system tests: new tests

- podman network create: new test

- podman pull by-sha + podman images -a (containers#7651)

- podman image mount: new test

- podman pod: --infra-image and --infra-command (containers#7167)

For convenience and robustness, build a new testimage
containing a custom file /home/podman/testimage-id
with contents YYYYMMDD (same as image tag). The
image-mount test checks that this file exists and
has the desired content. New testimage also includes
a dummy 'pause' executable, for testing pod infra.

Updates from testimage:20200902 to :20200917

Signed-off-by: Ed Santiago <[email protected]>

test/system/010-images.bats

@@ -112,4 +112,51 @@ Labels.created_at | 20[0-9-]\\\+T[0-9:]\\\+Z
     run_podman rm  mytinycontainer
 }
 
+# Regression test for https://github.com/containers/podman/issues/7651
+# in which "podman pull image-with-sha" causes "images -a" to crash
+@test "podman images -a, after pulling by sha " {
+    # Get a baseline for 'images -a'
+    run_podman images -a
+    local images_baseline="$output"
+
+    # Get the digest of our local test image. We need to do this in two steps
+    # because 'podman inspect' only works reliably on *IMAGE ID*, not name.
+    # See https://github.com/containers/podman/issues/3761
+    run_podman inspect --format '{{.Id}}' $IMAGE
+    local iid="$output"
+    run_podman inspect --format '{{.Digest}}' $iid
+    local sha="$output"
+
+    local imgbase="${PODMAN_TEST_IMAGE_REGISTRY}/${PODMAN_TEST_IMAGE_USER}/${PODMAN_TEST_IMAGE_NAME}"
+    local fqin="${imgbase}@$sha"
+
+    # This will always pull, because even though it's the same image we
+    # already have, podman doesn't actually know that.
+    run_podman pull $fqin
+    is "$output" "Trying to pull ${fqin}\.\.\..*" "output of podman pull"
+
+    # Prior to #7654, this would crash and burn. Now podman recognizes it
+    # as the same image and, even though it internally tags it with the
+    # sha, still only shows us one image (which should be our baseline)
+    #
+    # WARNING! If this test fails, we're going to see a lot of failures
+    # in subsequent tests due to 'podman ps' showing the '@sha' tag!
+    # I choose not to add a complicated teardown() (with 'rmi @sha')
+    # because the failure window here is small, and if it fails it
+    # needs attention anyway. So if you see lots of failures, but
+    # start here because this is the first one, fix this problem.
+    # You can (probably) ignore any subsequent failures showing '@sha'
+    # in the error output.
+    run_podman images -a
+    is "$output" "$images_baseline" "images -a, after pull: same as before"
+
+    # Clean up: this should simply untag, not remove
+    run_podman rmi $fqin
+    is "$output" "Untagged: $fqin" "podman rmi untags, does not remove"
+
+    # ...and now we should still have our same image.
+    run_podman images -a
+    is "$output" "$images_baseline" "after podman rmi @sha, still the same"
+}
+
 # vim: filetype=sh

test/system/060-mount.bats

@@ -35,4 +35,34 @@ load helpers
     fi
 }
 
+
+@test "podman image mount" {
+    skip_if_remote "mounting remote is meaningless"
+    skip_if_rootless "too hard to test rootless"
+
+    # Start with clean slate
+    run_podman image umount -a
+
+    run_podman image mount $IMAGE
+    mount_path="$output"
+
+    test -d $mount_path
+
+    # Image is custom-built and has a file containing the YMD tag. Check it.
+    testimage_file="/home/podman/testimage-id"
+    test -e "$mount_path$testimage_file"
+    is $(< "$mount_path$testimage_file") "$PODMAN_TEST_IMAGE_TAG"  \
+       "Contents of $testimage_file in image"
+
+    # 'image mount', no args, tells us what's mounted
+    run_podman image mount
+    is "$output" "$IMAGE $mount_path" "podman image mount with no args"
+
+    # Clean up
+    run_podman image umount $IMAGE
+
+    run_podman image mount
+    is "$output" "" "podman image mount, no args, after umount"
+}
+
 # vim: filetype=sh

test/system/200-pod.bats

@@ -173,6 +173,19 @@ function random_ip() {
     # FIXME: --ip=$ip fails:
     #      Error adding network: failed to allocate all requested IPs
     local mac_option="--mac-address=$mac"
+
+    # Create a custom image so we can test --infra-image and -command.
+    # It will have a randomly generated infra command, using the
+    # existing 'pause' script in our testimage. We assign a bogus
+    # entrypoint to confirm that --infra-command will override.
+    local infra_image="infra_$(random_string 10 | tr A-Z a-z)"
+    local infra_command="/pause_$(random_string 10)"
+    run_podman build -t $infra_image - << EOF
+FROM $IMAGE
+RUN ln /home/podman/pause $infra_command
+ENTRYPOINT ["/original-entrypoint-should-be-overridden"]
+EOF
+
     if is_rootless; then
         mac_option=
     fi
@@ -185,12 +198,21 @@ function random_ip() {
                --dns-search "$dns_search"                \
                --dns-opt    "$dns_opt"                   \
                --publish    "$port_out:$port_in"         \
-               --label      "${labelname}=${labelvalue}"
+               --label      "${labelname}=${labelvalue}" \
+               --infra-image   "$infra_image"            \
+               --infra-command "$infra_command"
     pod_id="$output"
 
     # Check --pod-id-file
     is "$(<$pod_id_file)" "$pod_id" "contents of pod-id-file"
 
+    # Get ID of infra container
+    run_podman pod inspect --format '{{(index .Containers 0).ID}}' mypod
+    local infra_cid="$output"
+    # confirm that entrypoint is what we set
+    run_podman container inspect --format '{{.Config.Entrypoint}}' $infra_cid
+    is "$output" "$infra_command" "infra-command took effect"
+
     # Check each of the options
     if [ -n "$mac_option" ]; then
         run_podman run --rm --pod mypod $IMAGE ip link show
@@ -249,9 +271,16 @@ function random_ip() {
     run_podman logs $cid
     is "$output" "$teststring" "test string received on container"
 
+    # Finally, confirm the infra-container and -command. We run this late,
+    # not at pod creation, to give the infra container time to start & log.
+    run_podman logs $infra_cid
+    is "$output" "Confirmed: testimage pause invoked as $infra_command" \
+       "pod ran with our desired infra container + command"
+
     # Clean up
     run_podman rm $cid
     run_podman pod rm -f mypod
+    run_podman rmi $infra_image
 }
 
 # vim: filetype=sh

test/system/500-networking.bats

@@ -80,4 +80,33 @@ load helpers
     run_podman rm $cid
 }
 
+# "network create" now works rootless, with the help of a special container
+@test "podman network create" {
+    local mynetname=testnet-$(random_string 10)
+    local mysubnet=$(random_rfc1918_subnet)
+
+    run_podman network create --subnet "${mysubnet}.0/24" $mynetname
+    is "$output" ".*/cni/net.d/$mynetname.conflist" "output of 'network create'"
+
+    # WARNING: this pulls a ~100MB image from quay.io, hence is slow/flaky
+    run_podman run --rm --network $mynetname $IMAGE ip a
+    is "$output" ".* inet ${mysubnet}\.2/24 brd ${mysubnet}\.255 " \
+       "sdfsdf"
+
+    # Cannot create network with the same name
+    run_podman 125 network create $mynetname
+    is "$output" "Error: the network name $mynetname is already used" \
+       "Trying to create an already-existing network"
+
+    run_podman network rm $mynetname
+    run_podman 125 network rm $mynetname
+
+    # rootless CNI leaves behind an image pulled by SHA, hence with no tag.
+    # Remove it if present; we can only remove it by ID.
+    run_podman images --format '{{.Id}}' rootless-cni-infra
+    if [ -n "$output" ]; then
+        run_podman rmi $output
+    fi
+}
+
 # vim: filetype=sh

test/system/build-testimage

@@ -26,23 +26,51 @@ create_time_z=$(env TZ=UTC date +'%Y-%m-%dT%H:%M:%SZ')
 
 set -ex
 
+# We'll need to create a Containerfile plus various other files to add in
+#
 # Please document the reason for all flags, apk's, and anything non-obvious
+tmpdir=$(mktemp -t -d $(basename $0).tmp.XXXXXXX)
+cd $tmpdir
+
+# 'image mount' test will confirm that this file exists and has our YMD tag
+echo $YMD >testimage-id
+
+# 'pod' test will use this for --infra-command
+cat >pause <<EOF
+#!/bin/sh
 #
-#    --squash-all    : needed by 'tree' test in 070-build.bats
-#    busybox-extras  : provides httpd needed in 500-networking.bats
+# Trivial little pause script, used in one of the pod tests
 #
-podman rmi -f testimage &> /dev/null || true
-podman build --squash-all -t testimage - <<EOF
+echo Confirmed: testimage pause invoked as \$0
+while :; do
+    sleep 0.1
+done
+EOF
+chmod 755 pause
+
+# alpine because it's small and light and reliable
+# busybox-extras provides httpd needed in 500-networking.bats
+cat >Containerfile <<EOF
 FROM docker.io/library/alpine:3.12.0
 RUN apk add busybox-extras
+ADD testimage-id pause /home/podman/
 LABEL created_by=$create_script
 LABEL created_at=$create_time_z
+WORKDIR /home/podman
 CMD ["/bin/echo", "This container is intended for podman CI testing"]
 EOF
 
+# --squash-all    : needed by 'tree' test in 070-build.bats
+podman rmi -f testimage &> /dev/null || true
+podman build --squash-all -t testimage .
+
+# Clean up
+cd /tmp
+rm -rf $tmpdir
+
 # Tag and push to quay.
-podman tag testimage quay.io/edsantiago/testimage:$YMD
-podman push quay.io/edsantiago/testimage:$YMD
+podman tag testimage quay.io/libpod/testimage:$YMD
+podman push quay.io/libpod/testimage:$YMD
 
 # Side note: there should always be a testimage tagged ':00000000'
 # (eight zeroes) in the same location; this is used by tests which
@@ -54,6 +82,6 @@ podman push quay.io/edsantiago/testimage:$YMD
 #
 #    podman pull docker.io/library/busybox:1.32.0
 #    podman tag  docker.io/library/busybox:1.32.0 \
-#                quay.io/edsantiago/testimage:00000000
-#    podman push quay.io/edsantiago/testimage:00000000
+#                quay.io/libpod/testimage:00000000
+#    podman push quay.io/libpod/testimage:00000000
 #

test/system/helpers.bash

@@ -7,7 +7,7 @@ PODMAN=${PODMAN:-podman}
 PODMAN_TEST_IMAGE_REGISTRY=${PODMAN_TEST_IMAGE_REGISTRY:-"quay.io"}
 PODMAN_TEST_IMAGE_USER=${PODMAN_TEST_IMAGE_USER:-"libpod"}
 PODMAN_TEST_IMAGE_NAME=${PODMAN_TEST_IMAGE_NAME:-"testimage"}
-PODMAN_TEST_IMAGE_TAG=${PODMAN_TEST_IMAGE_TAG:-"20200902"}
+PODMAN_TEST_IMAGE_TAG=${PODMAN_TEST_IMAGE_TAG:-"20200917"}
 PODMAN_TEST_IMAGE_FQN="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/$PODMAN_TEST_IMAGE_NAME:$PODMAN_TEST_IMAGE_TAG"
 
 # Because who wants to spell that out each time?
@@ -397,6 +397,35 @@ function random_string() {
 }
 
 
+###########################
+#  random_rfc1918_subnet  #
+###########################
+#
+# Use the class B set, because much of our CI environment (Google, RH)
+# already uses up much of the class A, and it's really hard to test
+# if a block is in use.
+#
+# This returns THREE OCTETS! It is up to our caller to append .0/24, .255, &c.
+#
+function random_rfc1918_subnet() {
+    local retries=1024
+
+    while [ "$retries" -gt 0 ];do
+        local cidr=172.$(( 16 + $RANDOM % 16 )).$(( $RANDOM & 255 ))
+
+        in_use=$(ip route list | fgrep $cidr)
+        if [ -z "$in_use" ]; then
+            echo "$cidr"
+            return
+        fi
+
+        retries=$(( retries - 1 ))
+    done
+
+    die "Could not find a random not-in-use rfc1918 subnet"
+}
+
+
 #########################
 #  find_exec_pid_files  #  Returns nothing or exec_pid hash files
 #########################