author | Luca Boccassi <bluca@debian.org> | 2023-05-15 11:45:15 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-05-15 11:45:15 +0100 |
commit | f9c91eea78b1043879f98012c943fed2dffcc7a8 (patch) | |
tree | c266ed4157e7533ccebbe358e08b6d75ca55a200 | |
parent | 62281c78bb0ef77dafb2cad14c1216c313417a23 (diff) | |
parent | 806b18240abda55030efe223be89ed5e2d3d60e8 (diff) | |
download | systemd-f9c91eea78b1043879f98012c943fed2dffcc7a8.tar.gz |
Merge pull request #27644 from mrc0mmand/fuzz-nspawn
test: update nspawn's basic config file used for fuzzing
-rw-r--r-- | test/fuzz/fuzz-nspawn-settings/basic-config | 35 | ||||
-rw-r--r-- | test/test-functions | 5 | ||||
-rwxr-xr-x | test/units/testsuite-13.nspawn.sh | 8 |
3 files changed, 43 insertions, 5 deletions
diff --git a/test/fuzz/fuzz-nspawn-settings/basic-config b/test/fuzz/fuzz-nspawn-settings/basic-config
index be0d4e7c7b..abc8b20d3d 100644
--- a/test/fuzz/fuzz-nspawn-settings/basic-config
+++ b/test/fuzz/fuzz-nspawn-settings/basic-config
@@ -1,6 +1,7 @@
 [Exec]
 Boot=off
 ProcessTwo=off
+Ephemeral=yes
 Parameters=/sbin/init -x=1
 Environment=THIS=that
 User=user
@@ -8,28 +9,56 @@ WorkingDirectory=/cwd
 PivotRoot=/newroot
 Capability=CAP_NET
 DropCapability=CAP_ADMIN
+AmbientCapability=CAP_SETUID
+NoNewPrivileges=yes
 KillSignal=SIGTERM
 Personality=shy
 MachineID=edbfea3309ba41ea83e2318c58a8d498
-PrivateUser=1:2
+PrivateUsers=1:2
 NotifyReady=no
 SystemCallFilters=write
+LimitCPU=10:20
+LimitFSIZE=5:10
+LimitDATA=100:200
+LimitSTACK=1024:2048
+LimitCore=0:1024
+LimitRSS=1024:4096
+LimitNOFILE=5:15
+LimitAS=2048:4096
+LimitNPROC=32:64
+LimitMEMLOCK=128:256
+LimitLOCKS=100:300
+LimitSIGPENDING=1:3
+LimitMSGQUEUE=16:32
+LimitNICE=4:5
+LimitRTPRIO=0:1
+LimitRTTIME=2:3
+OOMScoreAdjust=50
+CPUAffinity=1,2,3-4
+Hostname=foo.bar
+ResolvConf=copy-host
+Timezone=bind
+LinkJournal=try-guest
+SuppressSync=yes
 [Files]
 ReadOnly=no
 Volatile=no
 Bind=/bindthis
 BindReadOnly=/bindthisro
+BindUser=testuser
 TemporaryFileSystem=/thisismytmpfs:rw
+Inaccessible=yes
 Overlay=/thisisanoverlay:/thisisanoverlaytoo
-PrivateUsersChown=no
+OverlayReadOnly=/foo:/bar:/baz:/merged
+PrivateUsersOwnership=no
 [Network]
 Private=off
 VirtualEthernet=yes
 VirtualEthernetExtra=veth1:veth2
 Interface=eth1 enp0s1
-MacVLAN=eno1 eno2
+MACVLAN=eno1 eno2
 IPVLAN=eno3 enp2s124
 Bridge=bridge123 bridge125
 Zone=myzone
diff --git a/test/test-functions b/test/test-functions
index 2a733d8b8f..1bf9f2d54f 100644
--- a/test/test-functions
+++ b/test/test-functions
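Review bot: Two of the new seed lines in the second hunk look like they will not reach the parser path their neighbours exercise: `+LimitCore=0:1024` is the only rlimit key not written in upper case (the service-unit spelling is `LimitCORE=`, and if nspawn's key table is case-sensitive in the same way this line only hits the unknown-key path), and `+Inaccessible=yes` gives a boolean to a `[Files]` setting that, as far as I recall, takes a path list like `Bind=` and `BindReadOnly=` above it. Neither breaks fuzzing, since the seed is mutated anyway, but if the intent was to cover the corresponding parsers the lines should be `LimitCORE=0:1024` and something like `Inaccessible=/inaccessible`. The rest of the renames (`PrivateUsers=`, `PrivateUsersOwnership=`, `MACVLAN=`) match the key names as I know them.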
@@ -1256,6 +1256,11 @@ install_systemd() {
 # the systemd-nspawn@.service unit.
 cp "$initdir/usr/lib/systemd/system/systemd-nspawn@.service" "$initdir/etc/systemd/system/systemd-nspawn@.service"
 sed -ri "s/^ExecStart=.+$/& --bind=${BUILD_DIR//\//\\\/}/" "$initdir/etc/systemd/system/systemd-nspawn@.service"
+ # Pass the $BUILD_DIR as $COVERAGE_BUILD_DIR env variable to the system
+ # manager, similarly to what we do with $ASAN_RT_PATH during sanitized
+ # builds
+ mkdir -p "$initdir/etc/systemd/system.conf.d/"
+ echo -ne "[Manager]\nDefaultEnvironment=COVERAGE_BUILD_DIR=$BUILD_DIR\n" >"$initdir/etc/systemd/system.conf.d/99-COVERAGE_BUILD_DIR.conf"
 fi
 # If we're built with -Dportabled=false, tests with systemd-analyze
diff --git a/test/units/testsuite-13.nspawn.sh b/test/units/testsuite-13.nspawn.sh
index 22a06e8112..76ba143751 100755
--- a/test/units/testsuite-13.nspawn.sh
+++ b/test/units/testsuite-13.nspawn.sh
@@ -48,6 +48,7 @@ mount -t tmpfs tmpfs /var/lib/machines
 testcase_sanity_check() {
 local template root image oci uuid tmpdir
+ tmpdir="$(mktemp -d)"
 template="$(mktemp -d /tmp/nspawn-template.XXX)"
 "$CREATE_BB_CONTAINER" "$template"
 # Create a simple image from the just created container template
@@ -94,7 +95,10 @@ EOF
 systemd-nspawn --directory="$root" --ephemeral sh -xec 'touch /ephemeral'
 test ! -e "$root/ephemeral"
- (! systemd-nspawn --directory="$root" --read-only sh -xec 'touch /nope')
+ (! systemd-nspawn --directory="$root" \
+ --bind="${COVERAGE_BUILD_DIR:-$tmpdir}" \
+ --read-only \
+ sh -xec 'touch /nope')
 test ! -e "$root/nope"
 systemd-nspawn --image="$image" sh -xec 'echo hello'
 systemd-nspawn --oci-bundle="$oci" sh -xec 'mountpoint /root'
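Review bot: The new `echo -ne` line writes `$BUILD_DIR` unquoted into `DefaultEnvironment=`, which the manager parses as a whitespace-separated list of assignments, so a build directory containing a space would be split into several bogus variables instead of one path. The `sed` line just above already escapes only `/`, so the assumption that the path is plain is not new, but it is cheap to make the drop-in robust and to avoid `echo -e` at the same time: `printf '[Manager]\nDefaultEnvironment="COVERAGE_BUILD_DIR=%s"\n' "$BUILD_DIR" >"$initdir/etc/systemd/system.conf.d/99-COVERAGE_BUILD_DIR.conf"`. The `if` this sits in starts outside the hunk; only its closing `fi` is visible, so I cannot tell whether the drop-in is limited to coverage builds as the comment suggests.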
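Review bot: Moving `tmpdir="$(mktemp -d)"` to the top of testcase_sanity_check makes the directory exist for the whole test, but nothing in the visible hunks removes it, and the function's end (outside this hunk) is where a cleanup would have to be; if there is no `rm -rf -- "${tmpdir:?}"` or trap there, every run now leaves a directory behind even when an early step fails. Since it doubles as the fallback bind source for the read-only checks, a one-line note next to the assignment would help the next reader: `# writable scratch dir; also the --bind= fallback when COVERAGE_BUILD_DIR is unset`. The previous creation site in the `-178` hunk was removed, so this is now the only place the variable is set.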
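Review bot: The added `--bind="${COVERAGE_BUILD_DIR:-$tmpdir}"` makes one host directory writable inside a container that the test otherwise runs `--read-only`, and the hunk does not say why; presumably coverage-instrumented binaries need the build tree writable for their profile output, but a reader of the test will wonder whether the read-only check has been weakened. I would put the reason on the line: `--bind="${COVERAGE_BUILD_DIR:-$tmpdir}" \  # coverage builds write profile data into the build dir`, and the same applies to the identical bind added to the `--volatile=state` call in the `-114` hunk. If `COVERAGE_BUILD_DIR` is set but does not exist in the test VM, the `(! ...)` wrapper will still report success because nspawn fails before `touch /nope` runs, so the check silently stops testing read-only semantics in that case. testcase_sanity_check continues outside the hunk.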
@@ -114,6 +118,7 @@ EOF
 test ! -e "$root/usr/read-only"
 # volatile=state: rootfs is read-only, /var/ is tmpfs
 systemd-nspawn --directory="$root" \
+ --bind="${COVERAGE_BUILD_DIR:-$tmpdir}" \
 --volatile=state \
 sh -xec 'test -e /usr/has-usr; mountpoint /var; touch /read-only && exit 1; touch /var/nope'
 test ! -e "$root/read-only"
@@ -178,7 +183,6 @@ EOF
 sh -xec "[[ \$container_uuid == $uuid ]]"
 # Mounts
- tmpdir="$(mktemp -d)"
 mkdir "$tmpdir"/{1,2,3}
 touch "$tmpdir/1/one" "$tmpdir/2/two" "$tmpdir/3/three"
 touch "$tmpdir/foo"