
Commit 45b3856

committed
update cgroup parent test to work with cgroupns
Signed-off-by: Tonis Tiigi <[email protected]>
1 parent c963649 commit 45b3856


2 files changed

+56
-8
lines changed


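--- a/client/client_test.go
+++ b/client/client_test.go
@@ -853,6 +853,10 @@ func testCgroupParent(t *testing.T, sb integration.Sandbox) {
 t.SkipNow()
 }
 
+if _, err := os.Lstat("/sys/fs/cgroup/cgroup.subtree_control"); os.IsNotExist(err) {
+t.Skipf("test requires cgroup v2")
+}
+
 c, err := New(sb.Context(), sb.Address())
 require.NoError(t, err)
 defer c.Close()
@@ -864,8 +868,21 @@ func testCgroupParent(t *testing.T, sb integration.Sandbox) {
 st = img.Run(append(ro, llb.Shlex(cmd), llb.Dir("/wd"))...).AddMount("/wd", st)
 }
 
-run(`sh -c "cat /proc/self/cgroup > first"`, llb.WithCgroupParent("foocgroup"))
-run(`sh -c "cat /proc/self/cgroup > second"`)
+cgroupName := "test." + identity.NewID()
+
+err = os.MkdirAll(filepath.Join("/sys/fs/cgroup", cgroupName), 0755)
+require.NoError(t, err)
+
+defer func() {
+err := os.RemoveAll(filepath.Join("/sys/fs/cgroup", cgroupName))
+require.NoError(t, err)
+}()
+
+err = os.WriteFile(filepath.Join("/sys/fs/cgroup", cgroupName, "pids.max"), []byte("10"), 0644)
+require.NoError(t, err)
+
+run(`sh -c "(for i in $(seq 1 10); do sleep 1 & done 2>first.error); cat /proc/self/cgroup >> first"`, llb.WithCgroupParent(cgroupName))
+run(`sh -c "(for i in $(seq 1 10); do sleep 1 & done 2>second.error); cat /proc/self/cgroup >> second"`)
 
 def, err := st.Marshal(sb.Context())
 require.NoError(t, err)
@@ -882,13 +899,22 @@ func testCgroupParent(t *testing.T, sb integration.Sandbox) {
 }, nil)
 require.NoError(t, err)
 
+// neither process leaks parent cgroup name inside container
 dt, err := os.ReadFile(filepath.Join(destDir, "first"))
 require.NoError(t, err)
-require.Contains(t, strings.TrimSpace(string(dt)), `/foocgroup/buildkit/`)
+require.NotContains(t, strings.TrimSpace(string(dt)), cgroupName)
 
 dt2, err := os.ReadFile(filepath.Join(destDir, "second"))
 require.NoError(t, err)
-require.NotContains(t, strings.TrimSpace(string(dt2)), `/foocgroup/buildkit/`)
+require.NotContains(t, strings.TrimSpace(string(dt2)), cgroupName)
+
+dt, err = os.ReadFile(filepath.Join(destDir, "first.error"))
+require.NoError(t, err)
+require.Contains(t, strings.TrimSpace(string(dt)), "Resource temporarily unavailable")
+
+dt, err = os.ReadFile(filepath.Join(destDir, "second.error"))
+require.NoError(t, err)
+require.Equal(t, strings.TrimSpace(string(dt)), "")
 }
 
 func testNetworkMode(t *testing.T, sb integration.Sandbox) {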
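Review bot: In the last hunk, `require.Equal(t, strings.TrimSpace(string(dt)), "")` passes the observed stderr in the position where testify takes the expected value, so a failure would report the two sides swapped; `require.Empty(t, strings.TrimSpace(string(dt)))` states the intent directly. That assertion is the negative control showing the run without `llb.WithCgroupParent` is not subject to the `pids.max` limit, so a readable failure message matters here. The `pids.max` write in the second hunk would also benefit from a short comment, for example `// the parent name is not visible inside the container, so a pids limit is used to observe that the parent cgroup was applied` (this reading is inferred from the commit title and the existing comment). testCgroupParent starts before the first hunk, so the condition guarding `t.SkipNow()` is not visible.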

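--- a/frontend/dockerfile/dockerfile_test.go
+++ b/frontend/dockerfile/dockerfile_test.go
@@ -5193,10 +5193,27 @@ func testCgroupParent(t *testing.T, sb integration.Sandbox) {
 t.SkipNow()
 }
 
+if _, err := os.Lstat("/sys/fs/cgroup/cgroup.subtree_control"); os.IsNotExist(err) {
+t.Skipf("test requires cgroup v2")
+}
+
+cgroupName := "test." + identity.NewID()
+
+err := os.MkdirAll(filepath.Join("/sys/fs/cgroup", cgroupName), 0755)
+require.NoError(t, err)
+
+defer func() {
+err := os.RemoveAll(filepath.Join("/sys/fs/cgroup", cgroupName))
+require.NoError(t, err)
+}()
+
+err = os.WriteFile(filepath.Join("/sys/fs/cgroup", cgroupName, "pids.max"), []byte("10"), 0644)
+require.NoError(t, err)
+
 f := getFrontend(t, sb)
 dockerfile := []byte(`
 FROM alpine AS base
-RUN cat /proc/self/cgroup > /out
+RUN mkdir /out; (for i in $(seq 1 10); do sleep 1 & done 2>/out/error); cat /proc/self/cgroup > /out/cgroup
 FROM scratch
 COPY --from=base /out /
 `)
@@ -5215,7 +5232,7 @@ COPY --from=base /out /
 
 _, err = f.Solve(sb.Context(), c, client.SolveOpt{
 FrontendAttrs: map[string]string{
-"cgroup-parent": "foocgroup",
+"cgroup-parent": cgroupName,
 },
 LocalDirs: map[string]string{
 dockerui.DefaultLocalNameDockerfile: dir,
@@ -5230,9 +5247,14 @@ COPY --from=base /out /
 }, nil)
 require.NoError(t, err)
 
-dt, err := os.ReadFile(filepath.Join(destDir, "out"))
+dt, err := os.ReadFile(filepath.Join(destDir, "cgroup"))
+require.NoError(t, err)
+// cgroupns does not leak the parent cgroup name
+require.NotContains(t, strings.TrimSpace(string(dt)), `foocgroup`)
+
+dt, err = os.ReadFile(filepath.Join(destDir, "error"))
 require.NoError(t, err)
-require.Contains(t, strings.TrimSpace(string(dt)), `/foocgroup/buildkit/`)
+require.Contains(t, strings.TrimSpace(string(dt)), `Resource temporarily unavailable`)
 }
 
 func testNamedImageContext(t *testing.T, sb integration.Sandbox) {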
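Review bot: The leak assertion at new line 5253 still checks for the literal `foocgroup`, but the build now runs under the randomly named `cgroupName` (`"test." + identity.NewID()`), so the check can never fail. As written it no longer verifies that the parent cgroup path is hidden inside the container, and a regression in that isolation would pass unnoticed. It should compare against the variable, `require.NotContains(t, strings.TrimSpace(string(dt)), cgroupName)`, which is what the client/client_test.go version of this test does. testCgroupParent begins before the first hunk.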
