[thirdparty/systemd.git] / test / TEST-13-NSPAWN-SMOKE / test.sh

#!/bin/bash
set -e
TEST_DESCRIPTION="systemd-nspawn smoke test"
TEST_NO_NSPAWN=1

. $TEST_BASE_DIR/test-functions

test_setup() {
    create_empty_image_rootdir

    # Create what will eventually be our root filesystem onto an overlay
    (
        LOG_LEVEL=5
        eval $(udevadm info --export --query=env --name=${LOOPDEV}p2)

        setup_basic_environment
        mask_supporting_services
        dracut_install busybox chmod rmdir unshare ip sysctl

        cp create-busybox-container $initdir/

        ./create-busybox-container $initdir/nc-container
        initdir="$initdir/nc-container" dracut_install nc ip

        # setup the testsuite service
        cat >$initdir/etc/systemd/system/testsuite.service <<EOF
[Unit]
Description=Testsuite service

[Service]
ExecStart=/test-nspawn.sh
Type=oneshot
EOF

        cat >$initdir/test-nspawn.sh <<'EOF'
#!/bin/bash
set -x
set -e
set -u
set -o pipefail

export SYSTEMD_LOG_LEVEL=debug

# check cgroup-v2
is_v2_supported=no
mkdir -p /tmp/cgroup2
if mount -t cgroup2 cgroup2 /tmp/cgroup2; then
    is_v2_supported=yes
    umount /tmp/cgroup2
fi
rmdir /tmp/cgroup2

# check cgroup namespaces
is_cgns_supported=no
if [[ -f /proc/1/ns/cgroup ]]; then
    is_cgns_supported=yes
fi

is_user_ns_supported=no
# On some systems (e.g. CentOS 7) the default limit for user namespaces
# is set to 0, which causes the following unshare syscall to fail, even
# with enabled user namespaces support. By setting this value explicitly
# we can ensure the user namespaces support to be detected correctly.
sysctl -w user.max_user_namespaces=10000
if unshare -U sh -c :; then
    is_user_ns_supported=yes
fi

function check_bind_tmp_path {
    # https://github.com/systemd/systemd/issues/4789
    local _root="/var/lib/machines/bind-tmp-path"
    /create-busybox-container "$_root"
    >/tmp/bind
    systemd-nspawn --register=no -D "$_root" --bind=/tmp/bind /bin/sh -c 'test -e /tmp/bind'
}

function check_norbind {
    # https://github.com/systemd/systemd/issues/13170
    local _root="/var/lib/machines/norbind-path"
    mkdir -p /tmp/binddir/subdir
    echo -n "outer" > /tmp/binddir/subdir/file
    mount -t tmpfs tmpfs /tmp/binddir/subdir
    echo -n "inner" > /tmp/binddir/subdir/file
    /create-busybox-container "$_root"
    systemd-nspawn --register=no -D "$_root" --bind=/tmp/binddir:/mnt:norbind /bin/sh -c 'CONTENT=$(cat /mnt/subdir/file); if [[ $CONTENT != "outer" ]]; then echo "*** unexpected content: $CONTENT"; return 1; fi'
}

function check_notification_socket {
    # https://github.com/systemd/systemd/issues/4944
    local _cmd='echo a | $(busybox which nc) -U -u -w 1 /run/systemd/nspawn/notify'
    systemd-nspawn --register=no -D /nc-container /bin/sh -x -c "$_cmd"
    systemd-nspawn --register=no -D /nc-container -U /bin/sh -x -c "$_cmd"
}

function run {
    if [[ "$1" = "yes" && "$is_v2_supported" = "no" ]]; then
        printf "Unified cgroup hierarchy is not supported. Skipping.\n" >&2
        return 0
    fi
    if [[ "$2" = "yes" && "$is_cgns_supported" = "no" ]];  then
        printf "CGroup namespaces are not supported. Skipping.\n" >&2
        return 0
    fi

    local _root="/var/lib/machines/unified-$1-cgns-$2-api-vfs-writable-$3"
    /create-busybox-container "$_root"
    SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$3" systemd-nspawn --register=no -D "$_root" -b
    SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$3" systemd-nspawn --register=no -D "$_root" --private-network -b

    if SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$3" systemd-nspawn --register=no -D "$_root" -U -b; then
       [[ "$is_user_ns_supported" = "yes" && "$3" = "network" ]] && return 1
    else
       [[ "$is_user_ns_supported" = "no" && "$3" = "network" ]] && return 1
    fi

    if SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$3" systemd-nspawn --register=no -D "$_root" --private-network -U -b; then
       [[ "$is_user_ns_supported" = "yes" && "$3" = "yes" ]] && return 1
    else
       [[ "$is_user_ns_supported" = "no" && "$3" = "yes" ]] && return 1
    fi

    local _netns_opt="--network-namespace-path=/proc/self/ns/net"

    # --network-namespace-path and network-related options cannot be used together
    if SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$3" systemd-nspawn --register=no -D "$_root" "$_netns_opt" --network-interface=lo -b; then
       return 1
    fi

    if SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$3" systemd-nspawn --register=no -D "$_root" "$_netns_opt" --network-macvlan=lo -b; then
       return 1
    fi

    if SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$3" systemd-nspawn --register=no -D "$_root" "$_netns_opt" --network-ipvlan=lo -b; then
       return 1
    fi

    if SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$3" systemd-nspawn --register=no -D "$_root" "$_netns_opt" --network-veth -b; then
       return 1
    fi

    if SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$3" systemd-nspawn --register=no -D "$_root" "$_netns_opt" --network-veth-extra=lo -b; then
       return 1
    fi

    if SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$3" systemd-nspawn --register=no -D "$_root" "$_netns_opt" --network-bridge=lo -b; then
       return 1
    fi

    if SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$3" systemd-nspawn --register=no -D "$_root" "$_netns_opt" --network-zone=zone -b; then
       return 1
    fi

    if SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$3" systemd-nspawn --register=no -D "$_root" "$_netns_opt" --private-network -b; then
       return 1
    fi

    # test --network-namespace-path works with a network namespace created by "ip netns"
    ip netns add nspawn_test
    _netns_opt="--network-namespace-path=/run/netns/nspawn_test"
    SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$3" systemd-nspawn --register=no -D "$_root" "$_netns_opt" /bin/ip a | grep -v -E '^1: lo.*UP'
    local r=$?
    ip netns del nspawn_test

    if [ $r -ne 0 ]; then
       return 1
    fi

    return 0
}

check_bind_tmp_path

check_norbind

check_notification_socket

for api_vfs_writable in yes no network; do
    run no no $api_vfs_writable
    run yes no $api_vfs_writable
    run no yes $api_vfs_writable
    run yes yes $api_vfs_writable
done

touch /testok
EOF

        chmod 0755 $initdir/test-nspawn.sh
        setup_testsuite
    )
}

do_test "$@"
Commit	Line	Data
c7934185	1	#!/bin/bash
818567fc	2	set -e
c7934185	3	TEST_DESCRIPTION="systemd-nspawn smoke test"
054ee249	4	TEST_NO_NSPAWN=1
c2d4da00	5
c7934185 EV	6	. $TEST_BASE_DIR/test-functions
c7934185 EV	7
c7934185	8	test_setup() {
ec4cab49	9	create_empty_image_rootdir
c7934185 EV	10
	11	# Create what will eventually be our root filesystem onto an overlay
	12	(
	13	LOG_LEVEL=5
	14	eval $(udevadm info --export --query=env --name=${LOOPDEV}p2)
	15
	16	setup_basic_environment
51fa8591	17	mask_supporting_services
67f5c0c7	18	dracut_install busybox chmod rmdir unshare ip sysctl
c7934185 EV	19
	20	cp create-busybox-container $initdir/
	21
9bcef206	22	./create-busybox-container $initdir/nc-container
f3d33947	23	initdir="$initdir/nc-container" dracut_install nc ip
9bcef206	24
c7934185 EV	25	# setup the testsuite service
	26	cat >$initdir/etc/systemd/system/testsuite.service <<EOF
	27	[Unit]
	28	Description=Testsuite service
c7934185 EV	29
	30	[Service]
	31	ExecStart=/test-nspawn.sh
	32	Type=oneshot
	33	EOF
	34
	35	cat >$initdir/test-nspawn.sh <<'EOF'
	36	#!/bin/bash
	37	set -x
	38	set -e
	39	set -u
	40	set -o pipefail
	41
	42	export SYSTEMD_LOG_LEVEL=debug
	43
	44	# check cgroup-v2
	45	is_v2_supported=no
	46	mkdir -p /tmp/cgroup2
	47	if mount -t cgroup2 cgroup2 /tmp/cgroup2; then
	48	is_v2_supported=yes
	49	umount /tmp/cgroup2
	50	fi
	51	rmdir /tmp/cgroup2
	52
	53	# check cgroup namespaces
	54	is_cgns_supported=no
	55	if [[ -f /proc/1/ns/cgroup ]]; then
	56	is_cgns_supported=yes
	57	fi
	58
8e391ada	59	is_user_ns_supported=no
67f5c0c7 FS	60	# On some systems (e.g. CentOS 7) the default limit for user namespaces
	61	# is set to 0, which causes the following unshare syscall to fail, even
	62	# with enabled user namespaces support. By setting this value explicitly
	63	# we can ensure the user namespaces support to be detected correctly.
	64	sysctl -w user.max_user_namespaces=10000
8e391ada EV	65	if unshare -U sh -c :; then
	66	is_user_ns_supported=yes
	67	fi
	68
c9fd9872 EV	69	function check_bind_tmp_path {
	70	# https://github.com/systemd/systemd/issues/4789
	71	local _root="/var/lib/machines/bind-tmp-path"
	72	/create-busybox-container "$_root"
	73	>/tmp/bind
	74	systemd-nspawn --register=no -D "$_root" --bind=/tmp/bind /bin/sh -c 'test -e /tmp/bind'
	75	}
	76
55741811 ILG	77	function check_norbind {
	78	# https://github.com/systemd/systemd/issues/13170
	79	local _root="/var/lib/machines/norbind-path"
	80	mkdir -p /tmp/binddir/subdir
	81	echo -n "outer" > /tmp/binddir/subdir/file
	82	mount -t tmpfs tmpfs /tmp/binddir/subdir
	83	echo -n "inner" > /tmp/binddir/subdir/file
	84	/create-busybox-container "$_root"
	85	systemd-nspawn --register=no -D "$_root" --bind=/tmp/binddir:/mnt:norbind /bin/sh -c 'CONTENT=$(cat /mnt/subdir/file); if [[ $CONTENT != "outer" ]]; then echo "*** unexpected content: $CONTENT"; return 1; fi'
	86	}
	87
9bcef206 EV	88	function check_notification_socket {
	89	# https://github.com/systemd/systemd/issues/4944
	90	local _cmd='echo a \| $(busybox which nc) -U -u -w 1 /run/systemd/nspawn/notify'
	91	systemd-nspawn --register=no -D /nc-container /bin/sh -x -c "$_cmd"
	92	systemd-nspawn --register=no -D /nc-container -U /bin/sh -x -c "$_cmd"
	93	}
	94
c7934185 EV	95	function run {
	96	if [[ "$1" = "yes" && "$is_v2_supported" = "no" ]]; then
	97	printf "Unified cgroup hierarchy is not supported. Skipping.\n" >&2
	98	return 0
	99	fi
	100	if [[ "$2" = "yes" && "$is_cgns_supported" = "no" ]]; then
77599f06	101	printf "CGroup namespaces are not supported. Skipping.\n" >&2
c7934185 EV	102	return 0
	103	fi
	104
8e391ada	105	local _root="/var/lib/machines/unified-$1-cgns-$2-api-vfs-writable-$3"
c7934185	106	/create-busybox-container "$_root"
c78c095b ZJS	107	SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$3" systemd-nspawn --register=no -D "$_root" -b
c78c095b ZJS	108	SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$3" systemd-nspawn --register=no -D "$_root" --private-network -b
8e391ada	109
c78c095b	110	if SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$3" systemd-nspawn --register=no -D "$_root" -U -b; then
8e391ada EV	111	[[ "$is_user_ns_supported" = "yes" && "$3" = "network" ]] && return 1
	112	else
	113	[[ "$is_user_ns_supported" = "no" && "$3" = "network" ]] && return 1
	114	fi
	115
c78c095b	116	if SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$3" systemd-nspawn --register=no -D "$_root" --private-network -U -b; then
8e391ada EV	117	[[ "$is_user_ns_supported" = "yes" && "$3" = "yes" ]] && return 1
	118	else
	119	[[ "$is_user_ns_supported" = "no" && "$3" = "yes" ]] && return 1
	120	fi
c7934185	121
25fd8143 DP	122	local _netns_opt="--network-namespace-path=/proc/self/ns/net"
	123
	124	# --network-namespace-path and network-related options cannot be used together
c78c095b	125	if SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$3" systemd-nspawn --register=no -D "$_root" "$_netns_opt" --network-interface=lo -b; then
25fd8143 DP	126	return 1
	127	fi
	128
c78c095b	129	if SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$3" systemd-nspawn --register=no -D "$_root" "$_netns_opt" --network-macvlan=lo -b; then
25fd8143 DP	130	return 1
	131	fi
	132
c78c095b	133	if SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$3" systemd-nspawn --register=no -D "$_root" "$_netns_opt" --network-ipvlan=lo -b; then
25fd8143 DP	134	return 1
	135	fi
	136
c78c095b	137	if SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$3" systemd-nspawn --register=no -D "$_root" "$_netns_opt" --network-veth -b; then
25fd8143 DP	138	return 1
	139	fi
	140
c78c095b	141	if SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$3" systemd-nspawn --register=no -D "$_root" "$_netns_opt" --network-veth-extra=lo -b; then
25fd8143 DP	142	return 1
	143	fi
	144
c78c095b	145	if SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$3" systemd-nspawn --register=no -D "$_root" "$_netns_opt" --network-bridge=lo -b; then
25fd8143 DP	146	return 1
	147	fi
	148
c78c095b	149	if SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$3" systemd-nspawn --register=no -D "$_root" "$_netns_opt" --network-zone=zone -b; then
25fd8143 DP	150	return 1
	151	fi
	152
c78c095b	153	if SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$3" systemd-nspawn --register=no -D "$_root" "$_netns_opt" --private-network -b; then
25fd8143 DP	154	return 1
	155	fi
	156
f3d33947 ILG	157	# test --network-namespace-path works with a network namespace created by "ip netns"
	158	ip netns add nspawn_test
	159	_netns_opt="--network-namespace-path=/run/netns/nspawn_test"
c78c095b	160	SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$3" systemd-nspawn --register=no -D "$_root" "$_netns_opt" /bin/ip a \| grep -v -E '^1: lo.*UP'
f3d33947 ILG	161	local r=$?
	162	ip netns del nspawn_test
	163
	164	if [ $r -ne 0 ]; then
	165	return 1
	166	fi
	167
c7934185 EV	168	return 0
	169	}
	170
c9fd9872 EV	171	check_bind_tmp_path
c9fd9872 EV	172
55741811 ILG	173	check_norbind
55741811 ILG	174
9bcef206 EV	175	check_notification_socket
9bcef206 EV	176
8e391ada EV	177	for api_vfs_writable in yes no network; do
	178	run no no $api_vfs_writable
	179	run yes no $api_vfs_writable
	180	run no yes $api_vfs_writable
	181	run yes yes $api_vfs_writable
	182	done
c7934185 EV	183
	184	touch /testok
	185	EOF
	186
	187	chmod 0755 $initdir/test-nspawn.sh
	188	setup_testsuite
cc469c3d	189	)
c7934185 EV	190	}
c7934185 EV	191
c7934185	192	do_test "$@"