Merge pull request #1357 from cyphar/noterminal-io-tests

tests: add various !terminal tests
opencontainers · Oct 25, 2017 · c9b649d · c9b649d
2 parents 74a1729 + ffe5cdc
commit c9b649d
Show file tree

Hide file tree

Showing 3 changed files with 64 additions and 8 deletions.
diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
@@ -348,21 +348,22 @@ func fixStdioPermissions(config *initConfig, u *user.ExecUser) error {
 			continue
 		}
 
-		// Skip chown if s.Gid is actually an unmapped gid in the host. While
-		// this is a bit dodgy if it just so happens that the console _is_
-		// owned by overflow_gid, there's no way for us to disambiguate this as
-		// a userspace program.
-		if _, err := config.Config.HostGID(int(s.Gid)); err != nil {
-			continue
-		}
-
 		// We only change the uid owner (as it is possible for the mount to
 		// prefer a different gid, and there's no reason for us to change it).
 		// The reason why we don't just leave the default uid=X mount setup is
 		// that users expect to be able to actually use their console. Without
 		// this code, you couldn't effectively run as a non-root user inside a
 		// container and also have a console set up.
 		if err := unix.Fchown(int(fd), u.Uid, int(s.Gid)); err != nil {
+			// If we've hit an EINVAL then s.Gid isn't mapped in the user
+			// namespace. If we've hit an EPERM then the inode's current owner
+			// is not mapped in our user namespace (in particular,
+			// privileged_wrt_inode_uidgid() has failed). In either case, we
+			// are in a configuration where it's better for us to just not
+			// touch the stdio rather than bail at this point.
+			if err == unix.EINVAL || err == unix.EPERM {
+				continue
+			}
 			return err
 		}
 	}

diff --git a/tests/integration/config.json b/tests/integration/config.json
diff --git a/tests/integration/tty.bats b/tests/integration/tty.bats
@@ -173,3 +173,58 @@ EOF
 	# test tty width and height against original process.json
 	[[ ${lines[0]} =~ "rows 10; columns 110" ]]
 }
+
+@test "runc create [terminal=false]" {
+	# Disable terminal creation.
+	sed -i 's|"terminal": true,|"terminal": false,|g' config.json
+	# Replace sh script with sleep.
+    sed -i 's|"sh"|"sleep", "1000s"|' config.json
+
+	# Make sure that the handling of detached IO is done properly. See #1354.
+	__runc create test_busybox
+
+	# Start the command.
+	runc start test_busybox
+	[ "$status" -eq 0 ]
+
+	testcontainer test_busybox running
+
+	# Kill the container.
+	runc kill test_busybox KILL
+	[ "$status" -eq 0 ]
+}
+
+@test "runc run [terminal=false]" {
+	# Disable terminal creation.
+	sed -i 's|"terminal": true,|"terminal": false,|g' config.json
+	# Replace sh script with sleep.
+    sed -i 's|"sh"|"sleep", "1000s"|' config.json
+
+	# Make sure that the handling of non-detached IO is done properly. See #1354.
+	(
+		__runc run test_busybox
+	) &
+
+	wait_for_container 15 1 test_busybox
+	testcontainer test_busybox running
+
+	# Kill the container.
+	runc kill test_busybox KILL
+	[ "$status" -eq 0 ]
+}
+
+@test "runc run -d [terminal=false]" {
+	# Disable terminal creation.
+	sed -i 's|"terminal": true,|"terminal": false,|g' config.json
+	# Replace sh script with sleep.
+    sed -i 's|"sh"|"sleep", "1000s"|' config.json
+
+	# Make sure that the handling of detached IO is done properly. See #1354.
+	__runc run -d test_busybox
+
+	testcontainer test_busybox running
+
+	# Kill the container.
+	runc kill test_busybox KILL
+	[ "$status" -eq 0 ]
+}