package integration
import (
"fmt"
"io/ioutil"
"os"
"os/exec"
"path/filepath"
"strings"
"github.com/containers/podman/v4/pkg/rootless"
. "github.com/containers/podman/v4/test/utils"
"github.com/containers/storage/pkg/archive"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
. "github.com/onsi/gomega/gexec"
)
var _ = Describe("Podman push", func() {
var (
tempdir string
err error
podmanTest *PodmanTestIntegration
)
BeforeEach(func() {
tempdir, err = CreateTempDirInTempDir()
if err != nil {
os.Exit(1)
}
podmanTest = PodmanTestCreate(tempdir)
podmanTest.Setup()
podmanTest.AddImageToRWStore(ALPINE)
})
AfterEach(func() {
podmanTest.Cleanup()
f := CurrentGinkgoTestDescription()
processTestResult(f)
})
It("podman push to containers/storage", func() {
SkipIfRemote("Remote push does not support containers-storage transport")
session := podmanTest.Podman([]string{"push", ALPINE, "containers-storage:busybox:test"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
session = podmanTest.Podman([]string{"rmi", ALPINE})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
})
It("podman push to dir", func() {
SkipIfRemote("Remote push does not support dir transport")
bbdir := filepath.Join(podmanTest.TempDir, "busybox")
session := podmanTest.Podman([]string{"push", "--remove-signatures", ALPINE,
fmt.Sprintf("dir:%s", bbdir)})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
bbdir = filepath.Join(podmanTest.TempDir, "busybox")
session = podmanTest.Podman([]string{"push", "--format", "oci", ALPINE,
fmt.Sprintf("dir:%s", bbdir)})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
})
It("podman push to oci with compression-format", func() {
SkipIfRemote("Remote push does not support dir transport")
bbdir := filepath.Join(podmanTest.TempDir, "busybox-oci")
session := podmanTest.Podman([]string{"push", "--compression-format=zstd", "--remove-signatures", ALPINE,
fmt.Sprintf("oci:%s", bbdir)})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
foundZstdFile := false
blobsDir := filepath.Join(bbdir, "blobs/sha256")
blobs, err := ioutil.ReadDir(blobsDir)
Expect(err).To(BeNil())
for _, f := range blobs {
blobPath := filepath.Join(blobsDir, f.Name())
sourceFile, err := ioutil.ReadFile(blobPath)
Expect(err).To(BeNil())
compressionType := archive.DetectCompression(sourceFile)
if compressionType == archive.Zstd {
foundZstdFile = true
break
}
}
Expect(foundZstdFile).To(BeTrue())
})
It("podman push to local registry", func() {
if podmanTest.Host.Arch == "ppc64le" {
Skip("No registry image for ppc64le")
}
if rootless.IsRootless() {
err := podmanTest.RestoreArtifact(REGISTRY_IMAGE)
Expect(err).ToNot(HaveOccurred())
}
lock := GetPortLock("5000")
defer lock.Unlock()
session := podmanTest.Podman([]string{"run", "-d", "--name", "registry", "-p", "5000:5000", REGISTRY_IMAGE, "/entrypoint.sh", "/etc/docker/registry/config.yml"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
if !WaitContainerReady(podmanTest, "registry", "listening on", 20, 1) {
Skip("Cannot start docker registry.")
}
push := podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--remove-signatures", ALPINE, "localhost:5000/my-alpine"})
push.WaitWithDefaultTimeout()
Expect(push).Should(Exit(0))
Expect(len(push.ErrorToString())).To(Equal(0))
push = podmanTest.Podman([]string{"push", "--tls-verify=false", "--remove-signatures", ALPINE, "localhost:5000/my-alpine"})
push.WaitWithDefaultTimeout()
Expect(push).Should(Exit(0))
output := push.ErrorToString()
Expect(output).To(ContainSubstring("Copying blob "))
Expect(output).To(ContainSubstring("Copying config "))
Expect(output).To(ContainSubstring("Writing manifest to image destination"))
Expect(output).To(ContainSubstring("Storing signatures"))
if !IsRemote() { // Remote does not support --digestfile
// Test --digestfile option
push2 := podmanTest.Podman([]string{"push", "--tls-verify=false", "--digestfile=/tmp/digestfile.txt", "--remove-signatures", ALPINE, "localhost:5000/my-alpine"})
push2.WaitWithDefaultTimeout()
fi, err := os.Lstat("/tmp/digestfile.txt")
Expect(err).To(BeNil())
Expect(fi.Name()).To(Equal("digestfile.txt"))
Expect(push2).Should(Exit(0))
}
if !IsRemote() { // Remote does not support signing
By("pushing and pulling with sigstore signatures")
// Ideally, this should set SystemContext.RegistriesDirPath, but Podman currently doesn’t
// expose that as an option. So, for now, modify /etc/directly, and skip testing sigstore if
// we don’t have permission to do so.
systemRegistriesDAddition := "/etc/containers/registries.d/podman-test-only-temporary-addition.yaml"
cmd := exec.Command("cp", "testdata/sigstore-registries.d-fragment.yaml", systemRegistriesDAddition)
output, err := cmd.CombinedOutput()
if err != nil {
fmt.Fprintf(os.Stderr, "Skipping sigstore tests because /etc/containers/registries.d isn’t writable: %s", string(output))
} else {
defer func() {
err := os.Remove(systemRegistriesDAddition)
Expect(err).ToNot(HaveOccurred())
}()
// Verify that the policy rejects unsigned images
push := podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--remove-signatures", ALPINE, "localhost:5000/sigstore-signed"})
push.WaitWithDefaultTimeout()
Expect(push).Should(Exit(0))
Expect(len(push.ErrorToString())).To(Equal(0))
pull := podmanTest.Podman([]string{"pull", "-q", "--tls-verify=false", "--signature-policy", "sign/policy.json", "localhost:5000/sigstore-signed"})
pull.WaitWithDefaultTimeout()
Expect(pull).To(ExitWithError())
Expect(pull.ErrorToString()).To(ContainSubstring("A signature was required, but no signature exists"))
// Sign an image, and verify it is accepted.
push = podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--remove-signatures", "--sign-by-sigstore-private-key", "testdata/sigstore-key.key", "--sign-passphrase-file", "testdata/sigstore-key.key.pass", ALPINE, "localhost:5000/sigstore-signed"})
push.WaitWithDefaultTimeout()
Expect(push).Should(Exit(0))
Expect(len(push.ErrorToString())).To(Equal(0))
pull = podmanTest.Podman([]string{"pull", "-q", "--tls-verify=false", "--signature-policy", "sign/policy.json", "localhost:5000/sigstore-signed"})
pull.WaitWithDefaultTimeout()
Expect(pull).Should(Exit(0))
}
}
})
It("podman push to local registry with authorization", func() {
SkipIfRootless("volume-mounting a certs.d file N/A over remote")
if podmanTest.Host.Arch == "ppc64le" {
Skip("No registry image for ppc64le")
}
authPath := filepath.Join(podmanTest.TempDir, "auth")
err = os.Mkdir(authPath, os.ModePerm)
Expect(err).ToNot(HaveOccurred())
err = os.MkdirAll("/etc/containers/certs.d/localhost:5000", os.ModePerm)
Expect(err).ToNot(HaveOccurred())
defer os.RemoveAll("/etc/containers/certs.d/localhost:5000")
cwd, _ := os.Getwd()
certPath := filepath.Join(cwd, "../", "certs")
if IsCommandAvailable("getenforce") {
ge := SystemExec("getenforce", []string{})
Expect(ge).Should(Exit(0))
if ge.OutputToString() == "Enforcing" {
se := SystemExec("setenforce", []string{"0"})
Expect(se).Should(Exit(0))
defer func() {
se2 := SystemExec("setenforce", []string{"1"})
Expect(se2).Should(Exit(0))
}()
}
}
lock := GetPortLock("5000")
defer lock.Unlock()
htpasswd := SystemExec("htpasswd", []string{"-Bbn", "podmantest", "test"})
htpasswd.WaitWithDefaultTimeout()
Expect(htpasswd).Should(Exit(0))
f, err := os.Create(filepath.Join(authPath, "htpasswd"))
Expect(err).ToNot(HaveOccurred())
defer f.Close()
_, err = f.WriteString(htpasswd.OutputToString())
Expect(err).ToNot(HaveOccurred())
err = f.Sync()
Expect(err).ToNot(HaveOccurred())
session := podmanTest.Podman([]string{"run", "-d", "-p", "5000:5000", "--name", "registry", "-v",
strings.Join([]string{authPath, "/auth"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e",
"REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm", "-e", "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd",
"-v", strings.Join([]string{certPath, "/certs"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt",
"-e", "REGISTRY_HTTP_TLS_KEY=/certs/domain.key", REGISTRY_IMAGE})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
if !WaitContainerReady(podmanTest, "registry", "listening on", 20, 1) {
Skip("Cannot start docker registry.")
}
session = podmanTest.Podman([]string{"logs", "registry"})
session.WaitWithDefaultTimeout()
push := podmanTest.Podman([]string{"push", "--tls-verify=true", "--format=v2s2", "--creds=podmantest:test", ALPINE, "localhost:5000/tlstest"})
push.WaitWithDefaultTimeout()
Expect(push).To(ExitWithError())
push = podmanTest.Podman([]string{"push", "--creds=podmantest:test", "--tls-verify=false", ALPINE, "localhost:5000/tlstest"})
push.WaitWithDefaultTimeout()
Expect(push).Should(Exit(0))
setup := SystemExec("cp", []string{filepath.Join(certPath, "domain.crt"), "/etc/containers/certs.d/localhost:5000/ca.crt"})
Expect(setup).Should(Exit(0))
push = podmanTest.Podman([]string{"push", "--creds=podmantest:wrongpasswd", ALPINE, "localhost:5000/credstest"})
push.WaitWithDefaultTimeout()
Expect(push).To(ExitWithError())
if !IsRemote() {
// remote does not support --cert-dir
push = podmanTest.Podman([]string{"push", "--tls-verify=true", "--creds=podmantest:test", "--cert-dir=fakedir", ALPINE, "localhost:5000/certdirtest"})
push.WaitWithDefaultTimeout()
Expect(push).To(ExitWithError())
}
push = podmanTest.Podman([]string{"push", "--creds=podmantest:test", ALPINE, "localhost:5000/defaultflags"})
push.WaitWithDefaultTimeout()
Expect(push).Should(Exit(0))
})
It("podman push to docker-archive", func() {
SkipIfRemote("Remote push does not support docker-archive transport")
tarfn := filepath.Join(podmanTest.TempDir, "alp.tar")
session := podmanTest.Podman([]string{"push", ALPINE,
fmt.Sprintf("docker-archive:%s:latest", tarfn)})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
})
It("podman push to docker daemon", func() {
SkipIfRemote("Remote push does not support docker-daemon transport")
setup := SystemExec("bash", []string{"-c", "systemctl status docker 2>&1"})
if setup.LineInOutputContains("Active: inactive") {
setup = SystemExec("systemctl", []string{"start", "docker"})
Expect(setup).Should(Exit(0))
defer func() {
stop := SystemExec("systemctl", []string{"stop", "docker"})
Expect(stop).Should(Exit(0))
}()
} else if setup.ExitCode() != 0 {
Skip("Docker is not available")
}
session := podmanTest.Podman([]string{"push", ALPINE, "docker-daemon:alpine:podmantest"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
check := SystemExec("docker", []string{"images", "--format", "{{.Repository}}:{{.Tag}}"})
Expect(check).Should(Exit(0))
Expect(check.OutputToString()).To(ContainSubstring("alpine:podmantest"))
clean := SystemExec("docker", []string{"rmi", "alpine:podmantest"})
Expect(clean).Should(Exit(0))
})
It("podman push to oci-archive", func() {
SkipIfRemote("Remote push does not support oci-archive transport")
tarfn := filepath.Join(podmanTest.TempDir, "alp.tar")
session := podmanTest.Podman([]string{"push", ALPINE,
fmt.Sprintf("oci-archive:%s:latest", tarfn)})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
})
It("podman push to docker-archive no reference", func() {
SkipIfRemote("Remote push does not support docker-archive transport")
tarfn := filepath.Join(podmanTest.TempDir, "alp.tar")
session := podmanTest.Podman([]string{"push", ALPINE,
fmt.Sprintf("docker-archive:%s", tarfn)})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
})
It("podman push to oci-archive no reference", func() {
SkipIfRemote("Remote push does not support oci-archive transport")
ociarc := filepath.Join(podmanTest.TempDir, "alp-oci")
session := podmanTest.Podman([]string{"push", ALPINE,
fmt.Sprintf("oci-archive:%s", ociarc)})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
})
})