mirror of
https://github.com/kata-containers/kata-containers.git
ci: Install policy document on host to run kata-agent as local process.
The test setup starts kata-agent as a local process without the UVM. Agent policy initialization fails because the policy document is missing at `/etc/kata-opa/default-policy.rego`.

The fix:
- installs a relaxed `allow-all.rego` policy document
- cleans up the install during exit

Signed-off-by: Sumedh Alok Sharma <sumsharma@microsoft.com>
parent
822f898433
commit
8045a7a2ba
@ -48,6 +48,8 @@ main()
|
|||||||
|
|
||||||
trap cleanup EXIT
|
trap cleanup EXIT
|
||||||
|
|
||||||
|
install_policy_doc
|
||||||
|
|
||||||
setup_agent
|
setup_agent
|
||||||
|
|
||||||
run_tests
|
run_tests
|
||||||
|
@ -32,6 +32,9 @@ agent_log_file="${PWD}/kata-agent.log"
|
|||||||
agent_log_level="debug"
|
agent_log_level="debug"
|
||||||
keep_logs=false
|
keep_logs=false
|
||||||
|
|
||||||
|
local_policy_file="/opt/kata/test.rego"
|
||||||
|
policy_file="/etc/kata-opa/default-policy.rego"
|
||||||
|
|
||||||
cleanup()
|
cleanup()
|
||||||
{
|
{
|
||||||
info "cleaning resources..."
|
info "cleaning resources..."
|
||||||
@ -40,6 +43,10 @@ cleanup()
|
|||||||
|
|
||||||
stop_agent
|
stop_agent
|
||||||
|
|
||||||
|
sudo unlink $policy_file
|
||||||
|
sudo rm $local_policy_file
|
||||||
|
sudo rm -rf $(dirname ${policy_file})
|
||||||
|
|
||||||
local sandbox_dir="/run/sandbox-ns/"
|
local sandbox_dir="/run/sandbox-ns/"
|
||||||
sudo umount -f "${sandbox_dir}/uts" "${sandbox_dir}/ipc" &>/dev/null || true
|
sudo umount -f "${sandbox_dir}/uts" "${sandbox_dir}/ipc" &>/dev/null || true
|
||||||
sudo rm -rf "${sandbox_dir}" &>/dev/null || true
|
sudo rm -rf "${sandbox_dir}" &>/dev/null || true
|
||||||
@ -173,3 +180,21 @@ setup_agent() {
|
|||||||
|
|
||||||
info "Setup done."
|
info "Setup done."
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# The setup attempts to start kata-agent as standalone process instead of inside a UVM.
|
||||||
|
# Hence, the contents of the UVM rootfs is not available here.
|
||||||
|
# Initing Agent policy with a relaxed `allow-all.rego`
|
||||||
|
install_policy_doc()
|
||||||
|
{
|
||||||
|
info "Installing local policy document"
|
||||||
|
|
||||||
|
allow_all_rego_file="${repo_root_dir}/src/kata-opa/allow-all.rego"
|
||||||
|
[ ! -f $allow_all_rego_file ] && die "Failed to locate allow-all.rego file"
|
||||||
|
|
||||||
|
local policy_dir=$(dirname ${policy_file})
|
||||||
|
[ ! -d $policy_dir ] && sudo mkdir -p $policy_dir || true
|
||||||
|
|
||||||
|
sudo cp $allow_all_rego_file $local_policy_file
|
||||||
|
|
||||||
|
[ ! -f $policy_file ] && sudo ln -s $local_policy_file $policy_file || die "Failed to setup local policy file, exists: $policy_file"
|
||||||
|
}
|
||||||
|
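Review bot: The three removals added to `cleanup()` run unconditionally, so they can delete a policy this script never installed. `trap cleanup EXIT` is set before `install_policy_doc`, so when that function dies because `$policy_file` already exists, the trap (assuming `die` exits the script) unlinks that pre-existing file and runs `rm -rf` on its whole directory. On a host that already carries a real agent policy under `/etc/kata-opa`, this silently removes it. Gate the removal on a flag set after a successful install, use `rmdir` instead of `rm -rf` so only an empty directory is removed, and quote the expansions passed to `sudo`. The existence check should also run before the `cp` and test `-e`/`-L` so a dangling symlink is caught; `cleanup()` begins and ends outside the hunks shown.

```shell
# in cleanup(), replacing the three unconditional removals
if [ "${policy_installed:-false}" = true ]; then
    sudo unlink "${policy_file}" || true
    sudo rm -f "${local_policy_file}" || true
    # rmdir refuses a non-empty directory, so content we did not create survives
    sudo rmdir "$(dirname "${policy_file}")" 2>/dev/null || true
fi
# … unchanged: sandbox_dir unmount and removal …

# in install_policy_doc(), before the cp, replacing the final `[ ! -f … ] && … || die` line
if [ -e "${policy_file}" ] || [ -L "${policy_file}" ]; then
    die "Failed to setup local policy file, exists: $policy_file"
fi
# … unchanged: allow-all.rego lookup and policy_dir creation …
sudo cp "${allow_all_rego_file}" "${local_policy_file}"
sudo ln -s "${local_policy_file}" "${policy_file}"
policy_installed=true
```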