| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322 |
- ;;; GNU Guix --- Functional package management for GNU
- ;;; Copyright © 2015 David Thompson <davet@gnu.org>
- ;;; Copyright © 2016, 2017, 2019, 2023 Ludovic Courtès <ludo@gnu.org>
- ;;;
- ;;; This file is part of GNU Guix.
- ;;;
- ;;; GNU Guix is free software; you can redistribute it and/or modify it
- ;;; under the terms of the GNU General Public License as published by
- ;;; the Free Software Foundation; either version 3 of the License, or (at
- ;;; your option) any later version.
- ;;;
- ;;; GNU Guix is distributed in the hope that it will be useful, but
- ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
- ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- ;;; GNU General Public License for more details.
- ;;;
- ;;; You should have received a copy of the GNU General Public License
- ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
- (define-module (test-containers)
- #:use-module (guix utils)
- #:use-module (guix build syscalls)
- #:use-module (gnu build linux-container)
- #:use-module ((gnu system linux-container)
- #:select (eval/container))
- #:use-module (gnu system file-systems)
- #:use-module (guix store)
- #:use-module (guix monads)
- #:use-module (guix gexp)
- #:use-module (guix derivations)
- #:use-module (guix tests)
- #:use-module (srfi srfi-1)
- #:use-module (srfi srfi-64)
- #:use-module (ice-9 match)
- #:use-module ((ice-9 ftw) #:select (scandir)))
- (define (assert-exit x)
- (primitive-exit (if x 0 1)))
- (test-begin "containers")
- ;; Skip these tests unless user namespaces are available and the setgroups
- ;; file (introduced in Linux 3.19 to address a security issue) exists.
- (define (skip-if-unsupported)
- (unless (and (user-namespace-supported?)
- (unprivileged-user-namespace-supported?)
- (setgroups-supported?))
- (test-skip 1)))
- (skip-if-unsupported)
- (test-assert "call-with-container, exit with 0 when there is no error"
- (zero?
- (call-with-container '() (const #t) #:namespaces '(user))))
- (skip-if-unsupported)
- (test-assert "call-with-container, user namespace"
- (zero?
- (call-with-container '()
- (lambda ()
- ;; The user is root within the new user namespace.
- (assert-exit (and (zero? (getuid)) (zero? (getgid)))))
- #:namespaces '(user))))
- (skip-if-unsupported)
- (test-assert "call-with-container, user namespace, guest UID/GID"
- (zero?
- (call-with-container '()
- (lambda ()
- (assert-exit (and (= 42 (getuid)) (= 77 (getgid)))))
- #:guest-uid 42
- #:guest-gid 77
- #:namespaces '(user))))
- (skip-if-unsupported)
- (test-assert "call-with-container, uts namespace"
- (zero?
- (call-with-container '()
- (lambda ()
- ;; The user is root within the container and should be able to change
- ;; the hostname of that container.
- (sethostname "test-container")
- (primitive-exit 0))
- #:namespaces '(user uts))))
- (skip-if-unsupported)
- (test-assert "call-with-container, pid namespace"
- (zero?
- (call-with-container '()
- (lambda ()
- (match (primitive-fork)
- (0
- ;; The first forked process in the new pid namespace is pid 2.
- (assert-exit (= 2 (getpid))))
- (pid
- (primitive-exit
- (match (waitpid pid)
- ((_ . status)
- (status:exit-val status)))))))
- #:namespaces '(user pid))))
- (skip-if-unsupported)
- (test-assert "call-with-container, mnt namespace"
- (zero?
- (call-with-container (list (file-system
- (device "none")
- (mount-point "/testing")
- (type "tmpfs")
- (check? #f)))
- (lambda ()
- (assert-exit (file-exists? "/testing")))
- #:namespaces '(user mnt))))
- (skip-if-unsupported)
- (test-equal "call-with-container, mnt namespace, wrong bind mount"
- `(system-error ,ENOENT)
- ;; An exception should be raised; see <http://bugs.gnu.org/23306>.
- (catch 'system-error
- (lambda ()
- (call-with-container (list (file-system
- (device "/does-not-exist")
- (mount-point "/foo")
- (type "none")
- (flags '(bind-mount))
- (check? #f)))
- (const #t)
- #:namespaces '(user mnt)))
- (lambda args
- (list 'system-error (system-error-errno args)))))
- (skip-if-unsupported)
- (test-assert "call-with-container, all namespaces"
- (zero?
- (call-with-container '()
- (lambda ()
- (primitive-exit 0)))))
- (skip-if-unsupported)
- (test-assert "call-with-container, mnt namespace, root permissions"
- (zero?
- (call-with-container '()
- (lambda ()
- (assert-exit (= #o755 (stat:perms (lstat "/")))))
- #:namespaces '(user mnt))))
- (skip-if-unsupported)
- (test-assert "container-excursion"
- (call-with-temporary-directory
- (lambda (root)
- ;; Two pipes: One for the container to signal that the test can begin,
- ;; and one for the parent to signal to the container that the test is
- ;; over.
- (match (list (pipe) (pipe))
- (((start-in . start-out) (end-in . end-out))
- (define (container)
- (close end-out)
- (close start-in)
- ;; Signal for the test to start.
- (write 'ready start-out)
- (close start-out)
- ;; Wait for test completion.
- (read end-in)
- (close end-in))
- (define (namespaces pid)
- (let ((pid (number->string pid)))
- (map (lambda (ns)
- (readlink (string-append "/proc/" pid "/ns/" ns)))
- '("user" "ipc" "uts" "net" "pid" "mnt"))))
- (let* ((pid (run-container root '() %namespaces 1 container))
- (container-namespaces (namespaces pid))
- (result
- (begin
- (close start-out)
- ;; Wait for container to be ready.
- (read start-in)
- (close start-in)
- (container-excursion pid
- (lambda ()
- ;; Check that all of the namespace identifiers are
- ;; the same as the container process.
- (assert-exit
- (equal? container-namespaces
- (namespaces (getpid)))))))))
- (close end-in)
- ;; Stop the container.
- (write 'done end-out)
- (close end-out)
- (waitpid pid)
- (zero? result)))))))
- (skip-if-unsupported)
- (test-equal "container-excursion, same namespaces"
- 42
- ;; The parent and child are in the same namespaces. 'container-excursion'
- ;; should notice that and avoid calling 'setns' since that would fail.
- (status:exit-val
- (container-excursion (getpid)
- (lambda ()
- (primitive-exit 42)))))
- (skip-if-unsupported)
- (test-assert "container-excursion*"
- (call-with-temporary-directory
- (lambda (root)
- (define (namespaces pid)
- (let ((pid (number->string pid)))
- (map (lambda (ns)
- (readlink (string-append "/proc/" pid "/ns/" ns)))
- '("user" "ipc" "uts" "net" "pid" "mnt"))))
- (let* ((pid (run-container root '()
- %namespaces 1
- (lambda ()
- (sleep 100))))
- (expected (namespaces pid))
- (result (container-excursion* pid
- (lambda ()
- (namespaces 1)))))
- (kill pid SIGKILL)
- (equal? result expected)))))
- (skip-if-unsupported)
- (test-equal "container-excursion*, same namespaces"
- 42
- (container-excursion* (getpid)
- (lambda ()
- (* 6 7))))
- (skip-if-unsupported)
- (test-equal "container-excursion*, /proc"
- '("1" "2")
- (call-with-temporary-directory
- (lambda (root)
- (let* ((pid (run-container root '()
- %namespaces 1
- (lambda ()
- (sleep 100))))
- (result (container-excursion* pid
- (lambda ()
- ;; We expect to see exactly two processes in this
- ;; namespace.
- (scandir "/proc"
- (lambda (file)
- (char-set-contains?
- char-set:digit
- (string-ref file 0))))))))
- (kill pid SIGKILL)
- result))))
- (skip-if-unsupported)
- (test-equal "eval/container, exit status"
- 42
- (let* ((store (open-connection-for-tests))
- (status (run-with-store store
- (eval/container #~(exit 42)))))
- (close-connection store)
- (status:exit-val status)))
- (skip-if-unsupported)
- (test-assert "eval/container, writable user mapping"
- (call-with-temporary-directory
- (lambda (directory)
- (define store
- (open-connection-for-tests))
- (define result
- (string-append directory "/r"))
- (define requisites*
- (store-lift requisites))
- (call-with-output-file result (const #t))
- (run-with-store store
- (mlet %store-monad ((status (eval/container
- #~(begin
- (use-modules (ice-9 ftw))
- (call-with-output-file "/result"
- (lambda (port)
- (write (scandir #$(%store-prefix))
- port))))
- #:mappings
- (list (file-system-mapping
- (source result)
- (target "/result")
- (writable? #t)))))
- (reqs (requisites*
- (list (derivation->output-path
- (%guile-for-build))))))
- (close-connection store)
- (return (and (zero? (pk 'status status))
- (lset= string=? (cons* "." ".." (map basename reqs))
- (pk (call-with-input-file result read))))))))))
- (skip-if-unsupported)
- (test-assert "eval/container, non-empty load path"
- (call-with-temporary-directory
- (lambda (directory)
- (define store
- (open-connection-for-tests))
- (define result
- (string-append directory "/r"))
- (define requisites*
- (store-lift requisites))
- (mkdir result)
- (run-with-store store
- (mlet %store-monad ((status (eval/container
- (with-imported-modules '((guix build utils))
- #~(begin
- (use-modules (guix build utils))
- (mkdir-p "/result/a/b/c")))
- #:mappings
- (list (file-system-mapping
- (source result)
- (target "/result")
- (writable? #t))))))
- (close-connection store)
- (return (and (zero? status)
- (file-is-directory?
- (string-append result "/a/b/c")))))))))
- (test-end)
|
