Add tests to verify gofer is chroot'ed

PiperOrigin-RevId: 216472439
Change-Id: Ic4cb86c8e0a9cb022d3ceed9dc5615266c307cf9

2 files changed, 79 insertions, 0 deletions

diff --git a/runsc/test/root/chroot_test.go b/runsc/test/root/chroot_test.go
index 5c59e7451..8831e6a78 100644
--- a/runsc/test/root/chroot_test.go
+++ b/runsc/test/root/chroot_test.go
@@ -24,6 +24,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"reflect"
 	"sort"
@@ -91,6 +92,75 @@ func TestChroot(t *testing.T) {
 	}
 }
 
+func TestChrootGofer(t *testing.T) {
+	d := testutil.MakeDocker("chroot-test")
+	if err := d.Run("alpine", "sleep", "10000"); err != nil {
+		t.Fatalf("docker run failed: %v", err)
+	}
+	defer d.CleanUp()
+
+	// It's tricky to find gofers. Get sandbox PID first, then find parent. From
+	// parent get all immediate children, remove the sandbox, and everything else
+	// are gofers.
+	sandPID, err := d.SandboxPid()
+	if err != nil {
+		t.Fatalf("Docker.SandboxPid(): %v", err)
+	}
+
+	// Find sandbox's parent PID.
+	cmd := fmt.Sprintf("grep PPid /proc/%d/status | awk '{print $2}'", sandPID)
+	parent, err := exec.Command("sh", "-c", cmd).CombinedOutput()
+	if err != nil {
+		t.Fatalf("failed to fetch runsc (%d) parent PID: %v, out:\n%s", sandPID, err, string(parent))
+	}
+	parentPID, err := strconv.Atoi(strings.TrimSpace(string(parent)))
+	if err != nil {
+		t.Fatalf("failed to parse PPID %q: %v", string(parent), err)
+	}
+
+	// Get all children from parent.
+	childrenOut, err := exec.Command("/usr/bin/pgrep", "-P", strconv.Itoa(parentPID)).CombinedOutput()
+	if err != nil {
+		t.Fatalf("failed to fetch containerd-shim children: %v", err)
+	}
+	children := strings.Split(strings.TrimSpace(string(childrenOut)), "\n")
+
+	// This where the root directory is mapped on the host and that's where the
+	// gofer must have chroot'd to.
+	root, err := d.RootDirInHost()
+	if err != nil {
+		t.Fatalf("Docker.RootDirInHost(): %v", err)
+	}
+
+	for _, child := range children {
+		childPID, err := strconv.Atoi(child)
+		if err != nil {
+			t.Fatalf("failed to parse child PID %q: %v", child, err)
+		}
+		if childPID == sandPID {
+			// Skip the sandbox, all other immediate children are gofers.
+			continue
+		}
+
+		// Check that gofer is chroot'ed.
+		chroot, err := filepath.EvalSymlinks(filepath.Join("/proc", child, "root"))
+		if err != nil {
+			t.Fatalf("error resolving /proc/<pid>/root symlink: %v", err)
+		}
+		if root != chroot {
+			t.Errorf("gofer chroot is wrong, want: %q, got: %q", root, chroot)
+		}
+
+		path, err := filepath.EvalSymlinks(filepath.Join("/proc", child, "cwd"))
+		if err != nil {
+			t.Fatalf("error resolving /proc/<pid>/cwd symlink: %v", err)
+		}
+		if root != path {
+			t.Errorf("gofer current dir is wrong, want: %q, got: %q", root, path)
+		}
+	}
+}
+
 func TestMain(m *testing.M) {
 	testutil.EnsureSupportedDockerVersion()
 
diff --git a/runsc/test/testutil/docker.go b/runsc/test/testutil/docker.go
index cf61f2c10..d70b4377a 100644
--- a/runsc/test/testutil/docker.go
+++ b/runsc/test/testutil/docker.go
@@ -280,6 +280,15 @@ func (d *Docker) SandboxPid() (int, error) {
 	return pid, nil
 }
 
+// RootDirInHost returns where the root directory is mapped on the host.
+func (d *Docker) RootDirInHost() (string, error) {
+	out, err := do("inspect", "-f={{.GraphDriver.Data.MergedDir}}", d.Name)
+	if err != nil {
+		return "", fmt.Errorf("error retrieving pid: %v", err)
+	}
+	return strings.TrimSuffix(string(out), "\n"), nil
+}
+
 // WaitForOutput calls 'docker logs' to retrieve containers output and searches
 // for the given pattern.
 func (d *Docker) WaitForOutput(pattern string, timeout time.Duration) (string, error) {