classification
Title: test_prlimit from test_resource fails when building python3 inside systemd-nspawn environment
Type: Stage:
Components: Versions: Python 3.7, Python 3.6
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: cstratak, encukou, haypo, torsava
Priority: normal Keywords:

Created on 2017-08-07 16:43 by cstratak, last changed 2017-08-29 09:54 by encukou.

Messages (4)
msg299852 - (view) Author: Charalampos Stratakis (cstratak) * Date: 2017-08-07 16:43
FAIL: test_prlimit (test.test_resource.ResourceTest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.6.2/Lib/test/support/__init__.py", line 556, in wrapper
    return func(*args, **kw)
  File "/builddir/build/BUILD/Python-3.6.2/Lib/test/test_resource.py", line 153, in test_prlimit
    1, resource.RLIMIT_AS)
AssertionError: PermissionError not raised by prlimit


I observed this issue when mock [0] the underlying build system we use in Fedora started using the systemd-nspawn container technology instead of chroot [1][2] in order to create a minimal build environment.

[0] https://github.com/rpm-software-management/mock
[1] https://github.com/rpm-software-management/mock/wiki/Release-Notes-1.4.1
[2] https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html
msg299853 - (view) Author: Tomas Orsava (torsava) * Date: 2017-08-07 16:55
So the issue seems to be that Python believes it's run without root privileges, but it's mistaken because it indeed has root.
msg299866 - (view) Author: STINNER Victor (haypo) * (Python committer) Date: 2017-08-07 20:20
Maybe we should simply skip the test if the user is root? If os.getuid()==0.
msg300979 - (view) Author: Petr Viktorin (encukou) * Date: 2017-08-29 09:54
The test is already skipped if the user is root. It verifies that process 1 can't be touched by non-root users.

The problem is an assumption that process with PID 1 belongs to root. That assumption isn't true in containers: PID 1 is whatever the container was started with -- in this case, likely a test runner or build system.

On Linux, we could check if `/proc/1` actually belongs to root. I don't know about other systems, though.
Would that change be acceptable?
History
Date User Action Args
2017-08-29 09:54:20encukousetnosy: + encukou
messages: + msg300979
2017-08-07 20:20:00hayposetnosy: + haypo
messages: + msg299866
2017-08-07 16:55:50torsavasetnosy: + torsava
messages: + msg299853
2017-08-07 16:43:22cstratakcreate