Add Test_RunPodSandbox_Mount_SandboxDir_NoShare_WCOW test

This change adds a new WCOW sandbox mount test that verifies that if we don't supply the sandbox:/// mount for another container in the pod, it doesn't have access to the mount. Signed-off-by: Daniel Canter <dcanter@microsoft.com>
microsoft · Sep 7, 2021 · 91ea115 · 91ea115
1 parent 17b5493
commit 91ea115
Showing 1 changed file with 56 additions and 0 deletions.
diff --git a/test/cri-containerd/runpodsandbox_test.go b/test/cri-containerd/runpodsandbox_test.go
@@ -921,6 +921,62 @@ func Test_RunPodSandbox_Mount_SandboxDir_WCOW(t *testing.T) {
 	}
 }
 
+func Test_RunPodSandbox_Mount_SandboxDir_NoShare_WCOW(t *testing.T) {
+	requireFeatures(t, featureWCOWHypervisor)
+
+	pullRequiredImages(t, []string{imageWindowsNanoserver})
+
+	client := newTestRuntimeClient(t)
+	ctx := context.Background()
+
+	sbRequest := getRunPodSandboxRequest(t, wcowHypervisorRuntimeHandler, nil)
+	podID := runPodSandbox(t, client, ctx, sbRequest)
+	defer removePodSandbox(t, client, ctx, podID)
+	defer stopPodSandbox(t, client, ctx, podID)
+
+	command := []string{
+		"cmd",
+		"/c",
+		"ping",
+		"-t",
+		"127.0.0.1",
+	}
+
+	mounts := []*runtime.Mount{
+		{
+			HostPath:      "sandbox:///test",
+			ContainerPath: "C:\\test",
+		},
+	}
+	// This test case is making sure that the sandbox mount doesn't show up in another container if not
+	// explicitly asked for. Make first container with the mount and another shortly after without.
+	container1Name := t.Name() + "-Container-" + "1"
+	container1Id := createContainerInSandbox(t, client, ctx, podID, container1Name, imageWindowsNanoserver, command, nil, mounts, sbRequest.Config)
+	defer removeContainer(t, client, ctx, container1Id)
+
+	startContainer(t, client, ctx, container1Id)
+	defer stopContainer(t, client, ctx, container1Id)
+
+	container2Name := t.Name() + "-Container-" + "2"
+	container2Id := createContainerInSandbox(t, client, ctx, podID, container2Name, imageWindowsNanoserver, command, nil, nil, sbRequest.Config)
+	defer removeContainer(t, client, ctx, container2Id)
+
+	startContainer(t, client, ctx, container2Id)
+	defer stopContainer(t, client, ctx, container2Id)
+
+	// Test that we can't see the file made in the first container in the second one.
+	execDir := []string{
+		"cmd",
+		"/c",
+		"dir",
+		"C:\\test\\",
+	}
+	output, _, exitCode := execContainer(t, client, ctx, container2Id, execDir)
+	if exitCode == 0 {
+		t.Fatalf("Found directory in second container when not expected: %s", output)
+	}
+}
+
 func Test_RunPodSandbox_CPUGroup(t *testing.T) {
 	testutilities.RequiresBuild(t, 20124)
 	ctx := context.Background()