# This dockerfile is used to test containerd within a container # # usage: # 1.) docker build -t containerd-test -f Dockerfile.test ../ # 2.) docker run -it --privileged -v /tmp:/tmp --tmpfs /var/lib/containerd-test containerd-test bash # 3.) $ make binaries install test # # Use the RUNC_VERSION build-arg to build with a custom version of runc, for example, # to build runc v1.0.0-rc94, use: # # docker build -t containerd-test --build-arg RUNC_VERSION=v1.0.0-rc94 -f Dockerfile.test ../ # ------------------------------------------------------------------------------ # Public stages: # "integration": for running integration tests: # docker build -t containerd-test -f Dockerfile.test --target integration ../ # docker run --privileged containerd-test # # "cri-integration": for running cri-integration tests: # docker build -t containerd-test -f Dockerfile.test --target cri-integration ../ # docker run --privileged --sysctl net.ipv6.conf.all.disable_ipv6=0 containerd-test # # "critest: for running critest: # docker build -t containerd-test -f Dockerfile.test --target critest ../ # docker run --privileged --sysctl net.ipv6.conf.all.disable_ipv6=0 containerd-test # # "cri-in-userns": for running critest with "CRI-in-UserNS" mode; needs Rootless Docker/Podman/nerdctl: # docker build -t containerd-test -f Dockerfile.test --target cri-in-userns ../ # docker run --privileged containerd-test # ------------------------------------------------------------------------------ ARG GOLANG_VERSION=1.20.4 ARG GOLANG_IMAGE=golang FROM ${GOLANG_IMAGE}:${GOLANG_VERSION} AS golang # Install runc FROM golang AS runc RUN apt-get update && apt-get install -y --no-install-recommends \ libseccomp-dev \ && rm -rf /var/lib/apt/lists/* COPY script/setup/runc-version script/setup/install-runc ./ # Allow overriding the version of runc to install through build-args ARG RUNC_VERSION ARG GOPROXY=direct ARG DESTDIR=/build RUN ./install-runc FROM golang AS build-env RUN apt-get update && apt-get install -y --no-install-recommends \ btrfs-progs \ libseccomp-dev \ xfsprogs \ && rm -rf /var/lib/apt/lists/* RUN mkdir -p /go/src/github.com/containerd/containerd WORKDIR /go/src/github.com/containerd/containerd FROM golang AS cni ENV DESTDIR=/build COPY script/setup/install-cni go.mod / RUN DESTDIR=/build /install-cni FROM golang AS critools ARG DESTDIR=/build COPY script/setup/install-critools script/setup/critools-version ./ RUN GOBIN=$DESTDIR/usr/local/bin ./install-critools # integration stage is for running integration tests. FROM build-env AS integration RUN apt-get update && apt-get install -y --no-install-recommends \ lsof \ && rm -rf /var/lib/apt/lists/* COPY --from=runc /build/ / COPY contrib/Dockerfile.test.d/docker-entrypoint.sh /docker-entrypoint.sh COPY . . RUN make BUILDTAGS="no_btrfs no_devmapper" binaries install VOLUME /tmp # TestMain wants to unlink /var/lib/containerd-test, so the entire /var/lib has to be volumified. VOLUME /var/lib # The entrypoint script is needed for nesting cgroup v2. ENTRYPOINT ["/docker-entrypoint.sh"] CMD ["make", "integration"] # cri-integration stage is for running cri-integration tests. FROM integration AS cri-integration RUN apt-get update && apt-get install -y --no-install-recommends \ sudo iptables \ && rm -rf /var/lib/apt/lists/* COPY --from=cni /build/ / COPY --from=critools /build/ / RUN make BUILDTAGS="no_btrfs no_devmapper" bin/cri-integration.test # install-failpoint-binaries cannot be easily executed in a substage as it does not support custom DESTDIR. RUN ./script/setup/install-failpoint-binaries # The test scripts need these env vars to be explicitly set ENV GITHUB_WORKSPACE="" ENV ENABLE_CRI_SANDBOXES="" ENV CONTAINERD_RUNTIME="io.containerd.runc.v2" CMD ["make", "cri-integration"] # critest stage is for running critest. FROM cri-integration AS critest # critest wants to create mounts under this directory, so it has to be volumified. VOLUME /go/src/github.com/containerd/containerd ENV TEST_RUNTIME="io.containerd.runc.v2" CMD ["script/critest.sh", "/tmp"] # cri-in-userns stage is for testing "CRI-in-UserNS", which should be used in conjunction with # "Kubelet-in-UserNS": https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2033-kubelet-in-userns-aka-rootless # This feature is mostly expected to be used for `kind` and `minikube`. # # Requires Rootless Docker/Podman/nerdctl with cgroup v2 delegation: https://rootlesscontaine.rs/getting-started/common/cgroup2/ # (Rootless Docker/Podman/nerdctl prepares the UserNS, so we do not need to create UserNS by ourselves) FROM critest AS cri-in-userns COPY contrib/Dockerfile.test.d/cri-in-userns/etc_containerd_config.toml /etc/containerd/config.toml COPY contrib/Dockerfile.test.d/cri-in-userns/docker-entrypoint.sh /docker-entrypoint.sh ENTRYPOINT ["/docker-entrypoint.sh"] # Skip "runtime should support unsafe sysctls": `container init caused: write sysctl key fs.mqueue.msg_max: open /proc/sys/fs/mqueue/msg_max: permission denied` # Skip "runtime should support safe sysctls": `container init caused: write sysctl key kernel.shm_rmid_forced: open /proc/sys/kernel/shm_rmid_forced: permission denied` # Skip "should allow privilege escalation when (NoNewPrivis is) false": expected log "Effective uid: 0\n" (stream="stdout") not found in logs [{timestamp:{wall:974487519 ext:63761339984 loc:} stream:stdout log:Effective uid: 1000) }] CMD ["critest", "--ginkgo.skip=should support unsafe sysctls|should support safe sysctls|should allow privilege escalation when false"] # Install proto3 FROM golang AS proto3 ARG DESTDIR=/build RUN apt-get update && apt-get install -y --no-install-recommends \ autoconf \ automake \ g++ \ libtool \ unzip \ && rm -rf /var/lib/apt/lists/* COPY script/setup/install-protobuf install-protobuf RUN ./install-protobuf \ && mkdir -p $DESTDIR/usr/local/bin $DESTDIR/usr/local/include \ && mv /usr/local/bin/protoc $DESTDIR/usr/local/bin/protoc \ && mv /usr/local/include/google $DESTDIR/usr/local/include/google FROM build-env AS dev COPY --from=proto3 /build/ / COPY --from=runc /build/ / COPY . .