systemd-run 0.9.0

A Rust crate for running processes as Systemd transient services.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109

use systemd_run::{Identity, RunSystem};

#[async_std::test]
#[ignore]
#[cfg(feature = "systemd_227")]
async fn test_root_private_network_simple() {
    let r = RunSystem::new("/bin/true")
        .identity(Identity::dynamic())
        .start()
        .await
        .expect("should be able to start true")
        .wait()
        .await
        .expect("should be able to get the status of the Run");
    assert!(
        !r.is_failed(),
        "should be able to run true in private network namespace"
    );
}

#[async_std::test]
#[ignore]
#[cfg(feature = "systemd_236")]
async fn test_root_private_network_wget() {
    let r = RunSystem::new("/usr/bin/wget")
        .collect_on_fail()
        .arg("https://example.org/")
        .arg("-O")
        .arg("/dev/null")
        .private_network()
        .identity(Identity::dynamic())
        .start()
        .await
        .expect("should be able to start wget https://example.org")
        .wait()
        .await
        .expect("should be able to get the status of the Run");
    assert!(
        r.is_failed(),
        "should not be able to access Internet with private_network"
    );
}

#[async_std::test]
#[ignore]
#[cfg(feature = "systemd_249")]
async fn test_root_private_ipc() {
    const PATH: &'static str = concat!(env!("OUT_DIR"), "/test-aux/shm");
    // Run twice, if IPC namespace seperation is not in-effect the second
    // run will fail.
    for _ in 0..2 {
        let r = RunSystem::new(PATH)
            .private_ipc()
            .identity(Identity::user_group("nobody", "nogroup"))
            .start()
            .await
            .expect("should be able to start the test program")
            .wait()
            .await
            .expect("should be able to get the status of the Run");
        assert!(
            !r.is_failed(),
            "should be able to create POSIX shm in the new IPC namespace"
        );
    }
}

#[async_std::test]
#[ignore]
#[cfg(feature = "systemd_232")]
async fn test_root_private_users() {
    const PATH: &'static str = concat!(env!("OUT_DIR"), "/test-aux/setuid");
    let r = RunSystem::new(PATH)
        .private_users()
        .start()
        .await
        .expect("should be able to start the test program")
        .wait()
        .await
        .expect("should be able to get the status of the Run");
    assert!(
        !r.is_failed(),
        "UID 514 should not exist in the separate user namespace"
    );
}

#[async_std::test]
#[ignore]
#[cfg(feature = "systemd_227")]
async fn test_root_private_network_wget_join() {
    let r = RunSystem::new("/usr/bin/wget")
        .collect_on_fail()
        .arg("https://example.org/")
        .arg("-O")
        .arg("/dev/null")
        .private_network()
        .joins_namespace_of("systemd-resolved.service")
        .identity(Identity::dynamic())
        .start()
        .await
        .expect("should be able to start wget https://example.org")
        .wait()
        .await
        .expect("should be able to get the status of the Run");
    assert!(
        !r.is_failed(),
        "should not be able to access Internet with joined namespace"
    );
}