Repository files navigation

The Container Structure Tests provide a powerful framework to validate the structureof a container image. These tests can be used to check the output of commandsin an image, as well as verify metadata and contents of the filesystem.

Tests can be run either through a standalone binary, or through a Docker image.

Note: container-structure-test is not an officially supported Google project, and is currently in maintainence mode. Contributions are still welcome!

Install viabrew:

$ brew install container-structure-test

curl -LO https://github.com/GoogleContainerTools/container-structure-test/releases/latest/download/container-structure-test-darwin-arm64&& chmod +x container-structure-test-darwin-arm64&& sudo mv container-structure-test-darwin-arm64 /usr/local/bin/container-structure-test

curl -LO https://github.com/GoogleContainerTools/container-structure-test/releases/latest/download/container-structure-test-linux-amd64&& chmod +x container-structure-test-linux-amd64&& sudo mv container-structure-test-linux-amd64 /usr/local/bin/container-structure-test

If you want to avoid using sudo:

curl -LO https://github.com/GoogleContainerTools/container-structure-test/releases/latest/download/container-structure-test-linux-amd64&& chmod +x container-structure-test-linux-amd64&& mkdir -p$HOME/bin&&export PATH=$PATH:$HOME/bin&& mv container-structure-test-linux-amd64$HOME/bin/container-structure-test

Additionally, a container image for running tests through Google Cloud Builder can be foundatgcr.io/gcp-runtimes/container-structure-test:latest.

To use container structure tests to validate your containers, you'll need the following:

• The container structure test binary or docker image
• A container image to test against
• A test.yaml or.json file with user defined structure tests to run inside of the specified container image

Note that the test framework looks for the provided image in the local Dockerdaemon (if it is not provided as a tar). The--pull flag can optionallybe provided to force a pull of a remote image before running the tests.

An example run of the test framework:

container-structure-testtest --image gcr.io/registry/image:latest \--config config.yaml

Tests within this framework are specified through a YAML or JSON config file,which is provided to the test driver via a CLI flag. Multiple config files maybe specified in a single test run. The config file will be loaded in by thetest driver, which will execute the tests in order. Within this config file,four types of tests can be written:

• Command Tests (testing output/error of a specific command issued)
• File Existence Tests (making sure a file is, or isn't, present in thefile system of the image)
• File Content Tests (making sure files in the file system of the imagecontain, or do not contain, specific contents)
• Metadata Test,singular (making sure certain container metadata is correct)

Command tests ensure that certain commands run properly in the target image.Regexes can be used to check for expected or excluded strings in bothstdoutandstderr. Additionally, any number of flags can be passed to the argumentas normal. Each command in the setup section will run in a separate containerand then commits a modified image to be the new base image for the test run.

NOTE:schemaVersion must be specified in all container-structure-test yamls. The current version is2.0.0.

• Name (string,required): The name of the test
• Setup ([][]string,optional): A list of commands(each with optional flags) to run before the actual command under test.
• Teardown ([][]string,optional): A list of commands(each with optional flags) to run after the actual command under test.
• Command (string,required): The command to run in the test.
• Args ([]string,optional): The arguments to pass to the command.
• EnvVars ([]EnvVar,optional): A list of environment variables to set forthe individual test. See theEnvironment Variables section for more info.
• Expected Output ([]string,optional): List of regexes that shouldmatch the stdout from running the command.
• Excluded Output ([]string,optional): List of regexes that shouldnotmatch the stdout from running the command.
• Expected Error ([]string,optional): List of regexes that shouldmatch the stderr from running the command.
• Excluded Error ([]string,optional): List of regexes that shouldnotmatch the stderr from running the command.
• Exit Code (int,optional): Exit code that the command should exit with.

Example:

commandTests:  -name:"gunicorn flask"setup:[["virtualenv", "/env"], ["pip", "install", "gunicorn", "flask"]]command:"which"args:["gunicorn"]expectedOutput:["/env/bin/gunicorn"]  -name:"apt-get upgrade"command:"apt-get"args:["-qqs", "upgrade"]excludedOutput:[".*Inst.*Security.* | .*Security.*Inst.*"]excludedError:[".*Inst.*Security.* | .*Security.*Inst.*"]

Depending on your command the argument section can get quite long. Thus, youcan make use of YAML's list style option for separation of arguments and theliteral style option to preserve newlines like so:

commandTests:  - name:"say hello world"    command:"bash"    args:      - -c      -|echo hello&&echo world

To avoid unexpected behavior and output when running commands in thecontainers,all entrypoints are overwritten by default. If yourentrypoint is necessary for the structure of your container, use thesetup field to call any scripts or commands manually before runningthe tests.

commandTests:...setup:[["my_image_entrypoint.sh"]]...

Each command test run creates either a container (with thedocker driver) ortar artifact (with thetar driver). By default, these are deleted after thetest run finishes, but the--save flag can optionally be passed to keepthese around. This would normally be used for debugging purposes.

File existence tests check to make sure a specific file (or directory) existwithin the file system of the image. No contents of the files or directoriesare checked. These tests can also be used to ensure a file or directory isnot present in the file system.

• Name (string,required): The name of the test
• Path (string,required): Path to the file or directory under test
• ShouldExist (boolean,required): Whether or not the specified file ordirectory should exist in the file system
• Permissions (string,optional): The expected Unix permission string (e.g.drwxrwxrwx) of the files or directory.
• Uid (int,optional): The expected Unix user ID of the owner of the fileor directory.
• Gid (int,optional): The expected Unix group ID of the owner of the file or directory.
• IsExecutableBy (string,optional): Checks if file is executable by a given user.One ofowner,group,other orany

Example:

fileExistenceTests:-name:'Root'path:'/'shouldExist:truepermissions:'-rw-r--r--'uid:1000gid:1000isExecutableBy:'group'

File content tests open a file on the file system and check its contents.These tests assume the specified fileis a file, and that itexists(if unsure about either or these criteria, see the aboveFile Existence Tests section). Regexes can again be used to check forexpected or excluded content in the specified file.

• Name (string,required): The name of the test
• Path (string,required): Path to the file under test
• ExpectedContents (string[],optional): List of regexes thatshould match the contents of the file
• ExcludedContents (string[],optional): List of regexes thatshouldnot match the contents of the file

Example:

fileContentTests:-name:'Debian Sources'path:'/etc/apt/sources.list'expectedContents:['.*httpredir\.debian\.org.*']excludedContents:['.*gce_debian_mirror.*']

The Metadata test ensures the container is configured correctly. Allof these checks are optional.

• EnvVars ([]EnvVar): A list of environment variable key/value pairs that should be setin the container. isRegex (optional) interpretes the value as regex.
• UnboundEnvVars ([]EnvVar): A list of environment variable keys that shouldNOT be setin the container.
• Labels ([]Label): A list of image labels key/value pairs that should be set on thecontainer. isRegex (optional) interpretes the value as regex.
• Entrypoint ([]string): The entrypoint of the container.
• Cmd ([]string): The CMD specified in the container.
• Exposed Ports ([]string): The ports exposed in the container.
• Unexposed Ports ([]string): The portsNOT exposed in the container.
• Volumes ([]string): The volumes exposed in the container.
• UnmountedVolumes ([]string): The volumesNOT exposed in the container.
• Workdir (string): The default working directory of the container.
• User (user): The default user of the container.

Example:

metadataTest:envVars:    -key:foovalue:bazlabels:    -key:'com.example.vendor'value:'ACME Incorporated'    -key:'build-date'value:'^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}$'isRegex:trueexposedPorts:["8080", "2345"]volumes:["/test"]entrypoint:[]cmd:["/bin/bash"]workdir:"/app"user:"luke"

License tests check a list of copyright files and makes sure all licenses areallowed at Google. By default it will look at where Debian lists all copyrightfiles, but can also look at an arbitrary list of files.

• Debian (bool,required): If the image is based on Debian, check whereDebian lists all licenses.
• Files (string[],optional): A list of other files to check.

Example:

licenseTests:-debian:truefiles:["/foo/bar", "/baz/bat"]

A list of environment variables can optionally be specified as part of thetest setup. They can either be set up globally (for all test runs), ortest-local as part of individual command test runs (see theCommand Testssection above). Each environment variable is specified as a key-value pair.Unix-style environment variable substitution is supported.

To specify, add a section like this to your config:

globalEnvVars:  -key:"VIRTUAL_ENV"value:"/env"  -key:"PATH"value:"/env/bin:$PATH"

The following fields are used to control various options and flags that may bedesirable to set for the running container used to perform a structure testagainst an image. This allows an image author to validate certain runtimebehavior that cannot be modified in the image-under-test such as running acontainer with an alternative user/UID or mounting a volume.

Note that these options are currently only supported with thedocker driver.

The following list of options are currently supported:

containerRunOptions:user:"root"# set the --user/-u flagprivileged:true# set the --privileged flag (default: false)allocateTty:true# set the --tty flag (default: false)envFile:path/to/.env# load environment variables from file and pass to container (equivalent to --env-file)envVars:# if not empty, read each envVar from the environment and pass to test (equivalent to --env/e)    -SECRET_KEY_FOO    -OTHER_SECRET_BARcapabilities:# Add list of Linux capabilities (--cap-add)    -NET_BIND_SERVICEbindMounts:# Bind mount a volume (--volume, -v)    -/etc/example/dir:/etc/dir

This tool is released as a builder image, tagged asgcr.io/gcp-runtimes/container-structure-test, so you can specify tests in yourcloudbuild.yaml:

steps:# Build an image.-name:'gcr.io/cloud-builders/docker'args:['build', '-t', 'gcr.io/$PROJECT_ID/image', '.']# Test the image.-name:'gcr.io/gcp-runtimes/container-structure-test'args:['test', '--image', 'gcr.io/$PROJECT_ID/image', '--config', 'test_config.yaml']# Push the image.images:['gcr.io/$PROJECT_ID/image']

Container images can be represented in multiple formats, and the Docker imageis just one of them. At their core, images are just a series of layers, eachof which is a tarball, and so can be interacted with without a working Dockerdaemon. While running command tests currently requires a functioning Dockerdaemon on the host machine, File Existence/Content tests do not. This can beuseful when dealing with images which have beendocker exportedor saved in a different image format than the Docker format, or when you're simplytrying to run structure tests in an environment where Docker can't be installed.

To run tests without using a Docker daemon, users can specify a different"driver" to use in the tests, with the--driver flag.

An example test run with a different driver looks like:

container-structure-testtest --driver tar --image gcr.io/registry/image:latest \--config config.yaml

The currently supported drivers in the framework are:

• docker: the default driver.Supports all tests, and uses the Docker daemon on the host to run them. You canset the runtime to use (by examplerunsc to run with gVisor) using--runtimeflag.
• tar: a tar driver, which extracts an image filesystem to wherever tests arerunning, and runs file/metadata tests against it.Doesnot support command tests.

Structure tests can also be run throughbazel.

With Bazel 6 and bzlmod, just seehttps://registry.bazel.build/modules/container_structure_test.Otherwise, load the rule and its dependencies in yourWORKSPACE, see bazel/test/WORKSPACE.bazel in this repo.

Load the rule definition in your BUILD file and declare acontainer_structure_test target, passing in your image and config file as parameters:

load("@container_structure_test//:defs.bzl","container_structure_test")container_structure_test(name="hello_test",configs= ["testdata/hello.yaml"],image=":hello",)

container-structure-test test -h

  -c, --config stringArray             test config files      --default-image-tag string       default image tag to used when loading images to the daemon. required when --image-from-oci-layout refers to a oci layout lacking the reference annotation.  -d, --driver string                  driver to use when running tests (default "docker")  -f, --force                          force run of host driver (without user prompt)  -h, --help                           help for test  -i, --image string                   path to test image      --image-from-oci-layout string   path to the oci layout to test against      --metadata string                path to image metadata file      --no-color                       no color in the output  -o, --output string                  output format for the test report (available format: text, json, junit) (default "text")      --platform string                Set platform if host is multi-platform capable (default "linux/amd64")      --pull                           force a pull of the image before running tests  -q, --quiet                          flag to suppress output      --runtime string                 runtime to use with docker driver      --save                           preserve created containers after test run      --test-report string             generate test report and write it to specified file (supported format: json, junit; default: json)

See thisexample repo for a full working example.

Reports are generated using one of the following output formats:text,json orjunit.Formats likejson andjunit can also be used to write a report to a specified file using the--test-report.

========================================== Test file: config.yaml ============================================= RUN: File Existence Test: whoami--- PASSduration: 0s=== RUN: Metadata Test--- PASSduration: 0s=================================================== RESULTS ===================================================Passes:      2Failures:    0Duration:    0sTotal tests: 2PASS

The following sample has been formatted.

{"Pass":2,"Fail":0,"Total":2,"Duration":0,"Results": [    {"Name":"File Existence Test: whoami","Pass":true,"Duration":0    },    {"Name":"Metadata Test","Pass":true,"Duration":0    }  ]}

The following sample has been formatted.

<?xml version="1.0"?><testsuitesfailures="0"tests="2"time="0">  <testsuite>    <testcasename="File Existence Test: whoami"time="0"/>    <testcasename="Metadata Test"time="0"/>  </testsuite></testsuites>