Set up the VM:

```bash
cd $GOPATH/src/github.com/containerd/cri
./hack/install/install-cni.sh
./hack/install/install-cni-config.sh
./hack/install/install-containerd.sh

# PERMISSIVE
sudo setenforce 0
sudo rm -rvf /tmp/test-cri
mkdir -p /tmp/test-cri/
# Empty the audit log so it only holds records from this run
sudo truncate --reference=/dev/null /var/log/audit/audit.log
# Fixed SEED so both runs execute the specs in the same order
make test-cri SEED=123456789 > /tmp/test-cri/permissive-critest.log 2>&1
sudo cp -vf /var/log/audit/audit.log /tmp/test-cri/permissive-audit.log
sudo mv -vf /tmp/test-cri/containerd.log /tmp/test-cri/permissive-containerd.log

# ENFORCING
sudo setenforce 1
make test-cri SEED=123456789 > /tmp/test-cri/enforcing-critest.log 2>&1
sudo mv -vf /tmp/test-cri/containerd.log /tmp/test-cri/enforcing-containerd.log
sudo chown -R vagrant:vagrant /tmp/test-cri
```
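
To see which failures are attributable to enforcing mode, the two critest logs written above can be diffed by failed test name. The script below is an added example, not part of the original procedure; its function names and the sample log contents are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): diff the failure sets of two critest logs.

# failed_tests LOG: unique "[Fail] ..." test names from Ginkgo's failure summary.
# Colour escapes and the trailing source location are stripped, so the same test
# compares equal whether cri-tools was built under /go/src or /usr/src.
failed_tests() {
  ft_esc=$(printf '\033')
  sed -e "s/${ft_esc}\[[0-9;]*m//g" "$1" |
    grep '^\[Fail] ' |
    sed -e 's/[[:space:]]*$//' -e 's# /[^ ]*\.go:[0-9]*$##' |
    LC_ALL=C sort -u
}

# only_in_second A B: tests that fail in log B but not in log A,
# e.g. A = permissive-critest.log, B = enforcing-critest.log.
only_in_second() {
  ois_a=$(mktemp) || return 1
  ois_b=$(mktemp) || { rm -f "$ois_a"; return 1; }
  failed_tests "$1" > "$ois_a"
  failed_tests "$2" > "$ois_b"
  LC_ALL=C comm -13 "$ois_a" "$ois_b"
  rm -f "$ois_a" "$ois_b"
}

# make_sample_logs DIR: write two small constructed logs (hypothetical results,
# test names borrowed from the summaries on this page) for an offline run.
make_sample_logs() {
  msl_esc=$(printf '\033')
  msl_pid='[k8s.io] Security Context NamespaceOption [It] runtime should support PodPID'
  msl_se='[k8s.io] SELinux runtime should support selinux when single pod sandbox is not privileged [It] should work with selinux set'
  printf '%s\n' 'Summarizing 1 Failure:' '' "[Fail] $msl_pid " \
    '/go/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/container.go:418' \
    > "$1/permissive-critest.log"
  printf '%s\n' 'Summarizing 2 Failures:' '' \
    "${msl_esc}[91m[Fail] ${msl_esc}[0m$msl_se " \
    '/usr/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/selinux_linux.go:212' '' \
    "[Fail] $msl_pid /usr/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/container.go:418" \
    > "$1/enforcing-critest.log"
}

# Demo on the constructed logs: prints the one failure unique to the enforcing log.
demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
only_in_second "$demo_dir/permissive-critest.log" "$demo_dir/enforcing-critest.log"
rm -rf "$demo_dir"
```

On real output, call `only_in_second /tmp/test-cri/permissive-critest.log /tmp/test-cri/enforcing-critest.log`; the same function compares the summaries of two different containerd builds.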
- containerd/containerd v1.4.0-beta.0:
https://gist.github.com/dweomer/f5bdbbd2bd9aa692e9f77dc499b79338
```
Summarizing 10 Failures:

[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support PodPID
/go/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/container.go:418

[Fail] [k8s.io] Multiple Containers [Conformance] when running multiple containers in a pod [It] should support container exec
/go/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/container.go:418

[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support HostPID
/go/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/container.go:418

[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support ContainerPID
/go/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/container.go:418

[Fail] [k8s.io] Streaming runtime should support streaming interfaces [It] runtime should support portforward [Conformance]
/go/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/networking.go:253

[Fail] [k8s.io] Multiple Containers [Conformance] when running multiple containers in a pod [It] should support container log
/go/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/multi_container_linux.go:95

[Fail] [k8s.io] Multiple Containers [Conformance] when running multiple containers in a pod [It] should support network
/go/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/networking.go:253

[Fail] [k8s.io] Networking runtime should support networking [It] runtime should support port mapping with only container port [Conformance]
/go/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/networking.go:253

[Fail] [k8s.io] Networking runtime should support networking [It] runtime should support port mapping with host port and container port [Conformance]
/go/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/networking.go:253

[Fail] [k8s.io] Streaming runtime should support streaming interfaces [It] runtime should support portforward in host network
/go/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/networking.go:253
```
- rancher/containerd v1.3.3-k3s2 (k3s v1.18.6+k3s1):
https://gist.github.com/dweomer/0e0e6cde39f1c9bcee6f2cc3c5ba3531
```
Summarizing 13 Failures:

[Fail] [k8s.io] Streaming runtime should support streaming interfaces [It] runtime should support portforward [Conformance]
/usr/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/networking.go:253

[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support PodPID
/usr/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/container.go:418

[Fail] [k8s.io] SELinux runtime should support selinux when single pod sandbox is not privileged [It] should error on create with wrong options
/usr/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/selinux_linux.go:175

[Fail] [k8s.io] Multiple Containers [Conformance] when running multiple containers in a pod [It] should support container log
/usr/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/multi_container_linux.go:95

[Fail] [k8s.io] Multiple Containers [Conformance] when running multiple containers in a pod [It] should support network
/usr/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/networking.go:253

[Fail] [k8s.io] Multiple Containers [Conformance] when running multiple containers in a pod [It] should support container exec
/usr/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/container.go:418

[Fail] [k8s.io] SELinux runtime should support selinux when single pod sandbox is privileged [It] should error on create with wrong options
/usr/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/selinux_linux.go:175

[Fail] [k8s.io] Networking runtime should support networking [It] runtime should support port mapping with only container port [Conformance]
/usr/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/networking.go:253

[Fail] [k8s.io] Container runtime should support basic operations on container [It] runtime should support removing running container [Conformance]
/usr/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/container.go:399

[Fail] [k8s.io] Networking runtime should support networking [It] runtime should support port mapping with host port and container port [Conformance]
/usr/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/networking.go:253

[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support HostPID
/usr/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/container.go:418

[Fail] [k8s.io] Streaming runtime should support streaming interfaces [It] runtime should support portforward in host network
/usr/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/networking.go:253

[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support ContainerPID
/usr/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/container.go:418
```
- dweomer/containerd v1.3.6-dev:
  - cri: https://github.com/dweomer/cri/tree/backport/1.3-selinux @ f3b0a52
  - containerd: https://github.com/dweomer/containerd/tree/release/1.3-k3s @ 25fdcce
  - k3s: https://github.com/dweomer/k3s/tree/containerd/v1.3.6-selinux @ a22d9c8
```
Summarizing 13 Failures:

[Fail] [k8s.io] SELinux runtime should support selinux when single pod sandbox is not privileged [It] should work with just selinux level set
/go/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/selinux_linux.go:212

[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support PodPID
/go/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/container.go:418

[Fail] [k8s.io] SELinux runtime should support selinux when single pod sandbox is not privileged [It] should work with selinux set
/go/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/selinux_linux.go:212

[Fail] [k8s.io] Multiple Containers [Conformance] when running multiple containers in a pod [It] should support container exec
/go/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/container.go:418

[Fail] [k8s.io] Security Context bucket [It] runtime should support that ReadOnlyRootfs is false
/go/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/container.go:594

[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support HostPID
/go/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/container.go:418

[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support ContainerPID
/go/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/container.go:418

[Fail] [k8s.io] Streaming runtime should support streaming interfaces [It] runtime should support portforward [Conformance]
/go/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/networking.go:253

[Fail] [k8s.io] Multiple Containers [Conformance] when running multiple containers in a pod [It] should support container log
/go/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/multi_container_linux.go:95

[Fail] [k8s.io] Multiple Containers [Conformance] when running multiple containers in a pod [It] should support network
/go/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/networking.go:253

[Fail] [k8s.io] Networking runtime should support networking [It] runtime should support port mapping with only container port [Conformance]
/go/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/networking.go:253

[Fail] [k8s.io] Networking runtime should support networking [It] runtime should support port mapping with host port and container port [Conformance]
/go/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/networking.go:253

[Fail] [k8s.io] Streaming runtime should support streaming interfaces [It] runtime should support portforward in host network
/go/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/networking.go:253
```