author | Adin Scannell <ascannell@google.com> | 2020-07-09 16:59:42 -0700 |
---|---|---|
committer | Adin Scannell <ascannell@google.com> | 2020-07-09 16:59:42 -0700 |
commit | 5471dbe2f36976eb61f8c8fe8eaafd5da0569779 (patch) | |
tree | 08fa0f9691189012085c5a515dd81dea46a105e2 /test/shim | |
parent | 5946f111827fa4e342a2e6e9c043c198d2e5cb03 (diff) | |
parent | 7f8172edf583e0d26bee5e06578a442c7507ba6f (diff) |
Merge gvisor-containerd-shim
Diffstat (limited to 'test/shim')
-rwxr-xr-x | test/shim/containerd-install.sh | 44 | ||||
-rwxr-xr-x | test/shim/crictl-install.sh | 17 | ||||
-rwxr-xr-x | test/shim/run-container.sh | 30 | ||||
-rwxr-xr-x | test/shim/runsc-install.sh | 8 | ||||
-rwxr-xr-x | test/shim/runtime-handler-shim-v2/install.sh | 21 | ||||
-rwxr-xr-x | test/shim/runtime-handler-shim-v2/test.sh | 34 | ||||
-rwxr-xr-x | test/shim/runtime-handler-shim-v2/validate.sh | 7 | ||||
-rwxr-xr-x | test/shim/runtime-handler/install.sh | 24 | ||||
-rwxr-xr-x | test/shim/runtime-handler/test.sh | 33 | ||||
-rwxr-xr-x | test/shim/runtime-handler/usage.sh | 30 | ||||
-rwxr-xr-x | test/shim/runtimeclass-install.sh | 33 | ||||
-rwxr-xr-x | test/shim/shim-install.sh | 28 | ||||
-rwxr-xr-x | test/shim/untrusted-workload/install.sh | 27 | ||||
-rwxr-xr-x | test/shim/untrusted-workload/test.sh | 33 | ||||
-rwxr-xr-x | test/shim/untrusted-workload/usage.sh | 33 | ||||
-rwxr-xr-x | test/shim/validate.sh | 17 |
16 files changed, 419 insertions, 0 deletions
diff --git a/test/shim/containerd-install.sh b/test/shim/containerd-install.sh
new file mode 100755
index 000000000..400819245
--- /dev/null
+++ b/test/shim/containerd-install.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+# A script to install containerd and CNI plugins for e2e testing
+
+wget -q --https-only \
+ https://github.com/containerd/containerd/releases/download/v${CONTAINERD_VERSION}/containerd-${CONTAINERD_VERSION}.linux-amd64.tar.gz \
+ https://github.com/containernetworking/plugins/releases/download/v0.7.0/cni-plugins-amd64-v0.7.0.tgz
+
+sudo mkdir -p /etc/containerd /etc/cni/net.d /opt/cni/bin
+sudo tar -xvf cni-plugins-amd64-v0.7.0.tgz -C /opt/cni/bin/
+sudo tar -xvf containerd-${CONTAINERD_VERSION}.linux-amd64.tar.gz -C /
+
+cat <<EOF | sudo tee /etc/containerd/config.toml
+disabled_plugins = ["restart"]
+# Set to avoid port overlap on older versions of containerd where default is 10010.
+[plugins.cri]
+ stream_server_port = "10011"
+EOF
+
+cat <<EOF | sudo tee /etc/cni/net.d/10-bridge.conf
+{
+ "cniVersion": "0.3.1",
+ "name": "bridge",
+ "type": "bridge",
+ "bridge": "cnio0",
+ "isGateway": true,
+ "ipMasq": true,
+ "ipam": {
+ "type": "host-local",
+ "ranges": [
+ [{"subnet": "10.200.0.0/24"}]
+ ],
+ "routes": [{"dst": "0.0.0.0/0"}]
+ }
+}
+EOF
+cat <<EOF | sudo tee /etc/cni/net.d/99-loopback.conf
+{
+ "cniVersion": "0.3.1",
+ "type": "loopback"
+}
+EOF
+
+sudo PATH=$PATH containerd -log-level debug &>/tmp/containerd-cri.log &
diff --git a/test/shim/crictl-install.sh b/test/shim/crictl-install.sh
new file mode 100755
index 000000000..1d63c889b
--- /dev/null
+++ b/test/shim/crictl-install.sh 
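Review bot: The two archives fetched by the `wget` at the top are handed straight to `sudo tar -xvf … -C /` and `-C /opt/cni/bin/` with no integrity check, so whatever bytes the download returned are unpacked by root into the root filesystem; the same unverified download-then-install pattern is in crictl-install.sh, runsc-install.sh and shim-install.sh. Pin the expected digests and check them before extracting, e.g. `echo "<EXPECTED_SHA256>  containerd-${CONTAINERD_VERSION}.linux-amd64.tar.gz" | sha256sum -c -` (placeholder digest). `${CONTAINERD_VERSION}` is also used unguarded and this script, unlike its siblings, has no `set -e`, so when run on its own an unset version or a failed download does not stop the later `tar` and `containerd` start; add `set -ex` and `: "${CONTAINERD_VERSION:?}"` after the shebang. When sourced from the test.sh drivers it inherits their `set -ex`, so the gap is mainly for standalone use.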
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# A sample script for installing crictl.
+
+set -ex
+
+{ # Step 1: Download crictl
+wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.13.0/crictl-v1.13.0-linux-amd64.tar.gz
+tar xf crictl-v1.13.0-linux-amd64.tar.gz
+sudo mv crictl /usr/local/bin
+}
+
+{ # Step 2: Configure crictl
+cat <<EOF | sudo tee /etc/crictl.yaml
+runtime-endpoint: unix:///run/containerd/containerd.sock
+EOF
+}
diff --git a/test/shim/run-container.sh b/test/shim/run-container.sh
new file mode 100755
index 000000000..4595433c3
--- /dev/null
+++ b/test/shim/run-container.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# A sample script to run a container in an existing pod
+
+set -ex
+
+{ # Step 1: Create nginx container config
+cat <<EOF | tee container.json
+{
+ "metadata": {
+ "name": "nginx"
+ },
+ "image":{
+ "image": "nginx"
+ },
+ "log_path":"nginx.0.log",
+ "linux": {
+ }
+}
+EOF
+}
+
+{ # Step 2: Create nginx container
+CONTAINER_ID=$(sudo crictl create ${SANDBOX_ID} container.json sandbox.json)
+}
+
+{ # Step 3: Start nginx container
+sudo crictl start ${CONTAINER_ID}
+}
+
diff --git a/test/shim/runsc-install.sh b/test/shim/runsc-install.sh
new file mode 100755
index 000000000..420fe01e9
--- /dev/null
+++ b/test/shim/runsc-install.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Sample script to install runsc
+
+wget -q --https-only \
+ https://storage.googleapis.com/gvisor/releases/${RUNSC_VERSION}/runsc
+chmod +x runsc
+sudo mv runsc /usr/local/bin/
diff --git a/test/shim/runtime-handler-shim-v2/install.sh b/test/shim/runtime-handler-shim-v2/install.sh
new file mode 100755
index 000000000..af6b5be1e
--- /dev/null
+++ b/test/shim/runtime-handler-shim-v2/install.sh 
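Review bot: The `wget` in Step 1 of crictl-install.sh drops the `--https-only` that containerd-install.sh and runsc-install.sh pass, so a redirect to plain HTTP could be followed before the `crictl` binary is moved into `/usr/local/bin` by root; use `wget -q --https-only https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.13.0/crictl-v1.13.0-linux-amd64.tar.gz` for consistency with the sibling scripts. The archive is also extracted with `tar xf` into the current directory, so the script silently assumes a scratch working directory, which is worth a comment next to Step 1.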
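Review bot: `${SANDBOX_ID}` in Step 2 of run-container.sh is read unquoted and unvalidated; it is expected from the usage.sh sourced earlier by the driver, and if it is empty the command becomes `crictl create container.json sandbox.json`, shifting the arguments instead of failing with a clear message. Guard and quote it: `: "${SANDBOX_ID:?sandbox id not set}"` before Step 2, then `CONTAINER_ID=$(sudo crictl create "${SANDBOX_ID}" container.json sandbox.json)` and `sudo crictl start "${CONTAINER_ID}"`. A one-line comment that `CONTAINER_ID` is deliberately left global for validate.sh would also explain why it is not `local` or exported.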
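Review bot: `${RUNSC_VERSION}` in runsc-install.sh is interpolated into the download URL without a guard and the script has no `set -e` of its own, so run standalone an unset version produces a 404 followed by `chmod`/`mv` errors on a missing file rather than one clear failure. Add `set -ex` and `: "${RUNSC_VERSION:?}"` after the shebang and quote the URL expansion, `"https://storage.googleapis.com/gvisor/releases/${RUNSC_VERSION}/runsc"`. The binary then goes into `/usr/local/bin/` with no integrity check, so a pinned digest compared with `sha512sum -c` before the `sudo mv` would be appropriate for something that runs as the sandbox runtime.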
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# A sample script for installing and configuring the gvisor-containerd-shim to
+# use the containerd runtime handler.
+
+set -ex
+
+{ # Step 1: Create containerd config.toml
+cat <<EOF | sudo tee /etc/containerd/config.toml
+disabled_plugins = ["restart"]
+[plugins.linux]
+ shim_debug = true
+[plugins.cri.containerd.runtimes.runsc]
+ runtime_type = "io.containerd.runsc.v1"
+EOF
+}
+
+{ # Step 2: Restart containerd
+sudo pkill containerd
+sudo containerd -log-level debug &> /tmp/containerd-cri.log &
+}
diff --git a/test/shim/runtime-handler-shim-v2/test.sh b/test/shim/runtime-handler-shim-v2/test.sh
new file mode 100755
index 000000000..e33655ec1
--- /dev/null
+++ b/test/shim/runtime-handler-shim-v2/test.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+# Runs end-to-end tests for gvisor-containerd-shim to test the use of runtime
+# handler. This should work on containerd 1.2+
+
+# This is meant to be run in a VM as it makes a fairly invasive install of
+# containerd.
+
+set -ex
+
+# Install containerd
+. ./test/e2e/containerd-install.sh
+
+# Install gVisor
+. ./test/e2e/runsc-install.sh
+
+# Install gvisor-containerd-shim
+. ./test/e2e/shim-install.sh
+
+# Test installation/configuration
+. ./test/e2e/runtime-handler-shim-v2/install.sh
+
+# Install crictl
+. ./test/e2e/crictl-install.sh
+
+# Test usage (the same with runtime-handler)
+. ./test/e2e/runtime-handler/usage.sh
+
+# Run a container in the sandbox
+. ./test/e2e/run-container.sh
+
+# Validate the pod and container
+. ./test/e2e/validate.sh
+. ./test/e2e/runtime-handler-shim-v2/validate.sh
diff --git a/test/shim/runtime-handler-shim-v2/validate.sh b/test/shim/runtime-handler-shim-v2/validate.sh
new file mode 100755
index 000000000..b74a059ef
--- /dev/null
+++ b/test/shim/runtime-handler-shim-v2/validate.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# A sample script to validating the running containerd-shim-runsc-v1.
+
+set -ex
+
+ps aux | grep [c]ontainerd-shim-runsc-v1 
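Review bot: Step 2 of runtime-handler-shim-v2/install.sh races the restart: `sudo pkill containerd` returns as soon as the signal is sent, and the new `sudo containerd … &` is launched immediately and in the background, so it can come up while the old daemon still holds the socket, and because it is backgrounded its failure is invisible to `set -e` — the first symptom is a later `crictl` error. runtime-handler/install.sh and untrusted-workload/install.sh have the same Step 2. Wait for the old process to exit and the new socket to appear, ideally with a timeout, e.g. `while pgrep -x containerd >/dev/null; do sleep 1; done` between the two commands and `until [ -S /run/containerd/containerd.sock ]; do sleep 1; done` after the start. Separately, the config.toml written here and in runtime-handler/install.sh drops the `[plugins.cri] stream_server_port = "10011"` override that containerd-install.sh and untrusted-workload/install.sh set, which looks unintentional.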
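Review bot: Every sourced path in runtime-handler-shim-v2/test.sh is `./test/e2e/…`, but the files in this commit are added under `test/shim/` (see the diffstat), so `. ./test/e2e/containerd-install.sh` fails on the first step; runtime-handler/test.sh and untrusted-workload/test.sh carry the same paths. Change the prefix to `./test/shim/`, or resolve the paths relative to the driver with `cd "$(dirname "${BASH_SOURCE[0]}")/../.."` before the sources, which also removes the unstated assumption that the driver is launched from the repository root. Because everything is sourced, `set -ex` and the `SANDBOX_ID`/`CONTAINER_ID` variables flow between the scripts; a one-line comment at the top saying so would help the next reader.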
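Review bot: `grep [c]ontainerd-shim-runsc-v1` in runtime-handler-shim-v2/validate.sh is an unquoted bracket glob, so if a file matching the pattern exists in the working directory the shell expands it before grep runs. `pgrep -f containerd-shim-runsc-v1` performs the same check without the `ps | grep` idiom or the glob, and returns non-zero under `set -e` when no shim is running. The header comment reads "to validating the running"; "that validates the running" is what is meant.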
diff --git a/test/shim/runtime-handler/install.sh b/test/shim/runtime-handler/install.sh
new file mode 100755
index 000000000..ebe9d3580
--- /dev/null
+++ b/test/shim/runtime-handler/install.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# A sample script for installing and configuring the gvisor-containerd-shim to
+# use the containerd runtime handler.
+
+set -ex
+
+{ # Step 1: Create containerd config.toml
+cat <<EOF | sudo tee /etc/containerd/config.toml
+disabled_plugins = ["restart"]
+[plugins.linux]
+ shim = "/usr/local/bin/gvisor-containerd-shim"
+ shim_debug = true
+[plugins.cri.containerd.runtimes.runsc]
+ runtime_type = "io.containerd.runtime.v1.linux"
+ runtime_engine = "/usr/local/bin/runsc"
+ runtime_root = "/run/containerd/runsc"
+EOF
+}
+
+{ # Step 2: Restart containerd
+sudo pkill containerd
+sudo containerd -log-level debug &> /tmp/containerd-cri.log &
+}
diff --git a/test/shim/runtime-handler/test.sh b/test/shim/runtime-handler/test.sh
new file mode 100755
index 000000000..99f3565b6
--- /dev/null
+++ b/test/shim/runtime-handler/test.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Runs end-to-end tests for gvisor-containerd-shim to test the use of runtime
+# handler. This should work on containerd 1.2+
+
+# This is meant to be run in a VM as it makes a fairly invasive install of
+# containerd.
+
+set -ex
+
+# Install containerd
+. ./test/e2e/containerd-install.sh
+
+# Install gVisor
+. ./test/e2e/runsc-install.sh
+
+# Install gvisor-containerd-shim
+. ./test/e2e/shim-install.sh
+
+# Test installation/configuration
+. ./test/e2e/runtime-handler/install.sh
+
+# Install crictl
+. ./test/e2e/crictl-install.sh
+
+# Test usage
+. ./test/e2e/runtime-handler/usage.sh
+
+# Run a container in the sandbox
+. ./test/e2e/run-container.sh
+
+# Validate the pod and container
+. ./test/e2e/validate.sh
diff --git a/test/shim/runtime-handler/usage.sh b/test/shim/runtime-handler/usage.sh
new file mode 100755
index 000000000..350c720c2
--- /dev/null 
+++ b/test/shim/runtime-handler/usage.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# A sample script for testing the gvisor-containerd-shim
+# using runtime handler.
+
+set -ex
+
+{ # Step 1: Pull the nginx image
+sudo crictl pull nginx
+}
+
+{ # Step 2: Create sandbox.json
+cat <<EOF | tee sandbox.json
+{
+ "metadata": {
+ "name": "nginx-sandbox",
+ "namespace": "default",
+ "attempt": 1,
+ "uid": "hdishd83djaidwnduwk28bcsb"
+ },
+ "linux": {
+ },
+ "log_directory": "/tmp"
+}
+EOF
+}
+
+{ # Step 3: Create the sandbox
+SANDBOX_ID=$(sudo crictl runp --runtime runsc sandbox.json)
+}
diff --git a/test/shim/runtimeclass-install.sh b/test/shim/runtimeclass-install.sh
new file mode 100755
index 000000000..28abbcd00
--- /dev/null
+++ b/test/shim/runtimeclass-install.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# A sample script to test installing a RuntimeClass
+
+set -ex
+
+{ # Step 1: Install a RuntimeClass
+cat <<EOF | kubectl apply -f -
+apiVersion: node.k8s.io/v1beta1
+kind: RuntimeClass
+metadata:
+ name: gvisor
+handler: runsc
+EOF
+}
+
+{ # Step 2: Create a pod
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-gvisor
+spec:
+ runtimeClassName: gvisor
+ containers:
+ - name: nginx
+ image: nginx
+EOF
+}
+
+{ # Step 3: Get the pod
+kubectl get pod nginx-gvisor -o wide
+}
diff --git a/test/shim/shim-install.sh b/test/shim/shim-install.sh
new file mode 100755
index 000000000..f98455d46
--- /dev/null
+++ b/test/shim/shim-install.sh 
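Review bot: Step 1 of runtime-handler/usage.sh pulls `nginx` with no tag or digest, so the image under test changes from run to run; pinning it, e.g. `sudo crictl pull nginx@sha256:<DIGEST>` (placeholder), keeps the e2e run reproducible, and the same applies to untrusted-workload/usage.sh and to the matching `"image": "nginx"` in run-container.sh. The sandbox also sets `"log_directory": "/tmp"`, so the container log is written by root into a world-writable directory; pointing it at a directory from `mktemp -d` avoids any pre-existing file or link at that path. `SANDBOX_ID` in Step 3 is intentionally left global for the scripts sourced afterwards, which deserves a comment since nothing in this file reads it.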
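Review bot: Step 3 of runtimeclass-install.sh only prints the pod with `kubectl get pod nginx-gvisor -o wide`, so the script exits 0 as long as the object exists, even if the pod stays Pending because no node has the `gvisor` handler. Replace it with a wait that fails on timeout, `kubectl wait --for=condition=Ready pod/nginx-gvisor --timeout=120s`, and keep the `get` afterwards for the log. Nothing removes the pod or RuntimeClass at the end, so a rerun hits `kubectl apply` on existing objects; that is harmless but worth a comment, or a cleanup `trap`.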
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# A sample script to install gvisor-containerd-shim
+
+set -ex
+
+# Build gvisor-containerd-shim
+if [ "${INSTALL_LATEST}" == "1" ]; then
+{ # Step 1(release): Install gvisor-containerd-shim
+LATEST_RELEASE=$(wget -qO - https://api.github.com/repos/google/gvisor-containerd-shim/releases | grep -oP '(?<="browser_download_url": ")https://[^"]*gvisor-containerd-shim.linux-amd64' | head -1)
+wget -O gvisor-containerd-shim ${LATEST_RELEASE}
+chmod +x gvisor-containerd-shim
+sudo mv gvisor-containerd-shim /usr/local/bin/gvisor-containerd-shim
+}
+else
+{ # Step 1(dev): Build and install gvisor-containerd-shim and containerd-shim-runsc-v1
+ make
+ sudo make install
+}
+fi
+
+{ # Step 2: Create the gvisor-containerd-shim.toml
+cat <<EOF | sudo tee /etc/containerd/gvisor-containerd-shim.toml
+# This is the path to the default runc containerd-shim.
+runc_shim = "/usr/local/bin/containerd-shim"
+EOF
+}
+
diff --git a/test/shim/untrusted-workload/install.sh b/test/shim/untrusted-workload/install.sh
new file mode 100755
index 000000000..c4538aed1
--- /dev/null
+++ b/test/shim/untrusted-workload/install.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# A sample script for installing and configuring the gvisor-containerd-shim to
+# use the untrusted workload extension.
+
+set -ex
+
+{ # Step 1: Create containerd config.toml
+cat <<EOF | sudo tee /etc/containerd/config.toml
+disabled_plugins = ["restart"]
+[plugins.linux]
+ shim = "/usr/local/bin/gvisor-containerd-shim"
+ shim_debug = true
+# Set to avoid port overlap on older versions of containerd where default is 10010.
+[plugins.cri]
+ stream_server_port = "10011"
+[plugins.cri.containerd.untrusted_workload_runtime]
+ runtime_type = "io.containerd.runtime.v1.linux"
+ runtime_engine = "/usr/local/bin/runsc"
+ runtime_root = "/run/containerd/runsc"
+EOF
+}
+
+{ # Step 2: Restart containerd
+sudo pkill containerd
+sudo containerd -log-level debug &>/tmp/containerd-cri.log &
+} 
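Review bot: In the `INSTALL_LATEST` branch of shim-install.sh the download URL is scraped from the GitHub releases listing and whatever asset comes first is installed into `/usr/local/bin` as root, unpinned and unverified; with `set -e` but no `pipefail`, an empty `grep` match goes unnoticed until the bare `wget -O gvisor-containerd-shim ${LATEST_RELEASE}` fails on a missing URL. Pin a release tag instead of taking `head -1` of the listing, verify the binary against a checked-in digest before the `sudo mv`, and at minimum add `: "${LATEST_RELEASE:?no release asset found}"` and quote the expansion, `wget -O gvisor-containerd-shim "${LATEST_RELEASE}"`. The `else` branch runs `make` and `sudo make install` from the current directory, which assumes the driver is started at the repository root; a comment saying so would help.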
diff --git a/test/shim/untrusted-workload/test.sh b/test/shim/untrusted-workload/test.sh
new file mode 100755
index 000000000..6e312cf6d
--- /dev/null
+++ b/test/shim/untrusted-workload/test.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Runs end-to-end tests for gvisor-containerd-shim to test using the
+# untrusted workload extension. This should work on containerd 1.1+
+
+# This is meant to be run in a VM as it makes a fairly invasive install of
+# containerd.
+
+set -ex
+
+# Install containerd
+. ./test/e2e/containerd-install.sh
+
+# Install gVisor
+. ./test/e2e/runsc-install.sh
+
+# Install gvisor-containerd-shim
+. ./test/e2e/shim-install.sh
+
+# Test installation/configuration
+. ./test/e2e/untrusted-workload/install.sh
+
+# Install crictl
+. ./test/e2e/crictl-install.sh
+
+# Test usage
+. ./test/e2e/untrusted-workload/usage.sh
+
+# Run a container in the sandbox
+. ./test/e2e/run-container.sh
+
+# Validate the pod and container
+. ./test/e2e/validate.sh
diff --git a/test/shim/untrusted-workload/usage.sh b/test/shim/untrusted-workload/usage.sh
new file mode 100755
index 000000000..db8206964
--- /dev/null
+++ b/test/shim/untrusted-workload/usage.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# A sample script for testing the gvisor-containerd-shim # using untrusted
+# workload extension.
+
+set -ex
+
+{ # Step 1: Pull the nginx image
+sudo crictl pull nginx
+}
+
+{ # Step 2: Create sandbox.json
+cat <<EOF | tee sandbox.json
+{
+ "metadata": {
+ "name": "nginx-sandbox",
+ "namespace": "default",
+ "attempt": 1,
+ "uid": "hdishd83djaidwnduwk28bcsb"
+ },
+ "annotations": {
+ "io.kubernetes.cri.untrusted-workload": "true"
+ },
+ "linux": {
+ },
+ "log_directory": "/tmp"
+}
+EOF
+}
+
+{ # Step 3: Create the sandbox
+SANDBOX_ID=$(sudo crictl runp sandbox.json)
+}
diff --git a/test/shim/validate.sh b/test/shim/validate.sh
new file mode 100755
index 000000000..b56b79d2a
--- /dev/null
+++ b/test/shim/validate.sh 
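Review bot: The header comment of untrusted-workload/usage.sh is garbled: `# A sample script for testing the gvisor-containerd-shim # using untrusted` carries a stray `#` mid-line, so the sentence reads as two fragments; it should be `# A sample script for testing the gvisor-containerd-shim using untrusted` followed by `# workload extension.`. A comment above Step 3 that `SANDBOX_ID` is deliberately left global because run-container.sh and validate.sh, sourced later by the driver, read it would also explain why it is neither exported nor echoed.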
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# A sample script to validate a running nginx container.
+
+set -ex
+
+{ # Step 1: Inspect the pod
+sudo crictl inspectp ${SANDBOX_ID}
+}
+
+{ # Step 2: Inspect the container
+sudo crictl inspect ${CONTAINER_ID}
+}
+
+{ # Step 3: Check dmesg
+sudo crictl exec ${CONTAINER_ID} dmesg | grep -i gvisor
+} |
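Review bot: All three steps of validate.sh read `${SANDBOX_ID}` and `${CONTAINER_ID}` unquoted and unguarded, so if the sourced usage.sh or run-container.sh failed to set them the `crictl` calls run with shifted arguments instead of failing with a clear error. Add `: "${SANDBOX_ID:?}" "${CONTAINER_ID:?}"` after `set -ex` and quote both expansions. Steps 1 and 2 only print inspection output; the `dmesg | grep -i gvisor` in Step 3 is the one assertion that the workload actually runs inside the sandbox, and a short comment saying so would make the intent of the file clear.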