From de43901d8ba5984eac9d88a051cfd53ef793dbef Mon Sep 17 00:00:00 2001
From: Manabu Sugimoto
Date: Fri, 18 Aug 2023 16:43:44 +0900
Subject: [PATCH] test:cri: Add guest AppArmor support

Add a test case which check whether AppArmor inside the guest works properly using containerd. The test creates a container configured to apply the `kata-default` profile, then it checks the container process is running with the profile enforced.

Fixes: #5748
Depends-on: github.com/kata-containers/kata-containers#7587
Signed-off-by: Manabu Sugimoto
---
 .../containerd/cri/integration-tests.sh | 80 +++++++++++++++++++
 1 file changed, 80 insertions(+)

diff --git a/integration/containerd/cri/integration-tests.sh b/integration/containerd/cri/integration-tests.sh
index c29eea2e9..1b9b9c0c5 100755
--- a/integration/containerd/cri/integration-tests.sh
+++ b/integration/containerd/cri/integration-tests.sh
@@ -431,6 +431,84 @@ EOF
 	create_containerd_config "${containerd_runtime_test}"
 }
 
+build_install_apparmor_image() {
+	info "Build AppArmor guest image"
+	local rootfs_builder_dir="${katacontainers_repo_dir}/tools/osbuilder/rootfs-builder"
+	pushd "$rootfs_builder_dir"
+	sudo -E AGENT_INIT=no APPARMOR=yes USE_DOCKER=yes ./rootfs.sh ubuntu
+	popd
+
+	info "Install AppArmor guest image"
+	local rootfs_dir="${rootfs_builder_dir}/rootfs"
+	local image_builder_dir="${katacontainers_repo_dir}/tools/osbuilder/image-builder"
+	pushd "${image_builder_dir}"
+	sudo -E AGENT_INIT=no USE_DOCKER=yes ./image_builder.sh "${rootfs_dir}"
+	popd
+	apparmor_image="/opt/kata/share/kata-containers/kata-containers-apparmor.img"
+	sudo install -o root -g root -m 0640 -D "${image_builder_dir}/kata-containers.img" "${apparmor_image}"
+}
+
+TestContainerGuestApparmor() {
+	info "Test container guest AppArmor"
+
+	build_install_apparmor_image
+
+	original_image=$(sudo sed -n 's/^image = \(.*\)/\1/p' ${kata_config})
+	sudo sed -i "/image =/c image = "\"${apparmor_image}\""" "${kata_config}"
+	sudo sed -i '/^disable_guest_apparmor/ s/true/false/g' "${kata_config}"
+	sudo sed -i 's/^#\(debug_console_enabled\).*=.*$/\1 = true/g' "${kata_config}"
+
+	local container_yaml="${REPORT_DIR}/container.yaml"
+	local image="busybox:latest"
+	cat << EOF > "${container_yaml}"
+metadata:
+  name: busybox-apparmor
+image:
+  image: "$image"
+command:
+- top
+EOF
+
+	testContainerStart 1
+
+	info "check kata-runtime exec"
+	aa_status=$(expect -c "
+	spawn -noecho kata-runtime exec $podid
+	expect "root@localhost:/#"
+	send \"aa-status\n\"
+	expect "root@localhost:/#"
+	send \"exit\n\"
+	expect eof
+	")
+	echo "aa-status results:"
+	echo "${aa_status}"
+	ret=$(echo "$aa_status" | grep "/pause.*kata-default" || true)
+	[ -n "$ret" ] || die "not found /pause kata-default profile"
+	ret=$(echo "$aa_status" | grep "/bin/top.*kata-default" || true)
+	[ -n "$ret" ] || die "not found /bin/top kata-default profile"
+
+	info "check crictl exec"
+	sudo -E crictl exec $cid sleep 10 &
+
+	aa_status=$(expect -c "
+	spawn -noecho kata-runtime exec $podid
+	expect "root@localhost:/#"
+	send \"aa-status\n\"
+	expect "root@localhost:/#"
+	send \"exit\n\"
+	expect eof
+	")
+	echo "aa-status results:"
+	echo "${aa_status}"
+	ret=$(echo "$aa_status" | grep "/bin/sleep.*kata-default" || true)
+	[ -n "$ret" ] || die "not found /bin/sleep kata-default profile"
+
+	testContainerStop
+
+	sudo sed -i '/^disable_guest_apparmor/ s/false/true/g' "${kata_config}"
+	sudo sed -i "/image =/c image = "\"${original_image}\""" "$kata_config"
+}
+
 # k8s may restart docker which will impact on containerd stop
 stop_containerd() {
 	local tmp=$(pgrep kubelet || true)
@@ -509,6 +587,8 @@ main() {
 		TestContainerMemoryUpdate 0
 	fi
 
+	TestContainerGuestApparmor
+
 	TestKilledVmmCleanup
 
 	popd
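Review bot: The config rollback at the end of `TestContainerGuestApparmor` is incomplete and is skipped on failure: `debug_console_enabled = true` is never reverted, so every later test on this host runs guests with the debug console exposed, and the two restoring `sed -i` lines only execute if none of the `die` calls above them fire. The `image =` restore also looks wrong: `original_image` is captured with the TOML quotes still around the path and the `c` text wraps it in a second pair, so the restored line would read `image = ""/opt/…""` (assuming the config quotes the path, as TOML requires), which breaks the tests that follow. Backing the file up before the edits and restoring it from an EXIT trap fixes all three; a sketch follows. Separately, `expect "root@localhost:/#"` inside the `expect -c "..."` string only works because the unescaped quotes close and reopen the shell string around a word without spaces — escape them like the `send` lines, `expect \"root@localhost:/#\"`, so the pattern is quoted on the Tcl side as intended. `$cid` and `$podid` come from `testContainerStart`, which is outside this hunk.
```shell
TestContainerGuestApparmor() {
	info "Test container guest AppArmor"

	build_install_apparmor_image

	# Snapshot the runtime config and put it back on every exit path,
	# including a `die` in the checks below (hook into the script's
	# existing cleanup instead if it already installs an EXIT trap).
	local config_backup="${kata_config}.apparmor-test.bak"
	sudo cp -p "${kata_config}" "${config_backup}"
	trap "sudo mv -f '${config_backup}' '${kata_config}'" EXIT

	# … unchanged: sed edits of image / disable_guest_apparmor / debug_console_enabled,
	# container yaml, testContainerStart, aa-status checks …

	testContainerStop

	# Success path: restore now and drop the trap; the `original_image`
	# capture and the two restoring `sed -i` lines are no longer needed.
	sudo mv -f "${config_backup}" "${kata_config}"
	trap - EXIT
}
```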
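Review bot: `TestContainerGuestApparmor` is added to `main()` unconditionally, while the call just above it sits under an `if` whose condition is outside this hunk; the new test rebuilds a guest rootfs and image with `USE_DOCKER=yes` and rewrites the runtime config, so a host without docker, the osbuilder tree or an AppArmor-capable guest kernel will fail the whole suite rather than skip this case. Consider gating it the way the neighbouring tests are gated (an opt-in variable, or a presence check for the osbuilder directory and docker), or at least a one-line comment above the call naming those host prerequisites. `main()` starts and ends outside this hunk.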