-rw-r--r--Dockerfile2
-rw-r--r--Makefile2
-rw-r--r--libpod/oci.go1
-rw-r--r--test/e2e/systemd_test.go81
-rw-r--r--vendor.conf2
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/label/label.go18
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go13
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go11
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go13
9 files changed, 136 insertions, 7 deletions
diff --git a/Dockerfile b/Dockerfile
index 08af0f851..c227207bd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.10
+FROM golang:1.11
RUN echo 'deb http://httpredir.debian.org/debian jessie-backports main' > /etc/apt/sources.list.d/backports.list
diff --git a/Makefile b/Makefile
index 55f34bcc0..55d5ddae3 100644
--- a/Makefile
+++ b/Makefile
@@ -165,7 +165,7 @@ integration.centos:
DIST=CentOS sh .papr_prepare.sh
shell: libpodimage
- ${CONTAINER_RUNTIME} run --tmpfs -e STORAGE_OPTIONS="--storage-driver=vfs" -e CGROUP_MANAGER=cgroupfs -e TESTFLAGS -e TRAVIS -it --privileged --rm -v ${CURDIR}:/go/src/${PROJECT} ${LIBPOD_IMAGE} sh
+ ${CONTAINER_RUNTIME} run -e STORAGE_OPTIONS="--storage-driver=vfs" -e CGROUP_MANAGER=cgroupfs -e TESTFLAGS -e TRAVIS -it --privileged --rm -v ${CURDIR}:/go/src/${PROJECT} ${LIBPOD_IMAGE} sh
testunit: libpodimage
${CONTAINER_RUNTIME} run -e STORAGE_OPTIONS="--storage-driver=vfs" -e TESTFLAGS -e CGROUP_MANAGER=cgroupfs -e TRAVIS -t --privileged --rm -v ${CURDIR}:/go/src/${PROJECT} ${LIBPOD_IMAGE} make localunit
diff --git a/libpod/oci.go b/libpod/oci.go
index 3222f9403..093bfdd35 100644
--- a/libpod/oci.go
+++ b/libpod/oci.go
@@ -861,6 +861,7 @@ func (r *OCIRuntime) execStopContainer(ctr *Container, timeout uint) error {
// checkpointContainer checkpoints the given container
func (r *OCIRuntime) checkpointContainer(ctr *Container, options ContainerCheckpointOptions) error {
+ label.SetSocketLabel(ctr.ProcessLabel())
// imagePath is used by CRIU to store the actual checkpoint files
imagePath := ctr.CheckpointPath()
// workPath will be used to store dump.log and stats-dump
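Review bot: The return value of `label.SetSocketLabel(ctr.ProcessLabel())` is dropped and the socket-creation label is never cleared, so a failed write goes unnoticed and a successful one stays in force after checkpointContainer returns. The vendored implementation added in this same commit writes `/proc/self/task/<tid>/attr/sockcreate`, which is per-thread state, and the goroutine is not pinned to its thread here. The scheduler may therefore move it before the socket is created, and whatever later runs on the labelled thread would create sockets carrying the container's label. Pin the thread, check the error, and restore the default before unlocking (presumably by writing an empty label; confirm against go-selinux), importing `runtime` if the file does not already. The function body continues past the end of this hunk.

```go
func (r *OCIRuntime) checkpointContainer(ctr *Container, options ContainerCheckpointOptions) error {
	// sockcreate is a per-thread attribute: keep this goroutine on one OS thread
	// for as long as the label is set.
	runtime.LockOSThread()
	defer runtime.UnlockOSThread()
	if err := label.SetSocketLabel(ctr.ProcessLabel()); err != nil {
		return err
	}
	defer func() {
		// Runs before UnlockOSThread (defers are LIFO): restore default socket
		// labeling so the thread is not handed back still labelled.
		_ = label.SetSocketLabel("")
	}()
	// … unchanged: imagePath / workPath setup and the rest of the body …
```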
diff --git a/test/e2e/systemd_test.go b/test/e2e/systemd_test.go
new file mode 100644
index 000000000..ce67bb469
--- /dev/null
+++ b/test/e2e/systemd_test.go
@@ -0,0 +1,81 @@
+package integration
+
+import (
+ "fmt"
+ "io/ioutil"
+ "os"
+
+ . "github.com/containers/libpod/test/utils"
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+)
+
+var _ = Describe("Podman systemd", func() {
+ var (
+ tempdir string
+ err error
+ podmanTest *PodmanTestIntegration
+ systemd_unit_file string
+ )
+
+ BeforeEach(func() {
+ tempdir, err = CreateTempDirInTempDir()
+ if err != nil {
+ os.Exit(1)
+ }
+ podmanTest = PodmanTestCreate(tempdir)
+ podmanTest.RestoreAllArtifacts()
+ systemd_unit_file = `[Unit]
+Description=redis container
+[Service]
+Restart=always
+ExecStart=/usr/bin/podman start -a redis
+ExecStop=/usr/bin/podman stop -t 10 redis
+KillMode=process
+[Install]
+WantedBy=multi-user.target
+`
+ })
+
+ AfterEach(func() {
+ podmanTest.Cleanup()
+ f := CurrentGinkgoTestDescription()
+ timedResult := fmt.Sprintf("Test: %s completed in %f seconds", f.TestText, f.Duration.Seconds())
+ GinkgoWriter.Write([]byte(timedResult))
+ })
+
+ It("podman start container by systemd", func() {
+ if os.Getenv("SKIP_USERNS") != "" {
+ Skip("Skip userns tests.")
+ }
+
+ sys_file := ioutil.WriteFile("/etc/systemd/system/redis.service", []byte(systemd_unit_file), 0644)
+ Expect(sys_file).To(BeNil())
+
+ create := podmanTest.Podman([]string{"create", "-d", "--name", "redis", "redis"})
+ create.WaitWithDefaultTimeout()
+ Expect(create.ExitCode()).To(Equal(0))
+
+ enable := SystemExec("bash", []string{"-c", "systemctl daemon-reload && systemctl enable --now redis"})
+ enable.WaitWithDefaultTimeout()
+ Expect(enable.ExitCode()).To(Equal(0))
+
+ start := SystemExec("bash", []string{"-c", "systemctl start redis"})
+ start.WaitWithDefaultTimeout()
+
+ logs := SystemExec("bash", []string{"-c", "journalctl -n 20 -u redis"})
+ logs.WaitWithDefaultTimeout()
+
+ status := SystemExec("bash", []string{"-c", "systemctl status redis"})
+ status.WaitWithDefaultTimeout()
+ Expect(status.OutputToString()).To(ContainSubstring("active (running)"))
+
+ cleanup := SystemExec("bash", []string{"-c", "systemctl stop redis && systemctl disable redis"})
+ cleanup.WaitWithDefaultTimeout()
+ Expect(cleanup.ExitCode()).To(Equal(0))
+ os.Remove("/etc/systemd/system/redis.service")
+ sys_clean := SystemExec("bash", []string{"-c", "systemctl daemon-reload"})
+ sys_clean.WaitWithDefaultTimeout()
+ Expect(sys_clean.ExitCode()).To(Equal(0))
+ })
+})
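Review bot: The teardown at the end of the `It` body (stop/disable, `os.Remove`, `daemon-reload`) only runs if every earlier `Expect` passes, so a failure at the `active (running)` check leaves `/etc/systemd/system/redis.service` installed and enabled with `Restart=always` on the host running the suite. Move those three steps into `AfterEach`, or into a `defer` registered right after the `ioutil.WriteFile` call succeeds, so the unit is removed on every path, and check the `os.Remove` error there. The `start` result is also never asserted; add `Expect(start.ExitCode()).To(Equal(0))` after `start.WaitWithDefaultTimeout()`. The `SKIP_USERNS` guard looks unrelated to what this test needs (root and a running systemd), so the intended skip condition is worth confirming.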
diff --git a/vendor.conf b/vendor.conf
index 75483e9f3..f2d7fa414 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -51,7 +51,7 @@ github.com/opencontainers/image-spec v1.0.0
github.com/opencontainers/runc b4e2ecb452d9ee4381137cc0a7e6715b96bed6de
github.com/opencontainers/runtime-spec d810dbc60d8c5aeeb3d054bd1132fab2121968ce
github.com/opencontainers/runtime-tools master
-github.com/opencontainers/selinux 6ba084dd09db3dfe49a839bab0bbe97fd9274d80
+github.com/opencontainers/selinux 51c6c0a5dbc675792e953298cb9871819d6f9bb8
github.com/ostreedev/ostree-go master
github.com/pkg/errors v0.8.0
github.com/pmezard/go-difflib 792786c7400a136282c1664665ae0a8db921c6c2
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
index 2a31cd3c5..bb27ac936 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
@@ -9,7 +9,7 @@ func InitLabels(options []string) (string, string, error) {
return "", "", nil
}
-func GetROMountLabel() string {
+func ROMountLabel() string {
return ""
}
@@ -25,7 +25,19 @@ func SetProcessLabel(processLabel string) error {
return nil
}
-func GetFileLabel(path string) (string, error) {
+func ProcessLabel() (string, error) {
+ return "", nil
+}
+
+func SetSocketLabel(processLabel string) error {
+ return nil
+}
+
+func SocketLabel() (string, error) {
+ return "", nil
+}
+
+func FileLabel(path string) (string, error) {
return "", nil
}
@@ -41,7 +53,7 @@ func Relabel(path string, fileLabel string, shared bool) error {
return nil
}
-func GetPidLabel(pid int) (string, error) {
+func PidLabel(pid int) (string, error) {
return "", nil
}
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
index 63c4edd05..de214b2d5 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
@@ -95,6 +95,17 @@ func SetProcessLabel(processLabel string) error {
return selinux.SetExecLabel(processLabel)
}
+// SetSocketLabel takes a process label and tells the kernel to assign the
+// label to the next socket that gets created
+func SetSocketLabel(processLabel string) error {
+ return selinux.SetSocketLabel(processLabel)
+}
+
+// SocketLabel retrieves the current default socket label setting
+func SocketLabel() (string, error) {
+ return selinux.SocketLabel()
+}
+
// ProcessLabel returns the process label that the kernel will assign
// to the next program executed by the current process. If "" is returned
// this indicates that the default labeling will happen for the process.
@@ -102,7 +113,7 @@ func ProcessLabel() (string, error) {
return selinux.ExecLabel()
}
-// GetFileLabel returns the label for specified path
+// FileLabel returns the label for specified path
func FileLabel(path string) (string, error) {
return selinux.FileLabel(path)
}
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
index bbaa1e0d7..7832f7497 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
@@ -385,6 +385,17 @@ func SetExecLabel(label string) error {
return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", syscall.Gettid()), label)
}
+// SetSocketLabel takes a process label and tells the kernel to assign the
+// label to the next socket that gets created
+func SetSocketLabel(label string) error {
+ return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/sockcreate", syscall.Gettid()), label)
+}
+
+// SocketLabel retrieves the current socket label setting
+func SocketLabel() (string, error) {
+ return readCon(fmt.Sprintf("/proc/self/task/%d/attr/sockcreate", syscall.Gettid()))
+}
+
// Get returns the Context as a string
func (c Context) Get() string {
if c["level"] != "" {
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
index 5abf8a362..99efa155a 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
@@ -96,6 +96,19 @@ func SetExecLabel(label string) error {
return nil
}
+/*
+SetSocketLabel sets the SELinux label that the kernel will use for any programs
+that are executed by the current process thread, or an error.
+*/
+func SetSocketLabel(label string) error {
+ return nil
+}
+
+// SocketLabel retrieves the current socket label setting
+func SocketLabel() (string, error) {
+ return "", nil
+}
+
// Get returns the Context as a string
func (c Context) Get() string {
return ""