a11b8cd8ec
server: fix selinux labels for pod and containers

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

sandbox: set selinux labels from request, not defaults

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

container_create: use sandbox's selinux if container's nil

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

sandbox: correctly init selinux labels

First, we weren't correctly initializing selinux labels. If any of (level, user, role, type) was missing from kube selinux options, we were erroring out. This is wrong as kube sends just `level=s0` sometimes and docker itself allows `--security-opt label=level:s0`. This patch directly initializes selinux labels, correctly, and adds a test to verify it.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

test: testdata: use container_runtime_t selinux type

RHEL SELinux policy doesn't have `container_t` type but we're using it in our fixtures. That means Fedora integration tests pass because `container_t` is in Fedora's container policy but RHEL is broken. Fix it by using `container_runtime_t` which is aliased in Fedora policy to `container_t`.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
bin2img
checkseccomp
copyimg
hooks
testdata
apparmor.bats
cgroups.bats
ctr.bats
helpers.bash
hooks.bats
image.bats
image_volume.bats
inspect.bats
kpod.bats
kpod_diff.bats
kpod_export.bats
kpod_load.bats
kpod_logs.bats
kpod_mount.bats
kpod_ps.bats
kpod_rename.bats
kpod_rm.bats
kpod_save.bats
kpod_stats.bats
kpod_stop.bats
network.bats
pod.bats
policy.json
README.md
redhat_sigstore.yaml
restore.bats
runtimeversion.bats
seccomp.bats
selinux.bats
tag.bats
test_runner.sh
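The commit message above describes accepting partial SELinux options (for example only `level=s0`) instead of erroring out when user, role or type is missing. The following is an added example, not code from the commit or from CRI-O: `SELinuxOpts`, `partialOpts` and `applyOpts` are hypothetical names, and the base context in `main` is a constructed sample.

```go
package main

import (
	"fmt"
	"strings"
)

// SELinuxOpts is a hypothetical stand-in for the options a sandbox request carries.
type SELinuxOpts struct{ User, Role, Type, Level string }

// partialOpts emits docker-style "key:value" options only for the fields that are set.
func partialOpts(o SELinuxOpts) ([]string, error) {
	var out []string
	for _, kv := range [][2]string{{"user", o.User}, {"role", o.Role}, {"type", o.Type}} {
		if strings.Contains(kv[1], ":") { // a ':' here would smuggle in extra context fields
			return nil, fmt.Errorf("invalid %s %q", kv[0], kv[1])
		}
		if kv[1] != "" {
			out = append(out, kv[0]+":"+kv[1])
		}
	}
	if o.Level != "" { // a level may itself contain ':', e.g. s0:c1,c2
		out = append(out, "level:"+o.Level)
	}
	return out, nil
}

// applyOpts overlays the options on a base context "user:role:type:level";
// fields without an option keep the base value.
func applyOpts(base string, opts []string) (string, error) {
	f := strings.SplitN(base, ":", 4)
	if len(f) != 4 {
		return "", fmt.Errorf("bad base context %q", base)
	}
	idx := map[string]int{"user": 0, "role": 1, "type": 2, "level": 3}
	for _, opt := range opts {
		kv := strings.SplitN(opt, ":", 2)
		i, ok := idx[kv[0]]
		if !ok || len(kv) != 2 || kv[1] == "" {
			return "", fmt.Errorf("bad label option %q", opt)
		}
		f[i] = kv[1]
	}
	return strings.Join(f, ":"), nil
}

func main() {
	opts, _ := partialOpts(SELinuxOpts{Level: "s0"}) // only a level, as kube sometimes sends
	fmt.Println(applyOpts("system_u:system_r:container_runtime_t:s0:c4,c5", opts))
}
```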
CRIO Integration Tests
Integration tests provide end-to-end testing of CRIO.
Note that integration tests do not replace unit tests.
As a rule of thumb, code should be tested thoroughly with unit tests. Integration tests, on the other hand, are meant to test a specific feature end to end.
Integration tests are written in bash using the bats framework.
Running integration tests
Containerized tests
The easiest way to run integration tests is with Docker:
$ make integration
To run a single test bucket:
$ make integration TESTFLAGS="runtimeversion.bats"
On your host
To run the integration tests on your host, you will first need to set up a development environment plus bats. For example:
$ cd ~/go/src/github.com
$ git clone https://github.com/sstephenson/bats.git
$ cd bats
$ ./install.sh /usr/local
You will also need to install the CNI plugins, as the default pod test template runs without host networking:
$ go get github.com/containernetworking/cni
$ cd "$GOPATH/src/github.com/containernetworking/cni"
$ git checkout -q d4bbce1865270cd2d2be558d6a23e63d314fe769
$ ./build.sh
$ mkdir -p /opt/cni/bin
$ cp bin/* /opt/cni/bin/
Then you can run the tests on your host:
$ sudo make localintegration
To run a single test bucket:
$ make localintegration TESTFLAGS="runtimeversion.bats"
Or you can just run them directly using bats:
$ sudo bats test
Runtime selection
Tests on the host will run with runc as the default runtime.
However, you can select other OCI-compatible runtimes by setting the RUNTIME environment variable.
For example, one could use the Clear Containers runtime instead of runc:
make localintegration RUNTIME=cc-oci-runtime
Writing integration tests
[Helper functions](https://github.com/kubernetes-incubator/crio/blob/master/test/helpers.bash) are provided in order to facilitate writing tests.
#!/usr/bin/env bats

# This will load the helpers.
load helpers

# setup is called at the beginning of every test.
function setup() {
	# Bash rejects an empty function body, so use a no-op.
	:
}

# teardown is called at the end of every test.
function teardown() {
	cleanup_test
}

@test "crioctl runtimeversion" {
	start_crio
	# `run` records the exit code in $status and the output in $output.
	run crioctl runtimeversion
	[ "$status" -eq 0 ]
}