From: Thomas Haller <thaller@redhat.com>
To: NetFilter <netfilter-devel@vger.kernel.org>
Cc: Thomas Haller <thaller@redhat.com>
Subject: [PATCH nft] tests/shell: allow running tests as non-root users
Date: Wed, 30 Aug 2023 13:31:48 +0200 [thread overview]
Message-ID: <20230830113153.877968-1-thaller@redhat.com> (raw)
Allow to opt-out from the have-real-root check via
NFT_TEST_ROOTLESS=1 ./run-tests.sh
For that to be useful, we must also unshare the PID and user namespace
and map the root user inside that namespace.
With that, inside the namespace we look like root. Including having
CAP_NET_ADMIN for the new net namespace. This allows to run the tests as
rootless and most tests will pass.
Note that some tests will fail as rootless. For example, the socket
buffers are limited by /proc/sys/net/core/{wmem_max,rmem_max}, which is
not namespaced. When running as real-root, nftables can raise them
beyond those limits and the tests will pass. Rootless cannot do that and
the test may fail.
Test that don't work without real root should check for
[ "$NFT_TEST_HAVE_REALROOT" != 1 ] and skip gracefully.
Signed-off-by: Thomas Haller <thaller@redhat.com>
---
tests/shell/run-tests.sh | 57 +++++++++++++++++++++++++++++++---------
1 file changed, 45 insertions(+), 12 deletions(-)
diff --git a/tests/shell/run-tests.sh b/tests/shell/run-tests.sh
index b66ef4fa4d1f..96dd0b0c2fd6 100755
--- a/tests/shell/run-tests.sh
+++ b/tests/shell/run-tests.sh
@@ -1,9 +1,18 @@
#!/bin/bash
-# Configuration
-TESTDIR="./$(dirname $0)/testcases"
-SRC_NFT="$(dirname $0)/../../src/nft"
-DIFF=$(which diff)
+# Environment variables for the user:
+# NFT=<path> Path to the nft executable.
+# NFT_TEST_ROOTLESS=0|1: Whether the test allows to run as rootless. Usually the test
+# will require real root permissions. You can set NFT_TEST_ROOTLESS=1
+# to run rootless in a separate namespace.
+# NFT_TEST_HAVE_REALROOT=0|1: To indicate whether the test has real root permissions.
+# Usually, you don't need this and it gets autodetected.
+# Note that without real root, certain tests may not work.
+# For example, due to limited /proc/sys/net/core/{wmem_max,rmem_max}.
+# Such test should check for [ "$NFT_TEST_HAVE_REALROOT" != 1 ] and
+# skip (not fail) in such an environment.
+# NFT_TEST_NO_UNSHARE=0|1: Usually, the test will run in a separate namespace.
+# You can opt-out from that by setting NFT_TEST_NO_UNSHARE=1.
msg_error() {
echo "E: $1 ..." >&2
@@ -18,18 +27,42 @@ msg_info() {
echo "I: $1"
}
-if [ "$(id -u)" != "0" ] ; then
+if [ "$NFT_TEST_HAVE_REALROOT" = "" ] ; then
+ # The caller can set NFT_TEST_HAVE_REALROOT to indicate us whether we
+ # have real root. They usually don't need, and we detect it now based
+ # on `id -u`. Note that we may unshare below, so the check inside the
+ # new namespace won't be conclusive. We thus only detect once and export
+ # the result.
+ export NFT_TEST_HAVE_REALROOT="$(test "$(id -u)" = "0" && echo 1 || echo 0)"
+fi
+
+if [ "$NFT_TEST_HAVE_REALROOT" != 1 -a "$NFT_TEST_ROOTLESS" != 1 ] ; then
+ # By default, we require real-root, unless the user explicitly opts-in
+ # to proceed via NFT_TEST_ROOTLESS=1.
msg_error "this requires root!"
fi
-if [ "${1}" != "run" ]; then
- if unshare -f -n true; then
- unshare -n "${0}" run $@
- exit $?
- fi
- msg_warn "cannot run in own namespace, connectivity might break"
+if [ "$NFT_TEST_NO_UNSHARE" = 1 ]; then
+ # The user opts-out from unshare. Proceed without.
+ :
+elif [ "$_NFT_TEST_IS_UNSHARED" = 1 ]; then
+ # We are inside the unshared environment. Don't unshare again.
+ # Continue.
+ :
+else
+ # Unshare. This works both as rootless and with real root. Inside
+ # the user namespace we will map the root user, so we appear to have
+ # root. Check for [ "$NFT_TEST_HAVE_REALROOT" != 1 ] to know when
+ # not having real root.
+ export _NFT_TEST_IS_UNSHARED=1
+ unshare -f --map-root-user -U -p -n "$0" "$@"
+ exit $?
fi
-shift
+
+# Configuration
+TESTDIR="./$(dirname $0)/testcases"
+SRC_NFT="$(dirname $0)/../../src/nft"
+DIFF=$(which diff)
[ -z "$NFT" ] && NFT=$SRC_NFT
${NFT} > /dev/null 2>&1
--
2.41.0
next reply other threads:[~2023-08-30 18:44 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-30 11:31 Thomas Haller [this message]
2023-08-31 16:08 ` [PATCH nft] tests/shell: allow running tests as non-root users Florian Westphal
2023-08-31 17:26 ` Thomas Haller
2023-08-31 18:18 ` Florian Westphal
2023-09-01 14:56 ` Thomas Haller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230830113153.877968-1-thaller@redhat.com \
--to=thaller@redhat.com \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).