mirror of
https://github.com/containers/podman.git
synced 2025-10-16 18:53:19 +08:00
CI: e2e: use distinct ports, not just 5000
Too many tests use port 5000. Although there's a putative GetPortLock() it seems to be unreliable, and we often get what appear to be collisions between tests. A proper solution would be to pseudorandomly allocate ports, verify that they're not being reused, Sprintf() these everywhere that needs them, and sprinkle some powdered cinnamon on top. This is not that proper solution. Fixes: #20655 Signed-off-by: Ed Santiago <santiago@redhat.com>
This commit is contained in:
Ed Santiago
@ -1175,7 +1175,7 @@ func (p *PodmanTestIntegration) removeNetwork(name string) {
|
||||
|
||||
// generatePolicyFile generates a signature verification policy file.
|
||||
// it returns the policy file path.
|
||||
func generatePolicyFile(tempDir string) string {
|
||||
func generatePolicyFile(tempDir string, port int) string {
|
||||
keyPath := filepath.Join(tempDir, "key.gpg")
|
||||
policyPath := filepath.Join(tempDir, "policy.json")
|
||||
conf := fmt.Sprintf(`
|
||||
@ -1187,20 +1187,20 @@ func generatePolicyFile(tempDir string) string {
|
||||
],
|
||||
"transports": {
|
||||
"docker": {
|
||||
"localhost:5000": [
|
||||
"localhost:%[1]d": [
|
||||
{
|
||||
"type": "signedBy",
|
||||
"keyType": "GPGKeys",
|
||||
"keyPath": "%s"
|
||||
"keyPath": "%[2]s"
|
||||
}
|
||||
],
|
||||
"localhost:5000/sigstore-signed": [
|
||||
"localhost:%[1]d/sigstore-signed": [
|
||||
{
|
||||
"type": "sigstoreSigned",
|
||||
"keyPath": "testdata/sigstore-key.pub"
|
||||
}
|
||||
],
|
||||
"localhost:5000/sigstore-signed-params": [
|
||||
"localhost:%[1]d/sigstore-signed-params": [
|
||||
{
|
||||
"type": "sigstoreSigned",
|
||||
"keyPath": "testdata/sigstore-key.pub"
|
||||
@ -1209,7 +1209,7 @@ func generatePolicyFile(tempDir string) string {
|
||||
}
|
||||
}
|
||||
}
|
||||
`, keyPath)
|
||||
`, port, keyPath)
|
||||
writeConf([]byte(conf), policyPath)
|
||||
return policyPath
|
||||
}
|
||||
|
||||
@ -668,11 +668,11 @@ var _ = Describe("Podman kube generate", func() {
|
||||
It("on pod with ports", func() {
|
||||
podName := "test"
|
||||
|
||||
lock4 := GetPortLock("4000")
|
||||
lock4 := GetPortLock("4008")
|
||||
defer lock4.Unlock()
|
||||
lock5 := GetPortLock("5000")
|
||||
lock5 := GetPortLock("5008")
|
||||
defer lock5.Unlock()
|
||||
podSession := podmanTest.Podman([]string{"pod", "create", "--name", podName, "-p", "4000:4000", "-p", "5000:5000"})
|
||||
podSession := podmanTest.Podman([]string{"pod", "create", "--name", podName, "-p", "4008:4000", "-p", "5008:5000"})
|
||||
podSession.WaitWithDefaultTimeout()
|
||||
Expect(podSession).Should(ExitCleanly())
|
||||
|
||||
@ -694,8 +694,8 @@ var _ = Describe("Podman kube generate", func() {
|
||||
err := yaml.Unmarshal(kube.Out.Contents(), pod)
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
|
||||
foundPort4000 := 0
|
||||
foundPort5000 := 0
|
||||
foundPort400x := 0
|
||||
foundPort500x := 0
|
||||
foundOtherPort := 0
|
||||
for _, ctr := range pod.Spec.Containers {
|
||||
for _, port := range ctr.Ports {
|
||||
@ -703,17 +703,17 @@ var _ = Describe("Podman kube generate", func() {
|
||||
// have anything for protocol under the ports as tcp is the default
|
||||
// for k8s
|
||||
Expect(port.Protocol).To(BeEmpty())
|
||||
if port.HostPort == 4000 {
|
||||
foundPort4000++
|
||||
} else if port.HostPort == 5000 {
|
||||
foundPort5000++
|
||||
if port.HostPort == 4008 {
|
||||
foundPort400x++
|
||||
} else if port.HostPort == 5008 {
|
||||
foundPort500x++
|
||||
} else {
|
||||
foundOtherPort++
|
||||
}
|
||||
}
|
||||
}
|
||||
Expect(foundPort4000).To(Equal(1))
|
||||
Expect(foundPort5000).To(Equal(1))
|
||||
Expect(foundPort400x).To(Equal(1))
|
||||
Expect(foundPort500x).To(Equal(1))
|
||||
Expect(foundOtherPort).To(Equal(0))
|
||||
|
||||
// Create container with UDP port and check the generated kube yaml
|
||||
|
||||
@ -169,9 +169,9 @@ var _ = Describe("Podman manifest", func() {
|
||||
err := podmanTest.RestoreArtifact(REGISTRY_IMAGE)
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
}
|
||||
lock := GetPortLock("5000")
|
||||
lock := GetPortLock("5007")
|
||||
defer lock.Unlock()
|
||||
session := podmanTest.Podman([]string{"run", "-d", "--name", "registry", "-p", "5000:5000", REGISTRY_IMAGE, "/entrypoint.sh", "/etc/docker/registry/config.yml"})
|
||||
session := podmanTest.Podman([]string{"run", "-d", "--name", "registry", "-p", "5007:5000", REGISTRY_IMAGE, "/entrypoint.sh", "/etc/docker/registry/config.yml"})
|
||||
session.WaitWithDefaultTimeout()
|
||||
Expect(session).Should(ExitCleanly())
|
||||
|
||||
@ -197,14 +197,14 @@ var _ = Describe("Podman manifest", func() {
|
||||
session.WaitWithDefaultTimeout()
|
||||
Expect(session).Should(ExitCleanly())
|
||||
|
||||
push := podmanTest.Podman([]string{"manifest", "push", "--all", "--compression-format", "gzip", "--add-compression", "zstd", "--tls-verify=false", "--remove-signatures", "foobar", "localhost:5000/list"})
|
||||
push := podmanTest.Podman([]string{"manifest", "push", "--all", "--compression-format", "gzip", "--add-compression", "zstd", "--tls-verify=false", "--remove-signatures", "foobar", "localhost:5007/list"})
|
||||
push.WaitWithDefaultTimeout()
|
||||
Expect(push).Should(Exit(0))
|
||||
output := push.ErrorToString()
|
||||
// 4 images must be pushed two for gzip and two for zstd
|
||||
Expect(output).To(ContainSubstring("Copying 4 images generated from 2 images in list"))
|
||||
|
||||
session = podmanTest.Podman([]string{"run", "--rm", "--net", "host", "quay.io/skopeo/stable", "inspect", "--tls-verify=false", "--raw", "docker://localhost:5000/list:latest"})
|
||||
session = podmanTest.Podman([]string{"run", "--rm", "--net", "host", "quay.io/skopeo/stable", "inspect", "--tls-verify=false", "--raw", "docker://localhost:5007/list:latest"})
|
||||
session.WaitWithDefaultTimeout()
|
||||
Expect(session).Should(Exit(0))
|
||||
var index imgspecv1.Index
|
||||
@ -218,14 +218,14 @@ var _ = Describe("Podman manifest", func() {
|
||||
Expect(verifyInstanceCompression(index.Manifests, "gzip", "amd64")).Should(BeTrue())
|
||||
|
||||
// Note: Pushing again with --force-compression should produce the correct response the since blobs will be correctly force-pushed again.
|
||||
push = podmanTest.Podman([]string{"manifest", "push", "--all", "--add-compression", "zstd", "--tls-verify=false", "--compression-format", "gzip", "--force-compression", "--remove-signatures", "foobar", "localhost:5000/list"})
|
||||
push = podmanTest.Podman([]string{"manifest", "push", "--all", "--add-compression", "zstd", "--tls-verify=false", "--compression-format", "gzip", "--force-compression", "--remove-signatures", "foobar", "localhost:5007/list"})
|
||||
push.WaitWithDefaultTimeout()
|
||||
Expect(push).Should(Exit(0))
|
||||
output = push.ErrorToString()
|
||||
// 4 images must be pushed two for gzip and two for zstd
|
||||
Expect(output).To(ContainSubstring("Copying 4 images generated from 2 images in list"))
|
||||
|
||||
session = podmanTest.Podman([]string{"run", "--rm", "--net", "host", "quay.io/skopeo/stable", "inspect", "--tls-verify=false", "--raw", "docker://localhost:5000/list:latest"})
|
||||
session = podmanTest.Podman([]string{"run", "--rm", "--net", "host", "quay.io/skopeo/stable", "inspect", "--tls-verify=false", "--raw", "docker://localhost:5007/list:latest"})
|
||||
session.WaitWithDefaultTimeout()
|
||||
Expect(session).Should(ExitCleanly())
|
||||
inspectData = []byte(session.OutputToString())
|
||||
@ -244,14 +244,14 @@ add_compression = ["zstd"]`), 0o644)
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
os.Setenv("CONTAINERS_CONF", confFile)
|
||||
|
||||
push = podmanTest.Podman([]string{"manifest", "push", "--all", "--tls-verify=false", "--compression-format", "gzip", "--force-compression", "--remove-signatures", "foobar", "localhost:5000/list"})
|
||||
push = podmanTest.Podman([]string{"manifest", "push", "--all", "--tls-verify=false", "--compression-format", "gzip", "--force-compression", "--remove-signatures", "foobar", "localhost:5007/list"})
|
||||
push.WaitWithDefaultTimeout()
|
||||
Expect(push).Should(Exit(0))
|
||||
output = push.ErrorToString()
|
||||
// 4 images must be pushed two for gzip and two for zstd
|
||||
Expect(output).To(ContainSubstring("Copying 4 images generated from 2 images in list"))
|
||||
|
||||
session = podmanTest.Podman([]string{"run", "--rm", "--net", "host", "quay.io/skopeo/stable", "inspect", "--tls-verify=false", "--raw", "docker://localhost:5000/list:latest"})
|
||||
session = podmanTest.Podman([]string{"run", "--rm", "--net", "host", "quay.io/skopeo/stable", "inspect", "--tls-verify=false", "--raw", "docker://localhost:5007/list:latest"})
|
||||
session.WaitWithDefaultTimeout()
|
||||
Expect(session).Should(ExitCleanly())
|
||||
inspectData = []byte(session.OutputToString())
|
||||
@ -265,14 +265,14 @@ add_compression = ["zstd"]`), 0o644)
|
||||
|
||||
// Note: Pushing again with --force-compression=false should produce in-correct/wrong result since blobs are already present in registry so they will be reused
|
||||
// ignoring our compression priority ( this is expected behaviour of c/image and --force-compression is introduced to mitigate this behaviour ).
|
||||
push = podmanTest.Podman([]string{"manifest", "push", "--all", "--add-compression", "zstd", "--force-compression=false", "--tls-verify=false", "--remove-signatures", "foobar", "localhost:5000/list"})
|
||||
push = podmanTest.Podman([]string{"manifest", "push", "--all", "--add-compression", "zstd", "--force-compression=false", "--tls-verify=false", "--remove-signatures", "foobar", "localhost:5007/list"})
|
||||
push.WaitWithDefaultTimeout()
|
||||
Expect(push).Should(Exit(0))
|
||||
output = push.ErrorToString()
|
||||
// 4 images must be pushed two for gzip and two for zstd
|
||||
Expect(output).To(ContainSubstring("Copying 4 images generated from 2 images in list"))
|
||||
|
||||
session = podmanTest.Podman([]string{"run", "--rm", "--net", "host", "quay.io/skopeo/stable", "inspect", "--tls-verify=false", "--raw", "docker://localhost:5000/list:latest"})
|
||||
session = podmanTest.Podman([]string{"run", "--rm", "--net", "host", "quay.io/skopeo/stable", "inspect", "--tls-verify=false", "--raw", "docker://localhost:5007/list:latest"})
|
||||
session.WaitWithDefaultTimeout()
|
||||
Expect(session).Should(ExitCleanly())
|
||||
inspectData = []byte(session.OutputToString())
|
||||
|
||||
@ -106,12 +106,12 @@ var _ = Describe("Podman port", func() {
|
||||
|
||||
It("podman port multiple ports", func() {
|
||||
// Acquire and release locks
|
||||
lock1 := GetPortLock("5000")
|
||||
lock1 := GetPortLock("5010")
|
||||
defer lock1.Unlock()
|
||||
lock2 := GetPortLock("5001")
|
||||
lock2 := GetPortLock("5011")
|
||||
defer lock2.Unlock()
|
||||
|
||||
setup := podmanTest.Podman([]string{"run", "--name", "test", "-dt", "-p", "5000:5000", "-p", "5001:5001", ALPINE, "top"})
|
||||
setup := podmanTest.Podman([]string{"run", "--name", "test", "-dt", "-p", "5010:5000", "-p", "5011:5001", ALPINE, "top"})
|
||||
setup.WaitWithDefaultTimeout()
|
||||
Expect(setup).Should(ExitCleanly())
|
||||
|
||||
@ -119,12 +119,12 @@ var _ = Describe("Podman port", func() {
|
||||
result1 := podmanTest.Podman([]string{"port", "test", "5000"})
|
||||
result1.WaitWithDefaultTimeout()
|
||||
Expect(result1).Should(ExitCleanly())
|
||||
Expect(result1.OutputToStringArray()).To(ContainElement(HavePrefix("0.0.0.0:5000")))
|
||||
Expect(result1.OutputToStringArray()).To(ContainElement(HavePrefix("0.0.0.0:5010")))
|
||||
|
||||
// Check that the second port was honored
|
||||
result2 := podmanTest.Podman([]string{"port", "test", "5001"})
|
||||
result2.WaitWithDefaultTimeout()
|
||||
Expect(result2).Should(ExitCleanly())
|
||||
Expect(result2.OutputToStringArray()).To(ContainElement(HavePrefix("0.0.0.0:5001")))
|
||||
Expect(result2.OutputToStringArray()).To(ContainElement(HavePrefix("0.0.0.0:5011")))
|
||||
})
|
||||
})
|
||||
|
||||
@ -633,12 +633,12 @@ var _ = Describe("Podman pull", func() {
|
||||
Expect(session).Should(Exit(125))
|
||||
|
||||
// Pulling encrypted image with wrong key should fail
|
||||
session = podmanTest.Podman([]string{"pull", "-q", "--decryption-key", wrongPrivateKeyFileName, imgPath})
|
||||
session = podmanTest.Podman([]string{"pull", "-q", "--decryption-key", wrongPrivateKeyFileName, "--tls-verify=false", imgPath})
|
||||
session.WaitWithDefaultTimeout()
|
||||
Expect(session).Should(Exit(125))
|
||||
|
||||
// Pulling encrypted image with correct key should pass
|
||||
session = podmanTest.Podman([]string{"pull", "-q", "--decryption-key", privateKeyFileName, imgPath})
|
||||
session = podmanTest.Podman([]string{"pull", "-q", "--decryption-key", privateKeyFileName, "--tls-verify=false", imgPath})
|
||||
session.WaitWithDefaultTimeout()
|
||||
Expect(session).Should(ExitCleanly())
|
||||
session = podmanTest.Podman([]string{"images"})
|
||||
@ -675,9 +675,9 @@ var _ = Describe("Podman pull", func() {
|
||||
err := podmanTest.RestoreArtifact(REGISTRY_IMAGE)
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
}
|
||||
lock := GetPortLock("5000")
|
||||
lock := GetPortLock("5012")
|
||||
defer lock.Unlock()
|
||||
session := podmanTest.Podman([]string{"run", "-d", "--name", "registry", "-p", "5000:5000", REGISTRY_IMAGE, "/entrypoint.sh", "/etc/docker/registry/config.yml"})
|
||||
session := podmanTest.Podman([]string{"run", "-d", "--name", "registry", "-p", "5012:5000", REGISTRY_IMAGE, "/entrypoint.sh", "/etc/docker/registry/config.yml"})
|
||||
session.WaitWithDefaultTimeout()
|
||||
Expect(session).Should(ExitCleanly())
|
||||
|
||||
@ -685,7 +685,7 @@ var _ = Describe("Podman pull", func() {
|
||||
Skip("Cannot start docker registry.")
|
||||
}
|
||||
|
||||
imgPath := "localhost:5000/my-alpine"
|
||||
imgPath := "localhost:5012/my-alpine"
|
||||
|
||||
session = decryptionTestHelper(imgPath)
|
||||
|
||||
|
||||
@ -92,9 +92,9 @@ var _ = Describe("Podman push", func() {
|
||||
err := podmanTest.RestoreArtifact(REGISTRY_IMAGE)
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
}
|
||||
lock := GetPortLock("5000")
|
||||
lock := GetPortLock("5002")
|
||||
defer lock.Unlock()
|
||||
session := podmanTest.Podman([]string{"run", "-d", "--name", "registry", "-p", "5000:5000", REGISTRY_IMAGE, "/entrypoint.sh", "/etc/docker/registry/config.yml"})
|
||||
session := podmanTest.Podman([]string{"run", "-d", "--name", "registry", "-p", "5002:5000", REGISTRY_IMAGE, "/entrypoint.sh", "/etc/docker/registry/config.yml"})
|
||||
session.WaitWithDefaultTimeout()
|
||||
Expect(session).Should(ExitCleanly())
|
||||
|
||||
@ -106,18 +106,18 @@ var _ = Describe("Podman push", func() {
|
||||
session.WaitWithDefaultTimeout()
|
||||
Expect(session).Should(ExitCleanly())
|
||||
|
||||
push := podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--force-compression=true", "--compression-format", "gzip", "--remove-signatures", "imageone", "localhost:5000/image"})
|
||||
push := podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--force-compression=true", "--compression-format", "gzip", "--remove-signatures", "imageone", "localhost:5002/image"})
|
||||
push.WaitWithDefaultTimeout()
|
||||
Expect(push).Should(ExitCleanly())
|
||||
|
||||
skopeoInspect := []string{"inspect", "--tls-verify=false", "--raw", "docker://localhost:5000/image:latest"}
|
||||
skopeoInspect := []string{"inspect", "--tls-verify=false", "--raw", "docker://localhost:5002/image:latest"}
|
||||
skopeo := SystemExec("skopeo", skopeoInspect)
|
||||
skopeo.WaitWithDefaultTimeout()
|
||||
Expect(skopeo).Should(ExitCleanly())
|
||||
output := skopeo.OutputToString()
|
||||
Expect(output).ToNot(ContainSubstring("zstd"))
|
||||
|
||||
push = podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--force-compression=false", "--compression-format", "zstd", "--remove-signatures", "imageone", "localhost:5000/image"})
|
||||
push = podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--force-compression=false", "--compression-format", "zstd", "--remove-signatures", "imageone", "localhost:5002/image"})
|
||||
push.WaitWithDefaultTimeout()
|
||||
Expect(push).Should(ExitCleanly())
|
||||
|
||||
@ -129,7 +129,7 @@ var _ = Describe("Podman push", func() {
|
||||
// since blobs must be reused from last `gzip` image.
|
||||
Expect(output).ToNot(ContainSubstring("zstd"))
|
||||
|
||||
push = podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--compression-format", "zstd", "--force-compression", "--remove-signatures", "imageone", "localhost:5000/image"})
|
||||
push = podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--compression-format", "zstd", "--force-compression", "--remove-signatures", "imageone", "localhost:5002/image"})
|
||||
push.WaitWithDefaultTimeout()
|
||||
Expect(push).Should(ExitCleanly())
|
||||
|
||||
@ -149,9 +149,9 @@ var _ = Describe("Podman push", func() {
|
||||
err := podmanTest.RestoreArtifact(REGISTRY_IMAGE)
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
}
|
||||
lock := GetPortLock("5000")
|
||||
lock := GetPortLock("5003")
|
||||
defer lock.Unlock()
|
||||
session := podmanTest.Podman([]string{"run", "-d", "--name", "registry", "-p", "5000:5000", REGISTRY_IMAGE, "/entrypoint.sh", "/etc/docker/registry/config.yml"})
|
||||
session := podmanTest.Podman([]string{"run", "-d", "--name", "registry", "-p", "5003:5000", REGISTRY_IMAGE, "/entrypoint.sh", "/etc/docker/registry/config.yml"})
|
||||
session.WaitWithDefaultTimeout()
|
||||
Expect(session).Should(ExitCleanly())
|
||||
|
||||
@ -159,11 +159,11 @@ var _ = Describe("Podman push", func() {
|
||||
Skip("Cannot start docker registry.")
|
||||
}
|
||||
|
||||
push := podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--remove-signatures", ALPINE, "localhost:5000/my-alpine"})
|
||||
push := podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--remove-signatures", ALPINE, "localhost:5003/my-alpine"})
|
||||
push.WaitWithDefaultTimeout()
|
||||
Expect(push).Should(ExitCleanly())
|
||||
|
||||
push = podmanTest.Podman([]string{"push", "--compression-format=gzip", "--compression-level=1", "--tls-verify=false", "--remove-signatures", ALPINE, "localhost:5000/my-alpine"})
|
||||
push = podmanTest.Podman([]string{"push", "--compression-format=gzip", "--compression-level=1", "--tls-verify=false", "--remove-signatures", ALPINE, "localhost:5003/my-alpine"})
|
||||
push.WaitWithDefaultTimeout()
|
||||
Expect(push).Should(Exit(0))
|
||||
output := push.ErrorToString()
|
||||
@ -177,14 +177,14 @@ var _ = Describe("Podman push", func() {
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
|
||||
if !IsRemote() { // Remote does not support --encryption-key
|
||||
push = podmanTest.Podman([]string{"push", "-q", "--encryption-key", "jwe:" + publicKeyFileName, "--tls-verify=false", "--remove-signatures", ALPINE, "localhost:5000/my-alpine"})
|
||||
push = podmanTest.Podman([]string{"push", "-q", "--encryption-key", "jwe:" + publicKeyFileName, "--tls-verify=false", "--remove-signatures", ALPINE, "localhost:5003/my-alpine"})
|
||||
push.WaitWithDefaultTimeout()
|
||||
Expect(push).Should(ExitCleanly())
|
||||
}
|
||||
|
||||
// Test --digestfile option
|
||||
digestFile := filepath.Join(podmanTest.TempDir, "digestfile.txt")
|
||||
push2 := podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--digestfile=" + digestFile, "--remove-signatures", ALPINE, "localhost:5000/my-alpine"})
|
||||
push2 := podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--digestfile=" + digestFile, "--remove-signatures", ALPINE, "localhost:5003/my-alpine"})
|
||||
push2.WaitWithDefaultTimeout()
|
||||
fi, err := os.Lstat(digestFile)
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
@ -207,45 +207,45 @@ var _ = Describe("Podman push", func() {
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
}()
|
||||
// Generate a signature verification policy file
|
||||
policyPath := generatePolicyFile(podmanTest.TempDir)
|
||||
policyPath := generatePolicyFile(podmanTest.TempDir, 5003)
|
||||
defer os.Remove(policyPath)
|
||||
|
||||
// Verify that the policy rejects unsigned images
|
||||
push := podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--remove-signatures", ALPINE, "localhost:5000/sigstore-signed"})
|
||||
push := podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--remove-signatures", ALPINE, "localhost:5003/sigstore-signed"})
|
||||
push.WaitWithDefaultTimeout()
|
||||
Expect(push).Should(ExitCleanly())
|
||||
|
||||
pull := podmanTest.Podman([]string{"pull", "-q", "--tls-verify=false", "--signature-policy", policyPath, "localhost:5000/sigstore-signed"})
|
||||
pull := podmanTest.Podman([]string{"pull", "-q", "--tls-verify=false", "--signature-policy", policyPath, "localhost:5003/sigstore-signed"})
|
||||
pull.WaitWithDefaultTimeout()
|
||||
Expect(pull).To(ExitWithError())
|
||||
Expect(pull.ErrorToString()).To(ContainSubstring("A signature was required, but no signature exists"))
|
||||
|
||||
// Sign an image, and verify it is accepted.
|
||||
push = podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--remove-signatures", "--sign-by-sigstore-private-key", "testdata/sigstore-key.key", "--sign-passphrase-file", "testdata/sigstore-key.key.pass", ALPINE, "localhost:5000/sigstore-signed"})
|
||||
push = podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--remove-signatures", "--sign-by-sigstore-private-key", "testdata/sigstore-key.key", "--sign-passphrase-file", "testdata/sigstore-key.key.pass", ALPINE, "localhost:5003/sigstore-signed"})
|
||||
push.WaitWithDefaultTimeout()
|
||||
Expect(push).Should(ExitCleanly())
|
||||
|
||||
pull = podmanTest.Podman([]string{"pull", "-q", "--tls-verify=false", "--signature-policy", policyPath, "localhost:5000/sigstore-signed"})
|
||||
pull = podmanTest.Podman([]string{"pull", "-q", "--tls-verify=false", "--signature-policy", policyPath, "localhost:5003/sigstore-signed"})
|
||||
pull.WaitWithDefaultTimeout()
|
||||
Expect(pull).Should(ExitCleanly())
|
||||
|
||||
By("pushing and pulling with --sign-by-sigstore")
|
||||
// Verify that the policy rejects unsigned images
|
||||
push = podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--remove-signatures", ALPINE, "localhost:5000/sigstore-signed-params"})
|
||||
push = podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--remove-signatures", ALPINE, "localhost:5003/sigstore-signed-params"})
|
||||
push.WaitWithDefaultTimeout()
|
||||
Expect(push).Should(ExitCleanly())
|
||||
|
||||
pull = podmanTest.Podman([]string{"pull", "-q", "--tls-verify=false", "--signature-policy", policyPath, "localhost:5000/sigstore-signed-params"})
|
||||
pull = podmanTest.Podman([]string{"pull", "-q", "--tls-verify=false", "--signature-policy", policyPath, "localhost:5003/sigstore-signed-params"})
|
||||
pull.WaitWithDefaultTimeout()
|
||||
Expect(pull).To(ExitWithError())
|
||||
Expect(pull.ErrorToString()).To(ContainSubstring("A signature was required, but no signature exists"))
|
||||
|
||||
// Sign an image, and verify it is accepted.
|
||||
push = podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--remove-signatures", "--sign-by-sigstore", "testdata/sigstore-signing-params.yaml", ALPINE, "localhost:5000/sigstore-signed-params"})
|
||||
push = podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--remove-signatures", "--sign-by-sigstore", "testdata/sigstore-signing-params.yaml", ALPINE, "localhost:5003/sigstore-signed-params"})
|
||||
push.WaitWithDefaultTimeout()
|
||||
Expect(push).Should(ExitCleanly())
|
||||
|
||||
pull = podmanTest.Podman([]string{"pull", "-q", "--tls-verify=false", "--signature-policy", policyPath, "localhost:5000/sigstore-signed-params"})
|
||||
pull = podmanTest.Podman([]string{"pull", "-q", "--tls-verify=false", "--signature-policy", policyPath, "localhost:5003/sigstore-signed-params"})
|
||||
pull.WaitWithDefaultTimeout()
|
||||
Expect(pull).Should(ExitCleanly())
|
||||
}
|
||||
@ -275,14 +275,14 @@ var _ = Describe("Podman push", func() {
|
||||
authPath := filepath.Join(podmanTest.TempDir, "auth")
|
||||
err = os.Mkdir(authPath, os.ModePerm)
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
err = os.MkdirAll("/etc/containers/certs.d/localhost:5000", os.ModePerm)
|
||||
err = os.MkdirAll("/etc/containers/certs.d/localhost:5004", os.ModePerm)
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
defer os.RemoveAll("/etc/containers/certs.d/localhost:5000")
|
||||
defer os.RemoveAll("/etc/containers/certs.d/localhost:5004")
|
||||
|
||||
cwd, _ := os.Getwd()
|
||||
certPath := filepath.Join(cwd, "../", "certs")
|
||||
|
||||
lock := GetPortLock("5000")
|
||||
lock := GetPortLock("5004")
|
||||
defer lock.Unlock()
|
||||
htpasswd := SystemExec("htpasswd", []string{"-Bbn", "podmantest", "test"})
|
||||
htpasswd.WaitWithDefaultTimeout()
|
||||
@ -297,7 +297,7 @@ var _ = Describe("Podman push", func() {
|
||||
err = f.Sync()
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
|
||||
session := podmanTest.Podman([]string{"run", "-d", "-p", "5000:5000", "--name", "registry", "-v",
|
||||
session := podmanTest.Podman([]string{"run", "-d", "-p", "5004:5000", "--name", "registry", "-v",
|
||||
strings.Join([]string{authPath, "/auth", "z"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e",
|
||||
"REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm", "-e", "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd",
|
||||
"-v", strings.Join([]string{certPath, "/certs", "z"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt",
|
||||
@ -307,43 +307,43 @@ var _ = Describe("Podman push", func() {
|
||||
|
||||
Expect(WaitContainerReady(podmanTest, "registry", "listening on", 20, 1)).To(BeTrue(), "registry container ready")
|
||||
|
||||
push := podmanTest.Podman([]string{"push", "--tls-verify=true", "--format=v2s2", "--creds=podmantest:test", ALPINE, "localhost:5000/tlstest"})
|
||||
push := podmanTest.Podman([]string{"push", "--tls-verify=true", "--format=v2s2", "--creds=podmantest:test", ALPINE, "localhost:5004/tlstest"})
|
||||
push.WaitWithDefaultTimeout()
|
||||
Expect(push).To(ExitWithError())
|
||||
Expect(push.ErrorToString()).To(ContainSubstring("x509: certificate signed by unknown authority"))
|
||||
|
||||
push = podmanTest.Podman([]string{"push", "--creds=podmantest:test", "--tls-verify=false", ALPINE, "localhost:5000/tlstest"})
|
||||
push = podmanTest.Podman([]string{"push", "--creds=podmantest:test", "--tls-verify=false", ALPINE, "localhost:5004/tlstest"})
|
||||
push.WaitWithDefaultTimeout()
|
||||
Expect(push).Should(Exit(0))
|
||||
Expect(push.ErrorToString()).To(ContainSubstring("Writing manifest to image destination"))
|
||||
|
||||
setup := SystemExec("cp", []string{filepath.Join(certPath, "domain.crt"), "/etc/containers/certs.d/localhost:5000/ca.crt"})
|
||||
setup := SystemExec("cp", []string{filepath.Join(certPath, "domain.crt"), "/etc/containers/certs.d/localhost:5004/ca.crt"})
|
||||
Expect(setup).Should(ExitCleanly())
|
||||
|
||||
push = podmanTest.Podman([]string{"push", "--creds=podmantest:wrongpasswd", ALPINE, "localhost:5000/credstest"})
|
||||
push = podmanTest.Podman([]string{"push", "--creds=podmantest:wrongpasswd", ALPINE, "localhost:5004/credstest"})
|
||||
push.WaitWithDefaultTimeout()
|
||||
Expect(push).To(ExitWithError())
|
||||
Expect(push.ErrorToString()).To(ContainSubstring("/credstest: authentication required"))
|
||||
|
||||
if !IsRemote() {
|
||||
// remote does not support --cert-dir
|
||||
push = podmanTest.Podman([]string{"push", "--tls-verify=true", "--creds=podmantest:test", "--cert-dir=fakedir", ALPINE, "localhost:5000/certdirtest"})
|
||||
push = podmanTest.Podman([]string{"push", "--tls-verify=true", "--creds=podmantest:test", "--cert-dir=fakedir", ALPINE, "localhost:5004/certdirtest"})
|
||||
push.WaitWithDefaultTimeout()
|
||||
Expect(push).To(ExitWithError())
|
||||
Expect(push.ErrorToString()).To(ContainSubstring("x509: certificate signed by unknown authority"))
|
||||
}
|
||||
|
||||
push = podmanTest.Podman([]string{"push", "--creds=podmantest:test", ALPINE, "localhost:5000/defaultflags"})
|
||||
push = podmanTest.Podman([]string{"push", "--creds=podmantest:test", ALPINE, "localhost:5004/defaultflags"})
|
||||
push.WaitWithDefaultTimeout()
|
||||
Expect(push).Should(Exit(0))
|
||||
Expect(push.ErrorToString()).To(ContainSubstring("Writing manifest to image destination"))
|
||||
|
||||
// create and push manifest
|
||||
session = podmanTest.Podman([]string{"manifest", "create", "localhost:5000/manifesttest"})
|
||||
session = podmanTest.Podman([]string{"manifest", "create", "localhost:5004/manifesttest"})
|
||||
session.WaitWithDefaultTimeout()
|
||||
Expect(session).Should(ExitCleanly())
|
||||
|
||||
session = podmanTest.Podman([]string{"manifest", "push", "--creds=podmantest:test", "--tls-verify=false", "--all", "localhost:5000/manifesttest"})
|
||||
session = podmanTest.Podman([]string{"manifest", "push", "--creds=podmantest:test", "--tls-verify=false", "--all", "localhost:5004/manifesttest"})
|
||||
session.WaitWithDefaultTimeout()
|
||||
Expect(session).Should(Exit(0))
|
||||
Expect(session.ErrorToString()).To(ContainSubstring("Writing manifest list to image destination"))
|
||||
|
||||
@ -2147,9 +2147,9 @@ WORKDIR /madethis`, BB)
|
||||
|
||||
podmanTest.AddImageToRWStore(ALPINE)
|
||||
|
||||
lock := GetPortLock("5000")
|
||||
lock := GetPortLock("5006")
|
||||
defer lock.Unlock()
|
||||
session := podmanTest.Podman([]string{"run", "-d", "--name", "registry", "-p", "5000:5000", REGISTRY_IMAGE, "/entrypoint.sh", "/etc/docker/registry/config.yml"})
|
||||
session := podmanTest.Podman([]string{"run", "-d", "--name", "registry", "-p", "5006:5000", REGISTRY_IMAGE, "/entrypoint.sh", "/etc/docker/registry/config.yml"})
|
||||
session.WaitWithDefaultTimeout()
|
||||
Expect(session).Should(ExitCleanly())
|
||||
|
||||
@ -2162,7 +2162,7 @@ WORKDIR /madethis`, BB)
|
||||
publicKeyFileName, privateKeyFileName, err := WriteRSAKeyPair(keyFileName, bitSize)
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
|
||||
imgPath := "localhost:5000/my-alpine"
|
||||
imgPath := "localhost:5006/my-alpine"
|
||||
session = podmanTest.Podman([]string{"push", "--encryption-key", "jwe:" + publicKeyFileName, "--tls-verify=false", "--remove-signatures", ALPINE, imgPath})
|
||||
session.WaitWithDefaultTimeout()
|
||||
|
||||
@ -2171,15 +2171,14 @@ WORKDIR /madethis`, BB)
|
||||
Expect(session).Should(ExitCleanly())
|
||||
|
||||
// Must fail without --decryption-key
|
||||
// NOTE: --tls-verify=false not needed, because localhost:5000 is in registries.conf
|
||||
session = podmanTest.Podman([]string{"run", imgPath})
|
||||
session = podmanTest.Podman([]string{"run", "--tls-verify=false", imgPath})
|
||||
session.WaitWithDefaultTimeout()
|
||||
Expect(session).Should(Exit(125))
|
||||
Expect(session.ErrorToString()).To(ContainSubstring("Trying to pull " + imgPath))
|
||||
Expect(session.ErrorToString()).To(ContainSubstring("invalid tar header"))
|
||||
|
||||
// With
|
||||
session = podmanTest.Podman([]string{"run", "--decryption-key", privateKeyFileName, imgPath})
|
||||
session = podmanTest.Podman([]string{"run", "--tls-verify=false", "--decryption-key", privateKeyFileName, imgPath})
|
||||
session.WaitWithDefaultTimeout()
|
||||
Expect(session).Should(Exit(0))
|
||||
Expect(session.ErrorToString()).To(ContainSubstring("Trying to pull " + imgPath))
|
||||
|
||||
@ -1,6 +1,7 @@
|
||||
package integration
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"os/exec"
|
||||
"path/filepath"
|
||||
@ -133,11 +134,11 @@ var _ = Describe("Podman save", func() {
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
defer os.Setenv("GNUPGHOME", origGNUPGHOME)
|
||||
|
||||
port := 5000
|
||||
port := 5005
|
||||
portlock := GetPortLock(strconv.Itoa(port))
|
||||
defer portlock.Unlock()
|
||||
|
||||
session := podmanTest.Podman([]string{"run", "-d", "--name", "registry", "-p", strings.Join([]string{strconv.Itoa(port), strconv.Itoa(port)}, ":"), REGISTRY_IMAGE})
|
||||
session := podmanTest.Podman([]string{"run", "-d", "--name", "registry", "-p", strings.Join([]string{strconv.Itoa(port), "5000"}, ":"), REGISTRY_IMAGE})
|
||||
session.WaitWithDefaultTimeout()
|
||||
Expect(session).Should(ExitCleanly())
|
||||
if !WaitContainerReady(podmanTest, "registry", "listening on", 20, 1) {
|
||||
@ -173,29 +174,30 @@ default-docker:
|
||||
`
|
||||
Expect(os.WriteFile("/etc/containers/registries.d/default.yaml", []byte(sigstore), 0755)).To(Succeed())
|
||||
|
||||
session = podmanTest.Podman([]string{"tag", ALPINE, "localhost:5000/alpine"})
|
||||
pushedImage := fmt.Sprintf("localhost:%d/alpine", port)
|
||||
session = podmanTest.Podman([]string{"tag", ALPINE, pushedImage})
|
||||
session.WaitWithDefaultTimeout()
|
||||
Expect(session).Should(ExitCleanly())
|
||||
|
||||
session = podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--sign-by", "foo@bar.com", "localhost:5000/alpine"})
|
||||
session = podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--sign-by", "foo@bar.com", pushedImage})
|
||||
session.WaitWithDefaultTimeout()
|
||||
Expect(session).Should(ExitCleanly())
|
||||
|
||||
session = podmanTest.Podman([]string{"rmi", ALPINE, "localhost:5000/alpine"})
|
||||
session = podmanTest.Podman([]string{"rmi", ALPINE, pushedImage})
|
||||
session.WaitWithDefaultTimeout()
|
||||
Expect(session).Should(ExitCleanly())
|
||||
|
||||
if !IsRemote() {
|
||||
// Generate a signature verification policy file
|
||||
policyPath := generatePolicyFile(podmanTest.TempDir)
|
||||
policyPath := generatePolicyFile(podmanTest.TempDir, port)
|
||||
defer os.Remove(policyPath)
|
||||
|
||||
session = podmanTest.Podman([]string{"pull", "-q", "--tls-verify=false", "--signature-policy", policyPath, "localhost:5000/alpine"})
|
||||
session = podmanTest.Podman([]string{"pull", "-q", "--tls-verify=false", "--signature-policy", policyPath, pushedImage})
|
||||
session.WaitWithDefaultTimeout()
|
||||
Expect(session).Should(ExitCleanly())
|
||||
|
||||
outfile := filepath.Join(podmanTest.TempDir, "temp.tar")
|
||||
save := podmanTest.Podman([]string{"save", "-q", "remove-signatures=true", "-o", outfile, "localhost:5000/alpine"})
|
||||
save := podmanTest.Podman([]string{"save", "-q", "remove-signatures=true", "-o", outfile, pushedImage})
|
||||
save.WaitWithDefaultTimeout()
|
||||
Expect(save).To(ExitWithError())
|
||||
}
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
docker:
|
||||
localhost:5000/sigstore-signed:
|
||||
localhost:5003/sigstore-signed:
|
||||
use-sigstore-attachments: true
|
||||
localhost:5000/sigstore-signed-params:
|
||||
localhost:5003/sigstore-signed-params:
|
||||
use-sigstore-attachments: true
|
||||
|
||||
Reference in New Issue
Block a user