containers
diff --git a/‎tests/guest-agent/src/main.rs‎
Lines changed: 5 additions & 1 deletion b/‎tests/guest-agent/src/main.rs‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎tests/runner/src/main.rs‎
Lines changed: 52 additions & 9 deletions b/‎tests/runner/src/main.rs‎
Lines changed: 52 additions & 9 deletions
diff --git a/‎tests/test_cases/Cargo.toml‎
Lines changed: 1 addition & 1 deletion b/‎tests/test_cases/Cargo.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎tests/test_cases/src/common.rs‎
Lines changed: 40 additions & 109 deletions b/‎tests/test_cases/src/common.rs‎
Lines changed: 40 additions & 109 deletions
@@ -8,7 +8,11 @@ fn run_guest_agent(test_name: &str) -> anyhow::Result<()> {
         .into_iter()
         .find(|t| t.name() == test_name)
         .context("No such test!")?;
-    let TestCase { test, name: _, requires_namespace: _ } = test_case;
+    let TestCase {
+        test,
+        name: _,
+        requires_namespace: _,
+    } = test_case;
     test.in_guest();
     Ok(())
 }
 
@@ -25,7 +25,7 @@ fn get_test(name: &str) -> anyhow::Result<Box<dyn Test>> {
         .map(|t| t.test)
 }
 
-fn start_vm(test_setup: TestSetup) -> anyhow::Result<()> {
+fn start_vm(mut test_setup: TestSetup) -> anyhow::Result<()> {
     // Raise soft fd limit up to the hard limit
     let (_soft_limit, hard_limit) =
         getrlimit(Resource::RLIMIT_NOFILE).context("getrlimit RLIMIT_NOFILE")?;
@@ -40,6 +40,8 @@ fn start_vm(test_setup: TestSetup) -> anyhow::Result<()> {
         .map(|t| t.requires_namespace)
         .unwrap_or(false);
 
+    test_setup.requires_namespace = requires_namespace;
+
     if requires_namespace {
         setup_namespace_and_run(test_setup)?;
     } else {
@@ -52,7 +54,7 @@ fn start_vm(test_setup: TestSetup) -> anyhow::Result<()> {
 
 fn setup_namespace_and_run(test_setup: TestSetup) -> anyhow::Result<()> {
     use nix::sched::{unshare, CloneFlags};
-    use nix::unistd::{fork, Gid, Uid, ForkResult};
+    use nix::unistd::{fork, ForkResult, Gid, Uid};
     use std::fs;
 
     // Get our current uid/gid before entering the namespace
@@ -65,17 +67,14 @@ fn setup_namespace_and_run(test_setup: TestSetup) -> anyhow::Result<()> {
 
     // Set up uid_map to map our uid to root (0) in the namespace
     let uid_map = format!("0 {} 1", uid);
-    fs::write("/proc/self/uid_map", uid_map)
-        .context("Failed to write uid_map")?;
+    fs::write("/proc/self/uid_map", uid_map).context("Failed to write uid_map")?;
 
     // Disable setgroups (required before writing gid_map as non-root)
-    fs::write("/proc/self/setgroups", "deny")
-        .context("Failed to write setgroups")?;
+    fs::write("/proc/self/setgroups", "deny").context("Failed to write setgroups")?;
 
     // Set up gid_map to map our gid to root (0) in the namespace
     let gid_map = format!("0 {} 1", gid);
-    fs::write("/proc/self/gid_map", gid_map)
-        .context("Failed to write gid_map")?;
+    fs::write("/proc/self/gid_map", gid_map).context("Failed to write gid_map")?;
 
     // Fork so the child becomes PID 1 in the new PID namespace
     // This is necessary to be able to mount procfs
@@ -92,7 +91,47 @@ fn setup_namespace_and_run(test_setup: TestSetup) -> anyhow::Result<()> {
             }
         }
         ForkResult::Child => {
+            use nix::mount::{mount, MsFlags};
+            use std::fs::create_dir;
+
             // Child continues - we are now PID 1 in the PID namespace
+            // Set up the root directory structure (but don't chroot yet - that happens after krun loads libraries)
+            let root_dir = test_setup.tmp_dir.join("root");
+            create_dir(&root_dir).context("Failed to create root directory")?;
+
+            // Create necessary directories
+            create_dir(root_dir.join("tmp")).context("Failed to create tmp directory")?;
+            create_dir(root_dir.join("dev")).context("Failed to create dev directory")?;
+            create_dir(root_dir.join("proc")).context("Failed to create proc directory")?;
+            create_dir(root_dir.join("sys")).context("Failed to create sys directory")?;
+
+            // Copy guest agent
+            let guest_agent_path = env::var_os("KRUN_TEST_GUEST_AGENT_PATH")
+                .context("KRUN_TEST_GUEST_AGENT_PATH env variable not set")?;
+            fs::copy(&guest_agent_path, root_dir.join("guest-agent"))
+                .context("Failed to copy guest agent")?;
+
+            // Make mounts private so they don't affect parent namespace
+            mount(
+                None::<&str>,
+                "/",
+                None::<&str>,
+                MsFlags::MS_REC | MsFlags::MS_PRIVATE,
+                None::<&str>,
+            )
+            .context("Failed to make / private")?;
+
+            // Bind mount /dev
+            mount(
+                Some("/dev"),
+                root_dir.join("dev").as_path(),
+                None::<&str>,
+                MsFlags::MS_BIND | MsFlags::MS_REC,
+                None::<&str>,
+            )
+            .context("Failed to bind mount /dev")?;
+
+            // The test's start_vm will handle chroot after loading libraries
             let test = get_test(&test_setup.test_case)?;
             test.start_vm(test_setup.clone())
                 .with_context(|| format!("testcase: {test_setup:?}"))?;
@@ -305,7 +344,11 @@ fn main() -> anyhow::Result<()> {
     let command = cli.command.unwrap_or_default();
 
     match command {
-        CliCommand::StartVm { test_case, tmp_dir } => start_vm(TestSetup { test_case, tmp_dir }),
+        CliCommand::StartVm { test_case, tmp_dir } => start_vm(TestSetup {
+            test_case,
+            tmp_dir,
+            requires_namespace: false, // Will be set by start_vm based on test case
+        }),
         CliCommand::Test {
             test_case,
             base_dir,
 
@@ -12,6 +12,6 @@ name = "test_cases"
 [dependencies]
 krun-sys = { path = "../../krun-sys", optional = true }
 macros = { path = "../macros" }
-nix = { version = "0.29.0", features = ["socket", "sched", "user", "mount"] }
+nix = { version = "0.29.0", features = ["socket", "sched", "user", "mount", "fs"] }
 anyhow = "1.0.95"
 tempdir = "0.3.7"
@@ -1,8 +1,7 @@
-//! Common utilities used by multiple test
+//! Common utilities used by multiple tests
 
 use anyhow::Context;
 use std::ffi::CString;
-use std::fs;
 use std::fs::create_dir;
 use std::os::unix::ffi::OsStrExt;
 use std::path::Path;
@@ -11,125 +10,57 @@ use std::ptr::null;
 use crate::{krun_call, TestSetup};
 use krun_sys::*;
 
-use nix::unistd::{chroot, chdir};
-use std::path::PathBuf;
-
 fn copy_guest_agent(dir: &Path) -> anyhow::Result<()> {
     let path = std::env::var_os("KRUN_TEST_GUEST_AGENT_PATH")
         .context("KRUN_TEST_GUEST_AGENT_PATH env variable not set")?;
 
     let output_path = dir.join("guest-agent");
-    fs::copy(path, output_path).context("Failed to copy executable into vm")?;
+    std::fs::copy(path, output_path).context("Failed to copy executable into vm")?;
     Ok(())
 }
 
-/// Common part of most test. This setups an empty root filesystem, copies the guest agent there
-/// and runs the guest agent in the VM.
-/// Note that some tests might want to use a different root file system (perhaps a qcow image),
-/// in which case the test can implement the equivalent functionality itself, or better if there
-/// are more test doing that, add another utility method in this file.
+/// Common setup for most tests. Sets up the root filesystem and runs the guest agent in the VM.
 ///
-/// The returned object is used for deleting the temporary files.
-pub fn setup_fs_and_enter(ctx: u32, test_setup: TestSetup) -> anyhow::Result<()> {
-    let root_dir = test_setup.tmp_dir.join("root");
-    create_dir(&root_dir).context("Failed to create root directory")?;
-
-    let path_str = CString::new(root_dir.as_os_str().as_bytes()).context("CString::new")?;
-    copy_guest_agent(&root_dir)?;
-    unsafe {
-        krun_call!(krun_set_root(ctx, path_str.as_ptr()))?;
-        krun_call!(krun_set_workdir(ctx, c"/".as_ptr()))?;
-        let test_case_cstr = CString::new(test_setup.test_case).context("CString::new")?;
-        let argv = [test_case_cstr.as_ptr(), null()];
-        //let envp = [c"RUST_BACKTRACE=1".as_ptr(), null()];
-        let envp = [null()];
-        krun_call!(krun_set_exec(
-            ctx,
-            c"/guest-agent".as_ptr(),
-            argv.as_ptr(),
-            envp.as_ptr(),
-        ))?;
-        krun_call!(krun_start_enter(ctx))?;
-    }
-    unreachable!()
-}
-
-/// Like setup_fs_and_enter, but changes the host process's root to the guest's root
-/// before entering the VM. This is needed for Unix domain socket TSI tests where the
-/// host process needs to access socket paths in the guest filesystem.
+/// If `requires_namespace` is true, the runner has already created the root directory structure
+/// with /dev, /tmp, /sys, guest-agent. After krun_create_ctx loads libraries, we chroot there.
 ///
-/// This function:
-/// 1. Creates a new user namespace and mount namespace (unshare CLONE_NEWUSER | CLONE_NEWNS)
-/// 2. Sets up uid/gid mappings to become root in the namespace
-/// 3. Changes root to the guest's root directory (chroot)
-/// 4. Then calls krun_start_enter
-///
-/// The before_enter callback is called after chroot but before krun_start_enter, allowing
-/// setup of host-side resources (like Unix domain socket servers) that need to be accessible
-/// at the same paths as the guest will use.
-///
-/// Note: This uses rootless namespaces (user namespaces) so it doesn't require root.
-pub fn setup_fs_and_enter_with_namespace<F>(
-    ctx: u32,
-    test_setup: TestSetup,
-    before_enter: F,
-) -> anyhow::Result<()>
-where
-    F: FnOnce() -> anyhow::Result<()>,
-{
-    let root_dir = test_setup.tmp_dir.join("root");
-    create_dir(&root_dir).context("Failed to create root directory")?;
-
-    // Create necessary directories in the guest root
-    create_dir(root_dir.join("tmp")).context("Failed to create tmp directory")?;
-    create_dir(root_dir.join("dev")).context("Failed to create dev directory")?;
-    create_dir(root_dir.join("proc")).context("Failed to create proc directory")?;
-    create_dir(root_dir.join("sys")).context("Failed to create sys directory")?;
-
-    copy_guest_agent(&root_dir)?;
-
-    // The runner has already set up the namespace for us (user+mount+pid)
-    // We are now root in the user namespace and PID 1 in the PID namespace
-    // Make our mounts private so they don't affect the parent namespace
-    use nix::mount::{mount, MsFlags};
-    mount(
-        None::<&str>,
-        "/",
-        None::<&str>,
-        MsFlags::MS_REC | MsFlags::MS_PRIVATE,
-        None::<&str>,
-    ).context("Failed to make / private")?;
-
-    // Bind mount /dev into the guest root so /dev/kvm is accessible
-    // (we're root in the namespace now)
-    mount(
-        Some("/dev"),
-        root_dir.join("dev").as_path(),
-        None::<&str>,
-        MsFlags::MS_BIND | MsFlags::MS_REC,
-        None::<&str>,
-    ).context("Failed to bind mount /dev")?;
-
-    // Now we can chroot
-    let root_path = PathBuf::from(&root_dir);
-    chroot(&root_path).context("Failed to chroot to guest root")?;
-    chdir("/").context("Failed to chdir to /")?;
-
-    // Mount procfs after chroot with standard proc mount flags
-    mount(
-        Some("proc"),
-        "/proc",
-        Some("proc"),
-        MsFlags::MS_NOSUID | MsFlags::MS_NODEV | MsFlags::MS_NOEXEC,
-        None::<&str>,
-    ).context("Failed to mount procfs")?;
-
-    // Call the before_enter callback to set up host-side resources
-    before_enter().context("before_enter callback failed")?;
+/// If `requires_namespace` is false, this function creates a root directory, copies the
+/// guest agent there, and sets it as the VM root.
+pub fn setup_fs_and_enter(ctx: u32, test_setup: TestSetup) -> anyhow::Result<()> {
+    let root_path = if test_setup.requires_namespace {
+        // Runner set up the root dir structure, now we chroot after libraries are loaded
+        use nix::mount::{mount, MsFlags};
+        use nix::unistd::{chdir, chroot};
+
+        let root_dir = test_setup.tmp_dir.join("root");
+
+        // Chroot into the prepared root
+        chroot(&root_dir).context("Failed to chroot")?;
+        chdir("/").context("Failed to chdir to /")?;
+
+        // Mount procfs after chroot
+        mount(
+            Some("proc"),
+            "/proc",
+            Some("proc"),
+            MsFlags::MS_NOSUID | MsFlags::MS_NODEV | MsFlags::MS_NOEXEC,
+            None::<&str>,
+        )
+        .context("Failed to mount procfs")?;
+
+        CString::new("/").context("CString::new")?
+    } else {
+        // Create root directory and copy guest agent
+        let root_dir = test_setup.tmp_dir.join("root");
+        create_dir(&root_dir).context("Failed to create root directory")?;
+        // Create /tmp for tests that use Unix sockets
+        let _ = create_dir(root_dir.join("tmp"));
+        copy_guest_agent(&root_dir)?;
+        CString::new(root_dir.as_os_str().as_bytes()).context("CString::new")?
+    };
 
-    let path_str = CString::new("/").context("CString::new")?;
     unsafe {
-        krun_call!(krun_set_root(ctx, path_str.as_ptr()))?;
+        krun_call!(krun_set_root(ctx, root_path.as_ptr()))?;
         krun_call!(krun_set_workdir(ctx, c"/".as_ptr()))?;
         let test_case_cstr = CString::new(test_setup.test_case).context("CString::new")?;
         let argv = [test_case_cstr.as_ptr(), null()];