// Copyright 2018 The gVisor Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package root import ( "bytes" "encoding/json" "fmt" "io" "io/ioutil" "net/http" "os" "os/exec" "path" "regexp" "strconv" "strings" "sync" "testing" "time" "gvisor.dev/gvisor/pkg/cleanup" "gvisor.dev/gvisor/pkg/test/criutil" "gvisor.dev/gvisor/pkg/test/dockerutil" "gvisor.dev/gvisor/pkg/test/testutil" ) // Tests for crictl have to be run as root (rather than in a user namespace) // because crictl creates named network namespaces in /var/run/netns/. // Sandbox returns a JSON config for a simple sandbox. Sandbox names must be // unique so different names should be used when running tests on the same // containerd instance. func Sandbox(name string) string { // Sandbox is a default JSON config for a sandbox. s := map[string]interface{}{ "metadata": map[string]string{ "name": name, "namespace": "default", "uid": testutil.RandomID(""), }, "linux": map[string]string{}, "log_directory": "/tmp", } v, err := json.Marshal(s) if err != nil { // This shouldn't happen. panic(err) } return string(v) } // SimpleSpec returns a JSON config for a simple container that runs the // specified command in the specified image. func SimpleSpec(name, image string, cmd []string, extra map[string]interface{}) string { s := map[string]interface{}{ "metadata": map[string]string{ "name": name, }, "image": map[string]string{ "image": testutil.ImageByName(image), }, // Log files are not deleted after root tests are run. Log to random // paths to ensure logs are fresh. "log_path": fmt.Sprintf("%s.log", testutil.RandomID(name)), "stdin": false, "tty": false, } if len(cmd) > 0 { // Omit if empty. s["command"] = cmd } for k, v := range extra { s[k] = v // Extra settings. } v, err := json.Marshal(s) if err != nil { // This shouldn't happen. panic(err) } return string(v) } // Httpd is a JSON config for an httpd container. var Httpd = SimpleSpec("httpd", "basic/httpd", nil, nil) // TestCrictlSanity refers to b/112433158. func TestCrictlSanity(t *testing.T) { for _, version := range allVersions { t.Run(version, func(t *testing.T) { // Setup containerd and crictl. crictl, cleanup, err := setup(t, version) if err != nil { t.Fatalf("failed to setup crictl: %v", err) } defer cleanup() podID, contID, err := crictl.StartPodAndContainer(containerdRuntime, "basic/httpd", Sandbox("default"), Httpd) if err != nil { t.Fatalf("start failed: %v", err) } // Look for the httpd page. if err = httpGet(crictl, podID, "index.html"); err != nil { t.Fatalf("failed to get page: %v", err) } // Stop everything. if err := crictl.StopPodAndContainer(podID, contID); err != nil { t.Fatalf("stop failed: %v", err) } }) } } // HttpdMountPaths is a JSON config for an httpd container with additional // mounts. var HttpdMountPaths = SimpleSpec("httpd", "basic/httpd", nil, map[string]interface{}{ "mounts": []map[string]interface{}{ map[string]interface{}{ "container_path": "/var/run/secrets/kubernetes.io/serviceaccount", "host_path": "/var/lib/kubelet/pods/82bae206-cdf5-11e8-b245-8cdcd43ac064/volumes/kubernetes.io~secret/default-token-2rpfx", "readonly": true, }, map[string]interface{}{ "container_path": "/etc/hosts", "host_path": "/var/lib/kubelet/pods/82bae206-cdf5-11e8-b245-8cdcd43ac064/etc-hosts", "readonly": false, }, map[string]interface{}{ "container_path": "/dev/termination-log", "host_path": "/var/lib/kubelet/pods/82bae206-cdf5-11e8-b245-8cdcd43ac064/containers/httpd/d1709580", "readonly": false, }, map[string]interface{}{ "container_path": "/usr/local/apache2/htdocs/test", "host_path": "/var/lib/kubelet/pods/82bae206-cdf5-11e8-b245-8cdcd43ac064", "readonly": true, }, }, "linux": map[string]interface{}{}, }) // TestMountPaths refers to b/117635704. func TestMountPaths(t *testing.T) { for _, version := range allVersions { t.Run(version, func(t *testing.T) { // Setup containerd and crictl. crictl, cleanup, err := setup(t, version) if err != nil { t.Fatalf("failed to setup crictl: %v", err) } defer cleanup() podID, contID, err := crictl.StartPodAndContainer(containerdRuntime, "basic/httpd", Sandbox("default"), HttpdMountPaths) if err != nil { t.Fatalf("start failed: %v", err) } // Look for the directory available at /test. if err = httpGet(crictl, podID, "test"); err != nil { t.Fatalf("failed to get page: %v", err) } // Stop everything. if err := crictl.StopPodAndContainer(podID, contID); err != nil { t.Fatalf("stop failed: %v", err) } }) } } // TestMountPaths refers to b/118728671. func TestMountOverSymlinks(t *testing.T) { for _, version := range allVersions { t.Run(version, func(t *testing.T) { // Setup containerd and crictl. crictl, cleanup, err := setup(t, version) if err != nil { t.Fatalf("failed to setup crictl: %v", err) } defer cleanup() spec := SimpleSpec("busybox", "basic/resolv", []string{"sleep", "1000"}, nil) podID, contID, err := crictl.StartPodAndContainer(containerdRuntime, "basic/resolv", Sandbox("default"), spec) if err != nil { t.Fatalf("start failed: %v", err) } out, err := crictl.Exec(contID, "readlink", "/etc/resolv.conf") if err != nil { t.Fatalf("readlink failed: %v, out: %s", err, out) } if want := "/tmp/resolv.conf"; !strings.Contains(string(out), want) { t.Fatalf("/etc/resolv.conf is not pointing to %q: %q", want, string(out)) } etc, err := crictl.Exec(contID, "cat", "/etc/resolv.conf") if err != nil { t.Fatalf("cat failed: %v, out: %s", err, etc) } tmp, err := crictl.Exec(contID, "cat", "/tmp/resolv.conf") if err != nil { t.Fatalf("cat failed: %v, out: %s", err, out) } if tmp != etc { t.Fatalf("file content doesn't match:\n\t/etc/resolv.conf: %s\n\t/tmp/resolv.conf: %s", string(etc), string(tmp)) } // Stop everything. if err := crictl.StopPodAndContainer(podID, contID); err != nil { t.Fatalf("stop failed: %v", err) } }) } } // TestHomeDir tests that the HOME environment variable is set for // Pod containers. func TestHomeDir(t *testing.T) { for _, version := range allVersions { t.Run(version, func(t *testing.T) { // Setup containerd and crictl. crictl, cleanup, err := setup(t, version) if err != nil { t.Fatalf("failed to setup crictl: %v", err) } defer cleanup() // Note that container ID returned here is a sub-container. All Pod // containers are sub-containers. The root container of the sandbox is the // pause container. t.Run("sub-container", func(t *testing.T) { contSpec := SimpleSpec("subcontainer", "basic/busybox", []string{"sh", "-c", "echo $HOME"}, nil) podID, contID, err := crictl.StartPodAndContainer(containerdRuntime, "basic/busybox", Sandbox("subcont-sandbox"), contSpec) if err != nil { t.Fatalf("start failed: %v", err) } out, err := crictl.Logs(contID) if err != nil { t.Fatalf("failed retrieving container logs: %v, out: %s", err, out) } if got, want := strings.TrimSpace(string(out)), "/root"; got != want { t.Fatalf("Home directory invalid. Got %q, Want : %q", got, want) } // Stop everything; note that the pod may have already stopped. crictl.StopPodAndContainer(podID, contID) }) // Tests that HOME is set for the exec process. t.Run("exec", func(t *testing.T) { contSpec := SimpleSpec("exec", "basic/busybox", []string{"sleep", "1000"}, nil) podID, contID, err := crictl.StartPodAndContainer(containerdRuntime, "basic/busybox", Sandbox("exec-sandbox"), contSpec) if err != nil { t.Fatalf("start failed: %v", err) } out, err := crictl.Exec(contID, "sh", "-c", "echo $HOME") if err != nil { t.Fatalf("failed retrieving container logs: %v, out: %s", err, out) } if got, want := strings.TrimSpace(string(out)), "/root"; got != want { t.Fatalf("Home directory invalid. Got %q, Want : %q", got, want) } // Stop everything. if err := crictl.StopPodAndContainer(podID, contID); err != nil { t.Fatalf("stop failed: %v", err) } }) }) } } const containerdRuntime = "runsc" const v1Template = ` disabled_plugins = ["restart"] [plugins.cri] disable_tcp_service = true [plugins.linux] shim = "%s" shim_debug = true [plugins.cri.containerd.runtimes.` + containerdRuntime + `] runtime_type = "io.containerd.runtime.v1.linux" runtime_engine = "%s" runtime_root = "%s/root/runsc" ` const v2Template = ` disabled_plugins = ["restart"] [plugins.cri] disable_tcp_service = true [plugins.linux] shim_debug = true [plugins.cri.containerd.runtimes.` + containerdRuntime + `] runtime_type = "io.containerd.` + containerdRuntime + `.v1" [plugins.cri.containerd.runtimes.` + containerdRuntime + `.options] TypeUrl = "io.containerd.` + containerdRuntime + `.v1.options" ` const ( // v1 is the containerd API v1. v1 string = "v1" // v1 is the containerd API v21. v2 string = "v2" ) // allVersions is the set of known versions. var allVersions = []string{v1, v2} // setup sets up before a test. Specifically it: // * Creates directories and a socket for containerd to utilize. // * Runs containerd and waits for it to reach a "ready" state for testing. // * Returns a cleanup function that should be called at the end of the test. func setup(t *testing.T, version string) (*criutil.Crictl, func(), error) { // Create temporary containerd root and state directories, and a socket // via which crictl and containerd communicate. containerdRoot, err := ioutil.TempDir(testutil.TmpDir(), "containerd-root") if err != nil { t.Fatalf("failed to create containerd root: %v", err) } cu := cleanup.Make(func() { os.RemoveAll(containerdRoot) }) defer cu.Clean() t.Logf("Using containerd root: %s", containerdRoot) containerdState, err := ioutil.TempDir(testutil.TmpDir(), "containerd-state") if err != nil { t.Fatalf("failed to create containerd state: %v", err) } cu.Add(func() { os.RemoveAll(containerdState) }) t.Logf("Using containerd state: %s", containerdState) sockDir, err := ioutil.TempDir(testutil.TmpDir(), "containerd-sock") if err != nil { t.Fatalf("failed to create containerd socket directory: %v", err) } cu.Add(func() { os.RemoveAll(sockDir) }) sockAddr := path.Join(sockDir, "test.sock") t.Logf("Using containerd socket: %s", sockAddr) // Extract the containerd version. versionCmd := exec.Command(getContainerd(), "-v") out, err := versionCmd.CombinedOutput() if err != nil { t.Fatalf("error extracting containerd version: %v (%s)", err, string(out)) } r := regexp.MustCompile(" v([0-9]+)\\.([0-9]+)\\.([0-9+])") vs := r.FindStringSubmatch(string(out)) if len(vs) != 4 { t.Fatalf("error unexpected version string: %s", string(out)) } major, err := strconv.ParseUint(vs[1], 10, 64) if err != nil { t.Fatalf("error parsing containerd major version: %v (%s)", err, string(out)) } minor, err := strconv.ParseUint(vs[2], 10, 64) if err != nil { t.Fatalf("error parsing containerd minor version: %v (%s)", err, string(out)) } t.Logf("Using containerd version: %d.%d", major, minor) // We rewrite a configuration. This is based on the current docker // configuration for the runtime under test. runtime, err := dockerutil.RuntimePath() if err != nil { t.Fatalf("error discovering runtime path: %v", err) } t.Logf("Using runtime: %v", runtime) // Construct a PATH that includes the runtime directory. This is // because the shims will be installed there, and containerd may infer // the binary name and search the PATH. runtimeDir := path.Dir(runtime) modifiedPath := os.Getenv("PATH") if modifiedPath != "" { modifiedPath = ":" + modifiedPath // We prepend below. } modifiedPath = path.Dir(getContainerd()) + modifiedPath modifiedPath = runtimeDir + ":" + modifiedPath t.Logf("Using PATH: %v", modifiedPath) var ( config string runpArgs []string ) switch version { case v1: // This is only supported less than 1.3. if major > 1 || (major == 1 && minor >= 3) { t.Skipf("skipping unsupported containerd (want less than 1.3, got %d.%d)", major, minor) } // We provide the shim, followed by the runtime, and then a // temporary root directory. config = fmt.Sprintf(v1Template, criutil.ResolvePath("gvisor-containerd-shim"), runtime, containerdRoot) case v2: // This is only supported past 1.2. if major < 1 || (major == 1 && minor <= 1) { t.Skipf("skipping incompatible containerd (want at least 1.2, got %d.%d)", major, minor) } // The runtime is provided via parameter. Note that the v2 shim // binary name is always containerd-shim-* so we don't actually // care about the docker runtime name. config = v2Template default: t.Fatalf("unknown version: %s", version) } t.Logf("Using config: %s", config) // Generate the configuration for the test. configFile, configCleanup, err := testutil.WriteTmpFile("containerd-config", config) if err != nil { t.Fatalf("failed to write containerd config") } cu.Add(configCleanup) // Start containerd. args := []string{ getContainerd(), "--config", configFile, "--log-level", "debug", "--root", containerdRoot, "--state", containerdState, "--address", sockAddr, } t.Logf("Using args: %s", strings.Join(args, " ")) cmd := exec.Command(args[0], args[1:]...) cmd.Env = append(os.Environ(), "PATH="+modifiedPath) // Include output in logs. stderrPipe, err := cmd.StderrPipe() if err != nil { t.Fatalf("failed to create stderr pipe: %v", err) } cu.Add(func() { stderrPipe.Close() }) stdoutPipe, err := cmd.StdoutPipe() if err != nil { t.Fatalf("failed to create stdout pipe: %v", err) } cu.Add(func() { stdoutPipe.Close() }) var ( wg sync.WaitGroup stderr bytes.Buffer stdout bytes.Buffer ) startupR, startupW := io.Pipe() wg.Add(2) go func() { defer wg.Done() io.Copy(io.MultiWriter(startupW, &stderr), stderrPipe) }() go func() { defer wg.Done() io.Copy(io.MultiWriter(startupW, &stdout), stdoutPipe) }() cu.Add(func() { wg.Wait() t.Logf("containerd stdout: %s", stdout.String()) t.Logf("containerd stderr: %s", stderr.String()) }) // Start the process. if err := cmd.Start(); err != nil { t.Fatalf("failed running containerd: %v", err) } // Wait for containerd to boot. if err := testutil.WaitUntilRead(startupR, "Start streaming server", 10*time.Second); err != nil { t.Fatalf("failed to start containerd: %v", err) } // Discard all subsequent data. go io.Copy(ioutil.Discard, startupR) // Create the crictl interface. cc := criutil.NewCrictl(t, sockAddr, runpArgs) cu.Add(cc.CleanUp) // Kill must be the last cleanup (as it will be executed first). cu.Add(func() { // Best effort: ignore errors. testutil.KillCommand(cmd) }) return cc, cu.Release(), nil } // httpGet GETs the contents of a file served from a pod on port 80. func httpGet(crictl *criutil.Crictl, podID, filePath string) error { // Get the IP of the httpd server. ip, err := crictl.PodIP(podID) if err != nil { return fmt.Errorf("failed to get IP from pod %q: %v", podID, err) } // GET the page. We may be waiting for the server to start, so retry // with a timeout. var resp *http.Response cb := func() error { r, err := http.Get(fmt.Sprintf("http://%s", path.Join(ip, filePath))) resp = r return err } if err := testutil.Poll(cb, 20*time.Second); err != nil { return err } defer resp.Body.Close() if resp.StatusCode != 200 { return fmt.Errorf("bad status returned: %d", resp.StatusCode) } return nil } func getContainerd() string { // Use the local path if it exists, otherwise, use the system one. if _, err := os.Stat("/usr/local/bin/containerd"); err == nil { return "/usr/local/bin/containerd" } return "/usr/bin/containerd" }