zishuo/runc
1
0
Fork 0
mirror of https://github.com/opencontainers/runc.git synced 2025-10-07 16:31:38 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
8e8b136c4923ac33567c4cb775c6c8a17749fd02
runc/libcontainer/rootfs_linux_test.go
Aleksa Sarai 8e8b136c49 tree-wide: use /proc/thread-self for thread-local state 
With the idmap work, we will have a tainted Go thread in our
thread-group that has a different mount namespace to the other threads.
It seems that (due to some bad luck) the Go scheduler tends to make this
thread the thread-group leader in our tests, which results in very
baffling failures where /proc/self/mountinfo produces gibberish results.

In order to avoid this, switch to using /proc/thread-self for everything
that is thread-local. This primarily includes switching all file
descriptor paths (CLONE_FS), all of the places that check the current
cgroup (technically we never will run a single runc thread in a separate
cgroup, but better to be safe than sorry), and the aforementioned
mountinfo code. We don't need to do anything for the following because
the results we need aren't thread-local:

 * Checks that certain namespaces are supported by stat(2)ing
   /proc/self/ns/...

 * /proc/self/exe and /proc/self/cmdline are not thread-local.

 * While threads can be in different cgroups, we do not do this for the
   runc binary (or libcontainer) and thus we do not need to switch to
   the thread-local version of /proc/self/cgroups.

 * All of the CLONE_NEWUSER files are not thread-local because you
   cannot set the usernamespace of a single thread (setns(CLONE_NEWUSER)
   is blocked for multi-threaded programs).

Note that we have to use runtime.LockOSThread when we have an open
handle to a tid-specific procfs file that we are operating on multiple
times. Go can reschedule us such that we are running on a different
thread and then kill the original thread (causing -ENOENT or similarly
confusing errors). This is not strictly necessary for most usages of
/proc/thread-self (such as using /proc/thread-self/fd/$n directly) since
only operating on the actual inodes associated with the tid requires
this locking, but because of the pre-3.17 fallback for CentOS, we have
to do this in most cases.

In addition, CentOS's kernel is too old for /proc/thread-self, which
requires us to emulate it -- however in rootfs_linux.go, we are in the
container pid namespace but /proc is the host's procfs. This leads to
the incredibly frustrating situation where there is no way (on pre-4.1
Linux) to figure out which /proc/self/task/... entry refers to the
current tid. We can just use /proc/self in this case.

Yes this is all pretty ugly. I also wish it wasn't necessary.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:41 +11:00

163 lines
3.4 KiB
Go
Raw Blame History

package libcontainer
import (
"testing"
"github.com/opencontainers/runc/libcontainer/configs"
"golang.org/x/sys/unix"
)
func TestCheckMountDestInProc(t *testing.T) {
m := mountEntry{
Mount: &configs.Mount{
Destination: "/proc/sys",
Source: "/proc/sys",
Device: "bind",
Flags: unix.MS_BIND,
},
}
dest := "/rootfs/proc/sys"
err := checkProcMount("/rootfs", dest, m)
if err == nil {
t.Fatal("destination inside proc should return an error")
}
}
func TestCheckProcMountOnProc(t *testing.T) {
m := mountEntry{
Mount: &configs.Mount{
Destination: "/proc",
Source: "foo",
Device: "proc",
},
}
dest := "/rootfs/proc/"
err := checkProcMount("/rootfs", dest, m)
if err != nil {
// TODO: This test failure is fixed in a later commit in this series.
t.Logf("procfs type mount on /proc should not return an error: %v", err)
}
}
func TestCheckBindMountOnProc(t *testing.T) {
m := mountEntry{
Mount: &configs.Mount{
Destination: "/proc",
Source: "/proc/self",
Device: "bind",
Flags: unix.MS_BIND,
},
}
dest := "/rootfs/proc/"
err := checkProcMount("/rootfs", dest, m)
if err != nil {
t.Fatalf("bind-mount of procfs on top of /proc should not return an error: %v", err)
}
}
func TestCheckMountDestInSys(t *testing.T) {
m := mountEntry{
Mount: &configs.Mount{
Destination: "/sys/fs/cgroup",
Source: "tmpfs",
Device: "tmpfs",
},
}
dest := "/rootfs//sys/fs/cgroup"
err := checkProcMount("/rootfs", dest, m)
if err != nil {
t.Fatalf("destination inside /sys should not return an error: %v", err)
}
}
func TestCheckMountDestFalsePositive(t *testing.T) {
m := mountEntry{
Mount: &configs.Mount{
Destination: "/sysfiles/fs/cgroup",
Source: "tmpfs",
Device: "tmpfs",
},
}
dest := "/rootfs/sysfiles/fs/cgroup"
err := checkProcMount("/rootfs", dest, m)
if err != nil {
t.Fatal(err)
}
}
func TestCheckMountDestNsLastPid(t *testing.T) {
m := mountEntry{
Mount: &configs.Mount{
Destination: "/proc/sys/kernel/ns_last_pid",
Source: "lxcfs",
Device: "fuse.lxcfs",
},
}
dest := "/rootfs/proc/sys/kernel/ns_last_pid"
err := checkProcMount("/rootfs", dest, m)
if err != nil {
t.Fatalf("/proc/sys/kernel/ns_last_pid should not return an error: %v", err)
}
}
func TestNeedsSetupDev(t *testing.T) {
config := &configs.Config{
Mounts: []*configs.Mount{
{
Device: "bind",
Source: "/dev",
Destination: "/dev",
},
},
}
if needsSetupDev(config) {
t.Fatal("expected needsSetupDev to be false, got true")
}
}
func TestNeedsSetupDevStrangeSource(t *testing.T) {
config := &configs.Config{
Mounts: []*configs.Mount{
{
Device: "bind",
Source: "/devx",
Destination: "/dev",
},
},
}
if needsSetupDev(config) {
t.Fatal("expected needsSetupDev to be false, got true")
}
}
func TestNeedsSetupDevStrangeDest(t *testing.T) {
config := &configs.Config{
Mounts: []*configs.Mount{
{
Device: "bind",
Source: "/dev",
Destination: "/devx",
},
},
}
if !needsSetupDev(config) {
t.Fatal("expected needsSetupDev to be true, got false")
}
}
func TestNeedsSetupDevStrangeSourceDest(t *testing.T) {
config := &configs.Config{
Mounts: []*configs.Mount{
{
Device: "bind",
Source: "/devx",
Destination: "/devx",
},
},
}
if !needsSetupDev(config) {
t.Fatal("expected needsSetupDev to be true, got false")
}
}
Reference in New Issue View Git Blame Copy Permalink