@@ -154,3 +154,44 @@ function teardown() {
154154 [[ " $container_name " == " restored-sleep-container" ]]
155155 [[ " $pod_name " == " restoresandbox2" ]]
156156}
157+
158+ @test " checkpoint and restore: /etc/passwd uses Kubernetes run_as_user on restore" {
159+ CONTAINER_ENABLE_CRIU_SUPPORT=true start_crio
160+ pod_id=$( crictl runp " $TESTDATA " /sandbox_config.json)
161+ # Create container with run_as_user=1001
162+ START_JSON=$( mktemp)
163+ jq ' .linux.security_context.run_as_user.value = 1001
164+ | .command=["/bin/sh"]
165+ | .args=["-c","sleep inf"]' \
166+ " $TESTDATA " /container_sleep.json > " $START_JSON "
167+ ctr_id=$( crictl create " $pod_id " " $START_JSON " " $TESTDATA " /sandbox_config.json)
168+ crictl start " $ctr_id "
169+ # Verify the UID of the running process
170+ run crictl exec " $ctr_id " id
171+ [[ " $output " == * " uid=1001" * ]]
172+ # Verify /etc/passwd contains entry for UID 1001
173+ run crictl exec " $ctr_id " cat /etc/passwd
174+ [[ " $output " == * " 1001" * ]]
175+ # Checkpoint the container
176+ crictl checkpoint --export=" $TESTDIR " /cp.tar " $ctr_id "
177+ crictl rm -f " $ctr_id "
178+ crictl rmp -f " $pod_id "
179+ pod_id=$( crictl runp " $TESTDATA " /sandbox_config.json)
180+ RESTORE_JSON=$( mktemp)
181+ jq ' .image.image="' " $TESTDIR " ' /cp.tar"
182+ | .linux.security_context.run_as_user.value = 1001' \
183+ " $TESTDATA " /container_sleep.json > " $RESTORE_JSON "
184+ ctr_id=$( crictl create " $pod_id " " $RESTORE_JSON " " $TESTDATA " /sandbox_config.json)
185+ crictl start " $ctr_id "
186+ # Verify that the container was restored
187+ restored=$( crictl inspect --output go-template --template " {{(index .info.restored)}}" " $ctr_id " )
188+ [[ " $restored " == " true" ]]
189+ # Verify the UID is still 1001
190+ run crictl exec " $ctr_id " id
191+ [[ " $output " == * " uid=1001" * ]]
192+ run crictl exec " $ctr_id " cat /etc/passwd
193+ [[ " $output " == * " 1001" * ]]
194+ # Cleanup
195+ rm -f " $START_JSON "
196+ rm -f " $RESTORE_JSON "
197+ }
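Review bot: The `/etc/passwd` assertions at new lines 174 and 193 match the bare substring `1001` anywhere in the file, so they also pass when that number appears only as a GID, inside a user name or in a home-directory path. Anchoring the match to the UID field makes the check mean what the test title says, for example `crictl exec "$ctr_id" cat /etc/passwd | grep -Eq '^[^:]*:[^:]*:1001:'`. Because the container is created and restored with the same `run_as_user` value, a passing run also cannot show whether the entry was generated from the restore request or simply carried over from the checkpoint archive. If the intent is to prove the former, the test needs some observable difference between the two states, which this hunk does not provide. The two `mktemp` files are removed only on the last lines, so any failed assertion leaves them behind; `rm -f "$START_JSON" "$RESTORE_JSON"` belongs in `teardown`, or the files could be created under `$TESTDIR`.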