This series extends the "nsholder" tool we use in the tests to "nstool" with some more features. In particular it allows entering an established namespace with capabilities intact, and it allows entering them with less verbose options than nsenter. For now this only gives a modest simplification of the tests, but it should enable more in future.

I haven't managed to get all the way through the testsuite with this: it's wedging in the IPv4 UDP throughput tests, but that's happening for me with the main branch too. I'll debug that, but I don't want to delay this series on that for now.

Changes since v1:
 * Fixed a bunch of bad indentation from a bad copy/paste
 * Assorted minor cleanups based on review from Stefano

David Gibson (14):
  nstool: Rename nsholder to nstool
  nstool: Reverse parameters to nstool
  nstool: Move description of its operation modes from comment to usage
  nstool: Split some command line parsing and socket setup to subcommands
  nstool: Replace "pid" subcommand with "info" subcommand
  nstool: Detect what namespaces target is in
  nstool: Add magic number to advertized information
  nstool: Helpers to iterate through namespace types
  nstool: Add nstool exec command to execute commands in an nstool namespace
  nstool: Add --keep-caps option to nstool exec
  test: Initialise ${TRACE} properly
  test: Use "nstool exec" to slightly simplify tests
  nstool: Advertise the holder's cwd (in its mountns) across the socket
  nstool: Enter holder's cwd when changing mount ns with nstool exec

 test/.gitignore  |   2 +-
 test/Makefile    |   4 +-
 test/lib/context |  14 +-
 test/lib/setup   |  49 ++--
 test/nsholder.c  | 139 ------------
 test/nstool.c    | 565 +++++++++++++++++++++++++++++++++++++++++++++++
 test/run         |   5 +-
 7 files changed, 602 insertions(+), 176 deletions(-)
 delete mode 100644 test/nsholder.c
 create mode 100644 test/nstool.c

-- 
2.39.2
In preparation for extending what it does. Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au> --- test/.gitignore | 2 +- test/Makefile | 4 ++-- test/lib/setup | 30 +++++++++++++++--------------- test/{nsholder.c => nstool.c} | 22 +++++++++++----------- 4 files changed, 29 insertions(+), 29 deletions(-) rename test/{nsholder.c => nstool.c} (82%) diff --git a/test/.gitignore b/test/.gitignore index fbee491..4837402 100644 --- a/test/.gitignore +++ b/test/.gitignore @@ -6,6 +6,6 @@ QEMU_EFI.fd *.raw *.raw.xz *.bin -nsholder +nstool guest-key guest-key.pub diff --git a/test/Makefile b/test/Makefile index 1341677..50d283e 100644 --- a/test/Makefile +++ b/test/Makefile @@ -58,7 +58,7 @@ TESTDATA_ASSETS = small.bin big.bin medium.bin LOCAL_ASSETS = mbuto.img mbuto.mem.img QEMU_EFI.fd \ $(DEBIAN_IMGS:%=prepared-%) $(FEDORA_IMGS:%=prepared-%) \ $(UBUNTU_NEW_IMGS:%=prepared-%) \ - nsholder guest-key guest-key.pub \ + nstool guest-key guest-key.pub \ $(TESTDATA_ASSETS) ASSETS = $(DOWNLOAD_ASSETS) $(LOCAL_ASSETS) @@ -79,7 +79,7 @@ mbuto.img: passt.mbuto mbuto guest-key.pub $(TESTDATA_ASSETS) mbuto.mem.img: passt.mem.mbuto mbuto ../passt.avx2 ./mbuto/mbuto -p ./$< -c lz4 -f $@ -nsholder: nsholder.c +nstool: nstool.c $(CC) $(CFLAGS) -o $@ $^ QEMU_EFI.fd: diff --git a/test/lib/setup b/test/lib/setup index 5f8ce26..3bd434b 100755 --- a/test/lib/setup +++ b/test/lib/setup @@ -17,7 +17,7 @@ INITRAMFS="${BASEPATH}/mbuto.img" VCPUS="$( [ $(nproc) -ge 8 ] && echo 6 || echo $(( $(nproc) / 2 + 1 )) )" __mem_kib="$(sed -n 's/MemTotal:[ ]*\([0-9]*\) kB/\1/p' /proc/meminfo)" VMEM="$((${__mem_kib} / 1024 / 4))" -NSHOLDER="${BASEPATH}/nsholder" +NSTOOL="${BASEPATH}/nstool" # setup_build() - Set up pane layout for build tests setup_build() { 
@@ -77,8 +77,8 @@ setup_pasta() { layout_pasta - context_run_bg unshare "unshare -rUnpf ${NSHOLDER} ${STATESETUP}/ns.hold hold" - __target_pid=$(${NSHOLDER} ${STATESETUP}/ns.hold pid) + context_run_bg unshare "unshare -rUnpf ${NSTOOL} ${STATESETUP}/ns.hold hold" + __target_pid=$(${NSTOOL} ${STATESETUP}/ns.hold pid) context_setup_nsenter ns -U -n -p --preserve-credentials -t ${__target_pid} @@ -126,9 +126,9 @@ setup_passt_in_ns() { [ ${DEBUG} -eq 1 ] && __opts="${__opts} -d" [ ${TRACE} -eq 1 ] && __opts="${__opts} --trace" - context_run_bg pasta "./pasta ${__opts} -t 10001,10002,10011,10012 -T 10003,10013 -u 10001,10002,10011,10012 -U 10003,10013 -P ${STATESETUP}/pasta.pid --config-net ${NSHOLDER} ${STATESETUP}/ns.hold hold" + context_run_bg pasta "./pasta ${__opts} -t 10001,10002,10011,10012 -T 10003,10013 -u 10001,10002,10011,10012 -U 10003,10013 -P ${STATESETUP}/pasta.pid --config-net ${NSTOOL} ${STATESETUP}/ns.hold hold" wait_for [ -f "${STATESETUP}/pasta.pid" ] - __ns_pid=$(${NSHOLDER} ${STATESETUP}/ns.hold pid) + __ns_pid=$(${NSTOOL} ${STATESETUP}/ns.hold pid) context_setup_nsenter qemu "-t ${__ns_pid} -U -n -p --preserve-credentials" context_setup_nsenter ns "-t ${__ns_pid} -U -n -p --preserve-credentials" 
@@ -189,16 +189,16 @@ setup_two_guests() { [ ${PCAP} -eq 1 ] && __opts="${__opts} -p ${LOGDIR}/pasta_1.pcap" [ ${DEBUG} -eq 1 ] && __opts="${__opts} -d" [ ${TRACE} -eq 1 ] && __opts="${__opts} --trace" - context_run_bg pasta_1 "./pasta ${__opts} --trace -l /tmp/pasta1.log -P ${STATESETUP}/pasta_1.pid -t 10001,10002 -T 10003,10004 -u 10001,10002 -U 10003,10004 --config-net ${NSHOLDER} ${STATESETUP}/ns1.hold hold" - __ns1_pid=$(${NSHOLDER} ${STATESETUP}/ns1.hold pid) + context_run_bg pasta_1 "./pasta ${__opts} --trace -l /tmp/pasta1.log -P ${STATESETUP}/pasta_1.pid -t 10001,10002 -T 10003,10004 -u 10001,10002 -U 10003,10004 --config-net ${NSTOOL} ${STATESETUP}/ns1.hold hold" + __ns1_pid=$(${NSTOOL} ${STATESETUP}/ns1.hold pid) context_setup_nsenter passt_1 -U -n -p --preserve-credentials -t ${__ns1_pid} __opts= [ ${PCAP} -eq 1 ] && __opts="${__opts} -p ${LOGDIR}/pasta_2.pcap" [ ${DEBUG} -eq 1 ] && __opts="${__opts} -d" [ ${TRACE} -eq 1 ] && __opts="${__opts} --trace" - context_run_bg pasta_2 "./pasta ${__opts} --trace -l /tmp/pasta2.log -P ${STATESETUP}/pasta_2.pid -t 10004,10005 -T 10003,10001 -u 10004,10005 -U 10003,10001 --config-net ${NSHOLDER} ${STATESETUP}/ns2.hold hold" - __ns2_pid=$(${NSHOLDER} ${STATESETUP}/ns2.hold pid) + context_run_bg pasta_2 "./pasta ${__opts} --trace -l /tmp/pasta2.log -P ${STATESETUP}/pasta_2.pid -t 10004,10005 -T 10003,10001 -u 10004,10005 -U 10003,10001 --config-net ${NSTOOL} ${STATESETUP}/ns2.hold hold" + __ns2_pid=$(${NSTOOL} ${STATESETUP}/ns2.hold pid) context_setup_nsenter passt_2 -U -n -p --preserve-credentials -t ${__ns2_pid} context_setup_nsenter qemu_1 -U -n -p --preserve-credentials -t ${__ns1_pid} @@ -284,7 +284,7 @@ teardown_passt() { # teardown_pasta() - Exit namespace, kill pasta process teardown_pasta() { - ${NSHOLDER} "${STATESETUP}/ns.hold" stop + ${NSTOOL} "${STATESETUP}/ns.hold" stop context_wait unshare teardown_context_watch ${PANE_HOST} host 
@@ -297,7 +297,7 @@ teardown_passt_in_ns() { context_run ns kill $(cat "${STATESETUP}/qemu.pid") context_wait qemu - ${NSHOLDER} "${STATESETUP}/ns.hold" stop + ${NSTOOL} "${STATESETUP}/ns.hold" stop context_wait pasta rm "${STATESETUP}/passt.pid" "${STATESETUP}/pasta.pid" @@ -310,8 +310,8 @@ teardown_passt_in_ns() { # teardown_two_guests() - Exit namespaces, kill qemu processes, passt and pasta teardown_two_guests() { - __ns1_pid=$(${NSHOLDER} "${STATESETUP}/ns1.hold" pid) - __ns2_pid=$(${NSHOLDER} "${STATESETUP}/ns2.hold" pid) + __ns1_pid=$(${NSTOOL} "${STATESETUP}/ns1.hold" pid) + __ns2_pid=$(${NSTOOL} "${STATESETUP}/ns2.hold" pid) nsenter -U -p --preserve-credentials -t ${__ns1_pid} kill $(cat "${STATESETUP}/qemu_1.pid") nsenter -U -p --preserve-credentials -t ${__ns2_pid} kill $(cat "${STATESETUP}/qemu_2.pid") context_wait qemu_1 @@ -321,8 +321,8 @@ teardown_two_guests() { nsenter -U -p --preserve-credentials -t ${__ns2_pid} kill $(cat "${STATESETUP}/passt_2.pid") context_wait passt_1 context_wait passt_2 - ${NSHOLDER} "${STATESETUP}/ns1.hold" stop - ${NSHOLDER} "${STATESETUP}/ns2.hold" stop + ${NSTOOL} "${STATESETUP}/ns1.hold" stop + ${NSTOOL} "${STATESETUP}/ns2.hold" stop context_wait pasta_1 context_wait pasta_2 diff --git a/test/nsholder.c b/test/nstool.c similarity index 82% rename from test/nsholder.c rename to test/nstool.c index 010a051..958ece7 100644 --- a/test/nsholder.c +++ b/test/nstool.c 
@@ -1,23 +1,23 @@ // SPDX-License-Identifier: AGPL-3.0-or-later -/* nsholder - maintain a namespace to be entered by other processes +/* nstool - maintain a namespace to be entered by other processes * * Copyright Red Hat * Author: David Gibson <david(a)gibson.dropbear.id.au> * * Can run in 3 modes: * - * nsholder <path> hold + * nstool <path> hold * Designed to be run inside a namespace, opens a Unix domain * control socket at <path> and waits until instructed to stop - * with "nsholder <path> stop" - * nsholder <path> pid - * Prints the PID of the nsholder hold process with control + * with "nstool <path> stop" + * nstool <path> pid + * Prints the PID of the nstool hold process with control * socket <path>. This is given in the PID namespace where - * nsholder pid is executed, not the one where nsholder hold is + * nstool pid is executed, not the one where nstool hold is * running - * nsholder <path> stop - * Instruct the nsholder hold with control socket at <path> to exit. + * nstool <path> stop + * Instruct the nstool hold with control socket at <path> to exit. */ #define _GNU_SOURCE @@ -38,7 +38,7 @@ static void usage(void) { - die("Usage: holder <socket path> hold|pid\n"); + die("Usage: nstool <socket path> hold|pid\n"); } static void hold(int fd, const struct sockaddr_un *addr) @@ -53,7 +53,7 @@ static void hold(int fd, const struct sockaddr_un *addr) if (rc < 0) die("listen(): %s\n", strerror(errno)); - printf("nsholder: local PID=%d local UID=%u local GID=%u\n", + printf("nstool: local PID=%d local UID=%u local GID=%u\n", getpid(), getuid(), getgid()); do { int afd = accept(fd, NULL, NULL); @@ -103,7 +103,7 @@ static void stop(int fd, const struct sockaddr_un *addr) rc = write(fd, &buf, sizeof(buf)); if (rc < 0) - die("write(): %s\n", strerror(errno)); + die("write(): %s\n", strerror(errno)); close(fd); } -- 2.39.2
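Review bot: the usage string changed in the nstool.c hunk at @@ -38,7 still advertises only `hold|pid`, while the header comment rewritten in the @@ -1,23 hunk of the same file documents three modes including `stop`, which main() also dispatches. Since this line is being touched for the rename anyway, make it `die("Usage: nstool <socket path> hold|pid|stop\n");` so the message matches the implementation.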
Having the "subcommand" first is more conventional and will make it more natural for future extensions I have planned. Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au> --- test/lib/setup | 28 ++++++++++++++-------------- test/nstool.c | 28 ++++++++++++++-------------- 2 files changed, 28 insertions(+), 28 deletions(-) diff --git a/test/lib/setup b/test/lib/setup index 3bd434b..e6180b1 100755 --- a/test/lib/setup +++ b/test/lib/setup @@ -77,8 +77,8 @@ setup_pasta() { layout_pasta - context_run_bg unshare "unshare -rUnpf ${NSTOOL} ${STATESETUP}/ns.hold hold" - __target_pid=$(${NSTOOL} ${STATESETUP}/ns.hold pid) + context_run_bg unshare "unshare -rUnpf ${NSTOOL} hold ${STATESETUP}/ns.hold" + __target_pid=$(${NSTOOL} pid ${STATESETUP}/ns.hold) context_setup_nsenter ns -U -n -p --preserve-credentials -t ${__target_pid} @@ -126,9 +126,9 @@ setup_passt_in_ns() { [ ${DEBUG} -eq 1 ] && __opts="${__opts} -d" [ ${TRACE} -eq 1 ] && __opts="${__opts} --trace" - context_run_bg pasta "./pasta ${__opts} -t 10001,10002,10011,10012 -T 10003,10013 -u 10001,10002,10011,10012 -U 10003,10013 -P ${STATESETUP}/pasta.pid --config-net ${NSTOOL} ${STATESETUP}/ns.hold hold" + context_run_bg pasta "./pasta ${__opts} -t 10001,10002,10011,10012 -T 10003,10013 -u 10001,10002,10011,10012 -U 10003,10013 -P ${STATESETUP}/pasta.pid --config-net ${NSTOOL} hold ${STATESETUP}/ns.hold" wait_for [ -f "${STATESETUP}/pasta.pid" ] - __ns_pid=$(${NSTOOL} ${STATESETUP}/ns.hold pid) + __ns_pid=$(${NSTOOL} pid ${STATESETUP}/ns.hold) context_setup_nsenter qemu "-t ${__ns_pid} -U -n -p --preserve-credentials" context_setup_nsenter ns "-t ${__ns_pid} -U -n -p --preserve-credentials" 
@@ -189,16 +189,16 @@ setup_two_guests() { [ ${PCAP} -eq 1 ] && __opts="${__opts} -p ${LOGDIR}/pasta_1.pcap" [ ${DEBUG} -eq 1 ] && __opts="${__opts} -d" [ ${TRACE} -eq 1 ] && __opts="${__opts} --trace" - context_run_bg pasta_1 "./pasta ${__opts} --trace -l /tmp/pasta1.log -P ${STATESETUP}/pasta_1.pid -t 10001,10002 -T 10003,10004 -u 10001,10002 -U 10003,10004 --config-net ${NSTOOL} ${STATESETUP}/ns1.hold hold" - __ns1_pid=$(${NSTOOL} ${STATESETUP}/ns1.hold pid) + context_run_bg pasta_1 "./pasta ${__opts} --trace -l /tmp/pasta1.log -P ${STATESETUP}/pasta_1.pid -t 10001,10002 -T 10003,10004 -u 10001,10002 -U 10003,10004 --config-net ${NSTOOL} hold ${STATESETUP}/ns1.hold" + __ns1_pid=$(${NSTOOL} pid ${STATESETUP}/ns1.hold) context_setup_nsenter passt_1 -U -n -p --preserve-credentials -t ${__ns1_pid} __opts= [ ${PCAP} -eq 1 ] && __opts="${__opts} -p ${LOGDIR}/pasta_2.pcap" [ ${DEBUG} -eq 1 ] && __opts="${__opts} -d" [ ${TRACE} -eq 1 ] && __opts="${__opts} --trace" - context_run_bg pasta_2 "./pasta ${__opts} --trace -l /tmp/pasta2.log -P ${STATESETUP}/pasta_2.pid -t 10004,10005 -T 10003,10001 -u 10004,10005 -U 10003,10001 --config-net ${NSTOOL} ${STATESETUP}/ns2.hold hold" - __ns2_pid=$(${NSTOOL} ${STATESETUP}/ns2.hold pid) + context_run_bg pasta_2 "./pasta ${__opts} --trace -l /tmp/pasta2.log -P ${STATESETUP}/pasta_2.pid -t 10004,10005 -T 10003,10001 -u 10004,10005 -U 10003,10001 --config-net ${NSTOOL} hold ${STATESETUP}/ns2.hold" + __ns2_pid=$(${NSTOOL} pid ${STATESETUP}/ns2.hold) context_setup_nsenter passt_2 -U -n -p --preserve-credentials -t ${__ns2_pid} context_setup_nsenter qemu_1 -U -n -p --preserve-credentials -t ${__ns1_pid} @@ -284,7 +284,7 @@ teardown_passt() { # teardown_pasta() - Exit namespace, kill pasta process teardown_pasta() { - ${NSTOOL} "${STATESETUP}/ns.hold" stop + ${NSTOOL} stop "${STATESETUP}/ns.hold" context_wait unshare teardown_context_watch ${PANE_HOST} host 
@@ -297,7 +297,7 @@ teardown_passt_in_ns() { context_run ns kill $(cat "${STATESETUP}/qemu.pid") context_wait qemu - ${NSTOOL} "${STATESETUP}/ns.hold" stop + ${NSTOOL} stop "${STATESETUP}/ns.hold" context_wait pasta rm "${STATESETUP}/passt.pid" "${STATESETUP}/pasta.pid" @@ -310,8 +310,8 @@ teardown_passt_in_ns() { # teardown_two_guests() - Exit namespaces, kill qemu processes, passt and pasta teardown_two_guests() { - __ns1_pid=$(${NSTOOL} "${STATESETUP}/ns1.hold" pid) - __ns2_pid=$(${NSTOOL} "${STATESETUP}/ns2.hold" pid) + __ns1_pid=$(${NSTOOL} pid "${STATESETUP}/ns1.hold") + __ns2_pid=$(${NSTOOL} pid "${STATESETUP}/ns2.hold") nsenter -U -p --preserve-credentials -t ${__ns1_pid} kill $(cat "${STATESETUP}/qemu_1.pid") nsenter -U -p --preserve-credentials -t ${__ns2_pid} kill $(cat "${STATESETUP}/qemu_2.pid") context_wait qemu_1 @@ -321,8 +321,8 @@ teardown_two_guests() { nsenter -U -p --preserve-credentials -t ${__ns2_pid} kill $(cat "${STATESETUP}/passt_2.pid") context_wait passt_1 context_wait passt_2 - ${NSTOOL} "${STATESETUP}/ns1.hold" stop - ${NSTOOL} "${STATESETUP}/ns2.hold" stop + ${NSTOOL} stop "${STATESETUP}/ns1.hold" + ${NSTOOL} stop "${STATESETUP}/ns2.hold" context_wait pasta_1 context_wait pasta_2 diff --git a/test/nstool.c b/test/nstool.c index 958ece7..c38d96f 100644 --- a/test/nstool.c +++ b/test/nstool.c 
@@ -7,17 +7,17 @@ * * Can run in 3 modes: * - * nstool <path> hold + * nstool hold <path> * Designed to be run inside a namespace, opens a Unix domain * control socket at <path> and waits until instructed to stop - * with "nstool <path> stop" - * nstool <path> pid - * Prints the PID of the nstool hold process with control - * socket <path>. This is given in the PID namespace where - * nstool pid is executed, not the one where nstool hold is - * running - * nstool <path> stop - * Instruct the nstool hold with control socket at <path> to exit. + * with "nstool stop <path>" + * nstool pid <path> + * Prints the PID of the nstool hold process with control socket + * <path>. This is given in the PID namespace where nstool pid + * is executed, not the one where nstool hold is running + * nstool stop <path> + * Instruct the nstool hold with control socket at <path> to + * exit. */ #define _GNU_SOURCE @@ -38,7 +38,7 @@ static void usage(void) { - die("Usage: nstool <socket path> hold|pid\n"); + die("Usage: nstool hold|pid|stop <socket path>\n"); } static void hold(int fd, const struct sockaddr_un *addr) @@ -119,18 +119,18 @@ int main(int argc, char *argv[]) if (argc != 3) usage(); - sockname = argv[1]; + sockname = argv[2]; strncpy(sockaddr.sun_path, sockname, UNIX_PATH_MAX); fd = socket(AF_UNIX, SOCK_STREAM, PF_UNIX); if (fd < 0) die("socket(): %s\n", strerror(errno)); - if (strcmp(argv[2], "hold") == 0) + if (strcmp(argv[1], "hold") == 0) hold(fd, &sockaddr); - else if (strcmp(argv[2], "pid") == 0) + else if (strcmp(argv[1], "pid") == 0) pid(fd, &sockaddr); - else if (strcmp(argv[2], "stop") == 0) + else if (strcmp(argv[1], "stop") == 0) stop(fd, &sockaddr); else usage(); -- 2.39.2
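Review bot: after the @@ -7,17 and @@ -38,7 hunks the three modes are now described twice in nstool.c, once in the header comment and once in usage(), with slightly different wording (the comment says "Prints the PID ... as seen in the PID namespace where nstool pid is executed", usage() just lists the subcommands). Two copies will drift; keeping the detailed text in one place, preferably the usage() output the user actually sees, avoids that.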
Easier to see it there. Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au> --- test/nstool.c | 26 +++++++++++--------------- 1 file changed, 11 insertions(+), 15 deletions(-) diff --git a/test/nstool.c b/test/nstool.c index c38d96f..92909c2 100644 --- a/test/nstool.c +++ b/test/nstool.c @@ -4,20 +4,6 @@ * * Copyright Red Hat * Author: David Gibson <david(a)gibson.dropbear.id.au> - * - * Can run in 3 modes: - * - * nstool hold <path> - * Designed to be run inside a namespace, opens a Unix domain - * control socket at <path> and waits until instructed to stop - * with "nstool stop <path>" - * nstool pid <path> - * Prints the PID of the nstool hold process with control socket - * <path>. This is given in the PID namespace where nstool pid - * is executed, not the one where nstool hold is running - * nstool stop <path> - * Instruct the nstool hold with control socket at <path> to - * exit. */ #define _GNU_SOURCE @@ -38,7 +24,17 @@ static void usage(void) { - die("Usage: nstool hold|pid|stop <socket path>\n"); + die("Usage:\n" + " nstool hold SOCK\n" + " Run within a set of namespaces, open a Unix domain socket\n" + " (the \"control socket\") at SOCK and wait for requests from\n" + " other nstool subcommands.\n" + " nstool pid SOCK\n" + " Print the pid of the nstool hold process with control socket\n" + " at SOCK, as seen in the caller's namespace.\n" + " nstool stop SOCK\n" + " Instruct the nstool hold with control socket at SOCK to\n" + " terminate.\n"); } static void hold(int fd, const struct sockaddr_un *addr) -- 2.39.2
This will make it easier to differentiate the options to those commands further in future. Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au> --- test/nstool.c | 102 +++++++++++++++++++++++++++++++++----------------- 1 file changed, 68 insertions(+), 34 deletions(-) diff --git a/test/nstool.c b/test/nstool.c index 92909c2..c75d458 100644 --- a/test/nstool.c +++ b/test/nstool.c @@ -11,6 +11,7 @@ #include <stdio.h> #include <stdlib.h> #include <string.h> +#include <stdbool.h> #include <errno.h> #include <unistd.h> #include <sys/socket.h> 
@@ -37,19 +38,55 @@ static void usage(void) " terminate.\n"); } -static void hold(int fd, const struct sockaddr_un *addr) +static int connect_ctl(const char * sockpath, bool wait) { + int fd = socket(AF_UNIX, SOCK_STREAM, PF_UNIX); + struct sockaddr_un addr = { + .sun_family = AF_UNIX, + }; int rc; - rc = bind(fd, (struct sockaddr *)addr, sizeof(*addr)); + if (fd < 0) + die("socket(): %s\n", strerror(errno)); + + strncpy(addr.sun_path, sockpath, UNIX_PATH_MAX); + + do { + rc = connect(fd, (struct sockaddr *)&addr, sizeof(addr)); + if (rc < 0 && + (!wait || (errno != ENOENT && errno != ECONNREFUSED))) + die("connect() to %s: %s\n", sockpath, strerror(errno)); + } while (rc < 0); + + return fd; +} + +static void cmd_hold(int argc, char *argv[]) +{ + int fd = socket(AF_UNIX, SOCK_STREAM, PF_UNIX); + struct sockaddr_un addr = { + .sun_family = AF_UNIX, + }; + const char *sockpath = argv[1]; + int rc; + + if (argc != 2) + usage(); + + if (fd < 0) + die("socket(): %s\n", strerror(errno)); + + strncpy(addr.sun_path, sockpath, UNIX_PATH_MAX); + + rc = bind(fd, (struct sockaddr *)&addr, sizeof(addr)); if (rc < 0) - die("bind(): %s\n", strerror(errno)); + die("bind() to %s: %s\n", sockpath, strerror(errno)); rc = listen(fd, 0); if (rc < 0) - die("listen(): %s\n", strerror(errno)); + die("listen() on %s: %s\n", sockpath, strerror(errno)); - printf("nstool: local PID=%d local UID=%u local GID=%u\n", + printf("nstool hold: local PID=%d local UID=%u local GID=%u\n", getpid(), getuid(), getgid()); do { int afd = accept(fd, NULL, NULL); 
@@ -63,71 +100,68 @@ static void hold(int fd, const struct sockaddr_un *addr) die("read(): %s\n", strerror(errno)); } while (rc == 0); - unlink(addr->sun_path); + unlink(sockpath); } -static void pid(int fd, const struct sockaddr_un *addr) +static void cmd_pid(int argc, char *argv[]) { - int rc; + const char *sockpath = argv[1]; struct ucred peercred; socklen_t optlen = sizeof(peercred); + int fd, rc; - do { - rc = connect(fd, (struct sockaddr *)addr, sizeof(*addr)); - if (rc < 0 && errno != ENOENT && errno != ECONNREFUSED) - die("connect(): %s\n", strerror(errno)); - } while (rc < 0); + if (argc != 2) + usage(); + + fd = connect_ctl(sockpath, true); rc = getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &peercred, &optlen); if (rc < 0) - die("getsockopet(SO_PEERCRED): %s\n", strerror(errno)); + die("getsockopet(SO_PEERCRED) %s: %s\n", + sockpath, strerror(errno)); close(fd); printf("%d\n", peercred.pid); } -static void stop(int fd, const struct sockaddr_un *addr) +static void cmd_stop(int argc, char *argv[]) { - int rc; + const char *sockpath = argv[1]; + int fd, rc; char buf = 'Q'; - rc = connect(fd, (struct sockaddr *)addr, sizeof(*addr)); - if (rc < 0) - die("connect(): %s\n", strerror(errno)); + if (argc != 2) + usage(); + + fd = connect_ctl(sockpath, false); rc = write(fd, &buf, sizeof(buf)); if (rc < 0) - die("write(): %s\n", strerror(errno)); + die("write() to %s: %s\n", sockpath, strerror(errno)); close(fd); } int main(int argc, char *argv[]) { + const char *subcmd = argv[1]; int fd; - const char *sockname; - struct sockaddr_un sockaddr = { - .sun_family = AF_UNIX, - }; - if (argc != 3) + if (argc < 2) usage(); - sockname = argv[2]; - strncpy(sockaddr.sun_path, sockname, UNIX_PATH_MAX); - fd = socket(AF_UNIX, SOCK_STREAM, PF_UNIX); if (fd < 0) die("socket(): %s\n", strerror(errno)); - if (strcmp(argv[1], "hold") == 0) - hold(fd, &sockaddr); - else if (strcmp(argv[1], "pid") == 0) - pid(fd, &sockaddr); - else if (strcmp(argv[1], "stop") == 0) - stop(fd, &sockaddr); + 
if (strcmp(subcmd, "hold") == 0) + cmd_hold(argc - 1, argv + 1); + else if (strcmp(subcmd, "pid") == 0) + cmd_pid(argc - 1, argv + 1); + else if (strcmp(subcmd, "stop") == 0) + cmd_stop(argc - 1, argv + 1); else usage(); -- 2.39.2
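Review bot: main() in the @@ -63,71 hunk still opens a socket (`fd = socket(AF_UNIX, SOCK_STREAM, PF_UNIX);` with its `die("socket()...")` check) although every subcommand now creates its own descriptor in connect_ctl() or cmd_hold(), so this is dead code that leaves an unused fd open for the life of the process; drop the `int fd;` declaration and those lines along with the removed `sockaddr` setup.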
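Review bot: `strncpy(addr.sun_path, sockpath, UNIX_PATH_MAX);` in the new connect_ctl() and cmd_hold() in the @@ -37,19 hunk silently truncates a path of UNIX_PATH_MAX bytes or longer, so the tool would bind or connect to a different path than the one the caller asked for without any error. A check such as `if (strlen(sockpath) >= sizeof(addr.sun_path)) die("Socket path %s too long\n", sockpath);` before the copy turns that into a clear failure.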
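Review bot: the retry loop in connect_ctl() in the @@ -37,19 hunk spins on connect() with no delay while `wait` is set and errno is ENOENT or ECONNREFUSED, so a caller that starts before the holder has bound burns a CPU until it does, and never gives up if the holder never appears. A short sleep between attempts (and optionally a bound on the number of retries) would make `wait` cheap and make a missing holder a reported error rather than a hang.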
The new subcommand gives more information about the holder process and its namespace, and may be further extended in future. Add some options which give the old behaviour for existing scripts. Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au> --- test/lib/setup | 12 +++++----- test/nstool.c | 60 +++++++++++++++++++++++++++++++++++++++++--------- 2 files changed, 55 insertions(+), 17 deletions(-) diff --git a/test/lib/setup b/test/lib/setup index e6180b1..6d7644a 100755 --- a/test/lib/setup +++ b/test/lib/setup @@ -78,7 +78,7 @@ setup_pasta() { layout_pasta context_run_bg unshare "unshare -rUnpf ${NSTOOL} hold ${STATESETUP}/ns.hold" - __target_pid=$(${NSTOOL} pid ${STATESETUP}/ns.hold) + __target_pid=$(${NSTOOL} info -pw ${STATESETUP}/ns.hold) context_setup_nsenter ns -U -n -p --preserve-credentials -t ${__target_pid} @@ -128,7 +128,7 @@ setup_passt_in_ns() { context_run_bg pasta "./pasta ${__opts} -t 10001,10002,10011,10012 -T 10003,10013 -u 10001,10002,10011,10012 -U 10003,10013 -P ${STATESETUP}/pasta.pid --config-net ${NSTOOL} hold ${STATESETUP}/ns.hold" wait_for [ -f "${STATESETUP}/pasta.pid" ] - __ns_pid=$(${NSTOOL} pid ${STATESETUP}/ns.hold) + __ns_pid=$(${NSTOOL} info -pw ${STATESETUP}/ns.hold) context_setup_nsenter qemu "-t ${__ns_pid} -U -n -p --preserve-credentials" context_setup_nsenter ns "-t ${__ns_pid} -U -n -p --preserve-credentials" @@ -190,7 +190,7 @@ setup_two_guests() { [ ${DEBUG} -eq 1 ] && __opts="${__opts} -d" [ ${TRACE} -eq 1 ] && __opts="${__opts} --trace" context_run_bg pasta_1 "./pasta ${__opts} --trace -l /tmp/pasta1.log -P ${STATESETUP}/pasta_1.pid -t 10001,10002 -T 10003,10004 -u 10001,10002 -U 10003,10004 --config-net ${NSTOOL} hold ${STATESETUP}/ns1.hold" - __ns1_pid=$(${NSTOOL} pid ${STATESETUP}/ns1.hold) + __ns1_pid=$(${NSTOOL} info -pw ${STATESETUP}/ns1.hold) context_setup_nsenter passt_1 -U -n -p --preserve-credentials -t ${__ns1_pid} __opts= 
@@ -198,7 +198,7 @@ setup_two_guests() { [ ${DEBUG} -eq 1 ] && __opts="${__opts} -d" [ ${TRACE} -eq 1 ] && __opts="${__opts} --trace" context_run_bg pasta_2 "./pasta ${__opts} --trace -l /tmp/pasta2.log -P ${STATESETUP}/pasta_2.pid -t 10004,10005 -T 10003,10001 -u 10004,10005 -U 10003,10001 --config-net ${NSTOOL} hold ${STATESETUP}/ns2.hold" - __ns2_pid=$(${NSTOOL} pid ${STATESETUP}/ns2.hold) + __ns2_pid=$(${NSTOOL} info -pw ${STATESETUP}/ns2.hold) context_setup_nsenter passt_2 -U -n -p --preserve-credentials -t ${__ns2_pid} context_setup_nsenter qemu_1 -U -n -p --preserve-credentials -t ${__ns1_pid} @@ -310,8 +310,8 @@ teardown_passt_in_ns() { # teardown_two_guests() - Exit namespaces, kill qemu processes, passt and pasta teardown_two_guests() { - __ns1_pid=$(${NSTOOL} pid "${STATESETUP}/ns1.hold") - __ns2_pid=$(${NSTOOL} pid "${STATESETUP}/ns2.hold") + __ns1_pid=$(${NSTOOL} info -pw "${STATESETUP}/ns1.hold") + __ns2_pid=$(${NSTOOL} info -pw "${STATESETUP}/ns2.hold") nsenter -U -p --preserve-credentials -t ${__ns1_pid} kill $(cat "${STATESETUP}/qemu_1.pid") nsenter -U -p --preserve-credentials -t ${__ns2_pid} kill $(cat "${STATESETUP}/qemu_2.pid") context_wait qemu_1 diff --git a/test/nstool.c b/test/nstool.c index c75d458..5f54439 100644 --- a/test/nstool.c +++ b/test/nstool.c @@ -14,6 +14,7 @@ #include <stdbool.h> #include <errno.h> #include <unistd.h> +#include <getopt.h> #include <sys/socket.h> #include <linux/un.h> 
@@ -30,9 +31,11 @@ static void usage(void) " Run within a set of namespaces, open a Unix domain socket\n" " (the \"control socket\") at SOCK and wait for requests from\n" " other nstool subcommands.\n" - " nstool pid SOCK\n" - " Print the pid of the nstool hold process with control socket\n" - " at SOCK, as seen in the caller's namespace.\n" + " nstool info [-pw] pid SOCK\n" + " Print information about the nstool hold process with control\n" + " socket at SOCK\n" + " -p Print just the holder's PID as seen by the caller\n" + " -w Retry connecting to SOCK until it is ready\n" " nstool stop SOCK\n" " Instruct the nstool hold with control socket at SOCK to\n" " terminate.\n"); @@ -103,17 +106,45 @@ static void cmd_hold(int argc, char *argv[]) unlink(sockpath); } -static void cmd_pid(int argc, char *argv[]) +static void cmd_info(int argc, char *argv[]) { - const char *sockpath = argv[1]; + const struct option options[] = { + {"pid", no_argument, NULL, 'p' }, + {"wait", no_argument, NULL, 'w' }, + { 0 }, + }; + bool pidonly = false, waitforsock = false; struct ucred peercred; socklen_t optlen = sizeof(peercred); - int fd, rc; + const char *optstring = "pw"; + const char *sockpath; + int fd, rc, opt; - if (argc != 2) + do { + opt = getopt_long(argc, argv, optstring, options, NULL); + + switch (opt) { + case 'p': + pidonly = true; + break; + case 'w': + waitforsock = true; + break; + case -1: + break; + default: + usage(); + } + } while (opt != -1); + + if (optind != argc - 1) { + fprintf(stderr, "B\n"); usage(); + } + + sockpath = argv[optind]; - fd = connect_ctl(sockpath, true); + fd = connect_ctl(sockpath, waitforsock); rc = getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &peercred, &optlen); 
@@ -123,7 +154,14 @@ static void cmd_pid(int argc, char *argv[]) close(fd); - printf("%d\n", peercred.pid); + if (pidonly) { + printf("%d\n", peercred.pid); + } else { + printf("As seen from calling context:\n"); + printf("\tPID:\t%d\n", peercred.pid); + printf("\tUID:\t%u\n", peercred.uid); + printf("\tGID:\t%u\n", peercred.gid); + } } static void cmd_stop(int argc, char *argv[]) @@ -158,8 +196,8 @@ int main(int argc, char *argv[]) if (strcmp(subcmd, "hold") == 0) cmd_hold(argc - 1, argv + 1); - else if (strcmp(subcmd, "pid") == 0) - cmd_pid(argc - 1, argv + 1); + else if (strcmp(subcmd, "info") == 0) + cmd_info(argc - 1, argv + 1); else if (strcmp(subcmd, "stop") == 0) cmd_stop(argc - 1, argv + 1); else -- 2.39.2
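Review bot: the new usage line in the @@ -30,9 hunk reads `nstool info [-pw] pid SOCK`, but cmd_info() takes only the options and a single positional SOCK argument (`optind != argc - 1` is an error), so the `pid` token is stray and should be removed. The same hunk documents only the short forms, while the `options[]` table in cmd_info() also accepts `--pid` and `--wait`; either document the long forms or drop them.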
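Review bot: `fprintf(stderr, "B\n");` before the usage() call in cmd_info() in the @@ -103,17 hunk looks like leftover debugging output and should be removed; the usage() message already explains the argument error. The SO_PEERCRED error string in the same function still reads `getsockopet`, which could be fixed to `getsockopt` while the line is being touched.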
Give nstool the ability to detect what namespaces the target process is in, relative to where it's called. That is, those namespace types for which the target is not in the same namespace as the caller. For now, just print this information with "info", which can be useful for debugging. Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au> --- test/nstool.c | 157 +++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 143 insertions(+), 14 deletions(-) diff --git a/test/nstool.c b/test/nstool.c index 5f54439..146b66e 100644 --- a/test/nstool.c +++ b/test/nstool.c @@ -15,8 +15,13 @@ #include <errno.h> #include <unistd.h> #include <getopt.h> +#include <stdarg.h> +#include <limits.h> #include <sys/socket.h> #include <linux/un.h> +#include <sched.h> + +#define ARRAY_SIZE(a) ((int)(sizeof(a) / sizeof((a)[0]))) #define die(...) \ do { \ @@ -24,6 +29,28 @@ exit(1); \ } while (0) +struct ns_type { + int flag; + const char *name; +}; + +const struct ns_type nstypes[] = { + { CLONE_NEWCGROUP, "cgroup" }, + { CLONE_NEWIPC, "ipc" }, + { CLONE_NEWNET, "net" }, + { CLONE_NEWNS, "mnt" }, + { CLONE_NEWPID, "pid" }, + { CLONE_NEWTIME, "time" }, + { CLONE_NEWUSER, "user" }, + { CLONE_NEWUTS, "uts" }, +}; + +struct holder_info { + pid_t pid; + uid_t uid; + gid_t gid; +}; + static void usage(void) { die("Usage:\n" @@ -41,12 +68,16 @@ static void usage(void) " terminate.\n"); } -static int connect_ctl(const char * sockpath, bool wait) +static int connect_ctl(const char *sockpath, bool wait, + struct holder_info *info, + struct ucred *peercred) { int fd = socket(AF_UNIX, SOCK_STREAM, PF_UNIX); struct sockaddr_un addr = { .sun_family = AF_UNIX, }; + struct holder_info discard; + ssize_t len; int rc; if (fd < 0) 
@@ -61,6 +92,28 @@ static int connect_ctl(const char * sockpath, bool wait) die("connect() to %s: %s\n", sockpath, strerror(errno)); } while (rc < 0); + if (!info) + info = &discard; + + /* Always read the info structure, even if we don't need it, + * so that the holder doesn't get a broken pipe error + */ + len = read(fd, info, sizeof(*info)); + if (len < 0) + die("read() on control socket %s: %s\n", sockpath, strerror(errno)); + if ((size_t)len < sizeof(*info)) + die("short read() on control socket %s\n", sockpath); + + if (peercred) { + socklen_t optlen = sizeof(*peercred); + + rc = getsockopt(fd, SOL_SOCKET, SO_PEERCRED, + peercred, &optlen); + if (rc < 0) + die("getsockopet(SO_PEERCRED) %s: %s\n", + sockpath, strerror(errno)); + } + return fd; } @@ -71,6 +124,7 @@ static void cmd_hold(int argc, char *argv[]) .sun_family = AF_UNIX, }; const char *sockpath = argv[1]; + struct holder_info info; int rc; if (argc != 2) @@ -89,8 +143,10 @@ static void cmd_hold(int argc, char *argv[]) if (rc < 0) die("listen() on %s: %s\n", sockpath, strerror(errno)); - printf("nstool hold: local PID=%d local UID=%u local GID=%u\n", - getpid(), getuid(), getgid()); + info.pid = getpid(); + info.uid = getuid(); + info.gid = getgid(); + do { int afd = accept(fd, NULL, NULL); char buf; @@ -98,6 +154,12 @@ static void cmd_hold(int argc, char *argv[]) if (afd < 0) die("accept(): %s\n", strerror(errno)); + rc = write(afd, &info, sizeof(info)); + if (rc < 0) + die("write(): %s\n", strerror(errno)); + if ((size_t)rc < sizeof(info)) + die("short write() on control socket\n"); + rc = read(afd, &buf, sizeof(buf)); if (rc < 0) die("read(): %s\n", strerror(errno)); 
@@ -106,6 +168,68 @@ static void cmd_hold(int argc, char *argv[]) unlink(sockpath); } +static ssize_t getlink(char *buf, size_t bufsiz, const char *fmt, ...) +{ + char linkpath[PATH_MAX]; + ssize_t linklen; + va_list ap; + + va_start(ap, fmt); + if (vsnprintf(linkpath, sizeof(linkpath), fmt, ap) >= PATH_MAX) + die("Truncated path \"%s\"\n", linkpath); + va_end(ap); + + linklen = readlink(linkpath, buf, bufsiz); + if (linklen < 0) + die("readlink() on %s: %s\n", linkpath, strerror(errno)); + if ((size_t)linklen >= bufsiz) + die("Target of symbolic link %s is too long\n", linkpath); + + return linklen; +} + +static int detect_namespaces(pid_t pid) +{ + int i; + int flags = 0; + + for (i = 0; i < ARRAY_SIZE(nstypes); i++) { + const struct ns_type *nst = &nstypes[i]; + char selflink[PATH_MAX], pidlink[PATH_MAX]; + ssize_t selflen, pidlen; + + selflen = getlink(selflink, sizeof(selflink), + "/proc/self/ns/%s", nst->name); + pidlen = getlink(pidlink, sizeof(pidlink), + "/proc/%d/ns/%s", pid, nst->name); + + if ((selflen != pidlen) || memcmp(selflink, pidlink, selflen)) + flags |= nst->flag; + } + + return flags; +} + +static void print_nstypes(int flags) +{ + bool first = true; + int i; + + for (i = 0; i < ARRAY_SIZE(nstypes); i++) { + const struct ns_type *nst = &nstypes[i]; + + if (!(flags & nst->flag)) + continue; + + printf("%s%s", first ? "" : ", " , nst->name); + first = false; + flags &= ~nst->flag; + } + + if (flags) + printf("%s0x%x", first ? "" : ", ", flags); +} + static void cmd_info(int argc, char *argv[]) { const struct option options[] = { @@ -114,11 +238,11 @@ static void cmd_info(int argc, char *argv[]) { 0 }, }; bool pidonly = false, waitforsock = false; - struct ucred peercred; - socklen_t optlen = sizeof(peercred); const char *optstring = "pw"; + struct holder_info info; + struct ucred peercred; const char *sockpath; - int fd, rc, opt; + int fd, opt; do { opt = getopt_long(argc, argv, optstring, options, NULL); 
@@ -144,23 +268,28 @@ static void cmd_info(int argc, char *argv[]) sockpath = argv[optind]; - fd = connect_ctl(sockpath, waitforsock); - - rc = getsockopt(fd, SOL_SOCKET, SO_PEERCRED, - &peercred, &optlen); - if (rc < 0) - die("getsockopet(SO_PEERCRED) %s: %s\n", - sockpath, strerror(errno)); + fd = connect_ctl(sockpath, waitforsock, &info, &peercred); close(fd); if (pidonly) { printf("%d\n", peercred.pid); } else { + int flags = detect_namespaces(peercred.pid); + + printf("Namespaces: "); + print_nstypes(flags); + printf("\n"); + printf("As seen from calling context:\n"); printf("\tPID:\t%d\n", peercred.pid); printf("\tUID:\t%u\n", peercred.uid); printf("\tGID:\t%u\n", peercred.gid); + + printf("As seen from holding context:\n"); + printf("\tPID:\t%d\n", info.pid); + printf("\tUID:\t%u\n", info.uid); + printf("\tGID:\t%u\n", info.gid); } } @@ -173,7 +302,7 @@ static void cmd_stop(int argc, char *argv[]) if (argc != 2) usage(); - fd = connect_ctl(sockpath, false); + fd = connect_ctl(sockpath, false, NULL, NULL); rc = write(fd, &buf, sizeof(buf)); if (rc < 0) -- 2.39.2
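Review bot: in the connect_ctl() hunk (@@ -61,6 +92,28 @@), the single read() into *info treats any short read as fatal, but a short read is legal on a SOCK_STREAM socket even when the holder wrote the whole struct in one write(); loop until sizeof(*info) bytes have arrived (treating a 0 return as EOF) so the check stays robust as holder_info grows. While touching this code, the die() string reads "getsockopet(SO_PEERCRED)" (typo for getsockopt).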
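Review bot: in the detect_namespaces() hunk (@@ -106,6 +168,68 @@), readlink() on /proc/PID/ns/* needs ptrace-read access to the target, so getlink() will die() with a bare EACCES/EPERM from readlink() when the holder belongs to another user or is otherwise not inspectable; a message that says the target's namespaces could not be inspected would be clearer than the raw readlink() error.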
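Review bot: in the cmd_info() hunk (@@ -144,23 +268,28 @@), the "As seen from holding context" PID/UID/GID are whatever the peer wrote into holder_info, whereas the "As seen from calling context" values come from SO_PEERCRED and are filled in by the kernel; a comment (or a word in the output) noting that only the latter are kernel-attested would stop readers treating both blocks as equally trustworthy.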
So that we'll probably give a better error if you point it at something that's not an nstool hold control socket. Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au> --- test/nstool.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/test/nstool.c b/test/nstool.c index 146b66e..7b222dd 100644 --- a/test/nstool.c +++ b/test/nstool.c @@ -12,6 +12,7 @@ #include <stdlib.h> #include <string.h> #include <stdbool.h> +#include <stdint.h> #include <errno.h> #include <unistd.h> #include <getopt.h> @@ -45,7 +46,10 @@ const struct ns_type nstypes[] = { { CLONE_NEWUTS, "uts" }, }; +#define NSTOOL_MAGIC 0x7570017575601d75ULL + struct holder_info { + uint64_t magic; pid_t pid; uid_t uid; gid_t gid; @@ -104,6 +108,10 @@ static int connect_ctl(const char *sockpath, bool wait, if ((size_t)len < sizeof(*info)) die("short read() on control socket %s\n", sockpath); + if (info->magic != NSTOOL_MAGIC) + die("Control socket %s doesn't appear to belong to nstool\n", + sockpath); + if (peercred) { socklen_t optlen = sizeof(*peercred); @@ -143,6 +151,7 @@ static void cmd_hold(int argc, char *argv[]) if (rc < 0) die("listen() on %s: %s\n", sockpath, strerror(errno)); + info.magic = NSTOOL_MAGIC; info.pid = getpid(); info.uid = getuid(); info.gid = getgid(); -- 2.39.2
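Review bot: in the struct holder_info hunk (@@ -45,7 +46,10 @@), a magic value identifies the protocol but nothing identifies its layout; since later patches in this series enlarge holder_info (the cwd field), a client and holder built from different revisions will fail with the less helpful "short read()" message or, worse, with a size match and misinterpreted fields. Adding a small version field next to magic now, and checking it in connect_ctl() alongside the magic check, would make such mismatches fail clearly.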
Will make things a bit less verbose in future. Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au> --- test/nstool.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/test/nstool.c b/test/nstool.c index 7b222dd..b70b053 100644 --- a/test/nstool.c +++ b/test/nstool.c @@ -46,6 +46,14 @@ const struct ns_type nstypes[] = { { CLONE_NEWUTS, "uts" }, }; +#define for_each_nst(_nst, _flags) \ + for ((_nst) = &nstypes[0]; \ + ((_nst) - nstypes) < ARRAY_SIZE(nstypes); \ + (_nst)++) \ + if ((_flags) & (_nst)->flag) + +#define for_every_nst(_nst) for_each_nst(_nst, INT_MAX) + #define NSTOOL_MAGIC 0x7570017575601d75ULL struct holder_info { @@ -199,11 +207,10 @@ static ssize_t getlink(char *buf, size_t bufsiz, const char *fmt, ...) static int detect_namespaces(pid_t pid) { - int i; + const struct ns_type *nst; int flags = 0; - for (i = 0; i < ARRAY_SIZE(nstypes); i++) { - const struct ns_type *nst = &nstypes[i]; + for_every_nst(nst) { char selflink[PATH_MAX], pidlink[PATH_MAX]; ssize_t selflen, pidlen; @@ -221,15 +228,10 @@ static int detect_namespaces(pid_t pid) static void print_nstypes(int flags) { + const struct ns_type *nst; bool first = true; - int i; - - for (i = 0; i < ARRAY_SIZE(nstypes); i++) { - const struct ns_type *nst = &nstypes[i]; - - if (!(flags & nst->flag)) - continue; + for_each_nst(nst, flags) { printf("%s%s", first ? "" : ", " , nst->name); first = false; flags &= ~nst->flag; -- 2.39.2
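Review bot: in the for_each_nst() hunk (@@ -46,6 +46,14 @@), the macro ends in an unbraced if, so a caller who writes `for_each_nst(nst, flags) { ... } else ...` will have the else silently bound to the macro's own if; either document that the body must not be followed by else, or restructure the loop so the filter is not the last statement. A short comment that INT_MAX works as the "all types" mask only because every CLONE_NEW* value fits in a positive int would also help the next reader.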
This combines nstool info -pw <sock> with nsenter with various options for a more convenient and less verbose way of entering existing nstool managed namespaces. Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au> --- test/nstool.c | 139 +++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 137 insertions(+), 2 deletions(-) diff --git a/test/nstool.c b/test/nstool.c index b70b053..5aa14b8 100644 --- a/test/nstool.c +++ b/test/nstool.c @@ -18,7 +18,9 @@ #include <getopt.h> #include <stdarg.h> #include <limits.h> +#include <fcntl.h> #include <sys/socket.h> +#include <sys/wait.h> #include <linux/un.h> #include <sched.h> @@ -75,6 +77,9 @@ static void usage(void) " socket at SOCK\n" " -p Print just the holder's PID as seen by the caller\n" " -w Retry connecting to SOCK until it is ready\n" + " nstool exec SOCK [COMMAND [ARGS...]]\n" + " Execute command or shell in the namespaces of the nstool hold\n" + " with control socket at SOCK\n" " nstool stop SOCK\n" " Instruct the nstool hold with control socket at SOCK to\n" " terminate.\n"); @@ -84,7 +89,7 @@ static int connect_ctl(const char *sockpath, bool wait, struct holder_info *info, struct ucred *peercred) { - int fd = socket(AF_UNIX, SOCK_STREAM, PF_UNIX); + int fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, PF_UNIX); struct sockaddr_un addr = { .sun_family = AF_UNIX, }; @@ -135,7 +140,7 @@ static int connect_ctl(const char *sockpath, bool wait, static void cmd_hold(int argc, char *argv[]) { - int fd = socket(AF_UNIX, SOCK_STREAM, PF_UNIX); + int fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, PF_UNIX); struct sockaddr_un addr = { .sun_family = AF_UNIX, }; 
@@ -304,6 +309,134 @@ static void cmd_info(int argc, char *argv[]) } } +static int openns(const char *fmt, ...) +{ + char nspath[PATH_MAX]; + va_list ap; + int fd; + + va_start(ap, fmt); + if (vsnprintf(nspath, sizeof(nspath), fmt, ap) >= PATH_MAX) + die("Truncated path \"%s\"\n", nspath); + va_end(ap); + + fd = open(nspath, O_RDONLY | O_CLOEXEC); + if (fd < 0) + die("open() %s: %s\n", nspath, strerror(errno)); + + return fd; +} + +static void wait_for_child(pid_t pid) +{ + int status; + + /* Match the child's exit status, if possible */ + for (;;) { + pid_t rc; + + rc = waitpid(pid, &status, WUNTRACED); + if (rc < 0) + die("waitpid() on %d: %s\n", pid, strerror(errno)); + if (rc != pid) + die("waitpid() on %d returned %d", pid, rc); + if (WIFSTOPPED(status)) { + /* Stop the parent to patch */ + kill(getpid(), SIGSTOP); + /* We must have resumed, resume the child */ + kill(pid, SIGCONT); + continue; + } + + break; + } + + if (WIFEXITED(status)) + exit(WEXITSTATUS(status)); + else if (WIFSIGNALED(status)) + kill(getpid(), WTERMSIG(status)); + + die("Unexpected status for child %d\n", pid); +} + +static void cmd_exec(int argc, char *argv[]) +{ + const char *shargs[] = { NULL, NULL }; + const char *sockpath = argv[1]; + int nfd[ARRAY_SIZE(nstypes)]; + const struct ns_type *nst; + const char *const *xargs; + struct ucred peercred; + int ctlfd, flags, rc; + const char *exe; + pid_t xpid; + + if (argc < 2) + usage(); + + ctlfd = connect_ctl(sockpath, false, NULL, &peercred); + + flags = detect_namespaces(peercred.pid); + + for_each_nst(nst, flags) { + int *fd = &nfd[nst - nstypes]; + *fd = openns("/proc/%d/ns/%s", peercred.pid, nst->name); + } + + /* First pass, will get things where we need the privileges of + * the initial userns */ + for_each_nst(nst, flags) { + int fd = nfd[nst - nstypes]; + + rc = setns(fd, nst->flag); + if (rc == 0) { + flags &= ~nst->flag; + } + } + + /* Second pass, will get things where we need the privileges + * of the target userns */ + 
for_each_nst(nst, flags) { + int fd = nfd[nst - nstypes]; + + rc = setns(fd, nst->flag); + if (rc < 0) + die("setns() type %s: %s\n", + nst->name, strerror(errno)); + } + + /* Fork to properly enter PID namespace */ + xpid = fork(); + if (xpid < 0) + die("fork(): %s\n", strerror(errno)); + + if (xpid > 0) { + /* Close the control socket so the waiting parent + * doesn't block the holder */ + close(ctlfd); + wait_for_child(xpid); + } + + /* CHILD */ + if (argc > 2) { + exe = argv[2]; + xargs = (const char * const*)(argv + 2); + } else { + exe = getenv("SHELL"); + if (!exe) + exe = "/bin/sh"; + + shargs[0] = exe; + + xargs = shargs; + } + + rc = execvp(exe, (char *const *)xargs); + if (rc < 0) + die("execv() %s: %s\n", exe, strerror(errno)); + die("Returned from exec()\n"); +} + static void cmd_stop(int argc, char *argv[]) { const char *sockpath = argv[1]; @@ -338,6 +471,8 @@ int main(int argc, char *argv[]) cmd_hold(argc - 1, argv + 1); else if (strcmp(subcmd, "info") == 0) cmd_info(argc - 1, argv + 1); + else if (strcmp(subcmd, "exec") == 0) + cmd_exec(argc - 1, argv + 1); else if (strcmp(subcmd, "stop") == 0) cmd_stop(argc - 1, argv + 1); else -- 2.39.2
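Review bot: in the cmd_exec() hunk (@@ -304,6 +309,134 @@), the parent branch `if (xpid > 0) { close(ctlfd); wait_for_child(xpid); }` relies on wait_for_child() never returning; mark it noreturn or add an explicit exit after the call so the parent can never fall through into the child's execvp() path. Keeping ctlfd open until after the setns() calls is what pins peercred.pid (the holder is blocked in read() on the accepted connection, so the PID cannot be recycled between SO_PEERCRED and opening /proc/PID/ns/*); that is worth saying in a comment, since the existing comment only explains why the parent closes it. The nfd[] descriptors are O_CLOEXEC so the child is fine, but the parent holds them open for the whole wait; close them after the second pass. Minor: the comment "Stop the parent to patch" should read "to match", and the die() after execvp() names "execv()".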
This allows you to run commands within a user namespace with the privilege that comes from owning that userns. Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au> --- test/nstool.c | 87 +++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 78 insertions(+), 9 deletions(-) diff --git a/test/nstool.c b/test/nstool.c index 5aa14b8..c224d23 100644 --- a/test/nstool.c +++ b/test/nstool.c @@ -19,10 +19,15 @@ #include <stdarg.h> #include <limits.h> #include <fcntl.h> +#include <limits.h> +#include <unistd.h> #include <sys/socket.h> #include <sys/wait.h> +#include <sys/syscall.h> +#include <sys/prctl.h> #include <linux/un.h> #include <sched.h> +#include <linux/capability.h> #define ARRAY_SIZE(a) ((int)(sizeof(a) / sizeof((a)[0]))) @@ -75,11 +80,13 @@ static void usage(void) " nstool info [-pw] pid SOCK\n" " Print information about the nstool hold process with control\n" " socket at SOCK\n" - " -p Print just the holder's PID as seen by the caller\n" - " -w Retry connecting to SOCK until it is ready\n" - " nstool exec SOCK [COMMAND [ARGS...]]\n" + " -p Print just the holder's PID as seen by the caller\n" + " -w Retry connecting to SOCK until it is ready\n" + " nstool exec [--keep-caps] SOCK [COMMAND [ARGS...]]\n" " Execute command or shell in the namespaces of the nstool hold\n" " with control socket at SOCK\n" + " --keep-caps Give all possible capabilities to COMMAND via\n" + " the ambient capability mask\n" " nstool stop SOCK\n" " Instruct the nstool hold with control socket at SOCK to\n" " terminate.\n"); @@ -278,7 +285,6 @@ static void cmd_info(int argc, char *argv[]) } while (opt != -1); if (optind != argc - 1) { - fprintf(stderr, "B\n"); usage(); } 
@@ -359,21 +365,81 @@ static void wait_for_child(pid_t pid) die("Unexpected status for child %d\n", pid); } +static void caps_to_ambient(void) +{ + /* Use raw system calls to avoid the overly complex caps + * libraries. */ + struct __user_cap_header_struct header = { + .version = _LINUX_CAPABILITY_VERSION_3, + .pid = 0, + }; + struct __user_cap_data_struct payload[_LINUX_CAPABILITY_U32S_3] = + {{ 0 }}; + uint64_t effective, cap; + + if (syscall(SYS_capget, &header, payload) < 0) + die("capget(): %s\n", strerror(errno)); + + /* First make caps inheritable */ + payload[0].inheritable = payload[0].permitted; + payload[1].inheritable = payload[1].permitted; + + if (syscall(SYS_capset, &header, payload) < 0) + die("capset(): %s\n", strerror(errno)); + + effective = ((uint64_t)payload[1].effective << 32) | (uint64_t)payload[0].effective; + + for (cap = 0; cap < (sizeof(effective) * 8); cap++) { + /* Skip non-existent caps */ + if (prctl(PR_CAPBSET_READ, cap, 0, 0, 0) < 0) + continue; + + if ((effective & (1 << cap)) + && prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) < 0) + die("prctl(PR_CAP_AMBIENT): %s\n", strerror(errno)); + } +} + static void cmd_exec(int argc, char *argv[]) { + enum { + OPT_EXEC_KEEPCAPS = CHAR_MAX + 1, + }; + const struct option options[] = { + {"keep-caps", no_argument, NULL, OPT_EXEC_KEEPCAPS }, + { 0 }, + }; const char *shargs[] = { NULL, NULL }; const char *sockpath = argv[1]; int nfd[ARRAY_SIZE(nstypes)]; + const char *optstring = ""; const struct ns_type *nst; + int ctlfd, flags, opt, rc; const char *const *xargs; + bool keepcaps = false; struct ucred peercred; - int ctlfd, flags, rc; const char *exe; pid_t xpid; - if (argc < 2) + do { + opt = getopt_long(argc, argv, optstring, options, NULL); + + switch (opt) { + case OPT_EXEC_KEEPCAPS: + keepcaps = true; + break; + case -1: + break; + default: + usage(); + } + } while (opt != -1); + + if (argc < optind + 1) usage(); + sockpath = argv[optind]; + ctlfd = connect_ctl(sockpath, false, 
NULL, &peercred); flags = detect_namespaces(peercred.pid); @@ -418,9 +484,9 @@ static void cmd_exec(int argc, char *argv[]) } /* CHILD */ - if (argc > 2) { - exe = argv[2]; - xargs = (const char * const*)(argv + 2); + if (argc > optind + 1) { + exe = argv[optind + 1]; + xargs = (const char * const*)(argv + optind + 1); } else { exe = getenv("SHELL"); if (!exe) @@ -431,6 +497,9 @@ static void cmd_exec(int argc, char *argv[]) xargs = shargs; } + if (keepcaps) + caps_to_ambient(); + rc = execvp(exe, (char *const *)xargs); if (rc < 0) die("execv() %s: %s\n", exe, strerror(errno)); -- 2.39.2
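Review bot: in the include hunk (@@ -19,10 +19,15 @@), `#include <limits.h>` and `#include <unistd.h>` are added a second time; both are already included above (visible in the context of earlier hunks), so drop the duplicates.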
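Review bot: in the caps_to_ambient() hunk (@@ -359,21 +365,81 @@), `effective & (1 << cap)` shifts an int by a count that runs up to 63, which is undefined behaviour for cap >= 31 and means no capability above bit 30 is ever raised; use `(1ULL << cap)` (or `UINT64_C(1) << cap`) to match the 64-bit effective mask. The usage text promises "all possible capabilities" but only the effective set is raised, which is fine but should be stated as such. In the same hunk, getopt_long() with an empty optstring permutes argv, so options belonging to COMMAND (e.g. `nstool exec SOCK ls --color`) are parsed and rejected by nstool unless the caller inserts `--`; a leading "+" in optstring stops option processing at the first non-option, which is the behaviour an exec-style wrapper wants. The initializer `const char *sockpath = argv[1];` is now dead, since sockpath is always reassigned from argv[optind].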
Unlike ${DEBUG} we don't initialize ${TRACE} to 0 if not set, which causes failures when testing it later. That failure acts as though it is false; however, it emits spurious errors in script.log, which can make it harder to spot real errors. Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au> --- test/run | 3 +++ 1 file changed, 3 insertions(+) diff --git a/test/run b/test/run index e07513f..1945c7b 100755 --- a/test/run +++ b/test/run @@ -32,6 +32,9 @@ FAST=${FAST:-1} # If set, run passt and pasta with debug options DEBUG=${DEBUG:-0} +# If set, run passt and pasta with trace options +TRACE=${TRACE:-0} + # If set, tell passt and pasta to take packet captures PCAP=${PCAP:-0} -- 2.39.2
Using this, rather than using "nstool info" to get the pid then manually connecting with nsenter makes things a little simpler. Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au> --- test/lib/context | 14 +++++++++----- test/lib/setup | 33 +++++++++++++-------------------- test/run | 2 +- 3 files changed, 23 insertions(+), 26 deletions(-) diff --git a/test/lib/context b/test/lib/context index ee6b683..4938952 100644 --- a/test/lib/context +++ b/test/lib/context @@ -13,6 +13,8 @@ # Copyright Red Hat # Author: David Gibson <david(a)gibson.dropbear.id.au> +NSTOOL="${BASEPATH}/nstool" + # context_setup_common() - Create outline of a new context # $1: Context name context_setup_common() { @@ -30,15 +32,17 @@ context_setup_host() { echo sh -c > "${__enter}" } -# context_setup_nsenter() - Create a new context for running commands in a namespace +# context_setup_nstool() - Create a new context for running commands with nstool exec # $1: Context name -# $2: Namespace PID -context_setup_nsenter() { +# $2: nstool control socket +context_setup_nstool() { __name="$1" - shift + __sock="$2" __enter="${STATESETUP}/context_${__name}.enter" + # Wait for the ns to be ready + ${NSTOOL} info -w "${__sock}" > /dev/null context_setup_common "${__name}" - echo "nsenter $@ sh -c" > "${__enter}" + echo "${NSTOOL} exec ${__sock} -- sh -c" > "${__enter}" } # context_setup_guest() - Create a new context for running commands in a guest diff --git a/test/lib/setup b/test/lib/setup index 6d7644a..28f6a57 100755 --- a/test/lib/setup +++ b/test/lib/setup @@ -17,7 +17,6 @@ INITRAMFS="${BASEPATH}/mbuto.img" VCPUS="$( [ $(nproc) -ge 8 ] && echo 6 || echo $(( $(nproc) / 2 + 1 )) )" __mem_kib="$(sed -n 's/MemTotal:[ ]*\([0-9]*\) kB/\1/p' /proc/meminfo)" VMEM="$((${__mem_kib} / 1024 / 4))" -NSTOOL="${BASEPATH}/nstool" # setup_build() - Set up pane layout for build tests setup_build() { 
@@ -78,9 +77,8 @@ setup_pasta() { layout_pasta context_run_bg unshare "unshare -rUnpf ${NSTOOL} hold ${STATESETUP}/ns.hold" - __target_pid=$(${NSTOOL} info -pw ${STATESETUP}/ns.hold) - context_setup_nsenter ns -U -n -p --preserve-credentials -t ${__target_pid} + context_setup_nstool ns ${STATESETUP}/ns.hold # Ports: # @@ -94,7 +92,7 @@ setup_pasta() { [ ${DEBUG} -eq 1 ] && __opts="${__opts} -d" [ ${TRACE} -eq 1 ] && __opts="${__opts} --trace" - context_run_bg passt "./pasta ${__opts} -f -t 10002 -T 10003 -u 10002 -U 10003 -P ${STATESETUP}/passt.pid ${__target_pid}" + context_run_bg passt "./pasta ${__opts} -f -t 10002 -T 10003 -u 10002 -U 10003 -P ${STATESETUP}/passt.pid $(${NSTOOL} info -pw ${STATESETUP}/ns.hold)" # pidfile isn't created until pasta is ready wait_for [ -f "${STATESETUP}/passt.pid" ] @@ -128,11 +126,10 @@ setup_passt_in_ns() { context_run_bg pasta "./pasta ${__opts} -t 10001,10002,10011,10012 -T 10003,10013 -u 10001,10002,10011,10012 -U 10003,10013 -P ${STATESETUP}/pasta.pid --config-net ${NSTOOL} hold ${STATESETUP}/ns.hold" wait_for [ -f "${STATESETUP}/pasta.pid" ] - __ns_pid=$(${NSTOOL} info -pw ${STATESETUP}/ns.hold) - context_setup_nsenter qemu "-t ${__ns_pid} -U -n -p --preserve-credentials" - context_setup_nsenter ns "-t ${__ns_pid} -U -n -p --preserve-credentials" - context_setup_nsenter passt "-t ${__ns_pid} -U -n -p --preserve-credentials" + context_setup_nstool qemu ${STATESETUP}/ns.hold + context_setup_nstool ns ${STATESETUP}/ns.hold + context_setup_nstool passt ${STATESETUP}/ns.hold __opts= [ ${PCAP} -eq 1 ] && __opts="${__opts} -p ${LOGDIR}/passt_in_pasta.pcap" 
@@ -190,19 +187,17 @@ setup_two_guests() { [ ${DEBUG} -eq 1 ] && __opts="${__opts} -d" [ ${TRACE} -eq 1 ] && __opts="${__opts} --trace" context_run_bg pasta_1 "./pasta ${__opts} --trace -l /tmp/pasta1.log -P ${STATESETUP}/pasta_1.pid -t 10001,10002 -T 10003,10004 -u 10001,10002 -U 10003,10004 --config-net ${NSTOOL} hold ${STATESETUP}/ns1.hold" - __ns1_pid=$(${NSTOOL} info -pw ${STATESETUP}/ns1.hold) - context_setup_nsenter passt_1 -U -n -p --preserve-credentials -t ${__ns1_pid} + context_setup_nstool passt_1 ${STATESETUP}/ns1.hold __opts= [ ${PCAP} -eq 1 ] && __opts="${__opts} -p ${LOGDIR}/pasta_2.pcap" [ ${DEBUG} -eq 1 ] && __opts="${__opts} -d" [ ${TRACE} -eq 1 ] && __opts="${__opts} --trace" context_run_bg pasta_2 "./pasta ${__opts} --trace -l /tmp/pasta2.log -P ${STATESETUP}/pasta_2.pid -t 10004,10005 -T 10003,10001 -u 10004,10005 -U 10003,10001 --config-net ${NSTOOL} hold ${STATESETUP}/ns2.hold" - __ns2_pid=$(${NSTOOL} info -pw ${STATESETUP}/ns2.hold) - context_setup_nsenter passt_2 -U -n -p --preserve-credentials -t ${__ns2_pid} + context_setup_nstool passt_2 ${STATESETUP}/ns2.hold - context_setup_nsenter qemu_1 -U -n -p --preserve-credentials -t ${__ns1_pid} - context_setup_nsenter qemu_2 -U -n -p --preserve-credentials -t ${__ns2_pid} + context_setup_nstool qemu_1 ${STATESETUP}/ns1.hold + context_setup_nstool qemu_2 ${STATESETUP}/ns2.hold __ifname="$(context_run qemu_1 "ip -j link show | jq -rM '.[] | select(.link_type == \"ether\").ifname'")" 
@@ -310,15 +305,13 @@ teardown_passt_in_ns() { # teardown_two_guests() - Exit namespaces, kill qemu processes, passt and pasta teardown_two_guests() { - __ns1_pid=$(${NSTOOL} info -pw "${STATESETUP}/ns1.hold") - __ns2_pid=$(${NSTOOL} info -pw "${STATESETUP}/ns2.hold") - nsenter -U -p --preserve-credentials -t ${__ns1_pid} kill $(cat "${STATESETUP}/qemu_1.pid") - nsenter -U -p --preserve-credentials -t ${__ns2_pid} kill $(cat "${STATESETUP}/qemu_2.pid") + ${NSTOOL} exec ${STATESETUP}/ns1.hold -- kill $(cat "${STATESETUP}/qemu_1.pid") + ${NSTOOL} exec ${STATESETUP}/ns2.hold -- kill $(cat "${STATESETUP}/qemu_2.pid") context_wait qemu_1 context_wait qemu_2 - nsenter -U -p --preserve-credentials -t ${__ns1_pid} kill $(cat "${STATESETUP}/passt_1.pid") - nsenter -U -p --preserve-credentials -t ${__ns2_pid} kill $(cat "${STATESETUP}/passt_2.pid") + ${NSTOOL} exec ${STATESETUP}/ns1.hold -- kill $(cat "${STATESETUP}/passt_1.pid") + ${NSTOOL} exec ${STATESETUP}/ns2.hold -- kill $(cat "${STATESETUP}/passt_2.pid") context_wait passt_1 context_wait passt_2 ${NSTOOL} stop "${STATESETUP}/ns1.hold" diff --git a/test/run b/test/run index 1945c7b..447d831 100755 --- a/test/run +++ b/test/run @@ -41,9 +41,9 @@ PCAP=${PCAP:-0} COMMIT="$(git log --oneline --no-decorate -1)" . lib/util +. lib/context . lib/setup . lib/setup_ugly -. lib/context . lib/term . lib/perf_report . lib/layout -- 2.39.2
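Review bot: in the test/lib/context hunk (@@ -30,15 +32,17 @@), the socket path is quoted in `${NSTOOL} info -w "${__sock}"` but not in the echoed `${NSTOOL} exec ${__sock} -- sh -c`; quote both for consistency. The `--` is load-bearing here because nstool exec uses permuting getopt_long(), so a comment explaining why it is needed would save someone removing it later.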
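Review bot: in the test/run hunk (@@ -41,9 +41,9 @@), moving `. lib/context` ahead of `. lib/setup` is required because NSTOOL is now defined in lib/context and used by lib/setup, but the commit message does not mention the reorder or the reason; add a sentence so the ordering dependency is documented.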
This is possibly useful in nstool info and has further uses for nstool exec. Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au> --- test/nstool.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/test/nstool.c b/test/nstool.c index c224d23..ece566e 100644 --- a/test/nstool.c +++ b/test/nstool.c @@ -68,6 +68,7 @@ struct holder_info { pid_t pid; uid_t uid; gid_t gid; + char cwd[PATH_MAX]; }; static void usage(void) @@ -175,6 +176,8 @@ static void cmd_hold(int argc, char *argv[]) info.pid = getpid(); info.uid = getuid(); info.gid = getgid(); + if (!getcwd(info.cwd, sizeof(info.cwd))) + die("getcwd(): %s\n", strerror(errno)); do { int afd = accept(fd, NULL, NULL); @@ -312,6 +315,7 @@ static void cmd_info(int argc, char *argv[]) printf("\tPID:\t%d\n", info.pid); printf("\tUID:\t%u\n", info.uid); printf("\tGID:\t%u\n", info.gid); + printf("\tCWD:\t%s\n", info.cwd); } } -- 2.39.2
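Review bot: in the struct holder_info hunk (@@ -68,6 +68,7 @@), adding `char cwd[PATH_MAX]` grows the struct to more than 4 KiB, so the single write() in cmd_hold() and the single read() in connect_ctl() are now far more likely to be split across calls on the stream socket; the existing "short read()"/"short write()" die() paths should become loops before this lands. Since cwd is supplied by the peer, force `info.cwd[sizeof(info.cwd) - 1] = '\0'` after reading it in connect_ctl() so that printf("%s") in cmd_info() cannot run past the buffer.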
If we enter a mount namespace with nstool exec our working directory will be changed to / in the new mount ns. This is surprising if we haven't actually altered any mounts yet in the new ns. Instead, change the working directory to match that of the holder process in this situation. Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au> --- test/nstool.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/test/nstool.c b/test/nstool.c index ece566e..48f4b77 100644 --- a/test/nstool.c +++ b/test/nstool.c @@ -420,6 +420,7 @@ static void cmd_exec(int argc, char *argv[]) const struct ns_type *nst; int ctlfd, flags, opt, rc; const char *const *xargs; + struct holder_info info; bool keepcaps = false; struct ucred peercred; const char *exe; @@ -444,7 +445,7 @@ static void cmd_exec(int argc, char *argv[]) sockpath = argv[optind]; - ctlfd = connect_ctl(sockpath, false, NULL, &peercred); + ctlfd = connect_ctl(sockpath, false, &info, &peercred); flags = detect_namespaces(peercred.pid); @@ -475,6 +476,15 @@ static void cmd_exec(int argc, char *argv[]) nst->name, strerror(errno)); } + /* If we've entered a mount ns, our cwd has changed to /. + * Switch to the cwd of the holder, which is probably less + * surprising. */ + if (flags & CLONE_NEWNS) { + rc = chdir(info.cwd); + if (rc < 0) + die("chdir(\"%s\"): %s\n", info.cwd, strerror(errno)); + } + /* Fork to properly enter PID namespace */ xpid = fork(); if (xpid < 0) -- 2.39.2
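Review bot: in the cmd_exec() hunk (@@ -475,6 +476,15 @@), `if (flags & CLONE_NEWNS)` is evaluated after the first setns() pass has cleared the bits of every namespace it entered successfully, so the chdir() only happens when the mount namespace was entered in the second pass; when the caller already had the privileges to enter it in the first pass, the cwd stays at the new root. Save the result of detect_namespaces() (e.g. in a separate variable before the two passes) and test that instead. The chdir() target also comes straight from the peer, so NUL-terminate info.cwd after reading it, or at least before passing it to chdir() and the die() format.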
On Thu, 6 Apr 2023 13:28:05 +1000
David Gibson <david(a)gibson.dropbear.id.au> wrote:

> This series extends the "nsholder" tool we use in the tests to "nstool"
> with some more features. In particular it allows entering an established
> namespace with capabilities intact, and it allows entering them with
> less verbose options than nsenter.
>
> For now this only gives a modest simplification of the tests, but it
> should enable more in future.
>
> I haven't managed to get all the way through the testsuite with this:
> it's wedging in the IPv4 UDP throughput tests, but that's happening for
> me with the main branch too. I'll debug that, but I don't want to delay
> this series on that for now.
>
> Changes since v1:
>  * Fixed a bunch of bad indentation from a bad copy/paste
>  * Assorted minor cleanups based on review from Stefano
>
> David Gibson (14):
>   nstool: Rename nsholder to nstool
>   nstool: Reverse parameters to nstool
>   nstool: Move description of its operation modes from comment to usage
>   nstool: Split some command line parsing and socket setup to subcommands
>   nstool: Replace "pid" subcommand with "info" subcommand
>   nstool: Detect what namespaces target is in
>   nstool: Add magic number to advertized information
>   nstool: Helpers to iterate through namespace types
>   nstool: Add nstool exec command to execute commands in an nstool namespace
>   nstool: Add --keep-caps option to nstool exec
>   test: Initialise ${TRACE} properly
>   test: Use "nstool exec" to slightly simplify tests
>   nstool: Advertise the holder's cwd (in its mountns) across the socket
>   nstool: Enter holder's cwd when changing mount ns with nstool exec

Pushed, thanks.

-- 
Stefano