authorAdin Scannell <ascannell@google.com>2020-07-09 16:59:42 -0700
committerAdin Scannell <ascannell@google.com>2020-07-09 16:59:42 -0700
commit5471dbe2f36976eb61f8c8fe8eaafd5da0569779 (patch)
tree08fa0f9691189012085c5a515dd81dea46a105e2 /test/shim
parent5946f111827fa4e342a2e6e9c043c198d2e5cb03 (diff)
parent7f8172edf583e0d26bee5e06578a442c7507ba6f (diff)
Merge gvisor-containerd-shim
Diffstat (limited to 'test/shim')
-rwxr-xr-xtest/shim/containerd-install.sh44
-rwxr-xr-xtest/shim/crictl-install.sh17
-rwxr-xr-xtest/shim/run-container.sh30
-rwxr-xr-xtest/shim/runsc-install.sh8
-rwxr-xr-xtest/shim/runtime-handler-shim-v2/install.sh21
-rwxr-xr-xtest/shim/runtime-handler-shim-v2/test.sh34
-rwxr-xr-xtest/shim/runtime-handler-shim-v2/validate.sh7
-rwxr-xr-xtest/shim/runtime-handler/install.sh24
-rwxr-xr-xtest/shim/runtime-handler/test.sh33
-rwxr-xr-xtest/shim/runtime-handler/usage.sh30
-rwxr-xr-xtest/shim/runtimeclass-install.sh33
-rwxr-xr-xtest/shim/shim-install.sh28
-rwxr-xr-xtest/shim/untrusted-workload/install.sh27
-rwxr-xr-xtest/shim/untrusted-workload/test.sh33
-rwxr-xr-xtest/shim/untrusted-workload/usage.sh33
-rwxr-xr-xtest/shim/validate.sh17
16 files changed, 419 insertions, 0 deletions
diff --git a/test/shim/containerd-install.sh b/test/shim/containerd-install.sh
new file mode 100755
index 000000000..400819245
--- /dev/null
+++ b/test/shim/containerd-install.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+# A script to install containerd and CNI plugins for e2e testing
+
+wget -q --https-only \
+ https://github.com/containerd/containerd/releases/download/v${CONTAINERD_VERSION}/containerd-${CONTAINERD_VERSION}.linux-amd64.tar.gz \
+ https://github.com/containernetworking/plugins/releases/download/v0.7.0/cni-plugins-amd64-v0.7.0.tgz
+
+sudo mkdir -p /etc/containerd /etc/cni/net.d /opt/cni/bin
+sudo tar -xvf cni-plugins-amd64-v0.7.0.tgz -C /opt/cni/bin/
+sudo tar -xvf containerd-${CONTAINERD_VERSION}.linux-amd64.tar.gz -C /
+
+cat <<EOF | sudo tee /etc/containerd/config.toml
+disabled_plugins = ["restart"]
+# Set to avoid port overlap on older versions of containerd where default is 10010.
+[plugins.cri]
+ stream_server_port = "10011"
+EOF
+
+cat <<EOF | sudo tee /etc/cni/net.d/10-bridge.conf
+{
+ "cniVersion": "0.3.1",
+ "name": "bridge",
+ "type": "bridge",
+ "bridge": "cnio0",
+ "isGateway": true,
+ "ipMasq": true,
+ "ipam": {
+ "type": "host-local",
+ "ranges": [
+ [{"subnet": "10.200.0.0/24"}]
+ ],
+ "routes": [{"dst": "0.0.0.0/0"}]
+ }
+}
+EOF
+cat <<EOF | sudo tee /etc/cni/net.d/99-loopback.conf
+{
+ "cniVersion": "0.3.1",
+ "type": "loopback"
+}
+EOF
+
+sudo PATH=$PATH containerd -log-level debug &>/tmp/containerd-cri.log &
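Review bot: The `sudo tar -xvf ... -C /` and `-C /opt/cni/bin/` steps unpack archives fetched by the `wget` at the top of the script as root, straight into system paths, without any digest or signature check, so a tampered or truncated download is installed unverified; crictl-install.sh, runsc-install.sh and the release branch of shim-install.sh download and install their binaries the same way. Check each archive against a digest pinned in the script before extracting, e.g. `echo "<EXPECTED_SHA256>  containerd-${CONTAINERD_VERSION}.linux-amd64.tar.gz" | sha256sum -c -` (placeholder; take the value from the release's published checksum file), and do the same for the CNI tarball. This script also has no `set -e` and never checks that `CONTAINERD_VERSION` is set, so a failed or 404'd download still reaches the root extraction and the `containerd` start; add `set -euo pipefail` and `: "${CONTAINERD_VERSION:?must be set}"` after the shebang, with the same `:?` guard for `RUNSC_VERSION` in runsc-install.sh.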
diff --git a/test/shim/crictl-install.sh b/test/shim/crictl-install.sh
new file mode 100755
index 000000000..1d63c889b
--- /dev/null
+++ b/test/shim/crictl-install.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# A sample script for installing crictl.
+
+set -ex
+
+{ # Step 1: Download crictl
+wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.13.0/crictl-v1.13.0-linux-amd64.tar.gz
+tar xf crictl-v1.13.0-linux-amd64.tar.gz
+sudo mv crictl /usr/local/bin
+}
+
+{ # Step 2: Configure crictl
+cat <<EOF | sudo tee /etc/crictl.yaml
+runtime-endpoint: unix:///run/containerd/containerd.sock
+EOF
+}
diff --git a/test/shim/run-container.sh b/test/shim/run-container.sh
new file mode 100755
index 000000000..4595433c3
--- /dev/null
+++ b/test/shim/run-container.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# A sample script to run a container in an existing pod
+
+set -ex
+
+{ # Step 1: Create nginx container config
+cat <<EOF | tee container.json
+{
+ "metadata": {
+ "name": "nginx"
+ },
+ "image":{
+ "image": "nginx"
+ },
+ "log_path":"nginx.0.log",
+ "linux": {
+ }
+}
+EOF
+}
+
+{ # Step 2: Create nginx container
+CONTAINER_ID=$(sudo crictl create ${SANDBOX_ID} container.json sandbox.json)
+}
+
+{ # Step 3: Start nginx container
+sudo crictl start ${CONTAINER_ID}
+}
+
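Review bot: `sudo crictl create ${SANDBOX_ID} container.json sandbox.json` and `sudo crictl start ${CONTAINER_ID}` expand unquoted variables that this script never sets itself; when it is run on its own, or when a usage.sh was not sourced first, the empty expansion silently drops an argument and crictl fails with a usage error instead of a clear message. Assert the input up front with `: "${SANDBOX_ID:?must be set (source a usage.sh first)}"` and quote the expansions as `"${SANDBOX_ID}"` and `"${CONTAINER_ID}"`; validate.sh reads both variables the same way and wants the same guards. The `{ # Step N ... }` groups run in the current shell rather than a subshell, so `CONTAINER_ID` remains visible to the scripts sourced after this one as written.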
diff --git a/test/shim/runsc-install.sh b/test/shim/runsc-install.sh
new file mode 100755
index 000000000..420fe01e9
--- /dev/null
+++ b/test/shim/runsc-install.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Sample script to install runsc
+
+wget -q --https-only \
+ https://storage.googleapis.com/gvisor/releases/${RUNSC_VERSION}/runsc
+chmod +x runsc
+sudo mv runsc /usr/local/bin/
diff --git a/test/shim/runtime-handler-shim-v2/install.sh b/test/shim/runtime-handler-shim-v2/install.sh
new file mode 100755
index 000000000..af6b5be1e
--- /dev/null
+++ b/test/shim/runtime-handler-shim-v2/install.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# A sample script for installing and configuring the gvisor-containerd-shim to
+# use the containerd runtime handler.
+
+set -ex
+
+{ # Step 1: Create containerd config.toml
+cat <<EOF | sudo tee /etc/containerd/config.toml
+disabled_plugins = ["restart"]
+[plugins.linux]
+ shim_debug = true
+[plugins.cri.containerd.runtimes.runsc]
+ runtime_type = "io.containerd.runsc.v1"
+EOF
+}
+
+{ # Step 2: Restart containerd
+sudo pkill containerd
+sudo containerd -log-level debug &> /tmp/containerd-cri.log &
+}
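Review bot: `sudo pkill containerd` followed immediately by `sudo containerd ... &` is a race: pkill only sends the signal, so the new daemon can start while the old one still holds `/run/containerd/containerd.sock`, and the crictl calls that follow may reach the dying instance or nothing at all; runtime-handler/install.sh and untrusted-workload/install.sh have the same restart step. Under `set -e`, `pkill` also aborts the whole sourced test when no containerd is running, since it returns 1 on no match. Wait for the old process to go away before starting the new one, e.g. `sudo pkill -x containerd || true` then `while pgrep -x containerd >/dev/null; do sleep 1; done`, and poll for readiness after the start (something like `until sudo ctr version >/dev/null 2>&1; do sleep 1; done`, ctr being part of the containerd tarball unpacked by containerd-install.sh). The background start itself is never checked by `set -e`, so a bad config.toml only surfaces later in /tmp/containerd-cri.log.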
diff --git a/test/shim/runtime-handler-shim-v2/test.sh b/test/shim/runtime-handler-shim-v2/test.sh
new file mode 100755
index 000000000..e33655ec1
--- /dev/null
+++ b/test/shim/runtime-handler-shim-v2/test.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+# Runs end-to-end tests for gvisor-containerd-shim to test the use of runtime
+# handler. This should work on containerd 1.2+
+
+# This is meant to be run in a VM as it makes a fairly invasive install of
+# containerd.
+
+set -ex
+
+# Install containerd
+. ./test/e2e/containerd-install.sh
+
+# Install gVisor
+. ./test/e2e/runsc-install.sh
+
+# Install gvisor-containerd-shim
+. ./test/e2e/shim-install.sh
+
+# Test installation/configuration
+. ./test/e2e/runtime-handler-shim-v2/install.sh
+
+# Install crictl
+. ./test/e2e/crictl-install.sh
+
+# Test usage (the same with runtime-handler)
+. ./test/e2e/runtime-handler/usage.sh
+
+# Run a container in the sandbox
+. ./test/e2e/run-container.sh
+
+# Validate the pod and container
+. ./test/e2e/validate.sh
+. ./test/e2e/runtime-handler-shim-v2/validate.sh
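Review bot: Every `. ./test/e2e/...` line sources a path that does not exist in this tree: the diffstat places all of these scripts under `test/shim/`, so the first `.` fails and, with `set -e`, the run stops before anything is installed (unless a harness outside this commit copies them to `test/e2e/`, which nothing here shows); runtime-handler/test.sh and untrusted-workload/test.sh carry the same paths. Point the sources at the real location, `. ./test/shim/containerd-install.sh` and so on, or resolve them relative to the script with `shim_dir=$(dirname "${BASH_SOURCE[0]}")/..` and `. "${shim_dir}/containerd-install.sh"`, which also frees the test from depending on the caller's working directory. A one-line header comment stating that the script must be run from the repository root (or that it resolves its own directory) would make that expectation explicit.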
diff --git a/test/shim/runtime-handler-shim-v2/validate.sh b/test/shim/runtime-handler-shim-v2/validate.sh
new file mode 100755
index 000000000..b74a059ef
--- /dev/null
+++ b/test/shim/runtime-handler-shim-v2/validate.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# A sample script to validating the running containerd-shim-runsc-v1.
+
+set -ex
+
+ps aux | grep [c]ontainerd-shim-runsc-v1
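Review bot: `grep [c]ontainerd-shim-runsc-v1` is an unquoted glob, so if a file named `containerd-shim-runsc-v1` exists in the working directory (plausible here, since the dev branch of shim-install.sh runs `make` in the checkout) the shell rewrites the pattern to the literal name, the `[c]` trick no longer excludes the grep itself, and the check passes on its own command line even when no shim is running. `pgrep -f -- containerd-shim-runsc-v1 >/dev/null` avoids both the glob and the self-match; at minimum quote the pattern, `grep '[c]ontainerd-shim-runsc-v1'`. As written the step only proves some shim process exists, not that it serves the sandbox created by usage.sh, which is worth saying in the header comment.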
diff --git a/test/shim/runtime-handler/install.sh b/test/shim/runtime-handler/install.sh
new file mode 100755
index 000000000..ebe9d3580
--- /dev/null
+++ b/test/shim/runtime-handler/install.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# A sample script for installing and configuring the gvisor-containerd-shim to
+# use the containerd runtime handler.
+
+set -ex
+
+{ # Step 1: Create containerd config.toml
+cat <<EOF | sudo tee /etc/containerd/config.toml
+disabled_plugins = ["restart"]
+[plugins.linux]
+ shim = "/usr/local/bin/gvisor-containerd-shim"
+ shim_debug = true
+[plugins.cri.containerd.runtimes.runsc]
+ runtime_type = "io.containerd.runtime.v1.linux"
+ runtime_engine = "/usr/local/bin/runsc"
+ runtime_root = "/run/containerd/runsc"
+EOF
+}
+
+{ # Step 2: Restart containerd
+sudo pkill containerd
+sudo containerd -log-level debug &> /tmp/containerd-cri.log &
+}
diff --git a/test/shim/runtime-handler/test.sh b/test/shim/runtime-handler/test.sh
new file mode 100755
index 000000000..99f3565b6
--- /dev/null
+++ b/test/shim/runtime-handler/test.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Runs end-to-end tests for gvisor-containerd-shim to test the use of runtime
+# handler. This should work on containerd 1.2+
+
+# This is meant to be run in a VM as it makes a fairly invasive install of
+# containerd.
+
+set -ex
+
+# Install containerd
+. ./test/e2e/containerd-install.sh
+
+# Install gVisor
+. ./test/e2e/runsc-install.sh
+
+# Install gvisor-containerd-shim
+. ./test/e2e/shim-install.sh
+
+# Test installation/configuration
+. ./test/e2e/runtime-handler/install.sh
+
+# Install crictl
+. ./test/e2e/crictl-install.sh
+
+# Test usage
+. ./test/e2e/runtime-handler/usage.sh
+
+# Run a container in the sandbox
+. ./test/e2e/run-container.sh
+
+# Validate the pod and container
+. ./test/e2e/validate.sh
diff --git a/test/shim/runtime-handler/usage.sh b/test/shim/runtime-handler/usage.sh
new file mode 100755
index 000000000..350c720c2
--- /dev/null
+++ b/test/shim/runtime-handler/usage.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# A sample script for testing the gvisor-containerd-shim
+# using runtime handler.
+
+set -ex
+
+{ # Step 1: Pull the nginx image
+sudo crictl pull nginx
+}
+
+{ # Step 2: Create sandbox.json
+cat <<EOF | tee sandbox.json
+{
+ "metadata": {
+ "name": "nginx-sandbox",
+ "namespace": "default",
+ "attempt": 1,
+ "uid": "hdishd83djaidwnduwk28bcsb"
+ },
+ "linux": {
+ },
+ "log_directory": "/tmp"
+}
+EOF
+}
+
+{ # Step 3: Create the sandbox
+SANDBOX_ID=$(sudo crictl runp --runtime runsc sandbox.json)
+}
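Review bot: `"log_directory": "/tmp"` makes containerd, which runs as root here, write the pod's `nginx.0.log` (the name given in run-container.sh) to a fixed path in a world-writable directory shared by every run, so a leftover file from an earlier run could be reused or collide; untrusted-workload/usage.sh uses the same value. A per-run directory avoids that: since the heredoc is unquoted, `log_dir=$(mktemp -d)` before Step 2 and `"log_directory": "${log_dir}"` in the JSON is enough. The hard-coded `"uid"` and `"attempt"` are fine for a sample but mean a second run on the same host creates a sandbox with identical metadata; a short comment saying that is intended would help.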
diff --git a/test/shim/runtimeclass-install.sh b/test/shim/runtimeclass-install.sh
new file mode 100755
index 000000000..28abbcd00
--- /dev/null
+++ b/test/shim/runtimeclass-install.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# A sample script to test installing a RuntimeClass
+
+set -ex
+
+{ # Step 1: Install a RuntimeClass
+cat <<EOF | kubectl apply -f -
+apiVersion: node.k8s.io/v1beta1
+kind: RuntimeClass
+metadata:
+ name: gvisor
+handler: runsc
+EOF
+}
+
+{ # Step 2: Create a pod
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-gvisor
+spec:
+ runtimeClassName: gvisor
+ containers:
+ - name: nginx
+ image: nginx
+EOF
+}
+
+{ # Step 3: Get the pod
+kubectl get pod nginx-gvisor -o wide
+}
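Review bot: `kubectl get pod nginx-gvisor -o wide` runs immediately after the `apply`, so the step succeeds while the pod is still Pending and never confirms the RuntimeClass was honoured; a handler misconfiguration that falls back to the default runtime would pass this check unnoticed. Wait for the pod and then assert the sandbox is actually in use, mirroring validate.sh: `kubectl wait --for=condition=Ready pod/nginx-gvisor --timeout=120s` followed by `kubectl exec nginx-gvisor -- dmesg | grep -i gvisor`. The manifest pins `node.k8s.io/v1beta1` for RuntimeClass; a comment noting which Kubernetes versions this sample targets would save the next reader a lookup when the beta API is no longer served.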
diff --git a/test/shim/shim-install.sh b/test/shim/shim-install.sh
new file mode 100755
index 000000000..f98455d46
--- /dev/null
+++ b/test/shim/shim-install.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# A sample script to install gvisor-containerd-shim
+
+set -ex
+
+# Build gvisor-containerd-shim
+if [ "${INSTALL_LATEST}" == "1" ]; then
+{ # Step 1(release): Install gvisor-containerd-shim
+LATEST_RELEASE=$(wget -qO - https://api.github.com/repos/google/gvisor-containerd-shim/releases | grep -oP '(?<="browser_download_url": ")https://[^"]*gvisor-containerd-shim.linux-amd64' | head -1)
+wget -O gvisor-containerd-shim ${LATEST_RELEASE}
+chmod +x gvisor-containerd-shim
+sudo mv gvisor-containerd-shim /usr/local/bin/gvisor-containerd-shim
+}
+else
+{ # Step 1(dev): Build and install gvisor-containerd-shim and containerd-shim-runsc-v1
+ make
+ sudo make install
+}
+fi
+
+{ # Step 2: Create the gvisor-containerd-shim.toml
+cat <<EOF | sudo tee /etc/containerd/gvisor-containerd-shim.toml
+# This is the path to the default runc containerd-shim.
+runc_shim = "/usr/local/bin/containerd-shim"
+EOF
+}
+
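Review bot: The `LATEST_RELEASE=$(wget -qO - ... | grep -oP ... | head -1)` pipeline can yield an empty string without failing: `set -ex` has no `pipefail`, so a failed API request or a non-matching grep is masked by `head`, and the unquoted `wget -O gvisor-containerd-shim ${LATEST_RELEASE}` then runs with no URL. Add `pipefail` (`set -exo pipefail`), guard the result with `: "${LATEST_RELEASE:?no release asset found}"`, and quote it as `"${LATEST_RELEASE}"`. The release branch also installs whichever asset the API listed first rather than a pinned tag, and never verifies it; for a test fixture, pinning the release and checking its digest against the published checksum keeps the run reproducible. In the dev branch, `make` and `sudo make install` run in whatever directory the caller happens to be in, which the header comment should state.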
diff --git a/test/shim/untrusted-workload/install.sh b/test/shim/untrusted-workload/install.sh
new file mode 100755
index 000000000..c4538aed1
--- /dev/null
+++ b/test/shim/untrusted-workload/install.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# A sample script for installing and configuring the gvisor-containerd-shim to
+# use the untrusted workload extension.
+
+set -ex
+
+{ # Step 1: Create containerd config.toml
+cat <<EOF | sudo tee /etc/containerd/config.toml
+disabled_plugins = ["restart"]
+[plugins.linux]
+ shim = "/usr/local/bin/gvisor-containerd-shim"
+ shim_debug = true
+# Set to avoid port overlap on older versions of containerd where default is 10010.
+[plugins.cri]
+ stream_server_port = "10011"
+[plugins.cri.containerd.untrusted_workload_runtime]
+ runtime_type = "io.containerd.runtime.v1.linux"
+ runtime_engine = "/usr/local/bin/runsc"
+ runtime_root = "/run/containerd/runsc"
+EOF
+}
+
+{ # Step 2: Restart containerd
+sudo pkill containerd
+sudo containerd -log-level debug &>/tmp/containerd-cri.log &
+}
diff --git a/test/shim/untrusted-workload/test.sh b/test/shim/untrusted-workload/test.sh
new file mode 100755
index 000000000..6e312cf6d
--- /dev/null
+++ b/test/shim/untrusted-workload/test.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Runs end-to-end tests for gvisor-containerd-shim to test using the
+# untrusted workload extension. This should work on containerd 1.1+
+
+# This is meant to be run in a VM as it makes a fairly invasive install of
+# containerd.
+
+set -ex
+
+# Install containerd
+. ./test/e2e/containerd-install.sh
+
+# Install gVisor
+. ./test/e2e/runsc-install.sh
+
+# Install gvisor-containerd-shim
+. ./test/e2e/shim-install.sh
+
+# Test installation/configuration
+. ./test/e2e/untrusted-workload/install.sh
+
+# Install crictl
+. ./test/e2e/crictl-install.sh
+
+# Test usage
+. ./test/e2e/untrusted-workload/usage.sh
+
+# Run a container in the sandbox
+. ./test/e2e/run-container.sh
+
+# Validate the pod and container
+. ./test/e2e/validate.sh
diff --git a/test/shim/untrusted-workload/usage.sh b/test/shim/untrusted-workload/usage.sh
new file mode 100755
index 000000000..db8206964
--- /dev/null
+++ b/test/shim/untrusted-workload/usage.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# A sample script for testing the gvisor-containerd-shim # using untrusted
+# workload extension.
+
+set -ex
+
+{ # Step 1: Pull the nginx image
+sudo crictl pull nginx
+}
+
+{ # Step 2: Create sandbox.json
+cat <<EOF | tee sandbox.json
+{
+ "metadata": {
+ "name": "nginx-sandbox",
+ "namespace": "default",
+ "attempt": 1,
+ "uid": "hdishd83djaidwnduwk28bcsb"
+ },
+ "annotations": {
+ "io.kubernetes.cri.untrusted-workload": "true"
+ },
+ "linux": {
+ },
+ "log_directory": "/tmp"
+}
+EOF
+}
+
+{ # Step 3: Create the sandbox
+SANDBOX_ID=$(sudo crictl runp sandbox.json)
+}
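Review bot: The header comment has a stray `#` in the middle of the sentence (`# A sample script for testing the gvisor-containerd-shim # using untrusted`), which looks like a line-wrap artifact; rewrite it as `# A sample script for testing the gvisor-containerd-shim using the untrusted` / `# workload extension.`. Unlike runtime-handler/usage.sh, the `crictl runp` here passes no `--runtime`; presumably the `io.kubernetes.cri.untrusted-workload` annotation is what routes the sandbox to the `untrusted_workload_runtime` configured in install.sh, and a one-line comment at Step 3 saying so would spare the reader the cross-reference.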
diff --git a/test/shim/validate.sh b/test/shim/validate.sh
new file mode 100755
index 000000000..b56b79d2a
--- /dev/null
+++ b/test/shim/validate.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# A sample script to validate a running nginx container.
+
+set -ex
+
+{ # Step 1: Inspect the pod
+sudo crictl inspectp ${SANDBOX_ID}
+}
+
+{ # Step 2: Inspect the container
+sudo crictl inspect ${CONTAINER_ID}
+}
+
+{ # Step 3: Check dmesg
+sudo crictl exec ${CONTAINER_ID} dmesg | grep -i gvisor
+}