tests: cleanup test directory

- add a `pkg` directory for packages
- add a `cases` directory for yml files

Signed-off-by: Dave Tucker <dt@docker.com>

test/pkg/docker-bench/Dockerfile

@@ -0,0 +1,22 @@
+FROM alpine:3.5
+RUN apk update && apk upgrade && apk add --no-cache bash curl
+ADD . ./
+
+# Also add docker
+ENV DOCKER_BUCKET get.docker.com
+ENV DOCKER_VERSION 17.04.0-ce
+ENV DOCKER_SHA256 c52cff62c4368a978b52e3d03819054d87bcd00d15514934ce2e0e09b99dd100
+
+# Downloads docker but only installs the client
+RUN set -x \
+	&& curl -fSL "https://${DOCKER_BUCKET}/builds/$(uname -s)/$(uname -m)/docker-${DOCKER_VERSION}.tgz" -o docker.tgz \
+	&& echo "${DOCKER_SHA256} *docker.tgz" | sha256sum -c - \
+	&& tar -xzvf docker.tgz \
+	&& mv docker/docker /usr/bin/ \
+	&& rm -rf docker \
+	&& rm docker.tgz \
+	&& docker -v
+
+COPY . ./
+
+ENTRYPOINT ["/bin/sh", "/bench_runner.sh"]

test/pkg/docker-bench/Makefile

@@ -0,0 +1,29 @@
+.PHONY: tag push
+
+BASE=alpine:3.5
+IMAGE=test-docker-bench
+
+default: push
+
+hash: Dockerfile bench_runner.sh
+	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
+	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
+	docker run --rm --entrypoint=/bin/sh $(IMAGE):build -c "cat $^ /lib/apk/db/installed | sha1sum" | sed 's/ .*//' > hash
+
+push: hash
+	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
+		(docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash) && \
+		 docker push linuxkit/$(IMAGE):$(shell cat hash))
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+tag: hash
+	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
+		docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+clean:
+	rm -f hash
+
+.DELETE_ON_ERROR:

test/pkg/docker-bench/bench_runner.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+echo "waiting for docker socket to be available..."
+
+# wait for the docker runc container
+while [ ! -e /var/run/docker.sock ]; do sleep 1; done
+
+echo "found docker socket, starting docker bench..."
+
+docker run -i --net host --pid host --cap-add audit_control -v /var/lib:/var/lib -v /var/run/docker.sock:/var/run/docker.sock --label docker_bench_security docker/docker-bench-security

test/pkg/kernel-config/Dockerfile

@@ -0,0 +1,5 @@
+FROM alpine:3.5
+RUN apk update && apk upgrade && apk add --no-cache bash
+ADD https://raw.githubusercontent.com/docker/docker/master/contrib/check-config.sh /check-config.sh
+ADD . ./
+ENTRYPOINT ["/bin/sh", "/check.sh"]

test/pkg/kernel-config/Makefile

@@ -0,0 +1,29 @@
+.PHONY: tag push
+
+BASE=alpine:3.5
+IMAGE=kernel-config
+
+default: push
+
+hash: Dockerfile check.sh check-kernel-config.sh etc/linuxkit
+	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
+	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
+	docker run --rm --entrypoint=/bin/sh $(IMAGE):build -c "cat $^ /lib/apk/db/installed | sha1sum" | sed 's/ .*//' > hash
+
+push: hash
+	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
+		(docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash) && \
+		 docker push linuxkit/$(IMAGE):$(shell cat hash))
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+tag: hash
+	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
+		docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+clean:
+	rm -f hash
+
+.DELETE_ON_ERROR:

test/pkg/kernel-config/check-kernel-config.sh

@@ -0,0 +1,73 @@
+#!/bin/sh
+
+set -e
+
+echo "starting kernel config sanity test with /proc/config.gz"
+
+# decompress /proc/config.gz from the host
+UNZIPPED_CONFIG=$(zcat /proc/config.gz)
+
+kernelVersion="$(uname -r)"
+kernelMajor="${kernelVersion%%.*}"
+kernelMinor="${kernelVersion#$kernelMajor.}"
+kernelMinor="${kernelMinor%%.*}"
+
+# Most tests against https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
+# Positive cases
+
+echo $UNZIPPED_CONFIG | grep -q CONFIG_BUG=y || (echo "CONFIG_BUG=y" && exit 1)
+echo $UNZIPPED_CONFIG | grep -q CONFIG_DEBUG_KERNEL=y || (echo "CONFIG_DEBUG_KERNEL=y" && exit 1)
+echo $UNZIPPED_CONFIG | grep -q CONFIG_DEBUG_RODATA=y || (echo "CONFIG_DEBUG_RODATA=y" && exit 1)
+echo $UNZIPPED_CONFIG | grep -q CONFIG_CC_STACKPROTECTOR=y || (echo "CONFIG_CC_STACKPROTECTOR=y" && exit 1)
+echo $UNZIPPED_CONFIG | grep -q CONFIG_CC_STACKPROTECTOR_STRONG=y || (echo "CONFIG_CC_STACKPROTECTOR_STRONG=y" && exit 1)
+echo $UNZIPPED_CONFIG | grep -q CONFIG_STRICT_DEVMEM=y || (echo "CONFIG_STRICT_DEVMEM=y" && exit 1)
+echo $UNZIPPED_CONFIG | grep -q CONFIG_SYN_COOKIES=y || (echo "CONFIG_SYN_COOKIES=y" && exit 1)
+echo $UNZIPPED_CONFIG | grep -q CONFIG_DEBUG_CREDENTIALS=y || (echo "CONFIG_DEBUG_CREDENTIALS=y" && exit 1)
+echo $UNZIPPED_CONFIG | grep -q CONFIG_DEBUG_NOTIFIERS=y || (echo "CONFIG_DEBUG_NOTIFIERS=y" && exit 1)
+echo $UNZIPPED_CONFIG | grep -q CONFIG_DEBUG_LIST=y || (echo "CONFIG_DEBUG_LIST=y" && exit 1)
+echo $UNZIPPED_CONFIG | grep -q CONFIG_SECCOMP=y || (echo "CONFIG_SECCOMP=y" && exit 1)
+echo $UNZIPPED_CONFIG | grep -q CONFIG_SECCOMP_FILTER=y || (echo "CONFIG_SECCOMP_FILTER=y" && exit 1)
+echo $UNZIPPED_CONFIG | grep -q CONFIG_SECURITY=y || (echo "CONFIG_SECURITY=y" && exit 1)
+echo $UNZIPPED_CONFIG | grep -q CONFIG_SECURITY_YAMA=y || (echo "CONFIG_SECURITY_YAMA=y" && exit 1)
+echo $UNZIPPED_CONFIG | grep -q CONFIG_PANIC_ON_OOPS=y || (echo "CONFIG_PANIC_ON_OOPS=y" && exit 1)
+echo $UNZIPPED_CONFIG | grep -q CONFIG_DEBUG_SET_MODULE_RONX=y || (echo "CONFIG_DEBUG_SET_MODULE_RONX=y" && exit 1)
+echo $UNZIPPED_CONFIG | grep -q CONFIG_SYN_COOKIES=y || (echo "CONFIG_SYN_COOKIES=y" && exit 1)
+echo $UNZIPPED_CONFIG | grep -q CONFIG_LEGACY_VSYSCALL_NONE=y || (echo "CONFIG_LEGACY_VSYSCALL_NONE=y" && exit 1)
+echo $UNZIPPED_CONFIG | grep -q CONFIG_RANDOMIZE_BASE=y || (echo "CONFIG_RANDOMIZE_BASE=y" && exit 1)
+
+# Conditional on kernel version
+if [ "$kernelMajor" -ge 4 -a "$kernelMinor" -ge 5 ]; then
+  echo $UNZIPPED_CONFIG | grep -q CONFIG_IO_STRICT_DEVMEM=y || (echo "CONFIG_IO_STRICT_DEVMEM=y" && exit 1)
+  echo $UNZIPPED_CONFIG | grep -q CONFIG_UBSAN=y || (echo "CONFIG_UBSAN=y" && exit 1)
+fi
+if [ "$kernelMajor" -ge 4 -a "$kernelMinor" -ge 7 ]; then
+  echo $UNZIPPED_CONFIG | grep -q CONFIG_SLAB_FREELIST_RANDOM=y || (echo "CONFIG_SLAB_FREELIST_RANDOM=y" && exit 1)
+fi
+if [ "$kernelMajor" -ge 4 -a "$kernelMinor" -ge 8 ]; then
+  echo $UNZIPPED_CONFIG | grep -q CONFIG_HARDENED_USERCOPY=y || (echo "CONFIG_HARDENED_USERCOPY=y" && exit 1)
+  echo $UNZIPPED_CONFIG | grep -q CONFIG_RANDOMIZE_MEMORY=y || (echo "CONFIG_RANDOMIZE_MEMORY=y" && exit 1)
+fi
+
+# poisoning cannot be enabled in 4.4
+if [ "$kernelMajor" -ge 4 -a "$kernelMinor" -ge 9 ]; then
+  echo $UNZIPPED_CONFIG | grep -q CONFIG_PAGE_POISONING=y || (echo "CONFIG_PAGE_POISONING=y" && exit 1)
+  echo $UNZIPPED_CONFIG | grep -q CONFIG_PAGE_POISONING_NO_SANITY=y || (echo "CONFIG_PAGE_POISONING_NO_SANITY=y" && exit 1)
+  echo $UNZIPPED_CONFIG | grep -q CONFIG_PAGE_POISONING_ZERO=y || (echo "CONFIG_PAGE_POISONING_ZERO=y" && exit 1)
+fi
+
+if [ "$kernelMajor" -ge 4 -a "$kernelMinor" -ge 10 ]; then
+  echo $UNZIPPED_CONFIG | grep -q CONFIG_BUG_ON_DATA_CORRUPTION=y || (echo "CONFIG_BUG_ON_DATA_CORRUPTION=y" && exit 1)
+fi
+
+# Negative cases
+echo $UNZIPPED_CONFIG | grep -q 'CONFIG_ACPI_CUSTOM_METHOD is not set' || (echo "CONFIG_ACPI_CUSTOM_METHOD is not set" && exit 1)
+echo $UNZIPPED_CONFIG | grep -q 'CONFIG_COMPAT_BRK is not set' || (echo "CONFIG_COMPAT_BRK is not set" && exit 1)
+echo $UNZIPPED_CONFIG | grep -q 'CONFIG_DEVKMEM is not set' || (echo "CONFIG_DEVKMEM is not set" && exit 1)
+echo $UNZIPPED_CONFIG | grep -q 'CONFIG_COMPAT_VDSO is not set' || (echo "CONFIG_COMPAT_VDSO is not set" && exit 1)
+echo $UNZIPPED_CONFIG | grep -q 'CONFIG_KEXEC is not set' || (echo "CONFIG_KEXEC is not set" && exit 1)
+echo $UNZIPPED_CONFIG | grep -q 'CONFIG_HIBERNATION is not set' || (echo "CONFIG_HIBERNATION is not set" && exit 1)
+echo $UNZIPPED_CONFIG | grep -q 'CONFIG_LEGACY_PTYS is not set' || (echo "CONFIG_LEGACY_PTYS is not set" && exit 1)
+echo $UNZIPPED_CONFIG | grep -q 'CONFIG_X86_X32 is not set' || (echo "CONFIG_X86_X32 is not set" && exit 1)
+echo $UNZIPPED_CONFIG | grep -q 'CONFIG_MODIFY_LDT_SYSCALL is not set' || (echo "CONFIG_MODIFY_LDT_SYSCALL is not set" && exit 1)
+
+echo "kernel config test succeeded!"

test/pkg/kernel-config/check.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+function failed {
+	printf "Kernel config test suite FAILED\n"
+	/sbin/poweroff -f
+}
+
+/check-kernel-config.sh || failed
+bash /check-config.sh || failed
+
+printf "Kernel config test suite PASSED\n"
+
+cat /etc/linuxkit
+
+/sbin/poweroff -f

test/pkg/kernel-config/etc/linuxkit

@@ -0,0 +1,9 @@
+
+                        ##         .
+                  ## ## ##        ==
+               ## ## ## ## ##    ===
+           /"""""""""""""""""\___/ ===
+      ~~~ {~~ ~~~~ ~~~ ~~~~ ~~~ ~ /  ===- ~~~
+           \______ o           __/
+             \    \         __/
+              \____\_______/

test/pkg/ltp/.gitignore

@@ -0,0 +1,2 @@
+/hash
+/opt

test/pkg/ltp/Dockerfile.build

@@ -0,0 +1,19 @@
+FROM debian:jessie
+
+ARG LTP_VERSION
+
+ENV LTP_SOURCE=https://github.com/linux-test-project/ltp/releases/download/${LTP_VERSION}/ltp-full-${LTP_VERSION}.tar.xz
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update && \
+    apt-get install -y curl xz-utils make gcc flex bison automake autoconf
+
+RUN curl -fsSL -o ltp-full-${LTP_VERSION}.tar.xz ${LTP_SOURCE}
+
+RUN cat ltp-full-${LTP_VERSION}.tar.xz | tar --absolute-names -xJ &&  mv /ltp-full-${LTP_VERSION} /ltp
+
+RUN cd /ltp \
+    && make autotools \
+    && ./configure \
+    && make -j "$(getconf _NPROCESSORS_ONLN)" all \
+    && make install

test/pkg/ltp/Dockerfile.pkg

@@ -0,0 +1,4 @@
+FROM debian:jessie-slim@sha256:fb22c1cef74071a6cd0145c1f91ca85ba9bd3f8b4d6db8560fe69eb36a175ca3
+ADD . /
+WORKDIR /opt/ltp
+ENTRYPOINT ["/bin/sh", "/check.sh"]

test/pkg/ltp/Makefile

@@ -0,0 +1,42 @@
+LTP_VERSION=20170116
+
+all: ltp.tar push
+
+# Build LTP and get the result as a tarball
+DEPS=Dockerfile.build Makefile
+ltp.tag: $(DEPS)
+	BUILD=$$(docker build -f $< -q . --build-arg LTP_VERSION=$(LTP_VERSION)) && [ -n "$$BUILD" ] && echo "Built $$BUILD" && echo "$$BUILD" > $@
+
+ltp.tar: ltp.tag
+	docker run --rm --net=none --log-driver=none $(shell cat ltp.tag) tar cf - opt/ltp  > $@
+
+SHASUM=alpine:3.5
+IMAGE=test-ltp-$(LTP_VERSION)
+
+# Note: We do not compute the hash from all the dependencies here
+# because the ltp binaries will change everytime we build. Ideally, we
+# would calculate the hash from the source and the apt-get cache, but
+# it's not that critical.
+hash: Dockerfile.pkg ltp.tar check.sh $(DEPS)
+	tar xf ltp.tar
+	tar cf - Dockerfile.pkg opt check.sh | docker build --no-cache -t $(IMAGE):build -f Dockerfile.pkg -
+	cat Dockerfile.pkg check.sh $(DEPS) | DOCKER_CONTENT_TRUST=1 docker run --rm -i $(SHASUM) sha1sum | sed 's/ .*//' > $@
+
+push: hash
+	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
+		(docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash) && \
+		docker push linuxkit/$(IMAGE):$(shell cat hash))
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+tag: hash
+	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
+		docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+.PHONY: clean
+clean:
+	rm -rf opt ltp.tar ltp.tag hash
+
+.DELETE_ON_ERROR:

test/pkg/ltp/README.md

@@ -0,0 +1 @@
+This directory creates a container which runs the Linux Test Project test code

test/pkg/ltp/check.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+sh runltplite.sh -p -l /ltp.log
+cat /ltp.log
+
+baseline="$(cat /etc/ltp/baseline)"
+failures="$( grep "Total Failures" /ltp.log | awk '{print $3}')"
+
+if [ $((failures <= baseline)) -ne 0 ]
+then
+	printf "LTP test suite PASSED\n"
+else
+	printf "LTP test suite FAILED\n"
+	exit 1
+fi

test/pkg/poweroff/Dockerfile

@@ -0,0 +1,3 @@
+FROM alpine:3.5
+ADD . ./
+ENTRYPOINT ["/bin/sh", "/poweroff.sh"]

test/pkg/poweroff/Makefile

@@ -0,0 +1,29 @@
+.PHONY: tag push
+
+BASE=alpine:3.5
+IMAGE=poweroff
+
+default: push
+
+hash: Dockerfile poweroff.sh
+	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
+	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
+	docker run --rm --entrypoint=/bin/sh $(IMAGE):build -c "cat $^ /lib/apk/db/installed | sha1sum" | sed 's/ .*//' > hash
+
+push: hash
+	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
+		(docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash) && \
+		 docker push linuxkit/$(IMAGE):$(shell cat hash))
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+tag: hash
+	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
+		docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+clean:
+	rm -f hash
+
+.DELETE_ON_ERROR:

test/pkg/poweroff/poweroff.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+TIMEOUT=${1:-30}  
+sleep "${TIMEOUT}"
+
+/sbin/poweroff -f

test/pkg/virtsock/.gitignore

@@ -0,0 +1,3 @@
+/bin
+/virtsock.tag
+/hash

test/pkg/virtsock/Dockerfile

@@ -0,0 +1,14 @@
+FROM linuxkit/go-compile:4513068d9a7e919e4ec42e2d7ee879ff5b95b7f5@sha256:bdfadbe3e4ec699ca45b67453662321ec270f2d1a1dbdbf09625776d3ebd68c5 AS virtsock-build
+
+ENV VIRTSOCK_COMMIT=6b4dec728264e07c41e108caebd6bc2b72559a5f
+RUN mkdir -p $GOPATH/src/github.com/rneugeba && \
+  cd $GOPATH/src/github.com/rneugeba && \
+  git clone https://github.com/rneugeba/virtsock.git
+WORKDIR $GOPATH/src/github.com/rneugeba/virtsock
+RUN git checkout $VIRTSOCK_COMMIT
+RUN make build/virtsock_stress.linux
+RUN cp -a build/virtsock_stress.linux /virtsock_stress
+
+FROM linuxkit/tini:6714d66b82b5397f497b2aa05764096ed1ffe7d7@sha256:ba594b96af6195737ce2df702196d7adea2cafde554e18940ee14ad575d27f3b
+COPY --from=virtsock-build virtsock_stress bin/virtsock_stress
+CMD ["/bin/tini", "/bin/virtsock_stress", "-s", "-v", "1"]

test/pkg/virtsock/Makefile

@@ -0,0 +1,26 @@
+.PHONY: tag push
+IMAGE=test-virtsock
+
+default: push
+
+DEPS=Dockerfile Makefile
+SHASUM=alpine:3.5
+hash: $(DEPS)
+	find $^ -type f | xargs cat  | DOCKER_CONTENT_TRUST=1 docker run --rm -i $(SHASUM) sha1sum | sed 's/ .*//' > $@
+
+tag: hash
+	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
+		(docker build --no-cache -t $(IMAGE):build . && \
+		 docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash))
+	docker rmi $(IMAGE):build || true
+
+push: tag
+	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
+		docker push linuxkit/$(IMAGE):$(shell cat hash)
+	rm -f hash
+
+clean:
+	rm -rf hash
+	docker rmi $(IMAGE):build || true
+
+.DELETE_ON_ERROR:

test/pkg/virtsock/README.md

@@ -0,0 +1,33 @@
+This directory contains the files to build and run a container containing the
+virtio and Hyper-V socket stress tests. `../../cases/test-virtsock-server.yml` builds images which start the server inside the VM.
+
+The client, to be run on the host as per this [README](https://github.com/rneugeba/virtsock/blob/master/examples/README.md), can be obtained compiled from [here](https://github.com/rneugeba/virtsock).
+
+## How to use (on Windows)
+
+- Build the images: `moby build tests/cases/test-virtsock-server.yml`
+- Copy the `test-virtsock-server.iso` to a Windows system
+- Create a Type 1 Hyper-V VM (called `virtsock`).
+  - No Disk or network required
+  - Add the ISO to the CDROM device
+  - Make sure you enable a named pipe for COM1 (call it `virtsock`)
+- Start the VM
+- Connect to the serial console (to get debug output) with `putty -serial \\.\pipe\virtsock`
+
+Run the client:
+```
+$vmId = (get-vm virtsock).Id
+.\virtsock_stress.exe -c $vmId  -v 1 -c 1000000 -p 10
+```
+
+This creates `1000000` connections from `10` threads to the VM and
+sends some random amount of data of the connection before tearing it
+down. There are more options to change the behaviour.
+
+
+## TODO
+
+- Add scripts to create Hyper-V VM
+- Enable virtio sockets in `moby run` with HyperKit
+- Add some sample client YAML files which would connect from the VM to the host
+- Hook up to CI for both HyperKit and Hyper-V