Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add ns_itype test #389

Merged
merged 4 commits into from
Oct 21, 2021
Merged

Add ns_itype test #389

merged 4 commits into from
Oct 21, 2021

Conversation

YJDoc2
Copy link
Collaborator

@YJDoc2 YJDoc2 commented Oct 16, 2021

Setup ns_itype test, but I'm not sure if this is set correctly or not :
The original test seem to do things in complecated ways, so I'm worried that I might have missed something.
https://github.com/opencontainers/runtime-tools/blob/master/validation/linux_ns_itype/linux_ns_itype.go#L58 here, it loops through the namespaces, which are defined https://github.com/opencontainers/runtime-tools/blob/master/validation/util/linux_namespace.go here ; and then removes them from the default spec, https://github.com/opencontainers/runtime-tools/blob/master/validation/linux_ns_itype/linux_ns_itype.go#L70 here. But this essentially removes all namespaces from the spec. so in my implementation, I have used the builder with empty vec to remove all namespaces. Then using procfs, I have directly compared the namespace inodes of host and container.
Is it correct? @utam0k @yihuaf can you please take a look?

@YJDoc2 YJDoc2 requested review from utam0k and yihuaf October 16, 2021 05:46
@YJDoc2
Copy link
Collaborator Author

YJDoc2 commented Oct 16, 2021

Currently I have left a few extra comments and commented code, If this is correct, I'll fix that in another commit, I have opened this PR because I wasn't sure if the current implementation is correct or not.

@codecov-commenter
Copy link

codecov-commenter commented Oct 16, 2021

Codecov Report

Merging #389 (cf260fe) into main (9ed52d9) will decrease coverage by 0.02%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main     #389      +/-   ##
==========================================
- Coverage   76.59%   76.56%   -0.03%     
==========================================
  Files          52       52              
  Lines        8458     8458              
==========================================
- Hits         6478     6476       -2     
- Misses       1980     1982       +2     

Copy link
Collaborator

@yihuaf yihuaf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not clear on what do you mean by "The original test seem to do things in complecated ways". I think you have the right idea, but the namespace inode verification part of the code is not complete/comment out, so I can't be 100% sure.

You may be able to use procfs crate to easily find namespace inode. I think the original test tries to read the inode directly by looking at the /proc/. If procfs crate can hide these complexity for you then you are good.

The idea here is that oci runtime will bind each of the namespace in procfs. Take pid namespace for example, the namespace of the container process is bind to /proc/<pid>/ns/pid. If the container process inherits the host namespace, then /proc/<container process pid>/ns/pid inode should be the same as the /proc/<host pid>/ns/pid.

youki_integration_test/Cargo.toml Outdated Show resolved Hide resolved
@YJDoc2
Copy link
Collaborator Author

YJDoc2 commented Oct 16, 2021

Actually I went over original implementation once again, and now I feel my original statement does not make sense, so ignore that part 😅

I am not clear on what do you mean by "The original test seem to do things in complecated ways".

The test in current stage does the verification : instead of storing the inode separately in hashmap, it just takes the complete namespace structure of host returned by procfs (line 42), and compares that to the container's (lines 60 and 68). that way we don't have to manually compare each individual namespace separately.

I think you have the right idea, but the namespace inode verification part of the code is not complete/comment out, so I can't be 100% sure

Yes that's the exact reason I used procfs crate, as it does the reading of /proc/* read-link and finding inode value.

You may be able to use procfs crate to easily find namespace inode. I think the original test tries to read the inode directly by looking at the /proc/. If procfs crate can hide these complexity for you then you are good.

@yihuaf
Copy link
Collaborator

yihuaf commented Oct 16, 2021

Super. Looking forward to the final PR :)

@Furisto
Copy link
Collaborator

Furisto commented Oct 16, 2021

Just fyi, the correct way to compare namespaces is with inode and device id, but the eq implementation of procfs namespace does that already for you, so you are fine.

@YJDoc2
Copy link
Collaborator Author

YJDoc2 commented Oct 17, 2021

Ohh, I originally compared only by inode before changing it to direct comparison of HashMaps 😅 Thanks for the info!

@YJDoc2 YJDoc2 changed the title [WIP] Add ns_itype test Add ns_itype test Oct 17, 2021
@utam0k
Copy link
Collaborator

utam0k commented Oct 17, 2021

Great!! How about making sure that unwrap comes with the appropriate error message?

@YJDoc2
Copy link
Collaborator Author

YJDoc2 commented Oct 17, 2021

Hey, @Furisto has added some great context info instead of unwraps, as well as added some helper function for dealing with the output of test_outside_container in PR #391 . I am reviewing it right now, and it seems it'd be better to merge that before this, and then I fix conflicts that will occur, as well as update. Then we can merge this PR.

@YJDoc2
Copy link
Collaborator Author

YJDoc2 commented Oct 19, 2021

Hey, so I'll make this a draft again, incorporate changes from #391 ,and then open again for review.

@YJDoc2 YJDoc2 changed the title Add ns_itype test [WIP] Add ns_itype test Oct 19, 2021
@YJDoc2 YJDoc2 marked this pull request as draft October 19, 2021 11:34
@YJDoc2 YJDoc2 marked this pull request as ready for review October 20, 2021 15:40
@YJDoc2 YJDoc2 changed the title [WIP] Add ns_itype test Add ns_itype test Oct 20, 2021
@YJDoc2
Copy link
Collaborator Author

YJDoc2 commented Oct 20, 2021

@utam0k @yihuaf Please take a look

Copy link
Collaborator

@yihuaf yihuaf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Nit: all error message should be lower case and no period at the end.

@YJDoc2
Copy link
Collaborator Author

YJDoc2 commented Oct 21, 2021

Thanks @yihuaf , fixed all capital cases, I don't think I had a period at any error end, please check now.

@yihuaf yihuaf merged commit 17135d8 into youki-dev:main Oct 21, 2021
@YJDoc2 YJDoc2 deleted the ns_itype branch November 2, 2021 04:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants