aboutsummaryrefslogtreecommitdiff
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015 David Thompson <davet@gnu.org>
;;; Copyright © 2016, 2017, 2019, 2023 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (test-containers)
  #:use-module (guix utils)
  #:use-module (guix build syscalls)
  #:use-module (gnu build linux-container)
  #:use-module ((gnu system linux-container)
                #:select (eval/container))
  #:use-module (gnu system file-systems)
  #:use-module (guix store)
  #:use-module (guix monads)
  #:use-module (guix gexp)
  #:use-module (guix derivations)
  #:use-module (guix tests)
  #:use-module (srfi srfi-1)
  #:use-module (srfi srfi-64)
  #:use-module (ice-9 match)
  #:use-module ((ice-9 ftw) #:select (scandir)))

(define (assert-exit x)
  (primitive-exit (if x 0 1)))

(test-begin "containers")

;; Skip these tests unless user namespaces are available and the setgroups
;; file (introduced in Linux 3.19 to address a security issue) exists.
(define (skip-if-unsupported)
  (unless (and (user-namespace-supported?)
               (unprivileged-user-namespace-supported?)
               (setgroups-supported?))
    (test-skip 1)))

(skip-if-unsupported)
(test-assert "call-with-container, exit with 0 when there is no error"
  (zero?
   (call-with-container '() (const #t) #:namespaces '(user))))

(skip-if-unsupported)
(test-assert "call-with-container, user namespace"
  (zero?
   (call-with-container '()
     (lambda ()
       ;; The user is root within the new user namespace.
       (assert-exit (and (zero? (getuid)) (zero? (getgid)))))
     #:namespaces '(user))))

(skip-if-unsupported)
(test-assert "call-with-container, user namespace, guest UID/GID"
  (zero?
   (call-with-container '()
     (lambda ()
       (assert-exit (and (= 42 (getuid)) (= 77 (getgid)))))
     #:guest-uid 42
     #:guest-gid 77
     #:namespaces '(user))))

(skip-if-unsupported)
(test-assert "call-with-container, uts namespace"
  (zero?
   (call-with-container '()
     (lambda ()
       ;; The user is root within the container and should be able to change
       ;; the hostname of that container.
       (sethostname "test-container")
       (primitive-exit 0))
     #:namespaces '(user uts))))

(skip-if-unsupported)
(test-assert "call-with-container, pid namespace"
  (zero?
   (call-with-container '()
     (lambda ()
       (match (primitive-fork)
         (0
          ;; The first forked process in the new pid namespace is pid 2.
          (assert-exit (= 2 (getpid))))
         (pid
          (primitive-exit
           (match (waitpid pid)
             ((_ . status)
              (status:exit-val status)))))))
     #:namespaces '(user pid))))

(skip-if-unsupported)
(test-assert "call-with-container, mnt namespace"
  (zero?
   (call-with-container (list (file-system
                                (device "none")
                                (mount-point "/testing")
                                (type "tmpfs")
                                (check? #f)))
     (lambda ()
       (assert-exit (file-exists? "/testing")))
     #:namespaces '(user mnt))))

(skip-if-unsupported)
(test-equal "call-with-container, mnt namespace, wrong bind mount"
  `(system-error ,ENOENT)
  ;; An exception should be raised; see <http://bugs.gnu.org/23306>.
  (catch 'system-error
    (lambda ()
      (call-with-container (list (file-system
                                   (device "/does-not-exist")
                                   (mount-point "/foo")
                                   (type "none")
                                   (flags '(bind-mount))
                                   (check? #f)))
        (const #t)
        #:namespaces '(user mnt)))
    (lambda args
      (list 'system-error (system-error-errno args)))))

(skip-if-unsupported)
(test-assert "call-with-container, all namespaces"
  (zero?
   (call-with-container '()
     (lambda ()
       (primitive-exit 0)))))

(skip-if-unsupported)
(test-assert "call-with-container, mnt namespace, root permissions"
  (zero?
   (call-with-container '()
     (lambda ()
       (assert-exit (= #o755 (stat:perms (lstat "/")))))
     #:namespaces '(user mnt))))

(skip-if-unsupported)
(test-assert "container-excursion"
  (call-with-temporary-directory
   (lambda (root)
     ;; Two pipes: One for the container to signal that the test can begin,
     ;; and one for the parent to signal to the container that the test is
     ;; over.
     (match (list (pipe) (pipe))
       (((start-in . start-out) (end-in . end-out))
        (define (container)
          (close end-out)
          (close start-in)
          ;; Signal for the test to start.
          (write 'ready start-out)
          (close start-out)
          ;; Wait for test completion.
          (read end-in)
          (close end-in))

        (define (namespaces pid)
          (let ((pid (number->string pid)))
            (map (lambda (ns)
                   (readlink (string-append "/proc/" pid "/ns/" ns)))
                 '("user" "ipc" "uts" "net" "pid" "mnt"))))

        (let* ((pid (run-container root '() %namespaces 1 container))
               (container-namespaces (namespaces pid))
               (result
                (begin
                  (close start-out)
                  ;; Wait for container to be ready.
                  (read start-in)
                  (close start-in)
                  (container-excursion pid
                    (lambda ()
                      ;; Check that all of the namespace identifiers are
                      ;; the same as the container process.
                      (assert-exit
                       (equal? container-namespaces
                               (namespaces (getpid)))))))))
          (close end-in)
          ;; Stop the container.
          (write 'done end-out)
          (close end-out)
          (waitpid pid)
          (zero? result)))))))

(skip-if-unsupported)
(test-equal "container-excursion, same namespaces"
  42
  ;; The parent and child are in the same namespaces.  'container-excursion'
  ;; should notice that and avoid calling 'setns' since that would fail.
  (status:exit-val
   (container-excursion (getpid)
     (lambda ()
       (primitive-exit 42)))))

(skip-if-unsupported)
(test-assert "container-excursion*"
  (call-with-temporary-directory
   (lambda (root)
     (define (namespaces pid)
       (let ((pid (number->string pid)))
         (map (lambda (ns)
                (readlink (string-append "/proc/" pid "/ns/" ns)))
              '("user" "ipc" "uts" "net" "pid" "mnt"))))

     (let* ((pid    (run-container root '()
                                   %namespaces 1
                                   (lambda ()
                                     (sleep 100))))
            (expected (namespaces pid))
            (result (container-excursion* pid
                      (lambda ()
                        (namespaces 1)))))
       (kill pid SIGKILL)
       (equal? result expected)))))

(skip-if-unsupported)
(test-equal "container-excursion*, same namespaces"
  42
  (container-excursion* (getpid)
    (lambda ()
      (* 6 7))))

(skip-if-unsupported)
(test-equal "container-excursion*, /proc"
  '("1" "2")
  (call-with-temporary-directory
   (lambda (root)
     (let* ((pid    (run-container root '()
                                   %namespaces 1
                                   (lambda ()
                                     (sleep 100))))
            (result (container-excursion* pid
                      (lambda ()
                        ;; We expect to see exactly two processes in this
                        ;; namespace.
                        (scandir "/proc"
                                 (lambda (file)
                                   (char-set-contains?
                                    char-set:digit
                                    (string-ref file 0))))))))
       (kill pid SIGKILL)
       result))))

(skip-if-unsupported)
(test-equal "eval/container, exit status"
  42
  (let* ((store  (open-connection-for-tests))
         (status (run-with-store store
                   (eval/container #~(exit 42)))))
    (close-connection store)
    (status:exit-val status)))

(skip-if-unsupported)
(test-assert "eval/container, writable user mapping"
  (call-with-temporary-directory
   (lambda (directory)
     (define store
       (open-connection-for-tests))
     (define result
       (string-append directory "/r"))
     (define requisites*
       (store-lift requisites))

     (call-with-output-file result (const #t))
     (run-with-store store
       (mlet %store-monad ((status (eval/container
                                    #~(begin
                                        (use-modules (ice-9 ftw))
                                        (call-with-output-file "/result"
                                          (lambda (port)
                                            (write (scandir #$(%store-prefix))
                                                   port))))
                                    #:mappings
                                    (list (file-system-mapping
                                           (source result)
                                           (target "/result")
                                           (writable? #t)))))
                           (reqs   (requisites*
                                    (list (derivation->output-path
                                           (%guile-for-build))))))
         (close-connection store)
         (return (and (zero? (pk 'status status))
                      (lset= string=? (cons* "." ".." (map basename reqs))
                             (pk (call-with-input-file result read))))))))))

(skip-if-unsupported)
(test-assert "eval/container, non-empty load path"
  (call-with-temporary-directory
   (lambda (directory)
     (define store
       (open-connection-for-tests))
     (define result
       (string-append directory "/r"))
     (define requisites*
       (store-lift requisites))

     (mkdir result)
     (run-with-store store
       (mlet %store-monad ((status (eval/container
                                    (with-imported-modules '((guix build utils))
                                      #~(begin
                                          (use-modules (guix build utils))
                                          (mkdir-p "/result/a/b/c")))
                                    #:mappings
                                    (list (file-system-mapping
                                           (source result)
                                           (target "/result")
                                           (writable? #t))))))
         (close-connection store)
         (return (and (zero? status)
                      (file-is-directory?
                       (string-append result "/a/b/c")))))))))

(test-end)
generated by cgit
cairo): Deprecate. (guile-present): Switch to GUILE-3.0. (guile2.2-present): New variable. (guile3.0-present): Deprecate. (guile-gnome)[propagated-inputs]: Use GUILE2.2-CAIRO and GUILE2.2-LIB. * gnu/packages/guile-xyz.scm (guile-fibers)[arguments]: Add #:configure-flags. Switch to GUILE-3.0. (guile2.2-fibers): New variable. (guile3.0-fibers): Deprecate. (guile-syntax-highlight): Switch to GUILE-3.0. (guile2.2-syntax-highlight): New variable. (guile3.0-syntax-highlight): Deprecate. (guile-colorized): Switch to GUILE-3.0. (guile2.2-colorized): New variable. (guile3.0-colorized): Deprecate. (guile-pfds): Switch to GUILE-3.0. (guile2.2-pfds): New variable. (guile3.0-pfds): Deprecate. (guile-simple-zmq): Switch to GUILE-3.0. (guile2.2-simple-zmq): New variable. (guile3.0-simple-zmq): Deprecate. (guile-newt): Switch to GUILE-3.0. (guile2.2-newt): New variable. (guile3.0-newt): Deprecate. (guile-parted): Switch to GUILE-3.0. (guile2.2-parted): New variable. (guile3.0-parted): Deprecate. (guile-config): Switch to GUILE-3.0. (guile2.2-config): New variable. (guile3.0-config): Deprecate. (guile-hall): Switch to GUILE-3.0. (guile2.2-hall): New variable. (guile3.0-hall): Deprecate. (guile-ics): Switch to GUILE-3.0. (guile2.2-ics): New variable. (guile3.0-ics): Deprecate. (guile-wisp)[arguments]: Add 'support-guile-3.0' phase. Switch to GUILE-3.0. (guile2.2-wisp): New variable. (guile3.0-wisp): Deprecate. (guile-lib): Switch to GUILE-3.0. (guile2.2-lib): New variable. (guile3.0-lib): Deprecate. (guile-minikanren): Switch to GUILE-3.0. (guile2.2-minikanren): New variable. (guile3.0-minikanren): Deprecate. (guile-irregex): Switch to GUILE-3.0. (guile2.2-irregex): New variable. (guile3.0-irregex): Deprecate. (haunt): Switch to GUILE-3.0, and remove GUILE-READER. (guile2.2-haunt): New variable. (guile3.0-haunt): Deprecate. (guile-commonmark): Switch to GUILE-3.0. (guile2.2-commonmark): New variable. (guile3.0-commonmark): Deprecate. (mcron): Switch to GUILE-3.0. (guile2.0-mcron): New variable. (guile3.0-mcron): Deprecate. (guile-picture-language): Switch to GUILE-3.0. (guile2.2-picture-language): New variable. (guile3.0-picture-language): Deprecate. (guile-gi): Switch to GUILE-3.0. (guile2.2-gi): New variable. (guile3.0-gi): Deprecate. (guile-hashing): Switch to GUILE-3.0. (guile2.2-hashing): New variable. (guile3.0-hashing): Deprecate. * gnu/packages/package-management.scm (guix): Switch to GUILE-3.0. (guile2.2-guix): New variable. (guile3.0-guix): Deprecate. (gwl): Replace "guile3.0-" with "guile-". (guix-jupyter)[source]: Adjust for Guile 3.0. Switch to GUILE-3.0. * gnu/packages/ssh.scm (guile-ssh): Switch to GUILE-3.0. (guile2.2-ssh): New variable. (guile3.0-ssh): Deprecate. * gnu/packages/admin.scm (shepherd): Switch to GUILE-3.0. (guile2.2-shepherd): New variable. (guile3.0-shepherd): Deprecate. * gnu/packages/mail.scm (mailutils): Switch to GUILE-3.0. (guile2.2-mailutils): New variable. (guile3.0-mailutils): Deprecate. * gnu/packages/plotutils.scm (guile-charting): Switch to GUILE-3.0. (guile2.2-charting): New variable. (guile3.0-charting): Deprecate. * gnu/packages/version-control.scm (libgit2): Switch to GUILE-3.0. * gnu/packages/vpn.scm (vpnc-scripts): Switch to GUILE-3.0. * gnu/packages/web.scm (guix-data-service): Switch to GUILE-3.0. (hpcguix-web): Switch to GUILE-3.0. * guix/self.scm (specification->package): Refer to the "guile-" variants instead of "guile3.0-". * guix/gexp.scm (default-guile): Change to GUILE-3.0. * build-aux/build-self.scm (build): #:guile-version defaults to "3.0". * gnu/packages/commencement.scm (guile-final): Base on GUILE-3.0/FIXED. Ludovic Courtès 2020-02-20build-self: Show wider backtraces....* build-aux/build-self.scm (build): Add 'setenv' call for "COLUMNS". Ludovic Courtès 2019-07-16Use more guix.gnu.org....* build-aux/build-self.scm (make-config.scm): Replace gnu.org/s/guix with guix.gnu.org. * guix/scripts/publish.scm (render-home-page): Likewise. * guix/self.scm (make-config.scm): Likewise. Tobias Geerinckx-Rice 2019-05-12build-self: Let HOME pass through the execution environment....This is a followup to 48d498c2c3984784336b27ba5e261319f3ac6a3a, which introduced a typo (missing '->' in 'mlet'.) Fixes <https://bugs.gnu.org/35623>. Reported by Karrick McDermott <kmcdermott@linkedin.com>. * build-aux/build-self.scm (build): Add 'getenv' and 'setenv' calls for HOME. Ludovic Courtès 2019-05-11Revert "build-self: Let HOME pass through the execution environment."...This reverts commit 48d498c2c3984784336b27ba5e261319f3ac6a3a. It breaks ‘guix pull’. Tobias Geerinckx-Rice 2019-05-11build-self: Let HOME pass through the execution environment....Fixes <https://bugs.gnu.org/35623>. Reported by Karrick McDermott <kmcdermott@linkedin.com>. * build-aux/build-self.scm (build): Add 'getenv' and 'setenv' calls for HOME. Ludovic Courtès 2019-04-23build-self: Explain why we keep using deprecated bindings....* build-aux/build-self.scm (build): Add comment regarding the deprecated names. Ludovic Courtès 2019-04-23Revert "build-self: Avoid deprecated bindings."...This reverts commit fa9e6e8b676ca920a894cf3b48bfcb670077144f. By using the new bindings, we would prevent users of Guix prior to de9fbe9cdcf5f8deb08becfc54b523084fd67bda, such as version 0.16.0, to upgrade to current master. Thus, we will keep using the old names for a while. Ludovic Courtès 2019-04-22build-self: Avoid deprecated bindings....* build-aux/build-self.scm (build): Replace references to nix-server-* with store-connection-*. Mark H Weaver 2019-04-17self: Remove unused variable....This variable is unused since commit 45779fa676419de8838cb26b6c7a24678a2be1cd. * guix/self.scm (%dependency-variables): Remove. * build-aux/build-self.scm (%dependency-variables): Remove. Ludovic Courtès 2019-03-26build-self: Disable position recording....'guix pull -n' goes roughly from 40s to 35s. * build-aux/build-self.scm (build-program): Add call to 'read-disable'. Ludovic Courtès 2019-02-04daemon: Rename 'NIX_STATE_DIR' and 'NIX_DB_DIR' environment variables....Fixes <https://bugs.gnu.org/22459>. Reported by Jeff Mickey <j@codemac.net>. * guix/config.scm.in (%state-directory): Change NIX_STATE_DIR to GUIX_STATE_DIRECTORY. (%store-database-directory): Change NIX_DB_DIR to GUIX_DATABASE_DIRECTORY. * nix/libstore/globals.cc (Settings::processEnvironment): Likewise. * guix/self.scm (make-config.scm): Likewise. * build-aux/build-self.scm (make-config.scm): Likewise. * build-aux/test-env.in: Likewise. * tests/derivations.scm ("derivation #:leaked-env-vars"): Likewise. * tests/guix-build.sh (GUIX_DAEMON_SOCKET): Likewise. * tests/guix-daemon.sh (socket): Likewise. Ludovic Courtès 2019-01-21build-self: Execute trampoline in a clean environment....Previously execution of the trampoline would be somewhat sensitive to GUILE_LOAD_PATH & co., for example. * build-aux/build-self.scm (build-program): Remove 'unsetenv' call and %LOAD-COMPILED-PATH hack. (call-with-clean-environment): New procedure. (with-clean-environment): New macro. (build): Wrap 'open-pipe*' call in 'with-clean-environment'. Ludovic Courtès 2019-01-08build-self: Spin only on TTYs....* build-aux/build-self.scm (build-program): Spin only when 'isatty?' returns true. Ludovic Courtès 2019-01-06build-self: Don't clobber the output port....The newline is meant to follow the spinner's traces so it must go to the error port as well. * build-aux/build-self.scm (build): Send newline to the error port. Ludovic Courtès 2018-09-13Merge branch 'master' into core-updatesLeo Famulari 2018-09-13build-self: Emit a useful message upon error....* build-aux/build-self.scm (build): Raise a '&message' condition instead of calling 'error'. Ludovic Courtès 2018-09-13build-self: Add a dummy (git) module to 'compute-guix-derivation'....Fixes a regression introduced in aed0a594058a59bc3bb1d2686391dc0e8a181b1f. * build-aux/build-self.scm (build-program)[fake-git]: New variable. Use it as an imported module. Ludovic Courtès 2018-09-09Merge branch 'master' into core-updatesMarius Bakke 2018-09-06build-self: Accomodate upgrades from May 2016 and earlier....Reported by Paul Garlick <pgarlick@tourbillion-technology.com>. Fixes a bug whereby "old" Guix instances (before mid-May 2018) would fail to pull to current master. Specifically, Paul reported being unable to upgrade from 6f84dc4314cd84550d9fc7e7afa11c495edc45a5 (a commit that predates that addition of the 'bootstrap' phase on gnu-build-system on 'master' and that also predates the new 'guix pull'.) * build-aux/build-self.scm (guile-gcrypt)[arguments]: New field. Ludovic Courtès 2018-09-04Switch to Guile-Gcrypt....This removes (guix hash) and (guix pk-crypto), which now live as part of Guile-Gcrypt (version 0.1.0.) * guix/gcrypt.scm, guix/hash.scm, guix/pk-crypto.scm, tests/hash.scm, tests/pk-crypto.scm: Remove. * configure.ac: Test for Guile-Gcrypt. Remove LIBGCRYPT and LIBGCRYPT_LIBDIR assignments. * m4/guix.m4 (GUIX_ASSERT_LIBGCRYPT_USABLE): Remove. * README: Add Guile-Gcrypt to the dependencies; move libgcrypt as "required unless --disable-daemon". * doc/guix.texi (Requirements): Likewise. * gnu/packages/bash.scm, guix/derivations.scm, guix/docker.scm, guix/git.scm, guix/http-client.scm, guix/import/cpan.scm, guix/import/cran.scm, guix/import/crate.scm, guix/import/elpa.scm, guix/import/gnu.scm, guix/import/hackage.scm, guix/import/texlive.scm, guix/import/utils.scm, guix/nar.scm, guix/pki.scm, guix/scripts/archive.scm, guix/scripts/authenticate.scm, guix/scripts/download.scm, guix/scripts/hash.scm, guix/scripts/pack.scm, guix/scripts/publish.scm, guix/scripts/refresh.scm, guix/scripts/substitute.scm, guix/store.scm, guix/store/deduplication.scm, guix/tests.scm, tests/base32.scm, tests/builders.scm, tests/challenge.scm, tests/cpan.scm, tests/crate.scm, tests/derivations.scm, tests/gem.scm, tests/nar.scm, tests/opam.scm, tests/pki.scm, tests/publish.scm, tests/pypi.scm, tests/store-deduplication.scm, tests/store.scm, tests/substitute.scm: Adjust imports. * gnu/system/vm.scm: Likewise. (guile-sqlite3&co): Rename to... (gcrypt-sqlite3&co): ... this. Add GUILE-GCRYPT. (expression->derivation-in-linux-vm)[config]: Remove. (iso9660-image)[config]: Remove. (qemu-image)[config]: Remove. (system-docker-image)[config]: Remove. * guix/scripts/pack.scm: Adjust imports. (guile-sqlite3&co): Rename to... (gcrypt-sqlite3&co): ... this. Add GUILE-GCRYPT. (self-contained-tarball)[build]: Call 'make-config.scm' without #:libgcrypt argument. (squashfs-image)[libgcrypt]: Remove. [build]: Call 'make-config.scm' without #:libgcrypt. (docker-image)[config, json]: Remove. [build]: Add GUILE-GCRYPT to the extensions Remove (guix config) from the imported modules. * guix/self.scm (specification->package): Remove "libgcrypt", add "guile-gcrypt". (compiled-guix): Remove #:libgcrypt. [guile-gcrypt]: New variable. [dependencies]: Add it. [*core-modules*]: Remove #:libgcrypt from 'make-config.scm' call. Add #:extensions. [*config*]: Remove #:libgcrypt from 'make-config.scm' call. (%dependency-variables): Remove %libgcrypt. (make-config.scm): Remove #:libgcrypt. * build-aux/build-self.scm (guile-gcrypt): New variable. (make-config.scm): Remove #:libgcrypt. (build-program)[fake-gcrypt-hash]: New variable. Add (gcrypt hash) to the imported modules. Adjust load path assignments. * gnu/packages/package-management.scm (guix)[propagated-inputs]: Add GUILE-GCRYPT. [arguments]: In 'wrap-program' phase, add GUILE-GCRYPT to the search path. Ludovic Courtès