From 668959408dd8dd0b20b1ece15fdb5d969c8ed58a Mon Sep 17 00:00:00 2001 From: Ryan Savino Date: Mon, 3 Jun 2024 01:13:54 -0500 Subject: [PATCH 1/8] tests: ensure kata_deploy cleanup even if namespace deletion fails the test cluster namespace deletion failing causes kata_deploy to not get cleaned up. Signed-Off-By: Ryan Savino --- tests/integration/kubernetes/gha-run.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/integration/kubernetes/gha-run.sh b/tests/integration/kubernetes/gha-run.sh index 4f9d8cea76..0d631c1dca 100755 --- a/tests/integration/kubernetes/gha-run.sh +++ b/tests/integration/kubernetes/gha-run.sh @@ -464,7 +464,7 @@ function cleanup() { fi # Switch back to the default namespace and delete the tests one - delete_test_cluster_namespace + delete_test_cluster_namespace || true cleanup_kata_deploy } From 6db08ed6204324a619d6fe14e57bd63fdc9b4328 Mon Sep 17 00:00:00 2001 From: Ryan Savino Date: Wed, 29 May 2024 17:04:01 -0500 Subject: [PATCH 2/8] runtime: sev: snp: Use shared_fs=none Disabling 9p for SEV and SNP TEEs. Signed-Off-By: Ryan Savino --- src/runtime/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/runtime/Makefile b/src/runtime/Makefile index 3b6f792001..c67da6ba4b 100644 --- a/src/runtime/Makefile +++ b/src/runtime/Makefile @@ -249,8 +249,8 @@ DEFSHAREDFS_QEMU_VIRTIOFS := virtio-fs DEFSHAREDFS_QEMU_COCO_DEV_VIRTIOFS := virtio-9p DEFSHAREDFS_STRATOVIRT_VIRTIOFS := virtio-fs DEFSHAREDFS_QEMU_TDX_VIRTIOFS := none -DEFSHAREDFS_QEMU_SEV_VIRTIOFS := virtio-9p -DEFSHAREDFS_QEMU_SNP_VIRTIOFS := virtio-9p +DEFSHAREDFS_QEMU_SEV_VIRTIOFS := none +DEFSHAREDFS_QEMU_SNP_VIRTIOFS := none DEFVIRTIOFSDAEMON := $(LIBEXECDIR)/virtiofsd DEFVALIDVIRTIOFSDAEMONPATHS := [\"$(DEFVIRTIOFSDAEMON)\"] # Default DAX mapping cache size in MiB From 6c646dc96dbc1c5054d94c979131929384e7b7eb Mon Sep 17 00:00:00 2001 
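Review bot: `delete_test_cluster_namespace || true` in `cleanup()` discards the failure without a trace, so a test namespace left behind on the cluster never shows up in the job log. The best-effort behaviour can stay while still reporting it, for example `delete_test_cluster_namespace || echo "WARNING: test namespace deletion failed; continuing with kata-deploy cleanup" >&2`. On a reused cluster a leaked namespace keeps whatever the tests created in it alive, so the warning is worth the one line. The body of `cleanup()` starts outside this hunk.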
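Review bot: The switch of `DEFSHAREDFS_QEMU_SEV_VIRTIOFS` and `DEFSHAREDFS_QEMU_SNP_VIRTIOFS` to `none` carries no comment saying why, and the `_VIRTIOFS` suffix no longer describes the value. If the reason is that a confidential guest should not share a filesystem with the host, a line above the TDX/SEV/SNP entries such as `# Confidential guests (TDX, SEV, SNP): no host-shared filesystem` would keep a later edit from restoring `virtio-9p`. `DEFSHAREDFS_QEMU_COCO_DEV_VIRTIOFS` in the context lines still uses `virtio-9p`; presumably that is intentional for the development configuration, and the same comment could say so.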
From: Ryan Savino Date: Wed, 29 May 2024 18:43:07 -0500 Subject: [PATCH 3/8] tests: k8s: sev: snp: add runtime annotation for sev and snp sev and snp cases added to the KATA_HYPERVISOR switch. Signed-off-by: Ryan Savino --- tests/integration/kubernetes/setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) mode change 100755 => 100644 tests/integration/kubernetes/setup.sh diff --git a/tests/integration/kubernetes/setup.sh b/tests/integration/kubernetes/setup.sh old mode 100755 new mode 100644 index 49ea3636b2..cd7ba0d30f --- a/tests/integration/kubernetes/setup.sh +++ b/tests/integration/kubernetes/setup.sh @@ -113,7 +113,7 @@ add_runtime_handler_annotations() { fi case "${KATA_HYPERVISOR}" in - qemu-tdx|qemu-coco-dev) + qemu-coco-dev | qemu-sev | qemu-snp | qemu-tdx) info "Add runtime handler annotations for ${KATA_HYPERVISOR}" local handler_value="kata-${KATA_HYPERVISOR}" for K8S_TEST_YAML in runtimeclass_workloads_work/*.yaml From 1820b02993e292cfba6155ab6dedf3cbe3156d03 Mon Sep 17 00:00:00 2001 From: ChengyuZhu6 Date: Thu, 23 May 2024 11:31:34 +0800 Subject: [PATCH 4/8] tests: replace busybox from docker with quay in guest pull To prevent download failures caused by high traffic to the Docker image, opt for quay.io/prometheus/busybox:latest over docker.io/library/busybox:latest . Signed-off-by: ChengyuZhu6 --- .../kubernetes/runtimeclass_workloads/pod-file-volume.yaml | 2 +- .../kubernetes/runtimeclass_workloads/pod-readonly-volume.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/integration/kubernetes/runtimeclass_workloads/pod-file-volume.yaml b/tests/integration/kubernetes/runtimeclass_workloads/pod-file-volume.yaml index e7a194f42a..3c3b281b28 100644 --- a/tests/integration/kubernetes/runtimeclass_workloads/pod-file-volume.yaml +++ b/tests/integration/kubernetes/runtimeclass_workloads/pod-file-volume.yaml 
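Review bot: The file header for `tests/integration/kubernetes/setup.sh` records `old mode 100755` / `new mode 100644`, which the commit message does not mention and which looks accidental. Any caller that executes the script directly, rather than through `bash setup.sh` or `source`, would then fail with a permission error; the callers are not visible here, so this needs checking. If the change is unintended, `git update-index --chmod=+x tests/integration/kubernetes/setup.sh` restores the bit. The new `case` arm in `add_runtime_handler_annotations()` reads fine; the function continues outside the hunk.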
@@ -19,7 +19,7 @@ spec: type: File containers: - name: busybox-file-volume-container - image: busybox + image: quay.io/prometheus/busybox:latest volumeMounts: - name: shared-file mountPath: MOUNT_PATH diff --git a/tests/integration/kubernetes/runtimeclass_workloads/pod-readonly-volume.yaml b/tests/integration/kubernetes/runtimeclass_workloads/pod-readonly-volume.yaml index 8835bae999..a6e129aae9 100644 --- a/tests/integration/kubernetes/runtimeclass_workloads/pod-readonly-volume.yaml +++ b/tests/integration/kubernetes/runtimeclass_workloads/pod-readonly-volume.yaml @@ -18,7 +18,7 @@ spec: type: Directory containers: - name: busybox-ro-volume-container - image: busybox + image: quay.io/prometheus/busybox:latest volumeMounts: - name: shared-data mountPath: /tmp From 62cc1dec4caee397ecce18ad7167ffde70f440e0 Mon Sep 17 00:00:00 2001 From: Ryan Savino Date: Sat, 1 Jun 2024 03:18:32 -0500 Subject: [PATCH 5/8] tests: replace docker debug alpine image with ghcr docker alpine latest image is rate limited. Need to use ghcr.io image. Signed-Off-By: Ryan Savino --- tests/integration/kubernetes/tests_common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/integration/kubernetes/tests_common.sh b/tests/integration/kubernetes/tests_common.sh index b82a15a829..0e7e7102fb 100644 --- a/tests/integration/kubernetes/tests_common.sh +++ b/tests/integration/kubernetes/tests_common.sh @@ -103,7 +103,7 @@ exec_host() { # [bats-exec-test:38] INFO: k8s configured to use runtimeclass # bash: line 1: $'\r': command not found # ``` - output="$(kubectl debug -qit "node/${node}" --image=alpine:latest -- chroot /host bash -c "${command}" | tr -d '\r')" + output="$(kubectl debug -qit "node/${node}" --image=ghcr.io/linuxcontainers/alpine:latest -- chroot /host bash -c "${command}" | tr -d '\r')" # Get the updated list of debugger pods. declare -a new_debugger_pods=( $(kubectl get pods -o name | grep node-debugger) ) 
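Review bot: `image: quay.io/prometheus/busybox:latest` replaces one mutable reference with another: `:latest` can be repointed at any time, and the image now comes from a different publisher's namespace than the original `busybox`. Pinning by digest, `image: quay.io/prometheus/busybox@sha256:<digest>` (placeholder; take the value from the registry), makes test runs reproducible and means a retagged image cannot silently change what runs in the guest. The same line appears in the `pod-readonly-volume.yaml` hunk that follows.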
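Review bot: The image named in `--image=ghcr.io/linuxcontainers/alpine:latest` supplies the `chroot` binary that runs in a node debug pod with the host filesystem at `/host`, so an unpinned `:latest` tag here means unreviewed image content runs with node-level access. Pin it by digest, `--image=ghcr.io/linuxcontainers/alpine@sha256:<digest>` (placeholder), or mirror the image into a registry the project controls. Hoisting the reference into a variable would also keep the image choice in one place. `exec_host()` begins outside this hunk.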
From 35dfb730ce568fbee447d58e72f12d6d164a22c2 Mon Sep 17 00:00:00 2001 From: Ryan Savino Date: Fri, 31 May 2024 23:56:45 -0500 Subject: [PATCH 6/8] tests: k8s: sev: snp: skip "kill all processes in container" test This test fails when using `shared_fs=none` with the nydus napshotter, Issue tracked here: #9664 Skipping for now. Signed-Off-By: Ryan Savino --- .../kubernetes/k8s-kill-all-process-in-container.bats | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tests/integration/kubernetes/k8s-kill-all-process-in-container.bats b/tests/integration/kubernetes/k8s-kill-all-process-in-container.bats index ab60a5897a..794a4aa449 100644 --- a/tests/integration/kubernetes/k8s-kill-all-process-in-container.bats +++ b/tests/integration/kubernetes/k8s-kill-all-process-in-container.bats @@ -9,7 +9,8 @@ load "${BATS_TEST_DIRNAME}/../../common.bash" load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { - [[ "${KATA_HYPERVISOR}" = "qemu-tdx" || "${KATA_HYPERVISOR}" = "qemu-coco-dev" ]] && \ + [[ "${KATA_HYPERVISOR}" = "qemu-tdx" || "${KATA_HYPERVISOR}" = "qemu-coco-dev" || \ + "${KATA_HYPERVISOR}" = "qemu-sev" || "${KATA_HYPERVISOR}" = "qemu-snp" ]] && \ skip "See: https://github.com/kata-containers/kata-containers/issues/9664" pod_name="busybox" @@ -42,7 +43,8 @@ setup() { } teardown() { - [[ "${KATA_HYPERVISOR}" = "qemu-tdx" || "${KATA_HYPERVISOR}" = "qemu-coco-dev" ]] && \ + [[ "${KATA_HYPERVISOR}" = "qemu-tdx" || "${KATA_HYPERVISOR}" = "qemu-coco-dev" || \ + "${KATA_HYPERVISOR}" = "qemu-sev" || "${KATA_HYPERVISOR}" = "qemu-snp" ]] && \ skip "See: https://github.com/kata-containers/kata-containers/issues/9664" # Debugging information From 3f3be54893be71297d222252d349ff41db11c750 Mon Sep 17 00:00:00 2001 
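Review bot: The four-way `KATA_HYPERVISOR` test is now copied verbatim into `setup()` and `teardown()` here and into the `k8s-shared-volume.bats` and `k8s-sysctls.bats` hunks later in the series, so the next hypervisor added has to be edited in five places. A `case` reads better than the chained `||`: `case "${KATA_HYPERVISOR}" in qemu-tdx|qemu-coco-dev|qemu-sev|qemu-snp) skip "See: https://github.com/kata-containers/kata-containers/issues/9664" ;; esac`. Better still would be one helper in `tests_common.sh` that returns success for these values, leaving each file only its own issue link. Because these skips remove coverage for the SEV and SNP configurations, a single list also makes it easier to see what to re-enable once #9664, #9666 and #9668 are closed.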
From: Ryan Savino Date: Sat, 1 Jun 2024 00:06:16 -0500 Subject: [PATCH 7/8] tests: k8s: sev: snp: skip initContainers shared vol test This test is failing due to the initContainers not being properly handled with the guest image pulling. Issue tracked here: #9668 Skipping for now. Signed-Off-By: Ryan Savino --- tests/integration/kubernetes/k8s-shared-volume.bats | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/integration/kubernetes/k8s-shared-volume.bats b/tests/integration/kubernetes/k8s-shared-volume.bats index 63d8a1a9c8..f81eaf8449 100644 --- a/tests/integration/kubernetes/k8s-shared-volume.bats +++ b/tests/integration/kubernetes/k8s-shared-volume.bats @@ -42,7 +42,8 @@ setup() { } @test "initContainer with shared volume" { - [[ "${KATA_HYPERVISOR}" = "qemu-tdx" || "${KATA_HYPERVISOR}" = "qemu-coco-dev" ]] && \ + [[ "${KATA_HYPERVISOR}" = "qemu-tdx" || "${KATA_HYPERVISOR}" = "qemu-coco-dev" || \ + "${KATA_HYPERVISOR}" = "qemu-sev" || "${KATA_HYPERVISOR}" = "qemu-snp" ]] && \ skip "See: https://github.com/kata-containers/kata-containers/issues/9668" pod_name="initcontainer-shared-volume" From 72dc8230599016f46255d32f920f41c2a2298e3d Mon Sep 17 00:00:00 2001 From: Ryan Savino Date: Sat, 1 Jun 2024 00:00:07 -0500 Subject: [PATCH 8/8] tests: k8s: sev: snp: skip "setting sysctl" test This test fails when using `shared_fs=none` with the nydus snapshotter. Issue tracked here: #9666 Skipping for now. Signed-Off-By: Ryan Savino --- tests/integration/kubernetes/k8s-sysctls.bats | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tests/integration/kubernetes/k8s-sysctls.bats b/tests/integration/kubernetes/k8s-sysctls.bats index ab2eca1e9b..8987792e8d 100644 --- a/tests/integration/kubernetes/k8s-sysctls.bats +++ b/tests/integration/kubernetes/k8s-sysctls.bats 
@@ -9,7 +9,8 @@ load "${BATS_TEST_DIRNAME}/../../common.bash" load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { - [[ "${KATA_HYPERVISOR}" = "qemu-tdx" || "${KATA_HYPERVISOR}" = "qemu-coco-dev" ]] && \ + [[ "${KATA_HYPERVISOR}" = "qemu-tdx" || "${KATA_HYPERVISOR}" = "qemu-coco-dev" || \ + "${KATA_HYPERVISOR}" = "qemu-sev" || "${KATA_HYPERVISOR}" = "qemu-snp" ]] && \ skip "See: https://github.com/kata-containers/kata-containers/issues/9666" pod_name="sysctl-test" @@ -33,7 +34,8 @@ setup() { } teardown() { - [[ "${KATA_HYPERVISOR}" = "qemu-tdx" || "${KATA_HYPERVISOR}" = "qemu-coco-dev" ]] && \ + [[ "${KATA_HYPERVISOR}" = "qemu-tdx" || "${KATA_HYPERVISOR}" = "qemu-coco-dev" || \ + "${KATA_HYPERVISOR}" = "qemu-sev" || "${KATA_HYPERVISOR}" = "qemu-snp" ]] && \ skip "See: https://github.com/kata-containers/kata-containers/issues/9666" # Debugging information