github.com/blixtra/rkt@v0.8.1-0.20160204105720-ab0d1add1a43/tests/rkt_non_root_test.go (about) 1 // Copyright 2015 The rkt Authors 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package main 16 17 import ( 18 "fmt" 19 "os" 20 "testing" 21 22 "github.com/coreos/rkt/common" 23 "github.com/coreos/rkt/tests/testutils" 24 ) 25 26 // TestNonRootReadInfo tests that non-root users that can do rkt list, rkt image list. 27 func TestNonRootReadInfo(t *testing.T) { 28 if !common.SupportsUserNS() { 29 t.Skip("User namespaces are not supported on this host.") 30 } 31 32 if err := checkUserNS(); err != nil { 33 t.Skip("User namespaces don't work on this host.") 34 } 35 36 ctx := testutils.NewRktRunCtx() 37 defer ctx.Cleanup() 38 39 gid, err := common.LookupGid(common.RktGroup) 40 if err != nil { 41 t.Skipf("Skipping the test because there's no %q group", common.RktGroup) 42 } 43 44 if err := ctx.SetupDataDir(); err != nil { 45 t.Fatalf("failed to setup data dir: %v", err) 46 } 47 48 // Launch some pods, this creates the environment for later testing. 49 imgs := []struct { 50 name string 51 msg string 52 exitCode string 53 imgFile string 54 }{ 55 {name: "inspect-1", msg: "foo-1", exitCode: "1"}, 56 {name: "inspect-2", msg: "foo-2", exitCode: "2"}, 57 {name: "inspect-3", msg: "foo-3", exitCode: "3"}, 58 } 59 60 for i, img := range imgs { 61 imgName := fmt.Sprintf("rkt-%s.aci", img.name) 62 imgs[i].imgFile = patchTestACI(imgName, fmt.Sprintf("--name=%s", img.name), fmt.Sprintf("--exec=/inspect --print-msg=%s --exit-code=%s", img.msg, img.exitCode)) 63 defer os.Remove(imgs[i].imgFile) 64 } 65 66 runCmds := []string{ 67 // Run with overlay, without private-users. 68 fmt.Sprintf("%s --insecure-options=image run --mds-register=false %s", ctx.Cmd(), imgs[0].imgFile), 69 70 // Run without overlay, without private-users. 71 fmt.Sprintf("%s --insecure-options=image run --no-overlay --mds-register=false %s", ctx.Cmd(), imgs[1].imgFile), 72 73 // Run without overlay, with private-users. 74 fmt.Sprintf("%s --insecure-options=image run --no-overlay --private-users --mds-register=false %s", ctx.Cmd(), imgs[2].imgFile), 75 } 76 77 for i, cmd := range runCmds { 78 t.Logf("#%d: Running %s", i, cmd) 79 runRktAndCheckOutput(t, cmd, imgs[i].msg, false) 80 } 81 82 imgListCmd := fmt.Sprintf("%s image list", ctx.Cmd()) 83 t.Logf("Running %s", imgListCmd) 84 runRktAsGidAndCheckOutput(t, imgListCmd, "inspect-", false, gid) 85 } 86 87 // TestNonRootFetchRmGCImage tests that non-root users can remove images fetched by themselves but 88 // cannot remove images fetched by root, or gc any images. 89 func TestNonRootFetchRmGCImage(t *testing.T) { 90 ctx := testutils.NewRktRunCtx() 91 defer ctx.Cleanup() 92 93 gid, err := common.LookupGid(common.RktGroup) 94 if err != nil { 95 t.Skipf("Skipping the test because there's no %q group", common.RktGroup) 96 } 97 98 if err := ctx.SetupDataDir(); err != nil { 99 t.Fatalf("failed to setup data dir: %v", err) 100 } 101 102 rootImg := patchTestACI("rkt-inspect-root-rm.aci", "--exec=/inspect --print-msg=foobar") 103 defer os.Remove(rootImg) 104 rootImgHash := importImageAndFetchHash(t, ctx, "", rootImg) 105 106 // Launch/gc a pod so we can test non-root image gc. 107 runCmd := fmt.Sprintf("%s --insecure-options=image run --mds-register=false %s", ctx.Cmd(), rootImg) 108 runRktAndCheckOutput(t, runCmd, "foobar", false) 109 110 ctx.RunGC() 111 112 // Should not be able to do image gc. 113 imgGCCmd := fmt.Sprintf("%s image gc", ctx.Cmd()) 114 t.Logf("Running %s", imgGCCmd) 115 runRktAsGidAndCheckOutput(t, imgGCCmd, "permission denied", true, gid) 116 117 // Should not be able to remove the image fetched by root. 118 imgRmCmd := fmt.Sprintf("%s image rm %s", ctx.Cmd(), rootImgHash) 119 t.Logf("Running %s", imgRmCmd) 120 runRktAsGidAndCheckOutput(t, imgRmCmd, "permission denied", true, gid) 121 122 // Should be able to remove the image fetched by ourselves. 123 nonrootImg := patchTestACI("rkt-inspect-non-root-rm.aci", "--exec=/inspect") 124 defer os.Remove(nonrootImg) 125 nonrootImgHash := importImageAndFetchHashAsGid(t, ctx, nonrootImg, "", gid) 126 127 imgRmCmd = fmt.Sprintf("%s image rm %s", ctx.Cmd(), nonrootImgHash) 128 t.Logf("Running %s", imgRmCmd) 129 runRktAsGidAndCheckOutput(t, imgRmCmd, "successfully removed", false, gid) 130 }