;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015 David Thompson <davet@gnu.org>
;;; Copyright © 2016, 2017, 2019, 2023 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
;;; Tests for the Linux container helpers ('call-with-container',
;;; 'run-container', 'container-excursion', 'eval/container').  They create
;;; real namespaces, so every test is guarded by 'skip-if-unsupported' and is
;;; skipped rather than failed when the kernel does not allow unprivileged
;;; user namespaces.
(define-module (test-containers)
  #:use-module (guix utils)
  #:use-module (guix build syscalls)
  #:use-module (gnu build linux-container)
  #:use-module ((gnu system linux-container)
                #:select (eval/container))
  #:use-module (gnu system file-systems)
  #:use-module (guix store)
  #:use-module (guix monads)
  #:use-module (guix gexp)
  #:use-module (guix derivations)
  #:use-module (guix tests)
  #:use-module (srfi srfi-1)
  #:use-module (srfi srfi-64)
  #:use-module (ice-9 match)
  #:use-module ((ice-9 ftw) #:select (scandir)))

(define (assert-exit x)
  "Terminate the calling process with exit status 0 when X is true and 1
otherwise.  Container bodies use this because their exit status is the only
result the parent test can observe."
  (let ((status (cond (x 0)
                      (else 1))))
    (primitive-exit status)))

build: Add a Guile custom test driver using SRFI-64.
Before that '.log' files for scheme tests were fragmented and not
included in test-suite.log. This unifies the semantics of SRFI-64 API
with Automake test suite.
* build-aux/test-driver.scm: New file.
* Makefile.am (SCM_LOG_DRIVER, AM_SCM_LOG_DRIVER_FLAGS): New variables.
(SCM_LOG_COMPILER, AM_SCM_LOG_FLAGS): Delete variables.
(AM_TESTS_ENVIRONMENT): Set GUILE_AUTO_COMPILE to 0.
* test-env.in: Silence guix-daemon.
* doc/guix.texi (Running the Test Suite): Describe how to display the
detailed results. Bug reports require only 'test-suite.log' file.
* tests/base32.scm, tests/build-utils.scm, tests/builders.scm,
tests/challenge.scm, tests/cpan.scm, tests/cpio.scm, tests/cran.scm,
tests/cve.scm, tests/derivations.scm, tests/elpa.scm,
tests/file-systems.scm, tests/gem.scm, tests/gexp.scm,
tests/gnu-maintenance.scm, tests/grafts.scm, tests/graph.scm,
tests/gremlin.scm, tests/hackage.scm, tests/hash.scm,
tests/import-utils.scm, tests/lint.scm, tests/monads.scm, tests/nar.scm,
tests/packages.scm, tests/pk-crypto.scm, tests/pki.scm,
tests/profiles.scm, tests/publish.scm, tests/pypi.scm,
tests/records.scm, tests/scripts-build.scm, tests/scripts.scm,
tests/services.scm, tests/sets.scm, tests/size.scm, tests/snix.scm,
tests/store.scm, tests/substitute.scm, tests/syscalls.scm,
tests/system.scm, tests/ui.scm, tests/union.scm, tests/upstream.scm,
tests/utils.scm: Don't exit at the end of test groups.
* tests/containers.scm: Likewise. Use 'test-skip' instead of exiting
with error code 77.
;; Open the "containers" test group; each test below first calls
;; 'skip-if-unsupported' so that missing kernel support yields skips.
(test-begin "containers")

;; Skip these tests unless user namespaces are available and the setgroups
;; file (introduced in Linux 3.19 to address a security issue) exists.
(define (skip-if-unsupported)
  "Skip the test that follows this call unless the kernel supports user
namespaces, lets unprivileged processes create them, and exposes the
setgroups file.  Missing support therefore shows up as a skipped test rather
than a failure."
  (let ((supported? (and (user-namespace-supported?)
                         (unprivileged-user-namespace-supported?)
                         (setgroups-supported?))))
    (unless supported?
      (test-skip 1))))

(skip-if-unsupported)
(test-assert "call-with-container, exit with 0 when there is no error"
  ;; A body that merely returns must yield a zero exit status.
  (let ((status (call-with-container '() (const #t) #:namespaces '(user))))
    (= 0 status)))

(skip-if-unsupported)
(test-assert "call-with-container, user namespace"
  (let ((check-identity
         (lambda ()
           ;; Inside the new user namespace the process is mapped to root.
           (assert-exit (and (zero? (getuid)) (zero? (getgid)))))))
    (= 0 (call-with-container '() check-identity #:namespaces '(user)))))

(skip-if-unsupported)
(test-assert "call-with-container, user namespace, guest UID/GID"
  (let ((check-identity
         (lambda ()
           ;; The body must observe the requested guest UID and GID.
           (assert-exit (and (= 42 (getuid)) (= 77 (getgid)))))))
    (= 0 (call-with-container '() check-identity
                              #:guest-uid 42
                              #:guest-gid 77
                              #:namespaces '(user)))))

(skip-if-unsupported)
(test-assert "call-with-container, uts namespace"
  (let ((rename-host
         (lambda ()
           ;; Root within the container should be allowed to change the
           ;; host name of that container's UTS namespace.
           (sethostname "test-container")
           (primitive-exit 0))))
    (= 0 (call-with-container '() rename-host #:namespaces '(user uts)))))

(skip-if-unsupported)
(test-assert "call-with-container, pid namespace"
  (zero?
   (call-with-container '()
     (lambda ()
       ;; Fork once more inside the container.  The container body is
       ;; presumably pid 1 of the new pid namespace, so its first child
       ;; must be pid 2.
       (match (primitive-fork)
         (0
          ;; The first forked process in the new pid namespace is pid 2.
          (assert-exit (= 2 (getpid))))
         (pid
          ;; Reap the child and propagate its exit status as the
          ;; container's own.
          (primitive-exit
           (match (waitpid pid)
             ((_ . status)
              (status:exit-val status)))))))
     #:namespaces '(user pid))))

(skip-if-unsupported)
(test-assert "call-with-container, mnt namespace"
  (let ((tmpfs (file-system
                 (device "none")
                 (mount-point "/testing")
                 (type "tmpfs")
                 (check? #f)))
        (look-for-mount
         (lambda ()
           ;; The tmpfs declared above must be visible inside the container.
           (assert-exit (file-exists? "/testing")))))
    (= 0 (call-with-container (list tmpfs) look-for-mount
                              #:namespaces '(user mnt)))))

(skip-if-unsupported)
(test-equal "call-with-container, mnt namespace, wrong bind mount"
  `(system-error ,ENOENT)
  ;; Bind-mounting a nonexistent source must raise instead of silently
  ;; starting the container; see <http://bugs.gnu.org/23306>.
  (let ((bogus-mount (file-system
                       (device "/does-not-exist")
                       (mount-point "/foo")
                       (type "none")
                       (flags '(bind-mount))
                       (check? #f))))
    (catch 'system-error
      (lambda ()
        (call-with-container (list bogus-mount) (const #t)
                             #:namespaces '(user mnt)))
      (lambda args
        (list 'system-error (system-error-errno args))))))

(skip-if-unsupported)
(test-assert "call-with-container, all namespaces"
  ;; No #:namespaces argument here, so 'call-with-container' falls back to
  ;; its default namespace set.
  (let ((exit-cleanly (lambda () (primitive-exit 0))))
    (= 0 (call-with-container '() exit-cleanly))))

(skip-if-unsupported)
(test-assert "call-with-container, mnt namespace, root permissions"
  (let ((check-root-perms
         (lambda ()
           ;; The container's root directory must be readable and
           ;; traversable by everyone but writable only by its owner.
           (assert-exit (= #o755 (stat:perms (lstat "/")))))))
    (= 0 (call-with-container '() check-root-perms
                              #:namespaces '(user mnt)))))

(skip-if-unsupported)
(test-assert "container-excursion"
  (call-with-temporary-directory
   (lambda (root)
     ;; Two pipes: One for the container to signal that the test can begin,
     ;; and one for the parent to signal to the container that the test is
     ;; over.
     (match (list (pipe) (pipe))
       (((start-in . start-out) (end-in . end-out))
        ;; Body of the container process: drop the pipe ends it does not
        ;; use, announce readiness, then block until told to stop so that
        ;; its namespaces stay alive while the parent joins them.
        (define (container)
          (close end-out)
          (close start-in)
          ;; Signal for the test to start.
          (write 'ready start-out)
          (close start-out)
          ;; Wait for test completion.
          (read end-in)
          (close end-in))

        ;; Return the namespace identifiers of process PID, as exposed by
        ;; the /proc/PID/ns/* symlinks.
        (define (namespaces pid)
          (let ((pid (number->string pid)))
            (map (lambda (ns)
                   (readlink (string-append "/proc/" pid "/ns/" ns)))
                 '("user" "ipc" "uts" "net" "pid" "mnt"))))

        (let* ((pid (run-container root '() %namespaces 1 container))
               (container-namespaces (namespaces pid))
               (result
                (begin
                  (close start-out)
                  ;; Wait for container to be ready.
                  (read start-in)
                  (close start-in)
                  ;; RESULT is the exit status of the thunk run by
                  ;; 'container-excursion', as set by 'assert-exit'.
                  (container-excursion pid
                    (lambda ()
                      ;; Check that all of the namespace identifiers are
                      ;; the same as the container process.
                      (assert-exit
                       (equal? container-namespaces
                               (namespaces (getpid)))))))))
          (close end-in)
          ;; Stop the container.
          (write 'done end-out)
          (close end-out)
          (waitpid pid)
          (zero? result)))))))

(skip-if-unsupported)
(test-equal "container-excursion, same namespaces"
  42
  ;; The parent and child are in the same namespaces. 'container-excursion'
  ;; should notice that and avoid calling 'setns' since that would fail.
  (let ((exit-42 (lambda () (primitive-exit 42))))
    (status:exit-val (container-excursion (getpid) exit-42))))

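(skip-if-unsupported)
(test-assert "container-excursion*"
  (call-with-temporary-directory
   (lambda (root)
     ;; Return the namespace identifiers of process PID, read from the
     ;; /proc/PID/ns/* symlinks.
     (define (namespaces pid)
       (let ((pid (number->string pid)))
         (map (lambda (ns)
                (readlink (string-append "/proc/" pid "/ns/" ns)))
              '("user" "ipc" "uts" "net" "pid" "mnt"))))

     ;; Start a container that only sleeps; it exists so that its
     ;; namespaces are there for us to join.
     (let ((pid (run-container root '()
                               %namespaces 1
                               (lambda ()
                                 (sleep 100)))))
       ;; Kill and reap the container however the checks below end, so a
       ;; failing 'readlink' or excursion cannot leave it running behind
       ;; the test.
       (dynamic-wind
         (const #t)
         (lambda ()
           (let* ((expected (namespaces pid))
                  ;; Inside the excursion the container process is pid 1.
                  (result (container-excursion* pid
                            (lambda ()
                              (namespaces 1)))))
             (equal? result expected)))
         (lambda ()
           (kill pid SIGKILL)
           (waitpid pid)))))))
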
(skip-if-unsupported)
(test-equal "container-excursion*, same namespaces"
  42
  ;; Unlike 'container-excursion', the starred variant hands back the
  ;; thunk's value rather than an exit status.
  (let ((compute (lambda () (* 6 7))))
    (container-excursion* (getpid) compute)))

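(skip-if-unsupported)
(test-equal "container-excursion*, /proc"
  '("1" "2")
  (call-with-temporary-directory
   (lambda (root)
     (let ((pid (run-container root '()
                               %namespaces 1
                               (lambda ()
                                 (sleep 100)))))
       ;; Whatever happens in the excursion, kill and reap the container
       ;; so a failed test does not leave a sleeping process behind.
       (dynamic-wind
         (const #t)
         (lambda ()
           (container-excursion* pid
             (lambda ()
               ;; We expect to see exactly two processes in this
               ;; namespace: presumably the container (pid 1) and the
               ;; excursion itself.
               (scandir "/proc"
                        (lambda (file)
                          (char-set-contains? char-set:digit
                                              (string-ref file 0)))))))
         (lambda ()
           (kill pid SIGKILL)
           (waitpid pid)))))))
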
(skip-if-unsupported)
(test-equal "eval/container, exit status"
  42
  ;; The exit status of the evaluated gexp is reported back unchanged.
  (let ((store (open-connection-for-tests)))
    (let ((status (run-with-store store
                    (eval/container #~(exit 42)))))
      (close-connection store)
      (status:exit-val status))))

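(skip-if-unsupported)
(test-assert "eval/container, writable user mapping"
  (call-with-temporary-directory
   (lambda (directory)
     (define store
       (open-connection-for-tests))
     (define result
       (string-append directory "/r"))
     (define requisites*
       (store-lift requisites))

     ;; Create the host-side file that is bind-mounted writable as /result
     ;; inside the container.
     (call-with-output-file result (const #t))
     (run-with-store store
       (mlet %store-monad ((status (eval/container
                                    #~(begin
                                        (use-modules (ice-9 ftw))
                                        ;; Record the container's view of
                                        ;; the store prefix.
                                        (call-with-output-file "/result"
                                          (lambda (port)
                                            (write (scandir #$(%store-prefix))
                                                   port))))
                                    #:mappings
                                    (list (file-system-mapping
                                           (source result)
                                           (target "/result")
                                           (writable? #t)))))
                           (reqs (requisites*
                                  (list (derivation->output-path
                                         (%guile-for-build))))))
         (close-connection store)
         ;; The container must exit cleanly, and what it saw under the
         ;; store prefix must be exactly the closure of the Guile used to
         ;; run it.  The former 'pk' debugging calls were dropped: they
         ;; only cluttered the test log.
         (return (and (zero? status)
                      (lset= string=? (cons* "." ".." (map basename reqs))
                             (call-with-input-file result read)))))))))
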
(skip-if-unsupported)
(test-assert "eval/container, non-empty load path"
  (call-with-temporary-directory
   (lambda (directory)
     (define store
       (open-connection-for-tests))
     (define result
       (string-append directory "/r"))
     ;; Not used by this test.
     (define requisites*
       (store-lift requisites))

     ;; RESULT is bind-mounted writable as /result; the container then has
     ;; to find (guix build utils) on its load path to create a tree there.
     (mkdir result)
     (run-with-store store
       (mlet %store-monad ((status (eval/container
                                    (with-imported-modules '((guix build utils))
                                      #~(begin
                                          (use-modules (guix build utils))
                                          (mkdir-p "/result/a/b/c")))
                                    #:mappings
                                    (list (file-system-mapping
                                           (source result)
                                           (target "/result")
                                           (writable? #t))))))
         (close-connection store)
         ;; Success means a clean exit and the tree showing up on the host
         ;; side of the mapping.
         (return (and (zero? status)
                      (file-is-directory?
                       (string-append result "/a/b/c")))))))))

;; Close the "containers" group opened by 'test-begin' above.
(test-end)