author | Andrei Vagin <avagin@google.com> | 2019-05-28 11:47:46 -0700 |
---|---|---|
committer | Shentubot <shentubot@google.com> | 2019-05-30 12:05:16 -0700 |
commit | 673358c0d94f82ac56d9f4f6e7aec7ff5761e1cc (patch) | |
tree | 521d25971f581968c94a03b3e06e1bf4e1e7635c | |
parent | 1e42b4cfcad9ff4becb1041b14107815f585becf (diff) |
runsc/do: allow to run commands in a host network namespace
PiperOrigin-RevId: 250329795
-rwxr-xr-x | kokoro/run_tests.sh | 12 | ||||
-rw-r--r-- | runsc/cmd/do.go | 14 |
2 files changed, 22 insertions, 4 deletions
diff --git a/kokoro/run_tests.sh b/kokoro/run_tests.sh
index b3f333f2f..6a7c1fdb6 100755
--- a/kokoro/run_tests.sh
+++ b/kokoro/run_tests.sh
@@ -182,6 +182,17 @@ run_syscall_tests() {
 --test_tag_filters=runsc_ptrace //test/syscalls/...
 }
 
+run_runsc_do_tests() {
+ local runsc=$(find bazel-bin/runsc -type f -executable -name "runsc" | head -n1)
+
+ # run runsc do without root privileges.
+ unshare -Ur ${runsc} --network=none --TESTONLY-unsafe-nonroot do true
+ unshare -Ur ${runsc} --TESTONLY-unsafe-nonroot --network=host do --netns=false true
+
+ # run runsc do with root privileges.
+ sudo -n -E ${runsc} do true
+}
+
 # Find and rename all test xml and log files so that Sponge can pick them up.
 # XML files must be named sponge_log.xml, and log files must be named
 # sponge_log.log. We move all such files into KOKORO_ARTIFACTS_DIR, in a
@@ -234,6 +245,7 @@ main() {
 run_root_tests
 
 run_syscall_tests
+ run_runsc_do_tests
 
 # Build other flavors too.
 build_everything dbg
diff --git a/runsc/cmd/do.go b/runsc/cmd/do.go
index 425db8efe..c057f3087 100644
--- a/runsc/cmd/do.go
+++ b/runsc/cmd/do.go
@@ -39,9 +39,10 @@ import (
 // Do implements subcommands.Command for the "do" command. It sets up a simple
 // sandbox and executes the command inside it. See Usage() for more details.
 type Do struct {
- root string
- cwd string
- ip string
+ root string
+ cwd string
+ ip string
+ networkNamespace bool
 }
 
 // Name implements subcommands.Command.Name.
@@ -71,6 +72,7 @@ func (c *Do) SetFlags(f *flag.FlagSet) {
 f.StringVar(&c.root, "root", "/", `path to the root directory, defaults to "/"`)
 f.StringVar(&c.cwd, "cwd", ".", "path to the current directory, defaults to the current directory")
 f.StringVar(&c.ip, "ip", "192.168.10.2", "IPv4 address for the sandbox")
+ f.BoolVar(&c.networkNamespace, "netns", true, "run in a new network namespace")
 }
 
 // Execute implements subcommands.Command.Execute.
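Review bot: In run_runsc_do_tests the output of `find … | head -n1` is used without checking that it is non-empty, and `${runsc}` is expanded unquoted, so a missing binary makes the first call run as `unshare -Ur --network=none …` and fail in a way that does not point at the real cause. I would split declaration and assignment and guard the result, `local runsc; runsc=$(find bazel-bin/runsc -type f -executable -name "runsc" | head -n1)` followed by `[[ -x "${runsc}" ]] || return 1`, and quote `"${runsc}"` in the three invocations. The new cases also cover only accepted flag combinations; a negative case asserting that `do --netns=false` without `--network=host` exits non-zero would exercise the guard this commit adds in runsc/cmd/do.go.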
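Review bot: The help text of the new `netns` flag in SetFlags does not say what turning it off means for isolation: with `--netns=false` the command stays in the caller's network namespace, which the Execute hunk of this commit permits only together with `--network=host`. I would spell that out in the usage string, e.g. `"run in a new network namespace; --netns=false keeps the caller's network namespace and requires --network=host"`, and add a one-line comment with the same meaning on the `networkNamespace` field of the Do struct. If Usage(), which is outside this diff, describes the flags, it probably needs the same sentence.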
@@ -118,7 +120,11 @@ func (c *Do) Execute(_ context.Context, f *flag.FlagSet, args ...interface{}) su
 specutils.LogSpec(spec)
 
 cid := fmt.Sprintf("runsc-%06d", rand.Int31n(1000000))
- if conf.Network != boot.NetworkNone {
+ if !c.networkNamespace {
+ if conf.Network != boot.NetworkHost {
+ Fatalf("The current network namespace can be used only if --network=host is set", nil)
+ }
+ } else if conf.Network != boot.NetworkNone {
 clean, err := c.setupNet(cid, spec)
 if err != nil {
 return Errorf("Error setting up network: %v", err) |
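Review bot: The new `Fatalf` call passes a stray `nil` after a format string that contains no verbs; if Fatalf is printf-style, as the neighbouring `Errorf("Error setting up network: %v", err)` suggests, the message will end in `%!(EXTRA <nil>)` and a printf check such as go vet's would likely flag it. The other failure visible in this hunk is reported with `return Errorf(...)`, so for consistency I would write `return Errorf("The current network namespace can be used only if --network=host is set")`. A short comment above the `if !c.networkNamespace` branch, stating that setupNet is deliberately skipped because the command keeps the caller's network namespace, would make the reduced isolation explicit to the next reader. Execute begins and continues outside the hunk.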