In certain circumstances (such as the rootless containers patchset), it
is not possible to test things using /sys/firmware. In addition, we
should be testing our own functionality rather than testing protection
against /sys attacks (for which the system might already have extra
protections).
Instead, just make some fake paths in the rootfs that we then mask.
Oddly I noticed that one of the errors changed when doing this (because
before we tested removing a file from /sys/firmware which is -EPERM). So
the old test was broken.
Fixes: 53179559a1 ("MaskPaths: support directory")
Fixes: #1068
Signed-off-by: Aleksa Sarai <asarai@suse.de>
With this patch, `runc start` command can start mulit-containers
at one command this patch also checks the argument of the `start`
command.
root@ubuntu:# runc list
ID PID STATUS BUNDLE CREATED
a 0 stopped /mycontainer 2016-09-23T08:56:42.754026567Z
b 62979 created /mycontainer 2016-09-23T09:01:36.421976458Z
c 62993 running /mycontainer 2016-09-23T09:01:38.105940389Z
d 63006 created /mycontainer 2016-09-23T09:01:39.65441942Z
e 63020 created /mycontainer 2016-09-23T09:01:40.989995515Z
root@ubuntu:# runc start
runc: "start" requires a minimum of 1 argument
root@ubuntu:# runc start a b c d e f
cannot start a container that has run and stopped
cannot start an already running container
container f is not exist
all or part of the containers start failed
root@ubuntu:# runc list
ID PID STATUS BUNDLE CREATED
a 0 stopped /mycontainer 2016-09-23T08:56:42.754026567Z
b 62979 running /mycontainer 2016-09-23T09:01:36.421976458Z
c 62993 running /mycontainer 2016-09-23T09:01:38.105940389Z
d 63006 running /mycontainer 2016-09-23T09:01:39.65441942Z
e 63020 running /mycontainer 2016-09-23T09:01:40.989995515Z
Signed-off-by: Wang Long <long.wanglong@huawei.com>
For example, the /sys/firmware directory should be masked because it can contain some sensitive files:
- /sys/firmware/acpi/tables/{SLIC,MSDM}: Windows license information:
- /sys/firmware/ibft/target0/chap-secret: iSCSI CHAP secret
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
On older kernels or kernels were CONFIG_MEMCG_KMEM is not set some cgroup tests
cannot be run. We simply test for the existence of the file
"${CGROUP_BASE_PATH}/memory/memory.kmem.limit_in_bytes" which should be
sufficient to conclude that CONFIG_MEMCG_KMEM is not set.
Signed-off-by: Christian Brauner <cbrauner@suse.de>
This is a very important testcase, as certain permission issues can
arise if we don't test this automatically.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
bats doesn't automatically print the entirety of $output when an error
has occurred in a test. This makes debugging much harder, so add to the
runc wrapper some more debug information to make maintainers' lives
easier.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
This makes it much simpler to write tests, and you don't have to worry
about some of the oddness with bats.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Since kernel 4.6, we can update kernel memory without
initialization, because it's accounted by default.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
--root invocations make tests harder to read, and they only serve a very
specific purpose. As such, remove them from the `runc update` tests
because they don't serve a purpose.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
On some systems, the cgroup hierarchies are grouped together
(cpu,cpuacct). In order to avoid fake failures, update the cgroup
parsing to just check whether or not the mountinfo options *contain* the
cgroup type.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Signed-off-by: rajasec <rajasec79@gmail.com>
Adding kernel mem tcp for update command
Signed-off-by: rajasec <rajasec79@gmail.com>
Fixing update.bats to reduce the TCP value
Signed-off-by: rajasec <rajasec79@gmail.com>
Updated the kernelTCP in bats as per json
Signed-off-by: rajasec <rajasec79@gmail.com>
Fixed some minor issue in bats file
Signed-off-by: rajasec <rajasec79@gmail.com>
Rounded off to right bytes for kernel TCP
Signed-off-by: rajasec <rajasec79@gmail.com>
Updating man file for update command
Signed-off-by: rajasec <rajasec79@gmail.com>
Qiang Huang
Wang Long
Aleksa Sarai
Michael Crosby
Shukui Yang
Akihiro Suda
Mrunal Patel
Adam Thomason
Aleksa Sarai
Christian Brauner
Johnny Bieren
Kenfe-Mickael Laventure
Mrunal Patel
rajasec