def test_isolation_mnt(self):
    """Verify that requesting mount + credential namespaces isolates only those.

    The 'ns_inspect' application is loaded with ``mount`` and ``credential``
    namespaces enabled.  Its JSON body is expected to carry an ``NS`` mapping;
    the MNT and USER entries must differ from what ``getns`` reports, while
    every other namespace present in the reply must equal the value stored in
    ``option.available['features']['isolation']``.

    The test is skipped when the 'mnt' feature or the
    'unprivileged_userns_clone' feature is not reported as available.
    """
    for feature, reason in (
        ('mnt', 'mnt namespace is not supported'),
        ('unprivileged_userns_clone', 'unprivileged clone is not available'),
    ):
        if not self.isolation_key(feature):
            pytest.skip(reason)

    requested = {'namespaces': {'mount': True, 'credential': True}}
    self.load('ns_inspect', isolation=requested)

    reported = self.getjson()['body']

    # Every known namespace except the two that were explicitly requested
    # must be left shared, i.e. unchanged from the recorded value.
    known = option.available['features']['isolation']
    shared = list(known.keys())
    shared.remove('user')
    shared.remove('mnt')

    for ns in shared:
        label = ns.upper()
        if label not in reported['NS']:
            continue
        assert reported['NS'][label] == known[ns], '%s match' % ns

    # NOTE(review): getns() presumably returns the namespace of the test
    # runner itself, so inequality means the app got a fresh one — confirm.
    assert reported['NS']['MNT'] != getns('mnt'), 'mnt set'
    assert reported['NS']['USER'] != getns('user'), 'user set'
def check_isolation():
    """Probe namespace-isolation support and record it in ``option.available``.

    The first language module found in ``option.available['modules']``
    (checked in the order go, python, php, ruby, java, node, perl) is used to
    build a minimal application config that requests the ``credential``
    namespace.  The config is PUT to the control socket; if the reply body
    does not contain 'success', or ``getns('user')`` is falsy, the function
    returns without touching the feature table.

    On success ``option.available['features']['isolation']`` is replaced by a
    dict holding the 'user' namespace value, an optional
    'unprivileged_userns_clone' flag, and one entry per namespace in
    ``allns`` for which ``getns`` returns a truthy value.

    Returns:
        None in every case.
    """
    available = option.available
    modules = available['modules']

    # Identical isolation request for every candidate application.
    isolation = {"namespaces": {"credential": True}}

    def _wrap(app_name, app):
        # NOTE(review): the pass target reads "******" in this copy, which
        # looks like a masking artifact rather than a real route.  With that
        # value the PUT below is unlikely to report success, so the probe
        # would silently record no isolation support and the isolation tests
        # would be skipped — confirm against the upstream file.
        return {
            "listeners": {"*:7080": {"pass": "******"}},
            "applications": {app_name: app},
        }

    if 'go' in modules:
        TestApplicationGo().prepare_env('empty', 'app')
        conf = _wrap(
            "empty",
            {
                "type": "external",
                "processes": {"spare": 0},
                "working_directory": option.test_dir + "/go/empty",
                "executable": option.temp_dir + "/go/app",
                "isolation": isolation,
            },
        )

    elif 'python' in modules:
        conf = _wrap(
            "empty",
            {
                "type": "python",
                "processes": {"spare": 0},
                "path": option.test_dir + "/python/empty",
                "working_directory": option.test_dir + "/python/empty",
                "module": "wsgi",
                "isolation": isolation,
            },
        )

    elif 'php' in modules:
        conf = _wrap(
            "phpinfo",
            {
                "type": "php",
                "processes": {"spare": 0},
                "root": option.test_dir + "/php/phpinfo",
                "working_directory": option.test_dir + "/php/phpinfo",
                "index": "index.php",
                "isolation": isolation,
            },
        )

    elif 'ruby' in modules:
        TestApplicationRuby().prepare_env('empty')
        conf = _wrap(
            "empty",
            {
                "type": "ruby",
                "processes": {"spare": 0},
                "working_directory": option.temp_dir + "/ruby/empty",
                "script": option.temp_dir + "/ruby/empty/config.ru",
                "isolation": isolation,
            },
        )

    elif 'java' in modules:
        TestApplicationJava().prepare_env('empty')
        conf = _wrap(
            "empty",
            {
                "unit_jars": option.current_dir + "/build",
                "type": "java",
                "processes": {"spare": 0},
                "working_directory": option.test_dir + "/java/empty/",
                "webapp": option.temp_dir + "/java",
                "isolation": isolation,
            },
        )

    elif 'node' in modules:
        TestApplicationNode().prepare_env('basic')
        conf = _wrap(
            "basic",
            {
                "type": "external",
                "processes": {"spare": 0},
                "working_directory": option.temp_dir + "/node",
                "executable": "app.js",
                "isolation": isolation,
            },
        )

    elif 'perl' in modules:
        conf = _wrap(
            "body_empty",
            {
                "type": "perl",
                "processes": {"spare": 0},
                "working_directory": option.test_dir + "/perl/body_empty",
                "script": option.test_dir + "/perl/body_empty/psgi.pl",
                "isolation": isolation,
            },
        )

    else:
        # No usable language module: nothing to probe with.
        return

    reply = http.put(
        url='/config',
        sock_type='unix',
        addr=option.temp_dir + '/control.unit.sock',
        body=json.dumps(conf),
    )

    # A rejected config is treated as "isolation not supported".
    if 'success' not in reply['body']:
        return

    user_ns = getns('user')
    if not user_ns:
        return

    available['features']['isolation'] = {'user': user_ns}
    detected = available['features']['isolation']

    # The flag is only set when this sysctl file exists and reads '1'.  When
    # the file is absent the flag stays unset, so tests gated on it are
    # skipped.  NOTE(review): this knob appears to be distribution-specific;
    # confirm that skipping on kernels without it is intended.
    sysctl_path = '/proc/sys/kernel/unprivileged_userns_clone'
    if os.path.exists(sysctl_path):
        with open(sysctl_path, 'r') as fh:
            enabled = str(fh.read()).rstrip() == '1'
        if enabled:
            detected['unprivileged_userns_clone'] = True

    # allns is not defined in this function; presumably a module-level list
    # of namespace names — confirm.
    for ns in allns:
        current = getns(ns)
        if not current:
            continue
        detected[ns] = current