[thirdparty/systemd.git] / test / units / testsuite-19.delegate.sh

#!/usr/bin/env bash
# SPDX-License-Identifier: LGPL-2.1-or-later
set -eux
set -o pipefail

# Test cgroup delegation in the unified hierarchy

# shellcheck source=test/units/util.sh
. "$(dirname "$0")"/util.sh

if [[ "$(get_cgroup_hierarchy)" != unified ]]; then
    echo "Skipping $0 as we're not running with the unified cgroup hierarchy"
    exit 0
fi

at_exit() {
    set +e
    userdel -r test
}

systemd-run --wait \
            --unit=test-0.service \
            --property="DynamicUser=1" \
            --property="Delegate=" \
            test -w /sys/fs/cgroup/system.slice/test-0.service/ -a \
                 -w /sys/fs/cgroup/system.slice/test-0.service/cgroup.procs -a \
                 -w /sys/fs/cgroup/system.slice/test-0.service/cgroup.subtree_control

# Test if this also works for some of the more recent attrs the kernel might or might not support
for attr in cgroup.threads memory.oom.group memory.reclaim ; do

    if grep -q "$attr" /sys/kernel/cgroup/delegate ; then
        systemd-run --wait \
                    --unit=test-0.service \
                    --property="DynamicUser=1" \
                    --property="Delegate=" \
                    test -w /sys/fs/cgroup/system.slice/test-0.service/ -a \
                    -w /sys/fs/cgroup/system.slice/test-0.service/"$attr"
    fi
done

systemd-run --wait \
            --unit=test-1.service \
            --property="DynamicUser=1" \
            --property="Delegate=memory pids" \
            grep -q memory /sys/fs/cgroup/system.slice/test-1.service/cgroup.controllers

systemd-run --wait \
            --unit=test-2.service \
            --property="DynamicUser=1" \
            --property="Delegate=memory pids" \
            grep -q pids /sys/fs/cgroup/system.slice/test-2.service/cgroup.controllers

# "io" is not among the controllers enabled by default for all units, verify that
grep -qv io /sys/fs/cgroup/system.slice/cgroup.controllers

# Run a service with "io" enabled, and verify it works
systemd-run --wait \
            --unit=test-3.service \
            --property="IOAccounting=yes" \
            --property="Slice=system-foo-bar-baz.slice"  \
            grep -q io /sys/fs/cgroup/system.slice/system-foo.slice/system-foo-bar.slice/system-foo-bar-baz.slice/test-3.service/cgroup.controllers

# We want to check if "io" is removed again from the controllers
# list. However, PID 1 (rightfully) does this asynchronously. In order
# to force synchronization on this, let's start a short-lived service
# which requires PID 1 to refresh the cgroup tree, so that we can
# verify that this all works.
systemd-run --wait --unit=test-4.service true

# And now check again, "io" should have vanished
grep -qv io /sys/fs/cgroup/system.slice/cgroup.controllers

# Check that unprivileged delegation works for scopes
useradd test ||:
systemd-run --uid=test \
            --property="User=test" \
            --property="Delegate=yes" \
            --slice workload.slice \
            --unit test-workload0.scope\
            --scope \
            test -w /sys/fs/cgroup/workload.slice/test-workload0.scope -a \
                 -w /sys/fs/cgroup/workload.slice/test-workload0.scope/cgroup.procs -a \
                 -w /sys/fs/cgroup/workload.slice/test-workload0.scope/cgroup.subtree_control

# Verify that DelegateSubgroup= affects ownership correctly
unit="test-subgroup-$RANDOM.service"
systemd-run --wait \
            --unit="$unit" \
            --property="DynamicUser=1" \
            --property="Delegate=pids" \
            --property="DelegateSubgroup=foo" \
            test -w "/sys/fs/cgroup/system.slice/$unit" -a \
                 -w "/sys/fs/cgroup/system.slice/$unit/foo"

# Check that for the subgroup also attributes that aren't covered by
# regular (i.e. main cgroup) delegation ownership rules are delegated properly
if test -f /sys/fs/cgroup/cgroup.max.depth; then
    unit="test-subgroup-$RANDOM.service"
    systemd-run --wait \
                --unit="$unit" \
                --property="DynamicUser=1" \
                --property="Delegate=pids" \
                --property="DelegateSubgroup=zzz" \
                test -w "/sys/fs/cgroup/system.slice/$unit/zzz/cgroup.max.depth"
fi

# Check that the invoked process itself is also in the subgroup
unit="test-subgroup-$RANDOM.service"
systemd-run --wait \
            --unit="$unit" \
            --property="DynamicUser=1" \
            --property="Delegate=pids" \
            --property="DelegateSubgroup=bar" \
            grep -q -x -F "0::/system.slice/$unit/bar" /proc/self/cgroup
Commit	Line	Data
3999ea00 FS	1	#!/usr/bin/env bash
	2	# SPDX-License-Identifier: LGPL-2.1-or-later
	3	set -eux
	4	set -o pipefail
	5
	6	# Test cgroup delegation in the unified hierarchy
	7
	8	# shellcheck source=test/units/util.sh
	9	. "$(dirname "$0")"/util.sh
	10
	11	if [[ "$(get_cgroup_hierarchy)" != unified ]]; then
	12	echo "Skipping $0 as we're not running with the unified cgroup hierarchy"
	13	exit 0
	14	fi
	15
	16	at_exit() {
	17	set +e
	18	userdel -r test
	19	}
	20
	21	systemd-run --wait \
	22	--unit=test-0.service \
	23	--property="DynamicUser=1" \
	24	--property="Delegate=" \
	25	test -w /sys/fs/cgroup/system.slice/test-0.service/ -a \
	26	-w /sys/fs/cgroup/system.slice/test-0.service/cgroup.procs -a \
	27	-w /sys/fs/cgroup/system.slice/test-0.service/cgroup.subtree_control
	28
113defc7 LP	29	# Test if this also works for some of the more recent attrs the kernel might or might not support
	30	for attr in cgroup.threads memory.oom.group memory.reclaim ; do
	31
	32	if grep -q "$attr" /sys/kernel/cgroup/delegate ; then
	33	systemd-run --wait \
	34	--unit=test-0.service \
	35	--property="DynamicUser=1" \
	36	--property="Delegate=" \
	37	test -w /sys/fs/cgroup/system.slice/test-0.service/ -a \
	38	-w /sys/fs/cgroup/system.slice/test-0.service/"$attr"
	39	fi
	40	done
	41
3999ea00 FS	42	systemd-run --wait \
	43	--unit=test-1.service \
	44	--property="DynamicUser=1" \
	45	--property="Delegate=memory pids" \
	46	grep -q memory /sys/fs/cgroup/system.slice/test-1.service/cgroup.controllers
	47
	48	systemd-run --wait \
	49	--unit=test-2.service \
	50	--property="DynamicUser=1" \
	51	--property="Delegate=memory pids" \
	52	grep -q pids /sys/fs/cgroup/system.slice/test-2.service/cgroup.controllers
	53
	54	# "io" is not among the controllers enabled by default for all units, verify that
	55	grep -qv io /sys/fs/cgroup/system.slice/cgroup.controllers
	56
	57	# Run a service with "io" enabled, and verify it works
	58	systemd-run --wait \
	59	--unit=test-3.service \
	60	--property="IOAccounting=yes" \
	61	--property="Slice=system-foo-bar-baz.slice" \
	62	grep -q io /sys/fs/cgroup/system.slice/system-foo.slice/system-foo-bar.slice/system-foo-bar-baz.slice/test-3.service/cgroup.controllers
	63
	64	# We want to check if "io" is removed again from the controllers
	65	# list. However, PID 1 (rightfully) does this asynchronously. In order
	66	# to force synchronization on this, let's start a short-lived service
	67	# which requires PID 1 to refresh the cgroup tree, so that we can
	68	# verify that this all works.
	69	systemd-run --wait --unit=test-4.service true
	70
	71	# And now check again, "io" should have vanished
	72	grep -qv io /sys/fs/cgroup/system.slice/cgroup.controllers
	73
	74	# Check that unprivileged delegation works for scopes
	75	useradd test \|\|:
	76	systemd-run --uid=test \
	77	--property="User=test" \
	78	--property="Delegate=yes" \
	79	--slice workload.slice \
	80	--unit test-workload0.scope\
	81	--scope \
	82	test -w /sys/fs/cgroup/workload.slice/test-workload0.scope -a \
	83	-w /sys/fs/cgroup/workload.slice/test-workload0.scope/cgroup.procs -a \
	84	-w /sys/fs/cgroup/workload.slice/test-workload0.scope/cgroup.subtree_control
	85
	86	# Verify that DelegateSubgroup= affects ownership correctly
	87	unit="test-subgroup-$RANDOM.service"
	88	systemd-run --wait \
	89	--unit="$unit" \
	90	--property="DynamicUser=1" \
	91	--property="Delegate=pids" \
	92	--property="DelegateSubgroup=foo" \
	93	test -w "/sys/fs/cgroup/system.slice/$unit" -a \
	94	-w "/sys/fs/cgroup/system.slice/$unit/foo"
	95
	96	# Check that for the subgroup also attributes that aren't covered by
	97	# regular (i.e. main cgroup) delegation ownership rules are delegated properly
	98	if test -f /sys/fs/cgroup/cgroup.max.depth; then
	99	unit="test-subgroup-$RANDOM.service"
	100	systemd-run --wait \
	101	--unit="$unit" \
	102	--property="DynamicUser=1" \
	103	--property="Delegate=pids" \
	104	--property="DelegateSubgroup=zzz" \
	105	test -w "/sys/fs/cgroup/system.slice/$unit/zzz/cgroup.max.depth"
106	fi
107
9a27ef09	108	# Check that the invoked process itself is also in the subgroup
3999ea00 FS	109	unit="test-subgroup-$RANDOM.service"
	110	systemd-run --wait \
	111	--unit="$unit" \
	112	--property="DynamicUser=1" \
	113	--property="Delegate=pids" \
	114	--property="DelegateSubgroup=bar" \
	115	grep -q -x -F "0::/system.slice/$unit/bar" /proc/self/cgroup