mirror of
https://github.com/opencontainers/runc.git
synced 2025-10-16 04:20:52 +08:00
3bc606e9d3
1. Use t.TempDir instead of ioutil.TempDir. This means no need for an explicit cleanup, which removes some code, including newTestBundle and newTestRoot. 2. Move newRootfs invocation down to newTemplateConfig, removing a need for explicit rootfs creation. Also, remove rootfs from tParam as it is no longer needed (there was a since test case in which two containers shared the same rootfs, but it does not look like it's required for the test). Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
99 lines
2.2 KiB
Go
99 lines
2.2 KiB
Go
package integration
|
|
|
|
import (
|
|
"bytes"
|
|
"os"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/opencontainers/runc/libcontainer"
|
|
"github.com/opencontainers/runc/libcontainer/cgroups/systemd"
|
|
"github.com/opencontainers/runc/libcontainer/devices"
|
|
)
|
|
|
|
func testUpdateDevices(t *testing.T, systemd bool) {
|
|
if testing.Short() {
|
|
return
|
|
}
|
|
config := newTemplateConfig(t, &tParam{systemd: systemd})
|
|
container, err := newContainer(t, config)
|
|
ok(t, err)
|
|
defer destroyContainer(container)
|
|
|
|
// Execute a first process in the container
|
|
stdinR, stdinW, err := os.Pipe()
|
|
ok(t, err)
|
|
process := &libcontainer.Process{
|
|
Cwd: "/",
|
|
Args: []string{"cat"},
|
|
Env: standardEnvironment,
|
|
Stdin: stdinR,
|
|
Init: true,
|
|
}
|
|
err = container.Run(process)
|
|
_ = stdinR.Close()
|
|
defer func() {
|
|
_ = stdinW.Close()
|
|
if _, err := process.Wait(); err != nil {
|
|
t.Log(err)
|
|
}
|
|
}()
|
|
ok(t, err)
|
|
|
|
var buf bytes.Buffer
|
|
devCheck := &libcontainer.Process{
|
|
Cwd: "/",
|
|
Args: []string{"/bin/sh", "-c", "echo > /dev/full; cat /dev/null; true"},
|
|
Env: standardEnvironment,
|
|
Stderr: &buf,
|
|
}
|
|
isAllowed := true
|
|
expected := map[bool][]string{
|
|
true: {
|
|
"write error: No space left on device", // from write to /dev/full
|
|
// no error from cat /dev/null
|
|
},
|
|
false: {
|
|
"/dev/full: Operation not permitted",
|
|
`cat: can't open '/dev/null': Operation not permitted`,
|
|
},
|
|
}
|
|
defaultDevices := config.Cgroups.Resources.Devices
|
|
|
|
for i := 0; i < 300; i++ {
|
|
// Check the access
|
|
buf.Reset()
|
|
err = container.Run(devCheck)
|
|
ok(t, err)
|
|
waitProcess(devCheck, t)
|
|
|
|
for _, exp := range expected[isAllowed] {
|
|
if !strings.Contains(buf.String(), exp) {
|
|
t.Fatalf("[%d] expected %q, got %q", i, exp, buf.String())
|
|
}
|
|
}
|
|
|
|
// Now flip the access permission
|
|
isAllowed = !isAllowed
|
|
if isAllowed {
|
|
config.Cgroups.Resources.Devices = defaultDevices
|
|
} else {
|
|
config.Cgroups.Resources.Devices = []*devices.Rule{}
|
|
}
|
|
if err := container.Set(*config); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestUpdateDevices(t *testing.T) {
|
|
testUpdateDevices(t, false)
|
|
}
|
|
|
|
func TestUpdateDevicesSystemd(t *testing.T) {
|
|
if !systemd.IsRunningSystemd() {
|
|
t.Skip("Test requires systemd.")
|
|
}
|
|
testUpdateDevices(t, true)
|
|
}
|