gha/ci: Add rootless integration test job #123
Draft
vvoland wants to merge 3 commits into containerd:main
Add an `integration-rootless` job that creates a non-root user (`testuser`), adds it to the kvm group, and runs integration tests as that user.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>

The previous logic prepended "../_output" and "." relative to the executable directory. This was fragile and only worked correctly when the binary was run from specific locations (test.sh from integration/). When run via "go test" the binary is in a temp dir where those relative paths are meaningless, and it only worked because PATH was already set externally via $GITHUB_PATH.

Simplify to just prepend the executable's own directory to PATH. Since all artifacts (libkrun.so, kernel, initrd) are built into _output/ alongside the test binary, this handles all execution methods:

- test.sh (binary at ../_output/ relative to integration/)
- go test (relies on PATH already containing _output/)
- pre-compiled binary run directly from _output/

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>

Add TestShimStart that invokes the real containerd-shim-nerdbox-v1 binary with the "start" subcommand. This exercises the shim manager's Start() code path end-to-end, including mount namespace setup.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Pull request overview

This PR extends CI and integration testing to better validate non-root execution and the shim startup path, while also making integration tests less dependent on how they’re invoked.

Changes:

- Adds a new GitHub Actions job (`integration-rootless`) that runs integration tests as a non-root user with KVM group access.
- Simplifies `integration.TestMain` PATH setup to prepend only the test binary’s directory.
- Introduces a new integration test (`TestShimStart`) that invokes the real shim binary with the `start` subcommand to exercise the shim manager Start path end-to-end.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

| File | Description |
|---|---|
| `integration/shim_start_test.go` | Adds an end-to-end shim start integration test using the real shim binary. |
| `integration/main_test.go` | Simplifies PATH setup during integration test initialization. |
| `.github/workflows/ci.yml` | Adds a rootless integration test job that runs the compiled integration test binary as a non-root user. |
Comment on lines +65 to +72
| out, err := cmd.Output() | ||
| if err != nil { | ||
| stderr := "" | ||
| if ee, ok := err.(*exec.ExitError); ok { | ||
| stderr = string(ee.Stderr) | ||
| } | ||
| t.Fatalf("shim start failed: %v\nstderr: %s", err, stderr) | ||
| } |
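Review bot: The `err.(*exec.ExitError)` type assertion in the error branch will miss a wrapped error, and `ee.Stderr` is only populated by `cmd.Output()` when `cmd.Stderr` was left nil. Use `errors.As(err, &ee)` instead of the assertion, and if the test assigns `cmd.Stderr` anywhere before this call, capture stderr in an explicit buffer so the `t.Fatalf` message does not end with an empty `stderr:` field. A shim that fails to start without any diagnostic is hard to triage in the `integration-rootless` job.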
Comment on lines +87 to +92
| // Clean up the child shim process that Start() spawned. | ||
| pidData, err := os.ReadFile(filepath.Join(bundleDir, "shim.pid")) | ||
| if err == nil { | ||
| if pid, err := strconv.Atoi(strings.TrimSpace(string(pidData))); err == nil { | ||
| syscall.Kill(pid, syscall.SIGKILL) | ||
| } |
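Review bot: The PID parsed from `shim.pid` is passed to `syscall.Kill(pid, syscall.SIGKILL)` without a range check, and both the `os.ReadFile` error and the kill result are dropped. `kill(2)` treats 0 as the caller's own process group and -1 as every process the caller is allowed to signal, so a pid file containing 0 or a negative value would take down the test runner or, in the rootless job, every `testuser` process. Require `pid > 1` before signalling, and report the read and kill errors with `t.Logf` so a leaked shim process is visible in the CI output.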
Comment on lines +36 to +38
| // Prepend the directory containing the test binary to PATH so that | ||
| // NewInstance can find libkrun.so, the kernel, and initrd located | ||
| // alongside the binary (the _output/ directory). |
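Review bot: The statement that the artifacts are "located alongside the binary (the _output/ directory)" is inaccurate for `go test` runs: per the commit message, the test binary then lives in a temp dir and the lookup relies on PATH already containing `_output/`. Say so in the comment, and note that the prepended directory takes precedence over every existing PATH entry, so any stale `libkrun.so`, kernel or initrd sitting next to the binary shadows the intended ones.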
gha/ci: Add rootless integration test job

Add an `integration-rootless` job that creates a non-root user (`testuser`), adds it to the kvm group, and runs integration tests as that user.

integration: Simplify TestMain PATH setup

The previous logic prepended "../_output" and "." relative to the executable directory. This was fragile and only worked correctly when the binary was run from specific locations (test.sh from integration/). When run via "go test" the binary is in a temp dir where those relative paths are meaningless, and it only worked because PATH was already set externally via $GITHUB_PATH.

Simplify to just prepend the executable's own directory to PATH. Since all artifacts (libkrun.so, kernel, initrd) are built into _output/ alongside the test binary, this handles all execution methods:

- test.sh (binary at ../_output/ relative to integration/)
- go test (relies on PATH already containing _output/)
- pre-compiled binary run directly from _output/

integration: Add test for shim start

Add TestShimStart that invokes the real containerd-shim-nerdbox-v1 binary with the "start" subcommand. This exercises the shim manager's Start() code path end-to-end, including mount namespace setup.