Commit Graph

148 Commits

Author SHA1 Message Date
Akihiro Suda bf15cc99b1 cgroup v2: support rootless systemd
Tested with both Podman (master) and Moby (master), on Ubuntu 19.10 .

$ podman --cgroup-manager=systemd run -it --rm --runtime=runc \
  --cgroupns=host --memory 42m --cpus 0.42 --pids-limit 42 alpine
/ # cat /proc/self/cgroup
0::/user.slice/user-1001.slice/user@1001.service/user.slice/libpod-132ff0d72245e6f13a3bbc6cdc5376886897b60ac59eaa8dea1df7ab959cbf1c.scope
/ # cat /sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/user.slice/libpod-132ff0d72245e6f13a3bbc6cdc5376886897b60ac59eaa8dea1df7ab959cbf1c.scope/memory.max
44040192
/ # cat /sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/user.slice/libpod-132ff0d72245e6f13a3bbc6cdc5376886897b60ac59eaa8dea1df7ab959cbf1c.scope/cpu.max
42000 100000
/ # cat /sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/user.slice/libpod-132ff0d72245e6f13a3bbc6cdc5376886897b60ac59eaa8dea1df7ab959cbf1c.scope/pids.max
42

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-05-08 12:39:20 +09:00
lifubang 657407ff23 fix runc events error in cgroup v2
Signed-off-by: lifubang <lifubang@acmcoder.com>
2020-05-07 22:18:46 +08:00
Akihiro Suda 60c647e3b8 fs2: fix cgroup.subtree_control EPERM on rootless + add CI
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-04-27 13:30:15 +09:00
Kir Kolyshkin b19f9cecfe
Merge pull request #2343 from lifubang/updateSystemdScope
fix data inconsistency when using runc update in systemd driven cgroup
2020-04-24 23:34:19 -07:00
lifubang 10ba72a61f add integration test for runc update with systemd
Signed-off-by: lifubang <lifubang@acmcoder.com>
2020-04-24 16:58:29 +08:00
Kir Kolyshkin 32d52a0fab tests/checkpoint: enable for Fedora 31 / cgroup v2
With the fix in the previous commit and criu patched with support for
cgroupv2, these tests should now pass.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-22 11:40:28 -07:00
Kir Kolyshkin 00a2844ab4 tests/checkpoint: add simple c/r test for cgroupns
Same test as the first one, just with cgroupns enabled.

Since in case of cgroupv2 `runc spec` enables cgroupns,
this case was already tested by the first checkpoint test,
so skip it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-22 11:06:24 -07:00
Kir Kolyshkin d5e68ceb0c tests/checkpoint.bats: fix test hang/failure
Commit a9e15e7e0 adds a check that stdin/out/err pipes
are restored correctly. Commit ec260653b7 copy/pastes
the same code to one more another test.

Problem is (as pointed out in commit 5369f9ade3) these tests
sometimes hang. I have also seen them fail.

Apparently, the code used to create pipes and open them to fds
is racy:

```shell
cat $fifo | cat $fifo &
pid=$!
exec 50</proc/$pid/fd/0
exec 51>/proc/$pid/fd/0
```

Since `cat | cat` is spawned asynchronously, by the time exec is used,
the second cat process (i.e. $pid) is already fork'ed but it might
not be exec'ed yet. As a result, we get this (`ls -l /proc/self/fd`):

```
lr-x------. 1 root root 64 Apr 20 02:39 50 -> /dev/pts/1
l-wx------. 1 root root 64 Apr 20 02:39 51 -> /dev/pts/1
```

or, in some cases:
```
lr-x------. 1 root root 64 Apr 20 02:45 50 -> /dev/pts/1
l-wx------. 1 root root 64 Apr 20 02:45 51 -> 'pipe:[215791]'
```

instead of expected set of pipes:

```
> lr-x------. 1 root root 64 Apr 20 02:45 50 -> 'pipe:[215791]'
> l-wx------. 1 root root 64 Apr 20 02:45 51 -> 'pipe:[215791]'
```

One possible workaround is to add `sleep 0.1` or so after cat|cat,
but it is outright ugly (besides, we already have one sleep in
the test code).

The solution is to not use any external processes to create pipes.
I admit this still looks not very comprehensible, but at least it
is easier than before, and it works.

While at it, remove code duplication, moving the setup and check
code into a pair of functions.

Finally, since the tests are working now, remove the skip.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-21 02:16:23 -07:00
Kir Kolyshkin bf172ef44f tests/checkpoint.bats: consolidate requires checks
Since all the criu tests have the same requirements,
move them to setup().

While at it, remove an obviously redundant comment.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-21 02:15:04 -07:00
Kir Kolyshkin e216457eea tests/checkpoint.bats: simplify status checks
Introduce a special case for `testcontainer` to test
for container that is not present (checkpointed), use it.

Fix one place where testcontainer was not used.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-21 01:55:54 -07:00
Kir Kolyshkin 69d599ddbd tests/checkpoint.bats: fix $? checks
runc in this file is actually a function that does `run runc ...`,
and `run` sets variable `$status` as the exit code, so `$status`
is what should be checked.

If calling runc directly (as in `__runc ...`), then $? is legit.

While at it, remove an obsoleted comment, and an unneeded
`ret=$?` assignment (check `$?` directly).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-21 01:55:54 -07:00
Kir Kolyshkin 992d5cadfb travis: enable fs2 driver test on fedora
Run in the same environment as systemd tests.

Disable CRIU tests because:

 - they all fail with cgroup v2;

 - CRIU v3.14 is required and it's not yet released, and
   rebuilding it from sources with patches applied (like
   it is currently done in Dockerfile) is too much work.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-19 16:27:40 -07:00
Mrunal Patel 191def7029
Merge pull request #2308 from kolyshkin/exec-no-tty
runc exec: don't enable terminal unless -t is set
2020-04-15 14:43:50 -07:00
Kir Kolyshkin 84583eb1a4 Enable integration tests in cgroupv2 env
Those needs to be run on the (Vagrant Fedora 31) host
(since we need real systemd running), and so we have
to have all the tools needed to compile runc and run
the tests.

The good news is Fedora packages a decent and recent release
of bats-core (1.1.0), which we can use (Debian does not),
and we can also use golang (currently 1.13.9) from Fedora.

The bad news are

 1. Currently cgroups tests are only working with
    RUNC_USE_SYSTEMD=yes (addressed by #2299, #2305)

 2. Tests in events.bats do not work (need cgroupv2
    memory.events support)

 3. Fedora 31 image is 6 months old (and has broken
    container-selinux policy) so we need `dnf update`,
    which adds ~5 min to test time.

[v2: add -t to ssh to enforce pty]
[v3: disable events tests for cgroupv2]
[v4: update fedora packages, use a single dnf transation]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-13 18:40:08 -07:00
Kir Kolyshkin 0965c970fa tests/integration: disable swap tests for v2
Swap setting for cgroupv2 is currently broken, so let's temporarily
disable this part of test.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-13 16:34:45 -07:00
Kir Kolyshkin 483f9a0c50 tests/integration: add some cgroup v2 tests
1. Add `cgroups_v1` and `cgroups_v2` options to `requires`.

2. Modify `check_cgroup_value` to be able to work with v2.

3. Split `test "update"` into two:

   - (1) testing cgroupv1-only cpu shares and cfs
   - (2) testing limits that are more or less common
         between v1 and v2: memory/swap, pids, cpusets.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-13 16:34:45 -07:00
Kir Kolyshkin 3dfa5434fc tests/integration/update.bats: simplify file creation
There's no need for an intermediate variable

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-13 16:34:45 -07:00
Kir Kolyshkin b8b46419ce tests/integration: rm kmem from upgrade tests
... and add kmem-tcp to cgroups kmem test.

First, we already have a separate kmem test in cgroups.bats.

Second, making kmem a requirement leads to skipping all the other
test cases in the update.bats test.

Third, kmem limit is being removed from the kernel, so it makes sense
to handle it separately.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-13 16:34:45 -07:00
Kir Kolyshkin ba3ee7fe04 tests/integration/update.bats: rm obsoleted comment
This comment was added by commit 6cd425be2b (Allow update rt_period_us
and rt_runtime_us, Nov 4 2016), and the test case was added by commit
51baedf3f3 (Add integration for update rt period and runtime,
Nov 28 2016), making the comment obsolete.

Remove it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-13 16:34:45 -07:00
Kir Kolyshkin 3f6a31b71e tests/integration: simplify cgroup paths init
1. Consolidate all the cgroup-related initialization code to
   a single place, init_cgroup_paths(), so we can see which
   variables are set.

2. Lazily call init_cgroup_paths() from all places that require it.

3. Don't set globals KMEM and RT_PERIOD.

4. Slightly clarlify variables naming:
    - use OCI_CGROUPS_PATH for cgroupsPath in config.json
    - use REL_CGROUPS_PATH for relative cgroups path

5. Do not hardcode the list of cgroup subsystems -- get it from
   /proc/cgroup.

6. Preliminary support for cgroupv2 unified hierarchy (not yet working).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-13 16:34:45 -07:00
Kir Kolyshkin 3ae9358054 tests/integration: check_cgroup_value: simplify
Consolidate two implementations of check_cgroup_value()
into one, putting it into helpers.

Remove the first parameter, deducing the variable to get
the path from by the parameter name.

This should help in future cgroupv2 support.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-13 16:34:45 -07:00
Kir Kolyshkin 939bed2a3e runc exec: don't enable terminal unless -t is set
If container's config.json have `"terminal": true` setting in its
"process" section, runc exec assumes that stdin (fd 0) is a terminal
and tries to use it.

This leads to the following error in case stdin is not a terminal:

> ERRO[0000] exec failed: provided file is not a console

So, even if -t/--tty is not set, exec uses stdin as a terminal.
It does not help that urfave/cli v1 parser we use does not allow
to use `-t no` or `-t false`.

Since the settings in config.json is probably for the container run/start,
not for the auxiliary process started inside a container with exec, do
not use a setting from there, only treating stdin as a terminal in case
`-t` is explicitly given.

Tests that use runc exec with a terminal are amended with -t.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-11 14:22:07 -07:00
Odin Ugedal df583b4c51
Fix file permissions for mounts.bats
Signed-off-by: Odin Ugedal <odin@ugedal.com>
2020-03-07 09:29:33 +01:00
Odin Ugedal 382735469c
Update spec test to use go.mod
Signed-off-by: Odin Ugedal <odin@ugedal.com>
2020-03-07 09:29:32 +01:00
Jordan Liggitt 52951a7c19 Fix race in tty integration test with slow startup
Signed-off-by: Jordan Liggitt <liggitt@google.com>
2019-12-18 16:54:54 +00:00
Sebastiaan van Stijn 4be3c48e05
Reformat vendor.conf and pin all deps by git-sha
to make it better readable, and to encourage pinning by
sha, but align to a tagged release.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:43:33 +02:00
Mrunal Patel 80d35c7ce4
Merge pull request #2082 from AkihiroSuda/blkio-kernel50
integration: remove blkio.weight (unavailable in kernel 5.0)
2019-07-29 12:54:32 -07:00
Akihiro Suda 351bfb4baf integration: remove blkio.weight (unavailable in kernel 5.0)
weight, leafWeight, and weightDevice are removed in kernel 5.0

f382fb0bce
https://github.com/opencontainers/runtime-spec/issues/1015

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-07-08 18:08:50 +09:00
Howard Zhang 68cc1a772a Update busybox source and fix runc exec bug
Currently, the id verification in integration test failed on arm
platform due to the inconsistent /etc/group in the busybox images
for arm and x86. To be specific, the nogroup id in x86 is 99 while
that in arm is 65534.

99 is old id for nogroup, and no longer be used in recent system,
so sync the busybox image for arm and x86 to the image in busybox
github. Also change the id verification rule in integration test.

Signed-off-by: Howard Zhang <howard.zhang@arm.com>
2019-07-07 19:36:23 -07:00
Georgi Sabev a146081828 Write logs to stderr by default
Minor refactoring to use the filePair struct for both init sock and log pipe

Co-authored-by: Julia Nedialkova <julianedialkova@hotmail.com>
Signed-off-by: Georgi Sabev <georgethebeatle@gmail.com>
2019-04-24 15:18:14 +03:00
Georgi Sabev ba3cabf932 Improve nsexec logging
* Simplify logging function
* Logs contain __FUNCTION__:__LINE__
* Bail uses write_log

Co-authored-by: Julia Nedialkova <julianedialkova@hotmail.com>
Co-authored-by: Danail Branekov <danailster@gmail.com>
Signed-off-by: Georgi Sabev <georgethebeatle@gmail.com>
2019-04-22 17:53:52 +03:00
Filipe Brandenburger 5369f9ade3 Skip CRIU tests when $RUNC_USE_SYSTEMD for now
These tests sometimes hang, so let's skip them for now.

Tested:
  $ sudo make localintegration TESTPATH='/checkpoint.bats' RUNC_USE_SYSTEMD=1

The 5 tests in this test suite will be skipped.

Signed-off-by: Filipe Brandenburger <filbranden@google.com>
2019-03-14 14:53:09 -07:00
Filipe Brandenburger d4586090c4 Update tests that depend on cgroupfs paths to consider systemd cgroups
When $RUNC_USE_SYSTEMD is set, then use a systemd syntax for the
cgroupsPath. Also fix $CGROUPS_PATH to look under the actual path to the
slice/scope created by systemd.

Tested:
  $ sudo make localintegration TESTPATH='/cgroups.bats' RUNC_USE_SYSTEMD=1

That test will fail without this commit.

Signed-off-by: Filipe Brandenburger <filbranden@google.com>
2019-03-14 14:51:24 -07:00
Filipe Brandenburger a9056a348f Add $RUNC_USE_SYSTEMD to use systemd cgroup driver in tests
This allows us to test runc using libcontainer's systemd driver, by
passing an extra `--systemd-cgroup` argument to the calls to runc.

Tested:
  $ sudo make localintegration TESTPATH='/exec.bats' RUNC_USE_SYSTEMD=1

And confirmed that systemd was in use by looking at creation and removal
of libcontainer_<pid>_systemd_test_default.slice test slices. Also
introduced a breakage in systemd cgroup driver and confirmed that the
tests failed as expected.

Signed-off-by: Filipe Brandenburger <filbranden@google.com>
2019-03-14 10:26:47 -07:00
Giuseppe Scrivano 52f4e0facc
exec: expose --preserve-fds
The implementation is already there, we only need to add the CLI
option and pass it down.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-02-25 17:33:04 +01:00
Adrian Reber 6f3e13cc48
Added test for container specific CRIU configuration files
Signed-off-by: Adrian Reber <areber@redhat.com>
2018-12-21 07:42:12 +01:00
Adrian Reber bc0b047198
Small fixes for CRIU based test cases
This removes unnecessary lines from checkpoint.bats like:

 sed -i 's;"readonly": true;"readonly": false;' config.json

and adds (and corrects) comments which are leftover from older
versions of checkpoint.bats.

Signed-off-by: Adrian Reber <areber@redhat.com>
2018-11-19 16:08:29 +01:00
Yan Zhu feb90346e0 doc: fix typo
Signed-off-by: Yan Zhu <yanzhu@alauda.io>
2018-09-07 11:58:59 +08:00
Adrian Reber 832ac8a538
tests: add external network namespace tests
This adds a new CRIU based checkpoint/restore test to check if
the restored container runs in the same network namespace as before.

Signed-off-by: Adrian Reber <areber@redhat.com>
2018-08-22 23:27:20 +02:00
Kenta Tada b681b58e8a Fix the problem TESTFLAGS is not to be used in Makefile correctly
This commit modifies Makefile to handle test targets correctly.

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
2018-07-11 17:50:47 +09:00
Adrian Reber 46221e3953
criu tests: rename criu feature check
Upstream renamed the feature check for lazy migration support from
'lazy_pages' to 'uffd'. The lazy migration test case was therefore
not running at all. This enables the lazy migration test case in runc
again.

The test will, however, not run in travis as the kernel is too old.
But it works again locally.

Signed-off-by: Adrian Reber <areber@redhat.com>
2018-07-03 17:35:22 +02:00
Qiang Huang dd67ab10d7
Merge pull request #1759 from cyphar/rootless-erofs-as-eperm
rootless: cgroup: treat EROFS as a skippable error
2018-05-25 09:24:16 +08:00
Aleksa Sarai 03e585985f
rootless: cgroup: treat EROFS as a skippable error
In some cases, /sys/fs/cgroups is mounted read-only. In rootless
containers we can consider this effectively identical to having cgroups
that we don't have write permission to -- because the user isn't
responsible for the read-only setup and cannot modify it. The rules are
identical to when /sys/fs/cgroups is not writable by the unprivileged
user.

An example of this is the default configuration of Docker, where cgroups
are mounted as read-only as a preventative security measure.

Reported-by: Vladimir Rutsky <rutsky@google.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2018-03-17 13:53:42 +11:00
W. Trevor King 0aa6e4e5d3 libcontainer/specconv/spec_linux: Support empty 'type' for bind mounts
From the "Creating a bind mount" section of mount(2) [1]:

> If mountflags includes MS_BIND (available since Linux 2.4), then
> perform a bind mount...
>
> The filesystemtype and data arguments are ignored.

This commit adds support for configurations that leave the OPTIONAL
type [2] unset for bind mounts.  There's a related spec-example change
in flight with [3], although my personal preference would be a more
explicit spec for the whole mount structure [4].

[1]: http://man7.org/linux/man-pages/man2/mount.2.html
[2]: https://github.com/opencontainers/runtime-spec/blame/v1.0.1/config.md#L102
[3]: https://github.com/opencontainers/runtime-spec/pull/954
[4]: https://github.com/opencontainers/runtime-spec/pull/771

Signed-off-by: W. Trevor King <wking@tremily.us>
2018-03-07 10:23:42 -08:00
Tom Godkin a1edc03c49 Pin version of gojsonschema in tests
Signed-off-by: Will Martin <wmartin@pivotal.io>
2018-01-04 15:11:45 +00:00
Bin Lu 604dbfbe12 enable integration test on arm64 platform
Currently, integration test can't be done on arm64 platform due to several issues.
 Fix points:
 1, add busybox.tar with arm64 format
 2, add hello-world.tar with arm64 format

Signed-off-by: Bin Lu <bin.lu@arm.com>
2017-11-12 22:43:13 -08:00
Thomas Hipp 1cda65c39b
tests: add missing cgroups_kmem requirement
Since the defined config.json contains kmem settings, the test will try
writing to memory.kmem.* and fail. Therefore, it needs to require
cgroups_kmem.

Signed-off-by: Thomas Hipp <thipp@suse.de>
2017-10-26 19:48:52 +02:00
Aleksa Sarai ffe5cdc4f1
tests: add various !terminal tests
Previously we weren't testing that detached io works properly -- which
will be quite important in the case for rootless containers.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-10-25 00:12:21 +11:00
Mrunal Patel d5fc10a011 Merge pull request #1608 from crosbymichael/gids
add additional-gids to runc exec
2017-10-16 09:18:52 -07:00
Michael Crosby ff4481dbf6 Merge pull request #1540 from cloudfoundry-incubator/rootless-cgroups
Support cgroups with limits as rootless
2017-10-16 12:03:49 -04:00