test: firecracker-microvm#1099 jailer mount propagation Signed-off-by: Anthony Corletti <[email protected]>

Author: anthonycorletti

tests/framework/microvm.py

@@ -18,6 +18,7 @@
 import select
 import shutil
 import signal
+import subprocess
 import time
 import uuid
 from collections import namedtuple
@@ -299,9 +300,9 @@ def kill(self):
             backend.kill()
         self.disks_vhost_user.clear()
 
-        assert (
-            "Shutting down VM after intercepting signal" not in self.log_data
-        ), self.log_data
+        assert "Shutting down VM after intercepting signal" not in self.log_data, (
+            self.log_data
+        )
 
         try:
             if self.firecracker_pid:
@@ -330,9 +331,9 @@ def kill(self):
                 f"ps aux | grep {self.jailer.jailer_id}"
             )
             # make sure firecracker was killed
-            assert (
-                stderr == "" and "firecracker" not in stdout
-            ), f"Firecracker reported its pid {self.firecracker_pid}, which was killed, but there still exist processes using the supposedly dead Firecracker's jailer_id: {stdout}"
+            assert stderr == "" and "firecracker" not in stdout, (
+                f"Firecracker reported its pid {self.firecracker_pid}, which was killed, but there still exist processes using the supposedly dead Firecracker's jailer_id: {stdout}"
+            )
 
         # Mark the microVM as not spawned, so we avoid trying to kill twice.
         self._spawned = False
@@ -391,9 +392,9 @@ def _validate_api_response_times(self):
                 if current_call.url != "/snapshot/create":
                     exec_time = float(match.group("execution_time")) / 1000.0
 
-                    assert (
-                        exec_time <= MAX_API_CALL_DURATION_MS
-                    ), f"{current_call.method} {current_call.url} API call exceeded maximum duration: {exec_time} ms. Body: {current_call.body}"
+                    assert exec_time <= MAX_API_CALL_DURATION_MS, (
+                        f"{current_call.method} {current_call.url} API call exceeded maximum duration: {exec_time} ms. Body: {current_call.body}"
+                    )
 
                 current_call = None
 
@@ -560,18 +561,18 @@ def pin_threads(self, first_cpu):
         Return next "free" cpu core.
         """
         for vcpu, pcpu in enumerate(range(first_cpu, first_cpu + self.vcpus_count)):
-            assert self.pin_vcpu(
-                vcpu, pcpu
-            ), f"Failed to pin fc_vcpu {vcpu} thread to core {pcpu}."
+            assert self.pin_vcpu(vcpu, pcpu), (
+                f"Failed to pin fc_vcpu {vcpu} thread to core {pcpu}."
+            )
         # The cores first_cpu,...,first_cpu + self.vcpus_count - 1 are assigned to the individual vCPU threads,
         # So the remaining two threads (VMM and API) get first_cpu + self.vcpus_count
         # and first_cpu + self.vcpus_count + 1
-        assert self.pin_vmm(
-            first_cpu + self.vcpus_count
-        ), "Failed to pin firecracker thread."
-        assert self.pin_api(
-            first_cpu + self.vcpus_count + 1
-        ), "Failed to pin fc_api thread."
+        assert self.pin_vmm(first_cpu + self.vcpus_count), (
+            "Failed to pin firecracker thread."
+        )
+        assert self.pin_api(first_cpu + self.vcpus_count + 1), (
+            "Failed to pin fc_api thread."
+        )
 
         return first_cpu + self.vcpus_count + 2
 
@@ -683,9 +684,9 @@ def _wait_create(self):
     @retry(wait=wait_fixed(0.2), stop=stop_after_attempt(5), reraise=True)
     def check_log_message(self, message):
         """Wait until `message` appears in logging output."""
-        assert (
-            message in self.log_data
-        ), f'Message ("{message}") not found in log data ("{self.log_data}").'
+        assert message in self.log_data, (
+            f'Message ("{message}") not found in log data ("{self.log_data}").'
+        )
 
     @retry(wait=wait_fixed(0.2), stop=stop_after_attempt(5), reraise=True)
     def get_exit_code(self):
@@ -1115,13 +1116,33 @@ def build_from_snapshot(self, snapshot: Snapshot):
         vm.restore_from_snapshot(snapshot, resume=True)
         return vm
 
+    def unmount(self, path: str):
+        try:
+            subprocess.run(["umount", path], check=True)
+        except subprocess.CalledProcessError:
+            print(f"Failed to unmount {path}")
+
+    def get_mounts_at_path(self, path: str) -> list:
+        try:
+            with open("/proc/mounts", "r") as f:
+                return [
+                    line.split()[1]
+                    for line in f
+                    if line.split()[1].startswith(os.path.abspath(path))
+                ]
+        except FileNotFoundError:
+            return False  # /proc/mounts may not exist on some systems
+
     def kill(self):
         """Clean up all built VMs"""
         for vm in self.vms:
             vm.kill()
             vm.jailer.cleanup()
             chroot_base_with_id = vm.jailer.chroot_base_with_id()
             if len(vm.jailer.jailer_id) > 0 and chroot_base_with_id.exists():
+                mounts = self.get_mounts_at_path(chroot_base_with_id)
+                if mounts:
+                    [self.unmount(mounted_path) for mounted_path in mounts]
                 shutil.rmtree(chroot_base_with_id)
             vm.netns.cleanup()
 

tests/integration_tests/security/test_jail.py

@@ -664,3 +664,79 @@ def test_cgroupsv2_written_only_once(uvm_plain, cgroups_info):
     assert len(write_lines) == 1
     assert len(mkdir_lines) != len(cgroups), "mkdir equal to number of cgroups"
     assert len(mkdir_lines) == 1
+
+
+def test_mount_proagation_to_root(uvm_plain, tmp_path, guest_kernel, rootfs_rw):
+    """
+    Test that the jailer mounts are propagated to the root mount namespace.
+
+    This is a test for
+    https://github.com/firecracker-microvm/firecracker/pull/#1093
+    """
+
+    test_microvm = uvm_plain
+
+    # make a directory to hold the original content
+    original_content_dir = tmp_path / "original"
+    original_content_dir.mkdir(parents=True)
+
+    # make a directory to hold the jailed content
+    jailed_content_dir = tmp_path / "firecracker" / "testbindmount" / "root"
+    jailed_content_dir.mkdir(parents=True)
+
+    test_microvm.jailer.jailer_id = "testbindmount"
+    test_microvm.jailer.chroot_base = tmp_path
+    test_microvm.jailer.daemonize = True
+    test_microvm.jailer.gid = 0
+    test_microvm.jailer.uid = 0
+    test_microvm.extra_args = {"seccomp-level": 0}
+
+    # assert that the directory was created
+    assert jailed_content_dir.exists()
+
+    # Create the guest kernel and rootfs in the jailed content directory
+    # and mount them in the jailed content directory
+    os.system(f"cp {guest_kernel} {original_content_dir}")
+    os.system(f"cp {rootfs_rw} {original_content_dir}")
+    guest_kernel_mount_path = jailed_content_dir / os.path.basename(guest_kernel)
+    rootfs_mount_path = jailed_content_dir / os.path.basename(rootfs_rw)
+    guest_kernel_mount_path.touch()
+    rootfs_mount_path.touch()
+
+    # assert that the files were created
+    assert guest_kernel_mount_path.exists()
+    assert rootfs_mount_path.exists()
+
+    # mount the rootfs
+    subprocess.run(
+        [
+            "mount",
+            "--bind",
+            original_content_dir / os.path.basename(guest_kernel),
+            guest_kernel_mount_path,
+        ],
+        check=True,
+    )
+    subprocess.run(
+        [
+            "mount",
+            "--bind",
+            original_content_dir / os.path.basename(rootfs_rw),
+            rootfs_mount_path,
+        ],
+        check=True,
+    )
+
+    # assert that the mounts are present
+    assert guest_kernel_mount_path.exists()
+    assert rootfs_mount_path.exists()
+
+    print("test_microvm", test_microvm.__dict__)
+    print("test_microvm.jailer", test_microvm.jailer.__dict__)
+
+    # run
+    test_microvm.spawn()
+
+    # assert that the mounts are present
+    assert guest_kernel_mount_path.exists()
+    assert rootfs_mount_path.exists()