authorAndrei Vagin <avagin@google.com>2019-05-28 11:47:46 -0700
committerShentubot <shentubot@google.com>2019-05-30 12:05:16 -0700
commit673358c0d94f82ac56d9f4f6e7aec7ff5761e1cc (patch)
tree521d25971f581968c94a03b3e06e1bf4e1e7635c
parent1e42b4cfcad9ff4becb1041b14107815f585becf (diff)
runsc/do: allow to run commands in a host network namespace
PiperOrigin-RevId: 250329795
-rwxr-xr-xkokoro/run_tests.sh12
-rw-r--r--runsc/cmd/do.go14
2 files changed, 22 insertions, 4 deletions
diff --git a/kokoro/run_tests.sh b/kokoro/run_tests.sh
index b3f333f2f..6a7c1fdb6 100755
--- a/kokoro/run_tests.sh
+++ b/kokoro/run_tests.sh
@@ -182,6 +182,17 @@ run_syscall_tests() {
--test_tag_filters=runsc_ptrace //test/syscalls/...
}
+run_runsc_do_tests() {
+ local runsc=$(find bazel-bin/runsc -type f -executable -name "runsc" | head -n1)
+
+ # run runsc do without root privileges.
+ unshare -Ur ${runsc} --network=none --TESTONLY-unsafe-nonroot do true
+ unshare -Ur ${runsc} --TESTONLY-unsafe-nonroot --network=host do --netns=false true
+
+ # run runsc do with root privileges.
+ sudo -n -E ${runsc} do true
+}
+
# Find and rename all test xml and log files so that Sponge can pick them up.
# XML files must be named sponge_log.xml, and log files must be named
# sponge_log.log. We move all such files into KOKORO_ARTIFACTS_DIR, in a
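Review bot: `run_runsc_do_tests` never checks that `find` located a binary, and `${runsc}` is expanded unquoted in all three invocations. If nothing matches, `runsc` is empty and the root-privileged line becomes `sudo -n -E do true`, while `local runsc=$(...)` hides any non-zero status from the pipeline. I would add `[[ -x "${runsc}" ]] || { echo "runsc binary not found" >&2; return 1; }` right after the assignment and write `"${runsc}"` in each command. Whether the script runs under `set -e` is not visible in this hunk, so the explicit guard is the safer assumption.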
@@ -234,6 +245,7 @@ main() {
run_root_tests
run_syscall_tests
+ run_runsc_do_tests
# Build other flavors too.
build_everything dbg
diff --git a/runsc/cmd/do.go b/runsc/cmd/do.go
index 425db8efe..c057f3087 100644
--- a/runsc/cmd/do.go
+++ b/runsc/cmd/do.go
@@ -39,9 +39,10 @@ import (
// Do implements subcommands.Command for the "do" command. It sets up a simple
// sandbox and executes the command inside it. See Usage() for more details.
type Do struct {
- root string
- cwd string
- ip string
+ root string
+ cwd string
+ ip string
+ networkNamespace bool
}
// Name implements subcommands.Command.Name.
@@ -71,6 +72,7 @@ func (c *Do) SetFlags(f *flag.FlagSet) {
f.StringVar(&c.root, "root", "/", `path to the root directory, defaults to "/"`)
f.StringVar(&c.cwd, "cwd", ".", "path to the current directory, defaults to the current directory")
f.StringVar(&c.ip, "ip", "192.168.10.2", "IPv4 address for the sandbox")
+ f.BoolVar(&c.networkNamespace, "netns", true, "run in a new network namespace")
}
// Execute implements subcommands.Command.Execute.
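Review bot: The `netns` help text, "run in a new network namespace", does not tell the user what `--netns=false` means or what it requires. Per the check added in the Execute hunk, disabling it is accepted only with `--network=host`, and the command then runs in the caller's network namespace instead of an isolated one. I would spell that out in the flag, e.g. `"run in a new network namespace; --netns=false reuses the current network namespace and requires --network=host"`. The new `networkNamespace` field in the struct hunk would benefit from a one-line comment saying the same.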
@@ -118,7 +120,11 @@ func (c *Do) Execute(_ context.Context, f *flag.FlagSet, args ...interface{}) su
specutils.LogSpec(spec)
cid := fmt.Sprintf("runsc-%06d", rand.Int31n(1000000))
- if conf.Network != boot.NetworkNone {
+ if !c.networkNamespace {
+ if conf.Network != boot.NetworkHost {
+ Fatalf("The current network namespace can be used only if --network=host is set", nil)
+ }
+ } else if conf.Network != boot.NetworkNone {
clean, err := c.setupNet(cid, spec)
if err != nil {
return Errorf("Error setting up network: %v", err)
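Review bot: The new `Fatalf(..., nil)` call passes a stray `nil` argument to a message that has no format verb. If `Fatalf` is printf-style (it is defined outside this hunk), the error will be printed with a trailing `%!(EXTRA <nil>)`. It also exits the process, whereas the `setupNet` failure just below reports through `return Errorf(...)`. I would keep the two paths consistent with `return Errorf("The current network namespace can be used only if --network=host is set")`. A short comment on the `!c.networkNamespace` branch noting that network setup is skipped because the sandbox shares the caller's network namespace would help the next reader; `Execute` continues beyond this hunk.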