diff --git a/runsc/BUILD b/runsc/BUILD index 8f8e2ee35..2f0bbaf2b 100644 --- a/runsc/BUILD +++ b/runsc/BUILD @@ -8,6 +8,9 @@ go_binary( "main.go", ], pure = "on", + visibility = [ + "//runsc:__subpackages__", + ], x_defs = {"main.gitRevision": "{GIT_REVISION}"}, deps = [ "//pkg/log", diff --git a/runsc/container/BUILD b/runsc/container/BUILD index c558b4b0a..fe477abf2 100644 --- a/runsc/container/BUILD +++ b/runsc/container/BUILD @@ -27,18 +27,17 @@ go_test( name = "container_test", size = "small", srcs = ["container_test.go"], - pure = "on", - rundir = ".", + data = [ + "//runsc", + ], deps = [ "//pkg/abi/linux", "//pkg/log", "//pkg/sentry/control", "//pkg/sentry/kernel/auth", "//pkg/unet", - "//runsc/boot", - "//runsc/cmd", "//runsc/container", - "@com_github_google_subcommands//:go_default_library", + "//runsc/test/testutil", "@com_github_opencontainers_runtime-spec//specs-go:go_default_library", "@org_golang_x_sys//unix:go_default_library", ], diff --git a/runsc/container/container_test.go b/runsc/container/container_test.go index 24e9de3ce..0844cb9df 100644 --- a/runsc/container/container_test.go +++ b/runsc/container/container_test.go @@ -15,7 +15,6 @@ package container_test import ( - "encoding/json" "fmt" "io" "io/ioutil" @@ -29,9 +28,6 @@ import ( "testing" "time" - "context" - "flag" - "github.com/google/subcommands" specs "github.com/opencontainers/runtime-spec/specs-go" "golang.org/x/sys/unix" "gvisor.googlesource.com/gvisor/pkg/abi/linux" @@ -39,80 +35,15 @@ import ( "gvisor.googlesource.com/gvisor/pkg/sentry/control" "gvisor.googlesource.com/gvisor/pkg/sentry/kernel/auth" "gvisor.googlesource.com/gvisor/pkg/unet" - "gvisor.googlesource.com/gvisor/runsc/boot" - "gvisor.googlesource.com/gvisor/runsc/cmd" "gvisor.googlesource.com/gvisor/runsc/container" + "gvisor.googlesource.com/gvisor/runsc/test/testutil" ) func init() { log.SetLevel(log.Debug) -} - -// writeSpec writes the spec to disk in the given directory. -func writeSpec(dir string, spec *specs.Spec) error { - b, err := json.Marshal(spec) - if err != nil { - return err + if err := testutil.ConfigureExePath(); err != nil { + panic(err.Error()) } - return ioutil.WriteFile(filepath.Join(dir, "config.json"), b, 0755) -} - -// newSpecWithArgs creates a simple spec with the given args suitable for use -// in tests. -func newSpecWithArgs(args ...string) *specs.Spec { - spec := &specs.Spec{ - // The host filesystem root is the container root. - Root: &specs.Root{ - Path: "/", - Readonly: true, - }, - Process: &specs.Process{ - Args: args, - Env: []string{ - "PATH=" + os.Getenv("PATH"), - }, - }, - } - return spec -} - -// setupContainer creates a bundle and root dir for the container, generates a -// test config, and writes the spec to config.json in the bundle dir. -func setupContainer(spec *specs.Spec) (rootDir, bundleDir string, conf *boot.Config, err error) { - rootDir, err = ioutil.TempDir("", "containers") - if err != nil { - return "", "", nil, fmt.Errorf("error creating root dir: %v", err) - } - - bundleDir, err = ioutil.TempDir("", "bundle") - if err != nil { - return "", "", nil, fmt.Errorf("error creating bundle dir: %v", err) - } - - if err = writeSpec(bundleDir, spec); err != nil { - return "", "", nil, fmt.Errorf("error writing spec: %v", err) - } - - conf = &boot.Config{ - RootDir: rootDir, - Network: boot.NetworkNone, - // Don't add flags when calling subprocesses, since the test - // runner does not know about all the flags. We control the - // Config in the subprocess anyways, so it does not matter. - TestModeNoFlags: true, - } - - return rootDir, bundleDir, conf, nil -} - -// uniqueContainerID generates a unique container id for each test. -// -// The container id is used to create an abstract unix domain socket, which must -// be unique. While the container forbids creating two containers with the same -// name, sometimes between test runs the socket does not get cleaned up quickly -// enough, causing container creation to fail. -func uniqueContainerID() string { - return fmt.Sprintf("test-container-%d", time.Now().UnixNano()) } // waitForProcessList waits for the given process list to show up in the container. @@ -167,9 +98,9 @@ func procListToString(pl []*control.Process) string { func TestLifecycle(t *testing.T) { // The container will just sleep for a long time. We will kill it before // it finishes sleeping. - spec := newSpecWithArgs("sleep", "100") + spec := testutil.NewSpecWithArgs("sleep", "100") - rootDir, bundleDir, conf, err := setupContainer(spec) + rootDir, bundleDir, conf, err := testutil.SetupContainer(spec) if err != nil { t.Fatalf("error setting up container: %v", err) } @@ -187,7 +118,7 @@ func TestLifecycle(t *testing.T) { }, } // Create the container. - id := uniqueContainerID() + id := testutil.UniqueContainerID() if _, err := container.Create(id, spec, conf, bundleDir, "", ""); err != nil { t.Fatalf("error creating container: %v", err) } @@ -298,13 +229,13 @@ func TestExePath(t *testing.T) { {path: "bin/thisfiledoesntexit", success: false}, {path: "/bin/thisfiledoesntexit", success: false}, } { - spec := newSpecWithArgs(test.path) - rootDir, bundleDir, conf, err := setupContainer(spec) + spec := testutil.NewSpecWithArgs(test.path) + rootDir, bundleDir, conf, err := testutil.SetupContainer(spec) if err != nil { t.Fatalf("exec: %s, error setting up container: %v", test.path, err) } - ws, err := container.Run(uniqueContainerID(), spec, conf, bundleDir, "", "") + ws, err := container.Run(testutil.UniqueContainerID(), spec, conf, bundleDir, "", "") os.RemoveAll(rootDir) os.RemoveAll(bundleDir) @@ -327,16 +258,16 @@ func TestExePath(t *testing.T) { // Test the we can retrieve the application exit status from the container. func TestAppExitStatus(t *testing.T) { // First container will succeed. - succSpec := newSpecWithArgs("true") + succSpec := testutil.NewSpecWithArgs("true") - rootDir, bundleDir, conf, err := setupContainer(succSpec) + rootDir, bundleDir, conf, err := testutil.SetupContainer(succSpec) if err != nil { t.Fatalf("error setting up container: %v", err) } defer os.RemoveAll(rootDir) defer os.RemoveAll(bundleDir) - ws, err := container.Run(uniqueContainerID(), succSpec, conf, bundleDir, "", "") + ws, err := container.Run(testutil.UniqueContainerID(), succSpec, conf, bundleDir, "", "") if err != nil { t.Fatalf("error running container: %v", err) } @@ -346,16 +277,16 @@ func TestAppExitStatus(t *testing.T) { // Second container exits with non-zero status. wantStatus := 123 - errSpec := newSpecWithArgs("bash", "-c", fmt.Sprintf("exit %d", wantStatus)) + errSpec := testutil.NewSpecWithArgs("bash", "-c", fmt.Sprintf("exit %d", wantStatus)) - rootDir2, bundleDir2, conf, err := setupContainer(errSpec) + rootDir2, bundleDir2, conf, err := testutil.SetupContainer(errSpec) if err != nil { t.Fatalf("error setting up container: %v", err) } defer os.RemoveAll(rootDir2) defer os.RemoveAll(bundleDir2) - ws, err = container.Run(uniqueContainerID(), succSpec, conf, bundleDir2, "", "") + ws, err = container.Run(testutil.UniqueContainerID(), succSpec, conf, bundleDir2, "", "") if err != nil { t.Fatalf("error running container: %v", err) } @@ -367,9 +298,9 @@ func TestAppExitStatus(t *testing.T) { // TestExec verifies that a container can exec a new program. func TestExec(t *testing.T) { const uid = 343 - spec := newSpecWithArgs("sleep", "100") + spec := testutil.NewSpecWithArgs("sleep", "100") - rootDir, bundleDir, conf, err := setupContainer(spec) + rootDir, bundleDir, conf, err := testutil.SetupContainer(spec) if err != nil { t.Fatalf("error setting up container: %v", err) } @@ -377,7 +308,7 @@ func TestExec(t *testing.T) { defer os.RemoveAll(bundleDir) // Create and start the container. - s, err := container.Create(uniqueContainerID(), spec, conf, bundleDir, "", "") + s, err := container.Create(testutil.UniqueContainerID(), spec, conf, bundleDir, "", "") if err != nil { t.Fatalf("error creating container: %v", err) } @@ -454,7 +385,7 @@ func TestExec(t *testing.T) { func TestCapabilities(t *testing.T) { const uid = 343 const gid = 2401 - spec := newSpecWithArgs("sleep", "100") + spec := testutil.NewSpecWithArgs("sleep", "100") // We generate files in the host temporary directory. spec.Mounts = append(spec.Mounts, specs.Mount{ @@ -463,7 +394,7 @@ func TestCapabilities(t *testing.T) { Type: "bind", }) - rootDir, bundleDir, conf, err := setupContainer(spec) + rootDir, bundleDir, conf, err := testutil.SetupContainer(spec) if err != nil { t.Fatalf("error setting up container: %v", err) } @@ -471,7 +402,7 @@ func TestCapabilities(t *testing.T) { defer os.RemoveAll(bundleDir) // Create and start the container. - s, err := container.Create(uniqueContainerID(), spec, conf, bundleDir, "", "") + s, err := container.Create(testutil.UniqueContainerID(), spec, conf, bundleDir, "", "") if err != nil { t.Fatalf("error creating container: %v", err) } @@ -540,8 +471,8 @@ func TestCapabilities(t *testing.T) { // Test that an tty FD is sent over the console socket if one is provided. func TestConsoleSocket(t *testing.T) { - spec := newSpecWithArgs("true") - rootDir, bundleDir, conf, err := setupContainer(spec) + spec := testutil.NewSpecWithArgs("true") + rootDir, bundleDir, conf, err := testutil.SetupContainer(spec) if err != nil { t.Fatalf("error setting up container: %v", err) } @@ -569,7 +500,7 @@ func TestConsoleSocket(t *testing.T) { defer os.Remove(socketPath) // Create the container and pass the socket name. - id := uniqueContainerID() + id := testutil.UniqueContainerID() s, err := container.Create(id, spec, conf, bundleDir, socketRelPath, "") if err != nil { t.Fatalf("error creating container: %v", err) @@ -618,21 +549,21 @@ func TestConsoleSocket(t *testing.T) { } func TestSpecUnsupported(t *testing.T) { - spec := newSpecWithArgs("/bin/true") + spec := testutil.NewSpecWithArgs("/bin/true") spec.Process.SelinuxLabel = "somelabel" // These are normally set by docker and will just cause warnings to be logged. spec.Process.ApparmorProfile = "someprofile" spec.Linux = &specs.Linux{Seccomp: &specs.LinuxSeccomp{}} - rootDir, bundleDir, conf, err := setupContainer(spec) + rootDir, bundleDir, conf, err := testutil.SetupContainer(spec) if err != nil { t.Fatalf("error setting up container: %v", err) } defer os.RemoveAll(rootDir) defer os.RemoveAll(bundleDir) - id := uniqueContainerID() + id := testutil.UniqueContainerID() _, err = container.Create(id, spec, conf, bundleDir, "", "") if err == nil || !strings.Contains(err.Error(), "is not supported") { t.Errorf("container.Create() wrong error, got: %v, want: *is not supported, spec.Process: %+v", err, spec.Process) @@ -642,14 +573,17 @@ func TestSpecUnsupported(t *testing.T) { // TestRunNonRoot checks that sandbox can be configured when running as // non-priviledged user. func TestRunNonRoot(t *testing.T) { - spec := newSpecWithArgs("/bin/true") + spec := testutil.NewSpecWithArgs("/bin/true") spec.Process.User.UID = 343 spec.Process.User.GID = 2401 // User that container runs as can't list '$TMP/blocked' and would fail to // mount it. - dir := path.Join(os.TempDir(), "blocked") - if err := os.Mkdir(dir, 0700); err != nil { + dir, err := ioutil.TempDir("", "blocked") + if err != nil { + t.Fatalf("ioutil.TempDir() failed: %v", err) + } + if err := os.Chmod(dir, 0700); err != nil { t.Fatalf("os.MkDir(%q) failed: %v", dir, err) } dir = path.Join(dir, "test") @@ -664,7 +598,7 @@ func TestRunNonRoot(t *testing.T) { Type: "bind", }) - rootDir, bundleDir, conf, err := setupContainer(spec) + rootDir, bundleDir, conf, err := testutil.SetupContainer(spec) if err != nil { t.Fatalf("error setting up container: %v", err) } @@ -672,7 +606,7 @@ func TestRunNonRoot(t *testing.T) { defer os.RemoveAll(bundleDir) // Create, start and wait for the container. - s, err := container.Create(uniqueContainerID(), spec, conf, bundleDir, "", "") + s, err := container.Create(testutil.UniqueContainerID(), spec, conf, bundleDir, "", "") if err != nil { t.Fatalf("error creating container: %v", err) } @@ -688,39 +622,3 @@ func TestRunNonRoot(t *testing.T) { t.Errorf("container failed, waitStatus: %v", ws) } } - -// TestMain acts like runsc if it is called with the "boot" argument, otherwise -// it just runs the tests. This is required because creating a container will -// call "/proc/self/exe boot". Normally /proc/self/exe is the runsc binary, -// but for tests we have to fake it. -func TestMain(m *testing.M) { - // exit writes coverage data before exiting. - exit := func(status int) { - os.Exit(status) - } - - if !flag.Parsed() { - flag.Parse() - } - - // If we are passed one of the commands then run it. - subcommands.Register(new(cmd.Boot), "boot") - subcommands.Register(new(cmd.Gofer), "gofer") - switch flag.Arg(0) { - case "boot", "gofer": - conf := &boot.Config{ - RootDir: "unused-root-dir", - Network: boot.NetworkNone, - } - var ws syscall.WaitStatus - subcmdCode := subcommands.Execute(context.Background(), conf, &ws) - if subcmdCode != subcommands.ExitSuccess { - panic(fmt.Sprintf("command failed to execute, err: %v", subcmdCode)) - } - // Container exited. Shut down this process. - exit(ws.ExitStatus()) - default: - // Otherwise run the tests. - exit(m.Run()) - } -} diff --git a/runsc/specutils/specutils.go b/runsc/specutils/specutils.go index 5f455dec4..3161360b4 100644 --- a/runsc/specutils/specutils.go +++ b/runsc/specutils/specutils.go @@ -32,6 +32,10 @@ import ( "gvisor.googlesource.com/gvisor/pkg/sentry/kernel/auth" ) +// ExePath must point to runsc binary, which is normally the same binary. It's +// changed in tests that aren't linked in the same binary. +var ExePath = "/proc/self/exe" + // LogSpec logs the spec in a human-friendly way. func LogSpec(spec *specs.Spec) { log.Debugf("Spec: %+v", spec) @@ -197,9 +201,9 @@ func Is9PMount(m specs.Mount) bool { // BinPath returns the real path to self, resolving symbolink links. This is done // to make the process name appears as 'runsc', instead of 'exe'. func BinPath() (string, error) { - binPath, err := filepath.EvalSymlinks("/proc/self/exe") + binPath, err := filepath.EvalSymlinks(ExePath) if err != nil { - return "", fmt.Errorf(`error resolving "/proc/self/exe" symlink: %v`, err) + return "", fmt.Errorf(`error resolving %q symlink: %v`, ExePath, err) } return binPath, nil } diff --git a/runsc/test/testutil/BUILD b/runsc/test/testutil/BUILD new file mode 100644 index 000000000..2c2555d98 --- /dev/null +++ b/runsc/test/testutil/BUILD @@ -0,0 +1,17 @@ +package(licenses = ["notice"]) # Apache 2.0 + +load("@io_bazel_rules_go//go:def.bzl", "go_library") + +go_library( + name = "testutil", + srcs = ["testutil.go"], + importpath = "gvisor.googlesource.com/gvisor/runsc/test/testutil", + visibility = [ + "//runsc:__subpackages__", + ], + deps = [ + "//runsc/boot", + "//runsc/specutils", + "@com_github_opencontainers_runtime-spec//specs-go:go_default_library", + ], +) diff --git a/runsc/test/testutil/testutil.go b/runsc/test/testutil/testutil.go new file mode 100644 index 000000000..87db0a170 --- /dev/null +++ b/runsc/test/testutil/testutil.go @@ -0,0 +1,133 @@ +// Copyright 2018 Google Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Package testutil contains utility functions for runsc tests. +package testutil + +import ( + "encoding/json" + "fmt" + "io/ioutil" + "os" + "path/filepath" + "time" + + specs "github.com/opencontainers/runtime-spec/specs-go" + "gvisor.googlesource.com/gvisor/runsc/boot" + "gvisor.googlesource.com/gvisor/runsc/specutils" +) + +// ConfigureExePath configures the executable for runsc in the test environment. +func ConfigureExePath() error { + + // runsc is in a directory like: 'runsc/linux_amd64_pure_stripped/runsc'. + // Since I don't want to construct 'linux_amd64_pure_stripped' based on the + // build type, do a quick search for: 'runsc/*/runsc' + exePath := "" + lv1 := "./runsc" + lv1fis, err := ioutil.ReadDir(lv1) + if err != nil { + return err + } + for _, fi := range lv1fis { + if !fi.IsDir() { + continue + } + lv2fis, err := ioutil.ReadDir(filepath.Join(lv1, fi.Name())) + if err != nil { + return err + } + for _, candidate := range lv2fis { + if !candidate.IsDir() && candidate.Name() == "runsc" { + exePath, err = filepath.Abs(filepath.Join(lv1, fi.Name(), candidate.Name())) + if err != nil { + return err + } + break + } + } + } + if exePath == "" { + return fmt.Errorf("path to runsc not found") + } + specutils.ExePath = exePath + return nil +} + +// NewSpecWithArgs creates a simple spec with the given args suitable for use +// in tests. +func NewSpecWithArgs(args ...string) *specs.Spec { + spec := &specs.Spec{ + // The host filesystem root is the container root. + Root: &specs.Root{ + Path: "/", + Readonly: true, + }, + Process: &specs.Process{ + Args: args, + Env: []string{ + "PATH=" + os.Getenv("PATH"), + }, + }, + } + return spec +} + +// SetupContainer creates a bundle and root dir for the container, generates a +// test config, and writes the spec to config.json in the bundle dir. +func SetupContainer(spec *specs.Spec) (rootDir, bundleDir string, conf *boot.Config, err error) { + rootDir, err = ioutil.TempDir("", "containers") + if err != nil { + return "", "", nil, fmt.Errorf("error creating root dir: %v", err) + } + + bundleDir, err = ioutil.TempDir("", "bundle") + if err != nil { + return "", "", nil, fmt.Errorf("error creating bundle dir: %v", err) + } + + if err = writeSpec(bundleDir, spec); err != nil { + return "", "", nil, fmt.Errorf("error writing spec: %v", err) + } + + conf = &boot.Config{ + RootDir: rootDir, + Network: boot.NetworkNone, + // Don't add flags when calling subprocesses, since the test + // runner does not know about all the flags. We control the + // Config in the subprocess anyways, so it does not matter. + TestModeNoFlags: true, + } + + return rootDir, bundleDir, conf, nil +} + +// writeSpec writes the spec to disk in the given directory. +func writeSpec(dir string, spec *specs.Spec) error { + b, err := json.Marshal(spec) + if err != nil { + return err + } + return ioutil.WriteFile(filepath.Join(dir, "config.json"), b, 0755) +} + +// UniqueContainerID generates a unique container id for each test. +// +// The container id is used to create an abstract unix domain socket, which must +// be unique. While the container forbids creating two containers with the same +// name, sometimes between test runs the socket does not get cleaned up quickly +// enough, causing container creation to fail. +func UniqueContainerID() string { + return fmt.Sprintf("test-container-%d", time.Now().UnixNano()) +}