libcontainer/integration/update_test.go - third_party/runc - Git at Google

 package integration

 import (
 	"bytes"
 	"os"
 	"strings"
 	"testing"

 	"github.com/opencontainers/runc/libcontainer"
 	"github.com/opencontainers/runc/libcontainer/cgroups/systemd"
 	"github.com/opencontainers/runc/libcontainer/devices"
 )

 func testUpdateDevices(t *testing.T, systemd bool) {
 	if testing.Short() {
 		return
 	}
 	config := newTemplateConfig(t, &tParam{systemd: systemd})
 	container, err := newContainer(t, config)
 	ok(t, err)
 	defer destroyContainer(container)

 	// Execute a first process in the container
 	stdinR, stdinW, err := os.Pipe()
 	ok(t, err)
 	process := &libcontainer.Process{
 		Cwd:   "/",
 		Args:  []string{"cat"},
 		Env:   standardEnvironment,
 		Stdin: stdinR,
 		Init:  true,
 	}
 	err = container.Run(process)
 	_ = stdinR.Close()
 	defer func() {
 		_ = stdinW.Close()
 		if _, err := process.Wait(); err != nil {
 			t.Log(err)
 		}
 	}()
 	ok(t, err)

 	var buf bytes.Buffer
 	devCheck := &libcontainer.Process{
 		Cwd:    "/",
 		Args:   []string{"/bin/sh", "-c", "echo > /dev/full; cat /dev/null; true"},
 		Env:    standardEnvironment,
 		Stderr: &buf,
 	}
 	isAllowed := true
 	expected := map[bool][]string{
 		true: {
 			"write error: No space left on device", // from write to /dev/full
 			// no error from cat /dev/null
 		},
 		false: {
 			"/dev/full: Operation not permitted",
 			`cat: can't open '/dev/null': Operation not permitted`,
 		},
 	}
 	defaultDevices := config.Cgroups.Resources.Devices

 	for i := 0; i < 300; i++ {
 		// Check the access
 		buf.Reset()
 		err = container.Run(devCheck)
 		ok(t, err)
 		waitProcess(devCheck, t)

 		for _, exp := range expected[isAllowed] {
 			if !strings.Contains(buf.String(), exp) {
 				t.Fatalf("[%d] expected %q, got %q", i, exp, buf.String())
 			}
 		}

 		// Now flip the access permission
 		isAllowed = !isAllowed
 		if isAllowed {
 			config.Cgroups.Resources.Devices = defaultDevices
 		} else {
 			config.Cgroups.Resources.Devices = []*devices.Rule{}
 		}
 		if err := container.Set(*config); err != nil {
 			t.Fatal(err)
 		}
 	}
 }

 func TestUpdateDevices(t *testing.T) {
 	testUpdateDevices(t, false)
 }

 func TestUpdateDevicesSystemd(t *testing.T) {
 	if !systemd.IsRunningSystemd() {
 		t.Skip("Test requires systemd.")
 	}
 	testUpdateDevices(t, true)
 }
	package integration

	import (
	"bytes"
	"os"
	"strings"
	"testing"

	"github.com/opencontainers/runc/libcontainer"
	"github.com/opencontainers/runc/libcontainer/cgroups/systemd"
	"github.com/opencontainers/runc/libcontainer/devices"
	)

	func testUpdateDevices(t *testing.T, systemd bool) {
	if testing.Short() {
	return
	}
	config := newTemplateConfig(t, &tParam{systemd: systemd})
	container, err := newContainer(t, config)
	ok(t, err)
	defer destroyContainer(container)

	// Execute a first process in the container
	stdinR, stdinW, err := os.Pipe()
	ok(t, err)
	process := &libcontainer.Process{
	Cwd: "/",
	Args: []string{"cat"},
	Env: standardEnvironment,
	Stdin: stdinR,
	Init: true,
	}
	err = container.Run(process)
	_ = stdinR.Close()
	defer func() {
	_ = stdinW.Close()
	if _, err := process.Wait(); err != nil {
	t.Log(err)
	}
	}()
	ok(t, err)

	var buf bytes.Buffer
	devCheck := &libcontainer.Process{
	Cwd: "/",
	Args: []string{"/bin/sh", "-c", "echo > /dev/full; cat /dev/null; true"},
	Env: standardEnvironment,
	Stderr: &buf,
	}
	isAllowed := true
	expected := map[bool][]string{
	true: {
	"write error: No space left on device", // from write to /dev/full
	// no error from cat /dev/null
	},
	false: {
	"/dev/full: Operation not permitted",
	`cat: can't open '/dev/null': Operation not permitted`,
	},
	}
	defaultDevices := config.Cgroups.Resources.Devices

	for i := 0; i < 300; i++ {
	// Check the access
	buf.Reset()
	err = container.Run(devCheck)
	ok(t, err)
	waitProcess(devCheck, t)

	for _, exp := range expected[isAllowed] {
	if !strings.Contains(buf.String(), exp) {
	t.Fatalf("[%d] expected %q, got %q", i, exp, buf.String())
	}
	}

	// Now flip the access permission
	isAllowed = !isAllowed
	if isAllowed {
	config.Cgroups.Resources.Devices = defaultDevices
	} else {
	config.Cgroups.Resources.Devices = []*devices.Rule{}
	}
	if err := container.Set(*config); err != nil {
	t.Fatal(err)
	}
	}
	}

	func TestUpdateDevices(t *testing.T) {
	testUpdateDevices(t, false)
	}

	func TestUpdateDevicesSystemd(t *testing.T) {
	if !systemd.IsRunningSystemd() {
	t.Skip("Test requires systemd.")
	}
	testUpdateDevices(t, true)
	}