set -e
+# Only run on a normally configured ubuntu lxc system
+if [ ! -d /sys/class/net/lxcbr0 ]; then
+ echo "lxcbr0 is not configured."
+ exit 1
+fi
+if [ "$(id -u)" != "0" ]; then
+ echo "ERROR: Must run as root."
+ exit 1
+fi
+
if [ -f /proc/self/ns/cgroup ]; then
default_profile="lxc-container-default-cgns (enforce)"
else
KNOWN_RELEASES="precise trusty xenial yakkety zesty"
MOUNTSR=/sys/kernel/security/apparmor/features/mount
dnam=`mktemp -d`
+logfile=`mktemp`
cname=`basename $dnam`
cleanup() {
run_cmd lxc-destroy -f -n $cname || true
rm -Rf $HDIR /run/user/$(id -u $TUSER)
deluser $TUSER
if [ $DONE -eq 0 ]; then
+ echo 'Failed container log:' >&2
+ cat "$logfile" >&2
+ echo 'End log' >&2
+ rm -f "$logfile"
echo "FAIL"
exit 1
fi
+ rm -f "$logfile"
echo "PASS"
}
+clear_log() {
+ truncate -s0 "$logfile"
+}
+
trap cleanup exit
-# Only run on a normally configured ubuntu lxc system
-if [ ! -d /sys/class/net/lxcbr0 ]; then
- echo "lxcbr0 is not configured."
- exit 1
-fi
-if [ "$(id -u)" != "0" ]; then
- echo "ERROR: Must run as root."
- exit 1
-fi
+chmod 0666 "$logfile"
# This would be much simpler if we could run it as
# root. However, in order to not have the bind mount
-# of an empty directory over the securitfs 'mount' directory
+# of an empty directory over the securityfs 'mount' directory
# be removed, we need to do this as non-root.
which newuidmap >/dev/null 2>&1 || { echo "'newuidmap' command is missing" >&2; exit 1; }
mkdir -p $HDIR/.config/lxc/
cat > $HDIR/.config/lxc/default.conf << EOF
-lxc.network.type = veth
-lxc.network.link = lxcbr0
-lxc.id_map = u 0 910000 9999
-lxc.id_map = g 0 910000 9999
+lxc.net.0.type = veth
+lxc.net.0.link = lxcbr0
+lxc.idmap = u 0 910000 9999
+lxc.idmap = g 0 910000 9999
EOF
chown -R $TUSER: $HDIR
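Review bot: `chmod 0666 "$logfile"` makes a root-owned file in the shared temp directory writable by every local account, not only the unprivileged test user that lxc-start runs as, and cleanup() later cats that file to stderr as root, so any local user can inject text into the failure log. Handing the file to the test user gives the same effect without opening it to others: replace the chmod with `chown "$TUSER": "$logfile"` once the test user exists (the creation of `$TUSER` is not in this hunk, so the line may need to move after it). `truncate -s0` in clear_log and the `cat`/`rm -f` in cleanup() keep working under the root-run script whoever owns the file. Minor: cleanup() now removes the log on both the fail and pass paths; printing the log in its own `if [ $DONE -eq 0 ]` block ahead of a single unconditional `rm -f "$logfile"` would avoid the duplicated removal.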
done
else
for d in /sys/fs/cgroup/*; do
+ [ "$d" = "/sys/fs/cgroup/unified" ] && continue
[ -f $d/cgroup.clone_children ] && echo 1 > $d/cgroup.clone_children
[ ! -d $d/lxctest ] && mkdir $d/lxctest
chown -R $TUSER: $d/lxctest
run_cmd lxc-create -t download -n $cname -- -d ubuntu -r $release -a $ARCH
echo "test default confined container"
-run_cmd lxc-start -n $cname -d
+run_cmd lxc-start -n $cname -d -lDEBUG -o "$logfile"
run_cmd lxc-wait -n $cname -s RUNNING
pid=`run_cmd lxc-info -p -H -n $cname`
profile=`cat /proc/$pid/attr/current`
exit 1
fi
run_cmd lxc-stop -n $cname -k
+clear_log
echo "test regular unconfined container"
-echo "lxc.aa_profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
-run_cmd lxc-start -n $cname -d
+echo "lxc.apparmor.profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
+run_cmd lxc-start -n $cname -d -lDEBUG -o "$logfile"
run_cmd lxc-wait -n $cname -s RUNNING
pid=`run_cmd lxc-info -p -H -n $cname`
profile=`cat /proc/$pid/attr/current`
exit 1
fi
run_cmd lxc-stop -n $cname -k
+clear_log
echo "masking $MOUNTSR"
mount --bind $dnam $MOUNTSR
echo "test default confined container"
-sed -i '/aa_profile/d' $HDIR/.local/share/lxc/$cname/config
+sed -i '/apparmor.profile/d' $HDIR/.local/share/lxc/$cname/config
run_cmd lxc-start -n $cname -d || true
sleep 3
pid=`run_cmd lxc-info -p -H -n $cname` || true
fi
echo "test regular unconfined container"
-echo "lxc.aa_profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
-run_cmd lxc-start -n $cname -d
+echo "lxc.apparmor.profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
+run_cmd lxc-start -n $cname -d -lDEBUG -o "$logfile"
run_cmd lxc-wait -n $cname -s RUNNING
pid=`run_cmd lxc-info -p -H -n $cname`
if [ "$pid" = "-1" ]; then
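Review bot: The `run_cmd lxc-start -n $cname -d || true` just before `sleep 3`, the start expected to fail while $MOUNTSR is masked, is the only lxc-start in the script not given `-lDEBUG -o "$logfile"`, so if that start misbehaves the log cleanup() prints on failure is empty (clear_log ran right before it). Adding the same flags there, `run_cmd lxc-start -n $cname -d -lDEBUG -o "$logfile" || true`, makes the masked-mount case diagnosable like the others. The sed pattern `/apparmor.profile/d` is unanchored and its dot matches any character; `/^lxc\.apparmor\.profile/d` would delete only the intended key, and the same pattern recurs in the "testing override" hunk below.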
exit 1
fi
run_cmd lxc-stop -n $cname -k
+clear_log
echo "testing override"
-sed -i '/aa_profile/d' $HDIR/.local/share/lxc/$cname/config
-echo "lxc.aa_allow_incomplete = 1" >> $HDIR/.local/share/lxc/$cname/config
-run_cmd lxc-start -n $cname -d
+sed -i '/apparmor.profile/d' $HDIR/.local/share/lxc/$cname/config
+echo "lxc.apparmor.allow_incomplete = 1" >> $HDIR/.local/share/lxc/$cname/config
+run_cmd lxc-start -n $cname -d -lDEBUG -o "$logfile"
run_cmd lxc-wait -n $cname -s RUNNING
pid=`run_cmd lxc-info -p -H -n $cname`
if [ "$pid" = "-1" ]; then
exit 1
fi
run_cmd lxc-stop -n $cname -k
+clear_log
DONE=1