authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-06-12 03:50:40 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-06-12 03:50:40 +0000
commitfc53809803cd2bc2434e312b19a18fa36776da12 (patch)
treeb4b43bd6538f51965ce32856e9c053d0f90919c8 /test/units/testsuite-13.nspawn-oci.sh
parentAdding upstream version 255.5. (diff)
Adding upstream version 256.upstream/256
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'test/units/testsuite-13.nspawn-oci.sh')
-rwxr-xr-xtest/units/testsuite-13.nspawn-oci.sh467
1 files changed, 0 insertions, 467 deletions
diff --git a/test/units/testsuite-13.nspawn-oci.sh b/test/units/testsuite-13.nspawn-oci.sh
deleted file mode 100755
index 8fa0bc4..0000000
--- a/test/units/testsuite-13.nspawn-oci.sh
+++ /dev/null
@@ -1,467 +0,0 @@
-#!/usr/bin/env bash
-# SPDX-License-Identifier: LGPL-2.1-or-later
-# shellcheck disable=SC2016
-set -eux
-set -o pipefail
-
-# shellcheck source=test/units/util.sh
-. "$(dirname "$0")"/util.sh
-
-export SYSTEMD_LOG_LEVEL=debug
-export SYSTEMD_LOG_TARGET=journal
-
-# shellcheck disable=SC2317
-at_exit() {
- set +e
-
- mountpoint -q /var/lib/machines && umount /var/lib/machines
- [[ -n "${DEV:-}" ]] && rm -f "$DEV"
- [[ -n "${NETNS:-}" ]] && umount "$NETNS" && rm -f "$NETNS"
- [[ -n "${TMPDIR:-}" ]] && rm -fr "$TMPDIR"
- rm -f /run/systemd/nspawn/*.nspawn
-}
-
-trap at_exit EXIT
-
-# Mount tmpfs over /var/lib/machines to not pollute the image
-mkdir -p /var/lib/machines
-mount -t tmpfs tmpfs /var/lib/machines
-
-# Setup a couple of dirs/devices for the OCI containers
-DEV="$(mktemp -u /dev/oci-dev-XXX)"
-mknod -m 666 "$DEV" b 42 42
-NETNS="$(mktemp /var/tmp/netns.XXX)"
-mount --bind /proc/self/ns/net "$NETNS"
-TMPDIR="$(mktemp -d)"
-touch "$TMPDIR/hello"
-OCI="$(mktemp -d /var/lib/machines/testsuite-13.oci-bundle.XXX)"
-create_dummy_container "$OCI/rootfs"
-mkdir -p "$OCI/rootfs/opt/var"
-mkdir -p "$OCI/rootfs/opt/readonly"
-
-# Let's start with a simple config
-cat >"$OCI/config.json" <<EOF
-{
- "ociVersion" : "1.0.0",
- "root" : {
- "path" : "rootfs"
- },
- "mounts" : [
- {
- "destination" : "/root",
- "type" : "tmpfs",
- "source" : "tmpfs"
- }
- ]
-}
-EOF
-systemd-nspawn --oci-bundle="$OCI" bash -xec 'mountpoint /root'
-
-# And now for something a bit more involved
-# Notes:
-# - the hooks are parsed & processed, but never executed
-# - set sysctl's are parsed but never used?
-# - same goes for arg_sysctl in nspawn.c
-cat >"$OCI/config.json" <<EOF
-{
- "ociVersion" : "1.0.0",
- "hostname" : "my-oci-container",
- "root" : {
- "path" : "rootfs",
- "readonly" : false
- },
- "mounts" : [
- {
- "destination" : "/root",
- "type" : "tmpfs",
- "source" : "tmpfs"
- },
- ${COVERAGE_BUILD_DIR:+"{ \"destination\" : \"$COVERAGE_BUILD_DIR\" },"}
- {
- "destination" : "/var",
- "type" : "none",
- "source" : "$TMPDIR",
- "options" : ["rbind", "rw"]
- }
- ],
- "process" : {
- "terminal" : false,
- "consoleSize" : {
- "height" : 25,
- "width" : 80
- },
- "user" : {
- "uid" : 0,
- "gid" : 0,
- "additionalGids" : [5, 6]
- },
- "env" : [
- "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
- "FOO=bar"
- ],
- "cwd" : "/root",
- "args" : [
- "bash",
- "-xe",
- "/entrypoint.sh"
- ],
- "noNewPrivileges" : true,
- "oomScoreAdj" : 20,
- "capabilities" : {
- "bounding" : [
- "CAP_AUDIT_WRITE",
- "CAP_KILL",
- "CAP_NET_BIND_SERVICE"
- ],
- "permitted" : [
- "CAP_AUDIT_WRITE",
- "CAP_KILL",
- "CAP_NET_BIND_SERVICE"
- ],
- "inheritable" : [
- "CAP_AUDIT_WRITE",
- "CAP_KILL",
- "CAP_NET_BIND_SERVICE"
- ],
- "effective" : [
- "CAP_AUDIT_WRITE",
- "CAP_KILL"
- ],
- "ambient" : [
- "CAP_NET_BIND_SERVICE"
- ]
- },
- "rlimits" : [
- {
- "type" : "RLIMIT_NOFILE",
- "soft" : 1024,
- "hard" : 1024
- },
- {
- "type" : "RLIMIT_RTPRIO",
- "soft" : 5,
- "hard" : 10
- }
- ]
- },
- "linux" : {
- "namespaces" : [
- {
- "type" : "mount"
- },
- {
- "type" : "network",
- "path" : "$NETNS"
- },
- {
- "type" : "pid"
- },
- {
- "type" : "uts"
- }
- ],
- "uidMappings" : [
- {
- "containerID" : 0,
- "hostID" : 1000,
- "size" : 100
- }
- ],
- "gidMappings" : [
- {
- "containerID" : 0,
- "hostID" : 1000,
- "size" : 100
- }
- ],
- "devices" : [
- {
- "type" : "c",
- "path" : "/dev/zero",
- "major" : 1,
- "minor" : 5,
- "fileMode" : 444
- },
- {
- "type" : "b",
- "path" : "$DEV",
- "major" : 4,
- "minor" : 2,
- "fileMode" : 666,
- "uid" : 0,
- "gid" : 0
- }
- ],
- "resources" : {
- "devices" : [
- {
- "allow" : false,
- "access" : "m"
- },
- {
- "allow" : true,
- "type" : "b",
- "major" : 4,
- "minor" : 2,
- "access" : "rwm"
- }
- ],
- "memory" : {
- "limit" : 134217728,
- "reservation" : 33554432,
- "swap" : 268435456
- },
- "cpu" : {
- "shares" : 1024,
- "quota" : 1000000,
- "period" : 500000,
- "cpus" : "0-7"
- },
- "blockIO" : {
- "weight" : 10,
- "weightDevice" : [
- {
- "major" : 4,
- "minor" : 2,
- "weight" : 500
- }
- ],
- "throttleReadBpsDevice" : [
- {
- "major" : 4,
- "minor" : 2,
- "rate" : 500
- }
- ],
- "throttleWriteBpsDevice" : [
- {
- "major" : 4,
- "minor" : 2,
- "rate" : 500
- }
- ],
- "throttleReadIOPSDevice" : [
- {
- "major" : 4,
- "minor" : 2,
- "rate" : 500
- }
- ],
- "throttleWriteIOPSDevice" : [
- {
- "major" : 4,
- "minor" : 2,
- "rate" : 500
- }
- ]
- },
- "pids" : {
- "limit" : 1024
- }
- },
- "sysctl" : {
- "kernel.domainname" : "foo.bar",
- "vm.swappiness" : "60"
- },
- "seccomp" : {
- "defaultAction" : "SCMP_ACT_ALLOW",
- "architectures" : [
- "SCMP_ARCH_ARM",
- "SCMP_ARCH_X86_64"
- ],
- "syscalls" : [
- {
- "names" : [
- "lchown",
- "chmod"
- ],
- "action" : "SCMP_ACT_ERRNO",
- "args" : [
- {
- "index" : 0,
- "value" : 1,
- "op" : "SCMP_CMP_NE"
- },
- {
- "index" : 1,
- "value" : 2,
- "valueTwo" : 3,
- "op" : "SCMP_CMP_MASKED_EQ"
- }
- ]
- }
- ]
- },
- "rootfsPropagation" : "shared",
- "maskedPaths" : [
- "/proc/kcore",
- "/root/nonexistent"
- ],
- "readonlyPaths" : [
- "/proc/sys",
- "/opt/readonly"
- ]
- },
- "hooks" : {
- "prestart" : [
- {
- "path" : "/bin/sh",
- "args" : [
- "-xec",
- "echo \$PRESTART_FOO >/prestart"
- ],
- "env" : [
- "PRESTART_FOO=prestart_bar",
- "ALSO_FOO=also_bar"
- ],
- "timeout" : 666
- },
- {
- "path" : "/bin/touch",
- "args" : [
- "/tmp/also-prestart"
- ]
- }
- ],
- "poststart" : [
- {
- "path" : "/bin/sh",
- "args" : [
- "touch",
- "/poststart"
- ]
- }
- ],
- "poststop" : [
- {
- "path" : "/bin/sh",
- "args" : [
- "touch",
- "/poststop"
- ]
- }
- ]
- },
- "annotations" : {
- "hello.world" : "1",
- "foo" : "bar"
- }
-}
-EOF
-# Create a simple "entrypoint" script that validates that the container
-# is created correctly according to the OCI config
-cat >"$OCI/rootfs/entrypoint.sh" <<EOF
-#!/usr/bin/bash -e
-
-# Mounts
-mountpoint /root
-mountpoint /var
-test -e /var/hello
-
-# Process
-[[ "\$PWD" == /root ]]
-[[ "\$FOO" == bar ]]
-
-# Process - rlimits
-[[ "\$(ulimit -S -n)" -eq 1024 ]]
-[[ "\$(ulimit -H -n)" -eq 1024 ]]
-[[ "\$(ulimit -S -r)" -eq 5 ]]
-[[ "\$(ulimit -H -r)" -eq 10 ]]
-[[ "\$(hostname)" == my-oci-container ]]
-
-# Linux - devices
-test -c /dev/zero
-test -b "$DEV"
-[[ "\$(stat -c '%t:%T' "$DEV")" == 4:2 ]]
-
-# Linux - maskedPaths
-test -e /proc/kcore
-cat /proc/kcore && exit 1
-test ! -e /root/nonexistent
-
-# Linux - readonlyPaths
-touch /opt/readonly/foo && exit 1
-
-exit 0
-EOF
-timeout 30 systemd-nspawn --oci-bundle="$OCI"
-
-# Test a couple of invalid configs
-INVALID_SNIPPETS=(
- # Invalid object
- '"foo" : { }'
- '"process" : { "foo" : [ ] }'
- # Non-absolute mount
- '"mounts" : [ { "destination" : "foo", "type" : "tmpfs", "source" : "tmpfs" } ]'
- # Invalid rlimit
- '"process" : { "rlimits" : [ { "type" : "RLIMIT_FOO", "soft" : 0, "hard" : 0 } ] }'
- # rlimit without RLIMIT_ prefix
- '"process" : { "rlimits" : [ { "type" : "CORE", "soft" : 0, "hard" : 0 } ] }'
- # Invalid env assignment
- '"process" : { "env" : [ "foo" ] }'
- '"process" : { "env" : [ "foo=bar", 1 ] }'
- # Invalid process args
- '"process" : { "args" : [ ] }'
- '"process" : { "args" : [ "" ] }'
- '"process" : { "args" : [ "foo", 1 ] }'
- # Invalid capabilities
- '"process" : { "capabilities" : { "bounding" : [ 1 ] } }'
- '"process" : { "capabilities" : { "bounding" : [ "FOO_BAR" ] } }'
- # Unsupported option (without JSON_PERMISSIVE)
- '"linux" : { "resources" : { "cpu" : { "realtimeRuntime" : 1 } } }'
- # Invalid namespace
- '"linux" : { "namespaces" : [ { "type" : "foo" } ] }'
- # Namespace path for a non-network namespace
- '"linux" : { "namespaces" : [ { "type" : "user", "path" : "/foo/bar" } ] }'
- # Duplicate namespace
- '"linux" : { "namespaces" : [ { "type" : "ipc" }, { "type" : "ipc" } ] }'
- # Invalid device type
- '"linux" : { "devices" : [ { "type" : "foo", "path" : "/dev/foo" } ] }'
- # Invalid cgroups path
- '"linux" : { "cgroupsPath" : "/foo/bar/baz" }'
- '"linux" : { "cgroupsPath" : "foo/bar/baz" }'
- # Invalid sysctl assignments
- '"linux" : { "sysctl" : { "vm.swappiness" : 60 } }'
- '"linux" : { "sysctl" : { "foo..bar" : "baz" } }'
- # Invalid seccomp assignments
- '"linux" : { "seccomp" : { } }'
- '"linux" : { "seccomp" : { "defaultAction" : 1 } }'
- '"linux" : { "seccomp" : { "defaultAction" : "foo" } }'
- '"linux" : { "seccomp" : { "defaultAction" : "SCMP_ACT_ALLOW", "syscalls" : [ { "action" : "SCMP_ACT_ERRNO", "names" : [ ] } ] } }'
- # Invalid masked paths
- '"linux" : { "maskedPaths" : [ "/foo", 1 ] }'
- '"linux" : { "maskedPaths" : [ "/foo", "bar" ] }'
- # Invalid read-only paths
- '"linux" : { "readonlyPaths" : [ "/foo", 1 ] }'
- '"linux" : { "readonlyPaths" : [ "/foo", "bar" ] }'
- # Invalid hooks
- '"hooks" : { "prestart" : [ { "path" : "/bin/sh", "timeout" : 0 } ] }'
- # Invalid annotations
- '"annotations" : { "" : "bar" }'
- '"annotations" : { "foo" : 1 }'
-)
-
-for snippet in "${INVALID_SNIPPETS[@]}"; do
- : "Snippet: $snippet"
- cat >"$OCI/config.json" <<EOF
-{
- "ociVersion" : "1.0.0",
- "root" : {
- "path" : "rootfs"
- },
- $snippet
-}
-EOF
- (! systemd-nspawn --oci-bundle="$OCI" sh -c 'echo hello')
-done
-
-# Invalid OCI bundle version
-cat >"$OCI/config.json" <<EOF
-{
- "ociVersion" : "6.6.6",
- "root" : {
- "path" : "rootfs"
- }
-}
-EOF
-(! systemd-nspawn --oci-bundle="$OCI" sh -c 'echo hello')