From 29cf869c6835043fd311fd93e2e2920e1a486c65 Mon Sep 17 00:00:00 2001 From: utam0k Date: Sat, 6 May 2023 23:15:32 +0000 Subject: [PATCH] Add the handly script for kind and youki Signed-off-by: utam0k --- .github/scripts/dependency.sh | 4 +-- .../workflows/benchmark_execution_time.yml | 4 +-- ...ainerd_integration_tests.yaml => e2e.yaml} | 22 ++++++++++-- .../integration_tests_validation.yaml | 2 +- .github/workflows/main.yml | 6 ++-- .github/workflows/podman_tests.yaml | 2 +- .github/workflows/release.yml | 4 +-- .gitignore | 2 ++ Makefile | 32 +++++++++++++++-- .../src/process/container_init_process.rs | 4 +-- tests/k8s/Dockerfile | 36 +++++++++++++++++++ 11 files changed, 101 insertions(+), 17 deletions(-) rename .github/workflows/{containerd_integration_tests.yaml => e2e.yaml} (73%) create mode 100644 tests/k8s/Dockerfile diff --git a/.github/scripts/dependency.sh b/.github/scripts/dependency.sh index e57330fc..b8c55e2d 100755 --- a/.github/scripts/dependency.sh +++ b/.github/scripts/dependency.sh @@ -1,4 +1,4 @@ #!/bin/bash -sudo apt-get -y update -sudo apt-get install -y pkg-config libsystemd-dev libdbus-glib-1-dev libelf-dev libseccomp-dev +apt-get -y update +apt-get install -y pkg-config libsystemd-dev libdbus-glib-1-dev libelf-dev libseccomp-dev diff --git a/.github/workflows/benchmark_execution_time.yml b/.github/workflows/benchmark_execution_time.yml index 5d319b5b..9ef0964f 100644 --- a/.github/workflows/benchmark_execution_time.yml +++ b/.github/workflows/benchmark_execution_time.yml @@ -15,7 +15,7 @@ jobs: uses: actions/checkout@v3 - name: Install requirements - run: ./.github/scripts/dependency.sh + run: sudo ./.github/scripts/dependency.sh - name: Setup Rust toolchain and cache uses: actions-rust-lang/setup-rust-toolchain@v1.3.7 
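Review bot: In .github/scripts/dependency.sh the script has no error handling, so a failed `apt-get -y update` is hidden by the exit status of the `apt-get install` that follows it. Now that `sudo` has moved to the callers, an unprivileged run also fails with an apt permission error instead of a clear message. Add `set -euo pipefail` after the shebang and a guard such as `[ "$(id -u)" -eq 0 ] || { echo "dependency.sh must run as root" >&2; exit 1; }`. Because every workflow now runs the whole script under `sudo`, anything added to it later executes as root on the runner, so a short header comment saying the script is limited to package installation would help.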
@@ -41,7 +41,7 @@ jobs: ref: main - name: Install requirements - run: ./.github/scripts/dependency.sh + run: sudo ./.github/scripts/dependency.sh - name: Setup Rust toolchain and cache uses: actions-rust-lang/setup-rust-toolchain@v1.3.7 diff --git a/.github/workflows/containerd_integration_tests.yaml b/.github/workflows/e2e.yaml similarity index 73% rename from .github/workflows/containerd_integration_tests.yaml rename to .github/workflows/e2e.yaml index 03f399c3..cf9f2e1d 100644 --- a/.github/workflows/containerd_integration_tests.yaml +++ b/.github/workflows/e2e.yaml @@ -1,4 +1,4 @@ -name: 🧪 Containerd integration test +name: 🧪 e2e test on: push: @@ -17,7 +17,7 @@ jobs: - name: Setup Rust toolchain and cache uses: actions-rust-lang/setup-rust-toolchain@v1.3.7 - name: Install requirements - run: ./.github/scripts/dependency.sh + run: sudo ./.github/scripts/dependency.sh - name: Build youki run: make youki-release - name: Upload youki binary @@ -57,3 +57,21 @@ jobs: runc --version - name: Integration Test run: sudo make TEST_RUNTIME=io.containerd.runc.v2 TESTFLAGS="-timeout 40m" integration + # + # k8s-tests: + # runs-on: ubuntu-22.04 + # needs: [youki-build] + # timeout-minutes: 40 + # steps: + # - uses: actions/checkout@v3 + # - name: Download youki binary + # uses: actions/download-artifact@v3 + # with: + # name: youki + # - name: Add the permission to run + # run: chmod +x ./youki + # - name: test/k8s/deploy + # run: make test/k8s/deploy + # # - name: Debug + # # if: ${{ always() }} + # # uses: mxschmitt/action-tmate@v3 diff --git a/.github/workflows/integration_tests_validation.yaml b/.github/workflows/integration_tests_validation.yaml index 17b2571b..8b285f3d 100644 --- a/.github/workflows/integration_tests_validation.yaml +++ b/.github/workflows/integration_tests_validation.yaml 
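Review bot: The commented-out `k8s-tests` job appended to e2e.yaml contains a `mxschmitt/action-tmate@v3` debug step under `if: ${{ always() }}`. If the block is uncommented as written, each run would start a remote shell session on the runner through a third-party action referenced by a mutable tag. If the step is kept for later use, pin it to a full commit SHA, set `limit-access-to-actor: true`, and gate it on a manual trigger rather than `always()`. A disabled job is also easier to track in an issue or a follow-up PR than as commented YAML in the workflow.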
@@ -31,7 +31,7 @@ jobs: - name: Setup Rust toolchain and cache uses: actions-rust-lang/setup-rust-toolchain@v1.3.7 - name: Install requirements - run: ./.github/scripts/dependency.sh + run: sudo ./.github/scripts/dependency.sh - name: Install runc 1.1.0 run: | wget -q https://github.com/opencontainers/runc/releases/download/v1.1.0/runc.amd64 diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 417b945d..525fe203 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -46,7 +46,7 @@ jobs: uses: actions-rust-lang/setup-rust-toolchain@v1.3.7 - run: rustup component add rustfmt clippy - name: Install requirements - run: ./.github/scripts/dependency.sh + run: sudo ./.github/scripts/dependency.sh - run: sudo apt-get install -y pkg-config libsystemd-dev libdbus-glib-1-dev libelf-dev libseccomp-dev - name: Check formatting run: cargo fmt --all -- --check @@ -84,7 +84,7 @@ jobs: with: tool: cargo-llvm-cov@0.4.0 - name: Install requirements - run: ./.github/scripts/dependency.sh + run: sudo ./.github/scripts/dependency.sh - name: Run Test Coverage for youki run: | cargo llvm-cov clean --workspace @@ -105,7 +105,7 @@ jobs: - name: Setup Rust toolchain and cache uses: actions-rust-lang/setup-rust-toolchain@v1.3.7 - name: Install requirements - run: ./.github/scripts/dependency.sh + run: sudo ./.github/scripts/dependency.sh - uses: actions/setup-go@v3 with: go-version: "1.17.6" diff --git a/.github/workflows/podman_tests.yaml b/.github/workflows/podman_tests.yaml index d9ec7c02..e4680c4c 100644 --- a/.github/workflows/podman_tests.yaml +++ b/.github/workflows/podman_tests.yaml @@ -10,7 +10,7 @@ jobs: steps: - uses: actions/checkout@v3 - name: Install requirements - run: ./.github/scripts/dependency.sh + run: sudo ./.github/scripts/dependency.sh - run: make youki-dev - run: sudo cp youki /usr/local/bin - name: Install requirements for Podman 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 49d009ef..5f8d09db 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,7 +13,7 @@ jobs: with: submodules: recursive - name: Install requirements - run: ./.github/scripts/dependency.sh + run: sudo ./.github/scripts/dependency.sh - name: Setup Rust toolchain and cache uses: actions-rust-lang/setup-rust-toolchain@v1.3.7 - name: Build @@ -30,7 +30,7 @@ jobs: steps: - uses: actions/checkout@v3 - name: Install requirements - run: ./.github/scripts/dependency.sh + run: sudo ./.github/scripts/dependency.sh - name: Setup Rust toolchain and cache uses: actions-rust-lang/setup-rust-toolchain@v1.3.7 - name: Release build diff --git a/.gitignore b/.gitignore index 0dd74a3f..fdeed4a2 100644 --- a/.gitignore +++ b/.gitignore @@ -20,3 +20,5 @@ tags.temp /bundle.tar.gz /test.log + +/tests/k8s/_out/ diff --git a/Makefile b/Makefile index 012c7420..899b9dcd 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,9 @@ ROOT = $(shell git rev-parse --show-toplevel) +DOCKER_BUILD ?= docker buildx build + +KIND_CLUSTER_NAME ?= youki + # builds .PHONY:build 
@@ -80,13 +84,37 @@ test/k3s: bin/k3s test/k3s/clean: sudo bin/k3s-youki-uninstall.sh -# Misc -# +.PHONY: test/k8s/cluster +test/k8s/cluster: bin/kind tests/k8s/_out/img bin/kind + bin/kind create cluster --name $(KIND_CLUSTER_NAME) --image="$(shell cat tests/k8s/_out/img)" + +.PHONY: test/k8s/deploy +test/k8s/deploy: test/k8s/cluster + kubectl --context=kind-$(KIND_CLUSTER_NAME) apply -f tests/k8s/deploy.yaml + kubectl --context=kind-$(KIND_CLUSTER_NAME) wait deployment nginx-deployment --for condition=Available=True --timeout=90s + kubectl --context=kind-$(KIND_CLUSTER_NAME) get pods -o wide + +# Bin + .PHONY: bin/k3s bin/k3s: mkdir -p bin && \ curl -sfL https://get.k3s.io | INSTALL_K3S_BIN_DIR=$(PWD)/bin INSTALL_K3S_SYMLINK=skip INSTALL_K3S_NAME=youki sh - +.PHONY: bin/kind +bin/kind: tests/k8s/Dockerfile + $(DOCKER_BUILD) --output=bin/ -f tests/k8s/Dockerfile --target kind-bin . + +.PHONY: test/k8s/clean +test/k8s/clean: + kind delete cluster --name $(KIND_CLUSTER_NAME) + rm -r tests/k8s/_out + +tests/k8s/_out/img: tests/k8s/Dockerfile Cargo.toml Cargo.lock $(shell find . -type f -name '*.rs') + mkdir -p $(@D) && $(DOCKER_BUILD) -f tests/k8s/Dockerfile --iidfile=$(@) --load . + +# Misc + .PHONY: lint lint: cargo fmt --all -- --check diff --git a/crates/libcontainer/src/process/container_init_process.rs b/crates/libcontainer/src/process/container_init_process.rs index 7024e46e..05d02c37 100644 --- a/crates/libcontainer/src/process/container_init_process.rs +++ b/crates/libcontainer/src/process/container_init_process.rs 
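Review bot: `test/k8s/clean` calls `kind delete cluster` from PATH, while `test/k8s/cluster` creates the cluster with the locally built `bin/kind`, so cleanup fails on a machine with no system-wide kind. Use `bin/kind delete cluster --name $(KIND_CLUSTER_NAME)`, and `rm -rf tests/k8s/_out` so the target also succeeds when the directory is absent. `bin/kind` is listed twice in the prerequisites of `test/k8s/cluster`, and because it is declared `.PHONY` the docker build reruns on every invocation even though it produces a real file. `test/k8s/deploy` applies `tests/k8s/deploy.yaml`, which is not among the files in this patch's diffstat, so confirm it already exists in the tree.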
@@ -376,9 +376,9 @@ pub fn container_init_process( warn!("seccomp not available, unable to enforce no_new_privileges!") } - capabilities::reset_effective(syscall).context("Failed to reset effective capabilities")?; + capabilities::reset_effective(syscall).context("failed to reset effective capabilities")?; if let Some(caps) = proc.capabilities() { - capabilities::drop_privileges(caps, syscall).context("Failed to drop capabilities")?; + capabilities::drop_privileges(caps, syscall).context("failed to drop capabilities")?; } // Change directory to process.cwd if process.cwd is not empty diff --git a/tests/k8s/Dockerfile b/tests/k8s/Dockerfile new file mode 100644 index 00000000..eacb6e9f --- /dev/null +++ b/tests/k8s/Dockerfile @@ -0,0 +1,36 @@ +# syntax=docker/dockerfile:1.4 + +ARG KIND_NODE_VERSION=v1.23.13 + +FROM kindest/node:${KIND_NODE_VERSION} AS kind-base + +FROM kind-base AS shim-build +RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /tmp/rustup.sh && sh /tmp/rustup.sh -y --profile=minimal +ENV PATH="/root/.cargo/bin:${PATH}" +WORKDIR /shim +COPY ./youki /shim/youki + +FROM scratch AS shim +COPY --from=shim-build /shim/youki / + +FROM kind-base AS kind-fetch +ARG TARGETARCH +ARG KIND_VERSION=v0.17.0 +RUN curl -sSLf https://kind.sigs.k8s.io/dl/${KIND_VERSION}/kind-linux-${TARGETARCH} > /root/kind && chmod +x /root/kind + +FROM scratch AS kind-bin +COPY --from=kind-fetch /root/kind /kind + +FROM kind-base +RUN <> /etc/containerd/config.toml +echo ' runtime_type = "io.containerd.runc.v2"' >> /etc/containerd/config.toml +echo ' [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.youki.options]' >> /etc/containerd/config.toml +echo ' BinaryName = "/usr/local/bin/youki"' >> /etc/containerd/config.toml +sed -i 's,SystemdCgroup = true,,' /etc/containerd/config.toml +EOF +COPY .github/scripts/dependency.sh .github/scripts/dependency.sh +RUN apt-get update && .github/scripts/dependency.sh +COPY --link --from=shim /* /usr/local/bin/ +
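Review bot: In tests/k8s/Dockerfile the `kind-fetch` stage downloads the kind binary with `curl -sSLf … > /root/kind` and marks it executable without verifying it, and the Makefile's `bin/kind` target then exports that file to the host's `bin/`, where it is executed. Pin an expected digest and check it in the same RUN, for example `ARG KIND_SHA256=<expected-sha256>` and `echo "${KIND_SHA256}  /root/kind" | sha256sum -c -` before the `chmod`; a per-architecture value is needed because the URL depends on `TARGETARCH`. The `shim-build` stage runs the rustup installer but, as far as this file shows, only copies a prebuilt `./youki`, so that download looks unnecessary and could be dropped. The base image `kindest/node:${KIND_NODE_VERSION}` is referenced by tag only; pinning it by digest would make the node image reproducible.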