With the fix in the previous commit and criu patched with support for
cgroupv2, these tests should now pass.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Same test as the first one, just with cgroupns enabled.
Since in case of cgroupv2 `runc spec` enables cgroupns,
this case was already tested by the first checkpoint test,
so skip it.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Commit a9e15e7e0 adds a check that stdin/out/err pipes
are restored correctly. Commit ec260653b7 copy/pastes
the same code to one more test.
Problem is (as pointed out in commit 5369f9ade3) these tests
sometimes hang. I have also seen them fail.
Apparently, the code used to create pipes and open them to fds
is racy:
```shell
cat $fifo | cat $fifo &
pid=$!
exec 50</proc/$pid/fd/0
exec 51>/proc/$pid/fd/0
```
Since `cat | cat` is spawned asynchronously, by the time exec is used,
the second cat process (i.e. $pid) is already fork'ed but it might
not be exec'ed yet. As a result, we get this (`ls -l /proc/self/fd`):
```
lr-x------. 1 root root 64 Apr 20 02:39 50 -> /dev/pts/1
l-wx------. 1 root root 64 Apr 20 02:39 51 -> /dev/pts/1
```
or, in some cases:
```
lr-x------. 1 root root 64 Apr 20 02:45 50 -> /dev/pts/1
l-wx------. 1 root root 64 Apr 20 02:45 51 -> 'pipe:[215791]'
```
instead of the expected set of pipes:
```
lr-x------. 1 root root 64 Apr 20 02:45 50 -> 'pipe:[215791]'
l-wx------. 1 root root 64 Apr 20 02:45 51 -> 'pipe:[215791]'
```
One possible workaround is to add `sleep 0.1` or so after cat|cat,
but it is outright ugly (besides, we already have one sleep in
the test code).
The solution is to not use any external processes to create pipes.
I admit this still looks not very comprehensible, but at least it
is easier than before, and it works.
While at it, remove code duplication, moving the setup and check
code into a pair of functions.
Finally, since the tests are working now, remove the skip.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
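One way to open both ends of a pipe from the shell itself, with a check that fails fast when two fds are not ends of the same pipe. This is an added example, not the code from this commit or from runc; it assumes bash 4.1+ on Linux, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not runc's test code. Linux-only: relies on /proc/<pid>/fd.

# open_pipe_pair RVAR WVAR
# Opens one anonymous pipe and stores a read-only fd number in the variable
# named RVAR and a write-only fd number in the variable named WVAR.
open_pipe_pair() {
	local _tmp _r _w
	# <(:) hands back a path to a pipe fd that is already open in this
	# shell; ':' is a builtin, so there is no child exec to wait for.
	exec {_tmp}<> <(:)
	# Re-open the same pipe through /proc: once to read, once to write.
	exec {_r}< "/proc/self/fd/$_tmp"
	exec {_w}> "/proc/self/fd/$_tmp"
	exec {_tmp}>&-
	printf -v "$1" '%s' "$_r"
	printf -v "$2" '%s' "$_w"
}

# fd_target FD: print what the fd points to, e.g. pipe:[215791] or /dev/pts/1.
fd_target() {
	readlink "/proc/$BASHPID/fd/$1"
}

# same_pipe FD1 FD2: succeed only if both fds are ends of one and the same
# pipe. A /dev/pts/N target or two different pipe inodes is the symptom of
# the race described in the commit message.
same_pipe() {
	local a b
	a=$(fd_target "$1") && b=$(fd_target "$2") || return 1
	[[ $a == pipe:* && $a == "$b" ]]
}

# roundtrip RFD WFD TEXT: write one line into the pipe and read it back.
roundtrip() {
	local line
	echo "$3" >&"$2"
	read -r line <&"$1"
	printf '%s' "$line"
}

open_pipe_pair in_r in_w
printf 'fd %s -> %s\n' "$in_r" "$(fd_target "$in_r")" "$in_w" "$(fd_target "$in_w")"
```

Running `same_pipe` right after the setup turns a silent mis-wiring into an immediate test failure instead of a hang.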
Since all the criu tests have the same requirements,
move them to setup().
While at it, remove an obviously redundant comment.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Introduce a special case for `testcontainer` to test
for a container that is not present (checkpointed), use it.
Fix one place where testcontainer was not used.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
runc in this file is actually a function that does `run runc ...`,
and `run` sets variable `$status` as the exit code, so `$status`
is what should be checked.
If calling runc directly (as in `__runc ...`), then $? is legit.
While at it, remove an obsoleted comment, and an unneeded
`ret=$?` assignment (check `$?` directly).
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Run in the same environment as systemd tests.
Disable CRIU tests because:
- they all fail with cgroup v2;
- CRIU v3.14 is required and it's not yet released, and
rebuilding it from sources with patches applied (like
it is currently done in Dockerfile) is too much work.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Those need to be run on the (Vagrant Fedora 31) host
(since we need real systemd running), and so we have
to have all the tools needed to compile runc and run
the tests.
The good news is Fedora packages a decent and recent release
of bats-core (1.1.0), which we can use (Debian does not),
and we can also use golang (currently 1.13.9) from Fedora.
The bad news is:
1. Currently cgroups tests are only working with
RUNC_USE_SYSTEMD=yes (addressed by #2299, #2305)
2. Tests in events.bats do not work (need cgroupv2
memory.events support)
3. Fedora 31 image is 6 months old (and has broken
container-selinux policy) so we need `dnf update`,
which adds ~5 min to test time.
[v2: add -t to ssh to enforce pty]
[v3: disable events tests for cgroupv2]
[v4: update fedora packages, use a single dnf transaction]
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
1. Add `cgroups_v1` and `cgroups_v2` options to `requires`.
2. Modify `check_cgroup_value` to be able to work with v2.
3. Split `test "update"` into two:
- (1) testing cgroupv1-only cpu shares and cfs
- (2) testing limits that are more or less common
between v1 and v2: memory/swap, pids, cpusets.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
... and add kmem-tcp to cgroups kmem test.
First, we already have a separate kmem test in cgroups.bats.
Second, making kmem a requirement leads to skipping all the other
test cases in the update.bats test.
Third, kmem limit is being removed from the kernel, so it makes sense
to handle it separately.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This comment was added by commit 6cd425be2b (Allow update rt_period_us
and rt_runtime_us, Nov 4 2016), and the test case was added by commit
51baedf3f3 (Add integration for update rt period and runtime,
Nov 28 2016), making the comment obsolete.
Remove it.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
1. Consolidate all the cgroup-related initialization code to
a single place, init_cgroup_paths(), so we can see which
variables are set.
2. Lazily call init_cgroup_paths() from all places that require it.
3. Don't set globals KMEM and RT_PERIOD.
4. Slightly clarify variables naming:
- use OCI_CGROUPS_PATH for cgroupsPath in config.json
- use REL_CGROUPS_PATH for relative cgroups path
5. Do not hardcode the list of cgroup subsystems -- get it from
/proc/cgroup.
6. Preliminary support for cgroupv2 unified hierarchy (not yet working).
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Consolidate two implementations of check_cgroup_value()
into one, putting it into helpers.
Remove the first parameter, deducing the variable to get
the path from by the parameter name.
This should help in future cgroupv2 support.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
If container's config.json has `"terminal": true` setting in its
"process" section, runc exec assumes that stdin (fd 0) is a terminal
and tries to use it.
This leads to the following error in case stdin is not a terminal:
> ERRO[0000] exec failed: provided file is not a console
So, even if -t/--tty is not set, exec uses stdin as a terminal.
It does not help that urfave/cli v1 parser we use does not allow
to use `-t no` or `-t false`.
Since the setting in config.json is probably for the container run/start,
not for the auxiliary process started inside a container with exec, do
not use a setting from there, only treating stdin as a terminal in case
`-t` is explicitly given.
Tests that use runc exec with a terminal are amended with -t.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Odin Ugedal (7):
Run verify-dependencies only on go1.x
Don't add git utils to go.mod in CI
Remove references to vndr
Make CI script to verify that vendor is in sync
Fix file permissions for mounts.bats
Update spec test to use go.mod
Add support for GO Modules
LGTMs: @hqhq @AkihiroSuda @cyphar
Closes #2073
Currently, the id verification in integration test failed on arm
platform due to the inconsistent /etc/group in the busybox images
for arm and x86. To be specific, the nogroup id in x86 is 99 while
that in arm is 65534.
99 is the old id for nogroup, and is no longer used in recent systems,
so sync the busybox image for arm and x86 to the image in busybox
github. Also change the id verification rule in integration test.
Signed-off-by: Howard Zhang <howard.zhang@arm.com>
Minor refactoring to use the filePair struct for both init sock and log pipe
Co-authored-by: Julia Nedialkova <julianedialkova@hotmail.com>
Signed-off-by: Georgi Sabev <georgethebeatle@gmail.com>
These tests sometimes hang, so let's skip them for now.
Tested:
```
$ sudo make localintegration TESTPATH='/checkpoint.bats' RUNC_USE_SYSTEMD=1
```
The 5 tests in this test suite will be skipped.
Signed-off-by: Filipe Brandenburger <filbranden@google.com>
When $RUNC_USE_SYSTEMD is set, then use a systemd syntax for the
cgroupsPath. Also fix $CGROUPS_PATH to look under the actual path to the
slice/scope created by systemd.
Tested:
```
$ sudo make localintegration TESTPATH='/cgroups.bats' RUNC_USE_SYSTEMD=1
```
That test will fail without this commit.
Signed-off-by: Filipe Brandenburger <filbranden@google.com>
This allows us to test runc using libcontainer's systemd driver, by
passing an extra `--systemd-cgroup` argument to the calls to runc.
Tested:
```
$ sudo make localintegration TESTPATH='/exec.bats' RUNC_USE_SYSTEMD=1
```
And confirmed that systemd was in use by looking at creation and removal
of libcontainer_<pid>_systemd_test_default.slice test slices. Also
introduced a breakage in systemd cgroup driver and confirmed that the
tests failed as expected.
Signed-off-by: Filipe Brandenburger <filbranden@google.com>
This removes unnecessary lines from checkpoint.bats like:
```
sed -i 's;"readonly": true;"readonly": false;' config.json
```
and adds (and corrects) comments which are leftover from older
versions of checkpoint.bats.
Signed-off-by: Adrian Reber <areber@redhat.com>
This adds a new CRIU based checkpoint/restore test to check if
the restored container runs in the same network namespace as before.
Signed-off-by: Adrian Reber <areber@redhat.com>
Upstream renamed the feature check for lazy migration support from
'lazy_pages' to 'uffd'. The lazy migration test case was therefore
not running at all. This enables the lazy migration test case in runc
again.
The test will, however, not run in travis as the kernel is too old.
But it works again locally.
Signed-off-by: Adrian Reber <areber@redhat.com>
In some cases, /sys/fs/cgroups is mounted read-only. In rootless
containers we can consider this effectively identical to having cgroups
that we don't have write permission to -- because the user isn't
responsible for the read-only setup and cannot modify it. The rules are
identical to when /sys/fs/cgroups is not writable by the unprivileged
user.
An example of this is the default configuration of Docker, where cgroups
are mounted as read-only as a preventative security measure.
Reported-by: Vladimir Rutsky <rutsky@google.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Currently, integration test can't be done on arm64 platform due to several issues.
Fix points:
1. add busybox.tar with arm64 format
2. add hello-world.tar with arm64 format
Signed-off-by: Bin Lu <bin.lu@arm.com>
Since the defined config.json contains kmem settings, the test will try
writing to memory.kmem.* and fail. Therefore, it needs to require
cgroups_kmem.
Signed-off-by: Thomas Hipp <thipp@suse.de>
Previously we weren't testing that detached io works properly -- which
will be quite important in the case for rootless containers.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
This ensures that we don't hard-code the set of cgroups on the host, as
well as making the permissions granted by rootless.sh much more
restrictive (to improve the scope of testing).
Signed-off-by: Aleksa Sarai <asarai@suse.de>
This flag allows specifying additional gids for the process.
Without this flag, the user will have to provide process.json which allows additional gids.
Closes #1306
Signed-off-by: Sumit Sanghrajka <sumit.sanghrajka@gmail.com>
Signed-off-by: Ed King <eking@pivotal.io>
Signed-off-by: Gabriel Rosenhouse <grosenhouse@pivotal.io>
Signed-off-by: Konstantinos Karampogias <konstantinos.karampogias@swisscom.com>
Signed-off-by: Will Martin <wmartin@pivotal.io>
Signed-off-by: Petar Petrov <pppepito86@gmail.com>
Signed-off-by: Ed King <eking@pivotal.io>
Signed-off-by: Roberto Jimenez Sanchez <jszroberto@gmail.com>
Signed-off-by: Thomas Godkin <tgodkin@pivotal.io>
Enable several previously disabled tests (for the idmap execution mode)
for rootless containers, in addition to making all tests use the
additional mappings. At the moment there's no strong need to add any
additional tests purely for rootless_idmap.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
This is necessary in order to add proper opportunistic tests, and is a
placeholder until we add tests for new{uid,gid}map configurations.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
The lazy-pages test case is not as straightforward as the other test
cases. This is related to the fact that restoring requires a different
name if restored on the same host. During 'runc checkpoint' the
container is not destroyed before all memory pages have been transferred
to the destination and thus the same container name cannot be used.
As real world usage will rather migrate a container from one system to
another than lazy migrate a container on the same host this is only
problematic for this test case.
Another reason is that it requires starting 'runc checkpoint' and 'criu
lazy-pages' in the background as those processes need to be running to
start the final restore 'runc restore'.
CRIU upstream is currently discussing to automatically start 'criu
lazy-pages' which would simplify the lazy-pages test case a bit.
The handling and checking of the background processes make the test case
not the most elegant as at one point a 'sleep 2' is required to make
sure that 'runc checkpoint' had time to do its thing before looking at
log files.
Before running the actual test criu is called in feature checking mode
to make sure lazy migration is in the test case criu enabled. If not,
the test is skipped.
Signed-off-by: Adrian Reber <areber@redhat.com>
This moves all console code to use github.com/containerd/console library to
handle console I/O. Also move to use EpollConsole by default when user requests
a terminal so we can still cope when the other side temporarily goes away.
Signed-off-by: Daniel Dao <dqminh89@gmail.com>
If criu isn't installed on the host, integration tests won't be able
to go on; it should skip checkpoint/restore tests instead of being interrupted.
Output before:
```
$ make localintegration
bats -t tests/integration
/usr/lib/bats/bats-exec-suite: line 20: let: count+=: syntax error:
operand expected (error token is "+=")
Makefile:103: recipe for target 'localintegration' failed
```
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
print out errors in checkpoint/restore log when it failed similar to how we did it
in `checkpoint --pre-dump` tests
Signed-off-by: Daniel Dao <dqminh89@gmail.com>
This patch mimics the behavior of "rm -rf" so that if a container
doesn't exist and you force delete it, it won't error out.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
We have two test cases with and without pre-dump. Terminals and
pre-dump features are orthogonal, so we can modify one of these test cases.
Signed-off-by: Andrei Vagin <avagin@virtuozzo.com>
vndr doesn't support non-top-level imports, and in addition we really
should be using tagged releases far more than we currently are
(*especially* when it comes to the OCI specs).
Signed-off-by: Aleksa Sarai <asarai@suse.de>
This adds targets for rootless integration tests, as well as all of the
required setup in order to get the tests to run. This includes quite a
few changes, because of a lot of assumptions about things running as
root within the bats scripts (which is not true when setting up rootless
containers).
Signed-off-by: Aleksa Sarai <asarai@suse.de>
As per the discussions in #1156, we think it's a bad
idea to allow multi container operations in runc. So
revert it.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
This uses the standard go vendor location instead of old Godeps
location.
Also remove usage of symlink GOPATH. Since our README mentions that you
should build it inside GOPATH, I think it's reasonable to assume that
you don't need to create a tmp GOPATH.
Signed-off-by: Daniel Dao <dqminh89@gmail.com>
CRIU gets pre-dump to complete iterative migration.
pre-dump saves process memory info only. And it needs parent-path
to specify the former memory files.
This patch adds pre-dump and parent-path arguments to runc checkpoint
Signed-off-by: Deng Guangxing <dengguangxing@huawei.com>
Signed-off-by: Adrian Reber <areber@redhat.com>
Add some tests to ensure that we always get a proper console (created
inside the container). This is done by checking that the
/proc/self/fd/[012] "symlinks" are always referencing something in
/dev/pts/*.
This patch is part of the console rewrite patchset.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
This fixes all of the tests that were broken as part of the console
rewrite. This includes fixing the integration tests that used TTY
handling inside libcontainer, as well as the bats integration tests that
needed to be rewritten to use recvtty (as they rely on detached
containers that are running).
This patch is part of the console rewrite patchset.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Switch to the actual source of the official Docker library of images, so
that we have a proper source for the test filesystem. In addition,
update to the latest released version (1.25.0 [2016-06-23]) so that we
can use more up-to-date applets in our tests (such as stat(3)).
This patch is part of the console rewrite patchset.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Currently runc already supports setting realtime runtime and period
before container processes start, this commit will add update support
for realtime scheduler resources.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
I use the same tool (https://github.com/client9/misspell)
as Daniel used a few days ago, don't know why he missed these
typos at that time.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>