tests: add rootless integration tests

This adds targets for rootless integration tests, as well as all of the required setup in order to get the tests to run. This includes quite a few changes, because of a lot of assumptions about things running as root within the bats scripts (which is not true when setting up rootless containers). Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-05-11 17:45:00 +10:00 · 2016-05-11 17:45:00 +10:00 · ba38383a39
parent 2ce33574d0
commit ba38383a39
14 changed files with 117 additions and 24 deletions
--- a/7
+++ b/7
@ -6,6 +6,7 @@ RUN echo 'deb http://httpredir.debian.org/debian jessie-backports main' > /etc/a
 RUN apt-get update && apt-get install -y \
    build-essential \
    curl \
+    sudo \
    gawk \
    iptables \
    jq \
@ -22,6 +23,12 @@ RUN apt-get update && apt-get install -y \
    --no-install-recommends \
    && apt-get clean

+# Add a dummy user for the rootless integration tests. While runC does
+# not require an entry in /etc/passwd to operate, one of the tests uses
+# `git clone` -- and `git clone` does not allow you to clone a
+# repository if the current uid does not have an entry in /etc/passwd.
+RUN useradd -u1000 -m -d/home/rootless -s/bin/bash rootless
+
 # install bats
 RUN cd /tmp \
    && git clone https://github.com/sstephenson/bats.git \
--- a/11
+++ b/11
@ -79,10 +79,10 @@ runcimage:
 	docker build -t $(RUNC_IMAGE) .

 test:
-	make unittest integration
+	make unittest integration rootlessintegration

 localtest:
-	make localunittest localintegration
+	make localunittest localintegration localrootlessintegration

 unittest: runcimage
 	docker run -e TESTFLAGS -t --privileged --rm -v $(CURDIR):/go/src/$(PROJECT) $(RUNC_IMAGE) make localunittest
@ -96,6 +96,13 @@ integration: runcimage
 localintegration: all
 	bats -t tests/integration${TESTFLAGS}

+rootlessintegration: runcimage
+	docker run -e TESTFLAGS -t --privileged --rm -v $(CURDIR):/go/src/$(PROJECT) --cap-drop=ALL -u rootless $(RUNC_IMAGE) make localintegration
+
+# FIXME: This should not be separate from rootlessintegration's method of running.
+localrootlessintegration: all
+	sudo -u rootless -H PATH="${PATH}" bats -t tests/integration${TESTFLAGS}
+
 shell: all
 	docker run -e TESTFLAGS -ti --privileged --rm -v $(CURDIR):/go/src/$(PROJECT) $(RUNC_IMAGE) bash

--- a/tests/integration/checkpoint.bats
+++ b/tests/integration/checkpoint.bats
@ -59,8 +59,9 @@ function teardown() {
  [[ "${output}" == *"running"* ]]
 }

-@test "checkpoint(pre-dump) and restore" {
-  requires criu
+@test "checkpoint --pre-dump and restore" {
+  # XXX: currently criu require root containers.
+  requires criu root

  # criu does not work with external terminals so..
  # setting terminal and root:readonly: to false
--- a/tests/integration/delete.bats
+++ b/tests/integration/delete.bats
@ -22,11 +22,13 @@ function teardown() {
  testcontainer test_busybox running

  runc kill test_busybox KILL
+  [ "$status" -eq 0 ]
  # wait for busybox to be in the destroyed state
  retry 10 1 eval "__runc state test_busybox | grep -q 'stopped'"

  # delete test_busybox
  runc delete test_busybox
+  [ "$status" -eq 0 ]

  runc state test_busybox
  [ "$status" -ne 0 ]
--- a/tests/integration/events.bats
+++ b/tests/integration/events.bats
@ -12,6 +12,9 @@ function teardown() {
 }

@test "events --stats" {
+  # XXX: currently cgroups require root containers.
+  requires root
+
  # run busybox detached
  runc run -d --console-socket $CONSOLE_SOCKET test_busybox
  [ "$status" -eq 0 ]
@ -27,6 +30,9 @@ function teardown() {
 }

@test "events --interval default " {
+  # XXX: currently cgroups require root containers.
+  requires root
+
  # run busybox detached
  runc run -d --console-socket $CONSOLE_SOCKET test_busybox
  [ "$status" -eq 0 ]
@ -54,6 +60,9 @@ function teardown() {
 }

@test "events --interval 1s " {
+  # XXX: currently cgroups require root containers.
+  requires root
+
  # run busybox detached
  runc run -d --console-socket $CONSOLE_SOCKET test_busybox
  [ "$status" -eq 0 ]
@ -80,6 +89,9 @@ function teardown() {
 }

@test "events --interval 100ms " {
+  # XXX: currently cgroups require root containers.
+  requires root
+
  # run busybox detached
  runc run -d --console-socket $CONSOLE_SOCKET test_busybox
  [ "$status" -eq 0 ]
--- a/tests/integration/exec.bats
+++ b/tests/integration/exec.bats
@ -112,6 +112,9 @@ function teardown() {
 }

@test "runc exec --user" {
+  # --user can't work in rootless containers
+  requires root
+
  # run busybox detached
  runc run -d --console-socket $CONSOLE_SOCKET test_busybox
  [ "$status" -eq 0 ]
--- a/tests/integration/help.bats
+++ b/tests/integration/help.bats
@ -57,6 +57,7 @@ load helpers
  [ "$status" -eq 0 ]
  [[ ${lines[1]} =~ runc\ resume+ ]]

+  # We don't use runc_spec here, because we're just testing the help page.
  runc spec -h
  [ "$status" -eq 0 ]
  [[ ${lines[1]} =~ runc\ spec+ ]]
--- a/tests/integration/helpers.bash
+++ b/tests/integration/helpers.bash
@ -4,7 +4,7 @@
 INTEGRATION_ROOT=$(dirname "$(readlink -f "$BASH_SOURCE")")
 RUNC="${INTEGRATION_ROOT}/../../runc"
 RECVTTY="${INTEGRATION_ROOT}/../../contrib/cmd/recvtty/recvtty"
-GOPATH="${INTEGRATION_ROOT}/../../../.."
+GOPATH="$(mktemp -d --tmpdir runc-integration-gopath.XXXXXX)"

 # Test data path.
 TESTDATA="${INTEGRATION_ROOT}/testdata"
@ -27,7 +27,7 @@ KERNEL_MINOR="${KERNEL_VERSION#$KERNEL_MAJOR.}"
 KERNEL_MINOR="${KERNEL_MINOR%%.*}"

 # Root state path.
-ROOT="$BATS_TMPDIR/runc"
+ROOT=$(mktemp -d "$BATS_TMPDIR/runc.XXXXXX")

 # Path to console socket.
 CONSOLE_SOCKET="$BATS_TMPDIR/console.sock"
@ -58,6 +58,17 @@ function __runc() {
 	"$RUNC" --root "$ROOT" "$@"
 }

+# Wrapper for runc spec.
+function runc_spec() {
+	local args=""
+
+	if [ "$ROOTLESS" -ne 0 ]; then
+		args+="--rootless"
+	fi
+
+	runc spec $args "$@"
+}
+
 # Fails the current test, providing the error given.
 function fail() {
 	echo "$@" >&2
@ -187,18 +198,18 @@ function setup_busybox() {
 	if [ ! -e $BUSYBOX_IMAGE ]; then
 		curl -o $BUSYBOX_IMAGE -sSL 'https://github.com/docker-library/busybox/raw/a0558a9006ce0dd6f6ec5d56cfd3f32ebeeb815f/glibc/busybox.tar.xz'
 	fi
-	tar -C "$BUSYBOX_BUNDLE"/rootfs -xf "$BUSYBOX_IMAGE"
+	tar --exclude './dev/*' -C "$BUSYBOX_BUNDLE"/rootfs -xf "$BUSYBOX_IMAGE"
 	cd "$BUSYBOX_BUNDLE"
-	runc spec
+	runc_spec
 }

 function setup_hello() {
 	setup_recvtty
 	run mkdir "$HELLO_BUNDLE"
 	run mkdir "$HELLO_BUNDLE"/rootfs
-	tar -C "$HELLO_BUNDLE"/rootfs -xf "$HELLO_IMAGE"
+	tar --exclude './dev/*' -C "$HELLO_BUNDLE"/rootfs -xf "$HELLO_IMAGE"
 	cd "$HELLO_BUNDLE"
-	runc spec
+	runc_spec
 	sed -i 's;"sh";"/hello";' config.json
 }

--- a/tests/integration/ps.bats
+++ b/tests/integration/ps.bats
@ -12,6 +12,9 @@ function teardown() {
 }

@test "ps" {
+  # ps is not supported, it requires cgroups
+  requires root
+
  # start busybox detached
  runc run -d --console-socket $CONSOLE_SOCKET test_busybox
  [ "$status" -eq 0 ]
@ -24,10 +27,13 @@ function teardown() {
  runc ps test_busybox
  [ "$status" -eq 0 ]
  [[ ${lines[0]} =~ UID\ +PID\ +PPID\ +C\ +STIME\ +TTY\ +TIME\ +CMD+ ]]
-  [[ "${lines[1]}" == *"root"*[0-9]* ]]
+  [[ "${lines[1]}" == *"$(id -un 2>/dev/null)"*[0-9]* ]]
 }

@test "ps -f json" {
+  # ps is not supported, it requires cgroups
+  requires root
+
  # start busybox detached
  runc run -d --console-socket $CONSOLE_SOCKET test_busybox
  [ "$status" -eq 0 ]
@ -43,6 +49,9 @@ function teardown() {
 }

@test "ps -e -x" {
+  # ps is not supported, it requires cgroups
+  requires root
+
  # start busybox detached
  runc run -d --console-socket $CONSOLE_SOCKET test_busybox
  [ "$status" -eq 0 ]
--- a/tests/integration/spec.bats
+++ b/tests/integration/spec.bats
@ -26,7 +26,7 @@ function teardown() {
  [ ! -e config.json ]

  # test generation of spec does not return an error
-  runc spec
+  runc_spec
  [ "$status" -eq 0 ]

  # test generation of spec created our config.json (spec)
@ -51,7 +51,7 @@ function teardown() {
  [ ! -e "$HELLO_BUNDLE"/config.json ]

  # test generation of spec does not return an error
-  runc spec --bundle "$HELLO_BUNDLE"
+  runc_spec --bundle "$HELLO_BUNDLE"
  [ "$status" -eq 0 ]

  # test generation of spec created our config.json (spec)
--- a/tests/integration/start_detached.bats
+++ b/tests/integration/start_detached.bats
@ -23,6 +23,9 @@ function teardown() {
 }

@test "runc run detached ({u,g}id != 0)" {
+  # cannot start containers as another user in rootless setup
+  requires root
+
  # replace "uid": 0 with "uid": 1000
  # and do a similar thing for gid.
  sed -i 's;"uid": 0;"uid": 1000;g' config.json
--- a/tests/integration/start_hello.bats
+++ b/tests/integration/start_hello.bats
@ -21,6 +21,9 @@ function teardown() {
 }

@test "runc run ({u,g}id != 0)" {
+  # cannot start containers as another user in rootless setup
+  requires root
+
  # replace "uid": 0 with "uid": 1000
  # and do a similar thing for gid.
  sed -i 's;"uid": 0;"uid": 1000;g' config.json
--- a/tests/integration/state.bats
+++ b/tests/integration/state.bats
@ -11,7 +11,37 @@ function teardown() {
  teardown_busybox
 }

-@test "state" {
+@test "state (kill + delete)" {
+  runc state test_busybox
+  [ "$status" -ne 0 ]
+
+  # run busybox detached
+  runc run -d --console-socket $CONSOLE_SOCKET test_busybox
+  [ "$status" -eq 0 ]
+
+  # check state
+  wait_for_container 15 1 test_busybox
+
+  testcontainer test_busybox running
+
+  runc kill test_busybox KILL
+  [ "$status" -eq 0 ]
+
+  # wait for busybox to be in the destroyed state
+  retry 10 1 eval "__runc state test_busybox | grep -q 'stopped'"
+
+  # delete test_busybox
+  runc delete test_busybox
+  [ "$status" -eq 0 ]
+
+  runc state test_busybox
+  [ "$status" -ne 0 ]
+}
+
+@test "state (pause + resume)" {
+  # XXX: pause and resume require cgroups.
+  requires root
+
  runc state test_busybox
  [ "$status" -ne 0 ]

@ -37,14 +67,4 @@ function teardown() {

  # test state of busybox is back to running
  testcontainer test_busybox running
-
-  runc kill test_busybox KILL
-  # wait for busybox to be in the destroyed state
-  retry 10 1 eval "__runc state test_busybox | grep -q 'stopped'"
-
-  # delete test_busybox
-  runc delete test_busybox
-
-  runc state test_busybox
-  [ "$status" -ne 0 ]
 }
--- a/tests/integration/tty.bats
+++ b/tests/integration/tty.bats
@ -24,6 +24,10 @@ function teardown() {
 }

@test "runc run [tty owner]" {
+	# tty chmod is not doable in rootless containers.
+	# TODO: this can be made as a change to the gid test.
+	requires root
+
 	# Replace sh script with stat.
 	sed -i 's/"sh"/"sh", "-c", "stat -c %u:%g $(tty) | tr : \\\\\\\\n"/' config.json

@ -36,6 +40,9 @@ function teardown() {
 }

@test "runc run [tty owner] ({u,g}id != 0)" {
+	# tty chmod is not doable in rootless containers.
+	requires root
+
 	# replace "uid": 0 with "uid": 1000
 	# and do a similar thing for gid.
 	sed -i 's;"uid": 0;"uid": 1000;g' config.json
@ -72,6 +79,10 @@ function teardown() {
 }

@test "runc exec [tty owner]" {
+	# tty chmod is not doable in rootless containers.
+	# TODO: this can be made as a change to the gid test.
+	requires root
+
 	# run busybox detached
 	runc run -d --console-socket $CONSOLE_SOCKET test_busybox
 	[ "$status" -eq 0 ]
@ -90,6 +101,9 @@ function teardown() {
 }

@test "runc exec [tty owner] ({u,g}id != 0)" {
+	# tty chmod is not doable in rootless containers.
+	requires root
+
 	# replace "uid": 0 with "uid": 1000
 	# and do a similar thing for gid.
 	sed -i 's;"uid": 0;"uid": 1000;g' config.json