1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2015 David Thompson <davet@gnu.org>
3 ;;; Copyright © 2016, 2017, 2019 Ludovic Courtès <ludo@gnu.org>
4 ;;;
5 ;;; This file is part of GNU Guix.
6 ;;;
7 ;;; GNU Guix is free software; you can redistribute it and/or modify it
8 ;;; under the terms of the GNU General Public License as published by
9 ;;; the Free Software Foundation; either version 3 of the License, or (at
10 ;;; your option) any later version.
11 ;;;
12 ;;; GNU Guix is distributed in the hope that it will be useful, but
13 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
14 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 ;;; GNU General Public License for more details.
16 ;;;
17 ;;; You should have received a copy of the GNU General Public License
18 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
19
20 (define-module (test-containers)
21 #:use-module (guix utils)
22 #:use-module (guix build syscalls)
23 #:use-module (gnu build linux-container)
24 #:use-module (gnu system file-systems)
25 #:use-module (srfi srfi-64)
26 #:use-module (ice-9 match))
27
;; Exit the current process with status 0 when X is true and 1 otherwise.
;; The container child processes below can only report back to the test
;; through their exit status, which is what this helper encodes.
(define (assert-exit x)
  (let ((status (cond (x 0)
                      (else 1))))
    (primitive-exit status)))
30
;; Every test in this group is preceded by a 'skip-if-unsupported' call so it
;; is skipped on kernels without usable user namespaces.
(test-begin "containers")
32
;; Skip the *next* test unless user namespaces are available and the setgroups
;; file (introduced in Linux 3.19 to address a security issue) exists.
;; 'test-skip' with a count of 1 only affects the test that follows, which is
;; why each test below is preceded by its own call.
(define (skip-if-unsupported)
  (let ((supported? (and (user-namespace-supported?)
                         (unprivileged-user-namespace-supported?)
                         (setgroups-supported?))))
    (when (not supported?)
      (test-skip 1))))
40
(skip-if-unsupported)
(test-assert "call-with-container, exit with 0 when there is no error"
  ;; A thunk that simply returns yields exit status 0 from the container
  ;; process.
  (let ((status (call-with-container '() (const #t) #:namespaces '(user))))
    (= 0 status)))
45
(skip-if-unsupported)
(test-assert "call-with-container, user namespace"
  (let ((status (call-with-container
                 '()
                 (lambda ()
                   ;; Within the new user namespace the process is mapped to
                   ;; root, so both its UID and GID read as 0.
                   (assert-exit (= 0 (getuid) (getgid))))
                 #:namespaces '(user))))
    (= 0 status)))
54
(skip-if-unsupported)
(test-assert "call-with-container, user namespace, guest UID/GID"
  ;; The UID/GID requested for the guest are what the process observes
  ;; inside the user namespace.
  (let ((status (call-with-container
                 '()
                 (lambda ()
                   (assert-exit (and (eqv? (getuid) 42)
                                     (eqv? (getgid) 77))))
                 #:namespaces '(user)
                 #:guest-gid 77
                 #:guest-uid 42)))
    (= 0 status)))
64
(skip-if-unsupported)
(test-assert "call-with-container, uts namespace"
  ;; Root inside the container may change the container's hostname; the
  ;; separate UTS namespace keeps that change from reaching the host.
  (let ((status (call-with-container
                 '()
                 (lambda ()
                   (sethostname "test-container")
                   (primitive-exit 0))
                 #:namespaces '(user uts))))
    (= 0 status)))
75
(skip-if-unsupported)
(test-assert "call-with-container, pid namespace"
  (let ((status (call-with-container
                 '()
                 (lambda ()
                   (let ((child (primitive-fork)))
                     (if (zero? child)
                         ;; The first process forked inside the new pid
                         ;; namespace gets pid 2 (the container process is
                         ;; presumably pid 1 there).
                         (assert-exit (= 2 (getpid)))
                         ;; Parent side: our exit status is the child's.
                         (primitive-exit
                          (status:exit-val (cdr (waitpid child)))))))
                 #:namespaces '(user pid))))
    (= 0 status)))
91
(skip-if-unsupported)
(test-assert "call-with-container, mnt namespace"
  ;; A tmpfs mounted at /testing inside the new mount namespace must be
  ;; visible to the container process.
  (let* ((tmpfs (file-system
                  (device "none")
                  (mount-point "/testing")
                  (type "tmpfs")
                  (check? #f)))
         (status (call-with-container
                  (list tmpfs)
                  (lambda ()
                    (assert-exit (file-exists? "/testing")))
                  #:namespaces '(user mnt))))
    (= 0 status)))
103
(skip-if-unsupported)
(test-equal "call-with-container, mnt namespace, wrong bind mount"
  `(system-error ,ENOENT)
  ;; Bind-mounting a source that does not exist must surface to the caller as
  ;; a 'system-error' carrying ENOENT rather than be silently ignored; see
  ;; <http://bugs.gnu.org/23306>.
  (let ((bogus (file-system
                 (device "/does-not-exist")
                 (mount-point "/foo")
                 (type "none")
                 (flags '(bind-mount))
                 (check? #f))))
    (catch 'system-error
      (lambda ()
        (call-with-container (list bogus)
                             (const #t)
                             #:namespaces '(user mnt)))
      (lambda (key . rest)
        ;; KEY is necessarily 'system-error here; (cons KEY REST) is the full
        ;; argument list 'system-error-errno' expects.
        (list key (system-error-errno (cons key rest)))))))
120
(skip-if-unsupported)
(test-assert "call-with-container, all namespaces"
  ;; No #:namespaces argument, so 'call-with-container' uses its default set.
  (let ((status (call-with-container '()
                                     (lambda ()
                                       (primitive-exit 0)))))
    (= 0 status)))
127
(skip-if-unsupported)
;; Start a container, join its namespaces with 'container-excursion', and
;; check from a process forked inside the joined pid namespace that all six
;; namespace identifiers match those of the container process.
(test-assert "container-excursion"
  (call-with-temporary-directory
   (lambda (root)
     ;; Two pipes: One for the container to signal that the test can begin,
     ;; and one for the parent to signal to the container that the test is
     ;; over.
     (match (list (pipe) (pipe))
       (((start-in . start-out) (end-in . end-out))
        ;; Body of the container process: close the pipe ends it does not
        ;; use, announce readiness, then block until the parent writes 'done.
        (define (container)
          (close end-out)
          (close start-in)
          ;; Signal for the test to start.
          (write 'ready start-out)
          (close start-out)
          ;; Wait for test completion.
          (read end-in)
          (close end-in))

        ;; Namespace identifiers of PID, read from /proc/PID/ns/*.  Two
        ;; processes in the same namespace yield the same link target.
        (define (namespaces pid)
          (let ((pid (number->string pid)))
            (map (lambda (ns)
                   (readlink (string-append "/proc/" pid "/ns/" ns)))
                 '("user" "ipc" "uts" "net" "pid" "mnt"))))

        ;; %namespaces comes from (gnu build linux-container); the 1 is
        ;; presumably the host UID mapped into the container -- confirm
        ;; against 'run-container'.
        (let* ((pid (run-container root '() %namespaces 1 container))
               (container-namespaces (namespaces pid))
               (result
                (begin
                  (close start-out)
                  ;; Wait for container to be ready.
                  (read start-in)
                  (close start-in)
                  (container-excursion pid
                    (lambda ()
                      ;; Fork again so that the pid is within the context of
                      ;; the joined pid namespace instead of the original pid
                      ;; namespace.
                      (match (primitive-fork)
                        (0
                         ;; Check that all of the namespace identifiers are
                         ;; the same as the container process.
                         (assert-exit
                          (equal? container-namespaces
                                  (namespaces (getpid)))))
                        (fork-pid
                         ;; Parent side of the fork: propagate the child's
                         ;; exit status.
                         (match (waitpid fork-pid)
                           ((_ . status)
                            (primitive-exit
                             (status:exit-val status)))))))))))
          (close end-in)
          ;; Stop the container.
          (write 'done end-out)
          (close end-out)
          ;; Reap the container process.
          (waitpid pid)
          (zero? result)))))))
184
(skip-if-unsupported)
(test-equal "container-excursion, same namespaces"
  42
  ;; The parent and child are in the same namespaces.  'container-excursion'
  ;; should notice that and avoid calling 'setns' since that would fail.
  (let ((self (getpid)))
    (container-excursion self
                         (lambda ()
                           (primitive-exit 42)))))
193
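(skip-if-unsupported)
(test-assert "container-excursion*"
  (call-with-temporary-directory
   (lambda (root)
     ;; Namespace identifiers of PID as exposed under /proc/PID/ns/*.
     (define (namespaces pid)
       (let ((pid (number->string pid)))
         (map (lambda (ns)
                (readlink (string-append "/proc/" pid "/ns/" ns)))
              '("user" "ipc" "uts" "net" "pid" "mnt"))))

     ;; Start a container that merely sleeps, then evaluate 'namespaces' from
     ;; inside it through 'container-excursion*'.  Inside the joined pid
     ;; namespace, pid 1 is expected to be the container process, so the
     ;; result must equal the identifiers observed for PID from the outside.
     (let* ((pid (run-container root '()
                                %namespaces 1
                                (lambda ()
                                  (sleep 100))))
            (expected (namespaces pid))
            (result (container-excursion* pid
                                          (lambda ()
                                            (namespaces 1)))))
       (kill pid SIGKILL)
       ;; Reap the container process so it does not linger as a zombie for the
       ;; remainder of the test run (the 'container-excursion' test does this
       ;; too).
       (waitpid pid)
       (equal? result expected)))))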
214
(skip-if-unsupported)
(test-equal "container-excursion*, same namespaces"
  42
  ;; Same-namespace case: no namespace switch is needed and the thunk's
  ;; value comes back as the result.
  (let ((self (getpid)))
    (container-excursion* self
                          (lambda ()
                            (* 6 7)))))

(test-end)