Skip to content
This repository has been archived by the owner on Jun 28, 2024. It is now read-only.

Commit

Permalink
test:cri: Add guest AppArmor support
Browse files Browse the repository at this point in the history
Add a test case which check whether AppArmor inside the guest
works properly using containerd.

The test creates a container configured to apply the `kata-default`
profile, then it checks the container process is running with the
profile enforced.

Fixes: #5748
Depends-on: github.com/kata-containers/kata-containers#7587

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
  • Loading branch information
ManaSugi committed Aug 20, 2023
1 parent de2c828 commit de43901
Showing 1 changed file with 80 additions and 0 deletions.
80 changes: 80 additions & 0 deletions integration/containerd/cri/integration-tests.sh
Original file line number Diff line number Diff line change
Expand Up @@ -431,6 +431,84 @@ EOF
create_containerd_config "${containerd_runtime_test}"
}

build_install_apparmor_image() {
info "Build AppArmor guest image"
local rootfs_builder_dir="${katacontainers_repo_dir}/tools/osbuilder/rootfs-builder"
pushd "$rootfs_builder_dir"
sudo -E AGENT_INIT=no APPARMOR=yes USE_DOCKER=yes ./rootfs.sh ubuntu
popd

info "Install AppArmor guest image"
local rootfs_dir="${rootfs_builder_dir}/rootfs"
local image_builder_dir="${katacontainers_repo_dir}/tools/osbuilder/image-builder"
pushd "${image_builder_dir}"
sudo -E AGENT_INIT=no USE_DOCKER=yes ./image_builder.sh "${rootfs_dir}"
popd
apparmor_image="/opt/kata/share/kata-containers/kata-containers-apparmor.img"
sudo install -o root -g root -m 0640 -D "${image_builder_dir}/kata-containers.img" "${apparmor_image}"
}

TestContainerGuestApparmor() {
info "Test container guest AppArmor"

build_install_apparmor_image

original_image=$(sudo sed -n 's/^image = \(.*\)/\1/p' ${kata_config})
sudo sed -i "/image =/c image = "\"${apparmor_image}\""" "${kata_config}"
sudo sed -i '/^disable_guest_apparmor/ s/true/false/g' "${kata_config}"
sudo sed -i 's/^#\(debug_console_enabled\).*=.*$/\1 = true/g' "${kata_config}"

local container_yaml="${REPORT_DIR}/container.yaml"
local image="busybox:latest"
cat << EOF > "${container_yaml}"
metadata:
name: busybox-apparmor
image:
image: "$image"
command:
- top
EOF

testContainerStart 1

info "check kata-runtime exec"
aa_status=$(expect -c "
spawn -noecho kata-runtime exec $podid
expect "root@localhost:/#"
send \"aa-status\n\"
expect "root@localhost:/#"
send \"exit\n\"
expect eof
")
echo "aa-status results:"
echo "${aa_status}"
ret=$(echo "$aa_status" | grep "/pause.*kata-default" || true)
[ -n "$ret" ] || die "not found /pause kata-default profile"
ret=$(echo "$aa_status" | grep "/bin/top.*kata-default" || true)
[ -n "$ret" ] || die "not found /bin/top kata-default profile"
info "check crictl exec"
sudo -E crictl exec $cid sleep 10 &
aa_status=$(expect -c "
spawn -noecho kata-runtime exec $podid
expect "root@localhost:/#"
send \"aa-status\n\"
expect "root@localhost:/#"
send \"exit\n\"
expect eof
")
echo "aa-status results:"
echo "${aa_status}"
ret=$(echo "$aa_status" | grep "/bin/sleep.*kata-default" || true)
[ -n "$ret" ] || die "not found /bin/sleep kata-default profile"
testContainerStop
sudo sed -i '/^disable_guest_apparmor/ s/false/true/g' "${kata_config}"
sudo sed -i "/image =/c image = "\"${original_image}\""" "$kata_config"
}
# k8s may restart docker which will impact on containerd stop
stop_containerd() {
local tmp=$(pgrep kubelet || true)
Expand Down Expand Up @@ -509,6 +587,8 @@ main() {
TestContainerMemoryUpdate 0
fi
TestContainerGuestApparmor
TestKilledVmmCleanup
popd
Expand Down

0 comments on commit de43901

Please sign in to comment.