File: update_test.go

runc 1.3.3%2Bds1-3
package integration

import (
	"bytes"
	"os"
	"strings"
	"testing"

	devices "github.com/opencontainers/cgroups/devices/config"
	"github.com/opencontainers/cgroups/systemd"
	"github.com/opencontainers/runc/libcontainer"
)

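// testUpdateDevices checks that device access inside a running container
// follows the device rules applied with container.Set.
//
// It starts a long-lived init process (cat reading from a pipe), then
// repeatedly runs a short shell probe that writes to /dev/full and reads
// /dev/null. After each probe the device rules are flipped between the
// template defaults and an empty rule list, and the probe's stderr is
// compared against what that state should produce. A rule update that is
// not in force for the next process started in the container fails the
// test in either direction.
//
// The systemd flag is forwarded to newTemplateConfig through tParam;
// presumably it selects the systemd cgroup driver (confirm against
// newTemplateConfig). The test does nothing in -short mode.
func testUpdateDevices(t *testing.T, systemd bool) {
	if testing.Short() {
		return
	}
	config := newTemplateConfig(t, &tParam{systemd: systemd})
	container, err := newContainer(t, config)
	ok(t, err)
	defer destroyContainer(container)

	// Execute a first process in the container
	stdinR, stdinW, err := os.Pipe()
	ok(t, err)
	process := &libcontainer.Process{
		Cwd:   "/",
		Args:  []string{"cat"},
		Env:   standardEnvironment,
		Stdin: stdinR,
		Init:  true,
	}
	err = container.Run(process)
	// The test keeps only the write end of the pipe.
	_ = stdinR.Close()
	// Registered before the error check so the write end is closed and the
	// init process is waited for on every exit path.
	defer func() {
		_ = stdinW.Close()
		if _, err := process.Wait(); err != nil {
			t.Log(err)
		}
	}()
	ok(t, err)

	var buf bytes.Buffer
	// The trailing "true" makes the shell exit 0 whatever happened, so the
	// verdict comes only from the stderr text captured in buf.
	devCheck := &libcontainer.Process{
		Cwd:    "/",
		Args:   []string{"/bin/sh", "-c", "echo > /dev/full; cat /dev/null; true"},
		Env:    standardEnvironment,
		Stderr: &buf,
	}
	isAllowed := true
	// Substrings that must appear in stderr, keyed by whether device access
	// is currently expected to be allowed.
	expected := map[bool][]string{
		true: {
			"write error: No space left on device", // from write to /dev/full
			// no error from cat /dev/null
		},
		false: {
			"/dev/full: Operation not permitted",
			`cat: can't open '/dev/null': Operation not permitted`,
		},
	}
	// Text that must be absent while access is allowed. Presence checks
	// alone would not notice a device being refused when it should be
	// permitted, for example a denied open of /dev/null.
	const deniedMsg = "Operation not permitted"
	defaultDevices := config.Cgroups.Resources.Devices

	for i := 0; i < 300; i++ {
		// Check the access
		buf.Reset()
		err = container.Run(devCheck)
		ok(t, err)
		waitProcess(devCheck, t)

		stderr := buf.String()
		for _, exp := range expected[isAllowed] {
			if !strings.Contains(stderr, exp) {
				t.Fatalf("[%d] expected %q, got %q", i, exp, stderr)
			}
		}
		if isAllowed && strings.Contains(stderr, deniedMsg) {
			t.Fatalf("[%d] unexpected %q while device access is allowed, got %q", i, deniedMsg, stderr)
		}

		// Now flip the access permission
		isAllowed = !isAllowed
		if isAllowed {
			config.Cgroups.Resources.Devices = defaultDevices
		} else {
			// An empty rule list is expected to deny both probed
			// devices (see expected[false]).
			config.Cgroups.Resources.Devices = []*devices.Rule{}
		}
		if err := container.Set(*config); err != nil {
			t.Fatal(err)
		}
	}
}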

// TestUpdateDevices runs the device rule update check with the systemd
// flag turned off.
func TestUpdateDevices(t *testing.T) {
	const useSystemd = false
	testUpdateDevices(t, useSystemd)
}

// TestUpdateDevicesSystemd runs the device rule update check with the
// systemd flag turned on. It is skipped when systemd.IsRunningSystemd
// reports false.
func TestUpdateDevicesSystemd(t *testing.T) {
	if systemd.IsRunningSystemd() {
		testUpdateDevices(t, true)
		return
	}
	t.Skip("Test requires systemd.")
}