test(jailer): add test to check solitary --parent-cgroup

Tests that --parent-cgroup without any cgroups moves Firecracker to the cgroup (cgroupsv2 only). Signed-off-by: Pablo Barbáchano <[email protected]>
JonathanWoollett-Light · Dec 14, 2023 · 036d990 · 036d990
1 parent 8baba7f
commit 036d990
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 2 deletions.
diff --git a/tests/framework/jailer.py b/tests/framework/jailer.py
@@ -72,7 +72,7 @@ def __init__(
         self.new_pid_ns = new_pid_ns
         self.extra_args = extra_args
         self.api_socket_name = DEFAULT_USOCKET_NAME
-        self.cgroups = cgroups
+        self.cgroups = cgroups or []
         self.resource_limits = resource_limits
         self.cgroup_ver = cgroup_ver
         self.parent_cgroup = parent_cgroup
@@ -112,7 +112,7 @@ def construct_param_list(self):
             jailer_param_list.extend(["--parent-cgroup", str(self.parent_cgroup)])
         if self.cgroup_ver:
             jailer_param_list.extend(["--cgroup-version", str(self.cgroup_ver)])
-        if self.cgroups is not None:
+        if self.cgroups:
             for cgroup in self.cgroups:
                 jailer_param_list.extend(["--cgroup", str(cgroup)])
         if self.resource_limits is not None:

diff --git a/tests/integration_tests/security/test_jail.py b/tests/integration_tests/security/test_jail.py
@@ -249,6 +249,13 @@ def check_cgroups_v2(vm):
         parent_cgroup = FC_BINARY_NAME
     cg_parent = cg.root / parent_cgroup
     cg_jail = cg_parent / vm.jailer.jailer_id
+
+    # if no cgroups were specified, then the jailer should move the FC process
+    # to the parent group
+    if len(vm.jailer.cgroups) == 0:
+        procs = cg_parent.joinpath("cgroup.procs").read_text().splitlines()
+        assert str(vm.firecracker_pid) in procs
+
     for cgroup in vm.jailer.cgroups:
         controller = cgroup.split(".")[0]
         file_name, value = cgroup.split("=")
@@ -406,6 +413,24 @@ def test_v1_default_cgroups(test_microvm_with_api, cgroups_info):
     check_cgroups_v1(test_microvm.jailer.cgroups, test_microvm.jailer.jailer_id)
 
 
+def test_cgroups_custom_parent_move(test_microvm_with_api, cgroups_info):
+    """
+    Test cgroups when a custom parent cgroup is used and no cgroups are specified
+
+    In this case we just want to move under the parent cgroup
+    """
+    if cgroups_info.version != 2:
+        pytest.skip("cgroupsv2 only")
+    test_microvm = test_microvm_with_api
+    test_microvm.jailer.cgroup_ver = cgroups_info.version
+    # Make it somewhat unique so it doesn't conflict with other test runs
+    parent_cgroup = f"custom_cgroup/{test_microvm.id[:8]}"
+    test_microvm.jailer.parent_cgroup = parent_cgroup
+
+    cgroups_info.new_cgroup(parent_cgroup)
+    test_microvm.spawn()
+    check_cgroups_v2(test_microvm)
+
 
 def test_args_default_resource_limits(test_microvm_with_api):
     """