github.com/blixtra/rkt@v0.8.1-0.20160204105720-ab0d1add1a43/tests/rkt_non_root_test.go

github.com/blixtra/rkt@v0.8.1-0.20160204105720-ab0d1add1a43/tests/rkt_non_root_test.go (about)

     1  // Copyright 2015 The rkt Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package main
    16  
    17  import (
    18  	"fmt"
    19  	"os"
    20  	"testing"
    21  
    22  	"github.com/coreos/rkt/common"
    23  	"github.com/coreos/rkt/tests/testutils"
    24  )
    25  
    26  // TestNonRootReadInfo tests that non-root users that can do rkt list, rkt image list.
    27  func TestNonRootReadInfo(t *testing.T) {
    28  	if !common.SupportsUserNS() {
    29  		t.Skip("User namespaces are not supported on this host.")
    30  	}
    31  
    32  	if err := checkUserNS(); err != nil {
    33  		t.Skip("User namespaces don't work on this host.")
    34  	}
    35  
    36  	ctx := testutils.NewRktRunCtx()
    37  	defer ctx.Cleanup()
    38  
    39  	gid, err := common.LookupGid(common.RktGroup)
    40  	if err != nil {
    41  		t.Skipf("Skipping the test because there's no %q group", common.RktGroup)
    42  	}
    43  
    44  	if err := ctx.SetupDataDir(); err != nil {
    45  		t.Fatalf("failed to setup data dir: %v", err)
    46  	}
    47  
    48  	// Launch some pods, this creates the environment for later testing.
    49  	imgs := []struct {
    50  		name     string
    51  		msg      string
    52  		exitCode string
    53  		imgFile  string
    54  	}{
    55  		{name: "inspect-1", msg: "foo-1", exitCode: "1"},
    56  		{name: "inspect-2", msg: "foo-2", exitCode: "2"},
    57  		{name: "inspect-3", msg: "foo-3", exitCode: "3"},
    58  	}
    59  
    60  	for i, img := range imgs {
    61  		imgName := fmt.Sprintf("rkt-%s.aci", img.name)
    62  		imgs[i].imgFile = patchTestACI(imgName, fmt.Sprintf("--name=%s", img.name), fmt.Sprintf("--exec=/inspect --print-msg=%s --exit-code=%s", img.msg, img.exitCode))
    63  		defer os.Remove(imgs[i].imgFile)
    64  	}
    65  
    66  	runCmds := []string{
    67  		// Run with overlay, without private-users.
    68  		fmt.Sprintf("%s --insecure-options=image run --mds-register=false %s", ctx.Cmd(), imgs[0].imgFile),
    69  
    70  		// Run without overlay, without private-users.
    71  		fmt.Sprintf("%s --insecure-options=image run --no-overlay --mds-register=false %s", ctx.Cmd(), imgs[1].imgFile),
    72  
    73  		// Run without overlay, with private-users.
    74  		fmt.Sprintf("%s --insecure-options=image run --no-overlay --private-users --mds-register=false %s", ctx.Cmd(), imgs[2].imgFile),
    75  	}
    76  
    77  	for i, cmd := range runCmds {
    78  		t.Logf("#%d: Running %s", i, cmd)
    79  		runRktAndCheckOutput(t, cmd, imgs[i].msg, false)
    80  	}
    81  
    82  	imgListCmd := fmt.Sprintf("%s image list", ctx.Cmd())
    83  	t.Logf("Running %s", imgListCmd)
    84  	runRktAsGidAndCheckOutput(t, imgListCmd, "inspect-", false, gid)
    85  }
    86  
    87  // TestNonRootFetchRmGCImage tests that non-root users can remove images fetched by themselves but
    88  // cannot remove images fetched by root, or gc any images.
    89  func TestNonRootFetchRmGCImage(t *testing.T) {
    90  	ctx := testutils.NewRktRunCtx()
    91  	defer ctx.Cleanup()
    92  
    93  	gid, err := common.LookupGid(common.RktGroup)
    94  	if err != nil {
    95  		t.Skipf("Skipping the test because there's no %q group", common.RktGroup)
    96  	}
    97  
    98  	if err := ctx.SetupDataDir(); err != nil {
    99  		t.Fatalf("failed to setup data dir: %v", err)
   100  	}
   101  
   102  	rootImg := patchTestACI("rkt-inspect-root-rm.aci", "--exec=/inspect --print-msg=foobar")
   103  	defer os.Remove(rootImg)
   104  	rootImgHash := importImageAndFetchHash(t, ctx, "", rootImg)
   105  
   106  	// Launch/gc a pod so we can test non-root image gc.
   107  	runCmd := fmt.Sprintf("%s --insecure-options=image run --mds-register=false %s", ctx.Cmd(), rootImg)
   108  	runRktAndCheckOutput(t, runCmd, "foobar", false)
   109  
   110  	ctx.RunGC()
   111  
   112  	// Should not be able to do image gc.
   113  	imgGCCmd := fmt.Sprintf("%s image gc", ctx.Cmd())
   114  	t.Logf("Running %s", imgGCCmd)
   115  	runRktAsGidAndCheckOutput(t, imgGCCmd, "permission denied", true, gid)
   116  
   117  	// Should not be able to remove the image fetched by root.
   118  	imgRmCmd := fmt.Sprintf("%s image rm %s", ctx.Cmd(), rootImgHash)
   119  	t.Logf("Running %s", imgRmCmd)
   120  	runRktAsGidAndCheckOutput(t, imgRmCmd, "permission denied", true, gid)
   121  
   122  	// Should be able to remove the image fetched by ourselves.
   123  	nonrootImg := patchTestACI("rkt-inspect-non-root-rm.aci", "--exec=/inspect")
   124  	defer os.Remove(nonrootImg)
   125  	nonrootImgHash := importImageAndFetchHashAsGid(t, ctx, nonrootImg, "", gid)
   126  
   127  	imgRmCmd = fmt.Sprintf("%s image rm %s", ctx.Cmd(), nonrootImgHash)
   128  	t.Logf("Running %s", imgRmCmd)
   129  	runRktAsGidAndCheckOutput(t, imgRmCmd, "successfully removed", false, gid)
   130  }