Skip to content
This repository has been archived by the owner on Jun 28, 2024. It is now read-only.

Commit

Permalink
test:cri: Add guest AppArmor support
Browse files Browse the repository at this point in the history
Add a test case which check whether AppArmor inside the guest
works properly using containerd.

The test creates a container configured to apply the `kata-default`
profile, then it checks the container process is running with the
profile enforced.

Fixes: #5748
Depends-on: github.com/kata-containers/kata-containers#7587

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
  • Loading branch information
ManaSugi committed Aug 22, 2023
1 parent de2c828 commit 542a587
Show file tree
Hide file tree
Showing 3 changed files with 95 additions and 1 deletion.
3 changes: 3 additions & 0 deletions .ci/install_kata_image.sh
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,9 @@ source "${cidir}/lib.sh"
main() {
build_static_artifact_and_install "rootfs-image"
build_static_artifact_and_install "rootfs-initrd"

# Build and install an image for the guest AppArmor
build_install_apparmor_image
}

main
19 changes: 19 additions & 0 deletions .ci/lib.sh
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ fi
export KATA_KSM_THROTTLER=${KATA_KSM_THROTTLER:-no}
export KATA_QEMU_DESTDIR=${KATA_QEMU_DESTDIR:-"/usr"}
export KATA_ETC_CONFIG_PATH="/etc/kata-containers/configuration.toml"
export KATA_APPARMOR_IMAGE="/opt/kata/share/kata-containers/kata-containers-apparmor.img"

export katacontainers_repo=${katacontainers_repo:="github.com/kata-containers/kata-containers"}
export katacontainers_repo_git="https://${katacontainers_repo}.git"
Expand Down Expand Up @@ -180,6 +181,24 @@ function build_static_artifact_and_install() {
popd >/dev/null
}

build_install_apparmor_image() {
USE_DOCKER=${USE_DOCKER:-"true"}

info "Build AppArmor guest image"
local rootfs_builder_dir="${katacontainers_repo_dir}/tools/osbuilder/rootfs-builder"
local rootfs_dir="${rootfs_builder_dir}/rootfs-apparmor"
pushd "$rootfs_builder_dir" >/dev/null
sudo -E AGENT_INIT=no APPARMOR=yes USE_DOCKER="${USE_DOCKER}" ./rootfs.sh -r "${rootfs_dir}" ubuntu
popd >/dev/null

info "Install AppArmor guest image"
local image_builder_dir="${katacontainers_repo_dir}/tools/osbuilder/image-builder"
pushd "${image_builder_dir}" >/dev/null
sudo -E AGENT_INIT=no USE_DOCKER="${USE_DOCKER}" ./image_builder.sh "${rootfs_dir}"
popd >/dev/null
sudo install -o root -g root -m 0640 -D "${image_builder_dir}/kata-containers.img" "${KATA_APPARMOR_IMAGE}"
}

function get_dep_from_yaml_db(){
local versions_file="$1"
local dependency="$2"
Expand Down
74 changes: 73 additions & 1 deletion integration/containerd/cri/integration-tests.sh
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@ source "${SCRIPT_PATH}/../../../.ci/lib.sh"
# runc is installed in /usr/local/sbin/ add that path
export PATH="$PATH:/usr/local/sbin"

TEST_INITRD="${TEST_INITRD:-no}"

containerd_tarball_version=$(get_version "externals.containerd.version")

# Runtime to be used for testing
Expand Down Expand Up @@ -97,7 +99,7 @@ ci_cleanup() {
fi

[ -f "$kata_config_backup" ] && sudo mv "$kata_config_backup" "$kata_config" || \
sudo rm "$kata_config"
sudo rm "$kata_config" || true
}

create_containerd_config() {
Expand Down Expand Up @@ -431,6 +433,74 @@ EOF
create_containerd_config "${containerd_runtime_test}"
}

TestContainerGuestApparmor() {
info "Test container guest AppArmor"

if [[ "${TEST_INITRD}" == "yes" ]]; then
info "Skip the test because the guest AppArmor doesn't work with the agent init"
return
fi
if [ ! -e "${KATA_APPARMOR_IMAGE}" ]; then
info "Skip the test becasue the guest AppArmor image doesn't exist"
return
fi

# Set the guest AppArmor rootfs image because the guest AppArmor doesn't work with the agent init.
sudo sed -i "/^image =/c image = "\"${KATA_APPARMOR_IMAGE}\""" "${kata_config}"
# Enable the guest AppArmor.
sudo sed -i '/^disable_guest_apparmor/ s/true/false/g' "${kata_config}"
sudo sed -i 's/^#\(debug_console_enabled\).*=.*$/\1 = true/g' "${kata_config}"

local container_yaml="${REPORT_DIR}/container.yaml"
local image="busybox:latest"
cat << EOF > "${container_yaml}"
metadata:
name: busybox-apparmor
image:
image: "$image"
command:
- top
EOF

info "Check the AppArmor profile is applied to the container executed by crictl start"
testContainerStart 1
aa_status=$(expect -c "
spawn -noecho kata-runtime exec $podid
expect "root@localhost:/#"
send \"aa-status\n\"
expect "root@localhost:/#"
send \"exit\n\"
expect eof
")
echo "aa-status results:"
echo "${aa_status}"
ret=$(echo "$aa_status" | grep "/bin/top.*kata-default" || true)
[ -n "$ret" ] || die "not found /bin/top kata-default profile"
info "Check the AppArmor profile is applied to the process executed by crictl exec"
sudo -E crictl exec $cid sleep 10 &
# sleep for 1s to make sure the exec process started.
sleep 1
aa_status=$(expect -c "
spawn -noecho kata-runtime exec $podid
expect "root@localhost:/#"
send \"aa-status\n\"
expect "root@localhost:/#"
send \"exit\n\"
expect eof
")
echo "aa-status results:"
echo "${aa_status}"
ret=$(echo "$aa_status" | grep "/bin/sleep.*kata-default" || true)
[ -n "$ret" ] || die "not found /bin/sleep kata-default profile"
testContainerStop
# Reset the Kata configuration file.
sudo rm "${kata_config}"
ci_config
}
# k8s may restart docker which will impact on containerd stop
stop_containerd() {
local tmp=$(pgrep kubelet || true)
Expand Down Expand Up @@ -509,6 +579,8 @@ main() {
TestContainerMemoryUpdate 0
fi
TestContainerGuestApparmor
TestKilledVmmCleanup
popd
Expand Down

0 comments on commit 542a587

Please sign in to comment.