validation: add more values for rlimits test #623

Merged
merged 1 commit into from
Apr 19, 2018

@zhouhao3 zhouhao3 commented Apr 16, 2018

Test all getrlimit(3) values.

Signed-off-by: Zhou Hao [email protected]

g.AddProcessRlimits("RLIMIT_CPU", 1024, 1024)
g.AddProcessRlimits("RLIMIT_DATA", 1024, 1024)
g.AddProcessRlimits("RLIMIT_FSIZE", 1024, 1024)
g.AddProcessRlimits("RLIMIT_STACK", 1024, 1024)
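
Review bot: all four calls pass 1024 as both the second and the third argument, so a runtime that swapped the soft and hard limits, or applied one resource's limit to another resource, would still pass this test. Give each resource its own pair of distinct values, and note the unit on each line: 1024 means seconds for RLIMIT_CPU but bytes for RLIMIT_DATA, RLIMIT_FSIZE and RLIMIT_STACK.
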
Contributor

Could we use different values for each of the limits? So that it would check if the runtime does not mix them.
Ditto between the soft and hard value.

Author

updated.

@@ -17,7 +17,12 @@ func main() {
if err != nil {
util.Fatal(err)
}
g.AddProcessRlimits("RLIMIT_NOFILE", 1024, 1024)
Contributor

RLIMIT_NOFILE is also in POSIX, so I don't think we want to drop this one. I'm in favor of adding the others.

Author

It has been added by GetDefaultGenerator().

Contributor

However, the default generator uses the same value 1024 for the soft and hard value.

Author

Updated; I added RLIMIT_NOFILE and used different values.

@@ -17,7 +17,12 @@ func main() {
if err != nil {
util.Fatal(err)
}
g.AddProcessRlimits("RLIMIT_NOFILE", 1024, 1024)
g.AddProcessRlimits("RLIMIT_AS", 100, 200)
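
Review bot: in the RLIMIT_AS line the second argument (100) is smaller than the third (200), and the argument order is hard then soft: the test run later in this thread shows a call with (2 GiB, 1 GiB) reporting hard 2147483648 and soft 1073741824. This line therefore asks for a soft limit above the hard limit, which setrlimit(2) rejects with EINVAL. Swap the two values, as in `g.AddProcessRlimits("RLIMIT_AS", 200, 100)`, and pick sizes large enough for the test process to start.
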
Contributor

This is not many bytes ;). Does it even run? Similarly for RLIMIT_DATA, RLIMIT_FSIZE, and RLIMIT_STACK below. I don't see a problem with making these generous values in the 1GB range, as long as they're distinct values.
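
The reviewers' case for distinct values, as an added example that is not part of the pull request or the project's code: two constructed runtime bugs (soft and hard swapped, limits applied to the wrong resource) are checked against the uniform 1024 fixture from the first revision and against the distinct values posted later in this thread. The `Rlimit` type and every function name are hypothetical, and the runtime is simulated instead of calling setrlimit(2).

```go
package main

import "fmt"

// Rlimit is one configured limit; the type and field names are hypothetical.
type Rlimit struct {
	Type       string
	Hard, Soft uint64
}

const gib uint64 = 1 << 30

// uniform: values from the first revision of the patch in this thread.
var uniform = []Rlimit{
	{"RLIMIT_CPU", 1024, 1024}, {"RLIMIT_DATA", 1024, 1024},
	{"RLIMIT_FSIZE", 1024, 1024}, {"RLIMIT_STACK", 1024, 1024},
}

// distinct: values from the snippet posted later in this thread.
var distinct = []Rlimit{
	{"RLIMIT_AS", 2 * gib, 1 * gib}, {"RLIMIT_CORE", 4 * gib, 3 * gib},
	{"RLIMIT_DATA", 6 * gib, 5 * gib}, {"RLIMIT_FSIZE", 8 * gib, 7 * gib},
	{"RLIMIT_STACK", 10 * gib, 9 * gib},
	{"RLIMIT_CPU", 120, 60},       // seconds
	{"RLIMIT_NOFILE", 4000, 3000}, // number of files
}

// applyCorrect models a runtime that applies every limit as configured.
func applyCorrect(cfg []Rlimit) map[string]Rlimit {
	out := map[string]Rlimit{}
	for _, r := range cfg {
		out[r.Type] = r
	}
	return out
}

// applySwapped is a constructed bug: soft and hard are exchanged.
func applySwapped(cfg []Rlimit) map[string]Rlimit {
	out := map[string]Rlimit{}
	for _, r := range cfg {
		out[r.Type] = Rlimit{r.Type, r.Soft, r.Hard}
	}
	return out
}

// applyRotated is a constructed bug: each resource receives the values
// configured for the next resource in the list.
func applyRotated(cfg []Rlimit) map[string]Rlimit {
	out := map[string]Rlimit{}
	for i, r := range cfg {
		next := cfg[(i+1)%len(cfg)]
		out[r.Type] = Rlimit{r.Type, next.Hard, next.Soft}
	}
	return out
}

// failures compares what the process got with the config, one soft and one
// hard check per resource, and returns the names of the checks that failed.
func failures(cfg []Rlimit, apply func([]Rlimit) map[string]Rlimit) []string {
	var bad []string
	got := apply(cfg)
	for _, want := range cfg {
		if got[want.Type].Soft != want.Soft {
			bad = append(bad, "soft "+want.Type)
		}
		if got[want.Type].Hard != want.Hard {
			bad = append(bad, "hard "+want.Type)
		}
	}
	return bad
}

// lintFixture flags fixture values that would hide a mix-up (equal or shared
// values) or that setrlimit(2) rejects (soft above hard).
func lintFixture(cfg []Rlimit) []string {
	var issues []string
	owner := map[uint64]string{} // value -> resource that last used it
	for _, r := range cfg {
		switch {
		case r.Soft > r.Hard:
			issues = append(issues, fmt.Sprintf("%s: soft %d exceeds hard %d", r.Type, r.Soft, r.Hard))
		case r.Soft == r.Hard:
			issues = append(issues, fmt.Sprintf("%s: soft equals hard (%d)", r.Type, r.Soft))
		}
		for _, v := range []uint64{r.Hard, r.Soft} {
			if o, ok := owner[v]; ok && o != r.Type {
				issues = append(issues, fmt.Sprintf("%s: value %d also used by %s", r.Type, v, o))
			}
			owner[v] = r.Type
		}
	}
	return issues
}

func main() {
	fmt.Println("uniform, swapped bug:", failures(uniform, applySwapped))
	fmt.Println("distinct, swapped bug:", len(failures(distinct, applySwapped)), "checks fail")
	fmt.Println("distinct, rotated bug:", len(failures(distinct, applyRotated)), "checks fail")
	fmt.Println("lint uniform:", lintFixture(uniform))
}
```
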

alban commented Apr 18, 2018

I'd prefer different values both for soft & hard limits, and between the different kinds of limits. I tried the following:

	var gigaBytes uint64 = 1024 * 1024 * 1024
	g.AddProcessRlimits("RLIMIT_AS", 2*gigaBytes, 1*gigaBytes)
	g.AddProcessRlimits("RLIMIT_CORE", 4*gigaBytes, 3*gigaBytes)
	g.AddProcessRlimits("RLIMIT_DATA", 6*gigaBytes, 5*gigaBytes)
	g.AddProcessRlimits("RLIMIT_FSIZE", 8*gigaBytes, 7*gigaBytes)
	g.AddProcessRlimits("RLIMIT_STACK", 10*gigaBytes, 9*gigaBytes)

	g.AddProcessRlimits("RLIMIT_CPU", 120, 60)       // seconds
	g.AddProcessRlimits("RLIMIT_NOFILE", 4000, 3000) // number of files

And it works with runc:

$ sudo validation/process_rlimits.t 
TAP version 13
ok 1 - has expected hostname
  ---
  {
    "actual": "mrsdalloway",
    "expected": "mrsdalloway"
  }
  ...
ok 2 - has expected working directory
  ---
  {
    "actual": "/",
    "expected": "/"
  }
  ...
ok 3 - has expected environment variable PATH
  ---
  {
    "actual": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    "expected": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    "variable": "PATH"
  }
  ...
ok 4 - has expected environment variable TERM
  ---
  {
    "actual": "xterm",
    "expected": "xterm",
    "variable": "TERM"
  }
  ...
ok 5 - mounts[0] (/proc) found in order
  ---
  {
    "config": {
      "destination": "/proc",
      "type": "proc",
      "source": "proc"
    },
    "earlier": {
      "config": {
        "destination": "/proc",
        "type": "proc",
        "source": "proc"
      },
      "indexConfig": 0,
      "indexSystem": 1
    },
    "indexConfig": 0,
    "indexSystem": 1,
    "level": "MUST",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#mounts"
  }
  ...
ok 6 - mounts[1] (/dev) found in order
  ---
  {
    "config": {
      "destination": "/dev",
      "type": "tmpfs",
      "source": "tmpfs",
      "options": [
        "nosuid",
        "strictatime",
        "mode=755",
        "size=65536k"
      ]
    },
    "earlier": {
      "config": {
        "destination": "/dev",
        "type": "tmpfs",
        "source": "tmpfs",
        "options": [
          "nosuid",
          "strictatime",
          "mode=755",
          "size=65536k"
        ]
      },
      "indexConfig": 1,
      "indexSystem": 2
    },
    "indexConfig": 1,
    "indexSystem": 2,
    "level": "MUST",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#mounts"
  }
  ...
ok 7 - mounts[2] (/dev/pts) found in order
  ---
  {
    "config": {
      "destination": "/dev/pts",
      "type": "devpts",
      "source": "devpts",
      "options": [
        "nosuid",
        "noexec",
        "newinstance",
        "ptmxmode=0666",
        "mode=0620",
        "gid=5"
      ]
    },
    "earlier": {
      "config": {
        "destination": "/dev/pts",
        "type": "devpts",
        "source": "devpts",
        "options": [
          "nosuid",
          "noexec",
          "newinstance",
          "ptmxmode=0666",
          "mode=0620",
          "gid=5"
        ]
      },
      "indexConfig": 2,
      "indexSystem": 3
    },
    "indexConfig": 2,
    "indexSystem": 3,
    "level": "MUST",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#mounts"
  }
  ...
ok 8 - mounts[3] (/dev/shm) found in order
  ---
  {
    "config": {
      "destination": "/dev/shm",
      "type": "tmpfs",
      "source": "shm",
      "options": [
        "nosuid",
        "noexec",
        "nodev",
        "mode=1777",
        "size=65536k"
      ]
    },
    "earlier": {
      "config": {
        "destination": "/dev/shm",
        "type": "tmpfs",
        "source": "shm",
        "options": [
          "nosuid",
          "noexec",
          "nodev",
          "mode=1777",
          "size=65536k"
        ]
      },
      "indexConfig": 3,
      "indexSystem": 4
    },
    "indexConfig": 3,
    "indexSystem": 4,
    "level": "MUST",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#mounts"
  }
  ...
ok 9 - mounts[4] (/dev/mqueue) found in order
  ---
  {
    "config": {
      "destination": "/dev/mqueue",
      "type": "mqueue",
      "source": "mqueue",
      "options": [
        "nosuid",
        "noexec",
        "nodev"
      ]
    },
    "earlier": {
      "config": {
        "destination": "/dev/mqueue",
        "type": "mqueue",
        "source": "mqueue",
        "options": [
          "nosuid",
          "noexec",
          "nodev"
        ]
      },
      "indexConfig": 4,
      "indexSystem": 5
    },
    "indexConfig": 4,
    "indexSystem": 5,
    "level": "MUST",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#mounts"
  }
  ...
ok 10 - mounts[5] (/sys) found in order
  ---
  {
    "config": {
      "destination": "/sys",
      "type": "sysfs",
      "source": "sysfs",
      "options": [
        "nosuid",
        "noexec",
        "nodev",
        "ro"
      ]
    },
    "earlier": {
      "config": {
        "destination": "/sys",
        "type": "sysfs",
        "source": "sysfs",
        "options": [
          "nosuid",
          "noexec",
          "nodev",
          "ro"
        ]
      },
      "indexConfig": 5,
      "indexSystem": 6
    },
    "indexConfig": 5,
    "indexSystem": 6,
    "level": "MUST",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#mounts"
  }
  ...
ok 11 - has expected user ID
  ---
  {
    "actual": 0,
    "expected": 0
  }
  ...
ok 12 - has expected group ID
  ---
  {
    "actual": 0,
    "expected": 0
  }
  ...
ok 13 - has expected soft RLIMIT_NOFILE
  ---
  {
    "actual": 3000,
    "expected": 3000,
    "level": "MUST",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#posix-process",
    "type": "RLIMIT_NOFILE"
  }
  ...
ok 14 - has expected hard RLIMIT_NOFILE
  ---
  {
    "actual": 4000,
    "expected": 4000,
    "level": "MUST",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#posix-process",
    "type": "RLIMIT_NOFILE"
  }
  ...
ok 15 - has expected soft RLIMIT_AS
  ---
  {
    "actual": 1073741824,
    "expected": 1073741824,
    "level": "MUST",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#posix-process",
    "type": "RLIMIT_AS"
  }
  ...
ok 16 - has expected hard RLIMIT_AS
  ---
  {
    "actual": 2147483648,
    "expected": 2147483648,
    "level": "MUST",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#posix-process",
    "type": "RLIMIT_AS"
  }
  ...
ok 17 - has expected soft RLIMIT_CORE
  ---
  {
    "actual": 3221225472,
    "expected": 3221225472,
    "level": "MUST",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#posix-process",
    "type": "RLIMIT_CORE"
  }
  ...
ok 18 - has expected hard RLIMIT_CORE
  ---
  {
    "actual": 4294967296,
    "expected": 4294967296,
    "level": "MUST",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#posix-process",
    "type": "RLIMIT_CORE"
  }
  ...
ok 19 - has expected soft RLIMIT_DATA
  ---
  {
    "actual": 5368709120,
    "expected": 5368709120,
    "level": "MUST",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#posix-process",
    "type": "RLIMIT_DATA"
  }
  ...
ok 20 - has expected hard RLIMIT_DATA
  ---
  {
    "actual": 6442450944,
    "expected": 6442450944,
    "level": "MUST",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#posix-process",
    "type": "RLIMIT_DATA"
  }
  ...
ok 21 - has expected soft RLIMIT_FSIZE
  ---
  {
    "actual": 7516192768,
    "expected": 7516192768,
    "level": "MUST",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#posix-process",
    "type": "RLIMIT_FSIZE"
  }
  ...
ok 22 - has expected hard RLIMIT_FSIZE
  ---
  {
    "actual": 8589934592,
    "expected": 8589934592,
    "level": "MUST",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#posix-process",
    "type": "RLIMIT_FSIZE"
  }
  ...
ok 23 - has expected soft RLIMIT_STACK
  ---
  {
    "actual": 9663676416,
    "expected": 9663676416,
    "level": "MUST",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#posix-process",
    "type": "RLIMIT_STACK"
  }
  ...
ok 24 - has expected hard RLIMIT_STACK
  ---
  {
    "actual": 10737418240,
    "expected": 10737418240,
    "level": "MUST",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#posix-process",
    "type": "RLIMIT_STACK"
  }
  ...
ok 25 - has expected soft RLIMIT_CPU
  ---
  {
    "actual": 60,
    "expected": 60,
    "level": "MUST",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#posix-process",
    "type": "RLIMIT_CPU"
  }
  ...
ok 26 - has expected hard RLIMIT_CPU
  ---
  {
    "actual": 120,
    "expected": 120,
    "level": "MUST",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#posix-process",
    "type": "RLIMIT_CPU"
  }
  ...
ok 27 - expected bounding capability CAP_CHOWN set
ok 28 - expected bounding capability CAP_DAC_OVERRIDE set
ok 29 - unexpected bounding capability CAP_DAC_READ_SEARCH not set
ok 30 - expected bounding capability CAP_FOWNER set
ok 31 - expected bounding capability CAP_FSETID set
ok 32 - expected bounding capability CAP_KILL set
ok 33 - expected bounding capability CAP_SETGID set
ok 34 - expected bounding capability CAP_SETUID set
ok 35 - expected bounding capability CAP_SETPCAP set
ok 36 - unexpected bounding capability CAP_LINUX_IMMUTABLE not set
ok 37 - expected bounding capability CAP_NET_BIND_SERVICE set
ok 38 - unexpected bounding capability CAP_NET_BROADCAST not set
ok 39 - unexpected bounding capability CAP_NET_ADMIN not set
ok 40 - expected bounding capability CAP_NET_RAW set
ok 41 - unexpected bounding capability CAP_IPC_LOCK not set
ok 42 - unexpected bounding capability CAP_IPC_OWNER not set
ok 43 - unexpected bounding capability CAP_SYS_MODULE not set
ok 44 - unexpected bounding capability CAP_SYS_RAWIO not set
ok 45 - expected bounding capability CAP_SYS_CHROOT set
ok 46 - unexpected bounding capability CAP_SYS_PTRACE not set
ok 47 - unexpected bounding capability CAP_SYS_PACCT not set
ok 48 - unexpected bounding capability CAP_SYS_ADMIN not set
ok 49 - unexpected bounding capability CAP_SYS_BOOT not set
ok 50 - unexpected bounding capability CAP_SYS_NICE not set
ok 51 - unexpected bounding capability CAP_SYS_RESOURCE not set
ok 52 - unexpected bounding capability CAP_SYS_TIME not set
ok 53 - unexpected bounding capability CAP_SYS_TTY_CONFIG not set
ok 54 - expected bounding capability CAP_MKNOD set
ok 55 - unexpected bounding capability CAP_LEASE not set
ok 56 - expected bounding capability CAP_AUDIT_WRITE set
ok 57 - unexpected bounding capability CAP_AUDIT_CONTROL not set
ok 58 - expected bounding capability CAP_SETFCAP set
ok 59 - unexpected bounding capability CAP_MAC_OVERRIDE not set
ok 60 - unexpected bounding capability CAP_MAC_ADMIN not set
ok 61 - unexpected bounding capability CAP_SYSLOG not set
ok 62 - unexpected bounding capability CAP_WAKE_ALARM not set
ok 63 - unexpected bounding capability CAP_BLOCK_SUSPEND not set
ok 64 - unexpected bounding capability CAP_AUDIT_READ not set
ok 65 - expected effective capability CAP_CHOWN set
ok 66 - expected effective capability CAP_DAC_OVERRIDE set
ok 67 - unexpected effective capability CAP_DAC_READ_SEARCH not set
ok 68 - expected effective capability CAP_FOWNER set
ok 69 - expected effective capability CAP_FSETID set
ok 70 - expected effective capability CAP_KILL set
ok 71 - expected effective capability CAP_SETGID set
ok 72 - expected effective capability CAP_SETUID set
ok 73 - expected effective capability CAP_SETPCAP set
ok 74 - unexpected effective capability CAP_LINUX_IMMUTABLE not set
ok 75 - expected effective capability CAP_NET_BIND_SERVICE set
ok 76 - unexpected effective capability CAP_NET_BROADCAST not set
ok 77 - unexpected effective capability CAP_NET_ADMIN not set
ok 78 - expected effective capability CAP_NET_RAW set
ok 79 - unexpected effective capability CAP_IPC_LOCK not set
ok 80 - unexpected effective capability CAP_IPC_OWNER not set
ok 81 - unexpected effective capability CAP_SYS_MODULE not set
ok 82 - unexpected effective capability CAP_SYS_RAWIO not set
ok 83 - expected effective capability CAP_SYS_CHROOT set
ok 84 - unexpected effective capability CAP_SYS_PTRACE not set
ok 85 - unexpected effective capability CAP_SYS_PACCT not set
ok 86 - unexpected effective capability CAP_SYS_ADMIN not set
ok 87 - unexpected effective capability CAP_SYS_BOOT not set
ok 88 - unexpected effective capability CAP_SYS_NICE not set
ok 89 - unexpected effective capability CAP_SYS_RESOURCE not set
ok 90 - unexpected effective capability CAP_SYS_TIME not set
ok 91 - unexpected effective capability CAP_SYS_TTY_CONFIG not set
ok 92 - expected effective capability CAP_MKNOD set
ok 93 - unexpected effective capability CAP_LEASE not set
ok 94 - expected effective capability CAP_AUDIT_WRITE set
ok 95 - unexpected effective capability CAP_AUDIT_CONTROL not set
ok 96 - expected effective capability CAP_SETFCAP set
ok 97 - unexpected effective capability CAP_MAC_OVERRIDE not set
ok 98 - unexpected effective capability CAP_MAC_ADMIN not set
ok 99 - unexpected effective capability CAP_SYSLOG not set
ok 100 - unexpected effective capability CAP_WAKE_ALARM not set
ok 101 - unexpected effective capability CAP_BLOCK_SUSPEND not set
ok 102 - unexpected effective capability CAP_AUDIT_READ not set
ok 103 - expected inheritable capability CAP_CHOWN set
ok 104 - expected inheritable capability CAP_DAC_OVERRIDE set
ok 105 - unexpected inheritable capability CAP_DAC_READ_SEARCH not set
ok 106 - expected inheritable capability CAP_FOWNER set
ok 107 - expected inheritable capability CAP_FSETID set
ok 108 - expected inheritable capability CAP_KILL set
ok 109 - expected inheritable capability CAP_SETGID set
ok 110 - expected inheritable capability CAP_SETUID set
ok 111 - expected inheritable capability CAP_SETPCAP set
ok 112 - unexpected inheritable capability CAP_LINUX_IMMUTABLE not set
ok 113 - expected inheritable capability CAP_NET_BIND_SERVICE set
ok 114 - unexpected inheritable capability CAP_NET_BROADCAST not set
ok 115 - unexpected inheritable capability CAP_NET_ADMIN not set
ok 116 - expected inheritable capability CAP_NET_RAW set
ok 117 - unexpected inheritable capability CAP_IPC_LOCK not set
ok 118 - unexpected inheritable capability CAP_IPC_OWNER not set
ok 119 - unexpected inheritable capability CAP_SYS_MODULE not set
ok 120 - unexpected inheritable capability CAP_SYS_RAWIO not set
ok 121 - expected inheritable capability CAP_SYS_CHROOT set
ok 122 - unexpected inheritable capability CAP_SYS_PTRACE not set
ok 123 - unexpected inheritable capability CAP_SYS_PACCT not set
ok 124 - unexpected inheritable capability CAP_SYS_ADMIN not set
ok 125 - unexpected inheritable capability CAP_SYS_BOOT not set
ok 126 - unexpected inheritable capability CAP_SYS_NICE not set
ok 127 - unexpected inheritable capability CAP_SYS_RESOURCE not set
ok 128 - unexpected inheritable capability CAP_SYS_TIME not set
ok 129 - unexpected inheritable capability CAP_SYS_TTY_CONFIG not set
ok 130 - expected inheritable capability CAP_MKNOD set
ok 131 - unexpected inheritable capability CAP_LEASE not set
ok 132 - expected inheritable capability CAP_AUDIT_WRITE set
ok 133 - unexpected inheritable capability CAP_AUDIT_CONTROL not set
ok 134 - expected inheritable capability CAP_SETFCAP set
ok 135 - unexpected inheritable capability CAP_MAC_OVERRIDE not set
ok 136 - unexpected inheritable capability CAP_MAC_ADMIN not set
ok 137 - unexpected inheritable capability CAP_SYSLOG not set
ok 138 - unexpected inheritable capability CAP_WAKE_ALARM not set
ok 139 - unexpected inheritable capability CAP_BLOCK_SUSPEND not set
ok 140 - unexpected inheritable capability CAP_AUDIT_READ not set
ok 141 - expected permitted capability CAP_CHOWN set
ok 142 - expected permitted capability CAP_DAC_OVERRIDE set
ok 143 - unexpected permitted capability CAP_DAC_READ_SEARCH not set
ok 144 - expected permitted capability CAP_FOWNER set
ok 145 - expected permitted capability CAP_FSETID set
ok 146 - expected permitted capability CAP_KILL set
ok 147 - expected permitted capability CAP_SETGID set
ok 148 - expected permitted capability CAP_SETUID set
ok 149 - expected permitted capability CAP_SETPCAP set
ok 150 - unexpected permitted capability CAP_LINUX_IMMUTABLE not set
ok 151 - expected permitted capability CAP_NET_BIND_SERVICE set
ok 152 - unexpected permitted capability CAP_NET_BROADCAST not set
ok 153 - unexpected permitted capability CAP_NET_ADMIN not set
ok 154 - expected permitted capability CAP_NET_RAW set
ok 155 - unexpected permitted capability CAP_IPC_LOCK not set
ok 156 - unexpected permitted capability CAP_IPC_OWNER not set
ok 157 - unexpected permitted capability CAP_SYS_MODULE not set
ok 158 - unexpected permitted capability CAP_SYS_RAWIO not set
ok 159 - expected permitted capability CAP_SYS_CHROOT set
ok 160 - unexpected permitted capability CAP_SYS_PTRACE not set
ok 161 - unexpected permitted capability CAP_SYS_PACCT not set
ok 162 - unexpected permitted capability CAP_SYS_ADMIN not set
ok 163 - unexpected permitted capability CAP_SYS_BOOT not set
ok 164 - unexpected permitted capability CAP_SYS_NICE not set
ok 165 - unexpected permitted capability CAP_SYS_RESOURCE not set
ok 166 - unexpected permitted capability CAP_SYS_TIME not set
ok 167 - unexpected permitted capability CAP_SYS_TTY_CONFIG not set
ok 168 - expected permitted capability CAP_MKNOD set
ok 169 - unexpected permitted capability CAP_LEASE not set
ok 170 - expected permitted capability CAP_AUDIT_WRITE set
ok 171 - unexpected permitted capability CAP_AUDIT_CONTROL not set
ok 172 - expected permitted capability CAP_SETFCAP set
ok 173 - unexpected permitted capability CAP_MAC_OVERRIDE not set
ok 174 - unexpected permitted capability CAP_MAC_ADMIN not set
ok 175 - unexpected permitted capability CAP_SYSLOG not set
ok 176 - unexpected permitted capability CAP_WAKE_ALARM not set
ok 177 - unexpected permitted capability CAP_BLOCK_SUSPEND not set
ok 178 - unexpected permitted capability CAP_AUDIT_READ not set
ok 179 - expected ambient capability CAP_CHOWN set
ok 180 - expected ambient capability CAP_DAC_OVERRIDE set
ok 181 - unexpected ambient capability CAP_DAC_READ_SEARCH not set
ok 182 - expected ambient capability CAP_FOWNER set
ok 183 - expected ambient capability CAP_FSETID set
ok 184 - expected ambient capability CAP_KILL set
ok 185 - expected ambient capability CAP_SETGID set
ok 186 - expected ambient capability CAP_SETUID set
ok 187 - expected ambient capability CAP_SETPCAP set
ok 188 - unexpected ambient capability CAP_LINUX_IMMUTABLE not set
ok 189 - expected ambient capability CAP_NET_BIND_SERVICE set
ok 190 - unexpected ambient capability CAP_NET_BROADCAST not set
ok 191 - unexpected ambient capability CAP_NET_ADMIN not set
ok 192 - expected ambient capability CAP_NET_RAW set
ok 193 - unexpected ambient capability CAP_IPC_LOCK not set
ok 194 - unexpected ambient capability CAP_IPC_OWNER not set
ok 195 - unexpected ambient capability CAP_SYS_MODULE not set
ok 196 - unexpected ambient capability CAP_SYS_RAWIO not set
ok 197 - expected ambient capability CAP_SYS_CHROOT set
ok 198 - unexpected ambient capability CAP_SYS_PTRACE not set
ok 199 - unexpected ambient capability CAP_SYS_PACCT not set
ok 200 - unexpected ambient capability CAP_SYS_ADMIN not set
ok 201 - unexpected ambient capability CAP_SYS_BOOT not set
ok 202 - unexpected ambient capability CAP_SYS_NICE not set
ok 203 - unexpected ambient capability CAP_SYS_RESOURCE not set
ok 204 - unexpected ambient capability CAP_SYS_TIME not set
ok 205 - unexpected ambient capability CAP_SYS_TTY_CONFIG not set
ok 206 - expected ambient capability CAP_MKNOD set
ok 207 - unexpected ambient capability CAP_LEASE not set
ok 208 - expected ambient capability CAP_AUDIT_WRITE set
ok 209 - unexpected ambient capability CAP_AUDIT_CONTROL not set
ok 210 - expected ambient capability CAP_SETFCAP set
ok 211 - unexpected ambient capability CAP_MAC_OVERRIDE not set
ok 212 - unexpected ambient capability CAP_MAC_ADMIN not set
ok 213 - unexpected ambient capability CAP_SYSLOG not set
ok 214 - unexpected ambient capability CAP_WAKE_ALARM not set
ok 215 - unexpected ambient capability CAP_BLOCK_SUSPEND not set
ok 216 - unexpected ambient capability CAP_AUDIT_READ not set
ok 217 - has a file at default symlink path "/dev/stdin"
  ---
  {
    "level": "MUST",
    "path": "/dev/stdin",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/runtime-linux.md#dev-symbolic-links"
  }
  ...
ok 218 - file at default symlink path "/dev/stdin" is a symlink
  ---
  {
    "level": "MUST",
    "mode": 134218239,
    "path": "/dev/stdin",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/runtime-linux.md#dev-symbolic-links"
  }
  ...
ok 219 - symlink at default symlink path "/dev/stdin" has the expected target
  ---
  {
    "actual": "/proc/self/fd/0",
    "expected": "/proc/self/fd/0",
    "level": "MUST",
    "path": "/dev/stdin",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/runtime-linux.md#dev-symbolic-links"
  }
  ...
ok 220 - has a file at default symlink path "/dev/stdout"
  ---
  {
    "level": "MUST",
    "path": "/dev/stdout",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/runtime-linux.md#dev-symbolic-links"
  }
  ...
ok 221 - file at default symlink path "/dev/stdout" is a symlink
  ---
  {
    "level": "MUST",
    "mode": 134218239,
    "path": "/dev/stdout",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/runtime-linux.md#dev-symbolic-links"
  }
  ...
ok 222 - symlink at default symlink path "/dev/stdout" has the expected target
  ---
  {
    "actual": "/proc/self/fd/1",
    "expected": "/proc/self/fd/1",
    "level": "MUST",
    "path": "/dev/stdout",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/runtime-linux.md#dev-symbolic-links"
  }
  ...
ok 223 - has a file at default symlink path "/dev/stderr"
  ---
  {
    "level": "MUST",
    "path": "/dev/stderr",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/runtime-linux.md#dev-symbolic-links"
  }
  ...
ok 224 - file at default symlink path "/dev/stderr" is a symlink
  ---
  {
    "level": "MUST",
    "mode": 134218239,
    "path": "/dev/stderr",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/runtime-linux.md#dev-symbolic-links"
  }
  ...
ok 225 - symlink at default symlink path "/dev/stderr" has the expected target
  ---
  {
    "actual": "/proc/self/fd/2",
    "expected": "/proc/self/fd/2",
    "level": "MUST",
    "path": "/dev/stderr",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/runtime-linux.md#dev-symbolic-links"
  }
  ...
ok 226 - has a file at default symlink path "/dev/fd"
  ---
  {
    "level": "MUST",
    "path": "/dev/fd",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/runtime-linux.md#dev-symbolic-links"
  }
  ...
ok 227 - file at default symlink path "/dev/fd" is a symlink
  ---
  {
    "level": "MUST",
    "mode": 134218239,
    "path": "/dev/fd",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/runtime-linux.md#dev-symbolic-links"
  }
  ...
ok 228 - symlink at default symlink path "/dev/fd" has the expected target
  ---
  {
    "actual": "/proc/self/fd",
    "expected": "/proc/self/fd",
    "level": "MUST",
    "path": "/dev/fd",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/runtime-linux.md#dev-symbolic-links"
  }
  ...
ok 229 - mount /dev/shm has expected type
  ---
  {
    "actual": "tmpfs",
    "expected": "tmpfs",
    "level": "SHOULD",
    "mount": "/dev/shm",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-filesystems"
  }
  ...
ok 230 - mount /proc has expected type
  ---
  {
    "actual": "proc",
    "expected": "proc",
    "level": "SHOULD",
    "mount": "/proc",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-filesystems"
  }
  ...
ok 231 - mount /sys has expected type
  ---
  {
    "actual": "sysfs",
    "expected": "sysfs",
    "level": "SHOULD",
    "mount": "/sys",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-filesystems"
  }
  ...
ok 232 - mount /dev/pts has expected type
  ---
  {
    "actual": "devpts",
    "expected": "devpts",
    "level": "SHOULD",
    "mount": "/dev/pts",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-filesystems"
  }
  ...
ok 233 - has a file at /dev/null (default device)
  ---
  {
    "level": "MUST",
    "path": "/dev/null",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 234 - /dev/null (default device) has the expected type
  ---
  {
    "actual": "c",
    "expected": "c",
    "level": "MUST",
    "path": "/dev/null",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 235 - /dev/null (default device) has the expected major ID
  ---
  {
    "actual": 1,
    "expected": 1,
    "level": "MUST",
    "path": "/dev/null",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 236 - /dev/null (default device) has the expected minor ID
  ---
  {
    "actual": 3,
    "expected": 3,
    "level": "MUST",
    "path": "/dev/null",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 237 # SKIP /dev/null (default device) has unconfigured permissions
ok 238 # SKIP /dev/null (default device) has an unconfigured user ID
ok 239 # SKIP /dev/null (default device) has an unconfigured group ID
ok 240 - has a file at /dev/zero (default device)
  ---
  {
    "level": "MUST",
    "path": "/dev/zero",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 241 - /dev/zero (default device) has the expected type
  ---
  {
    "actual": "c",
    "expected": "c",
    "level": "MUST",
    "path": "/dev/zero",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 242 - /dev/zero (default device) has the expected major ID
  ---
  {
    "actual": 1,
    "expected": 1,
    "level": "MUST",
    "path": "/dev/zero",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 243 - /dev/zero (default device) has the expected minor ID
  ---
  {
    "actual": 5,
    "expected": 5,
    "level": "MUST",
    "path": "/dev/zero",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 244 # SKIP /dev/zero (default device) has unconfigured permissions
ok 245 # SKIP /dev/zero (default device) has an unconfigured user ID
ok 246 # SKIP /dev/zero (default device) has an unconfigured group ID
ok 247 - has a file at /dev/full (default device)
  ---
  {
    "level": "MUST",
    "path": "/dev/full",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 248 - /dev/full (default device) has the expected type
  ---
  {
    "actual": "c",
    "expected": "c",
    "level": "MUST",
    "path": "/dev/full",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 249 - /dev/full (default device) has the expected major ID
  ---
  {
    "actual": 1,
    "expected": 1,
    "level": "MUST",
    "path": "/dev/full",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 250 - /dev/full (default device) has the expected minor ID
  ---
  {
    "actual": 7,
    "expected": 7,
    "level": "MUST",
    "path": "/dev/full",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 251 # SKIP /dev/full (default device) has unconfigured permissions
ok 252 # SKIP /dev/full (default device) has an unconfigured user ID
ok 253 # SKIP /dev/full (default device) has an unconfigured group ID
ok 254 - has a file at /dev/random (default device)
  ---
  {
    "level": "MUST",
    "path": "/dev/random",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 255 - /dev/random (default device) has the expected type
  ---
  {
    "actual": "c",
    "expected": "c",
    "level": "MUST",
    "path": "/dev/random",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 256 - /dev/random (default device) has the expected major ID
  ---
  {
    "actual": 1,
    "expected": 1,
    "level": "MUST",
    "path": "/dev/random",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 257 - /dev/random (default device) has the expected minor ID
  ---
  {
    "actual": 8,
    "expected": 8,
    "level": "MUST",
    "path": "/dev/random",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 258 # SKIP /dev/random (default device) has unconfigured permissions
ok 259 # SKIP /dev/random (default device) has an unconfigured user ID
ok 260 # SKIP /dev/random (default device) has an unconfigured group ID
ok 261 - has a file at /dev/urandom (default device)
  ---
  {
    "level": "MUST",
    "path": "/dev/urandom",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 262 - /dev/urandom (default device) has the expected type
  ---
  {
    "actual": "c",
    "expected": "c",
    "level": "MUST",
    "path": "/dev/urandom",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 263 - /dev/urandom (default device) has the expected major ID
  ---
  {
    "actual": 1,
    "expected": 1,
    "level": "MUST",
    "path": "/dev/urandom",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 264 - /dev/urandom (default device) has the expected minor ID
  ---
  {
    "actual": 9,
    "expected": 9,
    "level": "MUST",
    "path": "/dev/urandom",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 265 # SKIP /dev/urandom (default device) has unconfigured permissions
ok 266 # SKIP /dev/urandom (default device) has an unconfigured user ID
ok 267 # SKIP /dev/urandom (default device) has an unconfigured group ID
ok 268 - has a file at /dev/tty (default device)
  ---
  {
    "level": "MUST",
    "path": "/dev/tty",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 269 - /dev/tty (default device) has the expected type
  ---
  {
    "actual": "c",
    "expected": "c",
    "level": "MUST",
    "path": "/dev/tty",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 270 - /dev/tty (default device) has the expected major ID
  ---
  {
    "actual": 5,
    "expected": 5,
    "level": "MUST",
    "path": "/dev/tty",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 271 - /dev/tty (default device) has the expected minor ID
  ---
  {
    "actual": 0,
    "expected": 0,
    "level": "MUST",
    "path": "/dev/tty",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 272 # SKIP /dev/tty (default device) has unconfigured permissions
ok 273 # SKIP /dev/tty (default device) has an unconfigured user ID
ok 274 # SKIP /dev/tty (default device) has an unconfigured group ID
ok 275 - has a file at /dev/ptmx (default device)
  ---
  {
    "level": "MUST",
    "path": "/dev/ptmx",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 276 - /dev/ptmx (default device) has the expected type
  ---
  {
    "actual": "c",
    "expected": "c",
    "level": "MUST",
    "path": "/dev/ptmx",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 277 - /dev/ptmx (default device) has the expected major ID
  ---
  {
    "actual": 5,
    "expected": 5,
    "level": "MUST",
    "path": "/dev/ptmx",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 278 - /dev/ptmx (default device) has the expected minor ID
  ---
  {
    "actual": 2,
    "expected": 2,
    "level": "MUST",
    "path": "/dev/ptmx",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#default-devices"
  }
  ...
ok 279 # SKIP /dev/ptmx (default device) has unconfigured permissions
ok 280 # SKIP /dev/ptmx (default device) has an unconfigured user ID
ok 281 # SKIP /dev/ptmx (default device) has an unconfigured group ID
ok 282 # SKIP linux.devices is not set
ok 283 - has expected number of process arguments
  ---
  {
    "actual": [
      "L3J1bnRpbWV0ZXN0",
      "LS1wYXRoPS8="
    ],
    "expected": [
      "/runtimetest",
      "--path=/"
    ]
  }
  ...
ok 284 - has expected process argument 0
  ---
  {
    "actual": "/runtimetest",
    "expected": "/runtimetest",
    "index": 0
  }
  ...
ok 285 - has expected process argument 1
  ---
  {
    "actual": "--path=/",
    "expected": "--path=/",
    "index": 1
  }
  ...
ok 286 - has expected noNewPrivileges
ok 287 # SKIP linux.maskedPaths not set
ok 288 # SKIP process.oomScoreAdj not set
ok 289 # SKIP syscall action SCMP_ACT_ALLOW
ok 290 # SKIP syscall action SCMP_ACT_ALLOW
ok 291 # SKIP syscall action SCMP_ACT_ALLOW
ok 292 # SKIP syscall action SCMP_ACT_ALLOW
ok 293 # SKIP syscall action SCMP_ACT_ALLOW
ok 294 # SKIP syscall action SCMP_ACT_ALLOW
ok 295 # SKIP linux.readonlyPaths not set
ok 296 # SKIP linux.rootfsPropagation not set
ok 297 # SKIP linux.sysctl not set
ok 298 # SKIP linux.uidMappings not set
ok 299 # SKIP linux.gidMappings not set
1..299

Test all getrlimit(3) values.

Signed-off-by: Zhou Hao <[email protected]>
@zhouhao3
Author

@alban updated, thanks for your suggestion.

@liangchenye
Member

liangchenye commented Apr 19, 2018

LGTM

Approved with PullApprove

@liangchenye liangchenye merged commit 026b88e into opencontainers:master Apr 19, 2018
@zhouhao3 zhouhao3 deleted the rlimit-test branch April 20, 2018 01:07