1 | ;;; GNU Guix --- Functional package management for GNU |
2 | ;;; Copyright © 2015 David Thompson <davet@gnu.org> | |
af76c020 | 3 | ;;; Copyright © 2016, 2017, 2019 Ludovic Courtès <ludo@gnu.org> |
c1f6a0c2 DT |
4 | ;;; |
5 | ;;; This file is part of GNU Guix. | |
6 | ;;; | |
7 | ;;; GNU Guix is free software; you can redistribute it and/or modify it | |
8 | ;;; under the terms of the GNU General Public License as published by | |
9 | ;;; the Free Software Foundation; either version 3 of the License, or (at | |
10 | ;;; your option) any later version. | |
11 | ;;; | |
12 | ;;; GNU Guix is distributed in the hope that it will be useful, but | |
13 | ;;; WITHOUT ANY WARRANTY; without even the implied warranty of | |
14 | ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
15 | ;;; GNU General Public License for more details. | |
16 | ;;; | |
17 | ;;; You should have received a copy of the GNU General Public License | |
18 | ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. | |
19 | ||
20 | (define-module (test-containers) | |
21 | #:use-module (guix utils) | |
22 | #:use-module (guix build syscalls) | |
23 | #:use-module (gnu build linux-container) | |
5970e8e2 | 24 | #:use-module (gnu system file-systems) |
c1f6a0c2 DT |
25 | #:use-module (srfi srfi-64) |
26 | #:use-module (ice-9 match)) | |
27 | ||
;; Terminate the calling process with status 0 when X is true and 1
;; otherwise.  Used inside container bodies so that the container's exit
;; status carries the outcome of an assertion back to the parent.
(define (assert-exit x)
  (let ((status (cond (x 0)
                      (else 1))))
    (primitive-exit status)))
30 | ||
;; Open the SRFI-64 suite; every test form below runs inside it.
(test-begin "containers")
32 | ||
;; Skip these tests unless user namespaces are available to this
;; unprivileged process and the /proc/PID/setgroups file exists.  That file
;; was introduced in Linux 3.19 to close a privilege-escalation hole in
;; unprivileged user namespaces (setgroups could be used to drop
;; supplementary groups); kernels without it are not safe to test against.
;; Mark the next test form (and only that one) as skipped unless the running
;; kernel lets this process create user namespaces without privileges and
;; exposes the setgroups file.  Call it immediately before every test that
;; creates a container.
(define (skip-if-unsupported)
  (let ((usable? (and (user-namespace-supported?)
                      (unprivileged-user-namespace-supported?)
                      (setgroups-supported?))))
    (if (not usable?)
        (test-skip 1))))
c1f6a0c2 | 40 | |
(skip-if-unsupported)
;; A container body that simply returns must yield exit status 0.
(test-assert "call-with-container, exit with 0 when there is no error"
  (let ((status (call-with-container '() (const #t)
                                     #:namespaces '(user))))
    (= 0 status)))
45 | ||
(skip-if-unsupported)
;; Inside a fresh user namespace the caller appears as root (UID 0, GID 0)
;; although the host process is unprivileged; the guest UID/GID test below
;; shows how that mapping is overridden.
(test-assert "call-with-container, user namespace"
  (let ((root-inside? (lambda ()
                        (assert-exit (and (= 0 (getuid))
                                          (= 0 (getgid)))))))
    (= 0 (call-with-container '() root-inside?
                              #:namespaces '(user)))))
54 | ||
(skip-if-unsupported)
;; #:guest-uid / #:guest-gid select the IDs seen inside the user namespace
;; (presumably the IDs the host user is mapped to); the body must observe
;; exactly those, not root.
(test-assert "call-with-container, user namespace, guest UID/GID"
  (let ((uid 42)
        (gid 77))
    (= 0 (call-with-container '()
                              (lambda ()
                                (assert-exit (and (= uid (getuid))
                                                  (= gid (getgid)))))
                              #:guest-uid uid
                              #:guest-gid gid
                              #:namespaces '(user)))))
64 | ||
(skip-if-unsupported)
;; With a UTS namespace the namespace-root user may change the hostname
;; without touching the host's.  A failing sethostname raises a system-error
;; in Guile, so reaching 'primitive-exit 0' is the assertion.
(test-assert "call-with-container, uts namespace"
  (let ((rename-host (lambda ()
                       (sethostname "test-container")
                       (primitive-exit 0))))
    (= 0 (call-with-container '() rename-host
                              #:namespaces '(user uts)))))
75 | ||
(skip-if-unsupported)
;; In a fresh PID namespace the container body is PID 1, so its first child
;; must get PID 2.  The body relays the child's exit status as its own.
(test-assert "call-with-container, pid namespace"
  (let ((check-child-pid
         (lambda ()
           (let ((child (primitive-fork)))
             (if (= child 0)
                 (assert-exit (= 2 (getpid)))
                 ;; waitpid returns (PID . STATUS); forward STATUS's exit value.
                 (let ((status (cdr (waitpid child))))
                   (primitive-exit (status:exit-val status))))))))
    (= 0 (call-with-container '() check-child-pid
                              #:namespaces '(user pid)))))
91 | ||
(skip-if-unsupported)
;; A tmpfs mounted at /testing inside the mount namespace must be visible to
;; the container body.  'check? #f' presumably disables the file-system
;; checker, which has no meaning for a tmpfs.
(test-assert "call-with-container, mnt namespace"
  (let ((scratch (file-system
                   (device "none")
                   (mount-point "/testing")
                   (type "tmpfs")
                   (check? #f))))
    (= 0 (call-with-container (list scratch)
                              (lambda ()
                                (assert-exit (file-exists? "/testing")))
                              #:namespaces '(user mnt)))))
103 | ||
(skip-if-unsupported)
;; Bind-mounting a non-existent source must surface in the parent as a
;; system-error carrying ENOENT rather than being swallowed inside the
;; container; see <http://bugs.gnu.org/23306>.
(test-equal "call-with-container, mnt namespace, wrong bind mount"
  `(system-error ,ENOENT)
  (let ((bogus (file-system
                 (device "/does-not-exist")
                 (mount-point "/foo")
                 (type "none")
                 (flags '(bind-mount))
                 (check? #f))))
    (catch 'system-error
      (lambda ()
        (call-with-container (list bogus) (const #t)
                             #:namespaces '(user mnt)))
      (lambda args
        ;; Reduce the exception to (system-error ERRNO) for comparison.
        (list 'system-error (system-error-errno args))))))
120 | ||
(skip-if-unsupported)
;; No #:namespaces argument: the container is created with the default set
;; of namespaces (presumably %namespaces), and an immediate exit 0 must
;; still work.
(test-assert "call-with-container, all namespaces"
  (let ((exit-ok (lambda () (primitive-exit 0))))
    (= 0 (call-with-container '() exit-ok))))
127 | ||
(skip-if-unsupported)
;; Start a long-lived container, then use 'container-excursion' to run code
;; inside its namespaces and check, from a child forked within the
;; excursion, that every /proc/PID/ns link matches the container's.
(test-assert "container-excursion"
  (call-with-temporary-directory
   (lambda (root)
     ;; Two pipes: One for the container to signal that the test can begin,
     ;; and one for the parent to signal to the container that the test is
     ;; over.
     (match (list (pipe) (pipe))
       (((start-in . start-out) (end-in . end-out))
        ;; Body of the container process: close the pipe ends it does not
        ;; use (so EOF propagates), announce readiness, then block until the
        ;; parent writes 'done or closes end-out.
        (define (container)
          (close end-out)
          (close start-in)
          ;; Signal for the test to start.
          (write 'ready start-out)
          (close start-out)
          ;; Wait for test completion.
          (read end-in)
          (close end-in))

        ;; Targets of the /proc/PID/ns/* links for PID, one string per
        ;; namespace kind, in the order listed.  Two processes are in the
        ;; same namespaces exactly when these lists are equal.
        (define (namespaces pid)
          (let ((pid (number->string pid)))
            (map (lambda (ns)
                   (readlink (string-append "/proc/" pid "/ns/" ns)))
                 '("user" "ipc" "uts" "net" "pid" "mnt"))))

        ;; NOTE(review): if 'container-excursion' raises, 'done is never
        ;; written and 'waitpid' is skipped; the container presumably only
        ;; exits because end-out is closed when this process dies.
        (let* ((pid (run-container root '() %namespaces 1 container))
               ;; Snapshot the container's namespaces while it is blocked
               ;; on end-in and therefore still alive.
               (container-namespaces (namespaces pid))
               (result
                (begin
                  (close start-out)
                  ;; Wait for container to be ready.
                  (read start-in)
                  (close start-in)
                  (container-excursion pid
                    (lambda ()
                      ;; Fork again so that the pid is within the context of
                      ;; the joined pid namespace instead of the original pid
                      ;; namespace.
                      (match (primitive-fork)
                        (0
                         ;; Check that all of the namespace identifiers are
                         ;; the same as the container process.
                         (assert-exit
                          (equal? container-namespaces
                                  (namespaces (getpid)))))
                        (fork-pid
                         ;; Relay the child's exit status as the excursion's.
                         (match (waitpid fork-pid)
                           ((_ . status)
                            (primitive-exit
                             (status:exit-val status)))))))))))
          (close end-in)
          ;; Stop the container.
          (write 'done end-out)
          (close end-out)
          ;; Reap the container so it does not linger as a zombie.
          (waitpid pid)
          (zero? result)))))))
184 | ||
(skip-if-unsupported)
;; When the target PID already shares every namespace with the caller,
;; 'container-excursion' must not call setns (that would fail) yet must
;; still run the thunk in a child and return that child's exit status.
(test-equal "container-excursion, same namespaces"
  42
  (let ((exit-42 (lambda () (primitive-exit 42))))
    (container-excursion (getpid) exit-42)))
193 | ||
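(skip-if-unsupported)
;; 'container-excursion*' runs a thunk inside PID's namespaces and hands
;; its value back to the caller.  The thunk asks for the namespaces of
;; PID 1, which from inside the container is the container process itself,
;; so the answer must equal what the host sees for that process.
(test-assert "container-excursion*"
  (call-with-temporary-directory
   (lambda (root)
     ;; Targets of the /proc/PID/ns/* links for PID, one string per
     ;; namespace kind; equal lists mean the same namespaces.
     (define (namespaces pid)
       (let ((pid (number->string pid)))
         (map (lambda (ns)
                (readlink (string-append "/proc/" pid "/ns/" ns)))
              '("user" "ipc" "uts" "net" "pid" "mnt"))))

     (let ((pid (run-container root '() %namespaces 1
                               (lambda ()
                                 (sleep 100)))))
       ;; The container merely sleeps.  Kill and reap it even when
       ;; 'container-excursion*' or 'namespaces' raises, so a failing test
       ;; neither leaks a live process for 100 seconds nor leaves a zombie.
       (dynamic-wind
         (const #t)
         (lambda ()
           ;; Read the host's view first, then the in-container view.
           (let* ((expected (namespaces pid))
                  (result (container-excursion* pid
                            (lambda ()
                              (namespaces 1)))))
             (equal? result expected)))
         (lambda ()
           (kill pid SIGKILL)
           ;; The container is a direct child (see the 'waitpid' in the
           ;; "container-excursion" test), so reaping it here is safe.
           (waitpid pid)))))))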

(skip-if-unsupported)
;; With no namespace to join, 'container-excursion*' still evaluates the
;; thunk and returns its value unchanged.
(test-equal "container-excursion*, same namespaces"
  42
  (container-excursion* (getpid)
    (lambda ()
      (let ((six 6)
            (seven 7))
        (* six seven)))))
221 | ||
;; Close the "containers" suite opened by 'test-begin' above.
(test-end)