149 lines
4.3 KiB
Go
149 lines
4.3 KiB
Go
// Copyright 2018 The gVisor Authors.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
// Package root is used for tests that requires sysadmin privileges run.
|
|
package root
|
|
|
|
import (
|
|
"fmt"
|
|
"io/ioutil"
|
|
"os/exec"
|
|
"path/filepath"
|
|
"strconv"
|
|
"strings"
|
|
"testing"
|
|
|
|
"gvisor.dev/gvisor/pkg/test/dockerutil"
|
|
)
|
|
|
|
// TestChroot verifies that the sandbox is chroot'd and that mounts are cleaned
|
|
// up after the sandbox is destroyed.
|
|
func TestChroot(t *testing.T) {
|
|
d := dockerutil.MakeDocker(t)
|
|
defer d.CleanUp()
|
|
|
|
if err := d.Spawn(dockerutil.RunOpts{
|
|
Image: "basic/alpine",
|
|
}, "sleep", "10000"); err != nil {
|
|
t.Fatalf("docker run failed: %v", err)
|
|
}
|
|
|
|
pid, err := d.SandboxPid()
|
|
if err != nil {
|
|
t.Fatalf("Docker.SandboxPid(): %v", err)
|
|
}
|
|
|
|
// Check that sandbox is chroot'ed.
|
|
procRoot := filepath.Join("/proc", strconv.Itoa(pid), "root")
|
|
chroot, err := filepath.EvalSymlinks(procRoot)
|
|
if err != nil {
|
|
t.Fatalf("error resolving /proc/<pid>/root symlink: %v", err)
|
|
}
|
|
if chroot != "/" {
|
|
t.Errorf("sandbox is not chroot'd, it should be inside: /, got: %q", chroot)
|
|
}
|
|
|
|
path, err := filepath.EvalSymlinks(filepath.Join("/proc", strconv.Itoa(pid), "cwd"))
|
|
if err != nil {
|
|
t.Fatalf("error resolving /proc/<pid>/cwd symlink: %v", err)
|
|
}
|
|
if chroot != path {
|
|
t.Errorf("sandbox current dir is wrong, want: %q, got: %q", chroot, path)
|
|
}
|
|
|
|
fi, err := ioutil.ReadDir(procRoot)
|
|
if err != nil {
|
|
t.Fatalf("error listing %q: %v", chroot, err)
|
|
}
|
|
if want, got := 1, len(fi); want != got {
|
|
t.Fatalf("chroot dir got %d entries, want %d", got, want)
|
|
}
|
|
|
|
// chroot dir is prepared by runsc and should contains only /proc.
|
|
if fi[0].Name() != "proc" {
|
|
t.Errorf("chroot got children %v, want %v", fi[0].Name(), "proc")
|
|
}
|
|
|
|
d.CleanUp()
|
|
}
|
|
|
|
func TestChrootGofer(t *testing.T) {
|
|
d := dockerutil.MakeDocker(t)
|
|
defer d.CleanUp()
|
|
|
|
if err := d.Spawn(dockerutil.RunOpts{
|
|
Image: "basic/alpine",
|
|
}, "sleep", "10000"); err != nil {
|
|
t.Fatalf("docker run failed: %v", err)
|
|
}
|
|
|
|
// It's tricky to find gofers. Get sandbox PID first, then find parent. From
|
|
// parent get all immediate children, remove the sandbox, and everything else
|
|
// are gofers.
|
|
sandPID, err := d.SandboxPid()
|
|
if err != nil {
|
|
t.Fatalf("Docker.SandboxPid(): %v", err)
|
|
}
|
|
|
|
// Find sandbox's parent PID.
|
|
cmd := fmt.Sprintf("grep PPid /proc/%d/status | awk '{print $2}'", sandPID)
|
|
parent, err := exec.Command("sh", "-c", cmd).CombinedOutput()
|
|
if err != nil {
|
|
t.Fatalf("failed to fetch runsc (%d) parent PID: %v, out:\n%s", sandPID, err, string(parent))
|
|
}
|
|
parentPID, err := strconv.Atoi(strings.TrimSpace(string(parent)))
|
|
if err != nil {
|
|
t.Fatalf("failed to parse PPID %q: %v", string(parent), err)
|
|
}
|
|
|
|
// Get all children from parent.
|
|
childrenOut, err := exec.Command("/usr/bin/pgrep", "-P", strconv.Itoa(parentPID)).CombinedOutput()
|
|
if err != nil {
|
|
t.Fatalf("failed to fetch containerd-shim children: %v", err)
|
|
}
|
|
children := strings.Split(strings.TrimSpace(string(childrenOut)), "\n")
|
|
|
|
// This where the root directory is mapped on the host and that's where the
|
|
// gofer must have chroot'd to.
|
|
root := "/root"
|
|
|
|
for _, child := range children {
|
|
childPID, err := strconv.Atoi(child)
|
|
if err != nil {
|
|
t.Fatalf("failed to parse child PID %q: %v", child, err)
|
|
}
|
|
if childPID == sandPID {
|
|
// Skip the sandbox, all other immediate children are gofers.
|
|
continue
|
|
}
|
|
|
|
// Check that gofer is chroot'ed.
|
|
chroot, err := filepath.EvalSymlinks(filepath.Join("/proc", child, "root"))
|
|
if err != nil {
|
|
t.Fatalf("error resolving /proc/<pid>/root symlink: %v", err)
|
|
}
|
|
if root != chroot {
|
|
t.Errorf("gofer chroot is wrong, want: %q, got: %q", root, chroot)
|
|
}
|
|
|
|
path, err := filepath.EvalSymlinks(filepath.Join("/proc", child, "cwd"))
|
|
if err != nil {
|
|
t.Fatalf("error resolving /proc/<pid>/cwd symlink: %v", err)
|
|
}
|
|
if root != path {
|
|
t.Errorf("gofer current dir is wrong, want: %q, got: %q", root, path)
|
|
}
|
|
}
|
|
}
|