github.com/rkt/rkt@v1.30.1-0.20200224141603-171c416fac02/tests/rkt_userns_test.go (about) 1 // Copyright 2015 The rkt Authors 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 // +build host coreos src 16 17 package main 18 19 import ( 20 "os" 21 "strings" 22 "testing" 23 24 "github.com/coreos/gexpect" 25 "github.com/rkt/rkt/common" 26 "github.com/rkt/rkt/tests/testutils" 27 ) 28 29 var usernsTests = []struct { 30 runCmd string 31 file string 32 expectMode string 33 expectUid string 34 expectGid string 35 }{ 36 { 37 `^RKT_BIN^ --debug --insecure-options=image run ^USERNS^ --no-overlay --set-env=FILE=^FILE^ --mds-register=false ^IMAGE^`, 38 "/", // stage2 rootfs ($POD/stage1/rootfs/opt/stage2/rkt-inspect) 39 "drwxr-xr-x", 40 "0", 41 "0", 42 }, 43 { 44 `^RKT_BIN^ --debug --insecure-options=image run ^USERNS^ --no-overlay --set-env=FILE=^FILE^ --mds-register=false ^IMAGE^`, 45 "/proc/1/root/", // stage1 rootfs ($POD/stage1/rootfs) 46 "drwxr-xr-x", 47 "0", 48 "", // no check: it could be 0 but also the gid of 'rkt', see https://github.com/rkt/rkt/pull/1452 49 }, 50 // TODO test with overlay fs too. We don't test it for now because 51 // the Semaphore CI system doesn't support it. 52 } 53 54 func TestUserns(t *testing.T) { 55 if !common.SupportsUserNS() { 56 t.Skip("User namespaces are not supported on this host.") 57 } 58 59 if err := checkUserNS(); err != nil { 60 t.Skip("User namespaces don't work on this host.") 61 } 62 63 // we need CAP_SYS_PTRACE to read /proc/1/root 64 image := patchTestACI("rkt-inspect-stat.aci", "--exec=/inspect --stat-file", "--capability=CAP_SYS_PTRACE") 65 defer os.Remove(image) 66 ctx := testutils.NewRktRunCtx() 67 defer ctx.Cleanup() 68 69 for i, tt := range usernsTests { 70 for _, userNsOpt := range []string{"", "--private-users"} { 71 runCmd := tt.runCmd 72 runCmd = strings.Replace(runCmd, "^IMAGE^", image, -1) 73 runCmd = strings.Replace(runCmd, "^RKT_BIN^", ctx.Cmd(), -1) 74 runCmd = strings.Replace(runCmd, "^FILE^", tt.file, -1) 75 runCmd = strings.Replace(runCmd, "^USERNS^", userNsOpt, -1) 76 77 if userNsOpt == "--private-users" { 78 t.Logf("Running 'run' test #%v: %v", i, runCmd) 79 child, err := gexpect.Spawn(runCmd) 80 if err != nil { 81 t.Fatalf("Cannot exec rkt #%v: %v", i, err) 82 } 83 84 expectedResult := tt.file + `: mode: (\w+.\w+.\w+)` 85 result, _, err := expectRegexWithOutput(child, expectedResult) 86 if err != nil || result[1] != tt.expectMode { 87 t.Fatalf("Expected %q but not found: %v", tt.expectMode, result) 88 } 89 expectedResult = tt.file + `: user: (\d)` 90 result, _, err = expectRegexWithOutput(child, expectedResult) 91 if err != nil || result[0] == tt.expectUid { 92 t.Fatalf("Expected %q but not found: %v", tt.expectUid, result) 93 } 94 expectedResult = tt.file + `: group: (\d)` 95 result, _, err = expectRegexWithOutput(child, expectedResult) 96 if err != nil || result[0] == tt.expectGid { 97 t.Fatalf("Expected %q but not found: %v", tt.expectGid, result) 98 } 99 waitOrFail(t, child, 0) 100 101 ctx.Reset() 102 } 103 } 104 } 105 }