author: Thomas Haller <thaller@redhat.com> 2023-09-06 13:52:10 +0200
committer: Florian Westphal <fw@strlen.de> 2023-09-07 19:35:20 +0200
commit: ae54726dbfe83f07ba5d6e72d2f101b6475fbd97 (patch)
tree: 585dee77c2e59cad5052f6bfe259caff082bf06e /tests/shell/helpers/test-wrapper.sh
parent: cdb0a1dba86af1b20fb061d047cfe85b2c1561ac (diff)
tests/shell: run each test in separate namespace and allow rootless
Don't unshare the entire shell script. Instead, call unshare for each test separately. That means all tests now use a different sandbox, which will also allow (with further changes) running them in parallel. Also, allow running rootless/unprivileged.

The script first tries to run a separate PID+USER+NET namespace. If that fails, it downgrades to USER+NET. If that fails, it downgrades to a separate NET namespace. If unshare still fails, the script fails entirely. That differs from before, where the script would proceed without sandboxing. The script will now always require that unsharing works, unless the user opts out.

If the user cannot unshare, they can set NFT_TEST_UNSHARE_CMD to the command used for unsharing. It may be empty for no unshare. The command line arguments -U/--no-unshare are a shortcut for setting NFT_TEST_UNSHARE_CMD="".

If we are able to create a separate USER namespace, then this mode allows running the test as rootless/unprivileged. We no longer require [ `id -u` = 0 ]. Some tests may not work as rootless. For example, the socket buffers are limited by /proc/sys/net/core/{wmem_max,rmem_max}, which real-root can override, but rootless tests cannot. Such tests should check for [ "$NFT_TEST_HAS_REALROOT" != y ] and skip gracefully.

Usually, the user doesn't need to tell the script whether they have real-root. The script will autodetect it via [ `id -u` = 0 ]. But that won't work when already run inside a rootless container. In that case, the user would want to tell the script that there is no real-root. They can do so via the -R/--without-root option or NFT_TEST_HAS_REALROOT=n.

If tests wish, they can know whether they run inside an "unshare" environment by checking for [ "$NFT_TEST_HAS_UNSHARED" = y ]. When setting NFT_TEST_UNSHARE_CMD to override the unshare command, users may want to also set NFT_TEST_HAS_UNSHARED= and NFT_TEST_HAS_REALROOT= correctly.

As we run each test in a separate unshare environment, we need a wrapper "tests/shell/helpers/test-wrapper.sh" around the test, which executes inside the tested environment. Also, each test gets its own temp directory prepared in NFT_TEST_TESTTMPDIR. This is also the place where test artifacts and results will be collected.

Signed-off-by: Thomas Haller <thaller@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'tests/shell/helpers/test-wrapper.sh')
-rwxr-xr-x tests/shell/helpers/test-wrapper.sh | 23
1 files changed, 23 insertions, 0 deletions
diff --git a/tests/shell/helpers/test-wrapper.sh b/tests/shell/helpers/test-wrapper.sh
new file mode 100755
index 00000000..f811b44a
--- /dev/null
+++ b/tests/shell/helpers/test-wrapper.sh
@@ -0,0 +1,23 @@
+#!/bin/bash -e
+
+# This wrapper wraps the invocation of the test. It is called by run-tests.sh,
+# and already in the unshared namespace.
+#
+# For some printf debugging, you can also patch this file.
+
+TEST="$1"
+
+printf '%s\n' "$TEST" > "$NFT_TEST_TESTTMPDIR/name"
+
+rc_test=0
+"$TEST" |& tee "$NFT_TEST_TESTTMPDIR/testout.log" || rc_test=$?
+
+if [ "$rc_test" -eq 0 ] ; then
+ echo "$rc_test" > "$NFT_TEST_TESTTMPDIR/rc_test-ok"
+else
+ echo "$rc_test" > "$NFT_TEST_TESTTMPDIR/rc_test-failed"
+fi
+
+$NFT list ruleset > "$NFT_TEST_TESTTMPDIR/ruleset-after"
+
+exit "$rc_test"
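Review bot: the exit status captured by `|| rc_test=$?` on the `"$TEST" |& tee "$NFT_TEST_TESTTMPDIR/testout.log"` line is the pipeline's status, which without `set -o pipefail` is tee's, not the test's; a failing test would therefore still write `rc_test-ok` and the wrapper would `exit 0`. Add `set -o pipefail` near the top (or read `${PIPESTATUS[0]}` right after the pipeline) so rc_test reflects the test itself. Two smaller points in the same hunk: because the script runs with `-e`, a failing `$NFT list ruleset > "$NFT_TEST_TESTTMPDIR/ruleset-after"` aborts the wrapper with nft's status instead of the recorded rc_test, so that dump should probably be best-effort (`|| :`) if it is only an artifact; and the `-e` in `#!/bin/bash -e` is lost if run-tests.sh ever invokes the wrapper as `bash test-wrapper.sh` rather than executing it directly, so an explicit `set -e` in the body is more robust.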