Cross Reference: /lxc/src/tests/lxc-test-unpriv

	lxc-test-unpriv revision 569c5fe10365bb93d8773a7bd390353bcaafd3c5
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar#!/bin/bash
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar# lxc: linux Container library
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar# Authors:
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar# Serge Hallyn <serge.hallyn@ubuntu.com>
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar#
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar# This is a test script for unprivileged containers
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar# This library is free software; you can redistribute it and/or
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar# modify it under the terms of the GNU Lesser General Public
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar# License as published by the Free Software Foundation; either
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar# version 2.1 of the License, or (at your option) any later version.
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar# This library is distributed in the hope that it will be useful,
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar# but WITHOUT ANY WARRANTY; without even the implied warranty of
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar# Lesser General Public License for more details.
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar# You should have received a copy of the GNU Lesser General Public
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar# License along with this library; if not, write to the Free Software
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar# This test assumes an Ubuntu host
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikarif [ $(id -u) -ne 0 ]; then
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar    echo "ERROR: Must run as root."
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar    exit 1
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikarfi
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar# Test if we're using an overlayfs module that handles symlinks correctly. If
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar# not, we skip these tests since overlay clones will not work correctly.
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikarif modprobe -q overlayfs; then
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar        TMPDIR=$(mktemp -d)
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar        MOUNTDIR="${TMPDIR}/ovl_symlink_test"
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar        mkdir ${MOUNTDIR}
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar        mount -t tmpfs none ${MOUNTDIR}
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar        mkdir "${MOUNTDIR}/lowerdir" "${MOUNTDIR}/upperdir" "${MOUNTDIR}/overlayfs"
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar        mount -t overlayfs -o lowerdir="${MOUNTDIR}/lowerdir",upperdir="${MOUNTDIR}/upperdir" none "${MOUNTDIR}/overlayfs"
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar        CORRECT_LINK_TARGET="${MOUNTDIR}/overlayfs/dummy_file"
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar        exec 9> "${CORRECT_LINK_TARGET}"
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar        DETECTED_LINK_TARGET=$(readlink -q /proc/$$/fd/9)
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar        # cleanup
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar        exec 9>&-
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar        umount "${MOUNTDIR}/overlayfs"
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar        umount ${MOUNTDIR}
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar        rmdir ${MOUNTDIR}
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar        # This overlay module does not correctly handle symlinks, so skip the
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar        # tests.
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar        if [ "${DETECTED_LINK_TARGET}" != "${CORRECT_LINK_TARGET}" ]; then
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar                exit 0
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar        fi
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikarfi
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
7014882c6a3672fd0e5d60200af8643ae53c5928Richard Lowewhich newuidmap >/dev/null 2>&1 || { echo "'newuidmap' command is missing" >&2; exit 1; }
7014882c6a3672fd0e5d60200af8643ae53c5928Richard Lowe
7014882c6a3672fd0e5d60200af8643ae53c5928Richard LoweDONE=0
7014882c6a3672fd0e5d60200af8643ae53c5928Richard LoweKNOWN_RELEASES="precise trusty xenial yakkety zesty"
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikarcleanup() {
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar    cd /
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar    run_cmd lxc-stop -n c2 -k || true
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar    run_cmd lxc-stop -n c1 -k || true
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar    pkill -u $(id -u $TUSER) -9
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar    sed -i '/lxcunpriv/d' /run/lxc/nics /etc/lxc/lxc-usernet
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar    sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar    rm -Rf $HDIR /run/user/$(id -u $TUSER)
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar    deluser $TUSER
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar    if [ $DONE -eq 0 ]; then
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar        echo "FAIL"
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar        exit 1
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar    fi
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar    echo "PASS"
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar}
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikarrun_cmd() {
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar    sudo -i -u $TUSER \
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar        env http_proxy=${http_proxy:-} https_proxy=${https_proxy:-} \
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar            XDG_RUNTIME_DIR=/run/user/$(id -u $TUSER) $*
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar}
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar# create a test user
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod GunjikarTUSER=lxcunpriv
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod GunjikarHDIR=/home/$TUSER
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod GunjikarARCH=i386
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikarif type dpkg >/dev/null 2>&1; then
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar    ARCH=$(dpkg --print-architecture)
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikarfi
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikartrap cleanup EXIT SIGHUP SIGINT SIGTERM
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikarset -eu
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikardeluser $TUSER && rm -Rf $HDIR || true
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikaruseradd $TUSER
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikarmkdir -p $HDIR
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikarecho "$TUSER veth lxcbr0 2" >> /etc/lxc/lxc-usernet
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikarsed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikarusermod -v 910000-919999 -w 910000-919999 $TUSER
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikar
c39526b769298791ff5b0b6c5e761f49aabaeb4ePramod Gunjikarmkdir -p $HDIR/.config/lxc/
cat > $HDIR/.config/lxc/default.conf << EOF
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.id_map = u 0 910000 9999
lxc.id_map = g 0 910000 9999
EOF
chown -R $TUSER: $HDIR

mkdir -p /run/user/$(id -u $TUSER)
chown -R $TUSER: /run/user/$(id -u $TUSER)

cd $HDIR

if which cgm >/dev/null 2>&1; then
    cgm create all $TUSER
    cgm chown all $TUSER $(id -u $TUSER) $(id -g $TUSER)
    cgm movepid all $TUSER $$
elif [ -e /sys/fs/cgroup/cgmanager/sock ]; then
    for d in $(cut -d : -f 2 /proc/self/cgroup); do
        dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
            --type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Create \
            string:$d string:$TUSER >/dev/null

        dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
            --type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Chown \
            string:$d string:$TUSER int32:$(id -u $TUSER) int32:$(id -g $TUSER) >/dev/null

        dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
            --type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.MovePid \
            string:$d string:$TUSER int32:$$ >/dev/null
    done
else
    for d in /sys/fs/cgroup/*; do
        [ -f $d/cgroup.clone_children ] && echo 1 > $d/cgroup.clone_children
        [ ! -d $d/lxctest ] && mkdir $d/lxctest
        chown -R $TUSER: $d/lxctest
        echo $$ > $d/lxctest/tasks
    done
fi

# default release is trusty, or the systems release if recognized
release=trusty
if [ -f /etc/lsb-release ]; then
    . /etc/lsb-release
    rels=$(ubuntu-distro-info --supported 2>/dev/null) ||
        rels="$KNOWN_RELEASES"
    for r in $rels; do
        [ "$DISTRIB_CODENAME" = "$r" ] && release="$r"
    done
fi

# Copy the download template cache if available
run_cmd mkdir -p $HDIR/.cache/lxc
[ -d /var/cache/lxc/download ] && \
    cp -R /var/cache/lxc/download $HDIR/.cache/lxc && \
    chown -R $TUSER: $HDIR/.cache/lxc

run_cmd lxc-create -t download -n c1 -- -d ubuntu -r $release -a $ARCH

# Make sure we can start it - twice

for count in `seq 1 2`; do
    run_cmd lxc-start -n c1 -d

    p1=$(run_cmd lxc-info -n c1 -p -H)
    [ "$p1" != "-1" ] || { echo "Failed to start container c1 (run $count)"; false; }

    run_cmd lxc-info -n c1
    run_cmd lxc-attach -n c1 -- /bin/true

    run_cmd lxc-stop -n c1
done

run_cmd lxc-copy -s -n c1 -N c2
run_cmd lxc-start -n c2 -d
p1=$(run_cmd lxc-info -n c2 -p -H)
[ "$p1" != "-1" ] || { echo "Failed to start container c2"; false; }

run_cmd lxc-stop -n c2

if which cgm >/dev/null 2>&1; then
    echo "Testing containers under different cgroups per subsystem"
    run_cmd cgm create freezer x1/x2
    cgm movepid freezer x1 $$
    run_cmd lxc-start -n c1 -d
    p1=$(run_cmd lxc-info -n c1 -p -H)
    [ "$p1" != "-1" ] || { echo "Failed to start container c1"; false; }
    run_cmd lxc-info -n c1
    run_cmd lxc-attach -n c1 -- /bin/true
    run_cmd lxc-cgroup -n c1 freezer.state

    echo "Testing lxc-attach and lxc-cgroup from different cgroup"
    cgm movepid freezer x2 $$
    run_cmd lxc-attach -n c1 -- /bin/true
    run_cmd lxc-cgroup -n c1 freezer.state
    run_cmd lxc-cgroup -n c1 memory.limit_in_bytes
fi

DONE=1