test: save containerd image into archive and use in tests #7816

Merged
2 changes: 1 addition & 1 deletion .github/workflows/cache-test-images.yaml
Expand Up @@ -29,7 +29,7 @@ jobs:
run: |
source integration/testimages.ini
IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
DIGEST=$(echo "$IMAGE_LIST" | sha256sum | cut -d' ' -f1)
DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"]' | sha256sum | cut -d' ' -f1)
Collaborator


I realized the order depends on the registry. I think we should sort the image list.

$ crane ls public.ecr.aws/aquasecurity/trivy-test-images
centos-6
almalinux-8
photon-30
sle-micro-rancher-5.4_ndb
alpine-310
alpine-distroless
fluentd-multiple-lockfiles
debian-stretch
centos-7
ubi-7
debian-buster
distroless-python27
opensuse-leap-151
spring4shell-jre8
ubuntu-1604
distroless-base
fedora-35
mariner-1.0
busybox-with-lockfile
alpine-39
ubuntu-1804
vulnimage
amazon-2
oraclelinux-8
rockylinux-8
amazon-1
suse-15.3_ndb
opensuse-tumbleweed
spring4shell-jre11

Contributor Author

@DmitriyLewen DmitriyLewen Oct 30, 2024


Nice catch!

I also found that `skopeo list-tags` returns the repository name as well:

# skopeo list-tags docker://ghcr.io/knqyf263/trivy-test-images
{
    "Repository": "ghcr.io/knqyf263/trivy-test-images",
    "Tags": [
        "spring4shell-jre11",
        "spring4shell-jre8",
        "almalinux-8",
        "alpine-39",
        "alpine-310",
        "alpine-distroless",
        "busybox-with-lockfile",
        "fluentd-multiple-lockfiles",
        "amazon-1",
        "amazon-2",
        "centos-6",
        "centos-7",
        "debian-buster",
        "debian-stretch",
        "distroless-base",
        "distroless-python27",
        "mariner-1.0",
        "opensuse-leap-151",
        "photon-30",
        "rockylinux-8",
        "ubi-7",
        "ubuntu-1604",
        "ubuntu-1804",
        "vulnimage",
        "oraclelinux-8",
        "suse-15.3_ndb",
        "fedora-35",
        "opensuse-tumbleweed",
        "sle-micro-rancher-5.4_ndb"
    ]
}

Therefore, to calculate the digest I take only sorted tags (see f478633):

root@73c3501e9402:/scripts# TEST_IMAGES=public.ecr.aws/aquasecurity/trivy-test-images ./script.sh 
digest=d8b4d51584e5d09e38687eb50c7d6a2ff49d57c28ff14e3d04cd22d9c8175354
root@73c3501e9402:/scripts# TEST_IMAGES=ghcr.io/knqyf263/trivy-test-images ./script.sh 
digest=d8b4d51584e5d09e38687eb50c7d6a2ff49d57c28ff14e3d04cd22d9c8175354

echo "digest=$DIGEST" >> $GITHUB_OUTPUT

## We need to work with test image cache only for main branch
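Review bot: Appending the constant string `"containerd"` to `.Tags` in the new `DIGEST=` line changes the cache key once, but it does not tie the key to the content of the containerd image, which `saveImage("containerd", "latest")` in `magefiles/fixture.go` pulls by a mutable tag. If that image is rebuilt and re-pushed, the key stays the same and the cached archive keeps being restored. The key is built from tag names only, so the same holds for any re-pushed tag in the list. Consider adding the image digest to the hashed input, for example the output of `skopeo inspect --format '{{.Digest}}' docker://<containerd-image-ref>`. The two identical `DIGEST=` lines in `.github/workflows/test.yaml` have the same property.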
4 changes: 2 additions & 2 deletions .github/workflows/test.yaml
Expand Up @@ -93,7 +93,7 @@ jobs:
run: |
source integration/testimages.ini
IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
DIGEST=$(echo "$IMAGE_LIST" | sha256sum | cut -d' ' -f1)
DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"]' | sha256sum | cut -d' ' -f1)
echo "digest=$DIGEST" >> $GITHUB_OUTPUT

- name: Restore test images from cache
Expand Down Expand Up @@ -151,7 +151,7 @@ jobs:
run: |
source integration/testimages.ini
IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
DIGEST=$(echo "$IMAGE_LIST" | sha256sum | cut -d' ' -f1)
DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"]' | sha256sum | cut -d' ' -f1)
echo "digest=$DIGEST" >> $GITHUB_OUTPUT

- name: Restore test images from cache
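Review bot: The digest computation is now repeated verbatim in the two steps changed here and in `cache-test-images.yaml`, and a cache restore only hits when every copy feeds byte-identical input to `sha256sum`. An edit applied to one copy and not the others yields a different key, so the restore would miss without failing the step. A single script or composite action called from all three steps would remove that coupling. At minimum, add a comment above each copy such as `# must stay identical to the digest step in cache-test-images.yaml`.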
55 changes: 38 additions & 17 deletions magefiles/fixture.go
Expand Up @@ -14,36 +14,57 @@ import (
"github.com/aquasecurity/trivy/internal/testutil"
)

const dir = "integration/testdata/fixtures/images/"

func fixtureContainerImages() error {
var testImages = testutil.ImageName("", "", "")
const dir = "integration/testdata/fixtures/images/"

if err := os.MkdirAll(dir, 0750); err != nil {
return err
}
tags, err := crane.ListTags(testImages)
if err != nil {
return err
}
// Save all tags for trivy-test-images
for _, tag := range tags {
fileName := tag + ".tar.gz"
filePath := filepath.Join(dir, fileName)
if exists(filePath) {
continue
}
fmt.Printf("Downloading %s...\n", tag)
imgName := fmt.Sprintf("%s:%s", testImages, tag)
img, err := crane.Pull(imgName)
if err != nil {
return err
}
tarPath := strings.TrimSuffix(filePath, ".gz")
if err = crane.Save(img, imgName, tarPath); err != nil {
return err
}
if err = sh.Run("gzip", tarPath); err != nil {
if err := saveImage("", tag); err != nil {
return err
}
}

// Save trivy-test-images/containerd image
if err := saveImage("containerd", "latest"); err != nil {
return err
}
return nil
}

func saveImage(subpath, tag string) error {
fileName := tag + ".tar.gz"
imgName := testutil.ImageName("", tag, "")
if subpath != "" {
fileName = subpath + ".tar.gz"
imgName = testutil.ImageName(subpath, "", "")
}
filePath := filepath.Join(dir, fileName)
if exists(filePath) {
return nil
}
fmt.Printf("Downloading %s...\n", imgName)

img, err := crane.Pull(imgName)
if err != nil {
return err
}
tarPath := strings.TrimSuffix(filePath, ".gz")
if err = crane.Save(img, imgName, tarPath); err != nil {
return err
}
if err = sh.Run("gzip", tarPath); err != nil {
return err
}

return nil
}
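Review bot: `saveImage` ignores its `tag` argument whenever `subpath` is set: that branch calls `testutil.ImageName(subpath, "", "")`, so `saveImage("containerd", "latest")` depends on whatever an empty tag resolves to. `ImageName` is not shown on this page, so that default is presumably `latest`, but it should be confirmed. Passing the tag through, `imgName = testutil.ImageName(subpath, tag, "")`, makes the pulled reference match the call site. The subpath archive is named `subpath + ".tar.gz"`, so a future tag called `containerd` in the main repository would map to the same file and one of the two pulls would be skipped by the `exists(filePath)` check. Neither function has a doc comment; one line on `saveImage` stating that an existing archive is never refreshed would help, since the fixture is later loaded into Docker by the containerd test.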

7 changes: 6 additions & 1 deletion pkg/fanal/test/integration/containerd_test.go
Expand Up @@ -76,9 +76,14 @@ func setupContainerd(t *testing.T, ctx context.Context, namespace string) *conta
func startContainerd(t *testing.T, ctx context.Context, hostPath string) {
t.Helper()
t.Setenv("TESTCONTAINERS_RYUK_DISABLED", "true")

// Load `containerd` image from tar file to avoid fetching it from remote registry
cli := testutil.NewDockerClient(t)
loadedImage := cli.ImageLoad(t, ctx, "../../../../integration/testdata/fixtures/images/containerd.tar.gz")

req := testcontainers.ContainerRequest{
Name: "containerd",
Image: testutil.ImageName("containerd", "latest", ""),
Image: loadedImage,
Entrypoint: []string{
"/bin/sh",
"-c",
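Review bot: The archive path passed to `cli.ImageLoad` is a hard-coded relative string that duplicates the `dir` constant and the `containerd.tar.gz` naming in `magefiles/fixture.go`, so a change on either side breaks this test at load time. Extend the added comment to say where the file comes from, for example `// containerd.tar.gz is produced by fixtureContainerImages in magefiles/fixture.go`, so a missing fixture is easy to diagnose. The test now runs whatever image the tarball contains, and the fixture step skips the download when the file already exists, so a stale or locally modified archive is used without any check. Logging `loadedImage` once with `t.Logf` would at least record which reference was started. The `ContainerRequest` literal continues past the end of this hunk.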