EXPERIMENTAL: set up a local registry, cache images

On each test VM:
- bring up a local registry
- copy all images used by tests, from quay to this registry
- change the registries.conf used by tests so it points to this reg

Yes, this is stupid as it stands. It gains us nothing. It's just
a proof of concept. If it works, the registry setup and cache
will be moved to automation_images, so each CI VM will come
preloaded with a cache registry. And if it doesn't work, this
PR is a much much faster way to find out than a constant
flurry of spinning up new images.

Signed-off-by: Ed Santiago <santiago@redhat.com>

.cirrus.yml

@@ -33,7 +33,7 @@ env:
     DEBIAN_NAME: "debian-13"
 
     # Image identifiers
-    IMAGE_SUFFIX: "c20240529t141726z-f40f39d13"
+    IMAGE_SUFFIX: "c20240529t184216z-f40f39d13"
 
     # EC2 images
     FEDORA_AMI: "fedora-aws-${IMAGE_SUFFIX}"

contrib/cirrus/runner.sh

@@ -141,6 +141,7 @@ exec_container() {
 
     # VM Images and Container images are built using (nearly) identical operations.
     set -x
+    env CONTAINERS_REGISTRIES_CONF=/dev/null bin/podman pull -q $CTR_FQIN
     # shellcheck disable=SC2154
     exec bin/podman run --rm --privileged --net=host --cgroupns=host \
         -v `mktemp -d -p /var/tmp`:/var/tmp:Z \

contrib/cirrus/setup_environment.sh

@@ -321,6 +321,12 @@ case "$PODBIN_NAME" in
     *) die_unknown PODBIN_NAME
 esac
 
+# If our CI VMs have a preinstalled registry, start it
+LCR=/var/tmp/podman-registry/local-cache-registry
+if [[ -x $LCR ]]; then
+    $LCR start
+fi
+
 # Required to be defined by caller: The primary type of testing that will be performed
 # shellcheck disable=SC2154
 showrun echo "about to set up for TEST_FLAVOR [=$TEST_FLAVOR]"
@@ -413,6 +419,7 @@ case "$TEST_FLAVOR" in
         showrun dnf install -y podman-gvproxy*
         remove_packaged_podman_files
         showrun make install PREFIX=/usr ETCDIR=/etc
+        /var/tmp/podman-registry/local-cache-registry cache podman/machine-os:5.2
         install_test_configs
         ;;
     swagger)

hack/podman-registry

@@ -7,7 +7,7 @@ ME=$(basename $0)
 ###############################################################################
 # BEGIN defaults
 
-PODMAN_REGISTRY_IMAGE=quay.io/libpod/registry:2.8
+PODMAN_REGISTRY_IMAGE=quay.io/libpod/registry:2.8.2
 
 PODMAN_REGISTRY_USER=
 PODMAN_REGISTRY_PASS=

pkg/bindings/test/images_test.go

@@ -177,7 +177,7 @@ var _ = Describe("Podman images", func() {
 
 		// Adding one more image. There Should be no errors in the response.
 		// And the count should be three now.
-		bt.Pull("testimage:20200929")
+		bt.Pull("testimage:20221018")
 		imageSummary, err = images.List(bt.conn, nil)
 		Expect(err).ToNot(HaveOccurred())
 		Expect(len(imageSummary)).To(BeNumerically(">=", 2))

test/apiv2/10-images.at

@@ -7,7 +7,9 @@
 podman pull -q $IMAGE
 
 t GET libpod/images/json 200 \
-  .[0].Id~[0-9a-f]\\{64\\}
+  length=1 \
+  .[0].Id~[0-9a-f]\\{64\\} \
+  .[0].Names[0]="$IMAGE"
 iid=$(jq -r '.[0].Id' <<<"$output")
 
 # Create an empty manifest and make sure it is not listed
@@ -18,7 +20,7 @@ t GET images/json 200 length=1
 t GET libpod/images/json 200 length=2
 
 t GET libpod/images/$iid/exists                     204
-t GET libpod/images/$PODMAN_TEST_IMAGE_NAME/exists  204
+t GET libpod/images/$PODMAN_TEST_IMAGE_NAME:$PODMAN_TEST_IMAGE_TAG/exists  204
 t GET libpod/images/${iid}abcdef/exists  404 \
   .cause="failed to find image ${iid}abcdef"
 
@@ -51,11 +53,13 @@ t GET images/$iid/json 200 \
 t POST "images/create?fromImage=alpine" 200 .error~null .status~".*Download complete.*"
 t POST "libpod/images/pull?reference=alpine&compatMode=true" 200 .error~null .status~".*Download complete.*"
 
-t POST "images/create?fromImage=alpine&tag=latest" 200
+t POST "images/create?fromImage=alpine&tag=latest" 200 \
+  .status~"Already exists"
 
 # 10977 - handle platform parameter correctly
-t POST "images/create?fromImage=quay.io/libpod/testimage:20240123&platform=linux/arm64" 200
-t GET  "images/testimage:20240123/json" 200 \
+# THIS IMAGE MUST NOT BE THE SAME AS $IMAGE
+t POST "images/create?fromImage=quay.io/libpod/testimage:20221018&platform=linux/arm64" 200
+t GET  "images/testimage:20221018/json" 200 \
   .Architecture=arm64
 
 # Make sure that new images are pulled
@@ -78,34 +82,40 @@ t POST /images/create?fromImage=busybox:invalidtag123 404
 # Display the image history
 t GET libpod/images/nonesuch/history 404
 
-for i in $iid ${iid:0:12} $PODMAN_TEST_IMAGE_NAME; do
+for i in $iid ${iid:0:12} $PODMAN_TEST_IMAGE_NAME:$PODMAN_TEST_IMAGE_TAG; do
   t GET libpod/images/$i/history 200 \
     .[0].Id=$iid \
     .[0].Created~[0-9]\\{10\\} \
     .[0].Tags[0]="$IMAGE" \
-    .[0].Size=0 \
-    .[0].Comment=
+    .[0].Size=1024 \
+    .[0].Comment="FROM localhost/interim-image:latest"
 done
 
-for i in $iid ${iid:0:12} $PODMAN_TEST_IMAGE_NAME; do
+for i in $iid ${iid:0:12} $PODMAN_TEST_IMAGE_NAME:$PODMAN_TEST_IMAGE_TAG; do
   t GET images/$i/history 200 \
     .[0].Id="sha256:"$iid \
     .[0].Created~[0-9]\\{10\\} \
     .[0].Tags[0]="$IMAGE" \
-    .[0].Size=0 \
-    .[0].Comment=
+    .[0].Size=1024 \
+    .[0].Comment="FROM localhost/interim-image:latest"
 done
 
 # compat api pull image unauthorized message error
-t POST "/images/create?fromImage=quay.io/idonotexist/idonotexist:dummy" 401 \
-  .message="unauthorized: access to the requested resource is not authorized"
+# FIXME: this depends on whether we're using local cache registry or real quay
+if false; then
+    t POST "/images/create?fromImage=quay.io/idonotexist/idonotexist:dummy" 401 \
+      .message="unauthorized: access to the requested resource is not authorized"
+else
+    t POST "/images/create?fromImage=quay.io/idonotexist/idonotexist:dummy" 404 \
+      .message="manifest unknown: manifest unknown"
+fi
 
 # Export an image on the local
 t GET libpod/images/nonesuch/get 404
 t GET libpod/images/$iid/get?format=foo 500
 t GET libpod/images/$PODMAN_TEST_IMAGE_NAME/get?compress=bar 400
 
-for i in $iid ${iid:0:12} $PODMAN_TEST_IMAGE_NAME; do
+for i in $iid ${iid:0:12} $PODMAN_TEST_IMAGE_NAME:$PODMAN_TEST_IMAGE_TAG; do
   t GET "libpod/images/$i/get"                200 '[POSIX tar archive]'
   t GET "libpod/images/$i/get?compress=true"  200 '[POSIX tar archive]'
   t GET "libpod/images/$i/get?compress=false" 200 '[POSIX tar archive]'
@@ -291,9 +301,9 @@ t DELETE libpod/images/test:test 200
 # If it fails and begins to flake, investigate a retry loop.
 sleep 1
 t GET "libpod/events?stream=false&since=$START"  200  \
-  'select(.status | contains("remove")).Action=remove'
+  'select(.status | contains("remove")).Actor.Attributes.name=localhost/test:test'
 t GET "events?stream=false&since=$START"  200  \
-  'select(.status | contains("delete")).Action=delete'
+  'select(.status | contains("delete")).Actor.Attributes.name=localhost/test:test'
 
 # Test image removal with `noprune={true,false}`
 podman create --name c_test1 $IMAGE true

test/apiv2/20-containers.at

@@ -4,12 +4,10 @@
 #
 
 # WORKDIR=/data
-ENV_WORKDIR_IMG=quay.io/libpod/testimage:20240123
 MultiTagName=localhost/test/testformultitag:tag
 
 podman pull $IMAGE &>/dev/null
 podman tag $IMAGE $MultiTagName
-podman pull $ENV_WORKDIR_IMG &>/dev/null
 # Unimplemented
 #t POST libpod/containers/create '' 201 'sdf'
 
@@ -301,7 +299,7 @@ t DELETE libpod/containers/bogus 404
 
 
 # test apiv2 create container with correct entrypoint and cmd
-# --data '{"Image":"quay.io/libpod/alpine_labels:latest","Entrypoint":["echo"],"Cmd":["param1","param2"]}'
+# --data '{"Image":"quay.io/libpod/some:thing","Entrypoint":["echo"],"Cmd":["param1","param2"]}'
 t POST containers/create \
   Image=$IMAGE \
   Entrypoint='["echo"]' \
@@ -372,7 +370,7 @@ t DELETE containers/$cid_top 204
 
 # test the WORKDIR and StopSignal
 t POST containers/create \
-  Image=$ENV_WORKDIR_IMG \
+  Image=$IMAGE \
   WorkingDir=/dataDir \
   StopSignal=\"9\" \
   201 \
@@ -426,7 +424,7 @@ t GET containers/json 200 \
 podman stop bar
 
 #compat api list containers sanity checks
-podman run -d --rm --name labelcontainer_with $ENV_WORKDIR_IMG top
+podman run -d --rm --name labelcontainer_with --label slartibart=fast $IMAGE top
 podman run -d --rm --name labelcontainer_without $IMAGE top
 
 t GET containers/json?filters='garb1age}' 500 \
@@ -456,10 +454,10 @@ t POST containers/prune?filters='{"label":["tes' 500 \
 t POST libpod/containers/prune?filters='{"label":["tes' 500 \
     .cause="unexpected end of JSON input"
 
-t GET libpod/containers/json?filters='{"label":["created_by"]}' 200 \
+t GET libpod/containers/json?filters='{"label":["slartibart"]}' 200 \
   length=1 \
   .[0].Names[0]="labelcontainer_with"
-t GET libpod/containers/json?filters='{"label!":["created_by"]}' 200 \
+t GET libpod/containers/json?filters='{"label!":["slartibart"]}' 200 \
   length=1 \
   .[0].Names[0]="labelcontainer_without"
 t GET libpod/containers/json?filters='{"label!":["testlabel"]}' 200 length=2

test/apiv2/test-apiv2

@@ -11,13 +11,13 @@ ME=$(basename $0)
 
 PODMAN_TEST_IMAGE_REGISTRY=${PODMAN_TEST_IMAGE_REGISTRY:-"quay.io"}
 PODMAN_TEST_IMAGE_USER=${PODMAN_TEST_IMAGE_USER:-"libpod"}
-PODMAN_TEST_IMAGE_NAME=${PODMAN_TEST_IMAGE_NAME:-"alpine_labels"}
-PODMAN_TEST_IMAGE_TAG=${PODMAN_TEST_IMAGE_TAG:-"latest"}
+PODMAN_TEST_IMAGE_NAME=${PODMAN_TEST_IMAGE_NAME:-"testimage"}
+PODMAN_TEST_IMAGE_TAG=${PODMAN_TEST_IMAGE_TAG:-"20240123"}
 PODMAN_TEST_IMAGE_FQN="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/$PODMAN_TEST_IMAGE_NAME:$PODMAN_TEST_IMAGE_TAG"
 
 IMAGE=$PODMAN_TEST_IMAGE_FQN
 
-REGISTRY_IMAGE="${PODMAN_TEST_IMAGE_REGISTRY}/${PODMAN_TEST_IMAGE_USER}/registry:2.7"
+REGISTRY_IMAGE="${PODMAN_TEST_IMAGE_REGISTRY}/${PODMAN_TEST_IMAGE_USER}/registry:2.8.2"
 
 # END   stuff you can but probably shouldn't customize
 ###############################################################################
@@ -526,7 +526,7 @@ function start_registry() {
     mkdir -p $AUTHDIR
 
     mkdir -p ${REGDIR}/{root,runroot}
-    local PODMAN_REGISTRY_ARGS="--root ${REGDIR}/root --runroot ${REGDIR}/runroot"
+    local PODMAN_REGISTRY_ARGS="--root ${REGDIR}/root --runroot ${REGDIR}/runroot --tmpdir ${REGDIR}/tmp"
 
     # Give it three tries, to compensate for network flakes
     podman ${PODMAN_REGISTRY_ARGS} pull $REGISTRY_IMAGE ||

test/e2e/load_test.go

@@ -148,7 +148,7 @@ var _ = Describe("Podman load", func() {
 			Skip("skip on ppc64le")
 		}
 		outfile := filepath.Join(podmanTest.TempDir, "alpine.tar")
-		alpVersion := "quay.io/libpod/alpine:3.2"
+		alpVersion := "quay.io/libpod/alpine:3.10.2"
 
 		pull := podmanTest.Podman([]string{"pull", "-q", alpVersion})
 		pull.WaitWithDefaultTimeout()
@@ -169,6 +169,7 @@ var _ = Describe("Podman load", func() {
 		inspect := podmanTest.Podman([]string{"inspect", ALPINE})
 		inspect.WaitWithDefaultTimeout()
 		Expect(result).Should(ExitCleanly())
+		// FIXME: this should probably check output
 		inspect = podmanTest.Podman([]string{"inspect", alpVersion})
 		inspect.WaitWithDefaultTimeout()
 		Expect(result).Should(ExitCleanly())

test/e2e/pull_test.go

@@ -21,7 +21,7 @@ var _ = Describe("Podman pull", func() {
 
 		session = podmanTest.Podman([]string{"pull", "busybox:latest", "docker.io/library/ibetthisdoesnotexistfr:random", "alpine"})
 		session.WaitWithDefaultTimeout()
-		Expect(session).Should(ExitWithError(125, "initializing source docker://ibetthisdoesnotexistfr:random: reading manifest random in quay.io/libpod/ibetthisdoesnotexistfr:"))
+		Expect(session).Should(ExitWithError(125, "initializing source docker://ibetthisdoesnotexistfr:random: reading manifest random in 127.0.0.1:60333/libpod/ibetthisdoesnotexistfr:"))
 
 		session = podmanTest.Podman([]string{"rmi", "busybox:musl", "alpine", "quay.io/libpod/cirros", "testdigest_v2s2@sha256:755f4d90b3716e2bf57060d249e2cd61c9ac089b1233465c5c2cb2d7ee550fdb"})
 		session.WaitWithDefaultTimeout()
@@ -38,7 +38,8 @@ var _ = Describe("Podman pull", func() {
 
 		session := podmanTest.Podman([]string{"pull", "quay.io/libpod/ibetthisdoesntexist:there"})
 		session.WaitWithDefaultTimeout()
-		Expect(session).To(ExitWithError(125, "nitializing source docker://quay.io/libpod/ibetthisdoesntexist:there: reading manifest there in quay.io/libpod/ibetthisdoesntexist: unauthorized: access to the requested resource is not authorized"))
+		// FIXME: uncomfortable hardcoding of localhost:60333
+		Expect(session).To(ExitWithError(125, "nitializing source docker://quay.io/libpod/ibetthisdoesntexist:there: reading manifest there in 127.0.0.1:60333/libpod/ibetthisdoesntexist: manifest unknown"))
 	})
 
 	It("podman pull with tag --quiet", func() {

test/e2e/run_seccomp_test.go

@@ -8,6 +8,10 @@ import (
 
 var _ = Describe("Podman run", func() {
 
+	BeforeEach(func() {
+		Skip("FIXME-temporary, until Ed can figure out how to local-cache the seccomp images")
+	})
+
 	It("podman run --seccomp-policy default", func() {
 		session := podmanTest.Podman([]string{"run", "-q", "--seccomp-policy", "default", alpineSeccomp, "ls"})
 		session.WaitWithDefaultTimeout()

test/registries.conf

@@ -7,14 +7,21 @@ unqualified-search-registries = ['docker.io', 'quay.io', 'registry.fedoraproject
 # unqualified `docker.io` images.
 # Ref: https://cloud.google.com/container-registry/docs/pulling-cached-images
 prefix="docker.io"
-location="mirror.gcr.io"
+location="127.0.0.1:60333"
+insecure=true
+
+[[registry]]
+prefix="quay.io"
+location="127.0.0.1:60333"
+insecure=true
 
 # 2020-10-27 a number of images are not present in gcr.io, and podman
 # barfs spectacularly when trying to fetch them. We've hand-copied
 # those to quay, using skopeo copy --all ...
 [[registry]]
 prefix="docker.io/library"
-location="quay.io/libpod"
+location="127.0.0.1:60333/libpod"
+insecure=true
 
 # For testing #11933 to make sure that registries.conf is consulted unless
 # --tls-verify is used during container creation.

test/system/700-play.bats

@@ -397,6 +397,8 @@ _EOF
 
     _write_test_yaml command=id image=quay.io/libpod/userimage
     run_podman 125 play kube --build --start=false $PODMAN_TMPDIR/test.yaml
+    assert "$output" =~ "initializing source docker://quay.io/libpod/userimage:latest: reading manifest latest in "
+
     run_podman play kube --replace --context-dir=$PODMAN_TMPDIR --build --start=false $PODMAN_TMPDIR/test.yaml
     run_podman inspect --format "{{ .Config.User }}" test_pod-test
     is "$output" bin "expect container within pod to run as the bin user"

test/system/helpers.registry.bash

@@ -34,7 +34,7 @@ function start_registry() {
     mkdir -p $AUTHDIR
 
     # Registry image; copy of docker.io, but on our own registry
-    local REGISTRY_IMAGE="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/registry:2.8"
+    local REGISTRY_IMAGE="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/registry:2.8.2"
 
     # Pull registry image, but into a separate container storage and DB and everything
     PODMAN_LOGIN_ARGS="--storage-driver vfs $(podman_isolation_opts ${PODMAN_LOGIN_WORKDIR})"