Merge pull request #325 from runcom/tests-in-docker
fix integration tests in docker
commit
c4673a9136
12 changed files with 64 additions and 199 deletions
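--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+.artifacts/
 conmon/conmon
 conmon/conmon.o
 pause/pause
@@ -10,3 +11,4 @@ ocid.conf
 test/bin2img/bin2img
 test/copyimg/copyimg
 test/testdata/redis-image
+test/checkseccomp/checkseccomp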
16
Dockerfile
16
Dockerfile
|
@ -1,4 +1,4 @@
|
||||||
FROM golang:1.7.3
|
FROM golang:1.7
|
||||||
|
|
||||||
# libseccomp in jessie is not _quite_ new enough -- need backports version
|
# libseccomp in jessie is not _quite_ new enough -- need backports version
|
||||||
RUN echo 'deb http://httpredir.debian.org/debian jessie-backports main' > /etc/apt/sources.list.d/backports.list
|
RUN echo 'deb http://httpredir.debian.org/debian jessie-backports main' > /etc/apt/sources.list.d/backports.list
|
||||||
|
@ -53,6 +53,16 @@ RUN set -x \
|
||||||
&& cp runc /usr/local/bin/runc \
|
&& cp runc /usr/local/bin/runc \
|
||||||
&& rm -rf "$GOPATH"
|
&& rm -rf "$GOPATH"
|
||||||
|
|
||||||
|
# Install CNI plugins
|
||||||
|
RUN set -x \
|
||||||
|
&& export GOPATH="$(mktemp -d)" \
|
||||||
|
&& git clone https://github.com/containernetworking/cni.git "$GOPATH/src/github.com/containernetworking/cni" \
|
||||||
|
&& cd "$GOPATH/src/github.com/containernetworking/cni" \
|
||||||
|
&& ./build \
|
||||||
|
&& mkdir -p /opt/cni/bin \
|
||||||
|
&& cp bin/* /opt/cni/bin/ \
|
||||||
|
&& rm -rf "$GOPATH"
|
||||||
|
|
||||||
# Make sure we have some policy for pulling images
|
# Make sure we have some policy for pulling images
|
||||||
RUN mkdir -p /etc/containers
|
RUN mkdir -p /etc/containers
|
||||||
COPY test/policy.json /etc/containers/policy.json
|
COPY test/policy.json /etc/containers/policy.json
|
||||||
|
@ -60,3 +70,7 @@ COPY test/policy.json /etc/containers/policy.json
|
||||||
WORKDIR /go/src/github.com/kubernetes-incubator/cri-o
|
WORKDIR /go/src/github.com/kubernetes-incubator/cri-o
|
||||||
|
|
||||||
ADD . /go/src/github.com/kubernetes-incubator/cri-o
|
ADD . /go/src/github.com/kubernetes-incubator/cri-o
|
||||||
|
|
||||||
|
RUN make copyimg \
|
||||||
|
&& mkdir -p .artifacts/redis-image \
|
||||||
|
&& ./test/copyimg/copyimg --import-from=docker://redis --export-to=dir:.artifacts/redis-image --signature-policy ./test/policy.json
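Review bot: The added "Install CNI plugins" step clones `containernetworking/cni` at whatever its default branch currently points to and copies the built binaries into /opt/cni/bin, so the test image changes with upstream and cannot be reproduced or audited later. Pin the checkout, for example by declaring `ENV CNI_COMMIT <pinned-commit-sha>` above the step and adding `&& git checkout -q "$CNI_COMMIT" \` after the `cd` line. The same drift applies to the first hunk, which loosens `golang:1.7.3` to the floating `golang:1.7` tag, and to the last hunk, which imports `docker://redis` with no tag or digest at image build time. What `test/policy.json` actually enforces for that pull is not visible here and is worth stating in a comment next to the `copyimg` call.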
|
||||||
|
|
7
Makefile
7
Makefile
|
@ -52,6 +52,9 @@ bin2img:
|
||||||
copyimg:
|
copyimg:
|
||||||
make -C test/$@
|
make -C test/$@
|
||||||
|
|
||||||
|
checkseccomp:
|
||||||
|
make -C test/$@
|
||||||
|
|
||||||
ocid:
|
ocid:
|
||||||
ifndef GOPATH
|
ifndef GOPATH
|
||||||
$(error GOPATH is not set)
|
$(error GOPATH is not set)
|
||||||
|
@ -84,6 +87,7 @@ clean:
|
||||||
make -C pause clean
|
make -C pause clean
|
||||||
make -C test/bin2img clean
|
make -C test/bin2img clean
|
||||||
make -C test/copyimg clean
|
make -C test/copyimg clean
|
||||||
|
make -C test/checkseccomp clean
|
||||||
|
|
||||||
ocidimage:
|
ocidimage:
|
||||||
docker build -t ${OCID_IMAGE} .
|
docker build -t ${OCID_IMAGE} .
|
||||||
|
@ -97,7 +101,7 @@ integration: ocidimage
|
||||||
localintegration: binaries
|
localintegration: binaries
|
||||||
./test/test_runner.sh ${TESTFLAGS}
|
./test/test_runner.sh ${TESTFLAGS}
|
||||||
|
|
||||||
binaries: ocid ocic kpod conmon pause bin2img copyimg
|
binaries: ocid ocic kpod conmon pause bin2img copyimg checkseccomp
|
||||||
|
|
||||||
MANPAGES_MD := $(wildcard docs/*.md)
|
MANPAGES_MD := $(wildcard docs/*.md)
|
||||||
MANPAGES := $(MANPAGES_MD:%.md=%)
|
MANPAGES := $(MANPAGES_MD:%.md=%)
|
||||||
|
@ -193,6 +197,7 @@ install.tools: .install.gitvalidation .install.gometalinter .install.md2man
|
||||||
.PHONY: \
|
.PHONY: \
|
||||||
bin2img \
|
bin2img \
|
||||||
binaries \
|
binaries \
|
||||||
|
checkseccomp \
|
||||||
clean \
|
clean \
|
||||||
conmon \
|
conmon \
|
||||||
copyimg \
|
copyimg \
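Review bot: The new `checkseccomp` recipe and the added line in `clean` invoke a literal `make`, which does not hand the jobserver or `-n` down to the sub-make; `$(MAKE) -C test/$@` and `$(MAKE) -C test/checkseccomp clean` would. The neighbouring `copyimg` rule and the existing `clean` lines shown as context are written the same way, so they could be changed together. The `clean` recipe starts outside the hunk.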
|
||||||
|
|
|
@ -9,11 +9,6 @@ function teardown() {
|
||||||
# 1. test running with loading the default apparmor profile.
|
# 1. test running with loading the default apparmor profile.
|
||||||
# test that we can run with the default apparmor profile which will not block touching a file in `.`
|
# test that we can run with the default apparmor profile which will not block touching a file in `.`
|
||||||
@test "load default apparmor profile and run a container with it" {
|
@test "load default apparmor profile and run a container with it" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# this test requires apparmor, so skip this test if apparmor is not enabled.
|
# this test requires apparmor, so skip this test if apparmor is not enabled.
|
||||||
enabled=$(is_apparmor_enabled)
|
enabled=$(is_apparmor_enabled)
|
||||||
if [[ "$enabled" -eq 0 ]]; then
|
if [[ "$enabled" -eq 0 ]]; then
|
||||||
|
@ -46,11 +41,6 @@ function teardown() {
|
||||||
# 2. test running with loading a specific apparmor profile as ocid default apparmor profile.
|
# 2. test running with loading a specific apparmor profile as ocid default apparmor profile.
|
||||||
# test that we can run with a specific apparmor profile which will block touching a file in `.` as ocid default apparmor profile.
|
# test that we can run with a specific apparmor profile which will block touching a file in `.` as ocid default apparmor profile.
|
||||||
@test "load a specific apparmor profile as default apparmor and run a container with it" {
|
@test "load a specific apparmor profile as default apparmor and run a container with it" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# this test requires apparmor, so skip this test if apparmor is not enabled.
|
# this test requires apparmor, so skip this test if apparmor is not enabled.
|
||||||
enabled=$(is_apparmor_enabled)
|
enabled=$(is_apparmor_enabled)
|
||||||
if [[ "$enabled" -eq 0 ]]; then
|
if [[ "$enabled" -eq 0 ]]; then
|
||||||
|
@ -85,11 +75,6 @@ function teardown() {
|
||||||
# 3. test running with loading a specific apparmor profile but not as ocid default apparmor profile.
|
# 3. test running with loading a specific apparmor profile but not as ocid default apparmor profile.
|
||||||
# test that we can run with a specific apparmor profile which will block touching a file in `.`
|
# test that we can run with a specific apparmor profile which will block touching a file in `.`
|
||||||
@test "load default apparmor profile and run a container with another apparmor profile" {
|
@test "load default apparmor profile and run a container with another apparmor profile" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# this test requires apparmor, so skip this test if apparmor is not enabled.
|
# this test requires apparmor, so skip this test if apparmor is not enabled.
|
||||||
enabled=$(is_apparmor_enabled)
|
enabled=$(is_apparmor_enabled)
|
||||||
if [[ "$enabled" -eq 0 ]]; then
|
if [[ "$enabled" -eq 0 ]]; then
|
||||||
|
@ -124,11 +109,6 @@ function teardown() {
|
||||||
# 4. test running with wrong apparmor profile name.
|
# 4. test running with wrong apparmor profile name.
|
||||||
# test that we can will fail when running a ctr with rong apparmor profile name.
|
# test that we can will fail when running a ctr with rong apparmor profile name.
|
||||||
@test "run a container with wrong apparmor profile name" {
|
@test "run a container with wrong apparmor profile name" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# this test requires apparmor, so skip this test if apparmor is not enabled.
|
# this test requires apparmor, so skip this test if apparmor is not enabled.
|
||||||
enabled=$(is_apparmor_enabled)
|
enabled=$(is_apparmor_enabled)
|
||||||
if [[ "$enabled" -eq 0 ]]; then
|
if [[ "$enabled" -eq 0 ]]; then
|
||||||
|
@ -157,11 +137,6 @@ function teardown() {
|
||||||
# 5. test running with default apparmor profile unloaded.
|
# 5. test running with default apparmor profile unloaded.
|
||||||
# test that we can will fail when running a ctr with rong apparmor profile name.
|
# test that we can will fail when running a ctr with rong apparmor profile name.
|
||||||
@test "run a container after unloading default apparmor profile" {
|
@test "run a container after unloading default apparmor profile" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# this test requires apparmor, so skip this test if apparmor is not enabled.
|
# this test requires apparmor, so skip this test if apparmor is not enabled.
|
||||||
enabled=$(is_apparmor_enabled)
|
enabled=$(is_apparmor_enabled)
|
||||||
if [[ "$enabled" -eq 0 ]]; then
|
if [[ "$enabled" -eq 0 ]]; then
|
||||||
|
|
6
test/checkseccomp/Makefile
Normal file
6
test/checkseccomp/Makefile
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
checkseccomp: $(wildcard *.go)
|
||||||
|
go build -o $@
|
||||||
|
|
||||||
|
.PHONY: clean
|
||||||
|
clean:
|
||||||
|
rm -f checkseccomp
|
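--- a/test/checkseccomp/checkseccomp.go
+++ b/test/checkseccomp/checkseccomp.go
@@ -0,0 +1,22 @@
+package main
+
+import (
+"os"
+"syscall"
+)
+
+const (
+// SeccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER.
+SeccompModeFilter = uintptr(2)
+)
+
+func main() {
+// Check if Seccomp is supported, via CONFIG_SECCOMP.
+if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
+// Make sure the kernel has CONFIG_SECCOMP_FILTER.
+if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, SeccompModeFilter, 0); err != syscall.EINVAL {
+os.Exit(0)
+}
+}
+os.Exit(1)
+}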
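Review bot: Both probes in `main` count every result other than EINVAL as "supported", including errors unrelated to kernel configuration (for instance a sandbox that denies prctl with EPERM), and the program prints nothing, so a wrong answer looks the same as a right one. The second call deserves a comment explaining that the zero filter pointer is deliberate and that a kernel built with CONFIG_SECCOMP_FILTER is expected to reject it with EFAULT rather than install anything, e.g. `// NULL filter on purpose: EFAULT means filter mode exists, EINVAL means it does not`. Writing the reason for a non-zero exit to stderr would make skipped seccomp tests diagnosable from the CI log.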
|
@ -7,11 +7,6 @@ function teardown() {
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "ctr remove" {
|
@test "ctr remove" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
start_ocid
|
start_ocid
|
||||||
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
||||||
echo "$output"
|
echo "$output"
|
||||||
|
@ -39,11 +34,6 @@ function teardown() {
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "ctr lifecycle" {
|
@test "ctr lifecycle" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
start_ocid
|
start_ocid
|
||||||
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
||||||
echo "$output"
|
echo "$output"
|
||||||
|
@ -111,11 +101,6 @@ function teardown() {
|
||||||
|
|
||||||
# regression test for #127
|
# regression test for #127
|
||||||
@test "ctrs status for a pod" {
|
@test "ctrs status for a pod" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
start_ocid
|
start_ocid
|
||||||
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
||||||
echo "$output"
|
echo "$output"
|
||||||
|
@ -143,11 +128,6 @@ function teardown() {
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "ctr list filtering" {
|
@test "ctr list filtering" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
start_ocid
|
start_ocid
|
||||||
run ocic pod run --config "$TESTDATA"/sandbox_config.json --name pod1
|
run ocic pod run --config "$TESTDATA"/sandbox_config.json --name pod1
|
||||||
echo "$output"
|
echo "$output"
|
||||||
|
@ -246,11 +226,6 @@ function teardown() {
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "ctr list label filtering" {
|
@test "ctr list label filtering" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
start_ocid
|
start_ocid
|
||||||
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
||||||
echo "$output"
|
echo "$output"
|
||||||
|
@ -299,11 +274,6 @@ function teardown() {
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "ctr metadata in list & status" {
|
@test "ctr metadata in list & status" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
start_ocid
|
start_ocid
|
||||||
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
||||||
echo "$output"
|
echo "$output"
|
||||||
|
@ -334,11 +304,6 @@ function teardown() {
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "ctr execsync" {
|
@test "ctr execsync" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
start_ocid
|
start_ocid
|
||||||
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
||||||
echo "$output"
|
echo "$output"
|
||||||
|
@ -367,11 +332,6 @@ function teardown() {
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "ctr execsync failure" {
|
@test "ctr execsync failure" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
start_ocid
|
start_ocid
|
||||||
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
||||||
echo "$output"
|
echo "$output"
|
||||||
|
@ -394,11 +354,6 @@ function teardown() {
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "ctr stop idempotent" {
|
@test "ctr stop idempotent" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
start_ocid
|
start_ocid
|
||||||
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
||||||
echo "$output"
|
echo "$output"
|
||||||
|
|
|
@ -40,6 +40,10 @@ APPARMOR_PARAMETERS_FILE_PATH=${APPARMOR_PARAMETERS_FILE_PATH:-/sys/module/appar
|
||||||
BIN2IMG_BINARY=${BIN2IMG_BINARY:-${OCID_ROOT}/cri-o/test/bin2img/bin2img}
|
BIN2IMG_BINARY=${BIN2IMG_BINARY:-${OCID_ROOT}/cri-o/test/bin2img/bin2img}
|
||||||
# Path of the copyimg binary.
|
# Path of the copyimg binary.
|
||||||
COPYIMG_BINARY=${COPYIMG_BINARY:-${OCID_ROOT}/cri-o/test/copyimg/copyimg}
|
COPYIMG_BINARY=${COPYIMG_BINARY:-${OCID_ROOT}/cri-o/test/copyimg/copyimg}
|
||||||
|
# Path of tests artifacts.
|
||||||
|
ARTIFACTS_PATH=${ARTIFACTS_PATH:-${OCID_ROOT}/cri-o/.artifacts}
|
||||||
|
# Path of the checkseccomp binary.
|
||||||
|
CHECKSECCOMP_BINARY=${CHECKSECCOMP_BINARY:-${OCID_ROOT}/cri-o/test/checkseccomp/checkseccomp}
|
||||||
|
|
||||||
TESTDIR=$(mktemp -d)
|
TESTDIR=$(mktemp -d)
|
||||||
if [ -e /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
|
if [ -e /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
|
||||||
|
@ -61,11 +65,11 @@ mkdir -p $OCID_CNI_CONFIG
|
||||||
PATH=$PATH:$TESTDIR
|
PATH=$PATH:$TESTDIR
|
||||||
|
|
||||||
# Make sure we have a copy of the redis:latest image.
|
# Make sure we have a copy of the redis:latest image.
|
||||||
if ! [ -d "$TESTDATA"/redis-image ]; then
|
if ! [ -d "$ARTIFACTS_PATH"/redis-image ]; then
|
||||||
mkdir -p "$TESTDATA"/redis-image
|
mkdir -p "$ARTIFACTS_PATH"/redis-image
|
||||||
if ! "$COPYIMG_BINARY" --import-from=docker://redis --export-to=dir:"$TESTDATA"/redis-image --signature-policy="$INTEGRATION_ROOT"/policy.json ; then
|
if ! "$COPYIMG_BINARY" --import-from=docker://redis --export-to=dir:"$ARTIFACTS_PATH"/redis-image --signature-policy="$INTEGRATION_ROOT"/policy.json ; then
|
||||||
echo "Error pulling docker://redis"
|
echo "Error pulling docker://redis"
|
||||||
rm -fr "$TESTDATA"/redis-image
|
rm -fr "$ARTIFACTS_PATH"/redis-image
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
@ -130,7 +134,7 @@ function start_ocid() {
|
||||||
if ! [ "$3" = "--no-pause-image" ] ; then
|
if ! [ "$3" = "--no-pause-image" ] ; then
|
||||||
"$BIN2IMG_BINARY" --root "$TESTDIR/ocid" --runroot "$TESTDIR/ocid-run" --source-binary "$PAUSE_BINARY"
|
"$BIN2IMG_BINARY" --root "$TESTDIR/ocid" --runroot "$TESTDIR/ocid-run" --source-binary "$PAUSE_BINARY"
|
||||||
fi
|
fi
|
||||||
"$COPYIMG_BINARY" --root "$TESTDIR/ocid" --runroot "$TESTDIR/ocid-run" --image-name=redis --import-from=dir:"$TESTDATA"/redis-image --add-name=docker://docker.io/library/redis:latest
|
"$COPYIMG_BINARY" --root "$TESTDIR/ocid" --runroot "$TESTDIR/ocid-run" --image-name=redis --import-from=dir:"$ARTIFACTS_PATH"/redis-image --add-name=docker://docker.io/library/redis:latest
|
||||||
"$OCID_BINARY" --conmon "$CONMON_BINARY" --listen "$OCID_SOCKET" --runtime "$RUNC_BINARY" --root "$TESTDIR/ocid" --runroot "$TESTDIR/ocid-run" --seccomp-profile "$seccomp" --apparmor-profile "$apparmor" --cni-config-dir "$OCID_CNI_CONFIG" --signature-policy "$INTEGRATION_ROOT"/policy.json config >$OCID_CONFIG
|
"$OCID_BINARY" --conmon "$CONMON_BINARY" --listen "$OCID_SOCKET" --runtime "$RUNC_BINARY" --root "$TESTDIR/ocid" --runroot "$TESTDIR/ocid-run" --seccomp-profile "$seccomp" --apparmor-profile "$apparmor" --cni-config-dir "$OCID_CNI_CONFIG" --signature-policy "$INTEGRATION_ROOT"/policy.json config >$OCID_CONFIG
|
||||||
"$OCID_BINARY" --debug --config "$OCID_CONFIG" & OCID_PID=$!
|
"$OCID_BINARY" --debug --config "$OCID_CONFIG" & OCID_PID=$!
|
||||||
wait_until_reachable
|
wait_until_reachable
|
||||||
|
@ -212,14 +216,11 @@ function remove_apparmor_profile() {
|
||||||
}
|
}
|
||||||
|
|
||||||
function is_seccomp_enabled() {
|
function is_seccomp_enabled() {
|
||||||
if [[ -f "$BOOT_CONFIG_FILE_PATH" ]]; then
|
if ! "$CHECKSECCOMP_BINARY" ; then
|
||||||
out=$(cat "$BOOT_CONFIG_FILE_PATH" | grep CONFIG_SECCOMP=)
|
echo 0
|
||||||
if [[ "$out" =~ "CONFIG_SECCOMP=y" ]]; then
|
return
|
||||||
echo 1
|
|
||||||
return
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
echo 0
|
echo 1
|
||||||
}
|
}
|
||||||
|
|
||||||
function is_apparmor_enabled() {
|
function is_apparmor_enabled() {
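Review bot: `is_seccomp_enabled` now echoes 0 for any non-zero exit of `$CHECKSECCOMP_BINARY`, which includes the binary being missing or not executable, so a build or path problem makes every seccomp test skip quietly instead of failing. Because callers capture the function's stdout (`enabled=$(is_seccomp_enabled)`), the guard belongs at load time next to the new variable in the first hunk, e.g. `[ -x "$CHECKSECCOMP_BINARY" ] || { echo "checkseccomp not found: $CHECKSECCOMP_BINARY" >&2; exit 1; }`, matching the `exit 1` already used when the redis pull fails. A one-line comment above the function stating that it echoes 1 or 0 rather than returning a status would also help readers of the `.bats` files.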
|
||||||
|
|
|
@ -3,11 +3,6 @@
|
||||||
load helpers
|
load helpers
|
||||||
|
|
||||||
@test "Check for valid pod netns CIDR" {
|
@test "Check for valid pod netns CIDR" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ ! -f "$OCID_CNI_PLUGIN/bridge" ]; then
|
if [ ! -f "$OCID_CNI_PLUGIN/bridge" ]; then
|
||||||
skip "missing CNI bridge plugin, please install it"
|
skip "missing CNI bridge plugin, please install it"
|
||||||
fi
|
fi
|
||||||
|
@ -32,11 +27,6 @@ load helpers
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "Ping pod from the host" {
|
@test "Ping pod from the host" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ ! -f "$OCID_CNI_PLUGIN/bridge" ]; then
|
if [ ! -f "$OCID_CNI_PLUGIN/bridge" ]; then
|
||||||
skip "missing CNI bridge plugin, please install it"
|
skip "missing CNI bridge plugin, please install it"
|
||||||
fi
|
fi
|
||||||
|
@ -61,11 +51,6 @@ load helpers
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "Ping pod from another pod" {
|
@test "Ping pod from another pod" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ ! -f "$OCID_CNI_PLUGIN/bridge" ]; then
|
if [ ! -f "$OCID_CNI_PLUGIN/bridge" ]; then
|
||||||
skip "missing CNI bridge plugin, please install it"
|
skip "missing CNI bridge plugin, please install it"
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -8,11 +8,6 @@ function teardown() {
|
||||||
|
|
||||||
# PR#59
|
# PR#59
|
||||||
@test "pod release name on remove" {
|
@test "pod release name on remove" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
start_ocid
|
start_ocid
|
||||||
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
||||||
echo "$output"
|
echo "$output"
|
||||||
|
@ -41,11 +36,6 @@ function teardown() {
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "pod remove" {
|
@test "pod remove" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
start_ocid
|
start_ocid
|
||||||
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
||||||
echo "$output"
|
echo "$output"
|
||||||
|
@ -67,11 +57,6 @@ function teardown() {
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "pod list filtering" {
|
@test "pod list filtering" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
start_ocid
|
start_ocid
|
||||||
run ocic pod run --config "$TESTDATA"/sandbox_config.json -name pod1 --label "a=b" --label "c=d" --label "e=f"
|
run ocic pod run --config "$TESTDATA"/sandbox_config.json -name pod1 --label "a=b" --label "c=d" --label "e=f"
|
||||||
echo "$output"
|
echo "$output"
|
||||||
|
@ -161,11 +146,6 @@ function teardown() {
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "pod metadata in list & status" {
|
@test "pod metadata in list & status" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
start_ocid
|
start_ocid
|
||||||
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
||||||
echo "$output"
|
echo "$output"
|
||||||
|
@ -195,11 +175,6 @@ function teardown() {
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "pass pod sysctls to runtime" {
|
@test "pass pod sysctls to runtime" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
start_ocid
|
start_ocid
|
||||||
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
||||||
echo "$output"
|
echo "$output"
|
||||||
|
@ -235,11 +210,6 @@ function teardown() {
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "pod stop idempotent" {
|
@test "pod stop idempotent" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
start_ocid
|
start_ocid
|
||||||
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
||||||
echo "$output"
|
echo "$output"
|
||||||
|
@ -258,11 +228,6 @@ function teardown() {
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "pod remove idempotent" {
|
@test "pod remove idempotent" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
start_ocid
|
start_ocid
|
||||||
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
||||||
echo "$output"
|
echo "$output"
|
||||||
|
@ -281,11 +246,6 @@ function teardown() {
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "pod stop idempotent with ctrs already stopped" {
|
@test "pod stop idempotent with ctrs already stopped" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
start_ocid
|
start_ocid
|
||||||
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
||||||
echo "$output"
|
echo "$output"
|
||||||
|
@ -308,11 +268,6 @@ function teardown() {
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "restart ocid and still get pod status" {
|
@test "restart ocid and still get pod status" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
start_ocid
|
start_ocid
|
||||||
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
||||||
echo "$output"
|
echo "$output"
|
||||||
|
|
|
@ -7,11 +7,6 @@ function teardown() {
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "ocid restore" {
|
@test "ocid restore" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
start_ocid
|
start_ocid
|
||||||
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
||||||
echo "$output"
|
echo "$output"
|
||||||
|
|
|
@ -9,11 +9,6 @@ function teardown() {
|
||||||
# 1. test running with ctr unconfined
|
# 1. test running with ctr unconfined
|
||||||
# test that we can run with a syscall which would be otherwise blocked
|
# test that we can run with a syscall which would be otherwise blocked
|
||||||
@test "ctr seccomp profiles unconfined" {
|
@test "ctr seccomp profiles unconfined" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
||||||
enabled=$(is_seccomp_enabled)
|
enabled=$(is_seccomp_enabled)
|
||||||
if [[ "$enabled" -eq 0 ]]; then
|
if [[ "$enabled" -eq 0 ]]; then
|
||||||
|
@ -50,11 +45,6 @@ function teardown() {
|
||||||
# 2. test running with ctr runtime/default
|
# 2. test running with ctr runtime/default
|
||||||
# test that we cannot run with a syscall blocked by the default seccomp profile
|
# test that we cannot run with a syscall blocked by the default seccomp profile
|
||||||
@test "ctr seccomp profiles runtime/default" {
|
@test "ctr seccomp profiles runtime/default" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
||||||
enabled=$(is_seccomp_enabled)
|
enabled=$(is_seccomp_enabled)
|
||||||
if [[ "$enabled" -eq 0 ]]; then
|
if [[ "$enabled" -eq 0 ]]; then
|
||||||
|
@ -91,11 +81,6 @@ function teardown() {
|
||||||
|
|
||||||
# 3. test running with ctr wrong profile name
|
# 3. test running with ctr wrong profile name
|
||||||
@test "ctr seccomp profiles wrong profile name" {
|
@test "ctr seccomp profiles wrong profile name" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
||||||
enabled=$(is_seccomp_enabled)
|
enabled=$(is_seccomp_enabled)
|
||||||
if [[ "$enabled" -eq 0 ]]; then
|
if [[ "$enabled" -eq 0 ]]; then
|
||||||
|
@ -127,11 +112,6 @@ function teardown() {
|
||||||
# TODO(runcom): need https://issues.k8s.io/36997
|
# TODO(runcom): need https://issues.k8s.io/36997
|
||||||
# 4. test running with ctr localhost/profile_name
|
# 4. test running with ctr localhost/profile_name
|
||||||
@test "ctr seccomp profiles localhost/profile_name" {
|
@test "ctr seccomp profiles localhost/profile_name" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
||||||
enabled=$(is_seccomp_enabled)
|
enabled=$(is_seccomp_enabled)
|
||||||
if [[ "$enabled" -eq 0 ]]; then
|
if [[ "$enabled" -eq 0 ]]; then
|
||||||
|
@ -152,11 +132,6 @@ function teardown() {
|
||||||
# pod -> runtime/default
|
# pod -> runtime/default
|
||||||
# result: fail chmod
|
# result: fail chmod
|
||||||
@test "ctr seccomp profiles falls back to pod profile" {
|
@test "ctr seccomp profiles falls back to pod profile" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
||||||
enabled=$(is_seccomp_enabled)
|
enabled=$(is_seccomp_enabled)
|
||||||
if [[ "$enabled" -eq 0 ]]; then
|
if [[ "$enabled" -eq 0 ]]; then
|
||||||
|
@ -196,11 +171,6 @@ function teardown() {
|
||||||
# pod -> NO
|
# pod -> NO
|
||||||
# result: success, running unconfined
|
# result: success, running unconfined
|
||||||
@test "ctr seccomp profiles falls back to unconfined" {
|
@test "ctr seccomp profiles falls back to unconfined" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
||||||
enabled=$(is_seccomp_enabled)
|
enabled=$(is_seccomp_enabled)
|
||||||
if [[ "$enabled" -eq 0 ]]; then
|
if [[ "$enabled" -eq 0 ]]; then
|
||||||
|
@ -237,11 +207,6 @@ function teardown() {
|
||||||
# 1. test running with pod unconfined
|
# 1. test running with pod unconfined
|
||||||
# test that we can run with a syscall which would be otherwise blocked
|
# test that we can run with a syscall which would be otherwise blocked
|
||||||
@test "pod seccomp profiles unconfined" {
|
@test "pod seccomp profiles unconfined" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
||||||
enabled=$(is_seccomp_enabled)
|
enabled=$(is_seccomp_enabled)
|
||||||
if [[ "$enabled" -eq 0 ]]; then
|
if [[ "$enabled" -eq 0 ]]; then
|
||||||
|
@ -278,11 +243,6 @@ function teardown() {
|
||||||
# 2. test running with pod runtime/default
|
# 2. test running with pod runtime/default
|
||||||
# test that we cannot run with a syscall blocked by the default seccomp profile
|
# test that we cannot run with a syscall blocked by the default seccomp profile
|
||||||
@test "pod seccomp profiles runtime/default" {
|
@test "pod seccomp profiles runtime/default" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
||||||
enabled=$(is_seccomp_enabled)
|
enabled=$(is_seccomp_enabled)
|
||||||
if [[ "$enabled" -eq 0 ]]; then
|
if [[ "$enabled" -eq 0 ]]; then
|
||||||
|
@ -319,11 +279,6 @@ function teardown() {
|
||||||
|
|
||||||
# 3. test running with pod wrong profile name
|
# 3. test running with pod wrong profile name
|
||||||
@test "pod seccomp profiles wrong profile name" {
|
@test "pod seccomp profiles wrong profile name" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
||||||
enabled=$(is_seccomp_enabled)
|
enabled=$(is_seccomp_enabled)
|
||||||
if [[ "$enabled" -eq 0 ]]; then
|
if [[ "$enabled" -eq 0 ]]; then
|
||||||
|
@ -356,11 +311,6 @@ function teardown() {
|
||||||
# TODO(runcom): need https://issues.k8s.io/36997
|
# TODO(runcom): need https://issues.k8s.io/36997
|
||||||
# 4. test running with pod localhost/profile_name
|
# 4. test running with pod localhost/profile_name
|
||||||
@test "pod seccomp profiles localhost/profile_name" {
|
@test "pod seccomp profiles localhost/profile_name" {
|
||||||
# this test requires docker, thus it can't yet be run in a container
|
|
||||||
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
|
|
||||||
skip "cannot yet run this test in a container, use sudo make localintegration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
||||||
enabled=$(is_seccomp_enabled)
|
enabled=$(is_seccomp_enabled)
|
||||||
if [[ "$enabled" -eq 0 ]]; then
|
if [[ "$enabled" -eq 0 ]]; then
|
||||||
|
|