This commit enables TMT jobs triggered by Packit to run system tests.
2 set of jobs `dev` and `release` have been added. `dev` jobs are meant
to run on main PRs with additional package updates fetched from
podman-next copr while `release` jobs are meant to run on release-
branch PRs using only the dependencies present in the official distro.
Packit checks PR labels (see previous commit) to filter out
the jobs that get run.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
The "2" tag is very old and not a multi arch manifest. As such testing
on aarch64 failed because it pulled and x86_64 image instead. This was
found in downstream RHEL testing.
The "2.8.2" is multi arch and used in podman testing were we
successfully run aarch64 based testing.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This commit makes skopeo return a different exit code when an
input is not found. The use case is `osbuild` which uses skopeo
to inspect images and it would be nice to differenciate between
an image that is not found and general skopeo errors (or errors
like network issues etc).
I picked exit code `2` for `not found` because it is also the value
of `ENOENT`.
Man page and a test are added.
Signed-off-by: Michael Vogt <mvogt@redhat.com>
Add the ability to use an on-disk trust store to verify signatures. Also allow the user to trust any known fingerprint instead of having to specify one.
Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>
For whatever reasons, the podman configuration in CI results in the
inspect test throwing the following error:
```
not ok 4 inspect: image manifest list w/ diff platform
125
configuration is unset - using hardcoded default graph root
\"/var/lib/containers/storage\""
configuration is unset - using hardcoded default graph root
\"/var/lib/containers/storage\""
StoreOptions
```
Fix this by not using `podman`. It's unnecessary, since all the test
needs is the golang-flavor of the current system's architecture name.
That can easily be obtained by asking the go tool directly.
Signed-off-by: Chris Evich <cevich@redhat.com>
To support signing images without prompting the user, add CLI flags for
providing a passphrase file.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Sigh. 'expr 1 - 1' yields 0 (correctly) but also exits 1. This
is even documented in the man page, but I didn't know it. And
thus, on the final iteration, when timeout reached 0, BATS
errored out on the expr instead of continuing to the 'podman logs'
or the 'die' message.
Solution is super trivial: use $(( ... )) instead of expr.
Signed-off-by: Ed Santiago <santiago@redhat.com>
the 'signing' test is flaking; symptom is that we can never
connect to the port on the registry:
https://api.cirrus-ci.com/v1/task/6208385738604544/logs/system.log
By all indications, the registry is up, i.e., the 'podman rm -f reg'
in teardown() succeeds, as shown by the 53c (CID) in the log. (It
bothers me that the FAIL message from die() does not appear in the
log, and I can't figure out why).
To try to diagnose this, run 'podman logs' on the registry upon
failure.
Signed-off-by: Ed Santiago <santiago@redhat.com>
When copying to an OCI layout destination, forcing zstd compression,
check that the manifest correctly describes the type of the layer blob.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Switch to using images from quay.io/libpod instead, where
we're not (yet) subject to rate limiting.
Completely rewrite one unclear test. The purpose of the
test was to test #708, in which 'skopeo inspect --raw'
was fixed to be able to inspect images that do not
match the current host's os+arch. We now use a fixed
test image on quay.io, generated by a new script,
whose manifest is pretty unlikely to match our host.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Go 1.15 deprecates checking CN; this broke gating tests:
Get "https://localhost:5000/v2/": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
Easy two-line solution in the 'openssl' invocation. Huge
thanks to Nalin for tracking down and fixing while I was
still getting started:
https://github.com/containers/buildah/pull/2595
Copied from 0f2892a5b021de3b1cf273f5679fda8298b57c02 in buildah
Signed-off-by: Ed Santiago <santiago@redhat.com>
registry:2 no longer contains htpasswd.
Also don't use log_and_run ... >> $file
because that will cause the command to be logged to $file.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
'podman info' changed format, again, without preserving backward
compatibility. Basically, some keys that used to be lower-case
are now upper-case-first-letter.
These tests need to work with new podman on rawhide, and
old podman on f31/f32 and possibly RHEL. We must therefore
add a revolting workaround for the change.
Signed-off-by: Ed Santiago <santiago@redhat.com>
PR 834 broke Fedora gating tests, because "--runtime runc"
doesn't work so well on Rawhide. Let's try to be smarter
about when we add that override.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Replace shortnames with FQINs; this should allow tests to
run regardless of the state of registries.conf.
And, fix one broken new test that invoked 'jq' (without dot).
This usage works in Fedora, but not in RHEL.
Signed-off-by: Ed Santiago <santiago@redhat.com>
crun had a regression running on cgroupsv1 in containers. It has been
fixed upstream but did not yet bubble up into the packages. Force using
runc to unblock Skopeo's CI.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
When --raw is provided, can inspect show the raw manifest list, w/o
requiring any particular platform to be present, this test case is
used for make sure inspect command w/ --raw option works well for
container image is different from current platform arch.
Signed-off-by: Alex Jia <chuanchang.jia@gmail.com>
- zstd test - give unique name.
a36d81c copy/pasted an existing test but didn't give
the new test a new name, leading to bats warning:
duplicate test name(s) in [...]/020-copy.bats
- start_registry() - use bash builtins, not curl, to test
if registry port is open.
curl on Fedora now barfs with "Received HTTP/0.9 when not
allowed" when the registry is run with SSL, because the
response is not valid HTTP. One workaround would be 'curl
--http0.9' but (surprise) that option doesn't exist on rhel8;
and even with that option we would need --output /dev/null
to silence a different curl warning. Curl is overkill
for this purpose anyway, all we really need is netcat
or some simple binary is-port-listening-or-not test.
Fortunately, bash provides a /dev/tcp/<host>/<port>
emulator that does the right thing and works on Fedora
as well as RHEL8.
- new log_and_run() helper
This is the noisiest yet least critical part of this PR.
I'm sorry. It's motivated by my frustration in trying
to reproduce the curl problem above: getting just the
right incantation of openssl + podman-run cost me time.
With this enhancement, important commands are logged
as part of the output of failing tests, making it
easy[*] for maintenance programmers to figure out a
recipe for reproducing the failure.
[*] "easy" as long as the test-writing developer
uses log_and_run() wisely.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Temporarily work around https://github.com/containers/libpod/issues/4227
until Fedora has an updated packaged version of podman that includes
that fix, at which point we should revert this patch.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add a systemtest copying an image from docker to storage and then to an
oci-archive. There are other ways to trigger the same code paths, but
this one has caught a regression in c/image in libpod's.
Fixes: #734
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
The "inspect: env" test started failing since the environment in the
`fedora:latest` image has changed. Hence, only check for `PATH` in
the image's environment which is a defacto standard.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
This does not happen in this repo's tests, but containers/image's
(make test-skopeo) fails in the containers_image_openpgp configuration with
> not ok 10 signing
> ...
> # time="2019-06-11T20:59:32Z" level=fatal msg="Signing not supported: signing is not supported in github.com/containers/image built with the containers_image_openpgp build tag"
To reproduce/test this:
> make test-system BUILDTAGS='ostree containers_image_openpgp'
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
The usual 'podman run -d' race condition: we've been forking
off the container but not actually making sure it's up; this
leads to flakes in which we try (and fail) to access it.
Solution: use curl to check the port; we will expect a zero
exit status once we can connect. Time out at ten seconds.
Resolves: #675
Signed-off-by: Ed Santiago <santiago@redhat.com>
Skopeo CI tests run under podman; hence the registries
run in the tests will be podman-in-podman. This requires
complex muckery to make work:
- install bats, jq, and podman in the test image
- add new test-system Make target. It runs podman
with /var/lib/containers bind-mounted to a tmpdir
and with other necessary options; and invokes a
test script that hack-edits /etc/containers/storage.conf
before running podman for the first time.
- add --cgroup-manager=cgroupfs option to podman
invocations in BATS: without this, podman-in-podman
fails with:
systemd cgroup flag passed, but systemd support for managing cgroups is not available
Also: gpg --pinentry-mode option is not available on all
our test platforms. Check for it before using.
Signed-off-by: Ed Santiago <santiago@redhat.com>
- Got TLS registry working, and test enabled. The trick was to
copy the .crt file to a separate directory *without* the .key
- auth test - set up a private XDG_RUNTIME_DIR, in case tests
are being run by a real user.
- signing test - remove FIXME comments; questions answered.
- helpers.bash - document start_registries(); save a .crt file,
not .cert; and remove unused stop_registries() - it's too hard
to do right, and very easy for individual tests to 'podman rm -f'
- run-tests - remove SKOPEO_BINARY definition, it's inconsistent
with the one in helpers.bash
Signed-off-by: Ed Santiago <santiago@redhat.com>
