Commit 71ced145 authored by Kirill Smelkov's avatar Kirill Smelkov

golang += patches to fix tests under user namespaces

If we enter user namespace via regular unshare without help from SUID
newuidmap/newgidmap, all supplementary groups are mapped to -1. As the result
when Go test tries to chown to a supplementary group, it gets EINVAL:

https://github.com/golang/go/issues/42525

-> work it around with patch to skip this chown tests.

A more proper, longer-term fix would be to fix Linux kernel to allow writes to
/proc/self/gid_map to setup mapping not only to original gid, but to all
original supplementary groups as well here:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/user_namespace.c?id=v5.16-rc4-0-g0fcfb00b28c0#n1143

Such a fix, even if accepted upstream, would take a long time to propagate
to the distribution kernels that we currently use. So we go with this
workaround for now.

--------

Another patch is to fix the following TestSCMCredentials failure:

    === RUN   TestSCMCredentials
        creds_test.go:81: WriteMsgUnix failed with invalid argument, want EPERM
    --- FAIL: TestSCMCredentials (0.00s)

There the code tries to send uid0/gid0 credentials from non-zero uid and
expects EPERM reject from kernel. However under `unshare -Umc` uid0/gid0 are
not mapped to anywhere and so implicitly map to -1 and are rejected with EINVAL
by the kernel.

/reviewed-by @jerome
/reviewed-on nexedi/slapos!1095
parent 0fcadfbd
Pipeline #18772 failed with stage
...@@ -6,6 +6,7 @@ extends = ...@@ -6,6 +6,7 @@ extends =
../git/buildout.cfg ../git/buildout.cfg
../pkgconfig/buildout.cfg ../pkgconfig/buildout.cfg
../swig/buildout.cfg ../swig/buildout.cfg
../patch/buildout.cfg
./buildout.hash.cfg ./buildout.hash.cfg
parts = gowork go parts = gowork go
...@@ -22,10 +23,19 @@ make-targets= cd src && unset GOBIN && ./all.bash && cp -alf .. ${:location} ...@@ -22,10 +23,19 @@ make-targets= cd src && unset GOBIN && ./all.bash && cp -alf .. ${:location}
# some testdata files have an issue with slapos.extension.strip. # some testdata files have an issue with slapos.extension.strip.
post-install = ${findutils:location}/bin/find ${:location}/src -type d -name testdata -exec rm -rf {} \; || true post-install = ${findutils:location}/bin/find ${:location}/src -type d -name testdata -exec rm -rf {} \; || true
environment = environment =
PATH=${swig:location}/bin:%(PATH)s PATH=${swig:location}/bin:${patch:location}/bin:%(PATH)s
GOROOT_FINAL=${:location} GOROOT_FINAL=${:location}
${:environment-extra} ${:environment-extra}
# TestChown and TestSCMCredentials currently fail in a user-namespace
# https://github.com/golang/go/issues/42525
# the patches apply to go >= 1.12
patch-options = -p1
patches =
${:_profile_base_location_}/skip-chown-tests.patch#d4e3c8ef83788fb2a5d80dd75034786f
${:_profile_base_location_}/fix-TestSCMCredentials.patch#1d8dbc97cd579e03fafd8627d48f1c59
[golang14] [golang14]
<= golang-common <= golang-common
# https://golang.org/doc/install/source#bootstrapFromSource # https://golang.org/doc/install/source#bootstrapFromSource
...@@ -34,6 +44,9 @@ md5sum = dbf727a4b0e365bf88d97cbfde590016 ...@@ -34,6 +44,9 @@ md5sum = dbf727a4b0e365bf88d97cbfde590016
environment-extra = environment-extra =
make-targets= cd src && unset GOBIN && ./make.bash && cp -alf .. ${:location} make-targets= cd src && unset GOBIN && ./make.bash && cp -alf .. ${:location}
# skip-chown-tests.patch does not apply to go1.4, but we don't run go1.4 tests.
patches =
[golang1.12] [golang1.12]
<= golang-common <= golang-common
......
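Review bot: The two entries under `patches =` are pinned only by an MD5 fragment, and they change what the Go toolchain's own test suite checks for every part that extends golang-common without overriding `patches`. MD5 catches an accidental mismatch but is not collision-resistant, so it is a weak integrity pin if `${:_profile_base_location_}` can resolve to a remote location (inferred; the page does not show how the profile is fetched). If the recipe version in use accepts a stronger digest, prefer it; otherwise state the assumption next to the list, e.g. `# md5 only guards against accidental mismatch; patch files are expected to come from the same reviewed checkout as this profile`. Separately, the comment above the list names TestChown and TestSCMCredentials, while skip-chown-tests.patch also skips TestFileChown and TestLchown.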
From 385ca858ac89efccffd557eccc1113281306bd88 Mon Sep 17 00:00:00 2001
From: Kirill Smelkov <kirr@nexedi.com>
Date: Mon, 6 Dec 2021 22:50:27 +0300
Subject: [PATCH] syscall: tests: Fix TestSCMCredentials for `unshare -Umc`
---
src/syscall/creds_test.go | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/syscall/creds_test.go b/src/syscall/creds_test.go
index c1a8b516e8..ed6e80c0c3 100644
--- a/src/syscall/creds_test.go
+++ b/src/syscall/creds_test.go
@@ -78,8 +78,10 @@ func TestSCMCredentials(t *testing.T) {
if sys, ok := err.(*os.SyscallError); ok {
err = sys.Err
}
- if err != syscall.EPERM {
- t.Fatalf("WriteMsgUnix failed with %v, want EPERM", err)
+ // can get EINVAL instead of EPERM under `unshare -Umc` because uid0 is not mapped and maps to -1
+ // see also https://github.com/golang/go/issues/42525
+ if !(err == syscall.EPERM || err == syscall.EINVAL) {
+ t.Fatalf("WriteMsgUnix failed with %v, want EPERM/EINVAL", err)
}
}
--
2.30.2
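Review bot: The new condition `!(err == syscall.EPERM || err == syscall.EINVAL)` accepts EINVAL on every run, so outside a user namespace the test no longer pins which kernel check rejected the uid0/gid0 credentials. EINVAL is still a rejection, but accepting it only when uid 0 has no entry in `/proc/self/uid_map` would keep the strict EPERM expectation everywhere else. The helper below is a sketch: it would need `io/ioutil` and `strings` imported in creds_test.go, and TestSCMCredentials starts outside the hunk, so its placement needs checking against the full file.

```go
// uid0Mapped reports whether uid 0 has a mapping in the current user
// namespace, judged by the first column of /proc/self/uid_map.
func uid0Mapped() bool {
	data, err := ioutil.ReadFile("/proc/self/uid_map")
	if err != nil {
		return true // cannot tell: keep the strict EPERM expectation
	}
	for _, line := range strings.Split(string(data), "\n") {
		f := strings.Fields(line)
		if len(f) == 3 && f[0] == "0" {
			return true
		}
	}
	return false
}

// … unchanged: WriteMsgUnix call and *os.SyscallError unwrapping …
		// EINVAL is expected only when uid 0 is unmapped (e.g. `unshare -Umc`),
		// see https://github.com/golang/go/issues/42525
		if err != syscall.EPERM && !(err == syscall.EINVAL && !uid0Mapped()) {
			t.Fatalf("WriteMsgUnix failed with %v, want EPERM", err)
		}
```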
From: regnat <rg@regnat.ovh>
Date: Wed, 3 Nov 2021 10:17:28 +0100
Subject: [PATCH] Disable the chown tests
See https://github.com/golang/go/issues/42525 and
https://github.com/NixOS/nix/issues/3245
---
os/os_unix_test.go | 3 +++
1 file changed, 3 insertions(+)
diff --git a/os/os_unix_test.go b/os/os_unix_test.go
index 51693fd..0936542 100644
--- a/src/os/os_unix_test.go
+++ b/src/os/os_unix_test.go
@@ -40,6 +40,7 @@ func checkUidGid(t *testing.T, path string, uid, gid int) {
}
func TestChown(t *testing.T) {
+ t.Skipf("https://github.com/golang/go/issues/42525")
// Use TempDir() to make sure we're on a local file system,
// so that the group ids returned by Getgroups will be allowed
// on the file. On NFS, the Getgroups groups are
@@ -83,6 +84,7 @@ func TestChown(t *testing.T) {
}
func TestFileChown(t *testing.T) {
+ t.Skipf("https://github.com/golang/go/issues/42525")
// Use TempDir() to make sure we're on a local file system,
// so that the group ids returned by Getgroups will be allowed
// on the file. On NFS, the Getgroups groups are
@@ -126,6 +128,7 @@ func TestFileChown(t *testing.T) {
}
func TestLchown(t *testing.T) {
+ t.Skipf("https://github.com/golang/go/issues/42525")
// Use TempDir() to make sure we're on a local file system,
// so that the group ids returned by Getgroups will be allowed
// on the file. On NFS, the Getgroups groups are
--
2.31.1
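Review bot: `t.Skipf` at the top of TestChown, TestFileChown and TestLchown skips them unconditionally, so file-ownership behaviour goes untested on every build made with this patch, including builds that do not run inside a user namespace. A conditional skip would keep the coverage where supplementary groups are mapped; the three function bodies continue outside the hunks, so the right place for such a check (for example when a chown to a group from Getgroups returns EINVAL) needs confirming against the full file. At minimum the skip reason should say why, and `t.Skip` fits better than `t.Skipf` since there are no format arguments: `t.Skip("chown to supplementary groups fails with EINVAL in a user namespace, see https://github.com/golang/go/issues/42525")`.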