From 0a36d3ca3dd97559d6e94c98f4ad971942fb415a Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Thu, 19 Jan 2017 17:59:27 +0100 Subject: [PATCH 1/7] Dockerfile: use golang:1.7 Signed-off-by: Antonio Murdaca --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 48e46a7d..cd3cc455 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.7.3 +FROM golang:1.7 # libseccomp in jessie is not _quite_ new enough -- need backports version RUN echo 'deb http://httpredir.debian.org/debian jessie-backports main' > /etc/apt/sources.list.d/backports.list From f195d516158b3caf6871f36846dd115e64c803e7 Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Thu, 19 Jan 2017 18:00:27 +0100 Subject: [PATCH 2/7] Dockerfile: install CNI plugins for integration tests Signed-off-by: Antonio Murdaca --- Dockerfile | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/Dockerfile b/Dockerfile index cd3cc455..b951e8af 100644 --- a/Dockerfile +++ b/Dockerfile @@ -53,6 +53,16 @@ RUN set -x \ && cp runc /usr/local/bin/runc \ && rm -rf "$GOPATH" +# Install CNI plugins +RUN set -x \ + && export GOPATH="$(mktemp -d)" \ + && git clone https://github.com/containernetworking/cni.git "$GOPATH/src/github.com/containernetworking/cni" \ + && cd "$GOPATH/src/github.com/containernetworking/cni" \ + && ./build \ + && mkdir -p /opt/cni/bin \ + && cp bin/* /opt/cni/bin/ \ + && rm -rf "$GOPATH" + # Make sure we have some policy for pulling images RUN mkdir -p /etc/containers COPY test/policy.json /etc/containers/policy.json From e5126a91766b533f1ed90668fb7cb3fda9bb4094 Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Thu, 19 Jan 2017 18:05:57 +0100 Subject: [PATCH 3/7] Dockerfile: pull test image at build time Signed-off-by: Antonio Murdaca --- Dockerfile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Dockerfile b/Dockerfile index b951e8af..5fc2b294 100644 --- a/Dockerfile +++ b/Dockerfile 
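Review bot: The new `FROM golang:1.7` line in patch 1/7 replaces a patch-level pin with a floating tag, so the Go toolchain used for everything built in this image can change between two builds of the same commit. If following 1.7.x point releases is the intent, keep the tag but fix the resolved image by digest, `FROM golang:1.7@sha256:<digest-of-the-reviewed-image>`, and bump it deliberately. A one-line comment above the FROM saying why the tag floats would help the next person who touches it.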
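Review bot: The `git clone https://github.com/containernetworking/cni.git` step added in patch 2/7 builds whatever the default branch holds at image build time and then executes its `./build` script, with no revision pinned or verified. Check out a reviewed revision before building, e.g. `ENV CNI_COMMIT=<reviewed-commit-sha>` above the RUN and `&& git checkout -q "$CNI_COMMIT" \` right after the `cd`, so the binaries copied into `/opt/cni/bin` come from known source. The runc block above this hunk is only partly visible, so I cannot tell whether it already follows that pattern.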
@@ -70,3 +70,7 @@ COPY test/policy.json /etc/containers/policy.json WORKDIR /go/src/github.com/kubernetes-incubator/cri-o ADD . /go/src/github.com/kubernetes-incubator/cri-o + +RUN make copyimg \ + && mkdir -p .artifacts/redis-image \ + && ./test/copyimg/copyimg --import-from=docker://redis --export-to=dir:.artifacts/redis-image --signature-policy ./test/policy.json From f1f5c635d25a241323c227647c7b0513a112b59c Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Thu, 19 Jan 2017 18:06:34 +0100 Subject: [PATCH 4/7] test: change location of the test image Signed-off-by: Antonio Murdaca --- .gitignore | 1 + test/helpers.bash | 12 +++++++----- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index d073fa34..50485059 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ +.artifacts/ conmon/conmon conmon/conmon.o pause/pause diff --git a/test/helpers.bash b/test/helpers.bash index f0e2f8e2..576e8360 100644 --- a/test/helpers.bash +++ b/test/helpers.bash @@ -40,6 +40,8 @@ APPARMOR_PARAMETERS_FILE_PATH=${APPARMOR_PARAMETERS_FILE_PATH:-/sys/module/appar BIN2IMG_BINARY=${BIN2IMG_BINARY:-${OCID_ROOT}/cri-o/test/bin2img/bin2img} # Path of the copyimg binary. COPYIMG_BINARY=${COPYIMG_BINARY:-${OCID_ROOT}/cri-o/test/copyimg/copyimg} +# Path of tests artifacts. +ARTIFACTS_PATH=${ARTIFACTS_PATH:-${OCID_ROOT}/cri-o/.artifacts} TESTDIR=$(mktemp -d) if [ -e /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then 
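Review bot: `--import-from=docker://redis` in the new RUN of patch 3/7 resolves to whatever `redis:latest` is when the image is built, so the test image baked into `.artifacts/redis-image` is neither reproducible nor tied to reviewed content; the same unpinned reference is carried over in the `@@ -61,11 +63,11 @@` hunk of test/helpers.bash in patch 4/7. Pin it by digest in both places, `--import-from=docker://redis@sha256:<digest-of-the-test-image>`. Whether the pull is verified at all depends on `test/policy.json`, which is not part of this series; if that policy accepts anything, the digest would be the only integrity check the image gets.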
@@ -61,11 +63,11 @@ mkdir -p $OCID_CNI_CONFIG PATH=$PATH:$TESTDIR # Make sure we have a copy of the redis:latest image. -if ! [ -d "$TESTDATA"/redis-image ]; then - mkdir -p "$TESTDATA"/redis-image - if ! "$COPYIMG_BINARY" --import-from=docker://redis --export-to=dir:"$TESTDATA"/redis-image --signature-policy="$INTEGRATION_ROOT"/policy.json ; then +if ! [ -d "$ARTIFACTS_PATH"/redis-image ]; then + mkdir -p "$ARTIFACTS_PATH"/redis-image + if ! "$COPYIMG_BINARY" --import-from=docker://redis --export-to=dir:"$ARTIFACTS_PATH"/redis-image --signature-policy="$INTEGRATION_ROOT"/policy.json ; then echo "Error pulling docker://redis" - rm -fr "$TESTDATA"/redis-image + rm -fr "$ARTIFACTS_PATH"/redis-image exit 1 fi fi @@ -130,7 +132,7 @@ function start_ocid() { if ! [ "$3" = "--no-pause-image" ] ; then "$BIN2IMG_BINARY" --root "$TESTDIR/ocid" --runroot "$TESTDIR/ocid-run" --source-binary "$PAUSE_BINARY" fi - "$COPYIMG_BINARY" --root "$TESTDIR/ocid" --runroot "$TESTDIR/ocid-run" --image-name=redis --import-from=dir:"$TESTDATA"/redis-image --add-name=docker://docker.io/library/redis:latest + "$COPYIMG_BINARY" --root "$TESTDIR/ocid" --runroot "$TESTDIR/ocid-run" --image-name=redis --import-from=dir:"$ARTIFACTS_PATH"/redis-image --add-name=docker://docker.io/library/redis:latest "$OCID_BINARY" --conmon "$CONMON_BINARY" --listen "$OCID_SOCKET" --runtime "$RUNC_BINARY" --root "$TESTDIR/ocid" --runroot "$TESTDIR/ocid-run" --seccomp-profile "$seccomp" --apparmor-profile "$apparmor" --cni-config-dir "$OCID_CNI_CONFIG" --signature-policy "$INTEGRATION_ROOT"/policy.json config >$OCID_CONFIG "$OCID_BINARY" --debug --config "$OCID_CONFIG" & OCID_PID=$! wait_until_reachable From 0d37c41521282b095ab0b6093deb98a4ca34d452 Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Thu, 19 Jan 2017 18:10:47 +0100 Subject: [PATCH 5/7] test: add a custom binary to reliable check seccomp support 
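Review bot: The guard `if ! [ -d "$ARTIFACTS_PATH"/redis-image ]` in the `@@ -61,11 +63,11 @@` hunk treats any existing directory as a complete image, and `mkdir -p` creates that directory before the copy starts, so a run interrupted mid-pull leaves a partial directory that later runs import under the name `redis:latest`. The `rm -fr` cleanup only covers the case where copyimg itself returns an error. Testing for a file the copy writes, presumably `[ -f "$ARTIFACTS_PATH"/redis-image/manifest.json ]` for the `dir:` transport (confirm the name), or exporting to a temporary directory and renaming it on success, closes that gap. Since `ARTIFACTS_PATH` can be overridden from the environment, a short comment stating that the directory's contents are trusted as-is would also be worth adding.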
Signed-off-by: Antonio Murdaca --- .gitignore | 1 + Makefile | 7 ++++++- test/checkseccomp/Makefile | 6 ++++++ test/checkseccomp/checkseccomp.go | 22 ++++++++++++++++++++++ 4 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 test/checkseccomp/Makefile create mode 100644 test/checkseccomp/checkseccomp.go diff --git a/.gitignore b/.gitignore index 50485059..59b6efe0 100644 --- a/.gitignore +++ b/.gitignore @@ -11,3 +11,4 @@ ocid.conf test/bin2img/bin2img test/copyimg/copyimg test/testdata/redis-image +test/checkseccomp/checkseccomp diff --git a/Makefile b/Makefile index 9a37318c..f4efef6a 100644 --- a/Makefile +++ b/Makefile @@ -50,6 +50,9 @@ bin2img: copyimg: make -C test/$@ +checkseccomp: + make -C test/$@ + ocid: ifndef GOPATH $(error GOPATH is not set) @@ -82,6 +85,7 @@ clean: make -C pause clean make -C test/bin2img clean make -C test/copyimg clean + make -C test/checkseccomp clean ocidimage: docker build -t ${OCID_IMAGE} . @@ -95,7 +99,7 @@ integration: ocidimage localintegration: binaries ./test/test_runner.sh ${TESTFLAGS} -binaries: ocid ocic kpod conmon pause bin2img copyimg +binaries: ocid ocic kpod conmon pause bin2img copyimg checkseccomp MANPAGES_MD := $(wildcard docs/*.md) MANPAGES := $(MANPAGES_MD:%.md=%) @@ -191,6 +195,7 @@ install.tools: .install.gitvalidation .install.gometalinter .install.md2man .PHONY: \ bin2img \ binaries \ + checkseccomp \ clean \ conmon \ copyimg \ diff --git a/test/checkseccomp/Makefile b/test/checkseccomp/Makefile new file mode 100644 index 00000000..fc3ba4fb --- /dev/null +++ b/test/checkseccomp/Makefile @@ -0,0 +1,6 @@ +checkseccomp: $(wildcard *.go) + go build -o $@ + +.PHONY: clean + clean: + rm -f checkseccomp diff --git a/test/checkseccomp/checkseccomp.go b/test/checkseccomp/checkseccomp.go new file mode 100644 index 00000000..06a2f69c --- /dev/null +++ b/test/checkseccomp/checkseccomp.go 
@@ -0,0 +1,22 @@ +package main + +import ( + "os" + "syscall" +) + +const ( + // SeccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER. + SeccompModeFilter = uintptr(2) +) + +func main() { + // Check if Seccomp is supported, via CONFIG_SECCOMP. + if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL { + // Make sure the kernel has CONFIG_SECCOMP_FILTER. + if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, SeccompModeFilter, 0); err != syscall.EINVAL { + os.Exit(0) + } + } + os.Exit(1) +} From 25d40b6927f6af0bcda79d5638559ade956c42fd Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Thu, 19 Jan 2017 18:11:02 +0100 Subject: [PATCH 6/7] test: use checkseccomp to test if seccomp is supported Signed-off-by: Antonio Murdaca --- test/helpers.bash | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/test/helpers.bash b/test/helpers.bash index 576e8360..7c67ef9b 100644 --- a/test/helpers.bash +++ b/test/helpers.bash @@ -42,6 +42,8 @@ BIN2IMG_BINARY=${BIN2IMG_BINARY:-${OCID_ROOT}/cri-o/test/bin2img/bin2img} COPYIMG_BINARY=${COPYIMG_BINARY:-${OCID_ROOT}/cri-o/test/copyimg/copyimg} # Path of tests artifacts. ARTIFACTS_PATH=${ARTIFACTS_PATH:-${OCID_ROOT}/cri-o/.artifacts} +# Path of the checkseccomp binary. +CHECKSECCOMP_BINARY=${CHECKSECCOMP_BINARY:-${OCID_ROOT}/cri-o/test/checkseccomp/checkseccomp} TESTDIR=$(mktemp -d) if [ -e /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then @@ -214,14 +216,11 @@ function remove_apparmor_profile() { } function is_seccomp_enabled() { - if [[ -f "$BOOT_CONFIG_FILE_PATH" ]]; then - out=$(cat "$BOOT_CONFIG_FILE_PATH" | grep CONFIG_SECCOMP=) - if [[ "$out" =~ "CONFIG_SECCOMP=y" ]]; then - echo 1 - return - fi + if ! "$CHECKSECCOMP_BINARY" ; then + echo 0 + return fi - echo 0 + echo 1 } function is_apparmor_enabled() { From 5d86f1f110603e358b947d8467c7f0e60fae9d2b Mon Sep 17 00:00:00 2001 
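Review bot: Both probes in `main` of test/checkseccomp/checkseccomp.go treat every errno other than EINVAL as proof of support, so a prctl call that fails for an unrelated reason (for example EPERM from a filter already applied to the container the tests run in) still exits 0. With a null filter pointer, the `PR_SET_SECCOMP` call is expected to fail with EFAULT on a kernel that has CONFIG_SECCOMP_FILTER, so the inner condition can be the stricter `err == syscall.EFAULT` instead of `err != syscall.EINVAL`. I would also extend the inner comment to say the null pointer is deliberate: `// The filter pointer is nil on purpose: nothing is installed, only the errno is inspected.`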
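Review bot: In the rewritten `is_seccomp_enabled` (patch 6/7, `@@ -214,14 +216,11 @@`), `if ! "$CHECKSECCOMP_BINARY"` cannot tell "kernel lacks seccomp" (exit 1) from "helper missing or not executable" (exit 126/127), so a run where `make checkseccomp` was not executed reports 0 and every seccomp test is skipped instead of failing. Check the helper first, e.g. `[ -x "$CHECKSECCOMP_BINARY" ] || { echo "checkseccomp not found: $CHECKSECCOMP_BINARY" >&2; return 1; }`, and map only exit status 1 to `echo 0`. This assumes a non-zero status from `enabled=$(is_seccomp_enabled)` fails the test under bats; the callers in seccomp.bats are outside this hunk, so that should be confirmed there.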
From: Antonio Murdaca Date: Thu, 19 Jan 2017 18:47:50 +0100 Subject: [PATCH 7/7] test: enable tests in Travis Signed-off-by: Antonio Murdaca --- test/apparmor.bats | 25 ----------------------- test/ctr.bats | 45 ----------------------------------------- test/network.bats | 15 -------------- test/pod.bats | 45 ----------------------------------------- test/restore.bats | 5 ----- test/seccomp.bats | 50 ---------------------------------------------- 6 files changed, 185 deletions(-) diff --git a/test/apparmor.bats b/test/apparmor.bats index 480acb9f..014d3257 100644 --- a/test/apparmor.bats +++ b/test/apparmor.bats @@ -9,11 +9,6 @@ function teardown() { # 1. test running with loading the default apparmor profile. # test that we can run with the default apparmor profile which will not block touching a file in `.` @test "load default apparmor profile and run a container with it" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - # this test requires apparmor, so skip this test if apparmor is not enabled. enabled=$(is_apparmor_enabled) if [[ "$enabled" -eq 0 ]]; then 
@@ -46,11 +41,6 @@ function teardown() { # 2. test running with loading a specific apparmor profile as ocid default apparmor profile. # test that we can run with a specific apparmor profile which will block touching a file in `.` as ocid default apparmor profile. @test "load a specific apparmor profile as default apparmor and run a container with it" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - # this test requires apparmor, so skip this test if apparmor is not enabled. enabled=$(is_apparmor_enabled) if [[ "$enabled" -eq 0 ]]; then @@ -85,11 +75,6 @@ function teardown() { # 3. test running with loading a specific apparmor profile but not as ocid default apparmor profile. # test that we can run with a specific apparmor profile which will block touching a file in `.` @test "load default apparmor profile and run a container with another apparmor profile" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - # this test requires apparmor, so skip this test if apparmor is not enabled. enabled=$(is_apparmor_enabled) if [[ "$enabled" -eq 0 ]]; then 
@@ -124,11 +109,6 @@ function teardown() { # 4. test running with wrong apparmor profile name. # test that we can will fail when running a ctr with rong apparmor profile name. @test "run a container with wrong apparmor profile name" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - # this test requires apparmor, so skip this test if apparmor is not enabled. enabled=$(is_apparmor_enabled) if [[ "$enabled" -eq 0 ]]; then @@ -157,11 +137,6 @@ function teardown() { # 5. test running with default apparmor profile unloaded. # test that we can will fail when running a ctr with rong apparmor profile name. @test "run a container after unloading default apparmor profile" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - # this test requires apparmor, so skip this test if apparmor is not enabled. enabled=$(is_apparmor_enabled) if [[ "$enabled" -eq 0 ]]; then diff --git a/test/ctr.bats b/test/ctr.bats index 257c43c2..ba92f0f7 100644 --- a/test/ctr.bats +++ b/test/ctr.bats @@ -7,11 +7,6 @@ function teardown() { } @test "ctr remove" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - start_ocid run ocic pod run --config "$TESTDATA"/sandbox_config.json echo "$output" 
@@ -39,11 +34,6 @@ function teardown() { } @test "ctr lifecycle" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - start_ocid run ocic pod run --config "$TESTDATA"/sandbox_config.json echo "$output" @@ -111,11 +101,6 @@ function teardown() { # regression test for #127 @test "ctrs status for a pod" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - start_ocid run ocic pod run --config "$TESTDATA"/sandbox_config.json echo "$output" @@ -143,11 +128,6 @@ function teardown() { } @test "ctr list filtering" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - start_ocid run ocic pod run --config "$TESTDATA"/sandbox_config.json --name pod1 echo "$output" @@ -246,11 +226,6 @@ function teardown() { } @test "ctr list label filtering" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - start_ocid run ocic pod run --config "$TESTDATA"/sandbox_config.json echo "$output" 
@@ -299,11 +274,6 @@ function teardown() { } @test "ctr metadata in list & status" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - start_ocid run ocic pod run --config "$TESTDATA"/sandbox_config.json echo "$output" @@ -334,11 +304,6 @@ function teardown() { } @test "ctr execsync" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - start_ocid run ocic pod run --config "$TESTDATA"/sandbox_config.json echo "$output" @@ -367,11 +332,6 @@ function teardown() { } @test "ctr execsync failure" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - start_ocid run ocic pod run --config "$TESTDATA"/sandbox_config.json echo "$output" @@ -394,11 +354,6 @@ function teardown() { } @test "ctr stop idempotent" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - start_ocid run ocic pod run --config "$TESTDATA"/sandbox_config.json echo "$output" diff --git a/test/network.bats b/test/network.bats index 419d4f52..0deea5e2 100644 --- a/test/network.bats +++ b/test/network.bats 
@@ -3,11 +3,6 @@ load helpers @test "Check for valid pod netns CIDR" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - if [ ! -f "$OCID_CNI_PLUGIN/bridge" ]; then skip "missing CNI bridge plugin, please install it" fi @@ -32,11 +27,6 @@ load helpers } @test "Ping pod from the host" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - if [ ! -f "$OCID_CNI_PLUGIN/bridge" ]; then skip "missing CNI bridge plugin, please install it" fi @@ -61,11 +51,6 @@ load helpers } @test "Ping pod from another pod" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - if [ ! -f "$OCID_CNI_PLUGIN/bridge" ]; then skip "missing CNI bridge plugin, please install it" fi diff --git a/test/pod.bats b/test/pod.bats index 4331fcdb..a805e0b9 100644 --- a/test/pod.bats +++ b/test/pod.bats @@ -8,11 +8,6 @@ function teardown() { # PR#59 @test "pod release name on remove" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - start_ocid run ocic pod run --config "$TESTDATA"/sandbox_config.json echo "$output" 
@@ -41,11 +36,6 @@ function teardown() { } @test "pod remove" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - start_ocid run ocic pod run --config "$TESTDATA"/sandbox_config.json echo "$output" @@ -67,11 +57,6 @@ function teardown() { } @test "pod list filtering" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - start_ocid run ocic pod run --config "$TESTDATA"/sandbox_config.json -name pod1 --label "a=b" --label "c=d" --label "e=f" echo "$output" @@ -161,11 +146,6 @@ function teardown() { } @test "pod metadata in list & status" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - start_ocid run ocic pod run --config "$TESTDATA"/sandbox_config.json echo "$output" @@ -195,11 +175,6 @@ function teardown() { } @test "pass pod sysctls to runtime" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - start_ocid run ocic pod run --config "$TESTDATA"/sandbox_config.json echo "$output" 
@@ -235,11 +210,6 @@ function teardown() { } @test "pod stop idempotent" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - start_ocid run ocic pod run --config "$TESTDATA"/sandbox_config.json echo "$output" @@ -258,11 +228,6 @@ function teardown() { } @test "pod remove idempotent" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - start_ocid run ocic pod run --config "$TESTDATA"/sandbox_config.json echo "$output" @@ -281,11 +246,6 @@ function teardown() { } @test "pod stop idempotent with ctrs already stopped" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - start_ocid run ocic pod run --config "$TESTDATA"/sandbox_config.json echo "$output" @@ -308,11 +268,6 @@ function teardown() { } @test "restart ocid and still get pod status" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - start_ocid run ocic pod run --config "$TESTDATA"/sandbox_config.json echo "$output" diff --git a/test/restore.bats b/test/restore.bats index 5d36e284..6e345c34 100644 --- a/test/restore.bats +++ b/test/restore.bats 
@@ -7,11 +7,6 @@ function teardown() { } @test "ocid restore" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - start_ocid run ocic pod run --config "$TESTDATA"/sandbox_config.json echo "$output" diff --git a/test/seccomp.bats b/test/seccomp.bats index ecfbaaf4..97ac125d 100644 --- a/test/seccomp.bats +++ b/test/seccomp.bats @@ -9,11 +9,6 @@ function teardown() { # 1. test running with ctr unconfined # test that we can run with a syscall which would be otherwise blocked @test "ctr seccomp profiles unconfined" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - # this test requires seccomp, so skip this test if seccomp is not enabled. enabled=$(is_seccomp_enabled) if [[ "$enabled" -eq 0 ]]; then @@ -50,11 +45,6 @@ function teardown() { # 2. test running with ctr runtime/default # test that we cannot run with a syscall blocked by the default seccomp profile @test "ctr seccomp profiles runtime/default" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - # this test requires seccomp, so skip this test if seccomp is not enabled. enabled=$(is_seccomp_enabled) if [[ "$enabled" -eq 0 ]]; then 
@@ -91,11 +81,6 @@ function teardown() { # 3. test running with ctr wrong profile name @test "ctr seccomp profiles wrong profile name" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - # this test requires seccomp, so skip this test if seccomp is not enabled. enabled=$(is_seccomp_enabled) if [[ "$enabled" -eq 0 ]]; then @@ -127,11 +112,6 @@ function teardown() { # TODO(runcom): need https://issues.k8s.io/36997 # 4. test running with ctr localhost/profile_name @test "ctr seccomp profiles localhost/profile_name" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - # this test requires seccomp, so skip this test if seccomp is not enabled. enabled=$(is_seccomp_enabled) if [[ "$enabled" -eq 0 ]]; then @@ -152,11 +132,6 @@ function teardown() { # pod -> runtime/default # result: fail chmod @test "ctr seccomp profiles falls back to pod profile" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - # this test requires seccomp, so skip this test if seccomp is not enabled. enabled=$(is_seccomp_enabled) if [[ "$enabled" -eq 0 ]]; then 
@@ -196,11 +171,6 @@ function teardown() { # pod -> NO # result: success, running unconfined @test "ctr seccomp profiles falls back to unconfined" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - # this test requires seccomp, so skip this test if seccomp is not enabled. enabled=$(is_seccomp_enabled) if [[ "$enabled" -eq 0 ]]; then @@ -237,11 +207,6 @@ function teardown() { # 1. test running with pod unconfined # test that we can run with a syscall which would be otherwise blocked @test "pod seccomp profiles unconfined" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - # this test requires seccomp, so skip this test if seccomp is not enabled. enabled=$(is_seccomp_enabled) if [[ "$enabled" -eq 0 ]]; then @@ -278,11 +243,6 @@ function teardown() { # 2. test running with pod runtime/default # test that we cannot run with a syscall blocked by the default seccomp profile @test "pod seccomp profiles runtime/default" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - # this test requires seccomp, so skip this test if seccomp is not enabled. enabled=$(is_seccomp_enabled) if [[ "$enabled" -eq 0 ]]; then 
@@ -319,11 +279,6 @@ function teardown() { # 3. test running with pod wrong profile name @test "pod seccomp profiles wrong profile name" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - # this test requires seccomp, so skip this test if seccomp is not enabled. enabled=$(is_seccomp_enabled) if [[ "$enabled" -eq 0 ]]; then @@ -356,11 +311,6 @@ function teardown() { # TODO(runcom): need https://issues.k8s.io/36997 # 4. test running with pod localhost/profile_name @test "pod seccomp profiles localhost/profile_name" { - # this test requires docker, thus it can't yet be run in a container - if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here - skip "cannot yet run this test in a container, use sudo make localintegration" - fi - # this test requires seccomp, so skip this test if seccomp is not enabled. enabled=$(is_seccomp_enabled) if [[ "$enabled" -eq 0 ]]; then