Beispiel #1
// FindImage tries to get a hash of a passed image, ideally from
// store. Otherwise this might involve fetching it from remote with
// the Fetcher.
func (f *Finder) FindImage(img string, asc string) (*types.Hash, error) {

	// Check if it's an hash
	if _, err := types.NewHash(img); err == nil {
		h, err := f.getHashFromStore(img)
		if err != nil {
			return nil, err
		return h, nil

	d, err := DistFromImageString(img)
	if err != nil {
		return nil, err

	// urls, names, paths have to be fetched, potentially remotely
	ft := (*Fetcher)(f)
	h, err := ft.FetchImage(d, img, asc)
	if err != nil {
		return nil, err
	return h, nil
Beispiel #2
func (f *Finder) getHashFromStore(img string) (*types.Hash, error) {
	h, err := types.NewHash(img)
	if err != nil {
		return nil, errwrap.Wrap(fmt.Errorf("%q is not a valid hash", img), err)
	fullKey, err := f.S.ResolveKey(img)
	if err != nil {
		return nil, errwrap.Wrap(fmt.Errorf("could not resolve image %q", img), err)
	h, err = types.NewHash(fullKey)
	if err != nil {
		// should never happen
		log.PanicE("got an invalid hash from the store, looks like it is corrupted", err)
	return h, nil
Beispiel #3
func getImage(name string, localOnly bool) (*jetpack.Image, error) {
	if h, err := types.NewHash(name); err == nil {
		if len(name) < hashSize {
			// Short hash. Iterate over images, return first prefix match.
			// FIXME: what about multiple matches?
			name = strings.ToLower(name)
			if imgs, err := Host.Images(); err != nil {
				return nil, errors.Trace(err)
			} else {
				for _, img := range imgs {
					if strings.HasPrefix(img.Hash.String(), name) {
						return img, nil
				return nil, jetpack.ErrNotFound
		return Host.GetImage(*h, "", nil)
	if name, labels, err := parseImageName(name); err != nil {
		return nil, errors.Trace(err)
	} else if localOnly {
		return Host.GetLocalImage(types.Hash{}, name, labels)
	} else {
		return Host.GetImage(types.Hash{}, name, labels)
Beispiel #4
func parseApp(args []string) ([]string, *schema.RuntimeApp, error) {
	if len(args) == 0 {
		return nil, nil, nil

	rtapp := schema.RuntimeApp{}

	// Parse first argument (image name)
	if h, err := types.NewHash(args[0]); err == nil {
		rtapp.Image.ID = *h
		rtapp.Name.Set(h.String()) // won't err
	} else if dapp, err := discovery.NewAppFromString(args[0]); err == nil {
		rtapp.Image.Name = &dapp.Name
		rtapp.Name.Set(path.Base(dapp.Name.String())) // won't err here
		if ll, err := types.LabelsFromMap(dapp.Labels); err != nil {
			return args, nil, err
		} else {
			rtapp.Image.Labels = ll
	} else {
		return args, nil, err

	fl := flag.NewFlagSet(args[0], flag.ExitOnError)
	fl.Var(&rtapp.Name, "name", "App name")
	fl.Var((*AnnotationsFlag)(&rtapp.Annotations), "a", "Add annotation (NAME=VALUE)")
	fl.Var((*MountsFlag)(&rtapp.Mounts), "m", "Mount volume (VOLUME[:MOUNTPOINT])")
	// TODO: app override
	return fl.Args(), &rtapp, nil
Beispiel #5
// ExtractLayerInfo extracts the image name and ID from a path to an ACI
func ExtractLayerInfo(store *store.Store, in string) (types.Dependency, error) {
	im, err := GetManifestFromImage(in)
	if err != nil {
		return types.Dependency{}, fmt.Errorf("error getting manifest from image (%v): %v", in, err)

	inFile, err := os.Open(in)
	if err != nil {
		return types.Dependency{}, fmt.Errorf("error opening ACI: %v", err)
	defer inFile.Close()

	inImageID, err := store.WriteACI(inFile, false)
	if err != nil {
		return types.Dependency{}, fmt.Errorf("error writing ACI into the tree store: %v", err)

	hash, err := types.NewHash(inImageID)
	if err != nil {
		return types.Dependency{}, fmt.Errorf("error creating hash from an image ID (%s): %v", hash, err)

	return types.Dependency{
		ImageName: im.Name,
		ImageID:   hash,
	}, nil
Beispiel #6
//rktDirectory string, ociConfig string, ociRuntimeConfig string, ociDirectory string
func (this *oci2rkt) makePod() (err error) {

	//1.covert to pod
	this.podManifest.ACVersion = types.SemVer{
		Major:      0,
		Minor:      8,
		Patch:      0,
		PreRelease: "",
		Metadata:   "",

	this.podManifest.ACKind = "PodManifest"

		this.podManifest.Apps = schema.AppList{
				Name: "oci",
				Image: schema.RuntimeImage{
					ID: types.Hash{
						Val: "",

	runTimeImage := schema.RuntimeImage{}
	hash, err := types.NewHash("sha512-ca0bee4ecb888d10cf0816ebe7e16499230ab349bd3126976ab60b9b1db2e120")
	if err != nil {
		return err
	runTimeImage.ID = *hash
	runTimeApp := schema.RuntimeApp{
		Name: "oci",
	runTimeApp.Image = runTimeImage

	this.podManifest.Apps = append(this.podManifest.Apps, runTimeApp)

	this.podManifest.Volumes = nil
	this.podManifest.Isolators = nil
	this.podManifest.Annotations = nil
	this.podManifest.Ports = nil

	podBuf, err := json.Marshal(this.podManifest)
	if err != nil {
		return err

	//3.wirte pod file
	pod := this.RktBundlePath + "/pod"

	err = ioutil.WriteFile(pod, podBuf, 0755)
	if err != nil {
		return err

	return nil
Beispiel #7
func mustRktHash(hash string) *appctypes.Hash {
	h, err := appctypes.NewHash(hash)
	if err != nil {
	return h
Beispiel #8
// FetchImage will take an image as either a path, a URL or a name
// string and import it into the store if found. If ascPath is not "",
// it must exist as a local file and will be used as the signature
// file for verification, unless verification is disabled. If
// f.WithDeps is true also image dependencies are fetched.
func (f *Fetcher) FetchImage(d dist.Distribution, image, ascPath string) (*types.Hash, error) {
	db := &distBundle{
		dist:  d,
		image: image,
	a := f.getAsc(ascPath)
	hash, err := f.fetchSingleImage(db, a)
	if err != nil {
		return nil, err
	if f.WithDeps {
		err = f.fetchImageDeps(hash)
		if err != nil {
			return nil, err

	// we need to be able to do a chroot and access to the tree store
	// directories, we need to
	// 1) check if the system supports OverlayFS
	// 2) check if we're root
	if common.SupportsOverlay() == nil && os.Geteuid() == 0 {
		if _, _, err := f.Ts.Render(hash, false); err != nil {
			return nil, errwrap.Wrap(errors.New("error rendering tree store"), err)
	h, err := types.NewHash(hash)
	if err != nil {
		// should never happen
		log.PanicE("invalid hash", err)
	return h, nil
Beispiel #9
func (p *Pod) processAci(e common.RuntimeApp) (*schema.RuntimeApp, error) {
	aci, err := p.buildAci(e)
	if err != nil {
		return nil, err

	name, err := types.NewACName(e.Name)
	if err != nil {
		return nil, errs.WithEF(err, p.fields.WithField("name", e.Name), "Invalid name format")

	sum, err := Sha512sum( + pathImageAci)
	if err != nil {
		return nil, errs.WithEF(err, p.fields.WithField("file",, "Failed to calculate sha512 of aci")

	tmp, _ := types.NewHash("sha512-" + sum)

	labels := types.Labels{}
	labels = append(labels, types.Label{Name: "version", Value: aci.manifest.NameAndVersion.Version()})
	identifier, _ := types.NewACIdentifier(aci.manifest.NameAndVersion.Name())
	ttmp := schema.RuntimeImage{Name: identifier, ID: *tmp, Labels: labels}

	e.App.Group = aci.manifest.Aci.App.Group
	e.App.User = aci.manifest.Aci.App.User
	if e.App.User == "" {
		e.App.User = "******"
	if e.App.Group == "" {
		e.App.Group = "0"

	isolators, err := common.ToAppcIsolators(e.App.Isolators)
	if err != nil {
		return nil, errs.WithEF(err, p.fields, "Failed to prepare isolators")

	return &schema.RuntimeApp{
		Name:  *name,
		Image: ttmp,
		App: &types.App{
			Exec:              e.App.Exec,
			User:              e.App.User,
			Group:             e.App.Group,
			WorkingDirectory:  e.App.WorkingDirectory,
			SupplementaryGIDs: e.App.SupplementaryGIDs,
			Environment:       e.App.Environment,
			MountPoints:       e.App.MountPoints,
			Ports:             e.App.Ports,
			Isolators:         isolators,
		Mounts:      e.Mounts,
		Annotations: e.Annotations}, nil
Beispiel #10
func guessImageType(image string) apps.AppImageType {
	if _, err := types.NewHash(image); err == nil {
		return apps.AppImageHash
	if u, err := url.Parse(image); err == nil && u.Scheme != "" {
		return apps.AppImageURL
	if filepath.IsAbs(image) {
		return apps.AppImagePath

	// Well, at this point is basically heuristics time. The image
	// parameter can be either a relative path or an image name.

	// First, let's try to stat whatever file the URL would specify. If it
	// exists, that's probably what the user wanted.
	f, err := os.Stat(image)
	if err == nil && f.Mode().IsRegular() {
		return apps.AppImagePath

	// Second, let's check if there is a colon in the image
	// parameter. Colon often serves as a paths separator (like in
	// the PATH environment variable), so if it exists, then it is
	// highly unlikely that the image parameter is a path. Colon
	// in this context is often used for specifying a version of
	// an image, like in "".
	if strings.ContainsRune(image, ':') {
		return apps.AppImageName

	// Third, let's check if there is a dot followed by a slash
	// (./) - if so, it is likely that the image parameter is path
	// like ./aci-in-this-dir or ../aci-in-parent-dir
	if strings.Contains(image, "./") {
		return apps.AppImagePath

	// Fourth, let's check if the image parameter has an .aci
	// extension. If so, likely a path like "stage1-coreos.aci".
	if filepath.Ext(image) == schema.ACIExtension {
		return apps.AppImagePath

	// At this point, if the image parameter is something like
	// "" and you have a directory
	// tree "" in the current working directory and
	// you meant the image parameter to point to the file
	// "stage1-coreos" in this directory tree, then you better be
	// off prepending the parameter with "./", because I'm gonna
	// treat this as an image name otherwise.
	return apps.AppImageName
Beispiel #11
func runAddDep(cmd *cobra.Command, args []string) (exit int) {
	if len(args) == 0 {
		return 1
	if len(args) != 1 {
		stderr("dependency add: incorrect number of arguments")
		return 1

	if debug {
		stderr("Adding dependency %q", args[0])

	app, err := discovery.NewAppFromString(args[0])
	if err != nil {
		stderr("dependency add: couldn't parse dependency name: %v", err)
		return 1

	appcLabels := types.Labels(labels)

	for name, value := range app.Labels {
		if _, ok := appcLabels.Get(string(name)); ok {
			stderr("multiple %s labels specified", name)
			return 1
		appcLabels = append(appcLabels, types.Label{
			Name:  name,
			Value: value,

	var hash *types.Hash
	if imageId != "" {
		var err error
		hash, err = types.NewHash(imageId)
		if err != nil {
			stderr("dependency add: couldn't parse image ID: %v", err)
			return 1

	err = newACBuild().AddDependency(app.Name, hash, appcLabels, size)

	if err != nil {
		stderr("dependency add: %v", err)
		return getErrorCode(err)

	return 0
Beispiel #12
func (p *Pod) processAci() []schema.RuntimeApp {
	apps := []schema.RuntimeApp{}
	for _, e := range p.manifest.Pod.Apps {

		aciName := p.buildAciIfNeeded(e)
		// TODO: support not FS override by only storing info pod manifest
		//		if aciName == nil {
		//			aciName = &e.Image
		//		}

		name, _ := types.NewACName(e.Name)

		sum, err := utils.Sha512sum(p.path + "/" + e.Name + "/target/image.aci")
		if err != nil {

		tmp, _ := types.NewHash("sha512-" + sum)

		labels := types.Labels{}
		labels = append(labels, types.Label{Name: "version", Value: aciName.Version()})
		identifier, _ := types.NewACIdentifier(aciName.Name())
		ttmp := schema.RuntimeImage{Name: identifier, ID: *tmp, Labels: labels}

		if e.App.User == "" {
			e.App.User = "******"
		if e.App.Group == "" {
			e.App.Group = "0"

		apps = append(apps, schema.RuntimeApp{
			Name:  *name,
			Image: ttmp,
			App: &types.App{
				Exec:             e.App.Exec,
				EventHandlers:    e.App.EventHandlers,
				User:             e.App.User,
				Group:            e.App.Group,
				WorkingDirectory: e.App.WorkingDirectory,
				Environment:      e.App.Environment,
				MountPoints:      e.App.MountPoints,
				Ports:            e.App.Ports,
				Isolators:        e.App.Isolators,
			Mounts:      e.Mounts,
			Annotations: e.Annotations})


	return apps
Beispiel #13
func TestDockerVolumeSemanticsPodManifest(t *testing.T) {
	ctx := testutils.NewRktRunCtx()
	defer ctx.Cleanup()

	for i, tt := range volDockerTests {
		t.Logf("Running test #%v on directory %s", i, tt.dir)

		hash, err := patchImportAndFetchHash(fmt.Sprintf("rkt-volume-image-pm-%d.aci", i), []string{fmt.Sprintf("--mounts=mydir,path=%s,readOnly=false", tt.dir)}, t, ctx)
		if err != nil {
			t.Fatalf("%v", err)

		imgID, err := types.NewHash(hash)
		if err != nil {
			t.Fatalf("Cannot generate types.Hash from %v: %v", hash, err)

		pm := &schema.PodManifest{
			ACKind:    schema.PodManifestKind,
			ACVersion: schema.AppContainerVersion,
			Apps: []schema.RuntimeApp{
					Name: "rkt-volume-image",
					App: &types.App{
						Exec:  []string{"/inspect", "--read-file"},
						User:  "******",
						Group: "0",
						Environment: []types.EnvironmentVariable{
							{"FILE", fmt.Sprintf("%s/file", tt.dir)},
						MountPoints: []types.MountPoint{
							{"mydir", tt.dir, false},
					Image: schema.RuntimeImage{
						ID: *imgID,

		manifestFile := generatePodManifestFile(t, pm)
		defer os.Remove(manifestFile)

		cmd := fmt.Sprintf("%s --debug --insecure-options=image run --pod-manifest=%s", ctx.Cmd(), manifestFile)

		expected := fmt.Sprintf("<<<%s>>>", tt.expectedContent)

		runRktAndCheckOutput(t, cmd, expected, false)
Beispiel #14
func (r *Runtime) newAppcRuntimeApp(pod *api.Pod, c api.Container, pullSecrets []api.Secret) (*appcschema.RuntimeApp, []kubecontainer.PortMapping, error) {
	if err, _ := r.imagePuller.PullImage(pod, &c, pullSecrets); err != nil {
		return nil, nil, err
	imgManifest, err := r.getImageManifest(c.Image)
	if err != nil {
		return nil, nil, err

	if imgManifest.App == nil {
		imgManifest.App = new(appctypes.App)

	imageID, err := r.getImageID(c.Image)
	if err != nil {
		return nil, nil, err
	hash, err := appctypes.NewHash(imageID)
	if err != nil {
		return nil, nil, err

	opts, err := r.generator.GenerateRunContainerOptions(pod, &c)
	if err != nil {
		return nil, nil, err

	if err := setApp(imgManifest.App, &c, opts); err != nil {
		return nil, nil, err

	name, err := appctypes.SanitizeACName(c.Name)
	if err != nil {
		return nil, nil, err
	appName := appctypes.MustACName(name)

	kubehash := kubecontainer.HashContainer(&c)

	return &appcschema.RuntimeApp{
		Name:  *appName,
		Image: appcschema.RuntimeImage{ID: *hash},
		App:   imgManifest.App,
		Annotations: []appctypes.Annotation{
				Name:  *appctypes.MustACIdentifier(k8sRktContainerHashAnno),
				Value: strconv.FormatUint(kubehash, 10),
	}, opts.PortMappings, nil
Beispiel #15
func getStoreKeyFromAppOrHash(s *imagestore.Store, input string) (string, error) {
	var key string
	if _, err := types.NewHash(input); err == nil {
		key, err = s.ResolveKey(input)
		if err != nil {
			return "", errwrap.Wrap(errors.New("cannot resolve image ID"), err)
	} else {
		key, err = getStoreKeyFromApp(s, input)
		if err != nil {
			return "", errwrap.Wrap(errors.New("cannot find image"), err)
	return key, nil
Beispiel #16
func TestAdd2Dependencies(t *testing.T) {
	workingDir := setUpTest(t)
	defer cleanUpTest(workingDir)

	err := runACBuildNoHist(workingDir, "dependency", "add", depName,
		"--image-id", depImageID,
		"--label", newLabel(depLabel1Key, depLabel1Val),
		"--label", newLabel(depLabel2Key, depLabel2Val),
		"--size", strconv.Itoa(int(depSize)))
	if err != nil {
		t.Fatalf("%v\n", err)

	err = runACBuildNoHist(workingDir, "dependency", "add", depName2)
	if err != nil {
		t.Fatalf("%v\n", err)

	hash, err := types.NewHash(depImageID)
	if err != nil {

	deps := types.Dependencies{
			ImageName: *types.MustACIdentifier(depName),
			ImageID:   hash,
			Labels: types.Labels{
					Name:  *types.MustACIdentifier(depLabel1Key),
					Value: depLabel1Val,
					Name:  *types.MustACIdentifier(depLabel2Key),
					Value: depLabel2Val,
			Size: depSize,
			ImageName: *types.MustACIdentifier(depName2),

	checkManifest(t, workingDir, manWithDeps(deps))
	checkEmptyRootfs(t, workingDir)
Beispiel #17
func (p *Pod) processAci() []schema.RuntimeApp {
	apps := []schema.RuntimeApp{}
	for _, e := range p.manifest.Pod.Apps {

		aci := p.buildAci(e)

		name, _ := types.NewACName(e.Name)

		sum, err := utils.Sha512sum( + "/image.aci")
		if err != nil {

		tmp, _ := types.NewHash("sha512-" + sum)

		labels := types.Labels{}
		labels = append(labels, types.Label{Name: "version", Value: aci.manifest.NameAndVersion.Version()})
		identifier, _ := types.NewACIdentifier(aci.manifest.NameAndVersion.Name())
		ttmp := schema.RuntimeImage{Name: identifier, ID: *tmp, Labels: labels}

		if e.App.User == "" {
			e.App.User = "******"
		if e.App.Group == "" {
			e.App.Group = "0"

		apps = append(apps, schema.RuntimeApp{
			Name:  *name,
			Image: ttmp,
			App: &types.App{
				Exec:             e.App.Exec,
				User:             e.App.User,
				Group:            e.App.Group,
				WorkingDirectory: e.App.WorkingDirectory,
				Environment:      e.App.Environment,
				MountPoints:      e.App.MountPoints,
				Ports:            e.App.Ports,
				Isolators:        e.App.Isolators,
			Mounts:      e.Mounts,
			Annotations: e.Annotations})

	return apps
Beispiel #18
// Write renders the ACI with the provided key in the treestore
// Write, to avoid having a rendered ACI with old stale files, requires that
// the destination directory doesn't exist (usually Remove should be called
// before Write)
func (ts *TreeStore) Write(key string, s *Store) error {
	treepath := filepath.Join(ts.path, key)
	fi, _ := os.Stat(treepath)
	if fi != nil {
		return fmt.Errorf("treestore: path %s already exists", treepath)
	imageID, err := types.NewHash(key)
	if err != nil {
		return fmt.Errorf("treestore: cannot convert key to imageID: %v", err)
	if err := os.MkdirAll(treepath, 0755); err != nil {
		return fmt.Errorf("treestore: cannot create treestore directory %s: %v", treepath, err)
	err = aci.RenderACIWithImageID(*imageID, treepath, s)
	if err != nil {
		return fmt.Errorf("treestore: cannot render aci: %v", err)
	hash, err := ts.Hash(key)
	if err != nil {
		return fmt.Errorf("treestore: cannot calculate tree hash: %v", err)
	err = ioutil.WriteFile(filepath.Join(treepath, hashfilename), []byte(hash), 0644)
	if err != nil {
		return fmt.Errorf("treestore: cannot write hash file: %v", err)
	// before creating the "rendered" flag file we need to ensure that all data is fsynced
	dfd, err := syscall.Open(treepath, syscall.O_RDONLY, 0)
	if err != nil {
		return err
	defer syscall.Close(dfd)
	if err := sys.Syncfs(dfd); err != nil {
		return fmt.Errorf("treestore: failed to sync data: %v", err)
	// Create rendered file
	f, err := os.Create(filepath.Join(treepath, renderedfilename))
	if err != nil {
		return fmt.Errorf("treestore: failed to write rendered file: %v", err)

	if err := syscall.Fsync(dfd); err != nil {
		return fmt.Errorf("treestore: failed to sync tree store directory: %v", err)
	return nil
Beispiel #19
// GetID calculates the treestore ID for the given image key.
// The treeStoreID is computed as an hash of the flattened dependency tree
// image keys. In this way the ID may change for the same key if the image's
// dependencies change.
func (ts *Store) GetID(key string) (string, error) {
	hash, err := types.NewHash(key)
	if err != nil {
		return "", err
	images, err := acirenderer.CreateDepListFromImageID(*hash,
	if err != nil {
		return "", err

	var keys []string
	for _, image := range images {
		keys = append(keys, image.Key)
	imagesString := strings.Join(keys, ",")
	h := sha512.New()
	return "deps-" + hashToKey(h), nil
Beispiel #20
// FindImage tries to get a hash of a passed image, ideally from
// store. Otherwise this might involve fetching it from remote with
// the Fetcher.
func (f *Finder) FindImage(img string, asc string, imgType apps.AppImageType) (*types.Hash, error) {
	if imgType == apps.AppImageGuess {
		imgType = guessImageType(img)

	if imgType == apps.AppImageHash {
		return f.getHashFromStore(img)

	// urls, names, paths have to be fetched, potentially remotely
	ft := (*Fetcher)(f)
	key, err := ft.FetchImage(img, asc, imgType)
	if err != nil {
		return nil, err
	h, err := types.NewHash(key)
	if err != nil {
		// should never happen
		log.PanicE("got an invalid hash from the store, looks like it is corrupted", err)
	return h, nil
Beispiel #21
func TestAddDependencyWithImageID(t *testing.T) {
	workingDir := setUpTest(t)
	defer cleanUpTest(workingDir)

	err := runACBuildNoHist(workingDir, "dependency", "add", depName, "--image-id", depImageID)
	if err != nil {
		t.Fatalf("%v\n", err)

	hash, err := types.NewHash(depImageID)
	if err != nil {

	deps := types.Dependencies{
			ImageName: *types.MustACIdentifier(depName),
			ImageID:   hash,

	checkManifest(t, workingDir, manWithDeps(deps))
	checkEmptyRootfs(t, workingDir)
Beispiel #22
// makePodManifest transforms a kubelet pod spec to the rkt pod manifest.
// TODO(yifan): Use the RunContainerOptions generated by GenerateRunContainerOptions().
func (r *runtime) makePodManifest(pod *api.Pod) (*appcschema.PodManifest, error) {
	var globalPortMappings []kubecontainer.PortMapping
	manifest := appcschema.BlankPodManifest()

	for _, c := range pod.Spec.Containers {
		imgManifest, err := r.getImageManifest(c.Image)
		if err != nil {
			return nil, err

		if imgManifest.App == nil {
			return nil, fmt.Errorf("no app section in image manifest for image: %q", c.Image)

		img, err := r.getImageByName(c.Image)
		if err != nil {
			return nil, err
		hash, err := appctypes.NewHash(
		if err != nil {
			return nil, err

		opts, err := r.generator.GenerateRunContainerOptions(pod, &c)
		if err != nil {
			return nil, err

		globalPortMappings = append(globalPortMappings, opts.PortMappings...)

		if err := setApp(imgManifest.App, &c, opts); err != nil {
			return nil, err

		manifest.Apps = append(manifest.Apps, appcschema.RuntimeApp{
			// TODO(yifan): We should allow app name to be different with
			// image name. See
			Name:  imgManifest.Name,
			Image: appcschema.RuntimeImage{ID: *hash},
			App:   imgManifest.App,

	volumeMap, ok := r.volumeGetter.GetVolumes(pod.UID)
	if !ok {
		return nil, fmt.Errorf("cannot get the volumes for pod %q", kubecontainer.GetPodFullName(pod))

	// Set global volumes.
	for name, volume := range volumeMap {
		volName, err := appctypes.NewACName(name)
		if err != nil {
			return nil, fmt.Errorf("cannot use the volume's name %q as ACName: %v", name, err)
		manifest.Volumes = append(manifest.Volumes, appctypes.Volume{
			Name:   *volName,
			Kind:   "host",
			Source: volume.GetPath(),

	// Set global ports.
	for _, port := range globalPortMappings {
		name, err := appctypes.SanitizeACName(port.Name)
		if err != nil {
			return nil, fmt.Errorf("cannot use the port's name %q as ACName: %v", port.Name, err)
		portName := appctypes.MustACName(name)
		manifest.Ports = append(manifest.Ports, appctypes.ExposedPort{
			Name:     *portName,
			HostPort: uint(port.HostPort),
	// TODO(yifan): Set pod-level isolators once it's supported in kubernetes.
	return manifest, nil
Beispiel #23
func NewTestVolumeMount(volumeMountTestCases [][]volumeMountTestCase) testutils.Test {
	return testutils.TestFunc(func(t *testing.T) {
		ctx := testutils.NewRktRunCtx()
		defer ctx.Cleanup()

		deferredFuncs := prepareTmpDirWithRecursiveMountsAndFiles(t)
		defer executeFuncsReverse(deferredFuncs)

		for _, testCases := range volumeMountTestCases {
			for i, tt := range testCases {
				var hashesToRemove []string
				for j, v := range tt.images {
					hash, err := patchImportAndFetchHash(, v.patches, t, ctx)
					if err != nil {
						t.Fatalf("error running patchImportAndFetchHash: %v", err)

					hashesToRemove = append(hashesToRemove, hash)
					if tt.podManifest != nil {
						imgName := types.MustACIdentifier(
						imgID, err := types.NewHash(hash)
						if err != nil {
							t.Fatalf("Cannot generate types.Hash from %v: %v", hash, err)
						tt.podManifest.Apps[j].Image.Name = imgName
						tt.podManifest.Apps[j].Image.ID = *imgID

				manifestFile := ""
				if tt.podManifest != nil {
					tt.podManifest.ACKind = schema.PodManifestKind
					tt.podManifest.ACVersion = schema.AppContainerVersion

					manifestFile = generatePodManifestFile(t, tt.podManifest)
					defer os.Remove(manifestFile)

				// 1. Test 'rkt run'.
				runCmd := fmt.Sprintf("%s run --mds-register=false", ctx.Cmd())
				if manifestFile != "" {
					runCmd += fmt.Sprintf(" --pod-manifest=%s", manifestFile)
				} else {
					// TODO: run the tests for more than just the first image
					runCmd += fmt.Sprintf(" %s %s", tt.cmdArgs, hashesToRemove[0])
				t.Logf("Running 'run' test #%v: %q", i, tt.description)
				child := spawnOrFail(t, runCmd)

				if tt.expectedResult != "" {
					if _, out, err := expectRegexWithOutput(child, tt.expectedResult); err != nil {
						t.Fatalf("Expected %q but not found: %v\n%s", tt.expectedResult, err, out)
				verifyHostFile(t, volDir, "file", i, tt.expectedResult)

				// 2. Test 'rkt prepare' + 'rkt run-prepared'.
				prepareCmd := fmt.Sprintf("%s prepare", ctx.Cmd())
				if manifestFile != "" {
					prepareCmd += fmt.Sprintf(" --pod-manifest=%s", manifestFile)
				} else {
					// TODO: run the tests for more than just the first image
					prepareCmd += fmt.Sprintf(" %s %s", tt.cmdArgs, hashesToRemove[0])
				uuid := runRktAndGetUUID(t, prepareCmd)

				runPreparedCmd := fmt.Sprintf("%s run-prepared --mds-register=false %s", ctx.Cmd(), uuid)
				t.Logf("Running 'run-prepared' test #%v: %q", i, tt.description)
				child = spawnOrFail(t, runPreparedCmd)

				if tt.expectedResult != "" {
					if _, out, err := expectRegexWithOutput(child, tt.expectedResult); err != nil {
						t.Fatalf("Expected %q but not found: %v\n%s", tt.expectedResult, err, out)
				verifyHostFile(t, volDir, "file", i, tt.expectedResult)

				// we run the garbage collector and remove the imported images to save
				// space
				runGC(t, ctx)
				for _, h := range hashesToRemove {
					removeFromCas(t, ctx, h)
// Test running pod manifests that contains just one app.
// TODO(yifan): Figure out a way to test port mapping on single host.
func TestPodManifest(t *testing.T) {
	ctx := testutils.NewRktRunCtx()
	defer ctx.Cleanup()

	tmpdir := createTempDirOrPanic("rkt-tests.")
	defer os.RemoveAll(tmpdir)

	boolFalse, boolTrue := false, true

	tests := []struct {
		// [image name]:[image patches]
		images         []imagePatch
		podManifest    *schema.PodManifest
		expectedExit   int
		expectedResult string
		cgroup         string
			// Special characters
				{"rkt-test-run-pod-manifest-special-characters.aci", []string{}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:  []string{"/inspect", "--print-msg=\n'\"$"},
							User:  "******",
							Group: "0",
			// Working directory.
				{"rkt-test-run-pod-manifest-working-directory.aci", []string{}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:             []string{"/inspect", "--print-cwd"},
							User:             "******",
							Group:            "0",
							WorkingDirectory: "/dir1",
			"cwd: /dir1",
			// Simple read.
				{"rkt-test-run-pod-manifest-read.aci", []string{}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:  []string{"/inspect", "--read-file"},
							User:  "******",
							Group: "0",
							Environment: []types.EnvironmentVariable{
								{"FILE", "/dir1/file"},
			// Simple read from read-only rootfs.
				{"rkt-test-run-read-only-rootfs-pod-manifest-read.aci", []string{}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:  []string{"/inspect", "--read-file"},
							User:  "******",
							Group: "0",
							Environment: []types.EnvironmentVariable{
								{"FILE", "/dir1/file"},
						ReadOnlyRootFS: true,
			// Simple read after write with *empty* volume mounted.
				{"rkt-test-run-pod-manifest-empty-vol-rw.aci", []string{}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:  []string{"/inspect", "--write-file", "--read-file"},
							User:  "******",
							Group: "0",
							Environment: []types.EnvironmentVariable{
								{"FILE", "/dir1/file"},
								{"CONTENT", "empty:foo"},
							MountPoints: []types.MountPoint{
									Name:     "dir1",
									Path:     "/dir1",
									ReadOnly: false,
				Volumes: []types.Volume{
						Name: "dir1",
						Kind: "empty",
						Mode: stringP("0755"),
						UID:  intP(0),
						GID:  intP(0),
			// Simple read from read-only rootfs after write with *empty* volume mounted.
				{"rkt-test-run-pod-manifest-read-only-rootfs-empty-vol-rw.aci", []string{}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:  []string{"/inspect", "--write-file", "--read-file"},
							User:  "******",
							Group: "0",
							Environment: []types.EnvironmentVariable{
								{"FILE", "/dir1/file"},
								{"CONTENT", "empty:foo"},
							MountPoints: []types.MountPoint{
									Name:     "dir1",
									Path:     "/dir1",
									ReadOnly: false,
						ReadOnlyRootFS: true,
				Volumes: []types.Volume{
						Name: "dir1",
						Kind: "empty",
						Mode: stringP("0755"),
						UID:  intP(0),
						GID:  intP(0),
			// Stat directory in a *empty* volume mounted.
				{"rkt-test-run-pod-manifest-empty-vol-stat.aci", []string{}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:  []string{"/inspect", "--stat-file"},
							User:  "******",
							Group: "0",
							Environment: []types.EnvironmentVariable{
								{"FILE", "/dir1"},
							MountPoints: []types.MountPoint{
									Name:     "dir1",
									Path:     "/dir1",
									ReadOnly: false,
				Volumes: []types.Volume{
						Name: "dir1",
						Kind: "empty",
						Mode: stringP("0123"),
						UID:  intP(9991),
						GID:  intP(9992),
			"(?s)/dir1: mode: d--x-w--wx.*" + "/dir1: user: 9991.*" + "/dir1: group: 9992",
			// Stat directory in a *empty* volume mounted using a read-only rootfs.
				{"rkt-test-run-pod-manifest-read-only-rootfs-empty-vol-stat.aci", []string{}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:  []string{"/inspect", "--stat-file"},
							User:  "******",
							Group: "0",
							Environment: []types.EnvironmentVariable{
								{"FILE", "/dir1"},
							MountPoints: []types.MountPoint{
									Name:     "dir1",
									Path:     "/dir1",
									ReadOnly: false,
						ReadOnlyRootFS: true,
				Volumes: []types.Volume{
						Name: "dir1",
						Kind: "empty",
						Mode: stringP("0123"),
						UID:  intP(9991),
						GID:  intP(9992),
			"(?s)/dir1: mode: d--x-w--wx.*" + "/dir1: user: 9991.*" + "/dir1: group: 9992",
			// Simple read after write with volume mounted.
				{"rkt-test-run-pod-manifest-vol-rw.aci", []string{}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:  []string{"/inspect", "--write-file", "--read-file"},
							User:  "******",
							Group: "0",
							Environment: []types.EnvironmentVariable{
								{"FILE", "/dir1/file"},
								{"CONTENT", "host:foo"},
							MountPoints: []types.MountPoint{
									Name:     "dir1",
									Path:     "/dir1",
									ReadOnly: false,
				Volumes: []types.Volume{
						Name:      "dir1",
						Kind:      "host",
						Source:    tmpdir,
						ReadOnly:  nil,
						Recursive: nil,
						Mode:      nil,
						UID:       nil,
						GID:       nil,
			// Simple read after write with volume mounted in a read-only rootfs.
				{"rkt-test-run-pod-manifest-read-only-rootfs-vol-rw.aci", []string{}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:  []string{"/inspect", "--write-file", "--read-file"},
							User:  "******",
							Group: "0",
							Environment: []types.EnvironmentVariable{
								{"FILE", "/dir1/file"},
								{"CONTENT", "host:foo"},
							MountPoints: []types.MountPoint{
									Name:     "dir1",
									Path:     "/dir1",
									ReadOnly: false,
						ReadOnlyRootFS: true,
				Volumes: []types.Volume{
						Name:      "dir1",
						Kind:      "host",
						Source:    tmpdir,
						ReadOnly:  nil,
						Recursive: nil,
						Mode:      nil,
						UID:       nil,
						GID:       nil,
			// Simple read after write with read-only mount point, should fail.
				{"rkt-test-run-pod-manifest-vol-ro.aci", []string{}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:  []string{"/inspect", "--write-file", "--read-file"},
							User:  "******",
							Group: "0",
							Environment: []types.EnvironmentVariable{
								{"FILE", "/dir1/file"},
								{"CONTENT", "bar"},
							MountPoints: []types.MountPoint{
									Name:     "dir1",
									Path:     "/dir1",
									ReadOnly: true,
				Volumes: []types.Volume{
						Name:      "dir1",
						Kind:      "host",
						Source:    tmpdir,
						ReadOnly:  nil,
						Recursive: nil,
						Mode:      nil,
						UID:       nil,
						GID:       nil,
			`Cannot write to file "/dir1/file": open /dir1/file: read-only file system`,
			// Simple read after write with read-only mount point in a read-only rootfs, should fail.
				{"rkt-test-run-pod-manifest-read-only-rootfs-vol-ro.aci", []string{}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:  []string{"/inspect", "--write-file", "--read-file"},
							User:  "******",
							Group: "0",
							Environment: []types.EnvironmentVariable{
								{"FILE", "/dir1/file"},
								{"CONTENT", "bar"},
							MountPoints: []types.MountPoint{
									Name:     "dir1",
									Path:     "/dir1",
									ReadOnly: true,
						ReadOnlyRootFS: true,
				Volumes: []types.Volume{
						Name:      "dir1",
						Kind:      "host",
						Source:    tmpdir,
						ReadOnly:  nil,
						Recursive: nil,
						Mode:      nil,
						UID:       nil,
						GID:       nil,
			`Cannot write to file "/dir1/file": open /dir1/file: read-only file system`,
			// Simple read after write with volume mounted.
			// Override the image's mount point spec. This should fail as the volume is
			// read-only in pod manifest, (which will override the mount point in both image/pod manifest).
				{"rkt-test-run-pod-manifest-vol-rw-override.aci", []string{"--mounts=dir1,path=/dir1,readOnly=false"}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:  []string{"/inspect", "--write-file", "--read-file"},
							User:  "******",
							Group: "0",
							Environment: []types.EnvironmentVariable{
								{"FILE", "/dir1/file"},
								{"CONTENT", "bar"},
							MountPoints: []types.MountPoint{
									Name:     "dir1",
									Path:     "/dir1",
									ReadOnly: false,
				Volumes: []types.Volume{
						Name:      "dir1",
						Kind:      "host",
						Source:    tmpdir,
						ReadOnly:  &boolTrue,
						Recursive: nil,
						Mode:      nil,
						UID:       nil,
						GID:       nil,
			`Cannot write to file "/dir1/file": open /dir1/file: read-only file system`,
			// Simple read after write with volume mounted in a read-only rootfs.
			// Override the image's mount point spec. This should fail as the volume is
			// read-only in pod manifest, (which will override the mount point in both image/pod manifest).
				{"rkt-test-run-pod-manifest-vol-rw-override.aci", []string{"--mounts=dir1,path=/dir1,readOnly=false"}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:  []string{"/inspect", "--write-file", "--read-file"},
							User:  "******",
							Group: "0",
							Environment: []types.EnvironmentVariable{
								{"FILE", "/dir1/file"},
								{"CONTENT", "bar"},
							MountPoints: []types.MountPoint{
									Name:     "dir1",
									Path:     "/dir1",
									ReadOnly: false,
						ReadOnlyRootFS: true,
				Volumes: []types.Volume{
						Name:      "dir1",
						Kind:      "host",
						Source:    tmpdir,
						ReadOnly:  &boolTrue,
						Recursive: nil,
						Mode:      nil,
						UID:       nil,
						GID:       nil,
			`Cannot write to file "/dir1/file": open /dir1/file: read-only file system`,
			// Simple read after write with volume mounted.
			// Override the image's mount point spec.
				{"rkt-test-run-pod-manifest-vol-rw-override.aci", []string{"--mounts=dir1,path=/dir1,readOnly=true"}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:  []string{"/inspect", "--write-file", "--read-file"},
							User:  "******",
							Group: "0",
							Environment: []types.EnvironmentVariable{
								{"FILE", "/dir2/file"},
								{"CONTENT", "host:bar"},
							MountPoints: []types.MountPoint{
									Name:     "dir1",
									Path:     "/dir2",
									ReadOnly: false,
				Volumes: []types.Volume{
						Name:      "dir1",
						Kind:      "host",
						Source:    tmpdir,
						ReadOnly:  nil,
						Recursive: nil,
						Mode:      nil,
						UID:       nil,
						GID:       nil,
			// Simple read after write with volume mounted in a read-only rootfs.
			// Override the image's mount point spec.
				{"rkt-test-run-pod-manifest-read-only-rootfs-vol-rw-override.aci", []string{"--mounts=dir1,path=/dir1,readOnly=true"}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:  []string{"/inspect", "--write-file", "--read-file"},
							User:  "******",
							Group: "0",
							Environment: []types.EnvironmentVariable{
								{"FILE", "/dir2/file"},
								{"CONTENT", "host:bar"},
							MountPoints: []types.MountPoint{
									Name:     "dir1",
									Path:     "/dir2",
									ReadOnly: false,
						ReadOnlyRootFS: true,
				Volumes: []types.Volume{
						Name:      "dir1",
						Kind:      "host",
						Source:    tmpdir,
						ReadOnly:  nil,
						Recursive: nil,
						Mode:      nil,
						UID:       nil,
						GID:       nil,
			// Simple read after write with volume mounted, no apps in pod manifest.
						"--exec=/inspect --write-file --read-file --file-name=/dir1/file --content=host:baw",
				Apps: []schema.RuntimeApp{
					{Name: baseAppName},
				Volumes: []types.Volume{
						Name:      "dir1",
						Kind:      "host",
						Source:    tmpdir,
						ReadOnly:  nil,
						Recursive: nil,
						Mode:      nil,
						UID:       nil,
						GID:       nil,
			// Simple read after write with volume mounted in a read-only rootfs, no apps in pod manifest.
						"--exec=/inspect --write-file --read-file --file-name=/dir1/file --content=host:baz",
				Apps: []schema.RuntimeApp{
						Name:           baseAppName,
						ReadOnlyRootFS: true,
				Volumes: []types.Volume{
						Name:      "dir1",
						Kind:      "host",
						Source:    tmpdir,
						ReadOnly:  nil,
						Recursive: nil,
						Mode:      nil,
						UID:       nil,
						GID:       nil,
			// Simple read after write with volume mounted, no apps in pod manifest.
			// This should succeed even the mount point in image manifest is readOnly,
			// because it is overridden by the volume's readOnly.
						"--exec=/inspect --write-file --read-file --file-name=/dir1/file --content=host:zaz",
				Apps: []schema.RuntimeApp{
					{Name: baseAppName},
				Volumes: []types.Volume{
						Name:      "dir1",
						Kind:      "host",
						Source:    tmpdir,
						ReadOnly:  &boolFalse,
						Recursive: nil,
						Mode:      nil,
						UID:       nil,
						GID:       nil,
			// Simple read after write with read-only volume mounted, no apps in pod manifest.
			// This should fail as the volume is read-only.
						"--exec=/inspect --write-file --read-file --file-name=/dir1/file --content=baz",
				Apps: []schema.RuntimeApp{
					{Name: baseAppName},
				Volumes: []types.Volume{
						Name:      "dir1",
						Kind:      "host",
						Source:    tmpdir,
						ReadOnly:  &boolTrue,
						Recursive: nil,
						Mode:      nil,
						UID:       nil,
						GID:       nil,
			`Cannot write to file "/dir1/file": open /dir1/file: read-only file system`,
			// Simple read after write in read-only rootfs with read-only volume mounted, no apps in pod manifest.
			// This should fail as the volume is read-only.
						"--exec=/inspect --write-file --read-file --file-name=/dir1/file --content=baz",
				Apps: []schema.RuntimeApp{
						Name:           baseAppName,
						ReadOnlyRootFS: true,
				Volumes: []types.Volume{
						Name:      "dir1",
						Kind:      "host",
						Source:    tmpdir,
						ReadOnly:  &boolTrue,
						Recursive: nil,
						Mode:      nil,
						UID:       nil,
						GID:       nil,
			`Cannot write to file "/dir1/file": open /dir1/file: read-only file system`,
			// Print CPU quota, which should be overwritten by the pod manifest.
				{"rkt-test-run-pod-manifest-cpu-isolator.aci", []string{}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:  []string{"/inspect", "--print-cpuquota"},
							User:  "******",
							Group: "0",
							Isolators: []types.Isolator{
									"name":     "resource/cpu",
									"value":    { "request": "100m", "limit": "100m"}
									"name":     "os/linux/capabilities-retain-set",
									"value":    { "set": ["CAP_SYS_PTRACE"] }
			`CPU Quota: 100`,
			// Print memory limit, which should be overwritten by the pod manifest.
				{"rkt-test-run-pod-manifest-memory-isolator.aci", []string{}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:  []string{"/inspect", "--print-memorylimit"},
							User:  "******",
							Group: "0",
							Isolators: []types.Isolator{
								// 4MB.
									"name":     "resource/memory",
									"value":    { "request": "4194304", "limit": "4194304"}
									"name":     "os/linux/capabilities-retain-set",
									"value":    { "set": ["CAP_SYS_PTRACE"] }
			`Memory Limit: 4194304`,
			// Multiple apps (with same images) in the pod. The first app will read out the content
			// written by the second app.
				{"rkt-test-run-pod-manifest-app.aci", []string{"--name=aci1"}},
				{"rkt-test-run-pod-manifest-app.aci", []string{"--name=aci2"}},
				Apps: []schema.RuntimeApp{
						Name: "rkt-inspect-readapp",
						App: &types.App{
							Exec:  []string{"/inspect", "--pre-sleep=10", "--read-file"},
							User:  "******",
							Group: "0",
							Environment: []types.EnvironmentVariable{
								{"FILE", "/dir/file"},
							MountPoints: []types.MountPoint{
									Name:     "dir",
									Path:     "/dir",
									ReadOnly: false,
						Name: "rkt-inspect-writeapp",
						App: &types.App{
							Exec:  []string{"/inspect", "--write-file"},
							User:  "******",
							Group: "0",
							Environment: []types.EnvironmentVariable{
								{"FILE", "/dir/file"},
								{"CONTENT", "host:foo"},
							MountPoints: []types.MountPoint{
									Name:     "dir",
									Path:     "/dir",
									ReadOnly: false,
				Volumes: []types.Volume{
						Name:      "dir",
						Kind:      "host",
						Source:    tmpdir,
						ReadOnly:  nil,
						Recursive: nil,
						Mode:      nil,
						UID:       nil,
						GID:       nil,
			// Pod manifest overwrites the image's capability.
				{"rkt-test-run-pod-manifest-cap.aci", []string{"--capability=CAP_NET_ADMIN"}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:  []string{"/inspect", "--print-caps-pid=0"},
							User:  "******",
							Group: "0",
							Environment: []types.EnvironmentVariable{
								{"CAPABILITY", strconv.Itoa(int(capability.CAP_NET_ADMIN))},
			fmt.Sprintf("%v=disabled", capability.CAP_NET_ADMIN.String()),
			// Pod manifest overwrites the image's capability.
				{"rkt-test-run-pod-manifest-cap.aci", []string{"--capability=CAP_NET_BIND_SERVICE"}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:  []string{"/inspect", "--print-caps-pid=0"},
							User:  "******",
							Group: "0",
							Environment: []types.EnvironmentVariable{
								{"CAPABILITY", strconv.Itoa(int(capability.CAP_NET_ADMIN))},
							Isolators: []types.Isolator{
									"name":     "os/linux/capabilities-retain-set",
									"value":    { "set": ["CAP_NET_ADMIN"] }
			fmt.Sprintf("%v=enabled", capability.CAP_NET_ADMIN.String()),
			// Set valid numerical app user and group.
				{"rkt-test-run-pod-manifest-valid-numerical-user-group.aci", []string{}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:  []string{"/inspect", "--print-user"},
							User:  "******",
							Group: "100",
			"User: uid=1000 euid=1000 gid=100 egid=100",
			// Set valid non-numerical app user and group.
				{"rkt-test-run-pod-manifest-valid-user-group.aci", []string{}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:  []string{"/inspect", "--print-user"},
							User:  "******",
							Group: "group1",
			"User: uid=1000 euid=1000 gid=100 egid=100",
			// Set "root", it should work without it being present in
			// /etc/{passwd,group}
				{"rkt-test-run-pod-manifest-root-user-group.aci", []string{}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:  []string{"/inspect", "--print-user"},
							User:  "******",
							Group: "root",
			"User: uid=0 euid=0 gid=0 egid=0",
			// Set invalid non-numerical app user.
				{"rkt-test-run-pod-manifest-invalid-user.aci", []string{}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:  []string{"/inspect", "--print-user"},
							User:  "******",
							Group: "0",
			`"user2" user not found`,
			// Set invalid non-numerical app group.
				{"rkt-test-run-pod-manifest-invalid-group.aci", []string{}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:  []string{"/inspect", "--print-user"},
							User:  "******",
							Group: "group2",
			`"group2" group not found`,
			// Set valid path-like app user and group.
				{"rkt-test-run-pod-manifest-valid-path-user-group.aci", []string{}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:  []string{"/inspect", "--print-user"},
							User:  "******",
							Group: "/etc/group",
			"User: uid=0 euid=0 gid=0 egid=0",
			// Set invalid path-like app user.
				{"rkt-test-run-pod-manifest-invalid-path-user.aci", []string{}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:  []string{"/inspect", "--print-user"},
							User:  "******",
							Group: "0",
			`no such file or directory`,
			// Set invalid path-like app group.
				{"rkt-test-run-pod-manifest-invalid-path-group.aci", []string{}},
				Apps: []schema.RuntimeApp{
						Name: baseAppName,
						App: &types.App{
							Exec:  []string{"/inspect", "--print-user"},
							User:  "******",
							Group: "/etc/nofile",
			`no such file or directory`,

	for i, tt := range tests {
		if tt.cgroup != "" {
			ok, err := cgroup.IsIsolatorSupported(tt.cgroup)
			if err != nil {
				t.Fatalf("Error checking memory isolator support: %v", err)
			if !ok {
				t.Logf("Skip test #%v: cgroup %s not supported", i, tt.cgroup)

		var hashesToRemove []string
		for j, v := range tt.images {
			hash, err := patchImportAndFetchHash(, v.patches, t, ctx)
			if err != nil {
				t.Fatalf("%v", err)
			hashesToRemove = append(hashesToRemove, hash)
			imgName := types.MustACIdentifier(
			imgID, err := types.NewHash(hash)
			if err != nil {
				t.Fatalf("Cannot generate types.Hash from %v: %v", hash, err)

			ra := &tt.podManifest.Apps[j]
			ra.Image.Name = imgName
			ra.Image.ID = *imgID

		tt.podManifest.ACKind = schema.PodManifestKind
		tt.podManifest.ACVersion = schema.AppContainerVersion

		manifestFile := generatePodManifestFile(t, tt.podManifest)
		defer os.Remove(manifestFile)

		// 1. Test 'rkt run'.
		runCmd := fmt.Sprintf("%s run --mds-register=false --pod-manifest=%s", ctx.Cmd(), manifestFile)
		t.Logf("Running 'run' test #%v", i)
		child := spawnOrFail(t, runCmd)

		if tt.expectedResult != "" {
			if _, out, err := expectRegexWithOutput(child, tt.expectedResult); err != nil {
				t.Errorf("Expected %q but not found: %v\n%s", tt.expectedResult, err, out)
		waitOrFail(t, child, tt.expectedExit)
		verifyHostFile(t, tmpdir, "file", i, tt.expectedResult)

		// 2. Test 'rkt prepare' + 'rkt run-prepared'.
		rktCmd := fmt.Sprintf("%s --insecure-options=image prepare --pod-manifest=%s",
			ctx.Cmd(), manifestFile)
		uuid := runRktAndGetUUID(t, rktCmd)

		runPreparedCmd := fmt.Sprintf("%s run-prepared --mds-register=false %s", ctx.Cmd(), uuid)
		t.Logf("Running 'run-prepared' test #%v", i)
		child = spawnOrFail(t, runPreparedCmd)

		if tt.expectedResult != "" {
			if _, out, err := expectRegexWithOutput(child, tt.expectedResult); err != nil {
				t.Errorf("Expected %q but not found: %v\n%s", tt.expectedResult, err, out)

		waitOrFail(t, child, tt.expectedExit)
		verifyHostFile(t, tmpdir, "file", i, tt.expectedResult)

		// we run the garbage collector and remove the imported images to save
		// space
		runGC(t, ctx)
		for _, h := range hashesToRemove {
			removeFromCas(t, ctx, h)
Beispiel #25
// makePodManifest transforms a kubelet pod spec to the rkt pod manifest.
func (r *runtime) makePodManifest(pod *api.Pod, pullSecrets []api.Secret) (*appcschema.PodManifest, error) {
	var globalPortMappings []kubecontainer.PortMapping
	manifest := appcschema.BlankPodManifest()

	for _, c := range pod.Spec.Containers {
		if err := r.imagePuller.PullImage(pod, &c, pullSecrets); err != nil {
			return nil, err
		imgManifest, err := r.getImageManifest(c.Image)
		if err != nil {
			return nil, err

		if imgManifest.App == nil {
			imgManifest.App = new(appctypes.App)

		img, err := r.getImageByName(c.Image)
		if err != nil {
			return nil, err
		hash, err := appctypes.NewHash(img.ID)
		if err != nil {
			return nil, err

		opts, err := r.generator.GenerateRunContainerOptions(pod, &c)
		if err != nil {
			return nil, err

		globalPortMappings = append(globalPortMappings, opts.PortMappings...)

		if err := setApp(imgManifest.App, &c, opts); err != nil {
			return nil, err

		name, err := appctypes.SanitizeACName(c.Name)
		if err != nil {
			return nil, err
		appName := appctypes.MustACName(name)

		manifest.Apps = append(manifest.Apps, appcschema.RuntimeApp{
			Name:  *appName,
			Image: appcschema.RuntimeImage{ID: *hash},
			App:   imgManifest.App,

	volumeMap, ok := r.volumeGetter.GetVolumes(pod.UID)
	if !ok {
		return nil, fmt.Errorf("cannot get the volumes for pod %q", kubeletUtil.FormatPodName(pod))

	// Set global volumes.
	for name, volume := range volumeMap {
		volName, err := appctypes.NewACName(name)
		if err != nil {
			return nil, fmt.Errorf("cannot use the volume's name %q as ACName: %v", name, err)
		manifest.Volumes = append(manifest.Volumes, appctypes.Volume{
			Name:   *volName,
			Kind:   "host",
			Source: volume.GetPath(),

	// Set global ports.
	for _, port := range globalPortMappings {
		name, err := appctypes.SanitizeACName(port.Name)
		if err != nil {
			return nil, fmt.Errorf("cannot use the port's name %q as ACName: %v", port.Name, err)
		portName := appctypes.MustACName(name)
		manifest.Ports = append(manifest.Ports, appctypes.ExposedPort{
			Name:     *portName,
			HostPort: uint(port.HostPort),
	// TODO(yifan): Set pod-level isolators once it's supported in kubernetes.
	return manifest, nil
Beispiel #26
// Write renders the ACI with the provided key in the treestore. id references
// that specific tree store rendered image.
// Write, to avoid having a rendered ACI with old stale files, requires that
// the destination directory doesn't exist (usually Remove should be called
// before Write)
func (ts *TreeStore) Write(id string, key string, s *Store) (string, error) {
	treepath := ts.GetPath(id)
	fi, _ := os.Stat(treepath)
	if fi != nil {
		return "", fmt.Errorf("path %s already exists", treepath)
	imageID, err := types.NewHash(key)
	if err != nil {
		return "", errwrap.Wrap(errors.New("cannot convert key to imageID"), err)
	if err := os.MkdirAll(treepath, 0755); err != nil {
		return "", errwrap.Wrap(fmt.Errorf("cannot create treestore directory %s", treepath), err)
	err = aci.RenderACIWithImageID(*imageID, treepath, s, uid.NewBlankUidRange())
	if err != nil {
		return "", errwrap.Wrap(errors.New("cannot render aci"), err)
	hash, err := ts.Hash(id)
	if err != nil {
		return "", errwrap.Wrap(errors.New("cannot calculate tree hash"), err)
	err = ioutil.WriteFile(filepath.Join(treepath, hashfilename), []byte(hash), 0644)
	if err != nil {
		return "", errwrap.Wrap(errors.New("cannot write hash file"), err)
	// before creating the "rendered" flag file we need to ensure that all data is fsynced
	dfd, err := syscall.Open(treepath, syscall.O_RDONLY, 0)
	if err != nil {
		return "", err
	defer syscall.Close(dfd)
	if err := sys.Syncfs(dfd); err != nil {
		return "", errwrap.Wrap(errors.New("failed to sync data"), err)
	// Create rendered file
	f, err := os.Create(filepath.Join(treepath, renderedfilename))
	if err != nil {
		return "", errwrap.Wrap(errors.New("failed to write rendered file"), err)

	// Write the hash of the image that will use this tree store
	err = ioutil.WriteFile(filepath.Join(treepath, imagefilename), []byte(key), 0644)
	if err != nil {
		return "", errwrap.Wrap(errors.New("cannot write image file"), err)

	if err := syscall.Fsync(dfd); err != nil {
		return "", errwrap.Wrap(errors.New("failed to sync tree store directory"), err)

	treeSize, err := ts.Size(id)
	if err != nil {
		return "", err

	if err := s.UpdateTreeStoreSize(key, treeSize); err != nil {
		return "", err

	return string(hash), nil
Beispiel #27
func (r *Runtime) newAppcRuntimeApp(pod *api.Pod, c api.Container, pullSecrets []api.Secret, manifest *appcschema.PodManifest) error {
	if err, _ := r.imagePuller.PullImage(pod, &c, pullSecrets); err != nil {
		return nil
	imgManifest, err := r.getImageManifest(c.Image)
	if err != nil {
		return err

	if imgManifest.App == nil {
		imgManifest.App = new(appctypes.App)

	imageID, err := r.getImageID(c.Image)
	if err != nil {
		return err
	hash, err := appctypes.NewHash(imageID)
	if err != nil {
		return err

	opts, err := r.runtimeHelper.GenerateRunContainerOptions(pod, &c)
	if err != nil {
		return err

	// create the container log file and make a mount pair.
	mnt, err := makeContainerLogMount(opts, &c)
	if err != nil {
		return err

	ctx := securitycontext.DetermineEffectiveSecurityContext(pod, &c)
	if err := setApp(imgManifest.App, &c, opts, ctx, pod.Spec.SecurityContext); err != nil {
		return err

	ra := appcschema.RuntimeApp{
		Name:  convertToACName(c.Name),
		Image: appcschema.RuntimeImage{ID: *hash},
		App:   imgManifest.App,
		Annotations: []appctypes.Annotation{
				Name:  *appctypes.MustACIdentifier(k8sRktContainerHashAnno),
				Value: strconv.FormatUint(kubecontainer.HashContainer(&c), 10),

	if mnt != nil {
		ra.Annotations = append(ra.Annotations, appctypes.Annotation{
			Name:  *appctypes.MustACIdentifier(k8sRktTerminationMessagePathAnno),
			Value: mnt.HostPath,

		manifest.Volumes = append(manifest.Volumes, appctypes.Volume{
			Name:   convertToACName(mnt.Name),
			Kind:   "host",
			Source: mnt.HostPath,

	manifest.Apps = append(manifest.Apps, ra)

	// Set global ports.
	for _, port := range opts.PortMappings {
		manifest.Ports = append(manifest.Ports, appctypes.ExposedPort{
			Name:     convertToACName(port.Name),
			HostPort: uint(port.HostPort),

	return nil
Beispiel #28
func NewAPIServiceListInspectPodsTest() testutils.Test {
	return testutils.TestFunc(func(t *testing.T) {
		ctx := testutils.NewRktRunCtx()
		defer ctx.Cleanup()

		svc := startAPIService(t, ctx)
		defer stopAPIService(t, svc)

		c, conn := newAPIClientOrFail(t, "localhost:15441")
		defer conn.Close()

		resp, err := c.ListPods(context.Background(), &v1alpha.ListPodsRequest{})
		if err != nil {
			t.Fatalf("Unexpected error: %v", err)

		if len(resp.Pods) != 0 {
			t.Errorf("Unexpected result: %v, should see zero pods", resp.Pods)

		patches := []string{"--exec=/inspect --print-msg=HELLO_API --exit-code=0"}
		imageHash, err := patchImportAndFetchHash("rkt-inspect-print.aci", patches, t, ctx)
		if err != nil {
			t.Fatalf("%v", err)
		imgID, err := types.NewHash(imageHash)
		if err != nil {
			t.Fatalf("Cannot generate types.Hash from %v: %v", imageHash, err)

		podManifests := []struct {
			mfst             schema.PodManifest
			net              string
			expectedExitCode int
				// 1, Good pod.
					ACKind:    schema.PodManifestKind,
					ACVersion: schema.AppContainerVersion,
					Apps: []schema.RuntimeApp{
							Name: types.ACName("rkt-inspect"),
							Image: schema.RuntimeImage{
								Name: types.MustACIdentifier(""),
								ID:   *imgID,
							Annotations: []types.Annotation{{Name: types.ACIdentifier("app-test"), Value: "app-test"}},
					Annotations: []types.Annotation{
						{Name: types.ACIdentifier("test"), Value: "test"},
				// 2, Bad pod, won't be launched correctly.
					ACKind:    schema.PodManifestKind,
					ACVersion: schema.AppContainerVersion,
					Apps: []schema.RuntimeApp{
							Name: types.ACName("rkt-inspect"),
							Image: schema.RuntimeImage{
								Name: types.MustACIdentifier(""),
								ID:   *imgID,

		// Launch the pods.
		for _, entry := range podManifests {
			manifestFile := generatePodManifestFile(t, &entry.mfst)
			defer os.Remove(manifestFile)

			runCmd := fmt.Sprintf("%s run --net=%s --pod-manifest=%s", ctx.Cmd(),, manifestFile)
			waitOrFail(t, spawnOrFail(t, runCmd), entry.expectedExitCode)


		gcCmd := fmt.Sprintf("%s gc --mark-only=true", ctx.Cmd())
		waitOrFail(t, spawnOrFail(t, gcCmd), 0)

		gcTime := time.Now()

		// ListPods(detail=false).
		resp, err = c.ListPods(context.Background(), &v1alpha.ListPodsRequest{})
		if err != nil {
			t.Fatalf("Unexpected error: %v", err)

		if len(resp.Pods) != len(podManifests) {
			t.Errorf("Unexpected result: %v, should see %v pods", len(resp.Pods), len(podManifests))

		for _, p := range resp.Pods {
			checkPodBasicsWithGCTime(t, ctx, p, gcTime)

			// Test InspectPod().
			inspectResp, err := c.InspectPod(context.Background(), &v1alpha.InspectPodRequest{Id: p.Id})
			if err != nil {
				t.Fatalf("Unexpected error: %v", err)
			checkPodDetails(t, ctx, inspectResp.Pod)

		// ListPods(detail=true).
		resp, err = c.ListPods(context.Background(), &v1alpha.ListPodsRequest{Detail: true})
		if err != nil {
			t.Fatalf("Unexpected error: %v", err)

		if len(resp.Pods) != len(podManifests) {
			t.Errorf("Unexpected result: %v, should see %v pods", len(resp.Pods), len(podManifests))

		for _, p := range resp.Pods {
			checkPodDetails(t, ctx, p)

		// ListPods with corrupt pod directory
		// Note that we don't checkPodDetails here, the failure this is testing is
		// the api server panicing, which results in a list call hanging for ages
		// and then failing.
		// TODO: do further validation on the partial pods returned
		for _, p := range resp.Pods {
			numRemoved := 0
			podDir := getPodDir(t, ctx, p.Id)
			filepath.Walk(filepath.Join(podDir, "appsinfo"), filepath.WalkFunc(func(path string, info os.FileInfo, err error) error {
				if err != nil {
					return err
				if info.Name() == "manifest" {
				return nil
			if numRemoved == 0 {
				t.Fatalf("Expected to remove at least one app manifest for pod %v", p)

		// ListPods(detail=true).
		resp, err = c.ListPods(context.Background(), &v1alpha.ListPodsRequest{Detail: true})
		if err != nil {
			t.Fatalf("Unexpected error: %v", err)
		if len(resp.Pods) != len(podManifests) {
			t.Fatalf("Expected %v pods, got %v pods", len(podManifests), len(resp.Pods))
Beispiel #29
func rmImages(s *imagestore.Store, images []string) error {
	done := 0
	errors := 0
	staleErrors := 0
	imageMap := make(map[string]string)
	imageCounter := make(map[string]int)

	for _, pkey := range images {
		h, err := types.NewHash(pkey)
		if err != nil {
			var found bool
			keys, found, err := s.ResolveName(pkey)
			if len(keys) > 0 {
				errors += len(keys) - 1
			if err != nil {
			if !found {
				stderr.Printf("image name %q not found", pkey)
			for _, key := range keys {
				imageMap[key] = pkey
		} else {
			key, err := s.ResolveKey(h.String())
			if err != nil {
				stderr.PrintE(fmt.Sprintf("image ID %q not valid", pkey), err)
			if key == "" {
				stderr.Printf("image ID %q doesn't exist", pkey)

			aciinfo, err := s.GetACIInfoWithBlobKey(key)
			if err != nil {
				stderr.PrintE(fmt.Sprintf("error retrieving aci infos for image %q", key), err)
			imageMap[key] = aciinfo.Name

	// Adjust the error count by subtracting duplicate IDs from it,
	// therefore allowing only one error per ID.
	for _, c := range imageCounter {
		if c > 1 {
			errors -= c - 1

	for key, name := range imageMap {
		if err := s.RemoveACI(key); err != nil {
			if serr, ok := err.(*imagestore.StoreRemovalError); ok {
				stderr.PrintE(fmt.Sprintf("some files cannot be removed for image %q (%q)", key, name), serr)
			} else {
				stderr.PrintE(fmt.Sprintf("error removing aci for image %q (%q)", key, name), err)
		stdout.Printf("successfully removed aci for image: %q", key)

	if done > 0 {
		stderr.Printf("%d image(s) successfully removed", done)

	// If anything didn't complete, return exit status of 1
	if (errors + staleErrors) > 0 {
		if staleErrors > 0 {
			stderr.Printf("%d image(s) removed but left some stale files", staleErrors)
		if errors > 0 {
			stderr.Printf("%d image(s) cannot be removed", errors)
		return fmt.Errorf("error(s) found while removing images")

	return nil
Beispiel #30
// Test an image with 1 dep. The parent image has a pathWhiteList.
func TestPWLOnlyParent(t *testing.T) {
	dir, err := ioutil.TempDir("", tstprefix)
	if err != nil {
		t.Fatalf("error creating tempdir: %v", err)
	defer os.RemoveAll(dir)
	ds := NewTestStore()

	imj := `
		    "acKind": "ImageManifest",
		    "acVersion": "0.1.1",
		    "name": "",
		    "pathWhitelist" : [ "/a/file01.txt", "/a/file02.txt", "/b/link01.txt", "/c/", "/d/" ]

	entries := []*testTarEntry{
			contents: imj,
			header: &tar.Header{
				Name: "manifest",
				Size: int64(len(imj)),
			contents: "hello",
			header: &tar.Header{
				Name: "rootfs/a/file01.txt",
				Size: 5,
			contents: "hello",
			header: &tar.Header{
				Name: "rootfs/a/file02.txt",
				Size: 5,
		// This should not appear in rendered aci
			contents: "hello",
			header: &tar.Header{
				Name: "rootfs/a/file03.txt",
				Size: 5,
			header: &tar.Header{
				Name:     "rootfs/b/link01.txt",
				Linkname: "file01.txt",
				Typeflag: tar.TypeSymlink,
		// The file "rootfs/c/file01.txt" should not appear but a new file "rootfs/c/file02.txt" provided by the upper image should appear.
		// The directory should be left with its permissions
			header: &tar.Header{
				Name:     "rootfs/c",
				Typeflag: tar.TypeDir,
				Mode:     0700,
			contents: "hello",
			header: &tar.Header{
				Name: "rootfs/c/file01.txt",
				Size: 5,
				Mode: 0700,
		// The file "rootfs/d/file01.txt" should not appear but the directory should be left and also its permissions
			header: &tar.Header{
				Name:     "rootfs/d",
				Typeflag: tar.TypeDir,
				Mode:     0700,
			contents: "hello",
			header: &tar.Header{
				Name: "rootfs/d/file01.txt",
				Size: 5,
				Mode: 0700,
		// The file and the directory should not appear
			contents: "hello",
			header: &tar.Header{
				Name: "rootfs/e/file01.txt",
				Size: 5,
				Mode: 0700,

	key1, err := newTestACI(entries, dir, ds)
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	im, err := createImageManifest(imj)
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	image1 := Image{Im: im, Key: key1, Level: 1}

	imj = `
		    "acKind": "ImageManifest",
		    "acVersion": "0.1.1",
		    "name": ""

	k1, _ := types.NewHash(key1)
	imj, err = addDependencies(imj,
			ImageName: "",
			ImageID:   k1},

	entries = []*testTarEntry{
			contents: imj,
			header: &tar.Header{
				Name: "manifest",
				Size: int64(len(imj)),
			contents: "hellohello",
			header: &tar.Header{
				Name: "rootfs/b/file01.txt",
				Size: 10,
		// New file
			contents: "hello",
			header: &tar.Header{
				Name: "rootfs/c/file02.txt",
				Size: 5,

	expectedFiles := []*fileInfo{
		&fileInfo{path: "manifest", typeflag: tar.TypeReg},
		&fileInfo{path: "rootfs/a/file01.txt", typeflag: tar.TypeReg, size: 5},
		&fileInfo{path: "rootfs/a/file02.txt", typeflag: tar.TypeReg, size: 5},
		&fileInfo{path: "rootfs/b/link01.txt", typeflag: tar.TypeSymlink},
		&fileInfo{path: "rootfs/b/file01.txt", typeflag: tar.TypeReg, size: 10},
		&fileInfo{path: "rootfs/c", typeflag: tar.TypeDir, mode: 0700},
		&fileInfo{path: "rootfs/c/file02.txt", typeflag: tar.TypeReg, size: 5},
		&fileInfo{path: "rootfs/d", typeflag: tar.TypeDir, mode: 0700},

	key2, err := newTestACI(entries, dir, ds)
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	im, err = createImageManifest(imj)
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	image2 := Image{Im: im, Key: key2, Level: 0}

	images := Images{image2, image1}
	err = checkRenderACIFromList(images, expectedFiles, ds)
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	err = checkRenderACI("", expectedFiles, ds)
	if err != nil {
		t.Fatalf("unexpected error: %v", err)