1;;; GNU Guix --- Functional package management for GNU
2;;; Copyright © 2015 David Thompson <davet@gnu.org>
af76c020 3;;; Copyright © 2016, 2017, 2019 Ludovic Courtès <ludo@gnu.org>
4;;;
5;;; This file is part of GNU Guix.
6;;;
7;;; GNU Guix is free software; you can redistribute it and/or modify it
8;;; under the terms of the GNU General Public License as published by
9;;; the Free Software Foundation; either version 3 of the License, or (at
10;;; your option) any later version.
11;;;
12;;; GNU Guix is distributed in the hope that it will be useful, but
13;;; WITHOUT ANY WARRANTY; without even the implied warranty of
14;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15;;; GNU General Public License for more details.
16;;;
17;;; You should have received a copy of the GNU General Public License
18;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
19
20(define-module (test-containers)
21 #:use-module (guix utils)
22 #:use-module (guix build syscalls)
23 #:use-module (gnu build linux-container)
24 #:use-module ((gnu system linux-container)
25 #:select (eval/container))
5970e8e2 26 #:use-module (gnu system file-systems)
27 #:use-module (guix store)
28 #:use-module (guix monads)
29 #:use-module (guix gexp)
30 #:use-module (guix derivations)
31 #:use-module (guix tests)
32 #:use-module (srfi srfi-1)
33 #:use-module (srfi srfi-64)
34 #:use-module (ice-9 match))
35
;; Terminate the calling process with exit status 0 when X is true and 1
;; otherwise.  This is how a check performed inside a container reports its
;; verdict: the parent only sees the status that 'call-with-container'
;; returns, so a boolean has to be turned into an exit code.
(define (assert-exit x)
  (if x
      (primitive-exit 0)
      (primitive-exit 1)))
38
;; Open the "containers" SRFI-64 test group.  Most of the tests below spawn
;; a process in one or more Linux namespaces and are therefore guarded by
;; 'skip-if-unsupported'.
(test-begin "containers")
40
;; Skip the next test unless user namespaces are available and the setgroups
;; file (introduced in Linux 3.19 to address a security issue) exists.
;;
;; 'test-skip' applies to the test form that follows, so this must be called
;; immediately before every test that relies on these kernel features.
(define (skip-if-unsupported)
  (when (or (not (user-namespace-supported?))
            (not (unprivileged-user-namespace-supported?))
            (not (setgroups-supported?)))
    (test-skip 1)))
(skip-if-unsupported)
(test-assert "call-with-container, exit with 0 when there is no error"
  ;; A thunk that simply returns must translate into exit status 0.
  (= 0 (call-with-container '() (lambda () #t) #:namespaces '(user))))
53
(skip-if-unsupported)
(test-assert "call-with-container, user namespace"
  (= 0 (call-with-container '()
                            (lambda ()
                              ;; Within the new user namespace the process
                              ;; is root: both uid and gid read as 0.
                              (assert-exit (= 0 (getuid) (getgid))))
                            #:namespaces '(user))))
62
(skip-if-unsupported)
(test-assert "call-with-container, user namespace, guest UID/GID"
  ;; #:guest-uid and #:guest-gid select the identity the process has inside
  ;; the user namespace, instead of the root mapping exercised above.
  (= 0 (call-with-container '()
                            (lambda ()
                              (assert-exit
                               (equal? (list (getuid) (getgid)) '(42 77))))
                            #:namespaces '(user)
                            #:guest-uid 42
                            #:guest-gid 77)))
72
(skip-if-unsupported)
(test-assert "call-with-container, uts namespace"
  (let ((rename-host (lambda ()
                       ;; The user is root within the container and should
                       ;; be able to change the hostname of that container;
                       ;; the separate UTS namespace is what confines the
                       ;; change to the container.
                       (sethostname "test-container")
                       (primitive-exit 0))))
    (= 0 (call-with-container '() rename-host #:namespaces '(user uts)))))
83
(skip-if-unsupported)
(test-assert "call-with-container, pid namespace"
  (= 0 (call-with-container '()
                            (lambda ()
                              (let ((child (primitive-fork)))
                                (if (zero? child)
                                    ;; The first forked process in the new
                                    ;; pid namespace is pid 2.
                                    (assert-exit (= 2 (getpid)))
                                    ;; Parent side: forward the child's exit
                                    ;; code so the verdict reaches the host.
                                    (primitive-exit
                                     (status:exit-val (cdr (waitpid child)))))))
                            #:namespaces '(user pid))))
99
(skip-if-unsupported)
(test-assert "call-with-container, mnt namespace"
  (let ((tmpfs (file-system
                 (device "none")
                 (mount-point "/testing")
                 (type "tmpfs")
                 ;; Nothing to fsck on a tmpfs.
                 (check? #f))))
    (= 0 (call-with-container (list tmpfs)
                              (lambda ()
                                ;; The requested mount should be in place
                                ;; inside the container's mount namespace.
                                (assert-exit (file-exists? "/testing")))
                              #:namespaces '(user mnt)))))
111
(skip-if-unsupported)
(test-equal "call-with-container, mnt namespace, wrong bind mount"
  `(system-error ,ENOENT)
  ;; A bind mount whose source is missing must not be silently skipped:
  ;; an exception should be raised; see <http://bugs.gnu.org/23306>.
  (let ((bogus (file-system
                 (device "/does-not-exist")
                 (mount-point "/foo")
                 (type "none")
                 (flags '(bind-mount))
                 (check? #f))))
    (catch 'system-error
      (lambda ()
        (call-with-container (list bogus) (lambda () #t)
                             #:namespaces '(user mnt)))
      (lambda (key . args)
        ;; Only the errno is compared, so the message text is irrelevant.
        (list key (system-error-errno (cons key args)))))))
128
(skip-if-unsupported)
(test-assert "call-with-container, all namespaces"
  ;; No #:namespaces argument: 'call-with-container' uses its default set,
  ;; which this test's name says is every namespace.
  (= 0 (call-with-container '()
                            (lambda ()
                              (primitive-exit 0)))))
135
(skip-if-unsupported)
(test-assert "container-excursion"
  (call-with-temporary-directory
   (lambda (root)
     ;; Two pipes: One for the container to signal that the test can begin,
     ;; and one for the parent to signal to the container that the test is
     ;; over.
     (match (list (pipe) (pipe))
       (((start-in . start-out) (end-in . end-out))
        ;; Body of the container process: drop the pipe ends it does not
        ;; use, announce readiness, then block until the parent says 'done.
        (define (container)
          (close end-out)
          (close start-in)
          ;; Signal for the test to start.
          (write 'ready start-out)
          (close start-out)
          ;; Wait for test completion.
          (read end-in)
          (close end-in))

        ;; Namespace identifiers of PID as exposed under /proc, in a fixed
        ;; order so that two such lists can be compared with 'equal?'.
        (define (namespaces pid)
          (let ((pid (number->string pid)))
            (map (lambda (ns)
                   (readlink (string-append "/proc/" pid "/ns/" ns)))
                 '("user" "ipc" "uts" "net" "pid" "mnt"))))

        (let* ((pid (run-container root '() %namespaces 1 container))
               ;; Reference value, read from the host side before joining.
               (container-namespaces (namespaces pid))
               (result
                (begin
                  (close start-out)
                  ;; Wait for container to be ready.
                  (read start-in)
                  (close start-in)
                  (container-excursion pid
                    (lambda ()
                      ;; Fork again so that the pid is within the context of
                      ;; the joined pid namespace instead of the original pid
                      ;; namespace.
                      (match (primitive-fork)
                        (0
                         ;; Check that all of the namespace identifiers are
                         ;; the same as the container process.
                         (assert-exit
                          (equal? container-namespaces
                                  (namespaces (getpid)))))
                        (fork-pid
                         (match (waitpid fork-pid)
                           ((_ . status)
                            (primitive-exit
                             (status:exit-val status)))))))))))
          (close end-in)
          ;; Stop the container.
          (write 'done end-out)
          (close end-out)
          ;; Reap the container process.  RESULT is what
          ;; 'container-excursion' returned; zero means the forked child
          ;; found every namespace identifier to match.
          (waitpid pid)
          (zero? result)))))))
192
(skip-if-unsupported)
(test-equal "container-excursion, same namespaces"
  42
  ;; The parent and child are in the same namespaces. 'container-excursion'
  ;; should notice that and avoid calling 'setns' since that would fail.
  (let ((self (getpid)))
    (container-excursion self
      (lambda ()
        (primitive-exit 42)))))
201
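(skip-if-unsupported)
(test-assert "container-excursion*"
  (call-with-temporary-directory
   (lambda (root)
     ;; Namespace identifiers of PID as exposed under /proc, in a fixed
     ;; order so that two such lists can be compared with 'equal?'.
     (define (namespaces pid)
       (let ((pid (number->string pid)))
         (map (lambda (ns)
                (readlink (string-append "/proc/" pid "/ns/" ns)))
              '("user" "ipc" "uts" "net" "pid" "mnt"))))

     ;; The container does nothing but sleep; it only exists so that its
     ;; namespaces can be joined from the outside.
     (let ((pid (run-container root '()
                               %namespaces 1
                               (lambda ()
                                 (sleep 100)))))
       (dynamic-wind
         (const #t)
         (lambda ()
           (let* ((expected (namespaces pid))
                  ;; Inside the excursion, pid 1 is the container process,
                  ;; so its namespaces must equal those seen from the host.
                  (result (container-excursion* pid
                                                (lambda ()
                                                  (namespaces 1)))))
             (equal? result expected)))
         (lambda ()
           ;; Tear the container down even when the excursion raised, so a
           ;; failing test does not leave a process sleeping for 100
           ;; seconds; then reap it so no zombie outlives the test.
           (kill pid SIGKILL)
           (waitpid pid)))))))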
222
(skip-if-unsupported)
(test-equal "container-excursion*, same namespaces"
  42
  ;; Unlike 'container-excursion', the starred variant hands back the value
  ;; computed by the thunk rather than an exit status, so no 'primitive-exit'
  ;; is involved here.
  (let ((compute (lambda () (* 6 7))))
    (container-excursion* (getpid) compute)))
229
(skip-if-unsupported)
(test-equal "eval/container, exit status"
  42
  (let ((store (open-connection-for-tests)))
    ;; 'eval/container' is a monadic value; running it in the store monad
    ;; yields the container's wait status, hence 'status:exit-val'.
    (let ((status (run-with-store store (eval/container #~(exit 42)))))
      (close-connection store)
      (status:exit-val status))))
238
(skip-if-unsupported)
(test-assert "eval/container, writable user mapping"
  (call-with-temporary-directory
   (lambda (directory)
     (let* ((store (open-connection-for-tests))
            (result (string-append directory "/r"))
            (requisites* (store-lift requisites)))
       ;; RESULT must exist on the host before it can be mapped into the
       ;; container; the container then overwrites it through "/result".
       (call-with-output-file result (lambda (port) #t))
       (run-with-store store
         (mlet %store-monad ((status (eval/container
                                      #~(begin
                                          (use-modules (ice-9 ftw))
                                          (call-with-output-file "/result"
                                            (lambda (port)
                                              (write (scandir #$(%store-prefix))
                                                     port))))
                                      #:mappings
                                      (list (file-system-mapping
                                             (source result)
                                             (target "/result")
                                             (writable? #t)))))
                             (reqs (requisites*
                                    (list (derivation->output-path
                                           (%guile-for-build))))))
           (close-connection store)
           ;; The store directory seen from inside the container must hold
           ;; exactly the requisites of the build Guile (plus "." and ".."):
           ;; nothing else from the host store is visible.  'pk' echoes each
           ;; value to the error port for debugging and returns it unchanged.
           (return (and (zero? (pk 'status status))
                        (lset= string=? (append '("." "..") (map basename reqs))
                               (pk (call-with-input-file result read)))))))))))
271
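(skip-if-unsupported)
(test-assert "eval/container, non-empty load path"
  (call-with-temporary-directory
   (lambda (directory)
     ;; Unlike the previous test, no store requisites are consulted here, so
     ;; no lifted 'requisites' procedure is bound.
     (let* ((store (open-connection-for-tests))
            (result (string-append directory "/r")))
       ;; The mapping target is a directory this time; create it on the host
       ;; so the container can populate it through "/result".
       (mkdir result)
       (run-with-store store
         (mlet %store-monad ((status (eval/container
                                      ;; (guix build utils) is only reachable
                                      ;; inside the container if it is
                                      ;; imported explicitly.
                                      (with-imported-modules '((guix build utils))
                                        #~(begin
                                            (use-modules (guix build utils))
                                            (mkdir-p "/result/a/b/c")))
                                      #:mappings
                                      (list (file-system-mapping
                                             (source result)
                                             (target "/result")
                                             (writable? #t))))))
           (close-connection store)
           ;; Zero status and the directory tree having appeared on the host
           ;; side together show that the imported module was loadable.
           (return (and (zero? status)
                        (file-is-directory?
                         (string-append result "/a/b/c")))))))))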
299
;; Close the "containers" group; SRFI-64 reports its results at this point.
(test-end)