dweomer

docker run --rm -v /:/host --net=host --pid=host --ipc=host --privileged -it alpine chroot /host

dweomer

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>loopback.alias</string>
	<key>ProgramArguments</key>
	<array>
		<string>/sbin/ifconfig</string>
		<string>lo0</string>

dweomer

version: "3"

volumes:
  local-data:
  mirror-data:

services:
  local:
    container_name: registry-local
    image: registry:2

dweomer

tooling

• https://github.com/containers/udica
  • https://www.youtube.com/watch?v=iMO6rwA-i_s
• https://github.com/xek/capabilities_tracker

k3s

• https://github.com/rancher/k3s-selinux/blob/v0.1/k3s.te
• https://github.com/rancher/k3s-selinux/blob/v0.1/k3s.fc

containerd/cri

dweomer

[vagrant@localhost cri]$ make test-cri
🇩 binaries
🇩 test-cri
/go/bin/critest
'/go/src/github.com/containerd/cri/hack/../_output/containerd' -> '/usr/local/bin/containerd-test'
changing security context of '/usr/local/bin/containerd-test'
make[1]: Entering directory '/go/src/github.com/containerd/cri/test/selinux/policy'
make[1]: 'containerd-test.pp' is up to date.
make[1]: Leaving directory '/go/src/github.com/containerd/cri/test/selinux/policy'
mkdir: created directory '/var/lib/containerd-test'

dweomer

Notes

Setup the VM:

• https://github.com/dweomer/cri/blob/test/selinux/test/selinux/Vagrantfile

Prepare

cd $GOPATH/src/github.com/containerd/cri
./hack/install/install-cni.sh
./hack/install/install-cni-config.sh

dweomer

🇩 binaries
🇩 test-cri
/go/bin/critest
'/go/src/github.com/containerd/cri/hack/../_output/containerd' -> '/usr/local/bin/containerd-test'
changing security context of '/usr/local/bin/containerd-test'
make[1]: Entering directory '/go/src/github.com/containerd/cri/test/selinux/policy'
rm -fR tmp
rm -f *.pp
/usr/share/selinux/devel/include/services/container.if:13: Error: duplicate definition of container_runtime_domtrans(). Original definition on 13.
/usr/share/selinux/devel/include/services/container.if:40: Error: duplicate definition of container_runtime_run(). Original definition on 40.

dweomer

critest version: 1.18.0-89-gbaca4a1
Running Suite: CRI validation
=============================
Random Seed: 123456789 - Will randomize all specs
Will run 90 of 97 specs

[k8s.io] Container runtime should support basic operations on container 
  runtime should support removing stopped container [Conformance]
  /usr/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/container.go:134
[BeforeEach] [k8s.io] Container

dweomer

🇩 binaries
🇩 test-cri
/go/bin/critest
'/go/src/github.com/containerd/cri/hack/../_output/containerd' -> '/usr/local/bin/containerd-test'
changing security context of '/usr/local/bin/containerd-test'
make[1]: Entering directory '/go/src/github.com/containerd/cri/test/selinux/policy'
rm -fR tmp
rm -f *.pp
/usr/share/selinux/devel/include/services/container.if:13: Error: duplicate definition of container_runtime_domtrans(). Original definition on 13.
/usr/share/selinux/devel/include/services/container.if:40: Error: duplicate definition of container_runtime_run(). Original definition on 40.

dweomer

KVM in runc

Running a KVM virtual machine inside a runc contianer.

Requirements

• A host which can run KVM virtual machines using Vagrant.

Setting up a test VM