Shared pid namespace means `runc kill` (or `runc delete -f`) has to kill all container processes, not just init. To do so, it needs a cgroup to read the PIDs from. If there is no cgroup, processes will be leaked, so such a configuration is bad and should not be allowed. To keep backward compatibility, though, let's merely warn about this for now. Alas, the only way to know if cgroup access is available is by returning an error from Manager.Apply. Amend the fs cgroup managers to do so (systemd doesn't need it, since v1 can't work with rootless, and cgroup v2 does not have a special rootless case). Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
#!/usr/bin/env bats
load helpers
# bats hook: runs before every test in this file. The helper (from
# helpers.bash, loaded above) prepares a busybox bundle for the tests.
setup() {
	setup_busybox
}
# bats hook: runs after every test, whether it passed or failed, so a
# failing test does not leave its bundle (and container) behind for the
# next one.
teardown() {
	teardown_bundle
}
@test "runc create" {
	# A freshly created container must sit in the "created" state until an
	# explicit "runc start" moves it to "running". ($status is set by the
	# runc wrapper from helpers -- presumably a bats `run` wrapper.)
	runc create --console-socket "$CONSOLE_SOCKET" test_busybox
	[[ "$status" -eq 0 ]]

	testcontainer test_busybox created

	# Now actually start the init process.
	runc start test_busybox
	[[ "$status" -eq 0 ]]

	testcontainer test_busybox running
}
@test "runc create exec" {
	# "runc exec" into a container that is created but not yet started must
	# succeed, and must NOT flip the container's state to "running" -- only
	# "runc start" is allowed to do that.
	runc create --console-socket "$CONSOLE_SOCKET" test_busybox
	[[ "$status" -eq 0 ]]

	testcontainer test_busybox created

	runc exec test_busybox true
	[[ "$status" -eq 0 ]]

	# State is unchanged by the exec.
	testcontainer test_busybox created

	# Now start the init process.
	runc start test_busybox
	[[ "$status" -eq 0 ]]

	testcontainer test_busybox running
}
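@test "runc create --pid-file" {
	runc create --pid-file pid.txt --console-socket "$CONSOLE_SOCKET" test_busybox
	[[ "$status" -eq 0 ]]

	testcontainer test_busybox created

	# The pid file must exist and hold a single positive integer. Checking
	# the format first means an empty or garbage pid file cannot pass merely
	# because "runc state" happened to produce the same (bad) value.
	[[ -e pid.txt ]]
	local pid
	pid="$(cat pid.txt)"
	[[ "$pid" =~ ^[1-9][0-9]*$ ]]

	# The pid file must agree with what "runc state" reports. The RHS is
	# quoted on purpose: inside [[ ]] an unquoted RHS of "=" is a glob
	# pattern, and we want a literal comparison.
	[[ "$pid" = "$(__runc state test_busybox | jq '.pid')" ]]

	# start the command
	runc start test_busybox
	[[ "$status" -eq 0 ]]

	testcontainer test_busybox running
}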
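@test "runc create --pid-file with new CWD" {
	# Remember the bundle, then move into a fresh subdirectory so that the
	# relative --pid-file path is resolved against the new CWD rather than
	# the bundle directory (which is passed explicitly via -b).
	local bundle
	bundle="$(pwd)"

	# create pid_file directory as the CWD
	mkdir pid_file
	cd pid_file

	runc create --pid-file pid.txt -b "$bundle" --console-socket "$CONSOLE_SOCKET" test_busybox
	[[ "$status" -eq 0 ]]

	testcontainer test_busybox created

	# pid.txt must have been written relative to the new CWD, and must hold
	# a single positive integer -- an empty file must not pass.
	[[ -e pid.txt ]]
	local pid
	pid="$(cat pid.txt)"
	[[ "$pid" =~ ^[1-9][0-9]*$ ]]

	# Quoted RHS so this is a literal comparison, not a glob match.
	[[ "$pid" = "$(__runc state test_busybox | jq '.pid')" ]]

	# start the command
	runc start test_busybox
	[[ "$status" -eq 0 ]]

	testcontainer test_busybox running
}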
# https://github.com/opencontainers/runc/issues/4394#issuecomment-2334926257
@test "runc create [shared pidns + rootless]" {
	# With the pid namespace shared with the host, "runc kill" / "runc
	# delete -f" can only find the container's processes through its cgroup.
	# Rootless without cgroup access therefore risks leaking processes, and
	# runc is expected to warn about that configuration (see the commit
	# message) rather than refuse it, for backward compatibility.

	# Remove pidns so it's shared with the host.
	update_config ' .linux.namespaces -= [{"type": "pid"}]'

	if [[ "$EUID" -ne 0 ]]; then
		if rootless_cgroup; then
			# Rootless containers have empty cgroup path by default.
			set_cgroups_path
		fi

		# Can't mount real /proc when rootless + no pidns,
		# so change it to a bind-mounted one from the host.
		# NOTE: this exposes the host's /proc to the container; that is
		# acceptable only because this is a test fixture.
		update_config ' .mounts |= map((select(.type == "proc")
			| .type = "none"
			| .source = "/proc"
			| .options = ["rbind", "nosuid", "nodev", "noexec"]
			) // .)'
	fi

	local expected_warning="Such configuration is strongly discouraged"

	runc create --console-socket "$CONSOLE_SOCKET" test
	[[ "$status" -eq 0 ]]

	# The warning must appear exactly in the rootless-without-cgroup case,
	# and must be absent otherwise (root, or rootless with cgroup access).
	if [[ "$EUID" -ne 0 ]] && ! rootless_cgroup; then
		[[ "$output" = *"$expected_warning"* ]]
	else
		[[ "$output" != *"$expected_warning"* ]]
	fi
}