Add tests that run docker exec command in gvisor.

milantracy · gvisor-bot · commit 1ac4bf8bd695 · 2025-06-25T02:35:11.000-07:00
PiperOrigin-RevId: 775593936
diff --git a/test/image/image_test.go b/test/image/image_test.go
@@ -405,50 +405,82 @@ func dockerInGvisorCapabilities() []string {
 }
 
 func TestDockerOverlayWithHostNetwork(t *testing.T) {
-	testDocker(t, true, true, false)
+	ctx := context.Background()
+	d := startDockerdInGvisor(ctx, t, true)
+	defer d.CleanUp(ctx)
+	testDockerBuild(ctx, t, d, true)
+	testDockerRun(ctx, t, d, true, false)
+	testDockerExec(ctx, t, d, false)
 }
 
 func TestPrivilegedDockerOverlayWithHostNetwork(t *testing.T) {
-	testDocker(t, true, true, true)
+	ctx := context.Background()
+	d := startDockerdInGvisor(ctx, t, true)
+	defer d.CleanUp(ctx)
+	testDockerRun(ctx, t, d, true, true)
+	testDockerExec(ctx, t, d, true)
 }
 
 func TestDockerOverlay(t *testing.T) {
-	testDocker(t, true, false, false)
+	ctx := context.Background()
+	d := startDockerdInGvisor(ctx, t, true)
+	defer d.CleanUp(ctx)
+	testDockerBuild(ctx, t, d, false)
+	testDockerRun(ctx, t, d, false, false)
+	testDockerExec(ctx, t, d, false)
 }
 
 func TestPrivilegedDockerOverlay(t *testing.T) {
-	testDocker(t, true, false, true)
+	ctx := context.Background()
+	d := startDockerdInGvisor(ctx, t, true)
+	defer d.CleanUp(ctx)
+	testDockerRun(ctx, t, d, false, true)
+	testDockerExec(ctx, t, d, true)
 }
 
 func TestDockerWithHostNetwork(t *testing.T) {
-	testDocker(t, false, true, false)
+	ctx := context.Background()
+	d := startDockerdInGvisor(ctx, t, false)
+	defer d.CleanUp(ctx)
+	testDockerBuild(ctx, t, d, true)
+	testDockerRun(ctx, t, d, true, false)
+	testDockerExec(ctx, t, d, false)
 }
 
 func TestPrivilegedDockerWithHostNetwork(t *testing.T) {
-	testDocker(t, false, true, true)
+	ctx := context.Background()
+	d := startDockerdInGvisor(ctx, t, false)
+	defer d.CleanUp(ctx)
+	testDockerRun(ctx, t, d, true, true)
+	testDockerExec(ctx, t, d, true)
 }
 
 func TestDocker(t *testing.T) {
+	ctx := context.Background()
+	d := startDockerdInGvisor(ctx, t, false)
+	defer d.CleanUp(ctx)
+	testDockerBuild(ctx, t, d, false)
 	// Overlayfs can't be built on top of another overlayfs, so docket has
 	// to fall back to the vfs driver.
-	testDocker(t, false, false, false)
+	testDockerRun(ctx, t, d, false, false)
+	testDockerExec(ctx, t, d, false)
 }
 
 func TestPrivilegedDocker(t *testing.T) {
+	ctx := context.Background()
+	d := startDockerdInGvisor(ctx, t, true)
+	defer d.CleanUp(ctx)
 	// Overlayfs can't be built on top of another overlayfs, so docket has
 	// to fall back to the vfs driver.
-	testDocker(t, false, false, true)
+	testDockerRun(ctx, t, d, false, true)
+	testDockerExec(ctx, t, d, true)
 }
 
-func testDocker(t *testing.T, overlay, hostNetwork, startPrivilegedContainer bool) {
-	if testutil.IsRunningWithHostNet() {
-		t.Skip("docker doesn't work with hostinet")
-	}
-	ctx := context.Background()
+// The container returned by this function has to be cleaned up by the caller.
+func startDockerdInGvisor(ctx context.Context, t *testing.T, overlay bool) *dockerutil.Container {
 	d := dockerutil.MakeContainerWithRuntime(ctx, t, "-docker")
-	defer d.CleanUp(ctx)
 
-	// Start the container.
+	// Start the container which starts dockerd.
 	opts := dockerutil.RunOpts{
 		Image:  "basic/docker",
 		CapAdd: dockerInGvisorCapabilities(),
@@ -477,27 +509,120 @@ func testDocker(t *testing.T, overlay, hostNetwork, startPrivilegedContainer boo
 	}
 	// Wait for the docker daemon.
 	for i := 0; i < 10; i++ {
-		output, err := d.Exec(ctx, dockerutil.ExecOpts{}, "docker", "info")
-		t.Logf("== docker info ==\n%s", output)
+		_, err := d.Exec(ctx, dockerutil.ExecOpts{}, "docker", "info")
 		if err != nil {
 			t.Logf("docker exec failed: %v", err)
 			time.Sleep(5 * time.Second)
 			continue
 		}
 		break
 	}
+	return d
+}
+
+func testDockerRun(ctx context.Context, t *testing.T, d *dockerutil.Container, hostNetwork, startPrivilegedContainer bool) {
+	if testutil.IsRunningWithHostNet() {
+		t.Skip("docker doesn't work with hostinet")
+	}
 	cmd := []string{"docker", "run", "--rm"}
 	if hostNetwork {
 		cmd = append(cmd, "--network", "host")
 	}
 	if startPrivilegedContainer {
 		cmd = append(cmd, "--privileged")
 	}
-	cmd = append(cmd, "alpine", "sh", "-c", "apk add curl && curl -h")
+	cmd = append(cmd, "alpine", "sh", "-c", "apk add curl && apk info -d curl")
+	execProc, err := d.ExecProcess(ctx, dockerutil.ExecOpts{}, cmd...)
+	if err != nil {
+		t.Fatalf("docker exec failed: %v", err)
+	}
+	output, err := execProc.Logs()
+	if err != nil {
+		t.Fatalf("docker logs failed: %v", err)
+	}
+	expectedOutput := "URL retrival utility and library"
+	if !strings.Contains(output, expectedOutput) {
+		t.Fatalf("docker didn't get output expected: %q, got: %q", expectedOutput, output)
+	}
+}
+
+func testDockerBuild(ctx context.Context, t *testing.T, d *dockerutil.Container, hostNetwork bool) {
+	if testutil.IsRunningWithHostNet() {
+		t.Skip("docker doesn't work with hostinet")
+	}
+	cmd := []string{"echo", "-e", "FROM alpine:3.19\nRUN apk add git", "|", "docker", "build"}
+	if hostNetwork {
+		cmd = append(cmd, "--network", "host")
+	}
+	imageName := "test_docker_build_in_gvisor"
+	cmd = append(cmd, "-t", imageName, "-f", "-", ".")
+	_, err := d.ExecProcess(ctx, dockerutil.ExecOpts{}, cmd...)
+	if err != nil {
+		t.Fatalf("docker exec failed: %v", err)
+	}
+	inspectImage, err := d.ExecProcess(ctx, dockerutil.ExecOpts{}, []string{"docker", "image", "inspect", imageName}...)
+	if err != nil {
+		t.Fatalf("docker exec failed: %v", err)
+	}
+	got, err := inspectImage.Logs()
+	if err != nil {
+		t.Fatalf("docker logs failed: %v", err)
+	}
+	output := imageName + ":latest"
+	if !strings.Contains(got, output) {
+		t.Fatalf("docker didn't get output expected: %q, got: %q", output, got)
+	}
+}
+
+func testDockerExec(ctx context.Context, t *testing.T, d *dockerutil.Container, privileged bool) {
+	if testutil.IsRunningWithHostNet() {
+		t.Skip("docker doesn't work with hostinet")
+	}
+	containerName := "test_docker_exec"
+	// TODO(b/425970478): Remove host pidns once setns pidns is supported.
+	// Start a container with a sleep command to ensure that the container
+	// doesn't exit immediately.
+	cmd := []string{"docker", "run", "--rm", "-d", "--pid", "host", "--name", containerName, "alpine", "sleep", "180"}
 	_, err := d.ExecProcess(ctx, dockerutil.ExecOpts{}, cmd...)
+	if err != nil {
+		t.Fatalf("docker run failed: %v", err)
+	}
+
+	for i := 0; i < 10; i++ {
+		inspectProc, err := d.ExecProcess(ctx, dockerutil.ExecOpts{}, []string{"docker", "container", "inspect", containerName}...)
+		if err != nil {
+			t.Fatalf("docker container inspect failed: %v", err)
+		}
+		inspectOutput, err := inspectProc.Logs()
+		if err != nil {
+			t.Fatalf("docker logs failed: %v", err)
+		}
+		if strings.Contains(inspectOutput, "\"Status\": \"running\"") {
+			break
+		}
+		t.Logf("docker container inspect output: %q", inspectOutput)
+		time.Sleep(5 * time.Second)
+	}
+
+	execCmd := []string{"docker", "exec"}
+	if privileged {
+		execCmd = append(execCmd, "--privileged")
+	}
+	// Execute echo command in the container.
+	execCmd = append(execCmd, containerName, "echo", "exec in "+containerName)
+	execProc, err := d.ExecProcess(ctx, dockerutil.ExecOpts{}, execCmd...)
 	if err != nil {
 		t.Fatalf("docker exec failed: %v", err)
 	}
+
+	output, err := execProc.Logs()
+	if err != nil {
+		t.Fatalf("docker logs failed: %v", err)
+	}
+	expectedOutput := "exec in " + containerName
+	if !strings.Contains(output, expectedOutput) {
+		t.Fatalf("docker didn't get output expected: %q, got: %q", expectedOutput, output)
+	}
 }
 
 func TestMain(m *testing.M) {
