validation: add test for NSProcInPath

[dongsupark]

This PR validates NSProcInPath, i.e. The runtime MUST place the container process in the namespace associated with that path. It checks that Linux namespaces are created with a given path by making use of util.RuntimeOutsideValidate().

Since the previous version of PR, we had to fix the following things:

• Fix a bug caused by namespace string mismatches, found by @alban.
• Kill the unshare process as well as child processes at once, making use of setpgid().
• Use a ticker loop instead of a pure sleep call for general sync mechanism.
• Print out correct diagnostics based on specError.

This PR replaces #613.
See also #572.

[zhouhao3]

It failed when I tested:

➜  runtime-tools git:(dongsupark/NSProcInPath) ✗ sudo ./linux_ns_path
TAP version 13
failed to create the container
namespace {"cgroup" "/proc/27701/ns/cgroup"} does not exist
not ok 1 - set cgroup namespace by path
  ---
  {
    "actual": "err == exit status 1",
    "expected": "err == nil",
    "level": "MUST",
    "namespace type": "cgroup",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#namespaces"
  }
  ...
ok 2 - set ipc namespace by path
ok 3 - set mnt namespace by path
ok 4 - set net namespace by path
ok 5 - set pid namespace by path
failed to create the container
User namespaces enabled, but no uid mappings found.
not ok 6 - set user namespace by path
  ---
  {
    "actual": "err == exit status 1",
    "expected": "err == nil",
    "level": "MUST",
    "namespace type": "user",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#namespaces"
  }
  ...
ok 7 - set uts namespace by path
1..7

For user namespace errors, I think that uid should be set, but I don't know why the cgroups namespace are wrong.

[dongsupark]

@q384566678 Yeah, I'm aware of both failures.
Userns test fails because UID/GID mappings are currently disabled, due to unclear runtime-specs. According to the discussion in opencontainers/runtime-spec#961, I suppose we can enable UID/GID mappings in this test, right?

Cgroupns test fails because runc has never supported cgroup namespaces. See the pending PR opencontainers/runc#1184.

[zhouhao3]

According to the discussion in opencontainers/runtime-spec#961, I suppose we can enable UID/GID mappings in this test, right?

I think so.

Cgroupns test fails because runc has never supported cgroup namespaces. See the pending PR opencontainers/runc#1184.

I think we can add some explanations to the cgroups to facilitate understanding.

[dongsupark]

@q384566678
Pushed with a new commit for enabling UID/GID mappings, as well as adding comments about cgroup namespaces.
Though userns test still fails. I'm not sure why. Will look into it later again.

[dongsupark]

@q384566678
Ok, I decided to exclude both namespaces from this PR, user and cgroups.
As for cgroup namespaces, it's nothing special, as mentioned above.
Though for user namespaces, I've seen so many different kinds of issues when running unshare + runc. I'll have a deeper look into these issues. When I figure it out, I'll create a separate PR.
I think we should not get this PR blocked forever. For it to be merged, I exclude both user and cgroups from this PR.

[zhouhao3]

LGTM