#!/usr/bin/env bats   -*- bats -*-
#
# Tests generated configurations for systemd.
#

# bats file_tags=ci:parallel

load helpers
load helpers.network
load helpers.registry
load helpers.systemd

UNIT_FILES=()

function start_time() {
    sleep_to_next_second # Ensure we're on a new second with no previous logging
    STARTED_TIME=$(date "+%F %R:%S") # Start time for new log time
}

function setup() {
    skip_if_remote "quadlet tests are meaningless over remote"
    skip_if_rootless_cgroupsv1 "Can't use --cgroups=split w/ CGv1 (issue 17456, wontfix)"
    skip_if_journald_unavailable "Needed for RHEL. FIXME: we might be able to re-enable a subset of tests."

    test -x "$QUADLET" || die "Cannot run quadlet tests without executable \$QUADLET ($QUADLET)"

    start_time

    basic_setup
}

function teardown() {
    for UNIT_FILE in ${UNIT_FILES[@]}; do
        if [[ -e "$UNIT_FILE" ]]; then
            local service=$(basename "$UNIT_FILE")
            run systemctl stop "$service"
            if [ $status -ne 0 ]; then
               echo "# WARNING: systemctl stop failed in teardown: $output" >&3
            fi
            run systemctl reset-failed "$service"
            rm -f "$UNIT_FILE"
        fi
    done
    systemctl daemon-reload

    basic_teardown
}

# Converts the quadlet file and installs the result it in $UNIT_DIR
function run_quadlet() {
    local sourcefile="$1"
    local service=$(quadlet_to_service_name "$sourcefile")

    # quadlet always works on an entire directory, so copy the file
    # to transform to the given or newly created tmpdir
    local quadlet_tmpdir="$2"
    if [ -z "$quadlet_tmpdir" ]; then
        quadlet_tmpdir=$(mktemp -d --tmpdir=$PODMAN_TMPDIR quadlet.XXXXXX)
    fi
    cp $sourcefile $quadlet_tmpdir/

    echo "$_LOG_PROMPT $QUADLET $_DASHUSER $UNIT_DIR"
    QUADLET_UNIT_DIRS="$quadlet_tmpdir" run \
                     timeout --foreground -v --kill=10 $PODMAN_TIMEOUT \
                     $QUADLET $_DASHUSER $UNIT_DIR
    echo "$output"
    assert $status -eq 0 "Failed to convert quadlet file: $sourcefile"
    is "$output" "" "quadlet should report no errors"

    run cat $UNIT_DIR/$service
    assert $status -eq 0 "Could not cat $UNIT_DIR/$service"
    echo "$output"
    local content="$output"

    # Ensure this is teared down
    UNIT_FILES+=("$UNIT_DIR/$service")

    QUADLET_SERVICE_NAME="$service"
    QUADLET_SERVICE_CONTENT="$content"
    QUADLET_SYSLOG_ID="$(basename $service .service)"
    QUADLET_CONTAINER_NAME="systemd-$QUADLET_SYSLOG_ID"
}

function service_setup() {
    local service="$1"
    local option="$2"

    systemctl daemon-reload

    local startargs=""
    local statusexit=0
    local activestate="active"

    # If option wait, start and wait for service to exist
    if [ "$option" == "wait" ]; then
        startargs="--wait"
        statusexit=3
        local activestate="inactive"
    fi

    systemctl_start $startargs "$service"

    # FIXME FIXME FIXME: this is racy with short-lived containers!
    echo "$_LOG_PROMPT systemctl status $service"
    run systemctl status "$service"
    echo "$output"
    assert $status -eq $statusexit "systemctl status $service"

    echo "$_LOG_PROMPT systemctl show --value --property=ActiveState $service"
    run systemctl show --value --property=ActiveState "$service"
    echo "$output"
    assert $status -eq 0 "systemctl show $service"
    is "$output" $activestate
}

# Helper to stop a systemd service running a container
function service_cleanup() {
    local service="$1"
    local expected_state="$2"

    run systemctl stop "$service"
    assert $status -eq 0 "Error stopping systemd unit $service: $output"

    # Regression test for #11304: confirm that unit stops into correct state
    if [[ -n "$expected_state" ]]; then
        run systemctl show --property=ActiveState "$service"
        assert "$output" = "ActiveState=$expected_state" \
               "state of service $service after systemctl stop"
    fi

    # reset-failed necessary to clean up stray systemd cruft
    run systemctl reset-failed "$service"
    rm -f "$UNIT_DIR/$service"
    systemctl daemon-reload
}

function create_secret() {
    local secret_name=$(random_string)
    local secret_file=$PODMAN_TMPDIR/secret_$(random_string)
    local secret=$(random_string)

    echo $secret > $secret_file
    run_podman secret create $secret_name $secret_file

    SECRET_NAME=$secret_name
    SECRET=$secret
}

function remove_secret() {
    local secret_name="$1"

    run_podman secret rm $secret_name
}

function wait_for_journal() {
    local step=1
    local count=10
    local expect_str=

    while [ "$#" -gt 0 ]; do
        case "$1" in
            -s|--step)
                step="$2"
                shift 2
                ;;
            -c|--count)
                count="$2"
                shift 2
                ;;
            *)
                expect_str="$1"
                shift 1
                ;;
        esac
    done

    while [ "$count" -gt 0 ]; do
        run journalctl "--since=$STARTED_TIME" --unit="$QUADLET_SERVICE_NAME"
        if [[ "$output" =~ "$expect_str" ]]; then
            return
        fi
        sleep "$step"
        count=$(( count - 1 ))
    done
    die "Timed out waiting for '$expect_str' in journalctl output"
}

@test "quadlet - basic" {
    # Network=none is to work around a Pasta bug, can be removed once a patched Pasta is available.
    # Ref https://github.com/containers/podman/pull/21563#issuecomment-1965145324
    local quadlet_file=$PODMAN_TMPDIR/basic_$(safename).container
    cat > $quadlet_file <<EOF
[Container]
Image=$IMAGE
# Note it is important that the trap is before the ready message,
# otherwise the signal handler may not registered in time before we do systemctl stop.
Exec=sh -c "echo STARTED CONTAINER; trap 'exit' SIGTERM; echo "READY=1" | socat -u STDIN unix-sendto:\$NOTIFY_SOCKET; while :; do sleep 0.1; done"
Notify=yes
LogDriver=passthrough
Network=none
EOF

    run_quadlet "$quadlet_file"
    service_setup $QUADLET_SERVICE_NAME

    run -0 systemctl show --property=Wants --property=After "$QUADLET_SERVICE_NAME"
    service="network-online.target"
    if is_rootless; then
        service="podman-user-wait-network-online.service"
    fi
    assert "${lines[0]}" == "Wants=$service" "quadlet unit Wants network dependency"
    # Note systemd adds some other default services to After= so no exact match possible
    assert "${lines[1]}" =~ "After=.*$service.*" "quadlet unit After network dependency"

    # Check that we can read the logs from the container with podman logs even
    # with the `passthrough` driver.  The log may need a short period of time
    # to bubble up into the journal logs, so wait for it.
    wait_for_output "STARTED CONTAINER" $QUADLET_CONTAINER_NAME
    # Make sure it's an *exact* match, not just a substring (i.e. no spurious
    # warnings or other cruft).
    run_podman logs $QUADLET_CONTAINER_NAME
    assert "$output" == "STARTED CONTAINER" "exact/full match when using the 'passthrough' driver"

    # Also look for the logs via `journalctl`.
    run journalctl "--since=$STARTED_TIME" --unit="$QUADLET_SERVICE_NAME"
    is "$output" '.*STARTED CONTAINER.*'

    run_podman container inspect  --format "{{.State.Status}}" $QUADLET_CONTAINER_NAME
    is "$output" "running" "container should be started by systemd and hence be running"

    service_cleanup $QUADLET_SERVICE_NAME inactive
}

@test "quadlet conflict names" {
    # If two directories in the search have files with the same name, quadlet should
    # only process the first name
    dir1=$PODMAN_TMPDIR/$(random_string)
    dir2=$PODMAN_TMPDIR/$(random_string)
    local quadlet_file=basic_$(safename).container
    mkdir -p $dir1 $dir2

    cat > $dir1/$quadlet_file <<EOF
[Container]
Image=quay.io/libpod/this-is-the-one:wewant
Notify=yes
EOF

    cat > $dir2/$quadlet_file <<EOF
[Container]
Image=quay.io/libpod/bad-bad-bad:nonono
Notify=no
EOF
    QUADLET_UNIT_DIRS="$dir1:$dir2" run \
                    timeout --foreground -v --kill=10 $PODMAN_TIMEOUT \
                    $QUADLET --dryrun
    assert "$output" =~ "Notify=yes" "quadlet should show Notify=yes"
    assert "$output" !~ "Notify=no" "quadlet should not show Notify=no"
}

@test "quadlet - envvar" {
    local quadlet_file=$PODMAN_TMPDIR/envvar_$(safename).container
    cat > $quadlet_file <<EOF
[Container]
Image=$IMAGE
Exec=sh -c "echo OUTPUT: \"\$FOOBAR\" \"\$BAR\""
Environment="FOOBAR=Foo  Bar" BAR=bar
LogDriver=passthrough
EOF

    run_quadlet "$quadlet_file"
    service_setup $QUADLET_SERVICE_NAME wait

    # Ensure we have the right output, sync is done via waiting for service to exit (service_setup wait)

    # Note: Here we have to filter by syslog id instead of unit, because there is a (known) race
    # condition where if the cgroup is cleaned up before journald sees the message, then the journal
    # doesn't know the cgroup  and thus not the unit. (See https://github.com/systemd/systemd/issues/2913)
    run journalctl "--since=$STARTED_TIME"  SYSLOG_IDENTIFIER="$QUADLET_SYSLOG_ID"
    is "$output" '.*OUTPUT: Foo  Bar bar.*'

    service_cleanup $QUADLET_SERVICE_NAME inactive
}

@test "quadlet - ContainerName and journal output check" {
    local quadlet_file=$PODMAN_TMPDIR/containername_$(safename).container
    local token_out="STDOUT$(random_string 10)"
    local token_err="STDERR$(random_string 10)"
    cat > $quadlet_file <<EOF
[Container]
ContainerName=customcontainername
Image=$IMAGE
Exec=sh -c "echo $token_out; echo $token_err 1>&2; top -d 10"
EOF

    run_quadlet "$quadlet_file"
    service_setup $QUADLET_SERVICE_NAME

    # Ensure we can access with the custom container name
    run_podman container inspect  --format "{{.State.Status}}" customcontainername
    is "$output" "running" "container should be started by systemd and hence be running"

    wait_for_journal "Started $QUADLET_SERVICE_NAME"

    run journalctl "--since=$STARTED_TIME" --unit="$QUADLET_SERVICE_NAME"
    assert "$output" =~ "$token_out" "Output can be found with journalctl"
    assert "$output" =~ "$token_err" "Error can be found with journalctl"
    assert "$output" =~ "Starting $QUADLET_SERVICE_NAME" "Status information can be found with journalctl"

    # log priority 3 in journalctl is err. This is documented in syslog(3)
    run journalctl "--since=$STARTED_TIME" --priority=3 --unit="$QUADLET_SERVICE_NAME"
    assert "$output" =~ "$token_err" "Error can be found with journalctl --priority=3"
    assert "$output" !~ "$token_out" "Output can not be found with journalctl --priority=3"

    service_cleanup $QUADLET_SERVICE_NAME failed
}

@test "quadlet - labels" {
    local quadlet_file=$PODMAN_TMPDIR/labels_$(safename).container
    cat > $quadlet_file <<EOF
[Container]
Image=$IMAGE
Exec=top
Label="foo=foo bar" "key=val"
Annotation="afoo=afoo bar"
Annotation="akey=aval"
EOF

    run_quadlet "$quadlet_file"
    service_setup $QUADLET_SERVICE_NAME

    run_podman container inspect --format "{{.Config.Labels.foo}}" $QUADLET_CONTAINER_NAME
    is "$output" "foo bar"
    run_podman container inspect --format "{{.Config.Labels.key}}" $QUADLET_CONTAINER_NAME
    is "$output" "val"
    run_podman container inspect --format "{{.Config.Annotations.afoo}}" $QUADLET_CONTAINER_NAME
    is "$output" "afoo bar"
    run_podman container inspect --format "{{.Config.Annotations.akey}}" $QUADLET_CONTAINER_NAME
    is "$output" "aval"

    service_cleanup $QUADLET_SERVICE_NAME failed
}

@test "quadlet - oneshot" {
    local quadlet_file=$PODMAN_TMPDIR/oneshot_$(safename).container
    cat > $quadlet_file <<EOF
[Container]
Image=$IMAGE
Exec=echo INITIALIZED

[Service]
Type=oneshot
RemainAfterExit=yes
EOF

    run_quadlet "$quadlet_file"

    service_setup $QUADLET_SERVICE_NAME

    # Ensure we have output. Output is synced by oneshot command exit
    run journalctl "--since=$STARTED_TIME"  SYSLOG_IDENTIFIER="$QUADLET_SYSLOG_ID"
    is "$output" '.*INITIALIZED.*'

    service_cleanup $QUADLET_SERVICE_NAME inactive
}

@test "quadlet - volume" {
    local quadlet_file=$PODMAN_TMPDIR/basic_$(safename).volume
    cat > $quadlet_file <<EOF
[Volume]
Label=foo=bar other="with space"
EOF

    run_quadlet "$quadlet_file"

    service_setup $QUADLET_SERVICE_NAME

    local volume_name=systemd-$(basename $quadlet_file .volume)
    run_podman volume ls
    is "$output" ".*local.*${volume_name}.*"

    run_podman volume inspect  --format "{{.Labels.foo}}" $volume_name
    is "$output" "bar"
    run_podman volume inspect  --format "{{.Labels.other}}" $volume_name
    is "$output" "with space"

    service_cleanup $QUADLET_SERVICE_NAME inactive
    run_podman volume rm $volume_name
}

# A quadlet container depends on a quadlet volume
@test "quadlet - volume dependency" {
    # Save the unit name to use as the volume for the container
    local quadlet_vol_unit=dep_$(safename).volume
    local quadlet_vol_file=$PODMAN_TMPDIR/${quadlet_vol_unit}
    cat > $quadlet_vol_file <<EOF
[Volume]
EOF

    local quadlet_tmpdir=$(mktemp -d --tmpdir=$PODMAN_TMPDIR quadlet.XXXXXX)
    # Have quadlet create the systemd unit file for the volume unit
    run_quadlet "$quadlet_vol_file" "$quadlet_tmpdir"

    # Save the volume service name since the variable will be overwritten
    local vol_service=$QUADLET_SERVICE_NAME
    local volume_name=systemd-$(basename $quadlet_vol_file .volume)

    local quadlet_file=$PODMAN_TMPDIR/user_$(safename).container
    cat > $quadlet_file <<EOF
[Container]
Image=$IMAGE
Exec=top
Volume=$quadlet_vol_unit:/tmp
EOF

    # Have quadlet create the systemd unit file for the container unit
    run_quadlet "$quadlet_file" "$quadlet_tmpdir"

    # Save the container service name for readability
    local container_service=$QUADLET_SERVICE_NAME

    # Volume should not exist
    run_podman 1 volume exists ${volume_name}

    # Start the container service which should also trigger the start of the volume service
    service_setup $container_service

    # Volume system unit should be active
    run systemctl show --property=ActiveState "$vol_service"
    assert "$output" = "ActiveState=active" \
           "volume should be active via dependency"

    # Volume should exist
    run_podman volume exists ${volume_name}

    # Shutdown the service and remove the volume
    service_cleanup $container_service failed
    run_podman volume rm $volume_name
}

# A quadlet container depends on a named quadlet volume
@test "quadlet - named volume dependency" {
    local volume_name="v-$(safename)"

    # Save the unit name to use as the volume for the container
    local quadlet_vol_unit=dep_$(safename).volume
    local quadlet_vol_file=$PODMAN_TMPDIR/${quadlet_vol_unit}
    cat > $quadlet_vol_file <<EOF
[Volume]
VolumeName=$volume_name
EOF

    # Have quadlet create the systemd unit file for the volume unit
    local quadlet_tmpdir=$(mktemp -d --tmpdir=$PODMAN_TMPDIR quadlet.XXXXXX)
    run_quadlet "$quadlet_vol_file" "$quadlet_tmpdir"

    # Save the volume service name since the variable will be overwritten
    local vol_service=$QUADLET_SERVICE_NAME

    local quadlet_file=$PODMAN_TMPDIR/user_$(safename).container
    cat > $quadlet_file <<EOF
[Container]
Image=$IMAGE
Exec=top
Volume=$quadlet_vol_unit:/tmp
EOF

    # Have quadlet create the systemd unit file for the container unit
    run_quadlet "$quadlet_file" "$quadlet_tmpdir"

    # Save the container service name for readability
    local container_service=$QUADLET_SERVICE_NAME
    local container_name=systemd-$(basename $quadlet_file .container)

    # Volume should not exist
    run_podman 1 volume exists ${volume_name}

    # Start the container service which should also trigger the start of the volume service
    service_setup $container_service

    # Volume system unit should be active
    run systemctl show --property=ActiveState "$vol_service"
    assert "$output" = "ActiveState=active" "volume should be active via dependency"

    # Volume should exist
    run_podman volume exists ${volume_name}

    # Container should be attached to defined volume
    run_podman container inspect --format "{{(index .Mounts 0).Name}}" $container_name
    assert "$output" = "$volume_name" "container should be attached to network $volume_name"

    # Shutdown the service and remove the volume
    service_cleanup $container_service failed
    run_podman volume rm $volume_name
}

@test "quadlet - network" {
    local quadlet_file=$PODMAN_TMPDIR/basic_$(safename).network
    cat > $quadlet_file <<EOF
[Network]
Label=foo=bar other="with space"
EOF

    run_quadlet "$quadlet_file"

    service_setup $QUADLET_SERVICE_NAME

    local network_name=systemd-$(basename $quadlet_file .network)
    run_podman network exists $network_name

    run_podman network inspect  --format "{{.Labels.foo}}" $network_name
    is "$output" "bar"
    run_podman network inspect  --format "{{.Labels.other}}" $network_name
    is "$output" "with space"

    service_cleanup $QUADLET_SERVICE_NAME inactive
    run_podman network rm $network_name
}

@test "quadlet - network delete with dependencies" {
    # Save the unit name to use as the network for the container
    local network_name=$(safename)
    local quadlet_network_unit=dep_$(safename).network
    local quadlet_network_file=$PODMAN_TMPDIR/${quadlet_network_unit}
    cat > $quadlet_network_file <<EOF
[Network]
NetworkName=${network_name}
NetworkDeleteOnStop=true
EOF

    local quadlet_tmpdir=$(mktemp -d --tmpdir=$PODMAN_TMPDIR quadlet.XXXXXX)
    # Have quadlet create the systemd unit file for the network unit
    run_quadlet "$quadlet_network_file" "$quadlet_tmpdir"

    # Save the network service name since the variable will be overwritten
    local network_service=$QUADLET_SERVICE_NAME

    local quadlet_container_file=$PODMAN_TMPDIR/user_$(safename).container
    cat > $quadlet_container_file <<EOF
[Container]
Image=$IMAGE
Exec=top
Network=$quadlet_network_unit
EOF

    run_quadlet "$quadlet_container_file" "$quadlet_tmpdir"

    # Save the container service name for readability
    local container_service=$QUADLET_SERVICE_NAME

    # Network should not exist
    run_podman 1 network exists $network_name

    # Start the container service
    service_setup $container_service

    # Network system unit should be active
    run systemctl show --property=ActiveState "$network_service"
    assert "$output" = "ActiveState=active" \
           "network should be active via dependency"

    # Network should exist
    run_podman network exists $network_name

    # Stop the Network Service
    service_cleanup $network_service inactive

    # Container system unit should be active
    run systemctl show --property=ActiveState "$container_service"
    assert "$output" = "ActiveState=failed" \
           "container service should be failed via dependency"

    # Network should not exist
    run_podman 1 network exists $network_name
}

# A quadlet container depends on a quadlet network
@test "quadlet - network dependency" {
    # Save the unit name to use as the network for the container
    local quadlet_network_unit=dep_$(safename).network
    local quadlet_network_file=$PODMAN_TMPDIR/${quadlet_network_unit}
    cat > $quadlet_network_file <<EOF
[Network]
EOF

    local quadlet_tmpdir=$(mktemp -d --tmpdir=$PODMAN_TMPDIR quadlet.XXXXXX)
    # Have quadlet create the systemd unit file for the network unit
    run_quadlet "$quadlet_network_file" "$quadlet_tmpdir"

    # Save the volume service name since the variable will be overwritten
    local network_service=$QUADLET_SERVICE_NAME
    local network_name=systemd-$(basename $quadlet_network_file .network)

    local quadlet_file=$PODMAN_TMPDIR/user_$(safename).container
    cat > $quadlet_file <<EOF
[Container]
Image=$IMAGE
Exec=top
Network=$quadlet_network_unit
EOF

    run_quadlet "$quadlet_file" "$quadlet_tmpdir"

    # Save the container service name for readability
    local container_service=$QUADLET_SERVICE_NAME

    # Network should not exist
    run_podman 1 network exists $network_name

    service_setup $container_service

    # Network system unit should be active
    run systemctl show --property=ActiveState "$network_service"
    assert "$output" = "ActiveState=active" \
           "network should be active via dependency"

    # Network should exist
    run_podman network exists $network_name

    service_cleanup $QUADLET_SERVICE_NAME failed
    run_podman network rm $network_name
}

# A quadlet container depends on a named quadlet network
@test "quadlet - named network dependency" {
    # Save the unit name to use as the network for the container
    local quadlet_network_unit=dep_$(safename).network
    local quadlet_network_file=$PODMAN_TMPDIR/${quadlet_network_unit}
    cat > $quadlet_network_file <<EOF
[Network]
NetworkName=foo
EOF

    # Have quadlet create the systemd unit file for the network unit
    local quadlet_tmpdir=$(mktemp -d --tmpdir=$PODMAN_TMPDIR quadlet.XXXXXX)
    run_quadlet "$quadlet_network_file" "$quadlet_tmpdir"

    # Save the network service name since the variable will be overwritten
    local network_service=$QUADLET_SERVICE_NAME
    local network_name="foo"

    local quadlet_file=$PODMAN_TMPDIR/user_$(safename).container
    cat > $quadlet_file <<EOF
[Container]
Image=$IMAGE
Exec=top
Network=$quadlet_network_unit
EOF

    run_quadlet "$quadlet_file" "$quadlet_tmpdir"

    # Save the container service name for readability
    local container_service=$QUADLET_SERVICE_NAME
    local container_name=systemd-$(basename $quadlet_file .container)

    # Network should not exist
    run_podman 1 network exists $network_name

    service_setup $container_service

    # Network system unit should be active
    run systemctl show --property=ActiveState "$network_service"
    assert "$output" = "ActiveState=active" "network should be active via dependency"

    # Network should exist
    run_podman network exists $network_name

    # Container should be attached to defined network
    run_podman container inspect --format "{{index .NetworkSettings.Networks \"$network_name\"}}" $container_name
    assert "$output" != "<nil>" "container should be attached to network $network_name"

    service_cleanup $QUADLET_SERVICE_NAME failed
    run_podman network rm $network_name
}

@test "quadlet kube - basic" {
    # Create the YAMl file
    pod_name="p-$(safename)"
    container_name="c-$(safename)"
    yaml_source="$PODMAN_TMPDIR/basic_$(safename).yaml"
    cat >$yaml_source <<EOF
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: test
  name: $pod_name
spec:
  containers:
  - command:
    - "sh"
    args:
    - "-c"
    - "echo STARTED CONTAINER; top -b"
    image: $IMAGE
    name: $container_name
EOF

    # Create the Quadlet file
    local quadlet_file=$PODMAN_TMPDIR/basic_$(safename).kube
    cat > $quadlet_file <<EOF
[Kube]
Yaml=${yaml_source}
EOF

    run_quadlet "$quadlet_file"
    service_setup $QUADLET_SERVICE_NAME

    # Ensure we have output.
    wait_for_output "STARTED CONTAINER" $pod_name-$container_name

    run_podman container inspect  --format "{{.State.Status}}" $pod_name-$container_name
    is "$output" "running" "container should be started by systemd and hence be running"

    service_cleanup $QUADLET_SERVICE_NAME inactive
}

@test "quadlet kube - named network dependency" {
    # Save the unit name to use as the network for the container
    local quadlet_network_unit=dep_$(safename).network
    local quadlet_network_file=$PODMAN_TMPDIR/${quadlet_network_unit}
    local network_name="n-$(safename)"
    cat > $quadlet_network_file <<EOF
[Network]
NetworkName=${network_name}
EOF

    # Have quadlet create the systemd unit file for the network unit
    local quadlet_tmpdir=$(mktemp -d --tmpdir=$PODMAN_TMPDIR quadlet.XXXXXX)
    run_quadlet "$quadlet_network_file" "$quadlet_tmpdir"

    # Save the network service name since the variable will be overwritten
    local network_service=$QUADLET_SERVICE_NAME

    # Create the YAMl file
    pod_name="p-$(safename)"
    container_name="c-$(safename)"
    yaml_source="$PODMAN_TMPDIR/basic_$(safename).yaml"
    cat >$yaml_source <<EOF
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: test
  name: $pod_name
spec:
  containers:
  - command:
    - "sh"
    args:
    - "-c"
    - "echo STARTED CONTAINER; top -b"
    image: $IMAGE
    name: $container_name
EOF

    # Create the Quadlet file
    local quadlet_file=$PODMAN_TMPDIR/basic_$(safename).kube
    cat > $quadlet_file <<EOF
[Kube]
Yaml=${yaml_source}
Network=$quadlet_network_unit
EOF

    # Network should not exist
    run_podman 1 network exists $network_name

    run_quadlet "$quadlet_file" "$quadlet_tmpdir"
    service_setup $QUADLET_SERVICE_NAME

    # Network system unit should be active
    run systemctl show --property=ActiveState "$network_service"
    assert "$output" = "ActiveState=active" "network should be active via dependency"

    # Network should exist
    run_podman network exists $network_name

    # Ensure we have output.
    wait_for_output "STARTED CONTAINER" $pod_name-$container_name

    run_podman container inspect  --format "{{.State.Status}}" $pod_name-$container_name
    assert "$output" =~ "running" "container should be started by systemd and hence be running"

    # Container should be attached to defined network
    run_podman container inspect --format "{{index .NetworkSettings.Networks \"$network_name\"}}" $pod_name-$container_name
    assert "$output" != "<nil>" "container should be attached to network $network_name"

    service_cleanup $QUADLET_SERVICE_NAME inactive
    run_podman network rm $network_name
}

@test "quadlet - rootfs" {
    skip_if_no_selinux
    skip_if_rootless

    # Mount a container image to use as rootfs. Because we (may) run in
    # parallel, mount a working container, not $IMAGE
    cname="c-$(safename)"
    run_podman run -d --name $cname $IMAGE top
    run_podman container mount $cname
    mountpoint="$output"

    local quadlet_file=$PODMAN_TMPDIR/basic_$(safename).container
    cat > $quadlet_file <<EOF
[Container]
Rootfs=$mountpoint:O
Exec=sh -c "echo STARTED CONTAINER; echo "READY=1" | socat -u STDIN unix-sendto:\$NOTIFY_SOCKET; top -b"
Notify=yes
EOF

    run_quadlet "$quadlet_file"
    service_setup $QUADLET_SERVICE_NAME

    wait_for_output "STARTED CONTAINER" $QUADLET_CONTAINER_NAME

    # Done. Clean up.
    service_cleanup $QUADLET_SERVICE_NAME failed
    run_podman container unmount $cname
    run_podman rm -f -t0 $cname
}

@test "quadlet - selinux disable" {
    skip_if_no_selinux
    local quadlet_file=$PODMAN_TMPDIR/basic_$(safename).container
    cat > $quadlet_file <<EOF
[Container]
Image=$IMAGE
SecurityLabelDisable=true
Exec=sh -c "echo STARTED CONTAINER; top -b"
EOF

    run_quadlet "$quadlet_file"
    service_setup $QUADLET_SERVICE_NAME

    # Ensure we have output. Output is synced via sd-notify (socat in Exec)
    wait_for_output "STARTED CONTAINER" $QUADLET_CONTAINER_NAME

    run_podman container inspect  --format "{{.ProcessLabel}}" $QUADLET_CONTAINER_NAME
    is "$output" "" "container should be started without specifying a Process Label"

    service_cleanup $QUADLET_SERVICE_NAME failed
}

@test "quadlet - selinux labels" {
    skip_if_no_selinux
    NAME=name$(safename)
    local quadlet_file=$PODMAN_TMPDIR/basic_$(safename).container
    cat > $quadlet_file <<EOF
[Container]
ContainerName=$NAME
Image=$IMAGE
SecurityLabelType=spc_t
SecurityLabelLevel=s0:c100,c200
SecurityLabelFileType=container_ro_file_t
Exec=sh -c "echo STARTED CONTAINER; top -b"
EOF

    run_quadlet "$quadlet_file"
    service_setup $QUADLET_SERVICE_NAME

    # Ensure we have output. Output is synced via sd-notify (socat in Exec)
    wait_for_output "STARTED CONTAINER" $NAME

    run_podman container ps
    run_podman container inspect  --format "{{.ProcessLabel}}" $NAME
    is "$output" "system_u:system_r:spc_t:s0:c100,c200" "container should be started with correct Process Label"
    run_podman container inspect  --format "{{.MountLabel}}" $NAME
    is "$output" "system_u:object_r:container_ro_file_t:s0:c100,c200" "container should be started with correct Mount Label"

    service_cleanup $QUADLET_SERVICE_NAME failed
}

@test "quadlet - secret as environment variable" {
    create_secret

    local quadlet_file=$PODMAN_TMPDIR/basic_$(safename).container
    cat > $quadlet_file <<EOF
[Container]
ContainerName=$NAME
Image=$IMAGE
Secret=$SECRET_NAME,type=env,target=MYSECRET
Exec=sh -c "echo STARTED CONTAINER; echo "READY=1" | socat -u STDIN unix-sendto:\$NOTIFY_SOCKET; top -b"
Notify=yes
EOF

    run_quadlet "$quadlet_file"
    service_setup $QUADLET_SERVICE_NAME

    # Ensure we have output. Output is synced via sd-notify (socat in Exec)
    wait_for_output "STARTED CONTAINER" $QUADLET_CONTAINER_NAME

    run_podman exec $QUADLET_CONTAINER_NAME /bin/sh -c "printenv MYSECRET"
    is "$output" $SECRET

    service_cleanup $QUADLET_SERVICE_NAME failed
    remove_secret $SECRET_NAME
}

@test "quadlet - secret as a file" {
    create_secret

    local quadlet_file=$PODMAN_TMPDIR/basic_$(safename).container
    cat > $quadlet_file <<EOF
[Container]
ContainerName=$NAME
Image=$IMAGE
Secret=$SECRET_NAME,type=mount,target=/root/secret
Exec=sh -c "echo STARTED CONTAINER; echo "READY=1" | socat -u STDIN unix-sendto:\$NOTIFY_SOCKET; top -b"
Notify=yes
EOF

    run_quadlet "$quadlet_file"
    service_setup $QUADLET_SERVICE_NAME

    # Ensure we have output. Output is synced via sd-notify (socat in Exec)
    wait_for_output "STARTED CONTAINER" $QUADLET_CONTAINER_NAME

    run_podman exec $QUADLET_CONTAINER_NAME /bin/sh -c "cat /root/secret"
    is "$output" $SECRET

    service_cleanup $QUADLET_SERVICE_NAME failed
    remove_secret $SECRET_NAME
}

@test "quadlet - volume path using systemd %T specifier" {
    # "specifier" is systemd-speak for "replaceable fields"; see systemd.unit(5)
    #
    # Step 1: determine what systemd is using for %T. There does not
    # seem to be any systemctly way to find this.
    percent_t_file="${PODMAN_TMPDIR}/foo"
    local service=get-percent-t.$(safename).service
    local unitfile=${UNIT_DIR}/$service
    cat >$unitfile <<EOF
[Unit]
Description=Get the value of percent T

[Service]
ExecStart=/bin/bash -c "echo %T >$percent_t_file"
Type=oneshot
EOF
    systemctl daemon-reload
    systemctl_start --wait $service
    percent_t=$(< $percent_t_file)
    # Clean up. Don't bother to systemctl-reload, service_setup does that below.
    rm -f $unitfile

    # Sanity check: just make sure it's not "/"
    assert "${#percent_t}" -ge 4 "sanity check: length of %T ($percent_t)"

    # Step 2: Make a subdirectory in %T, and in there, a scratch file
    local tmp_path=$(mktemp -d --tmpdir=${percent_t} quadlet.volume.XXXXXX)
    local tmp_subdir=$(basename $tmp_path)
    local file_name="f$(random_string 10).txt"
    local file_content="data_$(random_string 15)"
    echo $file_content > $tmp_path/$file_name

    local quadlet_file=$PODMAN_TMPDIR/basic_$(safename).container
    cat > $quadlet_file <<EOF
[Container]
Image=$IMAGE
Volume=%T/$tmp_subdir:/test_content:Z
Exec=sh -c "echo STARTED CONTAINER; echo "READY=1" | socat -u STDIN unix-sendto:\$NOTIFY_SOCKET; top"
Notify=yes
EOF

    run_quadlet "$quadlet_file"
    service_setup $QUADLET_SERVICE_NAME

    run_podman exec $QUADLET_CONTAINER_NAME cat /test_content/$file_name
    is "$output" "$file_content" "contents of testfile in container volume"

    service_cleanup $QUADLET_SERVICE_NAME

    rm -rf $tmp_path
}

@test "quadlet - tmpfs" {
    local quadlet_file=$PODMAN_TMPDIR/basic_$(safename).container
    cat > $quadlet_file <<EOF
[Container]
Image=$IMAGE
Exec=top
Tmpfs=/tmpfs1
Tmpfs=/tmpfs2:ro
EOF

    run_quadlet "$quadlet_file"
    service_setup $QUADLET_SERVICE_NAME

    run_podman container inspect  --format '{{index .HostConfig.Tmpfs "/tmpfs1"}}' $QUADLET_CONTAINER_NAME
    is "$output" "rprivate,nosuid,nodev,tmpcopyup" "regular tmpfs mount"

    run_podman container inspect  --format '{{index .HostConfig.Tmpfs "/tmpfs2"}}' $QUADLET_CONTAINER_NAME
    is "$output" "ro,rprivate,nosuid,nodev,tmpcopyup" "read-only tmpfs mount"

    run_podman container inspect  --format '{{index .HostConfig.Tmpfs "/tmpfs3"}}' $QUADLET_CONTAINER_NAME
    is "$output" "" "nonexistent tmpfs mount"

    service_cleanup $QUADLET_SERVICE_NAME failed
}

@test "quadlet - userns" {
    local quadlet_file=$PODMAN_TMPDIR/basic_$(safename).container
    cat > $quadlet_file <<EOF
[Container]
Image=$IMAGE
Exec=top
UserNS=keep-id:uid=200,gid=210
EOF

    run_quadlet "$quadlet_file"
    service_setup $QUADLET_SERVICE_NAME

    run_podman container inspect --format '{{.Config.CreateCommand}}' $QUADLET_CONTAINER_NAME
    is "${output/* --userns keep-id:uid=200,gid=210 */found}" "found"

    service_cleanup $QUADLET_SERVICE_NAME failed
}

@test "quadlet - exit-code propagation" {
   pod_name="p-$(safename)"
   container_name="c-$(safename)"
   exit_tests="
all  | true  | 0   | inactive
all  | false | 137 | failed
none | false | 0   | inactive
"
   while read exit_code_prop cmd exit_code service_state; do
      local basename=propagate-${exit_code_prop}-${cmd}_$(safename)
      local quadlet_file=$PODMAN_TMPDIR/$basename.kube
      local yaml_file=$PODMAN_TMPDIR/$basename.yaml

      cat > $yaml_file <<EOF
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: test
  name: $pod_name
spec:
  restartPolicy: Never
  containers:
    - name: $container_name
      image: $IMAGE
      command:
      - $cmd
EOF
       cat > $quadlet_file <<EOF
[Kube]
Yaml=$yaml_file
ExitCodePropagation=$exit_code_prop
LogDriver=journald
EOF

      run_quadlet "$quadlet_file"
      run systemctl status $QUADLET_SERVICE_NAME

      yaml_sha=$(sha256sum $yaml_file)
      service_container="${yaml_sha:0:12}-service"

      service_setup $QUADLET_SERVICE_NAME

      # Ensure we have output. Output is synced via sd-notify (socat in Exec)
      # When running under heavy load (e.g. parallel tests), it
      # may take a little while for service to reach Started
      for tries in $(seq 1 5); do
          run journalctl "--since=$STARTED_TIME" --unit="$QUADLET_SERVICE_NAME"
          if [[ "$output" =~ "Started.*\.service" ]]; then
              break
          fi
          sleep 1
      done
      is "$output" '.*Started.*\.service.*'

      # Opportunistic test: confirm that the Propagation field got set.
      # This is racy, because the container is short-lived and quadlet
      # cleans up on exit (via kube-down in ExecStopPost). So we use '?'
      # and only check output if the inspect succeeds.
      run_podman '?' container inspect --format '{{.KubeExitCodePropagation}}' $service_container
      if [[ $status -eq 0 ]]; then
          is "$output" "$exit_code_prop" \
             "$basename: service container has the expected policy set in its annotations"
      else
          assert "$output" =~ "no such container \"$service_container\"" \
                 "$basename: unexpected error from podman container inspect"
      fi

      # Container must stop of its own accord before we call service_cleanup(),
      # otherwise the 'systemctl stop' there may affect the unit's status.
      # Again, use '?' to handle the abovementioned race condition.
      run_podman '?' wait $service_container
      if [[ $status -eq 0 ]]; then
          assert "$output" = "$exit_code" \
                 "$basename: service container reflects expected exit code"
      else
          assert "$output" =~ "no container with name or ID" \
                 "$basename: unexpected error from podman wait"
      fi

      # This is the actual propagation check
      service_cleanup $QUADLET_SERVICE_NAME $service_state
      run_podman ps -a
      assert "$output" !~ "$(safename)" \
             "all containers are cleaned up even in case of errors"
   done < <(parse_table "$exit_tests")
}

@test "quadlet kube - Working Directory" {
    yaml_source="$PODMAN_TMPDIR/basic_$(safename).yaml"
    local_path=local_path$(random_string)
    pod_name="p-$(safename)"
    container_name="c-$(safename)"

    cat >$yaml_source <<EOF
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: test
  name: $pod_name
spec:
  containers:
  - command:
    - "sh"
    args:
    - "-c"
    - "echo STARTED CONTAINER; top -b"
    image: $IMAGE
    name: $container_name
    volumeMounts:
    - mountPath: /test
      name: test-volume
  volumes:
  - name: test-volume
    hostPath:
      # directory location on host
      path: ./$local_path
      # this field is optional
      type: DirectoryOrCreate
EOF

    # Create the Quadlet file
    local quadlet_file=$PODMAN_TMPDIR/basic_$(safename).kube
    cat > $quadlet_file <<EOF
[Kube]
Yaml=${yaml_source}
SetWorkingDirectory=yaml
EOF

    run_quadlet "$quadlet_file"
    service_setup $QUADLET_SERVICE_NAME

    # Ensure we have output.
    wait_for_output "STARTED CONTAINER" $pod_name-$container_name

    run_podman container inspect  --format "{{.State.Status}}" $pod_name-$container_name
    is "$output" "running" "container should be started by systemd and hence be running"

    run_podman ps

    run_podman exec $pod_name-$container_name /bin/sh -c "echo hello > /test/test.txt"
    is $(cat $PODMAN_TMPDIR/$local_path/test.txt) "hello"

    service_cleanup $QUADLET_SERVICE_NAME inactive
}

# https://github.com/containers/podman/issues/20667
@test "quadlet kube - start error" {
    local port=$(random_free_port)
    # Create the YAMl file
    pod_name="p-$(safename)"
    container_name="c-$(safename)"
    yaml_source="$PODMAN_TMPDIR/start_err$(safename).yaml"
    cat >$yaml_source <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $pod_name
spec:
  containers:
  - command:
    - "top"
    image: $IMAGE
    name: $container_name
    ports:
    - containerPort: 80
      hostPort: $port
EOF

    # Bind the port to force a an error when starting the pod
    timeout --foreground -v --kill=10 10 socat TCP-LISTEN:$port,bind=127.0.0.1,fork - &
    socat_pid=$!

    # Create the Quadlet file
    local quadlet_file=$PODMAN_TMPDIR/start_err_$(safename).kube
    cat > $quadlet_file <<EOF
[Kube]
Yaml=${yaml_source}
EOF

    run_quadlet "$quadlet_file"

    run -0 systemctl daemon-reload

    echo "$_LOG_PROMPT systemctl start $QUADLET_SERVICE_NAME"
    run systemctl start $QUADLET_SERVICE_NAME
    echo $output
    assert $status -eq 1 "systemctl start should report failure"

    run -0 systemctl show --property=ActiveState $QUADLET_SERVICE_NAME
    assert "$output" == "ActiveState=failed" "unit must be in failed state"

    echo "$_LOG_PROMPT journalctl -u $QUADLET_SERVICE_NAME"
    run -0 journalctl -eu $QUADLET_SERVICE_NAME
    assert "$output" =~ "$port: bind: address already in use" "journal contains the real podman start error"

    kill "$socat_pid"
}

# https://github.com/containers/podman/issues/25786
@test "quadlet kube - pod without containers" {
    local port=$(random_free_port)
    # Create the YAML file
    pod_name="p-$(safename)"
    yaml_source="$PODMAN_TMPDIR/no_cons_$(safename).yaml"
    cat >$yaml_source <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $pod_name
EOF

    # Create the Quadlet file
    local quadlet_file=$PODMAN_TMPDIR/no_cons_$(safename).kube
    cat > $quadlet_file <<EOF
[Kube]
Yaml=${yaml_source}
EOF

    run_quadlet "$quadlet_file"
    service_setup $QUADLET_SERVICE_NAME

    run_podman pod ps --format "{{.Name}}--{{.Status}}"
    assert "$output" =~ "$pod_name--Running" "pod is running"

    service_cleanup $QUADLET_SERVICE_NAME inactive
}

@test "quadlet - image files" {
    local quadlet_tmpdir=$PODMAN_TMPDIR/quadlets

    local registry=localhost:${PODMAN_LOGIN_REGISTRY_PORT}
    local image_for_test=$registry/i-$(safename):$(random_string)
    local authfile=$PODMAN_TMPDIR/authfile.json

    local quadlet_image_unit=image_test_$(safename).image
    local quadlet_image_file=$PODMAN_TMPDIR/$quadlet_image_unit
    cat > $quadlet_image_file <<EOF
[Image]
Image=$image_for_test
AuthFile=$authfile
TLSVerify=false
EOF

    local quadlet_volume_unit=image_test_$(safename).volume
    local quadlet_volume_file=$PODMAN_TMPDIR/$quadlet_volume_unit
    local volume_name=systemd-$(basename $quadlet_volume_file .volume)
    cat > $quadlet_volume_file <<EOF
[Volume]
Driver=image
Image=$quadlet_image_unit
EOF

    local quadlet_container_unit=image_test_$(safename).container
    local quadlet_container_file=$PODMAN_TMPDIR/$quadlet_container_unit
    cat > $quadlet_container_file <<EOF
[Container]
Image=$quadlet_image_unit
Volume=$quadlet_volume_unit:/vol
Exec=sh -c "echo STARTED CONTAINER; echo "READY=1" | socat -u STDIN unix-sendto:\$NOTIFY_SOCKET; sleep inf"
EOF

    # In order to test image pull but without possible Network issues,
    # this test uses an additional registry.
    # Start the registry and populate the authfile that we can use for the test.
    start_registry
    run_podman login --authfile=$authfile \
        --tls-verify=false \
        --username ${PODMAN_LOGIN_USER} \
        --password ${PODMAN_LOGIN_PASS} \
        $registry

    # Generate a test image and push it to the registry.
    # For safety in parallel runs, test image must be isolated
    # from $IMAGE. A simple add-tag will not work. (#23756)
    run_podman create -q $IMAGE true
    local tmpcid=$output
    run_podman commit -q $tmpcid $image_for_test
    run_podman rm $tmpcid
    run_podman image push --tls-verify=false --authfile=$authfile $image_for_test

    # Remove the local image to make sure it will be pulled again
    run_podman image rm --ignore $image_for_test

    # Use the same directory for all quadlet files to make sure later steps access previous ones
    mkdir $quadlet_tmpdir

    # Have quadlet create the systemd unit file for the image unit
    run_quadlet "$quadlet_image_file" "$quadlet_tmpdir"
    # Save the image service name since the variable will be overwritten
    local image_service=$QUADLET_SERVICE_NAME

    # Have quadlet create the systemd unit file for the volume unit
    run_quadlet "$quadlet_volume_file" "$quadlet_tmpdir"
    # Save the image service name since the variable will be overwritten
    local volume_service=$QUADLET_SERVICE_NAME

    # Image should not exist
    run_podman 1 image exists ${image_for_test}
    # Volume should not exist
    run_podman 1 volume exists ${volume_name}

    # Have quadlet create the systemd unit file for the image unit
    run_quadlet "$quadlet_container_file" "$quadlet_tmpdir"
    local container_service=$QUADLET_SERVICE_NAME
    local container_name=$QUADLET_CONTAINER_NAME

    service_setup $container_service

    # Image system unit should be active
    run systemctl show --property=ActiveState "$image_service"
    assert "$output" = "ActiveState=active" \
           "quadlet - image files: image should be active via dependency but is not"

    # Volume system unit should be active
    run systemctl show --property=ActiveState "$volume_service"
    assert "$output" = "ActiveState=active" \
           "quadlet - image files: volume should be active via dependency but is not"

    # Image should exist
    run_podman image exists ${image_for_test}

    # Volume should exist
    run_podman volume exists ${volume_name}

    # Verify that the volume was created correctly
    run_podman volume inspect --format "{{ .Driver }}" $volume_name
    assert "$output" = "image" \
           "quadlet - image files: volume driver should be image"

    run_podman volume inspect --format "{{ .Options.image }}" $volume_name
    assert "$output" = "$image_for_test" \
           "quadlet - image files: the image for the volume should be $image_for_test"

    # Verify that the container mounts the volume
    run_podman container inspect --format "{{(index .Mounts 0).Type}}" $container_name
    assert "$output" = "volume" \
           "quadlet - image files: container should be attached to a volume of type volume"

    run_podman container inspect --format "{{(index .Mounts 0).Name}}" $container_name
    assert "$output" = "$volume_name" \
           "quadlet - image files: container should be attached to the volume named $volume_name"

    run_podman exec $QUADLET_CONTAINER_NAME cat /home/podman/testimage-id
    assert "$output" = $PODMAN_TEST_IMAGE_TAG \
           "quadlet - image files: incorrect testimage-id in root"

    run_podman exec $QUADLET_CONTAINER_NAME cat /vol/home/podman/testimage-id
    assert "$output" = $PODMAN_TEST_IMAGE_TAG \
            "quadlet - image files: incorrect testimage-id in bound volume"

    # Shutdown the service and remove the volume
    service_cleanup $container_service failed
    run_podman volume rm $volume_name
    run_podman image rm --ignore $image_for_test
}

@test "quadlet - kube oneshot" {
    local quadlet_tmpdir=$PODMAN_TMPDIR/quadlets
    local test_random_string=r_$(safename)

    local quadlet_kube_volume_name=test-volume_$test_random_string
    local quadlet_kube_volume_yaml_file=$PODMAN_TMPDIR/volume_$test_random_string.yaml
    cat > $quadlet_kube_volume_yaml_file <<EOF
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: $quadlet_kube_volume_name
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
EOF

    local quadlet_kube_volume_unit_file=$PODMAN_TMPDIR/volume_$test_random_string.kube
    cat > $quadlet_kube_volume_unit_file <<EOF
[Kube]
Yaml=$quadlet_kube_volume_yaml_file

[Service]
Type=oneshot
RemainAfterExit=yes
EOF

    local pod_name="p-$(safename)"
    local container_name="c-$(safename)"
    local quadlet_kube_pod_yaml_file=$PODMAN_TMPDIR/pod_$test_random_string.yaml
    cat > $quadlet_kube_pod_yaml_file <<EOF
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: test
  name: $pod_name
spec:
  containers:
  - command:
    - "sh"
    args:
    - "-c"
    - "echo STARTED CONTAINER; top -b"
    image: $IMAGE
    name: $container_name
    volumeMounts:
    - name: storage
      mountPath: /mnt/storage
  volumes:
  - name: storage
    persistentVolumeClaim:
      claimName: $quadlet_kube_volume_name
EOF

    # Use the same directory for all quadlet files to make sure later steps access previous ones
    mkdir $quadlet_tmpdir

    # Have quadlet create the systemd unit file for the kube based volume unit
    run_quadlet "$quadlet_kube_volume_unit_file" "$quadlet_tmpdir"
    # Save the volume service name since the variable will be overwritten
    local volume_service=$QUADLET_SERVICE_NAME

    # Volume should not exist
    run_podman 1 volume exists ${quadlet_kube_volume_name}

    local quadlet_kube_pod_unit_file=$PODMAN_TMPDIR/pod_$test_random_string.kube
    cat > $quadlet_kube_pod_unit_file <<EOF
[Kube]
Yaml=$quadlet_kube_pod_yaml_file

[Unit]
Requires=$volume_service
After=$volume_service
EOF

    # Have quadlet create the systemd unit file for the pod unit
    run_quadlet "$quadlet_kube_pod_unit_file" "$quadlet_tmpdir"
    local pod_service=$QUADLET_SERVICE_NAME

    service_setup $pod_service

    # Volume system unit should be active
    run systemctl show --property=ActiveState "$volume_service"
    assert "$output" = "ActiveState=active" \
           "quadlet - kube oneshot: volume should be active via dependency but is not"

    # Volume should exist
    run_podman volume exists ${quadlet_kube_volume_name}

    run_podman container inspect --format "{{(index .Mounts 0).Type}}" $pod_name-$container_name
    assert "$output" = "volume" \
           "quadlet - kube oneshot: volume .Type"

    run_podman container inspect --format "{{(index .Mounts 0).Name}}" $pod_name-$container_name
    assert "$output" = "$quadlet_kube_volume_name" \
           "quadlet - kube oneshot: volume .Name"

    # Shutdown the service and remove the volume
    service_cleanup $pod_service inactive
    run_podman volume rm $quadlet_kube_volume_name
}

@test "quadlet - kube down force" {
    local test_random_string=$(random_string)

    local quadlet_kube_volume_name=test-volume_$test_random_string
    local pod_name="p-$(safename)"
    local container_name="c-$(safename)"
    local quadlet_kube_pod_yaml_file=$PODMAN_TMPDIR/pod_$test_random_string.yaml
    cat > $quadlet_kube_pod_yaml_file <<EOF
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: $quadlet_kube_volume_name
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: test
  name: $pod_name
spec:
  containers:
  - command:
    - "sh"
    args:
    - "-c"
    - "echo STARTED CONTAINER; top -b"
    image: $IMAGE
    name: $container_name
    volumeMounts:
    - name: storage
      mountPath: /mnt/storage
  volumes:
  - name: storage
    persistentVolumeClaim:
      claimName: $quadlet_kube_volume_name
EOF

    local quadlet_kube_pod_unit_file=$PODMAN_TMPDIR/pod_$test_random_string.kube
    cat > $quadlet_kube_pod_unit_file <<EOF
[Kube]
Yaml=$quadlet_kube_pod_yaml_file
KubeDownForce=true
EOF

    # Have quadlet create the systemd unit file for the pod unit
    run_quadlet "$quadlet_kube_pod_unit_file" "$quadlet_tmpdir"
    local pod_service=$QUADLET_SERVICE_NAME

    # Volume should not exist
    run_podman 1 volume exists ${quadlet_kube_volume_name}

    service_setup $pod_service

    # Volume should exist
    run_podman volume exists ${quadlet_kube_volume_name}

    run_podman container inspect --format "{{(index .Mounts 0).Type}}" $pod_name-$container_name
    assert "$output" = "volume" \
           "quadlet - kube oneshot: volume .Type"

    run_podman container inspect --format "{{(index .Mounts 0).Name}}" $pod_name-$container_name
    assert "$output" = "$quadlet_kube_volume_name" \
           "quadlet - kube oneshot: volume .Name"

    # Shutdown the service
    service_cleanup $pod_service failed

    # Volume should not exist
    run_podman 1 volume exists ${quadlet_kube_volume_name}
}

@test "quadlet - image tag" {
    local quadlet_tmpdir=$PODMAN_TMPDIR/quadlets
    local archive_file=$PODMAN_TMPDIR/archive-file.tar
    local image_for_test=localhost/i-$(safename):$(random_string)

    local quadlet_image_unit=image_test_$(safename).image
    local quadlet_image_file=$PODMAN_TMPDIR/$quadlet_image_unit
    cat > $quadlet_image_file <<EOF
[Image]
Image=docker-archive:$archive_file
ImageTag=$image_for_test
EOF

    local quadlet_volume_unit=image_test_$(safename).volume
    local quadlet_volume_file=$PODMAN_TMPDIR/$quadlet_volume_unit
    local volume_name=systemd-$(basename $quadlet_volume_file .volume)
    cat > $quadlet_volume_file <<EOF
[Volume]
Driver=image
Image=$quadlet_image_unit
EOF

    local quadlet_container_unit=image_test_$(safename).container
    local quadlet_container_file=$PODMAN_TMPDIR/$quadlet_container_unit
    cat > $quadlet_container_file <<EOF
[Container]
Image=$IMAGE
Exec=sh -c "echo STARTED CONTAINER; echo "READY=1" | socat -u STDIN unix-sendto:\$NOTIFY_SOCKET; sleep inf"
Volume=$quadlet_volume_unit:/vol
EOF

    # Generate a test image, save it into a file, and remove it.
    # For safety in parallel runs, test image must be isolated
    # from $IMAGE. A simple add-tag will not work. (#23756)
    run_podman create -q $IMAGE true
    local tmpcid=$output
    run_podman commit -q $tmpcid $image_for_test
    run_podman rm $tmpcid
    run_podman image save --format docker-archive --output $archive_file $image_for_test
    run_podman image rm $image_for_test

    # Use the same directory for all quadlet files to make sure later steps access previous ones
    mkdir $quadlet_tmpdir

    # Have quadlet create the systemd unit file for the image unit
    run_quadlet "$quadlet_image_file" "$quadlet_tmpdir"
    # Save the image service name since the variable will be overwritten
    local image_service=$QUADLET_SERVICE_NAME

    # Have quadlet create the systemd unit file for the volume unit
    run_quadlet "$quadlet_volume_file" "$quadlet_tmpdir"
    # Save the image service name since the variable will be overwritten
    local volume_service=$QUADLET_SERVICE_NAME

    # Image should not exist
    run_podman 1 image exists ${image_for_test}
    # Volume should not exist
    run_podman 1 volume exists ${volume_name}

    # Have quadlet create the systemd unit file for the image unit
    run_quadlet "$quadlet_container_file" "$quadlet_tmpdir"
    local container_service=$QUADLET_SERVICE_NAME
    local container_name=$QUADLET_CONTAINER_NAME

    service_setup $container_service

    # Image system unit should be active
    run systemctl show --property=ActiveState "$image_service"
    assert "$output" = "ActiveState=active" \
           "quadlet - image tag: image service ActiveState"

    # Volume system unit should be active
    run systemctl show --property=ActiveState "$volume_service"
    assert "$output" = "ActiveState=active" \
           "quadlet - image tag: volume service ActiveState"

    # Image should exist
    run_podman image exists ${image_for_test}

    # Volume should exist
    run_podman volume exists ${volume_name}

    run_podman exec $QUADLET_CONTAINER_NAME cat /vol/home/podman/testimage-id
    assert "$output" = $PODMAN_TEST_IMAGE_TAG \
            "quadlet - image files: incorrect testimage-id in bound volume"

    # Shutdown the service and remove the image
    service_cleanup $container_service failed
    run_podman volume rm $volume_name
    run_podman image rm --ignore $image_for_test
}

@test "quadlet - pod simple" {
    local quadlet_tmpdir=$PODMAN_TMPDIR/quadlets

    local test_pod_name=pod_test_$(safename)
    local quadlet_pod_unit=$test_pod_name.pod
    local quadlet_pod_file=$PODMAN_TMPDIR/$quadlet_pod_unit
    cat > $quadlet_pod_file <<EOF
[Pod]
PodName=$test_pod_name
EOF

    local quadlet_container_unit=pod_test_$(safename).container
    local quadlet_container_file=$PODMAN_TMPDIR/$quadlet_container_unit
    cat > $quadlet_container_file <<EOF
[Container]
Image=$IMAGE
# Note it is important that the trap is before the ready message,
# otherwise the signal handler may not registered in time before we do systemctl stop.
Exec=sh -c "echo STARTED CONTAINER; trap 'exit' SIGTERM; echo "READY=1" | socat -u STDIN unix-sendto:\$NOTIFY_SOCKET; while :; do sleep 0.1; done"
Pod=$quadlet_pod_unit
Notify=yes
EOF

    # Use the same directory for all quadlet files to make sure later steps access previous ones
    mkdir $quadlet_tmpdir

    # Have quadlet create the systemd unit file for the pod unit
    run_quadlet "$quadlet_pod_file" "$quadlet_tmpdir"
    # Save the pod service name since the variable will be overwritten
    local pod_service=$QUADLET_SERVICE_NAME

    # Have quadlet create the systemd unit file for the container unit
    run_quadlet "$quadlet_container_file" "$quadlet_tmpdir"
    local container_service=$QUADLET_SERVICE_NAME
    local container_name=$QUADLET_CONTAINER_NAME

    # Start the pod service
    service_setup $pod_service

    # Pod should exist
    run_podman pod exists ${test_pod_name}

    # Pod exit policy should be stop by default
    run_podman pod inspect --format "{{.ExitPolicy}}" ${test_pod_name}
    assert "$output" = "stop" \
            "quadlet - pod: default ExitPolicy should be stop"

    # Wait for systemd to activate the container service
    wait_for_command_output "systemctl show --property=ActiveState $container_service" "ActiveState=active"

    # Container should exist
    run_podman container exists ${container_name}

    # Shutdown the service
    service_cleanup $pod_service inactive

    # It might take a few seconds to go inactive, esp. under heavy load
    for tries in $(seq 1 5); do
        run systemctl show --property=ActiveState "$container_service"
        if [[ "$output" = "ActiveState=inactive" ]]; then
            break
        fi
        sleep 1
    done
    assert "ActiveState=inactive" \
           "quadlet - pod base: container service ActiveState"

    # Container should not exist
    run_podman 1 container exists ${container_name}
}

# This test reproduces https://github.com/containers/podman/issues/20432
# In order to reproduce the issue, the image in the FROM must no be available locally
# and must not have a tag. The first forces Pull and the second the resolution where the crash occurs
# Using a local registry does not work since kube play does not pass the autofile and tls-verify flags to the build
@test "quadlet - kube build from unavailable image with no tag" {
    local quadlet_tmpdir=$PODMAN_TMPDIR/quadlets

    # FIXME: how to make this parallel-safe? Can we?
    local untagged_image=quay.io/libpod/busybox
    local built_image="built-$(safename)"
    local yaml_dir=$quadlet_tmpdir/$built_image
    local build_dir=$yaml_dir/$built_image

    # Use the same directory for all quadlet files to make sure later steps access previous ones
    mkdir -p $build_dir

    container_file_path=$build_dir/Containerfile
    cat >$container_file_path << EOF
FROM $untagged_image
EOF

    # Create the YAMl file
    pod_name="p-$(safename)"
    container_name="c-$(safename)"
    yaml_source="$yaml_dir/build_$(safename).yaml"
    cat >$yaml_source <<EOF
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: test
  name: $pod_name
spec:
  containers:
  - command:
    - "sh"
    args:
    - "-c"
    - "echo STARTED CONTAINER; sleep inf"
    image: $built_image
    name: $container_name
EOF

    # Create the Quadlet file
    local quadlet_file=$quadlet_tmpdir/build_$(safename).kube
    cat > $quadlet_file <<EOF
[Kube]
Yaml=${yaml_source}
PodmanArgs=--build
SetWorkingDirectory=yaml
EOF

    # Make sure the tagged image is not locally available
    run_podman rmi -i $untagged_image:latest

    run_quadlet "$quadlet_file"
    service_setup $QUADLET_SERVICE_NAME

    # Ensure we have output.
    wait_for_output "STARTED CONTAINER" $pod_name-$container_name

    run_podman container inspect  --format "{{.State.Status}}" $pod_name-$container_name
    is "$output" "running" "container should be started by systemd and hence be running"

    service_cleanup $QUADLET_SERVICE_NAME inactive
    run_podman rmi $untagged_image:latest $built_image
}

@test "quadlet - drop-in files" {
    local quadlet_tmpdir="${PODMAN_TMPDIR}/dropins"

    local quadlet_file="truncated-$(safename).container"

    local -A dropin_dirs=(
        [toplevel]=container.d
        [truncated]=truncated-.container.d
        [quadlet]="${quadlet_file}.d"
    )

    # Table of drop-in .conf files. Format is:
    #
    #    apply | dir | parent dir (optional) | filename | [Section] | Content=...
    #
    # The parent dir used as regression test for https://github.com/containers/podman/issues/26555
    local dropin_files="
y | toplevel  |        | 10 | [Unit]      | Description=Test File for Dropin Configuration
n | toplevel  |        | 99 | [Install]   | WantedBy=default.target
y | truncated |        | 50 | [Container] | ContainerName=truncated-dropins
n | truncated |        | 99 | [Service]   | Restart=always
n | truncated |        | 99 | [Install]   | WantedBy=multiuser.target
y | quadlet   |        | 99 | [Service]   | RestartSec=60s
n | toplevel  |        | 30 | [Service]   | Environment=test=wrong
y | truncated | subdir | 30 | [Service]   | Environment=test=right
"

    # Pass 1: Create all drop-in directories and files
    while read apply dir parent file section content; do
        # By default parent will be '' when left empty in the table and not actually an empty string,
        # make sure we set it to an empty string instead.
        if [[ "$parent" == "''" ]]; then
            parent=""
        fi
        # Parent can be empty which is fine, dir//file is the same as dir/file and what we want here.
        local d="${quadlet_tmpdir}/$parent/${dropin_dirs[${dir}]}"
        mkdir -p "${d}"

        local f="${d}/${file}.conf"
        echo "${section}" >>"${f}"
        echo "${content}" >>"${f}"
    done < <(parse_table "${dropin_files}")

    # Create the base quadlet file
    quadlet_base="${PODMAN_TMPDIR}/${quadlet_file}"
    cat > "${quadlet_base}" <<EOF
[Container]
Image="${IMAGE}"
EOF

    # Generate the quadlet file from the base file and any drop-in .conf files.
    run_quadlet "${quadlet_base}" "${quadlet_tmpdir}"

    # Pass 2: test whether the expected .conf files are applied
    # and the overridden .conf files are not.
    while read apply dir parent file section content; do
        if [[ "$parent" == "''" ]]; then
            parent=""
        fi
        if [[ "${apply}" = "y" ]]; then
            assert "${QUADLET_SERVICE_CONTENT}" =~ "${content}" "Set in ${parent}/${dir}/${file}.conf"
        else
            assert "${QUADLET_SERVICE_CONTENT}" !~ "${content}" "Set in ${parent}/${dir}/${file}.conf but should have been overridden"
        fi
    done < <(parse_table "${dropin_files}")
}

# Following issue: https://github.com/containers/podman/issues/24599
# Make sure future changes do not break
@test "quadlet - build with pull" {
    local quadlet_tmpdir=$PODMAN_TMPDIR/quadlets

    mkdir $quadlet_tmpdir

    local container_file_path=$quadlet_tmpdir/Containerfile
    cat >$container_file_path << EOF
FROM $IMAGE
EOF

    local image_tag=quay.io/i-$(safename):$(random_string)
    local quadlet_file=$PODMAN_TMPDIR/pull_$(safename).build
    cat >$quadlet_file << EOF
[Build]
ImageTag=$image_tag
File=$container_file_path
Pull=never
EOF

    run_quadlet "$quadlet_file"
    service_setup $QUADLET_SERVICE_NAME "wait"

    run_podman rmi -i $image_tag
}
# vim: filetype=sh