Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

make our testsuite pass in a podman container with default privs #19800

Merged
merged 4 commits into from
Jun 3, 2021
Merged

make our testsuite pass in a podman container with default privs #19800

merged 4 commits into from
Jun 3, 2021

Conversation

poettering
Copy link
Member

Our tests so far mostly did a geteuid() == 0 check to guard privileged operations. Podman apparently invokes containers by default with geteuid() == 0 but then takes most caps away, which then means we'll try the privleged operaitons and fail. Let's tweak the conditioning hence.

Fixes: #19746

yuwata
yuwata approved these changes Jun 2, 2021
View reviewed changes
Copy link
Member

@yuwata yuwata left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. One minor suggestion, and one question.

src/test/test-execute.c Outdated Show resolved Hide resolved
src/test/test-seccomp.c Show resolved Hide resolved
@poettering
test-capability: skip tests that need CAP_NET_RAW if cap is not passed
e80cb4c 
See: systemd#19746
@poettering
test-seccomp: tighten privilege check before seccomp()
6da5d7d 
geteuid() without CAP_SYS_ADMIN is not enough to do unrestricted
seccomp(). Hence tighten the check.

See: systemd#19746
@poettering
test: tweak privilege tests for two more tests
c75370c 
These tests require properly privileged root users, hence skip things
when we don't have CAP_SYS_ADMIN.

Fixes: systemd#19746
@poettering
test: add a 'static' on a global variable we don't actually export
9b1c561 
All global but not exported variables should be "static" in our
codebase, add "static" to one more such variable hence.
@poettering poettering mentioned this pull request Jun 3, 2021
Closed
@poettering
Copy link
Member Author

Force pushed a new version changing that one check to geteuid(). For the other thing see comment above. Uprgading green label

@poettering poettering added good-to-merge/waiting-for-ci 👍 PR is good to merge, but CI hasn't passed at time of review. Please merge if you see CI has passed and removed good-to-merge/with-minor-suggestions labels Jun 3, 2021
@poettering poettering merged commit 8d8053c into systemd:main Jun 3, 2021
@mbiebl
Copy link
Contributor

mbiebl commented Jun 3, 2021

Seems to work fine under Podman. Under Docker, a single test failure remains:

The output from the failed tests:

438/918 test-util                                                                 FAIL           0.32s (killed by signal 6 SIGABRT)

--- command ---
21:35:03 SYSTEMD_LANGUAGE_FALLBACK_MAP='/systemd/src/locale/language-fallback-map' SYSTEMD_KBD_MODEL_MAP='/systemd/src/locale/kbd-model-map' PATH='/systemd/build:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' /systemd/build/test-util
--- stderr ---
/* test_align_power2 */
/* test_max */
/* test_container_of */
/* test_div_round_up */
/* test_u64log2 */
/* test_protect_errno */
/* test_unprotect_errno */
/* test_in_set */
/* test_log2i */
/* test_eqzero */
/* test_raw_clone */
before clone: getpid()→39301
raw_clone: 39302 getpid()→39301 raw_getpid()→39301
raw_clone: 0 getpid()→39302 raw_getpid()→39302
Assertion 'errno == EINVAL' failed at src/test/test-util.c:319, function test_raw_clone(). Aborting.
-------


Summary of Failures:

324/918 udev-test                                                                 SKIP           0.14s
352/918 test-bus-marshal                                                          SKIP           0.02s
356/918 test-bus-chat                                                             SKIP           0.02s
357/918 test-bus-cleanup                                                          SKIP           0.01s
358/918 test-bus-track                                                            SKIP           0.01s
362/918 test-bus-gvariant                                                         SKIP           0.01s
364/918 test-bus-match                                                            SKIP           0.01s
372/918 test-sd-device-monitor                                                    SKIP           0.01s
399/918 test-oomd-util                                                            SKIP           0.01s
417/918 test-boot-timestamps                                                      SKIP           0.02s
438/918 test-util                                                                 FAIL           0.32s (killed by signal 6 SIGABRT)
438/918 test-util                                                                 FAIL           0.32s (killed by signal 6 SIGABRT)
480/918 test-barrier                                                              SKIP           0.01s
482/918 test-namespace                                                            SKIP           0.01s
489/918 test-loop-block                                                           SKIP           0.02s
492/918 test-bpf-devices                                                          SKIP           0.01s
493/918 test-bpf-firewall                                                         SKIP           0.02s
494/918 test-bpf-foreign-programs                                                 SKIP           0.02s
537/918 test-execute                                                              SKIP           0.02s
554/918 test-sd-hwdb                                                              SKIP           0.01s
917/918 check-directives                                                          SKIP           0.01s

Ok:                 898 
Expected Fail:      0   
Fail:               1   
Unexpected Pass:    0   
Skipped:            19  
Timeout:            0

poettering added a commit to poettering/systemd that referenced this pull request Jun 4, 2021
@poettering
test: don't expect that clone() always makes it to the kernel
9ab7fa6 
We might get EPERM on certain clone() flag combinations. Apparently in
Docker for example.

Prompted by: systemd#19800 (comment)
@poettering poettering mentioned this pull request Jun 4, 2021
Merged
@poettering
Copy link
Member Author

@mbiebl #19816 — but I didn't test it in Docker myself. Docker still can't deal with cgroupsv2? wtf? Anyway, can you check if it fixes things for you? My educated guess is that it will

@mbiebl
Copy link
Contributor

mbiebl commented Jun 4, 2021

With #19816 applied:

Ok:                 899 
Expected Fail:      0   
Fail:               0   
Unexpected Pass:    0   
Skipped:            19  
Timeout:            0

@mbiebl
Copy link
Contributor

mbiebl commented Jun 4, 2021

Docker still can't deal with cgroupsv2?

In theory it should. At least according to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840829 resp. moby/moby#40360

That said, it's possible that cgroupsv2 support is still buggy.

poettering added a commit that referenced this pull request Jun 4, 2021
@poettering
test: don't expect that clone() always makes it to the kernel
d414f41 
We might get EPERM on certain clone() flag combinations. Apparently in
Docker for example.

Prompted by: #19800 (comment)
dakr pushed a commit to dakr/systemd that referenced this pull request Jun 14, 2021
@poettering
test: don't expect that clone() always makes it to the kernel
fa0592a 
We might get EPERM on certain clone() flag combinations. Apparently in
Docker for example.

Prompted by: systemd#19800 (comment)
mrc0mmand pushed a commit to mrc0mmand/rhel-9 that referenced this pull request Jul 2, 2021
@poettering @mrc0mmand
test: don't expect that clone() always makes it to the kernel
f738e67 
We might get EPERM on certain clone() flag combinations. Apparently in
Docker for example.

Prompted by: systemd/systemd#19800 (comment)
mrc0mmand pushed a commit to mrc0mmand/rhel-9 that referenced this pull request Jul 2, 2021
@poettering @mrc0mmand
test: don't expect that clone() always makes it to the kernel
12ae9db 
We might get EPERM on certain clone() flag combinations. Apparently in
Docker for example.

Prompted by: systemd/systemd#19800 (comment)
keszybz pushed a commit to systemd/systemd-stable that referenced this pull request Jul 12, 2021
@poettering @keszybz
test: don't expect that clone() always makes it to the kernel
b5ce8b2 
We might get EPERM on certain clone() flag combinations. Apparently in
Docker for example.

Prompted by: systemd/systemd#19800 (comment)

(cherry picked from commit d414f41)
Yamakuzure pushed a commit to elogind/elogind that referenced this pull request Jan 31, 2022
@poettering @Yamakuzure
test: don't expect that clone() always makes it to the kernel
db55ab8 
We might get EPERM on certain clone() flag combinations. Apparently in
Docker for example.

Prompted by: systemd/systemd#19800 (comment)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yuwata yuwata yuwata approved these changes

Assignees
No one assigned
Labels
good-to-merge/waiting-for-ci 👍 PR is good to merge, but CI hasn't passed at time of review. Please merge if you see CI has passed quick-review 🏃‍♂️ tests
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

test-suite failures inside Docker / Podman
3 participants
@poettering @mbiebl @yuwata