Keep linux mounts for linux sandboxes on Windows/Darwin
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
This commit is contained in:
Maksym Pavlenko
@@ -18,7 +18,6 @@ package sbserver
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"os"
|
||||
"path/filepath"
|
||||
@@ -360,23 +359,16 @@ func TestContainerSpecWithExtraMounts(t *testing.T) {
|
||||
HostPath: "test-sys-extra",
|
||||
Readonly: false,
|
||||
},
|
||||
{
|
||||
ContainerPath: "/dev",
|
||||
HostPath: "test-dev-extra",
|
||||
Readonly: false,
|
||||
},
|
||||
}
|
||||
spec, err := c.buildContainerSpec(currentPlatform, testID, testSandboxID, testPid, "", testContainerName, testImageName, containerConfig, sandboxConfig, imageConfig, extraMounts, ociRuntime)
|
||||
require.NoError(t, err)
|
||||
specCheck(t, testID, testSandboxID, testPid, spec)
|
||||
var mounts, sysMounts, devMounts []runtimespec.Mount
|
||||
var mounts, sysMounts []runtimespec.Mount
|
||||
for _, m := range spec.Mounts {
|
||||
if strings.HasPrefix(m.Destination, "test-container-path") {
|
||||
mounts = append(mounts, m)
|
||||
} else if m.Destination == "/sys" {
|
||||
sysMounts = append(sysMounts, m)
|
||||
} else if strings.HasPrefix(m.Destination, "/dev") {
|
||||
devMounts = append(devMounts, m)
|
||||
}
|
||||
}
|
||||
t.Logf("CRI mount should override extra mount")
|
||||
@@ -388,11 +380,6 @@ func TestContainerSpecWithExtraMounts(t *testing.T) {
|
||||
require.Len(t, sysMounts, 1)
|
||||
assert.Equal(t, "test-sys-extra", sysMounts[0].Source)
|
||||
assert.Contains(t, sysMounts[0].Options, "rw")
|
||||
|
||||
t.Logf("Dev mount should override all default dev mounts")
|
||||
require.Len(t, devMounts, 1)
|
||||
assert.Equal(t, "test-dev-extra", devMounts[0].Source)
|
||||
assert.Contains(t, devMounts[0].Options, "rw")
|
||||
}
|
||||
|
||||
func TestContainerAndSandboxPrivileged(t *testing.T) {
|
||||
@@ -444,173 +431,6 @@ func TestContainerAndSandboxPrivileged(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestContainerMounts(t *testing.T) {
|
||||
const testSandboxID = "test-id"
|
||||
for desc, test := range map[string]struct {
|
||||
statFn func(string) (os.FileInfo, error)
|
||||
criMounts []*runtime.Mount
|
||||
securityContext *runtime.LinuxContainerSecurityContext
|
||||
expectedMounts []*runtime.Mount
|
||||
}{
|
||||
"should setup ro mount when rootfs is read-only": {
|
||||
securityContext: &runtime.LinuxContainerSecurityContext{
|
||||
ReadonlyRootfs: true,
|
||||
},
|
||||
expectedMounts: []*runtime.Mount{
|
||||
{
|
||||
ContainerPath: "/etc/hostname",
|
||||
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
|
||||
Readonly: true,
|
||||
SelinuxRelabel: true,
|
||||
},
|
||||
{
|
||||
ContainerPath: "/etc/hosts",
|
||||
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
|
||||
Readonly: true,
|
||||
SelinuxRelabel: true,
|
||||
},
|
||||
{
|
||||
ContainerPath: resolvConfPath,
|
||||
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
|
||||
Readonly: true,
|
||||
SelinuxRelabel: true,
|
||||
},
|
||||
{
|
||||
ContainerPath: "/dev/shm",
|
||||
HostPath: filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
|
||||
Readonly: false,
|
||||
SelinuxRelabel: true,
|
||||
},
|
||||
},
|
||||
},
|
||||
"should setup rw mount when rootfs is read-write": {
|
||||
securityContext: &runtime.LinuxContainerSecurityContext{},
|
||||
expectedMounts: []*runtime.Mount{
|
||||
{
|
||||
ContainerPath: "/etc/hostname",
|
||||
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
|
||||
Readonly: false,
|
||||
SelinuxRelabel: true,
|
||||
},
|
||||
{
|
||||
ContainerPath: "/etc/hosts",
|
||||
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
|
||||
Readonly: false,
|
||||
SelinuxRelabel: true,
|
||||
},
|
||||
{
|
||||
ContainerPath: resolvConfPath,
|
||||
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
|
||||
Readonly: false,
|
||||
SelinuxRelabel: true,
|
||||
},
|
||||
{
|
||||
ContainerPath: "/dev/shm",
|
||||
HostPath: filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
|
||||
Readonly: false,
|
||||
SelinuxRelabel: true,
|
||||
},
|
||||
},
|
||||
},
|
||||
"should use host /dev/shm when host ipc is set": {
|
||||
securityContext: &runtime.LinuxContainerSecurityContext{
|
||||
NamespaceOptions: &runtime.NamespaceOption{Ipc: runtime.NamespaceMode_NODE},
|
||||
},
|
||||
expectedMounts: []*runtime.Mount{
|
||||
{
|
||||
ContainerPath: "/etc/hostname",
|
||||
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
|
||||
Readonly: false,
|
||||
SelinuxRelabel: true,
|
||||
},
|
||||
{
|
||||
ContainerPath: "/etc/hosts",
|
||||
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
|
||||
Readonly: false,
|
||||
SelinuxRelabel: true,
|
||||
},
|
||||
{
|
||||
ContainerPath: resolvConfPath,
|
||||
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
|
||||
Readonly: false,
|
||||
SelinuxRelabel: true,
|
||||
},
|
||||
{
|
||||
ContainerPath: "/dev/shm",
|
||||
HostPath: "/dev/shm",
|
||||
Readonly: false,
|
||||
},
|
||||
},
|
||||
},
|
||||
"should skip container mounts if already mounted by CRI": {
|
||||
criMounts: []*runtime.Mount{
|
||||
{
|
||||
ContainerPath: "/etc/hostname",
|
||||
HostPath: "/test-etc-hostname",
|
||||
},
|
||||
{
|
||||
ContainerPath: "/etc/hosts",
|
||||
HostPath: "/test-etc-host",
|
||||
},
|
||||
{
|
||||
ContainerPath: resolvConfPath,
|
||||
HostPath: "test-resolv-conf",
|
||||
},
|
||||
{
|
||||
ContainerPath: "/dev/shm",
|
||||
HostPath: "test-dev-shm",
|
||||
},
|
||||
},
|
||||
securityContext: &runtime.LinuxContainerSecurityContext{},
|
||||
expectedMounts: nil,
|
||||
},
|
||||
"should skip hostname mount if the old sandbox doesn't have hostname file": {
|
||||
statFn: func(path string) (os.FileInfo, error) {
|
||||
assert.Equal(t, filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"), path)
|
||||
return nil, errors.New("random error")
|
||||
},
|
||||
securityContext: &runtime.LinuxContainerSecurityContext{},
|
||||
expectedMounts: []*runtime.Mount{
|
||||
{
|
||||
ContainerPath: "/etc/hosts",
|
||||
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
|
||||
Readonly: false,
|
||||
SelinuxRelabel: true,
|
||||
},
|
||||
{
|
||||
ContainerPath: resolvConfPath,
|
||||
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
|
||||
Readonly: false,
|
||||
SelinuxRelabel: true,
|
||||
},
|
||||
{
|
||||
ContainerPath: "/dev/shm",
|
||||
HostPath: filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
|
||||
Readonly: false,
|
||||
SelinuxRelabel: true,
|
||||
},
|
||||
},
|
||||
},
|
||||
} {
|
||||
t.Run(desc, func(t *testing.T) {
|
||||
config := &runtime.ContainerConfig{
|
||||
Metadata: &runtime.ContainerMetadata{
|
||||
Name: "test-name",
|
||||
Attempt: 1,
|
||||
},
|
||||
Mounts: test.criMounts,
|
||||
Linux: &runtime.LinuxContainerConfig{
|
||||
SecurityContext: test.securityContext,
|
||||
},
|
||||
}
|
||||
c := newTestCRIService()
|
||||
c.os.(*ostesting.FakeOS).StatFn = test.statFn
|
||||
mounts := c.containerMounts(testSandboxID, config)
|
||||
assert.Equal(t, test.expectedMounts, mounts, desc)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestPrivilegedBindMount(t *testing.T) {
|
||||
testPid := uint32(1234)
|
||||
c := newTestCRIService()
|
||||
|
||||
Reference in New Issue
Block a user