package integration

import (
	"strconv"
	"strings"
	"testing"
	"time"

	"github.com/opencontainers/runc/libcontainer/configs"
	"github.com/opencontainers/runc/libcontainer/devices"
	"github.com/opencontainers/runc/libcontainer/specconv"
	"golang.org/x/sys/unix"
)

// standardEnvironment is the environment given to processes started by the
// integration tests.
var standardEnvironment = []string{
	"HOME=/root",
	"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
	"HOSTNAME=integration",
	"TERM=xterm",
}

// defaultMountFlags is the flag set used for the pseudo-filesystem mounts of
// the template: no executables, no setuid/setgid, no device nodes.
const defaultMountFlags = unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV

// tParam selects the optional features of the template config.
type tParam struct {
	userns  bool // add a user namespace with a 0->0 identity mapping of 1000 ids
	systemd bool // drive cgroups through systemd with a per-test scope name
}

// newTemplateConfig returns a base template for running a container.
//
// It uses a network strategy of just setting a loopback interface
// and the default setup for devices.
//
// If p is nil, a default container is created.
func newTemplateConfig(t *testing.T, p *tParam) *configs.Config {
	if p == nil {
		p = &tParam{}
	}

	// Cgroup device rules mirror specconv.AllowedDevices; each rule points
	// into the shared device table rather than copying it.
	var rules []*devices.Rule
	for i := range specconv.AllowedDevices {
		rules = append(rules, &specconv.AllowedDevices[i].Rule)
	}

	// The same reduced capability list is installed in every set. A fresh
	// slice is built per set so that the sets never alias each other.
	caps := func() []string {
		return []string{
			"CAP_CHOWN",
			"CAP_DAC_OVERRIDE",
			"CAP_FSETID",
			"CAP_FOWNER",
			"CAP_MKNOD",
			"CAP_NET_RAW",
			"CAP_SETGID",
			"CAP_SETUID",
			"CAP_SETFCAP",
			"CAP_SETPCAP",
			"CAP_NET_BIND_SERVICE",
			"CAP_SYS_CHROOT",
			"CAP_KILL",
			"CAP_AUDIT_WRITE",
		}
	}

	namespaces := configs.Namespaces([]configs.Namespace{
		{Type: configs.NEWNS},
		{Type: configs.NEWUTS},
		{Type: configs.NEWIPC},
		{Type: configs.NEWPID},
		{Type: configs.NEWNET},
	})

	mounts := []*configs.Mount{
		{
			Source:      "proc",
			Destination: "/proc",
			Device:      "proc",
			Flags:       defaultMountFlags,
		},
		{
			Source:      "tmpfs",
			Destination: "/dev",
			Device:      "tmpfs",
			Flags:       unix.MS_NOSUID | unix.MS_STRICTATIME,
			Data:        "mode=755",
		},
		{
			Source:      "devpts",
			Destination: "/dev/pts",
			Device:      "devpts",
			Flags:       unix.MS_NOSUID | unix.MS_NOEXEC,
			Data:        "newinstance,ptmxmode=0666,mode=0620,gid=5",
		},
		{
			Device:      "tmpfs",
			Source:      "shm",
			Destination: "/dev/shm",
			Data:        "mode=1777,size=65536k",
			Flags:       defaultMountFlags,
		},
		/*
			CI is broken on the debian based kernels with this
			{
				Source:      "mqueue",
				Destination: "/dev/mqueue",
				Device:      "mqueue",
				Flags:       defaultMountFlags,
			},
		*/
		{
			// sysfs is exposed read-only.
			Source:      "sysfs",
			Destination: "/sys",
			Device:      "sysfs",
			Flags:       defaultMountFlags | unix.MS_RDONLY,
		},
	}

	if p.userns {
		// User namespace: container root maps to host root for 1000 ids.
		// No cgroup mount is added in this mode.
		namespaces = append(namespaces, configs.Namespace{Type: configs.NEWUSER})
	} else {
		// Without a user namespace the cgroup tree is mounted read-only.
		mounts = append(mounts, &configs.Mount{
			Destination: "/sys/fs/cgroup",
			Device:      "cgroup",
			Flags:       defaultMountFlags | unix.MS_RDONLY,
		})
	}

	cgroup := &configs.Cgroup{
		Systemd: p.systemd,
		Resources: &configs.Resources{
			MemorySwappiness: nil,
			Devices:          rules,
		},
	}
	switch {
	case p.systemd:
		// Derive a per-test scope name from the test name plus a time-based
		// suffix so that concurrent/repeated runs do not collide.
		suffix := strconv.FormatInt(-int64(time.Now().Nanosecond()), 36)
		cgroup.Name = strings.ReplaceAll(t.Name(), "/", "_") + suffix
		cgroup.Parent = "system.slice"
		cgroup.ScopePrefix = "runc-test"
	default:
		cgroup.Path = "/test/integration"
	}

	config := &configs.Config{
		Rootfs: newRootfs(t),
		Capabilities: &configs.Capabilities{
			Bounding:  caps(),
			Permitted: caps(),
			Ambient:   caps(),
			Effective: caps(),
		},
		Namespaces: namespaces,
		Cgroups:    cgroup,
		// Paths hidden from the container (kernel memory image, firmware).
		MaskPaths: []string{
			"/proc/kcore",
			"/sys/firmware",
		},
		// Paths the container may read but not write.
		ReadonlyPaths: []string{
			"/proc/sys", "/proc/sysrq-trigger", "/proc/irq", "/proc/bus",
		},
		Devices:    specconv.AllowedDevices,
		Hostname:   "integration",
		Domainname: "integration",
		Mounts:     mounts,
		Networks: []*configs.Network{
			{
				Type:    "loopback",
				Address: "127.0.0.1/0",
				Gateway: "localhost",
			},
		},
		Rlimits: []configs.Rlimit{
			{
				Type: unix.RLIMIT_NOFILE,
				Hard: 1025,
				Soft: 1025,
			},
		},
	}

	if p.userns {
		config.UIDMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
		config.GIDMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
	}

	return config
}