From 4dcf33581ca09a6e22e3e3f80cca7bf4fdd0f338 Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Thu, 18 May 2017 17:39:44 +0200 Subject: [PATCH 1/4] test: add CGROUP_MANAGER env to switch to systemd default is still cgroupfs Signed-off-by: Antonio Murdaca --- test/helpers.bash | 4 +++- test/testdata/sandbox_config.json | 2 +- test/testdata/sandbox_config_hostnet.json | 2 +- test/testdata/sandbox_config_seccomp.json | 2 +- 4 files changed, 6 insertions(+), 4 deletions(-) diff --git a/test/helpers.bash b/test/helpers.bash index f6aff752..873c2f67 100644 --- a/test/helpers.bash +++ b/test/helpers.bash @@ -47,6 +47,8 @@ ARTIFACTS_PATH=${ARTIFACTS_PATH:-${CRIO_ROOT}/cri-o/.artifacts} CHECKSECCOMP_BINARY=${CHECKSECCOMP_BINARY:-${CRIO_ROOT}/cri-o/test/checkseccomp/checkseccomp} # XXX: This is hardcoded inside cri-o at the moment. DEFAULT_LOG_PATH=/var/log/crio/pods +# Cgroup manager to be used +CGROUP_MANAGER=${CGROUP_MANAGER:-cgroupfs} TESTDIR=$(mktemp -d) if [ -e /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then 
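Review bot: The comment on the new `CGROUP_MANAGER` default does not say which values are accepted or where the value ends up. The variable is forwarded verbatim to `crio --cgroup-manager` in `start_crio`, and the tests added to test/pod.bats in patch 4/4 skip unless it is exactly `systemd`, so a misspelt value silently skips them and is presumably only rejected once crio starts. I would write the comment as `# Cgroup manager passed to crio via --cgroup-manager: "cgroupfs" (default) or "systemd".`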
@@ -146,7 +148,7 @@ function start_crio() { "$BIN2IMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTS --runroot "$TESTDIR/crio-run" --source-binary "$PAUSE_BINARY" fi "$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTS --runroot "$TESTDIR/crio-run" --image-name=redis:alpine --import-from=dir:"$ARTIFACTS_PATH"/redis-image --add-name=docker://docker.io/library/redis:alpine --signature-policy="$INTEGRATION_ROOT"/policy.json - "$CRIO_BINARY" --conmon "$CONMON_BINARY" --listen "$CRIO_SOCKET" --runtime "$RUNTIME_BINARY" --root "$TESTDIR/crio" --runroot "$TESTDIR/crio-run" $STORAGE_OPTS --seccomp-profile "$seccomp" --apparmor-profile "$apparmor" --cni-config-dir "$CRIO_CNI_CONFIG" --signature-policy "$INTEGRATION_ROOT"/policy.json --config /dev/null config >$CRIO_CONFIG + "$CRIO_BINARY" --conmon "$CONMON_BINARY" --listen "$CRIO_SOCKET" --cgroup-manager "$CGROUP_MANAGER" --runtime "$RUNTIME_BINARY" --root "$TESTDIR/crio" --runroot "$TESTDIR/crio-run" $STORAGE_OPTS --seccomp-profile "$seccomp" --apparmor-profile "$apparmor" --cni-config-dir "$CRIO_CNI_CONFIG" --signature-policy "$INTEGRATION_ROOT"/policy.json --config /dev/null config >$CRIO_CONFIG # Prepare the CNI configuration files, we're running with non host networking by default if [[ -n "$4" ]]; then diff --git a/test/testdata/sandbox_config.json b/test/testdata/sandbox_config.json index 5833013b..446a338c 100644 --- a/test/testdata/sandbox_config.json +++ b/test/testdata/sandbox_config.json @@ -52,7 +52,7 @@ "security.alpha.kubernetes.io/seccomp/pod": "unconfined" }, "linux": { - "cgroup_parent": "/crio-podsandbox1", + "cgroup_parent": "/Burstable/pod_123-456", "security_context": { "namespace_options": { "host_network": false, diff --git a/test/testdata/sandbox_config_hostnet.json b/test/testdata/sandbox_config_hostnet.json index 7315960d..da76483e 100644 --- a/test/testdata/sandbox_config_hostnet.json +++ b/test/testdata/sandbox_config_hostnet.json 
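Review bot: The redirect target at the end of the rewritten `"$CRIO_BINARY" ... config` line is still unquoted, while every path argument on that line is quoted. If `CRIO_CONFIG` ever contains whitespace, bash reports an ambiguous redirect and the generated config is never written; `>"$CRIO_CONFIG"` avoids that. `$STORAGE_OPTS` looks intentionally unquoted, since the playbook in patch 3/4 passes several options in it. `start_crio` begins and ends outside the hunk.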
@@ -51,7 +51,7 @@ "security.alpha.kubernetes.io/seccomp/pod": "unconfined" }, "linux": { - "cgroup_parent": "/crio-podsandbox1", + "cgroup_parent": "/Burstable/pod_123-456", "security_context": { "namespace_options": { "host_network": true, diff --git a/test/testdata/sandbox_config_seccomp.json b/test/testdata/sandbox_config_seccomp.json index 97c8b5ed..6b0254d7 100644 --- a/test/testdata/sandbox_config_seccomp.json +++ b/test/testdata/sandbox_config_seccomp.json @@ -50,7 +50,7 @@ %VALUE% }, "linux": { - "cgroup_parent": "podsandbox1.slice:container:infra", + "cgroup_parent": "/Burstable/pod_123-456", "security_context": { "namespace_options": { "host_network": false, From dac6b7ceb5109deee82eea3401339777f5ad52c3 Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Thu, 18 May 2017 17:47:43 +0200 Subject: [PATCH 2/4] test: fix typo Signed-off-by: Antonio Murdaca --- test/seccomp.bats | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/seccomp.bats b/test/seccomp.bats index 47459d0a..c8f9659d 100644 --- a/test/seccomp.bats +++ b/test/seccomp.bats @@ -11,7 +11,7 @@ function teardown() { @test "ctr seccomp profiles unconfined" { # this test requires seccomp, so skip this test if seccomp is not enabled. enabled=$(is_seccomp_enabled) - if [[ "$enabled" -eq 0 ]]; then + if [[ "$enabled" -eq 0 ]]; then skip "skip this test since seccomp is not enabled." fi From aeaca81280888a9849c36ac8dbc6c430cb56a5ca Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Thu, 18 May 2017 17:49:49 +0200 Subject: [PATCH 3/4] contrib: test: run tests with systemd cgroup manager Signed-off-by: Antonio Murdaca --- contrib/test/crio-integration-playbook.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/contrib/test/crio-integration-playbook.yaml b/contrib/test/crio-integration-playbook.yaml index f6bbc7e7..31abb875 100644 --- a/contrib/test/crio-integration-playbook.yaml +++ b/contrib/test/crio-integration-playbook.yaml 
@@ -213,7 +213,7 @@ args: chdir: /root/src/github.com/kubernetes-incubator/cri-o/ - name: run integration tests RHEL - shell: 'STORAGE_OPTS="--storage-driver=overlay2 --storage-opt overlay2.override_kernel_check=1" make localintegration > testout.txt' + shell: 'CGROUP_MANAGER=systemd STORAGE_OPTS="--storage-driver=overlay2 --storage-opt overlay2.override_kernel_check=1" make localintegration > testout.txt' args: chdir: /root/src/github.com/kubernetes-incubator/cri-o async: 3600 @@ -221,7 +221,7 @@ ignore_errors: yes when: ansible_distribution == 'RedHat' or ansible_distribution == 'CentOS' - name: run integration tests RHEL with xunit results - shell: 'STORAGE_OPTS="--storage-driver=overlay2 --storage-opt overlay2.override_kernel_check=1" make localintegration' + shell: 'CGROUP_MANAGER=systemd STORAGE_OPTS="--storage-driver=overlay2 --storage-opt overlay2.override_kernel_check=1" make localintegration' args: chdir: /root/src/github.com/kubernetes-incubator/cri-o async: 3600 @@ -229,7 +229,7 @@ ignore_errors: yes when: (ansible_distribution == 'RedHat' or ansible_distribution == 'CentOS') and xunit - name: run integration tests Fedora - shell: 'STORAGE_OPTS="--storage-driver=overlay2" make localintegration > testout.txt' + shell: 'CGROUP_MANAGER=systemd STORAGE_OPTS="--storage-driver=overlay2" make localintegration > testout.txt' args: chdir: /root/src/github.com/kubernetes-incubator/cri-o async: 3600 @@ -237,7 +237,7 @@ ignore_errors: yes when: ansible_distribution == 'Fedora' - name: run integration tests Fedora with xunit results - shell: 'STORAGE_OPTS="--storage-driver=overlay2" make localintegration' + shell: 'CGROUP_MANAGER=systemd STORAGE_OPTS="--storage-driver=overlay2" make localintegration' args: chdir: /root/src/github.com/kubernetes-incubator/cri-o async: 3600 From 3318dac64b4a5efe534a898e619d35410deccee4 Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Thu, 18 May 2017 18:23:16 +0200 Subject: [PATCH 4/4] test: exercise systemd cgroup_parent 
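Review bot: All four `run integration tests` tasks now hard-code `CGROUP_MANAGER=systemd` (this hunk and the three that follow), so this playbook no longer runs the suite with the `cgroupfs` default that test/helpers.bash keeps. If no other job covers that default, regressions in the cgroupfs path would go unnoticed. Consider taking the value from a playbook variable, for example `CGROUP_MANAGER={{ cgroup_manager | default("systemd") }}` (the variable name is only a suggestion), and running the RHEL and Fedora tasks once per manager. The task definitions start and end outside the hunks.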
Signed-off-by: Antonio Murdaca --- test/pod.bats | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/test/pod.bats b/test/pod.bats index 762dee5c..4a4ce3f4 100644 --- a/test/pod.bats +++ b/test/pod.bats @@ -287,3 +287,42 @@ function teardown() { cleanup_pods stop_crio } + +@test "invalid systemd cgroup_parent fail" { + if [[ "$CGROUP_MANAGER" != "systemd" ]]; then + skip "need systemd cgroup manager" + fi + + wrong_cgroup_parent_config=$(cat "$TESTDATA"/sandbox_config.json | python -c 'import json,sys;obj=json.load(sys.stdin);obj["linux"]["cgroup_parent"] = "podsandbox1.slice:container:infra"; json.dump(obj, sys.stdout)') + echo "$wrong_cgroup_parent_config" > "$TESTDIR"/sandbox_wrong_cgroup_parent.json + + start_crio + run crioctl pod run --config "$TESTDIR"/sandbox_wrong_cgroup_parent.json + echo "$output" + [ "$status" -eq 1 ] + + stop_crio +} + +@test "systemd cgroup_parent correctly set" { + if [[ "$CGROUP_MANAGER" != "systemd" ]]; then + skip "need systemd cgroup manager" + fi + + cgroup_parent_config=$(cat "$TESTDATA"/sandbox_config.json | python -c 'import json,sys;obj=json.load(sys.stdin);obj["linux"]["cgroup_parent"] = "/Burstable/pod_integration_tests-123"; json.dump(obj, sys.stdout)') + echo "$cgroup_parent_config" > "$TESTDIR"/sandbox_systemd_cgroup_parent.json + + start_crio + run crioctl pod run --config "$TESTDIR"/sandbox_systemd_cgroup_parent.json + echo "$output" + [ "$status" -eq 0 ] + pod_id="$output" + + run systemctl list-units --type=slice + echo "$output" + [ "$status" -eq 0 ] + [[ "$output" =~ "Burstable-pod_integration_tests_123.slice" ]] + + cleanup_pods + stop_crio +}
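Review bot: In `systemd cgroup_parent correctly set`, `pod_id` is assigned but never used, and the final `[[ "$output" =~ ... ]]` only shows that a slice of that name exists somewhere on the host. A slice left behind by an earlier run would satisfy it even if this pod was placed elsewhere, which matters because the cgroup parent is what bounds the pod's resources. Assert that the slice is absent before `crioctl pod run`, e.g. `run systemctl list-units --type=slice` followed by `[[ ! "$output" =~ "Burstable-pod_integration_tests_123.slice" ]]`, and either use `pod_id` or drop it. The negative test has a similar gap: `[ "$status" -eq 1 ]` passes on any failure, so it should also match `$output` against the expected rejection message.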