2016-07-15 15:02:40 +08:00
|
|
|
// +build linux
|
2016-02-18 00:33:46 +08:00
|
|
|
|
2016-03-25 23:44:09 +08:00
|
|
|
package specconv
|
2016-02-18 00:33:46 +08:00
|
|
|
|
|
|
|
import (
|
2017-10-25 07:58:10 +08:00
|
|
|
"os"
|
2018-11-06 11:34:33 +08:00
|
|
|
"strings"
|
2016-02-18 00:33:46 +08:00
|
|
|
"testing"
|
|
|
|
|
2019-06-04 17:52:00 +08:00
|
|
|
"golang.org/x/sys/unix"
|
|
|
|
|
2020-03-01 21:52:48 +08:00
|
|
|
dbus "github.com/godbus/dbus/v5"
|
2017-10-29 03:46:46 +08:00
|
|
|
"github.com/opencontainers/runc/libcontainer/configs"
|
2016-04-23 21:39:42 +08:00
|
|
|
"github.com/opencontainers/runc/libcontainer/configs/validate"
|
2016-04-13 04:35:51 +08:00
|
|
|
"github.com/opencontainers/runtime-spec/specs-go"
|
2016-02-18 00:33:46 +08:00
|
|
|
)
|
|
|
|
|
2017-10-29 03:46:46 +08:00
|
|
|
func TestCreateCommandHookTimeout(t *testing.T) {
|
|
|
|
timeout := 3600
|
|
|
|
hook := specs.Hook{
|
|
|
|
Path: "/some/hook/path",
|
|
|
|
Args: []string{"--some", "thing"},
|
|
|
|
Env: []string{"SOME=value"},
|
|
|
|
Timeout: &timeout,
|
|
|
|
}
|
|
|
|
command := createCommandHook(hook)
|
|
|
|
timeoutStr := command.Timeout.String()
|
|
|
|
if timeoutStr != "1h0m0s" {
|
|
|
|
t.Errorf("Expected the Timeout to be 1h0m0s, got: %s", timeoutStr)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestCreateHooks(t *testing.T) {
|
|
|
|
rspec := &specs.Spec{
|
|
|
|
Hooks: &specs.Hooks{
|
|
|
|
Prestart: []specs.Hook{
|
|
|
|
{
|
|
|
|
Path: "/some/hook/path",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Path: "/some/hook2/path",
|
|
|
|
Args: []string{"--some", "thing"},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
Poststart: []specs.Hook{
|
|
|
|
{
|
|
|
|
Path: "/some/hook/path",
|
|
|
|
Args: []string{"--some", "thing"},
|
|
|
|
Env: []string{"SOME=value"},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Path: "/some/hook2/path",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Path: "/some/hook3/path",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
Poststop: []specs.Hook{
|
|
|
|
{
|
|
|
|
Path: "/some/hook/path",
|
|
|
|
Args: []string{"--some", "thing"},
|
|
|
|
Env: []string{"SOME=value"},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Path: "/some/hook2/path",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Path: "/some/hook3/path",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Path: "/some/hook4/path",
|
|
|
|
Args: []string{"--some", "thing"},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
conf := &configs.Config{}
|
|
|
|
createHooks(rspec, conf)
|
|
|
|
|
|
|
|
prestart := conf.Hooks.Prestart
|
|
|
|
|
|
|
|
if len(prestart) != 2 {
|
|
|
|
t.Error("Expected 2 Prestart hooks")
|
|
|
|
}
|
|
|
|
|
|
|
|
poststart := conf.Hooks.Poststart
|
|
|
|
|
|
|
|
if len(poststart) != 3 {
|
|
|
|
t.Error("Expected 3 Poststart hooks")
|
|
|
|
}
|
|
|
|
|
|
|
|
poststop := conf.Hooks.Poststop
|
|
|
|
|
|
|
|
if len(poststop) != 4 {
|
|
|
|
t.Error("Expected 4 Poststop hooks")
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
func TestSetupSeccomp(t *testing.T) {
|
|
|
|
conf := &specs.LinuxSeccomp{
|
|
|
|
DefaultAction: "SCMP_ACT_ERRNO",
|
|
|
|
Architectures: []specs.Arch{specs.ArchX86_64, specs.ArchARM},
|
|
|
|
Syscalls: []specs.LinuxSyscall{
|
|
|
|
{
|
|
|
|
Names: []string{"clone"},
|
|
|
|
Action: "SCMP_ACT_ALLOW",
|
|
|
|
Args: []specs.LinuxSeccompArg{
|
|
|
|
{
|
|
|
|
Index: 0,
|
2019-06-04 17:52:00 +08:00
|
|
|
Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
|
2017-10-29 03:46:46 +08:00
|
|
|
ValueTwo: 0,
|
|
|
|
Op: "SCMP_CMP_MASKED_EQ",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Names: []string{
|
|
|
|
"select",
|
|
|
|
"semctl",
|
|
|
|
"semget",
|
|
|
|
"semop",
|
|
|
|
"semtimedop",
|
|
|
|
"send",
|
|
|
|
"sendfile",
|
|
|
|
},
|
|
|
|
Action: "SCMP_ACT_ALLOW",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
2018-04-18 01:42:04 +08:00
|
|
|
seccomp, err := SetupSeccomp(conf)
|
2017-10-29 03:46:46 +08:00
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
t.Errorf("Couldn't create Seccomp config: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if seccomp.DefaultAction != 2 { // SCMP_ACT_ERRNO
|
|
|
|
t.Error("Wrong conversion for DefaultAction")
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(seccomp.Architectures) != 2 {
|
|
|
|
t.Error("Wrong number of architectures")
|
|
|
|
}
|
|
|
|
|
|
|
|
if seccomp.Architectures[0] != "amd64" || seccomp.Architectures[1] != "arm" {
|
|
|
|
t.Error("Expected architectures are not found")
|
|
|
|
}
|
|
|
|
|
|
|
|
calls := seccomp.Syscalls
|
|
|
|
|
|
|
|
callsLength := len(calls)
|
|
|
|
if callsLength != 8 {
|
|
|
|
t.Errorf("Expected 8 syscalls, got :%d", callsLength)
|
|
|
|
}
|
|
|
|
|
|
|
|
for i, call := range calls {
|
|
|
|
if i == 0 {
|
|
|
|
expectedCloneSyscallArgs := configs.Arg{
|
|
|
|
Index: 0,
|
|
|
|
Op: 7, // SCMP_CMP_MASKED_EQ
|
2019-06-04 17:52:00 +08:00
|
|
|
Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
|
2017-10-29 03:46:46 +08:00
|
|
|
ValueTwo: 0,
|
|
|
|
}
|
|
|
|
if expectedCloneSyscallArgs != *call.Args[0] {
|
|
|
|
t.Errorf("Wrong arguments conversion for the clone syscall under test")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if call.Action != 4 {
|
|
|
|
t.Error("Wrong conversion for the clone syscall action")
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
2017-10-25 07:58:10 +08:00
|
|
|
func TestLinuxCgroupWithMemoryResource(t *testing.T) {
|
|
|
|
cgroupsPath := "/user/cgroups/path/id"
|
|
|
|
|
|
|
|
spec := &specs.Spec{}
|
|
|
|
devices := []specs.LinuxDeviceCgroup{
|
|
|
|
{
|
|
|
|
Allow: false,
|
|
|
|
Access: "rwm",
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
limit := int64(100)
|
|
|
|
reservation := int64(50)
|
|
|
|
swap := int64(20)
|
|
|
|
kernel := int64(40)
|
|
|
|
kernelTCP := int64(45)
|
|
|
|
swappiness := uint64(1)
|
|
|
|
swappinessPtr := &swappiness
|
|
|
|
disableOOMKiller := true
|
|
|
|
resources := &specs.LinuxResources{
|
|
|
|
Devices: devices,
|
|
|
|
Memory: &specs.LinuxMemory{
|
|
|
|
Limit: &limit,
|
|
|
|
Reservation: &reservation,
|
|
|
|
Swap: &swap,
|
|
|
|
Kernel: &kernel,
|
|
|
|
KernelTCP: &kernelTCP,
|
|
|
|
Swappiness: swappinessPtr,
|
|
|
|
DisableOOMKiller: &disableOOMKiller,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
spec.Linux = &specs.Linux{
|
|
|
|
CgroupsPath: cgroupsPath,
|
|
|
|
Resources: resources,
|
|
|
|
}
|
|
|
|
|
|
|
|
opts := &CreateOpts{
|
|
|
|
CgroupName: "ContainerID",
|
|
|
|
UseSystemdCgroup: false,
|
|
|
|
Spec: spec,
|
|
|
|
}
|
|
|
|
|
2019-12-06 23:25:17 +08:00
|
|
|
cgroup, err := CreateCgroupConfig(opts)
|
2017-10-25 07:58:10 +08:00
|
|
|
if err != nil {
|
|
|
|
t.Errorf("Couldn't create Cgroup config: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if cgroup.Path != cgroupsPath {
|
|
|
|
t.Errorf("Wrong cgroupsPath, expected '%s' got '%s'", cgroupsPath, cgroup.Path)
|
|
|
|
}
|
|
|
|
if cgroup.Resources.Memory != limit {
|
|
|
|
t.Errorf("Expected to have %d as memory limit, got %d", limit, cgroup.Resources.Memory)
|
|
|
|
}
|
|
|
|
if cgroup.Resources.MemoryReservation != reservation {
|
|
|
|
t.Errorf("Expected to have %d as memory reservation, got %d", reservation, cgroup.Resources.MemoryReservation)
|
|
|
|
}
|
|
|
|
if cgroup.Resources.MemorySwap != swap {
|
|
|
|
t.Errorf("Expected to have %d as swap, got %d", swap, cgroup.Resources.MemorySwap)
|
|
|
|
}
|
|
|
|
if cgroup.Resources.KernelMemory != kernel {
|
|
|
|
t.Errorf("Expected to have %d as Kernel Memory, got %d", kernel, cgroup.Resources.KernelMemory)
|
|
|
|
}
|
|
|
|
if cgroup.Resources.KernelMemoryTCP != kernelTCP {
|
|
|
|
t.Errorf("Expected to have %d as TCP Kernel Memory, got %d", kernelTCP, cgroup.Resources.KernelMemoryTCP)
|
|
|
|
}
|
|
|
|
if cgroup.Resources.MemorySwappiness != swappinessPtr {
|
|
|
|
t.Errorf("Expected to have %d as memory swappiness, got %d", swappinessPtr, cgroup.Resources.MemorySwappiness)
|
|
|
|
}
|
|
|
|
if cgroup.Resources.OomKillDisable != disableOOMKiller {
|
|
|
|
t.Errorf("The OOMKiller should be enabled")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestLinuxCgroupSystemd(t *testing.T) {
|
|
|
|
cgroupsPath := "parent:scopeprefix:name"
|
|
|
|
|
|
|
|
spec := &specs.Spec{}
|
|
|
|
spec.Linux = &specs.Linux{
|
|
|
|
CgroupsPath: cgroupsPath,
|
|
|
|
}
|
|
|
|
|
|
|
|
opts := &CreateOpts{
|
|
|
|
UseSystemdCgroup: true,
|
|
|
|
Spec: spec,
|
|
|
|
}
|
|
|
|
|
2019-12-06 23:25:17 +08:00
|
|
|
cgroup, err := CreateCgroupConfig(opts)
|
2017-10-25 07:58:10 +08:00
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
t.Errorf("Couldn't create Cgroup config: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
expectedParent := "parent"
|
|
|
|
if cgroup.Parent != expectedParent {
|
|
|
|
t.Errorf("Expected to have %s as Parent instead of %s", expectedParent, cgroup.Parent)
|
|
|
|
}
|
|
|
|
|
|
|
|
expectedScopePrefix := "scopeprefix"
|
|
|
|
if cgroup.ScopePrefix != expectedScopePrefix {
|
|
|
|
t.Errorf("Expected to have %s as ScopePrefix instead of %s", expectedScopePrefix, cgroup.ScopePrefix)
|
|
|
|
}
|
|
|
|
|
|
|
|
expectedName := "name"
|
|
|
|
if cgroup.Name != expectedName {
|
|
|
|
t.Errorf("Expected to have %s as Name instead of %s", expectedName, cgroup.Name)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestLinuxCgroupSystemdWithEmptyPath(t *testing.T) {
|
|
|
|
cgroupsPath := ""
|
|
|
|
|
|
|
|
spec := &specs.Spec{}
|
|
|
|
spec.Linux = &specs.Linux{
|
|
|
|
CgroupsPath: cgroupsPath,
|
|
|
|
}
|
|
|
|
|
|
|
|
opts := &CreateOpts{
|
|
|
|
CgroupName: "ContainerID",
|
|
|
|
UseSystemdCgroup: true,
|
|
|
|
Spec: spec,
|
|
|
|
}
|
|
|
|
|
2019-12-06 23:25:17 +08:00
|
|
|
cgroup, err := CreateCgroupConfig(opts)
|
2017-10-25 07:58:10 +08:00
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
t.Errorf("Couldn't create Cgroup config: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
expectedParent := "system.slice"
|
|
|
|
if cgroup.Parent != expectedParent {
|
|
|
|
t.Errorf("Expected to have %s as Parent instead of %s", expectedParent, cgroup.Parent)
|
|
|
|
}
|
|
|
|
|
|
|
|
expectedScopePrefix := "runc"
|
|
|
|
if cgroup.ScopePrefix != expectedScopePrefix {
|
|
|
|
t.Errorf("Expected to have %s as ScopePrefix instead of %s", expectedScopePrefix, cgroup.ScopePrefix)
|
|
|
|
}
|
|
|
|
|
|
|
|
if cgroup.Name != opts.CgroupName {
|
|
|
|
t.Errorf("Expected to have %s as Name instead of %s", opts.CgroupName, cgroup.Name)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestLinuxCgroupSystemdWithInvalidPath(t *testing.T) {
|
|
|
|
cgroupsPath := "/user/cgroups/path/id"
|
|
|
|
|
|
|
|
spec := &specs.Spec{}
|
|
|
|
spec.Linux = &specs.Linux{
|
|
|
|
CgroupsPath: cgroupsPath,
|
|
|
|
}
|
|
|
|
|
|
|
|
opts := &CreateOpts{
|
|
|
|
CgroupName: "ContainerID",
|
|
|
|
UseSystemdCgroup: true,
|
|
|
|
Spec: spec,
|
|
|
|
}
|
|
|
|
|
2019-12-06 23:25:17 +08:00
|
|
|
_, err := CreateCgroupConfig(opts)
|
2017-10-25 07:58:10 +08:00
|
|
|
if err == nil {
|
|
|
|
t.Error("Expected to produce an error if not using the correct format for cgroup paths belonging to systemd")
|
|
|
|
}
|
|
|
|
}
|
2016-02-18 00:33:46 +08:00
|
|
|
func TestLinuxCgroupsPathSpecified(t *testing.T) {
|
|
|
|
cgroupsPath := "/user/cgroups/path/id"
|
|
|
|
|
2016-03-11 06:18:39 +08:00
|
|
|
spec := &specs.Spec{}
|
2016-09-12 07:30:17 +08:00
|
|
|
spec.Linux = &specs.Linux{
|
2017-03-15 00:36:38 +08:00
|
|
|
CgroupsPath: cgroupsPath,
|
2016-09-12 07:30:17 +08:00
|
|
|
}
|
2016-02-18 00:33:46 +08:00
|
|
|
|
2016-04-23 21:39:42 +08:00
|
|
|
opts := &CreateOpts{
|
|
|
|
CgroupName: "ContainerID",
|
|
|
|
UseSystemdCgroup: false,
|
|
|
|
Spec: spec,
|
|
|
|
}
|
|
|
|
|
2019-12-06 23:25:17 +08:00
|
|
|
cgroup, err := CreateCgroupConfig(opts)
|
2016-02-18 00:33:46 +08:00
|
|
|
if err != nil {
|
|
|
|
t.Errorf("Couldn't create Cgroup config: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if cgroup.Path != cgroupsPath {
|
|
|
|
t.Errorf("Wrong cgroupsPath, expected '%s' got '%s'", cgroupsPath, cgroup.Path)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestLinuxCgroupsPathNotSpecified(t *testing.T) {
|
2016-03-11 06:18:39 +08:00
|
|
|
spec := &specs.Spec{}
|
2016-04-23 21:39:42 +08:00
|
|
|
opts := &CreateOpts{
|
|
|
|
CgroupName: "ContainerID",
|
|
|
|
UseSystemdCgroup: false,
|
|
|
|
Spec: spec,
|
|
|
|
}
|
2016-02-18 00:33:46 +08:00
|
|
|
|
2019-12-06 23:25:17 +08:00
|
|
|
cgroup, err := CreateCgroupConfig(opts)
|
2016-02-18 00:33:46 +08:00
|
|
|
if err != nil {
|
|
|
|
t.Errorf("Couldn't create Cgroup config: %v", err)
|
|
|
|
}
|
|
|
|
|
2016-08-30 14:12:15 +08:00
|
|
|
if cgroup.Path != "" {
|
|
|
|
t.Errorf("Wrong cgroupsPath, expected it to be empty string, got '%s'", cgroup.Path)
|
2016-02-18 00:33:46 +08:00
|
|
|
}
|
|
|
|
}
|
2016-10-27 00:42:22 +08:00
|
|
|
|
2016-04-23 21:39:42 +08:00
|
|
|
func TestSpecconvExampleValidate(t *testing.T) {
|
2016-05-09 19:26:11 +08:00
|
|
|
spec := Example()
|
2016-04-23 21:39:42 +08:00
|
|
|
spec.Root.Path = "/"
|
2016-05-09 19:26:11 +08:00
|
|
|
|
2016-04-23 21:39:42 +08:00
|
|
|
opts := &CreateOpts{
|
|
|
|
CgroupName: "ContainerID",
|
|
|
|
UseSystemdCgroup: false,
|
|
|
|
Spec: spec,
|
|
|
|
}
|
|
|
|
|
|
|
|
config, err := CreateLibcontainerConfig(opts)
|
|
|
|
if err != nil {
|
|
|
|
t.Errorf("Couldn't create libcontainer config: %v", err)
|
|
|
|
}
|
|
|
|
|
2020-05-12 04:38:14 +08:00
|
|
|
if config.NoNewPrivileges != spec.Process.NoNewPrivileges {
|
|
|
|
t.Errorf("specconv NoNewPrivileges mismatch. Expected %v got %v",
|
|
|
|
spec.Process.NoNewPrivileges, config.NoNewPrivileges)
|
|
|
|
}
|
|
|
|
|
2016-04-23 21:39:42 +08:00
|
|
|
validator := validate.New()
|
|
|
|
if err := validator.Validate(config); err != nil {
|
|
|
|
t.Errorf("Expected specconv to produce valid container config: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-10-27 00:42:22 +08:00
|
|
|
func TestDupNamespaces(t *testing.T) {
|
|
|
|
spec := &specs.Spec{
|
2018-11-06 11:34:33 +08:00
|
|
|
Root: &specs.Root{
|
|
|
|
Path: "rootfs",
|
|
|
|
},
|
2016-10-27 00:42:22 +08:00
|
|
|
Linux: &specs.Linux{
|
2016-12-17 13:01:53 +08:00
|
|
|
Namespaces: []specs.LinuxNamespace{
|
2016-10-27 00:42:22 +08:00
|
|
|
{
|
|
|
|
Type: "pid",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Type: "pid",
|
|
|
|
Path: "/proc/1/ns/pid",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
_, err := CreateLibcontainerConfig(&CreateOpts{
|
|
|
|
Spec: spec,
|
|
|
|
})
|
|
|
|
|
2018-11-06 11:34:33 +08:00
|
|
|
if !strings.Contains(err.Error(), "malformed spec file: duplicated ns") {
|
2016-10-27 00:42:22 +08:00
|
|
|
t.Errorf("Duplicated namespaces should be forbidden")
|
|
|
|
}
|
|
|
|
}
|
2016-04-23 21:39:42 +08:00
|
|
|
|
Disable rootless mode except RootlessCgMgr when executed as the root in userns
This PR decomposes `libcontainer/configs.Config.Rootless bool` into `RootlessEUID bool` and
`RootlessCgroups bool`, so as to make "runc-in-userns" to be more compatible with "rootful" runc.
`RootlessEUID` denotes that runc is being executed as a non-root user (euid != 0) in
the current user namespace. `RootlessEUID` is almost identical to the former `Rootless`
except cgroups stuff.
`RootlessCgroups` denotes that runc is unlikely to have the full access to cgroups.
`RootlessCgroups` is set to false if runc is executed as the root (euid == 0) in the initial namespace.
Otherwise `RootlessCgroups` is set to true.
(Hint: if `RootlessEUID` is true, `RootlessCgroups` becomes true as well)
When runc is executed as the root (euid == 0) in an user namespace (e.g. by Docker-in-LXD, Podman, Usernetes),
`RootlessEUID` is set to false but `RootlessCgroups` is set to true.
So, "runc-in-userns" behaves almost same as "rootful" runc except that cgroups errors are ignored.
This PR does not have any impact on CLI flags and `state.json`.
Note about CLI:
* Now `runc --rootless=(auto|true|false)` CLI flag is only used for setting `RootlessCgroups`.
* Now `runc spec --rootless` is only required when `RootlessEUID` is set to true.
For runc-in-userns, `runc spec` without `--rootless` should work, when sufficient numbers of
UID/GID are mapped.
Note about `$XDG_RUNTIME_DIR` (e.g. `/run/user/1000`):
* `$XDG_RUNTIME_DIR` is ignored if runc is being executed as the root (euid == 0) in the initial namespace, for backward compatibility.
(`/run/runc` is used)
* If runc is executed as the root (euid == 0) in an user namespace, `$XDG_RUNTIME_DIR` is honored if `$USER != "" && $USER != "root"`.
This allows unprivileged users to allow execute runc as the root in userns, without mounting writable `/run/runc`.
Note about `state.json`:
* `rootless` is set to true when `RootlessEUID == true && RootlessCgroups == true`.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-07-05 14:28:21 +08:00
|
|
|
func TestNonZeroEUIDCompatibleSpecconvValidate(t *testing.T) {
|
2017-10-25 07:58:10 +08:00
|
|
|
if _, err := os.Stat("/proc/self/ns/user"); os.IsNotExist(err) {
|
|
|
|
t.Skip("userns is unsupported")
|
|
|
|
}
|
|
|
|
|
2016-05-09 19:26:11 +08:00
|
|
|
spec := Example()
|
|
|
|
spec.Root.Path = "/"
|
|
|
|
ToRootless(spec)
|
2016-04-23 21:39:42 +08:00
|
|
|
|
|
|
|
opts := &CreateOpts{
|
|
|
|
CgroupName: "ContainerID",
|
|
|
|
UseSystemdCgroup: false,
|
|
|
|
Spec: spec,
|
Disable rootless mode except RootlessCgMgr when executed as the root in userns
This PR decomposes `libcontainer/configs.Config.Rootless bool` into `RootlessEUID bool` and
`RootlessCgroups bool`, so as to make "runc-in-userns" to be more compatible with "rootful" runc.
`RootlessEUID` denotes that runc is being executed as a non-root user (euid != 0) in
the current user namespace. `RootlessEUID` is almost identical to the former `Rootless`
except cgroups stuff.
`RootlessCgroups` denotes that runc is unlikely to have the full access to cgroups.
`RootlessCgroups` is set to false if runc is executed as the root (euid == 0) in the initial namespace.
Otherwise `RootlessCgroups` is set to true.
(Hint: if `RootlessEUID` is true, `RootlessCgroups` becomes true as well)
When runc is executed as the root (euid == 0) in an user namespace (e.g. by Docker-in-LXD, Podman, Usernetes),
`RootlessEUID` is set to false but `RootlessCgroups` is set to true.
So, "runc-in-userns" behaves almost same as "rootful" runc except that cgroups errors are ignored.
This PR does not have any impact on CLI flags and `state.json`.
Note about CLI:
* Now `runc --rootless=(auto|true|false)` CLI flag is only used for setting `RootlessCgroups`.
* Now `runc spec --rootless` is only required when `RootlessEUID` is set to true.
For runc-in-userns, `runc spec` without `--rootless` should work, when sufficient numbers of
UID/GID are mapped.
Note about `$XDG_RUNTIME_DIR` (e.g. `/run/user/1000`):
* `$XDG_RUNTIME_DIR` is ignored if runc is being executed as the root (euid == 0) in the initial namespace, for backward compatibility.
(`/run/runc` is used)
* If runc is executed as the root (euid == 0) in an user namespace, `$XDG_RUNTIME_DIR` is honored if `$USER != "" && $USER != "root"`.
This allows unprivileged users to allow execute runc as the root in userns, without mounting writable `/run/runc`.
Note about `state.json`:
* `rootless` is set to true when `RootlessEUID == true && RootlessCgroups == true`.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-07-05 14:28:21 +08:00
|
|
|
RootlessEUID: true,
|
|
|
|
RootlessCgroups: true,
|
2016-04-23 21:39:42 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
config, err := CreateLibcontainerConfig(opts)
|
|
|
|
if err != nil {
|
|
|
|
t.Errorf("Couldn't create libcontainer config: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
validator := validate.New()
|
|
|
|
if err := validator.Validate(config); err != nil {
|
|
|
|
t.Errorf("Expected specconv to produce valid rootless container config: %v", err)
|
|
|
|
}
|
|
|
|
}
|
Support for setting systemd properties via annotations
In case systemd is used to set cgroups for the container,
it creates a scope unit dedicated to it (usually named
`runc-$ID.scope`).
This patch adds an ability to set arbitrary systemd properties
for the systemd unit via runtime spec annotations.
Initially this was developed as an ability to specify the
`TimeoutStopUSec` property, but later generalized to work with
arbitrary ones.
Example usage: add the following to runtime spec (config.json):
```
"annotations": {
"org.systemd.property.TimeoutStopUSec": "uint64 123456789",
"org.systemd.property.CollectMode":"'inactive-or-failed'"
},
```
and start the container (e.g. `runc --systemd-cgroup run $ID`).
The above will set the following systemd parameters:
* `TimeoutStopSec` to 2 minutes and 3 seconds,
* `CollectMode` to "inactive-or-failed".
The values are in the gvariant format (see [1]). To figure out
which type systemd expects for a particular parameter, see
systemd sources.
In particular, parameters with `USec` suffix require an `uint64`
typed argument, while gvariant assumes int32 for a numeric values,
therefore the explicit type is required.
NOTE that systemd receives the time-typed parameters as *USec
but shows them (in `systemctl show`) as *Sec. For example,
the stop timeout should be set as `TimeoutStopUSec` but
is shown as `TimeoutStopSec`.
[1] https://developer.gnome.org/glib/stable/gvariant-text.html
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-02-07 12:26:06 +08:00
|
|
|
|
|
|
|
func TestInitSystemdProps(t *testing.T) {
|
|
|
|
type inT struct {
|
|
|
|
name, value string
|
|
|
|
}
|
|
|
|
type expT struct {
|
|
|
|
isErr bool
|
|
|
|
name string
|
|
|
|
value interface{}
|
|
|
|
}
|
|
|
|
|
|
|
|
testCases := []struct {
|
|
|
|
desc string
|
|
|
|
in inT
|
|
|
|
exp expT
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
in: inT{"org.systemd.property.TimeoutStopUSec", "uint64 123456789"},
|
|
|
|
exp: expT{false, "TimeoutStopUSec", uint64(123456789)},
|
|
|
|
},
|
2020-02-14 05:02:15 +08:00
|
|
|
{
|
|
|
|
desc: "convert USec to Sec (default numeric type)",
|
|
|
|
in: inT{"org.systemd.property.TimeoutStopSec", "456"},
|
|
|
|
exp: expT{false, "TimeoutStopUSec", uint64(456000000)},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "convert USec to Sec (byte)",
|
|
|
|
in: inT{"org.systemd.property.TimeoutStopSec", "byte 234"},
|
|
|
|
exp: expT{false, "TimeoutStopUSec", uint64(234000000)},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "convert USec to Sec (int16)",
|
|
|
|
in: inT{"org.systemd.property.TimeoutStopSec", "int16 234"},
|
|
|
|
exp: expT{false, "TimeoutStopUSec", uint64(234000000)},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "convert USec to Sec (uint16)",
|
|
|
|
in: inT{"org.systemd.property.TimeoutStopSec", "uint16 234"},
|
|
|
|
exp: expT{false, "TimeoutStopUSec", uint64(234000000)},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "convert USec to Sec (int32)",
|
|
|
|
in: inT{"org.systemd.property.TimeoutStopSec", "int32 234"},
|
|
|
|
exp: expT{false, "TimeoutStopUSec", uint64(234000000)},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "convert USec to Sec (uint32)",
|
|
|
|
in: inT{"org.systemd.property.TimeoutStopSec", "uint32 234"},
|
|
|
|
exp: expT{false, "TimeoutStopUSec", uint64(234000000)},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "convert USec to Sec (int64)",
|
|
|
|
in: inT{"org.systemd.property.TimeoutStopSec", "int64 234"},
|
|
|
|
exp: expT{false, "TimeoutStopUSec", uint64(234000000)},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "convert USec to Sec (uint64)",
|
|
|
|
in: inT{"org.systemd.property.TimeoutStopSec", "uint64 234"},
|
|
|
|
exp: expT{false, "TimeoutStopUSec", uint64(234000000)},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "convert USec to Sec (float)",
|
|
|
|
in: inT{"org.systemd.property.TimeoutStopSec", "234.789"},
|
|
|
|
exp: expT{false, "TimeoutStopUSec", uint64(234789000)},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "convert USec to Sec (bool -- invalid value)",
|
|
|
|
in: inT{"org.systemd.property.TimeoutStopSec", "false"},
|
|
|
|
exp: expT{true, "", ""},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "convert USec to Sec (string -- invalid value)",
|
|
|
|
in: inT{"org.systemd.property.TimeoutStopSec", "'covfefe'"},
|
|
|
|
exp: expT{true, "", ""},
|
|
|
|
},
|
Support for setting systemd properties via annotations
In case systemd is used to set cgroups for the container,
it creates a scope unit dedicated to it (usually named
`runc-$ID.scope`).
This patch adds an ability to set arbitrary systemd properties
for the systemd unit via runtime spec annotations.
Initially this was developed as an ability to specify the
`TimeoutStopUSec` property, but later generalized to work with
arbitrary ones.
Example usage: add the following to runtime spec (config.json):
```
"annotations": {
"org.systemd.property.TimeoutStopUSec": "uint64 123456789",
"org.systemd.property.CollectMode":"'inactive-or-failed'"
},
```
and start the container (e.g. `runc --systemd-cgroup run $ID`).
The above will set the following systemd parameters:
* `TimeoutStopSec` to 2 minutes and 3 seconds,
* `CollectMode` to "inactive-or-failed".
The values are in the gvariant format (see [1]). To figure out
which type systemd expects for a particular parameter, see
systemd sources.
In particular, parameters with `USec` suffix require an `uint64`
typed argument, while gvariant assumes int32 for a numeric values,
therefore the explicit type is required.
NOTE that systemd receives the time-typed parameters as *USec
but shows them (in `systemctl show`) as *Sec. For example,
the stop timeout should be set as `TimeoutStopUSec` but
is shown as `TimeoutStopSec`.
[1] https://developer.gnome.org/glib/stable/gvariant-text.html
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-02-07 12:26:06 +08:00
|
|
|
{
|
|
|
|
in: inT{"org.systemd.property.CollectMode", "'inactive-or-failed'"},
|
|
|
|
exp: expT{false, "CollectMode", "inactive-or-failed"},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "unrelated property",
|
|
|
|
in: inT{"some.other.annotation", "0"},
|
|
|
|
exp: expT{false, "", ""},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "too short property name",
|
|
|
|
in: inT{"org.systemd.property.Xo", "1"},
|
|
|
|
exp: expT{true, "", ""},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "invalid character in property name",
|
|
|
|
in: inT{"org.systemd.property.Number1", "1"},
|
|
|
|
exp: expT{true, "", ""},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "invalid property value",
|
|
|
|
in: inT{"org.systemd.property.ValidName", "invalid-value"},
|
|
|
|
exp: expT{true, "", ""},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
spec := &specs.Spec{}
|
|
|
|
|
|
|
|
for _, tc := range testCases {
|
|
|
|
tc := tc
|
|
|
|
spec.Annotations = map[string]string{tc.in.name: tc.in.value}
|
|
|
|
|
|
|
|
outMap, err := initSystemdProps(spec)
|
|
|
|
//t.Logf("input %+v, expected %+v, got err:%v out:%+v", tc.in, tc.exp, err, outMap)
|
|
|
|
|
|
|
|
if tc.exp.isErr != (err != nil) {
|
|
|
|
t.Errorf("input %+v, expecting error: %v, got %v", tc.in, tc.exp.isErr, err)
|
|
|
|
}
|
|
|
|
expLen := 1 // expect a single item
|
|
|
|
if tc.exp.name == "" {
|
|
|
|
expLen = 0 // expect nothing
|
|
|
|
}
|
|
|
|
if len(outMap) != expLen {
|
|
|
|
t.Fatalf("input %+v, expected %d, got %d entries: %v", tc.in, expLen, len(outMap), outMap)
|
|
|
|
}
|
|
|
|
if expLen == 0 {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
out := outMap[0]
|
|
|
|
if tc.exp.name != out.Name {
|
|
|
|
t.Errorf("input %+v, expecting name: %q, got %q", tc.in, tc.exp.name, out.Name)
|
|
|
|
}
|
|
|
|
expValue := dbus.MakeVariant(tc.exp.value).String()
|
|
|
|
if expValue != out.Value.String() {
|
|
|
|
t.Errorf("input %+v, expecting value: %s, got %s", tc.in, expValue, out.Value)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2018-06-17 20:42:04 +08:00
|
|
|
|
|
|
|
func TestNullProcess(t *testing.T) {
|
|
|
|
spec := Example()
|
|
|
|
spec.Process = nil
|
|
|
|
|
|
|
|
_, err := CreateLibcontainerConfig(&CreateOpts{
|
|
|
|
Spec: spec,
|
|
|
|
})
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
t.Errorf("Null process should be forbidden")
|
|
|
|
}
|
|
|
|
}
|