zdtm: enable tests with encrypted images

This patch extends ZDTM to run `criu dump` with the `--encrypt` option to test the encryption functionality of CRIU images. Signed-off-by: Radostin Stoyanov <[email protected]>
checkpoint-restore · Jan 10, 2024 · 4fbb0c6 · 4fbb0c6
1 parent c366a9f
commit 4fbb0c6
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 9 deletions.
diff --git a/.github/workflows/encrypted-images.yml b/.github/workflows/encrypted-images.yml
@@ -0,0 +1,17 @@
+name: Encrypted Images Test
+
+on: [push, pull_request]
+
+# Cancel any preceding run on the pull request.
+concurrency:
+  group: encrypted-images-test-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/criu-dev' }}
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Run CRIU Encrypted Images Test
+      run: sudo -E make -C scripts/ci local ENCRYPTED_IMAGES_TEST=1
diff --git a/scripts/ci/run-ci-tests.sh b/scripts/ci/run-ci-tests.sh
@@ -72,6 +72,42 @@ test_stream() {
 	./test/zdtm.py run --stream -p 2 --keep-going -a "${STREAM_TEST_EXCLUDE[@]}" "${ZDTM_OPTS[@]}"
 }
 
+test_encrypted_images() {
+	# Running tests with encrypted images
+	TEST_EXCLUDE=(
+		-x zdtm/static/cgroup01 \
+		-x zdtm/static/cgroup02 \
+		-x zdtm/static/file_lease00 \
+		-x zdtm/static/file_lease01 \
+		-x zdtm/static/mountpoints \
+		-x zdtm/static/autofs \
+		-x zdtm/static/bind-mount \
+		-x zdtm/static/cr_veth \
+		-x zdtm/static/dumpable02 \
+		-x zdtm/static/ghost_on_rofs \
+		-x zdtm/static/inotify00 \
+		-x zdtm/static/mntns_overmount \
+		-x zdtm/static/mntns_shared_bind \
+		-x zdtm/static/mntns_shared_bind02 \
+		-x zdtm/static/mntns_shared_vs_private \
+		-x zdtm/static/non_uniform_share_propagation \
+		-x zdtm/static/overmount_sock \
+		-x zdtm/static/overmount_with_shared_parent \
+		-x zdtm/static/pipe01 \
+		-x zdtm/static/private_bind_propagation \
+		-x zdtm/static/pty00 \
+		-x zdtm/static/shared_mount_propagation \
+		-x zdtm/static/shared_slave_mount_children \
+		-x zdtm/static/socket-tcp-reuseport \
+		-x zdtm/static/tempfs \
+		-x zdtm/static/tempfs_overmounted \
+		-x zdtm/static/unbindable \
+		-x zdtm/static/unlink_regular00 \
+		-x zdtm/static/session01 \
+	)
+	./test/zdtm.py run -a --keep-going --encrypt "${TEST_EXCLUDE[@]}" "${ZDTM_OPTS[@]}"
+}
+
 print_header() {
 	echo "############### $1 ###############"
 }
@@ -213,6 +249,11 @@ if [ "${STREAM_TEST}" = "1" ]; then
 	exit 0
 fi
 
+if [ "${ENCRYPTED_IMAGES_TEST}" = "1" ]; then
+	test_encrypted_images
+	exit 0
+fi
+
 ./test/zdtm.py run -a -p 2 --keep-going "${ZDTM_OPTS[@]}"
 if criu/criu check --feature move_mount_set_group; then
 	./test/zdtm.py run -a -p 2 --mntns-compat-mode --keep-going "${ZDTM_OPTS[@]}"

diff --git a/test/zdtm.py b/test/zdtm.py
@@ -1061,7 +1061,8 @@ def __init__(self, opts):
         self.__page_server_p = None
         self.__dump_process = None
         self.__img_streamer_process = None
-        self.__tls = self.__tls_options() if opts['tls'] else []
+        self.__tls = ['--tls'] + self.__tls_options() if opts['tls'] else []
+        self.__encrypt = ['--encrypt'] + self.__tls_options() if opts['encrypt'] else []
         self.__criu_bin = opts['criu_bin']
         self.__crit_bin = opts['crit_bin']
         self.__pre_dump_mode = opts['pre_dump_mode']
@@ -1127,11 +1128,13 @@ def cleanup(self):
 
     def __tls_options(self):
         pki_dir = os.path.dirname(os.path.abspath(__file__)) + "/pki"
-        return [
-            "--tls", "--tls-no-cn-verify", "--tls-key", pki_dir + "/key.pem",
-            "--tls-cert", pki_dir + "/cert.pem", "--tls-cacert",
-            pki_dir + "/cacert.pem"
+        output = [
+            "--tls-no-cn-verify",
+            "--tls-key", pki_dir + "/key.pem",
+            "--tls-cert", pki_dir + "/cert.pem",
+            "--tls-cacert", pki_dir + "/cacert.pem"
         ]
+        return output
 
     def __ddir(self):
         return os.path.join(self.__dump_path, "%d" % self.__iter)
@@ -1350,7 +1353,7 @@ def dump(self, action, opts=[]):
         os.mkdir(self.__ddir())
         os.chmod(self.__ddir(), 0o777)
 
-        a_opts = ["--tree", self.__test.getpid()]
+        a_opts = ["--tree", self.__test.getpid()] + self.__encrypt
         if self.__prev_dump_iter:
             a_opts += [
                 "--prev-images-dir",
@@ -1425,7 +1428,7 @@ def dump(self, action, opts=[]):
                 raise test_fail_exc("criu page-server exited with %d" % ret)
 
     def restore(self):
-        r_opts = []
+        r_opts = self.__encrypt
         if self.__restore_sibling:
             r_opts = ["--restore-sibling"]
             self.__test.auto_reap = False
@@ -2082,8 +2085,8 @@ def run_test(self, name, desc, flavor):
               'sat', 'script', 'rpc', 'criu_config', 'lazy_pages', 'join_ns',
               'dedup', 'sbs', 'freezecg', 'user', 'dry_run', 'noauto_dedup',
               'remote_lazy_pages', 'show_stats', 'lazy_migrate', 'stream',
-              'tls', 'criu_bin', 'crit_bin', 'pre_dump_mode', 'mntns_compat_mode',
-              'rootless')
+              'tls', 'encrypt', 'criu_bin', 'crit_bin', 'pre_dump_mode',
+              'mntns_compat_mode', 'rootless')
         arg = repr((name, desc, flavor, {d: self.__opts[d] for d in nd}))
 
         if self.__use_log:
@@ -2764,6 +2767,7 @@ def get_cli_args():
                     help="simulate lazy migration",
                     action='store_true')
     rp.add_argument("--tls", help="use TLS for migration", action='store_true')
+    rp.add_argument("--encrypt", help="encrypt images", action='store_true')
     rp.add_argument("--title", help="A test suite title", default="criu")
     rp.add_argument("--show-stats",
                     help="Show criu statistics",