@@ -62,6 +62,54 @@ function create_test_rro_mounts() {
6262 echo " $directory "
6363}
6464
65+ function setup_log_linking_test() {
66+ local pod_uid=$1
67+ local pod_name pod_namespace pod_log_dir pod_empty_dir_volume_path pod_id ctr_name ctr_attempt ctr_id
68+
69+ pod_name=$( jq -r ' .metadata.name' " $TESTDATA /sandbox_config.json" )
70+ pod_namespace=$( jq -r ' .metadata.namespace' " $TESTDATA /sandbox_config.json" )
71+ pod_log_dir=" /var/log/pods/${pod_namespace} _${pod_name} _${pod_uid} "
72+ pod_empty_dir_volume_path=" /var/lib/kubelet/pods/$pod_uid /volumes/kubernetes.io~empty-dir/logging-volume"
73+
74+ # Create directories and set up pod/container.
75+ mkdir -p " $pod_log_dir " " $pod_empty_dir_volume_path "
76+ jq --arg pod_log_dir " $pod_log_dir " " $pod_uid " ' .annotations["io.kubernetes.cri-o.LinkLogs"] = "logging-volume"
77+ | .log_directory = $pod_log_dir | .metadata.uid = $pod_uid' \
78+ " $TESTDATA /sandbox_config.json" > " $TESTDIR /sandbox_config.json"
79+ pod_id=$( crictl runp " $TESTDIR /sandbox_config.json" )
80+
81+ # Touch the log file.
82+ ctr_name=$( jq -r ' .metadata.name' " $TESTDATA /container_config.json" )
83+ ctr_attempt=$( jq -r ' .metadata.attempt' " $TESTDATA /container_config.json" )
84+ mkdir -p " $pod_log_dir /$ctr_name "
85+ touch " $pod_log_dir /$ctr_name /$ctr_attempt .log"
86+
87+ jq --arg host_path " $pod_empty_dir_volume_path " " /mnt/logging-volume" " $ctr_name /$ctr_attempt .log"
88+ ' .command = ["sh", "-c", "echo Hello log linking && sleep 1000"]
89+ | .log_path = $log_path
90+ | .mounts = [ { host_path: $host_path, container_path: $ctr_path } ]' \
91+ " $TESTDATA " > " $TESTDIR /container_config.json"
92+ ctr_id=$( crictl create " $pod_id " " $TESTDIR /container_config.json" " $TESTDIR /sandbox_config.json" )
93+ }
94+
95+ function assert_log_linking() {
96+ local pod_empty_dir_volume_path=$1
97+ local ctr_name=$2
98+ local ctr_attempt=$3
99+ local ctr_id=$4
100+ local should_succeed=$5
101+
102+ if $should_succeed ; then
103+ [ -f " $pod_empty_dir_volume_path /$ctr_name /$ctr_attempt .log"
104+ [ -f " $pod_empty_dir_volume_path /$ctr_id .log"
105+ grep -E " Hello log linking" " $pod_empty_dir_volume_path /$ctr_name /$ctr_attempt .log"
106+ grep -E " Hello log linking" " $pod_empty_dir_volume_path /$ctr_id .log"
107+ else
108+ [ ! -f " $pod_empty_dir_volume_path /$ctr_name /$ctr_attempt .log"
109+ [ ! -f " $pod_empty_dir_volume_path /$ctr_id .log"
110+ fi
111+ }
112+
65113@test " ctr not found correct error message"
66114 start_crio
67115 run ! crictl inspect " container_not_exist"
@@ -1356,6 +1404,32 @@ function create_test_rro_mounts() {
13561404 [ ! -f " $linked_log_path "
13571405}
13581406
1407+ @test " ctr log linking with malicious paths"
1408+ if [[ $RUNTIME_TYPE == vm ]]; then
1409+ skip " not applicable to vm runtime type"
1410+ fi
1411+ setup_crio
1412+ create_runtime_with_allowed_annotation logs io.kubernetes.cri-o.LinkLogs
1413+ start_crio_no_setup
1414+
1415+ read -r pod_empty_dir_volume_path ctr_name ctr_attempt ctr_id <<< " $(setup_log_linking_test " " )"
1416+ assert_log_linking " $pod_empty_dir_volume_path " " $ctr_name " " $ctr_attempt " " $ctr_id " false
1417+ crictl rmp -fa
1418+ }
1419+
1420+ @test " ctr log linking with invalid paths"
1421+ if [[ $RUNTIME_TYPE == vm ]]; then
1422+ skip " not applicable to vm runtime type"
1423+ fi
1424+ setup_crio
1425+ create_runtime_with_allowed_annotation logs io.kubernetes.cri-o.LinkLogs
1426+ start_crio_no_setup
1427+
1428+ read -r pod_empty_dir_volume_path ctr_name ctr_attempt ctr_id <<< " $(setup_log_linking_test " " )"
1429+ assert_log_linking " $pod_empty_dir_volume_path " " $ctr_name " " $ctr_attempt " " $ctr_id " false
1430+ crictl rmp -fa
1431+ }
1432+
13591433@test " ctr stop loop kill retry attempts"
13601434 FAKE_RUNTIME_BINARY_PATH=" $TESTDIR "
13611435 FAKE_RUNTIME_ATTEMPTS_LOG=" $TESTDIR "
0 commit comments