mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-25 12:43:23 +00:00
Merge pull request #49914 from yguo0905/shared-pid-ns
Automatic merge from submit-queue (batch tested with PRs 50087, 39587, 50042, 50241, 49914) Add node e2e test for Docker's shared PID namespace Ref: https://github.com/kubernetes/kubernetes/issues/42926 This PR adds a simple test for the shared PID namespace that's enabled when Docker is 1.13.1+. /sig node /area node-e2e /assign @yujuhong **Release note**: ``` None ```
This commit is contained in:
commit
02d04de81e
@ -14,6 +14,7 @@ go_library(
|
||||
"benchmark_util.go",
|
||||
"container.go",
|
||||
"doc.go",
|
||||
"docker_util.go",
|
||||
"gpus.go",
|
||||
"image_list.go",
|
||||
"node_problem_detector_linux.go",
|
||||
@ -39,6 +40,8 @@ go_library(
|
||||
"//test/e2e/framework/metrics:go_default_library",
|
||||
"//test/e2e/perftype:go_default_library",
|
||||
"//test/e2e_node/perftype:go_default_library",
|
||||
"//vendor/github.com/blang/semver:go_default_library",
|
||||
"//vendor/github.com/docker/docker/client:go_default_library",
|
||||
"//vendor/github.com/golang/glog:go_default_library",
|
||||
"//vendor/github.com/google/cadvisor/client/v2:go_default_library",
|
||||
"//vendor/github.com/google/cadvisor/info/v2:go_default_library",
|
||||
@ -71,6 +74,7 @@ go_test(
|
||||
"critical_pod_test.go",
|
||||
"density_test.go",
|
||||
"disk_eviction_test.go",
|
||||
"docker_test.go",
|
||||
"dockershim_checkpoint_test.go",
|
||||
"dynamic_kubelet_configuration_test.go",
|
||||
"e2e_node_suite_test.go",
|
||||
@ -118,7 +122,6 @@ go_test(
|
||||
"//test/e2e_node/services:go_default_library",
|
||||
"//test/e2e_node/system:go_default_library",
|
||||
"//test/utils:go_default_library",
|
||||
"//vendor/github.com/blang/semver:go_default_library",
|
||||
"//vendor/github.com/coreos/go-systemd/util:go_default_library",
|
||||
"//vendor/github.com/davecgh/go-spew/spew:go_default_library",
|
||||
"//vendor/github.com/golang/glog:go_default_library",
|
||||
|
73
test/e2e_node/docker_test.go
Normal file
73
test/e2e_node/docker_test.go
Normal file
@ -0,0 +1,73 @@
|
||||
/*
|
||||
Copyright 2017 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package e2e_node
|
||||
|
||||
import (
|
||||
"k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/kubernetes/test/e2e/framework"
|
||||
|
||||
. "github.com/onsi/ginkgo"
|
||||
)
|
||||
|
||||
var _ = framework.KubeDescribe("Docker features [Feature:Docker]", func() {
|
||||
f := framework.NewDefaultFramework("docker-feature-test")
|
||||
|
||||
BeforeEach(func() {
|
||||
framework.RunIfContainerRuntimeIs("docker")
|
||||
})
|
||||
|
||||
Context("when shared PID namespace is enabled", func() {
|
||||
It("processes in different containers of the same pod should be able to see each other", func() {
|
||||
// TODO(yguo0905): Change this test to run unless the runtime is
|
||||
// Docker and its version is <1.13.
|
||||
By("Check whether shared PID namespace is enabled.")
|
||||
isEnabled, err := isSharedPIDNamespaceEnabled()
|
||||
framework.ExpectNoError(err)
|
||||
if !isEnabled {
|
||||
framework.Skipf("Skipped because shared PID namespace is not enabled.")
|
||||
}
|
||||
|
||||
By("Create a pod with two containers.")
|
||||
f.PodClient().CreateSync(&v1.Pod{
|
||||
ObjectMeta: metav1.ObjectMeta{Name: "shared-pid-ns-test-pod"},
|
||||
Spec: v1.PodSpec{
|
||||
Containers: []v1.Container{
|
||||
{
|
||||
Name: "test-container-1",
|
||||
Image: "gcr.io/google_containers/busybox:1.24",
|
||||
Command: []string{"/bin/top"},
|
||||
},
|
||||
{
|
||||
Name: "test-container-2",
|
||||
Image: "gcr.io/google_containers/busybox:1.24",
|
||||
Command: []string{"/bin/sleep"},
|
||||
Args: []string{"10000"},
|
||||
},
|
||||
},
|
||||
},
|
||||
})
|
||||
|
||||
By("Check if the process in one container is visible to the process in the other.")
|
||||
pid1 := f.ExecCommandInContainer("shared-pid-ns-test-pod", "test-container-1", "/bin/pidof", "top")
|
||||
pid2 := f.ExecCommandInContainer("shared-pid-ns-test-pod", "test-container-2", "/bin/pidof", "top")
|
||||
if pid1 != pid2 {
|
||||
framework.Failf("PIDs are not the same in different containers: test-container-1=%v, test-container-2=%v", pid1, pid2)
|
||||
}
|
||||
})
|
||||
})
|
||||
})
|
62
test/e2e_node/docker_util.go
Normal file
62
test/e2e_node/docker_util.go
Normal file
@ -0,0 +1,62 @@
|
||||
/*
|
||||
Copyright 2017 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package e2e_node
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
"github.com/blang/semver"
|
||||
"github.com/docker/docker/client"
|
||||
)
|
||||
|
||||
const (
|
||||
defaultDockerEndpoint = "unix:///var/run/docker.sock"
|
||||
)
|
||||
|
||||
// getDockerAPIVersion returns the Docker's API version.
|
||||
func getDockerAPIVersion() (semver.Version, error) {
|
||||
c, err := client.NewClient(defaultDockerEndpoint, "", nil, nil)
|
||||
if err != nil {
|
||||
return semver.Version{}, fmt.Errorf("failed to create docker client: %v", err)
|
||||
}
|
||||
version, err := c.ServerVersion(context.Background())
|
||||
if err != nil {
|
||||
return semver.Version{}, fmt.Errorf("failed to get docker info: %v", err)
|
||||
}
|
||||
return semver.MustParse(version.APIVersion + ".0"), nil
|
||||
}
|
||||
|
||||
// isSharedPIDNamespaceEnabled returns true if the Docker version is 1.13.1+
|
||||
// (API version 1.26+), and false otherwise.
|
||||
func isSharedPIDNamespaceEnabled() (bool, error) {
|
||||
version, err := getDockerAPIVersion()
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
return version.GTE(semver.MustParse("1.26.0")), nil
|
||||
}
|
||||
|
||||
// isDockerNoNewPrivilegesSupported returns true if Docker version is 1.11+
|
||||
// (API version 1.23+), and false otherwise.
|
||||
func isDockerNoNewPrivilegesSupported() (bool, error) {
|
||||
version, err := getDockerAPIVersion()
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
return version.GTE(semver.MustParse("1.23.0")), nil
|
||||
}
|
@ -32,8 +32,6 @@ import (
|
||||
)
|
||||
|
||||
const (
|
||||
defaultDockerEndpoint = "unix:///var/run/docker.sock"
|
||||
|
||||
//TODO (dashpole): Once dynamic config is possible, test different values for maxPerPodContainer and maxContainers
|
||||
// Currently using default values for maxPerPodContainer and maxTotalContainers
|
||||
maxPerPodContainer = 1
|
||||
|
@ -12,7 +12,7 @@ images:
|
||||
containervm:
|
||||
image: e2e-node-containervm-v20161208-image # docker 1.11.2
|
||||
project: kubernetes-node-e2e-images
|
||||
gci:
|
||||
cos-stable:
|
||||
image_regex: cos-stable-59-9460-64-0 # docker 1.11.2
|
||||
project: cos-cloud
|
||||
metadata: "user-data<test/e2e_node/jenkins/gci-init-gpu.yaml,gci-update-strategy=update_disabled"
|
||||
@ -20,3 +20,7 @@ images:
|
||||
accelerators:
|
||||
- type: nvidia-tesla-k80
|
||||
count: 2
|
||||
cos-beta:
|
||||
image_regex: cos-beta-60-9592-70-0 # docker 1.13.1
|
||||
project: cos-cloud
|
||||
metadata: "user-data<test/e2e_node/jenkins/gci-init.yaml,gci-update-strategy=update_disabled"
|
||||
|
@ -12,7 +12,11 @@ images:
|
||||
containervm:
|
||||
image: e2e-node-containervm-v20161208-image # docker 1.11.2
|
||||
project: kubernetes-node-e2e-images
|
||||
gci:
|
||||
cos-stable:
|
||||
image_regex: cos-stable-59-9460-64-0 # docker 1.11.2
|
||||
project: cos-cloud
|
||||
metadata: "user-data<test/e2e_node/jenkins/gci-init.yaml,gci-update-strategy=update_disabled"
|
||||
cos-beta:
|
||||
image_regex: cos-beta-60-9592-70-0 # docker 1.13.1
|
||||
project: cos-cloud
|
||||
metadata: "user-data<test/e2e_node/jenkins/gci-init.yaml,gci-update-strategy=update_disabled"
|
||||
|
@ -28,7 +28,6 @@ import (
|
||||
"k8s.io/apimachinery/pkg/util/uuid"
|
||||
"k8s.io/kubernetes/test/e2e/framework"
|
||||
|
||||
"github.com/blang/semver"
|
||||
. "github.com/onsi/ginkgo"
|
||||
)
|
||||
|
||||
@ -381,21 +380,10 @@ var _ = framework.KubeDescribe("Security Context", func() {
|
||||
|
||||
BeforeEach(func() {
|
||||
if framework.TestContext.ContainerRuntime == "docker" {
|
||||
// parse the docker version
|
||||
out, err := exec.Command("docker", "-v").CombinedOutput()
|
||||
if err != nil {
|
||||
framework.Failf("checking docker version failed output %s: %v", string(out), err)
|
||||
}
|
||||
parts := strings.Split(string(out), ",")
|
||||
parts = strings.Split(parts[0], " ")
|
||||
dversion := parts[len(parts)-1]
|
||||
version, err := semver.New(dversion)
|
||||
if err != nil {
|
||||
framework.Failf("parsing docker version %q failed: %v", dversion, err)
|
||||
}
|
||||
if version.LT(semver.Version{Major: 1, Minor: 11}) {
|
||||
// make sure its >= 1.11 thats when "no-new-privileges" was added
|
||||
framework.Skipf("Skipping no_new_privs tests, docker version is < 1.11 it is %s", version.String())
|
||||
isSupported, err := isDockerNoNewPrivilegesSupported()
|
||||
framework.ExpectNoError(err)
|
||||
if !isSupported {
|
||||
framework.Skipf("Skipping because no_new_privs is not supported in this docker")
|
||||
}
|
||||
}
|
||||
})
|
||||
|
Loading…
Reference in New Issue
Block a user