libcontainer 0.6.0

Library for container control
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115

use std::collections::HashMap;
use std::fs::create_dir;
use std::hash::{DefaultHasher, Hash, Hasher};
use std::path::Path;

use anyhow::Result;
use libcontainer::container::builder::ContainerBuilder;
use libcontainer::syscall::syscall::SyscallType;
use libcontainer::workload::{
    Executor, ExecutorError, ExecutorSetEnvsError, ExecutorValidationError,
};
use nix::unistd::{getegid, geteuid};
use oci_spec::runtime::{RootBuilder, Spec};
use procfs::process::Process;
use serial_test::serial;
use tempfile::tempdir;

fn prepare_container_root(root: impl AsRef<Path>) -> Result<()> {
    let root = root.as_ref();
    create_dir(root.join("rootfs"))?;

    let uid = geteuid().as_raw();
    let gid = getegid().as_raw();

    let mut spec = Spec::rootless(uid, gid);
    spec.set_root(
        RootBuilder::default()
            .path("rootfs")
            .readonly(false)
            .build()
            .ok(),
    );

    spec.save(root.join("config.json"))?;

    Ok(())
}

fn hash(v: impl Hash) -> u64 {
    let mut hasher = DefaultHasher::default();
    v.hash(&mut hasher);
    hasher.finish()
}

#[derive(Clone)]
struct SomeExecutor;

impl Executor for SomeExecutor {
    fn setup_envs(&self, _: HashMap<String, String>) -> Result<(), ExecutorSetEnvsError> {
        Ok(())
    }

    fn validate(&self, _: &Spec) -> Result<(), ExecutorValidationError> {
        Ok(())
    }

    fn exec(&self, _: &Spec) -> Result<(), ExecutorError> {
        Ok(())
    }
}

#[test]
#[serial]
fn run_init_process_as_child() -> Result<()> {
    let root = tempdir()?;
    prepare_container_root(&root)?;

    let id = format!("test-container-{:x}", hash(root.as_ref()));
    let container = ContainerBuilder::new(id, SyscallType::Linux)
        .with_executor(SomeExecutor)
        .with_root_path(root.as_ref())?
        .as_init(root.as_ref())
        .build()?;

    let container = scopeguard::guard(container, |mut container| {
        let _ = container.delete(true);
    });

    let init_pid = container.pid().unwrap().as_raw();

    let init_ppid = Process::new(init_pid)?.stat()?.ppid;
    let this_pid = Process::myself()?.pid();

    assert_eq!(init_ppid, this_pid);

    Ok(())
}

#[test]
#[serial]
fn run_init_process_as_sibling() -> Result<()> {
    let root = tempdir()?;
    prepare_container_root(&root)?;

    let id = format!("test-container-{:x}", hash(root.as_ref()));
    let container = ContainerBuilder::new(id, SyscallType::Linux)
        .with_executor(SomeExecutor)
        .with_root_path(root.as_ref())?
        .as_init(root.as_ref())
        .as_sibling(true)
        .build()?;

    let container = scopeguard::guard(container, |mut container| {
        let _ = container.delete(true);
    });

    let init_pid = container.pid().unwrap().as_raw();

    let init_ppid = Process::new(init_pid)?.stat()?.ppid;
    let this_ppid = Process::myself()?.stat()?.ppid;

    assert_eq!(init_ppid, this_ppid);

    Ok(())
}