22 files changed, 1166 insertions, 3 deletions
diff --git a/test/runtimes/BUILD b/test/runtimes/BUILD
new file mode 100644
index 000000000..e85804a83
--- /dev/null
+++ b/test/runtimes/BUILD
@@ -0,0 +1,25 @@
+# These packages are used to run language runtime tests inside gVisor sandboxes.
+
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+load("//runsc/test:build_defs.bzl", "runtime_test")
+
+package(licenses = ["notice"])
+
+go_library(
+    name = "runtimes",
+    srcs = ["runtimes.go"],
+    importpath = "gvisor.dev/gvisor/test/runtimes",
+)
+
+runtime_test(
+    name = "runtimes_test",
+    size = "small",
+    srcs = ["runtimes_test.go"],
+    embed = [":runtimes"],
+    tags = [
+        # Requires docker and runsc to be configured before the test runs.
+        "manual",
+        "local",
+    ],
+    deps = ["//runsc/test/testutil"],
+)
diff --git a/test/runtimes/README.md b/test/runtimes/README.md
new file mode 100644
index 000000000..4e5a950bc
--- /dev/null
+++ b/test/runtimes/README.md
@@ -0,0 +1,40 @@
+# Runtimes Tests Dockerfiles
+
+The Dockerfiles defined under this path are configured to host the execution of
+the runtimes language tests. Each Dockerfile can support the language indicated
+by its directory.
+
+The following runtimes are currently supported:
+
+-   Go 1.12
+-   Java 11
+-   Node.js 12
+-   PHP 7.3
+-   Python 3.7
+
+#### Prerequisites:
+
+1) [Install and configure Docker](https://docs.docker.com/install/)
+
+2) Build each Docker container:
+
+```bash
+$ docker build -f $LANG/Dockerfile [-t $NAME] .
+```
+
+### Testing:
+
+If the prerequisites have been fulfilled, you can run the tests with the
+following command:
+
+```bash
+$ docker run --rm -it $NAME [FLAG]
+```
+
+Running the command with no flags will cause all the available tests to execute.
+
+Flags can be added for additional functionality:
+
+-   --list: Print a list of all available tests
+-   --test &lt;name&gt;: Run a single test from the list of available tests
+-   --v: Print the language version
diff --git a/test/runtimes/go/BUILD b/test/runtimes/go/BUILD
new file mode 100644
index 000000000..c34f49ea6
--- /dev/null
+++ b/test/runtimes/go/BUILD
@@ -0,0 +1,8 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_binary")
+
+package(licenses = ["notice"])
+
+go_binary(
+    name = "proctor-go",
+    srcs = ["proctor-go.go"],
+)
diff --git a/test/runtimes/go/Dockerfile b/test/runtimes/go/Dockerfile
new file mode 100644
index 000000000..cd55608cd
--- /dev/null
+++ b/test/runtimes/go/Dockerfile
@@ -0,0 +1,31 @@
+FROM ubuntu:bionic
+ENV LANG_VER=1.12.5
+ENV LANG_NAME=Go
+
+RUN apt-get update && apt-get install -y \
+  curl \
+  gcc \
+  git
+
+WORKDIR /root
+
+# Download Go 1.4 to use as a bootstrap for building Go from the source.
+RUN curl -o go1.4.linux-amd64.tar.gz https://dl.google.com/go/go1.4.linux-amd64.tar.gz
+RUN curl -LJO https://github.com/golang/go/archive/go${LANG_VER}.tar.gz
+RUN mkdir bootstr
+RUN tar -C bootstr -xzf go1.4.linux-amd64.tar.gz
+RUN tar -xzf go-go${LANG_VER}.tar.gz
+RUN mv go-go${LANG_VER} go
+
+ENV GOROOT=/root/go
+ENV GOROOT_BOOTSTRAP=/root/bootstr/go
+ENV LANG_DIR=${GOROOT}
+
+WORKDIR ${LANG_DIR}/src
+RUN ./make.bash
+
+WORKDIR ${LANG_DIR}
+
+COPY proctor-go.go ${LANG_DIR}
+
+ENTRYPOINT ["/root/go/bin/go", "run", "proctor-go.go"]
diff --git a/test/runtimes/go/proctor-go.go b/test/runtimes/go/proctor-go.go
new file mode 100644
index 000000000..c5387e21d
--- /dev/null
+++ b/test/runtimes/go/proctor-go.go
@@ -0,0 +1,161 @@
+// Copyright 2019 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Binary proctor-go is a utility that facilitates language testing for Go.
+
+// There are two types of Go tests: "Go tool tests" and "Go tests on disk".
+// "Go tool tests" are found and executed using `go tool dist test`.
+// "Go tests on disk" are found in the /test directory and are
+// executed using `go run run.go`.
+package main
+
+import (
+	"flag"
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"regexp"
+	"strings"
+)
+
+var (
+	list    = flag.Bool("list", false, "list all available tests")
+	test    = flag.String("test", "", "run a single test from the list of available tests")
+	version = flag.Bool("v", false, "print out the version of node that is installed")
+
+	dir       = os.Getenv("LANG_DIR")
+	testDir   = filepath.Join(dir, "test")
+	testRegEx = regexp.MustCompile(`^.+\.go$`)
+
+	// Directories with .dir contain helper files for tests.
+	// Exclude benchmarks and stress tests.
+	exclDirs = regexp.MustCompile(`^.+\/(bench|stress)\/.+$|^.+\.dir.+$`)
+)
+
+func main() {
+	flag.Parse()
+
+	if *list && *test != "" {
+		flag.PrintDefaults()
+		os.Exit(1)
+	}
+	if *list {
+		tests, err := listTests()
+		if err != nil {
+			log.Fatalf("Failed to list tests: %v", err)
+		}
+		for _, test := range tests {
+			fmt.Println(test)
+		}
+		return
+	}
+	if *version {
+		fmt.Println("Go version: ", os.Getenv("LANG_VER"), "  is installed.")
+		return
+	}
+	if *test != "" {
+		runTest(*test)
+		return
+	}
+	runAllTests()
+}
+
+func listTests() ([]string, error) {
+	// Go tool dist test tests.
+	args := []string{"tool", "dist", "test", "-list"}
+	cmd := exec.Command(filepath.Join(dir, "bin/go"), args...)
+	cmd.Stderr = os.Stderr
+	out, err := cmd.Output()
+	if err != nil {
+		log.Fatalf("Failed to list: %v", err)
+	}
+	var testSlice []string
+	for _, test := range strings.Split(string(out), "\n") {
+		testSlice = append(testSlice, test)
+	}
+
+	// Go tests on disk.
+	if err := filepath.Walk(testDir, func(path string, info os.FileInfo, err error) error {
+		name := filepath.Base(path)
+
+		if info.IsDir() {
+			return nil
+		}
+
+		if !testRegEx.MatchString(name) {
+			return nil
+		}
+
+		if exclDirs.MatchString(path) {
+			return nil
+		}
+
+		testSlice = append(testSlice, path)
+		return nil
+	}); err != nil {
+		return nil, fmt.Errorf("walking %q: %v", testDir, err)
+	}
+
+	return testSlice, nil
+}
+
+func runTest(test string) {
+	toolArgs := []string{
+		"tool",
+		"dist",
+		"test",
+	}
+	diskArgs := []string{
+		"run",
+		"run.go",
+		"-v",
+	}
+	// Check if test exists on disk by searching for file of the same name.
+	// This will determine whether or not it is a Go test on disk.
+	if _, err := os.Stat(test); err == nil {
+		relPath, err := filepath.Rel(testDir, test)
+		if err != nil {
+			log.Fatalf("Failed to get rel path: %v", err)
+		}
+		diskArgs = append(diskArgs, "--", relPath)
+		cmd := exec.Command(filepath.Join(dir, "bin/go"), diskArgs...)
+		cmd.Dir = testDir
+		cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
+		if err := cmd.Run(); err != nil {
+			log.Fatalf("Failed to run: %v", err)
+		}
+	} else if os.IsNotExist(err) {
+		// File was not found, try running as Go tool test.
+		toolArgs = append(toolArgs, "-run", test)
+		cmd := exec.Command(filepath.Join(dir, "bin/go"), toolArgs...)
+		cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
+		if err := cmd.Run(); err != nil {
+			log.Fatalf("Failed to run: %v", err)
+		}
+	} else {
+		log.Fatalf("Error searching for test: %v", err)
+	}
+}
+
+func runAllTests() {
+	tests, err := listTests()
+	if err != nil {
+		log.Fatalf("Failed to list tests: %v", err)
+	}
+	for _, test := range tests {
+		runTest(test)
+	}
+}
diff --git a/test/runtimes/java/BUILD b/test/runtimes/java/BUILD
new file mode 100644
index 000000000..7e2808ece
--- /dev/null
+++ b/test/runtimes/java/BUILD
@@ -0,0 +1,8 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_binary")
+
+package(licenses = ["notice"])
+
+go_binary(
+    name = "proctor-java",
+    srcs = ["proctor-java.go"],
+)
diff --git a/test/runtimes/java/Dockerfile b/test/runtimes/java/Dockerfile
new file mode 100644
index 000000000..e162d7218
--- /dev/null
+++ b/test/runtimes/java/Dockerfile
@@ -0,0 +1,52 @@
+FROM ubuntu:bionic
+# This hash is associated with a specific JDK release and needed for ensuring
+# the same version is downloaded every time.
+ENV LANG_HASH=af47e0398606
+ENV LANG_VER=11u-dev
+ENV LANG_NAME=Java
+
+RUN apt-get update && apt-get install -y \
+  autoconf \
+  build-essential \
+  curl\
+  file \
+  libasound2-dev \
+  libcups2-dev \
+  libfontconfig1-dev \
+  libx11-dev \
+  libxext-dev \
+  libxrandr-dev \
+  libxrender-dev \
+  libxt-dev \
+  libxtst-dev \
+  make \
+  unzip \
+  zip
+
+WORKDIR /root
+RUN curl -o go.tar.gz https://dl.google.com/go/go1.12.6.linux-amd64.tar.gz
+RUN tar -zxf go.tar.gz
+
+# Use curl instead of ADD to prevent redownload every time.
+RUN curl -o jdk.tar.gz http://hg.openjdk.java.net/jdk-updates/jdk${LANG_VER}/archive/${LANG_HASH}.tar.gz
+# Download Java version N-1 to be used as the Boot JDK to build Java version N.
+RUN curl -o bootjdk.tar.gz https://download.java.net/openjdk/jdk10/ri/openjdk-10+44_linux-x64_bin_ri.tar.gz
+
+RUN tar -zxf jdk.tar.gz
+RUN tar -zxf bootjdk.tar.gz
+
+# Specify the JDK to be used by jtreg.
+ENV JT_JAVA=/root/jdk${LANG_VER}-${LANG_HASH}/build/linux-x86_64-normal-server-release/jdk
+ENV LANG_DIR=/root/jdk${LANG_VER}-${LANG_HASH}
+
+WORKDIR ${LANG_DIR}
+
+RUN curl -o jtreg.tar.gz https://ci.adoptopenjdk.net/view/Dependencies/job/jtreg/lastSuccessfulBuild/artifact/jtreg-4.2.0-tip.tar.gz
+RUN tar -xzf jtreg.tar.gz
+RUN bash configure --with-boot-jdk=/root/jdk-10 --with-jtreg=${LANG_DIR}/jtreg
+RUN make clean
+RUN make images
+
+COPY proctor-java.go ${LANG_DIR}
+
+ENTRYPOINT ["/root/go/bin/go", "run", "proctor-java.go"]
diff --git a/test/runtimes/java/proctor-java.go b/test/runtimes/java/proctor-java.go
new file mode 100644
index 000000000..0177f421d
--- /dev/null
+++ b/test/runtimes/java/proctor-java.go
@@ -0,0 +1,110 @@
+// Copyright 2019 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Binary proctor-java is a utility that facilitates language testing for Java.
+package main
+
+import (
+	"flag"
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"regexp"
+	"strings"
+)
+
+var (
+	list    = flag.Bool("list", false, "list all available tests")
+	test    = flag.String("test", "", "run a single test from the list of available tests")
+	version = flag.Bool("v", false, "print out the version of node that is installed")
+
+	dir      = os.Getenv("LANG_DIR")
+	jtreg    = filepath.Join(dir, "jtreg/bin/jtreg")
+	exclDirs = regexp.MustCompile(`(^(sun\/security)|(java\/util\/stream)|(java\/time)| )`)
+)
+
+func main() {
+	flag.Parse()
+
+	if *list && *test != "" {
+		flag.PrintDefaults()
+		os.Exit(1)
+	}
+	if *list {
+		tests, err := listTests()
+		if err != nil {
+			log.Fatalf("Failed to list tests: %v", err)
+		}
+		for _, test := range tests {
+			fmt.Println(test)
+		}
+		return
+	}
+	if *version {
+		fmt.Println("Java version: ", os.Getenv("LANG_VER"), " is installed.")
+		return
+	}
+	if *test != "" {
+		runTest(*test)
+		return
+	}
+	runAllTests()
+}
+
+func listTests() ([]string, error) {
+	args := []string{
+		"-dir:test/jdk",
+		"-ignore:quiet",
+		"-a",
+		"-listtests",
+		":jdk_core",
+		":jdk_svc",
+		":jdk_sound",
+		":jdk_imageio",
+	}
+	cmd := exec.Command(jtreg, args...)
+	cmd.Stderr = os.Stderr
+	out, err := cmd.Output()
+	if err != nil {
+		return nil, fmt.Errorf("jtreg -listtests : %v", err)
+	}
+	var testSlice []string
+	for _, test := range strings.Split(string(out), "\n") {
+		if !exclDirs.MatchString(test) {
+			testSlice = append(testSlice, test)
+		}
+	}
+	return testSlice, nil
+}
+
+func runTest(test string) {
+	args := []string{"-dir:test/jdk/", test}
+	cmd := exec.Command(jtreg, args...)
+	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
+	if err := cmd.Run(); err != nil {
+		log.Fatalf("Failed to run: %v", err)
+	}
+}
+
+func runAllTests() {
+	tests, err := listTests()
+	if err != nil {
+		log.Fatalf("Failed to list tests: %v", err)
+	}
+	for _, test := range tests {
+		runTest(test)
+	}
+}
diff --git a/test/runtimes/nodejs/BUILD b/test/runtimes/nodejs/BUILD
new file mode 100644
index 000000000..0fe5ff83e
--- /dev/null
+++ b/test/runtimes/nodejs/BUILD
@@ -0,0 +1,8 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_binary")
+
+package(licenses = ["notice"])
+
+go_binary(
+    name = "proctor-nodejs",
+    srcs = ["proctor-nodejs.go"],
+)
diff --git a/test/runtimes/nodejs/Dockerfile b/test/runtimes/nodejs/Dockerfile
new file mode 100644
index 000000000..b2416cce8
--- /dev/null
+++ b/test/runtimes/nodejs/Dockerfile
@@ -0,0 +1,29 @@
+FROM ubuntu:bionic
+ENV LANG_VER=12.4.0
+ENV LANG_NAME=Node
+
+RUN apt-get update && apt-get install -y \
+  curl \
+  dumb-init \
+  g++ \
+  make \
+  python
+
+WORKDIR /root
+RUN curl -o go.tar.gz https://dl.google.com/go/go1.12.6.linux-amd64.tar.gz
+RUN tar -zxf go.tar.gz
+
+RUN curl -o node-v${LANG_VER}.tar.gz https://nodejs.org/dist/v${LANG_VER}/node-v${LANG_VER}.tar.gz
+RUN tar -zxf node-v${LANG_VER}.tar.gz
+ENV LANG_DIR=/root/node-v${LANG_VER}
+
+WORKDIR ${LANG_DIR}
+RUN ./configure
+RUN make
+RUN make test-build
+
+COPY proctor-nodejs.go ${LANG_DIR}
+
+# Including dumb-init emulates the Linux "init" process, preventing the failure
+# of tests involving worker processes.
+ENTRYPOINT ["/usr/bin/dumb-init", "/root/go/bin/go", "run", "proctor-nodejs.go"]
diff --git a/test/runtimes/nodejs/proctor-nodejs.go b/test/runtimes/nodejs/proctor-nodejs.go
new file mode 100644
index 000000000..8ddfb67fe
--- /dev/null
+++ b/test/runtimes/nodejs/proctor-nodejs.go
@@ -0,0 +1,108 @@
+// Copyright 2019 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Binary proctor-nodejs is a utility that facilitates language testing for NodeJS.
+package main
+
+import (
+	"flag"
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"regexp"
+)
+
+var (
+	list    = flag.Bool("list", false, "list all available tests")
+	test    = flag.String("test", "", "run a single test from the list of available tests")
+	version = flag.Bool("v", false, "print out the version of node that is installed")
+
+	dir       = os.Getenv("LANG_DIR")
+	testRegEx = regexp.MustCompile(`^test-.+\.js$`)
+)
+
+func main() {
+	flag.Parse()
+
+	if *list && *test != "" {
+		flag.PrintDefaults()
+		os.Exit(1)
+	}
+	if *list {
+		tests, err := listTests()
+		if err != nil {
+			log.Fatalf("Failed to list tests: %v", err)
+		}
+		for _, test := range tests {
+			fmt.Println(test)
+		}
+		return
+	}
+	if *version {
+		fmt.Println("Node.js version: ", os.Getenv("LANG_VER"), " is installed.")
+		return
+	}
+	if *test != "" {
+		runTest(*test)
+		return
+	}
+	runAllTests()
+}
+
+func listTests() ([]string, error) {
+	var testSlice []string
+	root := filepath.Join(dir, "test")
+
+	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
+		name := filepath.Base(path)
+
+		if info.IsDir() || !testRegEx.MatchString(name) {
+			return nil
+		}
+
+		relPath, err := filepath.Rel(root, path)
+		if err != nil {
+			return err
+		}
+		testSlice = append(testSlice, relPath)
+		return nil
+	})
+
+	if err != nil {
+		return nil, fmt.Errorf("walking %q: %v", root, err)
+	}
+
+	return testSlice, nil
+}
+
+func runTest(test string) {
+	args := []string{filepath.Join(dir, "tools", "test.py"), test}
+	cmd := exec.Command("/usr/bin/python", args...)
+	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
+	if err := cmd.Run(); err != nil {
+		log.Fatalf("Failed to run: %v", err)
+	}
+}
+
+func runAllTests() {
+	tests, err := listTests()
+	if err != nil {
+		log.Fatalf("Failed to list tests: %v", err)
+	}
+	for _, test := range tests {
+		runTest(test)
+	}
+}
diff --git a/test/runtimes/php/BUILD b/test/runtimes/php/BUILD
new file mode 100644
index 000000000..22aef7ba4
--- /dev/null
+++ b/test/runtimes/php/BUILD
@@ -0,0 +1,8 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_binary")
+
+package(licenses = ["notice"])
+
+go_binary(
+    name = "proctor-php",
+    srcs = ["proctor-php.go"],
+)
diff --git a/test/runtimes/php/Dockerfile b/test/runtimes/php/Dockerfile
new file mode 100644
index 000000000..1f8959b50
--- /dev/null
+++ b/test/runtimes/php/Dockerfile
@@ -0,0 +1,29 @@
+FROM ubuntu:bionic
+ENV LANG_VER=7.3.6
+ENV LANG_NAME=PHP
+
+RUN apt-get update && apt-get install -y \
+  autoconf \
+  automake \
+  bison \
+  build-essential \
+  curl \
+  libtool \
+  libxml2-dev \
+  re2c
+
+WORKDIR /root
+RUN curl -o go.tar.gz https://dl.google.com/go/go1.12.6.linux-amd64.tar.gz
+RUN tar -zxf go.tar.gz
+
+RUN curl -o php-${LANG_VER}.tar.gz https://www.php.net/distributions/php-${LANG_VER}.tar.gz
+RUN tar -zxf php-${LANG_VER}.tar.gz
+ENV LANG_DIR=/root/php-${LANG_VER}
+
+WORKDIR ${LANG_DIR}
+RUN ./configure
+RUN make
+
+COPY proctor-php.go ${LANG_DIR}
+
+ENTRYPOINT ["/root/go/bin/go", "run", "proctor-php.go"]
diff --git a/test/runtimes/php/proctor-php.go b/test/runtimes/php/proctor-php.go
new file mode 100644
index 000000000..9dfb33b04
--- /dev/null
+++ b/test/runtimes/php/proctor-php.go
@@ -0,0 +1,107 @@
+// Copyright 2019 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Binary proctor-php is a utility that facilitates language testing for PHP.
+package main
+
+import (
+	"flag"
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"regexp"
+)
+
+var (
+	list    = flag.Bool("list", false, "list all available tests")
+	test    = flag.String("test", "", "run a single test from the list of available tests")
+	version = flag.Bool("v", false, "print out the version of node that is installed")
+
+	dir       = os.Getenv("LANG_DIR")
+	testRegEx = regexp.MustCompile(`^.+\.phpt$`)
+)
+
+func main() {
+	flag.Parse()
+
+	if *list && *test != "" {
+		flag.PrintDefaults()
+		os.Exit(1)
+	}
+	if *list {
+		tests, err := listTests()
+		if err != nil {
+			log.Fatalf("Failed to list tests: %v", err)
+		}
+		for _, test := range tests {
+			fmt.Println(test)
+		}
+		return
+	}
+	if *version {
+		fmt.Println("PHP version: ", os.Getenv("LANG_VER"), " is installed.")
+		return
+	}
+	if *test != "" {
+		runTest(*test)
+		return
+	}
+	runAllTests()
+}
+
+func listTests() ([]string, error) {
+	var testSlice []string
+
+	err := filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
+		name := filepath.Base(path)
+
+		if info.IsDir() || !testRegEx.MatchString(name) {
+			return nil
+		}
+
+		relPath, err := filepath.Rel(dir, path)
+		if err != nil {
+			return err
+		}
+		testSlice = append(testSlice, relPath)
+		return nil
+	})
+
+	if err != nil {
+		return nil, fmt.Errorf("walking %q: %v", dir, err)
+	}
+
+	return testSlice, nil
+}
+
+func runTest(test string) {
+	args := []string{"test", "TESTS=" + test}
+	cmd := exec.Command("make", args...)
+	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
+	if err := cmd.Run(); err != nil {
+		log.Fatalf("Failed to run: %v", err)
+	}
+}
+
+func runAllTests() {
+	tests, err := listTests()
+	if err != nil {
+		log.Fatalf("Failed to list tests: %v", err)
+	}
+	for _, test := range tests {
+		runTest(test)
+	}
+}
diff --git a/test/runtimes/python/BUILD b/test/runtimes/python/BUILD
new file mode 100644
index 000000000..501f77d63
--- /dev/null
+++ b/test/runtimes/python/BUILD
@@ -0,0 +1,8 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_binary")
+
+package(licenses = ["notice"])
+
+go_binary(
+    name = "proctor-python",
+    srcs = ["proctor-python.go"],
+)
diff --git a/test/runtimes/python/Dockerfile b/test/runtimes/python/Dockerfile
new file mode 100644
index 000000000..811f48f8a
--- /dev/null
+++ b/test/runtimes/python/Dockerfile
@@ -0,0 +1,31 @@
+FROM ubuntu:bionic
+ENV LANG_VER=3.7.3
+ENV LANG_NAME=Python
+
+RUN apt-get update && apt-get install -y \
+  curl \
+  gcc \
+  libbz2-dev \
+  libffi-dev \
+  liblzma-dev \
+  libreadline-dev \
+  libssl-dev \
+  make \
+  zlib1g-dev
+
+WORKDIR /root
+RUN curl -o go.tar.gz https://dl.google.com/go/go1.12.6.linux-amd64.tar.gz
+RUN tar -zxf go.tar.gz
+
+# Use flags -LJO to follow the html redirect and download .tar.gz.
+RUN curl -LJO https://github.com/python/cpython/archive/v${LANG_VER}.tar.gz
+RUN tar -zxf cpython-${LANG_VER}.tar.gz
+ENV LANG_DIR=/root/cpython-${LANG_VER}
+
+WORKDIR ${LANG_DIR}
+RUN ./configure --with-pydebug
+RUN make -s -j2
+
+COPY proctor-python.go ${LANG_DIR}
+
+ENTRYPOINT ["/root/go/bin/go", "run", "proctor-python.go"]
diff --git a/test/runtimes/python/proctor-python.go b/test/runtimes/python/proctor-python.go
new file mode 100644
index 000000000..73c8deb49
--- /dev/null
+++ b/test/runtimes/python/proctor-python.go
@@ -0,0 +1,108 @@
+// Copyright 2019 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Binary proctor-python is a utility that facilitates language testing for Pyhton.
+package main
+
+import (
+	"flag"
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"regexp"
+)
+
+var (
+	list    = flag.Bool("list", false, "list all available tests")
+	test    = flag.String("test", "", "run a single test from the list of available tests")
+	version = flag.Bool("v", false, "print out the version of node that is installed")
+
+	dir       = os.Getenv("LANG_DIR")
+	testRegEx = regexp.MustCompile(`^test_.+\.py$`)
+)
+
+func main() {
+	flag.Parse()
+
+	if *list && *test != "" {
+		flag.PrintDefaults()
+		os.Exit(1)
+	}
+	if *list {
+		tests, err := listTests()
+		if err != nil {
+			log.Fatalf("Failed to list tests: %v", err)
+		}
+		for _, test := range tests {
+			fmt.Println(test)
+		}
+		return
+	}
+	if *version {
+		fmt.Println("Python version: ", os.Getenv("LANG_VER"), " is installed.")
+		return
+	}
+	if *test != "" {
+		runTest(*test)
+		return
+	}
+	runAllTests()
+}
+
+func listTests() ([]string, error) {
+	var testSlice []string
+	root := filepath.Join(dir, "Lib/test")
+
+	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
+		name := filepath.Base(path)
+
+		if info.IsDir() || !testRegEx.MatchString(name) {
+			return nil
+		}
+
+		relPath, err := filepath.Rel(root, path)
+		if err != nil {
+			return err
+		}
+		testSlice = append(testSlice, relPath)
+		return nil
+	})
+
+	if err != nil {
+		return nil, fmt.Errorf("walking %q: %v", root, err)
+	}
+
+	return testSlice, nil
+}
+
+func runTest(test string) {
+	args := []string{"-m", "test", test}
+	cmd := exec.Command(filepath.Join(dir, "python"), args...)
+	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
+	if err := cmd.Run(); err != nil {
+		log.Fatalf("Failed to run: %v", err)
+	}
+}
+
+func runAllTests() {
+	tests, err := listTests()
+	if err != nil {
+		log.Fatalf("Failed to list tests: %v", err)
+	}
+	for _, test := range tests {
+		runTest(test)
+	}
+}
diff --git a/test/runtimes/runtimes.go b/test/runtimes/runtimes.go
new file mode 100644
index 000000000..2568e07fe
--- /dev/null
+++ b/test/runtimes/runtimes.go
@@ -0,0 +1,20 @@
+// Copyright 2019 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package runtimes provides language tests for runsc runtimes.
+// Each test calls docker commands to start up a container for each supported runtime,
+// and tests that its respective language tests are behaving as expected, like
+// connecting to a port or looking at the output. The container is killed and deleted
+// at the end.
+package runtimes
diff --git a/test/runtimes/runtimes_test.go b/test/runtimes/runtimes_test.go
new file mode 100644
index 000000000..6bf954e78
--- /dev/null
+++ b/test/runtimes/runtimes_test.go
@@ -0,0 +1,67 @@
+// Copyright 2019 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package runtimes
+
+import (
+	"strings"
+	"testing"
+	"time"
+
+	"gvisor.dev/gvisor/runsc/test/testutil"
+)
+
+func TestNodeJS(t *testing.T) {
+	const img = "gcr.io/gvisor-proctor/nodejs"
+	if err := testutil.Pull(img); err != nil {
+		t.Fatalf("docker pull failed: %v", err)
+	}
+
+	c := testutil.MakeDocker("gvisor-list")
+
+	list, err := c.RunFg(img, "--list")
+	if err != nil {
+		t.Fatalf("docker run failed: %v", err)
+	}
+	c.CleanUp()
+
+	tests := strings.Fields(list)
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc, func(t *testing.T) {
+			t.Parallel()
+
+			d := testutil.MakeDocker("gvisor-test")
+			if err := d.Run(img, "--test", tc); err != nil {
+				t.Fatalf("docker test %q failed to run: %v", tc, err)
+			}
+			defer d.CleanUp()
+
+			status, err := d.Wait(60 * time.Second)
+			if err != nil {
+				t.Fatalf("docker test %q failed to wait: %v", tc, err)
+			}
+			if status == 0 {
+				t.Logf("test %q passed", tc)
+				return
+			}
+			logs, err := d.Logs()
+			if err != nil {
+				t.Fatalf("docker test %q failed to supply logs: %v", tc, err)
+			}
+			t.Errorf("test %q failed: %v", tc, logs)
+		})
+	}
+}
diff --git a/test/syscalls/linux/BUILD b/test/syscalls/linux/BUILD
index c5a368463..40fc73812 100644
--- a/test/syscalls/linux/BUILD
+++ b/test/syscalls/linux/BUILD
@@ -904,6 +904,14 @@ cc_binary(
     ],
 )
 
+cc_library(
+    name = "iptables_types",
+    testonly = 1,
+    hdrs = [
+        "iptables.h",
+    ],
+)
+
 cc_binary(
     name = "itimer_test",
     testonly = 1,
diff --git a/test/syscalls/linux/iptables.h b/test/syscalls/linux/iptables.h
new file mode 100644
index 000000000..616bea550
--- /dev/null
+++ b/test/syscalls/linux/iptables.h
@@ -0,0 +1,198 @@
+// Copyright 2019 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// There are a number of structs and values that we can't #include because of a
+// difference between C and C++ (C++ won't let you implicitly cast from void* to
+// struct something*). We re-define them here.
+
+#ifndef GVISOR_TEST_SYSCALLS_IPTABLES_TYPES_H_
+#define GVISOR_TEST_SYSCALLS_IPTABLES_TYPES_H_
+
+// Netfilter headers require some headers to preceed them.
+// clang-format off
+#include <netinet/in.h>
+#include <stddef.h>
+// clang-format on
+
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter_ipv4.h>
+#include <net/if.h>
+#include <netinet/ip.h>
+#include <stdint.h>
+
+#define ipt_standard_target xt_standard_target
+#define ipt_entry_target xt_entry_target
+#define ipt_error_target xt_error_target
+
+enum SockOpts {
+  // For setsockopt.
+  BASE_CTL = 64,
+  SO_SET_REPLACE = BASE_CTL,
+  SO_SET_ADD_COUNTERS,
+  SO_SET_MAX = SO_SET_ADD_COUNTERS,
+
+  // For getsockopt.
+  SO_GET_INFO = BASE_CTL,
+  SO_GET_ENTRIES,
+  SO_GET_REVISION_MATCH,
+  SO_GET_REVISION_TARGET,
+  SO_GET_MAX = SO_GET_REVISION_TARGET
+};
+
+// ipt_ip specifies basic matching criteria that can be applied by examining
+// only the IP header of a packet.
+struct ipt_ip {
+  // Source IP address.
+  struct in_addr src;
+
+  // Destination IP address.
+  struct in_addr dst;
+
+  // Source IP address mask.
+  struct in_addr smsk;
+
+  // Destination IP address mask.
+  struct in_addr dmsk;
+
+  // Input interface.
+  char iniface[IFNAMSIZ];
+
+  // Output interface.
+  char outiface[IFNAMSIZ];
+
+  // Input interface mask.
+  unsigned char iniface_mask[IFNAMSIZ];
+
+  // Output interface mask.
+  unsigned char outiface_mask[IFNAMSIZ];
+
+  // Transport protocol.
+  uint16_t proto;
+
+  // Flags.
+  uint8_t flags;
+
+  // Inverse flags.
+  uint8_t invflags;
+};
+
+// ipt_entry is an iptables rule. It contains information about what packets the
+// rule matches and what action (target) to perform for matching packets.
+struct ipt_entry {
+  // Basic matching information used to match a packet's IP header.
+  struct ipt_ip ip;
+
+  // A caching field that isn't used by userspace.
+  unsigned int nfcache;
+
+  // The number of bytes between the start of this ipt_entry struct and the
+  // rule's target.
+  uint16_t target_offset;
+
+  // The total size of this rule, from the beginning of the entry to the end of
+  // the target.
+  uint16_t next_offset;
+
+  // A return pointer not used by userspace.
+  unsigned int comefrom;
+
+  // Counters for packets and bytes, which we don't yet implement.
+  struct xt_counters counters;
+
+  // The data for all this rules matches followed by the target. This runs
+  // beyond the value of sizeof(struct ipt_entry).
+  unsigned char elems[0];
+};
+
+// Passed to getsockopt(SO_GET_INFO).
+struct ipt_getinfo {
+  // The name of the table. The user only fills this in, the rest is filled in
+  // when returning from getsockopt. Currently "nat" and "mangle" are supported.
+  char name[XT_TABLE_MAXNAMELEN];
+
+  // A bitmap of which hooks apply to the table. For example, a table with hooks
+  // PREROUTING and FORWARD has the value
+  // (1 << NF_IP_PRE_REOUTING) | (1 << NF_IP_FORWARD).
+  unsigned int valid_hooks;
+
+  // The offset into the entry table for each valid hook. The entry table is
+  // returned by getsockopt(SO_GET_ENTRIES).
+  unsigned int hook_entry[NF_IP_NUMHOOKS];
+
+  // For each valid hook, the underflow is the offset into the entry table to
+  // jump to in case traversing the table yields no verdict (although I have no
+  // clue how that could happen - builtin chains always end with a policy, and
+  // user-defined chains always end with a RETURN.
+  //
+  // The entry referred to must be an "unconditional" entry, meaning it has no
+  // matches, specifies no IP criteria, and either DROPs or ACCEPTs packets.  It
+  // basically has to be capable of making a definitive decision no matter what
+  // it's passed.
+  unsigned int underflow[NF_IP_NUMHOOKS];
+
+  // The number of entries in the entry table returned by
+  // getsockopt(SO_GET_ENTRIES).
+  unsigned int num_entries;
+
+  // The size of the entry table returned by getsockopt(SO_GET_ENTRIES).
+  unsigned int size;
+};
+
+// Passed to getsockopt(SO_GET_ENTRIES).
+struct ipt_get_entries {
+  // The name of the table. The user fills this in. Currently "nat" and "mangle"
+  // are supported.
+  char name[XT_TABLE_MAXNAMELEN];
+
+  // The size of the entry table in bytes. The user fills this in with the value
+  // from struct ipt_getinfo.size.
+  unsigned int size;
+
+  // The entries for the given table. This will run past the size defined by
+  // sizeof(struct ipt_get_entries).
+  struct ipt_entry entrytable[0];
+};
+
+// Passed to setsockopt(SO_SET_REPLACE).
+struct ipt_replace {
+  // The name of the table.
+  char name[XT_TABLE_MAXNAMELEN];
+
+  // The same as struct ipt_getinfo.valid_hooks. Users don't change this.
+  unsigned int valid_hooks;
+
+  // The same as struct ipt_getinfo.num_entries.
+  unsigned int num_entries;
+
+  // The same as struct ipt_getinfo.size.
+  unsigned int size;
+
+  // The same as struct ipt_getinfo.hook_entry.
+  unsigned int hook_entry[NF_IP_NUMHOOKS];
+
+  // The same as struct ipt_getinfo.underflow.
+  unsigned int underflow[NF_IP_NUMHOOKS];
+
+  // The number of counters, which should equal the number of entries.
+  unsigned int num_counters;
+
+  // The unchanged values from each ipt_entry's counters.
+  struct xt_counters *counters;
+
+  // The entries to write to the table. This will run past the size defined by
+  // sizeof(srtuct ipt_replace);
+  struct ipt_entry entries[0];
+};
+
+#endif  // GVISOR_TEST_SYSCALLS_IPTABLES_TYPES_H_
diff --git a/test/syscalls/linux/stat.cc b/test/syscalls/linux/stat.cc
index 510f7bee5..88ab90b5b 100644
--- a/test/syscalls/linux/stat.cc
+++ b/test/syscalls/linux/stat.cc
@@ -539,9 +539,8 @@ TEST(SimpleStatTest, AnonDeviceAllocatesUniqueInodesAcrossSaveRestore) {
   ASSERT_THAT(fstat(fd1.get(), &st1), SyscallSucceeds());
   ASSERT_THAT(fstat(fd2.get(), &st2), SyscallSucceeds());
 
-  // The two fds should have different inode numbers. Specifically, since fd2
-  // was created later, it should have a higher inode number.
-  EXPECT_GT(st2.st_ino, st1.st_ino);
+  // The two fds should have different inode numbers.
+  EXPECT_NE(st2.st_ino, st1.st_ino);
 
   // Verify again after another S/R cycle. The inode numbers should remain the
   // same.