Commit Graph

36 Commits

Author SHA1 Message Date
Hironori Shiina c136e0288e Add authentication system tests for 'commit' and 'bud'
Signed-off-by: Hironori Shiina <shiina.hironori@jp.fujitsu.com>
2021-04-06 17:38:16 -04:00
Josh Soref c7963db369 Spelling
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
2020-12-21 16:47:18 -05:00
Ed Santiago 1ff7741fe2 Move away from using docker.io
November 2020, docker.io started restricting unauthenticated
image pulls. Try to work around this by using a custom
registries.conf file.

For the most part this means copying images from docker.io
to quay.io, via:

   $ skopeo copy --all docker://docker.io/library/img:tag \
                       docker://quay.io/libpod/img:tag

...for the following values of 'img:tag':

   busybox:musl
   centos:7  centos:8  centos:latest
   composer:latest
   debian:latest       ubuntu:latest
   docker:latest
   php:7.2

For each of those, it was necessary to go into the quay.io
GUI, click the image name, click the settings (gear) icon
at bottom left, click 'Make public', and confirm.

This process did not work in four instances, which required
special-casing:

   commit.bats : openshift/hello-openshift did not match the
                 mirroring rules; I switched to alpine instead.
                 Nalin confirmed on IRC that there was no magic
                 reason for requiring hello-openshift.

   pull.bats   : change a SHA. AFAICT there was nothing magic
                 about the SHA being used, it was just a
                 convenient one for purposes of testing
                 pull-by-sha. I simply switched to the SHA
                 of an image present on quay.

   registries.bats : was assuming that fedora-minimal shortname
                     would be pulled from fedora registry.
                     Unfortunately, we have a copy on quay
                     (for podman tests), so that's what we
                     pull by shortname, and it does not match
                     the SHA of the fedoraproject.org one.
                     Solution: pull by tag (fedora-minimal:32)
                     and hope that nobody ever mirrors that one
                     on quay.

   run.bats    : another pull-by-SHA, but this time I changed
                 the SHA to a named tag, and skopeo copy'd
                 that image from docker.io to the given name
                 on quay. This time there _is_ something
                 magic about that particular SHA (it's an
                 image with a specific volume quirk) but
                 there's no actual reason to reference it
                 by SHA - we simply did so because we have
                 no control over tag names on docker.io.
                 Since we control tag names on quay.io,
                 it's easy and more maintainable to give
                 this image a descriptive tag.

Signed-off-by: Ed Santiago <santiago@redhat.com>
2020-12-08 14:10:01 -07:00
Daniel J Walsh f280cd0285
Add --policy flag to buildah pull
This allows the user to specify the pull policy for pulling images.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-11-13 03:38:27 -05:00
Daniel J Walsh b715fb86ee
Use --timestamp rather than --omit-timestamp
We received feedback on the --omit-timestamp that
users would rather specify the timestamp seconds
rather than just use EPOCH.

This PR removes --omit-timestamp from buildah bud
since this has never been released.

We also hide --omit-timestamp from buildah commit
and allow users to continue to use it, but it conflicts
with --timestamp.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-08-28 05:23:41 -04:00
bors[bot] 69802bcc3e
Merge #2536 #2537 #2538
2536: Avoid feeding run_buildah to pipe r=TomSweeneyRedHat a=edsantiago

The usage 'run_buildah ... | grep' (or pipe whatever) works,
but it's a super bad pattern. Replace all instances of it
with a one-two of 'run_buildah' and 'expect_output'. Some
of these needed a little minor massaging.

Also: 'run_buildah ... || true' -> 'run_buildah 125 ...'.
I don't review all buildah PRs, so this one slipped by me.

Also: clean up trailing whitespace

Digression: why is 'run_buildah | grep' bad? Because:
  - it is inaccurate. run_buildah does 'echo $output',
    but it also emits other output (the buildah command
    itself, and possible expected-status mismatch).
    It is possible that a pipe-grep could trigger
    on one of these.
  - the reason run_buildah emits these things is so
    a human can look at debug output on failure and
    recognize what command was run, what the output
    was. If we pipe-grep, we lose that.
  - it is possible that a pipe-grep will mask
    a failing run_buildah (I'm not sure about this)
  - expect_output is more precise anyway, hence
    makes a better test.

Signed-off-by: Ed Santiago <santiago@redhat.com>


2537: Vendor in containers/storage v1.23.0 r=TomSweeneyRedHat a=rhatdan

Also drop runc vendor back to v1.0.0-rc91 since this vendor
brings in an unreleased version of runtime-spec which breaks runtime-tools

Finally lower version of runtime-spec
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>


2538: conformance testing: ignore buildah.BuilderIdentityAnnotation labels r=TomSweeneyRedHat a=nalind

#### What type of PR is this?

/kind bug

#### What this PR does / why we need it:

Ignore the buildah.BuilderIdentityAnnotation label when comparing images that we build with images built using other tools, which of course don't automatically set that label.

#### How to verify it:

Conformance tests should now account for #2510.

#### Which issue(s) this PR fixes:

None

#### Special notes for your reviewer:

The conformance tests don't all pass even with this change; that's ongoing work.

#### Does this PR introduce a user-facing change?

```
None
```

Co-authored-by: Ed Santiago <santiago@redhat.com>
Co-authored-by: Daniel J Walsh <dwalsh@redhat.com>
Co-authored-by: Nalin Dahyabhai <nalin@redhat.com>
2020-08-12 18:00:52 +00:00
Ed Santiago 0693b164cb Avoid feeding run_buildah to pipe
The usage 'run_buildah ... | grep' (or pipe whatever) works,
but it's a super bad pattern. Replace all instances of it
with a one-two of 'run_buildah' and 'expect_output'. Some
of these needed a little minor massaging.

Also: 'run_buildah ... || true' -> 'run_buildah 125 ...'.
I don't review all buildah PRs, so this one slipped by me.

Also: clean up trailing whitespace

Digression: why is 'run_buildah | grep' bad? Because:
  - it is inaccurate. run_buildah does 'echo $output',
    but it also emits other output (the buildah command
    itself, and possible expected-status mismatch).
    It is possible that a pipe-grep could trigger
    on one of these.
  - the reason run_buildah emits these things is so
    a human can look at debug output on failure and
    recognize what command was run, what the output
    was. If we pipe-grep, we lose that.
  - it is possible that a pipe-grep will mask
    a failing run_buildah (I'm not sure about this)
  - expect_output is more precise anyway, hence
    makes a better test.

Signed-off-by: Ed Santiago <santiago@redhat.com>
2020-08-11 15:01:26 -06:00
Daniel J Walsh 8bb100be2a
Add --omit-timestamp flag to buildah bud
Currently you can only do deterministic builds with the commit command;
this change will cause the metadata in the container image to be
epoch 0.

Next step is to save the data in the tarballs as 0.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-08-11 05:28:41 -04:00
Brandon Lum 57706e134d Implement commit for encryption
Signed-off-by: Brandon Lum <lumjjb@gmail.com>
2020-05-18 21:27:24 +00:00
Daniel J Walsh 2f671a26b2
Return exit code from failed containers
Buildah run was exiting with the correct exit code, when a container
failed.  Buildah bud was not, so this should fix this.

Also switched to the proper exit codes when containers fail.  When
Buildah fails to execute it will exit with a 125 exit code like
Podman does.  If a command fails to execute inside of a container
we will exit with a 126. Currently we do not support the 127 for
exiting when the command does not exist.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-04-20 11:24:52 -04:00
Ed Santiago 0f5fd98218 Flake handling: cache and prefetch images
Show of hands: who here loves submitting a PR, then coming back
hours later to find one job failed, then spending time poring
over logs and finding a network error? Anyone? Anyone?

This is a lame attempt to minimize such flakes by caching
commonly-used images and restoring them on demand. We
introduce a new helper, _prefetch(), which podman-pulls
an image the first time, podman-saves it, then on
subsequent calls (for the same image) podman-loads it:

    @test foo {
        _prefetch alpine busybox
        ...tests that run buildah-from either
    }

This is an imperfect solution: it is incomplete and will
grow more so over time as new tests are added. It is
difficult to verify its coverage. I'm really unhappy
with it but if it works, the Total Sum Of Unhappiness
might decrease overall thanks to fewer flakes. If it
doesn't work, it's trivial to remove _prefetch calls
using a sed script. Shall we give it a chance?

Signed-off-by: Ed Santiago <santiago@redhat.com>
2020-02-06 08:16:02 -07:00
Ed Santiago 77db7f959e BATS major cleanup: part 4: manual stuff
This is the manual part of the cleanup.

  - remove most 'buildah rm's from cleanup steps
  - remove unused variables
  - use expect_output when possible, not 'test [ x = y ]'
    - includes fixing some not-what-you-think-it-is uses
      of run_buildah | grep
  - be careful not to leave droppings in current directory

Special attention to:

  - authenticate.bats: create Dockerfile in temp dir, not pwd!
  - push.bats: remove broken output check
  - registries.bats: refactor, remove duplicate tests & code
  - rmi.bats: better checking of messages
  - secrets.bats: use TESTDIR (tmp), not TESTSDIR (/usr/share) !
    We don't want to leave droppings behind if we fail; this has
    bitten us before. And, since there's only one test, there's
    no need to override setup() / teardown(). Do setup inline,
    and take advantage of existing defaults.

Signed-off-by: Ed Santiago <santiago@redhat.com>

Closes: #2029
Approved by: rhatdan
2019-12-17 18:16:45 +00:00
Ed Santiago 6063bff02a BATS major cleanup, step 3: yet more run_buildah
Replace plain 'buildah' invocations with run_buildah

For ease of review, this commit was entirely machine-generated via:

   $ perl -pi -e 's/^(\s+)buildah(\s)/${1}run_buildah${2}/' *.bats

Signed-off-by: Ed Santiago <santiago@redhat.com>

Closes: #2029
Approved by: rhatdan
2019-12-17 18:16:45 +00:00
Ed Santiago 229b18f6a8 BATS major cleanup, part 2: use more run_buildah
Replace this pattern:

       cid=$(buildah ...)
with:
       run_buildah ...
       cid=$output

As a special case, if the buildah command is 'from' and the
string 'scratch' does not appear in the arguments, add '--quiet'.
Otherwise we'll get Pulling messages as part of $output. This
is an overkill solution.

For ease of review, this commit was entirely machine-generated via:

   $ perl -pi -e 's{^(\s+)(\S+)=\$\(buildah (.*)\)$}{$indent=$1;$var=$2;$cmd=$3; $cmd =~ s/(\bfrom)\s(?!.*scratch)/$1 --quiet $2/; "${indent}run_buildah $cmd\n$indent$var=\$output"}e' *.bats

Signed-off-by: Ed Santiago <santiago@redhat.com>

Closes: #2029
Approved by: rhatdan
2019-12-17 18:16:45 +00:00
Ed Santiago dee4b68ef0 BATS major cleanup, part 1: log-level
PR #1935 removed the default --debug logging; so all run_buildah
calls now use the default (error). It is safe to remove unnecessary
instances of --log-level=error .

For ease of review, this commit was entirely machine-generated via:

    $ perl -pi -e 's/ --log-level=error / /' *.bats

Signed-off-by: Ed Santiago <santiago@redhat.com>

Closes: #2029
Approved by: rhatdan
2019-12-17 18:16:45 +00:00
Ed Santiago d55a9f8893 PR takeover of #1966
PR 1966 has languished for three weeks without activity from
submitter. In the interests of getting it online, I have
taken it over and:

  - rebased
  - fixed several misunderstandings (bugs) noted in review feedback
  - fixed a few more

I also slightly rewrote two tests (tag by id, commit with name)
that were incomprehensible to me: unnecessary mount/umount and
no actual testing of anything other than checking exit status.
I believe the new code is closer to the intention of testing
but please pay closer attention to those bits.

Also: fixed the basic 'inspect' test. It looks like at some
point in the last month #1917 added a version string to
the buildah-inspect output. The test was fixed on master,
but ypu's PR did not incorporate those fixes and the
test was breaking. I took the liberty of cleaning up
the entire test for readability and maintainability.

Signed-off-by: Ed Santiago <santiago@redhat.com>

Closes: #2004
Approved by: rhatdan
2019-12-04 01:56:01 +00:00
Yiqiao Pu d6bf1d8553 Tests: Add container name and id check in containers test steps
Add some checkpoints for checking container name and id inside
the tests.

Signed-off-by: Yiqiao Pu <ypu@redhat.com>

Closes: #2004
Approved by: rhatdan
2019-12-04 01:56:01 +00:00
Yiqiao Pu 015060d9dc Tests: Add two commit tests
Add the following test cases for commit:
- commit with name
- commit to docker-distribution

Signed-off-by: Yiqiao Pu <ypu@redhat.com>

Closes: #2004
Approved by: rhatdan
2019-12-04 01:56:01 +00:00
Nalin Dahyabhai 1e6a70c1c2 commit(docker): always set ContainerID and ContainerConfig
For the sake of the Docker output format, always set the ContainerID
field, and if we have a non-nil Config, set ContainerConfig to the same
values.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #1989
Approved by: rhatdan
2019-11-20 14:27:55 +00:00
caiges 9ff68b3cde Add builder identity annotations.
Use io.podman.version and fix inspect tests

Signed-off-by: caiges <caigesn@gmail.com>

Closes: #1917
Approved by: TomSweeneyRedHat
2019-11-16 19:27:47 +00:00
Qi Wang f995696f28 Check nonexistent authfile
Signed-off-by: Qi Wang <qiwan@redhat.com>

Closes: #1967
Approved by: rhatdan
2019-11-07 04:07:07 +00:00
TomSweeneyRedHat 89bc2a6a6a Fix --pull=true||false and add --pull-never to bud and from (retry)
(Replaces #1873 as it had lint issues that were timing out tests that I couldn't
track down easily)

Prior to this fix, if someone did `buildah bud --pull=false .` and the image in
the Containerfile's FROM statement was not local, the build would fail. The same
build on Docker will succeed. In Docker, when `--pull` is set to false, it only
pulls the image from the registry if there was not one locally. Buildah would never
pull the image and if the image was not locally available, it would throw an error.
In certain Kubernetes environments, this was especially troublesome.

To retain the old `--pull=false` functionality, I've created a new `--pull-never`
option that fails if an image is not locally available just like the old
`--pull=false` option used to do.

In addition, if there was a newer version of the image on the repository than
the one locally, the `--pull=true` option would not pull the image as it should
have, this corrects that.

Changes both the from and bud commands.

Addresses: #1675

Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>

Closes: #1959
Approved by: rhatdan
2019-11-06 22:20:24 +00:00
Sascha Grunert 567141716e Add `--log-level` command line option and deprecate `--debug`
The previous log-level implementation does not seem to work, which is
now fixed and aligns to other projects like podman and CRI-O. Therefore
the `--debug` flag has been deprecated and is now hidden.

Added documentation as well as integration tests.

Signed-off-by: Sascha Grunert <sgrunert@suse.com>

Closes: #1811
Approved by: rhatdan
2019-08-29 12:49:11 +00:00
Ed Santiago 021d607282 rename 'is' to 'expect_output'
...and make the "$output" argument implicit, as well as the
description text. This greatly simplifies its invocation.

Also: make it test for exact matches unless --substring
option is passed; this eases my mind about a few potentially
ambiguous situations such as the one in #1464.

Also: add comments to two truth-table check functions

Also: reorder some config checks alphabetically, for ease
of reading.

Thanks to Tom Sweeney for the suggestions and encouragement.

Signed-off-by: Ed Santiago <santiago@redhat.com>

Closes: #1492
Approved by: rhatdan
2019-04-09 12:04:53 +00:00
Nalin Dahyabhai 610eb7a0b2 commit: make target image names optional
Make the name of the image to create an optional parameter.  If none is
specified, use a temporary mostly-random name that can't be interpreted
as an ID, so that the image copying logic will compute the correct ID to
assign to the new image, and remove the temporary name before returning.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #1486
Approved by: rhatdan
2019-04-08 21:21:09 +00:00
Ed Santiago 25b7c1164a oops, missed some tests in commit.bats
...also, update from rebase

Signed-off-by: Ed Santiago <santiago@redhat.com>

Closes: #1472
Approved by: TomSweeneyRedHat
2019-04-06 16:25:42 +00:00
Ed Santiago 6ecc6d6cb4 BATS tests - extensive but minor cleanup
This started off as bug fixes necessary to get BATS tests
actually working on RHEL8 (they weren't). It grew. I will
defend my actions in the first comment post.

Primary change: import some helpers from podman BATS tests,
most importantly 'run_buildah' and 'is'. The vast majority
of the changes you'll see here are of the form:

    - run buildah ...
    - [ $status = 0 ]
    - [ check $output ]
    + run_buildah ...            ! automatically checks status
    + is "$output" "..."

Also: chmod'ed some files -x. Necessary because rpmbuild tries
to be oh-so-clever about requirements, and when it sees an
executable file with a shebang line like '#!env bats' it
helpfully adds 'Requires: /usr/bin/bats' to the rpm, which
then fails to install because RHEL8 does not have bats.

Also: refactored duplicate code in a few places, by writing
and invoking module-specific helper functions.

Also: changed a handful of 'buildah's to run_buildah, in
order to get error checking and debug logging.

Also: added descriptive reasons to many "skip"s.

Also: selinux test: some tweakery to make it run on production
system (context is different if /usr/bin/buildah is chcon'ed
appropriately). I can't get this test to pass on Fedora from
a build dir, and I'm actually not convinced that this test
has ever passed, but let's see what CI shows.

Also: selinux test: skip broken test (#1465).

Also: version test: skip parts of it if running w/o sources.

Tests are now passing as root on RHEL8; rootless has numerous
failures which I don't believe are related to this PR.

Signed-off-by: Ed Santiago <santiago@redhat.com>

Closes: #1472
Approved by: TomSweeneyRedHat
2019-04-06 16:25:42 +00:00
Nalin Dahyabhai 444060c518 commit: check that we always set a "created-by"
Check that when we use "buildah commit" to create an image, we always
specify a value in the created-by field in the item that we're appending
to the image's history.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2019-04-03 15:16:35 -04:00
baude 3e175b1f7a Replace urfave/cli with cobra
Signed-off-by: baude <bbaude@redhat.com>

Closes: #1303
Approved by: rhatdan
2019-02-01 01:52:50 +00:00
Nalin Dahyabhai f6a02585a6 build-using-dockerfile,commit: disable compression by default
When committing an image to local storage, compressing the new layers
only wastes time because they need to be decompressed again when being
written to local storage.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #1274
Approved by: rhatdan
2019-01-11 13:41:19 +00:00
Boaz Shuster e04613f051 Add flags/arguments order verification to one arg commands
Signed-off-by: Boaz Shuster <boaz.shuster.github@gmail.com>

Closes: #984
Approved by: rhatdan
2018-09-04 14:46:36 +00:00
Nalin Dahyabhai 8e64ce1de6 Let util.ResolveName() return parsing errors
Allow util.ResolveName() to return errors from libraries that it uses.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #948
Approved by: rhatdan
2018-08-23 03:12:51 +00:00
TomSweeneyRedHat ba976ed310 Return policy error on pull
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>

Closes: #881
Approved by: rhatdan
2018-08-03 17:29:14 +00:00
Nalin Dahyabhai d86b0b915f Tweaks for commit tests
When testing --quiet, turn off debugging, have the image ID written to a
file, and verify that we get no output.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2018-06-25 16:46:41 -04:00
Nalin Dahyabhai b533b5bb0e commit: recognize committing to second storage locations
Recognize cases when we're committing to local storage, but in a
location other than where the working container is, by checking if the
base image (by ID, in case it's tagged and the tag points to a different
image with different layers) is present in the destination's store.

In those cases, we can't just assume that we can skip exporting the base
image's layers.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2018-06-25 16:46:41 -04:00
Zhou Hao 50c33f4965 add commit test
Signed-off-by: Zhou Hao <zhouhao@cn.fujitsu.com>

Closes: #772
Approved by: rhatdan
2018-06-11 13:14:16 +00:00