Merge pull request #7892 from AkihiroSuda/cri-integration-cgroup2

fuweid · web-flow · commit 28e8e247b912 · 2023-01-04T20:21:14.000+08:00
Cirrus CI (Fedora 37, Rocky 8): enable cri-integration
diff --git a/.cirrus.yml b/.cirrus.yml
@@ -40,6 +40,9 @@ task:
   integration_script: |
     vagrant up --provision-with=selinux,install-runc,install-gotestsum,test-integration
 
+  cri_integration_script: |
+    vagrant up --provision-with=selinux,install-runc,install-gotestsum,test-cri-integration
+
   cri_test_script: |
     vagrant up --provision-with=selinux,install-runc,install-gotestsum,test-cri
 
diff --git a/Vagrantfile b/Vagrantfile
@@ -207,6 +207,19 @@ EOF
       SHELL
   end
 
+  config.vm.provision "install-failpoint-binaries", type: "shell",  run: "once" do |sh|
+      sh.upload_path = "/tmp/vagrant-install-failpoint-binaries"
+      sh.inline = <<~SHELL
+        #!/usr/bin/env bash
+        source /etc/environment
+        source /etc/profile.d/sh.local
+        set -eux -o pipefail
+        ${GOPATH}/src/github.com/containerd/containerd/script/setup/install-failpoint-binaries
+        chcon -v -t container_runtime_exec_t $(type -ap containerd-shim-runc-fp-v1)
+        containerd-shim-runc-fp-v1 -v
+      SHELL
+  end
+
   # SELinux is Enforcing by default.
   # To set SELinux as Disabled on a VM that has already been provisioned:
   #   SELINUX=Disabled vagrant up --provision-with=selinux
@@ -246,6 +259,36 @@ EOF
     SHELL
   end
 
+  # SELinux is Enforcing by default (via provisioning) in this VM. To re-run with SELinux disabled:
+  #   SELINUX=Disabled vagrant up --provision-with=selinux,test-cri-integration
+  #
+  config.vm.provision "test-cri-integration", type: "shell", run: "never" do |sh|
+    sh.upload_path = "/tmp/test-cri-integration"
+    sh.env = {
+        'GOTEST': ENV['GOTEST'] || "go test",
+        'GOTESTSUM_JUNITFILE': ENV['GOTESTSUM_JUNITFILE'],
+        'GOTESTSUM_JSONFILE': ENV['GOTESTSUM_JSONFILE'],
+        'GITHUB_WORKSPACE': '',
+        'ENABLE_CRI_SANDBOXES': ENV['ENABLE_CRI_SANDBOXES'],
+    }
+    sh.inline = <<~SHELL
+        #!/usr/bin/env bash
+        source /etc/environment
+        source /etc/profile.d/sh.local
+        set -eux -o pipefail
+        cleanup() {
+          rm -rf /var/lib/containerd* /run/containerd* /tmp/containerd* /tmp/test* /tmp/failpoint* /tmp/nri*
+        }
+        cleanup
+        cd ${GOPATH}/src/github.com/containerd/containerd
+        # cri-integration.sh executes containerd from ./bin, not from $PATH .
+        make BUILDTAGS="seccomp selinux no_aufs no_btrfs no_devmapper no_zfs" binaries bin/cri-integration.test
+        chcon -v -t container_runtime_exec_t ./bin/{containerd,containerd-shim*}
+        CONTAINERD_RUNTIME=io.containerd.runc.v2 ./script/test/cri-integration.sh
+        cleanup
+    SHELL
+  end
+
   # SELinux is Enforcing by default (via provisioning) in this VM. To re-run with SELinux disabled:
   #   SELINUX=Disabled vagrant up --provision-with=selinux,test-cri
   #
diff --git a/integration/container_stats_test.go b/integration/container_stats_test.go
@@ -61,7 +61,7 @@ func TestContainerStats(t *testing.T) {
 		if err != nil {
 			return false, err
 		}
-		if s.GetWritableLayer().GetUsedBytes().GetValue() != 0 {
+		if s.GetWritableLayer().GetTimestamp() != 0 {
 			return true, nil
 		}
 		return false, nil
@@ -103,7 +103,7 @@ func TestContainerConsumedStats(t *testing.T) {
 		if err != nil {
 			return false, err
 		}
-		if s.GetMemory().GetWorkingSetBytes().GetValue() > 0 {
+		if s.GetWritableLayer().GetTimestamp() > 0 {
 			return true, nil
 		}
 		return false, nil
@@ -179,7 +179,7 @@ func TestContainerListStats(t *testing.T) {
 			return false, err
 		}
 		for _, s := range stats {
-			if s.GetWritableLayer().GetUsedBytes().GetValue() == 0 {
+			if s.GetWritableLayer().GetTimestamp() == 0 {
 				return false, nil
 			}
 		}
@@ -238,7 +238,7 @@ func TestContainerListStatsWithIdFilter(t *testing.T) {
 			if len(stats) != 1 {
 				return false, errors.New("unexpected stats length")
 			}
-			if stats[0].GetWritableLayer().GetUsedBytes().GetValue() != 0 {
+			if stats[0].GetWritableLayer().GetTimestamp() != 0 {
 				return true, nil
 			}
 			return false, nil
@@ -300,7 +300,7 @@ func TestContainerListStatsWithSandboxIdFilter(t *testing.T) {
 
 		for _, containerStats := range stats {
 			// Wait for stats on all containers, not just the first one in the list.
-			if containerStats.GetWritableLayer().GetUsedBytes().GetValue() == 0 {
+			if containerStats.GetWritableLayer().GetTimestamp() == 0 {
 				return false, nil
 			}
 		}
@@ -358,7 +358,7 @@ func TestContainerListStatsWithIdSandboxIdFilter(t *testing.T) {
 			if len(stats) != 1 {
 				return false, errors.New("unexpected stats length")
 			}
-			if stats[0].GetWritableLayer().GetUsedBytes().GetValue() != 0 {
+			if stats[0].GetWritableLayer().GetTimestamp() != 0 {
 				return true, nil
 			}
 			return false, nil
@@ -380,7 +380,7 @@ func TestContainerListStatsWithIdSandboxIdFilter(t *testing.T) {
 			if len(stats) != 1 {
 				return false, fmt.Errorf("expected only one stat, but got %v", stats)
 			}
-			if stats[0].GetWritableLayer().GetUsedBytes().GetValue() != 0 {
+			if stats[0].GetWritableLayer().GetTimestamp() != 0 {
 				return true, nil
 			}
 			return false, nil
@@ -410,7 +410,12 @@ func testStats(t *testing.T,
 	require.NotEmpty(t, s.GetMemory().GetWorkingSetBytes().GetValue())
 	require.NotEmpty(t, s.GetWritableLayer().GetTimestamp())
 	require.NotEmpty(t, s.GetWritableLayer().GetFsId().GetMountpoint())
-	require.NotEmpty(t, s.GetWritableLayer().GetUsedBytes().GetValue())
+
+	// UsedBytes of a fresh container can be zero on Linux, depending on the backing filesystem.
+	// https://github.com/containerd/containerd/issues/7909
+	if goruntime.GOOS == "windows" {
+		require.NotEmpty(t, s.GetWritableLayer().GetUsedBytes().GetValue())
+	}
 
 	// Windows does not collect inodes stats.
 	if goruntime.GOOS != "windows" {
diff --git a/integration/main_test.go b/integration/main_test.go
@@ -43,6 +43,7 @@ import (
 	"github.com/containerd/containerd/pkg/cri/constants"
 	"github.com/containerd/containerd/pkg/cri/server"
 	"github.com/containerd/containerd/pkg/cri/util"
+	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -289,7 +290,11 @@ func WithVolumeMount(hostPath, containerPath string) ContainerOpts {
 	return func(c *runtime.ContainerConfig) {
 		hostPath, _ = filepath.Abs(hostPath)
 		containerPath, _ = filepath.Abs(containerPath)
-		mount := &runtime.Mount{HostPath: hostPath, ContainerPath: containerPath}
+		mount := &runtime.Mount{
+			HostPath:       hostPath,
+			ContainerPath:  containerPath,
+			SelinuxRelabel: selinux.GetEnabled(),
+		}
 		c.Mounts = append(c.Mounts, mount)
 	}
 }
diff --git a/integration/nri_test.go b/integration/nri_test.go
@@ -32,6 +32,7 @@ import (
 	cri "github.com/containerd/containerd/integration/cri-api/pkg/apis"
 	"github.com/containerd/nri/pkg/api"
 	"github.com/containerd/nri/pkg/stub"
+	"github.com/opencontainers/selinux/go-selinux"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1"
 
 	"github.com/containerd/containerd/integration/images"
@@ -57,6 +58,11 @@ func skipNriTestIfNecessary(t *testing.T, extraSkipChecks ...map[string]bool) {
 	if goruntime.GOOS != "linux" {
 		t.Skip("Not running on linux")
 	}
+
+	if selinux.GetEnabled() {
+		// https://github.com/containerd/containerd/pull/7892#issuecomment-1369825603
+		t.Skip("SELinux relabeling is not supported for NRI yet")
+	}
 	_, err := os.Stat(nriTestSocket)
 	if err != nil {
 		t.Skip("Containerd test instance does not have NRI enabled")
diff --git a/integration/volume_copy_up_test.go b/integration/volume_copy_up_test.go
@@ -118,17 +118,17 @@ func TestVolumeOwnership(t *testing.T) {
 	require.NoError(t, runtimeService.StartContainer(cn))
 
 	// ghcr.io/containerd/volume-ownership:2.1 contains a test_dir
-	// volume, which is owned by nobody:nogroup.
+	// volume, which is owned by 65534:65534 (nobody:nogroup, or nobody:nobody).
 	// On Windows, the folder is situated in C:\volumes\test_dir and is owned
 	// by ContainerUser (SID: S-1-5-93-2-2). A helper tool get_owner.exe should
 	// exist inside the container that returns the owner in the form of USERNAME:SID.
 	t.Logf("Check ownership of test directory inside container")
 
 	cmd := []string{
-		"stat", "-c", "%U:%G", "/test_dir",
+		"stat", "-c", "%u:%g", "/test_dir",
 	}
-	expectedContainerOutput := "nobody:nogroup\n"
-	expectedHostOutput := "nobody:nogroup\n"
+	expectedContainerOutput := "65534:65534\n"
+	expectedHostOutput := "65534:65534\n"
 	if goruntime.GOOS == "windows" {
 		cmd = []string{
 			"C:\\bin\\get_owner.exe",
diff --git a/integration/volume_copy_up_unix_test.go b/integration/volume_copy_up_unix_test.go
@@ -25,7 +25,7 @@ import (
 )
 
 func getOwnership(path string) (string, error) {
-	hostCmd := fmt.Sprintf("stat -c %%U:%%G '%s'", path)
+	hostCmd := fmt.Sprintf("stat -c %%u:%%g '%s'", path)
 	output, err := exec.Command("sh", "-c", hostCmd).CombinedOutput()
 	if err != nil {
 		return "", err

Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ func TestContainerStats(t *testing.T) {`
`61`	`61`	`if err != nil {`
`62`	`62`	`return false, err`
`63`	`63`	`}`
`64`		`- if s.GetWritableLayer().GetUsedBytes().GetValue() != 0 {`
	`64`	`+ if s.GetWritableLayer().GetTimestamp() != 0 {`
`65`	`65`	`return true, nil`
`66`	`66`	`}`
`67`	`67`	`return false, nil`
`@@ -103,7 +103,7 @@ func TestContainerConsumedStats(t *testing.T) {`
`103`	`103`	`if err != nil {`
`104`	`104`	`return false, err`
`105`	`105`	`}`
`106`		`- if s.GetMemory().GetWorkingSetBytes().GetValue() > 0 {`
	`106`	`+ if s.GetWritableLayer().GetTimestamp() > 0 {`
`107`	`107`	`return true, nil`
`108`	`108`	`}`
`109`	`109`	`return false, nil`
`@@ -179,7 +179,7 @@ func TestContainerListStats(t *testing.T) {`
`179`	`179`	`return false, err`
`180`	`180`	`}`
`181`	`181`	`for _, s := range stats {`
`182`		`- if s.GetWritableLayer().GetUsedBytes().GetValue() == 0 {`
	`182`	`+ if s.GetWritableLayer().GetTimestamp() == 0 {`
`183`	`183`	`return false, nil`
`184`	`184`	`}`
`185`	`185`	`}`
`@@ -238,7 +238,7 @@ func TestContainerListStatsWithIdFilter(t *testing.T) {`
`238`	`238`	`if len(stats) != 1 {`
`239`	`239`	`return false, errors.New("unexpected stats length")`
`240`	`240`	`}`
`241`		`- if stats[0].GetWritableLayer().GetUsedBytes().GetValue() != 0 {`
	`241`	`+ if stats[0].GetWritableLayer().GetTimestamp() != 0 {`
`242`	`242`	`return true, nil`
`243`	`243`	`}`
`244`	`244`	`return false, nil`
`@@ -300,7 +300,7 @@ func TestContainerListStatsWithSandboxIdFilter(t *testing.T) {`
`300`	`300`
`301`	`301`	`for _, containerStats := range stats {`
`302`	`302`	`// Wait for stats on all containers, not just the first one in the list.`
`303`		`- if containerStats.GetWritableLayer().GetUsedBytes().GetValue() == 0 {`
	`303`	`+ if containerStats.GetWritableLayer().GetTimestamp() == 0 {`
`304`	`304`	`return false, nil`
`305`	`305`	`}`
`306`	`306`	`}`
`@@ -358,7 +358,7 @@ func TestContainerListStatsWithIdSandboxIdFilter(t *testing.T) {`
`358`	`358`	`if len(stats) != 1 {`
`359`	`359`	`return false, errors.New("unexpected stats length")`
`360`	`360`	`}`
`361`		`- if stats[0].GetWritableLayer().GetUsedBytes().GetValue() != 0 {`
	`361`	`+ if stats[0].GetWritableLayer().GetTimestamp() != 0 {`
`362`	`362`	`return true, nil`
`363`	`363`	`}`
`364`	`364`	`return false, nil`
`@@ -380,7 +380,7 @@ func TestContainerListStatsWithIdSandboxIdFilter(t *testing.T) {`
`380`	`380`	`if len(stats) != 1 {`
`381`	`381`	`return false, fmt.Errorf("expected only one stat, but got %v", stats)`
`382`	`382`	`}`
`383`		`- if stats[0].GetWritableLayer().GetUsedBytes().GetValue() != 0 {`
	`383`	`+ if stats[0].GetWritableLayer().GetTimestamp() != 0 {`
`384`	`384`	`return true, nil`
`385`	`385`	`}`
`386`	`386`	`return false, nil`
`@@ -410,7 +410,12 @@ func testStats(t *testing.T,`
`410`	`410`	`require.NotEmpty(t, s.GetMemory().GetWorkingSetBytes().GetValue())`
`411`	`411`	`require.NotEmpty(t, s.GetWritableLayer().GetTimestamp())`
`412`	`412`	`require.NotEmpty(t, s.GetWritableLayer().GetFsId().GetMountpoint())`
`413`		`- require.NotEmpty(t, s.GetWritableLayer().GetUsedBytes().GetValue())`
	`413`	`+`
	`414`	`+ // UsedBytes of a fresh container can be zero on Linux, depending on the backing filesystem.`
	`415`	`+ // https://github.com/containerd/containerd/issues/7909`
	`416`	`+ if goruntime.GOOS == "windows" {`
	`417`	`+ require.NotEmpty(t, s.GetWritableLayer().GetUsedBytes().GetValue())`
	`418`	`+ }`
`414`	`419`
`415`	`420`	`// Windows does not collect inodes stats.`
`416`	`421`	`if goruntime.GOOS != "windows" {`
Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ import (`
`25`	`25`	`)`
`26`	`26`
`27`	`27`	`func getOwnership(path string) (string, error) {`
`28`		`- hostCmd := fmt.Sprintf("stat -c %%U:%%G '%s'", path)`
	`28`	`+ hostCmd := fmt.Sprintf("stat -c %%u:%%g '%s'", path)`
`29`	`29`	`output, err := exec.Command("sh", "-c", hostCmd).CombinedOutput()`
`30`	`30`	`if err != nil {`
`31`	`31`	`return "", err`