test_runtime.sh: Add a user namespace #114
Conversation
|
An alternative to picking one way or the other is to use a test framework with both and skip the entries which require root when the caller isn't. For examples in the ccon test suite, see: |
wking
force-pushed
the
test-runtime-user-namespace
branch
from
01c92d6
to
fdbcc47
Compare
You shouldn't need to be root to test a runtime. The id calls use the POSIX command [1] to find the current user's user and group IDs. [1]: http://pubs.opengroup.org/onlinepubs/9699919799/utilities/id.html Signed-off-by: W. Trevor King <wking@tremily.us>
|
Hi @wking , how does it work? It just adds maps to config.json, but a runtime (runc) still need 'root' to create/start the container. |
|
On Mon, Jul 04, 2016 at 03:56:22AM -0700, 梁辰晔 (Liang Chenye) wrote:
If runC still needs root, you can use ‘-r 'sudo runc'’ or call the And my preferred approach is to have the runtime tests cover both $ make |
|
This did not work with runc last time I tried. I'll try again tomorrow (still on PTO). |
|
On Tue, Jul 05, 2016 at 08:29:08AM -0700, Mrunal Patel wrote:
Searching runC for open user namespace issues turned up But stepping back, this is a good reason to have a test suite that |
|
On Tue, Jul 05, 2016 at 09:20:01AM -0700, W. Trevor King wrote:
Also opencontainers/runc#799. |
|
Yes, there are a couple of user namespace issues I've found in runC as a result of opencontainers/runc#774. They include:
I mentioned in the rootless containers PR that we really need to make our test suite do checks for user namespaces because quite a few things break that shouldn't. Problem is that you can't even run a single integration test case with the current console setup code (which is something that I mentioned in the last weekly call is something I'm working on fixing). |
|
On Fri, Jul 22, 2016 at 11:30:56AM -0700, Aleksa Sarai wrote:
And while fixing runC to work with user namespaces would be nice, I |
|
Yeah, I think we should make progress on #61. We can review it and request a rebase. |
|
@opencontainers/runtime-tools-maintainers should we close this PR? |
|
On Wed, Nov 16, 2016 at 01:13:39AM -0800, Ma Shimiao wrote:
I'm fine closing this PR, but would like more clarity on the path |
|
For an update, since the last time I posted here my rootless containers PR (opencontainers/runc#774) now passes all of the runC tests. So runC no longer has the same issue it did before (though you need to create a different config using The only real issue I have with this PR is that it uses user namespaces for all tests. While this sounds like a no-op in the root-to-root case it actually isn't (you are messing with a lot of different aspects of the final environment). So there should be a flag to enable user namespace testing. Also, as an aside runC's test suite also now works with regular user namespaces (which wasn't possible before without |
|
On Wed, Nov 16, 2016 at 09:48:55AM -0800, Aleksa Sarai wrote:
There's no way to get this right when you only run one test container |
|
As test_runtime.sh is removing as planed, this PR will not be needed. |
You shouldn't need to be root to test a runtime. The
idcalls use thePOSIX command to find the current user's user and group IDs.
Builds on #113, so review that first.