tests/int: introduce the concept of unsafe tests#5212
tests/int: introduce the concept of unsafe tests#5212cyphar merged 1 commit intoopencontainers:mainfrom
Conversation
|
Note that the following is not considered "unsafe":
One other "unsafe" case not covered here is rootless idmap tests setup/cleanup in tests/rootless.sh, which renames /usr/bin/new{u,g}idmap binaries and modifies /etc/sub{u,g}id. Maybe we should skip it, too, unless RUNC_ALLOW_UNSAFE_TESTS is set. |
rata
left a comment
rata
left a comment
There was a problem hiding this comment.
It seems bats has built-in support for tags/labels, but if you run bats ... <file> it won't work. You can force it to be opt-in. So this SGTM
Right, I forgot about bats tags. The big issue is, you can't force it to be opt-in (you probably meant the same thing) if you're using bats directly (I often do that on my machine). Another thing with bats tags is the test is silently excluded rather than skipped, while here the test is shown as skipped with a reason why ("requires unsafe"). To me being visible is slightly better. Since implementation is rather trivial I'd rather stick to it. |
Some of runc integration tests may do something that I would not like when running those on my development laptop. Examples include - changing the root mount propagation [1]; - replacing /root/runc [2]; - changing the file in /etc (see checkpoint.bats). Yet it is totally fine to do all that in a throwaway CI environment, or inside a Docker container. Introduce a mechanism to skip specific "unsafe" tests unless an environment variable, RUNC_ALLOW_UNSAFE_TESTS, is set. Use it from a specific checkpoint/restore test which modifies /etc/criu/default.conf. [1]: opencontainers#5200 [2]: opencontainers#5207 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
thaJeztah
left a comment
thaJeztah
left a comment
There was a problem hiding this comment.
SGTM
haven't tested as I'm not on a Linux machine, so assuming this does the skips as expected 😅
| LIBPATHRS_VERSION: "0.2.4" | ||
| RPMS: gcc git-core iptables jq glibc-static libseccomp-devel make criu fuse-sshfs container-selinux policycoreutils cargo lld wget | ||
| # Allow potentially unsafe tests. | ||
| RUNC_ALLOW_UNSAFE_TESTS: yes |
There was a problem hiding this comment.
Does this variable RUNC_ALLOW_UNSAFE_TESTS reach the tests in Cirrus CI correctly?. It seams all integration tests are executed via ssh -tt localhost "make ...", which starts a new login shell.
I checked the cirrus ci logs of this PR and found ok 46 checkpoint and restore with container specific CRIU config # skip test requires unsafe. If the variable works, the comment # skip test requires unsafe won't appear here, right?
There was a problem hiding this comment.
Thanks, good catch. Would you mind opening a PR to fix this?
6 participants
Some of runc integration tests may do something that I would not like when running those on my development laptop. Examples include
Yet it is totally fine to do all that in a throwaway CI environment, or inside a Docker container.
Introduce a mechanism to skip specific "unsafe" tests unless an environment variable, RUNC_ALLOW_UNSAFE_TESTS, is set. Use it from a specific checkpoint/restore test which modifies /etc/criu/default.conf.