tests: add rootless integration tests

This adds targets for rootless integration tests, as well as all of the
required setup in order to get the tests to run. This includes quite a
few changes, because of a lot of assumptions about things running as
root within the bats scripts (which is not true when setting up rootless
containers).

Signed-off-by: Aleksa Sarai <[email protected]>

Author: cyphar

Dockerfile

@@ -6,6 +6,7 @@ RUN echo 'deb http://httpredir.debian.org/debian jessie-backports main' > /etc/a
 RUN apt-get update && apt-get install -y \
     build-essential \
     curl \
+    sudo \
     gawk \
     iptables \
     jq \
@@ -22,6 +23,12 @@ RUN apt-get update && apt-get install -y \
     --no-install-recommends \
     && apt-get clean
 
+# Add a dummy user for the rootless integration tests. While runC does
+# not require an entry in /etc/passwd to operate, one of the tests uses
+# `git clone` -- and `git clone` does not allow you to clone a
+# repository if the current uid does not have an entry in /etc/passwd.
+RUN useradd -u1000 -m -d/home/rootless -s/bin/bash rootless
+
 # install bats
 RUN cd /tmp \
     && git clone https://github.com/sstephenson/bats.git \

Makefile

@@ -79,10 +79,10 @@ runcimage:
 	docker build -t $(RUNC_IMAGE) .
 
 test:
-	make unittest integration
+	make unittest integration rootlessintegration
 
 localtest:
-	make localunittest localintegration
+	make localunittest localintegration localrootlessintegration
 
 unittest: runcimage
 	docker run -e TESTFLAGS -t --privileged --rm -v $(CURDIR):/go/src/$(PROJECT) $(RUNC_IMAGE) make localunittest
@@ -96,6 +96,13 @@ integration: runcimage
 localintegration: all
 	bats -t tests/integration${TESTFLAGS}
 
+rootlessintegration: runcimage
+	docker run -e TESTFLAGS -t --privileged --rm -v $(CURDIR):/go/src/$(PROJECT) --cap-drop=ALL -u rootless $(RUNC_IMAGE) make localintegration
+
+# FIXME: This should not be separate from rootlessintegration's method of running.
+localrootlessintegration: all
+	sudo -u rootless -H PATH="${PATH}" bats -t tests/integration${TESTFLAGS}
+
 shell: all
 	docker run -e TESTFLAGS -ti --privileged --rm -v $(CURDIR):/go/src/$(PROJECT) $(RUNC_IMAGE) bash
 

tests/integration/checkpoint.bats

@@ -59,8 +59,9 @@ function teardown() {
   [[ "${output}" == *"running"* ]]
 }
 
-@test "checkpoint(pre-dump) and restore" {
-  requires criu
+@test "checkpoint --pre-dump and restore" {
+  # XXX: currently criu require root containers.
+  requires criu root
 
   # criu does not work with external terminals so..
   # setting terminal and root:readonly: to false

tests/integration/delete.bats

@@ -22,11 +22,13 @@ function teardown() {
   testcontainer test_busybox running
 
   runc kill test_busybox KILL
+  [ "$status" -eq 0 ]
   # wait for busybox to be in the destroyed state
   retry 10 1 eval "__runc state test_busybox | grep -q 'stopped'"
 
   # delete test_busybox
   runc delete test_busybox
+  [ "$status" -eq 0 ]
 
   runc state test_busybox
   [ "$status" -ne 0 ]

tests/integration/events.bats

@@ -12,6 +12,9 @@ function teardown() {
 }
 
 @test "events --stats" {
+  # XXX: currently cgroups require root containers.
+  requires root
+
   # run busybox detached
   runc run -d --console-socket $CONSOLE_SOCKET test_busybox
   [ "$status" -eq 0 ]
@@ -27,6 +30,9 @@ function teardown() {
 }
 
 @test "events --interval default " {
+  # XXX: currently cgroups require root containers.
+  requires root
+
   # run busybox detached
   runc run -d --console-socket $CONSOLE_SOCKET test_busybox
   [ "$status" -eq 0 ]
@@ -54,6 +60,9 @@ function teardown() {
 }
 
 @test "events --interval 1s " {
+  # XXX: currently cgroups require root containers.
+  requires root
+
   # run busybox detached
   runc run -d --console-socket $CONSOLE_SOCKET test_busybox
   [ "$status" -eq 0 ]
@@ -80,6 +89,9 @@ function teardown() {
 }
 
 @test "events --interval 100ms " {
+  # XXX: currently cgroups require root containers.
+  requires root
+
   # run busybox detached
   runc run -d --console-socket $CONSOLE_SOCKET test_busybox
   [ "$status" -eq 0 ]

tests/integration/exec.bats

@@ -112,6 +112,9 @@ function teardown() {
 }
 
 @test "runc exec --user" {
+  # --user can't work in rootless containers
+  requires root
+
   # run busybox detached
   runc run -d --console-socket $CONSOLE_SOCKET test_busybox
   [ "$status" -eq 0 ]

tests/integration/help.bats

@@ -57,6 +57,7 @@ load helpers
   [ "$status" -eq 0 ]
   [[ ${lines[1]} =~ runc\ resume+ ]]
 
+  # We don't use runc_spec here, because we're just testing the help page.
   runc spec -h
   [ "$status" -eq 0 ]
   [[ ${lines[1]} =~ runc\ spec+ ]]

tests/integration/helpers.bash

@@ -4,7 +4,7 @@
 INTEGRATION_ROOT=$(dirname "$(readlink -f "$BASH_SOURCE")")
 RUNC="${INTEGRATION_ROOT}/../../runc"
 RECVTTY="${INTEGRATION_ROOT}/../../contrib/cmd/recvtty/recvtty"
-GOPATH="${INTEGRATION_ROOT}/../../../.."
+GOPATH="$(mktemp -d --tmpdir runc-integration-gopath.XXXXXX)"
 
 # Test data path.
 TESTDATA="${INTEGRATION_ROOT}/testdata"
@@ -27,7 +27,7 @@ KERNEL_MINOR="${KERNEL_VERSION#$KERNEL_MAJOR.}"
 KERNEL_MINOR="${KERNEL_MINOR%%.*}"
 
 # Root state path.
-ROOT="$BATS_TMPDIR/runc"
+ROOT=$(mktemp -d "$BATS_TMPDIR/runc.XXXXXX")
 
 # Path to console socket.
 CONSOLE_SOCKET="$BATS_TMPDIR/console.sock"
@@ -58,6 +58,17 @@ function __runc() {
 	"$RUNC" --root "$ROOT" "$@"
 }
 
+# Wrapper for runc spec.
+function runc_spec() {
+	local args=""
+
+	if [ "$ROOTLESS" -ne 0 ]; then
+		args+="--rootless"
+	fi
+
+	runc spec $args "$@"
+}
+
 # Fails the current test, providing the error given.
 function fail() {
 	echo "$@" >&2
@@ -187,18 +198,18 @@ function setup_busybox() {
 	if [ ! -e $BUSYBOX_IMAGE ]; then
 		curl -o $BUSYBOX_IMAGE -sSL 'https://github.com/docker-library/busybox/raw/a0558a9006ce0dd6f6ec5d56cfd3f32ebeeb815f/glibc/busybox.tar.xz'
 	fi
-	tar -C "$BUSYBOX_BUNDLE"/rootfs -xf "$BUSYBOX_IMAGE"
+	tar --exclude './dev/*' -C "$BUSYBOX_BUNDLE"/rootfs -xf "$BUSYBOX_IMAGE"
 	cd "$BUSYBOX_BUNDLE"
-	runc spec
+	runc_spec
 }
 
 function setup_hello() {
 	setup_recvtty
 	run mkdir "$HELLO_BUNDLE"
 	run mkdir "$HELLO_BUNDLE"/rootfs
-	tar -C "$HELLO_BUNDLE"/rootfs -xf "$HELLO_IMAGE"
+	tar --exclude './dev/*' -C "$HELLO_BUNDLE"/rootfs -xf "$HELLO_IMAGE"
 	cd "$HELLO_BUNDLE"
-	runc spec
+	runc_spec
 	sed -i 's;"sh";"/hello";' config.json
 }
 

tests/integration/ps.bats

@@ -12,6 +12,9 @@ function teardown() {
 }
 
 @test "ps" {
+  # ps is not supported, it requires cgroups
+  requires root
+
   # start busybox detached
   runc run -d --console-socket $CONSOLE_SOCKET test_busybox
   [ "$status" -eq 0 ]
@@ -24,10 +27,13 @@ function teardown() {
   runc ps test_busybox
   [ "$status" -eq 0 ]
   [[ ${lines[0]} =~ UID\ +PID\ +PPID\ +C\ +STIME\ +TTY\ +TIME\ +CMD+ ]]
-  [[ "${lines[1]}" == *"root"*[0-9]* ]]
+  [[ "${lines[1]}" == *"$(id -un 2>/dev/null)"*[0-9]* ]]
 }
 
 @test "ps -f json" {
+  # ps is not supported, it requires cgroups
+  requires root
+
   # start busybox detached
   runc run -d --console-socket $CONSOLE_SOCKET test_busybox
   [ "$status" -eq 0 ]
@@ -43,6 +49,9 @@ function teardown() {
 }
 
 @test "ps -e -x" {
+  # ps is not supported, it requires cgroups
+  requires root
+
   # start busybox detached
   runc run -d --console-socket $CONSOLE_SOCKET test_busybox
   [ "$status" -eq 0 ]

tests/integration/spec.bats

@@ -26,7 +26,7 @@ function teardown() {
   [ ! -e config.json ]
 
   # test generation of spec does not return an error
-  runc spec
+  runc_spec
   [ "$status" -eq 0 ]
 
   # test generation of spec created our config.json (spec)
@@ -51,7 +51,7 @@ function teardown() {
   [ ! -e "$HELLO_BUNDLE"/config.json ]
 
   # test generation of spec does not return an error
-  runc spec --bundle "$HELLO_BUNDLE"
+  runc_spec --bundle "$HELLO_BUNDLE"
   [ "$status" -eq 0 ]
 
   # test generation of spec created our config.json (spec)