From 1fbf65aae23d8633afddf39a29c199f624368981 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Thu, 16 Oct 2025 14:42:22 -0700 Subject: [PATCH 1/3] tests/int: improve runc wrapper 1. Add status check support (same as in bats' run helper). 2. Add RUNC_PRE_CMD support (so we can use commands like taskset or timeout). 3. Drop sane_helper since the output of the command is shown in case of an error, and we show the command itself in runc wrapper (unless -N or ! is provided -- in this case the command is shown by bats, together with the error). This does not show the output of successful commands which IMO is a net positive since we are almost always interested in failed command output only. 4. Use the new functionality in cpu_affinity.bats and start.bats as a showcase (the test of refactoring is in a separate commit). Signed-off-by: Kir Kolyshkin --- tests/integration/cpu_affinity.bats | 43 +++++------------------- tests/integration/helpers.bash | 52 ++++++++++++++++++----------- tests/integration/start.bats | 9 ++--- 3 files changed, 44 insertions(+), 60 deletions(-) diff --git a/tests/integration/cpu_affinity.bats b/tests/integration/cpu_affinity.bats index 1b4958a4732..89a5454d73a 100644 --- a/tests/integration/cpu_affinity.bats +++ b/tests/integration/cpu_affinity.bats 
@@ -106,17 +106,12 @@ function cpus_to_mask() { } @test "runc run [CPU affinity should reset]" { - # We need to use RUNC_CMDLINE since taskset requires a proper binary, not a - # bash function (which is what runc and __runc are). - setup_runc_cmdline - first="$(first_cpu)" # Running without cpuset should result in an affinity for all CPUs. update_config '.process.args = [ "/bin/grep", "-F", "Cpus_allowed_list:", "/proc/self/status" ]' update_config 'del(.linux.resources.cpu)' - sane_run taskset -c "$first" "${RUNC_CMDLINE[@]}" run ctr - [ "$status" -eq 0 ] + RUNC_PRE_CMD="taskset -c $first" runc -0 run ctr [[ "$output" != $'Cpus_allowed_list:\t'"$first" ]] [[ "$output" == $'Cpus_allowed_list:\t'"$INITIAL_CPU_MASK" ]] } @@ -125,18 +120,13 @@ function cpus_to_mask() { [ $EUID -ne 0 ] && requires rootless_cgroup set_cgroups_path - # We need to use RUNC_CMDLINE since taskset requires a proper binary, not a - # bash function (which is what runc and __runc are). - setup_runc_cmdline - first="$(first_cpu)" second="$((first + 1))" # Hacky; might not work in all environments. # Running with a cpuset should result in an affinity that matches. update_config '.process.args = [ "/bin/grep", "-F", "Cpus_allowed_list:", "/proc/self/status" ]' update_config '.linux.resources.cpu = {"mems": "0", "cpus": "'"$first-$second"'"}' - sane_run taskset -c "$first" "${RUNC_CMDLINE[@]}" run ctr - [ "$status" -eq 0 ] + RUNC_PRE_CMD="taskset -c $first" runc -0 run ctr [[ "$output" != $'Cpus_allowed_list:\t'"$first" ]] # XXX: For some reason, systemd-cgroup leads to us using the all-set # cpumask rather than the cpuset we configured? 
@@ -144,8 +134,7 @@ function cpus_to_mask() { # Ditto for a cpuset that has no overlap with the original cpumask. update_config '.linux.resources.cpu = {"mems": "0", "cpus": "'"$second"'"}' - sane_run taskset -c "$first" "${RUNC_CMDLINE[@]}" run ctr - [ "$status" -eq 0 ] + RUNC_PRE_CMD="taskset -c $first" runc -0 run ctr [[ "$output" != $'Cpus_allowed_list:\t'"$first" ]] # XXX: For some reason, systemd-cgroup leads to us using the all-set # cpumask rather than the cpuset we configured? @@ -153,19 +142,13 @@ function cpus_to_mask() { } @test "runc exec [default CPU affinity should reset]" { - # We need to use RUNC_CMDLINE since taskset requires a proper binary, not a - # bash function (which is what runc and __runc are). - setup_runc_cmdline - first="$(first_cpu)" # Running without cpuset should result in an affinity for all CPUs. update_config '.process.args = [ "/bin/sleep", "infinity" ]' update_config 'del(.linux.resources.cpu)' - sane_run taskset -c "$first" "${RUNC_CMDLINE[@]}" run -d --console-socket "$CONSOLE_SOCKET" ctr3 - [ "$status" -eq 0 ] - sane_run taskset -c "$first" "${RUNC_CMDLINE[@]}" exec ctr3 grep -F Cpus_allowed_list: /proc/self/status - [ "$status" -eq 0 ] + RUNC_PRE_CMD="taskset -c $first" runc -0 run -d --console-socket "$CONSOLE_SOCKET" ctr3 + RUNC_PRE_CMD="taskset -c $first" runc -0 exec ctr3 grep -F Cpus_allowed_list: /proc/self/status [[ "$output" != $'Cpus_allowed_list:\t'"$first" ]] [[ "$output" == $'Cpus_allowed_list:\t'"$INITIAL_CPU_MASK" ]] } 
@@ -174,20 +157,14 @@ function cpus_to_mask() { [ $EUID -ne 0 ] && requires rootless_cgroup set_cgroups_path - # We need to use RUNC_CMDLINE since taskset requires a proper binary, not a - # bash function (which is what runc and __runc are). - setup_runc_cmdline - first="$(first_cpu)" second="$((first + 1))" # Hacky; might not work in all environments. # Running with a cpuset should result in an affinity that matches. update_config '.process.args = [ "/bin/sleep", "infinity" ]' update_config '.linux.resources.cpu = {"mems": "0", "cpus": "'"$first-$second"'"}' - sane_run taskset -c "$first" "${RUNC_CMDLINE[@]}" run -d --console-socket "$CONSOLE_SOCKET" ctr - [ "$status" -eq 0 ] - sane_run taskset -c "$first" "${RUNC_CMDLINE[@]}" exec ctr grep -F Cpus_allowed_list: /proc/self/status - [ "$status" -eq 0 ] + RUNC_PRE_CMD="taskset -c $first" runc -0 run -d --console-socket "$CONSOLE_SOCKET" ctr + RUNC_PRE_CMD="taskset -c $first" runc -0 exec ctr grep -F Cpus_allowed_list: /proc/self/status [[ "$output" != $'Cpus_allowed_list:\t'"$first" ]] # XXX: For some reason, systemd-cgroup leads to us using the all-set # cpumask rather than the cpuset we configured? @@ -199,10 +176,8 @@ function cpus_to_mask() { # Ditto for a cpuset that has no overlap with the original cpumask. update_config '.linux.resources.cpu = {"mems": "0", "cpus": "'"$second"'"}' - sane_run taskset -c "$first" "${RUNC_CMDLINE[@]}" run -d --console-socket "$CONSOLE_SOCKET" ctr - [ "$status" -eq 0 ] - sane_run taskset -c "$first" "${RUNC_CMDLINE[@]}" exec ctr grep -F Cpus_allowed_list: /proc/self/status - [ "$status" -eq 0 ] + RUNC_PRE_CMD="taskset -c $first" runc -0 run -d --console-socket "$CONSOLE_SOCKET" ctr + RUNC_PRE_CMD="taskset -c $first" runc -0 exec ctr grep -F Cpus_allowed_list: /proc/self/status [[ "$output" != $'Cpus_allowed_list:\t'"$first" ]] # XXX: For some reason, systemd-cgroup leads to us using the all-set # cpumask rather than the cpuset we configured? 
diff --git a/tests/integration/helpers.bash b/tests/integration/helpers.bash
index 24035eb6486..56ce5861c09 100755
--- a/tests/integration/helpers.bash
+++ b/tests/integration/helpers.bash
@@ -36,35 +36,45 @@ ARCH=$(uname -m) # Seccomp agent socket. SECCCOMP_AGENT_SOCKET="$BATS_TMPDIR/seccomp-agent.sock" -# Wrapper around "run" that logs output to make tests easier to debug. -function sane_run() { - local cmd="$1" - local cmdname="${CMDNAME:-$(basename "$cmd")}" - shift - - run "$cmd" "$@" - - # Some debug information to make life easier. bats will only print it if the - # test failed, in which case the output is useful. - # shellcheck disable=SC2154 - echo "$cmdname $* (status=$status)" >&2 - # shellcheck disable=SC2154 - echo "$output" >&2 -} - -# Wrapper for runc. +# Wrapper for runc to run it via bats run helper. +# +# Optional $1 parameter (as in bats run): +# -N expect exit status N (0-255), fail otherwise; +# ! expect nonzero exit status (1-255), fail if command succeeds. +# +# Optional environment: +# RUNC_PRE_CMD a command to insert before runc (taskset, timeout etc.) function runc() { - CMDNAME="$(basename "$RUNC")" sane_run __runc "$@" + local run=(run) + local show=yes + case $1 in + "!" | -[0-9]*) + run+=("$1") + # When -N or ! option is used, run shows the failed command + # on error so we don't have to. + unset show + shift + ;; + esac + setup_runc_cmdline + [ -v show ] && echo "# ${RUNC_CMDLINE[*]} $*" | sed "s| $RUNC | runc |" >&2 + "${run[@]}" "${RUNC_CMDLINE[@]}" "$@" } function setup_runc_cmdline() { - RUNC_CMDLINE=("$RUNC") + RUNC_CMDLINE=() + # If RUNC_PRE_CMD is set, prepend it. + for pre in ${RUNC_PRE_CMD:+$RUNC_PRE_CMD}; do + RUNC_CMDLINE+=("$pre") + done + RUNC_CMDLINE+=("$RUNC") [[ -v RUNC_USE_SYSTEMD ]] && RUNC_CMDLINE+=("--systemd-cgroup") [[ -n "${ROOT:-}" ]] && RUNC_CMDLINE+=("--root" "$ROOT/state") export RUNC_CMDLINE } -# Raw wrapper for runc. +# Raw wrapper for runc (no bats' run helper, use in special cases, +# e.g. if I/O redirection is needed). function __runc() { setup_runc_cmdline "${RUNC_CMDLINE[@]}" "$@" 
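Review bot: In `setup_runc_cmdline` the loop `for pre in ${RUNC_PRE_CMD:+$RUNC_PRE_CMD}` expands the variable unquoted, so the value goes through pathname expansion as well as word splitting, and `pre` is never declared `local`, so it leaks into the global scope of every test that calls the wrapper. A value containing `*` or `?` would be replaced by matching file names from the test's working directory before being placed in front of runc. Splitting with `local pre; read -ra pre <<<"${RUNC_PRE_CMD:-}"` and then building `RUNC_CMDLINE=("${pre[@]}" "$RUNC")` keeps the whitespace splitting without globbing. The header comment on `runc` should also state that RUNC_PRE_CMD is split on whitespace and cannot carry quoted arguments.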
@@ -708,12 +718,14 @@ function retry() { for ((i = 0; i < attempts; i++)); do run "$@" + # shellcheck disable=SC2154 if [[ "$status" -eq 0 ]]; then return 0 fi sleep "$delay" done + # shellcheck disable=SC2154 echo "Command \"$*\" failed $attempts times. Output: $output" false } diff --git a/tests/integration/start.bats b/tests/integration/start.bats index 10609102974..1a1c79b1e9f 100644 --- a/tests/integration/start.bats +++ b/tests/integration/start.bats @@ -11,18 +11,15 @@ function teardown() { } @test "runc start" { - runc create --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 create --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox created - runc start test_busybox - [ "$status" -eq 0 ] + runc -0 start test_busybox testcontainer test_busybox running runc delete --force test_busybox - runc state test_busybox - [ "$status" -ne 0 ] + runc ! state test_busybox } From 7cc09a0ef09603332cb9c5507bd23d782c993872 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Thu, 16 Oct 2025 16:12:32 -0700 Subject: [PATCH 2/3] tests/int: refactor to use runc status checks 
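Review bot: In the start.bats hunk, `runc delete --force test_busybox` in the `runc start` test is still called without a status expectation, so a failed delete only surfaces indirectly, when the following `runc ! state test_busybox` does not fail as expected. Writing it as `runc -0 delete --force test_busybox` would report the failure at the command that caused it and match the other calls converted in this hunk.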
Signed-off-by: Kir Kolyshkin --- tests/integration/capabilities.bats | 33 +-- tests/integration/cgroup_delegation.bats | 18 +- tests/integration/cgroups.bats | 132 ++++-------- tests/integration/checkpoint.bats | 93 +++----- tests/integration/cpu_affinity.bats | 15 +- tests/integration/create.bats | 30 +-- tests/integration/cwd.bats | 12 +- tests/integration/debug.bats | 12 +- tests/integration/delete.bats | 61 ++---- tests/integration/dev.bats | 51 ++--- tests/integration/env.bats | 21 +- tests/integration/events.bats | 27 +-- tests/integration/exec.bats | 173 +++++---------- tests/integration/help.bats | 12 +- tests/integration/hooks.bats | 18 +- tests/integration/hooks_so.bats | 3 +- tests/integration/host-mntns.bats | 3 +- tests/integration/idmap.bats | 75 +++---- tests/integration/ioprio.bats | 12 +- tests/integration/kill.bats | 36 ++-- tests/integration/list.bats | 21 +- tests/integration/mask.bats | 33 +-- tests/integration/memorypolicy.bats | 33 +-- tests/integration/mounts.bats | 27 +-- tests/integration/mounts_propagation.bats | 3 +- tests/integration/mounts_recursive.bats | 27 +-- tests/integration/mounts_sshfs.bats | 6 +- tests/integration/netdev.bats | 27 +-- tests/integration/no_pivot.bats | 3 +- tests/integration/pause.bats | 27 +-- tests/integration/personality.bats | 24 +-- tests/integration/pidfd-socket.bats | 12 +- tests/integration/ps.bats | 21 +- tests/integration/rlimits.bats | 9 +- tests/integration/root.bats | 30 +-- tests/integration/run.bats | 72 +++---- tests/integration/scheduler.bats | 12 +- tests/integration/seccomp-notify-compat.bats | 3 +- tests/integration/seccomp-notify.bats | 52 ++--- tests/integration/seccomp.bats | 21 +- tests/integration/selinux.bats | 15 +- tests/integration/spec.bats | 6 +- tests/integration/start_detached.bats | 12 +- tests/integration/start_hello.bats | 24 +-- tests/integration/state.bats | 27 +-- tests/integration/timens.bats | 18 +- tests/integration/tty.bats | 57 ++--- tests/integration/umask.bats | 9 
+- tests/integration/update.bats | 211 ++++++------------- tests/integration/userns.bats | 69 ++---- tests/integration/version.bats | 3 +- 51 files changed, 581 insertions(+), 1170 deletions(-) diff --git a/tests/integration/capabilities.bats b/tests/integration/capabilities.bats index 4b1c127e026..e56a7a70ad2 100644 --- a/tests/integration/capabilities.bats +++ b/tests/integration/capabilities.bats @@ -12,8 +12,7 @@ function teardown() { } @test "runc run no capability" { - runc run test_no_caps - [ "$status" -eq 0 ] + runc -0 run test_no_caps [[ "${output}" == *"CapInh: 0000000000000000"* ]] [[ "${output}" == *"CapAmb: 0000000000000000"* ]] @@ -22,8 +21,7 @@ function teardown() { @test "runc run with unknown capability" { update_config '.process.capabilities.bounding = ["CAP_UNKNOWN", "UNKNOWN_CAP"]' - runc run test_unknown_caps - [ "$status" -eq 0 ] + runc -0 run test_unknown_caps [[ "${output}" == *"CapInh: 0000000000000000"* ]] [[ "${output}" == *"CapAmb: 0000000000000000"* ]] @@ -32,8 +30,7 @@ function teardown() { @test "runc run with new privileges" { update_config '.process.noNewPrivileges = false' - runc run test_new_privileges - [ "$status" -eq 0 ] + runc -0 run test_new_privileges [[ "${output}" == *"CapInh: 0000000000000000"* ]] [[ "${output}" == *"CapAmb: 0000000000000000"* ]] @@ -44,8 +41,7 @@ function teardown() { update_config '.process.user = {"uid":0}' update_config '.process.capabilities.bounding = ["CAP_SYS_ADMIN"]' update_config '.process.capabilities.permitted = ["CAP_SYS_ADMIN", "CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE"]' - runc run test_some_caps - [ "$status" -eq 0 ] + runc -0 run test_some_caps [[ "${output}" == *"CapInh: 0000000000000000"* ]] [[ "${output}" == *"CapBnd: 0000000000200000"* ]] 
@@ -57,11 +53,9 @@ function teardown() { @test "runc exec --cap" { update_config ' .process.args = ["/bin/sh"] | .process.capabilities = {}' - runc run -d --console-socket "$CONSOLE_SOCKET" test_exec_cap - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_exec_cap - runc exec test_exec_cap cat /proc/self/status - [ "$status" -eq 0 ] + runc -0 exec test_exec_cap cat /proc/self/status # Check no capabilities are set. [[ "${output}" == *"CapInh: 0000000000000000"* ]] [[ "${output}" == *"CapPrm: 0000000000000000"* ]] @@ -69,8 +63,7 @@ function teardown() { [[ "${output}" == *"CapBnd: 0000000000000000"* ]] [[ "${output}" == *"CapAmb: 0000000000000000"* ]] - runc exec --cap CAP_KILL --cap CAP_AUDIT_WRITE test_exec_cap cat /proc/self/status - [ "$status" -eq 0 ] + runc -0 exec --cap CAP_KILL --cap CAP_AUDIT_WRITE test_exec_cap cat /proc/self/status # Check capabilities are added into bounding/effective/permitted only, # but not to inheritable or ambient. # @@ -90,11 +83,9 @@ function teardown() { | .process.capabilities.effective = ["CAP_KILL"] | .process.capabilities.bounding = ["CAP_KILL", "CAP_CHOWN", "CAP_SYSLOG"] | .process.capabilities.ambient = ["CAP_CHOWN"]' - runc run -d --console-socket "$CONSOLE_SOCKET" test_some_caps - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_some_caps - runc exec test_some_caps cat /proc/self/status - [ "$status" -eq 0 ] + runc -0 exec test_some_caps cat /proc/self/status # Check that capabilities are as set in spec. # # CAP_CHOWN is 0, the bit mask is 0x1 (1 << 0) 
@@ -108,8 +99,7 @@ function teardown() { # Check that if config.json has an inheritable capability set, # runc exec --cap adds ambient capabilities. - runc exec --cap CAP_SYSLOG test_some_caps cat /proc/self/status - [ "$status" -eq 0 ] + runc -0 exec --cap CAP_SYSLOG test_some_caps cat /proc/self/status [[ "${output}" == *"CapInh: 0000000400000001"* ]] [[ "${output}" == *"CapPrm: 0000000400000021"* ]] [[ "${output}" == *"CapEff: 0000000400000021"* ]] @@ -120,8 +110,7 @@ function teardown() { @test "runc run [ambient caps not set in inheritable result in a warning]" { update_config ' .process.capabilities.inheritable = ["CAP_KILL"] | .process.capabilities.ambient = ["CAP_KILL", "CAP_CHOWN"]' - runc run test_amb - [ "$status" -eq 0 ] + runc -0 run test_amb # This should result in CAP_KILL set in ambient, # and a warning about inability to set CAP_CHOWN. # diff --git a/tests/integration/cgroup_delegation.bats b/tests/integration/cgroup_delegation.bats index c0f734e8330..3ae63247987 100644 --- a/tests/integration/cgroup_delegation.bats +++ b/tests/integration/cgroup_delegation.bats @@ -27,11 +27,9 @@ function setup() { } @test "runc exec (cgroup v2, ro cgroupfs, new cgroupns) does not chown cgroup" { - runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroup_chown - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_cgroup_chown - runc exec test_cgroup_chown sh -c "stat -c %U /sys/fs/cgroup" - [ "$status" -eq 0 ] + runc -0 exec test_cgroup_chown sh -c "stat -c %U /sys/fs/cgroup" [ "$output" = "nobody" ] # /sys/fs/cgroup owned by unmapped user } 
@@ -41,21 +39,17 @@ function setup() { # inherit cgroup namespace (remove cgroup from namespaces list) update_config '.linux.namespaces |= map(select(.type != "cgroup"))' - runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroup_chown - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_cgroup_chown - runc exec test_cgroup_chown sh -c "stat -c %U /sys/fs/cgroup" - [ "$status" -eq 0 ] + runc -0 exec test_cgroup_chown sh -c "stat -c %U /sys/fs/cgroup" [ "$output" = "nobody" ] # /sys/fs/cgroup owned by unmapped user } @test "runc exec (cgroup v2, rw cgroupfs, new cgroupns) does chown cgroup" { set_cgroup_mount_writable - runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroup_chown - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_cgroup_chown - runc exec test_cgroup_chown sh -c "stat -c %U /sys/fs/cgroup" - [ "$status" -eq 0 ] + runc -0 exec test_cgroup_chown sh -c "stat -c %U /sys/fs/cgroup" [ "$output" = "root" ] # /sys/fs/cgroup owned by root (of user namespace) } diff --git a/tests/integration/cgroups.bats b/tests/integration/cgroups.bats index a2df63e8002..ab055062c6d 100644 --- a/tests/integration/cgroups.bats +++ b/tests/integration/cgroups.bats @@ -12,8 +12,7 @@ function setup() { } @test "runc create (no limits + no cgrouppath + no permission) succeeds" { - runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroups_permissions - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_cgroups_permissions } @test "runc create (rootless + no limits + cgrouppath + no permission) fails with permission error" { @@ -21,8 +20,7 @@ function setup() { set_cgroups_path - runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroups_permissions - [ "$status" -eq 1 ] + runc -1 run -d --console-socket "$CONSOLE_SOCKET" test_cgroups_permissions [[ "$output" == *"unable to apply cgroup configuration"*"permission denied"* ]] } 
@@ -31,8 +29,7 @@ function setup() { set_resources_limit - runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroups_permissions - [ "$status" -eq 1 ] + runc -1 run -d --console-socket "$CONSOLE_SOCKET" test_cgroups_permissions [[ "$output" == *"rootless needs no limits + no cgrouppath when no permission is granted for cgroups"* ]] || [[ "$output" == *"cannot set pids limit: container could not join or create cgroup"* ]] } @@ -43,8 +40,7 @@ function setup() { set_cgroups_path set_resources_limit - runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroups_permissions - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_cgroups_permissions if [ -v CGROUP_V2 ]; then if [ -v RUNC_USE_SYSTEMD ]; then if [ $EUID -eq 0 ]; then @@ -65,11 +61,9 @@ function setup() { set_cgroups_path set_resources_limit - runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroups_permissions - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_cgroups_permissions - runc exec test_cgroups_permissions echo "cgroups_exec" - [ "$status" -eq 0 ] + runc -0 exec test_cgroups_permissions echo "cgroups_exec" [[ ${lines[0]} == *"cgroups_exec"* ]] } 
@@ -79,37 +73,29 @@ function setup() { set_cgroups_path set_cgroup_mount_writable - runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroups_group - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_cgroups_group - runc exec test_cgroups_group cat /sys/fs/cgroup/cgroup.controllers - [ "$status" -eq 0 ] + runc -0 exec test_cgroups_group cat /sys/fs/cgroup/cgroup.controllers [[ ${lines[0]} == *"memory"* ]] - runc exec test_cgroups_group cat /proc/self/cgroup - [ "$status" -eq 0 ] + runc -0 exec test_cgroups_group cat /proc/self/cgroup [[ ${lines[0]} = "0::/" ]] - runc exec test_cgroups_group mkdir /sys/fs/cgroup/foo - [ "$status" -eq 0 ] + runc -0 exec test_cgroups_group mkdir /sys/fs/cgroup/foo - runc exec test_cgroups_group sh -c "echo 1 > /sys/fs/cgroup/foo/cgroup.procs" - [ "$status" -eq 0 ] + runc -0 exec test_cgroups_group sh -c "echo 1 > /sys/fs/cgroup/foo/cgroup.procs" # the init process is now in "/foo", but an exec process can still join "/" # because we haven't enabled any domain controller. - runc exec test_cgroups_group cat /proc/self/cgroup - [ "$status" -eq 0 ] + runc -0 exec test_cgroups_group cat /proc/self/cgroup [[ ${lines[0]} = "0::/" ]] # turn on a domain controller (memory) - runc exec test_cgroups_group sh -euxc 'echo $$ > /sys/fs/cgroup/foo/cgroup.procs; echo +memory > /sys/fs/cgroup/cgroup.subtree_control' - [ "$status" -eq 0 ] + runc -0 exec test_cgroups_group sh -euxc 'echo $$ > /sys/fs/cgroup/foo/cgroup.procs; echo +memory > /sys/fs/cgroup/cgroup.subtree_control' # an exec process can no longer join "/" after turning on a domain controller. # falls back to "/foo". - runc exec test_cgroups_group cat /proc/self/cgroup - [ "$status" -eq 0 ] + runc -0 exec test_cgroups_group cat /proc/self/cgroup [[ ${lines[0]} = "0::/foo" ]] # teardown: remove "/foo" 
@@ -120,8 +106,7 @@ for pid in $(cat /sys/fs/cgroup/foo/cgroup.procs); do done rmdir /sys/fs/cgroup/foo EOF - runc exec test_cgroups_group test ! -d /sys/fs/cgroup/foo - [ "$status" -eq 0 ] + runc -0 exec test_cgroups_group test ! -d /sys/fs/cgroup/foo } @test "runc run (cgroup v1 + unified resources should fail)" { @@ -131,8 +116,7 @@ EOF set_resources_limit update_config '.linux.resources.unified |= {"memory.min": "131072"}' - runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroups_unified - [ "$status" -ne 0 ] + runc ! run -d --console-socket "$CONSOLE_SOCKET" test_cgroups_unified [[ "$output" == *'invalid configuration'* ]] } @@ -143,8 +127,7 @@ EOF set_cgroups_path update_config '.linux.resources.blockIO |= {"weight": 750}' - runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroups_unified - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_cgroups_unified runc exec test_cgroups_unified sh -c 'cat /sys/fs/cgroup/io.bfq.weight' if [[ "$status" -eq 0 ]]; then @@ -188,8 +171,7 @@ EOF | .linux.resources.blockIO.weightDevice |= [ { major: '"$major"', minor: '"$minor"', weight: 444 } ]' - runc run -d --console-socket "$CONSOLE_SOCKET" test_dev_weight - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_dev_weight if [ -v CGROUP_V2 ]; then file="io.bfq.weight" @@ -240,8 +222,7 @@ EOF ] | .linux.resources.unified |= {"io.max": "'"$major1"':'"$minor1"' riops=333 wiops=444\n'"$major2"':'"$minor2"' riops=555 wiops=666\n"}' - runc run -d --console-socket "$CONSOLE_SOCKET" test_dev_weight - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_dev_weight weights=$(get_cgroup_value "io.max") grep "^$major1:$minor1 .* riops=333 wiops=444$" <<<"$weights" 
@@ -255,8 +236,7 @@ EOF set_cgroups_path update_config '.linux.resources.cpu.idle = 1' - runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroups_unified - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_cgroups_unified check_cgroup_value "cpu.idle" "1" } @@ -300,8 +280,7 @@ convert_hugetlb_size() { done set_cgroups_path - runc run -d --console-socket "$CONSOLE_SOCKET" test_hugetlb - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_hugetlb lim="max" [ -v CGROUP_V1 ] && lim="limit_in_bytes" @@ -338,11 +317,9 @@ convert_hugetlb_size() { "cpu.weight": "42" }' - runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroups_unified - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_cgroups_unified - runc exec test_cgroups_unified sh -c 'cd /sys/fs/cgroup && grep . *.min *.max *.low *.high' - [ "$status" -eq 0 ] + runc -0 exec test_cgroups_unified sh -c 'cd /sys/fs/cgroup && grep . *.min *.max *.low *.high' echo "$output" echo "$output" | grep -q '^memory.min:131072$' @@ -370,11 +347,9 @@ convert_hugetlb_size() { "memory.swap.max": "20971520" }' - runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroups_unified - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_cgroups_unified - runc exec test_cgroups_unified sh -c 'cd /sys/fs/cgroup && grep . *.max' - [ "$status" -eq 0 ] + runc -0 exec test_cgroups_unified sh -c 'cd /sys/fs/cgroup && grep . *.max' echo "$output" echo "$output" | grep -q '^memory.max:20512768$' 
@@ -403,19 +378,15 @@ convert_hugetlb_size() { "cpu.weight": "42" }' - runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroups_unified - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_cgroups_unified - runc exec test_cgroups_unified cat /sys/fs/cgroup/memory.min - [ "$status" -eq 0 ] + runc -0 exec test_cgroups_unified cat /sys/fs/cgroup/memory.min [ "$output" = '131072' ] - runc exec test_cgroups_unified cat /sys/fs/cgroup/memory.max - [ "$status" -eq 0 ] + runc -0 exec test_cgroups_unified cat /sys/fs/cgroup/memory.max [ "$output" = '10485760' ] - runc exec test_cgroups_unified cat /sys/fs/cgroup/pids.max - [ "$status" -eq 0 ] + runc -0 exec test_cgroups_unified cat /sys/fs/cgroup/pids.max [ "$output" = '42' ] check_systemd_value "TasksMax" 42 @@ -430,12 +401,10 @@ convert_hugetlb_size() { set_cgroups_path - runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroups_unified - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_cgroups_unified # Make sure we don't have any extra cgroups inside - runc exec test_cgroups_unified find /sys/fs/cgroup/ -type d - [ "$status" -eq 0 ] + runc -0 exec test_cgroups_unified find /sys/fs/cgroup/ -type d [ "$(wc -l <<<"$output")" -eq 1 ] } 
@@ -444,15 +413,13 @@ convert_hugetlb_size() { set_cgroups_path - runc run --pid-file pid.txt -d --console-socket "$CONSOLE_SOCKET" test_cgroups_group - [ "$status" -eq 0 ] + runc -0 run --pid-file pid.txt -d --console-socket "$CONSOLE_SOCKET" test_cgroups_group pid=$(cat pid.txt) run_cgroup=$(tail -1 "$FREEZER" # Start a container. - runc run -d --console-socket "$CONSOLE_SOCKET" ct1 - [ "$status" -eq 1 ] + runc -1 run -d --console-socket "$CONSOLE_SOCKET" ct1 # A warning should be printed. [[ "$output" == *"container's cgroup unexpectedly frozen"* ]] # Same check for runc create. - runc create --console-socket "$CONSOLE_SOCKET" ct2 - [ "$status" -eq 1 ] + runc -1 create --console-socket "$CONSOLE_SOCKET" ct2 # A warning should be printed. [[ "$output" == *"container's cgroup unexpectedly frozen"* ]] diff --git a/tests/integration/checkpoint.bats b/tests/integration/checkpoint.bats index c694cebe035..a8750eaad4a 100644 --- a/tests/integration/checkpoint.bats +++ b/tests/integration/checkpoint.bats @@ -114,25 +114,21 @@ function runc_restore_with_pipes() { testcontainer "$name" running - runc exec --cwd /bin "$name" echo ok - [ "$status" -eq 0 ] + runc -0 exec --cwd /bin "$name" echo ok [ "$output" = "ok" ] } function simple_cr() { - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox running for _ in $(seq 2); do - runc "$@" checkpoint --work-path ./work-dir test_busybox - [ "$status" -eq 0 ] + runc -0 "$@" checkpoint --work-path ./work-dir test_busybox testcontainer test_busybox checkpointed - runc "$@" restore -d --work-path ./work-dir --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 "$@" restore -d --work-path ./work-dir --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox running done 
@@ -152,28 +148,23 @@ function simple_cr_with_netdevice() { create_netns update_config '(.. | select(.type? == "network")) .path |= "'"$ns_path"'"' update_config ' .linux.netDevices |= {"dummy0": {} }' - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox_netdevice - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox_netdevice testcontainer test_busybox_netdevice running - runc exec test_busybox_netdevice ip address show dev dummy0 - [ "$status" -eq 0 ] + runc -0 exec test_busybox_netdevice ip address show dev dummy0 [[ "$output" == *" $global_ip "* ]] [[ "$output" == *"ether $mac_address "* ]] [[ "$output" == *"mtu $mtu_value "* ]] for _ in $(seq 2); do - runc "$@" checkpoint --work-path ./work-dir test_busybox_netdevice - [ "$status" -eq 0 ] + runc -0 "$@" checkpoint --work-path ./work-dir test_busybox_netdevice testcontainer test_busybox_netdevice checkpointed - runc "$@" restore -d --work-path ./work-dir --console-socket "$CONSOLE_SOCKET" test_busybox_netdevice - [ "$status" -eq 0 ] + runc -0 "$@" restore -d --work-path ./work-dir --console-socket "$CONSOLE_SOCKET" test_busybox_netdevice testcontainer test_busybox_netdevice running - runc exec test_busybox_netdevice ip address show dev dummy0 - [ "$status" -eq 0 ] + runc -0 exec test_busybox_netdevice ip address show dev dummy0 [[ "$output" == *" $global_ip "* ]] [[ "$output" == *"ether $mac_address "* ]] [[ "$output" == *"mtu $mtu_value "* ]] 
@@ -239,20 +230,17 @@ function simple_cr_with_netdevice() { } @test "checkpoint --pre-dump (bad --parent-path)" { - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox running # runc should fail with absolute parent image path. - runc checkpoint --parent-path "$(pwd)"/parent-dir --work-path ./work-dir --image-path ./image-dir test_busybox + runc ! checkpoint --parent-path "$(pwd)"/parent-dir --work-path ./work-dir --image-path ./image-dir test_busybox [[ "${output}" == *"--parent-path"* ]] - [ "$status" -ne 0 ] # runc should fail with invalid parent image path. - runc checkpoint --parent-path ./parent-dir --work-path ./work-dir --image-path ./image-dir test_busybox + runc ! checkpoint --parent-path ./parent-dir --work-path ./work-dir --image-path ./image-dir test_busybox [[ "${output}" == *"--parent-path"* ]] - [ "$status" -ne 0 ] } @test "checkpoint --pre-dump and restore" { @@ -264,15 +252,13 @@ function simple_cr_with_netdevice() { runc_run_with_pipes test_busybox mkdir parent-dir - runc checkpoint --pre-dump --image-path ./parent-dir test_busybox - [ "$status" -eq 0 ] + runc -0 checkpoint --pre-dump --image-path ./parent-dir test_busybox testcontainer test_busybox running mkdir image-dir mkdir work-dir - runc checkpoint --parent-path ../parent-dir --work-path ./work-dir --image-path ./image-dir test_busybox - [ "$status" -eq 0 ] + runc -0 checkpoint --parent-path ../parent-dir --work-path ./work-dir --image-path ./image-dir test_busybox # check parent path is valid [ -e ./image-dir/parent ] 
@@ -367,22 +353,19 @@ function simple_cr_with_netdevice() { # tell runc which network namespace to use update_config '(.. | select(.type? == "network")) .path |= "'"$ns_path"'"' - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox running for _ in $(seq 2); do # checkpoint the running container; this automatically tells CRIU to # handle the network namespace defined in config.json as an external - runc checkpoint --work-path ./work-dir test_busybox - [ "$status" -eq 0 ] + runc -0 checkpoint --work-path ./work-dir test_busybox testcontainer test_busybox checkpointed # restore from checkpoint; this should restore the container into the existing network namespace - runc restore -d --work-path ./work-dir --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 restore -d --work-path ./work-dir --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox running @@ -416,13 +399,11 @@ function simple_cr_with_netdevice() { # Make sure the RPC defined configuration file overwrites the previous echo "log-file=$tmplog2" >"$tmp" - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox running - runc checkpoint --work-path ./work-dir test_busybox - [ "$status" -eq 0 ] + runc -0 checkpoint --work-path ./work-dir test_busybox run ! test -f ./work-dir/"$tmplog1" test -f ./work-dir/"$tmplog2" @@ -430,8 +411,7 @@ function simple_cr_with_netdevice() { test -f ./work-dir/"$tmplog2" && unlink ./work-dir/"$tmplog2" - runc restore -d --work-path ./work-dir --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 restore -d --work-path ./work-dir --console-socket "$CONSOLE_SOCKET" test_busybox run ! test -f ./work-dir/"$tmplog1" test -f ./work-dir/"$tmplog2" 
@@ -456,13 +436,11 @@ function simple_cr_with_netdevice() { options: ["rw", "bind"] }]' - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox running - runc checkpoint --work-path ./work-dir test_busybox - [ "$status" -eq 0 ] + runc -0 checkpoint --work-path ./work-dir test_busybox testcontainer test_busybox checkpointed @@ -470,8 +448,7 @@ function simple_cr_with_netdevice() { # the mountpoints should be recreated during restore - that is the actual thing tested here rm -rf "${bind1:?}"/* - runc restore -d --work-path ./work-dir --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 restore -d --work-path ./work-dir --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox running } @@ -479,8 +456,7 @@ function simple_cr_with_netdevice() { @test "checkpoint then restore into a different cgroup (via --manage-cgroups-mode ignore)" { set_resources_limit set_cgroups_path - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox running local orig_path 
@@ -488,17 +464,15 @@ function simple_cr_with_netdevice() { # Check that the cgroup exists. test -d "$orig_path" - runc checkpoint --work-path ./work-dir --manage-cgroups-mode ignore test_busybox - [ "$status" -eq 0 ] + runc -0 checkpoint --work-path ./work-dir --manage-cgroups-mode ignore test_busybox testcontainer test_busybox checkpointed # Check that the cgroup is gone. run ! test -d "$orig_path" # Restore into a different cgroup. set_cgroups_path # Changes the path. - runc restore -d --manage-cgroups-mode ignore --pid-file pid \ + runc -0 restore -d --manage-cgroups-mode ignore --pid-file pid \ --work-path ./work-dir --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] testcontainer test_busybox running # Check that the old cgroup path doesn't exist. @@ -516,32 +490,27 @@ function simple_cr_with_netdevice() { } @test "checkpoint/restore and exec" { - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox running local execed_pid="" for _ in $(seq 2); do - runc checkpoint --work-path ./work-dir test_busybox - [ "$status" -eq 0 ] + runc -0 checkpoint --work-path ./work-dir test_busybox testcontainer test_busybox checkpointed - runc restore -d --work-path ./work-dir --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 restore -d --work-path ./work-dir --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox running # verify that previously exec'd process is restored. if [ -n "$execed_pid" ]; then - runc exec test_busybox ls -ld "/proc/$execed_pid" - [ "$status" -eq 0 ] + runc -0 exec test_busybox ls -ld "/proc/$execed_pid" fi # exec a new background process. - runc exec test_busybox sh -c 'sleep 1000 < /dev/null &> /dev/null & echo $!' - [ "$status" -eq 0 ] + runc -0 exec test_busybox sh -c 'sleep 1000 < /dev/null &> /dev/null & echo $!' execed_pid=$output done } 
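Review bot: In "checkpoint/restore and exec", `execed_pid=$output` stores everything the exec printed, so any extra line in the captured output ends up inside `"/proc/$execed_pid"` on the next loop iteration. That could happen with a runc warning, if the wrapper merges stderr the way bats' `run` does. The `-0` added on the exec pins only the exit status, not the shape of the output. A guard right after the assignment, `[[ "$execed_pid" =~ ^[0-9]+$ ]]`, would make such a failure point at the exec instead of at the later `ls -ld`.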
diff --git a/tests/integration/cpu_affinity.bats b/tests/integration/cpu_affinity.bats index 89a5454d73a..242f5a072cc 100644 --- a/tests/integration/cpu_affinity.bats +++ b/tests/integration/cpu_affinity.bats @@ -41,8 +41,7 @@ function cpus_to_mask() { first="$(first_cpu)" second=$((first + 1)) # Hacky; might not work in all environments. - runc run -d --console-socket "$CONSOLE_SOCKET" ct1 - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" ct1 for cpus in "$second" "$first-$second" "$first,$second" "$first"; do proc=' @@ -65,8 +64,7 @@ function cpus_to_mask() { first="$(first_cpu)" second=$((first + 1)) # Hacky; might not work in all environments. - runc run -d --console-socket "$CONSOLE_SOCKET" ct1 - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" ct1 for cpus in "$second" "$first-$second" "$first,$second" "$first"; do proc=' @@ -95,11 +93,9 @@ function cpus_to_mask() { update_config " .process.execCPUAffinity.initial = \"$initial\" | .process.execCPUAffinity.final = \"$final\"" - runc run -d --console-socket "$CONSOLE_SOCKET" ct1 - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" ct1 - runc --debug exec ct1 grep "Cpus_allowed_list:" /proc/self/status - [ "$status" -eq 0 ] + runc -0 --debug exec ct1 grep "Cpus_allowed_list:" /proc/self/status mask=$(cpus_to_mask "$initial") [[ "$output" == *"nsexec"*": affinity: $mask"* ]] [[ "$output" == *"Cpus_allowed_list: $final"* ]] # Mind the literal tab. @@ -171,8 +167,7 @@ function cpus_to_mask() { [ -v RUNC_USE_SYSTEMD ] || [[ "$output" == $'Cpus_allowed_list:\t'"$first-$second" ]] # Stop the container so we can reconfigure it. - runc delete -f ctr - [ "$status" -eq 0 ] + runc -0 delete -f ctr # Ditto for a cpuset that has no overlap with the original cpumask. update_config '.linux.resources.cpu = {"mems": "0", "cpus": "'"$second"'"}' diff --git a/tests/integration/create.bats b/tests/integration/create.bats index b1693518a99..aabf5c09e26 100644 
--- a/tests/integration/create.bats +++ b/tests/integration/create.bats @@ -11,45 +11,38 @@ function teardown() { } @test "runc create" { - runc create --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 create --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox created - runc start test_busybox - [ "$status" -eq 0 ] + runc -0 start test_busybox testcontainer test_busybox running } @test "runc create exec" { - runc create --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 create --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox created - runc exec test_busybox true - [ "$status" -eq 0 ] + runc -0 exec test_busybox true testcontainer test_busybox created - runc start test_busybox - [ "$status" -eq 0 ] + runc -0 start test_busybox testcontainer test_busybox running } @test "runc create --pid-file" { - runc create --pid-file pid.txt --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 create --pid-file pid.txt --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox created [ -e pid.txt ] [[ $(cat pid.txt) = $(__runc state test_busybox | jq '.pid') ]] - runc start test_busybox - [ "$status" -eq 0 ] + runc -0 start test_busybox testcontainer test_busybox running } @@ -59,16 +52,14 @@ function teardown() { mkdir pid_file cd pid_file - runc create --pid-file pid.txt -b "$bundle" --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 create --pid-file pid.txt -b "$bundle" --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox created [ -e pid.txt ] [[ $(cat pid.txt) = $(__runc state test_busybox | jq '.pid') ]] - runc start test_busybox - [ "$status" -eq 0 ] + runc -0 start test_busybox testcontainer test_busybox running } 
@@ -92,8 +83,7 @@ function teardown() { fi exp="Such configuration is strongly discouraged" - runc create --console-socket "$CONSOLE_SOCKET" test - [ "$status" -eq 0 ] + runc -0 create --console-socket "$CONSOLE_SOCKET" test if [ $EUID -ne 0 ] && ! rootless_cgroup; then [[ "$output" = *"$exp"* ]] else diff --git a/tests/integration/cwd.bats b/tests/integration/cwd.bats index f1859623be3..e793af746ec 100644 --- a/tests/integration/cwd.bats +++ b/tests/integration/cwd.bats @@ -21,11 +21,9 @@ function teardown() { | .process.user.uid = 42 | .process.args |= ["sleep", "1h"]' - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox - runc exec --user 0 test_busybox true - [ "$status" -eq 0 ] + runc -0 exec --user 0 test_busybox true } # Verify a cwd owned by the container user can be chdir'd to, @@ -53,8 +51,7 @@ function teardown() { | .process.cwd = "'"$AUX_DIR"'" | .process.args |= ["ls", "'"$AUX_DIR"'"]' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox } # Verify a cwd not owned by the container user can be chdir'd to, @@ -69,6 +66,5 @@ function teardown() { | .process.user.uid = 42 | .process.args |= ["ls", "/tmp"]' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox } diff --git a/tests/integration/debug.bats b/tests/integration/debug.bats index cb9276a4afd..eb69c668cdb 100644 --- a/tests/integration/debug.bats +++ b/tests/integration/debug.bats @@ -18,8 +18,7 @@ function check_debug() { } @test "global --debug" { - runc --debug run test_hello - [ "$status" -eq 0 ] + runc -0 --debug run test_hello # check expected debug output was sent to stderr [[ "${output}" == *"level=debug"* ]] 
@@ -27,8 +26,7 @@ function check_debug() { } @test "global --debug to --log" { - runc --log log.out --debug run test_hello - [ "$status" -eq 0 ] + runc -0 --log log.out --debug run test_hello # check output does not include debug info [[ "${output}" != *"level=debug"* ]] @@ -41,8 +39,7 @@ function check_debug() { } @test "global --debug to --log --log-format 'text'" { - runc --log log.out --log-format "text" --debug run test_hello - [ "$status" -eq 0 ] + runc -0 --log log.out --log-format "text" --debug run test_hello # check output does not include debug info [[ "${output}" != *"level=debug"* ]] @@ -55,8 +52,7 @@ function check_debug() { } @test "global --debug to --log --log-format 'json'" { - runc --log log.out --log-format "json" --debug run test_hello - [ "$status" -eq 0 ] + runc -0 --log log.out --log-format "json" --debug run test_hello # check output does not include debug info [[ "${output}" != *"level=debug"* ]] diff --git a/tests/integration/delete.bats b/tests/integration/delete.bats index 78321c3b433..4e718b7bc75 100644 --- a/tests/integration/delete.bats +++ b/tests/integration/delete.bats @@ -40,8 +40,7 @@ function test_runc_delete_host_pidns() { ) // .)' fi - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox cgpath=$(get_cgroup_path "pids") init_pid=$(cat "$cgpath"/cgroup.procs) @@ -65,11 +64,10 @@ function test_runc_delete_host_pidns() { done # Must kill those processes and remove container. - runc delete "$@" test_busybox - [ "$status" -eq 0 ] + runc -0 delete "$@" test_busybox - runc state test_busybox - [ "$status" -ne 0 ] # "Container does not exist" + runc ! state test_busybox + [[ "$output" == *"container does not exist"* ]] # Wait and check that all the processes are gone. wait_pids_gone 10 0.2 "${pids[@]}" 
@@ -90,8 +88,7 @@ function test_runc_delete_host_pidns() { [ $EUID -ne 0 ] && requires systemd set_resources_limit - runc run -d --console-socket "$CONSOLE_SOCKET" testbusyboxdelete - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" testbusyboxdelete testcontainer testbusyboxdelete running # Ensure the find statement used later is correct. @@ -100,35 +97,29 @@ function test_runc_delete_host_pidns() { fail "expected cgroup not found" fi - runc kill testbusyboxdelete KILL - [ "$status" -eq 0 ] + runc -0 kill testbusyboxdelete KILL wait_for_container 10 1 testbusyboxdelete stopped - runc delete testbusyboxdelete - [ "$status" -eq 0 ] + runc -0 delete testbusyboxdelete - runc state testbusyboxdelete - [ "$status" -ne 0 ] + runc ! state testbusyboxdelete output=$(find /sys/fs/cgroup -name testbusyboxdelete -o -name \*-testbusyboxdelete.scope 2>/dev/null || true) [ "$output" = "" ] || fail "cgroup not cleaned up correctly: $output" } @test "runc delete --force" { - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox running runc delete --force test_busybox - runc state test_busybox - [ "$status" -ne 0 ] + runc ! state test_busybox } @test "runc delete --force ignore not exist" { - runc delete --force notexists - [ "$status" -eq 0 ] + runc -0 delete --force notexists } # Issue 4047, case "runc delete". @@ -149,14 +140,11 @@ function test_runc_delete_host_pidns() { set_cgroups_path fi - runc run -d --console-socket "$CONSOLE_SOCKET" ct1 - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" ct1 testcontainer ct1 running - runc pause ct1 - [ "$status" -eq 0 ] - runc delete --force ct1 - [ "$status" -eq 0 ] + runc -0 pause ct1 + runc -0 delete --force ct1 } @test "runc delete --force in cgroupv1 with subcgroups" { 
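Review bot: In "runc delete --force", `runc delete --force test_busybox` is the one runc call in that test left without a status flag. Assuming the wrapper checks nothing when no flag is given (as bats' `run` does), a failing forced delete is caught only indirectly by the following `runc ! state`. It should read `runc -0 delete --force test_busybox`; `runc delete -f test_host_mntns` in the host-mntns.bats hunk may be the same leftover. Separately, the two `runc ! state ...` calls in this hunk accept any non-zero exit, while the earlier delete.bats hunk also matches `[[ "$output" == *"container does not exist"* ]]`. Adding that line here too would keep an unrelated runc failure from passing as "container removed".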
@@ -168,8 +156,7 @@ function test_runc_delete_host_pidns() { local subsystems="memory freezer" - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox running @@ -180,7 +167,7 @@ function test_runc_delete_host_pidns() { [[ ${pid} =~ [0-9]+ ]] # create a sub-cgroup - cat </dev/null || true) [ "$output" = "" ] || fail "cgroup not cleaned up correctly: $output" @@ -214,8 +199,7 @@ EOF set_cgroups_path set_cgroup_mount_writable - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox running 
@@ -237,8 +221,7 @@ EOF echo ${pid} > cgroup.threads cat cgroup.threads EOF - runc exec test_busybox sh preserve-fds.test # fd 3 is used by bats, so we use 4 exec 4 /sys/fs/cgroup/foobar/cgroup.procs \ && grep -w foobar /proc/1/cgroup" - [ "$status" -eq 0 ] # The following part is taken from # @test "runc exec (cgroup v2 + init process in non-root cgroup) succeeds" # The init process is now in "/foo", but an exec process can still # join "/" because we haven't enabled any domain controller yet. - runc exec test_busybox grep '^0::/$' /proc/self/cgroup - [ "$status" -eq 0 ] + runc -0 exec test_busybox grep '^0::/$' /proc/self/cgroup # Turn on a domain controller (memory). - runc exec test_busybox sh -euc 'echo $$ > /sys/fs/cgroup/foobar/cgroup.procs; echo +memory > /sys/fs/cgroup/cgroup.subtree_control' - [ "$status" -eq 0 ] + runc -0 exec test_busybox sh -euc 'echo $$ > /sys/fs/cgroup/foobar/cgroup.procs; echo +memory > /sys/fs/cgroup/cgroup.subtree_control' # An exec process can no longer join "/" after turning on a domain # controller. Check that cgroup v2 fallback to init cgroup works. - runc exec test_busybox sh -euc "cat /proc/self/cgroup && grep '^0::/foobar$' /proc/self/cgroup" - [ "$status" -eq 0 ] + runc -0 exec test_busybox sh -euc "cat /proc/self/cgroup && grep '^0::/foobar$' /proc/self/cgroup" # Check that --cgroup / disables the init cgroup fallback. - runc exec --cgroup / test_busybox true - [ "$status" -ne 0 ] + runc ! exec --cgroup / test_busybox true [[ "$output" == *" adding pid "*" to cgroups"*"evice or resource busy"* ]] # Check that explicit --cgroup foobar works. - runc exec --cgroup foobar test_busybox grep '^0::/foobar$' /proc/self/cgroup - [ "$status" -eq 0 ] + runc -0 exec --cgroup foobar test_busybox grep '^0::/foobar$' /proc/self/cgroup # Check all processes is in foobar (this check is redundant). - runc exec --cgroup foobar test_busybox sh -euc '! 
grep -vwH foobar /proc/*/cgroup' - [ "$status" -eq 0 ] + runc -0 exec --cgroup foobar test_busybox sh -euc '! grep -vwH foobar /proc/*/cgroup' # Add a second subcgroup, check we're in it. - runc exec --cgroup foobar test_busybox mkdir /sys/fs/cgroup/second - [ "$status" -eq 0 ] - runc exec --cgroup second test_busybox grep -w second /proc/self/cgroup - [ "$status" -eq 0 ] + runc -0 exec --cgroup foobar test_busybox mkdir /sys/fs/cgroup/second + runc -0 exec --cgroup second test_busybox grep -w second /proc/self/cgroup } @test "runc exec [execve error]" { @@ -327,9 +267,8 @@ function check_exec_debug() { sh EOF chmod +x rootfs/run.sh - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - runc exec -t test_busybox /run.sh - [ "$status" -ne 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox + runc ! exec -t test_busybox /run.sh # After the sync socket closed, we should not send error to parent # process, or else we will get a unnecessary error log(#4171). @@ -345,10 +284,8 @@ EOF [ $EUID -ne 0 ] && requires rootless_idmap echo 'tempuser:x:2000:2000:tempuser:/home/tempuser:/bin/sh' >>rootfs/etc/passwd - runc run -d --console-socket "$CONSOLE_SOCKET" test - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test - runc exec -u 2000 test sh -c "echo \$HOME" - [ "$status" -eq 0 ] + runc -0 exec -u 2000 test sh -c "echo \$HOME" [ "${lines[0]}" = "/home/tempuser" ] } diff --git a/tests/integration/help.bats b/tests/integration/help.bats index 64cc66f674a..d1954047ca4 100644 --- a/tests/integration/help.bats +++ b/tests/integration/help.bats @@ -10,13 +10,11 @@ function setup() { } @test "runc -h" { - runc -h - [ "$status" -eq 0 ] + runc -0 -h [[ ${lines[0]} =~ NAME:+ ]] [[ ${lines[1]} =~ runc\ '-'\ Open\ Container\ Initiative\ runtime+ ]] - runc --help - [ "$status" -eq 0 ] + runc -0 --help [[ ${lines[0]} =~ NAME:+ ]] [[ ${lines[1]} =~ runc\ '-'\ Open\ Container\ Initiative\ runtime+ ]] } 
@@ -47,8 +45,7 @@ function setup() { for cmd in "${cmds[@]}"; do for arg in "-h" "--help"; do - runc "$cmd" "$arg" - [ "$status" -eq 0 ] + runc -0 "$cmd" "$arg" [[ ${lines[0]} =~ NAME:+ ]] [[ ${lines[1]} =~ $runc\ $cmd+ ]] done @@ -56,7 +53,6 @@ function setup() { } @test "runc foo -h" { - runc foo -h - [ "$status" -ne 0 ] + runc ! foo -h [[ "${output}" == *"No help topic for 'foo'"* ]] } diff --git a/tests/integration/hooks.bats b/tests/integration/hooks.bats index 854fc4b832a..8320f892bc0 100644 --- a/tests/integration/hooks.bats +++ b/tests/integration/hooks.bats @@ -13,8 +13,7 @@ function teardown() { @test "runc create [second createRuntime hook fails]" { update_config '.hooks |= {"createRuntime": [{"path": "/bin/true"}, {"path": "/bin/false"}]}' - runc create --console-socket "$CONSOLE_SOCKET" test_hooks - [ "$status" -ne 0 ] + runc ! create --console-socket "$CONSOLE_SOCKET" test_hooks [[ "$output" == *"error running createRuntime hook #1:"* ]] } @@ -22,8 +21,7 @@ function teardown() { for hook in prestart createRuntime createContainer; do echo "testing hook $hook" update_config '.hooks |= {"'$hook'": [{"path": "/bin/true"}, {"path": "/bin/false"}]}' - runc create --console-socket "$CONSOLE_SOCKET" test_hooks - [ "$status" -ne 0 ] + runc ! create --console-socket "$CONSOLE_SOCKET" test_hooks [[ "$output" == *"error running $hook hook #1:"* ]] done } @@ -34,9 +32,8 @@ function teardown() { for hook in prestart createRuntime createContainer startContainer poststart; do echo "testing hook $hook" update_config '.hooks |= {"'$hook'": [{"path": "/bin/true"}, {"path": "/bin/false"}]}' - runc run "test_hook-$hook" + runc ! run "test_hook-$hook" [[ "$output" != "Hello World" ]] - [ "$status" -ne 0 ] [[ "$output" == *"error running $hook hook #1:"* ]] done } 
@@ -58,8 +55,7 @@ function teardown() { update_config ' .process.args = ["/bin/true"] | .process.env = ["ONE=two", "FOO=bar"] | .hooks |= {"startContainer": [{"path": "/check-env.sh"}]}' - runc run ct1 - [ "$status" -eq 0 ] + runc -0 run ct1 } # https://github.com/opencontainers/runc/issues/1663 @@ -67,14 +63,12 @@ function teardown() { # Check that argv[0] and argv[1] passed to the hook's binary # exactly as set in config.json. update_config '.hooks |= {"startContainer": [{"path": "/bin/busybox", "args": ["cat", "/nosuchfile"]}]}' - runc run ct1 - [ "$status" -ne 0 ] + runc ! run ct1 [[ "$output" == *"cat: can't open"*"/nosuchfile"* ]] # Busybox also accepts commands where argv[0] is "busybox", # and argv[1] is applet name. Test this as well. update_config '.hooks |= {"startContainer": [{"path": "/bin/busybox", "args": ["busybox", "cat", "/nosuchfile"]}]}' - runc run ct1 - [ "$status" -ne 0 ] + runc ! run ct1 [[ "$output" == *"cat: can't open"*"/nosuchfile"* ]] } diff --git a/tests/integration/hooks_so.bats b/tests/integration/hooks_so.bats index 515f9e322a2..cddbe51d5c8 100644 --- a/tests/integration/hooks_so.bats +++ b/tests/integration/hooks_so.bats @@ -43,8 +43,7 @@ function teardown() { .root.readonly |= false | .process.args = ["/bin/sh", "-c", "ldconfig -p | grep librunc"]' - runc run test_debian - [ "$status" -eq 0 ] + runc -0 run test_debian echo "Checking create-runtime library" echo "$output" | grep "$HOOKLIBCR" diff --git a/tests/integration/host-mntns.bats b/tests/integration/host-mntns.bats index 7907a5b9e47..f8a3525f12d 100644 --- a/tests/integration/host-mntns.bats +++ b/tests/integration/host-mntns.bats @@ -23,8 +23,7 @@ function teardown() { | .linux.namespaces -= [{"type": "mount"}] | .linux.maskedPaths = [] | .linux.readonlyPaths = []' - runc run test_host_mntns - [ "$status" -eq 0 ] + runc -0 run test_host_mntns runc delete -f test_host_mntns # There should be one such file. 
diff --git a/tests/integration/idmap.bats b/tests/integration/idmap.bats index a816fe96863..28c5ef52275 100644 --- a/tests/integration/idmap.bats +++ b/tests/integration/idmap.bats @@ -113,8 +113,7 @@ function setup_idmap_basic_mount() { update_config '.process.args = ["sh", "-c", "stat -c =%u=%g= /tmp/mount-1/foo.txt"]' - runc run test_debian - [ "$status" -eq 0 ] + runc -0 run test_debian [[ "$output" == *"=0=0="* ]] } @@ -123,8 +122,7 @@ function setup_idmap_basic_mount() { update_config '.process.args = ["sh", "-c", "stat -c =%u=%g= /tmp/mount-1/foo.txt"]' - runc run test_debian - [ "$status" -eq 0 ] + runc -0 run test_debian [[ "$output" == *"=100000=100000="* ]] } @@ -134,8 +132,7 @@ function setup_idmap_basic_mount() { update_config '.process.args = ["sh", "-c", "touch /tmp/mount-1/bar && stat -c =%u=%g= /tmp/mount-1/bar"]' - runc run test_debian - [ "$status" -eq 0 ] + runc -0 run test_debian [[ "$output" == *"=0=0="* ]] } @@ -144,9 +141,8 @@ function setup_idmap_basic_mount() { update_config '.process.args = ["sh", "-c", "touch /tmp/mount-1/bar && stat -c =%u=%g= /tmp/mount-1/bar"]' - runc run test_debian + runc ! run test_debian # The write must fail because the user is unmapped. - [ "$status" -ne 0 ] [[ "$output" == *"Value too large for defined data type"* ]] # ERANGE } @@ -158,8 +154,7 @@ function setup_idmap_basic_mount() { # Add the shared option to the idmap mount. update_config '.mounts |= map((select(.source == "source-1/") | .options += ["shared"]) // .)' - runc run test_debian - [ "$status" -eq 0 ] + runc -0 run test_debian [[ "$output" == *"shared"* ]] } @@ -171,8 +166,7 @@ function setup_idmap_basic_mount() { # Switch the mount to have a relative mount destination. update_config '.mounts |= map((select(.source == "source-1/") | .destination = "tmp/mount-1") // .)' - runc run test_debian - [ "$status" -eq 0 ] + runc -0 run test_debian [[ "$output" == *"=0=0="* ]] } 
@@ -183,8 +177,7 @@ function setup_idmap_basic_mount() { update_config '.process.args = ["bash", "-c", "stat -c =%n:%u=%g= /tmp/{,bind-}mount-1/foo.txt"]' - runc run test_debian - [ "$status" -eq 0 ] + runc -0 run test_debian [[ "$output" == *"=/tmp/mount-1/foo.txt:0=0="* ]] [[ "$output" == *"=/tmp/bind-mount-1/foo.txt:$OVERFLOW_UID=$OVERFLOW_GID="* ]] } @@ -195,8 +188,7 @@ function setup_idmap_basic_mount() { update_config '.process.args = ["bash", "-c", "stat -c =%n:%u=%g= /tmp/{,bind-}mount-1/foo.txt"]' - runc run test_debian - [ "$status" -eq 0 ] + runc -0 run test_debian [[ "$output" == *"=/tmp/mount-1/foo.txt:100000=100000="* ]] [[ "$output" == *"=/tmp/bind-mount-1/foo.txt:0=0="* ]] } @@ -211,8 +203,7 @@ function setup_idmap_basic_mount() { update_config '.process.args = ["bash", "-c", "stat -c =%n:%u=%g= /tmp/mount-[12]/foo.txt"]' - runc run test_debian - [ "$status" -eq 0 ] + runc -0 run test_debian [[ "$output" == *"=/tmp/mount-1/foo.txt:0=0="* ]] [[ "$output" == *"=/tmp/mount-2/foo.txt:1=1="* ]] } @@ -228,8 +219,7 @@ function setup_idmap_basic_mount() { update_config '.process.args = ["bash", "-c", "stat -c =%n:%u=%g= /tmp/mount-multi1{,-alt{,-sym}}/{foo,bar,baz}.txt"]' - runc run test_debian - [ "$status" -eq 0 ] + runc -0 run test_debian [[ "$output" == *"=/tmp/mount-multi1/foo.txt:0=11="* ]] [[ "$output" == *"=/tmp/mount-multi1/bar.txt:1=22="* ]] [[ "$output" == *"=/tmp/mount-multi1/baz.txt:2=33="* ]] @@ -250,8 +240,7 @@ function setup_idmap_basic_mount() { update_config '.process.args = ["bash", "-c", "stat -c =%n:%u=%g= /tmp/mount-multi1{,-alt{,-sym}}/{foo,bar,baz}.txt"]' - runc run test_debian - [ "$status" -eq 0 ] + runc -0 run test_debian [[ "$output" == *"=/tmp/mount-multi1/foo.txt:100000=100011="* ]] [[ "$output" == *"=/tmp/mount-multi1/bar.txt:100001=100022="* ]] [[ "$output" == *"=/tmp/mount-multi1/baz.txt:100002=100033="* ]] 
@@ -273,8 +262,7 @@ function setup_idmap_basic_mount() { update_config '.process.args = ["bash", "-c", "stat -c =%n:%u=%g= /tmp/mount-multi[123]/{foo,bar,baz}.txt"]' - runc run test_debian - [ "$status" -eq 0 ] + runc -0 run test_debian [[ "$output" == *"=/tmp/mount-multi1/foo.txt:1100=1911="* ]] [[ "$output" == *"=/tmp/mount-multi1/bar.txt:1101=1922="* ]] [[ "$output" == *"=/tmp/mount-multi1/baz.txt:1102=1933="* ]] @@ -294,8 +282,7 @@ function setup_idmap_basic_mount() { update_config '.process.args = ["bash", "-c", "stat -c =%n:%u=%g= /tmp/mount-multi[123]/{foo,bar,baz}.txt"]' - runc run test_debian - [ "$status" -eq 0 ] + runc -0 run test_debian [[ "$output" == *"=/tmp/mount-multi1/foo.txt:1100=1911="* ]] [[ "$output" == *"=/tmp/mount-multi1/bar.txt:1101=1922="* ]] [[ "$output" == *"=/tmp/mount-multi1/baz.txt:1102=1933="* ]] @@ -329,8 +316,7 @@ function setup_idmap_basic_mount() { ]' update_config '.process.args = ["bash", "-c", "stat -c =%n:%u=%g= /tmp/mount-multi1/{foo,bar,baz}.txt"]' - runc run test_debian - [ "$status" -eq 0 ] + runc -0 run test_debian [[ "$output" == *"=/tmp/mount-multi1/foo.txt:1000=1101="* ]] [[ "$output" == *"=/tmp/mount-multi1/bar.txt:2000=2202="* ]] [[ "$output" == *"=/tmp/mount-multi1/baz.txt:3000=3303="* ]] @@ -356,8 +342,7 @@ function setup_idmap_basic_mount() { ]' update_config '.process.args = ["bash", "-c", "stat -c =%n:%u=%g= /tmp/mount-multi1/{foo,bar,baz}.txt"]' - runc run test_debian - [ "$status" -eq 0 ] + runc -0 run test_debian [[ "$output" == *"=/tmp/mount-multi1/foo.txt:1000=1101="* ]] [[ "$output" == *"=/tmp/mount-multi1/bar.txt:2000=2202="* ]] [[ "$output" == *"=/tmp/mount-multi1/baz.txt:3000=3303="* ]] 
@@ -388,8 +373,7 @@ function setup_idmap_basic_mount() { ]' update_config '.process.args = ["bash", "-c", "stat -c =%n:%u=%g= /tmp/mount-tree{,/multi1,/multi2}/{foo,bar,baz}.txt"]' - runc run test_debian - [ "$status" -eq 0 ] + runc -0 run test_debian [[ "$output" == *"=/tmp/mount-tree/foo.txt:1000=1101="* ]] [[ "$output" == *"=/tmp/mount-tree/bar.txt:2000=2202="* ]] [[ "$output" == *"=/tmp/mount-tree/baz.txt:3000=3303="* ]] @@ -425,8 +409,7 @@ function setup_idmap_basic_mount() { ]' update_config '.process.args = ["bash", "-c", "stat -c =%n:%u=%g= /tmp/mount-tree{,/multi1,/multi2}/{foo,bar,baz}.txt"]' - runc run test_debian - [ "$status" -eq 0 ] + runc -0 run test_debian [[ "$output" == *"=/tmp/mount-tree/foo.txt:101000=101101="* ]] [[ "$output" == *"=/tmp/mount-tree/bar.txt:102000=102202="* ]] [[ "$output" == *"=/tmp/mount-tree/baz.txt:103000=103303="* ]] @@ -464,8 +447,7 @@ function setup_idmap_basic_mount() { ]' update_config '.process.args = ["bash", "-c", "stat -c =%n:%u=%g= /tmp/mount-tree{,/multi1,/multi2}/{foo,bar,baz}.txt"]' - runc run test_debian - [ "$status" -eq 0 ] + runc -0 run test_debian [[ "$output" == *"=/tmp/mount-tree/foo.txt:1000=1101="* ]] [[ "$output" == *"=/tmp/mount-tree/bar.txt:2000=2202="* ]] [[ "$output" == *"=/tmp/mount-tree/baz.txt:3000=3303="* ]] @@ -501,8 +483,7 @@ function setup_idmap_basic_mount() { ]' update_config '.process.args = ["bash", "-c", "stat -c =%n:%u=%g= /tmp/mount-tree{,/multi1,/multi2}/{foo,bar,baz}.txt"]' - runc run test_debian - [ "$status" -eq 0 ] + runc -0 run test_debian [[ "$output" == *"=/tmp/mount-tree/foo.txt:101000=101101="* ]] [[ "$output" == *"=/tmp/mount-tree/bar.txt:102000=102202="* ]] [[ "$output" == *"=/tmp/mount-tree/baz.txt:103000=103303="* ]] 
@@ -540,8 +521,7 @@ function setup_idmap_basic_mount() { ]' update_config '.process.args = ["bash", "-c", "stat -c =%n:%u=%g= /tmp/mount-tree{,/multi1,/multi2}/{foo,bar,baz}.txt"]' - runc run test_debian - [ "$status" -eq 0 ] + runc -0 run test_debian [[ "$output" == *"=/tmp/mount-tree/foo.txt:1000=1101="* ]] [[ "$output" == *"=/tmp/mount-tree/bar.txt:2000=2202="* ]] [[ "$output" == *"=/tmp/mount-tree/baz.txt:3000=3303="* ]] @@ -577,8 +557,7 @@ function setup_idmap_basic_mount() { ]' update_config '.process.args = ["bash", "-c", "stat -c =%n:%u=%g= /tmp/mount-tree{,/multi1,/multi2}/{foo,bar,baz}.txt"]' - runc run test_debian - [ "$status" -eq 0 ] + runc -0 run test_debian [[ "$output" == *"=/tmp/mount-tree/foo.txt:101000=101101="* ]] [[ "$output" == *"=/tmp/mount-tree/bar.txt:102000=102202="* ]] [[ "$output" == *"=/tmp/mount-tree/baz.txt:103000=103303="* ]] @@ -606,8 +585,7 @@ function setup_idmap_basic_mount() { ]' update_config '.process.args = ["bash", "-c", "stat -c =%n:%u=%g= /tmp/mount-tree{,/multi1,/multi2}/{foo,bar,baz}.txt"]' - runc run test_debian - [ "$status" -eq 0 ] + runc -0 run test_debian [[ "$output" == *"=/tmp/mount-tree/foo.txt:100=211="* ]] [[ "$output" == *"=/tmp/mount-tree/bar.txt:200=222="* ]] [[ "$output" == *"=/tmp/mount-tree/baz.txt:300=233="* ]] @@ -635,8 +613,7 @@ function setup_idmap_basic_mount() { ]' update_config '.process.args = ["bash", "-c", "stat -c =%n:%u=%g= /tmp/mount-tree{,/multi1,/multi2}/{foo,bar,baz}.txt"]' - runc run test_debian - [ "$status" -eq 0 ] + runc -0 run test_debian [[ "$output" == *"=/tmp/mount-tree/foo.txt:100=211="* ]] [[ "$output" == *"=/tmp/mount-tree/bar.txt:200=222="* ]] [[ "$output" == *"=/tmp/mount-tree/baz.txt:300=233="* ]] 
@@ -657,8 +634,7 @@ function setup_idmap_basic_mount() { | .linux.gidMappings += [{"containerID": 0, "hostID": 100000, "size": 65536}]' update_config '.process.args = ["sleep", "infinity"]' - runc run -d --console-socket "$CONSOLE_SOCKET" target_userns - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" target_userns # Configure our container to attach to the first container's userns. target_pid="$(__runc state target_userns | jq .pid)" @@ -677,8 +653,7 @@ function setup_idmap_basic_mount() { ]' update_config '.process.args = ["bash", "-c", "stat -c =%n:%u=%g= /tmp/mount-tree{,/multi1,/multi2}/{foo,bar,baz}.txt"]' - runc run test_debian - [ "$status" -eq 0 ] + runc -0 run test_debian [[ "$output" == *"=/tmp/mount-tree/foo.txt:100=211="* ]] [[ "$output" == *"=/tmp/mount-tree/bar.txt:200=222="* ]] [[ "$output" == *"=/tmp/mount-tree/baz.txt:300=233="* ]] diff --git a/tests/integration/ioprio.bats b/tests/integration/ioprio.bats index 9faa72d61ab..6a0da11fe4f 100644 --- a/tests/integration/ioprio.bats +++ b/tests/integration/ioprio.bats @@ -14,17 +14,14 @@ function teardown() { # Create a container with a specific I/O priority. update_config '.process.ioPriority = {"class": "IOPRIO_CLASS_BE", "priority": 4}' - runc run -d --console-socket "$CONSOLE_SOCKET" test_ioprio - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_ioprio # Check the init process. - runc exec test_ioprio ionice -p 1 - [ "$status" -eq 0 ] + runc -0 exec test_ioprio ionice -p 1 [ "${lines[0]}" = 'best-effort: prio 4' ] # Check an exec process, which should derive ioprio from config.json. - runc exec test_ioprio ionice - [ "$status" -eq 0 ] + runc -0 exec test_ioprio ionice [ "${lines[0]}" = 'best-effort: prio 4' ] # Check an exec with a priority taken from process.json, 
@@ -38,7 +35,6 @@ function teardown() { "args": [ "/usr/bin/ionice" ], "cwd": "/" }' - runc exec --process <(echo "$proc") test_ioprio - [ "$status" -eq 0 ] + runc -0 exec --process <(echo "$proc") test_ioprio [ "${lines[0]}" = 'idle' ] } diff --git a/tests/integration/kill.bats b/tests/integration/kill.bats index f8fdd328b7d..d9e1f4d9f2f 100644 --- a/tests/integration/kill.bats +++ b/tests/integration/kill.bats @@ -28,8 +28,7 @@ test_host_pidns_kill() { ) // .)' fi - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox cgpath=$(get_cgroup_path "pids") init_pid=$(cat "$cgpath"/cgroup.procs) @@ -57,8 +56,7 @@ test_host_pidns_kill() { kill -0 "$p" done - runc kill test_busybox KILL - [ "$status" -eq 0 ] + runc -0 kill test_busybox KILL # Wait and check that all processes are gone. wait_pids_gone 10 0.2 "${pids[@]}" @@ -76,26 +74,21 @@ test_host_pidns_kill() { } @test "kill detached busybox" { - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox running - runc kill test_busybox KILL - [ "$status" -eq 0 ] + runc -0 kill test_busybox KILL wait_for_container 10 1 test_busybox stopped # Check that kill errors on a stopped container. - runc kill test_busybox 0 - [ "$status" -ne 0 ] + runc ! kill test_busybox 0 [[ "$output" == *"container not running"* ]] # Check that -a (now obsoleted) makes kill return no error for a stopped container. - runc kill -a test_busybox 0 - [ "$status" -eq 0 ] + runc -0 kill -a test_busybox 0 - runc delete test_busybox - [ "$status" -eq 0 ] + runc -0 delete test_busybox } # This is roughly the same as TestPIDHostInitProcessWait in libcontainer/integration. 
@@ -136,22 +129,17 @@ test_host_pidns_kill() { @test "kill KILL [shared pidns]" { update_config '.process.args = ["sleep", "infinity"]' - runc run -d --console-socket "$CONSOLE_SOCKET" target_ctr - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" target_ctr testcontainer target_ctr running target_pid="$(__runc state target_ctr | jq .pid)" update_config '.linux.namespaces |= map(if .type == "user" or .type == "pid" then (.path = "/proc/'"$target_pid"'/ns/" + .type) else . end) | del(.linux.uidMappings) | del(.linux.gidMappings)' - runc run -d --console-socket "$CONSOLE_SOCKET" attached_ctr - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" attached_ctr testcontainer attached_ctr running - runc kill attached_ctr 9 - [ "$status" -eq 0 ] + runc -0 kill attached_ctr 9 - runc delete --force attached_ctr - [ "$status" -eq 0 ] + runc -0 delete --force attached_ctr - runc delete --force target_ctr - [ "$status" -eq 0 ] + runc -0 delete --force target_ctr } diff --git a/tests/integration/list.bats b/tests/integration/list.bats index 2d23b8afef0..85ea73a65ee 100644 --- a/tests/integration/list.bats +++ b/tests/integration/list.bats 
@@ -16,37 +16,30 @@ function teardown() { @test "list" { bundle=$(pwd) - ROOT=$ALT_ROOT runc run -d --console-socket "$CONSOLE_SOCKET" test_box1 - [ "$status" -eq 0 ] + ROOT=$ALT_ROOT runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_box1 - ROOT=$ALT_ROOT runc run -d --console-socket "$CONSOLE_SOCKET" test_box2 - [ "$status" -eq 0 ] + ROOT=$ALT_ROOT runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_box2 - ROOT=$ALT_ROOT runc run -d --console-socket "$CONSOLE_SOCKET" test_box3 - [ "$status" -eq 0 ] + ROOT=$ALT_ROOT runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_box3 - ROOT=$ALT_ROOT runc list - [ "$status" -eq 0 ] + ROOT=$ALT_ROOT runc -0 list [[ ${lines[0]} =~ ID\ +PID\ +STATUS\ +BUNDLE\ +CREATED+ ]] [[ "${lines[1]}" == *"test_box1"*[0-9]*"running"*$bundle*[0-9]* ]] [[ "${lines[2]}" == *"test_box2"*[0-9]*"running"*$bundle*[0-9]* ]] [[ "${lines[3]}" == *"test_box3"*[0-9]*"running"*$bundle*[0-9]* ]] - ROOT=$ALT_ROOT runc list -q - [ "$status" -eq 0 ] + ROOT=$ALT_ROOT runc -0 list -q [ "${lines[0]}" = "test_box1" ] [ "${lines[1]}" = "test_box2" ] [ "${lines[2]}" = "test_box3" ] - ROOT=$ALT_ROOT runc list --format table - [ "$status" -eq 0 ] + ROOT=$ALT_ROOT runc -0 list --format table [[ ${lines[0]} =~ ID\ +PID\ +STATUS\ +BUNDLE\ +CREATED+ ]] [[ "${lines[1]}" == *"test_box1"*[0-9]*"running"*$bundle*[0-9]* ]] [[ "${lines[2]}" == *"test_box2"*[0-9]*"running"*$bundle*[0-9]* ]] [[ "${lines[3]}" == *"test_box3"*[0-9]*"running"*$bundle*[0-9]* ]] - ROOT=$ALT_ROOT runc list --format json - [ "$status" -eq 0 ] + ROOT=$ALT_ROOT runc -0 list --format json [[ "${lines[0]}" == [\[][\{]"\"ociVersion\""[:]"\""*[0-9][\.]*[0-9][\.]*[0-9]*"\""[,]"\"id\""[:]"\"test_box1\""[,]"\"pid\""[:]*[0-9][,]"\"status\""[:]*"\"running\""[,]"\"bundle\""[:]*$bundle*[,]"\"rootfs\""[:]"\""*"\""[,]"\"created\""[:]*[0-9]*[\}]* ]] [[ "${lines[0]}" == 
*[,][\{]"\"ociVersion\""[:]"\""*[0-9][\.]*[0-9][\.]*[0-9]*"\""[,]"\"id\""[:]"\"test_box2\""[,]"\"pid\""[:]*[0-9][,]"\"status\""[:]*"\"running\""[,]"\"bundle\""[:]*$bundle*[,]"\"rootfs\""[:]"\""*"\""[,]"\"created\""[:]*[0-9]*[\}]* ]] [[ "${lines[0]}" == *[,][\{]"\"ociVersion\""[:]"\""*[0-9][\.]*[0-9][\.]*[0-9]*"\""[,]"\"id\""[:]"\"test_box3\""[,]"\"pid\""[:]*[0-9][,]"\"status\""[:]*"\"running\""[,]"\"bundle\""[:]*$bundle*[,]"\"rootfs\""[:]"\""*"\""[,]"\"created\""[:]*[0-9]*[\}][\]] ]] diff --git a/tests/integration/mask.bats b/tests/integration/mask.bats index 5783332ea18..7d5768f9121 100644 --- a/tests/integration/mask.bats +++ b/tests/integration/mask.bats 
@@ -18,47 +18,37 @@ function teardown() { } @test "mask paths [file]" { - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox - runc exec test_busybox cat /testfile - [ "$status" -eq 0 ] + runc -0 exec test_busybox cat /testfile [ -z "$output" ] - runc exec test_busybox rm -f /testfile - [ "$status" -eq 1 ] + runc -1 exec test_busybox rm -f /testfile [[ "${output}" == *"Read-only file system"* ]] - runc exec test_busybox umount /testfile - [ "$status" -eq 1 ] + runc -1 exec test_busybox umount /testfile [[ "${output}" == *"Operation not permitted"* ]] } @test "mask paths [directory]" { - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox - runc exec test_busybox ls /testdir - [ "$status" -eq 0 ] + runc -0 exec test_busybox ls /testdir [ -z "$output" ] - runc exec test_busybox touch /testdir/foo - [ "$status" -eq 1 ] + runc -1 exec test_busybox touch /testdir/foo [[ "${output}" == *"Read-only file system"* ]] - runc exec test_busybox rm -rf /testdir - [ "$status" -eq 1 ] + runc -1 exec test_busybox rm -rf /testdir [[ "${output}" == *"Read-only file system"* ]] - runc exec test_busybox umount /testdir - [ "$status" -eq 1 ] + runc -1 exec test_busybox umount /testdir [[ "${output}" == *"Operation not permitted"* ]] } @test "mask paths [prohibit symlink /proc]" { ln -s /symlink rootfs/proc - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 1 ] + runc -1 run -d --console-socket "$CONSOLE_SOCKET" test_busybox [[ "${output}" == *"must be mounted on ordinary directory"* ]] } 
@@ -67,8 +57,7 @@ function teardown() { requires root ln -s /symlink rootfs/sys - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 1 ] + runc -1 run -d --console-socket "$CONSOLE_SOCKET" test_busybox # On cgroup v1, this may fail before checking if /sys is a symlink, # so we merely check that it fails, and do not check the exact error # message like for /proc above. diff --git a/tests/integration/memorypolicy.bats b/tests/integration/memorypolicy.bats index 77ccd427cc9..7cb34a2b110 100644 --- a/tests/integration/memorypolicy.bats +++ b/tests/integration/memorypolicy.bats @@ -17,8 +17,7 @@ function teardown() { "mode": "MPOL_INTERLEAVE", "nodes": "0" }' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox [[ "${lines[0]}" == "interleave:0" ]] } @@ -30,8 +29,7 @@ function teardown() { "nodes": "0", "flags": ["MPOL_F_STATIC_NODES"] }' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox [[ "${lines[0]}" == "bind"*"static"*"0" ]] } @@ -42,11 +40,9 @@ function teardown() { "nodes": "0", "flags": ["MPOL_F_RELATIVE_NODES"] }' - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox - runc exec test_busybox /bin/sh -c "head -n 1 /proc/self/numa_maps | cut -d \" \" -f 2" - [ "$status" -eq 0 ] + runc -0 exec test_busybox /bin/sh -c "head -n 1 /proc/self/numa_maps | cut -d \" \" -f 2" [[ "${lines[0]}" == "prefer"*"relative"*"0" ]] } @@ -55,8 +51,7 @@ function teardown() { .process.args = ["/bin/sh", "-c", "head -n 1 /proc/self/numa_maps | cut -d \" \" -f 2"] | .linux.memoryPolicy = { }' - runc run test_busybox - [ "$status" -eq 1 ] + runc -1 run test_busybox [[ "${lines[0]}" == *"invalid memory policy"* ]] } @@ -67,8 +62,7 @@ function teardown() { "mode": "INTERLEAVE", "nodes": "0" }' - runc run test_busybox - [ "$status" -eq 1 ] + runc -1 run test_busybox [[ "${lines[0]}" == *"invalid memory policy"* ]] } 
@@ -80,8 +74,7 @@ function teardown() { "nodes": "0", "flags": ["MPOL_F_RELATIVE_NODES", "badflag"] }' - runc run test_busybox - [ "$status" -eq 1 ] + runc -1 run test_busybox [[ "${lines[0]}" == *"invalid memory policy flag"* ]] } @@ -91,8 +84,7 @@ function teardown() { | .linux.memoryPolicy = { "mode": "MPOL_DEFAULT" }' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox [[ "${lines[0]}" == *"default"* ]] } @@ -102,8 +94,7 @@ function teardown() { | .linux.memoryPolicy = { "nodes": "0-7" }' - runc run test_busybox - [ "$status" -eq 1 ] + runc -1 run test_busybox [[ "${lines[0]}" == *"invalid memory policy mode"* ]] } @@ -114,8 +105,7 @@ function teardown() { "mode": "MPOL_DEFAULT", "nodes": "0-7", }' - runc run test_busybox - [ "$status" -eq 1 ] + runc -1 run test_busybox [[ "${lines[*]}" == *"mode requires 0 nodes but got 8"* ]] } @@ -127,7 +117,6 @@ function teardown() { "nodes": "0-9876543210", "flags": [] }' - runc run test_busybox - [ "$status" -eq 1 ] + runc -1 run test_busybox [[ "${lines[0]}" == *"invalid memory policy node"* ]] } diff --git a/tests/integration/mounts.bats b/tests/integration/mounts.bats index 11fb2cfc63e..96c27084117 100644 --- a/tests/integration/mounts.bats +++ b/tests/integration/mounts.bats @@ -18,8 +18,7 @@ function test_ro_cgroup_mount() { local lines status # shellcheck disable=SC2016 update_config '.process.args |= ["sh", "-euc", "for f in `grep /sys/fs/cgroup /proc/mounts | awk \"{print \\\\$2}\"| uniq`; do test -e $f && grep -w $f /proc/mounts | tail -n1; done"]' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox [ "${#lines[@]}" -ne 0 ] for line in "${lines[@]}"; do [[ "${line}" == *'ro,'* ]]; done } 
@@ -122,8 +121,7 @@ function test_mount_order() { # Check that the entire tree was copied and the mounts were done in the # expected order. update_config '.process.args = ["cat", "/final/x/y/z/z/x/y/z/x/file"]' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox [[ "$output" == *"a/x"* ]] # the final "file" was from a/x. } @@ -140,8 +138,7 @@ function test_mount_order() { | .process.args |= ["ls", "-ld", "/dir1/dir2"]' umask 022 - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox [[ "${lines[0]}" == *'drwxrwxrwx'* ]] } @@ -153,8 +150,7 @@ function test_mount_order() { }] | .process.args |= ["ls", "/tmp/bind/config.json"]' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox [[ "${lines[0]}" == *'/tmp/bind/config.json'* ]] } @@ -168,8 +164,7 @@ function test_mount_order() { }] | .process.args |= ["grep", "^tmpfs /mnt", "/proc/mounts"]' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox [[ "${lines[0]}" == *'ro,'* ]] } @@ -178,8 +173,7 @@ function test_mount_order() { update_config ' .mounts |= map((select(.destination == "/dev") | .options += ["ro"]) // .) | .process.args |= ["grep", "^tmpfs /dev", "/proc/mounts"]' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox [[ "${lines[0]}" == *'ro,'* ]] } @@ -195,8 +189,7 @@ function test_mount_order() { options: ["ro", "nodev", "nosuid"] }] | .process.args |= ["true"]' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox } # CVE-2023-27561 CVE-2019-19921 @@ -206,8 +199,7 @@ function test_mount_order() { mkdir -p rootfs/bad-proc ln -sf /bad-proc rootfs/proc # This should fail. - runc run test_busybox - [ "$status" -ne 0 ] + runc ! run test_busybox [[ "$output" == *"must be mounted on ordinary directory"* ]] } 
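Review bot: The regression test under the `# CVE-2023-27561 CVE-2019-19921` comment (last mounts.bats hunk on this line) now reads `runc ! run test_busybox`, which accepts any non-zero exit. mask.bats asserts the same "must be mounted on ordinary directory" rejection with an exact status, `runc -1 run -d --console-socket "$CONSOLE_SOCKET" test_busybox`. If the foreground run fails the same way, `runc -1 run test_busybox` would keep the two checks consistent and stop a crash or signal exit from counting as the expected rejection. The exit code of 1 is inferred from mask.bats and should be confirmed. A short comment such as `# Must be rejected by runc itself, not fail for an unrelated reason.` would record the intent.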
@@ -224,8 +216,7 @@ function test_mount_order() { }]' update_config '.process.args |= ["true"]' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox # Verify that the setgid bit is inherited. [[ "$(stat -c %a rootfs/setgid)" == 7755 ]] diff --git a/tests/integration/mounts_propagation.bats b/tests/integration/mounts_propagation.bats index 909b0d9d514..74f0b242b6b 100644 --- a/tests/integration/mounts_propagation.bats +++ b/tests/integration/mounts_propagation.bats @@ -16,7 +16,6 @@ function teardown() { update_config ' .process.args = ["findmnt", "--noheadings", "-o", "PROPAGATION", "/"] ' - runc run test_shared_rootfs - [ "$status" -eq 0 ] + runc -0 run test_shared_rootfs [ "$output" = "shared" ] } diff --git a/tests/integration/mounts_recursive.bats b/tests/integration/mounts_recursive.bats index b3ce579fc02..db9b330574d 100644 --- a/tests/integration/mounts_recursive.bats +++ b/tests/integration/mounts_recursive.bats 
@@ -34,30 +34,24 @@ function teardown() { @test "runc run [rbind,ro mount is read-only but not recursively]" { update_config ".mounts += [{source: \"${TESTVOLUME}\" , destination: \"/mnt\", options: [\"rbind\",\"ro\"]}]" - runc run -d --console-socket "$CONSOLE_SOCKET" test_rbind_ro - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_rbind_ro - runc exec test_rbind_ro touch /mnt/foo - [ "$status" -eq 1 ] + runc -1 exec test_rbind_ro touch /mnt/foo [[ "${output}" == *"Read-only file system"* ]] - runc exec test_rbind_ro touch /mnt/subvol/bar - [ "$status" -eq 0 ] + runc -0 exec test_rbind_ro touch /mnt/subvol/bar } @test "runc run [rbind,rro mount is recursively read-only]" { requires_kernel 5.12 update_config ".mounts += [{source: \"${TESTVOLUME}\" , destination: \"/mnt\", options: [\"rbind\",\"rro\"]}]" - runc run -d --console-socket "$CONSOLE_SOCKET" test_rbind_rro - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_rbind_rro - runc exec test_rbind_rro touch /mnt/foo - [ "$status" -eq 1 ] + runc -1 exec test_rbind_rro touch /mnt/foo [[ "${output}" == *"Read-only file system"* ]] - runc exec test_rbind_rro touch /mnt/subvol/bar - [ "$status" -eq 1 ] + runc -1 exec test_rbind_rro touch /mnt/subvol/bar [[ "${output}" == *"Read-only file system"* ]] } 
@@ -65,14 +59,11 @@ function teardown() { requires_kernel 5.12 update_config ".mounts += [{source: \"${TESTVOLUME}\" , destination: \"/mnt\", options: [\"rbind\",\"ro\",\"rro\"]}]" - runc run -d --console-socket "$CONSOLE_SOCKET" test_rbind_ro_rro - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_rbind_ro_rro - runc exec test_rbind_ro_rro touch /mnt/foo - [ "$status" -eq 1 ] + runc -1 exec test_rbind_ro_rro touch /mnt/foo [[ "${output}" == *"Read-only file system"* ]] - runc exec test_rbind_ro_rro touch /mnt/subvol/bar - [ "$status" -eq 1 ] + runc -1 exec test_rbind_ro_rro touch /mnt/subvol/bar [[ "${output}" == *"Read-only file system"* ]] } diff --git a/tests/integration/mounts_sshfs.bats b/tests/integration/mounts_sshfs.bats index ad7c215c5c1..d412784fa83 100644 --- a/tests/integration/mounts_sshfs.bats +++ b/tests/integration/mounts_sshfs.bats @@ -78,16 +78,14 @@ function setup_sshfs_bind_flags() { function pass_sshfs_bind_flags() { setup_sshfs_bind_flags "$@" - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox mnt_flags="$output" } function fail_sshfs_bind_flags() { setup_sshfs_bind_flags "$@" - runc run test_busybox - [ "$status" -ne 0 ] + runc ! run test_busybox [[ "$output" == *"runc run failed: unable to start container process: error during container init: error mounting"*"operation not permitted"* ]] } diff --git a/tests/integration/netdev.bats b/tests/integration/netdev.bats index b14ad834a65..dfd5a196bdd 100644 --- a/tests/integration/netdev.bats +++ b/tests/integration/netdev.bats 
@@ -40,16 +40,14 @@ function teardown() { update_config ' .linux.netDevices |= {"dummy0": {} } | .process.args |= ["ip", "address", "show", "dev", "dummy0"]' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox } @test "move network device to container network namespace and restore it back" { setup_netns update_config ' .linux.netDevices |= {"dummy0": {} }' - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox # The network namespace owner controls the lifecycle of the interface. # The interface should remain on the namespace after the container was killed. @@ -67,8 +65,7 @@ function teardown() { update_config ' .linux.netDevices |= {"dummy0": {} } | .process.args |= ["ip", "address", "show", "dev", "dummy0"]' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox # Verify the interface is still present in the network namespace. ip netns exec "$ns_name" ip address show dev dummy0 @@ -86,8 +83,7 @@ function teardown() { ip link set down dev dummy0 ip address add "$global_ip" dev dummy0 - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox [[ "$output" == *"$global_ip "* ]] # Verify the interface is still present in the network namespace. @@ -107,8 +103,7 @@ function teardown() { ip link set down dev dummy0 ip address add "$non_global_ip" dev dummy0 - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox [[ "$output" != *" $non_global_ip "* ]] # Verify the interface is still present in the network namespace. @@ -124,8 +119,7 @@ function teardown() { # Set a custom mtu to the interface. ip link set mtu "$mtu_value" dev dummy0 - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox [[ "$output" == *"mtu $mtu_value "* ]] # Verify the interface is still present in the network namespace. 
@@ -142,8 +136,7 @@ function teardown() { # set a custom mac address to the interface ip link set address "$mac_address" dev dummy0 - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox [[ "$output" == *"ether $mac_address "* ]] # Verify the interface is still present in the network namespace. @@ -156,8 +149,7 @@ function teardown() { update_config ' .linux.netDevices |= { "dummy0": { "name" : "ctr_dummy0" } } | .process.args |= ["ip", "address", "show", "dev", "ctr_dummy0"]' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox # Verify the interface is still present in the network namespace. ip netns exec "$ns_name" ip address show dev ctr_dummy0 @@ -179,8 +171,7 @@ function teardown() { # Set a custom ip address to the interface. ip address add "$global_ip" dev dummy0 - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox [[ "$output" == *" $global_ip "* ]] [[ "$output" == *"ether $mac_address "* ]] [[ "$output" == *"mtu $mtu_value "* ]] diff --git a/tests/integration/no_pivot.bats b/tests/integration/no_pivot.bats index 30dbe7f73dc..08564dd8e65 100644 --- a/tests/integration/no_pivot.bats +++ b/tests/integration/no_pivot.bats @@ -17,7 +17,6 @@ function teardown() { | .process.capabilities.bounding += ["CAP_SETFCAP"] | .process.capabilities.permitted += ["CAP_SETFCAP"]' - runc run --no-pivot test_no_pivot - [ "$status" -eq 1 ] + runc -1 run --no-pivot test_no_pivot [[ "$output" == *"mount: permission denied"* ]] } diff --git a/tests/integration/pause.bats b/tests/integration/pause.bats index 398788c2382..833812389c1 100644 --- a/tests/integration/pause.bats +++ b/tests/integration/pause.bats 
@@ -17,18 +17,15 @@ function teardown() { set_cgroups_path fi - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox running - runc pause test_busybox - [ "$status" -eq 0 ] + runc -0 pause test_busybox testcontainer test_busybox paused - runc resume test_busybox - [ "$status" -eq 0 ] + runc -0 resume test_busybox testcontainer test_busybox running } @@ -40,27 +37,21 @@ function teardown() { set_cgroups_path fi - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox running - runc pause test_busybox - [ "$status" -eq 0 ] - runc pause nonexistent - [ "$status" -ne 0 ] + runc -0 pause test_busybox + runc ! pause nonexistent testcontainer test_busybox paused - runc resume test_busybox - [ "$status" -eq 0 ] - runc resume nonexistent - [ "$status" -ne 0 ] + runc -0 resume test_busybox + runc ! resume nonexistent testcontainer test_busybox running runc delete --force test_busybox - runc state test_busybox - [ "$status" -ne 0 ] + runc ! state test_busybox } diff --git a/tests/integration/personality.bats b/tests/integration/personality.bats index 94e2ac1b25e..08513dd6b4a 100644 --- a/tests/integration/personality.bats +++ b/tests/integration/personality.bats @@ -19,8 +19,7 @@ function teardown() { "flags": [] }' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox [[ "$output" == *"i686"* ]] } @@ -30,10 +29,8 @@ function teardown() { "domain": "LINUX32", }' - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] - runc exec test_busybox /bin/sh -c "uname -a" - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox + runc -0 exec test_busybox /bin/sh -c "uname -a" [[ "$output" == *"i686"* ]] } 
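Review bot: In the second pause.bats hunk, `runc delete --force test_busybox` stays a bare call while every neighbouring call gained a status flag, so a failing delete is only reported indirectly by the following `runc ! state test_busybox`. Writing it as `runc -0 delete --force test_busybox` would fail at the delete itself and, going by the commit description, show the command and its output. The same applies to the two bare `runc delete test_run_keep` calls in run.bats and to `runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox` in the last seccomp-notify.bats hunk, whose sibling test was converted to `runc -0 run -d`. The wrapper is not visible in this part of the patch, so a bare call is assumed to leave the status unchecked, as bats' `run` does.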
@@ -45,8 +42,7 @@ function teardown() { "flags": [] }' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox [[ "$output" == *"x86_64"* ]] } @@ -56,10 +52,8 @@ function teardown() { "domain": "LINUX", }' - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] - runc exec test_busybox /bin/sh -c "uname -a" - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox + runc -0 exec test_busybox /bin/sh -c "uname -a" [[ "$output" == *"x86_64"* ]] } @@ -74,9 +68,7 @@ function teardown() { "syscalls":[{"names":["personality"], "action":"SCMP_ACT_ERRNO"}] }' - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] - runc exec test_busybox /bin/sh -c "uname -a" - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox + runc -0 exec test_busybox /bin/sh -c "uname -a" [[ "$output" == *"x86_64"* ]] } diff --git a/tests/integration/pidfd-socket.bats b/tests/integration/pidfd-socket.bats index 5dbd8660bb8..66534a68170 100644 --- a/tests/integration/pidfd-socket.bats +++ b/tests/integration/pidfd-socket.bats @@ -17,8 +17,7 @@ function teardown() { @test "runc create [ --pidfd-socket ] " { setup_pidfd_kill "SIGTERM" - runc create --console-socket "$CONSOLE_SOCKET" --pidfd-socket "${PIDFD_SOCKET}" test_pidfd - [ "$status" -eq 0 ] + runc -0 create --console-socket "$CONSOLE_SOCKET" --pidfd-socket "${PIDFD_SOCKET}" test_pidfd testcontainer test_pidfd created pidfd_kill @@ -28,8 +27,7 @@ function teardown() { @test "runc run [ --pidfd-socket ] " { setup_pidfd_kill "SIGKILL" - runc run -d --console-socket "$CONSOLE_SOCKET" --pidfd-socket "${PIDFD_SOCKET}" test_pidfd - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" --pidfd-socket "${PIDFD_SOCKET}" test_pidfd testcontainer test_pidfd running pidfd_kill 
@@ -41,8 +39,7 @@ function teardown() { set_cgroups_path - runc run -d --console-socket "$CONSOLE_SOCKET" test_pidfd - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_pidfd testcontainer test_pidfd running # Use sub-cgroup to ensure that exec process has been killed @@ -70,8 +67,7 @@ function teardown() { set_cgroups_path - runc run -d --console-socket "$CONSOLE_SOCKET" test_pidfd - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_pidfd testcontainer test_pidfd running # Use sub-cgroup to ensure that exec process has been killed diff --git a/tests/integration/ps.bats b/tests/integration/ps.bats index b63260f83ca..0e2cd7e0f80 100644 --- a/tests/integration/ps.bats +++ b/tests/integration/ps.bats @@ -11,8 +11,7 @@ function setup() { # Rootless does not have default cgroup path. [ $EUID -ne 0 ] && set_cgroups_path - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox running } @@ -21,33 +20,27 @@ function teardown() { } @test "ps" { - runc ps test_busybox - [ "$status" -eq 0 ] + runc -0 ps test_busybox [[ "$output" =~ UID\ +PID\ +PPID\ +C\ +STIME\ +TTY\ +TIME\ +CMD+ ]] [[ "$output" == *"$(id -un 2>/dev/null)"*[0-9]* ]] } @test "ps -f json" { - runc ps -f json test_busybox - [ "$status" -eq 0 ] + runc -0 ps -f json test_busybox [[ "$output" =~ [0-9]+ ]] } @test "ps -e -x" { - runc ps test_busybox -e -x - [ "$status" -eq 0 ] + runc -0 ps test_busybox -e -x [[ "$output" =~ \ +PID\ +TTY\ +STAT\ +TIME\ +COMMAND+ ]] [[ "$output" =~ [0-9]+ ]] } @test "ps after the container stopped" { - runc ps test_busybox - [ "$status" -eq 0 ] + runc -0 ps test_busybox - runc kill test_busybox KILL - [ "$status" -eq 0 ] + runc -0 kill test_busybox KILL wait_for_container 10 1 test_busybox stopped - runc ps test_busybox - [ "$status" -eq 0 ] + runc -0 ps test_busybox } 
diff --git a/tests/integration/rlimits.bats b/tests/integration/rlimits.bats index 356a7871069..af2749f9504 100644 --- a/tests/integration/rlimits.bats +++ b/tests/integration/rlimits.bats @@ -22,8 +22,7 @@ function run_check_nofile() { update_config ".process.rlimits = [{\"type\": \"RLIMIT_NOFILE\", \"soft\": ${soft}, \"hard\": ${hard}}]" update_config '.process.args = ["/bin/sh", "-c", "ulimit -n; ulimit -H -n"]' - runc run test_rlimit - [ "$status" -eq 0 ] + runc -0 run test_rlimit [[ "${lines[0]}" == "${soft}" ]] [[ "${lines[1]}" == "${hard}" ]] } @@ -36,11 +35,9 @@ function exec_check_nofile() { hard="$2" update_config ".process.rlimits = [{\"type\": \"RLIMIT_NOFILE\", \"soft\": ${soft}, \"hard\": ${hard}}]" - runc run -d --console-socket "$CONSOLE_SOCKET" test_rlimit - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_rlimit - runc exec test_rlimit /bin/sh -c "ulimit -n; ulimit -H -n" - [ "$status" -eq 0 ] + runc -0 exec test_rlimit /bin/sh -c "ulimit -n; ulimit -H -n" [[ "${lines[0]}" == "${soft}" ]] [[ "${lines[1]}" == "${hard}" ]] } diff --git a/tests/integration/root.bats b/tests/integration/root.bats index 68bdf5e76cc..f839dee6b67 100644 --- a/tests/integration/root.bats +++ b/tests/integration/root.bats 
@@ -16,36 +16,26 @@ function teardown() { @test "global --root" { # run busybox detached using $ALT_ROOT for state - ROOT=$ALT_ROOT runc run -d --console-socket "$CONSOLE_SOCKET" test_dotbox - [ "$status" -eq 0 ] + ROOT=$ALT_ROOT runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_dotbox # run busybox detached in default root - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox - runc state test_busybox - [ "$status" -eq 0 ] + runc -0 state test_busybox [[ "${output}" == *"running"* ]] - ROOT=$ALT_ROOT runc state test_dotbox - [ "$status" -eq 0 ] + ROOT=$ALT_ROOT runc -0 state test_dotbox [[ "${output}" == *"running"* ]] - ROOT=$ALT_ROOT runc state test_busybox - [ "$status" -ne 0 ] + ROOT=$ALT_ROOT runc ! state test_busybox - runc state test_dotbox - [ "$status" -ne 0 ] + runc ! state test_dotbox - runc kill test_busybox KILL - [ "$status" -eq 0 ] + runc -0 kill test_busybox KILL wait_for_container 10 1 test_busybox stopped - runc delete test_busybox - [ "$status" -eq 0 ] + runc -0 delete test_busybox - ROOT=$ALT_ROOT runc kill test_dotbox KILL - [ "$status" -eq 0 ] + ROOT=$ALT_ROOT runc -0 kill test_dotbox KILL ROOT=$ALT_ROOT wait_for_container 10 1 test_dotbox stopped - ROOT=$ALT_ROOT runc delete test_dotbox - [ "$status" -eq 0 ] + ROOT=$ALT_ROOT runc -0 delete test_dotbox } diff --git a/tests/integration/run.bats b/tests/integration/run.bats index d1143cfea32..d760440c16d 100644 --- a/tests/integration/run.bats +++ b/tests/integration/run.bats 
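Review bot: `ROOT=$ALT_ROOT runc ! state test_busybox` and `runc ! state test_dotbox` are the only assertions that the two state roots do not see each other's containers, and `!` passes on any non-zero exit, including a crash or an unrelated error. Following each with a message check, for example `[[ "$output" == *"<expected not-found text>"* ]]` (placeholder; take the wording from runc's actual error), would pin the failure to the intended cause, as kill.bats does with "container not running". The `runc ! pause nonexistent`, `runc ! resume nonexistent` and `runc ! state ...` calls in pause.bats and run.bats have the same gap.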
@@ -12,26 +12,21 @@ function teardown() { } @test "runc run" { - runc run test_hello - [ "$status" -eq 0 ] + runc -0 run test_hello - runc state test_hello - [ "$status" -ne 0 ] + runc ! state test_hello } @test "runc run --keep" { - runc run --keep test_run_keep - [ "$status" -eq 0 ] + runc -0 run --keep test_run_keep testcontainer test_run_keep stopped - runc state test_run_keep - [ "$status" -eq 0 ] + runc -0 state test_run_keep runc delete test_run_keep - runc state test_run_keep - [ "$status" -ne 0 ] + runc ! state test_run_keep } @test "runc run --keep (check cgroup exists)" { @@ -41,21 +36,18 @@ function teardown() { set_cgroups_path - runc run --keep test_run_keep - [ "$status" -eq 0 ] + runc -0 run --keep test_run_keep testcontainer test_run_keep stopped - runc state test_run_keep - [ "$status" -eq 0 ] + runc -0 state test_run_keep # check that cgroup exists check_cgroup_value "pids.max" "max" runc delete test_run_keep - runc state test_run_keep - [ "$status" -ne 0 ] + runc ! state test_run_keep } @test "runc run [hostname domainname]" { @@ -63,17 +55,14 @@ function teardown() { | .hostname = "myhostname" | .domainname= "mydomainname"' - runc run -d --console-socket "$CONSOLE_SOCKET" test_utc - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_utc # test hostname - runc exec test_utc hostname - [ "$status" -eq 0 ] + runc -0 exec test_utc hostname [[ "${lines[0]}" == *'myhostname'* ]] # test domainname - runc exec test_utc cat /proc/sys/kernel/domainname - [ "$status" -eq 0 ] + runc -0 exec test_utc cat /proc/sys/kernel/domainname [[ "${lines[0]}" == *'mydomainname'* ]] } @@ -87,8 +76,7 @@ function teardown() { update_config '.process.args = ["sh", "-c", "stat -c %A /tmp"]' update_config '.mounts += [{"destination": "/tmp", "type": "tmpfs", "source": "tmpfs", "options":["noexec","nosuid","nodev","rprivate"]}]' - runc run test_tmpfs - [ "$status" -eq 0 ] + runc -0 run test_tmpfs [ "${lines[0]}" = "$mode" ] } 
@@ -97,35 +85,30 @@ function teardown() { update_config '.mounts += [{"destination": "/tmp/test", "type": "tmpfs", "source": "tmpfs", "options": ["mode=0444"]}]' # Directory is to be created by runc. - runc run test_tmpfs - [ "$status" -eq 0 ] + runc -0 run test_tmpfs [ "${lines[0]}" = "444" ] # Run a 2nd time with the pre-existing directory. # Ref: https://github.com/opencontainers/runc/issues/3911 - runc run test_tmpfs - [ "$status" -eq 0 ] + runc -0 run test_tmpfs [ "${lines[0]}" = "444" ] # Existing directory, custom perms, no mode on the mount, # so it should use the directory's perms. update_config '.mounts[-1].options = []' chmod 0710 rootfs/tmp/test - runc run test_tmpfs - [ "$status" -eq 0 ] + runc -0 run test_tmpfs [ "${lines[0]}" = "710" ] # Add back the mode on the mount, and it should use that instead. # Just for fun, use different perms than was used earlier. update_config '.mounts[-1].options = ["mode=0410"]' - runc run test_tmpfs - [ "$status" -eq 0 ] + runc -0 run test_tmpfs [ "${lines[0]}" = "410" ] } @test "runc run [/proc/self/exe clone]" { - runc --debug run test_hello - [ "$status" -eq 0 ] + runc -0 --debug run test_hello [[ "$output" = *"Hello World"* ]] [[ "$output" = *"runc exeseal: using /proc/self/exe clone"* ]] # runc will use fsopen("overlay") if it can. @@ -153,8 +136,7 @@ function teardown() { }' update_config '.process.args = ["sleep", "infinity"]' - runc run -d --console-socket "$CONSOLE_SOCKET" target_ctr - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" target_ctr # Modify our container's configuration such that it is just going to # inherit all of the namespaces of the target container. 
@@ -173,25 +155,21 @@ function teardown() { # Remove the userns and timens configuration (they cannot be changed). update_config '.linux |= (del(.uidMappings) | del(.gidMappings) | del(.timeOffsets))' - runc run -d --console-socket "$CONSOLE_SOCKET" attached_ctr - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" attached_ctr # Make sure there are two sleep processes in our container. - runc exec attached_ctr ps aux - [ "$status" -eq 0 ] + runc -0 exec attached_ctr ps aux run -0 grep "sleep infinity" <<<"$output" [ "${#lines[@]}" -eq 2 ] # ... that the userns mappings are the same... - runc exec attached_ctr cat /proc/self/uid_map - [ "$status" -eq 0 ] + runc -0 exec attached_ctr cat /proc/self/uid_map if [ $EUID -eq 0 ]; then grep -E '^\s+0\s+100000\s+100$' <<<"$output" else grep -E '^\s+0\s+'$EUID'\s+1$' <<<"$output" fi - runc exec attached_ctr cat /proc/self/gid_map - [ "$status" -eq 0 ] + runc -0 exec attached_ctr cat /proc/self/gid_map if [ $EUID -eq 0 ]; then grep -E '^\s+0\s+200000\s+200$' <<<"$output" else @@ -211,8 +189,7 @@ sh EOF chmod +x rootfs/run.sh update_config '.process.args = [ "/run.sh" ]' - runc run test_hello - [ "$status" -ne 0 ] + runc ! run test_hello # After the sync socket closed, we should not send error to parent # process, or else we will get a unnecessary error log(#4171). @@ -231,7 +208,6 @@ EOF | .process.user.uid = 2000 | .process.args |= ["sh", "-c", "echo $HOME"]' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox [ "${lines[0]}" = "/home/tempuser" ] } diff --git a/tests/integration/scheduler.bats b/tests/integration/scheduler.bats index 853f36f60c6..155d16ac69e 100644 --- a/tests/integration/scheduler.bats +++ b/tests/integration/scheduler.bats 
@@ -18,18 +18,15 @@ function teardown() { "nice": 19 }' - runc run -d --console-socket "$CONSOLE_SOCKET" test_scheduler - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_scheduler # Check init settings. - runc exec test_scheduler chrt -p 1 - [ "$status" -eq 0 ] + runc -0 exec test_scheduler chrt -p 1 [[ "${lines[0]}" == *"scheduling policy: SCHED_BATCH" ]] [[ "${lines[1]}" == *"priority: 0" ]] # Check exec settings derived from config.json. - runc exec test_scheduler sh -c 'chrt -p $$' - [ "$status" -eq 0 ] + runc -0 exec test_scheduler sh -c 'chrt -p $$' [[ "${lines[0]}" == *"scheduling policy: SCHED_BATCH" ]] [[ "${lines[1]}" == *"priority: 0" ]] @@ -71,7 +68,6 @@ function teardown() { update_config ' .linux.resources.cpu.cpus = "0" | .process.scheduler = {"policy": "SCHED_DEADLINE", "nice": 19, "runtime": 42000, "deadline": 1000000, "period": 1000000, }' - runc run -d --console-socket "$CONSOLE_SOCKET" test_scheduler - [ "$status" -eq 1 ] + runc -1 run -d --console-socket "$CONSOLE_SOCKET" test_scheduler [[ "$output" == *"process scheduler can't be used together with AllowedCPUs"* ]] } diff --git a/tests/integration/seccomp-notify-compat.bats b/tests/integration/seccomp-notify-compat.bats index 6ca3449bffa..cc3d2a0feac 100644 --- a/tests/integration/seccomp-notify-compat.bats +++ b/tests/integration/seccomp-notify-compat.bats @@ -29,7 +29,6 @@ function teardown() { "syscalls": [{ "names": [ "mkdir" ], "action": "SCMP_ACT_NOTIFY" }] }' - runc run test_busybox - [ "$status" -ne 0 ] + runc ! run test_busybox [[ "$output" == *"seccomp notify unsupported:"* ]] } diff --git a/tests/integration/seccomp-notify.bats b/tests/integration/seccomp-notify.bats index b6992e5752a..a6228e859ff 100644 --- a/tests/integration/seccomp-notify.bats +++ b/tests/integration/seccomp-notify.bats 
@@ -46,16 +46,14 @@ function scmp_act_notify_template() { @test "runc run [seccomp] (SCMP_ACT_NOTIFY noNewPrivileges false)" { scmp_act_notify_template "mkdir /dev/shm/foo && stat /dev/shm/foo-bar" false '"mkdir"' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox } # Test basic actions handled by the agent work fine. noNewPrivileges TRUE. @test "runc run [seccomp] (SCMP_ACT_NOTIFY noNewPrivileges true)" { scmp_act_notify_template "mkdir /dev/shm/foo && stat /dev/shm/foo-bar" true '"mkdir"' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox } # Test actions not-handled by the agent work fine. noNewPrivileges FALSE. @@ -64,11 +62,9 @@ function scmp_act_notify_template() { scmp_act_notify_template "sleep infinity" false '"mkdir"' - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox - runc exec test_busybox /bin/sh -c "mkdir /dev/shm/foo && stat /dev/shm/foo-bar" - [ "$status" -eq 0 ] + runc -0 exec test_busybox /bin/sh -c "mkdir /dev/shm/foo && stat /dev/shm/foo-bar" } # Test actions not-handled by the agent work fine. noNewPrivileges TRUE. @@ -78,8 +74,7 @@ function scmp_act_notify_template() { scmp_act_notify_template "sleep infinity" true '"mkdir"' runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - runc exec test_busybox /bin/sh -c "mkdir /dev/shm/foo && stat /dev/shm/foo-bar" - [ "$status" -eq 0 ] + runc -0 exec test_busybox /bin/sh -c "mkdir /dev/shm/foo && stat /dev/shm/foo-bar" } # Test important syscalls (some might be executed by runc) work fine when handled by the agent. noNewPrivileges FALSE. 
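Review bot: In the `@@ -78,8 +74,7 @@` hunk the context line `runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox` keeps no status check, while the same line in the noNewPrivileges-false twin in the preceding hunk becomes `runc -0 run -d ...`. A failed start would then surface only indirectly through the following `runc -0 exec`, with the wrong command named in the failure. I would write it as `runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox` here as well. The 3/3 diffstat lists a one-line change to seccomp-notify.bats that may already be this, but that hunk is not shown here; the test body starts outside this hunk.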
@@ -87,16 +82,14 @@ function scmp_act_notify_template() { @test "runc run [seccomp] (SCMP_ACT_NOTIFY important syscalls noNewPrivileges false)" { scmp_act_notify_template "/bin/true" false '"execve","openat","open","read","close","fcntl"' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox } # Test important syscalls (some might be executed by runc) work fine when handled by the agent. noNewPrivileges TRUE. @test "runc run [seccomp] (SCMP_ACT_NOTIFY important syscalls noNewPrivileges true)" { scmp_act_notify_template "/bin/true" true '"execve","openat","open","read","close","fcntl"' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox } # Ignore listenerPath if the profile doesn't use seccomp notify actions. @@ -108,8 +101,7 @@ function scmp_act_notify_template() { "listenerMetadata": "bar", }' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox } # Ensure listenerPath is present if the profile uses seccomp notify actions. @@ -117,8 +109,7 @@ function scmp_act_notify_template() { scmp_act_notify_template "/bin/true" false '"mkdir"' update_config '.linux.seccomp.listenerPath = ""' - runc run test_busybox - [ "$status" -ne 0 ] + runc ! run test_busybox } # Test using an invalid socket (none listening) as listenerPath fails. @@ -126,8 +117,7 @@ function scmp_act_notify_template() { scmp_act_notify_template "/bin/true" false '"mkdir"' update_config '.linux.seccomp.listenerPath = "/some-non-existing-listener-path.sock"' - runc run test_busybox - [ "$status" -ne 0 ] + runc ! run test_busybox } # Test using an invalid abstract socket as listenerPath fails. @@ -135,8 +125,7 @@ function scmp_act_notify_template() { scmp_act_notify_template "/bin/true" false '"mkdir"' update_config '.linux.seccomp.listenerPath = "@mysocketishere"' - runc run test_busybox - [ "$status" -ne 0 ] + runc ! run test_busybox } # Check that killing the seccompagent doesn't block syscalls in 
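Review bot: The three listenerPath tests in hunks `@@ -117,8 +109,7 @@`, `@@ -126,8 +117,7 @@` and `@@ -135,8 +125,7 @@` end at `runc ! run test_busybox` with no check on `$output`, so they pass on any non-zero exit rather than only when runc refuses the listener path. For tests meant to prove that an unusable seccomp-notify configuration is rejected, a start that fails for an unrelated reason (a broken bundle or rootfs, say) would be reported as a pass. Other tests in this file pin the reason, e.g. `[[ "$output" == *"failed to connect with seccomp agent"* ]]`; a similar match on the message runc prints for each case would close the gap, though the exact strings are not visible here. The same applies to the bare `runc ! run test_busybox` in the SCMP_ACT_KILL test in seccomp.bats, the CAP_DAC_OVERRIDE sanity check in start_hello.bats and the first timens.bats hunk. Each of these tests starts outside its hunk.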
@@ -145,8 +134,7 @@ function scmp_act_notify_template() { scmp_act_notify_template "sleep 4 && mkdir /dev/shm/foo" false '"mkdir"' sleep 2 && teardown_seccompagent & - runc run test_busybox - [ "$status" -ne 0 ] + runc ! run test_busybox [[ "$output" == *"mkdir:"*"/dev/shm/foo"*"Function not implemented"* ]] } @@ -156,8 +144,7 @@ function scmp_act_notify_template() { scmp_act_notify_template "/bin/true" false '"mkdir"' - runc run test_busybox - [ "$status" -ne 0 ] + runc ! run test_busybox [[ "$output" == *"failed to connect with seccomp agent"* ]] } @@ -165,8 +152,7 @@ function scmp_act_notify_template() { @test "runc run [seccomp] (SCMP_ACT_NOTIFY error chmod)" { scmp_act_notify_template "touch /dev/shm/foo && chmod 777 /dev/shm/foo" false '"chmod", "fchmod", "fchmodat"' - runc run test_busybox - [ "$status" -ne 0 ] + runc ! run test_busybox [[ "$output" == *"chmod:"*"/dev/shm/foo"*"No medium found"* ]] } @@ -174,8 +160,7 @@ function scmp_act_notify_template() { @test "runc run [seccomp] (SCMP_ACT_NOTIFY write)" { scmp_act_notify_template "/bin/true" false '"write"' - runc run test_busybox - [ "$status" -ne 0 ] + runc ! run test_busybox [[ "$output" == *"SCMP_ACT_NOTIFY cannot be used for the write syscall"* ]] } @@ -206,8 +191,7 @@ function scmp_act_notify_template() { } ] }' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox } # Check that example config in the seccomp agent dir works. @@ -220,8 +204,6 @@ function scmp_act_notify_template() { # seccomp agent. However, inside bats the socket is in a bats tmp dir. update_config '.linux.seccomp.listenerPath = "'"$SECCCOMP_AGENT_SOCKET"'"' - runc run test_busybox - - [ "$status" -eq 0 ] + runc -0 run test_busybox [[ "$output" == *"chmod:"*"test-file"*"No medium found"* ]] } diff --git a/tests/integration/seccomp.bats b/tests/integration/seccomp.bats index 748dbd2bfca..a36930b7f0a 100644 --- a/tests/integration/seccomp.bats +++ b/tests/integration/seccomp.bats 
@@ -18,8 +18,7 @@ function teardown() { update_config ".linux.seccomp = $(<"${TESTDATA}/${TEST_NAME}.json")" update_config '.process.args = ["/seccomp_test"]' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox } @test "runc run [seccomp defaultErrnoRet=ENXIO]" { @@ -30,8 +29,7 @@ function teardown() { update_config ".linux.seccomp = $(<"${TESTDATA}/${TEST_NAME}.json")" update_config '.process.args = ["/seccomp_test2"]' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox } # TODO: @@ -47,8 +45,7 @@ function teardown() { "syscalls":[{"names":["mkdir","mkdirat"], "action":"SCMP_ACT_ERRNO"}] }' - runc run test_busybox - [ "$status" -ne 0 ] + runc ! run test_busybox [[ "$output" == *"mkdir:"*"/dev/shm/foo"*"Operation not permitted"* ]] } @@ -61,8 +58,7 @@ function teardown() { "syscalls":[{"names":["mkdir","mkdirat"], "action":"SCMP_ACT_ERRNO", "errnoRet": 100}] }' - runc run test_busybox - [ "$status" -ne 0 ] + runc ! run test_busybox [[ "$output" == *"Network is down"* ]] } @@ -141,8 +137,7 @@ function flags_value() { ;; esac - runc --debug run test_busybox - [ "$status" -ne 0 ] + runc ! --debug run test_busybox [[ "$output" == *"mkdir:"*"/dev/shm/foo"*"Operation not permitted"* ]] # Check the numeric flags value, as printed in the debug log, is as expected. @@ -161,8 +156,7 @@ function flags_value() { "syscalls":[{"names":["mkdir","mkdirat"], "action":"SCMP_ACT_KILL"}] }' - runc run test_busybox - [ "$status" -ne 0 ] + runc ! run test_busybox } # check that a startContainer hook is run with the seccomp filters applied @@ -180,8 +174,7 @@ function flags_value() { } ] }' - runc run test_busybox - [ "$status" -ne 0 ] + runc ! run test_busybox [[ "$output" == *"error running startContainer hook"* ]] [[ "$output" == *"bad system call"* ]] } diff --git a/tests/integration/selinux.bats b/tests/integration/selinux.bats index 66665c45059..7ae33b59b1d 100644 --- a/tests/integration/selinux.bats +++ b/tests/integration/selinux.bats 
@@ -40,8 +40,7 @@ function run_check_label() { LABEL="system_u:system_r:container_t:s0:c4,c5" update_config ' .process.selinuxLabel |= "'"$LABEL"'" | .process.args = ["/bin/'"$HELPER"'"]' - runc run tst - [ "$status" -eq 0 ] + runc -0 run tst # Key name is _ses.$CONTAINER_NAME. KEY=_ses.tst [ "$output" == "$KEY $LABEL" ] @@ -56,11 +55,9 @@ function exec_check_label() { LABEL="system_u:system_r:container_t:s0:c4,c5" update_config ' .process.selinuxLabel |= "'"$LABEL"'" | .process.args = ["/bin/sh"]' - runc run -d --console-socket "$CONSOLE_SOCKET" tst - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" tst - runc exec tst "/bin/$HELPER" - [ "$status" -eq 0 ] + runc -0 exec tst "/bin/$HELPER" # Key name is _ses.$CONTAINER_NAME. KEY=_ses.tst [ "$output" == "$KEY $LABEL" ] @@ -76,15 +73,13 @@ function enable_userns() { # Baseline test, to check that runc works with selinux enabled. @test "runc run (no selinux label)" { update_config ' .process.args = ["/bin/true"]' - runc run tst - [ "$status" -eq 0 ] + runc -0 run tst } @test "runc run (custom selinux label)" { update_config ' .process.selinuxLabel |= "system_u:system_r:container_t:s0:c4,c5" | .process.args = ["/bin/true"]' - runc run tst - [ "$status" -eq 0 ] + runc -0 run tst } @test "runc run (session keyring security label)" { diff --git a/tests/integration/spec.bats b/tests/integration/spec.bats index 999e3b8c940..0fb3c94ef18 100644 --- a/tests/integration/spec.bats +++ b/tests/integration/spec.bats @@ -12,13 +12,11 @@ function teardown() { } @test "spec generation cwd" { - runc run test_hello - [ "$status" -eq 0 ] + runc -0 run test_hello } @test "spec generation --bundle" { - runc run --bundle "$(pwd)" test_hello - [ "$status" -eq 0 ] + runc -0 run --bundle "$(pwd)" test_hello } @test "spec validator" { diff --git a/tests/integration/start_detached.bats b/tests/integration/start_detached.bats index 25a5f364205..ad1c5a03613 100644 --- a/tests/integration/start_detached.bats 
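Review bot: After `runc -0 run tst` in `run_check_label` and `runc -0 exec tst "/bin/$HELPER"` in `exec_check_label`, a label mismatch fails on `[ "$output" == "$KEY $LABEL" ]` without showing what the helper actually printed. Per the commit description the wrapper no longer shows the output of successful commands, and for a keyring security-label check the observed value is what one needs from the CI log. I would print it on the failure path, e.g. `[ "$output" == "$KEY $LABEL" ] || { echo "got: $output"; false; }`. Both function bodies start outside their hunks.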
+++ b/tests/integration/start_detached.bats @@ -11,8 +11,7 @@ function teardown() { } @test "runc run detached" { - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox running } @@ -25,15 +24,13 @@ function teardown() { update_config ' (.. | select(.uid? == 0)) .uid |= 1000 | (.. | select(.gid? == 0)) .gid |= 100' - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox running } @test "runc run detached --pid-file" { - runc run --pid-file pid.txt -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run --pid-file pid.txt -d --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox running @@ -46,8 +43,7 @@ function teardown() { mkdir pid_file cd pid_file - runc run --pid-file pid.txt -d -b "$bundle" --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run --pid-file pid.txt -d -b "$bundle" --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox running diff --git a/tests/integration/start_hello.bats b/tests/integration/start_hello.bats index 77cd5dcd1ae..8a8d6d23686 100644 --- a/tests/integration/start_hello.bats +++ b/tests/integration/start_hello.bats @@ -12,8 +12,7 @@ function teardown() { } @test "runc run" { - runc run test_hello - [ "$status" -eq 0 ] + runc -0 run test_hello [[ "${output}" == *"Hello"* ]] } @@ -26,8 +25,7 @@ function teardown() { update_config ' (.. | select(.uid? == 0)) .uid |= 1000 | (.. | select(.gid? == 0)) .gid |= 100' - runc run test_hello - [ "$status" -eq 0 ] + runc -0 run test_hello [[ "${output}" == *"Hello"* ]] } 
@@ -46,8 +44,7 @@ function teardown() { | (.. | select(.gid? == 0)) .gid |= 100' # Sanity check: make sure we can't run the container w/o CAP_DAC_OVERRIDE. - runc run test_busybox - [ "$status" -ne 0 ] + runc ! run test_busybox # Enable CAP_DAC_OVERRIDE. update_config ' .process.capabilities.bounding += ["CAP_DAC_OVERRIDE"] @@ -56,8 +53,7 @@ function teardown() { | .process.capabilities.ambient += ["CAP_DAC_OVERRIDE"] | .process.capabilities.permitted += ["CAP_DAC_OVERRIDE"]' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox } @test "runc run with rootfs set to ." { @@ -66,14 +62,12 @@ function teardown() { cd rootfs update_config '(.. | select(. == "rootfs")) |= "."' - runc run test_hello - [ "$status" -eq 0 ] + runc -0 run test_hello [[ "${output}" == *"Hello"* ]] } @test "runc run --pid-file" { - runc run --pid-file pid.txt test_hello - [ "$status" -eq 0 ] + runc -0 run --pid-file pid.txt test_hello [[ "${output}" == *"Hello"* ]] [ -e pid.txt ] @@ -93,8 +87,7 @@ function teardown() { | .options = ["rbind", "nosuid", "nodev", "noexec"] ) // .)' - runc run test_hello - [ "$status" -eq 0 ] + runc -0 run test_hello } @test "runc run [redundant seccomp rules]" { @@ -105,6 +98,5 @@ function teardown() { "action": "SCMP_ACT_ALLOW", }] }' - runc run test_hello - [ "$status" -eq 0 ] + runc -0 run test_hello } diff --git a/tests/integration/state.bats b/tests/integration/state.bats index 4a8da0579b0..2dffe9f05ba 100644 --- a/tests/integration/state.bats +++ b/tests/integration/state.bats 
@@ -11,44 +11,35 @@ function teardown() { } @test "state (kill + delete)" { - runc state test_busybox - [ "$status" -ne 0 ] + runc ! state test_busybox - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox running - runc kill test_busybox KILL - [ "$status" -eq 0 ] + runc -0 kill test_busybox KILL wait_for_container 10 1 test_busybox stopped - runc delete test_busybox - [ "$status" -eq 0 ] + runc -0 delete test_busybox - runc state test_busybox - [ "$status" -ne 0 ] + runc ! state test_busybox } @test "state (pause + resume)" { # XXX: pause and resume require cgroups. requires root - runc state test_busybox - [ "$status" -ne 0 ] + runc ! state test_busybox - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox running - runc pause test_busybox - [ "$status" -eq 0 ] + runc -0 pause test_busybox testcontainer test_busybox paused - runc resume test_busybox - [ "$status" -eq 0 ] + runc -0 resume test_busybox testcontainer test_busybox running } diff --git a/tests/integration/timens.bats b/tests/integration/timens.bats index 10f3fc057d8..fad95d59dc1 100644 --- a/tests/integration/timens.bats +++ b/tests/integration/timens.bats @@ -20,8 +20,7 @@ function teardown() { "boottime": { "secs": 1337, "nanosecs": 3141519 } }' - runc run test_busybox - [ "$status" -ne 0 ] + runc ! run test_busybox } @test "runc run [timens with no offsets]" { @@ -31,8 +30,7 @@ function teardown() { update_config '.linux.namespaces += [{"type": "time"}] | .linux.timeOffsets = null' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox # Default offsets are 0. grep -E '^monotonic\s+0\s+0$' <<<"$output" grep -E '^boottime\s+0\s+0$' <<<"$output" 
@@ -48,8 +46,7 @@ function teardown() { "boottime": { "secs": 1337, "nanosecs": 3141519 } }' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox grep -E '^monotonic\s+7881\s+2718281$' <<<"$output" grep -E '^boottime\s+1337\s+3141519$' <<<"$output" } @@ -65,11 +62,9 @@ function teardown() { "boottime": { "secs": 1337, "nanosecs": 3141519 } }' - runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_busybox - runc exec test_busybox cat /proc/self/timens_offsets - [ "$status" -eq 0 ] + runc -0 exec test_busybox cat /proc/self/timens_offsets grep -E '^monotonic\s+7881\s+2718281$' <<<"$output" grep -E '^boottime\s+1337\s+3141519$' <<<"$output" } @@ -90,8 +85,7 @@ function teardown() { "boottime": { "secs": 1337, "nanosecs": 3141519 } }' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox grep -E '^monotonic\s+7881\s+2718281$' <<<"$output" grep -E '^boottime\s+1337\s+3141519$' <<<"$output" } diff --git a/tests/integration/tty.bats b/tests/integration/tty.bats index 9e8e4c14c0f..4dc663e9548 100644 --- a/tests/integration/tty.bats +++ b/tests/integration/tty.bats @@ -14,8 +14,7 @@ function teardown() { # stty size fails without a tty update_config '(.. | select(.[]? == "sh")) += ["-c", "stty size"]' # note that stdout/stderr are already redirected by bats' run - runc run test_busybox "$target_runtime" done - runc run -d --console-socket "$CONSOLE_SOCKET" test_update_rt - [ "$status" -eq 0 ] + runc -0 run -d --console-socket "$CONSOLE_SOCKET" test_update_rt - runc update -r - test_update_rt <>"$to_umount_list" # Kill the container -- we have the userns bind-mounted. - runc delete -f target_userns - [ "$status" -eq 0 ] + runc -0 delete -f target_userns # Configure our container to attach to the external userns. update_config '.linux.namespaces |= map(if .type == "user" then (.path = "'"$userns_path"'") else . end) 
@@ -232,18 +214,15 @@ function teardown() { # Create a detached container to verify the namespaces are correct. update_config '.process.args = ["sleep", "infinity"]' - runc --debug run -d --console-socket "$CONSOLE_SOCKET" ctr - [ "$status" -eq 0 ] + runc -0 --debug run -d --console-socket "$CONSOLE_SOCKET" ctr userns_id="user:[$(stat -c "%i" "$userns_path")]" netns_id="net:[$(stat -c "%i" "$netns_path")]" - runc exec ctr readlink /proc/self/ns/user - [ "$status" -eq 0 ] + runc -0 exec ctr readlink /proc/self/ns/user [[ "$output" == "$userns_id" ]] - runc exec ctr readlink /proc/self/ns/net - [ "$status" -eq 0 ] + runc -0 exec ctr readlink /proc/self/ns/net [[ "$output" == "$netns_id" ]] } @@ -256,8 +235,7 @@ function teardown() { update_config ' .linux.netDevices |= {"dummy0": {} } | .process.args |= ["ip", "address", "show", "dev", "dummy0"]' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox # The interface is virtual and should not exist because # is deleted during the namespace cleanup. @@ -273,8 +251,7 @@ function teardown() { update_config ' .linux.netDevices |= { "dummy0": { "name" : "ctr_dummy0" } } | .process.args |= ["ip", "address", "show", "dev", "ctr_dummy0"]' - runc run test_busybox - [ "$status" -eq 0 ] + runc -0 run test_busybox # The interface is virtual and should not exist because # is deleted during the namespace cleanup. diff --git a/tests/integration/version.bats b/tests/integration/version.bats index 56667e4223f..d3db819b7db 100644 --- a/tests/integration/version.bats +++ b/tests/integration/version.bats @@ -3,8 +3,7 @@ load helpers @test "runc version" { - runc -v - [ "$status" -eq 0 ] + runc -0 -v [[ ${lines[0]} =~ runc\ version\ [0-9]+\.[0-9]+\.[0-9]+ ]] [[ ${lines[1]} =~ commit:+ ]] [[ ${lines[2]} =~ spec:\ [0-9]+\.[0-9]+\.[0-9]+ ]] From 4f9e318d71dde4d687159db5b7e09c870a94b80d Mon Sep 17 00:00:00 2001 
From: Kir Kolyshkin Date: Fri, 17 Oct 2025 16:04:13 -0700 Subject: [PATCH 3/3] tests/int: add missing runc exit code checks These places should check runc exit code but they don't. Signed-off-by: Kir Kolyshkin --- tests/integration/cgroups.bats | 8 ++++---- tests/integration/delete.bats | 8 ++++---- tests/integration/dev.bats | 4 ++-- tests/integration/events.bats | 2 +- tests/integration/helpers.bash | 2 +- tests/integration/host-mntns.bats | 2 +- tests/integration/netdev.bats | 2 +- tests/integration/pause.bats | 2 +- tests/integration/run.bats | 6 +++--- tests/integration/seccomp-notify.bats | 2 +- tests/integration/start.bats | 2 +- tests/integration/update.bats | 12 ++++++------ 12 files changed, 26 insertions(+), 26 deletions(-) diff --git a/tests/integration/cgroups.bats b/tests/integration/cgroups.bats index ab055062c6d..064f26b7d7b 100644 --- a/tests/integration/cgroups.bats +++ b/tests/integration/cgroups.bats @@ -99,7 +99,7 @@ function setup() { [[ ${lines[0]} = "0::/foo" ]] # teardown: remove "/foo" - cat <<'EOF' | runc exec test_cgroups_group sh -eux + cat <<'EOF' | runc -0 exec test_cgroups_group sh -eux echo -memory > /sys/fs/cgroup/cgroup.subtree_control for pid in $(cat /sys/fs/cgroup/foo/cgroup.procs); do echo $pid > /sys/fs/cgroup/cgroup.procs || true @@ -133,7 +133,7 @@ EOF if [[ "$status" -eq 0 ]]; then [ "$output" = 'default 750' ] else - runc exec test_cgroups_unified sh -c 'cat /sys/fs/cgroup/io.weight' + runc -0 exec test_cgroups_unified sh -c 'cat /sys/fs/cgroup/io.weight' [ "$output" = 'default 7475' ] fi } @@ -181,7 +181,7 @@ EOF weights1=$(get_cgroup_value $file) # Check that runc update works. - runc update -r - test_dev_weight <