mirror of
https://github.com/opencontainers/runc.git
synced 2026-07-11 06:03:57 +08:00
a5c14847f4
This is a bit opinionated, but some comments in integration tests do not
really help to understand the nature of the tests being performed by
stating something very obvious, like
# run busybox detached
runc run -d busybox
To make things worse, these not-so-helpful messages are being
copy/pasted over and over, and that is the main reason to remove them.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 0eb03ef86f)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
76 lines
1.9 KiB
Bash
76 lines
1.9 KiB
Bash
#!/usr/bin/env bats
|
|
|
|
load helpers
|
|
|
|
function setup() {
|
|
setup_busybox
|
|
|
|
# Create fake rootfs.
|
|
mkdir rootfs/testdir
|
|
echo "Forbidden information!" >rootfs/testfile
|
|
|
|
# add extra masked paths
|
|
update_config '(.. | select(.maskedPaths? != null)) .maskedPaths += ["/testdir", "/testfile"]'
|
|
}
|
|
|
|
function teardown() {
|
|
teardown_bundle
|
|
}
|
|
|
|
@test "mask paths [file]" {
|
|
runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
|
|
[ "$status" -eq 0 ]
|
|
|
|
runc exec test_busybox cat /testfile
|
|
[ "$status" -eq 0 ]
|
|
[ -z "$output" ]
|
|
|
|
runc exec test_busybox rm -f /testfile
|
|
[ "$status" -eq 1 ]
|
|
[[ "${output}" == *"Read-only file system"* ]]
|
|
|
|
runc exec test_busybox umount /testfile
|
|
[ "$status" -eq 1 ]
|
|
[[ "${output}" == *"Operation not permitted"* ]]
|
|
}
|
|
|
|
@test "mask paths [directory]" {
|
|
runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
|
|
[ "$status" -eq 0 ]
|
|
|
|
runc exec test_busybox ls /testdir
|
|
[ "$status" -eq 0 ]
|
|
[ -z "$output" ]
|
|
|
|
runc exec test_busybox touch /testdir/foo
|
|
[ "$status" -eq 1 ]
|
|
[[ "${output}" == *"Read-only file system"* ]]
|
|
|
|
runc exec test_busybox rm -rf /testdir
|
|
[ "$status" -eq 1 ]
|
|
[[ "${output}" == *"Read-only file system"* ]]
|
|
|
|
runc exec test_busybox umount /testdir
|
|
[ "$status" -eq 1 ]
|
|
[[ "${output}" == *"Operation not permitted"* ]]
|
|
}
|
|
|
|
@test "mask paths [prohibit symlink /proc]" {
|
|
ln -s /symlink rootfs/proc
|
|
runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
|
|
[ "$status" -eq 1 ]
|
|
[[ "${output}" == *"must be mounted on ordinary directory"* ]]
|
|
}
|
|
|
|
@test "mask paths [prohibit symlink /sys]" {
|
|
# In rootless containers, /sys is a bind mount not a real sysfs.
|
|
requires root
|
|
|
|
ln -s /symlink rootfs/sys
|
|
runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
|
|
[ "$status" -eq 1 ]
|
|
# On cgroup v1, this may fail before checking if /sys is a symlink,
|
|
# so we merely check that it fails, and do not check the exact error
|
|
# message like for /proc above.
|
|
}
|