Diffstat (limited to 'test')
-rwxr-xr-x | test/e2e/containerd-install.sh | 38 | ||||
-rwxr-xr-x | test/e2e/crictl-install.sh | 17 | ||||
-rwxr-xr-x | test/e2e/run-container.sh | 30 | ||||
-rwxr-xr-x | test/e2e/runsc-install.sh | 8 | ||||
-rwxr-xr-x | test/e2e/runtime-handler/install.sh | 24 | ||||
-rwxr-xr-x | test/e2e/runtime-handler/test.sh | 33 | ||||
-rwxr-xr-x | test/e2e/runtime-handler/usage.sh | 30 | ||||
-rwxr-xr-x | test/e2e/shim-install.sh | 30 | ||||
-rwxr-xr-x | test/e2e/untrusted-workload/install.sh | 24 | ||||
-rwxr-xr-x | test/e2e/untrusted-workload/test.sh | 33 | ||||
-rwxr-xr-x | test/e2e/untrusted-workload/usage.sh | 33 | ||||
-rwxr-xr-x | test/e2e/validate.sh | 17 |
12 files changed, 317 insertions, 0 deletions
diff --git a/test/e2e/containerd-install.sh b/test/e2e/containerd-install.sh
new file mode 100755
index 000000000..154f7d7a5
--- /dev/null
+++ b/test/e2e/containerd-install.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+# A script to install containerd and CNI plugins for e2e testing
+
+wget -q --https-only \
+ https://github.com/containerd/containerd/releases/download/v${CONTAINERD_VERSION}/containerd-${CONTAINERD_VERSION}.linux-amd64.tar.gz \
+ https://github.com/containernetworking/plugins/releases/download/v0.6.0/cni-plugins-amd64-v0.6.0.tgz
+
+sudo mkdir -p /etc/containerd /etc/cni/net.d /opt/cni/bin
+sudo tar -xvf cni-plugins-amd64-v0.6.0.tgz -C /opt/cni/bin/
+sudo tar -xvf containerd-${CONTAINERD_VERSION}.linux-amd64.tar.gz -C /
+
+cat <<EOF | sudo tee /etc/cni/net.d/10-bridge.conf
+{
+ "cniVersion": "0.3.1",
+ "name": "bridge",
+ "type": "bridge",
+ "bridge": "cnio0",
+ "isGateway": true,
+ "ipMasq": true,
+ "ipam": {
+ "type": "host-local",
+ "ranges": [
+ [{"subnet": "10.200.0.0/24"}]
+ ],
+ "routes": [{"dst": "0.0.0.0/0"}]
+ }
+}
+EOF
+cat <<EOF | sudo tee /etc/cni/net.d/99-loopback.conf
+{
+ "cniVersion": "0.3.1",
+ "type": "loopback"
+}
+EOF
+
+sudo PATH=$PATH containerd -log-level debug &> /tmp/containerd-cri.log &
+
diff --git a/test/e2e/crictl-install.sh b/test/e2e/crictl-install.sh
new file mode 100755
index 000000000..1d63c889b
--- /dev/null
+++ b/test/e2e/crictl-install.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# A sample script for installing crictl.
+
+set -ex
+
+{ # Step 1: Download crictl
+wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.13.0/crictl-v1.13.0-linux-amd64.tar.gz
+tar xf crictl-v1.13.0-linux-amd64.tar.gz
+sudo mv crictl /usr/local/bin
+}
+
+{ # Step 2: Configure crictl
+cat <<EOF | sudo tee /etc/crictl.yaml
+runtime-endpoint: unix:///run/containerd/containerd.sock
+EOF
+}
diff --git a/test/e2e/run-container.sh b/test/e2e/run-container.sh
new file mode 100755
index 000000000..4595433c3
--- /dev/null
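Review bot: Both archives fetched by `wget` in containerd-install.sh are unpacked as root (`tar -xvf ... -C /` and `-C /opt/cni/bin/`) with no integrity check, so whatever the download returns is written over the host filesystem. wget documents `--https-only` as applying to recursive retrieval, so it should not be read as a control on these single-file fetches. Pin a digest per artifact and verify it before extraction, e.g. `echo "${CONTAINERD_SHA256}  containerd-${CONTAINERD_VERSION}.linux-amd64.tar.gz" | sha256sum -c -` (the variable name is a placeholder for a digest recorded in the repository). The same gap applies to the crictl tarball in crictl-install.sh, the nightly `runsc` binary in runsc-install.sh and the release asset in shim-install.sh, each of which ends up in `/usr/local/bin`.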
+++ b/test/e2e/run-container.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# A sample script to run a container in an existing pod
+
+set -ex
+
+{ # Step 1: Create nginx container config
+cat <<EOF | tee container.json
+{
+ "metadata": {
+ "name": "nginx"
+ },
+ "image":{
+ "image": "nginx"
+ },
+ "log_path":"nginx.0.log",
+ "linux": {
+ }
+}
+EOF
+}
+
+{ # Step 2: Create nginx container
+CONTAINER_ID=$(sudo crictl create ${SANDBOX_ID} container.json sandbox.json)
+}
+
+{ # Step 3: Start nginx container
+sudo crictl start ${CONTAINER_ID}
+}
+
diff --git a/test/e2e/runsc-install.sh b/test/e2e/runsc-install.sh
new file mode 100755
index 000000000..64823bd3b
--- /dev/null
+++ b/test/e2e/runsc-install.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Sample script to install runsc
+
+wget -q --https-only \
+ https://storage.googleapis.com/gvisor/releases/nightly/${RUNSC_VERSION}/runsc
+chmod +x runsc
+sudo mv runsc /usr/local/bin/
diff --git a/test/e2e/runtime-handler/install.sh b/test/e2e/runtime-handler/install.sh
new file mode 100755
index 000000000..ebe9d3580
--- /dev/null
+++ b/test/e2e/runtime-handler/install.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# A sample script for installing and configuring the gvisor-containerd-shim to
+# use the containerd runtime handler.
+
+set -ex
+
+{ # Step 1: Create containerd config.toml
+cat <<EOF | sudo tee /etc/containerd/config.toml
+disabled_plugins = ["restart"]
+[plugins.linux]
+ shim = "/usr/local/bin/gvisor-containerd-shim"
+ shim_debug = true
+[plugins.cri.containerd.runtimes.runsc]
+ runtime_type = "io.containerd.runtime.v1.linux"
+ runtime_engine = "/usr/local/bin/runsc"
+ runtime_root = "/run/containerd/runsc"
+EOF
+}
+
+{ # Step 2: Restart containerd
+sudo pkill containerd
+sudo containerd -log-level debug &> /tmp/containerd-cri.log &
+}
diff --git a/test/e2e/runtime-handler/test.sh b/test/e2e/runtime-handler/test.sh
new file mode 100755
index 000000000..99f3565b6
--- /dev/null
+++ b/test/e2e/runtime-handler/test.sh
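Review bot: `${SANDBOX_ID}` in Step 2 of run-container.sh and the `sandbox.json` it passes are never set or created in this file; they come from whichever usage.sh was sourced earlier, yet the script is mode 100755 with its own shebang and can be run directly. With the variable empty and unquoted, `crictl create` receives shifted arguments instead of a clear error. Add a guard such as `: "${SANDBOX_ID:?source usage.sh first}"` before Step 2 and quote the expansions (`"${SANDBOX_ID}"`, `"${CONTAINER_ID}"`). The header comment should also say that the file is meant to be sourced and that it leaves `CONTAINER_ID` set for validate.sh.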
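Review bot: `sudo pkill containerd` in Step 2 of runtime-handler/install.sh matches the pattern anywhere in the process name, so it also signals any running `containerd-shim`, and under `set -e` it aborts the script when no process matches (pkill exits 1). `sudo pkill -x containerd || true` limits the signal to the daemon and tolerates a daemon that is not running. The restart line also drops the `PATH=$PATH` that containerd-install.sh passes through sudo and starts the new daemon without waiting for the old one to exit; it is worth confirming both are intended. untrusted-workload/install.sh has the identical Step 2.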
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Runs end-to-end tests for gvisor-containerd-shim to test the use of runtime
+# handler. This should work on containerd 1.2+
+
+# This is meant to be run in a VM as it makes a fairly invasive install of
+# containerd.
+
+set -ex
+
+# Install containerd
+. ./test/e2e/containerd-install.sh
+
+# Install gVisor
+. ./test/e2e/runsc-install.sh
+
+# Install gvisor-containerd-shim
+. ./test/e2e/shim-install.sh
+
+# Test installation/configuration
+. ./test/e2e/runtime-handler/install.sh
+
+# Install crictl
+. ./test/e2e/crictl-install.sh
+
+# Test usage
+. ./test/e2e/runtime-handler/usage.sh
+
+# Run a container in the sandbox
+. ./test/e2e/run-container.sh
+
+# Validate the pod and container
+. ./test/e2e/validate.sh
diff --git a/test/e2e/runtime-handler/usage.sh b/test/e2e/runtime-handler/usage.sh
new file mode 100755
index 000000000..1f8a09757
--- /dev/null
+++ b/test/e2e/runtime-handler/usage.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# A sample script for testing the gvisor-containerd-shim # using untrusted
+# workload extension.
+
+set -ex
+
+{ # Step 1: Pull the nginx image
+sudo crictl pull nginx
+}
+
+{ # Step 2: Create sandbox.json
+cat <<EOF | tee sandbox.json
+{
+ "metadata": {
+ "name": "nginx-sandbox",
+ "namespace": "default",
+ "attempt": 1,
+ "uid": "hdishd83djaidwnduwk28bcsb"
+ },
+ "linux": {
+ },
+ "log_directory": "/tmp"
+}
+EOF
+}
+
+{ # Step 3: Create the sandbox
+SANDBOX_ID=$(sudo crictl runp --runtime runsc sandbox.json)
+}
diff --git a/test/e2e/shim-install.sh b/test/e2e/shim-install.sh
new file mode 100755
index 000000000..93587ea50
--- /dev/null
+++ b/test/e2e/shim-install.sh
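Review bot: The header comment of runtime-handler/test.sh does not state the script's inputs: the sourced installers read `CONTAINERD_VERSION`, `RUNSC_VERSION` and `INSTALL_LATEST` from the environment, and every `. ./test/e2e/...` path resolves against the current directory, so the script only works from the repository root. With a version variable unset, the download URL is built with an empty component and the run stops at a `wget -q` that prints nothing. Document the three variables and the working-directory requirement in the header, and fail early with `: "${CONTAINERD_VERSION:?}" "${RUNSC_VERSION:?}"` right after `set -ex`. untrusted-workload/test.sh needs the same.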
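Review bot: The header comment of runtime-handler/usage.sh describes the untrusted workload extension, but Step 3 selects the runtime explicitly with `crictl runp --runtime runsc` and this sandbox.json carries no `io.kubernetes.cri.untrusted-workload` annotation; the text looks copied from untrusted-workload/usage.sh, stray `#` included. Suggested header: `# A sample script for testing the gvisor-containerd-shim using the containerd runtime handler.` Separately, `sudo crictl pull nginx` (and `"image": "nginx"` in run-container.sh) resolves a mutable tag, so the image under test can change between runs; pinning it by digest would keep runs reproducible.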
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# A sample script to install gvisor-containerd-shim
+
+set -ex
+
+# Build gvisor-containerd-shim
+if [ "${INSTALL_LATEST}" === "1" ]; then
+{ # Step 1: Download gvisor-containerd-shim
+LATEST_RELEASE=$(wget -qO - https://api.github.com/repos/google/gvisor-containerd-shim/releases | grep -oP '(?<="browser_download_url": ")https://[^"]*' | head -1)
+wget -O gvisor-containerd-shim
+chmod +x gvisor-containerd-shim
+}
+else
+ make
+ mv bin/gvisor-containerd-shim gvisor-containerd-shim-dev
+fi
+
+{ # Step 2: Copy the binary to the desired directory
+sudo mv gvisor-containerd-shim-* /usr/local/bin/gvisor-containerd-shim
+}
+
+
+{ # Step 3: Create the gvisor-containerd-shim.yaml
+cat <<EOF | sudo tee /etc/containerd/gvisor-containerd-shim.yaml
+# This is the path to the default runc containerd-shim.
+runc_shim = "/usr/local/bin/containerd-shim"
+EOF
+}
+
diff --git a/test/e2e/untrusted-workload/install.sh b/test/e2e/untrusted-workload/install.sh
new file mode 100755
index 000000000..cb11ab8d3
--- /dev/null
+++ b/test/e2e/untrusted-workload/install.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# A sample script for installing and configuring the gvisor-containerd-shim to
+# use the untrusted workload extension.
+
+set -ex
+
+{ # Step 1: Create containerd config.toml
+cat <<EOF | sudo tee /etc/containerd/config.toml
+disabled_plugins = ["restart"]
+[plugins.linux]
+ shim = "/usr/local/bin/gvisor-containerd-shim"
+ shim_debug = true
+[plugins.cri.containerd.untrusted_workload_runtime]
+ runtime_type = "io.containerd.runtime.v1.linux"
+ runtime_engine = "/usr/local/bin/runsc"
+ runtime_root = "/run/containerd/runsc"
+EOF
+}
+
+{ # Step 2: Restart containerd
+sudo pkill containerd
+sudo containerd -log-level debug &> /tmp/containerd-cri.log &
+}
diff --git a/test/e2e/untrusted-workload/test.sh b/test/e2e/untrusted-workload/test.sh
new file mode 100755
index 000000000..6e312cf6d
--- /dev/null
+++ b/test/e2e/untrusted-workload/test.sh
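Review bot: The `INSTALL_LATEST` branch in shim-install.sh cannot work as written: `===` is not a `[` operator, so the test errors out, is treated as false, and the script always falls through to `make`. Inside the branch, `wget -O gvisor-containerd-shim` is given no URL (`LATEST_RELEASE` is assigned but never used), and the output name would not match the `gvisor-containerd-shim-*` glob in Step 2. Suggested lines: `if [ "${INSTALL_LATEST}" = "1" ]; then`, `wget -O gvisor-containerd-shim-latest "${LATEST_RELEASE}"`, `chmod +x gvisor-containerd-shim-latest`. The asset URL is scraped from the API response with `grep -oP ... | head -1` and the result is installed as root, so an empty match should be rejected before the download.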
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Runs end-to-end tests for gvisor-containerd-shim to test using the
+# untrusted workload extension. This should work on containerd 1.1+
+
+# This is meant to be run in a VM as it makes a fairly invasive install of
+# containerd.
+
+set -ex
+
+# Install containerd
+. ./test/e2e/containerd-install.sh
+
+# Install gVisor
+. ./test/e2e/runsc-install.sh
+
+# Install gvisor-containerd-shim
+. ./test/e2e/shim-install.sh
+
+# Test installation/configuration
+. ./test/e2e/untrusted-workload/install.sh
+
+# Install crictl
+. ./test/e2e/crictl-install.sh
+
+# Test usage
+. ./test/e2e/untrusted-workload/usage.sh
+
+# Run a container in the sandbox
+. ./test/e2e/run-container.sh
+
+# Validate the pod and container
+. ./test/e2e/validate.sh
diff --git a/test/e2e/untrusted-workload/usage.sh b/test/e2e/untrusted-workload/usage.sh
new file mode 100755
index 000000000..db8206964
--- /dev/null
+++ b/test/e2e/untrusted-workload/usage.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# A sample script for testing the gvisor-containerd-shim # using untrusted
+# workload extension.
+
+set -ex
+
+{ # Step 1: Pull the nginx image
+sudo crictl pull nginx
+}
+
+{ # Step 2: Create sandbox.json
+cat <<EOF | tee sandbox.json
+{
+ "metadata": {
+ "name": "nginx-sandbox",
+ "namespace": "default",
+ "attempt": 1,
+ "uid": "hdishd83djaidwnduwk28bcsb"
+ },
+ "annotations": {
+ "io.kubernetes.cri.untrusted-workload": "true"
+ },
+ "linux": {
+ },
+ "log_directory": "/tmp"
+}
+EOF
+}
+
+{ # Step 3: Create the sandbox
+SANDBOX_ID=$(sudo crictl runp sandbox.json)
+}
diff --git a/test/e2e/validate.sh b/test/e2e/validate.sh
new file mode 100755
index 000000000..b56b79d2a
--- /dev/null
+++ b/test/e2e/validate.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# A sample script to validate a running nginx container.
+
+set -ex
+
+{ # Step 1: Inspect the pod
+sudo crictl inspectp ${SANDBOX_ID}
+}
+
+{ # Step 2: Inspect the container
+sudo crictl inspect ${CONTAINER_ID}
+}
+
+{ # Step 3: Check dmesg
+sudo crictl exec ${CONTAINER_ID} dmesg | grep -i gvisor
+}
+} |
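Review bot: Steps 1 and 2 of validate.sh only print the `crictl inspectp` / `crictl inspect` output and assert nothing about pod or container state, which leaves the `dmesg | grep -i gvisor` pipeline in Step 3 as the only check that the workload ran under runsc rather than another runtime. Consider asserting the state explicitly, e.g. `sudo crictl inspect "${CONTAINER_ID}" | grep -q CONTAINER_RUNNING`, and guarding the inputs with `: "${SANDBOX_ID:?}" "${CONTAINER_ID:?}"` so an empty ID fails with a clear message instead of a crictl usage error. A one-line comment on Step 3 stating that the match in the container's kernel log is the sandboxing assertion would keep a later edit from weakening it by accident.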