Add smoke tests for encryption CLI helpers #4745
Conversation
|
Cc: @lumjjb |
|
I am not a buildah maintainer so ultimately I do not really care but this sounds like a breaking change. If you now require the option explicitly this can break existing users that depend on it. We should avoid such changes at all costs. |
|
Note #4746 as an alternative implementation approach.
Yes… but it was also, to my knowledge, never documented in Buildah to work this way. I don’t know for sure whether it was intended to work this way, or documented elsewhere to work this way. I’ll defer to @lumjjb on that.
I don’t think we have a general obligation to be bug-for-bug-compatible, and I would fairly strongly push against being bug-for-bug-compatible “at all costs”. Still, it’s a valid concern. I can imagine changing Most of the diagnosis and discussion has been in containers/podman#18196 , and there are two Buildah PRs in flight. Let’s concentrate the design discussion in the Podman containers/podman#18196 issue, for now. |
mtrmac
force-pushed
the
explicit-decrypt
branch
from
470cbcb to
49d0d54
Compare
Thanks for pointing that out. Actually I would expect some of the existing tests to fail with a different error message, so bypassing that for now to see the real failures… |
mtrmac
force-pushed
the
explicit-decrypt
branch
from
49d0d54 to
2e92317
Compare
|
I am fine with making them consistent since buildah vendored into Podman means podman build works differently then podman pull. |
|
Anyway to add a warning? I.e. if the environment points at keys, but the option is not specified, then print a warning message? IDK for sure that we would want to do that, but just wondering. |
If the image isn’t encrypted, we probably wouldn’t want to warn:
OTOH if the image is encrypted and we no longer decrypt by default, |
mtrmac
force-pushed
the
explicit-decrypt
branch
from
2e92317 to
e795044
Compare
tests/from.bats
Outdated
| @@ -427,8 +427,8 @@ load helpers | |||
| run_buildah push $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword --encryption-key jwe:${TEST_SCRATCH_DIR}/tmp/mykey.pub busybox oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc | |||
|
|
|||
| # Try encrypted image without key should fail | |||
| run_buildah 125 from oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc | |||
| expect_output --substring "decrypting layer .* missing private key needed for decryption" | |||
| run_buildah 1 from oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc | |||
There was a problem hiding this comment.
This exit code changes because the error stack, ultimately, contains an exec.ExitError from invoking an untar subprocess; and the top level of Buildah checks for exec.ExitError, and returns that exit code.
One can read that as a failure of the Go error wrapping design… or, alternatively, as Builder’s main matching too loosely if it wants only specific subprocesses’ exit codes to be returned unmodified.
AFAICS the exit code from Buildah is, apart from buildah manifest exists, not documented, so this PR just changes tests to accept the status 1. If we do actually commit (whether in documentation in or in practice) to returning 125 on unspecific failures, and this needs to be made more precise, please let me know (and also define which subprocess invocations that could fail with ExitError should be propagated.)
|
We only document the exit codes for the run commands, I believe. The question is do we take this PR and leave multiple implementation of the same code, or take mine and vendor the code into Podman. |
|
I think the primary question is whether we want this; as @Luap99 points out, this might be a compatibility break. If we do want this, I completely agree that sharing the code, per your PR, is the better approach — consider using the test updates from here, to make it pass. |
|
I don't see this as an important breaking change, since having it two different ways within Podman is more important. |
mtrmac
force-pushed
the
explicit-decrypt
branch
from
e795044 to
1bb65e2
Compare
|
A friendly reminder that this PR had no activity for 30 days. |
|
(I think the consensus is to prefer #4746 … except that it doesn’t build.) |
openshift-merge-robot
added
the
needs-rebase
Signed-off-by: Miloslav Trmač <[email protected]>
openshift-merge-robot
removed
the
needs-rebase
mtrmac
changed the title
|
#4746 has implemented the primary (and better) fix; this now just carries the remaining unit tests. |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mtrmac, rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/hold cancel |
What type of PR is this?
What this PR does / why we need it:
A non-
nilbut empty decryption configuration seems to be valid enough to trigger decryption in some configurations, per containers/podman#18196 .Like in Skopeo and Podman, only decrypt when the user explicitly instructs us to (e.g. not triggering decryption based on environment variables).
How to verify it
Manually, I guess.
Which issue(s) this PR fixes:
None
Special notes for your reviewer:
Does this PR introduce a user-facing change?