;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015 David Thompson <davet@gnu.org>
+;;; Copyright © 2016, 2017, 2019 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
#:use-module (guix utils)
#:use-module (guix build syscalls)
#:use-module (gnu build linux-container)
+ #:use-module ((gnu system linux-container)
+ #:select (eval/container))
+ #:use-module (gnu system file-systems)
+ #:use-module (guix store)
+ #:use-module (guix monads)
+ #:use-module (guix gexp)
+ #:use-module (guix derivations)
+ #:use-module (guix tests)
+ #:use-module (srfi srfi-1)
#:use-module (srfi srfi-64)
#:use-module (ice-9 match))
(define (assert-exit x)
(primitive-exit (if x 0 1)))
-;; Skip these tests unless user namespaces are available.
-(unless (file-exists? "/proc/self/ns/user")
- (exit 77))
-
(test-begin "containers")
+;; Skip these tests unless user namespaces are available and the setgroups
+;; file (introduced in Linux 3.19 to address a security issue) exists.
+(define (skip-if-unsupported)
+ (unless (and (user-namespace-supported?)
+ (unprivileged-user-namespace-supported?)
+ (setgroups-supported?))
+ (test-skip 1)))
+
+(skip-if-unsupported)
+(test-assert "call-with-container, exit with 0 when there is no error"
+ (zero?
+ (call-with-container '() (const #t) #:namespaces '(user))))
+
+(skip-if-unsupported)
(test-assert "call-with-container, user namespace"
(zero?
(call-with-container '()
(assert-exit (and (zero? (getuid)) (zero? (getgid)))))
#:namespaces '(user))))
+(skip-if-unsupported)
+(test-assert "call-with-container, user namespace, guest UID/GID"
+ (zero?
+ (call-with-container '()
+ (lambda ()
+ (assert-exit (and (= 42 (getuid)) (= 77 (getgid)))))
+ #:guest-uid 42
+ #:guest-gid 77
+ #:namespaces '(user))))
+
+(skip-if-unsupported)
(test-assert "call-with-container, uts namespace"
(zero?
(call-with-container '()
(primitive-exit 0))
#:namespaces '(user uts))))
+(skip-if-unsupported)
(test-assert "call-with-container, pid namespace"
(zero?
(call-with-container '()
(status:exit-val status)))))))
#:namespaces '(user pid))))
+(skip-if-unsupported)
(test-assert "call-with-container, mnt namespace"
(zero?
- (call-with-container '(("none" device "/testing" "tmpfs" () #f #f))
+ (call-with-container (list (file-system
+ (device "none")
+ (mount-point "/testing")
+ (type "tmpfs")
+ (check? #f)))
(lambda ()
(assert-exit (file-exists? "/testing")))
#:namespaces '(user mnt))))
+(skip-if-unsupported)
+(test-equal "call-with-container, mnt namespace, wrong bind mount"
+ `(system-error ,ENOENT)
+ ;; An exception should be raised; see <http://bugs.gnu.org/23306>.
+ (catch 'system-error
+ (lambda ()
+ (call-with-container (list (file-system
+ (device "/does-not-exist")
+ (mount-point "/foo")
+ (type "none")
+ (flags '(bind-mount))
+ (check? #f)))
+ (const #t)
+ #:namespaces '(user mnt)))
+ (lambda args
+ (list 'system-error (system-error-errno args)))))
+
+(skip-if-unsupported)
(test-assert "call-with-container, all namespaces"
(zero?
(call-with-container '()
(lambda ()
(primitive-exit 0)))))
+(skip-if-unsupported)
(test-assert "container-excursion"
(call-with-temporary-directory
(lambda (root)
(readlink (string-append "/proc/" pid "/ns/" ns)))
'("user" "ipc" "uts" "net" "pid" "mnt"))))
- (let* ((pid (run-container root '() %namespaces container))
+ (let* ((pid (run-container root '() %namespaces 1 container))
(container-namespaces (namespaces pid))
(result
(begin
(waitpid pid)
(zero? result)))))))
-(test-end)
+(skip-if-unsupported)
+(test-equal "container-excursion, same namespaces"
+ 42
+ ;; The parent and child are in the same namespaces. 'container-excursion'
+ ;; should notice that and avoid calling 'setns' since that would fail.
+ (container-excursion (getpid)
+ (lambda ()
+ (primitive-exit 42))))
+
+(skip-if-unsupported)
+(test-assert "container-excursion*"
+ (call-with-temporary-directory
+ (lambda (root)
+ (define (namespaces pid)
+ (let ((pid (number->string pid)))
+ (map (lambda (ns)
+ (readlink (string-append "/proc/" pid "/ns/" ns)))
+ '("user" "ipc" "uts" "net" "pid" "mnt"))))
+
+ (let* ((pid (run-container root '()
+ %namespaces 1
+ (lambda ()
+ (sleep 100))))
+ (expected (namespaces pid))
+ (result (container-excursion* pid
+ (lambda ()
+ (namespaces 1)))))
+ (kill pid SIGKILL)
+ (equal? result expected)))))
+
+(skip-if-unsupported)
+(test-equal "container-excursion*, same namespaces"
+ 42
+ (container-excursion* (getpid)
+ (lambda ()
+ (* 6 7))))
+
+(skip-if-unsupported)
+(test-equal "eval/container, exit status"
+ 42
+ (let* ((store (open-connection-for-tests))
+ (status (run-with-store store
+ (eval/container #~(exit 42)))))
+ (close-connection store)
+ (status:exit-val status)))
+
+(skip-if-unsupported)
+(test-assert "eval/container, writable user mapping"
+ (call-with-temporary-directory
+ (lambda (directory)
+ (define store
+ (open-connection-for-tests))
+ (define result
+ (string-append directory "/r"))
+ (define requisites*
+ (store-lift requisites))
+
+ (call-with-output-file result (const #t))
+ (run-with-store store
+ (mlet %store-monad ((status (eval/container
+ #~(begin
+ (use-modules (ice-9 ftw))
+ (call-with-output-file "/result"
+ (lambda (port)
+ (write (scandir #$(%store-prefix))
+ port))))
+ #:mappings
+ (list (file-system-mapping
+ (source result)
+ (target "/result")
+ (writable? #t)))))
+ (reqs (requisites*
+ (list (derivation->output-path
+ (%guile-for-build))))))
+ (close-connection store)
+ (return (and (zero? (pk 'status status))
+ (lset= string=? (cons* "." ".." (map basename reqs))
+ (pk (call-with-input-file result read))))))))))
+
+(skip-if-unsupported)
+(test-assert "eval/container, non-empty load path"
+ (call-with-temporary-directory
+ (lambda (directory)
+ (define store
+ (open-connection-for-tests))
+ (define result
+ (string-append directory "/r"))
+ (define requisites*
+ (store-lift requisites))
+
+ (mkdir result)
+ (run-with-store store
+ (mlet %store-monad ((status (eval/container
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+ (mkdir-p "/result/a/b/c")))
+ #:mappings
+ (list (file-system-mapping
+ (source result)
+ (target "/result")
+ (writable? #t))))))
+ (close-connection store)
+ (return (and (zero? status)
+ (file-is-directory?
+ (string-append result "/a/b/c")))))))))
-\f
-(exit (= (test-runner-fail-count (test-runner-current)) 0))
+(test-end)