containers / bubblewrap

Low-level unprivileged sandboxing tool used by Flatpak and similar projects

some tests fail in an LXC environment where some but not all capabilities are available #352

Open kloczek opened 4 years ago

kloczek commented 4 years ago
``` + /usr/bin/make -O -j48 V=1 VERBOSE=1 check -j1 /usr/bin/make test-bwrap make[1]: Entering directory '/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0' rm -rf test-bwrap cp bwrap test-bwrap make[1]: Leaving directory '/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0' /usr/bin/make check-TESTS make[1]: Entering directory '/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0' make[2]: Entering directory '/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0' PASS: tests/test-run.sh 1 - Help works SKIP: tests/test-run.sh 2 # SKIP no FUSE support PASS: tests/test-run.sh 3 - can mount /proc with PASS: tests/test-run.sh 4 - can unshare network, create new /dev with PASS: tests/test-run.sh 5 - cannot read /etc/shadow with PASS: tests/test-run.sh 6 - cannot read /root/.bashrc with PASS: tests/test-run.sh 7 - can bind a destination over a symlink SKIP: tests/test-run.sh 8 # SKIP no FUSE support PASS: tests/test-run.sh 9 - can mount /proc with --unshare-user-try PASS: tests/test-run.sh 10 - can unshare network, create new /dev with --unshare-user-try PASS: tests/test-run.sh 11 - cannot read /etc/shadow with --unshare-user-try PASS: tests/test-run.sh 12 - cannot read /root/.bashrc with --unshare-user-try PASS: tests/test-run.sh 13 - can bind a destination over a symlink SKIP: tests/test-run.sh 14 # SKIP no FUSE support PASS: tests/test-run.sh 15 - can mount /proc with --unshare-pid PASS: tests/test-run.sh 16 - can unshare network, create new /dev with --unshare-pid PASS: tests/test-run.sh 17 - cannot read /etc/shadow with --unshare-pid PASS: tests/test-run.sh 18 - cannot read /root/.bashrc with --unshare-pid PASS: tests/test-run.sh 19 - can bind a destination over a symlink SKIP: tests/test-run.sh 20 # SKIP no FUSE support PASS: tests/test-run.sh 21 - can mount /proc with --unshare-user-try --unshare-pid PASS: tests/test-run.sh 22 - can unshare network, create new /dev with --unshare-user-try --unshare-pid PASS: tests/test-run.sh 23 - cannot read /etc/shadow with --unshare-user-try 
--unshare-pid PASS: tests/test-run.sh 24 - cannot read /root/.bashrc with --unshare-user-try --unshare-pid PASS: tests/test-run.sh 25 - can bind a destination over a symlink PASS: tests/test-run.sh 26 - all expected devices were created PASS: tests/test-run.sh 27 - can run as pid 1 PASS: tests/test-run.sh 28 info and json-status fd PASS: tests/test-run.sh 29 namespace id info in info and json-status fd PASS: tests/test-run.sh 30 pre-exec failure doesn't include exit-code in json-status PASS: tests/test-run.sh 31 exec failure doesn't include exit-code in json-status PASS: tests/test-run.sh 32 - can mount /proc recursively PASS: tests/test-run.sh 33 - can pivot to new rootfs recursively PASS: tests/test-run.sh 34 error prefxing PASS: tests/test-run.sh 35 - we have no caps as uid != 0 ERROR: tests/test-run.sh - too few tests run (expected 49, got 35) ERROR: tests/test-run.sh - exited with status 127 (command not found?) ======================================== bubblewrap 0.4.0: ./test-suite.log ======================================== # TOTAL: 37 # PASS: 31 # SKIP: 4 # XFAIL: 0 # FAIL: 0 # XPASS: 0 # ERROR: 2 .. contents:: :depth: 2 ERROR: tests/test-run.sh ======================== + PATH=/home/tkloczko/.local/bin:/home/tkloczko/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/usr/sbin:/sbin +++ dirname ./tests/test-run.sh ++ cd ./tests ++ pwd + srcd=/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/tests + . 
/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/tests/libtest-core.sh ++ locale -a ++ grep C.UTF-8 ++ export LC_ALL=C ++ LC_ALL=C ++ export G_DEBUG=fatal-warnings ++ G_DEBUG=fatal-warnings ++ basename ./tests/test-run.sh + bn=test-run.sh ++ mktemp -d /var/tmp/tap-test.XXXXXX + tempdir=/var/tmp/tap-test.fkr6ZR + touch /var/tmp/tap-test.fkr6ZR/.testtmp + trap cleanup EXIT + cd /var/tmp/tap-test.fkr6ZR + : /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap ++ type -p /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap + test -u /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap + FUSE_DIR= ++ cat /proc/self/mounts ++ grep ' fuse[. ]' ++ awk '{print $2}' +++ id -u ++ grep user_id=1000 ++ id -u + test 1000 = 0 + is_uidzero=false + UNREADABLE=/root/.bashrc + false ++ dirname /root/.bashrc + test -x /root + '[' /lib -ef /usr/lib ']' + BWRAP_RO_HOST_ARGS='--ro-bind /usr /usr --ro-bind /etc /etc --dir /var/tmp --symlink usr/lib /lib --symlink usr/lib64 /lib64 --symlink usr/bin /bin --symlink usr/sbin /sbin --proc /proc --dev /dev' + RUN='/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp' + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp true + echo 1..49 + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --help + assert_file_has_content help.txt 'usage: /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap' + fpath=help.txt + shift + for re in "$@" + grep -q -e 'usage: /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap' help.txt + echo 'ok - Help works' + for ALT in "" "--unshare-user-try" "--unshare-pid" "--unshare-user-try --unshare-pid" + '[' x '!=' x ']' + echo 'ok # SKIP no FUSE support' + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --proc /proc true 1..49 ok - Help works PASS: tests/test-run.sh 1 - Help works + echo 'ok - can mount /proc with ' + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp 
--unshare-net --proc /proc --dev /dev true ok # SKIP no FUSE support SKIP: tests/test-run.sh 2 # SKIP no FUSE support + echo 'ok - can unshare network, create new /dev with ' + echo -n 'expect EPERM: ' expect EPERM: ok - can mount /proc with + test -n '' + CAP= + false PASS: tests/test-run.sh 3 - can mount /proc with + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --unshare-net --proc /proc --bind /etc/shadow /tmp/foo cat /etc/shadow cat: /etc/shadow: Permission denied + echo 'ok - cannot read /etc/shadow with ' + '[' x/root/.bashrc '!=' x ']' ok - can unshare network, create new /dev with + echo -n 'expect EPERM: ' expect EPERM: PASS: tests/test-run.sh 4 - can unshare network, create new /dev with + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --unshare-net --proc /proc --dev /dev --bind /root/.bashrc /tmp/foo cat /tmp/foo bwrap: Can't find source path /root/.bashrc: Permission denied + echo 'ok - cannot read /root/.bashrc with ' ok - cannot read /etc/shadow with + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --dir /tmp/dir --symlink dir /tmp/link --bind /etc /tmp/link true PASS: tests/test-run.sh 5 - cannot read /etc/shadow with + echo 'ok - can bind a destination over a symlink' + for ALT in "" "--unshare-user-try" "--unshare-pid" "--unshare-user-try --unshare-pid" + '[' x '!=' x ']' + echo 'ok # SKIP no FUSE support' ok - cannot read /root/.bashrc with + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --unshare-user-try --proc /proc true PASS: tests/test-run.sh 6 - cannot read /root/.bashrc with ok - can bind a destination over a symlink PASS: tests/test-run.sh 7 - can bind a destination over a symlink + echo 'ok - can mount /proc with --unshare-user-try' + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --unshare-user-try --unshare-net --proc /proc --dev /dev true ok # SKIP no FUSE 
support SKIP: tests/test-run.sh 8 # SKIP no FUSE support + echo 'ok - can unshare network, create new /dev with --unshare-user-try' + echo -n 'expect EPERM: ' expect EPERM: ok - can mount /proc with --unshare-user-try + test -n '' + CAP= + false PASS: tests/test-run.sh 9 - can mount /proc with --unshare-user-try + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --unshare-user-try --unshare-net --proc /proc --bind /etc/shadow /tmp/foo cat /etc/shadow cat: /etc/shadow: Permission denied + echo 'ok - cannot read /etc/shadow with --unshare-user-try' + '[' x/root/.bashrc '!=' x ']' ok - can unshare network, create new /dev with --unshare-user-try + echo -n 'expect EPERM: ' expect EPERM: PASS: tests/test-run.sh 10 - can unshare network, create new /dev with --unshare-user-try + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --unshare-user-try --unshare-net --proc /proc --dev /dev --bind /root/.bashrc /tmp/foo cat /tmp/foo bwrap: Can't find source path /root/.bashrc: Permission denied + echo 'ok - cannot read /root/.bashrc with --unshare-user-try' + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --unshare-user-try --dir /tmp/dir --symlink dir /tmp/link --bind /etc /tmp/link true ok - cannot read /etc/shadow with --unshare-user-try PASS: tests/test-run.sh 11 - cannot read /etc/shadow with --unshare-user-try + echo 'ok - can bind a destination over a symlink' + for ALT in "" "--unshare-user-try" "--unshare-pid" "--unshare-user-try --unshare-pid" + '[' x '!=' x ']' + echo 'ok # SKIP no FUSE support' ok - cannot read /root/.bashrc with --unshare-user-try + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --unshare-pid --proc /proc true PASS: tests/test-run.sh 12 - cannot read /root/.bashrc with --unshare-user-try ok - can bind a destination over a symlink PASS: tests/test-run.sh 13 - can bind a destination over a symlink + echo 'ok - can 
mount /proc with --unshare-pid' + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --unshare-pid --unshare-net --proc /proc --dev /dev true ok # SKIP no FUSE support SKIP: tests/test-run.sh 14 # SKIP no FUSE support + echo 'ok - can unshare network, create new /dev with --unshare-pid' + echo -n 'expect EPERM: ' expect EPERM: + test -n '' ok - can mount /proc with --unshare-pid + CAP= + false PASS: tests/test-run.sh 15 - can mount /proc with --unshare-pid + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --unshare-pid --unshare-net --proc /proc --bind /etc/shadow /tmp/foo cat /etc/shadow cat: /etc/shadow: Permission denied + echo 'ok - cannot read /etc/shadow with --unshare-pid' + '[' x/root/.bashrc '!=' x ']' + echo -n 'expect EPERM: ' expect EPERM: ok - can unshare network, create new /dev with --unshare-pid + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --unshare-pid --unshare-net --proc /proc --dev /dev --bind /root/.bashrc /tmp/foo cat /tmp/foo PASS: tests/test-run.sh 16 - can unshare network, create new /dev with --unshare-pid bwrap: Can't find source path /root/.bashrc: Permission denied + echo 'ok - cannot read /root/.bashrc with --unshare-pid' + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --unshare-pid --dir /tmp/dir --symlink dir /tmp/link --bind /etc /tmp/link true ok - cannot read /etc/shadow with --unshare-pid PASS: tests/test-run.sh 17 - cannot read /etc/shadow with --unshare-pid + echo 'ok - can bind a destination over a symlink' + for ALT in "" "--unshare-user-try" "--unshare-pid" "--unshare-user-try --unshare-pid" + '[' x '!=' x ']' + echo 'ok # SKIP no FUSE support' ok - cannot read /root/.bashrc with --unshare-pid + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --unshare-user-try --unshare-pid --proc /proc true PASS: tests/test-run.sh 18 - cannot read /root/.bashrc with 
--unshare-pid ok - can bind a destination over a symlink PASS: tests/test-run.sh 19 - can bind a destination over a symlink + echo 'ok - can mount /proc with --unshare-user-try --unshare-pid' + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --unshare-user-try --unshare-pid --unshare-net --proc /proc --dev /dev true ok # SKIP no FUSE support SKIP: tests/test-run.sh 20 # SKIP no FUSE support + echo 'ok - can unshare network, create new /dev with --unshare-user-try --unshare-pid' + echo -n 'expect EPERM: ' expect EPERM: + test -n '' ok - can mount /proc with --unshare-user-try --unshare-pid + CAP= + false + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --unshare-user-try --unshare-pid --unshare-net --proc /proc --bind /etc/shadow /tmp/foo cat /etc/shadow PASS: tests/test-run.sh 21 - can mount /proc with --unshare-user-try --unshare-pid cat: /etc/shadow: Permission denied + echo 'ok - cannot read /etc/shadow with --unshare-user-try --unshare-pid' + '[' x/root/.bashrc '!=' x ']' ok - can unshare network, create new /dev with --unshare-user-try --unshare-pid + echo -n 'expect EPERM: ' expect EPERM: PASS: tests/test-run.sh 22 - can unshare network, create new /dev with --unshare-user-try --unshare-pid + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --unshare-user-try --unshare-pid --unshare-net --proc /proc --dev /dev --bind /root/.bashrc /tmp/foo cat /tmp/foo bwrap: Can't find source path /root/.bashrc: Permission denied + echo 'ok - cannot read /root/.bashrc with --unshare-user-try --unshare-pid' ok - cannot read /etc/shadow with --unshare-user-try --unshare-pid + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --unshare-user-try --unshare-pid --dir /tmp/dir --symlink dir /tmp/link --bind /etc /tmp/link true PASS: tests/test-run.sh 23 - cannot read /etc/shadow with --unshare-user-try --unshare-pid + echo 'ok - can bind a 
destination over a symlink' ok - cannot read /root/.bashrc with --unshare-user-try --unshare-pid PASS: tests/test-run.sh 24 - cannot read /root/.bashrc with --unshare-user-try --unshare-pid + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --unshare-pid --dev /dev ls -al /dev/stdin /dev/stdout /dev/stderr /dev/null /dev/random /dev/urandom /dev/fd /dev/core + echo 'ok - all expected devices were created' ok - can bind a destination over a symlink + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --unshare-pid --as-pid-1 --bind / / bash -c 'echo $$' PASS: tests/test-run.sh 25 - can bind a destination over a symlink /usr/share/lmod/lmod/init/bash: line 124: /dev/null: Permission denied + assert_file_has_content as_pid_1.txt 1 + fpath=as_pid_1.txt + shift + for re in "$@" + grep -q -e 1 as_pid_1.txt + echo 'ok - can run as pid 1' ok - all expected devices were created + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --unshare-all --info-fd 42 --json-status-fd 43 -- bash -c 'exit 42' PASS: tests/test-run.sh 26 - all expected devices were created + assert_file_has_content info.json '"child-pid": [0-9]' + fpath=info.json + shift + for re in "$@" + grep -q -e '"child-pid": [0-9]' info.json + assert_file_has_content json-status.json '"child-pid": [0-9]' + fpath=json-status.json + shift + for re in "$@" + grep -q -e '"child-pid": [0-9]' json-status.json + assert_file_has_content_literal json-status.json '"exit-code": 42' + grep -q -F -e '"exit-code": 42' json-status.json + echo 'ok info and json-status fd' ok - can run as pid 1 PASS: tests/test-run.sh 27 - can run as pid 1 ++ /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --proc /proc --unshare-all --info-fd 42 --json-status-fd 43 -- bash -c 'stat -L --format "%n %i" /proc/self/ns/*' + DATA='/proc/self/ns/cgroup 4026535433 /proc/self/ns/ipc 4026535429 /proc/self/ns/mnt 4026535427 
/proc/self/ns/net 4026536379 /proc/self/ns/pid 4026535430 /proc/self/ns/pid_for_children 4026535430 /proc/self/ns/user 4026535422 /proc/self/ns/uts 4026535428' + for NS in "ipc" "mnt" "net" "pid" "uts" ++ echo '/proc/self/ns/cgroup 4026535433 /proc/self/ns/ipc 4026535429 /proc/self/ns/mnt 4026535427 /proc/self/ns/net 4026536379 /proc/self/ns/pid 4026535430 /proc/self/ns/pid_for_children 4026535430 /proc/self/ns/user 4026535422 /proc/self/ns/uts 4026535428' ++ grep /proc/self/ns/ipc ++ awk '{print $2}' + want=4026535429 + assert_file_has_content info.json 4026535429 + fpath=info.json + shift + for re in "$@" + grep -q -e 4026535429 info.json + assert_file_has_content json-status.json 4026535429 + fpath=json-status.json + shift + for re in "$@" + grep -q -e 4026535429 json-status.json + for NS in "ipc" "mnt" "net" "pid" "uts" ++ echo '/proc/self/ns/cgroup 4026535433 /proc/self/ns/ipc 4026535429 /proc/self/ns/mnt 4026535427 /proc/self/ns/net 4026536379 /proc/self/ns/pid 4026535430 /proc/self/ns/pid_for_children 4026535430 /proc/self/ns/user 4026535422 /proc/self/ns/uts 4026535428' ++ grep /proc/self/ns/mnt ++ awk '{print $2}' + want=4026535427 + assert_file_has_content info.json 4026535427 + fpath=info.json + shift + for re in "$@" + grep -q -e 4026535427 info.json + assert_file_has_content json-status.json 4026535427 + fpath=json-status.json + shift + for re in "$@" + grep -q -e 4026535427 json-status.json + for NS in "ipc" "mnt" "net" "pid" "uts" ++ echo '/proc/self/ns/cgroup 4026535433 /proc/self/ns/ipc 4026535429 /proc/self/ns/mnt 4026535427 /proc/self/ns/net 4026536379 /proc/self/ns/pid 4026535430 /proc/self/ns/pid_for_children 4026535430 /proc/self/ns/user 4026535422 /proc/self/ns/uts 4026535428' ++ grep /proc/self/ns/net ++ awk '{print $2}' + want=4026536379 + assert_file_has_content info.json 4026536379 + fpath=info.json + shift + for re in "$@" + grep -q -e 4026536379 info.json + assert_file_has_content json-status.json 4026536379 + fpath=json-status.json + 
shift + for re in "$@" + grep -q -e 4026536379 json-status.json + for NS in "ipc" "mnt" "net" "pid" "uts" ++ echo '/proc/self/ns/cgroup 4026535433 /proc/self/ns/ipc 4026535429 /proc/self/ns/mnt 4026535427 /proc/self/ns/net 4026536379 /proc/self/ns/pid 4026535430 /proc/self/ns/pid_for_children 4026535430 /proc/self/ns/user 4026535422 /proc/self/ns/uts 4026535428' ++ grep /proc/self/ns/pid ++ awk '{print $2}' + want='4026535430 4026535430' + assert_file_has_content info.json '4026535430 4026535430' + fpath=info.json + shift + for re in "$@" + grep -q -e '4026535430 4026535430' info.json + assert_file_has_content json-status.json '4026535430 4026535430' + fpath=json-status.json + shift + for re in "$@" + grep -q -e '4026535430 4026535430' json-status.json + for NS in "ipc" "mnt" "net" "pid" "uts" ++ echo '/proc/self/ns/cgroup 4026535433 /proc/self/ns/ipc 4026535429 /proc/self/ns/mnt 4026535427 /proc/self/ns/net 4026536379 /proc/self/ns/pid 4026535430 /proc/self/ns/pid_for_children 4026535430 /proc/self/ns/user 4026535422 /proc/self/ns/uts 4026535428' ++ grep /proc/self/ns/uts ++ awk '{print $2}' + want=4026535428 + assert_file_has_content info.json 4026535428 + fpath=info.json + shift + for re in "$@" + grep -q -e 4026535428 info.json + assert_file_has_content json-status.json 4026535428 + fpath=json-status.json + shift + for re in "$@" + grep -q -e 4026535428 json-status.json + echo 'ok namespace id info in info and json-status fd' ok info and json-status fd + which strace PASS: tests/test-run.sh 28 info and json-status fd ok namespace id info in info and json-status fd PASS: tests/test-run.sh 29 namespace id info in info and json-status fd + strace -h + grep -v -e default + grep -e fault /usr/bin/strace options: trace, abbrev, verbose, raw, signal, read, write, fault, + strace -o /dev/null -f -e trace=prctl -e fault=prctl:when=39 /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --die-with-parent --json-status-fd 42 true bwrap: can't 
set dumpable: Function not implemented + assert_not_file_has_content json-status.json '"exit-code": [0-9]' + fpath=json-status.json + shift + for re in "$@" + grep -q -e '"exit-code": [0-9]' json-status.json + echo 'ok pre-exec failure doesn'\''t include exit-code in json-status' + notanexecutable=/ -e fault=SET[:error=ERRNO][:when=WHEN], --fault=SET[:error=ERRNO][:when=WHEN] + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --json-status-fd 42 / bwrap: execvp /: Permission denied + true + assert_not_file_has_content json-status.json '"exit-code": [0-9]' + fpath=json-status.json + shift + for re in "$@" + grep -q -e '"exit-code": [0-9]' json-status.json + echo 'ok exec failure doesn'\''t include exit-code in json-status' ok pre-exec failure doesn't include exit-code in json-status PASS: tests/test-run.sh 30 pre-exec failure doesn't include exit-code in json-status + test -n '' + BWRAP_RECURSE='/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --unshare-all --uid 0 --gid 0 --cap-add ALL --bind / / --bind /proc /proc' + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --unshare-all --uid 0 --gid 0 --cap-add ALL --bind / / --bind /proc /proc -- /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --unshare-all --bind / / --bind /proc /proc echo hello + assert_file_has_content recursive_proc.txt hello + fpath=recursive_proc.txt + shift + for re in "$@" + grep -q -e hello recursive_proc.txt + echo 'ok - can mount /proc recursively' ok exec failure doesn't include exit-code in json-status + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --unshare-all --uid 0 --gid 0 --cap-add ALL --bind / / --bind /proc /proc -- /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --unshare-all --ro-bind /usr /usr --ro-bind /etc /etc --dir /var/tmp --symlink usr/lib /lib --symlink usr/lib64 /lib64 --symlink usr/bin /bin --symlink usr/sbin /sbin --proc /proc --dev /dev findmnt PASS: tests/test-run.sh 31 exec failure 
doesn't include exit-code in json-status + assert_file_has_content recursive-newroot.txt /usr + fpath=recursive-newroot.txt + shift + for re in "$@" + grep -q -e /usr recursive-newroot.txt + echo 'ok - can pivot to new rootfs recursively' ok - can mount /proc recursively + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --unshare-pid --bind /source-enoent /dest true PASS: tests/test-run.sh 32 - can mount /proc recursively + assert_file_has_content err.txt '^bwrap: Can'\''t find source path.*source-enoent' + fpath=err.txt + shift + for re in "$@" + grep -q -e '^bwrap: Can'\''t find source path.*source-enoent' err.txt + echo 'ok error prefxing' ok - can pivot to new rootfs recursively PASS: tests/test-run.sh 33 - can pivot to new rootfs recursively + false + for OPT in "" "--unshare-user-try --as-pid-1" "--unshare-user-try" "--as-pid-1" + e=0 + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --unshare-pid getpcaps 1 ok error prefxing PASS: tests/test-run.sh 34 error prefxing + sed -e 's/^/# /' + test 0 = 0 + assert_not_file_has_content caps.test ': =.*cap' + fpath=caps.test + shift + for re in "$@" + grep -q -e ': =.*cap' caps.test + for OPT in "" "--unshare-user-try --as-pid-1" "--unshare-user-try" "--as-pid-1" + e=0 + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --unshare-user-try --as-pid-1 --unshare-pid getpcaps 1 1: = + sed -e 's/^/# /' + test 0 = 0 + assert_not_file_has_content caps.test ': =.*cap' + fpath=caps.test + shift + for re in "$@" + grep -q -e ': =.*cap' caps.test + for OPT in "" "--unshare-user-try --as-pid-1" "--unshare-user-try" "--as-pid-1" + e=0 + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --unshare-user-try --unshare-pid getpcaps 1 1: = + sed -e 's/^/# /' + test 0 = 0 + assert_not_file_has_content caps.test ': =.*cap' + fpath=caps.test + shift + for re in "$@" + grep -q -e ': =.*cap' caps.test + for OPT 
in "" "--unshare-user-try --as-pid-1" "--unshare-user-try" "--as-pid-1" + e=0 + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --as-pid-1 --unshare-pid getpcaps 1 1: = + sed -e 's/^/# /' + test 0 = 0 + assert_not_file_has_content caps.test ': =.*cap' + fpath=caps.test + shift + for re in "$@" + grep -q -e ': =.*cap' caps.test + echo 'ok - we have no caps as uid != 0' + cat 1: = + chmod a+x lockf-n.py + touch lock + for die_with_parent_argv in "--die-with-parent" "--die-with-parent --unshare-pid" + childshellpid=942166 ++ seq 10 ++ pwd + /bin/bash -c 'while true; do /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.4.0/test-bwrap --bind / / --tmpfs /tmp --die-with-parent --lock-file /var/tmp/tap-test.fkr6ZR/lock sleep 1h; done' + for x in $(seq 10) + ./lockf-n.py ./lock nowait /usr/bin/env: 'python': No such file or directory + break + ./lockf-n.py ./lock nowait /usr/bin/env: 'python': No such file or directory + kill -9 942166 + ./lockf-n.py ./lock wait /usr/bin/env: 'python': No such file or directory ./tests/test-run.sh: line 247: 942166 Killed /bin/bash -c "while true; do $RUN ${die_with_parent_argv} --lock-file $(pwd)/lock sleep 1h; done" + cleanup + test -n '' + test -f /var/tmp/tap-test.fkr6ZR/.test ok - we have no caps as uid != 0 PASS: tests/test-run.sh 35 - we have no caps as uid != 0 ERROR: tests/test-run.sh - too few tests run (expected 49, got 35) ERROR: tests/test-run.sh - exited with status 127 (command not found?) ============================================================================ Testsuite summary for bubblewrap 0.4.0 ============================================================================ # TOTAL: 37 # PASS: 31 # SKIP: 4 # XFAIL: 0 # FAIL: 0 # XPASS: 0 # ERROR: 2 ============================================================================ See ./test-suite.log Please report to atomic-devel@projectatomic.io ============================================================================ ```
kloczek commented 2 years ago

Just tested new 0.6.3 and looks like issue still is around ..

```console + cd bubblewrap-0.6.2 + /usr/bin/make -O -j48 V=1 VERBOSE=1 check -j1 /usr/bin/make tests/test-utils test-bwrap tests/try-syscall make[1]: Entering directory '/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2' /usr/bin/gcc -DHAVE_CONFIG_H -I. -pipe -Wall -Werror=shadow -Werror=empty-body -Werror=strict-prototypes -Werror=missing-prototypes -Werror=implicit-function-declaration -Werror=format=2 -Werror=format-security -Werror=format-nonliteral -Werror=pointer-arith -Werror=init-self -Werror=missing-declarations -Werror=return-type -Werror=overflow -Werror=int-conversion -Werror=incompatible-pointer-types -Werror=misleading-indentation -Werror=missing-include-dirs -Werror=aggregate-return -Werror=switch-default -Wswitch-enum -O2 -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fdata-sections -ffunction-sections -flto=auto -flto-partition=none -c -o test-utils.o `test -f 'tests/test-utils.c' || echo './'`tests/test-utils.c /usr/bin/gcc -DHAVE_CONFIG_H -I. 
-pipe -Wall -Werror=shadow -Werror=empty-body -Werror=strict-prototypes -Werror=missing-prototypes -Werror=implicit-function-declaration -Werror=format=2 -Werror=format-security -Werror=format-nonliteral -Werror=pointer-arith -Werror=init-self -Werror=missing-declarations -Werror=return-type -Werror=overflow -Werror=int-conversion -Werror=incompatible-pointer-types -Werror=misleading-indentation -Werror=missing-include-dirs -Werror=aggregate-return -Werror=switch-default -Wswitch-enum -O2 -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fdata-sections -ffunction-sections -flto=auto -flto-partition=none -c -o utils.o utils.c /usr/bin/gcc -pipe -Wall -Werror=shadow -Werror=empty-body -Werror=strict-prototypes -Werror=missing-prototypes -Werror=implicit-function-declaration -Werror=format=2 -Werror=format-security -Werror=format-nonliteral -Werror=pointer-arith -Werror=init-self -Werror=missing-declarations -Werror=return-type -Werror=overflow -Werror=int-conversion -Werror=incompatible-pointer-types -Werror=misleading-indentation -Werror=missing-include-dirs -Werror=aggregate-return -Werror=switch-default -Wswitch-enum -O2 -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fdata-sections -ffunction-sections -flto=auto -flto-partition=none -Wl,-z,relro -Wl,--as-needed -Wl,--gc-sections -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -flto=auto -flto-partition=none -fuse-linker-plugin -Wl,--build-id=sha1 -o tests/test-utils 
test-utils.o utils.o -lselinux -lcap rm -rf test-bwrap cp bwrap test-bwrap chmod 0755 test-bwrap /usr/bin/gcc -DHAVE_CONFIG_H -I. -pipe -Wall -Werror=shadow -Werror=empty-body -Werror=strict-prototypes -Werror=missing-prototypes -Werror=implicit-function-declaration -Werror=format=2 -Werror=format-security -Werror=format-nonliteral -Werror=pointer-arith -Werror=init-self -Werror=missing-declarations -Werror=return-type -Werror=overflow -Werror=int-conversion -Werror=incompatible-pointer-types -Werror=misleading-indentation -Werror=missing-include-dirs -Werror=aggregate-return -Werror=switch-default -Wswitch-enum -O2 -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fdata-sections -ffunction-sections -flto=auto -flto-partition=none -c -o try-syscall.o `test -f 'tests/try-syscall.c' || echo './'`tests/try-syscall.c /usr/bin/gcc -pipe -Wall -Werror=shadow -Werror=empty-body -Werror=strict-prototypes -Werror=missing-prototypes -Werror=implicit-function-declaration -Werror=format=2 -Werror=format-security -Werror=format-nonliteral -Werror=pointer-arith -Werror=init-self -Werror=missing-declarations -Werror=return-type -Werror=overflow -Werror=int-conversion -Werror=incompatible-pointer-types -Werror=misleading-indentation -Werror=missing-include-dirs -Werror=aggregate-return -Werror=switch-default -Wswitch-enum -O2 -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fdata-sections -ffunction-sections -flto=auto -flto-partition=none 
-Wl,-z,relro -Wl,--as-needed -Wl,--gc-sections -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -flto=auto -flto-partition=none -fuse-linker-plugin -Wl,--build-id=sha1 -o tests/try-syscall try-syscall.o -lcap make[1]: Leaving directory '/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2' /usr/bin/make check-TESTS make[1]: Entering directory '/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2' make[2]: Entering directory '/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2' PASS: tests/test-utils 1 - N_ELEMENTS (three) (3) == 3 (3) PASS: tests/test-utils 2 - ab ("aaabbb") == "aaabbb" ("aaabbb") PASS: tests/test-utils 3 - abc ("aaabbbccc") == "aaabbbccc" ("aaabbbccc") PASS: tests/test-utils 4 - has_prefix ("foo", "foo") PASS: tests/test-utils 5 - has_prefix ("foobar", "foo") PASS: tests/test-utils 6 - !(has_prefix ("foobar", "fool")) PASS: tests/test-utils 7 - !(has_prefix ("foo", "fool")) PASS: tests/test-utils 8 - has_prefix ("foo", "") PASS: tests/test-utils 9 - has_prefix ("", "") PASS: tests/test-utils 10 - !(has_prefix ("", "no")) PASS: tests/test-utils 11 - !(has_prefix ("yes", "no")) PASS: tests/test-utils 12 - has_path_prefix (str, prefix) PASS: tests/test-utils 13 - has_path_prefix (str, prefix) PASS: tests/test-utils 14 - has_path_prefix (str, prefix) PASS: tests/test-utils 15 - has_path_prefix (str, prefix) PASS: tests/test-utils 16 - has_path_prefix (str, prefix) PASS: tests/test-utils 17 - !(has_path_prefix (str, prefix)) PASS: tests/test-utils 18 - has_path_prefix (str, prefix) PASS: tests/test-utils 19 - has_path_prefix (str, prefix) PASS: tests/test-run.sh 1 - Help works SKIP: tests/test-run.sh 2 # SKIP no FUSE support PASS: tests/test-run.sh 3 - can mount /proc with PASS: tests/test-run.sh 4 - can unshare network, create new /dev with PASS: tests/test-run.sh 5 - cannot read /etc/shadow with PASS: tests/test-run.sh 6 - cannot read /root/.bashrc with PASS: tests/test-run.sh 7 - can bind a destination over a symlink SKIP: tests/test-run.sh 8 # SKIP no FUSE 
support PASS: tests/test-run.sh 9 - can mount /proc with --unshare-user-try PASS: tests/test-run.sh 10 - can unshare network, create new /dev with --unshare-user-try PASS: tests/test-run.sh 11 - cannot read /etc/shadow with --unshare-user-try PASS: tests/test-run.sh 12 - cannot read /root/.bashrc with --unshare-user-try PASS: tests/test-run.sh 13 - can bind a destination over a symlink SKIP: tests/test-run.sh 14 # SKIP no FUSE support ERROR: tests/test-run.sh - too few tests run (expected 54, got 14) ERROR: tests/test-run.sh - exited with status 1 SKIP: tests/test-seccomp.py - cannot import seccomp Python module PASS: tests/test-specifying-userns.sh 1 - Test --userns PASS: tests/test-specifying-pidns.sh 1 - Test --pidns ======================================== bubblewrap 0.6.2: ./test-suite.log ======================================== # TOTAL: 38 # PASS: 32 # SKIP: 4 # XFAIL: 0 # FAIL: 0 # XPASS: 0 # ERROR: 2 .. contents:: :depth: 2 ERROR: tests/test-run.sh ======================== +++ dirname ./tests/test-run.sh ++ cd ./tests ++ pwd + srcd=/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2/tests + . /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2/tests/libtest.sh ++ set -e ++ '[' -n /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2 ']' ++ test_srcdir=/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2/tests ++ '[' -n /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2 ']' ++ test_builddir=/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2/tests ++ . 
/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2/tests/libtest-core.sh +++ type -p locale ++++ locale -a ++++ grep -iEe '^(C|en_US)\.(UTF-8|utf8)$' ++++ head -n1 +++ export LC_ALL=C.utf8 +++ LC_ALL=C.utf8 +++ '[' -z C.utf8 ']' +++ unset LANGUAGE +++ export G_DEBUG=fatal-warnings +++ G_DEBUG=fatal-warnings +++ trap report_err ERR ++ PATH=/usr/bin:/usr/sbin:/usr/local/sbin:/usr/sbin:/sbin +++ mktemp -d /var/tmp/tap-test.XXXXXX ++ tempdir=/var/tmp/tap-test.TPYsEP ++ touch /var/tmp/tap-test.TPYsEP/.testtmp ++ trap cleanup EXIT ++ cd /var/tmp/tap-test.TPYsEP ++ : /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2/test-bwrap +++ type -p /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2/test-bwrap ++ test -u /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2/test-bwrap ++ FUSE_DIR= +++ grep ' fuse[. ]' /proc/self/mounts +++ awk '{print $2}' ++++ id -u +++ grep user_id=1000 +++ id -u ++ test 1000 = 0 ++ is_uidzero=false ++ UNREADABLE=/root/.bashrc ++ false +++ dirname /root/.bashrc ++ test -x /root ++ '[' /lib -ef /usr/lib ']' ++ BWRAP_RO_HOST_ARGS='--ro-bind /usr /usr --ro-bind /etc /etc --dir /var/tmp --symlink usr/lib /lib --symlink usr/lib64 /lib64 --symlink usr/bin /bin --symlink usr/sbin /sbin --proc /proc --dev /dev' ++ RUN='/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2/test-bwrap --bind / / --tmpfs /tmp' ++ '[' -z '' ']' ++ /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2/test-bwrap --bind / / --tmpfs /tmp true ++ basename ./tests/test-run.sh + bn=test-run.sh + echo 1..54 + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2/test-bwrap --help + assert_file_has_content help.txt 'usage: /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2/test-bwrap' + fpath=help.txt + shift + for re in "$@" + grep -q -e 'usage: /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2/test-bwrap' help.txt + echo 'ok - Help works' + for ALT in "" "--unshare-user-try" "--unshare-pid" "--unshare-user-try --unshare-pid" + '[' x '!=' x ']' + echo 'ok # SKIP no FUSE support' + 
/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2/test-bwrap --bind / / --tmpfs /tmp --proc /proc true 1..54 ok - Help works PASS: tests/test-run.sh 1 - Help works + echo 'ok - can mount /proc with ' + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2/test-bwrap --bind / / --tmpfs /tmp --unshare-net --proc /proc --dev /dev true ok # SKIP no FUSE support SKIP: tests/test-run.sh 2 # SKIP no FUSE support + echo 'ok - can unshare network, create new /dev with ' + echo -n 'expect EPERM: ' expect EPERM: + test -n '' + CAP= + false ok - can mount /proc with PASS: tests/test-run.sh 3 - can mount /proc with + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2/test-bwrap --bind / / --tmpfs /tmp --unshare-net --proc /proc --bind /etc/shadow /tmp/foo cat /etc/shadow cat: /etc/shadow: Permission denied + echo 'ok - cannot read /etc/shadow with ' + '[' x/root/.bashrc '!=' x ']' + echo -n 'expect EPERM: ' expect EPERM: ok - can unshare network, create new /dev with + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2/test-bwrap --bind / / --tmpfs /tmp --unshare-net --proc /proc --dev /dev --bind /root/.bashrc /tmp/foo cat /tmp/foo PASS: tests/test-run.sh 4 - can unshare network, create new /dev with bwrap: Can't find source path /root/.bashrc: Permission denied + echo 'ok - cannot read /root/.bashrc with ' + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2/test-bwrap --bind / / --tmpfs /tmp --dir /tmp/dir --symlink dir /tmp/link --bind /etc /tmp/link true ok - cannot read /etc/shadow with PASS: tests/test-run.sh 5 - cannot read /etc/shadow with + echo 'ok - can bind a destination over a symlink' + for ALT in "" "--unshare-user-try" "--unshare-pid" "--unshare-user-try --unshare-pid" + '[' x '!=' x ']' + echo 'ok # SKIP no FUSE support' ok - cannot read /root/.bashrc with + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2/test-bwrap --bind / / --tmpfs /tmp --unshare-user-try --proc /proc true PASS: tests/test-run.sh 6 - cannot read /root/.bashrc with ok - can bind a destination over a symlink PASS: 
tests/test-run.sh 7 - can bind a destination over a symlink + echo 'ok - can mount /proc with --unshare-user-try' + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2/test-bwrap --bind / / --tmpfs /tmp --unshare-user-try --unshare-net --proc /proc --dev /dev true ok # SKIP no FUSE support SKIP: tests/test-run.sh 8 # SKIP no FUSE support + echo 'ok - can unshare network, create new /dev with --unshare-user-try' + echo -n 'expect EPERM: ' expect EPERM: + test -n '' + CAP= + false ok - can mount /proc with --unshare-user-try + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2/test-bwrap --bind / / --tmpfs /tmp --unshare-user-try --unshare-net --proc /proc --bind /etc/shadow /tmp/foo cat /etc/shadow PASS: tests/test-run.sh 9 - can mount /proc with --unshare-user-try cat: /etc/shadow: Permission denied + echo 'ok - cannot read /etc/shadow with --unshare-user-try' + '[' x/root/.bashrc '!=' x ']' + echo -n 'expect EPERM: ' expect EPERM: ok - can unshare network, create new /dev with --unshare-user-try + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2/test-bwrap --bind / / --tmpfs /tmp --unshare-user-try --unshare-net --proc /proc --dev /dev --bind /root/.bashrc /tmp/foo cat /tmp/foo PASS: tests/test-run.sh 10 - can unshare network, create new /dev with --unshare-user-try bwrap: Can't find source path /root/.bashrc: Permission denied + echo 'ok - cannot read /root/.bashrc with --unshare-user-try' + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2/test-bwrap --bind / / --tmpfs /tmp --unshare-user-try --dir /tmp/dir --symlink dir /tmp/link --bind /etc /tmp/link true ok - cannot read /etc/shadow with --unshare-user-try PASS: tests/test-run.sh 11 - cannot read /etc/shadow with --unshare-user-try + echo 'ok - can bind a destination over a symlink' + for ALT in "" "--unshare-user-try" "--unshare-pid" "--unshare-user-try --unshare-pid" + '[' x '!=' x ']' + echo 'ok # SKIP no FUSE support' + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.6.2/test-bwrap --bind / / --tmpfs /tmp --unshare-pid 
--proc /proc true ok - cannot read /root/.bashrc with --unshare-user-try PASS: tests/test-run.sh 12 - cannot read /root/.bashrc with --unshare-user-try ok - can bind a destination over a symlink PASS: tests/test-run.sh 13 - can bind a destination over a symlink bwrap: Can't mount proc on /newroot/proc: Operation not permitted ++ report_err ++ local exit_status=1 Unexpected nonzero exit status 1 while running: $RUN $ALT --proc /proc true + cleanup + test -n '' + test -f /var/tmp/tap-test.TPYsEP/.testtmp + rm -rf /var/tmp/tap-test.TPYsEP ok # SKIP no FUSE support SKIP: tests/test-run.sh 14 # SKIP no FUSE support ERROR: tests/test-run.sh - too few tests run (expected 54, got 14) ERROR: tests/test-run.sh - exited with status 1 SKIP: tests/test-seccomp.py =========================== 1..0 # SKIP cannot import seccomp Python module SKIP: tests/test-seccomp.py - cannot import seccomp Python module ============================================================================ Testsuite summary for bubblewrap 0.6.2 ============================================================================ # TOTAL: 38 # PASS: 32 # SKIP: 4 # XFAIL: 0 # FAIL: 0 # XPASS: 0 # ERROR: 2 ============================================================================ See ./test-suite.log Please report to atomic-devel@projectatomic.io ============================================================================ ```
smcv commented 2 years ago

> freezez when started with palatalisation

I assume you mean "freezes when started with parallelization". It works for me, but I don't have a machine with 48 CPU cores.

smcv commented 2 years ago

> bwrap: Can't mount proc on /newroot/proc: Operation not permitted

What environment are you running this in? Is it in a container, or a restrictive seccomp profile, or a chroot, or some other environment where bubblewrap can't work?

kloczek commented 2 years ago

Indeed, I'm running all my builds inside LXC zones with many CAP_s stripped down.

smcv commented 2 years ago

If capabilities involved in creating containers have been removed from the bounding set, then yes, you can expect bubblewrap to fail some of its tests: it's a container tool.

The failing command seems to be that in this particular LXC environment, we can combine --proc /proc with either --unshare-user-try or --unshare-pid, but not both?

kloczek commented 8 months ago

Gentle ping .. any update? 🤔

smcv commented 8 months ago

If there was anything new to say about this, then there would have been a comment or a merge request.

As I said above, if capabilities involved in creating containers have been removed from the bounding set, then yes, you can expect bubblewrap to fail some of its tests: it's a container tool. I can't magic bubblewrap into working in environments where it isn't allowed to do its job.

I also don't have access to your specific test environment, but if you want to propose a merge request that somehow detects an environment where a subset of the tests can't work, and skips those tests, then please do.
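One way to build the detection described in the comment above, as an added example that is not part of the thread or of bubblewrap's test suite: probe each option set before testing it, skip only when the environment refuses with EPERM (the error in the posted log), and keep every other failure a failure so a real regression is not hidden behind a skip. `BWRAP`, `BASE_ARGS`, `classify_env` and `run_proc_tests` are hypothetical names; the option sets and base arguments are the ones visible in the posted `test-run.sh` trace.

```shell
#!/bin/sh
# Added example, not bubblewrap's own test code. BWRAP, BASE_ARGS,
# classify_env and run_proc_tests are hypothetical names for illustration.

BWRAP="${BWRAP:-bwrap}"
BASE_ARGS="--bind / / --tmpfs /tmp"

# classify_env OPTS: try to mount a fresh /proc with the given unshare
# options and print one word:
#   supported - the sandbox was set up
#   denied    - the environment refused with EPERM; reasonable to skip
#   error     - anything else; must remain a test failure
classify_env() {
    opts=$1
    # $opts and $BASE_ARGS are intentionally unquoted: they hold option lists.
    # LC_ALL=C pins the strerror() text that the case statement matches on.
    if err=$(LC_ALL=C $BWRAP $BASE_ARGS $opts --proc /proc true 2>&1 >/dev/null); then
        echo supported
        return 0
    fi
    case $err in
        *"Operation not permitted"*) echo denied ;;
        *) echo error ;;
    esac
}

# run_proc_tests: emit TAP for the four option sets the posted trace loops
# over. Returns non-zero if any case is a genuine failure (not a skip).
run_proc_tests() {
    n=0
    failed=0
    for alt in "" "--unshare-user-try" "--unshare-pid" \
               "--unshare-user-try --unshare-pid"; do
        n=$((n + 1))
        case $(classify_env "$alt") in
            supported)
                echo "ok $n - can mount /proc with $alt" ;;
            denied)
                echo "ok $n # SKIP mounting /proc with '$alt' not permitted here" ;;
            *)
                echo "not ok $n - can mount /proc with $alt"
                failed=1 ;;
        esac
    done
    echo "1..$n"
    return $failed
}

# Run against the real bwrap only when asked to: sh probe.sh --run
if [ "${1:-}" = "--run" ]; then
    run_proc_tests
fi
```

Matching on the error text is a heuristic: it depends on bwrap reporting the errno string on stderr, as it does in the log above.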

kloczek commented 8 months ago

I just came back to this issue with the latest version, 0.8.0, and currently the test suite fails because of a missing seccomp Python module. I cannot find this module on PyPI.

```console + cd bubblewrap-0.8.0 + /usr/bin/make -O -j48 V=1 VERBOSE=1 check -j1 /usr/bin/make tests/test-utils test-bwrap tests/try-syscall make[1]: Entering directory '/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0' /usr/bin/gcc -DHAVE_CONFIG_H -I. -pipe -Wall -Werror=shadow -Werror=empty-body -Werror=strict-prototypes -Werror=missing-prototypes -Werror=implicit-function-declaration -Werror=format=2 -Werror=format-security -Werror=format-nonliteral -Werror=pointer-arith -Werror=init-self -Werror=missing-declarations -Werror=return-type -Werror=overflow -Werror=int-conversion -Werror=incompatible-pointer-types -Werror=misleading-indentation -Werror=missing-include-dirs -Werror=aggregate-return -Werror=switch-default -Wswitch-enum -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -O2 -g -grecord-gcc-switches -pipe -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -fdata-sections -ffunction-sections -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -flto=auto -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -Wall -Werror=format-security -c -o test-utils.o `test -f 'tests/test-utils.c' || echo './'`tests/test-utils.c /usr/bin/gcc -DHAVE_CONFIG_H -I. 
-pipe -Wall -Werror=shadow -Werror=empty-body -Werror=strict-prototypes -Werror=missing-prototypes -Werror=implicit-function-declaration -Werror=format=2 -Werror=format-security -Werror=format-nonliteral -Werror=pointer-arith -Werror=init-self -Werror=missing-declarations -Werror=return-type -Werror=overflow -Werror=int-conversion -Werror=incompatible-pointer-types -Werror=misleading-indentation -Werror=missing-include-dirs -Werror=aggregate-return -Werror=switch-default -Wswitch-enum -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -O2 -g -grecord-gcc-switches -pipe -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -fdata-sections -ffunction-sections -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -flto=auto -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -Wall -Werror=format-security -c -o utils.o utils.c /usr/bin/gcc -pipe -Wall -Werror=shadow -Werror=empty-body -Werror=strict-prototypes -Werror=missing-prototypes -Werror=implicit-function-declaration -Werror=format=2 -Werror=format-security -Werror=format-nonliteral -Werror=pointer-arith -Werror=init-self -Werror=missing-declarations -Werror=return-type -Werror=overflow -Werror=int-conversion -Werror=incompatible-pointer-types -Werror=misleading-indentation -Werror=missing-include-dirs -Werror=aggregate-return -Werror=switch-default -Wswitch-enum -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -O2 -g -grecord-gcc-switches -pipe -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -fdata-sections -ffunction-sections -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -flto=auto -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -Wall -Werror=format-security -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--gc-sections -Wl,--as-needed -Wl,--build-id=sha1 
-Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-z,pack-relative-relocs -flto=auto -fuse-linker-plugin -o tests/test-utils test-utils.o utils.o -L/usr/lib -lselinux -lcap rm -rf test-bwrap cp bwrap test-bwrap chmod 0755 test-bwrap /usr/bin/gcc -DHAVE_CONFIG_H -I. -pipe -Wall -Werror=shadow -Werror=empty-body -Werror=strict-prototypes -Werror=missing-prototypes -Werror=implicit-function-declaration -Werror=format=2 -Werror=format-security -Werror=format-nonliteral -Werror=pointer-arith -Werror=init-self -Werror=missing-declarations -Werror=return-type -Werror=overflow -Werror=int-conversion -Werror=incompatible-pointer-types -Werror=misleading-indentation -Werror=missing-include-dirs -Werror=aggregate-return -Werror=switch-default -Wswitch-enum -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -O2 -g -grecord-gcc-switches -pipe -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -fdata-sections -ffunction-sections -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -flto=auto -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -Wall -Werror=format-security -c -o try-syscall.o `test -f 'tests/try-syscall.c' || echo './'`tests/try-syscall.c /usr/bin/gcc -pipe -Wall -Werror=shadow -Werror=empty-body -Werror=strict-prototypes -Werror=missing-prototypes -Werror=implicit-function-declaration -Werror=format=2 -Werror=format-security -Werror=format-nonliteral -Werror=pointer-arith -Werror=init-self -Werror=missing-declarations -Werror=return-type -Werror=overflow -Werror=int-conversion -Werror=incompatible-pointer-types -Werror=misleading-indentation -Werror=missing-include-dirs -Werror=aggregate-return -Werror=switch-default -Wswitch-enum -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -O2 -g -grecord-gcc-switches -pipe -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -fno-omit-frame-pointer 
-mno-omit-leaf-frame-pointer -fdata-sections -ffunction-sections -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -flto=auto -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -Wall -Werror=format-security -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--gc-sections -Wl,--as-needed -Wl,--build-id=sha1 -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-z,pack-relative-relocs -flto=auto -fuse-linker-plugin -o tests/try-syscall try-syscall.o -lcap make[1]: Leaving directory '/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0' /usr/bin/make check-TESTS make[1]: Entering directory '/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0' make[2]: Entering directory '/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0' PASS: tests/test-utils 1 - N_ELEMENTS (three) (3) == 3 (3) PASS: tests/test-utils 2 - ab ("aaabbb") == "aaabbb" ("aaabbb") PASS: tests/test-utils 3 - abc ("aaabbbccc") == "aaabbbccc" ("aaabbbccc") PASS: tests/test-utils 4 - has_prefix ("foo", "foo") PASS: tests/test-utils 5 - has_prefix ("foobar", "foo") PASS: tests/test-utils 6 - !(has_prefix ("foobar", "fool")) PASS: tests/test-utils 7 - !(has_prefix ("foo", "fool")) PASS: tests/test-utils 8 - has_prefix ("foo", "") PASS: tests/test-utils 9 - has_prefix ("", "") PASS: tests/test-utils 10 - !(has_prefix ("", "no")) PASS: tests/test-utils 11 - !(has_prefix ("yes", "no")) PASS: tests/test-utils 12 - has_path_prefix (str, prefix) PASS: tests/test-utils 13 - has_path_prefix (str, prefix) PASS: tests/test-utils 14 - has_path_prefix (str, prefix) PASS: tests/test-utils 15 - has_path_prefix (str, prefix) PASS: tests/test-utils 16 - has_path_prefix (str, prefix) PASS: tests/test-utils 17 - !(has_path_prefix (str, prefix)) PASS: tests/test-utils 18 - has_path_prefix (str, prefix) PASS: tests/test-utils 19 - has_path_prefix (str, prefix) PASS: tests/test-run.sh 1 - Help works SKIP: tests/test-run.sh 2 # SKIP no FUSE support PASS: tests/test-run.sh 3 - can mount /proc with PASS: 
tests/test-run.sh 4 - can unshare network, create new /dev with PASS: tests/test-run.sh 5 - cannot read /etc/shadow with PASS: tests/test-run.sh 6 - cannot read /root/.bashrc with PASS: tests/test-run.sh 7 - can bind a destination over a symlink SKIP: tests/test-run.sh 8 # SKIP no FUSE support PASS: tests/test-run.sh 9 - can mount /proc with --unshare-user-try PASS: tests/test-run.sh 10 - can unshare network, create new /dev with --unshare-user-try PASS: tests/test-run.sh 11 - cannot read /etc/shadow with --unshare-user-try PASS: tests/test-run.sh 12 - cannot read /root/.bashrc with --unshare-user-try PASS: tests/test-run.sh 13 - can bind a destination over a symlink SKIP: tests/test-run.sh 14 # SKIP no FUSE support ERROR: tests/test-run.sh - too few tests run (expected 58, got 14) ERROR: tests/test-run.sh - exited with status 1 SKIP: tests/test-seccomp.py - cannot import seccomp Python module PASS: tests/test-specifying-userns.sh 1 - Test --userns PASS: tests/test-specifying-pidns.sh 1 - Test --pidns ======================================== bubblewrap 0.8.0: ./test-suite.log ======================================== # TOTAL: 38 # PASS: 32 # SKIP: 4 # XFAIL: 0 # FAIL: 0 # XPASS: 0 # ERROR: 2 .. contents:: :depth: 2 ERROR: tests/test-run.sh ======================== +++ dirname ./tests/test-run.sh ++ cd ./tests ++ pwd + srcd=/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0/tests + . /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0/tests/libtest.sh ++ set -e ++ '[' -n /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0 ']' ++ test_srcdir=/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0/tests ++ '[' -n /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0 ']' ++ test_builddir=/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0/tests ++ . 
/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0/tests/libtest-core.sh +++ type -p locale ++++ locale -a ++++ grep -iEe '^(C|en_US)\.(UTF-8|utf8)$' ++++ head -n1 +++ export LC_ALL=C.utf8 +++ LC_ALL=C.utf8 +++ '[' -z C.utf8 ']' +++ unset LANGUAGE +++ export G_DEBUG=fatal-warnings +++ G_DEBUG=fatal-warnings +++ trap report_err ERR ++ PATH=/usr/bin:/usr/sbin:/usr/local/sbin:/usr/sbin:/sbin +++ mktemp -d /var/tmp/tap-test.XXXXXX ++ tempdir=/var/tmp/tap-test.MDjIji ++ touch /var/tmp/tap-test.MDjIji/.testtmp ++ trap cleanup EXIT ++ cd /var/tmp/tap-test.MDjIji ++ : /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0/test-bwrap +++ type -p /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0/test-bwrap ++ test -u /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0/test-bwrap ++ FUSE_DIR= +++ grep ' fuse[. ]' /proc/self/mounts +++ awk '{print $2}' ++++ id -u +++ grep user_id=1000 +++ id -u ++ test 1000 = 0 ++ is_uidzero=false ++ UNREADABLE=/root/.bashrc ++ false +++ dirname /root/.bashrc ++ test -x /root ++ '[' /lib -ef /usr/lib ']' ++ BWRAP_RO_HOST_ARGS='--ro-bind /usr /usr --ro-bind /etc /etc --dir /var/tmp --symlink usr/lib /lib --symlink usr/lib64 /lib64 --symlink usr/bin /bin --symlink usr/sbin /sbin --proc /proc --dev /dev' ++ RUN='/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0/test-bwrap --bind / / --tmpfs /tmp' ++ '[' -z '' ']' ++ /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0/test-bwrap --bind / / --tmpfs /tmp true ++ basename ./tests/test-run.sh + bn=test-run.sh + echo 1..58 + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0/test-bwrap --help + assert_file_has_content help.txt 'usage: /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0/test-bwrap' + fpath=help.txt + shift + for re in "$@" + grep -q -e 'usage: /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0/test-bwrap' help.txt + echo 'ok - Help works' + for ALT in "" "--unshare-user-try" "--unshare-pid" "--unshare-user-try --unshare-pid" + '[' x '!=' x ']' + echo 'ok # SKIP no FUSE support' + 
/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0/test-bwrap --bind / / --tmpfs /tmp --proc /proc true 1..58 ok - Help works PASS: tests/test-run.sh 1 - Help works + echo 'ok - can mount /proc with ' + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0/test-bwrap --bind / / --tmpfs /tmp --unshare-net --proc /proc --dev /dev true ok # SKIP no FUSE support SKIP: tests/test-run.sh 2 # SKIP no FUSE support + echo 'ok - can unshare network, create new /dev with ' + echo -n 'expect EPERM: ' expect EPERM: + test -n '' + CAP= + cat /etc/shadow ok - can mount /proc with PASS: tests/test-run.sh 3 - can mount /proc with cat: /etc/shadow: Permission denied + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0/test-bwrap --bind / / --tmpfs /tmp --unshare-net --proc /proc --bind /etc/shadow /tmp/foo cat /tmp/foo cat: /tmp/foo: Permission denied + cat /etc/shadow cat: /etc/shadow: Permission denied + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0/test-bwrap --bind / / --tmpfs /tmp --unshare-net --proc /proc --bind /etc/shadow /tmp/foo cat /etc/shadow cat: /etc/shadow: Permission denied + echo 'ok - cannot read /etc/shadow with ' + '[' x/root/.bashrc '!=' x ']' + echo -n 'expect EPERM: ' expect EPERM: + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0/test-bwrap --bind / / --tmpfs /tmp --unshare-net --proc /proc --dev /dev --bind /root/.bashrc /tmp/foo cat /tmp/foo ok - can unshare network, create new /dev with PASS: tests/test-run.sh 4 - can unshare network, create new /dev with bwrap: Can't find source path /root/.bashrc: Permission denied + echo 'ok - cannot read /root/.bashrc with ' + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0/test-bwrap --bind / / --tmpfs /tmp --dir /tmp/dir --symlink dir /tmp/link --bind /etc /tmp/link true ok - cannot read /etc/shadow with PASS: tests/test-run.sh 5 - cannot read /etc/shadow with + echo 'ok - can bind a destination over a symlink' + for ALT in "" "--unshare-user-try" "--unshare-pid" "--unshare-user-try --unshare-pid" + '[' x '!=' x ']' + echo 'ok # 
SKIP no FUSE support' + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0/test-bwrap --bind / / --tmpfs /tmp --unshare-user-try --proc /proc true ok - cannot read /root/.bashrc with PASS: tests/test-run.sh 6 - cannot read /root/.bashrc with ok - can bind a destination over a symlink PASS: tests/test-run.sh 7 - can bind a destination over a symlink + echo 'ok - can mount /proc with --unshare-user-try' + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0/test-bwrap --bind / / --tmpfs /tmp --unshare-user-try --unshare-net --proc /proc --dev /dev true ok # SKIP no FUSE support SKIP: tests/test-run.sh 8 # SKIP no FUSE support + echo 'ok - can unshare network, create new /dev with --unshare-user-try' + echo -n 'expect EPERM: ' expect EPERM: + test -n '' + CAP= + cat /etc/shadow ok - can mount /proc with --unshare-user-try PASS: tests/test-run.sh 9 - can mount /proc with --unshare-user-try cat: /etc/shadow: Permission denied + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0/test-bwrap --bind / / --tmpfs /tmp --unshare-user-try --unshare-net --proc /proc --bind /etc/shadow /tmp/foo cat /tmp/foo cat: /tmp/foo: Permission denied + cat /etc/shadow cat: /etc/shadow: Permission denied + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0/test-bwrap --bind / / --tmpfs /tmp --unshare-user-try --unshare-net --proc /proc --bind /etc/shadow /tmp/foo cat /etc/shadow cat: /etc/shadow: Permission denied + echo 'ok - cannot read /etc/shadow with --unshare-user-try' + '[' x/root/.bashrc '!=' x ']' ok - can unshare network, create new /dev with --unshare-user-try + echo -n 'expect EPERM: ' PASS: tests/test-run.sh 10 - can unshare network, create new /dev with --unshare-user-try expect EPERM: + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0/test-bwrap --bind / / --tmpfs /tmp --unshare-user-try --unshare-net --proc /proc --dev /dev --bind /root/.bashrc /tmp/foo cat /tmp/foo bwrap: Can't find source path /root/.bashrc: Permission denied + echo 'ok - cannot read /root/.bashrc with --unshare-user-try' ok - 
cannot read /etc/shadow with --unshare-user-try + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0/test-bwrap --bind / / --tmpfs /tmp --unshare-user-try --dir /tmp/dir --symlink dir /tmp/link --bind /etc /tmp/link true PASS: tests/test-run.sh 11 - cannot read /etc/shadow with --unshare-user-try + echo 'ok - can bind a destination over a symlink' + for ALT in "" "--unshare-user-try" "--unshare-pid" "--unshare-user-try --unshare-pid" ok - cannot read /root/.bashrc with --unshare-user-try + '[' x '!=' x ']' PASS: tests/test-run.sh 12 - cannot read /root/.bashrc with --unshare-user-try + echo 'ok # SKIP no FUSE support' ok - can bind a destination over a symlink + /home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0/test-bwrap --bind / / --tmpfs /tmp --unshare-pid --proc /proc true PASS: tests/test-run.sh 13 - can bind a destination over a symlink bwrap: Can't mount proc on /newroot/proc: Operation not permitted ++ report_err ++ local exit_status=1 Unexpected nonzero exit status 1 while running: $RUN $ALT --proc /proc true + cleanup + test -n '' + test -f /var/tmp/tap-test.MDjIji/.testtmp + rm -rf /var/tmp/tap-test.MDjIji ok # SKIP no FUSE support SKIP: tests/test-run.sh 14 # SKIP no FUSE support ERROR: tests/test-run.sh - too few tests run (expected 58, got 14) ERROR: tests/test-run.sh - exited with status 1 SKIP: tests/test-seccomp.py =========================== 1..0 # SKIP cannot import seccomp Python module SKIP: tests/test-seccomp.py - cannot import seccomp Python module ============================================================================ Testsuite summary for bubblewrap 0.8.0 ============================================================================ # TOTAL: 38 # PASS: 32 # SKIP: 4 # XFAIL: 0 # FAIL: 0 # XPASS: 0 # ERROR: 2 ============================================================================ See ./test-suite.log Please report to atomic-devel@projectatomic.io ============================================================================ make[2]: *** 
[Makefile:1010: test-suite.log] Error 1 make[2]: Leaving directory '/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0' make[1]: *** [Makefile:1118: check-TESTS] Error 2 make[1]: Leaving directory '/home/tkloczko/rpmbuild/BUILD/bubblewrap-0.8.0' make: *** [Makefile:1357: check-am] Error 2 ```
smcv commented 8 months ago

> currently the test suite fails because of a missing seccomp Python module

No it doesn't, some tests were skipped because of a missing seccomp Python module. The actual failure is (still)

bwrap: Can't mount proc on /newroot/proc: Operation not permitted

If your test environment is not allowed to mount the proc filesystem, then bubblewrap cannot do its job.

kloczek commented 8 months ago

> If your test environment is not allowed to mount the proc filesystem, then bubblewrap cannot do its job.

It is allowed, but the test suite is executed from a non-root account.