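# -*- bash -*-
#
# helpers for starting/stopping a local registry.
#
# Used primarily in 150-login.bats
#
# Source: github.com/containers/podman/v5@v5.1.0-rc1/test/system/helpers.registry.bash
#
# Everything here is test scaffolding: the TLS key, certificate and login
# credentials created below are throwaway material for a registry that is
# published on 127.0.0.1 only. None of it is suitable for a real registry.
#
# Helpers defined elsewhere in the test suite and called from here:
# run_podman, podman_isolation_opts, _prefetch, wait_for_port,
# wait_for_output, tcp_port_probe, skip, die.

###############################################################################
# BEGIN one-time envariable setup

# Override any user-set path to an auth file
unset REGISTRY_AUTH_FILE

# END one-time envariable setup
###############################################################################

#######################################
# Start a local registry. Only needed on demand (e.g. by 150-login.bats)
# and then only once: if we start, leave it running until final teardown.
# Globals:
#   PODMAN_LOGIN_WORKDIR, PODMAN_LOGIN_USER, PODMAN_LOGIN_PASS,
#   PODMAN_LOGIN_REGISTRY_PORT, PODMAN_TEST_IMAGE_REGISTRY,
#   PODMAN_TEST_IMAGE_USER (read)
#   AUTHDIR, CERT, PODMAN_LOGIN_ARGS, cid (written, deliberately not local)
# Arguments: none
#######################################
function start_registry() {
    if [[ -d "$PODMAN_LOGIN_WORKDIR/auth" ]]; then
        # Already started

        # Fixes very obscure corner case in root system tests:
        #  1) we run 150-login tests, starting a registry; then
        #  2) run 500-network, which runs iptables -F; then
        #  3) run 700-play, the "private" test, which needs the
        #     already-started registry, but its port is now DROPped,
        #     so the test times out trying to talk to registry
        # The command substitution is left unquoted on purpose: it expands
        # to several separate options.
        # shellcheck disable=SC2046
        run_podman --storage-driver vfs $(podman_isolation_opts "${PODMAN_LOGIN_WORKDIR}") network reload --all
        return
    fi

    AUTHDIR=${PODMAN_LOGIN_WORKDIR}/auth
    mkdir -p -- "$AUTHDIR"

    # Registry image; copy of docker.io, but on our own registry
    local REGISTRY_IMAGE="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/registry:2.8"

    # Pull registry image, but into a separate container storage and DB and everything
    PODMAN_LOGIN_ARGS="--storage-driver vfs $(podman_isolation_opts "${PODMAN_LOGIN_WORKDIR}")"
    # _prefetch() will retry twice on network error, and will also use
    # a pre-cached image if present (helpful on dev workstation, not in CI).
    _PODMAN_TEST_OPTS="${PODMAN_LOGIN_ARGS}" _prefetch "$REGISTRY_IMAGE"

    # Registry image needs a cert. Self-signed is good enough.
    # -nodes leaves domain.key unencrypted on disk. That is acceptable only
    # because the key is short-lived (-days 2), names localhost alone, and
    # sits in the test workdir.
    # NOTE(review): this assumes the workdir is not readable by other local
    # users -- confirm where PODMAN_LOGIN_WORKDIR is created.
    CERT=$AUTHDIR/domain.crt
    if [[ ! -e "$CERT" ]]; then
        openssl req -newkey rsa:4096 -nodes -sha256 \
                -keyout "$AUTHDIR/domain.key" -x509 -days 2 \
                -out "$AUTHDIR/domain.crt" \
                -subj "/C=US/ST=Foo/L=Bar/O=Red Hat, Inc./CN=localhost" \
                -addext "subjectAltName=DNS:localhost"
    fi

    # Copy a cert to another directory for --cert-dir option tests
    mkdir -p -- "${PODMAN_LOGIN_WORKDIR}/trusted-registry-cert-dir"
    cp -- "$CERT" "${PODMAN_LOGIN_WORKDIR}/trusted-registry-cert-dir"

    # Store credentials where container will see them.
    # -B selects bcrypt. -b takes the password from the command line, so it
    # is visible in the process list while htpasswd runs; tolerable for a
    # test credential, not a pattern to copy for real secrets.
    htpasswd -Bbn "${PODMAN_LOGIN_USER}" "${PODMAN_LOGIN_PASS}" > "$AUTHDIR/htpasswd"

    # In case $PODMAN_TEST_KEEP_LOGIN_REGISTRY is set, for testing later.
    # This file holds the password in clear text, so create it owner-only;
    # the subshell keeps the umask change from leaking into the caller.
    (
        umask 077
        printf '%s:%s\n' "${PODMAN_LOGIN_USER}" "${PODMAN_LOGIN_PASS}" \
            > "$AUTHDIR/htpasswd-plaintext"
    )

    # Run the registry container.
    # The port is published on 127.0.0.1 only, so the registry is not
    # reachable from other hosts. PODMAN_LOGIN_ARGS is word-split on purpose.
    # shellcheck disable=SC2086
    run_podman ${PODMAN_LOGIN_ARGS} run -d \
               -p "127.0.0.1:${PODMAN_LOGIN_REGISTRY_PORT}:5000" \
               --name registry \
               -v "$AUTHDIR:/auth:Z" \
               -e "REGISTRY_AUTH=htpasswd" \
               -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
               -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
               -e REGISTRY_HTTP_TLS_CERTIFICATE=/auth/domain.crt \
               -e REGISTRY_HTTP_TLS_KEY=/auth/domain.key \
               "$REGISTRY_IMAGE"
    cid="$output"

    # wait_for_port isn't enough: that just checks that podman has mapped the port...
    wait_for_port 127.0.0.1 "${PODMAN_LOGIN_REGISTRY_PORT}"
    # ...so we look in container logs for confirmation that registry is running.
    _PODMAN_TEST_OPTS="${PODMAN_LOGIN_ARGS}" wait_for_output "listening on .::.:5000" "$cid"
}

#######################################
# Stop and remove the registry container and, unless asked to keep it,
# delete the login workdir. Does nothing when no auth directory exists.
# Globals:
#   PODMAN_LOGIN_WORKDIR, PODMAN_LOGIN_REGISTRY_PORT,
#   PODMAN_TEST_KEEP_LOGIN_REGISTRY, PODMAN_TEST_KEEP_LOGIN_WORKDIR (read)
#   opts (written)
# Arguments: none
#######################################
function stop_registry() {
    if [[ ! -d "$PODMAN_LOGIN_WORKDIR/auth" ]]; then
        # No registry running
        return
    fi

    # For manual debugging; user may request keeping the registry running
    if [[ -n "${PODMAN_TEST_KEEP_LOGIN_REGISTRY}" ]]; then
        skip "[leaving registry running by request]"
    fi

    opts="--storage-driver vfs $(podman_isolation_opts "${PODMAN_LOGIN_WORKDIR}")"
    # $opts is word-split on purpose: it holds several options.
    # shellcheck disable=SC2086
    run_podman $opts rm -f -t0 registry
    # shellcheck disable=SC2086
    run_podman $opts rmi -a -f

    # By default, clean up
    if [[ -z "${PODMAN_TEST_KEEP_LOGIN_WORKDIR}" ]]; then
        # FIXME: why is this necessary??? If we don't do this, we can't
        #        rm -rf the workdir, because ..../overlay is mounted
        # ${VAR:?} aborts instead of matching every mount when the variable
        # is empty; -F treats the path as a literal string, not a regex.
        mount | grep -F -- "${PODMAN_LOGIN_WORKDIR:?}" | awk '{print $3}' | xargs --no-run-if-empty umount

        # The path is quoted and guarded so that an empty or
        # whitespace-containing value can never make rm -rf act on
        # something other than the workdir.
        if [[ $(id -u) -eq 0 ]]; then
            rm -rf -- "${PODMAN_LOGIN_WORKDIR:?}"
        else
            # rootless image data is owned by a subuid
            run_podman unshare rm -rf -- "${PODMAN_LOGIN_WORKDIR:?}"
        fi
    fi

    # Make sure socket is closed
    if tcp_port_probe "$PODMAN_LOGIN_REGISTRY_PORT"; then
        # for debugging flakes
        echo ""
        echo "ps auxww --forest"
        ps auxww --forest
        echo ""
        echo "lsof -i -P"
        lsof -i -P
        die "Socket still seems open"
    fi
}

#######################################
# Stop the registry container without removing it (podman stop).
# Does nothing when no auth directory exists.
# Globals: PODMAN_LOGIN_WORKDIR (read), opts (written)
# Arguments: none
#######################################
function pause_registry() {
    if [[ ! -d "$PODMAN_LOGIN_WORKDIR/auth" ]]; then
        # No registry running
        return
    fi

    opts="--storage-driver vfs $(podman_isolation_opts "${PODMAN_LOGIN_WORKDIR}")"
    # $opts is word-split on purpose: it holds several options.
    # shellcheck disable=SC2086
    run_podman $opts stop registry
}

#######################################
# Start the previously stopped registry container again (podman start).
# Does nothing when no auth directory exists.
# Globals: PODMAN_LOGIN_WORKDIR (read), opts (written)
# Arguments: none
#######################################
function unpause_registry() {
    if [[ ! -d "$PODMAN_LOGIN_WORKDIR/auth" ]]; then
        # No registry running
        return
    fi

    opts="--storage-driver vfs $(podman_isolation_opts "${PODMAN_LOGIN_WORKDIR}")"
    # $opts is word-split on purpose: it holds several options.
    # shellcheck disable=SC2086
    run_podman $opts start registry
}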