Commit | Line | Data |
---|---|---|
d08363af SH |
1 | #!/bin/bash |
2 | ||
3 | # lxc: linux Container library | |
4 | ||
5 | # Authors: | |
6 | # Serge Hallyn <serge.hallyn@ubuntu.com> | |
7 | # | |
8 | # This is a test script for unprivileged containers | |
9 | ||
10 | # This library is free software; you can redistribute it and/or | |
11 | # modify it under the terms of the GNU Lesser General Public | |
12 | # License as published by the Free Software Foundation; either | |
13 | # version 2.1 of the License, or (at your option) any later version. | |
14 | ||
15 | # This library is distributed in the hope that it will be useful, | |
16 | # but WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
18 | # Lesser General Public License for more details. | |
19 | ||
20 | # You should have received a copy of the GNU Lesser General Public | |
21 | # License along with this library; if not, write to the Free Software | |
22 | # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA | |
23 | ||
061ba5d0 SG |
24 | # This test assumes an Ubuntu host |
25 | ||
# The rest of the script mounts filesystems, edits /etc/subuid, /etc/subgid
# and /etc/lxc/lxc-usernet, and creates and deletes a user, so it refuses to
# run as anything other than root.
current_uid=$(id -u)
if [ "${current_uid}" -ne 0 ]; then
  echo "ERROR: Must run as root."
  exit 1
fi
90e4eead CB |
30 | |
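# Test if we're using an overlayfs module that handles symlinks correctly. If
# not, we skip these tests since overlay clones will not work correctly.
#
# The probe opens a file inside a scratch overlay mount on fd 9 and compares
# what /proc/$$/fd/9 resolves to with the path that was opened.
#
# NOTE(review): this assigns TMPDIR, the variable mktemp itself honours. If
# the caller exported TMPDIR, the later `mktemp --dry-run` in this script sees
# the new value - confirm that is intended.
if modprobe -q overlayfs; then
  TMPDIR=$(mktemp -d)

  MOUNTDIR="${TMPDIR}/ovl_symlink_test"

  mkdir "${MOUNTDIR}"

  # Back the overlay layers with a throwaway tmpfs.
  mount -t tmpfs none "${MOUNTDIR}"

  mkdir "${MOUNTDIR}"/{lowerdir,upperdir,workdir,overlayfs}
  mount -t overlayfs -o lowerdir="${MOUNTDIR}/lowerdir",upperdir="${MOUNTDIR}/upperdir",workdir="${MOUNTDIR}/workdir" none "${MOUNTDIR}/overlayfs"

  CORRECT_LINK_TARGET="${MOUNTDIR}/overlayfs/placeholder_file"
  # Keep the file open on fd 9 so its /proc entry can be read back.
  exec 9> "${CORRECT_LINK_TARGET}"

  DETECTED_LINK_TARGET=$(readlink -q /proc/$$/fd/9)

  # cleanup
  exec 9>&-

  umount "${MOUNTDIR}/overlayfs"
  umount "${MOUNTDIR}"

  rmdir "${MOUNTDIR}"
  # Remove the mktemp -d directory as well so the probe leaves nothing behind.
  rmdir "${TMPDIR}"

  # This overlay module does not correctly handle symlinks, so skip the
  # tests.
  if [ "${DETECTED_LINK_TARGET}" != "${CORRECT_LINK_TARGET}" ]; then
    exit 0
  fi
fi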
64 | ||
d08363af SH |
# The test cannot run without the newuidmap helper.
if ! which newuidmap >/dev/null 2>&1; then
  echo "'newuidmap' command is missing" >&2
  exit 1
fi

# DONE stays 0 until the very last line of the script; cleanup() reads it to
# choose between PASS and FAIL.
DONE=0

# NOTE(review): --dry-run only prints a name and creates nothing, so the log
# path stays an unclaimed name in a shared temp directory until the first lxc
# command (run as the test user) writes to it, and cleanup() later reads and
# removes that path as root. Consider placing the log in a directory that only
# root and the test user can write to.
UNPRIV_LOG=$(mktemp --dry-run)
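#######################################
# Exit/signal handler: stop the test containers, print the lxc log when the
# test did not finish, and remove the test user together with the files and
# configuration entries the test added for it.
# Globals:   DONE, UNPRIV_LOG, TUSER, HDIR (read)
# Outputs:   the lxc log on failure, then "FAIL" or "PASS", on stdout
# Returns:   exits 1 when DONE is 0; otherwise returns after printing PASS
#######################################
cleanup() {
  local tuser_uid

  cd /

  # The log only exists once an lxc command has written it. Guard the cat so
  # an early failure under `set -e` cannot abort the rest of the cleanup.
  if [ "$DONE" -eq 0 ] && [ -f "${UNPRIV_LOG}" ]; then
    cat "${UNPRIV_LOG}"
  fi

  run_cmd lxc-stop -n c2 -k -l trace -o "${UNPRIV_LOG}" || true
  run_cmd lxc-stop -n c1 -k -l trace -o "${UNPRIV_LOG}" || true

  # Remove the log only after the last command that is pointed at it;
  # otherwise the lxc-stop calls above can re-create the file and leave it
  # behind.
  rm -f "${UNPRIV_LOG}" || true

  # Resolve the uid once. It is empty when the user does not exist (the trap
  # is installed before useradd runs), and an empty uid must never reach the
  # commands below: "/run/user/" followed by nothing is the parent of every
  # user's runtime directory.
  tuser_uid=$(id -u "$TUSER") || tuser_uid=""

  if [ -n "$tuser_uid" ]; then
    pkill -u "$tuser_uid" -9 || true
  fi

  sed -i '/lxcunpriv/d' /run/lxc/nics /etc/lxc/lxc-usernet
  sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid

  rm -Rf -- "$HDIR"
  if [ -n "$tuser_uid" ]; then
    rm -Rf -- "/run/user/${tuser_uid}"
  fi

  deluser "$TUSER"

  if [ "$DONE" -eq 0 ]; then
    echo "FAIL"
    exit 1
  fi

  echo "PASS"
}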
95 | ||
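#######################################
# Run a command as the unprivileged test user via `sudo -i`.
# Globals:   TUSER (read); http_proxy, https_proxy, ASAN_OPTIONS,
#            UBSAN_OPTIONS (read, forwarded - empty when unset)
# Arguments: the command to run, followed by its arguments
# Returns:   the exit status of sudo
#######################################
run_cmd() {
  # The variables the command needs are handed over explicitly through
  # env(1). Every expansion is quoted and the arguments are forwarded as
  # "$@", so a value or argument containing whitespace or glob characters
  # stays a single word instead of being re-split by this shell.
  sudo -i -u "$TUSER" \
    env "http_proxy=${http_proxy:-}" "https_proxy=${https_proxy:-}" \
    "XDG_RUNTIME_DIR=/run/user/$(id -u "$TUSER")" "ASAN_OPTIONS=${ASAN_OPTIONS:-}" \
    "UBSAN_OPTIONS=${UBSAN_OPTIONS:-}" "$@"
}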
102 | ||
# Test user and its home directory. The same name is hard-coded in the sed
# patterns further down.
TUSER=lxcunpriv
HDIR=/home/$TUSER

# From here on every exit path, including HUP/INT/TERM, runs cleanup(), and
# any failing command or unset variable aborts the script.
trap cleanup EXIT SIGHUP SIGINT SIGTERM
set -eu

# Start from a clean slate if an earlier run left the user behind.
if id "$TUSER" &> /dev/null; then
  deluser -q --remove-home "$TUSER"
fi
useradd "$TUSER"

mkdir -p "$HDIR"

# lxc-usernet entry: lets the test user attach up to 2 veth devices to lxcbr0.
echo "$TUSER veth lxcbr0 2" >> /etc/lxc/lxc-usernet

# Drop any existing subordinate id lines for the user, then give it the
# 910000-919999 range for both uids (-v) and gids (-w).
sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid
usermod -v 910000-919999 -w 910000-919999 "$TUSER"

# Per-user LXC defaults: veth on lxcbr0, container ids 0.. mapped onto the
# subordinate range granted above.
mkdir -p "$HDIR/.config/lxc/"
cat << EOF > "$HDIR/.config/lxc/default.conf"
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.idmap = u 0 910000 9999
lxc.idmap = g 0 910000 9999
EOF
chown -R "$TUSER": "$HDIR"

# run_cmd points XDG_RUNTIME_DIR at this directory, so it has to exist and
# belong to the test user.
mkdir -p "/run/user/$(id -u "$TUSER")"
chown -R "$TUSER": "/run/user/$(id -u "$TUSER")"

cd "$HDIR"
d08363af | 132 | |
42e5c987 SG |
# Move this shell into a cgroup owned by the test user, using whichever
# mechanism the host offers: the cgm client, the cgmanager D-Bus socket, or
# the cgroup filesystem directly.
if which cgm >/dev/null 2>&1; then
  cgm create all "$TUSER"
  cgm chown all "$TUSER" "$(id -u "$TUSER")" "$(id -g "$TUSER")"
  cgm movepid all "$TUSER" $$
elif [ -e /sys/fs/cgroup/cgmanager/sock ]; then
  # Same three steps (Create, Chown, MovePid) issued over D-Bus, once per
  # controller field of /proc/self/cgroup.
  cgm_dbus=(
    dbus-send --print-reply
    --address=unix:path=/sys/fs/cgroup/cgmanager/sock
    --type=method_call /org/linuxcontainers/cgmanager
  )
  # Word splitting of the cut output is intentional: one field per iteration.
  for d in $(cut -d : -f 2 /proc/self/cgroup); do
    "${cgm_dbus[@]}" org.linuxcontainers.cgmanager0_0.Create \
      "string:$d" "string:$TUSER" >/dev/null

    "${cgm_dbus[@]}" org.linuxcontainers.cgmanager0_0.Chown \
      "string:$d" "string:$TUSER" \
      "int32:$(id -u "$TUSER")" "int32:$(id -g "$TUSER")" >/dev/null

    "${cgm_dbus[@]}" org.linuxcontainers.cgmanager0_0.MovePid \
      "string:$d" "string:$TUSER" "int32:$$" >/dev/null
  done
else
  # No cgmanager: create an lxctest cgroup in every hierarchy under
  # /sys/fs/cgroup, hand it to the test user and move this shell into it.
  for d in /sys/fs/cgroup/*; do
    if [ "$d" = "/sys/fs/cgroup/unified" ]; then
      continue
    fi
    if [ -f "$d/cgroup.clone_children" ]; then
      echo 1 > "$d/cgroup.clone_children"
    fi
    if [ ! -d "$d/lxctest" ]; then
      mkdir "$d/lxctest"
    fi
    chown -R "$TUSER": "$d/lxctest"
    echo $$ > "$d/lxctest/tasks"
  done
fi
73d3e090 | 160 | |
# Create the busybox container c1 as the unprivileged user.
run_cmd lxc-create -t busybox -n c1 -l trace -o "${UNPRIV_LOG}"

# Make sure we can start it - twice
for count in 1 2; do
  run_cmd lxc-start -n c1 -d -l trace -o "${UNPRIV_LOG}"

  # The script treats an init pid of -1 as "container did not start"; the
  # trailing `false` makes `set -e` end the run.
  p1=$(run_cmd lxc-info -n c1 -p -H -l trace -o "${UNPRIV_LOG}")
  if [ "$p1" = "-1" ]; then
    echo "Failed to start container c1 (run $count)"
    false
  fi

  run_cmd lxc-info -n c1 -l trace -o "${UNPRIV_LOG}"
  run_cmd lxc-attach -n c1 -l trace -o "${UNPRIV_LOG}" -- /bin/true

  run_cmd lxc-stop -n c1 -k -l trace -o "${UNPRIV_LOG}"
done
73d3e090 | 176 | |
17d9d072 CB |
# Snapshot-clone c1 into c2 (-s) and check that the clone starts as well.
run_cmd lxc-copy -s -n c1 -N c2 -l trace -o "${UNPRIV_LOG}"
run_cmd lxc-start -n c2 -d -l trace -o "${UNPRIV_LOG}"

p1=$(run_cmd lxc-info -n c2 -p -H -l trace -o "${UNPRIV_LOG}")
if [ "$p1" = "-1" ]; then
  echo "Failed to start container c2"
  false
fi

run_cmd lxc-stop -n c2 -k -l trace -o "${UNPRIV_LOG}"
3ad30ff7 | 183 | |
e2ef635e SH |
# Only with the cgm client: run the container while this shell sits in a
# different freezer cgroup from the other controllers, then attach and query
# cgroup values after moving to yet another one.
if which cgm >/dev/null 2>&1; then
  echo "Testing containers under different cgroups per subsystem"
  run_cmd cgm create freezer x1/x2
  cgm movepid freezer x1 $$

  run_cmd lxc-start -n c1 -d -l trace -o "${UNPRIV_LOG}"
  p1=$(run_cmd lxc-info -n c1 -p -H -l trace -o "${UNPRIV_LOG}")
  if [ "$p1" = "-1" ]; then
    echo "Failed to start container c1"
    false
  fi
  run_cmd lxc-info -n c1 -l trace -o "${UNPRIV_LOG}"
  run_cmd lxc-attach -n c1 -l trace -o "${UNPRIV_LOG}" -- /bin/true
  run_cmd lxc-cgroup -n c1 freezer.state -l trace -o "${UNPRIV_LOG}"

  echo "Testing lxc-attach and lxc-cgroup from different cgroup"
  cgm movepid freezer x2 $$
  run_cmd lxc-attach -n c1 -l trace -o "${UNPRIV_LOG}" -- /bin/true
  run_cmd lxc-cgroup -n c1 -l trace -o "${UNPRIV_LOG}" freezer.state
  run_cmd lxc-cgroup -n c1 -l trace -o "${UNPRIV_LOG}" memory.limit_in_bytes
fi

# Reaching this line means every step above succeeded; cleanup() prints PASS.
DONE=1