
Source file src/github.com/opencontainers/runc/libcontainer/integration/template_test.go


     1  package integration
     2  
     3  import (
     4  	"strconv"
     5  	"strings"
     6  	"testing"
     7  	"time"
     8  
     9  	"github.com/opencontainers/runc/libcontainer/configs"
    10  	"github.com/opencontainers/runc/libcontainer/devices"
    11  	"github.com/opencontainers/runc/libcontainer/specconv"
    12  	"golang.org/x/sys/unix"
    13  )
    14  
// standardEnvironment is the environment used by the integration tests:
// a root home directory, a conventional sbin/bin PATH, and a HOSTNAME that
// matches the UTS hostname newTemplateConfig sets ("integration").
var standardEnvironment = []string{
	"HOME=/root",
	"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
	"HOSTNAME=integration",
	"TERM=xterm",
}

// defaultMountFlags is the hardening baseline for the pseudo-filesystems the
// template mounts: nothing on them may be executed (MS_NOEXEC), setuid/setgid
// bits are ignored (MS_NOSUID) and device nodes are not honoured (MS_NODEV).
// Individual mounts OR in extra flags such as MS_RDONLY on top of this.
const defaultMountFlags = unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV
    23  
// tParam selects the optional features of the container that
// newTemplateConfig builds. The zero value is the default container:
// no user namespace, and a cgroupfs path rather than a systemd scope.
type tParam struct {
	userns  bool // add a user namespace (uid/gid 0..999 mapped 1:1 onto the host)
	systemd bool // manage the cgroup through a systemd scope instead of a cgroupfs path
}
    28  
    29  // newTemplateConfig returns a base template for running a container.
    30  //
    31  // It uses a network strategy of just setting a loopback interface
    32  // and the default setup for devices.
    33  //
    34  // If p is nil, a default container is created.
    35  func newTemplateConfig(t *testing.T, p *tParam) *configs.Config {
    36  	var allowedDevices []*devices.Rule
    37  	for _, device := range specconv.AllowedDevices {
    38  		allowedDevices = append(allowedDevices, &device.Rule)
    39  	}
    40  	if p == nil {
    41  		p = &tParam{}
    42  	}
    43  	config := &configs.Config{
    44  		Rootfs: newRootfs(t),
    45  		Capabilities: &configs.Capabilities{
    46  			Bounding: []string{
    47  				"CAP_CHOWN",
    48  				"CAP_DAC_OVERRIDE",
    49  				"CAP_FSETID",
    50  				"CAP_FOWNER",
    51  				"CAP_MKNOD",
    52  				"CAP_NET_RAW",
    53  				"CAP_SETGID",
    54  				"CAP_SETUID",
    55  				"CAP_SETFCAP",
    56  				"CAP_SETPCAP",
    57  				"CAP_NET_BIND_SERVICE",
    58  				"CAP_SYS_CHROOT",
    59  				"CAP_KILL",
    60  				"CAP_AUDIT_WRITE",
    61  			},
    62  			Permitted: []string{
    63  				"CAP_CHOWN",
    64  				"CAP_DAC_OVERRIDE",
    65  				"CAP_FSETID",
    66  				"CAP_FOWNER",
    67  				"CAP_MKNOD",
    68  				"CAP_NET_RAW",
    69  				"CAP_SETGID",
    70  				"CAP_SETUID",
    71  				"CAP_SETFCAP",
    72  				"CAP_SETPCAP",
    73  				"CAP_NET_BIND_SERVICE",
    74  				"CAP_SYS_CHROOT",
    75  				"CAP_KILL",
    76  				"CAP_AUDIT_WRITE",
    77  			},
    78  			Ambient: []string{
    79  				"CAP_CHOWN",
    80  				"CAP_DAC_OVERRIDE",
    81  				"CAP_FSETID",
    82  				"CAP_FOWNER",
    83  				"CAP_MKNOD",
    84  				"CAP_NET_RAW",
    85  				"CAP_SETGID",
    86  				"CAP_SETUID",
    87  				"CAP_SETFCAP",
    88  				"CAP_SETPCAP",
    89  				"CAP_NET_BIND_SERVICE",
    90  				"CAP_SYS_CHROOT",
    91  				"CAP_KILL",
    92  				"CAP_AUDIT_WRITE",
    93  			},
    94  			Effective: []string{
    95  				"CAP_CHOWN",
    96  				"CAP_DAC_OVERRIDE",
    97  				"CAP_FSETID",
    98  				"CAP_FOWNER",
    99  				"CAP_MKNOD",
   100  				"CAP_NET_RAW",
   101  				"CAP_SETGID",
   102  				"CAP_SETUID",
   103  				"CAP_SETFCAP",
   104  				"CAP_SETPCAP",
   105  				"CAP_NET_BIND_SERVICE",
   106  				"CAP_SYS_CHROOT",
   107  				"CAP_KILL",
   108  				"CAP_AUDIT_WRITE",
   109  			},
   110  		},
   111  		Namespaces: configs.Namespaces([]configs.Namespace{
   112  			{Type: configs.NEWNS},
   113  			{Type: configs.NEWUTS},
   114  			{Type: configs.NEWIPC},
   115  			{Type: configs.NEWPID},
   116  			{Type: configs.NEWNET},
   117  		}),
   118  		Cgroups: &configs.Cgroup{
   119  			Systemd: p.systemd,
   120  			Resources: &configs.Resources{
   121  				MemorySwappiness: nil,
   122  				Devices:          allowedDevices,
   123  			},
   124  		},
   125  		MaskPaths: []string{
   126  			"/proc/kcore",
   127  			"/sys/firmware",
   128  		},
   129  		ReadonlyPaths: []string{
   130  			"/proc/sys", "/proc/sysrq-trigger", "/proc/irq", "/proc/bus",
   131  		},
   132  		Devices:  specconv.AllowedDevices,
   133  		Hostname: "integration",
   134  		Mounts: []*configs.Mount{
   135  			{
   136  				Source:      "proc",
   137  				Destination: "/proc",
   138  				Device:      "proc",
   139  				Flags:       defaultMountFlags,
   140  			},
   141  			{
   142  				Source:      "tmpfs",
   143  				Destination: "/dev",
   144  				Device:      "tmpfs",
   145  				Flags:       unix.MS_NOSUID | unix.MS_STRICTATIME,
   146  				Data:        "mode=755",
   147  			},
   148  			{
   149  				Source:      "devpts",
   150  				Destination: "/dev/pts",
   151  				Device:      "devpts",
   152  				Flags:       unix.MS_NOSUID | unix.MS_NOEXEC,
   153  				Data:        "newinstance,ptmxmode=0666,mode=0620,gid=5",
   154  			},
   155  			{
   156  				Device:      "tmpfs",
   157  				Source:      "shm",
   158  				Destination: "/dev/shm",
   159  				Data:        "mode=1777,size=65536k",
   160  				Flags:       defaultMountFlags,
   161  			},
   162  			/*
   163  				            CI is broken on the debian based kernels with this
   164  							{
   165  								Source:      "mqueue",
   166  								Destination: "/dev/mqueue",
   167  								Device:      "mqueue",
   168  								Flags:       defaultMountFlags,
   169  							},
   170  			*/
   171  			{
   172  				Source:      "sysfs",
   173  				Destination: "/sys",
   174  				Device:      "sysfs",
   175  				Flags:       defaultMountFlags | unix.MS_RDONLY,
   176  			},
   177  		},
   178  		Networks: []*configs.Network{
   179  			{
   180  				Type:    "loopback",
   181  				Address: "127.0.0.1/0",
   182  				Gateway: "localhost",
   183  			},
   184  		},
   185  		Rlimits: []configs.Rlimit{
   186  			{
   187  				Type: unix.RLIMIT_NOFILE,
   188  				Hard: uint64(1025),
   189  				Soft: uint64(1025),
   190  			},
   191  		},
   192  	}
   193  
   194  	if p.userns {
   195  		config.UidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
   196  		config.GidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
   197  		config.Namespaces = append(config.Namespaces, configs.Namespace{Type: configs.NEWUSER})
   198  	} else {
   199  		config.Mounts = append(config.Mounts, &configs.Mount{
   200  			Destination: "/sys/fs/cgroup",
   201  			Device:      "cgroup",
   202  			Flags:       defaultMountFlags | unix.MS_RDONLY,
   203  		})
   204  	}
   205  
   206  	if p.systemd {
   207  		id := strconv.FormatInt(-int64(time.Now().Nanosecond()), 36)
   208  		config.Cgroups.Name = strings.ReplaceAll(t.Name(), "/", "_") + id
   209  		config.Cgroups.Parent = "system.slice"
   210  		config.Cgroups.ScopePrefix = "runc-test"
   211  	} else {
   212  		config.Cgroups.Path = "/test/integration"
   213  	}
   214  
   215  	return config
   216  }
   217  
