runc/tests/integration/cgroups.bats

#!/usr/bin/env bats

load helpers

function teardown() {
    rm -f $BATS_TMPDIR/runc-cgroups-integration-test.json
    teardown_running_container test_cgroups_kmem
    teardown_running_container test_cgroups_permissions
    teardown_busybox
}

function setup() {
    teardown
    setup_busybox
}

@test "runc update --kernel-memory{,-tcp} (initialized)" {
    [[ "$ROOTLESS" -ne 0 ]] && requires rootless_cgroup
    requires cgroups_kmem

    set_cgroups_path "$BUSYBOX_BUNDLE"

    # Set some initial known values
    DATA=$(cat <<-EOF
    "memory": {
        "kernel": 16777216,
        "kernelTCP": 11534336
    },
EOF
    )
    DATA=$(echo ${DATA} | sed 's/\n/\\n/g')
    sed -i "s/\(\"resources\": {\)/\1\n${DATA}/" ${BUSYBOX_BUNDLE}/config.json

    # run a detached busybox to work with
    runc run -d --console-socket $CONSOLE_SOCKET test_cgroups_kmem
    [ "$status" -eq 0 ]

    check_cgroup_value "memory.kmem.limit_in_bytes" 16777216
    check_cgroup_value "memory.kmem.tcp.limit_in_bytes" 11534336

    # update kernel memory limit
    runc update test_cgroups_kmem --kernel-memory 50331648
    [ "$status" -eq 0 ]
    check_cgroup_value "memory.kmem.limit_in_bytes" 50331648

    # update kernel memory tcp limit
    runc update test_cgroups_kmem --kernel-memory-tcp 41943040
    [ "$status" -eq 0 ]
    check_cgroup_value "memory.kmem.tcp.limit_in_bytes" 41943040
}

@test "runc update --kernel-memory (uninitialized)" {
    [[ "$ROOTLESS" -ne 0 ]] && requires rootless_cgroup
    requires cgroups_kmem

    set_cgroups_path "$BUSYBOX_BUNDLE"

    # run a detached busybox to work with
    runc run -d --console-socket $CONSOLE_SOCKET test_cgroups_kmem
    [ "$status" -eq 0 ]

    # update kernel memory limit
    runc update test_cgroups_kmem --kernel-memory 50331648
    # Since kernel 4.6, we can update kernel memory without initialization
    # because it's accounted by default.
    if [ "$KERNEL_MAJOR" -lt 4 ] || [ "$KERNEL_MAJOR" -eq 4 -a "$KERNEL_MINOR" -le 5 ]; then
        [ ! "$status" -eq 0 ]
    else
        [ "$status" -eq 0 ]
        check_cgroup_value "memory.kmem.limit_in_bytes" 50331648
    fi
}

@test "runc create (no limits + no cgrouppath + no permission) succeeds" {
    runc run -d --console-socket $CONSOLE_SOCKET test_cgroups_permissions
    [ "$status" -eq 0 ]
}

@test "runc create (rootless + no limits + cgrouppath + no permission) fails with permission error" {
    requires rootless
    requires rootless_no_cgroup
    # systemd controls the permission, so error does not happen
    requires no_systemd

    set_cgroups_path "$BUSYBOX_BUNDLE"

    runc run -d --console-socket $CONSOLE_SOCKET test_cgroups_permissions
    [ "$status" -eq 1 ]
    [[ ${lines[1]} == *"permission denied"* ]]
}

@test "runc create (rootless + limits + no cgrouppath + no permission) fails with informative error" {
    requires rootless
    requires rootless_no_cgroup
    # systemd controls the permission, so error does not happen
    requires no_systemd

    set_resources_limit "$BUSYBOX_BUNDLE"

    runc run -d --console-socket $CONSOLE_SOCKET test_cgroups_permissions
    [ "$status" -eq 1 ]
    [[ ${lines[1]} == *"rootless needs no limits + no cgrouppath when no permission is granted for cgroups"* ]] || [[ ${lines[1]} == *"cannot set pids limit: container could not join or create cgroup"* ]]
}

@test "runc create (limits + cgrouppath + permission on the cgroup dir) succeeds" {
   [[ "$ROOTLESS" -ne 0 ]] && requires rootless_cgroup

    set_cgroups_path "$BUSYBOX_BUNDLE"
    set_resources_limit "$BUSYBOX_BUNDLE"

    runc run -d --console-socket $CONSOLE_SOCKET test_cgroups_permissions
    [ "$status" -eq 0 ]
}

@test "runc exec (limits + cgrouppath + permission on the cgroup dir) succeeds" {
   [[ "$ROOTLESS" -ne 0 ]] && requires rootless_cgroup

    set_cgroups_path "$BUSYBOX_BUNDLE"
    set_resources_limit "$BUSYBOX_BUNDLE"

    runc run -d --console-socket $CONSOLE_SOCKET test_cgroups_permissions
    [ "$status" -eq 0 ]

    runc exec test_cgroups_permissions echo "cgroups_exec"
    [ "$status" -eq 0 ]
    [[ ${lines[0]} == *"cgroups_exec"* ]]
}
Add test for cgroup memory.kmem.limit_in_bytes handling Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com> 2016-05-05 10:12:25 +08:00			`#!/usr/bin/env bats`

			`load helpers`

			`function teardown() {`
Support cgroups with limits as rootless Signed-off-by: Ed King <eking@pivotal.io> Signed-off-by: Gabriel Rosenhouse <grosenhouse@pivotal.io> Signed-off-by: Konstantinos Karampogias <konstantinos.karampogias@swisscom.com> 2017-09-15 17:39:35 +08:00			`rm -f $BATS_TMPDIR/runc-cgroups-integration-test.json`
integration: remove pointless *_inroot invocations --root invocations make tests harder to read, and they only serve a very specific purpose. As such, remove them from the `runc update` tests because they don't serve a purpose. Signed-off-by: Aleksa Sarai <asarai@suse.de> 2016-05-11 14:17:32 +08:00			`teardown_running_container test_cgroups_kmem`
Support cgroups with limits as rootless Signed-off-by: Ed King <eking@pivotal.io> Signed-off-by: Gabriel Rosenhouse <grosenhouse@pivotal.io> Signed-off-by: Konstantinos Karampogias <konstantinos.karampogias@swisscom.com> 2017-09-15 17:39:35 +08:00			`teardown_running_container test_cgroups_permissions`
Add test for cgroup memory.kmem.limit_in_bytes handling Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com> 2016-05-05 10:12:25 +08:00			`teardown_busybox`
			`}`

			`function setup() {`
			`teardown`
			`setup_busybox`
			`}`

tests/integration: rm kmem from upgrade tests ... and add kmem-tcp to cgroups kmem test. First, we already have a separate kmem test in cgroups.bats. Second, making kmem a requirement leads to skipping all the other test cases in the update.bats test. Third, kmem limit is being removed from the kernel, so it makes sense to handle it separately. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> 2020-03-31 05:00:35 +08:00			`@test "runc update --kernel-memory{,-tcp} (initialized)" {`
Support cgroups with limits as rootless Signed-off-by: Ed King <eking@pivotal.io> Signed-off-by: Gabriel Rosenhouse <grosenhouse@pivotal.io> Signed-off-by: Konstantinos Karampogias <konstantinos.karampogias@swisscom.com> 2017-09-15 17:39:35 +08:00			`[[ "$ROOTLESS" -ne 0 ]] && requires rootless_cgroup`
			`requires cgroups_kmem`
integration: added root requires This is in preperation of allowing us to run the integration test suite on rootless containers. Signed-off-by: Aleksa Sarai <asarai@suse.de> 2016-05-10 20:22:13 +08:00
Support cgroups with limits as rootless Signed-off-by: Ed King <eking@pivotal.io> Signed-off-by: Gabriel Rosenhouse <grosenhouse@pivotal.io> Signed-off-by: Konstantinos Karampogias <konstantinos.karampogias@swisscom.com> 2017-09-15 17:39:35 +08:00			`set_cgroups_path "$BUSYBOX_BUNDLE"`
Add test for cgroup memory.kmem.limit_in_bytes handling Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com> 2016-05-05 10:12:25 +08:00
			`# Set some initial known values`
			`DATA=$(cat <<-EOF`
			`"memory": {`
tests/integration: rm kmem from upgrade tests ... and add kmem-tcp to cgroups kmem test. First, we already have a separate kmem test in cgroups.bats. Second, making kmem a requirement leads to skipping all the other test cases in the update.bats test. Third, kmem limit is being removed from the kernel, so it makes sense to handle it separately. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> 2020-03-31 05:00:35 +08:00			`"kernel": 16777216,`
			`"kernelTCP": 11534336`
Add test for cgroup memory.kmem.limit_in_bytes handling Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com> 2016-05-05 10:12:25 +08:00			`},`
			`EOF`
			`)`
			`DATA=$(echo ${DATA} \| sed 's/\n/\\n/g')`
			`sed -i "s/\(\"resources\": {\)/\1\n${DATA}/" ${BUSYBOX_BUNDLE}/config.json`

Rename start to run `runc run` is the command that will create and start a container in one single command. Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2016-05-14 06:49:45 +08:00			`# run a detached busybox to work with`
tests: fix all the things This fixes all of the tests that were broken as part of the console rewrite. This includes fixing the integration tests that used TTY handling inside libcontainer, as well as the bats integration tests that needed to be rewritten to use recvtty (as they rely on detached containers that are running). This patch is part of the console rewrite patchset. Signed-off-by: Aleksa Sarai <asarai@suse.de> 2016-09-06 20:40:01 +08:00			`runc run -d --console-socket $CONSOLE_SOCKET test_cgroups_kmem`
Add test for cgroup memory.kmem.limit_in_bytes handling Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com> 2016-05-05 10:12:25 +08:00			`[ "$status" -eq 0 ]`

tests/integration: check_cgroup_value: simplify Consolidate two implementations of check_cgroup_value() into one, putting it into helpers. Remove the first parameter, deducing the variable to get the path from by the parameter name. This should help in future cgroupv2 support. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> 2020-03-26 09:18:06 +08:00			`check_cgroup_value "memory.kmem.limit_in_bytes" 16777216`
tests/integration: rm kmem from upgrade tests ... and add kmem-tcp to cgroups kmem test. First, we already have a separate kmem test in cgroups.bats. Second, making kmem a requirement leads to skipping all the other test cases in the update.bats test. Third, kmem limit is being removed from the kernel, so it makes sense to handle it separately. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> 2020-03-31 05:00:35 +08:00			`check_cgroup_value "memory.kmem.tcp.limit_in_bytes" 11534336`
tests/integration: check_cgroup_value: simplify Consolidate two implementations of check_cgroup_value() into one, putting it into helpers. Remove the first parameter, deducing the variable to get the path from by the parameter name. This should help in future cgroupv2 support. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> 2020-03-26 09:18:06 +08:00
Add test for cgroup memory.kmem.limit_in_bytes handling Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com> 2016-05-05 10:12:25 +08:00			`# update kernel memory limit`
bats: refactor run "$RUNC" -> runc This makes it much simpler to write tests, and you don't have to worry about some of the oddness with bats. Signed-off-by: Aleksa Sarai <asarai@suse.de> 2016-05-09 21:06:42 +08:00			`runc update test_cgroups_kmem --kernel-memory 50331648`
Add test for cgroup memory.kmem.limit_in_bytes handling Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com> 2016-05-05 10:12:25 +08:00			`[ "$status" -eq 0 ]`
tests/integration: check_cgroup_value: simplify Consolidate two implementations of check_cgroup_value() into one, putting it into helpers. Remove the first parameter, deducing the variable to get the path from by the parameter name. This should help in future cgroupv2 support. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> 2020-03-26 09:18:06 +08:00			`check_cgroup_value "memory.kmem.limit_in_bytes" 50331648`
tests/integration: rm kmem from upgrade tests ... and add kmem-tcp to cgroups kmem test. First, we already have a separate kmem test in cgroups.bats. Second, making kmem a requirement leads to skipping all the other test cases in the update.bats test. Third, kmem limit is being removed from the kernel, so it makes sense to handle it separately. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> 2020-03-31 05:00:35 +08:00
			`# update kernel memory tcp limit`
			`runc update test_cgroups_kmem --kernel-memory-tcp 41943040`
			`[ "$status" -eq 0 ]`
			`check_cgroup_value "memory.kmem.tcp.limit_in_bytes" 41943040`
Add test for cgroup memory.kmem.limit_in_bytes handling Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com> 2016-05-05 10:12:25 +08:00			`}`

integration: remove pointless *_inroot invocations --root invocations make tests harder to read, and they only serve a very specific purpose. As such, remove them from the `runc update` tests because they don't serve a purpose. Signed-off-by: Aleksa Sarai <asarai@suse.de> 2016-05-11 14:17:32 +08:00			`@test "runc update --kernel-memory (uninitialized)" {`
Support cgroups with limits as rootless Signed-off-by: Ed King <eking@pivotal.io> Signed-off-by: Gabriel Rosenhouse <grosenhouse@pivotal.io> Signed-off-by: Konstantinos Karampogias <konstantinos.karampogias@swisscom.com> 2017-09-15 17:39:35 +08:00			`[[ "$ROOTLESS" -ne 0 ]] && requires rootless_cgroup`
			`requires cgroups_kmem`
integration: added root requires This is in preperation of allowing us to run the integration test suite on rootless containers. Signed-off-by: Aleksa Sarai <asarai@suse.de> 2016-05-10 20:22:13 +08:00
Support cgroups with limits as rootless Signed-off-by: Ed King <eking@pivotal.io> Signed-off-by: Gabriel Rosenhouse <grosenhouse@pivotal.io> Signed-off-by: Konstantinos Karampogias <konstantinos.karampogias@swisscom.com> 2017-09-15 17:39:35 +08:00			`set_cgroups_path "$BUSYBOX_BUNDLE"`
Add test for cgroup memory.kmem.limit_in_bytes handling Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com> 2016-05-05 10:12:25 +08:00
Rename start to run `runc run` is the command that will create and start a container in one single command. Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2016-05-14 06:49:45 +08:00			`# run a detached busybox to work with`
tests: fix all the things This fixes all of the tests that were broken as part of the console rewrite. This includes fixing the integration tests that used TTY handling inside libcontainer, as well as the bats integration tests that needed to be rewritten to use recvtty (as they rely on detached containers that are running). This patch is part of the console rewrite patchset. Signed-off-by: Aleksa Sarai <asarai@suse.de> 2016-09-06 20:40:01 +08:00			`runc run -d --console-socket $CONSOLE_SOCKET test_cgroups_kmem`
Add test for cgroup memory.kmem.limit_in_bytes handling Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com> 2016-05-05 10:12:25 +08:00			`[ "$status" -eq 0 ]`

			`# update kernel memory limit`
bats: refactor run "$RUNC" -> runc This makes it much simpler to write tests, and you don't have to worry about some of the oddness with bats. Signed-off-by: Aleksa Sarai <asarai@suse.de> 2016-05-09 21:06:42 +08:00			`runc update test_cgroups_kmem --kernel-memory 50331648`
Fix update kernel memory test Since kernel 4.6, we can update kernel memory without initialization, because it's accounted by default. Signed-off-by: Qiang Huang <h.huangqiang@huawei.com> 2016-05-18 08:51:02 +08:00			`# Since kernel 4.6, we can update kernel memory without initialization`
			`# because it's accounted by default.`
			`if [ "$KERNEL_MAJOR" -lt 4 ] \|\| [ "$KERNEL_MAJOR" -eq 4 -a "$KERNEL_MINOR" -le 5 ]; then`
			`[ ! "$status" -eq 0 ]`
			`else`
			`[ "$status" -eq 0 ]`
tests/integration: check_cgroup_value: simplify Consolidate two implementations of check_cgroup_value() into one, putting it into helpers. Remove the first parameter, deducing the variable to get the path from by the parameter name. This should help in future cgroupv2 support. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> 2020-03-26 09:18:06 +08:00			`check_cgroup_value "memory.kmem.limit_in_bytes" 50331648`
Fix update kernel memory test Since kernel 4.6, we can update kernel memory without initialization, because it's accounted by default. Signed-off-by: Qiang Huang <h.huangqiang@huawei.com> 2016-05-18 08:51:02 +08:00			`fi`
Add test for cgroup memory.kmem.limit_in_bytes handling Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com> 2016-05-05 10:12:25 +08:00			`}`
Support cgroups with limits as rootless Signed-off-by: Ed King <eking@pivotal.io> Signed-off-by: Gabriel Rosenhouse <grosenhouse@pivotal.io> Signed-off-by: Konstantinos Karampogias <konstantinos.karampogias@swisscom.com> 2017-09-15 17:39:35 +08:00
			`@test "runc create (no limits + no cgrouppath + no permission) succeeds" {`
			`runc run -d --console-socket $CONSOLE_SOCKET test_cgroups_permissions`
			`[ "$status" -eq 0 ]`
			`}`

			`@test "runc create (rootless + no limits + cgrouppath + no permission) fails with permission error" {`
			`requires rootless`
			`requires rootless_no_cgroup`
cgroup v2: support rootless systemd Tested with both Podman (master) and Moby (master), on Ubuntu 19.10 . $ podman --cgroup-manager=systemd run -it --rm --runtime=runc \ --cgroupns=host --memory 42m --cpus 0.42 --pids-limit 42 alpine / # cat /proc/self/cgroup 0::/user.slice/user-1001.slice/user@1001.service/user.slice/libpod-132ff0d72245e6f13a3bbc6cdc5376886897b60ac59eaa8dea1df7ab959cbf1c.scope / # cat /sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/user.slice/libpod-132ff0d72245e6f13a3bbc6cdc5376886897b60ac59eaa8dea1df7ab959cbf1c.scope/memory.max 44040192 / # cat /sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/user.slice/libpod-132ff0d72245e6f13a3bbc6cdc5376886897b60ac59eaa8dea1df7ab959cbf1c.scope/cpu.max 42000 100000 / # cat /sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/user.slice/libpod-132ff0d72245e6f13a3bbc6cdc5376886897b60ac59eaa8dea1df7ab959cbf1c.scope/pids.max 42 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> 2020-04-01 09:47:06 +08:00			`# systemd controls the permission, so error does not happen`
			`requires no_systemd`
Support cgroups with limits as rootless Signed-off-by: Ed King <eking@pivotal.io> Signed-off-by: Gabriel Rosenhouse <grosenhouse@pivotal.io> Signed-off-by: Konstantinos Karampogias <konstantinos.karampogias@swisscom.com> 2017-09-15 17:39:35 +08:00
			`set_cgroups_path "$BUSYBOX_BUNDLE"`

			`runc run -d --console-socket $CONSOLE_SOCKET test_cgroups_permissions`
			`[ "$status" -eq 1 ]`
			`[[ ${lines[1]} == "permission denied" ]]`
			`}`

			`@test "runc create (rootless + limits + no cgrouppath + no permission) fails with informative error" {`
			`requires rootless`
			`requires rootless_no_cgroup`
cgroup v2: support rootless systemd Tested with both Podman (master) and Moby (master), on Ubuntu 19.10 . $ podman --cgroup-manager=systemd run -it --rm --runtime=runc \ --cgroupns=host --memory 42m --cpus 0.42 --pids-limit 42 alpine / # cat /proc/self/cgroup 0::/user.slice/user-1001.slice/user@1001.service/user.slice/libpod-132ff0d72245e6f13a3bbc6cdc5376886897b60ac59eaa8dea1df7ab959cbf1c.scope / # cat /sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/user.slice/libpod-132ff0d72245e6f13a3bbc6cdc5376886897b60ac59eaa8dea1df7ab959cbf1c.scope/memory.max 44040192 / # cat /sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/user.slice/libpod-132ff0d72245e6f13a3bbc6cdc5376886897b60ac59eaa8dea1df7ab959cbf1c.scope/cpu.max 42000 100000 / # cat /sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/user.slice/libpod-132ff0d72245e6f13a3bbc6cdc5376886897b60ac59eaa8dea1df7ab959cbf1c.scope/pids.max 42 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> 2020-04-01 09:47:06 +08:00			`# systemd controls the permission, so error does not happen`
			`requires no_systemd`
Support cgroups with limits as rootless Signed-off-by: Ed King <eking@pivotal.io> Signed-off-by: Gabriel Rosenhouse <grosenhouse@pivotal.io> Signed-off-by: Konstantinos Karampogias <konstantinos.karampogias@swisscom.com> 2017-09-15 17:39:35 +08:00
			`set_resources_limit "$BUSYBOX_BUNDLE"`

			`runc run -d --console-socket $CONSOLE_SOCKET test_cgroups_permissions`
			`[ "$status" -eq 1 ]`
fs2: fix cgroup.subtree_control EPERM on rootless + add CI Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> 2020-04-21 23:19:36 +08:00			`[[ ${lines[1]} == "rootless needs no limits + no cgrouppath when no permission is granted for cgroups" ]] \|\| [[ ${lines[1]} == "cannot set pids limit: container could not join or create cgroup" ]]`
Support cgroups with limits as rootless Signed-off-by: Ed King <eking@pivotal.io> Signed-off-by: Gabriel Rosenhouse <grosenhouse@pivotal.io> Signed-off-by: Konstantinos Karampogias <konstantinos.karampogias@swisscom.com> 2017-09-15 17:39:35 +08:00			`}`

			`@test "runc create (limits + cgrouppath + permission on the cgroup dir) succeeds" {`
			`[[ "$ROOTLESS" -ne 0 ]] && requires rootless_cgroup`

			`set_cgroups_path "$BUSYBOX_BUNDLE"`
			`set_resources_limit "$BUSYBOX_BUNDLE"`

			`runc run -d --console-socket $CONSOLE_SOCKET test_cgroups_permissions`
			`[ "$status" -eq 0 ]`
			`}`

			`@test "runc exec (limits + cgrouppath + permission on the cgroup dir) succeeds" {`
			`[[ "$ROOTLESS" -ne 0 ]] && requires rootless_cgroup`

			`set_cgroups_path "$BUSYBOX_BUNDLE"`
			`set_resources_limit "$BUSYBOX_BUNDLE"`

			`runc run -d --console-socket $CONSOLE_SOCKET test_cgroups_permissions`
			`[ "$status" -eq 0 ]`

			`runc exec test_cgroups_permissions echo "cgroups_exec"`
			`[ "$status" -eq 0 ]`
			`[[ ${lines[0]} == "cgroups_exec" ]]`
			`}`