[mirror_lxc.git] / src / tests / lxc-test-unpriv

#!/bin/bash

# lxc: linux Container library

# Authors:
# Serge Hallyn <serge.hallyn@ubuntu.com>
#
# This is a test script for unprivileged containers

# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.

# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

# This test assumes an Ubuntu host

if [ $(id -u) -ne 0 ]; then
	echo "ERROR: Must run as root."
	exit 1
fi

# Test if we're using an overlayfs module that handles symlinks correctly. If
# not, we skip these tests since overlay clones will not work correctly.
if modprobe -q overlayfs; then
        TMPDIR=$(mktemp -d)

        MOUNTDIR="${TMPDIR}/ovl_symlink_test"

        mkdir ${MOUNTDIR}

        mount -t tmpfs none ${MOUNTDIR}

        mkdir ${MOUNTDIR}/{lowerdir,upperdir,workdir,overlayfs}
        mount -t overlayfs -o lowerdir="${MOUNTDIR}/lowerdir",upperdir="${MOUNTDIR}/upperdir",workdir="${MOUNTDIR}/workdir" none "${MOUNTDIR}/overlayfs"

        CORRECT_LINK_TARGET="${MOUNTDIR}/overlayfs/placeholder_file"
        exec 9> "${CORRECT_LINK_TARGET}"

        DETECTED_LINK_TARGET=$(readlink -q /proc/$$/fd/9)

        # cleanup
        exec 9>&-

        umount "${MOUNTDIR}/overlayfs"
        umount ${MOUNTDIR}

        rmdir ${MOUNTDIR}

        # This overlay module does not correctly handle symlinks, so skip the
        # tests.
        if [ "${DETECTED_LINK_TARGET}" != "${CORRECT_LINK_TARGET}" ]; then
                exit 0
        fi
fi

which newuidmap >/dev/null 2>&1 || { echo "'newuidmap' command is missing" >&2; exit 1; }

DONE=0
UNPRIV_LOG=$(mktemp --dry-run)
cleanup() {
	cd /

	if [ $DONE -eq 0 ]; then
		cat "${UNPRIV_LOG}"
	fi
	rm -f "${UNPRIV_LOG}" || true

	run_cmd lxc-stop -n c2 -k -l trace -o "${UNPRIV_LOG}" || true
	run_cmd lxc-stop -n c1 -k -l trace -o "${UNPRIV_LOG}" || true
	pkill -u $(id -u $TUSER) -9 || true

	sed -i '/lxcunpriv/d' /run/lxc/nics /etc/lxc/lxc-usernet
	sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid

	rm -Rf $HDIR /run/user/$(id -u $TUSER)

	deluser $TUSER

	if [ $DONE -eq 0 ]; then
		echo "FAIL"
		exit 1
	fi

	echo "PASS"
}

run_cmd() {
	sudo -i -u $TUSER \
	    env http_proxy=${http_proxy:-} https_proxy=${https_proxy:-} \
	        XDG_RUNTIME_DIR=/run/user/$(id -u $TUSER) ASAN_OPTIONS=${ASAN_OPTIONS:-} \
		UBSAN_OPTIONS=${UBSAN_OPTIONS:-} $*
}

# create a test user
TUSER=lxcunpriv
HDIR=/home/$TUSER

trap cleanup EXIT SIGHUP SIGINT SIGTERM
set -eu

id $TUSER &> /dev/null && deluser -q --remove-home $TUSER
useradd $TUSER

mkdir -p $HDIR
echo "$TUSER veth lxcbr0 2" >> /etc/lxc/lxc-usernet
sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid

usermod -v 910000-919999 -w 910000-919999 $TUSER

mkdir -p $HDIR/.config/lxc/
cat > $HDIR/.config/lxc/default.conf << EOF
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.idmap = u 0 910000 9999
lxc.idmap = g 0 910000 9999
EOF
chown -R $TUSER: $HDIR

mkdir -p /run/user/$(id -u $TUSER)
chown -R $TUSER: /run/user/$(id -u $TUSER)

cd $HDIR

if which cgm >/dev/null 2>&1; then
	cgm create all $TUSER
	cgm chown all $TUSER $(id -u $TUSER) $(id -g $TUSER)
	cgm movepid all $TUSER $$
elif [ -e /sys/fs/cgroup/cgmanager/sock ]; then
	for d in $(cut -d : -f 2 /proc/self/cgroup); do
		dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
			--type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Create \
			string:$d string:$TUSER >/dev/null

		dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
			--type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Chown \
			string:$d string:$TUSER int32:$(id -u $TUSER) int32:$(id -g $TUSER) >/dev/null

		dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
			--type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.MovePid \
			string:$d string:$TUSER int32:$$ >/dev/null
	done
else
	for d in /sys/fs/cgroup/*; do
		[ "$d" = "/sys/fs/cgroup/unified" ] && continue
		[ -f $d/cgroup.clone_children ] && echo 1 > $d/cgroup.clone_children
		[ ! -d $d/lxctest ] && mkdir $d/lxctest
		chown -R $TUSER: $d/lxctest
		echo $$ > $d/lxctest/tasks
	done
fi

run_cmd lxc-create -t busybox -n c1 -l trace -o "${UNPRIV_LOG}"

# Make sure we can start it - twice

for count in `seq 1 2`; do
    run_cmd lxc-start -n c1 -d -l trace -o "${UNPRIV_LOG}"

    p1=$(run_cmd lxc-info -n c1 -p -H -l trace -o "${UNPRIV_LOG}")
    [ "$p1" != "-1" ] || { echo "Failed to start container c1 (run $count)"; false; }

    run_cmd lxc-info -n c1 -l trace -o "${UNPRIV_LOG}"
    run_cmd lxc-attach -n c1 -l trace -o "${UNPRIV_LOG}" -- /bin/true

    run_cmd lxc-stop -n c1 -k -l trace -o "${UNPRIV_LOG}"
done

run_cmd lxc-copy -s -n c1 -N c2 -l trace -o "${UNPRIV_LOG}"
run_cmd lxc-start -n c2 -d -l trace -o "${UNPRIV_LOG}"
p1=$(run_cmd lxc-info -n c2 -p -H -l trace -o "${UNPRIV_LOG}")
[ "$p1" != "-1" ] || { echo "Failed to start container c2"; false; }

run_cmd lxc-stop -n c2 -k -l trace -o "${UNPRIV_LOG}"

if which cgm >/dev/null 2>&1; then
    echo "Testing containers under different cgroups per subsystem"
    run_cmd cgm create freezer x1/x2
    cgm movepid freezer x1 $$
    run_cmd lxc-start -n c1 -d -l trace -o "${UNPRIV_LOG}"
    p1=$(run_cmd lxc-info -n c1 -p -H -l trace -o "${UNPRIV_LOG}")
    [ "$p1" != "-1" ] || { echo "Failed to start container c1"; false; }
    run_cmd lxc-info -n c1 -l trace -o "${UNPRIV_LOG}"
    run_cmd lxc-attach -n c1 -l trace -o "${UNPRIV_LOG}" -- /bin/true
    run_cmd lxc-cgroup -n c1 freezer.state -l trace -o "${UNPRIV_LOG}"

    echo "Testing lxc-attach and lxc-cgroup from different cgroup"
    cgm movepid freezer x2 $$
    run_cmd lxc-attach -n c1 -l trace -o "${UNPRIV_LOG}" -- /bin/true
    run_cmd lxc-cgroup -n c1 -l trace -o "${UNPRIV_LOG}" freezer.state
    run_cmd lxc-cgroup -n c1 -l trace -o "${UNPRIV_LOG}" memory.limit_in_bytes
fi

DONE=1
Commit	Line	Data
d08363af SH	1	#!/bin/bash
	2
	3	# lxc: linux Container library
	4
	5	# Authors:
	6	# Serge Hallyn <serge.hallyn@ubuntu.com>
	7	#
	8	# This is a test script for unprivileged containers
	9
	10	# This library is free software; you can redistribute it and/or
	11	# modify it under the terms of the GNU Lesser General Public
	12	# License as published by the Free Software Foundation; either
	13	# version 2.1 of the License, or (at your option) any later version.
	14
	15	# This library is distributed in the hope that it will be useful,
	16	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	18	# Lesser General Public License for more details.
	19
	20	# You should have received a copy of the GNU Lesser General Public
	21	# License along with this library; if not, write to the Free Software
	22	# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
	23
061ba5d0 SG	24	# This test assumes an Ubuntu host
061ba5d0 SG	25
d08363af	26	if [ $(id -u) -ne 0 ]; then
c26adb82	27	echo "ERROR: Must run as root."
d08363af SH	28	exit 1
d08363af SH	29	fi
90e4eead CB	30
	31	# Test if we're using an overlayfs module that handles symlinks correctly. If
	32	# not, we skip these tests since overlay clones will not work correctly.
	33	if modprobe -q overlayfs; then
	34	TMPDIR=$(mktemp -d)
	35
	36	MOUNTDIR="${TMPDIR}/ovl_symlink_test"
	37
	38	mkdir ${MOUNTDIR}
	39
	40	mount -t tmpfs none ${MOUNTDIR}
	41
706f1101 PHL	42	mkdir ${MOUNTDIR}/{lowerdir,upperdir,workdir,overlayfs}
706f1101 PHL	43	mount -t overlayfs -o lowerdir="${MOUNTDIR}/lowerdir",upperdir="${MOUNTDIR}/upperdir",workdir="${MOUNTDIR}/workdir" none "${MOUNTDIR}/overlayfs"
90e4eead	44
8de0119d	45	CORRECT_LINK_TARGET="${MOUNTDIR}/overlayfs/placeholder_file"
90e4eead CB	46	exec 9> "${CORRECT_LINK_TARGET}"
	47
	48	DETECTED_LINK_TARGET=$(readlink -q /proc/$$/fd/9)
	49
	50	# cleanup
	51	exec 9>&-
	52
	53	umount "${MOUNTDIR}/overlayfs"
	54	umount ${MOUNTDIR}
	55
	56	rmdir ${MOUNTDIR}
	57
	58	# This overlay module does not correctly handle symlinks, so skip the
	59	# tests.
	60	if [ "${DETECTED_LINK_TARGET}" != "${CORRECT_LINK_TARGET}" ]; then
	61	exit 0
	62	fi
	63	fi
	64
d08363af SH	65	which newuidmap >/dev/null 2>&1 \|\| { echo "'newuidmap' command is missing" >&2; exit 1; }
	66
	67	DONE=0
17d9d072	68	UNPRIV_LOG=$(mktemp --dry-run)
d08363af	69	cleanup() {
6ebc0504	70	cd /
73d3e090	71
6bc4165d CB	72	if [ $DONE -eq 0 ]; then
	73	cat "${UNPRIV_LOG}"
	74	fi
	75	rm -f "${UNPRIV_LOG}" \|\| true
	76
17d9d072 CB	77	run_cmd lxc-stop -n c2 -k -l trace -o "${UNPRIV_LOG}" \|\| true
17d9d072 CB	78	run_cmd lxc-stop -n c1 -k -l trace -o "${UNPRIV_LOG}" \|\| true
d0ab6d91	79	pkill -u $(id -u $TUSER) -9 \|\| true
73d3e090	80
061ba5d0	81	sed -i '/lxcunpriv/d' /run/lxc/nics /etc/lxc/lxc-usernet
d08363af	82	sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid
73d3e090 SG	83
	84	rm -Rf $HDIR /run/user/$(id -u $TUSER)
	85
	86	deluser $TUSER
	87
d08363af	88	if [ $DONE -eq 0 ]; then
73d3e090 SG	89	echo "FAIL"
73d3e090 SG	90	exit 1
d08363af	91	fi
6bc4165d	92
73d3e090 SG	93	echo "PASS"
	94	}
	95
	96	run_cmd() {
198a3f10 SG	97	sudo -i -u $TUSER \
198a3f10 SG	98	env http_proxy=${http_proxy:-} https_proxy=${https_proxy:-} \
5f850cf9 EV	99	XDG_RUNTIME_DIR=/run/user/$(id -u $TUSER) ASAN_OPTIONS=${ASAN_OPTIONS:-} \
5f850cf9 EV	100	UBSAN_OPTIONS=${UBSAN_OPTIONS:-} $*
d08363af SH	101	}
	102
	103	# create a test user
	104	TUSER=lxcunpriv
	105	HDIR=/home/$TUSER
	106
	107	trap cleanup EXIT SIGHUP SIGINT SIGTERM
73d3e090	108	set -eu
d08363af	109
438c96e9	110	id $TUSER &> /dev/null && deluser -q --remove-home $TUSER
d08363af	111	useradd $TUSER
73d3e090 SG	112
73d3e090 SG	113	mkdir -p $HDIR
9a64d3cf	114	echo "$TUSER veth lxcbr0 2" >> /etc/lxc/lxc-usernet
d08363af	115	sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid
73d3e090	116
d08363af	117	usermod -v 910000-919999 -w 910000-919999 $TUSER
d08363af	118
73d3e090 SG	119	mkdir -p $HDIR/.config/lxc/
73d3e090 SG	120	cat > $HDIR/.config/lxc/default.conf << EOF
7fa3f2e9	121	lxc.net.0.type = veth
7fa3f2e9	122	lxc.net.0.link = lxcbr0
bdcbb6b3 CB	123	lxc.idmap = u 0 910000 9999
bdcbb6b3 CB	124	lxc.idmap = g 0 910000 9999
d08363af	125	EOF
79d88b03	126	chown -R $TUSER: $HDIR
73d3e090 SG	127
73d3e090 SG	128	mkdir -p /run/user/$(id -u $TUSER)
79d88b03	129	chown -R $TUSER: /run/user/$(id -u $TUSER)
73d3e090 SG	130
73d3e090 SG	131	cd $HDIR
d08363af	132
42e5c987 SG	133	if which cgm >/dev/null 2>&1; then
	134	cgm create all $TUSER
	135	cgm chown all $TUSER $(id -u $TUSER) $(id -g $TUSER)
	136	cgm movepid all $TUSER $$
	137	elif [ -e /sys/fs/cgroup/cgmanager/sock ]; then
ef4deb7f	138	for d in $(cut -d : -f 2 /proc/self/cgroup); do
3f458ed0 SG	139	dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
	140	--type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Create \
	141	string:$d string:$TUSER >/dev/null
	142
	143	dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
	144	--type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Chown \
	145	string:$d string:$TUSER int32:$(id -u $TUSER) int32:$(id -g $TUSER) >/dev/null
	146
	147	dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
	148	--type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.MovePid \
	149	string:$d string:$TUSER int32:$$ >/dev/null
	150	done
	151	else
	152	for d in /sys/fs/cgroup/*; do
8d5a91fc	153	[ "$d" = "/sys/fs/cgroup/unified" ] && continue
177f793a	154	[ -f $d/cgroup.clone_children ] && echo 1 > $d/cgroup.clone_children
3f458ed0	155	[ ! -d $d/lxctest ] && mkdir $d/lxctest
79d88b03	156	chown -R $TUSER: $d/lxctest
3f458ed0 SG	157	echo $$ > $d/lxctest/tasks
	158	done
	159	fi
73d3e090	160
6c321cea	161	run_cmd lxc-create -t busybox -n c1 -l trace -o "${UNPRIV_LOG}"
73d3e090	162
a17d94a5	163	# Make sure we can start it - twice
d08363af	164
a17d94a5	165	for count in `seq 1 2`; do
17d9d072	166	run_cmd lxc-start -n c1 -d -l trace -o "${UNPRIV_LOG}"
a17d94a5	167
17d9d072	168	p1=$(run_cmd lxc-info -n c1 -p -H -l trace -o "${UNPRIV_LOG}")
a17d94a5 SH	169	[ "$p1" != "-1" ] \|\| { echo "Failed to start container c1 (run $count)"; false; }
a17d94a5 SH	170
17d9d072 CB	171	run_cmd lxc-info -n c1 -l trace -o "${UNPRIV_LOG}"
17d9d072 CB	172	run_cmd lxc-attach -n c1 -l trace -o "${UNPRIV_LOG}" -- /bin/true
a17d94a5	173
17d9d072	174	run_cmd lxc-stop -n c1 -k -l trace -o "${UNPRIV_LOG}"
a17d94a5	175	done
73d3e090	176
17d9d072 CB	177	run_cmd lxc-copy -s -n c1 -N c2 -l trace -o "${UNPRIV_LOG}"
	178	run_cmd lxc-start -n c2 -d -l trace -o "${UNPRIV_LOG}"
	179	p1=$(run_cmd lxc-info -n c2 -p -H -l trace -o "${UNPRIV_LOG}")
3ad30ff7 SH	180	[ "$p1" != "-1" ] \|\| { echo "Failed to start container c2"; false; }
3ad30ff7 SH	181
17d9d072	182	run_cmd lxc-stop -n c2 -k -l trace -o "${UNPRIV_LOG}"
3ad30ff7	183
e2ef635e SH	184	if which cgm >/dev/null 2>&1; then
	185	echo "Testing containers under different cgroups per subsystem"
	186	run_cmd cgm create freezer x1/x2
	187	cgm movepid freezer x1 $$
17d9d072 CB	188	run_cmd lxc-start -n c1 -d -l trace -o "${UNPRIV_LOG}"
17d9d072 CB	189	p1=$(run_cmd lxc-info -n c1 -p -H -l trace -o "${UNPRIV_LOG}")
e2ef635e	190	[ "$p1" != "-1" ] \|\| { echo "Failed to start container c1"; false; }
17d9d072 CB	191	run_cmd lxc-info -n c1 -l trace -o "${UNPRIV_LOG}"
	192	run_cmd lxc-attach -n c1 -l trace -o "${UNPRIV_LOG}" -- /bin/true
	193	run_cmd lxc-cgroup -n c1 freezer.state -l trace -o "${UNPRIV_LOG}"
e2ef635e SH	194
	195	echo "Testing lxc-attach and lxc-cgroup from different cgroup"
	196	cgm movepid freezer x2 $$
17d9d072 CB	197	run_cmd lxc-attach -n c1 -l trace -o "${UNPRIV_LOG}" -- /bin/true
	198	run_cmd lxc-cgroup -n c1 -l trace -o "${UNPRIV_LOG}" freezer.state
	199	run_cmd lxc-cgroup -n c1 -l trace -o "${UNPRIV_LOG}" memory.limit_in_bytes
e2ef635e SH	200	fi
e2ef635e SH	201
d08363af	202	DONE=1