From efcb187429b7438488f1ea2be83d26cc57da34c1 Mon Sep 17 00:00:00 2001 From: Thomas Hartland Date: Tue, 16 Mar 2021 14:22:34 +0000 Subject: [PATCH] Add unit tests for PID NamespaceMode_TARGET validation Signed-off-by: Thomas Hartland --- pkg/cri/server/helpers_test.go | 93 ++++++++++++++++++++++++++++++++++ 1 file changed, 93 insertions(+) diff --git a/pkg/cri/server/helpers_test.go b/pkg/cri/server/helpers_test.go index 4605ac9b2..7cd9314e1 100644 --- a/pkg/cri/server/helpers_test.go +++ b/pkg/cri/server/helpers_test.go @@ -20,6 +20,7 @@ import ( "context" "io/ioutil" "testing" + "time" "github.com/containerd/containerd/oci" "github.com/containerd/containerd/plugin" @@ -34,6 +35,7 @@ import ( criconfig "github.com/containerd/containerd/pkg/cri/config" "github.com/containerd/containerd/pkg/cri/store" + containerstore "github.com/containerd/containerd/pkg/cri/store/container" imagestore "github.com/containerd/containerd/pkg/cri/store/image" ) @@ -501,3 +503,94 @@ func TestEnsureRemoveAllWithFile(t *testing.T) { t.Fatal(err) } } + +// Helper function for setting up an environment to test PID namespace targeting. +func addContainer(c *criService, containerID, sandboxID string, PID uint32, createdAt, startedAt, finishedAt int64) error { + meta := containerstore.Metadata{ + ID: containerID, + SandboxID: sandboxID, + } + status := containerstore.Status{ + Pid: PID, + CreatedAt: createdAt, + StartedAt: startedAt, + FinishedAt: finishedAt, + } + container, err := containerstore.NewContainer(meta, + containerstore.WithFakeStatus(status), + ) + if err != nil { + return err + } + return c.containerStore.Add(container) +} + +func TestValidateTargetContainer(t *testing.T) { + testSandboxID := "test-sandbox-uid" + + // The existing container that will be targeted. + testTargetContainerID := "test-target-container" + testTargetContainerPID := uint32(4567) + + // A container that has finished running and cannot be targeted. + testStoppedContainerID := "stopped-target-container" + testStoppedContainerPID := uint32(6789) + + // A container from another pod. + testOtherContainerSandboxID := "other-sandbox-uid" + testOtherContainerID := "other-target-container" + testOtherContainerPID := uint32(7890) + + // Container create/start/stop times. + createdAt := time.Now().Add(-15 * time.Second).UnixNano() + startedAt := time.Now().Add(-10 * time.Second).UnixNano() + finishedAt := time.Now().Add(-5 * time.Second).UnixNano() + + c := newTestCRIService() + + // Create a target container. + err := addContainer(c, testTargetContainerID, testSandboxID, testTargetContainerPID, createdAt, startedAt, 0) + require.NoError(t, err, "error creating test target container") + + // Create a stopped container. + err = addContainer(c, testStoppedContainerID, testSandboxID, testStoppedContainerPID, createdAt, startedAt, finishedAt) + require.NoError(t, err, "error creating test stopped container") + + // Create a container in another pod. + err = addContainer(c, testOtherContainerID, testOtherContainerSandboxID, testOtherContainerPID, createdAt, startedAt, 0) + require.NoError(t, err, "error creating test container in other pod") + + for desc, test := range map[string]struct { + targetContainerID string + expectError bool + }{ + "target container in pod": { + targetContainerID: testTargetContainerID, + expectError: false, + }, + "target stopped container in pod": { + targetContainerID: testStoppedContainerID, + expectError: true, + }, + "target container does not exist": { + targetContainerID: "no-container-with-this-id", + expectError: true, + }, + "target container in other pod": { + targetContainerID: testOtherContainerID, + expectError: true, + }, + } { + t.Run(desc, func(t *testing.T) { + targetContainer, err := c.validateTargetContainer(testSandboxID, test.targetContainerID) + if test.expectError { + require.Error(t, err, "target should have been invalid but no error") + return + } + require.NoErrorf(t, err, "target should have been valid but got error") + + assert.Equal(t, test.targetContainerID, targetContainer.ID, "returned target container does not have expected ID") + }) + } + +}