Merge pull request #49914 from yguo0905/shared-pid-ns

Automatic merge from submit-queue (batch tested with PRs 50087, 39587, 50042, 50241, 49914)

Add node e2e test for Docker's shared PID namespace

Ref: https://github.com/kubernetes/kubernetes/issues/42926

This PR adds a simple test for the shared PID namespace that's enabled when Docker is 1.13.1+.

/sig node
/area node-e2e
/assign @yujuhong 

**Release note**:
```
None
```
This commit is contained in:
Kubernetes Submit Queue 2017-08-07 10:59:04 -07:00 committed by GitHub
commit 02d04de81e
7 changed files with 153 additions and 21 deletions

View File

@ -14,6 +14,7 @@ go_library(
"benchmark_util.go",
"container.go",
"doc.go",
"docker_util.go",
"gpus.go",
"image_list.go",
"node_problem_detector_linux.go",
@ -39,6 +40,8 @@ go_library(
"//test/e2e/framework/metrics:go_default_library",
"//test/e2e/perftype:go_default_library",
"//test/e2e_node/perftype:go_default_library",
"//vendor/github.com/blang/semver:go_default_library",
"//vendor/github.com/docker/docker/client:go_default_library",
"//vendor/github.com/golang/glog:go_default_library",
"//vendor/github.com/google/cadvisor/client/v2:go_default_library",
"//vendor/github.com/google/cadvisor/info/v2:go_default_library",
@ -71,6 +74,7 @@ go_test(
"critical_pod_test.go",
"density_test.go",
"disk_eviction_test.go",
"docker_test.go",
"dockershim_checkpoint_test.go",
"dynamic_kubelet_configuration_test.go",
"e2e_node_suite_test.go",
@ -118,7 +122,6 @@ go_test(
"//test/e2e_node/services:go_default_library",
"//test/e2e_node/system:go_default_library",
"//test/utils:go_default_library",
"//vendor/github.com/blang/semver:go_default_library",
"//vendor/github.com/coreos/go-systemd/util:go_default_library",
"//vendor/github.com/davecgh/go-spew/spew:go_default_library",
"//vendor/github.com/golang/glog:go_default_library",

View File

@ -0,0 +1,73 @@
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package e2e_node
import (
"k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/kubernetes/test/e2e/framework"
. "github.com/onsi/ginkgo"
)
var _ = framework.KubeDescribe("Docker features [Feature:Docker]", func() {
f := framework.NewDefaultFramework("docker-feature-test")
BeforeEach(func() {
framework.RunIfContainerRuntimeIs("docker")
})
Context("when shared PID namespace is enabled", func() {
It("processes in different containers of the same pod should be able to see each other", func() {
// TODO(yguo0905): Change this test to run unless the runtime is
// Docker and its version is <1.13.
By("Check whether shared PID namespace is enabled.")
isEnabled, err := isSharedPIDNamespaceEnabled()
framework.ExpectNoError(err)
if !isEnabled {
framework.Skipf("Skipped because shared PID namespace is not enabled.")
}
By("Create a pod with two containers.")
f.PodClient().CreateSync(&v1.Pod{
ObjectMeta: metav1.ObjectMeta{Name: "shared-pid-ns-test-pod"},
Spec: v1.PodSpec{
Containers: []v1.Container{
{
Name: "test-container-1",
Image: "gcr.io/google_containers/busybox:1.24",
Command: []string{"/bin/top"},
},
{
Name: "test-container-2",
Image: "gcr.io/google_containers/busybox:1.24",
Command: []string{"/bin/sleep"},
Args: []string{"10000"},
},
},
},
})
By("Check if the process in one container is visible to the process in the other.")
pid1 := f.ExecCommandInContainer("shared-pid-ns-test-pod", "test-container-1", "/bin/pidof", "top")
pid2 := f.ExecCommandInContainer("shared-pid-ns-test-pod", "test-container-2", "/bin/pidof", "top")
if pid1 != pid2 {
framework.Failf("PIDs are not the same in different containers: test-container-1=%v, test-container-2=%v", pid1, pid2)
}
})
})
})

View File

@ -0,0 +1,62 @@
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package e2e_node
import (
"context"
"fmt"
"github.com/blang/semver"
"github.com/docker/docker/client"
)
const (
defaultDockerEndpoint = "unix:///var/run/docker.sock"
)
// getDockerAPIVersion returns the Docker's API version.
func getDockerAPIVersion() (semver.Version, error) {
c, err := client.NewClient(defaultDockerEndpoint, "", nil, nil)
if err != nil {
return semver.Version{}, fmt.Errorf("failed to create docker client: %v", err)
}
version, err := c.ServerVersion(context.Background())
if err != nil {
return semver.Version{}, fmt.Errorf("failed to get docker info: %v", err)
}
return semver.MustParse(version.APIVersion + ".0"), nil
}
// isSharedPIDNamespaceEnabled returns true if the Docker version is 1.13.1+
// (API version 1.26+), and false otherwise.
func isSharedPIDNamespaceEnabled() (bool, error) {
version, err := getDockerAPIVersion()
if err != nil {
return false, err
}
return version.GTE(semver.MustParse("1.26.0")), nil
}
// isDockerNoNewPrivilegesSupported returns true if Docker version is 1.11+
// (API version 1.23+), and false otherwise.
func isDockerNoNewPrivilegesSupported() (bool, error) {
version, err := getDockerAPIVersion()
if err != nil {
return false, err
}
return version.GTE(semver.MustParse("1.23.0")), nil
}

View File

@ -32,8 +32,6 @@ import (
)
const (
defaultDockerEndpoint = "unix:///var/run/docker.sock"
//TODO (dashpole): Once dynamic config is possible, test different values for maxPerPodContainer and maxContainers
// Currently using default values for maxPerPodContainer and maxTotalContainers
maxPerPodContainer = 1

View File

@ -12,7 +12,7 @@ images:
containervm:
image: e2e-node-containervm-v20161208-image # docker 1.11.2
project: kubernetes-node-e2e-images
gci:
cos-stable:
image_regex: cos-stable-59-9460-64-0 # docker 1.11.2
project: cos-cloud
metadata: "user-data<test/e2e_node/jenkins/gci-init-gpu.yaml,gci-update-strategy=update_disabled"
@ -20,3 +20,7 @@ images:
accelerators:
- type: nvidia-tesla-k80
count: 2
cos-beta:
image_regex: cos-beta-60-9592-70-0 # docker 1.13.1
project: cos-cloud
metadata: "user-data<test/e2e_node/jenkins/gci-init.yaml,gci-update-strategy=update_disabled"

View File

@ -12,7 +12,11 @@ images:
containervm:
image: e2e-node-containervm-v20161208-image # docker 1.11.2
project: kubernetes-node-e2e-images
gci:
cos-stable:
image_regex: cos-stable-59-9460-64-0 # docker 1.11.2
project: cos-cloud
metadata: "user-data<test/e2e_node/jenkins/gci-init.yaml,gci-update-strategy=update_disabled"
cos-beta:
image_regex: cos-beta-60-9592-70-0 # docker 1.13.1
project: cos-cloud
metadata: "user-data<test/e2e_node/jenkins/gci-init.yaml,gci-update-strategy=update_disabled"

View File

@ -28,7 +28,6 @@ import (
"k8s.io/apimachinery/pkg/util/uuid"
"k8s.io/kubernetes/test/e2e/framework"
"github.com/blang/semver"
. "github.com/onsi/ginkgo"
)
@ -381,21 +380,10 @@ var _ = framework.KubeDescribe("Security Context", func() {
BeforeEach(func() {
if framework.TestContext.ContainerRuntime == "docker" {
// parse the docker version
out, err := exec.Command("docker", "-v").CombinedOutput()
if err != nil {
framework.Failf("checking docker version failed output %s: %v", string(out), err)
}
parts := strings.Split(string(out), ",")
parts = strings.Split(parts[0], " ")
dversion := parts[len(parts)-1]
version, err := semver.New(dversion)
if err != nil {
framework.Failf("parsing docker version %q failed: %v", dversion, err)
}
if version.LT(semver.Version{Major: 1, Minor: 11}) {
// make sure its >= 1.11 thats when "no-new-privileges" was added
framework.Skipf("Skipping no_new_privs tests, docker version is < 1.11 it is %s", version.String())
isSupported, err := isDockerNoNewPrivilegesSupported()
framework.ExpectNoError(err)
if !isSupported {
framework.Skipf("Skipping because no_new_privs is not supported in this docker")
}
}
})