add test for running container as non-default user that is missing

test/cri-containerd/container_downlevel_test.go

@@ -16,16 +16,7 @@ func Test_CreateContainer_DownLevel_WCOW_Hypervisor(t *testing.T) {
 
 	pullRequiredImages(t, []string{imageWindowsNanoserver17763})
 
-	sandboxRequest := &runtime.RunPodSandboxRequest{
-		Config: &runtime.PodSandboxConfig{
-			Metadata: &runtime.PodSandboxMetadata{
-				Name:      t.Name() + "-Sandbox",
-				Uid:       "0",
-				Namespace: testNamespace,
-			},
-		},
-		RuntimeHandler: wcowHypervisor17763RuntimeHandler,
-	}
+	sandboxRequest := getRunPodSandboxRequest(t, wcowHypervisor17763RuntimeHandler)
 
 	request := &runtime.CreateContainerRequest{
 		Config: &runtime.ContainerConfig{

test/cri-containerd/container_network_test.go

@@ -32,15 +32,7 @@ func Test_Container_Network_LCOW(t *testing.T) {
 	}()
 	log := filepath.Join(dir, "ping.txt")
 
-	sandboxRequest := &runtime.RunPodSandboxRequest{
-		Config: &runtime.PodSandboxConfig{
-			Metadata: &runtime.PodSandboxMetadata{
-				Name:      t.Name() + "-Sandbox",
-				Namespace: testNamespace,
-			},
-		},
-		RuntimeHandler: lcowRuntimeHandler,
-	}
+	sandboxRequest := getRunPodSandboxRequest(t, lcowRuntimeHandler)
 
 	client := newTestRuntimeClient(t)
 	ctx, cancel := context.WithCancel(context.Background())
@@ -145,16 +137,8 @@ func Test_Container_Network_Hostname(t *testing.T) {
 				pullRequiredImages(t, []string{test.sandboxImage, test.containerImage})
 			}
 
-			sandboxRequest := &runtime.RunPodSandboxRequest{
-				Config: &runtime.PodSandboxConfig{
-					Metadata: &runtime.PodSandboxMetadata{
-						Name:      t.Name() + "-Sandbox",
-						Namespace: testNamespace,
-					},
-					Hostname: "TestHost",
-				},
-				RuntimeHandler: test.runtimeHandler,
-			}
+			sandboxRequest := getRunPodSandboxRequest(t, test.runtimeHandler)
+			sandboxRequest.Config.Hostname = "TestHost"
 
 			client := newTestRuntimeClient(t)
 			ctx, cancel := context.WithCancel(context.Background())

test/cri-containerd/container_test.go

@@ -80,15 +80,7 @@ func Test_RotateLogs_LCOW(t *testing.T) {
 	pullRequiredLcowImages(t, []string{imageLcowK8sPause, image})
 	logrus.SetLevel(logrus.DebugLevel)
 
-	sandboxRequest := &runtime.RunPodSandboxRequest{
-		Config: &runtime.PodSandboxConfig{
-			Metadata: &runtime.PodSandboxMetadata{
-				Name:      t.Name() + "-Sandbox",
-				Namespace: testNamespace,
-			},
-		},
-		RuntimeHandler: lcowRuntimeHandler,
-	}
+	sandboxRequest := getRunPodSandboxRequest(t, lcowRuntimeHandler)
 
 	request := &runtime.CreateContainerRequest{
 		Config: &runtime.ContainerConfig{
@@ -150,16 +142,7 @@ func Test_RunContainer_Events_LCOW(t *testing.T) {
 	defer podcancel()
 	targetNamespace := "k8s.io"
 
-	sandboxRequest := &runtime.RunPodSandboxRequest{
-		Config: &runtime.PodSandboxConfig{
-			Metadata: &runtime.PodSandboxMetadata{
-				Name:      t.Name(),
-				Uid:       "0",
-				Namespace: testNamespace,
-			},
-		},
-		RuntimeHandler: lcowRuntimeHandler,
-	}
+	sandboxRequest := getRunPodSandboxRequest(t, lcowRuntimeHandler)
 
 	podID := runPodSandbox(t, client, podctx, sandboxRequest)
 	defer removePodSandbox(t, client, podctx, podID)
@@ -228,15 +211,7 @@ func Test_RunContainer_ForksThenExits_ShowsAsExited_LCOW(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
 	defer cancel()
 
-	podRequest := &runtime.RunPodSandboxRequest{
-		Config: &runtime.PodSandboxConfig{
-			Metadata: &runtime.PodSandboxMetadata{
-				Name:      t.Name(),
-				Namespace: testNamespace,
-			},
-		},
-		RuntimeHandler: lcowRuntimeHandler,
-	}
+	podRequest := getRunPodSandboxRequest(t, lcowRuntimeHandler)
 	podID := runPodSandbox(t, client, ctx, podRequest)
 	defer removePodSandbox(t, client, ctx, podID)
 	defer stopPodSandbox(t, client, ctx, podID)
@@ -288,18 +263,10 @@ func Test_RunContainer_ZeroVPMEM_LCOW(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	sandboxRequest := &runtime.RunPodSandboxRequest{
-		Config: &runtime.PodSandboxConfig{
-			Metadata: &runtime.PodSandboxMetadata{
-				Name:      t.Name() + "-Sandbox",
-				Namespace: testNamespace,
-			},
-			Annotations: map[string]string{
-				"io.microsoft.virtualmachine.lcow.preferredrootfstype":         "initrd",
-				"io.microsoft.virtualmachine.devices.virtualpmem.maximumcount": "0",
-			},
-		},
-		RuntimeHandler: lcowRuntimeHandler,
+	sandboxRequest := getRunPodSandboxRequest(t, lcowRuntimeHandler)
+	sandboxRequest.Config.Annotations = map[string]string{
+		"io.microsoft.virtualmachine.lcow.preferredrootfstype":         "initrd",
+		"io.microsoft.virtualmachine.devices.virtualpmem.maximumcount": "0",
 	}
 
 	podID := runPodSandbox(t, client, ctx, sandboxRequest)
@@ -335,18 +302,10 @@ func Test_RunContainer_ZeroVPMEM_Multiple_LCOW(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	sandboxRequest := &runtime.RunPodSandboxRequest{
-		Config: &runtime.PodSandboxConfig{
-			Metadata: &runtime.PodSandboxMetadata{
-				Name:      t.Name() + "-Sandbox",
-				Namespace: testNamespace,
-			},
-			Annotations: map[string]string{
-				"io.microsoft.virtualmachine.lcow.preferredrootfstype":         "initrd",
-				"io.microsoft.virtualmachine.devices.virtualpmem.maximumcount": "0",
-			},
-		},
-		RuntimeHandler: lcowRuntimeHandler,
+	sandboxRequest := getRunPodSandboxRequest(t, lcowRuntimeHandler)
+	sandboxRequest.Config.Annotations = map[string]string{
+		"io.microsoft.virtualmachine.lcow.preferredrootfstype":         "initrd",
+		"io.microsoft.virtualmachine.devices.virtualpmem.maximumcount": "0",
 	}
 
 	podID := runPodSandbox(t, client, ctx, sandboxRequest)
@@ -391,15 +350,7 @@ func Test_RunContainer_GMSA_WCOW_Process(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	sandboxRequest := &runtime.RunPodSandboxRequest{
-		Config: &runtime.PodSandboxConfig{
-			Metadata: &runtime.PodSandboxMetadata{
-				Name:      t.Name() + "-Sandbox",
-				Namespace: testNamespace,
-			},
-		},
-		RuntimeHandler: wcowProcessRuntimeHandler,
-	}
+	sandboxRequest := getRunPodSandboxRequest(t, wcowProcessRuntimeHandler)
 
 	podID := runPodSandbox(t, client, ctx, sandboxRequest)
 	defer removePodSandbox(t, client, ctx, podID)
@@ -463,15 +414,7 @@ func Test_RunContainer_GMSA_WCOW_Hypervisor(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	sandboxRequest := &runtime.RunPodSandboxRequest{
-		Config: &runtime.PodSandboxConfig{
-			Metadata: &runtime.PodSandboxMetadata{
-				Name:      t.Name() + "-Sandbox",
-				Namespace: testNamespace,
-			},
-		},
-		RuntimeHandler: wcowHypervisorRuntimeHandler,
-	}
+	sandboxRequest := getRunPodSandboxRequest(t, wcowHypervisorRuntimeHandler)
 
 	podID := runPodSandbox(t, client, ctx, sandboxRequest)
 	defer removePodSandbox(t, client, ctx, podID)
@@ -535,20 +478,11 @@ func Test_RunContainer_SandboxDevice_LCOW(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	sandboxRequest := &runtime.RunPodSandboxRequest{
-		Config: &runtime.PodSandboxConfig{
-			Metadata: &runtime.PodSandboxMetadata{
-				Name:      t.Name() + "-Sandbox",
-				Uid:       "0",
-				Namespace: testNamespace,
-			},
-			Linux: &runtime.LinuxPodSandboxConfig{
-				SecurityContext: &runtime.LinuxSandboxSecurityContext{
-					Privileged: true,
-				},
-			},
+	sandboxRequest := getRunPodSandboxRequest(t, lcowRuntimeHandler)
+	sandboxRequest.Config.Linux = &runtime.LinuxPodSandboxConfig{
+		SecurityContext: &runtime.LinuxSandboxSecurityContext{
+			Privileged: true,
 		},
-		RuntimeHandler: lcowRuntimeHandler,
 	}
 
 	podID := runPodSandbox(t, client, ctx, sandboxRequest)
@@ -596,3 +530,67 @@ func Test_RunContainer_SandboxDevice_LCOW(t *testing.T) {
 		t.Fatal("did not find expected device /dev/fuse in container")
 	}
 }
+
+func Test_RunContainer_NonDefault_User(t *testing.T) {
+	requireFeatures(t, featureLCOW)
+
+	type config struct {
+		containerSecCtx *runtime.LinuxContainerSecurityContext
+		name            string
+	}
+	client := newTestRuntimeClient(t)
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	pullRequiredLcowImages(t, []string{imageLcowK8sPause, imageLcowAlpine})
+
+	podReq := getRunPodSandboxRequest(t, lcowRuntimeHandler)
+	podID := runPodSandbox(t, client, ctx, podReq)
+	defer removePodSandbox(t, client, ctx, podID)
+	defer stopPodSandbox(t, client, ctx, podID)
+
+	tests := []config{
+		{
+			containerSecCtx: &runtime.LinuxContainerSecurityContext{
+				RunAsUsername: "guest",
+			},
+			name: "RunAsUsername",
+		},
+		{
+			containerSecCtx: &runtime.LinuxContainerSecurityContext{
+				RunAsUser: &runtime.Int64Value{
+					Value: 10001,
+				},
+			},
+			name: "RunAsUserUID",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(_ *testing.T) {
+			conReq := &runtime.CreateContainerRequest{
+				Config: &runtime.ContainerConfig{
+					Metadata: &runtime.ContainerMetadata{
+						Name: t.Name() + "-Container",
+					},
+					Image: &runtime.ImageSpec{
+						Image: imageLcowAlpine,
+					},
+					Command: []string{
+						"top",
+					},
+					Linux: &runtime.LinuxContainerConfig{
+						SecurityContext: test.containerSecCtx,
+					},
+				},
+				PodSandboxId:  podID,
+				SandboxConfig: podReq.Config,
+			}
+
+			containerID := createContainer(t, client, ctx, conReq)
+			defer removeContainer(t, client, ctx, containerID)
+			startContainer(t, client, ctx, containerID)
+			defer stopContainer(t, client, ctx, containerID)
+		})
+	}
+}

test/cri-containerd/container_virtual_device_test.go

@@ -420,15 +420,7 @@ func Test_RunContainer_VirtualDevice_LocationPath_WCOW_Process(t *testing.T) {
 	client := newTestRuntimeClient(t)
 
 	podctx := context.Background()
-	sandboxRequest := &runtime.RunPodSandboxRequest{
-		Config: &runtime.PodSandboxConfig{
-			Metadata: &runtime.PodSandboxMetadata{
-				Name:      t.Name(),
-				Namespace: testNamespace,
-			},
-		},
-		RuntimeHandler: wcowProcessRuntimeHandler,
-	}
+	sandboxRequest := getRunPodSandboxRequest(t, wcowProcessRuntimeHandler)
 
 	podID := runPodSandbox(t, client, podctx, sandboxRequest)
 	defer removePodSandbox(t, client, podctx, podID)
@@ -469,15 +461,7 @@ func Test_RunContainer_VirtualDevice_ClassGUID_WCOW_Process(t *testing.T) {
 	client := newTestRuntimeClient(t)
 
 	podctx := context.Background()
-	sandboxRequest := &runtime.RunPodSandboxRequest{
-		Config: &runtime.PodSandboxConfig{
-			Metadata: &runtime.PodSandboxMetadata{
-				Name:      t.Name(),
-				Namespace: testNamespace,
-			},
-		},
-		RuntimeHandler: wcowProcessRuntimeHandler,
-	}
+	sandboxRequest := getRunPodSandboxRequest(t, wcowProcessRuntimeHandler)
 
 	podID := runPodSandbox(t, client, podctx, sandboxRequest)
 	defer removePodSandbox(t, client, podctx, podID)
@@ -518,17 +502,9 @@ func Test_RunContainer_VirtualDevice_GPU_WCOW_Hypervisor(t *testing.T) {
 	client := newTestRuntimeClient(t)
 
 	podctx := context.Background()
-	sandboxRequest := &runtime.RunPodSandboxRequest{
-		Config: &runtime.PodSandboxConfig{
-			Metadata: &runtime.PodSandboxMetadata{
-				Name:      t.Name(),
-				Namespace: testNamespace,
-			},
-			Annotations: map[string]string{
-				"io.microsoft.virtualmachine.fullyphysicallybacked": "true",
-			},
-		},
-		RuntimeHandler: wcowHypervisorRuntimeHandler,
+	sandboxRequest := getRunPodSandboxRequest(t, wcowHypervisorRuntimeHandler)
+	sandboxRequest.Config.Annotations = map[string]string{
+		"io.microsoft.virtualmachine.fullyphysicallybacked": "true",
 	}
 
 	podID := runPodSandbox(t, client, podctx, sandboxRequest)
@@ -571,17 +547,9 @@ func Test_RunContainer_VirtualDevice_GPU_and_NoGPU_WCOW_Hypervisor(t *testing.T)
 	client := newTestRuntimeClient(t)
 
 	podctx := context.Background()
-	sandboxRequest := &runtime.RunPodSandboxRequest{
-		Config: &runtime.PodSandboxConfig{
-			Metadata: &runtime.PodSandboxMetadata{
-				Name:      t.Name(),
-				Namespace: testNamespace,
-			},
-			Annotations: map[string]string{
-				"io.microsoft.virtualmachine.fullyphysicallybacked": "true",
-			},
-		},
-		RuntimeHandler: wcowHypervisorRuntimeHandler,
+	sandboxRequest := getRunPodSandboxRequest(t, wcowHypervisorRuntimeHandler)
+	sandboxRequest.Config.Annotations = map[string]string{
+		"io.microsoft.virtualmachine.fullyphysicallybacked": "true",
 	}
 
 	podID := runPodSandbox(t, client, podctx, sandboxRequest)
@@ -641,17 +609,9 @@ func Test_RunContainer_VirtualDevice_GPU_Multiple_WCOW_Hypervisor(t *testing.T)
 	client := newTestRuntimeClient(t)
 
 	podctx := context.Background()
-	sandboxRequest := &runtime.RunPodSandboxRequest{
-		Config: &runtime.PodSandboxConfig{
-			Metadata: &runtime.PodSandboxMetadata{
-				Name:      t.Name(),
-				Namespace: testNamespace,
-			},
-			Annotations: map[string]string{
-				"io.microsoft.virtualmachine.fullyphysicallybacked": "true",
-			},
-		},
-		RuntimeHandler: wcowHypervisorRuntimeHandler,
+	sandboxRequest := getRunPodSandboxRequest(t, wcowHypervisorRuntimeHandler)
+	sandboxRequest.Config.Annotations = map[string]string{
+		"io.microsoft.virtualmachine.fullyphysicallybacked": "true",
 	}
 
 	podID := runPodSandbox(t, client, podctx, sandboxRequest)
@@ -701,17 +661,9 @@ func Test_RunContainer_VirtualDevice_GPU_Multiple_Removal_WCOW_Hypervisor(t *tes
 	client := newTestRuntimeClient(t)
 
 	podctx := context.Background()
-	sandboxRequest := &runtime.RunPodSandboxRequest{
-		Config: &runtime.PodSandboxConfig{
-			Metadata: &runtime.PodSandboxMetadata{
-				Name:      t.Name(),
-				Namespace: testNamespace,
-			},
-			Annotations: map[string]string{
-				"io.microsoft.virtualmachine.fullyphysicallybacked": "true",
-			},
-		},
-		RuntimeHandler: wcowHypervisorRuntimeHandler,
+	sandboxRequest := getRunPodSandboxRequest(t, wcowHypervisorRuntimeHandler)
+	sandboxRequest.Config.Annotations = map[string]string{
+		"io.microsoft.virtualmachine.fullyphysicallybacked": "true",
 	}
 
 	podID := runPodSandbox(t, client, podctx, sandboxRequest)