This commit gets tests working under the new local-registry system:
* amend a few image names, mostly just sticking to a consistent
list of those images in our registry cache. Mostly minor
tag updates.
* trickier: pull_test: change some error messages, and remove
a test that's now a NOP. Basically, with a local (unprotected)
registry we always get "404 manifest unknown"; with a real
registry we'll get "403 I can't tell you".
* trickiest: seccomp_test: build our own images at run time,
with our desired labels. Until now we've been pulling
prebuilt images, but those will not copy to the local
cache registry. Something about v1? Anyhow, I gave up
trying to cache them, and the workaround is straightforward.
Also took the liberty of strengthening a few error-message checks
Signed-off-by: Ed Santiago <santiago@redhat.com>
The podman-login tests have accumulated much cruft over the
years, because that's the only place where we run a local
registry, and the process was crufty: we actually start/stopped
the registry as the first & last tests of the file. Meaning,
you couldn't do 'hack/bats 150:just-one-test' because that
would skip the registry start. And just now, a completely
unrelated test has had to be shoved into the login file.
This PR revamps the whole thing, by adding a new registry helper
module that can be used anywhere. And, once the registry is
started, it just stays running until the end of tests. (This
requires BATS 1.7 or greater).
Signed-off-by: Ed Santiago <santiago@redhat.com>
First: fix podman-registry script so it preserves the initial $PODMAN,
so all subsequent invocations of ps, logs, and stop will use the
same binary and arguments. Until now we've handled this by requiring
that our caller manage $PODMAN (and keep it the same), but that's
just wrong.
Next, simplify the golang interface: move the $PODMAN setting into
registry.go, instead of requiring e2e callers to set it. (This
could use some work: the local/remote conditional is icky).
IMPORTANT: To prevent registry.go from using the wrong podman binary,
the Start() call is gone. Only StartWithOptions() is valid now.
And, minor cleanup: comments, and add an actual error-message check
Reason for this PR is a recurring flake, #18355, whose multiple
failure modes I truly can't understand. I don't think this PR
is going to fix it, but this is still necessary work.
Signed-off-by: Ed Santiago <santiago@redhat.com>
hack/podman-registry --help option does not exist.
We need to use -h option when we want to see the usage message.
[NO NEW TESTS NEEDED]
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
... primarily so that it can support OCI artifacts.
2.8 already seems to exist in the repo.
This requires changing WaitContainerReady to also check
stderr (ultimately because docker/distribution was
updated to a more recent sirupsen/logrus, which logs
by default to stderr instead of stdout).
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
... instead of hard-coding a copy of the value.
Notably this makes hack/podman_registry actually
support the documented -i option.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
htpasswd is no longer included in docker.io/library/distribution
after 2.7.0, per https://github.com/docker/distribution-library-image/issues/107 ,
and we want to upgrade to a recent version.
At least system tests currently execute htpasswd from the OS,
so it seems that it is likely to be available.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
manifest_test:authenticated_push() is the final test left to
fix before merging #14397. The reason it's failing _seems_ to be
that podman is running with a mix of netavark and CNI, and
that _seems_ to be because this test invokes hack/podman-registry
which invokes plain podman without whatever options used in e2e.
Starting a registry directly from the test is insane: there is
no reusable code for doing that (see login_logout_test.go and
push_test.go. Yeesh.)
Solution: set $PODMAN, by inspecting the podmanTest object
which includes both a path and a list of options. podman-registry
will invoke that. (It will also override --root and --runroot.
This is the desired behavior).
Also: add cleanup. If auth-push test fails, stop the registry.
Also: add a sanity check to podman-registry script, have it
wait for the registry port to activate. Die if it doesn't.
That could've saved us a nice bit of debugging time.
Signed-off-by: Ed Santiago <santiago@redhat.com>
For using the `registry:2.6` image. 2.7 and beyond dropped the
`htpasswd` binary from the rootfs which parts of our CI depends
on.
While this is not a sustainable solution (assuming `htpasswd` is gone
for ever), it unblocks the CI for now.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
1) fix lost credentials.
must_pass(), added in #6375, eats the credentials
generated via 'podman run --entrypoint htpasswd'.
Run that podman instance directly, and add explicit
error check.
(The error and stdout/stderr handling here has gotten
cumbersome. There must be something I'm missing that
could make it all simpler.)
2) fix default podman path.
When setting $PODMAN, default to the locally built
one -- there may not be one in $PATH (e.g. in
Ubuntu, see #6366). This in turn requires us to:
3) run registry test in integration, not unit test
It looks like unit tests run before podman is built,
causing a chicken-egg dilemma. Try to solve that by
running the new hack/podman-registry-go test in
integration tests, not unit tests.
Signed-off-by: Ed Santiago <santiago@redhat.com>
My initial revision of the podman-registry helper script
was written in haste, with an enormous tradeoff: no
visibility into any errors. We are now paying for this
in #6366: the script is failing on Ubuntu and we
have no way of knowing why.
This PR adds a must_pass() function used for critical
steps. This runs the action silently; if the command
fails, it displays the failing command name with
full output logs, cleans up the temporary workdir,
and exits with error status.
As a reminder, the reason this is necessary is that
our script convention is to output a series of
environment variables to stdout -- we must therefore
take pains not to emit anything else to stdout.
And, unfortunately, podman and openssl tend to be
rather verbose.
Signed-off-by: Ed Santiago <santiago@redhat.com>
In response to #6207: this is a helper script intended for
use in starting and stopping a local container registry.
It takes care of port, username, password assignments;
generates a self-signed certificate; and starts the
container in an isolated podman root/runroot to avoid
conflicting with the caller's environment.
Intended usage: invoke from shell script, using 'eval'
to get results into calling process environment. See
help message (-h) for invocation details. This will
work for shell scripts but will be difficult if
called from Go or C - if that is likely to happen,
I'd love to hear suggestions for alternate ways to
get the settings back to the caller.
Signed-off-by: Ed Santiago <santiago@redhat.com>
