
test:cri: Add guest AppArmor support
Add a test case which checks whether AppArmor inside the guest
works properly when using containerd.

The test creates a container configured to apply the `kata-default`
profile, then it checks the container process is running with the
profile enforced.

Fixes: #5748
Depends-on: github.com/kata-containers/kata-containers#7587

Signed-off-by: Manabu Sugimoto <[email protected]>
ManaSugi committed Aug 18, 2023
1 parent de2c828 commit f0a69ec
Showing 1 changed file with 77 additions and 0 deletions.
77 changes: 77 additions & 0 deletions integration/containerd/cri/integration-tests.sh
@@ -431,6 +431,81 @@ EOF
create_containerd_config "${containerd_runtime_test}"
}

build_install_apparmor_image() {
info "Build and install AppArmor guest image"

local rootfs_builder_dir="${katacontainers_repo_dir}/tools/osbuilder/rootfs-builder"
sudo -E SECCOMP=yes APPARMOR=yes USE_DOCKER=yes sudo -E "${rootfs_builder_dir}"/rootfs.sh ubuntu

local rootfs_dir="${rootfs_builder_dir}/rootfs"
local image_builder_dir="${katacontainers_repo_dir}/tools/osbuilder/image-builder"
sudo -E USE_DOCKER=yes "${image_builder_dir}"/image_builder.sh "${rootfs_dir}"

apparmor_image="/opt/kata/share/kata-containers/kata-containers-apparmor.img"
sudo install -o root -g root -m 0640 -D "${image_builder_dir}/kata-containers.img" "${apparmor_image}"
}

TestContainerGuestApparmor() {
info "Test container guest AppArmor"

build_install_apparmor_image

original_image=$(sudo sed -n 's/^image = \(.*\)/\1/p' ${kata_config})
sudo sed -i "/image =/c image = "\"${apparmor_image}\""" "${kata_config}"
sudo sed -i '/^disable_guest_apparmor/ s/true/false/g' "${kata_config}"
sudo sed -i 's/^#\(debug_console_enabled\).*=.*$/\1 = true/g' "${kata_config}"

local container_yaml="${REPORT_DIR}/container.yaml"
local image="busybox:latest"
cat << EOF > "${container_yaml}"
metadata:
name: busybox-apparmor
image:
image: "$image"
command:
- top
EOF

testContainerStart 1

info "check kata-runtime exec"
aa_status=$(expect -c "
spawn -noecho kata-runtime exec $podid
expect "root@localhost:/#"
send \"aa-status\n\"
expect "root@localhost:/#"
send \"exit\n\"
expect eof
")
echo "aa-status results:"
echo "${aa_status}"
ret=$(echo "$aa_status" | grep "/pause.*kata-default" || true)
[ -n "$ret" ] || die "not found /pause kata-default profile"
ret=$(echo "$aa_status" | grep "/bin/top.*kata-default" || true)
[ -n "$ret" ] || die "not found /bin/top kata-default profile"
info "check crictl exec"
sudo -E crictl exec $cid sleep 10 &
aa_status=$(expect -c "
spawn -noecho kata-runtime exec $podid
expect "root@localhost:/#"
send \"aa-status\n\"
expect "root@localhost:/#"
send \"exit\n\"
expect eof
")
echo "aa-status results:"
echo "${aa_status}"
ret=$(echo "$aa_status" | grep "/bin/sleep.*kata-default" || true)
[ -n "$ret" ] || die "not found /bin/sleep kata-default profile"
testContainerStop
sudo sed -i '/^disable_guest_apparmor/ s/false/true/g' "${kata_config}"
sudo sed -i "/image =/c image = "\"${original_image}\""" "$kata_config"
}
# k8s may restart docker which will impact on containerd stop
stop_containerd() {
local tmp=$(pgrep kubelet || true)
@@ -509,6 +584,8 @@ main() {
TestContainerMemoryUpdate 0
fi
TestContainerGuestApparmor
TestKilledVmmCleanup
popd
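Review bot: The config edits at the top of TestContainerGuestApparmor are not fully undone: the sed on the `#\(debug_console_enabled\)` line switches the debug console on and nothing switches it back off, and the two restoring seds before the closing brace (`disable_guest_apparmor`, `image =`) only run on the success path, so any of the three `die` calls leaves the runtime configured with the AppArmor image and an enabled debug console for every later test in the run. Rather than reversing each sed by hand, snapshot the file before editing and restore the snapshot on every exit path as sketched below; if the harness already installs an EXIT trap, chain it instead of overwriting it. Two smaller things in the same hunk: the backgrounded `sudo -E crictl exec $cid sleep 10 &` is never waited on and the expect that follows may run before `sleep` is up, so a short poll on aa-status (or a `wait` on the job before `testContainerStop`) would make the `/bin/sleep` check less flaky, and `${kata_config}`, `$podid` and `$cid` are expanded unquoted. The grep patterns accept the profile name anywhere in the aa-status output, so as far as I can tell they would also pass if the profile were loaded in complain mode — if the intent is to assert enforcement, anchoring the check on the enforce-mode section would be stronger.
```shell
TestContainerGuestApparmor() {
	info "Test container guest AppArmor"

	build_install_apparmor_image

	# Snapshot the runtime config so every edit below (image, AppArmor,
	# debug console) is reverted even when die() aborts the test.
	local kata_config_backup="${kata_config}.apparmor-test.bak"
	sudo cp -- "${kata_config}" "${kata_config_backup}"
	# Paths are expanded now, so the trap does not depend on function-local scope.
	trap "sudo mv -- '${kata_config_backup}' '${kata_config}'" EXIT

	# … unchanged: sed edits, container.yaml, testContainerStart, aa-status checks …

	testContainerStop
	sudo mv -- "${kata_config_backup}" "${kata_config}"
	trap - EXIT
}
```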
