HCoop / jackhill / guix / guix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'master' into core-updates
[jackhill/guix/guix.git] / tests / containers.scm
1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2015 David Thompson <davet@gnu.org>
3 ;;;
4 ;;; This file is part of GNU Guix.
5 ;;;
6 ;;; GNU Guix is free software; you can redistribute it and/or modify it
7 ;;; under the terms of the GNU General Public License as published by
8 ;;; the Free Software Foundation; either version 3 of the License, or (at
9 ;;; your option) any later version.
10 ;;;
11 ;;; GNU Guix is distributed in the hope that it will be useful, but
12 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
13 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 ;;; GNU General Public License for more details.
15 ;;;
16 ;;; You should have received a copy of the GNU General Public License
17 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
18
19 (define-module (test-containers)
20 #:use-module (guix utils)
21 #:use-module (guix build syscalls)
22 #:use-module (gnu build linux-container)
23 #:use-module (srfi srfi-64)
24 #:use-module (ice-9 match))
25
26 (define (assert-exit x)
27 (primitive-exit (if x 0 1)))
28
29 (test-begin "containers")
30
31 ;; Skip these tests unless user namespaces are available and the setgroups
32 ;; file (introduced in Linux 3.19 to address a security issue) exists.
33 (define (skip-if-unsupported)
34 (unless (and (user-namespace-supported?)
35 (unprivileged-user-namespace-supported?)
36 (setgroups-supported?))
37 (test-skip 1)))
38
39 (skip-if-unsupported)
40 (test-assert "call-with-container, exit with 0 when there is no error"
41 (zero?
42 (call-with-container '() (const #t) #:namespaces '(user))))
43
44 (skip-if-unsupported)
45 (test-assert "call-with-container, user namespace"
46 (zero?
47 (call-with-container '()
48 (lambda ()
49 ;; The user is root within the new user namespace.
50 (assert-exit (and (zero? (getuid)) (zero? (getgid)))))
51 #:namespaces '(user))))
52
53 (skip-if-unsupported)
54 (test-assert "call-with-container, uts namespace"
55 (zero?
56 (call-with-container '()
57 (lambda ()
58 ;; The user is root within the container and should be able to change
59 ;; the hostname of that container.
60 (sethostname "test-container")
61 (primitive-exit 0))
62 #:namespaces '(user uts))))
63
64 (skip-if-unsupported)
65 (test-assert "call-with-container, pid namespace"
66 (zero?
67 (call-with-container '()
68 (lambda ()
69 (match (primitive-fork)
70 (0
71 ;; The first forked process in the new pid namespace is pid 2.
72 (assert-exit (= 2 (getpid))))
73 (pid
74 (primitive-exit
75 (match (waitpid pid)
76 ((_ . status)
77 (status:exit-val status)))))))
78 #:namespaces '(user pid))))
79
80 (skip-if-unsupported)
81 (test-assert "call-with-container, mnt namespace"
82 (zero?
83 (call-with-container '(("none" device "/testing" "tmpfs" () #f #f))
84 (lambda ()
85 (assert-exit (file-exists? "/testing")))
86 #:namespaces '(user mnt))))
87
88 (skip-if-unsupported)
89 (test-equal "call-with-container, mnt namespace, wrong bind mount"
90 `(system-error ,ENOENT)
91 ;; An exception should be raised; see <http://bugs.gnu.org/23306>.
92 (catch 'system-error
93 (lambda ()
94 (call-with-container '(("/does-not-exist" device "/foo"
95 "none" (bind-mount) #f #f))
96 (const #t)
97 #:namespaces '(user mnt)))
98 (lambda args
99 (list 'system-error (system-error-errno args)))))
100
101 (skip-if-unsupported)
102 (test-assert "call-with-container, all namespaces"
103 (zero?
104 (call-with-container '()
105 (lambda ()
106 (primitive-exit 0)))))
107
108 (skip-if-unsupported)
109 (test-assert "container-excursion"
110 (call-with-temporary-directory
111 (lambda (root)
112 ;; Two pipes: One for the container to signal that the test can begin,
113 ;; and one for the parent to signal to the container that the test is
114 ;; over.
115 (match (list (pipe) (pipe))
116 (((start-in . start-out) (end-in . end-out))
117 (define (container)
118 (close end-out)
119 (close start-in)
120 ;; Signal for the test to start.
121 (write 'ready start-out)
122 (close start-out)
123 ;; Wait for test completion.
124 (read end-in)
125 (close end-in))
126
127 (define (namespaces pid)
128 (let ((pid (number->string pid)))
129 (map (lambda (ns)
130 (readlink (string-append "/proc/" pid "/ns/" ns)))
131 '("user" "ipc" "uts" "net" "pid" "mnt"))))
132
133 (let* ((pid (run-container root '() %namespaces 1 container))
134 (container-namespaces (namespaces pid))
135 (result
136 (begin
137 (close start-out)
138 ;; Wait for container to be ready.
139 (read start-in)
140 (close start-in)
141 (container-excursion pid
142 (lambda ()
143 ;; Fork again so that the pid is within the context of
144 ;; the joined pid namespace instead of the original pid
145 ;; namespace.
146 (match (primitive-fork)
147 (0
148 ;; Check that all of the namespace identifiers are
149 ;; the same as the container process.
150 (assert-exit
151 (equal? container-namespaces
152 (namespaces (getpid)))))
153 (fork-pid
154 (match (waitpid fork-pid)
155 ((_ . status)
156 (primitive-exit
157 (status:exit-val status)))))))))))
158 (close end-in)
159 ;; Stop the container.
160 (write 'done end-out)
161 (close end-out)
162 (waitpid pid)
163 (zero? result)))))))
164
165 (test-end)
jackhill's copy of GNU Guix: https://guix.gnu.org/