File: push.bats

#!/usr/bin/env bats

load helpers

@test "push-flags-order-verification" {
  # Options placed after the positional arguments (image, destination) are
  # expected to be rejected instead of being taken as further arguments.
  # The leading 125 is presumably the exit status run_buildah must observe;
  # run_buildah and check_options_flag_err come from `load helpers` and are
  # not shown in this file.
  run_buildah 125 push img1 dest1 -q
  check_options_flag_err "-q"

  run_buildah 125 push img1 --tls-verify dest1
  check_options_flag_err "--tls-verify"

  # user1:pass1 is a placeholder credential; these two cases check that a
  # misplaced --creds is reported, in both "--creds VALUE" and
  # "--creds=VALUE" spellings.
  run_buildah 125 push img1 dest1 arg3 --creds user1:pass1
  check_options_flag_err "--creds"

  run_buildah 125 push img1 --creds=user1:pass1 dest1
  check_options_flag_err "--creds=user1:pass1"
}

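@test "push" {
  # For a scratch-based container and each manifest format, commit the
  # container both to local storage and to a dir: destination, push the
  # stored image to a second dir: destination, and require the rebuilt
  # manifests of the committed and pushed copies to be identical.
  skip_if_rootless_environment
  local reftime="${TEST_SCRATCH_DIR}/reference-time-file"
  touch "${reftime}"
  for source in scratch scratch-image; do
    # $WITH_POLICY_JSON stays unquoted: it is presumably an option plus its
    # value in one string and has to split into separate words.
    run_buildah from --quiet --pull=false $WITH_POLICY_JSON "${source}"
    cid=$output
    for format in "" docker oci ; do
      # Empty for the default format; otherwise ".docker"/".oci" for paths
      # and "-docker"/"-oci" for the image name.
      local dotsuffix=${format:+.${format}}
      local image="scratch-image${format:+-${format}}"
      local committed="${TEST_SCRATCH_DIR}/committed${dotsuffix}"
      local pushed="${TEST_SCRATCH_DIR}/pushed${dotsuffix}"
      mkdir -p "${committed}"
      # Force no compression to generate what we push.
      # ${format:+--format ${format}} is deliberately unquoted so that it
      # expands to two words, or to nothing when format is empty.
      run_buildah commit -D ${format:+--format ${format}} --reference-time "${reftime}" $WITH_POLICY_JSON "$cid" "${image}"
      run_buildah commit -D ${format:+--format ${format}} --reference-time "${reftime}" $WITH_POLICY_JSON "$cid" "dir:${committed}"
      mkdir -p "${pushed}"
      run_buildah push -D $WITH_POLICY_JSON "${image}" "dir:${pushed}"
      # Re-encode the manifest to lose variations due to different encoders or definitions of structures.
      imgtype -expected-manifest-type "*" -rebuild-manifest -show-manifest "dir:${committed}" > "${TEST_SCRATCH_DIR}/manifest.committed${dotsuffix}"
      imgtype -expected-manifest-type "*" -rebuild-manifest -show-manifest "dir:${pushed}" > "${TEST_SCRATCH_DIR}/manifest.pushed${dotsuffix}"
      diff -u "${TEST_SCRATCH_DIR}/manifest.committed${dotsuffix}" "${TEST_SCRATCH_DIR}/manifest.pushed${dotsuffix}"
    done
    run_buildah rm "$cid"
  done
}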

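@test "push with manifest type conversion" {
  # Push the same image twice into one dir: destination, first as OCI and
  # then as Docker v2s2, and check the media type found in manifest.json
  # after each push.
  mytmpdir=${TEST_SCRATCH_DIR}/my-dir
  mkdir -p "$mytmpdir"

  _prefetch alpine
  # $WITH_POLICY_JSON stays unquoted so it can split into option and value.
  run_buildah from --quiet --pull=false $WITH_POLICY_JSON alpine
  cid=$output
  run_buildah push --retry 4 --retry-delay 4s $WITH_POLICY_JSON --format oci alpine "dir:$mytmpdir"
  run cat "$mytmpdir/manifest.json"
  expect_output --substring "application/vnd.oci.image.config.v1\\+json"

  run_buildah push $WITH_POLICY_JSON --format v2s2 alpine "dir:$mytmpdir"
  run cat "$mytmpdir/manifest.json"
  expect_output --substring "application/vnd.docker.distribution.manifest.v2\\+json"
}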

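@test "push with imageid" {
  # Push an image selected by the ID that `buildah images -q` prints,
  # rather than by name, to a dir: destination.
  mytmpdir=${TEST_SCRATCH_DIR}/my-dir
  mkdir -p "$mytmpdir"

  _prefetch alpine
  run_buildah from --quiet --pull=false $WITH_POLICY_JSON alpine
  cid=$output
  run_buildah images -q
  imageid=$output
  # Quoted so the ID is always passed as exactly one argument; the test
  # presumably relies on storage holding a single image at this point.
  run_buildah push $WITH_POLICY_JSON "$imageid" "dir:$mytmpdir"
}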

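@test "push with imageid and digest file" {
  # Push by image ID with --digestfile and require that the digest file
  # exists and is not empty afterwards.
  mytmpdir=${TEST_SCRATCH_DIR}/my-dir
  mkdir -p "$mytmpdir"

  _prefetch alpine
  run_buildah from --quiet --pull=false $WITH_POLICY_JSON alpine
  cid=$output
  run_buildah images -q
  imageid=$output
  local digestfile="${TEST_SCRATCH_DIR}/digest.txt"
  run_buildah push --digestfile="${digestfile}" $WITH_POLICY_JSON "$imageid" "dir:$mytmpdir"
  # Print the digest for the test log, then assert the file is non-empty.
  cat "${digestfile}"
  test -s "${digestfile}"
}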

@test "push without destination" {
  # A push that names an image but no destination is expected to fail
  # (status 125 is passed to run_buildah). The only check on the message is
  # that it contains the image name.
  _prefetch busybox
  run_buildah pull $WITH_POLICY_JSON busybox
  run_buildah 125 push $WITH_POLICY_JSON busybox
  expect_output --substring "busybox"
}

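@test "push should fail with nonexistent authfile" {
  # A push whose --authfile names a file that does not exist is expected to
  # fail (status 125 is passed to run_buildah).
  _prefetch alpine
  run_buildah from --quiet --pull $WITH_POLICY_JSON alpine
  cid=$output
  run_buildah images -q
  imageid=$output
  # The missing path is placed under TEST_SCRATCH_DIR (presumably private to
  # this test run) instead of a fixed name in world-writable /tmp, where any
  # other local user or process could create the file and change what this
  # test exercises.
  local missing_authfile="${TEST_SCRATCH_DIR}/nonexistent-authfile"
  [ ! -e "${missing_authfile}" ]
  run_buildah 125 push $WITH_POLICY_JSON --authfile "${missing_authfile}" "$imageid" "dir:${TEST_SCRATCH_DIR}/my-tmp-dir"
}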

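@test "push-denied-by-registry-sources" {
  # BUILD_REGISTRY_SOURCES carries a JSON registry policy. Both commit and
  # push to registry.example.com are expected to be refused (status 125),
  # first because the registry is on the blocked list and then because it
  # is missing from the allowed list.
  _prefetch busybox

  export BUILD_REGISTRY_SOURCES='{"blockedRegistries": ["registry.example.com"]}'

  run_buildah from --quiet $WITH_POLICY_JSON --quiet busybox
  cid=$output
  run_buildah 125 commit $WITH_POLICY_JSON "${cid}" docker://registry.example.com/busierbox
  expect_output --substring 'commit to registry at "registry.example.com" denied by policy: it is in the blocked registries list'

  run_buildah pull $WITH_POLICY_JSON --quiet busybox
  # NOTE(review): this is the only denial in the test checked by exit
  # status alone. The other three also assert on the policy message, so a
  # 125 from an unrelated failure would pass here. Consider adding the
  # matching expect_output once the exact push message is confirmed.
  run_buildah 125 push $WITH_POLICY_JSON busybox docker://registry.example.com/evenbusierbox

  export BUILD_REGISTRY_SOURCES='{"allowedRegistries": ["some-other-registry.example.com"]}'

  run_buildah from --quiet $WITH_POLICY_JSON --quiet busybox
  cid=$output
  run_buildah 125 commit $WITH_POLICY_JSON "${cid}" docker://registry.example.com/busierbox
  expect_output --substring 'commit to registry at "registry.example.com" denied by policy: not in allowed registries list'

  run_buildah pull $WITH_POLICY_JSON --quiet busybox
  run_buildah 125 push $WITH_POLICY_JSON busybox docker://registry.example.com/evenbusierbox
  expect_output --substring 'registry "registry.example.com" denied by policy: not in allowed registries list'
}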


@test "buildah push image to containers-storage" {
  # Push busybox to a containers-storage: destination under a new name and
  # check that the name then appears in the `buildah images` listing.
  _prefetch busybox
  run_buildah push $WITH_POLICY_JSON busybox containers-storage:newimage:latest
  run_buildah images
  expect_output --substring "newimage"
}

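@test "buildah push image to docker-archive and oci-archive" {
  # Push busybox to each archive transport and check that a tar file was
  # written.
  _prefetch busybox
  for dest in docker-archive oci-archive; do
    mkdir "${TEST_SCRATCH_DIR}/tmp"
    run_buildah push $WITH_POLICY_JSON busybox "${dest}:${TEST_SCRATCH_DIR}/tmp/busybox.tar:latest"
    # Assert the archive exists and is non-empty.
    test -s "${TEST_SCRATCH_DIR}/tmp/busybox.tar"
    # ${VAR:?} aborts if TEST_SCRATCH_DIR is unset or empty, so this can
    # never expand to `rm -rf /tmp`.
    rm -rf -- "${TEST_SCRATCH_DIR:?}/tmp"
  done
}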

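@test "buildah push image to docker and docker registry" {
  # Push to the local Docker daemon, then to the test registry, and check
  # each time that docker can see the image.
  skip_if_no_docker

  _prefetch busybox
  run_buildah push $WITH_POLICY_JSON busybox docker-daemon:buildah/busybox:latest
  run docker images
  expect_output --substring "buildah/busybox"
  docker rmi buildah/busybox

  start_registry
  # REGISTRY_PORT is presumably set by start_registry (helper not shown).
  local registry="localhost:${REGISTRY_PORT}"
  # testuser:testpassword are fixture credentials for the local test
  # registry. --tls-verify=false turns off certificate verification for this
  # push only. docker login below reads the password from stdin, which
  # keeps it out of the process argument list.
  run_buildah push $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword docker.io/busybox:latest "docker://${registry}/buildah/busybox:latest"
  docker login "${registry}" --username testuser --password-stdin <<<testpassword
  docker pull "${registry}/buildah/busybox:latest"
  output=$(docker images)
  expect_output --substring "buildah/busybox"
  docker rmi "${registry}/buildah/busybox:latest"
  docker logout "${registry}"
}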

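@test "buildah oci encrypt and push local oci" {
  # Push busybox to a local oci: layout encrypted to a freshly generated RSA
  # public key and check that the manifest carries "+encrypted" media types.
  skip_if_rootless_environment
  _prefetch busybox
  local keydir="${TEST_SCRATCH_DIR}/tmp"
  mkdir "${keydir}"
  # 2048-bit throwaway key: 1024-bit RSA is below current minimums and is
  # refused when OpenSSL runs under FIPS or a strict crypto policy, which
  # would fail this test for reasons unrelated to push.
  openssl genrsa -out "${keydir}/mykey.pem" 2048
  openssl rsa -in "${keydir}/mykey.pem" -pubout > "${keydir}/mykey.pub"
  run_buildah push $WITH_POLICY_JSON --encryption-key "jwe:${keydir}/mykey.pub" busybox "oci:${keydir}/busybox_enc"
  # -F: match "+encrypted" as a literal string, not as a regex.
  imgtype  -show-manifest "oci:${keydir}/busybox_enc" | grep -F -- "+encrypted"
  # ${VAR:?} aborts if TEST_SCRATCH_DIR is unset or empty, so this can
  # never expand to `rm -rf /tmp`.
  rm -rf -- "${TEST_SCRATCH_DIR:?}/tmp"
}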

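@test "buildah oci encrypt and push registry" {
  # Push busybox, encrypted to a freshly generated RSA public key, to the
  # local test registry.
  _prefetch busybox
  local keydir="${TEST_SCRATCH_DIR}/tmp"
  mkdir "${keydir}"
  start_registry
  # 2048-bit throwaway key: 1024-bit RSA is below current minimums and is
  # refused when OpenSSL runs under FIPS or a strict crypto policy, which
  # would fail this test for reasons unrelated to push.
  openssl genrsa -out "${keydir}/mykey.pem" 2048
  openssl rsa -in "${keydir}/mykey.pem" -pubout > "${keydir}/mykey.pub"
  # Fixture credentials; certificate verification is disabled for this push
  # to the local test registry.
  run_buildah push $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword --encryption-key "jwe:${keydir}/mykey.pub" busybox "docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest"
  # this test, just checks the ability to push an image
  # there is no good way to test the details of the image unless with ./buildah pull, test will be in pull.bats
  # ${VAR:?} aborts if TEST_SCRATCH_DIR is unset or empty, so this can
  # never expand to `rm -rf /tmp`.
  rm -rf -- "${TEST_SCRATCH_DIR:?}/tmp"
}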

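@test "buildah push to registry allowed by BUILD_REGISTRY_SOURCES" {
  # Push to the local test registry with TLS verification on: first without
  # a CA (expected to fail on the certificate), then with --cert-dir
  # (expected to succeed).
  _prefetch busybox
  start_registry
  # NOTE(review): the single quotes keep ${REGISTRY_PORT} literal, so the
  # JSON lists the host "localhost:${REGISTRY_PORT}" verbatim rather than
  # the running registry's address. Confirm whether that is intended before
  # changing it: expanding the variable would mark the test registry as
  # insecure and could change what the two pushes below actually verify.
  export BUILD_REGISTRY_SOURCES='{"insecureRegistries": ["localhost:${REGISTRY_PORT}"]}'

  # Verification is forced on and no CA directory is given, so the push
  # must be rejected because of the registry's certificate.
  run_buildah 125 push --creds testuser:testpassword $WITH_POLICY_JSON --tls-verify=true busybox "docker://localhost:${REGISTRY_PORT}/buildah/busybox:latest"
  expect_output --substring "certificate signed by unknown authority"

  # ${TEST_SCRATCH_DIR}/registry is presumably where start_registry leaves
  # the registry's certificate (helper not shown here).
  run_buildah push --creds testuser:testpassword  $WITH_POLICY_JSON --cert-dir "${TEST_SCRATCH_DIR}/registry" busybox "docker://localhost:${REGISTRY_PORT}/buildah/busybox:latest"
}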

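@test "push with authfile" {
  # Log in to the test registry into a dedicated authfile, then use that
  # authfile for an image push and for a manifest-list push.
  _prefetch busybox
  mkdir "${TEST_SCRATCH_DIR}/tmp"
  start_registry
  local authfile="${TEST_SCRATCH_DIR}/tmp/test.auth"
  local registry="localhost:${REGISTRY_PORT}"
  # Fixture credentials for the local test registry. The password is given
  # on the command line here; --password-stdin is the form that keeps a
  # real secret out of the process argument list.
  run_buildah login --authfile "${authfile}" --username testuser --password testpassword --tls-verify=false "${registry}"
  run_buildah push --authfile "${authfile}" $WITH_POLICY_JSON --tls-verify=false busybox "docker://${registry}/buildah/busybox:latest"
  expect_output --substring "Copying"

  run_buildah manifest create "${registry}/testmanifest"
  run_buildah manifest push --authfile "${authfile}" $WITH_POLICY_JSON --tls-verify=false "${registry}/testmanifest"
  expect_output --substring "Writing manifest list to image destination"
}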

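@test "push with --quiet" {
  # With --quiet the push is expected to produce no output at all.
  mytmpdir=${TEST_SCRATCH_DIR}/my-dir
  mkdir -p "$mytmpdir"

  _prefetch alpine
  # $WITH_POLICY_JSON stays unquoted so it can split into option and value.
  run_buildah push --quiet $WITH_POLICY_JSON alpine "dir:$mytmpdir"
  expect_output ""
}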

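@test "push with --compression-format" {
  # Push as OCI with zstd:chunked compression and check that the written
  # manifest lists a zstd layer media type.
  _prefetch alpine
  # NOTE(review): unlike the other tests in this file, neither call below
  # passes $WITH_POLICY_JSON, so they presumably use whatever signature
  # policy the host provides. Confirm that this is intended.
  run_buildah from --quiet --pull alpine
  cid=$output
  run_buildah images -q
  imageid=$output
  run_buildah push --format oci --compression-format zstd:chunked "$imageid" "dir:${TEST_SCRATCH_DIR}/zstd"
  # Verify there is some zstd compressed layer.
  # -F: the media type is matched literally, so "." and "+" are not treated
  # as regex metacharacters.
  grep -F -- 'application/vnd.oci.image.layer.v1.tar+zstd' "${TEST_SCRATCH_DIR}/zstd/manifest.json"
}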