integration tests: learn to start a dummy registry

Makefile

@@ -37,7 +37,7 @@ LIBSECCOMP_COMMIT := release-2.3
 
 EXTRA_LDFLAGS ?=
 BUILDAH_LDFLAGS := $(GO_LDFLAGS) '-X main.GitCommit=$(GIT_COMMIT) -X main.buildInfo=$(SOURCE_DATE_EPOCH) -X main.cniVersion=$(CNI_COMMIT) $(EXTRA_LDFLAGS)'
-SOURCES=*.go imagebuildah/*.go bind/*.go chroot/*.go copier/*.go define/*.go docker/*.go manifests/*.go pkg/chrootuser/*.go pkg/cli/*.go pkg/completion/*.go pkg/formats/*.go pkg/overlay/*.go pkg/parse/*.go pkg/rusage/*.go pkg/sshagent/*.go pkg/umask/*.go pkg/util/*.go util/*.go
+SOURCES=*.go imagebuildah/*.go bind/*.go chroot/*.go copier/*.go define/*.go docker/*.go internal/parse/*.go internal/source/*.go internal/util/*.go manifests/*.go pkg/chrootuser/*.go pkg/cli/*.go pkg/completion/*.go pkg/formats/*.go pkg/overlay/*.go pkg/parse/*.go pkg/rusage/*.go pkg/sshagent/*.go pkg/umask/*.go pkg/util/*.go util/*.go
 
 LINTFLAGS ?=
 

cmd/buildah/passwd.go

@@ -0,0 +1,34 @@
+package main
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/crypto/bcrypt"
+)
+
+var (
+	passwdDescription = `Generate a password hash using golang.org/x/crypto/bcrypt.`
+	passwdCommand     = &cobra.Command{
+		Use:     "passwd",
+		Short:   "Generate a password hash",
+		Long:    passwdDescription,
+		RunE:    passwdCmd,
+		Example: `buildah passwd testpassword`,
+		Args:    cobra.ExactArgs(1),
+		Hidden:  true,
+	}
+)
+
+func passwdCmd(c *cobra.Command, args []string) error {
+	passwd, err := bcrypt.GenerateFromPassword([]byte(args[0]), bcrypt.DefaultCost)
+	if err != nil {
+		return err
+	}
+	fmt.Println(string(passwd))
+	return nil
+}
+
+func init() {
+	rootCmd.AddCommand(passwdCommand)
+}

internal/parse/parse.go

@@ -38,7 +38,7 @@ var (
 	errBadOptionArg  = errors.New("must provide an argument for option")
 	errBadVolDest    = errors.New("must set volume destination")
 	errBadVolSrc     = errors.New("must set volume source")
-	errDuplicateDest = errors.Errorf("duplicate mount destination")
+	errDuplicateDest = errors.New("duplicate mount destination")
 )
 
 // GetBindMount parses a single bind mount entry from the --mount flag.

tests/authenticate.bats

@@ -3,110 +3,112 @@
 load helpers
 
 @test "authenticate: login/logout" {
-  run_buildah 0 login --username testuserfoo --password testpassword docker.io
+  start_registry testuserfoo testpassword
 
-  run_buildah 0 logout docker.io
+  run_buildah 0 login --cert-dir $REGISTRY_DIR --username testuserfoo --password testpassword localhost:$REGISTRY_PORT
+
+  run_buildah 0 logout localhost:$REGISTRY_PORT
 }
 
 @test "authenticate: login/logout should succeed with XDG_RUNTIME_DIR unset" {
   unset XDG_RUNTIME_DIR
-  run_buildah 0 login --username testuserfoo --password testpassword docker.io
 
-  run_buildah 0 logout docker.io
+  start_registry testuserfoo testpassword
+
+  run_buildah 0 login --cert-dir $REGISTRY_DIR --username testuserfoo --password testpassword localhost:$REGISTRY_PORT
+
+  run_buildah 0 logout localhost:$REGISTRY_PORT
 }
 
 @test "authenticate: logout should fail with nonexistent authfile" {
-  run_buildah 0 login --username testuserfoo --password testpassword docker.io
+  start_registry testuserfoo testpassword
 
-  run_buildah 125 logout --authfile /tmp/nonexistent docker.io
+  run_buildah 0 login --cert-dir $REGISTRY_DIR --username testuserfoo --password testpassword localhost:$REGISTRY_PORT
+
+  run_buildah 125 logout --authfile /tmp/nonexistent localhost:$REGISTRY_PORT
   expect_output "checking authfile: stat /tmp/nonexistent: no such file or directory"
 
-  run_buildah 0 logout docker.io
+  run_buildah 0 logout localhost:$REGISTRY_PORT
 }
 
 @test "authenticate: cert and credentials" {
-
   _prefetch alpine
 
+  testuser="testuser$RANDOM"
+  testpassword="testpassword$RANDOM"
+  start_registry "$testuser" "$testpassword"
+
   # Basic test: should pass
-  run_buildah push --signature-policy ${TESTSDIR}/policy.json --tls-verify=false --creds testuser:testpassword alpine localhost:5000/my-alpine
+  run_buildah push --cert-dir $REGISTRY_DIR --signature-policy ${TESTSDIR}/policy.json --tls-verify=false --creds "$testuser":"$testpassword" alpine localhost:$REGISTRY_PORT/my-alpine
   expect_output --substring "Writing manifest to image destination"
 
   # With tls-verify=true, should fail due to self-signed cert
-  # The magic GODEBUG is needed for RHEL on 2021-01-20. Without it,
-  # we get the following error instead of 'unknown authority':
-  #   x509: certificate relies on legacy Common Name field, use SANs or [...]
-  # It is possible that this is a temporary workaround, and Go
-  # may remove it without notice. We'll deal with that then.
-  GODEBUG=x509ignoreCN=0 run_buildah 125 push  --signature-policy ${TESTSDIR}/policy.json --tls-verify=true alpine localhost:5000/my-alpine
+  run_buildah 125 push --signature-policy ${TESTSDIR}/policy.json --tls-verify=true alpine localhost:$REGISTRY_PORT/my-alpine
   expect_output --substring " x509: certificate signed by unknown authority" \
                 "push with --tls-verify=true"
 
   # wrong credentials: should fail
-  run_buildah 125 from --signature-policy ${TESTSDIR}/policy.json --tls-verify=false --creds baduser:badpassword localhost:5000/my-alpine
+  run_buildah 125 from --cert-dir $REGISTRY_DIR --signature-policy ${TESTSDIR}/policy.json --creds baduser:badpassword localhost:$REGISTRY_PORT/my-alpine
+  expect_output --substring "unauthorized: authentication required"
+  run_buildah 125 from --cert-dir $REGISTRY_DIR --signature-policy ${TESTSDIR}/policy.json --creds "$testuser":badpassword localhost:$REGISTRY_PORT/my-alpine
+  expect_output --substring "unauthorized: authentication required"
+  run_buildah 125 from --cert-dir $REGISTRY_DIR --signature-policy ${TESTSDIR}/policy.json --creds baduser:"$testpassword" localhost:$REGISTRY_PORT/my-alpine
   expect_output --substring "unauthorized: authentication required"
 
   # This should work
-  run_buildah from --name "my-alpine-work-ctr" --signature-policy ${TESTSDIR}/policy.json --tls-verify=false --creds testuser:testpassword localhost:5000/my-alpine
+  run_buildah from --cert-dir $REGISTRY_DIR --name "my-alpine-work-ctr" --signature-policy ${TESTSDIR}/policy.json --creds "$testuser":"$testpassword" localhost:$REGISTRY_PORT/my-alpine
   expect_output --from="${lines[-1]}" "my-alpine-work-ctr"
 
   # Create Dockerfile for bud tests
   mkdir -p ${TESTDIR}/dockerdir
   DOCKERFILE=${TESTDIR}/dockerdir/Dockerfile
   /bin/cat <<EOM >$DOCKERFILE
-FROM localhost:5000/my-alpine
+FROM localhost:$REGISTRY_PORT/my-alpine
 EOM
 
   # Remove containers and images before bud tests
   run_buildah rm --all
   run_buildah rmi -f --all
 
   # bud test bad password should fail
-  run_buildah 125 bud -f $DOCKERFILE --signature-policy ${TESTSDIR}/policy.json --tls-verify=false --creds=testuser:badpassword
+  run_buildah 125 bud -f $DOCKERFILE --signature-policy ${TESTSDIR}/policy.json --tls-verify=false --creds="$testuser":badpassword
   expect_output --substring "unauthorized: authentication required" \
                 "buildah bud with wrong credentials"
 
   # bud test this should work
-  run_buildah bud -f $DOCKERFILE --signature-policy ${TESTSDIR}/policy.json --tls-verify=false --creds=testuser:testpassword .
-  expect_output --from="${lines[0]}" "STEP 1/1: FROM localhost:5000/my-alpine"
+  run_buildah bud -f $DOCKERFILE --signature-policy ${TESTSDIR}/policy.json --tls-verify=false --creds="$testuser":"$testpassword" .
+  expect_output --from="${lines[0]}" "STEP 1/1: FROM localhost:$REGISTRY_PORT/my-alpine"
   expect_output --substring "Writing manifest to image destination"
 }
 
 
 @test "authenticate: with --tls-verify=true" {
-  if [ -z "$BUILDAH_AUTHDIR" ]; then
-    # Special case: in Cirrus, the registry auth dir is hardcoded
-    if [ -n "$CIRRUS_CI" -a -e "$HOME/auth/domain.cert" ]; then
-      BUILDAH_AUTHDIR="$HOME/auth"
-    else
-      skip "\$BUILDAH_AUTHDIR undefined"
-    fi
-  fi
-
   _prefetch alpine
 
+  start_registry
+
   # Push with correct credentials: should pass
-  run_buildah push --signature-policy ${TESTSDIR}/policy.json --tls-verify=true --cert-dir=$BUILDAH_AUTHDIR --creds testuser:testpassword alpine localhost:5000/my-alpine
+  run_buildah push --signature-policy ${TESTSDIR}/policy.json --tls-verify=true --cert-dir=$REGISTRY_DIR --creds testuser:testpassword alpine localhost:$REGISTRY_PORT/my-alpine
   expect_output --substring "Writing manifest to image destination"
 
   # Push with wrong credentials: should fail
-  run_buildah 125 push --signature-policy ${TESTSDIR}/policy.json --tls-verify=true --cert-dir=$BUILDAH_AUTHDIR --creds testuser:WRONGPASSWORD alpine localhost:5000/my-alpine
+  run_buildah 125 push --signature-policy ${TESTSDIR}/policy.json --tls-verify=true --cert-dir=$REGISTRY_DIR --creds testuser:WRONGPASSWORD alpine localhost:$REGISTRY_PORT/my-alpine
   expect_output --substring "unauthorized: authentication required"
 
   # Make sure we can fetch it
-  run_buildah from --pull-always --cert-dir=$BUILDAH_AUTHDIR --tls-verify=true --creds=testuser:testpassword localhost:5000/my-alpine
+  run_buildah from --pull-always --cert-dir=$REGISTRY_DIR --tls-verify=true --creds=testuser:testpassword localhost:$REGISTRY_PORT/my-alpine
   expect_output --from="${lines[-1]}" "localhost-working-container"
   cid="${lines[-1]}"
 
   # Commit with correct credentials
   run_buildah run $cid touch testfile
-  run_buildah commit --signature-policy ${TESTSDIR}/policy.json --cert-dir=$BUILDAH_AUTHDIR --tls-verify=true --creds=testuser:testpassword $cid docker://localhost:5000/my-alpine
+  run_buildah commit --signature-policy ${TESTSDIR}/policy.json --cert-dir=$REGISTRY_DIR --tls-verify=true --creds=testuser:testpassword $cid docker://localhost:$REGISTRY_PORT/my-alpine
 
   # Create Dockerfile for bud tests
   mkdir -p ${TESTDIR}/dockerdir
   DOCKERFILE=${TESTDIR}/dockerdir/Dockerfile
   /bin/cat <<EOM >$DOCKERFILE
-FROM localhost:5000/my-alpine
+FROM localhost:$REGISTRY_PORT/my-alpine
 RUN rm testfile
 EOM
 
@@ -115,30 +117,32 @@ EOM
   run_buildah rmi -f --all
 
   # bud with correct credentials
-  run_buildah bud -f $DOCKERFILE --signature-policy ${TESTSDIR}/policy.json --cert-dir=$BUILDAH_AUTHDIR --tls-verify=true --creds=testuser:testpassword .
-  expect_output --from="${lines[0]}" "STEP 1/2: FROM localhost:5000/my-alpine"
+  run_buildah bud -f $DOCKERFILE --signature-policy ${TESTSDIR}/policy.json --cert-dir=$REGISTRY_DIR --tls-verify=true --creds=testuser:testpassword .
+  expect_output --from="${lines[0]}" "STEP 1/2: FROM localhost:$REGISTRY_PORT/my-alpine"
   expect_output --substring "Writing manifest to image destination"
 }
 
 
 @test "authenticate: with cached (not command-line) credentials" {
   _prefetch alpine
 
-  run_buildah 0 login --tls-verify=false --username testuser --password testpassword localhost:5000
+  start_registry
+
+  run_buildah 0 login --tls-verify=false --username testuser --password testpassword localhost:$REGISTRY_PORT
   expect_output "Login Succeeded!"
 
   # After login, push should pass
-  run_buildah push --signature-policy ${TESTSDIR}/policy.json --tls-verify=false alpine localhost:5000/my-alpine
+  run_buildah push --signature-policy ${TESTSDIR}/policy.json --tls-verify=false alpine localhost:$REGISTRY_PORT/my-alpine
   expect_output --substring "Storing signatures"
 
-  run_buildah 125 login --tls-verify=false --username testuser --password WRONGPASSWORD localhost:5000
-  expect_output 'error logging into "localhost:5000": invalid username/password' \
+  run_buildah 125 login --tls-verify=false --username testuser --password WRONGPASSWORD localhost:$REGISTRY_PORT
+  expect_output 'error logging into "localhost:'"$REGISTRY_PORT"'": invalid username/password' \
                 "buildah login, wrong credentials"
 
-  run_buildah 0 logout localhost:5000
-  expect_output "Removed login credentials for localhost:5000"
+  run_buildah 0 logout localhost:$REGISTRY_PORT
+  expect_output "Removed login credentials for localhost:$REGISTRY_PORT"
 
-  run_buildah 125 push --signature-policy ${TESTSDIR}/policy.json --tls-verify=false alpine localhost:5000/my-alpine
+  run_buildah 125 push --signature-policy ${TESTSDIR}/policy.json --tls-verify=false alpine localhost:$REGISTRY_PORT/my-alpine
   expect_output --substring "unauthorized: authentication required" \
                 "buildah push after buildah logout"
 }

tests/bud.bats

@@ -2574,15 +2574,17 @@ EOM
   openssl genrsa -out ${TESTDIR}/tmp/mykey.pem 1024
   openssl genrsa -out ${TESTDIR}/tmp/mykey2.pem 1024
   openssl rsa -in ${TESTDIR}/tmp/mykey.pem -pubout > ${TESTDIR}/tmp/mykey.pub
-  run_buildah push --signature-policy ${TESTSDIR}/policy.json --tls-verify=false --creds testuser:testpassword --encryption-key jwe:${TESTDIR}/tmp/mykey.pub busybox docker://localhost:5000/buildah/busybox_encrypted:latest
+  start_registry
+  run_buildah push --signature-policy ${TESTSDIR}/policy.json --tls-verify=false --creds testuser:testpassword --encryption-key jwe:${TESTDIR}/tmp/mykey.pub busybox docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest
 
   target=busybox-image
+  echo FROM localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest > ${TESTDIR}/tmp/Dockerfile
   # Try to build from encrypted image without key
-  run_buildah 125 build --signature-policy ${TESTSDIR}/policy.json --tls-verify=false  --creds testuser:testpassword -t ${target} -f ${TESTSDIR}/bud/from-encrypted-image/Dockerfile
+  run_buildah 125 build --signature-policy ${TESTSDIR}/policy.json --tls-verify=false  --creds testuser:testpassword -t ${target} -f ${TESTDIR}/tmp/Dockerfile
   # Try to build from encrypted image with wrong key
-  run_buildah 125 build --signature-policy ${TESTSDIR}/policy.json --tls-verify=false  --creds testuser:testpassword --decryption-key ${TESTDIR}/tmp/mykey2.pem -t ${target} -f ${TESTSDIR}/bud/from-encrypted-image/Dockerfile
+  run_buildah 125 build --signature-policy ${TESTSDIR}/policy.json --tls-verify=false  --creds testuser:testpassword --decryption-key ${TESTDIR}/tmp/mykey2.pem -t ${target} -f ${TESTDIR}/tmp/Dockerfile
   # Try to build with the correct key
-  run_buildah build --signature-policy ${TESTSDIR}/policy.json --tls-verify=false  --creds testuser:testpassword --decryption-key ${TESTDIR}/tmp/mykey.pem -t ${target} -f ${TESTSDIR}/bud/from-encrypted-image/Dockerfile
+  run_buildah build --signature-policy ${TESTSDIR}/policy.json --tls-verify=false  --creds testuser:testpassword --decryption-key ${TESTDIR}/tmp/mykey.pem -t ${target} -f ${TESTDIR}/tmp/Dockerfile
 
   rm -rf ${TESTDIR}/tmp
 }
@@ -3047,17 +3049,18 @@ _EOF
 
 @test "bud --authfile" {
   _prefetch alpine
-  run_buildah login --tls-verify=false --authfile ${TESTDIR}/test.auth --username testuser --password testpassword localhost:5000
-  run_buildah push --signature-policy ${TESTSDIR}/policy.json --tls-verify=false --authfile ${TESTDIR}/test.auth alpine docker://localhost:5000/buildah/alpine
+  start_registry
+  run_buildah login --tls-verify=false --authfile ${TESTDIR}/test.auth --username testuser --password testpassword localhost:${REGISTRY_PORT}
+  run_buildah push --signature-policy ${TESTSDIR}/policy.json --tls-verify=false --authfile ${TESTDIR}/test.auth alpine docker://localhost:${REGISTRY_PORT}/buildah/alpine
 
   mytmpdir=${TESTDIR}/my-dir
   mkdir -p ${mytmpdir}
   cat > $mytmpdir/Containerfile << _EOF
-FROM localhost:5000/buildah/alpine
+FROM localhost:${REGISTRY_PORT}/buildah/alpine
 RUN touch /test
 _EOF
   run_buildah build -t myalpine --authfile ${TESTDIR}/test.auth --tls-verify=false --signature-policy ${TESTSDIR}/policy.json --file ${mytmpdir} .
-  run_buildah rmi localhost:5000/buildah/alpine
+  run_buildah rmi localhost:${REGISTRY_PORT}/buildah/alpine
   run_buildah rmi myalpine
 }
 
@@ -3571,12 +3574,12 @@ _EOF
   # assume that emulation for other architectures is in place.
   os=`go env GOOS`
   run_buildah from --signature-policy ${TESTSDIR}/policy.json --name try-386 --platform=$os/386 alpine
-  run buildah run try-386 true
+  run_buildah '?' run try-386 true
   if test $status -ne 0 ; then
     skip "unable to run 386 container, assuming emulation is not available"
   fi
   run_buildah from --signature-policy ${TESTSDIR}/policy.json --name try-arm --platform=$os/arm alpine
-  run buildah run try-arm true
+  run_buildah '?' run try-arm true
   if test $status -ne 0 ; then
     skip "unable to run arm container, assuming emulation is not available"
   fi
@@ -3607,12 +3610,12 @@ _EOF
     skip "test Dockerfile is ubi, we can't run it"
   fi
   run_buildah from --signature-policy ${TESTSDIR}/policy.json --name try-386 --platform=$os/386 alpine
-  run buildah run try-386 true
+  run_buildah '?' run try-386 true
   if test $status -ne 0 ; then
     skip "unable to run 386 container, assuming emulation is not available"
   fi
   run_buildah from --signature-policy ${TESTSDIR}/policy.json --name try-arm --platform=$os/arm alpine
-  run buildah run try-arm true
+  run_buildah '?' run try-arm true
   if test $status -ne 0 ; then
     skip "unable to run arm container, assuming emulation is not available"
   fi
@@ -3714,18 +3717,15 @@ _EOF
 
 @test "bud with run should not leave mounts behind cleanup test" {
   skip_if_in_container
-  run which podman
-  if [[ $status -ne 0 ]]; then
-    skip "podman is not installed"
-  fi
+  skip_if_no_podman
 
   # Create target dir where we will export tar
   target=cleanable
   mkdir ${TESTDIR}/${target}
 
   # Build and export container to tar
   run_buildah build --no-cache --signature-policy ${TESTSDIR}/policy.json -t ${target} -f ${TESTSDIR}/bud/containerfile/Containerfile.in ${TESTSDIR}/bud/containerfile
-  podman export $(podman create --name ${target} ${target}) --output=${TESTDIR}/${target}.tar
+  podman export $(podman create --name ${target} --net=host ${target}) --output=${TESTDIR}/${target}.tar
 
   # We are done exporting so remove images and containers which are not needed
   podman rm -f ${target}
@@ -3740,18 +3740,15 @@ _EOF
 
 @test "bud with custom files in /run/ should persist cleanup test" {
   skip_if_in_container
-  run which podman
-  if [[ $status -ne 0 ]]; then
-    skip "podman is not installed"
-  fi
+  skip_if_no_podman
 
   # Create target dir where we will export tar
   target=cleanable
   mkdir ${TESTDIR}/${target}
 
   # Build and export container to tar
   run_buildah build --no-cache --signature-policy ${TESTSDIR}/policy.json -t ${target} -f ${TESTSDIR}/bud/add-run-dir
-  podman export $(podman create --name ${target} ${target}) --output=${TESTDIR}/${target}.tar
+  podman export $(podman create --name ${target} --net=host ${target}) --output=${TESTDIR}/${target}.tar
 
   # We are done exporting so remove images and containers which are not needed
   podman rm -f ${target}