cri-o · openshift-merge-robot · Dec 8, 2020 · Nov 13, 2020 · Nov 13, 2020 · Nov 13, 2020
diff --git a/test/devices.bats b/test/devices.bats
@@ -3,6 +3,10 @@
 load helpers
 
 function setup() {
+	if test -n "$CONTAINER_UID_MAPPINGS"; then
+		skip "userNS enabled"
+	fi
+
 	setup_test
 	newconfig="$TESTDIR/config.json"
 }
@@ -24,9 +28,6 @@ EOF
 }
 
 @test "additional devices support" {
-	if test -n "$CONTAINER_UID_MAPPINGS"; then
-		skip "userNS enabled"
-	fi
 	OVERRIDE_OPTIONS="--additional-devices /dev/null:/dev/qifoo:rwm" start_crio
 	pod_id=$(crictl runp "$TESTDATA"/sandbox_config.json)
 
@@ -40,13 +41,9 @@ EOF
 @test "additional devices permissions" {
 	# We need a ubiquitously configured device that isn't in the
 	# OCI spec default set.
-	declare -r device="/dev/loop-control"
+	declare -r device="/dev/kmsg"
 	declare -r timeout=30
 
-	if test -n "$CONTAINER_UID_MAPPINGS"; then
-		skip "userNS enabled"
-	fi
-
 	if ! test -r $device; then
 		skip "$device not readable"
 	fi
@@ -66,26 +63,23 @@ EOF
 	if ! is_cgroup_v2; then
 		# Dump the deviced cgroup configuration for debugging.
 		output=$(crictl exec --timeout=$timeout --sync "$ctr_id" cat /sys/fs/cgroup/devices/devices.list)
-		[[ "$output" == *"c 10:237 w"* ]]
+		[[ "$output" == *"c 1:11 w"* ]]
 	fi
 
 	# Opening the device in read mode should fail because the device
 	# cgroup access only allows writes.
-	run crictl exec --timeout=$timeout --sync "$ctr_id" dd if=$device of=/dev/null count=1
+	run crictl exec --timeout=$timeout --sync "$ctr_id" head -1 $device
+	[ "$status" -ne 0 ]
 	[[ "$output" == *"Operation not permitted"* ]]
 
-	# The write should be allowed by the devices cgroup policy, so we
-	# should see an EINVAL from the device when the device fails it.
-	# TODO: fix that test, currently fails with "dd: can't open '/dev/loop-control': No such device non-zero exit code"
-	# run crictl exec --timeout=$timeout --sync "$ctr_id" dd if=/dev/zero of=$device count=1
-	# echo $output
-	# [[ "$output" == *"Invalid argument"* ]]
+	# The write should be allowed by the devices cgroup policy
+	run crictl exec --timeout=$timeout --sync "$ctr_id" sh -c "echo woohoo | tee $device"
+	[ "$status" -eq 0 ]
+	# check there's no error message of any kind from tee
+	[[ "$output" == "woohoo" ]]
 }
 
 @test "annotation devices support" {
-	if test -n "$CONTAINER_UID_MAPPINGS"; then
-		skip "userNS enabled"
-	fi
 	create_device_runtime
 	start_crio
 
@@ -102,10 +96,6 @@ EOF
 }
 
 @test "annotation should not be processed if not allowed" {
-	if test -n "$CONTAINER_UID_MAPPINGS"; then
-		skip "userNS enabled"
-	fi
-
 	start_crio
 
 	jq '      .annotations."io.kubernetes.cri-o.Devices" = "/dev/null:/dev/qifoo:rwm"' \
@@ -116,14 +106,10 @@ EOF
 	ctr_id=$(crictl create "$pod_id" "$TESTDATA"/container_redis.json "$TESTDATA"/sandbox_config.json)
 	crictl start "$ctr_id"
 
-	run crictl exec --sync "$ctr_id" sh -c "ls /dev/qifoo"
-	[ "$status" -ne 0 ]
+	! crictl exec --sync "$ctr_id" sh -c "ls /dev/qifoo"
 }
 
 @test "annotation should override configured additional_devices" {
-	if test -n "$CONTAINER_UID_MAPPINGS"; then
-		skip "userNS enabled"
-	fi
 	create_device_runtime
 
 	OVERRIDE_OPTIONS="--additional-devices /dev/urandom:/dev/qifoo:rwm" start_crio
@@ -142,9 +128,6 @@ EOF
 }
 
 @test "annotation should configure multiple devices" {
-	if test -n "$CONTAINER_UID_MAPPINGS"; then
-		skip "userNS enabled"
-	fi
 	create_device_runtime
 	start_crio
 
@@ -164,9 +147,6 @@ EOF
 }
 
 @test "annotation should fail if one device is invalid" {
-	if test -n "$CONTAINER_UID_MAPPINGS"; then
-		skip "userNS enabled"
-	fi
 	create_device_runtime
 	start_crio
 
@@ -175,6 +155,5 @@ EOF
 
 	pod_id=$(crictl runp "$newconfig")
 
-	run crictl create "$pod_id" "$TESTDATA"/container_redis.json "$TESTDATA"/sandbox_config.json
-	[ "$status" -ne 0 ]
+	! crictl create "$pod_id" "$TESTDATA"/container_redis.json "$TESTDATA"/sandbox_config.json
 }