wip: testing that content was actually propagated inside the microvm

anthonycorletti · anthonycorletti · commit 8c32b1e73945 · 2025-02-14T12:02:43.000-05:00
diff --git a/.gitignore b/.gitignore
@@ -14,5 +14,4 @@ test_results/*
 *.bin
 /resources/linux
 /resources/x86_64
-/resources/aarch64
-.venv
+/resources/aarch64
diff --git a/tests/integration_tests/security/test_jail.py b/tests/integration_tests/security/test_jail.py
@@ -666,74 +666,96 @@ def test_cgroupsv2_written_only_once(uvm_plain, cgroups_info):
     assert len(mkdir_lines) == 1
 
 
-def test_mount_proagation_to_root(uvm_plain, tmp_path, guest_kernel, rootfs_rw):
+def test_jail_mount(uvm_plain, guest_kernel, rootfs_rw):
     """
     Test that the jailer mounts are propagated to the root mount namespace.
-
-    This is a test for
-    https://github.com/firecracker-microvm/firecracker/pull/#1093
     """
-
+    # setup the microvm
     test_microvm = uvm_plain
 
+    chroot_base = test_microvm.jailer.chroot_base / str(test_microvm.id)[:8]
     # make a directory to hold the original content
-    original_content_dir = tmp_path / "original"
-    original_content_dir.mkdir(parents=True)
+    original_content_dir = chroot_base / "original_content"
+    original_content_dir.mkdir(parents=True, exist_ok=True)
 
     # make a directory to hold the jailed content
-    jailed_content_dir = tmp_path / "firecracker" / "testbindmount" / "root"
-    jailed_content_dir.mkdir(parents=True)
-
-    test_microvm.jailer.jailer_id = "testbindmount"
-    test_microvm.jailer.chroot_base = tmp_path
-    test_microvm.jailer.daemonize = True
-    test_microvm.jailer.gid = 0
-    test_microvm.jailer.uid = 0
-    test_microvm.extra_args = {"seccomp-level": 0}
+    jailed_content_dir = chroot_base / "firecracker" / "testbindmount" / "root"
+    jailed_content_dir.mkdir(parents=True, exist_ok=True)
+    jailed_content_dir_ssh = jailed_content_dir / ".ssh"
+    jailed_content_dir_ssh.mkdir(parents=True, exist_ok=True)
 
     # assert that the directory was created
+    assert original_content_dir.exists()
     assert jailed_content_dir.exists()
+    assert jailed_content_dir_ssh.exists()
 
-    # Create the guest kernel and rootfs in the jailed content directory
-    # and mount them in the jailed content directory
-    os.system(f"cp {guest_kernel} {original_content_dir}")
-    os.system(f"cp {rootfs_rw} {original_content_dir}")
-    guest_kernel_mount_path = jailed_content_dir / os.path.basename(guest_kernel)
-    rootfs_mount_path = jailed_content_dir / os.path.basename(rootfs_rw)
-    guest_kernel_mount_path.touch()
-    rootfs_mount_path.touch()
+    # add the ssh key to the jailed content dir so we can ssh into the microvm
+    pub_key_contents = Path("/srv/img/x86_64/id_rsa.pub").read_text()
+    ssh_key = jailed_content_dir_ssh / "authorized_keys"
+    ssh_key.write_text(pub_key_contents)
 
-    # assert that the files were created
-    assert guest_kernel_mount_path.exists()
-    assert rootfs_mount_path.exists()
+    # create the files that will be mounted
+    test_data = original_content_dir / "test_data"
+    test_data.touch()
+    assert test_data.exists()
+    test_data.write_text("test_data")
+    assert test_data.read_text() == "test_data"
 
-    # mount the rootfs
+    os.system(f"cp {guest_kernel} {original_content_dir}")
+    os.system(f"cp {rootfs_rw} {original_content_dir}")
+    assert (original_content_dir / guest_kernel.name).exists()
+    assert (original_content_dir / rootfs_rw.name).exists()
+
+    jailed_test_data = jailed_content_dir / "test_data"
+    jailed_test_data.touch()
+    assert jailed_test_data.exists()
+    assert jailed_test_data.read_text() == ""
+    jailed_kernel = jailed_content_dir / guest_kernel.name
+    jailed_rootfs = jailed_content_dir / rootfs_rw.name
+    jailed_kernel.touch()
+    jailed_rootfs.touch()
+    assert (jailed_content_dir / guest_kernel.name).exists()
+    assert (jailed_content_dir / rootfs_rw.name).exists()
+
+    pid_file = jailed_content_dir / "firecracker.pid"
+    pid_file.touch()
+
+    # mount the data
+    subprocess.run(
+        ["mount", "--bind", test_data, jailed_test_data],
+        check=True,
+    )
     subprocess.run(
         [
             "mount",
             "--bind",
-            original_content_dir / os.path.basename(guest_kernel),
-            guest_kernel_mount_path,
+            original_content_dir / guest_kernel.name,
+            jailed_content_dir / guest_kernel.name,
         ],
         check=True,
     )
     subprocess.run(
         [
             "mount",
             "--bind",
-            original_content_dir / os.path.basename(rootfs_rw),
-            rootfs_mount_path,
+            original_content_dir / rootfs_rw.name,
+            jailed_content_dir / rootfs_rw.name,
         ],
         check=True,
     )
 
-    # assert that the mounts are present
-    assert guest_kernel_mount_path.exists()
-    assert rootfs_mount_path.exists()
-
-    # run
+    # spawn the microvm
     test_microvm.spawn()
+    test_microvm.basic_config()
+    # set params for the microvm
+    test_microvm.kernel_file = str(jailed_content_dir / guest_kernel.name)
+    test_microvm.rootfs_file = str(jailed_content_dir / rootfs_rw.name)
+    test_microvm.jailer.chroot_base = chroot_base
+    test_microvm.jailer.jailer_id = "testbindmount"
+    test_microvm.add_net_iface()
+    test_microvm.start()
 
-    # assert that the mounts are present
-    assert guest_kernel_mount_path.exists()
-    assert rootfs_mount_path.exists()
+    # and assert the content is there in the microvm
+    _, stdout, stderr = test_microvm.ssh.run("cat /root/test_data")
+    assert stdout == "test_data"
+    assert stderr == ""
