diff --git a/test/libsinsp_e2e/CMakeLists.txt b/test/libsinsp_e2e/CMakeLists.txt
index 46dfb5d602..ca64c57b09 100755
--- a/test/libsinsp_e2e/CMakeLists.txt
+++ b/test/libsinsp_e2e/CMakeLists.txt
@@ -32,10 +32,6 @@ configure_file(
 add_executable(
 libsinsp_e2e_tests
 capture_to_file_test.cpp
- container/container.cpp
- container/container_cgroup.cpp
- container/container_cri.cpp
- container/docker_utils.cpp
 event_capture.cpp
 forking.cpp
 fs.cpp
@@ -99,6 +95,3 @@ execute_process(
 COMMAND tar xzf ${CMAKE_CURRENT_BINARY_DIR}/resources/fake-proc.tar.gz
 WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/resources/
 )
-
-add_subdirectory(fake_cri)
-add_dependencies(libsinsp_e2e_tests fake_cri)
diff --git a/test/libsinsp_e2e/container/container.cpp b/test/libsinsp_e2e/container/container.cpp
deleted file mode 100644
index 522cf02ed9..0000000000
--- a/test/libsinsp_e2e/container/container.cpp
+++ /dev/null
@@ -1,899 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 -/* -Copyright (C) 2024 The Falco Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. - -*/ - -#include "../sys_call_test.h" -#include "docker_utils.h" - -#include - -#include -#include - -using namespace std; - -TEST_F(sys_call_test, container_cgroups) { - int ctid; - bool done = false; - - // - // FILTER - // - event_filter_t filter = [&](sinsp_evt* evt) { - return evt->get_type() == PPME_SYSCALL_CLONE_20_X && evt->get_tid() == ctid; - }; - - // - // TEST CODE - // - run_callback_async_t test = [&]() { - ctid = fork(); - if(ctid >= 0) { - if(ctid == 0) { - sleep(1); - // _exit prevents asan from complaining for a false positive memory leak. 
- _exit(0); - } else { - wait(NULL); - } - } else { - FAIL(); - } - }; - - // - // OUTPUT VALIDATION - // - captured_event_callback_t callback = [&](const callback_param& param) { - sinsp_threadinfo sinsp_tinfo(nullptr); - char buf[100]; - - sinsp_threadinfo* tinfo = param.m_evt->get_thread_info(); - ASSERT_TRUE(tinfo != nullptr); - const auto& cgroups = tinfo->cgroups(); - ASSERT_TRUE(!cgroups.empty()); - - snprintf(buf, sizeof(buf), "/proc/%d/", ctid); - - sinsp_tinfo.m_tid = ctid; - sinsp_cgroup::instance().lookup_cgroups(sinsp_tinfo); - - const auto& sinsp_cgroups = sinsp_tinfo.cgroups(); - ASSERT_TRUE(!sinsp_cgroups.empty()); - - map cgroups_kernel; - for(const auto& cgroup : cgroups) { - cgroups_kernel.insert(pair(cgroup.first, cgroup.second)); - } - - map cgroups_proc; - for(const auto& sinsp_cgroup : sinsp_cgroups) { - cgroups_proc.insert(pair(sinsp_cgroup.first, sinsp_cgroup.second)); - } - - ASSERT_TRUE(!cgroups_kernel.empty()); - ASSERT_TRUE(!cgroups_proc.empty()); - - for(const auto& [subsys, path] : cgroups_proc) { - printf(" proc cgroup[%s] == <%s>\n", subsys.c_str(), path.c_str()); - } - - for(const auto& [subsys, path] : cgroups_kernel) { - printf(" kernel cgroup[%s] == <%s>\n", subsys.c_str(), path.c_str()); - } - - for(auto& [proc_subsys, proc_path] : cgroups_proc) { - auto it_kernel = cgroups_kernel.find(proc_subsys); - if(it_kernel != cgroups_kernel.end()) { - ASSERT_EQ(it_kernel->first, proc_subsys); - ASSERT_EQ(it_kernel->second, proc_path); - } - } - - done = true; - }; - - ASSERT_NO_FATAL_FAILURE({ - event_capture::run(test, - callback, - filter, - event_capture::do_nothing, - event_capture::do_nothing, - libsinsp::events::sinsp_state_sc_set()); - }); - ASSERT_TRUE(done); -} - -static int clone_callback(void* arg) { - sleep(1); - return 0; -} - -TEST_F(sys_call_test, container_clone_nspid) { - int ctid; - int flags = CLONE_CHILD_CLEARTID | CLONE_CHILD_SETTID | SIGCHLD | CLONE_NEWPID; - bool done = false; - - // - // FILTER - // - 
event_filter_t filter = [&](sinsp_evt* evt) { return evt->get_tid() == ctid; }; - - // - // TEST CODE - // - run_callback_t test = [&](sinsp* inspector) { - const int STACK_SIZE = 65536; /* Stack size for cloned child */ - char* stack; /* Start of stack buffer area */ - char* stack_top; /* End of stack buffer area */ - - stack = (char*)malloc(STACK_SIZE); - if(stack == NULL) { - FAIL(); - } - stack_top = stack + STACK_SIZE; - - ctid = clone(clone_callback, stack_top, flags, NULL); - if(ctid == -1) { - FAIL(); - } else if(ctid == 0) { - free(stack); - _exit(0); - } else { - free(stack); - waitpid(ctid, NULL, 0); - } - }; - - // - // OUTPUT VALDATION - // - captured_event_callback_t callback = [&](const callback_param& param) { - sinsp_evt* e = param.m_evt; - if(e->get_type() == PPME_SYSCALL_CLONE_20_X) { - sinsp_threadinfo* tinfo = param.m_evt->get_thread_info(); - ASSERT_TRUE(tinfo != NULL); - ASSERT_TRUE(tinfo->m_vtid == 1); - ASSERT_TRUE(tinfo->m_vpid == 1); - - done = true; - } - }; - - ASSERT_NO_FATAL_FAILURE({ - event_capture::run(test, - callback, - filter, - event_capture::do_nothing, - event_capture::do_nothing, - libsinsp::events::sinsp_state_sc_set()); - }); - ASSERT_TRUE(done); -} - -TEST_F(sys_call_test, container_clone_nspid_ioctl) { - int ctid; - int flags = CLONE_CHILD_CLEARTID | CLONE_CHILD_SETTID | SIGCHLD | CLONE_NEWPID; - bool done = false; - - // - // FILTER - // - event_filter_t filter = [&](sinsp_evt* evt) { return evt->get_tid() == ctid; }; - - // - // TEST CODE - // - run_callback_t test = [&](sinsp* inspector) { - const int STACK_SIZE = 65536; - char* stack; - char* stack_top; - - stack = (char*)malloc(STACK_SIZE); - if(stack == NULL) { - FAIL(); - } - stack_top = stack + STACK_SIZE; - - ctid = clone(clone_callback, stack_top, flags, NULL); - if(ctid == -1) { - FAIL(); - } - waitpid(ctid, NULL, 0); - free(stack); - }; - - // - // OUTPUT VALDATION - // - captured_event_callback_t callback = [&](const callback_param& param) { - 
sinsp_threadinfo* tinfo = param.m_evt->get_thread_info(); - if(tinfo && tinfo->m_vtid == 1 && tinfo->m_vpid == 1) { - done = true; - } - }; - - ASSERT_NO_FATAL_FAILURE({ - event_capture::run(test, - callback, - filter, - event_capture::do_nothing, - event_capture::do_nothing, - libsinsp::events::sinsp_state_sc_set()); - }); - ASSERT_TRUE(done); -} - -static void run_container_docker_test(bool fork_after_container_start) { - bool done = false; - - if(!dutils_check_docker()) { - printf("Docker not running, skipping test\n"); - return; - } - - event_filter_t filter = [&](sinsp_evt* evt) { - return (evt->get_type() == PPME_CONTAINER_JSON_E || - evt->get_type() == PPME_CONTAINER_JSON_2_E); - }; - - run_callback_async_t test = [&]() { - ASSERT_TRUE(system("docker kill libsinsp_docker > /dev/null 2>&1 || true") == 0); - ASSERT_TRUE(system("docker rm -v libsinsp_docker > /dev/null 2>&1 || true") == 0); - -#ifdef __s390x__ - if(system("docker run -d --name libsinsp_docker s390x/busybox") != 0) -#else - if(system("docker run -d --name libsinsp_docker busybox") != 0) -#endif - { - ASSERT_TRUE(false); - } - - sleep(5); - - ASSERT_TRUE(system("docker kill libsinsp_docker > /dev/null 2>&1 || true") == 0); - ASSERT_TRUE(system("docker rm -v libsinsp_docker > /dev/null 2>&1") == 0); - - if(fork_after_container_start) { - int child_pid = fork(); - - ASSERT_TRUE(child_pid >= 0) << "Could not fork" << strerror(errno); - if(child_pid == 0) { - // _exit prevents asan from complaining for a false positive memory leak. 
- _exit(0); - } else { - wait(NULL); - } - } - }; - - captured_event_callback_t callback = [&](const callback_param& param) { - sinsp_threadinfo* tinfo = param.m_evt->get_thread_info(); - ASSERT_TRUE(tinfo != NULL); - ASSERT_TRUE(tinfo->m_vtid != tinfo->m_tid); - ASSERT_TRUE(tinfo->m_vpid != tinfo->m_pid); - - ASSERT_TRUE(tinfo->m_container_id.length() == 12); - - const auto container_info = - param.m_inspector->m_container_manager.get_container(tinfo->m_container_id); - ASSERT_TRUE(container_info != NULL); - - EXPECT_EQ(sinsp_container_lookup::state::SUCCESSFUL, container_info->get_lookup_status()); - EXPECT_EQ(sinsp_container_type::CT_DOCKER, container_info->m_type); - EXPECT_EQ("libsinsp_docker", container_info->m_name); -#ifdef __s390x__ - EXPECT_EQ("s390x/busybox", container_info->m_image); -#else - EXPECT_EQ("busybox", container_info->m_image); -#endif - - done = true; - }; - - ASSERT_NO_FATAL_FAILURE({ - event_capture::run(test, - callback, - filter, - event_capture::do_nothing, - event_capture::do_nothing, - libsinsp::events::sinsp_state_sc_set()); - }); - ASSERT_TRUE(done); -} - -TEST_F(sys_call_test, container_docker) { - bool fork_after_container_start = false; - - run_container_docker_test(fork_after_container_start); -} - -// This test intentionally does a fork after starting the container -// and then calls exit(), which closes all FILEs, calls destructors -// for static globals, etc. Best practices recommend calling _exit() -// in forked children instead of exit(), as _exit() skips all those -// teardown steps, but this test verifies that even if a child calls -// exit(), that there aren't any conflicts/races in the static -// globals, etc. -// -// It may be the case someday that there are globals that we don't -// control or have to keep global that cause conflicts on duplicate -// exit(), in which case this test will start -// hanging/failing/crashing. If this happens, we should remove this -// test. 
- -TEST_F(sys_call_test, container_docker_fork) { - bool fork_after_container_start = true; - - run_container_docker_test(fork_after_container_start); -} - -TEST_F(sys_call_test, container_docker_bad_socket) { - bool done = false; - - if(!dutils_check_docker()) { - printf("Docker not running, skipping test\n"); - return; - } - - before_capture_t setup = [&](sinsp* inspector) { - inspector->set_docker_socket_path("/invalid/path"); - }; - - event_filter_t filter = [&](sinsp_evt* evt) { - if(evt->get_type() == PPME_CONTAINER_JSON_E || evt->get_type() == PPME_CONTAINER_JSON_2_E) { - return true; - } - auto tinfo = evt->get_thread_info(); - if(tinfo) { - return !tinfo->m_container_id.empty(); - } - return false; - }; - - run_callback_async_t test = []() { - ASSERT_TRUE(system("docker kill libsinsp_docker > /dev/null 2>&1 || true") == 0); - ASSERT_TRUE(system("docker rm -v libsinsp_docker > /dev/null 2>&1 || true") == 0); - -#ifdef __s390x__ - if(system("docker run -d --name libsinsp_docker s390x/busybox sh -c 'while true; do " - "sleep 1; done'") != 0) -#else - if(system("docker run -d --name libsinsp_docker busybox sh -c 'while true; do sleep 1; " - "done'") != 0) -#endif - { - ASSERT_TRUE(false); - } - - sleep(2); - - ASSERT_TRUE(system("docker kill libsinsp_docker > /dev/null 2>&1 || true") == 0); - ASSERT_TRUE(system("docker rm -v libsinsp_docker > /dev/null 2>&1") == 0); - }; - - captured_event_callback_t callback = [&](const callback_param& param) { - // can't get a container event for failed lookup - ASSERT_NE(PPME_CONTAINER_JSON_E, param.m_evt->get_type()); - ASSERT_NE(PPME_CONTAINER_JSON_2_E, param.m_evt->get_type()); - - sinsp_threadinfo* tinfo = param.m_evt->get_thread_info(false); - ASSERT_TRUE(tinfo->m_container_id.length() == 12); - ASSERT_TRUE(param.m_inspector->m_container_manager.container_exists(tinfo->m_container_id)); - const auto container_info = - param.m_inspector->m_container_manager.get_container(tinfo->m_container_id); - if(container_info && 
container_info->m_type == CT_DOCKER) { - EXPECT_EQ(sinsp_container_lookup::state::FAILED, container_info->get_lookup_status()); - done = true; - } - }; - - after_capture_t cleanup = [&](sinsp* inspector) { - inspector->set_docker_socket_path("/var/run/docker.sock"); - }; - - ASSERT_NO_FATAL_FAILURE({ event_capture::run(test, callback, filter, setup, cleanup); }); - ASSERT_TRUE(done); -} - -TEST_F(sys_call_test, container_libvirt) { - bool done = false; - - if(system("virsh --help > /dev/null 2>&1") != 0) { - GTEST_SKIP() << "libvirt not installed, skipping test"; - return; - } - - // Setup phase before capture has start, to avoid generating too many events - before_capture_t setup = [](sinsp* inspector) { - FILE* f = fopen("/tmp/conf.xml", "w"); - ASSERT_TRUE(f != NULL); - fprintf(f, - "\n" - " libvirt-container\n" - " 128000\n" - " \n" - " exe\n" - " /bin/sh\n" - " \n" - " \n" - " \n" - " \n" - ""); - fclose(f); - - ASSERT_TRUE( - system("virsh -c lxc:/// undefine libvirt-container > /dev/null 2>&1 || true") == - 0); - ASSERT_TRUE(system("virsh -c lxc:/// destroy libvirt-container > /dev/null 2>&1 || true") == - 0); - - if(system("virsh -c lxc:/// define /tmp/conf.xml") != 0) { - ASSERT_TRUE(false); - } - }; - - event_filter_t filter = [&](sinsp_evt* evt) { - sinsp_threadinfo* tinfo = evt->get_thread_info(); - if(tinfo) { - return !tinfo->m_container_id.empty() && tinfo->m_comm == "sh"; - } - return false; - }; - - run_callback_async_t test = []() { - if(system("virsh -c lxc:/// start libvirt-container") != 0) { - ASSERT_TRUE(false); - } - sleep(2); - }; - - captured_event_callback_t callback = [&](const callback_param& param) { - sinsp_threadinfo* tinfo = param.m_evt->get_thread_info(); - ASSERT_TRUE(tinfo != NULL); - ASSERT_TRUE(tinfo->m_vtid != tinfo->m_tid); - ASSERT_TRUE(tinfo->m_vpid != tinfo->m_pid); - - unsigned int lxc_id; - ASSERT_TRUE(tinfo->m_container_id.find("libvirt\\x2dcontainer") != string::npos || - sscanf(tinfo->m_container_id.c_str(), 
"lxc-%u-libvirt-container", &lxc_id) == - 1); - - const auto container_info = - param.m_inspector->m_container_manager.get_container(tinfo->m_container_id); - ASSERT_TRUE(container_info != NULL); - - ASSERT_TRUE(container_info->m_type == sinsp_container_type::CT_LIBVIRT_LXC); - ASSERT_TRUE(container_info->m_name == tinfo->m_container_id); - ASSERT_TRUE(container_info->m_image.empty()); - - done = true; - }; - - after_capture_t cleanup = [](sinsp* inspector) { - ASSERT_TRUE(system("virsh -c lxc:/// undefine libvirt-container > /dev/null 2>&1") == 0); - ASSERT_TRUE(system("virsh -c lxc:/// destroy libvirt-container > /dev/null 2>&1") == 0); - }; - - ASSERT_NO_FATAL_FAILURE({ - event_capture::run(test, - callback, - filter, - setup, - cleanup, - libsinsp::events::sinsp_state_sc_set()); - }); - ASSERT_TRUE(done); -} - -class container_state { -public: - container_state(): - container_w_health_probe(false), - root_cmd_seen(false), - second_cmd_seen(false), - healthcheck_seen(false) {}; - virtual ~container_state() {}; - - bool container_w_health_probe; - bool root_cmd_seen; - bool second_cmd_seen; - bool healthcheck_seen; -}; - -static void update_container_state(sinsp* inspector, - sinsp_evt* evt, - container_state& cstate, - sinsp_threadinfo::command_category expected_cat) { - sinsp_threadinfo* tinfo = evt->get_thread_info(); - - if(tinfo == NULL) { - return; - } - - if(inspector->m_container_manager.container_exists(tinfo->m_container_id)) { - std::string cmdline; - - sinsp_threadinfo::populate_cmdline(cmdline, tinfo); - - const auto container_info = - inspector->m_container_manager.get_container(tinfo->m_container_id); - - if(container_info && !container_info->m_health_probes.empty()) { - cstate.container_w_health_probe = true; - } - - // This is the container's initial command. 
In the test case - // where the health check is the same command, we will see this - // command twice--the first time it should not be identified as - // a health check, and the second time it should. - if(cmdline == "sh -c /bin/sleep 10") { - if(!cstate.root_cmd_seen) { - cstate.root_cmd_seen = true; - - ASSERT_EQ(tinfo->m_category, sinsp_threadinfo::CAT_CONTAINER); - } else { - // In some cases, it can take so long for the async fetch of container info to - // complete (1.5 seconds) that a healthcheck proc might be run before the container - // info has been updated. So only require the threadinfo category to match once - // the container info has a health probe. - if(cstate.container_w_health_probe) { - cstate.healthcheck_seen = true; - ASSERT_EQ(tinfo->m_category, expected_cat); - } - } - } - - // Child process of the above sh command. Same handling as above, - // will see twice only when health check is same as root command. - if(cmdline == "sleep 10") { - if(!cstate.second_cmd_seen) { - cstate.second_cmd_seen = true; - ASSERT_EQ(tinfo->m_category, sinsp_threadinfo::CAT_CONTAINER); - } else { - // See above caveat about slow container info fetches - if(cstate.container_w_health_probe) { - // Should inherit container healthcheck property from parent. - ASSERT_EQ(tinfo->m_category, expected_cat); - } - } - } - - // Commandline for the health check of the healthcheck containers, - // in direct exec and shell formats. - if(cmdline == "ut-health-check" || cmdline == "sh -c /bin/ut-health-check") { - cstate.healthcheck_seen = true; - - ASSERT_EQ(tinfo->m_category, expected_cat); - } - } -} - -// Start up a container with the provided dockerfile, and track the -// state of the initial command for the container, a child proces of -// that initial command, and a health check (if one is configured). 
-static void healthcheck_helper( - const char* dockerfile, - bool expect_healthcheck, - const char* build_extra_args, - const char* run_extra_args, - std::vector& labels, - sinsp_threadinfo::command_category expected_cat = sinsp_threadinfo::CAT_HEALTHCHECK) { - container_state cstate; - std::atomic exited_early = false; - - if(!dutils_check_docker()) { - return; - } - - dutils_kill_container("cont_health_ut"); - dutils_kill_image("cont_health_ut_img"); - std::string docker_res(LIBSINSP_TEST_RESOURCES_PATH "/docker/"); - docker_helper dhelper(docker_res + dockerfile, - "cont_health_ut_img", - labels, - build_extra_args, - run_extra_args); - - ASSERT_TRUE(dhelper.build_image() == 0); - - event_filter_t filter = [&](sinsp_evt* evt) { - sinsp_threadinfo* tinfo = evt->get_thread_info(); - - return (tinfo != nullptr && strcmp(evt->get_name(), "execve") == 0 && - evt->get_direction() == SCAP_ED_OUT && !tinfo->m_container_id.empty()); - }; - - run_callback_async_t test = [&]() { - int rc = dhelper.run_container("cont_health_ut", "/bin/sh -c '/bin/sleep 10'"); - - ASSERT_TRUE(exited_early || (rc == 0)); - }; - - captured_event_callback_t callback = [&](const callback_param& param) { - update_container_state(param.m_inspector, param.m_evt, cstate, expected_cat); - - // Exit as soon as we've seen all the initial commands - // and the health check (if expecting one) - if(!exited_early && cstate.root_cmd_seen && cstate.second_cmd_seen && - (cstate.healthcheck_seen || !expect_healthcheck)) { - exited_early = true; - dutils_kill_container("cont_health_ut"); - } - }; - - ASSERT_NO_FATAL_FAILURE({ - event_capture::run(test, - callback, - filter, - event_capture::do_nothing, - event_capture::do_nothing, - libsinsp::events::sinsp_state_sc_set()); - }); - - ASSERT_TRUE(cstate.root_cmd_seen); - ASSERT_TRUE(cstate.second_cmd_seen); - ASSERT_EQ(cstate.container_w_health_probe, expect_healthcheck); - ASSERT_EQ(cstate.healthcheck_seen, expect_healthcheck); -} - -static void 
healthcheck_tracefile_helper( - const std::string& dockerfile, - bool expect_healthcheck, - sinsp_threadinfo::command_category expected_cat = sinsp_threadinfo::CAT_HEALTHCHECK) { - container_state cstate; - - std::string build_cmdline( - "cd " LIBSINSP_TEST_RESOURCES_PATH - "/docker/health_dockerfiles && docker build -t cont_health_ut_img -f " + - dockerfile + " . > /dev/null 2>&1"); - ASSERT_TRUE(system(build_cmdline.c_str()) == 0); - - run_callback_async_t test = []() { - // --network=none speeds up the container setup a bit. - ASSERT_TRUE( - (system("docker run --rm --network=none --name cont_health_ut cont_health_ut_img " - "/bin/sh -c '/bin/sleep 10' > /dev/null 2>&1")) == 0); - }; - - event_filter_t filter = [&](sinsp_evt* evt) { - std::string evt_name(evt->get_name()); - return evt_name.find("execve") != std::string::npos && evt->get_direction() == SCAP_ED_OUT; - }; - - captured_event_callback_t callback = [&](const callback_param& param) { return; }; - - ASSERT_NO_FATAL_FAILURE({ - event_capture::run(test, - callback, - filter, - event_capture::do_nothing, - event_capture::do_nothing, - libsinsp::events::sinsp_state_sc_set()); - }); - - // Now reread the file we just wrote and pass it through - // update_container_state. 
- - const ::testing::TestInfo* const test_info = - ::testing::UnitTest::GetInstance()->current_test_info(); - auto dumpfile = std::string(LIBSINSP_TEST_CAPTURES_PATH) + test_info->test_case_name() + "_" + - test_info->name() + ".scap"; - - sinsp inspector; - inspector.set_hostname_and_port_resolution_mode(false); - inspector.set_filter("evt.type=execve and evt.dir=<"); - inspector.open_savefile(dumpfile); - inspector.start_capture(); - - while(true) { - sinsp_evt* ev; - int32_t res = inspector.next(&ev); - - if(res == SCAP_TIMEOUT) { - continue; - } - if(res == SCAP_FILTERED_EVENT) { - continue; - } else if(res == SCAP_EOF) { - break; - } - ASSERT_TRUE(res == SCAP_SUCCESS); - - update_container_state(&inspector, ev, cstate, expected_cat); - } - - std::string capture_stats_str = event_capture::capture_stats(&inspector); - - inspector.stop_capture(); - inspector.close(); - - ASSERT_TRUE(cstate.root_cmd_seen) << capture_stats_str; - ASSERT_TRUE(cstate.second_cmd_seen) << capture_stats_str; - ASSERT_EQ(cstate.container_w_health_probe, expect_healthcheck) << capture_stats_str; - ASSERT_EQ(cstate.healthcheck_seen, expect_healthcheck) << capture_stats_str; -} - -// Run container w/o health check, should not find any health check -// for the container. Should not identify either the entrypoint -// or a second process spawned after as a health check process. -TEST_F(sys_call_test, docker_container_no_healthcheck) { - std::vector labels{}; - healthcheck_helper("Dockerfile.no_healthcheck", false, "", "", labels); -} - -// A container with HEALTHCHECK=none should behave identically to one -// without any container at all. -TEST_F(sys_call_test, docker_container_none_healthcheck) { - std::vector labels{}; - healthcheck_helper("Dockerfile.none_healthcheck", false, "", "", labels); -} - -// Run container w/ health check. Should find health check for -// container but not identify entrypoint or second process after as -// a health check process. 
Should identify at least one health -// check executed for container. -TEST_F(sys_call_test, docker_container_healthcheck) { - std::vector labels{}; - healthcheck_helper("Dockerfile", true, "", "", labels); -} - -// Run container w/ health check and entrypoint having identical -// cmdlines. Should identify healthcheck but not entrypoint as a -// health check process. -TEST_F(sys_call_test, docker_container_healthcheck_cmd_overlap) { - std::vector labels{}; - healthcheck_helper("Dockerfile", true, "", "", labels); -} - -// A health check using shell exec instead of direct exec. -TEST_F(sys_call_test, docker_container_healthcheck_shell) { - std::vector labels{}; - healthcheck_helper("Dockerfile", - true, - "", - "--health-cmd 'sh -c \"/bin/ut-health-check\"' --health-interval 0.5s", - labels); -} - -// A health check where the container has docker labels that make it -// look like it was started in k8s. -TEST_F(sys_call_test, docker_container_liveness_probe) { - const char* label = - R""""(annotation.kubectl.kubernetes.io/last-applied-configuration="{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"name\":\"mysql-app\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"env\":[{\"name\":\"MYSQL_ROOT_PASSWORD\",\"value\":\"no\"}],\"image\":\"user/mysql:healthcheck\",\"livenessProbe\":{\"exec\":{\"command\":[\"/bin/ut-health-check\"]},\"initialDelaySeconds\":5,\"periodSeconds\":5},\"name\":\"mysql\"}]}}\n")""""; - std::vector labels{std::string(label)}; - healthcheck_helper("Dockerfile", true, "", "", labels, sinsp_threadinfo::CAT_LIVENESS_PROBE); -} - -TEST_F(sys_call_test, docker_container_readiness_probe) { - const char* label = - 
R""""(annotation.kubectl.kubernetes.io/last-applied-configuration="{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"name\":\"mysql-app\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"env\":[{\"name\":\"MYSQL_ROOT_PASSWORD\",\"value\":\"no\"}],\"image\":\"user/mysql:healthcheck\",\"readinessProbe\":{\"exec\":{\"command\":[\"/bin/ut-health-check\"]},\"initialDelaySeconds\":5,\"periodSeconds\":5},\"name\":\"mysql\"}]}}\n")""""; - std::vector labels{std::string(label)}; - healthcheck_helper("Dockerfile", true, "", "", labels, sinsp_threadinfo::CAT_READINESS_PROBE); -} - -// Identical to above tests, but read events from a trace file instead -// of live. Only doing selected cases. -TEST_F(sys_call_test, docker_container_healthcheck_trace) { - healthcheck_tracefile_helper("Dockerfile.healthcheck", true); -} - -TEST_F(sys_call_test, docker_container_healthcheck_cmd_overlap_trace) { - healthcheck_tracefile_helper("Dockerfile.healthcheck_cmd_overlap", true); -} - -TEST_F(sys_call_test, docker_container_liveness_probe_trace) { - healthcheck_tracefile_helper("Dockerfile.healthcheck_liveness", - true, - sinsp_threadinfo::CAT_LIVENESS_PROBE); -} - -TEST_F(sys_call_test, docker_container_readiness_probe_trace) { - healthcheck_tracefile_helper("Dockerfile.healthcheck_readiness", - true, - sinsp_threadinfo::CAT_READINESS_PROBE); -} - -TEST_F(sys_call_test, docker_container_large_json) { - bool saw_container_evt = false; - - if(!dutils_check_docker()) { - return; - } - - std::string repeated_string = std::string(4096, 'a'); - - std::vector labels; - labels.emplace_back("url2=" + repeated_string); - labels.emplace_back("summary2=" + repeated_string); - labels.emplace_back("vcs-type2=" + repeated_string); - labels.emplace_back("vcs-ref2=" + repeated_string); - labels.emplace_back("description2=" + repeated_string); - labels.emplace_back("io.k8s.description2=" + repeated_string); - - dutils_kill_container("large_container_ut"); - 
dutils_kill_image("large_container_ut_img"); - std::string docker_res(LIBSINSP_TEST_RESOURCES_PATH "/docker/"); - docker_helper dhelper(docker_res + "Dockerfile", "large_container_ut_img", labels, "", ""); - - ASSERT_TRUE(dhelper.build_image() == 0); - - before_capture_t before = [&](sinsp* inspector) { - inspector->set_container_labels_max_len(60000); - }; - - event_filter_t filter = [&](sinsp_evt* evt) { - return evt->get_type() == PPME_CONTAINER_JSON_E || - evt->get_type() == PPME_CONTAINER_JSON_2_E; - }; - - run_callback_async_t test = [&]() { - int rc = dhelper.run_container("large_container_ut", "/bin/sh -c '/bin/sleep 3'"); - ASSERT_TRUE(rc == 0); - }; - - captured_event_callback_t callback = [&](const callback_param& param) { - saw_container_evt = true; - - sinsp_threadinfo* tinfo = param.m_evt->get_thread_info(); - ASSERT_TRUE(tinfo != NULL); - - const auto container_info = - param.m_inspector->m_container_manager.get_container(tinfo->m_container_id); - - ASSERT_NE(nullptr, container_info); - ASSERT_EQ(container_info->m_type, CT_DOCKER); - - ASSERT_STREQ(container_info->m_name.c_str(), "large_container_ut"); - ASSERT_STREQ(container_info->m_image.c_str(), "large_container_ut_img"); - - std::unordered_set labels = { - "url2", - "summary2", - "vcs-type2", - "vcs-ref2", - "description2", - "io.k8s.description2", - }; - - const std::string aaaaaa(4096, 'a'); - - for(const auto& label : container_info->m_labels) { - EXPECT_EQ(1, labels.erase(label.first)); - EXPECT_EQ(4096, label.second.size()); - EXPECT_EQ(aaaaaa, label.second); - } - - EXPECT_TRUE(labels.empty()); - }; - - after_capture_t cleanup = [](sinsp* inspector) { - // reset the value - inspector->set_container_labels_max_len(100); - }; - - ASSERT_NO_FATAL_FAILURE({ - event_capture::run(test, - callback, - filter, - before, - cleanup, - libsinsp::events::sinsp_state_sc_set()); - }); - ASSERT_TRUE(saw_container_evt); -} 
diff --git a/test/libsinsp_e2e/container/container_cgroup.cpp b/test/libsinsp_e2e/container/container_cgroup.cpp
deleted file mode 100644
index 831b618d48..0000000000
--- a/test/libsinsp_e2e/container/container_cgroup.cpp
+++ /dev/null
@@ -1,105 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-/*
-Copyright (C) 2024 The Falco Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-
-*/
-
-#include "../sys_call_test.h"
-
-#include
-
-#include
-
-using namespace libsinsp::runc;
-
-constexpr const cgroup_layout CRI_CGROUP_LAYOUT[] = {
- {"/", ""}, // non-systemd containerd
- {"/crio-", ""}, // non-systemd cri-o
- {"/containerd-", ".scope"}, // systemd containerd (?)
- {"/crio-", ".scope"}, // systemd cri-o
- {":cri-containerd:", ""}, // unknown containerd seen in the wild
- {nullptr, nullptr}};
-
-constexpr const cgroup_layout DOCKER_CGROUP_LAYOUT[] = {{"/", ""}, // non-systemd docker
- {"/docker-", ".scope"}, // systemd docker
- {nullptr, nullptr}};
-
-class container_cgroup : public testing::Test {};
-
-TEST_F(container_cgroup, containerd_cgroupfs) {
- std::string container_id;
- const std::string cgroup =
- "/kubepods/besteffort/podac04f3f2-1f2c-11e9-b015-1ebee232acfa/"
- "605439acbd4fb18c145069289094b17f17e0cfa938f78012d4960bc797305f22";
- const std::string expected_container_id = "605439acbd4f";
-
- EXPECT_EQ(true, match_container_id(cgroup, CRI_CGROUP_LAYOUT, container_id));
- EXPECT_EQ(expected_container_id, container_id);
-}
-
-TEST_F(container_cgroup, crio_cgroupfs) {
- std::string container_id;
- const std::string cgroup =
- "/kubepods/besteffort/pod63b3ebfc-2890-11e9-8154-16bf8ef8d9dc/"
- "crio-73bfe475650de66df8e2affdc98d440dcbe84f8df83b6f75a68a82eb7026136a";
- const std::string expected_container_id = "73bfe475650d";
-
- EXPECT_EQ(true, match_container_id(cgroup, CRI_CGROUP_LAYOUT, container_id));
- EXPECT_EQ(expected_container_id, container_id);
-}
-
-TEST_F(container_cgroup, crio_systemd) {
- std::string container_id;
- const std::string cgroup =
- "/kubepods.slice/kubepods-besteffort.slice/"
- "kubepods-besteffort-pod63b3ebfc_2890_11e9_8154_16bf8ef8d9dc.slice/"
- "crio-17d8c9eacc629f9945f304d89e9708c0c619649a484a215b240628319548a09f.scope";
- const std::string expected_container_id = "17d8c9eacc62";
-
- EXPECT_EQ(true, match_container_id(cgroup, CRI_CGROUP_LAYOUT, container_id));
- EXPECT_EQ(expected_container_id, container_id);
-}
-
-TEST_F(container_cgroup, docker_cgroupfs) {
- std::string container_id;
- const std::string cgroup =
- "/docker/7951fb549ab99e0722a949b6c121634e1f3a36b5bacbe5392991e3b12251e6b8";
- const std::string expected_container_id = "7951fb549ab9";
-
- EXPECT_EQ(true, match_container_id(cgroup, DOCKER_CGROUP_LAYOUT, container_id));
- EXPECT_EQ(expected_container_id, container_id);
-}
-
-TEST_F(container_cgroup, docker_systemd) {
- std::string container_id;
- const std::string cgroup =
- "/docker.slice/"
- "docker-7951fb549ab99e0722a949b6c121634e1f3a36b5bacbe5392991e3b12251e6b8.scope";
- const std::string expected_container_id = "7951fb549ab9";
-
- EXPECT_EQ(true, match_container_id(cgroup, DOCKER_CGROUP_LAYOUT, container_id));
- EXPECT_EQ(expected_container_id, container_id);
-}
-
-TEST_F(container_cgroup, containerd_unknown) {
- std::string container_id;
- const std::string cgroup =
- "/kubepods-burstable-podbd12dd3393227d950605a2444b13c27a.slice:cri-containerd:"
- "d52db56a9c80d536a91354c0951c061187ca46249e64865a12703003d8f42366";
- const std::string expected_container_id = "d52db56a9c80";
-
- EXPECT_EQ(true, match_container_id(cgroup, CRI_CGROUP_LAYOUT, container_id));
- EXPECT_EQ(expected_container_id, container_id);
-}
diff --git a/test/libsinsp_e2e/container/container_cri.cpp b/test/libsinsp_e2e/container/container_cri.cpp
deleted file mode 100644
index 2c4671b26a..0000000000
--- a/test/libsinsp_e2e/container/container_cri.cpp
+++ /dev/null
@@ -1,551 +0,0 @@ -#include "../sys_call_test.h" -#include "../subprocess.h" - -#include - -static const std::string cri_container_id = "aec4c703604b"; -static const std::string fake_cri_socket = "/tmp/fake-cri.sock"; -static const std::string fake_docker_socket = "/tmp/fake-docker.sock"; -static const std::string default_docker_socket = "/var/run/docker.sock"; - -struct exp_container_event_info { - sinsp_container_type type; - sinsp_container_lookup::state state; -}; - -class container_cri : public sys_call_test { -protected: - void fake_cri_test(const std::string& pb_prefix, - const std::string& runtime, - const std::function& done)>& callback, - bool extra_queries = true); - - void fake_cri_test_timing(const std::string& pb_prefix, - const std::string& delay_arg, - const std::string& runtime, - float docker_delay, - bool async, - const exp_container_event_info& exp_info, - uint64_t container_engine_mask = 0, - int64_t test_duration = 10); -}; - -TEST_F(container_cri, fake_cri_no_server) { - std::atomic done(false); - - event_filter_t filter = [&](sinsp_evt* evt) { - // we never get the PPME_CONTAINER_JSON_E event if the lookup fails - sinsp_threadinfo* tinfo = evt->get_tinfo(); - if(tinfo) { - return tinfo->m_exe == "/bin/echo" && !tinfo->m_container_id.empty(); - } - - return false; - }; - - run_callback_t test = [&](sinsp* inspector) { - subprocess handle(LIBSINSP_TEST_PATH "/test_helper", {"cri_container_echo"}); - handle.in() << "\n"; - handle.wait(); - }; - - captured_event_callback_t callback = [&](const callback_param& param) { - sinsp_threadinfo* tinfo = param.m_evt->get_tinfo(); - EXPECT_TRUE(tinfo != NULL); - - EXPECT_EQ(cri_container_id, tinfo->m_container_id); - - const auto container_info = - param.m_inspector->m_container_manager.get_container(tinfo->m_container_id); - - // This can either be null or a container with incomplete metadata - EXPECT_TRUE( - (container_info == nullptr || - container_info->get_lookup_status() != 
sinsp_container_lookup::state::SUCCESSFUL)); - - done = true; - }; - - before_capture_t setup = [&](sinsp* inspector) { - inspector->set_cri_socket_path(fake_cri_socket); - }; - - EXPECT_NO_FATAL_FAILURE({ event_capture::run(test, callback, filter, setup); }); - EXPECT_TRUE(done); -} - -void container_cri::fake_cri_test( - const std::string& pb_prefix, - const std::string& runtime, - const std::function& done)>& callback, - bool extra_queries) { - std::atomic done(false); - unlink(fake_cri_socket.c_str()); - subprocess fake_cri_handle(LIBSINSP_TEST_PATH "/fake_cri/fake_cri", - {"unix://" + fake_cri_socket, pb_prefix, runtime}); - pid_t fake_cri_pid = fake_cri_handle.get_pid(); - - auto start_time = time(NULL); - - event_filter_t filter = [&](sinsp_evt* evt) { - return evt->get_type() == PPME_CONTAINER_JSON_E || - evt->get_type() == PPME_CONTAINER_JSON_2_E; - }; - - run_callback_t test = [&](sinsp* inspector) { - subprocess handle(LIBSINSP_TEST_PATH "/test_helper", {"cri_container_echo"}); - handle.in() << "\n"; - handle.wait(); - while(!done && time(NULL) < start_time + 10) { - usleep(100000); - } - }; - - captured_event_callback_t cri_callback = [&](const callback_param& param) { - callback(param, done); - }; - - before_capture_t setup = [&](sinsp* inspector) { - inspector->set_cri_socket_path(fake_cri_socket); - inspector->set_docker_socket_path(""); - inspector->set_cri_extra_queries(extra_queries); - }; - - after_capture_t cleanup = [&](sinsp* inspector) { - inspector->set_docker_socket_path(default_docker_socket); - }; - - EXPECT_NO_FATAL_FAILURE({ event_capture::run(test, cri_callback, filter, setup, cleanup); }); - - // The fake server had to stay running the whole time in order - // for the test to be succesful - // Needed to reap the zombine if it exited - waitpid(fake_cri_pid, NULL, WNOHANG); - EXPECT_TRUE(fake_cri_handle.is_alive()); - - EXPECT_TRUE(done); - - fake_cri_handle.kill(); -} - -TEST_F(container_cri, fake_cri) { - fake_cri_test( - 
LIBSINSP_TEST_RESOURCES_PATH "/fake_cri_falco", - "containerd", - [&](const callback_param& param, std::atomic& done) { - sinsp_threadinfo* tinfo = param.m_evt->get_tinfo(); - EXPECT_TRUE(tinfo != NULL); - - EXPECT_EQ(cri_container_id, tinfo->m_container_id); - - const auto container_info = - param.m_inspector->m_container_manager.get_container(tinfo->m_container_id); - EXPECT_NE(container_info, nullptr); - - EXPECT_EQ(sinsp_container_type::CT_CONTAINERD, container_info->m_type); - EXPECT_EQ("falco", container_info->m_name); - EXPECT_EQ("docker.io/falcosecurity/falco:latest", container_info->m_image); - EXPECT_EQ("sha256:8d0619a4da278dfe2772f75aa3cc74df0a250385de56085766035db5c9a062ed", - container_info->m_imagedigest); - EXPECT_EQ("4bc0e14060f4263acf658387e76715bd836a13b9ba44f48465bd0633a412dbd0", - container_info->m_imageid); - EXPECT_EQ(1073741824, container_info->m_memory_limit); - EXPECT_EQ(102, container_info->m_cpu_shares); - EXPECT_EQ(0, container_info->m_cpu_quota); - EXPECT_EQ(100000, container_info->m_cpu_period); - - done = true; - }); -} - -TEST_F(container_cri, fake_cri_crio_extra_queries) { - fake_cri_test( - LIBSINSP_TEST_RESOURCES_PATH "/fake_cri_crio", - "cri-o", - [&](const callback_param& param, std::atomic& done) { - sinsp_threadinfo* tinfo = param.m_evt->get_tinfo(); - EXPECT_TRUE(tinfo != NULL); - - EXPECT_EQ(cri_container_id, tinfo->m_container_id); - - const auto container_info = - param.m_inspector->m_container_manager.get_container(tinfo->m_container_id); - EXPECT_NE(container_info, nullptr); - - EXPECT_EQ(sinsp_container_type::CT_CRIO, container_info->m_type); - EXPECT_EQ("falco", container_info->m_name); - EXPECT_EQ("docker.io/falcosecurity/falco:crio", container_info->m_image); - EXPECT_EQ("sha256:5241704b37e01f7bbca0ef6a90f5034731eba85320afd2eb9e4bce7ab09165a2", - container_info->m_imagedigest); - EXPECT_EQ("4e01602047d456fa783025a26b4b4c59b6527d304f9983fbd63b8d9a3bec53dc", - container_info->m_imageid); - - done = true; - }); -} - 
-TEST_F(container_cri, fake_cri_crio) { - fake_cri_test( - LIBSINSP_TEST_RESOURCES_PATH "/fake_cri_crio", - "cri-o", - [&](const callback_param& param, std::atomic& done) { - sinsp_threadinfo* tinfo = param.m_evt->get_tinfo(); - EXPECT_TRUE(tinfo != NULL); - - EXPECT_EQ(cri_container_id, tinfo->m_container_id); - - const auto container_info = - param.m_inspector->m_container_manager.get_container(tinfo->m_container_id); - EXPECT_NE(container_info, nullptr); - - EXPECT_EQ(sinsp_container_type::CT_CRIO, container_info->m_type); - EXPECT_EQ(sinsp_container_lookup::state::SUCCESSFUL, - container_info->get_lookup_status()); - EXPECT_EQ("falco", container_info->m_name); - EXPECT_EQ("docker.io/falcosecurity/falco:crio", container_info->m_image); - EXPECT_EQ("sha256:5241704b37e01f7bbca0ef6a90f5034731eba85320afd2eb9e4bce7ab09165a2", - container_info->m_imagedigest); - EXPECT_EQ("", container_info->m_imageid); // no extra queries -> no image id - - done = true; - }, - false); -} - -TEST_F(container_cri, fake_cri_unknown_runtime) { - fake_cri_test( - LIBSINSP_TEST_RESOURCES_PATH "/fake_cri_falco", - "unknown-runtime", - [&](const callback_param& param, std::atomic& done) { - sinsp_threadinfo* tinfo = param.m_evt->get_tinfo(); - EXPECT_TRUE(tinfo != NULL); - - EXPECT_EQ(cri_container_id, tinfo->m_container_id); - - const auto container_info = - param.m_inspector->m_container_manager.get_container(tinfo->m_container_id); - EXPECT_NE(container_info, nullptr); - - EXPECT_EQ(sinsp_container_type::CT_CRI, container_info->m_type); - EXPECT_EQ("falco", container_info->m_name); - EXPECT_EQ("docker.io/falcosecurity/falco:latest", container_info->m_image); - EXPECT_EQ("sha256:8d0619a4da278dfe2772f75aa3cc74df0a250385de56085766035db5c9a062ed", - container_info->m_imagedigest); - EXPECT_EQ("4bc0e14060f4263acf658387e76715bd836a13b9ba44f48465bd0633a412dbd0", - container_info->m_imageid); - - done = true; - }); -} - -namespace { -void verify_cri_container_info(const sinsp_container_info& 
container_info) { - EXPECT_EQ("falco", container_info.m_name); - EXPECT_EQ("docker.io/falcosecurity/falco:latest", container_info.m_image); - EXPECT_EQ("sha256:8d0619a4da278dfe2772f75aa3cc74df0a250385de56085766035db5c9a062ed", - container_info.m_imagedigest); - EXPECT_EQ("4bc0e14060f4263acf658387e76715bd836a13b9ba44f48465bd0633a412dbd0", - container_info.m_imageid); - EXPECT_EQ(1073741824, container_info.m_memory_limit); - EXPECT_EQ(102, container_info.m_cpu_shares); - EXPECT_EQ(0, container_info.m_cpu_quota); - EXPECT_EQ(100000, container_info.m_cpu_period); -} - -void verify_docker_container_info(const sinsp_container_info& container_info) { - EXPECT_EQ("nginx", container_info.m_name); - EXPECT_EQ("568c4670fa800978e08e4a51132b995a54f8d5ae83ca133ef5546d092b864acf", - container_info.m_imageid); -} - -void verify_container_info(const std::string& container_id, - const exp_container_event_info& exp_info, - const sinsp_container_info& container_info) { - EXPECT_EQ(cri_container_id, container_id); - - EXPECT_EQ(container_info.get_lookup_status(), exp_info.state); - EXPECT_EQ(container_info.m_type, exp_info.type); - if(exp_info.state == sinsp_container_lookup::state::SUCCESSFUL) { - if(container_info.m_type == CT_CONTAINERD) { - verify_cri_container_info(container_info); - } else if(container_info.m_type == CT_DOCKER) { - verify_docker_container_info(container_info); - } else { - FAIL() << "Unexpected container type " << (int)container_info.m_type; - } - } -} - -} // namespace - -void container_cri::fake_cri_test_timing(const std::string& pb_prefix, - const std::string& delay_arg, - const std::string& runtime, - float docker_delay, - bool async, - const exp_container_event_info& exp_info, - uint64_t container_engine_mask, - int64_t test_duration) { - std::atomic saw_container_event(false); - std::atomic saw_container_callback(false); - unlink(fake_cri_socket.c_str()); - subprocess fake_cri_handle(LIBSINSP_TEST_PATH "/fake_cri/fake_cri", - {delay_arg, "unix://" + 
fake_cri_socket, pb_prefix, runtime}); - pid_t fake_cri_pid = fake_cri_handle.get_pid(); - - subprocess fake_docker_handle("/usr/bin/env", - {"python3", - LIBSINSP_TEST_RESOURCES_PATH "/fake_docker.py", - std::to_string(docker_delay), - fake_docker_socket}); - pid_t fake_docker_pid = fake_docker_handle.get_pid(); - - auto start_time = time(NULL); - - event_filter_t filter = [&](sinsp_evt* evt) { - return evt->get_type() == PPME_CONTAINER_JSON_E || - evt->get_type() == PPME_CONTAINER_JSON_2_E; - }; - - run_callback_async_t test = [&]() { - subprocess handle(LIBSINSP_TEST_PATH "/test_helper", {"cri_container_echo"}); - handle.in() << "\n"; - handle.wait(); - while(time(NULL) < start_time + test_duration) { - usleep(100000); - } - }; - - captured_event_callback_t container_event_callback = [&](const callback_param& param) { - EXPECT_FALSE(saw_container_event) << "Received more than one container event"; - - sinsp_threadinfo* tinfo = param.m_evt->get_tinfo(); - EXPECT_TRUE(tinfo != NULL); - - const auto container_info = - param.m_inspector->m_container_manager.get_container(tinfo->m_container_id); - EXPECT_NE(container_info, nullptr); - - verify_container_info(tinfo->m_container_id, exp_info, *(container_info.get())); - - saw_container_event = true; - }; - - before_capture_t setup = [&](sinsp* inspector) { - inspector->set_docker_socket_path(fake_docker_socket); - inspector->set_cri_socket_path(fake_cri_socket); - inspector->set_cri_extra_queries(false); - inspector->set_cri_async(async); - if(container_engine_mask != 0) { - inspector->set_container_engine_mask(container_engine_mask); - } - inspector->m_container_manager.subscribe_on_new_container( - [&](const sinsp_container_info& container, sinsp_threadinfo* tinfo) { - EXPECT_FALSE(saw_container_callback) - << "Received more than one on_new_container callback"; - - verify_container_info(tinfo->m_container_id, exp_info, container); - saw_container_callback = true; - }); - }; - - before_capture_t cleanup = [&](sinsp* 
inspector) { - inspector->set_docker_socket_path(default_docker_socket); - }; - - EXPECT_NO_FATAL_FAILURE( - { event_capture::run(test, container_event_callback, filter, setup, cleanup); }); - - // We only expect to see a container event when the lookup succeeds - if(exp_info.state == sinsp_container_lookup::state::SUCCESSFUL) { - EXPECT_TRUE(saw_container_event) << "Did not see expected container event"; - } else { - EXPECT_FALSE(saw_container_event) << "Received container event but did not expect one"; - } - - // We always expect an on_new_container callback - EXPECT_TRUE(saw_container_callback) << "Did not see expected on_new_container callback"; - - // The fake servers had to stay running the whole time in order - // for the test to be succesful - // Needed to reap the zombine if it exited - waitpid(fake_cri_pid, NULL, WNOHANG); - EXPECT_TRUE(fake_cri_handle.is_alive()); - waitpid(fake_docker_pid, NULL, WNOHANG); - EXPECT_TRUE(fake_docker_handle.is_alive()); - - fake_cri_handle.kill(); - fake_docker_handle.kill(); -} - -TEST_F(container_cri, fake_cri_then_docker) { - exp_container_event_info exp_info = {CT_CONTAINERD, sinsp_container_lookup::state::SUCCESSFUL}; - - fake_cri_test_timing(LIBSINSP_TEST_RESOURCES_PATH "/fake_cri_falco", - "--nodelay", - "containerd", - 0.5, - true, - exp_info); -} - -TEST_F(container_cri, fake_docker_then_cri) { - exp_container_event_info exp_info = {CT_DOCKER, sinsp_container_lookup::state::SUCCESSFUL}; - - fake_cri_test_timing(LIBSINSP_TEST_RESOURCES_PATH "/fake_cri_falco", - "--slow", - "containerd", - 0.0, - true, - exp_info); -} - -TEST_F(container_cri, fake_cri_fail_then_docker) { - exp_container_event_info exp_info = {CT_DOCKER, sinsp_container_lookup::state::SUCCESSFUL}; - - fake_cri_test_timing(LIBSINSP_TEST_RESOURCES_PATH "/fake_cri_falco", - "--veryslow", - "containerd", - 1.0, - true, - exp_info); -} - -TEST_F(container_cri, fake_docker_then_cri_fail) { - exp_container_event_info exp_info = {CT_DOCKER, 
sinsp_container_lookup::state::SUCCESSFUL}; - - fake_cri_test_timing(LIBSINSP_TEST_RESOURCES_PATH "/fake_cri_falco", - "--veryslow", - "containerd", - 0.0, - true, - exp_info); -} - -TEST_F(container_cri, fake_cri_then_docker_fail) { - exp_container_event_info exp_info{CT_CONTAINERD, sinsp_container_lookup::state::SUCCESSFUL}; - - fake_cri_test_timing(LIBSINSP_TEST_RESOURCES_PATH "/fake_cri_falco", - "--nodelay", - "containerd", - -0.5, - true, - exp_info); -} - -TEST_F(container_cri, fake_docker_fail_then_cri) { - exp_container_event_info exp_info = {CT_CONTAINERD, sinsp_container_lookup::state::SUCCESSFUL}; - - fake_cri_test_timing(LIBSINSP_TEST_RESOURCES_PATH "/fake_cri_falco", - "--slow", - "containerd", - -0.1, - true, - exp_info); -} - -TEST_F(container_cri, fake_cri_fail) { - exp_container_event_info exp_info = {CT_CONTAINERD, sinsp_container_lookup::state::FAILED}; - - // Run long enough for cri lookup to exhaust all retries - fake_cri_test_timing(LIBSINSP_TEST_RESOURCES_PATH "/fake_cri_falco", - "--veryslow", - "containerd", - -2.0, - true, - exp_info, - 1 << CT_CONTAINERD, - 40); -} - -TEST_F(container_cri, docker_fail) { - exp_container_event_info exp_info = {CT_DOCKER, sinsp_container_lookup::state::FAILED}; - - fake_cri_test_timing(LIBSINSP_TEST_RESOURCES_PATH "/fake_cri_falco", - "--veryslow", - "containerd", - -0.1, - true, - exp_info, - 1 << CT_DOCKER); -} - -TEST_F(container_cri, fake_cri_then_docker_sync) { - exp_container_event_info exp_info = {CT_CONTAINERD, sinsp_container_lookup::state::SUCCESSFUL}; - - fake_cri_test_timing(LIBSINSP_TEST_RESOURCES_PATH "/fake_cri_falco", - "--nodelay", - "containerd", - 0.5, - false, - exp_info); -} - -TEST_F(container_cri, fake_docker_then_cri_sync) { - exp_container_event_info exp_info = {CT_DOCKER, sinsp_container_lookup::state::SUCCESSFUL}; - - fake_cri_test_timing(LIBSINSP_TEST_RESOURCES_PATH "/fake_cri_falco", - "--slow", - "containerd", - 0.0, - false, - exp_info); -} - -TEST_F(container_cri, 
fake_cri_fail_then_docker_sync) { - exp_container_event_info exp_info = {CT_DOCKER, sinsp_container_lookup::state::SUCCESSFUL}; - - fake_cri_test_timing(LIBSINSP_TEST_RESOURCES_PATH "/fake_cri_falco", - "--veryslow", - "containerd", - 1.0, - false, - exp_info); -} - -TEST_F(container_cri, fake_docker_then_cri_fail_sync) { - exp_container_event_info exp_info = {CT_DOCKER, sinsp_container_lookup::state::SUCCESSFUL}; - - fake_cri_test_timing(LIBSINSP_TEST_RESOURCES_PATH "/fake_cri_falco", - "--veryslow", - "containerd", - 0.0, - false, - exp_info); -} - -TEST_F(container_cri, fake_cri_then_docker_fail_sync) { - exp_container_event_info exp_info = {CT_CONTAINERD, sinsp_container_lookup::state::SUCCESSFUL}; - - fake_cri_test_timing(LIBSINSP_TEST_RESOURCES_PATH "/fake_cri_falco", - "--nodelay", - "containerd", - -0.5, - false, - exp_info); -} - -TEST_F(container_cri, fake_docker_fail_then_cri_sync) { - exp_container_event_info exp_info = {CT_CONTAINERD, sinsp_container_lookup::state::SUCCESSFUL}; - - fake_cri_test_timing(LIBSINSP_TEST_RESOURCES_PATH "/fake_cri_falco", - "--slow", - "containerd", - -0.1, - false, - exp_info); -} - -TEST_F(container_cri, fake_cri_fail_sync) { - exp_container_event_info exp_info = {CT_CONTAINERD, sinsp_container_lookup::state::FAILED}; - - // Run long enough for cri lookup to exhaust all retries - fake_cri_test_timing(LIBSINSP_TEST_RESOURCES_PATH "/fake_cri_falco", - "--veryslow", - "containerd", - -2.0, - false, - exp_info, - 1 << CT_CONTAINERD); -} diff --git a/test/libsinsp_e2e/container/docker_utils.cpp b/test/libsinsp_e2e/container/docker_utils.cpp deleted file mode 100644 index 10996935bb..0000000000 --- a/test/libsinsp_e2e/container/docker_utils.cpp +++ /dev/null 
@@ -1,113 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 -/* -Copyright (C) 2024 The Falco Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. - -*/ - -#include "docker_utils.h" - -#include - -#include -#include - -#include - -using namespace std; - -bool dutils_check_docker() { - if(system("service docker status > /dev/null 2>&1") != 0) { - if(system("systemctl status docker > /dev/null 2>&1") != 0) { - printf("Docker not running, skipping test\n"); - return false; - } - } - - // We depend on docker versions >= 1.10 - if(system("docker --version | grep -qE \"Docker version 1.[56789].\"") == 0) { - printf("Docker version too old, skipping test\n"); - return false; - } - - return true; -} - -void dutils_create_tag(const char* tag, const char* image) { - std::string tag_cmd = string("docker tag ") + image + " " + tag + " > /dev/null 2>&1"; - std::string remove_tag_cmd = string("(docker rmi ") + tag + " || true) > /dev/null 2>&1"; - - EXPECT_EQ(system(remove_tag_cmd.c_str()), 0); - EXPECT_EQ(system(tag_cmd.c_str()), 0); -} - -void dutils_kill_container_if_exists(const char* name) { - std::string kill_cmd = string("(docker kill --signal SIGKILL ") + name + " || true) 2>&1"; - std::string rm_cmd = string("(docker rm -fv ") + name + " || true) 2>&1"; - - system(kill_cmd.c_str()); - system(rm_cmd.c_str()); -} - -void dutils_kill_container(const char* name) { - std::string kill_cmd = - string("(docker kill --signal SIGKILL ") + name + " || true) > /dev/null 2>&1"; - std::string rm_cmd = 
string("(docker rm -fv ") + name + " || true) > /dev/null 2>&1"; - - EXPECT_EQ(system(kill_cmd.c_str()), 0); - EXPECT_EQ(system(rm_cmd.c_str()), 0); -} - -void dutils_kill_image(const char* image) { - std::string rmi_cmd = string("(docker rmi ") + image + " || true) > /dev/null 2>&1"; - - EXPECT_EQ(system(rmi_cmd.c_str()), 0); -} - -docker_helper::docker_helper(const std::string& dockerfile_path, - const std::string& tagname, - const std::vector& labels, - const std::string& build_extra_args, - const std::string& run_extra_args, - const bool& verbose): - m_dockerfile_path(dockerfile_path), - m_tagname(tagname), - m_labels(labels), - m_build_extra_args(build_extra_args), - m_run_extra_args(run_extra_args), - m_verbose(verbose) {} - -int docker_helper::build_image() { - std::string label_options; - for(const auto& label : m_labels) { - label_options += " --label " + label; - } - std::string command = "docker build " + m_build_extra_args + label_options + " -t " + - m_tagname + " -f " + m_dockerfile_path + " ."; - if(!m_verbose) { - command += " > /dev/null 2>&1"; - } - return system(command.c_str()); -} - -int docker_helper::run_container(const std::string& container_name, - const std::string& cmd, - const std::string& additional_options) { - std::string command = "docker run " + additional_options + " " + m_run_extra_args + " --name " + - container_name + " " + m_tagname + " " + cmd; - if(!m_verbose) { - command += " > /dev/null 2>&1"; - } - return system(command.c_str()); -} diff --git a/test/libsinsp_e2e/container/docker_utils.h b/test/libsinsp_e2e/container/docker_utils.h deleted file mode 100644 index 6008bada02..0000000000 --- a/test/libsinsp_e2e/container/docker_utils.h +++ /dev/null 
@@ -1,50 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 -/* -Copyright (C) 2024 The Falco Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. - -*/ - -#pragma once - -#include -#include - -bool dutils_check_docker(); -void dutils_create_tag(const char* tag, const char* image); -void dutils_kill_container(const char* name); -void dutils_kill_container_if_exists(const char* name); -void dutils_kill_image(const char* image); - -class docker_helper { -public: - docker_helper(const std::string& dockerfile_path, - const std::string& tagname, - const std::vector& labels, - const std::string& build_extra_args, - const std::string& run_extra_args, - const bool& verbose = false); - int build_image(); - int run_container(const std::string& containerName, - const std::string& cmd, - const std::string& additional_options = "--rm --network=none"); - -private: - std::string m_dockerfile_path; - std::string m_tagname; - std::vector m_labels; - std::string m_build_extra_args; - std::string m_run_extra_args; - bool m_verbose; -}; diff --git a/test/libsinsp_e2e/event_capture.h b/test/libsinsp_e2e/event_capture.h index 203ddcad39..2f1994a2d2 100644 --- a/test/libsinsp_e2e/event_capture.h +++ b/test/libsinsp_e2e/event_capture.h @@ -34,6 +34,7 @@ limitations under the License. #include #include #include +#include // Just a stupid fake FD value to signal to stop capturing events from driver and exit. // Note: we don't use it through eventfd because we want to make sure 
diff --git a/test/libsinsp_e2e/fake_cri/CMakeLists.txt b/test/libsinsp_e2e/fake_cri/CMakeLists.txt
deleted file mode 100644
index 49c12a5df6..0000000000
--- a/test/libsinsp_e2e/fake_cri/CMakeLists.txt
+++ /dev/null
@@ -1,34 +0,0 @@
-include_directories(${CMAKE_CURRENT_BINARY_DIR})
-
-if(NOT EXISTS ${CMAKE_BINARY_DIR}/libsinsp/cri-v1alpha2.grpc.pb.cc)
- file(TOUCH ${CMAKE_BINARY_DIR}/libsinsp/cri-v1alpha2.grpc.pb.cc
- ${CMAKE_BINARY_DIR}/libsinsp/cri-v1alpha2.pb.cc
- )
-endif()
-
-add_executable(
- fake_cri fake_cri.cpp ${CMAKE_BINARY_DIR}/libsinsp/cri-v1alpha2.grpc.pb.cc
- ${CMAKE_BINARY_DIR}/libsinsp/cri-v1alpha2.pb.cc
-)
-
-include(protobuf)
-include(grpc)
-target_link_libraries(
- fake_cri
- PRIVATE "${GRPC_LIBRARIES}"
- "${GRPCPP_LIB}"
- "${GRPC_LIB}"
- "${GPR_LIB}"
- "${PROTOBUF_LIB}"
- "${CARES_LIB}"
- pthread
- sinsp
- rt
-)
-
-target_include_directories(fake_cri PRIVATE ${CMAKE_BINARY_DIR} ${PROTOBUF_INCLUDE})
-
-file(GLOB PROTOS "*.pb")
-foreach(FILENAME IN LISTS PROTOS)
- configure_file(${FILENAME} ${CMAKE_BINARY_DIR}/test/libsinsp_e2e/resources/ COPYONLY)
-endforeach()
diff --git a/test/libsinsp_e2e/fake_cri/fake_cri.cpp b/test/libsinsp_e2e/fake_cri/fake_cri.cpp
deleted file mode 100644
index 3bc592dbc1..0000000000
--- a/test/libsinsp_e2e/fake_cri/fake_cri.cpp
+++ /dev/null
@@ -1,212 +0,0 @@ -#include "libsinsp/cri-v1alpha2.grpc.pb.h" - -#include -#include - -#include -#include -#include -#include -#include - -#include -#include - -using namespace runtime::v1alpha2; - -class FakeCRIServer final : public runtime::v1alpha2::RuntimeService::Service { -public: - FakeCRIServer(int delay_us, - ContainerStatusResponse&& cs, - PodSandboxStatusResponse&& ps, - ListContainersResponse&& lc, - const std::string& runtime_name): - m_delay_us(delay_us), - m_container_status_response(cs), - m_pod_sandbox_status_response(ps), - m_list_containers_response(lc), - m_runtime_name(runtime_name) {} - - grpc::Status ContainerStatus(grpc::ServerContext* context, - const ContainerStatusRequest* req, - ContainerStatusResponse* resp) { - usleep(m_delay_us); - if(CONTAINER_IDS.find(req->container_id()) == CONTAINER_IDS.end()) { - std::cout << "CONTAINER NOT FOUND\n"; - return grpc::Status( - grpc::StatusCode::NOT_FOUND, - "fake_cri does not serve this container id: " + req->container_id()); - } - resp->CopyFrom(m_container_status_response); - resp->mutable_status()->set_id(req->container_id()); - return grpc::Status::OK; - } - - grpc::Status ListContainers(grpc::ServerContext* context, - const ListContainersRequest* req, - ListContainersResponse* resp) { - usleep(m_delay_us); - resp->CopyFrom(m_list_containers_response); - return grpc::Status::OK; - } - - grpc::Status StopContainer(grpc::ServerContext* context, - const StopContainerRequest* req, - StopContainerResponse* resp) { - usleep(m_delay_us); - return grpc::Status::OK; - } - - grpc::Status PodSandboxStatus(grpc::ServerContext* context, - const PodSandboxStatusRequest* req, - PodSandboxStatusResponse* resp) { - usleep(m_delay_us); - if(POD_SANDBOX_IDS.find(req->pod_sandbox_id()) == POD_SANDBOX_IDS.end()) { - return grpc::Status( - grpc::StatusCode::NOT_FOUND, - "fake_cri does not serve this pod sandbox id: " + req->pod_sandbox_id()); - } - resp->CopyFrom(m_pod_sandbox_status_response); - 
resp->mutable_status()->set_id(req->pod_sandbox_id()); - return grpc::Status::OK; - } - - grpc::Status Version(grpc::ServerContext* context, - const VersionRequest* req, - VersionResponse* resp) { - resp->set_version("0.1.0"); - resp->set_runtime_name(m_runtime_name); - resp->set_runtime_version("1.1.2"); - resp->set_runtime_api_version("v1alpha2"); - return grpc::Status::OK; - } - -private: - int m_delay_us; - ContainerStatusResponse m_container_status_response; - PodSandboxStatusResponse m_pod_sandbox_status_response; - ListContainersResponse m_list_containers_response; - std::string m_runtime_name; - static const std::set CONTAINER_IDS; - static const std::set POD_SANDBOX_IDS; -}; - -// The fake cri server will only answer to these container IDs/Pod sandbox ids -const std::set FakeCRIServer::CONTAINER_IDS{ - "aec4c703604b4504df03108eef12e8256870eca8aabcb251855a35bf4f0337f1", - "aec4c703604b", - "ea457cc8202bb5684ddd4a2845ad7450ad48fb01448da5172790dcc4641757b9", - "ea457cc8202b"}; - -const std::set FakeCRIServer::POD_SANDBOX_IDS{ - "e16577158fb2003bc4d0a152dd0e2bda888235d0f131ff93390d16138c11c556", - "e16577158fb2"}; - -class FakeCRIImageServer final : public runtime::v1alpha2::ImageService::Service { -public: - FakeCRIImageServer(ListImagesResponse&& is): m_list_images_response(is) {} - - grpc::Status ListImages(grpc::ServerContext* context, - const ListImagesRequest* req, - ListImagesResponse* resp) { - resp->CopyFrom(m_list_images_response); - return grpc::Status::OK; - } - -private: - ListImagesResponse m_list_images_response; -}; - -int main(int argc, char** argv) { - google::protobuf::io::FileOutputStream pb_stdout(1); - int delay_us = 0; - - if(argc < 3) { - fprintf(stderr, - "Usage: fake_cri [--nodelay|--slow|--veryslow] listen_addr pb_file_prefix " - "[runtime_name]\n"); - return 1; - } - - if(argv[1] == std::string("--nodelay")) { - // no delay, the default - delay_us = 0; - argv++; - } else if(argv[1] == std::string("--slow")) { - // 500 ms is slow but 
not slow enough to trigger the timeout - delay_us = 500000; - argv++; - } else if(argv[1] == std::string("--veryslow")) { - // 1200 ms is beyond the default 1 sec timeout so queries will fail - delay_us = 1200000; - argv++; - } - - const char* addr = argv[1]; - const std::string pb_prefix(argv[2]); - const std::string runtime(argc > 3 ? argv[3] : "containerd"); - - ContainerStatusResponse cs; - { - const std::string path = pb_prefix + "_container.pb"; - int fd = open(path.c_str(), O_RDONLY); - if(fd >= 0) { - google::protobuf::io::FileInputStream fs(fd); - google::protobuf::TextFormat::Parse(&fs, &cs); - close(fd); - } else { - std::cout << "could not open file " << path << std::endl; - } - } - - PodSandboxStatusResponse ps; - { - const std::string path = pb_prefix + "_pod.pb"; - int fd = open(path.c_str(), O_RDONLY); - if(fd >= 0) { - google::protobuf::io::FileInputStream fs(fd); - google::protobuf::TextFormat::Parse(&fs, &ps); - close(fd); - } else { - std::cout << "could not open file " << path << std::endl; - } - } - - ListImagesResponse is; - { - const std::string path = pb_prefix + "_images.pb"; - int fd = open(path.c_str(), O_RDONLY); - if(fd >= 0) { - google::protobuf::io::FileInputStream fs(fd); - google::protobuf::TextFormat::Parse(&fs, &is); - close(fd); - } else { - std::cout << "could not open file " << path << std::endl; - } - } - - ListContainersResponse lc; - { - const std::string path = pb_prefix + "_listcontainers.pb"; - int fd = open(path.c_str(), O_RDONLY); - if(fd >= 0) { - google::protobuf::io::FileInputStream fs(fd); - google::protobuf::TextFormat::Parse(&fs, &lc); - close(fd); - } else { - std::cout << "could not open file " << path << std::endl; - } - } - - FakeCRIServer service(delay_us, std::move(cs), std::move(ps), std::move(lc), runtime); - FakeCRIImageServer image_service(std::move(is)); - - grpc::ServerBuilder builder; - builder.AddListeningPort(addr, grpc::InsecureServerCredentials()); - builder.RegisterService(&service); - 
builder.RegisterService(&image_service); - std::unique_ptr server(builder.BuildAndStart()); - server->Wait(); - - return 0; -} diff --git a/test/libsinsp_e2e/fake_cri/fake_cri_crio_container.pb b/test/libsinsp_e2e/fake_cri/fake_cri_crio_container.pb deleted file mode 100644 index 9a2e72b18f..0000000000 --- a/test/libsinsp_e2e/fake_cri/fake_cri_crio_container.pb +++ /dev/null 
@@ -1,144 +0,0 @@
-status {
-id: "aec4c703604b4504df03108eef12e8256870eca8aabcb251855a35bf4f0337f1"
-metadata {
- name: "falco",
- attempt: 0
-}
-state: CONTAINER_EXITED
-created_at: 1549308953419092021
-started_at: 1549308953442910382
-finished_at: 0
-exit_code: 0
-image {
- image: "docker.io/falcosecurity/falco:crio"
-}
-image_ref: "docker.io/falcosecurity/falco@sha256:5241704b37e01f7bbca0ef6a90f5034731eba85320afd2eb9e4bce7ab09165a2"
-labels {
- key: "io.kubernetes.container.name"
- value: "falco"
-}
-labels {
- key: "io.kubernetes.pod.name"
- value: "falco-w5fbj"
-}
-labels {
- key: "io.kubernetes.pod.namespace"
- value: "default"
-}
-labels {
- key: "io.kubernetes.pod.uid"
- value: "153b7a61-28b4-11e9-afc4-16bf8ef8d9dc"
-}
-annotations {
- key: "io.kubernetes.container.hash"
- value: "9435c2ec"
-}
-annotations {
- key: "io.kubernetes.container.restartCount"
- value: "0"
-}
-annotations {
- key: "io.kubernetes.container.terminationMessagePath"
- value: "/dev/termination-log"
-}
-annotations {
- key: "io.kubernetes.container.terminationMessagePolicy"
- value: "File"
-}
-annotations {
- key: "io.kubernetes.pod.terminationGracePeriod"
- value: "5"
-}
-mounts {
- container_path: "/dev/shm"
- host_path: "/var/lib/kubelet/pods/153b7a61-28b4-11e9-afc4-16bf8ef8d9dc/volumes/kubernetes.io~empty-dir/dshm"
- readonly: false
- selinux_relabel: false
- propagation: PROPAGATION_PRIVATE
-}
-mounts {
- container_path: "/host/proc"
- host_path: "/proc"
- readonly: true
- selinux_relabel: false
- propagation: PROPAGATION_PRIVATE
-}
-mounts {
- container_path: "/host/boot"
- host_path: "/boot"
- readonly: true
- selinux_relabel: false
- propagation: PROPAGATION_PRIVATE
-}
-mounts {
- container_path: "/etc/hosts"
- host_path: "/var/lib/kubelet/pods/153b7a61-28b4-11e9-afc4-16bf8ef8d9dc/etc-hosts"
- readonly: false
- selinux_relabel: false
- propagation: PROPAGATION_PRIVATE
-}
-mounts {
- container_path: "/host/usr"
- host_path: "/usr"
- readonly: true
- selinux_relabel: false
- propagation: PROPAGATION_PRIVATE
-}
-mounts {
- container_path: "/host/run"
- host_path: "/run"
- readonly: false
- selinux_relabel: false
- propagation: PROPAGATION_PRIVATE
-}
-mounts {
- container_path: "/host/dev"
- host_path: "/dev"
- readonly: false
- selinux_relabel: false
- propagation: PROPAGATION_PRIVATE
-}
-mounts {
- container_path: "/dev/termination-log"
- host_path: "/var/lib/kubelet/pods/153b7a61-28b4-11e9-afc4-16bf8ef8d9dc/containers/falco/e01754de"
- readonly: false
- selinux_relabel: false
- propagation: PROPAGATION_PRIVATE
-}
-mounts {
- container_path: "/host/lib/modules"
- host_path: "/lib/modules"
- readonly: true
- selinux_relabel: false
- propagation: PROPAGATION_PRIVATE
-}
-mounts {
- container_path: "/host/var/run"
- host_path: "/run"
- readonly: false
- selinux_relabel: false
- propagation: PROPAGATION_PRIVATE
-}
-mounts {
- container_path: "/opt/falco/etc/kubernetes/config"
- host_path: "/var/lib/kubelet/pods/153b7a61-28b4-11e9-afc4-16bf8ef8d9dc/volumes/kubernetes.io~configmap/falco-config"
- readonly: true
- selinux_relabel: false
- propagation: PROPAGATION_PRIVATE
-}
-mounts {
- container_path: "/opt/falco/etc/kubernetes/secrets"
- host_path: "/var/lib/kubelet/pods/153b7a61-28b4-11e9-afc4-16bf8ef8d9dc/volumes/kubernetes.io~secret/falco-secrets"
- readonly: true
- selinux_relabel: false
- propagation: PROPAGATION_PRIVATE
-}
-mounts {
- container_path: "/var/run/secrets/kubernetes.io/serviceaccount"
- host_path: "/var/lib/kubelet/pods/153b7a61-28b4-11e9-afc4-16bf8ef8d9dc/volumes/kubernetes.io~secret/falco-token-wl4zl"
- readonly: true
- selinux_relabel: false
- propagation: PROPAGATION_PRIVATE
-}
-log_path: "/var/log/pods/153b7a61-28b4-11e9-afc4-16bf8ef8d9dc/-falco/0.log"
-}
diff --git a/test/libsinsp_e2e/fake_cri/fake_cri_crio_images.pb b/test/libsinsp_e2e/fake_cri/fake_cri_crio_images.pb
deleted file mode 100644
index ba8b47f978..0000000000
--- a/test/libsinsp_e2e/fake_cri/fake_cri_crio_images.pb
+++ /dev/null
@@ -1,6 +0,0 @@
-images {
- id: "4e01602047d456fa783025a26b4b4c59b6527d304f9983fbd63b8d9a3bec53dc"
- repo_tags: "docker.io/falcosecurity/falco:crio"
- repo_digests: "docker.io/falcosecurity/falco@sha256:5241704b37e01f7bbca0ef6a90f5034731eba85320afd2eb9e4bce7ab09165a2"
- size: 1402153176
-}
diff --git a/test/libsinsp_e2e/fake_cri/fake_cri_crio_listcontainers.pb b/test/libsinsp_e2e/fake_cri/fake_cri_crio_listcontainers.pb
deleted file mode 100644
index 7c9bb2241d..0000000000
--- a/test/libsinsp_e2e/fake_cri/fake_cri_crio_listcontainers.pb
+++ /dev/null
@@ -1,50 +0,0 @@
-containers {
-id: "ea457cc8202bb5684ddd4a2845ad7450ad48fb01448da5172790dcc4641757b9"
-pod_sandbox_id: "e16577158fb2003bc4d0a152dd0e2bda888235d0f131ff93390d16138c11c556"
-metadata {
- name: "falco"
- attempt: 0
-}
-state: CONTAINER_RUNNING
-created_at: 1545339739712670450
-image {
- image: "docker.io/falcosecurity/falco:latest"
-}
-image_ref: "docker.io/falcosecurity/falco@sha256:8d0619a4da278dfe2772f75aa3cc74df0a250385de56085766035db5c9a062ed"
-labels {
- key: "io.kubernetes.container.name"
- value: "falco"
-}
-labels {
- key: "io.kubernetes.pod.name"
- value: "falco-9bzbj"
-}
-labels {
- key: "io.kubernetes.pod.namespace"
- value: "default"
-}
-labels {
- key: "io.kubernetes.pod.uid"
- value: "893231bb-049a-11e9-9b30-0a583e8b7896"
-}
-annotations {
- key: "io.kubernetes.container.hash"
- value: "decd134"
-}
-annotations {
- key: "io.kubernetes.container.restartCount"
- value: "0"
-}
-annotations {
- key: "io.kubernetes.container.terminationMessagePath"
- value: "/dev/termination-log"
-}
-annotations {
- key: "io.kubernetes.container.terminationMessagePolicy"
- value: "File"
-}
-annotations {
- key: "io.kubernetes.pod.terminationGracePeriod"
- value: "5"
-}
-}
diff --git a/test/libsinsp_e2e/fake_cri/fake_cri_crio_pod.pb b/test/libsinsp_e2e/fake_cri/fake_cri_crio_pod.pb
deleted file mode 100644
index 64f5259294..0000000000
--- a/test/libsinsp_e2e/fake_cri/fake_cri_crio_pod.pb
+++ /dev/null
@@ -1,63 +0,0 @@
-status {
-id: "e16577158fb2003bc4d0a152dd0e2bda888235d0f131ff93390d16138c11c556"
-metadata {
- name: "falco-w5fbj"
- uid: "153b7a61-28b4-11e9-afc4-16bf8ef8d9dc"
- namespace: "default"
- attempt: 0
-}
-state: SANDBOX_READY
-created_at: 1549308953113637984
-network {
- ip: "172.31.95.87"
-}
-linux {
-namespaces {
-options {
- network: NODE
- pid: NODE
- ipc: POD
-}
-}
-}
-labels {
- key: "app"
- value: "falco"
-}
-labels {
- key: "controller-revision-hash"
- value: "56d6c4cf5"
-}
-labels {
- key: "io.kubernetes.container.name"
- value: "POD"
-}
-labels {
- key: "io.kubernetes.pod.name"
- value: "falco-w5fbj"
-}
-labels {
- key: "io.kubernetes.pod.namespace"
- value: "default"
-}
-labels {
- key: "io.kubernetes.pod.uid"
- value: "153b7a61-28b4-11e9-afc4-16bf8ef8d9dc"
-}
-labels {
- key: "pod-template-generation"
- value: "2"
-}
-annotations {
- key: "kubernetes.io/config.seen"
- value: "2019-02-04T19:35:52.701633172Z"
-}
-annotations {
- key: "kubernetes.io/config.source"
- value: "api"
-}
-}
-info {
- key: "version"
- value: "{\"version\":\"1.26.0\"}"
-}
diff --git a/test/libsinsp_e2e/fake_cri/fake_cri_falco_container.pb b/test/libsinsp_e2e/fake_cri/fake_cri_falco_container.pb
deleted file mode 100644
index e1e17802a0..0000000000
--- a/test/libsinsp_e2e/fake_cri/fake_cri_falco_container.pb
+++ /dev/null
@@ -1,141 +0,0 @@
-status {
-id: "ea457cc8202bb5684ddd4a2845ad7450ad48fb01448da5172790dcc4641757b9"
-metadata {
- name: "falco"
- attempt: 0
-}
-state: CONTAINER_RUNNING
-created_at: 1545339739712670450
-started_at: 1545339739819661493
-finished_at: 0
-exit_code: 0
-image {
- image: "docker.io/falcosecurity/falco:latest"
-}
-image_ref: "docker.io/falcosecurity/falco@sha256:8d0619a4da278dfe2772f75aa3cc74df0a250385de56085766035db5c9a062ed"
-labels {
- key: "io.kubernetes.container.name"
- value: "falco"
-}
-labels {
- key: "io.kubernetes.pod.name"
- value: "falco-9bzbj"
-}
-labels {
- key: "io.kubernetes.pod.namespace"
- value: "default"
-}
-labels {
- key: "io.kubernetes.pod.uid"
- value: "893231bb-049a-11e9-9b30-0a583e8b7896"
-}
-annotations {
- key: "io.kubernetes.container.hash"
- value: "decd134"
-}
-annotations {
- key: "io.kubernetes.container.restartCount"
- value: "0"
-}
-annotations {
- key: "io.kubernetes.container.terminationMessagePath"
- value: "/dev/termination-log"
-}
-annotations {
- key: "io.kubernetes.container.terminationMessagePolicy"
- value: "File"
-}
-annotations {
- key: "io.kubernetes.pod.terminationGracePeriod"
- value: "5"
-}
-mounts {
- container_path: "/opt/falco/bin/cointerface"
- host_path: "/root/cointerface"
- readonly: false
- selinux_relabel: false
- propagation: PROPAGATION_PRIVATE
-}
-mounts {
- container_path: "/host/dev"
- host_path: "/dev"
- readonly: false
- selinux_relabel: false
- propagation: PROPAGATION_PRIVATE
-}
-mounts {
- container_path: "/host/proc"
- host_path: "/proc"
- readonly: false
- selinux_relabel: false
- propagation: PROPAGATION_PRIVATE
-}
-mounts {
- container_path: "/host/boot"
- host_path: "/boot"
- readonly: false
- selinux_relabel: false
- propagation: PROPAGATION_PRIVATE
-}
-mounts {
- container_path: "/host/lib/modules"
- host_path: "/lib/modules"
- readonly: false
- selinux_relabel: false
- propagation: PROPAGATION_PRIVATE
-}
-mounts {
- container_path: "/host/usr"
- host_path: "/usr"
- readonly: false
- selinux_relabel: false
- propagation: PROPAGATION_PRIVATE
-}
-mounts {
- container_path: "/dev/shm"
- host_path: "/var/lib/kubelet/pods/893231bb-049a-11e9-9b30-0a583e8b7896/volumes/kubernetes.io~empty-dir/dshm"
- readonly: false
- selinux_relabel: false
- propagation: PROPAGATION_PRIVATE
-}
-mounts {
- container_path: "/opt/falco/etc/kubernetes/config"
- host_path: "/var/lib/kubelet/pods/893231bb-049a-11e9-9b30-0a583e8b7896/volumes/kubernetes.io~configmap/falco-config"
- readonly: true
- selinux_relabel: false
- propagation: PROPAGATION_PRIVATE
-}
-mounts {
- container_path: "/opt/falco/etc/kubernetes/secrets"
- host_path: "/var/lib/kubelet/pods/893231bb-049a-11e9-9b30-0a583e8b7896/volumes/kubernetes.io~secret/falco-secrets"
- readonly: true
- selinux_relabel: false
- propagation: PROPAGATION_PRIVATE
-}
-mounts {
- container_path: "/var/run/secrets/kubernetes.io/serviceaccount"
- host_path: "/var/lib/kubelet/pods/893231bb-049a-11e9-9b30-0a583e8b7896/volumes/kubernetes.io~secret/falco-token-6zbgh"
- readonly: true
- selinux_relabel: false
- propagation: PROPAGATION_PRIVATE
-}
-mounts {
- container_path: "/etc/hosts"
- host_path: "/var/lib/kubelet/pods/893231bb-049a-11e9-9b30-0a583e8b7896/etc-hosts"
- readonly: false
- selinux_relabel: false
- propagation: PROPAGATION_PRIVATE
-}
-mounts {
- container_path: "/dev/termination-log"
- host_path: "/var/lib/kubelet/pods/893231bb-049a-11e9-9b30-0a583e8b7896/containers/falco/f26e7883"
- readonly: false
- selinux_relabel: false
- propagation: PROPAGATION_PRIVATE
-}
-log_path: "/var/log/pods/893231bb-049a-11e9-9b30-0a583e8b7896/falco/0.log"
-}
-info {
- key: "info"
- value: "{\n \"sandboxID\": \"599ad631db94fef0be7722785e299ba128bd3f7f83a27dd00e4f94974eb5acfa\",\n \"pid\": 31417,\n \"removing\": false,\n \"snapshotKey\": \"ea457cc8202bb5684ddd4a2845ad7450ad48fb01448da5172790dcc4641757b9\",\n \"snapshotter\": \"overlayfs\",\n \"runtime\": {\n \"runtimeType\": \"io.containerd.runtime.v1.linux\",\n \"runtimeEngine\": 
\"\",\n \"runtimeRoot\": \"\"\n },\n \"config\": {\n \"metadata\": {\n \"name\": \"falco\"\n },\n \"image\": {\n \"image\": \"sha256:4bc0e14060f4263acf658387e76715bd836a13b9ba44f48465bd0633a412dbd0\"\n },\n \"envs\": [\n {\n \"key\": \"NGINX_SERVICE_PORT\",\n \"value\": \"tcp://10.98.54.136:80\"\n },\n {\n \"key\": \"NGINX_SERVICE_PORT_80_TCP_PROTO\",\n \"value\": \"tcp\"\n },\n {\n \"key\": \"NGINX_SERVICE_SERVICE_HOST\",\n \"value\": \"10.98.54.136\"\n },\n {\n \"key\": \"KUBERNETES_PORT\",\n \"value\": \"tcp://10.96.0.1:443\"\n },\n {\n \"key\": \"KUBERNETES_PORT_443_TCP_PROTO\",\n \"value\": \"tcp\"\n },\n {\n \"key\": \"NGINX_SERVICE_SERVICE_PORT\",\n \"value\": \"80\"\n },\n {\n \"key\": \"NGINX_SERVICE_PORT_80_TCP_PORT\",\n \"value\": \"80\"\n },\n {\n \"key\": \"KUBERNETES_PORT_443_TCP\",\n \"value\": \"tcp://10.96.0.1:443\"\n },\n {\n \"key\": \"KUBERNETES_PORT_443_TCP_PORT\",\n \"value\": \"443\"\n },\n {\n \"key\": \"KUBERNETES_PORT_443_TCP_ADDR\",\n \"value\": \"10.96.0.1\"\n },\n {\n \"key\": \"NGINX_SERVICE_PORT_80_TCP\",\n \"value\": \"tcp://10.98.54.136:80\"\n },\n {\n \"key\": \"NGINX_SERVICE_PORT_80_TCP_ADDR\",\n \"value\": \"10.98.54.136\"\n },\n {\n \"key\": \"KUBERNETES_SERVICE_HOST\",\n \"value\": \"10.96.0.1\"\n },\n {\n \"key\": \"KUBERNETES_SERVICE_PORT\",\n \"value\": \"443\"\n },\n {\n \"key\": \"KUBERNETES_SERVICE_PORT_HTTPS\",\n \"value\": \"443\"\n }\n ],\n \"mounts\": [\n {\n \"container_path\": \"/opt/falco/bin/cointerface\",\n \"host_path\": \"/root/cointerface\"\n },\n {\n \"container_path\": \"/host/dev\",\n \"host_path\": \"/dev\"\n },\n {\n \"container_path\": \"/host/proc\",\n \"host_path\": \"/proc\",\n \"readonly\": true\n },\n {\n \"container_path\": \"/host/boot\",\n \"host_path\": \"/boot\",\n \"readonly\": true\n },\n {\n \"container_path\": \"/host/lib/modules\",\n \"host_path\": \"/lib/modules\",\n \"readonly\": true\n },\n {\n \"container_path\": \"/host/usr\",\n \"host_path\": \"/usr\",\n \"readonly\": true\n },\n {\n 
\"container_path\": \"/dev/shm\",\n \"host_path\": \"/var/lib/kubelet/pods/893231bb-049a-11e9-9b30-0a583e8b7896/volumes/kubernetes.io~empty-dir/dshm\"\n },\n {\n \"container_path\": \"/opt/falco/etc/kubernetes/config\",\n \"host_path\": \"/var/lib/kubelet/pods/893231bb-049a-11e9-9b30-0a583e8b7896/volumes/kubernetes.io~configmap/falco-config\",\n \"readonly\": true\n },\n {\n \"container_path\": \"/opt/falco/etc/kubernetes/secrets\",\n \"host_path\": \"/var/lib/kubelet/pods/893231bb-049a-11e9-9b30-0a583e8b7896/volumes/kubernetes.io~secret/falco-secrets\",\n \"readonly\": true\n },\n {\n \"container_path\": \"/var/run/secrets/kubernetes.io/serviceaccount\",\n \"host_path\": \"/var/lib/kubelet/pods/893231bb-049a-11e9-9b30-0a583e8b7896/volumes/kubernetes.io~secret/falco-token-6zbgh\",\n \"readonly\": true\n },\n {\n \"container_path\": \"/etc/hosts\",\n \"host_path\": \"/var/lib/kubelet/pods/893231bb-049a-11e9-9b30-0a583e8b7896/etc-hosts\"\n },\n {\n \"container_path\": \"/dev/termination-log\",\n \"host_path\": \"/var/lib/kubelet/pods/893231bb-049a-11e9-9b30-0a583e8b7896/containers/falco/f26e7883\"\n }\n ],\n \"labels\": {\n \"io.kubernetes.container.name\": \"falco\",\n \"io.kubernetes.pod.name\": \"falco-9bzbj\",\n \"io.kubernetes.pod.namespace\": \"default\",\n \"io.kubernetes.pod.uid\": \"893231bb-049a-11e9-9b30-0a583e8b7896\"\n },\n \"annotations\": {\n \"io.kubernetes.container.hash\": \"decd134\",\n \"io.kubernetes.container.restartCount\": \"0\",\n \"io.kubernetes.container.terminationMessagePath\": \"/dev/termination-log\",\n \"io.kubernetes.container.terminationMessagePolicy\": \"File\",\n \"io.kubernetes.pod.terminationGracePeriod\": \"5\"\n },\n \"log_path\": \"falco/0.log\",\n \"linux\": {\n \"resources\": {\n \"cpu_period\": 100000,\n \"cpu_shares\": 102,\n \"memory_limit_in_bytes\": 1073741824,\n \"oom_score_adj\": 869\n },\n \"security_context\": {\n \"privileged\": true,\n \"namespace_options\": {\n \"network\": 2,\n \"pid\": 2\n },\n \"run_as_user\": 
{}\n }\n }\n },\n \"runtimeSpec\": {\n \"ociVersion\": \"1.0.1\",\n \"process\": {\n \"user\": {\n \"uid\": 0,\n \"gid\": 0\n },\n \"args\": [\n \"/docker-entrypoint.sh\"\n ],\n \"env\": [\n \"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\n \"FALCO_REPOSITORY=stable\",\n \"FALCO_BUILD_KERNEL_MODULE=1\",\n \"FALCO_LAUNCH=1\",\n \"FALCO_HOST_ROOT=/host\",\n \"HOME=/root\",\n \"NGINX_SERVICE_PORT=tcp://10.98.54.136:80\",\n \"NGINX_SERVICE_PORT_80_TCP_PROTO=tcp\",\n \"NGINX_SERVICE_SERVICE_HOST=10.98.54.136\",\n \"KUBERNETES_PORT=tcp://10.96.0.1:443\",\n \"KUBERNETES_PORT_443_TCP_PROTO=tcp\",\n \"NGINX_SERVICE_SERVICE_PORT=80\",\n \"NGINX_SERVICE_PORT_80_TCP_PORT=80\",\n \"KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443\",\n \"KUBERNETES_PORT_443_TCP_PORT=443\",\n \"KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1\",\n \"NGINX_SERVICE_PORT_80_TCP=tcp://10.98.54.136:80\",\n \"NGINX_SERVICE_PORT_80_TCP_ADDR=10.98.54.136\",\n \"KUBERNETES_SERVICE_HOST=10.96.0.1\",\n \"KUBERNETES_SERVICE_PORT=443\",\n \"KUBERNETES_SERVICE_PORT_HTTPS=443\"\n ],\n \"cwd\": \"/\",\n \"capabilities\": {\n \"bounding\": [\n \"CAP_CHOWN\",\n \"CAP_DAC_OVERRIDE\",\n \"CAP_DAC_READ_SEARCH\",\n \"CAP_FOWNER\",\n \"CAP_FSETID\",\n \"CAP_KILL\",\n \"CAP_SETGID\",\n \"CAP_SETUID\",\n \"CAP_SETPCAP\",\n \"CAP_LINUX_IMMUTABLE\",\n \"CAP_NET_BIND_SERVICE\",\n \"CAP_NET_BROADCAST\",\n \"CAP_NET_ADMIN\",\n \"CAP_NET_RAW\",\n \"CAP_IPC_LOCK\",\n \"CAP_IPC_OWNER\",\n \"CAP_SYS_MODULE\",\n \"CAP_SYS_RAWIO\",\n \"CAP_SYS_CHROOT\",\n \"CAP_SYS_PTRACE\",\n \"CAP_SYS_PACCT\",\n \"CAP_SYS_ADMIN\",\n \"CAP_SYS_BOOT\",\n \"CAP_SYS_NICE\",\n \"CAP_SYS_RESOURCE\",\n \"CAP_SYS_TIME\",\n \"CAP_SYS_TTY_CONFIG\",\n \"CAP_MKNOD\",\n \"CAP_LEASE\",\n \"CAP_AUDIT_WRITE\",\n \"CAP_AUDIT_CONTROL\",\n \"CAP_SETFCAP\",\n \"CAP_MAC_OVERRIDE\",\n \"CAP_MAC_ADMIN\",\n \"CAP_SYSLOG\",\n \"CAP_WAKE_ALARM\",\n \"CAP_BLOCK_SUSPEND\",\n \"CAP_AUDIT_READ\"\n ],\n \"effective\": [\n \"CAP_CHOWN\",\n \"CAP_DAC_OVERRIDE\",\n 
\"CAP_DAC_READ_SEARCH\",\n \"CAP_FOWNER\",\n \"CAP_FSETID\",\n \"CAP_KILL\",\n \"CAP_SETGID\",\n \"CAP_SETUID\",\n \"CAP_SETPCAP\",\n \"CAP_LINUX_IMMUTABLE\",\n \"CAP_NET_BIND_SERVICE\",\n \"CAP_NET_BROADCAST\",\n \"CAP_NET_ADMIN\",\n \"CAP_NET_RAW\",\n \"CAP_IPC_LOCK\",\n \"CAP_IPC_OWNER\",\n \"CAP_SYS_MODULE\",\n \"CAP_SYS_RAWIO\",\n \"CAP_SYS_CHROOT\",\n \"CAP_SYS_PTRACE\",\n \"CAP_SYS_PACCT\",\n \"CAP_SYS_ADMIN\",\n \"CAP_SYS_BOOT\",\n \"CAP_SYS_NICE\",\n \"CAP_SYS_RESOURCE\",\n \"CAP_SYS_TIME\",\n \"CAP_SYS_TTY_CONFIG\",\n \"CAP_MKNOD\",\n \"CAP_LEASE\",\n \"CAP_AUDIT_WRITE\",\n \"CAP_AUDIT_CONTROL\",\n \"CAP_SETFCAP\",\n \"CAP_MAC_OVERRIDE\",\n \"CAP_MAC_ADMIN\",\n \"CAP_SYSLOG\",\n \"CAP_WAKE_ALARM\",\n \"CAP_BLOCK_SUSPEND\",\n \"CAP_AUDIT_READ\"\n ],\n \"inheritable\": [\n \"CAP_CHOWN\",\n \"CAP_DAC_OVERRIDE\",\n \"CAP_DAC_READ_SEARCH\",\n \"CAP_FOWNER\",\n \"CAP_FSETID\",\n \"CAP_KILL\",\n \"CAP_SETGID\",\n \"CAP_SETUID\",\n \"CAP_SETPCAP\",\n \"CAP_LINUX_IMMUTABLE\",\n \"CAP_NET_BIND_SERVICE\",\n \"CAP_NET_BROADCAST\",\n \"CAP_NET_ADMIN\",\n \"CAP_NET_RAW\",\n \"CAP_IPC_LOCK\",\n \"CAP_IPC_OWNER\",\n \"CAP_SYS_MODULE\",\n \"CAP_SYS_RAWIO\",\n \"CAP_SYS_CHROOT\",\n \"CAP_SYS_PTRACE\",\n \"CAP_SYS_PACCT\",\n \"CAP_SYS_ADMIN\",\n \"CAP_SYS_BOOT\",\n \"CAP_SYS_NICE\",\n \"CAP_SYS_RESOURCE\",\n \"CAP_SYS_TIME\",\n \"CAP_SYS_TTY_CONFIG\",\n \"CAP_MKNOD\",\n \"CAP_LEASE\",\n \"CAP_AUDIT_WRITE\",\n \"CAP_AUDIT_CONTROL\",\n \"CAP_SETFCAP\",\n \"CAP_MAC_OVERRIDE\",\n \"CAP_MAC_ADMIN\",\n \"CAP_SYSLOG\",\n \"CAP_WAKE_ALARM\",\n \"CAP_BLOCK_SUSPEND\",\n \"CAP_AUDIT_READ\"\n ],\n \"permitted\": [\n \"CAP_CHOWN\",\n \"CAP_DAC_OVERRIDE\",\n \"CAP_DAC_READ_SEARCH\",\n \"CAP_FOWNER\",\n \"CAP_FSETID\",\n \"CAP_KILL\",\n \"CAP_SETGID\",\n \"CAP_SETUID\",\n \"CAP_SETPCAP\",\n \"CAP_LINUX_IMMUTABLE\",\n \"CAP_NET_BIND_SERVICE\",\n \"CAP_NET_BROADCAST\",\n \"CAP_NET_ADMIN\",\n \"CAP_NET_RAW\",\n \"CAP_IPC_LOCK\",\n \"CAP_IPC_OWNER\",\n \"CAP_SYS_MODULE\",\n 
\"CAP_SYS_RAWIO\",\n \"CAP_SYS_CHROOT\",\n \"CAP_SYS_PTRACE\",\n \"CAP_SYS_PACCT\",\n \"CAP_SYS_ADMIN\",\n \"CAP_SYS_BOOT\",\n \"CAP_SYS_NICE\",\n \"CAP_SYS_RESOURCE\",\n \"CAP_SYS_TIME\",\n \"CAP_SYS_TTY_CONFIG\",\n \"CAP_MKNOD\",\n \"CAP_LEASE\",\n \"CAP_AUDIT_WRITE\",\n \"CAP_AUDIT_CONTROL\",\n \"CAP_SETFCAP\",\n \"CAP_MAC_OVERRIDE\",\n \"CAP_MAC_ADMIN\",\n \"CAP_SYSLOG\",\n \"CAP_WAKE_ALARM\",\n \"CAP_BLOCK_SUSPEND\",\n \"CAP_AUDIT_READ\"\n ]\n },\n \"oomScoreAdj\": 869\n },\n \"root\": {\n \"path\": \"rootfs\"\n },\n \"mounts\": [\n {\n \"destination\": \"/proc\",\n \"type\": \"proc\",\n \"source\": \"proc\"\n },\n {\n \"destination\": \"/dev\",\n \"type\": \"tmpfs\",\n \"source\": \"tmpfs\",\n \"options\": [\n \"nosuid\",\n \"strictatime\",\n \"mode=755\",\n \"size=65536k\"\n ]\n },\n {\n \"destination\": \"/dev/pts\",\n \"type\": \"devpts\",\n \"source\": \"devpts\",\n \"options\": [\n \"nosuid\",\n \"noexec\",\n \"newinstance\",\n \"ptmxmode=0666\",\n \"mode=0620\",\n \"gid=5\"\n ]\n },\n {\n \"destination\": \"/dev/mqueue\",\n \"type\": \"mqueue\",\n \"source\": \"mqueue\",\n \"options\": [\n \"nosuid\",\n \"noexec\",\n \"nodev\"\n ]\n },\n {\n \"destination\": \"/sys\",\n \"type\": \"sysfs\",\n \"source\": \"sysfs\",\n \"options\": [\n \"nosuid\",\n \"noexec\",\n \"nodev\",\n \"rw\"\n ]\n },\n {\n \"destination\": \"/sys/fs/cgroup\",\n \"type\": \"cgroup\",\n \"source\": \"cgroup\",\n \"options\": [\n \"nosuid\",\n \"noexec\",\n \"nodev\",\n \"relatime\",\n \"rw\"\n ]\n },\n {\n \"destination\": \"/etc/resolv.conf\",\n \"type\": \"bind\",\n \"source\": \"/var/lib/containerd/io.containerd.grpc.v1.cri/sandboxes/599ad631db94fef0be7722785e299ba128bd3f7f83a27dd00e4f94974eb5acfa/resolv.conf\",\n \"options\": [\n \"rbind\",\n \"rprivate\",\n \"rw\"\n ]\n },\n {\n \"destination\": \"/opt/falco/bin/cointerface\",\n \"type\": \"bind\",\n \"source\": \"/root/cointerface\",\n \"options\": [\n \"rbind\",\n \"rprivate\",\n \"rw\"\n ]\n },\n {\n \"destination\": 
\"/host/dev\",\n \"type\": \"bind\",\n \"source\": \"/dev\",\n \"options\": [\n \"rbind\",\n \"rprivate\",\n \"rw\"\n ]\n },\n {\n \"destination\": \"/host/proc\",\n \"type\": \"bind\",\n \"source\": \"/proc\",\n \"options\": [\n \"rbind\",\n \"rprivate\",\n \"ro\"\n ]\n },\n {\n \"destination\": \"/host/boot\",\n \"type\": \"bind\",\n \"source\": \"/boot\",\n \"options\": [\n \"rbind\",\n \"rprivate\",\n \"ro\"\n ]\n },\n {\n \"destination\": \"/host/lib/modules\",\n \"type\": \"bind\",\n \"source\": \"/lib/modules\",\n \"options\": [\n \"rbind\",\n \"rprivate\",\n \"ro\"\n ]\n },\n {\n \"destination\": \"/host/usr\",\n \"type\": \"bind\",\n \"source\": \"/usr\",\n \"options\": [\n \"rbind\",\n \"rprivate\",\n \"ro\"\n ]\n },\n {\n \"destination\": \"/dev/shm\",\n \"type\": \"bind\",\n \"source\": \"/var/lib/kubelet/pods/893231bb-049a-11e9-9b30-0a583e8b7896/volumes/kubernetes.io~empty-dir/dshm\",\n \"options\": [\n \"rbind\",\n \"rprivate\",\n \"rw\"\n ]\n },\n {\n \"destination\": \"/opt/falco/etc/kubernetes/config\",\n \"type\": \"bind\",\n \"source\": \"/var/lib/kubelet/pods/893231bb-049a-11e9-9b30-0a583e8b7896/volumes/kubernetes.io~configmap/falco-config\",\n \"options\": [\n \"rbind\",\n \"rprivate\",\n \"ro\"\n ]\n },\n {\n \"destination\": \"/opt/falco/etc/kubernetes/secrets\",\n \"type\": \"bind\",\n \"source\": \"/var/lib/kubelet/pods/893231bb-049a-11e9-9b30-0a583e8b7896/volumes/kubernetes.io~secret/falco-secrets\",\n \"options\": [\n \"rbind\",\n \"rprivate\",\n \"ro\"\n ]\n },\n {\n \"destination\": \"/var/run/secrets/kubernetes.io/serviceaccount\",\n \"type\": \"bind\",\n \"source\": \"/var/lib/kubelet/pods/893231bb-049a-11e9-9b30-0a583e8b7896/volumes/kubernetes.io~secret/falco-token-6zbgh\",\n \"options\": [\n \"rbind\",\n \"rprivate\",\n \"ro\"\n ]\n },\n {\n \"destination\": \"/etc/hosts\",\n \"type\": \"bind\",\n \"source\": \"/var/lib/kubelet/pods/893231bb-049a-11e9-9b30-0a583e8b7896/etc-hosts\",\n \"options\": [\n \"rbind\",\n \"rprivate\",\n 
\"rw\"\n ]\n },\n {\n \"destination\": \"/dev/termination-log\",\n \"type\": \"bind\",\n \"source\": \"/var/lib/kubelet/pods/893231bb-049a-11e9-9b30-0a583e8b7896/containers/falco/f26e7883\",\n \"options\": [\n \"rbind\",\n \"rprivate\",\n \"rw\"\n ]\n }\n ],\n \"annotations\": {\n \"io.kubernetes.cri.container-type\": \"container\",\n \"io.kubernetes.cri.sandbox-id\": \"599ad631db94fef0be7722785e299ba128bd3f7f83a27dd00e4f94974eb5acfa\"\n },\n \"linux\": {\n \"resources\": {\n \"devices\": [\n {\n \"allow\": true,\n \"access\": \"rwm\"\n }\n ],\n \"memory\": {\n \"limit\": 1073741824\n },\n \"cpu\": {\n \"shares\": 102,\n \"quota\": 0,\n \"period\": 100000\n }\n },\n \"cgroupsPath\": \"/kubepods/burstable/pod893231bb-049a-11e9-9b30-0a583e8b7896/ea457cc8202bb5684ddd4a2845ad7450ad48fb01448da5172790dcc4641757b9\",\n \"namespaces\": [\n {\n \"type\": \"pid\",\n \"path\": \"/proc/31353/ns/pid\"\n },\n {\n \"type\": \"ipc\",\n \"path\": \"/proc/31353/ns/ipc\"\n },\n {\n \"type\": \"uts\",\n \"path\": \"/proc/31353/ns/uts\"\n },\n {\n \"type\": \"mount\"\n },\n {\n \"type\": \"network\",\n \"path\": \"/proc/31353/ns/net\"\n }\n ],\n \"devices\": [\n {\n \"path\": \"/dev/autofs\",\n \"type\": \"c\",\n \"major\": 10,\n \"minor\": 235,\n \"uid\": 0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/btrfs-control\",\n \"type\": \"c\",\n \"major\": 10,\n \"minor\": 234,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/cpu_dma_latency\",\n \"type\": \"c\",\n \"major\": 10,\n \"minor\": 59,\n \"uid\": 0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/ecryptfs\",\n \"type\": \"c\",\n \"major\": 10,\n \"minor\": 61,\n \"uid\": 0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/full\",\n \"type\": \"c\",\n \"major\": 1,\n \"minor\": 7,\n \"uid\": 0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/fuse\",\n \"type\": \"c\",\n \"major\": 10,\n \"minor\": 229,\n \"uid\": 0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/hpet\",\n \"type\": \"c\",\n \"major\": 10,\n \"minor\": 228,\n \"uid\": 0,\n \"gid\": 0\n },\n 
{\n \"path\": \"/dev/hwrng\",\n \"type\": \"c\",\n \"major\": 10,\n \"minor\": 183,\n \"uid\": 0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/input/event0\",\n \"type\": \"c\",\n \"major\": 13,\n \"minor\": 64,\n \"uid\": 0,\n \"gid\": 106\n },\n {\n \"path\": \"/dev/input/event1\",\n \"type\": \"c\",\n \"major\": 13,\n \"minor\": 65,\n \"uid\": 0,\n \"gid\": 106\n },\n {\n \"path\": \"/dev/input/event2\",\n \"type\": \"c\",\n \"major\": 13,\n \"minor\": 66,\n \"uid\": 0,\n \"gid\": 106\n },\n {\n \"path\": \"/dev/input/mice\",\n \"type\": \"c\",\n \"major\": 13,\n \"minor\": 63,\n \"uid\": 0,\n \"gid\": 106\n },\n {\n \"path\": \"/dev/kmsg\",\n \"type\": \"c\",\n \"major\": 1,\n \"minor\": 11,\n \"uid\": 0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/lightnvm/control\",\n \"type\": \"c\",\n \"major\": 10,\n \"minor\": 60,\n \"uid\": 0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/loop-control\",\n \"type\": \"c\",\n \"major\": 10,\n \"minor\": 237,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/loop0\",\n \"type\": \"b\",\n \"major\": 7,\n \"minor\": 0,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/loop1\",\n \"type\": \"b\",\n \"major\": 7,\n \"minor\": 1,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/loop2\",\n \"type\": \"b\",\n \"major\": 7,\n \"minor\": 2,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/loop3\",\n \"type\": \"b\",\n \"major\": 7,\n \"minor\": 3,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/loop4\",\n \"type\": \"b\",\n \"major\": 7,\n \"minor\": 4,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/loop5\",\n \"type\": \"b\",\n \"major\": 7,\n \"minor\": 5,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/loop6\",\n \"type\": \"b\",\n \"major\": 7,\n \"minor\": 6,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/loop7\",\n \"type\": \"b\",\n \"major\": 7,\n \"minor\": 7,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/mapper/control\",\n \"type\": \"c\",\n \"major\": 10,\n \"minor\": 
236,\n \"uid\": 0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/mcelog\",\n \"type\": \"c\",\n \"major\": 10,\n \"minor\": 227,\n \"uid\": 0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/mem\",\n \"type\": \"c\",\n \"major\": 1,\n \"minor\": 1,\n \"uid\": 0,\n \"gid\": 15\n },\n {\n \"path\": \"/dev/memory_bandwidth\",\n \"type\": \"c\",\n \"major\": 10,\n \"minor\": 56,\n \"uid\": 0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/net/tun\",\n \"type\": \"c\",\n \"major\": 10,\n \"minor\": 200,\n \"uid\": 0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/network_latency\",\n \"type\": \"c\",\n \"major\": 10,\n \"minor\": 58,\n \"uid\": 0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/network_throughput\",\n \"type\": \"c\",\n \"major\": 10,\n \"minor\": 57,\n \"uid\": 0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/null\",\n \"type\": \"c\",\n \"major\": 1,\n \"minor\": 3,\n \"uid\": 0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/nvme0\",\n \"type\": \"c\",\n \"major\": 248,\n \"minor\": 0,\n \"uid\": 0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/nvme0n1\",\n \"type\": \"b\",\n \"major\": 259,\n \"minor\": 0,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/nvme0n1p1\",\n \"type\": \"b\",\n \"major\": 259,\n \"minor\": 1,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/port\",\n \"type\": \"c\",\n \"major\": 1,\n \"minor\": 4,\n \"uid\": 0,\n \"gid\": 15\n },\n {\n \"path\": \"/dev/ppp\",\n \"type\": \"c\",\n \"major\": 108,\n \"minor\": 0,\n \"uid\": 0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/psaux\",\n \"type\": \"c\",\n \"major\": 10,\n \"minor\": 1,\n \"uid\": 0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/ptmx\",\n \"type\": \"c\",\n \"major\": 5,\n \"minor\": 2,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/ram0\",\n \"type\": \"b\",\n \"major\": 1,\n \"minor\": 0,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/ram1\",\n \"type\": \"b\",\n \"major\": 1,\n \"minor\": 1,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/ram10\",\n \"type\": \"b\",\n \"major\": 
1,\n \"minor\": 10,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/ram11\",\n \"type\": \"b\",\n \"major\": 1,\n \"minor\": 11,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/ram12\",\n \"type\": \"b\",\n \"major\": 1,\n \"minor\": 12,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/ram13\",\n \"type\": \"b\",\n \"major\": 1,\n \"minor\": 13,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/ram14\",\n \"type\": \"b\",\n \"major\": 1,\n \"minor\": 14,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/ram15\",\n \"type\": \"b\",\n \"major\": 1,\n \"minor\": 15,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/ram2\",\n \"type\": \"b\",\n \"major\": 1,\n \"minor\": 2,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/ram3\",\n \"type\": \"b\",\n \"major\": 1,\n \"minor\": 3,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/ram4\",\n \"type\": \"b\",\n \"major\": 1,\n \"minor\": 4,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/ram5\",\n \"type\": \"b\",\n \"major\": 1,\n \"minor\": 5,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/ram6\",\n \"type\": \"b\",\n \"major\": 1,\n \"minor\": 6,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/ram7\",\n \"type\": \"b\",\n \"major\": 1,\n \"minor\": 7,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/ram8\",\n \"type\": \"b\",\n \"major\": 1,\n \"minor\": 8,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/ram9\",\n \"type\": \"b\",\n \"major\": 1,\n \"minor\": 9,\n \"uid\": 0,\n \"gid\": 6\n },\n {\n \"path\": \"/dev/random\",\n \"type\": \"c\",\n \"major\": 1,\n \"minor\": 8,\n \"uid\": 0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/rfkill\",\n \"type\": \"c\",\n \"major\": 10,\n \"minor\": 62,\n \"uid\": 0,\n \"gid\": 109\n },\n {\n \"path\": \"/dev/rtc0\",\n \"type\": \"c\",\n \"major\": 251,\n \"minor\": 0,\n \"uid\": 0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/snapshot\",\n \"type\": \"c\",\n \"major\": 10,\n \"minor\": 231,\n \"uid\": 
0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/scap0\",\n \"type\": \"c\",\n \"major\": 246,\n \"minor\": 0,\n \"uid\": 0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/scap1\",\n \"type\": \"c\",\n \"major\": 246,\n \"minor\": 1,\n \"uid\": 0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/tty\",\n \"type\": \"c\",\n \"major\": 5,\n \"minor\": 0,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty0\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 0,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty1\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 1,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty10\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 10,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty11\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 11,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty12\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 12,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty13\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 13,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty14\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 14,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty15\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 15,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty16\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 16,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty17\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 17,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty18\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 18,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty19\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 19,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty2\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 2,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty20\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 20,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n 
\"path\": \"/dev/tty21\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 21,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty22\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 22,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty23\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 23,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty24\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 24,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty25\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 25,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty26\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 26,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty27\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 27,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty28\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 28,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty29\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 29,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty3\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 3,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty30\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 30,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty31\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 31,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty32\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 32,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty33\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 33,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty34\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 34,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty35\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 35,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty36\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 36,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty37\",\n 
\"type\": \"c\",\n \"major\": 4,\n \"minor\": 37,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty38\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 38,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty39\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 39,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty4\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 4,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty40\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 40,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty41\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 41,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty42\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 42,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty43\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 43,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty44\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 44,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty45\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 45,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty46\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 46,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty47\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 47,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty48\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 48,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty49\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 49,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty5\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 5,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty50\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 50,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty51\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 51,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty52\",\n \"type\": \"c\",\n \"major\": 
4,\n \"minor\": 52,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty53\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 53,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty54\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 54,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty55\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 55,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty56\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 56,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty57\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 57,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty58\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 58,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty59\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 59,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty6\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 6,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty60\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 60,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty61\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 61,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty62\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 62,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty63\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 63,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty7\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 7,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty8\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 8,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/tty9\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 9,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/ttyS0\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 64,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/ttyS1\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 65,\n \"uid\": 0,\n 
\"gid\": 20\n },\n {\n \"path\": \"/dev/ttyS2\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 66,\n \"uid\": 0,\n \"gid\": 20\n },\n {\n \"path\": \"/dev/ttyS3\",\n \"type\": \"c\",\n \"major\": 4,\n \"minor\": 67,\n \"uid\": 0,\n \"gid\": 20\n },\n {\n \"path\": \"/dev/ttyprintk\",\n \"type\": \"c\",\n \"major\": 5,\n \"minor\": 3,\n \"uid\": 0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/uinput\",\n \"type\": \"c\",\n \"major\": 10,\n \"minor\": 223,\n \"uid\": 0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/urandom\",\n \"type\": \"c\",\n \"major\": 1,\n \"minor\": 9,\n \"uid\": 0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/vcs\",\n \"type\": \"c\",\n \"major\": 7,\n \"minor\": 0,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/vcs1\",\n \"type\": \"c\",\n \"major\": 7,\n \"minor\": 1,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/vcs2\",\n \"type\": \"c\",\n \"major\": 7,\n \"minor\": 2,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/vcs3\",\n \"type\": \"c\",\n \"major\": 7,\n \"minor\": 3,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/vcs4\",\n \"type\": \"c\",\n \"major\": 7,\n \"minor\": 4,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/vcs5\",\n \"type\": \"c\",\n \"major\": 7,\n \"minor\": 5,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/vcs6\",\n \"type\": \"c\",\n \"major\": 7,\n \"minor\": 6,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/vcsa\",\n \"type\": \"c\",\n \"major\": 7,\n \"minor\": 128,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/vcsa1\",\n \"type\": \"c\",\n \"major\": 7,\n \"minor\": 129,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/vcsa2\",\n \"type\": \"c\",\n \"major\": 7,\n \"minor\": 130,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/vcsa3\",\n \"type\": \"c\",\n \"major\": 7,\n \"minor\": 131,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/vcsa4\",\n \"type\": \"c\",\n \"major\": 7,\n \"minor\": 132,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n 
\"path\": \"/dev/vcsa5\",\n \"type\": \"c\",\n \"major\": 7,\n \"minor\": 133,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/vcsa6\",\n \"type\": \"c\",\n \"major\": 7,\n \"minor\": 134,\n \"uid\": 0,\n \"gid\": 5\n },\n {\n \"path\": \"/dev/vga_arbiter\",\n \"type\": \"c\",\n \"major\": 10,\n \"minor\": 63,\n \"uid\": 0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/vhost-net\",\n \"type\": \"c\",\n \"major\": 10,\n \"minor\": 238,\n \"uid\": 0,\n \"gid\": 0\n },\n {\n \"path\": \"/dev/zero\",\n \"type\": \"c\",\n \"major\": 1,\n \"minor\": 5,\n \"uid\": 0,\n \"gid\": 0\n }\n ]\n }\n }\n}" -} diff --git a/test/libsinsp_e2e/fake_cri/fake_cri_falco_images.pb b/test/libsinsp_e2e/fake_cri/fake_cri_falco_images.pb deleted file mode 100644 index b6fc82cf22..0000000000 --- a/test/libsinsp_e2e/fake_cri/fake_cri_falco_images.pb +++ /dev/null @@ -1,6 +0,0 @@ -images { - id: "4bc0e14060f4263acf658387e76715bd836a13b9ba44f48465bd0633a412dbd0" - repo_tags: "docker.io/falcosecurity/falco:latest" - repo_digests: "docker.io/falcosecurity/falco@sha256:8d0619a4da278dfe2772f75aa3cc74df0a250385de56085766035db5c9a062ed" - size: 1402153176 -} diff --git a/test/libsinsp_e2e/fake_cri/fake_cri_falco_listcontainers.pb b/test/libsinsp_e2e/fake_cri/fake_cri_falco_listcontainers.pb deleted file mode 100644 index 7cb4cad99e..0000000000 --- a/test/libsinsp_e2e/fake_cri/fake_cri_falco_listcontainers.pb +++ /dev/null 
@@ -1,50 +0,0 @@
-containers {
-id: "ea457cc8202bb5684ddd4a2845ad7450ad48fb01448da5172790dcc4641757b9"
-pod_sandbox_id: "599ad631db94fef0be7722785e299ba128bd3f7f83a27dd00e4f94974eb5acfa"
-metadata {
- name: "falco"
- attempt: 0
-}
-state: CONTAINER_RUNNING
-created_at: 1545339739712670450
-image {
- image: "docker.io/falcosecurity/falco:latest"
-}
-image_ref: "docker.io/falcosecurity/falco@sha256:8d0619a4da278dfe2772f75aa3cc74df0a250385de56085766035db5c9a062ed"
-labels {
- key: "io.kubernetes.container.name"
- value: "falco"
-}
-labels {
- key: "io.kubernetes.pod.name"
- value: "falco-9bzbj"
-}
-labels {
- key: "io.kubernetes.pod.namespace"
- value: "default"
-}
-labels {
- key: "io.kubernetes.pod.uid"
- value: "893231bb-049a-11e9-9b30-0a583e8b7896"
-}
-annotations {
- key: "io.kubernetes.container.hash"
- value: "decd134"
-}
-annotations {
- key: "io.kubernetes.container.restartCount"
- value: "0"
-}
-annotations {
- key: "io.kubernetes.container.terminationMessagePath"
- value: "/dev/termination-log"
-}
-annotations {
- key: "io.kubernetes.container.terminationMessagePolicy"
- value: "File"
-}
-annotations {
- key: "io.kubernetes.pod.terminationGracePeriod"
- value: "5"
-}
-}
diff --git a/test/libsinsp_e2e/fake_cri/fake_cri_falco_pod.pb b/test/libsinsp_e2e/fake_cri/fake_cri_falco_pod.pb
deleted file mode 100644
index 27c0a020e9..0000000000
--- a/test/libsinsp_e2e/fake_cri/fake_cri_falco_pod.pb
+++ /dev/null
@@ -1,58 +0,0 @@ -status { -metadata { - name: "falco-9bzbj" - uid: "893231bb-049a-11e9-9b30-0a583e8b7896" - namespace: "default", - attempt: 0 -} -state: SANDBOX_READY -created_at: 1545339738831266021 -network { - ip: "" -} -linux { -namespaces { -options { - network: NODE, - pid: NODE, - ipc: POD -} -} -} -labels { - key: "app" - value: "falco" -} -labels { - key: "controller-revision-hash" - value: "b5944cc84" -} -labels { - key: "io.kubernetes.pod.name" - value: "falco-9bzbj" -} -labels { - key: "io.kubernetes.pod.namespace" - value: "default" -} -labels { - key: "io.kubernetes.pod.uid" - value: "893231bb-049a-11e9-9b30-0a583e8b7896" -} -labels { - key: "pod-template-generation" - value: "1" -} -annotations { - key: "kubernetes.io/config.seen" - value: "2018-12-20T21:02:18.502551218Z" -} -annotations { - key: "kubernetes.io/config.source" - value: "api" -} -} -info { - key: "info" - value: "{\"pid\":31353, \"processStatus\":\"running\", \"netNamespaceClosed\":false, \"image\":\"k8s.gcr.io/pause:3.1\", \"snapshotKey\":\"599ad631db94fef0be7722785e299ba128bd3f7f83a27dd00e4f94974eb5acfa\", \"snapshotter\":\"overlayfs\", \"runtime\":{\"runtimeType\":\"io.containerd.runtime.v1.linux\", \"runtimeEngine\":\"\", \"runtimeRoot\":\"\"}, \"config\":{\"metadata\":{\"name\":\"falco-9bzbj\", \"uid\":\"893231bb-049a-11e9-9b30-0a583e8b7896\", \"namespace\":\"default\"}, \"log_directory\":\"/var/log/pods/893231bb-049a-11e9-9b30-0a583e8b7896\", \"dns_config\":{\"servers\":[\"10.96.0.10\"], \"searches\":[\"default.svc.cluster.local\", \"svc.cluster.local\", \"cluster.local\", \"us-east-2.compute.internal\"], \"options\":[\"ndots:5\"]}, \"labels\":{\"app\":\"falco\", \"controller-revision-hash\":\"b5944cc84\", \"io.kubernetes.pod.name\":\"falco-9bzbj\", \"io.kubernetes.pod.namespace\":\"default\", \"io.kubernetes.pod.uid\":\"893231bb-049a-11e9-9b30-0a583e8b7896\", \"pod-template-generation\":\"1\"}, \"annotations\":{\"kubernetes.io/config.seen\":\"2018-12-20T21:02:18.502551218Z\", 
\"kubernetes.io/config.source\":\"api\"}, \"linux\":{\"cgroup_parent\":\"/kubepods/burstable/pod893231bb-049a-11e9-9b30-0a583e8b7896\", \"security_context\":{\"namespace_options\":{\"network\":2, \"pid\":2}, \"privileged\":true}}}, \"runtimeSpec\":{\"ociVersion\":\"1.0.1\", \"process\":{\"user\":{\"uid\":0, \"gid\":0}, \"args\":[\"/pause\"], \"env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"], \"cwd\":\"/\", \"capabilities\":{\"bounding\":[\"CAP_CHOWN\", \"CAP_DAC_OVERRIDE\", \"CAP_FSETID\", \"CAP_FOWNER\", \"CAP_MKNOD\", \"CAP_NET_RAW\", \"CAP_SETGID\", \"CAP_SETUID\", \"CAP_SETFCAP\", \"CAP_SETPCAP\", \"CAP_NET_BIND_SERVICE\", \"CAP_SYS_CHROOT\", \"CAP_KILL\", \"CAP_AUDIT_WRITE\"], \"effective\":[\"CAP_CHOWN\", \"CAP_DAC_OVERRIDE\", \"CAP_FSETID\", \"CAP_FOWNER\", \"CAP_MKNOD\", \"CAP_NET_RAW\", \"CAP_SETGID\", \"CAP_SETUID\", \"CAP_SETFCAP\", \"CAP_SETPCAP\", \"CAP_NET_BIND_SERVICE\", \"CAP_SYS_CHROOT\", \"CAP_KILL\", \"CAP_AUDIT_WRITE\"], \"inheritable\":[\"CAP_CHOWN\", \"CAP_DAC_OVERRIDE\", \"CAP_FSETID\", \"CAP_FOWNER\", \"CAP_MKNOD\", \"CAP_NET_RAW\", \"CAP_SETGID\", \"CAP_SETUID\", \"CAP_SETFCAP\", \"CAP_SETPCAP\", \"CAP_NET_BIND_SERVICE\", \"CAP_SYS_CHROOT\", \"CAP_KILL\", \"CAP_AUDIT_WRITE\"], \"permitted\":[\"CAP_CHOWN\", \"CAP_DAC_OVERRIDE\", \"CAP_FSETID\", \"CAP_FOWNER\", \"CAP_MKNOD\", \"CAP_NET_RAW\", \"CAP_SETGID\", \"CAP_SETUID\", \"CAP_SETFCAP\", \"CAP_SETPCAP\", \"CAP_NET_BIND_SERVICE\", \"CAP_SYS_CHROOT\", \"CAP_KILL\", \"CAP_AUDIT_WRITE\"]}, \"noNewPrivileges\":true, \"oomScoreAdj\":-998}, \"root\":{\"path\":\"rootfs\", \"readonly\":true}, \"mounts\":[{\"destination\":\"/proc\", \"type\":\"proc\", \"source\":\"proc\"}, {\"destination\":\"/dev\", \"type\":\"tmpfs\", \"source\":\"tmpfs\", \"options\":[\"nosuid\", \"strictatime\", \"mode=755\", \"size=65536k\"]}, {\"destination\":\"/dev/pts\", \"type\":\"devpts\", \"source\":\"devpts\", \"options\":[\"nosuid\", \"noexec\", \"newinstance\", \"ptmxmode=0666\", 
\"mode=0620\", \"gid=5\"]}, {\"destination\":\"/dev/mqueue\", \"type\":\"mqueue\", \"source\":\"mqueue\", \"options\":[\"nosuid\", \"noexec\", \"nodev\"]}, {\"destination\":\"/sys\", \"type\":\"sysfs\", \"source\":\"sysfs\", \"options\":[\"nosuid\", \"noexec\", \"nodev\", \"ro\"]}, {\"destination\":\"/dev/shm\", \"type\":\"bind\", \"source\":\"/run/containerd/io.containerd.grpc.v1.cri/sandboxes/599ad631db94fef0be7722785e299ba128bd3f7f83a27dd00e4f94974eb5acfa/shm\", \"options\":[\"rbind\", \"ro\"]}], \"annotations\":{\"io.kubernetes.cri.container-type\":\"sandbox\", \"io.kubernetes.cri.sandbox-id\":\"599ad631db94fef0be7722785e299ba128bd3f7f83a27dd00e4f94974eb5acfa\"}, \"linux\":{\"resources\":{\"devices\":[{\"allow\":false, \"access\":\"rwm\"}], \"cpu\":{\"shares\":2}}, \"cgroupsPath\":\"/kubepods/burstable/pod893231bb-049a-11e9-9b30-0a583e8b7896/599ad631db94fef0be7722785e299ba128bd3f7f83a27dd00e4f94974eb5acfa\", \"namespaces\":[{\"type\":\"ipc\"}, {\"type\":\"uts\"}, {\"type\":\"mount\"}], \"maskedPaths\":[\"/proc/acpi\", \"/proc/kcore\", \"/proc/keys\", \"/proc/latency_stats\", \"/proc/timer_list\", \"/proc/timer_stats\", \"/proc/sched_debug\", \"/sys/firmware\", \"/proc/scsi\"], \"readonlyPaths\":[\"/proc/asound\", \"/proc/bus\", \"/proc/fs\", \"/proc/irq\", \"/proc/sys\", \"/proc/sysrq-trigger\"]}}}" -} diff --git a/test/libsinsp_e2e/resources/docker/Dockerfile b/test/libsinsp_e2e/resources/docker/Dockerfile deleted file mode 100644 index b140f006c7..0000000000 --- a/test/libsinsp_e2e/resources/docker/Dockerfile +++ /dev/null @@ -1,3 +0,0 @@ -FROM busybox -RUN cp /bin/true /bin/ut-health-check -HEALTHCHECK --interval=0.5s CMD ["/bin/ut-health-check"] diff --git a/test/libsinsp_e2e/resources/docker/Dockerfile.no_healthcheck b/test/libsinsp_e2e/resources/docker/Dockerfile.no_healthcheck deleted file mode 100644 index 9a3adf68b5..0000000000 --- a/test/libsinsp_e2e/resources/docker/Dockerfile.no_healthcheck +++ /dev/null @@ -1 +0,0 @@ -FROM busybox:latest 
diff --git a/test/libsinsp_e2e/resources/docker/Dockerfile.none_healthcheck b/test/libsinsp_e2e/resources/docker/Dockerfile.none_healthcheck
deleted file mode 100644
index f5a257ee6f..0000000000
--- a/test/libsinsp_e2e/resources/docker/Dockerfile.none_healthcheck
+++ /dev/null
@@ -1,2 +0,0 @@
-FROM busybox:latest
-HEALTHCHECK NONE
diff --git a/test/libsinsp_e2e/resources/docker/health_dockerfiles/CMakeLists.txt b/test/libsinsp_e2e/resources/docker/health_dockerfiles/CMakeLists.txt
deleted file mode 100644
index d1abd153bb..0000000000
--- a/test/libsinsp_e2e/resources/docker/health_dockerfiles/CMakeLists.txt
+++ /dev/null
@@ -1,17 +0,0 @@
-foreach(
- dockerfile
- Dockerfile.healthcheck
- Dockerfile.healthcheck_shell
- Dockerfile.healthcheck_cmd_overlap
- Dockerfile.healthcheck_liveness
- Dockerfile.healthcheck_readiness
- Dockerfile.no_healthcheck
- Dockerfile.none_healthcheck
-)
-
- configure_file(
- ${CMAKE_CURRENT_SOURCE_DIR}/${dockerfile} ${CMAKE_CURRENT_BINARY_DIR}/${dockerfile}
- COPYONLY
- )
-
-endforeach(dockerfile)
diff --git a/test/libsinsp_e2e/resources/docker/health_dockerfiles/Dockerfile.healthcheck b/test/libsinsp_e2e/resources/docker/health_dockerfiles/Dockerfile.healthcheck
deleted file mode 100644
index b140f006c7..0000000000
--- a/test/libsinsp_e2e/resources/docker/health_dockerfiles/Dockerfile.healthcheck
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM busybox
-RUN cp /bin/true /bin/ut-health-check
-HEALTHCHECK --interval=0.5s CMD ["/bin/ut-health-check"]
diff --git a/test/libsinsp_e2e/resources/docker/health_dockerfiles/Dockerfile.healthcheck_cmd_overlap b/test/libsinsp_e2e/resources/docker/health_dockerfiles/Dockerfile.healthcheck_cmd_overlap
deleted file mode 100644
index 405b4153be..0000000000
--- a/test/libsinsp_e2e/resources/docker/health_dockerfiles/Dockerfile.healthcheck_cmd_overlap
+++ /dev/null
@@ -1,2 +0,0 @@
-FROM busybox
-HEALTHCHECK --interval=0.5s CMD ["/bin/sh", "-c", "/bin/sleep 10"]
diff --git a/test/libsinsp_e2e/resources/docker/health_dockerfiles/Dockerfile.healthcheck_liveness b/test/libsinsp_e2e/resources/docker/health_dockerfiles/Dockerfile.healthcheck_liveness
deleted file mode 100644
index 91cbf0da6d..0000000000
--- a/test/libsinsp_e2e/resources/docker/health_dockerfiles/Dockerfile.healthcheck_liveness
+++ /dev/null
@@ -1,8 +0,0 @@
-FROM busybox
-RUN cp /bin/true /bin/ut-health-check
-
-# This container runs a docker healthcheck, but due to the
-# annotation.... label, it gets interpretated as if it were a k8s
-# liveness check.
-HEALTHCHECK --interval=0.5s CMD ["/bin/ut-health-check"]
-LABEL annotation.kubectl.kubernetes.io/last-applied-configuration="{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"name\":\"mysql-app\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"env\":[{\"name\":\"MYSQL_ROOT_PASSWORD\",\"value\":\"no\"}],\"image\":\"mstemm/mysql:healthcheck\",\"livenessProbe\":{\"exec\":{\"command\":[\"/bin/ut-health-check\"]},\"initialDelaySeconds\":5,\"periodSeconds\":5},\"name\":\"mysql\"}]}}\n"
diff --git a/test/libsinsp_e2e/resources/docker/health_dockerfiles/Dockerfile.healthcheck_readiness b/test/libsinsp_e2e/resources/docker/health_dockerfiles/Dockerfile.healthcheck_readiness
deleted file mode 100644
index 5919b746bf..0000000000
--- a/test/libsinsp_e2e/resources/docker/health_dockerfiles/Dockerfile.healthcheck_readiness
+++ /dev/null
@@ -1,8 +0,0 @@
-FROM busybox
-RUN cp /bin/true /bin/ut-health-check
-
-# This container runs a docker healthcheck, but due to the
-# annotation.... label, it gets interpretated as if it were a k8s
-# readiness check.
-HEALTHCHECK --interval=0.5s CMD ["/bin/ut-health-check"]
-LABEL annotation.kubectl.kubernetes.io/last-applied-configuration="{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"name\":\"mysql-app\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"env\":[{\"name\":\"MYSQL_ROOT_PASSWORD\",\"value\":\"no\"}],\"image\":\"mstemm/mysql:healthcheck\",\"readinessProbe\":{\"exec\":{\"command\":[\"/bin/ut-health-check\"]},\"initialDelaySeconds\":5,\"periodSeconds\":5},\"name\":\"mysql\"}]}}\n"
diff --git a/test/libsinsp_e2e/resources/docker/health_dockerfiles/Dockerfile.healthcheck_shell b/test/libsinsp_e2e/resources/docker/health_dockerfiles/Dockerfile.healthcheck_shell
deleted file mode 100644
index 0c908253ab..0000000000
--- a/test/libsinsp_e2e/resources/docker/health_dockerfiles/Dockerfile.healthcheck_shell
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM busybox
-RUN cp /bin/true /bin/ut-health-check
-HEALTHCHECK --interval=0.5s CMD /bin/ut-health-check
diff --git a/test/libsinsp_e2e/resources/docker/health_dockerfiles/Dockerfile.no_healthcheck b/test/libsinsp_e2e/resources/docker/health_dockerfiles/Dockerfile.no_healthcheck
deleted file mode 100644
index 9a3adf68b5..0000000000
--- a/test/libsinsp_e2e/resources/docker/health_dockerfiles/Dockerfile.no_healthcheck
+++ /dev/null
@@ -1 +0,0 @@
-FROM busybox:latest
diff --git a/test/libsinsp_e2e/resources/docker/health_dockerfiles/Dockerfile.none_healthcheck b/test/libsinsp_e2e/resources/docker/health_dockerfiles/Dockerfile.none_healthcheck
deleted file mode 100644
index f5a257ee6f..0000000000
--- a/test/libsinsp_e2e/resources/docker/health_dockerfiles/Dockerfile.none_healthcheck
+++ /dev/null
@@ -1,2 +0,0 @@
-FROM busybox:latest
-HEALTHCHECK NONE
diff --git a/test/libsinsp_e2e/resources/fake_docker.py b/test/libsinsp_e2e/resources/fake_docker.py
deleted file mode 100755
index 6c1e8809e2..0000000000
--- a/test/libsinsp_e2e/resources/fake_docker.py
+++ /dev/null
@@ -1,283 +0,0 @@ -#!/usr/bin/env python3 - -import socketserver -import os -import re -import socket -import sys -import time -from http.server import HTTPServer, BaseHTTPRequestHandler - - -DELAY = 0.0 -CONTAINER_JSON = '''{ - "Id": "CONTAINER_ID", - "Created": "2019-01-14T16:42:46.980332855Z", - "Path": "nginx", - "Args": [ - "-g", - "daemon off;" - ], - "State": { - "Status": "running", - "Running": true, - "Paused": false, - "Restarting": false, - "OOMKilled": false, - "Dead": false, - "Pid": 6892, - "ExitCode": 0, - "Error": "", - "StartedAt": "2019-07-04T15:14:21.106678691Z", - "FinishedAt": "2019-06-24T14:45:06.735210924Z" - }, - "Image": "sha256:568c4670fa800978e08e4a51132b995a54f8d5ae83ca133ef5546d092b864acf", - "ResolvConfPath": "/var/lib/docker/containers/CONTAINER_ID/resolv.conf", - "HostnamePath": "/var/lib/docker/containers/CONTAINER_ID/hostname", - "HostsPath": "/var/lib/docker/containers/CONTAINER_ID/hosts", - "LogPath": "/var/lib/docker/containers/CONTAINER_ID/CONTAINER_ID-json.log", - "Name": "/nginx", - "RestartCount": 0, - "Driver": "overlay2", - "Platform": "linux", - "MountLabel": "", - "ProcessLabel": "", - "AppArmorProfile": "docker-default", - "ExecIDs": null, - "HostConfig": { - "Binds": null, - "ContainerIDFile": "", - "LogConfig": { - "Type": "json-file", - "Config": {} - }, - "NetworkMode": "default", - "PortBindings": {}, - "RestartPolicy": { - "Name": "no", - "MaximumRetryCount": 0 - }, - "AutoRemove": false, - "VolumeDriver": "", - "VolumesFrom": null, - "CapAdd": null, - "CapDrop": null, - "Dns": [], - "DnsOptions": [], - "DnsSearch": [], - "ExtraHosts": null, - "GroupAdd": null, - "IpcMode": "shareable", - "Cgroup": "", - "Links": null, - "OomScoreAdj": 0, - "PidMode": "", - "Privileged": false, - "PublishAllPorts": false, - "ReadonlyRootfs": false, - "SecurityOpt": null, - "UTSMode": "", - "UsernsMode": "", - "ShmSize": 67108864, - "Runtime": "runc", - "ConsoleSize": [ - 0, - 0 - ], - "Isolation": "", - "CpuShares": 0, - 
"Memory": 0, - "NanoCpus": 1000000000, - "CgroupParent": "", - "BlkioWeight": 0, - "BlkioWeightDevice": [], - "BlkioDeviceReadBps": null, - "BlkioDeviceWriteBps": null, - "BlkioDeviceReadIOps": null, - "BlkioDeviceWriteIOps": null, - "CpuPeriod": 0, - "CpuQuota": 0, - "CpuRealtimePeriod": 0, - "CpuRealtimeRuntime": 0, - "CpusetCpus": "", - "CpusetMems": "", - "Devices": [], - "DeviceCgroupRules": null, - "DiskQuota": 0, - "KernelMemory": 0, - "MemoryReservation": 0, - "MemorySwap": 0, - "MemorySwappiness": null, - "OomKillDisable": false, - "PidsLimit": 0, - "Ulimits": null, - "CpuCount": 0, - "CpuPercent": 0, - "IOMaximumIOps": 0, - "IOMaximumBandwidth": 0, - "MaskedPaths": [ - "/proc/acpi", - "/proc/kcore", - "/proc/keys", - "/proc/latency_stats", - "/proc/timer_list", - "/proc/timer_stats", - "/proc/sched_debug", - "/proc/scsi", - "/sys/firmware" - ], - "ReadonlyPaths": [ - "/proc/asound", - "/proc/bus", - "/proc/fs", - "/proc/irq", - "/proc/sys", - "/proc/sysrq-trigger" - ] - }, - "GraphDriver": { - "Data": { - "LowerDir": "/var/lib/docker/overlay2/5284854b193a34c17b13fb545c36dff28edce5643a93f19ad40147a667dd0f58-init/diff:/var/lib/docker/overlay2/19c870f9c69f36e320db5da254282fe84260abf1af9b85eab226450a0e74dfe5/diff:/var/lib/docker/overlay2/9ebfada4bda894ff1bc7e22c07d0590128f59e36abac32963372cf1faa50bd21/diff:/var/lib/docker/overlay2/172e9582199ef0bb9de43451eb95f0d1901625a18af7351e1909aca8d1a7cd37/diff", - "MergedDir": "/var/lib/docker/overlay2/5284854b193a34c17b13fb545c36dff28edce5643a93f19ad40147a667dd0f58/merged", - "UpperDir": "/var/lib/docker/overlay2/5284854b193a34c17b13fb545c36dff28edce5643a93f19ad40147a667dd0f58/diff", - "WorkDir": "/var/lib/docker/overlay2/5284854b193a34c17b13fb545c36dff28edce5643a93f19ad40147a667dd0f58/work" - }, - "Name": "overlay2" - }, - "Mounts": [], - "Config": { - "Hostname": "7951fb549ab9", - "Domainname": "", - "User": "", - "AttachStdin": false, - "AttachStdout": true, - "AttachStderr": true, - "ExposedPorts": { - "80/tcp": {} 
- }, - "Tty": false, - "OpenStdin": false, - "StdinOnce": false, - "Env": [ - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", - "NGINX_VERSION=1.15.7-1~stretch", - "NJS_VERSION=1.15.7.0.2.6-1~stretch" - ], - "Cmd": [ - "nginx", - "-g", - "daemon off;" - ], - "ArgsEscaped": true, - "Image": "nginx", - "Volumes": null, - "WorkingDir": "", - "Entrypoint": null, - "OnBuild": null, - "Labels": { - "maintainer": "NGINX Docker Maintainers " - }, - "StopSignal": "SIGTERM" - }, - "NetworkSettings": { - "Bridge": "", - "SandboxID": "7ed54ba097dd40da1bfa11a7ab1add815f9289407037f0971c5b487c279a3da7", - "HairpinMode": false, - "LinkLocalIPv6Address": "", - "LinkLocalIPv6PrefixLen": 0, - "Ports": { - "80/tcp": null - }, - "SandboxKey": "/var/run/docker/netns/7ed54ba097dd", - "SecondaryIPAddresses": null, - "SecondaryIPv6Addresses": null, - "EndpointID": "1316e3ef1748bc5dd0771fd2b2736cc9cbd612096b03685180a839f750bc17e7", - "Gateway": "172.17.0.1", - "GlobalIPv6Address": "", - "GlobalIPv6PrefixLen": 0, - "IPAddress": "172.17.0.2", - "IPPrefixLen": 16, - "IPv6Gateway": "", - "MacAddress": "02:42:ac:11:00:02", - "Networks": { - "bridge": { - "IPAMConfig": null, - "Links": null, - "Aliases": null, - "NetworkID": "ed370a609b530f9c5560561d37fcec6a0d444ba2ed5e85d9bda66c8e36fbb210", - "EndpointID": "1316e3ef1748bc5dd0771fd2b2736cc9cbd612096b03685180a839f750bc17e7", - "Gateway": "172.17.0.1", - "IPAddress": "172.17.0.2", - "IPPrefixLen": 16, - "IPv6Gateway": "", - "GlobalIPv6Address": "", - "GlobalIPv6PrefixLen": 0, - "MacAddress": "02:42:ac:11:00:02", - "DriverOpts": null - } - } - } -} -''' - -CONTAINER_REQUEST = re.compile('^(?:/v1.[0-9]*)?/containers/([0-9a-f]+)/json') - -class FakeDockerHTTPHandler(BaseHTTPRequestHandler): - - def _send_response(self, resp): - resp_bytes = resp.encode('utf-8') # Convert to bytes - self.send_header('Content-Length', len(resp_bytes)) - self.send_header('Connection', 'close') - self.end_headers() - self.wfile.write(resp_bytes) - - 
def do_GET(self): - matches = CONTAINER_REQUEST.match(self.path) - if matches: - if DELAY < 0: - time.sleep(-DELAY) - self.send_response(404) - self._send_response('Not found\n') - else: - time.sleep(DELAY) - self.send_response(200) - self.send_header('Content-type', 'application/json') - resp = CONTAINER_JSON.replace('CONTAINER_ID', matches.group(1)) - self._send_response(resp) - else: - self.send_response(404) - self.send_header('Content-type', 'text/plain') - self._send_response('Not found\n') - - -class UnixHTTPServer(HTTPServer): - address_family = socket.AF_UNIX - - def server_bind(self): - socketserver.TCPServer.server_bind(self) - self.server_name = 'localhost' - self.server_port = 0 - - def get_request(self): - request, client_address = HTTPServer.get_request(self) - return request, ['local', 0] - - -if __name__ == '__main__': - try: - DELAY = float(sys.argv[1]) - except Exception: - pass - - try: - socket_path = sys.argv[2] - except Exception: - socket_path = '/tmp/http.socket' - - try: - os.unlink(socket_path) - except Exception: - pass - - server = UnixHTTPServer(socket_path, FakeDockerHTTPHandler) - server.serve_forever()