...
#!/usr/bin/env bats

# Pull in the shared integration-test helpers (setup_busybox, update_config,
# runc, requires, teardown_bundle, ...) used by every test below.
load helpers
4
# Runs before each test: prepare a busybox bundle whose entrypoint only
# prints a greeting, which the tests match against in "$output".
setup() {
	setup_busybox
	update_config '.process.args = ["/bin/echo", "Hello World"]'
}
9
# Runs after each test: remove the bundle created by setup().
teardown() {
	teardown_bundle
}
13
14@test "runc run" {
15 # run hello-world
16 runc run test_hello
17 [ "$status" -eq 0 ]
18
19 # check expected output
20 [[ "${output}" == *"Hello"* ]]
21}
22
23@test "runc run ({u,g}id != 0)" {
24 # cannot start containers as another user in rootless setup without idmap
25 [[ "$ROOTLESS" -ne 0 ]] && requires rootless_idmap
26
27 # replace "uid": 0 with "uid": 1000
28 # and do a similar thing for gid.
29 update_config ' (.. | select(.uid? == 0)) .uid |= 1000
30 | (.. | select(.gid? == 0)) .gid |= 100'
31
32 # run hello-world
33 runc run test_hello
34 [ "$status" -eq 0 ]
35
36 # check expected output
37 [[ "${output}" == *"Hello"* ]]
38}
39
40# https://github.com/opencontainers/runc/issues/3715.
41#
42# Fails when using Go 1.20 < 1.20.2, the reasons is https://go.dev/issue/58552.
43@test "runc run as user with no exec bit but CAP_DAC_OVERRIDE set" {
44 requires root # Can't chown/chmod otherwise.
45
46 # Remove exec perm for everyone but owner (root).
47 chown 0 rootfs/bin/echo
48 chmod go-x rootfs/bin/echo
49
50 # Replace "uid": 0 with "uid": 1000 and do a similar thing for gid.
51 update_config ' (.. | select(.uid? == 0)) .uid |= 1000
52 | (.. | select(.gid? == 0)) .gid |= 100'
53
54 # Sanity check: make sure we can't run the container w/o CAP_DAC_OVERRIDE.
55 runc run test_busybox
56 [ "$status" -ne 0 ]
57
58 # Enable CAP_DAC_OVERRIDE.
59 update_config ' .process.capabilities.bounding += ["CAP_DAC_OVERRIDE"]
60 | .process.capabilities.effective += ["CAP_DAC_OVERRIDE"]
61 | .process.capabilities.permitted += ["CAP_DAC_OVERRIDE"]'
62
63 runc run test_busybox
64 [ "$status" -eq 0 ]
65}
66
67@test "runc run with rootfs set to ." {
68 cp config.json rootfs/.
69 rm config.json
70 cd rootfs
71 update_config '(.. | select(. == "rootfs")) |= "."'
72
73 # run hello-world
74 runc run test_hello
75 [ "$status" -eq 0 ]
76 [[ "${output}" == *"Hello"* ]]
77}
78
79@test "runc run --pid-file" {
80 # run hello-world
81 runc run --pid-file pid.txt test_hello
82 [ "$status" -eq 0 ]
83 [[ "${output}" == *"Hello"* ]]
84
85 # check pid.txt was generated
86 [ -e pid.txt ]
87
88 [[ "$(cat pid.txt)" =~ [0-9]+ ]]
89}
90
91# https://github.com/opencontainers/runc/pull/2897
92@test "runc run [rootless with host pidns]" {
93 requires rootless_no_features
94
95 # Remove pid namespace, and replace /proc mount
96 # with a bind mount from the host.
97 update_config ' .linux.namespaces -= [{"type": "pid"}]
98 | .mounts |= map((select(.type == "proc")
99 | .type = "none"
100 | .source = "/proc"
101 | .options = ["rbind", "nosuid", "nodev", "noexec"]
102 ) // .)'
103
104 runc run test_hello
105 [ "$status" -eq 0 ]
106}
107
108@test "runc run [redundant seccomp rules]" {
109 update_config ' .linux.seccomp = {
110 "defaultAction": "SCMP_ACT_ALLOW",
111 "syscalls": [{
112 "names": ["bdflush"],
113 "action": "SCMP_ACT_ALLOW",
114 }]
115 }'
116 runc run test_hello
117 [ "$status" -eq 0 ]
118}