@@ -40,6 +40,25 @@ import (
4040 servertesting "github.com/kubernetes-incubator/cri-containerd/pkg/server/testing"
4141)
4242
43+ func checkMount (t * testing.T , mounts []runtimespec.Mount , src , dest , typ string ,
44+ contains , notcontains []string ) {
45+ found := false
46+ for _ , m := range mounts {
47+ if m .Source == src && m .Destination == dest {
48+ assert .Equal (t , m .Type , typ )
49+ for _ , c := range contains {
50+ assert .Contains (t , m .Options , c )
51+ }
52+ for _ , n := range notcontains {
53+ assert .NotContains (t , m .Options , n )
54+ }
55+ found = true
56+ break
57+ }
58+ }
59+ assert .True (t , found , "mount from %q to %q not found" , src , dest )
60+ }
61+
4362func getStartContainerTestData () (* runtime.ContainerConfig , * runtime.PodSandboxConfig ,
4463 * imagespec.ImageConfig , func (* testing.T , string , uint32 , * runtimespec.Spec )) {
4564 config := & runtime.ContainerConfig {
@@ -107,22 +126,12 @@ func getStartContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandboxC
107126 assert .Equal (t , "test-cwd" , spec .Process .Cwd )
108127 assert .Contains (t , spec .Process .Env , "k1=v1" , "k2=v2" , "ik1=iv1" , "ik2=iv2" )
109128
129+ t .Logf ("Check cgroups bind mount" )
130+ checkMount (t , spec .Mounts , "cgroup" , "/sys/fs/cgroup" , "cgroup" , []string {"ro" }, nil )
131+
110132 t .Logf ("Check bind mount" )
111- found1 , found2 := false , false
112- for _ , m := range spec .Mounts {
113- if m .Source == "host-path-1" {
114- assert .Equal (t , m .Destination , "container-path-1" )
115- assert .Contains (t , m .Options , "rw" )
116- found1 = true
117- }
118- if m .Source == "host-path-2" {
119- assert .Equal (t , m .Destination , "container-path-2" )
120- assert .Contains (t , m .Options , "ro" )
121- found2 = true
122- }
123- }
124- assert .True (t , found1 )
125- assert .True (t , found2 )
133+ checkMount (t , spec .Mounts , "host-path-1" , "container-path-1" , "bind" , []string {"rw" }, nil )
134+ checkMount (t , spec .Mounts , "host-path-2" , "container-path-2" , "bind" , []string {"ro" }, nil )
126135
127136 t .Logf ("Check resource limits" )
128137 assert .EqualValues (t , * spec .Linux .Resources .CPU .Period , 100 )
@@ -389,6 +398,47 @@ func TestGenerateContainerMounts(t *testing.T) {
389398 }
390399}
391400
401+ func TestPrivilegedBindMount (t * testing.T ) {
402+ for desc , test := range map [string ]struct {
403+ privileged bool
404+ readonlyRootFS bool
405+ expectedSysFSRO bool
406+ expectedCgroupFSRO bool
407+ }{
408+ "sysfs and cgroupfs should mount as 'ro' by default" : {
409+ expectedSysFSRO : true ,
410+ expectedCgroupFSRO : true ,
411+ },
412+ "sysfs and cgroupfs should not mount as 'ro' if privileged" : {
413+ privileged : true ,
414+ expectedSysFSRO : false ,
415+ expectedCgroupFSRO : false ,
416+ },
417+ "sysfs should mount as 'ro' if root filrsystem is readonly" : {
418+ privileged : true ,
419+ readonlyRootFS : true ,
420+ expectedSysFSRO : true ,
421+ expectedCgroupFSRO : false ,
422+ },
423+ } {
424+ t .Logf ("TestCase %q" , desc )
425+ g := generate .New ()
426+ g .SetRootReadonly (test .readonlyRootFS )
427+ addOCIBindMounts (& g , nil , test .privileged )
428+ spec := g .Spec ()
429+ if test .expectedSysFSRO {
430+ checkMount (t , spec .Mounts , "sysfs" , "/sys" , "sysfs" , []string {"ro" }, nil )
431+ } else {
432+ checkMount (t , spec .Mounts , "sysfs" , "/sys" , "sysfs" , nil , []string {"ro" })
433+ }
434+ if test .expectedCgroupFSRO {
435+ checkMount (t , spec .Mounts , "cgroup" , "/sys/fs/cgroup" , "cgroup" , []string {"ro" }, nil )
436+ } else {
437+ checkMount (t , spec .Mounts , "cgroup" , "/sys/fs/cgroup" , "cgroup" , nil , []string {"ro" })
438+ }
439+ }
440+ }
441+
392442func TestStartContainer (t * testing.T ) {
393443 testID := "test-id"
394444 testSandboxID := "test-sandbox-id"
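Review bot: In checkMount (first hunk) `assert.Equal(t, m.Type, typ)` passes the actual mount type as testify's `expected` argument, so a type mismatch is reported with the two values swapped; it should read `assert.Equal(t, typ, m.Type)`. The helper also stops at the first mount whose source and destination match, so if the spec generator ever carried a second mount for the same destination (inferred, not visible here) its options would go unchecked — a short comment on the helper such as `// Only the first mount matching src/dest is verified.` would make that limit explicit, or the loop could assert the match is unique. In the third hunk, the name of the case that sets both `privileged` and `readonlyRootFS` has a typo and omits the privileged part, which is the point of the case; `"sysfs should mount as 'ro' if root filesystem is readonly, even if privileged"` describes what the expectations assert. getStartContainerTestData, which the second hunk edits, starts and ends outside that hunk.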