[mirror_lxc.git] / src / tests / lxc-test-unpriv

#!/bin/bash

# lxc: linux Container library

# Authors:
# Serge Hallyn <serge.hallyn@ubuntu.com>
#
# This is a test script for unprivileged containers

# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.

# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

# This test assumes an Ubuntu host

if [ $(id -u) -ne 0 ]; then
	echo "ERROR: Must run as root."
	exit 1
fi
which newuidmap >/dev/null 2>&1 || { echo "'newuidmap' command is missing" >&2; exit 1; }

DONE=0
cleanup() {
	cd /

	run_cmd lxc-stop -n c2 -k || true
	run_cmd lxc-stop -n c1 -k || true
	pkill -u $(id -u $TUSER) -9

	sed -i '/lxcunpriv/d' /run/lxc/nics /etc/lxc/lxc-usernet
	sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid

	rm -Rf $HDIR /run/user/$(id -u $TUSER)

	deluser $TUSER

	if [ $DONE -eq 0 ]; then
		echo "FAIL"
		exit 1
	fi
	echo "PASS"
}

run_cmd() {
	sudo -i -u $TUSER \
	    env http_proxy=${http_proxy:-} https_proxy=${https_proxy:-} \
	        XDG_RUNTIME_DIR=/run/user/$(id -u $TUSER) $*
}

# create a test user
TUSER=lxcunpriv
HDIR=/home/$TUSER

ARCH=i386
if type dpkg >/dev/null 2>&1; then
	ARCH=$(dpkg --print-architecture)
fi

trap cleanup EXIT SIGHUP SIGINT SIGTERM
set -eu

deluser $TUSER && rm -Rf $HDIR || true
useradd $TUSER

mkdir -p $HDIR
echo "$TUSER veth lxcbr0 2" >> /etc/lxc/lxc-usernet
sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid

usermod -v 910000-919999 -w 910000-919999 $TUSER

mkdir -p $HDIR/.config/lxc/
cat > $HDIR/.config/lxc/default.conf << EOF
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.id_map = u 0 910000 9999
lxc.id_map = g 0 910000 9999
EOF
chown -R $TUSER: $HDIR

mkdir -p /run/user/$(id -u $TUSER)
chown -R $TUSER: /run/user/$(id -u $TUSER)

cd $HDIR

if which cgm >/dev/null 2>&1; then
	cgm create all $TUSER
	cgm chown all $TUSER $(id -u $TUSER) $(id -g $TUSER)
	cgm movepid all $TUSER $$
elif [ -e /sys/fs/cgroup/cgmanager/sock ]; then
	for d in $(cut -d : -f 2 /proc/self/cgroup); do
		dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
			--type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Create \
			string:$d string:$TUSER >/dev/null

		dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
			--type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Chown \
			string:$d string:$TUSER int32:$(id -u $TUSER) int32:$(id -g $TUSER) >/dev/null

		dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
			--type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.MovePid \
			string:$d string:$TUSER int32:$$ >/dev/null
	done
else
	for d in /sys/fs/cgroup/*; do
		[ -f $d/cgroup.clone_children ] && echo 1 > $d/cgroup.clone_children
		[ ! -d $d/lxctest ] && mkdir $d/lxctest
		chown -R $TUSER: $d/lxctest
		echo $$ > $d/lxctest/tasks
	done
fi

# Copy the download template cache if available
run_cmd mkdir -p $HDIR/.cache/lxc
[ -d /var/cache/lxc/download ] && \
    cp -R /var/cache/lxc/download $HDIR/.cache/lxc && \
    chown -R $TUSER: $HDIR/.cache/lxc

run_cmd lxc-create -t download -n c1 -- -d ubuntu -r trusty -a $ARCH

# Make sure we can start it - twice

for count in `seq 1 2`; do
    run_cmd lxc-start -n c1 -d

    p1=$(run_cmd lxc-info -n c1 -p -H)
    [ "$p1" != "-1" ] || { echo "Failed to start container c1 (run $count)"; false; }

    run_cmd lxc-info -n c1
    run_cmd lxc-attach -n c1 -- /bin/true

    run_cmd lxc-stop -n c1
done

run_cmd lxc-copy -s -n c1 -N c2
run_cmd lxc-start -n c2 -d
p1=$(run_cmd lxc-info -n c2 -p -H)
[ "$p1" != "-1" ] || { echo "Failed to start container c2"; false; }

run_cmd lxc-stop -n c2

if which cgm >/dev/null 2>&1; then
    echo "Testing containers under different cgroups per subsystem"
    run_cmd cgm create freezer x1/x2
    cgm movepid freezer x1 $$
    run_cmd lxc-start -n c1 -d
    p1=$(run_cmd lxc-info -n c1 -p -H)
    [ "$p1" != "-1" ] || { echo "Failed to start container c1"; false; }
    run_cmd lxc-info -n c1
    run_cmd lxc-attach -n c1 -- /bin/true
    run_cmd lxc-cgroup -n c1 freezer.state

    echo "Testing lxc-attach and lxc-cgroup from different cgroup"
    cgm movepid freezer x2 $$
    run_cmd lxc-attach -n c1 -- /bin/true
    run_cmd lxc-cgroup -n c1 freezer.state
    run_cmd lxc-cgroup -n c1 memory.limit_in_bytes
fi

DONE=1
Commit	Line	Data
d08363af SH	1	#!/bin/bash
	2
	3	# lxc: linux Container library
	4
	5	# Authors:
	6	# Serge Hallyn <serge.hallyn@ubuntu.com>
	7	#
	8	# This is a test script for unprivileged containers
	9
	10	# This library is free software; you can redistribute it and/or
	11	# modify it under the terms of the GNU Lesser General Public
	12	# License as published by the Free Software Foundation; either
	13	# version 2.1 of the License, or (at your option) any later version.
	14
	15	# This library is distributed in the hope that it will be useful,
	16	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	18	# Lesser General Public License for more details.
	19
	20	# You should have received a copy of the GNU Lesser General Public
	21	# License along with this library; if not, write to the Free Software
	22	# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
	23
061ba5d0 SG	24	# This test assumes an Ubuntu host
061ba5d0 SG	25
d08363af	26	if [ $(id -u) -ne 0 ]; then
c26adb82	27	echo "ERROR: Must run as root."
d08363af SH	28	exit 1
	29	fi
	30	which newuidmap >/dev/null 2>&1 \|\| { echo "'newuidmap' command is missing" >&2; exit 1; }
	31
	32	DONE=0
	33	cleanup() {
6ebc0504	34	cd /
73d3e090	35
3ad30ff7 SH	36	run_cmd lxc-stop -n c2 -k \|\| true
3ad30ff7 SH	37	run_cmd lxc-stop -n c1 -k \|\| true
73d3e090 SG	38	pkill -u $(id -u $TUSER) -9
73d3e090 SG	39
061ba5d0	40	sed -i '/lxcunpriv/d' /run/lxc/nics /etc/lxc/lxc-usernet
d08363af	41	sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid
73d3e090 SG	42
	43	rm -Rf $HDIR /run/user/$(id -u $TUSER)
	44
	45	deluser $TUSER
	46
d08363af	47	if [ $DONE -eq 0 ]; then
73d3e090 SG	48	echo "FAIL"
73d3e090 SG	49	exit 1
d08363af	50	fi
73d3e090 SG	51	echo "PASS"
	52	}
	53
	54	run_cmd() {
198a3f10 SG	55	sudo -i -u $TUSER \
	56	env http_proxy=${http_proxy:-} https_proxy=${https_proxy:-} \
	57	XDG_RUNTIME_DIR=/run/user/$(id -u $TUSER) $*
d08363af SH	58	}
	59
	60	# create a test user
	61	TUSER=lxcunpriv
	62	HDIR=/home/$TUSER
	63
fd2b7320 SG	64	ARCH=i386
	65	if type dpkg >/dev/null 2>&1; then
	66	ARCH=$(dpkg --print-architecture)
	67	fi
	68
d08363af	69	trap cleanup EXIT SIGHUP SIGINT SIGTERM
73d3e090	70	set -eu
d08363af	71
73d3e090	72	deluser $TUSER && rm -Rf $HDIR \|\| true
d08363af	73	useradd $TUSER
73d3e090 SG	74
73d3e090 SG	75	mkdir -p $HDIR
9a64d3cf	76	echo "$TUSER veth lxcbr0 2" >> /etc/lxc/lxc-usernet
d08363af	77	sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid
73d3e090	78
d08363af	79	usermod -v 910000-919999 -w 910000-919999 $TUSER
d08363af	80
73d3e090 SG	81	mkdir -p $HDIR/.config/lxc/
73d3e090 SG	82	cat > $HDIR/.config/lxc/default.conf << EOF
d08363af SH	83	lxc.network.type = veth
	84	lxc.network.link = lxcbr0
	85	lxc.id_map = u 0 910000 9999
	86	lxc.id_map = g 0 910000 9999
	87	EOF
79d88b03	88	chown -R $TUSER: $HDIR
73d3e090 SG	89
73d3e090 SG	90	mkdir -p /run/user/$(id -u $TUSER)
79d88b03	91	chown -R $TUSER: /run/user/$(id -u $TUSER)
73d3e090 SG	92
73d3e090 SG	93	cd $HDIR
d08363af	94
42e5c987 SG	95	if which cgm >/dev/null 2>&1; then
	96	cgm create all $TUSER
	97	cgm chown all $TUSER $(id -u $TUSER) $(id -g $TUSER)
	98	cgm movepid all $TUSER $$
	99	elif [ -e /sys/fs/cgroup/cgmanager/sock ]; then
ef4deb7f	100	for d in $(cut -d : -f 2 /proc/self/cgroup); do
3f458ed0 SG	101	dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
	102	--type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Create \
	103	string:$d string:$TUSER >/dev/null
	104
	105	dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
	106	--type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Chown \
	107	string:$d string:$TUSER int32:$(id -u $TUSER) int32:$(id -g $TUSER) >/dev/null
	108
	109	dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
	110	--type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.MovePid \
	111	string:$d string:$TUSER int32:$$ >/dev/null
	112	done
	113	else
	114	for d in /sys/fs/cgroup/*; do
177f793a	115	[ -f $d/cgroup.clone_children ] && echo 1 > $d/cgroup.clone_children
3f458ed0	116	[ ! -d $d/lxctest ] && mkdir $d/lxctest
79d88b03	117	chown -R $TUSER: $d/lxctest
3f458ed0 SG	118	echo $$ > $d/lxctest/tasks
	119	done
	120	fi
73d3e090	121
57221f67 SG	122	# Copy the download template cache if available
	123	run_cmd mkdir -p $HDIR/.cache/lxc
	124	[ -d /var/cache/lxc/download ] && \
	125	cp -R /var/cache/lxc/download $HDIR/.cache/lxc && \
	126	chown -R $TUSER: $HDIR/.cache/lxc
	127
fd2b7320	128	run_cmd lxc-create -t download -n c1 -- -d ubuntu -r trusty -a $ARCH
73d3e090	129
a17d94a5	130	# Make sure we can start it - twice
d08363af	131
a17d94a5 SH	132	for count in `seq 1 2`; do
	133	run_cmd lxc-start -n c1 -d
	134
	135	p1=$(run_cmd lxc-info -n c1 -p -H)
	136	[ "$p1" != "-1" ] \|\| { echo "Failed to start container c1 (run $count)"; false; }
	137
	138	run_cmd lxc-info -n c1
	139	run_cmd lxc-attach -n c1 -- /bin/true
	140
	141	run_cmd lxc-stop -n c1
	142	done
73d3e090	143
d0a6bd39	144	run_cmd lxc-copy -s -n c1 -N c2
3ad30ff7 SH	145	run_cmd lxc-start -n c2 -d
	146	p1=$(run_cmd lxc-info -n c2 -p -H)
	147	[ "$p1" != "-1" ] \|\| { echo "Failed to start container c2"; false; }
	148
	149	run_cmd lxc-stop -n c2
	150
e2ef635e SH	151	if which cgm >/dev/null 2>&1; then
	152	echo "Testing containers under different cgroups per subsystem"
	153	run_cmd cgm create freezer x1/x2
	154	cgm movepid freezer x1 $$
	155	run_cmd lxc-start -n c1 -d
	156	p1=$(run_cmd lxc-info -n c1 -p -H)
	157	[ "$p1" != "-1" ] \|\| { echo "Failed to start container c1"; false; }
	158	run_cmd lxc-info -n c1
	159	run_cmd lxc-attach -n c1 -- /bin/true
	160	run_cmd lxc-cgroup -n c1 freezer.state
	161
	162	echo "Testing lxc-attach and lxc-cgroup from different cgroup"
	163	cgm movepid freezer x2 $$
	164	run_cmd lxc-attach -n c1 -- /bin/true
	165	run_cmd lxc-cgroup -n c1 freezer.state
	166	run_cmd lxc-cgroup -n c1 memory.limit_in_bytes
	167	fi
	168
d08363af	169	DONE=1