test: Add unit tests for privileged runtime functions

- Add unit test for privilegedSandbox

- Add unit test for getRuntime

Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Jose Carlos Venegas Munoz 2018-03-20 13:36:24 -06:00
parent ca16bd601a
commit bdc5eee544
2 changed files with 118 additions and 2 deletions


@ -19,10 +19,10 @@ package server
import ( import (
"testing" "testing"
criconfig "github.com/containerd/cri/pkg/config"
"github.com/containerd/cri/pkg/util"
imagedigest "github.com/opencontainers/go-digest" imagedigest "github.com/opencontainers/go-digest"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/containerd/cri/pkg/util"
) )
// TestGetUserFromImage tests the logic of getting image uid or user name of image user. // TestGetUserFromImage tests the logic of getting image uid or user name of image user.
@ -142,3 +142,64 @@ func TestBuildLabels(t *testing.T) {
assert.Empty(t, configLabels[containerKindLabel], "should not add new labels into original label") assert.Empty(t, configLabels[containerKindLabel], "should not add new labels into original label")
assert.Equal(t, "b", configLabels["a"], "change in new labels should not affect original label") assert.Equal(t, "b", configLabels["a"], "change in new labels should not affect original label")
} }
func Test_criService_getRuntime(t *testing.T) {
const (
privilegedWorkload = true
nonPrivilegedWorkload = false
)
nonPrivilegedRuntime := criconfig.Runtime{
Type: "io.containerd.runtime.v1.linux",
Engine: "kata-runtime",
Root: "",
}
privilegedRuntime := criconfig.Runtime{
Type: "io.containerd.runtime.v1.linux",
Engine: "runc",
Root: "",
}
// Crate a configuration that does not specify a privileged runtime
// Both privileged and non-privileged workloads are created with the
// defaultRuntime (nonPrivilegedRuntime).
nonPrivilegedConfig := criService{
config: criconfig.Config{
PluginConfig: criconfig.DefaultConfig(),
},
}
nonPrivilegedConfig.config.ContainerdConfig.DefaultRuntime = nonPrivilegedRuntime
// Crate a configuration that specifies a privileged runtime
// The privileged workloads are created with the privilegedRuntime
// The non-privileged workloads be created with the
// defaultRuntime(nonPrivilegedRuntime)
privilegedConfig := criService{
config: criconfig.Config{
PluginConfig: criconfig.DefaultConfig(),
},
}
privilegedConfig.config.ContainerdConfig.DefaultRuntime = nonPrivilegedRuntime
privilegedConfig.config.ContainerdConfig.PrivilegedRuntime = privilegedRuntime
tests := []struct {
name string
cri criService
privileged bool
wantRuntime criconfig.Runtime
}{
{"nonPrivilegedConfig/PrivilegedWorkload", nonPrivilegedConfig, privilegedWorkload, nonPrivilegedRuntime},
{"nonPrivilegedConfig/PrivilegedWorkload", nonPrivilegedConfig, nonPrivilegedWorkload, nonPrivilegedRuntime},
{"PrivilegedConfig/nonPrivilegedWorkload", privilegedConfig, privilegedWorkload, privilegedRuntime},
{"PrivilegedConfig/nonPrivilegedWorkload", privilegedConfig, nonPrivilegedWorkload, nonPrivilegedRuntime},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
gotRuntime := tt.cri.getRuntime(tt.privileged)
assert.Equal(t, tt.wantRuntime, gotRuntime)
})
}
}
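Review bot: Two subtest names in the `tests` table of `Test_criService_getRuntime` do not match their rows: the second row passes `nonPrivilegedWorkload` and the third passes `privilegedWorkload`, yet each repeats its neighbour's name. `t.Run` will therefore see two pairs of duplicate names and disambiguate them with a numeric suffix, so a failure report can point at the wrong case. Rename the second row to `"nonPrivilegedConfig/nonPrivilegedWorkload"` and the third to `"PrivilegedConfig/PrivilegedWorkload"`. This table pins which runtime (`runc` versus `kata-runtime` in the fixtures) a privileged workload is handed, so a misleading label could hide a regression in that isolation decision. The two setup comments also read `Crate` where `Create` is meant.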


@ -435,3 +435,58 @@ func TestTypeurlMarshalUnmarshalSandboxMeta(t *testing.T) {
// TODO(random-liu): [P1] Add unit test for different error cases to make sure // TODO(random-liu): [P1] Add unit test for different error cases to make sure
// the function cleans up on error properly. // the function cleans up on error properly.
func TestPrivilegedSandbox(t *testing.T) {
privilegedContext := runtime.RunPodSandboxRequest{
Config: &runtime.PodSandboxConfig{
Linux: &runtime.LinuxPodSandboxConfig{
SecurityContext: &runtime.LinuxSandboxSecurityContext{
Privileged: true,
},
},
},
}
nonPrivilegedContext := runtime.RunPodSandboxRequest{
Config: &runtime.PodSandboxConfig{
Linux: &runtime.LinuxPodSandboxConfig{
SecurityContext: &runtime.LinuxSandboxSecurityContext{
Privileged: false,
},
},
},
}
hostNamespace := runtime.RunPodSandboxRequest{
Config: &runtime.PodSandboxConfig{
Linux: &runtime.LinuxPodSandboxConfig{
SecurityContext: &runtime.LinuxSandboxSecurityContext{
Privileged: false,
NamespaceOptions: &runtime.NamespaceOption{
Network: runtime.NamespaceMode_NODE,
Pid: runtime.NamespaceMode_NODE,
Ipc: runtime.NamespaceMode_NODE,
},
},
},
},
}
type args struct {
req *runtime.RunPodSandboxRequest
}
tests := []struct {
name string
args args
want bool
}{
{"Security Context is nil", args{&runtime.RunPodSandboxRequest{}}, false},
{"Security Context is privileged", args{&privilegedContext}, true},
{"Security Context is not privileged", args{&nonPrivilegedContext}, false},
{"Security Context namespace host access", args{&hostNamespace}, true},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := privilegedSandbox(tt.args.req); got != tt.want {
t.Errorf("privilegedSandbox() = %v, want %v", got, tt.want)
}
})
}
}
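Review bot: The only host-namespace case in `TestPrivilegedSandbox` sets `Network`, `Pid` and `Ipc` to `NamespaceMode_NODE` together, so the test does not pin whether each namespace on its own makes `privilegedSandbox` return true. If one of the three checks were dropped, this table would still pass, and a sandbox sharing that host namespace could be routed to the non-privileged runtime path unnoticed. Add one row per namespace with only that field set to `NamespaceMode_NODE`. The implementation is not visible on this page, so the `true` expectations below are an assumption to confirm. The "Security Context is nil" row passes an empty request, so a request with `Linux` set and `SecurityContext` nil is also not exercised.

```go
// Constructed helper: builds a non-privileged request with the given namespace modes.
hostNS := func(network, pid, ipc runtime.NamespaceMode) *runtime.RunPodSandboxRequest {
	return &runtime.RunPodSandboxRequest{
		Config: &runtime.PodSandboxConfig{
			Linux: &runtime.LinuxPodSandboxConfig{
				SecurityContext: &runtime.LinuxSandboxSecurityContext{
					NamespaceOptions: &runtime.NamespaceOption{
						Network: network,
						Pid:     pid,
						Ipc:     ipc,
					},
				},
			},
		},
	}
}
// … unchanged: privilegedContext, nonPrivilegedContext, hostNamespace, args type, existing four rows …
	// Expected values assume any single host namespace counts as privileged — confirm against privilegedSandbox.
	{"Only network namespace is host", args{hostNS(runtime.NamespaceMode_NODE, runtime.NamespaceMode_POD, runtime.NamespaceMode_POD)}, true},
	{"Only pid namespace is host", args{hostNS(runtime.NamespaceMode_POD, runtime.NamespaceMode_NODE, runtime.NamespaceMode_POD)}, true},
	{"Only ipc namespace is host", args{hostNS(runtime.NamespaceMode_POD, runtime.NamespaceMode_POD, runtime.NamespaceMode_NODE)}, true},
	{"No host namespaces", args{hostNS(runtime.NamespaceMode_POD, runtime.NamespaceMode_POD, runtime.NamespaceMode_POD)}, false},
// … unchanged: t.Run loop …
```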