summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLuca Boccassi <bluca@debian.org>2024-07-26 15:01:38 +0200
committerGitHub <noreply@github.com>2024-07-26 15:01:38 +0200
commit85c7a9a2f507536d386bf1ae276156ec50646364 (patch)
tree3c0f8bfddce3b3ddae9581be3e4f42926233179d
parentMerge pull request #30307 from bluca/enforce_inhibitors (diff)
parenttest: Fail cgroup delegation test when user cannot be created (diff)
downloadsystemd-85c7a9a2f507536d386bf1ae276156ec50646364.tar.xz
systemd-85c7a9a2f507536d386bf1ae276156ec50646364.zip
Merge pull request #27855 from Werkov/test-delegate-useraddfixup
Delegate/cgroup test refactor
-rwxr-xr-xtest/units/TEST-19-CGROUP.delegate.sh183
1 files changed, 95 insertions, 88 deletions
diff --git a/test/units/TEST-19-CGROUP.delegate.sh b/test/units/TEST-19-CGROUP.delegate.sh
index 022515fc8c..7f3a7059e2 100755
--- a/test/units/TEST-19-CGROUP.delegate.sh
+++ b/test/units/TEST-19-CGROUP.delegate.sh
@@ -5,6 +5,8 @@ set -o pipefail
# Test cgroup delegation in the unified hierarchy
+# shellcheck source=test/units/test-control.sh
+. "$(dirname "$0")"/test-control.sh
# shellcheck source=test/units/util.sh
. "$(dirname "$0")"/util.sh
@@ -13,104 +15,109 @@ if [[ "$(get_cgroup_hierarchy)" != unified ]]; then
exit 0
fi
-at_exit() {
- set +e
- userdel -r test
+testcase_controllers() {
+ systemd-run --wait \
+ --unit=test-0.service \
+ --property="DynamicUser=1" \
+ --property="Delegate=" \
+ test -w /sys/fs/cgroup/system.slice/test-0.service/ -a \
+ -w /sys/fs/cgroup/system.slice/test-0.service/cgroup.procs -a \
+ -w /sys/fs/cgroup/system.slice/test-0.service/cgroup.subtree_control
+
+ systemd-run --wait \
+ --unit=test-1.service \
+ --property="DynamicUser=1" \
+ --property="Delegate=memory pids" \
+ grep -q memory /sys/fs/cgroup/system.slice/test-1.service/cgroup.controllers
+
+ systemd-run --wait \
+ --unit=test-2.service \
+ --property="DynamicUser=1" \
+ --property="Delegate=memory pids" \
+ grep -q pids /sys/fs/cgroup/system.slice/test-2.service/cgroup.controllers
+
+ # "io" is not among the controllers enabled by default for all units, verify that
+ grep -qv io /sys/fs/cgroup/system.slice/cgroup.controllers
+
+ # Run a service with "io" enabled, and verify it works
+ systemd-run --wait \
+ --unit=test-3.service \
+ --property="IOAccounting=yes" \
+ --property="Slice=system-foo-bar-baz.slice" \
+ grep -q io /sys/fs/cgroup/system.slice/system-foo.slice/system-foo-bar.slice/system-foo-bar-baz.slice/test-3.service/cgroup.controllers
+
+ # We want to check if "io" is removed again from the controllers
+ # list. However, PID 1 (rightfully) does this asynchronously. In order
+ # to force synchronization on this, let's start a short-lived service
+ # which requires PID 1 to refresh the cgroup tree, so that we can
+ # verify that this all works.
+ systemd-run --wait --unit=test-4.service true
+
+ # And now check again, "io" should have vanished
+ grep -qv io /sys/fs/cgroup/system.slice/cgroup.controllers
}
-systemd-run --wait \
- --unit=test-0.service \
- --property="DynamicUser=1" \
- --property="Delegate=" \
- test -w /sys/fs/cgroup/system.slice/test-0.service/ -a \
- -w /sys/fs/cgroup/system.slice/test-0.service/cgroup.procs -a \
- -w /sys/fs/cgroup/system.slice/test-0.service/cgroup.subtree_control
+testcase_attributes() {
+ # Test if delegation also works for some of the more recent attrs the kernel might or might not support
+ for attr in cgroup.threads memory.oom.group memory.reclaim ; do
+ if grep -q "$attr" /sys/kernel/cgroup/delegate ; then
+ systemd-run --wait \
+ --unit=test-0.service \
+ --property="MemoryAccounting=1" \
+ --property="DynamicUser=1" \
+ --property="Delegate=" \
+ test -w /sys/fs/cgroup/system.slice/test-0.service/ -a \
+ -w /sys/fs/cgroup/system.slice/test-0.service/"$attr"
+ fi
+ done
+}
-# Test if this also works for some of the more recent attrs the kernel might or might not support
-for attr in cgroup.threads memory.oom.group memory.reclaim ; do
+testcase_scope_unpriv_delegation() {
+ # Check that unprivileged delegation works for scopes
+ useradd test
+ trap "userdel -r test" RETURN
+ systemd-run --uid=test \
+ --property="User=test" \
+ --property="Delegate=yes" \
+ --slice workload.slice \
+ --unit test-workload0.scope\
+ --scope \
+ test -w /sys/fs/cgroup/workload.slice/test-workload0.scope -a \
+ -w /sys/fs/cgroup/workload.slice/test-workload0.scope/cgroup.procs -a \
+ -w /sys/fs/cgroup/workload.slice/test-workload0.scope/cgroup.subtree_control
+}
- if grep -q "$attr" /sys/kernel/cgroup/delegate ; then
+testcase_subgroup() {
+ # Verify that DelegateSubgroup= affects ownership correctly
+ unit="test-subgroup-$RANDOM.service"
+ systemd-run --wait \
+ --unit="$unit" \
+ --property="DynamicUser=1" \
+ --property="Delegate=pids" \
+ --property="DelegateSubgroup=foo" \
+ test -w "/sys/fs/cgroup/system.slice/$unit" -a \
+ -w "/sys/fs/cgroup/system.slice/$unit/foo"
+
+ # Check that for the subgroup also attributes that aren't covered by
+ # regular (i.e. main cgroup) delegation ownership rules are delegated properly
+ if test -f /sys/fs/cgroup/cgroup.max.depth; then
+ unit="test-subgroup-$RANDOM.service"
systemd-run --wait \
- --unit=test-0.service \
- --property="MemoryAccounting=1" \
+ --unit="$unit" \
--property="DynamicUser=1" \
- --property="Delegate=" \
- test -w /sys/fs/cgroup/system.slice/test-0.service/ -a \
- -w /sys/fs/cgroup/system.slice/test-0.service/"$attr"
+ --property="Delegate=pids" \
+ --property="DelegateSubgroup=zzz" \
+ test -w "/sys/fs/cgroup/system.slice/$unit/zzz/cgroup.max.depth"
fi
-done
-
-systemd-run --wait \
- --unit=test-1.service \
- --property="DynamicUser=1" \
- --property="Delegate=memory pids" \
- grep -q memory /sys/fs/cgroup/system.slice/test-1.service/cgroup.controllers
-
-systemd-run --wait \
- --unit=test-2.service \
- --property="DynamicUser=1" \
- --property="Delegate=memory pids" \
- grep -q pids /sys/fs/cgroup/system.slice/test-2.service/cgroup.controllers
-
-# "io" is not among the controllers enabled by default for all units, verify that
-grep -qv io /sys/fs/cgroup/system.slice/cgroup.controllers
-
-# Run a service with "io" enabled, and verify it works
-systemd-run --wait \
- --unit=test-3.service \
- --property="IOAccounting=yes" \
- --property="Slice=system-foo-bar-baz.slice" \
- grep -q io /sys/fs/cgroup/system.slice/system-foo.slice/system-foo-bar.slice/system-foo-bar-baz.slice/test-3.service/cgroup.controllers
-
-# We want to check if "io" is removed again from the controllers
-# list. However, PID 1 (rightfully) does this asynchronously. In order
-# to force synchronization on this, let's start a short-lived service
-# which requires PID 1 to refresh the cgroup tree, so that we can
-# verify that this all works.
-systemd-run --wait --unit=test-4.service true
-
-# And now check again, "io" should have vanished
-grep -qv io /sys/fs/cgroup/system.slice/cgroup.controllers
-
-# Check that unprivileged delegation works for scopes
-useradd test ||:
-systemd-run --uid=test \
- --property="User=test" \
- --property="Delegate=yes" \
- --slice workload.slice \
- --unit test-workload0.scope\
- --scope \
- test -w /sys/fs/cgroup/workload.slice/test-workload0.scope -a \
- -w /sys/fs/cgroup/workload.slice/test-workload0.scope/cgroup.procs -a \
- -w /sys/fs/cgroup/workload.slice/test-workload0.scope/cgroup.subtree_control
-
-# Verify that DelegateSubgroup= affects ownership correctly
-unit="test-subgroup-$RANDOM.service"
-systemd-run --wait \
- --unit="$unit" \
- --property="DynamicUser=1" \
- --property="Delegate=pids" \
- --property="DelegateSubgroup=foo" \
- test -w "/sys/fs/cgroup/system.slice/$unit" -a \
- -w "/sys/fs/cgroup/system.slice/$unit/foo"
-
-# Check that for the subgroup also attributes that aren't covered by
-# regular (i.e. main cgroup) delegation ownership rules are delegated properly
-if test -f /sys/fs/cgroup/cgroup.max.depth; then
+
+ # Check that the invoked process itself is also in the subgroup
unit="test-subgroup-$RANDOM.service"
systemd-run --wait \
--unit="$unit" \
--property="DynamicUser=1" \
--property="Delegate=pids" \
- --property="DelegateSubgroup=zzz" \
- test -w "/sys/fs/cgroup/system.slice/$unit/zzz/cgroup.max.depth"
-fi
+ --property="DelegateSubgroup=bar" \
+ grep -q -x -F "0::/system.slice/$unit/bar" /proc/self/cgroup
+}
-# Check that the invoked process itself is also in the subgroup
-unit="test-subgroup-$RANDOM.service"
-systemd-run --wait \
- --unit="$unit" \
- --property="DynamicUser=1" \
- --property="Delegate=pids" \
- --property="DelegateSubgroup=bar" \
- grep -q -x -F "0::/system.slice/$unit/bar" /proc/self/cgroup
+run_testcases