-directory
	234	(lambda (root)
	235	(let* ((pid (run-container root '()
	236	%namespaces 1
	237	(lambda ()
	238	(sleep 100))))
	239	(result (container-excursion* pid
	240	(lambda ()
	241	;; We expect to see exactly two processes in this
	242	;; namespace.
	243	(scandir "/proc"
	244	(lambda (file)
	245	(char-set-contains?
	246	char-set:digit
	247	(string-ref file 0))))))))
	248	(kill pid SIGKILL)
	249	result))))
	250
bacfec86 LC	251	(skip-if-unsupported)
	252	(test-equal "eval/container, exit status"
	253	42
	254	(let* ((store (open-connection-for-tests))
	255	(status (run-with-store store
	256	(eval/container #~(exit 42)))))
	257	(close-connection store)
	258	(status:exit-val status)))
	259
	260	(skip-if-unsupported)
	261	(test-assert "eval/container, writable user mapping"
	262	(call-with-temporary-directory
	263	(lambda (directory)
	264	(define store
	265	(open-connection-for-tests))
	266	(define result
	267	(string-append directory "/r"))
	268	(define requisites*
	269	(store-lift requisites))
	270
	271	(call-with-output-file result (const #t))
	272	(run-with-store store
	273	(mlet %store-monad ((status (eval/container
	274	#~(begin
	275	(use-modules (ice-9 ftw))
	276	(call-with-output-file "/result"
	277	(lambda (port)
	278	(write (scandir #$(%store-prefix))
	279	port))))
	280	#:mappings
	281	(list (file-system-mapping
	282	(source result)
	283	(target "/result")
	284	(writable? #t)))))
	285	(reqs (requisites*
	286	(list (derivation->output-path
	287	(%guile-for-build))))))
	288	(close-connection store)
	289	(return (and (zero? (pk 'status status))
	290	(lset= string=? (cons* "." ".." (map basename reqs))
	291	(pk (call-with-input-file result read))))))))))
	292
e464ac66	293	(skip-if-unsupported)
96b35998 LC	294	(test-assert "eval/container, non-empty load path"
	295	(call-with-temporary-directory
	296	(lambda (directory)
	297	(define store
	298	(open-connection-for-tests))
	299	(define result
	300	(string-append directory "/r"))
	301	(define requisites*
	302	(store-lift requisites))
	303
	304	(mkdir result)
	305	(run-with-store store
	306	(mlet %store-monad ((status (eval/container
	307	(with-imported-modules '((guix build utils))
	308	#~(begin
	309	(use-modules (guix build utils))
	310	(mkdir-p "/result/a/b/c")))
	311	#:mappings
	312	(list (file-system-mapping
	313	(source result)
	314	(target "/result")
	315	(writable? #t))))))
	316	(close-connection store)
	317	(return (and (zero? status)
	318	(file-is-directory?
	319	(string-append result "/a/b/c")))))))))
	320
c1f6a0c2	321	(test-end)