;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015 David Thompson <davet@gnu.org>
;;; Copyright © 2016, 2017, 2019 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
(define-module (test-containers)
#:use-module (guix utils)
#:use-module (guix build syscalls)
#:use-module (gnu build linux-container)
#:use-module ((gnu system linux-container)
#:select (eval/container))
#:use-module (gnu system file-systems)
#:use-module (guix store)
#:use-module (guix monads)
#:use-module (guix gexp)
#:use-module (guix derivations)
#:use-module (guix tests)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-64)
#:use-module (ice-9 match))
(define (assert-exit x)
  ;; Terminate the calling process with status 0 when X is true and 1
  ;; otherwise.  Container thunks use this to report the outcome of a check
  ;; to the parent as an exit status.
  (primitive-exit (cond (x 0)
                        (else 1))))
;; All tests in this file belong to the "containers" group.
(test-begin "containers")
;; Skip these tests unless user namespaces are available and the setgroups
;; file (introduced in Linux 3.19 to address a security issue) exists.
(define (skip-if-unsupported)
  ;; 'test-skip 1' applies to the next test form only, which is why every
  ;; test below is preceded by a call to this procedure.
  (let ((supported? (and (user-namespace-supported?)
                         (unprivileged-user-namespace-supported?)
                         (setgroups-supported?))))
    (if (not supported?)
        (test-skip 1))))
(skip-if-unsupported)
(test-assert "call-with-container, exit with 0 when there is no error"
  ;; A thunk that returns normally without doing anything yields exit
  ;; status 0.
  (let ((status (call-with-container '() (const #t) #:namespaces '(user))))
    (= status 0)))
(skip-if-unsupported)
(test-assert "call-with-container, user namespace"
  (let ((status (call-with-container '()
                                     (lambda ()
                                       ;; Inside the new user namespace the
                                       ;; process is mapped to UID 0/GID 0.
                                       (assert-exit (= 0 (getuid) (getgid))))
                                     #:namespaces '(user))))
    (zero? status)))
(skip-if-unsupported)
(test-assert "call-with-container, user namespace, guest UID/GID"
  (zero?
   (call-with-container '()
                        (lambda ()
                          ;; #:guest-uid/#:guest-gid select the IDs the
                          ;; process sees inside its user namespace.
                          (let ((uid (getuid))
                                (gid (getgid)))
                            (assert-exit (and (eqv? uid 42)
                                              (eqv? gid 77)))))
                        #:guest-uid 42
                        #:guest-gid 77
                        #:namespaces '(user))))
(skip-if-unsupported)
(test-assert "call-with-container, uts namespace"
  (let ((status (call-with-container '()
                                     (lambda ()
                                       ;; As root in a private UTS namespace
                                       ;; the container may set its own
                                       ;; hostname; the change is confined to
                                       ;; that namespace.
                                       (sethostname "test-container")
                                       (primitive-exit 0))
                                     #:namespaces '(user uts))))
    (zero? status)))
(skip-if-unsupported)
(test-assert "call-with-container, pid namespace"
  (zero?
   (call-with-container '()
                        (lambda ()
                          ;; The container thunk presumably runs as PID 1 of
                          ;; the new PID namespace; fork once more and check
                          ;; the child's PID as seen from inside.
                          (match (primitive-fork)
                            (0
                             ;; The first forked process in the new pid namespace is pid 2.
                             (assert-exit (= 2 (getpid))))
                            (pid
                             ;; Parent side: propagate the child's exit status
                             ;; as the container's own.
                             (primitive-exit
                              (match (waitpid pid)
                                ((_ . status)
                                 (status:exit-val status)))))))
                        #:namespaces '(user pid))))
(skip-if-unsupported)
(test-assert "call-with-container, mnt namespace"
  ;; A tmpfs mounted at /testing in a private mount namespace must be
  ;; visible to the container process.
  (let ((tmpfs (file-system
                 (device "none")
                 (mount-point "/testing")
                 (type "tmpfs")
                 (check? #f))))
    (zero?
     (call-with-container (list tmpfs)
                          (lambda ()
                            (assert-exit (file-exists? "/testing")))
                          #:namespaces '(user mnt)))))
(skip-if-unsupported)
(test-equal "call-with-container, mnt namespace, wrong bind mount"
  `(system-error ,ENOENT)
  ;; An exception should be raised; see <http://bugs.gnu.org/23306>.
  (let ((bogus (file-system
                 (device "/does-not-exist")
                 (mount-point "/foo")
                 (type "none")
                 (flags '(bind-mount))
                 (check? #f))))
    (catch 'system-error
      (lambda ()
        ;; Bind-mounting a missing source must fail with ENOENT rather than
        ;; silently yielding a container without the mount.
        (call-with-container (list bogus) (const #t)
                             #:namespaces '(user mnt)))
      (lambda args
        (list 'system-error (system-error-errno args))))))
(skip-if-unsupported)
(test-assert "call-with-container, all namespaces"
  ;; No #:namespaces argument: the default set (all namespaces, per the test
  ;; name) is used.
  (let ((status (call-with-container '()
                                     (lambda ()
                                       (primitive-exit 0)))))
    (= 0 status)))
(skip-if-unsupported)
(test-assert "call-with-container, mnt namespace, root permissions"
  ;; The container's root directory must keep the usual 0755 mode: a
  ;; world-writable "/" would let any process in the container plant files
  ;; at the top level.
  (let ((status (call-with-container '()
                                     (lambda ()
                                       (let ((mode (stat:perms (lstat "/"))))
                                         (assert-exit (eqv? mode #o755))))
                                     #:namespaces '(user mnt))))
    (zero? status)))
(skip-if-unsupported)
(test-assert "container-excursion"
  (call-with-temporary-directory
   (lambda (root)
     ;; Two pipes: One for the container to signal that the test can begin,
     ;; and one for the parent to signal to the container that the test is
     ;; over.
     (match (list (pipe) (pipe))
       (((start-in . start-out) (end-in . end-out))
        ;; Body of the container process: announce readiness, then block
        ;; until the parent says the test is over.
        (define (container)
          (close end-out)
          (close start-in)
          ;; Signal for the test to start.
          (write 'ready start-out)
          (close start-out)
          ;; Wait for test completion.
          (read end-in)
          (close end-in))

        ;; Namespace identifiers of PID, read from the /proc/PID/ns/* links.
        (define (namespaces pid)
          (let ((pid (number->string pid)))
            (map (lambda (ns)
                   (readlink (string-append "/proc/" pid "/ns/" ns)))
                 '("user" "ipc" "uts" "net" "pid" "mnt"))))

        (let* ((pid (run-container root '() %namespaces 1 container))
               ;; Snapshot of the container's namespaces, taken from outside.
               (container-namespaces (namespaces pid))
               (result
                (begin
                  (close start-out)
                  ;; Wait for container to be ready.
                  (read start-in)
                  (close start-in)
                  (container-excursion pid
                    (lambda ()
                      ;; Fork again so that the pid is within the context of
                      ;; the joined pid namespace instead of the original pid
                      ;; namespace.
                      (match (primitive-fork)
                        (0
                         ;; Check that all of the namespace identifiers are
                         ;; the same as the container process.
                         (assert-exit
                          (equal? container-namespaces
                                  (namespaces (getpid)))))
                        (fork-pid
                         (match (waitpid fork-pid)
                           ((_ . status)
                            (primitive-exit
                             (status:exit-val status)))))))))))
          (close end-in)
          ;; Stop the container.
          (write 'done end-out)
          (close end-out)
          ;; Reap the container; RESULT is the excursion's exit status.
          (waitpid pid)
          (zero? result)))))))
(skip-if-unsupported)
(test-equal "container-excursion, same namespaces"
  42
  ;; The parent and child are in the same namespaces. 'container-excursion'
  ;; should notice that and avoid calling 'setns' since that would fail.
  (let ((self (getpid)))
    (container-excursion self
      (lambda ()
        (primitive-exit 42)))))
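(skip-if-unsupported)
(test-assert "container-excursion*"
  (call-with-temporary-directory
   (lambda (root)
     ;; Namespace identifiers of PID, read from the /proc/PID/ns/* links.
     (define (namespaces pid)
       (let ((pid (number->string pid)))
         (map (lambda (ns)
                (readlink (string-append "/proc/" pid "/ns/" ns)))
              '("user" "ipc" "uts" "net" "pid" "mnt"))))

     ;; The container merely sleeps until it is killed below.
     (let ((pid (run-container root '()
                               %namespaces 1
                               (lambda ()
                                 (sleep 100)))))
       (dynamic-wind
         (lambda () #t)
         (lambda ()
           (let* ((expected (namespaces pid))
                  ;; Seen from inside, PID 1 is expected to be the container
                  ;; process itself, so its namespaces must match EXPECTED.
                  (result (container-excursion* pid
                            (lambda ()
                              (namespaces 1)))))
             (equal? result expected)))
         (lambda ()
           ;; Tear the container down even if the excursion raised, and reap
           ;; it so that a failing test leaves neither a zombie nor a process
           ;; sleeping for 100 seconds behind.
           (kill pid SIGKILL)
           (waitpid pid)))))))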
(skip-if-unsupported)
(test-equal "container-excursion*, same namespaces"
  42
  ;; Like 'container-excursion' above, but the thunk's value, not an exit
  ;; status, is what comes back.
  (let ((self (getpid)))
    (container-excursion* self
      (lambda ()
        (* 6 7)))))
(skip-if-unsupported)
(test-equal "eval/container, exit status"
  42
  ;; The guest's exit status comes back as a raw wait status.
  (let ((store (open-connection-for-tests)))
    (let ((status (run-with-store store
                    (eval/container #~(exit 42)))))
      (close-connection store)
      (status:exit-val status))))
(skip-if-unsupported)
(test-assert "eval/container, writable user mapping"
  (call-with-temporary-directory
   (lambda (directory)
     (define store
       (open-connection-for-tests))
     ;; Host-side file mapped writable at /result inside the container.
     (define result
       (string-append directory "/r"))
     (define requisites*
       (store-lift requisites))

     ;; The mapping source must exist before the container starts.
     (call-with-output-file result (const #t))
     (run-with-store store
       (mlet %store-monad ((status (eval/container
                                    #~(begin
                                        (use-modules (ice-9 ftw))
                                        ;; List what the guest sees under the
                                        ;; store prefix and hand it back
                                        ;; through the writable mapping.
                                        (call-with-output-file "/result"
                                          (lambda (port)
                                            (write (scandir #$(%store-prefix))
                                                   port))))
                                    #:mappings
                                    (list (file-system-mapping
                                           (source result)
                                           (target "/result")
                                           (writable? #t)))))
                           (reqs (requisites*
                                  (list (derivation->output-path
                                         (%guile-for-build))))))
         (close-connection store)
         ;; The guest's view of the store must hold exactly the requisites of
         ;; the guile used for evaluation (plus "." and ".." from scandir).
         ;; 'pk' prints its arguments for debugging and returns the last one,
         ;; so it does not affect the outcome.
         (return (and (zero? (pk 'status status))
                      (lset= string=? (cons* "." ".." (map basename reqs))
                             (pk (call-with-input-file result read))))))))))
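(skip-if-unsupported)
(test-assert "eval/container, non-empty load path"
  (call-with-temporary-directory
   (lambda (directory)
     (define store
       (open-connection-for-tests))
     ;; Host directory mapped writable at /result inside the container.
     (define result
       (string-append directory "/r"))

     (mkdir result)
     (run-with-store store
       (mlet %store-monad ((status (eval/container
                                    ;; (guix build utils) must be on the
                                    ;; guest's load path for 'mkdir-p'.
                                    (with-imported-modules '((guix build utils))
                                      #~(begin
                                          (use-modules (guix build utils))
                                          (mkdir-p "/result/a/b/c")))
                                    #:mappings
                                    (list (file-system-mapping
                                           (source result)
                                           (target "/result")
                                           (writable? #t))))))
         (close-connection store)
         ;; A zero status alone is not enough: the directory tree must show up
         ;; on the host side through the writable mapping.
         (return (and (zero? status)
                      (file-is-directory?
                       (string-append result "/a/b/c")))))))))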
;; End of the "containers" test group.
(test-end)