Use the new etchosts package to generate the hosts file.
This will ensure that we use the same logic in podman and buildah.
New features are:
- no duplicated entries
- adds entries for the network/slirp4netns ips
- configure the host.containers.internal entry in containers.conf
- configure the base hosts file in containers.conf
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Right now `assert t:[1] != t:[1]` passes. This is obviously incorrect
and some tests might not be working correctly because of this. We have to
special case this like the "==" case.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When a test needs to talk to a registry server, launch one as part of
the test rather than depending on it having been started by someone
else.
Use run_buildah where we used to use 'run buildah' without checking the
return code, and in a few cases where we did check it.
In the "from with non buildah container" test, use "podman create" with
host networking, in an attempt to avoid messing with networking in cases
where we're running on a system with a version of podman that will
create a bridge with CNI that we'll also create with netavark. We're
not sharing storage between the two invocations, so the logic that tries
to detect this problem won't detect it.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Mount and umount must be unshared for rootless environment.
Co-authored-by: Ed Santiago <santiago@redhat.com>
Signed-off-by: Aditya R <arajan@redhat.com>
Instrument tests so that they can be executed in a rootless environment.
Certain tests perform mount directly and they need a separate
user namespace; these tests are marked to be skipped for `rootless
environment`.
Signed-off-by: Aditya R <arajan@redhat.com>
Fixes gating test failure:
```
/usr/share/buildah/test/system/./helpers.bash: line 474: !is_cgroupsv2: command not found
```
Co-authored-by: Yiqiao Pu <ypu@redhat.com>
I'm just the committer.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
When testing that we can handle contexts that are described using the
git:// protocol, launch a local git-daemon with a minimal repository to
point the binary at instead of github, which doesn't do that any more.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add a --max-parallel-downloads flag to allow tuning down from the
default of six blobs at a time, and tune it down to one at a time when
we invoke the helper.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When firing up a minimal server to serve up content so that we can
retrieve it using HTTP, make it possible to let the kernel assign us
which port to use, so that the script that's calling us doesn't have to
make a(n occasionally bad) guess.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Allow ssh socket from host or certain ssh keys to be exposed to a
certain RUN instruction, but not any other instructions, as well as not
showing up in the final image.
This is done by spawning a new agent from buildah and mounting
the listening socket inside the run. SSH_AUTH_SOCK inside the container
will be set to the socket mountpoint. The default mountpoint is
/run/buildkit/ssh_agent.{i}
Signed-off-by: Ashley Cui <acui@redhat.com>
Make sure to use the correct resolv.conf in case of systemd-resolved.
Also filter out 127... nameserver when run in private netns.
Fixes #2780
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
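An added illustration of the resolv.conf handling described in the commit message above (not buildah's own code). It assumes the rule is: if the host file names only the systemd-resolved stub 127.0.0.53, use the upstream file instead, and drop loopback nameservers when the container has a private network namespace. The function names and sample files are hypothetical.

```sh
# Constructed sample: host /etc/resolv.conf as written by systemd-resolved.
STUB_RESOLV='# stub file (constructed sample)
nameserver 127.0.0.53
options edns0 trust-ad
search example.internal'

# Constructed sample: the upstream file kept by systemd-resolved.
UPSTREAM_RESOLV='nameserver 192.0.2.53
nameserver 127.0.0.1
nameserver ::1
nameserver 2001:db8::53
search example.internal'

# Succeed if stdin has at least one nameserver and all of them are the stub.
is_resolved_stub() {
    awk '$1 == "nameserver" { n++; if ($2 != "127.0.0.53") other = 1 }
         END { exit !(n >= 1 && !other) }'
}

# Copy stdin to stdout, dropping nameservers on a loopback address.
# Inside a private netns these point at the container itself, not the host.
filter_loopback_nameservers() {
    awk '$1 == "nameserver" && ($2 ~ /^127\./ || $2 == "::1") { next }
         { print }'
}

# Count nameserver lines on stdin.
count_nameservers() {
    awk '$1 == "nameserver" { n++ } END { print n + 0 }'
}

# container_resolv_conf HOST_TEXT UPSTREAM_TEXT PRIVATE_NETNS(0|1)
# Prints the resolv.conf text a container would be given under the
# assumptions stated above.
container_resolv_conf() (
    text=$1
    if printf '%s\n' "$text" | is_resolved_stub; then
        text=$2   # the stub resolver is unreachable from another netns
    fi
    if [ "$3" = 1 ]; then
        printf '%s\n' "$text" | filter_loopback_nameservers
    else
        printf '%s\n' "$text"
    fi
)
```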
This is much scarier than I had intended. The intention is to
start migrating from 'expect_output' and to use 'assert'
instead; the reason is that 'assert' allows much more
flexibility, particularly negative tests.
We've long wanted something like "assert that output does
not contain 'foo'". I've been too lazy to implement it,
but last week I noticed code in bud.bats that does:
    ! expect_output "sdfsdfsdf"
This is a really super bad idea: although it works fine when
things are good and tests pass, it's a disaster when tests
fail because the poor person debugging test output now sees
a test failure log, and starts tracking it down, and then
much later realizes that it was an intentional failure but
the '!' was negating it, and all that track-down work was
wasted.
To keep this PR reasonable, I'm keeping all positive uses
of expect_output untouched. We can migrate those (if desired)
over time. All negative uses are now assertions.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Make it possible to override the location of the copy test helper by
setting its location in an environment variable, as we do for imgtype.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
We re-tag images produced for Dockerfiles which contain no instructions
by "copying" them from their current names to their destination names,
letting the lower storage libraries deduplicate them into the same image
record.
When the source included signatures, this would break because
containers-storage can't guarantee that the compressed version of the
blob it will produce for a given layer will have the same digest that
the version referenced by the manifest had, so the image library would
refuse to "copy" them.
When the source and destination are the same, though, the
RemoveSignatures option doesn't cause the signatures to be deleted, but
it does bypass that check in the image library, so toggling it on works
around the problem.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Gating tests have failed (at least) twice already because
one of the push.bats tests runs "which docker" and skips
if it's missing. Sadly, some gating-test systems install
podman-docker (possibly when there's a bodhi that combines
podman and buildah). This causes the test to fail.
Solution: confirm that if docker exists, it isn't podman
in disguise. Since we need to do a similar check in
the pull-from-docker-daemon test in pull.bats, refactor
that into a common skip_if_no_docker helper.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Primarily desired for the podman CI setup in which we
run bud.bats tests using podman-build; but these are
all worthwhile changes useful for buildah itself.
bud.bats:
- from-scratch-iid test: use expect_output to confirm
leading 'sha256' (was: [[ ... ]])
- hardlinks test: add test-name arg to expect_output
(to help diagnose test failures, such as just happened
in podman tests)
- build-arg-cache test: add test-name string to expect_output,
to help someone narrow down which test failed.
- stdin tests: use 'run_buildah <' instead of '| buildah'
- remove trailing whitespace
helpers.bash: reindent, converting tabs to spaces. TL;DR this
is needed for running buildah-bud tests under podman(*). As
of this commit, there are no tab characters in the file.
* Long version: podman CI runs bud.bats using 'podman build'.
This requires a few changes to bud.bats and helpers.bash,
changes which need to be carried in podman itself, not in
the buildah repo (like grokking 'remote', a concept that
is meaningless in buildah-land). We use 'git diff', which
is funny about whitespace, which in turn causes podman
CI hooks to fail when we try to check in the .diff file.
Signed-off-by: Ed Santiago <santiago@redhat.com>
The _prefetch helper has proven invaluable in reducing pull-
related flakes. However, it is now failing because it uses
podman to pull, and buildah tests rely on shortnames, and
podman no longer works with shortnames.
Solution: use buildah, not podman, for initial image pulls.
(The reason we used podman in the first place is because
buildah does not have save/load. But since image store
is shared, we can use buildah for pull and podman for save
and load.)
Add shortname config to registries.conf. I don't think it's
actually necessary or even used, but we can tweak it later.
And, fix one test in from.bats that was using inconsistent
names between buildah and podman.
Signed-off-by: Ed Santiago <santiago@redhat.com>
November 2020, docker.io started restricting unauthenticated
image pulls. Try to work around this by using a custom
registries.conf file.
For the most part this means copying images from docker.io
to quay.io, via:
    $ skopeo copy --all docker://docker.io/library/img:tag \
                        docker://quay.io/libpod/img:tag
...for the following values of 'img:tag':
    busybox:musl
    centos:7 centos:8 centos:latest
    composer:latest
    debian:latest ubuntu:latest
    docker:latest
    php:7.2
For each of those, it was necessary to go into the quay.io
GUI, click the image name, click the settings (gear) icon
at bottom left, click 'Make public', and confirm.
This process did not work in four instances, which required
special-casing:
    commit.bats     : openshift/hello-openshift did not match the
                      mirroring rules; I switched to alpine instead.
                      Nalin confirmed on IRC that there was no magic
                      reason for requiring hello-openshift.
    pull.bats       : change a SHA. AFAICT there was nothing magic
                      about the SHA being used, it was just a
                      convenient one for purposes of testing
                      pull-by-sha. I simply switched to the SHA
                      of an image present on quay.
    registries.bats : was assuming that fedora-minimal shortname
                      would be pulled from fedora registry.
                      Unfortunately, we have a copy on quay
                      (for podman tests), so that's what we
                      pull by shortname, and it does not match
                      the SHA of the fedoraproject.org one.
                      Solution: pull by tag (fedora-minimal:32)
                      and hope that nobody ever mirrors that one
                      on quay.
    run.bats        : another pull-by-SHA, but this time I changed
                      the SHA to a named tag, and skopeo copy'd
                      that image from docker.io to the given name
                      on quay. This time there _is_ something
                      magic about that particular SHA (it's an
                      image with a specific volume quirk) but
                      there's no actual reason to reference it
                      by SHA - we simply did so because we have
                      no control over tag names on docker.io.
                      Since we control tag names on quay.io,
                      it's easy and more maintainable to give
                      this image a descriptive tag.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Add a pushd/popd to setup()/teardown() to ensure that tests run in our
tests directory, even if they're not invoked by test_runner.sh, so that
we can reliably use relative paths in tests without having to ensure our
location on a per-test or per-test-file basis.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add following tests:
1. bud capabilities test
2. from with non buildah container
3. pull image into a full storage
Signed-off-by: Yiqiao Pu <ypu@redhat.com>
Add a --retry flag to run_buildah; intended for tests which
really need to pull an image, and can't rely on prefetch().
It will try a failed buildah command three times, waiting
thirty seconds between retries.
This is imperfect: there's no way to specify the number of
retries, no way to specify the timeout, and no way to
combine --retry with an expected (i.e. nonzero) exit
status. (FWIW I can't think of any possible use for that).
It is, though, quick, minimal-impact, easy to remember
and use.
Add --retry option to various tests in pull.bats and
registries.bats.
And, while I'm at it, add expect_output checks to many
of the new encryption checks in pull.bats and from.bats.
This actually caught a bug in a test, a check that was
failing (expected) but for the wrong reason (missing
file, not wrong key). Have I mentioned, lately, that
tests should check error message strings, not just
exit status?
Fixes: #2473
Signed-off-by: Ed Santiago <santiago@redhat.com>
Buildah run was exiting with the correct exit code, when a container
failed. Buildah bud was not, so this should fix this.
Also switched to the proper exit codes when containers fail. When
Buildah fails to execute it will exit with a 125 exit code like
Podman does. If a command fails to execute inside of a container
we will exit with a 126. Currently we do not support the 127 for
exiting when the command does not exist.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Workaround for #1991, in which buildah leaves behind stale
mounts under overlayfs, which causes the 'rm -fr' in teardown()
to barf with EBUSY. Here we amend teardown() to look for
mounts underneath our temp dir and to umount them. With
this, bats runs cleanly even with STORAGE_DRIVER=overlay
Signed-off-by: Ed Santiago <santiago@redhat.com>
Also: images json test: rewrite to actually check for
keys instead of just number of lines. Reason: when using
older podman to prefetch (in f29), 'history' key is lost,
giving us 26 lines of output instead of 30.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Show of hands: who here loves submitting a PR, then coming back
hours later to find one job failed, then spending time poring
over logs and finding a network error? Anyone? Anyone?
This is a lame attempt to minimize such flakes by caching
commonly-used images and restoring them on demand. We
introduce a new helper, _prefetch(), which podman-pulls
an image the first time, podman-saves it, then on
subsequent calls (for the same image) podman-loads it:
    @test foo {
        _prefetch alpine busybox
        ...tests that run buildah-from either
    }
This is an imperfect solution: it is incomplete and will
grow more so over time as new tests are added. It is
difficult to verify its coverage. I'm really unhappy
with it but if it works, the Total Sum Of Unhappiness
might decrease overall thanks to fewer flakes. If it
doesn't work, it's trivial to remove _prefetch calls
using a sed script. Shall we give it a chance?
Signed-off-by: Ed Santiago <santiago@redhat.com>
Set GPG_TTY=/dev/null, which should hopefully prevent ENOTTY errors
during gating tests in CI. h/t Chris Evich.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #2120
Approved by: rhatdan
Many of the 'from' tests set up cgroup limits. Most of
these seem to have no equivalent in cgroups v2; until
we can find one, let's just skip them.
One test can be ported. It's hideous, requiring complicated
shell-script combining of /proc/self/cgroup into a file path,
but it works. (If the other tests can be made to work under
cgroups v2, we may want to refactor the horrible 'awk' mess
into a helper function; possibly only for this test module)
Signed-off-by: Ed Santiago <santiago@redhat.com>
Closes: #1965
Approved by: rhatdan
Refactor many cumbersome BUILDAH_ISOLATION and 'which runc'
checks into common 'skip_if_{ chroot, rootless, no_runtime}'
calls.
This is in preparation for the next PR, which introduces
additional cgroups-v2 skips.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Closes: #1965
Approved by: rhatdan
- add explicit --log-level=debug in some buildah-bud invocations
where we need to check debug output
- use expect_line_count() in one place, to get better diagnostics
- formats test: refactor, make more readable
- imgtype invoker: remove -debug
- fix one more instance of 'step' needing to be 'STEP'
- fix one mkdir to mkdir -p, and run rm -rf beforehand, to deal
with a failed prior run that might have left state
Signed-off-by: Ed Santiago <santiago@redhat.com>
Closes: #1935
Approved by: giuseppe
First, and possibly most controversial, remove --debug flag.
Output on test failure is painful to read. It is unlikely
(but not inconceivable) that --debug will be of any use.
Second, fix a failure message so it properly uses %s instead
of string interpolation. (If the test name itself includes
a percent sign, we get undefined behavior on output).
Fix a few instances of 'buildah' to be 'run_buildah'.
Remove some unnecessary 'run/echo/check-status' sequences,
sticking with the much cleaner 'test'. When BATS shows
an error of the form 'this failed: [ $status -eq 0 ]'
I weep in despair.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Closes: #1935
Approved by: giuseppe
The previous log-level implementation does not seem to work, which is
now fixed and aligns to other projects like podman and CRI-O. Therefore
the `--debug` flag has been deprecated and is now hidden.
Added documentation as well as integration tests.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Closes: #1811
Approved by: rhatdan
Some operating systems don’t have `bash` in `/bin`, so we should take the
`$PATH` into consideration for searching it.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Closes: #1804
Approved by: TomSweeneyRedHat
...and make the "$output" argument implicit, as well as the
description text. This greatly simplifies its invocation.
Also: make it test for exact matches unless --substring
option is passed; this eases my mind about a few potentially
ambiguous situations such as the one in #1464.
Also: add comments to two truth-table check functions
Also: reorder some config checks alphabetically, for ease
of reading.
Thanks to Tom Sweeney for the suggestions and encouragement.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Closes: #1492
Approved by: rhatdan
The idea is to replace messages of the form:
    # `[ $(wc -l <<< "$output") -eq 3 ]' failed
with:
    # #/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
    # #| FAIL: buildah images
    # #| Expected 3 lines of output, got 4
    # #| Output was:
    # #| >REPOSITORY TAG IMAGE ID ...
    # #| ><none> <none> eb6c71a3945f ...
    # #| >localhost/test latest 4711b358c2d9 ...
    # #| >docker.io/library/alpine latest 5cb3aa00f899 ...
    # #\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Diff generated via:
    perl -pi.BAK -e 's/\[ \$\(wc -l <<< .\$output.\) -eq (\d+) \]/expect_line_count $1/' tests/*.bats
REVIEWING THIS DIFF: look at helpers.bash, but really, don't
spend much effort looking at the individual diffs. They were
all done with the oneliner above. (Industrious reviewers will
look for cases that my oneliner missed, by grepping the sources
for 'wc -l'. I am aware of those, I just prefer to deal with
them in a separate commit later.)
Signed-off-by: Ed Santiago <santiago@redhat.com>
Closes: #1472
Approved by: TomSweeneyRedHat
- 'timeout' : remove '-v' option. This was added in coreutils 8.29
and it looks like travis has an older version. This makes the
timeout check more fragile because we now rely only on exit
code = 124. Added FIXME for when/if travis upgrades.
- also: bump up TIMEOUT from 120s to 300 due to real timeout
seen in travis CI
- also: handle exit status 137 - thanks to Chris for catching that
- is() : switch from expr to '[[ "$string" =~ ... ]]'.
Necessary because some travis runs were failing with:
expr: Argument list too long
Unfortunate, because expr is nicer, but [[ is a shell
builtin hence shouldn't be subject to command-line limits.
Adjust various test expressions as necessary, most notably
replacing [[:space:]] with ' '.
- secrets.bats : add a teardown() function for removing
the directories added in setup(); otherwise a failure
in the test makes subsequent passes fail.
Signed-off-by: Ed Santiago <santiago@redhat.com>
checkpoint
Closes: #1472
Approved by: TomSweeneyRedHat
This started off as bug fixes necessary to get BATS tests
actually working on RHEL8 (they weren't). It grew. I will
defend my actions in the first comment post.
Primary change: import some helpers from podman BATS tests,
most importantly 'run_buildah' and 'is'. The vast majority
of the changes you'll see here are of the form:
- run buildah ...
- [ $status = 0 ]
- [ check $output ]
+ run_buildah ... ! automatically checks status
+ is "$output" "..."
Also: chmod'ed some files -x. Necessary because rpmbuild tries
to be oh-so-clever about requirements, and when it sees an
executable file with a shebang line like '#!env bats' it
helpfully adds 'Requires: /usr/bin/bats' to the rpm, which
then fails to install because RHEL8 does not have bats.
Also: refactored duplicate code in a few places, by writing
and invoking module-specific helper functions.
Also: changed a handful of 'buildah's to run_buildah, in
order to get error checking and debug logging.
Also: added descriptive reasons to many "skip"s.
Also: selinux test: some tweakery to make it run on production
system (context is different if /usr/bin/buildah is chcon'ed
appropriately). I can't get this test to pass on Fedora from
a build dir, and I'm actually not convinced that this test
has ever passed, but let's see what CI shows.
Also: selinux test: skip broken test (#1465).
Also: version test: skip parts of it if running w/o sources.
Tests are now passing as root on RHEL8; rootless has numerous
failures which I don't believe are related to this PR.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Closes: #1472
Approved by: TomSweeneyRedHat