Allow setting the uid & gid of the io pipes
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
This commit is contained in:
Kenfe-Mickael Laventure
@@ -979,3 +979,93 @@ func TestContainerKillInitPidHost(t *testing.T) {
|
||||
t.Error(err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestUserNamespaces(t *testing.T) {
|
||||
t.Parallel()
|
||||
t.Run("WritableRootFS", func(t *testing.T) { testUserNamespaces(t, false) })
|
||||
// see #1373 and runc#1572
|
||||
t.Run("ReadonlyRootFS", func(t *testing.T) { testUserNamespaces(t, true) })
|
||||
}
|
||||
|
||||
func testUserNamespaces(t *testing.T, readonlyRootFS bool) {
|
||||
client, err := newClient(t, address)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
defer client.Close()
|
||||
|
||||
var (
|
||||
image Image
|
||||
ctx, cancel = testContext()
|
||||
id = strings.Replace(t.Name(), "/", "-", -1)
|
||||
)
|
||||
defer cancel()
|
||||
|
||||
image, err = client.GetImage(ctx, testImage)
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
return
|
||||
}
|
||||
|
||||
opts := []NewContainerOpts{WithNewSpec(withImageConfig(image),
|
||||
withExitStatus(7),
|
||||
WithUserNamespace(0, 1000, 10000),
|
||||
)}
|
||||
if readonlyRootFS {
|
||||
opts = append(opts, withRemappedSnapshotView(id, image, 1000, 1000))
|
||||
} else {
|
||||
opts = append(opts, withRemappedSnapshot(id, image, 1000, 1000))
|
||||
}
|
||||
|
||||
container, err := client.NewContainer(ctx, id, opts...)
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
return
|
||||
}
|
||||
defer container.Delete(ctx, WithSnapshotCleanup)
|
||||
|
||||
task, err := container.NewTask(ctx, Stdio, func(_ context.Context, client *Client, r *TaskInfo) error {
|
||||
r.Options = &runcopts.CreateOptions{
|
||||
IoUid: 1000,
|
||||
IoGid: 1000,
|
||||
}
|
||||
return nil
|
||||
})
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
return
|
||||
}
|
||||
defer task.Delete(ctx)
|
||||
|
||||
statusC, err := task.Wait(ctx)
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
return
|
||||
}
|
||||
|
||||
if pid := task.Pid(); pid <= 0 {
|
||||
t.Errorf("invalid task pid %d", pid)
|
||||
}
|
||||
if err := task.Start(ctx); err != nil {
|
||||
t.Error(err)
|
||||
task.Delete(ctx)
|
||||
return
|
||||
}
|
||||
status := <-statusC
|
||||
code, _, err := status.Result()
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
return
|
||||
}
|
||||
if code != 7 {
|
||||
t.Errorf("expected status 7 from wait but received %d", code)
|
||||
}
|
||||
deleteStatus, err := task.Delete(ctx)
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
return
|
||||
}
|
||||
if ec := deleteStatus.ExitCode(); ec != 7 {
|
||||
t.Errorf("expected status 7 from delete but received %d", ec)
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user