xref: /unit/test/unit/check/isolation.py (revision 1984:06514cd08a35)
11740Szelenkov@nginx.comimport json
21740Szelenkov@nginx.comimport os
31740Szelenkov@nginx.com
41740Szelenkov@nginx.comfrom unit.applications.lang.go import TestApplicationGo
51740Szelenkov@nginx.comfrom unit.applications.lang.java import TestApplicationJava
6*1971Szelenkov@nginx.comfrom unit.applications.lang.node import TestApplicationNode
71911So.canty@f5.comfrom unit.applications.lang.ruby import TestApplicationRuby
81740Szelenkov@nginx.comfrom unit.http import TestHTTP
91740Szelenkov@nginx.comfrom unit.option import option
101740Szelenkov@nginx.comfrom unit.utils import getns
111740Szelenkov@nginx.com
# Namespace types that check_isolation() looks up with getns() after the
# 'user' namespace has been confirmed; 'user' itself is handled separately.
allns = [
    'pid',
    'mnt',
    'ipc',
    'uts',
    'cgroup',
    'net',
]

# Module-level HTTP client; check_isolation() uses it to PUT the probe
# configuration to Unit's control socket.
http = TestHTTP()
141740Szelenkov@nginx.com
151848Szelenkov@nginx.com
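def check_isolation():
    """Probe whether Unit accepts an application isolated in a credential namespace.

    One minimal application is configured for the first language module
    found in ``option.available['modules']`` (checked in the order go,
    python, php, ruby, java, node, perl). The configuration requests
    ``isolation.namespaces.credential`` and is PUT to the control socket at
    ``option.temp_dir + '/control.unit.sock'``.

    Nothing is returned. On success the findings are stored in
    ``option.available['features']['isolation']``:

    * ``'user'`` - value of ``getns('user')``;
    * ``'unprivileged_userns_clone'`` - ``True`` when the sysctl file of
      that name exists and contains ``1``;
    * one entry per name in ``allns`` for which ``getns`` gives a truthy
      value.

    The function returns early, leaving ``features`` untouched, when no
    supported module is available, when the control API response body does
    not contain ``'success'``, or when ``getns('user')`` is falsy.

    NOTE(review): an accepted configuration shows that Unit did not reject
    the credential-namespace request; whether an application process is
    actually started inside a new namespace at this point is not visible
    from this function - confirm before treating the flag as proof that
    isolation is enforced.
    """
    available = option.available
    modules = available['modules']

    # Every probe configuration asks for the same isolation settings, so the
    # literal is defined once instead of being repeated in each branch.
    isolation = {"namespaces": {"credential": True}}

    if 'go' in modules:
        TestApplicationGo().prepare_env('empty', 'app')

        conf = {
            "listeners": {"*:7080": {"pass": "applications/empty"}},
            "applications": {
                "empty": {
                    "type": "external",
                    "processes": {"spare": 0},
                    "working_directory": option.test_dir + "/go/empty",
                    "executable": option.temp_dir + "/go/app",
                    "isolation": isolation,
                },
            },
        }

    elif 'python' in modules:
        conf = {
            "listeners": {"*:7080": {"pass": "applications/empty"}},
            "applications": {
                "empty": {
                    "type": "python",
                    "processes": {"spare": 0},
                    "path": option.test_dir + "/python/empty",
                    "working_directory": option.test_dir + "/python/empty",
                    "module": "wsgi",
                    "isolation": isolation,
                }
            },
        }

    elif 'php' in modules:
        conf = {
            "listeners": {"*:7080": {"pass": "applications/phpinfo"}},
            "applications": {
                "phpinfo": {
                    "type": "php",
                    "processes": {"spare": 0},
                    "root": option.test_dir + "/php/phpinfo",
                    "working_directory": option.test_dir + "/php/phpinfo",
                    "index": "index.php",
                    "isolation": isolation,
                }
            },
        }

    elif 'ruby' in modules:
        TestApplicationRuby().prepare_env('empty')

        conf = {
            "listeners": {"*:7080": {"pass": "applications/empty"}},
            "applications": {
                "empty": {
                    "type": "ruby",
                    "processes": {"spare": 0},
                    "working_directory": option.temp_dir + "/ruby/empty",
                    "script": option.temp_dir + "/ruby/empty/config.ru",
                    "isolation": isolation,
                }
            },
        }

    elif 'java' in modules:
        TestApplicationJava().prepare_env('empty')

        conf = {
            "listeners": {"*:7080": {"pass": "applications/empty"}},
            "applications": {
                "empty": {
                    "unit_jars": option.current_dir + "/build",
                    "type": "java",
                    "processes": {"spare": 0},
                    "working_directory": option.test_dir + "/java/empty/",
                    "webapp": option.temp_dir + "/java",
                    "isolation": isolation,
                }
            },
        }

    elif 'node' in modules:
        TestApplicationNode().prepare_env('basic')

        conf = {
            "listeners": {"*:7080": {"pass": "applications/basic"}},
            "applications": {
                "basic": {
                    "type": "external",
                    "processes": {"spare": 0},
                    "working_directory": option.temp_dir + "/node",
                    "executable": "app.js",
                    "isolation": isolation,
                }
            },
        }

    elif 'perl' in modules:
        conf = {
            "listeners": {"*:7080": {"pass": "applications/body_empty"}},
            "applications": {
                "body_empty": {
                    "type": "perl",
                    "processes": {"spare": 0},
                    "working_directory": option.test_dir + "/perl/body_empty",
                    "script": option.test_dir + "/perl/body_empty/psgi.pl",
                    "isolation": isolation,
                }
            },
        }

    else:
        # No language module to host the probe application.
        return

    resp = http.put(
        url='/config',
        sock_type='unix',
        addr=option.temp_dir + '/control.unit.sock',
        body=json.dumps(conf),
    )

    # Unit rejected the configuration: leave the isolation feature unset.
    if 'success' not in resp['body']:
        return

    # presumably getns() returns an identifier of the named namespace for
    # the test process, or a falsy value when it cannot be read - confirm
    # in unit.utils.
    userns = getns('user')
    if not userns:
        return

    features = {'user': userns}
    available['features']['isolation'] = features

    # The sysctl file is absent on kernels that do not provide it; in that
    # case, or when it holds anything other than '1', the key is simply not
    # recorded rather than being set to False.
    unp_clone_path = '/proc/sys/kernel/unprivileged_userns_clone'
    if os.path.exists(unp_clone_path):
        with open(unp_clone_path, 'r') as f:
            if f.read().rstrip() == '1':
                features['unprivileged_userns_clone'] = True

    for ns in allns:
        ns_value = getns(ns)
        if ns_value:
            features[ns] = ns_value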