@@ -174,3 +174,44 @@ function teardown() {
174174 [[ " $container_name " == " restored-sleep-container" ]]
175175 [[ " $pod_name " == " restoresandbox2" ]]
176176}
177+
178+ @test " checkpoint and restore: /etc/passwd uses Kubernetes run_as_user on restore" {
179+ CONTAINER_ENABLE_CRIU_SUPPORT=true start_crio
180+ pod_id=$( crictl runp " $TESTDATA " /sandbox_config.json)
181+ # Create container with run_as_user=1001
182+ START_JSON=$( mktemp)
183+ jq ' .linux.security_context.run_as_user.value = 1001
184+ | .command=["/bin/sh"]
185+ | .args=["-c","sleep inf"]' \
186+ " $TESTDATA " /container_sleep.json > " $START_JSON "
187+ ctr_id=$( crictl create " $pod_id " " $START_JSON " " $TESTDATA " /sandbox_config.json)
188+ crictl start " $ctr_id "
189+ # Verify the UID of the running process
190+ run crictl exec " $ctr_id " id
191+ [[ " $output " == * " uid=1001" * ]]
192+ # Verify /etc/passwd contains entry for UID 1001
193+ run crictl exec " $ctr_id " cat /etc/passwd
194+ [[ " $output " == * " 1001" * ]]
195+ # Checkpoint the container
196+ crictl checkpoint --export=" $TESTDIR " /cp.tar " $ctr_id "
197+ crictl rm -f " $ctr_id "
198+ crictl rmp -f " $pod_id "
199+ pod_id=$( crictl runp " $TESTDATA " /sandbox_config.json)
200+ RESTORE_JSON=$( mktemp)
201+ jq ' .image.image="' " $TESTDIR " ' /cp.tar"
202+ | .linux.security_context.run_as_user.value = 1001' \
203+ " $TESTDATA " /container_sleep.json > " $RESTORE_JSON "
204+ ctr_id=$( crictl create " $pod_id " " $RESTORE_JSON " " $TESTDATA " /sandbox_config.json)
205+ crictl start " $ctr_id "
206+ # Verify that the container was restored
207+ restored=$( crictl inspect --output go-template --template " {{(index .info.restored)}}" " $ctr_id " )
208+ [[ " $restored " == " true" ]]
209+ # Verify the UID is still 1001
210+ run crictl exec " $ctr_id " id
211+ [[ " $output " == * " uid=1001" * ]]
212+ run crictl exec " $ctr_id " cat /etc/passwd
213+ [[ " $output " == * " 1001" * ]]
214+ # Cleanup
215+ rm -f " $START_JSON "
216+ rm -f " $RESTORE_JSON "
217+ }
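Review bot: The two `/etc/passwd` checks, `[[ "$output" == *"1001"* ]]` after the first start and again after restore, pass on any occurrence of the substring 1001 in the file (a GID, a longer number, a comment field), so they do not show that a passwd entry with UID 1001 exists. Matching the UID field would pin what the test title claims, e.g. `[[ "$output" =~ (^|$'\n')[^:]*:[^:]*:1001: ]]`. Because the restore request sets the same run_as_user as the checkpointed container, the post-restore check may also be satisfied by an entry carried over in the checkpoint rather than one written on restore; that depends on how the file is provisioned, which is not visible here. Separately, the `rm -f` cleanup at the end is skipped when any earlier assertion fails, so creating both JSON files under `"$TESTDIR"` instead of with `mktemp` would avoid leaving them behind.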