syscall: GNU/Linux tests fail when run as root inside container #21379

Closed
mdcnz opened this issue Aug 10, 2017 · 9 comments
Labels: FrozenDueToAge, NeedsInvestigation (Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.), OS-Linux, release-blocker

mdcnz commented Aug 10, 2017

What version of Go are you using (go version)?

1.9 and tip

What operating system and processor architecture are you using (go env)?

host: ubuntu16 x86_64
docker: 17.06.0-ce
container: golang:1.9

What did you do?

Tried to compile and test golang tip using docker golang:1.9 image.

Dockerfile:

```dockerfile
FROM golang:1.9
RUN apt-get update && apt-get install -y vim && apt-get upgrade -y
ENV GOROOT_BOOTSTRAP="/usr/local/go"
ENV TIP="/go_tip"
RUN git clone --depth=1 https://go.googlesource.com/go $TIP
WORKDIR $TIP/src
RUN ./all.bash
```

Tried to build with:

```
docker build --no-cache -t dogo-img .
```

What did you expect to see?

All tests pass

What did you see instead?

```
...
ok  	sync	6.848s
ok  	sync/atomic	0.147s
--- FAIL: TestCloneNEWUSERAndRemapRootDisableSetgroups (0.00s)
	exec_linux_test.go:97: Cmd failed with err fork/exec /usr/bin/whoami: operation not permitted, output: 
--- FAIL: TestCloneNEWUSERAndRemapRootEnableSetgroups (0.00s)
	exec_linux_test.go:97: Cmd failed with err fork/exec /usr/bin/whoami: operation not permitted, output: 
--- FAIL: TestEmptyCredGroupsDisableSetgroups (0.00s)
	exec_linux_test.go:145: fork/exec /usr/bin/whoami: operation not permitted
--- FAIL: TestGroupCleanupUserNamespace (0.00s)
	exec_linux_test.go:261: Cmd failed with err fork/exec /usr/bin/id: operation not permitted, output: 
--- FAIL: TestUnshareMountNameSpace (0.00s)
	exec_linux_test.go:324: unshare failed: , fork/exec /tmp/go-build277915935/syscall/_test/syscall.test: operation not permitted
--- FAIL: TestUnshareMountNameSpaceChroot (3.48s)
	exec_linux_test.go:382: unshare failed: , fork/exec /syscall.test: operation not permitted
--- FAIL: TestAmbientCaps (0.00s)
	exec_linux_test.go:506: SYS_CAPSET: operation not permitted
FAIL
FAIL	syscall	3.551s
ok  	testing	0.969s
ok  	testing/quick	0.441s
...
```

Might be related to

Member

mvdan commented Aug 10, 2017

If you run whoami or id in the container, do they execute fine?

Have you tried make.bash instead of all.bash? If what you're after is compiling Go, you don't need to run all the tests.

Author

mdcnz commented Aug 10, 2017

Thanks for your response Daniel. Yes, they execute:

```
whoami
root

id
uid=0(root) gid=0(root) groups=0(root)

make.bash
...
Installed Go for linux/amd64 in /go_tip
```

ianlancetaylor changed the title from "Test failures in syscall compiling golang tip within docker golang:1.9 container" to "syscall: GNU/Linux tests fail when run as root inside container" on Aug 12, 2017
ianlancetaylor added the NeedsInvestigation (Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.), release-blocker and OS-Linux labels on Aug 12, 2017
ianlancetaylor added this to the Go1.10 milestone on Aug 12, 2017
@ianlancetaylor
Contributor

CC @LK4D4

Contributor

LK4D4 commented Aug 12, 2017

There are definitely not enough permissions in a simple docker container to create user or mount namespaces (I'm actually surprised that it was able to create a network namespace).
I wonder if we could just check for "permission denied" and "operation not permitted" for needed unshare operations before running tests. @bradfitz added a "permission denied" check in 3e4afe2, so we'd just need to add "operation not permitted" (yeah, it's weird) and add the same for user namespace as well. But that kinda defies the meaning of some tests.
Alternatively, to fix only this issue it's possible to check that we're in a docker container.


dagelf commented Aug 13, 2017

The network namespace tests already ignore permission errors. Perhaps ignoring permission errors should be logged as "OK - unable to test, no permission"?


tv42 commented Aug 18, 2017

> I wonder if we could just check for "permission denied" and "operation not permitted" for needed unshare operations before running tests. @bradfitz added a "permission denied" check in 3e4afe2, so we'd just need to add "operation not permitted" (yeah, it's weird) and add the same for user namespace as well.

Drive-by clarification: EACCES means "access control told me not to let you do this", and EPERM means "that just won't ever happen (with this kernel, with this input, at this time)". For example, for open(2) EACCES errors are fixable with chmod, EPERM are not.

> Perhaps ignoring permission errors should be logged as "OK - unable to test, no permission"?

Sounds like a case for t.Skip.
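
Added example, not part of the thread and not the Go project's own test code: one way to turn the EPERM/EACCES distinction and the t.Skip suggestion above into a probe that a namespace test runs first. The names `Verdict`, `classify` and `probeUserNamespace` and the `/bin/true` helper binary are assumptions made for this sketch.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"syscall"
)

// Verdict is what a test should do after probing the environment.
type Verdict int

const (
	Run  Verdict = iota // probe worked: run the real test
	Skip                // environment forbids the operation: call t.Skip
	Fail                // any other error is a real failure
)

// classify maps a probe error to a verdict plus a reason for the skip message.
// errors.Is unwraps the *os.PathError that os/exec returns for fork/exec failures.
func classify(err error) (Verdict, string) {
	switch {
	case err == nil:
		return Run, ""
	case errors.Is(err, syscall.EPERM):
		return Skip, "EPERM: operation not permitted"
	case errors.Is(err, syscall.EACCES):
		return Skip, "EACCES: permission denied"
	default:
		return Fail, err.Error()
	}
}

// probeUserNamespace starts a trivial child in a new user namespace.
// /bin/true is an assumed helper binary; Cloneflags makes this Linux-only.
func probeUserNamespace() error {
	cmd := exec.Command("/bin/true")
	cmd.SysProcAttr = &syscall.SysProcAttr{Cloneflags: syscall.CLONE_NEWUSER}
	return cmd.Run()
}

// In a test: if v, why := classify(probeUserNamespace()); v == Skip { t.Skip(why) }
func main() {
	v, why := classify(probeUserNamespace())
	fmt.Printf("verdict=%d reason=%q\n", v, why)
}
```

Keeping the two errno values apart in the skip reason preserves the information the test log needs to tell an access-control denial from an operation the environment refuses outright.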

@gopherbot

Change https://golang.org/cl/58170 mentions this issue: syscall: skip some exec tests in container

Contributor

LK4D4 commented Aug 23, 2017

@mdcnz would you mind trying with master?

Author

mdcnz commented Aug 24, 2017

Confirm all tests now pass on master 9d3d370.

Thanks @LK4D4

@golang golang locked and limited conversation to collaborators Aug 24, 2018