Tests for capabilities and readonly_rootfs.

example/capabilities.nomad

@@ -6,11 +6,12 @@ job "capabilities" {
       driver = "containerd-driver"
 
       config {
-        image    = "docker.io/library/ubuntu:16.04"
+        image           = "docker.io/library/ubuntu:16.04"
-        command  = "sleep"
+        command         = "sleep"
-        args     = ["600s"]
+        args            = ["600s"]
-        cap_add  = ["CAP_SYS_ADMIN", "CAP_IPC_OWNER", "CAP_IPC_LOCK"]
+        readonly_rootfs = true
-        cap_drop = ["CAP_CHOWN", "CAP_SYS_CHROOT", "CAP_DAC_OVERRIDE"]
+        cap_add         = ["CAP_SYS_ADMIN", "CAP_IPC_OWNER", "CAP_IPC_LOCK"]
+        cap_drop        = ["CAP_CHOWN", "CAP_SYS_CHROOT", "CAP_DAC_OVERRIDE"]
       }
 
       resources {

tests/001-test-redis.sh

@@ -43,7 +43,6 @@ test_redis_nomad_job() {
 }
 
 is_redis_container_active() {
-        set +e
         i="0"
         while test $i -lt 5
         do
@@ -56,7 +55,6 @@ is_redis_container_active() {
                 sleep 3s
                 i=$[$i+1]
         done
-        set -e
 
         if [ $i -ge 5 ]; then
                 echo "ERROR: redis container didn't come up. exit 1."

tests/003-test-capabilities.sh

@@ -0,0 +1,75 @@
+#!/bin/bash
+
+test_capabilities_nomad_job() {
+    pushd ~/go/src/github.com/Roblox/nomad-driver-containerd/example
+
+    echo "INFO: Starting nomad capabilities job using nomad-driver-containerd."
+    nomad job run capabilities.nomad
+
+    echo "INFO: Checking status of capabilities job."
+    cap_status=$(nomad job status -short capabilities|grep Status|awk '{split($0,a,"="); print a[2]}'|tr -d ' ')
+    if [ $cap_status != "running" ];then
+        echo "ERROR: Error in getting capabilities job status."
+        exit 1
+    fi
+
+    # Even though $(nomad job status) reports capabilities job status as "running"
+    # The actual container process might not be running yet.
+    # We need to wait for actual container to start running before trying exec.
+    echo "INFO: Wait for capabilities container to get into RUNNING state, before trying exec."
+    is_capabilities_container_active
+
+    echo "INFO: Inspecting capabilities job."
+    cap_status=$(nomad job inspect capabilities|jq -r '.Job .Status')
+    if [ $cap_status != "running" ]; then
+        echo "ERROR: Error in inspecting capabilities job."
+        exit 1
+    fi
+
+    # Check if readonly_rootfs is set to true.
+    echo "INFO: Checking if readonly_rootfs is set to true."
+    local outfile=$(mktemp /tmp/capabilities.XXXXXX)
+    nomad alloc exec -job capabilities touch /tmp/file.txt >> $outfile 2>&1
+    if ! grep -q "Read-only file system" $outfile; then
+        echo "ERROR: readonly_rootfs is not set to true."
+        cleanup "$outfile"
+        exit 1
+    fi
+    cleanup "$outfile"
+
+    echo "INFO: Stopping nomad capabilities job."
+    nomad job stop capabilities
+    cap_status=$(nomad job status -short capabilities|grep Status|awk '{split($0,a,"="); print a[2]}'|tr -d ' ')
+    if [ $cap_status != "dead(stopped)" ];then
+        echo "ERROR: Error in stopping capabilities job."
+        exit 1
+    fi
+    popd
+}
+
+cleanup() {
+  local tmpfile=$1
+  rm $tmpfile > /dev/null 2>&1
+}
+
+is_capabilities_container_active() {
+        i="0"
+        while test $i -lt 5
+        do
+                sudo CONTAINERD_NAMESPACE=nomad ctr task ls|grep -q RUNNING
+                if [ $? -eq 0 ]; then
+                        echo "INFO: capabilities container is up and running"
+                        break
+                fi
+                echo "INFO: capabilities container is down, sleep for 3 seconds."
+                sleep 3s
+                i=$[$i+1]
+        done
+
+        if [ $i -ge 5 ]; then
+                echo "ERROR: capabilities container didn't come up. exit 1."
+                exit 1
+        fi
+}
+
+test_capabilities_nomad_job