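#!/usr/bin/env bats
# Source: github.com/opencontainers/runc@v1.2.0-rc.1.0.20240520010911-492dc558cdd6/tests/integration/start_hello.bats
#
# Integration tests for `runc run` using a container whose process is
# `/bin/echo "Hello World"`. Each test edits config.json through update_config
# (a jq filter) and then checks runc's exit status and, where relevant, output.
# setup_busybox, teardown_bundle, update_config, requires and the `runc`
# wrapper that sets $status/$output come from the `helpers` file loaded below.

load helpers

# Runs before every test: prepare the bundle and point the container process
# at /bin/echo.
function setup() {
	setup_busybox
	update_config '.process.args = ["/bin/echo", "Hello World"]'
}

# Runs after every test.
function teardown() {
	teardown_bundle
}

@test "runc run" {
	# run hello-world
	runc run test_hello
	[ "$status" -eq 0 ]

	# check expected output
	[[ "${output}" == *"Hello"* ]]
}

@test "runc run ({u,g}id != 0)" {
	# cannot start containers as another user in rootless setup without idmap
	[ "$EUID" -ne 0 ] && requires rootless_idmap

	# Replace every "uid": 0 with "uid": 1000 and every "gid": 0 with
	# "gid": 100, so the container process runs as a non-root user.
	update_config '	  (.. | select(.uid? == 0)) .uid |= 1000
			| (.. | select(.gid? == 0)) .gid |= 100'

	# run hello-world
	runc run test_hello
	[ "$status" -eq 0 ]

	# check expected output
	[[ "${output}" == *"Hello"* ]]
}

# https://github.com/opencontainers/runc/issues/3715.
#
# Fails when using Go 1.20 < 1.20.2, the reason is https://go.dev/issue/58552.
#
# The binary is executable by its owner (root) only, while the container
# process runs as uid 1000 / gid 100. File-mode checks therefore deny the exec
# unless the process holds CAP_DAC_OVERRIDE. The test asserts both sides of
# that boundary: denied without the capability, allowed with it.
@test "runc run as user with no exec bit but CAP_DAC_OVERRIDE set" {
	requires root # Can't chown/chmod otherwise.

	# Remove exec perm for everyone but owner (root).
	chown 0 rootfs/bin/echo
	chmod go-x rootfs/bin/echo

	# Replace "uid": 0 with "uid": 1000 and do a similar thing for gid.
	update_config '	  (.. | select(.uid? == 0)) .uid |= 1000
			| (.. | select(.gid? == 0)) .gid |= 100'

	# Sanity check: make sure we can't run the container w/o CAP_DAC_OVERRIDE.
	runc run test_busybox
	[ "$status" -ne 0 ]

	# Enable CAP_DAC_OVERRIDE in all five capability sets of the container
	# process (bounding, effective, inheritable, ambient, permitted).
	update_config '	  .process.capabilities.bounding += ["CAP_DAC_OVERRIDE"]
			| .process.capabilities.effective += ["CAP_DAC_OVERRIDE"]
			| .process.capabilities.inheritable += ["CAP_DAC_OVERRIDE"]
			| .process.capabilities.ambient += ["CAP_DAC_OVERRIDE"]
			| .process.capabilities.permitted += ["CAP_DAC_OVERRIDE"]'

	runc run test_busybox
	[ "$status" -eq 0 ]
}

@test "runc run with rootfs set to ." {
	# Move config.json into the rootfs directory and run from there, so the
	# bundle directory and the root filesystem are the same directory.
	cp config.json rootfs/.
	rm config.json
	cd rootfs
	update_config '(.. | select(. == "rootfs")) |= "."'

	# run hello-world
	runc run test_hello
	[ "$status" -eq 0 ]
	[[ "${output}" == *"Hello"* ]]
}

@test "runc run --pid-file" {
	# run hello-world
	runc run --pid-file pid.txt test_hello
	[ "$status" -eq 0 ]
	[[ "${output}" == *"Hello"* ]]

	# check pid.txt was generated
	[ -e pid.txt ]

	# The file must hold a decimal number and nothing else. The pattern is
	# anchored because an unanchored [0-9]+ also accepts any content that
	# merely contains a digit. $(...) strips trailing newlines.
	[[ "$(cat pid.txt)" =~ ^[0-9]+$ ]]
}

# https://github.com/opencontainers/runc/pull/2897
#
# In this configuration the container has no pid namespace of its own and the
# host's /proc is bind-mounted into it (nosuid, nodev, noexec). The test only
# checks that runc can start such a container in a rootless setup.
@test "runc run [rootless with host pidns]" {
	requires rootless_no_features

	# Remove pid namespace, and replace /proc mount
	# with a bind mount from the host.
	update_config '	  .linux.namespaces -= [{"type": "pid"}]
			| .mounts |= map((select(.type == "proc")
				| .type = "none"
				| .source = "/proc"
				| .options = ["rbind", "nosuid", "nodev", "noexec"]
			  ) // .)'

	runc run test_hello
	[ "$status" -eq 0 ]
}

# The profile's default action is SCMP_ACT_ALLOW and its single rule also
# allows bdflush, so the rule is redundant and the profile restricts nothing.
# The test checks that runc accepts such a profile; it does not exercise any
# syscall filtering.
@test "runc run [redundant seccomp rules]" {
	update_config '	  .linux.seccomp = {
				"defaultAction": "SCMP_ACT_ALLOW",
				"syscalls": [{
					"names": ["bdflush"],
					"action": "SCMP_ACT_ALLOW",
				}]
		    }'
	runc run test_hello
	[ "$status" -eq 0 ]
}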