This repository was archived by the owner on Mar 9, 2022. It is now read-only.

@Random-Liu Random-Liu commented Jun 11, 2017

This PR:

  1. Mount cgroup into the container, which inherits Docker's behavior.
  2. Add unit test left from Privileged PR. /cc @heartlock

Signed-off-by: Lantao Liu [email protected]

@Random-Liu
Member Author

With another PR I'll send out soon to add ExecSync support, now we could pass the privileged cri validation test:

```
$ critest --runtime-endpoint=/var/run/cri-containerd.sock --focus=Privileged validation
Running Suite: E2ECRI Suite
===========================
Random Seed: 1497146817 - Will randomize all specs
Will run 2 of 36 specs

SSSS
------------------------------
[k8s.io] Security Context runtime should support container with security context 
  runtime should support Privileged is false [security context]
  /home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:344
[BeforeEach] [k8s.io] Security Context
  /home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:50
[BeforeEach] [k8s.io] Security Context
  /home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:49
[It] runtime should support Privileged is false [security context]
  /home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:344
STEP: create pod
STEP: create Privileged podSandbox
STEP: create container for security context Privileged is true
STEP: create Privileged container
STEP: Get image status for image: busybox:1.26
STEP: Create container.
Jun 11 02:06:57.338: INFO: Created container "9a8a67700c05190546c04fe34f8b784e944d68781cf32420cbf7941b2447ff2d"

STEP: start container
STEP: Start container for containerID: 9a8a67700c05190546c04fe34f8b784e944d68781cf32420cbf7941b2447ff2d
Jun 11 02:06:57.470: INFO: Started container "9a8a67700c05190546c04fe34f8b784e944d68781cf32420cbf7941b2447ff2d"

STEP: Get container status for containerID: 9a8a67700c05190546c04fe34f8b784e944d68781cf32420cbf7941b2447ff2d
STEP: check the Privileged container
[AfterEach] runtime should support container with security context
  /home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:235
STEP: stop PodSandbox
STEP: delete PodSandbox
[AfterEach] [k8s.io] Security Context
  /home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:51
•SSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
------------------------------
[k8s.io] Security Context runtime should support container with security context 
  runtime should support Privileged is true [security context]
  /home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:326
[BeforeEach] [k8s.io] Security Context
  /home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:50
[BeforeEach] [k8s.io] Security Context
  /home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:49
[It] runtime should support Privileged is true [security context]
  /home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:326
STEP: create pod
STEP: create Privileged podSandbox
STEP: create container for security context Privileged is true
STEP: create Privileged container
STEP: Get image status for image: busybox:1.26
STEP: Create container.
Jun 11 02:06:57.926: INFO: Created container "27885777a565087ad917b434f885243abf4f8ac9f2cf301fbe1ed0a965700932"

STEP: start container
STEP: Start container for containerID: 27885777a565087ad917b434f885243abf4f8ac9f2cf301fbe1ed0a965700932
Jun 11 02:06:58.046: INFO: Started container "27885777a565087ad917b434f885243abf4f8ac9f2cf301fbe1ed0a965700932"

STEP: Get container status for containerID: 27885777a565087ad917b434f885243abf4f8ac9f2cf301fbe1ed0a965700932
STEP: check the Privileged container
[AfterEach] runtime should support container with security context
  /home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:235
STEP: stop PodSandbox
STEP: delete PodSandbox
[AfterEach] [k8s.io] Security Context
  /home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:51
•
Ran 2 of 36 Specs in 1.036 seconds
SUCCESS! -- 2 Passed | 0 Failed | 0 Pending | 34 Skipped PASS

Ginkgo ran 1 suite in 1.106217989s
Test Suite Passed
```

@Random-Liu Random-Liu added this to the v0.1.0-alpha.1 milestone Jun 11, 2017

@mikebrow mikebrow left a comment

cool.. LGTM

@mikebrow mikebrow added the lgtm label Jun 12, 2017
@Random-Liu Random-Liu merged commit 479e8c3 into containerd:master Jun 12, 2017
@Random-Liu Random-Liu deleted the mount-cgroup branch June 12, 2017 21:14
lanchongyizu pushed a commit to lanchongyizu/cri-containerd that referenced this pull request Sep 3, 2017
Mount cgroup into the container and add unit test for privileged mount.
jieyu added a commit to jieyu/docker-images that referenced this pull request Apr 22, 2020
No need to distinguish between docker and containerd because they have
the same behavior. See the following pull request:
containerd/cri#70

However, we do need to handle the case when the user manually bind mounts
`/sys/fs/cgroup` from the host. This is fairly common. We can
distinguish between these two cases by checking if
`/sys/fs/cgroup/<subsystem>` is the root cgroup (by checking if
`release_agent` file exists or not).
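
The `release_agent` check described in the commit message above, as an added example that is not part of this pull request or the referenced commit. The function name `classify_cgroup_mount` and its output labels are assumptions, and the cgroup v2 branch goes beyond the case the text covers.

```shell
#!/bin/sh
# Added example: classify a cgroup mount by the release_agent test quoted above.
# classify_cgroup_mount and its output labels are hypothetical names.
# Usage: classify_cgroup_mount [DIR]   (DIR defaults to /sys/fs/cgroup)
classify_cgroup_mount() {
    cg_root="${1:-/sys/fs/cgroup}"
    # A unified (cgroup v2) mount has cgroup.controllers at its top level and
    # no release_agent file at all, so the v1 check does not apply to it.
    if [ -e "$cg_root/cgroup.controllers" ]; then
        echo "cgroup2"
        return 0
    fi
    cg_total=0
    cg_rooted=0
    for cg_dir in "$cg_root"/*/; do
        cg_sub="${cg_dir%/}"
        # Skip an unmatched glob and alias symlinks such as cpu -> cpu,cpuacct.
        [ -d "$cg_sub" ] || continue
        [ -L "$cg_sub" ] && continue
        # Only count directories that are cgroups (every cgroup has cgroup.procs).
        [ -e "$cg_sub/cgroup.procs" ] || continue
        cg_total=$((cg_total + 1))
        # In cgroup v1, release_agent exists only in a hierarchy's root cgroup.
        if [ -e "$cg_sub/release_agent" ]; then
            cg_rooted=$((cg_rooted + 1))
        fi
    done
    if [ "$cg_total" -eq 0 ]; then
        echo "none"
    elif [ "$cg_rooted" -eq "$cg_total" ]; then
        echo "root"
    elif [ "$cg_rooted" -eq 0 ]; then
        echo "non-root"
    else
        echo "mixed"
    fi
}

# Report on the path given as the first argument, or the default mount point.
classify_cgroup_mount "${1:-}"
```

A result of `root` means every subsystem directory is the top of its hierarchy, which is what a bind mount of the host's `/sys/fs/cgroup` looks like; `non-root` means none of them is.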
kevpar added a commit to kevpar/cri that referenced this pull request Sep 1, 2020
Support kubernetes.io~empty-dir mounts for WCOW