[thirdparty/systemd.git] / test / units / testsuite-19.delegate.sh

#!/usr/bin/env bash
# SPDX-License-Identifier: LGPL-2.1-or-later
set -eux
set -o pipefail

# Test cgroup delegation in the unified hierarchy

# shellcheck source=test/units/util.sh
. "$(dirname "$0")"/util.sh

if [[ "$(get_cgroup_hierarchy)" != unified ]]; then
    echo "Skipping $0 as we're not running with the unified cgroup hierarchy"
    exit 0
fi

at_exit() {
    set +e
    userdel -r test
}

systemd-run --wait \
            --unit=test-0.service \
            --property="DynamicUser=1" \
            --property="Delegate=" \
            test -w /sys/fs/cgroup/system.slice/test-0.service/ -a \
                 -w /sys/fs/cgroup/system.slice/test-0.service/cgroup.procs -a \
                 -w /sys/fs/cgroup/system.slice/test-0.service/cgroup.subtree_control

systemd-run --wait \
            --unit=test-1.service \
            --property="DynamicUser=1" \
            --property="Delegate=memory pids" \
            grep -q memory /sys/fs/cgroup/system.slice/test-1.service/cgroup.controllers

systemd-run --wait \
            --unit=test-2.service \
            --property="DynamicUser=1" \
            --property="Delegate=memory pids" \
            grep -q pids /sys/fs/cgroup/system.slice/test-2.service/cgroup.controllers

# "io" is not among the controllers enabled by default for all units, verify that
grep -qv io /sys/fs/cgroup/system.slice/cgroup.controllers

# Run a service with "io" enabled, and verify it works
systemd-run --wait \
            --unit=test-3.service \
            --property="IOAccounting=yes" \
            --property="Slice=system-foo-bar-baz.slice"  \
            grep -q io /sys/fs/cgroup/system.slice/system-foo.slice/system-foo-bar.slice/system-foo-bar-baz.slice/test-3.service/cgroup.controllers

# We want to check if "io" is removed again from the controllers
# list. However, PID 1 (rightfully) does this asynchronously. In order
# to force synchronization on this, let's start a short-lived service
# which requires PID 1 to refresh the cgroup tree, so that we can
# verify that this all works.
systemd-run --wait --unit=test-4.service true

# And now check again, "io" should have vanished
grep -qv io /sys/fs/cgroup/system.slice/cgroup.controllers

# Check that unprivileged delegation works for scopes
useradd test ||:
systemd-run --uid=test \
            --property="User=test" \
            --property="Delegate=yes" \
            --slice workload.slice \
            --unit test-workload0.scope\
            --scope \
            test -w /sys/fs/cgroup/workload.slice/test-workload0.scope -a \
                 -w /sys/fs/cgroup/workload.slice/test-workload0.scope/cgroup.procs -a \
                 -w /sys/fs/cgroup/workload.slice/test-workload0.scope/cgroup.subtree_control

# Verify that DelegateSubgroup= affects ownership correctly
unit="test-subgroup-$RANDOM.service"
systemd-run --wait \
            --unit="$unit" \
            --property="DynamicUser=1" \
            --property="Delegate=pids" \
            --property="DelegateSubgroup=foo" \
            test -w "/sys/fs/cgroup/system.slice/$unit" -a \
                 -w "/sys/fs/cgroup/system.slice/$unit/foo"

# Check that for the subgroup also attributes that aren't covered by
# regular (i.e. main cgroup) delegation ownership rules are delegated properly
if test -f /sys/fs/cgroup/cgroup.max.depth; then
    unit="test-subgroup-$RANDOM.service"
    systemd-run --wait \
                --unit="$unit" \
                --property="DynamicUser=1" \
                --property="Delegate=pids" \
                --property="DelegateSubgroup=zzz" \
                test -w "/sys/fs/cgroup/system.slice/$unit/zzz/cgroup.max.depth"
fi

# Check that the invoked process itself is also in the subgroup
unit="test-subgroup-$RANDOM.service"
systemd-run --wait \
            --unit="$unit" \
            --property="DynamicUser=1" \
            --property="Delegate=pids" \
            --property="DelegateSubgroup=bar" \
            grep -q -x -F "0::/system.slice/$unit/bar" /proc/self/cgroup
Commit	Line	Data
3999ea00 FS	1	#!/usr/bin/env bash
	2	# SPDX-License-Identifier: LGPL-2.1-or-later
	3	set -eux
	4	set -o pipefail
	5
	6	# Test cgroup delegation in the unified hierarchy
	7
	8	# shellcheck source=test/units/util.sh
	9	. "$(dirname "$0")"/util.sh
	10
	11	if [[ "$(get_cgroup_hierarchy)" != unified ]]; then
	12	echo "Skipping $0 as we're not running with the unified cgroup hierarchy"
	13	exit 0
	14	fi
	15
	16	at_exit() {
	17	set +e
	18	userdel -r test
	19	}
	20
	21	systemd-run --wait \
	22	--unit=test-0.service \
	23	--property="DynamicUser=1" \
	24	--property="Delegate=" \
	25	test -w /sys/fs/cgroup/system.slice/test-0.service/ -a \
	26	-w /sys/fs/cgroup/system.slice/test-0.service/cgroup.procs -a \
	27	-w /sys/fs/cgroup/system.slice/test-0.service/cgroup.subtree_control
	28
	29	systemd-run --wait \
	30	--unit=test-1.service \
	31	--property="DynamicUser=1" \
	32	--property="Delegate=memory pids" \
	33	grep -q memory /sys/fs/cgroup/system.slice/test-1.service/cgroup.controllers
	34
	35	systemd-run --wait \
	36	--unit=test-2.service \
	37	--property="DynamicUser=1" \
	38	--property="Delegate=memory pids" \
	39	grep -q pids /sys/fs/cgroup/system.slice/test-2.service/cgroup.controllers
	40
	41	# "io" is not among the controllers enabled by default for all units, verify that
	42	grep -qv io /sys/fs/cgroup/system.slice/cgroup.controllers
	43
	44	# Run a service with "io" enabled, and verify it works
	45	systemd-run --wait \
	46	--unit=test-3.service \
	47	--property="IOAccounting=yes" \
	48	--property="Slice=system-foo-bar-baz.slice" \
	49	grep -q io /sys/fs/cgroup/system.slice/system-foo.slice/system-foo-bar.slice/system-foo-bar-baz.slice/test-3.service/cgroup.controllers
	50
	51	# We want to check if "io" is removed again from the controllers
	52	# list. However, PID 1 (rightfully) does this asynchronously. In order
	53	# to force synchronization on this, let's start a short-lived service
	54	# which requires PID 1 to refresh the cgroup tree, so that we can
	55	# verify that this all works.
	56	systemd-run --wait --unit=test-4.service true
	57
	58	# And now check again, "io" should have vanished
	59	grep -qv io /sys/fs/cgroup/system.slice/cgroup.controllers
	60
	61	# Check that unprivileged delegation works for scopes
	62	useradd test \|\|:
	63	systemd-run --uid=test \
	64	--property="User=test" \
65	--property="Delegate=yes" \
66	--slice workload.slice \
67	--unit test-workload0.scope\
68	--scope \
69	test -w /sys/fs/cgroup/workload.slice/test-workload0.scope -a \
70	-w /sys/fs/cgroup/workload.slice/test-workload0.scope/cgroup.procs -a \
71	-w /sys/fs/cgroup/workload.slice/test-workload0.scope/cgroup.subtree_control
72
73	# Verify that DelegateSubgroup= affects ownership correctly
74	unit="test-subgroup-$RANDOM.service"
75	systemd-run --wait \
76	--unit="$unit" \
77	--property="DynamicUser=1" \
78	--property="Delegate=pids" \
79	--property="DelegateSubgroup=foo" \
80	test -w "/sys/fs/cgroup/system.slice/$unit" -a \
81	-w "/sys/fs/cgroup/system.slice/$unit/foo"
82
83	# Check that for the subgroup also attributes that aren't covered by
84	# regular (i.e. main cgroup) delegation ownership rules are delegated properly
85	if test -f /sys/fs/cgroup/cgroup.max.depth; then
86	unit="test-subgroup-$RANDOM.service"
87	systemd-run --wait \
88	--unit="$unit" \
89	--property="DynamicUser=1" \
90	--property="Delegate=pids" \
91	--property="DelegateSubgroup=zzz" \
92	test -w "/sys/fs/cgroup/system.slice/$unit/zzz/cgroup.max.depth"
93	fi
94
9a27ef09	95	# Check that the invoked process itself is also in the subgroup
3999ea00 FS	96	unit="test-subgroup-$RANDOM.service"
	97	systemd-run --wait \
	98	--unit="$unit" \
	99	--property="DynamicUser=1" \
	100	--property="Delegate=pids" \
	101	--property="DelegateSubgroup=bar" \
	102	grep -q -x -F "0::/system.slice/$unit/bar" /proc/self/cgroup