func TestLinuxCapabilitiesSETFCAP() string {
	linuxspec, linuxruntimespec := setCapability("CAP_SETFCAP")
	linuxspec.Spec.Process.Args = []string{"/sbin/setcap", "CAP_SETFCAP=eip", "/containerend/linuxcapabilities"}
	capability := linuxspec.Linux.Capabilities

	configFile := "./config.json"
	runtimeFile := "./runtime.json"
	err := configconvert.LinuxSpecToConfig(configFile, &linuxspec)
	err = configconvert.LinuxRuntimeToConfig(runtimeFile, &linuxruntimespec)
	out, err := adaptor.StartRunc(configFile, runtimeFile)

	var result string
	var errout error
	if err != nil {
		result = manager.UNSPPORTED
		errout = errors.New(string(out) + err.Error())
	} else if strings.EqualFold(strings.TrimSpace(string(out)), "") {
		result = manager.PASSED
		errout = nil
	} else {
		result = manager.FAILED
		errout = errors.New("test Capabilities CAP_SETFCAP NOT  does''t work")
	}
	var testResult manager.TestResult
	testResult.Set("TestMountTmpfs", capability, errout, result)
	return testResult.Marshal()
}
func testCgroupspath(linuxSpec *specs.LinuxSpec, linuxRuntimeSpec *specs.LinuxRuntimeSpec) (string, error) {
	configFile := "./config.json"
	runtimeFile := "./runtime.json"
	// check whether the container mounts Cgroup filesystem and get the mount point
	hasCgFs := false
	var cgmnt string
	for k, v := range linuxRuntimeSpec.RuntimeSpec.Mounts {
		if strings.EqualFold(v.Type, "cgroup") {
			hasCgFs = true
			for _, u := range linuxSpec.Spec.Mounts {
				if strings.EqualFold(u.Name, k) {
					cgmnt = u.Path
				}
			}
		}
	}
	if hasCgFs == false {
		return manager.UNSPPORTED, errors.New("Container doesn't support cgroup")
	}
	linuxSpec.Spec.Process.Args = []string{"/bin/bash", "-c", "find " + cgmnt + "/ -name " + linuxRuntimeSpec.Linux.CgroupsPath}
	err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
	err = configconvert.LinuxRuntimeToConfig(runtimeFile, linuxRuntimeSpec)
	out, err := adaptor.StartRunc(configFile, runtimeFile)
	if err != nil {
		return manager.UNKNOWNERR, errors.New("StartRunc error :" + out + "," + err.Error())
	} else if strings.Contains(out, linuxRuntimeSpec.Linux.CgroupsPath) {
		return manager.PASSED, nil
	} else {
		return manager.FAILED, errors.New("may be NOT SUPPORT setting cgrouppath")
	}
}
示例#3
0
// Convert specs obj to json file, and start runc to have a test, return testresult
func testVersion(linuxSpec *specs.LinuxSpec, linuxRuntime *specs.LinuxRuntimeSpec, value bool) (string, error) {

	// Convert LinuxSpec to config.json
	configFile := "./config.json"
	linuxSpec.Spec.Process.Args[0] = "/bin/ls"
	err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
	if err != nil {
		return manager.UNKNOWNERR, err
	}

	// Convert LinuxRuntimeSpec to runtime.json
	runtimeFile := "./runtime.json"
	err = configconvert.LinuxRuntimeToConfig(runtimeFile, linuxRuntime)
	if err != nil {
		return manager.UNKNOWNERR, err
	}

	// Start runc to have a test
	out, err := adaptor.StartRunc(configFile, runtimeFile)
	if err != nil {
		if value {
			return manager.FAILED, errors.New(string(out) + err.Error())
		} else {
			return manager.PASSED, nil
		}

	} else {
		if value {
			return manager.PASSED, nil
		} else {
			return manager.FAILED, errors.New("Give wrong value to Version but runc works!")
		}
	}
}
示例#4
0
func testIDmappings(linuxSpec *specs.LinuxSpec, isUid bool, failinfo string) (string, error) {
	//test whether the usernamespace works
	configFile := "./config.json"
	err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
	out, err := adaptor.StartRunc(configFile)
	if err != nil {
		return manager.UNSPPORTED, errors.New("StartRunc error :" + out + "," + err.Error())
	}
	outarray := strings.Fields(strings.TrimSpace(out))
	outcuid, _ := strconv.ParseInt(outarray[0], 10, 0)
	outhuid, _ := strconv.ParseInt(outarray[1], 10, 0)
	outsize, _ := strconv.ParseInt(outarray[2], 10, 0)
	var incuid, inhuid, insize int32
	if isUid {
		incuid = linuxSpec.Linux.UIDMappings[0].ContainerID
		inhuid = linuxSpec.Linux.UIDMappings[0].HostID
		insize = linuxSpec.Linux.UIDMappings[0].Size
	} else {
		incuid = linuxSpec.Linux.GIDMappings[0].ContainerID
		inhuid = linuxSpec.Linux.GIDMappings[0].HostID
		insize = linuxSpec.Linux.GIDMappings[0].Size
	}
	if (int32(outcuid) == incuid) && (int32(outhuid) == inhuid) && (int32(outsize) == insize) {
		return manager.PASSED, nil
	} else {
		return manager.FAILED, errors.New("test failed because" + failinfo)
	}
}
示例#5
0
func testRoot(linuxSpec *specs.LinuxSpec, linuxRuntime *specs.LinuxRuntimeSpec, readonlyValue bool, pathValue string) (string, error) {
	configFile := "./config.json"
	linuxSpec.Spec.Process.Args[0] = "/bin/mount"
	err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
	if err != nil {
		return manager.UNKNOWNERR, err
	}
	runtimeFile := "./runtime.json"
	err = configconvert.LinuxRuntimeToConfig(runtimeFile, linuxRuntime)
	if err != nil {
		return manager.UNKNOWNERR, err
	}

	out, err := adaptor.StartRunc(configFile, runtimeFile)
	if err != nil {
		if pathValue == testPathError {
			return manager.PASSED, nil
		} else {
			return manager.FAILED, errors.New(string(out) + err.Error())
		}
	}
	if pathValue == testPathCorrect {
		if readonlyValue == true && strings.Contains(out, "(ro,") {
			return manager.PASSED, nil
		} else if readonlyValue == false && strings.Contains(out, "(rw,") {
			return manager.PASSED, nil
		} else {
			return manager.FAILED, errors.New("Start runc successful, but get the wrong right of root.")
		}
	} else {
		return manager.UNKNOWNERR, nil
	}
}
示例#6
0
func testProcessEnv(linuxspec *specs.LinuxSpec, linuxruntime *specs.LinuxRuntimeSpec, supported bool) (string, error) {

	configFile := "./config.json"
	err := configconvert.LinuxSpecToConfig(configFile, linuxspec)
	if err != nil {
		return manager.UNKNOWNERR, errors.New("Got unexpected err when LinuxSpecConfig, plz report to OCT project with a issuse")
	}

	rFile := "runtime.json"
	err = configconvert.LinuxRuntimeToConfig(rFile, linuxruntime)
	if err != nil {
		return manager.UNKNOWNERR, errors.New("Got unexpected err when LinuxRuntimeToConfig, plz report to OCT project with a issuse")
	}

	output, err := adaptor.StartRunc(configFile, rFile)
	if err != nil {
		if supported {
			return manager.UNKNOWNERR, errors.New("Can not start runc, maybe runc is not support the specs with these input" + string(output) + "----" + err.Error())
		} else {
			return manager.PASSED, nil
		}
	}
	value := linuxspec.Spec.Process.Env
	res := checkOutEnv(output, value)
	if res {
		return manager.PASSED, nil
	} else {
		return manager.FAILED, errors.New("Input is not compliant with the specs or not supported by runc" + "----" + string(output))
	}
}
示例#7
0
func testPlatform(linuxSpec *specs.LinuxSpec, linuxRuntime *specs.LinuxRuntimeSpec, osValue string, archValue string) (string, error) {
	configFile := "./config.json"
	linuxSpec.Spec.Process.Args[0] = "/bin/ls"
	err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
	if err != nil {
		return manager.UNKNOWNERR, errors.New("Met unexpected LinuxSpecToConfig err, plz report to OCT project with a issuse")
	}

	rFile := "runtime.json"
	err = configconvert.LinuxRuntimeToConfig(rFile, linuxRuntime)
	if err != nil {
		return manager.UNKNOWNERR, errors.New("Met unexpected LinuxRuntimeToConfig err, plz report to OCT project with a issuse")
	}

	out, err := adaptor.StartRunc(configFile, rFile)
	if err != nil {
		if osValue != runtime.GOOS || archValue != runtime.GOARCH {
			return manager.PASSED, nil
		} else {
			return manager.FAILED, errors.New(string(out) + err.Error())
		}
	}
	if osValue == runtime.GOOS && archValue == runtime.GOARCH {
		return manager.PASSED, nil
	} else {
		return manager.FAILED, errors.New("Err: Gived err value to platform, but runc ran well")
	}
}
示例#8
0
func testRootfsPropagationHost(linuxSpec *specs.LinuxSpec, guestfilename string) (string, error) {
	//
	configFile := "./config.json"
	propagationmode := linuxSpec.Linux.RootfsPropagation

	cmd := exec.Command("bash", "-c", "touch  rootfs/fspropagationtest/fromhost.txt")
	_, err := cmd.Output()
	if err != nil {
		log.Fatalf("[Specstest] linux rootfs propagation test : touch test file in host error, %v", err)
	}
	// set the config parameters relative to this case
	result := os.Getenv("GOPATH")
	if result == "" {
		log.Fatalf("utils.setBind error GOPATH == nil")
	}
	resource := result + "/src/github.com/huawei-openlab/oct/tools/runtimeValidator/containerend"
	utils.SetRight(resource, linuxSpec.Process.User.UID, linuxSpec.Process.User.GID)
	linuxSpec.Spec.Process.Args = []string{"/bin/bash", "-c", "/testtool/" + guestfilename}
	testtoolfolder := specs.Mount{"bind", resource, "/testtool", "bind"}
	linuxSpec.Spec.Mounts = append(linuxSpec.Spec.Mounts, testtoolfolder)
	linuxSpec.Linux.Capabilities = []string{"AUDIT_WRITE", "KILL", "NET_BIND_SERVICE", "SYS_ADMIN"}
	linuxSpec.Spec.Root.Readonly = false

	err = configconvert.LinuxSpecToConfig(configFile, linuxSpec)
	out_container, err := adaptor.StartRunc(configFile)
	cmd = exec.Command("/bin/bash", "-c", "ls rootfs/fspropagationtest")
	out_host, err := cmd.Output()
	if err != nil {
		log.Fatalf("[Specstest] linux rootfs propagation test : read test file from container (in host) error, %v", err)
		return manager.UNKNOWNERR, err
	}
	var flag_container, flag_host bool
	if strings.Contains(strings.TrimSpace(out_container), "fromhost.txt") {
		flag_container = true
	} else {
		flag_container = false
	}
	if strings.Contains(strings.TrimSpace(string(out_host)), "fromcontainer.txt") {
		flag_host = true
	} else {
		flag_container = false
	}
	switch propagationmode {
	case "slave":
		if flag_container == true && flag_host == false {
			return manager.PASSED, nil
		}
	case "private":
		if flag_container == false && flag_host == false {
			return manager.PASSED, nil
		}
	case "share":
		if flag_container && flag_host {
			return manager.PASSED, nil
		}
	}
	return manager.FAILED, errors.New("RootfsPropagationmode:" + propagationmode + "failed")
}
示例#9
0
func testResources(linuxSpec *specs.LinuxSpec) (string, error) {
	fmt.Println("enter test source")
	configFile := "./config.json"
	linuxSpec.Spec.Process.Args = []string{"/bin/bash", "-c", "sleep 10s"}
	err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
	out, err := adaptor.StartRunc(configFile)
	if err != nil {
		return manager.UNSPPORTED, errors.New("StartRunc error :" + out + "," + err.Error())
	} else {
		return manager.PASSED, nil
	}
}
func testRootfsPropagationHost(linuxSpec *specs.LinuxSpec, linuxRuntimeSpec *specs.LinuxRuntimeSpec, guestfilename string) (string, error) {

	configFile := "./config.json"
	runtimeFile := "./runtime.json"
	propagationmode := linuxRuntimeSpec.Linux.RootfsPropagation

	cmd := exec.Command("bash", "-c", "touch  rootfs/fspropagationtest/fromhost.txt")
	_, err := cmd.Output()
	if err != nil {
		log.Fatalf("[Specstest] linux rootfs propagation test : touch test file in host error, %v", err)
	}
	// set the config parameters relative to this case
	utils.SetBind(linuxRuntimeSpec, linuxSpec)
	linuxSpec.Spec.Process.Args = []string{"/bin/bash", "-c", "/containerend/" + guestfilename}
	linuxSpec.Linux.Capabilities = []string{"CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE", "CAP_SYS_ADMIN"}
	linuxSpec.Spec.Root.Readonly = false
	err = configconvert.LinuxSpecToConfig(configFile, linuxSpec)
	err = configconvert.LinuxRuntimeToConfig(runtimeFile, linuxRuntimeSpec)
	out_container, err := adaptor.StartRunc(configFile, runtimeFile)

	cmd = exec.Command("/bin/bash", "-c", "ls rootfs/fspropagationtest")
	out_host, err := cmd.Output()
	if err != nil {
		log.Fatalf("[Specstest] linux rootfs propagation test : read test file from container (in host) error, %v", err)
		return manager.UNKNOWNERR, err
	}
	var flag_container, flag_host bool
	if strings.Contains(strings.TrimSpace(out_container), "fromhost.txt") {
		flag_container = true
	} else {
		flag_container = false
	}
	if strings.Contains(strings.TrimSpace(string(out_host)), "fromcontainer.txt") {
		flag_host = true
	} else {
		flag_container = false
	}
	switch propagationmode {
	case "slave":
		if flag_container == true && flag_host == false {
			return manager.PASSED, nil
		}
	case "private":
		if flag_container == false && flag_host == false {
			return manager.PASSED, nil
		}
	case "share":
		if flag_container && flag_host {
			return manager.PASSED, nil
		}
	}
	return manager.FAILED, errors.New("RootfsPropagationmode:" + propagationmode + "failed")
}
示例#11
0
func testVersion(linuxSpec *specs.LinuxSpec) (string, error) {
	configFile := "./config.json"
	linuxSpec.Spec.Process.Args[0] = "/bin/ls"
	err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)

	out, err := adaptor.StartRunc(configFile)
	if err != nil {
		return manager.FAILED, errors.New(string(out) + err.Error())
	} else {
		return manager.PASSED, nil
	}
}
示例#12
0
func testResources(linuxSpec *specs.LinuxSpec, linuxRuntimeSpec *specs.LinuxRuntimeSpec) (string, error) {
	configFile := "./config.json"
	runtimeFile := "./runtime.json"
	linuxSpec.Spec.Process.Args = []string{"/bin/bash", "-c", "sleep 0.5s"}
	err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
	err = configconvert.LinuxRuntimeToConfig(runtimeFile, linuxRuntimeSpec)
	out, err := adaptor.StartRunc(configFile, runtimeFile)
	if err != nil {
		return manager.UNSPPORTED, errors.New("StartRunc error :" + out + "," + err.Error())
	} else {
		return manager.PASSED, nil
	}
}
示例#13
0
func testSeccomp(linuxSpec *specs.LinuxSpec, failinfo string) (string, error) {
	configFile := "./config.json"
	err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
	out, err := adaptor.StartRunc(configFile)
	if err != nil {
		return manager.UNKNOWNERR, errors.New("StartRunc error :" + out + "," + err.Error())
	} else if strings.EqualFold(strings.TrimSpace(out), "Operation not permitted") {
		return manager.PASSED, nil
	} else {
		return manager.FAILED, errors.New("test failed because" + failinfo)
	}

}
示例#14
0
func testMount(linuxSpec *specs.LinuxSpec, failinfo string) (string, error) {
	configFile := "./config.json"
	linuxSpec.Spec.Process.Args[0] = "/bin/mount"
	err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
	out, err := adaptor.StartRunc(configFile)
	if err != nil {
		return manager.UNSPPORTED, errors.New(string(out) + err.Error())
	} else if strings.Contains(out, "/mountTest") {
		return manager.PASSED, nil
	} else {
		return manager.FAILED, errors.New("test failed because" + failinfo)
	}
}
示例#15
0
func testHooks(linuxSpec *specs.LinuxSpec, compare string, failinfo string) (string, error) {
	configFile := "./config.json"
	linuxSpec.Spec.Process.Args = []string{"/bin/bash", "-c", "ls"}
	err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
	out, err := adaptor.StartRunc(configFile)
	if err != nil {
		return manager.UNSPPORTED, errors.New(string(out) + err.Error())
	} else {
		if strings.Contains(strings.TrimSpace(string(out)), compare) {
			return manager.PASSED, nil
		} else {
			return manager.FAILED, errors.New("test failed because" + failinfo)
		}
	}
}
func testApparmorProfile(linuxSpec *specs.LinuxSpec, linuxRuntimeSpec *specs.LinuxRuntimeSpec) (string, error) {
	out, err := pretest()
	configFile := "./config.json"
	runtimeFile := "./runtime.json"
	err = configconvert.LinuxSpecToConfig(configFile, linuxSpec)
	err = configconvert.LinuxRuntimeToConfig(runtimeFile, linuxRuntimeSpec)
	go adaptor.StartRunc(configFile, runtimeFile)
	time.Sleep(time.Second * 1)
	out, err = checkapparmorfilefromhost()
	if err != nil {
		return manager.UNKNOWNERR, errors.New(out + err.Error())
	}
	return out, err

}
示例#17
0
func testPlatform(linuxSpec *specs.LinuxSpec, osValue string, archValue string) (string, error) {
	configFile := "./config.json"
	err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
	linuxSpec.Spec.Process.Args[0] = "/bin/ls"
	out, err := adaptor.StartRunc(configFile)
	if err != nil {
		if osValue == runtime.GOOS && archValue == runtime.GOARCH {
			return manager.PASSED, nil
		} else {
			return manager.FAILED, errors.New(string(out) + err.Error())
		}
	}
	if osValue == runtime.GOOS && archValue == runtime.GOARCH {
		return manager.PASSED, nil
	} else {
		return manager.UNKNOWNERR, nil
	}
}
示例#18
0
func testProcessUser(linuxspec *specs.LinuxSpec, supported bool) (string, error) {
	configFile := "./config.json"
	err := configconvert.LinuxSpecToConfig(configFile, linuxspec)
	output, err := adaptor.StartRunc(configFile)
	if err != nil {
		if supported {
			return manager.UNKNOWNERR, errors.New("Can not start runc, maybe runc is not support the specs with this config.json" + err.Error())
		} else {
			return manager.PASSED, nil
		}
	}
	res, errMsg := checkOutUser(output)
	if res {
		return manager.PASSED, nil
	} else {
		return manager.FAILED, errors.New(errMsg + " in runtime is not compliant with the specs")
	}

}
示例#19
0
func testProcessEnv(linuxspec *specs.LinuxSpec, supported bool) (string, error) {
	configFile := "./config.json"
	err := configconvert.LinuxSpecToConfig(configFile, linuxspec)
	output, err := adaptor.StartRunc(configFile)
	if err != nil {
		if supported {
			return manager.UNKNOWNERR, errors.New("Can not start runc, maybe runc is not support the specs with this config.json----" + string(output) + "----" + err.Error())
		} else {
			return manager.PASSED, nil
		}
	}
	value := linuxSpec.Spec.Process.Env
	res := checkOutEnv(output, value)
	if res {
		return manager.PASSED, nil
	} else {
		return manager.FAILED, errors.New("Env in runtime is not compliant with the specs" + "----" + string(output))
	}
}
示例#20
0
func testSysctls(linuxSpec *specs.LinuxSpec, failinfo string) (string, error) {
	configFile := "./config.json"
	var key, value string
	for k, v := range linuxSpec.Linux.Sysctl {
		linuxSpec.Spec.Process.Args = []string{"/bin/bash", "-c", "sysctl " + k}
		key = k
		value = v
	}
	err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
	out, err := adaptor.StartRunc(configFile)
	if err != nil {
		return manager.UNSPPORTED, errors.New(string(out) + err.Error())
	} else {
		if strings.EqualFold(strings.TrimSpace(out), key+" = "+value) {
			return manager.PASSED, nil
		} else {
			return manager.FAILED, errors.New("test failed because" + failinfo)
		}
	}
}
示例#21
0
func testRlimits(linuxSpec *specs.LinuxSpec, rlimitItem string, value string, isSoftLimit bool) (string, error) {
	configFile := "./config.json"
	if isSoftLimit {
		linuxSpec.Spec.Process.Args = []string{"/bin/bash", "-c", "ulimit " + rlimitItem + " -S"}
	} else {
		linuxSpec.Spec.Process.Args = []string{"/bin/bash", "-c", "ulimit " + rlimitItem + " -H"}
	}

	err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
	out, err := adaptor.StartRunc(configFile)
	if err != nil {
		return manager.UNSPPORTED, errors.New(string(out) + err.Error())
	} else {
		if strings.EqualFold(strings.TrimSpace(string(out)), value) {
			return manager.PASSED, nil
		} else {
			return manager.FAILED, nil
		}
	}
}
示例#22
0
func TestSuiteLinuxDevicesFull() string {
	// copy the testbin into container
	var device specs.Device = specs.Device{
		Type:        99,
		Path:        "/dev/full",
		Major:       1,
		Minor:       7,
		Permissions: "rwm",
		FileMode:    438,
		UID:         0,
		GID:         0,
	}
	linuxSpec = setDevices(device)
	gopath := os.Getenv("GOPATH")
	if gopath == "" {
		log.Fatalf("utils.setBind error GOPATH == nil")
	}
	resource := gopath + "/src/github.com/huawei-openlab/oct/tools/runtimeValidator/containerend"
	utils.SetRight(resource, linuxSpec.Process.User.UID, linuxSpec.Process.User.GID)
	testtoolfolder := specs.Mount{"bind", resource, "/testtool", "bind"}
	linuxSpec.Spec.Mounts = append(linuxSpec.Spec.Mounts, testtoolfolder)
	linuxSpec.Spec.Process.Args[0] = "/testtool/linuxdevicesfull"
	configFile := "./config.json"
	err := configconvert.LinuxSpecToConfig(configFile, &linuxSpec)
	out, err := adaptor.StartRunc(configFile)
	var result string
	var errout error
	if err != nil {
		result = manager.UNSPPORTED
		errout = errors.New("StartRunc error :" + out + ", " + err.Error())
	} else if strings.Contains(strings.TrimSpace(out), "echo: write error: No space left on device") {
		result = manager.PASSED
		errout = nil
	} else {
		result = manager.FAILED
		errout = errors.New("device /dev/full is NOT effective")
	}
	var testResult manager.TestResult
	testResult.Set("TestSuiteLinuxDevicesFull", device, errout, result)
	return testResult.Marshal()
}
示例#23
0
func testSElinuxLabel(linuxSpec *specs.LinuxSpec) (string, error) {
	selinuxlable := linuxSpec.Linux.SelinuxProcessLabel
	//test whether the host supports the selinux
	cmdout, err := exec.Command("/bin/bash", "-c", "getenforce").Output()
	if err != nil || strings.EqualFold(strings.TrimSpace(string(cmdout)), "Permissive") {
		return manager.UNSPPORTED, errors.New("Host Machine doesn't support SElinux")
	}
	configFile := "./config.json"
	linuxSpec.Process.Args = []string{"/bin/bash", "-c", "ps xZ|awk '{print $1}' |sed -n '2p' "}
	err = configconvert.LinuxSpecToConfig(configFile, linuxSpec)

	out, err := adaptor.StartRunc(configFile)
	if err != nil {
		return manager.UNSPPORTED, errors.New("StartRunc error :" + out + "," + err.Error())
	} else {
		if strings.EqualFold(strings.TrimSpace(string(out)), label) {
			return manager.PASSED, nil
		} else {
			return manager.FAILED, errors.New("test failed because selinux label is not effective")
		}
	}
}
示例#24
0
func TestLinuxDevicesFull() string {

	var device specs.Device = specs.Device{
		Type:        99,
		Path:        "/dev/full",
		Major:       1,
		Minor:       7,
		Permissions: "rwm",
		FileMode:    438,
		UID:         0,
		GID:         0,
	}
	linuxspec, linuxruntimespec := setDevices(device)
	utils.SetBind(&linuxruntimespec, &linuxspec)
	linuxspec.Spec.Process.Args[0] = "/containerend/linuxdevicesfull"

	configFile := "./config.json"
	runtimeFile := "./runtime.json"
	err := configconvert.LinuxSpecToConfig(configFile, &linuxspec)
	err = configconvert.LinuxRuntimeToConfig(runtimeFile, &linuxruntimespec)
	out, err := adaptor.StartRunc(configFile, runtimeFile)

	var result string
	var errout error
	if err != nil {
		result = manager.UNSPPORTED
		errout = errors.New("StartRunc error :" + out + ", " + err.Error())
	} else if strings.Contains(strings.TrimSpace(out), "echo: write error: No space left on device") {
		result = manager.PASSED
		errout = nil
	} else {
		result = manager.FAILED
		errout = errors.New("device /dev/full is NOT effective")
	}
	var testResult manager.TestResult
	testResult.Set("TestSuiteLinuxDevicesFull", device, errout, result)
	return testResult.Marshal()
}
示例#25
0
func testApparmorProfile(linuxSpec *specs.LinuxSpec) (string, error) {
	configFile := "./config.json"
	inputprofilename := linuxSpec.Linux.ApparmorProfile
	err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
	cmd := exec.Command("bash", "-c", "cp cases/linuxapparmorprofile/"+inputprofilename+" /etc/apparmor.d")
	_, err = cmd.Output()
	if err != nil {
		log.Fatalf("[runtimeValidator] linux apparmor profile test : copy the apparmor file error, %v", err)
	}
	out, err := adaptor.StartRunc(configFile)
	if err != nil {
		return manager.UNKNOWNERR, errors.New(out + err.Error())
	}
	cmd = exec.Command("bash", "-c", " apparmor_status")
	cmdout, err := cmd.Output()
	if err != nil {
		return manager.UNSPPORTED, errors.New("HOST Machine NOT Support Apparmor")
	} else if strings.Contains(strings.TrimSpace(string(cmdout)), inputprofilename) {
		return manager.PASSED, nil
	} else {
		return manager.FAILED, nil
	}
}
示例#26
0
/**
*container unreused namespace of host
 */
func TestPathEmpty(linuxSpec *specs.LinuxSpec, hostNamespacePath string) (string, error) {
	//1. output json file for runc
	configfile := "./config.json"
	err := configconvert.LinuxSpecToConfig(configfile, linuxSpec)
	if err != nil {
		log.Fatalf("write config error, %v", err)
	}

	//2. get container's pid namespace after executing  runc
	out, err := adaptor.StartRunc(configfile)
	if err != nil {
		return manager.UNSPPORTED, errors.New(string(out) + err.Error())
		//log.Fatalf("write config error, %v\n", errors.New(string(out)+err.Error()))
	}
	containerNs := strings.TrimSuffix(string(out), "\n")
	containerNs = strings.TrimSpace(containerNs)
	if containerNs == "" {
		log.Fatalf("can not find namespace in container.")
	}

	//3. get host's all pid namespace
	cmd := "readlink " + hostNamespacePath + "|sort -u"
	hostNs, err := getHostNs(cmd)
	if err != nil {
		log.Fatalf("get host namespace error,%v\n", err)
	}

	//4. juge if the container's pid namespace is not in host namespaces
	var result string
	if strings.Contains(hostNs, containerNs) {
		result = manager.FAILED
	} else {
		result = manager.PASSED
	}

	return result, nil
}