summaryrefslogtreecommitdiff
path: root/test
diff options
context:
space:
mode:
authorValentin Rothberg <rothberg@redhat.com>2021-11-23 11:08:31 +0100
committerValentin Rothberg <rothberg@redhat.com>2021-11-30 14:22:52 +0100
commit5bdd571b1e46f26e23f030456efb009cbb765e4c (patch)
treeadad2324e3c5f094785a411cb537d8f922a3fafc /test
parent8de68b170716dd1293c5a044f3e9cfd962fdbfb1 (diff)
downloadpodman-5bdd571b1e46f26e23f030456efb009cbb765e4c.tar.gz
podman-5bdd571b1e46f26e23f030456efb009cbb765e4c.tar.bz2
podman-5bdd571b1e46f26e23f030456efb009cbb765e4c.zip
compat API: allow enforcing short-names resolution to Docker Hub
The Docker-compatible REST API has historically behaved just as the rest of Podman and Buildah (and the atomic Docker in older RHEL/Fedora) where `containers-registries.conf` is centrally controlling which registries a short name may resolve to during pull or local image lookups. Please refer to a blog for more details [1]. Docker, however, is only resolving short names to docker.io which has been reported (see #12320) to break certain clients who rely on this behavior. In order to support this scenario, `containers.conf(5)` received a new option to control whether Podman's compat API resolves to docker.io only or behaves as before. Most endpoints allow for directly normalizing parameters that represent an image. If set in containers.conf, Podman will then normalize the references directly to docker.io. The build endpoint is an outlier since images are also referenced in Dockerfiles. The Buildah API, however, supports specifying a custom `types.SystemContext` in which we can set a field that enforces short-name resolution to docker.io in `c/image/pkg/shortnames`. Notice that this a "hybrid" approach of doing the normalization directly in the compat endpoints *and* in `pkg/shortnames` by passing a system context. Doing such a hybrid approach is neccessary since the compat and the libpod endpoints share the same `libimage.Runtime` which makes a global enforcement via the `libimage.Runtime.systemContext` impossible. Having two separate runtimes for the compat and the libpod endpoints seems risky and not generally applicable to all endpoints. [1] https://www.redhat.com/sysadmin/container-image-short-names Fixes: #12320 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Diffstat (limited to 'test')
-rw-r--r--test/apiv2/12-imagesMore.at3
-rw-r--r--test/apiv2/70-short-names.at148
-rw-r--r--test/apiv2/containers.conf8
3 files changed, 157 insertions, 2 deletions
diff --git a/test/apiv2/12-imagesMore.at b/test/apiv2/12-imagesMore.at
index 144b83194..3a5d5c096 100644
--- a/test/apiv2/12-imagesMore.at
+++ b/test/apiv2/12-imagesMore.at
@@ -47,8 +47,7 @@ t POST "images/localhost:5000/myrepo/push?tlsVerify=false&tag=mytag" 200
t POST "libpod/images/$iid/untag?repo=localhost:5000/myrepo&tag=mytag" 201
# Try to push non-existing image
-t POST "images/localhost:5000/idonotexist/push?tlsVerify=false" 200
-jq -re 'select(.errorDetail)' <<<"$output" &>/dev/null || echo -e "${red}not ok: error message not found in output${nc}" 1>&2
+t POST "images/localhost:5000/idonotexist/push?tlsVerify=false" 404
t GET libpod/images/$IMAGE/json 200 \
.RepoTags[-1]=$IMAGE
diff --git a/test/apiv2/70-short-names.at b/test/apiv2/70-short-names.at
new file mode 100644
index 000000000..a5087c115
--- /dev/null
+++ b/test/apiv2/70-short-names.at
@@ -0,0 +1,148 @@
+# -*- sh -*-
+#
+# Tests for exercising short-name resolution in the compat API.
+#
+
+# Pull the libpod/quay image which is used in all tests below.
+t POST "images/create?fromImage=quay.io/libpod/alpine:latest" 200 .error~null .status~".*Download complete.*"
+
+
+########## TAG
+
+t POST "images/quay.io/libpod/alpine/tag?repo=foo" 201
+t DELETE "images/foo" 200
+
+
+########## BUILD
+
+function test_build {
+ from=$1
+ tag=$2
+ fqn=$3
+
+ TMPD=$(mktemp -d podman-apiv2-test.build.XXXXXXXX)
+ CONTAINERFILE_TAR="${TMPD}/containerfile.tar"
+ cat > $TMPD/containerfile << EOF
+FROM $from
+RUN touch /foo
+EOF
+ tar --format=posix -C $TMPD -cvf ${CONTAINERFILE_TAR} containerfile &> /dev/null
+
+ curl -XPOST --data-binary @<(cat $CONTAINERFILE_TAR) \
+ -H "content-type: application/x-tar" \
+ --dump-header "${TMPD}/headers.txt" \
+ -o "${TMPD}/response.txt" \
+ "http://$HOST:$PORT/build?dockerfile=containerfile&t=$tag" &> /dev/null
+
+ if ! grep -q '200 OK' "${TMPD}/headers.txt"; then
+ cat "${TMPD}/headers.txt"
+ cat "${TMPD}/response.txt"
+ echo -e "${red}NOK: Image build from tar failed response was not 200 OK (application/x-tar)"
+ exit 1
+ fi
+
+ rm -rf $TMPD
+ t DELETE "images/$fqn" 200
+}
+
+t POST "images/quay.io/libpod/alpine/tag?repo=foo" 201
+test_build foo bar "docker.io/library/bar:latest"
+t DELETE "images/foo" 200
+
+
+########## TAG
+
+# Looking up 'alpine' will fail as it gets normalized to docker.io.
+t POST "images/alpine/tag?repo=foo" 404 .cause="image not known"
+
+# The libpod endpoint will resolve to it without issues.
+t GET "libpod/images/alpine/exists" 204
+
+# Now let's tag the image with 'foo'. Remember, it will be normalized to
+# docker.io/library/foo.
+t GET "libpod/images/docker.io/library/foo/exists" 404
+t POST "images/quay.io/libpod/alpine/tag?repo=foo" 201
+t GET "libpod/images/docker.io/library/foo/exists" 204
+
+
+########## REMOVE
+
+t DELETE "images/alpine" 404 .cause="image not known" # fails since docker.io/library/alpine does not exist
+t DELETE "images/foo" 200 # removes the previously tagged image
+
+
+########## GET
+
+# Same procedure as above but with the /get endpoint.
+t GET "images/alpine/get" 404 .cause="image not known"
+t POST "images/quay.io/libpod/alpine/tag?repo=foo" 201
+t GET "images/foo/get" 200 '[POSIX tar archive]'
+t DELETE "images/foo" 200
+
+
+########## HISTORY
+
+t GET "images/alpine/history" 404 .cause="image not known"
+t GET "images/quay.io/libpod/alpine/history" 200
+t POST "images/quay.io/libpod/alpine/tag?repo=foo" 201
+t GET "libpod/images/foo/history" 200
+t DELETE "images/foo" 200
+
+
+########## PUSH
+
+t POST "images/alpine/push?destination=localhost:9999/do/not:exist" 404 .cause="image not known"
+t POST "images/quay.io/libpod/alpine/push?destination=localhost:9999/do/not:exist" 200 # Error is in the response
+t POST "images/quay.io/libpod/alpine/tag?repo=foo" 201
+t POST "images/foo/push?destination=localhost:9999/do/not:exist" 200 # Error is in the response
+t DELETE "images/foo" 200
+
+
+########## CREATE A CONTAINER
+
+t POST "containers/create" Image=alpine 404 .cause="image not known"
+t POST "containers/create" Image=quay.io/libpod/alpine:latest 201
+cid=$(jq -r '.Id' <<<"$output")
+t POST "images/quay.io/libpod/alpine/tag?repo=foo" 201
+t POST "containers/create" Image=foo 201
+cid=$(jq -r '.Id' <<<"$output")
+t DELETE "images/foo" 200
+t DELETE "containers/$cid" 204
+
+########## COMMIT CONTAINER
+
+t POST "containers/create" Image=quay.io/libpod/alpine:latest 201
+cid=$(jq -r '.Id' <<<"$output")
+t GET "images/alpine/get" 404 .cause="image not known"
+t POST "commit?container=$cid&repo=foo&tag=tag" 201
+t GET "images/foo/get" 404 .cause="image not known"
+t GET "images/foo:tag/get" 200
+t DELETE "images/docker.io/library/foo:tag" 200
+t DELETE "containers/$cid" 204
+
+
+######### SMOKE TESTS WITHOUT DOCKER.IO ENFORCEMENT
+
+# Note that we need to restart the service with a custom containers.conf to
+# disable the docker.io enforcement.
+
+stop_service
+CONTAINERS_CONF=$(pwd)/test/apiv2/containers.conf start_service
+
+t POST "images/create?fromImage=quay.io/libpod/alpine:latest" 200 .error~null .status~".*Download complete.*"
+t POST "images/alpine/tag?repo=foo" 201
+t GET "images/localhost/foo:latest/get" 200
+t DELETE "images/foo" 200
+t GET "images/alpine/history" 200
+t POST "images/alpine/push?destination=localhost:9999/do/not:exist" 200 # Error is in the response
+t POST "containers/create" Image=alpine 201
+cid=$(jq -r '.Id' <<<"$output")
+t POST "commit?container=$cid&repo=foo&tag=tag" 201
+t DELETE "images/localhost/foo:tag" 200
+t DELETE "containers/$cid" 204
+
+test_build alpine bar "localhost/bar:latest"
+
+
+stop_service
+start_service
diff --git a/test/apiv2/containers.conf b/test/apiv2/containers.conf
new file mode 100644
index 000000000..24762192f
--- /dev/null
+++ b/test/apiv2/containers.conf
@@ -0,0 +1,8 @@
+# This containers.conf file is used to test enforcing short-name resolution to
+# docker.io for Podman's *compat* API. By default, the compat API defaults to
+# resolving to docker.io only. The behavior can be altered by configuring the
+# containers.conf as done below in which case short names are subject to aliases,
+# "localhost/" and the unqualified-search registries.
+
+[engine]
+compat_api_enforce_docker_hub=false