summaryrefslogtreecommitdiffhomepage
path: root/runsc/test
AgeCommit message (Collapse)Author
2018-11-20Internal change.Nicolas Lacasse
PiperOrigin-RevId: 221848471 Change-Id: I882fbe5ce7737048b2e1f668848e9c14ed355665
2018-11-15Allow sandbox.Wait to be called after the sandbox has exited.Nicolas Lacasse
sandbox.Wait is racey, as the sandbox may have exited before it is called, or even during. We already had code to handle the case that the sandbox exits during the Wait call, but we were not properly handling the case where the sandbox has exited before the call. The best we can do in such cases is return the sandbox exit code as the application exit code. PiperOrigin-RevId: 221702517 Change-Id: I290d0333cc094c7c1c3b4ce0f17f61a3e908d787
2018-11-13Internal change.Nicolas Lacasse
PiperOrigin-RevId: 221343421 Change-Id: I418b5204c5ed4fe1e0af25ef36ee66b9b571928e
2018-11-13Internal change.Nicolas Lacasse
PiperOrigin-RevId: 221299066 Change-Id: I8ae352458f9976c329c6946b1efa843a3de0eaa4
2018-11-12Internal change.Nicolas Lacasse
PiperOrigin-RevId: 221178413 Change-Id: I0e615c5e945cb924d8df767c894a9e402f0b8ff2
2018-11-07Add test that volume can be mounted on top of a symlinkFabricio Voznika
PiperOrigin-RevId: 220588094 Change-Id: I18915e892ceac86eac1f89ebcadffb4fdf8d0cf6
2018-11-07Fix test --race violationFabricio Voznika
SetupContainerInRoot was setting Config.RootDir unnecessarily and causing a --race violation in TestMultiContainerDestroyStarting. PiperOrigin-RevId: 220580073 Change-Id: Ie0b28c19846106c7458a92681b708ae70f87d25a
2018-11-06Fix problem where crictl tests would signal both error and done channelsKevin Krakauer
PiperOrigin-RevId: 220372291 Change-Id: I054ba56a23c402c7244b476d7d6fe72084942a0e
2018-11-01First crictl integration tests.Kevin Krakauer
More tests will come, but it's worth getting what's done so far reviewed. PiperOrigin-RevId: 219734531 Change-Id: If15ca6e6855e3d1cc28c83b5f9c3a72cb65b2e59
2018-11-01Close http.Response.Body after Get request.Kevin Krakauer
From https://golang.org/pkg/net/http/#Get: "When err is nil, resp always contains a non-nil resp.Body. Caller should close resp.Body when done reading from it." PiperOrigin-RevId: 219658052 Change-Id: I556e88ac4f2c90cd36ab16cd3163d1a52afc32b7
2018-10-24Re-enable TestPythonHello now that ptrace seccomp issue is resolved.Nicolas Lacasse
PiperOrigin-RevId: 218636184 Change-Id: I44deac3f32276d06955c5fb1e28c5970bb08f5fd
2018-10-23Track paths and provide a rename hook.Adin Scannell
This change also adds extensive testing to the p9 package via mocks. The sanity checks and type checks are moved from the gofer into the core package, where they can be more easily validated. PiperOrigin-RevId: 218296768 Change-Id: I4fc3c326e7bf1e0e140a454cbacbcc6fd617ab55
2018-10-19Use correct company name in copyright headerIan Gudger
PiperOrigin-RevId: 217951017 Change-Id: Ie08bf6987f98467d07457bcf35b5f1ff6e43c035
2018-10-18Resolve mount paths while setting up root fs mountFabricio Voznika
It's hard to resolve symlinks inside the sandbox because rootfs and mounts may be read-only, forcing us to create mount points inside lower layer of an overlay, **before** the volumes are mounted. Since the destination must already be resolved outside the sandbox when creating mounts, take this opportunity to rewrite the spec with paths resolved. "runsc boot" will use the "resolved" spec to load mounts. In addition, symlink traversals were disabled while mounting containers inside the sandbox. It haven't been able to write a good test for it. So I'm relying on manual tests for now. PiperOrigin-RevId: 217749904 Change-Id: I7ac434d5befd230db1488446cda03300cc0751a9
2018-10-18Skip TestPythonHello on ptrace platform while we debug the issue.Nicolas Lacasse
PiperOrigin-RevId: 217743078 Change-Id: I47fabd88139b968b6183bcc0340065fdbbc1d40d
2018-10-17runsc: Support job control signals for the root container.Nicolas Lacasse
Now containers run with "docker run -it" support control characters like ^C and ^Z. This required refactoring our signal handling a bit. Signals delivered to the "runsc boot" process are turned into loader.Signal calls with the appropriate delivery mode. Previously they were always sent directly to PID 1. PiperOrigin-RevId: 217566770 Change-Id: I5b7220d9a0f2b591a56335479454a200c6de8732
2018-10-17Attempt to deflake TestPythonHelloFabricio Voznika
It has timed out running with kokoro a few times. I passes consistently on my machine (200+ runsc). Increase the timeout to see if it helps. Failure: image_test.go:212: WaitForHTTP() timeout: Get http://localhost:32785/: dial tcp [::1]:32785: connect: connection refused PiperOrigin-RevId: 217532428 Change-Id: Ibf860aecf537830bef832e436f2e804b3fc12f2d
2018-10-17Bump Pause/Resume integration test timeout in attempt to deflake Kokoro.Nicolas Lacasse
This is one of the many tests that fails periodically, making Kokoro unstable. PiperOrigin-RevId: 217528257 Change-Id: I2508ecf4d74d71b91feff1183544d61d7bd16995
2018-10-11Make debug log file name configurableFabricio Voznika
This is a breaking change if you're using --debug-log-dir. The fix is to replace it with --debug-log and add a '/' at the end: --debug-log-dir=/tmp/runsc ==> --debug-log=/tmp/runsc/ PiperOrigin-RevId: 216761212 Change-Id: I244270a0a522298c48115719fa08dad55e34ade1
2018-10-11Sandbox cgroup testsFabricio Voznika
Verify that cgroup is being properly set. PiperOrigin-RevId: 216736137 Change-Id: I0e27fd604eca67e7dd2e3548dc372ca9cc416309
2018-10-10Add sandbox to cgroupFabricio Voznika
Sandbox creation uses the limits and reservations configured in the OCI spec and set cgroup options accordinly. Then it puts both the sandbox and gofer processes inside the cgroup. It also allows the cgroup to be pre-configured by the caller. If the cgroup already exists, sandbox and gofer processes will join the cgroup but it will not modify the cgroup with spec limits. PiperOrigin-RevId: 216538209 Change-Id: If2c65ffedf55820baab743a0edcfb091b89c1019
2018-10-09Add tests to verify gofer is chroot'edFabricio Voznika
PiperOrigin-RevId: 216472439 Change-Id: Ic4cb86c8e0a9cb022d3ceed9dc5615266c307cf9
2018-10-08Job control signals must be sent to all processes in the FG process group.Nicolas Lacasse
We were previously only sending to the originator of the process group. Integration test was changed to test this behavior. It fails without the corresponding code change. PiperOrigin-RevId: 216297263 Change-Id: I7e41cfd6bdd067f4b9dc215e28f555fb5088916f
2018-10-04Capture boot panics in debug log.Nicolas Lacasse
Docker and Containerd both eat the boot processes stderr, making it difficult to track down panics (which are always written to stderr). This CL makes the boot process dup its debug log FD to stderr, so that panics will be captured in the debug log, which is better than nothing. This is the 3rd try at this CL. Previous attempts were foiled because Docker expects the 'create' command to pass its stdio directly to the container, so duping stderr in 'create' caused the applications stderr to go to the log file, which breaks many applications (including our mysql test). I added a new image_test that makes sure stdout and stderr are handled correctly. PiperOrigin-RevId: 215767328 Change-Id: Icebac5a5dcf39b623b79d7a0e2f968e059130059
2018-10-03Fix sandbox chrootFabricio Voznika
Sandbox was setting chroot, but was not chaging the working dir. Added test to ensure this doesn't happen in the future. PiperOrigin-RevId: 215676270 Change-Id: I14352d3de64a4dcb90e50948119dc8328c9c15e1
2018-10-02Bump some timeouts in the image tests.Nicolas Lacasse
PiperOrigin-RevId: 215489101 Change-Id: Iaf96aa8edb1101b70548030c62995841215237d9
2018-10-02Fix compilation bug.Nicolas Lacasse
Docker.Run only returns a single argument. PiperOrigin-RevId: 215427309 Change-Id: I1eebbc628853ca57f79d25e18d4f04dfa5a2a003
2018-10-01runsc: Support job control signals in "exec -it".Nicolas Lacasse
Terminal support in runsc relies on host tty file descriptors that are imported into the sandbox. Application tty ioctls are sent directly to the host fd. However, those host tty ioctls are associated in the host kernel with a host process (in this case runsc), and the host kernel intercepts job control characters like ^C and send signals to the host process. Thus, typing ^C into a "runsc exec" shell will send a SIGINT to the runsc process. This change makes "runsc exec" handle all signals, and forward them into the sandbox via the "ContainerSignal" urpc method. Since the "runsc exec" is associated with a particular container process in the sandbox, the signal must be associated with the same container process. One big difficulty is that the signal should not necessarily be sent to the sandbox process started by "exec", but instead must be sent to the foreground process group for the tty. For example, we may exec "bash", and from bash call "sleep 100". A ^C at this point should SIGINT sleep, not bash. To handle this, tty files inside the sandbox must keep track of their foreground process group, which is set/get via ioctls. When an incoming ContainerSignal urpc comes in, we look up the foreground process group via the tty file. Unfortunately, this means we have to expose and cache the tty file in the Loader. Note that "runsc exec" now handles signals properly, but "runs run" does not. That will come in a later CL, as this one is complex enough already. Example: root@:/usr/local/apache2# sleep 100 ^C root@:/usr/local/apache2# sleep 100 ^Z [1]+ Stopped sleep 100 root@:/usr/local/apache2# fg sleep 100 ^C root@:/usr/local/apache2# PiperOrigin-RevId: 215334554 Change-Id: I53cdce39653027908510a5ba8d08c49f9cf24f39
2018-10-01Fix ruby image tests.Nicolas Lacasse
PiperOrigin-RevId: 215274663 Change-Id: I051721f459084db3aa608432831170cd47ae7df0
2018-10-01Make multi-container the default mode for runscFabricio Voznika
And remove multicontainer option. PiperOrigin-RevId: 215236981 Change-Id: I9fd1d963d987e421e63d5817f91a25c819ced6cb
2018-09-28Made a few changes to make testutil.Docker easier to useFabricio Voznika
PiperOrigin-RevId: 215023376 Change-Id: I139569bd15c013e5dd0f60d0c98a64eaa0ba9e8e
2018-09-28Add ruby image testsFabricio Voznika
PiperOrigin-RevId: 215009066 Change-Id: I54ab920fa649cf4d0817f7cb8ea76f9126523330
2018-09-28Switch to root in userns when CAP_SYS_CHROOT is also missingFabricio Voznika
Some tests check current capabilities and re-run the tests as root inside userns if required capabibilities are missing. It was checking for CAP_SYS_ADMIN only, CAP_SYS_CHROOT is also required now. PiperOrigin-RevId: 214949226 Change-Id: Ic81363969fa76c04da408fae8ea7520653266312
2018-09-21Run gofmt -s on everythingIan Gudger
PiperOrigin-RevId: 214040901 Change-Id: I74d79497a053da3624921ad2b7c5193ca4a87942
2018-09-18Handle children processes better in testsFabricio Voznika
Reap children more systematically in container tests. Previously, container_test was taking ~5 mins to run because constainer.Destroy() would timeout waiting for the sandbox process to exit. Now the test running in less than a minute. Also made the contract around Container and Sandbox destroy clearer. PiperOrigin-RevId: 213527471 Change-Id: Icca84ee1212bbdcb62bdfc9cc7b71b12c6d1688d
2018-09-07Automated rollback of changelist 212059579Nicolas Lacasse
PiperOrigin-RevId: 212069131 Change-Id: I01476f957bbf29d4ee5a3c11d59d4f863ba9f2df
2018-09-07Disable test until we figure out what's brokenFabricio Voznika
PiperOrigin-RevId: 212059579 Change-Id: I052c2192d3483d7bd0fd2232ef2023a12da66446
2018-09-07Remove '--file-access=direct' optionFabricio Voznika
It was used before gofer was implemented and it's not supported anymore. BREAKING CHANGE: proxy-shared and proxy-exclusive options are now: shared and exclusive. PiperOrigin-RevId: 212017643 Change-Id: If029d4073fe60583e5ca25f98abb2953de0d78fd
2018-09-07runsc: Run sandbox process inside minimal chroot.Nicolas Lacasse
We construct a dir with the executable bind-mounted at /exe, and proc mounted at /proc. Runsc now executes the sandbox process inside this chroot, thus limiting access to the host filesystem. The mounts and chroot dir are removed when the sandbox is destroyed. Because this requires bind-mounts, we can only do the chroot if we have CAP_SYS_ADMIN. PiperOrigin-RevId: 211994001 Change-Id: Ia71c515e26085e0b69b833e71691830148bc70d1
2018-09-05Use container's capabilities in execFabricio Voznika
When no capabilities are specified in exec, use the container's capabilities to match runc's behavior. PiperOrigin-RevId: 211735186 Change-Id: Icd372ed64410c81144eae94f432dffc9fe3a86ce
2018-09-04runsc: Run sandbox as user nobody.Nicolas Lacasse
When starting a sandbox without direct file or network access, we create an empty user namespace and run the sandbox in there. However, the root user in that namespace is still mapped to the root user in the parent namespace. This CL maps the "nobody" user from the parent namespace into the child namespace, and runs the sandbox process as user "nobody" inside the new namespace. PiperOrigin-RevId: 211572223 Change-Id: I1b1f9b1a86c0b4e7e5ca7bc93be7d4887678bab6
2018-09-04runsc: Pass log and config files to sandbox process by FD.Nicolas Lacasse
This is a prereq for running the sandbox process as user "nobody", when it may not have permissions to open these files. Instead, we must open then before starting the sandbox process, and pass them by FD. The specutils.ReadSpecFromFile method was fixed to always seek to the beginning of the file before reading. This allows Files from the same FD to be read multiple times, as we do in the boot command when the apply-caps flag is set. Tested with --network=host. PiperOrigin-RevId: 211570647 Change-Id: I685be0a290aa7f70731ebdce82ebc0ebcc9d475c
2018-08-31Automated rollback of changelist 210995199Fabricio Voznika
PiperOrigin-RevId: 211116429 Change-Id: I446d149c822177dc9fc3c64ce5e455f7f029aa82
2018-08-31Fix RunAsRoot arguments forwardingFabricio Voznika
It was including the path to the executable twice in the arguments. PiperOrigin-RevId: 211098311 Change-Id: I5357c51c63f38dfab551b17bb0e04011a0575010
2018-08-30runsc: Pass log and config files to sandbox process by FD.Nicolas Lacasse
This is a prereq for running the sandbox process as user "nobody", when it may not have permissions to open these files. Instead, we must open then before starting the sandbox process, and pass them by FD. PiperOrigin-RevId: 210995199 Change-Id: I715875a9553290b4a49394a8fcd93be78b1933dd
2018-08-28Consolidate image tests into a single fileFabricio Voznika
This is to keep it consistent with other test, and it's easier to maintain them in single file. Also increase python test timeout to deflake it. PiperOrigin-RevId: 210575042 Change-Id: I2ef5bcd5d97c08549f0c5f645c4b694253ef0b4d
2018-08-27Put fsgofer inside chrootFabricio Voznika
Now each container gets its own dedicated gofer that is chroot'd to the rootfs path. This is done to add an extra layer of security in case the gofer gets compromised. PiperOrigin-RevId: 210396476 Change-Id: Iba21360a59dfe90875d61000db103f8609157ca0
2018-08-20Standardize mounts in testsFabricio Voznika
Tests get a readonly rootfs mapped to / (which was the case before) and writable TEST_TMPDIR. This makes it easier to setup containers to write to files and to share state between test and containers. PiperOrigin-RevId: 209453224 Change-Id: I4d988e45dc0909a0450a3bb882fe280cf9c24334
2018-08-16Combine functions to search for file under one common functionFabricio Voznika
Bazel adds the build type in front of directories making it hard to refer to binaries in code. PiperOrigin-RevId: 209010854 Change-Id: I6c9da1ac3bbe79766868a3b14222dd42d03b4ec5
2018-08-14runsc: Change cache policy for root fs and volume mounts.Nicolas Lacasse
Previously, gofer filesystems were configured with the default "fscache" policy, which caches filesystem metadata and contents aggressively. While this setting is best for performance, it means that changes from inside the sandbox may not be immediately propagated outside the sandbox, and vice-versa. This CL changes volumes and the root fs configuration to use a new "remote-revalidate" cache policy which tries to retain as much caching as possible while still making fs changes visible across the sandbox boundary. This cache policy is enabled by default for the root filesystem. The default value for the "--file-access" flag is still "proxy", but the behavior is changed to use the new cache policy. A new value for the "--file-access" flag is added, called "proxy-exclusive", which turns on the previous aggressive caching behavior. As the name implies, this flag should be used when the sandbox has "exclusive" access to the filesystem. All volume mounts are configured to use the new cache policy, since it is safest and most likely to be correct. There is not currently a way to change this behavior, but it's possible to add such a mechanism in the future. The configurability is a smaller issue for volumes, since most of the expensive application fs operations (walking + stating files) will likely served by the root fs. PiperOrigin-RevId: 208735037 Change-Id: Ife048fab1948205f6665df8563434dbc6ca8cfc9