-
Notifications
You must be signed in to change notification settings - Fork 144
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Split runtime validate #391
Conversation
2bf25f7
to
ae33d7b
Compare
On Fri, Jun 09, 2017 at 01:03:08AM -0700, Ma Shimiao wrote:
* add error catch
This seems like an orthogonal, easy-to-review change. Maybe split it
out into its own PR so it can get in more quickly than the other
commit in this PR (which is a bit more complicated ;)?
|
validation/validation_test.go
Outdated
if err != nil { | ||
t.Errorf("%s failed validation: %v", runtime, err) | ||
} | ||
g.SetProcessArgs([]string{"sleep", "50"}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why are we setting this at all, since sleep
may not exist inside the container? process
is optional (since opencontainers/runtime-spec#701), so I'd rather just unset process
completely and call create
(but never start
) during these outer tests.
ae33d7b
to
a259dda
Compare
On 06/15/2017 01:05 AM, W. Trevor King wrote:
Why are we setting this at all, since |sleep| may not exist inside the container? |process| is optional <https://github.com/opencontainers/runtime-spec/blob/b5017e22ec9592d9e4935812fdce8f9a6b71a365/config.md#process> (since opencontainers/runtime-spec#701 <opencontainers/runtime-spec#701>), so I'd rather just unset |process| completely and call |create| (but never |start|) during these outer tests.
Currently, it seems a good idea, so updated.
|
ping @opencontainers/runtime-tools-maintainers |
validation/validation_test.go
Outdated
if err != nil { | ||
return err | ||
} | ||
// defer os.RemoveAll(bundleDir) | ||
|
||
// TODO: Use a library to split run into create/start | ||
// Launch the OCI runtime |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're using create
below, so this comment is stale here. You will want to run kill
and delete
to clean up though.
a259dda
to
9ee5be2
Compare
9ee5be2
to
0d93e18
Compare
Rebased, PTAL |
0d93e18
to
ddef754
Compare
I like this change. It makes lifecycle testing easier. |
validation/validation_test.go
Outdated
if err != nil { | ||
return err | ||
} | ||
defer os.RemoveAll(tmpDir) | ||
// defer os.RemoveAll(bundleDir) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm guessing this change was for local testing, and that we want to restore the deferred removal before this PR lands?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah... yes, this is a mistake
bundleDir := tmpDir + "/busybox" | ||
if err := os.MkdirAll(bundleDir, 0755); err != nil { | ||
// Copy the runtimetest binary to the rootfs | ||
err = fileutils.CopyFile("../runtimetest", filepath.Join(rootfsDir, "runtimetest")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this actually work? My local build of runtimetest
is dynamically linked:
$ lddtree runtimetest
runtimetest (interpreter => /lib64/ld-linux-x86-64.so.2)
libpthread.so.0 => /lib64/libpthread.so.0
libc.so.6 => /lib64/libc.so.6
and neither that linker nor those libraries aren't part of our Busybox rootfs
. For example, here is the statically-linked Busybox working fine in a chroot based on that rootfs
:
$ unshare -rUmfp --mount-proc sh -c 'mount --rbind /proc proc && chroot . sh -c "pwd && ls"'
/
bin etc proc runtimetest
And here is runtimetest
failing to launch in the same situation:
$ unshare -rUmfp --mount-proc sh -c 'mount --rbind /proc proc && chroot . /runtimetest'
chroot: failed to run command ‘/runtimetest’: No such file or directory
I expect we're going to need to either compile runtimetest
as a static binary (#442), copy the linker and required libraries into rootfs
, or use busybox
for our internal tests.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we need #442 merged first
ddef754
to
18b08d4
Compare
Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
18b08d4
to
2010c81
Compare
Hi @Mashimiao, For example, we can add TestCreate function. In this function, we provides testing cases to cover
I used to add test like this: |
I think this PR is obsolete, or at least in need of a fairly involved rebase, now that #447 has landed. |
If we want to totally validate a runtime, we do not only need to check container inside environment but also outside settings like cgroup, label, lifecycle. So I split runtimevalidate into to parts: inside and outside.
The following is an example output:
`# make localvalidation
RUNTIME=runc go test -tags "" -v github.com/opencontainers/runtime-tools/validation
=== RUN TestValidateRuntimeInside
TAP version 13
ok 1 - root filesystem
ok 2 - hostname
not ok 3 - mounts
not ok 4 - capabilities
ok 5 - default symlinks
ok 6 - default devices
ok 7 - linux devices
ok 8 - linux process
ok 9 - masked paths
ok 10 - oom score adj
ok 11 - read only paths
ok 12 - rlimits
ok 13 - sysctls
ok 14 - uid mappings
ok 15 - gid mappings
1..15
2 errors occurred:
--- FAIL: TestValidateRuntimeInside (0.27s)
validation_test.go:42: runc failed validation: exit status 1
=== RUN TestValidateRuntimeOutside
TAP version 13
ok 1 - labels
1..1
--- PASS: TestValidateRuntimeOutside (0.08s)
FAIL
exit status 1
FAIL github.com/opencontainers/runtime-tools/validation 0.350s
Makefile:40: recipe for target 'localvalidation' failed
make: *** [localvalidation] Error 1
`