12 files changed, 317 insertions, 0 deletions

diff --git a/test/e2e/containerd-install.sh b/test/e2e/containerd-install.sh
new file mode 100755
index 000000000..154f7d7a5
--- /dev/null
+++ b/test/e2e/containerd-install.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+# A script to install containerd and CNI plugins for e2e testing
+
+wget -q --https-only \
+    https://github.com/containerd/containerd/releases/download/v${CONTAINERD_VERSION}/containerd-${CONTAINERD_VERSION}.linux-amd64.tar.gz \
+    https://github.com/containernetworking/plugins/releases/download/v0.6.0/cni-plugins-amd64-v0.6.0.tgz
+
+sudo mkdir -p /etc/containerd /etc/cni/net.d /opt/cni/bin
+sudo tar -xvf cni-plugins-amd64-v0.6.0.tgz -C /opt/cni/bin/
+sudo tar -xvf containerd-${CONTAINERD_VERSION}.linux-amd64.tar.gz -C /
+
+cat <<EOF | sudo tee /etc/cni/net.d/10-bridge.conf
+{
+  "cniVersion": "0.3.1",
+  "name": "bridge",
+  "type": "bridge",
+  "bridge": "cnio0",
+  "isGateway": true,
+  "ipMasq": true,
+  "ipam": {
+      "type": "host-local",
+      "ranges": [
+        [{"subnet": "10.200.0.0/24"}]
+      ],
+      "routes": [{"dst": "0.0.0.0/0"}]
+  }
+}
+EOF
+cat <<EOF | sudo tee /etc/cni/net.d/99-loopback.conf
+{
+  "cniVersion": "0.3.1",
+  "type": "loopback"
+}
+EOF
+
+sudo PATH=$PATH containerd -log-level debug &> /tmp/containerd-cri.log &
+
diff --git a/test/e2e/crictl-install.sh b/test/e2e/crictl-install.sh
new file mode 100755
index 000000000..1d63c889b
--- /dev/null
+++ b/test/e2e/crictl-install.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# A sample script for installing crictl.
+
+set -ex
+
+{ # Step 1: Download crictl
+wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.13.0/crictl-v1.13.0-linux-amd64.tar.gz
+tar xf crictl-v1.13.0-linux-amd64.tar.gz
+sudo mv crictl /usr/local/bin
+}
+
+{ # Step 2: Configure crictl
+cat <<EOF | sudo tee /etc/crictl.yaml
+runtime-endpoint: unix:///run/containerd/containerd.sock
+EOF
+}
diff --git a/test/e2e/run-container.sh b/test/e2e/run-container.sh
new file mode 100755
index 000000000..4595433c3
--- /dev/null
+++ b/test/e2e/run-container.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# A sample script to run a container in an existing pod
+
+set -ex
+
+{ # Step 1: Create nginx container config
+cat <<EOF | tee container.json
+{
+  "metadata": {
+      "name": "nginx"
+    },
+  "image":{
+      "image": "nginx"
+    },
+  "log_path":"nginx.0.log",
+  "linux": {
+  }
+}
+EOF
+}
+
+{ # Step 2: Create nginx container
+CONTAINER_ID=$(sudo crictl create ${SANDBOX_ID} container.json sandbox.json)
+}
+
+{ # Step 3: Start nginx container
+sudo crictl start ${CONTAINER_ID}
+}
+
diff --git a/test/e2e/runsc-install.sh b/test/e2e/runsc-install.sh
new file mode 100755
index 000000000..64823bd3b
--- /dev/null
+++ b/test/e2e/runsc-install.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Sample script to install runsc
+
+wget -q --https-only \
+    https://storage.googleapis.com/gvisor/releases/nightly/${RUNSC_VERSION}/runsc
+chmod +x runsc
+sudo mv runsc /usr/local/bin/
diff --git a/test/e2e/runtime-handler/install.sh b/test/e2e/runtime-handler/install.sh
new file mode 100755
index 000000000..ebe9d3580
--- /dev/null
+++ b/test/e2e/runtime-handler/install.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# A sample script for installing and configuring the gvisor-containerd-shim to
+# use the containerd runtime handler. 
+
+set -ex
+
+{ # Step 1: Create containerd config.toml
+cat <<EOF | sudo tee /etc/containerd/config.toml
+disabled_plugins = ["restart"]
+[plugins.linux]
+  shim = "/usr/local/bin/gvisor-containerd-shim"
+  shim_debug = true
+[plugins.cri.containerd.runtimes.runsc]
+  runtime_type = "io.containerd.runtime.v1.linux"
+  runtime_engine = "/usr/local/bin/runsc"
+  runtime_root = "/run/containerd/runsc"
+EOF
+}
+
+{ # Step 2: Restart containerd
+sudo pkill containerd
+sudo containerd -log-level debug &> /tmp/containerd-cri.log &
+}
diff --git a/test/e2e/runtime-handler/test.sh b/test/e2e/runtime-handler/test.sh
new file mode 100755
index 000000000..99f3565b6
--- /dev/null
+++ b/test/e2e/runtime-handler/test.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Runs end-to-end tests for gvisor-containerd-shim to test the use of runtime
+# handler. This should work on containerd 1.2+
+
+# This is meant to be run in a VM as it makes a fairly invasive install of
+# containerd.
+
+set -ex
+
+# Install containerd
+. ./test/e2e/containerd-install.sh
+
+# Install gVisor
+. ./test/e2e/runsc-install.sh
+
+# Install gvisor-containerd-shim
+. ./test/e2e/shim-install.sh
+
+# Test installation/configuration
+. ./test/e2e/runtime-handler/install.sh
+
+# Install crictl
+. ./test/e2e/crictl-install.sh
+
+# Test usage
+. ./test/e2e/runtime-handler/usage.sh
+
+# Run a container in the sandbox
+. ./test/e2e/run-container.sh
+
+# Validate the pod and container
+. ./test/e2e/validate.sh
diff --git a/test/e2e/runtime-handler/usage.sh b/test/e2e/runtime-handler/usage.sh
new file mode 100755
index 000000000..1f8a09757
--- /dev/null
+++ b/test/e2e/runtime-handler/usage.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# A sample script for testing the gvisor-containerd-shim # using untrusted
+# workload extension.
+
+set -ex
+
+{ # Step 1: Pull the nginx image
+sudo crictl pull nginx
+}
+
+{ # Step 2: Create sandbox.json
+cat <<EOF | tee sandbox.json
+{
+    "metadata": {
+        "name": "nginx-sandbox",
+        "namespace": "default",
+        "attempt": 1,
+        "uid": "hdishd83djaidwnduwk28bcsb"
+    },
+    "linux": {
+    },
+    "log_directory": "/tmp"
+}
+EOF
+}
+
+{ # Step 3: Create the sandbox
+SANDBOX_ID=$(sudo crictl runp --runtime runsc sandbox.json)
+}
diff --git a/test/e2e/shim-install.sh b/test/e2e/shim-install.sh
new file mode 100755
index 000000000..93587ea50
--- /dev/null
+++ b/test/e2e/shim-install.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# A sample script to install gvisor-containerd-shim
+
+set -ex
+
+# Build gvisor-containerd-shim
+if [ "${INSTALL_LATEST}" === "1" ]; then
+{ # Step 1: Download gvisor-containerd-shim
+LATEST_RELEASE=$(wget -qO - https://api.github.com/repos/google/gvisor-containerd-shim/releases | grep -oP '(?<="browser_download_url": ")https://[^"]*' | head -1)
+wget -O gvisor-containerd-shim
+chmod +x gvisor-containerd-shim
+}
+else
+    make
+    mv bin/gvisor-containerd-shim gvisor-containerd-shim-dev
+fi
+
+{ # Step 2: Copy the binary to the desired directory
+sudo mv gvisor-containerd-shim-* /usr/local/bin/gvisor-containerd-shim
+}
+
+
+{ # Step 3: Create the gvisor-containerd-shim.yaml
+cat <<EOF | sudo tee /etc/containerd/gvisor-containerd-shim.yaml
+# This is the path to the default runc containerd-shim.
+runc_shim = "/usr/local/bin/containerd-shim"
+EOF
+}
+
diff --git a/test/e2e/untrusted-workload/install.sh b/test/e2e/untrusted-workload/install.sh
new file mode 100755
index 000000000..cb11ab8d3
--- /dev/null
+++ b/test/e2e/untrusted-workload/install.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# A sample script for installing and configuring the gvisor-containerd-shim to
+# use the untrusted workload extension.
+
+set -ex
+
+{ # Step 1: Create containerd config.toml
+cat <<EOF | sudo tee /etc/containerd/config.toml
+disabled_plugins = ["restart"]
+[plugins.linux]
+  shim = "/usr/local/bin/gvisor-containerd-shim"
+  shim_debug = true
+[plugins.cri.containerd.untrusted_workload_runtime]
+  runtime_type = "io.containerd.runtime.v1.linux"
+  runtime_engine = "/usr/local/bin/runsc"
+  runtime_root = "/run/containerd/runsc"
+EOF
+}
+
+{ # Step 2: Restart containerd
+sudo pkill containerd
+sudo containerd -log-level debug &> /tmp/containerd-cri.log &
+}
diff --git a/test/e2e/untrusted-workload/test.sh b/test/e2e/untrusted-workload/test.sh
new file mode 100755
index 000000000..6e312cf6d
--- /dev/null
+++ b/test/e2e/untrusted-workload/test.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Runs end-to-end tests for gvisor-containerd-shim to test using the
+# untrusted workload extension. This should work on containerd 1.1+
+
+# This is meant to be run in a VM as it makes a fairly invasive install of
+# containerd.
+
+set -ex
+
+# Install containerd
+. ./test/e2e/containerd-install.sh
+
+# Install gVisor
+. ./test/e2e/runsc-install.sh
+
+# Install gvisor-containerd-shim
+. ./test/e2e/shim-install.sh
+
+# Test installation/configuration
+. ./test/e2e/untrusted-workload/install.sh
+
+# Install crictl
+. ./test/e2e/crictl-install.sh
+
+# Test usage
+. ./test/e2e/untrusted-workload/usage.sh
+
+# Run a container in the sandbox
+. ./test/e2e/run-container.sh
+
+# Validate the pod and container
+. ./test/e2e/validate.sh
diff --git a/test/e2e/untrusted-workload/usage.sh b/test/e2e/untrusted-workload/usage.sh
new file mode 100755
index 000000000..db8206964
--- /dev/null
+++ b/test/e2e/untrusted-workload/usage.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# A sample script for testing the gvisor-containerd-shim # using untrusted
+# workload extension.
+
+set -ex
+
+{ # Step 1: Pull the nginx image
+sudo crictl pull nginx
+}
+
+{ # Step 2: Create sandbox.json
+cat <<EOF | tee sandbox.json
+{
+    "metadata": {
+        "name": "nginx-sandbox",
+        "namespace": "default",
+        "attempt": 1,
+        "uid": "hdishd83djaidwnduwk28bcsb"
+    },
+    "annotations": {
+      "io.kubernetes.cri.untrusted-workload": "true"
+    },
+    "linux": {
+    },
+    "log_directory": "/tmp"
+}
+EOF
+}
+
+{ # Step 3: Create the sandbox
+SANDBOX_ID=$(sudo crictl runp sandbox.json)
+}
diff --git a/test/e2e/validate.sh b/test/e2e/validate.sh
new file mode 100755
index 000000000..b56b79d2a
--- /dev/null
+++ b/test/e2e/validate.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# A sample script to validate a running nginx container.
+
+set -ex
+
+{ # Step 1: Inspect the pod
+sudo crictl inspectp ${SANDBOX_ID}
+}
+
+{ # Step 2: Inspect the container
+sudo crictl inspect ${CONTAINER_ID}
+}
+
+{ # Step 3: Check dmesg
+sudo crictl exec ${CONTAINER_ID} dmesg | grep -i gvisor
+}