import pytest
from unit.applications.lang.python import TestApplicationPython
from unit.option import option
from unit.utils import findmnt
from unit.utils import waitformount
from unit.utils import waitforunmount


def _file_exists(app, path):
    """Return the ``FileExists`` field the loaded app reports for *path*.

    Requests ``/?path=<path>`` from the application and reads
    ``['body']['FileExists']`` from the JSON response, i.e. the answer
    reflects what the application sees, not what the test runner sees.
    """
    # The path is appended to the query string as-is (no URL-encoding).
    return app.getjson(url='/?path=' + path)['body']['FileExists']


class TestPythonIsolation(TestApplicationPython):
    """Filesystem isolation tests (rootfs and automounts) for Python apps."""

    prerequisites = {'modules': {'python': 'any'}, 'features': ['isolation']}

    def test_python_isolation_rootfs(self, is_su, temp_dir):
        """Check what an application confined to a ``rootfs`` can see.

        As root only ``rootfs`` is configured.  Without root the test needs
        unprivileged user namespaces plus user/mnt/pid namespace support,
        and requests the mount, credential and pid namespaces.

        Asserted view from inside the app: the host path of ``temp_dir``,
        ``/dev/pts`` and ``/sys/kernel`` are absent, while ``/proc/self``
        and ``/app/python/ns_inspect`` are present.
        """
        supported = option.available['features']['isolation'].keys()
        isolation = {'rootfs': temp_dir}

        if not is_su:
            # Checked in this order; the first missing feature skips the test.
            needed = (
                ('unprivileged_userns_clone', 'requires unprivileged userns or root'),
                ('user', 'user namespace is not supported'),
                ('mnt', 'mnt namespace is not supported'),
                ('pid', 'pid namespace is not supported'),
            )
            for feature, reason in needed:
                if feature not in supported:
                    pytest.skip(reason)

            isolation['namespaces'] = {
                'mount': True,
                'credential': True,
                'pid': True,
            }

        self.load('ns_inspect', isolation=isolation)

        # The host-side location of the rootfs must not resolve inside it.
        assert (
            _file_exists(self, temp_dir) == False
        ), 'temp_dir does not exists in rootfs'

        assert _file_exists(self, '/proc/self') == True, 'no /proc/self'

        # Host device and sysfs trees must not be visible to the app.
        assert _file_exists(self, '/dev/pts') == False, 'no /dev/pts'

        assert _file_exists(self, '/sys/kernel') == False, 'no /sys/kernel'

        app_visible = _file_exists(self, '/app/python/ns_inspect')

        assert app_visible == True, 'application exists in rootfs'

    def test_python_isolation_rootfs_no_language_deps(self, is_su, temp_dir):
        """Toggle the ``language_deps`` automount and watch the mount table.

        Root only.  With the automount off the request must not return 200
        and ``temp_dir`` must not appear in ``findmnt()`` output before or
        after it.  With the automount on, nothing is mounted before the
        first request, the request returns 200, a mount under ``temp_dir``
        shows up, and it is gone again once listeners and applications are
        removed from the configuration.
        """
        if not is_su:
            pytest.skip('requires root')

        automount = {'language_deps': False}
        isolation = {'rootfs': temp_dir, 'automount': automount}

        self.load('empty', isolation=isolation)

        assert temp_dir not in findmnt()
        assert self.get()['status'] != 200, 'disabled language_deps'
        assert temp_dir not in findmnt()

        automount['language_deps'] = True

        self.load('empty', isolation=isolation)

        assert temp_dir not in findmnt()
        assert self.get()['status'] == 200, 'enabled language_deps'
        # NOTE(review): waitformount/waitforunmount come from unit.utils;
        # presumably they poll the mount table for temp_dir, confirm there.
        assert waitformount(temp_dir), 'language_deps mount'

        # Dropping the application should also drop the mounts made for it.
        self.conf({"listeners": {}, "applications": {}})

        assert waitforunmount(temp_dir), 'language_deps unmount'

    def test_python_isolation_procfs(self, is_su, temp_dir):
        """Toggle the ``procfs`` automount inside a ``rootfs``.

        Root only.  ``/proc/self`` must be absent for the app when the
        automount is off and present when it is on.
        """
        if not is_su:
            pytest.skip('requires root')

        automount = {'procfs': False}
        isolation = {'rootfs': temp_dir, 'automount': automount}

        self.load('ns_inspect', isolation=isolation)

        assert _file_exists(self, '/proc/self') == False, 'no /proc/self'

        automount['procfs'] = True

        self.load('ns_inspect', isolation=isolation)

        assert _file_exists(self, '/proc/self') == True, '/proc/self'