Skip to content

tests: Add CRI tests for integrity protection of LCOW layers#1193

Merged
anmaxvl merged 3 commits intomicrosoft:masterfrom
anmaxvl:lcow-layer-integrity-tests
Oct 22, 2021
Merged

tests: Add CRI tests for integrity protection of LCOW layers#1193
anmaxvl merged 3 commits intomicrosoft:masterfrom
anmaxvl:lcow-layer-integrity-tests

Conversation

@anmaxvl
Copy link
Contributor

@anmaxvl anmaxvl commented Oct 8, 2021
edited
Loading

Add tests that validate that integrity protection is checked when
LCOW layers have dm-verity hashes appended.

Depends on:

Signed-off-by: Maksim An maksiman@microsoft.com

@anmaxvl anmaxvl requested a review from a team as a code owner October 8, 2021 17:53
katiewasnothere
katiewasnothere reviewed Oct 8, 2021
View reviewed changes
katiewasnothere
katiewasnothere approved these changes Oct 8, 2021
View reviewed changes
Copy link

@katiewasnothere katiewasnothere left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one request, otherwise LGTM

@katiewasnothere katiewasnothere self-assigned this Oct 8, 2021
dcantah
dcantah reviewed Oct 11, 2021
View reviewed changes
test/cri-containerd/layer_integrity_test.go Outdated
t,
[]string{imageLcowAlpine},
WithSandboxAnnotations(map[string]string{
"containerd.io/diff/io.microsoft.storage.lcow.append-dm-verity": "true",
Copy link
Contributor

@dcantah dcantah Oct 11, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This depends on this getting in as is right?

Copy link
Contributor Author

@anmaxvl anmaxvl Oct 11, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yup, that too. added a feature flag to enable local testing at least.

@dcantah dcantah self-assigned this Oct 11, 2021
@dcantah
Copy link
Contributor

dcantah commented Oct 14, 2021

I think we should hold off to see if anyone has opinions on the labels vs annotations for the containerd PR, as that would change this slightly. The tests LGTM though so if the ctrd one goes in feel free to check in

@anmaxvl anmaxvl force-pushed the lcow-layer-integrity-tests branch from 9d8f078 to e77c84e Compare October 19, 2021 23:45
@anmaxvl
tests: Add CRI tests for integrity protection of LCOW layers
bce7f69 
Add tests that validate that integrity protection is checked when
LCOW layers have dm-verity hashes appended.

Signed-off-by: Maksim An <maksiman@microsoft.com>
@anmaxvl
pr feedback #1: add rootfs type to container name
7bd0a44 
Signed-off-by: Maksim An <maksiman@microsoft.com>
@anmaxvl
Adjust behavior to upstream PR, use Labels instead of Annotations
e38656e 
Signed-off-by: Maksim An <maksiman@microsoft.com>
@anmaxvl anmaxvl force-pushed the lcow-layer-integrity-tests branch from e77c84e to e38656e Compare October 22, 2021 05:17
@anmaxvl
Copy link
Contributor Author

anmaxvl commented Oct 22, 2021

I think we shouldn't wait for the upstream PR here. The tests are hidden behind a feature flag which is not added to allFeatures

@anmaxvl
Copy link
Contributor Author

anmaxvl commented Oct 22, 2021

@dcantah lmk if you have any concerns with merging this.

@dcantah
Copy link
Contributor

dcantah commented Oct 22, 2021

Sure, I was mainly hesitant on the labels vs annotations discussion. I still don't have a great view of which to use. I'd ping Mike Brown on the PR for his opinion.

@dcantah
Copy link
Contributor

dcantah commented Oct 22, 2021

If anything it's a one line change depending on what is decided between the two.

@anmaxvl anmaxvl merged commit f174aa8 into microsoft:master Oct 22, 2021
@anmaxvl anmaxvl deleted the lcow-layer-integrity-tests branch October 22, 2021 20:28
anmaxvl pushed a commit to anmaxvl/hcsshim that referenced this pull request Nov 17, 2021
@ambarve
Merged PR 5361442: Update ADO to hcsshim db9908f
f584e1e 
Related work items: microsoft#1067, microsoft#1097, microsoft#1119, microsoft#1170, microsoft#1176, microsoft#1180, microsoft#1181, microsoft#1182, microsoft#1183, microsoft#1184, microsoft#1185, microsoft#1186, microsoft#1187, microsoft#1188, microsoft#1189, microsoft#1191, microsoft#1193, microsoft#1194, microsoft#1195, microsoft#1196, microsoft#1197, microsoft#1200, microsoft#1201, microsoft#1202, microsoft#1203, microsoft#1204, microsoft#1205, microsoft#1206, microsoft#1207, microsoft#1209, microsoft#1210, microsoft#1211, microsoft#1218, microsoft#1219, microsoft#1220, microsoft#1223
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@katiewasnothere katiewasnothere katiewasnothere approved these changes

@dcantah dcantah dcantah approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@katiewasnothere katiewasnothere

@dcantah dcantah

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@anmaxvl @dcantah @katiewasnothere