Tested on a REHL box and found out that the mounts were not showing up
Had a logic flaw, where if the mount was "host:container"
Was setting the mount source to "host" and destination to "ctrRunDir/container"
When instead, the mount source should be "ctrRunDir/container" and destination "container"
with the data copied from "host" to "ctrRunDir/container"
Signed-off-by: umohnani8 <umohnani@redhat.com>
New network test makes improper assumptions about conmon path.
Use predefined CONMON_BINARY variable instead.
Signed-off-by: Ed Santiago <santiago@redhat.com>
The bats "run" helper function sets "$status", so there's no point to
checking the value of "$status" when we haven't used the "run" helper to
run a command, and we almost always want to be checking the value after
we have used the helper.
There's no need to run commands like 'sleep' or 'rm -f' with the helper,
since they're not expected to fail, and if they do, it's probably
indicative of a larger problem that we want to allow to cause tests to
fail.
Helper functions like start_crio already check "$status" when they call
"run", so we don't need to check it again after they return.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
In the kpod-stop-by-name test, use 'kpod inspect' to look up the name of
the container, rather than predicting the name that crio will assign.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Allows the user to define secret paths in /etc/containers/mounts.conf
These are then volume mounted into the container
Signed-off-by: umohnani8 <umohnani@redhat.com>
When running the test suite interactively, "Connect to pod
hostport from the host" test hangs because nc thinks it's
got a bidirectional connection. Running with </dev/null
closes the connection after receiving the expected data,
letting the tests proceed.
This is just a suggestion for n00b-friendliness. Running
interactively is rare, but it's exactly where a n00b
will begin, and the hang costs a little time and energy
to track down.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Refactored rmi, images, diff, and history.
Made fixes to kpod images in the way it was handing the templates as well as printing the image names
Signed-off-by: umohnani8 <umohnani@redhat.com>
Running crio with -debug is very verbose. Having more granularity
on the log level can be useful when e.g. only looking for errors.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
* Remove duplicate definitions of storage-related flags for kpod, since
we set them in helpers.bash now, and the other locations that were
also setting it were doing so after loading the definitions in
helpers.
* Set kpod storage flags after checking if we need to force use of the
"vfs" storage driver for cri-o, to make sure kpod also ends up with
the same override if we're using one.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Move kpod tests from kpod.bats to kpod_[commandname].bats
Also make sure all status checks have a echo $output before them.
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: umohnani8 <umohnani@redhat.com>
Allow overriding CRIO_CNI_PLUGIN (default: /opt/cni/bin) and
make sure it gets written to our crio.conf file. This is
intended for running cri-o tests with containernetworking-cni
rpm which installs into /usr/libexec/cni
Signed-off-by: Ed Santiago <santiago@redhat.com>
Implement the ability to pause and unpause running containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
server: fix selinux labels for pod and containers
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
sandbox: set selinux labels from request, not defaults
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
container_create: use sandbox's selinux if container's nil
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
sandbox: correctly init selinux labels
First, we weren't correctly initializing selinux labels. If any of
(level, user, role, type) was missing from kube selinux options, we
were erroring out. This is wrong as kube sends just `level=s0`
sometimes and docker itself allows `--security-opt label=level:s0`.
This patch directly initializes selinux labels, correctly, and adds a
test to verify it.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
test: testdata: use container_runtime_t selinux type
RHEL SELinux policy doesn't have `container_t` type but we're using it
in our fixtures. That means Fedora integration tests pass because
`container_t` is in Fedora's container policy but RHEL is broken.
Fix it by using `container_runtime_t` which is aliased in Fedora policy
to `container_t`.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
If the user provides kpod pull a short name like 'debian', we
still want the pull to be sucessful. As such, when a short
name is provided, we get the list of searchable registries via
the systemregistries code in containers-storage. We then
append a tag of 'latest' (if not provided) and we formulate
a list of possible fully-qualified image names to try.
Vendor update for containers-storage to bring in the system_registries
code.
Also includes a patch from Nalin to fix compilation errors.
Signed-off-by: baude <bbaude@redhat.com>
Stop one or more containers. Specific a timeout value
that if the stop operation exceeds, will forcibly stop
the container.
Signed-off-by: baude <bbaude@redhat.com>
Our CI tests on RHEL and Fedora and we want to test the systemd cgroup
driver. However, kubelet needs to run in tests with systemd cgroup
driver as well, or tests fail. This patch fixes broken CI because of
not matching cgroup driver between CRI-O and the kubelet.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Kubelet can send cap add/drop ALL. Handle that in CRI-O as well.
Also, this PR is re-vendoring runtime-tools to fix capabilities add to
add caps to _all_ caps set **and** fix a shared memory issue (caps set
were initialized with the same slice, if one modifies one slice, it's
reflected on the other slices, the vendoring fixes this as well)
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Because we need a working CNI plugin to setup a correct netns so
sandbox_run can grab a working IP address.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
When performing a tag, if a shortname was provided, tag.go would
preprend docker.io to the shortname through the ParseNormalized
function. Here we work around that such that is a short name
and tag are provided, the resulting tag will be shortname:tag. If
a shortname is provided without a tag, we append "latest" as the
tag.
Added specific tag tests too
Signed-off-by: baude <bbaude@redhat.com>
Kpod rm removes a container from the system
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: umohnani8 <umohnani@redhat.com>
Add new directory /etc/crio/hooks.d, where packagers can drop a json config
file to specify a hook.
The json must specify a valid executable to run.
The json must also specify which stage(s) to run the hook:
prestart, poststart, poststop
The json must specify under which criteria the hook should be launched
If the container HasBindMounts
If the container cmd matches a list of regular expressions
If the containers annotations matches a list of regular expressions.
If any of these match the the hook will be launched.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Correct some syntax errors in kpod.bats, ensure that it always checks
the exit status of "kpod rmi" commands, correct the order of options
when calling "kpod inspect", and test for string equality correctly.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
We want all kpod subcommands to use the formats code to output
formats like json. Altering kpod diff --json to kpod diff --format json
like the kpod images command.
Signed-off-by: baude <bbaude@redhat.com>
For kpod images, we need to output in JSON format so that consumers
(programatic) have structured input to work with.
kpod images --format json
Signed-off-by: baude <bbaude@redhat.com>
kpod diff reports on differences between two layers, specified as
layer IDs, containers, or images. In the case of containers or
images, kpod diff produces a diff for the top layer
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
This command will allow users to manipulate and examine the container
images from outside of the container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Need to mv to latest released and supported version of logrus
switch github.com/Sirupsen/logrus github.com/sirupsen/logrus
Also vendor in latest containers/storage and containers/image
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Basically none of the clever storage drivers will work when we're on top
of AUFS, so if we find ourselves in that situation when running tests,
default to storage options of "--storage-driver vfs".
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Use unix.Prctl() instead of manually reimplementing it using
unix.RawSyscall. Also use unix.SECCOMP_MODE_FILTER instead of locally
defining it.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
The syscall package is locked down and the comment in [1] advises to
switch code to use the corresponding package from golang.org/x/sys. Do
so and replace usage of package syscall where possible (leave
syscall.SysProcAttr and syscall.Stat_t).
[1] https://github.com/golang/go/blob/master/src/syscall/syscall.go#L21-L24
This will also allow to get updates and fixes just by re-vendoring
golang.org/x/sys/unix instead of having to update to a new go version.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
The test "ctr execsync std{out,err}" from ctr.bats works with runc,
but the semantics behind is wrong.
We should not be able to execute a new process on a container which
has not been previously started. That's why this patch adds a call
to start the container.
Moreover, we don't want to be able to execute a new process on a
container that has already returned because its workload is done.
For that reason, we need to force the container workload to be a
"sleep 10" to ensure it is still running when the call to "exec"
is issued.
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>