CI: use local registry, part 2 of 2

Make tests pass when using a local cache registry (as triggered by $CI_USE_REGISTRY_CACHE being non-empty). Mostly just change images: consolidate to a smaller set, like, replace the few instances of debian with ubuntu, use $SAFEIMAGE where we can. The most significant change was with some s1 (schema 1?) images. Those exist on quay, but cannot be mirrored locally: the local registry forbids schema 1 images. I choose to skip these tests when running against a local registry. Second most significant change is running containerized tests with --net=host. We need this to access the registry running on a localhost port. (One alternative would be to bind the registry on all interfaces, cringe, then perform sed magic on the registries-cache.conf file changing 127.0.0.1 to host.containers.internal, more cringe). Also, some cleanup. Signed-off-by: Ed Santiago <santiago@redhat.com>
2026-02-05 09:45:38 +01:00 · 2024-06-11 10:10:22 -06:00
parent 52df6e0e0f
commit 3ad0fd1ed1
12 changed files with 77 additions and 40 deletions
--- a/contrib/cirrus/lib.sh
+++ b/contrib/cirrus/lib.sh
@@ -96,8 +96,8 @@ PASSTHROUGH_ENV_RE="(^($PASSTHROUGH_ENV_EXACT)\$)|(^($PASSTHROUGH_ENV_ATSTART))|
 SECRET_ENV_RE='ACCOUNT|GC[EP]..|SSH|PASSWORD|SECRET|TOKEN'

 # FQINs needed for testing
-REGISTRY_FQIN=${REGISTRY_FQIN:-docker.io/library/registry}
-ALPINE_FQIN=${ALPINE_FQIN:-docker.io/library/alpine}
+REGISTRY_FQIN=${REGISTRY_FQIN:-quay.io/libpod/registry:2.8.2}
+ALPINE_FQIN=${ALPINE_FQIN:-quay.io/libpod/alpine}

 # for in-container testing
 IN_PODMAN_NAME="in_podman_$CIRRUS_TASK_ID"
@@ -193,7 +193,7 @@ in_podman() {
    done <<<"$(passthrough_envars)"

    showrun podman run -i --name="$IN_PODMAN_NAME" \
-                   --net="container:registry" \
+                   --net=host \
                   --privileged \
                   --cgroupns=host \
                   "${envargs[@]}" \
--- a/tests/bud.bats
+++ b/tests/bud.bats
@@ -4586,9 +4586,11 @@ EOM
 }

@test "bud copy chown with newuser" {
-  _prefetch quay.io/fedora/fedora
+  _prefetch $SAFEIMAGE
  # Regression test for https://github.com/containers/buildah/issues/2192
-  run_buildah build $WITH_POLICY_JSON -t testctr -f $BUDFILES/copy-chown/Containerfile.chown_user $BUDFILES/copy-chown
+  run_buildah build $WITH_POLICY_JSON -t testctr \
+              --build-arg SAFEIMAGE=$SAFEIMAGE \
+              -f $BUDFILES/copy-chown/Containerfile.chown_user $BUDFILES/copy-chown
  expect_output --substring "myuser:myuser"
 }

@@ -6334,10 +6336,10 @@ _EOF
  expect_output --substring "world"
 }

-@test "bud-verify-if-we-dont-clean-prexisting-path" {
+@test "bud-verify-if-we-dont-clean-preexisting-path" {
  skip_if_no_runtime
  skip_if_in_container
-  _prefetch alpine debian
+  _prefetch alpine ubuntu
  run_buildah 1 build -t testbud $WITH_POLICY_JSON --secret id=secret-foo,src=$BUDFILES/verify-cleanup/secret1.txt -f $BUDFILES/verify-cleanup/Dockerfile $BUDFILES/verify-cleanup/
  expect_output --substring "hello"
  expect_output --substring "secrettext"
--- a/tests/bud/copy-chown/Containerfile.chown_user
+++ b/tests/bud/copy-chown/Containerfile.chown_user
@@ -1,7 +1,8 @@
-FROM quay.io/fedora/fedora
+ARG SAFEIMAGE
+FROM $SAFEIMAGE

 ENV MYUSER=myuser
-RUN useradd --create-home --home /"${MYUSER}" "${MYUSER}"
+RUN adduser -D -h /"${MYUSER}" "${MYUSER}"
 COPY --chown="${MYUSER}" ./copychown.txt /somewhere

 RUN stat -c "%U:%G" /somewhere
--- a/tests/bud/verify-cleanup/Dockerfile
+++ b/tests/bud/verify-cleanup/Dockerfile
@@ -2,7 +2,7 @@ FROM alpine as builder
 RUN mkdir subdir
 COPY hey .

-FROM debian
+FROM ubuntu
 RUN  --mount=type=bind,source=.,dst=/tmp,z \
     --mount=type=tmpfs,dst=/var/tmp \
    cat /tmp/hey
--- a/tests/copy.bats
+++ b/tests/copy.bats
@@ -447,7 +447,7 @@ stuff/mystuff"
@test "copy-preserving-extended-attributes" {
  createrandom ${TEST_SCRATCH_DIR}/randomfile
  # if we need to change which image we use, any image that can provide a working setattr/setcap/getfattr will do
-  image="quay.io/libpod/fedora-minimal:34"
+  image="quay.io/libpod/systemd-image:20240124"
  if ! which setfattr > /dev/null 2> /dev/null; then
    skip "setfattr not available, unable to check if it'll work in filesystem at ${TEST_SCRATCH_DIR}"
  fi
--- a/tests/digest.bats
+++ b/tests/digest.bats
@@ -30,11 +30,15 @@ fromreftest() {
 }

@test "from-by-digest-s1" {
+  test -n "$CI_USE_REGISTRY_CACHE" && skip "Cannot test against local cache registry"
+
  skip_if_rootless_environment
  fromreftest quay.io/libpod/testdigest_v2s1@sha256:816563225d7baae4782653efc9410579341754fe32cbe20f7600b39fc37d8ec7
 }

@test "from-by-digest-s1-a-discarded-layer" {
+  test -n "$CI_USE_REGISTRY_CACHE" && skip "Cannot test against local cache registry"
+
  skip_if_rootless_environment
  IMG=quay.io/libpod/testdigest_v2s1_with_dups@sha256:2c619fffbed29d8677e246798333e7d1b288333cb61c020575f6372c76fdbb52

@@ -54,6 +58,8 @@ fromreftest() {
 }

@test "from-by-tag-s1" {
+  test -n "$CI_USE_REGISTRY_CACHE" && skip "Cannot test against local cache registry"
+
  skip_if_rootless_environment
  fromreftest quay.io/libpod/testdigest_v2s1:20200210
 }
--- a/tests/e2e/buildah_suite_test.go
+++ b/tests/e2e/buildah_suite_test.go
@@ -103,6 +103,11 @@ func BuildahCreate(tempDir string) BuildAhTest {
 		storageOpts = fmt.Sprintf("--storage-driver %s", os.Getenv("STORAGE_DRIVER"))
 	}

+	registriesConfBase := "../../tests/registries"
+	if os.Getenv("CI_USE_REGISTRY_CACHE") != "" {
+		registriesConfBase += "-cached"
+	}
+
 	return BuildAhTest{
 		BuildAhBinary:  buildAhBinary,
 		RunRoot:        filepath.Join(tempDir, "runroot"),
@@ -111,7 +116,7 @@ func BuildahCreate(tempDir string) BuildAhTest {
 		ArtifactPath:   artifactDir,
 		TempDir:        tempDir,
 		SignaturePath:  "../../tests/policy.json",
-		RegistriesConf: "../../tests/registries.conf",
+		RegistriesConf: registriesConfBase + ".conf",
 	}
 }

--- a/tests/from.bats
+++ b/tests/from.bats
@@ -110,13 +110,14 @@ load helpers
  run_buildah rm $output
  run_buildah rmi docker.io/alpine:latest

-  run_buildah from --quiet --pull=true $WITH_POLICY_JSON docker.io/centos:7
-  run_buildah rm $output
-  run_buildah rmi docker.io/centos:7
+  # FIXME FIXME FIXME: I don't see the point of these. Any reason not to delete?
+#  run_buildah from --quiet --pull=true $WITH_POLICY_JSON docker.io/centos:7
+#  run_buildah rm $output
+#  run_buildah rmi docker.io/centos:7

-  run_buildah from --quiet --pull=true $WITH_POLICY_JSON docker.io/centos:latest
-  run_buildah rm $output
-  run_buildah rmi docker.io/centos:latest
+#  run_buildah from --quiet --pull=true $WITH_POLICY_JSON docker.io/centos:latest
+#  run_buildah rm $output
+#  run_buildah rmi docker.io/centos:latest
 }

@test "from the following transports: docker-archive, oci-archive, and dir" {
@@ -124,8 +125,11 @@ load helpers
  run_buildah from --quiet --pull=true $WITH_POLICY_JSON alpine
  run_buildah rm $output

-  run_buildah from --quiet --pull=true $WITH_POLICY_JSON docker:latest
-  run_buildah rm $output
+  # #2205: The important thing here is differentiating 'docker:latest'
+  # (the image) from 'docker:/path' ('docker' as a protocol identifier).
+  # This is a parsing fix so we don't actually need to pull the image.
+  run_buildah 125 from --quiet --pull=false $WITH_POLICY_JSON docker:latest
+  assert "$output" = "Error: docker:latest: image not known"

  run_buildah push $WITH_POLICY_JSON alpine docker-archive:${TEST_SCRATCH_DIR}/docker-alp.tar:alpine
  run_buildah push $WITH_POLICY_JSON alpine    oci-archive:${TEST_SCRATCH_DIR}/oci-alp.tar:alpine
--- a/tests/helpers.bash
+++ b/tests/helpers.bash
@@ -68,9 +68,17 @@ EOF

    # Common options for all buildah and podman invocations
    ROOTDIR_OPTS="--root ${TEST_SCRATCH_DIR}/root --runroot ${TEST_SCRATCH_DIR}/runroot --storage-driver ${STORAGE_DRIVER}"
-    BUILDAH_REGISTRY_OPTS="--registries-conf ${TEST_SOURCES}/registries.conf --registries-conf-dir ${TEST_SCRATCH_DIR}/registries.d --short-name-alias-conf ${TEST_SCRATCH_DIR}/cache/shortnames.conf"
-    COPY_REGISTRY_OPTS="--registries-conf ${TEST_SOURCES}/registries.conf --registries-conf-dir ${TEST_SCRATCH_DIR}/registries.d --short-name-alias-conf ${TEST_SCRATCH_DIR}/cache/shortnames.conf"
-    PODMAN_REGISTRY_OPTS="--registries-conf ${TEST_SOURCES}/registries.conf"
+
+    # When running in CI, use a local registry for all image pulls
+    local cached=
+    if [[ -n "$CI_USE_REGISTRY_CACHE" ]]; then
+        cached="-cached"
+    fi
+    regconfopt="--registries-conf ${TEST_SOURCES}/registries$cached.conf"
+    regconfdir="--registries-conf-dir ${TEST_SCRATCH_DIR}/registries.d"
+    BUILDAH_REGISTRY_OPTS="${regconfopt} ${regconfdir} --short-name-alias-conf ${TEST_SCRATCH_DIR}/cache/shortnames.conf"
+    COPY_REGISTRY_OPTS="${BUILDAH_REGISTRY_OPTS}"
+    PODMAN_REGISTRY_OPTS="${regconfopt}"
 }

 function starthttpd() {
@@ -676,7 +684,7 @@ function stop_git_daemon() {
 function start_registry() {
  local testuser="${1:-testuser}"
  local testpassword="${2:-testpassword}"
-  local REGISTRY_IMAGE=quay.io/libpod/registry:2.8
+  local REGISTRY_IMAGE=quay.io/libpod/registry:2.8.2
  local config='
 version: 0.1
 log:
--- a/tests/mkcw.bats
+++ b/tests/mkcw.bats
@@ -58,7 +58,14 @@ function mkcw_check_image() {
    skip "cryptsetup not found"
  fi
  _prefetch busybox
-  _prefetch bash
+  # The important thing we need from $SAFEIMAGE is that it have >1 layer.
+  # Per @nalind:
+  #     The error we were attempting to avoid was causing the disk image to lose
+  #     content from layers that weren't the last one (and as far as this test is
+  #     concerned, for images with one layer, the only layer is also the last layer),
+  #     and the presence of the second layer, empty as it is, means the image still
+  #     meets the test expectations.
+  _prefetch $SAFEIMAGE
  createrandom randomfile1
  createrandom randomfile2

@@ -67,8 +74,8 @@ function mkcw_check_image() {
  run_buildah mkcw --ignore-attestation-errors --type snp --passphrase=mkcw-convert --add-file randomfile1:/in-a-subdir/rnd1 busybox busybox-cw
  mkcw_check_image busybox-cw "" randomfile1:in-a-subdir/rnd1
  # image has multiple layers, check with all-upper-case TEE type name
-  run_buildah mkcw --ignore-attestation-errors --type SNP --passphrase=mkcw-convert --add-file randomfile2:rnd2 bash bash-cw
-  mkcw_check_image bash-cw "" randomfile2:/rnd2
+  run_buildah mkcw --ignore-attestation-errors --type SNP --passphrase=mkcw-convert --add-file randomfile2:rnd2 $SAFEIMAGE my-cw
+  mkcw_check_image my-cw "" randomfile2:/rnd2
 }

@test "mkcw-commit" {
@@ -77,10 +84,10 @@ function mkcw_check_image() {
  if ! which cryptsetup > /dev/null 2> /dev/null ; then
    skip "cryptsetup not found"
  fi
-  _prefetch bash
+  _prefetch $SAFEIMAGE

  echo -n "mkcw commit" > "$TEST_SCRATCH_DIR"/key
-  run_buildah from bash
+  run_buildah from $SAFEIMAGE
  ctrID="$output"
  run_buildah commit --iidfile "$TEST_SCRATCH_DIR"/iid --cw type=SEV,ignore_attestation_errors,passphrase="mkcw commit" "$ctrID"
  mkcw_check_image $(cat "$TEST_SCRATCH_DIR"/iid)
--- a/tests/pull.bats
+++ b/tests/pull.bats
@@ -32,29 +32,30 @@ load helpers
  run_buildah 125 --registries-conf ${TEST_SOURCES}/registries.conf.block pull $WITH_POLICY_JSON docker.io/alpine
  expect_output --substring "registry docker.io is blocked in"

-  run_buildah --retry --registries-conf ${TEST_SOURCES}/registries.conf       pull $WITH_POLICY_JSON docker.io/alpine
+  run_buildah --retry pull $WITH_POLICY_JSON docker.io/alpine
 }

@test "pull-from-registry" {
-  run_buildah --retry pull --registries-conf ${TEST_SOURCES}/registries.conf $WITH_POLICY_JSON busybox:glibc
-  run_buildah pull --registries-conf ${TEST_SOURCES}/registries.conf $WITH_POLICY_JSON busybox:latest
+  run_buildah --retry pull $WITH_POLICY_JSON busybox:glibc
+  run_buildah pull $WITH_POLICY_JSON busybox:latest
  run_buildah images --format "{{.Name}}:{{.Tag}}"
  expect_output --substring "busybox:glibc"
  expect_output --substring "busybox:latest"
  # We need to see if this file is created after first pull in at least one test
  [ -f ${TEST_SCRATCH_DIR}/root/defaultNetworkBackend ]

-  run_buildah --retry pull --registries-conf ${TEST_SOURCES}/registries.conf $WITH_POLICY_JSON quay.io/libpod/alpine_nginx:latest
+  run_buildah --retry pull $WITH_POLICY_JSON quay.io/libpod/alpine_nginx:latest
  run_buildah images --format "{{.Name}}:{{.Tag}}"
  expect_output --substring "alpine_nginx:latest"

  run_buildah rmi quay.io/libpod/alpine_nginx:latest
-  run_buildah --retry pull --registries-conf ${TEST_SOURCES}/registries.conf $WITH_POLICY_JSON quay.io/libpod/alpine_nginx
+  run_buildah --retry pull $WITH_POLICY_JSON quay.io/libpod/alpine_nginx
  run_buildah images --format "{{.Name}}:{{.Tag}}"
  expect_output --substring "alpine_nginx:latest"

-  run_buildah --retry pull --registries-conf ${TEST_SOURCES}/registries.conf $WITH_POLICY_JSON alpine@sha256:e9a2035f9d0d7cee1cdd445f5bfa0c5c646455ee26f14565dce23cf2d2de7570
-  run_buildah 125 pull --registries-conf ${TEST_SOURCES}/registries.conf $WITH_POLICY_JSON fakeimage/fortest
+  run_buildah --retry pull $WITH_POLICY_JSON alpine@sha256:634a8f35b5f16dcf4aaa0822adc0b1964bb786fca12f6831de8ddc45e5986a00
+
+  run_buildah 125 pull $WITH_POLICY_JSON fakeimage/fortest
  run_buildah images --format "{{.Name}}:{{.Tag}}"
  assert "$output" !~ "fakeimage/fortest" "fakeimage/fortest found in buildah images"
 }
--- a/tests/run.bats
+++ b/tests/run.bats
@@ -657,11 +657,14 @@ function configure_and_check_user() {
 	skip_if_in_container

 	${OCI} --version
-	_prefetch debian
+        # We use ubuntu image because it has no /etc/hosts file. This
+        # allows the fake_host test below to be an equality check,
+        # not a substring check.
+	_prefetch ubuntu

 	local hostname=h-$(random_string)

-	run_buildah from --quiet --pull=false $WITH_POLICY_JSON debian
+	run_buildah from --quiet --pull=false $WITH_POLICY_JSON ubuntu
 	cid=$output
 	run_buildah 125 run --network=bogus $cid cat /etc/hosts
 	expect_output --substring "unable to find network with name or ID bogus: network not found"
@@ -699,7 +702,7 @@ function configure_and_check_user() {
 	expect_output --substring ""
 	run_buildah rm -a

-	run_buildah from --quiet --pull=false $WITH_POLICY_JSON debian
+	run_buildah from --quiet --pull=false $WITH_POLICY_JSON ubuntu
 	cid=$output
 	run_buildah run --network=host --hostname $hostname $cid cat /etc/hosts
 	assert "$output" =~ "$ip[[:blank:]]$hostname"
@@ -715,7 +718,7 @@ function configure_and_check_user() {
 	assert "$output" =~ "$ip[[:blank:]]$hostname"
 	run_buildah rm -a

-	run_buildah from --quiet --pull=false $WITH_POLICY_JSON debian
+	run_buildah from --quiet --pull=false $WITH_POLICY_JSON ubuntu
 	cid=$output
 	run_buildah run --network=none $cid sh -c 'echo "110.110.110.0 fake_host" >> /etc/hosts; cat /etc/hosts'
 	expect_output "110.110.110.0 fake_host"