From fd340ac91cfd29a74a2f5ff442755c244cb7f43f Mon Sep 17 00:00:00 2001
From: Manuel Huber
Date: Fri, 6 Feb 2026 11:51:41 -0800
Subject: [PATCH] tests: remove skips for some guest-pull scenarios

Issue 10838 is resolved by the prior commit, enabling the -m option of the kernel build for confidential guests which are not users of the measured rootfs, and by commit 976df22119b1f26866b308658432c252f313f80c, which ensures relevant user space packages are present. Not every confidential guest has the measured rootfs option enabled. Every confidential guest is assumed to support CDH's secure storage features, in contrast. We also adjust test timeouts to account for occasional spikes on our bare metal runners (e.g., SNP, TDX, s390x).

Signed-off-by: Manuel Huber
---
 .../kubernetes/k8s-guest-pull-image.bats | 42 ++++++++-----------
 1 file changed, 18 insertions(+), 24 deletions(-)

diff --git a/tests/integration/kubernetes/k8s-guest-pull-image.bats b/tests/integration/kubernetes/k8s-guest-pull-image.bats
index e878c7d19e..abe4075c9f 100644
--- a/tests/integration/kubernetes/k8s-guest-pull-image.bats
+++ b/tests/integration/kubernetes/k8s-guest-pull-image.bats
@@ -92,9 +92,6 @@ setup() {
 }
 @test "Test we can pull an image inside the guest using trusted storage" {
- [ "$(uname -m)" == "s390x" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/10838"
- [ "${KATA_HYPERVISOR}" == "qemu-snp" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/10838"
- [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/10838"
 # The image pulled in the guest will be downloaded and unpacked in the `/run/kata-containers/image` directory.
 # The tests will use `cryptsetup` to encrypt a block device and mount it at `/run/kata-containers/image`.
@@ -112,14 +109,18 @@ setup() {
 pod_config=$(mktemp "${BATS_FILE_TMPDIR}/$(basename "${pod_config_template}").XXX")
 IMAGE="$image_pulled_time_less_than_default_time" NODE_NAME="$node" envsubst < "$pod_config_template" > "$pod_config"
-
- # Set CreateContainerRequest timeout for qemu-coco-dev
- if [[ "${KATA_HYPERVISOR}" == qemu-coco-dev* ]]; then
- create_container_timeout=300
- set_metadata_annotation "$pod_config" \
- "io.katacontainers.config.runtime.create_container_timeout" \
- "${create_container_timeout}"
+ # Set CreateContainerRequest timeout in the annotation to allow for enough time for guest-pull where
+ # the container remains in 'creating' state until the pull completes. Usually pulling this and the large image in
+ # below test takes 30-60 seconds, but we occasionally observe spikes on all our bare-metal runners.
+ create_container_timeout=300
+ # On AKS, so far, these spikes have not been observed. Issue 10299, as referenced in other parts of this test, tells us
+ # that we cannot modify the runtimeRequestTimeout on AKS. We hence set the timeout to the 120s default value.
+ if [[ "${KATA_HYPERVISOR}" == qemu-coco-dev* ]] && [ "${KBS_INGRESS}" = "aks" ]; then
+ create_container_timeout=120
 fi
+ set_metadata_annotation "$pod_config" \
+ "io.katacontainers.config.runtime.create_container_timeout" \
+ "${create_container_timeout}"
 # Set annotation to pull image in guest
 set_metadata_annotation "${pod_config}" \
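Review bot: The AKS special case `[[ "${KATA_HYPERVISOR}" == qemu-coco-dev* ]] && [ "${KBS_INGRESS}" = "aks" ]` is written out here for `create_container_timeout` and again for `wait_time` in the hunk at -131, so the annotation timeout and the pod wait stay equal only while both copies are edited together. Because `wait_time` takes the same value as the annotation in every branch, the later block could be reduced to `local wait_time="${create_container_timeout}"`, and the same applies to `local wait_time=600` in the hunk at -224. The added comment says "On AKS" while the condition also requires a `qemu-coco-dev*` hypervisor, so any other hypervisor with `KBS_INGRESS=aks` would keep 300; if that is intended the comment should say so. `create_container_timeout` is also assigned without `local`, unlike `wait_time`. The test body starts before and ends after this hunk.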
@@ -131,16 +132,14 @@ setup() {
 cat $pod_config
 add_allow_all_policy_to_yaml "$pod_config"
- local wait_time=120
- [[ "${KATA_HYPERVISOR}" == qemu-coco-dev* ]] && wait_time=300
+ local wait_time=300
+ if [[ "${KATA_HYPERVISOR}" == qemu-coco-dev* ]] && [ "${KBS_INGRESS}" = "aks" ]; then
+ wait_time=120
+ fi
 k8s_create_pod "$pod_config" "$wait_time"
 }
 @test "Test we cannot pull a large image that pull time exceeds createcontainer timeout inside the guest" {
- [ "$(uname -m)" == "s390x" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/10838"
- [ "${KATA_HYPERVISOR}" == "qemu-snp" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/10838"
- [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/10838"
-
 storage_config=$(mktemp "${BATS_FILE_TMPDIR}/$(basename "${storage_config_template}").XXX")
 local_device=$(create_loop_device)
 LOCAL_DEVICE="$local_device" NODE_NAME="$node" envsubst < "$storage_config_template" > "$storage_config"
@@ -186,10 +185,6 @@ setup() {
 }
 @test "Test we can pull a large image inside the guest with large createcontainer timeout" {
- [ "$(uname -m)" == "s390x" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/10838"
- [ "${KATA_HYPERVISOR}" == "qemu-snp" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/10838"
- [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/10838"
-
 if [[ "${KATA_HYPERVISOR}" == qemu-coco-dev* ]] && [ "${KBS_INGRESS}" = "aks" ]; then
 skip "skip this specific one due to issue https://github.com/kata-containers/kata-containers/issues/10299"
 fi
@@ -208,8 +203,8 @@ setup() {
 IMAGE="$large_image" NODE_NAME="$node" envsubst < "$pod_config_template" > "$pod_config"
 # Set CreateContainerRequest timeout in the annotation to pull large image in guest
- create_container_timeout=120
- [[ "${KATA_HYPERVISOR}" == qemu-coco-dev* ]] && create_container_timeout=600
+ # Bare-metal CI runners' kubelets are configured with an equivalent runtimeRequestTimeout of 600s
+ create_container_timeout=600
 set_metadata_annotation "$pod_config" \
 "io.katacontainers.config.runtime.create_container_timeout" \
 "${create_container_timeout}"
@@ -224,8 +219,7 @@ setup() {
 cat $pod_config
 add_allow_all_policy_to_yaml "$pod_config"
- local wait_time=120
- [[ "${KATA_HYPERVISOR}" == qemu-coco-dev* ]] && wait_time=600
+ local wait_time=600
 k8s_create_pod "$pod_config" "$wait_time"
 }
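Review bot: `create_container_timeout=600` in the hunk at -208 is now unconditional, so this test can pass only where the kubelet's runtimeRequestTimeout is at least 600s; the added comment asserts that for bare-metal runners but does not say where it is configured or what holds for any other environment. The only guard visible in this patch is the existing skip for `qemu-coco-dev*` with `KBS_INGRESS=aks` (context of the hunk at -186). On a kubelet left at the 120s default that the first test's comment mentions, the request would presumably be cut off before the annotation value matters, and the failure would look like a guest-pull regression on the newly enabled SNP/TDX/s390x runs. I would extend the comment to name the source of the setting, for example `# Requires kubelet runtimeRequestTimeout >= 600s (set in <runner provisioning script>); AKS is skipped above, see issue 10299`. The test body starts and ends outside this hunk.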