Proofing

Signed-off-by: apostasie <[email protected]>

Author: apostasie

.github/workflows/workflow-mod-proofing.yml

@@ -0,0 +1,71 @@
+name: proofing
+
+on:
+  push:
+    branches:
+      - main
+      - 'release/**'
+  pull_request:
+
+env:
+  GOTOOLCHAIN: local
+
+jobs:
+  proofing:
+    name: "proofing"
+    timeout-minutes: 15
+    runs-on: ubuntu-24.04
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - name: "Checkout project"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 1
+
+      - name: "Install go"
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b  # v5.4.0
+        with:
+          go-version: 1.24
+          check-latest: true
+
+      - name: setup
+        run: |
+          set -x
+
+          CLI=docker ./mod/proofing/spoof.sh server::start ./pkg/testutil/images.env
+
+          # Check the server is reachable
+          curl -iv https://proofing:443/v2 || true
+
+          # Restart services so they catch-up on the system store changes?
+          sudo systemctl stop containerd || true
+          sudo systemctl start containerd || true
+          systemctl --user stop containerd || true
+          systemctl --user start containerd || true
+          sudo systemctl stop docker || true
+          sudo systemctl start docker || true
+
+          make binaries
+          sudo -E PATH="_output:$PATH" nerdctl pull debian
+          sudo -E PATH="_output:$PATH" nerdctl tag debian proofing:443/debian || true
+          sudo -E PATH="_output:$PATH" nerdctl --insecure-registry push proofing:443/debian || true
+          sudo -E PATH="_output:$PATH" nerdctl push proofing:443/debian || true
+
+          PATH="_output:$PATH" nerdctl pull debian
+          PATH="_output:$PATH" nerdctl tag debian proofing:443/debian || true
+          PATH="_output:$PATH" nerdctl --insecure-registry push proofing:443/debian || true
+          PATH="_output:$PATH" nerdctl push proofing:443/debian || true
+
+#            sudo -E PATH="_output:$PATH" ./mod/proofing/spoof.sh server::seed ./pkg/testutil/images.env
+      - name: test in container
+        run: |
+          set -x
+
+          docker run -ti debian bash -c -- '
+            ip="$(cat /etc/hosts | grep proofing | awk '{print $1}')"
+            ./mod/proofing/spoof.sh guest::configure ./pkg/testutil/images.env "$ip"
+            curl -iv "https://docker.io/v2"
+            curl -iv "https://proofing/v2"
+          '

cmd/nerdctl/builder/builder_builder_test.go

@@ -30,6 +30,7 @@ import (
 	"github.com/containerd/nerdctl/mod/tigron/test"
 
 	"github.com/containerd/nerdctl/v2/pkg/buildkitutil"
+	"github.com/containerd/nerdctl/v2/pkg/referenceutil"
 	"github.com/containerd/nerdctl/v2/pkg/testutil"
 	"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest"
 )
@@ -152,14 +153,19 @@ CMD ["echo", "nerdctl-builder-debug-test-string"]`, testutil.CommonImage)
 					// FIXME: this test should be rewritten to dynamically retrieve the ids, and use images
 					// available on all platforms
 					oldImage := testutil.BusyboxImage
-					oldImageSha := "7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c"
+					parsedOldImage, err := referenceutil.Parse(oldImage)
+					assert.NilError(helpers.T(), err)
+					oldImageSha := parsedOldImage.Digest.String()
+
 					newImage := testutil.AlpineImage
-					newImageSha := "ec14c7992a97fc11425907e908340c6c3d6ff602f5f13d899e6b7027c9b4133a"
+					parsedNewImage, err := referenceutil.Parse(newImage)
+					assert.NilError(helpers.T(), err)
+					newImageSha := parsedNewImage.Digest.String()
 
 					helpers.Ensure("pull", "--quiet", oldImage)
-					helpers.Ensure("tag", oldImage, newImage)
+					helpers.Ensure("tag", oldImage, parsedNewImage.Domain+"/"+parsedNewImage.Path+":"+parsedNewImage.Tag)
 
-					dockerfile := fmt.Sprintf(`FROM %s`, newImage)
+					dockerfile := fmt.Sprintf(`FROM %s`, parsedNewImage.Domain+"/"+parsedNewImage.Path+":"+parsedNewImage.Tag)
 					data.Temp().Save(dockerfile, "Dockerfile")
 					data.Labels().Set("oldImageSha", oldImageSha)
 					data.Labels().Set("newImageSha", newImageSha)

cmd/nerdctl/container/container_run_mount_linux_test.go

@@ -29,6 +29,7 @@ import (
 	"github.com/containerd/containerd/v2/core/mount"
 	"github.com/containerd/nerdctl/mod/tigron/expect"
 	"github.com/containerd/nerdctl/mod/tigron/test"
+	"github.com/containerd/nerdctl/mod/tigron/tig"
 
 	"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers"
 	"github.com/containerd/nerdctl/v2/pkg/rootlessutil"
@@ -307,7 +308,7 @@ func TestRunBindMountTmpfs(t *testing.T) {
 }
 
 func mountExistsWithOpt(mountPoint, mountOpt string) test.Comparator {
-	return func(stdout, info string, t *testing.T) {
+	return func(stdout string, t tig.T) {
 		lines := strings.Split(strings.TrimSpace(stdout), "\n")
 		mountOutput := []string{}
 		for _, line := range lines {

cmd/nerdctl/image/image_history_test.go

@@ -134,22 +134,22 @@ func TestImageHistory(t *testing.T) {
 				Expected: test.Expects(0, nil, func(stdout string, t tig.T) {
 					history, err := decode(stdout)
 					assert.NilError(t, err, "decode should not fail")
-					assert.Equal(t, history[1].Snapshot, "sha256:56bf55b8eed1f0b4794a30386e4d1d3da949c25bcb5155e898097cd75dc77c2a")
+					assert.Equal(t, history[1].Snapshot, "sha256:a16e98724c05975ee8c40d8fe389c3481373d34ab20a1cf52ea2accc43f71f4c")
 					assert.Equal(t, history[1].CreatedBy, "/bin/sh -c #(nop) ADD file:3b16ffee2b26d8af5db152fcc582aaccd9e1ec9e3343874e9969a205550fe07d in / ")
 				}),
 			},
 			{
 				Description: "Quiet has no effect with format, so, go no-json, no-trunc",
 				Command:     test.Command("image", "history", "--human=false", "--no-trunc", "--quiet", testutil.CommonImage),
 				Expected: test.Expects(0, nil, func(stdout string, t tig.T) {
-					assert.Equal(t, stdout, "<missing>\nsha256:56bf55b8eed1f0b4794a30386e4d1d3da949c25bcb5155e898097cd75dc77c2a\n")
+					assert.Equal(t, stdout, "<missing>\nsha256:a16e98724c05975ee8c40d8fe389c3481373d34ab20a1cf52ea2accc43f71f4c\n")
 				}),
 			},
 			{
 				Description: "With quiet, trunc has no effect",
 				Command:     test.Command("image", "history", "--human=false", "--no-trunc", "--quiet", testutil.CommonImage),
 				Expected: test.Expects(0, nil, func(stdout string, t tig.T) {
-					assert.Equal(t, stdout, "<missing>\nsha256:56bf55b8eed1f0b4794a30386e4d1d3da949c25bcb5155e898097cd75dc77c2a\n")
+					assert.Equal(t, stdout, "<missing>\nsha256:a16e98724c05975ee8c40d8fe389c3481373d34ab20a1cf52ea2accc43f71f4c\n")
 				}),
 			},
 		},

cmd/nerdctl/image/image_pull_linux_test.go

@@ -29,6 +29,7 @@ import (
 	"github.com/containerd/nerdctl/mod/tigron/test"
 	"github.com/containerd/nerdctl/mod/tigron/tig"
 
+	"github.com/containerd/nerdctl/v2/pkg/referenceutil"
 	"github.com/containerd/nerdctl/v2/pkg/testutil"
 	"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest"
 	"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest/registry"
@@ -114,6 +115,7 @@ func TestImagePullPlainHttpWithDefaultPort(t *testing.T) {
 	nerdtest.Setup()
 
 	var reg *registry.Server
+	im, _ := referenceutil.Parse(testutil.CommonImage)
 	dockerfile := fmt.Sprintf(`FROM %s
 CMD ["echo", "nerdctl-build-test-string"]
 	`, testutil.CommonImage)
@@ -131,7 +133,7 @@ CMD ["echo", "nerdctl-build-test-string"]
 			reg = nerdtest.RegistryWithNoAuth(data, helpers, 80, false)
 			reg.Setup(data, helpers)
 			testImageRef := fmt.Sprintf("%s/%s:%s",
-				reg.IP.String(), data.Identifier(), strings.Split(testutil.CommonImage, ":")[1])
+				reg.IP.String(), data.Identifier(), im.Tag)
 			buildCtx := data.Temp().Path()
 
 			helpers.Ensure("build", "-t", testImageRef, buildCtx)

cmd/nerdctl/image/image_push_linux_test.go

@@ -29,6 +29,7 @@ import (
 	"github.com/containerd/nerdctl/mod/tigron/test"
 	"github.com/containerd/nerdctl/mod/tigron/tig"
 
+	"github.com/containerd/nerdctl/v2/pkg/referenceutil"
 	"github.com/containerd/nerdctl/v2/pkg/testutil"
 	"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest"
 	"github.com/containerd/nerdctl/v2/pkg/testutil/testregistry"
@@ -38,6 +39,7 @@ func TestPush(t *testing.T) {
 	nerdtest.Setup()
 
 	var registryNoAuthHTTPRandom, registryNoAuthHTTPDefault, registryTokenAuthHTTPSRandom *testregistry.RegistryServer
+	commonImage, _ := referenceutil.Parse(testutil.CommonImage)
 
 	testCase := &test.Case{
 		Require: require.Linux,
@@ -67,7 +69,7 @@ func TestPush(t *testing.T) {
 				Setup: func(data test.Data, helpers test.Helpers) {
 					helpers.Ensure("pull", "--quiet", testutil.CommonImage)
 					testImageRef := fmt.Sprintf("%s:%d/%s:%s",
-						registryNoAuthHTTPRandom.IP.String(), registryNoAuthHTTPRandom.Port, data.Identifier(), strings.Split(testutil.CommonImage, ":")[1])
+						registryNoAuthHTTPRandom.IP.String(), registryNoAuthHTTPRandom.Port, data.Identifier(), commonImage.Tag)
 					data.Labels().Set("testImageRef", testImageRef)
 					helpers.Ensure("tag", testutil.CommonImage, testImageRef)
 				},

hack/provisioning/linux/cni.sh

@@ -48,4 +48,4 @@ provision::cni(){
   cd - >/dev/null
 }
 
-provision::cni "$1" "$2" "$3"
+provision::cni "$@"

hack/provisioning/linux/containerd.sh

@@ -42,27 +42,23 @@ provision::containerd::uninstall(){
 provision::containerd::rootful(){
   local version="$1"
   local arch="$2"
-  local bin_sha="$3"
-  local service_sha="$4"
 
   # Be tolerant with passed versions - with or without leading "v"
   [ "${version:0:1}" != "v" ] || version="${version:1}"
 
   cd "$(fs::mktemp "containerd-install")"
 
   # Get the binary and install it
-  http::get::secure \
+  http::get \
     containerd.tar.gz \
-    https://github.com/containerd/containerd/releases/download/v"$version"/containerd-"$version"-linux-"$arch".tar.gz \
-    "$bin_sha"
+    https://github.com/containerd/containerd/releases/download/v"$version"/containerd-"$version"-linux-"$arch".tar.gz
 
-  sudo tar::expand /usr/local containerd.tar.gz
+  sudo tar -C /usr/local -xvf containerd.tar.gz
 
   # Get the systemd unit
-  http::get::secure \
+  http::get \
     containerd.service \
-    https://raw.githubusercontent.com/containerd/containerd/refs/tags/v"$version"/containerd.service \
-    "$service_sha"
+    https://raw.githubusercontent.com/containerd/containerd/refs/tags/v"$version"/containerd.service
 
   sudo cp containerd.service /lib/systemd/system/containerd.service
 
@@ -73,4 +69,4 @@ provision::containerd::rootful(){
   cd - >/dev/null || true
 }
 
-provision::containerd::rootful "$1" "$2" "$3" "$4"
+provision::containerd::rootful "$@"

hack/test-integration.sh

@@ -26,6 +26,11 @@ if [[ "$(id -u)" = "0" ]]; then
   fi
 fi
 
+# If we are being asked to use the proofing system, configure it
+if [ "${PROOFING_IP:-}" != "" ]; then
+  "$root"/../mod/proofing/spoof.sh guest::configure "$root"/pkg/testutil/images.env "$PROOFING_IP"
+fi
+
 readonly timeout="60m"
 readonly retries="2"
 readonly needsudo="${WITH_SUDO:-}"

mod/proofing/.env

@@ -0,0 +1,10 @@
+# This is the minimal env file you need to have
+# You must at least point to a usable docker registry image
+REGISTRY=registry:3.0.0@sha256:1fc7de654f2ac1247f0b67e8a459e273b0993be7d2beda1f3f56fbf1001ed3e7
+
+# You can then add below whatever image you want mocked, for any origin.
+# Short syntax is accepted (eg: `busybox`, or `library:busybox`) though you MUST provide a tag AND a digest
+
+# Examples:
+# NANOSERVER=mcr.microsoft.com/windows/nanoserver:ltsc2022@sha256:16b61ffac72961551c4b5312a7ab3da7c3dc3258510e40bee309e6e51f006ac6
+# DEBIAN=debian:bookworm-slim@sha256:b1211f6d19afd012477bd34fdcabb6b663d680e0f4b0537da6e6b0fd057a3ec3