Diffstat (limited to 'test/e2e')
-rw-r--r-- | test/e2e/BUILD | 32 | ||||
-rw-r--r-- | test/e2e/exec_test.go | 268 | ||||
-rw-r--r-- | test/e2e/integration.go | 16 | ||||
-rw-r--r-- | test/e2e/integration_test.go | 790 |
4 files changed, 0 insertions, 1106 deletions
diff --git a/test/e2e/BUILD b/test/e2e/BUILD
deleted file mode 100644
index 1e9792b4f..000000000
--- a/test/e2e/BUILD
+++ /dev/null
@@ -1,32 +0,0 @@
-load("//tools:defs.bzl", "go_library", "go_test")
-
-package(licenses = ["notice"])
-
-go_test(
- name = "integration_test",
- size = "large",
- srcs = [
- "exec_test.go",
- "integration_test.go",
- ],
- library = ":integration",
- tags = [
- # Requires docker and runsc to be configured before the test runs.
- "local",
- "manual",
- ],
- visibility = ["//:sandbox"],
- deps = [
- "//pkg/abi/linux",
- "//pkg/bits",
- "//pkg/test/dockerutil",
- "//pkg/test/testutil",
- "//runsc/specutils",
- "@com_github_docker_docker//api/types/mount:go_default_library",
- ],
-)
-
-go_library(
- name = "integration",
- srcs = ["integration.go"],
-)
diff --git a/test/e2e/exec_test.go b/test/e2e/exec_test.go
deleted file mode 100644
index b47df447c..000000000
--- a/test/e2e/exec_test.go
+++ /dev/null
@@ -1,268 +0,0 @@
-// Copyright 2018 The gVisor Authors.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// Package integration provides end-to-end integration tests for runsc. These
-// tests require docker and runsc to be installed on the machine.
-//
-// Each test calls docker commands to start up a container, and tests that it
-// is behaving properly, with various runsc commands. The container is killed
-// and deleted at the end.
-
-package integration
-
-import (
- "context"
- "fmt"
- "strconv"
- "strings"
- "testing"
- "time"
-
- "gvisor.dev/gvisor/pkg/abi/linux"
- "gvisor.dev/gvisor/pkg/bits"
- "gvisor.dev/gvisor/pkg/test/dockerutil"
- "gvisor.dev/gvisor/runsc/specutils"
-)
-
-// Test that exec uses the exact same capability set as the container.
-func TestExecCapabilities(t *testing.T) {
- ctx := context.Background()
- d := dockerutil.MakeContainer(ctx, t)
- defer d.CleanUp(ctx)
-
- // Start the container.
- if err := d.Spawn(ctx, dockerutil.RunOpts{
- Image: "basic/alpine",
- }, "sh", "-c", "cat /proc/self/status; sleep 100"); err != nil {
- t.Fatalf("docker run failed: %v", err)
- }
-
- // Check that capability.
- matches, err := d.WaitForOutputSubmatch(ctx, "CapEff:\t([0-9a-f]+)\n", 5*time.Second)
- if err != nil {
- t.Fatalf("WaitForOutputSubmatch() timeout: %v", err)
- }
- if len(matches) != 2 {
- t.Fatalf("There should be a match for the whole line and the capability bitmask")
- }
- want := fmt.Sprintf("CapEff:\t%s\n", matches[1])
- t.Log("Root capabilities:", want)
-
- // Now check that exec'd process capabilities match the root.
- got, err := d.Exec(ctx, dockerutil.ExecOpts{}, "grep", "CapEff:", "/proc/self/status")
- if err != nil {
- t.Fatalf("docker exec failed: %v", err)
- }
- t.Logf("CapEff: %v", got)
- if got != want {
- t.Errorf("wrong capabilities, got: %q, want: %q", got, want)
- }
-}
-
-// Test that 'exec --privileged' adds all capabilities, except for CAP_NET_RAW
-// which is removed from the container when --net-raw=false.
-func TestExecPrivileged(t *testing.T) {
- ctx := context.Background()
- d := dockerutil.MakeContainer(ctx, t)
- defer d.CleanUp(ctx)
-
- // Start the container with all capabilities dropped.
- if err := d.Spawn(ctx, dockerutil.RunOpts{
- Image: "basic/alpine",
- CapDrop: []string{"all"},
- }, "sh", "-c", "cat /proc/self/status; sleep 100"); err != nil {
- t.Fatalf("docker run failed: %v", err)
- }
-
- // Check that all capabilities where dropped from container.
- matches, err := d.WaitForOutputSubmatch(ctx, "CapEff:\t([0-9a-f]+)\n", 5*time.Second)
- if err != nil {
- t.Fatalf("WaitForOutputSubmatch() timeout: %v", err)
- }
- if len(matches) != 2 {
- t.Fatalf("There should be a match for the whole line and the capability bitmask")
- }
- containerCaps, err := strconv.ParseUint(matches[1], 16, 64)
- if err != nil {
- t.Fatalf("failed to convert capabilities %q: %v", matches[1], err)
- }
- t.Logf("Container capabilities: %#x", containerCaps)
- if containerCaps != 0 {
- t.Fatalf("Container should have no capabilities: %x", containerCaps)
- }
-
- // Check that 'exec --privileged' adds all capabilities, except for
- // CAP_NET_RAW.
- got, err := d.Exec(ctx, dockerutil.ExecOpts{
- Privileged: true,
- }, "grep", "CapEff:", "/proc/self/status")
- if err != nil {
- t.Fatalf("docker exec failed: %v", err)
- }
- t.Logf("Exec CapEff: %v", got)
- want := fmt.Sprintf("CapEff:\t%016x\n", specutils.AllCapabilitiesUint64()&^bits.MaskOf64(int(linux.CAP_NET_RAW)))
- if got != want {
- t.Errorf("Wrong capabilities, got: %q, want: %q. Make sure runsc is not using '--net-raw'", got, want)
- }
-}
-
-func TestExecJobControl(t *testing.T) {
- ctx := context.Background()
- d := dockerutil.MakeContainer(ctx, t)
- defer d.CleanUp(ctx)
-
- // Start the container.
- if err := d.Spawn(ctx, dockerutil.RunOpts{
- Image: "basic/alpine",
- }, "sleep", "1000"); err != nil {
- t.Fatalf("docker run failed: %v", err)
- }
-
- p, err := d.ExecProcess(ctx, dockerutil.ExecOpts{UseTTY: true}, "/bin/sh")
- if err != nil {
- t.Fatalf("docker exec failed: %v", err)
- }
-
- if _, err = p.Write(time.Second, []byte("sleep 100 | cat\n")); err != nil {
- t.Fatalf("error exit: %v", err)
- }
- time.Sleep(time.Second)
-
- if _, err = p.Write(time.Second, []byte{0x03}); err != nil {
- t.Fatalf("error exit: %v", err)
- }
-
- if _, err = p.Write(time.Second, []byte("exit $(expr $? + 10)\n")); err != nil {
- t.Fatalf("error exit: %v", err)
- }
-
- want := 140
- got, err := p.WaitExitStatus(ctx)
- if err != nil {
- t.Fatalf("wait for exit failed with: %v", err)
- } else if got != want {
- t.Fatalf("wait for exit returned: %d want: %d", got, want)
- }
-}
-
-// Test that failure to exec returns proper error message.
-func TestExecError(t *testing.T) {
- ctx := context.Background()
- d := dockerutil.MakeContainer(ctx, t)
- defer d.CleanUp(ctx)
-
- // Start the container.
- if err := d.Spawn(ctx, dockerutil.RunOpts{
- Image: "basic/alpine",
- }, "sleep", "1000"); err != nil {
- t.Fatalf("docker run failed: %v", err)
- }
-
- // Attempt to exec a binary that doesn't exist.
- out, err := d.Exec(ctx, dockerutil.ExecOpts{}, "no_can_find")
- if err == nil {
- t.Fatalf("docker exec didn't fail")
- }
- if want := `error finding executable "no_can_find" in PATH`; !strings.Contains(out, want) {
- t.Fatalf("docker exec wrong error, got: %s, want: .*%s.*", out, want)
- }
-}
-
-// Test that exec inherits environment from run.
-func TestExecEnv(t *testing.T) {
- ctx := context.Background()
- d := dockerutil.MakeContainer(ctx, t)
- defer d.CleanUp(ctx)
-
- // Start the container with env FOO=BAR.
- if err := d.Spawn(ctx, dockerutil.RunOpts{
- Image: "basic/alpine",
- Env: []string{"FOO=BAR"},
- }, "sleep", "1000"); err != nil {
- t.Fatalf("docker run failed: %v", err)
- }
-
- // Exec "echo $FOO".
- got, err := d.Exec(ctx, dockerutil.ExecOpts{}, "/bin/sh", "-c", "echo $FOO")
- if err != nil {
- t.Fatalf("docker exec failed: %v", err)
- }
- if got, want := strings.TrimSpace(got), "BAR"; got != want {
- t.Errorf("bad output from 'docker exec'. Got %q; Want %q.", got, want)
- }
-}
-
-// TestRunEnvHasHome tests that run always has HOME environment set.
-func TestRunEnvHasHome(t *testing.T) {
- // Base alpine image does not have any environment variables set.
- ctx := context.Background()
- d := dockerutil.MakeContainer(ctx, t)
- defer d.CleanUp(ctx)
-
- // Exec "echo $HOME". The 'bin' user's home dir is '/bin'.
- got, err := d.Run(ctx, dockerutil.RunOpts{
- Image: "basic/alpine",
- User: "bin",
- }, "/bin/sh", "-c", "echo $HOME")
- if err != nil {
- t.Fatalf("docker run failed: %v", err)
- }
-
- // Check that the directory matches.
- if got, want := strings.TrimSpace(got), "/bin"; got != want {
- t.Errorf("bad output from 'docker run'. Got %q; Want %q.", got, want)
- }
-}
-
-// Test that exec always has HOME environment set, even when not set in run.
-func TestExecEnvHasHome(t *testing.T) {
- // Base alpine image does not have any environment variables set.
- ctx := context.Background()
- d := dockerutil.MakeContainer(ctx, t)
- defer d.CleanUp(ctx)
-
- if err := d.Spawn(ctx, dockerutil.RunOpts{
- Image: "basic/alpine",
- }, "sleep", "1000"); err != nil {
- t.Fatalf("docker run failed: %v", err)
- }
-
- // Exec "echo $HOME", and expect to see "/root".
- got, err := d.Exec(ctx, dockerutil.ExecOpts{}, "/bin/sh", "-c", "echo $HOME")
- if err != nil {
- t.Fatalf("docker exec failed: %v", err)
- }
- if want := "/root"; !strings.Contains(got, want) {
- t.Errorf("wanted exec output to contain %q, got %q", want, got)
- }
-
- // Create a new user with a home directory.
- newUID := 1234
- newHome := "/foo/bar"
- cmd := fmt.Sprintf("mkdir -p -m 777 %q && adduser foo -D -u %d -h %q", newHome, newUID, newHome)
- if _, err := d.Exec(ctx, dockerutil.ExecOpts{}, "/bin/sh", "-c", cmd); err != nil {
- t.Fatalf("docker exec failed: %v", err)
- }
-
- // Execute the same as the new user and expect newHome.
- got, err = d.Exec(ctx, dockerutil.ExecOpts{
- User: strconv.Itoa(newUID),
- }, "/bin/sh", "-c", "echo $HOME")
- if err != nil {
- t.Fatalf("docker exec failed: %v", err)
- }
- if want := newHome; !strings.Contains(got, want) {
- t.Errorf("wanted exec output to contain %q, got %q", want, got)
- }
-}
diff --git a/test/e2e/integration.go b/test/e2e/integration.go
deleted file mode 100644
index 4cd5f6c24..000000000
--- a/test/e2e/integration.go
+++ /dev/null
@@ -1,16 +0,0 @@
-// Copyright 2018 The gVisor Authors.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// Package integration is empty. See integration_test.go for description.
-package integration
diff --git a/test/e2e/integration_test.go b/test/e2e/integration_test.go
deleted file mode 100644
index d41139944..000000000
--- a/test/e2e/integration_test.go
+++ /dev/null
@@ -1,790 +0,0 @@
-// Copyright 2018 The gVisor Authors.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// Package integration provides end-to-end integration tests for runsc.
-//
-// Each test calls docker commands to start up a container, and tests that it is
-// behaving properly, with various runsc commands. The container is killed and
-// deleted at the end.
-//
-// Setup instruction in test/README.md.
-package integration
-
-import (
- "context"
- "flag"
- "fmt"
- "io/ioutil"
- "net"
- "net/http"
- "os"
- "path/filepath"
- "regexp"
- "strconv"
- "strings"
- "testing"
- "time"
-
- "github.com/docker/docker/api/types/mount"
- "gvisor.dev/gvisor/pkg/test/dockerutil"
- "gvisor.dev/gvisor/pkg/test/testutil"
-)
-
-// defaultWait is the default wait time used for tests.
-const defaultWait = time.Minute
-
-func TestMain(m *testing.M) {
- dockerutil.EnsureSupportedDockerVersion()
- flag.Parse()
- os.Exit(m.Run())
-}
-
-// httpRequestSucceeds sends a request to a given url and checks that the status is OK.
-func httpRequestSucceeds(client http.Client, server string, port int) error {
- url := fmt.Sprintf("http://%s:%d", server, port)
- // Ensure that content is being served.
- resp, err := client.Get(url)
- if err != nil {
- return fmt.Errorf("error reaching http server: %v", err)
- }
- if want := http.StatusOK; resp.StatusCode != want {
- return fmt.Errorf("wrong response code, got: %d, want: %d", resp.StatusCode, want)
- }
- return nil
-}
-
-// TestLifeCycle tests a basic Create/Start/Stop docker container life cycle.
-func TestLifeCycle(t *testing.T) {
- ctx := context.Background()
- d := dockerutil.MakeContainer(ctx, t)
- defer d.CleanUp(ctx)
-
- // Start the container.
- port := 80
- if err := d.Create(ctx, dockerutil.RunOpts{
- Image: "basic/nginx",
- Ports: []int{port},
- }); err != nil {
- t.Fatalf("docker create failed: %v", err)
- }
- if err := d.Start(ctx); err != nil {
- t.Fatalf("docker start failed: %v", err)
- }
-
- ip, err := d.FindIP(ctx, false)
- if err != nil {
- t.Fatalf("docker.FindIP failed: %v", err)
- }
- if err := testutil.WaitForHTTP(ip.String(), port, defaultWait); err != nil {
- t.Fatalf("WaitForHTTP() timeout: %v", err)
- }
- client := http.Client{Timeout: defaultWait}
- if err := httpRequestSucceeds(client, ip.String(), port); err != nil {
- t.Errorf("http request failed: %v", err)
- }
-
- if err := d.Stop(ctx); err != nil {
- t.Fatalf("docker stop failed: %v", err)
- }
- if err := d.Remove(ctx); err != nil {
- t.Fatalf("docker rm failed: %v", err)
- }
-}
-
-func TestPauseResume(t *testing.T) {
- if !testutil.IsCheckpointSupported() {
- t.Skip("Checkpoint is not supported.")
- }
-
- ctx := context.Background()
- d := dockerutil.MakeContainer(ctx, t)
- defer d.CleanUp(ctx)
-
- // Start the container.
- port := 8080
- if err := d.Spawn(ctx, dockerutil.RunOpts{
- Image: "basic/python",
- Ports: []int{port}, // See Dockerfile.
- }); err != nil {
- t.Fatalf("docker run failed: %v", err)
- }
-
- // Find container IP address.
- ip, err := d.FindIP(ctx, false)
- if err != nil {
- t.Fatalf("docker.FindIP failed: %v", err)
- }
-
- // Wait until it's up and running.
- if err := testutil.WaitForHTTP(ip.String(), port, defaultWait); err != nil {
- t.Fatalf("WaitForHTTP() timeout: %v", err)
- }
-
- // Check that container is working.
- client := http.Client{Timeout: defaultWait}
- if err := httpRequestSucceeds(client, ip.String(), port); err != nil {
- t.Error("http request failed:", err)
- }
-
- if err := d.Pause(ctx); err != nil {
- t.Fatalf("docker pause failed: %v", err)
- }
-
- // Check if container is paused.
- client = http.Client{Timeout: 10 * time.Millisecond} // Don't wait a minute.
- switch _, err := client.Get(fmt.Sprintf("http://%s:%d", ip.String(), port)); v := err.(type) {
- case nil:
- t.Errorf("http req expected to fail but it succeeded")
- case net.Error:
- if !v.Timeout() {
- t.Errorf("http req got error %v, wanted timeout", v)
- }
- default:
- t.Errorf("http req got unexpected error %v", v)
- }
-
- if err := d.Unpause(ctx); err != nil {
- t.Fatalf("docker unpause failed: %v", err)
- }
-
- // Wait until it's up and running.
- if err := testutil.WaitForHTTP(ip.String(), port, defaultWait); err != nil {
- t.Fatalf("WaitForHTTP() timeout: %v", err)
- }
-
- // Check if container is working again.
- client = http.Client{Timeout: defaultWait}
- if err := httpRequestSucceeds(client, ip.String(), port); err != nil {
- t.Error("http request failed:", err)
- }
-}
-
-func TestCheckpointRestore(t *testing.T) {
- if !testutil.IsCheckpointSupported() {
- t.Skip("Pause/resume is not supported.")
- }
-
- ctx := context.Background()
- d := dockerutil.MakeContainer(ctx, t)
- defer d.CleanUp(ctx)
-
- // Start the container.
- port := 8080
- if err := d.Spawn(ctx, dockerutil.RunOpts{
- Image: "basic/python",
- Ports: []int{port}, // See Dockerfile.
- }); err != nil {
- t.Fatalf("docker run failed: %v", err)
- }
-
- // Create a snapshot.
- if err := d.Checkpoint(ctx, "test"); err != nil {
- t.Fatalf("docker checkpoint failed: %v", err)
- }
- if err := d.WaitTimeout(ctx, defaultWait); err != nil {
- t.Fatalf("wait failed: %v", err)
- }
-
- // TODO(b/143498576): Remove Poll after github.com/moby/moby/issues/38963 is fixed.
- if err := testutil.Poll(func() error { return d.Restore(ctx, "test") }, defaultWait); err != nil {
- t.Fatalf("docker restore failed: %v", err)
- }
-
- // Find container IP address.
- ip, err := d.FindIP(ctx, false)
- if err != nil {
- t.Fatalf("docker.FindIP failed: %v", err)
- }
-
- // Wait until it's up and running.
- if err := testutil.WaitForHTTP(ip.String(), port, defaultWait); err != nil {
- t.Fatalf("WaitForHTTP() timeout: %v", err)
- }
-
- // Check if container is working again.
- client := http.Client{Timeout: defaultWait}
- if err := httpRequestSucceeds(client, ip.String(), port); err != nil {
- t.Error("http request failed:", err)
- }
-}
-
-// Create client and server that talk to each other using the local IP.
-func TestConnectToSelf(t *testing.T) {
- ctx := context.Background()
- d := dockerutil.MakeContainer(ctx, t)
- defer d.CleanUp(ctx)
-
- // Creates server that replies "server" and exists. Sleeps at the end because
- // 'docker exec' gets killed if the init process exists before it can finish.
- if err := d.Spawn(ctx, dockerutil.RunOpts{
- Image: "basic/ubuntu",
- }, "/bin/sh", "-c", "echo server | nc -l -p 8080 && sleep 1"); err != nil {
- t.Fatalf("docker run failed: %v", err)
- }
-
- // Finds IP address for host.
- ip, err := d.Exec(ctx, dockerutil.ExecOpts{}, "/bin/sh", "-c", "cat /etc/hosts | grep ${HOSTNAME} | awk '{print $1}'")
- if err != nil {
- t.Fatalf("docker exec failed: %v", err)
- }
- ip = strings.TrimRight(ip, "\n")
-
- // Runs client that sends "client" to the server and exits.
- reply, err := d.Exec(ctx, dockerutil.ExecOpts{}, "/bin/sh", "-c", fmt.Sprintf("echo client | nc %s 8080", ip))
- if err != nil {
- t.Fatalf("docker exec failed: %v", err)
- }
-
- // Ensure both client and server got the message from each other.
- if want := "server\n"; reply != want {
- t.Errorf("Error on server, want: %q, got: %q", want, reply)
- }
- if _, err := d.WaitForOutput(ctx, "^client\n$", defaultWait); err != nil {
- t.Fatalf("docker.WaitForOutput(client) timeout: %v", err)
- }
-}
-
-func TestMemLimit(t *testing.T) {
- ctx := context.Background()
- d := dockerutil.MakeContainer(ctx, t)
- defer d.CleanUp(ctx)
-
- allocMemoryKb := 50 * 1024
- out, err := d.Run(ctx, dockerutil.RunOpts{
- Image: "basic/alpine",
- Memory: allocMemoryKb * 1024, // In bytes.
- }, "sh", "-c", "cat /proc/meminfo | grep MemTotal: | awk '{print $2}'")
- if err != nil {
- t.Fatalf("docker run failed: %v", err)
- }
-
- // Remove warning message that swap isn't present.
- if strings.HasPrefix(out, "WARNING") {
- lines := strings.Split(out, "\n")
- if len(lines) != 3 {
- t.Fatalf("invalid output: %s", out)
- }
- out = lines[1]
- }
-
- // Ensure the memory matches what we want.
- got, err := strconv.ParseUint(strings.TrimSpace(out), 10, 64)
- if err != nil {
- t.Fatalf("failed to parse %q: %v", out, err)
- }
- if want := uint64(allocMemoryKb); got != want {
- t.Errorf("MemTotal got: %d, want: %d", got, want)
- }
-}
-
-func TestNumCPU(t *testing.T) {
- ctx := context.Background()
- d := dockerutil.MakeContainer(ctx, t)
- defer d.CleanUp(ctx)
-
- // Read how many cores are in the container.
- out, err := d.Run(ctx, dockerutil.RunOpts{
- Image: "basic/alpine",
- CpusetCpus: "0",
- }, "sh", "-c", "cat /proc/cpuinfo | grep 'processor.*:' | wc -l")
- if err != nil {
- t.Fatalf("docker run failed: %v", err)
- }
-
- // Ensure it matches what we want.
- got, err := strconv.Atoi(strings.TrimSpace(out))
- if err != nil {
- t.Fatalf("failed to parse %q: %v", out, err)
- }
- if want := 1; got != want {
- t.Errorf("MemTotal got: %d, want: %d", got, want)
- }
-}
-
-// TestJobControl tests that job control characters are handled properly.
-func TestJobControl(t *testing.T) {
- ctx := context.Background()
- d := dockerutil.MakeContainer(ctx, t)
- defer d.CleanUp(ctx)
-
- // Start the container with an attached PTY.
- p, err := d.SpawnProcess(ctx, dockerutil.RunOpts{
- Image: "basic/alpine",
- }, "sh", "-c", "sleep 100 | cat")
- if err != nil {
- t.Fatalf("docker run failed: %v", err)
- }
- // Give shell a few seconds to start executing the sleep.
- time.Sleep(2 * time.Second)
-
- if _, err := p.Write(time.Second, []byte{0x03}); err != nil {
- t.Fatalf("error exit: %v", err)
- }
-
- if err := d.WaitTimeout(ctx, 3*time.Second); err != nil {
- t.Fatalf("WaitTimeout failed: %v", err)
- }
-
- want := 130
- got, err := p.WaitExitStatus(ctx)
- if err != nil {
- t.Fatalf("wait for exit failed with: %v", err)
- } else if got != want {
- t.Fatalf("got: %d want: %d", got, want)
- }
-}
-
-// TestWorkingDirCreation checks that working dir is created if it doesn't exit.
-func TestWorkingDirCreation(t *testing.T) {
- for _, tc := range []struct {
- name string
- workingDir string
- }{
- {name: "root", workingDir: "/foo"},
- {name: "tmp", workingDir: "/tmp/foo"},
- } {
- for _, readonly := range []bool{true, false} {
- name := tc.name
- if readonly {
- name += "-readonly"
- }
- t.Run(name, func(t *testing.T) {
- ctx := context.Background()
- d := dockerutil.MakeContainer(ctx, t)
- defer d.CleanUp(ctx)
-
- opts := dockerutil.RunOpts{
- Image: "basic/alpine",
- WorkDir: tc.workingDir,
- ReadOnly: readonly,
- }
- got, err := d.Run(ctx, opts, "sh", "-c", "echo ${PWD}")
- if err != nil {
- t.Fatalf("docker run failed: %v", err)
- }
- if want := tc.workingDir + "\n"; want != got {
- t.Errorf("invalid working dir, want: %q, got: %q", want, got)
- }
- })
- }
- }
-}
-
-// TestTmpFile checks that files inside '/tmp' are not overridden.
-func TestTmpFile(t *testing.T) {
- ctx := context.Background()
- d := dockerutil.MakeContainer(ctx, t)
- defer d.CleanUp(ctx)
-
- opts := dockerutil.RunOpts{Image: "basic/tmpfile"}
- got, err := d.Run(ctx, opts, "cat", "/tmp/foo/file.txt")
- if err != nil {
- t.Fatalf("docker run failed: %v", err)
- }
- if want := "123\n"; want != got {
- t.Errorf("invalid file content, want: %q, got: %q", want, got)
- }
-}
-
-// TestTmpMount checks that mounts inside '/tmp' are not overridden.
-func TestTmpMount(t *testing.T) {
- dir, err := ioutil.TempDir(testutil.TmpDir(), "tmp-mount")
- if err != nil {
- t.Fatalf("TempDir(): %v", err)
- }
- const want = "123"
- if err := ioutil.WriteFile(filepath.Join(dir, "file.txt"), []byte("123"), 0666); err != nil {
- t.Fatalf("WriteFile(): %v", err)
- }
- ctx := context.Background()
- d := dockerutil.MakeContainer(ctx, t)
- defer d.CleanUp(ctx)
-
- opts := dockerutil.RunOpts{
- Image: "basic/alpine",
- Mounts: []mount.Mount{
- {
- Type: mount.TypeBind,
- Source: dir,
- Target: "/tmp/foo",
- },
- },
- }
- got, err := d.Run(ctx, opts, "cat", "/tmp/foo/file.txt")
- if err != nil {
- t.Fatalf("docker run failed: %v", err)
- }
- if want != got {
- t.Errorf("invalid file content, want: %q, got: %q", want, got)
- }
-}
-
-// Test that it is allowed to mount a file on top of /dev files, e.g.
-// /dev/random.
-func TestMountOverDev(t *testing.T) {
- if vfs2, err := dockerutil.UsingVFS2(); err != nil {
- t.Fatalf("Failed to read config for runtime %s: %v", dockerutil.Runtime(), err)
- } else if !vfs2 {
- t.Skip("VFS1 doesn't allow /dev/random to be mounted.")
- }
-
- random, err := ioutil.TempFile(testutil.TmpDir(), "random")
- if err != nil {
- t.Fatal("ioutil.TempFile() failed:", err)
- }
- const want = "123"
- if _, err := random.WriteString(want); err != nil {
- t.Fatalf("WriteString() to %q: %v", random.Name(), err)
- }
-
- ctx := context.Background()
- d := dockerutil.MakeContainer(ctx, t)
- defer d.CleanUp(ctx)
-
- opts := dockerutil.RunOpts{
- Image: "basic/alpine",
- Mounts: []mount.Mount{
- {
- Type: mount.TypeBind,
- Source: random.Name(),
- Target: "/dev/random",
- },
- },
- }
- cmd := "dd count=1 bs=5 if=/dev/random 2> /dev/null"
- got, err := d.Run(ctx, opts, "sh", "-c", cmd)
- if err != nil {
- t.Fatalf("docker run failed: %v", err)
- }
- if want != got {
- t.Errorf("invalid file content, want: %q, got: %q", want, got)
- }
-}
-
-// TestSyntheticDirs checks that submounts can be created inside a readonly
-// mount even if the target path does not exist.
-func TestSyntheticDirs(t *testing.T) {
- ctx := context.Background()
- d := dockerutil.MakeContainer(ctx, t)
- defer d.CleanUp(ctx)
-
- opts := dockerutil.RunOpts{
- Image: "basic/alpine",
- // Make the root read-only to force use of synthetic dirs
- // inside the root gofer mount.
- ReadOnly: true,
- Mounts: []mount.Mount{
- // Mount inside read-only gofer-backed root.
- {
- Type: mount.TypeTmpfs,
- Target: "/foo/bar/baz",
- },
- // Mount inside sysfs, which always uses synthetic dirs
- // for submounts.
- {
- Type: mount.TypeTmpfs,
- Target: "/sys/foo/bar/baz",
- },
- },
- }
- // Make sure the directories exist.
- if _, err := d.Run(ctx, opts, "ls", "/foo/bar/baz", "/sys/foo/bar/baz"); err != nil {
- t.Fatalf("docker run failed: %v", err)
- }
-
-}
-
-// TestHostOverlayfsCopyUp tests that the --overlayfs-stale-read option causes
-// runsc to hide the incoherence of FDs opened before and after overlayfs
-// copy-up on the host.
-func TestHostOverlayfsCopyUp(t *testing.T) {
- runIntegrationTest(t, nil, "./test_copy_up")
-}
-
-// TestHostOverlayfsRewindDir tests that rewinddir() "causes the directory
-// stream to refer to the current state of the corresponding directory, as a
-// call to opendir() would have done" as required by POSIX, when the directory
-// in question is host overlayfs.
-//
-// This test specifically targets host overlayfs because, per POSIX, "if a file
-// is removed from or added to the directory after the most recent call to
-// opendir() or rewinddir(), whether a subsequent call to readdir() returns an
-// entry for that file is unspecified"; the host filesystems used by other
-// automated tests yield newly-added files from readdir() even if the fsgofer
-// does not explicitly rewinddir(), but overlayfs does not.
-func TestHostOverlayfsRewindDir(t *testing.T) {
- runIntegrationTest(t, nil, "./test_rewinddir")
-}
-
-// Basic test for linkat(2). Syscall tests requires CAP_DAC_READ_SEARCH and it
-// cannot use tricks like userns as root. For this reason, run a basic link test
-// to ensure some coverage.
-func TestLink(t *testing.T) {
- runIntegrationTest(t, nil, "./link_test")
-}
-
-// This test ensures we can run ping without errors.
-func TestPing4Loopback(t *testing.T) {
- if testutil.IsRunningWithHostNet() {
- // TODO(gvisor.dev/issue/5011): support ICMP sockets in hostnet and enable
- // this test.
- t.Skip("hostnet only supports TCP/UDP sockets, so ping is not supported.")
- }
-
- runIntegrationTest(t, nil, "./ping4.sh")
-}
-
-// This test ensures we can enable ipv6 on loopback and run ping6 without
-// errors.
-func TestPing6Loopback(t *testing.T) {
- if testutil.IsRunningWithHostNet() {
- // TODO(gvisor.dev/issue/5011): support ICMP sockets in hostnet and enable
- // this test.
- t.Skip("hostnet only supports TCP/UDP sockets, so ping6 is not supported.")
- }
-
- // The CAP_NET_ADMIN capability is required to use the `ip` utility, which
- // we use to enable ipv6 on loopback.
- //
- // By default, ipv6 loopback is not enabled by runsc, because docker does
- // not assign an ipv6 address to the test container.
- runIntegrationTest(t, []string{"NET_ADMIN"}, "./ping6.sh")
-}
-
-// This test checks that the owner of the sticky directory can delete files
-// inside it belonging to other users. It also checks that the owner of a file
-// can always delete its file when the file is inside a sticky directory owned
-// by another user.
-func TestStickyDir(t *testing.T) {
- if vfs2Used, err := dockerutil.UsingVFS2(); err != nil {
- t.Fatalf("failed to read config for runtime %s: %v", dockerutil.Runtime(), err)
- } else if !vfs2Used {
- t.Skip("sticky bit test fails on VFS1.")
- }
-
- runIntegrationTest(t, nil, "./test_sticky")
-}
-
-func runIntegrationTest(t *testing.T, capAdd []string, args ...string) {
- ctx := context.Background()
- d := dockerutil.MakeContainer(ctx, t)
- defer d.CleanUp(ctx)
-
- opts := dockerutil.RunOpts{
- Image: "basic/integrationtest",
- WorkDir: "/root",
- CapAdd: capAdd,
- }
- if got, err := d.Run(ctx, opts, args...); err != nil {
- t.Fatalf("docker run failed: %v", err)
- } else if got != "" {
- t.Errorf("test failed:\n%s", got)
- }
-}
-
-// Test that UDS can be created using overlay when parent directory is in lower
-// layer only (b/134090485).
-//
-// Prerequisite: the directory where the socket file is created must not have
-// been open for write before bind(2) is called.
-func TestBindOverlay(t *testing.T) {
- ctx := context.Background()
- d := dockerutil.MakeContainer(ctx, t)
- defer d.CleanUp(ctx)
-
- // Run the container.
- got, err := d.Run(ctx, dockerutil.RunOpts{
- Image: "basic/ubuntu",
- }, "bash", "-c", "nc -q -1 -l -U /var/run/sock & p=$! && sleep 1 && echo foobar-asdf | nc -q 0 -U /var/run/sock && wait $p")
- if err != nil {
- t.Fatalf("docker run failed: %v", err)
- }
-
- // Check the output contains what we want.
- if want := "foobar-asdf"; !strings.Contains(got, want) {
- t.Fatalf("docker run output is missing %q: %s", want, got)
- }
-}
-
-func TestStdios(t *testing.T) {
- if vfs2, err := dockerutil.UsingVFS2(); err != nil {
- t.Fatalf("Failed to read config for runtime %s: %v", dockerutil.Runtime(), err)
- } else if !vfs2 {
- t.Skip("VFS1 doesn't adjust stdios user")
- }
-
- ctx := context.Background()
- d := dockerutil.MakeContainer(ctx, t)
- defer d.CleanUp(ctx)
-
- testStdios(t, func(user string, args ...string) (string, error) {
- defer d.CleanUp(ctx)
- opts := dockerutil.RunOpts{
- Image: "basic/alpine",
- User: user,
- }
- return d.Run(ctx, opts, args...)
- })
-}
-
-func TestStdiosExec(t *testing.T) {
- if vfs2, err := dockerutil.UsingVFS2(); err != nil {
- t.Fatalf("Failed to read config for runtime %s: %v", dockerutil.Runtime(), err)
- } else if !vfs2 {
- t.Skip("VFS1 doesn't adjust stdios user")
- }
-
- ctx := context.Background()
- d := dockerutil.MakeContainer(ctx, t)
- defer d.CleanUp(ctx)
-
- runOpts := dockerutil.RunOpts{Image: "basic/alpine"}
- if err := d.Spawn(ctx, runOpts, "sleep", "100"); err != nil {
- t.Fatalf("docker run failed: %v", err)
- }
-
- testStdios(t, func(user string, args ...string) (string, error) {
- opts := dockerutil.ExecOpts{User: user}
- return d.Exec(ctx, opts, args...)
- })
-}
-
-func testStdios(t *testing.T, run func(string, ...string) (string, error)) {
- const cmd = "stat -L /proc/self/fd/0 /proc/self/fd/1 /proc/self/fd/2 | grep 'Uid:'"
- got, err := run("123", "/bin/sh", "-c", cmd)
- if err != nil {
- t.Fatalf("docker exec failed: %v", err)
- }
- if len(got) == 0 {
- t.Errorf("Unexpected empty output from %q", cmd)
- }
- re := regexp.MustCompile(`Uid: \(\s*(\w+)\/.*\)`)
- for _, line := range strings.SplitN(got, "\n", 3) {
- t.Logf("stat -L: %s", line)
- matches := re.FindSubmatch([]byte(line))
- if len(matches) != 2 {
- t.Fatalf("wrong output format: %q: matches: %v", line, matches)
- }
- if want, got := "123", string(matches[1]); want != got {
- t.Errorf("wrong user, want: %q, got: %q", want, got)
- }
- }
-
- // Check that stdout and stderr can be open and written to. This checks
- // that ownership and permissions are correct inside gVisor.
- got, err = run("456", "/bin/sh", "-c", "echo foobar | tee /proc/self/fd/1 > /proc/self/fd/2")
- if err != nil {
- t.Fatalf("docker run failed: %v", err)
- }
- t.Logf("echo foobar: %q", got)
- // Check it repeats twice, once for stdout and once for stderr.
- if want := "foobar\nfoobar\n"; want != got {
- t.Errorf("Wrong echo output, want: %q, got: %q", want, got)
- }
-
- // Check that timestamps can be changed. Setting timestamps require an extra
- // write check _after_ the file was opened, and may fail if the underlying
- // host file is not setup correctly.
- if _, err := run("789", "touch", "/proc/self/fd/0", "/proc/self/fd/1", "/proc/self/fd/2"); err != nil {
- t.Fatalf("docker run failed: %v", err)
- }
-}
-
-func TestStdiosChown(t *testing.T) {
- if vfs2, err := dockerutil.UsingVFS2(); err != nil {
- t.Fatalf("Failed to read config for runtime %s: %v", dockerutil.Runtime(), err)
- } else if !vfs2 {
- t.Skip("VFS1 doesn't adjust stdios user")
- }
-
- ctx := context.Background()
- d := dockerutil.MakeContainer(ctx, t)
- defer d.CleanUp(ctx)
-
- opts := dockerutil.RunOpts{Image: "basic/alpine"}
- if _, err := d.Run(ctx, opts, "chown", "123", "/proc/self/fd/0", "/proc/self/fd/1", "/proc/self/fd/2"); err != nil {
- t.Fatalf("docker run failed: %v", err)
- }
-}
-
-func TestUnmount(t *testing.T) {
- ctx := context.Background()
- d := dockerutil.MakeContainer(ctx, t)
- defer d.CleanUp(ctx)
-
- dir, err := ioutil.TempDir(testutil.TmpDir(), "sub-mount")
- if err != nil {
- t.Fatalf("TempDir(): %v", err)
- }
- opts := dockerutil.RunOpts{
- Image: "basic/alpine",
- Privileged: true, // Required for umount
- Mounts: []mount.Mount{
- {
- Type: mount.TypeBind,
- Source: dir,
- Target: "/foo",
- },
- },
- }
- if _, err := d.Run(ctx, opts, "umount", "/foo"); err != nil {
- t.Fatalf("docker run failed: %v", err)
- }
-}
-
-func TestDeleteInterface(t *testing.T) {
- if testutil.IsRunningWithHostNet() {
- t.Skip("not able to remove interfaces on hostnet")
- }
-
- ctx := context.Background()
- d := dockerutil.MakeContainer(ctx, t)
- defer d.CleanUp(ctx)
-
- opts := dockerutil.RunOpts{
- Image: "basic/alpine",
- CapAdd: []string{"NET_ADMIN"},
- }
- if err := d.Spawn(ctx, opts, "sleep", "1000"); err != nil {
- t.Fatalf("docker run failed: %v", err)
- }
-
- // We should be able to remove eth0.
- output, err := d.Exec(ctx, dockerutil.ExecOpts{}, "/bin/sh", "-c", "ip link del dev eth0")
- if err != nil {
- t.Fatalf("failed to remove eth0: %s, output: %s", err, output)
- }
- // Verify that eth0 is no longer there.
- output, err = d.Exec(ctx, dockerutil.ExecOpts{}, "/bin/sh", "-c", "ip link show")
- if err != nil {
- t.Fatalf("docker exec ip link show failed: %s, output: %s", err, output)
- }
- if strings.Contains(output, "eth0") {
- t.Fatalf("failed to remove eth0")
- }
-
- // Loopback device can't be removed.
- output, err = d.Exec(ctx, dockerutil.ExecOpts{}, "/bin/sh", "-c", "ip link del dev lo")
- if err == nil {
- t.Fatalf("should not remove the loopback device: %v", output)
- }
- // Verify that lo is still there.
- output, err = d.Exec(ctx, dockerutil.ExecOpts{}, "/bin/sh", "-c", "ip link show")
- if err != nil {
- t.Fatalf("docker exec ip link show failed: %s, output: %s", err, output)
- }
- if !strings.Contains(output, "lo") {
- t.Fatalf("loopback interface is removed")
- }
-} |