-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Initial integration tests for cgroupv2 #2295
Conversation
Thanks a lot for working on this, do you plan to work on |
Can we execute this on Travis? |
Probably not, Travis only provides Ubuntu 18.04 and I think it's kernel is too old. We need to find some other CI platform, say one that provides Fedora 31. Maybe Cirrus-CI could be used, I have yet to research it. |
We have been already running Fedora 31 KVM on Travis for unittest Line 36 in e4363b0
|
Right! I forgot about vargant/kvm. Will try to enable localintegration then. |
0cc5be6
to
71cfe8d
Compare
Not sure if it's possible to run a podman container with systemd in it. |
71cfe8d
to
a7cf01f
Compare
No need to use Podman/Docker for systemd test Line 22 in e4363b0
|
Description updated to refer to the up-to-date relevant PRs and issues.
@AkihiroSuda not at the moment, at least not until we fix cgroup v2. |
a7cf01f
to
76db7b5
Compare
I asked it because we have https://github.com/opencontainers/runc/blob/master/tests/integration/events.bats |
76db7b5
to
2e6e793
Compare
Removed the patch that caused test breakage |
118df02
to
825b300
Compare
OK the tests are running (currently with systemd only) and passing! Let me see if I can move bats installation into a script. |
2c2fb3b
to
3dac3f6
Compare
.travis.yml
Outdated
@@ -34,6 +34,7 @@ matrix: | |||
- sudo ssh default sudo podman build -t test /vagrant | |||
# Mounting /lib/modules into the container is necessary as CRIU wants to load (via iptables) additional modules | |||
- sudo ssh default sudo podman run --privileged --cgroupns=private -v /lib/modules:/lib/modules:ro test make localunittest | |||
- sudo ssh default 'cd /vagrant && sudo ./script/install-bats.sh && make RUNC_USE_SYSTEMD=yes integration' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- bats should be installed in Vagrantfile
- integration -> localintegration
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
bats should be installed in Vagrantfile
I did that initially, but by copy-pasting the installation steps from the Dockerfile. I'd rather have it in a script executed from both places. Is there a way to source the script to Vagrantfile (like I do for Dockerfile)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess, it should be also possible to invoke scripts under /vagrant
from the inline script, but haven't confirmed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems like I found a way. Let me test locally and then I'll push it.
c3f85b7
to
3805bfa
Compare
OK we need runc binary and bats on the vagrant host. We build runc inside a debian container, it might now work on a fedora host. Alternatively, we build it on host with whatever golang version Fedora 31 provides (currently 1.13.9 which is good). |
So, version 1 is to copy bats and runc from the container to the host and run the test (we can't use make since it wants to rebuild runc): diff --git a/.travis.yml b/.travis.yml
index 3e12b820..44773938 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -34,6 +34,9 @@ matrix:
- sudo ssh default sudo podman build -t test /vagrant
# Mounting /lib/modules into the container is necessary as CRIU wants to load (via iptables) additional modules
- sudo ssh default sudo podman run --privileged --cgroupns=private -v /lib/modules:/lib/modules:ro test make localunittest
+ # Copy bats and compiled runc binary from test image to vagrant host
+ - sudo ssh default 'sudo podman run --rm test tar cf - /usr/local/bin/bats /usr/local/libexec/bats* | sudo tar xf - -C / && sudo podman run --rm test tar cf - runc | sudo tar xf - -C /vagrant'
+ - sudo ssh default 'cd /vagrant && sudo RUNC_USE_SYSTEMD=yes bats -t tests/integration'
allow_failures:
- go: tip version 2 (install git, bats, golang, make on the host, compile and run test as usual): diff --git a/.travis.yml b/.travis.yml
index 44773938..aaca6307 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -34,6 +34,7 @@ matrix:
- sudo ssh default sudo podman build -t test /vagrant
# Mounting /lib/modules into the container is necessary as CRIU wants to load (via iptables) additional modules
- sudo ssh default sudo podman run --privileged --cgroupns=private -v /lib/modules:/lib/modules:ro test make localunittest
+ - sudo ssh default 'cd /vagrant && sudo RUNC_USE_SYSTEMD=yes make localintegration'
allow_failures:
- go: tip
diff --git a/Dockerfile b/Dockerfile
index 94be151e..e7d203a7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,4 @@
ARG GO_VERSION=1.13
-ARG BATS_VERSION=03608115df2071fff4eaaff1605768c275e5f81f
ARG CRIU_VERSION=v3.13
FROM golang:${GO_VERSION}-buster
@@ -49,13 +48,8 @@ RUN dpkg --add-architecture armel \
RUN useradd -u1000 -m -d/home/rootless -s/bin/bash rootless
# install bats
-ARG BATS_VERSION
-RUN cd /tmp \
- && git clone https://github.com/sstephenson/bats.git \
- && cd bats \
- && git reset --hard "${BATS_VERSION}" \
- && ./install.sh /usr/local \
- && rm -rf /tmp/bats
+COPY script/install-bats.sh /tmp
+RUN /tmp/install-bats.sh && rm /tmp/install-bats.sh
# install criu
ARG CRIU_VERSION
diff --git a/Vagrantfile b/Vagrantfile
index 165b0780..c8ec0ad0 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -13,6 +13,7 @@ Vagrant.configure("2") do |config|
v.cpus = 2
end
config.vm.provision "shell", inline: <<-SHELL
- dnf install -y podman
+ dnf install -y podman git make golang-go
SHELL
+ config.vm.provision "shell", path: "script/install-bats.sh"
diff --git a/script/install-bats.sh b/script/install-bats.sh
new file mode 100644
index 00000000..d63f4f0a
--- /dev/null
+++ b/script/install-bats.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -u -e -o pipefail
+: "${BATS_VERSION:="03608115df2071fff4eaaff1605768c275e5f81f"}"
+
+cd /tmp \
+ && git clone https://github.com/sstephenson/bats.git \
+ && cd bats \
+ && git reset --hard "${BATS_VERSION}" \
+ && ./install.sh /usr/local \
+ && rm -rf /tmp/bats @AkihiroSuda which one do you like better? (I kinda don't like either) |
0b6ce29
to
efc480e
Compare
OK, due to some options set by Fix: add |
My tests are now passing. Got unrelated failures in podman:
|
efc480e
to
1b11fce
Compare
OK, looks like everything works except |
@mrunalp @crosbymichael PTAL |
Consolidate two implementations of check_cgroup_value() into one, putting it into helpers. Remove the first parameter, deducing the variable to get the path from by the parameter name. This should help in future cgroupv2 support. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
1. Consolidate all the cgroup-related initialization code to a single place, init_cgroup_paths(), so we can see which variables are set. 2. Lazily call init_cgroup_paths() from all places that require it. 3. Don't set globals KMEM and RT_PERIOD. 4. Slightly clarlify variables naming: - use OCI_CGROUPS_PATH for cgroupsPath in config.json - use REL_CGROUPS_PATH for relative cgroups path 5. Do not hardcode the list of cgroup subsystems -- get it from /proc/cgroup. 6. Preliminary support for cgroupv2 unified hierarchy (not yet working). Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This comment was added by commit 6cd425b (Allow update rt_period_us and rt_runtime_us, Nov 4 2016), and the test case was added by commit 51baedf (Add integration for update rt period and runtime, Nov 28 2016), making the comment obsolete. Remove it. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
... and add kmem-tcp to cgroups kmem test. First, we already have a separate kmem test in cgroups.bats. Second, making kmem a requirement leads to skipping all the other test cases in the update.bats test. Third, kmem limit is being removed from the kernel, so it makes sense to handle it separately. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
There's no need for an intermediate variable Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
1. Add `cgroups_v1` and `cgroups_v2` options to `requires`. 2. Modify `check_cgroup_value` to be able to work with v2. 3. Split `test "update"` into two: - (1) testing cgroupv1-only cpu shares and cfs - (2) testing limits that are more or less common between v1 and v2: memory/swap, pids, cpusets. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Swap setting for cgroupv2 is currently broken, so let's temporarily disable this part of test. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
1b11fce
to
bcbdccc
Compare
|
OK, vagrant on Travis is installing |
50d4157
to
571a36c
Compare
Those needs to be run on the (Vagrant Fedora 31) host (since we need real systemd running), and so we have to have all the tools needed to compile runc and run the tests. The good news is Fedora packages a decent and recent release of bats-core (1.1.0), which we can use (Debian does not), and we can also use golang (currently 1.13.9) from Fedora. The bad news are 1. Currently cgroups tests are only working with RUNC_USE_SYSTEMD=yes (addressed by opencontainers#2299, opencontainers#2305) 2. Tests in events.bats do not work (need cgroupv2 memory.events support) 3. Fedora 31 image is 6 months old (and has broken container-selinux policy) so we need `dnf update`, which adds ~5 min to test time. [v2: add -t to ssh to enforce pty] [v3: disable events tests for cgroupv2] [v4: update fedora packages, use a single dnf transation] Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
571a36c
to
84583eb
Compare
This refactors integration test helpers a bit, and adds some initial tests for cgroupv2.
Split into logical small(er) commits for the sake of easier reviewing, so better to review it commit by commit.
This is far from complete, but is it mergeable and already helped to find a surprising number of bugs:
[SELinux] cgroupv2: runc run --systemd-cgroup do not put container in proper cgroup #2310 cgroupv2: runc run --systemd-cgroup do not put container in proper cgroup (should be fixed by [WIP] cgroupv2: fix systemd driver not putting pid into cgroup #2311)