contrib/Dockerfile.test - third_party/containerd - Git at Google

 # This dockerfile is used to test containerd within a container
 #
 # usage:
 # 1.) docker build -t containerd-test -f Dockerfile.test ../
 # 2.) docker run -it --privileged -v /tmp:/tmp --tmpfs /var/lib/containerd-test containerd-test  bash
 # 3.) $ make binaries install test
 #
 # Use the RUNC_VERSION build-arg to build with a custom version of runc, for example,
 # to build runc v1.0.0-rc94, use:
 #
 # docker build -t containerd-test --build-arg RUNC_VERSION=v1.0.0-rc94 -f Dockerfile.test ../

 # ------------------------------------------------------------------------------
 # Public stages:
 # "integration": for running integration tests:
 #   docker build -t containerd-test -f Dockerfile.test --target integration ../
 #   docker run --privileged containerd-test
 #
 # "cri-integration": for running cri-integration tests:
 #   docker build -t containerd-test -f Dockerfile.test --target cri-integration ../
 #   docker run --privileged --sysctl net.ipv6.conf.all.disable_ipv6=0 containerd-test
 #
 # "critest: for running critest:
 #   docker build -t containerd-test -f Dockerfile.test --target critest ../
 #   docker run --privileged --sysctl net.ipv6.conf.all.disable_ipv6=0 containerd-test
 #
 # "cri-in-userns": for running critest with "CRI-in-UserNS" mode; needs Rootless Docker/Podman/nerdctl:
 #   docker build -t containerd-test -f Dockerfile.test --target cri-in-userns ../
 #   docker run --privileged containerd-test
 #
 # "cri-in-userns-systemd": for running critest with "CRI-in-UserNS-Systemd" mode; needs Rootless Docker/Podman/nerdctl:
 #   docker build -t containerd-test -f Dockerfile.test --target cri-in-userns-systemd ../
 #   touch ./critest_exit_code.txt
 #   docker run --privileged --group-add keep-groups -v ./critest_exit_code.txt:/tmp/critest_exit_code.txt containerd-test
 # ------------------------------------------------------------------------------

 ARG GOLANG_VERSION=1.24.9
 ARG GOLANG_IMAGE=golang

 FROM ${GOLANG_IMAGE}:${GOLANG_VERSION} AS golang

 # Install runc
 FROM golang AS runc
 RUN apt-get update && apt-get install -y --no-install-recommends \
     libseccomp-dev \
     && rm -rf /var/lib/apt/lists/*

 COPY script/setup/runc-version script/setup/install-runc ./
 # Allow overriding the version of runc to install through build-args
 ARG RUNC_VERSION
 ARG GOPROXY=direct
 ARG DESTDIR=/build
 RUN ./install-runc

 FROM golang AS build-env
 RUN apt-get update && apt-get install -y --no-install-recommends \
     btrfs-progs \
     libseccomp-dev \
     xfsprogs \
     && rm -rf /var/lib/apt/lists/*
 RUN mkdir -p /go/src/github.com/containerd/containerd
 WORKDIR /go/src/github.com/containerd/containerd

 FROM golang AS cni
 ENV DESTDIR=/build
 COPY script/setup/install-cni go.mod /
 RUN DESTDIR=/build /install-cni

 FROM golang AS critools
 ARG DESTDIR=/build
 COPY script/setup/install-critools script/setup/critools-version  ./
 RUN GOBIN=$DESTDIR/usr/local/bin ./install-critools

 # integration stage is for running integration tests.
 FROM build-env AS integration
 RUN apt-get update && apt-get install -y --no-install-recommends \
     lsof \
     && rm -rf /var/lib/apt/lists/*
 COPY --from=runc       /build/ /
 COPY contrib/Dockerfile.test.d/docker-entrypoint.sh /docker-entrypoint.sh
 COPY . .
 RUN make BUILDTAGS="no_btrfs no_devmapper" binaries install
 VOLUME /tmp
 # TestMain wants to unlink /var/lib/containerd-test, so the entire /var/lib has to be volumified.
 VOLUME /var/lib
 # The entrypoint script is needed for nesting cgroup v2.
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["make", "integration"]

 # cri-integration stage is for running cri-integration tests.
 FROM integration AS cri-integration
 RUN apt-get update && apt-get install -y --no-install-recommends \
     sudo iptables \
     && rm -rf /var/lib/apt/lists/*
 COPY --from=cni                /build/ /
 COPY --from=critools           /build/ /
 RUN make BUILDTAGS="no_btrfs no_devmapper" bin/cri-integration.test
 # install-failpoint-binaries cannot be easily executed in a substage as it does not support custom DESTDIR.
 RUN ./script/setup/install-failpoint-binaries
 # The test scripts need these env vars to be explicitly set
 ENV GITHUB_WORKSPACE=""
 ENV CONTAINERD_RUNTIME="io.containerd.runc.v2"
 CMD ["make", "cri-integration"]

 # critest stage is for running critest.
 FROM cri-integration AS critest
 # critest wants to create mounts under this directory, so it has to be volumified.
 VOLUME /go/src/github.com/containerd/containerd
 ENV TEST_RUNTIME="io.containerd.runc.v2"
 CMD ["script/critest.sh", "/tmp"]

 # cri-in-userns stage is for testing "CRI-in-UserNS", which should be used in conjunction with
 # "Kubelet-in-UserNS": https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2033-kubelet-in-userns-aka-rootless
 # This feature is mostly expected to be used for `kind` and `minikube`.
 #
 # Requires Rootless Docker/Podman/nerdctl with cgroup v2 delegation: https://rootlesscontaine.rs/getting-started/common/cgroup2/
 # (Rootless Docker/Podman/nerdctl prepares the UserNS, so we do not need to create UserNS by ourselves)
 FROM critest AS cri-in-userns
 ENV IS_SYSTEMD_CGROUP=false
 COPY contrib/Dockerfile.test.d/cri-in-userns/etc_containerd_config.toml /etc/containerd/config.toml
 COPY contrib/Dockerfile.test.d/cri-in-userns/docker-entrypoint.sh       /docker-entrypoint.sh
 ENTRYPOINT ["/docker-entrypoint.sh"]
 # Skip "runtime should support unsafe sysctls": `container init caused:  write sysctl key fs.mqueue.msg_max: open /proc/sys/fs/mqueue/msg_max: permission denied`
 # Skip "runtime should support safe sysctls": `container init caused: write sysctl key kernel.shm_rmid_forced: open /proc/sys/kernel/shm_rmid_forced: permission denied`
 # Skip "should allow privilege escalation when (NoNewPrivis is) false": expected log "Effective uid: 0\n" (stream="stdout") not found in logs [{timestamp:{wall:974487519 ext:63761339984 loc:<nil>} stream:stdout log:Effective uid: 1000) }]
 # Skip "runtime should support deprecated apparmor_profile field": "sudo: apparmor_parser: command not found\n"
 # Skip "runtime should support apparmor field": "sudo: apparmor_parser: command not found\n"
 # Skip "runtime should prefer new apparmor field": "sudo: apparmor_parser: command not found\n"
 CMD ["critest", "--ginkgo.skip=runtime should prefer new apparmor field|should support apparmor field|should support deprecated apparmor_profile field|should support unsafe sysctls|should support safe sysctls|should allow privilege escalation when false"]

 # cri-in-userns-systemd stage is for testing "CRI-in-UserNS-Systemd", which should be used in conjunction with
 # "Kubelet-in-UserNS": https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2033-kubelet-in-userns-aka-rootless
 # This feature is mostly expected to be used for `kind` and `minikube`.
 #
 # Requires Rootless Docker/Podman/nerdctl with cgroup v2 delegation: https://rootlesscontaine.rs/getting-started/common/cgroup2/
 # (Rootless Docker/Podman/nerdctl prepares the UserNS, so we do not need to create UserNS by ourselves)
 FROM critest AS cri-in-userns-systemd
 ENV IS_SYSTEMD_CGROUP=true
 RUN apt-get update && apt-get install -y systemd sysvinit-core
 COPY contrib/Dockerfile.test.d/cri-in-userns/etc_containerd_config.toml /etc/containerd/config.toml
 COPY contrib/Dockerfile.test.d/cri-in-userns/docker-entrypoint.sh       /docker-entrypoint.sh
 COPY contrib/Dockerfile.test.d/critest.sh /critest.sh
 # Skip "runtime should support unsafe sysctls": `container init caused:  write sysctl key fs.mqueue.msg_max: open /proc/sys/fs/mqueue/msg_max: permission denied`
 # Skip "runtime should support safe sysctls": `container init caused: write sysctl key kernel.shm_rmid_forced: open /proc/sys/kernel/shm_rmid_forced: permission denied`
 # Skip "should allow privilege escalation when (NoNewPrivis is) false": expected log "Effective uid: 0\n" (stream="stdout") not found in logs [{timestamp:{wall:974487519 ext:63761339984 loc:<nil>} stream:stdout log:Effective uid: 1000) }]
 ENTRYPOINT ["/critest.sh","start"]


 # Install proto3
 FROM golang AS proto3
 ARG DESTDIR=/build
 RUN apt-get update && apt-get install -y --no-install-recommends \
     autoconf \
     automake \
     g++ \
     libtool \
     unzip \
     && rm -rf /var/lib/apt/lists/*

 COPY script/setup/install-protobuf install-protobuf
 RUN ./install-protobuf \
     && mkdir -p $DESTDIR/usr/local/bin $DESTDIR/usr/local/include \
     && mv /usr/local/bin/protoc $DESTDIR/usr/local/bin/protoc \
     && mv /usr/local/include/google $DESTDIR/usr/local/include/google

 FROM build-env AS dev
 COPY --from=proto3 /build/ /
 COPY --from=runc   /build/ /
 COPY . .
	# This dockerfile is used to test containerd within a container
	#
	# usage:
	# 1.) docker build -t containerd-test -f Dockerfile.test ../
	# 2.) docker run -it --privileged -v /tmp:/tmp --tmpfs /var/lib/containerd-test containerd-test bash
	# 3.) $ make binaries install test
	#
	# Use the RUNC_VERSION build-arg to build with a custom version of runc, for example,
	# to build runc v1.0.0-rc94, use:
	#
	# docker build -t containerd-test --build-arg RUNC_VERSION=v1.0.0-rc94 -f Dockerfile.test ../

	# ------------------------------------------------------------------------------
	# Public stages:
	# "integration": for running integration tests:
	# docker build -t containerd-test -f Dockerfile.test --target integration ../
	# docker run --privileged containerd-test
	#
	# "cri-integration": for running cri-integration tests:
	# docker build -t containerd-test -f Dockerfile.test --target cri-integration ../
	# docker run --privileged --sysctl net.ipv6.conf.all.disable_ipv6=0 containerd-test
	#
	# "critest: for running critest:
	# docker build -t containerd-test -f Dockerfile.test --target critest ../
	# docker run --privileged --sysctl net.ipv6.conf.all.disable_ipv6=0 containerd-test
	#
	# "cri-in-userns": for running critest with "CRI-in-UserNS" mode; needs Rootless Docker/Podman/nerdctl:
	# docker build -t containerd-test -f Dockerfile.test --target cri-in-userns ../
	# docker run --privileged containerd-test
	#
	# "cri-in-userns-systemd": for running critest with "CRI-in-UserNS-Systemd" mode; needs Rootless Docker/Podman/nerdctl:
	# docker build -t containerd-test -f Dockerfile.test --target cri-in-userns-systemd ../
	# touch ./critest_exit_code.txt
	# docker run --privileged --group-add keep-groups -v ./critest_exit_code.txt:/tmp/critest_exit_code.txt containerd-test
	# ------------------------------------------------------------------------------

	ARG GOLANG_VERSION=1.24.9
	ARG GOLANG_IMAGE=golang

	FROM ${GOLANG_IMAGE}:${GOLANG_VERSION} AS golang

	# Install runc
	FROM golang AS runc
	RUN apt-get update && apt-get install -y --no-install-recommends \
	libseccomp-dev \
	&& rm -rf /var/lib/apt/lists/*

	COPY script/setup/runc-version script/setup/install-runc ./
	# Allow overriding the version of runc to install through build-args
	ARG RUNC_VERSION
	ARG GOPROXY=direct
	ARG DESTDIR=/build
	RUN ./install-runc

	FROM golang AS build-env
	RUN apt-get update && apt-get install -y --no-install-recommends \
	btrfs-progs \
	libseccomp-dev \
	xfsprogs \
	&& rm -rf /var/lib/apt/lists/*
	RUN mkdir -p /go/src/github.com/containerd/containerd
	WORKDIR /go/src/github.com/containerd/containerd

	FROM golang AS cni
	ENV DESTDIR=/build
	COPY script/setup/install-cni go.mod /
	RUN DESTDIR=/build /install-cni

	FROM golang AS critools
	ARG DESTDIR=/build
	COPY script/setup/install-critools script/setup/critools-version ./
	RUN GOBIN=$DESTDIR/usr/local/bin ./install-critools

	# integration stage is for running integration tests.
	FROM build-env AS integration
	RUN apt-get update && apt-get install -y --no-install-recommends \
	lsof \
	&& rm -rf /var/lib/apt/lists/*
	COPY --from=runc /build/ /
	COPY contrib/Dockerfile.test.d/docker-entrypoint.sh /docker-entrypoint.sh
	COPY . .
	RUN make BUILDTAGS="no_btrfs no_devmapper" binaries install
	VOLUME /tmp
	# TestMain wants to unlink /var/lib/containerd-test, so the entire /var/lib has to be volumified.
	VOLUME /var/lib
	# The entrypoint script is needed for nesting cgroup v2.
	ENTRYPOINT ["/docker-entrypoint.sh"]
	CMD ["make", "integration"]

	# cri-integration stage is for running cri-integration tests.
	FROM integration AS cri-integration
	RUN apt-get update && apt-get install -y --no-install-recommends \
	sudo iptables \
	&& rm -rf /var/lib/apt/lists/*
	COPY --from=cni /build/ /
	COPY --from=critools /build/ /
	RUN make BUILDTAGS="no_btrfs no_devmapper" bin/cri-integration.test
	# install-failpoint-binaries cannot be easily executed in a substage as it does not support custom DESTDIR.
	RUN ./script/setup/install-failpoint-binaries
	# The test scripts need these env vars to be explicitly set
	ENV GITHUB_WORKSPACE=""
	ENV CONTAINERD_RUNTIME="io.containerd.runc.v2"
	CMD ["make", "cri-integration"]

	# critest stage is for running critest.
	FROM cri-integration AS critest
	# critest wants to create mounts under this directory, so it has to be volumified.
	VOLUME /go/src/github.com/containerd/containerd
	ENV TEST_RUNTIME="io.containerd.runc.v2"
	CMD ["script/critest.sh", "/tmp"]

	# cri-in-userns stage is for testing "CRI-in-UserNS", which should be used in conjunction with
	# "Kubelet-in-UserNS": https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2033-kubelet-in-userns-aka-rootless
	# This feature is mostly expected to be used for `kind` and `minikube`.
	#
	# Requires Rootless Docker/Podman/nerdctl with cgroup v2 delegation: https://rootlesscontaine.rs/getting-started/common/cgroup2/
	# (Rootless Docker/Podman/nerdctl prepares the UserNS, so we do not need to create UserNS by ourselves)
	FROM critest AS cri-in-userns
	ENV IS_SYSTEMD_CGROUP=false
	COPY contrib/Dockerfile.test.d/cri-in-userns/etc_containerd_config.toml /etc/containerd/config.toml
	COPY contrib/Dockerfile.test.d/cri-in-userns/docker-entrypoint.sh /docker-entrypoint.sh
	ENTRYPOINT ["/docker-entrypoint.sh"]
	# Skip "runtime should support unsafe sysctls": `container init caused: write sysctl key fs.mqueue.msg_max: open /proc/sys/fs/mqueue/msg_max: permission denied`
	# Skip "runtime should support safe sysctls": `container init caused: write sysctl key kernel.shm_rmid_forced: open /proc/sys/kernel/shm_rmid_forced: permission denied`
	# Skip "should allow privilege escalation when (NoNewPrivis is) false": expected log "Effective uid: 0\n" (stream="stdout") not found in logs [{timestamp:{wall:974487519 ext:63761339984 loc:<nil>} stream:stdout log:Effective uid: 1000) }]
	# Skip "runtime should support deprecated apparmor_profile field": "sudo: apparmor_parser: command not found\n"
	# Skip "runtime should support apparmor field": "sudo: apparmor_parser: command not found\n"
	# Skip "runtime should prefer new apparmor field": "sudo: apparmor_parser: command not found\n"
	CMD ["critest", "--ginkgo.skip=runtime should prefer new apparmor field\|should support apparmor field\|should support deprecated apparmor_profile field\|should support unsafe sysctls\|should support safe sysctls\|should allow privilege escalation when false"]

	# cri-in-userns-systemd stage is for testing "CRI-in-UserNS-Systemd", which should be used in conjunction with
	# "Kubelet-in-UserNS": https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2033-kubelet-in-userns-aka-rootless
	# This feature is mostly expected to be used for `kind` and `minikube`.
	#
	# Requires Rootless Docker/Podman/nerdctl with cgroup v2 delegation: https://rootlesscontaine.rs/getting-started/common/cgroup2/
	# (Rootless Docker/Podman/nerdctl prepares the UserNS, so we do not need to create UserNS by ourselves)
	FROM critest AS cri-in-userns-systemd
	ENV IS_SYSTEMD_CGROUP=true
	RUN apt-get update && apt-get install -y systemd sysvinit-core
	COPY contrib/Dockerfile.test.d/cri-in-userns/etc_containerd_config.toml /etc/containerd/config.toml
	COPY contrib/Dockerfile.test.d/cri-in-userns/docker-entrypoint.sh /docker-entrypoint.sh
	COPY contrib/Dockerfile.test.d/critest.sh /critest.sh
	# Skip "runtime should support unsafe sysctls": `container init caused: write sysctl key fs.mqueue.msg_max: open /proc/sys/fs/mqueue/msg_max: permission denied`
	# Skip "runtime should support safe sysctls": `container init caused: write sysctl key kernel.shm_rmid_forced: open /proc/sys/kernel/shm_rmid_forced: permission denied`
	# Skip "should allow privilege escalation when (NoNewPrivis is) false": expected log "Effective uid: 0\n" (stream="stdout") not found in logs [{timestamp:{wall:974487519 ext:63761339984 loc:<nil>} stream:stdout log:Effective uid: 1000) }]
	ENTRYPOINT ["/critest.sh","start"]


	# Install proto3
	FROM golang AS proto3
	ARG DESTDIR=/build
	RUN apt-get update && apt-get install -y --no-install-recommends \
	autoconf \
	automake \
	g++ \
	libtool \
	unzip \
	&& rm -rf /var/lib/apt/lists/*

	COPY script/setup/install-protobuf install-protobuf
	RUN ./install-protobuf \
	&& mkdir -p $DESTDIR/usr/local/bin $DESTDIR/usr/local/include \
	&& mv /usr/local/bin/protoc $DESTDIR/usr/local/bin/protoc \
	&& mv /usr/local/include/google $DESTDIR/usr/local/include/google

	FROM build-env AS dev
	COPY --from=proto3 /build/ /
	COPY --from=runc /build/ /
	COPY . .