bypass dev/urandom|random for testing

Problem description

I want to write a functional test case that tests a program with a known value for random numbers. I have already tested it with mocks during the unit testing. But I would like that for functional testing as well (not all of them, of course :)

What is the easiest way to have /dev/urandom overridden for just one process? Is there a way to do something like a chroot for a single file and let all the others 'pass through'?

Recommended answer

If your system is new enough (e.g. RHEL 7) and supports setns syscall it can be done with the help of mount namespaces. Root access is required.

The idea is to create a separate mount namespace for the process, and inside that namespace bind-mount some other file or FIFO over /dev/random so that the processes from this mount namespace would read the data from this bind-mounted file. Other processes will see the regular /dev/random.

Here is how to do it.

Preparation: run the following command to make all this stuff work (as it may not work by default, see this question for details).

# mount --make-rprivate /

Now let's create a shell running inside a new mount namespace.

# unshare -m /bin/bash

You have the new bash started which has its own mount namespace. You can compare the result of the following command from inside this shell and from some other shell:

This shell:

# ls -l /proc/self/ns/mnt
lrwxrwxrwx. 1 root root 0 Sep 26 16:06 /proc/self/ns/mnt -> mnt:[4026532148]

Other shell:

$ ls -l /proc/self/ns/mnt
lrwxrwxrwx. 1 ec2-user ec2-user 0 Sep 26 16:06 /proc/self/ns/mnt -> mnt:[4026531840]

Note that the numbers differ, so the two shells are in the different mount namespaces and the mounts performed from the first shell will not be visible to other processes in the system (except all the children of this shell).

Now in this shell we can bind-mount something over the existing /dev/random.

# echo 'some large text' > /tmp/fakerandom
# mount --bind /tmp/fakerandom /dev/random

Other processes don't see that, for them /dev/random works as usual:

$ ls -l /dev/random
crw-rw-rw-. 1 root root 1, 8 Sep 26 15:45 /dev/random
$ cat /dev/random
�Znp7�v�c��Ω^C

But in our shell it's special:

# ls -l /dev/random
-rw-r--r--. 1 root root 16 Sep 26 16:18 /dev/random
# cat /dev/random
some large text

For the functional testing you may want to substitute /dev/random with some FIFO and write some known data to that FIFO in some other process (see mkfifo(1) for more information on that if needed).

More information about mount namespaces can be found in this excellent article.
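
The steps from the answer above combined into one wrapper script, as an added example that is not part of the original answer. `run_with_fake_random` and `dev_kind` are hypothetical helper names; the script also covers /dev/urandom from the question, and unlike the answer it runs `mount --make-rprivate /` inside the new namespace so the host's mount propagation is left untouched. It assumes root, util-linux `unshare`/`mount` and GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the original answer). Helper names are hypothetical.
# Assumes root plus util-linux unshare/mount and GNU stat.

# Report what a path is: "chardev:MAJ:MIN" (hex) for a character device,
# otherwise stat's file type ("regular file", "fifo", ...).
# The kernel's /dev/random is 1:8 and /dev/urandom is 1:9.
dev_kind() {
    if [ -c "$1" ]; then
        printf 'chardev:%s\n' "$(stat -c '%t:%T' "$1")"
    else
        stat -c '%F' "$1"
    fi
}

# Run a command with FAKE (a regular file or FIFO holding known bytes)
# bind-mounted over /dev/random and /dev/urandom in a private mount namespace.
# usage: run_with_fake_random FAKE COMMAND [ARGS...]
run_with_fake_random() {
    fake=$1
    [ -r "$fake" ] || { echo "cannot read: $fake" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "root access is required" >&2; return 1; }
    shift
    # Everything inside sh -c runs in the new namespace only.
    unshare -m sh -c '
        fake=$1; shift
        # Variation on the answer: done inside the namespace, so the
        # host mount propagation settings stay as they were.
        mount --make-rprivate / || exit 1
        mount --bind "$fake" /dev/random || exit 1
        mount --bind "$fake" /dev/urandom || exit 1
        # Refuse to run the test if the real device is still visible.
        [ ! -c /dev/urandom ] || exit 1
        exec "$@"
    ' sh "$fake" "$@"
}

# When called with arguments, act as a command-line wrapper.
if [ "$#" -gt 0 ]; then
    run_with_fake_random "$@"
fi
```

Outside a test namespace, `dev_kind /dev/random` printing anything other than `chardev:1:8` means the node is not the kernel device, which is the same difference the two `ls -l /dev/random` listings above show.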
