summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorFabricio Voznika <fvoznika@google.com>2018-10-09 21:06:18 -0700
committerShentubot <shentubot@google.com>2018-10-09 21:07:14 -0700
commit20508bafb88d2037ea3b2c8483b191ce72e7ad7e (patch)
tree7713850d594c45cd8e577dc582cb1771c6d4e6de
parentc36d2ef3733a0619b992f8ddc23b072474b04044 (diff)
Add tests to verify gofer is chroot'ed
PiperOrigin-RevId: 216472439 Change-Id: Ic4cb86c8e0a9cb022d3ceed9dc5615266c307cf9
-rw-r--r--runsc/cmd/debug.go2
-rw-r--r--runsc/cmd/list.go2
-rw-r--r--runsc/container/container.go8
-rw-r--r--runsc/test/root/chroot_test.go70
-rw-r--r--runsc/test/testutil/docker.go9
5 files changed, 85 insertions, 6 deletions
diff --git a/runsc/cmd/debug.go b/runsc/cmd/debug.go
index caa44168b..cb7d81057 100644
--- a/runsc/cmd/debug.go
+++ b/runsc/cmd/debug.go
@@ -85,7 +85,7 @@ func (d *Debug) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
if err != nil {
Fatalf("error loading container %q: %v", id, err)
}
- if candidate.Pid() == d.pid {
+ if candidate.SandboxPid() == d.pid {
c = candidate
break
}
diff --git a/runsc/cmd/list.go b/runsc/cmd/list.go
index d554bf7cf..4d4a5cb0b 100644
--- a/runsc/cmd/list.go
+++ b/runsc/cmd/list.go
@@ -94,7 +94,7 @@ func (l *List) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
for _, c := range containers {
fmt.Fprintf(w, "%s\t%d\t%s\t%s\t%s\t%s\n",
c.ID,
- c.Pid(),
+ c.SandboxPid(),
c.Status,
c.BundleDir,
c.CreatedAt.Format(time.RFC3339Nano),
diff --git a/runsc/container/container.go b/runsc/container/container.go
index 827528349..f0cdee8d3 100644
--- a/runsc/container/container.go
+++ b/runsc/container/container.go
@@ -316,7 +316,7 @@ func Create(id string, spec *specs.Spec, conf *boot.Config, bundleDir, consoleSo
// Write the PID file. Containerd considers the create complete after
// this file is created, so it must be the last thing we do.
if pidFile != "" {
- if err := ioutil.WriteFile(pidFile, []byte(strconv.Itoa(c.Pid())), 0644); err != nil {
+ if err := ioutil.WriteFile(pidFile, []byte(strconv.Itoa(c.SandboxPid())), 0644); err != nil {
c.Destroy()
return nil, fmt.Errorf("error writing PID file: %v", err)
}
@@ -426,9 +426,9 @@ func (c *Container) Event() (*boot.Event, error) {
return c.Sandbox.Event(c.ID)
}
-// Pid returns the Pid of the sandbox the container is running in, or -1 if the
+// SandboxPid returns the Pid of the sandbox the container is running in, or -1 if the
// container is not running.
-func (c *Container) Pid() int {
+func (c *Container) SandboxPid() int {
if err := c.requireStatus("get PID", Created, Running, Paused); err != nil {
return -1
}
@@ -566,7 +566,7 @@ func (c *Container) State() specs.State {
Version: specs.Version,
ID: c.ID,
Status: c.Status.String(),
- Pid: c.Pid(),
+ Pid: c.SandboxPid(),
Bundle: c.BundleDir,
}
}
diff --git a/runsc/test/root/chroot_test.go b/runsc/test/root/chroot_test.go
index 5c59e7451..8831e6a78 100644
--- a/runsc/test/root/chroot_test.go
+++ b/runsc/test/root/chroot_test.go
@@ -24,6 +24,7 @@ import (
"fmt"
"io/ioutil"
"os"
+ "os/exec"
"path/filepath"
"reflect"
"sort"
@@ -91,6 +92,75 @@ func TestChroot(t *testing.T) {
}
}
+func TestChrootGofer(t *testing.T) {
+ d := testutil.MakeDocker("chroot-test")
+ if err := d.Run("alpine", "sleep", "10000"); err != nil {
+ t.Fatalf("docker run failed: %v", err)
+ }
+ defer d.CleanUp()
+
+ // It's tricky to find gofers. Get sandbox PID first, then find parent. From
+ // parent get all immediate children, remove the sandbox, and everything else
+ // are gofers.
+ sandPID, err := d.SandboxPid()
+ if err != nil {
+ t.Fatalf("Docker.SandboxPid(): %v", err)
+ }
+
+ // Find sandbox's parent PID.
+ cmd := fmt.Sprintf("grep PPid /proc/%d/status | awk '{print $2}'", sandPID)
+ parent, err := exec.Command("sh", "-c", cmd).CombinedOutput()
+ if err != nil {
+ t.Fatalf("failed to fetch runsc (%d) parent PID: %v, out:\n%s", sandPID, err, string(parent))
+ }
+ parentPID, err := strconv.Atoi(strings.TrimSpace(string(parent)))
+ if err != nil {
+ t.Fatalf("failed to parse PPID %q: %v", string(parent), err)
+ }
+
+ // Get all children from parent.
+ childrenOut, err := exec.Command("/usr/bin/pgrep", "-P", strconv.Itoa(parentPID)).CombinedOutput()
+ if err != nil {
+ t.Fatalf("failed to fetch containerd-shim children: %v", err)
+ }
+ children := strings.Split(strings.TrimSpace(string(childrenOut)), "\n")
+
+ // This where the root directory is mapped on the host and that's where the
+ // gofer must have chroot'd to.
+ root, err := d.RootDirInHost()
+ if err != nil {
+ t.Fatalf("Docker.RootDirInHost(): %v", err)
+ }
+
+ for _, child := range children {
+ childPID, err := strconv.Atoi(child)
+ if err != nil {
+ t.Fatalf("failed to parse child PID %q: %v", child, err)
+ }
+ if childPID == sandPID {
+ // Skip the sandbox, all other immediate children are gofers.
+ continue
+ }
+
+ // Check that gofer is chroot'ed.
+ chroot, err := filepath.EvalSymlinks(filepath.Join("/proc", child, "root"))
+ if err != nil {
+ t.Fatalf("error resolving /proc/<pid>/root symlink: %v", err)
+ }
+ if root != chroot {
+ t.Errorf("gofer chroot is wrong, want: %q, got: %q", root, chroot)
+ }
+
+ path, err := filepath.EvalSymlinks(filepath.Join("/proc", child, "cwd"))
+ if err != nil {
+ t.Fatalf("error resolving /proc/<pid>/cwd symlink: %v", err)
+ }
+ if root != path {
+ t.Errorf("gofer current dir is wrong, want: %q, got: %q", root, path)
+ }
+ }
+}
+
func TestMain(m *testing.M) {
testutil.EnsureSupportedDockerVersion()
diff --git a/runsc/test/testutil/docker.go b/runsc/test/testutil/docker.go
index cf61f2c10..d70b4377a 100644
--- a/runsc/test/testutil/docker.go
+++ b/runsc/test/testutil/docker.go
@@ -280,6 +280,15 @@ func (d *Docker) SandboxPid() (int, error) {
return pid, nil
}
+// RootDirInHost returns where the root directory is mapped on the host.
+func (d *Docker) RootDirInHost() (string, error) {
+ out, err := do("inspect", "-f={{.GraphDriver.Data.MergedDir}}", d.Name)
+ if err != nil {
+ return "", fmt.Errorf("error retrieving pid: %v", err)
+ }
+ return strings.TrimSuffix(string(out), "\n"), nil
+}
+
// WaitForOutput calls 'docker logs' to retrieve containers output and searches
// for the given pattern.
func (d *Docker) WaitForOutput(pattern string, timeout time.Duration) (string, error) {