Merge pull request #22733 from nalind/system-check

Add `podman system check`
2025-12-01 18:49:18 +08:00 · 2024-06-13 10:35:56 +00:00
parent 6180052534 2e70d4201f
commit 00bcd9aa81
36 changed files with 2378 additions and 4 deletions
--- a/test/system/331-system-check.bats
+++ b/test/system/331-system-check.bats
@@ -0,0 +1,248 @@
+#!/usr/bin/env bats   -*- bats -*-
+#
+# Creates errors that should be caught by `system check`, and verifies
+# that they are caught and remedied, even if it requires discarding some
+# data in read-write layers.
+#
+
+load helpers
+
+@test "podman system check - unmanaged layers" {
+    run_podman_testing create-storage-layer
+    layerID="$output"
+    run_podman_testing create-storage-layer --parent=$layerID
+    run_podman 125 system check
+    assert "$output" =~ "layer in lower level storage driver not accounted for" "output from 'podman system check' with unmanaged layers"
+    run_podman system check -r
+    run_podman system check
+}
+
+@test "podman system check - unused layers" {
+    run_podman_testing create-layer
+    layerID="$output"
+    run_podman_testing create-layer --parent=$layerID
+    run_podman system check
+    run_podman 125 system check -m 0
+    assert "$output" =~ "layer not referenced" "output from 'podman system check' with unused layers"
+    run_podman system check -m 0 -r
+    run_podman system check -m 0
+}
+
+@test "podman system check - layer content digest changed" {
+    run_podman_testing create-layer
+    layerID="$output"
+    make_layer_blob 8 ${PODMAN_TMPDIR}/archive.tar
+    run_podman_testing populate-layer --layer=$layerID --file=${PODMAN_TMPDIR}/archive.tar
+    run_podman_testing create-image --layer=$layerID
+    imageID="$output"
+    testing_make_image_metadata_for_layer_blobs $imageID ${PODMAN_TMPDIR}/archive.tar
+    run_podman create $imageID
+    make_layer_blob 1 ${PODMAN_TMPDIR}/archive.tar
+    run_podman_testing modify-layer --layer=$layerID --file=${PODMAN_TMPDIR}/archive.tar
+    run_podman 125 system check
+    assert "$output" =~ "checksum failed" "output from 'podman system check' with modified layer contents"
+    run_podman 125 system check -r
+    run_podman 0+w system check -r -f
+    run_podman system check
+}
+
+@test "podman system check - layer content added" {
+    run_podman_testing create-layer
+    layerID="$output"
+    make_layer_blob 8 ${PODMAN_TMPDIR}/archive.tar
+    run_podman_testing populate-layer --layer=$layerID --file=${PODMAN_TMPDIR}/archive.tar
+    run_podman_testing create-image --layer=$layerID
+    imageID="$output"
+    testing_make_image_metadata_for_layer_blobs $imageID ${PODMAN_TMPDIR}/archive.tar
+    run_podman create $imageID
+    make_layer_blob 100 101 ${PODMAN_TMPDIR}/archive.tar
+    run_podman_testing modify-layer --layer=$layerID --file=${PODMAN_TMPDIR}/archive.tar
+    run_podman 125 system check
+    assert "$output" =~ "content modified" "output from 'podman system check' with unexpected content added to layer"
+    run_podman 125 system check -r
+    run_podman 0+w system check -r -f
+    run_podman system check
+}
+
+@test "podman system check - storage image layer missing" {
+    run_podman_testing create-layer
+    layerID="$output"
+    make_layer_blob 8 ${PODMAN_TMPDIR}/archive.tar
+    run_podman_testing populate-layer --layer=$layerID --file=${PODMAN_TMPDIR}/archive.tar
+    run_podman_testing create-image --layer=$layerID
+    imageID="$output"
+    testing_make_image_metadata_for_layer_blobs $imageID ${PODMAN_TMPDIR}/archive.tar
+    run_podman create $imageID
+    run_podman_testing remove-layer --layer=$layerID
+    run_podman 125 system check
+    assert "$output" =~ "image layer is missing" "output from 'podman system check' with missing layer"
+    run_podman 125 system check -r
+    run_podman 0+w system check -r -f
+    run_podman system check
+}
+
+@test "podman system check - storage container image missing" {
+    run_podman_testing create-layer
+    layerID="$output"
+    make_layer_blob 8 ${PODMAN_TMPDIR}/archive.tar
+    run_podman_testing populate-layer --layer=$layerID --file=${PODMAN_TMPDIR}/archive.tar
+    run_podman_testing create-image --layer=$layerID
+    imageID="$output"
+    testing_make_image_metadata_for_layer_blobs $imageID ${PODMAN_TMPDIR}/archive.tar
+    run_podman create $imageID
+    run_podman_testing remove-image --image=$imageID
+    run_podman 125 system check -m 0
+    assert "$output" =~ "image missing" "output from 'podman system check' with missing image"
+    run_podman 125 system check -r -m 0
+    run_podman 0+w system check -r -f -m 0
+    run_podman system check -m 0
+}
+
+@test "podman system check - storage layer data missing" {
+    run_podman_testing create-layer
+    layerID="$output"
+    make_layer_blob ${PODMAN_TMPDIR}/archive.tar
+    run_podman_testing populate-layer --layer=$layerID --file=${PODMAN_TMPDIR}/archive.tar
+    make_random_file ${PODMAN_TMPDIR}/random-data.bin
+    run_podman_testing create-layer-data --key=foo --file=${PODMAN_TMPDIR}/random-data.bin --layer=$layerID
+    run_podman_testing create-image --layer=$layerID
+    imageID="$output"
+    testing_make_image_metadata_for_layer_blobs $imageID ${PODMAN_TMPDIR}/archive.tar
+    run_podman create $imageID
+    run_podman_testing remove-layer-data --key=foo --layer=$layerID
+    run_podman 125 system check
+    assert "$output" =~ "layer data item is missing" "output from 'podman system check' with missing layer data"
+    run_podman 125 system check -r
+    run_podman 0+w system check -r -f
+    run_podman system check
+}
+
+@test "podman system check - storage image data missing" {
+    run_podman_testing create-layer
+    layerID="$output"
+    make_layer_blob 8 ${PODMAN_TMPDIR}/archive.tar
+    run_podman_testing populate-layer --layer=$layerID --file=${PODMAN_TMPDIR}/archive.tar
+    run_podman_testing create-image --layer=$layerID
+    imageID="$output"
+    testing_make_image_metadata_for_layer_blobs $imageID ${PODMAN_TMPDIR}/archive.tar
+    make_random_file ${PODMAN_TMPDIR}/random-data.bin
+    run_podman_testing create-image-data --key=foo --file=${PODMAN_TMPDIR}/random-data.bin --image=$imageID
+    run_podman create $imageID
+    run_podman_testing remove-image-data --key=foo --image=$imageID
+    run_podman 125 system check
+    assert "$output" =~ "image data item is missing" "output from 'podman system check' with missing image data"
+    run_podman 125 system check -r
+    run_podman 0+w system check -r -f
+    run_podman system check
+}
+
+@test "podman system check - storage image data modified" {
+    run_podman_testing create-layer
+    layerID="$output"
+    make_layer_blob 8 ${PODMAN_TMPDIR}/archive.tar
+    run_podman_testing populate-layer --layer=$layerID --file=${PODMAN_TMPDIR}/archive.tar
+    run_podman_testing create-image --layer=$layerID
+    imageID="$output"
+    testing_make_image_metadata_for_layer_blobs $imageID ${PODMAN_TMPDIR}/archive.tar
+    run_podman create $imageID
+    make_random_file ${PODMAN_TMPDIR}/random-data.bin
+    run_podman_testing create-image-data --key=foo --file=${PODMAN_TMPDIR}/random-data.bin --image=$imageID
+    make_random_file ${PODMAN_TMPDIR}/random-data.bin
+    run_podman_testing modify-image-data --key=foo --file=${PODMAN_TMPDIR}/random-data.bin --image=$imageID
+    run_podman 125 system check
+    assert "$output" =~ "image data item has incorrect" "output from 'podman system check' with modified image data"
+    run_podman 125 system check -r
+    run_podman 0+w system check -r -f
+    run_podman system check
+}
+
+@test "podman system check - container data missing" {
+    run_podman_testing create-layer
+    layerID="$output"
+    make_layer_blob 8 ${PODMAN_TMPDIR}/archive.tar
+    run_podman_testing populate-layer --layer=$layerID --file=${PODMAN_TMPDIR}/archive.tar
+    run_podman_testing create-image --layer=$layerID
+    imageID="$output"
+    testing_make_image_metadata_for_layer_blobs $imageID ${PODMAN_TMPDIR}/archive.tar
+    run_podman create $imageID
+    containerID="$output"
+    make_random_file ${PODMAN_TMPDIR}/random-data.bin
+    run_podman_testing create-container-data --key=foo --file=${PODMAN_TMPDIR}/random-data.bin --container=$containerID
+    run_podman_testing remove-container-data --key=foo --container=$containerID
+    run_podman 125 system check
+    assert "$output" =~ "container data item is missing" "output from 'podman system check' with missing container data"
+    run_podman 125 system check -r
+    run_podman 0+w system check -r -f
+    run_podman system check
+    run_podman rmi $imageID
+}
+
+@test "podman system check - container data modified" {
+    run_podman_testing create-layer
+    layerID="$output"
+    make_layer_blob 8 ${PODMAN_TMPDIR}/archive.tar
+    run_podman_testing populate-layer --layer=$layerID --file=${PODMAN_TMPDIR}/archive.tar
+    run_podman_testing create-image --layer=$layerID
+    imageID="$output"
+    testing_make_image_metadata_for_layer_blobs $imageID ${PODMAN_TMPDIR}/archive.tar
+    run_podman create $imageID
+    containerID="$output"
+    make_random_file ${PODMAN_TMPDIR}/random-data.bin
+    run_podman_testing create-container-data --key=foo --file=${PODMAN_TMPDIR}/random-data.bin --container=$containerID
+    make_random_file ${PODMAN_TMPDIR}/random-data.bin
+    run_podman_testing modify-container-data --key=foo --file=${PODMAN_TMPDIR}/random-data.bin --container=$containerID
+    run_podman 125 system check
+    assert "$output" =~ "container data item has incorrect" "output from 'podman system check' with modified container data"
+    run_podman 125 system check -r
+    run_podman 0+w system check -r -f
+    run_podman system check
+    run_podman rmi $imageID
+}
+
+function make_layer_blob() {
+    local tmpdir=$(mktemp -d --tmpdir=${PODMAN_TMPDIR} make_layer_blob.XXXXXX)
+    local blobfile
+    local seqargs
+    for arg in "${@}" ; do
+        seqargs="${blobfile:+$seqargs $blobfile}"
+        blobfile="$arg"
+    done
+    seqargs="${seqargs:-8}"
+    local filelist=
+    for file in $(seq ${seqargs}); do
+        dd if=/dev/urandom of="$tmpdir/file$file" bs=1 count=$((1024 + $file)) status=none
+        filelist="$filelist file$file"
+    done
+    tar -c --owner=root:0 --group=root:0 -f "$blobfile" -C "$tmpdir" $filelist
+}
+
+function testing_make_image_metadata_for_layer_blobs() {
+    local tmpdir=$(mktemp -d --tmpdir=${PODMAN_TMPDIR} make_image_metadata.XXXXXX)
+    local imageID=$1
+    shift
+    echo '{"config":{},"rootfs":{"type":"layers","diff_ids":[' > $tmpdir/config.json
+    echo '{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","layers":[' > $tmpdir/manifest
+    local comma=
+    for blob in "$@" ; do
+        local sum=$(sha256sum $blob)
+        sum=${sum%% *}
+        local size=$(wc -c $blob)
+        size=${size%% *}
+        echo $comma '"sha256:'$sum'"' >> $tmpdir/config.json
+        echo $comma '{"digest":"sha256:'$sum'","size":'$size',"mediaType":"application/vnd.oci.image.layer.v1.tar"}' >> $tmpdir/manifest
+        comma=,
+    done
+    echo ']}}' >> $tmpdir/config.json
+    sum=$(sha256sum $tmpdir/config.json)
+    sum=${sum%% *}
+    size=$(wc -c $tmpdir/config.json)
+    size=${size%% *}
+    echo '],"config":{"digest":"sha256:'$sum'","size":'$size',"mediaType":"application/vnd.oci.image.config.v1+json"}}' >> $tmpdir/manifest
+    run_podman_testing create-image-data -i $imageID -k sha256:$sum -f $tmpdir/config.json
+    sum=$(sha256sum $tmpdir/manifest)
+    sum=${sum%% *}
+    run_podman_testing create-image-data -i $imageID -k manifest-sha256:$sum -f $tmpdir/manifest
+    run_podman_testing create-image-data -i $imageID -k manifest -f $tmpdir/manifest
+}
+
+# vim: filetype=sh
--- a/test/system/helpers.bash
+++ b/test/system/helpers.bash
@@ -4,6 +4,9 @@
 PODMAN=${PODMAN:-podman}
 QUADLET=${QUADLET:-/usr/libexec/podman/quadlet}

+# Podman testing helper used in 331-system-check tests
+PODMAN_TESTING=${PODMAN_TESTING:-$(dirname ${BASH_SOURCE})/../../bin/podman-testing}
+
 # crun or runc, unlikely to change. Cache, because it's expensive to determine.
 PODMAN_RUNTIME=

@@ -449,6 +452,14 @@ function run_podman() {
    fi
 }

+function run_podman_testing() {
+    printf "\n%s %s %s %s\n" "$(timestamp)" "$_LOG_PROMPT" "$PODMAN_TESTING" "$*"
+    run $PODMAN_TESTING "$@"
+    if [[ $status -ne 0 ]]; then
+        echo "$output"
+        die "Unexpected error from testing helper, which should always always succeed"
+    fi
+}

 # Wait for certain output from a container, indicating that it's ready.
 function wait_for_output {
@@ -1178,5 +1189,9 @@ function wait_for_command_output() {
    die "Timed out waiting for '$cmd' to return '$want'"
 }

+function make_random_file() {
+    dd if=/dev/urandom of="$1" bs=1 count=${2:-$((${RANDOM} % 8192 + 1024))} status=none
+}
+
 # END   miscellaneous tools
 ###############################################################################