Backport of Make runsc the default plugin container runtime into release/1.15.x (#22886)

* backport of commit d6da79aa5f Make runsc the default plugin container runtime (#22850) * Also makes plugin directory optional when registering container plugins * And threads plugin runtime settings through to plugin execution config * Add runsc to github runner for plugin container tests * backport of commit: f20b6eb710 * Disable gVisor in tests (for now) (#22881) We can't use `sudo` on our self-hosted runners at the moment to do the install and Docker reload. So, we'll disable this for now, which should automatically cause the gVisor-related tests to be skipped. --------- Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com> Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>
2025-11-01 19:17:58 +00:00 · 2023-09-08 07:56:59 -04:00
parent 749cfea705
commit 1bbb53ab2c
13 changed files with 574 additions and 151 deletions
--- a/sdk/helper/pluginutil/run_config_test.go
+++ b/sdk/helper/pluginutil/run_config_test.go
@@ -5,13 +5,19 @@ package pluginutil

 import (
 	"context"
+	"encoding/hex"
 	"fmt"
+	"os"
 	"os/exec"
+	"strconv"
 	"testing"
 	"time"

 	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-plugin"
+	"github.com/hashicorp/go-secure-stdlib/plugincontainer"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/helper/pluginruntimeutil"
 	"github.com/hashicorp/vault/sdk/helper/wrapping"
 	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"
@@ -28,8 +34,10 @@ func TestMakeConfig(t *testing.T) {
 		mlockEnabled      bool
 		mlockEnabledTimes int

-		expectedConfig  *plugin.ClientConfig
-		expectTLSConfig bool
+		expectedConfig   *plugin.ClientConfig
+		expectTLSConfig  bool
+		expectRunnerFunc bool
+		skipSecureConfig bool
 	}

 	tests := map[string]testCase{
@@ -286,6 +294,64 @@ func TestMakeConfig(t *testing.T) {
 			},
 			expectTLSConfig: false,
 		},
+		"image set": {
+			rc: runConfig{
+				command:  "echo",
+				args:     []string{"foo", "bar"},
+				sha256:   []byte("some_sha256"),
+				env:      []string{"initial=true"},
+				image:    "some-image",
+				imageTag: "0.1.0",
+				PluginClientConfig: PluginClientConfig{
+					PluginSets: map[int]plugin.PluginSet{
+						1: {
+							"bogus": nil,
+						},
+					},
+					HandshakeConfig: plugin.HandshakeConfig{
+						ProtocolVersion:  1,
+						MagicCookieKey:   "magic_cookie_key",
+						MagicCookieValue: "magic_cookie_value",
+					},
+					Logger:         hclog.NewNullLogger(),
+					IsMetadataMode: false,
+					AutoMTLS:       true,
+				},
+			},
+
+			responseWrapInfoTimes: 0,
+
+			mlockEnabled:      false,
+			mlockEnabledTimes: 1,
+
+			expectedConfig: &plugin.ClientConfig{
+				HandshakeConfig: plugin.HandshakeConfig{
+					ProtocolVersion:  1,
+					MagicCookieKey:   "magic_cookie_key",
+					MagicCookieValue: "magic_cookie_value",
+				},
+				VersionedPlugins: map[int]plugin.PluginSet{
+					1: {
+						"bogus": nil,
+					},
+				},
+				Cmd:          nil,
+				SecureConfig: nil,
+				AllowedProtocols: []plugin.Protocol{
+					plugin.ProtocolNetRPC,
+					plugin.ProtocolGRPC,
+				},
+				Logger:      hclog.NewNullLogger(),
+				AutoMTLS:    true,
+				SkipHostEnv: true,
+				UnixSocketConfig: &plugin.UnixSocketConfig{
+					Group: strconv.Itoa(os.Getgid()),
+				},
+			},
+			expectTLSConfig:  false,
+			expectRunnerFunc: true,
+			skipSecureConfig: true,
+		},
 	}

 	for name, test := range tests {
@@ -309,11 +375,13 @@ func TestMakeConfig(t *testing.T) {

 			// The following fields are generated, so we just need to check for existence, not specific value
 			// The value must be nilled out before performing a DeepEqual check
-			hsh := config.SecureConfig.Hash
-			if hsh == nil {
-				t.Fatalf("Missing SecureConfig.Hash")
+			if !test.skipSecureConfig {
+				hsh := config.SecureConfig.Hash
+				if hsh == nil {
+					t.Fatalf("Missing SecureConfig.Hash")
+				}
+				config.SecureConfig.Hash = nil
 			}
-			config.SecureConfig.Hash = nil

 			if test.expectTLSConfig && config.TLSConfig == nil {
 				t.Fatalf("TLS config expected, got nil")
@@ -323,6 +391,11 @@ func TestMakeConfig(t *testing.T) {
 			}
 			config.TLSConfig = nil

+			if test.expectRunnerFunc != (config.RunnerFunc != nil) {
+				t.Fatalf("expected RunnerFunc: %v, actual: %v", test.expectRunnerFunc, config.RunnerFunc != nil)
+			}
+			config.RunnerFunc = nil
+
 			require.Equal(t, test.expectedConfig, config)
 		})
 	}
@@ -358,3 +431,117 @@ func (m *mockRunnerUtil) MlockEnabled() bool {
 	args := m.Called()
 	return args.Bool(0)
 }
+
+func TestContainerConfig(t *testing.T) {
+	dummySHA, err := hex.DecodeString("abc123")
+	if err != nil {
+		t.Fatal(err)
+	}
+	for name, tc := range map[string]struct {
+		rc       runConfig
+		expected plugincontainer.Config
+	}{
+		"image set, no runtime": {
+			rc: runConfig{
+				command:  "echo",
+				args:     []string{"foo", "bar"},
+				sha256:   dummySHA,
+				env:      []string{"initial=true"},
+				image:    "some-image",
+				imageTag: "0.1.0",
+				PluginClientConfig: PluginClientConfig{
+					PluginSets: map[int]plugin.PluginSet{
+						1: {
+							"bogus": nil,
+						},
+					},
+					HandshakeConfig: plugin.HandshakeConfig{
+						ProtocolVersion:  1,
+						MagicCookieKey:   "magic_cookie_key",
+						MagicCookieValue: "magic_cookie_value",
+					},
+					Logger:   hclog.NewNullLogger(),
+					AutoMTLS: true,
+				},
+			},
+			expected: plugincontainer.Config{
+				Image:      "some-image",
+				Tag:        "0.1.0",
+				SHA256:     "abc123",
+				Entrypoint: []string{"echo"},
+				Args:       []string{"foo", "bar"},
+				Env: []string{
+					"initial=true",
+					fmt.Sprintf("%s=%s", PluginVaultVersionEnv, "dummyversion"),
+					fmt.Sprintf("%s=%t", PluginMetadataModeEnv, false),
+					fmt.Sprintf("%s=%t", PluginAutoMTLSEnv, true),
+				},
+				Labels: map[string]string{
+					"managed-by": "hashicorp.com/vault",
+				},
+				Runtime:  consts.DefaultContainerPluginOCIRuntime,
+				GroupAdd: os.Getgid(),
+			},
+		},
+		"image set, with runtime": {
+			rc: runConfig{
+				sha256:   dummySHA,
+				image:    "some-image",
+				imageTag: "0.1.0",
+				runtimeConfig: &pluginruntimeutil.PluginRuntimeConfig{
+					OCIRuntime:   "some-oci-runtime",
+					CgroupParent: "/cgroup/parent",
+					CPU:          1000,
+					Memory:       2000,
+				},
+				PluginClientConfig: PluginClientConfig{
+					PluginSets: map[int]plugin.PluginSet{
+						1: {
+							"bogus": nil,
+						},
+					},
+					HandshakeConfig: plugin.HandshakeConfig{
+						ProtocolVersion:  1,
+						MagicCookieKey:   "magic_cookie_key",
+						MagicCookieValue: "magic_cookie_value",
+					},
+					Logger:   hclog.NewNullLogger(),
+					AutoMTLS: true,
+				},
+			},
+			expected: plugincontainer.Config{
+				Image:  "some-image",
+				Tag:    "0.1.0",
+				SHA256: "abc123",
+				Env: []string{
+					fmt.Sprintf("%s=%s", PluginVaultVersionEnv, "dummyversion"),
+					fmt.Sprintf("%s=%t", PluginMetadataModeEnv, false),
+					fmt.Sprintf("%s=%t", PluginAutoMTLSEnv, true),
+				},
+				Labels: map[string]string{
+					"managed-by": "hashicorp.com/vault",
+				},
+				Runtime:      "some-oci-runtime",
+				GroupAdd:     os.Getgid(),
+				CgroupParent: "/cgroup/parent",
+				NanoCpus:     1000,
+				Memory:       2000,
+			},
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			mockWrapper := new(mockRunnerUtil)
+			mockWrapper.On("ResponseWrapData", mock.Anything, mock.Anything, mock.Anything, mock.Anything).
+				Return(nil, nil)
+			mockWrapper.On("MlockEnabled").
+				Return(false)
+			tc.rc.Wrapper = mockWrapper
+			cmd, _, err := tc.rc.generateCmd(context.Background())
+			if err != nil {
+				t.Fatal(err)
+			}
+			cfg := tc.rc.containerConfig(cmd.Env)
+			require.Equal(t, tc.expected, *cfg)
+		})
+	}
+}