// setCapability returns a minimal spec / runtime-spec pair whose capability
// list holds exactly capabilityname.
//
// The list is replaced rather than appended to, so whatever capabilities the
// minimal spec carried are dropped and the single named one is all that
// remains in this field.
func setCapability(capabilityname string) (specs.LinuxSpec, specs.LinuxRuntimeSpec) {
	spec := specsinit.SetLinuxspecMinimum()
	runtimeSpec := specsinit.SetLinuxruntimeMinimum()

	spec.Linux.Capabilities = []string{capabilityname}

	// SetBind is defined in utils; presumably it wires the guest test folder
	// into the container as a bind mount (verify against utils).
	utils.SetBind(&runtimeSpec, &spec)

	return spec, runtimeSpec
}
// setProcess returns a minimal spec / runtime-spec pair that runs the given
// process description.
func setProcess(process specs.Process) (specs.LinuxSpec, specs.LinuxRuntimeSpec) {
	spec := specsinit.SetLinuxspecMinimum()
	runtimeSpec := specsinit.SetLinuxruntimeMinimum()

	spec.Spec.Process = process

	// Bind the containerend folder into the runc container so the guest-side
	// test programs are reachable from inside it.
	utils.SetBind(&runtimeSpec, &spec)

	return spec, runtimeSpec
}
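// testRootfsPropagationHost checks that the rootfs propagation mode recorded
// in linuxRuntimeSpec is honoured by the runtime.
//
// It creates a marker file on the host side, runs the guest program
// /containerend/<guestfilename> inside the container, and then compares which
// markers are visible on each side with what the propagation mode allows:
//
//	slave   - the container sees the host marker, the host sees nothing back
//	private - neither side sees the other's marker
//	share   - both sides see each other's marker
//
// It returns manager.PASSED with a nil error when the observation matches,
// manager.FAILED with an error when it does not, and manager.UNKNOWNERR with
// the underlying error when the test could not be carried out at all.
//
// guestfilename is concatenated into a "bash -c" command line, so it must be
// a fixed name chosen by the test suite, never externally supplied text.
func testRootfsPropagationHost(linuxSpec *specs.LinuxSpec, linuxRuntimeSpec *specs.LinuxRuntimeSpec, guestfilename string) (string, error) {
	configFile := "./config.json"
	runtimeFile := "./runtime.json"
	propagationmode := linuxRuntimeSpec.Linux.RootfsPropagation

	// Host-side marker the container is expected to see (or not).
	cmd := exec.Command("bash", "-c", "touch  rootfs/fspropagationtest/fromhost.txt")
	if _, err := cmd.Output(); err != nil {
		log.Fatalf("[Specstest] linux rootfs propagation test : touch test file in host error, %v", err)
	}

	// set the config parameters relative to this case
	utils.SetBind(linuxRuntimeSpec, linuxSpec)
	linuxSpec.Spec.Process.Args = []string{"/bin/bash", "-c", "/containerend/" + guestfilename}
	// CAP_SYS_ADMIN and a writable rootfs are granted for this test case only;
	// this is a deliberately privileged configuration and not a template for
	// real workloads.
	linuxSpec.Linux.Capabilities = []string{"CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE", "CAP_SYS_ADMIN"}
	linuxSpec.Spec.Root.Readonly = false

	// A failed write would leave a stale config from an earlier test on disk,
	// and the run below would then validate the wrong configuration.
	if err := configconvert.LinuxSpecToConfig(configFile, linuxSpec); err != nil {
		return manager.UNKNOWNERR, err
	}
	if err := configconvert.LinuxRuntimeToConfig(runtimeFile, linuxRuntimeSpec); err != nil {
		return manager.UNKNOWNERR, err
	}

	// If the container never ran, "no marker seen" is not evidence of
	// isolation; without this check the "private" case would pass vacuously.
	outContainer, err := adaptor.StartRunc(configFile, runtimeFile)
	if err != nil {
		return manager.UNKNOWNERR, errors.New("StartRunc error :" + outContainer + ", " + err.Error())
	}

	cmd = exec.Command("/bin/bash", "-c", "ls rootfs/fspropagationtest")
	outHost, err := cmd.Output()
	if err != nil {
		return manager.UNKNOWNERR, err
	}

	// Each flag depends on its own side only. The original reset the
	// container flag whenever the host marker was missing, which made the
	// "slave" case impossible to pass.
	seenInContainer := strings.Contains(strings.TrimSpace(outContainer), "fromhost.txt")
	seenOnHost := strings.Contains(strings.TrimSpace(string(outHost)), "fromcontainer.txt")

	// NOTE(review): the mode is matched as "share" here; confirm this is the
	// spelling the callers and the runtime actually use.
	switch propagationmode {
	case "slave":
		if seenInContainer && !seenOnHost {
			return manager.PASSED, nil
		}
	case "private":
		if !seenInContainer && !seenOnHost {
			return manager.PASSED, nil
		}
	case "share":
		if seenInContainer && seenOnHost {
			return manager.PASSED, nil
		}
	}
	return manager.FAILED, errors.New("RootfsPropagationmode:" + propagationmode + " failed")
}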
// setProcess stores process in linuxSpec, prepares the containerend folder
// for that process's user and binds it into the spec, then returns linuxSpec.
//
// linuxSpec is not declared in this function; it is presumably a
// package-level variable (confirm against the rest of the file).
//
// The program exits through log.Fatalf when GOPATH is unset.
func setProcess(process specs.Process) specs.LinuxSpec {
	const containerendSuffix = "/src/github.com/huawei-openlab/oct/tools/runtimeValidator/containerend"

	linuxSpec.Spec.Process = process

	gopath := os.Getenv("GOPATH")
	if len(gopath) == 0 {
		log.Fatalf("utils.setBind error GOPATH == nil")
	}
	containerend := gopath + containerendSuffix

	// The host folder is located through the GOPATH environment variable and
	// handed to SetRight with the container process's UID/GID before being
	// bound into the container, so GOPATH must point at a trusted checkout.
	utils.SetRight(containerend, process.User.UID, process.User.GID)
	utils.SetBind(&linuxSpec, containerend)

	return linuxSpec
}
// TestSuiteLinuxSeccompGetcwd runs the linuxseccomp guest program under a
// seccomp profile that allows every syscall except getcwd, which is answered
// with SCMP_ACT_ERRNO, and returns the marshalled test result.
//
// The allow-by-default profile is a test fixture for checking that a single
// rule is enforced; it is not a hardening profile.
func TestSuiteLinuxSeccompGetcwd() string {
	blocked := &specs.Syscall{
		Name:   "getcwd",
		Action: "SCMP_ACT_ERRNO",
	}
	se := specs.Seccomp{
		DefaultAction: "SCMP_ACT_ALLOW",
		Syscalls:      []*specs.Syscall{blocked},
	}

	linuxspec, linuxruntimespec := setSeccomp(se)

	// Make the guest test binary reachable inside the container.
	utils.SetBind(&linuxruntimespec, &linuxspec)
	linuxspec.Spec.Process.Args = []string{"/bin/bash", "-c", "/containerend/linuxseccomp"}

	// Description of the rule under test, handed to testSeccomp.
	rule := se.Syscalls[0]
	info := ",Name=" + rule.Name + ", Action=" + string(rule.Action)

	result, errout := testSeccomp(&linuxspec, &linuxruntimespec, info)

	var testResult manager.TestResult
	testResult.Set("TestSuiteLinuxSeccompGetcwd", se, errout, result)
	return testResult.Marshal()
}
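// TestLinuxDevicesFull checks that a /dev/full device declared in the spec is
// effective inside the container and returns the marshalled test result.
//
// The guest program /containerend/linuxdevicesfull is run in the container;
// the test passes when its output contains the "No space left on device"
// write error.
//
// Results:
//
//	manager.PASSED     - the expected write error was observed
//	manager.FAILED     - the container ran but the error was not observed
//	manager.UNSPPORTED - StartRunc returned an error
//	manager.UNKNOWNERR - the config files could not be written
func TestLinuxDevicesFull() string {
	device := specs.Device{
		Type:        99, // 99 is ASCII 'c'; presumably marks a character device
		Path:        "/dev/full",
		Major:       1,
		Minor:       7,
		Permissions: "rwm",
		FileMode:    438, // decimal 438 == octal 0666
		UID:         0,
		GID:         0,
	}
	linuxspec, linuxruntimespec := setDevices(device)
	utils.SetBind(&linuxruntimespec, &linuxspec)
	// Assumes the spec returned by setDevices already has at least one
	// argument; an empty Args slice would panic here.
	linuxspec.Spec.Process.Args[0] = "/containerend/linuxdevicesfull"

	configFile := "./config.json"
	runtimeFile := "./runtime.json"

	var (
		result string
		errout error
	)

	// Both config files must be written before the container starts. The
	// original discarded these errors, so a failed write could let runc start
	// from a stale config left behind by an earlier test.
	err := configconvert.LinuxSpecToConfig(configFile, &linuxspec)
	if err == nil {
		err = configconvert.LinuxRuntimeToConfig(runtimeFile, &linuxruntimespec)
	}

	if err != nil {
		result = manager.UNKNOWNERR
		errout = errors.New("write config error :" + err.Error())
	} else {
		out, runErr := adaptor.StartRunc(configFile, runtimeFile)
		switch {
		case runErr != nil:
			result = manager.UNSPPORTED
			errout = errors.New("StartRunc error :" + out + ", " + runErr.Error())
		case strings.Contains(strings.TrimSpace(out), "echo: write error: No space left on device"):
			result = manager.PASSED
		default:
			result = manager.FAILED
			errout = errors.New("device /dev/full is NOT effective")
		}
	}

	var testResult manager.TestResult
	testResult.Set("TestSuiteLinuxDevicesFull", device, errout, result)
	return testResult.Marshal()
}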