From 3999ea001a70c8efc48115737e9c5b3c03d3640f Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal
Date: Tue, 16 May 2023 19:17:40 +0200
Subject: test: rename TEST-19-DELEGATE to TEST-19-CGROUP

And clean it up a bit.
---
test/TEST-19-CGROUP/Makefile | 1 +
test/TEST-19-CGROUP/test.sh | 12 +++++
test/TEST-19-DELEGATE/Makefile | 1 -
test/TEST-19-DELEGATE/test.sh | 13 -----
test/units/testsuite-19.delegate.sh | 102 ++++++++++++++++++++++++++++++++++++
test/units/testsuite-19.sh | 70 +++----------------------
6 files changed, 121 insertions(+), 78 deletions(-)
create mode 120000 test/TEST-19-CGROUP/Makefile
create mode 100755 test/TEST-19-CGROUP/test.sh
delete mode 120000 test/TEST-19-DELEGATE/Makefile
delete mode 100755 test/TEST-19-DELEGATE/test.sh
create mode 100755 test/units/testsuite-19.delegate.sh
diff --git a/test/TEST-19-CGROUP/Makefile b/test/TEST-19-CGROUP/Makefile
new file mode 120000
index 0000000000..e9f93b1104
--- /dev/null
+++ b/test/TEST-19-CGROUP/Makefile
@@ -0,0 +1 @@
+../TEST-01-BASIC/Makefile
\ No newline at end of file
diff --git a/test/TEST-19-CGROUP/test.sh b/test/TEST-19-CGROUP/test.sh
new file mode 100755
index 0000000000..ba05b5ecdf
--- /dev/null
+++ b/test/TEST-19-CGROUP/test.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+TEST_DESCRIPTION="Various cgroup-related tests"
+
+# shellcheck source=test/test-functions
+. "${TEST_BASE_DIR:?}/test-functions"
+
+UNIFIED_CGROUP_HIERARCHY=yes
+
+do_test "$@"
diff --git a/test/TEST-19-DELEGATE/Makefile b/test/TEST-19-DELEGATE/Makefile
deleted file mode 120000
index e9f93b1104..0000000000
--- a/test/TEST-19-DELEGATE/Makefile
+++ /dev/null
@@ -1 +0,0 @@
-../TEST-01-BASIC/Makefile
\ No newline at end of file
diff --git a/test/TEST-19-DELEGATE/test.sh b/test/TEST-19-DELEGATE/test.sh
deleted file mode 100755
index 1b50ac3ae7..0000000000
--- a/test/TEST-19-DELEGATE/test.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/usr/bin/env bash
-# SPDX-License-Identifier: LGPL-2.1-or-later
-set -e
-
-TEST_DESCRIPTION="test cgroup delegation in the unified hierarchy"
-TEST_NO_NSPAWN=1
-
-# shellcheck source=test/test-functions
-. "${TEST_BASE_DIR:?}/test-functions"
-
-UNIFIED_CGROUP_HIERARCHY=yes
-
-do_test "$@"
diff --git a/test/units/testsuite-19.delegate.sh b/test/units/testsuite-19.delegate.sh
new file mode 100755
index 0000000000..691913cb81
--- /dev/null
+++ b/test/units/testsuite-19.delegate.sh
@@ -0,0 +1,102 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+set -o pipefail
+
+# Test cgroup delegation in the unified hierarchy
+
+# shellcheck source=test/units/util.sh
+. "$(dirname "$0")"/util.sh
+
+if [[ "$(get_cgroup_hierarchy)" != unified ]]; then
+ echo "Skipping $0 as we're not running with the unified cgroup hierarchy"
+ exit 0
+fi
+
+at_exit() {
+ set +e
+ userdel -r test
+}
+
+systemd-run --wait \
+ --unit=test-0.service \
+ --property="DynamicUser=1" \
+ --property="Delegate=" \
+ test -w /sys/fs/cgroup/system.slice/test-0.service/ -a \
+ -w /sys/fs/cgroup/system.slice/test-0.service/cgroup.procs -a \
+ -w /sys/fs/cgroup/system.slice/test-0.service/cgroup.subtree_control
+
+systemd-run --wait \
+ --unit=test-1.service \
+ --property="DynamicUser=1" \
+ --property="Delegate=memory pids" \
+ grep -q memory /sys/fs/cgroup/system.slice/test-1.service/cgroup.controllers
+
+systemd-run --wait \
+ --unit=test-2.service \
+ --property="DynamicUser=1" \
+ --property="Delegate=memory pids" \
+ grep -q pids /sys/fs/cgroup/system.slice/test-2.service/cgroup.controllers
+
+# "io" is not among the controllers enabled by default for all units, verify that
+grep -qv io /sys/fs/cgroup/system.slice/cgroup.controllers
+
+# Run a service with "io" enabled, and verify it works
+systemd-run --wait \
+ --unit=test-3.service \
+ --property="IOAccounting=yes" \
+ --property="Slice=system-foo-bar-baz.slice" \
+ grep -q io /sys/fs/cgroup/system.slice/system-foo.slice/system-foo-bar.slice/system-foo-bar-baz.slice/test-3.service/cgroup.controllers
+
+# We want to check if "io" is removed again from the controllers
+# list. However, PID 1 (rightfully) does this asynchronously. In order
+# to force synchronization on this, let's start a short-lived service
+# which requires PID 1 to refresh the cgroup tree, so that we can
+# verify that this all works.
+systemd-run --wait --unit=test-4.service true
+
+# And now check again, "io" should have vanished
+grep -qv io /sys/fs/cgroup/system.slice/cgroup.controllers
+
+# Check that unprivileged delegation works for scopes
+useradd test ||:
+systemd-run --uid=test \
+ --property="User=test" \
+ --property="Delegate=yes" \
+ --slice workload.slice \
+ --unit test-workload0.scope\
+ --scope \
+ test -w /sys/fs/cgroup/workload.slice/test-workload0.scope -a \
+ -w /sys/fs/cgroup/workload.slice/test-workload0.scope/cgroup.procs -a \
+ -w /sys/fs/cgroup/workload.slice/test-workload0.scope/cgroup.subtree_control
+
+# Verify that DelegateSubgroup= affects ownership correctly
+unit="test-subgroup-$RANDOM.service"
+systemd-run --wait \
+ --unit="$unit" \
+ --property="DynamicUser=1" \
+ --property="Delegate=pids" \
+ --property="DelegateSubgroup=foo" \
+ test -w "/sys/fs/cgroup/system.slice/$unit" -a \
+ -w "/sys/fs/cgroup/system.slice/$unit/foo"
+
+# Check that for the subgroup also attributes that aren't covered by
+# regular (i.e. main cgroup) delegation ownership rules are delegated properly
+if test -f /sys/fs/cgroup/cgroup.max.depth; then
+ unit="test-subgroup-$RANDOM.service"
+ systemd-run --wait \
+ --unit="$unit" \
+ --property="DynamicUser=1" \
+ --property="Delegate=pids" \
+ --property="DelegateSubgroup=zzz" \
+ test -w "/sys/fs/cgroup/system.slice/$unit/zzz/cgroup.max.depth"
+fi
+
+# Check that the invoked process itsel is also in the subgroup
+unit="test-subgroup-$RANDOM.service"
+systemd-run --wait \
+ --unit="$unit" \
+ --property="DynamicUser=1" \
+ --property="Delegate=pids" \
+ --property="DelegateSubgroup=bar" \
+ grep -q -x -F "0::/system.slice/$unit/bar" /proc/self/cgroup
diff --git a/test/units/testsuite-19.sh b/test/units/testsuite-19.sh
index 93280993f1..34fe819c5e 100755
--- a/test/units/testsuite-19.sh
+++ b/test/units/testsuite-19.sh
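Review bot: `at_exit()` is defined near the top of the new `testsuite-19.delegate.sh`, but nothing in the file registers it, so the `test` account created by `useradd test ||:` ahead of the scope check is never removed. The code being replaced cleaned up with `trap "userdel -r test" RETURN` inside its helper function; unless `util.sh` installs the handler itself (not visible in this patch), add `trap at_exit EXIT` directly after the function definition. Without it the account stays in the test image for whatever runs after this subtest, which makes later user-related checks depend on execution order.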
@@ -3,70 +3,12 @@ set -eux set -o pipefail -test_scope_unpriv_delegation() { - useradd test ||: - trap "userdel -r test" RETURN +: >/failed - systemd-run --uid=test -p User=test -p Delegate=yes --slice workload.slice --unit test-workload0.scope --scope \ - test -w /sys/fs/cgroup/workload.slice/test-workload0.scope -a \ - -w /sys/fs/cgroup/workload.slice/test-workload0.scope/cgroup.procs -a \ - -w /sys/fs/cgroup/workload.slice/test-workload0.scope/cgroup.subtree_control -} +# shellcheck source=test/units/test-control.sh +. "$(dirname "$0")"/test-control.sh -if grep -q cgroup2 /proc/filesystems ; then - systemd-run --wait --unit=test-0.service -p "DynamicUser=1" -p "Delegate=" \ - test -w /sys/fs/cgroup/system.slice/test-0.service/ -a \ - -w /sys/fs/cgroup/system.slice/test-0.service/cgroup.procs -a \ - -w /sys/fs/cgroup/system.slice/test-0.service/cgroup.subtree_control +run_subtests - systemd-run --wait --unit=test-1.service -p "DynamicUser=1" -p "Delegate=memory pids" \ - grep -q memory /sys/fs/cgroup/system.slice/test-1.service/cgroup.controllers - - systemd-run --wait --unit=test-2.service -p "DynamicUser=1" -p "Delegate=memory pids" \ - grep -q pids /sys/fs/cgroup/system.slice/test-2.service/cgroup.controllers - - # "io" is not among the controllers enabled by default for all units, verify that - grep -qv io /sys/fs/cgroup/system.slice/cgroup.controllers - - # Run a service with "io" enabled, and verify it works - systemd-run --wait --unit=test-3.service -p "IOAccounting=yes" -p "Slice=system-foo-bar-baz.slice" \ - grep -q io /sys/fs/cgroup/system.slice/system-foo.slice/system-foo-bar.slice/system-foo-bar-baz.slice/test-3.service/cgroup.controllers - - # We want to check if "io" is removed again from the controllers - # list. However, PID 1 (rightfully) does this asynchronously. In order - # to force synchronization on this, let's start a short-lived service - # which requires PID 1 to refresh the cgroup tree, so that we can - # verify that this all works. 
- systemd-run --wait --unit=test-4.service true - - # And now check again, "io" should have vanished - grep -qv io /sys/fs/cgroup/system.slice/cgroup.controllers - - # Check that unprivileged delegation works for scopes - test_scope_unpriv_delegation - - # Verify that DelegateSubgroup= affects ownership correctly - U="test-subgroup-$RANDOM.service" - systemd-run --wait --unit="$U" -p "DynamicUser=1" -p "Delegate=pids" -p "DelegateSubgroup=foo" \ - test -w "/sys/fs/cgroup/system.slice/$U" -a \ - -w "/sys/fs/cgroup/system.slice/$U/foo" - - # Check that for the subgroup also attributes that aren't covered by - # regular (i.e. main cgroup) delegation ownership rules are delegated properly - if test -f /sys/fs/cgroup/cgroup.max.depth ; then - U="test-subgroup-$RANDOM.service" - systemd-run --wait --unit="$U" -p "DynamicUser=1" -p "Delegate=pids" -p "DelegateSubgroup=zzz" \ - test -w "/sys/fs/cgroup/system.slice/$U/zzz/cgroup.max.depth" - fi - - # Check that the invoked process itsel is also in the subgroup - U="test-subgroup-$RANDOM.service" - systemd-run --wait --unit="$U" -p "DynamicUser=1" -p "Delegate=pids" -p "DelegateSubgroup=bar" \ - grep -q -x -F "0::/system.slice/$U/bar" /proc/self/cgroup -else - echo "Skipping TEST-19-DELEGATE, as the kernel doesn't actually support cgroup v2" >&2 -fi - -echo OK >/testok - -exit 0 +touch /testok +rm /failed -- cgit v1.2.1