9 files changed, 604 insertions, 29 deletions
diff --git a/test/root/BUILD b/test/root/BUILD
index f130df2c7..d5dd9bca2 100644
--- a/test/root/BUILD
+++ b/test/root/BUILD
@@ -15,6 +15,11 @@ go_test(
         "cgroup_test.go",
         "chroot_test.go",
         "crictl_test.go",
+        "main_test.go",
+        "oom_score_adj_test.go",
+    ],
+    data = [
+        "//runsc",
     ],
     embed = [":root"],
     tags = [
@@ -25,12 +30,15 @@ go_test(
     ],
     visibility = ["//:sandbox"],
     deps = [
+        "//runsc/boot",
         "//runsc/cgroup",
+        "//runsc/container",
         "//runsc/criutil",
         "//runsc/dockerutil",
         "//runsc/specutils",
         "//runsc/testutil",
         "//test/root/testdata",
+        "@com_github_opencontainers_runtime-spec//specs-go:go_default_library",
         "@com_github_syndtr_gocapability//capability:go_default_library",
     ],
 )
diff --git a/test/root/cgroup_test.go b/test/root/cgroup_test.go
index cc7e8583e..4038661cb 100644
--- a/test/root/cgroup_test.go
+++ b/test/root/cgroup_test.go
@@ -24,6 +24,7 @@ import (
 	"strconv"
 	"strings"
 	"testing"
+	"time"
 
 	"gvisor.dev/gvisor/runsc/cgroup"
 	"gvisor.dev/gvisor/runsc/dockerutil"
@@ -56,12 +57,71 @@ func verifyPid(pid int, path string) error {
 }
 
 // TestCgroup sets cgroup options and checks that cgroup was properly configured.
+func TestMemCGroup(t *testing.T) {
+	allocMemSize := 128 << 20
+	if err := dockerutil.Pull("python"); err != nil {
+		t.Fatal("docker pull failed:", err)
+	}
+	d := dockerutil.MakeDocker("memusage-test")
+
+	// Start a new container and allocate the specified about of memory.
+	args := []string{
+		"--memory=256MB",
+		"python",
+		"python",
+		"-c",
+		fmt.Sprintf("import time; s = 'a' * %d; time.sleep(100)", allocMemSize),
+	}
+	if err := d.Run(args...); err != nil {
+		t.Fatal("docker create failed:", err)
+	}
+	defer d.CleanUp()
+
+	gid, err := d.ID()
+	if err != nil {
+		t.Fatalf("Docker.ID() failed: %v", err)
+	}
+	t.Logf("cgroup ID: %s", gid)
+
+	path := filepath.Join("/sys/fs/cgroup/memory/docker", gid, "memory.usage_in_bytes")
+	memUsage := 0
+
+	// Wait when the container will allocate memory.
+	start := time.Now()
+	for time.Now().Sub(start) < 30*time.Second {
+		outRaw, err := ioutil.ReadFile(path)
+		if err != nil {
+			t.Fatalf("failed to read %q: %v", path, err)
+		}
+		out := strings.TrimSpace(string(outRaw))
+		memUsage, err = strconv.Atoi(out)
+		if err != nil {
+			t.Fatalf("Atoi(%v): %v", out, err)
+		}
+
+		if memUsage > allocMemSize {
+			return
+		}
+
+		time.Sleep(100 * time.Millisecond)
+	}
+
+	t.Fatalf("%vMB is less than %vMB: %v", memUsage>>20, allocMemSize>>20)
+}
+
+// TestCgroup sets cgroup options and checks that cgroup was properly configured.
 func TestCgroup(t *testing.T) {
 	if err := dockerutil.Pull("alpine"); err != nil {
 		t.Fatal("docker pull failed:", err)
 	}
 	d := dockerutil.MakeDocker("cgroup-test")
 
+	// This is not a comprehensive list of attributes.
+	//
+	// Note that we are specifically missing cpusets, which fail if specified.
+	// In any case, it's unclear if cpusets can be reliably tested here: these
+	// are often run on a single core virtual machine, and there is only a single
+	// CPU available in our current set, and every container's set.
 	attrs := []struct {
 		arg            string
 		ctrl           string
@@ -88,18 +148,6 @@ func TestCgroup(t *testing.T) {
 			want: "3000",
 		},
 		{
-			arg:  "--cpuset-cpus=0",
-			ctrl: "cpuset",
-			file: "cpuset.cpus",
-			want: "0",
-		},
-		{
-			arg:  "--cpuset-mems=0",
-			ctrl: "cpuset",
-			file: "cpuset.mems",
-			want: "0",
-		},
-		{
 			arg:  "--kernel-memory=100MB",
 			ctrl: "memory",
 			file: "memory.kmem.limit_in_bytes",
diff --git a/test/root/chroot_test.go b/test/root/chroot_test.go
index f47f8e2c2..be0f63d18 100644
--- a/test/root/chroot_test.go
+++ b/test/root/chroot_test.go
@@ -16,19 +16,15 @@
 package root
 
 import (
-	"flag"
 	"fmt"
 	"io/ioutil"
-	"os"
 	"os/exec"
 	"path/filepath"
 	"strconv"
 	"strings"
 	"testing"
 
-	"github.com/syndtr/gocapability/capability"
 	"gvisor.dev/gvisor/runsc/dockerutil"
-	"gvisor.dev/gvisor/runsc/specutils"
 )
 
 // TestChroot verifies that the sandbox is chroot'd and that mounts are cleaned
@@ -144,15 +140,3 @@ func TestChrootGofer(t *testing.T) {
 		}
 	}
 }
-
-func TestMain(m *testing.M) {
-	dockerutil.EnsureSupportedDockerVersion()
-
-	if !specutils.HasCapabilities(capability.CAP_SYS_ADMIN, capability.CAP_DAC_OVERRIDE) {
-		fmt.Println("Test requires sysadmin privileges to run. Try again with sudo.")
-		os.Exit(1)
-	}
-
-	flag.Parse()
-	os.Exit(m.Run())
-}
diff --git a/test/root/crictl_test.go b/test/root/crictl_test.go
index d597664f5..3f90c4c6a 100644
--- a/test/root/crictl_test.go
+++ b/test/root/crictl_test.go
@@ -126,6 +126,59 @@ func TestMountOverSymlinks(t *testing.T) {
 	}
 }
 
+// TestHomeDir tests that the HOME environment variable is set for
+// multi-containers.
+func TestHomeDir(t *testing.T) {
+	// Setup containerd and crictl.
+	crictl, cleanup, err := setup(t)
+	if err != nil {
+		t.Fatalf("failed to setup crictl: %v", err)
+	}
+	defer cleanup()
+	contSpec := testdata.SimpleSpec("root", "k8s.gcr.io/busybox", []string{"sleep", "1000"})
+	podID, contID, err := crictl.StartPodAndContainer("k8s.gcr.io/busybox", testdata.Sandbox, contSpec)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	t.Run("root container", func(t *testing.T) {
+		out, err := crictl.Exec(contID, "sh", "-c", "echo $HOME")
+		if err != nil {
+			t.Fatal(err)
+		}
+		if got, want := strings.TrimSpace(string(out)), "/root"; got != want {
+			t.Fatalf("Home directory invalid. Got %q, Want : %q", got, want)
+		}
+	})
+
+	t.Run("sub-container", func(t *testing.T) {
+		// Create a sub container in the same pod.
+		subContSpec := testdata.SimpleSpec("subcontainer", "k8s.gcr.io/busybox", []string{"sleep", "1000"})
+		subContID, err := crictl.StartContainer(podID, "k8s.gcr.io/busybox", testdata.Sandbox, subContSpec)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		out, err := crictl.Exec(subContID, "sh", "-c", "echo $HOME")
+		if err != nil {
+			t.Fatal(err)
+		}
+		if got, want := strings.TrimSpace(string(out)), "/root"; got != want {
+			t.Fatalf("Home directory invalid. Got %q, Want: %q", got, want)
+		}
+
+		if err := crictl.StopContainer(subContID); err != nil {
+			t.Fatal(err)
+		}
+	})
+
+	// Stop everything.
+	if err := crictl.StopPodAndContainer(podID, contID); err != nil {
+		t.Fatal(err)
+	}
+
+}
+
 // setup sets up before a test. Specifically it:
 // * Creates directories and a socket for containerd to utilize.
 // * Runs containerd and waits for it to reach a "ready" state for testing.
diff --git a/test/root/main_test.go b/test/root/main_test.go
new file mode 100644
index 000000000..d74dec85f
--- /dev/null
+++ b/test/root/main_test.go
@@ -0,0 +1,49 @@
+// Copyright 2018 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package root
+
+import (
+	"flag"
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/syndtr/gocapability/capability"
+	"gvisor.dev/gvisor/runsc/dockerutil"
+	"gvisor.dev/gvisor/runsc/specutils"
+)
+
+// TestMain is the main function for root tests. This function checks the
+// supported docker version, required capabilities, and configures the executable
+// path for runsc.
+func TestMain(m *testing.M) {
+	flag.Parse()
+
+	if !specutils.HasCapabilities(capability.CAP_SYS_ADMIN, capability.CAP_DAC_OVERRIDE) {
+		fmt.Println("Test requires sysadmin privileges to run. Try again with sudo.")
+		os.Exit(1)
+	}
+
+	dockerutil.EnsureSupportedDockerVersion()
+
+	// Configure exe for tests.
+	path, err := dockerutil.RuntimePath()
+	if err != nil {
+		panic(err.Error())
+	}
+	specutils.ExePath = path
+
+	os.Exit(m.Run())
+}
diff --git a/test/root/oom_score_adj_test.go b/test/root/oom_score_adj_test.go
new file mode 100644
index 000000000..126f0975a
--- /dev/null
+++ b/test/root/oom_score_adj_test.go
@@ -0,0 +1,386 @@
+// Copyright 2018 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package root
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	specs "github.com/opencontainers/runtime-spec/specs-go"
+	"gvisor.dev/gvisor/runsc/boot"
+	"gvisor.dev/gvisor/runsc/container"
+	"gvisor.dev/gvisor/runsc/specutils"
+	"gvisor.dev/gvisor/runsc/testutil"
+)
+
+var (
+	maxOOMScoreAdj  = 1000
+	highOOMScoreAdj = 500
+	lowOOMScoreAdj  = -500
+	minOOMScoreAdj  = -1000
+)
+
+// Tests for oom_score_adj have to be run as root (rather than in a user
+// namespace) because we need to adjust oom_score_adj for PIDs other than our
+// own and test values below 0.
+
+// TestOOMScoreAdjSingle tests that oom_score_adj is set properly in a
+// single container sandbox.
+func TestOOMScoreAdjSingle(t *testing.T) {
+	rootDir, err := testutil.SetupRootDir()
+	if err != nil {
+		t.Fatalf("error creating root dir: %v", err)
+	}
+	defer os.RemoveAll(rootDir)
+
+	conf := testutil.TestConfig()
+	conf.RootDir = rootDir
+
+	ppid, err := specutils.GetParentPid(os.Getpid())
+	if err != nil {
+		t.Fatalf("getting parent pid: %v", err)
+	}
+	parentOOMScoreAdj, err := specutils.GetOOMScoreAdj(ppid)
+	if err != nil {
+		t.Fatalf("getting parent oom_score_adj: %v", err)
+	}
+
+	testCases := []struct {
+		Name string
+
+		// OOMScoreAdj is the oom_score_adj set to the OCI spec. If nil then
+		// no value is set.
+		OOMScoreAdj *int
+	}{
+		{
+			Name:        "max",
+			OOMScoreAdj: &maxOOMScoreAdj,
+		},
+		{
+			Name:        "high",
+			OOMScoreAdj: &highOOMScoreAdj,
+		},
+		{
+			Name:        "low",
+			OOMScoreAdj: &lowOOMScoreAdj,
+		},
+		{
+			Name:        "min",
+			OOMScoreAdj: &minOOMScoreAdj,
+		},
+		{
+			Name:        "nil",
+			OOMScoreAdj: &parentOOMScoreAdj,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.Name, func(t *testing.T) {
+			id := testutil.UniqueContainerID()
+			s := testutil.NewSpecWithArgs("sleep", "1000")
+			s.Process.OOMScoreAdj = testCase.OOMScoreAdj
+
+			containers, cleanup, err := startContainers(conf, []*specs.Spec{s}, []string{id})
+			if err != nil {
+				t.Fatalf("error starting containers: %v", err)
+			}
+			defer cleanup()
+
+			c := containers[0]
+
+			// Verify the gofer's oom_score_adj
+			if testCase.OOMScoreAdj != nil {
+				goferScore, err := specutils.GetOOMScoreAdj(c.GoferPid)
+				if err != nil {
+					t.Fatalf("error reading gofer oom_score_adj: %v", err)
+				}
+				if goferScore != *testCase.OOMScoreAdj {
+					t.Errorf("gofer oom_score_adj got: %d, want: %d", goferScore, *testCase.OOMScoreAdj)
+				}
+
+				// Verify the sandbox's oom_score_adj.
+				//
+				// The sandbox should be the same for all containers so just use
+				// the first one.
+				sandboxPid := c.Sandbox.Pid
+				sandboxScore, err := specutils.GetOOMScoreAdj(sandboxPid)
+				if err != nil {
+					t.Fatalf("error reading sandbox oom_score_adj: %v", err)
+				}
+				if sandboxScore != *testCase.OOMScoreAdj {
+					t.Errorf("sandbox oom_score_adj got: %d, want: %d", sandboxScore, *testCase.OOMScoreAdj)
+				}
+			}
+		})
+	}
+}
+
+// TestOOMScoreAdjMulti tests that oom_score_adj is set properly in a
+// multi-container sandbox.
+func TestOOMScoreAdjMulti(t *testing.T) {
+	rootDir, err := testutil.SetupRootDir()
+	if err != nil {
+		t.Fatalf("error creating root dir: %v", err)
+	}
+	defer os.RemoveAll(rootDir)
+
+	conf := testutil.TestConfig()
+	conf.RootDir = rootDir
+
+	ppid, err := specutils.GetParentPid(os.Getpid())
+	if err != nil {
+		t.Fatalf("getting parent pid: %v", err)
+	}
+	parentOOMScoreAdj, err := specutils.GetOOMScoreAdj(ppid)
+	if err != nil {
+		t.Fatalf("getting parent oom_score_adj: %v", err)
+	}
+
+	testCases := []struct {
+		Name string
+
+		// OOMScoreAdj is the oom_score_adj set to the OCI spec. If nil then
+		// no value is set. One value for each container. The first value is the
+		// root container.
+		OOMScoreAdj []*int
+
+		// Expected is the expected oom_score_adj of the sandbox. If nil, then
+		// this value is ignored.
+		Expected *int
+
+		// Remove is a set of container indexes to remove from the sandbox.
+		Remove []int
+
+		// ExpectedAfterRemove is the expected oom_score_adj of the sandbox
+		// after containers are removed. Ignored if nil.
+		ExpectedAfterRemove *int
+	}{
+		// A single container CRI test case. This should not happen in
+		// practice as there should be at least one container besides the pause
+		// container. However, we include a test case to ensure sane behavior.
+		{
+			Name:        "single",
+			OOMScoreAdj: []*int{&highOOMScoreAdj},
+			Expected:    &parentOOMScoreAdj,
+		},
+		{
+			Name:        "multi_no_value",
+			OOMScoreAdj: []*int{nil, nil, nil},
+			Expected:    &parentOOMScoreAdj,
+		},
+		{
+			Name:        "multi_non_nil_root",
+			OOMScoreAdj: []*int{&minOOMScoreAdj, nil, nil},
+			Expected:    &parentOOMScoreAdj,
+		},
+		{
+			Name:        "multi_value",
+			OOMScoreAdj: []*int{&minOOMScoreAdj, &highOOMScoreAdj, &lowOOMScoreAdj},
+			// The lowest value excluding the root container is expected.
+			Expected: &lowOOMScoreAdj,
+		},
+		{
+			Name:        "multi_min_value",
+			OOMScoreAdj: []*int{&minOOMScoreAdj, &lowOOMScoreAdj},
+			// The lowest value excluding the root container is expected.
+			Expected: &lowOOMScoreAdj,
+		},
+		{
+			Name:        "multi_max_value",
+			OOMScoreAdj: []*int{&minOOMScoreAdj, &maxOOMScoreAdj, &highOOMScoreAdj},
+			// The lowest value excluding the root container is expected.
+			Expected: &highOOMScoreAdj,
+		},
+		{
+			Name:        "remove_adjusted",
+			OOMScoreAdj: []*int{&minOOMScoreAdj, &maxOOMScoreAdj, &highOOMScoreAdj},
+			// The lowest value excluding the root container is expected.
+			Expected: &highOOMScoreAdj,
+			// Remove highOOMScoreAdj container.
+			Remove:              []int{2},
+			ExpectedAfterRemove: &maxOOMScoreAdj,
+		},
+		{
+			// This test removes all non-root sandboxes with a specified oomScoreAdj.
+			Name:        "remove_to_nil",
+			OOMScoreAdj: []*int{&minOOMScoreAdj, nil, &lowOOMScoreAdj},
+			Expected:    &lowOOMScoreAdj,
+			// Remove lowOOMScoreAdj container.
+			Remove: []int{2},
+			// The oom_score_adj expected after remove is that of the parent process.
+			ExpectedAfterRemove: &parentOOMScoreAdj,
+		},
+		{
+			Name:        "remove_no_effect",
+			OOMScoreAdj: []*int{&minOOMScoreAdj, &maxOOMScoreAdj, &highOOMScoreAdj},
+			// The lowest value excluding the root container is expected.
+			Expected: &highOOMScoreAdj,
+			// Remove the maxOOMScoreAdj container.
+			Remove:              []int{1},
+			ExpectedAfterRemove: &highOOMScoreAdj,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.Name, func(t *testing.T) {
+			var cmds [][]string
+			var oomScoreAdj []*int
+			var toRemove []string
+
+			for _, oomScore := range testCase.OOMScoreAdj {
+				oomScoreAdj = append(oomScoreAdj, oomScore)
+				cmds = append(cmds, []string{"sleep", "100"})
+			}
+
+			specs, ids := createSpecs(cmds...)
+			for i, spec := range specs {
+				// Ensure the correct value is set, including no value.
+				spec.Process.OOMScoreAdj = oomScoreAdj[i]
+
+				for _, j := range testCase.Remove {
+					if i == j {
+						toRemove = append(toRemove, ids[i])
+					}
+				}
+			}
+
+			containers, cleanup, err := startContainers(conf, specs, ids)
+			if err != nil {
+				t.Fatalf("error starting containers: %v", err)
+			}
+			defer cleanup()
+
+			for i, c := range containers {
+				if oomScoreAdj[i] != nil {
+					// Verify the gofer's oom_score_adj
+					score, err := specutils.GetOOMScoreAdj(c.GoferPid)
+					if err != nil {
+						t.Fatalf("error reading gofer oom_score_adj: %v", err)
+					}
+					if score != *oomScoreAdj[i] {
+						t.Errorf("gofer oom_score_adj got: %d, want: %d", score, *oomScoreAdj[i])
+					}
+				}
+			}
+
+			// Verify the sandbox's oom_score_adj.
+			//
+			// The sandbox should be the same for all containers so just use
+			// the first one.
+			sandboxPid := containers[0].Sandbox.Pid
+			if testCase.Expected != nil {
+				score, err := specutils.GetOOMScoreAdj(sandboxPid)
+				if err != nil {
+					t.Fatalf("error reading sandbox oom_score_adj: %v", err)
+				}
+				if score != *testCase.Expected {
+					t.Errorf("sandbox oom_score_adj got: %d, want: %d", score, *testCase.Expected)
+				}
+			}
+
+			if len(toRemove) == 0 {
+				return
+			}
+
+			// Remove containers.
+			for _, removeID := range toRemove {
+				for _, c := range containers {
+					if c.ID == removeID {
+						c.Destroy()
+					}
+				}
+			}
+
+			// Check the new adjusted oom_score_adj.
+			if testCase.ExpectedAfterRemove != nil {
+				scoreAfterRemove, err := specutils.GetOOMScoreAdj(sandboxPid)
+				if err != nil {
+					t.Fatalf("error reading sandbox oom_score_adj: %v", err)
+				}
+				if scoreAfterRemove != *testCase.ExpectedAfterRemove {
+					t.Errorf("sandbox oom_score_adj got: %d, want: %d", scoreAfterRemove, *testCase.ExpectedAfterRemove)
+				}
+			}
+		})
+	}
+}
+
+func createSpecs(cmds ...[]string) ([]*specs.Spec, []string) {
+	var specs []*specs.Spec
+	var ids []string
+	rootID := testutil.UniqueContainerID()
+
+	for i, cmd := range cmds {
+		spec := testutil.NewSpecWithArgs(cmd...)
+		if i == 0 {
+			spec.Annotations = map[string]string{
+				specutils.ContainerdContainerTypeAnnotation: specutils.ContainerdContainerTypeSandbox,
+			}
+			ids = append(ids, rootID)
+		} else {
+			spec.Annotations = map[string]string{
+				specutils.ContainerdContainerTypeAnnotation: specutils.ContainerdContainerTypeContainer,
+				specutils.ContainerdSandboxIDAnnotation:     rootID,
+			}
+			ids = append(ids, testutil.UniqueContainerID())
+		}
+		specs = append(specs, spec)
+	}
+	return specs, ids
+}
+
+func startContainers(conf *boot.Config, specs []*specs.Spec, ids []string) ([]*container.Container, func(), error) {
+	if len(conf.RootDir) == 0 {
+		panic("conf.RootDir not set. Call testutil.SetupRootDir() to set.")
+	}
+
+	var containers []*container.Container
+	var bundles []string
+	cleanup := func() {
+		for _, c := range containers {
+			c.Destroy()
+		}
+		for _, b := range bundles {
+			os.RemoveAll(b)
+		}
+	}
+	for i, spec := range specs {
+		bundleDir, err := testutil.SetupBundleDir(spec)
+		if err != nil {
+			cleanup()
+			return nil, nil, fmt.Errorf("error setting up container: %v", err)
+		}
+		bundles = append(bundles, bundleDir)
+
+		args := container.Args{
+			ID:        ids[i],
+			Spec:      spec,
+			BundleDir: bundleDir,
+		}
+		cont, err := container.New(conf, args)
+		if err != nil {
+			cleanup()
+			return nil, nil, fmt.Errorf("error creating container: %v", err)
+		}
+		containers = append(containers, cont)
+
+		if err := cont.Start(conf); err != nil {
+			cleanup()
+			return nil, nil, fmt.Errorf("error starting container: %v", err)
+		}
+	}
+	return containers, cleanup, nil
+}
diff --git a/test/root/root.go b/test/root/root.go
index 349c752cc..0f1d29faf 100644
--- a/test/root/root.go
+++ b/test/root/root.go
@@ -12,5 +12,10 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-// Package root is empty. See chroot_test.go for description.
+// Package root is used for tests that requires sysadmin privileges run. First,
+// follow the setup instruction in runsc/test/README.md. You should also have
+// docker, containerd, and crictl installed. To run these tests from the
+// project root directory:
+//
+//     ./scripts/root_tests.sh
 package root
diff --git a/test/root/testdata/BUILD b/test/root/testdata/BUILD
index 14c19ef1e..125633680 100644
--- a/test/root/testdata/BUILD
+++ b/test/root/testdata/BUILD
@@ -10,6 +10,7 @@ go_library(
         "httpd.go",
         "httpd_mount_paths.go",
         "sandbox.go",
+        "simple.go",
     ],
     importpath = "gvisor.dev/gvisor/test/root/testdata",
     visibility = [
diff --git a/test/root/testdata/simple.go b/test/root/testdata/simple.go
new file mode 100644
index 000000000..1cca53f0c
--- /dev/null
+++ b/test/root/testdata/simple.go
@@ -0,0 +1,41 @@
+// Copyright 2018 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package testdata
+
+import (
+	"encoding/json"
+	"fmt"
+)
+
+// SimpleSpec returns a JSON config for a simple container that runs the
+// specified command in the specified image.
+func SimpleSpec(name, image string, cmd []string) string {
+	cmds, err := json.Marshal(cmd)
+	if err != nil {
+		// This shouldn't happen.
+		panic(err)
+	}
+	return fmt.Sprintf(`
+{
+        "metadata": {
+                "name": %q
+        },
+        "image": {
+                "image": %q
+        },
+        "command": %s
+	}
+`, name, image, cmds)
+}