update cgroup parent test to work with cgroupns
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
tonistiigi committed Jul 10, 2023
1 parent c963649 commit 45b3856
Showing 2 changed files with 56 additions and 8 deletions.
34 changes: 30 additions & 4 deletions client/client_test.go
Expand Up @@ -853,6 +853,10 @@ func testCgroupParent(t *testing.T, sb integration.Sandbox) {
t.SkipNow()
}

if _, err := os.Lstat("/sys/fs/cgroup/cgroup.subtree_control"); os.IsNotExist(err) {
t.Skipf("test requires cgroup v2")
}

c, err := New(sb.Context(), sb.Address())
require.NoError(t, err)
defer c.Close()
Expand All @@ -864,8 +868,21 @@ func testCgroupParent(t *testing.T, sb integration.Sandbox) {
st = img.Run(append(ro, llb.Shlex(cmd), llb.Dir("/wd"))...).AddMount("/wd", st)
}

run(`sh -c "cat /proc/self/cgroup > first"`, llb.WithCgroupParent("foocgroup"))
run(`sh -c "cat /proc/self/cgroup > second"`)
cgroupName := "test." + identity.NewID()

err = os.MkdirAll(filepath.Join("/sys/fs/cgroup", cgroupName), 0755)
require.NoError(t, err)

defer func() {
err := os.RemoveAll(filepath.Join("/sys/fs/cgroup", cgroupName))
require.NoError(t, err)
}()

err = os.WriteFile(filepath.Join("/sys/fs/cgroup", cgroupName, "pids.max"), []byte("10"), 0644)
require.NoError(t, err)

run(`sh -c "(for i in $(seq 1 10); do sleep 1 & done 2>first.error); cat /proc/self/cgroup >> first"`, llb.WithCgroupParent(cgroupName))
run(`sh -c "(for i in $(seq 1 10); do sleep 1 & done 2>second.error); cat /proc/self/cgroup >> second"`)

def, err := st.Marshal(sb.Context())
require.NoError(t, err)
Expand All @@ -882,13 +899,22 @@ func testCgroupParent(t *testing.T, sb integration.Sandbox) {
}, nil)
require.NoError(t, err)

// neither process leaks parent cgroup name inside container
dt, err := os.ReadFile(filepath.Join(destDir, "first"))
require.NoError(t, err)
require.Contains(t, strings.TrimSpace(string(dt)), `/foocgroup/buildkit/`)
require.NotContains(t, strings.TrimSpace(string(dt)), cgroupName)

dt2, err := os.ReadFile(filepath.Join(destDir, "second"))
require.NoError(t, err)
require.NotContains(t, strings.TrimSpace(string(dt2)), `/foocgroup/buildkit/`)
require.NotContains(t, strings.TrimSpace(string(dt2)), cgroupName)

dt, err = os.ReadFile(filepath.Join(destDir, "first.error"))
require.NoError(t, err)
require.Contains(t, strings.TrimSpace(string(dt)), "Resource temporarily unavailable")

dt, err = os.ReadFile(filepath.Join(destDir, "second.error"))
require.NoError(t, err)
require.Equal(t, strings.TrimSpace(string(dt)), "")
}

func testNetworkMode(t *testing.T, sb integration.Sandbox) {
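Review bot: The new guard in the first hunk skips only when `/sys/fs/cgroup/cgroup.subtree_control` does not exist, but the setup added in the second hunk also needs write access to `/sys/fs/cgroup` and a writable `pids.max` in the new child cgroup, which presumably exists only when the pids controller is enabled for children; on a host lacking either, the test fails at `require.NoError` instead of skipping. Consider reading `cgroup.subtree_control` and calling `t.Skip` unless it lists `pids`, and registering the directory removal with `t.Cleanup` rather than calling `require.NoError` inside a `defer`. The same setup is repeated in frontend/dockerfile/dockerfile_test.go. In the last hunk, `require.Equal(t, strings.TrimSpace(string(dt)), "")` passes the actual value in the expected position; `require.Empty(t, strings.TrimSpace(string(dt)))` states the intent directly. testCgroupParent begins before the first hunk, so anything above the visible lines is not covered here.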
30 changes: 26 additions & 4 deletions frontend/dockerfile/dockerfile_test.go
Expand Up @@ -5193,10 +5193,27 @@ func testCgroupParent(t *testing.T, sb integration.Sandbox) {
t.SkipNow()
}

if _, err := os.Lstat("/sys/fs/cgroup/cgroup.subtree_control"); os.IsNotExist(err) {
t.Skipf("test requires cgroup v2")
}

cgroupName := "test." + identity.NewID()

err := os.MkdirAll(filepath.Join("/sys/fs/cgroup", cgroupName), 0755)
require.NoError(t, err)

defer func() {
err := os.RemoveAll(filepath.Join("/sys/fs/cgroup", cgroupName))
require.NoError(t, err)
}()

err = os.WriteFile(filepath.Join("/sys/fs/cgroup", cgroupName, "pids.max"), []byte("10"), 0644)
require.NoError(t, err)

f := getFrontend(t, sb)
dockerfile := []byte(`
FROM alpine AS base
RUN cat /proc/self/cgroup > /out
RUN mkdir /out; (for i in $(seq 1 10); do sleep 1 & done 2>/out/error); cat /proc/self/cgroup > /out/cgroup
FROM scratch
COPY --from=base /out /
`)
Expand All @@ -5215,7 +5232,7 @@ COPY --from=base /out /

_, err = f.Solve(sb.Context(), c, client.SolveOpt{
FrontendAttrs: map[string]string{
"cgroup-parent": "foocgroup",
"cgroup-parent": cgroupName,
},
LocalDirs: map[string]string{
dockerui.DefaultLocalNameDockerfile: dir,
Expand All @@ -5230,9 +5247,14 @@ COPY --from=base /out /
}, nil)
require.NoError(t, err)

dt, err := os.ReadFile(filepath.Join(destDir, "out"))
dt, err := os.ReadFile(filepath.Join(destDir, "cgroup"))
require.NoError(t, err)
// cgroupns does not leak the parent cgroup name
require.NotContains(t, strings.TrimSpace(string(dt)), `foocgroup`)

dt, err = os.ReadFile(filepath.Join(destDir, "error"))
require.NoError(t, err)
require.Contains(t, strings.TrimSpace(string(dt)), `/foocgroup/buildkit/`)
require.Contains(t, strings.TrimSpace(string(dt)), `Resource temporarily unavailable`)
}

func testNamedImageContext(t *testing.T, sb integration.Sandbox) {
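Review bot: The isolation assertion added in the last hunk still checks for the literal foocgroup, but this commit changes the `cgroup-parent` attribute to the generated `cgroupName`, so that string can never appear in `/out/cgroup` and the check passes even if the parent cgroup path leaks into the container. It should compare against the value actually in use, as client/client_test.go does: `require.NotContains(t, strings.TrimSpace(string(dt)), cgroupName)`. Because this is the only check in the file that the cgroup namespace hides the host path, a regression there would currently go unnoticed by this test. testCgroupParent begins before the first hunk.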
