Split runtime validate #391
Conversation
Mashimiao
force-pushed
the
split-runtime-validate
branch
from
2bf25f7 to
ae33d7b
Compare
|
On Fri, Jun 09, 2017 at 01:03:08AM -0700, Ma Shimiao wrote:
* add error catch
This seems like an orthogonal, easy-to-review change. Maybe split it
out into its own PR so it can get in more quickly than the other
commit in this PR (which is a bit more complicated ;)?
|
validation/validation_test.go
Outdated
| if err != nil { | ||
| t.Errorf("%s failed validation: %v", runtime, err) | ||
| } | ||
| g.SetProcessArgs([]string{"sleep", "50"}) |
There was a problem hiding this comment.
Why are we setting this at all, since sleep may not exist inside the container? process is optional (since opencontainers/runtime-spec#701), so I'd rather just unset process completely and call create (but never start) during these outer tests.
Mashimiao
force-pushed
the
split-runtime-validate
branch
from
ae33d7b to
a259dda
Compare
|
On 06/15/2017 01:05 AM, W. Trevor King wrote:
Why are we setting this at all, since |sleep| may not exist inside the container? |process| is optional <https://github.com/opencontainers/runtime-spec/blob/b5017e22ec9592d9e4935812fdce8f9a6b71a365/config.md#process> (since opencontainers/runtime-spec#701 <opencontainers/runtime-spec#701>), so I'd rather just unset |process| completely and call |create| (but never |start|) during these outer tests.
Currently, it seems a good idea, so updated.
|
|
ping @opencontainers/runtime-tools-maintainers |
| // defer os.RemoveAll(bundleDir) | ||
|
|
||
| // TODO: Use a library to split run into create/start | ||
| // Launch the OCI runtime |
There was a problem hiding this comment.
You're using create below, so this comment is stale here. You will want to run kill and delete to clean up though.
Mashimiao
force-pushed
the
split-runtime-validate
branch
from
a259dda to
9ee5be2
Compare
Mashimiao
force-pushed
the
split-runtime-validate
branch
from
9ee5be2 to
0d93e18
Compare
|
Rebased, PTAL |
Mashimiao
force-pushed
the
split-runtime-validate
branch
from
0d93e18 to
ddef754
Compare
|
I like this change. It makes lifecycle testing easier. |
validation/validation_test.go
Outdated
| return err | ||
| } | ||
| defer os.RemoveAll(tmpDir) | ||
| // defer os.RemoveAll(bundleDir) |
There was a problem hiding this comment.
I'm guessing this change was for local testing, and that we want to restore the deferred removal before this PR lands?
| bundleDir := tmpDir + "/busybox" | ||
| if err := os.MkdirAll(bundleDir, 0755); err != nil { | ||
| // Copy the runtimetest binary to the rootfs | ||
| err = fileutils.CopyFile("../runtimetest", filepath.Join(rootfsDir, "runtimetest")) |
There was a problem hiding this comment.
Does this actually work? My local build of runtimetest is dynamically linked:
$ lddtree runtimetest
runtimetest (interpreter => /lib64/ld-linux-x86-64.so.2)
libpthread.so.0 => /lib64/libpthread.so.0
libc.so.6 => /lib64/libc.so.6
and neither that linker nor those libraries aren't part of our Busybox rootfs. For example, here is the statically-linked Busybox working fine in a chroot based on that rootfs:
$ unshare -rUmfp --mount-proc sh -c 'mount --rbind /proc proc && chroot . sh -c "pwd && ls"'
/
bin etc proc runtimetest
And here is runtimetest failing to launch in the same situation:
$ unshare -rUmfp --mount-proc sh -c 'mount --rbind /proc proc && chroot . /runtimetest'
chroot: failed to run command ‘/runtimetest’: No such file or directory
I expect we're going to need to either compile runtimetest as a static binary (#442), copy the linker and required libraries into rootfs, or use busybox for our internal tests.
Mashimiao
force-pushed
the
split-runtime-validate
branch
from
ddef754 to
18b08d4
Compare
Signed-off-by: Ma Shimiao <[email protected]>
Mashimiao
force-pushed
the
split-runtime-validate
branch
from
18b08d4 to
2010c81
Compare
|
Hi @Mashimiao, For example, we can add TestCreate function. In this function, we provides testing cases to cover
I used to add test like this: |
|
I think this PR is obsolete, or at least in need of a fairly involved rebase, now that #447 has landed. |
3 participants
If we want to totally validate a runtime, we do not only need to check container inside environment but also outside settings like cgroup, label, lifecycle. So I split runtimevalidate into to parts: inside and outside.
The following is an example output:
`# make localvalidation
RUNTIME=runc go test -tags "" -v github.com/opencontainers/runtime-tools/validation
=== RUN TestValidateRuntimeInside
TAP version 13
ok 1 - root filesystem
ok 2 - hostname
not ok 3 - mounts
not ok 4 - capabilities
ok 5 - default symlinks
ok 6 - default devices
ok 7 - linux devices
ok 8 - linux process
ok 9 - masked paths
ok 10 - oom score adj
ok 11 - read only paths
ok 12 - rlimits
ok 13 - sysctls
ok 14 - uid mappings
ok 15 - gid mappings
1..15
2 errors occurred:
--- FAIL: TestValidateRuntimeInside (0.27s)
validation_test.go:42: runc failed validation: exit status 1
=== RUN TestValidateRuntimeOutside
TAP version 13
ok 1 - labels
1..1
--- PASS: TestValidateRuntimeOutside (0.08s)
FAIL
exit status 1
FAIL github.com/opencontainers/runtime-tools/validation 0.350s
Makefile:40: recipe for target 'localvalidation' failed
make: *** [localvalidation] Error 1
`