// Source: github.com/opencontainers/runc@v1.2.0-rc.1.0.20240520010911-492dc558cdd6/libcontainer/integration/update_test.go

package integration

import (
	"bytes"
	"os"
	"strings"
	"testing"

	"github.com/opencontainers/runc/libcontainer"
	"github.com/opencontainers/runc/libcontainer/cgroups/systemd"
	"github.com/opencontainers/runc/libcontainer/devices"
)

// testUpdateDevices checks that replacing the device rules of a running
// container through container.Set takes effect for processes started
// afterwards.
//
// It starts an init process ("cat" blocked on a pipe) to keep the container
// alive, then alternates 300 times between the device rules from the template
// config and an empty rule list. Before each flip it runs a shell probe that
// writes to /dev/full and reads /dev/null, and matches the probe's stderr
// against the messages expected for the current state.
//
// The systemd flag is forwarded to newTemplateConfig via tParam. Inside this
// function the parameter shadows the imported systemd package.
func testUpdateDevices(t *testing.T, systemd bool) {
	// In -short mode the test returns without calling t.Skip, so it is
	// reported as passed rather than skipped.
	if testing.Short() {
		return
	}

	cfg := newTemplateConfig(t, &tParam{systemd: systemd})
	ctr, err := newContainer(t, cfg)
	ok(t, err)
	defer destroyContainer(ctr)

	// Start the init process; it reads from a pipe we keep open, so it stays
	// alive until the write end is closed in the deferred cleanup.
	pipeR, pipeW, err := os.Pipe()
	ok(t, err)
	initProc := &libcontainer.Process{
		Cwd:   "/",
		Args:  []string{"cat"},
		Env:   standardEnvironment,
		Stdin: pipeR,
		Init:  true,
	}
	runErr := ctr.Run(initProc)
	// Our copy of the read end is closed whether or not Run succeeded.
	_ = pipeR.Close()
	// Registered before the Run error is checked, so the cleanup also runs
	// when ok() aborts the test below.
	defer func() {
		_ = pipeW.Close()
		if _, waitErr := initProc.Wait(); waitErr != nil {
			t.Log(waitErr)
		}
	}()
	ok(t, runErr)

	// The probe touches two device nodes and always exits 0 ("; true"), so
	// the verdict comes only from what it prints on stderr.
	var stderr bytes.Buffer
	probe := &libcontainer.Process{
		Cwd:    "/",
		Args:   []string{"/bin/sh", "-c", "echo > /dev/full; cat /dev/null; true"},
		Env:    standardEnvironment,
		Stderr: &stderr,
	}

	// Substrings that must appear in the probe's stderr, keyed by whether the
	// devices are currently allowed. The exact wording presumably depends on
	// the shell and cat shipped in the test rootfs.
	//
	// NOTE(review): the allowed case only proves that the write reached
	// /dev/full. The absence of a /dev/null error is not asserted, so a denial
	// of /dev/null while devices are allowed would go unnoticed here.
	wantStderr := map[bool][]string{
		true: {
			"write error: No space left on device", // from write to /dev/full
			// no error from cat /dev/null
		},
		false: {
			"/dev/full: Operation not permitted",
			`cat: can't open '/dev/null': Operation not permitted`,
		},
	}

	allowed := true
	origRules := cfg.Cgroups.Resources.Devices

	const rounds = 300
	for round := 0; round < rounds; round++ {
		// Probe device access under the rules currently in force.
		stderr.Reset()
		ok(t, ctr.Run(probe))
		waitProcess(probe, t)

		for _, want := range wantStderr[allowed] {
			if strings.Contains(stderr.String(), want) {
				continue
			}
			t.Fatalf("[%d] expected %q, got %q", round, want, stderr.String())
		}

		// Flip the permission: restore the template rules, or install an
		// empty rule list for the denied state.
		allowed = !allowed
		nextRules := origRules
		if !allowed {
			nextRules = []*devices.Rule{}
		}
		cfg.Cgroups.Resources.Devices = nextRules

		if setErr := ctr.Set(*cfg); setErr != nil {
			t.Fatal(setErr)
		}
	}
}

// TestUpdateDevices runs the device-update check with the systemd flag off.
func TestUpdateDevices(t *testing.T) {
	testUpdateDevices(t, false)
}

// TestUpdateDevicesSystemd runs the device-update check with the systemd flag
// on. It is skipped when systemd.IsRunningSystemd reports false.
func TestUpdateDevicesSystemd(t *testing.T) {
	if !systemd.IsRunningSystemd() {
		t.Skip("Test requires systemd.")
	}
	testUpdateDevices(t, true)
}