diff --git a/example/capabilities.nomad b/example/capabilities.nomad
index 39448bf..c3603e0 100644
--- a/example/capabilities.nomad
+++ b/example/capabilities.nomad
@@ -6,11 +6,12 @@ job "capabilities" {
 driver = "containerd-driver"
 
 config {
- image = "docker.io/library/ubuntu:16.04"
- command = "sleep"
- args = ["600s"]
- cap_add = ["CAP_SYS_ADMIN", "CAP_IPC_OWNER", "CAP_IPC_LOCK"]
- cap_drop = ["CAP_CHOWN", "CAP_SYS_CHROOT", "CAP_DAC_OVERRIDE"]
+ image = "docker.io/library/ubuntu:16.04"
+ command = "sleep"
+ args = ["600s"]
+ readonly_rootfs = true
+ cap_add = ["CAP_SYS_ADMIN", "CAP_IPC_OWNER", "CAP_IPC_LOCK"]
+ cap_drop = ["CAP_CHOWN", "CAP_SYS_CHROOT", "CAP_DAC_OVERRIDE"]
 }
 
 resources {
diff --git a/tests/001-test-redis.sh b/tests/001-test-redis.sh
index 95f5ba9..544a29f 100755
--- a/tests/001-test-redis.sh
+++ b/tests/001-test-redis.sh
@@ -43,7 +43,6 @@ test_redis_nomad_job() {
 }
 
 is_redis_container_active() {
- set +e
 i="0"
 while test $i -lt 5
 do
@@ -56,7 +55,6 @@ is_redis_container_active() {
 sleep 3s
 i=$[$i+1]
 done
- set -e
 
 if [ $i -ge 5 ]; then
 echo "ERROR: redis container didn't come up. exit 1."
diff --git a/tests/003-test-capabilities.sh b/tests/003-test-capabilities.sh
new file mode 100755
index 0000000..d082acd
--- /dev/null
+++ b/tests/003-test-capabilities.sh
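Review bot: `readonly_rootfs = true` is added directly above a `cap_add` that still grants CAP_SYS_ADMIN, which carries mount privileges, so the read-only rootfs is not a strong containment guarantee in this example and readers copying it may take the two settings as a combined hardening profile. A one-line comment above the new line, such as `# readonly_rootfs hardens the container, but CAP_SYS_ADMIN below allows remounting; drop it for real jobs`, would make the limitation explicit in the file users start from. The enclosing job and task blocks start and end outside the hunk.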
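Review bot: Removing `set +e` and `set -e` around the readiness loop changes errexit behaviour for the rest of the script in a way that depends on whether errexit is enabled elsewhere, which is not visible in these hunks. If the script enables `set -e` at the top, the probe inside the loop (outside the hunk, but by analogy with the new 003 script a `ctr task ls|grep -q RUNNING` pipeline) now aborts on the first non-match instead of retrying, because a failing pipeline outside an `if` trips errexit; if it does not, the removed `set -e` was the only place errexit was turned on and failures after the loop are no longer fatal. Either way the intent should be stated: a comment such as `# no errexit here: the readiness probe relies on non-zero grep status to retry` at the top of the function, or writing the probe as `if sudo CONTAINERD_NAMESPACE=nomad ctr task ls | grep -q RUNNING; then` so it is safe under either setting. This applies to both hunks of this file; is_redis_container_active continues outside them.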
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+test_capabilities_nomad_job() {
+ pushd ~/go/src/github.com/Roblox/nomad-driver-containerd/example
+
+ echo "INFO: Starting nomad capabilities job using nomad-driver-containerd."
+ nomad job run capabilities.nomad
+
+ echo "INFO: Checking status of capabilities job."
+ cap_status=$(nomad job status -short capabilities|grep Status|awk '{split($0,a,"="); print a[2]}'|tr -d ' ')
+ if [ $cap_status != "running" ];then
+ echo "ERROR: Error in getting capabilities job status."
+ exit 1
+ fi
+
+ # Even though $(nomad job status) reports capabilities job status as "running"
+ # The actual container process might not be running yet.
+ # We need to wait for actual container to start running before trying exec.
+ echo "INFO: Wait for capabilities container to get into RUNNING state, before trying exec."
+ is_capabilities_container_active
+
+ echo "INFO: Inspecting capabilities job."
+ cap_status=$(nomad job inspect capabilities|jq -r '.Job .Status')
+ if [ $cap_status != "running" ]; then
+ echo "ERROR: Error in inspecting capabilities job."
+ exit 1
+ fi
+
+ # Check if readonly_rootfs is set to true.
+ echo "INFO: Checking if readonly_rootfs is set to true."
+ local outfile=$(mktemp /tmp/capabilities.XXXXXX)
+ nomad alloc exec -job capabilities touch /tmp/file.txt >> $outfile 2>&1
+ if ! grep -q "Read-only file system" $outfile; then
+ echo "ERROR: readonly_rootfs is not set to true."
+ cleanup "$outfile"
+ exit 1
+ fi
+ cleanup "$outfile"
+
+ echo "INFO: Stopping nomad capabilities job."
+ nomad job stop capabilities
+ cap_status=$(nomad job status -short capabilities|grep Status|awk '{split($0,a,"="); print a[2]}'|tr -d ' ')
+ if [ $cap_status != "dead(stopped)" ];then
+ echo "ERROR: Error in stopping capabilities job."
+ exit 1
+ fi
+ popd
+}
+
+cleanup() {
+ local tmpfile=$1
+ rm $tmpfile > /dev/null 2>&1
+}
+
+is_capabilities_container_active() {
+ i="0"
+ while test $i -lt 5
+ do
+ sudo CONTAINERD_NAMESPACE=nomad ctr task ls|grep -q RUNNING
+ if [ $? -eq 0 ]; then
+ echo "INFO: capabilities container is up and running"
+ break
+ fi
+ echo "INFO: capabilities container is down, sleep for 3 seconds."
+ sleep 3s
+ i=$[$i+1]
+ done
+
+ if [ $i -ge 5 ]; then
+ echo "ERROR: capabilities container didn't come up. exit 1."
+ exit 1
+ fi
+}
+
+test_capabilities_nomad_job
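Review bot: The three status checks `if [ $cap_status != "running" ];then`, `if [ $cap_status != "running" ]; then` and `if [ $cap_status != "dead(stopped)" ];then` leave `$cap_status` unquoted, so when the nomad/grep/awk pipeline yields nothing `[` gets a syntax error and returns non-zero, which makes the `if` skip the error branch — the test silently passes exactly when status lookup failed; quote it as `if [ "$cap_status" != "running" ]; then` in all three places, and quote `$outfile` in `>> $outfile 2>&1`, `grep -q "Read-only file system" $outfile` and `rm $tmpfile` for the same reason. Separately, the file is named for capabilities but only asserts readonly_rootfs; the cap_add/cap_drop settings in capabilities.nomad are never verified, and a check that reads the CapEff/CapBnd lines of /proc/1/status inside the container (`nomad alloc exec -job capabilities cat /proc/1/status`) and compares them against the expected mask would cover the feature the test is named after. `is_capabilities_container_active` also greps for any RUNNING task in the nomad namespace, so it reports success if an unrelated container is still up; filtering on the capabilities task would make it specific, though the task id format is not visible here. `local outfile=$(mktemp ...)` masks a failing mktemp as well; `local outfile; outfile=$(mktemp /tmp/capabilities.XXXXXX) || exit 1` keeps the failure visible.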