Posted to commits@mesos.apache.org by gi...@apache.org on 2018/08/14 23:57:58 UTC
[mesos] 06/10: Added a test
`ROOT_ImageInReadOnlyVolumeWithoutRootFilesystem`.
This is an automated email from the ASF dual-hosted git repository.
gilbert pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git
commit 6d1af986c323295af71e7dbbf3319742a906bf77
Author: Qian Zhang <zh...@gmail.com>
AuthorDate: Tue Aug 14 16:19:31 2018 -0700
Added a test `ROOT_ImageInReadOnlyVolumeWithoutRootFilesystem`.
Review: https://reviews.apache.org/r/68218/
---
.../containerizer/volume_image_isolator_tests.cpp | 85 ++++++++++++++++++++++
1 file changed, 85 insertions(+)
diff --git a/src/tests/containerizer/volume_image_isolator_tests.cpp b/src/tests/containerizer/volume_image_isolator_tests.cpp
index b49f0f9..e47df53 100644
--- a/src/tests/containerizer/volume_image_isolator_tests.cpp
+++ b/src/tests/containerizer/volume_image_isolator_tests.cpp
@@ -244,6 +244,91 @@ TEST_P(VolumeImageIsolatorTest, ROOT_ImageInVolumeWithRootFilesystem)
}
}
+
+// This test verifies that a container launched without
+// a rootfs cannot write to a read-only IMAGE volume.
+TEST_P(VolumeImageIsolatorTest, ROOT_ImageInReadOnlyVolumeWithoutRootFilesystem)
+{
+ string registry = path::join(sandbox.get(), "registry");
+ AWAIT_READY(DockerArchive::create(registry, "test_image"));
+
+ slave::Flags flags = CreateSlaveFlags();
+ flags.isolation = "filesystem/linux,volume/image,docker/runtime";
+ flags.docker_registry = registry;
+ flags.docker_store_dir = path::join(sandbox.get(), "store");
+ flags.image_providers = "docker";
+
+ Fetcher fetcher(flags);
+
+ Try<MesosContainerizer*> create =
+ MesosContainerizer::create(flags, true, &fetcher);
+
+ ASSERT_SOME(create);
+
+ Owned<Containerizer> containerizer(create.get());
+
+ ContainerID containerId;
+ containerId.set_value(id::UUID::random().toString());
+
+ ContainerInfo container = createContainerInfo(
+ None(),
+ {createVolumeFromDockerImage("rootfs", "test_image", Volume::RO)});
+
+ CommandInfo command = createCommandInfo("echo abc > rootfs/file");
+
+ ExecutorInfo executor = createExecutorInfo(
+ "test_executor",
+ nesting ? createCommandInfo("sleep 1000") : command);
+
+ if (!nesting) {
+ executor.mutable_container()->CopyFrom(container);
+ }
+
+ string directory = path::join(flags.work_dir, "sandbox");
+ ASSERT_SOME(os::mkdir(directory));
+
+ Future<Containerizer::LaunchResult> launch = containerizer->launch(
+ containerId,
+ createContainerConfig(None(), executor, directory),
+ map<string, string>(),
+ None());
+
+ AWAIT_ASSERT_EQ(Containerizer::LaunchResult::SUCCESS, launch);
+
+ Future<Option<ContainerTermination>> wait = containerizer->wait(containerId);
+
+ if (nesting) {
+ ContainerID nestedContainerId;
+ nestedContainerId.mutable_parent()->CopyFrom(containerId);
+ nestedContainerId.set_value(id::UUID::random().toString());
+
+ launch = containerizer->launch(
+ nestedContainerId,
+ createContainerConfig(command, container),
+ map<string, string>(),
+ None());
+
+ AWAIT_ASSERT_EQ(Containerizer::LaunchResult::SUCCESS, launch);
+
+ wait = containerizer->wait(nestedContainerId);
+ }
+
+ AWAIT_READY(wait);
+ ASSERT_SOME(wait.get());
+ ASSERT_TRUE(wait->get().has_status());
+ EXPECT_WEXITSTATUS_NE(0, wait->get().status());
+
+ if (nesting) {
+ Future<Option<ContainerTermination>> termination =
+ containerizer->destroy(containerId);
+
+ AWAIT_READY(termination);
+ ASSERT_SOME(termination.get());
+ ASSERT_TRUE(termination->get().has_status());
+ EXPECT_WTERMSIG_EQ(SIGKILL, termination.get()->status());
+ }
+}
+
} // namespace tests {
} // namespace internal {
} // namespace mesos {
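Review bot: The closing check `EXPECT_WEXITSTATUS_NE(0, wait->get().status())` accepts any non-zero exit, so the test also passes when `echo abc > rootfs/file` fails for a reason unrelated to read-only enforcement. One such case, inferred because the isolator code is not in this hunk, is the IMAGE volume never being mounted so that `rootfs` is absent from the sandbox. Since the test exists to prove a write-protection guarantee, the command should tell the two cases apart: `createCommandInfo("test -d rootfs && ! echo abc > rootfs/file")` paired with `EXPECT_WEXITSTATUS_EQ(0, wait->get().status())` succeeds only when the mount point is present and the write is refused. A short comment above the assertion, such as `// The write must be rejected because the volume is mounted read-only.`, would also record which failure is the expected one.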