Commit | Line | Data |
---|---|---|
c1f6a0c2 DT |
1 | ;;; GNU Guix --- Functional package management for GNU |
2 | ;;; Copyright © 2015 David Thompson <davet@gnu.org> | |
3 | ;;; | |
4 | ;;; This file is part of GNU Guix. | |
5 | ;;; | |
6 | ;;; GNU Guix is free software; you can redistribute it and/or modify it | |
7 | ;;; under the terms of the GNU General Public License as published by | |
8 | ;;; the Free Software Foundation; either version 3 of the License, or (at | |
9 | ;;; your option) any later version. | |
10 | ;;; | |
11 | ;;; GNU Guix is distributed in the hope that it will be useful, but | |
12 | ;;; WITHOUT ANY WARRANTY; without even the implied warranty of | |
13 | ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
14 | ;;; GNU General Public License for more details. | |
15 | ;;; | |
16 | ;;; You should have received a copy of the GNU General Public License | |
17 | ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. | |
18 | ||
19 | (define-module (test-containers) | |
20 | #:use-module (guix utils) | |
21 | #:use-module (guix build syscalls) | |
22 | #:use-module (gnu build linux-container) | |
23 | #:use-module (srfi srfi-64) | |
24 | #:use-module (ice-9 match)) | |
25 | ||
26 | (define (assert-exit x) | |
27 | (primitive-exit (if x 0 1))) | |
28 | ||
a9edb211 ML |
29 | (test-begin "containers") |
30 | ||
bc459b61 DT |
31 | ;; Skip these tests unless user namespaces are available and the setgroups |
32 | ;; file (introduced in Linux 3.19 to address a security issue) exists. | |
25a3bfbe LC |
33 | (define (skip-if-unsupported) |
34 | (unless (and (user-namespace-supported?) | |
35 | (unprivileged-user-namespace-supported?) | |
36 | (setgroups-supported?)) | |
37 | (test-skip 1))) | |
c1f6a0c2 | 38 | |
25a3bfbe | 39 | (skip-if-unsupported) |
a72ccbc2 DT |
40 | (test-assert "call-with-container, exit with 0 when there is no error" |
41 | (zero? | |
42 | (call-with-container '() (const #t) #:namespaces '(user)))) | |
43 | ||
25a3bfbe | 44 | (skip-if-unsupported) |
c1f6a0c2 DT |
45 | (test-assert "call-with-container, user namespace" |
46 | (zero? | |
47 | (call-with-container '() | |
48 | (lambda () | |
49 | ;; The user is root within the new user namespace. | |
50 | (assert-exit (and (zero? (getuid)) (zero? (getgid))))) | |
51 | #:namespaces '(user)))) | |
52 | ||
25a3bfbe | 53 | (skip-if-unsupported) |
c1f6a0c2 DT |
54 | (test-assert "call-with-container, uts namespace" |
55 | (zero? | |
56 | (call-with-container '() | |
57 | (lambda () | |
58 | ;; The user is root within the container and should be able to change | |
59 | ;; the hostname of that container. | |
60 | (sethostname "test-container") | |
61 | (primitive-exit 0)) | |
62 | #:namespaces '(user uts)))) | |
63 | ||
25a3bfbe | 64 | (skip-if-unsupported) |
c1f6a0c2 DT |
65 | (test-assert "call-with-container, pid namespace" |
66 | (zero? | |
67 | (call-with-container '() | |
68 | (lambda () | |
69 | (match (primitive-fork) | |
70 | (0 | |
71 | ;; The first forked process in the new pid namespace is pid 2. | |
72 | (assert-exit (= 2 (getpid)))) | |
73 | (pid | |
74 | (primitive-exit | |
75 | (match (waitpid pid) | |
76 | ((_ . status) | |
77 | (status:exit-val status))))))) | |
78 | #:namespaces '(user pid)))) | |
79 | ||
25a3bfbe | 80 | (skip-if-unsupported) |
c1f6a0c2 DT |
81 | (test-assert "call-with-container, mnt namespace" |
82 | (zero? | |
83 | (call-with-container '(("none" device "/testing" "tmpfs" () #f #f)) | |
84 | (lambda () | |
85 | (assert-exit (file-exists? "/testing"))) | |
86 | #:namespaces '(user mnt)))) | |
87 | ||
25a3bfbe | 88 | (skip-if-unsupported) |
c06f6db7 LC |
89 | (test-equal "call-with-container, mnt namespace, wrong bind mount" |
90 | `(system-error ,ENOENT) | |
91 | ;; An exception should be raised; see <http://bugs.gnu.org/23306>. | |
92 | (catch 'system-error | |
93 | (lambda () | |
94 | (call-with-container '(("/does-not-exist" device "/foo" | |
95 | "none" (bind-mount) #f #f)) | |
96 | (const #t) | |
97 | #:namespaces '(user mnt))) | |
98 | (lambda args | |
99 | (list 'system-error (system-error-errno args))))) | |
100 | ||
25a3bfbe | 101 | (skip-if-unsupported) |
c1f6a0c2 DT |
102 | (test-assert "call-with-container, all namespaces" |
103 | (zero? | |
104 | (call-with-container '() | |
105 | (lambda () | |
106 | (primitive-exit 0))))) | |
107 | ||
25a3bfbe | 108 | (skip-if-unsupported) |
c1f6a0c2 DT |
109 | (test-assert "container-excursion" |
110 | (call-with-temporary-directory | |
111 | (lambda (root) | |
112 | ;; Two pipes: One for the container to signal that the test can begin, | |
113 | ;; and one for the parent to signal to the container that the test is | |
114 | ;; over. | |
115 | (match (list (pipe) (pipe)) | |
116 | (((start-in . start-out) (end-in . end-out)) | |
117 | (define (container) | |
118 | (close end-out) | |
119 | (close start-in) | |
120 | ;; Signal for the test to start. | |
121 | (write 'ready start-out) | |
122 | (close start-out) | |
123 | ;; Wait for test completion. | |
124 | (read end-in) | |
125 | (close end-in)) | |
126 | ||
127 | (define (namespaces pid) | |
128 | (let ((pid (number->string pid))) | |
129 | (map (lambda (ns) | |
130 | (readlink (string-append "/proc/" pid "/ns/" ns))) | |
131 | '("user" "ipc" "uts" "net" "pid" "mnt")))) | |
132 | ||
831bc146 | 133 | (let* ((pid (run-container root '() %namespaces 1 container)) |
c1f6a0c2 DT |
134 | (container-namespaces (namespaces pid)) |
135 | (result | |
136 | (begin | |
137 | (close start-out) | |
138 | ;; Wait for container to be ready. | |
139 | (read start-in) | |
140 | (close start-in) | |
141 | (container-excursion pid | |
142 | (lambda () | |
143 | ;; Fork again so that the pid is within the context of | |
144 | ;; the joined pid namespace instead of the original pid | |
145 | ;; namespace. | |
146 | (match (primitive-fork) | |
147 | (0 | |
148 | ;; Check that all of the namespace identifiers are | |
149 | ;; the same as the container process. | |
150 | (assert-exit | |
151 | (equal? container-namespaces | |
152 | (namespaces (getpid))))) | |
153 | (fork-pid | |
154 | (match (waitpid fork-pid) | |
155 | ((_ . status) | |
156 | (primitive-exit | |
157 | (status:exit-val status))))))))))) | |
158 | (close end-in) | |
159 | ;; Stop the container. | |
160 | (write 'done end-out) | |
161 | (close end-out) | |
162 | (waitpid pid) | |
163 | (zero? result))))))) | |
164 | ||
165 | (test-end) |