integration tests: learn to start a dummy registry

[nalind]

What type of PR is this?

/kind other

What this PR does / why we need it:

When a test needs to talk to a registry server, launch one as part of the test rather than depending on it having been started by someone else.

Use run_buildah where we used to use 'run buildah' without checking the return code, and in a few cases where we did check it.

In the "from with non buildah container" test, use "podman create" with host networking, in an attempt to avoid messing with networking in cases where we're running on a system with a version of podman that will create a bridge with CNI that we'll also create with netavark. We're not sharing storage between the two invocations, so the logic that tries to detect this problem won't detect it.

How to verify it

Updates to tests!

Which issue(s) this PR fixes:

None

Special notes for your reviewer:

This gets us closer to being able to run integration tests anywhere by pointing bats at our tests directory.

Does this PR introduce a user-facing change?

None

[TomSweeneyRedHat]

I think we may call this a fair number of times during the tests and I wonder if we'll hit the rate limits. Would it make sense to have our own registry image tucked away on quay.io somewhere? Do they have one for Podman already?

[nalind]

I'm not against that, but I have no idea if we have a plan in place to keep any of those up to date. The start_registry function uses _prefetch, so it should be pulled, at most, once in a given CI job.

[vrothberg]

Consider using quay.io/libpod/registry:2.6. I recall that an update to the one on Docker Hub once broke gating.

[nalind]

Using 2.7 now. 2.6 and 2.7 are not multi-arch, and 2.8 isn't in that repository. How/when do they get updated?

[vrothberg]

I think they're under the loving care of @edsantiago

[edsantiago]

2.8 copy in progress; it'll take a long time (30m?) due to my slow network.

$ skopeo copy --all docker://docker.io/registry:2.8 docker://quay.io/libpod/registry:2.8

[vrothberg]

@edsantiago, feel free to ping me next time. Still enjoying fast French fibre :)

[edsantiago]

Done:

$ buildah manifest inspect quay.io/libpod/registry:2.8 | jq '.manifests[].platform.architecture'
"amd64"
"arm"
"arm"
"arm64"
"ppc64le"
"s390x"

[edsantiago]

This one is failing on setxattr (without the l)

[nalind]

This one is failing on setxattr (without the l)

This was trying to re-enable a test that was previously disabled under SELinux, but I guess we didn't work around it after all.

[TomSweeneyRedHat]

The integration test is failing with one that I've not seen before:

[+1249s] not ok 286 bud-multiple-platform-no-run
...
[+1249s] # 9505e448a8192a7713bf10737028537f74f36a1fb89298e8b4914548eaca053c
[+1249s] # --> dc60ecdbd35
[+1249s] # dc60ecdbd35d1c5a9e89efd7f77f8c820d97643f3a5e4c03e2bf4d23e670a5b3
[+1249s] # error creating build container: writing blob: adding layer with blob "sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1": ApplyLayer exit status 1 stdout:  stderr: Error making old root private after pivot: no such file or directory
[+1249s] # [ rc=125 (** EXPECTED 0 **) ]

Later, it can't find containers.conf in a few tests:

[+1532s] ok 364 containers.conf selinux test
[+1532s] time="2022-04-04T16:56:02-05:00" level=warning msg="Error loading container config when searching for local runtime: finding config on system: CONTAINERS_CONF file: stat /var/tmp/go/src/github.com/containers/buildah/tests/./containers1.conf: no such file or directory"
[+1532s] time="2022-04-04T16:56:02-05:00" level=error msg="failed to setup From and Build flags: failed to get container config: finding config on system: CONTAINERS_CONF file: stat /var/tmp/go/src/github.com/containers/buildah/tests/./containers1.conf: no such file or directory"

[edsantiago]

@TomSweeneyRedHat that's our nemesis, #3710

[TomSweeneyRedHat]

A thought for later. Should we define ${FEDORA_MINIMAL} or some such in helpers.bat? That way if we need to bump from 35 to 36, we only have one place to do it.

[nalind]

This could as likely have left the version tag off of the image spec, since the test doesn't care about it as much, but don't let me stop you.

[edsantiago]

The problem with omitting the version spec is that the next (or next-next) version will introduce some sort of breakage that will cause us to scramble in a panic. . Example: containers/podman#12343

[nalind]

Fair enough.

[edsantiago]

See also #3640. If there is a critical need to use f35 here, can we push a copy to quay instead?

[nalind]

It isn't critical that it be Fedora or Fedora-based, more that it have working setcap, getfattr, and setfattr commands. I'll add comment there to try to clarify that. If you've another image in mind that would work better, I'm happy to switch to using it.

[edsantiago]

My question was, is fedora-minimal:34 not working? If it no longer works, can we push a new image to quay? If it still works, can we keep it?

[nalind]

I guess it will. I switched to 35 mainly because I know 34 is going EOL in a little over a month. Changing it back to 34.

[TomSweeneyRedHat]

LGTM

[TomSweeneyRedHat]

Happy green test buttons.

[edsantiago]

Isn't this just a complicated way of saying:

    local testuser="${1:-testuser}"
    local testpass="${2:-testpassword}"

[nalind]

That whole section probably makes more sense as a case statement. Reworking it.

[edsantiago]

What I don't understand is, why the special case at all?

[nalind]

It's an attempt to sort of future-proof that, but thinking on it more, it's better to just avoid needing htpasswd, so I'll drop that case.

[edsantiago]

htpasswd is already a hard requirement for the buildah-tests package, in both fedora and rhel, because a registry is already mandatory for running tests (and has been from day one).

[nalind]

If we use previously-computed hash values for passwords that we hard-code in the tests, we'll no longer need to call out to htpasswd when the tests are run. Are you saying that's harmful? I'm missing how that would be.

[edsantiago]

It's the hardcoding I most object to: although right now all tests use testuser/testpassword, we have the option (and should take advantage of it) of using randomly-generated user and password which would improve confidence in testing.

[nalind]

We check in "authenticate: cert and credentials" that we can successfully authenticate to the registry with a known-good username/password pair, and that we get an error when we intentionally supply values that we know the registry isn't configured to accept. What types of bugs do you see us catching by randomly selecting unique known-good values for each test?

[edsantiago]

Mostly my paranoia: with static values (credentials, input/output test strings) there's always a chance that you're not really testing what you think you're testing: that there's a leftover process somewhere and you're talking to it instead of the registry/httpserver/whatever that you think you're talking to. With unique values that worry is diminished.

[nalind]

Hmm, I still like the idea of reducing the set of requirements that someone needs to have installed in order to run the tests, and it turns out we can generate the hashes for passwords ourselves by wrapping the right function call. I'll add that and switch the "authenticate: cert and credentials" test to randomize them.

[edsantiago]

How about die "Error computing hashed password"?

[nalind]

That'll work. Changing it.

[edsantiago]

Likewise, die might be better

[nalind]

Changing it.

[edsantiago]

Just plain false is enough, that will abort bats for the given test

(sorry for all the single-comments; I'm just worried that this will merge too early. Feel free to batch up my comments until I say "done with review")

[nalind]

Changing it. No worries, I'll try to make sure it's all sorted before the next rebase.

[edsantiago]

likewise, false

[nalind]

Changing it.

[edsantiago]

unnecessary

[nalind]

Dropping it.

[edsantiago]

I'm not a big fan of wait-loops that simply time out without failing. If you're going to time out, I like it big & bold. Would you consider:

  # record the coprocess's ID and try to parse the listening port from the log
  # we're separating all of this from the storage for any test that might call
  # this function and using vfs to minimize the cleanup required
  REGISTRY_PID="${COPROC_PID}"
  REGISTRY_DIR="${TESTDIR}"/registry
  local waited=0
  REGISTRY_PORT=
  while [[ -z "$REGISTRY_PORT" ]]; do
    if [[ $waited -gt $BUILDAH_TIMEOUT ]]; then
      echo "Could not determine listening port from log:"
      sed -e 's/^/  >/' <${REGISTRY_DIR}/registry.log
      false
    fi
    waited=$((waited+1))

    sleep 1
    REGISTRY_PORT=$(sed -ne 's^.*listening on.*:\([0-9]\+\),.*^\1^p' <${REGISTRY_DIR}/registry.log)
  done

[nalind]

Taking this almost verbatim.

[edsantiago]

Another argument for declaring local testuser/testpass variables at function start

[edsantiago]

LGTM with a few suggestions. Thanks for doing this, it greatly simplifies our gating-test setup.

[rhatdan]

/approve
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nalind, rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [nalind,rhatdan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment