Runc 1.1 throws a warning when using rel destination paths, and runc 1.2
is planning to thow an error (i.e. won't start the container).
Let's just make this an abs path in the only place it might not be: the
mounts created due to `VOLUME` directives in the Dockerfile.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
The name of the GID 65534 differs across distros.
("nogroup" on Debian derivatives, "nobody" on Red Hat derivatives)
Fix the following test failure:
```
=== RUN TestVolumeOwnership
volume_copy_up_test.go:103: Create a sandbox
main_test.go:667: Pull test image "ghcr.io/containerd/volume-ownership:2.1"
volume_copy_up_test.go:108: Create a container with volume-ownership test image
volume_copy_up_test.go:117: Start the container
volume_copy_up_test.go:125: Check ownership of test directory inside container
volume_copy_up_test.go:146: Check ownership of test directory on the host
volume_copy_up_test.go:153:
Error Trace: /root/go/src/github.com/containerd/containerd/volume_copy_up_test.go:153
Error: Not equal:
expected: "nobody:nogroup\n"
actual : "nobody:nobody\n"
Diff:
--- Expected
+++ Actual
@@ -1,2 +1,2 @@
-nobody:nogroup
+nobody:nobody
Test: TestVolumeOwnership
--- FAIL: TestVolumeOwnership (3.45s)
```
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
This change enables the TestVolumeOwnership on Windows. The test
assumes that the volume-ownership image is built on Windows, thus
ensuring that Windows file security info (ACLs and ownership info)
are attached to the C:\volumes\test_dir path.
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
I noticed we were using some different versions of the same test
images, so changing them to be the same (can help with find/replace
if we need to update them).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The image that the test is used for Windows has busybox included,
which means we can use sleep.
Signed-off-by: Claudiu Belu <cbelu@cloudbasesolutions.com>
Go 1.15.7 contained a security fix for CVE-2021-3115, which allowed arbitrary
code to be executed at build time when using cgo on Windows. This issue also
affects Unix users who have “.” listed explicitly in their PATH and are running
“go get” outside of a module or with module mode disabled.
This issue is not limited to the go command itself, and can also affect binaries
that use `os.Command`, `os.LookPath`, etc.
From the related blogpost (ttps://blog.golang.org/path-security):
> Are your own programs affected?
>
> If you use exec.LookPath or exec.Command in your own programs, you only need to
> be concerned if you (or your users) run your program in a directory with untrusted
> contents. If so, then a subprocess could be started using an executable from dot
> instead of from a system directory. (Again, using an executable from dot happens
> always on Windows and only with uncommon PATH settings on Unix.)
>
> If you are concerned, then we’ve published the more restricted variant of os/exec
> as golang.org/x/sys/execabs. You can use it in your program by simply replacing
This patch replaces all uses of `os/exec` with `golang.org/x/sys/execabs`. While
some uses of `os/exec` should not be problematic (e.g. part of tests), it is
probably good to be consistent, in case code gets moved around.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Most of the tests creating and using Pod Sandboxes in the same way. We can create
a common function that will do that for us, so we can have less duplicated code,
and make it easier to add new tests in the future.
Signed-off-by: Claudiu Belu <cbelu@cloudbasesolutions.com>
Currently, the cri-integration tests do not work on Windows due to various reasons.
One of the reasons is because all the tests are using Linux-specific images.
Previous commits refactored the image pulling / usage in the cri-integration tests,
making it easier to update, and easier to configure a custom registry to pull images
with Windows support.
For Windows runs, custom registries can be created, which will also contain Windows
images, and the cri-integration tests can be configured to use those registries by
specifying the "--repo-list" argument, a YAML file which will contain an alternative
mapping of the default registries. This is similar to how E2E tests are handled for
Windows runs in Kubernetes.
Some of the tests are Skipped, as they do not pass yet on Windows.
Windows does not collect inodes used stats, thus, the tests that were expecting non-zero
inodes stats were failing.
Signed-off-by: Claudiu Belu <cbelu@cloudbasesolutions.com>
Most of the tests are pulling and deleting the same test images, which
can be quite inefficient, especially on Windows nodes, where the images
are larger than the Linux ones (a nanoserver Container image is ~250MB
in size). We can instead pull them only once, and reuse them. This will
reduce the test run time on Windows considerably.
Additionally, some of the test images are currently hosted on dockerhub
(busybox image), which has introduced image ratelimiting in November 2020,
which means that test runners could potentially hit that limit faster with
the current implementation. This will reduce that risk.
Some tests are specifically deleting images, so we always have to ensure
that they are pulled.
Signed-off-by: Claudiu Belu <cbelu@cloudbasesolutions.com>
Currently, the cri-integration tests do not work on Windows due to various reasons.
One of the reasons is because all the tests are using Linux-specific images. This
commit refactors the image pulling / usage in the cri-integration tests, making it
easier to update, and easier to configure the a custom registry to pull those images
from.
For Windows runs, custom registries can be created, which will also contain Windows
images, and the cri-integration tests can be configured to use those registries by
specifying the "--image-list" argument, a TOML file which will contain an alternative
mapping of the default images.
Signed-off-by: Claudiu Belu <cbelu@cloudbasesolutions.com>
