Merge pull request #8198 from kiashok/argsEscapedSupportInCri

Add ArgsEscaped support for CRI
2023-03-07 16:12:24 +08:00
parent b6c72a02ba 8137e41c48
commit 5ae3a7f417
11 changed files with 363 additions and 20 deletions
--- a/pkg/cri/server/container_create_windows.go
+++ b/pkg/cri/server/container_create_windows.go
@@ -51,9 +51,8 @@ func (c *criService) containerSpec(
 	extraMounts []*runtime.Mount,
 	ociRuntime config.Runtime,
 ) (*runtimespec.Spec, error) {
-	specOpts := []oci.SpecOpts{
-		customopts.WithProcessArgs(config, imageConfig),
-	}
+	var specOpts []oci.SpecOpts
+	specOpts = append(specOpts, customopts.WithProcessCommandLineOrArgsForWindows(config, imageConfig))

 	// All containers in a pod need to have HostProcess set if it was set on the pod,
 	// and vice versa no containers in the pod can be HostProcess if the pods spec
--- a/pkg/cri/server/container_create_windows_test.go
+++ b/pkg/cri/server/container_create_windows_test.go
@@ -22,12 +22,27 @@ import (
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1"

 	"github.com/containerd/containerd/pkg/cri/annotations"
 	"github.com/containerd/containerd/pkg/cri/config"
 )

+func getSandboxConfig() *runtime.PodSandboxConfig {
+	return &runtime.PodSandboxConfig{
+		Metadata: &runtime.PodSandboxMetadata{
+			Name:      "test-sandbox-name",
+			Uid:       "test-sandbox-uid",
+			Namespace: "test-sandbox-ns",
+			Attempt:   2,
+		},
+		Windows:     &runtime.WindowsPodSandboxConfig{},
+		Hostname:    "test-hostname",
+		Annotations: map[string]string{"c": "d"},
+	}
+}
+
 func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandboxConfig,
 	*imagespec.ImageConfig, func(*testing.T, string, string, uint32, *runtimespec.Spec)) {
 	config := &runtime.ContainerConfig{
@@ -76,17 +91,7 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox
 			},
 		},
 	}
-	sandboxConfig := &runtime.PodSandboxConfig{
-		Metadata: &runtime.PodSandboxMetadata{
-			Name:      "test-sandbox-name",
-			Uid:       "test-sandbox-uid",
-			Namespace: "test-sandbox-ns",
-			Attempt:   2,
-		},
-		Windows:     &runtime.WindowsPodSandboxConfig{},
-		Hostname:    "test-hostname",
-		Annotations: map[string]string{"c": "d"},
-	}
+	sandboxConfig := getSandboxConfig()
 	imageConfig := &imagespec.ImageConfig{
 		Env:        []string{"ik1=iv1", "ik2=iv2", "ik3=iv3=iv3bis", "ik4=iv4=iv4bis=boop"},
 		Entrypoint: []string{"/entrypoint"},
@@ -248,3 +253,104 @@ func TestHostProcessRequirements(t *testing.T) {
 		})
 	}
 }
+
+func TestEntrypointAndCmdForArgsEscaped(t *testing.T) {
+	testID := "test-id"
+	testSandboxID := "sandbox-id"
+	testContainerName := "container-name"
+	testPid := uint32(1234)
+	nsPath := "test-ns"
+	c := newTestCRIService()
+
+	for name, test := range map[string]struct {
+		imgEntrypoint       []string
+		imgCmd              []string
+		command             []string
+		args                []string
+		expectedArgs        []string
+		expectedCommandLine string
+		ArgsEscaped         bool
+	}{
+		// override image entrypoint and cmd in shell form with container args and verify expected runtime spec
+		"TestShellFormImgEntrypointCmdWithCtrArgs": {
+			imgEntrypoint:       []string{`"C:\My Folder\MyProcess.exe" -arg1 "test value"`},
+			imgCmd:              []string{`cmd -args "hello world"`},
+			command:             nil,
+			args:                []string{`cmd -args "additional args"`},
+			expectedArgs:        nil,
+			expectedCommandLine: `"C:\My Folder\MyProcess.exe" -arg1 "test value" "cmd -args \"additional args\""`,
+			ArgsEscaped:         true,
+		},
+		// check image entrypoint and cmd in shell form without overriding with container command and args and verify expected runtime spec
+		"TestShellFormImgEntrypointCmdWithoutCtrArgs": {
+			imgEntrypoint:       []string{`"C:\My Folder\MyProcess.exe" -arg1 "test value"`},
+			imgCmd:              []string{`cmd -args "hello world"`},
+			command:             nil,
+			args:                nil,
+			expectedArgs:        nil,
+			expectedCommandLine: `"C:\My Folder\MyProcess.exe" -arg1 "test value" "cmd -args \"hello world\""`,
+			ArgsEscaped:         true,
+		},
+		// override image entrypoint and cmd by container command and args in shell form and verify expected runtime spec
+		"TestShellFormImgEntrypointCmdWithCtrEntrypointAndArgs": {
+			imgEntrypoint:       []string{`"C:\My Folder\MyProcess.exe" -arg1 "test value"`},
+			imgCmd:              []string{`cmd -args "hello world"`},
+			command:             []string{`C:\My Folder\MyProcess.exe`, "-arg1", "additional test value"},
+			args:                []string{"cmd", "-args", "additional args"},
+			expectedArgs:        nil,
+			expectedCommandLine: `"C:\My Folder\MyProcess.exe" -arg1 "additional test value" cmd -args "additional args"`,
+			ArgsEscaped:         true,
+		},
+		// override image cmd by container args in exec form and verify expected runtime spec
+		"TestExecFormImgEntrypointCmdWithCtrArgs": {
+			imgEntrypoint:       []string{`C:\My Folder\MyProcess.exe`, "-arg1", "test value"},
+			imgCmd:              []string{"cmd", "-args", "hello world"},
+			command:             nil,
+			args:                []string{"additional", "args"},
+			expectedArgs:        []string{`C:\My Folder\MyProcess.exe`, "-arg1", "test value", "additional", "args"},
+			expectedCommandLine: "",
+			ArgsEscaped:         false,
+		},
+		// check image entrypoint and cmd in exec form without overriding with container command and args and verify expected runtime spec
+		"TestExecFormImgEntrypointCmdWithoutCtrArgs": {
+			imgEntrypoint:       []string{`C:\My Folder\MyProcess.exe`, "-arg1", "test value"},
+			imgCmd:              []string{"cmd", "-args", "hello world"},
+			command:             nil,
+			args:                nil,
+			expectedArgs:        []string{`C:\My Folder\MyProcess.exe`, "-arg1", "test value", "cmd", "-args", "hello world"},
+			expectedCommandLine: "",
+			ArgsEscaped:         false,
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			imageConfig := &imagespec.ImageConfig{
+				Entrypoint:  test.imgEntrypoint,
+				Cmd:         test.imgCmd,
+				ArgsEscaped: test.ArgsEscaped,
+			}
+			sandboxConfig := getSandboxConfig()
+			containerConfig := &runtime.ContainerConfig{
+				Metadata: &runtime.ContainerMetadata{
+					Name:    "test-name",
+					Attempt: 1,
+				},
+				Image: &runtime.ImageSpec{
+					Image: testImageName,
+				},
+				Command: test.command,
+				Args:    test.args,
+				Windows: &runtime.WindowsContainerConfig{},
+			}
+			runtimeSpec, err := c.containerSpec(testID, testSandboxID, testPid, nsPath, testContainerName, testImageName, containerConfig, sandboxConfig, imageConfig, nil, config.Runtime{})
+			assert.NoError(t, err)
+			assert.NotNil(t, runtimeSpec)
+
+			// check the runtime spec for expected commandline and args
+			actualCommandLine := runtimeSpec.Process.CommandLine
+			actualArgs := runtimeSpec.Process.Args
+
+			require.Equal(t, actualArgs, test.expectedArgs)
+			require.Equal(t, actualCommandLine, test.expectedCommandLine)
+		})
+	}
+}
--- a/pkg/cri/server/container_execsync.go
+++ b/pkg/cri/server/container_execsync.go
@@ -146,6 +146,8 @@ func (c *criService) execInternal(ctx context.Context, container containerd.Cont
 	}

 	pspec.Args = opts.cmd
+	// CommandLine may already be set on the container's spec, but we want to only use Args here.
+	pspec.CommandLine = ""

 	if opts.stdout == nil {
 		opts.stdout = cio.NewDiscardLogger()