Merge pull request #16408 from runcom/fix-test-no-docker

openshift-merge-robot · web-flow · commit f2a47df77c22 · 2017-10-30T04:13:46.000-07:00
Automatic merge from submit-queue. test: extended: avoid using docker directly This test fails when running against CRI-O (https://ci.openshift.redhat.com/jenkins/job/test_branch_origin_extended_conformance_crio/40/console) because it uses docker. Modify the test to check groups in container instead. ref #16403 @smarterclayton PTAL Signed-off-by: Antonio Murdaca <runcom@redhat.com>
diff --git a/test/extended/security/supplemental_groups.go b/test/extended/security/supplemental_groups.go
@@ -8,29 +8,33 @@ import (
 	g "github.com/onsi/ginkgo"
 	o "github.com/onsi/gomega"
 
+	exutil "github.com/openshift/origin/test/extended/util"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	kapiv1 "k8s.io/kubernetes/pkg/api/v1"
 	e2e "k8s.io/kubernetes/test/e2e/framework"
+)
 
-	testutil "github.com/openshift/origin/test/util"
+const (
+	supplementalGroupsPod = "supplemental-groups"
 )
 
 var _ = g.Describe("[security] supplemental groups", func() {
 	defer g.GinkgoRecover()
 
 	var (
-		f = e2e.NewDefaultFramework("security-supgroups")
+		oc = exutil.NewCLI("sup-groups", exutil.KubeConfigPath())
+		f  = oc.KubeFramework()
 	)
 
 	g.Describe("[Conformance]Ensure supplemental groups propagate to docker", func() {
-		g.It("should propagate requested groups to the docker host config [local]", func() {
-			g.By("getting the docker client")
-			dockerCli, err := testutil.NewDockerClient()
-			o.Expect(err).NotTo(o.HaveOccurred())
+		g.It("should propagate requested groups to the container [local]", func() {
 
 			fsGroup := int64(1111)
 			supGroup := int64(2222)
 
+			_, err := oc.AsAdmin().Run("adm").Args("policy", "add-scc-to-user", "anyuid", oc.Username()).Output()
+			o.Expect(err).NotTo(o.HaveOccurred())
+
 			// create a pod that is requesting supplemental groups.  We request specific sup groups
 			// so that we can check for the exact values later and not rely on SCC allocation.
 			g.By("creating a pod that requests supplemental groups")
@@ -52,50 +56,29 @@ var _ = g.Describe("[security] supplemental groups", func() {
 			err = f.WaitForPodRunning(submittedPod.Name)
 			o.Expect(err).NotTo(o.HaveOccurred())
 
-			// find the docker id of our running container.
-			g.By("finding the docker container id on the pod")
-			retrievedPod, err = f.ClientSet.CoreV1().Pods(f.Namespace.Name).Get(submittedPod.Name, metav1.GetOptions{})
-			o.Expect(err).NotTo(o.HaveOccurred())
-			containerID, err := getContainerID(retrievedPod)
-			o.Expect(err).NotTo(o.HaveOccurred())
-
-			// now check the host config of the container which should have been updated by the
-			// kubelet.  If that is good then ensure we have the groups we expected.
-			g.By("inspecting the container")
-			dockerContainer, err := dockerCli.InspectContainer(containerID)
+			out, stderr, err := oc.Run("exec").Args("-p", supplementalGroupsPod, "--", "/usr/bin/id", "-G").Outputs()
+			if err != nil {
+				logs, _ := oc.Run("logs").Args(supplementalGroupsPod).Output()
+				e2e.Failf("Failed to get groups: \n%q, %q, pod logs: \n%q", out, stderr, logs)
+			}
 			o.Expect(err).NotTo(o.HaveOccurred())
 
-			g.By("ensuring the host config has GroupAdd")
-			groupAdd := dockerContainer.HostConfig.GroupAdd
-			o.Expect(groupAdd).ToNot(o.BeEmpty(), fmt.Sprintf("groupAdd on host config was %v", groupAdd))
-
-			g.By("ensuring the groups are set")
+			split := strings.Split(out, " ")
+			o.Expect(split).ToNot(o.BeEmpty(), fmt.Sprintf("no groups in pod: %v", out))
 			group := strconv.FormatInt(fsGroup, 10)
-			o.Expect(groupAdd).To(o.ContainElement(group), fmt.Sprintf("fsGroup %v should exist on host config: %v", fsGroup, groupAdd))
-
+			o.Expect(split).To(o.ContainElement(group), fmt.Sprintf("fsGroup %v should exist in pod's groups: %v", fsGroup, out))
 			group = strconv.FormatInt(supGroup, 10)
-			o.Expect(groupAdd).To(o.ContainElement(group), fmt.Sprintf("supGroup %v should exist on host config: %v", supGroup, groupAdd))
+			o.Expect(split).To(o.ContainElement(group), fmt.Sprintf("supGroup %v should exist in pod's groups: %v", supGroup, out))
 		})
 
 	})
 })
 
-// getContainerID is a helper to parse the docker container id from a status.
-func getContainerID(p *kapiv1.Pod) (string, error) {
-	for _, status := range p.Status.ContainerStatuses {
-		if len(status.ContainerID) > 0 {
-			containerID := strings.Replace(status.ContainerID, "docker://", "", -1)
-			return containerID, nil
-		}
-	}
-	return "", fmt.Errorf("unable to find container id on pod")
-}
-
 // supGroupPod generates the pod requesting supplemental groups.
 func supGroupPod(fsGroup int64, supGroup int64) *kapiv1.Pod {
 	return &kapiv1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: "supplemental-groups",
+			Name: supplementalGroupsPod,
 		},
 		Spec: kapiv1.PodSpec{
 			SecurityContext: &kapiv1.PodSecurityContext{
@@ -104,7 +87,7 @@ func supGroupPod(fsGroup int64, supGroup int64) *kapiv1.Pod {
 			},
 			Containers: []kapiv1.Container{
 				{
-					Name:  "supplemental-groups",
+					Name:  supplementalGroupsPod,
 					Image: "openshift/origin-pod",
 				},
 			},
