DO NOT MERGE: set up a local registry, cache images #22726
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: edsantiago
The full list of commands accepted by this bot can be found here. The pull request process is described here
Ephemeral COPR build failed. @containers/packit-build please check.
684512b to c82b31a
test/e2e/pull_test.go
Outdated
@@ -38,7 +38,8 @@ var _ = Describe("Podman pull", func() { | |||
|
|||
session := podmanTest.Podman([]string{"pull", "quay.io/libpod/ibetthisdoesntexist:there"}) | |||
session.WaitWithDefaultTimeout() | |||
Expect(session).To(ExitWithError(125, "nitializing source docker://quay.io/libpod/ibetthisdoesntexist:there: reading manifest there in quay.io/libpod/ibetthisdoesntexist: unauthorized: access to the requested resource is not authorized")) | |||
// FIXME: uncomfortable hardcoding of localhost:56789 | |||
Expect(session).To(ExitWithError(125, "nitializing source docker://quay.io/libpod/ibetthisdoesntexist:there: reading manifest there in localhost:56789/libpod/ibetthisdoesntexist: manifest unknown")) |
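Review bot: The expected message in the second Expect line hardcodes localhost:56789, as the FIXME above it acknowledges, so the assertion only holds where pulls are redirected to a registry listening on that port. Build the string from the configured registry address, or accept both this message and the earlier quay.io "unauthorized" one, so the test passes with and without the local cache. Note also that the check now expects "manifest unknown" instead of "unauthorized", so the unauthorized-access error path is no longer asserted here.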
heads up, tests should still pass locally and I don't think we want to setup a local registry there right?
Thus I would think we need a regex or a Or() matcher to match both strings anyway
This is thorny. As tests are currently written, e2e tests hard-force the use of test/registries.conf. No matter where they're run (CI, laptop, anywhere). This may need to be reevaluated, but I'm not bothering with any of that until I find out if this approach is viable.
yes sure keep testing, just keep in mind that the end result must still work locally
contrib/cirrus/runner.sh
Outdated
set -x | ||
# shellcheck disable=SC2154 | ||
exec bin/podman run --rm --privileged --net=host --cgroupns=host \ | ||
-v `mktemp -d -p /var/tmp`:/var/tmp:Z \ | ||
--tmpfs /tmp:mode=1777 \ | ||
--expose 56789 \ |
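Review bot: --expose 56789 on the last line has no effect in this command, because the same invocation passes --net=host and the container therefore already shares the host's network namespace. Drop the flag; if the port is there as documentation, a shell comment says it without suggesting that something is being opened. The literal 56789 is also one more copy of the port to keep in sync, so take it from a single variable if it has to appear here at all.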
this does not do anything, not sure if you were expecting anything with that or if this serves documentation purposes.
I need the container to be able to talk to host:56789. --port does the opposite, IIRC: host can talk to container. I'll look at logs and see what happens.
The container uses --network=host so it shares the network namespace with the host so from a network POV there should be no functional difference
Duh. Thanks, I missed that.
03825bc to 48e506f
contrib/cirrus/local-cache-registry
Outdated
|
||
# Run the registry container. | ||
must_pass podman run --quiet -d \ | ||
-p ${PODMAN_REGISTRY_PORT}:5000 \ |
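Review bot: -p ${PODMAN_REGISTRY_PORT}:5000 gives no host address, so the registry port is published on every host interface rather than only on loopback. If only tests on this VM need to reach the registry, bind it explicitly, for example -p 127.0.0.1:${PODMAN_REGISTRY_PORT}:5000, and quote the expansion so an empty or unset variable fails visibly instead of producing a malformed port mapping.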
I recommend to use --network host and set -e REGISTRY_HTTP_ADDR=0.0.0.0:${PODMAN_REGISTRY_PORT} instead.
Reason by using already a podman container you sort of conflict with later running containers networking wise. The network reload tests that nuke iptables,etc... will cause issues for connectivity one way or another.
ohhhhhh.. thank you. That's probably the cause of the hangs in the 700-kube tests.
293a60b to 88fa517
6cc76b9 to 3bc7dbf
ab22542 to 7b333a9
08e647d to 7a0d1e9
As of containers/automation_images#357 our CI VMs include a local registry preloaded with all(*) images used in tests.

 * where "all" means "most".

This commit starts that registry as part of VM setup, and installs a new registries.conf that redirects docker and quay to the new local registry. The hope is that this will reduce CI flakes.

Since tests change over time, and new tests may require new images, this commit also adds a mechanism for pulling in remote images at test run time. Obviously this negates the purpose of the cache, since it introduces a flake pain point. The idea is: DO NOT DO THIS UNLESS ABSOLUTELY NECESSARY, and then, if we have to do this, hurry up and spin new CI VMs that include the new image(s).

Signed-off-by: Ed Santiago <santiago@redhat.com>

This commit gets tests working under the new local-registry system:

 * amend a few image names, mostly just sticking to a consistent list of those images in our registry cache. Mostly minor tag updates.

 * trickier: pull_test: change some error messages, and remove a test that's now a NOP. Basically, with a local (unprotected) registry we always get "404 manifest unknown"; with a real registry we'll get "403 I can't tell you".

 * trickiest: seccomp_test: build our own images at run time, with our desired labels. Until now we've been pulling prebuilt images, but those will not copy to the local cache registry. Something about v1? Anyhow, I gave up trying to cache them, and the workaround is straightforward.

Also took the liberty of strengthening a few error-message checks

Signed-off-by: Ed Santiago <santiago@redhat.com>

New tool, get-local-registry-script, intended for developers to get a local registry running in their environment. This is now necessary for e2e and apiv2 tests, because those use an immutable registries.conf file.

Signed-off-by: Ed Santiago <santiago@redhat.com>
Signed-off-by: Ed Santiago <santiago@redhat.com>
Signed-off-by: Ed Santiago <santiago@redhat.com>
7a0d1e9 to fabc5f2
On each test VM:
Yes, this is stupid as it stands. It gains us nothing. It's just
a proof of concept. If it works, the registry setup and cache
will be moved to automation_images, so each CI VM will come
preloaded with a cache registry. And if it doesn't work, this
PR is a much much faster way to find out than a constant
flurry of spinning up new images.
Signed-off-by: Ed Santiago santiago@redhat.com