github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-04-28 03:42:09 +00:00
Code Issues Projects Releases Wiki Activity
main
kata-containers/tests/functional/kata-agent-apis/setup_common.sh
Sumedh Alok Sharma 4b7aba5c57 agent-ctl: Add support to test kata-agent's container creation APIs. 
This commit introduces changes to enable testing kata-agent's container
APIs of CreateContainer/StartContainer/RemoveContainer. The changeset
include:
- using confidential-containers image-rs crate to pull/unpack/mount a
container image. Currently supports only un-authenicated registry pull
- re-factor api handlers to reduce cmdline complexity and handle
request generation logic in tool
- introduce an OCI config template for container creation
- add test case

Fixes #9707

Signed-off-by: Sumedh Alok Sharma <sumsharma@microsoft.com>
2024-11-01 22:18:54 +05:30

221 lines
4.7 KiB
Bash
Executable File
Raw Permalink Blame History

#!/bin/bash
# Copyright (c) 2024 Microsoft Corporation
#
# SPDX-License-Identifier: Apache-2.0
set -o errexit
set -o nounset
set -o pipefail
set -o errtrace
# 1. Setup: start kata-agent as an individual process listening on the default port
# 2. Use a bats script to run all tests
# 3. Collect logs if possible (look into this to validate success/failures)
# 4. handle errors/exit in cleanup to remove all mounts, etc.
# The agent process runs locally as a standalone process for now.
agent_binary="/usr/bin/kata-agent"
agent_ctl_path="/opt/kata/bin/kata-agent-ctl"
# Name of socket file used by a local agent.
agent_socket_file="/tmp/kata-agent.socket"
# Kata Agent socket URI.
local_agent_server_addr="unix://@${agent_socket_file}"
# Log file that contains agent ctl output
ctl_log_file="${PWD}/agent-ctl.log"
# Log file that contains agent output.
agent_log_file="${PWD}/kata-agent.log"
agent_log_level="debug"
keep_logs=false
local_policy_file="/opt/kata/test.rego"
cleanup()
{
info "cleaning resources..."
local failure_ret="$?"
stop_agent
sudo rm $local_policy_file
local sandbox_dir="/run/sandbox-ns/"
sudo umount -f "${sandbox_dir}/uts" "${sandbox_dir}/ipc" &>/dev/null || true
sudo rm -rf "${sandbox_dir}" &>/dev/null || true
if [ "$failure_ret" -eq 0 ] && [ "$keep_logs" = 'true' ]
then
info "SUCCESS: Test passed, but leaving logs:"
info ""
info "agent log file : ${agent_log_file}"
info "agent-ctl log file : ${ctl_log_file}"
return 0
fi
if [ $failure_ret -ne 0 ]; then
warn "ERROR: Test failed"
warn ""
warn "Not cleaning up to help debug failure:"
warn ""
info "agent-ctl log file : ${ctl_log_file}"
info "agent log file : ${agent_log_file}"
return 0
fi
sudo rm -f \
"$agent_log_file" \
"$ctl_log_file"
}
run_agent_ctl()
{
local cmds="${1:-}"
[ -n "$cmds" ] || die "need commands for agent control tool"
local redirect=">> ${ctl_log_file} 2>&1"
local server_address="--server-address ${local_agent_server_addr}"
eval \
sudo \
RUST_BACKTRACE=full \
"${agent_ctl_path}" \
-l debug \
connect \
${server_address} \
${cmds} \
${redirect}
}
get_agent_pid()
{
local pids
local name
name=$(basename "$agent_binary")
pids=$(pgrep "$name" || true)
[ -z "$pids" ] && return 0
local count
count=$(echo "$pids"|wc -l)
[ "$count" -gt 1 ] && \
die "too many agent processes running ($count, '$pids')"
echo $pids
}
check_agent_alive()
{
local cmds=()
cmds+=("-c Check")
run_agent_ctl \
"${cmds[@]}"
}
wait_for_agent_to_start()
{
local cmd="check_agent_alive"
local wait_time_secs=20
local sleep_time_secs=1
info "Waiting for agent process to start.."
waitForProcess \
"$wait_time_secs" \
"$sleep_time_secs" \
"$cmd"
info "Kata agent process running."
}
stop_agent() {
info "Stopping agent"
local cmds=()
cmds+=("-c DestroySandbox")
run_agent_ctl \
"${cmds[@]}"
}
start_agent()
{
local log_file="${1:-}"
[ -z "$log_file" ] && die "need agent log file"
local running
running=$(get_agent_pid || true)
[ -n "$running" ] && die "agent already running: '$running'"
eval \
sudo \
RUST_BACKTRACE=full \
KATA_AGENT_LOG_LEVEL=${agent_log_level} \
KATA_AGENT_SERVER_ADDR=${local_agent_server_addr} \
KATA_AGENT_POLICY_FILE=${local_policy_file} \
${agent_binary} \
&> ${log_file} \
&
wait_for_agent_to_start
}
setup_agent() {
info "Starting a single kata agent process."
start_agent $agent_log_file
info "Setup done."
}
# The setup attempts to start kata-agent as standalone process instead of inside a UVM.
# Hence, the contents of the UVM rootfs is not available here.
# Initing Agent policy with a relaxed `allow-all.rego`
install_policy_doc()
{
info "Installing local policy document"
allow_all_rego_file="${repo_root_dir}/src/kata-opa/allow-all.rego"
[ ! -f $allow_all_rego_file ] && die "Failed to locate allow-all.rego file"
sudo cp $allow_all_rego_file $local_policy_file
}
# Same reason as above, we do not have the necessary components to start the coco processes
# in this setup. So removing them before starting kata agent process
try_and_remove_coco_attestation_procs()
{
info "Removing coco attestation process for now"
coco_procs=( "attestation-agent" "confidential-data-hub" "api-server-rest")
local procs_path="/usr/local/bin/"
for i in "${coco_procs[@]}"; do
info "Moving ${i} to /tmp"
[ -f "${procs_path}${i}" ] && sudo mv "${procs_path}${i}" /tmp || true
done
}
deny_single_api_in_policy()
{
info "Setting default deny for single API in policy"
local pol_file=$1
local deny_req=$2
[ ! -f $local_policy_file ] && install_policy_doc
info "Not allowing ${deny_req}"
sudo cp $local_policy_file $pol_file
sed -i "s/\(.*$deny_req.*:= \)\(.*\)/\1false/" $pol_file
}
Reference in New Issue View Git Blame Copy Permalink