openshift · Chandan9112 · May 11, 2026 · May 12, 2026
diff --git a/test/extended/node/node_e2e/node.go b/test/extended/node/node_e2e/node.go
@@ -1,15 +1,21 @@
 package node
 
 import (
+	"context"
 	"path/filepath"
 	"strings"
 	"time"
 
 	g "github.com/onsi/ginkgo/v2"
 	o "github.com/onsi/gomega"
+	mcfgv1 "github.com/openshift/api/machineconfiguration/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
 	e2e "k8s.io/kubernetes/test/e2e/framework"
+	"k8s.io/utils/ptr"
 
+	"github.com/openshift/origin/test/extended/imagepolicy"
 	nodeutils "github.com/openshift/origin/test/extended/node"
 	exutil "github.com/openshift/origin/test/extended/util"
 )
@@ -158,3 +164,102 @@ var _ = g.Describe("[sig-node] [Jira:Node/Kubelet] Kubelet, CRI-O, CPU manager",
 		o.Expect(output).To(o.ContainSubstring("fuse"), "dev fuse is not mounted inside pod")
 	})
 })
+
+var _ = g.Describe("[Suite:openshift/disruptive-longrunning][sig-node][Disruptive] ContainerRuntimeConfig", func() {
+	var (
+		oc = exutil.NewCLIWithoutNamespace("ctrcfg")
+	)
+
+	g.BeforeEach(func() {
+		isMicroShift, err := exutil.IsMicroShiftCluster(oc.AdminKubeClient())
+		if err != nil {
+			e2e.Logf("Failed to detect MicroShift cluster: %v", err)
+			g.Skip("Skipping: unable to determine cluster type")
+		}
+		if isMicroShift {
+			g.Skip("Skipping test on MicroShift cluster - MachineConfig resources are not available")
+		}
+	})
+
+	// Validates that ContainerRuntimeConfig pidsLimit setting is correctly applied
+	// by MCO and that manual crio.conf edits are overwritten during rollout.
+	//author: cmaurya@redhat.com
+	g.It("[OTP] Verify ContainerRuntimeConfig pidsLimit and conmon setting [OCP-45351]", func() {
+		ctrcfgName := "set-pids-limit"
+
+		g.By("Get a ready worker node")
+		workers, err := exutil.GetReadySchedulableWorkerNodes(context.Background(), oc.AdminKubeClient())
+		o.Expect(err).NotTo(o.HaveOccurred(), "failed to get ready schedulable worker nodes")
+		o.Expect(workers).NotTo(o.BeEmpty(), "No Ready worker nodes found")
+		workerNode := workers[0].Name
+
+		g.By("Make a manual change to crio.conf on node " + workerNode)
+		_, err = nodeutils.ExecOnNodeWithChroot(oc, workerNode,
+			"/bin/bash", "-c", `sed -i '/^\[crio\.runtime\]/a log_level = "debug"' /etc/crio/crio.conf`)
+		o.Expect(err).NotTo(o.HaveOccurred(), "failed to edit crio.conf on node %s", workerNode)
+
+		g.By("Verify the manual crio.conf edit took effect")
+		editedConf, err := nodeutils.ExecOnNodeWithChroot(oc, workerNode,
+			"cat", "/etc/crio/crio.conf")
+		o.Expect(err).NotTo(o.HaveOccurred(), "failed to read crio.conf on node %s", workerNode)
+		o.Expect(editedConf).To(o.ContainSubstring(`log_level = "debug"`),
+			"sed edit did not apply: expected log_level = debug in crio.conf")
+
+		g.By("Label worker MachineConfigPool with custom-crio=high-pid-limit")
+		err = oc.AsAdmin().WithoutNamespace().Run("label").Args(
+			"machineconfigpool", "worker", "custom-crio=high-pid-limit").Execute()
+		o.Expect(err).NotTo(o.HaveOccurred(), "failed to label worker MachineConfigPool")
+
+		g.DeferCleanup(func() {
+			g.By("Cleanup: delete ContainerRuntimeConfig and remove MCP label")
+			cleanupSpec := imagepolicy.GetMCPCurrentSpecConfigName(oc, "worker")
+			cleanupErr := oc.MachineConfigurationClient().MachineconfigurationV1().ContainerRuntimeConfigs().Delete(
+				context.Background(), ctrcfgName, metav1.DeleteOptions{})
+			if !apierrors.IsNotFound(cleanupErr) {
+				o.Expect(cleanupErr).NotTo(o.HaveOccurred(),
+					"cleanup failed: could not delete ContainerRuntimeConfig %s", ctrcfgName)
+			}
+			cleanupErr = oc.AsAdmin().WithoutNamespace().Run("label").Args(
+				"machineconfigpool", "worker", "custom-crio-").Execute()
+			o.Expect(cleanupErr).NotTo(o.HaveOccurred(),
+				"cleanup failed: could not remove custom-crio label from worker MachineConfigPool")
+			imagepolicy.WaitForMCPConfigSpecChangeAndUpdated(oc, "worker", cleanupSpec)
+		})
+
+		initialSpec := imagepolicy.GetMCPCurrentSpecConfigName(oc, "worker")
+
+		g.By("Create ContainerRuntimeConfig with pidsLimit 2048")
+		ctrcfg := &mcfgv1.ContainerRuntimeConfig{
+			ObjectMeta: metav1.ObjectMeta{Name: ctrcfgName},
+			Spec: mcfgv1.ContainerRuntimeConfigSpec{
+				MachineConfigPoolSelector: &metav1.LabelSelector{
+					MatchLabels: map[string]string{"custom-crio": "high-pid-limit"},
+				},
+				ContainerRuntimeConfig: &mcfgv1.ContainerRuntimeConfiguration{
+					PidsLimit: ptr.To[int64](2048),
+				},
+			},
+		}
+		_, err = oc.MachineConfigurationClient().MachineconfigurationV1().ContainerRuntimeConfigs().Create(
+			context.Background(), ctrcfg, metav1.CreateOptions{})
+		o.Expect(err).NotTo(o.HaveOccurred(), "failed to create ContainerRuntimeConfig")
+
+		g.By("Wait for worker MCP rollout to complete")
+		imagepolicy.WaitForMCPConfigSpecChangeAndUpdated(oc, "worker", initialSpec)
+		e2e.Logf("All worker nodes rolled out successfully")
+
+		g.By("Verify pidsLimit and conmon in crio config on node " + workerNode)
+		var crioConfig string
+		o.Eventually(func() error {
+			var execErr error
+			crioConfig, execErr = nodeutils.ExecOnNodeWithChroot(oc, workerNode,
+				"/bin/bash", "-c", "crio config 2>/dev/null")
+			return execErr
+		}, 30*time.Second, 5*time.Second).Should(o.Succeed(), "failed to get crio config on node %s", workerNode)
+		o.Expect(crioConfig).To(o.ContainSubstring("pids_limit = 2048"), "pidsLimit should be 2048")
+		o.Expect(crioConfig).To(o.ContainSubstring(`conmon = ""`),
+			"conmon should be empty")
+		o.Expect(crioConfig).NotTo(o.ContainSubstring(`log_level = "debug"`),
+			"manual crio.conf edit should be overwritten by MCO")
+	})
+})