author | Ian Lewis <ianlewis@google.com> | 2019-01-15 16:41:01 +0900 |
---|---|---|
committer | Lantao Liu <taotaotheripper@gmail.com> | 2019-01-14 23:41:01 -0800 |
commit | bd2940861c282dfc39309bca94378c820ab7df7e (patch) | |
tree | 70792e8491bd57e82f56c2ec2c5c7680fc9bd4f9 /test/e2e | |
parent | 9e0866102bf53f50a0353775b7bb370fe77ee5b4 (diff) |
End to end tests refs #3 (#10)
* Separate docs for containerd 1.1 and 1.2
The configuration for the untrusted workload annotation and runtime
class are different enough that it makes sense to separate the docs.
Commands in docs are taken from scripts in the docs/scripts directory.
These scripts can be used later for integration & doc tests (#3). The
docs can be updated using the embedmd tool:
https://github.com/campoy/embedmd
* Add basic e2e tests refs #3
Added end-to-end tests based on the quickstart workflows for
containerd 1.1 and containerd 1.2+.
Diffstat (limited to 'test/e2e')
-rwxr-xr-x | test/e2e/containerd-install.sh | 38 | ||||
-rwxr-xr-x | test/e2e/crictl-install.sh | 17 | ||||
-rwxr-xr-x | test/e2e/run-container.sh | 30 | ||||
-rwxr-xr-x | test/e2e/runsc-install.sh | 8 | ||||
-rwxr-xr-x | test/e2e/runtime-handler/install.sh | 24 | ||||
-rwxr-xr-x | test/e2e/runtime-handler/test.sh | 33 | ||||
-rwxr-xr-x | test/e2e/runtime-handler/usage.sh | 30 | ||||
-rwxr-xr-x | test/e2e/shim-install.sh | 30 | ||||
-rwxr-xr-x | test/e2e/untrusted-workload/install.sh | 24 | ||||
-rwxr-xr-x | test/e2e/untrusted-workload/test.sh | 33 | ||||
-rwxr-xr-x | test/e2e/untrusted-workload/usage.sh | 33 | ||||
-rwxr-xr-x | test/e2e/validate.sh | 17 |
12 files changed, 317 insertions, 0 deletions
diff --git a/test/e2e/containerd-install.sh b/test/e2e/containerd-install.sh
new file mode 100755
index 000000000..154f7d7a5
--- /dev/null
+++ b/test/e2e/containerd-install.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+# A script to install containerd and CNI plugins for e2e testing
+
+wget -q --https-only \
+ https://github.com/containerd/containerd/releases/download/v${CONTAINERD_VERSION}/containerd-${CONTAINERD_VERSION}.linux-amd64.tar.gz \
+ https://github.com/containernetworking/plugins/releases/download/v0.6.0/cni-plugins-amd64-v0.6.0.tgz
+
+sudo mkdir -p /etc/containerd /etc/cni/net.d /opt/cni/bin
+sudo tar -xvf cni-plugins-amd64-v0.6.0.tgz -C /opt/cni/bin/
+sudo tar -xvf containerd-${CONTAINERD_VERSION}.linux-amd64.tar.gz -C /
+
+cat <<EOF | sudo tee /etc/cni/net.d/10-bridge.conf
+{
+ "cniVersion": "0.3.1",
+ "name": "bridge",
+ "type": "bridge",
+ "bridge": "cnio0",
+ "isGateway": true,
+ "ipMasq": true,
+ "ipam": {
+ "type": "host-local",
+ "ranges": [
+ [{"subnet": "10.200.0.0/24"}]
+ ],
+ "routes": [{"dst": "0.0.0.0/0"}]
+ }
+}
+EOF
+cat <<EOF | sudo tee /etc/cni/net.d/99-loopback.conf
+{
+ "cniVersion": "0.3.1",
+ "type": "loopback"
+}
+EOF
+
+sudo PATH=$PATH containerd -log-level debug &> /tmp/containerd-cri.log &
+
diff --git a/test/e2e/crictl-install.sh b/test/e2e/crictl-install.sh
new file mode 100755
index 000000000..1d63c889b
--- /dev/null
+++ b/test/e2e/crictl-install.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# A sample script for installing crictl.
+
+set -ex
+
+{ # Step 1: Download crictl
+wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.13.0/crictl-v1.13.0-linux-amd64.tar.gz
+tar xf crictl-v1.13.0-linux-amd64.tar.gz
+sudo mv crictl /usr/local/bin
+}
+
+{ # Step 2: Configure crictl
+cat <<EOF | sudo tee /etc/crictl.yaml
+runtime-endpoint: unix:///run/containerd/containerd.sock
+EOF
+}
diff --git a/test/e2e/run-container.sh b/test/e2e/run-container.sh
new file mode 100755
index 000000000..4595433c3
--- /dev/null
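Review bot: The two `wget` downloads in containerd-install.sh are unpacked as root (`sudo tar -xvf … -C /` and `-C /opt/cni/bin/`) without any integrity check, so whatever the release URL returns is written straight into the host filesystem. Pin a digest per artifact and verify it before extracting, e.g. `echo "<EXPECTED_SHA256>  containerd-${CONTAINERD_VERSION}.linux-amd64.tar.gz" | sha256sum -c -` (placeholder digest), and do the same for the CNI tarball. The same gap applies to the crictl tarball in crictl-install.sh (whose `wget` also omits `--https-only`), the nightly `runsc` binary in runsc-install.sh, and the shim download in shim-install.sh. For runsc, the `runsc.sha512` file published next to the binary can be fetched and checked with `sha512sum -c runsc.sha512`.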
+++ b/test/e2e/run-container.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# A sample script to run a container in an existing pod
+
+set -ex
+
+{ # Step 1: Create nginx container config
+cat <<EOF | tee container.json
+{
+ "metadata": {
+ "name": "nginx"
+ },
+ "image":{
+ "image": "nginx"
+ },
+ "log_path":"nginx.0.log",
+ "linux": {
+ }
+}
+EOF
+}
+
+{ # Step 2: Create nginx container
+CONTAINER_ID=$(sudo crictl create ${SANDBOX_ID} container.json sandbox.json)
+}
+
+{ # Step 3: Start nginx container
+sudo crictl start ${CONTAINER_ID}
+}
+
diff --git a/test/e2e/runsc-install.sh b/test/e2e/runsc-install.sh
new file mode 100755
index 000000000..64823bd3b
--- /dev/null
+++ b/test/e2e/runsc-install.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Sample script to install runsc
+
+wget -q --https-only \
+ https://storage.googleapis.com/gvisor/releases/nightly/${RUNSC_VERSION}/runsc
+chmod +x runsc
+sudo mv runsc /usr/local/bin/
diff --git a/test/e2e/runtime-handler/install.sh b/test/e2e/runtime-handler/install.sh
new file mode 100755
index 000000000..ebe9d3580
--- /dev/null
+++ b/test/e2e/runtime-handler/install.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# A sample script for installing and configuring the gvisor-containerd-shim to
+# use the containerd runtime handler.
+
+set -ex
+
+{ # Step 1: Create containerd config.toml
+cat <<EOF | sudo tee /etc/containerd/config.toml
+disabled_plugins = ["restart"]
+[plugins.linux]
+ shim = "/usr/local/bin/gvisor-containerd-shim"
+ shim_debug = true
+[plugins.cri.containerd.runtimes.runsc]
+ runtime_type = "io.containerd.runtime.v1.linux"
+ runtime_engine = "/usr/local/bin/runsc"
+ runtime_root = "/run/containerd/runsc"
+EOF
+}
+
+{ # Step 2: Restart containerd
+sudo pkill containerd
+sudo containerd -log-level debug &> /tmp/containerd-cri.log &
+}
diff --git a/test/e2e/runtime-handler/test.sh b/test/e2e/runtime-handler/test.sh
new file mode 100755
index 000000000..99f3565b6
--- /dev/null
+++ b/test/e2e/runtime-handler/test.sh
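Review bot: `${SANDBOX_ID}` and `${CONTAINER_ID}` in run-container.sh are expanded unquoted and never checked, so if the usage script was not sourced first (or `crictl runp` printed nothing) `crictl create` receives `container.json` in the pod-ID position and fails with a misleading error. Guard at the top of the script with `: "${SANDBOX_ID:?source usage.sh first}"` and quote both expansions: `sudo crictl create "${SANDBOX_ID}" container.json sandbox.json` and `sudo crictl start "${CONTAINER_ID}"`. The script also depends on `sandbox.json` already existing in the current directory, which is worth stating in the header comment.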
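Review bot: Step 2 of runtime-handler/install.sh restarts the daemon with `sudo pkill containerd` followed immediately by a new `containerd … &`, and that sequence is fragile in three ways. The pattern is a substring match, so it also signals `containerd-shim` and `gvisor-containerd-shim` processes; `pkill` exits non-zero when nothing matches, which aborts the script under `set -ex`; and nothing waits for the old daemon to exit or for `/run/containerd/containerd.sock` to reappear before the next sourced script calls `crictl`. Use `sudo pkill -x containerd || true`, wait until `pgrep -x containerd` no longer finds the old process, start the new daemon, then poll for the socket in a bounded loop. The restart line also drops the `PATH=$PATH` that containerd-install.sh passes through `sudo`; if it was needed there it is presumably needed here too. untrusted-workload/install.sh has the identical Step 2.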
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Runs end-to-end tests for gvisor-containerd-shim to test the use of runtime
+# handler. This should work on containerd 1.2+
+
+# This is meant to be run in a VM as it makes a fairly invasive install of
+# containerd.
+
+set -ex
+
+# Install containerd
+. ./test/e2e/containerd-install.sh
+
+# Install gVisor
+. ./test/e2e/runsc-install.sh
+
+# Install gvisor-containerd-shim
+. ./test/e2e/shim-install.sh
+
+# Test installation/configuration
+. ./test/e2e/runtime-handler/install.sh
+
+# Install crictl
+. ./test/e2e/crictl-install.sh
+
+# Test usage
+. ./test/e2e/runtime-handler/usage.sh
+
+# Run a container in the sandbox
+. ./test/e2e/run-container.sh
+
+# Validate the pod and container
+. ./test/e2e/validate.sh
diff --git a/test/e2e/runtime-handler/usage.sh b/test/e2e/runtime-handler/usage.sh
new file mode 100755
index 000000000..1f8a09757
--- /dev/null
+++ b/test/e2e/runtime-handler/usage.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# A sample script for testing the gvisor-containerd-shim # using untrusted
+# workload extension.
+
+set -ex
+
+{ # Step 1: Pull the nginx image
+sudo crictl pull nginx
+}
+
+{ # Step 2: Create sandbox.json
+cat <<EOF | tee sandbox.json
+{
+ "metadata": {
+ "name": "nginx-sandbox",
+ "namespace": "default",
+ "attempt": 1,
+ "uid": "hdishd83djaidwnduwk28bcsb"
+ },
+ "linux": {
+ },
+ "log_directory": "/tmp"
+}
+EOF
+}
+
+{ # Step 3: Create the sandbox
+SANDBOX_ID=$(sudo crictl runp --runtime runsc sandbox.json)
+}
diff --git a/test/e2e/shim-install.sh b/test/e2e/shim-install.sh
new file mode 100755
index 000000000..93587ea50
--- /dev/null
+++ b/test/e2e/shim-install.sh
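Review bot: Nothing in runtime-handler/test.sh checks that `CONTAINERD_VERSION` and `RUNSC_VERSION` are set before the install scripts are sourced, so an unset variable yields a download URL such as `…/download/v/containerd-.linux-amd64.tar.gz` and a silent `wget -q` failure with no hint of the cause. Add `: "${CONTAINERD_VERSION:?must be set}"` and `: "${RUNSC_VERSION:?must be set}"` right after `set -ex`; a blanket `set -u` would trip on the optional `INSTALL_LATEST` read in shim-install.sh. The `. ./test/e2e/…` paths also assume the repository root as the working directory, which the header comment should say. untrusted-workload/test.sh needs the same guards.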
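Review bot: The header comment of runtime-handler/usage.sh is copied from the untrusted-workload variant and is wrong here: this script selects the sandboxed runtime with `crictl runp --runtime runsc`, not with the untrusted-workload annotation, and the first comment line has a stray `#` in the middle. Replace it with `# A sample script for testing the gvisor-containerd-shim using the containerd` and `# runtime handler.`. Separately, `sudo crictl pull nginx` takes whatever `latest` resolves to at run time; pinning a tag or digest would keep the e2e run reproducible (the same line appears in untrusted-workload/usage.sh).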
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# A sample script to install gvisor-containerd-shim
+
+set -ex
+
+# Build gvisor-containerd-shim
+if [ "${INSTALL_LATEST}" === "1" ]; then
+{ # Step 1: Download gvisor-containerd-shim
+LATEST_RELEASE=$(wget -qO - https://api.github.com/repos/google/gvisor-containerd-shim/releases | grep -oP '(?<="browser_download_url": ")https://[^"]*' | head -1)
+wget -O gvisor-containerd-shim
+chmod +x gvisor-containerd-shim
+}
+else
+ make
+ mv bin/gvisor-containerd-shim gvisor-containerd-shim-dev
+fi
+
+{ # Step 2: Copy the binary to the desired directory
+sudo mv gvisor-containerd-shim-* /usr/local/bin/gvisor-containerd-shim
+}
+
+
+{ # Step 3: Create the gvisor-containerd-shim.yaml
+cat <<EOF | sudo tee /etc/containerd/gvisor-containerd-shim.yaml
+# This is the path to the default runc containerd-shim.
+runc_shim = "/usr/local/bin/containerd-shim"
+EOF
+}
+
diff --git a/test/e2e/untrusted-workload/install.sh b/test/e2e/untrusted-workload/install.sh
new file mode 100755
index 000000000..cb11ab8d3
--- /dev/null
+++ b/test/e2e/untrusted-workload/install.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# A sample script for installing and configuring the gvisor-containerd-shim to
+# use the untrusted workload extension.
+
+set -ex
+
+{ # Step 1: Create containerd config.toml
+cat <<EOF | sudo tee /etc/containerd/config.toml
+disabled_plugins = ["restart"]
+[plugins.linux]
+ shim = "/usr/local/bin/gvisor-containerd-shim"
+ shim_debug = true
+[plugins.cri.containerd.untrusted_workload_runtime]
+ runtime_type = "io.containerd.runtime.v1.linux"
+ runtime_engine = "/usr/local/bin/runsc"
+ runtime_root = "/run/containerd/runsc"
+EOF
+}
+
+{ # Step 2: Restart containerd
+sudo pkill containerd
+sudo containerd -log-level debug &> /tmp/containerd-cri.log &
+}
diff --git a/test/e2e/untrusted-workload/test.sh b/test/e2e/untrusted-workload/test.sh
new file mode 100755
index 000000000..6e312cf6d
--- /dev/null
+++ b/test/e2e/untrusted-workload/test.sh
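Review bot: The `INSTALL_LATEST` branch of shim-install.sh cannot work as shown. `[ "${INSTALL_LATEST}" === "1" ]` uses an operator that `[` does not have, so the test errors out and the `else` branch always runs; inside the branch, `wget -O gvisor-containerd-shim` is given no URL (`LATEST_RELEASE` is assigned but never used), and the output name does not match the `gvisor-containerd-shim-*` glob that Step 2 moves. Suggested lines: `if [ "${INSTALL_LATEST}" = "1" ]; then`, `wget -O gvisor-containerd-shim-latest "${LATEST_RELEASE}"`, `chmod +x gvisor-containerd-shim-latest`. It would also help to fail early when `LATEST_RELEASE` is empty, because only the exit status of `head -1` decides whether the assignment counts as a failure under `set -e`.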
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Runs end-to-end tests for gvisor-containerd-shim to test using the
+# untrusted workload extension. This should work on containerd 1.1+
+
+# This is meant to be run in a VM as it makes a fairly invasive install of
+# containerd.
+
+set -ex
+
+# Install containerd
+. ./test/e2e/containerd-install.sh
+
+# Install gVisor
+. ./test/e2e/runsc-install.sh
+
+# Install gvisor-containerd-shim
+. ./test/e2e/shim-install.sh
+
+# Test installation/configuration
+. ./test/e2e/untrusted-workload/install.sh
+
+# Install crictl
+. ./test/e2e/crictl-install.sh
+
+# Test usage
+. ./test/e2e/untrusted-workload/usage.sh
+
+# Run a container in the sandbox
+. ./test/e2e/run-container.sh
+
+# Validate the pod and container
+. ./test/e2e/validate.sh
diff --git a/test/e2e/untrusted-workload/usage.sh b/test/e2e/untrusted-workload/usage.sh
new file mode 100755
index 000000000..db8206964
--- /dev/null
+++ b/test/e2e/untrusted-workload/usage.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# A sample script for testing the gvisor-containerd-shim # using untrusted
+# workload extension.
+
+set -ex
+
+{ # Step 1: Pull the nginx image
+sudo crictl pull nginx
+}
+
+{ # Step 2: Create sandbox.json
+cat <<EOF | tee sandbox.json
+{
+ "metadata": {
+ "name": "nginx-sandbox",
+ "namespace": "default",
+ "attempt": 1,
+ "uid": "hdishd83djaidwnduwk28bcsb"
+ },
+ "annotations": {
+ "io.kubernetes.cri.untrusted-workload": "true"
+ },
+ "linux": {
+ },
+ "log_directory": "/tmp"
+}
+EOF
+}
+
+{ # Step 3: Create the sandbox
+SANDBOX_ID=$(sudo crictl runp sandbox.json)
+}
diff --git a/test/e2e/validate.sh b/test/e2e/validate.sh
new file mode 100755
index 000000000..b56b79d2a
--- /dev/null
+++ b/test/e2e/validate.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# A sample script to validate a running nginx container.
+
+set -ex
+
+{ # Step 1: Inspect the pod
+sudo crictl inspectp ${SANDBOX_ID}
+}
+
+{ # Step 2: Inspect the container
+sudo crictl inspect ${CONTAINER_ID}
+}
+
+{ # Step 3: Check dmesg
+sudo crictl exec ${CONTAINER_ID} dmesg | grep -i gvisor
+} |
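Review bot: Steps 1 and 2 of validate.sh only print the `crictl inspectp` / `crictl inspect` output and never assert on it, so the single real check is the `dmesg | grep -i gvisor` in Step 3, where a failing `crictl exec` shows up only indirectly as grep finding nothing. Asserting the state makes a failure explicit, for example `sudo crictl inspectp "${SANDBOX_ID}" | grep -q SANDBOX_READY` and `sudo crictl inspect "${CONTAINER_ID}" | grep -q CONTAINER_RUNNING`. The three variable expansions should be quoted, and because the container was started by the previous script only moments earlier, a short bounded retry around Step 3 would avoid a flaky first `exec`.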