The "2" tag is very old and not a multi arch manifest. As such testing
on aarch64 failed because it pulled and x86_64 image instead. This was
found in downstream RHEL testing.
The "2.8.2" is multi arch and used in podman testing were we
successfully run aarch64 based testing.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Sigh. 'expr 1 - 1' yields 0 (correctly) but also exits 1. This
is even documented in the man page, but I didn't know it. And
thus, on the final iteration, when timeout reached 0, BATS
errored out on the expr instead of continuing to the 'podman logs'
or the 'die' message.
Solution is super trivial: use $(( ... )) instead of expr.
Signed-off-by: Ed Santiago <santiago@redhat.com>
the 'signing' test is flaking; symptom is that we can never
connect to the port on the registry:
https://api.cirrus-ci.com/v1/task/6208385738604544/logs/system.log
By all indications, the registry is up, i.e., the 'podman rm -f reg'
in teardown() succeeds, as shown by the 53c (CID) in the log. (It
bothers me that the FAIL message from die() does not appear in the
log, and I can't figure out why).
To try to diagnose this, run 'podman logs' on the registry upon
failure.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Switch to using images from quay.io/libpod instead, where
we're not (yet) subject to rate limiting.
Completely rewrite one unclear test. The purpose of the
test was to test #708, in which 'skopeo inspect --raw'
was fixed to be able to inspect images that do not
match the current host's os+arch. We now use a fixed
test image on quay.io, generated by a new script,
whose manifest is pretty unlikely to match our host.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Go 1.15 deprecates checking CN; this broke gating tests:
Get "https://localhost:5000/v2/": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
Easy two-line solution in the 'openssl' invocation. Huge
thanks to Nalin for tracking down and fixing while I was
still getting started:
https://github.com/containers/buildah/pull/2595
Copied from 0f2892a5b021de3b1cf273f5679fda8298b57c02 in buildah
Signed-off-by: Ed Santiago <santiago@redhat.com>
registry:2 no longer contains htpasswd.
Also don't use log_and_run ... >> $file
because that will cause the command to be logged to $file.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
PR 834 broke Fedora gating tests, because "--runtime runc"
doesn't work so well on Rawhide. Let's try to be smarter
about when we add that override.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Replace shortnames with FQINs; this should allow tests to
run regardless of the state of registries.conf.
And, fix one broken new test that invoked 'jq' (without dot).
This usage works in Fedora, but not in RHEL.
Signed-off-by: Ed Santiago <santiago@redhat.com>
crun had a regression running on cgroupsv1 in containers. It has been
fixed upstream but did not yet bubble up into the packages. Force using
runc to unblock Skopeo's CI.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
- zstd test - give unique name.
a36d81c copy/pasted an existing test but didn't give
the new test a new name, leading to bats warning:
duplicate test name(s) in [...]/020-copy.bats
- start_registry() - use bash builtins, not curl, to test
if registry port is open.
curl on Fedora now barfs with "Received HTTP/0.9 when not
allowed" when the registry is run with SSL, because the
response is not valid HTTP. One workaround would be 'curl
--http0.9' but (surprise) that option doesn't exist on rhel8;
and even with that option we would need --output /dev/null
to silence a different curl warning. Curl is overkill
for this purpose anyway, all we really need is netcat
or some simple binary is-port-listening-or-not test.
Fortunately, bash provides a /dev/tcp/<host>/<port>
emulator that does the right thing and works on Fedora
as well as RHEL8.
- new log_and_run() helper
This is the noisiest yet least critical part of this PR.
I'm sorry. It's motivated by my frustration in trying
to reproduce the curl problem above: getting just the
right incantation of openssl + podman-run cost me time.
With this enhancement, important commands are logged
as part of the output of failing tests, making it
easy[*] for maintenance programmers to figure out a
recipe for reproducing the failure.
[*] "easy" as long as the test-writing developer
uses log_and_run() wisely.
Signed-off-by: Ed Santiago <santiago@redhat.com>
The usual 'podman run -d' race condition: we've been forking
off the container but not actually making sure it's up; this
leads to flakes in which we try (and fail) to access it.
Solution: use curl to check the port; we will expect a zero
exit status once we can connect. Time out at ten seconds.
Resolves: #675
Signed-off-by: Ed Santiago <santiago@redhat.com>
Skopeo CI tests run under podman; hence the registries
run in the tests will be podman-in-podman. This requires
complex muckery to make work:
- install bats, jq, and podman in the test image
- add new test-system Make target. It runs podman
with /var/lib/containers bind-mounted to a tmpdir
and with other necessary options; and invokes a
test script that hack-edits /etc/containers/storage.conf
before running podman for the first time.
- add --cgroup-manager=cgroupfs option to podman
invocations in BATS: without this, podman-in-podman
fails with:
systemd cgroup flag passed, but systemd support for managing cgroups is not available
Also: gpg --pinentry-mode option is not available on all
our test platforms. Check for it before using.
Signed-off-by: Ed Santiago <santiago@redhat.com>
- Got TLS registry working, and test enabled. The trick was to
copy the .crt file to a separate directory *without* the .key
- auth test - set up a private XDG_RUNTIME_DIR, in case tests
are being run by a real user.
- signing test - remove FIXME comments; questions answered.
- helpers.bash - document start_registries(); save a .crt file,
not .cert; and remove unused stop_registries() - it's too hard
to do right, and very easy for individual tests to 'podman rm -f'
- run-tests - remove SKOPEO_BINARY definition, it's inconsistent
with the one in helpers.bash
Signed-off-by: Ed Santiago <santiago@redhat.com>
