;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2014, 2015, 2016, 2017 Ludovic Courtès ;;; Copyright © 2016 David Craven ;;; Copyright © 2016 Julien Lepiller ;;; Copyright © 2017 Clément Lassieur ;;; ;;; This file is part of GNU Guix. ;;; ;;; GNU Guix is free software; you can redistribute it and/or modify it ;;; under the terms of the GNU General Public License as published by ;;; the Free Software Foundation; either version 3 of the License, or (at ;;; your option) any later version. ;;; ;;; GNU Guix is distributed in the hope that it will be useful, but ;;; WITHOUT ANY WARRANTY; without even the implied warranty of ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ;;; GNU General Public License for more details. ;;; ;;; You should have received a copy of the GNU General Public License ;;; along with GNU Guix. If not, see . (define-modu
aboutsummaryrefslogtreecommitdiff
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015 David Thompson <davet@gnu.org>
;;; Copyright © 2016, 2017, 2019, 2023 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (test-containers)
  #:use-module (guix utils)
  #:use-module (guix build syscalls)
  #:use-module (gnu build linux-container)
  #:use-module ((gnu system linux-container)
                #:select (eval/container))
  #:use-module (gnu system file-systems)
  #:use-module (guix store)
  #:use-module (guix monads)
  #:use-module (guix gexp)
  #:use-module (guix derivations)
  #:use-module (guix tests)
  #:use-module (srfi srfi-1)
  #:use-module (srfi srfi-64)
  #:use-module (ice-9 match)
  #:use-module ((ice-9 ftw) #:select (scandir)))

(define (assert-exit x)
  (primitive-exit (if x 0 1)))

(test-begin "containers")

;; Skip these tests unless user namespaces are available and the setgroups
;; file (introduced in Linux 3.19 to address a security issue) exists.
(define (skip-if-unsupported)
  (unless (and (user-namespace-supported?)
               (unprivileged-user-namespace-supported?)
               (setgroups-supported?))
    (test-skip 1)))

(skip-if-unsupported)
(test-assert "call-with-container, exit with 0 when there is no error"
  (zero?
   (call-with-container '() (const #t) #:namespaces '(user))))

(skip-if-unsupported)
(test-assert "call-with-container, user namespace"
  (zero?
   (call-with-container '()
     (lambda ()
       ;; The user is root within the new user namespace.
       (assert-exit (and (zero? (getuid)) (zero? (getgid)))))
     #:namespaces '(user))))

(skip-if-unsupported)
(test-assert "call-with-container, user namespace, guest UID/GID"
  (zero?
   (call-with-container '()
     (lambda ()
       (assert-exit (and (= 42 (getuid)) (= 77 (getgid)))))
     #:guest-uid 42
     #:guest-gid 77
     #:namespaces '(user))))

(skip-if-unsupported)
(test-assert "call-with-container, uts namespace"
  (zero?
   (call-with-container '()
     (lambda ()
       ;; The user is root within the container and should be able to change
       ;; the hostname of that container.
       (sethostname "test-container")
       (primitive-exit 0))
     #:namespaces '(user uts))))

(skip-if-unsupported)
(test-assert "call-with-container, pid namespace"
  (zero?
   (call-with-container '()
     (lambda ()
       (match (primitive-fork)
         (0
          ;; The first forked process in the new pid namespace is pid 2.
          (assert-exit (= 2 (getpid))))
         (pid
          (primitive-exit
           (match (waitpid pid)
             ((_ . status)
              (status:exit-val status)))))))
     #:namespaces '(user pid))))

(skip-if-unsupported)
(test-assert "call-with-container, mnt namespace"
  (zero?
   (call-with-container (list (file-system
                                (device "none")
                                (mount-point "/testing")
                                (type "tmpfs")
                                (check? #f)))
     (lambda ()
       (assert-exit (file-exists? "/testing")))
     #:namespaces '(user mnt))))

(skip-if-unsupported)
(test-equal "call-with-container, mnt namespace, wrong bind mount"
  `(system-error ,ENOENT)
  ;; An exception should be raised; see <http://bugs.gnu.org/23306>.
  (catch 'system-error
    (lambda ()
      (call-with-container (list (file-system
                                   (device "/does-not-exist")
                                   (mount-point "/foo")
                                   (type "none")
                                   (flags '(bind-mount))
                                   (check? #f)))
        (const #t)
        #:namespaces '(user mnt)))
    (lambda args
      (list 'system-error (system-error-errno args)))))

(skip-if-unsupported)
(test-assert "call-with-container, all namespaces"
  (zero?
   (call-with-container '()
     (lambda ()
       (primitive-exit 0)))))

(skip-if-unsupported)
(test-assert "call-with-container, mnt namespace, root permissions"
  (zero?
   (call-with-container '()
     (lambda ()
       (assert-exit (= #o755 (stat:perms (lstat "/")))))
     #:namespaces '(user mnt))))

(skip-if-unsupported)
(test-assert "container-excursion"
  (call-with-temporary-directory
   (lambda (root)
     ;; Two pipes: One for the container to signal that the test can begin,
     ;; and one for the parent to signal to the container that the test is
     ;; over.
     (match (list (pipe) (pipe))
       (((start-in . start-out) (end-in . end-out))
        (define (container)
          (close end-out)
          (close start-in)
          ;; Signal for the test to start.
          (write 'ready start-out)
          (close start-out)
          ;; Wait for test completion.
          (read end-in)
          (close end-in))

        (define (namespaces pid)
          (let ((pid (number->string pid)))
            (map (lambda (ns)
                   (readlink (string-append "/proc/" pid "/ns/" ns)))
                 '("user" "ipc" "uts" "net" "pid" "mnt"))))

        (let* ((pid (run-container root '() %namespaces 1 container))
               (container-namespaces (namespaces pid))
               (result
                (begin
                  (close start-out)
                  ;; Wait for container to be ready.
                  (read start-in)
                  (close start-in)
                  (container-excursion pid
                    (lambda ()
                      ;; Check that all of the namespace identifiers are
                      ;; the same as the container process.
                      (assert-exit
                       (equal? container-namespaces
                               (namespaces (getpid)))))))))
          (close end-in)
          ;; Stop the container.
          (write 'done end-out)
          (close end-out)
          (waitpid pid)
          (zero? result)))))))

(skip-if-unsupported)
(test-equal "container-excursion, same namespaces"
  42
  ;; The parent and child are in the same namespaces.  'container-excursion'
  ;; should notice that and avoid calling 'setns' since that would fail.
  (status:exit-val
   (container-excursion (getpid)
     (lambda ()
       (primitive-exit 42)))))

(skip-if-unsupported)
(test-assert "container-excursion*"
  (call-with-temporary-directory
   (lambda (root)
     (define (namespaces pid)
       (let ((pid (number->string pid)))
         (map (lambda (ns)
                (readlink (string-append "/proc/" pid "/ns/" ns)))
              '("user" "ipc" "uts" "net" "pid" "mnt"))))

     (let* ((pid    (run-container root '()
                                   %namespaces 1
                                   (lambda ()
                                     (sleep 100))))
            (expected (namespaces pid))
            (result (container-excursion* pid
                      (lambda ()
                        (namespaces 1)))))
       (kill pid SIGKILL)
       (equal? result expected)))))

(skip-if-unsupported)
(test-equal "container-excursion*, same namespaces"
  42
  (container-excursion* (getpid)
    (lambda ()
      (* 6 7))))

(skip-if-unsupported)
(test-equal "container-excursion*, /proc"
  '("1" "2")
  (call-with-temporary-directory
   (lambda (root)
     (let* ((pid    (run-container root '()
                                   %namespaces 1
                                   (lambda ()
                                     (sleep 100))))
            (result (container-excursion* pid
                      (lambda ()
                        ;; We expect to see exactly two processes in this
                        ;; namespace.
                        (scandir "/proc"
                                 (lambda (file)
                                   (char-set-contains?
                                    char-set:digit
                                    (string-ref file 0))))))))
       (kill pid SIGKILL)
       result))))

(skip-if-unsupported)
(test-equal "eval/container, exit status"
  42
  (let* ((store  (open-connection-for-tests))
         (status (run-with-store store
                   (eval/container #~(exit 42)))))
    (close-connection store)
    (status:exit-val status)))

(skip-if-unsupported)
(test-assert "eval/container, writable user mapping"
  (call-with-temporary-directory
   (lambda (directory)
     (define store
       (open-connection-for-tests))
     (define result
       (string-append directory "/r"))
     (define requisites*
       (store-lift requisites))

     (call-with-output-file result (const #t))
     (run-with-store store
       (mlet %store-monad ((status (eval/container
                                    #~(begin
                                        (use-modules (ice-9 ftw))
                                        (call-with-output-file "/result"
                                          (lambda (port)
                                            (write (scandir #$(%store-prefix))
                                                   port))))
                                    #:mappings
                                    (list (file-system-mapping
                                           (source result)
                                           (target "/result")
                                           (writable? #t)))))
                           (reqs   (requisites*
                                    (list (derivation->output-path
                                           (%guile-for-build))))))
         (close-connection store)
         (return (and (zero? (pk 'status status))
                      (lset= string=? (cons* "." ".." (map basename reqs))
                             (pk (call-with-input-file result read))))))))))

(skip-if-unsupported)
(test-assert "eval/container, non-empty load path"
  (call-with-temporary-directory
   (lambda (directory)
     (define store
       (open-connection-for-tests))
     (define result
       (string-append directory "/r"))
     (define requisites*
       (store-lift requisites))

     (mkdir result)
     (run-with-store store
       (mlet %store-monad ((status (eval/container
                                    (with-imported-modules '((guix build utils))
                                      #~(begin
                                          (use-modules (guix build utils))
                                          (mkdir-p "/result/a/b/c")))
                                    #:mappings
                                    (list (file-system-mapping
                                           (source result)
                                           (target "/result")
                                           (writable? #t))))))
         (close-connection store)
         (return (and (zero? status)
                      (file-is-directory?
                       (string-append result "/a/b/c")))))))))

(test-end)
h) (srfi srfi-26) (guix build utils)) (mkdir #$output) (for-each (match-lambda ((user keys ...) (let ((file (string-append #$output "/" user))) (call-with-output-file file (lambda (port) (for-each (lambda (key) (call-with-input-file key (cut dump-port <> port))) keys)))))) '#$keys)))) (computed-file "openssh-authorized-keys" build)) (define (openssh-config-file config) "Return the sshd configuration file corresponding to CONFIG." (computed-file "sshd_config" #~(begin (use-modules (ice-9 match)) (call-with-output-file #$output (lambda (port) (display "# Generated by 'openssh-service'.\n" port) (format port "Port ~a\n" #$(number->string (openssh-configuration-port-number config))) (format port "PermitRootLogin ~a\n" #$(match (openssh-configuration-permit-root-login config) (#t "yes") (#f "no") ('without-password "without-password"))) (format port "PermitEmptyPasswords ~a\n" #$(if (openssh-configuration-allow-empty-passwords? config) "yes" "no")) (format port "PasswordAuthentication ~a\n" #$(if (openssh-configuration-password-authentication? config) "yes" "no")) (format port "PubkeyAuthentication ~a\n" #$(if (openssh-configuration-public-key-authentication? config) "yes" "no")) (format port "X11Forwarding ~a\n" #$(if (openssh-configuration-x11-forwarding? config) "yes" "no")) (format port "PidFile ~a\n" #$(openssh-configuration-pid-file config)) (format port "ChallengeResponseAuthentication ~a\n" #$(if (openssh-challenge-response-authentication? config) "yes" "no")) (format port "UsePAM ~a\n" #$(if (openssh-configuration-use-pam? config) "yes" "no")) (format port "PrintLastLog ~a\n" #$(if (openssh-configuration-print-last-log? config) "yes" "no")) ;; Add '/etc/authorized_keys.d/%u', which we populate. (format port "AuthorizedKeysFile \ .ssh/authorized_keys .ssh/authorized_keys2 /etc/ssh/authorized_keys.d/%u\n") (for-each (match-lambda ((name command) (format port "Subsystem\t~a\t~a\n" name command))) '#$(openssh-configuration-subsystems config)) #t))))) (define (openssh-shepherd-service config) "Return a for openssh with CONFIG." (define pid-file (openssh-configuration-pid-file config)) (define openssh-command #~(list (string-append #$(openssh-configuration-openssh config) "/sbin/sshd") "-D" "-f" #$(openssh-config-file config))) (list (shepherd-service (documentation "OpenSSH server.") (requirement '(syslogd)) (provision '(ssh-daemon)) (start #~(make-forkexec-constructor #$openssh-command #:pid-file #$pid-file)) (stop #~(make-kill-destructor))))) (define (openssh-pam-services config) "Return a list of for sshd with CONFIG." (list (unix-pam-service "sshd" #:allow-empty-passwords? (openssh-configuration-allow-empty-passwords? config)))) (define (extend-openssh-authorized-keys config keys) "Extend CONFIG with the extra authorized keys listed in KEYS." (openssh-configuration (inherit config) (authorized-keys (append (openssh-authorized-keys config) keys)))) (define openssh-service-type (service-type (name 'openssh) (extensions (list (service-extension shepherd-root-service-type openssh-shepherd-service) (service-extension pam-root-service-type openssh-pam-services) (service-extension activation-service-type openssh-activation) (service-extension account-service-type (const %openssh-accounts)))) (compose concatenate) (extend extend-openssh-authorized-keys) (default-value (openssh-configuration)))) ;;; ;;; Dropbear. ;;; (define-record-type* dropbear-configuration make-dropbear-configuration dropbear-configuration? (dropbear dropbear-configuration-dropbear (default dropbear)) (port-number dropbear-configuration-port-number (default 22)) (syslog-output? dropbear-configuration-syslog-output? (default #t)) (pid-file dropbear-configuration-pid-file (default "/var/run/dropbear.pid")) (root-login? dropbear-configuration-root-login? (default #f)) (allow-empty-passwords? dropbear-configuration-allow-empty-passwords? (default #f)) (password-authentication? dropbear-configuration-password-authentication? (default #t))) (define (dropbear-activation config) "Return the activation gexp for CONFIG." #~(begin (use-modules (guix build utils)) (mkdir-p "/etc/dropbear"))) (define (dropbear-shepherd-service config) "Return a for dropbear with CONFIG." (define dropbear (dropbear-configuration-dropbear config)) (define pid-file (dropbear-configuration-pid-file config)) (define dropbear-command #~(list (string-append #$dropbear "/sbin/dropbear") ;; '-R' allows host keys to be automatically generated upon first ;; connection, at a time when /dev/urandom is more likely securely ;; seeded. "-F" "-R" "-p" #$(number->string (dropbear-configuration-port-number config)) "-P" #$pid-file #$@(if (dropbear-configuration-syslog-output? config) '() '("-E")) #$@(if (dropbear-configuration-root-login? config) '() '("-w")) #$@(if (dropbear-configuration-password-authentication? config) '() '("-s" "-g")) #$@(if (dropbear-configuration-allow-empty-passwords? config) '("-B") '()))) (define requires (if (dropbear-configuration-syslog-output? config) '(networking syslogd) '(networking))) (list (shepherd-service (documentation "Dropbear SSH server.") (requirement requires) (provision '(ssh-daemon)) (start #~(make-forkexec-constructor #$dropbear-command #:pid-file #$pid-file)) (stop #~(make-kill-destructor))))) (define dropbear-service-type (service-type (name 'dropbear) (extensions (list (service-extension shepherd-root-service-type dropbear-shepherd-service) (service-extension activation-service-type dropbear-activation))))) (define* (dropbear-service #:optional (config (dropbear-configuration))) "Run the @uref{https://matt.ucc.asn.au/dropbear/dropbear.html,Dropbear SSH daemon} with the given @var{config}, a @code{} object." (service dropbear-service-type config)) ;;; ssh.scm ends here