From a9dbd2b3de3cf11e71aa01ed3233e180ae0b0951 Mon Sep 17 00:00:00 2001 From: Ed Santiago Date: Wed, 2 Sep 2020 07:03:49 -0600 Subject: Migrate away from docker.io CI and system tests currently pull some images from docker.io. Eliminate that, by: - building a custom image containing much of what we need for testing; and - copying other needed images to quay.io (Reason: effective 2020-11-01 docker.io will limit the number of image pulls). The principal change is to create a new quay.io/libpod/testimage, using the new test/system/build-testimage script, instead of relying on quay.io/libpod/alpine_labels. We also switch to using a hardcoded :YYYYMMDD tag, instead of :latest, in an attempt to futureproof our CI. This image includes 'httpd' from busybox-extras, which we use in our networking test (previously we had to pull and run busybox from docker.io). The testimage can and should be extended as needed for future tests, e.g. adding test file content or other useful tools. For the '--pull' tests which require actually pulling from the registry, I've created an image with the same name but tagged :00000000 so it will never be pulled by default. Since this image is only used minimally, it's just busybox. Unfortunately there remain two cases we cannot solve in this tiny alpine-based image: 1) docker registry 2) systemd For those, I've (manually) run: podman pull [ docker.io/library/registry:2.7 | registry.fedoraproject.org/fedora:31 ] podman tag !$ quay.io/... podman push !$ ...and amended the calling tests accordingly. I've tried to make the the smallest reasonable diff, not the smallest possible one. I hope it's a reasonable tradeoff. Signed-off-by: Ed Santiago --- test/system/010-images.bats | 14 ++++++---- test/system/030-run.bats | 23 +++++++++------- test/system/110-history.bats | 3 ++- test/system/150-login.bats | 43 +++++++++++------------------- test/system/260-sdnotify.bats | 5 ++-- test/system/500-networking.bats | 13 +++++---- test/system/build-testimage | 59 +++++++++++++++++++++++++++++++++++++++++ test/system/helpers.bash | 4 +-- 8 files changed, 111 insertions(+), 53 deletions(-) create mode 100755 test/system/build-testimage diff --git a/test/system/010-images.bats b/test/system/010-images.bats index 7fd731ca0..c0a8936e3 100644 --- a/test/system/010-images.bats +++ b/test/system/010-images.bats @@ -14,6 +14,8 @@ load helpers --format {{.ID}} | [0-9a-f]\\\{12\\\} --format {{.ID}} --no-trunc | sha256:[0-9a-f]\\\{64\\\} --format {{.Repository}}:{{.Tag}} | $PODMAN_TEST_IMAGE_FQN +--format {{.Labels.created_by}} | test/system/build-testimage +--format {{.Labels.created_at}} | 20[0-9-]\\\+T[0-9:]\\\+Z " parse_table "$tests" | while read fmt expect; do @@ -27,11 +29,13 @@ load helpers @test "podman images - json" { # 'created': podman includes fractional seconds, podman-remote does not tests=" -Names[0] | $PODMAN_TEST_IMAGE_FQN -Id | [0-9a-f]\\\{64\\\} -Digest | sha256:[0-9a-f]\\\{64\\\} -CreatedAt | [0-9-]\\\+T[0-9:.]\\\+Z -Size | [0-9]\\\+ +Names[0] | $PODMAN_TEST_IMAGE_FQN +Id | [0-9a-f]\\\{64\\\} +Digest | sha256:[0-9a-f]\\\{64\\\} +CreatedAt | [0-9-]\\\+T[0-9:.]\\\+Z +Size | [0-9]\\\+ +Labels.created_by | test/system/build-testimage +Labels.created_at | 20[0-9-]\\\+T[0-9:]\\\+Z " run_podman images -a --format json diff --git a/test/system/030-run.bats b/test/system/030-run.bats index 198c8881d..0b92554b8 100644 --- a/test/system/030-run.bats +++ b/test/system/030-run.bats @@ -134,24 +134,29 @@ echo $rand | 0 | $rand run_podman run --pull=never $IMAGE true is "$output" "" "--pull=never [present]: no output" - # Now test with busybox, which we don't have present - run_podman 125 run --pull=never busybox true - is "$output" "Error: unable to find a name and tag match for busybox in repotags: no such image" "--pull=never [busybox/missing]: error" + # Now test with a remote image which we don't have present (the 00 tag) + NONLOCAL_IMAGE="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/$PODMAN_TEST_IMAGE_NAME:00000000" - run_podman run --pull=missing busybox true - is "$output" "Trying to pull .*" "--pull=missing [busybox/missing]: fetches" + run_podman 125 run --pull=never $NONLOCAL_IMAGE true + is "$output" "Error: unable to find a name and tag match for $NONLOCAL_IMAGE in repotags: no such image" "--pull=never [with image not present]: error" - run_podman run --pull=always busybox true - is "$output" "Trying to pull .*" "--pull=always [busybox/present]: fetches" + run_podman run --pull=missing $NONLOCAL_IMAGE true + is "$output" "Trying to pull .*" "--pull=missing [with image NOT PRESENT]: fetches" + + run_podman run --pull=missing $NONLOCAL_IMAGE true + is "$output" "" "--pull=missing [with image PRESENT]: does not re-fetch" + + run_podman run --pull=always $NONLOCAL_IMAGE true + is "$output" "Trying to pull .*" "--pull=always [with image PRESENT]: re-fetches" run_podman rm -a - run_podman rmi busybox + run_podman rmi $NONLOCAL_IMAGE } # 'run --rmi' deletes the image in the end unless it's used by another container @test "podman run --rmi" { # Name of a nonlocal image. It should be pulled in by the first 'run' - NONLOCAL_IMAGE=busybox + NONLOCAL_IMAGE="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/$PODMAN_TEST_IMAGE_NAME:00000000" run_podman 1 image exists $NONLOCAL_IMAGE # Run a container, without --rm; this should block subsequent --rmi diff --git a/test/system/110-history.bats b/test/system/110-history.bats index 5dc221d61..75c15b088 100644 --- a/test/system/110-history.bats +++ b/test/system/110-history.bats @@ -22,9 +22,10 @@ load helpers } @test "podman history - json" { + # Sigh. Timestamp in .created can be '...Z' or '...-06:00' tests=" id | [0-9a-f]\\\{64\\\} -created | [0-9-]\\\+T[0-9:.]\\\+Z +created | [0-9-]\\\+T[0-9:.]\\\+[Z0-9:+-]\\\+ size | -\\\?[0-9]\\\+ " diff --git a/test/system/150-login.bats b/test/system/150-login.bats index 00c60ca95..5151ab0e1 100644 --- a/test/system/150-login.bats +++ b/test/system/150-login.bats @@ -56,14 +56,17 @@ function setup() { AUTHDIR=${PODMAN_LOGIN_WORKDIR}/auth mkdir -p $AUTHDIR + # Registry image; copy of docker.io, but on our own registry + local REGISTRY_IMAGE="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/registry:2.7" + # Pull registry image, but into a separate container storage mkdir -p ${PODMAN_LOGIN_WORKDIR}/root mkdir -p ${PODMAN_LOGIN_WORKDIR}/runroot PODMAN_LOGIN_ARGS="--root ${PODMAN_LOGIN_WORKDIR}/root --runroot ${PODMAN_LOGIN_WORKDIR}/runroot" # Give it three tries, to compensate for flakes - run_podman ${PODMAN_LOGIN_ARGS} pull registry:2.6 || - run_podman ${PODMAN_LOGIN_ARGS} pull registry:2.6 || - run_podman ${PODMAN_LOGIN_ARGS} pull registry:2.6 + run_podman ${PODMAN_LOGIN_ARGS} pull $REGISTRY_IMAGE || + run_podman ${PODMAN_LOGIN_ARGS} pull $REGISTRY_IMAGE || + run_podman ${PODMAN_LOGIN_ARGS} pull $REGISTRY_IMAGE # Registry image needs a cert. Self-signed is good enough. CERT=$AUTHDIR/domain.crt @@ -76,10 +79,8 @@ function setup() { # Store credentials where container will see them if [ ! -e $AUTHDIR/htpasswd ]; then - run_podman ${PODMAN_LOGIN_ARGS} run --rm \ - --entrypoint htpasswd registry:2.6 \ - -Bbn ${PODMAN_LOGIN_USER} ${PODMAN_LOGIN_PASS} \ - > $AUTHDIR/htpasswd + htpasswd -Bbn ${PODMAN_LOGIN_USER} ${PODMAN_LOGIN_PASS} \ + > $AUTHDIR/htpasswd # In case $PODMAN_TEST_KEEP_LOGIN_REGISTRY is set, for testing later echo "${PODMAN_LOGIN_USER}:${PODMAN_LOGIN_PASS}" \ @@ -97,7 +98,7 @@ function setup() { -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \ -e REGISTRY_HTTP_TLS_CERTIFICATE=/auth/domain.crt \ -e REGISTRY_HTTP_TLS_KEY=/auth/domain.key \ - registry:2.6 + $REGISTRY_IMAGE } # END first "test" - start a registry for use by other tests @@ -189,38 +190,26 @@ EOF } @test "podman push ok" { - # ARGH! We can't push $IMAGE (alpine_labels) to this registry; error is: - # - # Writing manifest to image destination - # Error: Error copying image to the remote destination: Error writing manifest: Error uploading manifest latest to localhost:${PODMAN_LOGIN_REGISTRY_PORT}/okpush: received unexpected HTTP status: 500 Internal Server Error - # - # Root cause: something to do with v1/v2 s1/s2: - # - # https://github.com/containers/skopeo/issues/651 - # - - run_podman pull busybox - - # Preserve its ID for later comparison against push/pulled image - run_podman inspect --format '{{.Id}}' busybox - id_busybox=$output + # Preserve image ID for later comparison against push/pulled image + run_podman inspect --format '{{.Id}}' $IMAGE + iid=$output destname=ok-$(random_string 10 | tr A-Z a-z)-ok # Use command-line credentials run_podman push --tls-verify=false \ --creds ${PODMAN_LOGIN_USER}:${PODMAN_LOGIN_PASS} \ - busybox localhost:${PODMAN_LOGIN_REGISTRY_PORT}/$destname + $IMAGE localhost:${PODMAN_LOGIN_REGISTRY_PORT}/$destname # Yay! Pull it back run_podman pull --tls-verify=false \ --creds ${PODMAN_LOGIN_USER}:${PODMAN_LOGIN_PASS} \ localhost:${PODMAN_LOGIN_REGISTRY_PORT}/$destname - # Compare to original busybox + # Compare to original image run_podman inspect --format '{{.Id}}' $destname - is "$output" "$id_busybox" "Image ID of pulled image == busybox" + is "$output" "$iid" "Image ID of pulled image == original IID" - run_podman rmi busybox $destname + run_podman rmi $destname } # END primary podman login/push/pull tests diff --git a/test/system/260-sdnotify.bats b/test/system/260-sdnotify.bats index 62d3c1497..06aa3bba7 100644 --- a/test/system/260-sdnotify.bats +++ b/test/system/260-sdnotify.bats @@ -115,9 +115,10 @@ function _assert_mainpid_is_conmon() { @test "sdnotify : container" { # Sigh... we need to pull a humongous image because it has systemd-notify. + # (IMPORTANT: fedora:32 and above silently removed systemd-notify; this + # caused CI to hang. That's why we explicitly require fedora:31) # FIXME: is there a smaller image we could use? - _FEDORA=registry.fedoraproject.org/fedora:31 - + local _FEDORA="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/fedora:31" # Pull that image. Retry in case of flakes. run_podman pull $_FEDORA || \ run_podman pull $_FEDORA || \ diff --git a/test/system/500-networking.bats b/test/system/500-networking.bats index 0fae3dcd3..39de8ad54 100644 --- a/test/system/500-networking.bats +++ b/test/system/500-networking.bats @@ -12,7 +12,7 @@ load helpers random_2=$(random_string 30) HOST_PORT=8080 - SERVER=http://localhost:$HOST_PORT + SERVER=http://127.0.0.1:$HOST_PORT # Create a test file with random content INDEX1=$PODMAN_TMPDIR/hello.txt @@ -22,7 +22,7 @@ load helpers run_podman run -d --name myweb -p "$HOST_PORT:80" \ -v $INDEX1:/var/www/index.txt \ -w /var/www \ - busybox httpd -f -p 80 + $IMAGE /bin/busybox-extras httpd -f -p 80 cid=$output # In that container, create a second file, using exec and redirection @@ -33,14 +33,14 @@ load helpers # Verify http contents: curl from localhost run curl -s $SERVER/index.txt - is "$output" "$random_1" "curl localhost:/index.txt" + is "$output" "$random_1" "curl 127.0.0.1:/index.txt" run curl -s $SERVER/index2.txt - is "$output" "$random_2" "curl localhost:/index2.txt" + is "$output" "$random_2" "curl 127.0.0.1:/index2.txt" # Verify http contents: wget from a second container - run_podman run --rm --net=host busybox wget -qO - $SERVER/index.txt + run_podman run --rm --net=host $IMAGE wget -qO - $SERVER/index.txt is "$output" "$random_1" "podman wget /index.txt" - run_podman run --rm --net=host busybox wget -qO - $SERVER/index2.txt + run_podman run --rm --net=host $IMAGE wget -qO - $SERVER/index2.txt is "$output" "$random_2" "podman wget /index2.txt" # Tests #4889 - two-argument form of "podman ports" was broken @@ -57,7 +57,6 @@ load helpers # Clean up run_podman stop -t 1 myweb run_podman rm myweb - run_podman rmi busybox } # Issue #5466 - port-forwarding doesn't work with this option and -d diff --git a/test/system/build-testimage b/test/system/build-testimage new file mode 100755 index 000000000..64aa46337 --- /dev/null +++ b/test/system/build-testimage @@ -0,0 +1,59 @@ +#!/bin/bash +# +# build-testimage - script for producing a test image for podman CI +# +# The idea is to have a small multi-purpose image that can be pulled once +# by system tests and used for as many tests as possible. This image +# should live on quay.io, should be small in size, and should include +# as many components as needed by system tests so they don't have to +# pull other images. +# +# Unfortunately, "small" is incompatible with "systemd" so tests +# still need a fedora image for that. +# + +# Tag for this new image +YMD=$(date +%Y%m%d) + +# git-relative path to this script +create_script=$(cd $(dirname $0) && git ls-files --full-name $(basename $0)) +if [ -z "$create_script" ]; then + create_script=$0 +fi + +# Creation timestamp, Zulu time +create_time_z=$(env TZ=UTC date +'%Y-%m-%dT%H:%M:%SZ') + +set -ex + +# Please document the reason for all flags, apk's, and anything non-obvious +# +# --squash-all : needed by 'tree' test in 070-build.bats +# busybox-extras : provides httpd needed in 500-networking.bats +# +podman rmi -f testimage &> /dev/null || true +podman build --squash-all -t testimage - <