* gnu/build/linux-container.scm (mount-file-systems): Add 'chmod' call.
* tests/containers.scm
("call-with-container, mnt namespace, root permissions"): New test.
		
	
			
		
			
				
	
	
		
| ;;; GNU Guix --- Functional package management for GNU
 | |
| ;;; Copyright © 2015 David Thompson <davet@gnu.org>
 | |
| ;;; Copyright © 2016, 2017, 2019 Ludovic Courtès <ludo@gnu.org>
 | |
| ;;;
 | |
| ;;; This file is part of GNU Guix.
 | |
| ;;;
 | |
| ;;; GNU Guix is free software; you can redistribute it and/or modify it
 | |
| ;;; under the terms of the GNU General Public License as published by
 | |
| ;;; the Free Software Foundation; either version 3 of the License, or (at
 | |
| ;;; your option) any later version.
 | |
| ;;;
 | |
| ;;; GNU Guix is distributed in the hope that it will be useful, but
 | |
| ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
 | |
| ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | |
| ;;; GNU General Public License for more details.
 | |
| ;;;
 | |
| ;;; You should have received a copy of the GNU General Public License
 | |
| ;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
 | |
| 
 | |
| (define-module (test-containers)
 | |
|   #:use-module (guix utils)
 | |
|   #:use-module (guix build syscalls)
 | |
|   #:use-module (gnu build linux-container)
 | |
|   #:use-module ((gnu system linux-container)
 | |
|                 #:select (eval/container))
 | |
|   #:use-module (gnu system file-systems)
 | |
|   #:use-module (guix store)
 | |
|   #:use-module (guix monads)
 | |
|   #:use-module (guix gexp)
 | |
|   #:use-module (guix derivations)
 | |
|   #:use-module (guix tests)
 | |
|   #:use-module (srfi srfi-1)
 | |
|   #:use-module (srfi srfi-64)
 | |
|   #:use-module (ice-9 match))
 | |
| 
 | |
| (define (assert-exit x)
 | |
|   (primitive-exit (if x 0 1)))
 | |
| 
 | |
| (test-begin "containers")
 | |
| 
 | |
| ;; Skip these tests unless user namespaces are available and the setgroups
 | |
| ;; file (introduced in Linux 3.19 to address a security issue) exists.
 | |
| (define (skip-if-unsupported)
 | |
|   (unless (and (user-namespace-supported?)
 | |
|                (unprivileged-user-namespace-supported?)
 | |
|                (setgroups-supported?))
 | |
|     (test-skip 1)))
 | |
| 
 | |
| (skip-if-unsupported)
 | |
| (test-assert "call-with-container, exit with 0 when there is no error"
 | |
|   (zero?
 | |
|    (call-with-container '() (const #t) #:namespaces '(user))))
 | |
| 
 | |
| (skip-if-unsupported)
 | |
| (test-assert "call-with-container, user namespace"
 | |
|   (zero?
 | |
|    (call-with-container '()
 | |
|      (lambda ()
 | |
|        ;; The user is root within the new user namespace.
 | |
|        (assert-exit (and (zero? (getuid)) (zero? (getgid)))))
 | |
|      #:namespaces '(user))))
 | |
| 
 | |
| (skip-if-unsupported)
 | |
| (test-assert "call-with-container, user namespace, guest UID/GID"
 | |
|   (zero?
 | |
|    (call-with-container '()
 | |
|      (lambda ()
 | |
|        (assert-exit (and (= 42 (getuid)) (= 77 (getgid)))))
 | |
|      #:guest-uid 42
 | |
|      #:guest-gid 77
 | |
|      #:namespaces '(user))))
 | |
| 
 | |
| (skip-if-unsupported)
 | |
| (test-assert "call-with-container, uts namespace"
 | |
|   (zero?
 | |
|    (call-with-container '()
 | |
|      (lambda ()
 | |
|        ;; The user is root within the container and should be able to change
 | |
|        ;; the hostname of that container.
 | |
|        (sethostname "test-container")
 | |
|        (primitive-exit 0))
 | |
|      #:namespaces '(user uts))))
 | |
| 
 | |
| (skip-if-unsupported)
 | |
| (test-assert "call-with-container, pid namespace"
 | |
|   (zero?
 | |
|    (call-with-container '()
 | |
|      (lambda ()
 | |
|        (match (primitive-fork)
 | |
|          (0
 | |
|           ;; The first forked process in the new pid namespace is pid 2.
 | |
|           (assert-exit (= 2 (getpid))))
 | |
|          (pid
 | |
|           (primitive-exit
 | |
|            (match (waitpid pid)
 | |
|              ((_ . status)
 | |
|               (status:exit-val status)))))))
 | |
|      #:namespaces '(user pid))))
 | |
| 
 | |
| (skip-if-unsupported)
 | |
| (test-assert "call-with-container, mnt namespace"
 | |
|   (zero?
 | |
|    (call-with-container (list (file-system
 | |
|                                 (device "none")
 | |
|                                 (mount-point "/testing")
 | |
|                                 (type "tmpfs")
 | |
|                                 (check? #f)))
 | |
|      (lambda ()
 | |
|        (assert-exit (file-exists? "/testing")))
 | |
|      #:namespaces '(user mnt))))
 | |
| 
 | |
| (skip-if-unsupported)
 | |
| (test-equal "call-with-container, mnt namespace, wrong bind mount"
 | |
|   `(system-error ,ENOENT)
 | |
|   ;; An exception should be raised; see <http://bugs.gnu.org/23306>.
 | |
|   (catch 'system-error
 | |
|     (lambda ()
 | |
|       (call-with-container (list (file-system
 | |
|                                    (device "/does-not-exist")
 | |
|                                    (mount-point "/foo")
 | |
|                                    (type "none")
 | |
|                                    (flags '(bind-mount))
 | |
|                                    (check? #f)))
 | |
|         (const #t)
 | |
|         #:namespaces '(user mnt)))
 | |
|     (lambda args
 | |
|       (list 'system-error (system-error-errno args)))))
 | |
| 
 | |
| (skip-if-unsupported)
 | |
| (test-assert "call-with-container, all namespaces"
 | |
|   (zero?
 | |
|    (call-with-container '()
 | |
|      (lambda ()
 | |
|        (primitive-exit 0)))))
 | |
| 
 | |
| (skip-if-unsupported)
 | |
| (test-assert "call-with-container, mnt namespace, root permissions"
 | |
|   (zero?
 | |
|    (call-with-container '()
 | |
|      (lambda ()
 | |
|        (assert-exit (= #o755 (stat:perms (lstat "/")))))
 | |
|      #:namespaces '(user mnt))))
 | |
| 
 | |
| (skip-if-unsupported)
 | |
| (test-assert "container-excursion"
 | |
|   (call-with-temporary-directory
 | |
|    (lambda (root)
 | |
|      ;; Two pipes: One for the container to signal that the test can begin,
 | |
|      ;; and one for the parent to signal to the container that the test is
 | |
|      ;; over.
 | |
|      (match (list (pipe) (pipe))
 | |
|        (((start-in . start-out) (end-in . end-out))
 | |
|         (define (container)
 | |
|           (close end-out)
 | |
|           (close start-in)
 | |
|           ;; Signal for the test to start.
 | |
|           (write 'ready start-out)
 | |
|           (close start-out)
 | |
|           ;; Wait for test completion.
 | |
|           (read end-in)
 | |
|           (close end-in))
 | |
| 
 | |
|         (define (namespaces pid)
 | |
|           (let ((pid (number->string pid)))
 | |
|             (map (lambda (ns)
 | |
|                    (readlink (string-append "/proc/" pid "/ns/" ns)))
 | |
|                  '("user" "ipc" "uts" "net" "pid" "mnt"))))
 | |
| 
 | |
|         (let* ((pid (run-container root '() %namespaces 1 container))
 | |
|                (container-namespaces (namespaces pid))
 | |
|                (result
 | |
|                 (begin
 | |
|                   (close start-out)
 | |
|                   ;; Wait for container to be ready.
 | |
|                   (read start-in)
 | |
|                   (close start-in)
 | |
|                   (container-excursion pid
 | |
|                     (lambda ()
 | |
|                       ;; Fork again so that the pid is within the context of
 | |
|                       ;; the joined pid namespace instead of the original pid
 | |
|                       ;; namespace.
 | |
|                       (match (primitive-fork)
 | |
|                         (0
 | |
|                          ;; Check that all of the namespace identifiers are
 | |
|                          ;; the same as the container process.
 | |
|                          (assert-exit
 | |
|                           (equal? container-namespaces
 | |
|                                   (namespaces (getpid)))))
 | |
|                         (fork-pid
 | |
|                          (match (waitpid fork-pid)
 | |
|                            ((_ . status)
 | |
|                             (primitive-exit
 | |
|                              (status:exit-val status)))))))))))
 | |
|           (close end-in)
 | |
|           ;; Stop the container.
 | |
|           (write 'done end-out)
 | |
|           (close end-out)
 | |
|           (waitpid pid)
 | |
|           (zero? result)))))))
 | |
| 
 | |
| (skip-if-unsupported)
 | |
| (test-equal "container-excursion, same namespaces"
 | |
|   42
 | |
|   ;; The parent and child are in the same namespaces.  'container-excursion'
 | |
|   ;; should notice that and avoid calling 'setns' since that would fail.
 | |
|   (container-excursion (getpid)
 | |
|     (lambda ()
 | |
|       (primitive-exit 42))))
 | |
| 
 | |
| (skip-if-unsupported)
 | |
| (test-assert "container-excursion*"
 | |
|   (call-with-temporary-directory
 | |
|    (lambda (root)
 | |
|      (define (namespaces pid)
 | |
|        (let ((pid (number->string pid)))
 | |
|          (map (lambda (ns)
 | |
|                 (readlink (string-append "/proc/" pid "/ns/" ns)))
 | |
|               '("user" "ipc" "uts" "net" "pid" "mnt"))))
 | |
| 
 | |
|      (let* ((pid    (run-container root '()
 | |
|                                    %namespaces 1
 | |
|                                    (lambda ()
 | |
|                                      (sleep 100))))
 | |
|             (expected (namespaces pid))
 | |
|             (result (container-excursion* pid
 | |
|                       (lambda ()
 | |
|                         (namespaces 1)))))
 | |
|        (kill pid SIGKILL)
 | |
|        (equal? result expected)))))
 | |
| 
 | |
| (skip-if-unsupported)
 | |
| (test-equal "container-excursion*, same namespaces"
 | |
|   42
 | |
|   (container-excursion* (getpid)
 | |
|     (lambda ()
 | |
|       (* 6 7))))
 | |
| 
 | |
| (skip-if-unsupported)
 | |
| (test-equal "eval/container, exit status"
 | |
|   42
 | |
|   (let* ((store  (open-connection-for-tests))
 | |
|          (status (run-with-store store
 | |
|                    (eval/container #~(exit 42)))))
 | |
|     (close-connection store)
 | |
|     (status:exit-val status)))
 | |
| 
 | |
| (skip-if-unsupported)
 | |
| (test-assert "eval/container, writable user mapping"
 | |
|   (call-with-temporary-directory
 | |
|    (lambda (directory)
 | |
|      (define store
 | |
|        (open-connection-for-tests))
 | |
|      (define result
 | |
|        (string-append directory "/r"))
 | |
|      (define requisites*
 | |
|        (store-lift requisites))
 | |
| 
 | |
|      (call-with-output-file result (const #t))
 | |
|      (run-with-store store
 | |
|        (mlet %store-monad ((status (eval/container
 | |
|                                     #~(begin
 | |
|                                         (use-modules (ice-9 ftw))
 | |
|                                         (call-with-output-file "/result"
 | |
|                                           (lambda (port)
 | |
|                                             (write (scandir #$(%store-prefix))
 | |
|                                                    port))))
 | |
|                                     #:mappings
 | |
|                                     (list (file-system-mapping
 | |
|                                            (source result)
 | |
|                                            (target "/result")
 | |
|                                            (writable? #t)))))
 | |
|                            (reqs   (requisites*
 | |
|                                     (list (derivation->output-path
 | |
|                                            (%guile-for-build))))))
 | |
|          (close-connection store)
 | |
|          (return (and (zero? (pk 'status status))
 | |
|                       (lset= string=? (cons* "." ".." (map basename reqs))
 | |
|                              (pk (call-with-input-file result read))))))))))
 | |
| 
 | |
| (skip-if-unsupported)
 | |
| (test-assert "eval/container, non-empty load path"
 | |
|   (call-with-temporary-directory
 | |
|    (lambda (directory)
 | |
|      (define store
 | |
|        (open-connection-for-tests))
 | |
|      (define result
 | |
|        (string-append directory "/r"))
 | |
|      (define requisites*
 | |
|        (store-lift requisites))
 | |
| 
 | |
|      (mkdir result)
 | |
|      (run-with-store store
 | |
|        (mlet %store-monad ((status (eval/container
 | |
|                                     (with-imported-modules '((guix build utils))
 | |
|                                       #~(begin
 | |
|                                           (use-modules (guix build utils))
 | |
|                                           (mkdir-p "/result/a/b/c")))
 | |
|                                     #:mappings
 | |
|                                     (list (file-system-mapping
 | |
|                                            (source result)
 | |
|                                            (target "/result")
 | |
|                                            (writable? #t))))))
 | |
|          (close-connection store)
 | |
|          (return (and (zero? status)
 | |
|                       (file-is-directory?
 | |
|                        (string-append result "/a/b/c")))))))))
 | |
| 
 | |
| (test-end)
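Review bot: The new "call-with-container, mnt namespace, root permissions" test pins `(stat:perms (lstat "/"))` to exactly `#o755` without saying why that mode is the contract, so a later change to the chmod in mount-file-systems would fail the test with no explanation; a comment above the `assert-exit`, e.g. `;; The container root must be readable and traversable by every UID inside the container, not only the one that created it.`, would record the intent. The test also runs only as the default guest UID (root inside the user namespace), whereas the user-visible effect of the chmod is presumably that a non-root guest can enter `/`; a companion assertion using `#:guest-uid 42 #:guest-gid 77` like the earlier test and checking `(access? "/" X_OK)` would exercise that path rather than the mode bits alone. If the root directory that call-with-container mounts is a host path, the 0755 mode is also visible on the host side; that cannot be confirmed from this file, so it is worth stating in mount-file-systems that this widening is intended.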
 |