Commit Graph

235 Commits

Author SHA1 Message Date
Djalal Harouni
afc402b76a Merge pull request #4658 from endocode/djalal/sandbox-various-fixes-v1
core: improve the logic that implies no new privileges and documentation fixes
2016-11-15 20:45:27 +01:00
Evgeny Vereshchagin
22f1f8f24c tests: add UNIFIED_CGROUP_HIERARCHY=[default|hybrid] (#4675)
This will simplify testing a bit.
Mainly for https://github.com/systemd/systemd/pull/4670
2016-11-15 17:38:04 +01:00
Djalal Harouni
97e60383c0 test: add tests for RestrictNamespaces= 2016-11-15 15:50:19 +01:00
Evgeny Vereshchagin
e1a2731868 tests: fix kernel/initrd searching (Arch)
We can run
sudo make run

instead of the
sudo make run KERNEL_BIN=/boot/vmlinuz-linux INITRD=/boot/initramfs-linux.img

See https://github.com/systemd/systemd/issues/4607
2016-11-11 13:47:44 +11:00
Martin Pitt
5209e9afd2 tests: use less aggressive systemctl --wait timeout in TEST-03-JOBS (#4606)
If the "systemctl start" happens at an "unlucky" time such as 1000.9 seconds
and then e. g.  runs for 2.6 s (sleep 2 plus the overhead of starting the unit
and waiting for it) the END_SEC would be 1003.5s which would round to 1004,
making the difference 4. On busier testbeds the overhead apparently can take a
bit more than 0.5s. The main point is really that it doesn't wait that much
longer, so "-le 4" seems perfectly fine. We allow up to 1.5s in the subsequent
"wait5fail" test below too.

Fixes #4582
2016-11-07 21:51:20 +03:00
Djalal Harouni
5c67067f0e test: test DynamicUser= with SupplementaryGroups= 2016-11-03 08:38:28 +01:00
Djalal Harouni
2b9ac11ed9 test: test DynamicUser= with a fixed user 2016-11-03 08:37:15 +01:00
Evgeny Vereshchagin
bff653e397 tests: add test that journald keeps fds over termination by signal
This test fails before previous commit, and passes with it.
2016-11-01 21:20:26 -04:00
Djalal Harouni
50ca7a35a1 test: lets add more tests to cover SupplementaryGroups= cases. 2016-10-24 12:38:53 +02:00
Zbigniew Jędrzejewski-Szmek
60f17f75d1 Merge pull request #4372 from evverx/fix-synced-cgroup-hierarchy-perms 2016-10-23 23:25:57 -04:00
Evgeny Vereshchagin
844da987ef tests/TEST-13-NSPAWN-SMOKE: remove an expected failure check
https://github.com/systemd/systemd/issues/4352 has been fixed
So, we don't need this workaround anymore
2016-10-23 23:23:43 -04:00
Djalal Harouni
bf9ace96fc test: add more tests for SupplementaryGroups= 2016-10-23 23:27:16 +02:00
Djalal Harouni
86b838eaa3 test: Add simple test for supplementary groups 2016-10-23 23:27:14 +02:00
Evgeny Vereshchagin
c7934185fe tests: add smoke test for systemd-nspawn
Basically, this test runs:
```
    systemd-nspawn --register=no -D "$_root" -b
    systemd-nspawn --register=no -D "$_root" --private-network -b
    systemd-nspawn --register=no -D "$_root" -U -b
    systemd-nspawn --register=no -D "$_root" --private-network -U -b
```
and exports the `UNIFIED_CGROUP_HIERARCHY=[yes|no]`, `SYSTEMD_NSPAWN_USE_CGNS=[yes|no]`

Inspired by
* systemd#3589 (comment)
* systemd#4372 (comment)
* systemd#4223 (comment)
* systemd#1555

and so on :-)
2016-10-17 16:50:09 +00:00
Djalal Harouni
4982dbcc30 test: add test to make sure that ProtectKernelModules=yes disconnect mount propagation 2016-10-12 14:12:36 +02:00
Djalal Harouni
625d8769fa test: add test to make sure that CAP_SYS_RAWIO was removed on PrivateDevices=yes 2016-10-12 13:47:59 +02:00
Djalal Harouni
3ae33295f0 test: add capability tests for ProtectKernelModules=
This just adds capabilities test.
2016-10-12 13:36:27 +02:00
Martin Pitt
93a0884126 systemctl: Add --wait option to wait until started units terminate again
Fixes #3830
2016-10-01 17:58:59 +02:00
Martin Pitt
b9fe94cad9 resolved: don't query domain-limited DNS servers for other domains (#3621)
DNS servers which have route-only domains should only be used for
the specified domains. Routing queries about other domains there is a privacy
violation, prone to fail (as that DNS server was not meant to be used for other
domains), and puts unnecessary load onto that server.

Introduce a new helper function dns_server_limited_domains() that checks if the
DNS server should only be used for some selected domains, i. e. has some
route-only domains without "~.". Use that when determining whether to query it
in the scope, and when writing resolv.conf.

Extend the test_route_only_dns() case to ensure that the DNS server limited to
~company does not appear in resolv.conf. Add test_route_only_dns_all_domains()
to ensure that a server that also has ~. does appear in resolv.conf as global
name server. These reproduce #3420.

Add a new test_resolved_domain_restricted_dns() test case that verifies that
domain-limited DNS servers are only being used for those domains. This
reproduces #3421.

Clarify what a "routing domain" is in the manpage.

Fixes #3420
Fixes #3421
2016-09-30 09:30:08 +02:00
Djalal Harouni
cdfbd1fb26 test: make sure that {readonly|inaccessible|readwrite}paths disconnect mount propagation
Better safe.
2016-09-27 09:24:46 +02:00
Djalal Harouni
f78b36f016 test: add tests for simple ReadOnlyPaths= case 2016-09-27 09:24:43 +02:00
Djalal Harouni
615a1f4b26 test: add CAP_MKNOD tests for PrivateDevices= 2016-09-25 13:04:30 +02:00
Jean-Sébastien Bour
047a0dacde networkd: support drop-in directories for .network files
Fixes #3655.

[zj: Fix the tests.]
2016-09-16 10:31:58 -04:00
Zbigniew Jędrzejewski-Szmek
38d78d1ee9 networkd-test: add a helper function to always clean up temporary config files 2016-09-16 10:30:34 -04:00
Evgeny Vereshchagin
23cabb68ac tests: mount proc before exec valgrind (#4044)
Fixes:
$ sudo make run QEMU_BIN=/usr/bin/qemu-system-x86_64  KERNEL_APPEND=systemd.unit=multi-user.target SKIP_INITRD=yes
TEST RUN: Basic systemd setup
+ /usr/bin/qemu-system-x86_64 -smp 1 -net none -m 512M -nographic -kernel /boot/vmlinuz-4.6.7-200.fc23.x86_64 -drive format=raw,cache=unsafe,file=/var/tmp/systemd-test.izx99J/rootdisk.img -append 'root=/dev/sda1 raid=noautodetect loglevel=2 init=/usr/lib/systemd/systemd-under-valgrind rw console=ttyS0 selinux=0 systemd.unified_cgroup_hierarchy=no systemd.unit=multi-user.target '
valgrind: warning (non-fatal): readlink("/proc/self/exe") failed.
valgrind: continuing, however --trace-children=yes will not work.
--1:0: aspacem Valgrind: FATAL: can't open /proc/self/maps
--1:0: aspacem Exiting now.
[    3.152367] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
[    3.152367]
[    3.152367] CPU: 0 PID: 1 Comm: memcheck-amd64- Not tainted 4.6.7-200.fc23.x86_64 #1
[    3.152367] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.2-20150714_191134- 04/01/2014
[    3.152367]  0000000000000086 0000000047ca1666 ffff88001ea43e00 ffffffff813d954e
[    3.152367]  ffffffff81a205a0 ffff88001ea43e98 ffff88001ea43e88 ffffffff811b5557
[    3.152367]  ffffffff00000010 ffff88001ea43e98 ffff88001ea43e30 0000000047ca1666
[    3.152367] Call Trace:
[    3.152367]  [<ffffffff813d954e>] dump_stack+0x63/0x85
[    3.152367]  [<ffffffff811b5557>] panic+0xde/0x220
[    3.152367]  [<ffffffff810ab9c3>] do_exit+0xb43/0xb50
[    3.152367]  [<ffffffff810aba57>] do_group_exit+0x47/0xb0
[    3.152367]  [<ffffffff810abad4>] SyS_exit_group+0x14/0x20
[    3.152367]  [<ffffffff817dae72>] entry_SYSCALL_64_fastpath+0x1a/0xa4
[    3.152367] Kernel Offset: disabled
[    3.152367] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
[    3.152367]
QEMU: Terminated
2016-08-26 17:49:56 +02:00
Lennart Poettering
d3fc8bf43f tests: let's stick to 8ch indenting, in perl code too 2016-08-19 16:01:17 +02:00
Jan Synacek
1259186355 test: fix test-execute personality tests on ppc64 and aarch64 (#3825) 2016-08-02 16:22:56 +02:00
Zbigniew Jędrzejewski-Szmek
ce5fcc695e Merge pull request 3821 from davide125/fix-tests 2016-07-31 22:06:09 -04:00
Davide Cavalca
e4d214efc2 tests: skip udev-test if running inside a chroot 2016-07-29 09:20:11 -07:00
Alexander Kurtz
00f69504a2 bootctl: Always use upper case for "/EFI/BOOT" and "/EFI/BOOT/BOOT*.EFI".
If the ESP is not mounted with "iocharset=ascii", but with "iocharset=utf8"
(which is for example the default in Debian), the file system becomes case
sensitive. This means that a file created as "FooBarBaz" cannot be accessed as
"foobarbaz" since those are then considered different files.

Moreover, a file created as "FooBar" can then also not be accessed as "foobar",
and it also prevents such a file from being created, as both would use the same
8.3 short name "FOOBAR".

Even though the UEFI specification [0] does give the canonical spelling for
the files mentioned above, not all implementations completely conform to that,
so it's possible that those files would already exist, but with a different
spelling, causing subtle bugs when scanning or modifying the ESP.

While the proper fix would of course be that everybody conformed to the
standard, we can work around this problem by just referencing the files by
their 8.3 short names, i.e. using upper case.

Fixes: #3740

[0] <http://www.uefi.org/specifications>, version 2.6, section 3.5.1.1
2016-07-21 03:02:15 +02:00
Felipe Sateler
11ea343126 tests: Install missing libraries for things installed in /usr too 2016-07-03 18:56:54 -04:00
Felipe Sateler
d7a4278d29 tests: follow RUNPATH when installing missing libraries
Fixes #3630
2016-07-03 18:33:02 -04:00
Martin Pitt
30b42a9a36 test: check resolved generated resolv.conf in networkd-test (#3628)
* test: check resolved generated resolv.conf in networkd-test

Directly verify the contents of /run/systemd/resolve/resolv.conf instead of
/etc/resolv.conf. The latter might be a plain file or a symlink to something
else (like Debian's resolvconf output), and in these cases we cannot make
strong assumptions about the contents.

Drop the "/etc/resolv.conf is a symlink" conditions and the "resolv.conf can
have at most three nameservers" alternatives, as we know that resolved always
adds all nameservers.

Explicitly start resolved at the start of a test to ensure that it is running.

* test: get along with existing system search domains in resolv.conf

The previous change has uncovered a bug in the tests: Existing search domains
can exist in resolv.conf which test_search_domains{,_too_long} didn't take into account.

As existing domains take some of the "max 6 domains" and "max 255 chars" limit,
don't expect that the last items from our test data actually appears in the
output, just the first few.
2016-06-30 16:44:22 +03:00
Martin Pitt
94363cbbf3 resolved: add test for route-only domain filtering (#3609)
With commit 6f7da49d00 route-only domains do not get put into resolv.conf's
"search" list any more. Add a comment about the tri-state, to clarify its
semantics and why we are passing a bool parameter into an int type. Also add a
test case for it.
2016-06-28 18:18:27 +02:00
Martin Pitt
7cad32bbde test: merge check_nspawn() into run_nspawn()
This makes nspawn tests symmetric with run_qemu() which also exits with 1 if
QEMU is not available.
2016-06-24 16:23:39 +02:00
Martin Pitt
b2ecd099dc tests: track and check for timeouts
If run_qemu() exits with non-zero, this either meant that QEMU was not
available (which should be a SKIP) or that QEMU timed out if $QEMU_TIMEOUT was
set (which then should be a FAIL).

Limit the exit code of run_qemu() to QEMU availability only, and track timeouts
separately through the new $TIMED_OUT variable, which is then checked in
check_result_qemu().

Do the same for $NSPAWN_TIMEOUT and run_nspawn() so that nspawn and QEMU work
similarly.
2016-06-24 16:07:16 +02:00
Martin Pitt
633736bbf4 tests: make TEST-12-ISSUE-3171 nspawn invocation consistent with other tests
The result of check_nspawn does not mean much, and this forgot to ask
check_nspawn() whether nspawn can be used at all. This brings
TEST-12-ISSUE-3171 in line with other nspawn tests.
2016-06-24 12:07:18 +02:00
Martin Pitt
eaa03c05f7 tests: don't fail if QEMU is not available
Fix TEST-{08,09,10,11} to properly skip the test if QEMU is not available
instead of failing, like in the other tests.
2016-06-24 11:28:35 +02:00
Martin Pitt
a415d43655 tests: force booting the kernel with SELinux
selinux=1 is not sufficient when running on a kernel which also has another LSM
(such as AppArmor) enabled and defaults to that.
2016-06-24 11:28:35 +02:00
Lennart Poettering
f921f5739e networkd: rename IPv6AcceptRouterAdvertisements to IPv6AcceptRA
The long name is just too hard to type. We generally should avoid using
acronyms too liberally, if they aren't established enough, but it appears that
"RA" is known well enough. Internally we call the option "ipv6_accept_ra"
anyway, and the kernel also exposes it under this name. Hence, let's rename the
IPv6AcceptRouterAdvertisements= setting and the
[IPv6AcceptRouterAdvertisements] section to IPv6AcceptRA= and [IPv6AcceptRA].

The old setting IPv6AcceptRouterAdvertisements= is kept for compatibility with
older configuration. (However the section [IPv6AcceptRouterAdvertisements] is
not, as it was never available in a published version of systemd.
2016-06-07 11:24:30 +02:00
Evgeny Vereshchagin
856ca72b29 tests: introduce UNIFIED_CGROUP_HIERARCHY (#3419)
There are many cgroups-related changes (thanks, @htejun!)
This commit will simplify testing a bit.

Use:
make run UNIFIED_CGROUP_HIERARCHY=yes to enable cgroup-v2
make run UNIFIED_CGROUP_HIERARCHY=no to enable cgroup-v1
2016-06-03 11:17:00 +02:00
Martin Pitt
d2bc125132 resolved: fix comments in resolve.conf for search domain overflows (#3422)
Write comments about "too many search domains" and "Total length of all search
domains is too long" just once. Also put it on a separate line, as
resolv.conf(5) only specifies comments in a line by themselves.

This is ugly to do if write_resolv_conf_search() gets called once for every
search domain. So change it to receive the complete OrderedSet instead and do
the iteration by itself.

Add test cases to networkd-test.py.

https://launchpad.net/bugs/1588229
2016-06-03 11:15:44 +02:00
Tejun Heo
538b48524c core: translate between IO and BlockIO settings to ease transition
Due to the substantial interface changes in cgroup unified hierarchy, new IO
settings are introduced.  Currently, IO settings apply only to unified
hierarchy and BlockIO to legacy.  While the transition is necessary, it's
painful for users to have to provide configs for both.  This patch implements
translation from one config set to another for configs which make sense.

* The translation takes place during application of the configs.  Users won't
  see IO or BlockIO settings appearing without being explicitly created.

* The translation takes place only if there is no config for the matching
  cgroup hierarchy type at all.

While this doesn't provide comprehensive compatibility, it should considerably
ease transition to the new IO settings which are a superset of BlockIO
settings.

v2:

- Update test-cgroup-mask.c so that it accounts for the fact that
  CGROUP_MASK_IO and CGROUP_MASK_BLKIO move together.  Also, test/parent.slice
  now sets IOWeight instead of BlockIOWeight.
2016-05-18 17:35:12 -07:00
Zbigniew Jędrzejewski-Szmek
62a992bed9 TEST-08: make sure / is remounted rw
In this test /etc/fstab is replaced by -.mount unit. This causes
systemd-remount-fs.service to not remount / rw, which in turn causes various
failures becuase /var is not writable. In particular
systemd-tmpfiles-setup.service reports many failures. This is something
to possibly fix on its own (see https://github.com/systemd/systemd/issues/791);
in the meanwhile let's fix this test so that it doesn't fail, since the
point of the test is to check aliases on mount units, and not a ro root.
2016-05-08 22:00:23 -04:00
Zbigniew Jędrzejewski-Szmek
61b480b68b tests: enable logging for pid1, disable for other systemd services
systemd-udev generated an insane amount of log output at debug level.
It would break TEST-02-CRYPTSETUP by filling the overflowing the disk
(which seems to be a bug in itself!).
2016-05-08 20:27:34 -04:00
Zbigniew Jędrzejewski-Szmek
e14b866bc1 tests: allow root to login with empty password to test images 2016-05-08 20:27:33 -04:00
Zbigniew Jędrzejewski-Szmek
ed1190498f tree-wide: remove uses of --failed
It has been replaced by --state=failed.
2016-05-08 20:27:33 -04:00
Zbigniew Jędrzejewski-Szmek
5b23cef0bb tests: specify format=raw for qemu to avoid warning
WARNING: Image format was not specified for
         '/var/tmp/systemd-test.tGi3od/rootdisk.img' and probing guessed raw.
         Automatically detecting the format is dangerous for raw images, write
         operations on block 0 will be restricted.  Specify the 'raw' format
         explicitly to remove the restrictions.

Also use unsafe caching mode, we don't care about data integrity here.
2016-05-08 20:27:33 -04:00
Evgeny Vereshchagin
03ae6f7dee tests: add test for #3171 (#3206) 2016-05-06 23:05:59 +02:00
Evgeny Vereshchagin
0b2abe0f03 tests: add test for #3166 (#3180) 2016-05-03 11:43:22 +02:00