From 16b595c32ca2984921ecfcf5960723cf5f85beef Mon Sep 17 00:00:00 2001
From: Ed Santiago <santiago@redhat.com>
Date: Tue, 6 Dec 2022 08:03:41 -0700
Subject: [PATCH] Build and use a newer systemd image

...based on f37, not f31. And make it fedora-minimal so it's
smaller. And clean up dnf so it's even smaller. And tag it
with our proper YMD tag, and commit the script that builds it.

This broke the system-df tests. In the process of resolving
that, I found those tests a little lacking. So, improve their
coverage a little bit.

Signed-off-by: Ed Santiago <santiago@redhat.com>
---
 test/system/255-auto-update.bats | 11 +++---
 test/system/260-sdnotify.bats    | 31 +++++----------
 test/system/320-system-df.bats   | 50 ++++++++++++++++++++++--
 test/system/build-systemd-image  | 67 ++++++++++++++++++++++++++++++++
 test/system/helpers.bash         | 11 +++++-
 5 files changed, 139 insertions(+), 31 deletions(-)
 create mode 100755 test/system/build-systemd-image

diff --git a/test/system/255-auto-update.bats b/test/system/255-auto-update.bats
index 698495050b..46d6370ecd 100644
--- a/test/system/255-auto-update.bats
+++ b/test/system/255-auto-update.bats
@@ -31,8 +31,7 @@ function teardown() {
             quay.io/libpod/busybox:latest          \
             quay.io/libpod/localtest:latest        \
             quay.io/libpod/autoupdatebroken:latest \
-            quay.io/libpod/test:latest             \
-            quay.io/libpod/fedora:31
+            quay.io/libpod/test:latest
 
     # The rollback tests may leave some dangling images behind, so let's prune
     # them to leave a clean state.
@@ -267,7 +266,7 @@ function _confirm_update() {
 
     dockerfile1=$PODMAN_TMPDIR/Dockerfile.1
     cat >$dockerfile1 <<EOF
-FROM quay.io/libpod/fedora:31
+FROM $SYSTEMD_IMAGE
 RUN echo -e "#!/bin/sh\n\
 printenv NOTIFY_SOCKET; echo READY; systemd-notify --ready;\n\
 trap 'echo Received SIGTERM, finishing; exit' SIGTERM; echo WAITING; while :; do sleep 0.1; done" \
@@ -277,7 +276,7 @@ EOF
 
     dockerfile2=$PODMAN_TMPDIR/Dockerfile.2
     cat >$dockerfile2 <<EOF
-FROM quay.io/libpod/fedora:31
+FROM $SYSTEMD_IMAGE
 RUN echo -e "#!/bin/sh\n\
 exit 1" >> /runme
 RUN chmod +x /runme
@@ -446,7 +445,7 @@ EOF
 
     dockerfile1=$PODMAN_TMPDIR/Dockerfile.1
     cat >$dockerfile1 <<EOF
-FROM quay.io/libpod/fedora:31
+FROM $SYSTEMD_IMAGE
 RUN echo -e "#!/bin/sh\n\
 printenv NOTIFY_SOCKET; echo READY; systemd-notify --ready;\n\
 trap 'echo Received SIGTERM, finishing; exit' SIGTERM; echo WAITING; while :; do sleep 0.1; done" \
@@ -456,7 +455,7 @@ EOF
 
     dockerfile2=$PODMAN_TMPDIR/Dockerfile.2
     cat >$dockerfile2 <<EOF
-FROM quay.io/libpod/fedora:31
+FROM $SYSTEMD_IMAGE
 RUN echo -e "#!/bin/sh\n\
 exit 1" >> /runme
 RUN chmod +x /runme
diff --git a/test/system/260-sdnotify.bats b/test/system/260-sdnotify.bats
index 037dffd884..f5da4e2734 100644
--- a/test/system/260-sdnotify.bats
+++ b/test/system/260-sdnotify.bats
@@ -144,20 +144,15 @@ READY=1" "sdnotify sent MAINPID and READY"
 # These tests can fail in dev. environment because of SELinux.
 # quick fix: chcon -t container_runtime_exec_t ./bin/podman
 @test "sdnotify : container" {
-    # Sigh... we need to pull a humongous image because it has systemd-notify.
-    # (IMPORTANT: fedora:32 and above silently removed systemd-notify; this
-    # caused CI to hang. That's why we explicitly require fedora:31)
-    # FIXME: is there a smaller image we could use?
-    local _FEDORA="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/fedora:31"
-    # Pull that image. Retry in case of flakes.
-    run_podman pull $_FEDORA || \
-        run_podman pull $_FEDORA || \
-        run_podman pull $_FEDORA
+    # Pull our systemd image. Retry in case of flakes.
+    run_podman pull $SYSTEMD_IMAGE || \
+        run_podman pull $SYSTEMD_IMAGE || \
+        run_podman pull $SYSTEMD_IMAGE
 
     export NOTIFY_SOCKET=$PODMAN_TMPDIR/container.sock
     _start_socat
 
-    run_podman run -d --sdnotify=container $_FEDORA \
+    run_podman run -d --sdnotify=container $SYSTEMD_IMAGE \
                sh -c 'printenv NOTIFY_SOCKET; echo READY; while ! test -f /stop;do sleep 0.1;done;systemd-notify --ready'
     cid="$output"
     wait_for_ready $cid
@@ -191,7 +186,6 @@ READY=1" "sdnotify sent MAINPID and READY"
 READY=1"
 
     run_podman rm $cid
-    run_podman rmi $_FEDORA
     _stop_socat
 }
 
@@ -250,15 +244,10 @@ READY=1" "sdnotify sent MAINPID and READY"
 }
 
 @test "sdnotify : play kube - with policies" {
-    # Sigh... we need to pull a humongous image because it has systemd-notify.
-    # (IMPORTANT: fedora:32 and above silently removed systemd-notify; this
-    # caused CI to hang. That's why we explicitly require fedora:31)
-    # FIXME: is there a smaller image we could use?
-    local _FEDORA="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/fedora:31"
     # Pull that image. Retry in case of flakes.
-    run_podman pull $_FEDORA || \
-        run_podman pull $_FEDORA || \
-        run_podman pull $_FEDORA
+    run_podman pull $SYSTEMD_IMAGE || \
+        run_podman pull $SYSTEMD_IMAGE || \
+        run_podman pull $SYSTEMD_IMAGE
 
     # Create the YAMl file
     yaml_source="$PODMAN_TMPDIR/test.yaml"
@@ -279,7 +268,7 @@ spec:
     - /bin/sh
     - -c
     - 'printenv NOTIFY_SOCKET; while ! test -f /stop;do sleep 0.1;done'
-    image: $_FEDORA
+    image: $SYSTEMD_IMAGE
     name: a
   - command:
     - /bin/sh
@@ -360,7 +349,7 @@ READY=1" "sdnotify sent MAINPID and READY"
 
     # Clean up pod and pause image
     run_podman play kube --down $yaml_source
-    run_podman rmi $_FEDORA $(pause_image)
+    run_podman rmi $(pause_image)
 }
 
 # vim: filetype=sh
diff --git a/test/system/320-system-df.bats b/test/system/320-system-df.bats
index b7ba34006d..488cacfc59 100644
--- a/test/system/320-system-df.bats
+++ b/test/system/320-system-df.bats
@@ -5,6 +5,15 @@
 
 load helpers
 
+function setup() {
+    # Depending on which tests have been run prior to getting here, there
+    # may be one or two images loaded. We want only '$IMAGE', not the
+    # systemd one.
+    run_podman rmi -f $SYSTEMD_IMAGE
+
+    basic_setup
+}
+
 function teardown() {
     basic_teardown
 
@@ -30,10 +39,45 @@ function teardown() {
 }
 
 @test "podman system df --format json functionality" {
+    # Run two dummy containers, one which exits, one which stays running
+    run_podman run    --name stoppedcontainer $IMAGE true
+    run_podman run -d --name runningcontainer $IMAGE top
     run_podman system df --format json
-    is "$output" '.*"TotalCount": 1'       "Exactly one image"
-    is "$output" '.*"RawSize": 0' "RawSize reported"
-    is "$output" '.*"Size": "0B"' "Size reported"
+    local results="$output"
+
+    # FIXME: we can't check exact RawSize or Size because every CI system
+    # computes a different value: 12701526, 12702113, 12706209... and
+    # those are all amd64. aarch64 gets 12020148, 12019561.
+    #
+    # WARNING: RawSize and Size tests may fail if $IMAGE is updated. Since
+    # that tends to be done yearly or less, and only by Ed, that's OK.
+    local tests='
+Type           | Images    | Containers | Local Volumes
+Total          |         1 |          2 |             0
+Active         |         1 |          1 |             0
+RawSize        | ~12...... |          0 |             0
+RawReclaimable |         0 |          0 |             0
+TotalCount     |         1 |          2 |             0
+Size           |   ~12.*MB |         0B |            0B
+'
+    while read -a fields; do
+        for i in 0 1 2;do
+            expect="${fields[$((i+1))]}"
+            actual=$(jq -r ".[$i].${fields[0]}" <<<"$results")
+
+            # Do exact-match check, unless the expect term starts with ~
+            op='='
+            if [[ "$expect" =~ ^~ ]]; then
+                op='=~'
+                expect=${expect##\~}
+            fi
+
+            assert "$actual" "$op" "$expect" "system df[$i].${fields[0]}"
+        done
+    done < <(parse_table "$tests")
+
+    # Clean up
+    run_podman rm -f -t 0 stoppedcontainer runningcontainer
 }
 
 @test "podman system df - with active containers and volumes" {
diff --git a/test/system/build-systemd-image b/test/system/build-systemd-image
new file mode 100755
index 0000000000..a05577c6c2
--- /dev/null
+++ b/test/system/build-systemd-image
@@ -0,0 +1,67 @@
+#!/bin/bash
+#
+# build-systemd-image - script for producing a test image with systemd
+#
+# Based on the build-testimage script. This script builds a fedora-based
+# image with systemd in it, for use in systemd-based tests.
+#
+
+# Podman binary to use
+PODMAN=${PODMAN:-$(pwd)/bin/podman}
+
+# Tag for this new image
+YMD=$(date +%Y%m%d)
+
+# git-relative path to this script
+create_script=$(cd $(dirname $0) && git ls-files --full-name $(basename $0))
+if [ -z "$create_script" ]; then
+    create_script=$0
+fi
+
+# Creation timestamp, Zulu time
+create_time_t=$(date +%s)
+create_time_z=$(env TZ=UTC date --date=@$create_time_t +'%Y-%m-%dT%H:%M:%SZ')
+
+set -ex
+
+# We'll need to create a Containerfile plus various other files to add in
+tmpdir=$(mktemp -t -d $(basename $0).tmp.XXXXXXX)
+cd $tmpdir
+echo $YMD >testimage-id
+
+cat >Containerfile <<EOF
+FROM registry.fedoraproject.org/fedora-minimal:37
+LABEL created_by=$create_script
+LABEL created_at=$create_time_z
+RUN microdnf install -y systemd && microdnf clean all
+ADD testimage-id /home/podman/
+WORKDIR /home/podman
+CMD ["/bin/echo", "This image is intended for podman CI testing"]
+EOF
+
+# Start from scratch
+testimg_base=quay.io/libpod/systemd-image
+testimg=${testimg_base}:$YMD
+$PODMAN rmi -f $testimg &> /dev/null || true
+
+# Arch emulation on Fedora requires the qemu-user-static package.
+for arch in amd64 arm64 ppc64le s390x;do
+    $PODMAN build \
+            --arch=$arch \
+            --squash-all \
+            --timestamp=$create_time_t \
+            --manifest=$testimg \
+            .
+done
+
+# Clean up
+cd /tmp
+rm -rf $tmpdir
+
+# Tag image and push (all arches) to quay.
+cat <<EOF
+
+If you're happy with this image, run:
+
+   podman manifest push --all  ${testimg} docker://${testimg}
+EOF
diff --git a/test/system/helpers.bash b/test/system/helpers.bash
index 0c7a690223..d679ef5a2c 100644
--- a/test/system/helpers.bash
+++ b/test/system/helpers.bash
@@ -12,6 +12,11 @@ PODMAN_TEST_IMAGE_TAG=${PODMAN_TEST_IMAGE_TAG:-"20221018"}
 PODMAN_TEST_IMAGE_FQN="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/$PODMAN_TEST_IMAGE_NAME:$PODMAN_TEST_IMAGE_TAG"
 PODMAN_TEST_IMAGE_ID=
 
+# Larger image containing systemd tools.
+PODMAN_SYSTEMD_IMAGE_NAME=${PODMAN_SYSTEMD_IMAGE_NAME:-"systemd-image"}
+PODMAN_SYSTEMD_IMAGE_TAG=${PODMAN_SYSTEMD_IMAGE_TAG:-"20221206"}
+PODMAN_SYSTEMD_IMAGE_FQN="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/$PODMAN_SYSTEMD_IMAGE_NAME:$PODMAN_SYSTEMD_IMAGE_TAG"
+
 # Remote image that we *DO NOT* fetch or keep by default; used for testing pull
 # This has changed in 2021, from 0 through 3, various iterations of getting
 # multiarch to work. It should change only very rarely.
@@ -20,6 +25,7 @@ PODMAN_NONLOCAL_IMAGE_FQN="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/$
 
 # Because who wants to spell that out each time?
 IMAGE=$PODMAN_TEST_IMAGE_FQN
+SYSTEMD_IMAGE=$PODMAN_SYSTEMD_IMAGE_FQN
 
 # Default timeout for a podman command.
 PODMAN_TIMEOUT=${PODMAN_TIMEOUT:-120}
@@ -55,12 +61,15 @@ function basic_setup() {
     run_podman images --all --format '{{.Repository}}:{{.Tag}} {{.ID}}'
     for line in "${lines[@]}"; do
         set $line
-        if [ "$1" == "$PODMAN_TEST_IMAGE_FQN" ]; then
+        if [[ "$1" == "$PODMAN_TEST_IMAGE_FQN" ]]; then
             if [[ -z "$PODMAN_TEST_IMAGE_ID" ]]; then
                 # This will probably only trigger the 2nd time through setup
                 PODMAN_TEST_IMAGE_ID=$2
             fi
             found_needed_image=1
+        elif [[ "$1" == "$PODMAN_SYSTEMD_IMAGE_FQN" ]]; then
+            # This is a big image, don't force unnecessary pulls
+            :
         else
             # Always remove image that doesn't match by name
             echo "# setup(): removing stray image $1" >&3