Skip to content

[WIP] validation: add test for NSProcInPath #613

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
alban wants to merge 2 commits into from
Closed

[WIP] validation: add test for NSProcInPath #613

alban wants to merge 2 commits into from

Conversation

@alban
Copy link
Contributor

@alban alban commented Mar 22, 2018

I initially tried to add the checks in the container process
'runtimetest' by adding annotations prefixed with "runtimetest/". But
that proved impractical with TAP outputs because I wanted to have
several tests for each namespace.

This patch now validates the namespaces outside the container with
util.RuntimeOutsideValidate().

TODO/notes:

Signed-off-by: Alban Crequy [email protected]

@alban
validation: add test for NSProcInPath
4a9bf2c 
I initially tried to add the checks in the container process
'runtimetest' by adding annotations prefixed with "runtimetest/".  But
that proved impractical with TAP outputs because I wanted to have
several tests for each namespace.

This patch now validates the namespaces outside the container with
util.RuntimeOutsideValidate().

Signed-off-by: Alban Crequy <[email protected]>
@alban alban force-pushed the alban/NSProcInPath branch from f6ef8c1 to 4a9bf2c Compare March 22, 2018 15:03
@alban alban mentioned this pull request Mar 22, 2018
Open
44 tasks
alban
alban commented Apr 4, 2018
View reviewed changes
validation/linux_ns_path.go
}
defer func() {
if cmd.Process != nil {
cmd.Process.Kill()
Copy link
Contributor Author

@alban alban Apr 4, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The sleep processes are surviving the death of the unshare parent unfortunately.

I tried cmd.Process.Signal(syscall.SIGTERM) but it does not help because:

  • unshare does not catch the signal so it dies without forwarding the SIGTERM to its children
  • processes in a different pid namespaces would not receive the signal anyway because of signal rules in pid namespaces (see man 7 pid_namespaces)

validation: fix a bug when passing in namespace strings
e140ec7 
We need to deal with additional namespace strings, in case of mount
& network namespaces, because `MapStrToNamespace()` does not recognize
input strings like `mnt` or `net`.

Found by @alban.
@dongsupark dongsupark mentioned this pull request Apr 23, 2018
Merged
@dongsupark
Copy link

dongsupark commented Apr 23, 2018

I created a new version of PR #628, based on this PR #613.

For the record, I'll go through each TODO item.

  • I think Fix sync with sleep and stale child processes are already resolved.
  • Is it ok to have a dependency on util-linux?: I think yes, as util-linux has been a de facto standard library since many years.
  • /proc/pid/ns/pid_for_children for kernel >= 4.12: we don't need to care about it, because it's solved by using setpgid.
  • unclear spec about user namespaces: I'm not sure if there's anything left to do
  • Fix about cgroupns in runc: This is blocked by the ancient PR Carry #781: Add support for cgroup namespace runc#1184. Nothing to do right now.

@alban
Copy link
Contributor Author

alban commented May 18, 2018

Superseded by #628.

@alban alban closed this May 18, 2018
@dongsupark dongsupark deleted the alban/NSProcInPath branch May 22, 2018 09:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@alban @dongsupark