Merge pull request #576 from ginglis13/critest-buildkite

Add critest as step to buildkite pipeline.

Author: ginglis13

.buildkite/pipeline.yml

@@ -108,3 +108,15 @@ steps:
       - make -C examples integ-test TEST_POOL=build_${BUILDKITE_BUILD_NUMBER}_example
     timeout_in_minutes: 10
 
+  - label: ":rotating_light: cri conformance tests"
+    agents:
+      queue: "${BUILDKITE_AGENT_META_DATA_QUEUE:-default}"
+      distro: "${BUILDKITE_AGENT_META_DATA_DISTRO}"
+      hostname: "${BUILDKITE_AGENT_META_DATA_HOSTNAME}"
+    env:
+      DOCKER_IMAGE_TAG: "$BUILDKITE_BUILD_NUMBER"
+      FICD_DM_VOLUME_GROUP: fcci-vg
+    command:
+      - make -C runtime critest FICD_DM_POOL=build_${BUILDKITE_BUILD_NUMBER}_critest
+    timeout_in_minutes: 10
+

runtime/Makefile

@@ -150,14 +150,20 @@ critest:
 		--volume /dev:/dev \
 		--volume /run/udev/control:/run/udev/control \
 		--volume $(CURDIR)/..:/src \
+		--volume $(CURDIR)/../examples/etc/containerd/firecracker-runtime.json:/etc/containerd/firecracker-runtime.json \
+		--volume $(CURDIR)/../tools/demo/fc-br0.interface:/etc/network/interfaces.d/fc-br0 \
+		--volume $(CURDIR)/logs:/var/log/firecracker-containerd-test \
+		--volume $(CURDIR)/../tools/critest:/src/runtime/critest \
 		--volume $(GO_CACHE_VOLUME_NAME):/go \
 		--env FICD_DM_VOLUME_GROUP=$(FICD_DM_VOLUME_GROUP) \
 		--env FICD_DM_POOL=$(FICD_DM_POOL) \
 		--env GOPROXY=direct \
 		--env GOSUMDB=off \
+      	--env ACK_GINKGO_DEPRECATIONS=1.16.5 \
 		--workdir="/src/runtime" \
 		$(FIRECRACKER_CONTAINERD_TEST_IMAGE):$(DOCKER_IMAGE_TAG) \
-		"critest -runtime-endpoint unix:///run/firecracker-containerd/containerd.sock"
+		"sleep 1 && critest -ginkgo.noColor -runtime-endpoint unix:///run/firecracker-containerd/containerd.sock | \
+		./critest/critest_diff.sh"
 
 clean:
 	- rm -f containerd-shim-aws-firecracker

tools/critest/critest_diff.sh

@@ -0,0 +1,36 @@
+#! /bin/bash
+#
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You may
+# not use this file except in compliance with the License. A copy of the
+# License is located at
+#
+# 	http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is distributed
+# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+# express or implied. See the License for the specific language governing
+# permissions and limitations under the License.
+
+
+# Create temporary critest output file
+critest_output="$(</dev/stdin)"
+critest_output_file="$(mktemp)"
+echo "$critest_output" >> "$critest_output_file"
+
+set -eu
+
+# Remove up until report summary
+sed -i -E '0,/^Summarizing [0-9][0-9]? Failure[s]?:$/d' "$critest_output_file" # Remove empty lines
+sed -i '/^$/d' "$critest_output_file"
+
+# Remove unnecessary error messages
+sed -i '/^\/.*[0-9]$/d' "$critest_output_file"
+sed -i '/^Ran [0-9][0-9] of [0-9][0-9] Specs in .*seconds$/d' "$critest_output_file"
+sed -i '/^--- FAIL: TestCRISuite.*$/d' "$critest_output_file"
+sed -i '/^FAIL.*$/d' "$critest_output_file"
+sed -i '/^Ran.*$/d' "$critest_output_file"
+
+# Diff expected vs. actual
+diff -y <(sort critest/expected_critest_output.out) <(sort "$critest_output_file")

tools/critest/expected_critest_output.out

@@ -0,0 +1,67 @@
+[Fail] [k8s.io] Security Context SeccompProfilePath [It] runtime should support an seccomp profile that blocks setting hostname with SYS_ADMIN 
+[Fail] [k8s.io] Security Context SeccompProfilePath [It] should support seccomp localhost/profile on the container 
+[Fail] [k8s.io] Container runtime should support adding volume and device [BeforeEach] runtime should support starting container with volume [Conformance] 
+[Fail] [k8s.io] Security Context bucket [It] runtime should support that ReadOnlyRootfs is false 
+[Fail] [k8s.io] PodSandbox runtime should support basic operations on PodSandbox [It] runtime should support running PodSandbox [Conformance] 
+[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support HostIpc is false 
+[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support ContainerPID 
+[Fail] [k8s.io] Security Context bucket [It] runtime should return error if RunAsGroup is set without RunAsUser 
+[Fail] [k8s.io] Security Context NoNewPrivs [BeforeEach] should allow privilege escalation when false 
+[Fail] [k8s.io] Networking runtime should support networking [It] runtime should support set hostname [Conformance] 
+[Fail] [k8s.io] Security Context bucket [It] runtime should support dropping ALL capabilities 
+[Fail] [k8s.io] Security Context bucket [It] runtime should support dropping capability 
+[Fail] [k8s.io] Security Context SeccompProfilePath docker/default [It] runtime should support setting hostname with docker/default seccomp profile and SYS_ADMIN 
+[Fail] [k8s.io] Security Context bucket [It] runtime should support ReadonlyPaths 
+[Fail] [k8s.io] Security Context bucket [It] runtime should support MaskedPaths 
+[Fail] [k8s.io] PodSandbox runtime should support basic operations on PodSandbox [It] runtime should support removing PodSandbox [Conformance] 
+[Fail] [k8s.io] Container Mount Propagation runtime should support mount propagation [BeforeEach] mount with 'rshared' should support propagation from host to container and vice versa 
+[Fail] [k8s.io] Security Context bucket [It] runtime should support that ReadOnlyRootfs is true 
+[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support HostPID 
+[Fail] [k8s.io] Security Context bucket [It] runtime should support RunAsUserName 
+[Fail] [k8s.io] Container runtime should support log [BeforeEach] runtime should support starting container with log [Conformance] 
+[Fail] [k8s.io] Container Mount Propagation runtime should support mount propagation [BeforeEach] mount with 'rslave' should support propagation from host to container 
+[Fail] [k8s.io] Security Context bucket [It] runtime should support SupplementalGroups 
+[Fail] [k8s.io] Security Context bucket [It] runtime should support Privileged is true 
+[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support HostNetwork is true 
+[Fail] [k8s.io] Security Context SeccompProfilePath [It] runtime should not support a custom seccomp profile without using localhost/ as a prefix 
+[Fail] [k8s.io] Security Context SeccompProfilePath [It] runtime should ignore a seccomp profile that blocks setting hostname when privileged 
+[Fail] [k8s.io] Streaming runtime should support streaming interfaces [It] runtime should support exec with tty=false and stdin=false [Conformance] 
+[Fail] [k8s.io] Multiple Containers [Conformance] when running multiple containers in a pod [BeforeEach] should support network 
+[Fail] [k8s.io] Container runtime should support basic operations on container [BeforeEach] runtime should support stopping container [Conformance] 
+[Fail] [k8s.io] Multiple Containers [Conformance] when running multiple containers in a pod [BeforeEach] should support container exec 
+[Fail] [k8s.io] Security Context NoNewPrivs [BeforeEach] should not allow privilege escalation when true 
+[Fail] [k8s.io] Container runtime should support basic operations on container [BeforeEach] runtime should support execSync [Conformance] 
+[Fail] [k8s.io] Container runtime should support basic operations on container [BeforeEach] runtime should support execSync with timeout [Conformance] 
+[Fail] [k8s.io] Streaming runtime should support streaming interfaces [It] runtime should support attach [Conformance] 
+[Fail] [k8s.io] Container runtime should support basic operations on container [BeforeEach] runtime should support starting container [Conformance] 
+[Fail] [k8s.io] Security Context SeccompProfilePath [It] runtime should not block setting host name with unconfined seccomp and SYS_ADMIN 
+[Fail] [k8s.io] PodSandbox runtime should support sysctls [It] should support unsafe sysctls 
+[Fail] [k8s.io] PodSandbox runtime should support basic operations on PodSandbox [It] runtime should support stopping PodSandbox [Conformance] 
+[Fail] [k8s.io] Streaming runtime should support streaming interfaces [It] runtime should support exec with tty=true and stdin=true [Conformance] 
+[Fail] [k8s.io] Security Context SeccompProfilePath docker/default [It] runtime should block sethostname with docker/default seccomp profile and no extra caps 
+[Fail] [k8s.io] Security Context SeccompProfilePath docker/default [It] should support seccomp docker/default on the container 
+[Fail] [k8s.io] Networking runtime should support networking [It] runtime should support DNS config [Conformance] 
+[Fail] [k8s.io] Security Context bucket [It] runtime should support RunAsUser 
+[Fail] [k8s.io] Container runtime should support log [BeforeEach] runtime should support reopening container log [Conformance] 
+[Fail] [k8s.io] Container runtime should support adding volume and device [BeforeEach] runtime should support starting container with volume when host path is a symlink [Conformance] 
+[Fail] [k8s.io] Security Context bucket [It] runtime should support adding capability 
+[Fail] [k8s.io] Multiple Containers [Conformance] when running multiple containers in a pod [BeforeEach] should support container log 
+[Fail] [k8s.io] Streaming runtime should support streaming interfaces [It] runtime should support portforward [Conformance] 
+[Fail] [k8s.io] Container Mount Propagation runtime should support mount propagation [BeforeEach] mount with 'rprivate' should not support propagation 
+[Fail] [k8s.io] Container runtime should support basic operations on container [BeforeEach] runtime should support creating container [Conformance] 
+[Fail] [k8s.io] Container runtime should support basic operations on container [BeforeEach] runtime should support removing running container [Conformance] 
+[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support PodPID 
+[Fail] [k8s.io] Container runtime should support basic operations on container [BeforeEach] runtime should support listing container stats [Conformance] 
+[Fail] [k8s.io] Networking runtime should support networking [It] runtime should support port mapping with host port and container port [Conformance] 
+[Fail] [k8s.io] Security Context bucket [It] runtime should support RunAsGroup 
+[Fail] [k8s.io] Security Context SeccompProfilePath [It] should support seccomp unconfined on the container 
+[Fail] [k8s.io] PodSandbox runtime should support sysctls [It] should support safe sysctls 
+[Fail] [k8s.io] Security Context bucket [It] runtime should support adding ALL capabilities 
+[Fail] [k8s.io] Security Context SeccompProfilePath [It] should support seccomp default which is unconfined on the container 
+[Fail] [k8s.io] Container runtime should support basic operations on container [BeforeEach] runtime should support removing stopped container [Conformance] 
+[Fail] [k8s.io] Security Context bucket [It] runtime should support Privileged is false 
+[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support HostIpc is true 
+[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support HostNetwork is false 
+[Fail] [k8s.io] Streaming runtime should support streaming interfaces [It] runtime should support portforward in host network 
+[Fail] [k8s.io] Networking runtime should support networking [It] runtime should support port mapping with only container port [Conformance] 
+[Fail] [k8s.io] Container runtime should support basic operations on container [BeforeEach] runtime should support removing created container [Conformance] 

tools/demo/fcnet.conflist

@@ -1,5 +1,5 @@
 {
-  "cniVersion": "0.4.0",
+  "cniVersion": "1.0.0",
   "name": "fcnet",
   "plugins": [
     {
@@ -21,6 +21,9 @@
     },
     {
       "type": "tc-redirect-tap"
+    },
+    {
+      "type": "loopback"
     }
   ]
 }

tools/docker/Dockerfile.integ-test

@@ -34,8 +34,7 @@ RUN mkdir -p \
 # installs so we can minimize re-runs of the time-expensive downloading of images.
 COPY tools/docker/config.toml /etc/containerd/config.toml
 COPY tools/docker/do_not_edit_for_firecracker-control.config.json /etc/containerd/firecracker-runtime.json
-COPY tools/docker/critest/10-mynet.conf /etc/cni/net.d
-COPY tools/docker/critest/99-loopback.conf /etc/cni/net.d
+COPY tools/demo/fcnet.conflist /etc/cni/net.d/10-fcnet.conflist
 
 RUN --mount=type=bind,source=firecracker-control/cmd/containerd,target=/src \
   make -C /src install && \

tools/docker/critest/10-mynet.conf

@@ -23,38 +23,17 @@ EOF
 cat > /etc/containerd/cri/criconfig.toml <<EOF
 version = 2
 [plugins]
-  # The 'plugins."io.containerd.grpc.v1.cri"' table contains all of the server options.
   [plugins."io.containerd.grpc.v1.cri"]
- 
-    # 'plugins."io.containerd.grpc.v1.cri".containerd' contains config related to containerd
     [plugins."io.containerd.grpc.v1.cri".containerd]
-
-      # snapshotter is the snapshotter used by containerd.
       snapshotter = "devmapper"
-
-      # default_runtime_name is the default runtime name to use.
       default_runtime_name = "containerd-shim-aws-firecracker"
 
-      # 'plugins."io.containerd.grpc.v1.cri".containerd.runtimes' is a map from CRI RuntimeHandler strings, which specify types
-      # of runtime configurations, to the matching configurations.
-      # In this example, 'runc' is the RuntimeHandler string to match.
       [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.containerd-shim-aws-firecracker]
-        # runtime_type is the runtime type to use in containerd.
-        # The default value is "io.containerd.runc.v2" since containerd 1.4.
-        # The default value was "io.containerd.runc.v1" in containerd 1.3, "io.containerd.runtime.v1.linux" in prior releases.
         runtime_type = "aws.firecracker"
-
-
-        # conf_dir is the directory in which the admin places a CNI conf.
-        # this allows a different CNI conf for the network stack when a different runtime is being used.
         cni_conf_dir = "/etc/cni/net.d"
 
-    # 'plugins."io.containerd.grpc.v1.cri".cni' contains config related to cni
     [plugins."io.containerd.grpc.v1.cri".cni]
-      # bin_dir is the directory in which the binaries for the plugin is kept.
       bin_dir = "/opt/cni/bin"
-
-      # conf_dir is the directory in which the admin places a CNI conf.
       conf_dir = "/etc/cni/net.d"
 
 [debug]