From 2474c089b39b432cab0fc7d2c68919090105697e Mon Sep 17 00:00:00 2001
From: Manabu Sugimoto
Date: Fri, 18 Aug 2023 16:43:44 +0900
Subject: [PATCH] test:cri: Add guest AppArmor support

Add a test case which check whether AppArmor inside the guest works properly using containerd. The test creates a container configured to apply the `kata-default` profile, then it checks the container process is running with the profile enforced.

Fixes: #5748
Depends-on: github.com/kata-containers/kata-containers#7587
Signed-off-by: Manabu Sugimoto
---
 .ci/install_kata_image.sh | 3 +
 .ci/lib.sh | 19 +++++
 .../containerd/cri/integration-tests.sh | 75 ++++++++++++++++++-
 3 files changed, 96 insertions(+), 1 deletion(-)

diff --git a/.ci/install_kata_image.sh b/.ci/install_kata_image.sh
index 2aff520a8..b1f5e5109 100755
--- a/.ci/install_kata_image.sh
+++ b/.ci/install_kata_image.sh
@@ -16,6 +16,9 @@ source "${cidir}/lib.sh"
 main() {
 build_static_artifact_and_install "rootfs-image"
 build_static_artifact_and_install "rootfs-initrd"
+
+ # Build and install an image for the guest AppArmor
+ build_install_apparmor_image
 }
 main
diff --git a/.ci/lib.sh b/.ci/lib.sh
index 7156a3a26..18bec440f 100755
--- a/.ci/lib.sh
+++ b/.ci/lib.sh
@@ -17,6 +17,7 @@ fi
 export KATA_KSM_THROTTLER=${KATA_KSM_THROTTLER:-no}
 export KATA_QEMU_DESTDIR=${KATA_QEMU_DESTDIR:-"/usr"}
 export KATA_ETC_CONFIG_PATH="/etc/kata-containers/configuration.toml"
+export KATA_APPARMOR_IMAGE="/opt/kata/share/kata-containers/kata-containers-apparmor.img"
 export katacontainers_repo=${katacontainers_repo:="github.com/kata-containers/kata-containers"}
 export katacontainers_repo_git="https://${katacontainers_repo}.git"
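Review bot: `build_install_apparmor_image` is now called on every image install, including runs where the new integration test skips itself (it returns early when TEST_INITRD is `yes`), so those jobs pay for a full rootfs and image build whose output is never read. If TEST_INITRD reaches this script, a guard such as `[ "${TEST_INITRD:-no}" = "yes" ] || build_install_apparmor_image` would avoid that; I cannot see from the hunk whether the variable is set in this script's environment. If the unconditional build is intended, a comment saying so next to the call would stop the next reader from asking the same question.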
@@ -180,6 +181,24 @@ function build_static_artifact_and_install() {
 popd >/dev/null
 }
+build_install_apparmor_image() {
+ USE_DOCKER=${USE_DOCKER:-"true"}
+
+ info "Build AppArmor guest image"
+ local rootfs_builder_dir="${katacontainers_repo_dir}/tools/osbuilder/rootfs-builder"
+ local rootfs_dir="${rootfs_builder_dir}/rootfs-apparmor"
+ pushd "$rootfs_builder_dir" >/dev/null
+ sudo -E AGENT_INIT=no APPARMOR=yes USE_DOCKER="${USE_DOCKER}" ./rootfs.sh -r "${rootfs_dir}" ubuntu
+ popd >/dev/null
+
+ info "Install AppArmor guest image"
+ local image_builder_dir="${katacontainers_repo_dir}/tools/osbuilder/image-builder"
+ pushd "${image_builder_dir}" >/dev/null
+ sudo -E AGENT_INIT=no USE_DOCKER="${USE_DOCKER}" ./image_builder.sh "${rootfs_dir}"
+ popd >/dev/null
+ sudo install -o root -g root -m 0640 -D "${image_builder_dir}/kata-containers.img" "${KATA_APPARMOR_IMAGE}"
+}
+
 function get_dep_from_yaml_db(){
 local versions_file="$1"
 local dependency="$2"
diff --git a/integration/containerd/cri/integration-tests.sh b/integration/containerd/cri/integration-tests.sh
index c29eea2e9..ce29bb1a9 100755
--- a/integration/containerd/cri/integration-tests.sh
+++ b/integration/containerd/cri/integration-tests.sh
@@ -18,6 +18,8 @@ source "${SCRIPT_PATH}/../../../.ci/lib.sh"
 # runc is installed in /usr/local/sbin/ add that path
 export PATH="$PATH:/usr/local/sbin"
+TEST_INITRD="${TEST_INITRD:-no}"
+
 containerd_tarball_version=$(get_version "externals.containerd.version")
 # Runtime to be used for testing
@@ -97,7 +99,7 @@ ci_cleanup() {
 fi
 [ -f "$kata_config_backup" ] && sudo mv "$kata_config_backup" "$kata_config" || \
- sudo rm "$kata_config"
+ sudo rm "$kata_config" || true
 }
 create_containerd_config() {
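Review bot: `USE_DOCKER=${USE_DOCKER:-"true"}` at the top of `build_install_apparmor_image` assigns a global, so every later caller in the script that sources lib.sh sees `USE_DOCKER` forced to `true` after this function has run once; the value is only consumed by the two `sudo -E … USE_DOCKER="${USE_DOCKER}"` invocations, so `local use_docker="${USE_DOCKER:-true}"` passed as `USE_DOCKER="${use_docker}"` keeps it scoped. The surrounding definitions (`function build_static_artifact_and_install()`, `function get_dep_from_yaml_db()`) use the `function` keyword form while the new one is declared as `build_install_apparmor_image() {`; matching the file's style would help. The final `install -o root -g root -m 0640` makes the image readable by root only, which is fine if the VMM always runs as root in CI, but if any configuration runs it as an unprivileged user it will fail to open the image — a one-line comment stating the intended reader of the file would make that choice explicit.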
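Review bot: The added `|| true` on `sudo rm "$kata_config"` hides a failed removal but leaves the `[ -f … ] && sudo mv … || sudo rm …` chain in place, in which a failed `mv` of the backup also falls through to `rm` and deletes the live configuration without any error being reported. An explicit `if`/`else` restores the backup when it exists and otherwise removes the config with `rm -f`, which tolerates an already-missing file without masking other failures. `ci_cleanup` begins outside the hunk.
```shell
  # … unchanged: earlier cleanup steps …
  if [ -f "$kata_config_backup" ]; then
    sudo mv "$kata_config_backup" "$kata_config"
  else
    # -f: the config may already be gone; any other rm failure still surfaces.
    sudo rm -f "$kata_config"
  fi
```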
@@ -431,6 +433,75 @@ EOF
 create_containerd_config "${containerd_runtime_test}"
 }
+TestContainerGuestApparmor() {
+ info "Test container guest AppArmor"
+
+ # The ppc64le job uses the initrd image, so the test will be skipped.
+ if [[ "${TEST_INITRD}" == "yes" ]]; then
+ info "Skip the test because the guest AppArmor doesn't work with the agent init"
+ return
+ fi
+ if [ ! -e "${KATA_APPARMOR_IMAGE}" ]; then
+ info "Skip the test becasue the guest AppArmor image doesn't exist"
+ return
+ fi
+
+ # Set the guest AppArmor rootfs image because the guest AppArmor doesn't work with the agent init.
+ sudo sed -i "/^image =/c image = "\"${KATA_APPARMOR_IMAGE}\""" "${kata_config}"
+ # Enable the guest AppArmor.
+ sudo sed -i '/^disable_guest_apparmor/ s/true/false/g' "${kata_config}"
+ sudo sed -i 's/^#\(debug_console_enabled\).*=.*$/\1 = true/g' "${kata_config}"
+
+ local container_yaml="${REPORT_DIR}/container.yaml"
+ local image="busybox:latest"
+ cat << EOF > "${container_yaml}"
+metadata:
+ name: busybox-apparmor
+image:
+ image: "$image"
+command:
+- top
+EOF
+
+ info "Check the AppArmor profile is applied to the container executed by crictl start"
+ testContainerStart 1
+ aa_status=$(expect -c "
+ spawn -noecho kata-runtime exec $podid
+ expect "root@localhost:/#"
+ send \"aa-status\n\"
+ expect "root@localhost:/#"
+ send \"exit\n\"
+ expect eof
+ ")
+ echo "aa-status results:"
+ echo "${aa_status}"
+ ret=$(echo "$aa_status" | grep "/bin/top.*kata-default" || true)
+ [ -n "$ret" ] || die "not found /bin/top kata-default profile"
+
+ info "Check the AppArmor profile is applied to the process executed by crictl exec"
+ sudo -E crictl exec $cid sleep 10 &
+ # sleep for 1s to make sure the exec process started.
+ sleep 1
+ aa_status=$(expect -c "
+ spawn -noecho kata-runtime exec $podid
+ expect "root@localhost:/#"
+ send \"aa-status\n\"
+ expect "root@localhost:/#"
+ send \"exit\n\"
+ expect eof
+ ")
+ echo "aa-status results:"
+ echo "${aa_status}"
+ ret=$(echo "$aa_status" | grep "/bin/sleep.*kata-default" || true)
+ [ -n "$ret" ] || die "not found /bin/sleep kata-default profile"
+
+ testContainerStop
+
+ # Reset the Kata configuration file.
+ sudo rm "${kata_config}"
+ ci_config
+}
+
 # k8s may restart docker which will impact on containerd stop
 stop_containerd() {
 local tmp=$(pgrep kubelet || true)
@@ -509,6 +580,8 @@ main() {
 TestContainerMemoryUpdate 0
 fi
+ TestContainerGuestApparmor
+
 TestKilledVmmCleanup
 popd
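Review bot: The `expect -c` block that runs `aa-status` through the guest debug console appears twice verbatim (after `testContainerStart 1` and after the backgrounded `crictl exec`), and its quoting is mixed: `expect "root@localhost:/#"` ends and re-opens the outer bash string, which only works because the prompt contains no whitespace, while `send \"aa-status\n\"` is escaped as intended. A helper with uniformly escaped quotes removes the duplication, and the two `ret=$(… | grep … || true)` / `[ -n "$ret" ]` pairs collapse to `grep -q "/bin/top.*kata-default" <<<"$aa_status" || die …`. `$podid` and `$cid` are unquoted, `aa_status` and `ret` are not `local`, and the `sudo -E crictl exec $cid sleep 10 &` job is never reaped, so its exit status is discarded. The function also turns on `debug_console_enabled` in the runtime config and only undoes it (`sudo rm "${kata_config}"; ci_config`) on the success path; if `die` does not terminate the whole run in this harness, later tests would execute with the debug console enabled, so either moving the reset into `ci_cleanup` or a comment stating that `die` exits the script would settle it. The skip message on the `[ ! -e "${KATA_APPARMOR_IMAGE}" ]` branch misspells `because` as `becasue`.
```shell
# Run aa-status inside the guest through the debug console and print its output.
# Arguments: $1 - sandbox id handed to `kata-runtime exec`
guest_aa_status() {
  local sandbox_id="$1"
  expect -c "
    spawn -noecho kata-runtime exec ${sandbox_id}
    expect \"root@localhost:/#\"
    send \"aa-status\n\"
    expect \"root@localhost:/#\"
    send \"exit\n\"
    expect eof
  "
}

TestContainerGuestApparmor() {
  # … unchanged: skip checks, config edits, container yaml …
  testContainerStart 1
  local aa_status
  aa_status=$(guest_aa_status "$podid")
  echo "aa-status results:"
  echo "${aa_status}"
  grep -q "/bin/top.*kata-default" <<<"$aa_status" || die "not found /bin/top kata-default profile"

  info "Check the AppArmor profile is applied to the process executed by crictl exec"
  sudo -E crictl exec "$cid" sleep 10 &
  local exec_pid=$!
  # sleep for 1s to make sure the exec process started.
  sleep 1
  aa_status=$(guest_aa_status "$podid")
  echo "aa-status results:"
  echo "${aa_status}"
  grep -q "/bin/sleep.*kata-default" <<<"$aa_status" || die "not found /bin/sleep kata-default profile"

  testContainerStop
  # Reap the background exec; its status is not meaningful once the container is stopped.
  wait "$exec_pid" 2>/dev/null || true
  # … unchanged: config reset …
}
```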