github.com/containers/podman/v5@v5.1.0-rc1/test/system/255-auto-update.bats (about) 1 #!/usr/bin/env bats -*- bats -*- 2 # 3 # Tests for automatically update images for containerized services 4 # 5 6 load helpers 7 load helpers.network 8 load helpers.registry 9 load helpers.systemd 10 11 export SNAME_FILE 12 13 function setup() { 14 skip_if_remote "systemd tests are meaningless over remote" 15 basic_setup 16 17 SNAME_FILE=${PODMAN_TMPDIR}/services 18 } 19 20 function teardown() { 21 if [[ -e $SNAME_FILE ]]; then 22 while read line; do 23 if [[ "$line" =~ "podman-auto-update" ]]; then 24 echo "Stop timer: $line.timer" 25 systemctl stop $line.timer 26 systemctl disable $line.timer 27 else 28 systemctl stop $line 29 fi 30 rm -f $UNIT_DIR/$line.{service,timer} 31 done < $SNAME_FILE 32 33 rm -f $SNAME_FILE 34 fi 35 SNAME_FILE= 36 37 run_podman rmi -f \ 38 quay.io/libpod/alpine:latest \ 39 quay.io/libpod/busybox:latest \ 40 quay.io/libpod/localtest:latest \ 41 quay.io/libpod/autoupdatebroken:latest \ 42 quay.io/libpod/test:latest 43 44 # The rollback tests may leave some dangling images behind, so let's prune 45 # them to leave a clean state. 46 run_podman image prune -f 47 basic_teardown 48 } 49 50 # This functions is used for handle the basic step in auto-update related 51 # tests. Including following steps: 52 # 1. Generate a random container name and echo it to output. 53 # 2. Tag the fake image before test 54 # 3. Start a container with io.containers.autoupdate 55 # 4. Generate the service file from the container 56 # 5. Remove the origin container 57 # 6. Start the container from service 58 # 7. Use this fully-qualified image instead of 2) 59 function generate_service() { 60 local target_img_basename=$1 61 local autoupdate=$2 62 local command=$3 63 local extraArgs=$4 64 local noTag=$5 65 local requires=$6 66 67 # Unless specified, set a default command. 68 if [[ -z "$command" ]]; then 69 command="top -d 120" 70 fi 71 72 # Container name. Include the autoupdate type, to make debugging easier. 73 # IMPORTANT: variable 'cname' is passed (out of scope) up to caller! 74 cname=c_${autoupdate//\'/}_$(random_string) 75 target_img="quay.io/libpod/$target_img_basename:latest" 76 if [[ -n "$7" ]]; then 77 target_img="$7" 78 fi 79 80 if [[ -z "$noTag" ]]; then 81 run_podman tag $IMAGE $target_img 82 fi 83 84 if [[ -n "$autoupdate" ]]; then 85 label="--label io.containers.autoupdate=$autoupdate" 86 else 87 label="" 88 fi 89 90 if [[ -n "$requires" ]]; then 91 requires="--requires=$requires" 92 fi 93 94 run_podman create $extraArgs --name $cname $label $target_img $command 95 96 (cd $UNIT_DIR; run_podman generate systemd --new --files --name $requires $cname) 97 echo "container-$cname" >> $SNAME_FILE 98 run_podman rm -t 0 -f $cname 99 100 systemctl daemon-reload 101 systemctl_start container-$cname 102 systemctl status container-$cname 103 104 # Original image ID. 105 # IMPORTANT: variable 'ori_image' is passed (out of scope) up to caller! 106 run_podman inspect --format "{{.Image}}" $cname 107 ori_image=$output 108 } 109 110 function _wait_service_ready() { 111 local sname=$1 112 113 local timeout=6 114 while [[ $timeout -gt 1 ]]; do 115 if systemctl -q is-active $sname; then 116 return 117 fi 118 sleep 1 119 let timeout=$timeout-1 120 done 121 122 # Print service status as debug information before failed the case 123 systemctl status $sname 124 die "Timed out waiting for $sname to start" 125 } 126 127 # Wait for container to update, as confirmed by its image ID changing 128 function _confirm_update() { 129 local cname=$1 130 local old_iid=$2 131 132 # Image has already been pulled, so this shouldn't take too long 133 local timeout=10 134 while [[ $timeout -gt 0 ]]; do 135 sleep 1 136 run_podman '?' inspect --format "{{.Image}}" $cname 137 if [[ $status != 0 ]]; then 138 if [[ $output =~ (no such object|does not exist in database): ]]; then 139 # this is ok, it just means the container is being restarted 140 : 141 else 142 die "podman inspect $cname failed unexpectedly" 143 fi 144 elif [[ $output != $old_iid ]]; then 145 return 146 fi 147 timeout=$((timeout - 1)) 148 done 149 150 die "Timed out waiting for $cname to update; old IID=$old_iid" 151 } 152 153 @test "podman auto-update - validate input" { 154 # Fully-qualified image reference is required 155 run_podman create --label io.containers.autoupdate=registry $IMAGE 156 run_podman rm -f "$output" 157 158 # Short name does not work 159 shortname="shortname:latest" 160 run_podman image tag $IMAGE $shortname 161 run_podman 125 create --label io.containers.autoupdate=registry $shortname 162 is "$output" "Error: short name: auto updates require fully-qualified image reference: \"$shortname\"" 163 164 # Requires docker (or no) transport 165 archive=$PODMAN_TMPDIR/archive.tar 166 run_podman save -o $archive $IMAGE 167 run_podman 125 create --label io.containers.autoupdate=registry docker-archive:$archive 168 is "$output" ".*Error: auto updates require the docker image transport but image is of transport \"docker-archive\"" 169 170 run_podman rmi $shortname 171 } 172 173 # This test can fail in dev. environment because of SELinux. 174 # quick fix: chcon -t container_runtime_exec_t ./bin/podman 175 @test "podman auto-update - label io.containers.autoupdate=image" { 176 since=$(date --iso-8601=seconds) 177 run_podman auto-update 178 is "$output" "" 179 run_podman events --filter type=system --since $since --stream=false 180 is "$output" "" 181 182 # Generate two units. The first "parent" to be auto updated, the second 183 # "child" depends on/requires the "parent" and is expected to get restarted 184 # as well on auto updates (regression test for #18926). 185 generate_service alpine image 186 ctr_parent=$cname 187 _wait_service_ready container-$ctr_parent.service 188 189 generate_service alpine image "" "" "" "container-$ctr_parent.service" 190 ctr_child=$cname 191 _wait_service_ready container-$ctr_child.service 192 run_podman container inspect --format "{{.ID}}" $ctr_child 193 old_child_id=$output 194 195 since=$(date --iso-8601=seconds) 196 run_podman auto-update --dry-run --format "{{.Unit}},{{.Image}},{{.Updated}},{{.Policy}}" 197 is "$output" ".*container-$ctr_parent.service,quay.io/libpod/alpine:latest,pending,registry.*" "Image update is pending." 198 run_podman events --filter type=system --since $since --stream=false 199 is "$output" ".* system auto-update" 200 201 since=$(date --iso-8601=seconds) 202 run_podman auto-update --rollback=false --format "{{.Unit}},{{.Image}},{{.Updated}},{{.Policy}}" 203 is "$output" "Trying to pull.*" "Image is updated." 204 is "$output" ".*container-$ctr_parent.service,quay.io/libpod/alpine:latest,true,registry.*" "Image is updated." 205 run_podman events --filter type=system --since $since --stream=false 206 is "$output" ".* system auto-update" 207 208 # Confirm that the update was successful and that the child container/unit 209 # has been restarted as well. 210 _confirm_update $ctr_parent $ori_image 211 run_podman container inspect --format "{{.ID}}" $ctr_child 212 assert "$output" != "$old_child_id" \ 213 "child container/unit has not been restarted during update" 214 run_podman container inspect --format "{{.ID}}" $ctr_child 215 run_podman container inspect --format "{{.State.Status}}" $ctr_child 216 is "$output" "running" "child container is in running state" 217 } 218 219 @test "podman auto-update - label io.containers.autoupdate=image with rollback" { 220 # FIXME: this test should exercise the authfile label to have a regression 221 # test for #11171. 222 223 # Note: the autoupdatebroken image is empty on purpose so it cannot be 224 # executed and force a rollback. The rollback test for the local policy 225 # is exercising the case where the container doesn't send a ready message. 226 image=quay.io/libpod/autoupdatebroken 227 228 run_podman tag $IMAGE $image 229 generate_service autoupdatebroken image 230 231 _wait_service_ready container-$cname.service 232 run_podman auto-update --dry-run --format "{{.Unit}},{{.Image}},{{.Updated}},{{.Policy}}" 233 is "$output" ".*container-$cname.service,$image:latest,pending,registry.*" "Image update is pending." 234 235 run_podman container inspect --format "{{.Image}}" $cname 236 oldID="$output" 237 238 run_podman inspect --format "{{.ID}}" $cname 239 containerID="$output" 240 241 run_podman auto-update --format "{{.Unit}},{{.Image}},{{.Updated}},{{.Policy}}" 242 is "$output" "Trying to pull.*" "Image is updated." 243 is "$output" ".*container-$cname.service,$image:latest,rolled back,registry.*" "Image has been rolled back." 244 245 run_podman container inspect --format "{{.Image}}" $cname 246 is "$output" "$oldID" "container rolled back to previous image" 247 248 run_podman container inspect --format "{{.ID}}" $cname 249 assert "$output" != "$containerID" \ 250 "container has not been restarted during rollback" 251 } 252 253 @test "podman auto-update - label io.containers.autoupdate=disabled" { 254 generate_service alpine disabled 255 256 _wait_service_ready container-$cname.service 257 run_podman auto-update 258 is "$output" "" "Image is not updated when autoupdate=disabled." 259 260 run_podman inspect --format "{{.Image}}" $cname 261 is "$output" "$ori_image" "Image ID should not change" 262 } 263 264 @test "podman auto-update - label io.containers.autoupdate=fakevalue" { 265 fakevalue=fake_$(random_string) 266 generate_service alpine $fakevalue 267 268 _wait_service_ready container-$cname.service 269 run_podman 125 auto-update 270 is "$output" ".*invalid auto-update policy.*" "invalid policy setup" 271 272 run_podman inspect --format "{{.Image}}" $cname 273 is "$output" "$ori_image" "Image ID should not change" 274 } 275 276 @test "podman auto-update - label io.containers.autoupdate=local" { 277 generate_service localtest local 278 _wait_service_ready container-$cname.service 279 280 image=quay.io/libpod/localtest:latest 281 run_podman commit --change CMD=/bin/bash $cname $image 282 run_podman image inspect --format "{{.ID}}" $image 283 284 run_podman auto-update --dry-run --format "{{.Unit}},{{.Image}},{{.Updated}},{{.Policy}}" 285 is "$output" ".*container-$cname.service,quay.io/libpod/localtest:latest,pending,local.*" "Image update is pending." 286 287 run_podman auto-update --rollback=false --format "{{.Unit}},{{.Image}},{{.Updated}},{{.Policy}}" 288 is "$output" ".*container-$cname.service,quay.io/libpod/localtest:latest,true,local.*" "Image is updated." 289 290 _confirm_update $cname $ori_image 291 } 292 293 # This test can fail in dev. environment because of SELinux. 294 # quick fix: chcon -t container_runtime_exec_t ./bin/podman 295 @test "podman auto-update - label io.containers.autoupdate=local with rollback" { 296 # sdnotify fails with runc 1.0.0-3-dev2 on Ubuntu. Let's just 297 # assume that we work only with crun, nothing else. 298 # [copied from 260-sdnotify.bats] 299 runtime=$(podman_runtime) 300 if [[ "$runtime" != "crun" ]]; then 301 skip "this test only works with crun, not $runtime" 302 fi 303 304 _prefetch $SYSTEMD_IMAGE 305 306 dockerfile1=$PODMAN_TMPDIR/Dockerfile.1 307 cat >$dockerfile1 <<EOF 308 FROM $SYSTEMD_IMAGE 309 RUN echo -e "#!/bin/sh\n\ 310 printenv NOTIFY_SOCKET; echo READY; systemd-notify --ready;\n\ 311 trap 'echo Received SIGTERM, finishing; exit' SIGTERM; echo WAITING; while :; do sleep 0.1; done" \ 312 >> /runme 313 RUN chmod +x /runme 314 EOF 315 316 dockerfile2=$PODMAN_TMPDIR/Dockerfile.2 317 cat >$dockerfile2 <<EOF 318 FROM $SYSTEMD_IMAGE 319 RUN echo -e "#!/bin/sh\n\ 320 exit 1" >> /runme 321 RUN chmod +x /runme 322 EOF 323 image=test 324 325 # Generate a healthy image that will run correctly. 326 run_podman build -t quay.io/libpod/$image -f $dockerfile1 327 328 generate_service $image local /runme --sdnotify=container noTag 329 _wait_service_ready container-$cname.service 330 331 run_podman auto-update --dry-run --format "{{.Unit}},{{.Image}},{{.Updated}},{{.Policy}}" 332 is "$output" ".*container-$cname.service,quay.io/libpod/$image:latest,false,local.*" "No update available" 333 334 # Generate an unhealthy image that will fail. 335 run_podman build -t quay.io/libpod/$image -f $dockerfile2 336 run_podman image inspect --format "{{.ID}}" $image 337 newID="$output" 338 339 run_podman auto-update --dry-run --format "{{.Unit}},{{.Image}},{{.Updated}},{{.Policy}}" 340 is "$output" ".*container-$cname.service,quay.io/libpod/$image:latest,pending,local.*" "Image updated is pending" 341 342 # Note: we rollback automatically by default. 343 run_podman auto-update --format "{{.Unit}},{{.Image}},{{.Updated}},{{.Policy}}" 344 is "$output" ".*container-$cname.service,quay.io/libpod/$image:latest,rolled back,local.*" "Rolled back to old image" 345 346 # Make sure that new container is not using the new image ID anymore. 347 _confirm_update $cname $newID 348 } 349 350 @test "podman auto-update with multiple services" { 351 # Preserve original image ID, to confirm that it changes (or not) 352 run_podman inspect --format "{{.Id}}" $IMAGE 353 local img_id="$output" 354 355 local cnames=() 356 local -A expect_update 357 local -A will_update=([image]=1 [registry]=1 [local]=1) 358 359 local fakevalue=fake_$(random_string) 360 for auto_update in image registry "" disabled "''" $fakevalue local 361 do 362 local img_base="alpine" 363 if [[ $auto_update == "registry" ]]; then 364 img_base="busybox" 365 elif [[ $auto_update == "local" ]]; then 366 img_base="localtest" 367 fi 368 generate_service $img_base $auto_update 369 cnames+=($cname) 370 if [[ $auto_update == "local" ]]; then 371 local_cname=$cname 372 fi 373 374 if [[ -n "$auto_update" && -n "${will_update[$auto_update]}" ]]; then 375 expect_update[$cname]=1 376 fi 377 done 378 379 # Make sure all services are ready. 380 for cname in "${cnames[@]}"; do 381 _wait_service_ready container-$cname.service 382 done 383 run_podman commit --change CMD=/bin/bash $local_cname quay.io/libpod/localtest:latest 384 # Exit code is expected, due to invalid 'fakevalue' 385 run_podman 125 auto-update --rollback=false 386 update_log=$output 387 is "$update_log" ".*invalid auto-update policy.*" "invalid policy setup" 388 is "$update_log" ".*Error: invalid auto-update policy.*" "invalid policy setup" 389 390 local n_updated=$(grep -c 'Trying to pull' <<<"$update_log") 391 is "$n_updated" "2" "Number of images updated from registry." 392 393 for cname in "${!expect_update[@]}"; do 394 is "$update_log" ".*$cname.*" "container with auto-update policy image updated" 395 # Just because podman says it fetched, doesn't mean it actually updated 396 _confirm_update $cname $img_id 397 done 398 399 # Final confirmation that all image IDs have/haven't changed 400 for cname in "${cnames[@]}"; do 401 run_podman inspect --format "{{.Image}}" $cname 402 if [[ -n "${expect_update[$cname]}" ]]; then 403 assert "$output" != "$img_id" "$cname: image ID did not change" 404 else 405 assert "$output" = "$img_id" "Image ID should not be changed." 406 fi 407 done 408 } 409 410 @test "podman auto-update using systemd" { 411 skip_if_journald_unavailable 412 413 generate_service alpine image 414 415 cat >$UNIT_DIR/podman-auto-update-$cname.timer <<EOF 416 [Unit] 417 Description=Podman auto-update testing timer 418 419 [Timer] 420 OnCalendar=*-*-* *:*:0/2 421 Persistent=true 422 423 [Install] 424 WantedBy=timers.target 425 EOF 426 cat >$UNIT_DIR/podman-auto-update-$cname.service <<EOF 427 [Unit] 428 Description=Podman auto-update testing service 429 Documentation=man:podman-auto-update(1) 430 Wants=network-online.target 431 After=network-online.target 432 433 [Service] 434 Type=oneshot 435 ExecStart=$PODMAN auto-update 436 Environment="http_proxy=${http_proxy}" 437 Environment="HTTP_PROXY=${HTTP_PROXY}" 438 Environment="https_proxy=${https_proxy}" 439 Environment="HTTPS_PROXY=${HTTPS_PROXY}" 440 Environment="no_proxy=${no_proxy}" 441 Environment="NO_PROXY=${NO_PROXY}" 442 443 [Install] 444 WantedBy=default.target 445 EOF 446 447 echo "podman-auto-update-$cname" >> $SNAME_FILE 448 systemctl enable --now podman-auto-update-$cname.timer 449 systemctl list-timers --all 450 451 # systemd <245 displays 'Started Podman auto-update ...' 452 # systemd 245 - <250 displays 'Finished Podman auto-update ...' 453 # systemd 250 - ???? displays 'Finished <unit name> - Podman auto-...' 454 local expect='(Started|Finished.*) Podman auto-update testing service' 455 local failed_start=failed 456 local count=0 457 while [ $count -lt 120 ]; do 458 run journalctl -n 15 -u podman-auto-update-$cname.service 459 if [[ "$output" =~ $expect ]]; then 460 failed_start= 461 break 462 fi 463 ((count+=1)) 464 sleep 1 465 done 466 467 if [[ -n "$failed_start" ]]; then 468 echo "journalctl output:" 469 sed -e 's/^/ /' <<<"$output" 470 die "Did not find expected string '$expect' in journalctl output for $cname" 471 fi 472 473 _confirm_update $cname $ori_image 474 } 475 476 @test "podman-kube@.service template with rollback" { 477 # sdnotify fails with runc 1.0.0-3-dev2 on Ubuntu. Let's just 478 # assume that we work only with crun, nothing else. 479 # [copied from 260-sdnotify.bats] 480 runtime=$(podman_runtime) 481 if [[ "$runtime" != "crun" ]]; then 482 skip "this test only works with crun, not $runtime" 483 fi 484 485 _prefetch $SYSTEMD_IMAGE 486 install_kube_template 487 488 dockerfile1=$PODMAN_TMPDIR/Dockerfile.1 489 cat >$dockerfile1 <<EOF 490 FROM $SYSTEMD_IMAGE 491 RUN echo -e "#!/bin/sh\n\ 492 printenv NOTIFY_SOCKET; echo READY; systemd-notify --ready;\n\ 493 trap 'echo Received SIGTERM, finishing; exit' SIGTERM; echo WAITING; while :; do sleep 0.1; done" \ 494 >> /runme 495 RUN chmod +x /runme 496 EOF 497 498 dockerfile2=$PODMAN_TMPDIR/Dockerfile.2 499 cat >$dockerfile2 <<EOF 500 FROM $SYSTEMD_IMAGE 501 RUN echo -e "#!/bin/sh\n\ 502 exit 1" >> /runme 503 RUN chmod +x /runme 504 EOF 505 local_image=localhost/image:$(random_string 10) 506 507 # Generate a healthy image that will run correctly. 508 run_podman build -t $local_image -f $dockerfile1 509 run_podman image inspect --format "{{.ID}}" $local_image 510 oldID="$output" 511 512 # Create the YAMl file 513 yaml_source="$PODMAN_TMPDIR/test.yaml" 514 cat >$yaml_source <<EOF 515 apiVersion: v1 516 kind: Pod 517 metadata: 518 annotations: 519 io.containers.autoupdate: "registry" 520 io.containers.autoupdate/b: "local" 521 io.containers.sdnotify/b: "container" 522 labels: 523 app: test 524 name: test_pod 525 spec: 526 containers: 527 - command: 528 - top 529 image: $IMAGE 530 name: a 531 - command: 532 - /runme 533 image: $local_image 534 name: b 535 EOF 536 537 # Dispatch the YAML file 538 service_name="podman-kube@$(systemd-escape $yaml_source).service" 539 systemctl_start $service_name 540 systemctl is-active $service_name 541 542 # Make sure the containers are properly configured 543 run_podman auto-update --dry-run --format "{{.Unit}},{{.Container}},{{.Image}},{{.Updated}},{{.Policy}}" 544 is "$output" ".*$service_name,.* (test_pod-a),$IMAGE,false,registry.*" "global auto-update policy gets applied" 545 is "$output" ".*$service_name,.* (test_pod-b),$local_image,false,local.*" "container-specified auto-update policy gets applied" 546 547 # Generate a broken image that will fail. 548 run_podman build -t $local_image -f $dockerfile2 549 run_podman image inspect --format "{{.ID}}" $local_image 550 newID="$output" 551 552 assert "$oldID" != "$newID" "broken image really is a new one" 553 554 # Make sure container b sees the new image 555 run_podman auto-update --dry-run --format "{{.Unit}},{{.Container}},{{.Image}},{{.Updated}},{{.Policy}}" 556 is "$output" ".*$service_name,.* (test_pod-a),$IMAGE,false,registry.*" "global auto-update policy gets applied" 557 is "$output" ".*$service_name,.* (test_pod-b),$local_image,pending,local.*" "container b sees the new image" 558 559 # Now update and check for the rollback 560 run_podman auto-update --format "{{.Unit}},{{.Container}},{{.Image}},{{.Updated}},{{.Policy}}" 561 is "$output" ".*$service_name,.* (test_pod-a),$IMAGE,rolled back,registry.*" "container a was rolled back as the update of b failed" 562 is "$output" ".*$service_name,.* (test_pod-b),$local_image,rolled back,local.*" "container b was rolled back as its update has failed" 563 564 # Clean up 565 systemctl stop $service_name 566 run_podman rmi -f $(pause_image) $local_image $newID $oldID 567 rm -f $UNIT_DIR/$unit_name 568 } 569 570 @test "podman auto-update - pod" { 571 dockerfile=$PODMAN_TMPDIR/Dockerfile 572 cat >$dockerfile <<EOF 573 FROM $IMAGE 574 RUN touch /123 575 EOF 576 577 podname=$(random_string) 578 ctrname=$(random_string) 579 podunit="$UNIT_DIR/pod-$podname.service.*" 580 ctrunit="$UNIT_DIR/container-$ctrname.service.*" 581 local_image=localhost/image:$(random_string 10) 582 583 run_podman tag $IMAGE $local_image 584 585 run_podman pod create --name=$podname 586 run_podman create --label "io.containers.autoupdate=local" --pod=$podname --name=$ctrname $local_image top 587 588 # cd into the unit dir to generate the two files. 589 pushd "$UNIT_DIR" 590 run_podman generate systemd --name --new --files $podname 591 is "$output" ".*$podunit.*" 592 is "$output" ".*$ctrunit.*" 593 popd 594 595 systemctl daemon-reload 596 597 systemctl_start pod-$podname.service 598 _wait_service_ready container-$ctrname.service 599 600 run_podman pod inspect --format "{{.State}}" $podname 601 is "$output" "Running" "pod is in running state" 602 run_podman container inspect --format "{{.State.Status}}" $ctrname 603 is "$output" "running" "container is in running state" 604 605 run_podman pod inspect --format "{{.ID}}" $podname 606 podid="$output" 607 run_podman container inspect --format "{{.ID}}" $ctrname 608 ctrid="$output" 609 610 # Note that the pod's unit is listed below, not the one of the container. 611 run_podman auto-update --dry-run --format "{{.Unit}},{{.Image}},{{.Updated}},{{.Policy}}" 612 is "$output" ".*pod-$podname.service,$local_image,false,local.*" "No update available" 613 614 run_podman build -t $local_image -f $dockerfile 615 616 run_podman auto-update --dry-run --format "{{.Unit}},{{.Image}},{{.Updated}},{{.Policy}}" 617 is "$output" ".*pod-$podname.service,$local_image,pending,local.*" "Image updated is pending" 618 619 run_podman auto-update --format "{{.Unit}},{{.Image}},{{.Updated}},{{.Policy}}" 620 is "$output" ".*pod-$podname.service,$local_image,true,local.*" "Service has been restarted" 621 _wait_service_ready container-$ctrname.service 622 623 run_podman pod inspect --format "{{.ID}}" $podname 624 assert "$output" != "$podid" "pod has been recreated" 625 run_podman container inspect --format "{{.ID}}" $ctrname 626 assert "$output" != "$ctrid" "container has been recreated" 627 628 run systemctl stop pod-$podname.service 629 assert $status -eq 0 "Error stopping pod systemd unit: $output" 630 631 run_podman pod rm -f $podname 632 run_podman rmi $local_image $(pause_image) 633 rm -f $podunit $ctrunit 634 systemctl daemon-reload 635 } 636 637 @test "podman-auto-update --authfile" { 638 # Test the three supported ways of using authfiles with auto updates 639 # 1) Passed via --authfile CLI flag 640 # 2) Passed via the REGISTRY_AUTH_FILE env variable 641 # 3) Via a label at container creation where 1) and 2) will be ignored 642 643 registry=localhost:${PODMAN_LOGIN_REGISTRY_PORT} 644 image_on_local_registry=$registry/name:tag 645 authfile=$PODMAN_TMPDIR/authfile.json 646 647 # First, start the registry and populate the authfile that we can use for the test. 648 start_registry 649 run_podman login --authfile=$authfile \ 650 --tls-verify=false \ 651 --username ${PODMAN_LOGIN_USER} \ 652 --password ${PODMAN_LOGIN_PASS} \ 653 $registry 654 655 # Push the image to the registry and pull it down again to make sure we 656 # have the identical digest in the local storage 657 run_podman push --tls-verify=false --creds "${PODMAN_LOGIN_USER}:${PODMAN_LOGIN_PASS}" $IMAGE $image_on_local_registry 658 run_podman pull --tls-verify=false --creds "${PODMAN_LOGIN_USER}:${PODMAN_LOGIN_PASS}" $image_on_local_registry 659 660 # Generate a systemd service with the "registry" auto-update policy running 661 # "top" inside the image we just pushed to the local registry. 662 generate_service "" registry top "" "" "" $image_on_local_registry 663 ctr=$cname 664 _wait_service_ready container-$ctr.service 665 666 run_podman 125 auto-update 667 is "$output" \ 668 ".*Error: checking image updates for container .*: x509: .*" 669 670 run_podman 125 auto-update --tls-verify=false 671 is "$output" \ 672 ".*Error: checking image updates for container .*: authentication required" 673 674 # Test 1) 675 run_podman auto-update --authfile=$authfile --tls-verify=false --dry-run --format "{{.Unit}},{{.Image}},{{.Updated}},{{.Policy}}" 676 is "$output" "container-$ctr.service,$image_on_local_registry,false,registry" "auto-update works with authfile" 677 678 # Test 2) 679 REGISTRY_AUTH_FILE=$authfile run_podman auto-update --tls-verify=false --dry-run --format "{{.Unit}},{{.Image}},{{.Updated}},{{.Policy}}" 680 is "$output" "container-$ctr.service,$image_on_local_registry,false,registry" "auto-update works with env var" 681 systemctl stop container-$ctr.service 682 run_podman rm -f -t0 --ignore $ctr 683 684 # Create a container with the auth-file label 685 generate_service "" registry top "--label io.containers.autoupdate.authfile=$authfile" "" "" $image_on_local_registry 686 ctr=$cname 687 _wait_service_ready container-$ctr.service 688 689 # Test 3) 690 # Also make sure that the label takes precedence over the CLI flag. 691 run_podman auto-update --authfile=/dev/null --tls-verify=false --dry-run --format "{{.Unit}},{{.Image}},{{.Updated}},{{.Policy}}" 692 is "$output" "container-$ctr.service,$image_on_local_registry,false,registry" "auto-update works with authfile container label" 693 run_podman rm -f -t0 --ignore $ctr 694 run_podman rmi $image_on_local_registry 695 } 696 697 # vim: filetype=sh