;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015 David Thompson <davet@gnu.org>
;;; Copyright © 2016, 2017, 2019, 2023 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
(define-module (test-containers)
#:use-module (guix utils)
#:use-module (guix build syscalls)
#:use-module (gnu build linux-container)
#:use-module ((gnu system linux-container)
#:select (eval/container))
#:use-module (gnu system file-systems)
#:use-module (guix store)
#:use-module (guix monads)
#:use-module (guix gexp)
#:use-module (guix derivations)
#:use-module (guix tests)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-64)
#:use-module (ice-9 match)
#:use-module ((ice-9 ftw) #:select (scandir)))
(define (assert-exit x)
(primitive-exit (if x 0 1)))
(test-begin "containers")
;; Skip these tests unless user namespaces are available and the setgroups
;; file (introduced in Linux 3.19 to address a security issue) exists.
(define (skip-if-unsupported)
(unless (and (user-namespace-supported?)
(unprivileged-user-namespace-supported?)
(setgroups-supported?))
(test-skip 1)))
(skip-if-unsupported)
(test-assert "call-with-container, exit with 0 when there is no error"
(zero?
(call-with-container '() (const #t) #:namespaces '(user))))
(skip-if-unsupported)
(test-assert "call-with-container, user namespace"
(zero?
(call-with-container '()
(lambda ()
;; The user is root within the new user namespace.
(assert-exit (and (zero? (getuid)) (zero? (getgid)))))
#:namespaces '(user))))
(skip-if-unsupported)
(test-assert "call-with-container, user namespace, guest UID/GID"
(zero?
(call-with-container '()
(lambda ()
(assert-exit (and (= 42 (getuid)) (= 77 (getgid)))))
#:guest-uid 42
#:guest-gid 77
#:namespaces '(user))))
(skip-if-unsupported)
(test-assert "call-with-container, uts namespace"
(zero?
(call-with-container '()
(lambda ()
;; The user is root within the container and should be able to change
;; the hostname of that container.
(sethostname "test-container")
(primitive-exit 0))
#:namespaces '(user uts))))
(skip-if-unsupported)
(test-assert "call-with-container, pid namespace"
(zero?
(call-with-container '()
(lambda ()
(match (primitive-fork)
(0
;; The first forked process in the new pid namespace is pid 2.
(assert-exit (= 2 (getpid))))
(pid
(primitive-exit
(match (waitpid pid)
((_ . status)
(status:exit-val status)))))))
#:namespaces '(user pid))))
(skip-if-unsupported)
(test-assert "call-with-container, mnt namespace"
(zero?
(call-with-container (list (file-system
(device "none")
(mount-point "/testing")
(type "tmpfs")
(check? #f)))
(lambda ()
(assert-exit (file-exists? "/testing")))
#:namespaces '(user mnt))))
(skip-if-unsupported)
(test-equal "call-with-container, mnt namespace, wrong bind mount"
`(system-error ,ENOENT)
;; An exception should be raised; see <http://bugs.gnu.org/23306>.
(catch 'system-error
(lambda ()
(call-with-container (list (file-system
(device "/does-not-exist")
(mount-point "/foo")
(type "none")
(flags '(bind-mount))
(check? #f)))
(const #t)
#:namespaces '(user mnt)))
(lambda args
(list 'system-error (system-error-errno args)))))
(skip-if-unsupported)
(test-assert "call-with-container, all namespaces"
(zero?
(call-with-container '()
(lambda ()
(primitive-exit 0)))))
(skip-if-unsupported)
(test-assert "call-with-container, mnt namespace, root permissions"
(zero?
(call-with-container '()
(lambda ()
(assert-exit (= #o755 (stat:perms (lstat "/")))))
#:namespaces '(user mnt))))
(skip-if-unsupported)
(test-assert "container-excursion"
(call-with-temporary-directory
(lambda (root)
;; Two pipes: One for the container to signal that the test can begin,
;; and one for the parent to signal to the container that the test is
;; over.
(match (list (pipe) (pipe))
(((start-in . start-out) (end-in . end-out))
(define (container)
(close end-out)
(close start-in)
;; Signal for the test to start.
(write 'ready start-out)
(close start-out)
;; Wait for test completion.
(read end-in)
(close end-in))
(define (namespaces pid)
(let ((pid (number->string pid)))
(map (lambda (ns)
(readlink (string-append "/proc/" pid "/ns/" ns)))
'("user" "ipc" "uts" "net" "pid" "mnt"))))
(let* ((pid (run-container root '() %namespaces 1 container))
(container-namespaces (namespaces pid))
(result
(begin
(close start-out)
;; Wait for container to be ready.
(read start-in)
(close start-in)
(container-excursion pid
(lambda ()
;; Check that all of the namespace identifiers are
;; the same as the container process.
(assert-exit
(equal? container-namespaces
(namespaces (getpid)))))))))
(close end-in)
;; Stop the container.
(write 'done end-out)
(close end-out)
(waitpid pid)
(zero? result)))))))
(skip-if-unsupported)
(test-equal "container-excursion, same namespaces"
42
;; The parent and child are in the same namespaces. 'container-excursion'
;; should notice that and avoid calling 'setns' since that would fail.
(status:exit-val
(container-excursion (getpid)
(lambda ()
(primitive-exit 42)))))
(skip-if-unsupported)
(test-assert "container-excursion*"
(call-with-temporary-directory
(lambda (root)
(define (namespaces pid)
(let ((pid (number->string pid)))
(map (lambda (ns)
(readlink (string-append "/proc/" pid "/ns/" ns)))
'("user" "ipc" "uts" "net" "pid" "mnt"))))
(let* ((pid (run-container root '()
%namespaces 1
(lambda ()
(sleep 100))))
(expected (namespaces pid))
(result (container-excursion* pid
(lambda ()
(namespaces 1)))))
(kill pid SIGKILL)
(equal? result expected)))))
(skip-if-unsupported)
(test-equal "container-excursion*, same namespaces"
42
(container-excursion* (getpid)
(lambda ()
(* 6 7))))
(skip-if-unsupported)
(test-equal "container-excursion*, /proc"
'("1" "2")
(call-with-temporary-directory
(lambda (root)
(let* ((pid (run-container root '()
%namespaces 1
(lambda ()
(sleep 100))))
(result (container-excursion* pid
(lambda ()
;; We expect to see exactly two processes in this
;; namespace.
(scandir "/proc"
(lambda (file)
(char-set-contains?
char-set:digit
(string-ref file 0))))))))
(kill pid SIGKILL)
result))))
(skip-if-unsupported)
(test-equal "eval/container, exit status"
42
(let* ((store (open-connection-for-tests))
(status (run-with-store store
(eval/container #~(exit 42)))))
(close-connection store)
(status:exit-val status)))
(skip-if-unsupported)
(test-assert "eval/container, writable user mapping"
(call-with-temporary-directory
(lambda (directory)
(define store
(open-connection-for-tests))
(define result
(string-append directory "/r"))
(define requisites*
(store-lift requisites))
(call-with-output-file result (const #t))
(run-with-store store
(mlet %store-monad ((status (eval/container
#~(begin
(use-modules (ice-9 ftw))
(call-with-output-file "/result"
(lambda (port)
(write (scandir #$(%store-prefix))
port))))
#:mappings
(list (file-system-mapping
(source result)
(target "/result")
(writable? #t)))))
(reqs (requisites*
(list (derivation->output-path
(%guile-for-build))))))
(close-connection store)
(return (and (zero? (pk 'status status))
(lset= string=? (cons* "." ".." (map basename reqs))
(pk (call-with-input-file result read))))))))))
(skip-if-unsupported)
(test-assert "eval/container, non-empty load path"
(call-with-temporary-directory
(lambda (directory)
(define store
(open-connection-for-tests))
(define result
(string-append directory "/r"))
(define requisites*
(store-lift requisites))
(mkdir result)
(run-with-store store
(mlet %store-monad ((status (eval/container
(with-imported-modules '((guix build utils))
#~(begin
(use-modules (guix build utils))
(mkdir-p "/result/a/b/c")))
#:mappings
(list (file-system-mapping
(source result)
(target "/result")
(writable? #t))))))
(close-connection store)
(return (and (zero? status)
(file-is-directory?
(string-append result "/a/b/c")))))))))
(test-end)
