Diffstat (limited to 'test/system')
-rw-r--r-- | test/system/070-build.bats | 26 | ||||
-rw-r--r-- | test/system/255-auto-update.bats | 127 | ||||
-rw-r--r-- | test/system/410-selinux.bats | 5 | ||||
-rwxr-xr-x | test/system/build-testimage | 65 | ||||
-rw-r--r-- | test/system/helpers.bash | 9 |
5 files changed, 138 insertions, 94 deletions
diff --git a/test/system/070-build.bats b/test/system/070-build.bats index 0f3f3fa7f..40622d6cc 100644 --- a/test/system/070-build.bats +++ b/test/system/070-build.bats @@ -794,6 +794,32 @@ EOF run_podman rmi -f build_test } +@test "podman build -f test " { + tmpdir=$PODMAN_TMPDIR/build-test + subdir=$tmpdir/subdir + mkdir -p $subdir + + containerfile1=$tmpdir/Containerfile1 + cat >$containerfile1 <<EOF +FROM scratch +copy . /tmp +EOF + containerfile2=$PODMAN_TMPDIR/Containerfile2 + cat >$containerfile2 <<EOF +FROM $IMAGE +EOF + run_podman build -t build_test -f Containerfile1 $tmpdir + run_podman 125 build -t build_test -f Containerfile2 $tmpdir + is "$output" ".*Containerfile2: no such file or directory" "Containerfile2 should not exist" + run_podman build -t build_test -f $containerfile1 $tmpdir + run_podman build -t build_test -f $containerfile2 $tmpdir + run_podman build -t build_test -f $containerfile1 + run_podman build -t build_test -f $containerfile2 + run_podman build -t build_test -f $containerfile1 -f $containerfile2 $tmpdir + is "$output" ".*$IMAGE" "Containerfile2 is also passed to server" + run_podman rmi -f build_test +} + function teardown() { # A timeout or other error in 'build' can leave behind stale images # that podman can't even see and which will cascade into subsequent diff --git a/test/system/255-auto-update.bats b/test/system/255-auto-update.bats index 59f53f775..9bfb44791 100644 --- a/test/system/255-auto-update.bats +++ b/test/system/255-auto-update.bats 
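Review bot: The two builds that pass no context directory (`run_podman build -t build_test -f $containerfile1` and the matching `$containerfile2` line) presumably fall back to the current working directory as build context. Containerfile1 does `copy . /tmp`, so whatever directory the test runner is in gets sent to the build (to the server under podman-remote) and copied into the image. `subdir` is created but never used in the visible lines; if it was meant to be that context, a `cd $subdir` before those two builds would keep the context empty and predictable. The test name `"podman build -f test "` also carries a trailing space.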
@@ -43,12 +43,12 @@ function teardown() { # 5. Remove the origin container # 6. Start the container from service function generate_service() { - target_img_basename=$1 - autoupdate=$2 + local target_img_basename=$1 + local autoupdate=$2 - # Please keep variable name for cname and ori_image. The - # scripts will use them directly in following tests. - cname=c_$(random_string) + # Container name. Include the autoupdate type, to make debugging easier. + # IMPORTANT: variable 'cname' is passed (out of scope) up to caller! + cname=c_${autoupdate//\'/}_$(random_string) target_img="quay.io/libpod/$target_img_basename:latest" run_podman tag $IMAGE $target_img if [[ -n "$autoupdate" ]]; then @@ -67,6 +67,8 @@ function generate_service() { systemctl start container-$cname systemctl status container-$cname + # Original image ID. + # IMPORTANT: variable 'ori_image' is passed (out of scope) up to caller! run_podman inspect --format "{{.Image}}" $cname ori_image=$output } @@ -76,8 +78,7 @@ function _wait_service_ready() { local timeout=6 while [[ $timeout -gt 1 ]]; do - run systemctl is-active $sname - if [[ $output == "active" ]]; then + if systemctl -q is-active $sname; then return fi sleep 1 
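Review bot: The `${autoupdate//\'/}` expansion in the new `cname` assignment is unexplained, and it is not obvious why only single quotes are stripped. Judging by the multi-service test later in this file, which passes the literal string `''` as a policy, the intent is to keep quotes out of the container name and the systemd unit name derived from it. A comment such as `# strip quotes: one caller passes the literal '' as the policy` would say so. An empty policy yields a name of the form `c__<random>`, which looks harmless but could be mentioned in the same comment.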
@@ -89,65 +90,63 @@ function _wait_service_ready() { die "Timed out waiting for $sname to start" } +# Wait for container to update, as confirmed by its image ID changing function _confirm_update() { - local sname=$1 - - local timeout=6 - last_log="" - while [[ $timeout -gt 1 ]]; do - run journalctl -u $sname -n 10 - if [[ "$output" == "$last_log" ]]; then + local cname=$1 + local old_iid=$2 + + # Image has already been pulled, so this shouldn't take too long + local timeout=5 + while [[ $timeout -gt 0 ]]; do + run_podman '?' inspect --format "{{.Image}}" $cname + if [[ $status != 0 ]]; then + if [[ $output =~ (no such object|does not exist in database): ]]; then + # this is ok, it just means the container is being restarted + : + else + die "podman inspect $cname failed unexpectedly" + fi + elif [[ $output != $old_iid ]]; then return fi - last_log=$output sleep 1 - let timeout=$timeout-1 done - die "Timed out waiting for $sname to update" + die "Timed out waiting for $cname to update; old IID=$old_iid" } # This test can fail in dev. environment because of SELinux. # quick fix: chcon -t container_runtime_exec_t ./bin/podman @test "podman auto-update - label io.containers.autoupdate=image" { - run_podman images generate_service alpine image _wait_service_ready container-$cname.service - run_podman ps -a run_podman auto-update is "$output" "Trying to pull.*" "Image is updated." - run_podman ps -a - _confirm_update container-$cname.service - run_podman inspect --format "{{.Image}}" $cname - [[ "$output" != "$ori_image" ]] + _confirm_update $cname $ori_image } @test "podman auto-update - label io.containers.autoupdate=disabled" { generate_service alpine disabled _wait_service_ready container-$cname.service - run_podman ps -a run_podman auto-update - is "$output" "" "Image is not updated with disabled." - run_podman ps -a - _confirm_update container-$cname.service + is "$output" "" "Image is not updated when autoupdate=disabled." 
+ run_podman inspect --format "{{.Image}}" $cname - is "$output" "$ori_image" "Image hash should not changed." + is "$output" "$ori_image" "Image ID should not change" } @test "podman auto-update - label io.containers.autoupdate=fakevalue" { - fakevalue=$(random_string) + fakevalue=fake_$(random_string) generate_service alpine $fakevalue _wait_service_ready container-$cname.service - run_podman ps -a - run_podman ? auto-update + run_podman 125 auto-update is "$output" ".*invalid auto-update policy.*" "invalid policy setup" - run_podman ps -a - _confirm_update container-$cname.service + run_podman inspect --format "{{.Image}}" $cname - is "$output" "$ori_image" "Image hash should not changed." + is "$output" "$ori_image" "Image ID should not change" } @test "podman auto-update - label io.containers.autoupdate=local" { @@ -155,25 +154,23 @@ function _confirm_update() { podman commit --change CMD=/bin/bash $cname quay.io/libpod/localtest:latest _wait_service_ready container-$cname.service - run_podman ps -a run_podman auto-update - run_podman ps -a - _confirm_update container-$cname.service - run_podman inspect --format "{{.Image}}" $cname - [[ "$output" != "$ori_image" ]] + _confirm_update $cname $ori_image } @test "podman auto-update with multiple services" { - fakevalue=$(random_string) + # Preserve original image ID, to confirm that it changes (or not) run_podman inspect --format "{{.Id}}" $IMAGE - img_id="$output" - cnames=() + local img_id="$output" + + local cnames=() local -A expect_update local -A will_update=([image]=1 [registry]=1 [local]=1) + local fakevalue=fake_$(random_string) for auto_update in image registry "" disabled "''" $fakevalue local do - img_base="alpine" + local img_base="alpine" if [[ $auto_update == "registry" ]]; then img_base="alpine_nginx" elif [[ $auto_update == "local" ]]; then 
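Review bot: The rewritten `_confirm_update` loop never decrements `timeout`: as shown, the hunk removes `let timeout=$timeout-1` and adds nothing in its place, so `while [[ $timeout -gt 0 ]]` can only exit through `return` or the `die` on an unexpected inspect error. If the image ID never changes, the test spins until the CI job is killed, and the `Timed out waiting for $cname to update` message is unreachable. Adding `timeout=$((timeout - 1))` after `sleep 1` restores the bound. The same helper is called from the multi-service and systemd-timer tests in later hunks, so they inherit the hang. `[[ $output != $old_iid ]]` is also better written as `[[ "$output" != "$old_iid" ]]`, because an unquoted right-hand side is matched as a glob pattern.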
@@ -184,6 +181,7 @@ function _confirm_update() { if [[ $auto_update == "local" ]]; then local_cname=$cname fi + if [[ -n "$auto_update" && -n "${will_update[$auto_update]}" ]]; then expect_update[$cname]=1 fi @@ -192,30 +190,28 @@ function _confirm_update() { # Only check the last service is started. Previous services should already actived. _wait_service_ready container-$cname.service run_podman commit --change CMD=/bin/bash $local_cname quay.io/libpod/localtest:latest - run_podman ? auto-update + # Exit code is expected, due to invalid 'fakevalue' + run_podman 125 auto-update update_log=$output - for cname in "${cnames[@]}"; do - _confirm_update container-$cname.service - done - count=0 - while read line; do - if [[ "$line" =~ "Trying to pull" ]]; then - ((count+=1)) - fi - done <<< "$update_log" is "$update_log" ".*invalid auto-update policy.*" "invalid policy setup" is "$update_log" ".*1 error occurred.*" "invalid policy setup" - is "$count" "2" "There are two images being updated from registry." - for cname in "${!expect_update[@]}"; do + local n_updated=$(grep -c 'Trying to pull' <<<"$update_log") + is "$n_updated" "2" "Number of images updated from registry." + for cname in "${!expect_update[@]}"; do is "$update_log" ".*$cname.*" "container with auto-update policy image updated" + # Just because podman says it fetched, doesn't mean it actually updated + _confirm_update $cname $img_id done + # Final confirmation that all image IDs have/haven't changed for cname in "${cnames[@]}"; do run_podman inspect --format "{{.Image}}" $cname if [[ -n "${expect_update[$cname]}" ]]; then - [[ "$output" != "$img_id" ]] + if [[ "$output" == "$img_id" ]]; then + die "$cname: image ID ($output) did not change" + fi else is "$output" "$img_id" "Image should not be changed." fi 
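Review bot: `local n_updated=$(grep -c 'Trying to pull' <<<"$update_log")` only works because `local` discards the command's exit status. `grep -c` exits 1 when the count is 0, which under bats' errexit handling would otherwise abort the test before the `is` check can report the mismatch. That dependence is easy to break in a later cleanup, so it deserves a comment, e.g. `# 'local' masks grep's exit 1 on zero matches; 'is' below reports the count`. The enclosing test starts before this hunk.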
@@ -255,25 +251,24 @@ EOF systemctl enable --now podman-auto-update-$cname.timer systemctl list-timers --all - count=0 - failed_start=1 + local expect='Finished Podman auto-update testing service' + local failed_start=failed + local count=0 while [ $count -lt 120 ]; do run journalctl -n 15 -u podman-auto-update-$cname.service - if [[ "$output" =~ "Finished Podman auto-update testing service" ]]; then - failed_start=0 + if [[ "$output" =~ $expect ]]; then + failed_start= break fi ((count+=1)) sleep 1 done - echo $output - _confirm_update container-$cname.service - run_podman inspect --format "{{.Image}}" $cname - if [[ $failed_start == 1 ]]; then - die "Failed to get podman auto-update service finished" + if [[ -n "$failed_start" ]]; then + die "Did not find expected string '$expect' in journalctl output for $cname" fi - [[ "$output" != "$ori_image" ]] + + _confirm_update $cname $ori_image } # vim: filetype=sh diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats index f8cee0e59..4ef9c8b30 100644 --- a/test/system/410-selinux.bats +++ b/test/system/410-selinux.bats @@ -183,7 +183,10 @@ function check_label() { # runc and crun emit different diagnostics runtime=$(podman_runtime) case "$runtime" in - crun) expect="\`/proc/thread-self/attr/exec\`: OCI runtime error: unable to assign security attribute" ;; + # crun 0.20.1 changes the error message + # from /proc/thread-self/attr/exec`: .* unable to assign + # to /proc/self/attr/keycreate`: .* unable to process + crun) expect="\`/proc/.*\`: OCI runtime error: unable to \(assign\|process\) security attribute" ;; runc) expect="OCI runtime error: .*: failed to set /proc/self/attr/keycreate on procfs" ;; *) skip "Unknown runtime '$runtime'";; esac diff --git a/test/system/build-testimage b/test/system/build-testimage index 3e5b982ce..eb5849b5e 100755 --- a/test/system/build-testimage +++ b/test/system/build-testimage 
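Review bot: In the 410-selinux.bats hunk, the new crun pattern replaces the exact path with `/proc/.*`, which accepts any path under /proc and is wider than the two messages the added comment documents. This case checks that a bad SELinux label is rejected with a specific diagnostic, so a loose pattern could let the test pass on an unrelated runtime failure. Spelling out the two known paths keeps it precise: `/proc/\(thread-self/attr/exec\|self/attr/keycreate\)` in place of `/proc/.*`, alongside the existing `\(assign\|process\)` alternation. The enclosing test starts and ends outside the hunk.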
@@ -61,8 +61,8 @@ chmod 755 pause # - check for updates @ https://hub.docker.com/_/alpine # busybox-extras provides httpd needed in 500-networking.bats cat >Containerfile <<EOF -ARG ARCH=please-override-arch -FROM docker.io/\${ARCH}/alpine:3.12.0 +ARG REPO=please-override-repo +FROM docker.io/\${REPO}/alpine:3.13.5 RUN apk add busybox-extras ADD testimage-id pause /home/podman/ LABEL created_by=$create_script 
@@ -74,17 +74,46 @@ EOF # --squash-all : needed by 'tree' test in 070-build.bats podman rmi -f testimage &> /dev/null || true +# There should always be a testimage tagged ':0000000<X>' (eight digits, +# zero-padded sequence ID) in the same location; this is used by tests +# which need to pull a non-locally-cached image. This image will rarely +# if ever need to change, nor in fact does it even have to be a copy of +# this testimage since all we use it for is 'true'. +# However, it does need to be multiarch :-( +zerotag_latest=$(skopeo list-tags docker://quay.io/libpod/testimage |\ + jq -r '.Tags[]' |\ + sort --version-sort |\ + grep '^000' |\ + tail -n 1) +zerotag_next=$(printf "%08d" $((zerotag_latest + 1))) + +# We don't always need to push the :00xx image, but build it anyway. +zeroimg=quay.io/libpod/testimage:${zerotag_next} +buildah manifest create $zeroimg + # We need to use buildah because (as of 2021-02-23) only buildah has --manifest # and because Dan says arch emulation is not currently working on podman # (no further details). # Arch emulation on Fedora requires the qemu-user-static package. -for arch in amd64 arm64v8 ppc64le s390x;do +for arch in amd64 arm64 ppc64le s390x;do + # docker.io repo is usually the same name as the desired arch; except + # for arm64, where podman needs to have the arch be 'arm64' but the + # image lives in 'arm64v8'. + repo=$arch + if [[ $repo = "arm64" ]]; then + repo="${repo}v8" + fi + ${BUILDAH} bud \ --arch=$arch \ - --build-arg ARCH=$arch \ + --build-arg REPO=$repo \ --manifest=testimage \ --squash \ . + + # The zero-tag image + ${BUILDAH} pull --arch $arch docker.io/$repo/busybox:1.33.1 + ${BUILDAH} manifest add $zeroimg docker.io/$repo/busybox:1.33.1 done # Clean up 
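Review bot: `$((zerotag_latest + 1))` will misparse the tag once it reaches 8. Bash treats a leading-zero operand as octal, so `00000008` aborts with "value too great for base" and `00000010` would silently be read as 8. Forcing base 10 fixes it: `zerotag_next=$(printf "%08d" $((10#$zerotag_latest + 1)))`. The `grep '^000'` filter also accepts any tag that merely starts with three zeros, and an empty result (skopeo or network failure) evaluates to 1 and would rebuild `:00000001`. Filtering with `grep -E '^[0-9]{8}$'` and exiting when `zerotag_latest` is empty would validate the registry-supplied value before it is used in arithmetic and in an image name.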
@@ -94,23 +123,13 @@ rm -rf $tmpdir # Tag image and push (all arches) to quay. remote_tag=quay.io/libpod/testimage:$YMD podman tag testimage ${remote_tag} -${BUILDAH} manifest push --all ${remote_tag} docker://${remote_tag} +cat <<EOF -# Side note: there should always be a testimage tagged ':0000000<X>' -# (eight digits, zero-padded sequence ID) in the same location; this is -# used by tests which need to pull a non-locally-cached image. This -# image will rarely if ever need to change, nor in fact does it even -# have to be a copy of this testimage since all we use it for is 'true'. -# However, it does need to be multiarch :-( -# -# As of 2021-02-24 it is simply busybox, because it is super small, -# but it's complicated because of multiarch: -# -# img=quay.io/libpod/testimage:0000000<current+1> -# buildah manifest create $img -# for arch in amd64 arm64v8 ppc64le s390x;do -# buildah pull --arch $arch docker.io/$arch/busybox:1.32.0 -# buildah manifest add $img docker.io/$arch/busybox:1.32.0 -# done -# buildah manifest push --all $img docker://$img -# +If you're happy with these images, run: + + ${BUILDAH} manifest push --all ${remote_tag} docker://${remote_tag} + ${BUILDAH} manifest push --all ${zeroimg} docker://${zeroimg} + +(You do not always need to push the :0000 image) + +EOF diff --git a/test/system/helpers.bash b/test/system/helpers.bash index e0c208f57..1859a2168 100644 --- a/test/system/helpers.bash +++ b/test/system/helpers.bash 
@@ -7,14 +7,15 @@ PODMAN=${PODMAN:-podman} PODMAN_TEST_IMAGE_REGISTRY=${PODMAN_TEST_IMAGE_REGISTRY:-"quay.io"} PODMAN_TEST_IMAGE_USER=${PODMAN_TEST_IMAGE_USER:-"libpod"} PODMAN_TEST_IMAGE_NAME=${PODMAN_TEST_IMAGE_NAME:-"testimage"} -PODMAN_TEST_IMAGE_TAG=${PODMAN_TEST_IMAGE_TAG:-"20210427"} +PODMAN_TEST_IMAGE_TAG=${PODMAN_TEST_IMAGE_TAG:-"20210610"} PODMAN_TEST_IMAGE_FQN="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/$PODMAN_TEST_IMAGE_NAME:$PODMAN_TEST_IMAGE_TAG" PODMAN_TEST_IMAGE_ID= # Remote image that we *DO NOT* fetch or keep by default; used for testing pull -# This changed from 0 to 1 on 2021-02-24 due to multiarch considerations; it -# should change only very rarely. -PODMAN_NONLOCAL_IMAGE_FQN="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/$PODMAN_TEST_IMAGE_NAME:00000002" +# This has changed in 2021, from 0 through 3, various iterations of getting +# multiarch to work. It should change only very rarely. +PODMAN_NONLOCAL_IMAGE_TAG=${PODMAN_NONLOCAL_IMAGE_TAG:-"00000003"} +PODMAN_NONLOCAL_IMAGE_FQN="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/$PODMAN_TEST_IMAGE_NAME:$PODMAN_NONLOCAL_IMAGE_TAG" # Because who wants to spell that out each time? IMAGE=$PODMAN_TEST_IMAGE_FQN |