diff options
author | Fabricio Voznika <fvoznika@google.com> | 2018-10-09 21:06:18 -0700 |
---|---|---|
committer | Shentubot <shentubot@google.com> | 2018-10-09 21:07:14 -0700 |
commit | 20508bafb88d2037ea3b2c8483b191ce72e7ad7e (patch) | |
tree | 7713850d594c45cd8e577dc582cb1771c6d4e6de | |
parent | c36d2ef3733a0619b992f8ddc23b072474b04044 (diff) |
Add tests to verify gofer is chroot'ed
PiperOrigin-RevId: 216472439
Change-Id: Ic4cb86c8e0a9cb022d3ceed9dc5615266c307cf9
-rw-r--r-- | runsc/cmd/debug.go | 2 | ||||
-rw-r--r-- | runsc/cmd/list.go | 2 | ||||
-rw-r--r-- | runsc/container/container.go | 8 | ||||
-rw-r--r-- | runsc/test/root/chroot_test.go | 70 | ||||
-rw-r--r-- | runsc/test/testutil/docker.go | 9 |
5 files changed, 85 insertions, 6 deletions
diff --git a/runsc/cmd/debug.go b/runsc/cmd/debug.go index caa44168b..cb7d81057 100644 --- a/runsc/cmd/debug.go +++ b/runsc/cmd/debug.go @@ -85,7 +85,7 @@ func (d *Debug) Execute(_ context.Context, f *flag.FlagSet, args ...interface{}) if err != nil { Fatalf("error loading container %q: %v", id, err) } - if candidate.Pid() == d.pid { + if candidate.SandboxPid() == d.pid { c = candidate break } diff --git a/runsc/cmd/list.go b/runsc/cmd/list.go index d554bf7cf..4d4a5cb0b 100644 --- a/runsc/cmd/list.go +++ b/runsc/cmd/list.go @@ -94,7 +94,7 @@ func (l *List) Execute(_ context.Context, f *flag.FlagSet, args ...interface{}) for _, c := range containers { fmt.Fprintf(w, "%s\t%d\t%s\t%s\t%s\t%s\n", c.ID, - c.Pid(), + c.SandboxPid(), c.Status, c.BundleDir, c.CreatedAt.Format(time.RFC3339Nano), diff --git a/runsc/container/container.go b/runsc/container/container.go index 827528349..f0cdee8d3 100644 --- a/runsc/container/container.go +++ b/runsc/container/container.go @@ -316,7 +316,7 @@ func Create(id string, spec *specs.Spec, conf *boot.Config, bundleDir, consoleSo // Write the PID file. Containerd considers the create complete after // this file is created, so it must be the last thing we do. if pidFile != "" { - if err := ioutil.WriteFile(pidFile, []byte(strconv.Itoa(c.Pid())), 0644); err != nil { + if err := ioutil.WriteFile(pidFile, []byte(strconv.Itoa(c.SandboxPid())), 0644); err != nil { c.Destroy() return nil, fmt.Errorf("error writing PID file: %v", err) } @@ -426,9 +426,9 @@ func (c *Container) Event() (*boot.Event, error) { return c.Sandbox.Event(c.ID) } -// Pid returns the Pid of the sandbox the container is running in, or -1 if the +// SandboxPid returns the Pid of the sandbox the container is running in, or -1 if the // container is not running. -func (c *Container) Pid() int { +func (c *Container) SandboxPid() int { if err := c.requireStatus("get PID", Created, Running, Paused); err != nil { return -1 } @@ -566,7 +566,7 @@ func (c *Container) State() specs.State { Version: specs.Version, ID: c.ID, Status: c.Status.String(), - Pid: c.Pid(), + Pid: c.SandboxPid(), Bundle: c.BundleDir, } } diff --git a/runsc/test/root/chroot_test.go b/runsc/test/root/chroot_test.go index 5c59e7451..8831e6a78 100644 --- a/runsc/test/root/chroot_test.go +++ b/runsc/test/root/chroot_test.go @@ -24,6 +24,7 @@ import ( "fmt" "io/ioutil" "os" + "os/exec" "path/filepath" "reflect" "sort" @@ -91,6 +92,75 @@ func TestChroot(t *testing.T) { } } +func TestChrootGofer(t *testing.T) { + d := testutil.MakeDocker("chroot-test") + if err := d.Run("alpine", "sleep", "10000"); err != nil { + t.Fatalf("docker run failed: %v", err) + } + defer d.CleanUp() + + // It's tricky to find gofers. Get sandbox PID first, then find parent. From + // parent get all immediate children, remove the sandbox, and everything else + // are gofers. + sandPID, err := d.SandboxPid() + if err != nil { + t.Fatalf("Docker.SandboxPid(): %v", err) + } + + // Find sandbox's parent PID. + cmd := fmt.Sprintf("grep PPid /proc/%d/status | awk '{print $2}'", sandPID) + parent, err := exec.Command("sh", "-c", cmd).CombinedOutput() + if err != nil { + t.Fatalf("failed to fetch runsc (%d) parent PID: %v, out:\n%s", sandPID, err, string(parent)) + } + parentPID, err := strconv.Atoi(strings.TrimSpace(string(parent))) + if err != nil { + t.Fatalf("failed to parse PPID %q: %v", string(parent), err) + } + + // Get all children from parent. + childrenOut, err := exec.Command("/usr/bin/pgrep", "-P", strconv.Itoa(parentPID)).CombinedOutput() + if err != nil { + t.Fatalf("failed to fetch containerd-shim children: %v", err) + } + children := strings.Split(strings.TrimSpace(string(childrenOut)), "\n") + + // This where the root directory is mapped on the host and that's where the + // gofer must have chroot'd to. + root, err := d.RootDirInHost() + if err != nil { + t.Fatalf("Docker.RootDirInHost(): %v", err) + } + + for _, child := range children { + childPID, err := strconv.Atoi(child) + if err != nil { + t.Fatalf("failed to parse child PID %q: %v", child, err) + } + if childPID == sandPID { + // Skip the sandbox, all other immediate children are gofers. + continue + } + + // Check that gofer is chroot'ed. + chroot, err := filepath.EvalSymlinks(filepath.Join("/proc", child, "root")) + if err != nil { + t.Fatalf("error resolving /proc/<pid>/root symlink: %v", err) + } + if root != chroot { + t.Errorf("gofer chroot is wrong, want: %q, got: %q", root, chroot) + } + + path, err := filepath.EvalSymlinks(filepath.Join("/proc", child, "cwd")) + if err != nil { + t.Fatalf("error resolving /proc/<pid>/cwd symlink: %v", err) + } + if root != path { + t.Errorf("gofer current dir is wrong, want: %q, got: %q", root, path) + } + } +} + func TestMain(m *testing.M) { testutil.EnsureSupportedDockerVersion() diff --git a/runsc/test/testutil/docker.go b/runsc/test/testutil/docker.go index cf61f2c10..d70b4377a 100644 --- a/runsc/test/testutil/docker.go +++ b/runsc/test/testutil/docker.go @@ -280,6 +280,15 @@ func (d *Docker) SandboxPid() (int, error) { return pid, nil } +// RootDirInHost returns where the root directory is mapped on the host. +func (d *Docker) RootDirInHost() (string, error) { + out, err := do("inspect", "-f={{.GraphDriver.Data.MergedDir}}", d.Name) + if err != nil { + return "", fmt.Errorf("error retrieving pid: %v", err) + } + return strings.TrimSuffix(string(out), "\n"), nil +} + // WaitForOutput calls 'docker logs' to retrieve containers output and searches // for the given pattern. func (d *Docker) WaitForOutput(pattern string, timeout time.Duration) (string, error) { |