tests: add nspawn's rootidmap integration test
authorQuentin Deslandes <qd@naccy.de>
Tue, 6 Sep 2022 13:42:43 +0000 (14:42 +0100)
committerLuca Boccassi <luca.boccassi@gmail.com>
Mon, 17 Oct 2022 10:01:50 +0000 (12:01 +0200)
Add an integration test to testsuite-13.sh to ensure the rootidmap option maps
user IDs as expected.

test/create-busybox-container
test/test-functions
test/units/testsuite-13.sh

index 05ab2b11c9fc2224a3e3ae2f27f079df7a9113b2..fca9d6150acb219441b17ce28130c7debbcc4cf6 100755 (executable)
@@ -25,6 +25,8 @@ ln -s busybox "$root/bin/seq"
 ln -s busybox "$root/bin/sleep"
 ln -s busybox "$root/bin/usleep"
 ln -s busybox "$root/bin/test"
+ln -s busybox "$root/bin/stat"
+ln -s busybox "$root/bin/touch"
 
 mkdir -p "$root/sbin"
 cat <<'EOF' >"$root/sbin/init"
index bda04bca6b65dddb7dae49d8ef2bac98c5505294..16d9da637bf881ed447e1764aa3e6e4de7614ec1 100644 (file)
@@ -2593,11 +2593,11 @@ inst_binary() {
 
     # Same as above, but we need to wrap certain libraries unconditionally
     #
-    # getent, login, su, useradd, userdel - dlopen()s (not only) systemd's PAM modules
+    # chown, getent, login, su, useradd, userdel - dlopen()s (not only) systemd's PAM modules
     # ls, stat - pulls in nss_systemd with certain options (like ls -l) when
     #            nsswitch.conf uses [SUCCESS=merge] (like on Arch Linux)
     # tar - called by machinectl in TEST-25
-    if get_bool "$IS_BUILT_WITH_ASAN" && [[ "$bin" =~ /(getent|login|ls|stat|su|tar|useradd|userdel)$ ]]; then
+    if get_bool "$IS_BUILT_WITH_ASAN" && [[ "$bin" =~ /(chown|getent|login|ls|stat|su|tar|useradd|userdel)$ ]]; then
         wrap_binary=1
     fi
 
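Review bot: The updated comment on the line above the regex lists chown among the binaries that "dlopen()s (not only) systemd's PAM modules", but as far as I can tell chown never touches PAM; it resolves user and group names through NSS (getpwnam/getgrnam), which is the same reason ls and stat are wrapped. Keeping chown on the PAM line makes the next reader wonder which PAM module chown loads. I would move it to the NSS line instead, e.g. `# chown, ls, stat - pulls in nss_systemd (chown via getpwnam/getgrnam; ls -l, stat via lookups) when` while leaving the regex change as is. The enclosing inst_binary function starts and ends outside this hunk.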
index fb0b3cda1679bab03e0b74e261f0e3d23daa618a..4ad7431e425ac04a6a1f5d56c5762fdad6e32bcb 100755 (executable)
@@ -53,6 +53,42 @@ function check_norbind {
     systemd-nspawn --register=no -D "$_root" --bind=/tmp/binddir:/mnt:norbind /bin/sh -c 'CONTENT=$(cat /mnt/subdir/file); if [[ $CONTENT != "outer" ]]; then echo "*** unexpected content: $CONTENT"; return 1; fi'
 }
 
+function check_rootidmap {
+    local _owner=1000
+    local _root="/var/lib/machines/testsuite-13.rootidmap-path"
+    local _command
+    rm -rf "$_root"
+
+    # Create ext4 image, as ext4 supports idmapped-mounts.
+    dd if=/dev/zero of=/tmp/ext4.img bs=4k count=2048
+    mkfs.ext4 /tmp/ext4.img
+    mkdir -p /tmp/rootidmapdir
+    mount /tmp/ext4.img /tmp/rootidmapdir
+
+    touch /tmp/rootidmapdir/file
+    chown -R $_owner:$_owner /tmp/rootidmapdir
+
+    /usr/lib/systemd/tests/testdata/create-busybox-container "$_root"
+    _command='PERMISSIONS=$(stat -c "%u:%g" /mnt/file); if [[ $PERMISSIONS != "0:0" ]]; then echo "*** wrong permissions: $PERMISSIONS"; return 1; fi; touch /mnt/other_file'
+    if ! SYSTEMD_LOG_TARGET=console systemd-nspawn \
+            --register=no -D "$_root" \
+            --bind=/tmp/rootidmapdir:/mnt:rootidmap \
+            /bin/sh -c "$_command" |& tee nspawn.out; then
+        if grep -q "Failed to map ids for bind mount.*: Function not implemented" nspawn.out; then
+            echo "idmapped mounts are not supported, skipping the test..."
+            return 0
+        fi
+
+        return 1
+    fi
+
+    PERMISSIONS=$(stat -c "%u:%g" /tmp/rootidmapdir/other_file)
+    if [[ $PERMISSIONS != "$_owner:$_owner" ]]; then
+        echo "*** wrong permissions: $PERMISSIONS"
+        [[ "$is_user_ns_supported" = "yes" ]] && return 1
+    fi
+}
+
 function check_notification_socket {
     # https://github.com/systemd/systemd/issues/4944
     local _cmd='echo a | $(busybox which nc) -U -u -w 1 /run/host/notify'
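Review bot: The ext4 image mounted on /tmp/rootidmapdir at the top of check_rootidmap is never unmounted, and neither /tmp/ext4.img nor the mount point is removed on any of the three exit paths (skip, failure, success), so the loop-backed mount outlives the test and a rerun of the function stacks a fresh mount over the stale one. Separately, the `if ! … |& tee nspawn.out` condition reflects tee's exit status rather than systemd-nspawn's unless the script enables pipefail (its header is outside this hunk); without it a failing nspawn is only caught indirectly when the later stat of other_file fails. I would route every exit through one teardown so the mount is always released, as sketched below; the dd/mkfs/mount steps before it are also unchecked and rely on the script's error mode, which I cannot see from here.
```shell
function check_rootidmap {
    # … unchanged: locals, image creation, mount, chown, container creation, _command …
    local _rc=0
    if ! SYSTEMD_LOG_TARGET=console systemd-nspawn \
            --register=no -D "$_root" \
            --bind=/tmp/rootidmapdir:/mnt:rootidmap \
            /bin/sh -c "$_command" |& tee nspawn.out; then
        if grep -q "Failed to map ids for bind mount.*: Function not implemented" nspawn.out; then
            echo "idmapped mounts are not supported, skipping the test..."
        else
            _rc=1
        fi
    else
        PERMISSIONS=$(stat -c "%u:%g" /tmp/rootidmapdir/other_file)
        if [[ $PERMISSIONS != "$_owner:$_owner" ]]; then
            echo "*** wrong permissions: $PERMISSIONS"
            [[ "$is_user_ns_supported" = "yes" ]] && _rc=1
        fi
    fi

    # Always release the loop-backed mount so a rerun does not stack mounts.
    umount /tmp/rootidmapdir
    rm -rf /tmp/rootidmapdir /tmp/ext4.img
    return $_rc
}
```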
@@ -210,6 +246,8 @@ check_bind_tmp_path
 
 check_norbind
 
+check_rootidmap
+
 check_notification_socket
 
 check_os_release