Diffstat (limited to 'test/shim/untrusted-workload')
-rwxr-xr-xtest/shim/untrusted-workload/install.sh27
-rwxr-xr-xtest/shim/untrusted-workload/test.sh33
-rwxr-xr-xtest/shim/untrusted-workload/usage.sh33
3 files changed, 93 insertions, 0 deletions
diff --git a/test/shim/untrusted-workload/install.sh b/test/shim/untrusted-workload/install.sh
new file mode 100755
index 000000000..c4538aed1
--- /dev/null
+++ b/test/shim/untrusted-workload/install.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# A sample script for installing and configuring the gvisor-containerd-shim to
+# use the untrusted workload extension.
+
+set -ex
+
+{ # Step 1: Create containerd config.toml
+cat <<EOF | sudo tee /etc/containerd/config.toml
+disabled_plugins = ["restart"]
+[plugins.linux]
+ shim = "/usr/local/bin/gvisor-containerd-shim"
+ shim_debug = true
+# Set to avoid port overlap on older versions of containerd where default is 10010.
+[plugins.cri]
+ stream_server_port = "10011"
+[plugins.cri.containerd.untrusted_workload_runtime]
+ runtime_type = "io.containerd.runtime.v1.linux"
+ runtime_engine = "/usr/local/bin/runsc"
+ runtime_root = "/run/containerd/runsc"
+EOF
+}
+
+{ # Step 2: Restart containerd
+sudo pkill containerd
+sudo containerd -log-level debug &>/tmp/containerd-cri.log &
+}
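Review bot: `sudo pkill containerd` in Step 2 is fragile under `set -ex`: pkill exits 1 when no process matches, so on a host where containerd is not already running the script stops before the new daemon is started. The unanchored pattern also matches any process whose name merely contains "containerd", including shim processes. `sudo pkill -x containerd || true` restricts the match to the daemon and tolerates the not-running case. The relaunch follows immediately, with no wait for the old process to exit or for the new socket to appear, so a later crictl call may race it. The log is written to the fixed path `/tmp/containerd-cri.log`, and the redirection is opened by the invoking shell rather than by sudo; a file created with `mktemp`, or a root-owned log directory, avoids writing through a pre-existing symlink on a shared machine.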
diff --git a/test/shim/untrusted-workload/test.sh b/test/shim/untrusted-workload/test.sh
new file mode 100755
index 000000000..6e312cf6d
--- /dev/null
+++ b/test/shim/untrusted-workload/test.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Runs end-to-end tests for gvisor-containerd-shim to test using the
+# untrusted workload extension. This should work on containerd 1.1+
+
+# This is meant to be run in a VM as it makes a fairly invasive install of
+# containerd.
+
+set -ex
+
+# Install containerd
+. ./test/e2e/containerd-install.sh
+
+# Install gVisor
+. ./test/e2e/runsc-install.sh
+
+# Install gvisor-containerd-shim
+. ./test/e2e/shim-install.sh
+
+# Test installation/configuration
+. ./test/e2e/untrusted-workload/install.sh
+
+# Install crictl
+. ./test/e2e/crictl-install.sh
+
+# Test usage
+. ./test/e2e/untrusted-workload/usage.sh
+
+# Run a container in the sandbox
+. ./test/e2e/run-container.sh
+
+# Validate the pod and container
+. ./test/e2e/validate.sh
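Review bot: Every script is sourced from `./test/e2e/...`, but this commit adds the files under `test/shim/untrusted-workload/`, so lines such as `. ./test/e2e/untrusted-workload/install.sh` and `. ./test/e2e/untrusted-workload/usage.sh` do not point at the copies introduced here. Unless `test/e2e` still exists elsewhere in the tree (not visible on this page), `set -e` makes the first missing file abort the run; the two local ones would read `. ./test/shim/untrusted-workload/install.sh` and `. ./test/shim/untrusted-workload/usage.sh`. The paths are also relative to the caller's working directory, so the header comment should state that the script must be started from the repository root. Because the scripts are sourced rather than executed, each one's `set -ex` and variables leak into this shell, which is worth a one-line comment since `SANDBOX_ID` from usage.sh is presumably consumed by the later steps.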
diff --git a/test/shim/untrusted-workload/usage.sh b/test/shim/untrusted-workload/usage.sh
new file mode 100755
index 000000000..db8206964
--- /dev/null
+++ b/test/shim/untrusted-workload/usage.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# A sample script for testing the gvisor-containerd-shim # using untrusted
+# workload extension.
+
+set -ex
+
+{ # Step 1: Pull the nginx image
+sudo crictl pull nginx
+}
+
+{ # Step 2: Create sandbox.json
+cat <<EOF | tee sandbox.json
+{
+ "metadata": {
+ "name": "nginx-sandbox",
+ "namespace": "default",
+ "attempt": 1,
+ "uid": "hdishd83djaidwnduwk28bcsb"
+ },
+ "annotations": {
+ "io.kubernetes.cri.untrusted-workload": "true"
+ },
+ "linux": {
+ },
+ "log_directory": "/tmp"
+}
+EOF
+}
+
+{ # Step 3: Create the sandbox
+SANDBOX_ID=$(sudo crictl runp sandbox.json)
+}
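Review bot: `sudo crictl pull nginx` in Step 1 resolves a mutable default tag, so the image that the sandbox test runs changes over time and is whatever the registry serves on the day. Pinning it, for example `sudo crictl pull nginx@sha256:<digest-placeholder>` with the digest of a reviewed image, keeps the test reproducible and removes an unverified input from a script that runs under sudo. The header comment has a stray `#` in the middle of the sentence (`gvisor-containerd-shim # using untrusted`); it should read `# A sample script for testing the gvisor-containerd-shim using the untrusted workload extension.` A short comment on the `io.kubernetes.cri.untrusted-workload` annotation, saying that it is what selects the `untrusted_workload_runtime` configured in install.sh, would make the purpose of sandbox.json clear to a reader.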