Fix privileged container sysfs can't be rw because pod is ro by default

Signed-off-by: fengwei0328 <feng.wei8@zte.com.cn>
2025-01-17 14:29:53 +08:00
parent 67bb32a8b2
commit c7f64196fc
3 changed files with 120 additions and 0 deletions
--- a/integration/container_stats_test.go
+++ b/integration/container_stats_test.go
@@ -428,3 +428,83 @@ func testStats(t *testing.T,
 		require.NotEmpty(t, s.GetWritableLayer().GetInodesUsed().GetValue())
 	}
 }
+
+func TestContainerSysfsStatsWithPrivilegedPod(t *testing.T) {
+	if goruntime.GOOS == "windows" {
+		t.Skip("Doesn't care about filesystem properties on windows")
+	}
+	testImage := images.Get(images.BusyBox)
+	testcases := []struct {
+		name                               string
+		privilegedPod, privilegedContainer bool
+		expectedSysfsOption, expectedErr   string
+	}{
+		{
+			name:                "sandbox and container with privileged=true, sysfs is rw",
+			privilegedPod:       true,
+			privilegedContainer: true,
+			expectedSysfsOption: "rw",
+		},
+		{
+			name:                "sandbox with privileged=true, and container with privileged=false, sysfs is ro",
+			privilegedPod:       true,
+			privilegedContainer: false,
+			expectedSysfsOption: "ro",
+		},
+		{
+			name:                "sandbox and container with privileged=false, sysfs is ro",
+			privilegedPod:       false,
+			privilegedContainer: false,
+			expectedSysfsOption: "ro",
+		},
+		{
+			name:                "sandbox with privileged=false, and container with privileged=true, create container failed",
+			privilegedPod:       false,
+			privilegedContainer: true,
+			expectedErr:         "failed to generate spec opts: no privileged container allowed in sandbox",
+		},
+	}
+	for _, test := range testcases {
+		t.Run(test.name, func(t *testing.T) {
+			EnsureImageExists(t, testImage)
+			sb, sbConfig := PodSandboxConfigWithCleanup(
+				t,
+				"sandbox",
+				"sysfs-stats-with-privileged",
+				WithPodSecurityContext(test.privilegedPod),
+			)
+			cnConfig := ContainerConfig(
+				"container",
+				testImage,
+				WithCommand("sh", "-c", "top"),
+				WithSecurityContext(test.privilegedContainer),
+			)
+			cn, err := runtimeService.CreateContainer(sb, cnConfig, sbConfig)
+			if test.expectedErr != "" && err != nil {
+				assert.Contains(t, err.Error(), test.expectedErr)
+				return
+			}
+			assert.NoError(t, err)
+			defer func() {
+				if test.expectedErr == "" {
+					assert.NoError(t, runtimeService.RemoveContainer(cn))
+				}
+			}()
+
+			t.Log("Start the container")
+			require.NoError(t, runtimeService.StartContainer(cn))
+			defer func() {
+				assert.NoError(t, runtimeService.StopContainer(cn, 10))
+			}()
+
+			t.Logf("Execute cmd in container by sync")
+			mountinfo, _, err := runtimeService.ExecSync(cn, []string{
+				"sh",
+				"-c",
+				"mount |grep sysfs",
+			}, 10)
+			assert.NoError(t, err)
+			assert.Contains(t, string(mountinfo), test.expectedSysfsOption)
+		})
+	}
+}