ci: Add test cases for CoCo image pulling without forked containerd

Additional tests are necessary to verify new feature that pulling image without forked containerd in CoCo.

Fixes kata-containers#5763

Depends:
kata-containers/kata-containers#7688
kata-containers/kata-containers#7676

Signed-off-by: ChengyuZhu6 <[email protected]>

integration/confidential/lib.sh

@@ -12,6 +12,8 @@ source "${BATS_TEST_DIRNAME}/../../../lib/common.bash"
 source "${BATS_TEST_DIRNAME}/../../../.ci/lib.sh"
 FIXTURES_DIR="${BATS_TEST_DIRNAME}/fixtures"
 SHARED_FIXTURES_DIR="${BATS_TEST_DIRNAME}/../../confidential/fixtures"
+NYDUS_SNAPSHOTTER_CONFIG="/opt/confidential-containers/share/remote-snapshotter/config.toml"
+CONTAINERD_CONFIG="/etc/containerd/config.toml"
 
 # Toggle between true and false the service_offload configuration of
 # the Kata agent.
@@ -440,3 +442,48 @@ EOF
 EOF
   fi
 }
+
+###############################################################################
+
+# remote-snapshotter
+
+configure_remote_snapshotter() {
+	case "${SNAPSHOTTER:-}" in
+	"nydus")
+		configure_nydus_snapshotter
+		;;
+	*) ;;
+
+	esac
+}
+check_containerd_version() {
+	containerd_version=$(containerd --version | awk '{print $3}' | sort -V | tail -n 1)
+	if echo $containerd_version | grep -q "^v1.7"; then
+		return 1
+	else
+		return 0
+	fi
+}
+configure_containerd_for_nydus_snapshotter() {
+	if check_containerd_version; then
+		sed -i '/\[plugins\."io\.containerd\.grpc\.v1\.cri"\.containerd\.runtimes\.'"$RUNTIMECLASS"'\]/a\  snapshotter = "nydus"\n  disable_snapshot_annotations = false' "$CONTAINERD_CONFIG"
+	else
+		sed -i 's/disable_snapshot_annotations = .*/disable_snapshot_annotations = false/g; s/snapshotter = .*/snapshotter = "nydus"/g' "$CONTAINERD_CONFIG"
+	fi
+}
+remove_nydus_snapshotter_from_containerd() {
+	if check_containerd_version; then
+		sed -i '/\[plugins\."io\.containerd\.grpc\.v1\.cri"\.containerd\.runtimes\.'"$RUNTIMECLASS"'\]/,/\[/{/snapshotter = "nydus"/d;/disable_snapshot_annotations = false/d;}' "$CONTAINERD_CONFIG"
+	else
+		sed -i 's/disable_snapshot_annotations = .*/disable_snapshot_annotations = true/g; s/snapshotter = .*/snapshotter = "overlayfs"/g' "$CONTAINERD_CONFIG"
+	fi
+}
+restart_nydus_snapshotter() {
+	echo "Restart nydus snapshotter"
+}
+
+configure_nydus_snapshotter() {
+	echo "Configure nydus snapshotter"
+	sed -i "s/export_mode = .*/export_mode = \"$EXPORT_MODE\"/" $NYDUS_SNAPSHOTTER_CONFIG
+	restart_nydus_snapshotter
+}

integration/kubernetes/confidential/agent_image.bats

@@ -223,6 +223,15 @@ assert_logs_contain() {
 	assert_logs_contain 'failed to pull manifest Not authorized'
 }
 
+@test "$test_tag Test can pull an image as a raw block disk image to guest with dm-verity enabled" {
+	if [ "${SNAPSHOTTER}" = "nydus" ]; then
+		EXPORT_MODE="image_block_with_verity" RUNTIMECLASS="$RUNTIMECLASS" configure_remote_snapshotter
+		pod_config="$(new_pod_config "$image_unsigned_unprotected")"
+		echo $pod_config
+		create_test_pod
+	fi
+}
+
 teardown() {
 	# Print the logs and cleanup resources.
 	echo "-- Kata logs:"

integration/kubernetes/confidential/image_pulling_with_snapshotter.bats

@@ -0,0 +1,148 @@
+#!/usr/bin/env bats
+# Copyright (c) 2022 IBM Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+load "${BATS_TEST_DIRNAME}/lib.sh"
+load "${BATS_TEST_DIRNAME}/../../confidential/lib.sh"
+
+tag_suffix=""
+if [ "$(uname -m)" != "x86_64" ]; then
+	tag_suffix="-$(uname -m)"
+fi
+
+# Images used on the tests.
+## Cosign 
+image_cosigned="quay.io/kata-containers/confidential-containers:cosign-signed${tag_suffix}"
+image_cosigned_other="quay.io/kata-containers/confidential-containers:cosign-signed-key2"
+
+## Simple Signing
+
+image_simple_signed="quay.io/kata-containers/confidential-containers:signed${tag_suffix}"
+image_signed_protected_other="quay.io/kata-containers/confidential-containers:other_signed${tag_suffix}"
+image_unsigned_protected="quay.io/kata-containers/confidential-containers:unsigned${tag_suffix}"
+image_unsigned_unprotected="quay.io/prometheus/busybox:latest"
+
+## Authenticated Image
+image_authenticated="quay.io/kata-containers/confidential-containers-auth:test"
+
+original_kernel_params=$(get_kernel_params)
+# Allow to configure the runtimeClassName on pod configuration.
+RUNTIMECLASS="${RUNTIMECLASS:-kata}"
+test_tag="[cc][agent][kubernetes][containerd]"
+
+# Create the test pod.
+#
+# Note: the global $sandbox_name, $pod_config should be set
+# 	already. It also relies on $CI and $DEBUG exported by CI scripts or
+# 	the developer, to decide how to set debug flags.
+#
+create_test_pod() {
+	# On CI mode we only want to enable the agent debug for the case of
+	# the test failure to obtain logs.
+	if [ "${CI:-}" == "true" ]; then
+		enable_full_debug
+	elif [ "${DEBUG:-}" == "true" ]; then
+		enable_full_debug
+		enable_agent_console
+	fi
+
+	echo "Create the test sandbox"
+	echo "Pod config is: $pod_config"
+	kubernetes_create_cc_pod $pod_config
+}
+
+# Create a pod configuration out of a template file.
+#
+# Parameters:
+#	$1 - the container image.
+# Return:
+# 	the path to the configuration file. The caller should not care about
+# 	its removal afterwards as it is created under the bats temporary
+# 	directory.
+#
+# Environment variables:
+#	RUNTIMECLASS: set the runtimeClassName value from $RUNTIMECLASS.
+#
+new_pod_config() {
+	local base_config="${FIXTURES_DIR}/pod-config.yaml.in"
+	local image="$1"
+
+	local new_config=$(mktemp "${BATS_FILE_TMPDIR}/$(basename ${base_config}).XXX")
+	IMAGE="$image" RUNTIMECLASS="$RUNTIMECLASS" envsubst < "$base_config" > "$new_config"
+	echo "$new_config"
+}
+
+setup() {
+	start_date=$(date +"%Y-%m-%d %H:%M:%S")
+
+	pod_config="$(new_pod_config "$image_simple_signed")"
+	pod_id=""
+
+	kubernetes_delete_all_cc_pods_if_any_exists || true
+
+	echo "Prepare containerd for Confidential Container"
+	SAVED_CONTAINERD_CONF_FILE="/etc/containerd/config.toml.$$"
+	configure_cc_containerd "$SAVED_CONTAINERD_CONF_FILE"
+
+	echo "Reconfigure Kata Containers"
+	switch_image_service_offload on
+	clear_kernel_params
+	add_kernel_params "${original_kernel_params}"
+
+	setup_proxy
+	switch_measured_rootfs_verity_scheme none
+}
+
+# Check the logged messages on host have a given message.
+# Parameters:
+#      $1 - the message
+#
+# Note: get the logs since the global $start_date.
+#
+assert_logs_contain() {
+	local message="$1"
+	# Note: with image-rs we get more that the default 1000 lines of logs
+	journalctl -x -t kata --since "$start_date" -n 100000 | grep "$message"
+}
+
+@test "$test_tag Test can pull an image as a raw block disk image to guest with dm-verity enabled" {
+	if [ "${SNAPSHOTTER}" = "nydus" ]; then
+		EXPORT_MODE="image_block_with_verity" RUNTIMECLASS="$RUNTIMECLASS" configure_remote_snapshotter
+		pod_config="$(new_pod_config "$image_unsigned_unprotected")"
+		echo $pod_config
+		create_test_pod
+	fi
+}
+
+@test "$test_tag Test can pull an unencrypted image inside the guest" {
+	create_test_pod
+
+	echo "Check the image was not pulled in the host"
+	local pod_id=$(kubectl get pods -o jsonpath='{.items..metadata.name}')
+	retrieve_sandbox_id
+	rootfs=($(find /run/kata-containers/shared/sandboxes/${sandbox_id}/shared \
+		-name rootfs))
+	[ ${#rootfs[@]} -eq 1 ]
+}
+
+
+teardown() {
+	# Print the logs and cleanup resources.
+	echo "-- Kata logs:"
+	sudo journalctl -xe -t kata --since "$start_date" -n 100000
+
+	# Allow to not destroy the environment if you are developing/debugging
+	# tests.
+	if [[ "${CI:-false}" == "false" && "${DEBUG:-}" == true ]]; then
+		echo "Leaving changes and created resources untouched"
+		return
+	fi
+
+	kubernetes_delete_all_cc_pods_if_any_exists || true
+	clear_kernel_params
+	add_kernel_params "${original_kernel_params}"
+	switch_image_service_offload off
+	disable_full_debug
+}