bubblewrap: adds --die-with-parent option
This change ensures that no processes leak from the bubblewrapdriver. Change-Id: Ica388ad2595cbd237d074fd54cc99d1685f6e729
This commit is contained in:
Tristan Cacqueray
parent
91601d788e
commit
2438860823
|
|
@ -15,6 +15,7 @@ import logging
|
|||
import subprocess
|
||||
import tempfile
|
||||
import testtools
|
||||
import os
|
||||
|
||||
from zuul.driver import bubblewrap
|
||||
from zuul.executor.server import SshAgent
|
||||
|
|
@ -52,3 +53,23 @@ class TestBubblewrap(testtools.TestCase):
|
|||
# Make sure the _r's are closed
|
||||
self.assertIsNone(po.passwd_r)
|
||||
self.assertIsNone(po.group_r)
|
||||
|
||||
def test_bubblewrap_leak(self):
|
||||
bwrap = bubblewrap.BubblewrapDriver()
|
||||
work_dir = tempfile.mkdtemp()
|
||||
ansible_dir = tempfile.mkdtemp()
|
||||
ssh_agent = SshAgent()
|
||||
self.addCleanup(ssh_agent.stop)
|
||||
ssh_agent.start()
|
||||
po = bwrap.getPopen(work_dir=work_dir,
|
||||
ansible_dir=ansible_dir,
|
||||
ssh_auth_sock=ssh_agent.env['SSH_AUTH_SOCK'])
|
||||
leak_time = 7
|
||||
# Use hexadecimal notation to avoid false-positive
|
||||
true_proc = po(['bash', '-c', 'sleep 0x%X & disown' % leak_time])
|
||||
self.assertEqual(0, true_proc.wait())
|
||||
cmdline = "sleep\x000x%X\x00" % leak_time
|
||||
sleep_proc = [pid for pid in os.listdir("/proc") if
|
||||
os.path.isfile("/proc/%s/cmdline" % pid) and
|
||||
open("/proc/%s/cmdline" % pid).read() == cmdline]
|
||||
self.assertEqual(len(sleep_proc), 0, "Processes leaked")
|
||||
|
|
|
|||
|
|
@ -93,6 +93,7 @@ class BubblewrapDriver(Driver, WrapperInterface):
|
|||
'--chdir', '{work_dir}',
|
||||
'--unshare-all',
|
||||
'--share-net',
|
||||
'--die-with-parent',
|
||||
'--uid', '{uid}',
|
||||
'--gid', '{gid}',
|
||||
'--file', '{uid_fd}', '/etc/passwd',
|
||||
|
|
|
|||
Loading…
Reference in New Issue