
test:cri: Add guest AppArmor support #5749

3 changes: 3 additions & 0 deletions .ci/install_kata_image.sh
Expand Up @@ -16,6 +16,9 @@ source "${cidir}/lib.sh"
main() {
build_static_artifact_and_install "rootfs-image"
build_static_artifact_and_install "rootfs-initrd"

# Build and install an image for the guest AppArmor
build_install_apparmor_image
}

main
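Review bot: The new `build_install_apparmor_image` call in main() runs unconditionally, so every CI job builds and installs a second Ubuntu rootfs and image even when the job will never use it — the test this PR adds skips itself on initrd-based jobs (the ppc64le case named in integration-tests.sh). Since the only consumer already keys off `TEST_INITRD`, the same knob could gate the build here, e.g. `[ "${TEST_INITRD:-no}" = "yes" ] || build_install_apparmor_image`, which keeps the initrd jobs' runtime unchanged. If other jobs are expected to consume the image later, a short comment saying so next to the call would make the unconditional build intentional rather than accidental.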
19 changes: 19 additions & 0 deletions .ci/lib.sh
Expand Up @@ -17,6 +17,7 @@ fi
export KATA_KSM_THROTTLER=${KATA_KSM_THROTTLER:-no}
export KATA_QEMU_DESTDIR=${KATA_QEMU_DESTDIR:-"/usr"}
export KATA_ETC_CONFIG_PATH="/etc/kata-containers/configuration.toml"
export KATA_APPARMOR_IMAGE="/opt/kata/share/kata-containers/kata-containers-apparmor.img"

export katacontainers_repo=${katacontainers_repo:="github.com/kata-containers/kata-containers"}
export katacontainers_repo_git="https://${katacontainers_repo}.git"
Expand Down Expand Up @@ -180,6 +181,24 @@ function build_static_artifact_and_install() {
popd >/dev/null
}

build_install_apparmor_image() {
USE_DOCKER=${USE_DOCKER:-"true"}

info "Build AppArmor guest image"
local rootfs_builder_dir="${katacontainers_repo_dir}/tools/osbuilder/rootfs-builder"
local rootfs_dir="${rootfs_builder_dir}/rootfs-apparmor"
pushd "$rootfs_builder_dir" >/dev/null
sudo -E AGENT_INIT=no APPARMOR=yes USE_DOCKER="${USE_DOCKER}" ./rootfs.sh -r "${rootfs_dir}" ubuntu
popd >/dev/null

info "Install AppArmor guest image"
local image_builder_dir="${katacontainers_repo_dir}/tools/osbuilder/image-builder"
pushd "${image_builder_dir}" >/dev/null
sudo -E AGENT_INIT=no USE_DOCKER="${USE_DOCKER}" ./image_builder.sh "${rootfs_dir}"
popd >/dev/null
sudo install -o root -g root -m 0640 -D "${image_builder_dir}/kata-containers.img" "${KATA_APPARMOR_IMAGE}"
}

function get_dep_from_yaml_db(){
local versions_file="$1"
local dependency="$2"
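Review bot: `USE_DOCKER=${USE_DOCKER:-"true"}` at the top of build_install_apparmor_image assigns a global from inside the function while every other variable in the function is declared `local`; since both `sudo -E` invocations pass the value explicitly anyway, `local use_docker=${USE_DOCKER:-"true"}` followed by `USE_DOCKER="${use_docker}"` on the two sudo lines keeps the function from mutating the caller's environment. The definition also uses the bare `build_install_apparmor_image() {` form whereas the neighbouring `build_static_artifact_and_install` and `get_dep_from_yaml_db` use the `function name()` form, so one or the other should be picked for consistency. A one-line header comment noting that the function requires `katacontainers_repo_dir` to be set and leaves a root-owned `rootfs-apparmor` directory under the osbuilder checkout (rootfs.sh runs via sudo) would help the next person who runs this locally rather than in CI; both of those are inferred from the calls shown, so worth confirming before documenting.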
75 changes: 74 additions & 1 deletion integration/containerd/cri/integration-tests.sh
Expand Up @@ -18,6 +18,8 @@ source "${SCRIPT_PATH}/../../../.ci/lib.sh"
# runc is installed in /usr/local/sbin/ add that path
export PATH="$PATH:/usr/local/sbin"

TEST_INITRD="${TEST_INITRD:-no}"

containerd_tarball_version=$(get_version "externals.containerd.version")

# Runtime to be used for testing
Expand Down Expand Up @@ -97,7 +99,7 @@ ci_cleanup() {
fi

[ -f "$kata_config_backup" ] && sudo mv "$kata_config_backup" "$kata_config" || \
sudo rm "$kata_config"
sudo rm "$kata_config" || true
}

create_containerd_config() {
Expand Down Expand Up @@ -431,6 +433,75 @@ EOF
create_containerd_config "${containerd_runtime_test}"
}

TestContainerGuestApparmor() {
info "Test container guest AppArmor"

# The ppc64le job uses the initrd image, so the test will be skipped.
if [[ "${TEST_INITRD}" == "yes" ]]; then
info "Skip the test because the guest AppArmor doesn't work with the agent init"
return
fi
if [ ! -e "${KATA_APPARMOR_IMAGE}" ]; then
info "Skip the test becasue the guest AppArmor image doesn't exist"
return
fi

# Set the guest AppArmor rootfs image because the guest AppArmor doesn't work with the agent init.
sudo sed -i "/^image =/c image = "\"${KATA_APPARMOR_IMAGE}\""" "${kata_config}"
# Enable the guest AppArmor.
sudo sed -i '/^disable_guest_apparmor/ s/true/false/g' "${kata_config}"
sudo sed -i 's/^#\(debug_console_enabled\).*=.*$/\1 = true/g' "${kata_config}"

local container_yaml="${REPORT_DIR}/container.yaml"
local image="busybox:latest"
cat << EOF > "${container_yaml}"
metadata:
name: busybox-apparmor
image:
image: "$image"
command:
- top
EOF

info "Check the AppArmor profile is applied to the container executed by crictl start"
testContainerStart 1
aa_status=$(expect -c "
spawn -noecho kata-runtime exec $podid
expect "root@localhost:/#"
send \"aa-status\n\"
expect "root@localhost:/#"
send \"exit\n\"
expect eof
")
echo "aa-status results:"
echo "${aa_status}"
ret=$(echo "$aa_status" | grep "/bin/top.*kata-default" || true)
[ -n "$ret" ] || die "not found /bin/top kata-default profile"

info "Check the AppArmor profile is applied to the process executed by crictl exec"
sudo -E crictl exec $cid sleep 10 &
# sleep for 1s to make sure the exec process started.
sleep 1
aa_status=$(expect -c "
spawn -noecho kata-runtime exec $podid
expect "root@localhost:/#"
send \"aa-status\n\"
expect "root@localhost:/#"
send \"exit\n\"
expect eof
")
echo "aa-status results:"
echo "${aa_status}"
ret=$(echo "$aa_status" | grep "/bin/sleep.*kata-default" || true)
[ -n "$ret" ] || die "not found /bin/sleep kata-default profile"

testContainerStop

# Reset the Kata configuration file.
sudo rm "${kata_config}"
ci_config
}

# k8s may restart docker which will impact on containerd stop
stop_containerd() {
local tmp=$(pgrep kubelet || true)
Expand Down Expand Up @@ -509,6 +580,8 @@ main() {
TestContainerMemoryUpdate 0
fi

TestContainerGuestApparmor

TestKilledVmmCleanup

popd
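Review bot: The sed that swaps the image path in TestContainerGuestApparmor is quoted in a way that leaves `${KATA_APPARMOR_IMAGE}` outside any double quotes — the outer string closes before `\"`, so the expansion is subject to word splitting and globbing and only works because the path happens to contain no spaces; `sudo sed -i "/^image =/c image = \"${KATA_APPARMOR_IMAGE}\"" "${kata_config}"` expresses the same replacement with the expansion quoted. The two `expect -c` blocks that capture `aa-status` are identical and likewise rely on unbalanced inner quotes for the `expect "root@localhost:/#"` lines, so pulling them into a small helper (say `guest_aa_status "$podid"`) that prints the output would halve the test body and make the quoting easy to get right once. The background `sudo -E crictl exec $cid sleep 10 &` is never waited on and `$cid`/`$podid` are unquoted throughout; quoting them and either capturing the PID for a `wait` or relying on testContainerStop to reap it (which I cannot confirm from this hunk) should be made explicit. Minor: the skip message on the image-missing branch misspells "because".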