[lxc-devel] [PATCH 2/2] introduce lxc-unpriv test

Stéphane Graber stgraber at ubuntu.com
Mon Jan 13 02:50:13 UTC 2014


On Sun, Jan 12, 2014 at 08:45:00PM -0600, Serge Hallyn wrote:
> It simply creates a test user and tries to create and start
> a container as that user.  Tries to lxc-attach to that
> container to test network connectivity.
> 
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> ---
>  src/tests/Makefile.am      |  3 +-
>  src/tests/lxc-test-unpriv  | 93 ++++++++++++++++++++++++++++++++++++++++++++++
>  src/tests/lxc-test-usernic |  2 +
>  3 files changed, 97 insertions(+), 1 deletion(-)
>  create mode 100755 src/tests/lxc-test-unpriv
> 
> diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
> index ab956be..3cf4f75 100644
> --- a/src/tests/Makefile.am
> +++ b/src/tests/Makefile.am
> @@ -47,7 +47,7 @@ bin_PROGRAMS = lxc-test-containertests lxc-test-locktests lxc-test-startone \
>  bin_SCRIPTS = lxc-test-usernic
>  
>  if DISTRO_UBUNTU
> -bin_SCRIPTS += lxc-test-ubuntu
> +bin_SCRIPTS += lxc-test-ubuntu lxc-test-unpriv
>  endif
>  
>  endif
> @@ -71,4 +71,5 @@ EXTRA_DIST = \
>  	concurrent.c \
>  	may_control.c \
>  	lxc-test-ubuntu \
> +	lxc-test-unpriv \
>  	list.c
> diff --git a/src/tests/lxc-test-unpriv b/src/tests/lxc-test-unpriv
> new file mode 100755
> index 0000000..ce3cc75
> --- /dev/null
> +++ b/src/tests/lxc-test-unpriv
> @@ -0,0 +1,93 @@
> +#!/bin/bash
> +
> +# lxc: linux Container library
> +
> +# Authors:
> +# Serge Hallyn <serge.hallyn at ubuntu.com>
> +#
> +# This is a test script for unprivileged containers
> +
> +# This library is free software; you can redistribute it and/or
> +# modify it under the terms of the GNU Lesser General Public
> +# License as published by the Free Software Foundation; either
> +# version 2.1 of the License, or (at your option) any later version.
> +
> +# This library is distributed in the hope that it will be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> +# Lesser General Public License for more details.
> +
> +# You should have received a copy of the GNU Lesser General Public
> +# License along with this library; if not, write to the Free Software
> +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
> +
> +if [ $(id -u) -ne 0 ]; then
> +	echo 'run as root'
> +	exit 1
> +fi
> +which newuidmap >/dev/null 2>&1 || { echo "'newuidmap' command is missing" >&2; exit 1; }
> +
> +DONE=0
> +cleanup() {
> +	lxc-stop -P $HDIR/lxcbase -n c1
> +	sed -i '/usernic-user/d' /var/run/lxc/nics /etc/lxc/lxc-usernet
> +	sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid
> +	sudo deluser $TUSER
> +	rm -rf $HDIR
> +	if [ $DONE -eq 0 ]; then
> +		exit $1
> +	fi
> +}
> +
> +# create a test user
> +TUSER=lxcunpriv
> +HDIR=/home/$TUSER
> +
> +trap cleanup EXIT SIGHUP SIGINT SIGTERM
> +
> +deluser $TUSER || true
> +useradd $TUSER
> +sudo mkdir -p $HDIR
> +sudo chown $TUSER $HDIR
> +echo "$TUSER veth lxcbr0 2" > /etc/lxc/lxc-usernet
> +sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid
> +usermod -v 910000-919999 -w 910000-919999 $TUSER
> +mkdir -p $HDIR/lxcbase
> +chown $TUSER $HDIR/lxcbase
> +uid=$(id -u $TUSER)
> +cat >> $HDIR/.bashrc << EOF
> +export HOME=$HDIR
> +export USER=$TUSER
> +EOF
> +chown $TUSER $HDIR/.bashrc
> +
> +cat > $HDIR/lxc-usernic.conf << EOF
> +lxc.network.type = veth
> +lxc.network.link = lxcbr0
> +lxc.id_map = u 0 910000 9999
> +lxc.id_map = g 0 910000 9999
> +EOF
> +chown $TUSER $HDIR/lxc-usernic.conf
> +rm -rf /run/lock/lxc/home/$TUSER
> +mkdir -p /run/lock/lxc/home/$TUSER
> +chown $TUSER /run/lock/lxc/home/$TUSER
> +
> +for d in /sys/fs/cgroup/*; do
> +	mkdir $d/lxctest
> +	chown -R $TUSER $d/lxctest
> +	echo $$ > $d/lxctest/tasks
> +done
> +cd $HDIR
> +#export HOME=$HDIR
> +env | awk -F= '{print $1}' | while read line; do export ${line}=; done
> +echo "DOING: lxc-create -P $HDIR/lxcbase -t ubuntu-cloud -n c1 -f $HDIR/lxc-usernic.conf"
> +sudo --set-home -u $TUSER lxc-create -P $HDIR/lxcbase -t ubuntu-cloud -n c1 -f $HDIR/lxc-usernic.conf -l outout -o /tmp/o1
> +#read -p "c1 created, check it now" x
> +sudo --set-home -u $TUSER lxc-start -P $HDIR/lxcbase -n c1 -d
> +
> +p1=`lxc-info -P $HDIR/lxcbase -n c1 -p | awk -F: '{ print $2 }'`
> +[ "$p1" != "-1" ] || { echo "Failed to start container c1"; false; }
> +lxc-attach -P $HDIR/lxcbase -n c1 -- ping -c 1 google.com
> +
> +echo "All tests passed"
> +DONE=1
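Review bot: The failure check at `[ "$p1" != "-1" ] || { echo "Failed to start container c1"; false; }` never stops the script, because the new file sets no `set -e` and `false` only returns non-zero, so a container that fails to start still reaches `lxc-attach`, `echo "All tests passed"` and `DONE=1`, and the trap then takes its success path. Adding `set -e` right after the shebang, or replacing `false` with `exit 1`, makes the check effective; the unchecked `lxc-create` and `lxc-start` calls have the same problem. `cleanup` is invoked from `trap cleanup EXIT SIGHUP SIGINT SIGTERM` with no arguments, so `exit $1` runs with an empty argument and the original failure status is lost; capture it first with `local rv=$?` as the function's first line and end with `exit $rv`. The `env | awk -F= '{print $1}' | while read line; do export ${line}=; done` pipeline runs its loop in a subshell, so the exports never reach the parent shell and the environment is not actually cleared before the `sudo` calls. Cleanup also deletes `/usernic-user/` lines from /etc/lxc/lxc-usernet while the script wrote a `lxcunpriv veth lxcbr0 2` line there (and truncated any existing entries with `>`), so the added quota entry is left behind after the user is removed; the deletion pattern should be `/^lxcunpriv /d`.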
> diff --git a/src/tests/lxc-test-usernic b/src/tests/lxc-test-usernic
> index 168bac0..801419a 100755
> --- a/src/tests/lxc-test-usernic
> +++ b/src/tests/lxc-test-usernic
> @@ -81,6 +81,8 @@ if [ $? -eq 0 ]; then
>  fi
>  
>  # Give him a quota of two
> +touch /etc/lxc/lxc-usernet
> +sed -i '/^lxc-usernet/d' /etc/lxc/lxc-usernet
>  echo "lxc-usernet veth usernic-br0 2" >> /etc/lxc/lxc-usernet
>  
>  # Assign one veth to second bridge, should fail
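Review bot: The added `sed -i '/^lxc-usernet/d' /etc/lxc/lxc-usernet` matches any entry whose user name merely starts with `lxc-usernet`, not only the test user's own line; anchoring on the field separator, `sed -i '/^lxc-usernet /d' /etc/lxc/lxc-usernet`, limits the deletion to that entry. The surrounding script continues outside the hunk.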
> -- 
> 1.8.5.2
> 
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com