1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2015 David Thompson <davet@gnu.org>
3 ;;;
4 ;;; This file is part of GNU Guix.
5 ;;;
6 ;;; GNU Guix is free software; you can redistribute it and/or modify it
7 ;;; under the terms of the GNU General Public License as published by
8 ;;; the Free Software Foundation; either version 3 of the License, or (at
9 ;;; your option) any later version.
10 ;;;
11 ;;; GNU Guix is distributed in the hope that it will be useful, but
12 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
13 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 ;;; GNU General Public License for more details.
15 ;;;
16 ;;; You should have received a copy of the GNU General Public License
17 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
18
19 (define-module (test-containers)
20 #:use-module (guix utils)
21 #:use-module (guix build syscalls)
22 #:use-module (gnu build linux-container)
23 #:use-module (gnu system file-systems)
24 #:use-module (srfi srfi-64)
25 #:use-module (ice-9 match))
26
(define (assert-exit x)
  "Terminate the calling process right away with exit status 0 when X is
true and 1 otherwise.  Meant for forked children: the boolean outcome of a
check travels back to the parent as the exit status.  'primitive-exit' is
used deliberately because, per Guile's semantics, it does not unwind the
Scheme stack, so no 'dynamic-wind' handlers inherited from the parent run in
the child."
  (let ((status (cond (x 0)
                      (else 1))))
    (primitive-exit status)))
29
;; Open the SRFI-64 "containers" test group; every test below is guarded by
;; 'skip-if-unsupported'.
(test-begin "containers")
31
;; Guard placed before every container test: tell SRFI-64 to skip the *next*
;; test (one test only, hence one call per test) unless the running kernel
;; provides all of the following:
;;
;;  - user namespaces,
;;  - user namespaces for unprivileged processes, and
;;  - the /proc/PID/setgroups file.  It appeared in Linux 3.19 together with
;;    the rule that a namespace's gid_map may only be written once setgroups
;;    is "deny" (CVE-2014-8989): before that, a process in an unprivileged
;;    user namespace could call setgroups(2) to drop supplementary groups and
;;    thereby bypass permissions that are granted by *denying* a group.
(define (skip-if-unsupported)
  (let ((supported? (and (user-namespace-supported?)
                         (unprivileged-user-namespace-supported?)
                         (setgroups-supported?))))
    (when (not supported?)
      (test-skip 1))))
39
(skip-if-unsupported)
;; Baseline: a thunk that returns normally must surface as exit status 0
;; from 'call-with-container'.  Only a user namespace is requested.
(test-assert "call-with-container, exit with 0 when there is no error"
  (let ((status (call-with-container '()
                                     (lambda () #t)
                                     #:namespaces '(user))))
    (= status 0)))
44
(skip-if-unsupported)
;; Inside the new user namespace the caller is expected to be mapped to
;; uid 0 / gid 0, i.e. "root" from the container's point of view.  The child
;; reports the check through its exit status.
(test-assert "call-with-container, user namespace"
  (= 0
     (call-with-container '()
       (lambda ()
         (let ((root? (and (= 0 (getuid))
                           (= 0 (getgid)))))
           (assert-exit root?)))
       #:namespaces '(user))))
53
(skip-if-unsupported)
;; With its own UTS namespace the container may rename *itself* without
;; touching the host's hostname; being root in the owning user namespace is
;; what grants the needed capability.  'sethostname' is presumably raising on
;; failure (otherwise this test could not detect one -- verify in
;; (guix build syscalls)), which would abort the child before the
;; 'primitive-exit 0' and yield a non-zero status.
(test-assert "call-with-container, uts namespace"
  (let ((rename-host (lambda ()
                       (sethostname "test-container")
                       (primitive-exit 0))))
    (= 0 (call-with-container '() rename-host #:namespaces '(user uts)))))
64
(skip-if-unsupported)
;; In a fresh PID namespace the first process forked by the container process
;; is expected to be pid 2.  The grandchild checks its own pid and exits with
;; the result; the container process relays that status as its own so the
;; parent sees it through 'call-with-container'.
(test-assert "call-with-container, pid namespace"
  (let ((check-pid (lambda ()
                     (let ((child (primitive-fork)))
                       (if (= child 0)
                           ;; Grandchild: what pid do we have in here?
                           (assert-exit (= 2 (getpid)))
                           ;; Container process: propagate the grandchild's
                           ;; exit status.
                           (let ((status (cdr (waitpid child))))
                             (primitive-exit (status:exit-val status))))))))
    (= 0 (call-with-container '() check-pid #:namespaces '(user pid)))))
80
(skip-if-unsupported)
;; A private mount namespace lets the container mount a tmpfs on /testing
;; without it ever becoming visible on the host.  'check?' is #f so that no
;; file-system check is attempted for this mount (cf. the commit title on this
;; page); a tmpfs has nothing to check anyway.
;;
;; NOTE(review): the child only tests that /testing *exists* in its view, not
;; that it is the tmpfs just mounted; a pre-existing /testing on the host
;; would make this pass as well.
(test-assert "call-with-container, mnt namespace"
  (let ((mounts (list (file-system
                        (device "none")
                        (mount-point "/testing")
                        (type "tmpfs")
                        (check? #f))))
        (probe (lambda ()
                 (if (file-exists? "/testing")
                     (primitive-exit 0)
                     (primitive-exit 1)))))
    (= 0 (call-with-container mounts probe #:namespaces '(user mnt)))))
92
(skip-if-unsupported)
;; Mount failures inside the container must not be swallowed: bind-mounting a
;; non-existent source has to surface in the parent as a 'system-error' with
;; errno ENOENT instead of silently producing a container that lacks the
;; mount.  See <http://bugs.gnu.org/23306>.
(test-equal "call-with-container, mnt namespace, wrong bind mount"
  `(system-error ,ENOENT)
  (let ((bogus-mount (file-system
                       (device "/does-not-exist")
                       (mount-point "/foo")
                       (type "none")
                       (flags '(bind-mount))
                       (check? #f))))
    (catch 'system-error
      (lambda ()
        (call-with-container (list bogus-mount)
                             (lambda () #t)
                             #:namespaces '(user mnt)))
      (lambda (key . rest)
        ;; Reduce the exception to (KEY ERRNO) so it can be compared against
        ;; the expected value above.
        (list key (system-error-errno (cons key rest)))))))
109
(skip-if-unsupported)
;; No #:namespaces argument, so 'call-with-container' uses its default set
;; (presumably every namespace it knows about -- not visible here).  The child
;; does nothing but exit 0, so this only checks that creating them all at once
;; succeeds for the current user.
(test-assert "call-with-container, all namespaces"
  (let ((exit-ok (lambda ()
                   (primitive-exit 0))))
    (= 0 (call-with-container '() exit-ok))))
116
(skip-if-unsupported)
;; 'container-excursion' should let a process on the host join every
;; namespace of a running container.  The check compares the readlink targets
;; of the container process's /proc/PID/ns/* entries with those observed by a
;; process spawned from inside the excursion: equal targets mean equal
;; namespaces.
(test-assert "container-excursion"
  (call-with-temporary-directory
   (lambda (root)
     ;; Two pipes: One for the container to signal that the test can begin,
     ;; and one for the parent to signal to the container that the test is
     ;; over.
     (match (list (pipe) (pipe))
       (((start-in . start-out) (end-in . end-out))
        ;; Body of the container process: drop the pipe ends it does not use,
        ;; announce readiness, then block until told to finish so that its
        ;; namespaces stay alive while the parent inspects them.
        (define (container)
          (close end-out)
          (close start-in)
          ;; Signal for the test to start.
          (write 'ready start-out)
          (close start-out)
          ;; Wait for test completion.
          (read end-in)
          (close end-in))

        ;; Namespace identity of PID: the readlink targets of its
        ;; /proc/PID/ns/{user,ipc,uts,net,pid,mnt} links, in that order.
        ;; Reading another process's ns links presumably needs the usual
        ;; ptrace-style access to it -- satisfied here because the parent
        ;; created the container.
        (define (namespaces pid)
          (let ((pid (number->string pid)))
            (map (lambda (ns)
                   (readlink (string-append "/proc/" pid "/ns/" ns)))
                 '("user" "ipc" "uts" "net" "pid" "mnt"))))

        ;; The 1 passed to 'run-container' is presumably the host uid to map
        ;; inside the container -- not visible here, check 'run-container'.
        (let* ((pid (run-container root '() %namespaces 1 container))
               (container-namespaces (namespaces pid))
               (result
                (begin
                  (close start-out)
                  ;; Wait for container to be ready.
                  (read start-in)
                  (close start-in)
                  (container-excursion pid
                    (lambda ()
                      ;; Fork again so that the pid is within the context of
                      ;; the joined pid namespace instead of the original pid
                      ;; namespace.
                      (match (primitive-fork)
                        (0
                         ;; Check that all of the namespace identifiers are
                         ;; the same as the container process.
                         (assert-exit
                          (equal? container-namespaces
                                  (namespaces (getpid)))))
                        (fork-pid
                         (match (waitpid fork-pid)
                           ((_ . status)
                            (primitive-exit
                             (status:exit-val status)))))))))))
          ;; NOTE(review): the shutdown below only runs when
          ;; 'container-excursion' returns normally.  If it throws (e.g. a
          ;; failing setns), the container is never told to stop and is never
          ;; reaped, so it lingers until this test process exits.
          (close end-in)
          ;; Stop the container.
          (write 'done end-out)
          (close end-out)
          (waitpid pid)
          (zero? result)))))))
173
(skip-if-unsupported)
;; Joining the namespaces of the current process is a no-op.
;; 'container-excursion' must notice that and skip 'setns' entirely (joining a
;; namespace one is already in would fail), then just run the thunk; its exit
;; status 42 is what comes back.
(test-equal "container-excursion, same namespaces"
  42
  (let ((exit-42 (lambda ()
                   (primitive-exit 42))))
    (container-excursion (getpid) exit-42)))
182
;; Close the "containers" test group opened by 'test-begin' above.
(test-end)