#!/usr/bin/env bats
load helpers
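# Regression test for #2904
@test "local-image resolution" {
    # The test treats the output of the quiet pull as the image ID and gives
    # that image a second, localhost-qualified name.
    run_buildah pull -q busybox
    iid=$output
    run_buildah tag "${iid}" localhost/image

    # We want to make sure that "image" will always resolve to "localhost/image"
    # (given a local image with that name exists). The trick we're using is to
    # force a failed pull and look at the error message, which *must* include
    # the resolved image name (localhost/image:latest).
    #
    # Why this is worth pinning: if an unqualified name resolved to some other
    # registry while a local image of that name exists, a later build could
    # pick up content other than the image the user tagged.
    run_buildah 125 pull --policy=always image

    # Checked through expect_output --substring, the same helper the other
    # tests in this file use for error-message assertions.
    expect_output --substring "initializing source docker://localhost/image:latest"

    run_buildah rmi localhost/image "${iid}"
}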
@test "pull-flags-order-verification" {
    # Each pull below places options *after* the image name and is expected
    # to exit with status 125. check_options_flag_err (from helpers) is then
    # handed the first misplaced option; presumably it asserts that the error
    # output names that option -- confirm against helpers.
    local image=image1
    local authfile_opt="--authfile=/tmp/somefile"

    run_buildah 125 pull $image --tls-verify
    check_options_flag_err "--tls-verify"

    run_buildah 125 pull $image $authfile_opt
    check_options_flag_err "$authfile_opt"

    # Several trailing options: "-q" comes first, and it is the one checked.
    run_buildah 125 pull $image -q --cred bla:bla $authfile_opt
    check_options_flag_err "-q"
}
@test "pull-blocked" {
    local policy="--signature-policy ${TESTSDIR}/policy.json"
    local image=docker.io/alpine

    # With registries.conf.block in effect the pull must be refused
    # (exit status 125) and the error must say the registry is blocked,
    # so the failure is known to come from the block rule and not from
    # some unrelated error.
    run_buildah 125 --registries-conf ${TESTSDIR}/registries.conf.block pull $policy $image
    expect_output --substring "registry docker.io is blocked in"

    # Control: the same image with the regular registries.conf must pull.
    # --retry makes run_buildah retry a failed command, for pulls that
    # really need the network.
    run_buildah --retry --registries-conf ${TESTSDIR}/registries.conf pull $policy $image
}
@test "pull-from-registry" {
    # Options shared by every pull in this test; expanded unquoted on purpose
    # so that they split into separate arguments.
    local common="--registries-conf ${TESTSDIR}/registries.conf --signature-policy ${TESTSDIR}/policy.json"
    local list_fmt="{{.Name}}:{{.Tag}}"

    # Two tags of the same short name; both must show up in the image list.
    # --retry makes run_buildah retry a failed command, for pulls that really
    # need the network.
    run_buildah --retry pull $common busybox:glibc
    run_buildah pull $common busybox:latest
    run_buildah images --format "$list_fmt"
    expect_output --substring "busybox:glibc"
    expect_output --substring "busybox:latest"

    # Fully qualified name with an explicit tag.
    run_buildah --retry pull $common quay.io/libpod/alpine_nginx:latest
    run_buildah images --format "$list_fmt"
    expect_output --substring "alpine_nginx:latest"

    run_buildah rmi quay.io/libpod/alpine_nginx:latest

    # Same image without a tag: it is expected to be listed as :latest.
    run_buildah --retry pull $common quay.io/libpod/alpine_nginx
    run_buildah images --format "$list_fmt"
    expect_output --substring "alpine_nginx:latest"

    # Pull by digest, which pins the exact image content rather than
    # whatever a tag currently points at.
    run_buildah --retry pull $common alpine@sha256:e9a2035f9d0d7cee1cdd445f5bfa0c5c646455ee26f14565dce23cf2d2de7570

    # A name that should not exist anywhere: the pull must fail (125) and
    # nothing by that name may appear in local storage afterwards.
    # NOTE(review): only the exit status of the failed pull is checked, not
    # its error message.
    run_buildah 125 pull $common fakeimage/fortest
    run_buildah images --format "$list_fmt"
    [[ ! "$output" =~ "fakeimage/fortest" ]]
}
@test "pull-from-docker-archive" {
    local policy="--signature-policy ${TESTSDIR}/policy.json"
    local archive="docker-archive:${TESTDIR}/alp.tar"

    # Setup: fetch alpine, write it out as a docker-archive tarball, then
    # drop the local copy so that the next pull has to read the archive.
    run_buildah --retry pull $policy alpine
    run_buildah push $policy docker.io/library/alpine:latest ${archive}:alpine:latest
    run_buildah rmi alpine

    # Pull the image back from the archive and confirm that it is listed.
    run_buildah --retry pull $policy $archive
    run_buildah images --format "{{.Name}}:{{.Tag}}"
    expect_output --substring "alpine"

    # --all-tags must be rejected for this transport, with the matching message.
    run_buildah 125 pull --all-tags $policy $archive
    expect_output --substring "pulling all tags is not supported for docker-archive transport"
}
@test "pull-from-oci-archive" {
    local policy="--signature-policy ${TESTSDIR}/policy.json"
    local archive="oci-archive:${TESTDIR}/alp.tar"

    # Setup: fetch alpine, write it out as an oci-archive tarball, then drop
    # the local copy so that the next pull has to read the archive.
    run_buildah --retry pull $policy alpine
    run_buildah push $policy docker.io/library/alpine:latest ${archive}:alpine
    run_buildah rmi alpine

    # Pull the image back from the archive and confirm that it is listed.
    run_buildah pull $policy $archive
    run_buildah images --format "{{.Name}}:{{.Tag}}"
    expect_output --substring "alpine"

    # --all-tags must be rejected for this transport, with the matching message.
    run_buildah 125 pull --all-tags $policy $archive
    expect_output --substring "pulling all tags is not supported for oci-archive transport"
}
@test "pull-from-local-directory" {
    local policy="--signature-policy ${TESTSDIR}/policy.json"
    local imgdir=${TESTDIR}/buildahtest

    mkdir $imgdir

    # Setup: fetch alpine, copy it into the directory via the dir: transport,
    # then drop the local copy so that the next pull has to read the directory.
    run_buildah --retry pull $policy alpine
    run_buildah push $policy docker.io/library/alpine:latest dir:$imgdir
    run_buildah rmi alpine

    # The image pulled from the directory is expected to be listed under a
    # localhost name built from the directory path.
    run_buildah pull $policy dir:$imgdir
    run_buildah images --format "{{.Name}}:{{.Tag}}"
    expect_output --substring "localhost${imgdir}:latest"

    # --all-tags must be rejected for this transport, with the matching message.
    run_buildah 125 pull --all-tags $policy dir:$imgdir
    expect_output --substring "pulling all tags is not supported for dir transport"
}
@test "pull-from-docker-daemon" {
    skip_if_no_docker

    local policy="--signature-policy ${TESTSDIR}/policy.json"
    local daemon_ref=docker-daemon:docker.io/library/alpine:latest

    # Setup: have the docker daemon itself pull alpine. The output is echoed
    # so that it is visible if the status check fails.
    run docker pull alpine
    echo "$output"
    [ "$status" -eq 0 ]

    # Copy the image out of the daemon and confirm that it is listed.
    run_buildah pull $policy $daemon_ref
    run_buildah images --format "{{.Name}}:{{.Tag}}"
    expect_output --substring "alpine:latest"
    run_buildah rmi alpine

    # --all-tags must be rejected for this transport, with the matching message.
    run_buildah 125 pull --all-tags $policy $daemon_ref
    expect_output --substring "pulling all tags is not supported for docker-daemon transport"
}
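@test "pull-all-tags" {
    declare -a tags=(0.9 0.9.1 1.1 alpha beta gamma2.0 latest)

    # setup: pull alpine, and push it repeatedly to localhost using those tags
    #
    # The options are held in an array and expanded as "${opts[@]}" so that
    # each one reaches buildah as exactly one argument, whatever characters
    # ${TESTSDIR} contains.
    #
    # --tls-verify=false and the inline testuser:testpassword credentials are
    # only ever used here against the localhost:5000 test registry; they are
    # not a pattern for talking to a real registry.
    opts=(--signature-policy "${TESTSDIR}/policy.json" --tls-verify=false --creds testuser:testpassword)
    run_buildah --retry pull --quiet --signature-policy "${TESTSDIR}/policy.json" alpine
    for tag in "${tags[@]}"; do
        run_buildah push "${opts[@]}" alpine "localhost:5000/myalpine:$tag"
    done

    run_buildah images -q
    expect_line_count 1 "There's only one actual image ID"
    alpine_iid=$output

    # Remove it, and confirm.
    run_buildah rmi alpine
    run_buildah images -q
    expect_output "" "After buildah rmi, there are no locally stored images"

    # Now pull with --all-tags, and confirm that we see all expected tag strings
    run_buildah pull "${opts[@]}" --all-tags localhost:5000/myalpine
    for tag in "${tags[@]}"; do
        expect_output --substring "Trying to pull localhost:5000/myalpine:$tag"
    done

    # Confirm that 'images -a' lists all of them. <Brackets> help confirm
    # that tag names are exact, e.g. we don't confuse 0.9 and 0.9.1
    run_buildah images -a --format '<{{.Tag}}>'
    expect_line_count "${#tags[@]}" "number of tagged images"
    for tag in "${tags[@]}"; do
        expect_output --substring "<$tag>"
    done

    # Finally, make sure that there's actually one and exactly one image.
    # The expected ID is quoted: were it ever empty, an unquoted expansion
    # would vanish and the description would be taken as the expected value.
    run_buildah images -q
    expect_output "$alpine_iid" "Pulled image has the same IID as original alpine"
}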
@test "pull-from-oci-directory" {
    local policy="--signature-policy ${TESTSDIR}/policy.json"
    local layout=${TESTDIR}/alpine

    # Setup: fetch alpine, copy it out via the oci: transport, then drop the
    # local copy so that the next pull has to read the OCI layout.
    run_buildah --retry pull $policy alpine
    run_buildah push $policy docker.io/library/alpine:latest oci:$layout
    run_buildah rmi alpine

    # The image pulled from the layout is expected to be listed under a
    # localhost name built from the layout path.
    run_buildah pull $policy oci:$layout
    run_buildah images --format "{{.Name}}:{{.Tag}}"
    expect_output --substring "localhost${layout}:latest"

    # --all-tags must be rejected for this transport, with the matching message.
    run_buildah 125 pull --all-tags $policy oci:$layout
    expect_output --substring "pulling all tags is not supported for oci transport"
}
@test "pull-denied-by-registry-sources" {
  # Every pull below uses the same arguments; only BUILD_REGISTRY_SOURCES
  # changes between the two halves of the test.
  local pull_args="--signature-policy ${TESTSDIR}/policy.json --registries-conf ${TESTSDIR}/registries.conf.hub --quiet busybox"
  local round

  # Block list: docker.io is named explicitly, so the pull must be denied.
  # The identical command and check are issued twice, as in the original test.
  export BUILD_REGISTRY_SOURCES='{"blockedRegistries": ["docker.io"]}'
  for round in 1 2; do
    run_buildah 125 pull $pull_args
    expect_output --substring 'registry "docker.io" denied by policy: it is in the blocked registries list'
  done

  # Allow list: docker.io is absent from it, so the pull must be denied
  # with the "not in allowed registries" message instead.
  export BUILD_REGISTRY_SOURCES='{"allowedRegistries": ["some-other-registry.example.com"]}'
  for round in 1 2; do
    run_buildah 125 pull $pull_args
    expect_output --substring 'registry "docker.io" denied by policy: not in allowed registries list'
  done
}
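@test "pull should fail with nonexistent authfile" {
  # The missing authfile is named inside the scratch directory that the other
  # tests in this file write to, not under a fixed name in world-writable
  # /tmp, so nothing else on the host can create the file and change the
  # outcome of the test.
  # NOTE(review): only the exit status is checked. Exit 125 is also what a
  # pull returns for unrelated failures elsewhere in this file, so an
  # expect_output check on the authfile error text would make this test
  # specific; the exact message is not visible here.
  run_buildah 125 pull --authfile "${TESTDIR:?}/nonexistent" --signature-policy "${TESTSDIR}/policy.json" alpine
}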
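@test "pull encrypted local image" {
  _prefetch busybox

  # ${TESTDIR:?} aborts the test if TESTDIR is unset or empty, so the
  # rm -rf at the end can never expand to "/tmp".
  local keydir="${TESTDIR:?}/tmp"
  local policy="${TESTSDIR}/policy.json"
  local encrypted="oci:${keydir}/busybox_enc"
  mkdir "$keydir"

  # Throwaway key pairs: mykey encrypts the image, mykey2 is the wrong key.
  # 2048 bits rather than 1024: 1024-bit RSA is below the commonly accepted
  # minimum and may be refused on hosts with a stricter crypto policy.
  openssl genrsa -out "$keydir/mykey.pem" 2048
  openssl genrsa -out "$keydir/mykey2.pem" 2048
  openssl rsa -in "$keydir/mykey.pem" -pubout > "$keydir/mykey.pub"

  # Encrypt the image to the public key while copying it to an OCI layout.
  run_buildah push --signature-policy "$policy" --encryption-key "jwe:$keydir/mykey.pub" busybox "$encrypted"

  # No key at all: the pull must fail, and for the right reason.
  run_buildah 125 pull --signature-policy "$policy" "$encrypted"
  expect_output --substring "decrypting layer .* missing private key needed for decryption"

  # Wrong private key: must fail with the key-mismatch message, not the
  # missing-key one.
  run_buildah 125 pull --signature-policy "$policy" --decryption-key "$keydir/mykey2.pem" "$encrypted"
  expect_output --substring "decrypting layer .* no suitable key unwrapper found or none of the private keys could be used for decryption"

  # Matching private key: the pull succeeds.
  run_buildah pull --signature-policy "$policy" --decryption-key "$keydir/mykey.pem" "$encrypted"

  rm -rf "$keydir"
}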
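@test "pull encrypted registry image" {
  _prefetch busybox

  # ${TESTDIR:?} aborts the test if TESTDIR is unset or empty, so the
  # rm -rf at the end can never expand to "/tmp".
  local keydir="${TESTDIR:?}/tmp"
  local policy="${TESTSDIR}/policy.json"
  local image="localhost:5000/buildah/busybox_encrypted:latest"
  # TLS verification is off and the credentials are passed on the command
  # line. NOTE(review): this presumably targets the suite's disposable
  # registry on localhost:5000 - confirm; command-line credentials are
  # visible in the process list, so the pattern should not be copied for a
  # shared registry.
  local -a registry_args=(--tls-verify=false --creds testuser:testpassword)
  mkdir "$keydir"

  # Throwaway key pairs: mykey encrypts the image, mykey2 is the wrong key.
  # 2048 bits rather than 1024: 1024-bit RSA is below the commonly accepted
  # minimum and may be refused on hosts with a stricter crypto policy.
  openssl genrsa -out "$keydir/mykey.pem" 2048
  openssl genrsa -out "$keydir/mykey2.pem" 2048
  openssl rsa -in "$keydir/mykey.pem" -pubout > "$keydir/mykey.pub"

  # Push the image to the registry, encrypted to the public key.
  run_buildah push --signature-policy "$policy" "${registry_args[@]}" --encryption-key "jwe:$keydir/mykey.pub" busybox "docker://$image"

  # No key at all: the pull must fail, and for the right reason.
  run_buildah 125 pull --signature-policy "$policy" "${registry_args[@]}" "docker://$image"
  expect_output --substring "decrypting layer .* missing private key needed for decryption"

  # Wrong private key: must fail with a different message.
  run_buildah 125 pull --signature-policy "$policy" "${registry_args[@]}" --decryption-key "$keydir/mykey2.pem" "docker://$image"
  expect_output --substring "decrypting layer .* no suitable key unwrapper found or none of the private keys could be used for decryption"

  # Matching private key: the pull succeeds.
  run_buildah pull --signature-policy "$policy" "${registry_args[@]}" --decryption-key "$keydir/mykey.pem" "docker://$image"
  run_buildah rmi "$image"

  rm -rf "$keydir"
}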
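@test "pull encrypted registry image from commit" {
  _prefetch busybox

  # ${TESTDIR:?} aborts the test if TESTDIR is unset or empty, so the
  # rm -rf at the end can never expand to "/tmp".
  local keydir="${TESTDIR:?}/tmp"
  local policy="${TESTSDIR}/policy.json"
  local image="localhost:5000/buildah/busybox_encrypted:latest"
  # TLS verification is off and the credentials are passed on the command
  # line. NOTE(review): this presumably targets the suite's disposable
  # registry on localhost:5000 - confirm; command-line credentials are
  # visible in the process list, so the pattern should not be copied for a
  # shared registry.
  local -a registry_args=(--tls-verify=false --creds testuser:testpassword)
  mkdir "$keydir"

  # Throwaway key pairs: mykey encrypts the image, mykey2 is the wrong key.
  # 2048 bits rather than 1024: 1024-bit RSA is below the commonly accepted
  # minimum and may be refused on hosts with a stricter crypto policy.
  openssl genrsa -out "$keydir/mykey.pem" 2048
  openssl genrsa -out "$keydir/mykey2.pem" 2048
  openssl rsa -in "$keydir/mykey.pem" -pubout > "$keydir/mykey.pub"

  # Start a working container from the local busybox image and commit it
  # straight to the registry, encrypted to the public key.
  run_buildah from --quiet --pull=false --signature-policy "$policy" busybox
  cid=$output
  run_buildah commit --iidfile /dev/null "${registry_args[@]}" --signature-policy "$policy" --encryption-key "jwe:$keydir/mykey.pub" -q "$cid" "docker://$image"

  # No key at all: the pull must fail, and for the right reason.
  run_buildah 125 pull --signature-policy "$policy" "${registry_args[@]}" "docker://$image"
  expect_output --substring "decrypting layer .* missing private key needed for decryption"

  # Wrong private key: must fail with the key-mismatch message.
  run_buildah 125 pull --signature-policy "$policy" "${registry_args[@]}" --decryption-key "$keydir/mykey2.pem" "docker://$image"
  expect_output --substring "decrypting layer .* no suitable key unwrapper found or none of the private keys could be used for decryption"

  # Matching private key: the pull succeeds.
  run_buildah pull --signature-policy "$policy" "${registry_args[@]}" --decryption-key "$keydir/mykey.pem" "docker://$image"
  run_buildah rmi "$image"

  rm -rf "$keydir"
}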
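@test "pull image into a full storage" {
  # The mount point lives in the scratch directory, as it does in the
  # "pull image with TMPDIR set" test, rather than at the fixed path
  # /tmp/buildah-test: a predictable name in a world-writable directory can
  # be created in advance by another user or collide with a concurrent run.
  # ${TESTDIR:?} aborts if TESTDIR is unset or empty, so the rm -rf below
  # cannot expand to "/buildah-test".
  local fulldir="${TESTDIR:?}/buildah-test"
  mkdir -p "$fulldir"

  # NOTE(review): mount/umount need privileges - presumably the suite runs
  # as root; confirm.
  mount -t tmpfs -o size=5M tmpfs "$fulldir"

  # Fill the 5M tmpfs completely. dd is expected to stop once the device is
  # full, so it goes through `run`, which does not fail the test on a
  # nonzero exit.
  run dd if=/dev/urandom of="$fulldir/full"

  # With the storage root on the full filesystem the pull must fail with
  # ENOSPC.
  run_buildah 125 --root="$fulldir" pull --signature-policy "${TESTSDIR}/policy.json" alpine
  expect_output --substring "no space left on device"

  # NOTE(review): if either check above fails, the test stops there and the
  # tmpfs stays mounted; unmounting from a teardown hook would avoid that.
  umount "$fulldir"
  rm -rf "$fulldir"
}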
@test "pull with authfile" {
  _prefetch busybox

  # Registry, image and authfile used throughout. TLS verification is
  # disabled for every registry call and the password is given on the
  # command line. NOTE(review): presumably this is the suite's disposable
  # registry on localhost:5000 - confirm.
  local registry=localhost:5000
  local image="${registry}/buildah/busybox:latest"
  local authfile="${TESTDIR}/tmp/test.auth"
  mkdir ${TESTDIR}/tmp

  # Publish the image using inline credentials.
  run_buildah push --creds testuser:testpassword --tls-verify=false busybox docker://$image

  # Log in so that the credentials are stored in the authfile, then pull
  # with the authfile as the only source of credentials.
  run_buildah login --authfile $authfile --username testuser --password testpassword --tls-verify=false $registry
  run_buildah pull --authfile $authfile --tls-verify=false docker://$image
  run_buildah rmi $image

  # Remove the directory holding the stored credentials.
  rm -rf ${TESTDIR}/tmp
}
@test "pull quietly" {
  # The output of a quiet pull is captured and handed to rmi as the image
  # to delete, so the removal only succeeds if that output names the image.
  run_buildah pull -q busybox
  local pulled_id=$output
  run_buildah rmi ${pulled_id}
}
@test "pull-policy" {
  local policy_args="--signature-policy ${TESTSDIR}/policy.json"
  local ctr standin_id extra
  mkdir ${TESTDIR}/buildahtest

  # An unknown policy name is rejected.
  run_buildah 125 pull $policy_args --policy bogus alpine
  expect_output --substring "unsupported pull policy \"bogus\""

  # "never" with no local image: the pull fails and nothing is stored.
  run_buildah 125 pull -q $policy_args --policy never alpine
  expect_output --substring "image not known"
  run_buildah 125 inspect --type image alpine
  expect_output --substring "image not known"

  # Commit an empty stand-in image under alpine's fully qualified name.
  run_buildah from $policy_args scratch
  ctr=$output
  run_buildah commit -q $ctr docker.io/library/alpine
  standin_id=$output

  # "never" with the stand-in present: succeeds and reports the stand-in's
  # ID, i.e. the registry copy was not fetched.
  run_buildah pull -q $policy_args --policy never alpine
  expect_output $standin_id

  # "always": the image is pulled, so the reported ID must differ from the
  # stand-in's.
  run_buildah pull -q --policy always $policy_args alpine
  assert "$output" != "$standin_id" "pulled image should have a new IID"

  # Put the stand-in back.
  run_buildah commit -q $ctr docker.io/library/alpine
  standin_id=$output

  # "missing" with the stand-in present: the local image is kept.
  run_buildah pull -q $policy_args --policy missing alpine
  expect_output $standin_id

  # With no local image, both the default policy and "missing" must fetch
  # an image that can then be inspected.
  for extra in "" "--policy missing"; do
    run_buildah rmi alpine
    run_buildah pull -q $policy_args $extra alpine
    run_buildah inspect alpine
  done

  run_buildah rmi alpine
}
@test "pull --arch" {
  local policy_args="--signature-policy ${TESTSDIR}/policy.json"
  local field
  mkdir ${TESTDIR}/buildahtest

  # An architecture with no entry in the manifest list is an error.
  run_buildah 125 pull $policy_args --arch bogus alpine
  expect_output --substring "no image found in manifest list"

  # Pull the arm64 variant, then check that both the Docker and the OCI
  # image configuration record that architecture.
  run_buildah pull -q $policy_args --arch arm64 alpine
  for field in .Docker.Architecture .OCIv1.Architecture; do
    run_buildah inspect --format "{{ ${field} }}" alpine
    expect_output arm64
  done

  run_buildah rmi alpine
}
@test "pull --platform" {
  local policy_args="--signature-policy ${TESTSDIR}/policy.json"
  local field
  mkdir ${TESTDIR}/buildahtest

  # A platform with no entry in the manifest list is an error.
  run_buildah 125 pull $policy_args --platform linux/bogus alpine
  expect_output --substring "no image found in manifest list"

  # Pull the linux/arm64 variant, then check that both the Docker and the
  # OCI image configuration record arm64 as the architecture.
  run_buildah pull -q $policy_args --platform linux/arm64 alpine
  for field in .Docker.Architecture .OCIv1.Architecture; do
    run_buildah inspect --format "{{ ${field} }}" alpine
    expect_output arm64
  done

  run_buildah rmi alpine
}
@test "pull image with TMPDIR set" {
  local pull_args="--policy always --signature-policy ${TESTSDIR}/policy.json quay.io/libpod/alpine_nginx:latest"
  local tiny_tmp=${TESTDIR}/buildah-test

  # A 1M tmpfs to act as a temporary directory that is too small.
  # NOTE(review): mount/umount need privileges - presumably the suite runs
  # as root; confirm.
  mkdir -p $tiny_tmp
  mount -t tmpfs -o size=1M tmpfs $tiny_tmp

  # With TMPDIR pointing at the tiny filesystem the pull runs out of space.
  TMPDIR=$tiny_tmp run_buildah 125 pull $pull_args
  expect_output --substring "no space left on device"

  # The same pull without the TMPDIR override succeeds.
  run_buildah pull $pull_args

  umount $tiny_tmp
  rm -rf $tiny_tmp
}
@test "pull-policy --missing --arch" {
  local pull_args="--signature-policy ${TESTSDIR}/policy.json --policy missing"
  local amd64_id arm64_id

  # Pull the same name for two architectures under the "missing" policy and
  # record the ID reported by each pull.
  run_buildah pull -q $pull_args --arch amd64 alpine
  amd64_id=$output

  run_buildah pull -q $pull_args --arch arm64 alpine
  arm64_id=$output

  # The second pull must not have been satisfied by the amd64 image that
  # was already present.
  assert "$amd64_id" != "$arm64_id" "AMD and ARM ids should differ"
}
|