GNU bug report logs - #75810
[PATCH 0/6] Rootless guix-daemon


Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Fri, 24 Jan 2025 17:24:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>





From: Ludovic Courtès <ludo <at> gnu.org>
To: 75810 <at> debbugs.gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>
Subject: [bug#75810] [PATCH 2/6] DRAFT tests: Run in a chroot and unprivileged user namespaces.
Date: Fri, 24 Jan 2025 18:24:52 +0100
DRAFT:

  - Double-check the test suite.

* build-aux/test-env.in: Pass ‘--disable-chroot’ only when unprivileged
user namespace support is lacking.
* tests/store.scm ("build-things, check mode"): Use ‘gettimeofday’
rather than a shared file as a source of entropy.
("isolated environment"): New test.

Change-Id: Iedb816ef548c77799e5b2f9b6a3b7510ad19ec2a
---
 build-aux/test-env.in | 14 ++++++-
 tests/store.scm       | 89 ++++++++++++++++++++++++++-----------------
 2 files changed, 66 insertions(+), 37 deletions(-)

diff --git a/build-aux/test-env.in b/build-aux/test-env.in
index 9caa29da58..5626152b34 100644
--- a/build-aux/test-env.in
+++ b/build-aux/test-env.in
@@ -1,7 +1,7 @@
 #!/bin/sh
 
 # GNU Guix --- Functional package management for GNU
-# Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2021 Ludovic Courtès <ludo <at> gnu.org>
+# Copyright © 2012-2019, 2021, 2025 Ludovic Courtès <ludo <at> gnu.org>
 #
 # This file is part of GNU Guix.
 #
@@ -102,10 +102,20 @@ then
     rm -rf "$GUIX_STATE_DIRECTORY/daemon-socket"
     mkdir -m 0700 "$GUIX_STATE_DIRECTORY/daemon-socket"
 
+    # If unprivileged user namespaces are not supported, pass
+    # '--disable-chroot'.
+    if [ ! -f /proc/sys/kernel/unprivileged_userns_clone ] \
+       || [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" -eq 1 ]; then
+	extra_options=""
+    else
+	extra_options="--disable-chroot"
+    fi
+
     # Launch the daemon without chroot support because is may be
     # unavailable, for instance if we're not running as root.
     "@abs_top_builddir@/pre-inst-env"				\
-	"@abs_top_builddir@/guix-daemon" --disable-chroot	\
+	"@abs_top_builddir@/guix-daemon"			\
+        $extra_options						\
 	--substitute-urls="$GUIX_BINARY_SUBSTITUTE_URL" &
 
     daemon_pid=$!
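Review bot: The chroot decision added at L65–66 keys on `/proc/sys/kernel/unprivileged_userns_clone`, a sysctl that only exists on Debian-patched kernels; on a mainline kernel the file is absent, the first branch is taken, and the daemon is launched with chroot enabled even where unprivileged user namespaces are blocked by other means (e.g. the `user.max_user_namespaces` sysctl at 0, or a distribution hardening policy). The tests/store.scm hunk ending at L133 makes the matching skip decision with `unprivileged-user-namespace-supported?`, a different criterion, so the two can disagree and "isolated environment" then fails instead of being skipped. Deciding both sides with the same predicate would close that gap, e.g. `if "@abs_top_builddir@/pre-inst-env" guile -c '(use-modules (gnu build linux-container)) (exit (unprivileged-user-namespace-supported?))'; then extra_options=""; else extra_options="--disable-chroot"; fi` (assuming the predicate only probes the kernel — confirm). The comment at L72–73 is also now stale since the daemon is chrooted whenever the check passes; suggest `# Launch the daemon, without chroot support only when unprivileged user namespaces are unavailable (e.g. not running as root on a kernel that blocks them).` The enclosing `then` block starts before the hunk.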
diff --git a/tests/store.scm b/tests/store.scm
index 45948f4f43..bdbb026dd9 100644
--- a/tests/store.scm
+++ b/tests/store.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012-2021, 2023 Ludovic Courtès <ludo <at> gnu.org>
+;;; Copyright © 2012-2021, 2023, 2025 Ludovic Courtès <ludo <at> gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -30,6 +30,8 @@ (define-module (test-store)
   #:use-module (guix derivations)
   #:use-module (guix serialization)
   #:use-module (guix build utils)
+  #:use-module ((gnu build linux-container)
+                #:select (unprivileged-user-namespace-supported?))
   #:use-module (guix gexp)
   #:use-module (gnu packages)
   #:use-module (gnu packages bootstrap)
@@ -391,6 +393,32 @@ (define %shell
          (equal? (valid-derivers %store o)
                  (list (derivation-file-name d))))))
 
+(unless (unprivileged-user-namespace-supported?)
+  (test-skip 1))
+(test-equal "isolated environment"
+  (string-join (append
+                '("PID: 1" "UID: 30001")
+                (delete-duplicates
+                 (sort (list "/dev" "/tmp" "/proc" "/etc"
+                             (match (string-tokenize (%store-prefix)
+                                                     (char-set-complement
+                                                      (char-set #\/)))
+                               ((top _ ...) (string-append "/" top))))
+                       string<?))
+                '("/etc/group" "/etc/hosts" "/etc/passwd")))
+  (let* ((b (add-text-to-store %store "build.sh"
+                               "echo -n PID: $$ UID: $UID /* /etc/* > $out"))
+         (s (add-to-store %store "bash" #t "sha256"
+                          (search-bootstrap-binary "bash"
+                                                   (%current-system))))
+         (d (derivation %store "the-thing"
+                        s `("-e" ,b)
+                        #:env-vars `(("foo" . ,(random-text)))
+                        #:inputs `((,b) (,s))))
+         (o (derivation->output-path d)))
+    (and (build-derivations %store (list d))
+         (call-with-input-file o get-string-all))))
+
 (test-equal "with-build-handler"
   'success
   (let* ((b  (add-text-to-store %store "build" "echo $foo > $out" '()))
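Review bot: The expected value at L108–117 hard-codes `"PID: 1"` and `"UID: 30001"` with no comment saying where those numbers come from, which makes the test hard to maintain when the daemon's build-user configuration changes. Suggest a comment above the `test-equal` at L107 stating what is being asserted: that the builder runs as PID 1 in its own PID namespace, that its UID is the one the daemon maps the build user to inside the user namespace (presumably the first build user's UID — confirm against the daemon's defaults), and that the root and /etc listings show only what the chroot provides rather than the host file system. It would also be worth noting next to the `test-skip` at L105–106 that the test additionally assumes the daemon under test was started with chroot support, which build-aux/test-env.in decides separately.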
@@ -1333,40 +1361,31 @@ (define %shell
 
 (test-assert "build-things, check mode"
   (with-store store
-    (call-with-temporary-output-file
-     (lambda (entropy entropy-port)
-       (write (random-text) entropy-port)
-       (force-output entropy-port)
-       (let* ((drv  (build-expression->derivation
-                     store "non-deterministic"
-                     `(begin
-                        (use-modules (rnrs io ports))
-                        (let ((out (assoc-ref %outputs "out")))
-                          (call-with-output-file out
-                            (lambda (port)
-                              ;; Rely on the fact that tests do not use the
-                              ;; chroot, and thus ENTROPY is readable.
-                              (display (call-with-input-file ,entropy
-                                         get-string-all)
-                                       port)))
-                          #t))
-                     #:guile-for-build
-                     (package-derivation store %bootstrap-guile (%current-system))))
-              (file (derivation->output-path drv)))
-         (and (build-things store (list (derivation-file-name drv)))
-              (begin
-                (write (random-text) entropy-port)
-                (force-output entropy-port)
-                (guard (c ((store-protocol-error? c)
-                           (pk 'determinism-exception c)
-                           (and (not (zero? (store-protocol-error-status c)))
-                                (string-contains (store-protocol-error-message c)
-                                                 "deterministic"))))
-                  ;; This one will produce a different result.  Since we're in
-                  ;; 'check' mode, this must fail.
-                  (build-things store (list (derivation-file-name drv))
-                                (build-mode check))
-                  #f))))))))
+    (let* ((drv  (build-expression->derivation
+                  store "non-deterministic"
+                  `(begin
+                     (use-modules (rnrs io ports))
+                     (let ((out (assoc-ref %outputs "out")))
+                       (call-with-output-file out
+                         (lambda (port)
+                           (let ((now (gettimeofday)))
+                             (display (+ (car now) (cdr now)) port))))
+                       #t))
+                  #:guile-for-build
+                  (package-derivation store %bootstrap-guile (%current-system))))
+           (file (derivation->output-path drv)))
+      (and (build-things store (list (derivation-file-name drv)))
+           (begin
+             (guard (c ((store-protocol-error? c)
+                        (pk 'determinism-exception c)
+                        (and (not (zero? (store-protocol-error-status c)))
+                             (string-contains (store-protocol-error-message c)
+                                              "deterministic"))))
+               ;; This one will produce a different result.  Since we're in
+               ;; 'check' mode, this must fail.
+               (build-things store (list (derivation-file-name drv))
+                             (build-mode check))
+               #f))))))
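Review bot: At L179–180 the seconds and microseconds from `gettimeofday` are summed into a single integer, so two builds one second apart whose microsecond counts differ by one produce identical output and the check-mode rebuild would spuriously succeed; the window is tiny, but there is no reason to keep it. Writing the raw pair instead, `(display (gettimeofday) port)` in place of the `let` at L179–180, keeps both fields distinct in the output. The `file` binding at L184 is carried over from the old version and is still unused; it could be dropped while the block is being rewritten.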
 
 (test-assert "build-succeeded trace in check mode"
   (string-contains
-- 
2.47.1




