[ { "path": ".dockerignore", "content": "# artifacts\n/nerdctl\n_output\n*.gomodjail\n\n# golangci-lint\n/build\n\n# vagrant\n/.vagrant\n" }, { "path": ".github/ISSUE_TEMPLATE/bug_report.yaml", "content": "name: Bug report\ndescription: Create a bug report to help improve nerdctl\nlabels: kind/unconfirmed-bug-claim\nbody:\n - type: markdown\n attributes:\n value: |\n If you are reporting a new issue, make sure that we do not have any duplicates\n already open. You can ensure this by searching the issue list for this\n repository. If there is a duplicate, please close your issue and add a comment\n to the existing issue instead.\n\n Please also see [the FAQs and Troubleshooting](https://github.com/containerd/nerdctl/blob/main/docs/faq.md).\n\n - type: textarea\n attributes:\n label: Description\n description: |\n Briefly describe the problem you are having in a few paragraphs.\n validations:\n required: true\n\n - type: textarea\n attributes:\n label: Steps to reproduce the issue\n value: |\n 1.\n 2.\n 3.\n\n - type: textarea\n attributes:\n label: Describe the results you received and expected\n validations:\n required: true\n\n - type: textarea\n attributes:\n label: What version of nerdctl are you using?\n placeholder: nerdctl version\n validations:\n required: true\n\n - type: dropdown\n attributes:\n label: Are you using a variant of nerdctl? (e.g., Rancher Desktop)\n options:\n - Rancher Desktop for Windows\n - Rancher Desktop for macOS\n - Lima\n - Colima\n - Others\n\n - type: textarea\n attributes:\n label: Host information\n placeholder: nerdctl info\n" }, { "path": ".github/ISSUE_TEMPLATE/config.yml", "content": "blank_issues_enabled: true\ncontact_links:\n - name: Ask a question (GitHub Discussions)\n url: https://github.com/containerd/nerdctl/discussions\n about: |\n Please do not submit \"a bug report\" for asking a question.\n In most cases, GitHub Discussions is the best place to ask a question.\n If you are not sure whether you are going to report a bug or ask a question,\n please consider asking in GitHub Discussions first.\n - name: Chat with containerd/nerdctl users and developers\n url: https://slack.cncf.io/\n about: CNCF slack has `#containerd` and `#containerd-dev` channels\n" }, { "path": ".github/ISSUE_TEMPLATE/feature_request.yaml", "content": "name: Feature request\ndescription: Suggest an idea for nerdctl\nlabels: kind/feature\nbody:\n - type: textarea\n attributes:\n label: What is the problem you're trying to solve\n description: |\n A clear and concise description of what the problem is.\n validations:\n required: true\n\n - type: textarea\n attributes:\n label: Describe the solution you'd like\n description: |\n A clear and concise description of what you'd like to happen.\n validations:\n required: true\n\n - type: textarea\n attributes:\n label: Additional context\n description: |\n Add any other context about the feature request here.\n" }, { "path": ".github/dependabot.yml", "content": "# -----------------------------------------------------------------------------\n# Forked from https://raw.githubusercontent.com/opencontainers/runc/2888e6e54339e52ae45710daa9e47cdb2e1926f9/.github/dependabot.yml\n# Copyright The runc Authors.\n# Licensed under the Apache License, Version 2.0\n# -----------------------------------------------------------------------------\n\n# Please see the documentation for all configuration options:\n# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates\n\nversion: 2\nupdates:\n # Dependencies listed in go.mod\n - package-ecosystem: \"gomod\"\n directory: \"/\" # Location of package manifests\n schedule:\n interval: \"daily\"\n groups:\n golang-x:\n patterns:\n - \"golang.org/x/*\"\n moby-sys:\n patterns:\n - \"github.com/moby/sys/*\"\n docker:\n patterns:\n - \"github.com/docker/docker\"\n - \"github.com/docker/cli\"\n containerd:\n patterns:\n - \"github.com/containerd/containerd\"\n - \"github.com/containerd/containerd/api\"\n stargz:\n patterns:\n - \"github.com/containerd/stargz-snapshotter\"\n - \"github.com/containerd/stargz-snapshotter/estargz\"\n - \"github.com/containerd/stargz-snapshotter/ipfs\"\n\n # Dependencies listed in .github/workflows/*.yml\n - package-ecosystem: \"github-actions\"\n directory: \"/\"\n schedule:\n interval: \"daily\"\n\n # Dependencies listed in Dockerfile\n - package-ecosystem: \"docker\"\n directory: \"/\"\n schedule:\n interval: \"daily\"\n" }, { "path": ".github/workflows/ghcr-image-build-and-publish.yml", "content": "name: image\n\n# This workflow uses actions that are not certified by GitHub.\n# They are provided by a third-party and are governed by\n# separate terms of service, privacy policy, and support\n# documentation.\n\non:\n push:\n branches: [main]\n # Publish semver tags as releases.\n tags: ['v*.*.*']\n pull_request:\n branches: [main]\n paths-ignore:\n - '**.md'\n\nenv:\n # Use docker.io for Docker Hub if empty\n REGISTRY: ghcr.io\n # github.repository as /\n IMAGE_NAME: ${{ github.repository }}\n\njobs:\n build:\n\n runs-on: ubuntu-24.04\n permissions:\n contents: read\n packages: write\n\n steps:\n - name: Checkout repository\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n\n # FIXME: setup-qemu-action is depended by `gomodjail pack`\n - name: Set up QEMU\n uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0\n\n - name: Set up Docker Buildx\n uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0\n\n # Login against a Docker registry except on PR\n # https://github.com/docker/login-action\n - name: Log into registry ${{ env.REGISTRY }}\n if: github.event_name != 'pull_request'\n uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0\n with:\n registry: ${{ env.REGISTRY }}\n username: ${{ github.actor }}\n password: ${{ secrets.GITHUB_TOKEN }}\n\n # Extract metadata (tags, labels) for Docker\n # https://github.com/docker/metadata-action\n - name: Extract Docker metadata\n id: meta\n uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0\n with:\n images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}\n\n # Build and push Docker image with Buildx (don't push on PR)\n # https://github.com/docker/build-push-action\n - name: Build and push Docker image\n uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0\n with:\n context: .\n platforms: linux/amd64,linux/arm64\n push: ${{ github.event_name != 'pull_request' }}\n tags: ${{ steps.meta.outputs.tags }}\n labels: ${{ steps.meta.outputs.labels }}\n secrets: |\n github_token=${{ secrets.GITHUB_TOKEN }}\n" }, { "path": ".github/workflows/job-build.yml", "content": "# This job just builds nerdctl for the golang versions we support (as a smoke test)\nname: job-build\n\non:\n workflow_call:\n inputs:\n timeout:\n required: true\n type: number\n go-version:\n required: true\n type: string\n runner:\n required: true\n type: string\n canary:\n required: false\n default: false\n type: boolean\n\nenv:\n GOTOOLCHAIN: local\n\njobs:\n build-all-targets:\n name: ${{ format('go {0}', inputs.canary && 'canary' || inputs.go-version ) }}\n timeout-minutes: ${{ inputs.timeout }}\n runs-on: \"${{ inputs.runner }}\"\n defaults:\n run:\n shell: bash\n\n env:\n GO_VERSION: ${{ inputs.go-version }}\n\n steps:\n - name: \"Init: checkout\"\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n fetch-depth: 1\n\n - if: ${{ inputs.canary }}\n name: \"Init (canary): retrieve GO_VERSION\"\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n run: |\n . ./hack/github/action-helpers.sh\n latest_go=\"$(. ./hack/provisioning/version/fetch.sh; go::canary::for::go-setup)\"\n printf \"GO_VERSION=%s\\n\" \"$latest_go\" >> \"$GITHUB_ENV\"\n [ \"$latest_go\" != \"\" ] || \\\n github::log::warning \"No canary go\" \"There is currently no canary go version to test. Steps will not run.\"\n\n - if: ${{ env.GO_VERSION != '' }}\n name: \"Init: install go\"\n uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n with:\n go-version: ${{ env.GO_VERSION }}\n check-latest: true\n\n - if: ${{ env.GO_VERSION != '' }}\n name: \"Run: make binaries\"\n run: |\n . ./hack/github/action-helpers.sh\n\n github::md::table::header \"OS\" \"Arch\" \"Result\" \"Time\" >> $GITHUB_STEP_SUMMARY\n\n failure=\n\n build(){\n local goos=\"$1\"\n local goarch=\"${2:-amd64}\"\n local goarm=\"${3:-}\"\n local result\n\n GOOS=\"$goos\" GOARCH=\"$goarch\" GOARM=\"$goarm\" go build ./examples/...\n\n github::timer::begin\n\n GOOS=\"$goos\" GOARCH=\"$goarch\" GOARM=\"$goarm\" make binaries \\\n && result=\"$decorator_success\" \\\n || {\n failure=true\n result=\"$decorator_failure\"\n }\n\n [ ! \"$goarm\" ] || goarch=\"$goarch/v$goarm\"\n github::md::table::line \"$goos\" \"$goarch\" \"$result\" \"$(github::timer::format <(github::timer::tick))\" >> $GITHUB_STEP_SUMMARY\n }\n\n # We officially support these\n build linux\n build linux arm64\n build windows\n build freebsd\n # These architectures are not released, but we still verify that we can at least compile\n build darwin\n build linux arm 6\n build linux loong64\n build linux ppc64le\n build linux riscv64\n build linux s390x\n\n [ ! \"$failure\" ] || exit 1\n\n - if: ${{ env.GO_VERSION != '' }}\n name: \"Run: make binaries with custom BUILDTAGS\"\n run: |\n set -eux\n # no_ipfs: make sure it does not incur any IPFS-related dependency\n go mod vendor\n rm -rf vendor/github.com/ipfs vendor/github.com/multiformats\n BUILDTAGS=no_ipfs make binaries\n" }, { "path": ".github/workflows/job-lint-go.yml", "content": "# This job runs golangci-lint\n# Note that technically, `make lint-go-all` would run the linter for all targets, and could be called once, on a single instance.\n# The point of running it on a matrix instead, each GOOS separately, is to verify that the tooling itself is working on the target OS.\nname: job-lint-go\n\non:\n workflow_call:\n inputs:\n timeout:\n required: true\n type: number\n go-version:\n required: true\n type: string\n runner:\n required: true\n type: string\n canary:\n required: false\n default: false\n type: boolean\n goos:\n required: true\n type: string\n\nenv:\n GOTOOLCHAIN: local\n\njobs:\n lint-go:\n name: ${{ format('{0}{1}', inputs.goos, inputs.canary && ' (go canary)' || '') }}\n timeout-minutes: ${{ inputs.timeout }}\n runs-on: \"${{ inputs.runner }}\"\n defaults:\n run:\n shell: bash\n env:\n GO_VERSION: ${{ inputs.go-version }}\n\n steps:\n - name: \"Init: checkout\"\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n fetch-depth: 1\n\n - if: ${{ inputs.canary }}\n name: \"Init (canary): retrieve GO_VERSION\"\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n run: |\n latest_go=\"$(. ./hack/provisioning/version/fetch.sh; go::canary::for::go-setup)\"\n printf \"GO_VERSION=%s\\n\" \"$latest_go\" >> \"$GITHUB_ENV\"\n [ \"$latest_go\" != \"\" ] || \\\n echo \"::warning title=No canary go::There is currently no canary go version to test. Steps will not run.\"\n\n - if: ${{ env.GO_VERSION != '' }}\n name: \"Init: install go\"\n uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n with:\n go-version: ${{ env.GO_VERSION }}\n check-latest: true\n\n - if: ${{ env.GO_VERSION != '' }}\n name: \"Init: install dev-tools\"\n run: |\n echo \"::group:: make install-dev-tools\"\n make install-dev-tools\n echo \"::endgroup::\"\n\n - if: ${{ env.GO_VERSION != '' }}\n name: \"Run\"\n run: |\n # On canary, lint for all supported targets\n if [ \"${{ inputs.canary }}\" == \"true\" ]; then\n NO_COLOR=true make lint-go-all\n else\n NO_COLOR=true GOOS=\"${{ inputs.goos }}\" make lint-go\n fi\n" }, { "path": ".github/workflows/job-lint-other.yml", "content": "# This job runs any subsidiary linter not part of golangci (shell, yaml, etc)\nname: job-lint-other\n\non:\n workflow_call:\n inputs:\n timeout:\n required: true\n type: number\n runner:\n required: true\n type: string\n\nenv:\n GOTOOLCHAIN: local\n\njobs:\n lint-other:\n name: \"yaml | shell\"\n timeout-minutes: ${{ inputs.timeout }}\n runs-on: ${{ inputs.runner }}\n defaults:\n run:\n shell: bash\n\n steps:\n - name: \"Init: checkout\"\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n fetch-depth: 1\n\n - name: \"Run: yaml\"\n run: |\n make lint-yaml\n\n - name: \"Run: shell\"\n run: |\n make lint-shell\n" }, { "path": ".github/workflows/job-lint-project.yml", "content": "# This job runs containerd shared project-checks, that verifies licenses, headers, and commits.\n# To run locally, you may just use `make lint` instead, that does the same thing\n# (albeit `make lint` uses more modern versions).\nname: job-lint-project\n\non:\n workflow_call:\n inputs:\n timeout:\n required: true\n type: number\n go-version:\n required: true\n type: string\n runner:\n required: true\n type: string\n\nenv:\n GOTOOLCHAIN: local\n\njobs:\n project:\n name: \"commits, licenses...\"\n timeout-minutes: ${{ inputs.timeout }}\n runs-on: ${{ inputs.runner }}\n defaults:\n run:\n shell: bash\n\n steps:\n - name: \"Init: checkout\"\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n fetch-depth: 100\n path: src/github.com/containerd/nerdctl\n\n - name: \"Init: install go\"\n uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n with:\n go-version: ${{ inputs.go-version }}\n check-latest: true\n cache-dependency-path: src/github.com/containerd/nerdctl\n\n - name: \"Run\"\n uses: containerd/project-checks@d7751f3c375b8fe4a84c02a068184ee4c1f59bc4 # v1.2.2\n with:\n working-directory: src/github.com/containerd/nerdctl\n repo-access-token: ${{ secrets.GITHUB_TOKEN }}\n # go-licenses-ignore is set because go-licenses cannot detect the license of the following package:\n # * go-base36: Apache-2.0 OR MIT (https://github.com/multiformats/go-base36/blob/master/LICENSE.md)\n # * filepath-securejoin: MPL-2.0 AND BSD-3-Clause, exceptionally approved by CNCF\n # (https://github.com/cncf/foundation/issues/1154#issuecomment-3562385979)\n #\n # The list of the CNCF-approved licenses can be found here:\n # https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md\n go-licenses-ignore: |\n github.com/multiformats/go-base36\n github.com/cyphar/filepath-securejoin\n" }, { "path": ".github/workflows/job-test-dependencies.yml", "content": "# This job pre-heats the cache for the test image by building all dependencies\nname: job-test-dependencies\n\non:\n workflow_call:\n inputs:\n timeout:\n required: true\n type: number\n runner:\n required: true\n type: string\n containerd-version:\n required: false\n default: ''\n type: string\n\nenv:\n GOTOOLCHAIN: local\n\njobs:\n # This job builds the dependency target of the test docker image for all supported architectures and cache it in GHA\n build-dependencies:\n # Note: for whatever reason, you cannot access env.RUNNER_ARCH here\n name: \"${{ contains(inputs.runner, 'arm') && 'arm64' || 'amd64' }}${{ inputs.containerd-version && format(' | {0}', inputs.containerd-version) || ''}}\"\n timeout-minutes: ${{ inputs.timeout }}\n runs-on: \"${{ inputs.runner }}\"\n defaults:\n run:\n shell: bash\n\n steps:\n - name: \"Init: checkout\"\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n fetch-depth: 1\n\n - name: \"Init: expose GitHub Runtime variables for gha\"\n uses: crazy-max/ghaction-github-runtime@04d248b84655b509d8c44dc1d6f990c879747487 # v4.0.0\n\n - name: \"Run: build dependencies for the integration test environment image\"\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n run: |\n # Cache is sharded per-architecture\n arch=${{ env.RUNNER_ARCH == 'ARM64' && 'arm64' || 'amd64' }}\n docker buildx create --name with-gha --use\n # Honor old containerd if requested\n args=()\n if [ \"${{ inputs.containerd-version }}\" != \"\" ]; then\n args=(--build-arg CONTAINERD_VERSION=${{ inputs.containerd-version }})\n fi\n docker buildx build \\\n --secret id=github_token,env=GITHUB_TOKEN \\\n --cache-to type=gha,compression=zstd,mode=max,scope=test-integration-dependencies-\"$arch\" \\\n --cache-from type=gha,scope=test-integration-dependencies-\"$arch\" \\\n --target build-dependencies \"${args[@]}\" .\n" }, { "path": ".github/workflows/job-test-in-container.yml", "content": "# This job runs integration tests inside a container, for all supported variants (ipv6, canary, etc)\n# Note that it is linux and nerdctl (+/- gomodjail) only.\nname: job-test-in-container\n\non:\n workflow_call:\n inputs:\n timeout:\n required: true\n type: number\n runner:\n required: true\n type: string\n canary:\n required: false\n default: false\n type: boolean\n target:\n required: false\n default: ''\n type: string\n binary:\n required: false\n default: nerdctl\n type: string\n containerd-version:\n required: false\n default: ''\n type: string\n rootlesskit-version:\n required: false\n default: ''\n type: string\n ipv6:\n required: false\n default: false\n type: boolean\n skip-flaky:\n required: false\n default: false\n type: boolean\n\nenv:\n GOTOOLCHAIN: local\n\njobs:\n test:\n name: |\n ${{ inputs.binary != 'nerdctl' && format('{0} < ', inputs.binary) || '' }}\n ${{ inputs.target }}\n ${{ contains(inputs.runner, 'arm') && '(arm)' || '' }}\n ${{ contains(inputs.runner, '22.04') && '(old ubuntu)' || '' }}\n ${{ inputs.ipv6 && ' (ipv6)' || '' }}\n ${{ inputs.canary && ' (canary)' || '' }}\n ${{ inputs.containerd-version && format(' (ctd: {0})', inputs.containerd-version) || '' }}\n ${{ inputs.rootlesskit-version && format(' (rlk: {0})', inputs.rootlesskit-version) || '' }}\n timeout-minutes: ${{ inputs.timeout }}\n runs-on: ${{ inputs.runner }}\n defaults:\n run:\n shell: bash\n\n env:\n # https://github.com/containerd/nerdctl/issues/622\n # The only case when rootlesskit-version is force-specified is when we downgrade explicitly to v1\n WORKAROUND_ISSUE_622: ${{ inputs.rootlesskit-version }}\n\n steps:\n - name: \"Init: checkout\"\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n fetch-depth: 1\n\n - name: \"Init: expose GitHub Runtime variables for gha\"\n uses: crazy-max/ghaction-github-runtime@04d248b84655b509d8c44dc1d6f990c879747487 # v4.0.0\n\n - name: \"Init: install br-netfilter\"\n run: |\n # This ensures that bridged traffic goes through netfilter\n sudo modprobe br-netfilter\n - name: \"Init: register QEMU (tonistiigi/binfmt)\"\n run: |\n # `--install all` will only install emulation for architectures that cannot be natively executed\n # Since some arm64 platforms do provide native fallback execution for 32 bits,\n # armv7 emulation may or may not be installed, causing variance in the result of `uname -m`.\n # To avoid that, we explicitly list the architectures we do want emulation for.\n docker run --privileged --rm tonistiigi/binfmt --install linux/amd64\n docker run --privileged --rm tonistiigi/binfmt --install linux/arm64\n docker run --privileged --rm tonistiigi/binfmt --install linux/arm/v7\n - if: ${{ inputs.canary }}\n name: \"Init (canary): prepare updated test image\"\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n run: |\n . ./hack/build-integration-canary.sh\n canary::build::integration\n - if: ${{ ! inputs.canary }}\n name: \"Init: prepare test image\"\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n run: |\n buildargs=()\n # If the runner is old, use old ubuntu inside the container as well\n [ \"${{ contains(inputs.runner, '22.04') }}\" != \"true\" ] || buildargs=(--build-arg UBUNTU_VERSION=22.04)\n # Honor if we want old containerd\n [ \"${{ inputs.containerd-version }}\" == \"\" ] || buildargs+=(--build-arg CONTAINERD_VERSION=${{ inputs.containerd-version }})\n # Honor custom targets and if we want old rootlesskit\n target=test-integration\n if [ \"${{ inputs.target }}\" != \"rootful\" ]; then\n target+=-${{ inputs.target }}\n if [ \"${{ inputs.rootlesskit-version }}\" != \"\" ]; then\n buildargs+=(--build-arg ROOTLESSKIT_VERSION=${{ inputs.rootlesskit-version }})\n fi\n fi\n # Cache is sharded per-architecture\n arch=${{ env.RUNNER_ARCH == 'ARM64' && 'arm64' || 'amd64' }}\n docker buildx create --name with-gha --use\n docker buildx build \\\n --secret id=github_token,env=GITHUB_TOKEN \\\n --output=type=docker \\\n --cache-from type=gha,scope=test-integration-dependencies-\"$arch\" \\\n -t \"$target\" --target \"$target\" \\\n \"${buildargs[@]}\" \\\n .\n # Rootful needs to disable snap\n - if: ${{ inputs.target == 'rootful' }}\n name: \"Init: remove snap loopback devices (conflicts with our loopback devices in TestRunDevice)\"\n run: |\n sudo systemctl disable --now snapd.service snapd.socket\n sudo apt-get purge -qq snapd\n sudo losetup -Dv\n sudo losetup -lv\n # Rootless on modern ubuntu wants apparmor\n - if: ${{ inputs.target != 'rootful' && ! contains(inputs.runner, '22.04') }}\n name: \"Init: prepare apparmor for rootless + ubuntu 24+\"\n run: |\n cat <,\n include \n /usr/local/bin/rootlesskit flags=(unconfined) {\n userns,\n # Site-specific additions and overrides. See local/README for details.\n include if exists \n }\n EOT\n sudo systemctl restart apparmor.service\n # ipv6 wants... ipv6\n - if: ${{ inputs.ipv6 }}\n name: \"Init: ipv6\"\n run: |\n # Enable ipv4 and ipv6 forwarding\n sudo sysctl -w net.ipv6.conf.all.forwarding=1\n sudo sysctl -w net.ipv4.ip_forward=1\n # Enable IPv6 for Docker, and configure docker to use containerd for gha\n sudo mkdir -p /etc/docker\n echo '{\"ipv6\": true, \"fixed-cidr-v6\": \"2001:db8:1::/64\", \"ip6tables\": true}' | sudo tee /etc/docker/daemon.json\n - name: \"Init: enable Docker experimental features\"\n run: |\n sudo mkdir -p /etc/docker\n if [ -f /etc/docker/daemon.json ]; then\n tmpfile=\"$(sudo mktemp)\"\n sudo jq '.experimental = true' /etc/docker/daemon.json | sudo tee \"$tmpfile\" >/dev/null\n sudo mv \"$tmpfile\" /etc/docker/daemon.json\n else\n echo '{\"experimental\": true}' | sudo tee /etc/docker/daemon.json >/dev/null\n fi\n sudo systemctl restart docker\n - name: \"Run: integration tests\"\n run: |\n . ./hack/github/action-helpers.sh\n github::md::h2 \"non-flaky\" >> \"$GITHUB_STEP_SUMMARY\"\n\n # IPV6 note: nested IPv6 network inside docker and qemu is complex and needs a bunch of sysctl config.\n # Therefore, it's hard to debug why the IPv6 tests fail in such an isolation layer.\n # On the other side, using the host network is easier at configuration.\n # Besides, each job is running on a different instance, which means using host network here\n # is safe and has no side effects on others.\n [ \"${{ inputs.target }}\" == \"rootful\" ] \\\n && args=(test-integration ./hack/test-integration.sh -test.allow-modify-users=true) \\\n || args=(test-integration-${{ inputs.target }} /test-integration-rootless.sh ./hack/test-integration.sh)\n if [ \"${{ inputs.ipv6 }}\" == true ]; then\n docker run --network host -t --rm --privileged -e GITHUB_STEP_SUMMARY=\"$GITHUB_STEP_SUMMARY\" -v \"$GITHUB_STEP_SUMMARY\":\"$GITHUB_STEP_SUMMARY\" -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622:-} \"${args[@]}\" -test.only-flaky=false -test.only-ipv6 -test.target=${{ inputs.binary }}\n else\n docker run -t --rm --privileged -e GITHUB_STEP_SUMMARY=\"$GITHUB_STEP_SUMMARY\" -v \"$GITHUB_STEP_SUMMARY\":\"$GITHUB_STEP_SUMMARY\" -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622:-} \"${args[@]}\" -test.only-flaky=false -test.target=${{ inputs.binary }}\n fi\n # FIXME: this NEEDS to go away\n - name: \"Run: integration tests (flaky)\"\n if: ${{ !fromJSON(inputs.skip-flaky) }}\n run: |\n . ./hack/github/action-helpers.sh\n github::md::h2 \"flaky\" >> \"$GITHUB_STEP_SUMMARY\"\n\n [ \"${{ inputs.target }}\" == \"rootful\" ] \\\n && args=(test-integration ./hack/test-integration.sh) \\\n || args=(test-integration-${{ inputs.target }} /test-integration-rootless.sh ./hack/test-integration.sh)\n if [ \"${{ inputs.ipv6 }}\" == true ]; then\n docker run --network host -t --rm --privileged -e GITHUB_STEP_SUMMARY=\"$GITHUB_STEP_SUMMARY\" -v \"$GITHUB_STEP_SUMMARY\":\"$GITHUB_STEP_SUMMARY\" -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622:-} \"${args[@]}\" -test.only-flaky=true -test.only-ipv6 -test.target=${{ inputs.binary }}\n else\n docker run -t --rm --privileged -e GITHUB_STEP_SUMMARY=\"$GITHUB_STEP_SUMMARY\" -v \"$GITHUB_STEP_SUMMARY\":\"$GITHUB_STEP_SUMMARY\" -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622:-} \"${args[@]}\" -test.only-flaky=true -test.target=${{ inputs.binary }}\n fi\n" }, { "path": ".github/workflows/job-test-in-host.yml", "content": "# This currently test docker and nerdctl on windows (w/o canary)\n# Structure is in to allow testing nerdctl on linux as well, though more work is required to make it functional.\nname: job-test-in-host\n\non:\n workflow_call:\n inputs:\n timeout:\n required: true\n type: number\n runner:\n required: true\n type: string\n canary:\n required: false\n default: false\n type: boolean\n binary:\n required: false\n default: nerdctl\n type: string\n go-version:\n required: true\n type: string\n docker-version:\n required: true\n type: string\n containerd-version:\n required: true\n type: string\n containerd-sha:\n required: true\n type: string\n containerd-service-sha:\n required: true\n type: string\n windows-cni-version:\n required: true\n type: string\n linux-cni-version:\n required: true\n type: string\n linux-cni-sha:\n required: true\n type: string\n\nenv:\n GOTOOLCHAIN: local\n\njobs:\n test:\n name: |\n ${{ inputs.binary != 'nerdctl' && format('{0} < ', inputs.binary) || '' }}\n ${{ contains(inputs.runner, 'ubuntu') && ' linux' || ' windows' }}\n ${{ contains(inputs.runner, 'arm') && '(arm)' || '' }}\n ${{ contains(inputs.runner, '22.04') && '(old ubuntu)' || '' }}\n ${{ inputs.canary && ' (canary)' || '' }}\n timeout-minutes: ${{ inputs.timeout }}\n runs-on: \"${{ inputs.runner }}\"\n defaults:\n run:\n shell: bash\n\n env:\n SHOULD_RUN: \"yes\"\n GO_VERSION: ${{ inputs.go-version }}\n # Both Docker and nerdctl on linux need rootful right now\n WITH_SUDO: ${{ contains(inputs.runner, 'ubuntu') }}\n CONTAINERD_VERSION: ${{ inputs.containerd-version }}\n CONTAINERD_SHA: ${{ inputs.containerd-sha }}\n\n steps:\n - name: \"Init: checkout\"\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n fetch-depth: 1\n\n - if: ${{ inputs.canary }}\n name: \"Init (canary): retrieve latest go and containerd\"\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n run: |\n latest_go=\"$(. ./hack/provisioning/version/fetch.sh; go::canary::for::go-setup)\"\n latest_containerd=\"$(. ./hack/provisioning/version/fetch.sh; github::project::latest \"containerd/containerd\")\"\n\n [ \"$latest_go\" == \"\" ] || \\\n printf \"GO_VERSION=%s\\n\" \"$latest_go\" >> \"$GITHUB_ENV\"\n [ \"${latest_containerd:1}\" == \"$CONTAINERD_VERSION\" ] || {\n printf \"CONTAINERD_VERSION=%s\\n\" \"${latest_containerd:1}\" >> \"$GITHUB_ENV\"\n printf \"CONTAINERD_SHA=canary is volatile and I accept the risk\\n\" >> \"$GITHUB_ENV\"\n }\n if [ \"$latest_go\" == \"\" ] && [ \"${latest_containerd:1}\" == \"$CONTAINERD_VERSION\" ]; then\n echo \"::warning title=No canary::There is currently no canary versions to test. Steps will not run.\";\n printf \"SHOULD_RUN=no\\n\" >> \"$GITHUB_ENV\"\n fi\n\n - if: ${{ env.SHOULD_RUN == 'yes' }}\n name: \"Init: install go\"\n uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n with:\n go-version: ${{ env.GO_VERSION }}\n check-latest: true\n\n # XXX RUNNER_OS and generally env is too unreliable\n # - if: ${{ env.RUNNER_OS == 'Linux' }}\n - if: ${{ contains(inputs.runner, 'ubuntu') && env.SHOULD_RUN == 'yes' }}\n name: \"Init (linux): prepare host\"\n run: |\n if [ \"${{ contains(inputs.binary, 'docker') }}\" == true ]; then\n echo \"::group:: configure cdi and experimental for docker\"\n sudo mkdir -p /etc/docker\n sudo jq -n '.features.cdi = true | .experimental = true' | sudo tee /etc/docker/daemon.json\n echo \"::endgroup::\"\n echo \"::group:: downgrade docker to the specific version we want to test (${{ inputs.docker-version }})\"\n sudo apt-get update -qq\n sudo apt-get install -qq ca-certificates curl\n sudo install -m 0755 -d /etc/apt/keyrings\n sudo cp ./hack/provisioning/gpg/docker /etc/apt/keyrings/docker.asc\n sudo chmod a+r /etc/apt/keyrings/docker.asc\n echo \"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \\\n $(. /etc/os-release && echo \"${UBUNTU_CODENAME:-$VERSION_CODENAME}\") stable\" \\\n | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null\n sudo apt-get update -qq\n sudo apt-get install -qq --allow-downgrades docker-ce=${{ inputs.docker-version }} docker-ce-cli=${{ inputs.docker-version }}\n sudo systemctl restart docker\n echo \"::endgroup::\"\n else\n # FIXME: this is missing runc (see top level workflow note about the state of this)\n echo \"::group:: install dependencies\"\n sudo ./hack/provisioning/linux/containerd.sh uninstall\n ./hack/provisioning/linux/containerd.sh rootful \"$CONTAINERD_VERSION\" \"amd64\" \"$CONTAINERD_SHA\" \"${{ inputs.containerd-service-sha }}\"\n sudo ./hack/provisioning/linux/cni.sh uninstall\n ./hack/provisioning/linux/cni.sh install \"${{ inputs.linux-cni-version }}\" \"amd64\" \"${{ inputs.linux-cni-sha }}\"\n echo \"::endgroup::\"\n\n echo \"::group:: build nerctl\"\n go install ./cmd/nerdctl\n echo \"$HOME/go/bin\" >> \"$GITHUB_PATH\"\n # Since tests are going to run root, we need nerdctl to be in a PATH that will survive `sudo`\n sudo cp \"$(which nerdctl)\" /usr/local/bin\n echo \"::endgroup::\"\n fi\n\n # Register QEMU (tonistiigi/binfmt)\n # `--install all` will only install emulation for architectures that cannot be natively executed\n # Since some arm64 platforms do provide native fallback execution for 32 bits,\n # armv7 emulation may or may not be installed, causing variance in the result of `uname -m`.\n # To avoid that, we explicitly list the architectures we do want emulation for.\n echo \"::group:: install binfmt\"\n docker run --quiet --privileged --rm tonistiigi/binfmt --install linux/amd64\n docker run --quiet --privileged --rm tonistiigi/binfmt --install linux/arm64\n docker run --quiet --privileged --rm tonistiigi/binfmt --install linux/arm/v7\n echo \"::endgroup::\"\n\n # FIXME: remove expect when we are done removing unbuffer from tests\n echo \"::group:: installing test dependencies\"\n sudo add-apt-repository ppa:criu/ppa -y\n sudo apt-get install -qq expect criu\n echo \"::endgroup::\"\n\n # This ensures that bridged traffic goes through netfilter\n sudo modprobe br-netfilter\n\n - if: ${{ contains(inputs.runner, 'windows') && env.SHOULD_RUN == 'yes' }}\n name: \"Init (windows): prepare host\"\n env:\n ctrdVersion: ${{ env.CONTAINERD_VERSION }}\n run: |\n # Install WinCNI\n echo \"::group:: install wincni\"\n GOPATH=$(go env GOPATH) WINCNI_VERSION=${{ inputs.windows-cni-version }} ./hack/provisioning/windows/cni.sh\n echo \"::endgroup::\"\n\n # Install containerd\n echo \"::group:: install containerd\"\n powershell hack/provisioning/windows/containerd.ps1\n echo \"::endgroup::\"\n\n # Install nerdctl\n echo \"::group:: build nerctl\"\n go install ./cmd/nerdctl\n echo \"::endgroup::\"\n\n choco install jq\n\n - if: ${{ env.SHOULD_RUN == 'yes' }}\n name: \"Init: install dev tools\"\n run: |\n echo \"::group:: make install-dev-tools\"\n make install-dev-tools\n echo \"::endgroup::\"\n\n # ipv6 is tested only on linux\n - if: ${{ contains(inputs.runner, 'ubuntu') && env.SHOULD_RUN == 'yes' }}\n name: \"Run (linux): integration tests (IPv6)\"\n run: |\n . ./hack/github/action-helpers.sh\n github::md::h2 \"ipv6\" >> \"$GITHUB_STEP_SUMMARY\"\n\n ./hack/test-integration.sh -test.target=${{ inputs.binary }} -test.only-ipv6\n\n - if: ${{ env.SHOULD_RUN == 'yes' }}\n name: \"Run: integration tests\"\n run: |\n . ./hack/github/action-helpers.sh\n github::md::h2 \"non-flaky\" >> \"$GITHUB_STEP_SUMMARY\"\n\n ./hack/test-integration.sh -test.target=${{ inputs.binary }} -test.only-flaky=false\n\n # FIXME: this must go\n - if: ${{ env.SHOULD_RUN == 'yes' }}\n name: \"Run: integration tests (flaky)\"\n run: |\n . ./hack/github/action-helpers.sh\n github::md::h2 \"flaky\" >> \"$GITHUB_STEP_SUMMARY\"\n\n ./hack/test-integration.sh -test.target=${{ inputs.binary }} -test.only-flaky=true\n" }, { "path": ".github/workflows/job-test-in-lima.yml", "content": "# Currently, Lima job test only for EL, though in the future it could be used to also test FreeBSD or other linux-es\nname: job-test-in-lima\n\non:\n workflow_call:\n inputs:\n timeout:\n required: true\n type: number\n runner:\n required: true\n type: string\n target:\n required: true\n type: string\n guest:\n required: true\n type: string\n skip-flaky:\n required: false\n default: false\n type: boolean\n\njobs:\n test:\n name: \"${{ inputs.guest }} ${{ inputs.target }}\"\n timeout-minutes: ${{ inputs.timeout }}\n runs-on: \"${{ inputs.runner }}\"\n env:\n TARGET: ${{ inputs.target }}\n steps:\n - name: \"Init: checkout\"\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n fetch-depth: 1\n\n - name: \"Init: lima\"\n uses: lima-vm/lima-actions/setup@55627e31b78637bf254a8b2a14da8ea7d12564e5 # v1.1.0\n id: lima-actions-setup\n\n - name: \"Init: Cache\"\n uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3\n with:\n path: ~/.cache/lima\n key: lima-${{ steps.lima-actions-setup.outputs.version }}\n\n - name: \"Init: start the guest VM\"\n run: |\n set -eux\n # containerd=none is set because the built-in containerd support conflicts with Docker\n limactl start \\\n --name=default \\\n --cpus=4 \\\n --memory=12 \\\n --containerd=none \\\n --set '.mounts=null | .portForwards=[{\"guestSocket\":\"/var/run/docker.sock\",\"hostSocket\":\"{{.Dir}}/sock/docker.sock\"}]' \\\n template://${{ inputs.guest }}\n\n # FIXME: the tests should be directly executed in the VM without nesting Docker inside it\n # https://github.com/containerd/nerdctl/issues/3858\n - name: \"Init: install dockerd in the guest VM\"\n run: |\n set -eux\n lima sudo mkdir -p /etc/systemd/system/docker.socket.d\n cat <<-EOF | lima sudo tee /etc/systemd/system/docker.socket.d/override.conf\n [Socket]\n SocketUser=$(whoami)\n EOF\n lima sudo dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo\n lima sudo dnf -q -y install docker-ce --nobest\n lima sudo systemctl enable --now docker\n\n - name: \"Init: configure the host to use dockerd in the guest VM\"\n run: |\n set -eux\n sudo systemctl disable --now docker.service docker.socket\n export DOCKER_HOST=\"unix://$(limactl ls --format '{{.Dir}}/sock/docker.sock' default)\"\n echo \"DOCKER_HOST=${DOCKER_HOST}\" >>$GITHUB_ENV\n docker info\n docker version\n\n - name: \"Init: install br-netfilter in the guest VM\"\n run: |\n lima sudo modprobe br-netfilter\n\n - name: \"Init: expose GitHub Runtime variables for gha\"\n uses: crazy-max/ghaction-github-runtime@04d248b84655b509d8c44dc1d6f990c879747487 # v4.0.0\n\n - name: \"Init: prepare integration tests\"\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n run: |\n set -eux\n\n sudo losetup -Dv\n sudo losetup -lv\n\n [ \"$TARGET\" = \"rootless\" ] && TARGET=test-integration-rootless || TARGET=test-integration\n docker buildx create --name with-gha --use\n docker buildx build \\\n --secret id=github_token,env=GITHUB_TOKEN \\\n --output=type=docker \\\n --cache-from type=gha,scope=test-integration-dependencies-amd64 \\\n -t test-integration --target \"${TARGET}\" \\\n .\n\n - name: \"Run integration tests\"\n # Presumably, something is broken with the way docker exposes /dev to the container, as it appears to only\n # randomly work. Mounting /dev does workaround the issue.\n # This might be due to the old kernel shipped with Alma (4.18), or something else between centos/docker.\n run: |\n set -eux\n if [ \"$TARGET\" = \"rootless\" ]; then\n echo \"rootless\"\n docker run -t -v /dev:/dev --rm --privileged test-integration /test-integration-rootless.sh ./hack/test-integration.sh -test.only-flaky=false\n else\n echo \"rootful\"\n docker run -t -v /dev:/dev --rm --privileged test-integration ./hack/test-integration.sh -test.only-flaky=false\n fi\n - name: \"Run: integration tests (flaky)\"\n if: ${{ !fromJSON(inputs.skip-flaky) }}\n run: |\n set -eux\n if [ \"$TARGET\" = \"rootless\" ]; then\n echo \"rootless\"\n docker run -t -v /dev:/dev --rm --privileged test-integration /test-integration-rootless.sh ./hack/test-integration.sh -test.only-flaky=true\n else\n echo \"rootful\"\n docker run -t -v /dev:/dev --rm --privileged test-integration ./hack/test-integration.sh -test.only-flaky=true\n fi\n" }, { "path": ".github/workflows/job-test-in-vagrant.yml", "content": "# Right now, this is testing solely FreeBSD, but could be used to test other targets.\n# Alternatively, this might get replaced entirely by Lima eventually.\nname: job-test-in-vagrant\n\non:\n workflow_call:\n inputs:\n timeout:\n required: true\n type: number\n runner:\n required: true\n type: string\n\njobs:\n test:\n # Will appear as freebsd / 14 in GitHub UI\n name: \"14\"\n timeout-minutes: ${{ inputs.timeout }}\n runs-on: \"${{ inputs.runner }}\"\n steps:\n - name: \"Init: checkout\"\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n fetch-depth: 1\n\n - name: \"Init: setup cache\"\n uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3\n with:\n path: /root/.vagrant.d\n key: vagrant\n\n - name: \"Init: set up vagrant\"\n run: |\n # from https://github.com/containerd/containerd/blob/v2.0.2/.github/workflows/ci.yml#L583-L596\n # which is based on https://github.com/opencontainers/runc/blob/v1.1.8/.cirrus.yml#L41-L49\n # FIXME: https://github.com/containerd/nerdctl/issues/4163\n cat ./hack/provisioning/gpg/hashicorp | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg\n echo \"deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main\" | sudo tee /etc/apt/sources.list.d/hashicorp.list\n sudo sed -i 's/^Types: deb$/Types: deb deb-src/' /etc/apt/sources.list.d/ubuntu.sources\n sudo apt-get update -qq\n sudo apt-get install -qq libvirt-daemon libvirt-daemon-system vagrant ovmf\n # https://github.com/vagrant-libvirt/vagrant-libvirt/issues/1725#issuecomment-1454058646\n sudo cp /usr/share/OVMF/OVMF_VARS_4M.fd /var/lib/libvirt/qemu/nvram/\n sudo systemctl enable --now libvirtd\n sudo apt-get build-dep -qq ruby-libvirt\n sudo apt-get install -qq --no-install-recommends libxslt-dev libxml2-dev libvirt-dev ruby-bundler ruby-dev zlib1g-dev\n # Disable strict dependency enforcement to bypass gem version conflicts during the installation of the vagrant-libvirt plugin.\n sudo env VAGRANT_DISABLE_STRICT_DEPENDENCY_ENFORCEMENT=1 vagrant plugin install vagrant-libvirt\n\n - name: \"Init: boot VM\"\n run: |\n ln -sf Vagrantfile.freebsd Vagrantfile\n sudo vagrant up --no-tty\n\n - name: \"Run: test-unit\"\n run: sudo vagrant up --provision-with=test-unit\n\n - name: \"Run: test-integration\"\n run: sudo vagrant up --provision-with=test-integration\n" }, { "path": ".github/workflows/job-test-unit.yml", "content": "# Note: freebsd tests are not ran here (see integration instead)\nname: job-test-unit\n\non:\n workflow_call:\n inputs:\n timeout:\n required: true\n type: number\n go-version:\n required: true\n type: string\n runner:\n required: true\n type: string\n canary:\n required: false\n default: false\n type: boolean\n windows-cni-version:\n required: true\n type: string\n linux-cni-version:\n required: true\n type: string\n linux-cni-sha:\n required: true\n type: string\n\nenv:\n GOTOOLCHAIN: local\n # Windows fails without this\n CGO_ENABLED: 0\n\njobs:\n test-unit:\n name: ${{ format('{0}{1}', inputs.runner, inputs.canary && ' (go canary)' || '') }}\n timeout-minutes: ${{ inputs.timeout }}\n runs-on: \"${{ inputs.runner }}\"\n defaults:\n run:\n shell: bash\n\n env:\n GO_VERSION: ${{ inputs.go-version }}\n\n steps:\n - name: \"Init: checkout\"\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n fetch-depth: 1\n\n # If canary is requested, check for the latest unstable release\n - if: ${{ inputs.canary }}\n name: \"Init (canary): retrieve GO_VERSION\"\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n run: |\n latest_go=\"$(. ./hack/provisioning/version/fetch.sh; go::canary::for::go-setup)\"\n printf \"GO_VERSION=%s\\n\" \"$latest_go\" >> \"$GITHUB_ENV\"\n [ \"$latest_go\" != \"\" ] || \\\n echo \"::warning title=No canary go::There is currently no canary go version to test. Following steps will not run.\"\n\n - if: ${{ env.GO_VERSION != '' }}\n name: \"Init: install go\"\n uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n with:\n go-version: ${{ env.GO_VERSION }}\n check-latest: true\n\n # Install CNI and CRIU\n - if: ${{ env.GO_VERSION != '' }}\n name: \"Init: set up CNI and CRIU\"\n run: |\n if [ \"$RUNNER_OS\" == \"Windows\" ]; then\n GOPATH=$(go env GOPATH) WINCNI_VERSION=${{ inputs.windows-cni-version }} ./hack/provisioning/windows/cni.sh\n elif [ \"$RUNNER_OS\" == \"Linux\" ]; then\n ./hack/provisioning/linux/cni.sh install \"${{ inputs.linux-cni-version }}\" \"amd64\" \"${{ inputs.linux-cni-sha }}\"\n sudo apt-get update -qq\n sudo add-apt-repository ppa:criu/ppa -y\n sudo apt-get install -qq criu\n fi\n\n - if: ${{ env.GO_VERSION != '' }}\n name: \"Run\"\n run: |\n make test-unit\n\n # On linux, also run with root\n - if: ${{ env.GO_VERSION != '' && env.RUNNER_OS == 'Linux' }}\n name: \"Run: with root\"\n run: |\n sudo make test-unit\n" }, { "path": ".github/workflows/release.yml", "content": "# See https://github.com/containerd/nerdctl/blob/main/MAINTAINERS_GUIDE.md for how to make a release.\nname: Release\non:\n push:\n tags:\n - 'v*'\n - 'test-action-release-*'\n pull_request:\n paths-ignore:\n - '**.md'\n\nenv:\n GOTOOLCHAIN: local\n\njobs:\n release:\n runs-on: ubuntu-24.04\n timeout-minutes: 40\n # The maximum access is \"read\" for PRs from public forked repos\n # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token\n permissions:\n contents: write # for releases\n id-token: write # for provenances\n attestations: write # for provenances\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n # FIXME: setup-qemu-action is depended by `gomodjail pack`\n - name: \"Set up QEMU\"\n uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0\n - name: \"Install go\"\n uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n with:\n go-version: \"1.25\"\n check-latest: true\n - name: \"Compile binaries\"\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n run: make artifacts\n - name: \"SHA256SUMS\"\n run: |\n ( cd _output; sha256sum nerdctl-* ) | tee /tmp/SHA256SUMS\n mv /tmp/SHA256SUMS _output/SHA256SUMS\n - name: \"The sha256sum of the SHA256SUMS file\"\n run: (cd _output; sha256sum SHA256SUMS)\n - name: \"Prepare the release note\"\n run: |\n shasha=$(sha256sum _output/SHA256SUMS | awk '{print $1}')\n cat <<-EOF | tee /tmp/release-note.txt\n $(hack/generate-release-note.sh)\n - - -\n The binaries were built automatically on GitHub Actions.\n The build log is available for 90 days: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}\n\n The sha256sum of the SHA256SUMS file itself is \\`${shasha}\\` .\n - - -\n Release manager: [ADD YOUR NAME HERE] (@[ADD YOUR GITHUB ID HERE])\n EOF\n - name: \"Generate artifact attestation\"\n uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0\n if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')\n with:\n subject-path: _output/*\n - name: \"Create release\"\n if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n run: |\n tag=\"${GITHUB_REF##*/}\"\n gh release create -F /tmp/release-note.txt --draft --title \"${tag}\" \"${tag}\" _output/*\n" }, { "path": ".github/workflows/workflow-flaky.yml", "content": "# This workflow puts together all known \"flaky\" and experimental targets\nname: \"[flaky, see #3988]\"\n\non:\n push:\n branches:\n - main\n - 'release/**'\n pull_request:\n paths-ignore:\n - '**.md'\n\njobs:\n test-integration-el:\n name: \"EL${{ inputs.hack }}\"\n uses: ./.github/workflows/job-test-in-lima.yml\n strategy:\n fail-fast: false\n # EL8 is used for testing compatibility with cgroup v1.\n # Unfortunately, EL8 is hard to debug for ARM Mac users (as Lima+ARM Mac+EL8 is not runnable because of page size),\n # and it currently shows numerous issues.\n # ARM Mac users may use oraclelinux-8 instead for debugging cgroup v1 issues, although its kernel is different from\n # other EL8 variants.\n matrix:\n guest: [\"almalinux-8\"]\n target: [\"rootful\", \"rootless\"]\n with:\n timeout: 60\n runner: ubuntu-24.04\n guest: ${{ matrix.guest }}\n target: ${{ matrix.target }}\n skip-flaky: true # skip the most flaky ones for now\n\n test-integration-freebsd:\n name: \"FreeBSD\"\n uses: ./.github/workflows/job-test-in-vagrant.yml\n with:\n timeout: 15\n runner: ubuntu-24.04\n\n kube:\n name: \"kubernetes\"\n runs-on: ubuntu-24.04\n timeout-minutes: 15\n env:\n ROOTFUL: true\n steps:\n - name: \"Init: checkout\"\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n fetch-depth: 1\n - name: \"Run\"\n run: |\n # FIXME: this should be a bit more elegant to use.\n ./hack/provisioning/kube/kind.sh\n # See https://github.com/containerd/nerdctl/blob/main/docs/testing/README.md#about-parallelization\n sudo ./_output/nerdctl exec nerdctl-test-control-plane bash -c -- 'export TMPDIR=\"$HOME\"/tmp; mkdir -p \"$TMPDIR\"; cd /nerdctl-source; /usr/local/go/bin/go test -p 1 ./cmd/nerdctl/... -test.only-kubernetes'\n" }, { "path": ".github/workflows/workflow-lint.yml", "content": "name: lint\n\non:\n push:\n branches:\n - main\n - 'release/**'\n pull_request:\n\njobs:\n # Runs golangci to ensure that:\n # 1. the tooling is working on the target platform\n # 2. the linter is happy\n # 3. for canary (if there is a canary go version), does lint for all supported goos\n lint-go:\n name: \"go${{ inputs.hack }}\"\n uses: ./.github/workflows/job-lint-go.yml\n strategy:\n fail-fast: false\n matrix:\n include:\n - runner: ubuntu-24.04\n goos: linux\n - runner: ubuntu-24.04\n goos: freebsd\n - runner: macos-15\n goos: darwin\n # FIXME: this is currently failing in a nonsensical way, so, running on linux instead...\n # - runner: windows-2022\n - runner: ubuntu-24.04\n goos: windows\n # Additionally lint for canary\n - runner: ubuntu-24.04\n goos: linux\n canary: true\n with:\n timeout: 10\n go-version: \"1.25\"\n runner: ubuntu-24.04\n # Note: in GitHub yaml world, if `matrix.canary` is undefined, and is passed to `inputs.canary`, the job\n # will not run. However, if you test it, it will coerce to `false`, hence:\n canary: ${{ matrix.canary && true || false }}\n goos: ${{ matrix.goos }}\n\n # Run common project checks (commits, licenses, etc)\n lint-project-checks:\n name: \"project checks\"\n uses: ./.github/workflows/job-lint-project.yml\n with:\n timeout: 5\n go-version: \"1.25\"\n runner: ubuntu-24.04\n\n # Lint for shell and yaml files\n lint-other:\n name: \"other\"\n uses: ./.github/workflows/job-lint-other.yml\n with:\n timeout: 5\n runner: ubuntu-24.04\n\n # Verify we can actually build on all supported platforms, and a bunch of architectures\n build-for-go:\n name: \"build for${{ inputs.hack }}\"\n uses: ./.github/workflows/job-build.yml\n strategy:\n fail-fast: false\n matrix:\n include:\n # Build for both old and stable go\n - go-version: \"1.24\"\n - go-version: \"1.25\"\n # Additionally build for canary\n - go-version: \"1.25\"\n canary: true\n with:\n timeout: 10\n go-version: ${{ matrix.go-version }}\n runner: ubuntu-24.04\n canary: ${{ matrix.canary && true || false }}\n" }, { "path": ".github/workflows/workflow-test.yml", "content": "name: test\n\non:\n push:\n branches:\n - main\n - 'release/**'\n pull_request:\n paths-ignore:\n - '**.md'\n\njobs:\n test-unit:\n # Note: inputs.hack is undefined - its purpose is to prevent GitHub Actions from displaying all matrix variants as part of the name.\n name: \"unit${{ inputs.hack }}\"\n uses: ./.github/workflows/job-test-unit.yml\n strategy:\n fail-fast: false\n matrix:\n # Run on all supported platforms but freebsd\n # Additionally run on canary for linux\n include:\n - runner: \"ubuntu-24.04\"\n - runner: \"macos-15\"\n - runner: \"windows-2025\"\n - runner: \"ubuntu-24.04\"\n canary: true\n with:\n runner: ${{ matrix.runner }}\n canary: ${{ matrix.canary && true || false }}\n # Windows routinely go over 5 minutes\n timeout: 10\n go-version: 1.25\n windows-cni-version: v0.3.1\n linux-cni-version: v1.7.1\n linux-cni-sha: 1a28a0506bfe5bcdc981caf1a49eeab7e72da8321f1119b7be85f22621013098\n\n # This job builds the dependency target of the test-image for all supported architectures and cache it in GHA\n build-dependencies:\n name: \"dependencies${{ inputs.hack }}\"\n uses: ./.github/workflows/job-test-dependencies.yml\n strategy:\n fail-fast: false\n matrix:\n include:\n # Build for arm & amd, current containerd\n - runner: ubuntu-24.04\n - runner: ubuntu-24.04-arm\n # Additionally build for old containerd on amd\n - runner: ubuntu-24.04\n containerd-version: v1.7.30\n with:\n runner: ${{ matrix.runner }}\n containerd-version: ${{ matrix.containerd-version }}\n timeout: 20\n\n test-integration-container:\n name: \"in-container${{ inputs.hack }}\"\n uses: ./.github/workflows/job-test-in-container.yml\n needs: build-dependencies\n strategy:\n fail-fast: false\n matrix:\n include:\n ###### Rootless\n # amd64\n - runner: ubuntu-24.04\n target: rootless\n # arm64\n - runner: ubuntu-24.04-arm\n target: rootless\n skip-flaky: true\n # port-slirp4netns\n - runner: ubuntu-24.04\n target: rootless-port-slirp4netns\n skip-flaky: true\n # old containerd + old ubuntu + old rootlesskit\n - runner: ubuntu-22.04\n target: rootless\n containerd-version: v1.7.30\n rootlesskit-version: v1.1.1\n # gomodjail\n - runner: ubuntu-24.04\n target: rootless\n binary: \"nerdctl.gomodjail\"\n ###### Rootful\n # amd64\n - runner: ubuntu-24.04\n target: rootful\n # arm64\n - runner: ubuntu-24.04-arm\n target: rootful\n skip-flaky: true\n # old containerd + old ubuntu\n - runner: ubuntu-22.04\n target: rootful\n containerd-version: v1.7.30\n # ipv6\n - runner: ubuntu-24.04\n target: rootful\n ipv6: true\n skip-flaky: true\n # all canary\n - runner: ubuntu-24.04\n target: rootful\n canary: true\n\n with:\n timeout: 80\n runner: ${{ matrix.runner }}\n target: ${{ matrix.target }}\n binary: ${{ matrix.binary && matrix.binary || 'nerdctl' }}\n containerd-version: ${{ matrix.containerd-version }}\n rootlesskit-version: ${{ matrix.rootlesskit-version }}\n ipv6: ${{ matrix.ipv6 && true || false }}\n canary: ${{ matrix.canary && true || false }}\n skip-flaky: ${{ matrix.skip-flaky && true || false }}\n\n test-integration-host:\n name: \"in-host${{ inputs.hack }}\"\n uses: ./.github/workflows/job-test-in-host.yml\n strategy:\n fail-fast: false\n matrix:\n include:\n # Test on windows w/o canary\n - runner: windows-2022\n - runner: windows-2025\n canary: true\n # Test docker on linux\n - runner: ubuntu-24.04\n binary: docker\n\n # FIXME: running nerdctl on the host is work in progress\n # (we miss runc to be installed on the host - and obviously other deps)\n # Plan is to pause this for now and first consolidate dependencies management (wrt Dockerfile vs. host-testing CI)\n # before we can really start testing linux nerdctl on the host.\n # - runner: ubuntu-24.04\n # - runner: ubuntu-24.04\n # canary: true\n with:\n timeout: 45\n runner: ${{ matrix.runner }}\n binary: ${{ matrix.binary != '' && matrix.binary || 'nerdctl' }}\n canary: ${{ matrix.canary && true || false }}\n go-version: 1.25\n windows-cni-version: v0.3.1\n docker-version: 5:28.0.4-1~ubuntu.24.04~noble\n containerd-version: 2.2.1\n # Note: these as for amd64\n containerd-sha: f5d8e90ecb6c1c7e33ecddf8cc268a93b9e5b54e0e850320d765511d76624f41\n containerd-service-sha: 1941362cbaa89dd591b99c32b050d82c583d3cd2e5fa63085d7017457ec5fca8\n linux-cni-version: v1.9.0\n linux-cni-sha: 58c03705426e929658f45a851df15a86d06ef680cacbf3f2dc127731ca265c28\n" }, { "path": ".github/workflows/workflow-tigron.yml", "content": "name: tigron\n\non:\n push:\n branches:\n - main\n - 'release/**'\n pull_request:\n paths: 'mod/tigron/**'\n\nenv:\n GO_VERSION: \"1.25\"\n GOTOOLCHAIN: local\n\njobs:\n lint:\n timeout-minutes: 15\n name: \"${{ matrix.goos }} ${{ matrix.runner }} | go ${{ matrix.canary }}\"\n runs-on: ${{ matrix.runner }}\n defaults:\n run:\n shell: bash\n strategy:\n matrix:\n include:\n - runner: ubuntu-24.04\n - runner: macos-15\n - runner: windows-2022\n - runner: ubuntu-24.04\n goos: freebsd\n - runner: ubuntu-24.04\n canary: go-canary\n steps:\n - name: \"Checkout project\"\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n fetch-depth: 100\n - if: ${{ matrix.canary }}\n name: \"Init (canary): retrieve GO_VERSION\"\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n run: |\n latest_go=\"$(. ./hack/provisioning/version/fetch.sh; go::canary::for::go-setup)\"\n printf \"GO_VERSION=%s\\n\" \"$latest_go\" >> \"$GITHUB_ENV\"\n [ \"$latest_go\" != \"\" ] || \\\n echo \"::warning title=No canary go::There is currently no canary go version to test. Steps will not run.\"\n - if: ${{ env.GO_VERSION != '' }}\n name: \"Install go\"\n uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n with:\n go-version: ${{ env.GO_VERSION }}\n check-latest: true\n - if: ${{ env.GO_VERSION != '' }}\n name: \"Install tools\"\n run: |\n cd mod/tigron\n echo \"::group:: make install-dev-tools\"\n make install-dev-tools\n if [ \"$RUNNER_OS\" == macOS ]; then\n brew install yamllint shellcheck\n fi\n echo \"::endgroup::\"\n - if: ${{ env.GO_VERSION != '' && matrix.goos == '' }}\n name: \"lint\"\n env:\n NO_COLOR: true\n run: |\n if [ \"$RUNNER_OS\" == Linux ]; then\n echo \"::group:: lint\"\n cd mod/tigron\n export LINT_COMMIT_RANGE=\"$(jq -r '.after + \"..HEAD\"' ${GITHUB_EVENT_PATH})\"\n make lint\n echo \"::endgroup::\"\n else\n echo \"Lint is disabled on $RUNNER_OS\"\n fi\n - if: ${{ env.GO_VERSION != '' }}\n name: \"test-unit\"\n run: |\n echo \"::group:: unit test\"\n cd mod/tigron\n make test-unit\n echo \"::endgroup::\"\n - if: ${{ env.GO_VERSION != '' }}\n name: \"test-unit-race\"\n run: |\n echo \"::group:: race test\"\n cd mod/tigron\n make test-unit-race\n echo \"::endgroup::\"\n - if: ${{ env.GO_VERSION != '' }}\n name: \"test-unit-bench\"\n run: |\n echo \"::group:: bench\"\n cd mod/tigron\n make test-unit-bench\n echo \"::endgroup::\"\n" }, { "path": ".gitignore", "content": "# artifacts\n/nerdctl\n_output\n*.gomodjail\n\n# golangci-lint\n/build\n\n# vagrant\n/.vagrant\nVagrantfile\n" }, { "path": ".golangci.yml", "content": "version: \"2\"\n\nrun:\n modules-download-mode: readonly\n\nissues:\n max-issues-per-linter: 0\n max-same-issues: 0\n\nlinters:\n default: none\n enable:\n # 1. This is the default enabled set of golanci\n\n # We should consider enabling errcheck\n # - errcheck\n - govet\n - ineffassign\n - staticcheck\n - unused\n\n # 2. These are not part of the default set\n\n # Important to prevent import of certain packages\n - depguard\n # Removes unnecessary conversions\n - unconvert\n # Flag common typos\n - misspell\n # A meta-linter seen as a good replacement for golint\n - revive\n # Gocritic\n - gocritic\n - forbidigo\n\n # 3. We used to use these, but have now removed them\n\n # Use of prealloc is generally premature optimization and performance profiling should be done instead\n # https://golangci-lint.run/usage/linters/#prealloc\n # - prealloc\n # Provided by revive in a better way\n # - nakedret\n\n settings:\n forbidigo:\n forbid:\n # FIXME: there are still calls to os.WriteFile in tests under `cmd`\n - pattern: ^os\\.WriteFile.*$\n pkg: github.com/containerd/nerdctl/v2/pkg\n msg: os.WriteFile is neither atomic nor durable - use nerdctl filesystem.WriteFile instead\n - pattern: ^os\\.ReadFile.*$\n pkg: github.com/containerd/nerdctl/v2/pkg\n msg: use filesystem.ReadFile instead of os.ReadFile\n staticcheck:\n checks:\n # Below is the default set\n - \"all\"\n - \"-ST1000\"\n - \"-ST1003\"\n - \"-ST1016\"\n - \"-ST1020\"\n - \"-ST1021\"\n - \"-ST1022\"\n\n ##### TODO: fix and enable these\n # 6 occurrences.\n # Apply De Morgan’s law https://staticcheck.dev/docs/checks#QF1001\n - \"-QF1001\"\n # 10 occurrences.\n # Convert if/else-if chain to tagged switch https://staticcheck.dev/docs/checks#QF1003\n - \"-QF1003\"\n\n ##### These have been vetted to be disabled.\n # 55 occurrences. Omit embedded fields from selector expression https://staticcheck.dev/docs/checks#QF1008\n # Usefulness is questionable.\n - \"-QF1008\"\n\n revive:\n enable-all-rules: true\n rules:\n # See https://revive.run/r\n\n ##### P0: we should do it ASAP.\n - name: max-control-nesting\n # 10 occurences (at default 5). Deep nesting hurts readibility.\n arguments: [7]\n - name: deep-exit\n # 11 occurrences. Do not exit in random places.\n disabled: true\n - name: unchecked-type-assertion\n # 14 occurrences. This is generally risky and encourages bad coding for newcomers.\n disabled: true\n - name: bare-return\n # 31 occurrences. Bare returns are just evil, very unfriendly, and make reading and editing much harder.\n disabled: true\n - name: import-shadowing\n # 44 occurrences. Shadowing makes things prone to errors / confusing to read.\n disabled: true\n - name: use-errors-new\n # 84 occurrences. Improves error testing.\n disabled: true\n - name: struct-tag\n # 2 occurrences.\n disabled: true\n\n ##### P1: consider making a dent on these, but not critical.\n - name: argument-limit\n # 4 occurrences (at default 8). Long windy arguments list for functions are hard to read. Use structs instead.\n arguments: [12]\n - name: unnecessary-stmt\n # 5 occurrences. Increase readability.\n disabled: true\n - name: defer\n # 7 occurrences. Confusing to read for newbies.\n disabled: true\n - name: confusing-naming\n # 10 occurrences. Hurts readability.\n disabled: true\n - name: early-return\n # 10 occurrences. Would improve readability.\n disabled: true\n - name: function-result-limit\n # 12 occurrences (at default 3). A function returning many results is probably too big.\n arguments: [7]\n - name: function-length\n # 155 occurrences (at default 0, 75). Really long functions should really be broken up in most cases.\n arguments: [0, 500]\n - name: cyclomatic\n # 204 occurrences (at default 10)\n arguments: [100]\n - name: unhandled-error\n # 222 occurrences. Could indicate failure to handle broken conditions.\n disabled: true\n - name: cognitive-complexity\n arguments: [205]\n # 441 occurrences (at default 7). We should try to lower it (involves significant refactoring).\n - name: var-naming\n # 1 occurrence.\n disabled: true\n\n ##### P2: nice to have.\n - name: max-public-structs\n # 7 occurrences (at default 5). Might indicate overcrowding of public API.\n arguments: [25]\n - name: confusing-results\n # 13 occurrences. Have named returns when the type stutters.\n # Makes it a bit easier to figure out function behavior just looking at signature.\n disabled: true\n - name: comment-spacings\n # 50 occurrences. Makes code look less wonky / ease readability.\n disabled: true\n - name: use-any\n # 30 occurrences. `any` instead of `interface{}`. Cosmetic.\n disabled: true\n - name: empty-lines\n # 85 occurrences. Makes code look less wonky / ease readability.\n disabled: true\n - name: package-comments\n # 100 occurrences. Better for documentation...\n disabled: true\n - name: exported\n # 577 occurrences. Forces documentation of any exported symbol.\n disabled: true\n - name: unnecessary-format\n # Many occurrences.\n disabled: true\n\n ###### Permanently disabled. Below have been reviewed and vetted to be unnecessary.\n - name: line-length-limit\n # Formatter `golines` takes care of this.\n disabled: true\n - name: nested-structs\n # 5 occurrences. Trivial. This is not that hard to read.\n disabled: true\n - name: flag-parameter\n # 52 occurrences. Not sure if this is valuable.\n disabled: true\n - name: unused-parameter\n # 505 occurrences. A lot of work for a marginal improvement.\n disabled: true\n - name: unused-receiver\n # 31 occurrences. Ibid.\n disabled: true\n - name: add-constant\n # 2605 occurrences. Kind of useful in itself, but unacceptable amount of effort to fix\n disabled: true\n - name: enforce-switch-style\n # Many occurrences.\n disabled: true\n\n depguard:\n rules:\n no-patent:\n # do not link in golang-lru anywhere (problematic patent)\n deny:\n - pkg: github.com/hashicorp/golang-lru/arc/v2\n desc: patented (https://github.com/hashicorp/golang-lru/blob/arc/v2.0.7/arc/arc.go#L18)\n pkg:\n # pkg files must not depend on cobra nor anything in cmd\n files:\n - '**/pkg/**/*.go'\n deny:\n - pkg: github.com/spf13/cobra\n desc: pkg must not depend on cobra\n - pkg: github.com/spf13/pflag\n desc: pkg must not depend on pflag\n - pkg: github.com/spf13/viper\n desc: pkg must not depend on viper\n - pkg: github.com/containerd/nerdctl/v2/cmd\n desc: pkg must not depend on any cmd files\n gocritic:\n disabled-checks:\n # Below are normally enabled by default, but we do not pass\n - appendAssign\n - ifElseChain\n - unslice\n - badCall\n - assignOp\n - commentFormatting\n - captLocal\n - singleCaseSwitch\n - wrapperFunc\n - elseif\n - regexpMust\n enabled-checks:\n # Below used to be enabled, but we do not pass anymore\n # - paramTypeCombine\n # - octalLiteral\n # - unnamedResult\n # - equalFold\n # - sloppyReassign\n # - emptyStringTest\n # - hugeParam\n # - appendCombine\n # - stringXbytes\n # - ptrToRefParam\n # - commentedOutCode\n # - rangeValCopy\n # - methodExprCall\n # - yodaStyleExpr\n # - typeUnparen\n\n # We enabled these and we pass\n - nilValReturn\n - weakCond\n - indexAlloc\n - rangeExprCopy\n - boolExprSimplify\n - commentedOutImport\n - docStub\n - emptyFallthrough\n - hexLiteral\n - typeAssertChain\n - unlabelStmt\n - builtinShadow\n - initClause\n - nestingReduce\n - unnecessaryBlock\n exclusions:\n generated: disable\n\nformatters:\n settings:\n gci:\n sections:\n - standard\n - default\n - prefix(github.com/containerd)\n - localmodule\n no-inline-comments: true\n no-prefix-comments: true\n custom-order: true\n gofumpt:\n extra-rules: true\n golines:\n max-len: 500\n tab-len: 4\n shorten-comments: true\n enable:\n - gci\n - gofmt\n # We might consider enabling the following:\n # - gofumpt\n - golines\n exclusions:\n generated: disable\n" }, { "path": ".yamllint", "content": "---\n\nextends: default\n\nrules:\n indentation:\n spaces: 2\n indent-sequences: consistent\n truthy:\n allowed-values: ['true', 'false', 'on', 'off']\n comments-indentation: disable\n document-start: disable\n line-length: disable\n" }, { "path": "BUILDING.md", "content": "# Building nerdctl\n\nTo build nerdctl, use `make`:\n\n```bash\nmake\nsudo make install\n```\n\nAlternatively, nerdctl can be also built with `go build ./cmd/nerdctl`.\nHowever, this is not recommended as it does not populate the version string (`nerdctl -v`).\n\n## Customization\n\nTo specify build tags, set the `BUILDTAGS` variable as follows:\n\n```bash\nBUILDTAGS=no_ipfs make\n```\n\nThe following build tags are supported:\n* `no_ipfs` (since v2.1.3): Disable IPFS\n" }, { "path": "Dockerfile", "content": "# Copyright The containerd Authors.\n\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n\n# http://www.apache.org/licenses/LICENSE-2.0\n\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n# -----------------------------------------------------------------------------\n# Usage: `docker run -it --privileged `. Make sure to add `-t` and `--privileged`.\n\n# Basic deps\n# @BINARY: the binary checksums are verified via Dockerfile.d/SHA256SUMS.d/-\nARG CONTAINERD_VERSION=v2.2.1@dea7da592f5d1d2b7755e3a161be07f43fad8f75\nARG RUNC_VERSION=v1.4.0@8bd78a9977e604c4d5f67a7415d7b8b8c109cdc4\nARG CNI_PLUGINS_VERSION=v1.9.0@BINARY\n\n# Extra deps: Build\nARG BUILDKIT_VERSION=v0.26.3@BINARY\n# Extra deps: Lazy-pulling\nARG STARGZ_SNAPSHOTTER_VERSION=v0.18.1@BINARY\n# Extra deps: Encryption\nARG IMGCRYPT_VERSION=v2.0.2@6892f4df2405cd15acbefd1dca970f53ba38bfda\n# Extra deps: Rootless\nARG ROOTLESSKIT_VERSION=v2.3.6@BINARY\nARG SLIRP4NETNS_VERSION=v1.3.3@BINARY\n# Extra deps: bypass4netns\nARG BYPASS4NETNS_VERSION=v0.4.2@aa04bd3dcc48c6dae6d7327ba219bda8fe2a4634\n# Extra deps: FUSE-OverlayFS\nARG FUSE_OVERLAYFS_VERSION=v1.16@BINARY\nARG CONTAINERD_FUSE_OVERLAYFS_VERSION=v2.1.7@BINARY\n# Extra deps: Init\nARG TINI_VERSION=v0.19.0@BINARY\n# Extra deps: Debug\nARG BUILDG_VERSION=v0.5.3@BINARY\n# Extra deps: gomodjail\nARG GOMODJAIL_VERSION=v0.1.3@cea529ddd971b677c67d8af7e936fbc62b35b98c\n\n# Test deps\n# Currently, the Docker Official Images and the test deps are not pinned by the hash\nARG GO_VERSION=1.25\nARG UBUNTU_VERSION=24.04\nARG CONTAINERIZED_SYSTEMD_VERSION=v0.1.1\nARG GOTESTSUM_VERSION=v1.13.0\nARG NYDUS_VERSION=v2.3.9\nARG SOCI_SNAPSHOTTER_VERSION=0.12.1\nARG KUBO_VERSION=v0.39.0\n\nFROM --platform=$BUILDPLATFORM tonistiigi/xx:1.9.0@sha256:c64defb9ed5a91eacb37f96ccc3d4cd72521c4bd18d5442905b95e2226b0e707 AS xx\n\n\nFROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-trixie AS build-base\nCOPY --from=xx / /\nENV DEBIAN_FRONTEND=noninteractive\nRUN apt-get update -qq && apt-get install -qq --no-install-recommends \\\n make \\\n git \\\n jq \\\n curl \\\n dpkg-dev\nARG TARGETARCH\n# libbtrfs: for containerd\n# libseccomp: for runc and bypass4netns\nRUN xx-apt-get update -qq && xx-apt-get install -qq --no-install-recommends \\\n binutils \\\n gcc \\\n libc6-dev \\\n libbtrfs-dev \\\n libseccomp-dev \\\n pkg-config\nRUN git config --global advice.detachedHead false\nADD hack/git-checkout-tag-with-hash.sh /usr/local/bin/\nADD hack/scripts/lib.sh /usr/local/bin/http::helper\n\nFROM build-base AS build-containerd\nARG TARGETARCH\nARG CONTAINERD_VERSION\nRUN git clone --quiet --depth 1 --branch \"${CONTAINERD_VERSION%%@*}\" https://github.com/containerd/containerd.git /go/src/github.com/containerd/containerd\nWORKDIR /go/src/github.com/containerd/containerd\nRUN git-checkout-tag-with-hash.sh ${CONTAINERD_VERSION} && \\\n mkdir -p /out /out/$TARGETARCH && \\\n cp -a containerd.service /out\nRUN GO=xx-go make STATIC=1 && \\\n cp -a bin/containerd bin/containerd-shim-runc-v2 bin/ctr /out/$TARGETARCH\n\nFROM build-base AS build-runc\nARG RUNC_VERSION\nARG TARGETARCH\nRUN git clone --quiet --depth 1 --branch \"${RUNC_VERSION%%@*}\" https://github.com/opencontainers/runc.git /go/src/github.com/opencontainers/runc\nWORKDIR /go/src/github.com/opencontainers/runc\nRUN git-checkout-tag-with-hash.sh ${RUNC_VERSION} && \\\n mkdir -p /out\nENV CGO_ENABLED=1\n# FIXME: avoid omitting libpathrs\nRUN set -x ; GO=xx-go CC=$(xx-info)-gcc STRIP=$(xx-info)-strip make BUILDTAGS=\"$(grep -oP \"^BUILDTAGS := \\K.*\" Makefile | sed -e s/libpathrs//)\" static && \\\n xx-verify --static runc && cp -v -a runc /out/runc.${TARGETARCH}\n\nFROM build-base AS build-bypass4netns\nARG BYPASS4NETNS_VERSION\nARG TARGETARCH\nRUN git clone --quiet --depth 1 --branch \"${BYPASS4NETNS_VERSION%%@*}\" https://github.com/rootless-containers/bypass4netns.git /go/src/github.com/rootless-containers/bypass4netns\nWORKDIR /go/src/github.com/rootless-containers/bypass4netns\nRUN git-checkout-tag-with-hash.sh ${BYPASS4NETNS_VERSION} && \\\n mkdir -p /out/${TARGETARCH}\nENV CGO_ENABLED=1\nRUN GO=xx-go make static && \\\n xx-verify --static bypass4netns && cp -a bypass4netns bypass4netnsd /out/${TARGETARCH}\n\nFROM build-base AS build-gomodjail\nARG GOMODJAIL_VERSION\nARG TARGETARCH\nRUN git clone --quiet --depth 1 --branch \"${GOMODJAIL_VERSION%%@*}\" https://github.com/AkihiroSuda/gomodjail.git /go/src/github.com/AkihiroSuda/gomodjail\nWORKDIR /go/src/github.com/AkihiroSuda/gomodjail\nRUN git-checkout-tag-with-hash.sh ${GOMODJAIL_VERSION} && \\\n mkdir -p /out/${TARGETARCH}\nRUN GO=xx-go make STATIC=1 && \\\n xx-verify --static _output/bin/gomodjail && cp -a _output/bin/gomodjail /out/${TARGETARCH}\n\nFROM build-base AS build-kubo\nARG KUBO_VERSION\nARG TARGETARCH\nRUN git clone --quiet --depth 1 --branch \"${KUBO_VERSION%%@*}\" https://github.com/ipfs/kubo.git /go/src/github.com/ipfs/kubo\nWORKDIR /go/src/github.com/ipfs/kubo\nRUN git-checkout-tag-with-hash.sh ${KUBO_VERSION} && \\\n mkdir -p /out/${TARGETARCH}\nENV CGO_ENABLED=0\nRUN xx-go --wrap && \\\n make build && \\\n xx-verify --static cmd/ipfs/ipfs && cp -a cmd/ipfs/ipfs /out/${TARGETARCH}\n\nFROM build-base AS build-minimal\nRUN BINDIR=/out/bin make binaries install\n# We do not set CMD to `go test` here, because it requires systemd\n\nFROM build-base AS build-dependencies\nARG TARGETARCH\nENV GOARCH=${TARGETARCH}\nCOPY ./Dockerfile.d/SHA256SUMS.d/ /SHA256SUMS.d\nWORKDIR /nowhere\nRUN echo \"${TARGETARCH:-amd64}\" | sed -e s/amd64/x86_64/ -e s/arm64/aarch64/ | tee /target_uname_m\nRUN mkdir -p /out/share/doc/nerdctl-full && touch /out/share/doc/nerdctl-full/README.md\nARG CONTAINERD_VERSION\nCOPY --from=build-containerd /out/${TARGETARCH:-amd64}/* /out/bin/\nCOPY --from=build-containerd /out/containerd.service /out/lib/systemd/system/containerd.service\nRUN echo \"- containerd: ${CONTAINERD_VERSION%%@*}\" >> /out/share/doc/nerdctl-full/README.md\nARG RUNC_VERSION\nCOPY --from=build-runc /out/runc.${TARGETARCH:-amd64} /out/bin/runc\nRUN echo \"- runc: ${RUNC_VERSION%%@*}\" >> /out/share/doc/nerdctl-full/README.md\nARG CNI_PLUGINS_VERSION\nRUN CNI_PLUGINS_VERSION=${CNI_PLUGINS_VERSION%%@*}; \\\n fname=\"cni-plugins-${TARGETOS:-linux}-${TARGETARCH:-amd64}-${CNI_PLUGINS_VERSION}.tgz\" && \\\n curl -o \"${fname}\" -fsSL --retry 5 --retry-delay 5 --retry-max-time 120 --connect-timeout 20 --proto '=https' --tlsv1.2 \"https://github.com/containernetworking/plugins/releases/download/${CNI_PLUGINS_VERSION}/${fname}\" && \\\n grep \"${fname}\" \"/SHA256SUMS.d/cni-plugins-${CNI_PLUGINS_VERSION}\" | sha256sum -c && \\\n mkdir -p /out/libexec/cni && \\\n tar xzf \"${fname}\" -C /out/libexec/cni && \\\n rm -f \"${fname}\" && \\\n echo \"- CNI plugins: ${CNI_PLUGINS_VERSION}\" >> /out/share/doc/nerdctl-full/README.md\nARG BUILDKIT_VERSION\nRUN BUILDKIT_VERSION=${BUILDKIT_VERSION%%@*}; \\\n fname=\"buildkit-${BUILDKIT_VERSION}.${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz\" && \\\n curl -o \"${fname}\" -fsSL --retry 5 --retry-delay 5 --retry-max-time 120 --connect-timeout 20 --proto '=https' --tlsv1.2 \"https://github.com/moby/buildkit/releases/download/${BUILDKIT_VERSION}/${fname}\" && \\\n grep \"${fname}\" \"/SHA256SUMS.d/buildkit-${BUILDKIT_VERSION}\" | sha256sum -c && \\\n tar xzf \"${fname}\" -C /out && \\\n rm -f \"${fname}\" /out/bin/buildkit-qemu-* /out/bin/buildkit-cni-* /out/bin/buildkit-runc && \\\n for f in /out/libexec/cni/*; do [ -x \"$f\" ] && [ -f \"$f\" ] && ln -s ../libexec/cni/$(basename $f) /out/bin/buildkit-cni-$(basename $f); done && \\\n echo \"- BuildKit: ${BUILDKIT_VERSION}\" >> /out/share/doc/nerdctl-full/README.md\n# NOTE: github.com/moby/buildkit/examples/systemd is not included in BuildKit v0.8.x, will be included in v0.9.x\nRUN cd /out/lib/systemd/system && \\\n sedcomm='s@bin/containerd@bin/buildkitd@g; s@(Description|Documentation)=.*@@' && \\\n sed -E \"${sedcomm}\" containerd.service > buildkit.service && \\\n echo \"\" >> buildkit.service && \\\n echo \"# This file was converted from containerd.service, with \\`sed -E '${sedcomm}'\\`\" >> buildkit.service\nARG STARGZ_SNAPSHOTTER_VERSION\nRUN --mount=type=secret,id=github_token,env=GITHUB_TOKEN \\\n STARGZ_SNAPSHOTTER_VERSION=${STARGZ_SNAPSHOTTER_VERSION%%@*}; \\\n fname=\"stargz-snapshotter-${STARGZ_SNAPSHOTTER_VERSION}-${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz\" && \\\n curl -o \"${fname}\" -fsSL --retry 5 --retry-delay 5 --retry-max-time 120 --connect-timeout 20 --proto '=https' --tlsv1.2 \"https://github.com/containerd/stargz-snapshotter/releases/download/${STARGZ_SNAPSHOTTER_VERSION}/${fname}\" && \\\n http::helper github::file containerd/stargz-snapshotter script/config/etc/systemd/system/stargz-snapshotter.service \"${STARGZ_SNAPSHOTTER_VERSION}\" > \"stargz-snapshotter.service\" && \\\n grep \"${fname}\" \"/SHA256SUMS.d/stargz-snapshotter-${STARGZ_SNAPSHOTTER_VERSION}\" | sha256sum -c - && \\\n grep \"stargz-snapshotter.service\" \"/SHA256SUMS.d/stargz-snapshotter-${STARGZ_SNAPSHOTTER_VERSION}\" | sha256sum -c - && \\\n tar xzf \"${fname}\" -C /out/bin && \\\n rm -f \"${fname}\" /out/bin/stargz-store && \\\n mv stargz-snapshotter.service /out/lib/systemd/system/stargz-snapshotter.service && \\\n echo \"- Stargz Snapshotter: ${STARGZ_SNAPSHOTTER_VERSION}\" >> /out/share/doc/nerdctl-full/README.md\nARG IMGCRYPT_VERSION\nRUN git clone --quiet --depth 1 --branch \"${IMGCRYPT_VERSION%%@*}\" https://github.com/containerd/imgcrypt.git /go/src/github.com/containerd/imgcrypt && \\\n cd /go/src/github.com/containerd/imgcrypt && \\\n git-checkout-tag-with-hash.sh \"${IMGCRYPT_VERSION}\" && \\\n CGO_ENABLED=0 make && DESTDIR=/out make install && \\\n echo \"- imgcrypt: ${IMGCRYPT_VERSION%%@*}\" >> /out/share/doc/nerdctl-full/README.md\nARG SLIRP4NETNS_VERSION\nRUN SLIRP4NETNS_VERSION=${SLIRP4NETNS_VERSION%%@*}; \\\n fname=\"slirp4netns-$(cat /target_uname_m)\" && \\\n curl -o \"${fname}\" -fsSL --retry 5 --retry-delay 5 --retry-max-time 120 --connect-timeout 20 --proto '=https' --tlsv1.2 \"https://github.com/rootless-containers/slirp4netns/releases/download/${SLIRP4NETNS_VERSION}/${fname}\" && \\\n grep \"${fname}\" \"/SHA256SUMS.d/slirp4netns-${SLIRP4NETNS_VERSION}\" | sha256sum -c && \\\n mv \"${fname}\" /out/bin/slirp4netns && \\\n chmod +x /out/bin/slirp4netns && \\\n echo \"- slirp4netns: ${SLIRP4NETNS_VERSION}\" >> /out/share/doc/nerdctl-full/README.md\nARG BYPASS4NETNS_VERSION\nCOPY --from=build-bypass4netns /out/${TARGETARCH:-amd64}/* /out/bin/\nRUN echo \"- bypass4netns: ${BYPASS4NETNS_VERSION%%@*}\" >> /out/share/doc/nerdctl-full/README.md\nARG FUSE_OVERLAYFS_VERSION\nRUN FUSE_OVERLAYFS_VERSION=${FUSE_OVERLAYFS_VERSION%%@*}; \\\n fname=\"fuse-overlayfs-$(cat /target_uname_m)\" && \\\n curl -o \"${fname}\" -fsSL --retry 5 --retry-delay 5 --retry-max-time 120 --connect-timeout 20 --proto '=https' --tlsv1.2 \"https://github.com/containers/fuse-overlayfs/releases/download/${FUSE_OVERLAYFS_VERSION}/${fname}\" && \\\n grep \"${fname}\" \"/SHA256SUMS.d/fuse-overlayfs-${FUSE_OVERLAYFS_VERSION}\" | sha256sum -c && \\\n mv \"${fname}\" /out/bin/fuse-overlayfs && \\\n chmod +x /out/bin/fuse-overlayfs && \\\n echo \"- fuse-overlayfs: ${FUSE_OVERLAYFS_VERSION}\" >> /out/share/doc/nerdctl-full/README.md\nARG CONTAINERD_FUSE_OVERLAYFS_VERSION\nRUN CONTAINERD_FUSE_OVERLAYFS_VERSION=${CONTAINERD_FUSE_OVERLAYFS_VERSION%%@*}; \\\n fname=\"containerd-fuse-overlayfs-${CONTAINERD_FUSE_OVERLAYFS_VERSION##*v}-${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz\" && \\\n curl -o \"${fname}\" -fsSL --retry 5 --retry-delay 5 --retry-max-time 120 --connect-timeout 20 --proto '=https' --tlsv1.2 \"https://github.com/containerd/fuse-overlayfs-snapshotter/releases/download/${CONTAINERD_FUSE_OVERLAYFS_VERSION}/${fname}\" && \\\n grep \"${fname}\" \"/SHA256SUMS.d/containerd-fuse-overlayfs-${CONTAINERD_FUSE_OVERLAYFS_VERSION}\" | sha256sum -c && \\\n tar xzf \"${fname}\" -C /out/bin && \\\n rm -f \"${fname}\" && \\\n echo \"- containerd-fuse-overlayfs: ${CONTAINERD_FUSE_OVERLAYFS_VERSION}\" >> /out/share/doc/nerdctl-full/README.md\nARG TINI_VERSION\nRUN TINI_VERSION=${TINI_VERSION%%@*}; \\\n fname=\"tini-static-${TARGETARCH:-amd64}\" && \\\n curl -o \"${fname}\" -fsSL --retry 5 --retry-delay 5 --retry-max-time 120 --connect-timeout 20 --proto '=https' --tlsv1.2 \"https://github.com/krallin/tini/releases/download/${TINI_VERSION}/${fname}\" && \\\n grep \"${fname}\" \"/SHA256SUMS.d/tini-${TINI_VERSION}\" | sha256sum -c && \\\n cp -a \"${fname}\" /out/bin/tini && chmod +x /out/bin/tini && \\\n echo \"- Tini: ${TINI_VERSION}\" >> /out/share/doc/nerdctl-full/README.md\nARG BUILDG_VERSION\n# FIXME: this is a mildly-confusing approach. Buildkit will perform some \"smart\" replacement at build time and output\n# confusing debugging information, eg: BUILDG_VERSION will appear as if the original ARG value was used.\nRUN BUILDG_VERSION=${BUILDG_VERSION%%@*}; \\\n fname=\"buildg-${BUILDG_VERSION}-${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz\" && \\\n curl -o \"${fname}\" -fsSL --retry 5 --retry-delay 5 --retry-max-time 120 --connect-timeout 20 --proto '=https' --tlsv1.2 \"https://github.com/ktock/buildg/releases/download/${BUILDG_VERSION}/${fname}\" && \\\n grep \"${fname}\" \"/SHA256SUMS.d/buildg-${BUILDG_VERSION}\" | sha256sum -c && \\\n tar xzf \"${fname}\" -C /out/bin && \\\n rm -f \"${fname}\" && \\\n echo \"- buildg: ${BUILDG_VERSION}\" >> /out/share/doc/nerdctl-full/README.md\nARG ROOTLESSKIT_VERSION\nRUN ROOTLESSKIT_VERSION=${ROOTLESSKIT_VERSION%%@*}; \\\n fname=\"rootlesskit-$(cat /target_uname_m).tar.gz\" && \\\n curl -o \"${fname}\" -fsSL --retry 5 --retry-delay 5 --retry-max-time 120 --connect-timeout 20 --proto '=https' --tlsv1.2 \"https://github.com/rootless-containers/rootlesskit/releases/download/${ROOTLESSKIT_VERSION}/${fname}\" && \\\n grep \"${fname}\" \"/SHA256SUMS.d/rootlesskit-${ROOTLESSKIT_VERSION}\" | sha256sum -c && \\\n tar xzf \"${fname}\" -C /out/bin && \\\n rm -f \"${fname}\" /out/bin/rootlesskit-docker-proxy && \\\n echo \"- RootlessKit: ${ROOTLESSKIT_VERSION}\" >> /out/share/doc/nerdctl-full/README.md\nARG GOMODJAIL_VERSION\nCOPY --from=build-gomodjail /out/${TARGETARCH:-amd64}/* /out/bin/\nRUN echo \"- gomodjail: ${GOMODJAIL_VERSION}\" >> /out/share/doc/nerdctl-full/README.md\nARG CONTAINERIZED_SYSTEMD_VERSION\nRUN --mount=type=secret,id=github_token,env=GITHUB_TOKEN \\\n http::helper github::file AkihiroSuda/containerized-systemd docker-entrypoint.sh \"${CONTAINERIZED_SYSTEMD_VERSION}\" > /docker-entrypoint.sh && \\\n chmod +x /docker-entrypoint.sh\n\nRUN echo \"\" >> /out/share/doc/nerdctl-full/README.md && \\\n echo \"## License\" >> /out/share/doc/nerdctl-full/README.md && \\\n echo \"- bin/slirp4netns: [GNU GENERAL PUBLIC LICENSE, Version 2](https://github.com/rootless-containers/slirp4netns/blob/${SLIRP4NETNS_VERSION%%@*}/COPYING)\" >> /out/share/doc/nerdctl-full/README.md && \\\n echo \"- bin/fuse-overlayfs: [GNU GENERAL PUBLIC LICENSE, Version 2](https://github.com/containers/fuse-overlayfs/blob/${FUSE_OVERLAYFS_VERSION%%@*}/COPYING)\" >> /out/share/doc/nerdctl-full/README.md && \\\n echo \"- bin/{runc,bypass4netns,bypass4netnsd}: Apache License 2.0, statically linked with libseccomp ([LGPL 2.1](https://github.com/seccomp/libseccomp/blob/main/LICENSE), source code available at https://github.com/seccomp/libseccomp/)\" >> /out/share/doc/nerdctl-full/README.md && \\\n echo \"- bin/tini: [MIT License](https://github.com/krallin/tini/blob/${TINI_VERSION%%@*}/LICENSE)\" >> /out/share/doc/nerdctl-full/README.md && \\\n echo \"- Other files: [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0)\" >> /out/share/doc/nerdctl-full/README.md\n\nFROM build-dependencies AS build-full\nCOPY . /go/src/github.com/containerd/nerdctl\nRUN { echo \"# nerdctl (full distribution)\"; echo \"- nerdctl: $(cd /go/src/github.com/containerd/nerdctl && git describe --tags)\"; cat /out/share/doc/nerdctl-full/README.md; } > /out/share/doc/nerdctl-full/README.md.new; mv /out/share/doc/nerdctl-full/README.md.new /out/share/doc/nerdctl-full/README.md\nWORKDIR /go/src/github.com/containerd/nerdctl\nRUN BINDIR=/out/bin make binaries install\n# FIXME: `gomodjail pack` depends on QEMU for non-native architecture\n# TODO: gomodjail should provide a plain shell script that utilizes `zip(1)` for packing the self-extract archive, without running `gomodjail pack`..\nRUN /out/bin/gomodjail pack --go-mod=/go/src/github.com/containerd/nerdctl/go.mod /out/bin/nerdctl && \\\n cp -a nerdctl.gomodjail /out/bin/\nCOPY README.md /out/share/doc/nerdctl/\nCOPY docs /out/share/doc/nerdctl/docs\nRUN (cd /out && find ! -type d | sort | xargs sha256sum > /tmp/SHA256SUMS ) && \\\n mv /tmp/SHA256SUMS /out/share/doc/nerdctl-full/SHA256SUMS && \\\n chown -R 0:0 /out\n\nFROM scratch AS out-full\nCOPY --from=build-full /out /\n\nFROM ubuntu:${UBUNTU_VERSION} AS base\n# fuse3 is required by stargz snapshotter\nRUN apt-get update -qq && apt-get install -qq -y --no-install-recommends \\\n apparmor \\\n bash-completion \\\n ca-certificates curl \\\n iproute2 iptables \\\n dbus dbus-user-session systemd systemd-sysv \\\n fuse3\nCOPY --from=build-full /docker-entrypoint.sh /docker-entrypoint.sh\nCOPY --from=out-full / /usr/local/\nRUN perl -pi -e 's/multi-user.target/docker-entrypoint.target/g' /usr/local/lib/systemd/system/*.service && \\\n systemctl enable containerd buildkit stargz-snapshotter && \\\n mkdir -p /etc/bash_completion.d && \\\n nerdctl completion bash >/etc/bash_completion.d/nerdctl && \\\n mkdir -p -m 0755 /etc/cni\nCOPY ./Dockerfile.d/etc_containerd_config.toml /etc/containerd/config.toml\nCOPY ./Dockerfile.d/etc_buildkit_buildkitd.toml /etc/buildkit/buildkitd.toml\nVOLUME /var/lib/containerd\nVOLUME /var/lib/buildkit\nVOLUME /var/lib/containerd-stargz-grpc\nVOLUME /var/lib/nerdctl\nENTRYPOINT [\"/docker-entrypoint.sh\"]\nCMD [\"bash\", \"--login\", \"-i\"]\n\nFROM base AS test-integration\nARG DEBIAN_FRONTEND=noninteractive\n# `expect` package contains `unbuffer(1)`, which is used for emulating TTY for testing\n# `jq` is required to generate test summaries\nRUN apt-get update -qq && apt-get install -qq --no-install-recommends \\\n software-properties-common \\\n gnupg \\\n gpg-agent \\\n ca-certificates && \\\n add-apt-repository ppa:criu/ppa && \\\n apt-get update -qq && apt-get install -qq --no-install-recommends \\\n expect \\\n jq \\\n git \\\n make \\\n criu\n# We wouldn't need this if Docker Hub could have \"golang:${GO_VERSION}-ubuntu\"\nCOPY --from=build-base /usr/local/go /usr/local/go\nARG TARGETARCH\nENV PATH=/usr/local/go/bin:$PATH\nARG GOTESTSUM_VERSION\nRUN GOBIN=/usr/local/bin go install gotest.tools/gotestsum@${GOTESTSUM_VERSION}\nCOPY . /go/src/github.com/containerd/nerdctl\nWORKDIR /go/src/github.com/containerd/nerdctl\nVOLUME /tmp\nENV CGO_ENABLED=0\n# copy cosign binary for integration test\nCOPY --from=ghcr.io/sigstore/cosign/cosign:v2.2.3@sha256:8fc9cad121611e8479f65f79f2e5bea58949e8a87ffac2a42cb99cf0ff079ba7 /ko-app/cosign /usr/local/bin/cosign\n# installing soci for integration test\nARG SOCI_SNAPSHOTTER_VERSION\nRUN fname=\"soci-snapshotter-${SOCI_SNAPSHOTTER_VERSION}-${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz\" && \\\n curl -o \"${fname}\" -fsSL --retry 5 --retry-delay 5 --retry-max-time 120 --connect-timeout 20 --proto '=https' --tlsv1.2 \"https://github.com/awslabs/soci-snapshotter/releases/download/v${SOCI_SNAPSHOTTER_VERSION}/${fname}\" && \\\n tar -C /usr/local/bin -xvf \"${fname}\" soci soci-snapshotter-grpc && \\\n mkdir -p /etc/soci-snapshotter-grpc && \\\n touch /etc/soci-snapshotter-grpc/config.toml && \\\n echo \"\\n[pull_modes]\\n [pull_modes.soci_v1]\\n enable = true\" >> /etc/soci-snapshotter-grpc/config.toml\n# enable offline ipfs for integration test\nCOPY --from=build-kubo /out/${TARGETARCH:-amd64}/* /usr/local/bin/\nCOPY ./Dockerfile.d/test-integration-etc_containerd-stargz-grpc_config.toml /etc/containerd-stargz-grpc/config.toml\nCOPY ./Dockerfile.d/test-integration-ipfs-offline.service /usr/local/lib/systemd/system/\nCOPY ./Dockerfile.d/test-integration-buildkit-nerdctl-test.service /usr/local/lib/systemd/system/\nCOPY ./Dockerfile.d/test-integration-soci-snapshotter.service /usr/local/lib/systemd/system/\nRUN cp /usr/local/bin/tini /usr/local/bin/tini-custom\n# using test integration containerd config\nCOPY ./Dockerfile.d/test-integration-etc_containerd_config.toml /etc/containerd/config.toml\n# install ipfs service. avoid using 5001(api)/8080(gateway) which are reserved by tests.\nRUN systemctl enable test-integration-ipfs-offline test-integration-buildkit-nerdctl-test test-integration-soci-snapshotter && \\\n ipfs init && \\\n ipfs config Addresses.API \"/ip4/127.0.0.1/tcp/5888\" && \\\n ipfs config Addresses.Gateway \"/ip4/127.0.0.1/tcp/5889\"\n# install nydus components\nARG NYDUS_VERSION\nRUN curl -o nydus-static.tgz -fsSL --retry 5 --retry-delay 5 --retry-max-time 120 --connect-timeout 20 --proto '=https' --tlsv1.2 \"https://github.com/dragonflyoss/image-service/releases/download/${NYDUS_VERSION}/nydus-static-${NYDUS_VERSION}-linux-${TARGETARCH}.tgz\" && \\\n tar xzf nydus-static.tgz && \\\n mv nydus-static/nydus-image nydus-static/nydusd nydus-static/nydusify /usr/bin/ && \\\n rm nydus-static.tgz\nCMD [\"./hack/test-integration.sh\"]\n\nFROM test-integration AS test-integration-rootless\n# Install SSH for creating systemd user session.\n# (`sudo` does not work for this purpose,\n# OTOH `machinectl shell` can create the session but does not propagate exit code)\nRUN apt-get update -qq && apt-get install -qq --no-install-recommends \\\n uidmap \\\n openssh-server \\\n openssh-client\n# TODO: update containerized-systemd to enable sshd by default, or allow `systemctl wants ssh` here\nRUN ssh-keygen -q -t rsa -f /root/.ssh/id_rsa -N '' && \\\n useradd -m -s /bin/bash rootless && \\\n mkdir -p -m 0700 /home/rootless/.ssh && \\\n cp -a /root/.ssh/id_rsa.pub /home/rootless/.ssh/authorized_keys && \\\n mkdir -p /home/rootless/.local/share && \\\n chown -R rootless:rootless /home/rootless\nCOPY ./Dockerfile.d/etc_systemd_system_user@.service.d_delegate.conf /etc/systemd/system/user@.service.d/delegate.conf\n# ipfs daemon for rootless containerd will be enabled in /test-integration-rootless.sh\nRUN systemctl disable test-integration-ipfs-offline\nVOLUME /home/rootless/.local/share\nCOPY ./Dockerfile.d/test-integration-rootless.sh /\nRUN chmod a+rx /test-integration-rootless.sh\nCMD [\"/test-integration-rootless.sh\", \"./hack/test-integration.sh\"]\n\n# test for CONTAINERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns\nFROM test-integration-rootless AS test-integration-rootless-port-slirp4netns\nCOPY ./Dockerfile.d/home_rootless_.config_systemd_user_containerd.service.d_port-slirp4netns.conf /home/rootless/.config/systemd/user/containerd.service.d/port-slirp4netns.conf\nRUN chown -R rootless:rootless /home/rootless/.config\n\nFROM base AS demo\n" }, { "path": "Dockerfile.d/SHA256SUMS.d/SHA256SUMS", "content": "3edc52986c442576da856a66b59a61d16cf765359712c5ecf2d147c69f0df6e9 rootlesskit-aarch64.tar.gz\n6ce9eed50f9e12f18f3e5197cf93d226bc9290185880a626ab186244593d2eed rootlesskit-armv7l.tar.gz\n730ef884439e2fe15551218b05d5c4f96d96d6945db8ad7e89b1d12946408a8d rootlesskit-ppc64le.tar.gz\n05da5803d0f023ec51112bbdf8967a3e12ae19544f8c101a7f08f3bb9c6548fd rootlesskit-riscv64.tar.gz\n199f6bfcd0495d0b944d95f70e6fa1177ace16d801e2693fdd86fdaafa69b01a rootlesskit-s390x.tar.gz\nafc52e9fa2f7a2d4bb692f675cf3d2f70f3a184f02593e8b18cfbbbc34cbfd41 rootlesskit-x86_64.tar.gz\n" }, { "path": "Dockerfile.d/SHA256SUMS.d/buildg-v0.5.3", "content": "cf4c40c58ca795eeb6e75e2c6a0e5bb3a6a9c0623d51bc3b85163e5d483eeade buildg-full-v0.5.3-linux-amd64.tar.gz\n47c479f2e5150c9c76294fa93a03ad20e5928f4315bf52ca8432bfb6707d4276 buildg-full-v0.5.3-linux-arm64.tar.gz\nc289a454ae8673ff99acf56dec9ba97274c20d2015e80f7ac3b8eb8e4f77888f buildg-v0.5.3-linux-amd64.tar.gz\nb2e244250ce7ea5c090388f2025a9c546557861d25bba7b0666aa512f01fa6cd buildg-v0.5.3-linux-arm64.tar.gz\n" }, { "path": "Dockerfile.d/SHA256SUMS.d/buildkit-v0.26.3", "content": "249ae16ba4be59fadb51a49ff4d632bbf37200e2b6e187fa8574f0f1bce8166b buildkit-v0.26.3.linux-amd64.tar.gz\na98829f1b1b9ec596eb424dd03f03b9c7b596edac83e6700adf83ba0cb0d5f80 buildkit-v0.26.3.linux-arm64.tar.gz\n" }, { "path": "Dockerfile.d/SHA256SUMS.d/cni-plugins-v1.9.0", "content": "58c03705426e929658f45a851df15a86d06ef680cacbf3f2dc127731ca265c28 cni-plugins-linux-amd64-v1.9.0.tgz\n2596ef56329dd1269026f46b8df262f09ba43c92dbfb940e1e69fbccccd30a29 cni-plugins-linux-arm64-v1.9.0.tgz\n" }, { "path": "Dockerfile.d/SHA256SUMS.d/containerd-fuse-overlayfs-v2.1.7", "content": "d54148043c22381af89cec2a167431e40668716404a1eb682ca69dfb890376f3 containerd-fuse-overlayfs-2.1.7-linux-amd64.tar.gz\na301030391d51356065f628b5e6e5a5a8c55f1978289eb71d8f5284af7a81eda containerd-fuse-overlayfs-2.1.7-linux-arm-v7.tar.gz\n94ed6c2c3bece42e0c789ea056565b64fe487de4644121ee0dfb8acd8ef9369c containerd-fuse-overlayfs-2.1.7-linux-arm64.tar.gz\n1bfb1f86894b640781d837ec0f66997222b419532fae730579140dbc1c7ea858 containerd-fuse-overlayfs-2.1.7-linux-ppc64le.tar.gz\n9f2ef69b06229f5357f3fc23524922cea6616663ff220979a110a7742aaffee6 containerd-fuse-overlayfs-2.1.7-linux-riscv64.tar.gz\n03f61035cef5fff33c5084c55f133d0340597520d8d12112970609dff0bd1e7a containerd-fuse-overlayfs-2.1.7-linux-s390x.tar.gz\n" }, { "path": "Dockerfile.d/SHA256SUMS.d/fuse-overlayfs-v1.16", "content": "6c9ee54166fe7d33ebbfb085812585441f22ebe2a24a868d0a878d3127bcb89e fuse-overlayfs-aarch64\nfc2a73ace8eb6a0553204532de615d782cb98d86deeb0fa7b5d14347d0b95823 fuse-overlayfs-armv7l\n3c07b76b432a5b4e5e0ccd986919b478d096701178617175b0c71bcce7c6f6a0 fuse-overlayfs-ppc64le\n404fd7a762255d554e70849612fb6979639e1eb23a740487dbe3bac2bccc37c1 fuse-overlayfs-riscv64\n9e96cfe091b4342b8de3e239a96d5fecfb8692fbb4a201c256790c270526fd1b fuse-overlayfs-s390x\n30c6b9e192600d6854e13397974c709d7cabd980b7d1a4d67defd8eb69677e91 fuse-overlayfs-x86_64\n" }, { "path": "Dockerfile.d/SHA256SUMS.d/rootlesskit-v1.1.1", "content": "b74c577abd6ad721e0b7e10a74f4c5ac26cb3afe005ad3d28d4d7912c356079f rootlesskit-aarch64.tar.gz\n95c27e6808c942c67ab93d94e37bada3a62cfc47de848101889f8e3ba5c9f7dd rootlesskit-armv7l.tar.gz\ndf35c74cd030e1b3978f28d1cb7c909da2ab962fb0c9369463d43a89b9f16cc2 rootlesskit-ppc64le.tar.gz\n79af3e96e9d6deddc5faa4680de7e28120ae333386c48a30e79fe156f17bad9b rootlesskit-riscv64.tar.gz\n32da9a11b67340ff498de8a3268673277a1e1d9e9d8d5f619bbf09305beaaa6c rootlesskit-s390x.tar.gz\n3c83affbb405cafe2d32e2e24462af9b4dcfa19e3809030012ad0d4e3fd49e8f rootlesskit-x86_64.tar.gz\n" }, { "path": "Dockerfile.d/SHA256SUMS.d/rootlesskit-v2.3.6", "content": "3edc52986c442576da856a66b59a61d16cf765359712c5ecf2d147c69f0df6e9 rootlesskit-aarch64.tar.gz\n6ce9eed50f9e12f18f3e5197cf93d226bc9290185880a626ab186244593d2eed rootlesskit-armv7l.tar.gz\n730ef884439e2fe15551218b05d5c4f96d96d6945db8ad7e89b1d12946408a8d rootlesskit-ppc64le.tar.gz\n05da5803d0f023ec51112bbdf8967a3e12ae19544f8c101a7f08f3bb9c6548fd rootlesskit-riscv64.tar.gz\n199f6bfcd0495d0b944d95f70e6fa1177ace16d801e2693fdd86fdaafa69b01a rootlesskit-s390x.tar.gz\nafc52e9fa2f7a2d4bb692f675cf3d2f70f3a184f02593e8b18cfbbbc34cbfd41 rootlesskit-x86_64.tar.gz\n" }, { "path": "Dockerfile.d/SHA256SUMS.d/slirp4netns-v1.3.3", "content": "d0e6a13342efbedb8b7454629a0e9ce9b7a937c261034c85f46ed81af76307d8 SOURCE_DATE_EPOCH\n1ca9d2f5f1fb4beb91f354653e5dad35b95c049afb264268d99a96ff2a10d903 slirp4netns-aarch64\n3e209d1c56fccbe627a038d311b233c15e8d914b30f9b981b5ed78b98e836859 slirp4netns-armv7l\n4d1003a98103ee170c0fcd4aad8a5e0ba7aa2e70fbca883cbb6a39f40447c8da slirp4netns-ppc64le\n06a13b398d88120097b20dace966d7dd5e2fbfd284b95a086347808df392200e slirp4netns-riscv64\n23d4a206edd6d3fc9c86f8b05c0881ff77a607b8d471f20964ad9f9c3f3176b1 slirp4netns-s390x\n5618887b671a30a2f7548f2bdf7fba98a53981abc80cfd3183cd28b4dc8b2b97 slirp4netns-x86_64\n" }, { "path": "Dockerfile.d/SHA256SUMS.d/stargz-snapshotter-v0.18.1", "content": "f8f106a61b9fc797a6336d6c06435cdbf8b896f3f49fdc5288e08e87dff6bbdf stargz-snapshotter-v0.18.1-linux-amd64.tar.gz\n643d04f5e97e83606b9ee129c2c33513df13a091dbc1dc084256d13a1034b749 stargz-snapshotter-v0.18.1-linux-arm64.tar.gz\nf1cf855870af16a653d8acb9daa3edf84687c2c05323cb958f078fb148af3eec stargz-snapshotter.service\n" }, { "path": "Dockerfile.d/SHA256SUMS.d/tini-v0.19.0", "content": "c5b0666b4cb676901f90dfcb37106783c5fe2077b04590973b885950611b30ee tini-static-amd64\neae1d3aa50c48fb23b8cbdf4e369d0910dfc538566bfd09df89a774aa84a48b9 tini-static-arm64\n" }, { "path": "Dockerfile.d/etc_buildkit_buildkitd.toml", "content": "[worker.oci]\n enabled = false\n\n[worker.containerd]\n enabled = true\n namespace = \"default\"\n" }, { "path": "Dockerfile.d/etc_containerd_config.toml", "content": "version = 2\n\n# Enable stargz snapshotter\n[proxy_plugins]\n [proxy_plugins.stargz]\n type = \"snapshot\"\n address = \"/run/containerd-stargz-grpc/containerd-stargz-grpc.sock\"\n [proxy_plugins.stargz.exports]\n root = \"/var/lib/containerd-stargz-grpc/\"\n enable_remote_snapshot_annotations = \"true\"\n[[plugins.\"io.containerd.transfer.v1.local\".unpack_config]]\n platform = \"linux\"\n snapshotter = \"overlayfs\"\n[[plugins.\"io.containerd.transfer.v1.local\".unpack_config]]\n platform = \"linux\"\n snapshotter = \"stargz\"\n" }, { "path": "Dockerfile.d/etc_systemd_system_user@.service.d_delegate.conf", "content": "[Service]\nDelegate=yes\n" }, { "path": "Dockerfile.d/home_rootless_.config_systemd_user_containerd.service.d_port-slirp4netns.conf", "content": "[Service]\n# Change the port driver from \"builtin\" to \"slirp4netns\". Only used in CI.\nEnvironment=\"CONTAINERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns\"\n" }, { "path": "Dockerfile.d/test-integration-buildkit-nerdctl-test.service", "content": "# Copyright The containerd Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n# Copied from released buildkit.service\n\n[Unit]\nAfter=network.target local-fs.target\nDescription=buildkit daemon for integration test (namespace: nerdctl-test)\n\n[Service]\nExecStartPre=-/sbin/modprobe overlay\nExecStart=/usr/local/bin/buildkitd --oci-worker=false --containerd-worker=true --addr=\"unix:///run/buildkit-nerdctl-test/buildkitd.sock\" --root=/var/lib/buildkit-nerdctl-test --containerd-worker-namespace=nerdctl-test\n\nType=notify\nDelegate=yes\nKillMode=process\nRestart=always\nRestartSec=5\n# Having non-zero Limit*s causes performance problems due to accounting overhead\n# in the kernel. We recommend using cgroups to do container-local accounting.\nLimitNPROC=infinity\nLimitCORE=infinity\nLimitNOFILE=infinity\n# Comment TasksMax if your systemd version does not supports it.\n# Only systemd 226 and above support this version.\nTasksMax=infinity\nOOMScoreAdjust=-999\n\n[Install]\nWantedBy=docker-entrypoint.target\n" }, { "path": "Dockerfile.d/test-integration-etc_containerd-stargz-grpc_config.toml", "content": "version = 2\n\n# Enable IPFS\nipfs = true" }, { "path": "Dockerfile.d/test-integration-etc_containerd_config.toml", "content": "version = 2\n\n# Enable stargz snapshotter\n[proxy_plugins]\n [proxy_plugins.stargz]\n type = \"snapshot\"\n address = \"/run/containerd-stargz-grpc/containerd-stargz-grpc.sock\"\n [proxy_plugins.stargz.exports]\n root = \"/var/lib/containerd-stargz-grpc/\"\n enable_remote_snapshot_annotations = \"true\"\n\n# Enable soci snapshotter\n [proxy_plugins.soci]\n type = \"snapshot\"\n address = \"/run/soci-snapshotter-grpc/soci-snapshotter-grpc.sock\"\n [proxy_plugins.soci.exports]\n root = \"/var/lib/soci-snapshotter-grpc\"\n enable_remote_snapshot_annotations = \"true\"\n\n[[plugins.\"io.containerd.transfer.v1.local\".unpack_config]]\n platform = \"linux\"\n snapshotter = \"overlayfs\"\n\n[[plugins.\"io.containerd.transfer.v1.local\".unpack_config]]\n platform = \"linux\"\n snapshotter = \"soci\"\n\n[[plugins.\"io.containerd.transfer.v1.local\".unpack_config]]\n platform = \"linux\"\n snapshotter = \"stargz\"\n" }, { "path": "Dockerfile.d/test-integration-ipfs-offline.service", "content": "[Unit]\nDescription=ipfs daemon for integration test (offline)\n\n[Service]\nExecStart=ipfs daemon --init --offline\nEnvironment=IPFS_PATH=\"%h/.ipfs\"\n\n[Install]\nWantedBy=docker-entrypoint.target\n" }, { "path": "Dockerfile.d/test-integration-rootless.sh", "content": "#!/bin/bash\n\n# Copyright The containerd Authors.\n\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n\n# http://www.apache.org/licenses/LICENSE-2.0\n\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nset -eux -o pipefail\nif [[ \"$(id -u)\" = \"0\" ]]; then\n # Ensure securityfs is mounted for apparmor to work\n if ! mountpoint -q /sys/kernel/security; then\n mount -tsecurityfs securityfs /sys/kernel/security\n fi\n\tif [ -e /sys/kernel/security/apparmor/profiles ]; then\n\t\t# Load the \"nerdctl-default\" profile for TestRunApparmor\n\t\tnerdctl apparmor load\n\tfi\n\n\t: \"${WORKAROUND_ISSUE_622:=}\"\n\tif [[ \"$WORKAROUND_ISSUE_622\" != \"\" ]]; then\n\t\ttouch /workaround-issue-622\n\tfi\n\n\t# Switch to the rootless user via SSH\n\tsystemctl start ssh\n\texec ssh -o StrictHostKeyChecking=no rootless@localhost \"$0\" \"$@\"\nelse\n\tcontainerd-rootless-setuptool.sh install\n\tif grep -q \"options use-vc\" /etc/resolv.conf; then\n\t\tcontainerd-rootless-setuptool.sh nsenter -- sh -euc 'echo \"options use-vc\" >>/etc/resolv.conf'\n\tfi\n\n\tif [[ -e /workaround-issue-622 ]]; then\n\t\techo \"WORKAROUND_ISSUE_622: Not enabling BuildKit (https://github.com/containerd/nerdctl/issues/622)\" >&2\n\telse\n\t\tCONTAINERD_NAMESPACE=\"nerdctl-test\" containerd-rootless-setuptool.sh install-buildkit-containerd\n\tfi\n\tcontainerd-rootless-setuptool.sh install-stargz\n\tif [ ! -f \"/home/rootless/.config/containerd/config.toml\" ] ; then\n\t\techo \"version = 2\" > /home/rootless/.config/containerd/config.toml\n\tfi\n\tcat <>/home/rootless/.config/containerd/config.toml\n[proxy_plugins]\n [proxy_plugins.\"stargz\"]\n type = \"snapshot\"\n address = \"/run/user/$(id -u)/containerd-stargz-grpc/containerd-stargz-grpc.sock\"\n [proxy_plugins.stargz.exports]\n root = \"/home/rootless/.local/share/containerd-stargz-grpc/\"\n enable_remote_snapshot_annotations = \"true\"\n[[plugins.\"io.containerd.transfer.v1.local\".unpack_config]]\n platform = \"linux\"\n snapshotter = \"overlayfs\"\n[[plugins.\"io.containerd.transfer.v1.local\".unpack_config]]\n platform = \"linux\"\n snapshotter = \"stargz\"\nEOF\n\tsystemctl --user restart containerd.service\n\tcontainerd-rootless-setuptool.sh -- install-ipfs --init --offline # offline ipfs daemon for testing\n\techo \"ipfs = true\" >>/home/rootless/.config/containerd-stargz-grpc/config.toml\n\tsystemctl --user restart stargz-snapshotter.service\n\texport IPFS_PATH=\"/home/rootless/.local/share/ipfs\"\n\tcontainerd-rootless-setuptool.sh install-bypass4netnsd\n\t# Once ssh-ed, we lost the Dockerfile working dir, so, get back in the nerdctl checkout\n\tcd /go/src/github.com/containerd/nerdctl\n\t# We also lose the PATH (and SendEnv=PATH would require sshd config changes)\n\texec env PATH=\"/usr/local/go/bin:$PATH\" \"$@\"\nfi\n" }, { "path": "Dockerfile.d/test-integration-soci-snapshotter.service", "content": "[Unit]\nDescription=soci snapshotter containerd plugin for integration test\nDocumentation=https://github.com/awslabs/soci-snapshotter\nAfter=network.target\nBefore=containerd.service\n\n[Service]\nType=notify\nExecStartPre=/bin/bash -c 'mkdir -p /var/lib/soci-snapshotter-grpc && mount -t tmpfs none /var/lib/soci-snapshotter-grpc'\nExecStart=/usr/local/bin/soci-snapshotter-grpc\nRestart=always\nRestartSec=5\n\n[Install]\nWantedBy=docker-entrypoint.target\n" }, { "path": "EMERITUS.md", "content": "See [`MAINTAINERS`](./MAINTAINERS) for the current active maintainers.\n- - -\n# nerdctl Emeritus Maintainers\n\n## Committers\n### Ye Sijun ([@junnplus](https://github.com/junnplus))\nYe Sijun (GitHub ID [@junnplus](https://github.com/junnplus)) served as\na Committer of nerdctl from November 2022 to June 2024.\nPrior to his role as a Committer, Sijun served as a Reviewer since February 2022.\n\nSijun has made [significant improvements](https://github.com/containerd/nerdctl/pulls?q=author%3Ajunnplus+)\nespecially to `nerdctl compose`, IPAM, and cosign integration.\n\n## Reviewers\n### Hanchin Hsieh ([@yuchanns](https://github.com/yuchanns))\nHanchin Hsieh (GitHub ID [@yuchanns](https://github.com/yuchanns)) served as\na Reviewer of nerdctl from November 2022 to June 2024.\n\nHanchin has made significant contributions such as the addition of\n[syslog driver](https://github.com/containerd/nerdctl/pull/1377) and\n[IPv6 networking](https://github.com/containerd/nerdctl/pull/1558).\n\n### Manu Gupta ([@manugupt1](https://github.com/manugupt1))\nManu Gupta (GitHub ID [@manugupt1](https://github.com/manugupt1)) served as\na Reviewer of nerdctl from 2022 to August 2025.\n\nManu has made [significant improvements](https://github.com/containerd/nerdctl/pulls?q=author%3Amanugupt1+)\nespecially to image and volume management, container runtime features, build system enhancements,\nand CI/CD infrastructure. Notable contributions include image filtering capabilities, volume size\ninspection, Docker Compose enhancements, and multi-architecture build support.\n" }, { "path": "LICENSE", "content": "\n Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n 1. Definitions.\n\n \"License\" shall mean the terms and conditions for use, reproduction,\n and distribution as defined by Sections 1 through 9 of this document.\n\n \"Licensor\" shall mean the copyright owner or entity authorized by\n the copyright owner that is granting the License.\n\n \"Legal Entity\" shall mean the union of the acting entity and all\n other entities that control, are controlled by, or are under common\n control with that entity. For the purposes of this definition,\n \"control\" means (i) the power, direct or indirect, to cause the\n direction or management of such entity, whether by contract or\n otherwise, or (ii) ownership of fifty percent (50%) or more of the\n outstanding shares, or (iii) beneficial ownership of such entity.\n\n \"You\" (or \"Your\") shall mean an individual or Legal Entity\n exercising permissions granted by this License.\n\n \"Source\" form shall mean the preferred form for making modifications,\n including but not limited to software source code, documentation\n source, and configuration files.\n\n \"Object\" form shall mean any form resulting from mechanical\n transformation or translation of a Source form, including but\n not limited to compiled object code, generated documentation,\n and conversions to other media types.\n\n \"Work\" shall mean the work of authorship, whether in Source or\n Object form, made available under the License, as indicated by a\n copyright notice that is included in or attached to the work\n (an example is provided in the Appendix below).\n\n \"Derivative Works\" shall mean any work, whether in Source or Object\n form, that is based on (or derived from) the Work and for which the\n editorial revisions, annotations, elaborations, or other modifications\n represent, as a whole, an original work of authorship. For the purposes\n of this License, Derivative Works shall not include works that remain\n separable from, or merely link (or bind by name) to the interfaces of,\n the Work and Derivative Works thereof.\n\n \"Contribution\" shall mean any work of authorship, including\n the original version of the Work and any modifications or additions\n to that Work or Derivative Works thereof, that is intentionally\n submitted to Licensor for inclusion in the Work by the copyright owner\n or by an individual or Legal Entity authorized to submit on behalf of\n the copyright owner. For the purposes of this definition, \"submitted\"\n means any form of electronic, verbal, or written communication sent\n to the Licensor or its representatives, including but not limited to\n communication on electronic mailing lists, source code control systems,\n and issue tracking systems that are managed by, or on behalf of, the\n Licensor for the purpose of discussing and improving the Work, but\n excluding communication that is conspicuously marked or otherwise\n designated in writing by the copyright owner as \"Not a Contribution.\"\n\n \"Contributor\" shall mean Licensor and any individual or Legal Entity\n on behalf of whom a Contribution has been received by Licensor and\n subsequently incorporated within the Work.\n\n 2. Grant of Copyright License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n copyright license to reproduce, prepare Derivative Works of,\n publicly display, publicly perform, sublicense, and distribute the\n Work and such Derivative Works in Source or Object form.\n\n 3. Grant of Patent License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n (except as stated in this section) patent license to make, have made,\n use, offer to sell, sell, import, and otherwise transfer the Work,\n where such license applies only to those patent claims licensable\n by such Contributor that are necessarily infringed by their\n Contribution(s) alone or by combination of their Contribution(s)\n with the Work to which such Contribution(s) was submitted. If You\n institute patent litigation against any entity (including a\n cross-claim or counterclaim in a lawsuit) alleging that the Work\n or a Contribution incorporated within the Work constitutes direct\n or contributory patent infringement, then any patent licenses\n granted to You under this License for that Work shall terminate\n as of the date such litigation is filed.\n\n 4. Redistribution. You may reproduce and distribute copies of the\n Work or Derivative Works thereof in any medium, with or without\n modifications, and in Source or Object form, provided that You\n meet the following conditions:\n\n (a) You must give any other recipients of the Work or\n Derivative Works a copy of this License; and\n\n (b) You must cause any modified files to carry prominent notices\n stating that You changed the files; and\n\n (c) You must retain, in the Source form of any Derivative Works\n that You distribute, all copyright, patent, trademark, and\n attribution notices from the Source form of the Work,\n excluding those notices that do not pertain to any part of\n the Derivative Works; and\n\n (d) If the Work includes a \"NOTICE\" text file as part of its\n distribution, then any Derivative Works that You distribute must\n include a readable copy of the attribution notices contained\n within such NOTICE file, excluding those notices that do not\n pertain to any part of the Derivative Works, in at least one\n of the following places: within a NOTICE text file distributed\n as part of the Derivative Works; within the Source form or\n documentation, if provided along with the Derivative Works; or,\n within a display generated by the Derivative Works, if and\n wherever such third-party notices normally appear. The contents\n of the NOTICE file are for informational purposes only and\n do not modify the License. You may add Your own attribution\n notices within Derivative Works that You distribute, alongside\n or as an addendum to the NOTICE text from the Work, provided\n that such additional attribution notices cannot be construed\n as modifying the License.\n\n You may add Your own copyright statement to Your modifications and\n may provide additional or different license terms and conditions\n for use, reproduction, or distribution of Your modifications, or\n for any such Derivative Works as a whole, provided Your use,\n reproduction, and distribution of the Work otherwise complies with\n the conditions stated in this License.\n\n 5. Submission of Contributions. Unless You explicitly state otherwise,\n any Contribution intentionally submitted for inclusion in the Work\n by You to the Licensor shall be under the terms and conditions of\n this License, without any additional terms or conditions.\n Notwithstanding the above, nothing herein shall supersede or modify\n the terms of any separate license agreement you may have executed\n with Licensor regarding such Contributions.\n\n 6. Trademarks. This License does not grant permission to use the trade\n names, trademarks, service marks, or product names of the Licensor,\n except as required for reasonable and customary use in describing the\n origin of the Work and reproducing the content of the NOTICE file.\n\n 7. Disclaimer of Warranty. Unless required by applicable law or\n agreed to in writing, Licensor provides the Work (and each\n Contributor provides its Contributions) on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n implied, including, without limitation, any warranties or conditions\n of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n PARTICULAR PURPOSE. You are solely responsible for determining the\n appropriateness of using or redistributing the Work and assume any\n risks associated with Your exercise of permissions under this License.\n\n 8. Limitation of Liability. In no event and under no legal theory,\n whether in tort (including negligence), contract, or otherwise,\n unless required by applicable law (such as deliberate and grossly\n negligent acts) or agreed to in writing, shall any Contributor be\n liable to You for damages, including any direct, indirect, special,\n incidental, or consequential damages of any character arising as a\n result of this License or out of the use or inability to use the\n Work (including but not limited to damages for loss of goodwill,\n work stoppage, computer failure or malfunction, or any and all\n other commercial damages or losses), even if such Contributor\n has been advised of the possibility of such damages.\n\n 9. Accepting Warranty or Additional Liability. While redistributing\n the Work or Derivative Works thereof, You may choose to offer,\n and charge a fee for, acceptance of support, warranty, indemnity,\n or other liability obligations and/or rights consistent with this\n License. However, in accepting such obligations, You may act only\n on Your own behalf and on Your sole responsibility, not on behalf\n of any other Contributor, and only if You agree to indemnify,\n defend, and hold each Contributor harmless for any liability\n incurred by, or claims asserted against, such Contributor by reason\n of your accepting any such warranty or additional liability.\n\n END OF TERMS AND CONDITIONS\n\n APPENDIX: How to apply the Apache License to your work.\n\n To apply the Apache License to your work, attach the following\n boilerplate notice, with the fields enclosed by brackets \"[]\"\n replaced with your own identifying information. (Don't include\n the brackets!) The text should be enclosed in the appropriate\n comment syntax for the file format. We also recommend that a\n file or class name and description of purpose be included on the\n same \"printed page\" as the copyright notice for easier\n identification within third-party archives.\n\n Copyright [yyyy] [name of copyright owner]\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n" }, { "path": "MAINTAINERS", "content": "# nerdctl maintainers\n#\n# As a containerd sub-project, containerd maintainers are also included from https://github.com/containerd/project/blob/main/MAINTAINERS.\n# See https://github.com/containerd/project/blob/main/GOVERNANCE.md for description of maintainer role\n#\n# See also MAINTAINERS_GUIDE.md\n\n# CORE COMMITTERS who regularly contribute to nerdctl\n# (Extracted from https://github.com/containerd/project/blob/main/MAINTAINERS for ease of reference)\n# GitHub ID, Name, Email address, GPG fingerprint\n\"AkihiroSuda\",\"Akihiro Suda\",\"akihiro.suda.cz@hco.ntt.co.jp\",\"C020 EA87 6CE4 E06C 7AB9 5AEF 4952 4C6F 9F63 8F1A\"\n\n# COMMITTERS\n# GitHub ID, Name, Email address, GPG fingerprint\n\"ktock\",\"Kohei Tokunaga\",\"ktokunaga.mail@gmail.com\",\"\"\n\"fahedouch\",\"Fahed Dorgaa\",\"fahed.dorgaa@gmail.com\",\"EE7A 5503 CE0D 38AC 5B95 A500 F35F F497 60A8 65FA\"\n\"Zheaoli\", \"Zheao Li\", \"me@manjusaka.me\",\"6E0D D9FA BAD5 AF61 D884 01EE 878F 445D 9C6C E65E\"\n\"djdongjin\", \"Jin Dong\", \"djdongjin95@gmail.com\",\"\"\n\"yankay\", \"Kay Yan\", \"kay.yan@daocloud.io\", \"\"\n\"ChengyuZhu6\",\"Chengyu Zhu\",\"hudson@cyzhu.com\",\"\"\n\n# REVIEWERS\n# GitHub ID, Name, Email address, GPG fingerprint\n\"jsturtevant\",\"James Sturtevant\",\"jstur@microsoft.com\",\"\"\n\"Shubhranshu153\",\"Shubharanshu Mahapatra\",\"shubhum@amazon.com\",\"\"\n\"haytok\",\"Hayato Kiwata\",\"haytok@amazon.co.jp\",\"B485 C5AA 6220 0A06 78FD 294D FA4F 2421 1D65 269F\"\n\n# EMERITUS\n# See EMERITUS.md\n" }, { "path": "MAINTAINERS_GUIDE.md", "content": "# Maintainers' guide\n\n## Maintainer list\n\n- Core: https://github.com/containerd/project/blob/main/MAINTAINERS\n- Non-core: [`MAINTAINERS`](./MAINTAINERS)\n\n## Governance\n\nSee https://github.com/containerd/project/blob/main/GOVERNANCE.md\n\n## Creating a release\n\nEligibility to be a release manager:\n- MUST be an active Commiter (Core or Non-core)\n- MUST have the GPG fingerprint listed in [`MAINTAINERS`](./MAINTAINERS)\n- MUST upload the GPG public key to `https://github.com/USERNAME.gpg`\n- MUST protect the GPG key with a passphrase or a hardware token.\n\nRelease steps:\n- Open a PR to keep the dependencies up-to-date.\n Update `go.mod` for Go dependencies (usually Dependabot automatically updates them).\n Update `Dockerfile` and relevant files under `Dockerfile.d` for `nerdctl-full` dependencies.\n- Open an issue to propose making a new release.\n The proposal should be public, with an exception for vulnerability fixes.\n If this is the first time for you to take a role of release management,\n you SHOULD make a beta (or alpha, RC) release as an exercise before releasing GA.\n- Make sure that all the merged PRs are associated with the correct [Milestone](https://github.com/containerd/nerdctl/milestones).\n- Run `git tag --sign vX.Y.Z-beta.W` .\n- Run `git push UPSTREAM vX.Y.Z-beta.W` .\n- Wait for the `Release` action on GitHub Actions to complete. A draft release will appear in https://github.com/containerd/nerdctl/releases .\n- Download `SHA256SUMS` from the draft release, and confirm that it corresponds to the hashes printed in the build logs on the `Release` action.\n- Sign `SHA256SUMS` with `gpg --detach-sign -a SHA256SUMS` to produce `SHA256SUMS.asc`, and upload it to the draft release.\n- Add release notes in the draft release, to explain the changes and show appreciation to the contributors.\n Make sure to fulfill the `Release manager: [ADD YOUR NAME HERE] (@[ADD YOUR GITHUB ID HERE])` line with your name.\n e.g., `Release manager: Akihiro Suda (@AkihiroSuda)` .\n- Click the `Set as a pre-release` checkbox if this release is a beta (or alpha, RC).\n- Click the `Publish release` button.\n- Close the [Milestone](https://github.com/containerd/nerdctl/milestones).\n" }, { "path": "Makefile", "content": "# Copyright The containerd Authors.\n\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n\n# http://www.apache.org/licenses/LICENSE-2.0\n\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n# -----------------------------------------------------------------------------\n# Portions from https://github.com/kubernetes-sigs/cri-tools/blob/v1.19.0/Makefile\n# Copyright The Kubernetes Authors.\n# Licensed under the Apache License, Version 2.0\n# -----------------------------------------------------------------------------\n\n##########################\n# Configuration\n##########################\nPACKAGE := \"github.com/containerd/nerdctl/v2\"\n\nDOCKER ?= docker\nGO ?= go\nGOOS ?= $(shell $(GO) env GOOS)\nGOARCH ?= $(shell $(GO) env GOARCH)\nifeq ($(GOOS),windows)\n\tBIN_EXT := .exe\nendif\n\n# distro builders might want to override these\nPREFIX ?= /usr/local\nBINDIR ?= $(PREFIX)/bin\nDATADIR ?= $(PREFIX)/share\nDOCDIR ?= $(DATADIR)/doc\n\nBINARY ?= \"nerdctl\"\nMAKEFILE_DIR := $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST)))))\nVERSION ?= $(shell git -C $(MAKEFILE_DIR) describe --match 'v[0-9]*' --dirty='.m' --always --tags 2>/dev/null || echo no_git_information)\nVERSION_TRIMMED := $(VERSION:v%=%)\nREVISION ?= $(shell git -C $(MAKEFILE_DIR) rev-parse HEAD 2>/dev/null || echo no_git_information)$(shell if ! git -C $(MAKEFILE_DIR) diff --no-ext-diff --quiet --exit-code 2>/dev/null; then echo .m; fi)\nLINT_COMMIT_RANGE ?= main..HEAD\nGO_BUILD_LDFLAGS ?= -s -w\nGO_BUILD_FLAGS ?=\n\nBUILDTAGS ?=\nGO_TAGS=$(if $(BUILDTAGS),-tags \"$(strip $(BUILDTAGS))\",)\n\n##########################\n# Helpers\n##########################\nifdef VERBOSE\n\tVERBOSE_FLAG := -v\n\tVERBOSE_FLAG_LONG := --verbose\nendif\n\nexport GO_BUILD=CGO_ENABLED=0 GOOS=$(GOOS) $(GO) -C $(MAKEFILE_DIR) build $(GO_TAGS) -ldflags \"$(GO_BUILD_LDFLAGS) $(VERBOSE_FLAG) -X $(PACKAGE)/pkg/version.Version=$(VERSION) -X $(PACKAGE)/pkg/version.Revision=$(REVISION)\"\n\nifndef NO_COLOR\n NC := \\033[0m\n GREEN := \\033[1;32m\n ORANGE := \\033[1;33m\nendif\n\nrecursive_wildcard=$(wildcard $1$2) $(foreach e,$(wildcard $1*),$(call recursive_wildcard,$e/,$2))\n\ndefine title\n\t@printf \"$(GREEN)____________________________________________________________________________________________________\\n\"\n\t@printf \"$(GREEN)%*s\\n\" $$(( ( $(shell echo \"🤓$(1) 🤓\" | wc -c ) + 100 ) / 2 )) \"🤓$(1) 🤓\"\n\t@printf \"$(GREEN)____________________________________________________________________________________________________\\n$(ORANGE)\"\nendef\n\ndefine footer\n\t@printf \"$(GREEN)> %s: done!\\n\" \"$(1)\"\n\t@printf \"$(GREEN)____________________________________________________________________________________________________\\n$(NC)\"\nendef\n\n##########################\n# High-level tasks definitions\n##########################\nall: binaries\n\nlint: lint-go-all lint-yaml lint-shell lint-commits lint-mod lint-licenses-all\n\nfix: fix-mod fix-go-all\n\n# TODO: fix race task and add it\ntest: test-unit # test-unit-race test-unit-bench\n\nhelp:\n\t@echo \"Usage: make \"\n\t@echo\n\t@echo \" * 'lint' - Run linters against codebase.\"\n\t@echo \" * 'fix' - Automatically fixes imports, modules, and simple formatting.\"\n\t@echo \" * 'test' - Run basic unit testing.\"\n\t@echo \" * 'binaries' - Build nerdctl.\"\n\t@echo \" * 'install' - Install binaries to system locations.\"\n\t@echo \" * 'clean' - Clean artifacts.\"\n\n##########################\n# Building and installation tasks\n##########################\nbinaries: $(CURDIR)/_output/$(BINARY)$(BIN_EXT)\n\n$(CURDIR)/_output/$(BINARY)$(BIN_EXT):\n\t$(call title, $@: $(GOOS)/$(GOARCH))\n\t$(GO_BUILD) $(GO_BUILD_FLAGS) $(VERBOSE_FLAG) -o $(CURDIR)/_output/$(BINARY)$(BIN_EXT) ./cmd/nerdctl\n\t$(call footer, $@)\n\ninstall:\n\t$(call title, $@)\n\tinstall -D -m 755 $(CURDIR)/_output/$(BINARY) $(DESTDIR)$(BINDIR)/$(BINARY)\n\tinstall -D -m 755 $(MAKEFILE_DIR)/extras/rootless/containerd-rootless.sh $(DESTDIR)$(BINDIR)/containerd-rootless.sh\n\tinstall -D -m 755 $(MAKEFILE_DIR)/extras/rootless/containerd-rootless-setuptool.sh $(DESTDIR)$(BINDIR)/containerd-rootless-setuptool.sh\n\tinstall -D -m 644 -t $(DESTDIR)$(DOCDIR)/nerdctl $(MAKEFILE_DIR)/docs/*.md\n\t$(call footer, $@)\n\nclean:\n\t$(call title, $@)\n\tfind . -name \\*~ -delete\n\tfind . -name \\#\\* -delete\n\trm -rf $(CURDIR)/_output/* $(MAKEFILE_DIR)/vendor\n\t$(call footer, $@)\n\n##########################\n# Linting tasks\n##########################\nlint-go:\n\t$(call title, $@: $(GOOS))\n\t@cd $(MAKEFILE_DIR) \\\n\t\t&& golangci-lint run $(VERBOSE_FLAG_LONG) ./...\n\t$(call footer, $@)\n\nlint-go-all:\n\t$(call title, $@)\n\t@cd $(MAKEFILE_DIR) \\\n\t\t&& GOOS=linux make lint-go \\\n\t\t&& GOOS=windows make lint-go \\\n\t\t&& GOOS=freebsd make lint-go \\\n\t\t&& GOOS=darwin make lint-go\n\t$(call footer, $@)\n\nlint-yaml:\n\t$(call title, $@)\n\tcd $(MAKEFILE_DIR) \\\n\t\t&& yamllint .\n\t$(call footer, $@)\n\nlint-shell: $(call recursive_wildcard,$(MAKEFILE_DIR)/,*.sh)\n\t$(call title, $@)\n\tshellcheck -a -x $^\n\t$(call footer, $@)\n\nlint-commits:\n\t$(call title, $@)\n\t@cd $(MAKEFILE_DIR) \\\n\t\t&& git-validation $(VERBOSE_FLAG) -run DCO,short-subject,dangling-whitespace -range \"$(LINT_COMMIT_RANGE)\"\n\t$(call footer, $@)\n\nlint-mod:\n\t$(call title, $@)\n\t@cd $(MAKEFILE_DIR) \\\n\t\t&& go mod tidy --diff\n\t$(call footer, $@)\n\n# FIXME: go-licenses cannot find LICENSE from root of repo when submodule is imported:\n# https://github.com/google/go-licenses/issues/186\n# This is impacting gotest.tools\n# FIXME: go-base36 is multi-license (MIT/Apache), using a custom boilerplate file that go-licenses fails to understand\nlint-licenses:\n\t$(call title, $@: $(GOOS))\n\t@cd $(MAKEFILE_DIR) \\\n\t\t&& go-licenses check --include_tests --allowed_licenses=Apache-2.0,BSD-2-Clause,BSD-2-Clause-FreeBSD,BSD-3-Clause,MIT,ISC,Python-2.0,PostgreSQL,X11,Zlib \\\n\t\t --ignore gotest.tools \\\n\t\t --ignore github.com/multiformats/go-base36 \\\n\t\t ./...\n\t$(call footer, $@)\n\nlint-licenses-all:\n\t$(call title, $@)\n\t@cd $(MAKEFILE_DIR) \\\n\t\t&& GOOS=linux make lint-licenses \\\n\t\t&& GOOS=windows make lint-licenses \\\n\t\t&& GOOS=freebsd make lint-licenses \\\n\t\t&& GOOS=darwin make lint-licenses\n\t$(call footer, $@)\n\n##########################\n# Automated fixing tasks\n##########################\nfix-go:\n\t$(call title, $@: $(GOOS))\n\t@cd $(MAKEFILE_DIR) \\\n\t\t&& golangci-lint run --fix\n\t$(call footer, $@)\n\nfix-go-all:\n\t$(call title, $@)\n\t@cd $(MAKEFILE_DIR) \\\n\t\t&& GOOS=linux make fix-go \\\n\t\t&& GOOS=windows make fix-go \\\n\t\t&& GOOS=freebsd make fix-go \\\n\t\t&& GOOS=darwin make fix-go\n\t$(call footer, $@)\n\nfix-mod:\n\t$(call title, $@)\n\t@cd $(MAKEFILE_DIR) \\\n\t\t&& go mod tidy\n\t$(call footer, $@)\n\n##########################\n# Development tools installation\n##########################\ninstall-dev-tools:\n\t$(call title, $@)\n\t# golangci: v2.4.0 (2025-08-14)\n\t# git-validation: main (2025-02-25)\n\t# ltag: main (2025-03-04)\n\t# go-licenses: v2.0.0-alpha.1 (2024-06-27)\n\t# stubbing go-licenses with dependency upgrade due to non-compatibility with golang 1.25rc1\n\t# Issue: https://github.com/google/go-licenses/issues/312\n\t@cd $(MAKEFILE_DIR) \\\n\t && go install github.com/Shubhranshu153/go-licenses/v2@f8c503d1357dffb6c97ed3b94e912ab294dde24a \\\n\t\t&& go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@43d03392d7dc3746fa776dbddd66dfcccff70651 \\\n\t\t&& go install github.com/vbatts/git-validation@7b60e35b055dd2eab5844202ffffad51d9c93922 \\\n\t\t&& go install github.com/containerd/ltag@66e6a514664ee2d11a470735519fa22b1a9eaabd \\\n\t\t&& go install gotest.tools/gotestsum@0d9599e513d70e5792bb9334869f82f6e8b53d4d\n\t@echo \"Remember to add \\$$HOME/go/bin to your path\"\n\t$(call footer, $@)\n\n##########################\n# Testing tasks\n##########################\ntest-unit:\n\t$(call title, $@)\n\t@go test $(VERBOSE_FLAG) $(MAKEFILE_DIR)/pkg/...\n\t$(call footer, $@)\n\ntest-unit-bench:\n\t$(call title, $@)\n\t@go test $(VERBOSE_FLAG) $(MAKEFILE_DIR)/pkg/... -bench=.\n\t$(call footer, $@)\n\ntest-unit-race:\n\t$(call title, $@)\n\t@go test $(VERBOSE_FLAG) $(MAKEFILE_DIR)/pkg/... -race\n\t$(call footer, $@)\n\n##########################\n# Release tasks\n##########################\n# Note that these options will not work on macOS - unless you use gnu-tar instead of tar\nTAR_OWNER0_FLAGS=--owner=0 --group=0\nTAR_FLATTEN_FLAGS=--transform 's/.*\\///g'\n\ndefine make_artifact_full_linux\n\t$(DOCKER) build --secret id=github_token,env=GITHUB_TOKEN --output type=tar,dest=$(CURDIR)/_output/nerdctl-full-$(VERSION_TRIMMED)-linux-$(1).tar --target out-full --platform $(1) --build-arg GO_VERSION -f $(MAKEFILE_DIR)/Dockerfile $(MAKEFILE_DIR)\n\tgzip -9 $(CURDIR)/_output/nerdctl-full-$(VERSION_TRIMMED)-linux-$(1).tar\nendef\n\nartifacts: clean\n\t$(call title, $@)\n\tGOOS=linux GOARCH=amd64 make -C $(CURDIR) -f $(MAKEFILE_DIR)/Makefile binaries\n\ttar $(TAR_OWNER0_FLAGS) $(TAR_FLATTEN_FLAGS) -czvf $(CURDIR)/_output/nerdctl-$(VERSION_TRIMMED)-linux-amd64.tar.gz $(CURDIR)/_output/nerdctl $(MAKEFILE_DIR)/extras/rootless/*\n\n\tGOOS=linux GOARCH=arm64 make -C $(CURDIR) -f $(MAKEFILE_DIR)/Makefile binaries\n\ttar $(TAR_OWNER0_FLAGS) $(TAR_FLATTEN_FLAGS) -czvf $(CURDIR)/_output/nerdctl-$(VERSION_TRIMMED)-linux-arm64.tar.gz $(CURDIR)/_output/nerdctl $(MAKEFILE_DIR)/extras/rootless/*\n\n\tGOOS=linux GOARCH=arm GOARM=7 make -C $(CURDIR) -f $(MAKEFILE_DIR)/Makefile binaries\n\ttar $(TAR_OWNER0_FLAGS) $(TAR_FLATTEN_FLAGS) -czvf $(CURDIR)/_output/nerdctl-$(VERSION_TRIMMED)-linux-arm-v7.tar.gz $(CURDIR)/_output/nerdctl $(MAKEFILE_DIR)/extras/rootless/*\n\n\tGOOS=linux GOARCH=loong64 make -C $(CURDIR) -f $(MAKEFILE_DIR)/Makefile binaries\n\ttar $(TAR_OWNER0_FLAGS) $(TAR_FLATTEN_FLAGS) -czvf $(CURDIR)/_output/nerdctl-$(VERSION_TRIMMED)-linux-loong64.tar.gz $(CURDIR)/_output/nerdctl $(MAKEFILE_DIR)/extras/rootless/*\n\n\tGOOS=linux GOARCH=ppc64le make -C $(CURDIR) -f $(MAKEFILE_DIR)/Makefile binaries\n\ttar $(TAR_OWNER0_FLAGS) $(TAR_FLATTEN_FLAGS) -czvf $(CURDIR)/_output/nerdctl-$(VERSION_TRIMMED)-linux-ppc64le.tar.gz $(CURDIR)/_output/nerdctl $(MAKEFILE_DIR)/extras/rootless/*\n\n\tGOOS=linux GOARCH=riscv64 make -C $(CURDIR) -f $(MAKEFILE_DIR)/Makefile binaries\n\ttar $(TAR_OWNER0_FLAGS) $(TAR_FLATTEN_FLAGS) -czvf $(CURDIR)/_output/nerdctl-$(VERSION_TRIMMED)-linux-riscv64.tar.gz $(CURDIR)/_output/nerdctl $(MAKEFILE_DIR)/extras/rootless/*\n\n\tGOOS=linux GOARCH=s390x make -C $(CURDIR) -f $(MAKEFILE_DIR)/Makefile binaries\n\ttar $(TAR_OWNER0_FLAGS) $(TAR_FLATTEN_FLAGS) -czvf $(CURDIR)/_output/nerdctl-$(VERSION_TRIMMED)-linux-s390x.tar.gz $(CURDIR)/_output/nerdctl $(MAKEFILE_DIR)/extras/rootless/*\n\n\tGOOS=windows GOARCH=amd64 make -C $(CURDIR) -f $(MAKEFILE_DIR)/Makefile binaries\n\ttar $(TAR_OWNER0_FLAGS) $(TAR_FLATTEN_FLAGS) -czvf $(CURDIR)/_output/nerdctl-$(VERSION_TRIMMED)-windows-amd64.tar.gz $(CURDIR)/_output/nerdctl.exe\n\n\tGOOS=freebsd GOARCH=amd64 make -C $(CURDIR) -f $(MAKEFILE_DIR)/Makefile binaries\n\ttar $(TAR_OWNER0_FLAGS) $(TAR_FLATTEN_FLAGS) -czvf $(CURDIR)/_output/nerdctl-$(VERSION_TRIMMED)-freebsd-amd64.tar.gz $(CURDIR)/_output/nerdctl\n\n\trm -f $(CURDIR)/_output/nerdctl $(CURDIR)/_output/nerdctl.exe\n\n\t$(call make_artifact_full_linux,amd64)\n\t$(call make_artifact_full_linux,arm64)\n\n\t$(GO) -C $(MAKEFILE_DIR) mod vendor\n\ttar $(TAR_OWNER0_FLAGS) -czf $(CURDIR)/_output/nerdctl-$(VERSION_TRIMMED)-go-mod-vendor.tar.gz $(MAKEFILE_DIR)/go.mod $(MAKEFILE_DIR)/go.sum $(MAKEFILE_DIR)/vendor\n\t$(call footer, $@)\n\n.PHONY: \\\n\tall \\\n\tlint \\\n\tfix \\\n\ttest \\\n\thelp \\\n\tbinaries \\\n\tinstall \\\n\tclean \\\n\tlint-go lint-go-all lint-yaml lint-shell lint-commits lint-mod lint-licenses lint-licenses-all \\\n\tfix-go fix-go-all fix-mod \\\n\tinstall-dev-tools \\\n\ttest-unit test-unit-race test-unit-bench \\\n\tartifacts\n" }, { "path": "NOTICE", "content": "nerdctl\nCopyright The containerd Authors.\n\nThis project contains portions of other projects that are licensed under the terms of Apache License 2.0.\nThe NOTICE files of those projects are replicated here.\n\n=== https://github.com/moby/moby , https://github.com/docker/cli ===\nhttps://github.com/moby/moby/blob/v20.10.14/LICENSE , https://github.com/docker/cli/blob/v20.10.14/LICENSE\nhttps://github.com/moby/moby/blob/v20.10.14/NOTICE , https://github.com/docker/cli/blob/v20.10.14/NOTICE\n\n> Docker\n> Copyright 2012-2017 Docker, Inc.\n>\n> This product includes software developed at Docker, Inc. (https://www.docker.com).\n>\n> This product contains software (https://github.com/creack/pty) developed\n> by Keith Rarick, licensed under the MIT License.\n>\n> The following is courtesy of our legal counsel:\n>\n>\n> Use and transfer of Docker may be subject to certain restrictions by the\n> United States and other governments.\n> It is your responsibility to ensure that your use and/or transfer does not\n> violate applicable laws.\n>\n> For more information, please see https://www.bis.doc.gov\n>\n> See also https://www.apache.org/dev/crypto.html and/or seek legal counsel.\n\n=== https://github.com/docker/compose ===\nhttps://github.com/docker/compose/blob/v2.4.1/LICENSE\nhttps://github.com/docker/compose/blob/v2.4.1/NOTICE\n\n> Docker Compose V2\n> Copyright 2020 Docker Compose authors\n>\n> This product includes software developed at Docker, Inc. (https://www.docker.com).\n" }, { "path": "README.md", "content": "[[⬇️ **Download]**](https://github.com/containerd/nerdctl/releases)\n[[📖 **Command reference]**](./docs/command-reference.md)\n[[❓**FAQs & Troubleshooting]**](./docs/faq.md)\n[[📚 **Additional documents]**](#additional-documents)\n\n# nerdctl: Docker-compatible CLI for containerd\n\n\n \n \n \"logo\"\n\n\n`nerdctl` is a Docker-compatible CLI for [contai**nerd**](https://containerd.io).\n\n ✅ Same UI/UX as `docker`\n\n ✅ Supports Docker Compose (`nerdctl compose up`)\n\n ✅ [Optional] Supports [rootless mode, without slirp overhead (bypass4netns)](./docs/rootless.md)\n\n ✅ [Optional] Supports lazy-pulling ([Stargz](./docs/stargz.md), [Nydus](./docs/nydus.md), [OverlayBD](./docs/overlaybd.md))\n\n ✅ [Optional] Supports [encrypted images (ocicrypt)](./docs/ocicrypt.md)\n\n ✅ [Optional] Supports [P2P image distribution (IPFS)](./docs/ipfs.md) (\\*1)\n\n ✅ [Optional] Supports [container image signing and verifying (cosign)](./docs/cosign.md)\n\nnerdctl is a **non-core** sub-project of containerd.\n\n\\*1: P2P image distribution (IPFS) is completely optional. Your host is NOT connected to any P2P network, unless you opt in to [install and run IPFS daemon](https://docs.ipfs.io/install/).\n\n## Examples\n\n### Basic usage\n\nTo run a container with the default `bridge` CNI network (10.4.0.0/24):\n\n```console\n# nerdctl run -it --rm alpine\n```\n\nTo build an image using BuildKit:\n\n```console\n# nerdctl build -t foo /some-dockerfile-directory\n# nerdctl run -it --rm foo\n```\n\nTo build and send output to a local directory using BuildKit:\n\n```console\n# nerdctl build -o type=local,dest=. /some-dockerfile-directory\n```\n\nTo run containers from `docker-compose.yaml`:\n\n```console\n# nerdctl compose -f ./examples/compose-wordpress/docker-compose.yaml up\n```\n\nSee also [`./examples/compose-wordpress`](./examples/compose-wordpress).\n\n### Debugging Kubernetes\n\nTo list local Kubernetes containers:\n\n```console\n# nerdctl --namespace k8s.io ps -a\n```\n\nTo build an image for local Kubernetes without using registry:\n\n```console\n# nerdctl --namespace k8s.io build -t foo /some-dockerfile-directory\n# kubectl apply -f - <\n\nIn addition to containerd, the following components should be installed:\n\n- [CNI plugins](https://github.com/containernetworking/plugins): for using `nerdctl run`.\n - v1.1.0 or later is highly recommended.\n- [BuildKit](https://github.com/moby/buildkit) (OPTIONAL): for using `nerdctl build`. BuildKit daemon (`buildkitd`) needs to be running. See also [the document about setting up BuildKit](./docs/build.md).\n - v0.11.0 or later is highly recommended. Some features, such as pruning caches with `nerdctl system prune`, do not work with older versions.\n- [RootlessKit](https://github.com/rootless-containers/rootlesskit) and [slirp4netns](https://github.com/rootless-containers/slirp4netns) (OPTIONAL): for [Rootless mode](./docs/rootless.md)\n - RootlessKit needs to be v0.10.0 or later. v2.0.0 or later is recommended.\n - slirp4netns needs to be v0.4.0 or later. v1.1.7 or later is recommended.\n\nThese dependencies are included in `nerdctl-full---.tar.gz`, but not included in `nerdctl---.tar.gz`.\n\n### Brew\n\nOn Linux systems you can install nerdctl via [brew](https://brew.sh):\n\n```bash\nbrew install nerdctl\n```\n\nThis is currently not supported for macOS. The section below shows how to install on macOS using brew.\n\n### macOS\n\n[Lima](https://github.com/lima-vm/lima) project provides Linux virtual machines for macOS, with built-in integration for nerdctl.\n\n```console\n$ brew install lima\n$ limactl start\n$ lima nerdctl run -d --name nginx -p 127.0.0.1:8080:80 nginx:alpine\n```\n\n### FreeBSD\n\nSee [`./docs/freebsd.md`](docs/freebsd.md).\n\n### Windows\n\n- Linux containers: Known to work on WSL2\n- Windows containers: experimental support for Windows (see below for features that are currently known to work)\n\n### Docker\n\nTo run containerd and nerdctl inside Docker:\n\n```bash\ndocker build -t nerdctl .\ndocker run -it --rm --privileged nerdctl\n```\n\n## Motivation\n\nThe goal of `nerdctl` is to facilitate experimenting the cutting-edge features of containerd that are not present in Docker (see below).\n\nNote that competing with Docker is _not_ the goal of `nerdctl`. Those cutting-edge features are expected to be eventually available in Docker as well.\n\nAlso, `nerdctl` might be potentially useful for debugging Kubernetes clusters, but it is not the primary goal.\n\n## Features present in `nerdctl` but not present in Docker\n\nMajor:\n\n- On-demand image pulling (lazy-pulling) using [Stargz](./docs/stargz.md)/[Nydus](./docs/nydus.md)/[OverlayBD](./docs/overlaybd.md)/[SOCI](./docs/soci.md) Snapshotter: `nerdctl --snapshotter=stargz|nydus|overlaybd|soci run IMAGE` .\n- [Image encryption and decryption using ocicrypt (imgcrypt)](./docs/ocicrypt.md): `nerdctl image (encrypt|decrypt) SRC DST`\n- [P2P image distribution using IPFS](./docs/ipfs.md): `nerdctl run ipfs://CID` .\n P2P image distribution (IPFS) is completely optional. Your host is NOT connected to any P2P network, unless you opt in to [install and run IPFS daemon](https://docs.ipfs.io/install/).\n- [Cosign integration](./docs/cosign.md): `nerdctl pull --verify=cosign` and `nerdctl push --sign=cosign`, and [in Compose](./docs/cosign.md#cosign-in-compose)\n- [Accelerated rootless containers using bypass4netns](./docs/rootless.md): `nerdctl run --annotation nerdctl/bypass4netns=true`\n\nMinor:\n\n- Namespacing: `nerdctl --namespace= ps` .\n (NOTE: All Kubernetes containers are in the `k8s.io` containerd namespace regardless to Kubernetes namespaces)\n- Exporting Docker/OCI dual-format archives: `nerdctl save` .\n- Importing OCI archives as well as Docker archives: `nerdctl load` .\n- Specifying a non-image rootfs: `nerdctl run -it --rootfs /bin/sh` . The CLI syntax conforms to Podman convention.\n- Connecting a container to multiple networks at once: `nerdctl run --net foo --net bar`\n- Running [FreeBSD jails](./docs/freebsd.md).\n- Better multi-platform support, e.g., `nerdctl pull --all-platforms IMAGE`\n- Applying an (existing) AppArmor profile to rootless containers: `nerdctl run --security-opt apparmor=`.\n Use `sudo nerdctl apparmor load` to load the `nerdctl-default` profile.\n- Systemd compatibility support: `nerdctl run --systemd=always`\n\nTrivial:\n\n- Inspecting raw OCI config: `nerdctl container inspect --mode=native` .\n\n## Features implemented in `nerdctl` ahead of Docker\n\n- Recursive read-only (RRO) bind-mount: `nerdctl run -v /mnt:/mnt:rro` (make children such as `/mnt/usb` to be read-only, too).\n Requires kernel >= 5.12.\nThe same feature was later introduced in Docker v25 with a different syntax. nerdctl will support Docker v25 syntax too in the future.\n## Similar tools\n\n- [`ctr`](https://github.com/containerd/containerd/tree/main/cmd/ctr): incompatible with Docker CLI, and not friendly to users.\n Notably, `ctr` lacks the equivalents of the following nerdctl commands:\n - `nerdctl run -p `\n - `nerdctl run --restart=always --net=bridge`\n - `nerdctl pull` with `~/.docker/config.json` and credential helper binaries such as `docker-credential-ecr-login`\n - `nerdctl logs`\n - `nerdctl build`\n - `nerdctl compose up`\n\n- [`crictl`](https://github.com/kubernetes-sigs/cri-tools): incompatible with Docker CLI, not friendly to users, and does not support non-CRI features\n- [k3c v0.2 (abandoned)](https://github.com/rancher/k3c/tree/v0.2.1): needs an extra daemon, and does not support non-CRI features\n- [Rancher Kim (nee k3c v0.3)](https://github.com/rancher/kim): needs Kubernetes, and only focuses on image management commands such as `kim build` and `kim push`\n- [PouchContainer (abandoned?)](https://github.com/alibaba/pouch): needs an extra daemon\n\n## Developer guide\n\nnerdctl is a containerd **non-core** sub-project, licensed under the [Apache 2.0 license](./LICENSE).\nAs a containerd non-core sub-project, you will find the:\n\n- [Project governance](https://github.com/containerd/project/blob/main/GOVERNANCE.md),\n- [Maintainers](./MAINTAINERS),\n- and [Contributing guidelines](https://github.com/containerd/project/blob/main/CONTRIBUTING.md)\n\ninformation in our [`containerd/project`](https://github.com/containerd/project) repository.\n\n### Compiling nerdctl from source\n\nRun `make && sudo make install`.\n\nSee the header of [`go.mod`](./go.mod) for the minimum supported version of Go.\n\nUsing `go install github.com/containerd/nerdctl/v2/cmd/nerdctl` is possible, but unrecommended because it does not fill version strings printed in `nerdctl version`\n\n### Testing\n\nSee [testing nerdctl](docs/testing/README.md).\n\n### Contributing to nerdctl\n\nLots of commands and flags are currently missing. Pull requests are highly welcome.\n\nPlease certify your [Developer Certificate of Origin (DCO)](https://developercertificate.org/), by signing off your commit with `git commit -s` and with your real name.\n\n# Command reference\n\nMoved to [`./docs/command-reference.md`](./docs/command-reference.md)\n\n# Additional documents\n\nConfiguration guide:\n\n- [`./docs/config.md`](./docs/config.md): Configuration (`/etc/nerdctl/nerdctl.toml`, `~/.config/nerdctl/nerdctl.toml`)\n- [`./docs/registry.md`](./docs/registry.md): Registry authentication (`~/.docker/config.json`)\n\nBasic features:\n\n- [`./docs/compose.md`](./docs/compose.md): Compose\n- [`./docs/rootless.md`](./docs/rootless.md): Rootless mode\n- [`./docs/cni.md`](./docs/cni.md): CNI for containers network\n- [`./docs/build.md`](./docs/build.md): `nerdctl build` with BuildKit\n\nAdvanced features:\n\n- [`./docs/stargz.md`](./docs/stargz.md): Lazy-pulling using Stargz Snapshotter\n- [`./docs/nydus.md`](./docs/nydus.md): Lazy-pulling using Nydus Snapshotter\n- [`./docs/soci.md`](./docs/soci.md): Lazy-pulling using SOCI Snapshotter\n- [`./docs/overlaybd.md`](./docs/overlaybd.md): Lazy-pulling using OverlayBD Snapshotter\n- [`./docs/ocicrypt.md`](./docs/ocicrypt.md): Running encrypted images\n- [`./docs/gpu.md`](./docs/gpu.md): Using GPUs inside containers\n- [`./docs/multi-platform.md`](./docs/multi-platform.md): Multi-platform mode\n\nExperimental features:\n\n- [`./docs/experimental.md`](./docs/experimental.md): Experimental features\n- [`./docs/freebsd.md`](./docs/freebsd.md): Running FreeBSD jails\n- [`./docs/ipfs.md`](./docs/ipfs.md): Distributing images on IPFS\n- [`./docs/builder-debug.md`](./docs/builder-debug.md): Interactive debugging of Dockerfile\n\nImplementation details:\n\n- [`./docs/dir.md`](./docs/dir.md): Directory layout (`/var/lib/nerdctl`)\n\nMisc:\n\n- [`./docs/faq.md`](./docs/faq.md): FAQs and Troubleshooting\n" }, { "path": "SECURITY.md", "content": "See https://github.com/containerd/project/blob/main/SECURITY.md for reporting a vulnerability.\n" }, { "path": "Vagrantfile.freebsd", "content": "# -*- mode: ruby -*-\n# vi: set ft=ruby :\n\n# Copyright The containerd Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n\n# http://www.apache.org/licenses/LICENSE-2.0\n\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n# Vagrantfile for FreeBSD\nVagrant.configure(\"2\") do |config|\n config.vm.box = \"generic/freebsd14\"\n\n memory = 2048\n cpus = 1\n config.vm.provider :virtualbox do |v, o|\n v.memory = memory\n v.cpus = cpus\n end\n config.vm.provider :libvirt do |v|\n v.memory = memory\n v.cpus = cpus\n end\n\n config.vm.synced_folder \".\", \"/vagrant\", type: \"rsync\"\n\n config.vm.provision \"install\", type: \"shell\", run: \"once\" do |sh|\n sh.inline = <<~SHELL\n #!/usr/bin/env bash\n set -eux -o pipefail\n freebsd-version -kru\n # switching to \"release_2\" ensures compatibility with the current Vagrant box\n # https://github.com/moby/buildkit/pull/5893\n sed -i '' 's/latest/release_2/' /usr/local/etc/pkg/repos/FreeBSD.conf\n # `pkg install go` still installs Go 1.20 (March 2024)\n pkg install -y go122 containerd runj\n ln -s go122 /usr/local/bin/go\n cd /vagrant\n go install ./cmd/nerdctl\n SHELL\n end\n\n config.vm.provision \"test-unit\", type: \"shell\", run: \"never\" do |sh|\n sh.inline = <<~SHELL\n #!/usr/bin/env bash\n set -eux -o pipefail\n cd /vagrant\n go test -v ./pkg/...\n SHELL\n end\n\n config.vm.provision \"test-integration\", type: \"shell\", run: \"never\" do |sh|\n sh.inline = <<~SHELL\n #!/usr/bin/env bash\n set -eux -o pipefail\n daemon -o containerd.out containerd\n sleep 3\n CONTAINERD_ADDRESS=/run/containerd/containerd.sock /root/go/bin/nerdctl run --rm --quiet --net=none dougrabson/freebsd-minimal:13 echo \"Nerdctl is up and running.\"\n SHELL\n end\n\nend\n" }, { "path": "cmd/nerdctl/apparmor/apparmor_inspect_linux.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage apparmor\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/apparmor\"\n\t\"github.com/containerd/nerdctl/v2/pkg/defaults\"\n)\n\nfunc inspectCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"inspect\",\n\t\tShort: fmt.Sprintf(\"Display the default AppArmor profile %q. Other profiles cannot be displayed with this command.\", defaults.AppArmorProfileName),\n\t\tArgs: cobra.NoArgs,\n\t\tRunE: inspectAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\treturn cmd\n}\n\nfunc inspectAction(cmd *cobra.Command, args []string) error {\n\treturn apparmor.Inspect(types.ApparmorInspectOptions{\n\t\tStdout: cmd.OutOrStdout(),\n\t})\n}\n" }, { "path": "cmd/nerdctl/apparmor/apparmor_linux.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage apparmor\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n)\n\nfunc Command() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tAnnotations: map[string]string{helpers.Category: helpers.Management},\n\t\tUse: \"apparmor\",\n\t\tShort: \"Manage AppArmor profiles\",\n\t\tRunE: helpers.UnknownSubcommandAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.AddCommand(\n\t\tlistCommand(),\n\t\tinspectCommand(),\n\t\tloadCommand(),\n\t\tunloadCommand(),\n\t)\n\treturn cmd\n}\n" }, { "path": "cmd/nerdctl/apparmor/apparmor_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage apparmor\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n)\n\nfunc TestMain(m *testing.M) {\n\ttestutil.M(m)\n}\n" }, { "path": "cmd/nerdctl/apparmor/apparmor_list_linux.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage apparmor\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/apparmor\"\n)\n\nfunc listCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"ls\",\n\t\tAliases: []string{\"list\"},\n\t\tShort: \"List the loaded AppArmor profiles\",\n\t\tArgs: cobra.NoArgs,\n\t\tRunE: listAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().BoolP(\"quiet\", \"q\", false, \"Only display profile names\")\n\t// Alias \"-f\" is reserved for \"--filter\"\n\tcmd.Flags().String(\"format\", \"\", \"Format the output using the given go template\")\n\tcmd.RegisterFlagCompletionFunc(\"format\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"json\", \"table\", \"wide\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\treturn cmd\n}\n\nfunc listOptions(cmd *cobra.Command) (types.ApparmorListOptions, error) {\n\tquiet, err := cmd.Flags().GetBool(\"quiet\")\n\tif err != nil {\n\t\treturn types.ApparmorListOptions{}, err\n\t}\n\tformat, err := cmd.Flags().GetString(\"format\")\n\tif err != nil {\n\t\treturn types.ApparmorListOptions{}, err\n\t}\n\treturn types.ApparmorListOptions{\n\t\tQuiet: quiet,\n\t\tFormat: format,\n\t\tStdout: cmd.OutOrStdout(),\n\t}, nil\n}\n\nfunc listAction(cmd *cobra.Command, args []string) error {\n\toptions, err := listOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn apparmor.List(options)\n}\n" }, { "path": "cmd/nerdctl/apparmor/apparmor_load_linux.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage apparmor\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/apparmor\"\n\t\"github.com/containerd/nerdctl/v2/pkg/defaults\"\n)\n\nfunc loadCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"load\",\n\t\tShort: fmt.Sprintf(\"Load the default AppArmor profile %q. Requires root.\", defaults.AppArmorProfileName),\n\t\tArgs: cobra.NoArgs,\n\t\tRunE: loadAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\treturn cmd\n}\n\nfunc loadAction(cmd *cobra.Command, args []string) error {\n\treturn apparmor.Load()\n}\n" }, { "path": "cmd/nerdctl/apparmor/apparmor_unload_linux.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage apparmor\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/apparmor\"\n\t\"github.com/containerd/nerdctl/v2/pkg/defaults\"\n)\n\nfunc unloadCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"unload [PROFILE]\",\n\t\tShort: fmt.Sprintf(\"Unload an AppArmor profile. The target profile name defaults to %q. Requires root.\", defaults.AppArmorProfileName),\n\t\tArgs: cobra.MaximumNArgs(1),\n\t\tRunE: unloadAction,\n\t\tValidArgsFunction: unloadShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\treturn cmd\n}\n\nfunc unloadAction(cmd *cobra.Command, args []string) error {\n\ttarget := defaults.AppArmorProfileName\n\tif len(args) > 0 {\n\t\ttarget = args[0]\n\t}\n\treturn apparmor.Unload(target)\n}\n\nfunc unloadShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\treturn completion.ApparmorProfiles(cmd)\n}\n" }, { "path": "cmd/nerdctl/builder/builder.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage builder\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"os/exec\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/docker/go-units\"\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/builder\"\n)\n\nfunc Command() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tAnnotations: map[string]string{helpers.Category: helpers.Management},\n\t\tUse: \"builder\",\n\t\tShort: \"Manage builds\",\n\t\tRunE: helpers.UnknownSubcommandAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.AddCommand(\n\t\tBuildCommand(),\n\t\tpruneCommand(),\n\t\tdebugCommand(),\n\t)\n\treturn cmd\n}\n\nfunc pruneCommand() *cobra.Command {\n\tshortHelp := `Clean up BuildKit build cache`\n\tvar cmd = &cobra.Command{\n\t\tUse: \"prune\",\n\t\tArgs: cobra.NoArgs,\n\t\tShort: shortHelp,\n\t\tRunE: pruneAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\n\tcmd.Flags().String(\"buildkit-host\", \"\", \"BuildKit address\")\n\tcmd.Flags().BoolP(\"all\", \"a\", false, \"Remove all unused build cache, not just dangling ones\")\n\tcmd.Flags().BoolP(\"force\", \"f\", false, \"Do not prompt for confirmation\")\n\treturn cmd\n}\n\nfunc pruneAction(cmd *cobra.Command, _ []string) error {\n\toptions, err := pruneOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif !options.Force {\n\t\tvar msg string\n\n\t\tif options.All {\n\t\t\tmsg = \"This will remove all build cache.\"\n\t\t} else {\n\t\t\tmsg = \"This will remove any dangling build cache.\"\n\t\t}\n\n\t\tif confirmed, err := helpers.Confirm(cmd, fmt.Sprintf(\"WARNING! %s.\", msg)); err != nil || !confirmed {\n\t\t\treturn err\n\t\t}\n\t}\n\n\tprunedObjects, err := builder.Prune(cmd.Context(), options)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tvar totalReclaimedSpace int64\n\n\tfor _, prunedObject := range prunedObjects {\n\t\ttotalReclaimedSpace += prunedObject.Size\n\t}\n\n\tfmt.Fprintf(cmd.OutOrStdout(), \"Total: %s\\n\", units.BytesSize(float64(totalReclaimedSpace)))\n\n\treturn nil\n}\n\nfunc pruneOptions(cmd *cobra.Command) (types.BuilderPruneOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.BuilderPruneOptions{}, err\n\t}\n\n\tbuildkitHost, err := GetBuildkitHost(cmd, globalOptions.Namespace)\n\tif err != nil {\n\t\treturn types.BuilderPruneOptions{}, err\n\t}\n\n\tall, err := cmd.Flags().GetBool(\"all\")\n\tif err != nil {\n\t\treturn types.BuilderPruneOptions{}, err\n\t}\n\n\tforce, err := cmd.Flags().GetBool(\"force\")\n\tif err != nil {\n\t\treturn types.BuilderPruneOptions{}, err\n\t}\n\n\treturn types.BuilderPruneOptions{\n\t\tStderr: cmd.OutOrStderr(),\n\t\tGOptions: globalOptions,\n\t\tBuildKitHost: buildkitHost,\n\t\tAll: all,\n\t\tForce: force,\n\t}, nil\n}\n\nfunc debugCommand() *cobra.Command {\n\tshortHelp := `Debug Dockerfile`\n\tvar cmd = &cobra.Command{\n\t\tUse: \"debug\",\n\t\tShort: shortHelp,\n\t\tPreRunE: helpers.CheckExperimental(\"`nerdctl builder debug`\"),\n\t\tRunE: debugAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().StringP(\"file\", \"f\", \"\", \"Name of the Dockerfile\")\n\tcmd.Flags().String(\"target\", \"\", \"Set the target build stage to build\")\n\tcmd.Flags().StringArray(\"build-arg\", nil, \"Set build-time variables\")\n\tcmd.Flags().String(\"image\", \"\", \"Image to use for debugging stage\")\n\tcmd.Flags().StringArray(\"ssh\", nil, \"Allow forwarding SSH agent to the build. Format: default|[=|[,]]\")\n\tcmd.Flags().StringArray(\"secret\", nil, \"Expose secret value to the build. Format: id=secretname,src=filepath\")\n\thelpers.AddDurationFlag(cmd, \"buildg-startup-timeout\", nil, 1*time.Minute, \"\", \"Timeout for starting up buildg\")\n\treturn cmd\n}\n\nfunc debugAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif len(args) < 1 {\n\t\treturn fmt.Errorf(\"context needs to be specified\")\n\t}\n\n\tbuildgBinary, err := exec.LookPath(\"buildg\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tbuildgArgs := []string{\"debug\"}\n\tif globalOptions.Debug {\n\t\tbuildgArgs = append([]string{\"--debug\"}, buildgArgs...)\n\t}\n\n\tstartupTimeout, err := cmd.Flags().GetDuration(\"buildg-startup-timeout\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tbuildgArgs = append(buildgArgs, \"--startup-timeout=\"+startupTimeout.String())\n\n\tif file, err := cmd.Flags().GetString(\"file\"); err != nil {\n\t\treturn err\n\t} else if file != \"\" {\n\t\tbuildgArgs = append(buildgArgs, \"--file=\"+file)\n\t}\n\n\tif target, err := cmd.Flags().GetString(\"target\"); err != nil {\n\t\treturn err\n\t} else if target != \"\" {\n\t\tbuildgArgs = append(buildgArgs, \"--target=\"+target)\n\t}\n\n\tif buildArgsValue, err := cmd.Flags().GetStringArray(\"build-arg\"); err != nil {\n\t\treturn err\n\t} else if len(buildArgsValue) > 0 {\n\t\tfor _, v := range buildArgsValue {\n\t\t\tarr := strings.Split(v, \"=\")\n\t\t\tif len(arr) == 1 && len(arr[0]) > 0 {\n\t\t\t\t// Avoid masking default build arg value from Dockerfile if environment variable is not set\n\t\t\t\t// https://github.com/moby/moby/issues/24101\n\t\t\t\tval, ok := os.LookupEnv(arr[0])\n\t\t\t\tif ok {\n\t\t\t\t\tbuildgArgs = append(buildgArgs, fmt.Sprintf(\"--build-arg=%s=%s\", v, val))\n\t\t\t\t}\n\t\t\t} else if len(arr) > 1 && len(arr[0]) > 0 {\n\t\t\t\tbuildgArgs = append(buildgArgs, \"--build-arg=\"+v)\n\t\t\t} else {\n\t\t\t\treturn fmt.Errorf(\"invalid build arg %q\", v)\n\t\t\t}\n\t\t}\n\t}\n\n\tif imageValue, err := cmd.Flags().GetString(\"image\"); err != nil {\n\t\treturn err\n\t} else if imageValue != \"\" {\n\t\tbuildgArgs = append(buildgArgs, \"--image=\"+imageValue)\n\t}\n\n\tif sshValue, err := cmd.Flags().GetStringArray(\"ssh\"); err != nil {\n\t\treturn err\n\t} else if len(sshValue) > 0 {\n\t\tfor _, v := range sshValue {\n\t\t\tbuildgArgs = append(buildgArgs, \"--ssh=\"+v)\n\t\t}\n\t}\n\n\tif secretValue, err := cmd.Flags().GetStringArray(\"secret\"); err != nil {\n\t\treturn err\n\t} else if len(secretValue) > 0 {\n\t\tfor _, v := range secretValue {\n\t\t\tbuildgArgs = append(buildgArgs, \"--secret=\"+v)\n\t\t}\n\t}\n\n\tbuildgCmd := exec.Command(buildgBinary, append(buildgArgs, args[0])...)\n\tbuildgCmd.Env = os.Environ()\n\tbuildgCmd.Stdin = cmd.InOrStdin()\n\tbuildgCmd.Stdout = cmd.OutOrStdout()\n\tbuildgCmd.Stderr = cmd.ErrOrStderr()\n\tif err := buildgCmd.Start(); err != nil {\n\t\treturn err\n\t}\n\n\treturn buildgCmd.Wait()\n}\n" }, { "path": "cmd/nerdctl/builder/builder_build.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage builder\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/log\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/buildkitutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/builder\"\n\t\"github.com/containerd/nerdctl/v2/pkg/strutil\"\n)\n\nfunc BuildCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"build [flags] PATH\",\n\t\tShort: \"Build an image from a Dockerfile. Needs buildkitd to be running.\",\n\t\tLong: `Build an image from a Dockerfile. Needs buildkitd to be running.\nIf Dockerfile is not present and -f is not specified, it will look for Containerfile and build with it. `,\n\t\tRunE: buildAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().String(\"buildkit-host\", \"\", \"BuildKit address\")\n\tcmd.Flags().StringArray(\"add-host\", nil, \"Add a custom host-to-IP mapping (format: \\\"host:ip\\\")\")\n\tcmd.Flags().StringArrayP(\"tag\", \"t\", nil, \"Name and optionally a tag in the 'name:tag' format\")\n\tcmd.Flags().StringP(\"file\", \"f\", \"\", \"Name of the Dockerfile\")\n\tcmd.Flags().String(\"target\", \"\", \"Set the target build stage to build\")\n\tcmd.Flags().StringArray(\"build-arg\", nil, \"Set build-time variables\")\n\tcmd.Flags().Bool(\"no-cache\", false, \"Do not use cache when building the image\")\n\tcmd.Flags().StringP(\"output\", \"o\", \"\", \"Output destination (format: type=local,dest=path)\")\n\tcmd.Flags().String(\"progress\", \"auto\", \"Set type of progress output (auto, plain, tty). Use plain to show container output\")\n\tcmd.Flags().String(\"provenance\", \"\", \"Shorthand for \\\"--attest=type=provenance\\\"\")\n\tcmd.Flags().Bool(\"pull\", false, \"On true, always attempt to pull latest image version from remote. Default uses buildkit's default.\")\n\tcmd.Flags().StringArray(\"secret\", nil, \"Secret file to expose to the build: id=mysecret,src=/local/secret\")\n\tcmd.Flags().StringArray(\"allow\", nil, \"Allow extra privileged entitlement, e.g. network.host, security.insecure\")\n\tcmd.RegisterFlagCompletionFunc(\"allow\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"network.host\", \"security.insecure\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\tcmd.Flags().StringArray(\"attest\", nil, \"Attestation parameters (format: \\\"type=sbom,generator=image\\\")\")\n\tcmd.Flags().StringArray(\"ssh\", nil, \"SSH agent socket or keys to expose to the build (format: default|[=|[,]])\")\n\tcmd.Flags().BoolP(\"quiet\", \"q\", false, \"Suppress the build output and print image ID on success\")\n\tcmd.Flags().String(\"sbom\", \"\", \"Shorthand for \\\"--attest=type=sbom\\\"\")\n\tcmd.Flags().StringArray(\"cache-from\", nil, \"External cache sources (eg. user/app:cache, type=local,src=path/to/dir)\")\n\tcmd.Flags().StringArray(\"cache-to\", nil, \"Cache export destinations (eg. user/app:cache, type=local,dest=path/to/dir)\")\n\tcmd.Flags().Bool(\"rm\", true, \"Remove intermediate containers after a successful build\")\n\tcmd.Flags().String(\"network\", \"default\", \"Set type of network for build (format:network=default|none|host)\")\n\tcmd.RegisterFlagCompletionFunc(\"network\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"default\", \"host\", \"none\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\t// #region platform flags\n\t// platform is defined as StringSlice, not StringArray, to allow specifying \"--platform=amd64,arm64\"\n\tcmd.Flags().StringSlice(\"platform\", []string{}, \"Set target platform for build (e.g., \\\"amd64\\\", \\\"arm64\\\")\")\n\tcmd.RegisterFlagCompletionFunc(\"platform\", completion.Platforms)\n\tcmd.Flags().StringArray(\"build-context\", []string{}, \"Additional build contexts (e.g., name=path)\")\n\t// #endregion\n\n\tcmd.Flags().String(\"iidfile\", \"\", \"Write the image ID to the file\")\n\tcmd.Flags().StringArray(\"label\", nil, \"Set metadata for an image\")\n\tcmd.Flags().String(\"source-policy-file\", \"\", \"BuildKit source policy file (see https://github.com/moby/buildkit/blob/master/docs/build-repro.md)\")\n\n\treturn cmd\n}\n\nfunc processBuildCommandFlag(cmd *cobra.Command, args []string) (types.BuilderBuildOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.BuilderBuildOptions{}, err\n\t}\n\tbuildKitHost, err := GetBuildkitHost(cmd, globalOptions.Namespace)\n\tif err != nil {\n\t\treturn types.BuilderBuildOptions{}, err\n\t}\n\textraHosts, err := cmd.Flags().GetStringArray(\"add-host\")\n\tif err != nil {\n\t\treturn types.BuilderBuildOptions{}, err\n\t}\n\tplatform, err := cmd.Flags().GetStringSlice(\"platform\")\n\tif err != nil {\n\t\treturn types.BuilderBuildOptions{}, err\n\t}\n\tplatform = strutil.DedupeStrSlice(platform)\n\tif len(args) < 1 {\n\t\treturn types.BuilderBuildOptions{}, errors.New(\"context needs to be specified\")\n\t}\n\tbuildContext := args[0]\n\tif buildContext == \"-\" || strings.Contains(buildContext, \"://\") {\n\t\treturn types.BuilderBuildOptions{}, fmt.Errorf(\"unsupported build context: %q\", buildContext)\n\t}\n\toutput, err := cmd.Flags().GetString(\"output\")\n\tif err != nil {\n\t\treturn types.BuilderBuildOptions{}, err\n\t}\n\ttagValue, err := cmd.Flags().GetStringArray(\"tag\")\n\tif err != nil {\n\t\treturn types.BuilderBuildOptions{}, err\n\t}\n\tprogress, err := cmd.Flags().GetString(\"progress\")\n\tif err != nil {\n\t\treturn types.BuilderBuildOptions{}, err\n\t}\n\tfilename, err := cmd.Flags().GetString(\"file\")\n\tif err != nil {\n\t\treturn types.BuilderBuildOptions{}, err\n\t}\n\ttarget, err := cmd.Flags().GetString(\"target\")\n\tif err != nil {\n\t\treturn types.BuilderBuildOptions{}, err\n\t}\n\tbuildArgs, err := cmd.Flags().GetStringArray(\"build-arg\")\n\tif err != nil {\n\t\treturn types.BuilderBuildOptions{}, err\n\t}\n\tlabel, err := cmd.Flags().GetStringArray(\"label\")\n\tif err != nil {\n\t\treturn types.BuilderBuildOptions{}, err\n\t}\n\tnoCache, err := cmd.Flags().GetBool(\"no-cache\")\n\tif err != nil {\n\t\treturn types.BuilderBuildOptions{}, err\n\t}\n\tvar pull *bool\n\tif cmd.Flags().Changed(\"pull\") {\n\t\tpullFlag, err := cmd.Flags().GetBool(\"pull\")\n\t\tif err != nil {\n\t\t\treturn types.BuilderBuildOptions{}, err\n\t\t}\n\t\tpull = &pullFlag\n\t}\n\tsecret, err := cmd.Flags().GetStringArray(\"secret\")\n\tif err != nil {\n\t\treturn types.BuilderBuildOptions{}, err\n\t}\n\tallow, err := cmd.Flags().GetStringArray(\"allow\")\n\tif err != nil {\n\t\treturn types.BuilderBuildOptions{}, err\n\t}\n\tssh, err := cmd.Flags().GetStringArray(\"ssh\")\n\tif err != nil {\n\t\treturn types.BuilderBuildOptions{}, err\n\t}\n\tcacheFrom, err := cmd.Flags().GetStringArray(\"cache-from\")\n\tif err != nil {\n\t\treturn types.BuilderBuildOptions{}, err\n\t}\n\tcacheTo, err := cmd.Flags().GetStringArray(\"cache-to\")\n\tif err != nil {\n\t\treturn types.BuilderBuildOptions{}, err\n\t}\n\trm, err := cmd.Flags().GetBool(\"rm\")\n\tif err != nil {\n\t\treturn types.BuilderBuildOptions{}, err\n\t}\n\tiidfile, err := cmd.Flags().GetString(\"iidfile\")\n\tif err != nil {\n\t\treturn types.BuilderBuildOptions{}, err\n\t}\n\tquiet, err := cmd.Flags().GetBool(\"quiet\")\n\tif err != nil {\n\t\treturn types.BuilderBuildOptions{}, err\n\t}\n\tnetwork, err := cmd.Flags().GetString(\"network\")\n\tif err != nil {\n\t\treturn types.BuilderBuildOptions{}, err\n\t}\n\n\tattest, err := cmd.Flags().GetStringArray(\"attest\")\n\tif err != nil {\n\t\treturn types.BuilderBuildOptions{}, err\n\t}\n\tsbom, err := cmd.Flags().GetString(\"sbom\")\n\tif err != nil {\n\t\treturn types.BuilderBuildOptions{}, err\n\t}\n\tif sbom != \"\" {\n\t\tattest = append(attest, canonicalizeAttest(\"sbom\", sbom))\n\t}\n\tprovenance, err := cmd.Flags().GetString(\"provenance\")\n\tif err != nil {\n\t\treturn types.BuilderBuildOptions{}, err\n\t}\n\tif provenance != \"\" {\n\t\tattest = append(attest, canonicalizeAttest(\"provenance\", provenance))\n\t}\n\textendedBuildCtx, err := cmd.Flags().GetStringArray(\"build-context\")\n\tif err != nil {\n\t\treturn types.BuilderBuildOptions{}, err\n\t}\n\tsourcePolicyFile, err := cmd.Flags().GetString(\"source-policy-file\")\n\tif err != nil {\n\t\treturn types.BuilderBuildOptions{}, err\n\t}\n\n\tusernsRemap, err := cmd.Flags().GetString(\"userns-remap\")\n\tif err != nil {\n\t\treturn types.BuilderBuildOptions{}, err\n\t} else if usernsRemap != \"\" {\n\t\tlog.L.Warn(\"userns remap is not supported with nerdctl build. dropping the config.\")\n\t}\n\n\treturn types.BuilderBuildOptions{\n\t\tGOptions: globalOptions,\n\t\tBuildKitHost: buildKitHost,\n\t\tBuildContext: buildContext,\n\t\tOutput: output,\n\t\tTag: tagValue,\n\t\tProgress: progress,\n\t\tFile: filename,\n\t\tTarget: target,\n\t\tBuildArgs: buildArgs,\n\t\tLabel: label,\n\t\tNoCache: noCache,\n\t\tPull: pull,\n\t\tSecret: secret,\n\t\tAllow: allow,\n\t\tAttest: attest,\n\t\tSSH: ssh,\n\t\tCacheFrom: cacheFrom,\n\t\tCacheTo: cacheTo,\n\t\tRm: rm,\n\t\tIidFile: iidfile,\n\t\tQuiet: quiet,\n\t\tPlatform: platform,\n\t\tStdout: cmd.OutOrStdout(),\n\t\tStderr: cmd.OutOrStderr(),\n\t\tStdin: cmd.InOrStdin(),\n\t\tNetworkMode: network,\n\t\tExtendedBuildContext: extendedBuildCtx,\n\t\tExtraHosts: extraHosts,\n\t\tSourcePolicyFile: sourcePolicyFile,\n\t}, nil\n}\n\nfunc GetBuildkitHost(cmd *cobra.Command, namespace string) (string, error) {\n\tif cmd.Flags().Changed(\"buildkit-host\") {\n\t\t// If address is explicitly specified, use it.\n\t\tbuildkitHost, err := cmd.Flags().GetString(\"buildkit-host\")\n\t\tif err != nil {\n\t\t\treturn \"\", err\n\t\t}\n\t\tif err := buildkitutil.PingBKDaemon(buildkitHost); err != nil {\n\t\t\treturn \"\", err\n\t\t}\n\t\treturn buildkitHost, nil\n\t}\n\n\treturn buildkitutil.GetBuildkitHost(namespace)\n}\n\nfunc buildAction(cmd *cobra.Command, args []string) error {\n\toptions, err := processBuildCommandFlag(cmd, args)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn builder.Build(ctx, client, options)\n}\n\n// canonicalizeAttest is from https://github.com/docker/buildx/blob/v0.12/util/buildflags/attests.go##L13-L21\nfunc canonicalizeAttest(attestType string, in string) string {\n\tif in == \"\" {\n\t\treturn \"\"\n\t}\n\tif b, err := strconv.ParseBool(in); err == nil {\n\t\treturn fmt.Sprintf(\"type=%s,disabled=%t\", attestType, !b)\n\t}\n\treturn fmt.Sprintf(\"type=%s,%s\", attestType, in)\n}\n" }, { "path": "cmd/nerdctl/builder/builder_build_oci_layout_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage builder\n\nimport (\n\t\"fmt\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestBuildContextWithOCILayout(t *testing.T) {\n\tnerdtest.Setup()\n\n\tvar dockerBuilderArgs []string\n\n\ttestCase := &test.Case{\n\t\tRequire: require.All(\n\t\t\tnerdtest.Build,\n\t\t\trequire.Not(require.Windows),\n\t\t),\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\tif nerdtest.IsDocker() {\n\t\t\t\thelpers.Anyhow(\"buildx\", \"stop\", data.Identifier(\"container\"))\n\t\t\t\thelpers.Anyhow(\"buildx\", \"rm\", \"--force\", data.Identifier(\"container\"))\n\t\t\t}\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier(\"parent\"))\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier(\"child\"))\n\t\t},\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t// Default docker driver does not support OCI exporter.\n\t\t\t// Reference: https://docs.docker.com/build/exporters/oci-docker/\n\t\t\tif nerdtest.IsDocker() {\n\t\t\t\tname := data.Identifier(\"container\")\n\t\t\t\thelpers.Ensure(\"buildx\", \"create\", \"--name\", name, \"--driver=docker-container\")\n\t\t\t\tdockerBuilderArgs = []string{\"buildx\", \"--builder\", name}\n\t\t\t}\n\n\t\t\tdockerfile := fmt.Sprintf(`FROM %s\nLABEL layer=oci-layout-parent\nCMD [\"echo\", \"test-nerdctl-build-context-oci-layout-parent\"]`, testutil.CommonImage)\n\n\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\tdest := data.Temp().Dir(\"parent\")\n\t\t\ttarPath := data.Temp().Path(\"parent.tar\")\n\n\t\t\thelpers.Ensure(\"build\", data.Temp().Path(), \"--tag\", data.Identifier(\"parent\"))\n\t\t\thelpers.Ensure(\"image\", \"save\", \"--output\", tarPath, data.Identifier(\"parent\"))\n\t\t\thelpers.Custom(\"tar\", \"Cxf\", dest, tarPath).Run(&test.Expected{\n\t\t\t\tExitCode: expect.ExitCodeSuccess,\n\t\t\t})\n\t\t},\n\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\tdockerfile := `FROM parent\nCMD [\"echo\", \"test-nerdctl-build-context-oci-layout\"]`\n\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\n\t\t\tvar cmd test.TestableCommand\n\t\t\tif nerdtest.IsDocker() {\n\t\t\t\tcmd = helpers.Command(dockerBuilderArgs...)\n\t\t\t} else {\n\t\t\t\tcmd = helpers.Command()\n\t\t\t}\n\t\t\tcmd.WithArgs(\n\t\t\t\t\"build\",\n\t\t\t\tdata.Temp().Path(),\n\t\t\t\tfmt.Sprintf(\"--build-context=parent=oci-layout://%s\", filepath.Join(data.Temp().Path(), \"parent\")),\n\t\t\t\t\"--tag\",\n\t\t\t\tdata.Identifier(\"child\"),\n\t\t\t)\n\t\t\tif nerdtest.IsDocker() {\n\t\t\t\t// Need to load the container image from the builder to be able to run it.\n\t\t\t\tcmd.WithArgs(\"--load\")\n\t\t\t}\n\t\t\treturn cmd\n\t\t},\n\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\treturn &test.Expected{\n\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\tassert.Assert(\n\t\t\t\t\t\tt,\n\t\t\t\t\t\tstrings.Contains(\n\t\t\t\t\t\t\thelpers.Capture(\"run\", \"--rm\", data.Identifier(\"child\")),\n\t\t\t\t\t\t\t\"test-nerdctl-build-context-oci-layout\",\n\t\t\t\t\t\t),\n\t\t\t\t\t)\n\t\t\t\t},\n\t\t\t}\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/builder/builder_build_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage builder\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"regexp\"\n\t\"runtime\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/buildkitutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/platformutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestBuildBasics(t *testing.T) {\n\tnerdtest.Setup()\n\n\tdockerfile := fmt.Sprintf(`FROM %s\nCMD [\"echo\", \"nerdctl-build-test-string\"]`, testutil.CommonImage)\n\n\ttestCase := &test.Case{\n\t\tRequire: nerdtest.Build,\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\tdata.Labels().Set(\"buildCtx\", data.Temp().Path())\n\t\t},\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"Successfully build with 'tag first', 'buildctx second'\",\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\"build\", \"-t\", data.Identifier(), data.Labels().Get(\"buildCtx\"))\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"nerdctl-build-test-string\\n\")),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Successfully build with 'buildctx first', 'tag second'\",\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\"build\", data.Labels().Get(\"buildCtx\"), \"-t\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"nerdctl-build-test-string\\n\")),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Successfully build with output docker, main tag still works\",\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\n\t\t\t\t\t\t\"build\",\n\t\t\t\t\t\tdata.Labels().Get(\"buildCtx\"),\n\t\t\t\t\t\t\"-t\",\n\t\t\t\t\t\tdata.Identifier(),\n\t\t\t\t\t\t\"--output=type=docker,name=\"+data.Identifier(\"ignored\"),\n\t\t\t\t\t)\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"nerdctl-build-test-string\\n\")),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Successfully build with output docker, name cannot be used\",\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\n\t\t\t\t\t\t\"build\",\n\t\t\t\t\t\tdata.Labels().Get(\"buildCtx\"),\n\t\t\t\t\t\t\"-t\",\n\t\t\t\t\t\tdata.Identifier(),\n\t\t\t\t\t\t\"--output=type=docker,name=\"+data.Identifier(\"ignored\"),\n\t\t\t\t\t)\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Identifier(\"ignored\"))\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier(\"ignored\"))\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(expect.ExitCodeGenericFail, nil, nil),\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestCanBuildOnOtherPlatform(t *testing.T) {\n\tnerdtest.Setup()\n\n\trequireEmulation := &test.Requirement{\n\t\tCheck: func(data test.Data, helpers test.Helpers) (bool, string) {\n\t\t\tcandidateArch := \"arm64\"\n\t\t\tif runtime.GOARCH == \"arm64\" {\n\t\t\t\tcandidateArch = \"amd64\"\n\t\t\t}\n\t\t\tcan, err := platformutil.CanExecProbably(\"linux/\" + candidateArch)\n\t\t\tassert.NilError(helpers.T(), err)\n\n\t\t\tdata.Labels().Set(\"OS\", \"linux\")\n\t\t\tdata.Labels().Set(\"Architecture\", candidateArch)\n\t\t\treturn can, \"Current environment does not support emulation\"\n\t\t},\n\t}\n\n\tdockerfile := fmt.Sprintf(`FROM %s\nRUN echo hello > /hello\nCMD [\"echo\", \"nerdctl-build-test-string\"]`, testutil.CommonImage)\n\n\ttestCase := &test.Case{\n\t\tRequire: require.All(\n\t\t\tnerdtest.Build,\n\t\t\trequireEmulation,\n\t\t),\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\tdata.Labels().Set(\"buildCtx\", data.Temp().Path())\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\n\t\t\t\t\"build\",\n\t\t\t\tdata.Labels().Get(\"buildCtx\"),\n\t\t\t\t\"--platform\",\n\t\t\t\tfmt.Sprintf(\"%s/%s\", data.Labels().Get(\"OS\"), data.Labels().Get(\"Architecture\")),\n\t\t\t\t\"-t\",\n\t\t\t\tdata.Identifier(),\n\t\t\t)\n\t\t},\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t},\n\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, nil),\n\t}\n\n\ttestCase.Run(t)\n}\n\n// TestBuildBaseImage tests if an image can be built on the previously built image.\n// This isn't currently supported by nerdctl with BuildKit OCI worker.\nfunc TestBuildBaseImage(t *testing.T) {\n\tnerdtest.Setup()\n\n\ttestCase := &test.Case{\n\t\tRequire: nerdtest.Build,\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier(\"first\"))\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier(\"second\"))\n\t\t},\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdockerfile := fmt.Sprintf(`FROM %s\nRUN echo hello > /hello\nCMD [\"echo\", \"nerdctl-build-test-string\"]`, testutil.CommonImage)\n\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\thelpers.Ensure(\"build\", \"-t\", data.Identifier(\"first\"), data.Temp().Path())\n\n\t\t\tdockerfileSecond := fmt.Sprintf(`FROM %s\nRUN echo hello2 > /hello2\nCMD [\"cat\", \"/hello2\"]`, data.Identifier(\"first\"))\n\t\t\tdata.Temp().Save(dockerfileSecond, \"Dockerfile\")\n\t\t\thelpers.Ensure(\"build\", \"-t\", data.Identifier(\"second\"), data.Temp().Path())\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Identifier(\"second\"))\n\t\t},\n\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"hello2\\n\")),\n\t}\n\n\ttestCase.Run(t)\n}\n\n// TestBuildFromContainerd tests if an image can be built on an image pulled by nerdctl.\n// This isn't currently supported by nerdctl with BuildKit OCI worker.\nfunc TestBuildFromContainerd(t *testing.T) {\n\tnerdtest.Setup()\n\n\ttestCase := &test.Case{\n\t\tRequire: require.All(\n\t\t\tnerdtest.Build,\n\t\t\trequire.Not(nerdtest.Docker),\n\t\t),\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier(\"first\"))\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier(\"second\"))\n\t\t},\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.CommonImage)\n\t\t\thelpers.Ensure(\"tag\", testutil.CommonImage, data.Identifier(\"first\"))\n\n\t\t\tdockerfile := fmt.Sprintf(`FROM %s\nRUN echo hello2 > /hello2\nCMD [\"cat\", \"/hello2\"]`, data.Identifier(\"first\"))\n\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\thelpers.Ensure(\"build\", \"-t\", data.Identifier(\"second\"), data.Temp().Path())\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Identifier(\"second\"))\n\t\t},\n\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"hello2\\n\")),\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestBuildFromStdin(t *testing.T) {\n\tnerdtest.Setup()\n\n\tdockerfile := fmt.Sprintf(`FROM %s\nCMD [\"echo\", \"nerdctl-build-test-stdin\"]`, testutil.CommonImage)\n\n\ttestCase := &test.Case{\n\t\tRequire: nerdtest.Build,\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\tcmd := helpers.Command(\"build\", \"-t\", data.Identifier(), \"-f\", \"-\", \".\")\n\t\t\tcmd.Feed(strings.NewReader(dockerfile))\n\t\t\treturn cmd\n\t\t},\n\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\treturn &test.Expected{\n\t\t\t\tErrors: []error{errors.New(data.Identifier())},\n\t\t\t}\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestBuildWithDockerfile(t *testing.T) {\n\tnerdtest.Setup()\n\n\tdockerfile := fmt.Sprintf(`FROM %s\nCMD [\"echo\", \"nerdctl-build-test-dockerfile\"]\n\t`, testutil.CommonImage)\n\n\ttestCase := &test.Case{\n\t\tRequire: nerdtest.Build,\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdata.Temp().Save(dockerfile, \"test\", \"Dockerfile\")\n\t\t\tdata.Labels().Set(\"buildCtx\", data.Temp().Path(\"test\"))\n\t\t},\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"Dockerfile ..\",\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\tcmd := helpers.Command(\"build\", \"-t\", data.Identifier(), \"-f\", \"Dockerfile\", \"..\")\n\t\t\t\t\tcmd.WithCwd(data.Labels().Get(\"buildCtx\"))\n\t\t\t\t\treturn cmd\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Dockerfile .\",\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\tcmd := helpers.Command(\"build\", \"-t\", data.Identifier(), \"-f\", \"Dockerfile\", \".\")\n\t\t\t\t\tcmd.WithCwd(data.Labels().Get(\"buildCtx\"))\n\t\t\t\t\treturn cmd\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"../Dockerfile .\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\tcmd := helpers.Command(\"build\", \"-t\", data.Identifier(), \"-f\", \"../Dockerfile\", \".\")\n\t\t\t\t\tcmd.WithCwd(data.Labels().Get(\"buildCtx\"))\n\t\t\t\t\treturn cmd\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(1, nil, nil),\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestBuildLocal(t *testing.T) {\n\tnerdtest.Setup()\n\n\tconst testFileName = \"nerdctl-build-test\"\n\tconst testContent = \"nerdctl\"\n\n\tdockerfile := fmt.Sprintf(`FROM scratch\nCOPY %s /`, testFileName)\n\n\ttestCase := &test.Case{\n\t\tRequire: nerdtest.Build,\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\tdata.Temp().Save(testContent, testFileName)\n\t\t\tdata.Labels().Set(\"buildCtx\", data.Temp().Path())\n\t\t},\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\t// GOTCHA: avoid comma and = in the test name, or buildctl will misparse the destination direction\n\t\t\t\tDescription: \"-o type local destination DIR: verify the file copied from context is in the output directory\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"build\", \"-o\", fmt.Sprintf(\"type=local,dest=%s\", data.Temp().Path()), data.Labels().Get(\"buildCtx\"))\n\t\t\t\t},\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\t// Expecting testFileName to exist inside the output target directory\n\t\t\t\t\t\t\tassert.Equal(t, data.Temp().Load(testFileName), testContent, \"file content is identical\")\n\t\t\t\t\t\t},\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"-o DIR: verify the file copied from context is in the output directory\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"build\", \"-o\", data.Temp().Path(), data.Labels().Get(\"buildCtx\"))\n\t\t\t\t},\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\tassert.Equal(t, data.Temp().Load(testFileName), testContent, \"file content is identical\")\n\t\t\t\t\t\t},\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestBuildWithBuildArg(t *testing.T) {\n\tnerdtest.Setup()\n\n\tdockerfile := fmt.Sprintf(`FROM %s\nARG TEST_STRING=1\nENV TEST_STRING=$TEST_STRING\nCMD echo $TEST_STRING\n\t`, testutil.CommonImage)\n\n\ttestCase := &test.Case{\n\t\tRequire: nerdtest.Build,\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t},\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\tdata.Labels().Set(\"buildCtx\", data.Temp().Path())\n\t\t},\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"No args\",\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\"build\", data.Labels().Get(\"buildCtx\"), \"-t\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"1\\n\")),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"ArgValueOverridesDefault\",\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\"build\", data.Labels().Get(\"buildCtx\"), \"--build-arg\", \"TEST_STRING=2\", \"-t\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"2\\n\")),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"EmptyArgValueOverridesDefault\",\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\"build\", data.Labels().Get(\"buildCtx\"), \"--build-arg\", \"TEST_STRING=\", \"-t\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"\\n\")),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"UnsetArgKeyPreservesDefault\",\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\"build\", data.Labels().Get(\"buildCtx\"), \"--build-arg\", \"TEST_STRING\", \"-t\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"1\\n\")),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"EnvValueOverridesDefault\",\n\t\t\t\tEnv: map[string]string{\n\t\t\t\t\t\"TEST_STRING\": \"3\",\n\t\t\t\t},\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\"build\", data.Labels().Get(\"buildCtx\"), \"--build-arg\", \"TEST_STRING\", \"-t\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"3\\n\")),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"EmptyEnvValueOverridesDefault\",\n\t\t\t\tEnv: map[string]string{\n\t\t\t\t\t\"TEST_STRING\": \"\",\n\t\t\t\t},\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\"build\", data.Labels().Get(\"buildCtx\"), \"--build-arg\", \"TEST_STRING\", \"-t\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"\\n\")),\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestBuildWithIIDFile(t *testing.T) {\n\tnerdtest.Setup()\n\n\tdockerfile := fmt.Sprintf(`FROM %s\nCMD [\"echo\", \"nerdctl-build-test-string\"]\n\t`, testutil.CommonImage)\n\n\ttestCase := &test.Case{\n\t\tRequire: nerdtest.Build,\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t},\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\thelpers.Ensure(\"build\", data.Temp().Path(), \"--iidfile\", data.Temp().Path(\"id.txt\"), \"-t\", data.Identifier())\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Temp().Load(\"id.txt\"))\n\t\t},\n\n\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"nerdctl-build-test-string\\n\")),\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestBuildWithLabels(t *testing.T) {\n\tnerdtest.Setup()\n\n\tdockerfile := fmt.Sprintf(`FROM %s\nLABEL name=nerdctl-build-test-label\n\t`, testutil.CommonImage)\n\n\ttestCase := &test.Case{\n\t\tRequire: nerdtest.Build,\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t},\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\thelpers.Ensure(\"build\", data.Temp().Path(), \"--label\", \"label=test\", \"-t\", data.Identifier())\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"inspect\", data.Identifier(), \"--format\", \"{{json .Config.Labels }}\")\n\t\t},\n\n\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"{\\\"label\\\":\\\"test\\\",\\\"name\\\":\\\"nerdctl-build-test-label\\\"}\\n\")),\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestBuildMultipleTags(t *testing.T) {\n\tnerdtest.Setup()\n\n\tdockerfile := fmt.Sprintf(`FROM %s\nCMD [\"echo\", \"nerdctl-build-test-string\"]\n\t`, testutil.CommonImage)\n\n\ttestCase := &test.Case{\n\t\tRequire: nerdtest.Build,\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(\"i1\"))\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(\"i2\"))\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(\"i3\"))\n\t\t},\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdata.Labels().Set(\"i1\", data.Identifier(\"image\"))\n\t\t\tdata.Labels().Set(\"i2\", data.Identifier(\"image2\"))\n\t\t\tdata.Labels().Set(\"i3\", data.Identifier(\"image3\")+\":hello\")\n\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\thelpers.Ensure(\n\t\t\t\t\"build\",\n\t\t\t\tdata.Temp().Path(),\n\t\t\t\t\"-t\", data.Labels().Get(\"i1\"),\n\t\t\t\t\"-t\", data.Labels().Get(\"i2\"),\n\t\t\t\t\"-t\", data.Labels().Get(\"i3\"),\n\t\t\t)\n\t\t},\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"i1\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Labels().Get(\"i1\"))\n\t\t\t\t},\n\n\t\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"nerdctl-build-test-string\\n\")),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"i2\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Labels().Get(\"i2\"))\n\t\t\t\t},\n\n\t\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"nerdctl-build-test-string\\n\")),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"i3\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Labels().Get(\"i3\"))\n\t\t\t\t},\n\n\t\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"nerdctl-build-test-string\\n\")),\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestBuildWithContainerfile(t *testing.T) {\n\tnerdtest.Setup()\n\n\tdockerfile := fmt.Sprintf(`FROM %s\nCMD [\"echo\", \"nerdctl-build-test-string\"]\n\t`, testutil.CommonImage)\n\n\ttestCase := &test.Case{\n\t\tRequire: require.All(\n\t\t\tnerdtest.Build,\n\t\t\trequire.Not(nerdtest.Docker),\n\t\t),\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t},\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\thelpers.Ensure(\"build\", data.Temp().Path(), \"-t\", data.Identifier())\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Identifier())\n\t\t},\n\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"nerdctl-build-test-string\\n\")),\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestBuildWithDockerFileAndContainerfile(t *testing.T) {\n\tnerdtest.Setup()\n\n\ttestCase := &test.Case{\n\t\tRequire: nerdtest.Build,\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t},\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdockerfile := fmt.Sprintf(`FROM %s\nCMD [\"echo\", \"dockerfile\"]\n\t`, testutil.CommonImage)\n\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\n\t\t\tdockerfile = fmt.Sprintf(`FROM %s\nCMD [\"echo\", \"containerfile\"]\n\t`, testutil.CommonImage)\n\t\t\tdata.Temp().Save(dockerfile, \"Containerfile\")\n\n\t\t\thelpers.Ensure(\"build\", data.Temp().Path(), \"-t\", data.Identifier())\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Identifier())\n\t\t},\n\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"dockerfile\\n\")),\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestBuildNoTag(t *testing.T) {\n\tnerdtest.Setup()\n\n\tdockerfile := fmt.Sprintf(`FROM %s\nCMD [\"echo\", \"nerdctl-build-test-string\"]\n\t`, testutil.CommonImage)\n\n\t// FIXME: this test should be rewritten and instead get the image id from the build, then query the image explicitly - instead of pruning / noparallel\n\ttestCase := &test.Case{\n\t\tNoParallel: true,\n\t\tRequire: nerdtest.Build,\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Ensure(\"image\", \"prune\", \"--force\", \"--all\")\n\t\t},\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\n\t\t\t// XXX FIXME\n\t\t\thelpers.Capture(\"build\", data.Temp().Path())\n\t\t},\n\t\tCommand: test.Command(\"images\"),\n\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"\")),\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestBuildContextDockerImageAlias(t *testing.T) {\n\tnerdtest.Setup()\n\n\tdockerfile := `FROM myorg/myapp\nCMD [\"echo\", \"nerdctl-build-myorg/myapp\"]`\n\n\ttestCase := &test.Case{\n\t\tRequire: nerdtest.Build,\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t},\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\n\t\t\t\t\"build\",\n\t\t\t\t\"-t\",\n\t\t\t\tdata.Identifier(),\n\t\t\t\tdata.Temp().Path(),\n\t\t\t\tfmt.Sprintf(\"--build-context=myorg/myapp=docker-image://%s\", testutil.CommonImage),\n\t\t\t)\n\t\t},\n\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, nil),\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestBuildContextWithCopyFromDir(t *testing.T) {\n\tnerdtest.Setup()\n\n\tcontent := \"hello_from_dir_2\"\n\tfilename := \"hello.txt\"\n\tdockerfile := fmt.Sprintf(`FROM %s\nCOPY --from=dir2 /%s /hello_from_dir2.txt\nRUN [\"cat\", \"/hello_from_dir2.txt\"]`, testutil.CommonImage, filename)\n\n\ttestCase := &test.Case{\n\t\tRequire: require.All(\n\t\t\tnerdtest.Build,\n\t\t\trequire.Not(nerdtest.Docker),\n\t\t),\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t},\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdata.Temp().Save(dockerfile, \"context\", \"Dockerfile\")\n\t\t\tdata.Temp().Save(content, \"other-directory\", filename)\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\n\t\t\t\t\"build\",\n\t\t\t\t\"-t\",\n\t\t\t\tdata.Identifier(),\n\t\t\t\tdata.Temp().Path(\"context\"),\n\t\t\t\tfmt.Sprintf(\"--build-context=dir2=%s\", data.Temp().Path(\"other-directory\")),\n\t\t\t)\n\t\t},\n\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, nil),\n\t}\n\n\ttestCase.Run(t)\n}\n\n// TestBuildSourceDateEpoch tests that $SOURCE_DATE_EPOCH is propagated from the client env\n// https://github.com/docker/buildx/pull/1482\nfunc TestBuildSourceDateEpoch(t *testing.T) {\n\tnerdtest.Setup()\n\n\tdockerfile := fmt.Sprintf(`FROM %s\nARG SOURCE_DATE_EPOCH\nRUN echo $SOURCE_DATE_EPOCH >/source-date-epoch\nCMD [\"cat\", \"/source-date-epoch\"]\n\t`, testutil.CommonImage)\n\n\ttestCase := &test.Case{\n\t\tRequire: require.All(\n\t\t\tnerdtest.Build,\n\t\t\trequire.Not(nerdtest.Docker),\n\t\t),\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\tdata.Labels().Set(\"buildCtx\", data.Temp().Path())\n\t\t},\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"1111111111\",\n\t\t\t\tEnv: map[string]string{\n\t\t\t\t\t\"SOURCE_DATE_EPOCH\": \"1111111111\",\n\t\t\t\t},\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\"build\", data.Labels().Get(\"buildCtx\"), \"-t\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"1111111111\\n\")),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"2222222222\",\n\t\t\t\tEnv: map[string]string{\n\t\t\t\t\t\"SOURCE_DATE_EPOCH\": \"1111111111\",\n\t\t\t\t},\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\"build\", data.Labels().Get(\"buildCtx\"), \"--build-arg\", \"SOURCE_DATE_EPOCH=2222222222\", \"-t\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"2222222222\\n\")),\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestBuildNetwork(t *testing.T) {\n\tnerdtest.Setup()\n\n\tdockerfile := fmt.Sprintf(`FROM %s\nRUN apk add --no-cache curl\nRUN curl -I http://google.com\n\t`, testutil.CommonImage)\n\n\ttestCase := &test.Case{\n\t\tRequire: require.All(\n\t\t\tnerdtest.Build,\n\t\t\trequire.Not(nerdtest.Docker),\n\t\t),\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\tdata.Labels().Set(\"buildCtx\", data.Temp().Path())\n\t\t},\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"none\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"build\", data.Labels().Get(\"buildCtx\"), \"-t\", data.Identifier(), \"--no-cache\", \"--network\", \"none\")\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(1, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"empty\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"build\", data.Labels().Get(\"buildCtx\"), \"-t\", data.Identifier(), \"--no-cache\", \"--network\", \"\")\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"default\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"build\", data.Labels().Get(\"buildCtx\"), \"-t\", data.Identifier(), \"--no-cache\", \"--network\", \"default\")\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, nil),\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestBuildAttestation(t *testing.T) {\n\tnerdtest.Setup()\n\n\t// Using regex patterns to match SBOM and provenance files with optional platform suffix\n\tconst testSBOMFilePattern = `sbom\\.spdx(?:\\.[a-z0-9_]+)?\\.json`\n\tconst testProvenanceFilePattern = `provenance(?:\\.[a-z0-9_]+)?\\.json`\n\n\tdockerfile := fmt.Sprintf(`FROM %s`, testutil.CommonImage)\n\n\ttestCase := &test.Case{\n\t\tRequire: require.All(\n\t\t\tnerdtest.Build,\n\t\t\trequire.Not(nerdtest.Docker),\n\t\t),\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\tif nerdtest.IsDocker() {\n\t\t\t\thelpers.Anyhow(\"buildx\", \"rm\", data.Identifier(\"builder\"))\n\t\t\t}\n\t\t},\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tif nerdtest.IsDocker() {\n\t\t\t\thelpers.Anyhow(\"buildx\", \"create\", \"--name\", data.Identifier(\"builder\"), \"--bootstrap\", \"--use\")\n\t\t\t}\n\n\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\tdata.Labels().Set(\"buildCtx\", data.Temp().Path())\n\t\t},\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"SBOM\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\tcmd := helpers.Command(\"build\")\n\t\t\t\t\tif nerdtest.IsDocker() {\n\t\t\t\t\t\tcmd.WithArgs(\"--builder\", data.Identifier(\"builder\"))\n\t\t\t\t\t}\n\t\t\t\t\tcmd.WithArgs(\n\t\t\t\t\t\t\"--sbom=true\",\n\t\t\t\t\t\t\"-o\", fmt.Sprintf(\"type=local,dest=%s\", data.Temp().Path(\"dir-for-bom\")),\n\t\t\t\t\t\tdata.Labels().Get(\"buildCtx\"),\n\t\t\t\t\t)\n\t\t\t\t\treturn cmd\n\t\t\t\t},\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\tfiles, err := os.ReadDir(data.Temp().Path(\"dir-for-bom\"))\n\t\t\t\t\t\t\tassert.NilError(t, err, \"failed to read directory\")\n\n\t\t\t\t\t\t\tfound := false\n\t\t\t\t\t\t\tfor _, file := range files {\n\t\t\t\t\t\t\t\tif !file.IsDir() && regexp.MustCompile(testSBOMFilePattern).MatchString(file.Name()) {\n\t\t\t\t\t\t\t\t\tfound = true\n\t\t\t\t\t\t\t\t\tbreak\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tassert.Assert(t, found, \"no SBOM file matching pattern %s found\", testSBOMFilePattern)\n\t\t\t\t\t\t},\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Provenance\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\tcmd := helpers.Command(\"build\")\n\t\t\t\t\tif nerdtest.IsDocker() {\n\t\t\t\t\t\tcmd.WithArgs(\"--builder\", data.Identifier(\"builder\"))\n\t\t\t\t\t}\n\t\t\t\t\tcmd.WithArgs(\n\t\t\t\t\t\t\"--provenance=mode=min\",\n\t\t\t\t\t\t\"-o\", fmt.Sprintf(\"type=local,dest=%s\", data.Temp().Path(\"dir-for-prov\")),\n\t\t\t\t\t\tdata.Labels().Get(\"buildCtx\"),\n\t\t\t\t\t)\n\t\t\t\t\treturn cmd\n\t\t\t\t},\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\tfiles, err := os.ReadDir(data.Temp().Path(\"dir-for-prov\"))\n\t\t\t\t\t\t\tassert.NilError(t, err, \"failed to read directory\")\n\n\t\t\t\t\t\t\tfound := false\n\t\t\t\t\t\t\tfor _, file := range files {\n\t\t\t\t\t\t\t\tif !file.IsDir() && regexp.MustCompile(testProvenanceFilePattern).MatchString(file.Name()) {\n\t\t\t\t\t\t\t\t\tfound = true\n\t\t\t\t\t\t\t\t\tbreak\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tassert.Assert(t, found, \"no provenance file matching pattern %s found\", testProvenanceFilePattern)\n\t\t\t\t\t\t},\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Attestation\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\tcmd := helpers.Command(\"build\")\n\t\t\t\t\tif nerdtest.IsDocker() {\n\t\t\t\t\t\tcmd.WithArgs(\"--builder\", data.Identifier(\"builder\"))\n\t\t\t\t\t}\n\t\t\t\t\tcmd.WithArgs(\n\t\t\t\t\t\t\"--attest=type=provenance,mode=min\",\n\t\t\t\t\t\t\"--attest=type=sbom\",\n\t\t\t\t\t\t\"-o\", fmt.Sprintf(\"type=local,dest=%s\", data.Temp().Path(\"dir-for-attest\")),\n\t\t\t\t\t\tdata.Labels().Get(\"buildCtx\"),\n\t\t\t\t\t)\n\t\t\t\t\treturn cmd\n\t\t\t\t},\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\t// Check if any file in the directory matches the SBOM file pattern\n\t\t\t\t\t\t\tfiles, err := os.ReadDir(data.Temp().Path(\"dir-for-attest\"))\n\t\t\t\t\t\t\tassert.NilError(t, err, \"failed to read directory\")\n\n\t\t\t\t\t\t\tsbomFound := false\n\t\t\t\t\t\t\tfor _, file := range files {\n\t\t\t\t\t\t\t\tif !file.IsDir() && regexp.MustCompile(testSBOMFilePattern).MatchString(file.Name()) {\n\t\t\t\t\t\t\t\t\tsbomFound = true\n\t\t\t\t\t\t\t\t\tbreak\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tassert.Assert(t, sbomFound, \"no SBOM file matching pattern %s found\", testSBOMFilePattern)\n\n\t\t\t\t\t\t\t// Check if any file in the directory matches the provenance file pattern\n\t\t\t\t\t\t\tprovenanceFound := false\n\t\t\t\t\t\t\tfor _, file := range files {\n\t\t\t\t\t\t\t\tif !file.IsDir() && regexp.MustCompile(testProvenanceFilePattern).MatchString(file.Name()) {\n\t\t\t\t\t\t\t\t\tprovenanceFound = true\n\t\t\t\t\t\t\t\t\tbreak\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tassert.Assert(t, provenanceFound, \"no provenance file matching pattern %s found\", testProvenanceFilePattern)\n\t\t\t\t\t\t},\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestBuildAddHost(t *testing.T) {\n\tnerdtest.Setup()\n\n\tdockerfile := fmt.Sprintf(`FROM %s\nRUN ping -c 5 alpha\nRUN ping -c 5 beta\n`, testutil.CommonImage)\n\n\ttestCase := &test.Case{\n\t\tRequire: require.All(\n\t\t\tnerdtest.Build,\n\t\t),\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t},\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\n\t\t\t\t\"build\", data.Temp().Path(),\n\t\t\t\t\"-t\", data.Identifier(),\n\t\t\t\t\"--add-host\", \"alpha:127.0.0.1\",\n\t\t\t\t\"--add-host\", \"beta:127.0.0.1\",\n\t\t\t)\n\t\t},\n\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, nil),\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestBuildWithBuildkitConfig(t *testing.T) {\n\tnerdtest.Setup()\n\n\ttestCase := &test.Case{\n\t\tRequire: require.All(\n\t\t\tnerdtest.Build,\n\t\t\trequire.Not(nerdtest.Docker),\n\t\t),\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdockerfile := fmt.Sprintf(`FROM %s\nCMD [\"echo\", \"nerdctl-build-test-string\"]`, testutil.CommonImage)\n\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\tdata.Labels().Set(\"buildCtx\", data.Temp().Path())\n\n\t\t},\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"build with buildkit-host\",\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\t// Get BuildkitAddr\n\t\t\t\t\tbuildkitAddr, err := buildkitutil.GetBuildkitHost(testutil.Namespace)\n\t\t\t\t\tassert.NilError(helpers.T(), err)\n\t\t\t\t\tbuildkitAddr = strings.TrimPrefix(buildkitAddr, \"unix://\")\n\n\t\t\t\t\t// Symlink the buildkit Socket for testing\n\t\t\t\t\tsymlinkedBuildkitAddr := filepath.Join(data.Temp().Path(), \"buildkit.sock\")\n\n\t\t\t\t\t// Do a negative test to check the setup\n\t\t\t\t\thelpers.Fail(\"build\", \"-t\", data.Identifier(), \"--buildkit-host\", fmt.Sprintf(\"unix://%s\", symlinkedBuildkitAddr), data.Labels().Get(\"buildCtx\"))\n\n\t\t\t\t\t// Test build with the symlinked socket\n\t\t\t\t\tcmd := helpers.Custom(\"ln\", \"-s\", buildkitAddr, symlinkedBuildkitAddr)\n\t\t\t\t\tcmd.Run(&test.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t})\n\t\t\t\t\thelpers.Ensure(\"build\", \"-t\", data.Identifier(), \"--buildkit-host\", fmt.Sprintf(\"unix://%s\", symlinkedBuildkitAddr), data.Labels().Get(\"buildCtx\"))\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, expect.Equals(\"nerdctl-build-test-string\\n\")),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"build with env specified\",\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\t// Get BuildkitAddr\n\t\t\t\t\tbuildkitAddr, err := buildkitutil.GetBuildkitHost(testutil.Namespace)\n\t\t\t\t\tassert.NilError(helpers.T(), err)\n\t\t\t\t\tbuildkitAddr = strings.TrimPrefix(buildkitAddr, \"unix://\")\n\n\t\t\t\t\t// Symlink the buildkit Socket for testing\n\t\t\t\t\tsymlinkedBuildkitAddr := filepath.Join(data.Temp().Path(), \"buildkit-env.sock\")\n\n\t\t\t\t\t// Do a negative test to ensure setting up the env variable is effective\n\t\t\t\t\tcmd := helpers.Command(\"build\", \"-t\", data.Identifier(), data.Labels().Get(\"buildCtx\"))\n\t\t\t\t\tcmd.Setenv(\"BUILDKIT_HOST\", fmt.Sprintf(\"unix://%s\", symlinkedBuildkitAddr))\n\t\t\t\t\tcmd.Run(&test.Expected{ExitCode: expect.ExitCodeGenericFail})\n\n\t\t\t\t\t// Symlink the buildkit socket for testing\n\t\t\t\t\tcmd = helpers.Custom(\"ln\", \"-s\", buildkitAddr, symlinkedBuildkitAddr)\n\t\t\t\t\tcmd.Run(&test.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t})\n\n\t\t\t\t\tcmd = helpers.Command(\"build\", \"-t\", data.Identifier(), data.Labels().Get(\"buildCtx\"))\n\t\t\t\t\tcmd.Setenv(\"BUILDKIT_HOST\", fmt.Sprintf(\"unix://%s\", symlinkedBuildkitAddr))\n\t\t\t\t\tcmd.Run(&test.Expected{ExitCode: expect.ExitCodeSuccess})\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, expect.Equals(\"nerdctl-build-test-string\\n\")),\n\t\t\t},\n\t\t},\n\t}\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/builder/builder_builder_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage builder\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/buildkitutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/referenceutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestBuilder(t *testing.T) {\n\tnerdtest.Setup()\n\n\ttestCase := &test.Case{\n\t\tNoParallel: true,\n\t\tRequire: require.All(\n\t\t\tnerdtest.Build,\n\t\t\trequire.Not(require.Windows),\n\t\t),\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"PruneForce\",\n\t\t\t\tNoParallel: true,\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\tdockerfile := fmt.Sprintf(`FROM %s\nCMD [\"echo\", \"nerdctl-test-builder-prune\"]`, testutil.CommonImage)\n\t\t\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\t\t\thelpers.Ensure(\"build\", data.Temp().Path())\n\t\t\t\t},\n\t\t\t\tCommand: test.Command(\"builder\", \"prune\", \"--force\"),\n\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"PruneForceAll\",\n\t\t\t\tNoParallel: true,\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\tdockerfile := fmt.Sprintf(`FROM %s\nCMD [\"echo\", \"nerdctl-test-builder-prune\"]`, testutil.CommonImage)\n\t\t\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\t\t\thelpers.Ensure(\"build\", data.Temp().Path())\n\t\t\t\t},\n\t\t\t\tCommand: test.Command(\"builder\", \"prune\", \"--force\", \"--all\"),\n\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"builder with buildkit-host\",\n\t\t\t\tNoParallel: true,\n\t\t\t\tRequire: require.Not(nerdtest.Docker),\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\t// Get BuildkitAddr\n\t\t\t\t\tbuildkitAddr, err := buildkitutil.GetBuildkitHost(testutil.Namespace)\n\t\t\t\t\tassert.NilError(helpers.T(), err)\n\t\t\t\t\tbuildkitAddr = strings.TrimPrefix(buildkitAddr, \"unix://\")\n\n\t\t\t\t\t// Symlink the buildkit Socket for testing\n\t\t\t\t\tsymlinkedBuildkitAddr := filepath.Join(data.Temp().Path(), \"buildkit.sock\")\n\t\t\t\t\tdata.Labels().Set(\"symlinkedBuildkitAddr\", symlinkedBuildkitAddr)\n\n\t\t\t\t\t// Do a negative test to check the setup\n\t\t\t\t\thelpers.Fail(\"builder\", \"prune\", \"--force\", \"--buildkit-host\", fmt.Sprintf(\"unix://%s\", symlinkedBuildkitAddr))\n\n\t\t\t\t\t// Test build with the symlinked socket\n\t\t\t\t\tcmd := helpers.Custom(\"ln\", \"-s\", buildkitAddr, symlinkedBuildkitAddr)\n\t\t\t\t\tcmd.Run(&test.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t})\n\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"builder\", \"prune\", \"--force\", \"--buildkit-host\", fmt.Sprintf(\"unix://%s\", data.Labels().Get(\"symlinkedBuildkitAddr\")))\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"builder with env\",\n\t\t\t\tNoParallel: true,\n\t\t\t\tRequire: require.Not(nerdtest.Docker),\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\t// Get BuildkitAddr\n\t\t\t\t\tbuildkitAddr, err := buildkitutil.GetBuildkitHost(testutil.Namespace)\n\t\t\t\t\tassert.NilError(helpers.T(), err)\n\t\t\t\t\tbuildkitAddr = strings.TrimPrefix(buildkitAddr, \"unix://\")\n\n\t\t\t\t\t// Symlink the buildkit Socket for testing\n\t\t\t\t\tsymlinkedBuildkitAddr := filepath.Join(data.Temp().Path(), \"buildkit-env.sock\")\n\t\t\t\t\tdata.Labels().Set(\"symlinkedBuildkitAddr\", symlinkedBuildkitAddr)\n\n\t\t\t\t\t// Do a negative test to ensure setting up the env variable is effective\n\t\t\t\t\tcmd := helpers.Command(\"builder\", \"prune\", \"--force\")\n\t\t\t\t\tcmd.Setenv(\"BUILDKIT_HOST\", fmt.Sprintf(\"unix://%s\", symlinkedBuildkitAddr))\n\t\t\t\t\tcmd.Run(&test.Expected{ExitCode: expect.ExitCodeGenericFail})\n\n\t\t\t\t\t// Symlink the buildkit socket for testing\n\t\t\t\t\tcmd = helpers.Custom(\"ln\", \"-s\", buildkitAddr, symlinkedBuildkitAddr)\n\t\t\t\t\tcmd.Run(&test.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t})\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\tsymlinkedBuildkitAddr := data.Labels().Get(\"symlinkedBuildkitAddr\")\n\t\t\t\t\tcmd := helpers.Command(\"builder\", \"prune\", \"--force\")\n\t\t\t\t\tcmd.Setenv(\"BUILDKIT_HOST\", fmt.Sprintf(\"unix://%s\", symlinkedBuildkitAddr))\n\t\t\t\t\treturn cmd\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Debug\",\n\t\t\t\t// `nerdctl builder debug` is currently incompatible with `docker buildx debug`.\n\t\t\t\tRequire: require.All(require.Not(nerdtest.Docker)),\n\t\t\t\tNoParallel: true,\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\tdockerfile := fmt.Sprintf(`FROM %s\nCMD [\"echo\", \"nerdctl-builder-debug-test-string\"]`, testutil.CommonImage)\n\t\t\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\t\t\tcmd := helpers.Command(\"builder\", \"debug\", data.Temp().Path())\n\t\t\t\t\tcmd.Feed(strings.NewReader(\"c\\n\"))\n\t\t\t\t\treturn cmd\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"WithPull\",\n\t\t\t\tNoParallel: true,\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\t// FIXME: this test should be rewritten to dynamically retrieve the ids, and use images\n\t\t\t\t\t// available on all platforms\n\t\t\t\t\toldImage := testutil.BusyboxImage\n\t\t\t\t\tparsedOldImage, err := referenceutil.Parse(oldImage)\n\t\t\t\t\tassert.NilError(helpers.T(), err)\n\t\t\t\t\toldImageSha := parsedOldImage.Digest.String()\n\n\t\t\t\t\tnewImage := testutil.AlpineImage\n\t\t\t\t\tparsedNewImage, err := referenceutil.Parse(newImage)\n\t\t\t\t\tassert.NilError(helpers.T(), err)\n\t\t\t\t\tnewImageSha := parsedNewImage.Digest.String()\n\n\t\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", oldImage)\n\t\t\t\t\thelpers.Ensure(\"tag\", oldImage, parsedNewImage.Domain+\"/\"+parsedNewImage.Path+\":\"+parsedNewImage.Tag)\n\n\t\t\t\t\tdockerfile := fmt.Sprintf(`FROM %s`, parsedNewImage.Domain+\"/\"+parsedNewImage.Path+\":\"+parsedNewImage.Tag)\n\t\t\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\t\t\tdata.Labels().Set(\"oldImageSha\", oldImageSha)\n\t\t\t\t\tdata.Labels().Set(\"newImageSha\", newImageSha)\n\t\t\t\t\tdata.Labels().Set(\"base\", data.Temp().Dir())\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", testutil.AlpineImage)\n\t\t\t\t},\n\t\t\t\tSubTests: []*test.Case{\n\t\t\t\t\t{\n\t\t\t\t\t\tDescription: \"pull false\",\n\t\t\t\t\t\tNoParallel: true,\n\t\t\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\t\t\treturn helpers.Command(\"build\", data.Labels().Get(\"base\"), \"--pull=false\")\n\t\t\t\t\t\t},\n\t\t\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\t\t\tErrors: []error{errors.New(data.Labels().Get(\"oldImageSha\"))},\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tDescription: \"pull true\",\n\t\t\t\t\t\tNoParallel: true,\n\t\t\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\t\t\treturn helpers.Command(\"build\", data.Labels().Get(\"base\"), \"--pull=true\")\n\t\t\t\t\t\t},\n\t\t\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\t\t\tErrors: []error{errors.New(data.Labels().Get(\"newImageSha\"))},\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tDescription: \"no pull\",\n\t\t\t\t\t\tNoParallel: true,\n\t\t\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\t\t\treturn helpers.Command(\"build\", data.Labels().Get(\"base\"))\n\t\t\t\t\t\t},\n\t\t\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\t\t\tErrors: []error{errors.New(data.Labels().Get(\"newImageSha\"))},\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/builder/builder_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage builder\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n)\n\nfunc TestMain(m *testing.M) {\n\ttestutil.M(m)\n}\n" }, { "path": "cmd/nerdctl/checkpoint/checkpoint.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage checkpoint\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n)\n\nfunc Command() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tAnnotations: map[string]string{helpers.Category: helpers.Management},\n\t\tUse: \"checkpoint\",\n\t\tShort: \"Manage checkpoints.\",\n\t\tRunE: helpers.UnknownSubcommandAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\n\tcmd.AddCommand(\n\t\tcreateCommand(),\n\t\tlsCommand(),\n\t\trmCommand(),\n\t)\n\n\treturn cmd\n}\n\nfunc lsCommand() *cobra.Command {\n\tx := listCommand()\n\tx.Use = \"ls\"\n\tx.Aliases = []string{\"list\"}\n\treturn x\n}\nfunc rmCommand() *cobra.Command {\n\tx := removeCommand()\n\tx.Use = \"rm\"\n\tx.Aliases = []string{\"remove\"}\n\treturn x\n}\n" }, { "path": "cmd/nerdctl/checkpoint/checkpoint_create.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage checkpoint\n\nimport (\n\t\"path/filepath\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/checkpoint\"\n)\n\nfunc createCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"create [OPTIONS] CONTAINER CHECKPOINT\",\n\t\tShort: \"Create a checkpoint from a running container\",\n\t\tArgs: cobra.ExactArgs(2),\n\t\tRunE: createAction,\n\t\tValidArgsFunction: createShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().Bool(\"leave-running\", false, \"Leave the container running after checkpointing\")\n\tcmd.Flags().String(\"checkpoint-dir\", \"\", \"Checkpoint directory\")\n\treturn cmd\n}\n\nfunc processCreateFlags(cmd *cobra.Command) (types.CheckpointCreateOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.CheckpointCreateOptions{}, err\n\t}\n\n\tleaveRunning, err := cmd.Flags().GetBool(\"leave-running\")\n\tif err != nil {\n\t\treturn types.CheckpointCreateOptions{}, err\n\t}\n\tcheckpointDir, err := cmd.Flags().GetString(\"checkpoint-dir\")\n\tif err != nil {\n\t\treturn types.CheckpointCreateOptions{}, err\n\t}\n\tif checkpointDir == \"\" {\n\t\tcheckpointDir = filepath.Join(globalOptions.DataRoot, \"checkpoints\")\n\t}\n\n\treturn types.CheckpointCreateOptions{\n\t\tStdout: cmd.OutOrStdout(),\n\t\tGOptions: globalOptions,\n\t\tLeaveRunning: leaveRunning,\n\t\tCheckpointDir: checkpointDir,\n\t}, nil\n}\n\nfunc createAction(cmd *cobra.Command, args []string) error {\n\tcreateOptions, err := processCreateFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), createOptions.GOptions.Namespace, createOptions.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\terr = checkpoint.Create(ctx, client, args[0], args[1], createOptions)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn nil\n}\n\nfunc createShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\treturn completion.ImageNames(cmd)\n}\n" }, { "path": "cmd/nerdctl/checkpoint/checkpoint_create_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage checkpoint\n\nimport (\n\t\"errors\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestCheckpointCreateErrors(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = require.All(\n\t\trequire.Not(nerdtest.Rootless),\n\t\t// Docker version 28.x has a known regression that breaks Checkpoint/Restore functionality.\n\t\t// The issue is tracked in the moby/moby project as https://github.com/moby/moby/issues/50750.\n\t\trequire.Not(nerdtest.Docker),\n\t)\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"too-few-arguments\",\n\t\t\tCommand: test.Command(\"checkpoint\", \"create\", \"too-few-arguments\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"too-many-arguments\",\n\t\t\tCommand: test.Command(\"checkpoint\", \"create\", \"too\", \"many\", \"arguments\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"invalid-container-id\",\n\t\t\tCommand: test.Command(\"checkpoint\", \"create\", \"foo\", \"bar\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{errors.New(\"error creating checkpoint for container: foo\")},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestCheckpointCreate(t *testing.T) {\n\tconst (\n\t\tcheckpointName = \"checkpoint-bar\"\n\t\tcheckpointDir = \"/dir/foo\"\n\t)\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = require.All(\n\t\trequire.Not(nerdtest.Rootless),\n\t\t// Docker version 28.x has a known regression that breaks Checkpoint/Restore functionality.\n\t\t// The issue is tracked in the moby/moby project as https://github.com/moby/moby/issues/50750.\n\t\trequire.Not(nerdtest.Docker),\n\t)\n\ttestCase.NoParallel = true\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"leave-running=true\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(\"container-running\"), testutil.CommonImage, \"sleep\", \"infinity\")\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"container-running\"))\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"checkpoint\", \"create\", \"--leave-running\", \"--checkpoint-dir\", checkpointDir, data.Identifier(\"container-running\"), checkpointName+\"running\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.Equals(checkpointName + \"running\\n\"),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"leave-running=false\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(\"container-exit\"), testutil.CommonImage, \"sleep\", \"infinity\")\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"container-exit\"))\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"checkpoint\", \"create\", \"--checkpoint-dir\", checkpointDir, data.Identifier(\"container-exit\"), checkpointName+\"exit\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.Equals(checkpointName + \"exit\\n\"),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/checkpoint/checkpoint_list.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage checkpoint\n\nimport (\n\t\"fmt\"\n\t\"text/tabwriter\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/checkpoint\"\n)\n\nfunc listCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"list [OPTIONS] CONTAINER\",\n\t\tShort: \"List checkpoints for a container\",\n\t\tArgs: cobra.ExactArgs(1),\n\t\tRunE: listAction,\n\t\tValidArgsFunction: listShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().String(\"checkpoint-dir\", \"\", \"Checkpoint directory\")\n\treturn cmd\n}\n\nfunc processListFlags(cmd *cobra.Command) (types.CheckpointListOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.CheckpointListOptions{}, err\n\t}\n\n\tcheckpointDir, err := cmd.Flags().GetString(\"checkpoint-dir\")\n\tif err != nil {\n\t\treturn types.CheckpointListOptions{}, err\n\t}\n\tif checkpointDir == \"\" {\n\t\tcheckpointDir = globalOptions.DataRoot + \"/checkpoints\"\n\t}\n\n\treturn types.CheckpointListOptions{\n\t\tStdout: cmd.OutOrStdout(),\n\t\tGOptions: globalOptions,\n\t\tCheckpointDir: checkpointDir,\n\t}, nil\n}\n\nfunc listAction(cmd *cobra.Command, args []string) error {\n\tlistOptions, err := processListFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), listOptions.GOptions.Namespace, listOptions.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\tcheckpoints, err := checkpoint.List(ctx, client, args[0], listOptions)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tw := tabwriter.NewWriter(listOptions.Stdout, 4, 8, 4, ' ', 0)\n\tfmt.Fprintln(w, \"CHECKPOINT NAME\")\n\n\tfor _, cp := range checkpoints {\n\t\tfmt.Fprintln(w, cp.Name)\n\t}\n\n\treturn w.Flush()\n}\n\nfunc listShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\treturn completion.ImageNames(cmd)\n}\n" }, { "path": "cmd/nerdctl/checkpoint/checkpoint_list_linux_test.go", "content": "//go:build linux\n\n/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage checkpoint\n\nimport (\n\t\"errors\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestCheckpointListErrors(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = require.All(\n\t\trequire.Not(nerdtest.Rootless),\n\t\t// Docker version 28.x has a known regression that breaks Checkpoint/Restore functionality.\n\t\t// The issue is tracked in the moby/moby project as https://github.com/moby/moby/issues/50750.\n\t\trequire.Not(nerdtest.Docker),\n\t)\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"too-few-arguments\",\n\t\t\tCommand: test.Command(\"checkpoint\", \"list\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{ExitCode: 1}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"too-many-arguments\",\n\t\t\tCommand: test.Command(\"checkpoint\", \"list\", \"too\", \"many\", \"arguments\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{ExitCode: 1}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"invalid-container-id\",\n\t\t\tCommand: test.Command(\"checkpoint\", \"list\", \"no-such-container\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{errors.New(\"error list checkpoint for container: no-such-container\")},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestCheckpointList(t *testing.T) {\n\tconst checkpointName = \"checkpoint-list\"\n\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = require.All(\n\t\trequire.Not(nerdtest.Rootless),\n\t\t// Docker version 28.x has a known regression that breaks Checkpoint/Restore functionality.\n\t\t// The issue is tracked in the moby/moby project as https://github.com/moby/moby/issues/50750.\n\t\trequire.Not(nerdtest.Docker),\n\t)\n\ttestCase.NoParallel = true\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", \"infinity\")\n\t\thelpers.Ensure(\"checkpoint\", \"create\", data.Identifier(), checkpointName)\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"checkpoint\", \"list\", data.Identifier())\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tExitCode: 0,\n\t\t\t// First line is header, second should include the checkpoint name\n\t\t\tOutput: expect.Contains(\"CHECKPOINT NAME\\n\" + checkpointName + \"\\n\"),\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/checkpoint/checkpoint_remove.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage checkpoint\n\nimport (\n\t\"path/filepath\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/checkpoint\"\n)\n\nfunc removeCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"rm [OPTIONS] CONTAINER CHECKPOINT\",\n\t\tShort: \"Remove a checkpoint\",\n\t\tArgs: cobra.ExactArgs(2),\n\t\tRunE: removeAction,\n\t\tValidArgsFunction: removeShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().String(\"checkpoint-dir\", \"\", \"Checkpoint directory\")\n\treturn cmd\n}\n\nfunc processRemoveFlags(cmd *cobra.Command) (types.CheckpointRemoveOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.CheckpointRemoveOptions{}, err\n\t}\n\n\tcheckpointDir, err := cmd.Flags().GetString(\"checkpoint-dir\")\n\tif err != nil {\n\t\treturn types.CheckpointRemoveOptions{}, err\n\t}\n\tif checkpointDir == \"\" {\n\t\tcheckpointDir = filepath.Join(globalOptions.DataRoot, \"checkpoints\")\n\t}\n\n\treturn types.CheckpointRemoveOptions{\n\t\tStdout: cmd.OutOrStdout(),\n\t\tGOptions: globalOptions,\n\t\tCheckpointDir: checkpointDir,\n\t}, nil\n}\n\nfunc removeAction(cmd *cobra.Command, args []string) error {\n\tremoveOptions, err := processRemoveFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), removeOptions.GOptions.Namespace, removeOptions.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\terr = checkpoint.Remove(ctx, client, args[0], args[1], removeOptions)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn nil\n}\n\nfunc removeShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\treturn completion.ImageNames(cmd)\n}\n" }, { "path": "cmd/nerdctl/checkpoint/checkpoint_remove_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage checkpoint\n\nimport (\n\t\"errors\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestCheckpointRemoveErrors(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = require.All(\n\t\trequire.Not(nerdtest.Rootless),\n\t\t// Docker version 28.x has a known regression that breaks Checkpoint/Restore functionality.\n\t\t// The issue is tracked in the moby/moby project as https://github.com/moby/moby/issues/50750.\n\t\trequire.Not(nerdtest.Docker),\n\t)\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"too-few-arguments\",\n\t\t\tCommand: test.Command(\"checkpoint\", \"rm\", \"too-few-arguments\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"too-many-arguments\",\n\t\t\tCommand: test.Command(\"checkpoint\", \"rm\", \"too\", \"many\", \"arguments\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"invalid-container-id\",\n\t\t\tCommand: test.Command(\"checkpoint\", \"rm\", \"foo\", \"bar\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{errors.New(\"error removing checkpoint for container: foo\")},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestCheckpointRemove(t *testing.T) {\n\tconst (\n\t\tcheckpointName = \"checkpoint-remove\"\n\t\tcheckpointDir = \"/dir/remove\"\n\t)\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = require.All(\n\t\trequire.Not(nerdtest.Rootless),\n\t\t// Docker version 28.x has a known regression that breaks Checkpoint/Restore functionality.\n\t\t// The issue is tracked in the moby/moby project as https://github.com/moby/moby/issues/50750.\n\t\trequire.Not(nerdtest.Docker),\n\t)\n\ttestCase.NoParallel = true\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"remove-existing\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(\"container-running-remove\"), testutil.CommonImage, \"sleep\", \"infinity\")\n\t\t\t\thelpers.Ensure(\"checkpoint\", \"create\", \"--checkpoint-dir\", checkpointDir, data.Identifier(\"container-running-remove\"), checkpointName)\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"container-running-remove\"))\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"checkpoint\", \"rm\", \"--checkpoint-dir\", checkpointDir, data.Identifier(\"container-running-remove\"), checkpointName)\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.Equals(\"\"),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"remove-nonexistent-checkpoint\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(\"container-clean-remove\"), testutil.CommonImage, \"sleep\", \"infinity\")\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"container-clean-remove\"))\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"checkpoint\", \"rm\", \"--checkpoint-dir\", checkpointDir, data.Identifier(\"container-clean-remove\"), checkpointName)\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{errors.New(\"checkpoint \" + checkpointName + \" does not exist for container\")},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/checkpoint/checkpoint_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage checkpoint\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n)\n\nfunc TestMain(m *testing.M) {\n\ttestutil.M(m)\n}\n" }, { "path": "cmd/nerdctl/completion/completion.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage completion\n\nimport (\n\t\"context\"\n\t\"time\"\n\n\t\"github.com/spf13/cobra\"\n\n\tcontainerd \"github.com/containerd/containerd/v2/client\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/volume\"\n\t\"github.com/containerd/nerdctl/v2/pkg/inspecttypes/native\"\n\t\"github.com/containerd/nerdctl/v2/pkg/labels\"\n\t\"github.com/containerd/nerdctl/v2/pkg/netutil\"\n)\n\nfunc ImageNames(cmd *cobra.Command) ([]string, cobra.ShellCompDirective) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn nil, cobra.ShellCompDirectiveError\n\t}\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn nil, cobra.ShellCompDirectiveError\n\t}\n\tdefer cancel()\n\n\timageList, err := client.ImageService().List(ctx, \"\")\n\n\tif err != nil {\n\t\treturn nil, cobra.ShellCompDirectiveError\n\t}\n\tcandidates := []string{}\n\tfor _, img := range imageList {\n\t\tcandidates = append(candidates, img.Name)\n\t}\n\treturn candidates, cobra.ShellCompDirectiveNoFileComp\n}\n\nfunc ContainerNames(cmd *cobra.Command, filterFunc func(containerd.ProcessStatus) bool) ([]string, cobra.ShellCompDirective) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn nil, cobra.ShellCompDirectiveError\n\t}\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn nil, cobra.ShellCompDirectiveError\n\t}\n\tdefer cancel()\n\tcontainers, err := client.Containers(ctx)\n\tif err != nil {\n\t\treturn nil, cobra.ShellCompDirectiveError\n\t}\n\tgetStatus := func(c containerd.Container) containerd.ProcessStatus {\n\t\tctx2, cancel2 := context.WithTimeout(ctx, 100*time.Millisecond)\n\t\tdefer cancel2()\n\t\ttask, err := c.Task(ctx2, nil)\n\t\tif err != nil {\n\t\t\treturn containerd.Unknown\n\t\t}\n\t\tst, err := task.Status(ctx2)\n\t\tif err != nil {\n\t\t\treturn containerd.Unknown\n\t\t}\n\t\treturn st.Status\n\t}\n\tcandidates := []string{}\n\tfor _, c := range containers {\n\t\tif filterFunc != nil {\n\t\t\tif !filterFunc(getStatus(c)) {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\t\tlab, err := c.Labels(ctx)\n\t\tif err != nil {\n\t\t\tcontinue\n\t\t}\n\t\tname := lab[labels.Name]\n\t\tif name != \"\" {\n\t\t\tcandidates = append(candidates, name)\n\t\t\tcontinue\n\t\t}\n\t\tcandidates = append(candidates, c.ID())\n\t}\n\treturn candidates, cobra.ShellCompDirectiveNoFileComp\n}\n\n// NetworkNames includes {\"bridge\",\"host\",\"none\"}\nfunc NetworkNames(cmd *cobra.Command, exclude []string) ([]string, cobra.ShellCompDirective) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn nil, cobra.ShellCompDirectiveError\n\t}\n\texcludeMap := make(map[string]struct{}, len(exclude))\n\tfor _, ex := range exclude {\n\t\texcludeMap[ex] = struct{}{}\n\t}\n\n\te, err := netutil.NewCNIEnv(globalOptions.CNIPath, globalOptions.CNINetConfPath, netutil.WithNamespace(globalOptions.Namespace))\n\tif err != nil {\n\t\treturn nil, cobra.ShellCompDirectiveError\n\t}\n\tcandidates := []string{}\n\tnetConfigs, err := e.NetworkMap()\n\tif err != nil {\n\t\treturn nil, cobra.ShellCompDirectiveError\n\t}\n\tfor netName, network := range netConfigs {\n\t\tif _, ok := excludeMap[netName]; !ok {\n\t\t\tcandidates = append(candidates, netName)\n\t\t\tif network.NerdctlID != nil {\n\t\t\t\tcandidates = append(candidates, *network.NerdctlID)\n\t\t\t\tcandidates = append(candidates, (*network.NerdctlID)[0:12])\n\t\t\t}\n\t\t}\n\t}\n\tfor _, s := range []string{\"host\", \"none\"} {\n\t\tif _, ok := excludeMap[s]; !ok {\n\t\t\tcandidates = append(candidates, s)\n\t\t}\n\t}\n\treturn candidates, cobra.ShellCompDirectiveNoFileComp\n}\n\nfunc VolumeNames(cmd *cobra.Command) ([]string, cobra.ShellCompDirective) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn nil, cobra.ShellCompDirectiveError\n\t}\n\tvols, err := getVolumes(cmd, globalOptions)\n\tif err != nil {\n\t\treturn nil, cobra.ShellCompDirectiveError\n\t}\n\tcandidates := []string{}\n\tfor _, v := range vols {\n\t\tcandidates = append(candidates, v.Name)\n\t}\n\treturn candidates, cobra.ShellCompDirectiveNoFileComp\n}\n\nfunc Platforms(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\tcandidates := []string{\n\t\t\"amd64\",\n\t\t\"arm64\",\n\t\t\"riscv64\",\n\t\t\"ppc64le\",\n\t\t\"s390x\",\n\t\t\"loong64\",\n\t\t\"386\",\n\t\t\"arm\", // alias of \"linux/arm/v7\"\n\t\t\"linux/arm/v6\", // \"arm/v6\" is invalid (interpreted as OS=\"arm\", Arch=\"v7\")\n\t}\n\treturn candidates, cobra.ShellCompDirectiveNoFileComp\n}\n\nfunc getVolumes(cmd *cobra.Command, globalOptions types.GlobalCommandOptions) (map[string]native.Volume, error) {\n\tvolumeSize, err := cmd.Flags().GetBool(\"size\")\n\tif err != nil {\n\t\t// The `nerdctl volume rm` does not have the flag `size`, so set it to false as the default value.\n\t\tvolumeSize = false\n\t}\n\treturn volume.Volumes(globalOptions.Namespace, globalOptions.DataRoot, globalOptions.Address, volumeSize, nil)\n}\n" }, { "path": "cmd/nerdctl/completion/completion_linux.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage completion\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/apparmorutil\"\n\tncdefaults \"github.com/containerd/nerdctl/v2/pkg/defaults\"\n\t\"github.com/containerd/nerdctl/v2/pkg/rootlessutil\"\n)\n\nfunc ApparmorProfiles(cmd *cobra.Command) ([]string, cobra.ShellCompDirective) {\n\tprofiles, err := apparmorutil.Profiles()\n\tif err != nil {\n\t\treturn nil, cobra.ShellCompDirectiveError\n\t}\n\tvar names []string // nolint: prealloc\n\tfor _, f := range profiles {\n\t\tnames = append(names, f.Name)\n\t}\n\treturn names, cobra.ShellCompDirectiveNoFileComp\n}\n\nfunc CgroupManagerNames(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\tcandidates := []string{\"cgroupfs\"}\n\tif ncdefaults.IsSystemdAvailable() {\n\t\tcandidates = append(candidates, \"systemd\")\n\t}\n\tif rootlessutil.IsRootless() {\n\t\tcandidates = append(candidates, \"none\")\n\t}\n\treturn candidates, cobra.ShellCompDirectiveNoFileComp\n}\n" }, { "path": "cmd/nerdctl/completion/completion_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage completion\n\nimport (\n\t\"os/exec\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestMain(m *testing.M) {\n\ttestutil.M(m)\n}\n\nfunc TestCompletion(t *testing.T) {\n\tnerdtest.Setup()\n\n\t// Note: some functions need to be tested without the automatic --namespace nerdctl-test argument, so we need\n\t// to retrieve the binary name.\n\t// Note that we know this works already, so no need to assert err.\n\tbin, _ := exec.LookPath(testutil.GetTarget())\n\n\ttestCase := &test.Case{\n\t\tRequire: require.Not(nerdtest.Docker),\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tidentifier := data.Identifier()\n\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.CommonImage)\n\t\t\thelpers.Ensure(\"network\", \"create\", identifier)\n\t\t\thelpers.Ensure(\"volume\", \"create\", identifier)\n\t\t\tdata.Labels().Set(\"identifier\", identifier)\n\t\t},\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\tidentifier := data.Identifier()\n\t\t\thelpers.Anyhow(\"network\", \"rm\", identifier)\n\t\t\thelpers.Anyhow(\"volume\", \"rm\", identifier)\n\t\t},\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"--cgroup-manager\",\n\t\t\t\tRequire: require.Not(require.Windows),\n\t\t\t\tCommand: test.Command(\"__complete\", \"--cgroup-manager\", \"\"),\n\t\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"cgroupfs\\n\")),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"--snapshotter\",\n\t\t\t\tRequire: require.Not(require.Windows),\n\t\t\t\tCommand: test.Command(\"__complete\", \"--snapshotter\", \"\"),\n\t\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"native\\n\")),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"empty\",\n\t\t\t\tCommand: test.Command(\"__complete\", \"\"),\n\t\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"run\\t\")),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"build --network\",\n\t\t\t\tCommand: test.Command(\"__complete\", \"build\", \"--network\", \"\"),\n\t\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"default\\n\")),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"run -\",\n\t\t\t\tCommand: test.Command(\"__complete\", \"run\", \"-\"),\n\t\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"--network\\t\")),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"run --n\",\n\t\t\t\tCommand: test.Command(\"__complete\", \"run\", \"--n\"),\n\t\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"--network\\t\")),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"run --ne\",\n\t\t\t\tCommand: test.Command(\"__complete\", \"run\", \"--ne\"),\n\t\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"--network\\t\")),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"run --net\",\n\t\t\t\tCommand: test.Command(\"__complete\", \"run\", \"--net\", \"\"),\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: expect.Contains(\"host\\n\", data.Labels().Get(\"identifier\")+\"\\n\"),\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"run -it --net\",\n\t\t\t\tCommand: test.Command(\"__complete\", \"run\", \"-it\", \"--net\", \"\"),\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: expect.Contains(\"host\\n\", data.Labels().Get(\"identifier\")+\"\\n\"),\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"run -ti --rm --net\",\n\t\t\t\tCommand: test.Command(\"__complete\", \"run\", \"-it\", \"--rm\", \"--net\", \"\"),\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: expect.Contains(\"host\\n\", data.Labels().Get(\"identifier\")+\"\\n\"),\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"run --restart\",\n\t\t\t\tCommand: test.Command(\"__complete\", \"run\", \"--restart\", \"\"),\n\t\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"always\\n\")),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"network --rm\",\n\t\t\t\tCommand: test.Command(\"__complete\", \"network\", \"rm\", \"\"),\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\t\texpect.DoesNotContain(\"host\\n\"),\n\t\t\t\t\t\t\texpect.Contains(data.Labels().Get(\"identifier\")+\"\\n\"),\n\t\t\t\t\t\t),\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"run --cap-add\",\n\t\t\t\tRequire: require.Not(require.Windows),\n\t\t\t\tCommand: test.Command(\"__complete\", \"run\", \"--cap-add\", \"\"),\n\t\t\t\tExpected: test.Expects(0, nil, expect.All(\n\t\t\t\t\texpect.Contains(\"sys_admin\\n\"),\n\t\t\t\t\texpect.DoesNotContain(\"CAP_SYS_ADMIN\\n\"),\n\t\t\t\t)),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"volume inspect\",\n\t\t\t\tCommand: test.Command(\"__complete\", \"volume\", \"inspect\", \"\"),\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: expect.Contains(data.Labels().Get(\"identifier\") + \"\\n\"),\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"volume rm\",\n\t\t\t\tCommand: test.Command(\"__complete\", \"volume\", \"rm\", \"\"),\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: expect.Contains(data.Labels().Get(\"identifier\") + \"\\n\"),\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"--cgroup-manager\",\n\t\t\t\tRequire: require.Not(require.Windows),\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"__complete\", \"--cgroup-manager\", \"\")\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"cgroupfs\\n\")),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"empty\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"__complete\", \"\")\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"run\\t\")),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"namespace space empty\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\t// mind {\"--namespace=nerdctl-test\"} vs {\"--namespace\", \"nerdctl-test\"}\n\t\t\t\t\treturn helpers.Custom(bin, \"__complete\", \"--namespace\", string(helpers.Read(nerdtest.Namespace)), \"\")\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"run\\t\")),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"run -i\",\n\t\t\t\tCommand: test.Command(\"__complete\", \"run\", \"-i\", \"\"),\n\t\t\t\tExpected: test.Expects(0, nil, expect.Contains(testutil.CommonImage)),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"run -it\",\n\t\t\t\tCommand: test.Command(\"__complete\", \"run\", \"-it\", \"\"),\n\t\t\t\tExpected: test.Expects(0, nil, expect.Contains(testutil.CommonImage)),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"run -it --rm\",\n\t\t\t\tCommand: test.Command(\"__complete\", \"run\", \"-it\", \"--rm\", \"\"),\n\t\t\t\tExpected: test.Expects(0, nil, expect.Contains(testutil.CommonImage)),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"namespace run -i\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\t// mind {\"--namespace=nerdctl-test\"} vs {\"--namespace\", \"nerdctl-test\"}\n\t\t\t\t\treturn helpers.Custom(bin, \"__complete\", \"--namespace\", string(helpers.Read(nerdtest.Namespace)), \"run\", \"-i\", \"\")\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, expect.Contains(testutil.CommonImage+\"\\n\")),\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/completion/completion_unix.go", "content": "//go:build unix\n\n/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage completion\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/log\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/infoutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/rootlessutil\"\n)\n\nfunc NetworkDrivers(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\tcandidates := []string{\"bridge\", \"macvlan\", \"ipvlan\"}\n\treturn candidates, cobra.ShellCompDirectiveNoFileComp\n}\n\nfunc IPAMDrivers(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\treturn []string{\"default\", \"host-local\", \"dhcp\"}, cobra.ShellCompDirectiveNoFileComp\n}\n\nfunc NetworkOptions(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\tdriver, _ := cmd.Flags().GetString(\"driver\")\n\tif driver == \"\" {\n\t\tdriver = \"bridge\"\n\t}\n\n\tvar candidates []string\n\tswitch driver {\n\tcase \"bridge\":\n\t\tcandidates = []string{\n\t\t\t\"mtu=\",\n\t\t\t\"com.docker.network.driver.mtu=\",\n\t\t\t\"ip-masq=\",\n\t\t\t\"com.docker.network.bridge.enable_ip_masquerade=\",\n\t\t}\n\tcase \"macvlan\":\n\t\tcandidates = []string{\n\t\t\t\"mtu=\",\n\t\t\t\"com.docker.network.driver.mtu=\",\n\t\t\t\"mode=bridge\",\n\t\t\t\"macvlan_mode=bridge\",\n\t\t\t\"parent=\",\n\t\t}\n\tcase \"ipvlan\":\n\t\tcandidates = []string{\n\t\t\t\"mtu=\",\n\t\t\t\"com.docker.network.driver.mtu=\",\n\t\t\t\"mode=l2\",\n\t\t\t\"mode=l3\",\n\t\t\t\"ipvlan_mode=l2\",\n\t\t\t\"ipvlan_mode=l3\",\n\t\t\t\"parent=\",\n\t\t}\n\tdefault:\n\t\tcandidates = []string{\n\t\t\t\"mtu=\",\n\t\t\t\"com.docker.network.driver.mtu=\",\n\t\t\t\"parent=\",\n\t\t}\n\t}\n\treturn candidates, cobra.ShellCompDirectiveNoSpace\n}\n\nfunc NamespaceNames(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn nil, cobra.ShellCompDirectiveError\n\t}\n\tif rootlessutil.IsRootlessParent() {\n\t\t_ = rootlessutil.ParentMain(globalOptions.HostGatewayIP)\n\t\treturn nil, cobra.ShellCompDirectiveNoFileComp\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn nil, cobra.ShellCompDirectiveError\n\t}\n\tdefer cancel()\n\tnsService := client.NamespaceService()\n\tnsList, err := nsService.List(ctx)\n\tif err != nil {\n\t\tlog.L.Warn(err)\n\t\treturn nil, cobra.ShellCompDirectiveError\n\t}\n\tvar candidates []string\n\tcandidates = append(candidates, nsList...)\n\treturn candidates, cobra.ShellCompDirectiveNoFileComp\n}\n\nfunc SnapshotterNames(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn nil, cobra.ShellCompDirectiveError\n\t}\n\tif rootlessutil.IsRootlessParent() {\n\t\t_ = rootlessutil.ParentMain(globalOptions.HostGatewayIP)\n\t\treturn nil, cobra.ShellCompDirectiveNoFileComp\n\t}\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn nil, cobra.ShellCompDirectiveError\n\t}\n\tdefer cancel()\n\tsnapshotterPlugins, err := infoutil.GetSnapshotterNames(ctx, client.IntrospectionService())\n\tif err != nil {\n\t\treturn nil, cobra.ShellCompDirectiveError\n\t}\n\tvar candidates []string\n\tcandidates = append(candidates, snapshotterPlugins...)\n\treturn candidates, cobra.ShellCompDirectiveNoFileComp\n}\n" }, { "path": "cmd/nerdctl/completion/completion_unix_nolinux.go", "content": "//go:build unix && !linux\n\n/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage completion\n\nimport \"github.com/spf13/cobra\"\n\nfunc CgroupManagerNames(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\treturn nil, cobra.ShellCompDirectiveNoFileComp\n}\n" }, { "path": "cmd/nerdctl/completion/completion_windows.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage completion\n\nimport \"github.com/spf13/cobra\"\n\nfunc NamespaceNames(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\treturn nil, cobra.ShellCompDirectiveNoFileComp\n}\n\nfunc SnapshotterNames(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\treturn nil, cobra.ShellCompDirectiveNoFileComp\n}\n\nfunc CgroupManagerNames(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\treturn nil, cobra.ShellCompDirectiveNoFileComp\n}\n\nfunc NetworkDrivers(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\tcandidates := []string{\"nat\"}\n\treturn candidates, cobra.ShellCompDirectiveNoFileComp\n}\n\nfunc IPAMDrivers(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\treturn []string{\"default\"}, cobra.ShellCompDirectiveNoFileComp\n}\n\nfunc NetworkOptions(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\tdriver, _ := cmd.Flags().GetString(\"driver\")\n\tif driver == \"\" {\n\t\tdriver = \"nat\"\n\t}\n\n\tvar candidates []string\n\tswitch driver {\n\tcase \"nat\":\n\t\tcandidates = []string{\n\t\t\t\"mtu=\",\n\t\t\t\"com.docker.network.driver.mtu=\",\n\t\t}\n\tdefault:\n\t\tcandidates = []string{\n\t\t\t\"mtu=\",\n\t\t\t\"com.docker.network.driver.mtu=\",\n\t\t}\n\t}\n\treturn candidates, cobra.ShellCompDirectiveNoSpace\n}\n" }, { "path": "cmd/nerdctl/compose/compose.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/composer\"\n)\n\nfunc Command() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"compose [flags] COMMAND\",\n\t\tShort: \"Compose\",\n\t\tRunE: helpers.UnknownSubcommandAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t\tTraverseChildren: true, // required for global short hands like -f\n\t}\n\t// `-f` is a nonPersistentAlias, as it conflicts with `nerdctl compose logs --follow`\n\thelpers.AddPersistentStringArrayFlag(cmd, \"file\", nil, []string{\"f\"}, nil, \"\", \"Specify an alternate compose file\")\n\tcmd.PersistentFlags().String(\"project-directory\", \"\", \"Specify an alternate working directory\")\n\tcmd.PersistentFlags().StringP(\"project-name\", \"p\", \"\", \"Specify an alternate project name\")\n\tcmd.PersistentFlags().String(\"env-file\", \"\", \"Specify an alternate environment file\")\n\tcmd.PersistentFlags().String(\"ipfs-address\", \"\", \"multiaddr of IPFS API (default uses $IPFS_PATH env variable if defined or local directory ~/.ipfs)\")\n\tcmd.PersistentFlags().StringArray(\"profile\", []string{}, \"Specify a profile to enable\")\n\n\tcmd.AddCommand(\n\t\tupCommand(),\n\t\tlogsCommand(),\n\t\tconfigCommand(),\n\t\tcopyCommand(),\n\t\tbuildCommand(),\n\t\texecCommand(),\n\t\timagesCommand(),\n\t\tportCommand(),\n\t\tpushCommand(),\n\t\tpullCommand(),\n\t\tdownCommand(),\n\t\tpsCommand(),\n\t\tkillCommand(),\n\t\trestartCommand(),\n\t\tremoveCommand(),\n\t\trunCommand(),\n\t\tversionCommand(),\n\t\tstartCommand(),\n\t\tstopCommand(),\n\t\tpauseCommand(),\n\t\tunpauseCommand(),\n\t\ttopCommand(),\n\t\tcreateCommand(),\n\t)\n\n\treturn cmd\n}\n\nfunc getComposeOptions(cmd *cobra.Command, debugFull, experimental bool) (composer.Options, error) {\n\tnerdctlCmd, nerdctlArgs := helpers.GlobalFlags(cmd)\n\tprojectDirectory, err := cmd.Flags().GetString(\"project-directory\")\n\tif err != nil {\n\t\treturn composer.Options{}, err\n\t}\n\tenvFile, err := cmd.Flags().GetString(\"env-file\")\n\tif err != nil {\n\t\treturn composer.Options{}, err\n\t}\n\tprojectName, err := cmd.Flags().GetString(\"project-name\")\n\tif err != nil {\n\t\treturn composer.Options{}, err\n\t}\n\tfiles, err := cmd.Flags().GetStringArray(\"file\")\n\tif err != nil {\n\t\treturn composer.Options{}, err\n\t}\n\tipfsAddressStr, err := cmd.Flags().GetString(\"ipfs-address\")\n\tif err != nil {\n\t\treturn composer.Options{}, err\n\t}\n\tprofiles, err := cmd.Flags().GetStringArray(\"profile\")\n\tif err != nil {\n\t\treturn composer.Options{}, err\n\t}\n\n\treturn composer.Options{\n\t\tProject: projectName,\n\t\tProjectDirectory: projectDirectory,\n\t\tConfigPaths: files,\n\t\tProfiles: profiles,\n\t\tEnvFile: envFile,\n\t\tNerdctlCmd: nerdctlCmd,\n\t\tNerdctlArgs: nerdctlArgs,\n\t\tDebugPrintFull: debugFull,\n\t\tExperimental: experimental,\n\t\tIPFSAddress: ipfsAddressStr,\n\t}, nil\n}\n" }, { "path": "cmd/nerdctl/compose/compose_build.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/compose\"\n\t\"github.com/containerd/nerdctl/v2/pkg/composer\"\n)\n\nfunc buildCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"build [flags] [SERVICE...]\",\n\t\tShort: \"Build or rebuild services\",\n\t\tRunE: buildAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().StringArray(\"build-arg\", nil, \"Set build-time variables for services.\")\n\tcmd.Flags().Bool(\"no-cache\", false, \"Do not use cache when building the image.\")\n\tcmd.Flags().String(\"progress\", \"\", \"Set type of progress output (auto, plain, tty). Use plain to show container output\")\n\n\treturn cmd\n}\n\nfunc buildAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tbuildArg, err := cmd.Flags().GetStringArray(\"build-arg\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tnoCache, err := cmd.Flags().GetBool(\"no-cache\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tprogress, err := cmd.Flags().GetString(\"progress\")\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\toptions, err := getComposeOptions(cmd, globalOptions.DebugFull, globalOptions.Experimental)\n\tif err != nil {\n\t\treturn err\n\t}\n\tc, err := compose.New(client, globalOptions, options, cmd.OutOrStdout(), cmd.ErrOrStderr())\n\tif err != nil {\n\t\treturn err\n\t}\n\tbo := composer.BuildOptions{\n\t\tArgs: buildArg,\n\t\tNoCache: noCache,\n\t\tProgress: progress,\n\t}\n\treturn c.Build(ctx, bo, args)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_build_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestComposeBuild(t *testing.T) {\n\tdockerfile := \"FROM \" + testutil.CommonImage\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = nerdtest.Build\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\t// Make sure we shard the image name to something unique to the test to avoid conflicts with other tests\n\t\timageSvc0 := data.Identifier(\"svc0\")\n\t\timageSvc1 := data.Identifier(\"svc1\")\n\t\timageSvc2 := data.Identifier(\"svc2\")\n\n\t\t// We are not going to run them, so, ports conflicts should not matter here\n\t\tdockerComposeYAML := fmt.Sprintf(`\nservices:\n svc0:\n build: .\n image: %s\n depends_on:\n - svc1\n svc1:\n build: .\n image: %s\n svc2:\n image: %s\n build:\n context: .\n dockerfile_inline: |\n FROM %s\n`, imageSvc0, imageSvc1, imageSvc2, testutil.CommonImage)\n\n\t\tdata.Temp().Save(dockerComposeYAML, \"compose.yaml\")\n\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\n\t\tdata.Labels().Set(\"composeYaml\", data.Temp().Path(\"compose.yaml\"))\n\t\tdata.Labels().Set(\"imageSvc0\", imageSvc0)\n\t\tdata.Labels().Set(\"imageSvc1\", imageSvc1)\n\t\tdata.Labels().Set(\"imageSvc2\", imageSvc2)\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"build svc0\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"compose\", \"-f\", data.Labels().Get(\"composeYaml\"), \"build\", \"svc0\")\n\t\t\t},\n\n\t\t\tCommand: test.Command(\"images\"),\n\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\texpect.Contains(data.Labels().Get(\"imageSvc0\")),\n\t\t\t\t\t\texpect.DoesNotContain(data.Labels().Get(\"imageSvc1\")),\n\t\t\t\t\t\texpect.DoesNotContain(data.Labels().Get(\"imageSvc2\")),\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"build svc2\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"compose\", \"-f\", data.Labels().Get(\"composeYaml\"), \"build\", \"svc2\")\n\t\t\t},\n\n\t\t\tCommand: test.Command(\"images\"),\n\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\texpect.Contains(data.Labels().Get(\"imageSvc2\")),\n\t\t\t\t\t\texpect.DoesNotContain(data.Labels().Get(\"imageSvc1\")),\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"build svc0, svc1, svc2\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"compose\", \"-f\", data.Labels().Get(\"composeYaml\"), \"build\", \"svc0\", \"svc1\", \"svc2\")\n\t\t\t},\n\n\t\t\tCommand: test.Command(\"images\"),\n\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.Contains(data.Labels().Get(\"imageSvc0\"), data.Labels().Get(\"imageSvc1\"), data.Labels().Get(\"imageSvc2\")),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"build no arg\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYaml\"), \"build\")\n\t\t\t},\n\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"build bogus\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\n\t\t\t\t\t\"compose\",\n\t\t\t\t\t\"-f\",\n\t\t\t\t\tdata.Labels().Get(\"composeYaml\"),\n\t\t\t\t\t\"build\",\n\t\t\t\t\t\"svc0\",\n\t\t\t\t\t\"svc100\",\n\t\t\t\t)\n\t\t\t},\n\n\t\t\tExpected: test.Expects(1, []error{errors.New(\"no such service: svc100\")}, nil),\n\t\t},\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tif data.Labels().Get(\"imageSvc0\") != \"\" {\n\t\t\thelpers.Anyhow(\"rmi\", data.Labels().Get(\"imageSvc0\"), data.Labels().Get(\"imageSvc1\"), data.Labels().Get(\"imageSvc2\"))\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_config.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/compose\"\n\t\"github.com/containerd/nerdctl/v2/pkg/composer\"\n)\n\nfunc configCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"config\",\n\t\tShort: \"Validate and view the Compose file\",\n\t\tRunE: configAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().BoolP(\"quiet\", \"q\", false, \"Only validate the configuration, don't print anything.\")\n\tcmd.Flags().Bool(\"services\", false, \"Print the service names, one per line.\")\n\tcmd.Flags().Bool(\"volumes\", false, \"Print the volume names, one per line.\")\n\tcmd.Flags().String(\"hash\", \"\", \"Print the service config hash, one per line.\")\n\tcmd.RegisterFlagCompletionFunc(\"hash\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"\\\"*\\\"\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\treturn cmd\n}\n\nfunc configAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif len(args) != 0 {\n\t\t// TODO: support specifying service names as args\n\t\treturn fmt.Errorf(\"arguments %v not supported\", args)\n\t}\n\tquiet, err := cmd.Flags().GetBool(\"quiet\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tservices, err := cmd.Flags().GetBool(\"services\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tvolumes, err := cmd.Flags().GetBool(\"volumes\")\n\tif err != nil {\n\t\treturn err\n\t}\n\thash, err := cmd.Flags().GetString(\"hash\")\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\toptions, err := getComposeOptions(cmd, globalOptions.DebugFull, globalOptions.Experimental)\n\tif err != nil {\n\t\treturn err\n\t}\n\tc, err := compose.New(client, globalOptions, options, cmd.OutOrStdout(), cmd.ErrOrStderr())\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif quiet {\n\t\treturn nil\n\t}\n\tco := composer.ConfigOptions{\n\t\tServices: services,\n\t\tVolumes: volumes,\n\t\tHash: hash,\n\t}\n\treturn c.Config(ctx, cmd.OutOrStdout(), co)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_config_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"fmt\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestComposeConfig(t *testing.T) {\n\tdockerComposeYAML := fmt.Sprintf(`\nservices:\n hello:\n image: %s\n`, testutil.CommonImage)\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tdata.Temp().Save(dockerComposeYAML, \"compose.yaml\")\n\t\tdata.Labels().Set(\"composeYaml\", data.Temp().Path(\"compose.yaml\"))\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"config contains service name\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYaml\"), \"config\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"hello:\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"config --services is exactly service name\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\n\t\t\t\t\t\"compose\",\n\t\t\t\t\t\"-f\",\n\t\t\t\t\tdata.Labels().Get(\"composeYaml\"),\n\t\t\t\t\t\"config\",\n\t\t\t\t\t\"--services\",\n\t\t\t\t)\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"hello\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"config --hash=* contains service name\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYaml\"), \"config\", \"--hash=*\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"hello\")),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeConfigWithPrintServiceHash(t *testing.T) {\n\tconst dockerComposeYAML = `\nservices:\n hello:\n image: alpine:%s\n`\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tdata.Temp().Save(fmt.Sprintf(dockerComposeYAML, \"3.13\"), \"compose.yaml\")\n\n\t\thash := helpers.Capture(\n\t\t\t\"compose\",\n\t\t\t\"-f\",\n\t\t\tdata.Temp().Path(\"compose.yaml\"),\n\t\t\t\"config\",\n\t\t\t\"--hash=hello\",\n\t\t)\n\n\t\tdata.Labels().Set(\"hash\", hash)\n\n\t\tdata.Temp().Save(fmt.Sprintf(dockerComposeYAML, \"3.14\"), \"compose.yaml\")\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\n\t\t\t\"compose\",\n\t\t\t\"-f\",\n\t\t\tdata.Temp().Path(\"compose.yaml\"),\n\t\t\t\"config\",\n\t\t\t\"--hash=hello\",\n\t\t)\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tExitCode: 0,\n\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\tassert.Assert(t, data.Labels().Get(\"hash\") != stdout, \"hash should be different\")\n\t\t\t},\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeConfigWithMultipleFile(t *testing.T) {\n\tconst dockerComposeBase = `\nservices:\n hello1:\n image: alpine:3.13\n`\n\n\tconst dockerComposeTest = `\nservices:\n hello2:\n image: alpine:3.14\n`\n\n\tconst dockerComposeOverride = `\nservices:\n hello1:\n image: alpine:3.14\n`\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tdata.Temp().Save(dockerComposeBase, \"compose.yaml\")\n\t\tdata.Temp().Save(dockerComposeTest, \"docker-compose.test.yml\")\n\t\tdata.Temp().Save(dockerComposeOverride, \"docker-compose.override.yml\")\n\n\t\tdata.Labels().Set(\"composeDir\", data.Temp().Path())\n\t\tdata.Labels().Set(\"composeYaml\", data.Temp().Path(\"compose.yaml\"))\n\t\tdata.Labels().Set(\"composeYamlTest\", data.Temp().Path(\"docker-compose.test.yml\"))\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"config override\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\n\t\t\t\t\t\"compose\",\n\t\t\t\t\t\"-f\", data.Labels().Get(\"composeYaml\"),\n\t\t\t\t\t\"-f\", data.Labels().Get(\"composeYamlTest\"),\n\t\t\t\t\t\"config\",\n\t\t\t\t)\n\t\t\t},\n\t\t\tExpected: test.Expects(\n\t\t\t\texpect.ExitCodeSuccess,\n\t\t\t\tnil,\n\t\t\t\texpect.Contains(\"alpine:3.13\", \"alpine:3.14\", \"hello1\", \"hello2\"),\n\t\t\t),\n\t\t},\n\t\t{\n\t\t\tDescription: \"project dir\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\n\t\t\t\t\t\"compose\",\n\t\t\t\t\t\"--project-directory\", data.Labels().Get(\"composeDir\"), \"config\",\n\t\t\t\t)\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"alpine:3.14\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"project dir services\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\n\t\t\t\t\t\"compose\",\n\t\t\t\t\t\"--project-directory\", data.Labels().Get(\"composeDir\"), \"config\", \"--services\",\n\t\t\t\t)\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"hello1\\n\")),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeConfigWithComposeFileEnv(t *testing.T) {\n\tconst dockerComposeBase = `\nservices:\n hello1:\n image: alpine:3.13\n`\n\n\tconst dockerComposeTest = `\nservices:\n hello2:\n image: alpine:3.14\n`\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tdata.Temp().Save(dockerComposeBase, \"compose.yaml\")\n\t\tdata.Temp().Save(dockerComposeTest, \"docker-compose.test.yml\")\n\n\t\tdata.Labels().Set(\"composeDir\", data.Temp().Path())\n\t\tdata.Labels().Set(\"composeYaml\", data.Temp().Path(\"compose.yaml\"))\n\t\tdata.Labels().Set(\"composeYamlTest\", data.Temp().Path(\"docker-compose.test.yml\"))\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"env config\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcmd := helpers.Command(\n\t\t\t\t\t\"compose\",\n\t\t\t\t\t\"config\",\n\t\t\t\t)\n\t\t\t\tcmd.Setenv(\"COMPOSE_FILE\", data.Labels().Get(\"composeYaml\")+\",\"+data.Labels().Get(\"composeYamlTest\"))\n\t\t\t\tcmd.Setenv(\"COMPOSE_PATH_SEPARATOR\", \",\")\n\t\t\t\treturn cmd\n\t\t\t},\n\t\t\tExpected: test.Expects(\n\t\t\t\texpect.ExitCodeSuccess,\n\t\t\t\tnil,\n\t\t\t\texpect.Contains(\"alpine:3.13\", \"alpine:3.14\", \"hello1\", \"hello2\"),\n\t\t\t),\n\t\t},\n\t\t{\n\t\t\tDescription: \"env with project dir\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcmd := helpers.Command(\n\t\t\t\t\t\"compose\",\n\t\t\t\t\t\"--project-directory\", data.Labels().Get(\"composeDir\"),\n\t\t\t\t\t\"config\",\n\t\t\t\t)\n\t\t\t\tcmd.Setenv(\"COMPOSE_FILE\", data.Labels().Get(\"composeYaml\")+\",\"+data.Labels().Get(\"composeYamlTest\"))\n\t\t\t\tcmd.Setenv(\"COMPOSE_PATH_SEPARATOR\", \",\")\n\t\t\t\treturn cmd\n\t\t\t},\n\t\t\tExpected: test.Expects(\n\t\t\t\texpect.ExitCodeSuccess,\n\t\t\t\tnil,\n\t\t\t\texpect.Contains(\"alpine:3.13\", \"alpine:3.14\", \"hello1\", \"hello2\"),\n\t\t\t),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeConfigWithEnvFile(t *testing.T) {\n\tconst dockerComposeYAML = `\nservices:\n hello:\n image: ${image}\n`\n\tconst envFileContent = `\nimage: hello-world\n`\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tdata.Temp().Save(dockerComposeYAML, \"compose.yaml\")\n\t\tdata.Temp().Save(envFileContent, \"env\")\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"compose\",\n\t\t\t\"-f\", data.Temp().Path(\"compose.yaml\"),\n\t\t\t\"--env-file\", data.Temp().Path(\"env\"),\n\t\t\t\"config\",\n\t\t)\n\t}\n\n\ttestCase.Expected = test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"image: hello-world\"))\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_cp.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"errors\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/compose\"\n\t\"github.com/containerd/nerdctl/v2/pkg/composer\"\n\t\"github.com/containerd/nerdctl/v2/pkg/rootlessutil\"\n)\n\nfunc copyCommand() *cobra.Command {\n\tusage := `cp [OPTIONS] SERVICE:SRC_PATH DEST_PATH|-\n nerdctl compose cp [OPTIONS] SRC_PATH|- SERVICE:DEST_PATH`\n\tvar cmd = &cobra.Command{\n\t\tUse: usage,\n\t\tShort: \"Copy files/folders between a service container and the local filesystem\",\n\t\tArgs: cobra.ExactArgs(2),\n\t\tRunE: copyAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().Bool(\"dry-run\", false, \"Execute command in dry run mode\")\n\tcmd.Flags().BoolP(\"follow-link\", \"L\", false, \"Always follow symbol link in SRC_PATH\")\n\tcmd.Flags().Int(\"index\", 0, \"index of the container if service has multiple replicas\")\n\treturn cmd\n}\n\nfunc copyAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tsource := args[0]\n\tif source == \"\" {\n\t\treturn errors.New(\"source can not be empty\")\n\t}\n\tdestination := args[1]\n\tif destination == \"\" {\n\t\treturn errors.New(\"destination can not be empty\")\n\t}\n\n\tdryRun, err := cmd.Flags().GetBool(\"dry-run\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tfollowLink, err := cmd.Flags().GetBool(\"follow-link\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tindex, err := cmd.Flags().GetInt(\"index\")\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t// rootless cp runs in the host namespaces, so the address is different\n\tif rootlessutil.IsRootless() {\n\t\tglobalOptions.Address, err = rootlessutil.RootlessContainredSockAddress()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\toptions, err := getComposeOptions(cmd, globalOptions.DebugFull, globalOptions.Experimental)\n\tif err != nil {\n\t\treturn err\n\t}\n\tc, err := compose.New(client, globalOptions, options, cmd.OutOrStdout(), cmd.ErrOrStderr())\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tco := composer.CopyOptions{\n\t\tSource: source,\n\t\tDestination: destination,\n\t\tIndex: index,\n\t\tFollowLink: followLink,\n\t\tDryRun: dryRun,\n\t}\n\treturn c.Copy(ctx, co)\n\n}\n" }, { "path": "cmd/nerdctl/compose/compose_cp_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"fmt\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestComposeCopy(t *testing.T) {\n\tvar dockerComposeYAML = fmt.Sprintf(`\nservices:\n svc0:\n image: %s\n command: \"sleep infinity\"\n`, testutil.CommonImage)\n\n\tconst testFileContent = \"test-file-content\"\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tcompYamlPath := data.Temp().Save(dockerComposeYAML, \"compose.yaml\")\n\t\thelpers.Ensure(\"compose\", \"-f\", compYamlPath, \"up\", \"-d\")\n\n\t\tsrcFilePath := data.Temp().Save(testFileContent, \"test-file\")\n\n\t\tdata.Labels().Set(\"composeYaml\", compYamlPath)\n\t\tdata.Labels().Set(\"srcFile\", srcFilePath)\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"down\", \"-v\")\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"test copy to service /dest-no-exist-no-slash\",\n\t\t\t// These are expected to run in sequence\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\",\n\t\t\t\t\t\"-f\", data.Labels().Get(\"composeYaml\"),\n\t\t\t\t\t\"cp\", data.Labels().Get(\"srcFile\"), \"svc0:/dest-no-exist-no-slash\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"test copy from service test-file2\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\",\n\t\t\t\t\t\"-f\", data.Labels().Get(\"composeYaml\"),\n\t\t\t\t\t\"cp\", \"svc0:/dest-no-exist-no-slash\", data.Temp().Path(\"test-file2\"))\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tcopied := data.Temp().Load(\"test-file2\")\n\t\t\t\t\t\tassert.Equal(t, copied, testFileContent)\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_create.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"errors\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/compose\"\n\t\"github.com/containerd/nerdctl/v2/pkg/composer\"\n)\n\nfunc createCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"create [flags] [SERVICE...]\",\n\t\tShort: \"Creates containers for one or more services\",\n\t\tRunE: createAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().Bool(\"build\", false, \"Build images before starting containers.\")\n\tcmd.Flags().Bool(\"no-build\", false, \"Don't build an image even if it's missing, conflict with --build.\")\n\tcmd.Flags().Bool(\"force-recreate\", false, \"Recreate containers even if their configuration and image haven't changed.\")\n\tcmd.Flags().Bool(\"no-recreate\", false, \"Don't recreate containers if they exist, conflict with --force-recreate.\")\n\tcmd.Flags().String(\"pull\", \"missing\", \"Pull images before running. (support always|missing|never)\")\n\treturn cmd\n}\n\nfunc createAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tbuild, err := cmd.Flags().GetBool(\"build\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tnoBuild, err := cmd.Flags().GetBool(\"no-build\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tif build && noBuild {\n\t\treturn errors.New(\"flag --build and --no-build cannot be specified together\")\n\t}\n\tforceRecreate, err := cmd.Flags().GetBool(\"force-recreate\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tnoRecreate, err := cmd.Flags().GetBool(\"no-recreate\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tif forceRecreate && noRecreate {\n\t\treturn errors.New(\"flag --force-recreate and --no-recreate cannot be specified together\")\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\toptions, err := getComposeOptions(cmd, globalOptions.DebugFull, globalOptions.Experimental)\n\tif err != nil {\n\t\treturn err\n\t}\n\tc, err := compose.New(client, globalOptions, options, cmd.OutOrStdout(), cmd.ErrOrStderr())\n\tif err != nil {\n\t\treturn err\n\t}\n\n\topt := composer.CreateOptions{\n\t\tBuild: build,\n\t\tNoBuild: noBuild,\n\t\tForceRecreate: forceRecreate,\n\t\tNoRecreate: noRecreate,\n\t}\n\n\tif cmd.Flags().Changed(\"pull\") {\n\t\tpull, err := cmd.Flags().GetString(\"pull\")\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\topt.Pull = &pull\n\t}\n\n\treturn c.Create(ctx, opt, args)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_create_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"path/filepath\"\n\t\"regexp\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/composer/serviceparser\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestComposeCreate(t *testing.T) {\n\tvar dockerComposeYAML = fmt.Sprintf(`\nservices:\n svc0:\n image: %s\n`, testutil.CommonImage)\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tcompYamlPath := data.Temp().Save(dockerComposeYAML, \"compose.yaml\")\n\t\tdata.Labels().Set(\"composeYaml\", compYamlPath)\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"down\", \"-v\")\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"`compose create` should work\",\n\t\t\t// These are sequential\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYaml\"), \"create\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"`compose create` should have created service container (in `created` status)\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYaml\"), \"ps\", \"svc0\", \"-a\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, func(stdout string, t tig.T) {\n\t\t\t\tassert.Assert(t,\n\t\t\t\t\tstrings.Contains(stdout, \"created\") || strings.Contains(stdout, \"Created\"),\n\t\t\t\t\t\"stdout should contain `created`\")\n\t\t\t}),\n\t\t},\n\t\t{\n\t\t\tDescription: \"`created container can be started by `compose start`\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYaml\"), \"start\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, nil),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeCreateDependency(t *testing.T) {\n\tvar dockerComposeYAML = fmt.Sprintf(`\nservices:\n svc0:\n image: %s\n depends_on:\n - \"svc1\"\n svc1:\n image: %s\n`, testutil.CommonImage, testutil.CommonImage)\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tcompYamlPath := data.Temp().Save(dockerComposeYAML, \"compose.yaml\")\n\t\tdata.Labels().Set(\"composeYaml\", compYamlPath)\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"down\", \"-v\")\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"`compose create` should work\",\n\t\t\t// These are sequential\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYaml\"), \"create\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"`compose create` should have created svc0 (in `created` status)\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYaml\"), \"ps\", \"svc0\", \"-a\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, func(stdout string, t tig.T) {\n\t\t\t\tassert.Assert(t,\n\t\t\t\t\tstrings.Contains(stdout, \"created\") || strings.Contains(stdout, \"Created\"),\n\t\t\t\t\t\"stdout should contain `created`\")\n\t\t\t}),\n\t\t},\n\t\t{\n\t\t\tDescription: \"`compose create` should have created svc1 (in `created` status)\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYaml\"), \"ps\", \"svc1\", \"-a\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, func(stdout string, t tig.T) {\n\t\t\t\tassert.Assert(t,\n\t\t\t\t\tstrings.Contains(stdout, \"created\") || strings.Contains(stdout, \"Created\"),\n\t\t\t\t\t\"stdout should contain `created`\")\n\t\t\t}),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeCreatePull(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.NoParallel = true\n\ttestCase.Require = nerdtest.Private\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tcomposeYAML := fmt.Sprintf(`\nservices:\n svc0:\n image: %s\n`, testutil.CommonImage)\n\n\t\tcomposePath := data.Temp().Save(composeYAML, \"compose.yaml\")\n\n\t\tprojectName := filepath.Base(filepath.Dir(composePath))\n\t\tt.Logf(\"projectName=%q\", projectName)\n\n\t\tdata.Labels().Set(\"composeYAML\", composePath)\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"compose create --pull never fails when image missing\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"rmi\", \"-f\", testutil.CommonImage)\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"create\", \"--pull\", \"never\")\n\t\t\t},\n\t\t\tExpected: test.Expects(1, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"compose create --pull missing (default) pulls and creates a container\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"rmi\", \"-f\", testutil.CommonImage)\n\t\t\t\thelpers.Ensure(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"create\")\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"ps\", \"svc0\", \"-a\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Match(regexp.MustCompile(`Created|created`))),\n\t\t},\n\t\t{\n\t\t\tDescription: \"compose create --pull always pulls and creates a container\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"rmi\", \"-f\", testutil.CommonImage)\n\t\t\t\thelpers.Ensure(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"create\", \"--pull\", \"always\")\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"ps\", \"svc0\", \"-a\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Match(regexp.MustCompile(`Created|created`))),\n\t\t},\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tif data.Labels().Get(\"composeYAML\") != \"\" {\n\t\t\thelpers.Anyhow(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"down\", \"-v\")\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeCreatePullInvalidOption(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tcomposeYAML := fmt.Sprintf(`\nservices:\n svc0:\n image: %s\n`, testutil.CommonImage)\n\n\t\tcomposePath := data.Temp().Save(composeYAML, \"compose.yaml\")\n\t\tdata.Labels().Set(\"composeYAML\", composePath)\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t// nerver isn't never.\n\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"create\", \"--pull\", \"nerver\")\n\t}\n\n\ttestCase.Expected = test.Expects(1, []error{errors.New(`invalid --pull option \\\"nerver\\\"`)}, nil)\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tif path := data.Labels().Get(\"composeYAML\"); path != \"\" {\n\t\t\thelpers.Anyhow(\"compose\", \"-f\", path, \"down\", \"-v\")\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeCreateBuild(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.NoParallel = true\n\ttestCase.Require = require.All(\n\t\tnerdtest.Private,\n\t\tnerdtest.Build,\n\t)\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\timageSvc0 := data.Identifier(\"composebuild_svc0\")\n\t\tcomposeYAML := fmt.Sprintf(`\nservices:\n svc0:\n build: .\n image: %s\n`, imageSvc0)\n\t\tdockerfile := fmt.Sprintf(`FROM %s`, testutil.CommonImage)\n\n\t\tcomposePath := data.Temp().Save(composeYAML, \"compose.yaml\")\n\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\n\t\tprojectName := filepath.Base(filepath.Dir(composePath))\n\t\tt.Logf(\"projectName=%q\", projectName)\n\n\t\tdata.Labels().Set(\"composeYAML\", composePath)\n\t\tdata.Labels().Set(\"imageName\", imageSvc0)\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"compose create --no-build fails when image needs to be built\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"create\", \"--no-build\")\n\t\t\t},\n\t\t\tExpected: test.Expects(1, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"compose create --build builds image and creates container\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"create\", \"--build\")\n\t\t\t\thelpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"images\", \"svc0\").Run(\n\t\t\t\t\t&test.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\tassert.Assert(t, strings.Contains(stdout, data.Labels().Get(\"imageName\")))\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t)\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"ps\", \"svc0\", \"-a\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Match(regexp.MustCompile(`Created|created`))),\n\t\t},\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tif data.Labels().Get(\"composeYAML\") != \"\" {\n\t\t\thelpers.Anyhow(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"down\", \"-v\")\n\t\t}\n\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(\"imageName\"))\n\t\thelpers.Anyhow(\"builder\", \"prune\", \"--all\", \"--force\")\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeCreateWritesConfigHashLabel(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tvar composeYAML = fmt.Sprintf(`\nservices:\n svc0:\n image: %s\n`, testutil.CommonImage)\n\t\tcomposePath := data.Temp().Save(composeYAML, \"compose.yaml\")\n\n\t\tprojectName := filepath.Base(filepath.Dir(composePath))\n\t\tt.Logf(\"projectName=%q\", projectName)\n\n\t\tdata.Labels().Set(\"composeYAML\", composePath)\n\t\tdata.Labels().Set(\"containerName\", serviceparser.DefaultContainerName(projectName, \"svc0\", \"1\"))\n\n\t\thelpers.Ensure(\"compose\", \"-f\", composePath, \"create\")\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"inspect\", \"--format\", \"{{json .Config.Labels}}\", data.Labels().Get(\"containerName\"))\n\t}\n\n\ttestCase.Expected = test.Expects(0, nil, expect.Contains(\"com.docker.compose.config-hash\"))\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tif path := data.Labels().Get(\"composeYAML\"); path != \"\" {\n\t\t\thelpers.Anyhow(\"compose\", \"-f\", path, \"down\", \"-v\")\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_down.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/compose\"\n\t\"github.com/containerd/nerdctl/v2/pkg/composer\"\n)\n\nfunc downCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"down\",\n\t\tShort: \"Remove containers and associated resources\",\n\t\tArgs: cobra.NoArgs,\n\t\tRunE: downAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().BoolP(\"volumes\", \"v\", false, \"Remove named volumes declared in the `volumes` section of the Compose file and anonymous volumes attached to containers.\")\n\tcmd.Flags().Bool(\"remove-orphans\", false, \"Remove containers for services not defined in the Compose file.\")\n\treturn cmd\n}\n\nfunc downAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tvolumes, err := cmd.Flags().GetBool(\"volumes\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tremoveOrphans, err := cmd.Flags().GetBool(\"remove-orphans\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\toptions, err := getComposeOptions(cmd, globalOptions.DebugFull, globalOptions.Experimental)\n\tif err != nil {\n\t\treturn err\n\t}\n\tc, err := compose.New(client, globalOptions, options, cmd.OutOrStdout(), cmd.ErrOrStderr())\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tdownOpts := composer.DownOptions{\n\t\tRemoveVolumes: volumes,\n\t\tRemoveOrphans: removeOrphans,\n\t}\n\treturn c.Down(ctx, downOpts)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_down_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"fmt\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/composer/serviceparser\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestComposeDownRemoveUsedNetwork(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tdockerComposeYAMLOrphan := fmt.Sprintf(`\nservices:\n test:\n image: %s\n command: \"sleep infinity\"\n`, testutil.CommonImage)\n\n\t\tdockerComposeYAMLFull := fmt.Sprintf(`\n%s\n orphan:\n image: %s\n command: \"sleep infinity\"\n`, dockerComposeYAMLOrphan, testutil.CommonImage)\n\n\t\tcomposeOrphanPath := data.Temp().Save(dockerComposeYAMLOrphan, \"compose-orphan.yaml\")\n\t\tcomposeFullPath := data.Temp().Save(dockerComposeYAMLFull, \"compose-full.yaml\")\n\n\t\tprojectName := data.Identifier(\"project\")\n\t\tt.Logf(\"projectName=%q\", projectName)\n\n\t\ttestContainer := serviceparser.DefaultContainerName(projectName, \"test\", \"1\")\n\t\torphanContainer := serviceparser.DefaultContainerName(projectName, \"orphan\", \"1\")\n\n\t\tdata.Labels().Set(\"composeOrphan\", composeOrphanPath)\n\t\tdata.Labels().Set(\"composeFull\", composeFullPath)\n\t\tdata.Labels().Set(\"projectName\", projectName)\n\n\t\thelpers.Ensure(\"compose\", \"-p\", projectName, \"-f\", composeFullPath, \"up\", \"-d\")\n\t\tnerdtest.EnsureContainerStarted(helpers, testContainer)\n\t\tnerdtest.EnsureContainerStarted(helpers, orphanContainer)\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"compose\", \"-p\", data.Labels().Get(\"projectName\"), \"-f\", data.Labels().Get(\"composeOrphan\"), \"down\", \"-v\")\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tExitCode: 0,\n\t\t\tErrors: []error{\n\t\t\t\tfmt.Errorf(\"in use\"),\n\t\t\t},\n\t\t}\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tif composeFull := data.Labels().Get(\"composeFull\"); composeFull != \"\" {\n\t\t\thelpers.Anyhow(\"compose\", \"-p\", data.Labels().Get(\"projectName\"), \"-f\", composeFull, \"down\", \"--remove-orphans\")\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeDownRemoveOrphans(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tdockerComposeYAMLOrphan := fmt.Sprintf(`\nservices:\n test:\n image: %s\n command: \"sleep infinity\"\n`, testutil.CommonImage)\n\n\t\tdockerComposeYAMLFull := fmt.Sprintf(`\n%s\n orphan:\n image: %s\n command: \"sleep infinity\"\n`, dockerComposeYAMLOrphan, testutil.CommonImage)\n\n\t\tcomposeOrphanPath := data.Temp().Save(dockerComposeYAMLOrphan, \"compose-orphan.yaml\")\n\t\tcomposeFullPath := data.Temp().Save(dockerComposeYAMLFull, \"compose-full.yaml\")\n\n\t\tprojectName := data.Identifier(\"project\")\n\t\tt.Logf(\"projectName=%q\", projectName)\n\n\t\ttestContainer := serviceparser.DefaultContainerName(projectName, \"test\", \"1\")\n\t\torphanContainer := serviceparser.DefaultContainerName(projectName, \"orphan\", \"1\")\n\n\t\tdata.Labels().Set(\"composeOrphan\", composeOrphanPath)\n\t\tdata.Labels().Set(\"composeFull\", composeFullPath)\n\t\tdata.Labels().Set(\"projectName\", projectName)\n\t\tdata.Labels().Set(\"orphanContainer\", orphanContainer)\n\n\t\thelpers.Ensure(\"compose\", \"-p\", projectName, \"-f\", composeFullPath, \"up\", \"-d\")\n\t\tnerdtest.EnsureContainerStarted(helpers, testContainer)\n\t\tnerdtest.EnsureContainerStarted(helpers, orphanContainer)\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"compose\", \"-p\", data.Labels().Get(\"projectName\"), \"-f\", data.Labels().Get(\"composeOrphan\"), \"down\", \"--remove-orphans\")\n\t}\n\n\ttestCase.Expected = test.Expects(0, nil, nil)\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"orphan container removed\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-p\", data.Labels().Get(\"projectName\"), \"-f\", data.Labels().Get(\"composeFull\"), \"ps\", \"-a\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.DoesNotContain(data.Labels().Get(\"orphanContainer\")),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tif composeFull := data.Labels().Get(\"composeFull\"); composeFull != \"\" {\n\t\t\thelpers.Anyhow(\"compose\", \"-p\", data.Labels().Get(\"projectName\"), \"-f\", composeFull, \"down\", \"-v\")\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_exec.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"errors\"\n\t\"os\"\n\n\t\"github.com/moby/term\"\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/compose\"\n\t\"github.com/containerd/nerdctl/v2/pkg/composer\"\n)\n\nfunc execCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"exec [flags] SERVICE COMMAND [ARGS...]\",\n\t\tShort: \"Execute a command in a running container of the service\",\n\t\tArgs: cobra.MinimumNArgs(2),\n\t\tRunE: execAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().SetInterspersed(false)\n\n\t_, isTerminal := term.GetFdInfo(os.Stdout)\n\tcmd.Flags().BoolP(\"no-TTY\", \"T\", !isTerminal, \"Disable pseudo-TTY allocation. By default nerdctl compose exec allocates a TTY.\")\n\tcmd.Flags().BoolP(\"detach\", \"d\", false, \"Detached mode: Run containers in the background\")\n\tcmd.Flags().StringP(\"workdir\", \"w\", \"\", \"Working directory inside the container\")\n\t// env needs to be StringArray, not StringSlice, to prevent \"FOO=foo1,foo2\" from being split to {\"FOO=foo1\", \"foo2\"}\n\tcmd.Flags().StringArrayP(\"env\", \"e\", nil, \"Set environment variables\")\n\tcmd.Flags().Bool(\"privileged\", false, \"Give extended privileges to the command\")\n\tcmd.Flags().StringP(\"user\", \"u\", \"\", \"Username or UID (format: [:])\")\n\tcmd.Flags().Int(\"index\", 1, \"index of the container if the service has multiple instances.\")\n\n\tcmd.Flags().BoolP(\"interactive\", \"i\", true, \"Keep STDIN open even if not attached\")\n\tcmd.Flags().MarkHidden(\"interactive\")\n\t// The -t does not has effect to keep the compatibility with docker.\n\t// The proposal of -t is to keep \"muscle memory\" with compose v1: https://github.com/docker/compose/issues/9207\n\t// FYI: https://github.com/docker/compose/blob/v2.23.1/cmd/compose/exec.go#L77\n\tcmd.Flags().BoolP(\"tty\", \"t\", true, \"Allocate a pseudo-TTY\")\n\tcmd.Flags().MarkHidden(\"tty\")\n\n\treturn cmd\n}\n\nfunc execAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tinteractive, err := cmd.Flags().GetBool(\"interactive\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tnoTty, err := cmd.Flags().GetBool(\"no-TTY\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tdetach, err := cmd.Flags().GetBool(\"detach\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tworkdir, err := cmd.Flags().GetString(\"workdir\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tenv, err := cmd.Flags().GetStringArray(\"env\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tprivileged, err := cmd.Flags().GetBool(\"privileged\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tuser, err := cmd.Flags().GetString(\"user\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tindex, err := cmd.Flags().GetInt(\"index\")\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif index < 1 {\n\t\treturn errors.New(\"index starts from 1 and should be equal or greater than 1\")\n\t}\n\t// https://github.com/containerd/nerdctl/blob/v1.0.0/cmd/nerdctl/exec.go#L116\n\tif interactive && detach {\n\t\treturn errors.New(\"currently flag -i and -d cannot be specified together (FIXME)\")\n\t}\n\t// https://github.com/containerd/nerdctl/blob/v1.0.0/cmd/nerdctl/exec.go#L122\n\tif !noTty && detach {\n\t\treturn errors.New(\"currently flag -d should be specified with --no-TTY (FIXME)\")\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\toptions, err := getComposeOptions(cmd, globalOptions.DebugFull, globalOptions.Experimental)\n\tif err != nil {\n\t\treturn err\n\t}\n\tc, err := compose.New(client, globalOptions, options, cmd.OutOrStdout(), cmd.ErrOrStderr())\n\tif err != nil {\n\t\treturn err\n\t}\n\n\teo := composer.ExecOptions{\n\t\tServiceName: args[0],\n\t\tIndex: index,\n\n\t\tInteractive: interactive,\n\t\tTty: !noTty,\n\t\tDetach: detach,\n\t\tWorkDir: workdir,\n\t\tEnv: env,\n\t\tPrivileged: privileged,\n\t\tUser: user,\n\t\tArgs: args[1:],\n\t}\n\n\treturn c.Exec(ctx, eo)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_exec_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"fmt\"\n\t\"net\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestComposeExec(t *testing.T) {\n\tdockerComposeYAML := fmt.Sprintf(`\nservices:\n svc0:\n image: %s\n command: \"sleep infinity\"\n svc1:\n image: %s\n command: \"sleep infinity\"\n`, testutil.CommonImage, testutil.CommonImage)\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tyamlPath := data.Temp().Save(dockerComposeYAML, \"compose.yaml\")\n\t\tdata.Labels().Set(\"YAMLPath\", yamlPath)\n\t\thelpers.Ensure(\"compose\", \"-f\", yamlPath, \"up\", \"-d\", \"svc0\")\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"down\", \"-v\")\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"exec no tty\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\n\t\t\t\t\t\"compose\",\n\t\t\t\t\t\"-f\",\n\t\t\t\t\tdata.Labels().Get(\"YAMLPath\"),\n\t\t\t\t\t\"exec\",\n\t\t\t\t\t\"-i=false\",\n\t\t\t\t\t\"--no-TTY\",\n\t\t\t\t\t\"svc0\",\n\t\t\t\t\t\"echo\",\n\t\t\t\t\t\"success\",\n\t\t\t\t)\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"success\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"exec no tty with workdir\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\n\t\t\t\t\t\"compose\",\n\t\t\t\t\t\"-f\",\n\t\t\t\t\tdata.Labels().Get(\"YAMLPath\"),\n\t\t\t\t\t\"exec\",\n\t\t\t\t\t\"-i=false\",\n\t\t\t\t\t\"--no-TTY\",\n\t\t\t\t\t\"--workdir\",\n\t\t\t\t\t\"/tmp\",\n\t\t\t\t\t\"svc0\",\n\t\t\t\t\t\"pwd\",\n\t\t\t\t)\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"/tmp\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"cannot exec on non-running service\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"YAMLPath\"), \"exec\", \"svc1\", \"echo\", \"success\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeGenericFail, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"with env\",\n\t\t\tEnv: map[string]string{\n\t\t\t\t\"CORGE\": \"corge-value-in-host\",\n\t\t\t\t\"GARPLY\": \"garply-value-in-host\",\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\n\t\t\t\t\t\"compose\",\n\t\t\t\t\t\"-f\",\n\t\t\t\t\tdata.Labels().Get(\"YAMLPath\"),\n\t\t\t\t\t\"exec\",\n\t\t\t\t\t\"-i=false\",\n\t\t\t\t\t\"--no-TTY\",\n\t\t\t\t\t\"--env\", \"FOO=foo1,foo2\",\n\t\t\t\t\t\"--env\", \"BAR=bar1 bar2\",\n\t\t\t\t\t\"--env\", \"BAZ=\",\n\t\t\t\t\t\"--env\", \"QUX\", // not exported in OS\n\t\t\t\t\t\"--env\", \"QUUX=quux1\",\n\t\t\t\t\t\"--env\", \"QUUX=quux2\",\n\t\t\t\t\t\"--env\", \"CORGE\", // OS exported\n\t\t\t\t\t\"--env\", \"GRAULT=grault_key=grault_value\", // value contains `=` char\n\t\t\t\t\t\"--env\", \"GARPLY=\", // OS exported\n\t\t\t\t\t\"--env\", \"WALDO=\", // not exported in OS\n\t\t\t\t\t\"svc0\",\n\t\t\t\t\t\"env\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.All(\n\t\t\t\texpect.Contains(\n\t\t\t\t\t\"\\nFOO=foo1,foo2\\n\",\n\t\t\t\t\t\"\\nBAR=bar1 bar2\\n\",\n\t\t\t\t\t\"\\nBAZ=\\n\",\n\t\t\t\t\t\"\\nQUUX=quux2\\n\",\n\t\t\t\t\t\"\\nCORGE=corge-value-in-host\\n\",\n\t\t\t\t\t\"\\nGRAULT=grault_key=grault_value\\n\",\n\t\t\t\t\t\"\\nGARPLY=\\n\",\n\t\t\t\t\t\"\\nWALDO=\\n\"),\n\t\t\t\texpect.DoesNotContain(\"QUX\"),\n\t\t\t)),\n\t\t},\n\t}\n\n\tuserSubTest := &test.Case{\n\t\tDescription: \"with user\",\n\t\tSubTests: []*test.Case{},\n\t}\n\n\tuserCasesMap := map[string]string{\n\t\t\"\": \"uid=0(root) gid=0(root)\",\n\t\t\"1000\": \"uid=1000 gid=0(root)\",\n\t\t\"1000:users\": \"uid=1000 gid=100(users)\",\n\t\t\"guest\": \"uid=405(guest) gid=100(users)\",\n\t\t\"nobody\": \"uid=65534(nobody) gid=65534(nobody)\",\n\t\t\"nobody:users\": \"uid=65534(nobody) gid=100(users)\",\n\t}\n\n\tfor k, v := range userCasesMap {\n\t\tuserSubTest.SubTests = append(userSubTest.SubTests, &test.Case{\n\t\t\tDescription: k + \" \" + v,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\targs := []string{\"compose\", \"-f\", data.Labels().Get(\"YAMLPath\"), \"exec\", \"-i=false\", \"--no-TTY\"}\n\t\t\t\tif k != \"\" {\n\t\t\t\t\targs = append(args, \"--user\", k)\n\t\t\t\t}\n\t\t\t\targs = append(args, \"svc0\", \"id\")\n\t\t\t\treturn helpers.Command(args...)\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(v)),\n\t\t})\n\t}\n\n\ttestCase.SubTests = append(testCase.SubTests, userSubTest)\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeExecTTY(t *testing.T) {\n\tconst expectedOutput = \"speed 38400 baud\"\n\tdockerComposeYAML := fmt.Sprintf(`\nservices:\n svc0:\n image: %s\n svc1:\n image: %s\n`, testutil.CommonImage, testutil.CommonImage)\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tyamlPath := data.Temp().Save(dockerComposeYAML, \"compose.yaml\")\n\t\tdata.Labels().Set(\"YAMLPath\", yamlPath)\n\t\thelpers.Ensure(\n\t\t\t\"compose\",\n\t\t\t\"-f\",\n\t\t\tyamlPath,\n\t\t\t\"run\",\n\t\t\t\"-d\",\n\t\t\t\"-i=false\",\n\t\t\t\"--name\",\n\t\t\tdata.Identifier(),\n\t\t\t\"svc0\",\n\t\t\t\"sleep\",\n\t\t\t\"1h\",\n\t\t)\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\t// FIXME?\n\t\t// similar, other test does *also* remove the container\n\t\thelpers.Anyhow(\"compose\", \"-f\", data.Labels().Get(\"YAMLPath\"), \"down\", \"-v\")\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"stty exec\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcmd := helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"YAMLPath\"), \"exec\", \"svc0\", \"stty\")\n\t\t\t\tcmd.WithPseudoTTY()\n\t\t\t\treturn cmd\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(expectedOutput)),\n\t\t},\n\t\t{\n\t\t\tDescription: \"-i=false stty exec\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcmd := helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"YAMLPath\"), \"exec\", \"-i=false\", \"svc0\", \"stty\")\n\t\t\t\tcmd.WithPseudoTTY()\n\t\t\t\treturn cmd\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(expectedOutput)),\n\t\t},\n\t\t{\n\t\t\tDescription: \"--no-TTY stty exec\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcmd := helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"YAMLPath\"), \"exec\", \"--no-TTY\", \"svc0\", \"stty\")\n\t\t\t\tcmd.WithPseudoTTY()\n\t\t\t\treturn cmd\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeGenericFail, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"-i=false --no-TTY stty exec\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcmd := helpers.Command(\n\t\t\t\t\t\"compose\",\n\t\t\t\t\t\"-f\",\n\t\t\t\t\tdata.Labels().Get(\"YAMLPath\"),\n\t\t\t\t\t\"exec\",\n\t\t\t\t\t\"-i=false\",\n\t\t\t\t\t\"--no-TTY\",\n\t\t\t\t\t\"svc0\",\n\t\t\t\t\t\"stty\",\n\t\t\t\t)\n\t\t\t\tcmd.WithPseudoTTY()\n\t\t\t\treturn cmd\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeGenericFail, nil, nil),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeExecWithIndex(t *testing.T) {\n\tdockerComposeYAML := fmt.Sprintf(`\nservices:\n svc0:\n image: %s\n command: \"sleep infinity\"\n deploy:\n replicas: 3\n`, testutil.CommonImage)\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tyamlPath := data.Temp().Save(dockerComposeYAML, \"compose.yaml\")\n\t\tdata.Labels().Set(\"YAMLPath\", yamlPath)\n\t\tdata.Labels().Set(\"projectName\", strings.ToLower(filepath.Base(data.Temp().Dir())))\n\n\t\thelpers.Ensure(\"compose\", \"-f\", yamlPath, \"up\", \"-d\", \"svc0\")\n\n\t\t// Make sure all containers are started so that /etc/hosts is consistent.\n\t\tfor _, index := range []string{\"1\", \"2\", \"3\"} {\n\t\t\tnerdtest.EnsureContainerStarted(helpers, fmt.Sprintf(\"%s-svc0-%s\", data.Labels().Get(\"projectName\"), index))\n\t\t}\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"down\", \"-v\")\n\t}\n\n\tfor _, index := range []string{\"1\", \"2\", \"3\"} {\n\t\ttestCase.SubTests = append(testCase.SubTests, &test.Case{\n\t\t\tDescription: index,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t// try 5 times to ensure that results are stable\n\t\t\t\tfor range 5 {\n\t\t\t\t\tcmds := []string{\n\t\t\t\t\t\t\"compose\",\n\t\t\t\t\t\t\"-f\",\n\t\t\t\t\t\tdata.Labels().Get(\"YAMLPath\"),\n\t\t\t\t\t\t\"exec\",\n\t\t\t\t\t\t\"-i=false\",\n\t\t\t\t\t\t\"--no-TTY\",\n\t\t\t\t\t\t\"--index\",\n\t\t\t\t\t\tindex,\n\t\t\t\t\t\t\"svc0\",\n\t\t\t\t\t}\n\n\t\t\t\t\thsts := helpers.Capture(append(cmds, \"cat\", \"/etc/hosts\")...)\n\t\t\t\t\tips := helpers.Capture(append(cmds, \"ip\", \"addr\", \"show\", \"dev\", \"eth0\")...)\n\n\t\t\t\t\tvar (\n\t\t\t\t\t\texpectIP string\n\t\t\t\t\t\trealIP string\n\t\t\t\t\t)\n\t\t\t\t\tname := fmt.Sprintf(\"%s-svc0-%s\", data.Labels().Get(\"projectName\"), index)\n\t\t\t\t\thost := fmt.Sprintf(\"%s.%s_default\", name, data.Labels().Get(\"projectName\"))\n\t\t\t\t\tif nerdtest.IsDocker() {\n\t\t\t\t\t\thost = strings.TrimSpace(helpers.Capture(\"ps\", \"--filter\", \"name=\"+name, \"--format\", \"{{.ID}}\"))\n\t\t\t\t\t}\n\n\t\t\t\t\tlines := strings.Split(hsts, \"\\n\")\n\t\t\t\t\tfor _, line := range lines {\n\t\t\t\t\t\tif !strings.Contains(line, host) {\n\t\t\t\t\t\t\tcontinue\n\t\t\t\t\t\t}\n\t\t\t\t\t\tfields := strings.Fields(line)\n\t\t\t\t\t\tif len(fields) == 0 {\n\t\t\t\t\t\t\tcontinue\n\t\t\t\t\t\t}\n\t\t\t\t\t\texpectIP = fields[0]\n\t\t\t\t\t}\n\n\t\t\t\t\tvar ip string\n\t\t\t\t\tlines = strings.Split(ips, \"\\n\")\n\t\t\t\t\tfor _, line := range lines {\n\t\t\t\t\t\tif !strings.Contains(line, \"inet \") {\n\t\t\t\t\t\t\tcontinue\n\t\t\t\t\t\t}\n\t\t\t\t\t\tfields := strings.Fields(line)\n\t\t\t\t\t\tif len(fields) <= 1 {\n\t\t\t\t\t\t\tcontinue\n\t\t\t\t\t\t}\n\t\t\t\t\t\tip = strings.Split(fields[1], \"/\")[0]\n\t\t\t\t\t\tbreak\n\t\t\t\t\t}\n\n\t\t\t\t\tpip := net.ParseIP(ip)\n\n\t\t\t\t\tassert.Assert(helpers.T(), pip != nil, \"fail to get the real ip address\")\n\t\t\t\t\trealIP = pip.String()\n\n\t\t\t\t\tassert.Equal(helpers.T(), realIP, expectIP)\n\t\t\t\t}\n\t\t\t},\n\t\t})\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_images.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"strings\"\n\t\"text/tabwriter\"\n\n\t\"github.com/spf13/cobra\"\n\t\"golang.org/x/sync/errgroup\"\n\n\tcontainerd \"github.com/containerd/containerd/v2/client\"\n\t\"github.com/containerd/containerd/v2/core/snapshots\"\n\t\"github.com/containerd/containerd/v2/pkg/progress\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/compose\"\n\t\"github.com/containerd/nerdctl/v2/pkg/formatter\"\n\t\"github.com/containerd/nerdctl/v2/pkg/imgutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/labels\"\n\t\"github.com/containerd/nerdctl/v2/pkg/strutil\"\n)\n\nfunc imagesCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"images [flags] [SERVICE...]\",\n\t\tShort: \"List images used by created containers in services\",\n\t\tRunE: imagesAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().String(\"format\", \"\", \"Format the output. Supported values: [json]\")\n\tcmd.Flags().BoolP(\"quiet\", \"q\", false, \"Only show numeric image IDs\")\n\treturn cmd\n}\n\nfunc imagesAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tquiet, err := cmd.Flags().GetBool(\"quiet\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tformat, err := cmd.Flags().GetString(\"format\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tif format != \"json\" && format != \"\" {\n\t\treturn fmt.Errorf(\"unsupported format %s, supported formats are: [json]\", format)\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\toptions, err := getComposeOptions(cmd, globalOptions.DebugFull, globalOptions.Experimental)\n\tif err != nil {\n\t\treturn err\n\t}\n\tc, err := compose.New(client, globalOptions, options, cmd.OutOrStdout(), cmd.ErrOrStderr())\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tserviceNames, err := c.ServiceNames(args...)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tcontainers, err := c.Containers(ctx, serviceNames...)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif quiet {\n\t\treturn printComposeImageIDs(ctx, containers)\n\t}\n\n\tsn := client.SnapshotService(globalOptions.Snapshotter)\n\n\treturn printComposeImages(ctx, cmd, containers, sn, format)\n}\n\nfunc printComposeImageIDs(ctx context.Context, containers []containerd.Container) error {\n\tids := []string{}\n\tfor _, c := range containers {\n\t\timage, err := c.Image(ctx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tmetaImage := image.Metadata()\n\t\tid := metaImage.Target.Digest.String()\n\t\tif !strutil.InStringSlice(ids, id) {\n\t\t\tids = append(ids, id)\n\t\t}\n\t}\n\n\tfor _, id := range ids {\n\t\t// always truncate image ids.\n\t\tfmt.Println(strings.Split(id, \":\")[1][:12])\n\t}\n\treturn nil\n}\n\nfunc printComposeImages(ctx context.Context, cmd *cobra.Command, containers []containerd.Container, sn snapshots.Snapshotter, format string) error {\n\ttype composeImagePrintable struct {\n\t\tContainerName string\n\t\tRepository string\n\t\tTag string\n\t\tImageID string\n\t\tSize string\n\t}\n\n\timagePrintables := make([]composeImagePrintable, len(containers))\n\teg, ctx := errgroup.WithContext(ctx)\n\tfor i, c := range containers {\n\t\ti, c := i, c\n\t\teg.Go(func() error {\n\t\t\tinfo, err := c.Info(ctx, containerd.WithoutRefreshedMetadata)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tcontainerName := info.Labels[labels.Name]\n\n\t\t\timage, err := c.Image(ctx)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\n\t\t\tsize, err := imgutil.UnpackedImageSize(ctx, sn, image)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\n\t\t\tmetaImage := image.Metadata()\n\t\t\trepository, tag := imgutil.ParseRepoTag(metaImage.Name)\n\t\t\timageID := metaImage.Target.Digest.String()\n\t\t\tif repository == \"\" {\n\t\t\t\trepository = \"\"\n\t\t\t}\n\t\t\tif tag == \"\" {\n\t\t\t\ttag = \"\"\n\t\t\t}\n\t\t\tif format != \"json\" {\n\t\t\t\timageID = strings.Split(imageID, \":\")[1][:12]\n\t\t\t}\n\n\t\t\t// no race condition since each goroutine accesses different `i`\n\t\t\timagePrintables[i] = composeImagePrintable{\n\t\t\t\tContainerName: containerName,\n\t\t\t\tRepository: repository,\n\t\t\t\tTag: tag,\n\t\t\t\tImageID: imageID,\n\t\t\t\tSize: progress.Bytes(size).String(),\n\t\t\t}\n\n\t\t\treturn nil\n\t\t})\n\t}\n\n\tif err := eg.Wait(); err != nil {\n\t\treturn err\n\t}\n\n\tif format == \"json\" {\n\t\toutJSON, err := formatter.ToJSON(imagePrintables, \"\", \"\")\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = fmt.Fprint(cmd.OutOrStdout(), outJSON)\n\t\treturn err\n\t}\n\n\tw := tabwriter.NewWriter(cmd.OutOrStdout(), 4, 8, 4, ' ', 0)\n\tfmt.Fprintln(w, \"Container\\tRepository\\tTag\\tImage Id\\tSize\")\n\tfor _, p := range imagePrintables {\n\t\tif _, err := fmt.Fprintf(w, \"%s\\t%s\\t%s\\t%s\\t%s\\n\",\n\t\t\tp.ContainerName,\n\t\t\tp.Repository,\n\t\t\tp.Tag,\n\t\t\tp.ImageID,\n\t\t\tp.Size,\n\t\t); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\treturn w.Flush()\n}\n" }, { "path": "cmd/nerdctl/compose/compose_images_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"fmt\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/referenceutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestComposeImages(t *testing.T) {\n\tvar dockerComposeYAML = fmt.Sprintf(`\nservices:\n wordpress:\n image: %s\n container_name: wordpress\n environment:\n WORDPRESS_DB_HOST: db\n WORDPRESS_DB_USER: exampleuser\n WORDPRESS_DB_PASSWORD: examplepass\n WORDPRESS_DB_NAME: exampledb\n volumes:\n - wordpress:/var/www/html\n db:\n image: %s\n container_name: db\n environment:\n MYSQL_DATABASE: exampledb\n MYSQL_USER: exampleuser\n MYSQL_PASSWORD: examplepass\n MYSQL_RANDOM_ROOT_PASSWORD: '1'\n volumes:\n - db:/var/lib/mysql\n\nvolumes:\n wordpress:\n db:\n`, testutil.WordpressImage, testutil.MariaDBImage)\n\n\twordpressImageName, _ := referenceutil.Parse(testutil.WordpressImage)\n\tdbImageName, _ := referenceutil.Parse(testutil.MariaDBImage)\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tdata.Temp().Save(dockerComposeYAML, \"compose.yaml\")\n\t\tdata.Labels().Set(\"composeYaml\", data.Temp().Path(\"compose.yaml\"))\n\t\thelpers.Ensure(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"up\", \"-d\")\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"down\")\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"images db\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYaml\"), \"images\", \"db\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.All(\n\t\t\t\texpect.Contains(dbImageName.Name()),\n\t\t\t\texpect.DoesNotContain(wordpressImageName.Name()),\n\t\t\t)),\n\t\t},\n\t\t{\n\t\t\tDescription: \"images\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYaml\"), \"images\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(dbImageName.Name(), wordpressImageName.Name())),\n\t\t},\n\t\t{\n\t\t\tDescription: \"images --format yaml\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYaml\"), \"images\", \"--format\", \"yaml\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeGenericFail, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"images --format json\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYaml\"), \"images\", \"--format\", \"json\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.All(\n\t\t\t\texpect.JSON([]composeContainerPrintable{}, func(printables []composeContainerPrintable, t tig.T) {\n\t\t\t\t\tassert.Equal(t, len(printables), 2)\n\t\t\t\t}),\n\t\t\t\texpect.Contains(`\"ContainerName\":\"wordpress\"`, `\"ContainerName\":\"db\"`),\n\t\t\t)),\n\t\t},\n\t\t{\n\t\t\tDescription: \"images --format json wordpress\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYaml\"), \"images\", \"--format\", \"json\", \"wordpress\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.All(\n\t\t\t\texpect.JSON([]composeContainerPrintable{}, func(printables []composeContainerPrintable, t tig.T) {\n\t\t\t\t\tassert.Equal(t, len(printables), 1)\n\t\t\t\t}),\n\t\t\t\texpect.Contains(`\"ContainerName\":\"wordpress\"`),\n\t\t\t)),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_kill.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/compose\"\n\t\"github.com/containerd/nerdctl/v2/pkg/composer\"\n)\n\nfunc killCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"kill [flags] [SERVICE...]\",\n\t\tShort: \"Force stop service containers\",\n\t\tRunE: killAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().StringP(\"signal\", \"s\", \"SIGKILL\", \"SIGNAL to send to the container.\")\n\treturn cmd\n}\n\nfunc killAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tsignal, err := cmd.Flags().GetString(\"signal\")\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\toptions, err := getComposeOptions(cmd, globalOptions.DebugFull, globalOptions.Experimental)\n\tif err != nil {\n\t\treturn err\n\t}\n\tc, err := compose.New(client, globalOptions, options, cmd.OutOrStdout(), cmd.ErrOrStderr())\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tkillOpts := composer.KillOptions{\n\t\tSignal: signal,\n\t}\n\treturn c.Kill(ctx, killOpts, args)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_kill_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"fmt\"\n\t\"path/filepath\"\n\t\"regexp\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/composer/serviceparser\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestComposeKill(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tdockerComposeYAML := fmt.Sprintf(`\nservices:\n\n wordpress:\n image: %s\n environment:\n WORDPRESS_DB_HOST: db\n WORDPRESS_DB_USER: exampleuser\n WORDPRESS_DB_PASSWORD: examplepass\n WORDPRESS_DB_NAME: exampledb\n volumes:\n - wordpress:/var/www/html\n\n db:\n image: %s\n environment:\n MYSQL_DATABASE: exampledb\n MYSQL_USER: exampleuser\n MYSQL_PASSWORD: examplepass\n MYSQL_RANDOM_ROOT_PASSWORD: '1'\n volumes:\n - db:/var/lib/mysql\n\nvolumes:\n wordpress:\n db:\n`, testutil.WordpressImage, testutil.MariaDBImage)\n\n\t\tcomposePath := data.Temp().Save(dockerComposeYAML, \"compose.yaml\")\n\n\t\tprojectName := filepath.Base(filepath.Dir(composePath))\n\t\tt.Logf(\"projectName=%q\", projectName)\n\n\t\twordpressContainerName := serviceparser.DefaultContainerName(projectName, \"wordpress\", \"1\")\n\t\tdbContainerName := serviceparser.DefaultContainerName(projectName, \"db\", \"1\")\n\n\t\tdata.Labels().Set(\"composeYAML\", composePath)\n\t\tdata.Labels().Set(\"wordpressContainer\", wordpressContainerName)\n\t\tdata.Labels().Set(\"dbContainer\", dbContainerName)\n\n\t\thelpers.Ensure(\"compose\", \"-f\", composePath, \"up\", \"-d\")\n\t\tnerdtest.EnsureContainerStarted(helpers, wordpressContainerName)\n\t\tnerdtest.EnsureContainerStarted(helpers, dbContainerName)\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"kill db container and exit with 137\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"kill\", \"db\")\n\t\t\t\tnerdtest.EnsureContainerExited(helpers, data.Labels().Get(\"dbContainer\"), expect.ExitCodeSigkill)\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"ps\", \"db\", \"-a\")\n\t\t\t},\n\t\t\t// Docker Compose v1: \"Exit 137\", v2: \"exited (137)\"\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Match(regexp.MustCompile(` 137|\\(137\\)`))),\n\t\t},\n\t\t{\n\t\t\tDescription: \"wordpress container is still running\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"ps\", \"wordpress\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Match(regexp.MustCompile(\"Up|running\"))),\n\t\t},\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tif data.Labels().Get(\"composeYAML\") != \"\" {\n\t\t\thelpers.Anyhow(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"down\", \"-v\")\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_logs.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/compose\"\n\t\"github.com/containerd/nerdctl/v2/pkg/composer\"\n)\n\nfunc logsCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"logs [flags] [SERVICE...]\",\n\t\tShort: \"Show logs of running containers\",\n\t\tRunE: logsAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().BoolP(\"follow\", \"f\", false, \"Follow log output.\")\n\tcmd.Flags().BoolP(\"timestamps\", \"t\", false, \"Show timestamps\")\n\tcmd.Flags().String(\"tail\", \"all\", \"Number of lines to show from the end of the logs\")\n\tcmd.Flags().Bool(\"no-color\", false, \"Produce monochrome output\")\n\tcmd.Flags().Bool(\"no-log-prefix\", false, \"Don't print prefix in logs\")\n\treturn cmd\n}\n\nfunc logsAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tfollow, err := cmd.Flags().GetBool(\"follow\")\n\tif err != nil {\n\t\treturn err\n\t}\n\ttimestamps, err := cmd.Flags().GetBool(\"timestamps\")\n\tif err != nil {\n\t\treturn err\n\t}\n\ttail, err := cmd.Flags().GetString(\"tail\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tnoColor, err := cmd.Flags().GetBool(\"no-color\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tnoLogPrefix, err := cmd.Flags().GetBool(\"no-log-prefix\")\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\toptions, err := getComposeOptions(cmd, globalOptions.DebugFull, globalOptions.Experimental)\n\tif err != nil {\n\t\treturn err\n\t}\n\tc, err := compose.New(client, globalOptions, options, cmd.OutOrStdout(), cmd.ErrOrStderr())\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tlo := composer.LogsOptions{\n\t\tFollow: follow,\n\t\tTimestamps: timestamps,\n\t\tTail: tail,\n\t\tNoColor: noColor,\n\t\tNoLogPrefix: noLogPrefix,\n\t}\n\treturn c.Logs(ctx, lo, args)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_pause.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/compose\"\n)\n\nfunc pauseCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"pause [SERVICE...]\",\n\t\tShort: \"Pause all processes within containers of service(s). They can be unpaused with nerdctl compose unpause\",\n\t\tRunE: pauseAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t\tDisableFlagsInUseLine: true,\n\t}\n\treturn cmd\n}\n\nfunc pauseAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\toptions, err := getComposeOptions(cmd, globalOptions.DebugFull, globalOptions.Experimental)\n\tif err != nil {\n\t\treturn err\n\t}\n\tc, err := compose.New(client, globalOptions, options, cmd.OutOrStdout(), cmd.ErrOrStderr())\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn c.Pause(ctx, args, cmd.OutOrStdout())\n}\n\nfunc unpauseCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"unpause [SERVICE...]\",\n\t\tShort: \"Unpause all processes within containers of service(s).\",\n\t\tRunE: unpauseAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t\tDisableFlagsInUseLine: true,\n\t}\n\treturn cmd\n}\n\nfunc unpauseAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\toptions, err := getComposeOptions(cmd, globalOptions.DebugFull, globalOptions.Experimental)\n\tif err != nil {\n\t\treturn err\n\t}\n\tc, err := compose.New(client, globalOptions, options, cmd.OutOrStdout(), cmd.ErrOrStderr())\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn c.Unpause(ctx, args, cmd.OutOrStdout())\n}\n" }, { "path": "cmd/nerdctl/compose/compose_pause_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"fmt\"\n\t\"path/filepath\"\n\t\"regexp\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/composer/serviceparser\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestComposePauseAndUnpause(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = nerdtest.CGroup\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tdockerComposeYAML := fmt.Sprintf(`\nservices:\n svc0:\n image: %s\n command: \"sleep infinity\"\n svc1:\n image: %s\n command: \"sleep infinity\"\n`, testutil.CommonImage, testutil.CommonImage)\n\n\t\tcomposePath := data.Temp().Save(dockerComposeYAML, \"compose.yaml\")\n\n\t\tprojectName := filepath.Base(filepath.Dir(composePath))\n\t\tt.Logf(\"projectName=%q\", projectName)\n\n\t\tsvc0Container := serviceparser.DefaultContainerName(projectName, \"svc0\", \"1\")\n\t\tsvc1Container := serviceparser.DefaultContainerName(projectName, \"svc1\", \"1\")\n\n\t\tdata.Labels().Set(\"composeYAML\", composePath)\n\n\t\thelpers.Ensure(\"compose\", \"-f\", composePath, \"up\", \"-d\")\n\t\tnerdtest.EnsureContainerStarted(helpers, svc0Container)\n\t\tnerdtest.EnsureContainerStarted(helpers, svc1Container)\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t// pause a service should (only) pause its own container\n\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"pause\", \"svc0\")\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tExitCode: expect.ExitCodeSuccess,\n\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\tsvc0Paused := helpers.Capture(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"ps\", \"svc0\", \"-a\")\n\t\t\t\texpect.Match(regexp.MustCompile(\"Paused|paused\"))(svc0Paused, t)\n\n\t\t\t\tsvc1Running := helpers.Capture(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"ps\", \"svc1\")\n\t\t\t\texpect.Match(regexp.MustCompile(\"Up|running\"))(svc1Running, t)\n\n\t\t\t\t// unpause should be able to recover the paused service container\n\t\t\t\thelpers.Ensure(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"unpause\", \"svc0\")\n\t\t\t\tsvc0Running := helpers.Capture(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"ps\", \"svc0\")\n\t\t\t\texpect.Match(regexp.MustCompile(\"Up|running\"))(svc0Running, t)\n\t\t\t},\n\t\t}\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tif data.Labels().Get(\"composeYAML\") != \"\" {\n\t\t\thelpers.Anyhow(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"down\", \"-v\")\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_port.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"fmt\"\n\t\"strconv\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/compose\"\n\t\"github.com/containerd/nerdctl/v2/pkg/composer\"\n)\n\nfunc portCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"port [flags] SERVICE PRIVATE_PORT\",\n\t\tShort: \"Print the public port for a port binding\",\n\t\tArgs: cobra.ExactArgs(2),\n\t\tRunE: portAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().Int(\"index\", 1, \"index of the container if the service has multiple instances.\")\n\tcmd.Flags().String(\"protocol\", \"tcp\", \"protocol of the port (tcp|udp)\")\n\n\treturn cmd\n}\n\nfunc portAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tindex, err := cmd.Flags().GetInt(\"index\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tif index < 1 {\n\t\treturn fmt.Errorf(\"index starts from 1 and should be equal or greater than 1, given index: %d\", index)\n\t}\n\n\tprotocol, err := cmd.Flags().GetString(\"protocol\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tswitch protocol {\n\tcase \"tcp\", \"udp\":\n\tdefault:\n\t\treturn fmt.Errorf(\"unsupported protocol: %s (only tcp and udp are supported)\", protocol)\n\t}\n\n\tport, err := strconv.Atoi(args[1])\n\tif err != nil {\n\t\treturn err\n\t}\n\tif port <= 0 {\n\t\treturn fmt.Errorf(\"unexpected port: %d\", port)\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\toptions, err := getComposeOptions(cmd, globalOptions.DebugFull, globalOptions.Experimental)\n\tif err != nil {\n\t\treturn err\n\t}\n\tc, err := compose.New(client, globalOptions, options, cmd.OutOrStdout(), cmd.ErrOrStderr())\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tdataStore, err := clientutil.DataStore(globalOptions.DataRoot, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tpo := composer.PortOptions{\n\t\tServiceName: args[0],\n\t\tIndex: index,\n\t\tPort: port,\n\t\tProtocol: protocol,\n\t\tDataStore: dataStore,\n\t\tNamespace: globalOptions.Namespace,\n\t}\n\n\treturn c.Port(ctx, cmd.OutOrStdout(), po)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_port_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"fmt\"\n\t\"path/filepath\"\n\t\"strconv\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/portlock\"\n)\n\nfunc TestComposePort(t *testing.T) {\n\tconst portCount = 2\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tfor i := 0; i < portCount; i++ {\n\t\t\tport, err := portlock.Acquire(0)\n\t\t\tif err != nil {\n\t\t\t\thelpers.T().Log(fmt.Sprintf(\"Failed to acquire port: %v\", err))\n\t\t\t\thelpers.T().FailNow()\n\t\t\t}\n\t\t\tdata.Labels().Set(fmt.Sprintf(\"hostPort%d\", i), strconv.Itoa(port))\n\t\t}\n\n\t\tdockerComposeYAML := fmt.Sprintf(`\nservices:\n svc0:\n image: %s\n command: \"sleep infinity\"\n ports:\n - \"%s:10000\"\n - \"%s:10001/udp\"\n`, testutil.CommonImage, data.Labels().Get(\"hostPort0\"), data.Labels().Get(\"hostPort1\"))\n\n\t\tcompYamlPath := data.Temp().Save(dockerComposeYAML, \"compose.yaml\")\n\t\tdata.Labels().Set(\"composeYaml\", compYamlPath)\n\t\tprojectName := filepath.Base(filepath.Dir(compYamlPath))\n\t\tt.Logf(\"projectName=%q\", projectName)\n\n\t\thelpers.Ensure(\"compose\", \"-f\", compYamlPath, \"up\", \"-d\")\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"down\", \"-v\")\n\t\tfor i := 0; i < portCount; i++ {\n\t\t\tport, _ := strconv.Atoi(data.Labels().Get(fmt.Sprintf(\"hostPort%d\", i)))\n\t\t\t_ = portlock.Release(port)\n\t\t}\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"port should return host port for TCP\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYaml\"), \"port\", \"svc0\", \"10000\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeSuccess,\n\t\t\t\t\tOutput: expect.Equals(fmt.Sprintf(\"0.0.0.0:%s\\n\", data.Labels().Get(\"hostPort0\"))),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"port should return host port for UDP\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYaml\"), \"port\", \"--protocol\", \"udp\", \"svc0\", \"10001\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeSuccess,\n\t\t\t\t\tOutput: expect.Equals(fmt.Sprintf(\"0.0.0.0:%s\\n\", data.Labels().Get(\"hostPort1\"))),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposePortFailure(t *testing.T) {\n\tconst portCount = 2\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tfor i := 0; i < portCount; i++ {\n\t\t\tport, err := portlock.Acquire(0)\n\t\t\tif err != nil {\n\t\t\t\thelpers.T().Log(fmt.Sprintf(\"Failed to acquire port: %v\", err))\n\t\t\t\thelpers.T().FailNow()\n\t\t\t}\n\t\t\tdata.Labels().Set(fmt.Sprintf(\"hostPort%d\", i), strconv.Itoa(port))\n\t\t}\n\n\t\tdockerComposeYAML := fmt.Sprintf(`\nservices:\n svc0:\n image: %s\n command: \"sleep infinity\"\n ports:\n - \"%s:10000\"\n - \"%s:10001/udp\"\n`, testutil.CommonImage, data.Labels().Get(\"hostPort0\"), data.Labels().Get(\"hostPort1\"))\n\n\t\tcompYamlPath := data.Temp().Save(dockerComposeYAML, \"compose.yaml\")\n\t\tdata.Labels().Set(\"composeYaml\", compYamlPath)\n\t\tprojectName := filepath.Base(filepath.Dir(compYamlPath))\n\t\tt.Logf(\"projectName=%q\", projectName)\n\n\t\thelpers.Ensure(\"compose\", \"-f\", compYamlPath, \"up\", \"-d\")\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"down\", \"-v\")\n\t\tfor i := 0; i < portCount; i++ {\n\t\t\tport, _ := strconv.Atoi(data.Labels().Get(fmt.Sprintf(\"hostPort%d\", i)))\n\t\t\t_ = portlock.Release(port)\n\t\t}\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"port should fail for non-existent port\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYaml\"), \"port\", \"svc0\", \"9999\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeGenericFail, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"port should fail for wrong protocol (UDP on TCP port)\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYaml\"), \"port\", \"--protocol\", \"udp\", \"svc0\", \"10000\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeGenericFail, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"port should fail for wrong protocol (TCP on UDP port)\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYaml\"), \"port\", \"--protocol\", \"tcp\", \"svc0\", \"10001\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeGenericFail, nil, nil),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\n// TestComposeMultiplePorts tests whether it is possible to allocate a large\n// number of ports. (https://github.com/containerd/nerdctl/issues/4027)\nfunc TestComposeMultiplePorts(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.NoParallel = true\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tdockerComposeYAML := fmt.Sprintf(`\nservices:\n svc0:\n image: %s\n command: \"sleep infinity\"\n ports:\n - '32000-32060:32000-32060'\n`, testutil.AlpineImage)\n\n\t\tcompYamlPath := data.Temp().Save(dockerComposeYAML, \"compose.yaml\")\n\t\tdata.Labels().Set(\"composeYaml\", compYamlPath)\n\t\tprojectName := filepath.Base(filepath.Dir(compYamlPath))\n\t\tt.Logf(\"projectName=%q\", projectName)\n\n\t\thelpers.Ensure(\"compose\", \"-f\", compYamlPath, \"up\", \"-d\")\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"down\", \"-v\")\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"Issue #4027 - Allocate a large number of ports.\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYaml\"), \"port\", \"svc0\", \"32000\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"0.0.0.0:32000\")),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_ps.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"strings\"\n\t\"text/tabwriter\"\n\n\t\"github.com/spf13/cobra\"\n\t\"golang.org/x/sync/errgroup\"\n\n\tcontainerd \"github.com/containerd/containerd/v2/client\"\n\t\"github.com/containerd/containerd/v2/core/runtime/restart\"\n\t\"github.com/containerd/errdefs\"\n\t\"github.com/containerd/go-cni\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/compose\"\n\t\"github.com/containerd/nerdctl/v2/pkg/containerutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/formatter\"\n\t\"github.com/containerd/nerdctl/v2/pkg/labels\"\n\t\"github.com/containerd/nerdctl/v2/pkg/portutil\"\n)\n\nfunc psCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"ps [flags] [SERVICE...]\",\n\t\tShort: \"List containers of services\",\n\t\tRunE: psAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().String(\"format\", \"table\", \"Format the output. Supported values: [table|json]\")\n\tcmd.Flags().String(\"filter\", \"\", \"Filter matches containers based on given conditions\")\n\tcmd.Flags().StringArray(\"status\", []string{}, \"Filter services by status. Values: [paused | restarting | removing | running | dead | created | exited]\")\n\tcmd.Flags().BoolP(\"quiet\", \"q\", false, \"Only display container IDs\")\n\tcmd.Flags().Bool(\"services\", false, \"Display services\")\n\tcmd.Flags().BoolP(\"all\", \"a\", false, \"Show all containers (default shows just running)\")\n\treturn cmd\n}\n\ntype composeContainerPrintable struct {\n\tID string\n\tName string\n\tImage string\n\tCommand string\n\tProject string\n\tService string\n\tState string\n\tHealth string // placeholder, lack containerd support.\n\tExitCode uint32\n\t// `Publishers` stores docker-compatible ports and used for json output.\n\t// `Ports` stores formatted ports and only used for console output.\n\tPublishers []PortPublisher\n\tPorts string `json:\"-\"`\n}\n\nfunc psAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tformat, err := cmd.Flags().GetString(\"format\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tif format != \"json\" && format != \"table\" {\n\t\treturn fmt.Errorf(\"unsupported format %s, supported formats are: [table|json]\", format)\n\t}\n\tstatus, err := cmd.Flags().GetStringArray(\"status\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tquiet, err := cmd.Flags().GetBool(\"quiet\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tdisplayServices, err := cmd.Flags().GetBool(\"services\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tfilter, err := cmd.Flags().GetString(\"filter\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tif filter != \"\" {\n\t\tsplited := strings.SplitN(filter, \"=\", 2)\n\t\tif len(splited) != 2 {\n\t\t\treturn fmt.Errorf(\"invalid argument \\\"%s\\\" for \\\"-f, --filter\\\": bad format of filter (expected name=value)\", filter)\n\t\t}\n\t\t// currently only the 'status' filter is supported\n\t\tif splited[0] != \"status\" {\n\t\t\treturn fmt.Errorf(\"invalid filter '%s'\", splited[0])\n\t\t}\n\t\tstatus = append(status, splited[1])\n\t}\n\n\tall, err := cmd.Flags().GetBool(\"all\")\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\toptions, err := getComposeOptions(cmd, globalOptions.DebugFull, globalOptions.Experimental)\n\tif err != nil {\n\t\treturn err\n\t}\n\tc, err := compose.New(client, globalOptions, options, cmd.OutOrStdout(), cmd.ErrOrStderr())\n\tif err != nil {\n\t\treturn err\n\t}\n\tserviceNames, err := c.ServiceNames(args...)\n\tif err != nil {\n\t\treturn err\n\t}\n\tcontainers, err := c.Containers(ctx, serviceNames...)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif !all {\n\t\tvar upContainers []containerd.Container\n\t\tfor _, container := range containers {\n\t\t\t// cStatus := formatter.ContainerStatus(ctx, c)\n\t\t\tcStatus, err := containerutil.ContainerStatus(ctx, container)\n\t\t\tif err != nil {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tif cStatus.Status == containerd.Running {\n\t\t\t\tupContainers = append(upContainers, container)\n\t\t\t}\n\t\t}\n\t\tcontainers = upContainers\n\t}\n\n\tif len(status) != 0 {\n\t\tvar filterdContainers []containerd.Container\n\t\tfor _, container := range containers {\n\t\t\tcStatus := statusForFilter(ctx, container)\n\t\t\tfor _, s := range status {\n\t\t\t\tif cStatus == s {\n\t\t\t\t\tfilterdContainers = append(filterdContainers, container)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tcontainers = filterdContainers\n\t}\n\n\tif quiet {\n\t\tfor _, c := range containers {\n\t\t\tfmt.Fprintln(cmd.OutOrStdout(), c.ID())\n\t\t}\n\t\treturn nil\n\t}\n\n\tcontainersPrintable := make([]composeContainerPrintable, len(containers))\n\teg, ctx := errgroup.WithContext(ctx)\n\tfor i, container := range containers {\n\t\ti, container := i, container\n\t\teg.Go(func() error {\n\t\t\tvar p composeContainerPrintable\n\t\t\tvar err error\n\t\t\tif format == \"json\" {\n\t\t\t\tp, err = composeContainerPrintableJSON(ctx, container, globalOptions)\n\t\t\t} else {\n\t\t\t\tp, err = composeContainerPrintableTab(ctx, container, globalOptions)\n\t\t\t}\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tcontainersPrintable[i] = p\n\t\t\treturn nil\n\t\t})\n\t}\n\n\tif err := eg.Wait(); err != nil {\n\t\treturn err\n\t}\n\n\tif displayServices {\n\t\tfor _, p := range containersPrintable {\n\t\t\tfmt.Fprintln(cmd.OutOrStdout(), p.Service)\n\t\t}\n\t\treturn nil\n\t}\n\tif format == \"json\" {\n\t\toutJSON, err := formatter.ToJSON(containersPrintable, \"\", \"\")\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = fmt.Fprint(cmd.OutOrStdout(), outJSON)\n\t\treturn err\n\t}\n\n\tw := tabwriter.NewWriter(cmd.OutOrStdout(), 4, 8, 4, ' ', 0)\n\tfmt.Fprintln(w, \"NAME\\tIMAGE\\tCOMMAND\\tSERVICE\\tSTATUS\\tPORTS\")\n\tfor _, p := range containersPrintable {\n\t\tif _, err := fmt.Fprintf(w, \"%s\\t%s\\t%s\\t%s\\t%s\\t%s\\n\",\n\t\t\tp.Name,\n\t\t\tp.Image,\n\t\t\tp.Command,\n\t\t\tp.Service,\n\t\t\tp.State,\n\t\t\tp.Ports,\n\t\t); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\treturn w.Flush()\n}\n\n// composeContainerPrintableTab constructs composeContainerPrintable with fields\n// only for console output.\nfunc composeContainerPrintableTab(ctx context.Context, container containerd.Container, gOptions types.GlobalCommandOptions) (composeContainerPrintable, error) {\n\tinfo, err := container.Info(ctx, containerd.WithoutRefreshedMetadata)\n\tif err != nil {\n\t\treturn composeContainerPrintable{}, err\n\t}\n\tspec, err := container.Spec(ctx)\n\tif err != nil {\n\t\treturn composeContainerPrintable{}, err\n\t}\n\tstatus := formatter.ContainerStatus(ctx, container)\n\tif status == \"Up\" {\n\t\tstatus = \"running\" // corresponds to Docker Compose v2.0.1\n\t}\n\timage, err := container.Image(ctx)\n\tif err != nil {\n\t\treturn composeContainerPrintable{}, err\n\t}\n\tdataStore, err := clientutil.DataStore(gOptions.DataRoot, gOptions.Address)\n\tif err != nil {\n\t\treturn composeContainerPrintable{}, err\n\t}\n\tcontainerLabels, err := container.Labels(ctx)\n\tif err != nil {\n\t\treturn composeContainerPrintable{}, err\n\t}\n\tports, err := portutil.LoadPortMappings(dataStore, gOptions.Namespace, info.ID, containerLabels)\n\tif err != nil {\n\t\treturn composeContainerPrintable{}, err\n\t}\n\n\treturn composeContainerPrintable{\n\t\tName: info.Labels[labels.Name],\n\t\tImage: image.Metadata().Name,\n\t\tCommand: formatter.InspectContainerCommandTrunc(spec),\n\t\tService: info.Labels[labels.ComposeService],\n\t\tState: status,\n\t\tPorts: formatter.FormatPorts(ports),\n\t}, nil\n}\n\n// composeContainerPrintableJSON constructs composeContainerPrintable with fields\n// only for json output and compatible docker output.\nfunc composeContainerPrintableJSON(ctx context.Context, container containerd.Container, gOptions types.GlobalCommandOptions) (composeContainerPrintable, error) {\n\tinfo, err := container.Info(ctx, containerd.WithoutRefreshedMetadata)\n\tif err != nil {\n\t\treturn composeContainerPrintable{}, err\n\t}\n\tspec, err := container.Spec(ctx)\n\tif err != nil {\n\t\treturn composeContainerPrintable{}, err\n\t}\n\n\tvar (\n\t\tstate string\n\t\texitCode uint32\n\t)\n\tstatus, err := containerutil.ContainerStatus(ctx, container)\n\tif err == nil {\n\t\t// show exitCode only when container is exited/stopped\n\t\tif status.Status == containerd.Stopped {\n\t\t\tstate = \"exited\"\n\t\t\texitCode = status.ExitStatus\n\t\t} else {\n\t\t\tstate = string(status.Status)\n\t\t}\n\t} else {\n\t\tstate = string(containerd.Unknown)\n\t}\n\timage, err := container.Image(ctx)\n\tif err != nil {\n\t\treturn composeContainerPrintable{}, err\n\t}\n\tdataStore, err := clientutil.DataStore(gOptions.DataRoot, gOptions.Address)\n\tif err != nil {\n\t\treturn composeContainerPrintable{}, err\n\t}\n\tcontainerLabels, err := container.Labels(ctx)\n\tif err != nil {\n\t\treturn composeContainerPrintable{}, err\n\t}\n\tportMappings, err := portutil.LoadPortMappings(dataStore, gOptions.Namespace, info.ID, containerLabels)\n\tif err != nil {\n\t\treturn composeContainerPrintable{}, err\n\t}\n\n\treturn composeContainerPrintable{\n\t\tID: container.ID(),\n\t\tName: info.Labels[labels.Name],\n\t\tImage: image.Metadata().Name,\n\t\tCommand: formatter.InspectContainerCommand(spec, false, false),\n\t\tProject: info.Labels[labels.ComposeProject],\n\t\tService: info.Labels[labels.ComposeService],\n\t\tState: state,\n\t\tHealth: \"\",\n\t\tExitCode: exitCode,\n\t\tPublishers: formatPublishers(portMappings),\n\t}, nil\n}\n\n// PortPublisher hold status about published port\n// Use this to match the json output with docker compose\n// FYI: https://github.com/docker/compose/blob/v2.13.0/pkg/api/api.go#L305C27-L311\ntype PortPublisher struct {\n\tURL string\n\tTargetPort int\n\tPublishedPort int\n\tProtocol string\n}\n\n// formatPublishers parses and returns docker-compatible []PortPublisher from\n// label map. If an error happens, an empty slice is returned.\nfunc formatPublishers(portMappings []cni.PortMapping) []PortPublisher {\n\tmapper := func(pm cni.PortMapping) PortPublisher {\n\t\treturn PortPublisher{\n\t\t\tURL: pm.HostIP,\n\t\t\tTargetPort: int(pm.ContainerPort),\n\t\t\tPublishedPort: int(pm.HostPort),\n\t\t\tProtocol: pm.Protocol,\n\t\t}\n\t}\n\n\tvar dockerPorts []PortPublisher\n\tfor _, p := range portMappings {\n\t\tdockerPorts = append(dockerPorts, mapper(p))\n\t}\n\treturn dockerPorts\n}\n\n// statusForFilter returns the status value to be matched with the 'status' filter\nfunc statusForFilter(ctx context.Context, c containerd.Container) string {\n\ttask, err := c.Task(ctx, nil)\n\tif err != nil {\n\t\t// NOTE: NotFound doesn't mean that container hasn't started.\n\t\t// In docker/CRI-containerd plugin, the task will be deleted\n\t\t// when it exits. So, the status will be \"created\" for this\n\t\t// case.\n\t\tif errdefs.IsNotFound(err) {\n\t\t\treturn string(containerd.Created)\n\t\t}\n\t\treturn string(containerd.Unknown)\n\t}\n\n\tstatus, err := task.Status(ctx)\n\tif err != nil {\n\t\treturn string(containerd.Unknown)\n\t}\n\tlabels, err := c.Labels(ctx)\n\tif err != nil {\n\t\treturn string(containerd.Unknown)\n\t}\n\n\tswitch s := status.Status; s {\n\tcase containerd.Stopped:\n\t\tif labels[restart.StatusLabel] == string(containerd.Running) && restart.Reconcile(status, labels) {\n\t\t\treturn \"restarting\"\n\t\t}\n\t\treturn \"exited\"\n\tdefault:\n\t\treturn string(s)\n\t}\n}\n" }, { "path": "cmd/nerdctl/compose/compose_ps_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/tabutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n)\n\nfunc TestComposePs(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\tvar dockerComposeYAML = fmt.Sprintf(`\nservices:\n wordpress:\n image: %s\n container_name: wordpress_container\n environment:\n WORDPRESS_DB_HOST: db\n WORDPRESS_DB_USER: exampleuser\n WORDPRESS_DB_PASSWORD: examplepass\n WORDPRESS_DB_NAME: exampledb\n volumes:\n - wordpress:/var/www/html\n db:\n image: %s\n container_name: db_container\n environment:\n MYSQL_DATABASE: exampledb\n MYSQL_USER: exampleuser\n MYSQL_PASSWORD: examplepass\n MYSQL_RANDOM_ROOT_PASSWORD: '1'\n volumes:\n - db:/var/lib/mysql\n alpine:\n image: %s\n container_name: alpine_container\n\nvolumes:\n wordpress:\n db:\n`, testutil.WordpressImage, testutil.MariaDBImage, testutil.CommonImage)\n\tcomp := testutil.NewComposeDir(t, dockerComposeYAML)\n\tdefer comp.CleanUp()\n\tprojectName := comp.ProjectName()\n\tt.Logf(\"projectName=%q\", projectName)\n\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"up\", \"-d\").AssertOK()\n\tdefer base.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"down\", \"-v\").Run()\n\n\tassertHandler := func(expectedName, expectedImage string) func(stdout string) error {\n\t\treturn func(stdout string) error {\n\t\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\tif len(lines) < 2 {\n\t\t\t\treturn fmt.Errorf(\"expected at least 2 lines, got %d\", len(lines))\n\t\t\t}\n\n\t\t\ttab := tabutil.NewReader(\"NAME\\tIMAGE\\tCOMMAND\\tSERVICE\\tSTATUS\\tPORTS\")\n\t\t\terr := tab.ParseHeader(lines[0])\n\t\t\tif err != nil {\n\t\t\t\treturn fmt.Errorf(\"failed to parse header: %v\", err)\n\t\t\t}\n\n\t\t\tcontainer, _ := tab.ReadRow(lines[1], \"NAME\")\n\t\t\tassert.Equal(t, container, expectedName)\n\n\t\t\timage, _ := tab.ReadRow(lines[1], \"IMAGE\")\n\t\t\tassert.Equal(t, image, expectedImage)\n\n\t\t\treturn nil\n\t\t}\n\n\t}\n\n\ttime.Sleep(3 * time.Second)\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"ps\", \"wordpress\").AssertOutWithFunc(assertHandler(\"wordpress_container\", testutil.WordpressImage))\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"ps\", \"db\").AssertOutWithFunc(assertHandler(\"db_container\", testutil.MariaDBImage))\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"ps\").AssertOutNotContains(testutil.CommonImage)\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"ps\", \"alpine\", \"-a\").AssertOutWithFunc(assertHandler(\"alpine_container\", testutil.CommonImage))\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"ps\", \"-a\", \"--filter\", \"status=exited\").AssertOutWithFunc(assertHandler(\"alpine_container\", testutil.CommonImage))\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"ps\", \"--services\", \"-a\").AssertOutContainsAll(\"wordpress\\n\", \"db\\n\", \"alpine\\n\")\n}\n\nfunc TestComposePsJSON(t *testing.T) {\n\t// docker parses unknown 'format' as a Go template and won't output an error\n\ttestutil.DockerIncompatible(t)\n\n\tbase := testutil.NewBase(t)\n\tvar dockerComposeYAML = fmt.Sprintf(`\nservices:\n wordpress:\n image: %s\n ports:\n - 8080:80\n environment:\n WORDPRESS_DB_HOST: db\n WORDPRESS_DB_USER: exampleuser\n WORDPRESS_DB_PASSWORD: examplepass\n WORDPRESS_DB_NAME: exampledb\n volumes:\n - wordpress:/var/www/html\n db:\n image: %s\n environment:\n MYSQL_DATABASE: exampledb\n MYSQL_USER: exampleuser\n MYSQL_PASSWORD: examplepass\n MYSQL_RANDOM_ROOT_PASSWORD: '1'\n volumes:\n - db:/var/lib/mysql\n\nvolumes:\n wordpress:\n db:\n`, testutil.WordpressImage, testutil.MariaDBImage)\n\n\tcomp := testutil.NewComposeDir(t, dockerComposeYAML)\n\tdefer comp.CleanUp()\n\tprojectName := comp.ProjectName()\n\tt.Logf(\"projectName=%q\", projectName)\n\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"up\", \"-d\").AssertOK()\n\tdefer base.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"down\", \"-v\").Run()\n\n\tassertHandler := func(svc string, count int, fields ...string) func(stdout string) error {\n\t\treturn func(stdout string) error {\n\t\t\t// 1. check json output can be unmarshalled back to printables.\n\t\t\tvar printables []composeContainerPrintable\n\t\t\tif err := json.Unmarshal([]byte(stdout), &printables); err != nil {\n\t\t\t\treturn fmt.Errorf(\"[service: %s]failed to unmarshal json output from `compose ps`: %s\", svc, stdout)\n\t\t\t}\n\t\t\t// 2. check #printables matches expected count.\n\t\t\tif len(printables) != count {\n\t\t\t\treturn fmt.Errorf(\"[service: %s]unmarshal generates %d printables, expected %d: %s\", svc, len(printables), count, stdout)\n\t\t\t}\n\t\t\t// 3. check marshalled json string has all expected substrings.\n\t\t\tfor _, field := range fields {\n\t\t\t\tif !strings.Contains(stdout, field) {\n\t\t\t\t\treturn fmt.Errorf(\"[service: %s]marshalled json output doesn't have expected string (%s): %s\", svc, field, stdout)\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn nil\n\t\t}\n\t}\n\n\t// check other formats are not supported\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"ps\", \"--format\", \"yaml\").AssertFail()\n\t// check all services are up (can be marshalled and unmarshalled) and check Image field exists\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"ps\", \"--format\", \"json\").\n\t\tAssertOutWithFunc(assertHandler(\"all\", 2, `\"Service\":\"wordpress\"`, `\"Service\":\"db\"`,\n\t\t\tfmt.Sprintf(`\"Image\":\"%s\"`, testutil.WordpressImage), fmt.Sprintf(`\"Image\":\"%s\"`, testutil.MariaDBImage)))\n\t// check wordpress is running\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"ps\", \"--format\", \"json\", \"wordpress\").\n\t\tAssertOutWithFunc(assertHandler(\"wordpress\", 1, `\"Service\":\"wordpress\"`, `\"State\":\"running\"`, `\"TargetPort\":80`, `\"PublishedPort\":8080`))\n\t// check wordpress is stopped\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"stop\", \"wordpress\").AssertOK()\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"ps\", \"--format\", \"json\", \"wordpress\", \"-a\").\n\t\tAssertOutWithFunc(assertHandler(\"wordpress\", 1, `\"Service\":\"wordpress\"`, `\"State\":\"exited\"`))\n\t// check wordpress is removed\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"rm\", \"-f\", \"wordpress\").AssertOK()\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"ps\", \"--format\", \"json\", \"wordpress\").\n\t\tAssertOutWithFunc(assertHandler(\"wordpress\", 0))\n}\n" }, { "path": "cmd/nerdctl/compose/compose_pull.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/compose\"\n\t\"github.com/containerd/nerdctl/v2/pkg/composer\"\n)\n\nfunc pullCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"pull [flags] [SERVICE...]\",\n\t\tShort: \"Pull service images\",\n\t\tRunE: pullAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().BoolP(\"quiet\", \"q\", false, \"Pull without printing progress information\")\n\treturn cmd\n}\n\nfunc pullAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\toptions, err := getComposeOptions(cmd, globalOptions.DebugFull, globalOptions.Experimental)\n\tif err != nil {\n\t\treturn err\n\t}\n\tc, err := compose.New(client, globalOptions, options, cmd.OutOrStdout(), cmd.ErrOrStderr())\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tquiet, err := cmd.Flags().GetBool(\"quiet\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tpo := composer.PullOptions{\n\t\tQuiet: quiet,\n\t}\n\treturn c.Pull(ctx, po, args)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_pull_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"fmt\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n)\n\nfunc TestComposePullWithService(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\tvar dockerComposeYAML = fmt.Sprintf(`\nservices:\n\n wordpress:\n image: %s\n environment:\n WORDPRESS_DB_HOST: db\n WORDPRESS_DB_USER: exampleuser\n WORDPRESS_DB_PASSWORD: examplepass\n WORDPRESS_DB_NAME: exampledb\n volumes:\n - wordpress:/var/www/html\n\n db:\n image: %s\n environment:\n MYSQL_DATABASE: exampledb\n MYSQL_USER: exampleuser\n MYSQL_PASSWORD: examplepass\n MYSQL_RANDOM_ROOT_PASSWORD: '1'\n volumes:\n - db:/var/lib/mysql\n\nvolumes:\n wordpress:\n db:\n`, testutil.WordpressImage, testutil.MariaDBImage)\n\n\tcomp := testutil.NewComposeDir(t, dockerComposeYAML)\n\tdefer comp.CleanUp()\n\tprojectName := comp.ProjectName()\n\tt.Logf(\"projectName=%q\", projectName)\n\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"pull\", \"db\").AssertOutNotContains(\"wordpress\")\n}\n" }, { "path": "cmd/nerdctl/compose/compose_push.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/compose\"\n\t\"github.com/containerd/nerdctl/v2/pkg/composer\"\n)\n\nfunc pushCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"push [flags] [SERVICE...]\",\n\t\tShort: \"Push service images\",\n\t\tRunE: pushAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\treturn cmd\n}\n\nfunc pushAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\toptions, err := getComposeOptions(cmd, globalOptions.DebugFull, globalOptions.Experimental)\n\tif err != nil {\n\t\treturn err\n\t}\n\tc, err := compose.New(client, globalOptions, options, cmd.OutOrStdout(), cmd.ErrOrStderr())\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tpo := composer.PushOptions{}\n\treturn c.Push(ctx, po, args)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_restart.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/compose\"\n\t\"github.com/containerd/nerdctl/v2/pkg/composer\"\n)\n\nfunc restartCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"restart [flags] [SERVICE...]\",\n\t\tShort: \"Restart containers of given (or all) services\",\n\t\tRunE: restartAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().UintP(\"timeout\", \"t\", 10, \"Seconds to wait before restarting them\")\n\treturn cmd\n}\n\nfunc restartAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tvar opt composer.RestartOptions\n\n\tif cmd.Flags().Changed(\"timeout\") {\n\t\ttimeValue, err := cmd.Flags().GetUint(\"timeout\")\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\topt.Timeout = &timeValue\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\toptions, err := getComposeOptions(cmd, globalOptions.DebugFull, globalOptions.Experimental)\n\tif err != nil {\n\t\treturn err\n\t}\n\tc, err := compose.New(client, globalOptions, options, cmd.OutOrStdout(), cmd.ErrOrStderr())\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn c.Restart(ctx, opt, args)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_restart_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"fmt\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n)\n\nfunc TestComposeRestart(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\tvar dockerComposeYAML = fmt.Sprintf(`\nservices:\n wordpress:\n image: %s\n environment:\n WORDPRESS_DB_HOST: db\n WORDPRESS_DB_USER: exampleuser\n WORDPRESS_DB_PASSWORD: examplepass\n WORDPRESS_DB_NAME: exampledb\n volumes:\n - wordpress:/var/www/html\n db:\n image: %s\n environment:\n MYSQL_DATABASE: exampledb\n MYSQL_USER: exampleuser\n MYSQL_PASSWORD: examplepass\n MYSQL_RANDOM_ROOT_PASSWORD: '1'\n volumes:\n - db:/var/lib/mysql\n\nvolumes:\n wordpress:\n db:\n`, testutil.WordpressImage, testutil.MariaDBImage)\n\n\tcomp := testutil.NewComposeDir(t, dockerComposeYAML)\n\tdefer comp.CleanUp()\n\tprojectName := comp.ProjectName()\n\tt.Logf(\"projectName=%q\", projectName)\n\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"up\", \"-d\").AssertOK()\n\tdefer base.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"down\", \"-v\").Run()\n\n\t// stop and restart a single service.\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"stop\", \"db\").AssertOK()\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"ps\", \"db\", \"-a\").AssertOutContainsAny(\"Exit\", \"exited\")\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"restart\", \"db\").AssertOK()\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"ps\", \"db\").AssertOutContainsAny(\"Up\", \"running\")\n\n\t// stop one service and restart all (also check `--timeout` arg).\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"stop\", \"db\").AssertOK()\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"ps\", \"db\", \"-a\").AssertOutContainsAny(\"Exit\", \"exited\")\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"restart\", \"--timeout\", \"5\").AssertOK()\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"ps\", \"db\").AssertOutContainsAny(\"Up\", \"running\")\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"ps\", \"wordpress\").AssertOutContainsAny(\"Up\", \"running\")\n}\n" }, { "path": "cmd/nerdctl/compose/compose_rm.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"fmt\"\n\t\"strings\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/compose\"\n\t\"github.com/containerd/nerdctl/v2/pkg/composer\"\n)\n\nfunc removeCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"rm [flags] [SERVICE...]\",\n\t\tShort: \"Remove stopped service containers\",\n\t\tRunE: removeAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().BoolP(\"force\", \"f\", false, \"Do not prompt for confirmation\")\n\tcmd.Flags().BoolP(\"stop\", \"s\", false, \"Stop containers before removing\")\n\tcmd.Flags().BoolP(\"volumes\", \"v\", false, \"Remove anonymous volumes associated with containers\")\n\treturn cmd\n}\n\nfunc removeAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tforce, err := cmd.Flags().GetBool(\"force\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tif !force {\n\t\tservices := \"all\"\n\t\tif len(args) != 0 {\n\t\t\tservices = strings.Join(args, \",\")\n\t\t}\n\n\t\tmsg := fmt.Sprintf(\"This will remove all stopped containers from services: %s.\", services)\n\n\t\tif confirmed, err := helpers.Confirm(cmd, fmt.Sprintf(\"WARNING! %s.\", msg)); err != nil || !confirmed {\n\t\t\treturn err\n\t\t}\n\t}\n\n\tstop, err := cmd.Flags().GetBool(\"stop\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tvolumes, err := cmd.Flags().GetBool(\"volumes\")\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\toptions, err := getComposeOptions(cmd, globalOptions.DebugFull, globalOptions.Experimental)\n\tif err != nil {\n\t\treturn err\n\t}\n\tc, err := compose.New(client, globalOptions, options, cmd.OutOrStdout(), cmd.ErrOrStderr())\n\tif err != nil {\n\t\treturn err\n\t}\n\n\trmOpts := composer.RemoveOptions{\n\t\tStop: stop,\n\t\tVolumes: volumes,\n\t}\n\treturn c.Remove(ctx, rmOpts, args)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_rm_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"fmt\"\n\t\"regexp\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestComposeRemove(t *testing.T) {\n\tvar dockerComposeYAML = fmt.Sprintf(`\nservices:\n\n wordpress:\n image: %s\n environment:\n WORDPRESS_DB_HOST: db\n WORDPRESS_DB_USER: exampleuser\n WORDPRESS_DB_PASSWORD: examplepass\n WORDPRESS_DB_NAME: exampledb\n volumes:\n - wordpress:/var/www/html\n\n db:\n image: %s\n environment:\n MYSQL_DATABASE: exampledb\n MYSQL_USER: exampleuser\n MYSQL_PASSWORD: examplepass\n MYSQL_RANDOM_ROOT_PASSWORD: '1'\n volumes:\n - db:/var/lib/mysql\n\nvolumes:\n wordpress:\n db:\n`, testutil.WordpressImage, testutil.MariaDBImage)\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"down\")\n\t}\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tdata.Temp().Save(dockerComposeYAML, \"compose.yaml\")\n\t\thelpers.Ensure(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"up\", \"-d\")\n\t\tdata.Labels().Set(\"yamlPath\", data.Temp().Path(\"compose.yaml\"))\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"All services are still up\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"yamlPath\"), \"rm\", \"-f\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\twp := helpers.Capture(\"compose\", \"-f\", data.Labels().Get(\"yamlPath\"), \"ps\", \"wordpress\")\n\t\t\t\t\t\tdb := helpers.Capture(\"compose\", \"-f\", data.Labels().Get(\"yamlPath\"), \"ps\", \"db\")\n\t\t\t\t\t\tcomp := expect.Match(regexp.MustCompile(\"Up|running\"))\n\t\t\t\t\t\tcomp(wp, t)\n\t\t\t\t\t\tcomp(db, t)\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Remove stopped service\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\thelpers.Ensure(\"compose\", \"-f\", data.Labels().Get(\"yamlPath\"), \"stop\", \"wordpress\")\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"yamlPath\"), \"rm\", \"-f\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\twp := helpers.Capture(\"compose\", \"-f\", data.Labels().Get(\"yamlPath\"), \"ps\", \"wordpress\")\n\t\t\t\t\t\tdb := helpers.Capture(\"compose\", \"-f\", data.Labels().Get(\"yamlPath\"), \"ps\", \"db\")\n\t\t\t\t\t\texpect.DoesNotContain(\"wordpress\")(wp, t)\n\t\t\t\t\t\texpect.Match(regexp.MustCompile(\"Up|running\"))(db, t)\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Remove all services with stop\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"yamlPath\"), \"rm\", \"-f\", \"-s\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tdb := helpers.Capture(\"compose\", \"-f\", data.Labels().Get(\"yamlPath\"), \"ps\", \"db\")\n\t\t\t\t\t\texpect.DoesNotContain(\"db\")(db, t)\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_run.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/compose\"\n\t\"github.com/containerd/nerdctl/v2/pkg/composer\"\n)\n\nfunc runCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"run [flags] SERVICE [COMMAND] [ARGS...]\",\n\t\tShort: \"Run a one-off command on a service\",\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tRunE: runAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t\tDisableFlagsInUseLine: true,\n\t}\n\tcmd.Flags().SetInterspersed(false)\n\tcmd.Flags().BoolP(\"detach\", \"d\", false, \"Detached mode: Run containers in the background\")\n\tcmd.Flags().Bool(\"no-build\", false, \"Don't build an image, even if it's missing.\")\n\tcmd.Flags().Bool(\"no-color\", false, \"Produce monochrome output\")\n\tcmd.Flags().Bool(\"no-log-prefix\", false, \"Don't print prefix in logs\")\n\tcmd.Flags().Bool(\"build\", false, \"Build images before starting containers.\")\n\tcmd.Flags().Bool(\"quiet-pull\", false, \"Pull without printing progress information\")\n\tcmd.Flags().Bool(\"remove-orphans\", false, \"Remove containers for services not defined in the Compose file.\")\n\n\tcmd.Flags().String(\"name\", \"\", \"Assign a name to the container\")\n\tcmd.Flags().Bool(\"no-deps\", false, \"Don't start dependencies\")\n\t// TODO: no-TTY flag\n\t// In docker-compose's documentation, no-TTY is automatically detected\n\t// But, it follows `-i` flag because currently `run` command needs `-it` simultaneously.\n\tcmd.Flags().BoolP(\"interactive\", \"i\", true, \"Keep STDIN open even if not attached\")\n\tcmd.Flags().Bool(\"rm\", false, \"Automatically remove the container when it exits\")\n\tcmd.Flags().StringP(\"user\", \"u\", \"\", \"Username or UID (format: [:])\")\n\tcmd.Flags().StringArrayP(\"volume\", \"v\", nil, \"Bind mount a volume\")\n\tcmd.Flags().StringArray(\"entrypoint\", nil, \"Overwrite the default ENTRYPOINT of the image\")\n\tcmd.Flags().StringArrayP(\"env\", \"e\", nil, \"Set environment variables\")\n\tcmd.Flags().StringArrayP(\"label\", \"l\", nil, \"Set metadata on container\")\n\tcmd.Flags().StringP(\"workdir\", \"w\", \"\", \"Working directory inside the container\")\n\t// FIXME: `-p` conflicts with the `--project-name` in PersistentFlags of parent command `compose`\n\t// For docker compatibility, it should be fixed.\n\tcmd.Flags().StringSlice(\"publish\", nil, \"Publish a container's port(s) to the host\")\n\tcmd.Flags().Bool(\"service-ports\", false, \"Run command with the service's ports enabled and mapped to the host\")\n\t// TODO: use-aliases\n\n\treturn cmd\n}\n\nfunc runAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdetach, err := cmd.Flags().GetBool(\"detach\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tnoBuild, err := cmd.Flags().GetBool(\"no-build\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tnoColor, err := cmd.Flags().GetBool(\"no-color\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tnoLogPrefix, err := cmd.Flags().GetBool(\"no-log-prefix\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tbuild, err := cmd.Flags().GetBool(\"build\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tif build && noBuild {\n\t\treturn errors.New(\"--build and --no-build can not be combined\")\n\t}\n\tquietPull, err := cmd.Flags().GetBool(\"quiet-pull\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tremoveOrphans, err := cmd.Flags().GetBool(\"remove-orphans\")\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tname, err := cmd.Flags().GetString(\"name\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tnodeps, err := cmd.Flags().GetBool(\"no-deps\")\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tinteractive, err := cmd.Flags().GetBool(\"interactive\")\n\tif err != nil {\n\t\treturn err\n\t}\n\t// FIXME : https://github.com/containerd/nerdctl/blob/v0.22.2/cmd/nerdctl/run.go#L100\n\ttty := interactive\n\trm, err := cmd.Flags().GetBool(\"rm\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tuser, err := cmd.Flags().GetString(\"user\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tvolume, err := cmd.Flags().GetStringArray(\"volume\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tentrypoint, err := cmd.Flags().GetStringArray(\"entrypoint\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tenv, err := cmd.Flags().GetStringArray(\"env\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tlabel, err := cmd.Flags().GetStringArray(\"label\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tworkdir, err := cmd.Flags().GetString(\"workdir\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tpublish, err := cmd.Flags().GetStringSlice(\"publish\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tservicePorts, err := cmd.Flags().GetBool(\"service-ports\")\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif servicePorts && publish != nil && len(publish) > 0 {\n\t\treturn fmt.Errorf(\"--service-ports and --publish(-p) cannot exist simultaneously\")\n\t}\n\t// https://github.com/containerd/nerdctl/blob/v0.22.2/cmd/nerdctl/run.go#L475\n\tif interactive && detach {\n\t\treturn errors.New(\"currently flag -i and -d cannot be specified together (FIXME)\")\n\t}\n\n\t// https://github.com/containerd/nerdctl/blob/v0.22.2/cmd/nerdctl/run.go#L479\n\tif tty && detach {\n\t\treturn errors.New(\"currently flag -t and -d cannot be specified together (FIXME)\")\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\toptions, err := getComposeOptions(cmd, globalOptions.DebugFull, globalOptions.Experimental)\n\tif err != nil {\n\t\treturn err\n\t}\n\tc, err := compose.New(client, globalOptions, options, cmd.OutOrStdout(), cmd.ErrOrStderr())\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tro := composer.RunOptions{\n\t\tDetach: detach,\n\t\tNoBuild: noBuild,\n\t\tNoColor: noColor,\n\t\tNoLogPrefix: noLogPrefix,\n\t\tForceBuild: build,\n\t\tQuietPull: quietPull,\n\t\tRemoveOrphans: removeOrphans,\n\n\t\tServiceName: args[0],\n\t\tArgs: args[1:],\n\n\t\tName: name,\n\t\tNoDeps: nodeps,\n\t\tTty: tty,\n\t\tInteractive: interactive,\n\t\tRm: rm,\n\t\tUser: user,\n\t\tVolume: volume,\n\t\tEntrypoint: entrypoint,\n\t\tEnv: env,\n\t\tLabel: label,\n\t\tWorkDir: workdir,\n\t\tServicePorts: servicePorts,\n\t\tPublish: publish,\n\t}\n\n\treturn c.Run(ctx, ro)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_run_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/log\"\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nettestutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/testregistry\"\n)\n\nfunc TestComposeRun(t *testing.T) {\n\tconst expectedOutput = \"speed 38400 baud\"\n\n\tdockerComposeYAML := fmt.Sprintf(`\nservices:\n alpine:\n image: %s\n entrypoint:\n - stty\n`, testutil.CommonImage)\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"pty run\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tdata.Temp().Save(dockerComposeYAML, \"compose.yaml\")\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcmd := helpers.Command(\n\t\t\t\t\t\"compose\",\n\t\t\t\t\t\"-f\",\n\t\t\t\t\tdata.Temp().Path(\"compose.yaml\"),\n\t\t\t\t\t\"run\",\n\t\t\t\t\t\"--name\",\n\t\t\t\t\tdata.Identifier(),\n\t\t\t\t\t\"alpine\",\n\t\t\t\t)\n\t\t\t\tcmd.WithPseudoTTY()\n\t\t\t\treturn cmd\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(expectedOutput)),\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", \"-v\", data.Identifier())\n\t\t\t\thelpers.Anyhow(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"down\", \"-v\")\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"pty run with --rm\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tdata.Temp().Save(dockerComposeYAML, \"compose.yaml\")\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcmd := helpers.Command(\n\t\t\t\t\t\"compose\",\n\t\t\t\t\t\"-f\",\n\t\t\t\t\tdata.Temp().Path(\"compose.yaml\"),\n\t\t\t\t\t\"run\",\n\t\t\t\t\t\"--name\",\n\t\t\t\t\tdata.Identifier(),\n\t\t\t\t\t\"--rm\",\n\t\t\t\t\t\"alpine\",\n\t\t\t\t)\n\t\t\t\tcmd.WithPseudoTTY()\n\t\t\t\treturn cmd\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t// Ensure the container has been removed\n\t\t\t\tcapt := helpers.Capture(\"ps\", \"-a\", \"--format=\\\"{{.Names}}\\\"\")\n\t\t\t\tassert.Assert(t, !strings.Contains(capt, data.Identifier()), capt)\n\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.Contains(expectedOutput),\n\t\t\t\t}\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", \"-v\", data.Identifier())\n\t\t\t\thelpers.Anyhow(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"down\", \"-v\")\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeRunWithServicePorts(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\t// specify the name of container in order to remove\n\t// TODO: when `compose rm` is implemented, replace it.\n\tcontainerName := testutil.Identifier(t)\n\n\tdockerComposeYAML := fmt.Sprintf(`\nservices:\n web:\n image: %s\n ports:\n - 8080:80\n`, testutil.NginxAlpineImage)\n\n\tcomp := testutil.NewComposeDir(t, dockerComposeYAML)\n\tdefer comp.CleanUp()\n\tprojectName := comp.ProjectName()\n\tt.Logf(\"projectName=%q\", projectName)\n\tdefer base.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"down\", \"-v\").Run()\n\n\tdefer base.Cmd(\"rm\", \"-f\", \"-v\", containerName).Run()\n\tgo func() {\n\t\t// unbuffer(1) emulates tty, which is required by `nerdctl run -t`.\n\t\t// unbuffer(1) can be installed with `apt-get install expect`.\n\t\tunbuffer := []string{\"unbuffer\"}\n\t\tbase.ComposeCmdWithHelper(unbuffer, \"-f\", comp.YAMLFullPath(),\n\t\t\t\"run\", \"--service-ports\", \"--name\", containerName, \"web\").Run()\n\t}()\n\n\tcheckNginx := func() error {\n\t\tresp, err := nettestutil.HTTPGet(\"http://127.0.0.1:8080\", 5, false)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trespBody, err := io.ReadAll(resp.Body)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif !strings.Contains(string(respBody), testutil.NginxAlpineIndexHTMLSnippet) {\n\t\t\tt.Logf(\"respBody=%q\", respBody)\n\t\t\treturn fmt.Errorf(\"respBody does not contain %q\", testutil.NginxAlpineIndexHTMLSnippet)\n\t\t}\n\t\treturn nil\n\t}\n\tvar nginxWorking bool\n\tfor i := 0; i < 30; i++ {\n\t\tt.Logf(\"(retry %d)\", i)\n\t\terr := checkNginx()\n\t\tif err == nil {\n\t\t\tnginxWorking = true\n\t\t\tbreak\n\t\t}\n\t\tt.Log(err)\n\t\ttime.Sleep(3 * time.Second)\n\t}\n\tif !nginxWorking {\n\t\tt.Fatal(\"nginx is not working\")\n\t}\n\tt.Log(\"nginx seems functional\")\n}\n\nfunc TestComposeRunWithPublish(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\t// specify the name of container in order to remove\n\t// TODO: when `compose rm` is implemented, replace it.\n\tcontainerName := testutil.Identifier(t)\n\n\tdockerComposeYAML := fmt.Sprintf(`\nservices:\n web:\n image: %s\n`, testutil.NginxAlpineImage)\n\n\tcomp := testutil.NewComposeDir(t, dockerComposeYAML)\n\tdefer comp.CleanUp()\n\tprojectName := comp.ProjectName()\n\tt.Logf(\"projectName=%q\", projectName)\n\tdefer base.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"down\", \"-v\").Run()\n\n\tdefer base.Cmd(\"rm\", \"-f\", \"-v\", containerName).Run()\n\tgo func() {\n\t\t// unbuffer(1) emulates tty, which is required by `nerdctl run -t`.\n\t\t// unbuffer(1) can be installed with `apt-get install expect`.\n\t\tunbuffer := []string{\"unbuffer\"}\n\t\tbase.ComposeCmdWithHelper(unbuffer, \"-f\", comp.YAMLFullPath(),\n\t\t\t\"run\", \"--publish\", \"8080:80\", \"--name\", containerName, \"web\").Run()\n\t}()\n\n\tcheckNginx := func() error {\n\t\tresp, err := nettestutil.HTTPGet(\"http://127.0.0.1:8080\", 5, false)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trespBody, err := io.ReadAll(resp.Body)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif !strings.Contains(string(respBody), testutil.NginxAlpineIndexHTMLSnippet) {\n\t\t\tt.Logf(\"respBody=%q\", respBody)\n\t\t\treturn fmt.Errorf(\"respBody does not contain %q\", testutil.NginxAlpineIndexHTMLSnippet)\n\t\t}\n\t\treturn nil\n\t}\n\tvar nginxWorking bool\n\tfor i := 0; i < 30; i++ {\n\t\tt.Logf(\"(retry %d)\", i)\n\t\terr := checkNginx()\n\t\tif err == nil {\n\t\t\tnginxWorking = true\n\t\t\tbreak\n\t\t}\n\t\tt.Log(err)\n\t\ttime.Sleep(3 * time.Second)\n\t}\n\tif !nginxWorking {\n\t\tt.Fatal(\"nginx is not working\")\n\t}\n\tt.Log(\"nginx seems functional\")\n}\n\nfunc TestComposeRunWithEnv(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\t// specify the name of container in order to remove\n\t// TODO: when `compose rm` is implemented, replace it.\n\tcontainerName := testutil.Identifier(t)\n\n\tdockerComposeYAML := fmt.Sprintf(`\nservices:\n alpine:\n image: %s\n entrypoint:\n - sh\n - -c\n - \"echo $$FOO\"\n`, testutil.CommonImage)\n\n\tcomp := testutil.NewComposeDir(t, dockerComposeYAML)\n\tdefer comp.CleanUp()\n\tprojectName := comp.ProjectName()\n\tt.Logf(\"projectName=%q\", projectName)\n\tdefer base.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"down\", \"-v\").Run()\n\n\tdefer base.Cmd(\"rm\", \"-f\", \"-v\", containerName).Run()\n\tconst partialOutput = \"bar\"\n\t// unbuffer(1) emulates tty, which is required by `nerdctl run -t`.\n\t// unbuffer(1) can be installed with `apt-get install expect`.\n\tunbuffer := []string{\"unbuffer\"}\n\tbase.ComposeCmdWithHelper(unbuffer, \"-f\", comp.YAMLFullPath(),\n\t\t\"run\", \"-e\", \"FOO=bar\", \"--name\", containerName, \"alpine\").AssertOutContains(partialOutput)\n}\n\nfunc TestComposeRunWithUser(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\t// specify the name of container in order to remove\n\t// TODO: when `compose rm` is implemented, replace it.\n\tcontainerName := testutil.Identifier(t)\n\n\tdockerComposeYAML := fmt.Sprintf(`\nservices:\n alpine:\n image: %s\n entrypoint:\n - id\n - -u\n`, testutil.CommonImage)\n\n\tcomp := testutil.NewComposeDir(t, dockerComposeYAML)\n\tdefer comp.CleanUp()\n\tprojectName := comp.ProjectName()\n\tt.Logf(\"projectName=%q\", projectName)\n\tdefer base.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"down\", \"-v\").Run()\n\n\tdefer base.Cmd(\"rm\", \"-f\", \"-v\", containerName).Run()\n\tconst partialOutput = \"5000\"\n\t// unbuffer(1) emulates tty, which is required by `nerdctl run -t`.\n\t// unbuffer(1) can be installed with `apt-get install expect`.\n\tunbuffer := []string{\"unbuffer\"}\n\tbase.ComposeCmdWithHelper(unbuffer, \"-f\", comp.YAMLFullPath(),\n\t\t\"run\", \"--user\", \"5000\", \"--name\", containerName, \"alpine\").AssertOutContains(partialOutput)\n}\n\nfunc TestComposeRunWithLabel(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\tcontainerName := testutil.Identifier(t)\n\n\tdockerComposeYAML := fmt.Sprintf(`\nservices:\n alpine:\n image: %s\n entrypoint:\n - echo\n - \"dummy log\"\n labels:\n - \"foo=bar\"\n`, testutil.CommonImage)\n\n\tcomp := testutil.NewComposeDir(t, dockerComposeYAML)\n\tdefer comp.CleanUp()\n\tprojectName := comp.ProjectName()\n\tt.Logf(\"projectName=%q\", projectName)\n\tdefer base.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"down\", \"-v\").Run()\n\n\tdefer base.Cmd(\"rm\", \"-f\", \"-v\", containerName).Run()\n\t// unbuffer(1) emulates tty, which is required by `nerdctl run -t`.\n\t// unbuffer(1) can be installed with `apt-get install expect`.\n\tunbuffer := []string{\"unbuffer\"}\n\tbase.ComposeCmdWithHelper(unbuffer, \"-f\", comp.YAMLFullPath(),\n\t\t\"run\", \"--label\", \"foo=rab\", \"--label\", \"x=y\", \"--name\", containerName, \"alpine\").AssertOK()\n\n\tcontainer := base.InspectContainer(containerName)\n\tif container.Config == nil {\n\t\tlog.L.Errorf(\"test failed, cannot fetch container config\")\n\t\tt.Fail()\n\t}\n\tassert.Equal(t, container.Config.Labels[\"foo\"], \"rab\")\n\tassert.Equal(t, container.Config.Labels[\"x\"], \"y\")\n}\n\nfunc TestComposeRunWithArgs(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\tcontainerName := testutil.Identifier(t)\n\n\tdockerComposeYAML := fmt.Sprintf(`\nservices:\n alpine:\n image: %s\n entrypoint:\n - echo\n`, testutil.CommonImage)\n\n\tcomp := testutil.NewComposeDir(t, dockerComposeYAML)\n\tdefer comp.CleanUp()\n\tprojectName := comp.ProjectName()\n\tt.Logf(\"projectName=%q\", projectName)\n\tdefer base.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"down\", \"-v\").Run()\n\n\tdefer base.Cmd(\"rm\", \"-f\", \"-v\", containerName).Run()\n\tconst partialOutput = \"hello world\"\n\t// unbuffer(1) emulates tty, which is required by `nerdctl run -t`.\n\t// unbuffer(1) can be installed with `apt-get install expect`.\n\tunbuffer := []string{\"unbuffer\"}\n\tbase.ComposeCmdWithHelper(unbuffer, \"-f\", comp.YAMLFullPath(),\n\t\t\"run\", \"--name\", containerName, \"alpine\", partialOutput).AssertOutContains(partialOutput)\n}\n\nfunc TestComposeRunWithEntrypoint(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\t// specify the name of container in order to remove\n\t// TODO: when `compose rm` is implemented, replace it.\n\tcontainerName := testutil.Identifier(t)\n\n\tdockerComposeYAML := fmt.Sprintf(`\nservices:\n alpine:\n image: %s\n entrypoint:\n - stty # should be changed\n`, testutil.CommonImage)\n\n\tcomp := testutil.NewComposeDir(t, dockerComposeYAML)\n\tdefer comp.CleanUp()\n\tprojectName := comp.ProjectName()\n\tt.Logf(\"projectName=%q\", projectName)\n\tdefer base.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"down\", \"-v\").Run()\n\n\tdefer base.Cmd(\"rm\", \"-f\", \"-v\", containerName).Run()\n\tconst partialOutput = \"hello world\"\n\t// unbuffer(1) emulates tty, which is required by `nerdctl run -t`.\n\t// unbuffer(1) can be installed with `apt-get install expect`.\n\tunbuffer := []string{\"unbuffer\"}\n\tbase.ComposeCmdWithHelper(unbuffer, \"-f\", comp.YAMLFullPath(),\n\t\t\"run\", \"--entrypoint\", \"echo\", \"--name\", containerName, \"alpine\", partialOutput).AssertOutContains(partialOutput)\n}\n\nfunc TestComposeRunWithVolume(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\tcontainerName := testutil.Identifier(t)\n\n\tdockerComposeYAML := fmt.Sprintf(`\nservices:\n alpine:\n image: %s\n entrypoint:\n - stty # no meaning, just put any command\n`, testutil.CommonImage)\n\n\tcomp := testutil.NewComposeDir(t, dockerComposeYAML)\n\tdefer comp.CleanUp()\n\tprojectName := comp.ProjectName()\n\tt.Logf(\"projectName=%q\", projectName)\n\tdefer base.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"down\", \"-v\").Run()\n\n\t// The directory is automatically removed by Cleanup\n\ttmpDir := t.TempDir()\n\tdestinationDir := \"/data\"\n\tvolumeFlagStr := fmt.Sprintf(\"%s:%s\", tmpDir, destinationDir)\n\n\tdefer base.Cmd(\"rm\", \"-f\", \"-v\", containerName).Run()\n\t// unbuffer(1) emulates tty, which is required by `nerdctl run -t`.\n\t// unbuffer(1) can be installed with `apt-get install expect`.\n\tunbuffer := []string{\"unbuffer\"}\n\tbase.ComposeCmdWithHelper(unbuffer, \"-f\", comp.YAMLFullPath(),\n\t\t\"run\", \"--volume\", volumeFlagStr, \"--name\", containerName, \"alpine\").AssertOK()\n\n\tcontainer := base.InspectContainer(containerName)\n\terrMsg := fmt.Sprintf(\"test failed, cannot find volume: %v\", container.Mounts)\n\tassert.Assert(t, container.Mounts != nil, errMsg)\n\tassert.Assert(t, len(container.Mounts) == 1, errMsg)\n\tassert.Assert(t, container.Mounts[0].Source == tmpDir, errMsg)\n\tassert.Assert(t, container.Mounts[0].Destination == destinationDir, errMsg)\n}\n\nfunc TestComposePushAndPullWithCosignVerify(t *testing.T) {\n\ttestutil.RequireExecutable(t, \"cosign\")\n\ttestutil.DockerIncompatible(t)\n\ttestutil.RequiresBuild(t)\n\ttestutil.RegisterBuildCacheCleanup(t)\n\tt.Parallel()\n\n\tbase := testutil.NewBase(t)\n\tbase.Env = append(base.Env, \"COSIGN_PASSWORD=1\")\n\n\tkeyPair := helpers.NewCosignKeyPair(t, \"cosign-key-pair\", \"1\")\n\treg := testregistry.NewWithNoAuth(base, 0, false)\n\tt.Cleanup(func() {\n\t\tkeyPair.Cleanup()\n\t\treg.Cleanup(nil)\n\t})\n\n\ttID := testutil.Identifier(t)\n\ttestImageRefPrefix := fmt.Sprintf(\"127.0.0.1:%d/%s/\", reg.Port, tID)\n\n\tvar (\n\t\timageSvc0 = testImageRefPrefix + \"composebuild_svc0\"\n\t\timageSvc1 = testImageRefPrefix + \"composebuild_svc1\"\n\t\timageSvc2 = testImageRefPrefix + \"composebuild_svc2\"\n\t)\n\n\tdockerComposeYAML := fmt.Sprintf(`\nservices:\n svc0:\n build: .\n image: %s\n x-nerdctl-verify: cosign\n x-nerdctl-cosign-public-key: %s\n x-nerdctl-sign: cosign\n x-nerdctl-cosign-private-key: %s\n entrypoint:\n - stty\n svc1:\n build: .\n image: %s\n x-nerdctl-verify: cosign\n x-nerdctl-cosign-public-key: dummy_pub_key\n x-nerdctl-sign: cosign\n x-nerdctl-cosign-private-key: %s\n entrypoint:\n - stty\n svc2:\n build: .\n image: %s\n x-nerdctl-verify: none\n x-nerdctl-sign: none\n entrypoint:\n - stty\n`, imageSvc0, keyPair.PublicKey, keyPair.PrivateKey,\n\t\timageSvc1, keyPair.PrivateKey, imageSvc2)\n\n\tdockerfile := fmt.Sprintf(`FROM %s`, testutil.CommonImage)\n\n\tcomp := testutil.NewComposeDir(t, dockerComposeYAML)\n\tdefer comp.CleanUp()\n\tcomp.WriteFile(\"Dockerfile\", dockerfile)\n\n\tprojectName := comp.ProjectName()\n\tt.Logf(\"projectName=%q\", projectName)\n\tdefer base.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"down\", \"-v\").Run()\n\n\t// 1. build both services/images\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"build\").AssertOK()\n\t// 2. compose push with cosign for svc0/svc1, (and none for svc2)\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"push\").AssertOK()\n\t// 3. compose pull with cosign\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"pull\", \"svc0\").AssertOK() // key match\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"pull\", \"svc1\").AssertFail() // key mismatch\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"pull\", \"svc2\").AssertOK() // verify passed\n\t// 4. compose run\n\tconst sttyPartialOutput = \"speed 38400 baud\"\n\t// unbuffer(1) emulates tty, which is required by `nerdctl run -t`.\n\t// unbuffer(1) can be installed with `apt-get install expect`.\n\tunbuffer := []string{\"unbuffer\"}\n\tbase.ComposeCmdWithHelper(unbuffer, \"-f\", comp.YAMLFullPath(), \"run\", \"svc0\").AssertOutContains(sttyPartialOutput) // key match\n\tbase.ComposeCmdWithHelper(unbuffer, \"-f\", comp.YAMLFullPath(), \"run\", \"svc1\").AssertFail() // key mismatch\n\tbase.ComposeCmdWithHelper(unbuffer, \"-f\", comp.YAMLFullPath(), \"run\", \"svc2\").AssertOutContains(sttyPartialOutput) // verify passed\n\t// 5. compose up\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"up\", \"svc0\").AssertOK() // key match\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"up\", \"svc1\").AssertFail() // key mismatch\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"up\", \"svc2\").AssertOK() // verify passed\n}\n" }, { "path": "cmd/nerdctl/compose/compose_start.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"os\"\n\n\t\"github.com/spf13/cobra\"\n\t\"golang.org/x/sync/errgroup\"\n\n\tcontainerd \"github.com/containerd/containerd/v2/client\"\n\t\"github.com/containerd/errdefs\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/compose\"\n\t\"github.com/containerd/nerdctl/v2/pkg/config\"\n\t\"github.com/containerd/nerdctl/v2/pkg/containerutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/labels\"\n)\n\nfunc startCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"start [SERVICE...]\",\n\t\tShort: \"Start existing containers for service(s)\",\n\t\tRunE: startAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t\tDisableFlagsInUseLine: true,\n\t}\n\treturn cmd\n}\n\nfunc startAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tnerdctlCmd, nerdctlArgs := helpers.GlobalFlags(cmd)\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\toptions, err := getComposeOptions(cmd, globalOptions.DebugFull, globalOptions.Experimental)\n\tif err != nil {\n\t\treturn err\n\t}\n\tc, err := compose.New(client, globalOptions, options, cmd.OutOrStdout(), cmd.ErrOrStderr())\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t// TODO(djdongjin): move to `pkg/composer` and rewrite `c.Services + for-loop`\n\t// with `c.project.WithServices` after refactor (#1639) is done.\n\tservices, err := c.Services(ctx, args...)\n\tif err != nil {\n\t\treturn err\n\t}\n\tfor _, svc := range services {\n\t\tsvcName := svc.Unparsed.Name\n\t\tcontainers, err := c.Containers(ctx, svcName)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// return error if no containers and service replica is not zero\n\t\tif len(containers) == 0 {\n\t\t\tif len(svc.Containers) == 0 {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\treturn fmt.Errorf(\"service %q has no container to start\", svcName)\n\t\t}\n\n\t\tif err := startContainers(ctx, client, containers, &globalOptions, nerdctlCmd, nerdctlArgs); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\treturn nil\n}\n\nfunc startContainers(ctx context.Context, client *containerd.Client, containers []containerd.Container, globalOptions *types.GlobalCommandOptions, nerdctlCmd string, nerdctlArgs []string) error {\n\teg, ctx := errgroup.WithContext(ctx)\n\tfor _, c := range containers {\n\t\tc := c\n\t\teg.Go(func() error {\n\t\t\tif cStatus, err := containerutil.ContainerStatus(ctx, c); err != nil {\n\t\t\t\t// NOTE: NotFound doesn't mean that container hasn't started.\n\t\t\t\t// In docker/CRI-containerd plugin, the task will be deleted\n\t\t\t\t// when it exits. So, the status will be \"created\" for this\n\t\t\t\t// case.\n\t\t\t\tif !errdefs.IsNotFound(err) {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t} else if cStatus.Status == containerd.Running {\n\t\t\t\treturn nil\n\t\t\t}\n\n\t\t\t// in compose, always disable attach\n\t\t\tif err := containerutil.Start(ctx, c, false, false, client, \"\", \"\", (*config.Config)(globalOptions), nerdctlCmd, nerdctlArgs); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tinfo, err := c.Info(ctx, containerd.WithoutRefreshedMetadata)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\n\t\t\t_, err = fmt.Fprintf(os.Stdout, \"Container %s started\\n\", info.Labels[labels.Name])\n\t\t\treturn err\n\t\t})\n\t}\n\n\treturn eg.Wait()\n}\n" }, { "path": "cmd/nerdctl/compose/compose_start_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"fmt\"\n\t\"regexp\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestComposeStart(t *testing.T) {\n\tvar dockerComposeYAML = fmt.Sprintf(`\nservices:\n svc0:\n image: %s\n command: \"sleep infinity\"\n svc1:\n image: %s\n command: \"sleep infinity\"\n`, testutil.CommonImage, testutil.CommonImage)\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"down\")\n\t}\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tdata.Temp().Save(dockerComposeYAML, \"compose.yaml\")\n\t\thelpers.Ensure(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"up\", \"-d\")\n\t\thelpers.Ensure(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"start\")\n\t\thelpers.Ensure(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"stop\", \"--timeout\", \"1\", \"svc0\")\n\t\thelpers.Ensure(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"kill\", \"svc1\")\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"start\")\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tExitCode: 0,\n\t\t\tErrors: nil,\n\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\tsvc0 := helpers.Capture(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"ps\", \"svc0\")\n\t\t\t\tsvc1 := helpers.Capture(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"ps\", \"svc1\")\n\t\t\t\tcomp := expect.Match(regexp.MustCompile(\"Up|running\"))\n\t\t\t\tcomp(svc0, t)\n\t\t\t\tcomp(svc1, t)\n\t\t\t},\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeStartFailWhenServicePause(t *testing.T) {\n\tvar dockerComposeYAML = fmt.Sprintf(`\nservices:\n svc0:\n image: %s\n command: \"sleep infinity\"\n`, testutil.CommonImage)\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = nerdtest.CGroup\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"down\")\n\t}\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tdata.Temp().Save(dockerComposeYAML, \"compose.yaml\")\n\t\thelpers.Ensure(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"up\", \"-d\")\n\t\thelpers.Ensure(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"pause\", \"svc0\")\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"start\")\n\t}\n\n\ttestCase.Expected = test.Expects(expect.ExitCodeGenericFail, nil, nil)\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_stop.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/compose\"\n\t\"github.com/containerd/nerdctl/v2/pkg/composer\"\n)\n\nfunc stopCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"stop [flags] [SERVICE...]\",\n\t\tShort: \"Stop running containers without removing them.\",\n\t\tRunE: stopAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().UintP(\"timeout\", \"t\", 10, \"Seconds to wait for stop before killing them\")\n\treturn cmd\n}\n\nfunc stopAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tvar opt composer.StopOptions\n\n\tif cmd.Flags().Changed(\"timeout\") {\n\t\ttimeValue, err := cmd.Flags().GetUint(\"timeout\")\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\topt.Timeout = &timeValue\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\toptions, err := getComposeOptions(cmd, globalOptions.DebugFull, globalOptions.Experimental)\n\tif err != nil {\n\t\treturn err\n\t}\n\tc, err := compose.New(client, globalOptions, options, cmd.OutOrStdout(), cmd.ErrOrStderr())\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn c.Stop(ctx, opt, args)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_stop_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"fmt\"\n\t\"regexp\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestComposeStop(t *testing.T) {\n\tvar dockerComposeYAML = fmt.Sprintf(`\nservices:\n\n wordpress:\n image: %s\n environment:\n WORDPRESS_DB_HOST: db\n WORDPRESS_DB_USER: exampleuser\n WORDPRESS_DB_PASSWORD: examplepass\n WORDPRESS_DB_NAME: exampledb\n volumes:\n - wordpress:/var/www/html\n\n db:\n image: %s\n environment:\n MYSQL_DATABASE: exampledb\n MYSQL_USER: exampleuser\n MYSQL_PASSWORD: examplepass\n MYSQL_RANDOM_ROOT_PASSWORD: '1'\n volumes:\n - db:/var/lib/mysql\n\nvolumes:\n wordpress:\n db:\n`, testutil.WordpressImage, testutil.MariaDBImage)\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tdata.Temp().Save(dockerComposeYAML, \"compose.yaml\")\n\t\thelpers.Ensure(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"up\", \"-d\")\n\t\tdata.Labels().Set(\"yamlPath\", data.Temp().Path(\"compose.yaml\"))\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"down\")\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"stop db\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"compose\", \"-f\", data.Labels().Get(\"yamlPath\"), \"stop\", \"db\")\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"yamlPath\"), \"ps\", \"db\", \"-a\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Match(regexp.MustCompile(\"Exit|exited\"))),\n\t\t},\n\t\t{\n\t\t\tDescription: \"wordpress is still running\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"yamlPath\"), \"ps\", \"wordpress\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Match(regexp.MustCompile(\"Up|running\"))),\n\t\t},\n\t\t{\n\t\t\tDescription: \"stop wordpress\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"compose\", \"-f\", data.Labels().Get(\"yamlPath\"), \"stop\", \"--timeout\", \"5\", \"wordpress\")\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"yamlPath\"), \"ps\", \"wordpress\", \"-a\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Match(regexp.MustCompile(\"Exit|exited\"))),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n)\n\nfunc TestMain(m *testing.M) {\n\ttestutil.M(m)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_top.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/spf13/cobra\"\n\n\tcontainerd \"github.com/containerd/containerd/v2/client\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/compose\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n\t\"github.com/containerd/nerdctl/v2/pkg/containerutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/labels\"\n)\n\nfunc topCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"top [SERVICE...]\",\n\t\tShort: \"Display the running processes of service containers\",\n\t\tRunE: topAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t\tDisableFlagsInUseLine: true,\n\t}\n\treturn cmd\n}\n\nfunc topAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\toptions, err := getComposeOptions(cmd, globalOptions.DebugFull, globalOptions.Experimental)\n\tif err != nil {\n\t\treturn err\n\t}\n\tc, err := compose.New(client, globalOptions, options, cmd.OutOrStdout(), cmd.ErrOrStderr())\n\tif err != nil {\n\t\treturn err\n\t}\n\tserviceNames, err := c.ServiceNames(args...)\n\tif err != nil {\n\t\treturn err\n\t}\n\tcontainers, err := c.Containers(ctx, serviceNames...)\n\tif err != nil {\n\t\treturn err\n\t}\n\tstdout := cmd.OutOrStdout()\n\tfor _, c := range containers {\n\t\tcStatus, err := containerutil.ContainerStatus(ctx, c)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif cStatus.Status != containerd.Running {\n\t\t\tcontinue\n\t\t}\n\n\t\tinfo, err := c.Info(ctx, containerd.WithoutRefreshedMetadata)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfmt.Fprintln(stdout, info.Labels[labels.Name])\n\t\t// `compose ps` uses empty ps args\n\t\terr = container.Top(ctx, client, []string{c.ID()}, types.ContainerTopOptions{\n\t\t\tStdout: cmd.OutOrStdout(),\n\t\t\tGOptions: globalOptions,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfmt.Fprintln(stdout)\n\t}\n\n\treturn nil\n}\n" }, { "path": "cmd/nerdctl/compose/compose_top_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"fmt\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestComposeTop(t *testing.T) {\n\tvar dockerComposeYAML = fmt.Sprintf(`\nservices:\n svc0:\n image: %s\n command: \"sleep infinity\"\n svc1:\n image: %s\n`, testutil.CommonImage, testutil.NginxAlpineImage)\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = require.All(nerdtest.CgroupsAccessible)\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tdata.Temp().Save(dockerComposeYAML, \"compose.yaml\")\n\t\thelpers.Ensure(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"up\", \"-d\")\n\t\tdata.Labels().Set(\"yamlPath\", data.Temp().Path(\"compose.yaml\"))\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"down\")\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"svc0 contains sleep infinity\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"yamlPath\"), \"top\", \"svc0\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"sleep infinity\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"svc1 contains sleep nginx\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"yamlPath\"), \"top\", \"svc1\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"nginx\")),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_up.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/compose\"\n\t\"github.com/containerd/nerdctl/v2/pkg/composer\"\n)\n\nfunc upCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"up [flags] [SERVICE...]\",\n\t\tShort: \"Create and start containers\",\n\t\tRunE: upAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().Bool(\"abort-on-container-exit\", false, \"Stops all containers if any container was stopped. Incompatible with -d.\")\n\tcmd.Flags().BoolP(\"detach\", \"d\", false, \"Detached mode: Run containers in the background. Incompatible with --abort-on-container-exit.\")\n\tcmd.Flags().Bool(\"no-build\", false, \"Don't build an image, even if it's missing.\")\n\tcmd.Flags().Bool(\"no-color\", false, \"Produce monochrome output\")\n\tcmd.Flags().Bool(\"no-log-prefix\", false, \"Don't print prefix in logs\")\n\tcmd.Flags().Bool(\"build\", false, \"Build images before starting containers.\")\n\tcmd.Flags().Bool(\"ipfs\", false, \"Allow pulling base images from IPFS during build\")\n\tcmd.Flags().Bool(\"quiet-pull\", false, \"Pull without printing progress information\")\n\tcmd.Flags().Bool(\"remove-orphans\", false, \"Remove containers for services not defined in the Compose file.\")\n\tcmd.Flags().Bool(\"force-recreate\", false, \"Recreate containers even if their configuration and image haven't changed.\")\n\tcmd.Flags().Bool(\"no-recreate\", false, \"Don't recreate containers if they exist, conflict with --force-recreate.\")\n\tcmd.Flags().StringArray(\"scale\", []string{}, \"Scale SERVICE to NUM instances. Overrides the `scale` setting in the Compose file if present.\")\n\tcmd.Flags().String(\"pull\", \"\", \"Pull image before running (\\\"always\\\"|\\\"missing\\\"|\\\"never\\\")\")\n\treturn cmd\n}\n\nfunc upAction(cmd *cobra.Command, services []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdetach, err := cmd.Flags().GetBool(\"detach\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tabortOnContainerExit, err := cmd.Flags().GetBool(\"abort-on-container-exit\")\n\tif detach && abortOnContainerExit {\n\t\treturn fmt.Errorf(\"--abort-on-container-exit flag is incompatible with flag --detach\")\n\t}\n\tif err != nil {\n\t\treturn err\n\t}\n\tnoBuild, err := cmd.Flags().GetBool(\"no-build\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tnoColor, err := cmd.Flags().GetBool(\"no-color\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tnoLogPrefix, err := cmd.Flags().GetBool(\"no-log-prefix\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tbuild, err := cmd.Flags().GetBool(\"build\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tif build && noBuild {\n\t\treturn errors.New(\"--build and --no-build can not be combined\")\n\t}\n\tenableIPFS, err := cmd.Flags().GetBool(\"ipfs\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tquietPull, err := cmd.Flags().GetBool(\"quiet-pull\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tpull, err := cmd.Flags().GetString(\"pull\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tremoveOrphans, err := cmd.Flags().GetBool(\"remove-orphans\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tscaleSlice, err := cmd.Flags().GetStringArray(\"scale\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tforceRecreate, err := cmd.Flags().GetBool(\"force-recreate\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tnoRecreate, err := cmd.Flags().GetBool(\"no-recreate\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tif forceRecreate && noRecreate {\n\t\treturn errors.New(\"flag --force-recreate and --no-recreate cannot be specified together\")\n\t}\n\tscale := make(map[string]int)\n\tfor _, s := range scaleSlice {\n\t\tparts := strings.Split(s, \"=\")\n\t\tif len(parts) != 2 {\n\t\t\treturn fmt.Errorf(\"invalid --scale option %q. Should be SERVICE=NUM\", s)\n\t\t}\n\t\treplicas, err := strconv.Atoi(parts[1])\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tscale[parts[0]] = replicas\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\toptions, err := getComposeOptions(cmd, globalOptions.DebugFull, globalOptions.Experimental)\n\tif err != nil {\n\t\treturn err\n\t}\n\toptions.Services = services\n\tc, err := compose.New(client, globalOptions, options, cmd.OutOrStdout(), cmd.ErrOrStderr())\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tuo := composer.UpOptions{\n\t\tAbortOnContainerExit: abortOnContainerExit,\n\t\tDetach: detach,\n\t\tNoBuild: noBuild,\n\t\tNoColor: noColor,\n\t\tNoLogPrefix: noLogPrefix,\n\t\tForceBuild: build,\n\t\tIPFS: enableIPFS,\n\t\tQuietPull: quietPull,\n\t\tRemoveOrphans: removeOrphans,\n\t\tScale: scale,\n\t\tPull: pull,\n\t\tForceRecreate: forceRecreate,\n\t\tNoRecreate: noRecreate,\n\t}\n\treturn c.Up(ctx, uo, services)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_up_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"path/filepath\"\n\t\"strconv\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/docker/go-connections/nat\"\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/composer/serviceparser\"\n\t\"github.com/containerd/nerdctl/v2/pkg/inspecttypes/dockercompat\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nettestutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/portlock\"\n)\n\nfunc TestComposeUp(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thostPort, err := portlock.Acquire(0)\n\t\tif err != nil {\n\t\t\thelpers.T().Log(fmt.Sprintf(\"Failed to acquire port: %v\", err))\n\t\t\thelpers.T().FailNow()\n\t\t}\n\n\t\tcomposeYAML := fmt.Sprintf(`\nservices:\n wordpress:\n image: %s\n restart: always\n ports:\n - %d:80\n environment:\n WORDPRESS_DB_HOST: db\n WORDPRESS_DB_USER: exampleuser\n WORDPRESS_DB_PASSWORD: examplepass\n WORDPRESS_DB_NAME: exampledb\n volumes:\n - wordpress:/var/www/html\n db:\n image: %s\n restart: always\n environment:\n MYSQL_DATABASE: exampledb\n MYSQL_USER: exampleuser\n MYSQL_PASSWORD: examplepass\n MYSQL_RANDOM_ROOT_PASSWORD: '1'\n volumes:\n - db:/var/lib/mysql\n\nvolumes:\n wordpress:\n db:\n`, testutil.WordpressImage, hostPort, testutil.MariaDBImage)\n\n\t\tcomposePath := data.Temp().Save(composeYAML, \"compose.yaml\")\n\n\t\tprojectName := filepath.Base(filepath.Dir(composePath))\n\t\tt.Logf(\"projectName=%q\", projectName)\n\n\t\twordpressContainerName := serviceparser.DefaultContainerName(projectName, \"wordpress\", \"1\")\n\t\tdbContainerName := serviceparser.DefaultContainerName(projectName, \"db\", \"1\")\n\n\t\tdata.Labels().Set(\"hostPort\", strconv.Itoa(hostPort))\n\t\tdata.Labels().Set(\"composeYAML\", composePath)\n\t\tdata.Labels().Set(\"projectName\", projectName)\n\t\tdata.Labels().Set(\"wordpressContainerName\", wordpressContainerName)\n\t\tdata.Labels().Set(\"dbContainerName\", dbContainerName)\n\n\t\thelpers.Ensure(\"compose\", \"-f\", composePath, \"up\", \"-d\")\n\t\tnerdtest.EnsureContainerStarted(helpers, wordpressContainerName)\n\t\tnerdtest.EnsureContainerStarted(helpers, dbContainerName)\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"ps\")\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tExitCode: 0,\n\t\t\tOutput: expect.All(\n\t\t\t\texpect.Contains(data.Labels().Get(\"wordpressContainerName\")),\n\t\t\t\texpect.Contains(data.Labels().Get(\"dbContainerName\")),\n\t\t\t),\n\t\t}\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tif data.Labels().Get(\"composeYAML\") != \"\" {\n\t\t\thelpers.Anyhow(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"down\", \"-v\")\n\t\t}\n\t\tif p := data.Labels().Get(\"hostPort\"); p != \"\" {\n\t\t\tif port, err := strconv.Atoi(p); err == nil {\n\t\t\t\t_ = portlock.Release(port)\n\t\t\t}\n\t\t}\n\t\tif projectName := data.Labels().Get(\"projectName\"); projectName != \"\" {\n\t\t\thelpers.Command(\"volume\", \"inspect\", fmt.Sprintf(\"%s_db\", projectName)).Run(&test.Expected{ExitCode: 1})\n\t\t\thelpers.Command(\"network\", \"inspect\", fmt.Sprintf(\"%s_default\", projectName)).Run(&test.Expected{ExitCode: 1})\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeUpBuild(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = nerdtest.Build\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thostPort, err := portlock.Acquire(0)\n\t\tif err != nil {\n\t\t\thelpers.T().Log(fmt.Sprintf(\"Failed to acquire port: %v\", err))\n\t\t\thelpers.T().FailNow()\n\t\t}\n\n\t\tcomposeYAML := fmt.Sprintf(`\nservices:\n web:\n build: .\n ports:\n - %d:80\n`, hostPort)\n\t\tdockerfile := fmt.Sprintf(`FROM %s\nCOPY index.html /usr/share/nginx/html/index.html\n`, testutil.NginxAlpineImage)\n\t\tindexHTML := data.Identifier(\"indexHTML\")\n\n\t\tcomposePath := data.Temp().Save(composeYAML, \"compose.yaml\")\n\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\tdata.Temp().Save(indexHTML, \"index.html\")\n\n\t\tprojectName := filepath.Base(filepath.Dir(composePath))\n\t\tt.Logf(\"projectName=%q\", projectName)\n\n\t\tdata.Labels().Set(\"hostPort\", strconv.Itoa(hostPort))\n\t\tdata.Labels().Set(\"composeYAML\", composePath)\n\t\tdata.Labels().Set(\"indexHTML\", data.Temp().Path(\"index.html\"))\n\n\t\thelpers.Ensure(\"compose\", \"-f\", composePath, \"up\", \"-d\", \"--build\")\n\t\tnerdtest.EnsureContainerStarted(helpers, serviceparser.DefaultContainerName(projectName, \"web\", \"1\"))\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"HTTP request to the web container\",\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\thost := fmt.Sprintf(\"http://127.0.0.1:%s\", data.Labels().Get(\"hostPort\"))\n\t\t\t\t\t\tresp, err := nettestutil.HTTPGet(host, 5, false)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t\trespBody, err := io.ReadAll(resp.Body)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t\tt.Log(fmt.Sprintf(\"respBody=%q\", respBody))\n\t\t\t\t\t\tassert.Assert(t, strings.Contains(string(respBody), data.Labels().Get(\"indexHTML\")))\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tif data.Labels().Get(\"composeYAML\") != \"\" {\n\t\t\thelpers.Anyhow(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"down\", \"-v\")\n\t\t}\n\t\thelpers.Anyhow(\"builder\", \"prune\", \"--all\", \"--force\")\n\t\tif portStr := data.Labels().Get(\"hostPort\"); portStr != \"\" {\n\t\t\tport, _ := strconv.Atoi(portStr)\n\t\t\t_ = portlock.Release(port)\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeUpNetWithStaticIP(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = require.All(\n\t\trequire.Not(nerdtest.Rootless),\n\t)\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tstaticIP := \"10.4.255.254\"\n\t\tsubnet := \"10.4.255.0/24\"\n\t\tvar composeYAML = fmt.Sprintf(`\nservices:\n svc0:\n image: %s\n networks:\n net0:\n ipv4_address: %s\n\nnetworks:\n net0:\n ipam:\n config:\n - subnet: %s\n`, testutil.NginxAlpineImage, staticIP, subnet)\n\n\t\tcomposePath := data.Temp().Save(composeYAML, \"compose.yaml\")\n\n\t\tprojectName := filepath.Base(filepath.Dir(composePath))\n\t\tt.Logf(\"projectName=%q\", projectName)\n\n\t\tcontainerName := serviceparser.DefaultContainerName(projectName, \"svc0\", \"1\")\n\n\t\tdata.Labels().Set(\"staticIP\", staticIP)\n\t\tdata.Labels().Set(\"composeYAML\", composePath)\n\t\tdata.Labels().Set(\"containerName\", containerName)\n\n\t\thelpers.Ensure(\"compose\", \"-f\", composePath, \"up\", \"-d\")\n\t\tnerdtest.EnsureContainerStarted(helpers, containerName)\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"static IP is assigned to container\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"inspect\", data.Labels().Get(\"containerName\"), \"--format\", \"\\\"{{range .NetworkSettings.Networks}} {{.IPAddress}}{{end}}\\\"\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tassert.Assert(t, strings.Contains(stdout, data.Labels().Get(\"staticIP\")))\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tif data.Labels().Get(\"composeYAML\") != \"\" {\n\t\t\thelpers.Anyhow(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"down\", \"-v\")\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeUpMultiNet(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tvar composeYAML = fmt.Sprintf(`\nservices:\n svc0:\n image: %s\n networks:\n - net0\n - net1\n - net2\n svc1:\n image: %s\n networks:\n - net0\n - net1\n svc2:\n image: %s\n networks:\n - net2\n\nnetworks:\n net0: {}\n net1: {}\n net2: {}\n`, testutil.NginxAlpineImage, testutil.NginxAlpineImage, testutil.NginxAlpineImage)\n\n\t\tcomposePath := data.Temp().Save(composeYAML, \"compose.yaml\")\n\n\t\tprojectName := filepath.Base(filepath.Dir(composePath))\n\t\tt.Logf(\"projectName=%q\", projectName)\n\n\t\tsvc0 := serviceparser.DefaultContainerName(projectName, \"svc0\", \"1\")\n\t\tsvc1 := serviceparser.DefaultContainerName(projectName, \"svc1\", \"1\")\n\t\tsvc2 := serviceparser.DefaultContainerName(projectName, \"svc2\", \"1\")\n\n\t\tdata.Labels().Set(\"composeYAML\", composePath)\n\t\tdata.Labels().Set(\"svc0\", svc0)\n\t\tdata.Labels().Set(\"svc1\", svc1)\n\t\tdata.Labels().Set(\"svc2\", svc2)\n\n\t\thelpers.Ensure(\"compose\", \"-f\", composePath, \"up\", \"-d\")\n\t\tnerdtest.EnsureContainerStarted(helpers, svc0)\n\t\tnerdtest.EnsureContainerStarted(helpers, svc1)\n\t\tnerdtest.EnsureContainerStarted(helpers, svc2)\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"svc0 can ping itself\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"exec\", data.Labels().Get(\"svc0\"), \"ping\", \"-c\", \"1\", \"svc0\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"svc0 can ping svc1\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"exec\", data.Labels().Get(\"svc0\"), \"ping\", \"-c\", \"1\", \"svc1\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"svc0 can ping svc2\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"exec\", data.Labels().Get(\"svc0\"), \"ping\", \"-c\", \"1\", \"svc2\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"svc1 can ping svc0\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"exec\", data.Labels().Get(\"svc1\"), \"ping\", \"-c\", \"1\", \"svc0\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"svc2 can ping svc0\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"exec\", data.Labels().Get(\"svc2\"), \"ping\", \"-c\", \"1\", \"svc0\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"svc1 cannot ping svc2\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"exec\", data.Labels().Get(\"svc1\"), \"ping\", \"-c\", \"1\", \"svc2\")\n\t\t\t},\n\t\t\tExpected: test.Expects(1, nil, nil),\n\t\t},\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tif data.Labels().Get(\"composeYAML\") != \"\" {\n\t\t\thelpers.Anyhow(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"down\", \"-v\")\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeUpOsEnvVar(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Env = map[string]string{\n\t\t\"ADDRESS\": \"0.0.0.0\",\n\t}\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tconst containerName = \"nginxAlpine\"\n\n\t\thostPort, err := portlock.Acquire(0)\n\t\tif err != nil {\n\t\t\thelpers.T().Log(fmt.Sprintf(\"Failed to acquire port: %v\", err))\n\t\t\thelpers.T().FailNow()\n\t\t}\n\n\t\tvar composeYAML = fmt.Sprintf(`\nservices:\n svc1:\n image: %s\n container_name: %s\n ports:\n - ${ADDRESS:-127.0.0.1}:%d:80\n`, testutil.NginxAlpineImage, containerName, hostPort)\n\n\t\tcomposePath := data.Temp().Save(composeYAML, \"compose.yaml\")\n\n\t\tprojectName := filepath.Base(filepath.Dir(composePath))\n\t\tt.Logf(\"projectName=%q\", projectName)\n\n\t\tdata.Labels().Set(\"containerName\", containerName)\n\t\tdata.Labels().Set(\"hostPort\", strconv.Itoa(hostPort))\n\t\tdata.Labels().Set(\"composeYAML\", composePath)\n\n\t\thelpers.Ensure(\"compose\", \"-f\", composePath, \"up\", \"-d\")\n\t\tnerdtest.EnsureContainerStarted(helpers, containerName)\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"container\", \"inspect\", data.Labels().Get(\"containerName\"))\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tExitCode: 0,\n\t\t\tOutput: expect.JSON([]dockercompat.Container{}, func(dc []dockercompat.Container, t tig.T) {\n\t\t\t\tassert.Equal(t, 1, len(dc), \"unexpected number of containers\")\n\t\t\t\tinspect80TCP := (*dc[0].NetworkSettings.Ports)[\"80/tcp\"]\n\t\t\t\tassert.Assert(t, len(inspect80TCP) > 0, \"no host bindings for 80/tcp\")\n\t\t\t\texpected := nat.PortBinding{\n\t\t\t\t\tHostIP: \"0.0.0.0\",\n\t\t\t\t\tHostPort: data.Labels().Get(\"hostPort\"),\n\t\t\t\t}\n\t\t\t\tassert.Equal(t, expected, inspect80TCP[0])\n\t\t\t}),\n\t\t}\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tif data.Labels().Get(\"composeYAML\") != \"\" {\n\t\t\thelpers.Anyhow(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"down\", \"-v\")\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeUpDotEnvFile(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tvar composeYAML = `\nservices:\n svc3:\n image: ghcr.io/stargz-containers/nginx:$TAG\n`\n\n\t\tcomposePath := data.Temp().Save(composeYAML, \"compose.yaml\")\n\t\tdata.Temp().Save(`TAG=1.19-alpine-org`, \".env\")\n\n\t\tprojectName := filepath.Base(filepath.Dir(composePath))\n\t\tt.Logf(\"projectName=%q\", projectName)\n\n\t\tdata.Labels().Set(\"composeYAML\", composePath)\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"up\", \"-d\")\n\t}\n\n\ttestCase.Expected = test.Expects(0, nil, nil)\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"down\", \"-v\")\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeUpEnvFileNotFoundError(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tvar composeYAML = `\nservices:\n svc4:\n image: ghcr.io/stargz-containers/nginx:$TAG\n`\n\n\t\tcomposePath := data.Temp().Save(composeYAML, \"compose.yaml\")\n\t\tdata.Temp().Save(`TAG=1.19-alpine-org`, \"envFile\")\n\n\t\tprojectName := filepath.Base(filepath.Dir(composePath))\n\t\tt.Logf(\"projectName=%q\", projectName)\n\n\t\tdata.Labels().Set(\"composeYAML\", composePath)\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t// env-file is relative to the current working directory and not the project directory\n\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"--env-file\", \"envFile\", \"up\", \"-d\")\n\t}\n\n\ttestCase.Expected = test.Expects(1, nil, nil)\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"down\", \"-v\")\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeUpWithScale(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tvar composeYAML = fmt.Sprintf(`\nservices:\n test:\n image: %s\n command: \"sleep infinity\"\n`, testutil.CommonImage)\n\n\t\tcomposePath := data.Temp().Save(composeYAML, \"compose.yaml\")\n\n\t\tprojectName := filepath.Base(filepath.Dir(composePath))\n\t\tt.Logf(\"projectName=%q\", projectName)\n\n\t\ttest1 := serviceparser.DefaultContainerName(projectName, \"test\", \"1\")\n\t\ttest2 := serviceparser.DefaultContainerName(projectName, \"test\", \"2\")\n\n\t\tdata.Labels().Set(\"composeYAML\", composePath)\n\t\tdata.Labels().Set(\"test1\", test1)\n\t\tdata.Labels().Set(\"test2\", test2)\n\n\t\thelpers.Ensure(\"compose\", \"-f\", composePath, \"up\", \"-d\", \"--scale\", \"test=2\")\n\t\tnerdtest.EnsureContainerStarted(helpers, test1)\n\t\tnerdtest.EnsureContainerStarted(helpers, test2)\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"ps\")\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tExitCode: 0,\n\t\t\tOutput: expect.All(\n\t\t\t\texpect.Contains(data.Labels().Get(\"test1\")),\n\t\t\t\texpect.Contains(data.Labels().Get(\"test2\")),\n\t\t\t),\n\t\t}\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tif data.Labels().Get(\"composeYAML\") != \"\" {\n\t\t\thelpers.Anyhow(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"down\", \"-v\")\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeIPAMConfig(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tvar composeYAML = fmt.Sprintf(`\nservices:\n foo:\n image: %s\n command: \"sleep infinity\"\n\nnetworks:\n default:\n ipam:\n config:\n - subnet: 10.1.100.0/24\n`, testutil.CommonImage)\n\n\t\tcomposePath := data.Temp().Save(composeYAML, \"compose.yaml\")\n\n\t\tprojectName := filepath.Base(filepath.Dir(composePath))\n\t\tt.Logf(\"projectName=%q\", projectName)\n\n\t\tfooContainer := serviceparser.DefaultContainerName(projectName, \"foo\", \"1\")\n\n\t\tdata.Labels().Set(\"composeYAML\", composePath)\n\t\tdata.Labels().Set(\"fooContainer\", fooContainer)\n\n\t\thelpers.Ensure(\"compose\", \"-f\", composePath, \"up\", \"-d\")\n\t\tnerdtest.EnsureContainerStarted(helpers, fooContainer)\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"inspect\", \"-f\", \"{{json .NetworkSettings.Networks }}\", data.Labels().Get(\"fooContainer\"))\n\t}\n\n\ttestCase.Expected = test.Expects(0, nil, expect.Contains(\"10.1.100.\"))\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tif data.Labels().Get(\"composeYAML\") != \"\" {\n\t\t\thelpers.Anyhow(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"down\", \"-v\")\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeUpRemoveOrphans(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tvar (\n\t\t\tdockerComposeYAMLOrphan = fmt.Sprintf(`\nservices:\n test:\n image: %s\n command: \"sleep infinity\"\n`, testutil.CommonImage)\n\n\t\t\tdockerComposeYAMLFull = fmt.Sprintf(`\n%s\n orphan:\n image: %s\n command: \"sleep infinity\"\n`, dockerComposeYAMLOrphan, testutil.CommonImage)\n\t\t)\n\n\t\tcomposeOrphanPath := data.Temp().Save(dockerComposeYAMLOrphan, \"compose-orphan.yaml\")\n\t\tcomposeFullPath := data.Temp().Save(dockerComposeYAMLFull, \"compose-full.yaml\")\n\n\t\tprojectName := data.Identifier(\"project\")\n\t\tt.Logf(\"projectName=%q\", projectName)\n\n\t\ttestContainer := serviceparser.DefaultContainerName(projectName, \"test\", \"1\")\n\t\torphanContainer := serviceparser.DefaultContainerName(projectName, \"orphan\", \"1\")\n\n\t\tdata.Labels().Set(\"composeOrphanPath\", composeOrphanPath)\n\t\tdata.Labels().Set(\"composeFullPath\", composeFullPath)\n\t\tdata.Labels().Set(\"projectName\", projectName)\n\t\tdata.Labels().Set(\"orphanContainer\", orphanContainer)\n\n\t\thelpers.Ensure(\"compose\", \"-p\", projectName, \"-f\", composeFullPath, \"up\", \"-d\")\n\t\thelpers.Ensure(\"compose\", \"-p\", projectName, \"-f\", composeOrphanPath, \"up\", \"-d\")\n\t\tnerdtest.EnsureContainerStarted(helpers, testContainer)\n\t\tnerdtest.EnsureContainerStarted(helpers, orphanContainer)\n\n\t\thelpers.Command(\"compose\", \"-p\", projectName, \"-f\", composeFullPath, \"ps\").Run(\n\t\t\t&test.Expected{\n\t\t\t\tExitCode: 0,\n\t\t\t\tOutput: expect.Contains(orphanContainer),\n\t\t\t},\n\t\t)\n\t\thelpers.Ensure(\"compose\", \"-p\", projectName, \"-f\", composeOrphanPath, \"up\", \"-d\", \"--remove-orphans\")\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"compose\", \"-p\", data.Labels().Get(\"projectName\"), \"-f\", data.Labels().Get(\"composeFullPath\"), \"ps\")\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tExitCode: 0,\n\t\t\tOutput: expect.DoesNotContain(data.Labels().Get(\"orphanContainer\")),\n\t\t}\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tif data.Labels().Get(\"composeOrphanPath\") != \"\" {\n\t\t\thelpers.Anyhow(\"compose\", \"-p\", data.Labels().Get(\"projectName\"), \"-f\", data.Labels().Get(\"composeOrphanPath\"), \"down\", \"-v\")\n\t\t}\n\t\tif data.Labels().Get(\"composeFullPath\") != \"\" {\n\t\t\thelpers.Anyhow(\"compose\", \"-p\", data.Labels().Get(\"projectName\"), \"-f\", data.Labels().Get(\"composeFullPath\"), \"down\", \"-v\")\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeUpIdempotent(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tcomposeYAML := fmt.Sprintf(`\nservices:\n test:\n image: %s\n command: \"sleep infinity\"\n`, testutil.CommonImage)\n\n\t\tcomposePath := data.Temp().Save(composeYAML, \"compose.yaml\")\n\n\t\tprojectName := filepath.Base(filepath.Dir(composePath))\n\t\tt.Logf(\"projectName=%q\", projectName)\n\n\t\tdata.Labels().Set(\"composeYAML\", composePath)\n\n\t\thelpers.Ensure(\"compose\", \"-f\", composePath, \"up\", \"-d\")\n\t\tnerdtest.EnsureContainerStarted(helpers, serviceparser.DefaultContainerName(projectName, \"test\", \"1\"))\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"up\", \"-d\")\n\t}\n\n\ttestCase.Expected = test.Expects(0, nil, nil)\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tif data.Labels().Get(\"composeYAML\") != \"\" {\n\t\t\thelpers.Anyhow(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"down\", \"-v\")\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeUpNoRecreateDependencies(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tvar composeYAML = fmt.Sprintf(`\nservices:\n foo:\n image: %s\n command: \"sleep infinity\"\n bar:\n image: %s\n command: \"sleep infinity\"\n depends_on:\n - foo\n`, testutil.CommonImage, testutil.CommonImage)\n\n\t\tcomposePath := data.Temp().Save(composeYAML, \"compose.yaml\")\n\n\t\tprojectName := filepath.Base(filepath.Dir(composePath))\n\t\tt.Logf(\"projectName=%q\", projectName)\n\n\t\tfooContainer := serviceparser.DefaultContainerName(projectName, \"foo\", \"1\")\n\t\tbarContainer := serviceparser.DefaultContainerName(projectName, \"bar\", \"1\")\n\n\t\tdata.Labels().Set(\"composeYAML\", composePath)\n\t\tdata.Labels().Set(\"projectName\", projectName)\n\t\tdata.Labels().Set(\"fooContainer\", fooContainer)\n\t\tdata.Labels().Set(\"barContainer\", barContainer)\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"foo is not recreated when starting bar\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"up\", \"-d\", \"foo\")\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Labels().Get(\"fooContainer\"))\n\n\t\t\t\thelpers.Command(\"inspect\", data.Labels().Get(\"fooContainer\"), \"--format\", \"{{.Id}}\").Run(\n\t\t\t\t\t&test.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\tdata.Labels().Set(\"fooContainerID\", strings.TrimSpace(stdout))\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t)\n\n\t\t\t\t// Bring up dependent service; ensure foo is not recreated (ID unchanged)\n\t\t\t\thelpers.Ensure(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"up\", \"-d\", \"bar\")\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Labels().Get(\"barContainer\"))\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"inspect\", data.Labels().Get(\"fooContainer\"), \"--format\", \"{{.Id}}\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tassert.Equal(t, strings.TrimSpace(stdout), data.Labels().Get(\"fooContainerID\"))\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tif data.Labels().Get(\"composeYAML\") != \"\" {\n\t\t\thelpers.Anyhow(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"down\", \"-v\")\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeUpWithExternalNetwork(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tvar dockerComposeYaml1 = fmt.Sprintf(`\nservices:\n %s:\n image: %s\n container_name: %s\n networks:\n %s:\n aliases:\n - nginx-1\nnetworks:\n %s:\n external: true\n`, data.Identifier(\"con-1\"), testutil.NginxAlpineImage, data.Identifier(\"con-1\"), data.Identifier(\"network\"), data.Identifier(\"network\"))\n\t\tvar dockerComposeYaml2 = fmt.Sprintf(`\nservices:\n %s:\n image: %s\n container_name: %s\n networks:\n %s:\n aliases:\n - nginx-2\nnetworks:\n %s:\n external: true\n`, data.Identifier(\"con-2\"), testutil.NginxAlpineImage, data.Identifier(\"con-2\"), data.Identifier(\"network\"), data.Identifier(\"network\"))\n\t\ttmp := data.Temp()\n\n\t\ttmp.Save(dockerComposeYaml1, \"project-1\", \"compose.yaml\")\n\t\ttmp.Save(dockerComposeYaml2, \"project-2\", \"compose.yaml\")\n\n\t\thelpers.Ensure(\"network\", \"create\", data.Identifier(\"network\"))\n\t\thelpers.Ensure(\"compose\", \"-f\", tmp.Path(\"project-1\", \"compose.yaml\"), \"up\", \"-d\")\n\t\thelpers.Ensure(\"compose\", \"-f\", tmp.Path(\"project-2\", \"compose.yaml\"), \"up\", \"-d\")\n\t\thelpers.Ensure(\"compose\", \"-f\", tmp.Path(\"project-2\", \"compose.yaml\"), \"down\", \"-v\")\n\t\thelpers.Ensure(\"compose\", \"-f\", tmp.Path(\"project-2\", \"compose.yaml\"), \"up\", \"-d\")\n\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier(\"con-2\"))\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\thelpers.Ensure(\"exec\", data.Identifier(\"con-1\"), \"cat\", \"/etc/hosts\")\n\t\treturn helpers.Command(\"exec\", data.Identifier(\"con-1\"), \"wget\", \"-qO-\", \"http://\"+data.Identifier(\"con-2\"))\n\t}\n\n\ttestCase.Expected = test.Expects(0, nil, expect.Contains(testutil.NginxAlpineIndexHTMLSnippet))\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"compose\", \"-f\", data.Temp().Path(\"project-1\", \"compose.yaml\"), \"down\", \"-v\")\n\t\thelpers.Anyhow(\"compose\", \"-f\", data.Temp().Path(\"project-2\", \"compose.yaml\"), \"down\", \"-v\")\n\t\thelpers.Anyhow(\"network\", \"rm\", data.Identifier(\"network\"))\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeUpWithBypass4netns(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = require.All(\n\t\trequire.Not(nerdtest.Docker),\n\t\tnerdtest.Rootless,\n\t)\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\ttestutil.RequireKernelVersion(t, \">= 5.9.0-0\")\n\t\ttestutil.RequireSystemService(t, \"bypass4netnsd\")\n\n\t\thostPort, err := portlock.Acquire(0)\n\t\tif err != nil {\n\t\t\thelpers.T().Log(fmt.Sprintf(\"Failed to acquire port: %v\", err))\n\t\t\thelpers.T().FailNow()\n\t\t}\n\n\t\tcomposeYAML := fmt.Sprintf(`\nservices:\n wordpress:\n image: %s\n restart: always\n ports:\n - %d:80\n environment:\n WORDPRESS_DB_HOST: db\n WORDPRESS_DB_USER: exampleuser\n WORDPRESS_DB_PASSWORD: examplepass\n WORDPRESS_DB_NAME: exampledb\n volumes:\n - wordpress:/var/www/html\n annotations:\n - nerdctl/bypass4netns=1\n db:\n image: %s\n restart: always\n environment:\n MYSQL_DATABASE: exampledb\n MYSQL_USER: exampleuser\n MYSQL_PASSWORD: examplepass\n MYSQL_RANDOM_ROOT_PASSWORD: '1'\n volumes:\n - db:/var/lib/mysql\n annotations:\n - nerdctl/bypass4netns=1\n\nvolumes:\n wordpress:\n db:\n`, testutil.WordpressImage, hostPort, testutil.MariaDBImage)\n\n\t\tcomposePath := data.Temp().Save(composeYAML, \"compose.yaml\")\n\t\tprojectName := filepath.Base(filepath.Dir(composePath))\n\t\tt.Logf(\"projectName=%q\", projectName)\n\n\t\tdata.Labels().Set(\"hostPort\", strconv.Itoa(hostPort))\n\t\tdata.Labels().Set(\"composeYAML\", composePath)\n\t\tdata.Labels().Set(\"projectName\", projectName)\n\n\t\thelpers.Ensure(\"compose\", \"-f\", composePath, \"up\", \"-d\")\n\t\tnerdtest.EnsureContainerStarted(helpers, serviceparser.DefaultContainerName(projectName, \"wordpress\", \"1\"))\n\t\tnerdtest.EnsureContainerStarted(helpers, serviceparser.DefaultContainerName(projectName, \"db\", \"1\"))\n\n\t\thelpers.Command(\"volume\", \"inspect\", fmt.Sprintf(\"%s_db\", projectName)).Run(&test.Expected{ExitCode: 0})\n\t\thelpers.Command(\"network\", \"inspect\", fmt.Sprintf(\"%s_default\", projectName)).Run(&test.Expected{ExitCode: 0})\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tOutput: func(_ string, tt tig.T) {\n\t\t\t\thost := fmt.Sprintf(\"http://127.0.0.1:%s\", data.Labels().Get(\"hostPort\"))\n\t\t\t\tresp, err := nettestutil.HTTPGet(host, 5, false)\n\t\t\t\tassert.NilError(tt, err)\n\t\t\t\tbody, err := io.ReadAll(resp.Body)\n\t\t\t\tassert.NilError(tt, err)\n\t\t\t\t_ = resp.Body.Close()\n\t\t\t\tassert.Assert(tt, strings.Contains(string(body), testutil.WordpressIndexHTMLSnippet))\n\t\t\t\tt.Log(\"wordpress seems functional\")\n\t\t\t},\n\t\t}\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tif data.Labels().Get(\"composeYAML\") != \"\" {\n\t\t\thelpers.Anyhow(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"down\", \"-v\")\n\t\t}\n\t\tif p := data.Labels().Get(\"hostPort\"); p != \"\" {\n\t\t\tif port, err := strconv.Atoi(p); err == nil {\n\t\t\t\t_ = portlock.Release(port)\n\t\t\t}\n\t\t}\n\n\t\tif projectName := data.Labels().Get(\"projectName\"); projectName != \"\" {\n\t\t\thelpers.Command(\"volume\", \"inspect\", fmt.Sprintf(\"%s_db\", projectName)).Run(&test.Expected{ExitCode: 1})\n\t\t\thelpers.Command(\"network\", \"inspect\", fmt.Sprintf(\"%s_default\", projectName)).Run(&test.Expected{ExitCode: 1})\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeUpProfile(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tserviceRegular := data.Identifier(\"regular\")\n\t\tserviceProfiled := data.Identifier(\"profiled\")\n\n\t\tenvFilePath := data.Temp().Save(`TEST_ENV_INJECTION=WORKS\\n`, \"env.common\")\n\n\t\tcomposeYAML := fmt.Sprintf(`\nservices:\n %s:\n image: %[3]s\n\n %[2]s:\n image: %[3]s\n profiles:\n - test-profile\n env_file:\n - %[4]s\n`, serviceRegular, serviceProfiled, testutil.NginxAlpineImage, envFilePath)\n\n\t\tcomposePath := data.Temp().Save(composeYAML, \"compose.yaml\")\n\n\t\tprojectName := filepath.Base(filepath.Dir(composePath))\n\t\tt.Logf(\"projectName=%q\", projectName)\n\n\t\tdata.Labels().Set(\"serviceRegular\", serviceRegular)\n\t\tdata.Labels().Set(\"serviceProfiled\", serviceProfiled)\n\t\tdata.Labels().Set(\"composeYAML\", composePath)\n\t\tdata.Labels().Set(\"regularContainer\", serviceparser.DefaultContainerName(projectName, serviceRegular, \"1\"))\n\t\tdata.Labels().Set(\"profiledContainer\", serviceparser.DefaultContainerName(projectName, serviceProfiled, \"1\"))\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"with profile\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"--profile\", \"test-profile\", \"up\", \"-d\")\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Labels().Get(\"regularContainer\"))\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Labels().Get(\"profiledContainer\"))\n\n\t\t\t\thelpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"exec\", data.Labels().Get(\"serviceProfiled\"), \"env\").\n\t\t\t\t\tRun(&test.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t\tOutput: expect.Contains(\"TEST_ENV_INJECTION=WORKS\"),\n\t\t\t\t\t})\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"ps\", \"-a\", \"--format={{.Names}}\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\texpect.Contains(data.Labels().Get(\"serviceRegular\")),\n\t\t\t\t\t\texpect.Contains(data.Labels().Get(\"serviceProfiled\")),\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"--profile\", \"test-profile\", \"down\", \"-v\")\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"profiled not started without profile flag\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"up\", \"-d\")\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Labels().Get(\"regularContainer\"))\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"ps\", \"-a\", \"--format={{.Names}}\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\texpect.Contains(data.Labels().Get(\"serviceRegular\")),\n\t\t\t\t\t\texpect.DoesNotContain(data.Labels().Get(\"serviceProfiled\")),\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"down\", \"-v\")\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeUpAbortOnContainerExit(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tserviceRegular := data.Identifier(\"regular\")\n\t\tserviceProfiled := data.Identifier(\"exited\")\n\t\tcomposeYAML := fmt.Sprintf(`\nservices:\n %s:\n image: %s\n %s:\n image: %s\n entrypoint: /bin/sh -c \"exit 1\"\n`, serviceRegular, testutil.NginxAlpineImage, serviceProfiled, testutil.BusyboxImage)\n\n\t\tcomposePath := data.Temp().Save(composeYAML, \"compose.yaml\")\n\t\tprojectName := filepath.Base(filepath.Dir(composePath))\n\t\tt.Logf(\"projectName=%q\", projectName)\n\n\t\tdata.Labels().Set(\"serviceRegular\", serviceRegular)\n\t\tdata.Labels().Set(\"serviceProfiled\", serviceProfiled)\n\t\tdata.Labels().Set(\"composeYAML\", composePath)\n\t\tdata.Labels().Set(\"regularContainer\", serviceparser.DefaultContainerName(projectName, serviceRegular, \"1\"))\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"abort on container exit\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"up\", \"--abort-on-container-exit\").Run(\n\t\t\t\t\t&test.Expected{\n\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t},\n\t\t\t\t)\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"ps\", \"-a\", \"--format={{.Names}}\", \"--filter\", \"status=exited\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\texpect.Contains(data.Labels().Get(\"serviceRegular\")),\n\t\t\t\t\t\texpect.Contains(data.Labels().Get(\"serviceProfiled\")),\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"down\", \"-v\")\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"no abort flag keeps other services running\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"up\", \"-d\")\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Labels().Get(\"regularContainer\"))\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"ps\", \"-a\", \"--format={{.Names}}\", \"--filter\", \"status=exited\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\texpect.DoesNotContain(data.Labels().Get(\"serviceRegular\")),\n\t\t\t\t\t\texpect.Contains(data.Labels().Get(\"serviceProfiled\")),\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"down\", \"-v\")\n\t\t\t},\n\t\t},\n\t\t// in this sub-test we are ensuring that flags '-d' and '--abort-on-container-exit' cannot be ran together\n\t\t{\n\t\t\tDescription: \"flag -d incompatible with --abort-on-container-exit\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"up\", \"-d\", \"--abort-on-container-exit\")\n\t\t\t},\n\t\t\tExpected: test.Expects(1, nil, nil),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeUpPull(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.NoParallel = true\n\ttestCase.Require = nerdtest.Private\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tcomposeYAML := fmt.Sprintf(`\nservices:\n test:\n image: %s\n command: sh -euxc \"echo hi\"\n`, testutil.CommonImage)\n\n\t\tcomposePath := data.Temp().Save(composeYAML, \"compose.yaml\")\n\n\t\tdata.Labels().Set(\"composeYAML\", composePath)\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"pull=missing\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"rmi\", \"-f\", testutil.CommonImage)\n\t\t\t\thelpers.Command(\"images\").Run(\n\t\t\t\t\t&test.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t\tOutput: expect.DoesNotContain(testutil.CommonImage),\n\t\t\t\t\t},\n\t\t\t\t)\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"up\", \"--pull\", \"missing\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"hi\")),\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"down\")\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"pull=always\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"rmi\", \"-f\", testutil.CommonImage)\n\t\t\t\thelpers.Command(\"images\").Run(\n\t\t\t\t\t&test.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t\tOutput: expect.DoesNotContain(testutil.CommonImage),\n\t\t\t\t\t},\n\t\t\t\t)\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"up\", \"--pull\", \"always\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"hi\")),\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"down\")\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"pull=never, no pull\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"rmi\", \"-f\", testutil.CommonImage)\n\t\t\t\thelpers.Command(\"images\").Run(\n\t\t\t\t\t&test.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t\tOutput: expect.DoesNotContain(testutil.CommonImage),\n\t\t\t\t\t},\n\t\t\t\t)\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"up\", \"--pull\", \"never\")\n\t\t\t},\n\t\t\tExpected: test.Expects(1, nil, nil),\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"down\")\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeUpServicePullPolicy(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = nerdtest.Private\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tvar composeYAML = fmt.Sprintf(`\nservices:\n test:\n image: %s\n command: sh -euxc \"echo hi\"\n pull_policy: \"never\"\n`, testutil.CommonImage)\n\n\t\tcomposePath := data.Temp().Save(composeYAML, \"compose.yaml\")\n\n\t\tdata.Labels().Set(\"composeYAML\", composePath)\n\n\t\thelpers.Ensure(\"rmi\", \"-f\", testutil.CommonImage)\n\t\thelpers.Command(\"images\").Run(\n\t\t\t&test.Expected{\n\t\t\t\tExitCode: 0,\n\t\t\t\tOutput: expect.DoesNotContain(testutil.CommonImage),\n\t\t\t},\n\t\t)\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"up\")\n\t}\n\n\ttestCase.Expected = test.Expects(1, nil, nil)\n\n\ttestCase.Run(t)\n}\n\nfunc TestComposeTmpfsVolume(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tcontainerName := data.Identifier(\"tmpfs\")\n\t\tcomposeYAML := fmt.Sprintf(`\nservices:\n tmpfs:\n container_name: %s\n image: %s\n command: sleep infinity\n volumes:\n - type: tmpfs\n target: /target-rw\n tmpfs:\n size: 64m\n - type: tmpfs\n target: /target-ro\n read_only: true\n tmpfs:\n size: 64m\n mode: 0o1770\n`, containerName, testutil.CommonImage)\n\n\t\tcomposeYAMLPath := data.Temp().Save(composeYAML, \"compose.yaml\")\n\n\t\thelpers.Ensure(\"compose\", \"-f\", composeYAMLPath, \"up\", \"-d\")\n\t\tnerdtest.EnsureContainerStarted(helpers, containerName)\n\n\t\tdata.Labels().Set(\"composeYAML\", composeYAMLPath)\n\t\tdata.Labels().Set(\"containerName\", containerName)\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"rw tmpfs mount\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"exec\", data.Labels().Get(\"containerName\"), \"grep\", \"/target-rw\", \"/proc/mounts\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil,\n\t\t\t\texpect.All(\n\t\t\t\t\texpect.Contains(\"/target-rw\"),\n\t\t\t\t\texpect.Contains(\"rw\"),\n\t\t\t\t\texpect.Contains(\"size=65536k\"),\n\t\t\t\t),\n\t\t\t),\n\t\t},\n\t\t{\n\t\t\tDescription: \"ro tmpfs mount with mode\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"exec\", data.Labels().Get(\"containerName\"), \"grep\", \"/target-ro\", \"/proc/mounts\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil,\n\t\t\t\texpect.All(\n\t\t\t\t\texpect.Contains(\"/target-ro\"),\n\t\t\t\t\texpect.Contains(\"ro\"),\n\t\t\t\t\texpect.Contains(\"size=65536k\"),\n\t\t\t\t\texpect.Contains(\"mode=1770\"),\n\t\t\t\t),\n\t\t\t),\n\t\t},\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"compose\", \"-f\", data.Labels().Get(\"composeYAML\"), \"down\")\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_up_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\n// https://github.com/containerd/nerdctl/issues/1942\nfunc TestComposeUpDetailedError(t *testing.T) {\n\tdockerComposeYAML := fmt.Sprintf(`\nservices:\n foo:\n image: %s\n runtime: invalid\n`, testutil.CommonImage)\n\n\ttestCase := nerdtest.Setup()\n\n\t// \"FIXME: test does not work on Windows yet (runtime \\\"io.containerd.runc.v2\\\" binary not installed \\\"containerd-shim-runc-v2.exe\\\": file does not exist)\n\ttestCase.Require = require.Not(require.Windows)\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tdata.Temp().Save(dockerComposeYAML, \"compose.yaml\")\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"up\", \"-d\")\n\t}\n\n\ttestCase.Expected = test.Expects(\n\t\t1,\n\t\t[]error{errors.New(`invalid runtime name`)},\n\t\tnil,\n\t)\n\n\ttestCase.Run(t)\n}\n\n// https://github.com/containerd/nerdctl/issues/1652\nfunc TestComposeUpBindCreateHostPath(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\t// `FIXME: no support for Windows path: (error: \"volume target must be an absolute path, got \\\"/mnt\\\")`\n\ttestCase.Require = require.Not(require.Windows)\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tvar dockerComposeYAML = fmt.Sprintf(`\nservices:\n test:\n image: %s\n command: sh -euxc \"echo hi >/mnt/test\"\n volumes:\n # tempdir/foo should be automatically created\n - %s:/mnt\n`, testutil.CommonImage, data.Temp().Path(\"foo\"))\n\n\t\tdata.Temp().Save(dockerComposeYAML, \"compose.yaml\")\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"up\")\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"compose\", \"-f\", data.Temp().Path(\"compose.yaml\"), \"down\")\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tExitCode: 0,\n\t\t\tErrors: nil,\n\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\tassert.Equal(t, data.Temp().Load(\"foo\", \"test\"), \"hi\\n\")\n\t\t\t},\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/compose/compose_version.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"fmt\"\n\t\"strings\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/version\"\n)\n\nfunc versionCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"version\",\n\t\tShort: \"Show the Compose version information\",\n\t\tArgs: cobra.NoArgs,\n\t\tRunE: versionAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().StringP(\"format\", \"f\", \"pretty\", \"Format the output. Values: [pretty | json]\")\n\tcmd.RegisterFlagCompletionFunc(\"format\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"json\", \"pretty\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\tcmd.Flags().Bool(\"short\", false, \"Shows only Compose's version number\")\n\treturn cmd\n}\n\nfunc versionAction(cmd *cobra.Command, args []string) error {\n\tshort, err := cmd.Flags().GetBool(\"short\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tif short {\n\t\tfmt.Fprintln(cmd.OutOrStdout(), strings.TrimPrefix(version.GetVersion(), \"v\"))\n\t\treturn nil\n\t}\n\n\tformat, err := cmd.Flags().GetString(\"format\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tswitch format {\n\tcase \"pretty\":\n\t\tfmt.Fprintln(cmd.OutOrStdout(), \"nerdctl Compose version \"+version.GetVersion())\n\tcase \"json\":\n\t\tfmt.Fprintf(cmd.OutOrStdout(), \"{\\\"version\\\":\\\"%v\\\"}\\n\", version.Version)\n\tdefault:\n\t\treturn fmt.Errorf(\"format can be either pretty or json, not %v\", format)\n\t}\n\n\treturn nil\n}\n" }, { "path": "cmd/nerdctl/compose/compose_version_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage compose\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestComposeVersion(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Command = test.Command(\"compose\", \"version\")\n\ttestCase.Expected = test.Expects(0, nil, expect.Contains(\"Compose version \"))\n\ttestCase.Run(t)\n}\n\nfunc TestComposeVersionShort(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Command = test.Command(\"compose\", \"version\", \"--short\")\n\ttestCase.Expected = test.Expects(0, nil, nil)\n\ttestCase.Run(t)\n}\n\nfunc TestComposeVersionJson(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Command = test.Command(\"compose\", \"version\", \"--format\", \"json\")\n\ttestCase.Expected = test.Expects(0, nil, expect.Contains(\"{\\\"version\\\":\\\"\"))\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n)\n\nfunc Command() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tAnnotations: map[string]string{helpers.Category: helpers.Management},\n\t\tUse: \"container\",\n\t\tShort: \"Manage containers\",\n\t\tRunE: helpers.UnknownSubcommandAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.AddCommand(\n\t\tCreateCommand(),\n\t\tRunCommand(),\n\t\tUpdateCommand(),\n\t\tExecCommand(),\n\t\tlistCommand(),\n\t\tinspectCommand(),\n\t\tLogsCommand(),\n\t\tPortCommand(),\n\t\tRemoveCommand(),\n\t\tStopCommand(),\n\t\tStartCommand(),\n\t\tRestartCommand(),\n\t\tKillCommand(),\n\t\tPauseCommand(),\n\t\tDiffCommand(),\n\t\tWaitCommand(),\n\t\tUnpauseCommand(),\n\t\tCommitCommand(),\n\t\tRenameCommand(),\n\t\tpruneCommand(),\n\t\tStatsCommand(),\n\t\tAttachCommand(),\n\t\tHealthCheckCommand(),\n\t\tExportCommand(),\n\t)\n\tAddCpCommand(cmd)\n\treturn cmd\n}\n\nfunc listCommand() *cobra.Command {\n\tx := PsCommand()\n\tx.Use = \"ls\"\n\tx.Aliases = []string{\"list\"}\n\treturn x\n}\n" }, { "path": "cmd/nerdctl/container/container_attach.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"io\"\n\n\t\"github.com/spf13/cobra\"\n\n\tcontainerd \"github.com/containerd/containerd/v2/client\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n\t\"github.com/containerd/nerdctl/v2/pkg/consoleutil\"\n)\n\nfunc AttachCommand() *cobra.Command {\n\tconst shortHelp = \"Attach stdin, stdout, and stderr to a running container.\"\n\tconst longHelp = `Attach stdin, stdout, and stderr to a running container. For example:\n\n1. 'nerdctl run -it --name test busybox' to start a container with a pty\n2. 'ctrl-p ctrl-q' to detach from the container\n3. 'nerdctl attach test' to attach to the container\n\nCaveats:\n\n- Currently only one attach session is allowed. When the second session tries to attach, currently no error will be returned from nerdctl.\n However, since behind the scenes, there's only one FIFO for stdin, stdout, and stderr respectively,\n if there are multiple sessions, all the sessions will be reading from and writing to the same 3 FIFOs, which will result in mixed input and partial output.\n- Until dual logging (issue #1946) is implemented,\n a container that is spun up by either 'nerdctl run -d' or 'nerdctl start' (without '--attach') cannot be attached to.`\n\n\tvar cmd = &cobra.Command{\n\t\tUse: \"attach [flags] CONTAINER\",\n\t\tArgs: cobra.ExactArgs(1),\n\t\tShort: shortHelp,\n\t\tLong: longHelp,\n\t\tRunE: attachAction,\n\t\tValidArgsFunction: attachShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().String(\"detach-keys\", consoleutil.DefaultDetachKeys, \"Override the default detach keys\")\n\tcmd.Flags().Bool(\"no-stdin\", false, \"Do not attach STDIN\")\n\treturn cmd\n}\n\nfunc attachOptions(cmd *cobra.Command) (types.ContainerAttachOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ContainerAttachOptions{}, err\n\t}\n\tdetachKeys, err := cmd.Flags().GetString(\"detach-keys\")\n\tif err != nil {\n\t\treturn types.ContainerAttachOptions{}, err\n\t}\n\tnoStdin, err := cmd.Flags().GetBool(\"no-stdin\")\n\tif err != nil {\n\t\treturn types.ContainerAttachOptions{}, err\n\t}\n\n\tvar stdin io.Reader\n\tif !noStdin {\n\t\tstdin = cmd.InOrStdin()\n\t}\n\treturn types.ContainerAttachOptions{\n\t\tGOptions: globalOptions,\n\t\tStdin: stdin,\n\t\tStdout: cmd.OutOrStdout(),\n\t\tStderr: cmd.ErrOrStderr(),\n\t\tDetachKeys: detachKeys,\n\t}, nil\n}\n\nfunc attachAction(cmd *cobra.Command, args []string) error {\n\toptions, err := attachOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn container.Attach(ctx, client, args[0], options)\n}\n\nfunc attachShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\tstatusFilterFn := func(st containerd.ProcessStatus) bool {\n\t\treturn st == containerd.Running\n\t}\n\treturn completion.ContainerNames(cmd, statusFilterFn)\n}\n" }, { "path": "cmd/nerdctl/container/container_attach_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"bytes\"\n\t\"errors\"\n\t\"io\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\n/*\nImportant notes:\n- for both docker and nerdctl, you can run+detach of a container and exit 0, while the container would actually fail starting\n- nerdctl (not docker): on run, detach will race anything on stdin before the detach sequence from reaching the container\n- nerdctl AND docker: on attach ^\n- exit code variants: https://github.com/containerd/nerdctl/issues/3571\n*/\n\nfunc TestAttach(t *testing.T) {\n\t// In nerdctl the detach return code from the container after attach is 0, but in docker the return code is 1.\n\t// This behaviour is reported in https://github.com/containerd/nerdctl/issues/3571\n\tex := 0\n\tif nerdtest.IsDocker() {\n\t\tex = 1\n\t}\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tcmd := helpers.Command(\"run\", \"--rm\", \"-it\", \"--name\", data.Identifier(), testutil.CommonImage)\n\t\tcmd.WithPseudoTTY()\n\t\t// ctrl+p and ctrl+q (see https://en.wikipedia.org/wiki/C0_and_C1_control_codes)\n\t\tcmd.Feed(bytes.NewReader([]byte{16, 17}))\n\n\t\tcmd.Run(&test.Expected{\n\t\t\tExitCode: 0,\n\t\t\tErrors: []error{errors.New(\"read detach keys\")},\n\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\tassert.Assert(t, strings.Contains(helpers.Capture(\"inspect\", \"--format\", \"json\", data.Identifier()), \"\\\"Running\\\":true\"))\n\t\t\t},\n\t\t})\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t// Run interactively and detach\n\t\tcmd := helpers.Command(\"attach\", data.Identifier())\n\n\t\tcmd.WithPseudoTTY()\n\t\tcmd.Feed(strings.NewReader(\"echo mark${NON}mark\\n\"))\n\t\tcmd.WithFeeder(func() io.Reader {\n\t\t\t// Interestingly, and unlike with run, on attach, docker (like nerdctl) ALSO needs a pause so that the\n\t\t\t// container can read stdin before we detach\n\t\t\ttime.Sleep(time.Second)\n\t\t\t// ctrl+p and ctrl+q (see https://en.wikipedia.org/wiki/C0_and_C1_control_codes)\n\t\t\treturn bytes.NewReader([]byte{16, 17})\n\t\t})\n\n\t\treturn cmd\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tExitCode: ex,\n\t\t\tErrors: []error{errors.New(\"read detach keys\")},\n\t\t\tOutput: expect.All(\n\t\t\t\texpect.Contains(\"markmark\"),\n\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\tassert.Assert(t, strings.Contains(helpers.Capture(\"inspect\", \"--format\", \"json\", data.Identifier()), \"\\\"Running\\\":true\"))\n\t\t\t\t},\n\t\t\t),\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestAttachDetachKeys(t *testing.T) {\n\t// In nerdctl the detach return code from the container after attach is 0, but in docker the return code is 1.\n\t// This behaviour is reported in https://github.com/containerd/nerdctl/issues/3571\n\tex := 0\n\tif nerdtest.IsDocker() {\n\t\tex = 1\n\t}\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tcmd := helpers.Command(\"run\", \"--rm\", \"-it\", \"--detach-keys=ctrl-q\", \"--name\", data.Identifier(), testutil.CommonImage)\n\t\tcmd.WithPseudoTTY()\n\t\tcmd.Feed(bytes.NewReader([]byte{17}))\n\n\t\tcmd.Run(&test.Expected{\n\t\t\tExitCode: 0,\n\t\t\tErrors: []error{errors.New(\"read detach keys\")},\n\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\tassert.Assert(t, strings.Contains(helpers.Capture(\"inspect\", \"--format\", \"json\", data.Identifier()), \"\\\"Running\\\":true\"))\n\t\t\t},\n\t\t})\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t// Run interactively and detach\n\t\tcmd := helpers.Command(\"attach\", \"--detach-keys=ctrl-a,ctrl-b\", data.Identifier())\n\t\tcmd.WithPseudoTTY()\n\t\tcmd.Feed(strings.NewReader(\"echo mark${NON}mark\\n\"))\n\t\tcmd.WithFeeder(func() io.Reader {\n\t\t\t// Interestingly, and unlike with run, on attach, docker (like nerdctl) ALSO needs a pause so that the\n\t\t\t// container can read stdin before we detach\n\t\t\ttime.Sleep(time.Second)\n\t\t\t// ctrl+p and ctrl+q (see https://en.wikipedia.org/wiki/C0_and_C1_control_codes)\n\t\t\treturn bytes.NewReader([]byte{1, 2})\n\t\t})\n\n\t\treturn cmd\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tExitCode: ex,\n\t\t\tErrors: []error{errors.New(\"read detach keys\")},\n\t\t\tOutput: expect.All(\n\t\t\t\texpect.Contains(\"markmark\"),\n\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\tassert.Assert(t, strings.Contains(helpers.Capture(\"inspect\", \"--format\", \"json\", data.Identifier()), \"\\\"Running\\\":true\"))\n\t\t\t\t},\n\t\t\t),\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\n// TestIssue3568 tests https://github.com/containerd/nerdctl/issues/3568\nfunc TestAttachForAutoRemovedContainer(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Description = \"Issue #3568 - A container should be deleted when detaching and attaching a container started with the --rm option.\"\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tcmd := helpers.Command(\"run\", \"--rm\", \"-it\", \"--detach-keys=ctrl-a,ctrl-b\", \"--name\", data.Identifier(), testutil.CommonImage)\n\t\tcmd.WithPseudoTTY()\n\t\t// ctrl+a and ctrl+b (see https://en.wikipedia.org/wiki/C0_and_C1_control_codes)\n\t\tcmd.Feed(bytes.NewReader([]byte{1, 2}))\n\n\t\tcmd.Run(&test.Expected{\n\t\t\tExitCode: 0,\n\t\t\tErrors: []error{errors.New(\"read detach keys\")},\n\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\tassert.Assert(t, strings.Contains(helpers.Capture(\"inspect\", \"--format\", \"json\", data.Identifier()), \"\\\"Running\\\":true\"))\n\t\t\t},\n\t\t})\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t// Run interactively and detach\n\t\tcmd := helpers.Command(\"attach\", data.Identifier())\n\t\tcmd.WithPseudoTTY()\n\t\tcmd.Feed(strings.NewReader(\"echo mark${NON}mark\\nexit 42\\n\"))\n\n\t\treturn cmd\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tExitCode: 42,\n\t\t\tOutput: expect.All(\n\t\t\t\texpect.Contains(\"markmark\"),\n\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\tassert.Assert(t, !strings.Contains(helpers.Capture(\"ps\", \"-a\"), data.Identifier()))\n\t\t\t\t},\n\t\t\t),\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestAttachNoStdin(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tcmd := helpers.Command(\"run\", \"-it\", \"--detach-keys=ctrl-p,ctrl-q\", \"--name\", data.Identifier(),\n\t\t\ttestutil.CommonImage, \"sleep\", \"5\")\n\t\tcmd.WithPseudoTTY()\n\t\tcmd.Feed(bytes.NewReader([]byte{16, 17})) // Ctrl-p, Ctrl-q to detach (https://en.wikipedia.org/wiki/C0_and_C1_control_codes)\n\t\tcmd.Run(&test.Expected{\n\t\t\tExitCode: 0,\n\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\tassert.Assert(t, strings.Contains(helpers.Capture(\"inspect\", \"--format\", \"{{.State.Running}}\", data.Identifier()), \"true\"))\n\t\t\t},\n\t\t})\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\tcmd := helpers.Command(\"attach\", \"--no-stdin\", data.Identifier())\n\t\tcmd.WithPseudoTTY()\n\t\tcmd.Feed(strings.NewReader(\"should-not-appear\\n\"))\n\t\tcmd.Feed(bytes.NewReader([]byte{16, 17}))\n\t\treturn cmd\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tExitCode: 0, // Since it's a normal exit and not detach.\n\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\tlogs := helpers.Capture(\"logs\", data.Identifier())\n\t\t\t\tassert.Assert(t, !strings.Contains(logs, \"should-not-appear\"))\n\t\t\t},\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_commit.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"errors\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n)\n\nfunc CommitCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"commit [flags] CONTAINER REPOSITORY[:TAG]\",\n\t\tShort: \"Create a new image from a container's changes\",\n\t\tArgs: helpers.IsExactArgs(2),\n\t\tRunE: commitAction,\n\t\tValidArgsFunction: commitShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().StringP(\"author\", \"a\", \"\", `Author (e.g., \"nerdctl contributor \")`)\n\tcmd.Flags().StringP(\"message\", \"m\", \"\", \"Commit message\")\n\tcmd.Flags().StringArrayP(\"change\", \"c\", nil, \"Apply Dockerfile instruction to the created image (supported directives: [CMD, ENTRYPOINT])\")\n\tcmd.Flags().BoolP(\"pause\", \"p\", true, \"Pause container during commit\")\n\tcmd.Flags().StringP(\"compression\", \"\", \"gzip\", \"commit compression algorithm (zstd or gzip)\")\n\tcmd.Flags().String(\"format\", \"docker\", \"Format of the committed image (docker or oci)\")\n\tcmd.Flags().Bool(\"estargz\", false, \"Convert the committed layer to eStargz for lazy pulling\")\n\tcmd.Flags().Int(\"estargz-compression-level\", 9, \"eStargz compression level (1-9)\")\n\tcmd.Flags().Int(\"estargz-chunk-size\", 0, \"eStargz chunk size\")\n\tcmd.Flags().Int(\"estargz-min-chunk-size\", 0, \"The minimal number of bytes of data must be written in one gzip stream\")\n\tcmd.Flags().Bool(\"zstdchunked\", false, \"Convert the committed layer to zstd:chunked for lazy pulling\")\n\tcmd.Flags().Int(\"zstdchunked-compression-level\", 3, \"zstd:chunked compression level\")\n\tcmd.Flags().Int(\"zstdchunked-chunk-size\", 0, \"zstd:chunked chunk size\")\n\treturn cmd\n}\n\nfunc commitOptions(cmd *cobra.Command) (types.ContainerCommitOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ContainerCommitOptions{}, err\n\t}\n\tauthor, err := cmd.Flags().GetString(\"author\")\n\tif err != nil {\n\t\treturn types.ContainerCommitOptions{}, err\n\t}\n\tmessage, err := cmd.Flags().GetString(\"message\")\n\tif err != nil {\n\t\treturn types.ContainerCommitOptions{}, err\n\t}\n\tpause, err := cmd.Flags().GetBool(\"pause\")\n\tif err != nil {\n\t\treturn types.ContainerCommitOptions{}, err\n\t}\n\n\tchange, err := cmd.Flags().GetStringArray(\"change\")\n\tif err != nil {\n\t\treturn types.ContainerCommitOptions{}, err\n\t}\n\n\tcom, err := cmd.Flags().GetString(\"compression\")\n\tif err != nil {\n\t\treturn types.ContainerCommitOptions{}, err\n\t}\n\tif com != string(types.Zstd) && com != string(types.Gzip) {\n\t\treturn types.ContainerCommitOptions{}, errors.New(\"--compression param only supports zstd or gzip\")\n\t}\n\n\tformat, err := cmd.Flags().GetString(\"format\")\n\tif err != nil {\n\t\treturn types.ContainerCommitOptions{}, err\n\t}\n\tif format != string(types.ImageFormatDocker) && format != string(types.ImageFormatOCI) {\n\t\treturn types.ContainerCommitOptions{}, errors.New(\"--format param only supports docker or oci\")\n\t}\n\n\testargz, err := cmd.Flags().GetBool(\"estargz\")\n\tif err != nil {\n\t\treturn types.ContainerCommitOptions{}, err\n\t}\n\testargzCompressionLevel, err := cmd.Flags().GetInt(\"estargz-compression-level\")\n\tif err != nil {\n\t\treturn types.ContainerCommitOptions{}, err\n\t}\n\testargzChunkSize, err := cmd.Flags().GetInt(\"estargz-chunk-size\")\n\tif err != nil {\n\t\treturn types.ContainerCommitOptions{}, err\n\t}\n\testargzMinChunkSize, err := cmd.Flags().GetInt(\"estargz-min-chunk-size\")\n\tif err != nil {\n\t\treturn types.ContainerCommitOptions{}, err\n\t}\n\n\tzstdchunked, err := cmd.Flags().GetBool(\"zstdchunked\")\n\tif err != nil {\n\t\treturn types.ContainerCommitOptions{}, err\n\t}\n\tzstdchunkedCompressionLevel, err := cmd.Flags().GetInt(\"zstdchunked-compression-level\")\n\tif err != nil {\n\t\treturn types.ContainerCommitOptions{}, err\n\t}\n\tzstdchunkedChunkSize, err := cmd.Flags().GetInt(\"zstdchunked-chunk-size\")\n\tif err != nil {\n\t\treturn types.ContainerCommitOptions{}, err\n\t}\n\n\t// estargz and zstdchunked are mutually exclusive\n\tif estargz && zstdchunked {\n\t\treturn types.ContainerCommitOptions{}, errors.New(\"options --estargz and --zstdchunked lead to conflict, only one of them can be used\")\n\t}\n\n\treturn types.ContainerCommitOptions{\n\t\tStdout: cmd.OutOrStdout(),\n\t\tGOptions: globalOptions,\n\t\tAuthor: author,\n\t\tMessage: message,\n\t\tPause: pause,\n\t\tChange: change,\n\t\tCompression: types.CompressionType(com),\n\t\tFormat: types.ImageFormat(format),\n\t\tEstargzOptions: types.EstargzOptions{\n\t\t\tEstargz: estargz,\n\t\t\tEstargzCompressionLevel: estargzCompressionLevel,\n\t\t\tEstargzChunkSize: estargzChunkSize,\n\t\t\tEstargzMinChunkSize: estargzMinChunkSize,\n\t\t},\n\t\tZstdChunkedOptions: types.ZstdChunkedOptions{\n\t\t\tZstdChunked: zstdchunked,\n\t\t\tZstdChunkedCompressionLevel: zstdchunkedCompressionLevel,\n\t\t\tZstdChunkedChunkSize: zstdchunkedChunkSize,\n\t\t},\n\t}, nil\n}\n\nfunc commitAction(cmd *cobra.Command, args []string) error {\n\toptions, err := commitOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn container.Commit(ctx, client, args[1], args[0], options)\n}\n\nfunc commitShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\tif len(args) == 0 {\n\t\treturn completion.ContainerNames(cmd, nil)\n\t}\n\treturn nil, cobra.ShellCompDirectiveNoFileComp\n}\n" }, { "path": "cmd/nerdctl/container/container_commit_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestKubeCommitSave(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = nerdtest.OnlyKubernetes\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tidentifier := data.Identifier()\n\t\tcontainerID := \"\"\n\t\t// NOTE: kubectl namespaces are not the same as containerd namespaces.\n\t\t// We still want kube test objects segregated in their own Kube API namespace.\n\t\tnerdtest.KubeCtlCommand(helpers, \"create\", \"namespace\", \"nerdctl-test-k8s\").Run(&test.Expected{})\n\t\tnerdtest.KubeCtlCommand(helpers, \"run\", \"--image\", testutil.CommonImage, identifier, \"--\", \"sleep\", nerdtest.Infinity).Run(&test.Expected{})\n\t\tnerdtest.KubeCtlCommand(helpers, \"wait\", \"pod\", identifier, \"--for=condition=ready\", \"--timeout=1m\").Run(&test.Expected{})\n\t\tnerdtest.KubeCtlCommand(helpers, \"exec\", identifier, \"--\", \"mkdir\", \"-p\", \"/tmp/whatever\").Run(&test.Expected{})\n\t\tnerdtest.KubeCtlCommand(helpers, \"get\", \"pods\", identifier, \"-o\", \"jsonpath={ .status.containerStatuses[0].containerID }\").Run(&test.Expected{\n\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\tcontainerID = strings.TrimPrefix(stdout, \"containerd://\")\n\t\t\t},\n\t\t})\n\t\tdata.Labels().Set(\"containerID\", containerID)\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tnerdtest.KubeCtlCommand(helpers, \"delete\", \"pod\", \"--all\").Run(nil)\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\thelpers.Ensure(\"commit\", data.Labels().Get(\"containerID\"), data.Identifier(\"testcommitsave\"))\n\t\t// Wait for the image to show up\n\t\tfor range 5 {\n\t\t\tfound := false\n\t\t\tcmd := helpers.Command(\"images\", data.Identifier(\"testcommitsave\"), \"--format\", \"json\")\n\t\t\tcmd.Run(&test.Expected{\n\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\tfound = strings.TrimSpace(stdout) != \"\"\n\t\t\t\t},\n\t\t\t})\n\t\t\tif found {\n\t\t\t\tbreak\n\t\t\t}\n\t\t\ttime.Sleep(1 * time.Second)\n\t\t}\n\t\treturn helpers.Command(\"save\", data.Identifier(\"testcommitsave\"))\n\t}\n\n\ttestCase.Expected = test.Expects(0, nil, nil)\n\n\ttestCase.Run(t)\n\n\t// This below is missing configuration to allow for plain http communication\n\t// This is left here for future work to successfully start a registry usable in the cluster\n\t/*\n\t\t// Start a registry\n\t\t\t\tnerdtest.KubeCtlCommand(helpers, \"run\", \"--port\", \"5000\", \"--image\", testutil.RegistryImageStable, \"testregistry\").\n\t\t\t\t\tRun(&test.Expected{})\n\n\t\t\t\tnerdtest.KubeCtlCommand(helpers, \"wait\", \"pod\", \"testregistry\", \"--for=condition=ready\", \"--timeout=1m\").\n\t\t\t\t\tAssertOK()\n\n\t\t\t\tcmd = nerdtest.KubeCtlCommand(helpers, \"get\", \"pods\", tID, \"-o\", \"jsonpath={ .status.hostIPs[0].ip }\")\n\t\t\t\tcmd.Run(&test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tregistryIP = stdout\n\t\t\t\t\t},\n\t\t\t\t})\n\n\t\t\t\tcmd = nerdtest.KubeCtlCommand(helpers, \"apply\", \"-f\", \"-\", fmt.Sprintf(`apiVersion: v1\n\t\t\tkind: ConfigMap\n\t\t\tmetadata:\n\t\t\t\tname: local-registry\n\t\t\t\tnamespace: nerdctl-test\n\t\t\tdata:\n\t\t\t\tlocalRegistryHosting.v1: |\n\t\t\t\thost: \"%s:5000\"\n\t\t\t\thelp: \"https://kind.sigs.k8s.io/docs/user/local-registry/\"\n\t\t`, registryIP))\n\t*/\n}\n" }, { "path": "cmd/nerdctl/container/container_commit_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/inspecttypes/native\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestCommit(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"with pause\",\n\t\t\tRequire: nerdtest.CGroup,\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tidentifier := data.Identifier()\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", identifier)\n\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", identifier)\n\t\t\t},\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tidentifier := data.Identifier()\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", identifier, testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t\thelpers.Ensure(\"exec\", identifier, \"sh\", \"-euxc\", `echo hello-test-commit > /foo`)\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tidentifier := data.Identifier()\n\t\t\t\thelpers.Ensure(\n\t\t\t\t\t\"commit\",\n\t\t\t\t\t\"-c\", `CMD [\"/foo\"]`,\n\t\t\t\t\t\"-c\", `ENTRYPOINT [\"cat\"]`,\n\t\t\t\t\t\"--pause=true\",\n\t\t\t\t\tidentifier, identifier)\n\t\t\t\treturn helpers.Command(\"run\", \"--rm\", identifier)\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(\"hello-test-commit\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"no pause\",\n\t\t\tRequire: require.Not(require.Windows),\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tidentifier := data.Identifier()\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", identifier)\n\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", identifier)\n\t\t\t},\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tidentifier := data.Identifier()\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", identifier, testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, identifier)\n\t\t\t\thelpers.Ensure(\"exec\", identifier, \"sh\", \"-euxc\", `echo hello-test-commit > /foo`)\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tidentifier := data.Identifier()\n\t\t\t\thelpers.Ensure(\n\t\t\t\t\t\"commit\",\n\t\t\t\t\t\"-c\", `CMD [\"/foo\"]`,\n\t\t\t\t\t\"-c\", `ENTRYPOINT [\"cat\"]`,\n\t\t\t\t\t\"--pause=false\",\n\t\t\t\t\tidentifier, identifier)\n\t\t\t\treturn helpers.Command(\"run\", \"--rm\", identifier)\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(\"hello-test-commit\\n\")),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestZstdCommit(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = require.All(\n\t\t// FIXME: Docker does not support compression\n\t\trequire.Not(nerdtest.Docker),\n\t\tnerdtest.ContainerdVersion(\"2.0.0\"),\n\t\tnerdtest.CGroup,\n\t)\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier(\"image\"))\n\t}\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tidentifier := data.Identifier()\n\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", identifier, testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\tnerdtest.EnsureContainerStarted(helpers, identifier)\n\t\thelpers.Ensure(\"exec\", identifier, \"sh\", \"-euxc\", `echo hello-test-commit > /foo`)\n\t\thelpers.Ensure(\"commit\", identifier, data.Identifier(\"image\"), \"--compression=zstd\")\n\t\tdata.Labels().Set(\"image\", data.Identifier(\"image\"))\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"verify zstd has been used\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"image\", \"inspect\", \"--mode=native\", data.Labels().Get(\"image\"))\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.JSON([]native.Image{}, func(images []native.Image, t tig.T) {\n\t\t\t\t\t\tassert.Equal(t, len(images), 1)\n\t\t\t\t\t\tassert.Equal(helpers.T(), images[0].Manifest.Layers[len(images[0].Manifest.Layers)-1].MediaType, \"application/vnd.docker.image.rootfs.diff.tar.zstd\")\n\t\t\t\t\t}),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"verify the image is working\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Labels().Get(\"image\"), \"sh\", \"-c\", \"--\", \"cat /foo\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(\"hello-test-commit\\n\")),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_cp_acid_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/containerutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\n// This is a separate set of tests for cp specifically meant to test corner or extreme cases that do not fit in the normal testing rig\n// because of their complexity\n\nfunc TestCopyAcid(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\ttestID := data.Identifier()\n\t\ttempDir := t.TempDir()\n\n\t\tsourceFile := filepath.Join(tempDir, \"hostfile\")\n\t\tsourceFileContent := []byte(testID)\n\n\t\troContainer := testID + \"-ro\"\n\t\trwContainer := testID + \"-rw\"\n\n\t\tdata.Labels().Set(\"sourceFile\", sourceFile)\n\t\tdata.Labels().Set(\"sourceFileContent\", string(sourceFileContent))\n\t\tdata.Labels().Set(\"roContainer\", roContainer)\n\t\tdata.Labels().Set(\"rwContainer\", rwContainer)\n\n\t\thelpers.Ensure(\"volume\", \"create\", testID+\"-1-ro\")\n\t\thelpers.Ensure(\"volume\", \"create\", testID+\"-2-ro\")\n\t\thelpers.Ensure(\"volume\", \"create\", testID+\"-3-ro\")\n\n\t\thelpers.Ensure(\"run\", \"-d\", \"-w\", containerCwd, \"--name\", roContainer, \"--read-only\",\n\t\t\t\"-v\", fmt.Sprintf(\"%s:%s:ro\", testID+\"-1-ro\", \"/vol1/dir1/ro\"),\n\t\t\t\"-v\", fmt.Sprintf(\"%s:%s\", testID+\"-2-rw\", \"/vol2/dir2/rw\"),\n\t\t\ttestutil.CommonImage, \"sleep\", nerdtest.Infinity,\n\t\t)\n\t\tnerdtest.EnsureContainerStarted(helpers, roContainer)\n\n\t\thelpers.Ensure(\"run\", \"-d\", \"-w\", containerCwd, \"--name\", rwContainer,\n\t\t\t\"-v\", fmt.Sprintf(\"%s:%s:ro\", testID+\"-1-ro\", \"/vol1/dir1/ro\"),\n\t\t\t\"-v\", fmt.Sprintf(\"%s:%s\", testID+\"-3-rw\", \"/vol3/dir3/rw\"),\n\t\t\ttestutil.CommonImage, \"sleep\", nerdtest.Infinity,\n\t\t)\n\t\tnerdtest.EnsureContainerStarted(helpers, rwContainer)\n\n\t\thelpers.Ensure(\"exec\", rwContainer, \"sh\", \"-euxc\", \"cd /vol3/dir3/rw; ln -s ../../../ relativelinktoroot\")\n\t\thelpers.Ensure(\"exec\", rwContainer, \"sh\", \"-euxc\", \"cd /vol3/dir3/rw; ln -s / absolutelinktoroot\")\n\t\thelpers.Ensure(\"exec\", roContainer, \"sh\", \"-euxc\", \"cd /vol2/dir2/rw; ln -s ../../../ relativelinktoroot\")\n\t\thelpers.Ensure(\"exec\", roContainer, \"sh\", \"-euxc\", \"cd /vol2/dir2/rw; ln -s / absolutelinktoroot\")\n\n\t\t// Create file on the host\n\t\terr := os.WriteFile(sourceFile, sourceFileContent, filePerm)\n\t\tassert.NilError(t, err)\n\n\t\texpectedErr := containerutil.ErrTargetIsReadOnly.Error()\n\t\tif nerdtest.IsDocker() {\n\t\t\texpectedErr = \"\"\n\t\t}\n\t\tdata.Labels().Set(\"expectedErr\", expectedErr)\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\ttestID := data.Identifier()\n\t\thelpers.Anyhow(\"rm\", \"-f\", testID+\"-ro\")\n\t\thelpers.Anyhow(\"rm\", \"-f\", testID+\"-rw\")\n\t\thelpers.Anyhow(\"volume\", \"rm\", testID+\"-1-ro\")\n\t\thelpers.Anyhow(\"volume\", \"rm\", testID+\"-2-rw\")\n\t\thelpers.Anyhow(\"volume\", \"rm\", testID+\"-3-rw\")\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"Cannot copy into a read-only root\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"cp\", data.Labels().Get(\"sourceFile\"), data.Labels().Get(\"roContainer\")+\":/\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{errors.New(data.Labels().Get(\"expectedErr\"))},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Cannot copy into a read-only mount, in a rw container\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"cp\", data.Labels().Get(\"sourceFile\"), data.Labels().Get(\"rwContainer\")+\":/vol1/dir1/ro\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{errors.New(data.Labels().Get(\"expectedErr\"))},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Can copy into a read-write mount in a read-only container\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"cp\", data.Labels().Get(\"sourceFile\"), data.Labels().Get(\"roContainer\")+\":/vol2/dir2/rw\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Traverse read-only locations to a read-write location\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"cp\", data.Labels().Get(\"sourceFile\"), data.Labels().Get(\"roContainer\")+\":/vol1/dir1/ro/../../../vol2/dir2/rw\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Follow an absolute symlink inside a read-write mount to a read-only root\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"cp\", data.Labels().Get(\"sourceFile\"), data.Labels().Get(\"roContainer\")+\":/vol2/dir2/rw/absolutelinktoroot\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{errors.New(data.Labels().Get(\"expectedErr\"))},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Follow am absolute symlink inside a read-write mount to a read-only mount\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"cp\", data.Labels().Get(\"sourceFile\"), data.Labels().Get(\"rwContainer\")+\":/vol3/dir3/rw/absolutelinktoroot/vol1/dir1/ro\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{errors.New(data.Labels().Get(\"expectedErr\"))},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Follow a relative symlink inside a read-write location to a read-only root\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"cp\", data.Labels().Get(\"sourceFile\"), data.Labels().Get(\"roContainer\")+\":/vol2/dir2/rw/relativelinktoroot\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{errors.New(data.Labels().Get(\"expectedErr\"))},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Follow a relative symlink inside a read-write location to a read-only mount\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"cp\", data.Labels().Get(\"sourceFile\"), data.Labels().Get(\"rwContainer\")+\":/vol3/dir3/rw/relativelinktoroot/vol1/dir1/ro\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{errors.New(data.Labels().Get(\"expectedErr\"))},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Cannot copy into a HOST read-only location\",\n\t\t\tRequire: nerdtest.Rootless,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\ttempDir := t.TempDir()\n\t\t\t\terr := os.MkdirAll(filepath.Join(tempDir, \"rotest\"), 0o000)\n\t\t\t\tassert.NilError(t, err)\n\t\t\t\treturn helpers.Command(\"cp\", data.Labels().Get(\"roContainer\")+\":/etc/issue\", filepath.Join(tempDir, \"rotest\"))\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{errors.New(data.Labels().Get(\"expectedErr\"))},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_cp_linux.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"path/filepath\"\n\t\"strings\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n\t\"github.com/containerd/nerdctl/v2/pkg/rootlessutil\"\n)\n\nfunc copyCommand() *cobra.Command {\n\tshortHelp := \"Copy files/folders between a running container and the local filesystem.\"\n\n\tlongHelp := shortHelp + `\nThis command requires 'tar' to be installed on the host (not in the container).\nUsing GNU tar is recommended.\nThe path of the 'tar' binary can be specified with an environment variable '$TAR'.\n\nWARNING: 'nerdctl cp' is designed only for use with trusted, cooperating containers.\nUsing 'nerdctl cp' with untrusted or malicious containers is unsupported and may not provide protection against unexpected behavior.\n`\n\n\tusage := `cp [flags] CONTAINER:SRC_PATH DEST_PATH|-\n nerdctl cp [flags] SRC_PATH|- CONTAINER:DEST_PATH`\n\tvar cmd = &cobra.Command{\n\t\tUse: usage,\n\t\tArgs: helpers.IsExactArgs(2),\n\t\tShort: shortHelp,\n\t\tLong: longHelp,\n\t\tRunE: copyAction,\n\t\tValidArgsFunction: copyShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\n\tcmd.Flags().BoolP(\"follow-link\", \"L\", false, \"Always follow symbolic link in SRC_PATH.\")\n\n\treturn cmd\n}\n\nfunc copyAction(cmd *cobra.Command, args []string) error {\n\toptions, err := copyOptions(cmd, args)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif rootlessutil.IsRootless() {\n\t\toptions.GOptions.Address, err = rootlessutil.RootlessContainredSockAddress()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn container.Cp(ctx, client, options)\n}\n\nfunc copyOptions(cmd *cobra.Command, args []string) (types.ContainerCpOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ContainerCpOptions{}, err\n\t}\n\tflagL, err := cmd.Flags().GetBool(\"follow-link\")\n\tif err != nil {\n\t\treturn types.ContainerCpOptions{}, err\n\t}\n\n\tsrcSpec, err := parseCpFileSpec(args[0])\n\tif err != nil {\n\t\treturn types.ContainerCpOptions{}, err\n\t}\n\n\tdestSpec, err := parseCpFileSpec(args[1])\n\tif err != nil {\n\t\treturn types.ContainerCpOptions{}, err\n\t}\n\n\tif (srcSpec.Container != nil && destSpec.Container != nil) || (len(srcSpec.Path) == 0 && len(destSpec.Path) == 0) {\n\t\treturn types.ContainerCpOptions{}, fmt.Errorf(\"one of src or dest must be a local file specification\")\n\t}\n\tif srcSpec.Container == nil && destSpec.Container == nil {\n\t\treturn types.ContainerCpOptions{}, fmt.Errorf(\"one of src or dest must be a container file specification\")\n\t}\n\n\tcontainer2host := srcSpec.Container != nil\n\tvar containerReq string\n\tif container2host {\n\t\tcontainerReq = *srcSpec.Container\n\t} else {\n\t\tcontainerReq = *destSpec.Container\n\t}\n\treturn types.ContainerCpOptions{\n\t\tGOptions: globalOptions,\n\t\tContainer2Host: container2host,\n\t\tContainerReq: containerReq,\n\t\tDestPath: destSpec.Path,\n\t\tSrcPath: srcSpec.Path,\n\t\tFollowSymLink: flagL,\n\t\tFromStdin: srcSpec.Path == \"-\",\n\t\tToStdout: destSpec.Path == \"-\",\n\t}, nil\n}\n\nfunc AddCpCommand(rootCmd *cobra.Command) {\n\trootCmd.AddCommand(copyCommand())\n}\n\nvar errFileSpecDoesntMatchFormat = errors.New(\"filespec must match the canonical format: [container:]file/path\")\n\nfunc parseCpFileSpec(arg string) (*copyFileSpec, error) {\n\tif arg == \"\" {\n\t\treturn ©FileSpec{\n\t\t\tPath: \"-\",\n\t\t}, nil\n\t}\n\n\ti := strings.Index(arg, \":\")\n\n\t// filespec starting with a semicolon is invalid\n\tif i == 0 {\n\t\treturn nil, errFileSpecDoesntMatchFormat\n\t}\n\n\tif filepath.IsAbs(arg) {\n\t\t// Explicit local absolute path, e.g., `C:\\foo` or `/foo`.\n\t\treturn ©FileSpec{\n\t\t\tContainer: nil,\n\t\t\tPath: arg,\n\t\t}, nil\n\t}\n\n\tparts := strings.SplitN(arg, \":\", 2)\n\n\tif len(parts) == 1 || strings.HasPrefix(parts[0], \".\") {\n\t\t// Either there's no `:` in the arg\n\t\t// OR it's an explicit local relative path like `./file:name.txt`.\n\t\treturn ©FileSpec{\n\t\t\tPath: arg,\n\t\t}, nil\n\t}\n\n\treturn ©FileSpec{\n\t\tContainer: &parts[0],\n\t\tPath: parts[1],\n\t}, nil\n}\n\ntype copyFileSpec struct {\n\tContainer *string\n\tPath string\n}\n\nfunc copyShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\treturn nil, cobra.ShellCompDirectiveFilterFileExt\n}\n" }, { "path": "cmd/nerdctl/container/container_cp_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"syscall\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\t\"gotest.tools/v3/icmd\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/containerutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/rootlessutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/tarutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\n// For the test matrix, see https://docs.docker.com/engine/reference/commandline/cp/\n// Obviously, none of this is fully windows ready - obviously `nerdctl cp` itself is not either, so, ok for now.\nconst (\n\t// Use this to poke the testing rig for improper path handling\n\t// TODO: fuzz this more seriously\n\t// FIXME: the following will break the test (anything that will evaluate on the shell, obviously):\n\t// - `\n\t// - $a, ${a}, etc\n\tcomplexify = \"\" // = \"-~a0-_.(){}[]*#! \\\"'∞\"\n\n\tpathDoesNotExistRelative = \"does-not-exist\" + complexify\n\tpathDoesNotExistAbsolute = string(os.PathSeparator) + \"does-not-exist\" + complexify\n\tpathIsAFileRelative = \"is-a-file\" + complexify\n\tpathIsAFileAbsolute = string(os.PathSeparator) + \"is-a-file\" + complexify\n\tpathIsADirRelative = \"is-a-dir\" + complexify\n\tpathIsADirAbsolute = string(os.PathSeparator) + \"is-a-dir\" + complexify\n\tpathIsAVolumeMount = string(os.PathSeparator) + \"is-a-volume-mount\" + complexify\n\n\tsrcFileName = \"test-file\" + complexify\n\ttarballName = \"test-tar\" + complexify\n\tcpFolderName = \"nerdctl-cp-test\"\n\n\t// Since nerdctl cp must NOT obey container wd, but instead resolve paths against the root, we set this\n\t// explicitly to ensure we do the right thing wrt that.\n\tcontainerCwd = \"/nerdctl/cp/test\"\n\n\tdirPerm = 0o755\n\tfilePerm = 0o644\n)\n\nvar srcDirName = filepath.Join(\"three-levels-src-dir\", \"test-dir\", \"dir\"+complexify)\n\ntype testgroup struct {\n\tdescription string // parent test description\n\ttoContainer bool // copying to, or from container\n\n\t// sourceSpec as specified by the user (without the container: part) - can be relative or absolute -\n\t// if sourceSpec points to a file, you must use srcFileName for filename\n\tsourceSpec string\n\tsourceIsAFile bool // whether the provided sourceSpec points to a file or a dir\n\ttestCases []testcases // testcases\n}\n\ntype testcases struct {\n\tdescription string // textual description of what the test is doing\n\tdestinationSpec string // destination path as specified by the user (without the container: part) - can be relative or absolute\n\texpect icmd.Expected // expectation\n\n\t// Optional\n\tcatFile string // path that we \"cat\" - defaults to destinationSpec if not specified\n\tsetup func(base *testutil.Base, container string, destPath string) // additional test setup if needed\n\ttearDown func() // additional cleanup if needed\n\tvolume func(base *testutil.Base, id string) (string, string, bool) // volume creation function if needed (should return the volume name, mountPoint, readonly flag)\n}\n\nfunc TestCopyToContainer(t *testing.T) {\n\tt.Parallel()\n\n\ttestGroups := []*testgroup{\n\t\t{\n\t\t\tdescription: \"Copying to container, SRC_PATH is a file, absolute\",\n\t\t\tsourceSpec: filepath.Join(string(os.PathSeparator), srcDirName, srcFileName),\n\t\t\tsourceIsAFile: true,\n\t\t\ttoContainer: true,\n\t\t\ttestCases: []testcases{\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH does not exist, relative\",\n\t\t\t\t\tdestinationSpec: pathDoesNotExistRelative,\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH does not exist, absolute\",\n\t\t\t\t\tdestinationSpec: pathDoesNotExistAbsolute,\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH does not exist, relative, and ends with \" + string(os.PathSeparator),\n\t\t\t\t\tdestinationSpec: pathDoesNotExistRelative + string(os.PathSeparator),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t\tErr: containerutil.ErrDestinationDirMustExist.Error(),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH does not exist, absolute, and ends with \" + string(os.PathSeparator),\n\t\t\t\t\tdestinationSpec: pathDoesNotExistAbsolute + string(os.PathSeparator),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t\tErr: containerutil.ErrDestinationDirMustExist.Error(),\n\t\t\t\t\t},\n\t\t\t\t},\n\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a file, relative\",\n\t\t\t\t\tdestinationSpec: pathIsAFileRelative,\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\tbase.Cmd(\"exec\", container, \"touch\", destPath).AssertOK()\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a file, absolute\",\n\t\t\t\t\tdestinationSpec: pathIsAFileAbsolute,\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\tbase.Cmd(\"exec\", container, \"touch\", destPath).AssertOK()\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a file, relative, ends with improper \" + string(os.PathSeparator),\n\t\t\t\t\tdestinationSpec: pathIsAFileRelative + string(os.PathSeparator),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t\tErr: containerutil.ErrDestinationIsNotADir.Error(),\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\tbase.Cmd(\"exec\", container, \"touch\", destPath).AssertOK()\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a file, absolute, ends with improper \" + string(os.PathSeparator),\n\t\t\t\t\tdestinationSpec: pathIsAFileAbsolute + string(os.PathSeparator),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t\t// FIXME: it is unclear why the code path with absolute (this test) versus relative (just above)\n\t\t\t\t\t\t// yields a different error. Both should ideally be ErrCannotCopyDirToFile\n\t\t\t\t\t\t// This is probably happening somewhere in resolve.\n\t\t\t\t\t\t// This is not a deal killer, as both DO error with a reasonable explanation, but a bit\n\t\t\t\t\t\t// frustrating\n\t\t\t\t\t\tErr: containerutil.ErrDestinationIsNotADir.Error(),\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\tbase.Cmd(\"exec\", container, \"touch\", destPath).AssertOK()\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a directory, relative\",\n\t\t\t\t\tdestinationSpec: pathIsADirRelative,\n\t\t\t\t\tcatFile: filepath.Join(pathIsADirRelative, srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\tbase.Cmd(\"exec\", container, \"mkdir\", \"-p\", destPath).AssertOK()\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a directory, absolute\",\n\t\t\t\t\tdestinationSpec: pathIsADirAbsolute,\n\t\t\t\t\tcatFile: filepath.Join(pathIsADirAbsolute, srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\tbase.Cmd(\"exec\", container, \"mkdir\", \"-p\", destPath).AssertOK()\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a directory, relative, ends with \" + string(os.PathSeparator),\n\t\t\t\t\tdestinationSpec: pathIsADirRelative + string(os.PathSeparator),\n\t\t\t\t\tcatFile: filepath.Join(pathIsADirRelative, srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\tbase.Cmd(\"exec\", container, \"mkdir\", \"-p\", destPath).AssertOK()\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a directory, absolute, ends with \" + string(os.PathSeparator),\n\t\t\t\t\tdestinationSpec: pathIsADirAbsolute + string(os.PathSeparator),\n\t\t\t\t\tcatFile: filepath.Join(pathIsADirAbsolute, srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\tbase.Cmd(\"exec\", container, \"mkdir\", \"-p\", destPath).AssertOK()\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a volume mount-point\",\n\t\t\t\t\tdestinationSpec: pathIsAVolumeMount,\n\t\t\t\t\tcatFile: filepath.Join(pathIsAVolumeMount, srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t\t// FIXME the way we handle volume is not right - too complicated for the test author\n\t\t\t\t\tvolume: func(base *testutil.Base, id string) (string, string, bool) {\n\t\t\t\t\t\tbase.Cmd(\"volume\", \"create\", id).Run()\n\t\t\t\t\t\treturn id, pathIsAVolumeMount, false\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a read-only volume mount-point\",\n\t\t\t\t\tdestinationSpec: pathIsAVolumeMount,\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t\tErr: containerutil.ErrTargetIsReadOnly.Error(),\n\t\t\t\t\t},\n\t\t\t\t\tvolume: func(base *testutil.Base, id string) (string, string, bool) {\n\t\t\t\t\t\tbase.Cmd(\"volume\", \"create\", id).Run()\n\t\t\t\t\t\treturn id, pathIsAVolumeMount, true\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tdescription: \"Copying to container, SRC_PATH is a directory\",\n\t\t\tsourceSpec: srcDirName,\n\t\t\ttoContainer: true,\n\t\t\ttestCases: []testcases{\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH does not exist, relative\",\n\t\t\t\t\tdestinationSpec: pathDoesNotExistRelative,\n\t\t\t\t\tcatFile: filepath.Join(pathDoesNotExistRelative, srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH does not exist, absolute\",\n\t\t\t\t\tdestinationSpec: pathDoesNotExistAbsolute,\n\t\t\t\t\tcatFile: filepath.Join(pathDoesNotExistAbsolute, srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH does not exist, relative, and ends with \" + string(os.PathSeparator),\n\t\t\t\t\tdestinationSpec: pathDoesNotExistRelative + string(os.PathSeparator),\n\t\t\t\t\tcatFile: filepath.Join(pathDoesNotExistRelative, srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH does not exist, absolute, and ends with \" + string(os.PathSeparator),\n\t\t\t\t\tdestinationSpec: pathDoesNotExistAbsolute + string(os.PathSeparator),\n\t\t\t\t\tcatFile: filepath.Join(pathDoesNotExistAbsolute, srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a file, relative\",\n\t\t\t\t\tdestinationSpec: pathIsAFileRelative,\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t\tErr: containerutil.ErrCannotCopyDirToFile.Error(),\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\tbase.Cmd(\"exec\", container, \"touch\", destPath).AssertOK()\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a file, absolute\",\n\t\t\t\t\tdestinationSpec: pathIsAFileAbsolute,\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t\tErr: containerutil.ErrCannotCopyDirToFile.Error(),\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\tbase.Cmd(\"exec\", container, \"touch\", destPath).AssertOK()\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a file, relative, ends with improper \" + string(os.PathSeparator),\n\t\t\t\t\tdestinationSpec: pathIsAFileRelative + string(os.PathSeparator),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t\tErr: containerutil.ErrDestinationIsNotADir.Error(),\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\tbase.Cmd(\"exec\", container, \"touch\", destPath).AssertOK()\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a file, absolute, ends with improper \" + string(os.PathSeparator),\n\t\t\t\t\tdestinationSpec: pathIsAFileAbsolute + string(os.PathSeparator),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t\t// FIXME: it is unclear why the code path with absolute (this test) versus relative (just above)\n\t\t\t\t\t\t// yields a different error. Both should ideally be ErrCannotCopyDirToFile\n\t\t\t\t\t\t// This is probably happening somewhere in resolve.\n\t\t\t\t\t\t// This is not a deal killer, as both DO error with a reasonable explanation, but a bit\n\t\t\t\t\t\t// frustrating\n\t\t\t\t\t\tErr: containerutil.ErrDestinationIsNotADir.Error(),\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\tbase.Cmd(\"exec\", container, \"touch\", destPath).AssertOK()\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a directory, relative\",\n\t\t\t\t\tdestinationSpec: pathIsADirRelative,\n\t\t\t\t\tcatFile: filepath.Join(pathIsADirRelative, filepath.Base(srcDirName), srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\tbase.Cmd(\"exec\", container, \"mkdir\", \"-p\", destPath).AssertOK()\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a directory, absolute\",\n\t\t\t\t\tdestinationSpec: pathIsADirAbsolute,\n\t\t\t\t\tcatFile: filepath.Join(pathIsADirAbsolute, filepath.Base(srcDirName), srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\tbase.Cmd(\"exec\", container, \"mkdir\", \"-p\", destPath).AssertOK()\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a directory, relative, ends with \" + string(os.PathSeparator),\n\t\t\t\t\tdestinationSpec: pathIsADirRelative + string(os.PathSeparator),\n\t\t\t\t\tcatFile: filepath.Join(pathIsADirRelative, filepath.Base(srcDirName), srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\tbase.Cmd(\"exec\", container, \"mkdir\", \"-p\", destPath).AssertOK()\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a directory, absolute, ends with \" + string(os.PathSeparator),\n\t\t\t\t\tdestinationSpec: pathIsADirAbsolute + string(os.PathSeparator),\n\t\t\t\t\tcatFile: filepath.Join(pathIsADirAbsolute, filepath.Base(srcDirName), srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\tbase.Cmd(\"exec\", container, \"mkdir\", \"-p\", destPath).AssertOK()\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tdescription: \"Copying to container, SRC_PATH is a directory ending with /.\",\n\t\t\tsourceSpec: srcDirName + string(os.PathSeparator) + \".\",\n\t\t\ttoContainer: true,\n\t\t\ttestCases: []testcases{\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a directory, relative\",\n\t\t\t\t\tdestinationSpec: pathIsADirRelative,\n\t\t\t\t\tcatFile: filepath.Join(pathIsADirRelative, srcFileName),\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\tbase.Cmd(\"exec\", container, \"mkdir\", \"-p\", destPath).AssertOK()\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a directory, absolute\",\n\t\t\t\t\tdestinationSpec: pathIsADirAbsolute,\n\t\t\t\t\tcatFile: filepath.Join(pathIsADirAbsolute, srcFileName),\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\tbase.Cmd(\"exec\", container, \"mkdir\", \"-p\", destPath).AssertOK()\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tdescription: \"Copying to container, SRC_PATH is stdin\",\n\t\t\tsourceSpec: \"-\",\n\t\t\tsourceIsAFile: true,\n\t\t\ttoContainer: true,\n\t\t\ttestCases: []testcases{\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a directory, relative\",\n\t\t\t\t\tdestinationSpec: pathIsADirRelative,\n\t\t\t\t\tcatFile: filepath.Join(pathIsADirRelative, srcFileName),\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\tbase.Cmd(\"exec\", container, \"mkdir\", \"-p\", destPath).AssertOK()\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a directory, absolute\",\n\t\t\t\t\tdestinationSpec: pathIsADirAbsolute,\n\t\t\t\t\tcatFile: filepath.Join(pathIsADirAbsolute, srcFileName),\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\tbase.Cmd(\"exec\", container, \"mkdir\", \"-p\", destPath).AssertOK()\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is stdout\",\n\t\t\t\t\tdestinationSpec: \"-\",\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t\tErr: \"one of src or dest must be a container file specification\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a file\",\n\t\t\t\t\tdestinationSpec: pathIsAFileAbsolute,\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\tbase.Cmd(\"exec\", container, \"touch\", destPath).AssertOK()\n\t\t\t\t\t},\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t\tErr: containerutil.ErrCannotCopyDirToFile.Error(),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\tfor _, tg := range testGroups {\n\t\tcpTestHelper(t, tg)\n\t}\n}\n\nfunc TestCopyFromContainer(t *testing.T) {\n\tt.Parallel()\n\n\ttestGroups := []*testgroup{\n\t\t{\n\t\t\tdescription: \"Copying from container, SRC_PATH specifies a file\",\n\t\t\tsourceSpec: srcFileName,\n\t\t\tsourceIsAFile: true,\n\t\t\ttestCases: []testcases{\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH does not exist, relative\",\n\t\t\t\t\tdestinationSpec: pathDoesNotExistRelative,\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH does not exist, absolute\",\n\t\t\t\t\tdestinationSpec: pathDoesNotExistAbsolute,\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH does not exist, relative, and ends with a path separator\",\n\t\t\t\t\tdestinationSpec: pathDoesNotExistRelative + string(os.PathSeparator),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t\tErr: containerutil.ErrDestinationDirMustExist.Error(),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH does not exist, absolute, and ends with a path separator\",\n\t\t\t\t\tdestinationSpec: pathDoesNotExistAbsolute + string(os.PathSeparator),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t\tErr: containerutil.ErrDestinationDirMustExist.Error(),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a file, relative\",\n\t\t\t\t\tdestinationSpec: pathIsAFileRelative,\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\terr := os.WriteFile(destPath, []byte(\"\"), filePerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a file, absolute\",\n\t\t\t\t\tdestinationSpec: pathIsAFileAbsolute,\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\terr := os.WriteFile(destPath, []byte(\"\"), filePerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a file, relative, improperly ends with a separator\",\n\t\t\t\t\tdestinationSpec: pathIsAFileRelative + string(os.PathSeparator),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t\tErr: containerutil.ErrDestinationIsNotADir.Error(),\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\terr := os.WriteFile(destPath, []byte(\"\"), filePerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a file, absolute, improperly ends with a separator\",\n\t\t\t\t\tdestinationSpec: pathIsAFileAbsolute + string(os.PathSeparator),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t\tErr: containerutil.ErrDestinationIsNotADir.Error(),\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\terr := os.WriteFile(destPath, []byte(\"\"), filePerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a directory, relative\",\n\t\t\t\t\tdestinationSpec: pathIsADirRelative,\n\t\t\t\t\tcatFile: filepath.Join(pathIsADirRelative, srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\terr := os.MkdirAll(destPath, dirPerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a directory, absolute\",\n\t\t\t\t\tdestinationSpec: pathIsADirAbsolute,\n\t\t\t\t\tcatFile: filepath.Join(pathIsADirAbsolute, srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\terr := os.MkdirAll(destPath, dirPerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a directory, relative, ending with a path separator\",\n\t\t\t\t\tdestinationSpec: pathIsADirRelative + string(os.PathSeparator),\n\t\t\t\t\tcatFile: filepath.Join(pathIsADirRelative, srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\terr := os.MkdirAll(destPath, dirPerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a directory, absolute, ending with a path separator\",\n\t\t\t\t\tdestinationSpec: pathIsADirAbsolute + string(os.PathSeparator),\n\t\t\t\t\tcatFile: filepath.Join(pathIsADirAbsolute, srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\terr := os.MkdirAll(destPath, dirPerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is stdout\",\n\t\t\t\t\tdestinationSpec: \"-\",\n\t\t\t\t\t// Extra dir to account for folder created from extracted tar file\n\t\t\t\t\tcatFile: filepath.Join(pathIsADirAbsolute, filepath.Base(srcDirName), srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\terr := os.MkdirAll(destPath, dirPerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tdescription: \"Copying from container, SRC_PATH specifies a dir\",\n\t\t\tsourceSpec: srcDirName,\n\t\t\ttestCases: []testcases{\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH does not exist, relative\",\n\t\t\t\t\tdestinationSpec: pathDoesNotExistRelative,\n\t\t\t\t\tcatFile: filepath.Join(pathDoesNotExistRelative, srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH does not exist, absolute\",\n\t\t\t\t\tdestinationSpec: pathDoesNotExistAbsolute,\n\t\t\t\t\tcatFile: filepath.Join(pathDoesNotExistAbsolute, srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH does not exist, relative, ends with path separator\",\n\t\t\t\t\tdestinationSpec: pathDoesNotExistRelative + string(os.PathSeparator),\n\t\t\t\t\tcatFile: filepath.Join(pathDoesNotExistRelative, srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH does not exist, absolute, ends with path separator\",\n\t\t\t\t\tdestinationSpec: pathDoesNotExistAbsolute + string(os.PathSeparator),\n\t\t\t\t\tcatFile: filepath.Join(pathDoesNotExistAbsolute, srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a file, relative\",\n\t\t\t\t\tdestinationSpec: pathIsAFileRelative,\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t\tErr: containerutil.ErrCannotCopyDirToFile.Error(),\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\terr := os.MkdirAll(filepath.Dir(destPath), dirPerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t\terr = os.WriteFile(destPath, []byte(\"\"), filePerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a file, absolute\",\n\t\t\t\t\tdestinationSpec: pathIsAFileAbsolute,\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t\tErr: containerutil.ErrCannotCopyDirToFile.Error(),\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\terr := os.MkdirAll(filepath.Dir(destPath), dirPerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t\terr = os.WriteFile(destPath, []byte(\"\"), filePerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a file, relative, improperly ends with path separator\",\n\t\t\t\t\tdestinationSpec: pathIsAFileRelative + string(os.PathSeparator),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t\tErr: containerutil.ErrDestinationIsNotADir.Error(),\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\terr := os.MkdirAll(filepath.Dir(destPath), dirPerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t\terr = os.WriteFile(destPath, []byte(\"\"), filePerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a file, absolute, improperly ends with path separator\",\n\t\t\t\t\tdestinationSpec: pathIsAFileAbsolute + string(os.PathSeparator),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t\tErr: containerutil.ErrDestinationIsNotADir.Error(),\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\terr := os.MkdirAll(filepath.Dir(destPath), dirPerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t\terr = os.WriteFile(destPath, []byte(\"\"), filePerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a directory, relative\",\n\t\t\t\t\tdestinationSpec: pathIsADirRelative,\n\t\t\t\t\tcatFile: filepath.Join(pathIsADirRelative, filepath.Base(srcDirName), srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\terr := os.MkdirAll(destPath, dirPerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a directory, absolute\",\n\t\t\t\t\tdestinationSpec: pathIsADirAbsolute,\n\t\t\t\t\tcatFile: filepath.Join(pathIsADirAbsolute, filepath.Base(srcDirName), srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\terr := os.MkdirAll(destPath, dirPerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a directory, relative, ends with path separator\",\n\t\t\t\t\tdestinationSpec: pathIsADirRelative + string(os.PathSeparator),\n\t\t\t\t\tcatFile: filepath.Join(pathIsADirRelative, filepath.Base(srcDirName), srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\terr := os.MkdirAll(destPath, dirPerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a directory, absolute, ends with path separator\",\n\t\t\t\t\tdestinationSpec: pathIsADirAbsolute + string(os.PathSeparator),\n\t\t\t\t\tcatFile: filepath.Join(pathIsADirAbsolute, filepath.Base(srcDirName), srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\terr := os.MkdirAll(destPath, dirPerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is stdout\",\n\t\t\t\t\tdestinationSpec: \"-\",\n\t\t\t\t\tcatFile: filepath.Join(pathIsADirAbsolute, srcDirName, srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\t// Don't make the topmost dir as this is where the tarball must extract\n\t\t\t\t\t\terr := os.MkdirAll(filepath.Dir(destPath), dirPerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\n\t\t{\n\t\t\tdescription: \"SRC_PATH is a dir, with a trailing slash/dot\",\n\t\t\tsourceSpec: srcDirName + string(os.PathSeparator) + \".\",\n\t\t\ttestCases: []testcases{\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a directory, relative\",\n\t\t\t\t\tdestinationSpec: pathIsADirRelative,\n\t\t\t\t\tcatFile: filepath.Join(pathIsADirRelative, srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\terr := os.MkdirAll(destPath, dirPerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is a directory, absolute\",\n\t\t\t\t\tdestinationSpec: pathIsADirAbsolute,\n\t\t\t\t\tcatFile: filepath.Join(pathIsADirAbsolute, srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\terr := os.MkdirAll(destPath, dirPerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tdescription: \"DEST_PATH is stdout\",\n\t\t\t\t\tdestinationSpec: \"-\",\n\t\t\t\t\tcatFile: filepath.Join(pathIsADirAbsolute, srcFileName),\n\t\t\t\t\texpect: icmd.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t},\n\t\t\t\t\tsetup: func(base *testutil.Base, container string, destPath string) {\n\t\t\t\t\t\terr := os.MkdirAll(destPath, dirPerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\tfor _, tg := range testGroups {\n\t\tcpTestHelper(t, tg)\n\t}\n}\n\nfunc assertCatHelper(base *testutil.Base, catPath string, fileContent []byte, container string, expectedUID int, containerIsStopped bool) {\n\tbase.T.Logf(\"catPath=%q\", catPath)\n\tif container != \"\" && containerIsStopped {\n\t\tbase.Cmd(\"start\", container).AssertOK()\n\t\tdefer base.Cmd(\"stop\", container).AssertOK()\n\t}\n\n\tif container == \"\" {\n\t\tgot, err := os.ReadFile(catPath)\n\t\tassert.NilError(base.T, err, \"Failed reading from file\")\n\t\tassert.DeepEqual(base.T, fileContent, got)\n\t\tst, err := os.Stat(catPath)\n\t\tassert.NilError(base.T, err)\n\t\tstSys := st.Sys().(*syscall.Stat_t)\n\t\texpected := uint32(expectedUID)\n\t\tactual := stSys.Uid\n\t\tassert.DeepEqual(base.T, expected, actual)\n\t} else {\n\t\tbase.Cmd(\"exec\", container, \"sh\", \"-c\", \"--\", fmt.Sprintf(\"ls -lA /; echo %q; cat %q\", catPath, catPath)).AssertOutContains(string(fileContent))\n\t\tbase.Cmd(\"exec\", container, \"stat\", \"-c\", \"%u\", catPath).AssertOutExactly(fmt.Sprintf(\"%d\\n\", expectedUID))\n\t}\n}\n\nfunc cpTestHelper(t *testing.T, tg *testgroup) {\n\t// Get the source path\n\tgroupSourceSpec := tg.sourceSpec\n\tgroupSourceDir := groupSourceSpec\n\tfromStdin := false\n\tif tg.sourceSpec == \"-\" {\n\t\tgroupSourceSpec = filepath.Join(srcDirName, tarballName)\n\t\tgroupSourceDir = srcDirName\n\t\tfromStdin = true\n\t} else if tg.sourceIsAFile {\n\t\tgroupSourceDir = filepath.Dir(groupSourceSpec)\n\t}\n\n\t// Copy direction\n\tcopyToContainer := tg.toContainer\n\t// Description\n\tdescription := tg.description\n\t// Test cases\n\ttestCases := tg.testCases\n\n\t// Compute UIDs dependent on cp direction\n\tvar srcUID, destUID int\n\tif copyToContainer {\n\t\tsrcUID = os.Geteuid()\n\t\tdestUID = srcUID\n\t} else {\n\t\tsrcUID = 42\n\t\tdestUID = os.Geteuid()\n\t}\n\n\tt.Run(description, func(t *testing.T) {\n\t\tt.Parallel()\n\n\t\tfor _, tc := range testCases {\n\t\t\ttestCase := tc\n\n\t\t\tt.Run(testCase.description, func(t *testing.T) {\n\t\t\t\tt.Parallel()\n\n\t\t\t\t// Compute test-specific values\n\t\t\t\ttestID := testutil.Identifier(t)\n\t\t\t\tcontainerRunning := testID + \"-r\"\n\t\t\t\tcontainerStopped := testID + \"-s\"\n\t\t\t\tsourceFileContent := []byte(testID)\n\t\t\t\ttempDir := t.TempDir()\n\n\t\t\t\tbase := testutil.NewBase(t)\n\t\t\t\t// Change working directory for commands to execute to the newly created temp directory on the host\n\t\t\t\t// Note that ChDir won't do in a parallel context - and that setup func on the host below\n\t\t\t\t// has to deal with that problem separately by making sure relative paths are resolved against temp\n\t\t\t\tbase.Dir = tempDir\n\n\t\t\t\t// Prepare the specs and derived variables\n\t\t\t\tsourceSpec := groupSourceSpec\n\t\t\t\tcatFile := testCase.catFile\n\n\t\t\t\tdestinationSpec := testCase.destinationSpec\n\t\t\t\ttoStdout := false\n\t\t\t\t// tarball destination just sets up the dir to extract to\n\t\t\t\tif destinationSpec == \"-\" {\n\t\t\t\t\ttoStdout = true\n\t\t\t\t\tdestinationSpec = filepath.Dir(catFile)\n\t\t\t\t}\n\n\t\t\t\t// If the test case does not specify a catFile, start with the destination spec\n\t\t\t\tif catFile == \"\" {\n\t\t\t\t\tcatFile = destinationSpec\n\t\t\t\t}\n\n\t\t\t\tsourceFile := filepath.Join(groupSourceDir, srcFileName)\n\t\t\t\tif copyToContainer {\n\t\t\t\t\tif !filepath.IsAbs(catFile) {\n\t\t\t\t\t\tcatFile = filepath.Join(string(os.PathSeparator), catFile)\n\t\t\t\t\t}\n\n\t\t\t\t\tif fromStdin {\n\t\t\t\t\t\tsourceFile = filepath.Join(tempDir, groupSourceDir, tarballName)\n\t\t\t\t\t} else {\n\t\t\t\t\t\t// Use an absolute path for evaluation\n\t\t\t\t\t\t// If the sourceFile is still relative, make it absolute to the temp\n\t\t\t\t\t\tsourceFile = filepath.Join(tempDir, sourceFile)\n\t\t\t\t\t\t// If the spec path for source on the host was absolute, make sure we put that under tempDir\n\t\t\t\t\t\tif filepath.IsAbs(sourceSpec) {\n\t\t\t\t\t\t\tsourceSpec = tempDir + sourceSpec\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\t// If we are copying to host, we need to make sure we have an absolute path to cat, relative to temp,\n\t\t\t\t\t// whether it is relative, or \"absolute\"\n\t\t\t\t\tcatFile = filepath.Join(tempDir, catFile)\n\t\t\t\t\t// If the spec for destination on the host was absolute, make sure we put that under tempDir\n\t\t\t\t\tif filepath.IsAbs(destinationSpec) {\n\t\t\t\t\t\tdestinationSpec = tempDir + destinationSpec\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\t// Teardown: clean-up containers and optional volume\n\t\t\t\ttearDown := func() {\n\t\t\t\t\tbase.Cmd(\"rm\", \"-f\", containerRunning).Run()\n\t\t\t\t\tbase.Cmd(\"rm\", \"-f\", containerStopped).Run()\n\t\t\t\t\tif testCase.volume != nil {\n\t\t\t\t\t\tvolID, _, _ := testCase.volume(base, testID)\n\t\t\t\t\t\tbase.Cmd(\"volume\", \"rm\", volID).Run()\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tcreateFileOnHost := func() {\n\t\t\t\t\tswitch fromStdin {\n\t\t\t\t\tcase true:\n\t\t\t\t\t\td := filepath.Dir(sourceFile)\n\t\t\t\t\t\ttarCpFolder := filepath.Join(d, cpFolderName)\n\t\t\t\t\t\ttarBinary, _, err := tarutil.FindTarBinary()\n\t\t\t\t\t\tassert.NilError(t, err)\n\n\t\t\t\t\t\terr = os.MkdirAll(tarCpFolder, dirPerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t\terr = os.WriteFile(filepath.Join(tarCpFolder, srcFileName), sourceFileContent, filePerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\n\t\t\t\t\t\terr = exec.Command(tarBinary, \"-cf\", sourceFile, \"-C\", tarCpFolder, \".\").Run()\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t\terr = os.RemoveAll(tarCpFolder)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\tcase false:\n\t\t\t\t\t\t// Create file on the host\n\t\t\t\t\t\terr := os.MkdirAll(filepath.Dir(sourceFile), dirPerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t\terr = os.WriteFile(sourceFile, sourceFileContent, filePerm)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\t// Setup: create volume, containers, create the source file\n\t\t\t\tsetup := func() {\n\t\t\t\t\targs := []string{\"run\", \"-d\", \"-w\", containerCwd}\n\t\t\t\t\tif testCase.volume != nil {\n\t\t\t\t\t\tvol, mount, ro := testCase.volume(base, testID)\n\t\t\t\t\t\tvolArg := fmt.Sprintf(\"%s:%s\", vol, mount)\n\t\t\t\t\t\tif ro {\n\t\t\t\t\t\t\tvolArg += \":ro\"\n\t\t\t\t\t\t}\n\t\t\t\t\t\targs = append(args, \"-v\", volArg)\n\t\t\t\t\t}\n\t\t\t\t\tbase.Cmd(append(args, \"--name\", containerRunning, testutil.CommonImage, \"sleep\", \"Inf\")...).AssertOK()\n\t\t\t\t\tbase.Cmd(append(args, \"--name\", containerStopped, testutil.CommonImage, \"sleep\", \"Inf\")...).AssertOK()\n\n\t\t\t\t\tif copyToContainer {\n\t\t\t\t\t\tcreateFileOnHost()\n\t\t\t\t\t} else {\n\t\t\t\t\t\t// Create file content in the container\n\t\t\t\t\t\t// Note: cd /, otherwise we end-up in the container cwd, which is NOT obeyed by cp\n\t\t\t\t\t\tmkSrcScript := fmt.Sprintf(\"cd /; mkdir -p %q && echo -n %q >%q && chown %d %q\", filepath.Dir(sourceFile), sourceFileContent, sourceFile, srcUID, sourceFile)\n\t\t\t\t\t\tbase.Cmd(\"exec\", containerRunning, \"sh\", \"-euc\", mkSrcScript).AssertOK()\n\t\t\t\t\t\tbase.Cmd(\"exec\", containerStopped, \"sh\", \"-euc\", mkSrcScript).AssertOK()\n\t\t\t\t\t}\n\n\t\t\t\t\t// If we have optional setup, run that now\n\t\t\t\t\tif testCase.setup != nil {\n\t\t\t\t\t\t// Some specs may come with a trailing slash (proper or improper)\n\t\t\t\t\t\t// Setup should still work in all cases (including if its a file), and get through to the actual test\n\t\t\t\t\t\tsetupDest := destinationSpec\n\t\t\t\t\t\tsetupDest = strings.TrimSuffix(setupDest, string(os.PathSeparator))\n\t\t\t\t\t\tif !filepath.IsAbs(setupDest) {\n\t\t\t\t\t\t\tif copyToContainer {\n\t\t\t\t\t\t\t\tsetupDest = filepath.Join(string(os.PathSeparator), setupDest)\n\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\tsetupDest = filepath.Join(tempDir, setupDest)\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t\ttestCase.setup(base, containerRunning, setupDest)\n\t\t\t\t\t\ttestCase.setup(base, containerStopped, setupDest)\n\t\t\t\t\t}\n\n\t\t\t\t\t// Stop the \"stopped\" container\n\t\t\t\t\tbase.Cmd(\"stop\", containerStopped).AssertOK()\n\t\t\t\t}\n\n\t\t\t\ttearDown()\n\t\t\t\tt.Cleanup(tearDown)\n\t\t\t\t// If we have custom teardown, do that\n\t\t\t\tif testCase.tearDown != nil {\n\t\t\t\t\ttestCase.tearDown()\n\t\t\t\t\tt.Cleanup(testCase.tearDown)\n\t\t\t\t}\n\n\t\t\t\t// Do the setup\n\t\t\t\tsetup()\n\n\t\t\t\t// If Docker, removes the err part of expectation\n\t\t\t\tif nerdtest.IsDocker() {\n\t\t\t\t\ttestCase.expect.Err = \"\"\n\t\t\t\t}\n\n\t\t\t\t// Build the final src and dest specifiers, including `containerXYZ:`\n\t\t\t\tcontainer := \"\"\n\t\t\t\tif copyToContainer {\n\t\t\t\t\tif fromStdin {\n\t\t\t\t\t\tif toStdout {\n\t\t\t\t\t\t\tnerdctlCmd := base.Cmd(\"cp\", \"-\", \"-\")\n\t\t\t\t\t\t\tnerdctlCmd.Run()\n\t\t\t\t\t\t\tnerdctlCmd.Assert(testCase.expect)\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tsourceSpec = \"-\"\n\t\t\t\t\t\t\tf, err := os.Open(sourceFile)\n\t\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t\t\tnerdctlCmd := base.Cmd(\"cp\", sourceSpec, containerRunning+\":\"+destinationSpec)\n\t\t\t\t\t\t\tnerdctlCmd.Stdin = f\n\n\t\t\t\t\t\t\tnerdctlCmd.Run()\n\t\t\t\t\t\t\tnerdctlCmd.Assert(testCase.expect)\n\t\t\t\t\t\t\tf.Close()\n\t\t\t\t\t\t}\n\t\t\t\t\t} else {\n\t\t\t\t\t\tbase.Cmd(\"cp\", sourceSpec, containerRunning+\":\"+destinationSpec).Assert(testCase.expect)\n\t\t\t\t\t}\n\t\t\t\t\tcontainer = containerRunning\n\t\t\t\t} else {\n\t\t\t\t\tnerdctlCmd := base.Cmd(\"cp\", containerRunning+\":\"+sourceSpec, destinationSpec)\n\t\t\t\t\tif toStdout {\n\t\t\t\t\t\tout := nerdctlCmd.Out()\n\t\t\t\t\t\tnerdctlCmd.Assert(testCase.expect)\n\n\t\t\t\t\t\t// Since we can't check tar file directly easily, extract to the same destination\n\t\t\t\t\t\ttarDst := filepath.Dir(catFile)\n\t\t\t\t\t\ttarBinary, _, err := tarutil.FindTarBinary()\n\t\t\t\t\t\tassert.NilError(t, err)\n\n\t\t\t\t\t\ttarCmd := exec.Command(tarBinary, \"-C\", tarDst, \"-xf\", \"-\")\n\t\t\t\t\t\ttarCmd.Stdin = strings.NewReader(out)\n\t\t\t\t\t\ttarCmd.Stdout = os.Stdout\n\n\t\t\t\t\t\ttarCmd.Run()\n\t\t\t\t\t\tassert.NilError(t, tarCmd.Err)\n\t\t\t\t\t} else {\n\t\t\t\t\t\tnerdctlCmd.Assert(testCase.expect)\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\t// Run the actual test for the running container\n\t\t\t\t// If we expect the op to be a success, also check the destination file\n\t\t\t\tif testCase.expect.ExitCode == 0 {\n\t\t\t\t\tassertCatHelper(base, catFile, sourceFileContent, container, destUID, false)\n\t\t\t\t}\n\n\t\t\t\t// When copying container > host, we get shadowing from the previous container, possibly hiding failures\n\t\t\t\t// Solution: clear-up the tempDir\n\t\t\t\tif copyToContainer {\n\t\t\t\t\terr := os.RemoveAll(tempDir)\n\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\terr = os.MkdirAll(tempDir, dirPerm)\n\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\tcreateFileOnHost()\n\t\t\t\t\tdefer os.RemoveAll(tempDir)\n\t\t\t\t}\n\n\t\t\t\t// ... and for the stopped container\n\t\t\t\tcontainer = \"\"\n\t\t\t\tvar cmd *testutil.Cmd\n\t\t\t\tif fromStdin && toStdout {\n\t\t\t\t\tcmd = base.Cmd(\"cp\", \"-\", \"-\")\n\t\t\t\t} else if copyToContainer {\n\t\t\t\t\tcontainer = containerStopped\n\t\t\t\t\tcmd = base.Cmd(\"cp\", sourceSpec, containerStopped+\":\"+destinationSpec)\n\t\t\t\t\tif fromStdin {\n\t\t\t\t\t\tf, err := os.Open(sourceFile)\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t\tdefer f.Close()\n\t\t\t\t\t\tcmd.Stdin = f\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\tcmd = base.Cmd(\"cp\", containerStopped+\":\"+sourceSpec, destinationSpec)\n\t\t\t\t}\n\n\t\t\t\tif rootlessutil.IsRootless() && !nerdtest.IsDocker() {\n\t\t\t\t\tif fromStdin && toStdout {\n\t\t\t\t\t\t// Regular assert test case should work fine if src and dst are invalid\n\t\t\t\t\t\tcmd.Assert(testCase.expect)\n\t\t\t\t\t} else {\n\t\t\t\t\t\tcmd.Assert(\n\t\t\t\t\t\t\ticmd.Expected{\n\t\t\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t\t\t\tErr: containerutil.ErrRootlessCannotCp.Error(),\n\t\t\t\t\t\t\t})\n\t\t\t\t\t}\n\t\t\t\t\treturn\n\t\t\t\t}\n\n\t\t\t\tcmd.Assert(testCase.expect)\n\t\t\t\tif testCase.expect.ExitCode == 0 {\n\t\t\t\t\tassertCatHelper(base, catFile, sourceFileContent, container, destUID, true)\n\t\t\t\t}\n\t\t\t})\n\t\t}\n\t})\n}\n" }, { "path": "cmd/nerdctl/container/container_cp_nolinux.go", "content": "//go:build !linux\n\n/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport \"github.com/spf13/cobra\"\n\nfunc AddCpCommand(rootCmd *cobra.Command) {\n\t// NOP\n}\n" }, { "path": "cmd/nerdctl/container/container_create.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"fmt\"\n\t\"runtime\"\n\n\t\"github.com/spf13/cobra\"\n\tcdiparser \"tags.cncf.io/container-device-interface/pkg/parser\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n\t\"github.com/containerd/nerdctl/v2/pkg/containerutil\"\n)\n\nfunc CreateCommand() *cobra.Command {\n\tshortHelp := \"Create a new container. Optionally specify \\\"ipfs://\\\" or \\\"ipns://\\\" scheme to pull image from IPFS.\"\n\tlongHelp := shortHelp\n\tswitch runtime.GOOS {\n\tcase \"windows\":\n\t\tlongHelp += \"\\n\"\n\t\tlongHelp += \"WARNING: `nerdctl create` is experimental on Windows and currently broken (https://github.com/containerd/nerdctl/issues/28)\"\n\tcase \"freebsd\":\n\t\tlongHelp += \"\\n\"\n\t\tlongHelp += \"WARNING: `nerdctl create` is experimental on FreeBSD and currently requires `--net=none` (https://github.com/containerd/nerdctl/blob/main/docs/freebsd.md)\"\n\t}\n\tvar cmd = &cobra.Command{\n\t\tUse: \"create [flags] IMAGE [COMMAND] [ARG...]\",\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tShort: shortHelp,\n\t\tLong: longHelp,\n\t\tRunE: createAction,\n\t\tValidArgsFunction: runShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().SetInterspersed(false)\n\tsetCreateFlags(cmd)\n\treturn cmd\n}\n\n//revive:disable:function-length\nfunc createOptions(cmd *cobra.Command) (types.ContainerCreateOptions, error) {\n\tvar err error\n\topt := types.ContainerCreateOptions{\n\t\tStdout: cmd.OutOrStdout(),\n\t\tStderr: cmd.ErrOrStderr(),\n\t}\n\n\topt.GOptions, err = helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\n\topt.NerdctlCmd, opt.NerdctlArgs = helpers.GlobalFlags(cmd)\n\n\t// #region for basic flags\n\t// The command `container start` doesn't support the flag `--interactive`. Set the default value of `opt.Interactive` false.\n\topt.Interactive = false\n\topt.TTY, err = cmd.Flags().GetBool(\"tty\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\t// The nerdctl create command similar to nerdctl run -d except the container is never started.\n\t// So we keep the default value of `opt.Detach` true.\n\topt.Detach = true\n\topt.Restart, err = cmd.Flags().GetString(\"restart\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.Rm, err = cmd.Flags().GetBool(\"rm\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.Pull, err = cmd.Flags().GetString(\"pull\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.Pid, err = cmd.Flags().GetString(\"pid\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.StopSignal, err = cmd.Flags().GetString(\"stop-signal\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.StopTimeout, err = cmd.Flags().GetInt(\"stop-timeout\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\t// #endregion\n\n\t// #region for platform flags\n\topt.Platform, err = cmd.Flags().GetString(\"platform\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\t// #endregion\n\n\t// #region for init process flags\n\topt.InitProcessFlag, err = cmd.Flags().GetBool(\"init\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\tif opt.InitProcessFlag || cmd.Flags().Changed(\"init-binary\") {\n\t\tvar initBinary string\n\t\tinitBinary, err = cmd.Flags().GetString(\"init-binary\")\n\t\tif err != nil {\n\t\t\treturn opt, err\n\t\t}\n\t\topt.InitBinary = &initBinary\n\t}\n\t// #endregion\n\n\t// #region for isolation flags\n\topt.Isolation, err = cmd.Flags().GetString(\"isolation\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\t// #endregion\n\n\t// #region for resource flags\n\topt.CPUs, err = cmd.Flags().GetFloat64(\"cpus\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.CPUQuota, err = cmd.Flags().GetInt64(\"cpu-quota\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.CPUPeriod, err = cmd.Flags().GetUint64(\"cpu-period\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.CPUShares, err = cmd.Flags().GetUint64(\"cpu-shares\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.CPUSetCPUs, err = cmd.Flags().GetString(\"cpuset-cpus\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.CPUSetMems, err = cmd.Flags().GetString(\"cpuset-mems\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.CPURealtimePeriod, err = cmd.Flags().GetUint64(\"cpu-rt-period\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.CPURealtimeRuntime, err = cmd.Flags().GetUint64(\"cpu-rt-runtime\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.Memory, err = cmd.Flags().GetString(\"memory\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.MemoryReservationChanged = cmd.Flags().Changed(\"memory-reservation\")\n\topt.MemoryReservation, err = cmd.Flags().GetString(\"memory-reservation\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.MemorySwap, err = cmd.Flags().GetString(\"memory-swap\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.MemorySwappiness64Changed = cmd.Flags().Changed(\"memory-swappiness\")\n\topt.MemorySwappiness64, err = cmd.Flags().GetInt64(\"memory-swappiness\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.KernelMemoryChanged = cmd.Flag(\"kernel-memory\").Changed\n\topt.KernelMemory, err = cmd.Flags().GetString(\"kernel-memory\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.OomKillDisable, err = cmd.Flags().GetBool(\"oom-kill-disable\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.OomScoreAdjChanged = cmd.Flags().Changed(\"oom-score-adj\")\n\topt.OomScoreAdj, err = cmd.Flags().GetInt(\"oom-score-adj\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.PidsLimit, err = cmd.Flags().GetInt64(\"pids-limit\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.CgroupConf, err = cmd.Flags().GetStringSlice(\"cgroup-conf\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.Cgroupns, err = cmd.Flags().GetString(\"cgroupns\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.CgroupParent, err = cmd.Flags().GetString(\"cgroup-parent\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\n\tallDevices, err := cmd.Flags().GetStringSlice(\"device\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\tfor _, device := range allDevices {\n\t\tif cdiparser.IsQualifiedName(device) {\n\t\t\topt.CDIDevices = append(opt.CDIDevices, device)\n\t\t} else {\n\t\t\topt.Device = append(opt.Device, device)\n\t\t}\n\t}\n\t// #endregion\n\n\t// #region for blkio flags\n\topt.BlkioWeight, err = cmd.Flags().GetUint16(\"blkio-weight\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.BlkioWeightDevice, err = cmd.Flags().GetStringArray(\"blkio-weight-device\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.BlkioDeviceReadBps, err = cmd.Flags().GetStringArray(\"device-read-bps\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.BlkioDeviceWriteBps, err = cmd.Flags().GetStringArray(\"device-write-bps\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.BlkioDeviceReadIOps, err = cmd.Flags().GetStringArray(\"device-read-iops\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.BlkioDeviceWriteIOps, err = cmd.Flags().GetStringArray(\"device-write-iops\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\t// #endregion\n\n\t// #region for healthcheck flags\n\topt.HealthCmd, err = cmd.Flags().GetString(\"health-cmd\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.HealthInterval, err = cmd.Flags().GetDuration(\"health-interval\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.HealthTimeout, err = cmd.Flags().GetDuration(\"health-timeout\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.HealthRetries, err = cmd.Flags().GetInt(\"health-retries\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.HealthStartPeriod, err = cmd.Flags().GetDuration(\"health-start-period\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.NoHealthcheck, err = cmd.Flags().GetBool(\"no-healthcheck\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\tif err := helpers.ValidateHealthcheckFlags(opt); err != nil {\n\t\treturn opt, err\n\t}\n\t// #endregion\n\n\t// #region for intel RDT flags\n\topt.RDTClass, err = cmd.Flags().GetString(\"rdt-class\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\t// #endregion\n\n\t// #region for user flags\n\t// If user is set we will attempt to start container with that user (must be present on the host)\n\t// Otherwise we will inherit permissions from the user that the containerd process is running as\n\topt.User, err = cmd.Flags().GetString(\"user\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.Umask = \"\"\n\tif cmd.Flags().Changed(\"umask\") {\n\t\topt.Umask, err = cmd.Flags().GetString(\"umask\")\n\t\tif err != nil {\n\t\t\treturn opt, err\n\t\t}\n\t}\n\topt.GroupAdd, err = cmd.Flags().GetStringSlice(\"group-add\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\t// #endregion\n\n\t// #region for security flags\n\topt.SecurityOpt, err = cmd.Flags().GetStringArray(\"security-opt\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.CapAdd, err = cmd.Flags().GetStringSlice(\"cap-add\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.CapDrop, err = cmd.Flags().GetStringSlice(\"cap-drop\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.Privileged, err = cmd.Flags().GetBool(\"privileged\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.Systemd, err = cmd.Flags().GetString(\"systemd\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\t// #endregion\n\n\t// #region for runtime flags\n\topt.Runtime, err = cmd.Flags().GetString(\"runtime\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.Sysctl, err = cmd.Flags().GetStringArray(\"sysctl\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\t// #endregion\n\n\t// #region for volume flags\n\topt.Volume, err = cmd.Flags().GetStringArray(\"volume\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\t// tmpfs needs to be StringArray, not StringSlice, to prevent \"/foo:size=64m,exec\" from being split to {\"/foo:size=64m\", \"exec\"}\n\topt.Tmpfs, err = cmd.Flags().GetStringArray(\"tmpfs\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.Mount, err = cmd.Flags().GetStringArray(\"mount\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.VolumesFrom, err = cmd.Flags().GetStringArray(\"volumes-from\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\t// #endregion\n\n\t// #region for rootfs flags\n\topt.ReadOnly, err = cmd.Flags().GetBool(\"read-only\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.Rootfs, err = cmd.Flags().GetBool(\"rootfs\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\t// #endregion\n\n\t// #region for env flags\n\topt.EntrypointChanged = cmd.Flags().Changed(\"entrypoint\")\n\topt.Entrypoint, err = cmd.Flags().GetStringArray(\"entrypoint\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.Workdir, err = cmd.Flags().GetString(\"workdir\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.Env, err = cmd.Flags().GetStringArray(\"env\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.EnvFile, err = cmd.Flags().GetStringSlice(\"env-file\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\t// #endregion\n\n\t// #region for metadata flags\n\topt.Name, err = cmd.Flags().GetString(\"name\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.Label, err = cmd.Flags().GetStringArray(\"label\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.LabelFile, err = cmd.Flags().GetStringSlice(\"label-file\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.Annotations, err = cmd.Flags().GetStringArray(\"annotation\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.CidFile, err = cmd.Flags().GetString(\"cidfile\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.PidFile = \"\"\n\tif cmd.Flags().Changed(\"pidfile\") {\n\t\topt.PidFile, err = cmd.Flags().GetString(\"pidfile\")\n\t\tif err != nil {\n\t\t\treturn opt, err\n\t\t}\n\t}\n\t// #endregion\n\n\t// #region for logging flags\n\t// json-file is the built-in and default log driver for nerdctl\n\topt.LogDriver, err = cmd.Flags().GetString(\"log-driver\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.LogOpt, err = cmd.Flags().GetStringArray(\"log-opt\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\t// #endregion\n\n\t// #region for shared memory flags\n\topt.IPC, err = cmd.Flags().GetString(\"ipc\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.ShmSize, err = cmd.Flags().GetString(\"shm-size\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\t// #endregion\n\n\t// #region for gpu flags\n\topt.GPUs, err = cmd.Flags().GetStringArray(\"gpus\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\t// #endregion\n\n\t// #region for ulimit flags\n\topt.Ulimit, err = cmd.Flags().GetStringSlice(\"ulimit\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\t// #endregion\n\n\t// #region for ipfs flags\n\topt.IPFSAddress, err = cmd.Flags().GetString(\"ipfs-address\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\t// #endregion\n\n\t// #region for image pull and verify options\n\timageVerifyOpt, err := helpers.VerifyOptions(cmd)\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\tquiet, err := cmd.Flags().GetBool(\"quiet\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.ImagePullOpt = types.ImagePullOptions{\n\t\tGOptions: opt.GOptions,\n\t\tVerifyOptions: imageVerifyOpt,\n\t\tIPFSAddress: opt.IPFSAddress,\n\t\tStdout: opt.Stdout,\n\t\tStderr: opt.Stderr,\n\t\tQuiet: quiet,\n\t}\n\t// #endregion\n\n\t// #region for UserNS\n\topt.UserNS, err = cmd.Flags().GetString(\"userns-remap\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\n\tuserns, err := cmd.Flags().GetString(\"userns\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\n\tif userns == \"host\" {\n\t\topt.UserNS = \"\"\n\t} else if userns != \"\" {\n\t\treturn opt, fmt.Errorf(\"invalid user mode\")\n\t}\n\n\tif opt.Privileged && opt.UserNS != \"\" {\n\t\t//userns-remap is not supported with privileged flag.\n\t\t// Ref: https://docs.docker.com/engine/security/userns-remap/\n\t\treturn opt, fmt.Errorf(\"privileged flag cannot be used with userns-remap\")\n\t}\n\t// #endregion\n\n\treturn opt, nil\n}\n\nfunc createAction(cmd *cobra.Command, args []string) error {\n\tcreateOpt, err := createOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif (createOpt.Platform == \"windows\" || createOpt.Platform == \"freebsd\") && !createOpt.GOptions.Experimental {\n\t\treturn fmt.Errorf(\"%s requires experimental mode to be enabled\", createOpt.Platform)\n\t}\n\tclient, ctx, cancel, err := clientutil.NewClientWithPlatform(cmd.Context(), createOpt.GOptions.Namespace, createOpt.GOptions.Address, createOpt.Platform)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\tnetFlags, err := loadNetworkFlags(cmd, createOpt.GOptions)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"failed to load networking flags: %w\", err)\n\t}\n\n\tnetManager, err := containerutil.NewNetworkingOptionsManager(createOpt.GOptions, netFlags, client)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tc, gc, err := container.Create(ctx, client, args, netManager, createOpt)\n\tif err != nil {\n\t\tif gc != nil {\n\t\t\tgc()\n\t\t}\n\t\treturn err\n\t}\n\t// defer setting `nerdctl/error` label in case of error\n\tdefer func() {\n\t\tif err != nil {\n\t\t\tcontainerutil.UpdateErrorLabel(ctx, c, err)\n\t\t}\n\t}()\n\n\tfmt.Fprintln(createOpt.Stdout, c.ID())\n\treturn nil\n}\n" }, { "path": "cmd/nerdctl/container/container_create_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strconv\"\n\t\"strings\"\n\t\"syscall\"\n\t\"testing\"\n\n\t\"github.com/opencontainers/go-digest\"\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/containerd/v2/defaults\"\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nettestutil\"\n)\n\nfunc TestCreateWithLabel(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\ttID := testutil.Identifier(t)\n\n\tbase.Cmd(\"create\", \"--name\", tID, \"--label\", \"foo=bar\", testutil.NginxAlpineImage, \"echo\", \"foo\").AssertOK()\n\tdefer base.Cmd(\"rm\", \"-f\", tID).Run()\n\tinspect := base.InspectContainer(tID)\n\tassert.Equal(base.T, \"bar\", inspect.Config.Labels[\"foo\"])\n\t// the label `maintainer`` is defined by image\n\tassert.Equal(base.T, \"NGINX Docker Maintainers \", inspect.Config.Labels[\"maintainer\"])\n}\n\nfunc TestCreateWithMACAddress(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\ttID := testutil.Identifier(t)\n\tnetworkBridge := \"testNetworkBridge\" + tID\n\tnetworkMACvlan := \"testNetworkMACvlan\" + tID\n\tnetworkIPvlan := \"testNetworkIPvlan\" + tID\n\n\ttearDown := func() {\n\t\tbase.Cmd(\"network\", \"rm\", networkBridge).Run()\n\t\tbase.Cmd(\"network\", \"rm\", networkMACvlan).Run()\n\t\tbase.Cmd(\"network\", \"rm\", networkIPvlan).Run()\n\t}\n\n\ttearDown()\n\tt.Cleanup(tearDown)\n\n\tbase.Cmd(\"network\", \"create\", networkBridge, \"--driver\", \"bridge\").AssertOK()\n\tbase.Cmd(\"network\", \"create\", networkMACvlan, \"--driver\", \"macvlan\").AssertOK()\n\tbase.Cmd(\"network\", \"create\", networkIPvlan, \"--driver\", \"ipvlan\").AssertOK()\n\n\tdefaultMac := base.Cmd(\"run\", \"--rm\", \"-i\", \"--network\", \"host\", testutil.CommonImage).\n\t\tCmdOption(testutil.WithStdin(strings.NewReader(\"ip addr show eth0 | grep ether | awk '{printf $2}'\"))).\n\t\tRun().Stdout()\n\n\tpassedMac := \"we expect the generated mac on the output\"\n\ttests := []struct {\n\t\tNetwork string\n\t\tWantErr bool\n\t\tExpect string\n\t}{\n\t\t{\"host\", false, defaultMac}, // anything but the actual address being passed\n\t\t{\"none\", false, \"\"},\n\t\t{\"container:whatever\" + tID, true, \"container\"}, // \"No such container\" vs. \"could not find container\"\n\t\t{\"bridge\", false, passedMac},\n\t\t{networkBridge, false, passedMac},\n\t\t{networkMACvlan, false, passedMac},\n\t\t{networkIPvlan, true, \"not support\"},\n\t}\n\tfor i, test := range tests {\n\t\tcontainerName := fmt.Sprintf(\"%s_%d\", tID, i)\n\t\ttestName := fmt.Sprintf(\"%s_container:%s_network:%s_expect:%s\", tID, containerName, test.Network, test.Expect)\n\t\texpect := test.Expect\n\t\tnetwork := test.Network\n\t\twantErr := test.WantErr\n\t\tt.Run(testName, func(tt *testing.T) {\n\t\t\ttt.Parallel()\n\n\t\t\tmacAddress, err := nettestutil.GenerateMACAddress()\n\t\t\tif err != nil {\n\t\t\t\ttt.Errorf(\"failed to generate MAC address: %s\", err)\n\t\t\t}\n\t\t\tif expect == passedMac {\n\t\t\t\texpect = macAddress\n\t\t\t}\n\t\t\ttearDown := func() {\n\t\t\t\tbase.Cmd(\"rm\", \"-f\", containerName).Run()\n\t\t\t}\n\t\t\ttearDown()\n\t\t\ttt.Cleanup(tearDown)\n\t\t\t// This is currently blocked by https://github.com/containerd/nerdctl/pull/3104\n\t\t\t// res := base.Cmd(\"create\", \"-i\", \"--network\", network, \"--mac-address\", macAddress, testutil.CommonImage).Run()\n\t\t\tres := base.Cmd(\"create\", \"--network\", network, \"--name\", containerName,\n\t\t\t\t\"--mac-address\", macAddress, testutil.CommonImage,\n\t\t\t\t\"sh\", \"-c\", \"--\", \"ip addr show\").Run()\n\n\t\t\tif !wantErr {\n\t\t\t\tassert.Assert(t, res.ExitCode == 0, \"Command should have succeeded\", res)\n\t\t\t\t// This is currently blocked by: https://github.com/containerd/nerdctl/pull/3104\n\t\t\t\t// res = base.Cmd(\"start\", \"-i\", containerName).\n\t\t\t\t//\tCmdOption(testutil.WithStdin(strings.NewReader(\"ip addr show eth0 | grep ether | awk '{printf $2}'\"))).Run()\n\t\t\t\tres = base.Cmd(\"start\", \"-a\", containerName).Run()\n\t\t\t\t// FIXME: flaky - this has failed on the CI once, with the output NOT containing anything\n\t\t\t\t// https://github.com/containerd/nerdctl/actions/runs/11392051487/job/31697214002?pr=3535#step:7:271\n\t\t\t\tassert.Assert(t, strings.Contains(res.Stdout(), expect), fmt.Sprintf(\"expected output to contain %q: %q\", expect, res.Stdout()))\n\t\t\t\tassert.Assert(t, res.ExitCode == 0, \"Command should have succeeded\")\n\t\t\t} else {\n\t\t\t\tif nerdtest.IsDocker() &&\n\t\t\t\t\t(network == networkIPvlan || network == \"container:whatever\"+tID) {\n\t\t\t\t\t// unlike nerdctl\n\t\t\t\t\t// when using network ipvlan or container in Docker\n\t\t\t\t\t// it delays fail on executing start command\n\t\t\t\t\tassert.Assert(t, res.ExitCode == 0, \"Command should have succeeded\", res)\n\t\t\t\t\tres = base.Cmd(\"start\", \"-i\", \"-a\", containerName).\n\t\t\t\t\t\tCmdOption(testutil.WithStdin(strings.NewReader(\"ip addr show eth0 | grep ether | awk '{printf $2}'\"))).Run()\n\t\t\t\t}\n\n\t\t\t\t// See https://github.com/containerd/nerdctl/issues/3101\n\t\t\t\tif nerdtest.IsDocker() &&\n\t\t\t\t\t(network == networkBridge) {\n\t\t\t\t\texpect = \"\"\n\t\t\t\t}\n\t\t\t\tif expect != \"\" {\n\t\t\t\t\tassert.Assert(t, strings.Contains(res.Combined(), expect), fmt.Sprintf(\"expected output to contain %q: %q\", expect, res.Combined()))\n\t\t\t\t} else {\n\t\t\t\t\tassert.Assert(t, res.Combined() == \"\", fmt.Sprintf(\"expected output to be empty: %q\", res.Combined()))\n\t\t\t\t}\n\t\t\t\tassert.Assert(t, res.ExitCode != 0, \"Command should have failed\", res)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestCreateWithTty(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\timageName := testutil.CommonImage\n\twithoutTtyContainerName := \"without-terminal-\" + testutil.Identifier(t)\n\twithTtyContainerName := \"with-terminal-\" + testutil.Identifier(t)\n\n\t// without -t, fail\n\tbase.Cmd(\"create\", \"--name\", withoutTtyContainerName, imageName, \"stty\").AssertOK()\n\tbase.Cmd(\"start\", withoutTtyContainerName).AssertOK()\n\tdefer base.Cmd(\"container\", \"rm\", \"-f\", withoutTtyContainerName).AssertOK()\n\tbase.Cmd(\"logs\", withoutTtyContainerName).AssertCombinedOutContains(\"stty: standard input: Not a tty\")\n\twithoutTtyContainer := base.InspectContainer(withoutTtyContainerName)\n\tassert.Equal(base.T, 1, withoutTtyContainer.State.ExitCode)\n\n\t// with -t, success\n\tbase.Cmd(\"create\", \"-t\", \"--name\", withTtyContainerName, imageName, \"stty\").AssertOK()\n\tbase.Cmd(\"start\", withTtyContainerName).AssertOK()\n\tdefer base.Cmd(\"container\", \"rm\", \"-f\", withTtyContainerName).AssertOK()\n\tbase.Cmd(\"logs\", withTtyContainerName).AssertCombinedOutContains(\"speed 38400 baud; line = 0;\")\n\twithTtyContainer := base.InspectContainer(withTtyContainerName)\n\tassert.Equal(base.T, 0, withTtyContainer.State.ExitCode)\n}\n\n// TestIssue2993 tests https://github.com/containerd/nerdctl/issues/2993\nfunc TestIssue2993(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = require.Not(nerdtest.Docker)\n\n\tconst (\n\t\tcontainersPathKey = \"containersPath\"\n\t\tetchostsPathKey = \"etchostsPath\"\n\t)\n\n\tgetAddrHash := func(addr string) string {\n\t\tconst addrHashLen = 8\n\n\t\td := digest.SHA256.FromString(addr)\n\t\th := d.Encoded()[0:addrHashLen]\n\n\t\treturn h\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"Issue #2993 - nerdctl no longer leaks containers and etchosts directories and files when container creation fails.\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tdataRoot := data.Temp().Path()\n\n\t\t\t\thelpers.Ensure(\"run\", \"--data-root\", dataRoot, \"--name\", data.Identifier(), \"-d\", testutil.AlpineImage, \"sleep\", nerdtest.Infinity)\n\n\t\t\t\th := getAddrHash(defaults.DefaultAddress)\n\t\t\t\tdataStore := filepath.Join(dataRoot, h)\n\n\t\t\t\tnamespace := string(helpers.Read(nerdtest.Namespace))\n\n\t\t\t\tcontainersPath := filepath.Join(dataStore, \"containers\", namespace)\n\t\t\t\tcontainersDirs, err := os.ReadDir(containersPath)\n\t\t\t\tassert.NilError(t, err)\n\t\t\t\tassert.Equal(t, len(containersDirs), 1)\n\n\t\t\t\tetchostsPath := filepath.Join(dataStore, \"etchosts\", namespace)\n\t\t\t\tetchostsDirs, err := os.ReadDir(etchostsPath)\n\t\t\t\tassert.NilError(t, err)\n\t\t\t\tassert.Equal(t, len(etchostsDirs), 1)\n\n\t\t\t\tdata.Labels().Set(containersPathKey, containersPath)\n\t\t\t\tdata.Labels().Set(etchostsPathKey, etchostsPath)\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"--data-root\", data.Temp().Path(), \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"run\", \"--data-root\", data.Temp().Path(), \"--name\", data.Identifier(), \"-d\", testutil.AlpineImage, \"sleep\", nerdtest.Infinity)\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{errors.New(\"is already used by ID\")},\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tcontainersDirs, err := os.ReadDir(data.Labels().Get(containersPathKey))\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t\tassert.Equal(t, len(containersDirs), 1)\n\n\t\t\t\t\t\tetchostsDirs, err := os.ReadDir(data.Labels().Get(etchostsPathKey))\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t\tassert.Equal(t, len(etchostsDirs), 1)\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Issue #2993 - nerdctl no longer leaks containers and etchosts directories and files when containers are removed.\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tdataRoot := data.Temp().Path()\n\n\t\t\t\thelpers.Ensure(\"run\", \"--data-root\", dataRoot, \"--name\", data.Identifier(), \"-d\", testutil.AlpineImage, \"sleep\", nerdtest.Infinity)\n\n\t\t\t\th := getAddrHash(defaults.DefaultAddress)\n\t\t\t\tdataStore := filepath.Join(dataRoot, h)\n\n\t\t\t\tnamespace := string(helpers.Read(nerdtest.Namespace))\n\n\t\t\t\tcontainersPath := filepath.Join(dataStore, \"containers\", namespace)\n\t\t\t\tcontainersDirs, err := os.ReadDir(containersPath)\n\t\t\t\tassert.NilError(t, err)\n\t\t\t\tassert.Equal(t, len(containersDirs), 1)\n\n\t\t\t\tetchostsPath := filepath.Join(dataStore, \"etchosts\", namespace)\n\t\t\t\tetchostsDirs, err := os.ReadDir(etchostsPath)\n\t\t\t\tassert.NilError(t, err)\n\t\t\t\tassert.Equal(t, len(etchostsDirs), 1)\n\n\t\t\t\tdata.Labels().Set(containersPathKey, containersPath)\n\t\t\t\tdata.Labels().Set(etchostsPathKey, etchostsPath)\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"--data-root\", data.Temp().Path(), \"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"--data-root\", data.Temp().Path(), \"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tErrors: []error{},\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tcontainersDirs, err := os.ReadDir(data.Labels().Get(containersPathKey))\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t\tassert.Equal(t, len(containersDirs), 0)\n\n\t\t\t\t\t\tetchostsDirs, err := os.ReadDir(data.Labels().Get(etchostsPathKey))\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t\tassert.Equal(t, len(etchostsDirs), 0)\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestCreateFromOCIArchive(t *testing.T) {\n\ttestutil.RequiresBuild(t)\n\ttestutil.RegisterBuildCacheCleanup(t)\n\n\t// Docker does not support creating containers from OCI archive.\n\ttestutil.DockerIncompatible(t)\n\n\tbase := testutil.NewBase(t)\n\timageName := testutil.Identifier(t)\n\tcontainerName := testutil.Identifier(t)\n\n\tteardown := func() {\n\t\tbase.Cmd(\"rm\", \"-f\", containerName).Run()\n\t\tbase.Cmd(\"rmi\", \"-f\", imageName).Run()\n\t}\n\tdefer teardown()\n\tteardown()\n\n\tconst sentinel = \"test-nerdctl-create-from-oci-archive\"\n\tdockerfile := fmt.Sprintf(`FROM %s\n\tCMD [\"echo\", \"%s\"]`, testutil.CommonImage, sentinel)\n\n\tbuildCtx := helpers.CreateBuildContext(t, dockerfile)\n\ttag := fmt.Sprintf(\"%s:latest\", imageName)\n\ttarPath := fmt.Sprintf(\"%s/%s.tar\", buildCtx, imageName)\n\n\tbase.Cmd(\"build\", \"--tag\", tag, fmt.Sprintf(\"--output=type=oci,dest=%s\", tarPath), buildCtx).AssertOK()\n\tbase.Cmd(\"create\", \"--rm\", \"--name\", containerName, fmt.Sprintf(\"oci-archive://%s\", tarPath)).AssertOK()\n\tbase.Cmd(\"start\", \"--attach\", containerName).AssertOutContains(\"test-nerdctl-create-from-oci-archive\")\n}\n\nfunc TestUsernsMappingCreateCmd(t *testing.T) {\n\tnerdtest.Setup()\n\n\ttestCase := &test.Case{\n\t\tRequire: require.All(\n\t\t\tnerdtest.AllowModifyUserns,\n\t\t\tnerdtest.RemapIDs,\n\t\t\trequire.Not(nerdtest.Docker)),\n\t\tNoParallel: true,\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdata.Labels().Set(\"validUserns\", \"nerdctltestuser\")\n\t\t\tdata.Labels().Set(\"expectedHostUID\", \"123456789\")\n\t\t\tdata.Labels().Set(\"invalidUserns\", \"invaliduser\")\n\t\t},\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"Test container create with valid Userns\",\n\t\t\t\tNoParallel: true, // Changes system config so running in non parallel mode\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\terr := appendUsernsConfig(data.Labels().Get(\"validUserns\"), data.Labels().Get(\"expectedHostUID\"), helpers)\n\t\t\t\t\tassert.NilError(t, err, \"Failed to append Userns config\")\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\tremoveUsernsConfig(t, data.Labels().Get(\"validUserns\"), helpers)\n\t\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\thelpers.Ensure(\"create\", \"--tty\", \"--userns-remap\", data.Labels().Get(\"validUserns\"), \"--name\", data.Identifier(), testutil.NginxAlpineImage)\n\t\t\t\t\treturn helpers.Command(\"start\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\tactualHostUID, err := getContainerHostUID(helpers, data.Identifier())\n\t\t\t\t\t\t\tassert.NilError(t, err, \"Failed to get container host UID\")\n\t\t\t\t\t\t\tassert.Assert(t, actualHostUID == data.Labels().Get(\"expectedHostUID\"))\n\t\t\t\t\t\t},\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Test container create failure with valid Userns and privileged flag\",\n\t\t\t\tNoParallel: true, // Changes system config so running in non parallel mode\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\terr := appendUsernsConfig(data.Labels().Get(\"validUserns\"), data.Labels().Get(\"expectedHostUID\"), helpers)\n\t\t\t\t\tassert.NilError(t, err, \"Failed to append Userns config\")\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\tremoveUsernsConfig(t, data.Labels().Get(\"validUserns\"), helpers)\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"create\", \"--tty\", \"--privileged\", \"--userns-remap\", data.Labels().Get(\"validUserns\"), \"--name\", data.Identifier(), testutil.NginxAlpineImage)\n\t\t\t\t},\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Test container create with invalid Userns\",\n\t\t\t\tNoParallel: true, // Changes system config so running in non parallel mode\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"create\", \"--tty\", \"--userns-remap\", data.Labels().Get(\"invalidUserns\"), \"--name\", data.Identifier(), testutil.NginxAlpineImage)\n\t\t\t\t},\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\ttestCase.Run(t)\n}\n\nfunc getContainerHostUID(helpers test.Helpers, containerName string) (string, error) {\n\tresult := helpers.Capture(\"inspect\", \"--format\", \"{{.State.Pid}}\", containerName)\n\tpidStr := strings.TrimSpace(result)\n\tpid, err := strconv.Atoi(pidStr)\n\tif err != nil {\n\t\treturn \"\", fmt.Errorf(\"invalid PID: %v\", err)\n\t}\n\n\tstat, err := os.Stat(fmt.Sprintf(\"/proc/%d\", pid))\n\tif err != nil {\n\t\treturn \"\", fmt.Errorf(\"failed to stat process: %v\", err)\n\t}\n\n\tuid := int(stat.Sys().(*syscall.Stat_t).Uid)\n\treturn strconv.Itoa(uid), nil\n}\n\nfunc appendUsernsConfig(userns string, hostUID string, helpers test.Helpers) error {\n\taddUser(userns, hostUID, helpers)\n\tentry := fmt.Sprintf(\"%s:%s:65536\\n\", userns, hostUID)\n\ttempDir := helpers.T().TempDir()\n\tfiles := []string{\"subuid\", \"subgid\"}\n\tfor _, file := range files {\n\n\t\tfileBak := filepath.Join(tempDir, file)\n\t\tdefer os.Remove(fileBak)\n\t\td, err := os.Create(fileBak)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to create %s: %w\", fileBak, err)\n\t\t}\n\n\t\ts, err := os.Open(filepath.Join(\"/etc\", file))\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to open %s: %w\", file, err)\n\t\t}\n\t\tdefer s.Close()\n\n\t\t_, err = io.Copy(d, s)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to copy %s to %s: %w\", file, fileBak, err)\n\t\t}\n\n\t\tf, err := os.OpenFile(fmt.Sprintf(\"/etc/%s\", file), os.O_APPEND|os.O_WRONLY, 0644)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to open %s: %w\", file, err)\n\t\t}\n\t\tdefer f.Close()\n\n\t\tif _, err := f.WriteString(entry); err != nil {\n\t\t\treturn fmt.Errorf(\"failed to write to %s: %w\", file, err)\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc addUser(username string, hostID string, helpers test.Helpers) {\n\thelpers.Custom(\"groupadd\", \"-g\", hostID, username).Run(&test.Expected{\n\t\tExitCode: 0})\n\thelpers.Custom(\"useradd\", \"-u\", hostID, \"-g\", hostID, \"-s\", \"/bin/false\", username).Run(&test.Expected{\n\t\tExitCode: 0})\n}\n\nfunc removeUsernsConfig(t *testing.T, userns string, helpers test.Helpers) {\n\tdelUser(userns, helpers)\n\tdelGroup(userns, helpers)\n\ttempDir := helpers.T().TempDir()\n\tfiles := []string{\"subuid\", \"subgid\"}\n\tfor _, file := range files {\n\t\tfileBak := filepath.Join(tempDir, file)\n\t\ts, err := os.Open(fileBak)\n\t\tif err != nil {\n\t\t\tt.Logf(\"failed to open %s, Error: %s\", fileBak, err)\n\t\t\tcontinue\n\t\t}\n\t\tdefer s.Close()\n\n\t\td, err := os.Open(filepath.Join(\"/etc/%s\", file))\n\t\tif err != nil {\n\t\t\tt.Logf(\"failed to open %s, Error: %s\", file, err)\n\t\t\tcontinue\n\n\t\t}\n\t\tdefer d.Close()\n\n\t\t_, err = io.Copy(d, s)\n\t\tif err != nil {\n\t\t\tt.Logf(\"failed to restore. Copy %s to %s failed, Error %s\", fileBak, file, err)\n\t\t\tcontinue\n\t\t}\n\n\t}\n}\n\nfunc delUser(username string, helpers test.Helpers) {\n\thelpers.Custom(\"userdel\", username).Run(&test.Expected{ExitCode: expect.ExitCodeNoCheck})\n}\n\nfunc delGroup(groupname string, helpers test.Helpers) {\n\thelpers.Custom(\"groupdel\", groupname).Run(&test.Expected{ExitCode: expect.ExitCodeNoCheck})\n}\n" }, { "path": "cmd/nerdctl/container/container_create_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"testing\"\n\t\"time\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/inspecttypes/dockercompat\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestCreate(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"create\", \"--name\", data.Identifier(\"container\"), testutil.CommonImage, \"echo\", \"foo\")\n\t\tdata.Labels().Set(\"cID\", data.Identifier(\"container\"))\n\t}\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"container\"))\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"ps -a\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"ps\", \"-a\", \"--filter\", \"status=created\", \"--filter\", fmt.Sprintf(\"name=%s\", data.Labels().Get(\"cID\")))\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"Created\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"start\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"start\", \"-a\", data.Labels().Get(\"cID\"))\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"foo\")),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestCreateHyperVContainer(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = nerdtest.HyperV\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"create\", \"--isolation\", \"hyperv\", \"--name\", data.Identifier(\"container\"), testutil.CommonImage, \"echo\", \"foo\")\n\t\tdata.Labels().Set(\"cID\", data.Identifier(\"container\"))\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"container\"))\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"ps -a\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: test.Command(\"ps\", \"-a\"),\n\t\t\t// FIXME: this might get a false positive if other tests have created a container\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"Created\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"start\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"start\", data.Labels().Get(\"cID\"))\n\t\t\t\tran := false\n\t\t\t\tfor i := 0; i < 10 && !ran; i++ {\n\t\t\t\t\thelpers.Command(\"container\", \"inspect\", data.Labels().Get(\"cID\")).\n\t\t\t\t\t\tRun(&test.Expected{\n\t\t\t\t\t\t\tExitCode: expect.ExitCodeNoCheck,\n\t\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\t\tvar dc []dockercompat.Container\n\t\t\t\t\t\t\t\terr := json.Unmarshal([]byte(stdout), &dc)\n\t\t\t\t\t\t\t\tif err != nil || len(dc) == 0 {\n\t\t\t\t\t\t\t\t\treturn\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\tassert.Equal(t, len(dc), 1, \"Unexpectedly got multiple results\\n\")\n\t\t\t\t\t\t\t\tran = dc[0].State.Status == \"exited\"\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t})\n\t\t\t\t\ttime.Sleep(time.Second)\n\t\t\t\t}\n\t\t\t\tassert.Assert(t, ran, \"container did not ran after 10 seconds\")\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"logs\", data.Labels().Get(\"cID\"))\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"foo\")),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_diff.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"time\"\n\n\t\"github.com/opencontainers/image-spec/identity\"\n\t\"github.com/spf13/cobra\"\n\n\tcontainerd \"github.com/containerd/containerd/v2/client\"\n\t\"github.com/containerd/containerd/v2/core/leases\"\n\t\"github.com/containerd/containerd/v2/core/mount\"\n\t\"github.com/containerd/continuity/fs\"\n\t\"github.com/containerd/log\"\n\t\"github.com/containerd/platforms\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/idgen\"\n\t\"github.com/containerd/nerdctl/v2/pkg/idutil/containerwalker\"\n\t\"github.com/containerd/nerdctl/v2/pkg/imgutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/labels\"\n)\n\nfunc DiffCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"diff [CONTAINER]\",\n\t\tShort: \"Inspect changes to files or directories on a container's filesystem\",\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tRunE: diffAction,\n\t\tValidArgsFunction: diffShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\treturn cmd\n}\n\nfunc diffOptions(cmd *cobra.Command) (types.ContainerDiffOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ContainerDiffOptions{}, err\n\t}\n\n\treturn types.ContainerDiffOptions{\n\t\tStdout: cmd.OutOrStdout(),\n\t\tGOptions: globalOptions,\n\t}, nil\n}\n\nfunc diffAction(cmd *cobra.Command, args []string) error {\n\toptions, err := diffOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\twalker := &containerwalker.ContainerWalker{\n\t\tClient: client,\n\t\tOnFound: func(ctx context.Context, found containerwalker.Found) error {\n\t\t\tif found.MatchCount > 1 {\n\t\t\t\treturn fmt.Errorf(\"multiple IDs found with provided prefix: %s\", found.Req)\n\t\t\t}\n\t\t\tchanges, err := getChanges(ctx, client, found.Container)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\n\t\t\tfor _, change := range changes {\n\t\t\t\tswitch change.Kind {\n\t\t\t\tcase fs.ChangeKindAdd:\n\t\t\t\t\tfmt.Fprintln(options.Stdout, \"A\", change.Path)\n\t\t\t\tcase fs.ChangeKindModify:\n\t\t\t\t\tfmt.Fprintln(options.Stdout, \"C\", change.Path)\n\t\t\t\tcase fs.ChangeKindDelete:\n\t\t\t\t\tfmt.Fprintln(options.Stdout, \"D\", change.Path)\n\t\t\t\tdefault:\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn nil\n\t\t},\n\t}\n\n\tcontainer := args[0]\n\n\tn, err := walker.Walk(ctx, container)\n\tif err != nil {\n\t\treturn err\n\t} else if n == 0 {\n\t\treturn fmt.Errorf(\"no such container %s\", container)\n\t}\n\treturn nil\n}\n\nfunc getChanges(ctx context.Context, client *containerd.Client, container containerd.Container) ([]fs.Change, error) {\n\tid := container.ID()\n\tinfo, err := container.Info(ctx)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tvar (\n\t\tsnName = info.Snapshotter\n\t\tsn = client.SnapshotService(snName)\n\t)\n\n\tmounts, err := sn.Mounts(ctx, id)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\t// NOTE: Moby uses provided rootfs to run container. It doesn't support\n\t// to commit container created by moby.\n\tbaseImgWithoutPlatform, err := client.ImageService().Get(ctx, info.Image)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"container %q lacks image (wasn't created by nerdctl?): %w\", id, err)\n\t}\n\tplatformLabel := info.Labels[labels.Platform]\n\tif platformLabel == \"\" {\n\t\tplatformLabel = platforms.DefaultString()\n\t\tlog.G(ctx).Warnf(\"Image lacks label %q, assuming the platform to be %q\", labels.Platform, platformLabel)\n\t}\n\tocispecPlatform, err := platforms.Parse(platformLabel)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tlog.G(ctx).Debugf(\"ocispecPlatform=%q\", platforms.Format(ocispecPlatform))\n\tplatformMC := platforms.Only(ocispecPlatform)\n\tbaseImg := containerd.NewImageWithPlatform(client, baseImgWithoutPlatform, platformMC)\n\n\tbaseImgConfig, _, err := imgutil.ReadImageConfig(ctx, baseImg)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\t// Don't gc me and clean the dirty data after 1 hour!\n\tctx, done, err := client.WithLease(ctx, leases.WithRandomID(), leases.WithExpiration(1*time.Hour))\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to create lease for diff: %w\", err)\n\t}\n\tdefer done(ctx)\n\n\trootfsID := identity.ChainID(baseImgConfig.RootFS.DiffIDs).String()\n\n\trandomID := idgen.GenerateID()\n\tparent, err := sn.View(ctx, randomID, rootfsID)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer sn.Remove(ctx, randomID)\n\n\tvar changes []fs.Change\n\terr = mount.WithReadonlyTempMount(ctx, parent, func(lower string) error {\n\t\treturn mount.WithReadonlyTempMount(ctx, mounts, func(upper string) error {\n\t\t\treturn fs.Changes(ctx, lower, upper, func(ck fs.ChangeKind, s string, fi os.FileInfo, err error) error {\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tchanges = appendChanges(changes, fs.Change{\n\t\t\t\t\tKind: ck,\n\t\t\t\t\tPath: s,\n\t\t\t\t})\n\t\t\t\treturn nil\n\t\t\t})\n\t\t})\n\t})\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn changes, err\n}\n\nfunc appendChanges(changes []fs.Change, fsChange fs.Change) []fs.Change {\n\tnewDir, _ := filepath.Split(fsChange.Path)\n\tnewDirPath := filepath.SplitList(newDir)\n\n\tif len(changes) == 0 {\n\t\tfor i := 1; i < len(newDirPath); i++ {\n\t\t\tchanges = append(changes, fs.Change{\n\t\t\t\tKind: fs.ChangeKindModify,\n\t\t\t\tPath: filepath.Join(newDirPath[:i+1]...),\n\t\t\t})\n\t\t}\n\t\treturn append(changes, fsChange)\n\t}\n\tlast := changes[len(changes)-1]\n\tlastDir, _ := filepath.Split(last.Path)\n\tlastDirPath := filepath.SplitList(lastDir)\n\tfor i := range newDirPath {\n\t\tif len(lastDirPath) > i && lastDirPath[i] == newDirPath[i] {\n\t\t\tcontinue\n\t\t}\n\t\tchanges = append(changes, fs.Change{\n\t\t\tKind: fs.ChangeKindModify,\n\t\t\tPath: filepath.Join(newDirPath[:i+1]...),\n\t\t})\n\t}\n\treturn append(changes, fsChange)\n}\n\nfunc diffShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t// show container names\n\treturn completion.ContainerNames(cmd, nil)\n}\n" }, { "path": "cmd/nerdctl/container/container_diff_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestDiff(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\t// It is unclear why this is failing with docker when run in parallel\n\t// Obviously some other container test is interfering\n\tif nerdtest.IsDocker() {\n\t\ttestCase.NoParallel = true\n\t}\n\n\ttestCase.Require = require.Not(require.Windows)\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"run\", \"--name\", data.Identifier(), testutil.CommonImage,\n\t\t\t\"sh\", \"-euxc\", \"touch /a; touch /bin/b; rm /bin/base64\")\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"diff\", data.Identifier())\n\t}\n\n\ttestCase.Expected = test.Expects(\n\t\t0,\n\t\tnil,\n\t\texpect.Contains(\n\t\t\t\"A /a\",\n\t\t\t\"C /bin\",\n\t\t\t\"A /bin/b\",\n\t\t\t\"D /bin/base64\"),\n\t)\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_exec.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"errors\"\n\n\t\"github.com/spf13/cobra\"\n\n\tcontainerd \"github.com/containerd/containerd/v2/client\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n)\n\nfunc ExecCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"exec [flags] CONTAINER COMMAND [ARG...]\",\n\t\tArgs: cobra.MinimumNArgs(2),\n\t\tShort: \"Run a command in a running container\",\n\t\tRunE: execAction,\n\t\tValidArgsFunction: execShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().SetInterspersed(false)\n\n\tcmd.Flags().BoolP(\"tty\", \"t\", false, \"Allocate a pseudo-TTY\")\n\tcmd.Flags().BoolP(\"interactive\", \"i\", false, \"Keep STDIN open even if not attached\")\n\tcmd.Flags().BoolP(\"detach\", \"d\", false, \"Detached mode: run command in the background\")\n\tcmd.Flags().StringP(\"workdir\", \"w\", \"\", \"Working directory inside the container\")\n\t// env needs to be StringArray, not StringSlice, to prevent \"FOO=foo1,foo2\" from being split to {\"FOO=foo1\", \"foo2\"}\n\tcmd.Flags().StringArrayP(\"env\", \"e\", nil, \"Set environment variables\")\n\t// env-file is defined as StringSlice, not StringArray, to allow specifying \"--env-file=FILE1,FILE2\" (compatible with Podman)\n\tcmd.Flags().StringSlice(\"env-file\", nil, \"Set environment variables from file\")\n\tcmd.Flags().Bool(\"privileged\", false, \"Give extended privileges to the command\")\n\tcmd.Flags().StringP(\"user\", \"u\", \"\", \"Username or UID (format: [:])\")\n\treturn cmd\n}\n\nfunc execOptions(cmd *cobra.Command) (types.ContainerExecOptions, error) {\n\t// We do not check if we have a terminal here, as container.Exec calling console.Current will ensure that\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ContainerExecOptions{}, err\n\t}\n\n\tisInteractive, err := cmd.Flags().GetBool(\"interactive\")\n\tif err != nil {\n\t\treturn types.ContainerExecOptions{}, err\n\t}\n\tisTerminal, err := cmd.Flags().GetBool(\"tty\")\n\tif err != nil {\n\t\treturn types.ContainerExecOptions{}, err\n\t}\n\tisDetach, err := cmd.Flags().GetBool(\"detach\")\n\tif err != nil {\n\t\treturn types.ContainerExecOptions{}, err\n\t}\n\n\tif isInteractive {\n\t\tif isDetach {\n\t\t\treturn types.ContainerExecOptions{}, errors.New(\"currently flag -i and -d cannot be specified together (FIXME)\")\n\t\t}\n\t}\n\n\tif isTerminal {\n\t\tif isDetach {\n\t\t\treturn types.ContainerExecOptions{}, errors.New(\"currently flag -t and -d cannot be specified together (FIXME)\")\n\t\t}\n\t}\n\n\tworkdir, err := cmd.Flags().GetString(\"workdir\")\n\tif err != nil {\n\t\treturn types.ContainerExecOptions{}, err\n\t}\n\n\tenvFile, err := cmd.Flags().GetStringSlice(\"env-file\")\n\tif err != nil {\n\t\treturn types.ContainerExecOptions{}, err\n\t}\n\tenv, err := cmd.Flags().GetStringArray(\"env\")\n\tif err != nil {\n\t\treturn types.ContainerExecOptions{}, err\n\t}\n\tprivileged, err := cmd.Flags().GetBool(\"privileged\")\n\tif err != nil {\n\t\treturn types.ContainerExecOptions{}, err\n\t}\n\tuser, err := cmd.Flags().GetString(\"user\")\n\tif err != nil {\n\t\treturn types.ContainerExecOptions{}, err\n\t}\n\n\treturn types.ContainerExecOptions{\n\t\tGOptions: globalOptions,\n\t\tTTY: isTerminal,\n\t\tInteractive: isInteractive,\n\t\tDetach: isDetach,\n\t\tWorkdir: workdir,\n\t\tEnv: env,\n\t\tEnvFile: envFile,\n\t\tPrivileged: privileged,\n\t\tUser: user,\n\t}, nil\n}\n\nfunc execAction(cmd *cobra.Command, args []string) error {\n\toptions, err := execOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\t// simulate the behavior of double dash\n\tnewArg := []string{}\n\tif len(args) >= 2 && args[1] == \"--\" {\n\t\tnewArg = append(newArg, args[:1]...)\n\t\tnewArg = append(newArg, args[2:]...)\n\t\targs = newArg\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn container.Exec(ctx, client, args, options)\n}\n\nfunc execShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\tif len(args) == 0 {\n\t\t// show running container names\n\t\tstatusFilterFn := func(st containerd.ProcessStatus) bool {\n\t\t\treturn st == containerd.Running\n\t\t}\n\t\treturn completion.ContainerNames(cmd, statusFilterFn)\n\t}\n\treturn nil, cobra.ShellCompDirectiveNoFileComp\n}\n" }, { "path": "cmd/nerdctl/container/container_exec_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestExecWithUser(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\n\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\n\t\tdata.Labels().Set(\"container_name\", data.Identifier())\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"with no user flag\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"exec\", data.Labels().Get(\"container_name\"), \"id\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"uid=0(root) gid=0(root)\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"with --user 1000\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"exec\", \"--user\", \"1000\", data.Labels().Get(\"container_name\"), \"id\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"uid=1000 gid=0(root)\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"with --user 1000:users\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"exec\", \"--user\", \"1000:users\", data.Labels().Get(\"container_name\"), \"id\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"uid=1000 gid=100(users)\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"with --user guest\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"exec\", \"--user\", \"guest\", data.Labels().Get(\"container_name\"), \"id\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"uid=405(guest) gid=100(users)\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"with --user nobody\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"exec\", \"--user\", \"nobody\", data.Labels().Get(\"container_name\"), \"id\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"uid=65534(nobody) gid=65534(nobody)\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"with --user nobody:users\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"exec\", \"--user\", \"nobody:users\", data.Labels().Get(\"container_name\"), \"id\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"uid=65534(nobody) gid=100(users)\")),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestExecTTY(t *testing.T) {\n\tconst sttyPartialOutput = \"speed 38400 baud\"\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\n\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\n\t\tdata.Labels().Set(\"container_name\", data.Identifier())\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"stty with -it\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcmd := helpers.Command(\"exec\", \"-it\", data.Labels().Get(\"container_name\"), \"stty\")\n\t\t\t\tcmd.WithPseudoTTY()\n\t\t\t\treturn cmd\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(sttyPartialOutput)),\n\t\t},\n\t\t{\n\t\t\tDescription: \"stty with -t\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcmd := helpers.Command(\"exec\", \"-t\", data.Labels().Get(\"container_name\"), \"stty\")\n\t\t\t\tcmd.WithPseudoTTY()\n\t\t\t\treturn cmd\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(sttyPartialOutput)),\n\t\t},\n\t\t{\n\t\t\tDescription: \"stty with -i\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcmd := helpers.Command(\"exec\", \"-i\", data.Labels().Get(\"container_name\"), \"stty\")\n\t\t\t\tcmd.WithPseudoTTY()\n\t\t\t\treturn cmd\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeGenericFail, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"stty without params\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcmd := helpers.Command(\"exec\", data.Labels().Get(\"container_name\"), \"stty\")\n\t\t\t\tcmd.WithPseudoTTY()\n\t\t\t\treturn cmd\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeGenericFail, nil, nil),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_exec_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"runtime\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestExec(t *testing.T) {\n\tnerdtest.Setup()\n\n\ttestCase := &test.Case{\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t},\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"exec\", data.Identifier(), \"echo\", \"success\")\n\t\t},\n\t\tExpected: test.Expects(0, nil, expect.Equals(\"success\\n\")),\n\t}\n\ttestCase.Run(t)\n}\n\nfunc TestExecWithDoubleDash(t *testing.T) {\n\tnerdtest.Setup()\n\n\ttestCase := &test.Case{\n\t\tRequire: require.Not(nerdtest.Docker),\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t},\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"exec\", data.Identifier(), \"--\", \"echo\", \"success\")\n\t\t},\n\t\tExpected: test.Expects(0, nil, expect.Equals(\"success\\n\")),\n\t}\n\ttestCase.Run(t)\n}\n\nfunc TestExecStdin(t *testing.T) {\n\tnerdtest.Setup()\n\n\tconst testStr = \"test-exec-stdin\"\n\ttestCase := &test.Case{\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t},\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\tcmd := helpers.Command(\"exec\", \"-i\", data.Identifier(), \"cat\")\n\t\t\tcmd.Feed(strings.NewReader(testStr))\n\t\t\treturn cmd\n\t\t},\n\t\tExpected: test.Expects(0, nil, expect.Equals(testStr)),\n\t}\n\ttestCase.Run(t)\n}\n\n// FYI: https://github.com/containerd/nerdctl/blob/e4b2b6da56555dc29ed66d0fd8e7094ff2bc002d/cmd/nerdctl/run_test.go#L177\nfunc TestExecEnv(t *testing.T) {\n\tnerdtest.Setup()\n\n\ttestCase := &test.Case{\n\t\tEnv: map[string]string{\n\t\t\t\"CORGE\": \"corge-value-in-host\",\n\t\t\t\"GARPLY\": \"garply-value-in-host\",\n\t\t},\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t},\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"exec\",\n\t\t\t\t\"--env\", \"FOO=foo1,foo2\",\n\t\t\t\t\"--env\", \"BAR=bar1 bar2\",\n\t\t\t\t\"--env\", \"BAZ=\",\n\t\t\t\t\"--env\", \"QUX\", // not exported in OS\n\t\t\t\t\"--env\", \"QUUX=quux1\",\n\t\t\t\t\"--env\", \"QUUX=quux2\",\n\t\t\t\t\"--env\", \"CORGE\", // OS exported\n\t\t\t\t\"--env\", \"GRAULT=grault_key=grault_value\", // value contains `=` char\n\t\t\t\t\"--env\", \"GARPLY=\", // OS exported\n\t\t\t\t\"--env\", \"WALDO=\", // not exported in OS\n\n\t\t\t\tdata.Identifier(), \"env\")\n\t\t},\n\t\tExpected: test.Expects(0, nil, func(stdout string, t tig.T) {\n\t\t\tassert.Assert(t, strings.Contains(stdout, \"\\nFOO=foo1,foo2\\n\"), \"got bad FOO\")\n\t\t\tassert.Assert(t, strings.Contains(stdout, \"\\nBAR=bar1 bar2\\n\"), \"got bad BAR\")\n\t\t\tif runtime.GOOS != \"windows\" {\n\t\t\t\tassert.Assert(t, strings.Contains(stdout, \"\\nBAZ=\\n\"), \"got bad BAZ\")\n\t\t\t}\n\t\t\tassert.Assert(t, !strings.Contains(stdout, \"QUX\"), \"got bad QUX (should not be set)\")\n\t\t\tassert.Assert(t, strings.Contains(stdout, \"\\nQUUX=quux2\\n\"), \"got bad QUUX\")\n\t\t\tassert.Assert(t, strings.Contains(stdout, \"\\nCORGE=corge-value-in-host\\n\"), \"got bad CORGE\")\n\t\t\tassert.Assert(t, strings.Contains(stdout, \"\\nGRAULT=grault_key=grault_value\\n\"), \"got bad GRAULT\")\n\t\t\tif runtime.GOOS != \"windows\" {\n\t\t\t\tassert.Assert(t, strings.Contains(stdout, \"\\nGARPLY=\\n\"), \"got bad GARPLY\")\n\t\t\t\tassert.Assert(t, strings.Contains(stdout, \"\\nWALDO=\\n\"), \"got bad WALDO\")\n\t\t\t}\n\t\t}),\n\t}\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_export.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\n\t\"github.com/mattn/go-isatty\"\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n)\n\nfunc ExportCommand() *cobra.Command {\n\tvar exportCommand = &cobra.Command{\n\t\tUse: \"export [OPTIONS] CONTAINER\",\n\t\tArgs: cobra.ExactArgs(1),\n\t\tShort: \"Export a containers filesystem as a tar archive\",\n\t\tLong: \"Export a containers filesystem as a tar archive\",\n\t\tRunE: exportAction,\n\t\tValidArgsFunction: exportShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\texportCommand.Flags().StringP(\"output\", \"o\", \"\", \"Write to a file, instead of STDOUT\")\n\n\treturn exportCommand\n}\n\nfunc exportAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif len(args) == 0 {\n\t\treturn fmt.Errorf(\"requires at least 1 argument\")\n\t}\n\n\toutput, err := cmd.Flags().GetString(\"output\")\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\twriter := cmd.OutOrStdout()\n\tif output != \"\" {\n\t\tf, err := os.OpenFile(output, os.O_CREATE|os.O_WRONLY, 0644)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tdefer f.Close()\n\t\twriter = f\n\t} else {\n\t\tif isatty.IsTerminal(os.Stdout.Fd()) {\n\t\t\treturn fmt.Errorf(\"cowardly refusing to save to a terminal. Use the -o flag or redirect\")\n\t\t}\n\t}\n\n\toptions := types.ContainerExportOptions{\n\t\tStdout: writer,\n\t\tGOptions: globalOptions,\n\t}\n\n\treturn container.Export(ctx, client, args[0], options)\n}\n\nfunc exportShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t// show container names\n\treturn completion.ContainerNames(cmd, nil)\n}\n" }, { "path": "cmd/nerdctl/container/container_export_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"archive/tar\"\n\t\"io\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\n// validateExportedTar checks that the tar file exists and contains /bin/busybox\nfunc validateExportedTar(outFile string) test.Comparator {\n\treturn func(stdout string, t tig.T) {\n\t\t// Check if the tar file was created\n\t\t_, err := os.Stat(outFile)\n\t\tassert.Assert(t, !os.IsNotExist(err), \"exported tar file %s was not created\", outFile)\n\n\t\t// Open and read the tar file to check for /bin/busybox\n\t\tfile, err := os.Open(outFile)\n\t\tassert.NilError(t, err, \"failed to open tar file %s\", outFile)\n\t\tdefer file.Close()\n\n\t\ttarReader := tar.NewReader(file)\n\t\tbusyboxFound := false\n\n\t\tfor {\n\t\t\theader, err := tarReader.Next()\n\t\t\tif err == io.EOF {\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tassert.NilError(t, err, \"failed to read tar entry\")\n\n\t\t\tif header.Name == \"bin/busybox\" || header.Name == \"./bin/busybox\" {\n\t\t\t\tbusyboxFound = true\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\n\t\tassert.Assert(t, busyboxFound, \"exported tar file %s does not contain /bin/busybox\", outFile)\n\t\tt.Log(\"Export validation passed: tar file exists and contains /bin/busybox\")\n\t}\n}\n\nfunc TestExportStoppedContainer(t *testing.T) {\n\tif runtime.GOOS == \"windows\" {\n\t\tt.Skip(\"export is not supported on Windows\")\n\t}\n\n\ttestCase := nerdtest.Setup()\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tidentifier := data.Identifier(\"container\")\n\t\thelpers.Ensure(\"create\", \"--name\", identifier, testutil.CommonImage)\n\t\tdata.Labels().Set(\"cID\", identifier)\n\t\tdata.Labels().Set(\"outFile\", filepath.Join(os.TempDir(), identifier+\".tar\"))\n\t}\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"container\", \"rm\", \"-f\", data.Labels().Get(\"cID\"))\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Labels().Get(\"cID\"))\n\t\tos.Remove(data.Labels().Get(\"outFile\"))\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"export command succeeds\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"export\", \"-o\", data.Labels().Get(\"outFile\"), data.Labels().Get(\"cID\"))\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"tar file exists and has content\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t// Use a simple command that always succeeds to trigger the validation\n\t\t\t\treturn helpers.Custom(\"echo\", \"validating tar file\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: validateExportedTar(data.Labels().Get(\"outFile\")),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestExportRunningContainer(t *testing.T) {\n\tif runtime.GOOS == \"windows\" {\n\t\tt.Skip(\"export is not supported on Windows\")\n\t}\n\n\ttestCase := nerdtest.Setup()\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tidentifier := data.Identifier(\"container\")\n\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", identifier, testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\tdata.Labels().Set(\"cID\", identifier)\n\t\tdata.Labels().Set(\"outFile\", filepath.Join(os.TempDir(), identifier+\".tar\"))\n\t}\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Labels().Get(\"cID\"))\n\t\tos.Remove(data.Labels().Get(\"outFile\"))\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"export command succeeds\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"export\", \"-o\", data.Labels().Get(\"outFile\"), data.Labels().Get(\"cID\"))\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"tar file exists and has content\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t// Use a simple command that always succeeds to trigger the validation\n\t\t\t\treturn helpers.Custom(\"echo\", \"validating tar file\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: validateExportedTar(data.Labels().Get(\"outFile\")),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestExportNonexistentContainer(t *testing.T) {\n\tif runtime.GOOS == \"windows\" {\n\t\tt.Skip(\"export is not supported on Windows\")\n\t}\n\n\ttestCase := nerdtest.Setup()\n\ttestCase.Command = test.Command(\"export\", \"nonexistent-container\")\n\ttestCase.Expected = test.Expects(1, nil, nil)\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_health_check.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\n\t\"github.com/spf13/cobra\"\n\n\tcontainerd \"github.com/containerd/containerd/v2/client\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n\t\"github.com/containerd/nerdctl/v2/pkg/idutil/containerwalker\"\n)\n\n// HealthCheckCommand returns a cobra command for `nerdctl container healthcheck`\nfunc HealthCheckCommand() *cobra.Command {\n\tvar healthCheckCommand = &cobra.Command{\n\t\tUse: \"healthcheck [flags] CONTAINER\",\n\t\tShort: \"Execute the health check command in a container\",\n\t\tArgs: cobra.ExactArgs(1),\n\t\tRunE: healthCheckAction,\n\t\tValidArgsFunction: healthCheckShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\n\treturn healthCheckCommand\n}\n\nfunc healthCheckAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\tcontainerID := args[0]\n\twalker := &containerwalker.ContainerWalker{\n\t\tClient: client,\n\t\tOnFound: func(ctx context.Context, found containerwalker.Found) error {\n\t\t\tif found.MatchCount > 1 {\n\t\t\t\treturn fmt.Errorf(\"multiple IDs found with provided prefix: %s\", found.Req)\n\t\t\t}\n\t\t\treturn container.HealthCheck(ctx, client, found.Container)\n\t\t},\n\t}\n\n\tn, err := walker.Walk(ctx, containerID)\n\tif err != nil {\n\t\treturn err\n\t} else if n == 0 {\n\t\treturn fmt.Errorf(\"no such container %s\", containerID)\n\t}\n\treturn nil\n}\n\nfunc healthCheckShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\treturn completion.ContainerNames(cmd, func(status containerd.ProcessStatus) bool {\n\t\treturn status == containerd.Running\n\t})\n}\n" }, { "path": "cmd/nerdctl/container/container_health_check_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/healthcheck\"\n\t\"github.com/containerd/nerdctl/v2/pkg/inspecttypes/dockercompat\"\n\t\"github.com/containerd/nerdctl/v2/pkg/rootlessutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestContainerHealthCheckBasic(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\t// Docker CLI does not provide a standalone healthcheck command.\n\ttestCase.Require = require.Not(nerdtest.Docker)\n\n\t// Skip systemd tests in rootless environment to bypass dbus permission issues\n\tif rootlessutil.IsRootless() {\n\t\tt.Skip(\"systemd healthcheck tests are skipped in rootless environment\")\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"Container does not exist\",\n\t\t\tCommand: test.Command(\"container\", \"healthcheck\", \"non-existent\"),\n\t\t\tExpected: test.Expects(1, []error{errors.New(\"no such container non-existent\")}, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"Missing health check config\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"container\", \"healthcheck\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: test.Expects(1, []error{errors.New(\"container has no health check configured\")}, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"Basic health check success\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--health-cmd\", \"echo healthy\",\n\t\t\t\t\t\"--health-interval\", \"45s\",\n\t\t\t\t\t\"--health-timeout\", \"30s\",\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"container\", \"healthcheck\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(func(stdout string, t tig.T) {\n\t\t\t\t\t\tinspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\t\t\t\t\t\th := inspect.State.Health\n\t\t\t\t\t\tdebug, _ := json.MarshalIndent(h, \"\", \" \")\n\t\t\t\t\t\tt.Log(string(debug))\n\t\t\t\t\t\tassert.Assert(t, h != nil, \"expected health state to be present\")\n\t\t\t\t\t\tassert.Equal(t, healthcheck.Healthy, h.Status)\n\t\t\t\t\t\tassert.Equal(t, 0, h.FailingStreak)\n\t\t\t\t\t\tassert.Assert(t, len(h.Log) > 0, \"expected at least one health check log entry\")\n\t\t\t\t\t}),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Health check on stopped container\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--health-cmd\", \"echo healthy\",\n\t\t\t\t\t\"--health-interval\", \"3s\",\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", \"2\")\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t\thelpers.Ensure(\"stop\", data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"container\", \"healthcheck\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: test.Expects(1, []error{errors.New(\"container is not running (status: stopped)\")}, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"Health check without task\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"create\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--health-cmd\", \"echo healthy\",\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"container\", \"healthcheck\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: test.Expects(1, []error{errors.New(\"failed to get container task: no running task found\")}, nil),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestContainerHealthCheckDefaults(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\t// Docker CLI does not provide a standalone healthcheck command.\n\ttestCase.Require = require.Not(nerdtest.Docker)\n\n\t// Skip systemd tests in rootless environment to bypass dbus permission issues\n\tif rootlessutil.IsRootless() {\n\t\tt.Skip(\"systemd healthcheck tests are skipped in rootless environment\")\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"Health check applies default values when not explicitly set\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t// Create container with only --health-cmd, no other health flags\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--health-cmd\", \"echo healthy\",\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"inspect\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(func(stdout string, t tig.T) {\n\t\t\t\t\t\tinspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\n\t\t\t\t\t\t// Parse the healthcheck config from container labels\n\t\t\t\t\t\thcLabel := inspect.Config.Labels[\"nerdctl/healthcheck\"]\n\t\t\t\t\t\tassert.Assert(t, hcLabel != \"\", \"expected healthcheck label to be present\")\n\n\t\t\t\t\t\tvar hc healthcheck.Healthcheck\n\t\t\t\t\t\terr := json.Unmarshal([]byte(hcLabel), &hc)\n\t\t\t\t\t\tassert.NilError(t, err, \"failed to parse healthcheck config\")\n\n\t\t\t\t\t\t// Verify default values are applied\n\t\t\t\t\t\tassert.Equal(t, hc.Interval, 30*time.Second, \"expected default interval of 30s\")\n\t\t\t\t\t\tassert.Equal(t, hc.Timeout, 30*time.Second, \"expected default timeout of 30s\")\n\t\t\t\t\t\tassert.Equal(t, hc.Retries, 3, \"expected default retries of 3\")\n\t\t\t\t\t\tassert.Equal(t, hc.StartPeriod, 0*time.Second, \"expected default start period of 0s\")\n\n\t\t\t\t\t\t// Verify the command was set correctly\n\t\t\t\t\t\tassert.DeepEqual(t, hc.Test, []string{\"CMD-SHELL\", \"echo healthy\"})\n\t\t\t\t\t}),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"CLI flags override default values correctly\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t// Create container with custom health flags that override defaults\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--health-cmd\", \"echo custom\",\n\t\t\t\t\t\"--health-interval\", \"45s\",\n\t\t\t\t\t\"--health-timeout\", \"15s\",\n\t\t\t\t\t\"--health-retries\", \"5\",\n\t\t\t\t\t\"--health-start-period\", \"10s\",\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"inspect\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(func(stdout string, t tig.T) {\n\t\t\t\t\t\tinspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\n\t\t\t\t\t\t// Parse the healthcheck config from container labels\n\t\t\t\t\t\thcLabel := inspect.Config.Labels[\"nerdctl/healthcheck\"]\n\t\t\t\t\t\tassert.Assert(t, hcLabel != \"\", \"expected healthcheck label to be present\")\n\n\t\t\t\t\t\tvar hc healthcheck.Healthcheck\n\t\t\t\t\t\terr := json.Unmarshal([]byte(hcLabel), &hc)\n\t\t\t\t\t\tassert.NilError(t, err, \"failed to parse healthcheck config\")\n\n\t\t\t\t\t\t// Verify CLI overrides are applied (not defaults)\n\t\t\t\t\t\tassert.Equal(t, hc.Interval, 45*time.Second, \"expected custom interval of 45s\")\n\t\t\t\t\t\tassert.Equal(t, hc.Timeout, 15*time.Second, \"expected custom timeout of 15s\")\n\t\t\t\t\t\tassert.Equal(t, hc.Retries, 5, \"expected custom retries of 5\")\n\t\t\t\t\t\tassert.Equal(t, hc.StartPeriod, 10*time.Second, \"expected custom start period of 10s\")\n\n\t\t\t\t\t\t// Verify the command was set correctly\n\t\t\t\t\t\tassert.DeepEqual(t, hc.Test, []string{\"CMD-SHELL\", \"echo custom\"})\n\t\t\t\t\t}),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"No defaults applied when no healthcheck is configured\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t// Create container without any health flags\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"inspect\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(func(stdout string, t tig.T) {\n\t\t\t\t\t\tinspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\n\t\t\t\t\t\t// Verify no healthcheck label is present\n\t\t\t\t\t\thcLabel := inspect.Config.Labels[\"nerdctl/healthcheck\"]\n\t\t\t\t\t\tassert.Equal(t, hcLabel, \"\", \"expected no healthcheck label when no healthcheck is configured\")\n\n\t\t\t\t\t\t// Verify no health state\n\t\t\t\t\t\tassert.Assert(t, inspect.State.Health == nil, \"expected no health state when no healthcheck is configured\")\n\t\t\t\t\t}),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestContainerHealthCheckAdvance(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\t// Docker CLI does not provide a standalone healthcheck command.\n\ttestCase.Require = require.Not(nerdtest.Docker)\n\n\t// Skip systemd tests in rootless environment to bypass dbus permission issues\n\tif rootlessutil.IsRootless() {\n\t\tt.Skip(\"systemd healthcheck tests are skipped in rootless environment\")\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"Health check timeout scenario\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--health-cmd\", \"sleep 10\",\n\t\t\t\t\t\"--health-timeout\", \"2s\",\n\t\t\t\t\t\"--health-interval\", \"1s\",\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"container\", \"healthcheck\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(func(stdout string, t tig.T) {\n\t\t\t\t\t\tinspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\t\t\t\t\t\th := inspect.State.Health\n\t\t\t\t\t\tdebug, _ := json.MarshalIndent(h, \"\", \" \")\n\t\t\t\t\t\tt.Log(string(debug))\n\t\t\t\t\t\tassert.Assert(t, h != nil, \"expected health state\")\n\t\t\t\t\t\tassert.Assert(t, h.FailingStreak >= 1, \"expected at least one failing streak\")\n\t\t\t\t\t\tassert.Assert(t, len(inspect.State.Health.Log) > 0, \"expected health log to have entries\")\n\t\t\t\t\t\tlast := inspect.State.Health.Log[0]\n\t\t\t\t\t\tassert.Equal(t, -1, last.ExitCode)\n\t\t\t\t\t}),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Health check failing streak behavior\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--health-cmd\", \"exit 1\",\n\t\t\t\t\t\"--health-interval\", \"1s\",\n\t\t\t\t\t\"--health-retries\", \"2\",\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t// Run healthcheck twice to ensure failing streak\n\t\t\t\tfor i := 0; i < 2; i++ {\n\t\t\t\t\thelpers.Ensure(\"container\", \"healthcheck\", data.Identifier())\n\t\t\t\t\ttime.Sleep(2 * time.Second)\n\t\t\t\t}\n\t\t\t\treturn helpers.Command(\"inspect\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(func(stdout string, t tig.T) {\n\t\t\t\t\t\tinspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\t\t\t\t\t\th := inspect.State.Health\n\t\t\t\t\t\tdebug, _ := json.MarshalIndent(h, \"\", \" \")\n\t\t\t\t\t\tt.Log(string(debug))\n\t\t\t\t\t\tassert.Assert(t, h != nil, \"expected health state\")\n\t\t\t\t\t\tassert.Equal(t, h.Status, healthcheck.Unhealthy)\n\t\t\t\t\t\tassert.Assert(t, h.FailingStreak >= 1, \"expected atleast one FailingStreak\")\n\t\t\t\t\t}),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Health check with start period\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--health-cmd\", \"exit 1\",\n\t\t\t\t\t\"--health-interval\", \"1s\",\n\t\t\t\t\t\"--health-start-period\", \"60s\",\n\t\t\t\t\t\"--health-retries\", \"2\",\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"container\", \"healthcheck\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(func(stdout string, t tig.T) {\n\t\t\t\t\t\tinspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\t\t\t\t\t\th := inspect.State.Health\n\t\t\t\t\t\tdebug, _ := json.MarshalIndent(h, \"\", \" \")\n\t\t\t\t\t\tt.Log(string(debug))\n\t\t\t\t\t\tassert.Assert(t, h != nil, \"expected health state\")\n\t\t\t\t\t\tassert.Equal(t, h.Status, healthcheck.Starting)\n\t\t\t\t\t\tassert.Equal(t, h.FailingStreak, 0)\n\t\t\t\t\t}),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Health check with invalid command\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--health-cmd\", \"not-a-real-cmd\",\n\t\t\t\t\t\"--health-interval\", \"1s\",\n\t\t\t\t\t\"--health-retries\", \"1\",\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"container\", \"healthcheck\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(func(stdout string, t tig.T) {\n\t\t\t\t\t\tinspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\t\t\t\t\t\th := inspect.State.Health\n\t\t\t\t\t\tdebug, _ := json.MarshalIndent(h, \"\", \" \")\n\t\t\t\t\t\tt.Log(string(debug))\n\t\t\t\t\t\tassert.Assert(t, h != nil, \"expected health state\")\n\t\t\t\t\t\tassert.Equal(t, h.Status, healthcheck.Unhealthy)\n\t\t\t\t\t\tassert.Assert(t, h.FailingStreak >= 1, \"expected at least one failing streak\")\n\t\t\t\t\t}),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"No healthcheck flag disables health status\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--no-healthcheck\", testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"inspect\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(func(stdout string, t tig.T) {\n\t\t\t\t\t\tinspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\t\t\t\t\t\tassert.Assert(t, inspect.State.Health == nil, \"expected health to be nil with --no-healthcheck\")\n\t\t\t\t\t}),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Healthcheck using CMD-SHELL format\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--health-cmd\", \"echo shell-format\", \"--health-interval\", \"1s\",\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"container\", \"healthcheck\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(func(_ string, t tig.T) {\n\t\t\t\t\t\tinspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\t\t\t\t\t\th := inspect.State.Health\n\t\t\t\t\t\tdebug, _ := json.MarshalIndent(h, \"\", \" \")\n\t\t\t\t\t\tt.Log(string(debug))\n\t\t\t\t\t\tassert.Assert(t, h != nil, \"expected health state\")\n\t\t\t\t\t\tassert.Equal(t, h.Status, healthcheck.Healthy)\n\t\t\t\t\t\tassert.Assert(t, len(h.Log) > 0)\n\t\t\t\t\t\tassert.Assert(t, strings.Contains(h.Log[0].Output, \"shell-format\"))\n\t\t\t\t\t}),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Health check uses container environment variables\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--env\", \"MYVAR=test-value\",\n\t\t\t\t\t\"--health-cmd\", \"echo $MYVAR\",\n\t\t\t\t\t\"--health-interval\", \"1s\",\n\t\t\t\t\t\"--health-timeout\", \"1s\",\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"container\", \"healthcheck\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(func(stdout string, t tig.T) {\n\t\t\t\t\t\tinspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\t\t\t\t\t\th := inspect.State.Health\n\t\t\t\t\t\tdebug, _ := json.MarshalIndent(h, \"\", \" \")\n\t\t\t\t\t\tt.Log(string(debug))\n\t\t\t\t\t\tassert.Assert(t, h != nil, \"expected health state\")\n\t\t\t\t\t\tassert.Equal(t, h.Status, healthcheck.Healthy)\n\t\t\t\t\t\tassert.Assert(t, h.FailingStreak == 0)\n\t\t\t\t\t\tassert.Assert(t, strings.Contains(h.Log[0].Output, \"test\"), \"expected health log output to contain 'test'\")\n\t\t\t\t\t}),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Health check respects container WorkingDir\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--workdir\", \"/tmp\",\n\t\t\t\t\t\"--health-cmd\", \"pwd\",\n\t\t\t\t\t\"--health-interval\", \"1s\",\n\t\t\t\t\t\"--health-timeout\", \"1s\",\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"container\", \"healthcheck\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(func(stdout string, t tig.T) {\n\t\t\t\t\t\tinspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\t\t\t\t\t\th := inspect.State.Health\n\t\t\t\t\t\tdebug, _ := json.MarshalIndent(h, \"\", \" \")\n\t\t\t\t\t\tt.Log(string(debug))\n\t\t\t\t\t\tassert.Assert(t, h != nil, \"expected health state\")\n\t\t\t\t\t\tassert.Equal(t, h.Status, healthcheck.Healthy)\n\t\t\t\t\t\tassert.Equal(t, h.FailingStreak, 0)\n\t\t\t\t\t\tassert.Assert(t, strings.Contains(h.Log[0].Output, \"/tmp\"), \"expected health log output to contain '/tmp'\")\n\t\t\t\t\t}),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Healthcheck emits large output repeatedly\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--health-cmd\", \"yes X | head -c 60000\",\n\t\t\t\t\t\"--health-interval\", \"1s\", \"--health-timeout\", \"2s\",\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tfor i := 0; i < 3; i++ {\n\t\t\t\t\thelpers.Ensure(\"container\", \"healthcheck\", data.Identifier())\n\t\t\t\t\ttime.Sleep(2 * time.Second)\n\t\t\t\t}\n\t\t\t\treturn helpers.Command(\"inspect\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(func(_ string, t tig.T) {\n\t\t\t\t\t\tinspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\t\t\t\t\t\th := inspect.State.Health\n\t\t\t\t\t\tdebug, _ := json.MarshalIndent(h, \"\", \" \")\n\t\t\t\t\t\tt.Log(string(debug))\n\t\t\t\t\t\tassert.Assert(t, h != nil, \"expected health state\")\n\t\t\t\t\t\tassert.Equal(t, h.Status, healthcheck.Healthy)\n\t\t\t\t\t\tassert.Assert(t, len(h.Log) >= 3, \"expected at least 3 health log entries\")\n\t\t\t\t\t\tfor _, log := range h.Log {\n\t\t\t\t\t\t\tassert.Assert(t, len(log.Output) >= 1024, fmt.Sprintf(\"each output should be >= 1024 bytes, was: %s\", log.Output))\n\t\t\t\t\t\t}\n\t\t\t\t\t}),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Health log in inspect keeps only the latest 5 entries\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--health-cmd\", \"exit 1\",\n\t\t\t\t\t\"--health-interval\", \"1s\",\n\t\t\t\t\t\"--health-retries\", \"1\",\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tfor i := 0; i < 7; i++ {\n\t\t\t\t\thelpers.Ensure(\"container\", \"healthcheck\", data.Identifier())\n\t\t\t\t\ttime.Sleep(1 * time.Second)\n\t\t\t\t}\n\t\t\t\treturn helpers.Command(\"inspect\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(func(_ string, t tig.T) {\n\t\t\t\t\t\tinspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\t\t\t\t\t\th := inspect.State.Health\n\t\t\t\t\t\tdebug, _ := json.MarshalIndent(h, \"\", \" \")\n\t\t\t\t\t\tt.Log(string(debug))\n\t\t\t\t\t\tassert.Assert(t, h != nil, \"expected health state\")\n\t\t\t\t\t\tassert.Equal(t, h.Status, healthcheck.Unhealthy)\n\t\t\t\t\t\tassert.Assert(t, len(h.Log) <= 5, \"expected health log to contain at most 5 entries\")\n\t\t\t\t\t}),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Healthcheck with large output gets truncated in health log\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--health-cmd\", \"yes X | head -c 1048576\", // 1MB output\n\t\t\t\t\t\"--health-interval\", \"1s\", \"--health-timeout\", \"2s\",\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"container\", \"healthcheck\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(func(_ string, t tig.T) {\n\t\t\t\t\t\tinspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\t\t\t\t\t\th := inspect.State.Health\n\t\t\t\t\t\tdebug, _ := json.MarshalIndent(h, \"\", \" \")\n\t\t\t\t\t\tt.Log(string(debug))\n\t\t\t\t\t\tassert.Assert(t, h != nil, \"expected health state\")\n\t\t\t\t\t\tassert.Equal(t, h.Status, healthcheck.Healthy)\n\t\t\t\t\t\tassert.Equal(t, h.FailingStreak, 0)\n\t\t\t\t\t\tassert.Assert(t, len(h.Log) >= 1, \"expected at least one log entry\")\n\t\t\t\t\t\toutput := h.Log[0].Output\n\t\t\t\t\t\tassert.Assert(t, strings.HasSuffix(output, \"[truncated]\"), \"expected output to be truncated with '[truncated]'\")\n\t\t\t\t\t}),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Health status transitions from healthy to unhealthy after retries\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tcontainerName := data.Identifier()\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", containerName,\n\t\t\t\t\t\"--health-cmd\", \"exit 1\",\n\t\t\t\t\t\"--health-timeout\", \"10s\",\n\t\t\t\t\t\"--health-retries\", \"3\",\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tfor i := 0; i < 4; i++ {\n\t\t\t\t\thelpers.Ensure(\"container\", \"healthcheck\", data.Identifier())\n\t\t\t\t\ttime.Sleep(2 * time.Second)\n\t\t\t\t}\n\t\t\t\treturn helpers.Command(\"inspect\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(func(stdout string, t tig.T) {\n\t\t\t\t\t\tinspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\t\t\t\t\t\th := inspect.State.Health\n\t\t\t\t\t\tdebug, _ := json.MarshalIndent(h, \"\", \" \")\n\t\t\t\t\t\tt.Log(string(debug))\n\t\t\t\t\t\tassert.Assert(t, h != nil, \"expected health state\")\n\t\t\t\t\t\tassert.Equal(t, h.Status, healthcheck.Unhealthy)\n\t\t\t\t\t\tassert.Assert(t, h.FailingStreak >= 3)\n\t\t\t\t\t}),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Failed healthchecks in start-period do not change status\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--health-cmd\", \"ls /foo || exit 1\", \"--health-retries\", \"2\",\n\t\t\t\t\t\"--health-start-period\", \"30s\", // long enough to stay in \"starting\"\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t// Run healthcheck 3 times (should still be in start period)\n\t\t\t\tfor i := 0; i < 3; i++ {\n\t\t\t\t\thelpers.Ensure(\"container\", \"healthcheck\", data.Identifier())\n\t\t\t\t\ttime.Sleep(1 * time.Second)\n\t\t\t\t}\n\t\t\t\treturn helpers.Command(\"inspect\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(func(stdout string, t tig.T) {\n\t\t\t\t\t\tinspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\t\t\t\t\t\th := inspect.State.Health\n\t\t\t\t\t\tdebug, _ := json.MarshalIndent(h, \"\", \" \")\n\t\t\t\t\t\tt.Log(string(debug))\n\t\t\t\t\t\tassert.Assert(t, h != nil, \"expected health state\")\n\t\t\t\t\t\tassert.Equal(t, h.Status, healthcheck.Starting)\n\t\t\t\t\t\tassert.Equal(t, h.FailingStreak, 0, \"failing streak should not increase during start period\")\n\t\t\t\t\t}),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Successful healthcheck in start-period sets status to healthy\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--health-cmd\", \"ls || exit 1\", \"--health-retries\", \"2\",\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\thelpers.Ensure(\"container\", \"healthcheck\", data.Identifier())\n\t\t\t\ttime.Sleep(1 * time.Second)\n\t\t\t\treturn helpers.Command(\"inspect\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(func(stdout string, t tig.T) {\n\t\t\t\t\t\tinspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\t\t\t\t\t\th := inspect.State.Health\n\t\t\t\t\t\tdebug, _ := json.MarshalIndent(h, \"\", \" \")\n\t\t\t\t\t\tt.Log(string(debug))\n\t\t\t\t\t\tassert.Assert(t, h != nil, \"expected health state\")\n\t\t\t\t\t\tassert.Equal(t, h.Status, healthcheck.Healthy, \"expected healthy status even during start-period\")\n\t\t\t\t\t\tassert.Equal(t, h.FailingStreak, 0)\n\t\t\t\t\t}),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestHealthCheck_SystemdIntegration_Basic(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = require.Not(nerdtest.Docker)\n\t// Skip systemd tests in rootless environment to bypass dbus permission issues\n\tif rootlessutil.IsRootless() {\n\t\tt.Skip(\"systemd healthcheck tests are skipped in rootless environment\")\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"Basic healthy container with systemd-triggered healthcheck\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--health-cmd\", \"echo healthy\",\n\t\t\t\t\t\"--health-interval\", \"2s\",\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", \"30\")\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t// Ensure proper cleanup of systemd units\n\t\t\t\thelpers.Anyhow(\"stop\", data.Identifier())\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(func(stdout string, t tig.T) {\n\t\t\t\t\t\tvar h *healthcheck.Health\n\n\t\t\t\t\t\t// Poll up to 5 times for health status\n\t\t\t\t\t\tmaxAttempts := 5\n\t\t\t\t\t\tvar finalStatus string\n\n\t\t\t\t\t\tfor i := 0; i < maxAttempts; i++ {\n\t\t\t\t\t\t\tinspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\t\t\t\t\t\t\th = inspect.State.Health\n\n\t\t\t\t\t\t\tassert.Assert(t, h != nil, \"expected health state to be present\")\n\t\t\t\t\t\t\tfinalStatus = h.Status\n\n\t\t\t\t\t\t\t// If healthy, break and pass the test\n\t\t\t\t\t\t\tif finalStatus == \"healthy\" {\n\t\t\t\t\t\t\t\tt.Log(fmt.Sprintf(\"Container became healthy on attempt %d/%d\", i+1, maxAttempts))\n\t\t\t\t\t\t\t\tbreak\n\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t// If unhealthy, fail immediately\n\t\t\t\t\t\t\tif finalStatus == \"unhealthy\" {\n\t\t\t\t\t\t\t\tassert.Assert(t, false, fmt.Sprintf(\"Container became unhealthy on attempt %d/%d, status: %s\", i+1, maxAttempts, finalStatus))\n\t\t\t\t\t\t\t\treturn\n\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t// If not the last attempt, wait before retrying\n\t\t\t\t\t\t\tif i < maxAttempts-1 {\n\t\t\t\t\t\t\t\tt.Log(fmt.Sprintf(\"Attempt %d/%d: status is '%s', waiting 1 second before retry\", i+1, maxAttempts, finalStatus))\n\t\t\t\t\t\t\t\ttime.Sleep(1 * time.Second)\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tif finalStatus != \"healthy\" {\n\t\t\t\t\t\t\tassert.Assert(t, false, fmt.Sprintf(\"Container did not become healthy after %d attempts, final status: %s\", maxAttempts, finalStatus))\n\t\t\t\t\t\t\treturn\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tassert.Assert(t, len(h.Log) > 0, \"expected at least one health check log entry\")\n\t\t\t\t\t}),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Kill stops healthcheck execution and cleans up systemd timer\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--health-cmd\", \"echo healthy\",\n\t\t\t\t\t\"--health-interval\", \"1s\",\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", \"30\")\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t\thelpers.Ensure(\"kill\", data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t// Container is already killed, just remove it\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeNoCheck,\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t// Get container info for verification\n\t\t\t\t\t\tinspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\t\t\t\t\t\tcontainerID := inspect.ID\n\t\t\t\t\t\th := inspect.State.Health\n\n\t\t\t\t\t\t// Verify health state and logs exist\n\t\t\t\t\t\tassert.Assert(t, h != nil, \"expected health state to be present\")\n\t\t\t\t\t\tassert.Assert(t, len(h.Log) > 0, \"expected at least one health check log entry\")\n\n\t\t\t\t\t\t// Ensure systemd timers are removed\n\t\t\t\t\t\tresult := helpers.Custom(\"systemctl\", \"list-timers\", \"--all\", \"--no-pager\")\n\t\t\t\t\t\tresult.Run(&test.Expected{\n\t\t\t\t\t\t\tExitCode: expect.ExitCodeNoCheck,\n\t\t\t\t\t\t\tOutput: func(stdout string, _ tig.T) {\n\t\t\t\t\t\t\t\tassert.Assert(t, !strings.Contains(stdout, containerID),\n\t\t\t\t\t\t\t\t\t\"expected nerdctl healthcheck timer for container ID %s to be removed after container stop\", containerID)\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t})\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Remove cleans up systemd timer\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--health-cmd\", \"echo healthy\",\n\t\t\t\t\t\"--health-interval\", \"1s\",\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", \"30\")\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t\thelpers.Ensure(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t// Container is already removed, no cleanup needed\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeNoCheck,\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tinspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\t\t\t\t\t\tcontainerID := inspect.ID\n\n\t\t\t\t\t\t// Check systemd timers to ensure cleanup\n\t\t\t\t\t\tresult := helpers.Custom(\"systemctl\", \"list-timers\", \"--all\", \"--no-pager\")\n\t\t\t\t\t\tresult.Run(&test.Expected{\n\t\t\t\t\t\t\tExitCode: expect.ExitCodeNoCheck,\n\t\t\t\t\t\t\tOutput: func(stdout string, _ tig.T) {\n\t\t\t\t\t\t\t\t// Verify systemd timer has been cleaned up by checking systemctl output\n\t\t\t\t\t\t\t\t// We check that no timer contains our test identifier\n\t\t\t\t\t\t\t\tassert.Assert(t, !strings.Contains(stdout, containerID),\n\t\t\t\t\t\t\t\t\t\"expected nerdctl healthcheck timer for container ID %s to be removed after container removal\", containerID)\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t})\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Stop cleans up systemd timer\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--health-cmd\", \"echo healthy\",\n\t\t\t\t\t\"--health-interval\", \"1s\",\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", \"30\")\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t\thelpers.Ensure(\"stop\", data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t// Container is already stopped, just remove it\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeNoCheck,\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t// Get container info for verification\n\t\t\t\t\t\tinspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\t\t\t\t\t\tcontainerID := inspect.ID\n\n\t\t\t\t\t\t// Ensure systemd timers are removed\n\t\t\t\t\t\tresult := helpers.Custom(\"systemctl\", \"list-timers\", \"--all\", \"--no-pager\")\n\t\t\t\t\t\tresult.Run(&test.Expected{\n\t\t\t\t\t\t\tExitCode: expect.ExitCodeNoCheck,\n\t\t\t\t\t\t\tOutput: func(stdout string, _ tig.T) {\n\t\t\t\t\t\t\t\tassert.Assert(t, !strings.Contains(stdout, containerID),\n\t\t\t\t\t\t\t\t\t\"expected nerdctl healthcheck timer for container ID %s to be removed after container stop\", containerID)\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t})\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\ttestCase.Run(t)\n}\n\nfunc TestHealthCheck_GlobalFlags(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = require.Not(nerdtest.Docker)\n\t// Skip systemd tests in rootless environment to bypass dbus permission issues\n\tif rootlessutil.IsRootless() {\n\t\tt.Skip(\"systemd healthcheck tests are skipped in rootless environment\")\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"Healthcheck works with custom namespace flag\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t// Create container in custom namespace with healthcheck\n\t\t\t\thelpers.Ensure(\"--namespace=healthcheck-test\", \"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--health-cmd\", \"echo healthy\",\n\t\t\t\t\t\"--health-interval\", \"2s\",\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", \"30\")\n\t\t\t\t// Wait a bit to ensure container is running (can't use EnsureContainerStarted with custom namespace)\n\t\t\t\ttime.Sleep(1 * time.Second)\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"--namespace=healthcheck-test\", \"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t// Wait a bit for healthcheck to run\n\t\t\t\ttime.Sleep(3 * time.Second)\n\t\t\t\t// Verify container is accessible in the custom namespace\n\t\t\t\treturn helpers.Command(\"--namespace=healthcheck-test\", \"inspect\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tvar inspectResults []dockercompat.Container\n\t\t\t\t\t\terr := json.Unmarshal([]byte(stdout), &inspectResults)\n\t\t\t\t\t\tassert.NilError(t, err, \"failed to parse inspect output\")\n\t\t\t\t\t\tassert.Assert(t, len(inspectResults) > 0, \"expected at least one container in inspect results\")\n\n\t\t\t\t\t\tinspect := inspectResults[0]\n\t\t\t\t\t\th := inspect.State.Health\n\t\t\t\t\t\tassert.Assert(t, h != nil, \"expected health state to be present\")\n\t\t\t\t\t\tassert.Assert(t, h.Status == healthcheck.Healthy || h.Status == healthcheck.Starting,\n\t\t\t\t\t\t\t\"expected health status to be healthy or starting, got: %s\", h.Status)\n\t\t\t\t\t\tassert.Assert(t, len(h.Log) > 0, \"expected at least one health check log entry\")\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Healthcheck works correctly with namespace after container restart\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t// Create container in custom namespace\n\t\t\t\thelpers.Ensure(\"--namespace=restart-test\", \"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--health-cmd\", \"echo healthy\",\n\t\t\t\t\t\"--health-interval\", \"2s\",\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", \"60\")\n\t\t\t\t// Wait a bit to ensure container is running (can't use EnsureContainerStarted with custom namespace)\n\t\t\t\ttime.Sleep(1 * time.Second)\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"--namespace=restart-test\", \"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t// Wait for initial healthcheck\n\t\t\t\ttime.Sleep(3 * time.Second)\n\n\t\t\t\t// Stop and restart the container\n\t\t\t\thelpers.Ensure(\"--namespace=restart-test\", \"stop\", data.Identifier())\n\t\t\t\thelpers.Ensure(\"--namespace=restart-test\", \"start\", data.Identifier())\n\t\t\t\t// Wait a bit to ensure container is running after restart\n\t\t\t\ttime.Sleep(1 * time.Second)\n\n\t\t\t\t// Wait for healthcheck to run after restart\n\t\t\t\ttime.Sleep(3 * time.Second)\n\n\t\t\t\treturn helpers.Command(\"--namespace=restart-test\", \"inspect\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t// Parse the inspect JSON output directly since we're in a custom namespace\n\t\t\t\t\t\tvar inspectResults []dockercompat.Container\n\t\t\t\t\t\terr := json.Unmarshal([]byte(stdout), &inspectResults)\n\t\t\t\t\t\tassert.NilError(t, err, \"failed to parse inspect output\")\n\t\t\t\t\t\tassert.Assert(t, len(inspectResults) > 0, \"expected at least one container in inspect results\")\n\n\t\t\t\t\t\tinspect := inspectResults[0]\n\t\t\t\t\t\th := inspect.State.Health\n\t\t\t\t\t\tassert.Assert(t, h != nil, \"expected health state after restart\")\n\t\t\t\t\t\tassert.Assert(t, h.Status == healthcheck.Healthy || h.Status == healthcheck.Starting,\n\t\t\t\t\t\t\t\"expected health status to be healthy or starting after restart, got: %s\", h.Status)\n\t\t\t\t\t\tassert.Assert(t, len(h.Log) > 0, \"expected health check logs after restart\")\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\ttestCase.Run(t)\n}\n\nfunc TestHealthCheck_SystemdIntegration_Advanced(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = require.Not(nerdtest.Docker)\n\t// Skip systemd tests in rootless environment to bypass dbus permission issues\n\tif rootlessutil.IsRootless() {\n\t\tt.Skip(\"systemd healthcheck tests are skipped in rootless environment\")\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\t// Tests that CreateTimer() successfully creates systemd timer units and\n\t\t\t// RemoveTransientHealthCheckFiles() properly cleans up units when container stops.\n\t\t\tDescription: \"Systemd timer unit creation and cleanup\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--health-cmd\", \"echo healthy\",\n\t\t\t\t\t\"--health-interval\", \"1s\",\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", \"30\")\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"inspect\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(func(stdout string, t tig.T) {\n\t\t\t\t\t\t// Get container ID and check systemd timer\n\t\t\t\t\t\tcontainerInspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\t\t\t\t\t\tcontainerID := containerInspect.ID\n\n\t\t\t\t\t\t// Check systemd timer\n\t\t\t\t\t\tresult := helpers.Custom(\"systemctl\", \"list-timers\", \"--all\", \"--no-pager\")\n\t\t\t\t\t\tresult.Run(&test.Expected{\n\t\t\t\t\t\t\tExitCode: expect.ExitCodeNoCheck,\n\t\t\t\t\t\t\tOutput: func(stdout string, _ tig.T) {\n\t\t\t\t\t\t\t\t// Verify that a timer exists for this specific container\n\t\t\t\t\t\t\t\tassert.Assert(t, strings.Contains(stdout, containerID),\n\t\t\t\t\t\t\t\t\t\"expected to find nerdctl healthcheck timer containing container ID: %s\", containerID)\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t})\n\t\t\t\t\t\t// Stop container and verify cleanup\n\t\t\t\t\t\thelpers.Ensure(\"stop\", data.Identifier())\n\n\t\t\t\t\t\t// Check that timer is gone\n\t\t\t\t\t\tresult = helpers.Custom(\"systemctl\", \"list-timers\", \"--all\", \"--no-pager\")\n\t\t\t\t\t\tresult.Run(&test.Expected{\n\t\t\t\t\t\t\tExitCode: expect.ExitCodeNoCheck,\n\t\t\t\t\t\t\tOutput: func(stdout string, _ tig.T) {\n\t\t\t\t\t\t\t\tassert.Assert(t, !strings.Contains(stdout, containerID),\n\t\t\t\t\t\t\t\t\t\"expected nerdctl healthcheck timer for container ID %s to be removed after container stop\", containerID)\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t})\n\t\t\t\t\t}),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Container restart recreates systemd timer\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--health-cmd\", \"echo restart-test\",\n\t\t\t\t\t\"--health-interval\", \"2s\",\n\t\t\t\t\ttestutil.CommonImage, \"sleep\", \"60\")\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t// Get container ID for verification\n\t\t\t\tcontainerInspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\t\t\t\tcontainerID := containerInspect.ID\n\n\t\t\t\t// Step 1: Verify timer exists initially\n\t\t\t\tresult := helpers.Custom(\"systemctl\", \"list-timers\", \"--all\", \"--no-pager\")\n\t\t\t\tresult.Run(&test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeNoCheck,\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tassert.Assert(t, strings.Contains(stdout, containerID),\n\t\t\t\t\t\t\t\"expected timer for container %s to exist initially\", containerID)\n\t\t\t\t\t},\n\t\t\t\t})\n\n\t\t\t\t// Step 2: Stop container\n\t\t\t\thelpers.Ensure(\"stop\", data.Identifier())\n\n\t\t\t\t// Step 3: Verify timer is removed after stop\n\t\t\t\tresult = helpers.Custom(\"systemctl\", \"list-timers\", \"--all\", \"--no-pager\")\n\t\t\t\tresult.Run(&test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeNoCheck,\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tassert.Assert(t, !strings.Contains(stdout, containerID),\n\t\t\t\t\t\t\t\"expected timer for container %s to be removed after stop\", containerID)\n\t\t\t\t\t},\n\t\t\t\t})\n\n\t\t\t\t// Step 4: Restart container\n\t\t\t\thelpers.Ensure(\"start\", data.Identifier())\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\n\t\t\t\t// Step 5: Verify timer is recreated after restart - this is our final verification\n\t\t\t\treturn helpers.Custom(\"systemctl\", \"list-timers\", \"--all\", \"--no-pager\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeNoCheck,\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tcontainerInspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\t\t\t\t\t\tcontainerID := containerInspect.ID\n\t\t\t\t\t\tassert.Assert(t, strings.Contains(stdout, containerID),\n\t\t\t\t\t\t\t\"expected timer for container %s to be recreated after restart\", containerID)\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_inspect.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/log\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n\t\"github.com/containerd/nerdctl/v2/pkg/formatter\"\n)\n\nfunc inspectCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"inspect [flags] CONTAINER [CONTAINER, ...]\",\n\t\tShort: \"Display detailed information on one or more containers.\",\n\t\tLong: \"Hint: set `--mode=native` for showing the full output\",\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tRunE: inspectAction,\n\t\tValidArgsFunction: containerInspectShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().String(\"mode\", \"dockercompat\", `Inspect mode, \"dockercompat\" for Docker-compatible output, \"native\" for containerd-native output`)\n\tcmd.Flags().BoolP(\"size\", \"s\", false, \"Display total file sizes\")\n\n\tcmd.RegisterFlagCompletionFunc(\"mode\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"dockercompat\", \"native\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\tcmd.Flags().StringP(\"format\", \"f\", \"\", \"Format the output using the given Go template, e.g, '{{json .}}'\")\n\tcmd.RegisterFlagCompletionFunc(\"format\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"json\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\treturn cmd\n}\n\nvar validModeType = map[string]bool{\n\t\"native\": true,\n\t\"dockercompat\": true,\n}\n\nfunc InspectOptions(cmd *cobra.Command) (opt types.ContainerInspectOptions, err error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn\n\t}\n\tmode, err := cmd.Flags().GetString(\"mode\")\n\tif err != nil {\n\t\treturn\n\t}\n\tif len(mode) > 0 && !validModeType[mode] {\n\t\terr = fmt.Errorf(\"%q is not a valid value for --mode\", mode)\n\t\treturn\n\t}\n\tformat, err := cmd.Flags().GetString(\"format\")\n\tif err != nil {\n\t\treturn\n\t}\n\n\tsize, err := cmd.Flags().GetBool(\"size\")\n\tif err != nil {\n\t\treturn\n\t}\n\n\treturn types.ContainerInspectOptions{\n\t\tGOptions: globalOptions,\n\t\tFormat: format,\n\t\tMode: mode,\n\t\tSize: size,\n\t\tStdout: cmd.OutOrStdout(),\n\t}, nil\n}\n\nfunc inspectAction(cmd *cobra.Command, args []string) error {\n\topt, err := InspectOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), opt.GOptions.Namespace, opt.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\tentries, err := container.Inspect(ctx, client, args, opt)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t// Display\n\tif len(entries) > 0 {\n\t\tif formatErr := formatter.FormatSlice(opt.Format, opt.Stdout, entries); formatErr != nil {\n\t\t\tlog.G(ctx).Error(formatErr)\n\t\t}\n\t}\n\treturn err\n}\n\nfunc containerInspectShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t// show container names\n\treturn completion.ContainerNames(cmd, nil)\n}\n" }, { "path": "cmd/nerdctl/container/container_inspect_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"os\"\n\t\"slices\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/docker/go-connections/nat\"\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/continuity/testutil/loopback\"\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/infoutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/inspecttypes/dockercompat\"\n\t\"github.com/containerd/nerdctl/v2/pkg/labels\"\n\t\"github.com/containerd/nerdctl/v2/pkg/rootlessutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestContainerInspectContainsPortConfig(t *testing.T) {\n\ttestContainer := testutil.Identifier(t)\n\n\tbase := testutil.NewBase(t)\n\tdefer base.Cmd(\"rm\", \"-f\", testContainer).Run()\n\n\tbase.Cmd(\"run\", \"-d\", \"--name\", testContainer, \"-p\", \"8080:80\", testutil.NginxAlpineImage).AssertOK()\n\tinspect := base.InspectContainer(testContainer)\n\tinspect80TCP := (*inspect.NetworkSettings.Ports)[\"80/tcp\"]\n\texpected := nat.PortBinding{\n\t\tHostIP: \"0.0.0.0\",\n\t\tHostPort: \"8080\",\n\t}\n\tassert.Equal(base.T, expected, inspect80TCP[0])\n}\n\nfunc TestContainerInspectContainsMounts(t *testing.T) {\n\ttestContainer := testutil.Identifier(t)\n\n\tbase := testutil.NewBase(t)\n\n\ttestVolume := testutil.Identifier(t)\n\n\tdefer base.Cmd(\"volume\", \"rm\", \"-f\", testVolume).Run()\n\tbase.Cmd(\"volume\", \"create\", \"--label\", \"tag=testVolume\", testVolume).AssertOK()\n\tinspectVolume := base.InspectVolume(testVolume)\n\tnamedVolumeSource := inspectVolume.Mountpoint\n\n\tdefer base.Cmd(\"rm\", \"-f\", testContainer).Run()\n\tbase.Cmd(\"run\", \"-d\", \"--privileged\",\n\t\t\"--name\", testContainer,\n\t\t\"--network\", \"none\",\n\t\t\"-v\", \"/anony-vol\",\n\t\t\"--tmpfs\", \"/app1:size=64m\",\n\t\t\"--mount\", \"type=bind,src=/tmp,dst=/app2,ro\",\n\t\t\"--mount\", fmt.Sprintf(\"type=volume,src=%s,dst=/app3,readonly=false\", testVolume),\n\t\ttestutil.NginxAlpineImage).AssertOK()\n\n\tinspect := base.InspectContainer(testContainer)\n\t// convert array to map to get by key of Destination\n\tactual := make(map[string]dockercompat.MountPoint)\n\tfor i := range inspect.Mounts {\n\t\tactual[inspect.Mounts[i].Destination] = inspect.Mounts[i]\n\t}\n\tt.Logf(\"actual in TestContainerInspectContainsMounts: %+v\", actual)\n\tconst localDriver = \"local\"\n\n\texpected := []struct {\n\t\tdest string\n\t\tmountPoint dockercompat.MountPoint\n\t}{\n\t\t// anonymous volume\n\t\t{\n\t\t\tdest: \"/anony-vol\",\n\t\t\tmountPoint: dockercompat.MountPoint{\n\t\t\t\tType: \"volume\",\n\t\t\t\tName: \"\",\n\t\t\t\tSource: \"\", // source of anonymous volume is a generated path, so here will not check it.\n\t\t\t\tDestination: \"/anony-vol\",\n\t\t\t\tDriver: localDriver,\n\t\t\t\tRW: true,\n\t\t\t},\n\t\t},\n\n\t\t// bind\n\t\t{\n\t\t\tdest: \"/app2\",\n\t\t\tmountPoint: dockercompat.MountPoint{\n\t\t\t\tType: \"bind\",\n\t\t\t\tName: \"\",\n\t\t\t\tSource: \"/tmp\",\n\t\t\t\tDestination: \"/app2\",\n\t\t\t\tDriver: \"\",\n\t\t\t\tRW: false,\n\t\t\t},\n\t\t},\n\n\t\t// named volume\n\t\t{\n\t\t\tdest: \"/app3\",\n\t\t\tmountPoint: dockercompat.MountPoint{\n\t\t\t\tType: \"volume\",\n\t\t\t\tName: testVolume,\n\t\t\t\tSource: namedVolumeSource,\n\t\t\t\tDestination: \"/app3\",\n\t\t\t\tDriver: localDriver,\n\t\t\t\tRW: true,\n\t\t\t},\n\t\t},\n\t}\n\n\tfor i := range expected {\n\t\ttestCase := expected[i]\n\t\tt.Logf(\"test volume[dest=%q]\", testCase.dest)\n\n\t\tmountPoint, ok := actual[testCase.dest]\n\t\tassert.Assert(base.T, ok)\n\n\t\tassert.Equal(base.T, testCase.mountPoint.Type, mountPoint.Type)\n\t\tassert.Equal(base.T, testCase.mountPoint.Driver, mountPoint.Driver)\n\t\tassert.Equal(base.T, testCase.mountPoint.RW, mountPoint.RW)\n\t\tassert.Equal(base.T, testCase.mountPoint.Destination, mountPoint.Destination)\n\n\t\tif testCase.mountPoint.Source != \"\" {\n\t\t\tassert.Equal(base.T, testCase.mountPoint.Source, mountPoint.Source)\n\t\t}\n\t\tif testCase.mountPoint.Name != \"\" {\n\t\t\tassert.Equal(base.T, testCase.mountPoint.Name, mountPoint.Name)\n\t\t}\n\t}\n}\n\nfunc TestContainerInspectContainsLabel(t *testing.T) {\n\tt.Parallel()\n\ttestContainer := testutil.Identifier(t)\n\n\tbase := testutil.NewBase(t)\n\tdefer base.Cmd(\"rm\", \"-f\", testContainer).Run()\n\n\tbase.Cmd(\"run\", \"-d\", \"--name\", testContainer, \"--label\", \"foo=foo\", \"--label\", \"bar=bar\", testutil.NginxAlpineImage).AssertOK()\n\tbase.EnsureContainerStarted(testContainer)\n\tinspect := base.InspectContainer(testContainer)\n\tlbs := inspect.Config.Labels\n\n\tassert.Equal(base.T, \"foo\", lbs[\"foo\"])\n\tassert.Equal(base.T, \"bar\", lbs[\"bar\"])\n}\n\nfunc TestContainerInspectContainsInternalLabel(t *testing.T) {\n\ttestutil.DockerIncompatible(t)\n\tt.Parallel()\n\ttestContainer := testutil.Identifier(t)\n\n\tbase := testutil.NewBase(t)\n\tdefer base.Cmd(\"rm\", \"-f\", testContainer).Run()\n\n\tbase.Cmd(\"run\", \"-d\", \"--name\", testContainer, \"--mount\", \"type=bind,src=/tmp,dst=/app,readonly=false,bind-propagation=rprivate\", testutil.NginxAlpineImage).AssertOK()\n\tbase.EnsureContainerStarted(testContainer)\n\tinspect := base.InspectContainer(testContainer)\n\tlbs := inspect.Config.Labels\n\n\t// TODO: add more internal labels testcases\n\tlabelMount := lbs[labels.Mounts]\n\texpectedLabelMount := \"[{\\\"Type\\\":\\\"bind\\\",\\\"Source\\\":\\\"/tmp\\\",\\\"Destination\\\":\\\"/app\\\",\\\"Mode\\\":\\\"rprivate,rbind\\\",\\\"RW\\\":true,\\\"Propagation\\\":\\\"rprivate\\\"}]\"\n\tassert.Equal(base.T, expectedLabelMount, labelMount)\n}\n\nfunc TestContainerInspectConfigImage(t *testing.T) {\n\tnerdtest.Setup()\n\n\ttestCase := &test.Case{\n\t\tDescription: \"Container inspect contains Config.Image field\",\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(), testutil.AlpineImage, \"sleep\", \"infinity\")\n\t\t},\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"inspect\", data.Identifier())\n\t\t},\n\t\tExpected: test.Expects(0, nil, func(stdout string, t tig.T) {\n\t\t\tvar containers []dockercompat.Container\n\t\t\terr := json.Unmarshal([]byte(stdout), &containers)\n\t\t\tassert.NilError(t, err, \"Unable to unmarshal output\\n\")\n\t\t\tassert.Equal(t, 1, len(containers), \"Expected exactly one container in inspect output\")\n\n\t\t\tcontainer := containers[0]\n\t\t\tassert.Assert(t, container.Config != nil, \"container Config should not be nil\")\n\t\t\tassert.Assert(t, container.Config.Image != \"\", \"Config.Image should not be empty\")\n\t\t}),\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestContainerInspectState(t *testing.T) {\n\tt.Parallel()\n\ttestContainer := testutil.Identifier(t)\n\tbase := testutil.NewBase(t)\n\n\ttype testCase struct {\n\t\tname, containerName, cmd string\n\t\twant dockercompat.ContainerState\n\t}\n\t// nerdctl: run error produces a nil Task, so the Status is empty because Status comes from Task.\n\t// docker : run error gives => `Status=created` as in docker there is no a separation between container and Task.\n\terrStatus := \"\"\n\tif nerdtest.IsDocker() {\n\t\terrStatus = \"created\"\n\t}\n\ttestCases := []testCase{\n\t\t{\n\t\t\tname: \"inspect State with error\",\n\t\t\tcontainerName: fmt.Sprintf(\"%s-fail\", testContainer),\n\t\t\tcmd: \"aa\",\n\t\t\twant: dockercompat.ContainerState{\n\t\t\t\tError: \"executable file not found in $PATH\",\n\t\t\t\tStatus: errStatus,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"inspect State without error\",\n\t\t\tcontainerName: fmt.Sprintf(\"%s-success\", testContainer),\n\t\t\tcmd: \"ls\",\n\t\t\twant: dockercompat.ContainerState{\n\t\t\t\tError: \"\",\n\t\t\t\tStatus: \"exited\",\n\t\t\t},\n\t\t},\n\t}\n\n\tfor _, tc := range testCases {\n\t\ttc := tc\n\t\tt.Run(tc.name, func(t *testing.T) {\n\t\t\tdefer base.Cmd(\"rm\", \"-f\", tc.containerName).Run()\n\t\t\tif tc.want.Error != \"\" {\n\t\t\t\tbase.Cmd(\"run\", \"--name\", tc.containerName, testutil.AlpineImage, tc.cmd).AssertFail()\n\t\t\t} else {\n\t\t\t\tbase.Cmd(\"run\", \"--name\", tc.containerName, testutil.AlpineImage, tc.cmd).AssertOK()\n\t\t\t}\n\t\t\tinspect := base.InspectContainer(tc.containerName)\n\t\t\tassert.Assert(t, strings.Contains(inspect.State.Error, tc.want.Error), fmt.Sprintf(\"expected: %s, actual: %s\", tc.want.Error, inspect.State.Error))\n\t\t\tassert.Equal(base.T, inspect.State.Status, tc.want.Status)\n\t\t})\n\t}\n\n}\n\nfunc TestContainerInspectHostConfig(t *testing.T) {\n\ttestContainer := testutil.Identifier(t)\n\tif rootlessutil.IsRootless() && infoutil.CgroupsVersion() == \"1\" {\n\t\tt.Skip(\"test skipped for rootless containers on cgroup v1\")\n\t}\n\n\tbase := testutil.NewBase(t)\n\tdefer base.Cmd(\"rm\", \"-f\", testContainer).Run()\n\n\t// Run a container with various HostConfig options\n\tbase.Cmd(\"run\", \"-d\", \"--name\", testContainer,\n\t\t\"--cpuset-cpus\", \"0-1\",\n\t\t\"--cpuset-mems\", \"0\",\n\t\t\"--cpu-shares\", \"1024\",\n\t\t\"--cpu-quota\", \"100000\",\n\t\t\"--group-add\", \"1000\",\n\t\t\"--group-add\", \"2000\",\n\t\t\"--add-host\", \"host1:10.0.0.1\",\n\t\t\"--add-host\", \"host2:10.0.0.2\",\n\t\t\"--ipc\", \"host\",\n\t\t\"--memory\", \"512m\",\n\t\t\"--read-only\",\n\t\t\"--shm-size\", \"256m\",\n\t\t\"--uts\", \"host\",\n\t\t\"--runtime\", \"io.containerd.runc.v2\",\n\t\ttestutil.AlpineImage, \"sleep\", \"infinity\").AssertOK()\n\n\tinspect := base.InspectContainer(testContainer)\n\n\tassert.Equal(t, \"0-1\", inspect.HostConfig.CPUSetCPUs)\n\tassert.Equal(t, \"0\", inspect.HostConfig.CPUSetMems)\n\tassert.Equal(t, uint64(1024), inspect.HostConfig.CPUShares)\n\tassert.Equal(t, int64(100000), inspect.HostConfig.CPUQuota)\n\tassert.Assert(t, slices.Contains(inspect.HostConfig.GroupAdd, \"1000\"), \"Expected '1000' to be in GroupAdd\")\n\tassert.Assert(t, slices.Contains(inspect.HostConfig.GroupAdd, \"2000\"), \"Expected '2000' to be in GroupAdd\")\n\texpectedExtraHosts := []string{\"host1:10.0.0.1\", \"host2:10.0.0.2\"}\n\tassert.DeepEqual(t, expectedExtraHosts, inspect.HostConfig.ExtraHosts)\n\tassert.Equal(t, \"host\", inspect.HostConfig.IpcMode)\n\tassert.Equal(t, int64(536870912), inspect.HostConfig.Memory)\n\tassert.Equal(t, int64(1073741824), inspect.HostConfig.MemorySwap)\n\tassert.Equal(t, true, inspect.HostConfig.ReadonlyRootfs)\n\tassert.Equal(t, \"host\", inspect.HostConfig.UTSMode)\n\tassert.Equal(t, int64(268435456), inspect.HostConfig.ShmSize)\n}\n\nfunc TestContainerInspectHostConfigDefaults(t *testing.T) {\n\ttestContainer := testutil.Identifier(t)\n\n\tbase := testutil.NewBase(t)\n\tdefer base.Cmd(\"rm\", \"-f\", testContainer).Run()\n\n\tvar hc hostConfigValues\n\n\t// Hostconfig default values differ with Docker.\n\t// This is because we directly retrieve the configured values instead of using preset defaults.\n\tif nerdtest.IsDocker() {\n\t\thc.Driver = \"\"\n\t\thc.GroupAddSize = 0\n\t\thc.ShmSize = int64(67108864) // Docker default 64M\n\t\thc.Runtime = \"runc\"\n\t} else {\n\t\thc.GroupAddSize = 10\n\t\thc.Driver = \"json-file\"\n\t\thc.ShmSize = int64(0)\n\t\thc.Runtime = \"io.containerd.runc.v2\"\n\t}\n\n\t// Run a container without specifying HostConfig options\n\tbase.Cmd(\"run\", \"-d\", \"--name\", testContainer, testutil.AlpineImage, \"sleep\", \"infinity\").AssertOK()\n\n\tinspect := base.InspectContainer(testContainer)\n\tt.Logf(\"HostConfig in TestContainerInspectHostConfigDefaults: %+v\", inspect.HostConfig)\n\tassert.Equal(t, \"\", inspect.HostConfig.CPUSetCPUs)\n\tassert.Equal(t, \"\", inspect.HostConfig.CPUSetMems)\n\tassert.Equal(t, uint16(0), inspect.HostConfig.BlkioWeight)\n\tassert.Equal(t, 0, len(inspect.HostConfig.BlkioWeightDevice))\n\tassert.Equal(t, 0, len(inspect.HostConfig.BlkioDeviceReadBps))\n\tassert.Equal(t, 0, len(inspect.HostConfig.BlkioDeviceReadIOps))\n\tassert.Equal(t, 0, len(inspect.HostConfig.BlkioDeviceWriteBps))\n\tassert.Equal(t, 0, len(inspect.HostConfig.BlkioDeviceWriteIOps))\n\tassert.Equal(t, uint64(0), inspect.HostConfig.CPUShares)\n\tassert.Equal(t, int64(0), inspect.HostConfig.CPUQuota)\n\tassert.Equal(t, hc.GroupAddSize, len(inspect.HostConfig.GroupAdd))\n\tassert.Equal(t, 0, len(inspect.HostConfig.ExtraHosts))\n\tassert.Equal(t, \"private\", inspect.HostConfig.IpcMode)\n\tassert.Equal(t, hc.Driver, inspect.HostConfig.LogConfig.Driver)\n\tassert.Equal(t, int64(0), inspect.HostConfig.Memory)\n\tassert.Equal(t, int64(0), inspect.HostConfig.MemorySwap)\n\tassert.Equal(t, bool(false), inspect.HostConfig.OomKillDisable)\n\tassert.Equal(t, bool(false), inspect.HostConfig.ReadonlyRootfs)\n\tassert.Equal(t, \"\", inspect.HostConfig.UTSMode)\n\tassert.Equal(t, hc.ShmSize, inspect.HostConfig.ShmSize)\n\tassert.Equal(t, hc.Runtime, inspect.HostConfig.Runtime)\n\tassert.Equal(t, 0, len(inspect.HostConfig.Devices))\n\t// Sysctls can be empty or contain \"net.ipv4.ip_unprivileged_port_start\" depending on the environment.\n\tgot := len(inspect.HostConfig.Sysctls)\n\tif got != 0 && got != 1 {\n\t\tt.Fatalf(\"unexpected number of Sysctls entries: %d (want 0 or 1)\", got)\n\t}\n}\n\nfunc TestContainerInspectHostConfigDNS(t *testing.T) {\n\ttestContainer := testutil.Identifier(t)\n\n\tbase := testutil.NewBase(t)\n\tdefer base.Cmd(\"rm\", \"-f\", testContainer).Run()\n\n\t// Run a container with DNS options\n\tbase.Cmd(\"run\", \"-d\", \"--name\", testContainer,\n\t\t\"--dns\", \"8.8.8.8\",\n\t\t\"--dns\", \"1.1.1.1\",\n\t\t\"--dns-search\", \"example.com\",\n\t\t\"--dns-search\", \"test.local\",\n\t\t\"--dns-option\", \"ndots:5\",\n\t\t\"--dns-option\", \"timeout:3\",\n\t\ttestutil.AlpineImage, \"sleep\", \"infinity\").AssertOK()\n\n\tinspect := base.InspectContainer(testContainer)\n\n\t// Check DNS servers\n\texpectedDNSServers := []string{\"8.8.8.8\", \"1.1.1.1\"}\n\tassert.DeepEqual(t, expectedDNSServers, inspect.HostConfig.DNS)\n\n\t// Check DNS search domains\n\texpectedDNSSearch := []string{\"example.com\", \"test.local\"}\n\tassert.DeepEqual(t, expectedDNSSearch, inspect.HostConfig.DNSSearch)\n\n\t// Check DNS options\n\texpectedDNSOptions := []string{\"ndots:5\", \"timeout:3\"}\n\tassert.DeepEqual(t, expectedDNSOptions, inspect.HostConfig.DNSOptions)\n}\n\nfunc TestContainerInspectHostConfigDNSDefaults(t *testing.T) {\n\ttestContainer := testutil.Identifier(t)\n\n\tbase := testutil.NewBase(t)\n\tdefer base.Cmd(\"rm\", \"-f\", testContainer).Run()\n\n\t// Run a container without specifying DNS options\n\tbase.Cmd(\"run\", \"-d\", \"--name\", testContainer, testutil.AlpineImage, \"sleep\", \"infinity\").AssertOK()\n\n\tinspect := base.InspectContainer(testContainer)\n\n\t// Check that DNS settings are empty by default\n\tassert.Equal(t, 0, len(inspect.HostConfig.DNS))\n\tassert.Equal(t, 0, len(inspect.HostConfig.DNSSearch))\n\tassert.Equal(t, 0, len(inspect.HostConfig.DNSOptions))\n}\n\nfunc TestContainerInspectHostConfigPID(t *testing.T) {\n\ttestContainer1 := testutil.Identifier(t) + \"-container1\"\n\ttestContainer2 := testutil.Identifier(t) + \"-container2\"\n\n\tbase := testutil.NewBase(t)\n\tdefer base.Cmd(\"rm\", \"-f\", testContainer1, testContainer2).Run()\n\n\t// Run the first container\n\tbase.Cmd(\"run\", \"-d\", \"--name\", testContainer1, testutil.AlpineImage, \"sleep\", \"infinity\").AssertOK()\n\n\tcontainerID1 := strings.TrimSpace(base.Cmd(\"inspect\", \"-f\", \"{{.Id}}\", testContainer1).Out())\n\n\tvar hc hostConfigValues\n\n\tif nerdtest.IsDocker() {\n\t\thc.PidMode = \"container:\" + containerID1\n\t} else {\n\t\thc.PidMode = containerID1\n\t}\n\n\tbase.Cmd(\"run\", \"-d\", \"--name\", testContainer2,\n\t\t\"--pid\", fmt.Sprintf(\"container:%s\", testContainer1),\n\t\ttestutil.AlpineImage, \"sleep\", \"infinity\").AssertOK()\n\n\tinspect := base.InspectContainer(testContainer2)\n\n\tassert.Equal(t, hc.PidMode, inspect.HostConfig.PidMode)\n\n}\n\nfunc TestContainerInspectHostConfigPIDDefaults(t *testing.T) {\n\ttestContainer := testutil.Identifier(t)\n\n\tbase := testutil.NewBase(t)\n\tdefer base.Cmd(\"rm\", \"-f\", testContainer).Run()\n\n\tbase.Cmd(\"run\", \"-d\", \"--name\", testContainer, testutil.AlpineImage, \"sleep\", \"infinity\").AssertOK()\n\n\tinspect := base.InspectContainer(testContainer)\n\n\tassert.Equal(t, \"\", inspect.HostConfig.PidMode)\n}\n\nfunc TestContainerInspectDevices(t *testing.T) {\n\ttestContainer := testutil.Identifier(t)\n\n\tbase := testutil.NewBase(t)\n\tdefer base.Cmd(\"rm\", \"-f\", testContainer).Run()\n\n\tif rootlessutil.IsRootless() && infoutil.CgroupsVersion() == \"1\" {\n\t\tt.Skip(\"test skipped for rootless containers on cgroup v1\")\n\t}\n\n\t// Create a temporary directory\n\tdir, err := os.MkdirTemp(t.TempDir(), \"device-dir\")\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\n\tif nerdtest.IsDocker() {\n\t\tdir = \"/dev/zero\"\n\t}\n\n\t// Run the container with the directory mapped as a device\n\tbase.Cmd(\"run\", \"-d\", \"--name\", testContainer,\n\t\t\"--device\", dir+\":/dev/xvda\",\n\t\ttestutil.AlpineImage, \"sleep\", \"infinity\").AssertOK()\n\n\tinspect := base.InspectContainer(testContainer)\n\n\texpectedDevices := []dockercompat.DeviceMapping{\n\t\t{\n\t\t\tPathOnHost: dir,\n\t\t\tPathInContainer: \"/dev/xvda\",\n\t\t\tCgroupPermissions: \"rwm\",\n\t\t},\n\t}\n\tassert.DeepEqual(t, expectedDevices, inspect.HostConfig.Devices)\n}\n\nfunc TestContainerInspectBlkioSettings(t *testing.T) {\n\ttestutil.DockerIncompatible(t)\n\ttestContainer := testutil.Identifier(t)\n\t// Some of the blkio settings are not supported in cgroup v1.\n\t// So skip this test if running on cgroup v1\n\tif infoutil.CgroupsVersion() == \"1\" {\n\t\tt.Skip(\"test skipped for rootless containers or if running with cgroup v1\")\n\t}\n\n\tif rootlessutil.IsRootless() {\n\t\tt.Skip(\"test requires root privilege to create a dummy device\")\n\t}\n\n\t// See https://github.com/containerd/nerdctl/issues/4185\n\t// It is unclear if this is truly a kernel version problem, a runc issue, or a distro (EL9) issue.\n\t// For now, disable the test unless on a recent kernel.\n\ttestutil.RequireKernelVersion(t, \">= 6.0.0-0\")\n\n\tlo, err := loopback.New(4096)\n\tif err != nil {\n\t\terr = fmt.Errorf(\"cannot find a loop device: %w\", err)\n\t\tt.Fatal(err)\n\t}\n\tdefer lo.Close()\n\n\tbase := testutil.NewBase(t)\n\tdefer base.Cmd(\"rm\", \"-f\", testContainer).AssertOK()\n\n\tconst (\n\t\tweight = 500\n\t\treadBps = 1048576\n\t\treadIops = 1000\n\t\twriteBps = 2097152\n\t\twriteIops = 2000\n\t)\n\tbase.Cmd(\"run\", \"-d\", \"--name\", testContainer,\n\t\t\"--blkio-weight\", fmt.Sprintf(\"%d\", weight),\n\t\t\"--blkio-weight-device\", fmt.Sprintf(\"%s:%d\", lo.Device, weight),\n\t\t\"--device-read-bps\", fmt.Sprintf(\"%s:%d\", lo.Device, readBps),\n\t\t\"--device-read-iops\", fmt.Sprintf(\"%s:%d\", lo.Device, readIops),\n\t\t\"--device-write-bps\", fmt.Sprintf(\"%s:%d\", lo.Device, writeBps),\n\t\t\"--device-write-iops\", fmt.Sprintf(\"%s:%d\", lo.Device, writeIops),\n\t\ttestutil.AlpineImage, \"sleep\", \"infinity\").AssertOK()\n\n\tinspect := base.InspectContainer(testContainer)\n\tassert.Equal(t, uint16(weight), inspect.HostConfig.BlkioWeight)\n\tassert.Equal(t, 1, len(inspect.HostConfig.BlkioWeightDevice))\n\tassert.Equal(t, lo.Device, inspect.HostConfig.BlkioWeightDevice[0].Path)\n\tassert.Equal(t, uint16(weight), inspect.HostConfig.BlkioWeightDevice[0].Weight)\n\tassert.Equal(t, 1, len(inspect.HostConfig.BlkioDeviceReadBps))\n\tassert.Equal(t, uint64(readBps), inspect.HostConfig.BlkioDeviceReadBps[0].Rate)\n\tassert.Equal(t, 1, len(inspect.HostConfig.BlkioDeviceWriteBps))\n\tassert.Equal(t, uint64(writeBps), inspect.HostConfig.BlkioDeviceWriteBps[0].Rate)\n\tassert.Equal(t, 1, len(inspect.HostConfig.BlkioDeviceReadIOps))\n\tassert.Equal(t, uint64(readIops), inspect.HostConfig.BlkioDeviceReadIOps[0].Rate)\n\tassert.Equal(t, 1, len(inspect.HostConfig.BlkioDeviceWriteIOps))\n\tassert.Equal(t, uint64(writeIops), inspect.HostConfig.BlkioDeviceWriteIOps[0].Rate)\n}\n\nfunc TestContainerInspectUser(t *testing.T) {\n\tnerdtest.Setup()\n\ttestCase := &test.Case{\n\t\tDescription: \"Container inspect contains User\",\n\t\tRequire: nerdtest.Build,\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdockerfile := fmt.Sprintf(`\nFROM %s\nRUN groupadd -r test && useradd -r -g test test\nUSER test\n`, testutil.UbuntuImage)\n\n\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\n\t\t\thelpers.Ensure(\"build\", \"-t\", data.Identifier(), data.Temp().Path())\n\t\t\thelpers.Ensure(\"create\", \"--name\", data.Identifier(), \"--user\", \"test\", data.Identifier())\n\t\t},\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"inspect\", \"--format\", \"{{.Config.User}}\", data.Identifier())\n\t\t},\n\t\tExpected: test.Expects(0, nil, expect.Equals(\"test\\n\")),\n\t}\n\n\ttestCase.Run(t)\n}\n\ntype hostConfigValues struct {\n\tDriver string\n\tShmSize int64\n\tPidMode string\n\tGroupAddSize int\n\tRuntime string\n}\n" }, { "path": "cmd/nerdctl/container/container_inspect_windows_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"encoding/json\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/inspecttypes/dockercompat\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestInspectProcessContainerContainsLabel(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tcontainerName := testutil.Identifier(t)\n\t\tdata.Labels().Set(\"containerName\", containerName)\n\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", containerName, \"--label\", \"foo=foo\", \"--label\", \"bar=bar\", testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\tnerdtest.EnsureContainerStarted(helpers, containerName)\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tcontainerName := data.Labels().Get(\"containerName\")\n\t\thelpers.Anyhow(\"rm\", \"-f\", containerName)\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\tcontainerName := data.Labels().Get(\"containerName\")\n\t\treturn helpers.Command(\"inspect\", containerName)\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tExitCode: expect.ExitCodeSuccess,\n\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\tvar dc []dockercompat.Container\n\n\t\t\t\terr := json.Unmarshal([]byte(stdout), &dc)\n\t\t\t\tassert.NilError(t, err)\n\t\t\t\tassert.Equal(t, 1, len(dc))\n\n\t\t\t\tassert.Equal(t, \"foo\", dc[0].Config.Labels[\"foo\"])\n\t\t\t\tassert.Equal(t, \"bar\", dc[0].Config.Labels[\"bar\"])\n\t\t\t},\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestInspectHyperVContainerContainsLabel(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = nerdtest.HyperV\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tcontainerName := testutil.Identifier(t)\n\t\tdata.Labels().Set(\"containerName\", containerName)\n\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", containerName, \"--isolation\", \"hyperv\", \"--label\", \"foo=foo\", \"--label\", \"bar=bar\", testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\tnerdtest.EnsureContainerStarted(helpers, containerName)\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tcontainerName := data.Labels().Get(\"containerName\")\n\t\thelpers.Anyhow(\"rm\", \"-f\", containerName)\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\tcontainerName := data.Labels().Get(\"containerName\")\n\t\treturn helpers.Command(\"inspect\", containerName)\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tExitCode: expect.ExitCodeSuccess,\n\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\tvar dc []dockercompat.Container\n\n\t\t\t\terr := json.Unmarshal([]byte(stdout), &dc)\n\t\t\t\tassert.NilError(t, err)\n\t\t\t\tassert.Equal(t, 1, len(dc))\n\n\t\t\t\t//check with HCS if the container is ineed a VM\n\t\t\t\tisHypervContainer, err := testutil.HyperVContainer(dc[0])\n\t\t\t\tassert.NilError(t, err)\n\t\t\t\tassert.Equal(t, true, isHypervContainer)\n\n\t\t\t\tassert.Equal(t, \"foo\", dc[0].Config.Labels[\"foo\"])\n\t\t\t\tassert.Equal(t, \"bar\", dc[0].Config.Labels[\"bar\"])\n\t\t\t},\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_kill.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\tcontainerd \"github.com/containerd/containerd/v2/client\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n)\n\nfunc KillCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"kill [flags] CONTAINER [CONTAINER, ...]\",\n\t\tShort: \"Kill one or more running containers\",\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tRunE: killAction,\n\t\tValidArgsFunction: killShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().StringP(\"signal\", \"s\", \"KILL\", \"Signal to send to the container\")\n\treturn cmd\n}\n\nfunc killAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tkillSignal, err := cmd.Flags().GetString(\"signal\")\n\tif err != nil {\n\t\treturn err\n\t}\n\toptions := types.ContainerKillOptions{\n\t\tGOptions: globalOptions,\n\t\tKillSignal: killSignal,\n\t\tStdout: cmd.OutOrStdout(),\n\t\tStderr: cmd.ErrOrStderr(),\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn container.Kill(ctx, client, args, options)\n}\n\nfunc killShellComplete(cmd *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCompDirective) {\n\t// show non-stopped container names\n\tstatusFilterFn := func(st containerd.ProcessStatus) bool {\n\t\treturn st != containerd.Stopped && st != containerd.Created && st != containerd.Unknown\n\t}\n\treturn completion.ContainerNames(cmd, statusFilterFn)\n}\n" }, { "path": "cmd/nerdctl/container/container_kill_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"fmt\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/coreos/go-iptables/iptables\"\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/rootlessutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\tiptablesutil \"github.com/containerd/nerdctl/v2/pkg/testutil/iptables\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\n// TestKillCleanupForwards runs a container that exposes a port and then kill it.\n// The test checks that the kill command effectively clean up\n// the iptables forwards creted from the run.\nfunc TestKillCleanupForwards(t *testing.T) {\n\tconst (\n\t\thostPort = 9999\n\t\ttestContainerName = \"ngx\"\n\t)\n\tbase := testutil.NewBase(t)\n\tdefer func() {\n\t\tbase.Cmd(\"rm\", \"-f\", testContainerName).Run()\n\t}()\n\n\t// skip if rootless\n\tif rootlessutil.IsRootless() {\n\t\tt.Skip(\"pkg/testutil/iptables does not support rootless\")\n\t}\n\n\tipt, err := iptables.New()\n\tassert.NilError(t, err)\n\n\tcontainerID := base.Cmd(\"run\", \"-d\",\n\t\t\"--restart=no\",\n\t\t\"--name\", testContainerName,\n\t\t\"-p\", fmt.Sprintf(\"127.0.0.1:%d:80\", hostPort),\n\t\ttestutil.NginxAlpineImage).Run().Stdout()\n\tcontainerID = strings.TrimSuffix(containerID, \"\\n\")\n\n\tcontainerIP := base.Cmd(\"inspect\",\n\t\t\"-f\",\n\t\t\"'{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}'\",\n\t\ttestContainerName).Run().Stdout()\n\tcontainerIP = strings.ReplaceAll(containerIP, \"'\", \"\")\n\tcontainerIP = strings.TrimSuffix(containerIP, \"\\n\")\n\n\t// define iptables chain name depending on the target (docker/nerdctl)\n\tvar chain string\n\tif nerdtest.IsDocker() {\n\t\tchain = \"DOCKER\"\n\t} else {\n\t\tredirectChain := \"CNI-HOSTPORT-DNAT\"\n\t\tchain = iptablesutil.GetRedirectedChain(t, ipt, redirectChain, testutil.Namespace, containerID)\n\t}\n\tassert.Equal(t, iptablesutil.ForwardExists(t, ipt, chain, containerIP, hostPort), true)\n\n\tbase.Cmd(\"kill\", testContainerName).AssertOK()\n\tassert.Equal(t, iptablesutil.ForwardExists(t, ipt, chain, containerIP, hostPort), false)\n}\n" }, { "path": "cmd/nerdctl/container/container_list.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"bytes\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"text/tabwriter\"\n\t\"text/template\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n\t\"github.com/containerd/nerdctl/v2/pkg/formatter\"\n)\n\nfunc PsCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"ps\",\n\t\tArgs: cobra.NoArgs,\n\t\tShort: \"List containers\",\n\t\tRunE: psAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().BoolP(\"all\", \"a\", false, \"Show all containers (default shows just running)\")\n\tcmd.Flags().IntP(\"last\", \"n\", -1, \"Show n last created containers (includes all states)\")\n\tcmd.Flags().BoolP(\"latest\", \"l\", false, \"Show the latest created container (includes all states)\")\n\tcmd.Flags().Bool(\"no-trunc\", false, \"Don't truncate output\")\n\tcmd.Flags().BoolP(\"quiet\", \"q\", false, \"Only display container IDs\")\n\tcmd.Flags().BoolP(\"size\", \"s\", false, \"Display total file sizes\")\n\n\t// Alias \"-f\" is reserved for \"--filter\"\n\tcmd.Flags().String(\"format\", \"\", \"Format the output using the given Go template, e.g, '{{json .}}', 'wide'\")\n\tcmd.RegisterFlagCompletionFunc(\"format\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"json\", \"table\", \"wide\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\tcmd.Flags().StringSliceP(\"filter\", \"f\", nil, \"Filter matches containers based on given conditions. When specifying the condition 'status', it filters all containers\")\n\treturn cmd\n}\n\nfunc processOptions(cmd *cobra.Command) (types.ContainerListOptions, FormattingAndPrintingOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ContainerListOptions{}, FormattingAndPrintingOptions{}, err\n\t}\n\tall, err := cmd.Flags().GetBool(\"all\")\n\tif err != nil {\n\t\treturn types.ContainerListOptions{}, FormattingAndPrintingOptions{}, err\n\t}\n\tlatest, err := cmd.Flags().GetBool(\"latest\")\n\tif err != nil {\n\t\treturn types.ContainerListOptions{}, FormattingAndPrintingOptions{}, err\n\t}\n\n\tlastN, err := cmd.Flags().GetInt(\"last\")\n\tif err != nil {\n\t\treturn types.ContainerListOptions{}, FormattingAndPrintingOptions{}, err\n\t}\n\tif lastN == -1 && latest {\n\t\tlastN = 1\n\t}\n\n\tfilters, err := cmd.Flags().GetStringSlice(\"filter\")\n\tif err != nil {\n\t\treturn types.ContainerListOptions{}, FormattingAndPrintingOptions{}, err\n\t}\n\n\tnoTrunc, err := cmd.Flags().GetBool(\"no-trunc\")\n\tif err != nil {\n\t\treturn types.ContainerListOptions{}, FormattingAndPrintingOptions{}, err\n\t}\n\ttrunc := !noTrunc\n\n\tquiet, err := cmd.Flags().GetBool(\"quiet\")\n\tif err != nil {\n\t\treturn types.ContainerListOptions{}, FormattingAndPrintingOptions{}, err\n\t}\n\tformat, err := cmd.Flags().GetString(\"format\")\n\tif err != nil {\n\t\treturn types.ContainerListOptions{}, FormattingAndPrintingOptions{}, err\n\t}\n\n\tsize := false\n\tif !quiet {\n\t\tsize, err = cmd.Flags().GetBool(\"size\")\n\t\tif err != nil {\n\t\t\treturn types.ContainerListOptions{}, FormattingAndPrintingOptions{}, err\n\t\t}\n\t}\n\n\treturn types.ContainerListOptions{\n\t\t\tGOptions: globalOptions,\n\t\t\tAll: all,\n\t\t\tLastN: lastN,\n\t\t\tTruncate: trunc,\n\t\t\tSize: size || (format == \"wide\" && !quiet),\n\t\t\tFilters: filters,\n\t\t}, FormattingAndPrintingOptions{\n\t\t\tStdout: cmd.OutOrStdout(),\n\t\t\tQuiet: quiet,\n\t\t\tFormat: format,\n\t\t\tSize: size,\n\t\t}, nil\n}\n\nfunc psAction(cmd *cobra.Command, args []string) error {\n\tclOpts, fpOpts, err := processOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), clOpts.GOptions.Namespace, clOpts.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\tcontainers, err := container.List(ctx, client, clOpts)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn formatAndPrintContainerInfo(containers, fpOpts)\n}\n\n// FormattingAndPrintingOptions specifies options for formatting and printing of `nerdctl (container) list`.\ntype FormattingAndPrintingOptions struct {\n\tStdout io.Writer\n\t// Only display container IDs.\n\tQuiet bool\n\t// Format the output using the given Go template (e.g., '{{json .}}', 'table', 'wide').\n\tFormat string\n\t// Display total file sizes.\n\tSize bool\n}\n\nfunc formatAndPrintContainerInfo(containers []container.ListItem, options FormattingAndPrintingOptions) error {\n\tw := options.Stdout\n\tvar (\n\t\twide bool\n\t\ttmpl *template.Template\n\t)\n\tswitch options.Format {\n\tcase \"\", \"table\":\n\t\tw = tabwriter.NewWriter(w, 4, 8, 4, ' ', 0)\n\t\tif !options.Quiet {\n\t\t\tprintHeader := \"CONTAINER ID\\tIMAGE\\tCOMMAND\\tCREATED\\tSTATUS\\tPORTS\\tNAMES\"\n\t\t\tif options.Size {\n\t\t\t\tprintHeader += \"\\tSIZE\"\n\t\t\t}\n\t\t\tfmt.Fprintln(w, printHeader)\n\t\t}\n\tcase \"raw\":\n\t\treturn errors.New(\"unsupported format: \\\"raw\\\"\")\n\tcase \"wide\":\n\t\tw = tabwriter.NewWriter(w, 4, 8, 4, ' ', 0)\n\t\tif !options.Quiet {\n\t\t\tfmt.Fprintln(w, \"CONTAINER ID\\tIMAGE\\tCOMMAND\\tCREATED\\tSTATUS\\tPORTS\\tNAMES\\tRUNTIME\\tPLATFORM\\tSIZE\")\n\t\t\twide = true\n\t\t}\n\tdefault:\n\t\tif options.Quiet {\n\t\t\treturn errors.New(\"format and quiet must not be specified together\")\n\t\t}\n\t\tvar err error\n\t\ttmpl, err = formatter.ParseTemplate(options.Format)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\tfor _, c := range containers {\n\t\tif tmpl != nil {\n\t\t\tvar b bytes.Buffer\n\t\t\tif err := tmpl.Execute(&b, &c); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tif _, err := fmt.Fprintln(w, b.String()); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t} else if options.Quiet {\n\t\t\tif _, err := fmt.Fprintln(w, c.ID); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t} else {\n\t\t\tformat := \"%s\\t%s\\t%s\\t%s\\t%s\\t%s\\t%s\"\n\t\t\targs := []interface{}{\n\t\t\t\tc.ID,\n\t\t\t\tc.Image,\n\t\t\t\tc.Command,\n\t\t\t\tformatter.TimeSinceInHuman(c.CreatedAt),\n\t\t\t\tc.Status,\n\t\t\t\tc.Ports,\n\t\t\t\tc.Names,\n\t\t\t}\n\t\t\tif wide {\n\t\t\t\tformat += \"\\t%s\\t%s\\t%s\\n\"\n\t\t\t\targs = append(args, c.Runtime, c.Platform, c.Size)\n\t\t\t} else if options.Size {\n\t\t\t\tformat += \"\\t%s\\n\"\n\t\t\t\targs = append(args, c.Size)\n\t\t\t} else {\n\t\t\t\tformat += \"\\n\"\n\t\t\t}\n\t\t\tif _, err := fmt.Fprintf(w, format, args...); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\n\t}\n\tif f, ok := w.(formatter.Flusher); ok {\n\t\treturn f.Flush()\n\t}\n\treturn nil\n}\n" }, { "path": "cmd/nerdctl/container/container_list_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"slices\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/formatter\"\n\t\"github.com/containerd/nerdctl/v2/pkg/strutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/tabutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\ntype psTestContainer struct {\n\tname string\n\tlabels map[string]string\n\tvolumes []string\n\tnetwork string\n}\n\n// When keepAlive is false, the container will exit immediately with status 1.\nfunc preparePsTestContainer(t *testing.T, identity string, keepAlive bool) (*testutil.Base, psTestContainer) {\n\tbase := testutil.NewBase(t)\n\n\tbase.Cmd(\"pull\", \"--quiet\", testutil.CommonImage).AssertOK()\n\n\ttestContainerName := testutil.Identifier(t) + identity\n\trwVolName := testContainerName + \"-rw\"\n\t// A container can mount named and anonymous volumes\n\trwDir, err := os.MkdirTemp(t.TempDir(), \"rw\")\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\tbase.Cmd(\"network\", \"create\", testContainerName).AssertOK()\n\tt.Cleanup(func() {\n\t\tbase.Cmd(\"rm\", \"-f\", testContainerName).AssertOK()\n\t\tbase.Cmd(\"volume\", \"rm\", \"-f\", rwVolName).Run()\n\t\tbase.Cmd(\"network\", \"rm\", testContainerName).Run()\n\t\tos.RemoveAll(rwDir)\n\t})\n\n\t// A container can have multiple labels.\n\t// Therefore, this test container has multiple labels to check it.\n\ttestLabels := make(map[string]string)\n\tkeys := []string{\n\t\ttestutil.Identifier(t) + identity,\n\t\ttestutil.Identifier(t) + identity,\n\t}\n\t// fill the value of testLabels\n\tfor _, k := range keys {\n\t\ttestLabels[k] = k\n\t}\n\tbase.Cmd(\"volume\", \"create\", rwVolName).AssertOK()\n\tmnt1 := fmt.Sprintf(\"%s:/%s_mnt1\", rwDir, identity)\n\tmnt2 := fmt.Sprintf(\"%s:/%s_mnt3\", rwVolName, identity)\n\n\targs := []string{\n\t\t\"run\",\n\t\t\"-d\",\n\t\t\"--name\",\n\t\ttestContainerName,\n\t\t\"--label\",\n\t\tformatter.FormatLabels(testLabels),\n\t\t\"-v\", mnt1,\n\t\t\"-v\", mnt2,\n\t\t\"--net\", testContainerName,\n\t}\n\tif keepAlive {\n\t\targs = append(args, testutil.CommonImage, \"top\")\n\t} else {\n\t\targs = append(args, \"--restart=no\", testutil.CommonImage, \"false\")\n\t}\n\n\tbase.Cmd(args...).AssertOK()\n\tif keepAlive {\n\t\tbase.EnsureContainerStarted(testContainerName)\n\t} else {\n\t\tbase.EnsureContainerExited(testContainerName, 1)\n\t}\n\n\t// dd if=/dev/zero of=test_file bs=1M count=25\n\t// let the container occupy 25MiB space.\n\tif keepAlive {\n\t\tbase.Cmd(\"exec\", testContainerName, \"dd\", \"if=/dev/zero\", \"of=/test_file\", \"bs=1M\", \"count=25\").AssertOK()\n\t}\n\tvolumes := []string{}\n\tvolumes = append(volumes, strings.Split(mnt1, \":\")...)\n\tvolumes = append(volumes, strings.Split(mnt2, \":\")...)\n\n\treturn base, psTestContainer{\n\t\tname: testContainerName,\n\t\tlabels: testLabels,\n\t\tvolumes: volumes,\n\t\tnetwork: testContainerName,\n\t}\n}\n\nfunc TestContainerList(t *testing.T) {\n\tbase, testContainer := preparePsTestContainer(t, \"list\", true)\n\n\t// hope there are no tests running parallel\n\tbase.Cmd(\"ps\", \"-n\", \"1\", \"-s\").AssertOutWithFunc(func(stdout string) error {\n\t\t// An example of nerdctl/docker ps -n 1 -s\n\t\t// CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES SIZE\n\t\t// be8d386c991e docker.io/library/busybox:latest \"top\" 1 second ago Up c1 16.0 KiB (virtual 1.3 MiB)\n\n\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\tif len(lines) < 2 {\n\t\t\treturn fmt.Errorf(\"expected at least 2 lines, got %d\", len(lines))\n\t\t}\n\n\t\ttab := tabutil.NewReader(\"CONTAINER ID\\tIMAGE\\tCOMMAND\\tCREATED\\tSTATUS\\tPORTS\\tNAMES\\tSIZE\")\n\t\terr := tab.ParseHeader(lines[0])\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to parse header: %v\", err)\n\t\t}\n\n\t\tcontainer, _ := tab.ReadRow(lines[1], \"NAMES\")\n\t\tassert.Equal(t, container, testContainer.name)\n\n\t\timage, _ := tab.ReadRow(lines[1], \"IMAGE\")\n\t\tassert.Equal(t, image, testutil.CommonImage)\n\n\t\tsize, _ := tab.ReadRow(lines[1], \"SIZE\")\n\n\t\t// there is some difference between nerdctl and docker in calculating the size of the container\n\t\texpectedSize := \"26.2MB (virtual \"\n\t\tif !nerdtest.IsDocker() {\n\t\t\texpectedSize = \"25.0 MiB (virtual \"\n\t\t}\n\n\t\tif !strings.Contains(size, expectedSize) {\n\t\t\treturn fmt.Errorf(\"expect container size %s, but got %s\", expectedSize, size)\n\t\t}\n\n\t\treturn nil\n\t})\n}\n\nfunc TestContainerListWideMode(t *testing.T) {\n\ttestutil.DockerIncompatible(t)\n\tbase, testContainer := preparePsTestContainer(t, \"listWithMode\", true)\n\n\t// hope there are no tests running parallel\n\tbase.Cmd(\"ps\", \"-n\", \"1\", \"--format\", \"wide\").AssertOutWithFunc(func(stdout string) error {\n\n\t\t// An example of nerdctl ps --format wide\n\t\t// CONTAINER ID IMAGE PLATFORM COMMAND CREATED STATUS PORTS NAMES RUNTIME SIZE\n\t\t// 17181f208b61 docker.io/library/busybox:latest linux/amd64 \"top\" About an hour ago Up busybox-17181 io.containerd.runc.v2 16.0 KiB (virtual 1.3 MiB)\n\n\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\tif len(lines) < 2 {\n\t\t\treturn fmt.Errorf(\"expected at least 2 lines, got %d\", len(lines))\n\t\t}\n\n\t\ttab := tabutil.NewReader(\"CONTAINER ID\\tIMAGE\\tCOMMAND\\tCREATED\\tSTATUS\\tPORTS\\tNAMES\\tRUNTIME\\tPLATFORM\\tSIZE\")\n\t\terr := tab.ParseHeader(lines[0])\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to parse header: %v\", err)\n\t\t}\n\n\t\tcontainer, _ := tab.ReadRow(lines[1], \"NAMES\")\n\t\tassert.Equal(t, container, testContainer.name)\n\n\t\timage, _ := tab.ReadRow(lines[1], \"IMAGE\")\n\t\tassert.Equal(t, image, testutil.CommonImage)\n\n\t\truntime, _ := tab.ReadRow(lines[1], \"RUNTIME\")\n\t\tassert.Equal(t, runtime, \"io.containerd.runc.v2\")\n\n\t\tsize, _ := tab.ReadRow(lines[1], \"SIZE\")\n\t\texpectedSize := \"25.0 MiB (virtual \"\n\t\tif !strings.Contains(size, expectedSize) {\n\t\t\treturn fmt.Errorf(\"expect container size %s, but got %s\", expectedSize, size)\n\t\t}\n\t\treturn nil\n\t})\n}\n\nfunc TestContainerListWithLabels(t *testing.T) {\n\tbase, testContainer := preparePsTestContainer(t, \"listWithLabels\", true)\n\n\t// hope there are no tests running parallel\n\tbase.Cmd(\"ps\", \"-n\", \"1\", \"--format\", \"{{.Labels}}\").AssertOutWithFunc(func(stdout string) error {\n\n\t\t// An example of nerdctl ps --format \"{{.Labels}}\"\n\t\t// key1=value1,key2=value2,key3=value3\n\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\tif len(lines) != 1 {\n\t\t\treturn fmt.Errorf(\"expected 1 line, got %d\", len(lines))\n\t\t}\n\n\t\t// check labels using map\n\t\t// 1. the results has no guarantee to show the same order.\n\t\t// 2. the results has no guarantee to show only configured labels.\n\t\tlabelsMap, err := strutil.ParseCSVMap(lines[0])\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to parse labels: %v\", err)\n\t\t}\n\n\t\tfor i := range testContainer.labels {\n\t\t\tif value, ok := labelsMap[i]; ok {\n\t\t\t\tassert.Equal(t, value, testContainer.labels[i])\n\t\t\t}\n\t\t}\n\t\treturn nil\n\t})\n}\n\nfunc TestContainerListWithNames(t *testing.T) {\n\tbase, testContainer := preparePsTestContainer(t, \"listWithNames\", true)\n\n\t// hope there are no tests running parallel\n\tbase.Cmd(\"ps\", \"-n\", \"1\", \"--format\", \"{{.Names}}\").AssertOutWithFunc(func(stdout string) error {\n\n\t\t// An example of nerdctl ps --format \"{{.Names}}\"\n\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\tif len(lines) != 1 {\n\t\t\treturn fmt.Errorf(\"expected 1 line, got %d\", len(lines))\n\t\t}\n\n\t\tassert.Equal(t, lines[0], testContainer.name)\n\n\t\treturn nil\n\t})\n}\n\nfunc TestContainerListWithFilter(t *testing.T) {\n\tbase, testContainerA := preparePsTestContainer(t, \"listWithFilterA\", true)\n\t_, testContainerB := preparePsTestContainer(t, \"listWithFilterB\", true)\n\t_, testContainerC := preparePsTestContainer(t, \"listWithFilterC\", false)\n\n\tbase.Cmd(\"ps\", \"--filter\", \"name=\"+testContainerA.name).AssertOutWithFunc(func(stdout string) error {\n\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\tif len(lines) < 2 {\n\t\t\treturn fmt.Errorf(\"expected at least 2 lines, got %d\", len(lines))\n\t\t}\n\n\t\ttab := tabutil.NewReader(\"CONTAINER ID\\tIMAGE\\tCOMMAND\\tCREATED\\tSTATUS\\tPORTS\\tNAMES\")\n\t\terr := tab.ParseHeader(lines[0])\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to parse header: %v\", err)\n\t\t}\n\n\t\tcontainerName, _ := tab.ReadRow(lines[1], \"NAMES\")\n\t\tassert.Equal(t, containerName, testContainerA.name)\n\t\tid, _ := tab.ReadRow(lines[1], \"CONTAINER ID\")\n\t\tbase.Cmd(\"ps\", \"-q\", \"--filter\", \"id=\"+id).AssertOutWithFunc(func(stdout string) error {\n\t\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\tif len(lines) != 1 {\n\t\t\t\treturn fmt.Errorf(\"expected 1 line, got %d\", len(lines))\n\t\t\t}\n\t\t\tif lines[0] != id {\n\t\t\t\treturn errors.New(\"failed to filter by id\")\n\t\t\t}\n\t\t\treturn nil\n\t\t})\n\t\tbase.Cmd(\"ps\", \"-q\", \"--filter\", \"id=\"+id+id).AssertOutWithFunc(func(stdout string) error {\n\t\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\tif len(lines) > 0 {\n\t\t\t\tfor _, line := range lines {\n\t\t\t\t\tif line != \"\" {\n\t\t\t\t\t\treturn fmt.Errorf(\"unexpected container found: %s\", line)\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn nil\n\t\t})\n\t\tbase.Cmd(\"ps\", \"-q\", \"--filter\", \"id=\").AssertOutWithFunc(func(stdout string) error {\n\t\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\tif len(lines) > 0 {\n\t\t\t\tfor _, line := range lines {\n\t\t\t\t\tif line != \"\" {\n\t\t\t\t\t\treturn fmt.Errorf(\"unexpected container found: %s\", line)\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn nil\n\t\t})\n\t\treturn nil\n\t})\n\n\t// should support regexp\n\tbase.Cmd(\"ps\", \"--filter\", \"name=.*\"+testContainerA.name+\".*\").AssertOutWithFunc(func(stdout string) error {\n\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\tif len(lines) < 2 {\n\t\t\treturn fmt.Errorf(\"expected at least 2 lines, got %d\", len(lines))\n\t\t}\n\n\t\ttab := tabutil.NewReader(\"CONTAINER ID\\tIMAGE\\tCOMMAND\\tCREATED\\tSTATUS\\tPORTS\\tNAMES\")\n\t\terr := tab.ParseHeader(lines[0])\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to parse header: %v\", err)\n\t\t}\n\n\t\tcontainerName, _ := tab.ReadRow(lines[1], \"NAMES\")\n\t\tassert.Equal(t, containerName, testContainerA.name)\n\t\treturn nil\n\t})\n\n\t// fully anchored regexp\n\tbase.Cmd(\"ps\", \"--filter\", \"name=^\"+testContainerA.name+\"$\").AssertOutWithFunc(func(stdout string) error {\n\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\tif len(lines) < 2 {\n\t\t\treturn fmt.Errorf(\"expected at least 2 lines, got %d\", len(lines))\n\t\t}\n\n\t\ttab := tabutil.NewReader(\"CONTAINER ID\\tIMAGE\\tCOMMAND\\tCREATED\\tSTATUS\\tPORTS\\tNAMES\")\n\t\terr := tab.ParseHeader(lines[0])\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to parse header: %v\", err)\n\t\t}\n\n\t\tcontainerName, _ := tab.ReadRow(lines[1], \"NAMES\")\n\t\tassert.Equal(t, containerName, testContainerA.name)\n\t\treturn nil\n\t})\n\n\tbase.Cmd(\"ps\", \"-q\", \"--filter\", \"name=\"+testContainerA.name+testContainerA.name).AssertOutWithFunc(func(stdout string) error {\n\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\tif len(lines) > 0 {\n\t\t\tfor _, line := range lines {\n\t\t\t\tif line != \"\" {\n\t\t\t\t\treturn fmt.Errorf(\"unexpected container found: %s\", line)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\treturn nil\n\t})\n\n\tbase.Cmd(\"ps\", \"-q\", \"--filter\", \"name=\").AssertOutWithFunc(func(stdout string) error {\n\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\tif len(lines) == 0 {\n\t\t\treturn errors.New(\"expect at least 1 container, got 0\")\n\t\t}\n\t\treturn nil\n\t})\n\n\tbase.Cmd(\"ps\", \"--filter\", \"name=listWithFilter\").AssertOutWithFunc(func(stdout string) error {\n\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\tif len(lines) < 3 {\n\t\t\treturn fmt.Errorf(\"expected at least 3 lines, got %d\", len(lines))\n\t\t}\n\n\t\ttab := tabutil.NewReader(\"CONTAINER ID\\tIMAGE\\tCOMMAND\\tCREATED\\tSTATUS\\tPORTS\\tNAMES\")\n\t\terr := tab.ParseHeader(lines[0])\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to parse header: %v\", err)\n\t\t}\n\t\tcontainerNames := map[string]struct{}{\n\t\t\ttestContainerA.name: {}, testContainerB.name: {},\n\t\t}\n\t\tfor idx, line := range lines {\n\t\t\tif idx == 0 {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tcontainerName, _ := tab.ReadRow(line, \"NAMES\")\n\t\t\tif _, ok := containerNames[containerName]; !ok {\n\t\t\t\treturn fmt.Errorf(\"unexpected container %s found\", containerName)\n\t\t\t}\n\t\t}\n\t\treturn nil\n\t})\n\n\t// docker filter by id only support full ID no truncate\n\t// https://github.com/docker/for-linux/issues/258\n\t// yet nerdctl also support truncate ID\n\tbase.Cmd(\"ps\", \"--no-trunc\", \"--filter\", \"since=\"+testContainerA.name).AssertOutWithFunc(func(stdout string) error {\n\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\tif len(lines) < 2 {\n\t\t\treturn fmt.Errorf(\"expected at least 2 lines, got %d\", len(lines))\n\t\t}\n\n\t\ttab := tabutil.NewReader(\"CONTAINER ID\\tIMAGE\\tCOMMAND\\tCREATED\\tSTATUS\\tPORTS\\tNAMES\")\n\t\terr := tab.ParseHeader(lines[0])\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to parse header: %v\", err)\n\t\t}\n\t\tvar id string\n\t\tfor idx, line := range lines {\n\t\t\tif idx == 0 {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tcontainerName, _ := tab.ReadRow(line, \"NAMES\")\n\t\t\tif containerName != testContainerB.name {\n\t\t\t\treturn fmt.Errorf(\"unexpected container %s found\", containerName)\n\t\t\t}\n\t\t\tid, _ = tab.ReadRow(line, \"CONTAINER ID\")\n\t\t}\n\t\tbase.Cmd(\"ps\", \"--filter\", \"before=\"+id).AssertOutWithFunc(func(stdout string) error {\n\t\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\tif len(lines) < 2 {\n\t\t\t\treturn fmt.Errorf(\"expected at least 2 lines, got %d\", len(lines))\n\t\t\t}\n\n\t\t\ttab := tabutil.NewReader(\"CONTAINER ID\\tIMAGE\\tCOMMAND\\tCREATED\\tSTATUS\\tPORTS\\tNAMES\")\n\t\t\terr := tab.ParseHeader(lines[0])\n\t\t\tif err != nil {\n\t\t\t\treturn fmt.Errorf(\"failed to parse header: %v\", err)\n\t\t\t}\n\t\t\tfoundA := false\n\t\t\tfor idx, line := range lines {\n\t\t\t\tif idx == 0 {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tcontainerName, _ := tab.ReadRow(line, \"NAMES\")\n\t\t\t\tif containerName == testContainerA.name {\n\t\t\t\t\tfoundA = true\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t\t// there are other containers such as **wordpress** could be listed since\n\t\t\t// their created times are ahead of testContainerB too\n\t\t\tif !foundA {\n\t\t\t\treturn fmt.Errorf(\"expected container %s not found\", testContainerA.name)\n\t\t\t}\n\t\t\treturn nil\n\t\t})\n\t\treturn nil\n\t})\n\n\t// docker filter by id only support full ID no truncate\n\t// https://github.com/docker/for-linux/issues/258\n\t// yet nerdctl also support truncate ID\n\tbase.Cmd(\"ps\", \"--no-trunc\", \"--filter\", \"before=\"+testContainerB.name).AssertOutWithFunc(func(stdout string) error {\n\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\tif len(lines) < 2 {\n\t\t\treturn fmt.Errorf(\"expected at least 2 lines, got %d\", len(lines))\n\t\t}\n\n\t\ttab := tabutil.NewReader(\"CONTAINER ID\\tIMAGE\\tCOMMAND\\tCREATED\\tSTATUS\\tPORTS\\tNAMES\")\n\t\terr := tab.ParseHeader(lines[0])\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to parse header: %v\", err)\n\t\t}\n\t\tfoundA := false\n\t\tvar id string\n\t\tfor idx, line := range lines {\n\t\t\tif idx == 0 {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tcontainerName, _ := tab.ReadRow(line, \"NAMES\")\n\t\t\tif containerName == testContainerA.name {\n\t\t\t\tfoundA = true\n\t\t\t\tid, _ = tab.ReadRow(line, \"CONTAINER ID\")\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\t// there are other containers such as **wordpress** could be listed since\n\t\t// their created times are ahead of testContainerB too\n\t\tif !foundA {\n\t\t\treturn fmt.Errorf(\"expected container %s not found\", testContainerA.name)\n\t\t}\n\t\tbase.Cmd(\"ps\", \"--filter\", \"since=\"+id).AssertOutWithFunc(func(stdout string) error {\n\t\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\tif len(lines) < 2 {\n\t\t\t\treturn fmt.Errorf(\"expected at least 2 lines, got %d\", len(lines))\n\t\t\t}\n\n\t\t\ttab := tabutil.NewReader(\"CONTAINER ID\\tIMAGE\\tCOMMAND\\tCREATED\\tSTATUS\\tPORTS\\tNAMES\")\n\t\t\terr := tab.ParseHeader(lines[0])\n\t\t\tif err != nil {\n\t\t\t\treturn fmt.Errorf(\"failed to parse header: %v\", err)\n\t\t\t}\n\t\t\tfor idx, line := range lines {\n\t\t\t\tif idx == 0 {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tcontainerName, _ := tab.ReadRow(line, \"NAMES\")\n\t\t\t\tif containerName != testContainerB.name {\n\t\t\t\t\treturn fmt.Errorf(\"unexpected container %s found\", containerName)\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn nil\n\t\t})\n\t\treturn nil\n\t})\n\n\tfor _, testContainer := range []psTestContainer{testContainerA, testContainerB} {\n\t\tfor _, volume := range testContainer.volumes {\n\t\t\tbase.Cmd(\"ps\", \"--filter\", \"volume=\"+volume).AssertOutWithFunc(func(stdout string) error {\n\t\t\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\t\tif len(lines) < 2 {\n\t\t\t\t\treturn fmt.Errorf(\"expected at least 2 lines, got %d\", len(lines))\n\t\t\t\t}\n\n\t\t\t\ttab := tabutil.NewReader(\"CONTAINER ID\\tIMAGE\\tCOMMAND\\tCREATED\\tSTATUS\\tPORTS\\tNAMES\")\n\t\t\t\terr := tab.ParseHeader(lines[0])\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn fmt.Errorf(\"failed to parse header: %v\", err)\n\t\t\t\t}\n\t\t\t\tcontainerName, _ := tab.ReadRow(lines[1], \"NAMES\")\n\t\t\t\tassert.Equal(t, containerName, testContainer.name)\n\t\t\t\treturn nil\n\t\t\t})\n\t\t}\n\t}\n\n\tbase.Cmd(\"ps\", \"--filter\", \"network=\"+testContainerA.network).AssertOutWithFunc(func(stdout string) error {\n\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\tif len(lines) < 2 {\n\t\t\treturn fmt.Errorf(\"expected at least 2 lines, got %d\", len(lines))\n\t\t}\n\n\t\ttab := tabutil.NewReader(\"CONTAINER ID\\tIMAGE\\tCOMMAND\\tCREATED\\tSTATUS\\tPORTS\\tNAMES\")\n\t\terr := tab.ParseHeader(lines[0])\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to parse header: %v\", err)\n\t\t}\n\t\tcontainerName, _ := tab.ReadRow(lines[1], \"NAMES\")\n\t\tassert.Equal(t, containerName, testContainerA.name)\n\t\treturn nil\n\t})\n\n\tfor key, value := range testContainerB.labels {\n\t\tbase.Cmd(\"ps\", \"--filter\", \"label=\"+key+\"=\"+value).AssertOutWithFunc(func(stdout string) error {\n\t\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\tif len(lines) < 2 {\n\t\t\t\treturn fmt.Errorf(\"expected at least 2 lines, got %d\", len(lines))\n\t\t\t}\n\n\t\t\ttab := tabutil.NewReader(\"CONTAINER ID\\tIMAGE\\tCOMMAND\\tCREATED\\tSTATUS\\tPORTS\\tNAMES\")\n\t\t\terr := tab.ParseHeader(lines[0])\n\t\t\tif err != nil {\n\t\t\t\treturn fmt.Errorf(\"failed to parse header: %v\", err)\n\t\t\t}\n\t\t\tcontainerNames := map[string]struct{}{\n\t\t\t\ttestContainerB.name: {},\n\t\t\t}\n\t\t\tfor idx, line := range lines {\n\t\t\t\tif idx == 0 {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tcontainerName, _ := tab.ReadRow(line, \"NAMES\")\n\t\t\t\tif _, ok := containerNames[containerName]; !ok {\n\t\t\t\t\treturn fmt.Errorf(\"unexpected container %s found\", containerName)\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn nil\n\t\t})\n\t}\n\n\tbase.Cmd(\"ps\", \"-a\", \"--filter\", \"exited=1\").AssertOutWithFunc(func(stdout string) error {\n\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\tif len(lines) < 2 {\n\t\t\treturn fmt.Errorf(\"expected at least 2 lines, got %d\", len(lines))\n\t\t}\n\n\t\ttab := tabutil.NewReader(\"CONTAINER ID\\tIMAGE\\tCOMMAND\\tCREATED\\tSTATUS\\tPORTS\\tNAMES\")\n\t\terr := tab.ParseHeader(lines[0])\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to parse header: %v\", err)\n\t\t}\n\t\tcontainerNames := map[string]struct{}{\n\t\t\ttestContainerC.name: {},\n\t\t}\n\t\tfor idx, line := range lines {\n\t\t\tif idx == 0 {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tcontainerName, _ := tab.ReadRow(line, \"NAMES\")\n\t\t\tif _, ok := containerNames[containerName]; !ok {\n\t\t\t\treturn fmt.Errorf(\"unexpected container %s found\", containerName)\n\t\t\t}\n\t\t}\n\t\treturn nil\n\t})\n\n\tbase.Cmd(\"ps\", \"-a\", \"--filter\", \"status=exited\").AssertOutWithFunc(func(stdout string) error {\n\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\tif len(lines) < 2 {\n\t\t\treturn fmt.Errorf(\"expected at least 2 lines, got %d\", len(lines))\n\t\t}\n\n\t\ttab := tabutil.NewReader(\"CONTAINER ID\\tIMAGE\\tCOMMAND\\tCREATED\\tSTATUS\\tPORTS\\tNAMES\")\n\t\terr := tab.ParseHeader(lines[0])\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to parse header: %v\", err)\n\t\t}\n\t\tcontainerNames := map[string]struct{}{\n\t\t\ttestContainerC.name: {},\n\t\t}\n\t\tfor idx, line := range lines {\n\t\t\tif idx == 0 {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tcontainerName, _ := tab.ReadRow(line, \"NAMES\")\n\t\t\tif _, ok := containerNames[containerName]; !ok {\n\t\t\t\treturn fmt.Errorf(\"unexpected container %s found\", containerName)\n\t\t\t}\n\t\t}\n\t\treturn nil\n\t})\n\n\t// filter container state without option \"-a\".\n\tbase.Cmd(\"ps\", \"--filter\", \"status=exited\").AssertOutWithFunc(func(stdout string) error {\n\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\tif len(lines) < 2 {\n\t\t\treturn fmt.Errorf(\"expected at least 2 lines, got %d\", len(lines))\n\t\t}\n\n\t\ttab := tabutil.NewReader(\"CONTAINER ID\\tIMAGE\\tCOMMAND\\tCREATED\\tSTATUS\\tPORTS\\tNAMES\")\n\t\terr := tab.ParseHeader(lines[0])\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to parse header: %v\", err)\n\t\t}\n\t\tcontainerNames := map[string]struct{}{\n\t\t\ttestContainerC.name: {},\n\t\t}\n\t\tfor idx, line := range lines {\n\t\t\tif idx == 0 {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tcontainerName, _ := tab.ReadRow(line, \"NAMES\")\n\t\t\tif _, ok := containerNames[containerName]; !ok {\n\t\t\t\treturn fmt.Errorf(\"unexpected container %s found\", containerName)\n\t\t\t}\n\t\t}\n\t\treturn nil\n\t})\n}\n\nfunc TestContainerListCheckCreatedTime(t *testing.T) {\n\tbase, _ := preparePsTestContainer(t, \"checkCreatedTimeA\", true)\n\tpreparePsTestContainer(t, \"checkCreatedTimeB\", true)\n\tpreparePsTestContainer(t, \"checkCreatedTimeC\", false)\n\tpreparePsTestContainer(t, \"checkCreatedTimeD\", false)\n\n\tvar createdTimes []string\n\n\tbase.Cmd(\"ps\", \"--format\", \"'{{json .CreatedAt}}'\", \"-a\").AssertOutWithFunc(func(stdout string) error {\n\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\tif len(lines) < 4 {\n\t\t\treturn fmt.Errorf(\"expected at least 4 lines, got %d\", len(lines))\n\t\t}\n\t\tcreatedTimes = append(createdTimes, lines...)\n\t\treturn nil\n\t})\n\n\tslices.Reverse(createdTimes)\n\tif !slices.IsSorted(createdTimes) {\n\t\tt.Errorf(\"expected containers in decending order\")\n\t}\n}\n\nfunc TestContainerListStatusFilter(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"create\", \"--name\", data.Identifier(\"container\"), testutil.CommonImage, \"echo\", \"foo\")\n\t\tdata.Labels().Set(\"cID\", data.Identifier(\"container\"))\n\t}\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"container\"))\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t// TODO: Refactor other filter tests\n\t\t{\n\t\t\tDescription: \"ps filter with status=created\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"ps\", \"-a\", \"--filter\", \"status=created\", \"--filter\", fmt.Sprintf(\"name=%s\", data.Labels().Get(\"cID\")))\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tassert.Assert(t, strings.Contains(stdout, data.Labels().Get(\"cID\")), \"No container found with status created\")\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_list_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"fmt\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\n// https://github.com/containerd/nerdctl/issues/2598\nfunc TestContainerListWithFormatLabel(t *testing.T) {\n\tnerdtest.Setup()\n\ttestCase := &test.Case{\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tlabelK := \"label-key-\" + data.Identifier()\n\t\t\tlabelV := \"label-value-\" + data.Identifier()\n\t\t\thelpers.Ensure(\"run\", \"-d\",\n\t\t\t\t\"--name\", data.Identifier(),\n\t\t\t\t\"--label\", labelK+\"=\"+labelV,\n\t\t\t\ttestutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t},\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\tlabelK := \"label-key-\" + data.Identifier()\n\t\t\treturn helpers.Command(\"ps\", \"-a\",\n\t\t\t\t\"--filter\", \"label=\"+labelK,\n\t\t\t\t\"--format\", fmt.Sprintf(\"{{.Label %q}}\", labelK)) //nolint:dupামিটার\n\t\t},\n\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\tlabelV := \"label-value-\" + data.Identifier()\n\t\t\treturn test.Expects(0, nil, expect.Equals(labelV+\"\\n\"))(data, helpers)\n\t\t},\n\t}\n\ttestCase.Run(t)\n}\n\nfunc TestContainerListWithJsonFormatLabel(t *testing.T) {\n\tnerdtest.Setup()\n\ttestCase := &test.Case{\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tlabelK := \"label-key-\" + data.Identifier()\n\t\t\tlabelV := \"label-value-\" + data.Identifier()\n\t\t\thelpers.Ensure(\"run\", \"-d\",\n\t\t\t\t\"--name\", data.Identifier(),\n\t\t\t\t\"--label\", labelK+\"=\"+labelV,\n\t\t\t\ttestutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t},\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\tlabelK := \"label-key-\" + data.Identifier()\n\t\t\treturn helpers.Command(\"ps\", \"-a\",\n\t\t\t\t\"--filter\", \"label=\"+labelK,\n\t\t\t\t\"--format\", \"json\")\n\t\t},\n\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\tlabelK := \"label-key-\" + data.Identifier()\n\t\t\tlabelV := \"label-value-\" + data.Identifier()\n\t\t\treturn test.Expects(0, nil, expect.Contains(fmt.Sprintf(\"%s=%s\", labelK, labelV)))(data, helpers)\n\t\t},\n\t}\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_list_windows_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"fmt\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/formatter\"\n\t\"github.com/containerd/nerdctl/v2/pkg/strutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/tabutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n)\n\ntype psTestContainer struct {\n\tname string\n\tlabels map[string]string\n\tnetwork string\n}\n\nfunc preparePsTestContainer(t *testing.T, identity string, restart bool, hyperv bool) (*testutil.Base, psTestContainer) {\n\tbase := testutil.NewBase(t)\n\n\tbase.Cmd(\"pull\", \"--quiet\", testutil.NginxAlpineImage).AssertOK()\n\n\ttestContainerName := testutil.Identifier(t) + identity\n\tt.Cleanup(func() {\n\t\tbase.Cmd(\"rm\", \"-f\", testContainerName).AssertOK()\n\t})\n\n\t// A container can have multiple labels.\n\t// Therefore, this test container has multiple labels to check it.\n\ttestLabels := make(map[string]string)\n\tkeys := []string{\n\t\ttestutil.Identifier(t) + identity,\n\t\ttestutil.Identifier(t) + identity,\n\t}\n\t// fill the value of testLabels\n\tfor _, k := range keys {\n\t\ttestLabels[k] = k\n\t}\n\n\targs := []string{\n\t\t\"run\",\n\t\t\"-d\",\n\t\t\"--name\",\n\t\ttestContainerName,\n\t\t\"--label\",\n\t\tformatter.FormatLabels(testLabels),\n\t\ttestutil.NginxAlpineImage,\n\t}\n\tif !restart {\n\t\targs = append(args, \"--restart=no\")\n\t}\n\tif hyperv {\n\t\targs = append(args[:3], args[1:]...)\n\t\targs[1], args[2] = \"--isolation\", \"hyperv\"\n\t}\n\n\tbase.Cmd(args...).AssertOK()\n\tif restart {\n\t\tbase.EnsureContainerStarted(testContainerName)\n\t}\n\n\treturn base, psTestContainer{\n\t\tname: testContainerName,\n\t\tlabels: testLabels,\n\t\tnetwork: testContainerName,\n\t}\n}\n\nfunc TestListProcessContainer(t *testing.T) {\n\tbase, testContainer := preparePsTestContainer(t, \"list\", true, false)\n\n\t// hope there are no tests running parallel\n\tbase.Cmd(\"ps\", \"-n\", \"1\", \"-s\").AssertOutWithFunc(func(stdout string) error {\n\t\t// An example of nerdctl/docker ps -n 1 -s\n\t\t// CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES SIZE\n\t\t// be8d386c991e docker.io/library/busybox:latest \"top\" 1 second ago Up c1 16.0 KiB (virtual 1.3 MiB)\n\n\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\tif len(lines) < 2 {\n\t\t\treturn fmt.Errorf(\"expected at least 2 lines, got %d\", len(lines))\n\t\t}\n\n\t\ttab := tabutil.NewReader(\"CONTAINER ID\\tIMAGE\\tCOMMAND\\tCREATED\\tSTATUS\\tPORTS\\tNAMES\\tSIZE\")\n\t\terr := tab.ParseHeader(lines[0])\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to parse header: %v\", err)\n\t\t}\n\n\t\tcontainer, _ := tab.ReadRow(lines[1], \"NAMES\")\n\t\tassert.Equal(t, container, testContainer.name)\n\n\t\timage, _ := tab.ReadRow(lines[1], \"IMAGE\")\n\t\tassert.Equal(t, image, testutil.NginxAlpineImage)\n\n\t\tsize, _ := tab.ReadRow(lines[1], \"SIZE\")\n\n\t\t// there is some difference between nerdctl and docker in calculating the size of the container\n\t\texpectedSize := \"36.0 MiB (virtual \"\n\n\t\tif !strings.Contains(size, expectedSize) {\n\t\t\treturn fmt.Errorf(\"expect container size %s, but got %s\", expectedSize, size)\n\t\t}\n\n\t\treturn nil\n\t})\n}\n\nfunc TestListHyperVContainer(t *testing.T) {\n\tif !testutil.HyperVSupported() {\n\t\tt.Skip(\"HyperV is not enabled, skipping test\")\n\t}\n\n\tbase, testContainer := preparePsTestContainer(t, \"list\", true, true)\n\tinspect := base.InspectContainer(testContainer.name)\n\t//check with HCS if the container is ineed a VM\n\tisHypervContainer, err := testutil.HyperVContainer(inspect)\n\tif err != nil {\n\t\tt.Fatalf(\"unable to list HCS containers: %s\", err)\n\t}\n\tassert.Assert(t, isHypervContainer, true)\n\n\t// hope there are no tests running parallel\n\tbase.Cmd(\"ps\", \"-n\", \"1\", \"-s\").AssertOutWithFunc(func(stdout string) error {\n\t\t// An example of nerdctl/docker ps -n 1 -s\n\t\t// CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES SIZE\n\t\t// be8d386c991e docker.io/library/busybox:latest \"top\" 1 second ago Up c1 16.0 KiB (virtual 1.3 MiB)\n\n\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\tif len(lines) < 2 {\n\t\t\treturn fmt.Errorf(\"expected at least 2 lines, got %d\", len(lines))\n\t\t}\n\n\t\ttab := tabutil.NewReader(\"CONTAINER ID\\tIMAGE\\tCOMMAND\\tCREATED\\tSTATUS\\tPORTS\\tNAMES\\tSIZE\")\n\t\terr := tab.ParseHeader(lines[0])\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to parse header: %v\", err)\n\t\t}\n\n\t\tcontainer, _ := tab.ReadRow(lines[1], \"NAMES\")\n\t\tassert.Equal(t, container, testContainer.name)\n\n\t\timage, _ := tab.ReadRow(lines[1], \"IMAGE\")\n\t\tassert.Equal(t, image, testutil.NginxAlpineImage)\n\n\t\tsize, _ := tab.ReadRow(lines[1], \"SIZE\")\n\n\t\t// there is some difference between nerdctl and docker in calculating the size of the container\n\t\texpectedSize := \"72.0 MiB (virtual \"\n\n\t\tif !strings.Contains(size, expectedSize) {\n\t\t\treturn fmt.Errorf(\"expect container size %s, but got %s\", expectedSize, size)\n\t\t}\n\n\t\treturn nil\n\t})\n}\n\nfunc TestListProcessContainerWideMode(t *testing.T) {\n\ttestutil.DockerIncompatible(t)\n\tbase, testContainer := preparePsTestContainer(t, \"listWithMode\", true, false)\n\n\t// hope there are no tests running parallel\n\tbase.Cmd(\"ps\", \"-n\", \"1\", \"--format\", \"wide\").AssertOutWithFunc(func(stdout string) error {\n\n\t\t// An example of nerdctl ps --format wide\n\t\t// CONTAINER ID IMAGE PLATFORM COMMAND CREATED STATUS PORTS NAMES RUNTIME SIZE\n\t\t// 17181f208b61 docker.io/library/busybox:latest linux/amd64 \"top\" About an hour ago Up busybox-17181 io.containerd.runc.v2 16.0 KiB (virtual 1.3 MiB)\n\n\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\tif len(lines) < 2 {\n\t\t\treturn fmt.Errorf(\"expected at least 2 lines, got %d\", len(lines))\n\t\t}\n\n\t\ttab := tabutil.NewReader(\"CONTAINER ID\\tIMAGE\\tCOMMAND\\tCREATED\\tSTATUS\\tPORTS\\tNAMES\\tRUNTIME\\tPLATFORM\\tSIZE\")\n\t\terr := tab.ParseHeader(lines[0])\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to parse header: %v\", err)\n\t\t}\n\n\t\tcontainer, _ := tab.ReadRow(lines[1], \"NAMES\")\n\t\tassert.Equal(t, container, testContainer.name)\n\n\t\timage, _ := tab.ReadRow(lines[1], \"IMAGE\")\n\t\tassert.Equal(t, image, testutil.NginxAlpineImage)\n\n\t\truntime, _ := tab.ReadRow(lines[1], \"RUNTIME\")\n\t\tassert.Equal(t, runtime, \"io.containerd.runhcs.v1\")\n\n\t\tsize, _ := tab.ReadRow(lines[1], \"SIZE\")\n\t\texpectedSize := \"36.0 MiB (virtual \"\n\t\tif !strings.Contains(size, expectedSize) {\n\t\t\treturn fmt.Errorf(\"expect container size %s, but got %s\", expectedSize, size)\n\t\t}\n\t\treturn nil\n\t})\n}\n\nfunc TestListProcessContainerWithLabels(t *testing.T) {\n\tbase, testContainer := preparePsTestContainer(t, \"listWithLabels\", true, false)\n\n\t// hope there are no tests running parallel\n\tbase.Cmd(\"ps\", \"-n\", \"1\", \"--format\", \"{{.Labels}}\").AssertOutWithFunc(func(stdout string) error {\n\n\t\t// An example of nerdctl ps --format \"{{.Labels}}\"\n\t\t// key1=value1,key2=value2,key3=value3\n\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\tif len(lines) != 1 {\n\t\t\treturn fmt.Errorf(\"expected 1 line, got %d\", len(lines))\n\t\t}\n\n\t\t// check labels using map\n\t\t// 1. the results has no guarantee to show the same order.\n\t\t// 2. the results has no guarantee to show only configured labels.\n\t\tlabelsMap, err := strutil.ParseCSVMap(lines[0])\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to parse labels: %v\", err)\n\t\t}\n\n\t\tfor i := range testContainer.labels {\n\t\t\tif value, ok := labelsMap[i]; ok {\n\t\t\t\tassert.Equal(t, value, testContainer.labels[i])\n\t\t\t}\n\t\t}\n\t\treturn nil\n\t})\n}\n" }, { "path": "cmd/nerdctl/container/container_logs.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"fmt\"\n\t\"strconv\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n)\n\nfunc LogsCommand() *cobra.Command {\n\tconst shortUsage = \"Fetch the logs of a container. Expected to be used with 'nerdctl run -d'.\"\n\tconst longUsage = `Fetch the logs of a container.\n\nThe following containers are supported:\n- Containers created with 'nerdctl run -d'. The log is currently empty for containers created without '-d'.\n- Containers created with 'nerdctl compose'.\n- Containers created with Kubernetes (EXPERIMENTAL).\n`\n\tvar cmd = &cobra.Command{\n\t\tUse: \"logs [flags] CONTAINER\",\n\t\tArgs: helpers.IsExactArgs(1),\n\t\tShort: shortUsage,\n\t\tLong: longUsage,\n\t\tRunE: logsAction,\n\t\tValidArgsFunction: logsShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().BoolP(\"follow\", \"f\", false, \"Follow log output\")\n\tcmd.Flags().BoolP(\"timestamps\", \"t\", false, \"Show timestamps\")\n\tcmd.Flags().StringP(\"tail\", \"n\", \"all\", \"Number of lines to show from the end of the logs\")\n\tcmd.Flags().String(\"since\", \"\", \"Show logs since timestamp (e.g. 2013-01-02T13:23:37Z) or relative (e.g. 42m for 42 minutes)\")\n\tcmd.Flags().String(\"until\", \"\", \"Show logs before a timestamp (e.g. 2013-01-02T13:23:37Z) or relative (e.g. 42m for 42 minutes)\")\n\tcmd.Flags().Bool(\"details\", false, \"Show extra details provided to logs\")\n\treturn cmd\n}\n\nfunc logsOptions(cmd *cobra.Command) (types.ContainerLogsOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ContainerLogsOptions{}, err\n\t}\n\tfollow, err := cmd.Flags().GetBool(\"follow\")\n\tif err != nil {\n\t\treturn types.ContainerLogsOptions{}, err\n\t}\n\ttailArg, err := cmd.Flags().GetString(\"tail\")\n\tif err != nil {\n\t\treturn types.ContainerLogsOptions{}, err\n\t}\n\tvar tail uint\n\tif tailArg != \"\" {\n\t\ttail, err = getTailArgAsUint(tailArg)\n\t\tif err != nil {\n\t\t\treturn types.ContainerLogsOptions{}, err\n\t\t}\n\t}\n\ttimestamps, err := cmd.Flags().GetBool(\"timestamps\")\n\tif err != nil {\n\t\treturn types.ContainerLogsOptions{}, err\n\t}\n\tsince, err := cmd.Flags().GetString(\"since\")\n\tif err != nil {\n\t\treturn types.ContainerLogsOptions{}, err\n\t}\n\tuntil, err := cmd.Flags().GetString(\"until\")\n\tif err != nil {\n\t\treturn types.ContainerLogsOptions{}, err\n\t}\n\tdetails, err := cmd.Flags().GetBool(\"details\")\n\tif err != nil {\n\t\treturn types.ContainerLogsOptions{}, err\n\t}\n\treturn types.ContainerLogsOptions{\n\t\tStdout: cmd.OutOrStdout(),\n\t\tStderr: cmd.OutOrStderr(),\n\t\tGOptions: globalOptions,\n\t\tFollow: follow,\n\t\tTimestamps: timestamps,\n\t\tTail: tail,\n\t\tSince: since,\n\t\tUntil: until,\n\t\tDetails: details,\n\t}, nil\n}\n\nfunc logsAction(cmd *cobra.Command, args []string) error {\n\toptions, err := logsOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn container.Logs(ctx, client, args[0], options)\n}\n\nfunc logsShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t// show container names (TODO: only show containers with logs)\n\treturn completion.ContainerNames(cmd, nil)\n}\n\n// Attempts to parse the argument given to `-n/--tail` as a uint.\nfunc getTailArgAsUint(arg string) (uint, error) {\n\tif arg == \"all\" {\n\t\treturn 0, nil\n\t}\n\tnum, err := strconv.Atoi(arg)\n\tif err != nil {\n\t\treturn 0, fmt.Errorf(\"failed to parse `-n/--tail` argument %q: %w\", arg, err)\n\t}\n\tif num < 0 {\n\t\treturn 0, fmt.Errorf(\"`-n/--tail` argument must be positive, got: %d\", num)\n\t}\n\treturn uint(num), nil\n}\n" }, { "path": "cmd/nerdctl/container/container_logs_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"regexp\"\n\t\"runtime\"\n\t\"strconv\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestLogs(t *testing.T) {\n\tconst expected = `foo\nbar\n`\n\n\ttestCase := nerdtest.Setup()\n\n\tif runtime.GOOS == \"windows\" {\n\t\ttestCase.Require = nerdtest.NerdctlNeedsFixing(\"https://github.com/containerd/nerdctl/issues/4237\")\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"run\", \"--quiet\", \"--name\", data.Identifier(), testutil.CommonImage, \"sh\", \"-euxc\", \"echo foo; echo bar;\")\n\t\tdata.Labels().Set(\"cID\", data.Identifier())\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"since 1s\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t// Ensure at least 2 seconds have elapsed since the container ran,\n\t\t\t\t// so that --since 1s does not include the container's output.\n\t\t\t\ttime.Sleep(2 * time.Second)\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"logs\", \"--since\", \"1s\", data.Labels().Get(\"cID\"))\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.DoesNotContain(expected)),\n\t\t},\n\t\t{\n\t\t\tDescription: \"since 60s\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"logs\", \"--since\", \"60s\", data.Labels().Get(\"cID\"))\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(expected)),\n\t\t},\n\t\t{\n\t\t\tDescription: \"until 60s\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"logs\", \"--until\", \"60s\", data.Labels().Get(\"cID\"))\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.DoesNotContain(expected)),\n\t\t},\n\t\t{\n\t\t\tDescription: \"until 1s\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t// Ensure at least 2 seconds have elapsed since the container ran,\n\t\t\t\t// so that --until 1s includes the container's output.\n\t\t\t\ttime.Sleep(2 * time.Second)\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"logs\", \"--until\", \"1s\", data.Labels().Get(\"cID\"))\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(expected)),\n\t\t},\n\t\t{\n\t\t\tDescription: \"follow\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"logs\", \"-f\", data.Labels().Get(\"cID\"))\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(expected)),\n\t\t},\n\t\t{\n\t\t\tDescription: \"timestamp\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"logs\", \"-t\", data.Labels().Get(\"cID\"))\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(time.Now().UTC().Format(\"2006-01-02\"))),\n\t\t},\n\t\t{\n\t\t\tDescription: \"tail flag\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"logs\", \"-n\", \"all\", data.Labels().Get(\"cID\"))\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(expected)),\n\t\t},\n\t\t{\n\t\t\tDescription: \"tail flag\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"logs\", \"-n\", \"1\", data.Labels().Get(\"cID\"))\n\t\t\t},\n\t\t\t// FIXME: why?\n\t\t\tExpected: test.Expects(0, nil, expect.Match(regexp.MustCompile(\"^(?:bar\\n|)$\"))),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\n// Tests whether `nerdctl logs` properly separates stdout/stderr output\n// streams for containers using the jsonfile logging driver:\nfunc TestLogsOutStreamsSeparated(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\tif runtime.GOOS == \"windows\" {\n\t\t// Logging seems broken on windows.\n\t\ttestCase.Require = nerdtest.NerdctlNeedsFixing(\"https://github.com/containerd/nerdctl/issues/4237\")\n\t}\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"run\", \"--name\", data.Identifier(), testutil.CommonImage,\n\t\t\t\"sh\", \"-euc\", \"echo stdout1; echo stderr1 >&2; echo stdout2; echo stderr2 >&2\")\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"logs\", data.Identifier())\n\t}\n\n\ttestCase.Expected = test.Expects(expect.ExitCodeSuccess, []error{\n\t\t//revive:disable:error-strings\n\t\terrors.New(\"stderr1\\nstderr2\\n\"),\n\t}, expect.Equals(\"stdout1\\nstdout2\\n\"))\n\n\ttestCase.Run(t)\n}\n\nfunc TestLogsWithInheritedFlags(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = require.Not(nerdtest.Docker)\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"-n=\"+testutil.Namespace, \"run\", \"--name\", data.Identifier(), testutil.CommonImage,\n\t\t\t\"sh\", \"-euxc\", \"echo foo; echo bar\")\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"-n=\"+testutil.Namespace, \"logs\", \"-n\", \"1\", data.Identifier())\n\t}\n\n\t// FIXME: why?\n\ttestCase.Expected = test.Expects(0, nil, expect.Match(regexp.MustCompile(\"^(?:bar\\n|)$\")))\n\n\ttestCase.Run(t)\n}\n\nfunc TestLogsOfJournaldDriver(t *testing.T) {\n\tconst expected = `foo\nbar\n`\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = require.All(\n\t\trequire.Binary(\"journalctl\"),\n\t\t&test.Requirement{\n\t\t\tCheck: func(data test.Data, helpers test.Helpers) (bool, string) {\n\t\t\t\tworks := false\n\t\t\t\tcmd := helpers.Custom(\"journalctl\", \"-xe\")\n\t\t\t\tcmd.Run(&test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeNoCheck,\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tif stdout != \"\" {\n\t\t\t\t\t\t\tworks = true\n\t\t\t\t\t\t}\n\t\t\t\t\t},\n\t\t\t\t})\n\t\t\t\treturn works, \"Journactl to return data for the current user\"\n\t\t\t},\n\t\t},\n\t)\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"run\", \"--network\", \"none\", \"--log-driver\", \"journald\", \"--name\", data.Identifier(), testutil.CommonImage,\n\t\t\t\"sh\", \"-euxc\", \"echo foo; echo bar\")\n\t\tdata.Labels().Set(\"cID\", data.Identifier())\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"logs\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"logs\", data.Labels().Get(\"cID\"))\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(expected)),\n\t\t},\n\t\t{\n\t\t\tDescription: \"logs --since 60s\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"logs\", \"--since\", \"60s\", data.Labels().Get(\"cID\"))\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.DoesNotContain(\"foo\", \"bar\")),\n\t\t},\n\t}\n}\n\nfunc TestLogsWithFailingContainer(t *testing.T) {\n\tconst expected = `foo\nbar\n`\n\n\ttestCase := nerdtest.Setup()\n\n\tif runtime.GOOS == \"windows\" {\n\t\t// Logging seems broken on windows.\n\t\ttestCase.Require = nerdtest.NerdctlNeedsFixing(\"https://github.com/containerd/nerdctl/issues/4237\")\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"run\", \"--name\", data.Identifier(), testutil.CommonImage, \"sh\", \"-euxc\", \"echo foo; echo bar; exit 42; echo baz\")\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"logs\", data.Identifier())\n\t}\n\n\ttestCase.Expected = test.Expects(0, nil, expect.Equals(expected))\n\n\ttestCase.Run(t)\n}\n\nfunc TestLogsWithRunningContainer(t *testing.T) {\n\texpected := make([]string, 10)\n\tfor i := 0; i < 10; i++ {\n\t\texpected[i] = fmt.Sprint(i + 1)\n\t}\n\n\ttestCase := nerdtest.Setup()\n\n\tif runtime.GOOS == \"windows\" {\n\t\t// Logging seems broken on windows.\n\t\ttestCase.Require = nerdtest.NerdctlNeedsFixing(\"https://github.com/containerd/nerdctl/issues/4237\")\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"run\", \"--name\", data.Identifier(), testutil.CommonImage, \"sh\", \"-euc\", \"for i in `seq 1 10`; do echo $i; sleep 1; done\")\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"logs\", data.Identifier())\n\t}\n\n\ttestCase.Expected = test.Expects(0, nil, expect.Contains(expected[0], expected[1:]...))\n\n\ttestCase.Run(t)\n}\n\nfunc TestLogsWithoutNewlineOrEOF(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\t// FIXME: test does not work on Windows yet because containerd doesn't send an exit event appropriately after task exit on Windows\")\n\t// FIXME: nerdctl behavior does not match docker - test disabled for nerdctl until we fix\n\ttestCase.Require = require.All(\n\t\trequire.Linux,\n\t)\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"run\", \"--name\", data.Identifier(), testutil.CommonImage, \"printf\", \"'Hello World!\\nThere is no newline'\")\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"logs\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Expected = test.Expects(0, nil, expect.Equals(\"'Hello World!\\nThere is no newline'\"))\n\n\ttestCase.Run(t)\n}\n\nfunc TestLogsAfterRestartingContainer(t *testing.T) {\n\tif runtime.GOOS != \"linux\" {\n\t\tt.Skip(\"FIXME: test does not work on Windows yet. Restarting a container fails with: failed to create shim task: hcs::CreateComputeSystem : The requested operation for attach namespace failed.: unknown\")\n\t}\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"run\", \"--name\", data.Identifier(), testutil.CommonImage,\n\t\t\t\"printf\", \"'Hello World!\\nThere is no newline'\")\n\t\tdata.Labels().Set(\"cID\", data.Identifier())\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"logs -f works\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"logs\", \"-f\", data.Labels().Get(\"cID\"))\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(\"'Hello World!\\nThere is no newline'\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"logs -f works after restart\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"start\", data.Labels().Get(\"cID\"))\n\t\t\t\t// FIXME: this is inherently flaky\n\t\t\t\ttime.Sleep(5 * time.Second)\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"logs\", \"-f\", data.Labels().Get(\"cID\"))\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(\"'Hello World!\\nThere is no newline''Hello World!\\nThere is no newline'\")),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestLogsWithForegroundContainers(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\t// dual logging is not supported on Windows\n\ttestCase.Require = require.Not(require.Windows)\n\n\ttestCase.Run(t)\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"foreground\",\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"--name\", data.Identifier(), testutil.CommonImage, \"sh\", \"-euxc\", \"echo foo; echo bar\")\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"logs\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(\"foo\\nbar\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"interactive\",\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-i\", \"--name\", data.Identifier(), testutil.CommonImage, \"sh\", \"-euxc\", \"echo foo; echo bar\")\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"logs\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(\"foo\\nbar\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"PTY\",\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tcmd := helpers.Command(\"run\", \"-t\", \"--name\", data.Identifier(), testutil.CommonImage, \"sh\", \"-euxc\", \"echo foo; echo bar\")\n\t\t\t\tcmd.WithPseudoTTY()\n\t\t\t\tcmd.Run(&test.Expected{ExitCode: 0})\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"logs\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(\"foo\\nbar\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"interactivePTY\",\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tcmd := helpers.Command(\"run\", \"-i\", \"-t\", \"--name\", data.Identifier(), testutil.CommonImage, \"sh\", \"-euxc\", \"echo foo; echo bar\")\n\t\t\t\tcmd.WithPseudoTTY()\n\t\t\t\tcmd.Run(&test.Expected{ExitCode: 0})\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"logs\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(\"foo\\nbar\\n\")),\n\t\t},\n\t}\n}\n\nfunc TestLogsTailFollowRotate(t *testing.T) {\n\t// FIXME this is flaky by nature... the number of lines is arbitrary, the wait is arbitrary,\n\t// and both are some sort of educated guess that things will mostly always kinda work maybe...\n\tconst sampleJSONLog = `{\"log\":\"A\\n\",\"stream\":\"stdout\",\"time\":\"2024-04-11T12:01:09.800288974Z\"}`\n\tconst linesPerFile = 200\n\n\ttestCase := nerdtest.Setup()\n\n\t// tail log is not supported on Windows\n\ttestCase.Require = require.Not(require.Windows)\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"run\", \"-d\", \"--log-driver\", \"json-file\",\n\t\t\t\"--log-opt\", fmt.Sprintf(\"max-size=%d\", len(sampleJSONLog)*linesPerFile),\n\t\t\t\"--log-opt\", \"max-file=10\",\n\t\t\t\"--name\", data.Identifier(), testutil.CommonImage,\n\t\t\t\"sh\", \"-euc\", \"while true; do echo A; usleep 100; done\")\n\t\t// FIXME: ... inherently racy...\n\t\ttime.Sleep(5 * time.Second)\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\tcmd := helpers.Command(\"logs\", \"-f\", data.Identifier())\n\t\t// FIXME: this is flaky by nature. We assume that the container has started and will output enough in 5 seconds.\n\t\tcmd.WithTimeout(5 * time.Second)\n\t\treturn cmd\n\t}\n\n\ttestCase.Expected = test.Expects(expect.ExitCodeTimeout, nil, func(stdout string, t tig.T) {\n\t\ttailLogs := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\tfor _, line := range tailLogs {\n\t\t\tif line != \"\" {\n\t\t\t\tassert.Equal(t, \"A\", line)\n\t\t\t}\n\t\t}\n\n\t\tassert.Assert(t, len(tailLogs) > linesPerFile, fmt.Sprintf(\"expected %d lines or more, found %d\", linesPerFile, len(tailLogs)))\n\t})\n\n\ttestCase.Run(t)\n}\n\nfunc TestLogsNoneLoggerHasNoLogURI(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"run\", \"--name\", data.Identifier(), \"--log-driver\", \"none\", testutil.CommonImage, \"sh\", \"-euxc\", \"echo foo\")\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"logs\", data.Identifier())\n\t}\n\n\ttestCase.Expected = test.Expects(1, nil, nil)\n\n\ttestCase.Run(t)\n}\n\nfunc TestLogsWithDetails(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\t// FIXME: this is not working on windows. There is some deep issue with windows logs:\n\t// https://github.com/containerd/nerdctl/issues/4237\n\tif runtime.GOOS == \"windows\" {\n\t\ttestCase.Require = nerdtest.NerdctlNeedsFixing(\"https://github.com/containerd/nerdctl/issues/4237\")\n\t}\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"run\", \"--log-driver\", \"json-file\",\n\t\t\t\"--log-opt\", \"max-size=10m\",\n\t\t\t\"--log-opt\", \"max-file=3\",\n\t\t\t\"--log-opt\", \"env=ENV\",\n\t\t\t\"--env\", \"ENV=foo\",\n\t\t\t\"--log-opt\", \"labels=LABEL\",\n\t\t\t\"--label\", \"LABEL=bar\",\n\t\t\t\"--name\", data.Identifier(), testutil.CommonImage,\n\t\t\t\"sh\", \"-ec\", \"echo baz\")\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"logs\", \"--details\", data.Identifier())\n\t}\n\n\ttestCase.Expected = test.Expects(0, nil, expect.Contains(\"ENV=foo\", \"LABEL=bar\", \"baz\"))\n\n\ttestCase.Run(t)\n}\n\nfunc TestLogsFollowNoExtraneousLineFeed(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\t// This test verifies that `nerdctl logs -f` does not add extraneous line feeds\n\ttestCase.Require = require.Not(require.Windows)\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\t// Create a container that outputs a message without a trailing newline\n\t\thelpers.Ensure(\"run\", \"--name\", data.Identifier(), testutil.CommonImage,\n\t\t\t\"sh\", \"-c\", \"printf 'Hello without newline'\")\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t// Use logs -f to follow the logs\n\t\treturn helpers.Command(\"logs\", \"-f\", data.Identifier())\n\t}\n\n\t// Verify that the output is exactly \"Hello without newline\" without any additional line feeds\n\ttestCase.Expected = test.Expects(0, nil, expect.Equals(\"Hello without newline\"))\n\n\ttestCase.Run(t)\n}\n\nfunc TestLogsWithStartContainer(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\t// Windows does not support dual logging.\n\ttestCase.Require = require.Not(require.Windows)\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"Test logs are directed correctly for container start of a interactive container\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tcmd := helpers.Command(\"run\", \"-it\", \"--name\", data.Identifier(), testutil.CommonImage)\n\t\t\t\tcmd.WithPseudoTTY()\n\t\t\t\tcmd.Feed(strings.NewReader(\"echo foo\\nexit\\n\"))\n\t\t\t\tcmd.Run(&test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t})\n\n\t\t\t\tcmd = helpers.Command(\"start\", \"-ia\", data.Identifier())\n\t\t\t\tcmd.WithPseudoTTY()\n\t\t\t\tcmd.Feed(strings.NewReader(\"echo bar\\nexit\\n\"))\n\t\t\t\tcmd.Run(&test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t})\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"logs\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"foo\", \"bar\")),\n\t\t},\n\t\t{\n\t\t\t// FIXME: is this test safe or could it be racy?\n\t\t\tDescription: \"Test logs are captured after stopping and starting a non-interactive container and continue capturing new logs\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(), testutil.CommonImage, \"sh\", \"-c\", \"while true; do echo foo; sleep 1; done\")\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\thelpers.Ensure(\"stop\", data.Identifier())\n\t\t\t\tinitialLogs := helpers.Capture(\"logs\", data.Identifier())\n\t\t\t\tinitialFooCount := strings.Count(initialLogs, \"foo\")\n\t\t\t\tdata.Labels().Set(\"initialFooCount\", strconv.Itoa(initialFooCount))\n\t\t\t\thelpers.Ensure(\"start\", data.Identifier())\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t\treturn helpers.Command(\"logs\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tfinalLogsCount := strings.Count(stdout, \"foo\")\n\t\t\t\t\t\tinitialFooCount, _ := strconv.Atoi(data.Labels().Get(\"initialFooCount\"))\n\t\t\t\t\t\tassert.Assert(t, finalLogsCount > initialFooCount, \"Expected 'foo' count to increase after restart\")\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_pause.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\tcontainerd \"github.com/containerd/containerd/v2/client\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n)\n\nfunc PauseCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"pause [flags] CONTAINER [CONTAINER, ...]\",\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tShort: \"Pause all processes within one or more containers\",\n\t\tRunE: pauseAction,\n\t\tValidArgsFunction: pauseShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\treturn cmd\n}\n\nfunc pauseOptions(cmd *cobra.Command) (types.ContainerPauseOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ContainerPauseOptions{}, err\n\t}\n\treturn types.ContainerPauseOptions{\n\t\tGOptions: globalOptions,\n\t\tStdout: cmd.OutOrStdout(),\n\t}, nil\n}\n\nfunc pauseAction(cmd *cobra.Command, args []string) error {\n\toptions, err := pauseOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn container.Pause(ctx, client, args, options)\n}\n\nfunc pauseShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t// show running container names\n\tstatusFilterFn := func(st containerd.ProcessStatus) bool {\n\t\treturn st == containerd.Running\n\t}\n\treturn completion.ContainerNames(cmd, statusFilterFn)\n}\n" }, { "path": "cmd/nerdctl/container/container_port.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/containerutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/idutil/containerwalker\"\n\t\"github.com/containerd/nerdctl/v2/pkg/portutil\"\n)\n\nfunc PortCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"port [flags] CONTAINER [PRIVATE_PORT[/PROTO]]\",\n\t\tArgs: cobra.RangeArgs(1, 2),\n\t\tShort: \"List port mappings or a specific mapping for the container\",\n\t\tRunE: portAction,\n\t\tValidArgsFunction: portShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\treturn cmd\n}\n\nfunc portAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\targPort := -1\n\targProto := \"\"\n\tportProto := \"\"\n\tif len(args) == 2 {\n\t\tportProto = args[1]\n\t}\n\n\tif portProto != \"\" {\n\t\tsplitBySlash := strings.Split(portProto, \"/\")\n\t\tvar err error\n\t\targPort, err = strconv.Atoi(splitBySlash[0])\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif argPort <= 0 {\n\t\t\treturn fmt.Errorf(\"unexpected port %d\", argPort)\n\t\t}\n\t\tswitch len(splitBySlash) {\n\t\tcase 1:\n\t\t\targProto = \"tcp\"\n\t\tcase 2:\n\t\t\targProto = strings.ToLower(splitBySlash[1])\n\t\tdefault:\n\t\t\treturn fmt.Errorf(\"failed to parse %q\", portProto)\n\t\t}\n\t}\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\tdataStore, err := clientutil.DataStore(globalOptions.DataRoot, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\twalker := &containerwalker.ContainerWalker{\n\t\tClient: client,\n\t\tOnFound: func(ctx context.Context, found containerwalker.Found) error {\n\t\t\tif found.MatchCount > 1 {\n\t\t\t\treturn fmt.Errorf(\"multiple IDs found with provided prefix: %s\", found.Req)\n\t\t\t}\n\t\t\tcontainerLabels, err := found.Container.Labels(ctx)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tports, err := portutil.LoadPortMappings(dataStore, globalOptions.Namespace, found.Container.ID(), containerLabels)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\treturn containerutil.PrintHostPort(ctx, cmd.OutOrStdout(), found.Container, argPort, argProto, ports)\n\t\t},\n\t}\n\treq := args[0]\n\tn, err := walker.Walk(ctx, req)\n\tif err != nil {\n\t\treturn err\n\t} else if n == 0 {\n\t\treturn fmt.Errorf(\"no such container %s\", req)\n\t}\n\treturn nil\n}\n\nfunc portShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\treturn completion.ContainerNames(cmd, nil)\n}\n" }, { "path": "cmd/nerdctl/container/container_prune.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n)\n\nfunc pruneCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"prune [flags]\",\n\t\tShort: \"Remove all stopped containers\",\n\t\tArgs: cobra.NoArgs,\n\t\tRunE: pruneAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().BoolP(\"force\", \"f\", false, \"Do not prompt for confirmation\")\n\treturn cmd\n}\n\nfunc pruneOptions(cmd *cobra.Command) (types.ContainerPruneOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ContainerPruneOptions{}, err\n\t}\n\n\treturn types.ContainerPruneOptions{\n\t\tGOptions: globalOptions,\n\t\tStdout: cmd.OutOrStdout(),\n\t}, nil\n}\n\nfunc grantPrunePermission(cmd *cobra.Command) (bool, error) {\n\tforce, err := cmd.Flags().GetBool(\"force\")\n\tif err != nil {\n\t\treturn false, err\n\t}\n\n\tif !force {\n\t\treturn helpers.Confirm(cmd, \"WARNING! This will remove all stopped containers.\")\n\t}\n\treturn true, nil\n}\n\nfunc pruneAction(cmd *cobra.Command, _ []string) error {\n\toptions, err := pruneOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif ok, err := grantPrunePermission(cmd); err != nil {\n\t\treturn err\n\t} else if !ok {\n\t\treturn nil\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn container.Prune(ctx, client, options)\n}\n" }, { "path": "cmd/nerdctl/container/container_prune_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestPruneContainer(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = nerdtest.Private\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"1\"))\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"2\"))\n\t}\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(\"1\"), \"-v\", \"/anonymous\", testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\thelpers.Ensure(\"exec\", data.Identifier(\"1\"), \"touch\", \"/anonymous/foo\")\n\t\thelpers.Ensure(\"create\", \"--name\", data.Identifier(\"2\"), testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\thelpers.Ensure(\"container\", \"prune\", \"-f\")\n\t\thelpers.Ensure(\"inspect\", data.Identifier(\"1\"))\n\t\thelpers.Fail(\"inspect\", data.Identifier(\"2\"))\n\t\t// https://github.com/containerd/nerdctl/issues/3134\n\t\thelpers.Ensure(\"exec\", data.Identifier(\"1\"), \"ls\", \"-lA\", \"/anonymous/foo\")\n\t\thelpers.Ensure(\"kill\", data.Identifier(\"1\"))\n\t\thelpers.Ensure(\"container\", \"prune\", \"-f\")\n\t\treturn helpers.Command(\"inspect\", data.Identifier(\"1\"))\n\t}\n\n\ttestCase.Expected = test.Expects(1, nil, nil)\n}\n" }, { "path": "cmd/nerdctl/container/container_remove.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n)\n\nfunc RemoveCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"rm [flags] CONTAINER [CONTAINER, ...]\",\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tShort: \"Remove one or more containers\",\n\t\tRunE: removeAction,\n\t\tValidArgsFunction: rmShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Aliases = []string{\"remove\"}\n\tcmd.Flags().BoolP(\"force\", \"f\", false, \"Force the removal of a running|paused|unknown container (uses SIGKILL)\")\n\tcmd.Flags().BoolP(\"volumes\", \"v\", false, \"Remove volumes associated with the container\")\n\treturn cmd\n}\n\nfunc removeAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tforce, err := cmd.Flags().GetBool(\"force\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tremoveAnonVolumes, err := cmd.Flags().GetBool(\"volumes\")\n\tif err != nil {\n\t\treturn err\n\t}\n\toptions := types.ContainerRemoveOptions{\n\t\tGOptions: globalOptions,\n\t\tForce: force,\n\t\tVolumes: removeAnonVolumes,\n\t\tStdout: cmd.OutOrStdout(),\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn container.Remove(ctx, client, args, options)\n}\n\nfunc rmShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t// show container names\n\treturn completion.ContainerNames(cmd, nil)\n}\n" }, { "path": "cmd/nerdctl/container/container_remove_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"fmt\"\n\t\"strconv\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/rootlessutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/portlock\"\n)\n\n// iptablesCheckCommand is the shell command to check iptables rules\nconst iptablesCheckCommand = \"iptables -t nat -S && iptables -t filter -S && iptables -t mangle -S\"\n\n// testContainerRmIptablesExecutor is a common executor function for testing iptables rules cleanup\nfunc testContainerRmIptablesExecutor(data test.Data, helpers test.Helpers) test.TestableCommand {\n\tt := helpers.T()\n\n\t// Get the container ID from the label\n\tcontainerID := data.Labels().Get(\"containerID\")\n\n\t// Remove the container\n\thelpers.Ensure(\"rm\", \"-f\", containerID)\n\n\ttime.Sleep(1 * time.Second)\n\n\t// Create a TestableCommand using helpers.Custom\n\tif rootlessutil.IsRootless() {\n\t\t// In rootless mode, we need to enter the rootlesskit network namespace\n\t\tif netns, err := rootlessutil.DetachedNetNS(); err != nil {\n\t\t\tt.Log(fmt.Sprintf(\"Failed to get detached network namespace: %v\", err))\n\t\t\tt.FailNow()\n\t\t} else {\n\t\t\tif netns != \"\" {\n\t\t\t\t// Use containerd-rootless-setuptool.sh to enter the RootlessKit namespace\n\t\t\t\treturn helpers.Custom(\"containerd-rootless-setuptool.sh\", \"nsenter\", \"--\", \"nsenter\", \"--net=\"+netns, \"sh\", \"-ec\", iptablesCheckCommand)\n\t\t\t}\n\t\t\t// Enter into :RootlessKit namespace using containerd-rootless-setuptool.sh\n\t\t\treturn helpers.Custom(\"containerd-rootless-setuptool.sh\", \"nsenter\", \"--\", \"sh\", \"-ec\", iptablesCheckCommand)\n\t\t}\n\t}\n\n\t// In non-rootless mode, check iptables rules directly on the host\n\treturn helpers.Custom(\"sh\", \"-ec\", iptablesCheckCommand)\n}\n\n// TestContainerRmIptables tests that iptables rules are cleared after container deletion\nfunc TestContainerRmIptables(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\t// Require iptables and containerd-rootless-setuptool.sh commands to be available\n\ttestCase.Require = require.All(\n\t\trequire.Binary(\"iptables\"),\n\t\trequire.Binary(\"containerd-rootless-setuptool.sh\"),\n\t\trequire.Not(require.Windows),\n\t\trequire.Not(nerdtest.Docker),\n\t)\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"Test iptables rules are cleared after container deletion\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t// Get a free port using portlock\n\t\t\t\tport, err := portlock.Acquire(0)\n\t\t\t\tif err != nil {\n\t\t\t\t\thelpers.T().Log(fmt.Sprintf(\"Failed to acquire port: %v\", err))\n\t\t\t\t\thelpers.T().FailNow()\n\t\t\t\t}\n\t\t\t\tdata.Labels().Set(\"port\", strconv.Itoa(port))\n\n\t\t\t\t// Create a container with port mapping to ensure iptables rules are created\n\t\t\t\tcontainerID := helpers.Capture(\"run\", \"-d\", \"--name\", data.Identifier(), \"-p\", fmt.Sprintf(\"%d:80\", port), testutil.NginxAlpineImage)\n\t\t\t\tdata.Labels().Set(\"containerID\", containerID)\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t// Make sure container is removed even if test fails\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\n\t\t\t\t// Release the acquired port\n\t\t\t\tif portStr := data.Labels().Get(\"port\"); portStr != \"\" {\n\t\t\t\t\tport, _ := strconv.Atoi(portStr)\n\t\t\t\t\t_ = portlock.Release(port)\n\t\t\t\t}\n\t\t\t},\n\t\t\tCommand: testContainerRmIptablesExecutor,\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t// Get the container ID from the label\n\t\t\t\tcontainerID := data.Labels().Get(\"containerID\")\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeSuccess,\n\t\t\t\t\t// Verify that the iptables output does not contain the container ID\n\t\t\t\t\tOutput: expect.DoesNotContain(containerID),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_remove_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestRemoveContainer(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\tcontainerID := data.Identifier()\n\t\thelpers.Fail(\"rm\", containerID)\n\n\t\t// FIXME: should (re-)evaluate this\n\t\t// `kill` seems to return before the container actually stops\n\t\thelpers.Ensure(\"stop\", containerID)\n\n\t\treturn helpers.Command(\"rm\", containerID)\n\t}\n\n\ttestCase.Expected = test.Expects(0, nil, nil)\n}\n" }, { "path": "cmd/nerdctl/container/container_remove_windows_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestRemoveHyperVContainer(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = nerdtest.HyperV\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"run\", \"-d\", \"--isolation\", \"hyperv\", \"--name\", testutil.Identifier(t), testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\tnerdtest.EnsureContainerStarted(helpers, testutil.Identifier(t))\n\n\t\tinspect := nerdtest.InspectContainer(helpers, testutil.Identifier(t))\n\t\t//check with HCS if the container is ineed a VM\n\t\tisHypervContainer, err := testutil.HyperVContainer(inspect)\n\t\tassert.NilError(t, err)\n\t\tassert.Assert(t, isHypervContainer, true)\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", testutil.Identifier(t))\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"should fail to remove when still running\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: test.Command(\"rm\", testutil.Identifier(t)),\n\t\t\tExpected: test.Expects(expect.ExitCodeGenericFail, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"should kill the container\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: test.Command(\"kill\", testutil.Identifier(t)),\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"should remove the container when terminated\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: test.Command(\"rm\", testutil.Identifier(t)),\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, nil),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_rename.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n)\n\nfunc RenameCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"rename [flags] CONTAINER NEW_NAME\",\n\t\tArgs: helpers.IsExactArgs(2),\n\t\tShort: \"rename a container\",\n\t\tRunE: renameAction,\n\t\tValidArgsFunction: renameShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\treturn cmd\n}\n\nfunc renameOptions(cmd *cobra.Command) (types.ContainerRenameOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ContainerRenameOptions{}, err\n\t}\n\treturn types.ContainerRenameOptions{\n\t\tGOptions: globalOptions,\n\t\tStdout: cmd.OutOrStdout(),\n\t}, nil\n}\n\nfunc renameAction(cmd *cobra.Command, args []string) error {\n\toptions, err := renameOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\treturn container.Rename(ctx, client, args[0], args[1], options)\n}\nfunc renameShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\treturn completion.ContainerNames(cmd, nil)\n}\n" }, { "path": "cmd/nerdctl/container/container_rename_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestRename(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\ttestContainerName := data.Identifier()\n\t\tdata.Labels().Set(\"containerName\", testContainerName)\n\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", testContainerName, testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\tnerdtest.EnsureContainerStarted(helpers, testContainerName)\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\ttestContainerName := data.Labels().Get(\"containerName\")\n\t\thelpers.Anyhow(\"rm\", \"-f\", testContainerName)\n\t\thelpers.Anyhow(\"rm\", \"-f\", testContainerName+\"_new\")\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"`rename` should work\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\ttestContainerName := data.Labels().Get(\"containerName\")\n\t\t\t\treturn helpers.Command(\"rename\", testContainerName, testContainerName+\"_new\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"`rename` should have updated container name\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"ps\", \"-a\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\ttestContainerName := data.Labels().Get(\"containerName\")\n\t\t\t\treturn test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(testContainerName+\"_new\"))(data, helpers)\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"`rename` should fail to rename not existing container\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\ttestContainerName := data.Labels().Get(\"containerName\")\n\t\t\t\treturn helpers.Command(\"rename\", testContainerName, testContainerName+\"_new\")\n\t\t\t},\n\t\t\tExpected: test.Expects(1, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"`rename` should fail to rename to existing name\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\ttestContainerName := data.Labels().Get(\"containerName\")\n\t\t\t\treturn helpers.Command(\"rename\", testContainerName+\"_new\", testContainerName+\"_new\")\n\t\t\t},\n\t\t\tExpected: test.Expects(1, nil, nil),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestRenameUpdateHosts(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = require.Not(nerdtest.Docker)\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\ttestContainerName := data.Identifier()\n\t\tdata.Labels().Set(\"containerName\", testContainerName)\n\n\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", testContainerName, testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", testContainerName+\"_1\", testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\n\t\tnerdtest.EnsureContainerStarted(helpers, testContainerName)\n\t\tnerdtest.EnsureContainerStarted(helpers, testContainerName+\"_1\")\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\ttestContainerName := data.Labels().Get(\"containerName\")\n\t\thelpers.Anyhow(\"rm\", \"-f\", testContainerName)\n\t\thelpers.Anyhow(\"rm\", \"-f\", testContainerName+\"_1\")\n\t\thelpers.Anyhow(\"rm\", \"-f\", testContainerName+\"_new\")\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"check '/etc/hosts' for sibling container\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\ttestContainerName := data.Labels().Get(\"containerName\")\n\t\t\t\treturn helpers.Command(\"exec\", testContainerName, \"cat\", \"/etc/hosts\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\ttestContainerName := data.Labels().Get(\"containerName\")\n\t\t\t\treturn test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(testContainerName+\"_1\"))(data, helpers)\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"rename container\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\ttestContainerName := data.Labels().Get(\"containerName\")\n\t\t\t\treturn helpers.Command(\"rename\", testContainerName, testContainerName+\"_new\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"check '/etc/hosts' for renamed container\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\ttestContainerName := data.Labels().Get(\"containerName\")\n\t\t\t\treturn helpers.Command(\"exec\", testContainerName+\"_new\", \"cat\", \"/etc/hosts\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\ttestContainerName := data.Labels().Get(\"containerName\")\n\t\t\t\treturn test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(testContainerName+\"_new\"))(data, helpers)\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"check sibling's '/etc/hosts' for renamed container\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\ttestContainerName := data.Labels().Get(\"containerName\")\n\t\t\t\treturn helpers.Command(\"exec\", testContainerName+\"_1\", \"cat\", \"/etc/hosts\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\ttestContainerName := data.Labels().Get(\"containerName\")\n\t\t\t\treturn test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(testContainerName+\"_new\"))(data, helpers)\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_rename_windows_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestRenameProcessContainer(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\ttestContainerName := testutil.Identifier(t)\n\t\tdata.Labels().Set(\"containerName\", testContainerName)\n\n\t\thelpers.Ensure(\"run\", \"--isolation\", \"process\", \"-d\", \"--name\", testContainerName, testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\tnerdtest.EnsureContainerStarted(helpers, testContainerName)\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\ttestContainerName := data.Labels().Get(\"containerName\")\n\t\thelpers.Anyhow(\"rm\", \"-f\", testContainerName)\n\t\thelpers.Anyhow(\"rm\", \"-f\", testContainerName+\"_new\")\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"`rename` should work\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\ttestContainerName := data.Labels().Get(\"containerName\")\n\t\t\t\treturn helpers.Command(\"rename\", testContainerName, testContainerName+\"_new\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"`rename` should have updated container name\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"ps\", \"-a\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\ttestContainerName := data.Labels().Get(\"containerName\")\n\t\t\t\treturn test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(testContainerName+\"_new\"))(data, helpers)\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"`rename` should fail to rename not existing container\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\ttestContainerName := data.Labels().Get(\"containerName\")\n\t\t\t\treturn helpers.Command(\"rename\", testContainerName, testContainerName+\"_new\")\n\t\t\t},\n\t\t\tExpected: test.Expects(1, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"`rename` should fail to rename to existing name\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\ttestContainerName := data.Labels().Get(\"containerName\")\n\t\t\t\treturn helpers.Command(\"rename\", testContainerName+\"_new\", testContainerName+\"_new\")\n\t\t\t},\n\t\t\tExpected: test.Expects(1, nil, nil),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestRenameHyperVContainer(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = nerdtest.HyperV\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\ttestContainerName := testutil.Identifier(t)\n\t\tdata.Labels().Set(\"containerName\", testContainerName)\n\n\t\thelpers.Ensure(\"run\", \"--isolation\", \"hyperv\", \"-d\", \"--name\", testContainerName, testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\tnerdtest.EnsureContainerStarted(helpers, testContainerName)\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\ttestContainerName := data.Labels().Get(\"containerName\")\n\t\thelpers.Anyhow(\"rm\", \"-f\", testContainerName)\n\t\thelpers.Anyhow(\"rm\", \"-f\", testContainerName+\"_new\")\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"`rename` should work\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\ttestContainerName := data.Labels().Get(\"containerName\")\n\t\t\t\treturn helpers.Command(\"rename\", testContainerName, testContainerName+\"_new\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"`rename` should have updated container name\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"ps\", \"-a\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\ttestContainerName := data.Labels().Get(\"containerName\")\n\t\t\t\treturn test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(testContainerName+\"_new\"))(data, helpers)\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"`rename` should fail to rename not existing container\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\ttestContainerName := data.Labels().Get(\"containerName\")\n\t\t\t\treturn helpers.Command(\"rename\", testContainerName, testContainerName+\"_new\")\n\t\t\t},\n\t\t\tExpected: test.Expects(1, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"`rename` should fail to rename to existing name\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\ttestContainerName := data.Labels().Get(\"containerName\")\n\t\t\t\treturn helpers.Command(\"rename\", testContainerName+\"_new\", testContainerName+\"_new\")\n\t\t\t},\n\t\t\tExpected: test.Expects(1, nil, nil),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_restart.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"time\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n)\n\nfunc RestartCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"restart [flags] CONTAINER [CONTAINER, ...]\",\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tShort: \"Restart one or more running containers\",\n\t\tRunE: restartAction,\n\t\tValidArgsFunction: startShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().UintP(\"time\", \"t\", 10, \"Seconds to wait for stop before killing it\")\n\tcmd.Flags().StringP(\"signal\", \"s\", \"\", \"Signal to send to stop the container, before killing it\")\n\treturn cmd\n}\n\nfunc restartOptions(cmd *cobra.Command) (types.ContainerRestartOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ContainerRestartOptions{}, err\n\t}\n\n\t// Call GlobalFlags function here\n\tnerdctlCmd, nerdctlArgs := helpers.GlobalFlags(cmd)\n\n\tvar timeout *time.Duration\n\tif cmd.Flags().Changed(\"time\") {\n\t\t// Seconds to wait for stop before killing it\n\t\ttimeValue, err := cmd.Flags().GetUint(\"time\")\n\t\tif err != nil {\n\t\t\treturn types.ContainerRestartOptions{}, err\n\t\t}\n\t\tt := time.Duration(timeValue) * time.Second\n\t\ttimeout = &t\n\t}\n\n\tvar signal string\n\tif cmd.Flags().Changed(\"signal\") {\n\t\t// Signal to send to stop the container, before killing it\n\t\tsig, err := cmd.Flags().GetString(\"signal\")\n\t\tif err != nil {\n\t\t\treturn types.ContainerRestartOptions{}, err\n\t\t}\n\t\tsignal = sig\n\t}\n\n\treturn types.ContainerRestartOptions{\n\t\tStdout: cmd.OutOrStdout(),\n\t\tGOption: globalOptions,\n\t\tTimeout: timeout,\n\t\tSignal: signal,\n\t\tNerdctlCmd: nerdctlCmd,\n\t\tNerdctlArgs: nerdctlArgs,\n\t}, err\n}\n\nfunc restartAction(cmd *cobra.Command, args []string) error {\n\toptions, err := restartOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOption.Namespace, options.GOption.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn container.Restart(ctx, client, args, options)\n}\n" }, { "path": "cmd/nerdctl/container/container_restart_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"strconv\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/inspecttypes/dockercompat\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestRestart(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", testutil.Identifier(t), testutil.NginxAlpineImage, \"sleep\", nerdtest.Infinity)\n\t\tnerdtest.EnsureContainerStarted(helpers, testutil.Identifier(t))\n\n\t\tinspect := nerdtest.InspectContainer(helpers, testutil.Identifier(t))\n\t\tdata.Labels().Set(\"pid\", strconv.Itoa(inspect.State.Pid))\n\n\t\thelpers.Ensure(\"restart\", testutil.Identifier(t))\n\t\tnerdtest.EnsureContainerStarted(helpers, testutil.Identifier(t))\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", testutil.Identifier(t))\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"inspect\", testutil.Identifier(t))\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tExitCode: expect.ExitCodeSuccess,\n\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\tvar dc []dockercompat.Container\n\n\t\t\t\terr := json.Unmarshal([]byte(stdout), &dc)\n\t\t\t\tassert.NilError(t, err)\n\t\t\t\tassert.Equal(t, 1, len(dc))\n\n\t\t\t\tassert.Assert(t, data.Labels().Get(\"pid\") != strconv.Itoa(dc[0].State.Pid))\n\t\t\t},\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestRestartPIDContainer(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tbaseContainerName := testutil.Identifier(t)\n\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", baseContainerName, testutil.AlpineImage, \"sleep\", nerdtest.Infinity)\n\t\tnerdtest.EnsureContainerStarted(helpers, baseContainerName)\n\n\t\tsharedContainerName := fmt.Sprintf(\"%s-shared\", baseContainerName)\n\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", sharedContainerName, fmt.Sprintf(\"--pid=container:%s\", baseContainerName), testutil.AlpineImage, \"sleep\", nerdtest.Infinity)\n\t\tnerdtest.EnsureContainerStarted(helpers, sharedContainerName)\n\n\t\thelpers.Ensure(\"restart\", baseContainerName)\n\t\tnerdtest.EnsureContainerStarted(helpers, baseContainerName)\n\t\thelpers.Ensure(\"restart\", sharedContainerName)\n\t\tnerdtest.EnsureContainerStarted(helpers, sharedContainerName)\n\n\t\t// output format : /proc/1/ns/pid\n\t\t// example output: 4026532581 /proc/1/ns/pid\n\t\tbasePSResult := helpers.Capture(\"exec\", baseContainerName, \"ls\", \"-Li\", \"/proc/1/ns/pid\")\n\t\tbaseOutput := strings.TrimSpace(basePSResult)\n\n\t\tdata.Labels().Set(\"baseContainerName\", baseContainerName)\n\t\tdata.Labels().Set(\"sharedContainerName\", sharedContainerName)\n\t\tdata.Labels().Set(\"baseOutput\", baseOutput)\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Labels().Get(\"baseContainerName\"))\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Labels().Get(\"sharedContainerName\"))\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"exec\", data.Labels().Get(\"sharedContainerName\"), \"ls\", \"-Li\", \"/proc/1/ns/pid\")\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tExitCode: expect.ExitCodeSuccess,\n\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\tassert.Equal(t, strings.TrimSpace(stdout), data.Labels().Get(\"baseOutput\"))\n\t\t\t},\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestRestartIPCContainer(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tconst shmSize = \"32m\"\n\t\tbaseContainerName := testutil.Identifier(t)\n\t\thelpers.Ensure(\"run\", \"-d\", \"--shm-size\", shmSize, \"--ipc\", \"shareable\", \"--name\", baseContainerName, testutil.AlpineImage, \"sleep\", nerdtest.Infinity)\n\t\tnerdtest.EnsureContainerStarted(helpers, baseContainerName)\n\n\t\tsharedContainerName := fmt.Sprintf(\"%s-shared\", baseContainerName)\n\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", sharedContainerName, fmt.Sprintf(\"--ipc=container:%s\", baseContainerName), testutil.AlpineImage, \"sleep\", nerdtest.Infinity)\n\t\tnerdtest.EnsureContainerStarted(helpers, sharedContainerName)\n\n\t\thelpers.Ensure(\"stop\", baseContainerName)\n\t\thelpers.Ensure(\"stop\", sharedContainerName)\n\n\t\thelpers.Ensure(\"restart\", baseContainerName)\n\t\tnerdtest.EnsureContainerStarted(helpers, baseContainerName)\n\t\thelpers.Ensure(\"restart\", sharedContainerName)\n\t\tnerdtest.EnsureContainerStarted(helpers, sharedContainerName)\n\n\t\tbaseShmSizeResult := helpers.Capture(\"exec\", baseContainerName, \"/bin/grep\", \"shm\", \"/proc/self/mounts\")\n\t\tbaseOutput := strings.TrimSpace(baseShmSizeResult)\n\n\t\tdata.Labels().Set(\"baseContainerName\", baseContainerName)\n\t\tdata.Labels().Set(\"sharedContainerName\", sharedContainerName)\n\t\tdata.Labels().Set(\"baseOutput\", baseOutput)\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Labels().Get(\"baseContainerName\"))\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Labels().Get(\"sharedContainerName\"))\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"exec\", data.Labels().Get(\"sharedContainerName\"), \"/bin/grep\", \"shm\", \"/proc/self/mounts\")\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tExitCode: expect.ExitCodeSuccess,\n\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\tassert.Equal(t, strings.TrimSpace(stdout), data.Labels().Get(\"baseOutput\"))\n\t\t\t},\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestRestartWithTime(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tcontainerName := testutil.Identifier(t)\n\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", containerName, testutil.AlpineImage, \"sleep\", nerdtest.Infinity)\n\t\tnerdtest.EnsureContainerStarted(helpers, containerName)\n\n\t\tinspect := nerdtest.InspectContainer(helpers, containerName)\n\t\tpid := inspect.State.Pid\n\n\t\tdata.Labels().Set(\"containerName\", containerName)\n\t\tdata.Labels().Set(\"pid\", strconv.Itoa(pid))\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Labels().Get(\"containerName\"))\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\tdata.Labels().Set(\"timePreRestart\", time.Now().Format(time.RFC3339))\n\t\treturn helpers.Command(\"restart\", \"-t\", \"5\", data.Labels().Get(\"containerName\"))\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tExitCode: expect.ExitCodeSuccess,\n\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\ttimePostRestart := time.Now()\n\t\t\t\ttimePreRestart, err := time.Parse(time.RFC3339, data.Labels().Get(\"timePreRestart\"))\n\t\t\t\tassert.NilError(t, err)\n\t\t\t\t// ensure that stop took at least 5 seconds\n\t\t\t\tassert.Assert(t, timePostRestart.Sub(timePreRestart) >= time.Second*5)\n\n\t\t\t\tinspect := nerdtest.InspectContainer(helpers, data.Labels().Get(\"containerName\"))\n\t\t\t\tassert.Assert(t, strconv.Itoa(inspect.State.Pid) != data.Labels().Get(\"pid\"))\n\t\t\t},\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestRestartWithSignal(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\t// FIXME: gomodjail signal handling is not working yet: https://github.com/AkihiroSuda/gomodjail/issues/51\n\ttestCase.Require = require.Not(nerdtest.Gomodjail)\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\tcmd := nerdtest.RunSigProxyContainer(nerdtest.SigUsr1, false, nil, data, helpers)\n\t\t// Capture the current pid\n\t\tdata.Labels().Set(\"oldpid\", strconv.Itoa(nerdtest.InspectContainer(helpers, data.Identifier()).State.Pid))\n\t\t// Send the signal\n\t\thelpers.Ensure(\"restart\", \"--signal\", \"SIGUSR1\", data.Identifier())\n\t\treturn cmd\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\t// Check the container did indeed exit\n\t\t\tExitCode: 137,\n\t\t\tOutput: expect.All(\n\t\t\t\t// Check that we saw SIGUSR1 inside the container\n\t\t\t\texpect.Contains(nerdtest.SignalCaught),\n\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t// Ensure the container was restarted\n\t\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t\t\t// Check the new pid is different\n\t\t\t\t\tnewpid := strconv.Itoa(nerdtest.InspectContainer(helpers, data.Identifier()).State.Pid)\n\t\t\t\t\tassert.Assert(helpers.T(), newpid != data.Labels().Get(\"oldpid\"))\n\t\t\t\t},\n\t\t\t),\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_run.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"runtime\"\n\t\"strings\"\n\n\t\"github.com/spf13/cobra\"\n\t\"golang.org/x/term\"\n\n\t\"github.com/containerd/console\"\n\tcontainerd \"github.com/containerd/containerd/v2/client\"\n\t\"github.com/containerd/log\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/pkg/annotations\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n\t\"github.com/containerd/nerdctl/v2/pkg/config\"\n\t\"github.com/containerd/nerdctl/v2/pkg/consoleutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/containerutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/defaults\"\n\t\"github.com/containerd/nerdctl/v2/pkg/errutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/healthcheck\"\n\t\"github.com/containerd/nerdctl/v2/pkg/labels\"\n\t\"github.com/containerd/nerdctl/v2/pkg/logging\"\n\t\"github.com/containerd/nerdctl/v2/pkg/netutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/signalutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/taskutil\"\n)\n\nconst (\n\ttiniInitBinary = \"tini\"\n)\n\nfunc RunCommand() *cobra.Command {\n\tshortHelp := \"Run a command in a new container. Optionally specify \\\"ipfs://\\\" or \\\"ipns://\\\" scheme to pull image from IPFS.\"\n\tlongHelp := shortHelp\n\tswitch runtime.GOOS {\n\tcase \"windows\":\n\t\tlongHelp += \"\\n\"\n\t\tlongHelp += \"WARNING: `nerdctl run` is experimental on Windows and currently broken (https://github.com/containerd/nerdctl/issues/28)\"\n\tcase \"freebsd\":\n\t\tlongHelp += \"\\n\"\n\t\tlongHelp += \"WARNING: `nerdctl run` is experimental on FreeBSD and currently requires `--net=none` (https://github.com/containerd/nerdctl/blob/main/docs/freebsd.md)\"\n\t}\n\tvar cmd = &cobra.Command{\n\t\tUse: \"run [flags] IMAGE [COMMAND] [ARG...]\",\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tShort: shortHelp,\n\t\tLong: longHelp,\n\t\tRunE: runAction,\n\t\tValidArgsFunction: runShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\n\tcmd.Flags().SetInterspersed(false)\n\tsetCreateFlags(cmd)\n\n\tcmd.Flags().BoolP(\"detach\", \"d\", false, \"Run container in background and print container ID\")\n\tcmd.Flags().StringSliceP(\"attach\", \"a\", []string{}, \"Attach STDIN, STDOUT, or STDERR\")\n\n\treturn cmd\n}\n\nfunc setCreateFlags(cmd *cobra.Command) {\n\n\t// No \"-h\" alias for \"--help\", because \"-h\" for \"--hostname\".\n\tcmd.Flags().Bool(\"help\", false, \"show help\")\n\n\tcmd.Flags().BoolP(\"tty\", \"t\", false, \"Allocate a pseudo-TTY\")\n\tcmd.Flags().Bool(\"sig-proxy\", true, \"Proxy received signals to the process (default true)\")\n\tcmd.Flags().BoolP(\"interactive\", \"i\", false, \"Keep STDIN open even if not attached\")\n\tcmd.Flags().String(\"restart\", \"no\", `Restart policy to apply when a container exits (implemented values: \"no\"|\"always|on-failure:n|unless-stopped\")`)\n\tcmd.RegisterFlagCompletionFunc(\"restart\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"no\", \"always\", \"on-failure\", \"unless-stopped\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\tcmd.Flags().Bool(\"rm\", false, \"Automatically remove the container when it exits\")\n\tcmd.Flags().String(\"pull\", \"missing\", `Pull image before running (\"always\"|\"missing\"|\"never\")`)\n\tcmd.Flags().BoolP(\"quiet\", \"q\", false, \"Suppress the pull output\")\n\tcmd.RegisterFlagCompletionFunc(\"pull\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"always\", \"missing\", \"never\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\tcmd.Flags().String(\"stop-signal\", \"SIGTERM\", \"Signal to stop a container\")\n\tcmd.Flags().Int(\"stop-timeout\", 0, \"Timeout (in seconds) to stop a container\")\n\tcmd.Flags().String(\"detach-keys\", consoleutil.DefaultDetachKeys, \"Override the default detach keys\")\n\n\t// #region for init process\n\tcmd.Flags().Bool(\"init\", false, \"Run an init process inside the container, Default to use tini\")\n\tcmd.Flags().String(\"init-binary\", tiniInitBinary, \"The custom binary to use as the init process\")\n\t// #endregion\n\n\t// #region platform flags\n\tcmd.Flags().String(\"platform\", \"\", \"Set platform (e.g. \\\"amd64\\\", \\\"arm64\\\")\") // not a slice, and there is no --all-platforms\n\tcmd.RegisterFlagCompletionFunc(\"platform\", completion.Platforms)\n\t// #endregion\n\n\t// #region network flags\n\t// network (net) is defined as StringSlice, not StringArray, to allow specifying \"--network=cni1,cni2\"\n\tcmd.Flags().StringSlice(\"network\", []string{netutil.DefaultNetworkName}, `Connect a container to a network (\"bridge\"|\"host\"|\"none\"|\"container:\"|\"ns:\"|)`)\n\tcmd.RegisterFlagCompletionFunc(\"network\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn completion.NetworkNames(cmd, []string{})\n\t})\n\tcmd.Flags().StringSlice(\"net\", []string{netutil.DefaultNetworkName}, `Connect a container to a network (\"bridge\"|\"host\"|\"none\"|\"container:\"|\"ns:\"|)`)\n\tcmd.RegisterFlagCompletionFunc(\"net\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn completion.NetworkNames(cmd, []string{})\n\t})\n\t// dns is defined as StringSlice, not StringArray, to allow specifying \"--dns=1.1.1.1,8.8.8.8\" (compatible with Podman)\n\tcmd.Flags().StringSlice(\"dns\", nil, \"Set custom DNS servers\")\n\tcmd.Flags().StringSlice(\"dns-search\", nil, \"Set custom DNS search domains\")\n\t// We allow for both \"--dns-opt\" and \"--dns-option\", although the latter is the recommended way.\n\tcmd.Flags().StringSlice(\"dns-opt\", nil, \"Set DNS options\")\n\tcmd.Flags().StringSlice(\"dns-option\", nil, \"Set DNS options\")\n\t// publish is defined as StringSlice, not StringArray, to allow specifying \"--publish=80:80,443:443\" (compatible with Podman)\n\tcmd.Flags().StringSliceP(\"publish\", \"p\", nil, \"Publish a container's port(s) to the host\")\n\tcmd.Flags().String(\"ip\", \"\", \"IPv4 address to assign to the container\")\n\tcmd.Flags().String(\"ip6\", \"\", \"IPv6 address to assign to the container\")\n\tcmd.Flags().StringP(\"hostname\", \"h\", \"\", \"Container host name\")\n\tcmd.Flags().String(\"domainname\", \"\", \"Container domain name\")\n\tcmd.Flags().String(\"mac-address\", \"\", \"MAC address to assign to the container\")\n\t// #endregion\n\n\tcmd.Flags().String(\"ipc\", \"\", `IPC namespace to use (\"host\"|\"private\"|\"shareable\"|\"container:\")`)\n\tcmd.RegisterFlagCompletionFunc(\"ipc\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\tif strings.HasPrefix(toComplete, \"container:\") {\n\t\t\tnames, directive := completion.ContainerNames(cmd, func(st containerd.ProcessStatus) bool {\n\t\t\t\treturn st == containerd.Running\n\t\t\t})\n\t\t\tvar candidates []string\n\t\t\tfor _, name := range names {\n\t\t\t\tcandidates = append(candidates, \"container:\"+name)\n\t\t\t}\n\t\t\treturn candidates, directive\n\t\t}\n\t\treturn []string{\"host\", \"private\", \"shareable\", \"container:\"}, cobra.ShellCompDirectiveNoSpace\n\t})\n\t// #region cgroups, namespaces, and ulimits flags\n\tcmd.Flags().Float64(\"cpus\", 0.0, \"Number of CPUs\")\n\tcmd.Flags().StringP(\"memory\", \"m\", \"\", \"Memory limit\")\n\tcmd.Flags().String(\"memory-reservation\", \"\", \"Memory soft limit\")\n\tcmd.Flags().String(\"memory-swap\", \"\", \"Swap limit equal to memory plus swap: '-1' to enable unlimited swap\")\n\tcmd.Flags().Int64(\"memory-swappiness\", -1, \"Tune container memory swappiness (0 to 100) (default -1)\")\n\tcmd.Flags().String(\"kernel-memory\", \"\", \"Kernel memory limit (deprecated)\")\n\tcmd.Flags().Bool(\"oom-kill-disable\", false, \"Disable OOM Killer\")\n\tcmd.Flags().Int(\"oom-score-adj\", 0, \"Tune container’s OOM preferences (-1000 to 1000, rootless: 100 to 1000)\")\n\tcmd.Flags().String(\"pid\", \"\", \"PID namespace to use\")\n\tcmd.Flags().String(\"uts\", \"\", \"UTS namespace to use\")\n\tcmd.RegisterFlagCompletionFunc(\"pid\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"host\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\tcmd.Flags().Int64(\"pids-limit\", -1, \"Tune container pids limit (set -1 for unlimited)\")\n\tcmd.Flags().StringSlice(\"cgroup-conf\", nil, \"Configure cgroup v2 (key=value)\")\n\tcmd.Flags().String(\"cgroupns\", defaults.CgroupnsMode(), `Cgroup namespace to use, the default depends on the cgroup version (\"host\"|\"private\")`)\n\tcmd.Flags().String(\"cgroup-parent\", \"\", \"Optional parent cgroup for the container\")\n\tcmd.RegisterFlagCompletionFunc(\"cgroupns\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"host\", \"private\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\tcmd.Flags().String(\"cpuset-cpus\", \"\", \"CPUs in which to allow execution (0-3, 0,1)\")\n\tcmd.Flags().String(\"cpuset-mems\", \"\", \"MEMs in which to allow execution (0-3, 0,1)\")\n\tcmd.Flags().Uint64(\"cpu-shares\", 0, \"CPU shares (relative weight)\")\n\tcmd.Flags().Int64(\"cpu-quota\", -1, \"Limit CPU CFS (Completely Fair Scheduler) quota\")\n\tcmd.Flags().Uint64(\"cpu-period\", 0, \"Limit CPU CFS (Completely Fair Scheduler) period\")\n\tcmd.Flags().Uint64(\"cpu-rt-period\", 0, \"Limit CPU real-time period in microseconds\")\n\tcmd.Flags().Uint64(\"cpu-rt-runtime\", 0, \"Limit CPU real-time runtime in microseconds\")\n\t// device is defined as StringSlice, not StringArray, to allow specifying \"--device=DEV1,DEV2\" (compatible with Podman)\n\tcmd.Flags().StringSlice(\"device\", nil, \"Add a host device to the container\")\n\t// ulimit is defined as StringSlice, not StringArray, to allow specifying \"--ulimit=ULIMIT1,ULIMIT2\" (compatible with Podman)\n\tcmd.Flags().StringSlice(\"ulimit\", nil, \"Ulimit options\")\n\tcmd.Flags().String(\"rdt-class\", \"\", \"Name of the RDT class (or CLOS) to associate the container with\")\n\t// #endregion\n\n\t// #region blkio flags\n\tcmd.Flags().Uint16(\"blkio-weight\", 0, \"Block IO (relative weight), between 10 and 1000, or 0 to disable (default 0)\")\n\tcmd.Flags().StringArray(\"blkio-weight-device\", []string{}, \"Block IO weight (relative device weight) (default [])\")\n\tcmd.Flags().StringArray(\"device-read-bps\", []string{}, \"Limit read rate (bytes per second) from a device (default [])\")\n\tcmd.Flags().StringArray(\"device-read-iops\", []string{}, \"Limit read rate (IO per second) from a device (default [])\")\n\tcmd.Flags().StringArray(\"device-write-bps\", []string{}, \"Limit write rate (bytes per second) to a device (default [])\")\n\tcmd.Flags().StringArray(\"device-write-iops\", []string{}, \"Limit write rate (IO per second) to a device (default [])\")\n\t// #endregion\n\n\t// user flags\n\tcmd.Flags().StringP(\"user\", \"u\", \"\", \"Username or UID (format: [:])\")\n\tcmd.Flags().String(\"umask\", \"\", \"Set the umask inside the container. Defaults to 0022\")\n\tcmd.Flags().StringSlice(\"group-add\", []string{}, \"Add additional groups to join\")\n\n\t// #region security flags\n\tcmd.Flags().StringArray(\"security-opt\", []string{}, \"Security options\")\n\tcmd.RegisterFlagCompletionFunc(\"security-opt\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\n\t\t\t\"seccomp=\", \"seccomp=\" + defaults.SeccompProfileName, \"seccomp=unconfined\",\n\t\t\t\"apparmor=\", \"apparmor=\" + defaults.AppArmorProfileName, \"apparmor=unconfined\",\n\t\t\t\"no-new-privileges\",\n\t\t\t\"systempaths=unconfined\",\n\t\t\t\"privileged-without-host-devices\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\t// cap-add and cap-drop are defined as StringSlice, not StringArray, to allow specifying \"--cap-add=CAP_SYS_ADMIN,CAP_NET_ADMIN\" (compatible with Podman)\n\tcmd.Flags().StringSlice(\"cap-add\", []string{}, \"Add Linux capabilities\")\n\tcmd.RegisterFlagCompletionFunc(\"cap-add\", capShellComplete)\n\tcmd.Flags().StringSlice(\"cap-drop\", []string{}, \"Drop Linux capabilities\")\n\tcmd.RegisterFlagCompletionFunc(\"cap-drop\", capShellComplete)\n\tcmd.Flags().Bool(\"privileged\", false, \"Give extended privileges to this container\")\n\tcmd.Flags().String(\"systemd\", \"false\", \"Allow running systemd in this container (default: false)\")\n\t// #endregion\n\n\t// #region runtime flags\n\tcmd.Flags().String(\"runtime\", defaults.Runtime, \"Runtime to use for this container, e.g. \\\"crun\\\", or \\\"io.containerd.runsc.v1\\\"\")\n\t// sysctl needs to be StringArray, not StringSlice, to prevent \"foo=foo1,foo2\" from being split to {\"foo=foo1\", \"foo2\"}\n\tcmd.Flags().StringArray(\"sysctl\", nil, \"Sysctl options\")\n\t// gpus needs to be StringArray, not StringSlice, to prevent \"capabilities=utility,device=DEV\" from being split to {\"capabilities=utility\", \"device=DEV\"}\n\tcmd.Flags().StringArray(\"gpus\", nil, \"GPU devices to add to the container ('all' to pass all GPUs)\")\n\tcmd.RegisterFlagCompletionFunc(\"gpus\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"all\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\t// #endregion\n\n\t// #region mount flags\n\t// volume needs to be StringArray, not StringSlice, to prevent \"/foo:/foo:ro,Z\" from being split to {\"/foo:/foo:ro\", \"Z\"}\n\tcmd.Flags().StringArrayP(\"volume\", \"v\", nil, \"Bind mount a volume\")\n\t// tmpfs needs to be StringArray, not StringSlice, to prevent \"/foo:size=64m,exec\" from being split to {\"/foo:size=64m\", \"exec\"}\n\tcmd.Flags().StringArray(\"tmpfs\", nil, \"Mount a tmpfs directory\")\n\tcmd.Flags().StringArray(\"mount\", nil, \"Attach a filesystem mount to the container\")\n\t// volumes-from needs to be StringArray, not StringSlice, to prevent \"id1,id2\" from being split to {\"id1\", \"id2\"} (compatible with Docker)\n\tcmd.Flags().StringArray(\"volumes-from\", nil, \"Mount volumes from the specified container(s)\")\n\t// #endregion\n\n\t// rootfs flags\n\tcmd.Flags().Bool(\"read-only\", false, \"Mount the container's root filesystem as read only\")\n\t// rootfs flags (from Podman)\n\tcmd.Flags().Bool(\"rootfs\", false, \"The first argument is not an image but the rootfs to the exploded container\")\n\n\t// Health check flags\n\tcmd.Flags().String(\"health-cmd\", \"\", \"Command to run to check health\")\n\tcmd.Flags().Duration(\"health-interval\", 0, \"Time between running the check (default: 30s)\")\n\tcmd.Flags().Duration(\"health-timeout\", 0, \"Maximum time to allow one check to run (default: 30s)\")\n\tcmd.Flags().Int(\"health-retries\", 0, \"Consecutive failures needed to report unhealthy (default: 3)\")\n\tcmd.Flags().Duration(\"health-start-period\", 0, \"Start period for the container to initialize before starting health-retries countdown\")\n\tcmd.Flags().Bool(\"no-healthcheck\", false, \"Disable any container-specified HEALTHCHECK\")\n\n\t// #region env flags\n\t// entrypoint needs to be StringArray, not StringSlice, to prevent \"FOO=foo1,foo2\" from being split to {\"FOO=foo1\", \"foo2\"}\n\t// entrypoint StringArray is an internal implementation to support `nerdctl compose` entrypoint yaml filed with multiple strings\n\t// users are not expected to specify multiple --entrypoint flags manually.\n\tcmd.Flags().StringArray(\"entrypoint\", nil, \"Overwrite the default ENTRYPOINT of the image\")\n\tcmd.Flags().StringP(\"workdir\", \"w\", \"\", \"Working directory inside the container\")\n\t// env needs to be StringArray, not StringSlice, to prevent \"FOO=foo1,foo2\" from being split to {\"FOO=foo1\", \"foo2\"}\n\tcmd.Flags().StringArrayP(\"env\", \"e\", nil, \"Set environment variables\")\n\t// add-host is defined as StringSlice, not StringArray, to allow specifying \"--add-host=HOST1:IP1,HOST2:IP2\" (compatible with Podman)\n\tcmd.Flags().StringSlice(\"add-host\", nil, \"Add a custom host-to-IP mapping (host:ip)\")\n\t// env-file is defined as StringSlice, not StringArray, to allow specifying \"--env-file=FILE1,FILE2\" (compatible with Podman)\n\tcmd.Flags().StringSlice(\"env-file\", nil, \"Set environment variables from file\")\n\n\t// #region metadata flags\n\tcmd.Flags().String(\"name\", \"\", \"Assign a name to the container\")\n\t// label needs to be StringArray, not StringSlice, to prevent \"foo=foo1,foo2\" from being split to {\"foo=foo1\", \"foo2\"}\n\tcmd.Flags().StringArrayP(\"label\", \"l\", nil, \"Set metadata on container\")\n\t// annotation needs to be StringArray, not StringSlice, to prevent \"foo=foo1,foo2\" from being split to {\"foo=foo1\", \"foo2\"}\n\tcmd.Flags().StringArray(\"annotation\", nil, \"Add an annotation to the container (passed through to the OCI runtime)\")\n\tcmd.RegisterFlagCompletionFunc(\"annotation\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn annotations.ShellCompletions, cobra.ShellCompDirectiveNoFileComp\n\t})\n\n\t// label-file is defined as StringSlice, not StringArray, to allow specifying \"--env-file=FILE1,FILE2\" (compatible with Podman)\n\tcmd.Flags().StringSlice(\"label-file\", nil, \"Set metadata on container from file\")\n\tcmd.Flags().String(\"cidfile\", \"\", \"Write the container ID to the file\")\n\t// #endregion\n\n\t// #region logging flags\n\t// log-opt needs to be StringArray, not StringSlice, to prevent \"env=os,customer\" from being split to {\"env=os\", \"customer\"}\n\tcmd.Flags().String(\"log-driver\", \"json-file\", \"Logging driver for the container. Default is json-file. It also supports logURI (eg: --log-driver binary://)\")\n\tcmd.RegisterFlagCompletionFunc(\"log-driver\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn logging.Drivers(), cobra.ShellCompDirectiveNoFileComp\n\t})\n\tcmd.Flags().StringArray(\"log-opt\", nil, \"Log driver options\")\n\t// #endregion\n\n\t// shared memory flags\n\tcmd.Flags().String(\"shm-size\", \"\", \"Size of /dev/shm\")\n\tcmd.Flags().String(\"pidfile\", \"\", \"file path to write the task's pid\")\n\n\t// #region verify flags\n\tcmd.Flags().String(\"verify\", \"none\", \"Verify the image (none|cosign|notation)\")\n\tcmd.RegisterFlagCompletionFunc(\"verify\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"none\", \"cosign\", \"notation\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\tcmd.Flags().String(\"cosign-key\", \"\", \"Path to the public key file, KMS, URI or Kubernetes Secret for --verify=cosign\")\n\tcmd.Flags().String(\"cosign-certificate-identity\", \"\", \"The identity expected in a valid Fulcio certificate for --verify=cosign. Valid values include email address, DNS names, IP addresses, and URIs. Either --cosign-certificate-identity or --cosign-certificate-identity-regexp must be set for keyless flows\")\n\tcmd.Flags().String(\"cosign-certificate-identity-regexp\", \"\", \"A regular expression alternative to --cosign-certificate-identity for --verify=cosign. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either --cosign-certificate-identity or --cosign-certificate-identity-regexp must be set for keyless flows\")\n\tcmd.Flags().String(\"cosign-certificate-oidc-issuer\", \"\", \"The OIDC issuer expected in a valid Fulcio certificate for --verify=cosign, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth. Either --cosign-certificate-oidc-issuer or --cosign-certificate-oidc-issuer-regexp must be set for keyless flows\")\n\tcmd.Flags().String(\"cosign-certificate-oidc-issuer-regexp\", \"\", \"A regular expression alternative to --certificate-oidc-issuer for --verify=cosign. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either --cosign-certificate-oidc-issuer or --cosign-certificate-oidc-issuer-regexp must be set for keyless flows\")\n\t// #endregion\n\n\tcmd.Flags().String(\"ipfs-address\", \"\", \"multiaddr of IPFS API (default uses $IPFS_PATH env variable if defined or local directory ~/.ipfs)\")\n\tcmd.Flags().String(\"isolation\", \"default\", \"Specify isolation technology for container. On Linux the only valid value is default. Windows options are host, process and hyperv with process isolation as the default\")\n\tcmd.RegisterFlagCompletionFunc(\"isolation\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\tif runtime.GOOS == \"windows\" {\n\t\t\treturn []string{\"default\", \"host\", \"process\", \"hyperv\"}, cobra.ShellCompDirectiveNoFileComp\n\t\t}\n\t\treturn []string{\"default\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\tcmd.Flags().String(\"userns\", \"\", \"Specify host to disable userns-remap\")\n\n}\n\nfunc processCreateCommandFlagsInRun(cmd *cobra.Command) (types.ContainerCreateOptions, error) {\n\topt, err := createOptions(cmd)\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\n\topt.InRun = true\n\n\topt.SigProxy, err = cmd.Flags().GetBool(\"sig-proxy\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.Interactive, err = cmd.Flags().GetBool(\"interactive\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.Detach, err = cmd.Flags().GetBool(\"detach\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.DetachKeys, err = cmd.Flags().GetString(\"detach-keys\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\topt.Attach, err = cmd.Flags().GetStringSlice(\"attach\")\n\tif err != nil {\n\t\treturn opt, err\n\t}\n\n\tvalidAttachFlag := true\n\tfor i, str := range opt.Attach {\n\t\topt.Attach[i] = strings.ToUpper(str)\n\n\t\tif opt.Attach[i] != \"STDIN\" && opt.Attach[i] != \"STDOUT\" && opt.Attach[i] != \"STDERR\" {\n\t\t\tvalidAttachFlag = false\n\t\t}\n\t}\n\tif !validAttachFlag {\n\t\treturn opt, fmt.Errorf(\"invalid stream specified with -a flag. Valid streams are STDIN, STDOUT, and STDERR\")\n\t}\n\n\treturn opt, nil\n}\n\n// runAction is heavily based on ctr implementation:\n// https://github.com/containerd/containerd/blob/v1.4.3/cmd/ctr/commands/run/run.go\nfunc runAction(cmd *cobra.Command, args []string) error {\n\tvar isDetached bool\n\n\tcreateOpt, err := processCreateCommandFlagsInRun(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClientWithPlatform(cmd.Context(), createOpt.GOptions.Namespace, createOpt.GOptions.Address, createOpt.Platform)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\tif createOpt.Rm && createOpt.Detach {\n\t\treturn errors.New(\"flags -d and --rm cannot be specified together\")\n\t}\n\n\tif len(createOpt.Attach) > 0 && createOpt.Detach {\n\t\treturn errors.New(\"flags -d and -a cannot be specified together\")\n\t}\n\n\tnetFlags, err := loadNetworkFlags(cmd, createOpt.GOptions)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"failed to load networking flags: %w\", err)\n\t}\n\n\tnetManager, err := containerutil.NewNetworkingOptionsManager(createOpt.GOptions, netFlags, client)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tc, gc, err := container.Create(ctx, client, args, netManager, createOpt)\n\tif err != nil {\n\t\tif gc != nil {\n\t\t\tdefer gc()\n\t\t}\n\t\treturn err\n\t}\n\t// defer setting `nerdctl/error` label in case of error\n\tdefer func() {\n\t\tif err != nil {\n\t\t\tcontainerutil.UpdateErrorLabel(ctx, c, err)\n\t\t}\n\t}()\n\n\tid := c.ID()\n\tif createOpt.Rm {\n\t\tdefer func() {\n\t\t\tif isDetached {\n\t\t\t\treturn\n\t\t\t}\n\t\t\tif err := container.RemoveContainer(ctx, c, createOpt.GOptions, true, true, client); err != nil {\n\t\t\t\tlog.L.WithError(err).Warnf(\"failed to remove container %s\", id)\n\t\t\t}\n\t\t}()\n\t}\n\n\tvar con console.Console\n\tif createOpt.TTY && !createOpt.Detach {\n\t\tcon, err = consoleutil.Current()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tdefer con.Reset()\n\t\tif _, err := term.MakeRaw(int(con.Fd())); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\tlab, err := c.Labels(ctx)\n\tif err != nil {\n\t\treturn err\n\t}\n\tlogURI := lab[labels.LogURI]\n\tdetachC := make(chan struct{})\n\ttask, err := taskutil.NewTask(ctx, client, c, taskutil.TaskOptions{\n\t\tAttachStreamOpt: createOpt.Attach,\n\t\tIsInteractive: createOpt.Interactive,\n\t\tIsTerminal: createOpt.TTY,\n\t\tIsDetach: createOpt.Detach,\n\t\tCon: con,\n\t\tLogURI: logURI,\n\t\tDetachKeys: createOpt.DetachKeys,\n\t\tNamespace: createOpt.GOptions.Namespace,\n\t\tDetachC: detachC,\n\t\tCheckpointDir: \"\",\n\t})\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tstatusC, err := task.Wait(ctx)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif err := task.Start(ctx); err != nil {\n\t\treturn err\n\t}\n\n\t// Setup container healthchecks.\n\tif err := healthcheck.CreateTimer(ctx, c, (*config.Config)(&createOpt.GOptions), createOpt.NerdctlCmd, createOpt.NerdctlArgs); err != nil {\n\t\treturn fmt.Errorf(\"failed to create healthcheck timer: %w\", err)\n\t}\n\tif err := healthcheck.StartTimer(ctx, c, (*config.Config)(&createOpt.GOptions)); err != nil {\n\t\treturn fmt.Errorf(\"failed to start healthcheck timer: %w\", err)\n\t}\n\n\tif createOpt.Detach {\n\t\tfmt.Fprintln(createOpt.Stdout, id)\n\t\treturn nil\n\t}\n\tif createOpt.TTY {\n\t\tif err := consoleutil.HandleConsoleResize(ctx, task, con); err != nil {\n\t\t\tlog.L.WithError(err).Error(\"console resize\")\n\t\t}\n\t} else {\n\t\tif createOpt.SigProxy {\n\t\t\tsigC := signalutil.ForwardAllSignals(ctx, task)\n\t\t\tdefer signalutil.StopCatch(sigC)\n\t\t}\n\t}\n\n\tselect {\n\t// io.Wait() would return when either 1) the user detaches from the container OR 2) the container is about to exit.\n\t//\n\t// If we replace the `select` block with io.Wait() and\n\t// directly use task.Status() to check the status of the container after io.Wait() returns,\n\t// it can still be running even though the container is about to exit (somehow especially for Windows).\n\t//\n\t// As a result, we need a separate detachC to distinguish from the 2 cases mentioned above.\n\tcase <-detachC:\n\t\tio := task.IO()\n\t\tif io == nil {\n\t\t\treturn errors.New(\"got a nil IO from the task\")\n\t\t}\n\t\tio.Wait()\n\t\tisDetached = true\n\tcase status := <-statusC:\n\t\tif createOpt.Rm {\n\t\t\tif _, taskDeleteErr := task.Delete(ctx); taskDeleteErr != nil {\n\t\t\t\tlog.L.Error(taskDeleteErr)\n\t\t\t}\n\t\t}\n\t\tcode, _, err := status.Result()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif code != 0 {\n\t\t\treturn errutil.NewExitCoderErr(int(code))\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc runShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\tif len(args) == 0 {\n\t\treturn completion.ImageNames(cmd)\n\t}\n\treturn nil, cobra.ShellCompDirectiveNoFileComp\n}\n" }, { "path": "cmd/nerdctl/container/container_run_cgroup_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"regexp\"\n\t\"strconv\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/cgroups/v3\"\n\tcontainerd \"github.com/containerd/containerd/v2/client\"\n\t\"github.com/containerd/continuity/testutil/loopback\"\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n\t\"github.com/containerd/nerdctl/v2/pkg/idutil/containerwalker\"\n\t\"github.com/containerd/nerdctl/v2/pkg/inspecttypes/dockercompat\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestRunCgroupV2(t *testing.T) {\n\tt.Parallel()\n\tif cgroups.Mode() != cgroups.Unified {\n\t\tt.Skip(\"test requires cgroup v2\")\n\t}\n\tbase := testutil.NewBase(t)\n\tinfo := base.Info()\n\tswitch info.CgroupDriver {\n\tcase \"none\", \"\":\n\t\tt.Skip(\"test requires cgroup driver\")\n\t}\n\n\tif !info.MemoryLimit {\n\t\tt.Skip(\"test requires MemoryLimit\")\n\t}\n\tif !info.SwapLimit {\n\t\tt.Skip(\"test requires SwapLimit\")\n\t}\n\tif !info.CPUSet {\n\t\tt.Skip(\"test requires CPUSet\")\n\t}\n\tif !info.PidsLimit {\n\t\tt.Skip(\"test requires PidsLimit\")\n\t}\n\tconst expected1 = `42000 100000\n44040192\n44040192\n42\n0-1\n0\n`\n\tconst expected2 = `42000 100000\n44040192\n60817408\n6291456\n42\n0-1\n0\n`\n\n\tbase.Cmd(\"run\", \"--rm\",\n\t\t\"--cpus\", \"0.42\", \"--cpuset-mems\", \"0\",\n\t\t\"--memory\", \"42m\",\n\t\t\"--pids-limit\", \"42\",\n\t\t\"--cpuset-cpus\", \"0-1\",\n\t\t\"-w\", \"/sys/fs/cgroup\", testutil.AlpineImage,\n\t\t\"cat\", \"cpu.max\", \"memory.max\", \"memory.swap.max\",\n\t\t\"pids.max\", \"cpuset.cpus\", \"cpuset.mems\").AssertOutExactly(expected1)\n\tbase.Cmd(\"run\", \"--rm\",\n\t\t\"--cpu-quota\", \"42000\", \"--cpuset-mems\", \"0\",\n\t\t\"--cpu-period\", \"100000\", \"--memory\", \"42m\", \"--memory-reservation\", \"6m\", \"--memory-swap\", \"100m\",\n\t\t\"--pids-limit\", \"42\", \"--cpuset-cpus\", \"0-1\",\n\t\t\"-w\", \"/sys/fs/cgroup\", testutil.AlpineImage,\n\t\t\"cat\", \"cpu.max\", \"memory.max\", \"memory.swap.max\", \"memory.low\", \"pids.max\",\n\t\t\"cpuset.cpus\", \"cpuset.mems\").AssertOutExactly(expected2)\n\n\tbase.Cmd(\"run\", \"--name\", testutil.Identifier(t)+\"-testUpdate1\", \"-w\", \"/sys/fs/cgroup\", \"-d\",\n\t\ttestutil.AlpineImage, \"sleep\", nerdtest.Infinity).AssertOK()\n\tdefer base.Cmd(\"rm\", \"-f\", testutil.Identifier(t)+\"-testUpdate1\").Run()\n\tupdate := []string{\"update\", \"--cpu-quota\", \"42000\", \"--cpuset-mems\", \"0\", \"--cpu-period\", \"100000\",\n\t\t\"--memory\", \"42m\",\n\t\t\"--pids-limit\", \"42\", \"--cpuset-cpus\", \"0-1\"}\n\tif nerdtest.IsDocker() && info.CgroupVersion == \"2\" && info.SwapLimit {\n\t\t// Workaround for Docker with cgroup v2:\n\t\t// > Error response from daemon: Cannot update container 67c13276a13dd6a091cdfdebb355aa4e1ecb15fbf39c2b5c9abee89053e88fce:\n\t\t// > Memory limit should be smaller than already set memoryswap limit, update the memoryswap at the same time\n\t\tupdate = append(update, \"--memory-swap=84m\")\n\t}\n\tupdate = append(update, testutil.Identifier(t)+\"-testUpdate1\")\n\tbase.Cmd(update...).AssertOK()\n\tbase.Cmd(\"exec\", testutil.Identifier(t)+\"-testUpdate1\",\n\t\t\"cat\", \"cpu.max\", \"memory.max\", \"memory.swap.max\",\n\t\t\"pids.max\", \"cpuset.cpus\", \"cpuset.mems\").AssertOutExactly(expected1)\n\n\tdefer base.Cmd(\"rm\", \"-f\", testutil.Identifier(t)+\"-testUpdate2\").Run()\n\tbase.Cmd(\"run\", \"--name\", testutil.Identifier(t)+\"-testUpdate2\", \"-w\", \"/sys/fs/cgroup\", \"-d\",\n\t\ttestutil.AlpineImage, \"sleep\", nerdtest.Infinity).AssertOK()\n\tbase.EnsureContainerStarted(testutil.Identifier(t) + \"-testUpdate2\")\n\n\tbase.Cmd(\"update\", \"--cpu-quota\", \"42000\", \"--cpuset-mems\", \"0\", \"--cpu-period\", \"100000\",\n\t\t\"--memory\", \"42m\", \"--memory-reservation\", \"6m\", \"--memory-swap\", \"100m\",\n\t\t\"--pids-limit\", \"42\", \"--cpuset-cpus\", \"0-1\",\n\t\ttestutil.Identifier(t)+\"-testUpdate2\").AssertOK()\n\tbase.Cmd(\"exec\", testutil.Identifier(t)+\"-testUpdate2\",\n\t\t\"cat\", \"cpu.max\", \"memory.max\", \"memory.swap.max\", \"memory.low\",\n\t\t\"pids.max\", \"cpuset.cpus\", \"cpuset.mems\").AssertOutExactly(expected2)\n\tbase.Cmd(\"run\", \"--rm\", \"--security-opt\", \"writable-cgroups=true\", testutil.AlpineImage, \"mkdir\", \"/sys/fs/cgroup/foo\").AssertOK()\n\tbase.Cmd(\"run\", \"--rm\", \"--security-opt\", \"writable-cgroups=false\", testutil.AlpineImage, \"mkdir\", \"/sys/fs/cgroup/foo\").AssertFail()\n\tbase.Cmd(\"run\", \"--rm\", testutil.AlpineImage, \"mkdir\", \"/sys/fs/cgroup/foo\").AssertFail()\n}\n\nfunc TestRunCgroupV1(t *testing.T) {\n\tt.Parallel()\n\tswitch cgroups.Mode() {\n\tcase cgroups.Legacy, cgroups.Hybrid:\n\tdefault:\n\t\tt.Skip(\"test requires cgroup v1\")\n\t}\n\tbase := testutil.NewBase(t)\n\tinfo := base.Info()\n\tswitch info.CgroupDriver {\n\tcase \"none\", \"\":\n\t\tt.Skip(\"test requires cgroup driver\")\n\t}\n\tif !info.MemoryLimit {\n\t\tt.Skip(\"test requires MemoryLimit\")\n\t}\n\tif !info.CPUShares {\n\t\tt.Skip(\"test requires CPUShares\")\n\t}\n\tif !info.CPUSet {\n\t\tt.Skip(\"test requires CPUSet\")\n\t}\n\tif !info.PidsLimit {\n\t\tt.Skip(\"test requires PidsLimit\")\n\t}\n\tquota := \"/sys/fs/cgroup/cpu/cpu.cfs_quota_us\"\n\tperiod := \"/sys/fs/cgroup/cpu/cpu.cfs_period_us\"\n\tcpusetMems := \"/sys/fs/cgroup/cpuset/cpuset.mems\"\n\tmemoryLimit := \"/sys/fs/cgroup/memory/memory.limit_in_bytes\"\n\tmemoryReservation := \"/sys/fs/cgroup/memory/memory.soft_limit_in_bytes\"\n\tmemorySwap := \"/sys/fs/cgroup/memory/memory.memsw.limit_in_bytes\"\n\tmemorySwappiness := \"/sys/fs/cgroup/memory/memory.swappiness\"\n\tpidsLimit := \"/sys/fs/cgroup/pids/pids.max\"\n\tcpuShare := \"/sys/fs/cgroup/cpu/cpu.shares\"\n\tcpusetCpus := \"/sys/fs/cgroup/cpuset/cpuset.cpus\"\n\n\tconst expected = \"42000\\n100000\\n0\\n44040192\\n6291456\\n104857600\\n0\\n42\\n2000\\n0-1\\n\"\n\tbase.Cmd(\"run\", \"--rm\", \"--cpus\", \"0.42\", \"--cpuset-mems\", \"0\", \"--memory\", \"42m\", \"--memory-reservation\", \"6m\", \"--memory-swap\", \"100m\", \"--memory-swappiness\", \"0\", \"--pids-limit\", \"42\", \"--cpu-shares\", \"2000\", \"--cpuset-cpus\", \"0-1\", testutil.AlpineImage, \"cat\", quota, period, cpusetMems, memoryLimit, memoryReservation, memorySwap, memorySwappiness, pidsLimit, cpuShare, cpusetCpus).AssertOutExactly(expected)\n\tbase.Cmd(\"run\", \"--rm\", \"--cpu-quota\", \"42000\", \"--cpu-period\", \"100000\", \"--cpuset-mems\", \"0\", \"--memory\", \"42m\", \"--memory-reservation\", \"6m\", \"--memory-swap\", \"100m\", \"--memory-swappiness\", \"0\", \"--pids-limit\", \"42\", \"--cpu-shares\", \"2000\", \"--cpuset-cpus\", \"0-1\", testutil.AlpineImage, \"cat\", quota, period, cpusetMems, memoryLimit, memoryReservation, memorySwap, memorySwappiness, pidsLimit, cpuShare, cpusetCpus).AssertOutExactly(expected)\n\tbase.Cmd(\"run\", \"--rm\", \"--security-opt\", \"writable-cgroups=true\", testutil.AlpineImage, \"mkdir\", \"/sys/fs/cgroup/pids/foo\").AssertOK()\n\tbase.Cmd(\"run\", \"--rm\", \"--security-opt\", \"writable-cgroups=false\", testutil.AlpineImage, \"mkdir\", \"/sys/fs/cgroup/pids/foo\").AssertFail()\n\tbase.Cmd(\"run\", \"--rm\", testutil.AlpineImage, \"mkdir\", \"/sys/fs/cgroup/pids/foo\").AssertFail()\n}\n\n// TestIssue3781 tests https://github.com/containerd/nerdctl/issues/3781\nfunc TestIssue3781(t *testing.T) {\n\tt.Parallel()\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = require.Not(nerdtest.Docker)\n\n\tbase := testutil.NewBase(t)\n\tinfo := base.Info()\n\tswitch info.CgroupDriver {\n\tcase \"none\", \"\":\n\t\tt.Skip(\"test requires cgroup driver\")\n\t}\n\tcontainerName := testutil.Identifier(t)\n\tbase.Cmd(\"run\", \"-d\", \"--name\", containerName, testutil.AlpineImage, \"sleep\", \"infinity\").AssertOK()\n\tdefer func() {\n\t\tbase.Cmd(\"rm\", \"-f\", containerName)\n\t}()\n\tbase.Cmd(\"update\", \"--cpuset-cpus\", \"0-1\", containerName).AssertOK()\n\taddr := base.ContainerdAddress()\n\tclient, err := containerd.New(addr, containerd.WithDefaultNamespace(testutil.Namespace))\n\tassert.NilError(base.T, err)\n\tctx := context.Background()\n\n\t// get container id by container name.\n\tvar cid string\n\tvar args []string\n\targs = append(args, containerName)\n\twalker := &containerwalker.ContainerWalker{\n\t\tClient: client,\n\t\tOnFound: func(ctx context.Context, found containerwalker.Found) error {\n\t\t\tif found.MatchCount > 1 {\n\t\t\t\treturn fmt.Errorf(\"multiple IDs found with provided prefix: %s\", found.Req)\n\t\t\t}\n\t\t\tcid = found.Container.ID()\n\t\t\treturn nil\n\t\t},\n\t}\n\terr = walker.WalkAll(ctx, args, true)\n\tassert.NilError(base.T, err)\n\n\tcontainer, err := client.LoadContainer(ctx, cid)\n\tassert.NilError(base.T, err)\n\tspec, err := container.Spec(ctx)\n\tassert.NilError(base.T, err)\n\tassert.Equal(t, spec.Linux.Resources.Pids == nil, true)\n}\n\nfunc TestRunDevice(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = nerdtest.Rootful\n\n\tconst n = 3\n\tlo := make([]*loopback.Loopback, n)\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\n\t\tfor i := 0; i < n; i++ {\n\t\t\tvar err error\n\t\t\tlo[i], err = loopback.New(4096)\n\t\t\tassert.NilError(t, err)\n\t\t\tt.Logf(\"lo[%d] = %+v\", i, lo[i])\n\t\t\tloContent := fmt.Sprintf(\"lo%d-content\", i)\n\t\t\tassert.NilError(t, os.WriteFile(lo[i].Device, []byte(loContent), 0o700))\n\t\t\tdata.Labels().Set(\"loContent\"+strconv.Itoa(i), loContent)\n\t\t}\n\n\t\t// lo0 is readable but not writable.\n\t\t// lo1 is readable and writable\n\t\t// lo2 is not accessible.\n\t\thelpers.Ensure(\"run\",\n\t\t\t\"-d\",\n\t\t\t\"--name\", data.Identifier(),\n\t\t\t\"--device\", lo[0].Device+\":r\",\n\t\t\t\"--device\", lo[1].Device,\n\t\t\ttestutil.AlpineImage, \"sleep\", nerdtest.Infinity)\n\t\tdata.Labels().Set(\"id\", data.Identifier())\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tfor i := 0; i < n; i++ {\n\t\t\tif lo[i] != nil {\n\t\t\t\t_ = lo[i].Close()\n\t\t\t}\n\t\t}\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"can read lo0\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"exec\", data.Labels().Get(\"id\"), \"cat\", lo[0].Device)\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.Contains(data.Labels().Get(\"locontent0\")),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"cannot write lo0\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"exec\", data.Labels().Get(\"id\"), \"sh\", \"-ec\", \"echo -n \\\"overwritten-lo1-content\\\">\"+lo[0].Device)\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeGenericFail, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"cannot read lo2\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"exec\", data.Labels().Get(\"id\"), \"cat\", lo[2].Device)\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeGenericFail, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"can read lo1\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"exec\", data.Labels().Get(\"id\"), \"cat\", lo[1].Device)\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.Contains(data.Labels().Get(\"locontent1\")),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"can write lo1 and read back updated value\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"exec\", data.Labels().Get(\"id\"), \"sh\", \"-ec\", \"echo -n \\\"overwritten-lo1-content\\\">\"+lo[1].Device)\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, func(stdout string, t tig.T) {\n\t\t\t\tlo1Read, err := os.ReadFile(lo[1].Device)\n\t\t\t\tassert.NilError(t, err)\n\t\t\t\tassert.Equal(t, string(bytes.Trim(lo1Read, \"\\x00\")), \"overwritten-lo1-content\")\n\t\t\t}),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestParseDevice(t *testing.T) {\n\tt.Parallel()\n\ttype testCase struct {\n\t\ts string\n\t\texpectedDevPath string\n\t\texpectedContainerPath string\n\t\texpectedMode string\n\t\terr string\n\t}\n\ttestCases := []testCase{\n\t\t{\n\t\t\ts: \"/dev/sda1\",\n\t\t\texpectedDevPath: \"/dev/sda1\",\n\t\t\texpectedContainerPath: \"/dev/sda1\",\n\t\t\texpectedMode: \"rwm\",\n\t\t},\n\t\t{\n\t\t\ts: \"/dev/sda2:r\",\n\t\t\texpectedDevPath: \"/dev/sda2\",\n\t\t\texpectedContainerPath: \"/dev/sda2\",\n\t\t\texpectedMode: \"r\",\n\t\t},\n\t\t{\n\t\t\ts: \"/dev/sda3:rw\",\n\t\t\texpectedDevPath: \"/dev/sda3\",\n\t\t\texpectedContainerPath: \"/dev/sda3\",\n\t\t\texpectedMode: \"rw\",\n\t\t},\n\t\t{\n\t\t\ts: \"sda4\",\n\t\t\terr: \"not an absolute path\",\n\t\t},\n\t\t{\n\t\t\ts: \"/dev/sda5:/dev/sda5\",\n\t\t\texpectedDevPath: \"/dev/sda5\",\n\t\t\texpectedContainerPath: \"/dev/sda5\",\n\t\t\texpectedMode: \"rwm\",\n\t\t},\n\t\t{\n\t\t\ts: \"/dev/sda6:/dev/foo6\",\n\t\t\texpectedDevPath: \"/dev/sda6\",\n\t\t\texpectedContainerPath: \"/dev/foo6\",\n\t\t\texpectedMode: \"rwm\",\n\t\t},\n\t\t{\n\t\t\ts: \"/dev/sda7:/dev/sda7:rwmx\",\n\t\t\terr: \"unexpected rune\",\n\t\t},\n\t}\n\n\tfor _, tc := range testCases {\n\t\tt.Log(tc.s)\n\t\tdevPath, containerPath, mode, err := container.ParseDevice(tc.s)\n\t\tif tc.err == \"\" {\n\t\t\tassert.NilError(t, err)\n\t\t\tassert.Equal(t, tc.expectedDevPath, devPath)\n\t\t\tassert.Equal(t, tc.expectedContainerPath, containerPath)\n\t\t\tassert.Equal(t, tc.expectedMode, mode)\n\t\t} else {\n\t\t\tassert.ErrorContains(t, err, tc.err)\n\t\t}\n\t}\n}\n\nfunc TestRunCgroupConf(t *testing.T) {\n\tt.Parallel()\n\tif cgroups.Mode() != cgroups.Unified {\n\t\tt.Skip(\"test requires cgroup v2\")\n\t}\n\ttestutil.DockerIncompatible(t) // Docker lacks --cgroup-conf\n\tbase := testutil.NewBase(t)\n\tinfo := base.Info()\n\tswitch info.CgroupDriver {\n\tcase \"none\", \"\":\n\t\tt.Skip(\"test requires cgroup driver\")\n\t}\n\tif !info.MemoryLimit {\n\t\tt.Skip(\"test requires MemoryLimit\")\n\t}\n\tbase.Cmd(\"run\", \"--rm\", \"--cgroup-conf\", \"memory.high=33554432\", \"-w\", \"/sys/fs/cgroup\", testutil.AlpineImage,\n\t\t\"cat\", \"memory.high\").AssertOutExactly(\"33554432\\n\")\n}\n\nfunc TestRunCgroupParent(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\tinfo := base.Info()\n\tswitch info.CgroupDriver {\n\tcase \"none\", \"\":\n\t\tt.Skip(\"test requires cgroup driver\")\n\t}\n\n\tcontainerName := testutil.Identifier(t)\n\tt.Logf(\"Using %q cgroup driver\", info.CgroupDriver)\n\n\tparent := \"/foobarbaz\"\n\tif info.CgroupDriver == \"systemd\" {\n\t\t// Path separators aren't allowed in systemd path. runc\n\t\t// explicitly checks for this.\n\t\t// https://github.com/opencontainers/runc/blob/016a0d29d1750180b2a619fc70d6fe0d80111be0/libcontainer/cgroups/systemd/common.go#L65-L68\n\t\tparent = \"foobarbaz.slice\"\n\t}\n\n\ttearDown := func() {\n\t\tbase.Cmd(\"rm\", \"-f\", containerName).Run()\n\t}\n\n\ttearDown()\n\tt.Cleanup(tearDown)\n\n\t// cgroup2 without host cgroup ns will just output 0::/ which doesn't help much to verify\n\t// we got our expected path. This approach should work for both cgroup1 and 2, there will\n\t// just be many more entries for cgroup1 as there'll be an entry per controller.\n\tbase.Cmd(\n\t\t\"run\",\n\t\t\"-d\",\n\t\t\"--name\",\n\t\tcontainerName,\n\t\t\"--cgroupns=host\",\n\t\t\"--cgroup-parent\", parent,\n\t\ttestutil.AlpineImage,\n\t\t\"sleep\",\n\t\t\"infinity\",\n\t).AssertOK()\n\n\tid := base.InspectContainer(containerName).ID\n\texpected := filepath.Join(parent, id)\n\tif info.CgroupDriver == \"systemd\" {\n\t\texpected = filepath.Join(parent, fmt.Sprintf(\"nerdctl-%s\", id))\n\t\tif nerdtest.IsDocker() {\n\t\t\texpected = filepath.Join(parent, fmt.Sprintf(\"docker-%s\", id))\n\t\t}\n\t}\n\tbase.Cmd(\"exec\", containerName, \"cat\", \"/proc/self/cgroup\").AssertOutContains(expected)\n}\n\nfunc TestRunBlkioWeightCgroupV2(t *testing.T) {\n\tt.Parallel()\n\tif cgroups.Mode() != cgroups.Unified {\n\t\tt.Skip(\"test requires cgroup v2\")\n\t}\n\tif _, err := os.Stat(\"/sys/module/bfq\"); err != nil {\n\t\tt.Skipf(\"test requires \\\"bfq\\\" module to be loaded: %v\", err)\n\t}\n\tbase := testutil.NewBase(t)\n\tinfo := base.Info()\n\tswitch info.CgroupDriver {\n\tcase \"none\", \"\":\n\t\tt.Skip(\"test requires cgroup driver\")\n\t}\n\tcontainerName := testutil.Identifier(t)\n\tdefer base.Cmd(\"rm\", \"-f\", containerName).AssertOK()\n\t// when bfq io scheduler is used, the io.weight knob is exposed as io.bfq.weight\n\tbase.Cmd(\"run\", \"--name\", containerName, \"--blkio-weight\", \"300\", \"-w\", \"/sys/fs/cgroup\", testutil.AlpineImage, \"sleep\", nerdtest.Infinity).AssertOK()\n\tbase.Cmd(\"exec\", containerName, \"cat\", \"io.bfq.weight\").AssertOutExactly(\"default 300\\n\")\n\tbase.Cmd(\"update\", containerName, \"--blkio-weight\", \"400\").AssertOK()\n\tbase.Cmd(\"exec\", containerName, \"cat\", \"io.bfq.weight\").AssertOutExactly(\"default 400\\n\")\n}\n\nfunc TestRunBlkioSettingCgroupV2(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = nerdtest.Rootful\n\n\t// See https://github.com/containerd/nerdctl/issues/4185\n\t// It is unclear if this is truly a kernel version problem, a runc issue, or a distro (EL9) issue.\n\t// For now, disable the test unless on a recent kernel.\n\ttestutil.RequireKernelVersion(t, \">= 6.0.0-0\")\n\n\tconst (\n\t\tweight = \"150\"\n\t\tdeviceWeight = \"100\"\n\t\treadBps = \"1048576\"\n\t\treadIops = \"1000\"\n\t\twriteBps = \"2097152\"\n\t\twriteIops = \"2000\"\n\t)\n\tvar lo *loopback.Loopback\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tvar err error\n\t\tlo, err = loopback.New(4096)\n\t\tassert.NilError(t, err)\n\t\tt.Logf(\"loopback device: %+v\", lo)\n\t}\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tif lo != nil {\n\t\t\t_ = lo.Close()\n\t\t}\n\t}\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"blkio-weight\",\n\t\t\tRequire: nerdtest.CGroupV2,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--blkio-weight\", weight,\n\t\t\t\t\ttestutil.AlpineImage, \"sleep\", \"infinity\")\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\tassert.Assert(t, strings.Contains(helpers.Capture(\"inspect\", \"--format\", \"{{.HostConfig.BlkioWeight}}\", data.Identifier()), weight))\n\t\t\t\t\t\t},\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"blkio-weight-device\",\n\t\t\tRequire: nerdtest.CGroupV2,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--blkio-weight-device\", fmt.Sprintf(\"%s:%s\", lo.Device, deviceWeight),\n\t\t\t\t\ttestutil.AlpineImage, \"sleep\", \"infinity\")\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\tinspectOut := helpers.Capture(\"inspect\", \"--format\", \"{{range .HostConfig.BlkioWeightDevice}}{{.Weight}}{{end}}\", data.Identifier())\n\t\t\t\t\t\t\tassert.Assert(t, strings.Contains(inspectOut, deviceWeight))\n\t\t\t\t\t\t},\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\tinspectOut := helpers.Capture(\"inspect\", \"--format\", \"{{range .HostConfig.BlkioWeightDevice}}{{.Path}}{{end}}\", data.Identifier())\n\t\t\t\t\t\t\tassert.Assert(t, strings.Contains(inspectOut, lo.Device))\n\t\t\t\t\t\t},\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"device-read-bps\",\n\t\t\tRequire: require.All(\n\t\t\t\tnerdtest.CGroupV2,\n\t\t\t\t// Docker cli (v26.1.3) available in github runners has a bug where some of the blkio options\n\t\t\t\t// do not work https://github.com/docker/cli/issues/5321. The fix has been merged to the latest releases\n\t\t\t\t// but not currently available in the v26 release.\n\t\t\t\trequire.Not(nerdtest.Docker),\n\t\t\t),\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--device-read-bps\", fmt.Sprintf(\"%s:%s\", lo.Device, readBps),\n\t\t\t\t\ttestutil.AlpineImage, \"sleep\", \"infinity\")\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\tinspectOut := helpers.Capture(\"inspect\", \"--format\", \"{{range .HostConfig.BlkioDeviceReadBps}}{{.Rate}}{{end}}\", data.Identifier())\n\t\t\t\t\t\t\tassert.Assert(t, strings.Contains(inspectOut, readBps))\n\t\t\t\t\t\t},\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\tinspectOut := helpers.Capture(\"inspect\", \"--format\", \"{{range .HostConfig.BlkioDeviceReadBps}}{{.Path}}{{end}}\", data.Identifier())\n\t\t\t\t\t\t\tassert.Assert(t, strings.Contains(inspectOut, lo.Device))\n\t\t\t\t\t\t},\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"device-write-bps\",\n\t\t\tRequire: require.All(\n\t\t\t\tnerdtest.CGroupV2,\n\t\t\t\t// Docker cli (v26.1.3) available in github runners has a bug where some of the blkio options\n\t\t\t\t// do not work https://github.com/docker/cli/issues/5321. The fix has been merged to the latest releases\n\t\t\t\t// but not currently available in the v26 release.\n\t\t\t\trequire.Not(nerdtest.Docker),\n\t\t\t),\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--device-write-bps\", fmt.Sprintf(\"%s:%s\", lo.Device, writeBps),\n\t\t\t\t\ttestutil.AlpineImage, \"sleep\", \"infinity\")\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\tinspectOut := helpers.Capture(\"inspect\", \"--format\", \"{{range .HostConfig.BlkioDeviceWriteBps}}{{.Rate}}{{end}}\", data.Identifier())\n\t\t\t\t\t\t\tassert.Assert(t, strings.Contains(inspectOut, writeBps))\n\t\t\t\t\t\t},\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\tinspectOut := helpers.Capture(\"inspect\", \"--format\", \"{{range .HostConfig.BlkioDeviceWriteBps}}{{.Path}}{{end}}\", data.Identifier())\n\t\t\t\t\t\t\tassert.Assert(t, strings.Contains(inspectOut, lo.Device))\n\t\t\t\t\t\t},\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"device-read-iops\",\n\t\t\tRequire: require.All(\n\t\t\t\tnerdtest.CGroupV2,\n\t\t\t\t// Docker cli (v26.1.3) available in github runners has a bug where some of the blkio options\n\t\t\t\t// do not work https://github.com/docker/cli/issues/5321. The fix has been merged to the latest releases\n\t\t\t\t// but not currently available in the v26 release.\n\t\t\t\trequire.Not(nerdtest.Docker),\n\t\t\t),\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--device-read-iops\", fmt.Sprintf(\"%s:%s\", lo.Device, readIops),\n\t\t\t\t\ttestutil.AlpineImage, \"sleep\", \"infinity\")\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\tinspectOut := helpers.Capture(\"inspect\", \"--format\", \"{{range .HostConfig.BlkioDeviceReadIOps}}{{.Rate}}{{end}}\", data.Identifier())\n\t\t\t\t\t\t\tassert.Assert(t, strings.Contains(inspectOut, readIops))\n\t\t\t\t\t\t},\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\tinspectOut := helpers.Capture(\"inspect\", \"--format\", \"{{range .HostConfig.BlkioDeviceReadIOps}}{{.Path}}{{end}}\", data.Identifier())\n\t\t\t\t\t\t\tassert.Assert(t, strings.Contains(inspectOut, lo.Device))\n\t\t\t\t\t\t},\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"device-write-iops\",\n\t\t\tRequire: require.All(\n\t\t\t\tnerdtest.CGroupV2,\n\t\t\t\t// Docker cli (v26.1.3) available in github runners has a bug where some of the blkio options\n\t\t\t\t// do not work https://github.com/docker/cli/issues/5321. The fix has been merged to the latest releases\n\t\t\t\t// but not currently available in the v26 release.\n\t\t\t\trequire.Not(nerdtest.Docker),\n\t\t\t),\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\"--device-write-iops\", fmt.Sprintf(\"%s:%s\", lo.Device, writeIops),\n\t\t\t\t\ttestutil.AlpineImage, \"sleep\", \"infinity\")\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\tinspectOut := helpers.Capture(\"inspect\", \"--format\", \"{{range .HostConfig.BlkioDeviceWriteIOps}}{{.Rate}}{{end}}\", data.Identifier())\n\t\t\t\t\t\t\tassert.Assert(t, strings.Contains(inspectOut, writeIops))\n\t\t\t\t\t\t},\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\tinspectOut := helpers.Capture(\"inspect\", \"--format\", \"{{range .HostConfig.BlkioDeviceWriteIOps}}{{.Path}}{{end}}\", data.Identifier())\n\t\t\t\t\t\t\tassert.Assert(t, strings.Contains(inspectOut, lo.Device))\n\t\t\t\t\t\t},\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestRunCPURealTimeSettingCgroupV1(t *testing.T) {\n\tnerdtest.Setup()\n\n\ttestCase := &test.Case{\n\t\tDescription: \"cpu-rt-runtime-and-period\",\n\t\tRequire: require.All(\n\t\t\trequire.Not(nerdtest.CGroupV2),\n\t\t\tnerdtest.Rootful,\n\t\t),\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"create\", \"--name\", data.Identifier(),\n\t\t\t\t\"--cpu-rt-runtime\", \"950000\",\n\t\t\t\t\"--cpu-rt-period\", \"1000000\",\n\t\t\t\ttestutil.AlpineImage, \"sleep\", \"infinity\")\n\t\t},\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t},\n\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\treturn &test.Expected{\n\t\t\t\tExitCode: 0,\n\t\t\t\tOutput: expect.All(\n\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\trtRuntime := helpers.Capture(\"inspect\", \"--format\", \"{{.HostConfig.CPURealtimeRuntime}}\", data.Identifier())\n\t\t\t\t\t\trtPeriod := helpers.Capture(\"inspect\", \"--format\", \"{{.HostConfig.CPURealtimePeriod}}\", data.Identifier())\n\t\t\t\t\t\tassert.Assert(t, strings.Contains(rtRuntime, \"950000\"))\n\t\t\t\t\t\tassert.Assert(t, strings.Contains(rtPeriod, \"1000000\"))\n\t\t\t\t\t},\n\t\t\t\t),\n\t\t\t}\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestRunCPUSharesCgroupV2(t *testing.T) {\n\tnerdtest.Setup()\n\n\ttestCase := &test.Case{\n\t\tRequire: require.All(\n\t\t\tnerdtest.CGroupV2,\n\t\t\tnerdtest.Info(\n\t\t\t\tfunc(info dockercompat.Info) error {\n\t\t\t\t\tif !info.CPUShares {\n\t\t\t\t\t\treturn fmt.Errorf(\"test requires CPUShares\")\n\t\t\t\t\t}\n\t\t\t\t\treturn nil\n\t\t\t\t},\n\t\t\t),\n\t\t),\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"run\", \"--rm\", \"--cpu-shares\", \"2000\",\n\t\t\t\ttestutil.AlpineImage, \"cat\", \"/sys/fs/cgroup/cpu.weight\")\n\t\t},\n\t\t// The value was historically 77, but with runc v1.4.0-rc.1 it became 170.\n\t\t// https://github.com/opencontainers/runc/issues/4896#issuecomment-3301825811\n\t\tExpected: test.Expects(0, nil, expect.Match(regexp.MustCompile(\"^(77|170)\\n$\"))),\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_run_gpus_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\tis \"gotest.tools/v3/assert/cmp\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n)\n\nfunc TestParseGpusOptAll(t *testing.T) {\n\tt.Parallel()\n\tfor _, testcase := range []string{\n\t\t\"all\",\n\t\t\"-1\",\n\t\t\"count=all\",\n\t\t\"count=-1\",\n\t} {\n\t\treq, err := container.ParseGPUOptCSV(testcase)\n\t\tassert.NilError(t, err)\n\t\tassert.Equal(t, req.Count, -1)\n\t\tassert.Equal(t, len(req.DeviceIDs), 0)\n\t\tassert.Equal(t, len(req.Capabilities), 0)\n\t}\n}\n\nfunc TestParseGpusOpts(t *testing.T) {\n\tt.Parallel()\n\tfor _, testcase := range []string{\n\t\t\"driver=nvidia,\\\"capabilities=compute,utility\\\"\",\n\t\t\"1,driver=nvidia,\\\"capabilities=compute,utility\\\"\",\n\t\t\"count=1,driver=nvidia,\\\"capabilities=compute,utility\\\"\",\n\t\t\"driver=nvidia,\\\"capabilities=compute,utility\\\",count=1\",\n\t\t\"\\\"capabilities=compute,utility\\\",count=1\",\n\t} {\n\t\treq, err := container.ParseGPUOptCSV(testcase)\n\t\tassert.NilError(t, err)\n\t\tassert.Equal(t, req.Count, 1)\n\t\tassert.Equal(t, len(req.DeviceIDs), 0)\n\t\tassert.Check(t, is.DeepEqual(req.Capabilities, []string{\"compute\", \"utility\"}))\n\t}\n}\n" }, { "path": "cmd/nerdctl/container/container_run_linux.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"strings\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/containerd/v2/pkg/cap\"\n)\n\nfunc capShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\tcandidates := []string{}\n\tfor _, c := range cap.Known() {\n\t\t// \"CAP_SYS_ADMIN\" -> \"sys_admin\"\n\t\ts := strings.ToLower(strings.TrimPrefix(c, \"CAP_\"))\n\t\tcandidates = append(candidates, s)\n\t}\n\treturn candidates, cobra.ShellCompDirectiveNoFileComp\n}\n" }, { "path": "cmd/nerdctl/container/container_run_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"bufio\"\n\t\"bytes\"\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strconv\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/rootlessutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/strutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nettestutil\"\n)\n\nfunc TestRunCustomRootfs(t *testing.T) {\n\ttestutil.DockerIncompatible(t)\n\t// FIXME: root issue is undiagnosed and this is very likely a containerd bug\n\t// It appears that in certain conditions, the proxy content store info method will fail on the layer of the image\n\t// Search for func (pcs *proxyContentStore) ReaderAt(ctx context.Context, desc ocispec.Descriptor) (content.ReaderAt, error) {\n\t// Note that:\n\t// - the problem is still here with containerd and nerdctl v2\n\t// - it seems to affect images that are tagged multiple times, or that share a layer with another image\n\t// - this test is not parallelized - but the fact that namespacing it solves the problem suggest that something\n\t// happening in the default namespace BEFORE this test is run is SOMETIMES setting conditions that will make this fail\n\t// Possible suspects would be concurrent pulls somehow effing things up w. namespaces.\n\tbase := testutil.NewBaseWithNamespace(t, testutil.Identifier(t))\n\trootfs := prepareCustomRootfs(base, testutil.AlpineImage)\n\tt.Cleanup(func() {\n\t\tbase.Cmd(\"namespace\", \"remove\", testutil.Identifier(t)).Run()\n\t})\n\tdefer os.RemoveAll(rootfs)\n\tbase.Cmd(\"run\", \"--rm\", \"--rootfs\", rootfs, \"/bin/cat\", \"/proc/self/environ\").AssertOutContains(\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\")\n\tbase.Cmd(\"run\", \"--rm\", \"--entrypoint\", \"/bin/echo\", \"--rootfs\", rootfs, \"echo\", \"foo\").AssertOutExactly(\"echo foo\\n\")\n}\n\nfunc prepareCustomRootfs(base *testutil.Base, imageName string) string {\n\tbase.Cmd(\"pull\", \"--quiet\", imageName).AssertOK()\n\ttmpDir, err := os.MkdirTemp(base.T.TempDir(), \"test-save\")\n\tassert.NilError(base.T, err)\n\tdefer os.RemoveAll(tmpDir)\n\tarchiveTarPath := filepath.Join(tmpDir, \"a.tar\")\n\tbase.Cmd(\"save\", \"-o\", archiveTarPath, imageName).AssertOK()\n\trootfs, err := os.MkdirTemp(base.T.TempDir(), \"rootfs\")\n\tassert.NilError(base.T, err)\n\terr = helpers.ExtractDockerArchive(archiveTarPath, rootfs)\n\tassert.NilError(base.T, err)\n\treturn rootfs\n}\n\nfunc TestRunShmSize(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\tconst shmSize = \"32m\"\n\n\tbase.Cmd(\"run\", \"--rm\", \"--shm-size\", shmSize, testutil.AlpineImage, \"/bin/grep\", \"shm\", \"/proc/self/mounts\").AssertOutContains(\"size=32768k\")\n}\n\nfunc TestRunShmSizeIPCShareable(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\tconst shmSize = \"32m\"\n\n\tcontainer := testutil.Identifier(t)\n\tbase.Cmd(\"run\", \"--rm\", \"--name\", container, \"--ipc\", \"shareable\", \"--shm-size\", shmSize, testutil.AlpineImage, \"/bin/grep\", \"shm\", \"/proc/self/mounts\").AssertOutContains(\"size=32768k\")\n\tdefer base.Cmd(\"rm\", \"-f\", container)\n}\n\nfunc TestRunIPCShareableRemoveMount(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\tcontainer := testutil.Identifier(t)\n\n\tbase.Cmd(\"run\", \"--name\", container, \"--ipc\", \"shareable\", testutil.AlpineImage, \"sleep\", \"0\").AssertOK()\n\tbase.Cmd(\"rm\", container).AssertOK()\n}\n\nfunc TestRunIPCContainerNotExists(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\n\tcontainer := testutil.Identifier(t)\n\tresult := base.Cmd(\"run\", \"--name\", container, \"--ipc\", \"container:abcd1234\", testutil.AlpineImage, \"sleep\", nerdtest.Infinity).Run()\n\tdefer base.Cmd(\"rm\", \"-f\", container)\n\tcombined := result.Combined()\n\tif !strings.Contains(strings.ToLower(combined), \"no such container: abcd1234\") {\n\t\tt.Fatalf(\"unexpected output: %s\", combined)\n\t}\n}\n\nfunc TestRunShmSizeIPCContainer(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\n\tconst shmSize = \"32m\"\n\tsharedContainerResult := base.Cmd(\"run\", \"-d\", \"--ipc\", \"shareable\", \"--shm-size\", shmSize, testutil.AlpineImage, \"sleep\", nerdtest.Infinity).Run()\n\tbaseContainerID := strings.TrimSpace(sharedContainerResult.Stdout())\n\tdefer base.Cmd(\"rm\", \"-f\", baseContainerID).Run()\n\n\tbase.Cmd(\"run\", \"--rm\", fmt.Sprintf(\"--ipc=container:%s\", baseContainerID),\n\t\ttestutil.AlpineImage, \"/bin/grep\", \"shm\", \"/proc/self/mounts\").AssertOutContains(\"size=32768k\")\n}\n\nfunc TestRunIPCContainer(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\n\tconst shmSize = \"32m\"\n\tvictimContainerResult := base.Cmd(\"run\", \"-d\", \"--ipc\", \"shareable\", \"--shm-size\", shmSize, testutil.AlpineImage, \"sleep\", nerdtest.Infinity).Run()\n\tvictimContainerID := strings.TrimSpace(victimContainerResult.Stdout())\n\tdefer base.Cmd(\"rm\", \"-f\", victimContainerID).Run()\n\n\tbase.Cmd(\"run\", \"--rm\", fmt.Sprintf(\"--ipc=container:%s\", victimContainerID),\n\t\ttestutil.AlpineImage, \"/bin/grep\", \"shm\", \"/proc/self/mounts\").AssertOutContains(\"size=32768k\")\n}\n\nfunc TestRunPidHost(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\tpid := os.Getpid()\n\n\tbase.Cmd(\"run\", \"--rm\", \"--pid=host\", testutil.AlpineImage, \"ps\", \"auxw\").AssertOutContains(strconv.Itoa(pid))\n}\n\nfunc TestRunUtsHost(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\n\t// Was thinking of os.ReadLink(\"/proc/1/ns/uts\")\n\t// but you'd get EPERM for rootless. Just validate the\n\t// hostname is the same.\n\thostName, err := os.Hostname()\n\tassert.NilError(base.T, err)\n\n\tbase.Cmd(\"run\", \"--rm\", \"--uts=host\", testutil.AlpineImage, \"hostname\").AssertOutContains(hostName)\n\t// Validate we can't provide a hostname with uts=host\n\tbase.Cmd(\"run\", \"--rm\", \"--uts=host\", \"--hostname=foobar\", testutil.AlpineImage, \"hostname\").AssertFail()\n\t// Validate we can't provide a domainname with uts=host\n\tbase.Cmd(\"run\", \"--rm\", \"--uts=host\", \"--domainname=example.com\", testutil.AlpineImage, \"hostname\").AssertFail()\n}\n\nfunc TestRunPidContainer(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\n\tsharedContainerResult := base.Cmd(\"run\", \"-d\", testutil.AlpineImage, \"sleep\", nerdtest.Infinity).Run()\n\tbaseContainerID := strings.TrimSpace(sharedContainerResult.Stdout())\n\tdefer base.Cmd(\"rm\", \"-f\", baseContainerID).Run()\n\n\tbase.Cmd(\"run\", \"--rm\", fmt.Sprintf(\"--pid=container:%s\", baseContainerID),\n\t\ttestutil.AlpineImage, \"ps\", \"ax\").AssertOutContains(\"sleep \" + nerdtest.Infinity)\n}\n\nfunc TestRunIpcHost(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\ttestFilePath := filepath.Join(\"/dev/shm\",\n\t\tfmt.Sprintf(\"%s-%d-%s\", testutil.Identifier(t), os.Geteuid(), base.Target))\n\terr := os.WriteFile(testFilePath, []byte(\"\"), 0o644)\n\tassert.NilError(base.T, err)\n\tdefer os.Remove(testFilePath)\n\n\tbase.Cmd(\"run\", \"--rm\", \"--ipc=host\", testutil.AlpineImage, \"ls\", testFilePath).AssertOK()\n}\n\nfunc TestRunAddHost(t *testing.T) {\n\t// Not parallelizable (https://github.com/containerd/nerdctl/issues/1127)\n\tbase := testutil.NewBase(t)\n\tbase.Cmd(\"run\", \"--rm\", \"--add-host\", \"testing.example.com:10.0.0.1\", testutil.AlpineImage, \"cat\", \"/etc/hosts\").AssertOutWithFunc(func(stdout string) error {\n\t\tvar found bool\n\t\tsc := bufio.NewScanner(bytes.NewBufferString(stdout))\n\t\tfor sc.Scan() {\n\t\t\t// removing spaces and tabs separating items\n\t\t\tline := strings.ReplaceAll(sc.Text(), \" \", \"\")\n\t\t\tline = strings.ReplaceAll(line, \"\\t\", \"\")\n\t\t\tif strings.Contains(line, \"10.0.0.1testing.example.com\") {\n\t\t\t\tfound = true\n\t\t\t}\n\t\t}\n\t\tif !found {\n\t\t\treturn errors.New(\"host was not added\")\n\t\t}\n\t\treturn nil\n\t})\n\tbase.Cmd(\"run\", \"--rm\", \"--add-host\", \"test:10.0.0.1\", \"--add-host\", \"test1:10.0.0.1\", testutil.AlpineImage, \"cat\", \"/etc/hosts\").AssertOutWithFunc(func(stdout string) error {\n\t\tvar found int\n\t\tsc := bufio.NewScanner(bytes.NewBufferString(stdout))\n\t\tfor sc.Scan() {\n\t\t\t// removing spaces and tabs separating items\n\t\t\tline := strings.ReplaceAll(sc.Text(), \" \", \"\")\n\t\t\tline = strings.ReplaceAll(line, \"\\t\", \"\")\n\t\t\tif strutil.InStringSlice([]string{\"10.0.0.1test\", \"10.0.0.1test1\"}, line) {\n\t\t\t\tfound++\n\t\t\t}\n\t\t}\n\t\tif found != 2 {\n\t\t\treturn fmt.Errorf(\"host was not added, found %d\", found)\n\t\t}\n\t\treturn nil\n\t})\n\tbase.Cmd(\"run\", \"--rm\", \"--add-host\", \"10.0.0.1:testing.example.com\", testutil.AlpineImage, \"cat\", \"/etc/hosts\").AssertFail()\n\n\tresponse := \"This is the expected response for --add-host special IP test.\"\n\thttp.HandleFunc(\"/\", func(w http.ResponseWriter, r *http.Request) {\n\t\tio.WriteString(w, response)\n\t})\n\tconst hostPort = 8081\n\ts := http.Server{Addr: fmt.Sprintf(\":%d\", hostPort), Handler: nil, ReadTimeout: 30 * time.Second}\n\tgo s.ListenAndServe()\n\tdefer s.Shutdown(context.Background())\n\tbase.Cmd(\"run\", \"--rm\", \"--add-host\", \"test:host-gateway\", testutil.NginxAlpineImage, \"curl\", fmt.Sprintf(\"test:%d\", hostPort)).AssertOutExactly(response)\n}\n\nfunc TestRunAddHostWithCustomHostGatewayIP(t *testing.T) {\n\t// Not parallelizable (https://github.com/containerd/nerdctl/issues/1127)\n\tbase := testutil.NewBase(t)\n\ttestutil.DockerIncompatible(t)\n\tbase.Cmd(\"run\", \"--rm\", \"--host-gateway-ip\", \"192.168.5.2\", \"--add-host\", \"test:host-gateway\", testutil.AlpineImage, \"cat\", \"/etc/hosts\").AssertOutWithFunc(func(stdout string) error {\n\t\tvar found bool\n\t\tsc := bufio.NewScanner(bytes.NewBufferString(stdout))\n\t\tfor sc.Scan() {\n\t\t\t// removing spaces and tabs separating items\n\t\t\tline := strings.ReplaceAll(sc.Text(), \" \", \"\")\n\t\t\tline = strings.ReplaceAll(line, \"\\t\", \"\")\n\t\t\tif strings.Contains(line, \"192.168.5.2test\") {\n\t\t\t\tfound = true\n\t\t\t}\n\t\t}\n\t\tif !found {\n\t\t\treturn errors.New(\"host was not added\")\n\t\t}\n\t\treturn nil\n\t})\n}\n\nfunc TestRunUlimit(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\tulimit := \"nofile=622:622\"\n\tulimit2 := \"nofile=622:722\"\n\n\tbase.Cmd(\"run\", \"--rm\", \"--ulimit\", ulimit, testutil.AlpineImage, \"sh\", \"-c\", \"ulimit -Sn\").AssertOutExactly(\"622\\n\")\n\tbase.Cmd(\"run\", \"--rm\", \"--ulimit\", ulimit, testutil.AlpineImage, \"sh\", \"-c\", \"ulimit -Hn\").AssertOutExactly(\"622\\n\")\n\n\tbase.Cmd(\"run\", \"--rm\", \"--ulimit\", ulimit2, testutil.AlpineImage, \"sh\", \"-c\", \"ulimit -Sn\").AssertOutExactly(\"622\\n\")\n\tbase.Cmd(\"run\", \"--rm\", \"--ulimit\", ulimit2, testutil.AlpineImage, \"sh\", \"-c\", \"ulimit -Hn\").AssertOutExactly(\"722\\n\")\n}\n\nfunc TestRunWithInit(t *testing.T) {\n\tt.Parallel()\n\ttestutil.DockerIncompatible(t)\n\ttestutil.RequireExecutable(t, \"tini-custom\")\n\tbase := testutil.NewBase(t)\n\n\tcontainer := testutil.Identifier(t)\n\tbase.Cmd(\"run\", \"-d\", \"--name\", container, testutil.AlpineImage, \"sleep\", nerdtest.Infinity).AssertOK()\n\tdefer base.Cmd(\"rm\", \"-f\", container).Run()\n\n\tbase.Cmd(\"stop\", \"--time=3\", container).AssertOK()\n\t// Unable to handle TERM signal, be killed when timeout\n\tassert.Equal(t, base.InspectContainer(container).State.ExitCode, 137)\n\n\t// Test with --init-path\n\tcontainer1 := container + \"-1\"\n\tbase.Cmd(\"run\", \"-d\", \"--name\", container1, \"--init-binary\", \"tini-custom\",\n\t\ttestutil.AlpineImage, \"sleep\", nerdtest.Infinity).AssertOK()\n\tdefer base.Cmd(\"rm\", \"-f\", container1).Run()\n\n\tbase.Cmd(\"stop\", \"--time=3\", container1).AssertOK()\n\tassert.Equal(t, base.InspectContainer(container1).State.ExitCode, 143)\n\n\t// Test with --init\n\tcontainer2 := container + \"-2\"\n\tbase.Cmd(\"run\", \"-d\", \"--name\", container2, \"--init\",\n\t\ttestutil.AlpineImage, \"sleep\", nerdtest.Infinity).AssertOK()\n\tdefer base.Cmd(\"rm\", \"-f\", container2).Run()\n\n\tbase.Cmd(\"stop\", \"--time=3\", container2).AssertOK()\n\tassert.Equal(t, base.InspectContainer(container2).State.ExitCode, 143)\n}\n\nfunc TestRunTTY(t *testing.T) {\n\tconst sttyPartialOutput = \"speed 38400 baud\"\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"stty with -it\",\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcmd := helpers.Command(\"run\", \"-it\", data.Identifier(), \"stty\")\n\t\t\t\tcmd.WithPseudoTTY()\n\t\t\t\treturn cmd\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(sttyPartialOutput)),\n\t\t},\n\t\t{\n\t\t\tDescription: \"stty with -t\",\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcmd := helpers.Command(\"run\", \"-t\", data.Identifier(), \"stty\")\n\t\t\t\tcmd.WithPseudoTTY()\n\t\t\t\treturn cmd\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(sttyPartialOutput)),\n\t\t},\n\t\t{\n\t\t\tDescription: \"stty with -i\",\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcmd := helpers.Command(\"run\", \"-i\", data.Identifier(), \"stty\")\n\t\t\t\tcmd.WithPseudoTTY()\n\t\t\t\treturn cmd\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeGenericFail, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"stty without params\",\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcmd := helpers.Command(\"run\", data.Identifier(), \"stty\")\n\t\t\t\tcmd.WithPseudoTTY()\n\t\t\t\treturn cmd\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeGenericFail, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"stty with -td\",\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcmd := helpers.Command(\"run\", \"-td\", data.Identifier(), \"stty\")\n\t\t\t\tcmd.WithPseudoTTY()\n\t\t\t\treturn cmd\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t},\n\t}\n}\n\nfunc TestRunSigProxy(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\t// FIXME: gomodjail signal handling is not working yet: https://github.com/AkihiroSuda/gomodjail/issues/51\n\ttestCase.Require = require.Not(nerdtest.Gomodjail)\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"SigProxyDefault\",\n\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t// FIXME: os.Interrupt will likely not work on Windows\n\t\t\t\tcmd := nerdtest.RunSigProxyContainer(os.Interrupt, true, nil, data, helpers)\n\t\t\t\terr := cmd.Signal(os.Interrupt)\n\t\t\t\tassert.NilError(helpers.T(), err)\n\t\t\t\treturn cmd\n\t\t\t},\n\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(nerdtest.SignalCaught)),\n\t\t},\n\t\t{\n\t\t\tDescription: \"SigProxyTrue\",\n\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcmd := nerdtest.RunSigProxyContainer(os.Interrupt, true, []string{\"--sig-proxy=true\"}, data, helpers)\n\t\t\t\terr := cmd.Signal(os.Interrupt)\n\t\t\t\tassert.NilError(helpers.T(), err)\n\t\t\t\treturn cmd\n\t\t\t},\n\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(nerdtest.SignalCaught)),\n\t\t},\n\t\t{\n\t\t\tDescription: \"SigProxyFalse\",\n\n\t\t\t// Docker behavior changed sometimes with Docker 27\n\t\t\t// See https://github.com/containerd/nerdctl/issues/4219 for details\n\t\t\tRequire: require.Not(nerdtest.Docker),\n\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcmd := nerdtest.RunSigProxyContainer(os.Interrupt, true, []string{\"--sig-proxy=false\"}, data, helpers)\n\t\t\t\terr := cmd.Signal(os.Interrupt)\n\t\t\t\tassert.NilError(helpers.T(), err)\n\t\t\t\treturn cmd\n\t\t\t},\n\n\t\t\tExpected: test.Expects(expect.ExitCodeSignaled, nil, expect.DoesNotContain(nerdtest.SignalCaught)),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestRunWithFluentdLogDriver(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\ttempDirectory := t.TempDir()\n\terr := os.Chmod(tempDirectory, 0o777)\n\tassert.NilError(t, err)\n\n\tcontainerName := testutil.Identifier(t)\n\tbase.Cmd(\"run\", \"-d\", \"--name\", containerName, \"-p\", \"24224:24224\",\n\t\t\"-v\", fmt.Sprintf(\"%s:/fluentd/log\", tempDirectory), testutil.FluentdImage).AssertOK()\n\tdefer base.Cmd(\"rm\", \"-f\", containerName).AssertOK()\n\ttime.Sleep(3 * time.Second)\n\n\ttestContainerName := containerName + \"test\"\n\tbase.Cmd(\"run\", \"-d\", \"--log-driver\", \"fluentd\", \"--name\", testContainerName, testutil.CommonImage,\n\t\t\"sh\", \"-c\", \"echo test\").AssertOK()\n\tdefer base.Cmd(\"rm\", \"-f\", testContainerName).AssertOK()\n\n\tinspectedContainer := base.InspectContainer(testContainerName)\n\tmatches, err := filepath.Glob(tempDirectory + \"/\" + \"data.*.log\")\n\tassert.NilError(t, err)\n\tassert.Equal(t, 1, len(matches))\n\n\tdata, err := os.ReadFile(matches[0])\n\tassert.NilError(t, err)\n\tlogData := string(data)\n\tassert.Equal(t, true, strings.Contains(logData, \"test\"))\n\tassert.Equal(t, true, strings.Contains(logData, inspectedContainer.ID))\n}\n\nfunc TestRunWithFluentdLogDriverWithLogOpt(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\ttempDirectory := t.TempDir()\n\terr := os.Chmod(tempDirectory, 0o777)\n\tassert.NilError(t, err)\n\n\tcontainerName := testutil.Identifier(t)\n\tbase.Cmd(\"run\", \"-d\", \"--name\", containerName, \"-p\", \"24225:24224\",\n\t\t\"-v\", fmt.Sprintf(\"%s:/fluentd/log\", tempDirectory), testutil.FluentdImage).AssertOK()\n\tdefer base.Cmd(\"rm\", \"-f\", containerName).AssertOK()\n\ttime.Sleep(3 * time.Second)\n\n\ttestContainerName := containerName + \"test\"\n\tbase.Cmd(\"run\", \"-d\", \"--log-driver\", \"fluentd\", \"--log-opt\", \"fluentd-address=127.0.0.1:24225\",\n\t\t\"--name\", testContainerName, testutil.CommonImage, \"sh\", \"-c\", \"echo test2\").AssertOK()\n\tdefer base.Cmd(\"rm\", \"-f\", testContainerName).AssertOK()\n\n\tinspectedContainer := base.InspectContainer(testContainerName)\n\tmatches, err := filepath.Glob(tempDirectory + \"/\" + \"data.*.log\")\n\tassert.NilError(t, err)\n\tassert.Equal(t, 1, len(matches))\n\n\tdata, err := os.ReadFile(matches[0])\n\tassert.NilError(t, err)\n\tlogData := string(data)\n\tassert.Equal(t, true, strings.Contains(logData, \"test2\"))\n\tassert.Equal(t, true, strings.Contains(logData, inspectedContainer.ID))\n}\n\nfunc TestRunWithOOMScoreAdj(t *testing.T) {\n\tif rootlessutil.IsRootless() {\n\t\tt.Skip(\"test skipped for rootless containers.\")\n\t}\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\tscore := \"-42\"\n\n\tbase.Cmd(\"run\", \"--rm\", \"--oom-score-adj\", score, testutil.AlpineImage, \"cat\", \"/proc/self/oom_score_adj\").AssertOutContains(score)\n}\n\nfunc TestRunWithDetachKeys(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t// Run interactively and detach\n\t\tcmd := helpers.Command(\"run\", \"-it\", \"--detach-keys=ctrl-a,ctrl-b\", \"--name\", data.Identifier(), testutil.CommonImage)\n\t\tcmd.WithPseudoTTY()\n\t\tcmd.Feed(strings.NewReader(\"echo mark${NON}mark\\n\"))\n\t\tcmd.WithFeeder(func() io.Reader {\n\t\t\t// Because of the way we proxy stdin, we have to wait here, otherwise we detach before\n\t\t\t// the rest of the input ever reaches the container\n\t\t\t// Note that this only concerns nerdctl, as docker seems to behave ok LOCALLY.\n\t\t\t// But then, it fails for docker as well ON THE CI. It is unclear why at this point.\n\t\t\t// Arbitrary time pauses would not work: what matters is that the container has started.\n\t\t\t// if !nerdtest.IsDocker() {\n\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t// }\n\t\t\t// ctrl+a and ctrl+b (see https://en.wikipedia.org/wiki/C0_and_C1_control_codes)\n\t\t\treturn bytes.NewReader([]byte{1, 2})\n\t\t})\n\n\t\treturn cmd\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tExitCode: 0,\n\t\t\tErrors: []error{errors.New(\"detach keys\")},\n\t\t\tOutput: expect.All(\n\t\t\t\texpect.Contains(\"markmark\"),\n\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\tassert.Assert(t, strings.Contains(helpers.Capture(\"inspect\", \"--format\", \"json\", data.Identifier()), \"\\\"Running\\\":true\"))\n\t\t\t\t},\n\t\t\t),\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestRunWithTtyAndDetached(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\timageName := testutil.CommonImage\n\twithoutTtyContainerName := \"without-terminal-\" + testutil.Identifier(t)\n\twithTtyContainerName := \"with-terminal-\" + testutil.Identifier(t)\n\n\t// without -t, fail\n\tbase.Cmd(\"run\", \"-d\", \"--name\", withoutTtyContainerName, imageName, \"stty\").AssertOK()\n\tdefer base.Cmd(\"container\", \"rm\", \"-f\", withoutTtyContainerName).AssertOK()\n\tbase.Cmd(\"logs\", withoutTtyContainerName).AssertCombinedOutContains(\"stty: standard input: Not a tty\")\n\twithoutTtyContainer := base.InspectContainer(withoutTtyContainerName)\n\tassert.Equal(base.T, 1, withoutTtyContainer.State.ExitCode)\n\n\t// with -t, success\n\tbase.Cmd(\"run\", \"-d\", \"-t\", \"--name\", withTtyContainerName, imageName, \"stty\").AssertOK()\n\tdefer base.Cmd(\"container\", \"rm\", \"-f\", withTtyContainerName).AssertOK()\n\tbase.Cmd(\"logs\", withTtyContainerName).AssertCombinedOutContains(\"speed 38400 baud; line = 0;\")\n\twithTtyContainer := base.InspectContainer(withTtyContainerName)\n\tassert.Equal(base.T, 0, withTtyContainer.State.ExitCode)\n}\n\n// TestIssue3568 tests https://github.com/containerd/nerdctl/issues/3568\nfunc TestIssue3568(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Description = \"Issue #3568 - Detaching from a container started by using --rm option causes the container to be deleted.\"\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t// Run interactively and detach\n\t\tcmd := helpers.Command(\"run\", \"--rm\", \"-it\", \"--detach-keys=ctrl-a,ctrl-b\", \"--name\", data.Identifier(), testutil.CommonImage)\n\t\tcmd.WithPseudoTTY()\n\t\tcmd.Feed(strings.NewReader(\"echo mark${NON}mark\\n\"))\n\t\tcmd.WithFeeder(func() io.Reader {\n\t\t\t// Because of the way we proxy stdin, we have to wait here, otherwise we detach before\n\t\t\t// the rest of the input ever reaches the container\n\t\t\t// Note that this only concerns nerdctl, as docker seems to behave ok LOCALLY.\n\t\t\t// But then, it fails for docker as well ON THE CI. It is unclear why at this point.\n\t\t\t// Arbitrary time pauses would not work: what matters is that the container has started.\n\t\t\t// if !nerdtest.IsDocker() {\n\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t// }\n\t\t\t// ctrl+a and ctrl+b (see https://en.wikipedia.org/wiki/C0_and_C1_control_codes)\n\t\t\treturn bytes.NewReader([]byte{1, 2})\n\t\t})\n\n\t\treturn cmd\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tExitCode: 0,\n\t\t\tErrors: []error{errors.New(\"detach keys\")},\n\t\t\tOutput: expect.All(\n\t\t\t\texpect.Contains(\"markmark\"),\n\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\tassert.Assert(t, strings.Contains(helpers.Capture(\"inspect\", \"--format\", \"json\", data.Identifier()), \"\\\"Running\\\":true\"))\n\t\t\t\t},\n\t\t\t),\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\n// TestPortBindingWithCustomHost tests https://github.com/containerd/nerdctl/issues/3539\nfunc TestPortBindingWithCustomHost(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\tconst (\n\t\thost = \"127.0.0.2\"\n\t\thostPort = 8080\n\t)\n\taddress := fmt.Sprintf(\"%s:%d\", host, hostPort)\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"Issue #3539 - Access to a container running when 127.0.0.2 is specified in -p in rootless mode.\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(), \"-p\", fmt.Sprintf(\"%s:80\", address), testutil.NginxAlpineImage)\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tErrors: []error{},\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\tresp, err := nettestutil.HTTPGet(address, 5, false)\n\t\t\t\t\t\t\tassert.NilError(t, err)\n\n\t\t\t\t\t\t\trespBody, err := io.ReadAll(resp.Body)\n\t\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t\t\tassert.Assert(t, strings.Contains(string(respBody), testutil.NginxAlpineIndexHTMLSnippet))\n\t\t\t\t\t\t},\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestRunDeviceCDI(t *testing.T) {\n\tt.Parallel()\n\t// Although CDI injection is supported by Docker, specifying the --cdi-spec-dirs on the command line is not.\n\ttestutil.DockerIncompatible(t)\n\tcdiSpecDir := filepath.Join(t.TempDir(), \"cdi\")\n\tconst testCDIVendor1 = `\ncdiVersion: \"0.3.0\"\nkind: \"vendor1.com/device\"\ndevices:\n- name: foo\n containerEdits:\n env:\n - FOO=injected\n`\n\twriteTestCDISpec(t, testCDIVendor1, \"vendor1.yaml\", cdiSpecDir)\n\n\tbase := testutil.NewBase(t)\n\tbase.Cmd(\"--cdi-spec-dirs\", cdiSpecDir, \"run\",\n\t\t\"--rm\",\n\t\t\"--device\", \"vendor1.com/device=foo\",\n\t\ttestutil.AlpineImage, \"env\",\n\t).AssertOutContains(\"FOO=injected\")\n}\n\nfunc TestRunDeviceCDIWithNerdctlConfig(t *testing.T) {\n\tt.Parallel()\n\t// Although CDI injection is supported by Docker, specifying the --cdi-spec-dirs on the command line is not.\n\ttestutil.DockerIncompatible(t)\n\tcdiSpecDir := filepath.Join(t.TempDir(), \"cdi\")\n\tconst testCDIVendor1 = `\ncdiVersion: \"0.3.0\"\nkind: \"vendor1.com/device\"\ndevices:\n- name: foo\n containerEdits:\n env:\n - FOO=injected\n`\n\twriteTestCDISpec(t, testCDIVendor1, \"vendor1.yaml\", cdiSpecDir)\n\n\ttomlPath := filepath.Join(t.TempDir(), \"nerdctl.toml\")\n\terr := os.WriteFile(tomlPath, []byte(fmt.Sprintf(`\ncdi_spec_dirs = [\"%s\"]\n`, cdiSpecDir)), 0o400)\n\tassert.NilError(t, err)\n\n\tbase := testutil.NewBase(t)\n\tbase.Env = append(base.Env, \"NERDCTL_TOML=\"+tomlPath)\n\tbase.Cmd(\"run\",\n\t\t\"--rm\",\n\t\t\"--device\", \"vendor1.com/device=foo\",\n\t\ttestutil.AlpineImage, \"env\",\n\t).AssertOutContains(\"FOO=injected\")\n}\n\n// TestRunGPU tests GPU injection using the --gpus flag.\nfunc TestRunGPU(t *testing.T) {\n\tt.Parallel()\n\t// Although CDI injection is supported by Docker, specifying the --cdi-spec-dirs on the command line is not.\n\ttestutil.DockerIncompatible(t)\n\tconst nvidiaSpec = `\ncdiVersion: \"0.5.0\"\nkind: \"nvidia.com/gpu\"\ndevices:\n- name: \"0\"\n containerEdits:\n env:\n - NVIDIA_GPU_0=injected\n- name: \"1\"\n containerEdits:\n env:\n - NVIDIA_GPU_1=injected\n`\n\tconst amdSpec = `\ncdiVersion: \"0.5.0\"\nkind: \"amd.com/gpu\"\ndevices:\n- name: \"0\"\n containerEdits:\n env:\n - AMD_GPU_0=injected\n- name: \"1\"\n containerEdits:\n env:\n - AMD_GPU_1=injected\n`\n\tconst unknownSpec = `\ncdiVersion: \"0.5.0\"\nkind: \"unknown.com/gpu\"\ndevices:\n- name: \"0\"\n containerEdits:\n env:\n - UNKNOWN_GPU_0=injected\n`\n\n\ttestCases := []struct {\n\t\tname string\n\t\tspecs map[string]string\n\t\tgpuFlags []string\n\t\texpectedEnvs []string\n\t\texpectFail bool\n\t}{\n\t\t{\n\t\t\tname: \"nvidia device injection\",\n\t\t\tspecs: map[string]string{\"nvidia.yaml\": nvidiaSpec},\n\t\t\tgpuFlags: []string{\"--gpus\", \"2\"},\n\t\t\texpectedEnvs: []string{\"NVIDIA_GPU_0=injected\", \"NVIDIA_GPU_1=injected\"},\n\t\t},\n\t\t{\n\t\t\tname: \"amd device injection\",\n\t\t\tspecs: map[string]string{\"amd.yaml\": amdSpec},\n\t\t\tgpuFlags: []string{\"--gpus\", \"2\"},\n\t\t\texpectedEnvs: []string{\"AMD_GPU_0=injected\", \"AMD_GPU_1=injected\"},\n\t\t},\n\t\t{\n\t\t\tname: \"multiple vendors\",\n\t\t\tspecs: map[string]string{\"nvidia.yaml\": nvidiaSpec, \"amd.yaml\": amdSpec},\n\t\t\tgpuFlags: []string{\"--gpus\", \"1\"},\n\t\t\texpectedEnvs: []string{\"NVIDIA_GPU_0=injected\"},\n\t\t},\n\t\t{\n\t\t\tname: \"unknown vendor fails\",\n\t\t\tspecs: map[string]string{\"unknown.yaml\": unknownSpec},\n\t\t\tgpuFlags: []string{\"--gpus\", \"1\"},\n\t\t\texpectFail: true,\n\t\t},\n\t}\n\n\tfor _, tc := range testCases {\n\t\tt.Run(tc.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\ttmpDir := t.TempDir()\n\t\t\tfor fileName, spec := range tc.specs {\n\t\t\t\twriteTestCDISpec(t, spec, fileName, tmpDir)\n\t\t\t}\n\n\t\t\tbase := testutil.NewBase(t)\n\t\t\targs := []string{\"--cdi-spec-dirs\", tmpDir, \"run\", \"--rm\"}\n\t\t\targs = append(args, tc.gpuFlags...)\n\t\t\targs = append(args, testutil.AlpineImage, \"env\")\n\n\t\t\tif tc.expectFail {\n\t\t\t\tbase.Cmd(args...).AssertFail()\n\t\t\t} else {\n\t\t\t\tbase.Cmd(args...).AssertOutWithFunc(func(stdout string) error {\n\t\t\t\t\tfor _, expectedEnv := range tc.expectedEnvs {\n\t\t\t\t\t\tif !strings.Contains(stdout, expectedEnv) {\n\t\t\t\t\t\t\treturn fmt.Errorf(\"%s not found\", expectedEnv)\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\treturn nil\n\t\t\t\t})\n\t\t\t}\n\t\t})\n\t}\n}\n\n// TestRunGPUWithOtherCDIDevices tests GPU CDI injection along with other CDI devices.\nfunc TestRunGPUWithOtherCDIDevices(t *testing.T) {\n\tt.Parallel()\n\t// Although CDI injection is supported by Docker, specifying the --cdi-spec-dirs on the command line is not.\n\ttestutil.DockerIncompatible(t)\n\tconst amdSpec = `\ncdiVersion: \"0.5.0\"\nkind: \"amd.com/gpu\"\ndevices:\n- name: \"0\"\n containerEdits:\n env:\n - AMD_GPU_0=injected\n- name: \"1\"\n containerEdits:\n env:\n - AMD_GPU_1=injected\n`\n\tconst vendor1Spec = `\ncdiVersion: \"0.3.0\"\nkind: \"vendor1.com/device\"\ndevices:\n- name: foo\n containerEdits:\n env:\n - FOO=injected\n`\n\n\ttmpDir := t.TempDir()\n\twriteTestCDISpec(t, amdSpec, \"amd.yaml\", tmpDir)\n\twriteTestCDISpec(t, vendor1Spec, \"vendor1.yaml\", tmpDir)\n\n\tbase := testutil.NewBase(t)\n\tbase.Cmd(\"--cdi-spec-dirs\", tmpDir, \"run\", \"--rm\",\n\t\t\"--gpus\", \"2\",\n\t\t\"--device\", \"vendor1.com/device=foo\",\n\t\ttestutil.AlpineImage, \"env\",\n\t).AssertOutWithFunc(func(stdout string) error {\n\t\tif !strings.Contains(stdout, \"AMD_GPU_0=injected\") {\n\t\t\treturn errors.New(\"AMD_GPU_0=injected not found\")\n\t\t}\n\t\tif !strings.Contains(stdout, \"AMD_GPU_1=injected\") {\n\t\t\treturn errors.New(\"AMD_GPU_1=injected not found\")\n\t\t}\n\t\tif !strings.Contains(stdout, \"FOO=injected\") {\n\t\t\treturn errors.New(\"FOO=injected not found\")\n\t\t}\n\t\treturn nil\n\t})\n}\n\nfunc writeTestCDISpec(t *testing.T, spec string, fileName string, cdiSpecDir string) {\n\terr := os.MkdirAll(cdiSpecDir, 0o700)\n\tassert.NilError(t, err)\n\tcdiSpecPath := filepath.Join(cdiSpecDir, fileName)\n\terr = os.WriteFile(cdiSpecPath, []byte(spec), 0o400)\n\tassert.NilError(t, err)\n}\n\nfunc TestSharedIpcSetup(t *testing.T) {\n\tnerdtest.Setup()\n\ttestCase := &test.Case{\n\t\tRequire: require.Not(require.Windows),\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdata.Labels().Set(\"container1\", data.Identifier(\"container1\"))\n\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(\"container1\"), \"--ipc=shareable\",\n\t\t\t\ttestutil.CommonImage, \"sleep\", \"inf\")\n\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier(\"container1\"))\n\t\t},\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"container1\"))\n\t\t},\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"Test ipc is shared\",\n\t\t\t\tNoParallel: true, // The validation involves starting of the main container: container1\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"container2\"))\n\t\t\t\t},\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\n\t\t\t\t\t\t\"run\", \"-d\", \"--name\", data.Identifier(\"container2\"),\n\t\t\t\t\t\t\"--ipc=container:\"+data.Labels().Get(\"container1\"),\n\t\t\t\t\t\ttestutil.NginxAlpineImage)\n\t\t\t\t\tdata.Labels().Set(\"container2\", data.Identifier(\"container2\"))\n\t\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier(\"container2\"))\n\t\t\t\t},\n\t\t\t\tSubTests: []*test.Case{\n\t\t\t\t\t{\n\t\t\t\t\t\tNoParallel: true,\n\t\t\t\t\t\tDescription: \"Test ipc is shared\",\n\t\t\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\t\t\treturn helpers.Command(\"exec\", data.Labels().Get(\"container2\"), \"readlink\", \"/proc/1/ns/ipc\")\n\t\t\t\t\t\t},\n\t\t\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\t\t\t\tcontainer1IPC := strings.TrimSpace(helpers.Capture(\"exec\", data.Labels().Get(\"container1\"), \"readlink\", \"/proc/1/ns/ipc\"))\n\t\t\t\t\t\t\t\t\t\tcontainer2IPC := strings.TrimSpace(stdout)\n\t\t\t\t\t\t\t\t\t\tassert.Equal(t, container1IPC, container2IPC)\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t),\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tNoParallel: true,\n\t\t\t\t\t\tDescription: \"Test ipc is shared after restart\",\n\t\t\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\t\t\thelpers.Ensure(\"restart\", data.Labels().Get(\"container1\"))\n\t\t\t\t\t\t\thelpers.Ensure(\"stop\", \"--time=1\", data.Labels().Get(\"container2\"))\n\t\t\t\t\t\t\thelpers.Ensure(\"start\", data.Labels().Get(\"container2\"))\n\t\t\t\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Labels().Get(\"container2\"))\n\t\t\t\t\t\t},\n\t\t\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\t\t\treturn helpers.Command(\"exec\", data.Labels().Get(\"container2\"), \"readlink\", \"/proc/1/ns/ipc\")\n\t\t\t\t\t\t},\n\t\t\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\t\t\t\tcontainer1IPC := strings.TrimSpace(helpers.Capture(\"exec\", data.Labels().Get(\"container1\"), \"readlink\", \"/proc/1/ns/ipc\"))\n\t\t\t\t\t\t\t\t\t\tcontainer2IPC := strings.TrimSpace(stdout)\n\t\t\t\t\t\t\t\t\t\tassert.Equal(t, container1IPC, container2IPC)\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t),\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_run_log_driver_syslog_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"runtime\"\n\t\"strconv\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\tsyslog \"github.com/yuchanns/srslog\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/rootlessutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/testca\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/testsyslog\"\n)\n\nfunc runSyslogTest(t *testing.T, networks []string, syslogFacilities map[string]syslog.Priority, fmtValidFuncs map[string]func(string, string, string, string, syslog.Priority, bool) error) {\n\tif runtime.GOOS == \"windows\" {\n\t\tt.Skip(\"syslog container logging is not officially supported on Windows\")\n\t}\n\n\tbase := testutil.NewBase(t)\n\tbase.Cmd(\"pull\", \"--quiet\", testutil.CommonImage).AssertOK()\n\thostname, err := os.Hostname()\n\tif err != nil {\n\t\tt.Fatalf(\"Error retrieving hostname\")\n\t}\n\tca := testca.New(base.T)\n\tcert := ca.NewCert(\"127.0.0.1\")\n\tt.Cleanup(func() {\n\t\tcert.Close()\n\t\tca.Close()\n\t})\n\trI := 0\n\tfor _, network := range networks {\n\t\tfor rFK, rFV := range syslogFacilities {\n\t\t\tfPriV := rFV\n\t\t\t// test both string and number facility\n\t\t\tfor _, fPriK := range []string{rFK, strconv.Itoa(int(fPriV) >> 3)} {\n\t\t\t\tfor fmtK, fmtValidFunc := range fmtValidFuncs {\n\t\t\t\t\tfmtKT := \"empty\"\n\t\t\t\t\tif fmtK != \"\" {\n\t\t\t\t\t\tfmtKT = fmtK\n\t\t\t\t\t}\n\t\t\t\t\tsubTestName := fmt.Sprintf(\"%s_%s_%s\", strings.ReplaceAll(network, \"+\", \"_\"), fPriK, fmtKT)\n\t\t\t\t\ti := rI\n\t\t\t\t\trI++\n\t\t\t\t\tt.Run(subTestName, func(t *testing.T) {\n\t\t\t\t\t\ttID := testutil.Identifier(t)\n\t\t\t\t\t\ttag := tID + \"_syslog_driver\"\n\t\t\t\t\t\tmsg := \"hello, \" + tID + \"_syslog_driver\"\n\t\t\t\t\t\tif !testsyslog.TestableNetwork(network) {\n\t\t\t\t\t\t\tif rootlessutil.IsRootless() {\n\t\t\t\t\t\t\t\tt.Skipf(\"skipping on %s/%s; '%s' for rootless containers are not supported\", runtime.GOOS, runtime.GOARCH, network)\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tt.Skipf(\"skipping on %s/%s; '%s' is not supported\", runtime.GOOS, runtime.GOARCH, network)\n\t\t\t\t\t\t}\n\t\t\t\t\t\ttestContainerName := fmt.Sprintf(\"%s-%d-%s\", tID, i, fPriK)\n\t\t\t\t\t\tdone := make(chan string)\n\t\t\t\t\t\taddr, closer := testsyslog.StartServer(network, \"\", done, cert)\n\t\t\t\t\t\targs := []string{\n\t\t\t\t\t\t\t\"run\",\n\t\t\t\t\t\t\t\"-d\",\n\t\t\t\t\t\t\t\"--name\",\n\t\t\t\t\t\t\ttestContainerName,\n\t\t\t\t\t\t\t\"--restart=no\",\n\t\t\t\t\t\t\t\"--log-driver=syslog\",\n\t\t\t\t\t\t\t\"--log-opt=syslog-facility=\" + fPriK,\n\t\t\t\t\t\t\t\"--log-opt=tag=\" + tag,\n\t\t\t\t\t\t\t\"--log-opt=syslog-format=\" + fmtK,\n\t\t\t\t\t\t\t\"--log-opt=syslog-address=\" + fmt.Sprintf(\"%s://%s\", network, addr),\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif network == \"tcp+tls\" {\n\t\t\t\t\t\t\targs = append(args,\n\t\t\t\t\t\t\t\t\"--log-opt=syslog-tls-cert=\"+cert.CertPath,\n\t\t\t\t\t\t\t\t\"--log-opt=syslog-tls-key=\"+cert.KeyPath,\n\t\t\t\t\t\t\t\t\"--log-opt=syslog-tls-ca-cert=\"+ca.CertPath,\n\t\t\t\t\t\t\t)\n\t\t\t\t\t\t}\n\t\t\t\t\t\targs = append(args, testutil.CommonImage, \"echo\", msg)\n\t\t\t\t\t\tbase.Cmd(args...).AssertOK()\n\t\t\t\t\t\tt.Cleanup(func() {\n\t\t\t\t\t\t\tbase.Cmd(\"rm\", \"-f\", testContainerName).AssertOK()\n\t\t\t\t\t\t})\n\t\t\t\t\t\tdefer closer.Close()\n\t\t\t\t\t\tdefer close(done)\n\t\t\t\t\t\tselect {\n\t\t\t\t\t\tcase rcvd := <-done:\n\t\t\t\t\t\t\tif err := fmtValidFunc(rcvd, msg, tag, hostname, fPriV, network == \"tcp+tls\"); err != nil {\n\t\t\t\t\t\t\t\tt.Error(err)\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\tcase <-time.Tick(time.Second * 3):\n\t\t\t\t\t\t\tt.Errorf(\"timeout with %s\", subTestName)\n\t\t\t\t\t\t}\n\t\t\t\t\t})\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc TestSyslogNetwork(t *testing.T) {\n\tvar syslogFacilities = map[string]syslog.Priority{\n\t\t\"user\": syslog.LOG_USER,\n\t}\n\n\tnetworks := []string{\n\t\t\"udp\",\n\t\t\"tcp\",\n\t\t\"tcp+tls\",\n\t\t\"unix\",\n\t\t\"unixgram\",\n\t}\n\tfmtValidFuncs := map[string]func(string, string, string, string, syslog.Priority, bool) error{\n\t\t\"rfc5424\": func(rcvd, msg, tag, hostname string, pri syslog.Priority, isTLS bool) error {\n\t\t\tvar parsedHostname, timestamp string\n\t\t\tvar length, version, pid int\n\t\t\tif !isTLS {\n\t\t\t\texp := fmt.Sprintf(\"<%d>\", pri|syslog.LOG_INFO) + \"%d %s %s \" + tag + \" %d \" + tag + \" - \" + msg + \"\\n\"\n\t\t\t\tif n, err := fmt.Sscanf(rcvd, exp, &version, ×tamp, &parsedHostname, &pid); n != 4 || err != nil || hostname != parsedHostname {\n\t\t\t\t\treturn fmt.Errorf(\"s.Info() = '%q', didn't match '%q' (%d %s)\", rcvd, exp, n, err)\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\texp := \"%d \" + fmt.Sprintf(\"<%d>\", pri|syslog.LOG_INFO) + \"%d %s %s \" + tag + \" %d \" + tag + \" - \" + msg + \"\\n\"\n\t\t\t\tif n, err := fmt.Sscanf(rcvd, exp, &length, &version, ×tamp, &parsedHostname, &pid); n != 5 || err != nil || hostname != parsedHostname {\n\t\t\t\t\treturn fmt.Errorf(\"s.Info() = '%q', didn't match '%q' (%d %s)\", rcvd, exp, n, err)\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn nil\n\t\t},\n\t}\n\trunSyslogTest(t, networks, syslogFacilities, fmtValidFuncs)\n}\n\nfunc TestSyslogFacilities(t *testing.T) {\n\tvar syslogFacilities = map[string]syslog.Priority{\n\t\t\"kern\": syslog.LOG_KERN,\n\t\t\"user\": syslog.LOG_USER,\n\t\t\"mail\": syslog.LOG_MAIL,\n\t\t\"daemon\": syslog.LOG_DAEMON,\n\t\t\"auth\": syslog.LOG_AUTH,\n\t\t\"syslog\": syslog.LOG_SYSLOG,\n\t\t\"lpr\": syslog.LOG_LPR,\n\t\t\"news\": syslog.LOG_NEWS,\n\t\t\"uucp\": syslog.LOG_UUCP,\n\t\t\"cron\": syslog.LOG_CRON,\n\t\t\"authpriv\": syslog.LOG_AUTHPRIV,\n\t\t\"ftp\": syslog.LOG_FTP,\n\t\t\"local0\": syslog.LOG_LOCAL0,\n\t\t\"local1\": syslog.LOG_LOCAL1,\n\t\t\"local2\": syslog.LOG_LOCAL2,\n\t\t\"local3\": syslog.LOG_LOCAL3,\n\t\t\"local4\": syslog.LOG_LOCAL4,\n\t\t\"local5\": syslog.LOG_LOCAL5,\n\t\t\"local6\": syslog.LOG_LOCAL6,\n\t\t\"local7\": syslog.LOG_LOCAL7,\n\t}\n\n\tnetworks := []string{\"unix\"}\n\tfmtValidFuncs := map[string]func(string, string, string, string, syslog.Priority, bool) error{\n\t\t\"rfc5424\": func(rcvd, msg, tag, hostname string, pri syslog.Priority, isTLS bool) error {\n\t\t\tvar parsedHostname, timestamp string\n\t\t\tvar length, version, pid int\n\t\t\tif !isTLS {\n\t\t\t\texp := fmt.Sprintf(\"<%d>\", pri|syslog.LOG_INFO) + \"%d %s %s \" + tag + \" %d \" + tag + \" - \" + msg + \"\\n\"\n\t\t\t\tif n, err := fmt.Sscanf(rcvd, exp, &version, ×tamp, &parsedHostname, &pid); n != 4 || err != nil || hostname != parsedHostname {\n\t\t\t\t\treturn fmt.Errorf(\"s.Info() = '%q', didn't match '%q' (%d %s)\", rcvd, exp, n, err)\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\texp := \"%d \" + fmt.Sprintf(\"<%d>\", pri|syslog.LOG_INFO) + \"%d %s %s \" + tag + \" %d \" + tag + \" - \" + msg + \"\\n\"\n\t\t\t\tif n, err := fmt.Sscanf(rcvd, exp, &length, &version, ×tamp, &parsedHostname, &pid); n != 5 || err != nil || hostname != parsedHostname {\n\t\t\t\t\treturn fmt.Errorf(\"s.Info() = '%q', didn't match '%q' (%d %s)\", rcvd, exp, n, err)\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn nil\n\t\t},\n\t}\n\trunSyslogTest(t, networks, syslogFacilities, fmtValidFuncs)\n}\n\nfunc TestSyslogFormat(t *testing.T) {\n\tvar syslogFacilities = map[string]syslog.Priority{\n\t\t\"user\": syslog.LOG_USER,\n\t}\n\n\tnetworks := []string{\"unix\"}\n\tfmtValidFuncs := map[string]func(string, string, string, string, syslog.Priority, bool) error{\n\t\t\"\": func(rcvd, msg, tag, hostname string, pri syslog.Priority, isSTLS bool) error {\n\t\t\tvar mon, day, hrs string\n\t\t\tvar pid int\n\t\t\texp := fmt.Sprintf(\"<%d>\", pri|syslog.LOG_INFO) + \"%s %s %s \" + tag + \"[%d]: \" + msg + \"\\n\"\n\t\t\tif n, err := fmt.Sscanf(rcvd, exp, &mon, &day, &hrs, &pid); n != 4 || err != nil {\n\t\t\t\treturn fmt.Errorf(\"s.Info() = '%q', didn't match '%q' (%d %s)\", rcvd, exp, n, err)\n\t\t\t}\n\t\t\treturn nil\n\t\t},\n\t\t\"rfc3164\": func(rcvd, msg, tag, hostname string, pri syslog.Priority, isTLS bool) error {\n\t\t\tvar parsedHostname, mon, day, hrs string\n\t\t\tvar pid int\n\t\t\texp := fmt.Sprintf(\"<%d>\", pri|syslog.LOG_INFO) + \"%s %s %s %s \" + tag + \"[%d]: \" + msg + \"\\n\"\n\t\t\tif n, err := fmt.Sscanf(rcvd, exp, &mon, &day, &hrs, &parsedHostname, &pid); n != 5 || err != nil || hostname != parsedHostname {\n\t\t\t\treturn fmt.Errorf(\"s.Info() = '%q', didn't match '%q' (%d %s)\", rcvd, exp, n, err)\n\t\t\t}\n\t\t\treturn nil\n\t\t},\n\t\t\"rfc5424\": func(rcvd, msg, tag, hostname string, pri syslog.Priority, isTLS bool) error {\n\t\t\tvar parsedHostname, timestamp string\n\t\t\tvar length, version, pid int\n\t\t\tif !isTLS {\n\t\t\t\texp := fmt.Sprintf(\"<%d>\", pri|syslog.LOG_INFO) + \"%d %s %s \" + tag + \" %d \" + tag + \" - \" + msg + \"\\n\"\n\t\t\t\tif n, err := fmt.Sscanf(rcvd, exp, &version, ×tamp, &parsedHostname, &pid); n != 4 || err != nil || hostname != parsedHostname {\n\t\t\t\t\treturn fmt.Errorf(\"s.Info() = '%q', didn't match '%q' (%d %s)\", rcvd, exp, n, err)\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\texp := \"%d \" + fmt.Sprintf(\"<%d>\", pri|syslog.LOG_INFO) + \"%d %s %s \" + tag + \" %d \" + tag + \" - \" + msg + \"\\n\"\n\t\t\t\tif n, err := fmt.Sscanf(rcvd, exp, &length, &version, ×tamp, &parsedHostname, &pid); n != 5 || err != nil || hostname != parsedHostname {\n\t\t\t\t\treturn fmt.Errorf(\"s.Info() = '%q', didn't match '%q' (%d %s)\", rcvd, exp, n, err)\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn nil\n\t\t},\n\t\t\"rfc5424micro\": func(rcvd, msg, tag, hostname string, pri syslog.Priority, isTLS bool) error {\n\t\t\tvar parsedHostname, timestamp string\n\t\t\tvar length, version, pid int\n\t\t\tif !isTLS {\n\t\t\t\texp := fmt.Sprintf(\"<%d>\", pri|syslog.LOG_INFO) + \"%d %s %s \" + tag + \" %d \" + tag + \" - \" + msg + \"\\n\"\n\t\t\t\tif n, err := fmt.Sscanf(rcvd, exp, &version, ×tamp, &parsedHostname, &pid); n != 4 || err != nil || hostname != parsedHostname {\n\t\t\t\t\treturn fmt.Errorf(\"s.Info() = '%q', didn't match '%q' (%d %s)\", rcvd, exp, n, err)\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\texp := \"%d \" + fmt.Sprintf(\"<%d>\", pri|syslog.LOG_INFO) + \"%d %s %s \" + tag + \" %d \" + tag + \" - \" + msg + \"\\n\"\n\t\t\t\tif n, err := fmt.Sscanf(rcvd, exp, &length, &version, ×tamp, &parsedHostname, &pid); n != 5 || err != nil || hostname != parsedHostname {\n\t\t\t\t\treturn fmt.Errorf(\"s.Info() = '%q', didn't match '%q' (%d %s)\", rcvd, exp, n, err)\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn nil\n\t\t},\n\t}\n\trunSyslogTest(t, networks, syslogFacilities, fmtValidFuncs)\n}\n" }, { "path": "cmd/nerdctl/container/container_run_mount_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"testing\"\n\n\tmobymount \"github.com/moby/sys/mount\"\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/containerd/v2/core/mount\"\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/rootlessutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestRunVolume(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\ttID := testutil.Identifier(t)\n\trwDir, err := os.MkdirTemp(t.TempDir(), \"rw\")\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\troDir, err := os.MkdirTemp(t.TempDir(), \"ro\")\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\trwVolName := tID + \"-rw\"\n\troVolName := tID + \"-ro\"\n\tfor _, v := range []string{rwVolName, roVolName} {\n\t\tdefer base.Cmd(\"volume\", \"rm\", \"-f\", v).Run()\n\t\tbase.Cmd(\"volume\", \"create\", v).AssertOK()\n\t}\n\n\tcontainerName := tID\n\tdefer base.Cmd(\"rm\", \"-f\", containerName).AssertOK()\n\tbase.Cmd(\"run\",\n\t\t\"-d\",\n\t\t\"--name\", containerName,\n\t\t\"-v\", fmt.Sprintf(\"%s:/mnt1\", rwDir),\n\t\t\"-v\", fmt.Sprintf(\"%s:/mnt2:ro\", roDir),\n\t\t\"-v\", fmt.Sprintf(\"%s:/mnt3\", rwVolName),\n\t\t\"-v\", fmt.Sprintf(\"%s:/mnt4:ro\", roVolName),\n\t\ttestutil.AlpineImage,\n\t\t\"top\",\n\t).AssertOK()\n\tbase.Cmd(\"exec\", containerName, \"sh\", \"-exc\", \"echo -n str1 > /mnt1/file1\").AssertOK()\n\tbase.Cmd(\"exec\", containerName, \"sh\", \"-exc\", \"echo -n str2 > /mnt2/file2\").AssertFail()\n\tbase.Cmd(\"exec\", containerName, \"sh\", \"-exc\", \"echo -n str3 > /mnt3/file3\").AssertOK()\n\tbase.Cmd(\"exec\", containerName, \"sh\", \"-exc\", \"echo -n str4 > /mnt4/file4\").AssertFail()\n\tbase.Cmd(\"rm\", \"-f\", containerName).AssertOK()\n\tbase.Cmd(\"run\",\n\t\t\"--rm\",\n\t\t\"-v\", fmt.Sprintf(\"%s:/mnt1\", rwDir),\n\t\t\"-v\", fmt.Sprintf(\"%s:/mnt3\", rwVolName),\n\t\ttestutil.AlpineImage,\n\t\t\"cat\", \"/mnt1/file1\", \"/mnt3/file3\",\n\t).AssertOutExactly(\"str1str3\")\n\tbase.Cmd(\"run\",\n\t\t\"--rm\",\n\t\t\"-v\", fmt.Sprintf(\"%s:/mnt3/mnt1\", rwDir),\n\t\t\"-v\", fmt.Sprintf(\"%s:/mnt3\", rwVolName),\n\t\ttestutil.AlpineImage,\n\t\t\"cat\", \"/mnt3/mnt1/file1\", \"/mnt3/file3\",\n\t).AssertOutExactly(\"str1str3\")\n}\n\nfunc TestRunAnonymousVolume(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\tbase.Cmd(\"run\", \"--rm\", \"-v\", \"/foo\", testutil.AlpineImage).AssertOK()\n\tbase.Cmd(\"run\", \"--rm\", \"-v\", \"TestVolume2:/foo\", testutil.AlpineImage).AssertOK()\n\tbase.Cmd(\"run\", \"--rm\", \"-v\", \"TestVolume\", testutil.AlpineImage).AssertOK()\n\n\t// Destination must be an absolute path not named volume\n\tbase.Cmd(\"run\", \"--rm\", \"-v\", \"TestVolume2:TestVolumes\", testutil.AlpineImage).AssertFail()\n}\n\nfunc TestRunVolumeRelativePath(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\tbase.Dir = t.TempDir()\n\tbase.Cmd(\"run\", \"--rm\", \"-v\", \"./foo:/mnt/foo\", testutil.AlpineImage).AssertOK()\n\tbase.Cmd(\"run\", \"--rm\", \"-v\", \"./foo\", testutil.AlpineImage).AssertOK()\n\n\t// Destination must be an absolute path not a relative path\n\tbase.Cmd(\"run\", \"--rm\", \"-v\", \"./foo:./foo\", testutil.AlpineImage).AssertFail()\n}\n\nfunc TestRunAnonymousVolumeWithTypeMountFlag(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\tbase.Cmd(\"run\", \"--rm\", \"--mount\", \"type=volume,dst=/foo\", testutil.AlpineImage,\n\t\t\"mountpoint\", \"-q\", \"/foo\").AssertOK()\n}\n\nfunc TestRunAnonymousVolumeWithBuild(t *testing.T) {\n\tt.Parallel()\n\ttestutil.RequiresBuild(t)\n\ttestutil.RegisterBuildCacheCleanup(t)\n\tbase := testutil.NewBase(t)\n\timageName := testutil.Identifier(t)\n\tdefer base.Cmd(\"rmi\", imageName).Run()\n\n\tdockerfile := fmt.Sprintf(`FROM %s\nVOLUME /foo\n `, testutil.AlpineImage)\n\n\tbuildCtx := helpers.CreateBuildContext(t, dockerfile)\n\n\tbase.Cmd(\"build\", \"-t\", imageName, buildCtx).AssertOK()\n\tbase.Cmd(\"run\", \"--rm\", \"-v\", \"/foo\", testutil.AlpineImage,\n\t\t\"mountpoint\", \"-q\", \"/foo\").AssertOK()\n}\n\nfunc TestRunCopyingUpInitialContentsOnVolume(t *testing.T) {\n\tt.Parallel()\n\ttestutil.RequiresBuild(t)\n\ttestutil.RegisterBuildCacheCleanup(t)\n\tbase := testutil.NewBase(t)\n\timageName := testutil.Identifier(t)\n\tdefer base.Cmd(\"rmi\", imageName).Run()\n\tvolName := testutil.Identifier(t) + \"-vol\"\n\tdefer base.Cmd(\"volume\", \"rm\", volName).Run()\n\n\tdockerfile := fmt.Sprintf(`FROM %s\nRUN mkdir -p /mnt && echo hi > /mnt/initial_file\nCMD [\"cat\", \"/mnt/initial_file\"]\n `, testutil.AlpineImage)\n\n\tbuildCtx := helpers.CreateBuildContext(t, dockerfile)\n\n\tbase.Cmd(\"build\", \"-t\", imageName, buildCtx).AssertOK()\n\n\t//AnonymousVolume\n\tbase.Cmd(\"run\", \"--rm\", imageName).AssertOutExactly(\"hi\\n\")\n\tbase.Cmd(\"run\", \"-v\", \"/mnt\", \"--rm\", imageName).AssertOutExactly(\"hi\\n\")\n\n\t//NamedVolume should be automatically created\n\tbase.Cmd(\"run\", \"-v\", volName+\":/mnt\", \"--rm\", imageName).AssertOutExactly(\"hi\\n\")\n}\n\nfunc TestRunCopyingUpInitialContentsOnDockerfileVolume(t *testing.T) {\n\tt.Parallel()\n\ttestutil.RequiresBuild(t)\n\ttestutil.RegisterBuildCacheCleanup(t)\n\tbase := testutil.NewBase(t)\n\timageName := testutil.Identifier(t)\n\tdefer base.Cmd(\"rmi\", imageName).Run()\n\tvolName := testutil.Identifier(t) + \"-vol\"\n\tdefer base.Cmd(\"volume\", \"rm\", volName).Run()\n\n\tdockerfile := fmt.Sprintf(`FROM %s\nRUN mkdir -p /mnt && echo hi > /mnt/initial_file\nVOLUME /mnt\nCMD [\"cat\", \"/mnt/initial_file\"]\n `, testutil.AlpineImage)\n\n\tbuildCtx := helpers.CreateBuildContext(t, dockerfile)\n\n\tbase.Cmd(\"build\", \"-t\", imageName, buildCtx).AssertOK()\n\t//AnonymousVolume\n\tbase.Cmd(\"run\", \"--rm\", imageName).AssertOutExactly(\"hi\\n\")\n\tbase.Cmd(\"run\", \"-v\", \"/mnt\", \"--rm\", imageName).AssertOutExactly(\"hi\\n\")\n\n\t//NamedVolume\n\tbase.Cmd(\"volume\", \"create\", volName).AssertOK()\n\tbase.Cmd(\"run\", \"-v\", volName+\":/mnt\", \"--rm\", imageName).AssertOutExactly(\"hi\\n\")\n\n\t//mount bind\n\ttmpDir, err := os.MkdirTemp(t.TempDir(), \"hostDir\")\n\tassert.NilError(t, err)\n\n\tbase.Cmd(\"run\", \"-v\", fmt.Sprintf(\"%s:/mnt\", tmpDir), \"--rm\", imageName).AssertFail()\n}\n\nfunc TestRunCopyingUpInitialContentsOnVolumeShouldRetainSymlink(t *testing.T) {\n\tt.Parallel()\n\ttestutil.RequiresBuild(t)\n\ttestutil.RegisterBuildCacheCleanup(t)\n\tbase := testutil.NewBase(t)\n\timageName := testutil.Identifier(t)\n\tdefer base.Cmd(\"rmi\", imageName).Run()\n\n\tdockerfile := fmt.Sprintf(`FROM %s\nRUN ln -s ../../../../../../../../../../../../../../../../../../etc/passwd /mnt/passwd\nVOLUME /mnt\nCMD [\"readlink\", \"/mnt/passwd\"]\n `, testutil.AlpineImage)\n\tconst expected = \"../../../../../../../../../../../../../../../../../../etc/passwd\\n\"\n\n\tbuildCtx := helpers.CreateBuildContext(t, dockerfile)\n\n\tbase.Cmd(\"build\", \"-t\", imageName, buildCtx).AssertOK()\n\n\tbase.Cmd(\"run\", \"--rm\", imageName).AssertOutExactly(expected)\n\tbase.Cmd(\"run\", \"-v\", \"/mnt\", \"--rm\", imageName).AssertOutExactly(expected)\n}\n\nfunc TestRunCopyingUpInitialContentsShouldNotResetTheCopiedContents(t *testing.T) {\n\tt.Parallel()\n\ttestutil.RequiresBuild(t)\n\ttestutil.RegisterBuildCacheCleanup(t)\n\tbase := testutil.NewBase(t)\n\ttID := testutil.Identifier(t)\n\timageName := tID + \"-img\"\n\tvolumeName := tID + \"-vol\"\n\tcontainerName := tID\n\tdefer func() {\n\t\tbase.Cmd(\"rm\", \"-f\", containerName).Run()\n\t\tbase.Cmd(\"volume\", \"rm\", volumeName).Run()\n\t\tbase.Cmd(\"rmi\", imageName).Run()\n\t}()\n\n\tdockerfile := fmt.Sprintf(`FROM %s\nRUN echo -n \"rev0\" > /mnt/file\n`, testutil.AlpineImage)\n\n\tbuildCtx := helpers.CreateBuildContext(t, dockerfile)\n\n\tbase.Cmd(\"build\", \"-t\", imageName, buildCtx).AssertOK()\n\n\tbase.Cmd(\"volume\", \"create\", volumeName)\n\trunContainer := func() {\n\t\tbase.Cmd(\"run\", \"-d\", \"--name\", containerName, \"-v\", volumeName+\":/mnt\", imageName, \"sleep\", nerdtest.Infinity).AssertOK()\n\t}\n\trunContainer()\n\tbase.EnsureContainerStarted(containerName)\n\tbase.Cmd(\"exec\", containerName, \"cat\", \"/mnt/file\").AssertOutExactly(\"rev0\")\n\tbase.Cmd(\"exec\", containerName, \"sh\", \"-euc\", \"echo -n \\\"rev1\\\" >/mnt/file\").AssertOK()\n\tbase.Cmd(\"rm\", \"-f\", containerName).AssertOK()\n\trunContainer()\n\tbase.EnsureContainerStarted(containerName)\n\tbase.Cmd(\"exec\", containerName, \"cat\", \"/mnt/file\").AssertOutExactly(\"rev1\")\n}\n\nfunc TestRunTmpfs(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\tf := func(allow, deny []string) func(stdout string) error {\n\t\treturn func(stdout string) error {\n\t\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\tif len(lines) != 1 {\n\t\t\t\treturn fmt.Errorf(\"expected 1 lines, got %q\", stdout)\n\t\t\t}\n\t\t\tfor _, s := range allow {\n\t\t\t\tif !strings.Contains(stdout, s) {\n\t\t\t\t\treturn fmt.Errorf(\"expected stdout to contain %q, got %q\", s, stdout)\n\t\t\t\t}\n\t\t\t}\n\t\t\tfor _, s := range deny {\n\t\t\t\tif strings.Contains(stdout, s) {\n\t\t\t\t\treturn fmt.Errorf(\"expected stdout not to contain %q, got %q\", s, stdout)\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn nil\n\t\t}\n\t}\n\tbase.Cmd(\"run\", \"--rm\", \"--tmpfs\", \"/tmp\", testutil.AlpineImage, \"grep\", \"/tmp\", \"/proc/mounts\").AssertOutWithFunc(f([]string{\"rw\", \"nosuid\", \"nodev\", \"noexec\"}, nil))\n\tbase.Cmd(\"run\", \"--rm\", \"--tmpfs\", \"/tmp:size=64m,exec\", testutil.AlpineImage, \"grep\", \"/tmp\", \"/proc/mounts\").AssertOutWithFunc(f([]string{\"rw\", \"nosuid\", \"nodev\", \"size=65536k\"}, []string{\"noexec\"}))\n\t// for https://github.com/containerd/nerdctl/issues/594\n\tbase.Cmd(\"run\", \"--rm\", \"--tmpfs\", \"/dev/shm:rw,exec,size=1g\", testutil.AlpineImage, \"grep\", \"/dev/shm\", \"/proc/mounts\").AssertOutWithFunc(f([]string{\"rw\", \"nosuid\", \"nodev\", \"size=1048576k\"}, []string{\"noexec\"}))\n}\n\nfunc TestRunBindMountTmpfs(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\tf := func(allow []string) func(stdout string) error {\n\t\treturn func(stdout string) error {\n\t\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\tif len(lines) != 1 {\n\t\t\t\treturn fmt.Errorf(\"expected 1 lines, got %q\", stdout)\n\t\t\t}\n\t\t\tfor _, s := range allow {\n\t\t\t\tif !strings.Contains(stdout, s) {\n\t\t\t\t\treturn fmt.Errorf(\"expected stdout to contain %q, got %q\", s, stdout)\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn nil\n\t\t}\n\t}\n\tbase.Cmd(\"run\", \"--rm\", \"--mount\", \"type=tmpfs,target=/tmp\", testutil.AlpineImage, \"grep\", \"/tmp\", \"/proc/mounts\").AssertOutWithFunc(f([]string{\"rw\", \"nosuid\", \"nodev\", \"noexec\"}))\n\tbase.Cmd(\"run\", \"--rm\", \"--mount\", \"type=tmpfs,target=/tmp,tmpfs-size=64m\", testutil.AlpineImage, \"grep\", \"/tmp\", \"/proc/mounts\").AssertOutWithFunc(f([]string{\"rw\", \"nosuid\", \"nodev\", \"size=65536k\"}))\n}\n\nfunc mountExistsWithOpt(mountPoint, mountOpt string) test.Comparator {\n\treturn func(stdout string, t tig.T) {\n\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\tmountOutput := []string{}\n\t\tfor _, line := range lines {\n\t\t\tif strings.Contains(line, mountPoint) {\n\t\t\t\tmountOutput = strings.Split(line, \" \")\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\n\t\tassert.Assert(t, len(mountOutput) > 0, \"we should have found the mount point in /proc/mounts\")\n\t\tassert.Assert(t, len(mountOutput) >= 4, \"invalid format for mount line\")\n\n\t\toptions := strings.Split(mountOutput[3], \",\")\n\n\t\tfound := false\n\t\tfor _, opt := range options {\n\t\t\tif mountOpt == opt {\n\t\t\t\tfound = true\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\n\t\tassert.Assert(t, found, \"mount option %s not found\", mountOpt)\n\t}\n}\n\nfunc TestRunBindMountBind(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\t// Run a container with bind mount directories, one rw, the other ro\n\t\trwDir := data.Temp().Dir(\"rw\")\n\t\troDir := data.Temp().Dir(\"ro\")\n\n\t\thelpers.Ensure(\n\t\t\t\"run\",\n\t\t\t\"-d\",\n\t\t\t\"--name\", data.Identifier(\"container\"),\n\t\t\t\"--mount\", fmt.Sprintf(\"type=bind,src=%s,target=/mntrw\", rwDir),\n\t\t\t\"--mount\", fmt.Sprintf(\"type=bind,src=%s,target=/mntro,ro\", roDir),\n\t\t\ttestutil.AlpineImage,\n\t\t\t\"top\",\n\t\t)\n\n\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier(\"container\"))\n\n\t\t// Save host rwDir location and container id for subtests\n\t\tdata.Labels().Set(\"container\", data.Identifier(\"container\"))\n\t\tdata.Labels().Set(\"rwDir\", rwDir)\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"ensure we cannot write to ro mount\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"exec\", data.Labels().Get(\"container\"), \"sh\", \"-exc\", \"echo -n failure > /mntro/file\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeGenericFail, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"ensure we can write to rw, and read it back from another container mounting the same target\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"exec\", data.Labels().Get(\"container\"), \"sh\", \"-exc\", \"echo -n success > /mntrw/file\")\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\n\t\t\t\t\t\"run\",\n\t\t\t\t\t\"--rm\",\n\t\t\t\t\t\"--mount\", fmt.Sprintf(\"type=bind,src=%s,target=/mntrw\", data.Labels().Get(\"rwDir\")),\n\t\t\t\t\ttestutil.AlpineImage,\n\t\t\t\t\t\"cat\", \"/mntrw/file\",\n\t\t\t\t)\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"success\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"Check that mntrw is seen in /proc/mounts\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"exec\", data.Labels().Get(\"container\"), \"cat\", \"/proc/mounts\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\t// Ensure we have mntrw in the mount list\n\t\t\t\t\t\tmountExistsWithOpt(\"/mntrw\", \"rw\"),\n\t\t\t\t\t\tmountExistsWithOpt(\"/mntro\", \"ro\"),\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"container\"))\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestRunMountBindMode(t *testing.T) {\n\tif rootlessutil.IsRootless() {\n\t\tt.Skip(\"must be superuser to use mount\")\n\t}\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\n\ttmpDir1, err := os.MkdirTemp(t.TempDir(), \"rw\")\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\tdefer os.RemoveAll(tmpDir1)\n\ttmpDir1Mnt := filepath.Join(tmpDir1, \"mnt\")\n\tif err := os.MkdirAll(tmpDir1Mnt, 0700); err != nil {\n\t\tt.Fatal(err)\n\t}\n\n\ttmpDir2, err := os.MkdirTemp(t.TempDir(), \"ro\")\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\tdefer os.RemoveAll(tmpDir2)\n\n\tif err := mobymount.Mount(tmpDir2, tmpDir1Mnt, \"none\", \"bind,ro\"); err != nil {\n\t\tt.Fatal(err)\n\t}\n\tdefer func() {\n\t\tif err := mobymount.Unmount(tmpDir1Mnt); err != nil {\n\t\t\tt.Fatal(err)\n\t\t}\n\t}()\n\n\tbase.Cmd(\"run\",\n\t\t\"--rm\",\n\t\t\"--mount\", fmt.Sprintf(\"type=bind,bind-nonrecursive,src=%s,target=/mnt1\", tmpDir1),\n\t\ttestutil.AlpineImage,\n\t\t\"sh\", \"-euxc\", \"apk add findmnt -q && findmnt -nR /mnt1\",\n\t).AssertOutWithFunc(func(stdout string) error {\n\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\tif len(lines) != 1 {\n\t\t\treturn fmt.Errorf(\"expected 1 line, got %q\", stdout)\n\t\t}\n\t\tif !strings.HasPrefix(lines[0], \"/mnt1\") {\n\t\t\treturn fmt.Errorf(\"expected mount /mnt1, got %q\", lines[0])\n\t\t}\n\t\treturn nil\n\t})\n\n\tbase.Cmd(\"run\",\n\t\t\"--rm\",\n\t\t\"--mount\", fmt.Sprintf(\"type=bind,bind-nonrecursive=false,src=%s,target=/mnt1\", tmpDir1),\n\t\ttestutil.AlpineImage,\n\t\t\"sh\", \"-euxc\", \"apk add findmnt -q && findmnt -nR /mnt1\",\n\t).AssertOutWithFunc(func(stdout string) error {\n\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\tif len(lines) != 2 {\n\t\t\treturn fmt.Errorf(\"expected 2 line, got %q\", stdout)\n\t\t}\n\t\tif !strings.HasPrefix(lines[0], \"/mnt1\") {\n\t\t\treturn fmt.Errorf(\"expected mount /mnt1, got %q\", lines[0])\n\t\t}\n\t\treturn nil\n\t})\n}\n\nfunc TestRunVolumeBindMode(t *testing.T) {\n\tif rootlessutil.IsRootless() {\n\t\tt.Skip(\"must be superuser to use mount\")\n\t}\n\ttestutil.DockerIncompatible(t)\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\n\ttmpDir1, err := os.MkdirTemp(t.TempDir(), \"rw\")\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\tdefer os.RemoveAll(tmpDir1)\n\ttmpDir1Mnt := filepath.Join(tmpDir1, \"mnt\")\n\tif err := os.MkdirAll(tmpDir1Mnt, 0700); err != nil {\n\t\tt.Fatal(err)\n\t}\n\n\ttmpDir2, err := os.MkdirTemp(t.TempDir(), \"ro\")\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\tdefer os.RemoveAll(tmpDir2)\n\n\tif err := mobymount.Mount(tmpDir2, tmpDir1Mnt, \"none\", \"bind,ro\"); err != nil {\n\t\tt.Fatal(err)\n\t}\n\tdefer func() {\n\t\tif err := mobymount.Unmount(tmpDir1Mnt); err != nil {\n\t\t\tt.Fatal(err)\n\t\t}\n\t}()\n\n\tbase.Cmd(\"run\",\n\t\t\"--rm\",\n\t\t\"-v\", fmt.Sprintf(\"%s:/mnt1:bind\", tmpDir1),\n\t\ttestutil.AlpineImage,\n\t\t\"sh\", \"-euxc\", \"apk add findmnt -q && findmnt -nR /mnt1\",\n\t).AssertOutWithFunc(func(stdout string) error {\n\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\tif len(lines) != 1 {\n\t\t\treturn fmt.Errorf(\"expected 1 line, got %q\", stdout)\n\t\t}\n\t\tif !strings.HasPrefix(lines[0], \"/mnt1\") {\n\t\t\treturn fmt.Errorf(\"expected mount /mnt1, got %q\", lines[0])\n\t\t}\n\t\treturn nil\n\t})\n\n\tbase.Cmd(\"run\",\n\t\t\"--rm\",\n\t\t\"-v\", fmt.Sprintf(\"%s:/mnt1:rbind\", tmpDir1),\n\t\ttestutil.AlpineImage,\n\t\t\"sh\", \"-euxc\", \"apk add findmnt -q && findmnt -nR /mnt1\",\n\t).AssertOutWithFunc(func(stdout string) error {\n\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\tif len(lines) != 2 {\n\t\t\treturn fmt.Errorf(\"expected 2 line, got %q\", stdout)\n\t\t}\n\t\tif !strings.HasPrefix(lines[0], \"/mnt1\") {\n\t\t\treturn fmt.Errorf(\"expected mount /mnt1, got %q\", lines[0])\n\t\t}\n\t\treturn nil\n\t})\n}\n\nfunc TestRunBindMountPropagation(t *testing.T) {\n\tt.Skip(\"This test is currently broken. See https://github.com/containerd/nerdctl/issues/3404\")\n\n\ttID := testutil.Identifier(t)\n\n\tif !isRootfsShareableMount() {\n\t\tt.Skipf(\"rootfs doesn't support shared mount, skip test %s\", tID)\n\t}\n\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\n\ttestCases := []struct {\n\t\tpropagation string\n\t\tassertFunc func(containerName, containerNameReplica string)\n\t}{\n\t\t{\n\t\t\tpropagation: \"rshared\",\n\t\t\tassertFunc: func(containerName, containerNameReplica string) {\n\t\t\t\t// replica can get sub-mounts from original\n\t\t\t\tbase.Cmd(\"exec\", containerNameReplica, \"cat\", \"/mnt1/replica/foo.txt\").AssertOutExactly(\"toreplica\")\n\n\t\t\t\t// and sub-mounts from replica will be propagated to the original too\n\t\t\t\tbase.Cmd(\"exec\", containerName, \"cat\", \"/mnt1/bar/bar.txt\").AssertOutExactly(\"fromreplica\")\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tpropagation: \"rslave\",\n\t\t\tassertFunc: func(containerName, containerNameReplica string) {\n\t\t\t\t// replica can get sub-mounts from original\n\t\t\t\tbase.Cmd(\"exec\", containerNameReplica, \"cat\", \"/mnt1/replica/foo.txt\").AssertOutExactly(\"toreplica\")\n\n\t\t\t\t// but sub-mounts from replica will not be propagated to the original\n\t\t\t\tbase.Cmd(\"exec\", containerName, \"cat\", \"/mnt1/bar/bar.txt\").AssertFail()\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tpropagation: \"rprivate\",\n\t\t\tassertFunc: func(containerName, containerNameReplica string) {\n\t\t\t\t// replica can't get sub-mounts from original\n\t\t\t\tbase.Cmd(\"exec\", containerNameReplica, \"cat\", \"/mnt1/replica/foo.txt\").AssertFail()\n\t\t\t\t// and sub-mounts from replica will not be propagated to the original too\n\t\t\t\tbase.Cmd(\"exec\", containerName, \"cat\", \"/mnt1/bar/bar.txt\").AssertFail()\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tpropagation: \"\",\n\t\t\tassertFunc: func(containerName, containerNameReplica string) {\n\t\t\t\t// replica can't get sub-mounts from original\n\t\t\t\tbase.Cmd(\"exec\", containerNameReplica, \"cat\", \"/mnt1/replica/foo.txt\").AssertFail()\n\t\t\t\t// and sub-mounts from replica will not be propagated to the original too\n\t\t\t\tbase.Cmd(\"exec\", containerName, \"cat\", \"/mnt1/bar/bar.txt\").AssertFail()\n\t\t\t},\n\t\t},\n\t}\n\n\tfor _, tc := range testCases {\n\t\tpropagationName := tc.propagation\n\t\tif propagationName == \"\" {\n\t\t\tpropagationName = \"default\"\n\t\t}\n\n\t\tt.Logf(\"Running test propagation case %s\", propagationName)\n\n\t\trwDir, err := os.MkdirTemp(t.TempDir(), \"rw\")\n\t\tif err != nil {\n\t\t\tt.Fatal(err)\n\t\t}\n\n\t\tcontainerName := tID + \"-\" + propagationName\n\t\tcontainerNameReplica := containerName + \"-replica\"\n\n\t\tmountOption := fmt.Sprintf(\"type=bind,src=%s,target=/mnt1,bind-propagation=%s\", rwDir, tc.propagation)\n\t\tif tc.propagation == \"\" {\n\t\t\tmountOption = fmt.Sprintf(\"type=bind,src=%s,target=/mnt1\", rwDir)\n\t\t}\n\n\t\tcontainers := []struct {\n\t\t\tname string\n\t\t\tmountOption string\n\t\t}{\n\t\t\t{\n\t\t\t\tname: containerName,\n\t\t\t\tmountOption: fmt.Sprintf(\"type=bind,src=%s,target=/mnt1,bind-propagation=rshared\", rwDir),\n\t\t\t},\n\t\t\t{\n\t\t\t\tname: containerNameReplica,\n\t\t\t\tmountOption: mountOption,\n\t\t\t},\n\t\t}\n\t\tfor _, c := range containers {\n\t\t\tbase.Cmd(\"run\", \"-d\",\n\t\t\t\t\"--privileged\",\n\t\t\t\t\"--name\", c.name,\n\t\t\t\t\"--mount\", c.mountOption,\n\t\t\t\ttestutil.AlpineImage,\n\t\t\t\t\"top\").AssertOK()\n\t\t\tdefer base.Cmd(\"rm\", \"-f\", c.name).Run()\n\t\t}\n\n\t\t// mount in the first container\n\t\tbase.Cmd(\"exec\", containerName, \"sh\", \"-exc\", \"mkdir /app && mkdir /mnt1/replica && mount --bind /app /mnt1/replica && echo -n toreplica > /app/foo.txt\").AssertOK()\n\t\tbase.Cmd(\"exec\", containerName, \"cat\", \"/mnt1/replica/foo.txt\").AssertOutExactly(\"toreplica\")\n\n\t\t// mount in the second container\n\t\tbase.Cmd(\"exec\", containerNameReplica, \"sh\", \"-exc\", \"mkdir /bar && mkdir /mnt1/bar\").AssertOK()\n\t\tbase.Cmd(\"exec\", containerNameReplica, \"sh\", \"-exc\", \"mount --bind /bar /mnt1/bar\").AssertOK()\n\n\t\tbase.Cmd(\"exec\", containerNameReplica, \"sh\", \"-exc\", \"echo -n fromreplica > /bar/bar.txt\").AssertOK()\n\t\tbase.Cmd(\"exec\", containerNameReplica, \"cat\", \"/mnt1/bar/bar.txt\").AssertOutExactly(\"fromreplica\")\n\n\t\t// call case specific assert function\n\t\ttc.assertFunc(containerName, containerNameReplica)\n\n\t\t// umount mount point in the first privileged container\n\t\tbase.Cmd(\"exec\", containerNameReplica, \"sh\", \"-exc\", \"umount /mnt1/bar\").AssertOK()\n\t\tbase.Cmd(\"exec\", containerName, \"sh\", \"-exc\", \"umount /mnt1/replica\").AssertOK()\n\t}\n}\n\n// isRootfsShareableMount will check if /tmp or / support shareable mount\nfunc isRootfsShareableMount() bool {\n\texistFunc := func(mi mount.Info) bool {\n\t\tfor _, opt := range strings.Split(mi.Optional, \" \") {\n\t\t\tif strings.HasPrefix(opt, \"shared:\") {\n\t\t\t\treturn true\n\t\t\t}\n\t\t}\n\t\treturn false\n\t}\n\n\tmi, err := mount.Lookup(\"/tmp\")\n\tif err == nil {\n\t\treturn existFunc(mi)\n\t}\n\n\tmi, err = mount.Lookup(\"/\")\n\tif err == nil {\n\t\treturn existFunc(mi)\n\t}\n\n\treturn false\n}\n\nfunc TestRunVolumesFrom(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\ttID := testutil.Identifier(t)\n\trwDir, err := os.MkdirTemp(t.TempDir(), \"rw\")\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\troDir, err := os.MkdirTemp(t.TempDir(), \"ro\")\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\trwVolName := tID + \"-rw\"\n\troVolName := tID + \"-ro\"\n\tfor _, v := range []string{rwVolName, roVolName} {\n\t\tdefer base.Cmd(\"volume\", \"rm\", \"-f\", v).Run()\n\t\tbase.Cmd(\"volume\", \"create\", v).AssertOK()\n\t}\n\n\tfromContainerName := tID + \"-from\"\n\ttoContainerName := tID + \"-to\"\n\tdefer base.Cmd(\"rm\", \"-f\", fromContainerName).AssertOK()\n\tdefer base.Cmd(\"rm\", \"-f\", toContainerName).AssertOK()\n\tbase.Cmd(\"run\",\n\t\t\"-d\",\n\t\t\"--name\", fromContainerName,\n\t\t\"-v\", fmt.Sprintf(\"%s:/mnt1\", rwDir),\n\t\t\"-v\", fmt.Sprintf(\"%s:/mnt2:ro\", roDir),\n\t\t\"-v\", fmt.Sprintf(\"%s:/mnt3\", rwVolName),\n\t\t\"-v\", fmt.Sprintf(\"%s:/mnt4:ro\", roVolName),\n\t\ttestutil.AlpineImage,\n\t\t\"top\",\n\t).AssertOK()\n\tbase.Cmd(\"run\",\n\t\t\"-d\",\n\t\t\"--name\", toContainerName,\n\t\t\"--volumes-from\", fromContainerName,\n\t\ttestutil.AlpineImage,\n\t\t\"top\",\n\t).AssertOK()\n\tbase.Cmd(\"exec\", toContainerName, \"sh\", \"-exc\", \"echo -n str1 > /mnt1/file1\").AssertOK()\n\tbase.Cmd(\"exec\", toContainerName, \"sh\", \"-exc\", \"echo -n str2 > /mnt2/file2\").AssertFail()\n\tbase.Cmd(\"exec\", toContainerName, \"sh\", \"-exc\", \"echo -n str3 > /mnt3/file3\").AssertOK()\n\tbase.Cmd(\"exec\", toContainerName, \"sh\", \"-exc\", \"echo -n str4 > /mnt4/file4\").AssertFail()\n\tbase.Cmd(\"rm\", \"-f\", toContainerName).AssertOK()\n\tbase.Cmd(\"run\",\n\t\t\"--rm\",\n\t\t\"--volumes-from\", fromContainerName,\n\t\ttestutil.AlpineImage,\n\t\t\"cat\", \"/mnt1/file1\", \"/mnt3/file3\",\n\t).AssertOutExactly(\"str1str3\")\n}\n\nfunc TestBindMountWhenHostFolderDoesNotExist(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\tcontainerName := testutil.Identifier(t) + \"-host-dir-not-found\"\n\thostDir, err := os.MkdirTemp(t.TempDir(), \"rw\")\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\tdefer os.RemoveAll(hostDir)\n\thp := filepath.Join(hostDir, \"does-not-exist\")\n\tbase.Cmd(\"rm\", \"-f\", containerName).AssertOK()\n\tbase.Cmd(\"run\", \"--name\", containerName, \"-d\", \"-v\", fmt.Sprintf(\"%s:/tmp\",\n\t\thp), testutil.AlpineImage).AssertOK()\n\tbase.Cmd(\"rm\", \"-f\", containerName).AssertOK()\n\n\t// Host directory should get created\n\t_, err = os.Stat(hp)\n\tassert.NilError(t, err)\n\n\t// Test for --mount\n\tos.RemoveAll(hp)\n\tbase.Cmd(\"run\", \"--name\", containerName, \"-d\", \"--mount\", fmt.Sprintf(\"type=bind, source=%s, target=/tmp\",\n\t\thp), testutil.AlpineImage).AssertFail()\n\t_, err = os.Stat(hp)\n\tassert.ErrorIs(t, err, os.ErrNotExist)\n}\n" }, { "path": "cmd/nerdctl/container/container_run_mount_windows_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/inspecttypes/dockercompat\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n)\n\nfunc TestRunMountVolume(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\ttID := testutil.Identifier(t)\n\trwDir, err := os.MkdirTemp(t.TempDir(), \"rw\")\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\troDir, err := os.MkdirTemp(t.TempDir(), \"ro\")\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\trwVolName := tID + \"-rw\"\n\troVolName := tID + \"-ro\"\n\tfor _, v := range []string{rwVolName, roVolName} {\n\t\tdefer base.Cmd(\"volume\", \"rm\", \"-f\", v).Run()\n\t\tbase.Cmd(\"volume\", \"create\", v).AssertOK()\n\t}\n\n\tcontainerName := tID\n\tdefer base.Cmd(\"rm\", \"-f\", containerName).AssertOK()\n\tbase.Cmd(\"run\",\n\t\t\"-d\",\n\t\t\"--name\", containerName,\n\t\t\"-v\", fmt.Sprintf(\"%s:C:/mnt1\", rwDir),\n\t\t\"-v\", fmt.Sprintf(\"%s:C:/mnt2:ro\", roDir),\n\t\t\"-v\", fmt.Sprintf(\"%s:C:/mnt3\", rwVolName),\n\t\t\"-v\", fmt.Sprintf(\"%s:C:/mnt4:ro\", roVolName),\n\t\ttestutil.CommonImage,\n\t\t\"ping localhost -t\",\n\t).AssertOK()\n\n\tbase.Cmd(\"exec\", containerName, \"cmd\", \"/c\", \"echo -n str1 > C:/mnt1/file1\").AssertOK()\n\tbase.Cmd(\"exec\", containerName, \"cmd\", \"/c\", \"echo -n str2 > C:/mnt2/file2\").AssertFail()\n\tbase.Cmd(\"exec\", containerName, \"cmd\", \"/c\", \"echo -n str3 > C:/mnt3/file3\").AssertOK()\n\tbase.Cmd(\"exec\", containerName, \"cmd\", \"/c\", \"echo -n str4 > C:/mnt4/file4\").AssertFail()\n\tbase.Cmd(\"rm\", \"-f\", containerName).AssertOK()\n\n\tbase.Cmd(\"run\",\n\t\t\"--rm\",\n\t\t\"-v\", fmt.Sprintf(\"%s:C:/mnt1\", rwDir),\n\t\t\"-v\", fmt.Sprintf(\"%s:C:/mnt3\", rwVolName),\n\t\ttestutil.CommonImage,\n\t\t\"cat\", \"C:/mnt1/file1\", \"C:/mnt3/file3\",\n\t).AssertOutContainsAll(\"str1\", \"str3\")\n\tbase.Cmd(\"run\",\n\t\t\"--rm\",\n\t\t\"-v\", fmt.Sprintf(\"%s:C:/mnt3/mnt1\", rwDir),\n\t\t\"-v\", fmt.Sprintf(\"%s:C:/mnt3\", rwVolName),\n\t\ttestutil.CommonImage,\n\t\t\"cat\", \"C:/mnt3/mnt1/file1\", \"C:/mnt3/file3\",\n\t).AssertOutContainsAll(\"str1\", \"str3\")\n}\n\nfunc TestRunMountVolumeInspect(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\ttestContainer := testutil.Identifier(t)\n\ttestVolume := testutil.Identifier(t)\n\n\tdefer base.Cmd(\"volume\", \"rm\", \"-f\", testVolume).Run()\n\tbase.Cmd(\"volume\", \"create\", testVolume).AssertOK()\n\tinspectVolume := base.InspectVolume(testVolume)\n\tnamedVolumeSource := inspectVolume.Mountpoint\n\n\tbase.Cmd(\n\t\t\"run\", \"-d\", \"--name\", testContainer,\n\t\t\"-v\", \"C:/mnt1\",\n\t\t\"-v\", \"C:/mnt2:C:/mnt2\",\n\t\t\"-v\", \"\\\\\\\\.\\\\pipe\\\\containerd-containerd:\\\\\\\\.\\\\pipe\\\\containerd-containerd\",\n\t\t\"-v\", fmt.Sprintf(\"%s:C:/mnt3\", testVolume),\n\t\ttestutil.CommonImage,\n\t).AssertOK()\n\n\tinspect := base.InspectContainer(testContainer)\n\t// convert array to map to get by key of Destination\n\tactual := make(map[string]dockercompat.MountPoint)\n\tfor i := range inspect.Mounts {\n\t\tactual[inspect.Mounts[i].Destination] = inspect.Mounts[i]\n\t}\n\n\texpected := []struct {\n\t\tdest string\n\t\tmountPoint dockercompat.MountPoint\n\t}{\n\t\t// anonymous volume\n\t\t{\n\t\t\tdest: \"C:\\\\mnt1\",\n\t\t\tmountPoint: dockercompat.MountPoint{\n\t\t\t\tType: \"volume\",\n\t\t\t\tSource: \"\", // source of anonymous volume is a generated path, so here will not check it.\n\t\t\t\tDestination: \"C:\\\\mnt1\",\n\t\t\t},\n\t\t},\n\n\t\t// bind\n\t\t{\n\t\t\tdest: \"C:\\\\mnt2\",\n\t\t\tmountPoint: dockercompat.MountPoint{\n\t\t\t\tType: \"bind\",\n\t\t\t\tSource: \"C:\\\\mnt2\",\n\t\t\t\tDestination: \"C:\\\\mnt2\",\n\t\t\t},\n\t\t},\n\n\t\t// named pipe\n\t\t{\n\t\t\tdest: \"\\\\\\\\.\\\\pipe\\\\containerd-containerd\",\n\t\t\tmountPoint: dockercompat.MountPoint{\n\t\t\t\tType: \"npipe\",\n\t\t\t\tSource: \"\\\\\\\\.\\\\pipe\\\\containerd-containerd\",\n\t\t\t\tDestination: \"\\\\\\\\.\\\\pipe\\\\containerd-containerd\",\n\t\t\t},\n\t\t},\n\n\t\t// named volume\n\t\t{\n\t\t\tdest: \"C:\\\\mnt3\",\n\t\t\tmountPoint: dockercompat.MountPoint{\n\t\t\t\tType: \"volume\",\n\t\t\t\tName: testVolume,\n\t\t\t\tSource: namedVolumeSource,\n\t\t\t\tDestination: \"C:\\\\mnt3\",\n\t\t\t},\n\t\t},\n\t}\n\n\tfor i := range expected {\n\t\ttestCase := expected[i]\n\t\tt.Logf(\"test volume[dest=%q]\", testCase.dest)\n\n\t\tmountPoint, ok := actual[testCase.dest]\n\t\tassert.Assert(base.T, ok)\n\n\t\tassert.Equal(base.T, testCase.mountPoint.Type, mountPoint.Type)\n\t\tassert.Equal(base.T, testCase.mountPoint.Destination, mountPoint.Destination)\n\n\t\tif testCase.mountPoint.Source == \"\" {\n\t\t\t// for anonymous volumes, we want to make sure that the source is not the same as the destination\n\t\t\tassert.Assert(base.T, mountPoint.Source != testCase.mountPoint.Destination)\n\t\t} else {\n\t\t\tassert.Equal(base.T, testCase.mountPoint.Source, mountPoint.Source)\n\t\t}\n\n\t\tif testCase.mountPoint.Name != \"\" {\n\t\t\tassert.Equal(base.T, testCase.mountPoint.Name, mountPoint.Name)\n\t\t}\n\t}\n}\n\nfunc TestRunMountAnonymousVolume(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\tbase.Cmd(\"run\", \"--rm\", \"-v\", \"TestVolume:C:/mnt\", testutil.CommonImage).AssertOK()\n\n\t// For docker-campatibility, Unrecognised volume spec: invalid volume specification: 'TestVolume'\n\tbase.Cmd(\"run\", \"--rm\", \"-v\", \"TestVolume\", testutil.CommonImage).AssertFail()\n\n\t// Destination must be an absolute path not named volume\n\tbase.Cmd(\"run\", \"--rm\", \"-v\", \"TestVolume2:TestVolumes\", testutil.CommonImage).AssertFail()\n}\n\nfunc TestRunMountRelativePath(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\tbase.Cmd(\"run\", \"--rm\", \"-v\", \"./mnt:C:/mnt1\", testutil.CommonImage, \"cmd\").AssertOK()\n\n\t// Destination cannot be a relative path\n\tbase.Cmd(\"run\", \"--rm\", \"-v\", \"./mnt\", testutil.CommonImage).AssertFail()\n\tbase.Cmd(\"run\", \"--rm\", \"-v\", \"./mnt:./mnt1\", testutil.CommonImage, \"cmd\").AssertFail()\n}\n\nfunc TestRunMountNamedPipeVolume(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\tbase.Cmd(\"run\", \"--rm\", \"-v\", `\\\\.\\pipe\\containerd-containerd`, testutil.CommonImage).AssertFail()\n}\n\nfunc TestRunMountVolumeSpec(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\tbase.Cmd(\"run\", \"--rm\", \"-v\", `InvalidPathC:\\TestVolume:C:\\Mount`, testutil.CommonImage).AssertFail()\n\tbase.Cmd(\"run\", \"--rm\", \"-v\", `C:\\TestVolume:C:\\Mount:ro,rw:boot`, testutil.CommonImage).AssertFail()\n\n\t// If -v is an empty string, it will be ignored\n\tbase.Cmd(\"run\", \"--rm\", \"-v\", \"\", testutil.CommonImage).AssertOK()\n}\n" }, { "path": "cmd/nerdctl/container/container_run_network.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"net\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/go-cni\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/dnsutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/portutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/strutil\"\n)\n\nfunc loadNetworkFlags(cmd *cobra.Command, globalOpts types.GlobalCommandOptions) (types.NetworkOptions, error) {\n\tnetOpts := types.NetworkOptions{}\n\n\t// --net/--network= ...\n\tvar netSlice = []string{}\n\tvar networkSet = false\n\tif cmd.Flags().Lookup(\"network\").Changed {\n\t\tnetwork, err := cmd.Flags().GetStringSlice(\"network\")\n\t\tif err != nil {\n\t\t\treturn netOpts, err\n\t\t}\n\t\tnetSlice = append(netSlice, network...)\n\t\tnetworkSet = true\n\t}\n\tif cmd.Flags().Lookup(\"net\").Changed {\n\t\tnet, err := cmd.Flags().GetStringSlice(\"net\")\n\t\tif err != nil {\n\t\t\treturn netOpts, err\n\t\t}\n\t\tnetSlice = append(netSlice, net...)\n\t\tnetworkSet = true\n\t}\n\n\tif !networkSet {\n\t\tnetwork, err := cmd.Flags().GetStringSlice(\"network\")\n\t\tif err != nil {\n\t\t\treturn netOpts, err\n\t\t}\n\t\tnetSlice = append(netSlice, network...)\n\t}\n\tnetOpts.NetworkSlice = strutil.DedupeStrSlice(netSlice)\n\n\t// --mac-address=\n\tmacAddress, err := cmd.Flags().GetString(\"mac-address\")\n\tif err != nil {\n\t\treturn netOpts, err\n\t}\n\tif macAddress != \"\" {\n\t\tif _, err := net.ParseMAC(macAddress); err != nil {\n\t\t\treturn netOpts, err\n\t\t}\n\t}\n\tnetOpts.MACAddress = macAddress\n\n\t// --ip=\n\tipAddress, err := cmd.Flags().GetString(\"ip\")\n\tif err != nil {\n\t\treturn netOpts, err\n\t}\n\tnetOpts.IPAddress = ipAddress\n\n\t// --ip6=\n\tip6Address, err := cmd.Flags().GetString(\"ip6\")\n\tif err != nil {\n\t\treturn netOpts, err\n\t}\n\tnetOpts.IP6Address = ip6Address\n\n\t// -h/--hostname=\n\thostName, err := cmd.Flags().GetString(\"hostname\")\n\tif err != nil {\n\t\treturn netOpts, err\n\t}\n\tnetOpts.Hostname = hostName\n\n\t// --domainname=\n\tdomainname, err := cmd.Flags().GetString(\"domainname\")\n\tif err != nil {\n\t\treturn netOpts, err\n\t}\n\tnetOpts.Domainname = domainname\n\n\t// --dns= ...\n\t// Use command flags if set, otherwise use global config is set\n\tvar dnsSlice []string\n\tif cmd.Flags().Changed(\"dns\") {\n\t\tvar err error\n\t\tdnsSlice, err = cmd.Flags().GetStringSlice(\"dns\")\n\t\tif err != nil {\n\t\t\treturn netOpts, err\n\t\t}\n\t\tif len(dnsSlice) == 0 {\n\t\t\treturn netOpts, errors.New(\"--dns flag was specified but no DNS server was provided\")\n\t\t}\n\t\tfor _, dns := range dnsSlice {\n\t\t\tif _, err := dnsutil.ValidateIPAddress(dns); err != nil {\n\t\t\t\treturn netOpts, fmt.Errorf(\"%w with --dns flag\", err)\n\t\t\t}\n\t\t}\n\t} else {\n\t\tdnsSlice = globalOpts.DNS\n\t}\n\tnetOpts.DNSServers = strutil.DedupeStrSlice(dnsSlice)\n\n\t// --dns-search= ...\n\t// Use command flags if set, otherwise use global config is set\n\tvar dnsSearchSlice []string\n\tif cmd.Flags().Changed(\"dns-search\") {\n\t\tvar err error\n\t\tdnsSearchSlice, err = cmd.Flags().GetStringSlice(\"dns-search\")\n\t\tif err != nil {\n\t\t\treturn netOpts, err\n\t\t}\n\t} else {\n\t\tdnsSearchSlice = globalOpts.DNSSearch\n\t}\n\tnetOpts.DNSSearchDomains = strutil.DedupeStrSlice(dnsSearchSlice)\n\n\t// --dns-opt/--dns-option= ...\n\t// Use command flags if set, otherwise use global config if set\n\tdnsOptions := []string{}\n\n\t// Check if either dns-opt or dns-option flags were set\n\tdnsOptChanged := cmd.Flags().Changed(\"dns-opt\")\n\tdnsOptionChanged := cmd.Flags().Changed(\"dns-option\")\n\n\tif dnsOptChanged || dnsOptionChanged {\n\t\t// Use command flags\n\t\tdnsOptFlags, err := cmd.Flags().GetStringSlice(\"dns-opt\")\n\t\tif err != nil {\n\t\t\treturn netOpts, err\n\t\t}\n\t\tdnsOptions = append(dnsOptions, dnsOptFlags...)\n\n\t\tdnsOptionFlags, err := cmd.Flags().GetStringSlice(\"dns-option\")\n\t\tif err != nil {\n\t\t\treturn netOpts, err\n\t\t}\n\t\tdnsOptions = append(dnsOptions, dnsOptionFlags...)\n\t} else {\n\t\t// Use global config defaults\n\t\tdnsOptions = append(dnsOptions, globalOpts.DNSOpts...)\n\t}\n\n\tnetOpts.DNSResolvConfOptions = strutil.DedupeStrSlice(dnsOptions)\n\n\t// --add-host= ...\n\taddHostFlags, err := cmd.Flags().GetStringSlice(\"add-host\")\n\tif err != nil {\n\t\treturn netOpts, err\n\t}\n\tnetOpts.AddHost = addHostFlags\n\n\t// --uts=\n\tutsNamespace, err := cmd.Flags().GetString(\"uts\")\n\tif err != nil {\n\t\treturn netOpts, err\n\t}\n\tnetOpts.UTSNamespace = utsNamespace\n\n\t// -p/--publish=127.0.0.1:80:8080/tcp ...\n\tportSlice, err := cmd.Flags().GetStringSlice(\"publish\")\n\tif err != nil {\n\t\treturn netOpts, err\n\t}\n\tportSlice = strutil.DedupeStrSlice(portSlice)\n\tportMappings := []cni.PortMapping{}\n\tfor _, p := range portSlice {\n\t\tpm, err := portutil.ParseFlagP(p)\n\t\tif err != nil {\n\t\t\treturn netOpts, err\n\t\t}\n\t\tportMappings = append(portMappings, pm...)\n\t}\n\tnetOpts.PortMappings = portMappings\n\n\treturn netOpts, nil\n}\n" }, { "path": "cmd/nerdctl/container/container_run_network_base_test.go", "content": "//go:build linux || windows\n\n/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nettestutil\"\n)\n\n// Tests various port mapping argument combinations by starting an nginx container and\n// verifying its connectivity and that its serves its index.html from the external\n// host IP as well as through the loopback interface.\n// `loopbackIsolationEnabled` indicates whether the test should expect connections between\n// the loopback interface and external host interface to succeed or not.\nfunc baseTestRunPort(t *testing.T, nginxImage string, nginxIndexHTMLSnippet string, loopbackIsolationEnabled bool) {\n\texpectedIsolationErr := \"\"\n\tif loopbackIsolationEnabled {\n\t\texpectedIsolationErr = testutil.ExpectedConnectionRefusedError\n\t}\n\n\thostIP, err := nettestutil.NonLoopbackIPv4()\n\tassert.NilError(t, err)\n\ttype testCase struct {\n\t\tlistenIP net.IP\n\t\tconnectIP net.IP\n\t\thostPort string\n\t\tcontainerPort string\n\t\tconnectURLPort int\n\t\trunShouldSuccess bool\n\t\terr string\n\t}\n\tlo := net.ParseIP(\"127.0.0.1\")\n\tzeroIP := net.ParseIP(\"0.0.0.0\")\n\ttestCases := []testCase{\n\t\t{\n\t\t\tlistenIP: lo,\n\t\t\tconnectIP: lo,\n\t\t\thostPort: \"8080\",\n\t\t\tcontainerPort: \"80\",\n\t\t\tconnectURLPort: 8080,\n\t\t\trunShouldSuccess: true,\n\t\t},\n\t\t{\n\t\t\t// for https://github.com/containerd/nerdctl/issues/88\n\t\t\tlistenIP: hostIP,\n\t\t\tconnectIP: hostIP,\n\t\t\thostPort: \"8080\",\n\t\t\tcontainerPort: \"80\",\n\t\t\tconnectURLPort: 8080,\n\t\t\trunShouldSuccess: true,\n\t\t},\n\t\t{\n\t\t\tlistenIP: hostIP,\n\t\t\tconnectIP: lo,\n\t\t\thostPort: \"8080\",\n\t\t\tcontainerPort: \"80\",\n\t\t\tconnectURLPort: 8080,\n\t\t\terr: expectedIsolationErr,\n\t\t\trunShouldSuccess: true,\n\t\t},\n\t\t{\n\t\t\tlistenIP: lo,\n\t\t\tconnectIP: hostIP,\n\t\t\thostPort: \"8080\",\n\t\t\tcontainerPort: \"80\",\n\t\t\tconnectURLPort: 8080,\n\t\t\terr: expectedIsolationErr,\n\t\t\trunShouldSuccess: true,\n\t\t},\n\t\t{\n\t\t\tlistenIP: zeroIP,\n\t\t\tconnectIP: lo,\n\t\t\thostPort: \"8080\",\n\t\t\tcontainerPort: \"80\",\n\t\t\tconnectURLPort: 8080,\n\t\t\trunShouldSuccess: true,\n\t\t},\n\t\t{\n\t\t\tlistenIP: zeroIP,\n\t\t\tconnectIP: hostIP,\n\t\t\thostPort: \"8080\",\n\t\t\tcontainerPort: \"80\",\n\t\t\tconnectURLPort: 8080,\n\t\t\trunShouldSuccess: true,\n\t\t},\n\t\t{\n\t\t\tlistenIP: lo,\n\t\t\tconnectIP: lo,\n\t\t\thostPort: \"7000-7005\",\n\t\t\tcontainerPort: \"79-84\",\n\t\t\tconnectURLPort: 7001,\n\t\t\trunShouldSuccess: true,\n\t\t},\n\t\t{\n\t\t\tlistenIP: hostIP,\n\t\t\tconnectIP: hostIP,\n\t\t\thostPort: \"7000-7005\",\n\t\t\tcontainerPort: \"79-84\",\n\t\t\tconnectURLPort: 7001,\n\t\t\trunShouldSuccess: true,\n\t\t},\n\t\t{\n\t\t\tlistenIP: hostIP,\n\t\t\tconnectIP: lo,\n\t\t\thostPort: \"7000-7005\",\n\t\t\tcontainerPort: \"79-84\",\n\t\t\tconnectURLPort: 7001,\n\t\t\terr: expectedIsolationErr,\n\t\t\trunShouldSuccess: true,\n\t\t},\n\t\t{\n\t\t\tlistenIP: lo,\n\t\t\tconnectIP: hostIP,\n\t\t\thostPort: \"7000-7005\",\n\t\t\tcontainerPort: \"79-84\",\n\t\t\tconnectURLPort: 7001,\n\t\t\terr: expectedIsolationErr,\n\t\t\trunShouldSuccess: true,\n\t\t},\n\t\t{\n\t\t\tlistenIP: zeroIP,\n\t\t\tconnectIP: hostIP,\n\t\t\thostPort: \"7000-7005\",\n\t\t\tcontainerPort: \"79-84\",\n\t\t\tconnectURLPort: 7001,\n\t\t\trunShouldSuccess: true,\n\t\t},\n\t\t{\n\t\t\tlistenIP: zeroIP,\n\t\t\tconnectIP: lo,\n\t\t\thostPort: \"7000-7005\",\n\t\t\tcontainerPort: \"80-85\",\n\t\t\tconnectURLPort: 7001,\n\t\t\terr: \"error after 5 attempts\",\n\t\t\trunShouldSuccess: true,\n\t\t},\n\t\t{\n\t\t\tlistenIP: zeroIP,\n\t\t\tconnectIP: lo,\n\t\t\thostPort: \"7000-7005\",\n\t\t\tcontainerPort: \"80\",\n\t\t\tconnectURLPort: 7000,\n\t\t\trunShouldSuccess: true,\n\t\t},\n\t\t{\n\t\t\tlistenIP: zeroIP,\n\t\t\tconnectIP: lo,\n\t\t\thostPort: \"7000-7005\",\n\t\t\tcontainerPort: \"80\",\n\t\t\tconnectURLPort: 7005,\n\t\t\terr: testutil.ExpectedConnectionRefusedError,\n\t\t\trunShouldSuccess: true,\n\t\t},\n\t\t{\n\t\t\tlistenIP: zeroIP,\n\t\t\tconnectIP: lo,\n\t\t\thostPort: \"7000-7005\",\n\t\t\tcontainerPort: \"79-85\",\n\t\t\tconnectURLPort: 7005,\n\t\t\terr: \"invalid ranges specified for container and host Ports\",\n\t\t\trunShouldSuccess: false,\n\t\t},\n\t}\n\n\ttID := testutil.Identifier(t)\n\tfor i, tc := range testCases {\n\t\ti := i\n\t\ttc := tc\n\t\ttcName := fmt.Sprintf(\"%+v\", tc)\n\t\tt.Run(tcName, func(t *testing.T) {\n\t\t\ttestContainerName := fmt.Sprintf(\"%s-%d\", tID, i)\n\t\t\tbase := testutil.NewBase(t)\n\t\t\tdefer base.Cmd(\"rm\", \"-f\", testContainerName).Run()\n\t\t\tpFlag := fmt.Sprintf(\"%s:%s:%s\", tc.listenIP.String(), tc.hostPort, tc.containerPort)\n\t\t\tconnectURL := fmt.Sprintf(\"http://%s:%d\", tc.connectIP.String(), tc.connectURLPort)\n\t\t\tt.Logf(\"pFlag=%q, connectURL=%q\", pFlag, connectURL)\n\t\t\tcmd := base.Cmd(\"run\", \"-d\",\n\t\t\t\t\"--name\", testContainerName,\n\t\t\t\t\"-p\", pFlag,\n\t\t\t\tnginxImage)\n\t\t\tif tc.runShouldSuccess {\n\t\t\t\tcmd.AssertOK()\n\t\t\t} else {\n\t\t\t\tcmd.AssertFail()\n\t\t\t\treturn\n\t\t\t}\n\n\t\t\tresp, err := nettestutil.HTTPGet(connectURL, 5, false)\n\t\t\tif tc.err != \"\" {\n\t\t\t\tassert.ErrorContains(t, err, tc.err)\n\t\t\t\treturn\n\t\t\t}\n\t\t\tassert.NilError(t, err)\n\t\t\trespBody, err := io.ReadAll(resp.Body)\n\t\t\tassert.NilError(t, err)\n\t\t\tassert.Assert(t, strings.Contains(string(respBody), nginxIndexHTMLSnippet))\n\t\t})\n\t}\n\n}\n" }, { "path": "cmd/nerdctl/container/container_run_network_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"regexp\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/containernetworking/plugins/pkg/ns\"\n\t\"github.com/opencontainers/go-digest\"\n\t\"github.com/vishvananda/netlink\"\n\t\"gotest.tools/v3/assert\"\n\t\"gotest.tools/v3/icmd\"\n\n\t\"github.com/containerd/containerd/v2/defaults\"\n\t\"github.com/containerd/containerd/v2/pkg/netns\"\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/rootlessutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nettestutil\"\n)\n\nfunc extractHostPort(portMapping string, port string) (string, error) {\n\t// Regular expression to extract host port from port mapping information\n\tre := regexp.MustCompile(`(?P\\d{1,5})/tcp ->.*?0.0.0.0:(?P\\d{1,5}).*?`)\n\tportMappingLines := strings.Split(portMapping, \"\\n\")\n\tfor _, portMappingLine := range portMappingLines {\n\t\t// Find the matches\n\t\tmatches := re.FindStringSubmatch(portMappingLine)\n\t\t// Check if there is a match\n\t\tif len(matches) >= 3 && matches[1] == port {\n\t\t\t// Extract the host port number\n\t\t\thostPort := matches[2]\n\t\t\treturn hostPort, nil\n\t\t}\n\t}\n\treturn \"\", fmt.Errorf(\"could not extract host port from port mapping: %s\", portMapping)\n}\n\nfunc valuesOfMapStringString(m map[string]string) map[string]struct{} {\n\tres := make(map[string]struct{})\n\tfor _, v := range m {\n\t\tres[v] = struct{}{}\n\t}\n\treturn res\n}\n\n// TestRunInternetConnectivity tests Internet connectivity with `apk update`\nfunc TestRunInternetConnectivity(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\tcustomNet := testutil.Identifier(t)\n\tbase.Cmd(\"network\", \"create\", customNet).AssertOK()\n\tdefer base.Cmd(\"network\", \"rm\", customNet).Run()\n\n\ttype testCase struct {\n\t\targs []string\n\t}\n\tcustomNetID := base.InspectNetwork(customNet).ID\n\ttestCases := []testCase{\n\t\t{\n\t\t\targs: []string{\"--net\", \"bridge\"},\n\t\t},\n\t\t{\n\t\t\targs: []string{\"--net\", customNet},\n\t\t},\n\t\t{\n\t\t\targs: []string{\"--net\", customNetID},\n\t\t},\n\t\t{\n\t\t\targs: []string{\"--net\", customNetID[:12]},\n\t\t},\n\t\t{\n\t\t\targs: []string{\"--net\", \"host\"},\n\t\t},\n\t}\n\tfor _, tc := range testCases {\n\t\ttc := tc // IMPORTANT\n\t\tname := \"default\"\n\t\tif len(tc.args) > 0 {\n\t\t\tname = strings.Join(tc.args, \"_\")\n\t\t}\n\t\tt.Run(name, func(t *testing.T) {\n\t\t\targs := []string{\"run\", \"--rm\"}\n\t\t\targs = append(args, tc.args...)\n\t\t\targs = append(args, testutil.AlpineImage, \"apk\", \"update\")\n\t\t\tcmd := base.Cmd(args...)\n\t\t\tcmd.AssertOutContains(\"OK\")\n\t\t})\n\t}\n}\n\n// TestRunHostLookup tests hostname lookup\nfunc TestRunHostLookup(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\t// key: container name, val: network name\n\tm := map[string]string{\n\t\t\"c0-in-n0\": \"n0\",\n\t\t\"c1-in-n0\": \"n0\",\n\t\t\"c2-in-n1\": \"n1\",\n\t\t\"c3-in-bridge\": \"bridge\",\n\t}\n\tcustomNets := valuesOfMapStringString(m)\n\tdefer func() {\n\t\tfor name := range m {\n\t\t\tbase.Cmd(\"rm\", \"-f\", name).Run()\n\t\t}\n\t\tfor netName := range customNets {\n\t\t\tif netName == \"bridge\" {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tbase.Cmd(\"network\", \"rm\", netName).Run()\n\t\t}\n\t}()\n\n\t// Create networks\n\tfor netName := range customNets {\n\t\tif netName == \"bridge\" {\n\t\t\tcontinue\n\t\t}\n\t\tbase.Cmd(\"network\", \"create\", netName).AssertOK()\n\t}\n\n\t// Create nginx containers\n\tfor name, netName := range m {\n\t\tcmd := base.Cmd(\"run\",\n\t\t\t\"-d\",\n\t\t\t\"--name\", name,\n\t\t\t\"--hostname\", name+\"-foobar\",\n\t\t\t\"--net\", netName,\n\t\t\ttestutil.NginxAlpineImage,\n\t\t)\n\t\tt.Logf(\"creating host lookup testing container with command: %q\", strings.Join(cmd.Command, \" \"))\n\t\tcmd.AssertOK()\n\t}\n\n\ttestWget := func(srcContainer, targetHostname string, expected bool) {\n\t\tt.Logf(\"resolving %q in container %q (should success: %+v)\", targetHostname, srcContainer, expected)\n\t\tcmd := base.Cmd(\"exec\", srcContainer, \"wget\", \"-qO-\", \"http://\"+targetHostname)\n\t\tif expected {\n\t\t\tcmd.AssertOutContains(testutil.NginxAlpineIndexHTMLSnippet)\n\t\t} else {\n\t\t\tcmd.AssertFail()\n\t\t}\n\t}\n\n\t// Tests begin\n\ttestWget(\"c0-in-n0\", \"c1-in-n0\", true)\n\ttestWget(\"c0-in-n0\", \"c1-in-n0.n0\", true)\n\ttestWget(\"c0-in-n0\", \"c1-in-n0-foobar\", true)\n\ttestWget(\"c0-in-n0\", \"c1-in-n0-foobar.n0\", true)\n\ttestWget(\"c0-in-n0\", \"c2-in-n1\", false)\n\ttestWget(\"c0-in-n0\", \"c2-in-n1.n1\", false)\n\ttestWget(\"c0-in-n0\", \"c3-in-bridge\", false)\n\ttestWget(\"c1-in-n0\", \"c0-in-n0\", true)\n\ttestWget(\"c1-in-n0\", \"c0-in-n0.n0\", true)\n\ttestWget(\"c1-in-n0\", \"c0-in-n0-foobar\", true)\n\ttestWget(\"c1-in-n0\", \"c0-in-n0-foobar.n0\", true)\n}\n\nfunc TestRunPortWithNoHostPort(t *testing.T) {\n\tif rootlessutil.IsRootless() {\n\t\tt.Skip(\"Auto port assign is not supported rootless mode yet\")\n\t}\n\n\ttype testCase struct {\n\t\tcontainerPort string\n\t\trunShouldSuccess bool\n\t}\n\ttestCases := []testCase{\n\t\t{\n\t\t\tcontainerPort: \"80\",\n\t\t\trunShouldSuccess: true,\n\t\t},\n\t\t{\n\t\t\tcontainerPort: \"80-81\",\n\t\t\trunShouldSuccess: true,\n\t\t},\n\t\t{\n\t\t\tcontainerPort: \"80-81/tcp\",\n\t\t\trunShouldSuccess: true,\n\t\t},\n\t}\n\ttID := testutil.Identifier(t)\n\tfor i, tc := range testCases {\n\t\ti := i\n\t\ttc := tc\n\t\ttcName := fmt.Sprintf(\"%+v\", tc)\n\t\tt.Run(tcName, func(t *testing.T) {\n\t\t\ttestContainerName := fmt.Sprintf(\"%s-%d\", tID, i)\n\t\t\tbase := testutil.NewBase(t)\n\t\t\tdefer base.Cmd(\"rm\", \"-f\", testContainerName).Run()\n\t\t\tpFlag := tc.containerPort\n\t\t\tcmd := base.Cmd(\"run\", \"-d\",\n\t\t\t\t\"--name\", testContainerName,\n\t\t\t\t\"-p\", pFlag,\n\t\t\t\ttestutil.NginxAlpineImage)\n\t\t\tvar result *icmd.Result\n\t\t\tstdoutContent := \"\"\n\t\t\tif tc.runShouldSuccess {\n\t\t\t\tcmd.AssertOK()\n\t\t\t} else {\n\t\t\t\tcmd.AssertFail()\n\t\t\t\treturn\n\t\t\t}\n\t\t\tportCmd := base.Cmd(\"port\", testContainerName)\n\t\t\tportCmd.Base.T.Helper()\n\t\t\tresult = portCmd.Run()\n\t\t\tstdoutContent = result.Stdout() + result.Stderr()\n\t\t\tassert.Assert(cmd.Base.T, result.ExitCode == 0, stdoutContent)\n\t\t\tregexExpression := regexp.MustCompile(`80\\/tcp.*?->.*?0.0.0.0:(?P\\d{1,5}).*?`)\n\t\t\tmatch := regexExpression.FindStringSubmatch(stdoutContent)\n\t\t\tparamsMap := make(map[string]string)\n\t\t\tfor i, name := range regexExpression.SubexpNames() {\n\t\t\t\tif i > 0 && i <= len(match) {\n\t\t\t\t\tparamsMap[name] = match[i]\n\t\t\t\t}\n\t\t\t}\n\t\t\tif _, ok := paramsMap[\"portNumber\"]; !ok {\n\t\t\t\tt.Fail()\n\t\t\t\treturn\n\t\t\t}\n\t\t\tconnectURL := fmt.Sprintf(\"http://%s:%s\", \"127.0.0.1\", paramsMap[\"portNumber\"])\n\t\t\tresp, err := nettestutil.HTTPGet(connectURL, 5, false)\n\t\t\tassert.NilError(t, err)\n\t\t\trespBody, err := io.ReadAll(resp.Body)\n\t\t\tassert.NilError(t, err)\n\t\t\tassert.Assert(t, strings.Contains(string(respBody), testutil.NginxAlpineIndexHTMLSnippet))\n\t\t})\n\t}\n\n}\n\nfunc TestUniqueHostPortAssignement(t *testing.T) {\n\tif rootlessutil.IsRootless() {\n\t\tt.Skip(\"Auto port assign is not supported rootless mode yet\")\n\t}\n\n\ttype testCase struct {\n\t\tcontainerPort string\n\t\trunShouldSuccess bool\n\t}\n\n\ttestCases := []testCase{\n\t\t{\n\t\t\tcontainerPort: \"80\",\n\t\t\trunShouldSuccess: true,\n\t\t},\n\t\t{\n\t\t\tcontainerPort: \"80-81\",\n\t\t\trunShouldSuccess: true,\n\t\t},\n\t\t{\n\t\t\tcontainerPort: \"80-81/tcp\",\n\t\t\trunShouldSuccess: true,\n\t\t},\n\t}\n\n\ttID := testutil.Identifier(t)\n\n\tfor i, tc := range testCases {\n\t\ti := i\n\t\ttc := tc\n\t\ttcName := fmt.Sprintf(\"%+v\", tc)\n\t\tt.Run(tcName, func(t *testing.T) {\n\t\t\ttestContainerName1 := fmt.Sprintf(\"%s-%d-1\", tID, i)\n\t\t\ttestContainerName2 := fmt.Sprintf(\"%s-%d-2\", tID, i)\n\t\t\tbase := testutil.NewBase(t)\n\t\t\tdefer base.Cmd(\"rm\", \"-f\", testContainerName1, testContainerName2).Run()\n\n\t\t\tpFlag := tc.containerPort\n\t\t\tcmd1 := base.Cmd(\"run\", \"-d\",\n\t\t\t\t\"--name\", testContainerName1, \"-p\",\n\t\t\t\tpFlag,\n\t\t\t\ttestutil.NginxAlpineImage)\n\n\t\t\tcmd2 := base.Cmd(\"run\", \"-d\",\n\t\t\t\t\"--name\", testContainerName2, \"-p\",\n\t\t\t\tpFlag,\n\t\t\t\ttestutil.NginxAlpineImage)\n\t\t\tvar result *icmd.Result\n\t\t\tstdoutContent := \"\"\n\t\t\tif tc.runShouldSuccess {\n\t\t\t\tcmd1.AssertOK()\n\t\t\t\tcmd2.AssertOK()\n\t\t\t} else {\n\t\t\t\tcmd1.AssertFail()\n\t\t\t\tcmd2.AssertFail()\n\t\t\t\treturn\n\t\t\t}\n\t\t\tportCmd1 := base.Cmd(\"port\", testContainerName1)\n\t\t\tportCmd2 := base.Cmd(\"port\", testContainerName2)\n\t\t\tportCmd1.Base.T.Helper()\n\t\t\tportCmd2.Base.T.Helper()\n\t\t\tresult = portCmd1.Run()\n\t\t\tstdoutContent = result.Stdout() + result.Stderr()\n\t\t\tassert.Assert(t, result.ExitCode == 0, stdoutContent)\n\t\t\tport1, err := extractHostPort(stdoutContent, \"80\")\n\t\t\tassert.NilError(t, err)\n\t\t\tresult = portCmd2.Run()\n\t\t\tstdoutContent = result.Stdout() + result.Stderr()\n\t\t\tassert.Assert(t, result.ExitCode == 0, stdoutContent)\n\t\t\tport2, err := extractHostPort(stdoutContent, \"80\")\n\t\t\tassert.NilError(t, err)\n\t\t\tassert.Assert(t, port1 != port2, \"Host ports are not unique\")\n\n\t\t\t// Make HTTP GET request to container 1\n\t\t\tconnectURL1 := fmt.Sprintf(\"http://%s:%s\", \"127.0.0.1\", port1)\n\t\t\tresp1, err := nettestutil.HTTPGet(connectURL1, 5, false)\n\t\t\tassert.NilError(t, err)\n\t\t\trespBody1, err := io.ReadAll(resp1.Body)\n\t\t\tassert.NilError(t, err)\n\t\t\tassert.Assert(t, strings.Contains(string(respBody1), testutil.NginxAlpineIndexHTMLSnippet))\n\n\t\t\t// Make HTTP GET request to container 2\n\t\t\tconnectURL2 := fmt.Sprintf(\"http://%s:%s\", \"127.0.0.1\", port2)\n\t\t\tresp2, err := nettestutil.HTTPGet(connectURL2, 5, false)\n\t\t\tassert.NilError(t, err)\n\t\t\trespBody2, err := io.ReadAll(resp2.Body)\n\t\t\tassert.NilError(t, err)\n\t\t\tassert.Assert(t, strings.Contains(string(respBody2), testutil.NginxAlpineIndexHTMLSnippet))\n\t\t})\n\t}\n}\n\nfunc TestHostPortAlreadyInUse(t *testing.T) {\n\ttestCases := []struct {\n\t\thostPort string\n\t\tcontainerPort string\n\t}{\n\t\t{\n\t\t\thostPort: \"5000\",\n\t\t\tcontainerPort: \"80/tcp\",\n\t\t},\n\t\t{\n\t\t\thostPort: \"5000\",\n\t\t\tcontainerPort: \"80/tcp\",\n\t\t},\n\t\t{\n\t\t\thostPort: \"5000\",\n\t\t\tcontainerPort: \"80/udp\",\n\t\t},\n\t\t{\n\t\t\thostPort: \"5000\",\n\t\t\tcontainerPort: \"80/sctp\",\n\t\t},\n\t}\n\n\ttID := testutil.Identifier(t)\n\n\tfor i, tc := range testCases {\n\t\ttc := tc\n\t\ttcName := fmt.Sprintf(\"%+v\", tc)\n\t\tt.Run(tcName, func(t *testing.T) {\n\t\t\tif strings.Contains(tc.containerPort, \"sctp\") && rootlessutil.IsRootless() {\n\t\t\t\tt.Skip(\"sctp is not supported in rootless mode\")\n\t\t\t}\n\t\t\ttestContainerName1 := fmt.Sprintf(\"%s-%d-1\", tID, i)\n\t\t\ttestContainerName2 := fmt.Sprintf(\"%s-%d-2\", tID, i)\n\t\t\tbase := testutil.NewBase(t)\n\t\t\tt.Cleanup(func() {\n\t\t\t\tbase.Cmd(\"rm\", \"-f\", testContainerName1, testContainerName2).AssertOK()\n\t\t\t})\n\t\t\tpFlag := fmt.Sprintf(\"%s:%s\", tc.hostPort, tc.containerPort)\n\t\t\tcmd1 := base.Cmd(\"run\", \"-d\",\n\t\t\t\t\"--name\", testContainerName1, \"-p\",\n\t\t\t\tpFlag,\n\t\t\t\ttestutil.NginxAlpineImage)\n\n\t\t\tcmd2 := base.Cmd(\"run\", \"-d\",\n\t\t\t\t\"--name\", testContainerName2, \"-p\",\n\t\t\t\tpFlag,\n\t\t\t\ttestutil.NginxAlpineImage)\n\n\t\t\tcmd1.AssertOK()\n\t\t\tcmd2.AssertFail()\n\t\t})\n\t}\n}\n\nfunc TestRunPort(t *testing.T) {\n\tbaseTestRunPort(t, testutil.NginxAlpineImage, testutil.NginxAlpineIndexHTMLSnippet, true)\n}\n\nfunc TestRunWithManyPortsThenCleanUp(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\t// docker does not set label restriction to 4096 bytes\n\ttestCase.Require = require.Not(nerdtest.Docker)\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"Run a container with many ports, and then clean up.\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"run\", \"--data-root\", data.Temp().Path(), \"--rm\", \"-p\", \"22200-22299:22200-22299\", testutil.CommonImage)\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tErrors: []error{},\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tgetAddrHash := func(addr string) string {\n\t\t\t\t\t\t\tconst addrHashLen = 8\n\n\t\t\t\t\t\t\td := digest.SHA256.FromString(addr)\n\t\t\t\t\t\t\th := d.Encoded()[0:addrHashLen]\n\n\t\t\t\t\t\t\treturn h\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tdataRoot := data.Temp().Path()\n\t\t\t\t\t\th := getAddrHash(defaults.DefaultAddress)\n\t\t\t\t\t\tdataStore := filepath.Join(dataRoot, h)\n\t\t\t\t\t\tnamespace := string(helpers.Read(nerdtest.Namespace))\n\t\t\t\t\t\tetchostsPath := filepath.Join(dataStore, \"etchosts\", namespace)\n\n\t\t\t\t\t\tetchostsDirs, err := os.ReadDir(etchostsPath)\n\n\t\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\t\tassert.Equal(t, len(etchostsDirs), 0)\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestRunContainerWithStaticIP(t *testing.T) {\n\tif rootlessutil.IsRootless() {\n\t\tt.Skip(\"Static IP assignment is not supported rootless mode yet.\")\n\t}\n\tnetworkName := \"test-network\"\n\tnetworkSubnet := \"172.0.0.0/16\"\n\tbase := testutil.NewBase(t)\n\tcmd := base.Cmd(\"network\", \"create\", networkName, \"--subnet\", networkSubnet)\n\tcmd.AssertOK()\n\tdefer base.Cmd(\"network\", \"rm\", networkName).Run()\n\ttestCases := []struct {\n\t\tip string\n\t\tshouldSuccess bool\n\t\tuseNetwork bool\n\t\tcheckTheIPAddress bool\n\t}{\n\t\t{\n\t\t\tip: \"172.0.0.2\",\n\t\t\tshouldSuccess: true,\n\t\t\tuseNetwork: true,\n\t\t\tcheckTheIPAddress: true,\n\t\t},\n\t\t{\n\t\t\tip: \"192.0.0.2\",\n\t\t\tshouldSuccess: false,\n\t\t\tuseNetwork: true,\n\t\t\tcheckTheIPAddress: false,\n\t\t},\n\t\t// XXX see https://github.com/containerd/nerdctl/issues/3101\n\t\t// docker 24 silently ignored the ip - now, docker 26 is erroring out - furthermore, this ip only makes sense\n\t\t// in the context of nerdctl bridge network, so, this test needs rewritting either way\n\t\t/*\n\t\t\t{\n\t\t\t\tip: \"10.4.0.2\",\n\t\t\t\tshouldSuccess: true,\n\t\t\t\tuseNetwork: false,\n\t\t\t\tcheckTheIPAddress: false,\n\t\t\t},\n\t\t*/\n\t}\n\ttID := testutil.Identifier(t)\n\tfor i, tc := range testCases {\n\t\ti := i\n\t\ttc := tc\n\t\ttcName := fmt.Sprintf(\"%+v\", tc)\n\t\tt.Run(tcName, func(t *testing.T) {\n\t\t\ttestContainerName := fmt.Sprintf(\"%s-%d\", tID, i)\n\t\t\tbase := testutil.NewBase(t)\n\t\t\tdefer base.Cmd(\"rm\", \"-f\", testContainerName).Run()\n\t\t\targs := []string{\n\t\t\t\t\"run\", \"-d\", \"--name\", testContainerName,\n\t\t\t}\n\t\t\tif tc.useNetwork {\n\t\t\t\targs = append(args, []string{\"--network\", networkName}...)\n\t\t\t}\n\t\t\targs = append(args, []string{\"--ip\", tc.ip, testutil.NginxAlpineImage}...)\n\t\t\tcmd := base.Cmd(args...)\n\t\t\tif !tc.shouldSuccess {\n\t\t\t\tcmd.AssertFail()\n\t\t\t\treturn\n\t\t\t}\n\t\t\tcmd.AssertOK()\n\n\t\t\tif tc.checkTheIPAddress {\n\t\t\t\tinspectCmd := base.Cmd(\"inspect\", testContainerName, \"--format\", \"\\\"{{range .NetworkSettings.Networks}} {{.IPAddress}}{{end}}\\\"\")\n\t\t\t\tresult := inspectCmd.Run()\n\t\t\t\tstdoutContent := result.Stdout() + result.Stderr()\n\t\t\t\tassert.Assert(inspectCmd.Base.T, result.ExitCode == 0, stdoutContent)\n\t\t\t\tif !strings.Contains(stdoutContent, tc.ip) {\n\t\t\t\t\tt.Fail()\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestRunDNS(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\n\tbase.Cmd(\"run\", \"--rm\", \"--dns\", \"8.8.8.8\", testutil.CommonImage,\n\t\t\"cat\", \"/etc/resolv.conf\").AssertOutContains(\"nameserver 8.8.8.8\\n\")\n\tbase.Cmd(\"run\", \"--rm\", \"--dns-search\", \"test\", testutil.CommonImage,\n\t\t\"cat\", \"/etc/resolv.conf\").AssertOutContains(\"search test\\n\")\n\tbase.Cmd(\"run\", \"--rm\", \"--dns-search\", \"test\", \"--dns-search\", \"test1\", testutil.CommonImage,\n\t\t\"cat\", \"/etc/resolv.conf\").AssertOutContains(\"search test test1\\n\")\n\tbase.Cmd(\"run\", \"--rm\", \"--dns-opt\", \"no-tld-query\", \"--dns-option\", \"attempts:10\", testutil.CommonImage,\n\t\t\"cat\", \"/etc/resolv.conf\").AssertOutContains(\"options no-tld-query attempts:10\\n\")\n\tcmd := base.Cmd(\"run\", \"--rm\", \"--dns\", \"8.8.8.8\", \"--dns-search\", \"test\", \"--dns-option\", \"attempts:10\", testutil.CommonImage,\n\t\t\"cat\", \"/etc/resolv.conf\")\n\tcmd.AssertOutContains(\"nameserver 8.8.8.8\\n\")\n\tcmd.AssertOutContains(\"search test\\n\")\n\tcmd.AssertOutContains(\"options attempts:10\\n\")\n}\n\nfunc TestRunNetworkHostHostname(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\n\thostname, err := os.Hostname()\n\tassert.NilError(t, err)\n\thostname = hostname + \"\\n\"\n\tbase.Cmd(\"run\", \"--rm\", \"--network\", \"host\", testutil.CommonImage, \"hostname\").AssertOutExactly(hostname)\n\tbase.Cmd(\"run\", \"--rm\", \"--network\", \"host\", testutil.CommonImage, \"sh\", \"-euxc\", \"echo $HOSTNAME\").AssertOutExactly(hostname)\n\tbase.Cmd(\"run\", \"--rm\", \"--network\", \"host\", \"--hostname\", \"override\", testutil.CommonImage, \"hostname\").AssertOutExactly(\"override\\n\")\n\tbase.Cmd(\"run\", \"--rm\", \"--network\", \"host\", \"--hostname\", \"override\", testutil.CommonImage, \"sh\", \"-euxc\", \"echo $HOSTNAME\").AssertOutExactly(\"override\\n\")\n}\n\nfunc TestRunNetworkHost2613(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\n\tbase.Cmd(\"run\", \"--rm\", \"--add-host\", \"foo:1.2.3.4\", testutil.CommonImage, \"getent\", \"hosts\", \"foo\").AssertOutExactly(\"1.2.3.4 foo foo\\n\")\n}\n\nfunc TestSharedNetworkSetup(t *testing.T) {\n\tnerdtest.Setup()\n\ttestCase := &test.Case{\n\t\tRequire: require.Not(require.Windows),\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdata.Labels().Set(\"container1\", data.Identifier(\"container1\"))\n\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(\"container1\"),\n\t\t\t\ttestutil.CommonImage, \"sleep\", \"inf\")\n\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier(\"container1\"))\n\t\t},\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"container1\"))\n\t\t},\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"Test network is shared\",\n\t\t\t\tNoParallel: true, // The validation involves starting of the main container: container1\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"container2\"))\n\t\t\t\t},\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\n\t\t\t\t\t\t\"run\", \"-d\", \"--name\", data.Identifier(\"container2\"),\n\t\t\t\t\t\t\"--network=container:\"+data.Labels().Get(\"container1\"),\n\t\t\t\t\t\ttestutil.NginxAlpineImage)\n\t\t\t\t\tdata.Labels().Set(\"container2\", data.Identifier(\"container2\"))\n\t\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier(\"container2\"))\n\t\t\t\t},\n\t\t\t\tSubTests: []*test.Case{\n\t\t\t\t\t{\n\t\t\t\t\t\tNoParallel: true,\n\t\t\t\t\t\tDescription: \"Test network is shared\",\n\t\t\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\t\t\treturn helpers.Command(\"exec\", data.Labels().Get(\"container2\"), \"wget\", \"-qO-\", \"http://127.0.0.1:80\")\n\t\t\t\t\t\t},\n\t\t\t\t\t\tExpected: test.Expects(0, nil, expect.Contains(testutil.NginxAlpineIndexHTMLSnippet)),\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tNoParallel: true,\n\t\t\t\t\t\tDescription: \"Test network is shared after restart\",\n\t\t\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\t\t\thelpers.Ensure(\"restart\", data.Labels().Get(\"container1\"))\n\t\t\t\t\t\t\thelpers.Ensure(\"stop\", \"--time=1\", data.Labels().Get(\"container2\"))\n\t\t\t\t\t\t\thelpers.Ensure(\"start\", data.Labels().Get(\"container2\"))\n\t\t\t\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Labels().Get(\"container2\"))\n\t\t\t\t\t\t},\n\t\t\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\t\t\treturn helpers.Command(\"exec\", data.Labels().Get(\"container2\"), \"wget\", \"-qO-\", \"http://127.0.0.1:80\")\n\n\t\t\t\t\t\t},\n\t\t\t\t\t\tExpected: test.Expects(0, nil, expect.Contains(testutil.NginxAlpineIndexHTMLSnippet)),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Test uts is supported in shared network\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", \"--uts\", \"host\",\n\t\t\t\t\t\t\"--network=container:\"+data.Labels().Get(\"container1\"),\n\t\t\t\t\t\ttestutil.CommonImage)\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Test dns is not supported\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", \"--dns\", \"0.1.2.3\",\n\t\t\t\t\t\t\"--network=container:\"+data.Labels().Get(\"container1\"),\n\t\t\t\t\t\ttestutil.CommonImage)\n\t\t\t\t},\n\t\t\t\t// 1 for nerdctl, 125 for docker\n\t\t\t\tExpected: test.Expects(expect.ExitCodeGenericFail, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Test dns options is not supported\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", \"--dns-option\", \"attempts:5\",\n\t\t\t\t\t\t\"--network=container:\"+data.Labels().Get(\"container1\"),\n\t\t\t\t\t\ttestutil.CommonImage, \"cat\", \"/etc/resolv.conf\")\n\t\t\t\t},\n\t\t\t\t// The Option doesn't throw an error but is never inserted to the resolv.conf\n\t\t\t\tExpected: test.Expects(0, nil, expect.DoesNotContain(\"attempts:5\")),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Test publish is not supported\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", \"--publish\", \"80:8080\",\n\t\t\t\t\t\t\"--network=container:\"+data.Labels().Get(\"container1\"),\n\t\t\t\t\t\ttestutil.AlpineImage)\n\t\t\t\t},\n\t\t\t\t// 1 for nerdctl, 125 for docker\n\t\t\t\tExpected: test.Expects(expect.ExitCodeGenericFail, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Test hostname is not supported\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", \"--hostname\", \"test\",\n\t\t\t\t\t\t\"--network=container:\"+data.Labels().Get(\"container1\"),\n\t\t\t\t\t\ttestutil.AlpineImage)\n\t\t\t\t},\n\t\t\t\t// 1 for nerdctl, 125 for docker\n\t\t\t\tExpected: test.Expects(expect.ExitCodeGenericFail, nil, nil),\n\t\t\t},\n\t\t},\n\t}\n\ttestCase.Run(t)\n}\n\nfunc TestSharedNetworkWithNone(t *testing.T) {\n\tnerdtest.Setup()\n\ttestCase := &test.Case{\n\t\tRequire: require.Not(require.Windows),\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(\"container1\"), \"--network\", \"none\",\n\t\t\t\ttestutil.CommonImage, \"sleep\", \"inf\")\n\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier(\"container1\"))\n\t\t},\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"container1\"))\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"run\", \"--rm\",\n\t\t\t\t\"--network=container:\"+data.Identifier(\"container1\"), testutil.CommonImage)\n\t\t},\n\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, nil),\n\t}\n\ttestCase.Run(t)\n}\n\nfunc TestRunContainerInExistingNetNS(t *testing.T) {\n\tif rootlessutil.IsRootless() {\n\t\tt.Skip(\"Can't create new netns in rootless mode\")\n\t}\n\ttestutil.DockerIncompatible(t)\n\tbase := testutil.NewBase(t)\n\n\tnetNS, err := netns.NewNetNS(t.TempDir() + \"/netns\")\n\tassert.NilError(t, err)\n\terr = netNS.Do(func(netns ns.NetNS) error {\n\t\tloopback, err := netlink.LinkByName(\"lo\")\n\t\tassert.NilError(t, err)\n\t\terr = netlink.LinkSetUp(loopback)\n\t\tassert.NilError(t, err)\n\t\treturn nil\n\t})\n\tassert.NilError(t, err)\n\tdefer netNS.Remove()\n\n\tcontainerName := testutil.Identifier(t)\n\tdefer base.Cmd(\"rm\", \"-f\", containerName).AssertOK()\n\tbase.Cmd(\"run\", \"-d\", \"--name\", containerName,\n\t\t\"--network=ns:\"+netNS.GetPath(), testutil.NginxAlpineImage).AssertOK()\n\tbase.EnsureContainerStarted(containerName)\n\ttime.Sleep(3 * time.Second)\n\n\terr = netNS.Do(func(netns ns.NetNS) error {\n\t\tstdout, err := exec.Command(\"curl\", \"-s\", \"http://127.0.0.1:80\").Output()\n\t\tassert.NilError(t, err)\n\t\tassert.Assert(t, strings.Contains(string(stdout), testutil.NginxAlpineIndexHTMLSnippet))\n\t\treturn nil\n\t})\n\tassert.NilError(t, err)\n}\n\nfunc TestRunContainerWithMACAddress(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\ttID := testutil.Identifier(t)\n\tnetworkBridge := \"testNetworkBridge\" + tID\n\tnetworkMACvlan := \"testNetworkMACvlan\" + tID\n\tnetworkIPvlan := \"testNetworkIPvlan\" + tID\n\ttearDown := func() {\n\t\tbase.Cmd(\"network\", \"rm\", networkBridge).Run()\n\t\tbase.Cmd(\"network\", \"rm\", networkMACvlan).Run()\n\t\tbase.Cmd(\"network\", \"rm\", networkIPvlan).Run()\n\t}\n\n\ttearDown()\n\tt.Cleanup(tearDown)\n\n\tbase.Cmd(\"network\", \"create\", networkBridge, \"--driver\", \"bridge\").AssertOK()\n\tbase.Cmd(\"network\", \"create\", networkMACvlan, \"--driver\", \"macvlan\").AssertOK()\n\tbase.Cmd(\"network\", \"create\", networkIPvlan, \"--driver\", \"ipvlan\").AssertOK()\n\n\tdefaultMac := base.Cmd(\"run\", \"--rm\", \"-i\", \"--network\", \"host\", testutil.CommonImage).\n\t\tCmdOption(testutil.WithStdin(strings.NewReader(\"ip addr show eth0 | grep ether | awk '{printf $2}'\"))).\n\t\tRun().Stdout()\n\n\tpassedMac := \"we expect the generated mac on the output\"\n\n\ttests := []struct {\n\t\tNetwork string\n\t\tWantErr bool\n\t\tExpect string\n\t}{\n\t\t{\"host\", false, defaultMac}, // anything but the actual address being passed\n\t\t{\"none\", false, \"\"}, // nothing\n\t\t{\"container:whatever\" + tID, true, \"container\"}, // \"No such container\" vs. \"could not find container\"\n\t\t{\"bridge\", false, passedMac},\n\t\t{networkBridge, false, passedMac},\n\t\t{networkMACvlan, false, passedMac},\n\t\t{networkIPvlan, true, \"not support\"},\n\t}\n\n\tfor i, test := range tests {\n\t\tcontainerName := fmt.Sprintf(\"%s_%d\", tID, i)\n\t\ttestName := fmt.Sprintf(\"%s_container:%s_network:%s_expect:%s\", tID, containerName, test.Network, test.Expect)\n\t\texpect := test.Expect\n\t\tnetwork := test.Network\n\t\twantErr := test.WantErr\n\t\tt.Run(testName, func(tt *testing.T) {\n\t\t\ttt.Parallel()\n\n\t\t\tmacAddress, err := nettestutil.GenerateMACAddress()\n\t\t\tif err != nil {\n\t\t\t\tt.Errorf(\"failed to generate MAC address: %s\", err)\n\t\t\t}\n\t\t\tif expect == passedMac {\n\t\t\t\texpect = macAddress\n\t\t\t}\n\n\t\t\tres := base.Cmd(\"run\", \"--rm\", \"-i\", \"--network\", network, \"--mac-address\", macAddress, testutil.CommonImage).\n\t\t\t\tCmdOption(testutil.WithStdin(strings.NewReader(\"ip addr show eth0 | grep ether | awk '{printf $2}'\"))).Run()\n\n\t\t\tif wantErr {\n\t\t\t\tassert.Assert(t, res.ExitCode != 0, \"Command should have failed\", res)\n\t\t\t\tassert.Assert(t, strings.Contains(res.Combined(), expect), fmt.Sprintf(\"expected output to contain %q: %q\", expect, res.Combined()))\n\t\t\t} else {\n\t\t\t\tassert.Assert(t, res.ExitCode == 0, \"Command should have succeeded\", res)\n\t\t\t\tassert.Assert(t, strings.Contains(res.Stdout(), expect), fmt.Sprintf(\"expected output to contain %q: %q\", expect, res.Stdout()))\n\t\t\t}\n\t\t})\n\n\t}\n}\n\nfunc TestHostsFileMounts(t *testing.T) {\n\tif rootlessutil.IsRootless() {\n\t\tif detachedNetNS, _ := rootlessutil.DetachedNetNS(); detachedNetNS != \"\" {\n\t\t\tt.Skip(\"/etc/hosts is not writable\")\n\t\t}\n\t}\n\tbase := testutil.NewBase(t)\n\n\tbase.Cmd(\"run\", \"--rm\", testutil.CommonImage,\n\t\t\"sh\", \"-euxc\", \"echo >> /etc/hosts\").AssertOK()\n\tbase.Cmd(\"run\", \"--rm\", \"--network\", \"host\", testutil.CommonImage,\n\t\t\"sh\", \"-euxc\", \"echo >> /etc/hosts\").AssertOK()\n\tbase.Cmd(\"run\", \"--rm\", \"-v\", \"/etc/hosts:/etc/hosts:ro\", \"--network\", \"host\", testutil.CommonImage,\n\t\t\"sh\", \"-euxc\", \"echo >> /etc/hosts\").AssertFail()\n\t// add a line into /etc/hosts and remove it.\n\tbase.Cmd(\"run\", \"--rm\", \"-v\", \"/etc/hosts:/etc/hosts\", \"--network\", \"host\", testutil.CommonImage,\n\t\t\"sh\", \"-euxc\", \"echo >> /etc/hosts\").AssertOK()\n\tbase.Cmd(\"run\", \"--rm\", \"-v\", \"/etc/hosts:/etc/hosts\", \"--network\", \"host\", testutil.CommonImage,\n\t\t\"sh\", \"-euxc\", \"head -n -1 /etc/hosts > temp && cat temp > /etc/hosts\").AssertOK()\n\tbase.Cmd(\"run\", \"--rm\", \"--network\", \"none\", testutil.CommonImage,\n\t\t\"sh\", \"-euxc\", \"echo >> /etc/hosts\").AssertOK()\n\n\tbase.Cmd(\"run\", \"--rm\", testutil.CommonImage,\n\t\t\"sh\", \"-euxc\", \"echo >> /etc/resolv.conf\").AssertOK()\n\tbase.Cmd(\"run\", \"--rm\", \"--network\", \"host\", testutil.CommonImage,\n\t\t\"sh\", \"-euxc\", \"echo >> /etc/resolv.conf\").AssertOK()\n\tbase.Cmd(\"run\", \"--rm\", \"-v\", \"/etc/resolv.conf:/etc/resolv.conf:ro\", \"--network\", \"host\", testutil.CommonImage,\n\t\t\"sh\", \"-euxc\", \"echo >> /etc/resolv.conf\").AssertFail()\n\t// add a line into /etc/resolv.conf and remove it.\n\tbase.Cmd(\"run\", \"--rm\", \"-v\", \"/etc/resolv.conf:/etc/resolv.conf\", \"--network\", \"host\", testutil.CommonImage,\n\t\t\"sh\", \"-euxc\", \"echo >> /etc/resolv.conf\").AssertOK()\n\tbase.Cmd(\"run\", \"--rm\", \"-v\", \"/etc/resolv.conf:/etc/resolv.conf\", \"--network\", \"host\", testutil.CommonImage,\n\t\t\"sh\", \"-euxc\", \"head -n -1 /etc/resolv.conf > temp && cat temp > /etc/resolv.conf\").AssertOK()\n\tbase.Cmd(\"run\", \"--rm\", \"--network\", \"host\", testutil.CommonImage,\n\t\t\"sh\", \"-euxc\", \"echo >> /etc/resolv.conf\").AssertOK()\n}\n\nfunc TestRunContainerWithStaticIP6(t *testing.T) {\n\tif rootlessutil.IsRootless() {\n\t\tt.Skip(\"Static IP6 assignment is not supported rootless mode yet.\")\n\t}\n\tnetworkName := \"test-network\"\n\tnetworkSubnet := \"2001:db8:5::/64\"\n\t_, subnet, err := net.ParseCIDR(networkSubnet)\n\tassert.Assert(t, err == nil)\n\tbase := testutil.NewBaseWithIPv6Compatible(t)\n\tbase.Cmd(\"network\", \"create\", networkName, \"--subnet\", networkSubnet, \"--ipv6\").AssertOK()\n\tt.Cleanup(func() {\n\t\tbase.Cmd(\"network\", \"rm\", networkName).Run()\n\t})\n\ttestCases := []struct {\n\t\tip string\n\t\tshouldSuccess bool\n\t\tcheckTheIPAddress bool\n\t}{\n\t\t{\n\t\t\tip: \"\",\n\t\t\tshouldSuccess: true,\n\t\t\tcheckTheIPAddress: false,\n\t\t},\n\t\t{\n\t\t\tip: \"2001:db8:5::6\",\n\t\t\tshouldSuccess: true,\n\t\t\tcheckTheIPAddress: true,\n\t\t},\n\t\t{\n\t\t\tip: \"2001:db8:4::6\",\n\t\t\tshouldSuccess: false,\n\t\t\tcheckTheIPAddress: false,\n\t\t},\n\t}\n\ttID := testutil.Identifier(t)\n\tfor i, tc := range testCases {\n\t\ti := i\n\t\ttc := tc\n\t\ttcName := fmt.Sprintf(\"%+v\", tc)\n\t\tt.Run(tcName, func(t *testing.T) {\n\t\t\ttestContainerName := fmt.Sprintf(\"%s-%d\", tID, i)\n\t\t\tbase := testutil.NewBaseWithIPv6Compatible(t)\n\t\t\targs := []string{\n\t\t\t\t\"run\", \"--rm\", \"--name\", testContainerName, \"--network\", networkName,\n\t\t\t}\n\t\t\tif tc.ip != \"\" {\n\t\t\t\targs = append(args, \"--ip6\", tc.ip)\n\t\t\t}\n\t\t\targs = append(args, []string{testutil.NginxAlpineImage, \"ip\", \"addr\", \"show\", \"dev\", \"eth0\"}...)\n\t\t\tcmd := base.Cmd(args...)\n\t\t\tif !tc.shouldSuccess {\n\t\t\t\tcmd.AssertFail()\n\t\t\t\treturn\n\t\t\t}\n\t\t\tcmd.AssertOutWithFunc(func(stdout string) error {\n\t\t\t\tip := nerdtest.FindIPv6(stdout)\n\t\t\t\tif !subnet.Contains(ip) {\n\t\t\t\t\treturn fmt.Errorf(\"expected subnet %s include ip %s\", subnet, ip)\n\t\t\t\t}\n\t\t\t\tif tc.checkTheIPAddress {\n\t\t\t\t\tif ip.String() != tc.ip {\n\t\t\t\t\t\treturn fmt.Errorf(\"expected ip %s, got %s\", tc.ip, ip)\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\treturn nil\n\t\t\t})\n\t\t})\n\t}\n}\n\nfunc TestNoneNetworkHostName(t *testing.T) {\n\tnerdtest.Setup()\n\ttestCase := &test.Case{\n\t\tRequire: require.Not(require.Windows),\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t},\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\toutput := helpers.Capture(\"run\", \"-d\", \"--name\", data.Identifier(), \"--network\", \"none\", testutil.CommonImage, \"sleep\", \"inf\")\n\t\t\tassert.Assert(helpers.T(), len(output) > 12, output)\n\t\t\tdata.Labels().Set(\"hostname\", output[:12])\n\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"exec\", data.Identifier(), \"cat\", \"/etc/hostname\")\n\t\t},\n\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\treturn &test.Expected{\n\t\t\t\tOutput: expect.Equals(data.Labels().Get(\"hostname\") + \"\\n\"),\n\t\t\t}\n\t\t},\n\t}\n\ttestCase.Run(t)\n}\n\nfunc TestHostNetworkHostName(t *testing.T) {\n\tnerdtest.Setup()\n\ttestCase := &test.Case{\n\t\tRequire: require.Not(require.Windows),\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Custom(\"cat\", \"/etc/hostname\").Run(&test.Expected{\n\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\tdata.Labels().Set(\"hostHostname\", stdout)\n\t\t\t\t},\n\t\t\t})\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"run\", \"--rm\",\n\t\t\t\t\"--network\", \"host\",\n\t\t\t\ttestutil.AlpineImage, \"cat\", \"/etc/hostname\")\n\t\t},\n\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\treturn &test.Expected{\n\t\t\t\tOutput: expect.Equals(data.Labels().Get(\"hostHostname\")),\n\t\t\t}\n\t\t},\n\t}\n\ttestCase.Run(t)\n}\n\nfunc TestHostNetworkDnsPreserved(t *testing.T) {\n\tnerdtest.Setup()\n\ttestCase := &test.Case{\n\t\tRequire: require.Not(require.Windows),\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t// In some rootless CI job, slirp provides 10.0.2.3 as DNS server.\n\t\t\t// We cannot simply parse host /etc/resolv.conf here.\n\t\t\thelpers.Command(\"run\", \"--rm\",\n\t\t\t\t\"-v\", \"/etc/resolv.conf:/mnt/resolv.conf:ro\",\n\t\t\t\ttestutil.AlpineImage,\n\t\t\t\t\"grep\", \"-E\", \"^nameserver\\\\s+\", \"/mnt/resolv.conf\").Run(&test.Expected{\n\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\tdata.Labels().Set(\"nameservers\", stdout)\n\t\t\t\t},\n\t\t\t})\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"run\", \"--rm\",\n\t\t\t\t\"--network\", \"host\",\n\t\t\t\ttestutil.AlpineImage,\n\t\t\t\t\"grep\", \"-E\", \"^nameserver\\\\s+\", \"/etc/resolv.conf\")\n\t\t},\n\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t// container with --network=host should have same nameserver as host\n\t\t\tnameservers := data.Labels().Get(\"nameservers\")\n\t\t\treturn &test.Expected{\n\t\t\t\tOutput: expect.Equals(nameservers),\n\t\t\t}\n\t\t},\n\t}\n\ttestCase.Run(t)\n}\n\nfunc TestDefaultNetworkDnsNoLocalhost(t *testing.T) {\n\tnerdtest.Setup()\n\ttestCase := &test.Case{\n\t\tRequire: require.Not(require.Windows),\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"run\", \"--rm\",\n\t\t\t\ttestutil.AlpineImage, \"grep\", \"-E\", \"^nameserver\\\\s+(127\\\\.|::1)\", \"/etc/resolv.conf\")\n\t\t},\n\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\treturn &test.Expected{\n\t\t\t\tExitCode: 1, // no match\n\t\t\t}\n\t\t},\n\t}\n\ttestCase.Run(t)\n}\n\nfunc TestNoneNetworkDnsConfigs(t *testing.T) {\n\tnerdtest.Setup()\n\ttestCase := &test.Case{\n\t\tRequire: require.Not(require.Windows),\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"run\", \"--rm\",\n\t\t\t\t\"--network\", \"none\",\n\t\t\t\t\"--dns\", \"0.1.2.3\", \"--dns-search\", \"example.com\", \"--dns-option\", \"timeout:3\", \"--dns-option\", \"attempts:5\",\n\t\t\t\ttestutil.CommonImage, \"cat\", \"/etc/resolv.conf\")\n\t\t},\n\t\tExpected: test.Expects(0, nil, expect.Contains(\n\t\t\t\"0.1.2.3\",\n\t\t\t\"example.com\",\n\t\t\t\"attempts:5\",\n\t\t\t\"timeout:3\",\n\t\t)),\n\t}\n\ttestCase.Run(t)\n}\n\nfunc TestHostNetworkDnsConfigs(t *testing.T) {\n\tnerdtest.Setup()\n\ttestCase := &test.Case{\n\t\tRequire: require.Not(require.Windows),\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"run\", \"--rm\",\n\t\t\t\t\"--network\", \"host\",\n\t\t\t\t\"--dns\", \"0.1.2.3\", \"--dns-search\", \"example.com\", \"--dns-option\", \"timeout:3\", \"--dns-option\", \"attempts:5\",\n\t\t\t\ttestutil.CommonImage, \"cat\", \"/etc/resolv.conf\")\n\t\t},\n\t\tExpected: test.Expects(0, nil, expect.Contains(\n\t\t\t\"0.1.2.3\",\n\t\t\t\"example.com\",\n\t\t\t\"attempts:5\",\n\t\t\t\"timeout:3\",\n\t\t)),\n\t}\n\ttestCase.Run(t)\n}\n\nfunc TestDNSWithGlobalConfig(t *testing.T) {\n\tvar configContent test.ConfigValue = `debug = false\ndebug_full = false\ndns = [\"10.10.10.10\", \"20.20.20.20\"]\ndns_opts = [\"ndots:2\", \"timeout:5\"]\ndns_search = [\"example.com\", \"test.local\"]`\n\n\tnerdtest.Setup()\n\n\ttestCase := &test.Case{\n\t\tConfig: test.WithConfig(nerdtest.NerdctlToml, configContent),\n\t\t// NERDCTL_TOML not supported in Docker\n\t\tRequire: require.Not(nerdtest.Docker),\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"Global DNS settings are used when command line options are not provided\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\tnerdctlTomlContent := string(helpers.Read(nerdtest.NerdctlToml))\n\t\t\t\t\thelpers.T().Log(\"NERDCTL_TOML file content:\\n%s\", nerdctlTomlContent)\n\t\t\t\t\tcmd := helpers.Command(\"run\", \"--rm\", testutil.CommonImage, \"cat\", \"/etc/resolv.conf\")\n\t\t\t\t\treturn cmd\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.All(\n\t\t\t\t\texpect.Contains(\"nameserver 10.10.10.10\"),\n\t\t\t\t\texpect.Contains(\"nameserver 20.20.20.20\"),\n\t\t\t\t\texpect.Contains(\"search example.com test.local\"),\n\t\t\t\t\texpect.Contains(\"options ndots:2 timeout:5\"),\n\t\t\t\t)),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Command line DNS options override global config\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\tnerdctlTomlContent := string(helpers.Read(nerdtest.NerdctlToml))\n\t\t\t\t\thelpers.T().Log(\"NERDCTL_TOML file content:\\n%s\", nerdctlTomlContent)\n\t\t\t\t\tcmd := helpers.Command(\"run\", \"--rm\",\n\t\t\t\t\t\t\"--dns\", \"9.9.9.9\",\n\t\t\t\t\t\t\"--dns-search\", \"override.com\",\n\t\t\t\t\t\t\"--dns-opt\", \"ndots:3\",\n\t\t\t\t\t\ttestutil.CommonImage, \"cat\", \"/etc/resolv.conf\")\n\t\t\t\t\treturn cmd\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.All(\n\t\t\t\t\texpect.Contains(\"nameserver 9.9.9.9\"),\n\t\t\t\t\texpect.Contains(\"search override.com\"),\n\t\t\t\t\texpect.Contains(\"options ndots:3\"),\n\t\t\t\t)),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Global DNS settings should also apply when using host network\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\tnerdctlTomlContent := string(helpers.Read(nerdtest.NerdctlToml))\n\t\t\t\t\thelpers.T().Log(\"NERDCTL_TOML file content:\\n%s\", nerdctlTomlContent)\n\t\t\t\t\tcmd := helpers.Command(\"run\", \"--rm\", \"--network\", \"host\",\n\t\t\t\t\t\ttestutil.CommonImage, \"cat\", \"/etc/resolv.conf\")\n\t\t\t\t\treturn cmd\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.All(\n\t\t\t\t\texpect.Contains(\"nameserver 10.10.10.10\"),\n\t\t\t\t\texpect.Contains(\"nameserver 20.20.20.20\"),\n\t\t\t\t\texpect.Contains(\"search example.com test.local\"),\n\t\t\t\t\texpect.Contains(\"options ndots:2 timeout:5\"),\n\t\t\t\t)),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Global DNS settings should also apply when using none network\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\tnerdctlTomlContent := string(helpers.Read(nerdtest.NerdctlToml))\n\t\t\t\t\thelpers.T().Log(\"NERDCTL_TOML file content:\\n%s\", nerdctlTomlContent)\n\t\t\t\t\tcmd := helpers.Command(\"run\", \"--rm\", \"--network\", \"none\",\n\t\t\t\t\t\ttestutil.CommonImage, \"cat\", \"/etc/resolv.conf\")\n\t\t\t\t\treturn cmd\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.All(\n\t\t\t\t\texpect.Contains(\"nameserver 10.10.10.10\"),\n\t\t\t\t\texpect.Contains(\"nameserver 20.20.20.20\"),\n\t\t\t\t\texpect.Contains(\"search example.com test.local\"),\n\t\t\t\t\texpect.Contains(\"options ndots:2 timeout:5\"),\n\t\t\t\t)),\n\t\t\t},\n\t\t},\n\t}\n\ttestCase.Run(t)\n}\n\n// TestReservePorts tests that a published port appears\n// as a listening port on the host.\n// See https://github.com/containerd/nerdctl/pull/4526\nfunc TestReservePorts(t *testing.T) {\n\tnerdtest.Setup()\n\ttestCase := &test.Case{\n\t\tRequire: require.All(\n\t\t\trequire.Not(require.Windows),\n\t\t\trequire.Not(nerdtest.RootlessWithoutDetachNetNS), // RootlessKit v1\n\t\t),\n\t\tNoParallel: true,\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"TCP\",\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(\"nginx\"),\n\t\t\t\t\t\t\"-p\", \"60080:80\", testutil.NginxAlpineImage)\n\t\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier(\"nginx\"))\n\t\t\t\t\ttime.Sleep(3 * time.Second)\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"nginx\"))\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\",\n\t\t\t\t\t\t\"--network=host\", testutil.CommonImage, \"netstat\", \"-lnt\")\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.All(\n\t\t\t\t\texpect.Contains(\":60080\"),\n\t\t\t\t)),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"UDP\",\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(\"coredns\"),\n\t\t\t\t\t\t\"-p\", \"60053:53/udp\", testutil.CoreDNSImage)\n\t\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier(\"coredns\"))\n\t\t\t\t\ttime.Sleep(3 * time.Second)\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"coredns\"))\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\",\n\t\t\t\t\t\t\"--network=host\", testutil.CommonImage, \"netstat\", \"-lnu\")\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.All(\n\t\t\t\t\texpect.Contains(\":60053\"),\n\t\t\t\t)),\n\t\t\t},\n\t\t},\n\t}\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_run_network_windows_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"fmt\"\n\t\"regexp\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/Microsoft/hcsshim\"\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/defaults\"\n\t\"github.com/containerd/nerdctl/v2/pkg/netutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n)\n\n// TestRunInternetConnectivity tests Internet connectivity by pinging github.com.\nfunc TestRunInternetConnectivity(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\n\ttype testCase struct {\n\t\targs []string\n\t}\n\ttestCases := []testCase{\n\t\t{\n\t\t\targs: []string{\"--net\", \"nat\"},\n\t\t},\n\t}\n\tfor _, tc := range testCases {\n\t\ttc := tc // IMPORTANT\n\t\tname := \"default\"\n\t\tif len(tc.args) > 0 {\n\t\t\tname = strings.Join(tc.args, \"_\")\n\t\t}\n\t\tt.Run(name, func(t *testing.T) {\n\t\t\targs := []string{\"run\", \"--rm\"}\n\t\t\targs = append(args, tc.args...)\n\t\t\t// TODO(aznashwan): smarter way to ensure internet connectivity is working.\n\t\t\t// ping doesn't seem to work on GitHub Actions (\"Request timed out.\")\n\t\t\targs = append(args, testutil.CommonImage, \"curl.exe -sSL https://github.com\")\n\t\t\tcmd := base.Cmd(args...)\n\t\t\tcmd.AssertOutContains(\"\")\n\t\t})\n\t}\n}\n\nfunc TestRunPort(t *testing.T) {\n\t// NOTE: currently no isolation between the loopback and host namespaces on Windows.\n\tbaseTestRunPort(t, testutil.NginxAlpineImage, testutil.NginxAlpineIndexHTMLSnippet, false)\n}\n\n// Checks whether an HNS endpoint with a name matching exists.\nfunc listHnsEndpointsRegex(hnsEndpointNameRegex string) ([]hcsshim.HNSEndpoint, error) {\n\tr, err := regexp.Compile(hnsEndpointNameRegex)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\thnsEndpoints, err := hcsshim.HNSListEndpointRequest()\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to list HNS endpoints for request: %w\", err)\n\t}\n\n\tres := []hcsshim.HNSEndpoint{}\n\tfor _, endp := range hnsEndpoints {\n\t\tif r.Match([]byte(endp.Name)) {\n\t\t\tres = append(res, endp)\n\t\t}\n\t}\n\treturn res, nil\n}\n\n// Asserts whether the container with the provided has any HNS endpoints with the expected\n// naming format (`${container_id}_${network_name}`) for all of the provided network names.\n// The container ID can be a regex.\nfunc assertHnsEndpointsExistence(t *testing.T, shouldExist bool, containerIDRegex string, networkNames ...string) {\n\tfor _, netName := range networkNames {\n\t\tendpointName := fmt.Sprintf(\"%s_%s\", containerIDRegex, netName)\n\n\t\ttestName := fmt.Sprintf(\"hns_endpoint_%s_shouldExist_%t\", endpointName, shouldExist)\n\t\tt.Run(testName, func(t *testing.T) {\n\t\t\tmatchingEndpoints, err := listHnsEndpointsRegex(endpointName)\n\t\t\tassert.NilError(t, err)\n\t\t\tif shouldExist {\n\t\t\t\tassert.Equal(t, len(matchingEndpoints), 1)\n\t\t\t\tassert.Equal(t, matchingEndpoints[0].Name, endpointName)\n\t\t\t} else {\n\t\t\t\tassert.Equal(t, len(matchingEndpoints), 0)\n\t\t\t}\n\t\t})\n\t}\n}\n\n// Tests whether HNS endpoints are properly created and managed throughout the lifecycle of a container.\nfunc TestHnsEndpointsExistDuringContainerLifecycle(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\n\ttestNet, err := getTestingNetwork()\n\tassert.NilError(t, err)\n\n\ttID := testutil.Identifier(t)\n\tdefer base.Cmd(\"rm\", \"-f\", tID).Run()\n\tcmd := base.Cmd(\n\t\t\"create\",\n\t\t\"--name\", tID,\n\t\t\"--net\", testNet.Name,\n\t\ttestutil.CommonImage,\n\t\t\"bash\", \"-c\",\n\t\t// NOTE: the BusyBox image used in Windows testing's `sleep` binary\n\t\t// does not support the `infinity` argument.\n\t\t\"tail\", \"-f\",\n\t)\n\tt.Logf(\"Creating HNS lifecycle test container with command: %q\", strings.Join(cmd.Command, \" \"))\n\tcontainerID := strings.TrimSpace(cmd.Run().Stdout())\n\tt.Logf(\"HNS endpoint lifecycle test container ID: %q\", containerID)\n\n\t// HNS endpoints should be allocated on container creation.\n\tassertHnsEndpointsExistence(t, true, containerID, testNet.Name)\n\n\t// Starting and stopping the container should NOT affect/change the endpoints.\n\tbase.Cmd(\"start\", containerID).AssertOK()\n\tassertHnsEndpointsExistence(t, true, containerID, testNet.Name)\n\n\tbase.Cmd(\"stop\", containerID).AssertOK()\n\tassertHnsEndpointsExistence(t, true, containerID, testNet.Name)\n\n\t// Removing the container should remove the HNS endpoints.\n\tbase.Cmd(\"rm\", containerID).AssertOK()\n\tassertHnsEndpointsExistence(t, false, containerID, testNet.Name)\n}\n\n// Returns a network to be used for testing.\n// Note: currently hardcoded to return the default network, as `network create`\n// does not work on Windows.\nfunc getTestingNetwork() (*netutil.NetworkConfig, error) {\n\t// NOTE: cannot currently `nerdctl network create` on Windows so we use a pre-existing network:\n\tcniEnv, err := netutil.NewCNIEnv(defaults.CNIPath(), defaults.CNINetConfPath())\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn cniEnv.GetDefaultNetworkConfig()\n}\n\n// Tests whether HNS endpoints are properly removed when running `run --rm`.\nfunc TestHnsEndpointsRemovedAfterAttachedRun(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\n\ttestNet, err := getTestingNetwork()\n\tassert.NilError(t, err)\n\n\t// NOTE: because we cannot set/obtain the ID of the container to check for the exact HNS\n\t// endpoint name, we record the number of HNS endpoints on the testing network and\n\t// ensure it remains constant until after the test.\n\texistingEndpoints, err := listHnsEndpointsRegex(fmt.Sprintf(\".*_%s\", testNet.Name))\n\tassert.NilError(t, err)\n\toriginalEndpointsCount := len(existingEndpoints)\n\n\ttID := testutil.Identifier(t)\n\tbase.Cmd(\n\t\t\"run\",\n\t\t\"--name\",\n\t\ttID,\n\t\t\"--rm\",\n\t\t\"--net\", testNet.Name,\n\t\ttestutil.CommonImage,\n\t\t\"ipconfig\", \"/all\",\n\t).AssertOK()\n\n\texistingEndpoints, err = listHnsEndpointsRegex(fmt.Sprintf(\".*_%s\", testNet.Name))\n\tassert.NilError(t, err)\n\tassert.Equal(t, originalEndpointsCount, len(existingEndpoints), \"the number of HNS endpoints should equal pre-test amount\")\n}\n" }, { "path": "cmd/nerdctl/container/container_run_nolinux.go", "content": "//go:build !linux\n\n/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"github.com/spf13/cobra\"\n)\n\nfunc capShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\tcandidates := []string{}\n\treturn candidates, cobra.ShellCompDirectiveNoFileComp\n}\n" }, { "path": "cmd/nerdctl/container/container_run_restart_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"os/exec\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"gotest.tools/v3/assert\"\n\t\"gotest.tools/v3/poll\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nettestutil\"\n)\n\nfunc TestRunRestart(t *testing.T) {\n\tconst (\n\t\thostPort = 8080\n\t)\n\ttestContainerName := testutil.Identifier(t)\n\tif testing.Short() {\n\t\tt.Skipf(\"test is long\")\n\t}\n\tbase := testutil.NewBase(t)\n\tif !base.DaemonIsKillable {\n\t\tt.Skip(\"daemon is not killable (hint: set \\\"-test.allow-kill-daemon\\\")\")\n\t}\n\tt.Log(\"NOTE: this test may take a while\")\n\n\tdefer base.Cmd(\"rm\", \"-f\", testContainerName).Run()\n\n\tbase.Cmd(\"run\", \"-d\",\n\t\t\"--restart=always\",\n\t\t\"--name\", testContainerName,\n\t\t\"-p\", fmt.Sprintf(\"127.0.0.1:%d:80\", hostPort),\n\t\ttestutil.NginxAlpineImage).AssertOK()\n\n\tcheck := func(httpGetRetry int) error {\n\t\tresp, err := nettestutil.HTTPGet(fmt.Sprintf(\"http://127.0.0.1:%d\", hostPort), httpGetRetry, false)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trespBody, err := io.ReadAll(resp.Body)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif !strings.Contains(string(respBody), testutil.NginxAlpineIndexHTMLSnippet) {\n\t\t\treturn fmt.Errorf(\"expected contain %q, got %q\",\n\t\t\t\ttestutil.NginxAlpineIndexHTMLSnippet, string(respBody))\n\t\t}\n\t\treturn nil\n\t}\n\tassert.NilError(t, check(5))\n\n\tbase.KillDaemon()\n\tbase.EnsureDaemonActive()\n\n\tconst (\n\t\tmaxRetry = 30\n\t\tsleep = 3 * time.Second\n\t)\n\tfor i := 0; i < maxRetry; i++ {\n\t\tt.Logf(\"(retry %d) ps -a: %q\", i, base.Cmd(\"ps\", \"-a\").Run().Combined())\n\t\terr := check(1)\n\t\tif err == nil {\n\t\t\tt.Logf(\"test is passing, after %d retries\", i)\n\t\t\treturn\n\t\t}\n\t\ttime.Sleep(sleep)\n\t}\n\tbase.DumpDaemonLogs(10)\n\tt.Fatalf(\"the container does not seem to be restarted\")\n}\n\nfunc TestRunRestartWithOnFailure(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\tif !nerdtest.IsDocker() {\n\t\ttestutil.RequireContainerdPlugin(base, \"io.containerd.internal.v1\", \"restart\", []string{\"on-failure\"})\n\t}\n\ttID := testutil.Identifier(t)\n\tdefer base.Cmd(\"rm\", \"-f\", tID).Run()\n\tbase.Cmd(\"run\", \"-d\", \"--restart=on-failure:2\", \"--name\", tID, testutil.AlpineImage, \"sh\", \"-c\", \"exit 1\").AssertOK()\n\n\tcheck := func(log poll.LogT) poll.Result {\n\t\tinspect := base.InspectContainer(tID)\n\t\tif inspect.State != nil && inspect.State.Status == \"exited\" {\n\t\t\treturn poll.Success()\n\t\t}\n\t\treturn poll.Continue(\"container is not yet exited\")\n\t}\n\tpoll.WaitOn(t, check, poll.WithDelay(100*time.Microsecond), poll.WithTimeout(60*time.Second))\n\tinspect := base.InspectContainer(tID)\n\tassert.Equal(t, inspect.RestartCount, 2)\n}\n\nfunc TestRunRestartWithUnlessStopped(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\tif !nerdtest.IsDocker() {\n\t\ttestutil.RequireContainerdPlugin(base, \"io.containerd.internal.v1\", \"restart\", []string{\"unless-stopped\"})\n\t}\n\ttID := testutil.Identifier(t)\n\tdefer base.Cmd(\"rm\", \"-f\", tID).Run()\n\tbase.Cmd(\"run\", \"-d\", \"--restart=unless-stopped\", \"--name\", tID, testutil.AlpineImage, \"sh\", \"-c\", \"exit 1\").AssertOK()\n\n\tcheck := func(log poll.LogT) poll.Result {\n\t\tinspect := base.InspectContainer(tID)\n\t\tif inspect.State != nil && inspect.State.Status == \"exited\" {\n\t\t\treturn poll.Success()\n\t\t}\n\t\tif inspect.RestartCount == 2 {\n\t\t\tbase.Cmd(\"stop\", tID).AssertOK()\n\t\t}\n\t\treturn poll.Continue(\"container is not yet exited\")\n\t}\n\tpoll.WaitOn(t, check, poll.WithDelay(100*time.Microsecond), poll.WithTimeout(60*time.Second))\n\tinspect := base.InspectContainer(tID)\n\tassert.Equal(t, inspect.RestartCount, 2)\n}\n\nfunc TestUpdateRestartPolicy(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\tif !nerdtest.IsDocker() {\n\t\ttestutil.RequireContainerdPlugin(base, \"io.containerd.internal.v1\", \"restart\", []string{\"on-failure\"})\n\t}\n\ttID := testutil.Identifier(t)\n\tdefer base.Cmd(\"rm\", \"-f\", tID).Run()\n\tbase.Cmd(\"run\", \"-d\", \"--restart=on-failure:1\", \"--name\", tID, testutil.AlpineImage, \"sh\", \"-c\", \"exit 1\").AssertOK()\n\tbase.Cmd(\"update\", \"--restart=on-failure:2\", tID).AssertOK()\n\tcheck := func(log poll.LogT) poll.Result {\n\t\tinspect := base.InspectContainer(tID)\n\t\tif inspect.State != nil && inspect.State.Status == \"exited\" {\n\t\t\treturn poll.Success()\n\t\t}\n\t\treturn poll.Continue(\"container is not yet exited\")\n\t}\n\tpoll.WaitOn(t, check, poll.WithDelay(100*time.Microsecond), poll.WithTimeout(60*time.Second))\n\tinspect := base.InspectContainer(tID)\n\tassert.Equal(t, inspect.RestartCount, 2)\n}\n\n// The test is to add a restart policy to a container which has not restart policy before,\n// and check it can work correctly.\nfunc TestAddRestartPolicy(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\tif !nerdtest.IsDocker() {\n\t\ttestutil.RequireContainerdPlugin(base, \"io.containerd.internal.v1\", \"restart\", []string{\"on-failure\"})\n\t}\n\ttID := testutil.Identifier(t)\n\tdefer base.Cmd(\"rm\", \"-f\", tID).Run()\n\tbase.Cmd(\"run\", \"-d\", \"--name\", tID, testutil.NginxAlpineImage).AssertOK()\n\tbase.Cmd(\"update\", \"--restart=on-failure\", tID).AssertOK()\n\tinspect := base.InspectContainer(tID)\n\torgialPid := inspect.State.Pid\n\texec.Command(\"kill\", \"-9\", fmt.Sprintf(\"%v\", orgialPid)).Run()\n\n\tcheck := func(log poll.LogT) poll.Result {\n\t\tinspect := base.InspectContainer(tID)\n\t\tif inspect.State != nil && inspect.State.Status == \"running\" && inspect.State.Pid != orgialPid {\n\t\t\treturn poll.Success()\n\t\t}\n\t\treturn poll.Continue(\"container is not yet running\")\n\t}\n\tpoll.WaitOn(t, check, poll.WithDelay(100*time.Microsecond), poll.WithTimeout(60*time.Second))\n\tinspect = base.InspectContainer(tID)\n\tassert.Equal(t, inspect.RestartCount, 1)\n}\n" }, { "path": "cmd/nerdctl/container/container_run_runtime_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestRunSysctl(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Command = test.Command(\"run\", \"--rm\", \"--sysctl\", \"net.ipv4.ip_forward=1\", testutil.AlpineImage, \"cat\", \"/proc/sys/net/ipv4/ip_forward\")\n\ttestCase.Expected = test.Expects(0, nil, expect.Equals(\"1\\n\"))\n\n\ttestCase.Run(t)\n}\n\nfunc TestRunSysctl_DefaultUnprivilegedPortStart(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\t// No --sysctl flags, default network mode (non-host).\n\t// We expect net.ipv4.ip_unprivileged_port_start=0 inside the container,\n\t// because withDefaultUnprivilegedPortSysctl should apply the default.\n\ttestCase.Command = test.Command(\"run\", \"--rm\", testutil.AlpineImage, \"cat\", \"/proc/sys/net/ipv4/ip_unprivileged_port_start\")\n\ttestCase.Expected = test.Expects(0, nil, expect.Equals(\"0\\n\"))\n\n\ttestCase.Run(t)\n}\n\nfunc TestRunSysctl_UnprivilegedPortStartOverride(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\t// User explicitly sets net.ipv4.ip_unprivileged_port_start=1000.\n\t// We must NOT override this; the container should see \"1000\".\n\ttestCase.Command = test.Command(\"run\", \"--rm\", \"--sysctl\", \"net.ipv4.ip_unprivileged_port_start=1000\", testutil.AlpineImage, \"cat\", \"/proc/sys/net/ipv4/ip_unprivileged_port_start\")\n\ttestCase.Expected = test.Expects(0, nil, expect.Equals(\"1000\\n\"))\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_run_security_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"os/exec\"\n\t\"strconv\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/apparmorutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/rootlessutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n)\n\nfunc getCapEff(base *testutil.Base, args ...string) uint64 {\n\tfullArgs := []string{\"run\", \"--rm\"}\n\tfullArgs = append(fullArgs, args...)\n\tfullArgs = append(fullArgs,\n\t\ttestutil.AlpineImage,\n\t\t\"sh\",\n\t\t\"-euc\",\n\t\t\"grep -w ^CapEff: /proc/self/status | sed -e \\\"s/^CapEff:[[:space:]]*//g\\\"\",\n\t)\n\tcmd := base.Cmd(fullArgs...)\n\tres := cmd.Run()\n\tassert.NilError(base.T, res.Error)\n\ts := strings.TrimSpace(res.Stdout())\n\tui64, err := strconv.ParseUint(s, 16, 64)\n\tassert.NilError(base.T, err)\n\treturn ui64\n}\n\nconst (\n\tCapNetRaw = 13\n\tCapIPCLock = 14\n)\n\nfunc TestRunCap(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\n\t// allCaps varies depending on the target version and the kernel version.\n\tallCaps := getCapEff(base, \"--privileged\")\n\n\t// https://github.com/containerd/containerd/blob/9a9bd097564b0973bfdb0b39bf8262aa1b7da6aa/oci/spec.go#L93\n\tdefaultCaps := uint64(0xa80425fb)\n\n\tt.Logf(\"allCaps=%016x\", allCaps)\n\n\ttype testCase struct {\n\t\targs []string\n\t\tcapEff uint64\n\t}\n\ttestCases := []testCase{\n\t\t{\n\t\t\tcapEff: allCaps & defaultCaps,\n\t\t},\n\t\t{\n\t\t\targs: []string{\"--cap-add=all\"},\n\t\t\tcapEff: allCaps,\n\t\t},\n\t\t{\n\t\t\targs: []string{\"--cap-add=ipc_lock\"},\n\t\t\tcapEff: (allCaps & defaultCaps) | (1 << CapIPCLock),\n\t\t},\n\t\t{\n\t\t\targs: []string{\"--cap-add=all\", \"--cap-drop=net_raw\"},\n\t\t\tcapEff: allCaps ^ (1 << CapNetRaw),\n\t\t},\n\t\t{\n\t\t\targs: []string{\"--cap-drop=all\", \"--cap-add=net_raw\"},\n\t\t\tcapEff: 1 << CapNetRaw,\n\t\t},\n\t\t{\n\t\t\targs: []string{\"--cap-drop=all\", \"--cap-add=NET_RAW\"},\n\t\t\tcapEff: 1 << CapNetRaw,\n\t\t},\n\t\t{\n\t\t\targs: []string{\"--cap-drop=all\", \"--cap-add=cap_net_raw\"},\n\t\t\tcapEff: 1 << CapNetRaw,\n\t\t},\n\t\t{\n\t\t\targs: []string{\"--cap-drop=all\", \"--cap-add=CAP_NET_RAW\"},\n\t\t\tcapEff: 1 << CapNetRaw,\n\t\t},\n\t}\n\tfor _, tc := range testCases {\n\t\ttc := tc // IMPORTANT\n\t\tname := \"default\"\n\t\tif len(tc.args) > 0 {\n\t\t\tname = strings.Join(tc.args, \"_\")\n\t\t}\n\t\tt.Run(name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tgot := getCapEff(base, tc.args...)\n\t\t\tassert.Equal(t, tc.capEff, got)\n\t\t})\n\t}\n}\n\nfunc TestRunSecurityOptSeccomp(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\ttype testCase struct {\n\t\targs []string\n\t\tseccomp int\n\t}\n\ttestCases := []testCase{\n\t\t{\n\t\t\tseccomp: 2,\n\t\t},\n\t\t{\n\t\t\targs: []string{\"--security-opt\", \"seccomp=unconfined\"},\n\t\t\tseccomp: 0,\n\t\t},\n\t\t{\n\t\t\targs: []string{\"--privileged\"},\n\t\t\tseccomp: 0,\n\t\t},\n\t}\n\tfor _, tc := range testCases {\n\t\ttc := tc // IMPORTANT\n\t\tname := \"default\"\n\t\tif len(tc.args) > 0 {\n\t\t\tname = strings.Join(tc.args, \"_\")\n\t\t}\n\t\tt.Run(name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\targs := []string{\"run\", \"--rm\"}\n\t\t\targs = append(args, tc.args...)\n\t\t\t// NOTE: busybox grep does not support -oP \\K\n\t\t\targs = append(args, testutil.AlpineImage, \"grep\", \"-Eo\", `^Seccomp:\\s*([0-9]+)`, \"/proc/1/status\")\n\t\t\tcmd := base.Cmd(args...)\n\t\t\tf := func(expectedSeccomp int) func(string) error {\n\t\t\t\treturn func(stdout string) error {\n\t\t\t\t\ts := strings.TrimPrefix(stdout, \"Seccomp:\")\n\t\t\t\t\ts = strings.TrimSpace(s)\n\t\t\t\t\ti, err := strconv.Atoi(s)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\treturn fmt.Errorf(\"failed to parse line %q: %w\", stdout, err)\n\t\t\t\t\t}\n\t\t\t\t\tif i != expectedSeccomp {\n\t\t\t\t\t\treturn fmt.Errorf(\"expected Seccomp to be %d, got %d\", expectedSeccomp, i)\n\t\t\t\t\t}\n\t\t\t\t\treturn nil\n\t\t\t\t}\n\t\t\t}\n\t\t\tcmd.AssertOutWithFunc(f(tc.seccomp))\n\t\t})\n\t}\n}\n\nfunc TestRunApparmor(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\tdefaultProfile := fmt.Sprintf(\"%s-default\", base.Target)\n\tif !apparmorutil.CanLoadNewProfile() && !apparmorutil.CanApplySpecificExistingProfile(defaultProfile) {\n\t\tt.Skipf(\"needs to be able to apply %q profile\", defaultProfile)\n\t}\n\tattrCurrentPath := \"/proc/self/attr/apparmor/current\"\n\tif _, err := os.Stat(attrCurrentPath); err != nil {\n\t\tattrCurrentPath = \"/proc/self/attr/current\"\n\t}\n\tattrCurrentEnforceExpected := fmt.Sprintf(\"%s (enforce)\\n\", defaultProfile)\n\tbase.Cmd(\"run\", \"--rm\", testutil.AlpineImage, \"cat\", attrCurrentPath).AssertOutExactly(attrCurrentEnforceExpected)\n\tbase.Cmd(\"run\", \"--rm\", \"--security-opt\", \"apparmor=\"+defaultProfile, testutil.AlpineImage, \"cat\", attrCurrentPath).AssertOutExactly(attrCurrentEnforceExpected)\n\tbase.Cmd(\"run\", \"--rm\", \"--security-opt\", \"apparmor=unconfined\", testutil.AlpineImage, \"cat\", attrCurrentPath).AssertOutContains(\"unconfined\")\n\tbase.Cmd(\"run\", \"--rm\", \"--privileged\", testutil.AlpineImage, \"cat\", attrCurrentPath).AssertOutContains(\"unconfined\")\n}\n\n// TestRunSeccompCapSysPtrace tests https://github.com/containerd/nerdctl/issues/976\nfunc TestRunSeccompCapSysPtrace(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\tbase.Cmd(\"run\", \"--rm\", \"--cap-add\", \"sys_ptrace\", testutil.AlpineImage, \"sh\", \"-euxc\", \"apk add -q strace && strace true\").AssertOK()\n\t// Docker/Moby 's seccomp profile allows ptrace(2) by default, but containerd does not (yet): https://github.com/containerd/containerd/issues/6802\n}\n\nfunc TestRunSystemPathsUnconfined(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\n\tconst findmnt = \"`apk add -q findmnt && findmnt -R /proc && findmnt -R /sys`\"\n\tresult := base.Cmd(\"run\", \"--rm\", testutil.AlpineImage, \"sh\", \"-euxc\", findmnt).Run()\n\tdefaultContainerOutput := result.Combined()\n\n\tvar confined []string\n\n\tfor _, path := range []string{\n\t\t\"/proc/kcore\",\n\t\t\"/proc/keys\",\n\t\t\"/proc/latency_stats\",\n\t\t\"/proc/sched_debug\",\n\t\t\"/proc/scsi\",\n\t\t\"/proc/timer_list\",\n\t\t\"/proc/timer_stats\",\n\t\t\"/sys/firmware\",\n\t\t\"/sys/fs/selinux\",\n\t} {\n\t\t// Not each distribution will support every masked path here.\n\t\tif strings.Contains(defaultContainerOutput, path) {\n\t\t\tconfined = append(confined, path)\n\t\t}\n\t}\n\n\tassert.Check(t, len(confined) != 0, \"Default container has no confined paths to validate\")\n\n\tresult = base.Cmd(\"run\", \"--rm\", \"--security-opt\", \"systempaths=unconfined\", testutil.AlpineImage, \"sh\", \"-euxc\", findmnt).Run()\n\tunconfinedContainerOutput := result.Combined()\n\n\tfor _, path := range confined {\n\t\tassert.Assert(t, !strings.Contains(unconfinedContainerOutput, path), fmt.Sprintf(\"%s should not be masked when unconfined\", path))\n\t}\n\n\tfor _, path := range []string{\n\t\t\"/proc/acpi\",\n\t\t\"/proc/bus\",\n\t\t\"/proc/fs\",\n\t\t\"/proc/irq\",\n\t\t\"/proc/sysrq-trigger\",\n\t\t\"/proc/sys\",\n\t} {\n\t\tfindmntPath := fmt.Sprintf(\"`apk add -q findmnt && findmnt %s`\", path)\n\n\t\tresult := base.Cmd(\"run\", \"--rm\", testutil.AlpineImage, \"sh\", \"-euxc\", findmntPath).Run()\n\n\t\t// Not each distribution will support every read-only path here.\n\t\tif strings.Contains(result.Combined(), path) {\n\t\t\tresult = base.Cmd(\"run\", \"--rm\", \"--security-opt\", \"systempaths=unconfined\", testutil.AlpineImage, \"sh\", \"-euxc\", findmntPath).Run()\n\t\t\tassert.Assert(t, !strings.Contains(result.Combined(), \"ro,\"), fmt.Sprintf(\"%s should not be read-only when unconfined\", path))\n\t\t}\n\t}\n}\n\nfunc TestRunPrivileged(t *testing.T) {\n\t// docker does not support --privileged-without-host-devices\n\ttestutil.DockerIncompatible(t)\n\n\tif rootlessutil.IsRootless() {\n\t\tt.Skip(\"test skipped for rootless privileged containers\")\n\t}\n\n\tbase := testutil.NewBase(t)\n\n\tdevPath := \"/dev/dummy-zero\"\n\n\t// a dummy zero device: mknod /dev/dummy-zero c 1 5\n\thelperCmd := exec.Command(\"mknod\", []string{devPath, \"c\", \"1\", \"5\"}...)\n\tif out, err := helperCmd.CombinedOutput(); err != nil {\n\t\terr = fmt.Errorf(\"cannot create %q: %q: %w\", devPath, string(out), err)\n\t\tt.Fatal(err)\n\t}\n\n\t// ensure the file will be removed in case of failed in the test\n\tdefer func() {\n\t\texec.Command(\"rm\", devPath).Run()\n\t}()\n\n\t// get device with host devices\n\tbase.Cmd(\"run\", \"--rm\", \"--privileged\", testutil.AlpineImage, \"ls\", devPath).AssertOutExactly(devPath + \"\\n\")\n\n\t// get device without host devices\n\tres := base.Cmd(\"run\", \"--rm\", \"--privileged\", \"--security-opt\", \"privileged-without-host-devices\", testutil.AlpineImage, \"ls\", devPath).Run()\n\n\t// normally for not a exists file, the `ls` will return `1``.\n\tassert.Check(t, res.ExitCode != 0, res)\n\n\t// something like `ls: /dev/dummy-zero: No such file or directory`\n\tassert.Check(t, strings.Contains(res.Combined(), \"No such file or directory\"))\n}\n" }, { "path": "cmd/nerdctl/container/container_run_soci_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"strconv\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestRunSoci(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = require.All(\n\t\trequire.Not(nerdtest.Docker),\n\t\trequire.Amd64,\n\t\tnerdtest.Soci,\n\t)\n\n\t// Tests relying on the output of \"mount\" cannot be run in parallel obviously\n\ttestCase.NoParallel = true\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Custom(\"mount\").Run(&test.Expected{\n\t\t\tExitCode: 0,\n\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\tdata.Labels().Set(\"beforeCount\", strconv.Itoa(strings.Count(stdout, \"fuse.rawBridge\")))\n\t\t\t},\n\t\t})\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rmi\", \"-f\", testutil.FfmpegSociImage)\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"--snapshotter=soci\", \"run\", \"--rm\", testutil.FfmpegSociImage)\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\tvar afterCount int\n\t\t\t\tbeforeCount, _ := strconv.Atoi(data.Labels().Get(\"beforeCount\"))\n\n\t\t\t\thelpers.Custom(\"mount\").Run(&test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tafterCount = strings.Count(stdout, \"fuse.rawBridge\")\n\t\t\t\t\t},\n\t\t\t\t})\n\n\t\t\t\tassert.Equal(t, 11, afterCount-beforeCount, \"expected the number of fuse.rawBridge\")\n\t\t\t},\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_run_stargz_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestRunStargz(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = require.All(\n\t\tnerdtest.Stargz,\n\t\trequire.Amd64,\n\t\trequire.Not(nerdtest.Docker),\n\t)\n\n\ttestCase.Command = test.Command(\"--snapshotter=stargz\", \"run\", \"--quiet\", \"--rm\", testutil.FedoraESGZImage, \"ls\", \"/.stargz-snapshotter\")\n\n\ttestCase.Expected = test.Expects(0, nil, nil)\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_run_systemd_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"errors\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestRunWithSystemdAlways(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = require.Not(nerdtest.Docker)\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tdata.Labels().Set(\"containerName\", testutil.Identifier(t))\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tcontainerName := data.Labels().Get(\"containerName\")\n\t\thelpers.Anyhow(\"container\", \"rm\", \"-f\", containerName)\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"should mount cgroup filesystem as rw\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcontainerName := data.Labels().Get(\"containerName\")\n\t\t\t\treturn helpers.Command(\"run\", \"--name\", containerName, \"--systemd=always\", \"--entrypoint=/bin/bash\", testutil.UbuntuImage, \"-c\", \"mount | grep cgroup\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"(rw,\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"should expose SIGTERM+3 stop signal label\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcontainerName := data.Labels().Get(\"containerName\")\n\t\t\t\treturn helpers.Command(\"inspect\", \"--format\", \"{{json .Config.Labels}}\", containerName)\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"SIGRTMIN+3\")),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestRunWithSystemdTrueEnabled(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = require.All(\n\t\trequire.Amd64,\n\t\trequire.Not(nerdtest.Docker),\n\t)\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(), \"--systemd=true\", \"--entrypoint=/sbin/init\", testutil.SystemdImage)\n\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier())\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"container\", \"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t// should expose SIGTERM+3 stop signal labels\n\t\thelpers.Command(\"inspect\", \"--format\", \"{{json .Config.Labels}}\", data.Identifier()).\n\t\t\tRun(&test.Expected{\n\t\t\t\tExitCode: expect.ExitCodeSuccess,\n\t\t\t\tOutput: expect.Contains(\"SIGRTMIN+3\"),\n\t\t\t})\n\n\t\t// waits for systemd to become ready and lists systemd jobs\n\t\treturn helpers.Command(\"exec\", data.Identifier(), \"sh\", \"-c\", \"--\", `tries=0\nuntil systemctl is-system-running >/dev/null 2>&1; do\n\t>&2 printf \"Waiting for systemd to come up...\\n\"\n\tsleep 1s\n\ttries=$(( tries + 1))\n\t[ $tries -lt 10 ] || {\n\t\t>&2 printf \"systemd failed to come up in a reasonable amount of time\\n\"\n\t\texit 1\n\t}\ndone\nsystemctl list-jobs`)\n\t}\n\n\ttestCase.Expected = test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"jobs\"))\n\n\ttestCase.Run(t)\n}\n\nfunc TestRunWithSystemdTrueDisabled(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = require.All(\n\t\trequire.Amd64,\n\t\trequire.Not(nerdtest.Docker),\n\t)\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tdata.Labels().Set(\"containerName\", testutil.Identifier(t))\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tcontainerName := data.Labels().Get(\"containerName\")\n\t\thelpers.Anyhow(\"container\", \"rm\", \"-f\", containerName)\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\tcontainerName := data.Labels().Get(\"containerName\")\n\t\treturn helpers.Command(\"run\", \"--name\", containerName, \"--systemd=true\", \"--entrypoint=/bin/bash\", testutil.SystemdImage, \"-c\", \"systemctl list-jobs\")\n\t}\n\ttestCase.Expected = test.Expects(1, []error{errors.New(\"System has not been booted with systemd as init system\")}, nil)\n\n\ttestCase.Run(t)\n}\n\nfunc TestRunWithSystemdFalse(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = require.Not(nerdtest.Docker)\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tdata.Labels().Set(\"containerName\", testutil.Identifier(t))\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tcontainerName := data.Labels().Get(\"containerName\")\n\t\thelpers.Anyhow(\"container\", \"rm\", \"-f\", containerName)\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"should mount cgroup filesystem as ro\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcontainerName := data.Labels().Get(\"containerName\")\n\t\t\t\treturn helpers.Command(\"run\", \"--name\", containerName, \"--systemd=false\", \"--entrypoint=/bin/bash\", testutil.UbuntuImage, \"-c\", \"mount | grep cgroup\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"(ro,\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"should expose SIGTERM stop signal label\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcontainerName := data.Labels().Get(\"containerName\")\n\t\t\t\treturn helpers.Command(\"inspect\", \"--format\", \"{{json .Config.Labels}}\", containerName)\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"SIGTERM\")),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestRunWithNoSystemd(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = require.Not(nerdtest.Docker)\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tdata.Labels().Set(\"containerName\", testutil.Identifier(t))\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tcontainerName := data.Labels().Get(\"containerName\")\n\t\thelpers.Anyhow(\"container\", \"rm\", \"-f\", containerName)\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"should mount cgroup filesystem as ro\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcontainerName := data.Labels().Get(\"containerName\")\n\t\t\t\treturn helpers.Command(\"run\", \"--name\", containerName, \"--entrypoint=/bin/bash\", testutil.UbuntuImage, \"-c\", \"mount | grep cgroup\")\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"(ro,\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"should expose SIGTERM stop signal label\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcontainerName := data.Labels().Get(\"containerName\")\n\t\t\t\treturn helpers.Command(\"inspect\", \"--format\", \"{{json .Config.Labels}}\", containerName)\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"SIGTERM\")),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestRunWithSystemdPrivilegedError(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = require.All(\n\t\trequire.Amd64,\n\t\trequire.Not(nerdtest.Docker),\n\t)\n\n\ttestCase.Command = test.Command(\"run\", \"--privileged\", \"--rm\", \"--systemd=always\", \"--entrypoint=/sbin/init\", testutil.SystemdImage)\n\ttestCase.Expected = test.Expects(1, []error{errors.New(\"if --privileged is used with systemd `--security-opt privileged-without-host-devices` must also be used\")}, nil)\n\n\ttestCase.Run(t)\n}\n\nfunc TestRunWithSystemdPrivilegedSuccess(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = require.All(\n\t\trequire.Amd64,\n\t\trequire.Not(nerdtest.Docker),\n\t)\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tcontainerName := testutil.Identifier(t)\n\t\tdata.Labels().Set(\"containerName\", containerName)\n\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", containerName, \"--privileged\", \"--security-opt\", \"privileged-without-host-devices\", \"--systemd=true\", \"--entrypoint=/sbin/init\", testutil.SystemdImage)\n\t\tnerdtest.EnsureContainerStarted(helpers, containerName)\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tcontainerName := data.Labels().Get(\"containerName\")\n\t\thelpers.Anyhow(\"container\", \"rm\", \"-f\", containerName)\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\tcontainerName := data.Labels().Get(\"containerName\")\n\t\treturn helpers.Command(\"inspect\", \"--format\", \"{{json .Config.Labels}}\", containerName)\n\t}\n\n\ttestCase.Expected = test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"SIGRTMIN+3\"))\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_run_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"bufio\"\n\t\"bytes\"\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"regexp\"\n\t\"runtime\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"gotest.tools/v3/assert\"\n\t\"gotest.tools/v3/icmd\"\n\t\"gotest.tools/v3/poll\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/rootlessutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestRunEntrypointWithBuild(t *testing.T) {\n\tnerdtest.Setup()\n\n\tdockerfile := fmt.Sprintf(`FROM %s\nENTRYPOINT [\"echo\", \"foo\"]\nCMD [\"echo\", \"bar\"]\n\t`, testutil.CommonImage)\n\n\ttestCase := &test.Case{\n\t\tRequire: nerdtest.Build,\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\tdata.Labels().Set(\"image\", data.Identifier())\n\t\t\thelpers.Ensure(\"build\", \"-t\", data.Labels().Get(\"image\"), data.Temp().Path())\n\t\t},\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"Run image\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Labels().Get(\"image\"))\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"foo echo bar\\n\")),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Run image empty entrypoint\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", \"--entrypoint\", \"\", data.Labels().Get(\"image\"))\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(expect.ExitCodeGenericFail, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Run image time entrypoint\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", \"--entrypoint\", \"time\", data.Labels().Get(\"image\"))\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(expect.ExitCodeGenericFail, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Run image empty entrypoint custom command\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", \"--entrypoint\", \"\", data.Labels().Get(\"image\"), \"echo\", \"blah\")\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.All(\n\t\t\t\t\texpect.Contains(\"blah\"),\n\t\t\t\t\texpect.DoesNotContain(\"foo\", \"bar\"),\n\t\t\t\t)),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Run image time entrypoint custom command\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", \"--entrypoint\", \"time\", data.Labels().Get(\"image\"), \"echo\", \"blah\")\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.All(\n\t\t\t\t\texpect.Contains(\"blah\"),\n\t\t\t\t\texpect.DoesNotContain(\"foo\", \"bar\"),\n\t\t\t\t)),\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestRunWorkdir(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\tdir := \"/foo\"\n\tif runtime.GOOS == \"windows\" {\n\t\tdir = \"c:\" + dir\n\t}\n\n\ttestCase.Command = test.Command(\"run\", \"--rm\", \"--workdir=\"+dir, testutil.CommonImage, \"pwd\")\n\n\ttestCase.Expected = test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(dir))\n\n\ttestCase.Run(t)\n}\n\nfunc TestRunWithDoubleDash(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = require.Not(nerdtest.Docker)\n\n\ttestCase.Command = test.Command(\"run\", \"--rm\", testutil.CommonImage, \"--\", \"sh\", \"-euxc\", \"exit 0\")\n\n\ttestCase.Expected = test.Expects(expect.ExitCodeSuccess, nil, nil)\n\n\ttestCase.Run(t)\n}\n\nfunc TestRunExitCode(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"exit0\"))\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"exit123\"))\n\t}\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"run\", \"--name\", data.Identifier(\"exit0\"), testutil.CommonImage, \"sh\", \"-euxc\", \"exit 0\")\n\t\thelpers.Command(\"run\", \"--name\", data.Identifier(\"exit123\"), testutil.CommonImage, \"sh\", \"-euxc\", \"exit 123\").\n\t\t\tRun(&test.Expected{ExitCode: 123})\n\t}\n\n\ttestCase.Command = test.Command(\"ps\", \"-a\")\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tExitCode: expect.ExitCodeSuccess,\n\t\t\tErrors: nil,\n\t\t\tOutput: expect.All(\n\t\t\t\texpect.Match(regexp.MustCompile(\"Exited [(]123[)][A-Za-z0-9 ]+\"+data.Identifier(\"exit123\"))),\n\t\t\t\texpect.Match(regexp.MustCompile(\"Exited [(]0[)][A-Za-z0-9 ]+\"+data.Identifier(\"exit0\"))),\n\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\tassert.Equal(t, nerdtest.InspectContainer(helpers, data.Identifier(\"exit0\")).State.Status, \"exited\")\n\t\t\t\t\tassert.Equal(t, nerdtest.InspectContainer(helpers, data.Identifier(\"exit123\")).State.Status, \"exited\")\n\t\t\t\t},\n\t\t\t),\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestRunCIDFile(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"run\", \"--rm\", \"--cidfile\", data.Temp().Path(\"cid-file\"), testutil.CommonImage)\n\t\tdata.Temp().Exists(\"cid-file\")\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"run\", \"--rm\", \"--cidfile\", data.Temp().Path(\"cid-file\"), testutil.CommonImage)\n\t}\n\n\t// Docker will return 125 while nerdctl returns 1, so, generic fail instead of specific exit code\n\ttestCase.Expected = test.Expects(expect.ExitCodeGenericFail, []error{errors.New(\"container ID file found\")}, nil)\n\n\ttestCase.Run(t)\n}\n\nfunc TestRunEnvFile(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Env = map[string]string{\n\t\t\"HOST_ENV\": \"ENV-IN-HOST\",\n\t}\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tdata.Temp().Save(\"# this is a comment line\\nTESTKEY1=TESTVAL1\", \"env1-file\")\n\t\tdata.Temp().Save(\"# this is a comment line\\nTESTKEY2=TESTVAL2\\nHOST_ENV\", \"env2-file\")\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\n\t\t\t\"run\", \"--rm\",\n\t\t\t\"--env-file\", data.Temp().Path(\"env1-file\"),\n\t\t\t\"--env-file\", data.Temp().Path(\"env2-file\"),\n\t\t\ttestutil.CommonImage, \"env\")\n\t}\n\n\ttestCase.Expected = test.Expects(\n\t\texpect.ExitCodeSuccess,\n\t\tnil,\n\t\texpect.Contains(\"TESTKEY1=TESTVAL1\", \"TESTKEY2=TESTVAL2\", \"HOST_ENV=ENV-IN-HOST\"),\n\t)\n\n\ttestCase.Run(t)\n}\n\nfunc TestRunEnv(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Env = map[string]string{\n\t\t\"CORGE\": \"corge-value-in-host\",\n\t\t\"GARPLY\": \"garply-value-in-host\",\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"run\", \"--rm\",\n\t\t\t\"--env\", \"FOO=foo1,foo2\",\n\t\t\t\"--env\", \"BAR=bar1 bar2\",\n\t\t\t\"--env\", \"BAZ=\",\n\t\t\t\"--env\", \"QUX\", // not exported in OS\n\t\t\t\"--env\", \"QUUX=quux1\",\n\t\t\t\"--env\", \"QUUX=quux2\",\n\t\t\t\"--env\", \"CORGE\", // OS exported\n\t\t\t\"--env\", \"GRAULT=grault_key=grault_value\", // value contains `=` char\n\t\t\t\"--env\", \"GARPLY=\", // OS exported\n\t\t\t\"--env\", \"WALDO=\", // not exported in OS\n\t\t\ttestutil.CommonImage, \"env\")\n\t}\n\n\tvalidate := []test.Comparator{\n\t\texpect.Contains(\n\t\t\t\"\\nFOO=foo1,foo2\\n\",\n\t\t\t\"\\nBAR=bar1 bar2\\n\",\n\t\t\t\"\\nQUUX=quux2\\n\",\n\t\t\t\"\\nCORGE=corge-value-in-host\\n\",\n\t\t\t\"\\nGRAULT=grault_key=grault_value\\n\",\n\t\t),\n\t\texpect.DoesNotContain(\"QUX\"),\n\t}\n\n\tif runtime.GOOS != \"windows\" {\n\t\tvalidate = append(\n\t\t\tvalidate,\n\t\t\texpect.Contains(\n\t\t\t\t\"\\nBAZ=\\n\",\n\t\t\t\t\"\\nGARPLY=\\n\",\n\t\t\t\t\"\\nWALDO=\\n\",\n\t\t\t),\n\t\t)\n\t}\n\n\ttestCase.Expected = test.Expects(expect.ExitCodeSuccess, nil, expect.All(validate...))\n\n\ttestCase.Run(t)\n}\n\nfunc TestRunHostnameEnv(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"default hostname\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcmd := helpers.Command(\"run\", \"--rm\", \"--quiet\", testutil.CommonImage)\n\t\t\t\t// Note: on Windows, just straight passing the command will not work (some cmd escaping weirdness?)\n\t\t\t\tcmd.Feed(strings.NewReader(`[[ \"HOSTNAME=$(hostname)\" == \"$(env | grep HOSTNAME)\" ]]`))\n\t\t\t\treturn cmd\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"with --hostname\",\n\t\t\t// Windows does not support --hostname\n\t\t\tRequire: require.Not(require.Windows),\n\t\t\tCommand: test.Command(\"run\", \"--rm\", \"--quiet\", \"--hostname\", \"foobar\", testutil.CommonImage, \"env\"),\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"HOSTNAME=foobar\")),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestRunStdin(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\tconst testStr = \"test-run-stdin\"\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\tcmd := helpers.Command(\"run\", \"--rm\", \"-i\", testutil.CommonImage, \"cat\")\n\t\tcmd.Feed(strings.NewReader(testStr))\n\t\treturn cmd\n\t}\n\n\ttestCase.Expected = test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(testStr))\n\n\ttestCase.Run(t)\n}\n\nfunc TestRunWithJsonFileLogDriver(t *testing.T) {\n\tif runtime.GOOS == \"windows\" {\n\t\tt.Skip(\"json-file log driver is not yet implemented on Windows\")\n\t}\n\tbase := testutil.NewBase(t)\n\tcontainerName := testutil.Identifier(t)\n\n\tdefer base.Cmd(\"rm\", \"-f\", containerName).AssertOK()\n\tbase.Cmd(\"run\", \"-d\", \"--log-driver\", \"json-file\", \"--log-opt\", \"max-size=5K\", \"--log-opt\", \"max-file=2\", \"--name\", containerName, testutil.CommonImage,\n\t\t\"sh\", \"-euxc\", \"hexdump -C /dev/urandom | head -n1000\").AssertOK()\n\n\ttime.Sleep(3 * time.Second)\n\tinspectedContainer := base.InspectContainer(containerName)\n\tlogJSONPath := filepath.Dir(inspectedContainer.LogPath)\n\t// matches = current log file + old log files to retain\n\tmatches, err := filepath.Glob(filepath.Join(logJSONPath, inspectedContainer.ID+\"*\"))\n\tassert.NilError(t, err)\n\tif len(matches) != 2 {\n\t\tt.Fatalf(\"the number of log files is not equal to 2 files, got: %s\", matches)\n\t}\n\tfor _, file := range matches {\n\t\tfInfo, err := os.Stat(file)\n\t\tassert.NilError(t, err)\n\t\t// The log file size is compared to 5200 bytes (instead 5k) to keep docker compatibility.\n\t\t// Docker log rotation lacks precision because the size check is done at the log entry level\n\t\t// and not at the byte level (io.Writer), so docker log files can exceed 5k\n\t\tif fInfo.Size() > 5200 {\n\t\t\tt.Fatal(\"file size exceeded 5k\")\n\t\t}\n\t}\n}\n\nfunc TestRunWithJsonFileLogDriverAndLogPathOpt(t *testing.T) {\n\tif runtime.GOOS == \"windows\" {\n\t\tt.Skip(\"json-file log driver is not yet implemented on Windows\")\n\t}\n\ttestutil.DockerIncompatible(t)\n\tbase := testutil.NewBase(t)\n\tcontainerName := testutil.Identifier(t)\n\n\tdefer base.Cmd(\"rm\", \"-f\", containerName).AssertOK()\n\tcustomLogJSONPath := filepath.Join(t.TempDir(), containerName, containerName+\"-json.log\")\n\tbase.Cmd(\"run\", \"-d\", \"--log-driver\", \"json-file\", \"--log-opt\", fmt.Sprintf(\"log-path=%s\", customLogJSONPath), \"--log-opt\", \"max-size=5K\", \"--log-opt\", \"max-file=2\", \"--name\", containerName, testutil.CommonImage,\n\t\t\"sh\", \"-euxc\", \"hexdump -C /dev/urandom | head -n1000\").AssertOK()\n\n\ttime.Sleep(3 * time.Second)\n\trawBytes, err := os.ReadFile(customLogJSONPath)\n\tassert.NilError(t, err)\n\tif len(rawBytes) == 0 {\n\t\tt.Fatalf(\"logs are not written correctly to log-path: %s\", customLogJSONPath)\n\t}\n\n\t// matches = current log file + old log files to retain\n\tmatches, err := filepath.Glob(filepath.Join(filepath.Dir(customLogJSONPath), containerName+\"*\"))\n\tassert.NilError(t, err)\n\tif len(matches) != 2 {\n\t\tt.Fatalf(\"the number of log files is not equal to 2 files, got: %s\", matches)\n\t}\n\tfor _, file := range matches {\n\t\tfInfo, err := os.Stat(file)\n\t\tassert.NilError(t, err)\n\t\tif fInfo.Size() > 5200 {\n\t\t\tt.Fatal(\"file size exceeded 5k\")\n\t\t}\n\t}\n}\n\nfunc TestRunWithJournaldLogDriver(t *testing.T) {\n\ttestutil.RequireExecutable(t, \"journalctl\")\n\tjournalctl, _ := exec.LookPath(\"journalctl\")\n\tres := icmd.RunCmd(icmd.Command(journalctl, \"-xe\"))\n\tif res.ExitCode != 0 {\n\t\tt.Skipf(\"current user is not allowed to access journal logs: %s\", res.Combined())\n\t}\n\n\tif runtime.GOOS == \"windows\" {\n\t\tt.Skip(\"journald log driver is not yet implemented on Windows\")\n\t}\n\tbase := testutil.NewBase(t)\n\tcontainerName := testutil.Identifier(t)\n\n\tdefer base.Cmd(\"rm\", \"-f\", containerName).AssertOK()\n\tbase.Cmd(\"run\", \"-d\", \"--log-driver\", \"journald\", \"--name\", containerName, testutil.CommonImage,\n\t\t\"sh\", \"-euxc\", \"echo foo; echo bar\").AssertOK()\n\n\ttime.Sleep(3 * time.Second)\n\n\tinspectedContainer := base.InspectContainer(containerName)\n\n\ttype testCase struct {\n\t\tname string\n\t\tfilter string\n\t}\n\ttestCases := []testCase{\n\t\t{\n\t\t\tname: \"filter journald logs using SYSLOG_IDENTIFIER field\",\n\t\t\tfilter: fmt.Sprintf(\"SYSLOG_IDENTIFIER=%s\", inspectedContainer.ID[:12]),\n\t\t},\n\t\t{\n\t\t\tname: \"filter journald logs using CONTAINER_NAME field\",\n\t\t\tfilter: fmt.Sprintf(\"CONTAINER_NAME=%s\", containerName),\n\t\t},\n\t\t{\n\t\t\tname: \"filter journald logs using IMAGE_NAME field\",\n\t\t\tfilter: fmt.Sprintf(\"IMAGE_NAME=%s\", testutil.CommonImage),\n\t\t},\n\t}\n\tfor _, tc := range testCases {\n\t\ttc := tc\n\t\tt.Run(tc.name, func(t *testing.T) {\n\t\t\tfound := 0\n\t\t\tcheck := func(log poll.LogT) poll.Result {\n\t\t\t\tres := icmd.RunCmd(icmd.Command(journalctl, \"--no-pager\", \"--since\", \"2 minutes ago\", tc.filter))\n\t\t\t\tassert.Equal(t, 0, res.ExitCode, res)\n\t\t\t\tif strings.Contains(res.Stdout(), \"bar\") && strings.Contains(res.Stdout(), \"foo\") {\n\t\t\t\t\tfound = 1\n\t\t\t\t\treturn poll.Success()\n\t\t\t\t}\n\t\t\t\treturn poll.Continue(\"reading from journald is not yet finished\")\n\t\t\t}\n\t\t\tpoll.WaitOn(t, check, poll.WithDelay(100*time.Microsecond), poll.WithTimeout(20*time.Second))\n\t\t\tassert.Equal(t, 1, found)\n\t\t})\n\t}\n}\n\nfunc TestRunWithJournaldLogDriverAndLogOpt(t *testing.T) {\n\ttestutil.RequireExecutable(t, \"journalctl\")\n\tjournalctl, _ := exec.LookPath(\"journalctl\")\n\tres := icmd.RunCmd(icmd.Command(journalctl, \"-xe\"))\n\tif res.ExitCode != 0 {\n\t\tt.Skipf(\"current user is not allowed to access journal logs: %s\", res.Combined())\n\t}\n\n\tif runtime.GOOS == \"windows\" {\n\t\tt.Skip(\"journald log driver is not yet implemented on Windows\")\n\t}\n\tbase := testutil.NewBase(t)\n\tcontainerName := testutil.Identifier(t)\n\n\tdefer base.Cmd(\"rm\", \"-f\", containerName).AssertOK()\n\tbase.Cmd(\"run\", \"-d\", \"--log-driver\", \"journald\", \"--log-opt\", \"tag={{.FullID}}\", \"--name\", containerName, testutil.CommonImage,\n\t\t\"sh\", \"-euxc\", \"echo foo; echo bar\").AssertOK()\n\n\ttime.Sleep(3 * time.Second)\n\tinspectedContainer := base.InspectContainer(containerName)\n\tfound := 0\n\tcheck := func(log poll.LogT) poll.Result {\n\t\tres := icmd.RunCmd(icmd.Command(journalctl, \"--no-pager\", \"--since\", \"2 minutes ago\", fmt.Sprintf(\"SYSLOG_IDENTIFIER=%s\", inspectedContainer.ID)))\n\t\tassert.Equal(t, 0, res.ExitCode, res)\n\t\tif strings.Contains(res.Stdout(), \"bar\") && strings.Contains(res.Stdout(), \"foo\") {\n\t\t\tfound = 1\n\t\t\treturn poll.Success()\n\t\t}\n\t\treturn poll.Continue(\"reading from journald is not yet finished\")\n\t}\n\tpoll.WaitOn(t, check, poll.WithDelay(100*time.Microsecond), poll.WithTimeout(20*time.Second))\n\tassert.Equal(t, 1, found)\n}\n\nfunc TestRunWithLogBinary(t *testing.T) {\n\ttestutil.RequiresBuild(t)\n\tif runtime.GOOS == \"windows\" {\n\t\tt.Skip(\"buildkit is not enabled on windows, this feature may work on windows.\")\n\t}\n\ttestutil.DockerIncompatible(t)\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\timageName := testutil.Identifier(t) + \"-image\"\n\tcontainerName := testutil.Identifier(t)\n\n\tvar dockerfile = `\nFROM ` + testutil.GolangImage + ` as builder\nWORKDIR /go/src/\nRUN mkdir -p logger\nWORKDIR /go/src/logger\nRUN echo '\\\n\tpackage main \\n\\\n\t\\n\\\n\timport ( \\n\\\n\t\"bufio\" \\n\\\n\t\"context\" \\n\\\n\t\"fmt\" \\n\\\n\t\"io\" \\n\\\n\t\"os\" \\n\\\n\t\"path/filepath\" \\n\\\n\t\"sync\" \\n\\\n\t\\n\\\n\t\"github.com/containerd/containerd/v2/core/runtime/v2/logging\"\\n\\\n\t)\\n\\\n\n\tfunc main() {\\n\\\n\t\tlogging.Run(log)\\n\\\n\t}\\n\\\n\n\tfunc log(ctx context.Context, config *logging.Config, ready func() error) error {\\n\\\n\t\tvar wg sync.WaitGroup \\n\\\n\t\twg.Add(2) \\n\\\n\t\t// forward both stdout and stderr to temp files \\n\\\n\t\tgo copy(&wg, config.Stdout, config.ID, \"stdout\") \\n\\\n\t\tgo copy(&wg, config.Stderr, config.ID, \"stderr\") \\n\\\n\n\t\t// signal that we are ready and setup for the container to be started \\n\\\n\t\tif err := ready(); err != nil { \\n\\\n\t\treturn err \\n\\\n\t\t} \\n\\\n\t\twg.Wait() \\n\\\n\t\treturn nil \\n\\\n\t}\\n\\\n\t\\n\\\n\tfunc copy(wg *sync.WaitGroup, r io.Reader, id string, kind string) { \\n\\\n\t\tf, _ := os.Create(filepath.Join(os.TempDir(), fmt.Sprintf(\"%s_%s.log\", id, kind))) \\n\\\n\t\tdefer f.Close() \\n\\\n\t\tdefer wg.Done() \\n\\\n\t\ts := bufio.NewScanner(r) \\n\\\n\t\tfor s.Scan() { \\n\\\n\t\t\tf.WriteString(s.Text()) \\n\\\n\t\t} \\n\\\n\t}\\n' >> main.go\n\n\nRUN go mod init\n# Workaround for \"package slices is not in GOROOT\" https://github.com/containerd/nerdctl/issues/4214\nRUN go get github.com/containerd/containerd/v2@v2.0.5\nRUN go mod tidy\nRUN go build .\n\nFROM scratch\nCOPY --from=builder /go/src/logger/logger /\n\t`\n\n\tbuildCtx := helpers.CreateBuildContext(t, dockerfile)\n\ttmpDir := t.TempDir()\n\tbase.Cmd(\"build\", buildCtx, \"--output\", fmt.Sprintf(\"type=local,src=/go/src/logger/logger,dest=%s\", tmpDir)).AssertOK()\n\tdefer base.Cmd(\"image\", \"rm\", \"-f\", imageName).AssertOK()\n\n\tbase.Cmd(\"container\", \"rm\", \"-f\", containerName).AssertOK()\n\tbase.Cmd(\"run\", \"-d\", \"--log-driver\", fmt.Sprintf(\"binary://%s/logger\", tmpDir), \"--name\", containerName, testutil.CommonImage,\n\t\t\"sh\", \"-euxc\", \"echo foo; echo bar\").AssertOK()\n\tdefer base.Cmd(\"container\", \"rm\", \"-f\", containerName).AssertOK()\n\n\tinspectedContainer := base.InspectContainer(containerName)\n\tbytes, err := os.ReadFile(filepath.Join(os.TempDir(), fmt.Sprintf(\"%s_%s.log\", inspectedContainer.ID, \"stdout\")))\n\tassert.NilError(t, err)\n\tlog := string(bytes)\n\tassert.Check(t, strings.Contains(log, \"foo\"))\n\tassert.Check(t, strings.Contains(log, \"bar\"))\n}\n\n// history: There was a bug that the --add-host items disappear when the another container created.\n// This test ensures that it doesn't happen.\n// (https://github.com/containerd/nerdctl/issues/2560)\nfunc TestRunAddHostRemainsWhenAnotherContainerCreated(t *testing.T) {\n\tif runtime.GOOS == \"windows\" {\n\t\tt.Skip(\"ocihook is not yet supported on Windows\")\n\t}\n\tbase := testutil.NewBase(t)\n\n\tcontainerName := testutil.Identifier(t)\n\thostMapping := \"test-add-host:10.0.0.1\"\n\tbase.Cmd(\"run\", \"-d\", \"--add-host\", hostMapping, \"--name\", containerName, testutil.CommonImage, \"sleep\", nerdtest.Infinity).AssertOK()\n\tdefer base.Cmd(\"container\", \"rm\", \"-f\", containerName).Run()\n\n\tcheckEtcHosts := func(stdout string) error {\n\t\tmatcher, err := regexp.Compile(`^10.0.0.1\\s+test-add-host$`)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar found bool\n\t\tsc := bufio.NewScanner(bytes.NewBufferString(stdout))\n\t\tfor sc.Scan() {\n\t\t\tif matcher.Match(sc.Bytes()) {\n\t\t\t\tfound = true\n\t\t\t}\n\t\t}\n\t\tif !found {\n\t\t\treturn fmt.Errorf(\"host not found\")\n\t\t}\n\t\treturn nil\n\t}\n\tbase.Cmd(\"exec\", containerName, \"cat\", \"/etc/hosts\").AssertOutWithFunc(checkEtcHosts)\n\n\t// run another container\n\tbase.Cmd(\"run\", \"--rm\", testutil.CommonImage).AssertOK()\n\n\tbase.Cmd(\"exec\", containerName, \"cat\", \"/etc/hosts\").AssertOutWithFunc(checkEtcHosts)\n}\n\n// https://github.com/containerd/nerdctl/issues/2726\nfunc TestRunRmTime(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\tbase.Cmd(\"pull\", \"--quiet\", testutil.CommonImage)\n\tt0 := time.Now()\n\tbase.Cmd(\"run\", \"--rm\", testutil.CommonImage, \"true\").AssertOK()\n\tt1 := time.Now()\n\ttook := t1.Sub(t0)\n\tvar deadline = 3 * time.Second\n\t// FIXME: Investigate? it appears that since the move to containerd 2 on Windows, this is taking longer.\n\tif runtime.GOOS == \"windows\" {\n\t\tdeadline = 10 * time.Second\n\t}\n\tif took > deadline {\n\t\tt.Fatalf(\"expected to have completed in %v, took %v\", deadline, took)\n\t}\n}\n\nfunc runAttachStdin(t *testing.T, testStr string, args []string) string {\n\tif runtime.GOOS == \"windows\" {\n\t\tt.Skip(\"run attach test is not yet implemented on Windows\")\n\t}\n\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\tcontainerName := testutil.Identifier(t)\n\n\topts := []func(*testutil.Cmd){\n\t\ttestutil.WithStdin(strings.NewReader(\"echo \" + testStr + \"\\nexit\\n\")),\n\t}\n\n\tfullArgs := []string{\"run\", \"--rm\", \"-i\"}\n\tfullArgs = append(fullArgs, args...)\n\tfullArgs = append(fullArgs,\n\t\t\"--name\",\n\t\tcontainerName,\n\t\ttestutil.CommonImage,\n\t)\n\n\tdefer base.Cmd(\"rm\", \"-f\", containerName).AssertOK()\n\tresult := base.Cmd(fullArgs...).CmdOption(opts...).Run()\n\n\treturn result.Combined()\n}\n\nfunc runAttach(t *testing.T, testStr string, args []string) string {\n\tif runtime.GOOS == \"windows\" {\n\t\tt.Skip(\"run attach test is not yet implemented on Windows\")\n\t}\n\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\tcontainerName := testutil.Identifier(t)\n\n\tfullArgs := []string{\"run\"}\n\tfullArgs = append(fullArgs, args...)\n\tfullArgs = append(fullArgs,\n\t\t\"--name\",\n\t\tcontainerName,\n\t\ttestutil.CommonImage,\n\t\t\"sh\",\n\t\t\"-euxc\",\n\t\t\"echo \"+testStr,\n\t)\n\n\tdefer base.Cmd(\"rm\", \"-f\", containerName).AssertOK()\n\tresult := base.Cmd(fullArgs...).Run()\n\n\treturn result.Combined()\n}\n\nfunc TestRunAttachFlag(t *testing.T) {\n\n\ttype testCase struct {\n\t\tname string\n\t\targs []string\n\t\ttestFunc func(t *testing.T, testStr string, args []string) string\n\t\ttestStr string\n\t\texpectedOut string\n\t\tdockerOut string\n\t}\n\ttestCases := []testCase{\n\t\t{\n\t\t\tname: \"AttachFlagStdin\",\n\t\t\targs: []string{\"-a\", \"STDIN\", \"-a\", \"STDOUT\"},\n\t\t\ttestFunc: runAttachStdin,\n\t\t\ttestStr: \"test-run-stdio\",\n\t\t\texpectedOut: \"test-run-stdio\",\n\t\t\tdockerOut: \"test-run-stdio\",\n\t\t},\n\t\t{\n\t\t\tname: \"AttachFlagStdOut\",\n\t\t\targs: []string{\"-a\", \"STDOUT\"},\n\t\t\ttestFunc: runAttach,\n\t\t\ttestStr: \"foo\",\n\t\t\texpectedOut: \"foo\",\n\t\t\tdockerOut: \"foo\",\n\t\t},\n\t\t{\n\t\t\tname: \"AttachFlagMixedValue\",\n\t\t\targs: []string{\"-a\", \"STDIN\", \"-a\", \"invalid-value\"},\n\t\t\ttestFunc: runAttach,\n\t\t\ttestStr: \"foo\",\n\t\t\texpectedOut: \"invalid stream specified with -a flag. Valid streams are STDIN, STDOUT, and STDERR\",\n\t\t\tdockerOut: \"valid streams are STDIN, STDOUT and STDERR\",\n\t\t},\n\t\t{\n\t\t\tname: \"AttachFlagInvalidValue\",\n\t\t\targs: []string{\"-a\", \"invalid-stream\"},\n\t\t\ttestFunc: runAttach,\n\t\t\ttestStr: \"foo\",\n\t\t\texpectedOut: \"invalid stream specified with -a flag. Valid streams are STDIN, STDOUT, and STDERR\",\n\t\t\tdockerOut: \"valid streams are STDIN, STDOUT and STDERR\",\n\t\t},\n\t\t{\n\t\t\tname: \"AttachFlagCaseInsensitive\",\n\t\t\targs: []string{\"-a\", \"stdin\", \"-a\", \"stdout\"},\n\t\t\ttestFunc: runAttachStdin,\n\t\t\ttestStr: \"test-run-stdio\",\n\t\t\texpectedOut: \"test-run-stdio\",\n\t\t\tdockerOut: \"test-run-stdio\",\n\t\t},\n\t}\n\n\tfor _, tc := range testCases {\n\t\ttc := tc\n\t\tt.Run(tc.name, func(t *testing.T) {\n\t\t\tactualOut := tc.testFunc(t, tc.testStr, tc.args)\n\t\t\terrorMsg := fmt.Sprintf(\"%s failed;\\nExpected: '%s'\\nActual: '%s'\", tc.name, tc.expectedOut, actualOut)\n\t\t\tif nerdtest.IsDocker() {\n\t\t\t\tassert.Equal(t, true, strings.Contains(actualOut, tc.dockerOut), errorMsg)\n\t\t\t} else {\n\t\t\t\tassert.Equal(t, true, strings.Contains(actualOut, tc.expectedOut), errorMsg)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestRunQuiet(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\n\tteardown := func() {\n\t\tbase.Cmd(\"rmi\", \"-f\", testutil.CommonImage).Run()\n\t}\n\tdefer teardown()\n\tteardown()\n\n\tsentinel := \"test run quiet\"\n\tresult := base.Cmd(\"run\", \"--rm\", \"--quiet\", testutil.CommonImage, fmt.Sprintf(`echo \"%s\"`, sentinel)).Run()\n\tassert.Assert(t, strings.Contains(result.Combined(), sentinel))\n\n\twasQuiet := func(output, sentinel string) bool {\n\t\treturn !strings.Contains(output, sentinel)\n\t}\n\n\t// Docker and nerdctl image pulls are not 1:1.\n\tif nerdtest.IsDocker() {\n\t\tsentinel = \"Pull complete\"\n\t} else {\n\t\tsentinel = \"resolved\"\n\t}\n\n\tassert.Assert(t, wasQuiet(result.Combined(), sentinel), \"Found %s in container run output\", sentinel)\n}\n\nfunc TestRunFromOCIArchive(t *testing.T) {\n\ttestutil.RequiresBuild(t)\n\ttestutil.RegisterBuildCacheCleanup(t)\n\n\t// Docker does not support running container images from OCI archive.\n\ttestutil.DockerIncompatible(t)\n\n\tbase := testutil.NewBase(t)\n\timageName := testutil.Identifier(t)\n\n\tteardown := func() {\n\t\tbase.Cmd(\"rmi\", \"-f\", imageName).Run()\n\t}\n\tdefer teardown()\n\tteardown()\n\n\tconst sentinel = \"test-nerdctl-run-from-oci-archive\"\n\tdockerfile := fmt.Sprintf(`FROM %s\n\tCMD [\"echo\", \"%s\"]`, testutil.CommonImage, sentinel)\n\n\tbuildCtx := helpers.CreateBuildContext(t, dockerfile)\n\ttag := fmt.Sprintf(\"%s:latest\", imageName)\n\ttarPath := fmt.Sprintf(\"%s/%s.tar\", buildCtx, imageName)\n\n\tbase.Cmd(\"build\", \"--tag\", tag, fmt.Sprintf(\"--output=type=oci,dest=%s\", tarPath), buildCtx).AssertOK()\n\tbase.Cmd(\"run\", \"--rm\", fmt.Sprintf(\"oci-archive://%s\", tarPath)).AssertOutContainsAll(tag, sentinel)\n}\n\nfunc TestRunDomainname(t *testing.T) {\n\tt.Parallel()\n\n\tif runtime.GOOS == \"windows\" {\n\t\tt.Skip(\"run --hostname not implemented on Windows yet\")\n\t}\n\n\ttestCases := []struct {\n\t\tname string\n\t\thostname string\n\t\tdomainname string\n\t\tCmd string\n\t\tCmdFlag string\n\t\texpectedOut string\n\t}{\n\t\t{\n\t\t\tname: \"Check domain name\",\n\t\t\thostname: \"foobar\",\n\t\t\tdomainname: \"example.com\",\n\t\t\tCmd: \"hostname\",\n\t\t\tCmdFlag: \"-d\",\n\t\t\texpectedOut: \"example.com\",\n\t\t},\n\t\t{\n\t\t\tname: \"check fqdn\",\n\t\t\thostname: \"foobar\",\n\t\t\tdomainname: \"example.com\",\n\t\t\tCmd: \"hostname\",\n\t\t\tCmdFlag: \"-f\",\n\t\t\texpectedOut: \"foobar.example.com\",\n\t\t},\n\t}\n\n\tfor _, tc := range testCases {\n\t\ttc := tc // capture range variable\n\t\tt.Run(tc.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tbase := testutil.NewBase(t)\n\n\t\t\tbase.Cmd(\"run\",\n\t\t\t\t\"--rm\",\n\t\t\t\t\"--hostname\", tc.hostname,\n\t\t\t\t\"--domainname\", tc.domainname,\n\t\t\t\ttestutil.CommonImage,\n\t\t\t\ttc.Cmd,\n\t\t\t\ttc.CmdFlag,\n\t\t\t).AssertOutContains(tc.expectedOut)\n\t\t})\n\t}\n}\n\nfunc TestRunHealthcheckFlags(t *testing.T) {\n\tif rootlessutil.IsRootless() {\n\t\tt.Skip(\"healthcheck tests are skipped in rootless environment\")\n\t}\n\ttestCase := nerdtest.Setup()\n\n\ttestCases := []struct {\n\t\tname string\n\t\targs []string\n\t\tshouldFail bool\n\t\texpectTest []string\n\t\texpectRetries int\n\t\texpectInterval time.Duration\n\t\texpectTimeout time.Duration\n\t\texpectStartPeriod time.Duration\n\t}{\n\t\t{\n\t\t\tname: \"Valid_full_config\",\n\t\t\targs: []string{\n\t\t\t\t\"--health-cmd\", \"curl -f http://localhost || exit 1\",\n\t\t\t\t\"--health-interval\", \"30s\",\n\t\t\t\t\"--health-timeout\", \"5s\",\n\t\t\t\t\"--health-retries\", \"3\",\n\t\t\t\t\"--health-start-period\", \"2s\",\n\t\t\t},\n\t\t\texpectTest: []string{\"CMD-SHELL\", \"curl -f http://localhost || exit 1\"},\n\t\t\texpectInterval: 30 * time.Second,\n\t\t\texpectTimeout: 5 * time.Second,\n\t\t\texpectRetries: 3,\n\t\t\texpectStartPeriod: 2 * time.Second,\n\t\t},\n\t\t{\n\t\t\tname: \"No_healthcheck\",\n\t\t\targs: []string{\n\t\t\t\t\"--no-healthcheck\",\n\t\t\t},\n\t\t\texpectTest: []string{\"NONE\"},\n\t\t},\n\t\t{\n\t\t\tname: \"No_healthcheck_flag\",\n\t\t\targs: []string{},\n\t\t\texpectTest: nil,\n\t\t},\n\t\t{\n\t\t\tname: \"Conflicting_flags\",\n\t\t\targs: []string{\n\t\t\t\t\"--no-healthcheck\", \"--health-cmd\", \"true\",\n\t\t\t},\n\t\t\tshouldFail: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Negative_retries\",\n\t\t\targs: []string{\n\t\t\t\t\"--health-cmd\", \"true\",\n\t\t\t\t\"--health-retries\", \"-2\",\n\t\t\t},\n\t\t\tshouldFail: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Negative_timeout\",\n\t\t\targs: []string{\n\t\t\t\t\"--health-cmd\", \"true\",\n\t\t\t\t\"--health-timeout\", \"-5s\",\n\t\t\t},\n\t\t\tshouldFail: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Invalid_timeout_format\",\n\t\t\targs: []string{\n\t\t\t\t\"--health-cmd\", \"true\",\n\t\t\t\t\"--health-timeout\", \"5blah\",\n\t\t\t},\n\t\t\tshouldFail: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Health_cmd_cmd_shell\",\n\t\t\targs: []string{\n\t\t\t\t\"--health-cmd\", \"curl -f http://localhost || exit 1\",\n\t\t\t},\n\t\t\texpectTest: []string{\"CMD-SHELL\", \"curl -f http://localhost || exit 1\"},\n\t\t},\n\t\t{\n\t\t\tname: \"Health_cmd_array_like\",\n\t\t\targs: []string{\n\t\t\t\t\"--health-cmd\", \"echo hello\",\n\t\t\t},\n\t\t\texpectTest: []string{\"CMD-SHELL\", \"echo hello\"},\n\t\t},\n\t\t{\n\t\t\tname: \"Health_cmd_empty\",\n\t\t\targs: []string{\n\t\t\t\t\"--health-cmd\", \"\",\n\t\t\t\t\"--health-retries\", \"2\",\n\t\t\t},\n\t\t\texpectTest: nil,\n\t\t\texpectRetries: 2,\n\t\t},\n\t}\n\n\tfor _, tc := range testCases {\n\t\ttc := tc\n\n\t\ttestCase.SubTests = append(testCase.SubTests, &test.Case{\n\t\t\tDescription: tc.name,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\targs := append([]string{\"run\", \"-d\", \"--name\", tc.name}, tc.args...)\n\t\t\t\targs = append(args, testutil.CommonImage, \"sleep\", \"infinity\")\n\t\t\t\treturn helpers.Command(args...)\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\tif tc.shouldFail {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tExitCode: expect.ExitCodeGenericFail,\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeSuccess,\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\tinspect := nerdtest.InspectContainer(helpers, tc.name)\n\t\t\t\t\t\t\thc := inspect.Config.Healthcheck\n\t\t\t\t\t\t\tif tc.expectTest == nil {\n\t\t\t\t\t\t\t\tassert.Assert(t, hc == nil || len(hc.Test) == 0)\n\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\tassert.Assert(t, hc != nil)\n\t\t\t\t\t\t\t\tassert.DeepEqual(t, hc.Test, tc.expectTest)\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tif tc.expectRetries > 0 {\n\t\t\t\t\t\t\t\tassert.Equal(t, hc.Retries, tc.expectRetries)\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tif tc.expectTimeout > 0 {\n\t\t\t\t\t\t\t\tassert.Equal(t, hc.Timeout, tc.expectTimeout)\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tif tc.expectInterval > 0 {\n\t\t\t\t\t\t\t\tassert.Equal(t, hc.Interval, tc.expectInterval)\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tif tc.expectStartPeriod > 0 {\n\t\t\t\t\t\t\t\tassert.Equal(t, hc.StartPeriod, tc.expectStartPeriod)\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t},\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", tc.name)\n\t\t\t},\n\t\t})\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestRunHealthcheckFromImage(t *testing.T) {\n\tif rootlessutil.IsRootless() {\n\t\tt.Skip(\"healthcheck tests are skipped in rootless environment\")\n\t}\n\tnerdtest.Setup()\n\n\tdockerfile := fmt.Sprintf(`FROM %s\nHEALTHCHECK --interval=30s --timeout=10s CMD wget -q --spider http://localhost:8080 || exit 1\n\t`, testutil.CommonImage)\n\n\ttestCase := &test.Case{\n\t\tRequire: nerdtest.Build,\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\tdata.Labels().Set(\"image\", data.Identifier())\n\t\t\thelpers.Ensure(\"build\", \"-t\", data.Labels().Get(\"image\"), data.Temp().Path())\n\t\t},\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"merge_with_image\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\t\"--health-retries=5\",\n\t\t\t\t\t\t\"--health-interval=45s\",\n\t\t\t\t\t\tdata.Labels().Get(\"image\"))\n\t\t\t\t},\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tExitCode: expect.ExitCodeSuccess,\n\t\t\t\t\t\tOutput: expect.All(func(stdout string, t tig.T) {\n\t\t\t\t\t\t\tinspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\t\t\t\t\t\t\thc := inspect.Config.Healthcheck\n\t\t\t\t\t\t\tassert.Assert(t, hc != nil, \"expected healthcheck config to be present\")\n\t\t\t\t\t\t\tassert.DeepEqual(t, hc.Test, []string{\"CMD-SHELL\", \"wget -q --spider http://localhost:8080 || exit 1\"})\n\t\t\t\t\t\t\tassert.Equal(t, 5, hc.Retries) // From CLI flags\n\t\t\t\t\t\t\tassert.Equal(t, 45*time.Second, hc.Interval) // From CLI flags\n\t\t\t\t\t\t\tassert.Equal(t, 10*time.Second, hc.Timeout) // From Dockerfile\n\t\t\t\t\t\t}),\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Disable image health checks via runtime flag\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\n\t\t\t\t\t\t\"run\", \"-d\", \"--name\", data.Identifier(),\n\t\t\t\t\t\t\"--no-healthcheck\",\n\t\t\t\t\t\tdata.Labels().Get(\"image\"),\n\t\t\t\t\t)\n\t\t\t\t},\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tExitCode: expect.ExitCodeSuccess,\n\t\t\t\t\t\tOutput: expect.All(func(stdout string, t tig.T) {\n\t\t\t\t\t\t\tinspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\t\t\t\t\t\t\thc := inspect.Config.Healthcheck\n\t\t\t\t\t\t\tassert.Assert(t, hc != nil, \"expected healthcheck config to be present\")\n\t\t\t\t\t\t\tassert.DeepEqual(t, hc.Test, []string{\"NONE\"})\n\t\t\t\t\t\t}),\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc countFIFOFiles(root string) (int, error) {\n\tcount := 0\n\terr := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif info.Mode()&os.ModeNamedPipe != 0 {\n\t\t\tcount++\n\t\t}\n\t\treturn nil\n\t})\n\treturn count, err\n}\nfunc TestCleanupFIFOs(t *testing.T) {\n\tif rootlessutil.IsRootless() {\n\t\tt.Skip(\"/run/containerd/fifo/ doesn't exist on rootless\")\n\t}\n\tif runtime.GOOS == \"windows\" {\n\t\tt.Skip(\"test is not compatible with windows\")\n\t}\n\ttestutil.DockerIncompatible(t)\n\ttestCase := nerdtest.Setup()\n\ttestCase.NoParallel = true\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tcmd := helpers.Command(\"run\", \"-it\", \"--rm\", testutil.CommonImage, \"date\")\n\t\tcmd.WithPseudoTTY()\n\t\tcmd.Run(&test.Expected{\n\t\t\tExitCode: 0,\n\t\t})\n\t\toldNumFifos, err := countFIFOFiles(\"/run/containerd/fifo/\")\n\t\tassert.NilError(t, err)\n\n\t\tcmd = helpers.Command(\"run\", \"-it\", \"--rm\", testutil.CommonImage, \"date\")\n\t\tcmd.WithPseudoTTY()\n\t\tcmd.Run(&test.Expected{\n\t\t\tExitCode: 0,\n\t\t})\n\t\tnewNumFifos, err := countFIFOFiles(\"/run/containerd/fifo/\")\n\t\tassert.NilError(t, err)\n\t\tassert.Equal(t, oldNumFifos, newNumFifos)\n\t}\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_run_user_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"fmt\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestRunUserGID(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"Test container run as default user (root) and verify root belongs to standard system groups\",\n\t\t\tCommand: test.Command(\"run\", \"--rm\", testutil.AlpineImage, \"id\", \"-nG\"),\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"root bin daemon sys adm disk wheel floppy dialout tape video\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"Test container run with numeric UID (1000) and verify it resolves to root group inside the container\",\n\t\t\tCommand: test.Command(\"run\", \"--rm\", \"--user\", \"1000\", testutil.AlpineImage, \"id\", \"-nG\"),\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"root\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"Test container run as user (guest) and verify group membership is resolved correctly\",\n\t\t\tCommand: test.Command(\"run\", \"--rm\", \"--user\", \"guest\", testutil.AlpineImage, \"id\", \"-nG\"),\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"users\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"Test container run with well-known user 'nobody' and verify it belongs to the 'nobody' group\",\n\t\t\tCommand: test.Command(\"run\", \"--rm\", \"--user\", \"nobody\", testutil.AlpineImage, \"id\", \"-nG\"),\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"nobody\")),\n\t\t},\n\t}\n\ttestCase.Run(t)\n}\n\nfunc TestRunUmask(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = require.Not(nerdtest.Docker)\n\ttestCase.Command = test.Command(\"run\", \"--rm\", \"--umask\", \"0200\", testutil.AlpineImage, \"sh\", \"-c\", \"umask\")\n\ttestCase.Expected = test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"0200\"))\n\ttestCase.Run(t)\n}\n\nfunc TestRunAddGroup(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"Test container run as default root user and its inherited system groups\",\n\t\t\tCommand: test.Command(\"run\", \"--rm\", testutil.AlpineImage, \"id\", \"-nG\"),\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"root bin daemon sys adm disk wheel floppy dialout tape video\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"Test container run as numeric UID only and its fallback to root group\",\n\t\t\tCommand: test.Command(\"run\", \"--rm\", \"--user\", \"1000\", testutil.AlpineImage, \"id\", \"-nG\"),\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"root\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"Test container run as numeric UID with extra group addition\",\n\t\t\tCommand: test.Command(\"run\", \"--rm\", \"--user\", \"1000\", \"--group-add\", \"nogroup\", testutil.AlpineImage, \"id\", \"-nG\"),\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"root nogroup\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"Test container run as UID:GID pair with extra group addition\",\n\t\t\tCommand: test.Command(\"run\", \"--rm\", \"--user\", \"1000:wheel\", \"--group-add\", \"nogroup\", testutil.AlpineImage, \"id\", \"-nG\"),\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"wheel nogroup\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"Test container run as root with extra group addition and system group persistence\",\n\t\t\tCommand: test.Command(\"run\", \"--rm\", \"--user\", \"root\", \"--group-add\", \"nogroup\", testutil.AlpineImage, \"id\", \"-nG\"),\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"root bin daemon sys adm disk wheel floppy dialout tape video nogroup\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"Test container run as root:group override and its effect on supplementary groups\",\n\t\t\tCommand: test.Command(\"run\", \"--rm\", \"--user\", \"root:nogroup\", \"--group-add\", \"nogroup\", testutil.AlpineImage, \"id\", \"-nG\"),\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"nogroup\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"Test container run as named non-root user with multiple group additions\",\n\t\t\tCommand: test.Command(\"run\", \"--rm\", \"--user\", \"guest\", \"--group-add\", \"root\", \"--group-add\", \"nogroup\", testutil.AlpineImage, \"id\", \"-nG\"),\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"users root nogroup\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"Test container run as named user:group with numeric GID resolution\",\n\t\t\tCommand: test.Command(\"run\", \"--rm\", \"--user\", \"guest:nogroup\", \"--group-add\", \"0\", testutil.AlpineImage, \"id\", \"-nG\"),\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals(\"nogroup root\\n\")),\n\t\t},\n\t}\n\ttestCase.Run(t)\n}\n\n// TestRunAddGroup_CVE_2023_25173 tests https://github.com/advisories/GHSA-hmfx-3pcx-653p\n//\n// Equates to https://github.com/containerd/containerd/commit/286a01f350a2298b4fdd7e2a0b31c04db3937ea8\nfunc TestRunAddGroup_CVE_2023_25173(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.BusyboxImage)\n\t}\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"Test container run as default root user\",\n\t\t\tCommand: test.Command(\"run\", \"--rm\", testutil.BusyboxImage, \"id\"),\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"groups=0(root),10(wheel)\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"Test container run as root with additional groups\",\n\t\t\tCommand: test.Command(\"run\", \"--rm\", \"--group-add\", \"1\", \"--group-add\", \"1234\", testutil.BusyboxImage, \"id\"),\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"groups=0(root),1(daemon),10(wheel),1234\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"Test container run as custom UID with inherited root group\",\n\t\t\tCommand: test.Command(\"run\", \"--rm\", \"--user\", \"1234\", testutil.BusyboxImage, \"id\"),\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"groups=0(root)\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"Test container run as custom UID and GID pair\",\n\t\t\tCommand: test.Command(\"run\", \"--rm\", \"--user\", \"1234:1234\", testutil.BusyboxImage, \"id\"),\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"groups=1234\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"Test container run as custom UID with explicit group add\",\n\t\t\tCommand: test.Command(\"run\", \"--rm\", \"--user\", \"1234\", \"--group-add\", \"1234\", testutil.BusyboxImage, \"id\"),\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"groups=0(root),1234\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"Test container run as named non-root user (daemon)\",\n\t\t\tCommand: test.Command(\"run\", \"--rm\", \"--user\", \"daemon\", testutil.BusyboxImage, \"id\"),\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"groups=1(daemon)\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"Test container run as named user with extra groups\",\n\t\t\tCommand: test.Command(\"run\", \"--rm\", \"--user\", \"daemon\", \"--group-add\", \"1234\", testutil.BusyboxImage, \"id\"),\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"groups=1(daemon),1234\\n\")),\n\t\t},\n\t}\n\ttestCase.Run(t)\n}\n\nfunc TestUsernsMappingRunCmd(t *testing.T) {\n\tnerdtest.Setup()\n\ttestCase := &test.Case{\n\t\tRequire: require.All(\n\t\t\tnerdtest.AllowModifyUserns,\n\t\t\tnerdtest.RemapIDs,\n\t\t\trequire.Not(nerdtest.Docker),\n\t\t),\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdata.Labels().Set(\"validUserns\", \"nerdctltestuser\")\n\t\t\tdata.Labels().Set(\"expectedHostUID\", \"123456789\")\n\t\t\tdata.Labels().Set(\"validUid\", \"123456789\")\n\t\t\tdata.Labels().Set(\"net-container\", \"net-container\")\n\t\t\tdata.Labels().Set(\"invalidUserns\", \"invaliduser\")\n\t\t},\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"Test container run with valid Userns format userns username\",\n\t\t\t\tNoParallel: true, // Changes system config so running in non parallel mode\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\terr := appendUsernsConfig(data.Labels().Get(\"validUserns\"), data.Labels().Get(\"expectedHostUID\"), helpers)\n\t\t\t\t\tassert.NilError(t, err, \"Failed to append Userns config\")\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\t\tremoveUsernsConfig(t, data.Labels().Get(\"validUserns\"), helpers)\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--tty\", \"-d\", \"--userns-remap\", data.Labels().Get(\"validUserns\"), \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", \"inf\")\n\t\t\t\t},\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\tactualHostUID, err := getContainerHostUID(helpers, data.Identifier())\n\t\t\t\t\t\t\tif err != nil {\n\t\t\t\t\t\t\t\tt.Log(fmt.Sprintf(\"Failed to get container host UID: %v\", err))\n\t\t\t\t\t\t\t\tt.FailNow()\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tassert.Assert(t, actualHostUID == data.Labels().Get(\"expectedHostUID\"))\n\t\t\t\t\t\t},\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Test container run with valid Userns --userns uid\",\n\t\t\t\tNoParallel: true, // Changes system config so running in non parallel mode\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\terr := appendUsernsConfig(data.Labels().Get(\"validUserns\"), data.Labels().Get(\"expectedHostUID\"), helpers)\n\t\t\t\t\tassert.NilError(t, err, \"Failed to append Userns config\")\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\t\tremoveUsernsConfig(t, data.Labels().Get(\"validUserns\"), helpers)\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--tty\", \"-d\", \"--userns-remap\", data.Labels().Get(\"validUid\"), \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", \"inf\")\n\t\t\t\t},\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\tactualHostUID, err := getContainerHostUID(helpers, data.Identifier())\n\t\t\t\t\t\t\tif err != nil {\n\t\t\t\t\t\t\t\tt.Log(fmt.Sprintf(\"Failed to get container host UID: %v\", err))\n\t\t\t\t\t\t\t\tt.FailNow()\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tassert.Assert(t, actualHostUID == data.Labels().Get(\"expectedHostUID\"))\n\t\t\t\t\t\t},\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Test container run failure with valid Userns and privileged flag\",\n\t\t\t\tNoParallel: true, // Changes system config so running in non parallel mode\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\terr := appendUsernsConfig(data.Labels().Get(\"validUserns\"), data.Labels().Get(\"expectedHostUID\"), helpers)\n\t\t\t\t\tassert.NilError(t, err, \"Failed to append Userns config\")\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\tremoveUsernsConfig(t, data.Labels().Get(\"validUserns\"), helpers)\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--tty\", \"--privileged\", \"--userns-remap\", data.Labels().Get(\"validUserns\"), \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", \"inf\")\n\t\t\t\t},\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Test container run with valid Userns format --userns :\",\n\t\t\t\tNoParallel: true, // Changes system config so running in non parallel mode\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\terr := appendUsernsConfig(data.Labels().Get(\"validUserns\"), data.Labels().Get(\"expectedHostUID\"), helpers)\n\t\t\t\t\tassert.NilError(t, err, \"Failed to append Userns config\")\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\t\tremoveUsernsConfig(t, data.Labels().Get(\"validUserns\"), helpers)\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--tty\", \"-d\", \"--userns-remap\", fmt.Sprintf(\"%s:%s\", data.Labels().Get(\"validUserns\"), data.Labels().Get(\"validUserns\")), \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", \"inf\")\n\t\t\t\t},\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\tactualHostUID, err := getContainerHostUID(helpers, data.Identifier())\n\t\t\t\t\t\t\tif err != nil {\n\t\t\t\t\t\t\t\tt.Log(fmt.Sprintf(\"Failed to get container host UID: %v\", err))\n\t\t\t\t\t\t\t\tt.FailNow()\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tassert.Assert(t, actualHostUID == data.Labels().Get(\"expectedHostUID\"))\n\t\t\t\t\t\t},\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Test container run with valid Userns --userns uid:gid\",\n\t\t\t\tNoParallel: true, // Changes system config so running in non parallel mode\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\terr := appendUsernsConfig(data.Labels().Get(\"validUserns\"), data.Labels().Get(\"expectedHostUID\"), helpers)\n\t\t\t\t\tassert.NilError(t, err, \"Failed to append Userns config\")\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\t\tremoveUsernsConfig(t, data.Labels().Get(\"validUserns\"), helpers)\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--tty\", \"-d\", \"--userns-remap\", fmt.Sprintf(\"%s:%s\", data.Labels().Get(\"validUid\"), data.Labels().Get(\"validUid\")), \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", \"inf\")\n\t\t\t\t},\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\tactualHostUID, err := getContainerHostUID(helpers, data.Identifier())\n\t\t\t\t\t\t\tif err != nil {\n\t\t\t\t\t\t\t\tt.Log(fmt.Sprintf(\"Failed to get container host UID: %v\", err))\n\t\t\t\t\t\t\t\tt.FailNow()\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tassert.Assert(t, actualHostUID == data.Labels().Get(\"expectedHostUID\"))\n\t\t\t\t\t\t},\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Test container network share with valid Userns\",\n\t\t\t\tNoParallel: true, // Changes system config so running in non parallel mode\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\terr := appendUsernsConfig(data.Labels().Get(\"validUserns\"), data.Labels().Get(\"expectedHostUID\"), helpers)\n\t\t\t\t\tassert.NilError(t, err, \"Failed to append Userns config\")\n\t\t\t\t\thelpers.Ensure(\"run\", \"--tty\", \"-d\", \"--userns-remap\", data.Labels().Get(\"validUserns\"), \"--name\", data.Labels().Get(\"net-container\"), testutil.CommonImage, \"sleep\", \"inf\")\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Labels().Get(\"net-container\"))\n\t\t\t\t\tremoveUsernsConfig(t, data.Labels().Get(\"validUserns\"), helpers)\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--tty\", \"-d\", \"--userns-remap\", data.Labels().Get(\"validUserns\"), \"--net\", fmt.Sprintf(\"container:%s\", data.Labels().Get(\"net-container\")), \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", \"inf\")\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Test container run with valid Userns with override --userns=host\",\n\t\t\t\tNoParallel: true, // Changes system config so running in non parallel mode\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\terr := appendUsernsConfig(data.Labels().Get(\"validUserns\"), data.Labels().Get(\"expectedHostUID\"), helpers)\n\t\t\t\t\tassert.NilError(t, err, \"Failed to append Userns config\")\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\t\tremoveUsernsConfig(t, data.Labels().Get(\"validUserns\"), helpers)\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--tty\", \"-d\", \"--userns-remap\", data.Labels().Get(\"validUserns\"), \"--userns\", \"host\", \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", \"inf\")\n\t\t\t\t},\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\tactualHostUID, err := getContainerHostUID(helpers, data.Identifier())\n\t\t\t\t\t\t\tif err != nil {\n\t\t\t\t\t\t\t\tt.Log(fmt.Sprintf(\"Failed to get container host UID: %v\", err))\n\t\t\t\t\t\t\t\tt.FailNow()\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tassert.Assert(t, actualHostUID == \"0\")\n\t\t\t\t\t\t},\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Test container run with valid Userns with invalid overrid --userns=hostinvalid\",\n\t\t\t\tNoParallel: true, // Changes system config so running in non parallel mode\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\terr := appendUsernsConfig(data.Labels().Get(\"validUserns\"), data.Labels().Get(\"expectedHostUID\"), helpers)\n\t\t\t\t\tassert.NilError(t, err, \"Failed to append Userns config\")\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\t\tremoveUsernsConfig(t, data.Labels().Get(\"validUserns\"), helpers)\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--tty\", \"-d\", \"--userns-remap\", data.Labels().Get(\"validUserns\"), \"--userns\", \"hostinvalid\", \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", \"inf\")\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(1, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Test container run with invalid Userns\",\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--tty\", \"-d\", \"--userns-remap\", data.Labels().Get(\"invalidUserns\"), \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", \"inf\")\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(1, nil, nil),\n\t\t\t},\n\t\t},\n\t}\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_run_user_windows_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestRunUserName(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"should run Windows container as ContainerAdministrator by default\",\n\t\t\tCommand: test.Command(\"run\", \"--rm\", testutil.WindowsNano, \"whoami\"),\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"ContainerAdministrator\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"should run Windows container as ContainerAdministrator when user is set to ContainerAdministrator\",\n\t\t\tCommand: test.Command(\"run\", \"--rm\", \"--user\", \"ContainerAdministrator\", testutil.WindowsNano, \"whoami\"),\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"ContainerAdministrator\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"should run Windows container as ContainerUser when user is set to ContainerUser\",\n\t\t\tCommand: test.Command(\"run\", \"--rm\", \"--user\", \"ContainerUser\", testutil.WindowsNano, \"whoami\"),\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"ContainerUser\")),\n\t\t},\n\t}\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_run_verify_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"fmt\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest/registry\"\n)\n\nfunc TestRunVerifyCosign(t *testing.T) {\n\tdockerfile := fmt.Sprintf(`FROM %s\nCMD [\"echo\", \"nerdctl-build-test-string\"]\n\t`, testutil.CommonImage)\n\n\ttestCase := nerdtest.Setup()\n\n\tvar reg *registry.Server\n\n\ttestCase.Require = require.All(\n\t\trequire.Binary(\"cosign\"),\n\t\trequire.Not(nerdtest.Docker),\n\t\tnerdtest.Build,\n\t\tnerdtest.Registry,\n\t)\n\n\ttestCase.Env[\"COSIGN_PASSWORD\"] = \"1\"\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\tpri, pub := nerdtest.GenerateCosignKeyPair(data, helpers, \"1\")\n\t\treg = nerdtest.RegistryWithNoAuth(data, helpers, 0, false)\n\t\treg.Setup(data, helpers)\n\n\t\ttestImageRef := fmt.Sprintf(\"127.0.0.1:%d/%s\", reg.Port, data.Identifier(\"push-cosign-image\"))\n\t\thelpers.Ensure(\"build\", \"-t\", testImageRef, data.Temp().Path())\n\t\thelpers.Ensure(\"push\", testImageRef, \"--sign=cosign\", \"--cosign-key=\"+pri)\n\n\t\tdata.Labels().Set(\"public_key\", pub)\n\t\tdata.Labels().Set(\"image_ref\", testImageRef)\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tif reg != nil {\n\t\t\treg.Cleanup(data, helpers)\n\t\t}\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\thelpers.Fail(\n\t\t\t\"run\", \"--rm\", \"--verify=cosign\",\n\t\t\t\"--cosign-key=dummy\",\n\t\t\tdata.Labels().Get(\"image_ref\"))\n\n\t\treturn helpers.Command(\n\t\t\t\"run\", \"--rm\", \"--verify=cosign\",\n\t\t\t\"--cosign-key=\"+data.Labels().Get(\"public_key\"),\n\t\t\tdata.Labels().Get(\"image_ref\"))\n\t}\n\n\ttestCase.Expected = test.Expects(expect.ExitCodeSuccess, nil, nil)\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_run_windows_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"bytes\"\n\t\"os/exec\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestRunHostProcessContainer(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = require.Not(nerdtest.Docker)\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thostname, err := exec.Command(\"hostname\").Output()\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"unable to get hostname: %s\", err)\n\t\t}\n\t\tdata.Labels().Set(\"hostname\", string(bytes.TrimSpace(hostname)))\n\n\t\twhoami := helpers.Capture(\"run\", \"--rm\", \"--isolation=host\", testutil.WindowsNano, \"whoami\")\n\t\tt.Logf(\"whoami %s\", whoami)\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"run\", \"--rm\", \"--isolation=host\", testutil.WindowsNano, \"hostname\")\n\t}\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(data.Labels().Get(\"hostname\")))(data, helpers)\n\t}\n\ttestCase.Run(t)\n}\n\nfunc TestRunHostProcessContainerAsUser(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = require.Not(nerdtest.Docker)\n\ttestCase.Command = test.Command(\"run\", \"--rm\", \"--isolation=host\", \"-u\", \"NT AUTHORITY\\\\SYSTEM\", testutil.WindowsNano, \"whoami\")\n\ttestCase.Expected = test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"nt authority\\\\system\"))\n\ttestCase.Run(t)\n}\n\nfunc TestRunHostProcessContainerAsLocalService(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = require.Not(nerdtest.Docker)\n\ttestCase.Command = test.Command(\"run\", \"--rm\", \"--isolation=host\", \"-u\", \"NT AUTHORITY\\\\Local Service\", testutil.WindowsNano, \"whoami\")\n\ttestCase.Expected = test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"nt authority\\\\local service\"))\n\ttestCase.Run(t)\n}\n\nfunc TestRunHostProcessContainerAsNetworkService(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = require.Not(nerdtest.Docker)\n\ttestCase.Command = test.Command(\"run\", \"--rm\", \"--isolation=host\", \"-u\", \"NT AUTHORITY\\\\Network Service\", testutil.WindowsNano, \"whoami\")\n\ttestCase.Expected = test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"nt authority\\\\network service\"))\n\ttestCase.Run(t)\n}\n\nfunc TestRunProcessIsolated(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = require.Not(nerdtest.Docker)\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tdata.Labels().Set(\"containeruser\", \"ContainerUser\")\n\t}\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"run\", \"--rm\", \"--isolation=process\", \"-u\", data.Labels().Get(\"containeruser\"), testutil.WindowsNano, \"whoami\")\n\t}\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(data.Labels().Get(\"containeruser\")))(data, helpers)\n\t}\n\ttestCase.Run(t)\n}\n\nfunc TestRunHyperVContainer(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = require.All(\n\t\trequire.Not(nerdtest.Docker),\n\t\tnerdtest.HyperV,\n\t)\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\t// hyperv must not be in the name for this test, the output is parsed for it\n\t\tcontainerName := \"nerdctl-testwcowcontainer\"\n\t\tdata.Labels().Set(\"containerName\", containerName)\n\t\thelpers.Ensure(\"run\", \"--isolation\", \"hyperv\", \"--name\", containerName, testutil.WindowsNano)\n\t}\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Labels().Get(\"containerName\"))\n\t}\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"container\", \"inspect\", \"--mode\", \"native\", data.Labels().Get(\"containerName\"))\n\t}\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"hyperv\"))(data, helpers)\n\t}\n\ttestCase.Run(t)\n}\n\nfunc TestRunProcessContainer(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = require.Not(nerdtest.Docker)\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"run\", \"--isolation\", \"process\", \"--name\", data.Identifier(), testutil.WindowsNano)\n\t}\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"container\", \"inspect\", \"--mode\", \"native\", data.Identifier())\n\t}\n\ttestCase.Expected = test.Expects(expect.ExitCodeSuccess, nil, expect.DoesNotContain(\"hyperv\"))\n\ttestCase.Run(t)\n}\n\n// Note that the current implementation of this test is not ideal, since it relies on internal HCS details that\n// Microsoft could decide to change in the future (breaking both this unit test and the one in containerd itself):\n// https://github.com/containerd/containerd/pull/6618#discussion_r823302852\nfunc TestRunProcessContainerWithDevice(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = require.Not(nerdtest.Docker)\n\ttestCase.Command = test.Command(\n\t\t\"run\",\n\t\t\"--rm\",\n\t\t\"--isolation=process\",\n\t\t\"--device\", \"class://5B45201D-F2F2-4F3B-85BB-30FF1F953599\",\n\t\ttestutil.WindowsNano,\n\t\t\"cmd\", \"/S\", \"/C\", \"dir C:\\\\Windows\\\\System32\\\\HostDriverStore\",\n\t)\n\ttestCase.Expected = test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(\"FileRepository\"))\n\ttestCase.Run(t)\n}\n\nfunc TestRunWithTtyAndDetached(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\t// This test is currently disabled, as it is failing most of the time.\n\ttestCase.Require = nerdtest.NerdctlNeedsFixing(\"https://github.com/containerd/nerdctl/issues/3437\")\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\t// with -t, success, the container should run with tty support.\n\t\thelpers.Ensure(\"run\", \"-d\", \"-t\", \"--name\", data.Identifier(\"with-terminal\"), testutil.CommonImage, \"cmd\", \"/c\", \"echo\", \"Hello, World with TTY!\")\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"container\", \"rm\", \"-f\", data.Identifier(\"with-terminal\"))\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\twithTtyContainer := nerdtest.InspectContainer(helpers, data.Identifier(\"with-terminal\"))\n\t\tassert.Equal(helpers.T(), 0, withTtyContainer.State.ExitCode)\n\t\treturn helpers.Command(\"logs\", data.Identifier(\"with-terminal\"))\n\t}\n\n\ttestCase.Expected = test.Expects(0, nil, expect.Contains(\"Hello, World with TTY!\"))\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_start.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\tcontainerd \"github.com/containerd/containerd/v2/client\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n\t\"github.com/containerd/nerdctl/v2/pkg/consoleutil\"\n)\n\nfunc StartCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"start [flags] CONTAINER [CONTAINER, ...]\",\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tShort: \"Start one or more running containers\",\n\t\tRunE: startAction,\n\t\tValidArgsFunction: startShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\n\tcmd.Flags().SetInterspersed(false)\n\tcmd.Flags().BoolP(\"attach\", \"a\", false, \"Attach STDOUT/STDERR and forward signals\")\n\tcmd.Flags().String(\"detach-keys\", consoleutil.DefaultDetachKeys, \"Override the default detach keys\")\n\tcmd.Flags().BoolP(\"interactive\", \"i\", false, \"Attach container's STDIN\")\n\tcmd.Flags().String(\"checkpoint\", \"\", \"checkpoint name\")\n\tcmd.Flags().String(\"checkpoint-dir\", \"\", \"checkpoint directory\")\n\treturn cmd\n}\n\nfunc startOptions(cmd *cobra.Command) (types.ContainerStartOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ContainerStartOptions{}, err\n\t}\n\tattach, err := cmd.Flags().GetBool(\"attach\")\n\tif err != nil {\n\t\treturn types.ContainerStartOptions{}, err\n\t}\n\tdetachKeys, err := cmd.Flags().GetString(\"detach-keys\")\n\tif err != nil {\n\t\treturn types.ContainerStartOptions{}, err\n\t}\n\tinteractive, err := cmd.Flags().GetBool(\"interactive\")\n\tif err != nil {\n\t\treturn types.ContainerStartOptions{}, err\n\t}\n\tcheckpoint, err := cmd.Flags().GetString(\"checkpoint\")\n\tif err != nil {\n\t\treturn types.ContainerStartOptions{}, err\n\t}\n\tcheckpointDir, err := cmd.Flags().GetString(\"checkpoint-dir\")\n\tif err != nil {\n\t\treturn types.ContainerStartOptions{}, err\n\t}\n\treturn types.ContainerStartOptions{\n\t\tStdout: cmd.OutOrStdout(),\n\t\tGOptions: globalOptions,\n\t\tAttach: attach,\n\t\tDetachKeys: detachKeys,\n\t\tInteractive: interactive,\n\t\tCheckpoint: checkpoint,\n\t\tCheckpointDir: checkpointDir,\n\t}, nil\n}\n\nfunc startAction(cmd *cobra.Command, args []string) error {\n\toptions, err := startOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\toptions.NerdctlCmd, options.NerdctlArgs = helpers.GlobalFlags(cmd)\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn container.Start(ctx, client, args, options)\n}\n\nfunc startShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t// show non-running container names\n\tstatusFilterFn := func(st containerd.ProcessStatus) bool {\n\t\treturn st != containerd.Running && st != containerd.Unknown\n\t}\n\treturn completion.ContainerNames(cmd, statusFilterFn)\n}\n" }, { "path": "cmd/nerdctl/container/container_start_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"bytes\"\n\t\"errors\"\n\t\"io\"\n\t\"strconv\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestStartDetachKeys(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tcmd := helpers.Command(\"run\", \"-it\", \"--name\", data.Identifier(), testutil.CommonImage)\n\t\tcmd.WithPseudoTTY()\n\t\tcmd.Feed(strings.NewReader(\"exit\\n\"))\n\t\tcmd.Run(&test.Expected{\n\t\t\tExitCode: 0,\n\t\t})\n\t\tassert.Assert(t,\n\t\t\tstrings.Contains(helpers.Capture(\"inspect\", \"--format\", \"json\", data.Identifier()), \"\\\"Running\\\":false\"),\n\t\t)\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\tcmd := helpers.Command(\"start\", \"-ai\", \"--detach-keys=ctrl-a,ctrl-b\", data.Identifier())\n\t\tcmd.WithPseudoTTY()\n\t\tcmd.WithFeeder(func() io.Reader {\n\t\t\t// ctrl+a and ctrl+b (see https://en.wikipedia.org/wiki/C0_and_C1_control_codes)\n\t\t\treturn bytes.NewReader([]byte{1, 2})\n\t\t})\n\n\t\treturn cmd\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tExitCode: 0,\n\t\t\tErrors: []error{errors.New(\"detach keys\")},\n\t\t\tOutput: expect.All(\n\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\tassert.Assert(t, strings.Contains(helpers.Capture(\"inspect\", \"--format\", \"json\", data.Identifier()), \"\\\"Running\\\":true\"))\n\t\t\t\t},\n\t\t\t),\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestStartWithCheckpoint(t *testing.T) {\n\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = require.All(\n\t\trequire.Not(nerdtest.Rootless),\n\t\t// Docker version 28.x has a known regression that breaks Checkpoint/Restore functionality.\n\t\t// The issue is tracked in the moby/moby project as https://github.com/moby/moby/issues/50750.\n\t\trequire.Not(nerdtest.Docker),\n\t)\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\t// Use an in-memory tmpfs to model in-memory state without introducing extra processes\n\t\t// Single PID 1 shell: continuously increment a counter and write to /state/counter (tmpfs)\n\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(), \"--tmpfs\", \"/state\", testutil.CommonImage,\n\t\t\t\"sh\", \"-c\", `i=0; while true; do i=$((i+1)); printf \"%d\\n\" \"$i\" >/state/counter; sleep 0.2; done`)\n\t\t// Give some time for the counter to increase before checkpoint to validate continuity after restore\n\t\ttime.Sleep(1 * time.Second)\n\t\thelpers.Ensure(\"checkpoint\", \"create\", data.Identifier(), data.Identifier()+\"-checkpoint\")\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"start\", \"--checkpoint\", data.Identifier()+\"-checkpoint\", data.Identifier())\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tExitCode: 0,\n\t\t\tOutput: expect.All(\n\t\t\t\tfunc(_ string, t tig.T) {\n\t\t\t\t\t// Validate in-memory state continuity via tmpfs: counter should not reset and must keep increasing\n\t\t\t\t\t// Short delay to allow the container to resume; if the counter had reset to 0, it could not reach >5 this fast\n\t\t\t\t\ttime.Sleep(200 * time.Millisecond)\n\t\t\t\t\tc1Str := strings.TrimSpace(helpers.Capture(\"exec\", data.Identifier(), \"cat\", \"/state/counter\"))\n\t\t\t\t\tvar parseErrs []error\n\t\t\t\t\tc1, err1 := strconv.Atoi(c1Str)\n\t\t\t\t\tif err1 != nil {\n\t\t\t\t\t\tparseErrs = append(parseErrs, err1)\n\t\t\t\t\t}\n\t\t\t\t\tassert.Assert(t, len(parseErrs) == 0, \"failed to parse counter values: %v\", parseErrs)\n\t\t\t\t\tassert.Assert(t, c1 > 5, \"tmpfs in-memory counter seems reset or too small: %d\", c1)\n\t\t\t\t},\n\t\t\t),\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_start_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestStart(t *testing.T) {\n\tnerdtest.Setup()\n\n\ttestCase := &test.Case{\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Ensure(\"run\", \"-d\",\n\t\t\t\t\"--name\", data.Identifier(),\n\t\t\t\ttestutil.CommonImage)\n\t\t},\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"start\", data.Identifier())\n\t\t},\n\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\treturn test.Expects(0, nil, expect.Contains(data.Identifier()))(data, helpers)\n\t\t},\n\t}\n\ttestCase.Run(t)\n}\n\nfunc TestStartAttach(t *testing.T) {\n\n\tnerdtest.Setup()\n\n\ttestCase := &test.Case{\n\t\tRequire: require.Not(require.Windows),\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Ensure(\"run\",\n\t\t\t\t\"--name\", data.Identifier(),\n\t\t\t\ttestutil.CommonImage, \"sh\", \"-euxc\", \"echo foo\")\n\t\t},\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"start\", \"-a\", data.Identifier())\n\t\t},\n\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\treturn test.Expects(0, nil, expect.Contains(\"foo\"))(data, helpers)\n\t\t},\n\t}\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_stats.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\tcontainerd \"github.com/containerd/containerd/v2/client\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n)\n\nfunc StatsCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"stats\",\n\t\tShort: \"Display a live stream of container(s) resource usage statistics.\",\n\t\tRunE: statsAction,\n\t\tValidArgsFunction: statsShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\n\taddStatsFlags(cmd)\n\n\treturn cmd\n}\n\nfunc addStatsFlags(cmd *cobra.Command) {\n\tcmd.Flags().BoolP(\"all\", \"a\", false, \"Show all containers (default shows just running)\")\n\tcmd.Flags().String(\"format\", \"\", \"Pretty-print images using a Go template, e.g, '{{json .}}'\")\n\tcmd.Flags().Bool(\"no-stream\", false, \"Disable streaming stats and only pull the first result\")\n\tcmd.Flags().Bool(\"no-trunc\", false, \"Do not truncate output\")\n}\n\nfunc processStatsCommandFlags(cmd *cobra.Command) (types.ContainerStatsOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ContainerStatsOptions{}, err\n\t}\n\n\tall, err := cmd.Flags().GetBool(\"all\")\n\tif err != nil {\n\t\treturn types.ContainerStatsOptions{}, err\n\t}\n\n\tnoStream, err := cmd.Flags().GetBool(\"no-stream\")\n\tif err != nil {\n\t\treturn types.ContainerStatsOptions{}, err\n\t}\n\n\tformat, err := cmd.Flags().GetString(\"format\")\n\tif err != nil {\n\t\treturn types.ContainerStatsOptions{}, err\n\t}\n\n\tnoTrunc, err := cmd.Flags().GetBool(\"no-trunc\")\n\tif err != nil {\n\t\treturn types.ContainerStatsOptions{}, err\n\t}\n\n\treturn types.ContainerStatsOptions{\n\t\tStdout: cmd.OutOrStdout(),\n\t\tStderr: cmd.ErrOrStderr(),\n\t\tGOptions: globalOptions,\n\t\tAll: all,\n\t\tFormat: format,\n\t\tNoStream: noStream,\n\t\tNoTrunc: noTrunc,\n\t}, nil\n}\n\nfunc statsAction(cmd *cobra.Command, args []string) error {\n\toptions, err := processStatsCommandFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn container.Stats(ctx, client, args, options)\n}\n\nfunc statsShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t// show running container names\n\tstatusFilterFn := func(st containerd.ProcessStatus) bool {\n\t\treturn st == containerd.Running\n\t}\n\treturn completion.ContainerNames(cmd, statusFilterFn)\n}\n" }, { "path": "cmd/nerdctl/container/container_stats_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"runtime\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestStats(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\t// FIXME: does not seem to work on windows\n\ttestCase.Require = require.Not(require.Windows)\n\n\tif runtime.GOOS == \"linux\" {\n\t\t// this comment is for `nerdctl ps` but it also valid for `nerdctl stats` :\n\t\t// https://github.com/containerd/nerdctl/pull/223#issuecomment-851395178\n\t\ttestCase.Require = require.All(\n\t\t\ttestCase.Require,\n\t\t\tnerdtest.CgroupsAccessible,\n\t\t)\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"container\"))\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"memlimited\"))\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"exited\"))\n\t}\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(\"container\"), testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(\"memlimited\"), \"--memory\", \"1g\", testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\thelpers.Ensure(\"run\", \"--name\", data.Identifier(\"exited\"), testutil.CommonImage, \"echo\", \"'exited'\")\n\t\tdata.Labels().Set(\"id\", data.Identifier(\"container\"))\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"stats\",\n\t\t\tCommand: test.Command(\"stats\", \"--no-stream\", \"--no-trunc\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.Contains(data.Labels().Get(\"id\")),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"container stats\",\n\t\t\tCommand: test.Command(\"container\", \"stats\", \"--no-stream\", \"--no-trunc\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.Contains(data.Labels().Get(\"id\")),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"stats ID\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"stats\", \"--no-stream\", data.Labels().Get(\"id\"))\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"container stats ID\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"container\", \"stats\", \"--no-stream\", data.Labels().Get(\"id\"))\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"no mem limit set\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"stats\", \"--no-stream\")\n\t\t\t},\n\t\t\t// https://github.com/containerd/nerdctl/issues/1240\n\t\t\t// nerdctl used to print UINT64_MAX as the memory limit, so, ensure it does no more\n\t\t\tExpected: test.Expects(0, nil, expect.DoesNotContain(\"16EiB\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"mem limit set\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"stats\", \"--no-stream\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"1GiB\")),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_stop.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"time\"\n\n\t\"github.com/spf13/cobra\"\n\n\tcontainerd \"github.com/containerd/containerd/v2/client\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n)\n\nfunc StopCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"stop [flags] CONTAINER [CONTAINER, ...]\",\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tShort: \"Stop one or more running containers\",\n\t\tRunE: stopAction,\n\t\tValidArgsFunction: stopShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().IntP(\"time\", \"t\", 10, \"Seconds to wait before sending a SIGKILL\")\n\tcmd.Flags().StringP(\"signal\", \"s\", \"SIGTERM\", \"Signal to send to the container\")\n\treturn cmd\n}\n\nfunc stopOptions(cmd *cobra.Command) (types.ContainerStopOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ContainerStopOptions{}, err\n\t}\n\tvar timeout *time.Duration\n\tif cmd.Flags().Changed(\"time\") {\n\t\ttimeValue, err := cmd.Flags().GetInt(\"time\")\n\t\tif err != nil {\n\t\t\treturn types.ContainerStopOptions{}, err\n\t\t}\n\t\tt := time.Duration(timeValue) * time.Second\n\t\ttimeout = &t\n\t}\n\tvar signal string\n\tif cmd.Flags().Changed(\"signal\") {\n\t\tsignalValue, err := cmd.Flags().GetString(\"signal\")\n\t\tif err != nil {\n\t\t\treturn types.ContainerStopOptions{}, err\n\t\t}\n\t\tsignal = signalValue\n\t}\n\treturn types.ContainerStopOptions{\n\t\tStdout: cmd.OutOrStdout(),\n\t\tStderr: cmd.ErrOrStderr(),\n\t\tGOptions: globalOptions,\n\t\tTimeout: timeout,\n\t\tSignal: signal,\n\t}, nil\n}\n\nfunc stopAction(cmd *cobra.Command, args []string) error {\n\toptions, err := stopOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn container.Stop(ctx, client, args, options)\n}\n\nfunc stopShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t// show non-stopped container names\n\tstatusFilterFn := func(st containerd.ProcessStatus) bool {\n\t\treturn st != containerd.Stopped && st != containerd.Created && st != containerd.Unknown\n\t}\n\treturn completion.ContainerNames(cmd, statusFilterFn)\n}\n" }, { "path": "cmd/nerdctl/container/container_stop_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/coreos/go-iptables/iptables\"\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/rootlessutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\tiptablesutil \"github.com/containerd/nerdctl/v2/pkg/testutil/iptables\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nettestutil\"\n)\n\nfunc TestStopStart(t *testing.T) {\n\tconst (\n\t\thostPort = 8080\n\t)\n\ttestContainerName := testutil.Identifier(t)\n\tbase := testutil.NewBase(t)\n\tdefer base.Cmd(\"rm\", \"-f\", testContainerName).Run()\n\n\tbase.Cmd(\"run\", \"-d\",\n\t\t\"--restart=no\",\n\t\t\"--name\", testContainerName,\n\t\t\"-p\", fmt.Sprintf(\"127.0.0.1:%d:80\", hostPort),\n\t\ttestutil.NginxAlpineImage).AssertOK()\n\n\tcheck := func(httpGetRetry int) error {\n\t\tresp, err := nettestutil.HTTPGet(fmt.Sprintf(\"http://127.0.0.1:%d\", hostPort), httpGetRetry, false)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trespBody, err := io.ReadAll(resp.Body)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif !strings.Contains(string(respBody), testutil.NginxAlpineIndexHTMLSnippet) {\n\t\t\treturn fmt.Errorf(\"expected contain %q, got %q\",\n\t\t\t\ttestutil.NginxAlpineIndexHTMLSnippet, string(respBody))\n\t\t}\n\t\treturn nil\n\t}\n\n\tassert.NilError(t, check(5))\n\tbase.Cmd(\"stop\", testContainerName).AssertOK()\n\tbase.Cmd(\"exec\", testContainerName, \"ps\").AssertFail()\n\tif check(1) == nil {\n\t\tt.Fatal(\"expected to get an error\")\n\t}\n\tbase.Cmd(\"start\", testContainerName).AssertOK()\n\tassert.NilError(t, check(5))\n}\n\nfunc TestStopWithStopSignal(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\tcmd := nerdtest.RunSigProxyContainer(nerdtest.SigQuit, false,\n\t\t\t[]string{\"--stop-signal\", nerdtest.SigQuit.String()}, data, helpers)\n\t\thelpers.Ensure(\"stop\", data.Identifier())\n\t\treturn cmd\n\t}\n\n\t// Verify that SIGQUIT was sent to the container AND that the container did forcefully exit\n\ttestCase.Expected = test.Expects(137, nil, expect.Contains(nerdtest.SignalCaught))\n\n\ttestCase.Run(t)\n}\n\nfunc TestStopCleanupForwards(t *testing.T) {\n\tconst (\n\t\thostPort = 9999\n\t\ttestContainerName = \"ngx\"\n\t)\n\tbase := testutil.NewBase(t)\n\tdefer func() {\n\t\tbase.Cmd(\"rm\", \"-f\", testContainerName).Run()\n\t}()\n\n\t// skip if rootless\n\tif rootlessutil.IsRootless() {\n\t\tt.Skip(\"pkg/testutil/iptables does not support rootless\")\n\t}\n\n\tipt, err := iptables.New()\n\tassert.NilError(t, err)\n\n\tcontainerID := base.Cmd(\"run\", \"-d\",\n\t\t\"--restart=no\",\n\t\t\"--name\", testContainerName,\n\t\t\"-p\", fmt.Sprintf(\"127.0.0.1:%d:80\", hostPort),\n\t\ttestutil.NginxAlpineImage).Run().Stdout()\n\tcontainerID = strings.TrimSuffix(containerID, \"\\n\")\n\n\tcontainerIP := base.Cmd(\"inspect\",\n\t\t\"-f\",\n\t\t\"'{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}'\",\n\t\ttestContainerName).Run().Stdout()\n\tcontainerIP = strings.ReplaceAll(containerIP, \"'\", \"\")\n\tcontainerIP = strings.TrimSuffix(containerIP, \"\\n\")\n\n\t// define iptables chain name depending on the target (docker/nerdctl)\n\tvar chain string\n\tif nerdtest.IsDocker() {\n\t\tchain = \"DOCKER\"\n\t} else {\n\t\tredirectChain := \"CNI-HOSTPORT-DNAT\"\n\t\tchain = iptablesutil.GetRedirectedChain(t, ipt, redirectChain, testutil.Namespace, containerID)\n\t}\n\tassert.Equal(t, iptablesutil.ForwardExists(t, ipt, chain, containerIP, hostPort), true)\n\n\tbase.Cmd(\"stop\", testContainerName).AssertOK()\n\tassert.Equal(t, iptablesutil.ForwardExists(t, ipt, chain, containerIP, hostPort), false)\n}\n\n// Regression test for https://github.com/containerd/nerdctl/issues/3353\nfunc TestStopCreated(t *testing.T) {\n\tt.Parallel()\n\n\tbase := testutil.NewBase(t)\n\ttID := testutil.Identifier(t)\n\n\ttearDown := func() {\n\t\tbase.Cmd(\"rm\", \"-f\", tID).Run()\n\t}\n\n\tsetup := func() {\n\t\tbase.Cmd(\"create\", \"--name\", tID, testutil.CommonImage).AssertOK()\n\t}\n\n\tt.Cleanup(tearDown)\n\ttearDown()\n\tsetup()\n\n\tbase.Cmd(\"stop\", tID).AssertOK()\n}\n\nfunc TestStopWithLongTimeoutAndSIGKILL(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\ttestContainerName := testutil.Identifier(t)\n\tdefer base.Cmd(\"rm\", \"-f\", testContainerName).Run()\n\n\t// Start a container that sleeps forever\n\tbase.Cmd(\"run\", \"-d\", \"--name\", testContainerName, testutil.CommonImage, \"sleep\", \"Inf\").AssertOK()\n\n\t// Stop the container with a 5-second timeout and SIGKILL\n\tstart := time.Now()\n\tbase.Cmd(\"stop\", \"--time=5\", \"--signal\", \"SIGKILL\", testContainerName).AssertOK()\n\telapsed := time.Since(start)\n\n\t// The container should be stopped almost immediately, well before the 5-second timeout\n\tassert.Assert(t, elapsed < 5*time.Second, \"Container wasn't stopped immediately with SIGKILL\")\n}\n\nfunc TestStopWithTimeout(t *testing.T) {\n\tt.Parallel()\n\tbase := testutil.NewBase(t)\n\ttestContainerName := testutil.Identifier(t)\n\tdefer base.Cmd(\"rm\", \"-f\", testContainerName).Run()\n\n\t// Start a container that sleeps forever\n\tbase.Cmd(\"run\", \"-d\", \"--name\", testContainerName, testutil.CommonImage, \"sleep\", \"Inf\").AssertOK()\n\n\t// Stop the container with a 3-second timeout\n\tstart := time.Now()\n\tbase.Cmd(\"stop\", \"--time=3\", testContainerName).AssertOK()\n\telapsed := time.Since(start)\n\n\t// The container should get the SIGKILL before the 10s default timeout\n\tassert.Assert(t, elapsed < 10*time.Second, \"Container did not respect --timeout flag\")\n}\nfunc TestStopCleanupFIFOs(t *testing.T) {\n\tif rootlessutil.IsRootless() {\n\t\tt.Skip(\"/run/containerd/fifo/ doesn't exist on rootless\")\n\t}\n\ttestutil.DockerIncompatible(t)\n\tbase := testutil.NewBase(t)\n\ttestContainerName := testutil.Identifier(t)\n\toldNumFifos, err := countFIFOFiles(\"/run/containerd/fifo/\")\n\tassert.NilError(t, err)\n\t// Stop the container after 2 seconds\n\tgo func() {\n\t\ttime.Sleep(2 * time.Second)\n\t\tbase.Cmd(\"stop\", testContainerName).AssertOK()\n\t\tnewNumFifos, err := countFIFOFiles(\"/run/containerd/fifo/\")\n\t\tassert.NilError(t, err)\n\t\tassert.Equal(t, oldNumFifos, newNumFifos)\n\t}()\n\t// Start a container that is automatically removed after it exits\n\tbase.Cmd(\"run\", \"--rm\", \"--name\", testContainerName, testutil.NginxAlpineImage).AssertOK()\n}\n" }, { "path": "cmd/nerdctl/container/container_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n)\n\nfunc TestMain(m *testing.M) {\n\ttestutil.M(m)\n}\n" }, { "path": "cmd/nerdctl/container/container_top.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"strings\"\n\n\t\"github.com/spf13/cobra\"\n\n\tcontainerd \"github.com/containerd/containerd/v2/client\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n\t\"github.com/containerd/nerdctl/v2/pkg/infoutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/rootlessutil\"\n)\n\nfunc TopCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"top CONTAINER [ps OPTIONS]\",\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tShort: \"Display the running processes of a container\",\n\t\tRunE: topAction,\n\t\tValidArgsFunction: topShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().SetInterspersed(false)\n\treturn cmd\n}\n\nfunc topAction(cmd *cobra.Command, args []string) error {\n\t// NOTE: rootless container does not rely on cgroupv1.\n\t// more details about possible ways to resolve this concern: #223\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif rootlessutil.IsRootless() && infoutil.CgroupsVersion() == \"1\" {\n\t\treturn fmt.Errorf(\"top requires cgroup v2 for rootless containers, see https://rootlesscontaine.rs/getting-started/common/cgroup2/\")\n\t}\n\n\tif globalOptions.CgroupManager == \"none\" {\n\t\treturn errors.New(\"cgroup manager must not be \\\"none\\\"\")\n\t}\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\tcontainerID := args[0]\n\tvar psArgs string\n\tif len(args) > 1 {\n\t\t// Join all remaining arguments as ps args\n\t\tpsArgs = strings.Join(args[1:], \" \")\n\t}\n\n\treturn container.Top(ctx, client, []string{containerID}, types.ContainerTopOptions{\n\t\tStdout: cmd.OutOrStdout(),\n\t\tGOptions: globalOptions,\n\t\tPsArgs: psArgs,\n\t})\n\n}\n\nfunc topShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t// show running container names\n\tstatusFilterFn := func(st containerd.ProcessStatus) bool {\n\t\treturn st == containerd.Running\n\t}\n\treturn completion.ContainerNames(cmd, statusFilterFn)\n}\n" }, { "path": "cmd/nerdctl/container/container_top_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"runtime\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestTop(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\t//more details https://github.com/containerd/nerdctl/pull/223#issuecomment-851395178\n\tif runtime.GOOS == \"linux\" {\n\t\ttestCase.Require = nerdtest.CgroupsAccessible\n\t}\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\t// FIXME: busybox 1.36 on windows still appears to not support sleep inf. Unclear why.\n\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\tdata.Labels().Set(\"cID\", data.Identifier())\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"with o pid,user,cmd\",\n\t\t\t// Docker does not support top -o\n\t\t\tRequire: require.Not(nerdtest.Docker),\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"top\", data.Labels().Get(\"cID\"), \"-o\", \"pid,user,cmd\")\n\t\t\t},\n\n\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"simple\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"top\", data.Labels().Get(\"cID\"))\n\t\t\t},\n\n\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestTopHyperVContainer(t *testing.T) {\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = nerdtest.HyperV\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\t// FIXME: busybox 1.36 on windows still appears to not support sleep inf. Unclear why.\n\t\thelpers.Ensure(\"run\", \"--isolation\", \"hyperv\", \"-d\", \"--name\", data.Identifier(\"container\"), testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"container\"))\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"top\", data.Identifier(\"container\"))\n\t}\n\n\ttestCase.Expected = test.Expects(0, nil, nil)\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_unpause.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\tcontainerd \"github.com/containerd/containerd/v2/client\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n)\n\nfunc UnpauseCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"unpause [flags] CONTAINER [CONTAINER, ...]\",\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tShort: \"Unpause all processes within one or more containers\",\n\t\tRunE: unpauseAction,\n\t\tValidArgsFunction: unpauseShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\treturn cmd\n}\n\nfunc unpauseOptions(cmd *cobra.Command) (types.ContainerUnpauseOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ContainerUnpauseOptions{}, err\n\t}\n\tnerdctlCmd, nerdctlArgs := helpers.GlobalFlags(cmd)\n\treturn types.ContainerUnpauseOptions{\n\t\tGOptions: globalOptions,\n\t\tStdout: cmd.OutOrStdout(),\n\t\tNerdctlCmd: nerdctlCmd,\n\t\tNerdctlArgs: nerdctlArgs,\n\t}, nil\n}\n\nfunc unpauseAction(cmd *cobra.Command, args []string) error {\n\toptions, err := unpauseOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn container.Unpause(ctx, client, args, options)\n}\n\nfunc unpauseShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t// show paused container names\n\tstatusFilterFn := func(st containerd.ProcessStatus) bool {\n\t\treturn st == containerd.Paused\n\t}\n\treturn completion.ContainerNames(cmd, statusFilterFn)\n}\n" }, { "path": "cmd/nerdctl/container/container_update.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"runtime\"\n\t\"time\"\n\n\t\"github.com/docker/go-units\"\n\truntimespec \"github.com/opencontainers/runtime-spec/specs-go\"\n\t\"github.com/spf13/cobra\"\n\n\tcontainerd \"github.com/containerd/containerd/v2/client\"\n\t\"github.com/containerd/containerd/v2/core/containers\"\n\t\"github.com/containerd/errdefs\"\n\t\"github.com/containerd/log\"\n\t\"github.com/containerd/typeurl/v2\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\tnerdctlcontainer \"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n\t\"github.com/containerd/nerdctl/v2/pkg/formatter\"\n\t\"github.com/containerd/nerdctl/v2/pkg/idutil/containerwalker\"\n\t\"github.com/containerd/nerdctl/v2/pkg/infoutil\"\n)\n\ntype updateResourceOptions struct {\n\tCPUPeriod uint64\n\tCPUQuota int64\n\tCPUShares uint64\n\tMemoryLimitInBytes int64\n\tMemoryReservation int64\n\tMemorySwapInBytes int64\n\tCpusetCpus string\n\tCpusetMems string\n\tPidsLimit int64\n\tBlkioWeight uint16\n}\n\nfunc UpdateCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"update [flags] CONTAINER [CONTAINER, ...]\",\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tShort: \"Update one or more running containers\",\n\t\tRunE: updateAction,\n\t\tValidArgsFunction: updateShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().SetInterspersed(false)\n\tsetUpdateFlags(cmd)\n\treturn cmd\n}\n\nfunc setUpdateFlags(cmd *cobra.Command) {\n\tcmd.Flags().Float64(\"cpus\", 0.0, \"Number of CPUs\")\n\tcmd.Flags().Uint64(\"cpu-period\", 0, \"Limit CPU CFS (Completely Fair Scheduler) period\")\n\tcmd.Flags().Int64(\"cpu-quota\", -1, \"Limit CPU CFS (Completely Fair Scheduler) quota\")\n\tcmd.Flags().Uint64(\"cpu-shares\", 0, \"CPU shares (relative weight)\")\n\tcmd.Flags().StringP(\"memory\", \"m\", \"\", \"Memory limit\")\n\tcmd.Flags().String(\"memory-reservation\", \"\", \"Memory soft limit\")\n\tcmd.Flags().String(\"memory-swap\", \"\", \"Swap limit equal to memory plus swap: '-1' to enable unlimited swap\")\n\tcmd.Flags().String(\"kernel-memory\", \"\", \"Kernel memory limit (deprecated)\")\n\tcmd.Flags().String(\"cpuset-cpus\", \"\", \"CPUs in which to allow execution (0-3, 0,1)\")\n\tcmd.Flags().String(\"cpuset-mems\", \"\", \"MEMs in which to allow execution (0-3, 0,1)\")\n\tcmd.Flags().Int64(\"pids-limit\", -1, \"Tune container pids limit (set -1 for unlimited)\")\n\tcmd.Flags().Uint16(\"blkio-weight\", 0, \"Block IO (relative weight), between 10 and 1000, or 0 to disable (default 0)\")\n\tcmd.Flags().String(\"restart\", \"no\", `Restart policy to apply when a container exits (implemented values: \"no\"|\"always|on-failure:n|unless-stopped\")`)\n\tcmd.RegisterFlagCompletionFunc(\"restart\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"no\", \"always\", \"on-failure\", \"unless-stopped\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n}\n\nfunc updateAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\toptions, err := getUpdateOption(cmd, globalOptions)\n\tif err != nil {\n\t\treturn err\n\t}\n\twalker := &containerwalker.ContainerWalker{\n\t\tClient: client,\n\t\tOnFound: func(ctx context.Context, found containerwalker.Found) error {\n\t\t\tif found.MatchCount > 1 {\n\t\t\t\treturn fmt.Errorf(\"multiple IDs found with provided prefix: %s\", found.Req)\n\t\t\t}\n\t\t\terr = updateContainer(ctx, client, found.Container.ID(), options, cmd)\n\t\t\treturn err\n\t\t},\n\t}\n\n\treturn walker.WalkAll(ctx, args, true)\n}\n\nfunc getUpdateOption(cmd *cobra.Command, globalOptions types.GlobalCommandOptions) (updateResourceOptions, error) {\n\tvar options updateResourceOptions\n\tcpus, err := cmd.Flags().GetFloat64(\"cpus\")\n\tif err != nil {\n\t\treturn options, err\n\t}\n\tcpuPeriod, err := cmd.Flags().GetUint64(\"cpu-period\")\n\tif err != nil {\n\t\treturn options, err\n\t}\n\tcpuQuota, err := cmd.Flags().GetInt64(\"cpu-quota\")\n\tif err != nil {\n\t\treturn options, err\n\t}\n\tif cpuQuota != -1 || cpuPeriod != 0 {\n\t\tif cpus > 0.0 {\n\t\t\treturn options, errors.New(\"cpus and quota/period should be used separately\")\n\t\t}\n\t}\n\tif cpus > 0.0 {\n\t\tcpuPeriod = uint64(100000)\n\t\tcpuQuota = int64(cpus * 100000.0)\n\t}\n\tshares, err := cmd.Flags().GetUint64(\"cpu-shares\")\n\tif err != nil {\n\t\treturn options, err\n\t}\n\tmemStr, err := cmd.Flags().GetString(\"memory\")\n\tif err != nil {\n\t\treturn options, err\n\t}\n\tmemSwap, err := cmd.Flags().GetString(\"memory-swap\")\n\tif err != nil {\n\t\treturn options, err\n\t}\n\tvar mem64 int64\n\tif memStr != \"\" {\n\t\tmem64, err = units.RAMInBytes(memStr)\n\t\tif err != nil {\n\t\t\treturn options, fmt.Errorf(\"failed to parse memory bytes %q: %w\", memStr, err)\n\t\t}\n\t}\n\tvar memSwap64 int64\n\tif memSwap != \"\" {\n\t\tif memSwap == \"-1\" {\n\t\t\tmemSwap64 = -1\n\t\t} else {\n\t\t\tmemSwap64, err = units.RAMInBytes(memSwap)\n\t\t\tif err != nil {\n\t\t\t\treturn options, fmt.Errorf(\"failed to parse memory-swap bytes %q: %w\", memSwap, err)\n\t\t\t}\n\t\t\tif mem64 > 0 && memSwap64 > 0 && memSwap64 < mem64 {\n\t\t\t\treturn options, fmt.Errorf(\"minimum memoryswap limit should be larger than memory limit, see usage\")\n\t\t\t}\n\t\t}\n\t} else {\n\t\tmemSwap64 = mem64 * 2\n\t}\n\tif memSwap64 == 0 {\n\t\tmemSwap64 = mem64 * 2\n\t}\n\tmemReserve, err := cmd.Flags().GetString(\"memory-reservation\")\n\tif err != nil {\n\t\treturn options, err\n\t}\n\tvar memReserve64 int64\n\tif memReserve != \"\" {\n\t\tmemReserve64, err = units.RAMInBytes(memReserve)\n\t\tif err != nil {\n\t\t\treturn options, fmt.Errorf(\"failed to parse memory bytes %q: %w\", memReserve, err)\n\t\t}\n\t}\n\tif mem64 > 0 && memReserve64 > 0 && mem64 < memReserve64 {\n\t\treturn options, fmt.Errorf(\"minimum memory limit can not be less than memory reservation limit, see usage\")\n\t}\n\n\tkernelMemStr, err := cmd.Flags().GetString(\"kernel-memory\")\n\tif err != nil {\n\t\treturn options, err\n\t}\n\tif kernelMemStr != \"\" && cmd.Flag(\"kernel-memory\").Changed {\n\t\tlog.L.Warnf(\"The --kernel-memory flag is no longer supported. This flag is a noop.\")\n\t}\n\tcpuset, err := cmd.Flags().GetString(\"cpuset-cpus\")\n\tif err != nil {\n\t\treturn options, err\n\t}\n\tcpusetMems, err := cmd.Flags().GetString(\"cpuset-mems\")\n\tif err != nil {\n\t\treturn options, err\n\t}\n\tpidsLimit, err := cmd.Flags().GetInt64(\"pids-limit\")\n\tif err != nil {\n\t\treturn options, err\n\t}\n\tblkioWeight, err := cmd.Flags().GetUint16(\"blkio-weight\")\n\tif err != nil {\n\t\treturn options, err\n\t}\n\tif blkioWeight != 0 && !infoutil.BlockIOWeight(globalOptions.CgroupManager) {\n\t\treturn options, fmt.Errorf(\"kernel support for cgroup blkio weight missing, weight discarded\")\n\t}\n\tif blkioWeight > 0 && blkioWeight < 10 || blkioWeight > 1000 {\n\t\treturn options, errors.New(\"range of blkio weight is from 10 to 1000\")\n\t}\n\n\tif runtime.GOOS == \"linux\" {\n\t\toptions = updateResourceOptions{\n\t\t\tCPUPeriod: cpuPeriod,\n\t\t\tCPUQuota: cpuQuota,\n\t\t\tCPUShares: shares,\n\t\t\tCpusetCpus: cpuset,\n\t\t\tCpusetMems: cpusetMems,\n\t\t\tMemoryLimitInBytes: mem64,\n\t\t\tMemoryReservation: memReserve64,\n\t\t\tMemorySwapInBytes: memSwap64,\n\t\t\tPidsLimit: pidsLimit,\n\t\t\tBlkioWeight: blkioWeight,\n\t\t}\n\t}\n\treturn options, nil\n}\n\nfunc updateContainer(ctx context.Context, client *containerd.Client, id string, opts updateResourceOptions, cmd *cobra.Command) (retErr error) {\n\tcontainer, err := client.LoadContainer(ctx, id)\n\tif err != nil {\n\t\treturn err\n\t}\n\tcStatus := formatter.ContainerStatus(ctx, container)\n\tif cStatus == \"pausing\" {\n\t\treturn fmt.Errorf(\"container %q is in pausing state\", id)\n\t}\n\tspec, err := container.Spec(ctx)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\toldSpec, err := copySpec(spec)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif runtime.GOOS == \"linux\" {\n\t\tif spec.Linux == nil {\n\t\t\tspec.Linux = &runtimespec.Linux{}\n\t\t}\n\t\tif spec.Linux.Resources == nil {\n\t\t\tspec.Linux.Resources = &runtimespec.LinuxResources{}\n\t\t}\n\t\tif cmd.Flags().Changed(\"blkio-weight\") {\n\t\t\tif spec.Linux.Resources.BlockIO == nil {\n\t\t\t\tspec.Linux.Resources.BlockIO = &runtimespec.LinuxBlockIO{}\n\t\t\t}\n\t\t\tif spec.Linux.Resources.BlockIO.Weight != &opts.BlkioWeight {\n\t\t\t\tspec.Linux.Resources.BlockIO.Weight = &opts.BlkioWeight\n\t\t\t}\n\t\t}\n\t\tif cmd.Flags().Changed(\"cpu-shares\") || cmd.Flags().Changed(\"cpu-quota\") || cmd.Flags().Changed(\"cpu-period\") || cmd.Flags().Changed(\"cpus\") || cmd.Flags().Changed(\"cpuset-mems\") || cmd.Flags().Changed(\"cpuset-cpus\") {\n\t\t\tif spec.Linux.Resources.CPU == nil {\n\t\t\t\tspec.Linux.Resources.CPU = &runtimespec.LinuxCPU{}\n\t\t\t}\n\t\t}\n\t\tif cmd.Flags().Changed(\"cpu-shares\") {\n\t\t\tif spec.Linux.Resources.CPU.Shares != &opts.CPUShares {\n\t\t\t\tspec.Linux.Resources.CPU.Shares = &opts.CPUShares\n\t\t\t}\n\t\t}\n\t\tif cmd.Flags().Changed(\"cpu-quota\") {\n\t\t\tif spec.Linux.Resources.CPU.Quota != &opts.CPUQuota {\n\t\t\t\tspec.Linux.Resources.CPU.Quota = &opts.CPUQuota\n\t\t\t}\n\t\t}\n\t\tif cmd.Flags().Changed(\"cpu-period\") {\n\t\t\tif spec.Linux.Resources.CPU.Period != &opts.CPUPeriod {\n\t\t\t\tspec.Linux.Resources.CPU.Period = &opts.CPUPeriod\n\t\t\t}\n\t\t}\n\t\tif cmd.Flags().Changed(\"cpus\") {\n\t\t\tif spec.Linux.Resources.CPU.Cpus != opts.CpusetCpus {\n\t\t\t\tspec.Linux.Resources.CPU.Cpus = opts.CpusetCpus\n\t\t\t}\n\t\t}\n\t\tif cmd.Flags().Changed(\"cpuset-mems\") {\n\t\t\tif spec.Linux.Resources.CPU.Mems != opts.CpusetMems {\n\t\t\t\tspec.Linux.Resources.CPU.Mems = opts.CpusetMems\n\t\t\t}\n\t\t}\n\n\t\tif cmd.Flags().Changed(\"cpuset-cpus\") {\n\t\t\tif spec.Linux.Resources.CPU.Cpus != opts.CpusetCpus {\n\t\t\t\tspec.Linux.Resources.CPU.Cpus = opts.CpusetCpus\n\t\t\t}\n\t\t}\n\t\tif cmd.Flags().Changed(\"memory\") || cmd.Flags().Changed(\"memory-reservation\") {\n\t\t\tif spec.Linux.Resources.Memory == nil {\n\t\t\t\tspec.Linux.Resources.Memory = &runtimespec.LinuxMemory{}\n\t\t\t}\n\t\t}\n\t\tif cmd.Flags().Changed(\"memory\") {\n\t\t\tif spec.Linux.Resources.Memory.Limit != &opts.MemoryLimitInBytes {\n\t\t\t\tspec.Linux.Resources.Memory.Limit = &opts.MemoryLimitInBytes\n\t\t\t}\n\t\t\tif spec.Linux.Resources.Memory.Swap != &opts.MemorySwapInBytes {\n\t\t\t\tspec.Linux.Resources.Memory.Swap = &opts.MemorySwapInBytes\n\t\t\t}\n\t\t}\n\t\tif cmd.Flags().Changed(\"memory-reservation\") {\n\t\t\tif spec.Linux.Resources.Memory.Reservation != &opts.MemoryReservation {\n\t\t\t\tspec.Linux.Resources.Memory.Reservation = &opts.MemoryReservation\n\t\t\t}\n\t\t}\n\t\tif cmd.Flags().Changed(\"pids-limit\") {\n\t\t\tif spec.Linux.Resources.Pids == nil {\n\t\t\t\tspec.Linux.Resources.Pids = &runtimespec.LinuxPids{}\n\t\t\t}\n\t\t\tif spec.Linux.Resources.Pids.Limit == nil || (spec.Linux.Resources.Pids.Limit != nil && *spec.Linux.Resources.Pids.Limit != opts.PidsLimit) {\n\t\t\t\tspec.Linux.Resources.Pids.Limit = &opts.PidsLimit\n\t\t\t}\n\t\t}\n\t}\n\n\tif err := updateContainerSpec(ctx, container, spec); err != nil {\n\t\treturn fmt.Errorf(\"failed to update spec %+v for container %q\", spec, id)\n\t}\n\tdefer func() {\n\t\tif retErr != nil {\n\t\t\tdeferCtx, deferCancel := context.WithTimeout(ctx, 1*time.Minute)\n\t\t\tdefer deferCancel()\n\t\t\t// Reset spec on error.\n\t\t\tif err := updateContainerSpec(deferCtx, container, oldSpec); err != nil {\n\t\t\t\tlog.G(ctx).WithError(err).Errorf(\"Failed to update spec %+v for container %q\", oldSpec, id)\n\t\t\t}\n\t\t}\n\t}()\n\n\trestart, err := cmd.Flags().GetString(\"restart\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tif cmd.Flags().Changed(\"restart\") && restart != \"\" {\n\t\tif err := nerdctlcontainer.UpdateContainerRestartPolicyLabel(ctx, client, container, restart); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\t// If container is not running, only update spec is enough, new resource\n\t// limit will be applied when container start.\n\tif cStatus != \"Up\" {\n\t\treturn nil\n\t}\n\ttask, err := container.Task(ctx, nil)\n\tif err != nil {\n\t\tif errdefs.IsNotFound(err) {\n\t\t\t// Task exited already.\n\t\t\treturn nil\n\t\t}\n\t\treturn fmt.Errorf(\"failed to get task:%w\", err)\n\t}\n\treturn task.Update(ctx, containerd.WithResources(spec.Linux.Resources))\n}\n\nfunc updateContainerSpec(ctx context.Context, container containerd.Container, spec *runtimespec.Spec) error {\n\tif err := container.Update(ctx, func(ctx context.Context, client *containerd.Client, c *containers.Container) error {\n\t\ta, err := typeurl.MarshalAny(spec)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to marshal spec %+v:%w\", spec, err)\n\t\t}\n\t\tc.Spec = a\n\t\treturn nil\n\t}); err != nil {\n\t\treturn fmt.Errorf(\"failed to update container spec:%w\", err)\n\t}\n\treturn nil\n}\n\nfunc copySpec(spec *runtimespec.Spec) (*runtimespec.Spec, error) {\n\tvar copySpec runtimespec.Spec\n\tif spec == nil {\n\t\treturn nil, errors.New(\"spec cannot be nil\")\n\t}\n\tbytes, err := json.Marshal(spec)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to marshal spec: %w\", err)\n\t}\n\terr = json.Unmarshal(bytes, ©Spec)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to unmarshal into spec copy: %w\", err)\n\t}\n\treturn ©Spec, nil\n}\n\nfunc updateShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\treturn completion.ContainerNames(cmd, nil)\n}\n" }, { "path": "cmd/nerdctl/container/container_update_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"errors\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestUpdateContainer(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttestCase.Require = require.Not(nerdtest.Docker)\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tcontainerName := testutil.Identifier(t)\n\t\tdata.Labels().Set(\"containerName\", containerName)\n\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", containerName, testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\tnerdtest.EnsureContainerStarted(helpers, containerName)\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tcontainerName := data.Labels().Get(\"containerName\")\n\t\thelpers.Anyhow(\"rm\", \"-f\", containerName)\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"should fail on unsupported restart policy value\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcontainerName := data.Labels().Get(\"containerName\")\n\t\t\t\treturn helpers.Command(\"update\", \"--memory\", \"999999999\", \"--restart\", \"123\", containerName)\n\t\t\t},\n\t\t\tExpected: test.Expects(1, []error{errors.New(\"unsupported restart policy\")}, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"should not update memory in inspect\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcontainerName := data.Labels().Get(\"containerName\")\n\t\t\t\treturn helpers.Command(\"inspect\", \"--mode=native\", containerName)\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeSuccess, nil, expect.DoesNotContain(`\"limit\": 999999999,`)),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/container_wait.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\tcontainerd \"github.com/containerd/containerd/v2/client\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n)\n\nfunc WaitCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"wait [flags] CONTAINER [CONTAINER, ...]\",\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tShort: \"Block until one or more containers stop, then print their exit codes.\",\n\t\tRunE: waitAction,\n\t\tValidArgsFunction: waitShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\treturn cmd\n}\n\nfunc waitOptions(cmd *cobra.Command) (types.ContainerWaitOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ContainerWaitOptions{}, err\n\t}\n\treturn types.ContainerWaitOptions{\n\t\tStdout: cmd.OutOrStdout(),\n\t\tGOptions: globalOptions,\n\t}, nil\n}\n\nfunc waitAction(cmd *cobra.Command, args []string) error {\n\toptions, err := waitOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn container.Wait(ctx, client, args, options)\n}\n\nfunc waitShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t// show running container names\n\tstatusFilterFn := func(st containerd.ProcessStatus) bool {\n\t\treturn st == containerd.Running\n\t}\n\treturn completion.ContainerNames(cmd, statusFilterFn)\n}\n" }, { "path": "cmd/nerdctl/container/container_wait_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestWait(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"1\"), data.Identifier(\"2\"), data.Identifier(\"3\"))\n\t}\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(\"1\"), testutil.CommonImage)\n\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(\"2\"), testutil.CommonImage, \"sleep\", \"1\")\n\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(\"3\"), testutil.CommonImage, \"sh\", \"-euxc\", \"sleep 5; exit 123\")\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"wait\", data.Identifier(\"1\"), data.Identifier(\"2\"), data.Identifier(\"3\"))\n\t}\n\n\ttestCase.Expected = test.Expects(0, nil, expect.Equals(`0\n0\n123\n`))\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/container/multi_platform_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage container\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nettestutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/testregistry\"\n)\n\nfunc testMultiPlatformRun(base *testutil.Base, alpineImage string) {\n\tt := base.T\n\ttestutil.RequireExecPlatform(t, \"linux/amd64\", \"linux/arm64\", \"linux/arm/v7\")\n\ttestCases := map[string]string{\n\t\t\"amd64\": \"x86_64\",\n\t\t\"arm64\": \"aarch64\",\n\t\t\"arm\": \"armv7l\",\n\t\t\"linux/arm\": \"armv7l\",\n\t\t\"linux/arm/v7\": \"armv7l\",\n\t}\n\tfor plat, expectedUnameM := range testCases {\n\t\tt.Logf(\"Testing %q (%q)\", plat, expectedUnameM)\n\t\tcmd := base.Cmd(\"run\", \"--rm\", \"--platform=\"+plat, alpineImage, \"uname\", \"-m\")\n\t\tcmd.AssertOutExactly(expectedUnameM + \"\\n\")\n\t}\n}\n\nfunc TestMultiPlatformRun(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\ttestMultiPlatformRun(base, testutil.AlpineImage)\n}\n\nfunc TestMultiPlatformBuildPush(t *testing.T) {\n\ttestutil.DockerIncompatible(t) // non-buildx version of `docker build` lacks multi-platform. Also, `docker push` lacks --platform.\n\ttestutil.RequiresBuild(t)\n\ttestutil.RegisterBuildCacheCleanup(t)\n\ttestutil.RequireExecPlatform(t, \"linux/amd64\", \"linux/arm64\", \"linux/arm/v7\")\n\tbase := testutil.NewBase(t)\n\ttID := testutil.Identifier(t)\n\treg := testregistry.NewWithNoAuth(base, 0, false)\n\tdefer reg.Cleanup(nil)\n\n\timageName := fmt.Sprintf(\"localhost:%d/%s:latest\", reg.Port, tID)\n\tdefer base.Cmd(\"rmi\", imageName).Run()\n\n\tdockerfile := fmt.Sprintf(`FROM %s\nRUN echo dummy\n\t`, testutil.AlpineImage)\n\n\tbuildCtx := helpers.CreateBuildContext(t, dockerfile)\n\n\tbase.Cmd(\"build\", \"-t\", imageName, \"--platform=amd64,arm64,linux/arm/v7\", buildCtx).AssertOK()\n\ttestMultiPlatformRun(base, imageName)\n\tbase.Cmd(\"push\", \"--platform=amd64,arm64,linux/arm/v7\", imageName).AssertOK()\n}\n\n// TestMultiPlatformBuildPushNoRun tests if the push succeeds in a situation where nerdctl builds\n// a Dockerfile without RUN, COPY, etc commands. In such situation, BuildKit doesn't download the base image\n// so nerdctl needs to ensure these blobs to be locally available.\nfunc TestMultiPlatformBuildPushNoRun(t *testing.T) {\n\ttestutil.DockerIncompatible(t) // non-buildx version of `docker build` lacks multi-platform. Also, `docker push` lacks --platform.\n\ttestutil.RequiresBuild(t)\n\ttestutil.RegisterBuildCacheCleanup(t)\n\ttestutil.RequireExecPlatform(t, \"linux/amd64\", \"linux/arm64\", \"linux/arm/v7\")\n\tbase := testutil.NewBase(t)\n\ttID := testutil.Identifier(t)\n\treg := testregistry.NewWithNoAuth(base, 0, false)\n\tdefer reg.Cleanup(nil)\n\n\timageName := fmt.Sprintf(\"localhost:%d/%s:latest\", reg.Port, tID)\n\tdefer base.Cmd(\"rmi\", imageName).Run()\n\n\tdockerfile := fmt.Sprintf(`FROM %s\nCMD echo dummy\n\t`, testutil.AlpineImage)\n\n\tbuildCtx := helpers.CreateBuildContext(t, dockerfile)\n\n\tbase.Cmd(\"build\", \"-t\", imageName, \"--platform=amd64,arm64,linux/arm/v7\", buildCtx).AssertOK()\n\ttestMultiPlatformRun(base, imageName)\n\tbase.Cmd(\"push\", \"--platform=amd64,arm64,linux/arm/v7\", imageName).AssertOK()\n}\n\nfunc TestMultiPlatformPullPushAllPlatforms(t *testing.T) {\n\ttestutil.DockerIncompatible(t)\n\tbase := testutil.NewBase(t)\n\ttID := testutil.Identifier(t)\n\treg := testregistry.NewWithNoAuth(base, 0, false)\n\tdefer reg.Cleanup(nil)\n\n\tpushImageName := fmt.Sprintf(\"localhost:%d/%s:latest\", reg.Port, tID)\n\tdefer base.Cmd(\"rmi\", pushImageName).Run()\n\n\tbase.Cmd(\"pull\", \"--quiet\", \"--all-platforms\", testutil.AlpineImage).AssertOK()\n\tbase.Cmd(\"tag\", testutil.AlpineImage, pushImageName).AssertOK()\n\tbase.Cmd(\"push\", \"--all-platforms\", pushImageName).AssertOK()\n\ttestMultiPlatformRun(base, pushImageName)\n}\n\nfunc TestMultiPlatformComposeUpBuild(t *testing.T) {\n\ttestutil.DockerIncompatible(t)\n\ttestutil.RequiresBuild(t)\n\ttestutil.RegisterBuildCacheCleanup(t)\n\ttestutil.RequireExecPlatform(t, \"linux/amd64\", \"linux/arm64\", \"linux/arm/v7\")\n\tbase := testutil.NewBase(t)\n\n\tconst dockerComposeYAML = `\nservices:\n svc0:\n build: .\n platform: amd64\n ports:\n - 8080:80\n svc1:\n build: .\n platform: arm64\n ports:\n - 8081:80\n svc2:\n build: .\n platform: linux/arm/v7\n ports:\n - 8082:80\n`\n\tdockerfile := fmt.Sprintf(`FROM %s\nRUN uname -m > /usr/share/nginx/html/index.html\n`, testutil.NginxAlpineImage)\n\n\tcomp := testutil.NewComposeDir(t, dockerComposeYAML)\n\tdefer comp.CleanUp()\n\n\tcomp.WriteFile(\"Dockerfile\", dockerfile)\n\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"up\", \"-d\", \"--build\").AssertOK()\n\tdefer base.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"down\", \"-v\").Run()\n\n\ttestCases := map[string]string{\n\t\t\"http://127.0.0.1:8080\": \"x86_64\",\n\t\t\"http://127.0.0.1:8081\": \"aarch64\",\n\t\t\"http://127.0.0.1:8082\": \"armv7l\",\n\t}\n\n\tfor testURL, expectedIndexHTML := range testCases {\n\t\tresp, err := nettestutil.HTTPGet(testURL, 5, false)\n\t\tassert.NilError(t, err)\n\t\trespBody, err := io.ReadAll(resp.Body)\n\t\tassert.NilError(t, err)\n\t\tt.Logf(\"respBody=%q\", respBody)\n\t\tassert.Assert(t, strings.Contains(string(respBody), expectedIndexHTML))\n\t}\n}\n" }, { "path": "cmd/nerdctl/helpers/cobra.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage helpers\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"strconv\"\n\t\"time\"\n\n\t\"github.com/spf13/cobra\"\n\t\"github.com/spf13/pflag\"\n\n\t\"github.com/containerd/log\"\n)\n\n// UnknownSubcommandAction is needed to let `nerdctl system non-existent-command` fail\n// https://github.com/containerd/nerdctl/issues/487\n//\n// Ideally this should be implemented in Cobra itself.\nfunc UnknownSubcommandAction(cmd *cobra.Command, args []string) error {\n\tif len(args) == 0 {\n\t\treturn cmd.Help()\n\t}\n\t// The output mimics https://github.com/spf13/cobra/blob/v1.2.1/command.go#L647-L662\n\tmsg := fmt.Sprintf(\"unknown subcommand %q for %q\", args[0], cmd.Name())\n\tif suggestions := cmd.SuggestionsFor(args[0]); len(suggestions) > 0 {\n\t\tmsg += \"\\n\\nDid you mean this?\\n\"\n\t\tfor _, s := range suggestions {\n\t\t\tmsg += fmt.Sprintf(\"\\t%v\\n\", s)\n\t\t}\n\t}\n\treturn errors.New(msg)\n}\n\n// IsExactArgs returns an error if there is not the exact number of args\nfunc IsExactArgs(number int) cobra.PositionalArgs {\n\treturn func(cmd *cobra.Command, args []string) error {\n\t\tif len(args) == number {\n\t\t\treturn nil\n\t\t}\n\t\treturn fmt.Errorf(\n\t\t\t\"%q requires exactly %d %s.\\nSee '%s --help'.\\n\\nUsage: %s\\n\\n%s\",\n\t\t\tcmd.CommandPath(),\n\t\t\tnumber,\n\t\t\t\"argument(s)\",\n\t\t\tcmd.CommandPath(),\n\t\t\tcmd.UseLine(),\n\t\t\tcmd.Short,\n\t\t)\n\t}\n}\n\n// AddStringFlag is similar to cmd.Flags().String but supports aliases and env var\nfunc AddStringFlag(cmd *cobra.Command, name string, aliases []string, value string, env, usage string) {\n\tif env != \"\" {\n\t\tusage = fmt.Sprintf(\"%s [$%s]\", usage, env)\n\t}\n\tif envV, ok := os.LookupEnv(env); ok {\n\t\tvalue = envV\n\t}\n\taliasesUsage := fmt.Sprintf(\"Alias of --%s\", name)\n\tp := new(string)\n\tflags := cmd.Flags()\n\tflags.StringVar(p, name, value, usage)\n\tfor _, a := range aliases {\n\t\tif len(a) == 1 {\n\t\t\t// pflag doesn't support short-only flags, so we have to register long one as well here\n\t\t\tflags.StringVarP(p, a, a, value, aliasesUsage)\n\t\t} else {\n\t\t\tflags.StringVar(p, a, value, aliasesUsage)\n\t\t}\n\t}\n}\n\n// AddIntFlag is similar to cmd.Flags().Int but supports aliases and env var\nfunc AddIntFlag(cmd *cobra.Command, name string, aliases []string, value int, env, usage string) {\n\tif env != \"\" {\n\t\tusage = fmt.Sprintf(\"%s [$%s]\", usage, env)\n\t}\n\tif envV, ok := os.LookupEnv(env); ok {\n\t\tv, err := strconv.ParseInt(envV, 10, 64)\n\t\tif err != nil {\n\t\t\tlog.L.WithError(err).Warnf(\"Invalid int value for `%s`\", env)\n\t\t}\n\t\tvalue = int(v)\n\t}\n\taliasesUsage := fmt.Sprintf(\"Alias of --%s\", name)\n\tp := new(int)\n\tflags := cmd.Flags()\n\tflags.IntVar(p, name, value, usage)\n\tfor _, a := range aliases {\n\t\tif len(a) == 1 {\n\t\t\t// pflag doesn't support short-only flags, so we have to register long one as well here\n\t\t\tflags.IntVarP(p, a, a, value, aliasesUsage)\n\t\t} else {\n\t\t\tflags.IntVar(p, a, value, aliasesUsage)\n\t\t}\n\t}\n}\n\n// AddDurationFlag is similar to cmd.Flags().Duration but supports aliases and env var\nfunc AddDurationFlag(cmd *cobra.Command, name string, aliases []string, value time.Duration, env, usage string) {\n\tif env != \"\" {\n\t\tusage = fmt.Sprintf(\"%s [$%s]\", usage, env)\n\t}\n\tif envV, ok := os.LookupEnv(env); ok {\n\t\tvar err error\n\t\tvalue, err = time.ParseDuration(envV)\n\t\tif err != nil {\n\t\t\tlog.L.WithError(err).Warnf(\"Invalid duration value for `%s`\", env)\n\t\t}\n\t}\n\taliasesUsage := fmt.Sprintf(\"Alias of --%s\", name)\n\tp := new(time.Duration)\n\tflags := cmd.Flags()\n\tflags.DurationVar(p, name, value, usage)\n\tfor _, a := range aliases {\n\t\tif len(a) == 1 {\n\t\t\t// pflag doesn't support short-only flags, so we have to register long one as well here\n\t\t\tflags.DurationVarP(p, a, a, value, aliasesUsage)\n\t\t} else {\n\t\t\tflags.DurationVar(p, a, value, aliasesUsage)\n\t\t}\n\t}\n}\n\nfunc GlobalFlags(cmd *cobra.Command) (string, []string) {\n\targs0, err := os.Executable()\n\tif err != nil {\n\t\tlog.L.WithError(err).Warnf(\"cannot call os.Executable(), assuming the executable to be %q\", os.Args[0])\n\t\targs0 = os.Args[0]\n\t}\n\tif len(os.Args) < 2 {\n\t\treturn args0, nil\n\t}\n\n\trootCmd := cmd.Root()\n\tflagSet := rootCmd.Flags()\n\targs := []string{}\n\tflagSet.VisitAll(func(f *pflag.Flag) {\n\t\tkey := f.Name\n\t\tval := f.Value.String()\n\t\t// Include flag if:\n\t\t// 1. It was explicitly changed via CLI (highest priority), OR\n\t\t// 2. It has a non-default value (from TOML config)\n\t\t// This ensures both CLI flags and TOML config values are propagated\n\t\tif f.Changed || (val != f.DefValue && val != \"\") {\n\t\t\targs = append(args, \"--\"+key+\"=\"+val)\n\t\t}\n\t})\n\treturn args0, args\n}\n\n// AddPersistentStringArrayFlag is similar to cmd.Flags().StringArray but supports aliases and env var and persistent.\n// See https://github.com/spf13/cobra/blob/main/user_guide.md#persistent-flags to learn what is \"persistent\".\nfunc AddPersistentStringArrayFlag(cmd *cobra.Command, name string, aliases, nonPersistentAliases []string, value []string, env string, usage string) {\n\tif env != \"\" {\n\t\tusage = fmt.Sprintf(\"%s [$%s]\", usage, env)\n\t}\n\tif envV, ok := os.LookupEnv(env); ok {\n\t\tvalue = []string{envV}\n\t}\n\taliasesUsage := fmt.Sprintf(\"Alias of --%s\", name)\n\tp := new([]string)\n\tflags := cmd.Flags()\n\tfor _, a := range nonPersistentAliases {\n\t\tif len(a) == 1 {\n\t\t\t// pflag doesn't support short-only flags, so we have to register long one as well here\n\t\t\tflags.StringArrayVarP(p, a, a, value, aliasesUsage)\n\t\t} else {\n\t\t\tflags.StringArrayVar(p, a, value, aliasesUsage)\n\t\t}\n\t}\n\n\tpersistentFlags := cmd.PersistentFlags()\n\tpersistentFlags.StringArrayVar(p, name, value, usage)\n\tfor _, a := range aliases {\n\t\tif len(a) == 1 {\n\t\t\t// pflag doesn't support short-only flags, so we have to register long one as well here\n\t\t\tpersistentFlags.StringArrayVarP(p, a, a, value, aliasesUsage)\n\t\t} else {\n\t\t\tpersistentFlags.StringArrayVar(p, a, value, aliasesUsage)\n\t\t}\n\t}\n}\n\n// AddPersistentStringFlag is similar to AddStringFlag but persistent.\n// See https://github.com/spf13/cobra/blob/main/user_guide.md#persistent-flags to learn what is \"persistent\".\nfunc AddPersistentStringFlag(cmd *cobra.Command, name string, aliases, localAliases, persistentAliases []string, aliasToBeInherited *pflag.FlagSet, value string, env, usage string) {\n\tif env != \"\" {\n\t\tusage = fmt.Sprintf(\"%s [$%s]\", usage, env)\n\t}\n\tif envV, ok := os.LookupEnv(env); ok {\n\t\tvalue = envV\n\t}\n\taliasesUsage := fmt.Sprintf(\"Alias of --%s\", name)\n\tp := new(string)\n\n\t// flags is full set of flag(s)\n\t// flags can redefine alias already used in subcommands\n\tflags := cmd.Flags()\n\tfor _, a := range aliases {\n\t\tif len(a) == 1 {\n\t\t\t// pflag doesn't support short-only flags, so we have to register long one as well here\n\t\t\tflags.StringVarP(p, a, a, value, aliasesUsage)\n\t\t} else {\n\t\t\tflags.StringVar(p, a, value, aliasesUsage)\n\t\t}\n\t\t// non-persistent flags are not added to the InheritedFlags, so we should add them manually\n\t\tf := flags.Lookup(a)\n\t\taliasToBeInherited.AddFlag(f)\n\t}\n\n\t// localFlags are local to the rootCmd\n\tlocalFlags := cmd.LocalFlags()\n\tfor _, a := range localAliases {\n\t\tif len(a) == 1 {\n\t\t\t// pflag doesn't support short-only flags, so we have to register long one as well here\n\t\t\tlocalFlags.StringVarP(p, a, a, value, aliasesUsage)\n\t\t} else {\n\t\t\tlocalFlags.StringVar(p, a, value, aliasesUsage)\n\t\t}\n\t}\n\n\t// persistentFlags cannot redefine alias already used in subcommands\n\tpersistentFlags := cmd.PersistentFlags()\n\tpersistentFlags.StringVar(p, name, value, usage)\n\tfor _, a := range persistentAliases {\n\t\tif len(a) == 1 {\n\t\t\t// pflag doesn't support short-only flags, so we have to register long one as well here\n\t\t\tpersistentFlags.StringVarP(p, a, a, value, aliasesUsage)\n\t\t} else {\n\t\t\tpersistentFlags.StringVar(p, a, value, aliasesUsage)\n\t\t}\n\t}\n}\n\n// AddPersistentBoolFlag is similar to AddBoolFlag but persistent.\n// See https://github.com/spf13/cobra/blob/main/user_guide.md#persistent-flags to learn what is \"persistent\".\nfunc AddPersistentBoolFlag(cmd *cobra.Command, name string, aliases, nonPersistentAliases []string, value bool, env, usage string) {\n\tif env != \"\" {\n\t\tusage = fmt.Sprintf(\"%s [$%s]\", usage, env)\n\t}\n\tif envV, ok := os.LookupEnv(env); ok {\n\t\tvar err error\n\t\tvalue, err = strconv.ParseBool(envV)\n\t\tif err != nil {\n\t\t\tlog.L.WithError(err).Warnf(\"Invalid boolean value for `%s`\", env)\n\t\t}\n\t}\n\taliasesUsage := fmt.Sprintf(\"Alias of --%s\", name)\n\tp := new(bool)\n\tflags := cmd.Flags()\n\tfor _, a := range nonPersistentAliases {\n\t\tif len(a) == 1 {\n\t\t\t// pflag doesn't support short-only flags, so we have to register long one as well here\n\t\t\tflags.BoolVarP(p, a, a, value, aliasesUsage)\n\t\t} else {\n\t\t\tflags.BoolVar(p, a, value, aliasesUsage)\n\t\t}\n\t}\n\n\tpersistentFlags := cmd.PersistentFlags()\n\tpersistentFlags.BoolVar(p, name, value, usage)\n\tfor _, a := range aliases {\n\t\tif len(a) == 1 {\n\t\t\t// pflag doesn't support short-only flags, so we have to register long one as well here\n\t\t\tpersistentFlags.BoolVarP(p, a, a, value, aliasesUsage)\n\t\t} else {\n\t\t\tpersistentFlags.BoolVar(p, a, value, aliasesUsage)\n\t\t}\n\t}\n}\n\n// HiddenPersistentStringArrayFlag creates a persistent string slice flag and hides it.\n// Used mainly to pass global config values to individual commands.\nfunc HiddenPersistentStringArrayFlag(cmd *cobra.Command, name string, value []string, usage string) {\n\tcmd.PersistentFlags().StringSlice(name, value, usage)\n\tcmd.PersistentFlags().MarkHidden(name)\n}\n" }, { "path": "cmd/nerdctl/helpers/consts.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage helpers\n\nconst (\n\tCategory = \"category\"\n\tManagement = \"management\"\n)\n" }, { "path": "cmd/nerdctl/helpers/flagutil.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage helpers\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/fs\"\n)\n\nfunc VerifyOptions(cmd *cobra.Command) (opt types.ImageVerifyOptions, err error) {\n\tif opt.Provider, err = cmd.Flags().GetString(\"verify\"); err != nil {\n\t\treturn\n\t}\n\tif opt.CosignKey, err = cmd.Flags().GetString(\"cosign-key\"); err != nil {\n\t\treturn\n\t}\n\tif opt.CosignCertificateIdentity, err = cmd.Flags().GetString(\"cosign-certificate-identity\"); err != nil {\n\t\treturn\n\t}\n\tif opt.CosignCertificateIdentityRegexp, err = cmd.Flags().GetString(\"cosign-certificate-identity-regexp\"); err != nil {\n\t\treturn\n\t}\n\tif opt.CosignCertificateOidcIssuer, err = cmd.Flags().GetString(\"cosign-certificate-oidc-issuer\"); err != nil {\n\t\treturn\n\t}\n\tif opt.CosignCertificateOidcIssuerRegexp, err = cmd.Flags().GetString(\"cosign-certificate-oidc-issuer-regexp\"); err != nil {\n\t\treturn\n\t}\n\treturn\n}\n\nfunc ValidateHealthcheckFlags(options types.ContainerCreateOptions) error {\n\thealthFlagsSet :=\n\t\toptions.HealthInterval != 0 ||\n\t\t\toptions.HealthTimeout != 0 ||\n\t\t\toptions.HealthRetries != 0 ||\n\t\t\toptions.HealthStartPeriod != 0\n\n\tif options.NoHealthcheck {\n\t\tif options.HealthCmd != \"\" || healthFlagsSet {\n\t\t\treturn fmt.Errorf(\"--no-healthcheck conflicts with --health-* options\")\n\t\t}\n\t}\n\n\t// Note: HealthCmd can be empty with other healthcheck flags set cause healthCmd could be coming from image.\n\tif options.HealthInterval < 0 {\n\t\treturn fmt.Errorf(\"--health-interval cannot be negative\")\n\t}\n\tif options.HealthTimeout < 0 {\n\t\treturn fmt.Errorf(\"--health-timeout cannot be negative\")\n\t}\n\tif options.HealthRetries < 0 {\n\t\treturn fmt.Errorf(\"--health-retries cannot be negative\")\n\t}\n\tif options.HealthStartPeriod < 0 {\n\t\treturn fmt.Errorf(\"--health-start-period cannot be negative\")\n\t}\n\treturn nil\n}\n\nfunc ProcessRootCmdFlags(cmd *cobra.Command) (types.GlobalCommandOptions, error) {\n\tdebug, err := cmd.Flags().GetBool(\"debug\")\n\tif err != nil {\n\t\treturn types.GlobalCommandOptions{}, err\n\t}\n\tdebugFull, err := cmd.Flags().GetBool(\"debug-full\")\n\tif err != nil {\n\t\treturn types.GlobalCommandOptions{}, err\n\t}\n\taddress, err := cmd.Flags().GetString(\"address\")\n\tif err != nil {\n\t\treturn types.GlobalCommandOptions{}, err\n\t}\n\tnamespace, err := cmd.Flags().GetString(\"namespace\")\n\tif err != nil {\n\t\treturn types.GlobalCommandOptions{}, err\n\t}\n\tsnapshotter, err := cmd.Flags().GetString(\"snapshotter\")\n\tif err != nil {\n\t\treturn types.GlobalCommandOptions{}, err\n\t}\n\tcniPath, err := cmd.Flags().GetString(\"cni-path\")\n\tif err != nil {\n\t\treturn types.GlobalCommandOptions{}, err\n\t}\n\tcniConfigPath, err := cmd.Flags().GetString(\"cni-netconfpath\")\n\tif err != nil {\n\t\treturn types.GlobalCommandOptions{}, err\n\t}\n\tdataRoot, err := cmd.Flags().GetString(\"data-root\")\n\tif err != nil {\n\t\treturn types.GlobalCommandOptions{}, err\n\t}\n\tcgroupManager, err := cmd.Flags().GetString(\"cgroup-manager\")\n\tif err != nil {\n\t\treturn types.GlobalCommandOptions{}, err\n\t}\n\tinsecureRegistry, err := cmd.Flags().GetBool(\"insecure-registry\")\n\tif err != nil {\n\t\treturn types.GlobalCommandOptions{}, err\n\t}\n\thostsDir, err := cmd.Flags().GetStringSlice(\"hosts-dir\")\n\tif err != nil {\n\t\treturn types.GlobalCommandOptions{}, err\n\t}\n\texperimental, err := cmd.Flags().GetBool(\"experimental\")\n\tif err != nil {\n\t\treturn types.GlobalCommandOptions{}, err\n\t}\n\thostGatewayIP, err := cmd.Flags().GetString(\"host-gateway-ip\")\n\tif err != nil {\n\t\treturn types.GlobalCommandOptions{}, err\n\t}\n\tbridgeIP, err := cmd.Flags().GetString(\"bridge-ip\")\n\tif err != nil {\n\t\treturn types.GlobalCommandOptions{}, err\n\t}\n\tkubeHideDupe, err := cmd.Flags().GetBool(\"kube-hide-dupe\")\n\tif err != nil {\n\t\treturn types.GlobalCommandOptions{}, err\n\t}\n\tcdiSpecDirs, err := cmd.Flags().GetStringSlice(\"cdi-spec-dirs\")\n\tif err != nil {\n\t\treturn types.GlobalCommandOptions{}, err\n\t}\n\tdns, err := cmd.Flags().GetStringSlice(\"global-dns\")\n\tif err != nil {\n\t\treturn types.GlobalCommandOptions{}, err\n\t}\n\tdnsOpts, err := cmd.Flags().GetStringSlice(\"global-dns-opts\")\n\tif err != nil {\n\t\treturn types.GlobalCommandOptions{}, err\n\t}\n\tdnsSearch, err := cmd.Flags().GetStringSlice(\"global-dns-search\")\n\tif err != nil {\n\t\treturn types.GlobalCommandOptions{}, err\n\t}\n\n\t// Point to dataRoot for filesystem-helpers implementing rollback / backups.\n\terr = fs.InitFS(dataRoot)\n\tif err != nil {\n\t\treturn types.GlobalCommandOptions{}, err\n\t}\n\n\treturn types.GlobalCommandOptions{\n\t\tDebug: debug,\n\t\tDebugFull: debugFull,\n\t\tAddress: address,\n\t\tNamespace: namespace,\n\t\tSnapshotter: snapshotter,\n\t\tCNIPath: cniPath,\n\t\tCNINetConfPath: cniConfigPath,\n\t\tDataRoot: dataRoot,\n\t\tCgroupManager: cgroupManager,\n\t\tInsecureRegistry: insecureRegistry,\n\t\tHostsDir: hostsDir,\n\t\tExperimental: experimental,\n\t\tHostGatewayIP: hostGatewayIP,\n\t\tBridgeIP: bridgeIP,\n\t\tKubeHideDupe: kubeHideDupe,\n\t\tCDISpecDirs: cdiSpecDirs,\n\t\tDNS: dns,\n\t\tDNSOpts: dnsOpts,\n\t\tDNSSearch: dnsSearch,\n\t}, nil\n}\n\nfunc CheckExperimental(feature string) func(cmd *cobra.Command, args []string) error {\n\treturn func(cmd *cobra.Command, args []string) error {\n\t\tglobalOptions, err := ProcessRootCmdFlags(cmd)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif !globalOptions.Experimental {\n\t\t\treturn fmt.Errorf(\"%s is experimental feature, you should enable experimental config\", feature)\n\t\t}\n\t\treturn nil\n\t}\n}\n" }, { "path": "cmd/nerdctl/helpers/prompt.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage helpers\n\nimport (\n\t\"fmt\"\n\t\"strings\"\n\n\t\"github.com/spf13/cobra\"\n)\n\nfunc Confirm(cmd *cobra.Command, message string) (bool, error) {\n\tmessage += \"\\nAre you sure you want to continue? [y/N] \"\n\t_, err := fmt.Fprint(cmd.OutOrStdout(), message)\n\tif err != nil {\n\t\treturn false, err\n\t}\n\n\tvar confirm string\n\t_, err = fmt.Fscanf(cmd.InOrStdin(), \"%s\", &confirm)\n\tif err != nil {\n\t\treturn false, err\n\t}\n\treturn strings.ToLower(confirm) == \"y\", err\n}\n" }, { "path": "cmd/nerdctl/helpers/testing.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage helpers\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n)\n\nfunc CreateBuildContext(t *testing.T, dockerfile string) string {\n\ttmpDir := t.TempDir()\n\terr := os.WriteFile(filepath.Join(tmpDir, \"Dockerfile\"), []byte(dockerfile), 0644)\n\tassert.NilError(t, err)\n\treturn tmpDir\n}\n\nfunc ExtractDockerArchive(archiveTarPath, rootfsPath string) error {\n\tif err := os.MkdirAll(rootfsPath, 0755); err != nil {\n\t\treturn err\n\t}\n\tworkDir, err := os.MkdirTemp(\"\", \"extract-docker-archive\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer os.RemoveAll(workDir)\n\tif err := ExtractTarFile(workDir, archiveTarPath); err != nil {\n\t\treturn err\n\t}\n\tmanifestJSONPath := filepath.Join(workDir, \"manifest.json\")\n\tmanifestJSONBytes, err := os.ReadFile(manifestJSONPath)\n\tif err != nil {\n\t\treturn err\n\t}\n\tvar mani DockerArchiveManifestJSON\n\tif err := json.Unmarshal(manifestJSONBytes, &mani); err != nil {\n\t\treturn err\n\t}\n\tif len(mani) > 1 {\n\t\treturn fmt.Errorf(\"multi-image archive cannot be extracted: contains %d images\", len(mani))\n\t}\n\tif len(mani) < 1 {\n\t\treturn errors.New(\"invalid archive\")\n\t}\n\tent := mani[0]\n\tfor _, l := range ent.Layers {\n\t\tlayerTarPath := filepath.Join(workDir, l)\n\t\tif err := ExtractTarFile(rootfsPath, layerTarPath); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\treturn nil\n}\n\ntype DockerArchiveManifestJSON []DockerArchiveManifestJSONEntry\n\ntype DockerArchiveManifestJSONEntry struct {\n\tConfig string\n\tRepoTags []string\n\tLayers []string\n}\n\nfunc ExtractTarFile(dirPath, tarFilePath string) error {\n\tcmd := exec.Command(\"tar\", \"Cxf\", dirPath, tarFilePath)\n\tif out, err := cmd.CombinedOutput(); err != nil {\n\t\treturn fmt.Errorf(\"failed to run %v: %q: %w\", cmd.Args, string(out), err)\n\t}\n\treturn nil\n}\n" }, { "path": "cmd/nerdctl/helpers/testing_linux.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage helpers\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nettestutil\"\n)\n\ntype CosignKeyPair struct {\n\tPublicKey string\n\tPrivateKey string\n\tCleanup func()\n}\n\nfunc NewCosignKeyPair(t testing.TB, path string, password string) *CosignKeyPair {\n\ttd, err := os.MkdirTemp(t.TempDir(), path)\n\tassert.NilError(t, err)\n\n\tcmd := exec.Command(\"cosign\", \"generate-key-pair\")\n\tcmd.Dir = td\n\tcmd.Env = append(cmd.Env, fmt.Sprintf(\"COSIGN_PASSWORD=%s\", password))\n\tif out, err := cmd.CombinedOutput(); err != nil {\n\t\tt.Fatalf(\"failed to run %v: %v (%q)\", cmd.Args, err, string(out))\n\t}\n\n\tpublicKey := filepath.Join(td, \"cosign.pub\")\n\tprivateKey := filepath.Join(td, \"cosign.key\")\n\n\treturn &CosignKeyPair{\n\t\tPublicKey: publicKey,\n\t\tPrivateKey: privateKey,\n\t\tCleanup: func() {\n\t\t\t_ = os.RemoveAll(td)\n\t\t},\n\t}\n}\n\nfunc ComposeUp(t *testing.T, base *testutil.Base, dockerComposeYAML string, opts ...string) {\n\tcomp := testutil.NewComposeDir(t, dockerComposeYAML)\n\tdefer comp.CleanUp()\n\n\tprojectName := comp.ProjectName()\n\tt.Logf(\"projectName=%q\", projectName)\n\n\tbase.ComposeCmd(append(append([]string{\"-f\", comp.YAMLFullPath()}, opts...), \"up\", \"-d\")...).AssertOK()\n\tdefer base.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"down\", \"-v\").Run()\n\tbase.Cmd(\"volume\", \"inspect\", fmt.Sprintf(\"%s_db\", projectName)).AssertOK()\n\tbase.Cmd(\"network\", \"inspect\", fmt.Sprintf(\"%s_default\", projectName)).AssertOK()\n\n\tcheckWordpress := func() error {\n\t\tresp, err := nettestutil.HTTPGet(\"http://127.0.0.1:8080\", 5, false)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trespBody, err := io.ReadAll(resp.Body)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif !strings.Contains(string(respBody), testutil.WordpressIndexHTMLSnippet) {\n\t\t\tt.Logf(\"respBody=%q\", respBody)\n\t\t\treturn fmt.Errorf(\"respBody does not contain %q\", testutil.WordpressIndexHTMLSnippet)\n\t\t}\n\t\treturn nil\n\t}\n\n\tvar wordpressWorking bool\n\tfor i := 0; i < 30; i++ {\n\t\tt.Logf(\"(retry %d)\", i)\n\t\terr := checkWordpress()\n\t\tif err == nil {\n\t\t\twordpressWorking = true\n\t\t\tbreak\n\t\t}\n\t\t// NOTE: \"

Error establishing a database connection

\" is expected for the first few iterations\n\t\tt.Log(err)\n\t\ttime.Sleep(3 * time.Second)\n\t}\n\n\tif !wordpressWorking {\n\t\tt.Fatal(\"wordpress is not working\")\n\t}\n\tt.Log(\"wordpress seems functional\")\n\n\tbase.ComposeCmd(\"-f\", comp.YAMLFullPath(), \"down\", \"-v\").AssertOK()\n\tbase.Cmd(\"volume\", \"inspect\", fmt.Sprintf(\"%s_db\", projectName)).AssertFail()\n\tbase.Cmd(\"network\", \"inspect\", fmt.Sprintf(\"%s_default\", projectName)).AssertFail()\n}\n" }, { "path": "cmd/nerdctl/image/image.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/builder\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n)\n\nfunc Command() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tAnnotations: map[string]string{helpers.Category: helpers.Management},\n\t\tUse: \"image\",\n\t\tShort: \"Manage images\",\n\t\tRunE: helpers.UnknownSubcommandAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.AddCommand(\n\t\tbuilder.BuildCommand(),\n\t\t// commitCommand is in \"container\", not in \"image\"\n\t\timageLsCommand(),\n\t\tHistoryCommand(),\n\t\tPullCommand(),\n\t\tPushCommand(),\n\t\tLoadCommand(),\n\t\tSaveCommand(),\n\t\tImportCommand(),\n\t\tTagCommand(),\n\t\timageRemoveCommand(),\n\t\tconvertCommand(),\n\t\tinspectCommand(),\n\t\tencryptCommand(),\n\t\tdecryptCommand(),\n\t\tpruneCommand(),\n\t)\n\treturn cmd\n}\n\nfunc imageLsCommand() *cobra.Command {\n\tx := ImagesCommand()\n\tx.Use = \"ls\"\n\tx.Aliases = []string{\"list\"}\n\treturn x\n}\n\nfunc imageRemoveCommand() *cobra.Command {\n\tx := RmiCommand()\n\tx.Use = \"rm\"\n\tx.Aliases = []string{\"remove\"}\n\treturn x\n}\n" }, { "path": "cmd/nerdctl/image/image_convert.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"compress/gzip\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/image\"\n)\n\nconst imageConvertHelp = `Convert an image format.\n\ne.g., 'nerdctl image convert --estargz --oci example.com/foo:orig example.com/foo:esgz'\n\nUse '--platform' to define the output platform.\nWhen '--all-platforms' is given all images in a manifest list must be available.\n\nFor encryption and decryption, use 'nerdctl image (encrypt|decrypt)' command.\n`\n\n// imageConvertCommand is from https://github.com/containerd/stargz-snapshotter/blob/d58f43a8235e46da73fb94a1a35280cb4d607b2c/cmd/ctr-remote/commands/convert.go\nfunc convertCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"convert [flags] ...\",\n\t\tShort: \"convert an image\",\n\t\tLong: imageConvertHelp,\n\t\tArgs: cobra.MinimumNArgs(2),\n\t\tRunE: imageConvertAction,\n\t\tValidArgsFunction: imageConvertShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\n\tcmd.Flags().String(\"format\", \"\", \"Format the output using the given Go template, e.g, 'json'\")\n\n\t// #region estargz flags\n\tcmd.Flags().Bool(\"estargz\", false, \"Convert legacy tar(.gz) layers to eStargz for lazy pulling. Should be used in conjunction with '--oci'\")\n\tcmd.Flags().String(\"estargz-record-in\", \"\", \"Read 'ctr-remote optimize --record-out=' record file (EXPERIMENTAL)\")\n\tcmd.Flags().Int(\"estargz-compression-level\", gzip.BestCompression, \"eStargz compression level\")\n\tcmd.Flags().Int(\"estargz-chunk-size\", 0, \"eStargz chunk size\")\n\tcmd.Flags().Int(\"estargz-min-chunk-size\", 0, \"The minimal number of bytes of data must be written in one gzip stream. (requires stargz-snapshotter >= v0.13.0)\")\n\tcmd.Flags().Bool(\"estargz-external-toc\", false, \"Separate TOC JSON into another image (called \\\"TOC image\\\"). The name of TOC image is the original + \\\"-esgztoc\\\" suffix. Both eStargz and the TOC image should be pushed to the same registry. (requires stargz-snapshotter >= v0.13.0) (EXPERIMENTAL)\")\n\tcmd.Flags().Bool(\"estargz-keep-diff-id\", false, \"Convert to esgz without changing diffID (cannot be used in conjunction with '--estargz-record-in'. must be specified with '--estargz-external-toc')\")\n\tcmd.Flags().String(\"estargz-gzip-helper\", \"\", \"Helper command for decompressing layers compressed with gzip. Options: pigz, igzip, or gzip.\")\n\t// #endregion\n\n\t// #region zstd flags\n\tcmd.Flags().Bool(\"zstd\", false, \"Convert legacy tar(.gz) layers to zstd. Should be used in conjunction with '--oci'\")\n\tcmd.Flags().Int(\"zstd-compression-level\", 3, \"zstd compression level\")\n\t// #endregion\n\n\t// #region zstd:chunked flags\n\tcmd.Flags().Bool(\"zstdchunked\", false, \"Convert legacy tar(.gz) layers to zstd:chunked for lazy pulling. Should be used in conjunction with '--oci'\")\n\tcmd.Flags().String(\"zstdchunked-record-in\", \"\", \"Read 'ctr-remote optimize --record-out=' record file (EXPERIMENTAL)\")\n\tcmd.Flags().Int(\"zstdchunked-compression-level\", 3, \"zstd:chunked compression level\") // SpeedDefault; see also https://pkg.go.dev/github.com/klauspost/compress/zstd#EncoderLevel\n\tcmd.Flags().Int(\"zstdchunked-chunk-size\", 0, \"zstd:chunked chunk size\")\n\t// #endregion\n\n\t// #region nydus flags\n\tcmd.Flags().Bool(\"nydus\", false, \"Convert an OCI image to Nydus image. Should be used in conjunction with '--oci'\")\n\tcmd.Flags().String(\"nydus-builder-path\", \"nydus-image\", \"The nydus-image binary path, if unset, search in PATH environment\")\n\tcmd.Flags().String(\"nydus-work-dir\", \"\", \"Work directory path for image conversion, default is the nerdctl data root directory\")\n\tcmd.Flags().String(\"nydus-prefetch-patterns\", \"\", \"The file path pattern list want to prefetch\")\n\tcmd.Flags().String(\"nydus-compressor\", \"lz4_block\", \"Nydus blob compression algorithm, possible values: `none`, `lz4_block`, `zstd`, default is `lz4_block`\")\n\t// #endregion\n\n\t// #region overlaybd flags\n\tcmd.Flags().Bool(\"overlaybd\", false, \"Convert tar.gz layers to overlaybd layers\")\n\tcmd.Flags().String(\"overlaybd-fs-type\", \"ext4\", \"Filesystem type for overlaybd\")\n\tcmd.Flags().String(\"overlaybd-dbstr\", \"\", \"Database config string for overlaybd\")\n\t// #endregion\n\n\t// #region soci flags\n\tcmd.Flags().Bool(\"soci\", false, \"Convert image to SOCI Index V2 format.\")\n\tcmd.Flags().Int64(\"soci-min-layer-size\", -1, \"The minimum size of layers that will be converted to SOCI Index V2 format\")\n\tcmd.Flags().Int64(\"soci-span-size\", -1, \"The size of SOCI spans\")\n\t// #endregion\n\n\t// #region generic flags\n\tcmd.Flags().Bool(\"uncompress\", false, \"Convert tar.gz layers to uncompressed tar layers\")\n\tcmd.Flags().Bool(\"oci\", false, \"Convert Docker media types to OCI media types\")\n\t// #endregion\n\n\t// #region platform flags\n\t// platform is defined as StringSlice, not StringArray, to allow specifying \"--platform=amd64,arm64\"\n\tcmd.Flags().StringSlice(\"platform\", []string{}, \"Convert content for a specific platform\")\n\tcmd.RegisterFlagCompletionFunc(\"platform\", completion.Platforms)\n\tcmd.Flags().Bool(\"all-platforms\", false, \"Convert content for all platforms\")\n\t// #endregion\n\n\treturn cmd\n}\n\nfunc convertOptions(cmd *cobra.Command) (types.ImageConvertOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\n\tprogressOutput := cmd.ErrOrStderr()\n\n\tformat, err := cmd.Flags().GetString(\"format\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\n\t// #region estargz flags\n\testargz, err := cmd.Flags().GetBool(\"estargz\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\testargzRecordIn, err := cmd.Flags().GetString(\"estargz-record-in\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\testargzCompressionLevel, err := cmd.Flags().GetInt(\"estargz-compression-level\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\testargzChunkSize, err := cmd.Flags().GetInt(\"estargz-chunk-size\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\testargzMinChunkSize, err := cmd.Flags().GetInt(\"estargz-min-chunk-size\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\testargzExternalTOC, err := cmd.Flags().GetBool(\"estargz-external-toc\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\testargzKeepDiffID, err := cmd.Flags().GetBool(\"estargz-keep-diff-id\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\testargzGzipHelper, err := cmd.Flags().GetString(\"estargz-gzip-helper\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\t// #endregion\n\n\t// #region zstd flags\n\tzstd, err := cmd.Flags().GetBool(\"zstd\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\tzstdCompressionLevel, err := cmd.Flags().GetInt(\"zstd-compression-level\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\t// #endregion\n\n\t// #region zstd:chunked flags\n\tzstdchunked, err := cmd.Flags().GetBool(\"zstdchunked\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\tzstdChunkedCompressionLevel, err := cmd.Flags().GetInt(\"zstdchunked-compression-level\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\tzstdChunkedChunkSize, err := cmd.Flags().GetInt(\"zstdchunked-chunk-size\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\tzstdChunkedRecordIn, err := cmd.Flags().GetString(\"zstdchunked-record-in\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\t// #endregion\n\n\t// #region nydus flags\n\tnydus, err := cmd.Flags().GetBool(\"nydus\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\tnydusBuilderPath, err := cmd.Flags().GetString(\"nydus-builder-path\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\tnydusWorkDir, err := cmd.Flags().GetString(\"nydus-work-dir\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\tnydusPrefetchPatterns, err := cmd.Flags().GetString(\"nydus-prefetch-patterns\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\tnydusCompressor, err := cmd.Flags().GetString(\"nydus-compressor\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\t// #endregion\n\n\t// #region overlaybd flags\n\toverlaybd, err := cmd.Flags().GetBool(\"overlaybd\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\toverlaybdFsType, err := cmd.Flags().GetString(\"overlaybd-fs-type\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\toverlaybdDbstr, err := cmd.Flags().GetString(\"overlaybd-dbstr\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\t// #endregion\n\n\t// #region soci flags\n\tsoci, err := cmd.Flags().GetBool(\"soci\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\tsociMinLayerSize, err := cmd.Flags().GetInt64(\"soci-min-layer-size\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\tsociSpanSize, err := cmd.Flags().GetInt64(\"soci-span-size\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\t// #endregion\n\n\t// #region generic flags\n\tuncompress, err := cmd.Flags().GetBool(\"uncompress\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\toci, err := cmd.Flags().GetBool(\"oci\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\t// #endregion\n\n\t// #region platform flags\n\tplatforms, err := cmd.Flags().GetStringSlice(\"platform\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\tallPlatforms, err := cmd.Flags().GetBool(\"all-platforms\")\n\tif err != nil {\n\t\treturn types.ImageConvertOptions{}, err\n\t}\n\t// #endregion\n\treturn types.ImageConvertOptions{\n\t\tGOptions: globalOptions,\n\t\tFormat: format,\n\t\t// #region generic flags\n\t\tUncompress: uncompress,\n\t\tOci: oci,\n\t\t// #endregion\n\t\t// #region platform flags\n\t\tPlatforms: platforms,\n\t\tAllPlatforms: allPlatforms,\n\t\t// #endregion\n\t\t// Embed image format options\n\t\tEstargzOptions: types.EstargzOptions{\n\t\t\tEstargz: estargz,\n\t\t\tEstargzRecordIn: estargzRecordIn,\n\t\t\tEstargzCompressionLevel: estargzCompressionLevel,\n\t\t\tEstargzChunkSize: estargzChunkSize,\n\t\t\tEstargzMinChunkSize: estargzMinChunkSize,\n\t\t\tEstargzExternalToc: estargzExternalTOC,\n\t\t\tEstargzKeepDiffID: estargzKeepDiffID,\n\t\t\tEstargzGzipHelper: estargzGzipHelper,\n\t\t},\n\t\tZstdOptions: types.ZstdOptions{\n\t\t\tZstd: zstd,\n\t\t\tZstdCompressionLevel: zstdCompressionLevel,\n\t\t},\n\t\tZstdChunkedOptions: types.ZstdChunkedOptions{\n\t\t\tZstdChunked: zstdchunked,\n\t\t\tZstdChunkedCompressionLevel: zstdChunkedCompressionLevel,\n\t\t\tZstdChunkedChunkSize: zstdChunkedChunkSize,\n\t\t\tZstdChunkedRecordIn: zstdChunkedRecordIn,\n\t\t},\n\t\tNydusOptions: types.NydusOptions{\n\t\t\tNydus: nydus,\n\t\t\tNydusBuilderPath: nydusBuilderPath,\n\t\t\tNydusWorkDir: nydusWorkDir,\n\t\t\tNydusPrefetchPatterns: nydusPrefetchPatterns,\n\t\t\tNydusCompressor: nydusCompressor,\n\t\t},\n\t\tOverlaybdOptions: types.OverlaybdOptions{\n\t\t\tOverlaybd: overlaybd,\n\t\t\tOverlayFsType: overlaybdFsType,\n\t\t\tOverlaydbDBStr: overlaybdDbstr,\n\t\t},\n\t\tSociConvertOptions: types.SociConvertOptions{\n\t\t\tSoci: soci,\n\t\t\tSociOptions: types.SociOptions{\n\t\t\t\tSpanSize: sociSpanSize,\n\t\t\t\tMinLayerSize: sociMinLayerSize,\n\t\t\t\tPlatforms: platforms,\n\t\t\t\tAllPlatforms: allPlatforms,\n\t\t\t},\n\t\t},\n\t\tProgressOutput: progressOutput,\n\t\tStdout: cmd.OutOrStdout(),\n\t}, nil\n}\n\nfunc imageConvertAction(cmd *cobra.Command, args []string) error {\n\toptions, err := convertOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tsrcRawRef := args[0]\n\tdestRawRef := args[1]\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn image.Convert(ctx, client, srcRawRef, destRawRef, options)\n}\n\nfunc imageConvertShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t// show image names\n\treturn completion.ImageNames(cmd)\n}\n" }, { "path": "cmd/nerdctl/image/image_convert_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"fmt\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest/registry\"\n)\n\nfunc TestImageConvert(t *testing.T) {\n\tnerdtest.Setup()\n\n\ttestCase := &test.Case{\n\t\tRequire: require.All(\n\t\t\t// FIXME: windows does not support stargz\n\t\t\trequire.Not(require.Windows),\n\t\t\trequire.Not(nerdtest.Docker),\n\t\t),\n\t\tNoParallel: true,\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Ensure(\"pull\", \"--quiet\", \"--all-platforms\", testutil.CommonImage)\n\t\t},\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"esgz\",\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier(\"converted-image\"))\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"image\", \"convert\", \"--oci\", \"--estargz\",\n\t\t\t\t\t\ttestutil.CommonImage, data.Identifier(\"converted-image\"))\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"nydus\",\n\t\t\t\tRequire: require.All(\n\t\t\t\t\trequire.Binary(\"nydus-image\"),\n\t\t\t\t),\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier(\"converted-image\"))\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"image\", \"convert\", \"--oci\", \"--nydus\",\n\t\t\t\t\t\ttestutil.CommonImage, data.Identifier(\"converted-image\"))\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"zstd\",\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier(\"converted-image\"))\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"image\", \"convert\", \"--oci\", \"--zstd\", \"--zstd-compression-level\", \"3\",\n\t\t\t\t\t\ttestutil.CommonImage, data.Identifier(\"converted-image\"))\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"zstdchunked\",\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier(\"converted-image\"))\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"image\", \"convert\", \"--oci\", \"--zstdchunked\", \"--zstdchunked-compression-level\", \"3\",\n\t\t\t\t\t\ttestutil.CommonImage, data.Identifier(\"converted-image\"))\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"soci\",\n\t\t\t\tNoParallel: true,\n\t\t\t\tRequire: require.All(\n\t\t\t\t\trequire.Not(nerdtest.Docker),\n\t\t\t\t\tnerdtest.Soci,\n\t\t\t\t\tnerdtest.SociVersion(\"0.10.0\"),\n\t\t\t\t),\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier(\"converted-image\"))\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"image\", \"convert\", \"--soci\",\n\t\t\t\t\t\t\"--soci-span-size\", \"2097152\",\n\t\t\t\t\t\t\"--soci-min-layer-size\", \"0\",\n\t\t\t\t\t\ttestutil.CommonImage, data.Identifier(\"converted-image\"))\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"soci with all-platforms\",\n\t\t\t\tNoParallel: true,\n\t\t\t\tRequire: require.All(\n\t\t\t\t\trequire.Not(nerdtest.Docker),\n\t\t\t\t\tnerdtest.Soci,\n\t\t\t\t\tnerdtest.SociVersion(\"0.10.0\"),\n\t\t\t\t),\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier(\"converted-image\"))\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"image\", \"convert\", \"--soci\", \"--all-platforms\",\n\t\t\t\t\t\t\"--soci-span-size\", \"2097152\",\n\t\t\t\t\t\t\"--soci-min-layer-size\", \"0\",\n\t\t\t\t\t\ttestutil.CommonImage, data.Identifier(\"converted-image\"))\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n\n}\n\nfunc TestImageConvertNydusVerify(t *testing.T) {\n\tnerdtest.Setup()\n\n\tconst remoteImageKey = \"remoteImageKey\"\n\n\tvar reg *registry.Server\n\n\t// It is unclear what is problematic here, but we use the kernel version to discriminate against EL\n\t// See: https://github.com/containerd/nerdctl/issues/4332\n\ttestutil.RequireKernelVersion(t, \">= 6.0.0-0\")\n\n\ttestCase := &test.Case{\n\t\tRequire: require.All(\n\t\t\trequire.Linux,\n\t\t\trequire.Binary(\"nydus-image\"),\n\t\t\trequire.Binary(\"nydusify\"),\n\t\t\trequire.Binary(\"nydusd\"),\n\t\t\trequire.Not(nerdtest.Docker),\n\t\t\tnerdtest.Rootful,\n\t\t\tnerdtest.Registry,\n\t\t),\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.CommonImage)\n\t\t\treg = nerdtest.RegistryWithNoAuth(data, helpers, 0, false)\n\t\t\treg.Setup(data, helpers)\n\n\t\t\tdata.Labels().Set(remoteImageKey, fmt.Sprintf(\"%s:%d/nydusd-image:test\", \"localhost\", reg.Port))\n\t\t\thelpers.Ensure(\"image\", \"convert\", \"--nydus\", \"--oci\", testutil.CommonImage, data.Identifier(\"converted-image\"))\n\t\t\thelpers.Ensure(\"tag\", data.Identifier(\"converted-image\"), data.Labels().Get(remoteImageKey))\n\t\t\thelpers.Ensure(\"push\", data.Labels().Get(remoteImageKey))\n\t\t},\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier(\"converted-image\"))\n\t\t\tif reg != nil {\n\t\t\t\treg.Cleanup(data, helpers)\n\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(remoteImageKey))\n\t\t\t}\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\tcmd := helpers.Custom(\"nydusify\",\n\t\t\t\t\"check\",\n\t\t\t\t\"--work-dir\",\n\t\t\t\tdata.Temp().Dir(\"nydusify-temp\"),\n\t\t\t\t\"--source\",\n\t\t\t\ttestutil.CommonImage,\n\t\t\t\t\"--target\",\n\t\t\t\tdata.Labels().Get(remoteImageKey),\n\t\t\t\t\"--source-insecure\",\n\t\t\t\t\"--target-insecure\",\n\t\t\t)\n\t\t\tcmd.WithTimeout(30 * time.Second)\n\t\t\treturn cmd\n\t\t},\n\t\tExpected: test.Expects(0, nil, nil),\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/image/image_cryptutil.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/image\"\n)\n\n// registerImgcryptFlags register flags that correspond to parseImgcryptFlags().\n// Platform flags are registered too.\n//\n// From:\n// - https://github.com/containerd/imgcrypt/blob/v1.1.2/cmd/ctr/commands/flags/flags.go#L23-L44 (except skip-decrypt-auth)\n// - https://github.com/containerd/imgcrypt/blob/v1.1.2/cmd/ctr/commands/images/encrypt.go#L52-L55\nfunc registerImgcryptFlags(cmd *cobra.Command, encrypt bool) {\n\tflags := cmd.Flags()\n\n\t// #region platform flags\n\t// platform is defined as StringSlice, not StringArray, to allow specifying \"--platform=amd64,arm64\"\n\tflags.StringSlice(\"platform\", []string{}, \"Convert content for a specific platform\")\n\tcmd.RegisterFlagCompletionFunc(\"platform\", completion.Platforms)\n\tflags.Bool(\"all-platforms\", false, \"Convert content for all platforms\")\n\t// #endregion\n\n\tflags.String(\"gpg-homedir\", \"\", \"The GPG homedir to use; by default gpg uses ~/.gnupg\")\n\tflags.String(\"gpg-version\", \"\", \"The GPG version (\\\"v1\\\" or \\\"v2\\\"), default will make an educated guess\")\n\tflags.StringSlice(\"key\", []string{}, \"A secret key's filename and an optional password separated by colon; this option may be provided multiple times\")\n\t// While --recipient can be specified only for `nerdctl image encrypt`,\n\t// --dec-recipient can be specified for both `nerdctl image encrypt` and `nerdctl image decrypt`.\n\tflags.StringSlice(\"dec-recipient\", []string{}, \"Recipient of the image; used only for PKCS7 and must be an x509 certificate\")\n\n\tif encrypt {\n\t\t// recipient is defined as StringSlice, not StringArray, to allow specifying \"--recipient=jwe:FILE1,jwe:FILE2\"\n\t\tflags.StringSlice(\"recipient\", []string{}, \"Recipient of the image is the person who can decrypt it in the form specified above (i.e. jwe:/path/to/pubkey)\")\n\t}\n}\n\nfunc cryptOptions(cmd *cobra.Command, args []string, encrypt bool) (types.ImageCryptOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ImageCryptOptions{}, err\n\t}\n\tplatforms, err := cmd.Flags().GetStringSlice(\"platform\")\n\tif err != nil {\n\t\treturn types.ImageCryptOptions{}, err\n\t}\n\tallPlatforms, err := cmd.Flags().GetBool(\"all-platforms\")\n\tif err != nil {\n\t\treturn types.ImageCryptOptions{}, err\n\t}\n\tgpgHomeDir, err := cmd.Flags().GetString(\"gpg-homedir\")\n\tif err != nil {\n\t\treturn types.ImageCryptOptions{}, err\n\t}\n\tgpgVersion, err := cmd.Flags().GetString(\"gpg-version\")\n\tif err != nil {\n\t\treturn types.ImageCryptOptions{}, err\n\t}\n\tkeys, err := cmd.Flags().GetStringSlice(\"key\")\n\tif err != nil {\n\t\treturn types.ImageCryptOptions{}, err\n\t}\n\tdecRecipients, err := cmd.Flags().GetStringSlice(\"dec-recipient\")\n\tif err != nil {\n\t\treturn types.ImageCryptOptions{}, err\n\t}\n\tvar recipients []string\n\tif encrypt {\n\t\trecipients, err = cmd.Flags().GetStringSlice(\"recipient\")\n\t\tif err != nil {\n\t\t\treturn types.ImageCryptOptions{}, err\n\t\t}\n\t}\n\treturn types.ImageCryptOptions{\n\t\tGOptions: globalOptions,\n\t\tPlatforms: platforms,\n\t\tAllPlatforms: allPlatforms,\n\t\tGpgHomeDir: gpgHomeDir,\n\t\tGpgVersion: gpgVersion,\n\t\tKeys: keys,\n\t\tDecRecipients: decRecipients,\n\t\tRecipients: recipients,\n\t\tStdout: cmd.OutOrStdout(),\n\t}, nil\n}\n\nfunc getImgcryptAction(encrypt bool) func(cmd *cobra.Command, args []string) error {\n\treturn func(cmd *cobra.Command, args []string) error {\n\t\toptions, err := cryptOptions(cmd, args, encrypt)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tsrcRawRef := args[0]\n\t\ttargetRawRef := args[1]\n\n\t\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tdefer cancel()\n\n\t\treturn image.Crypt(ctx, client, srcRawRef, targetRawRef, encrypt, options)\n\t}\n}\n\nfunc imgcryptShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t// show image names\n\treturn completion.ImageNames(cmd)\n}\n" }, { "path": "cmd/nerdctl/image/image_decrypt.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"github.com/spf13/cobra\"\n)\n\nconst imageDecryptHelp = `Decrypt an image locally.\n\nUse '--key' to specify the private keys.\nPrivate keys in PEM format may be encrypted and the password may be passed\nalong in any of the following formats:\n- :\n- :pass=\n- :fd= (not available for rootless mode)\n- :filename=\n\nUse '--platform' to define the platforms to decrypt. Defaults to the host platform.\nWhen '--all-platforms' is given all images in a manifest list must be available.\nUnspecified platforms are omitted from the output image.\n\nExample (encrypt):\n openssl genrsa -out mykey.pem\n openssl rsa -in mykey.pem -pubout -out mypubkey.pem\n nerdctl image encrypt --recipient=jwe:mypubkey.pem --platform=linux/amd64,linux/arm64 foo example.com/foo:encrypted\n nerdctl push example.com/foo:encrypted\n\nExample (decrypt):\n nerdctl pull --unpack=false example.com/foo:encrypted\n nerdctl image decrypt --key=mykey.pem example.com/foo:encrypted foo:decrypted\n`\n\nfunc decryptCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"decrypt [flags] ...\",\n\t\tShort: \"decrypt an image\",\n\t\tLong: imageDecryptHelp,\n\t\tArgs: cobra.MinimumNArgs(2),\n\t\tRunE: getImgcryptAction(false),\n\t\tValidArgsFunction: imgcryptShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tregisterImgcryptFlags(cmd, false)\n\treturn cmd\n}\n" }, { "path": "cmd/nerdctl/image/image_encrypt.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"github.com/spf13/cobra\"\n)\n\nconst imageEncryptHelp = `Encrypt image layers.\n\nUse '--recipient' to specify the recipients.\nThe following protocol prefixes are supported:\n- pgp:\n- jwe:\n- pkcs7:\n\nUse '--platform' to define the platforms to encrypt. Defaults to the host platform.\nWhen '--all-platforms' is given all images in a manifest list must be available.\nUnspecified platforms are omitted from the output image.\n\nExample:\n openssl genrsa -out mykey.pem\n openssl rsa -in mykey.pem -pubout -out mypubkey.pem\n nerdctl image encrypt --recipient=jwe:mypubkey.pem --platform=linux/amd64,linux/arm64 foo example.com/foo:encrypted\n nerdctl push example.com/foo:encrypted\n\nTo run the encrypted image, put the private key file (mykey.pem) to /etc/containerd/ocicrypt/keys (rootful) or ~/.config/containerd/ocicrypt/keys (rootless).\ncontainerd before v1.4 requires extra configuration steps, see https://github.com/containerd/nerdctl/blob/main/docs/ocicrypt.md\n\nCAUTION: This command only encrypts image layers, but does NOT encrypt container configuration such as 'Env' and 'Cmd'.\nTo see non-encrypted information, run 'nerdctl image inspect --mode=native --platform=PLATFORM example.com/foo:encrypted' .\n`\n\nfunc encryptCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"encrypt [flags] ...\",\n\t\tShort: \"encrypt image layers\",\n\t\tLong: imageEncryptHelp,\n\t\tArgs: cobra.MinimumNArgs(2),\n\t\tRunE: getImgcryptAction(true),\n\t\tValidArgsFunction: imgcryptShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tregisterImgcryptFlags(cmd, true)\n\treturn cmd\n}\n" }, { "path": "cmd/nerdctl/image/image_encrypt_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"fmt\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest/registry\"\n)\n\nfunc TestImageEncryptJWE(t *testing.T) {\n\tnerdtest.Setup()\n\n\tvar reg *registry.Server\n\n\tconst remoteImageKey = \"remoteImageKey\"\n\n\ttestCase := &test.Case{\n\t\tRequire: require.All(\n\t\t\trequire.Linux,\n\t\t\trequire.Not(nerdtest.Docker),\n\t\t\t// This test needs to rmi the common image\n\t\t\tnerdtest.Private,\n\t\t\tnerdtest.Registry,\n\t\t),\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\tif reg != nil {\n\t\t\t\treg.Cleanup(data, helpers)\n\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(remoteImageKey))\n\t\t\t}\n\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier(\"decrypted\"))\n\t\t},\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tpri, pub := nerdtest.GenerateJWEKeyPair(data, helpers)\n\t\t\tdata.Labels().Set(\"private\", pri)\n\t\t\tdata.Labels().Set(\"public\", pub)\n\n\t\t\treg = nerdtest.RegistryWithNoAuth(data, helpers, 0, false)\n\t\t\treg.Setup(data, helpers)\n\n\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.CommonImage)\n\t\t\tencryptImageRef := fmt.Sprintf(\"127.0.0.1:%d/%s:encrypted\", reg.Port, data.Identifier())\n\t\t\thelpers.Ensure(\"image\", \"encrypt\", \"--recipient=jwe:\"+pub, testutil.CommonImage, encryptImageRef)\n\t\t\tinspector := helpers.Capture(\"image\", \"inspect\", \"--mode=native\", \"--format={{len .Index.Manifests}}\", encryptImageRef)\n\t\t\tassert.Equal(t, inspector, \"1\\n\")\n\t\t\tinspector = helpers.Capture(\"image\", \"inspect\", \"--mode=native\", \"--format={{json .Manifest.Layers}}\", encryptImageRef)\n\t\t\tassert.Assert(t, strings.Contains(inspector, \"org.opencontainers.image.enc.keys.jwe\"))\n\t\t\thelpers.Ensure(\"push\", encryptImageRef)\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", encryptImageRef)\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", testutil.CommonImage)\n\t\t\tdata.Labels().Set(remoteImageKey, encryptImageRef)\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\thelpers.Fail(\"pull\", data.Labels().Get(remoteImageKey))\n\t\t\thelpers.Ensure(\"pull\", \"--quiet\", \"--unpack=false\", data.Labels().Get(remoteImageKey))\n\t\t\thelpers.Fail(\"image\", \"decrypt\", \"--key=\"+data.Labels().Get(\"public\"), data.Labels().Get(remoteImageKey), data.Identifier(\"decrypted\")) // decryption needs prv key, not pub key\n\t\t\treturn helpers.Command(\"image\", \"decrypt\", \"--key=\"+data.Labels().Get(\"private\"), data.Labels().Get(remoteImageKey), data.Identifier(\"decrypted\"))\n\t\t},\n\t\tExpected: test.Expects(0, nil, nil),\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/image/image_history.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"strconv\"\n\t\"text/tabwriter\"\n\t\"text/template\"\n\t\"time\"\n\n\t\"github.com/docker/go-units\"\n\t\"github.com/opencontainers/image-spec/identity\"\n\t\"github.com/spf13/cobra\"\n\n\tcontainerd \"github.com/containerd/containerd/v2/client\"\n\t\"github.com/containerd/log\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/formatter\"\n\t\"github.com/containerd/nerdctl/v2/pkg/idutil/imagewalker\"\n\t\"github.com/containerd/nerdctl/v2/pkg/imgutil\"\n)\n\nfunc HistoryCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"history [flags] IMAGE\",\n\t\tShort: \"Show the history of an image\",\n\t\tArgs: helpers.IsExactArgs(1),\n\t\tRunE: historyAction,\n\t\tValidArgsFunction: historyShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\taddHistoryFlags(cmd)\n\treturn cmd\n}\n\nfunc addHistoryFlags(cmd *cobra.Command) {\n\tcmd.Flags().StringP(\"format\", \"f\", \"\", \"Format the output using the given Go template, e.g, '{{json .}}'\")\n\tcmd.RegisterFlagCompletionFunc(\"format\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"json\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\tcmd.Flags().BoolP(\"quiet\", \"q\", false, \"Only show numeric IDs\")\n\tcmd.Flags().BoolP(\"human\", \"H\", true, \"Print sizes and dates in human readable format (default true)\")\n\tcmd.Flags().Bool(\"no-trunc\", false, \"Don't truncate output\")\n}\n\ntype historyPrintable struct {\n\tcreationTime *time.Time\n\tsize int64\n\n\tSnapshot string\n\tCreatedAt string\n\tCreatedSince string\n\tCreatedBy string\n\tSize string\n\tComment string\n}\n\nfunc historyAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\twalker := &imagewalker.ImageWalker{\n\t\tClient: client,\n\t\tOnFound: func(ctx context.Context, found imagewalker.Found) error {\n\t\t\tif found.MatchCount > 1 {\n\t\t\t\treturn fmt.Errorf(\"multiple IDs found with provided prefix: %s\", found.Req)\n\t\t\t}\n\t\t\tctx, cancel := context.WithTimeout(ctx, 5*time.Second)\n\t\t\tdefer cancel()\n\t\t\timg := containerd.NewImage(client, found.Image)\n\t\t\timageConfig, _, err := imgutil.ReadImageConfig(ctx, img)\n\t\t\tif err != nil {\n\t\t\t\treturn fmt.Errorf(\"failed to ReadImageConfig: %w\", err)\n\t\t\t}\n\t\t\tconfigHistories := imageConfig.History\n\t\t\tlayerCounter := 0\n\t\t\tdiffIDs, err := img.RootFS(ctx)\n\t\t\tif err != nil {\n\t\t\t\treturn fmt.Errorf(\"failed to get diffIDS: %w\", err)\n\t\t\t}\n\t\t\tvar historys []historyPrintable\n\t\t\tfor _, h := range configHistories {\n\t\t\t\tvar size int64\n\t\t\t\tvar snapshotName string\n\t\t\t\tif !h.EmptyLayer {\n\t\t\t\t\tif len(diffIDs) <= layerCounter {\n\t\t\t\t\t\treturn fmt.Errorf(\"too many non-empty layers in History section\")\n\t\t\t\t\t}\n\t\t\t\t\tdiffIDs := diffIDs[0 : layerCounter+1]\n\t\t\t\t\tchainID := identity.ChainID(diffIDs).String()\n\n\t\t\t\t\ts := client.SnapshotService(globalOptions.Snapshotter)\n\t\t\t\t\tstat, err := s.Stat(ctx, chainID)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\treturn fmt.Errorf(\"failed to get stat: %w\", err)\n\t\t\t\t\t}\n\t\t\t\t\tuse, err := s.Usage(ctx, chainID)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\treturn fmt.Errorf(\"failed to get usage: %w\", err)\n\t\t\t\t\t}\n\t\t\t\t\tsize = use.Size\n\t\t\t\t\tsnapshotName = stat.Name\n\t\t\t\t\tlayerCounter++\n\t\t\t\t} else {\n\t\t\t\t\tsize = 0\n\t\t\t\t\tsnapshotName = \"\"\n\t\t\t\t}\n\t\t\t\thistory := historyPrintable{\n\t\t\t\t\tcreationTime: h.Created,\n\t\t\t\t\tsize: size,\n\t\t\t\t\tSnapshot: snapshotName,\n\t\t\t\t\tCreatedBy: h.CreatedBy,\n\t\t\t\t\tComment: h.Comment,\n\t\t\t\t}\n\t\t\t\thistorys = append(historys, history)\n\t\t\t}\n\t\t\terr = printHistory(cmd, historys)\n\t\t\tif err != nil {\n\t\t\t\treturn fmt.Errorf(\"failed printHistory: %w\", err)\n\t\t\t}\n\t\t\treturn nil\n\t\t},\n\t}\n\n\treturn walker.WalkAll(ctx, args, true)\n}\n\ntype historyPrinter struct {\n\tw io.Writer\n\tquiet, noTrunc, human bool\n\ttmpl *template.Template\n}\n\nfunc printHistory(cmd *cobra.Command, historys []historyPrintable) error {\n\tquiet, err := cmd.Flags().GetBool(\"quiet\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tnoTrunc, err := cmd.Flags().GetBool(\"no-trunc\")\n\tif err != nil {\n\t\treturn err\n\t}\n\thuman, err := cmd.Flags().GetBool(\"human\")\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tvar w io.Writer\n\tw = os.Stdout\n\n\tformat, err := cmd.Flags().GetString(\"format\")\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tvar tmpl *template.Template\n\tswitch format {\n\tcase \"\", \"table\":\n\t\tw = tabwriter.NewWriter(w, 4, 8, 4, ' ', 0)\n\t\tif !quiet {\n\t\t\tfmt.Fprintln(w, \"SNAPSHOT\\tCREATED\\tCREATED BY\\tSIZE\\tCOMMENT\")\n\t\t}\n\tcase \"raw\":\n\t\treturn errors.New(\"unsupported format: \\\"raw\\\"\")\n\tdefault:\n\t\tquiet = false\n\t\tvar err error\n\t\ttmpl, err = formatter.ParseTemplate(format)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\tprinter := &historyPrinter{\n\t\tw: w,\n\t\tquiet: quiet,\n\t\tnoTrunc: noTrunc,\n\t\thuman: human,\n\t\ttmpl: tmpl,\n\t}\n\n\tfor index := len(historys) - 1; index >= 0; index-- {\n\t\tif err := printer.printHistory(historys[index]); err != nil {\n\t\t\tlog.L.Warn(err)\n\t\t}\n\t}\n\n\tif f, ok := w.(formatter.Flusher); ok {\n\t\treturn f.Flush()\n\t}\n\treturn nil\n}\n\nfunc (x *historyPrinter) printHistory(printable historyPrintable) error {\n\t// Truncate long values unless --no-trunc is passed\n\tif !x.noTrunc {\n\t\tif len(printable.CreatedBy) > 45 {\n\t\t\tprintable.CreatedBy = printable.CreatedBy[0:44] + \"…\"\n\t\t}\n\t\t// Do not truncate snapshot id if quiet is being passed\n\t\tif !x.quiet && len(printable.Snapshot) > 45 {\n\t\t\tprintable.Snapshot = printable.Snapshot[0:44] + \"…\"\n\t\t}\n\t}\n\n\t// Format date and size for display based on --human preference\n\tprintable.CreatedAt = printable.creationTime.Local().Format(time.RFC3339)\n\tif x.human {\n\t\tprintable.CreatedSince = formatter.TimeSinceInHuman(*printable.creationTime)\n\t\tprintable.Size = units.HumanSize(float64(printable.size))\n\t} else {\n\t\tprintable.CreatedSince = printable.CreatedAt\n\t\tprintable.Size = strconv.FormatInt(printable.size, 10)\n\t}\n\n\tif x.tmpl != nil {\n\t\tvar b bytes.Buffer\n\t\tif err := x.tmpl.Execute(&b, printable); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif _, err := fmt.Fprintln(x.w, b.String()); err != nil {\n\t\t\treturn err\n\t\t}\n\t} else if x.quiet {\n\t\tif _, err := fmt.Fprintln(x.w, printable.Snapshot); err != nil {\n\t\t\treturn err\n\t\t}\n\t} else {\n\t\tif _, err := fmt.Fprintf(x.w, \"%s\\t%s\\t%s\\t%s\\t%s\\n\",\n\t\t\tprintable.Snapshot,\n\t\t\tprintable.CreatedSince,\n\t\t\tprintable.CreatedBy,\n\t\t\tprintable.Size,\n\t\t\tprintable.Comment,\n\t\t); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc historyShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t// show image names\n\treturn completion.ImageNames(cmd)\n}\n" }, { "path": "cmd/nerdctl/image/image_history_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"io\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/formatter\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\ntype historyObj struct {\n\tSnapshot string\n\tCreatedAt string\n\tCreatedSince string\n\tCreatedBy string\n\tSize string\n\tComment string\n}\n\nconst createdAt1 = \"2021-03-31T10:21:21-07:00\"\nconst createdAt2 = \"2021-03-31T10:21:23-07:00\"\n\n// Expected content of the common image on arm64\nvar (\n\tcreatedAtTime, _ = time.Parse(time.RFC3339, createdAt2)\n\texpectedHistory = []historyObj{\n\t\t{\n\t\t\tCreatedBy: \"/bin/sh -c #(nop) CMD [\\\"/bin/sh\\\"]\",\n\t\t\tSize: \"0B\",\n\t\t\tCreatedAt: createdAt2,\n\t\t\tSnapshot: \"\",\n\t\t\tComment: \"\",\n\t\t\tCreatedSince: formatter.TimeSinceInHuman(createdAtTime),\n\t\t},\n\t\t{\n\t\t\tCreatedBy: \"/bin/sh -c #(nop) ADD file:3b16ffee2b26d8af5…\",\n\t\t\tSize: \"5.947MB\",\n\t\t\tCreatedAt: createdAt1,\n\t\t\tSnapshot: \"sha256:56bf55b8eed1f0b4794a30386e4d1d3da949c…\",\n\t\t\tComment: \"\",\n\t\t\tCreatedSince: formatter.TimeSinceInHuman(createdAtTime),\n\t\t},\n\t}\n\texpectedHistoryNoTrunc = []historyObj{\n\t\t{\n\t\t\tSnapshot: \"\",\n\t\t\tSize: \"0\",\n\t\t},\n\t\t{\n\t\t\tSnapshot: \"sha256:56bf55b8eed1f0b4794a30386e4d1d3da949c25bcb5155e898097cd75dc77c2a\",\n\t\t\tCreatedBy: \"/bin/sh -c #(nop) ADD file:3b16ffee2b26d8af5db152fcc582aaccd9e1ec9e3343874e9969a205550fe07d in / \",\n\t\t\tSize: \"5947392\",\n\t\t},\n\t}\n)\n\nfunc decode(stdout string) ([]historyObj, error) {\n\tdec := json.NewDecoder(strings.NewReader(stdout))\n\tobject := []historyObj{}\n\tfor {\n\t\tvar v historyObj\n\t\tif err := dec.Decode(&v); err == io.EOF {\n\t\t\tbreak\n\t\t} else if err != nil {\n\t\t\treturn nil, errors.New(\"failed to decode history object\")\n\t\t}\n\t\tobject = append(object, v)\n\t}\n\n\treturn object, nil\n}\n\nfunc TestImageHistory(t *testing.T) {\n\t// Here are the current issues with regard to docker true compatibility:\n\t// - we have a different definition of what a layer id is (snapshot vs. id)\n\t// this will require indepth convergence when moby will handle multi-platform images\n\t// - our definition of size is different\n\t// this requires some investigation to figure out why it differs\n\t// possibly one is unpacked on the filessystem while the other is the tar file size?\n\t// - we do not truncate ids when --quiet has been provided\n\t// this is a conscious decision here - truncating with --quiet does not make much sense\n\n\tnerdtest.Setup()\n\n\ttestCase := &test.Case{\n\t\tRequire: require.All(\n\t\t\trequire.Not(nerdtest.Docker),\n\t\t\t// XXX the results here are obviously platform dependent - and it seems like windows cannot pull a linux image?\n\t\t\trequire.Not(require.Windows),\n\t\t\t// XXX Currently, history does not work on non-native platform, so, we cannot test reliably on other platforms\n\t\t\trequire.Arm64,\n\t\t),\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t// XXX: despite efforts to isolate this test, it keeps on having side effects linked to\n\t\t\t// https://github.com/containerd/nerdctl/issues/3512\n\t\t\t// Isolating it into a completely different root is the last ditched attempt at avoiding the issue\n\t\t\thelpers.Write(nerdtest.DataRoot, test.ConfigValue(data.Temp().Path()))\n\t\t\thelpers.Ensure(\"pull\", \"--quiet\", \"--platform\", \"linux/arm64\", testutil.CommonImage)\n\t\t},\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"trunc, no quiet, human\",\n\t\t\t\tCommand: test.Command(\"image\", \"history\", \"--human=true\", \"--format=json\", testutil.CommonImage),\n\t\t\t\tExpected: test.Expects(0, nil, func(stdout string, t tig.T) {\n\t\t\t\t\thistory, err := decode(stdout)\n\t\t\t\t\tassert.NilError(t, err, \"decode should not fail\")\n\t\t\t\t\tassert.Equal(t, len(history), 2, \"history should be 2 in length\")\n\n\t\t\t\t\th0Time, _ := time.Parse(time.RFC3339, history[0].CreatedAt)\n\t\t\t\t\th1Time, _ := time.Parse(time.RFC3339, history[1].CreatedAt)\n\t\t\t\t\tcomp0Time, _ := time.Parse(time.RFC3339, expectedHistory[0].CreatedAt)\n\t\t\t\t\tcomp1Time, _ := time.Parse(time.RFC3339, expectedHistory[1].CreatedAt)\n\n\t\t\t\t\tassert.Equal(t, h0Time.UTC().String(), comp0Time.UTC().String())\n\t\t\t\t\tassert.Equal(t, history[0].CreatedBy, expectedHistory[0].CreatedBy)\n\t\t\t\t\tassert.Equal(t, history[0].Size, expectedHistory[0].Size)\n\t\t\t\t\tassert.Equal(t, history[0].CreatedSince, expectedHistory[0].CreatedSince)\n\t\t\t\t\tassert.Equal(t, history[0].Snapshot, expectedHistory[0].Snapshot)\n\t\t\t\t\tassert.Equal(t, history[0].Comment, expectedHistory[0].Comment)\n\n\t\t\t\t\tassert.Equal(t, h1Time.UTC().String(), comp1Time.UTC().String())\n\t\t\t\t\tassert.Equal(t, history[1].CreatedBy, expectedHistory[1].CreatedBy)\n\t\t\t\t\tassert.Equal(t, history[1].Size, expectedHistory[1].Size)\n\t\t\t\t\tassert.Equal(t, history[1].CreatedSince, expectedHistory[1].CreatedSince)\n\t\t\t\t\tassert.Equal(t, history[1].Snapshot, expectedHistory[1].Snapshot)\n\t\t\t\t\tassert.Equal(t, history[1].Comment, expectedHistory[1].Comment)\n\t\t\t\t}),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"no human - dates and sizes are not prettyfied\",\n\t\t\t\tCommand: test.Command(\"image\", \"history\", \"--human=false\", \"--format=json\", testutil.CommonImage),\n\t\t\t\tExpected: test.Expects(0, nil, func(stdout string, t tig.T) {\n\t\t\t\t\thistory, err := decode(stdout)\n\t\t\t\t\tassert.NilError(t, err, \"decode should not fail\")\n\t\t\t\t\tassert.Equal(t, history[0].Size, expectedHistoryNoTrunc[0].Size)\n\t\t\t\t\tassert.Equal(t, history[0].CreatedSince, history[0].CreatedAt)\n\t\t\t\t\tassert.Equal(t, history[1].Size, expectedHistoryNoTrunc[1].Size)\n\t\t\t\t\tassert.Equal(t, history[1].CreatedSince, history[1].CreatedAt)\n\t\t\t\t}),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"no trunc - do not truncate sha or cmd\",\n\t\t\t\tCommand: test.Command(\"image\", \"history\", \"--human=false\", \"--no-trunc\", \"--format=json\", testutil.CommonImage),\n\t\t\t\tExpected: test.Expects(0, nil, func(stdout string, t tig.T) {\n\t\t\t\t\thistory, err := decode(stdout)\n\t\t\t\t\tassert.NilError(t, err, \"decode should not fail\")\n\t\t\t\t\tassert.Equal(t, history[1].Snapshot, expectedHistoryNoTrunc[1].Snapshot)\n\t\t\t\t\tassert.Equal(t, history[1].CreatedBy, expectedHistoryNoTrunc[1].CreatedBy)\n\t\t\t\t}),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Quiet has no effect with format, so, go no-json, no-trunc\",\n\t\t\t\tCommand: test.Command(\"image\", \"history\", \"--human=false\", \"--no-trunc\", \"--quiet\", testutil.CommonImage),\n\t\t\t\tExpected: test.Expects(0, nil, func(stdout string, t tig.T) {\n\t\t\t\t\tassert.Equal(t, stdout, expectedHistoryNoTrunc[0].Snapshot+\"\\n\"+expectedHistoryNoTrunc[1].Snapshot+\"\\n\")\n\t\t\t\t}),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"With quiet, trunc has no effect\",\n\t\t\t\tCommand: test.Command(\"image\", \"history\", \"--human=false\", \"--no-trunc\", \"--quiet\", testutil.CommonImage),\n\t\t\t\tExpected: test.Expects(0, nil, func(stdout string, t tig.T) {\n\t\t\t\t\tassert.Equal(t, stdout, expectedHistoryNoTrunc[0].Snapshot+\"\\n\"+expectedHistoryNoTrunc[1].Snapshot+\"\\n\")\n\t\t\t\t}),\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/image/image_import.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"os\"\n\t\"strings\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/image\"\n)\n\nfunc ImportCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"import [OPTIONS] file|URL|- [REPOSITORY[:TAG]]\",\n\t\tShort: \"Import the contents from a tarball to create a filesystem image\",\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tRunE: importAction,\n\t\tValidArgsFunction: imageImportShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\n\tcmd.Flags().StringP(\"message\", \"m\", \"\", \"Set commit message for imported image\")\n\tcmd.Flags().String(\"platform\", \"\", \"Set platform for imported image (e.g., linux/amd64)\")\n\treturn cmd\n}\n\nfunc importOptions(cmd *cobra.Command, args []string) (types.ImageImportOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ImageImportOptions{}, err\n\t}\n\tmessage, err := cmd.Flags().GetString(\"message\")\n\tif err != nil {\n\t\treturn types.ImageImportOptions{}, err\n\t}\n\tplatform, err := cmd.Flags().GetString(\"platform\")\n\tif err != nil {\n\t\treturn types.ImageImportOptions{}, err\n\t}\n\tvar reference string\n\tif len(args) > 1 {\n\t\treference = args[1]\n\t}\n\n\tvar in io.ReadCloser\n\tsrc := args[0]\n\tswitch {\n\tcase src == \"-\":\n\t\tin = io.NopCloser(cmd.InOrStdin())\n\tcase hasHTTPPrefix(src):\n\t\tresp, err := http.Get(src)\n\t\tif err != nil {\n\t\t\treturn types.ImageImportOptions{}, err\n\t\t}\n\t\tif resp.StatusCode < 200 || resp.StatusCode >= 300 {\n\t\t\tdefer resp.Body.Close()\n\t\t\treturn types.ImageImportOptions{}, fmt.Errorf(\"failed to download %s: %s\", src, resp.Status)\n\t\t}\n\t\tin = resp.Body\n\tdefault:\n\t\tf, err := os.Open(src)\n\t\tif err != nil {\n\t\t\treturn types.ImageImportOptions{}, err\n\t\t}\n\t\tin = f\n\t}\n\n\treturn types.ImageImportOptions{\n\t\tStdout: cmd.OutOrStdout(),\n\t\tStdin: in,\n\t\tGOptions: globalOptions,\n\t\tSource: args[0],\n\t\tReference: reference,\n\t\tMessage: message,\n\t\tPlatform: platform,\n\t}, nil\n}\n\nfunc importAction(cmd *cobra.Command, args []string) error {\n\topt, err := importOptions(cmd, args)\n\tif err != nil {\n\t\treturn err\n\t}\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), opt.GOptions.Namespace, opt.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\tdefer func() {\n\t\tif rc, ok := opt.Stdin.(io.ReadCloser); ok {\n\t\t\t_ = rc.Close()\n\t\t}\n\t}()\n\n\tname, err := image.Import(ctx, client, opt)\n\tif err != nil {\n\t\treturn err\n\t}\n\t_, err = cmd.OutOrStdout().Write([]byte(name + \"\\n\"))\n\treturn err\n}\n\nfunc imageImportShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\treturn completion.ImageNames(cmd)\n}\n\nfunc hasHTTPPrefix(s string) bool {\n\treturn strings.HasPrefix(s, \"http://\") || strings.HasPrefix(s, \"https://\")\n}\n" }, { "path": "cmd/nerdctl/image/image_import_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"archive/tar\"\n\t\"bytes\"\n\t\"errors\"\n\t\"net/http\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\n// minimalRootfsTar returns a valid tar archive with no files.\nfunc minimalRootfsTar(t *testing.T) *bytes.Buffer {\n\tt.Helper()\n\tbuf := new(bytes.Buffer)\n\ttw := tar.NewWriter(buf)\n\tassert.NilError(t, tw.Close())\n\treturn buf\n}\n\nfunc TestImageImportErrors(t *testing.T) {\n\tnerdtest.Setup()\n\n\ttestCase := &test.Case{\n\t\tDescription: \"TestImageImportErrors\",\n\t\tRequire: require.Linux,\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"import\", \"\", \"image:tag\")\n\t\t},\n\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\treturn &test.Expected{\n\t\t\t\tExitCode: 1,\n\t\t\t\tErrors: []error{errors.New(data.Labels().Get(\"error\"))},\n\t\t\t}\n\t\t},\n\t\tData: test.WithLabels(map[string]string{\n\t\t\t\"error\": \"no such file or directory\",\n\t\t}),\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestImageImport(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\tvar stopServer func()\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"image import from stdin\",\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcmd := helpers.Command(\"import\", \"-\", data.Identifier())\n\t\t\t\tcmd.Feed(bytes.NewReader(minimalRootfsTar(t).Bytes()))\n\t\t\t\treturn cmd\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\tidentifier := data.Identifier()\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\timgs := helpers.Capture(\"images\")\n\t\t\t\t\t\t\tassert.Assert(t, strings.Contains(imgs, identifier))\n\t\t\t\t\t\t},\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"image import from file\",\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tp := filepath.Join(data.Temp().Path(), \"rootfs.tar\")\n\t\t\t\tassert.NilError(t, os.WriteFile(p, minimalRootfsTar(t).Bytes(), 0644))\n\t\t\t\tdata.Labels().Set(\"tar\", p)\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"import\", data.Labels().Get(\"tar\"), data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\tidentifier := data.Identifier()\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\timgs := helpers.Capture(\"images\")\n\t\t\t\t\t\t\tassert.Assert(t, strings.Contains(imgs, identifier))\n\t\t\t\t\t\t},\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"image import with message\",\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcmd := helpers.Command(\"import\", \"-m\", \"A message\", \"-\", data.Identifier())\n\t\t\t\tcmd.Feed(bytes.NewReader(minimalRootfsTar(t).Bytes()))\n\t\t\t\treturn cmd\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\tidentifier := data.Identifier() + \":latest\"\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\timg := nerdtest.InspectImage(helpers, identifier)\n\t\t\t\t\t\t\tassert.Equal(t, img.Comment, \"A message\")\n\t\t\t\t\t\t},\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"image import with platform\",\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcmd := helpers.Command(\"import\", \"--platform\", \"linux/amd64\", \"-\", data.Identifier())\n\t\t\t\tcmd.Feed(bytes.NewReader(minimalRootfsTar(t).Bytes()))\n\t\t\t\treturn cmd\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\tidentifier := data.Identifier() + \":latest\"\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\timg := nerdtest.InspectImage(helpers, identifier)\n\t\t\t\t\t\t\tassert.Equal(t, img.Architecture, \"amd64\")\n\t\t\t\t\t\t\tassert.Equal(t, img.Os, \"linux\")\n\t\t\t\t\t\t},\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"image import from URL\",\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tif stopServer != nil {\n\t\t\t\t\tstopServer()\n\t\t\t\t\tstopServer = nil\n\t\t\t\t}\n\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\t\t\t\tw.Header().Set(\"Content-Type\", \"application/x-tar\")\n\t\t\t\t\t_, _ = w.Write(minimalRootfsTar(t).Bytes())\n\t\t\t\t})\n\t\t\t\turl, stop, err := nerdtest.StartHTTPServer(handler)\n\t\t\t\tassert.NilError(t, err)\n\t\t\t\tstopServer = stop\n\t\t\t\tdata.Labels().Set(\"url\", url)\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"import\", data.Labels().Get(\"url\"), data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\tidentifier := data.Identifier()\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\timgs := helpers.Capture(\"images\")\n\t\t\t\t\t\t\tassert.Assert(t, strings.Contains(imgs, identifier))\n\t\t\t\t\t\t},\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/image/image_inspect.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/log\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/image\"\n\t\"github.com/containerd/nerdctl/v2/pkg/formatter\"\n)\n\nfunc inspectCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"inspect [flags] IMAGE [IMAGE...]\",\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tShort: \"Display detailed information on one or more images.\",\n\t\tLong: \"Hint: set `--mode=native` for showing the full output\",\n\t\tRunE: imageInspectAction,\n\t\tValidArgsFunction: imageInspectShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().String(\"mode\", \"dockercompat\", `Inspect mode, \"dockercompat\" for Docker-compatible output, \"native\" for containerd-native output`)\n\tcmd.RegisterFlagCompletionFunc(\"mode\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"dockercompat\", \"native\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\tcmd.Flags().StringP(\"format\", \"f\", \"\", \"Format the output using the given Go template, e.g, '{{json .}}'\")\n\tcmd.RegisterFlagCompletionFunc(\"format\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"json\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\n\t// #region platform flags\n\tcmd.Flags().String(\"platform\", \"\", \"Inspect a specific platform\") // not a slice, and there is no --all-platforms\n\tcmd.RegisterFlagCompletionFunc(\"platform\", completion.Platforms)\n\t// #endregion\n\n\treturn cmd\n}\n\nfunc InspectOptions(cmd *cobra.Command, platform *string) (types.ImageInspectOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ImageInspectOptions{}, err\n\t}\n\tmode, err := cmd.Flags().GetString(\"mode\")\n\tif err != nil {\n\t\treturn types.ImageInspectOptions{}, err\n\t}\n\tformat, err := cmd.Flags().GetString(\"format\")\n\tif err != nil {\n\t\treturn types.ImageInspectOptions{}, err\n\t}\n\tif platform == nil {\n\t\ttempPlatform, err := cmd.Flags().GetString(\"platform\")\n\t\tif err != nil {\n\t\t\treturn types.ImageInspectOptions{}, err\n\t\t}\n\t\tplatform = &tempPlatform\n\t}\n\treturn types.ImageInspectOptions{\n\t\tGOptions: globalOptions,\n\t\tMode: mode,\n\t\tFormat: format,\n\t\tPlatform: *platform,\n\t\tStdout: cmd.OutOrStdout(),\n\t}, nil\n}\n\nfunc imageInspectAction(cmd *cobra.Command, args []string) error {\n\toptions, err := InspectOptions(cmd, nil)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t// Verify we have a valid mode\n\tif options.Mode != \"native\" && options.Mode != \"dockercompat\" {\n\t\treturn fmt.Errorf(\"unknown mode %q\", options.Mode)\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClientWithPlatform(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address, options.Platform)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\tentries, err := image.Inspect(ctx, client, args, options)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t// Display\n\tif len(entries) > 0 {\n\t\tif formatErr := formatter.FormatSlice(options.Format, options.Stdout, entries); formatErr != nil {\n\t\t\tlog.G(ctx).Error(formatErr)\n\t\t}\n\t}\n\treturn err\n}\n\nfunc imageInspectShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t// show image names\n\treturn completion.ImageNames(cmd)\n}\n" }, { "path": "cmd/nerdctl/image/image_inspect_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"runtime\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/inspecttypes/dockercompat\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestImageInspectSimpleCases(t *testing.T) {\n\tnerdtest.Setup()\n\n\ttestCase := &test.Case{\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.CommonImage)\n\t\t},\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"Contains some stuff\",\n\t\t\t\tCommand: test.Command(\"image\", \"inspect\", testutil.CommonImage),\n\t\t\t\tExpected: test.Expects(0, nil, func(stdout string, t tig.T) {\n\t\t\t\t\tvar dc []dockercompat.Image\n\t\t\t\t\terr := json.Unmarshal([]byte(stdout), &dc)\n\t\t\t\t\tassert.NilError(t, err, \"Unable to unmarshal output\\n\")\n\t\t\t\t\tassert.Equal(t, 1, len(dc), \"Unexpectedly got multiple results\\n\")\n\t\t\t\t\tassert.Assert(t, len(dc[0].RootFS.Layers) > 0, \"there should be at least one rootfs layer\\n\")\n\t\t\t\t\tassert.Assert(t, dc[0].Architecture != \"\", \"architecture should be set\\n\")\n\t\t\t\t\tassert.Assert(t, dc[0].Size > 0, \"size should be > 0 \\n\")\n\t\t\t\t}),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"RawFormat support (.Id)\",\n\t\t\t\tCommand: test.Command(\"image\", \"inspect\", testutil.CommonImage, \"--format\", \"{{.Id}}\"),\n\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"typedFormat support (.ID)\",\n\t\t\t\tCommand: test.Command(\"image\", \"inspect\", testutil.CommonImage, \"--format\", \"{{.ID}}\"),\n\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Config.Image field is set\",\n\t\t\t\tCommand: test.Command(\"image\", \"inspect\", testutil.CommonImage),\n\t\t\t\tExpected: test.Expects(0, nil, func(stdout string, t tig.T) {\n\t\t\t\t\tvar dc []dockercompat.Image\n\t\t\t\t\terr := json.Unmarshal([]byte(stdout), &dc)\n\t\t\t\t\tassert.NilError(t, err, \"Unable to unmarshal output\\n\")\n\t\t\t\t\tassert.Equal(t, 1, len(dc), \"Unexpectedly got multiple results\\n\")\n\t\t\t\t\tassert.Assert(t, dc[0].Config != nil, \"image Config should not be nil\")\n\t\t\t\t\tassert.Assert(t, dc[0].Config.Image != \"\", \"Config.Image should not be empty\")\n\t\t\t\t}),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Error for image not found\",\n\t\t\t\tCommand: test.Command(\"image\", \"inspect\", \"dne:latest\", \"dne2:latest\"),\n\t\t\t\tExpected: test.Expects(1, []error{\n\t\t\t\t\terrors.New(\"no such image: dne:latest\"),\n\t\t\t\t\terrors.New(\"no such image: dne2:latest\"),\n\t\t\t\t}, nil),\n\t\t\t},\n\t\t},\n\t}\n\n\tif runtime.GOOS == \"windows\" {\n\t\ttestCase.Require = nerdtest.IsFlaky(\"https://github.com/containerd/nerdctl/issues/3524\")\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestImageInspectDifferentValidReferencesForTheSameImage(t *testing.T) {\n\tnerdtest.Setup()\n\n\ttags := []string{\n\t\t\"\",\n\t\t\":latest\",\n\t}\n\tnames := []string{\n\t\t\"busybox\",\n\t\t\"docker.io/library/busybox\",\n\t\t\"registry-1.docker.io/library/busybox\",\n\t}\n\n\ttestCase := &test.Case{\n\t\tRequire: require.All(\n\t\t\trequire.Not(nerdtest.Docker),\n\t\t\t// FIXME: this test depends on hub images that do not have windows versions\n\t\t\trequire.Not(require.Windows),\n\t\t\t// We need a clean slate\n\t\t\tnerdtest.Private,\n\t\t),\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Ensure(\"pull\", \"--quiet\", \"alpine\")\n\t\t\thelpers.Ensure(\"pull\", \"--quiet\", \"busybox\")\n\t\t\thelpers.Ensure(\"pull\", \"--quiet\", \"registry-1.docker.io/library/busybox\")\n\t\t},\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"name and tags +/- sha combinations\",\n\t\t\t\tCommand: test.Command(\"image\", \"inspect\", \"busybox\"),\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\tvar dc []dockercompat.Image\n\t\t\t\t\t\t\terr := json.Unmarshal([]byte(stdout), &dc)\n\t\t\t\t\t\t\tassert.NilError(t, err, \"Unable to unmarshal output\\n\")\n\t\t\t\t\t\t\tassert.Equal(t, 1, len(dc), \"Unexpectedly got multiple results\\n\")\n\t\t\t\t\t\t\treference := dc[0].ID\n\t\t\t\t\t\t\tsha := strings.TrimPrefix(dc[0].RepoDigests[0], \"busybox@sha256:\")\n\n\t\t\t\t\t\t\tfor _, name := range names {\n\t\t\t\t\t\t\t\tfor _, tag := range tags {\n\t\t\t\t\t\t\t\t\tit := nerdtest.InspectImage(helpers, name+tag)\n\t\t\t\t\t\t\t\t\tassert.Equal(t, it.ID, reference)\n\t\t\t\t\t\t\t\t\tit = nerdtest.InspectImage(helpers, name+tag+\"@sha256:\"+sha)\n\t\t\t\t\t\t\t\t\tassert.Equal(t, it.ID, reference)\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t},\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"by digest, short or long, with or without prefix\",\n\t\t\t\tCommand: test.Command(\"image\", \"inspect\", \"busybox\"),\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\tvar dc []dockercompat.Image\n\t\t\t\t\t\t\terr := json.Unmarshal([]byte(stdout), &dc)\n\t\t\t\t\t\t\tassert.NilError(t, err, \"Unable to unmarshal output\\n\")\n\t\t\t\t\t\t\tassert.Equal(t, 1, len(dc), \"Unexpectedly got multiple results\\n\")\n\t\t\t\t\t\t\treference := dc[0].ID\n\t\t\t\t\t\t\tsha := strings.TrimPrefix(dc[0].RepoDigests[0], \"busybox@sha256:\")\n\n\t\t\t\t\t\t\tfor _, id := range []string{\"sha256:\" + sha, sha, sha[0:8], \"sha256:\" + sha[0:8]} {\n\t\t\t\t\t\t\t\tit := nerdtest.InspectImage(helpers, id)\n\t\t\t\t\t\t\t\tassert.Equal(t, it.ID, reference)\n\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t// Now, tag alpine with a short id\n\t\t\t\t\t\t\t// Build reference values for comparison\n\t\t\t\t\t\t\talpine := nerdtest.InspectImage(helpers, \"alpine\")\n\n\t\t\t\t\t\t\t// Demonstrate image name precedence over digest lookup\n\t\t\t\t\t\t\t// Using the shortened sha should no longer get busybox, but rather the newly tagged Alpine\n\t\t\t\t\t\t\t// FIXME: this is triggering https://github.com/containerd/nerdctl/issues/3016\n\t\t\t\t\t\t\t// We cannot get rid of that image now, which does break local testing\n\t\t\t\t\t\t\thelpers.Ensure(\"tag\", \"alpine\", sha[0:8])\n\t\t\t\t\t\t\tit := nerdtest.InspectImage(helpers, sha[0:8])\n\t\t\t\t\t\t\tassert.Equal(t, it.ID, alpine.ID)\n\t\t\t\t\t\t},\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"prove that wrong references with correct digest do not get resolved\",\n\t\t\t\tCommand: test.Command(\"image\", \"inspect\", \"busybox\"),\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\tvar dc []dockercompat.Image\n\t\t\t\t\t\t\terr := json.Unmarshal([]byte(stdout), &dc)\n\t\t\t\t\t\t\tassert.NilError(t, err, \"Unable to unmarshal output\\n\")\n\t\t\t\t\t\t\tassert.Equal(t, 1, len(dc), \"Unexpectedly got multiple results\\n\")\n\t\t\t\t\t\t\tsha := strings.TrimPrefix(dc[0].RepoDigests[0], \"busybox@sha256:\")\n\n\t\t\t\t\t\t\tfor _, id := range []string{\"doesnotexist\", \"doesnotexist:either\", \"busybox:bogustag\"} {\n\t\t\t\t\t\t\t\tcmd := helpers.Command(\"image\", \"inspect\", id+\"@sha256:\"+sha)\n\t\t\t\t\t\t\t\tcmd.Run(&test.Expected{\n\t\t\t\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t\t\t\t\tErrors: []error{fmt.Errorf(\"no such image: %s@sha256:%s\", id, sha)},\n\t\t\t\t\t\t\t\t})\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t},\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"prove that invalid reference return no result without crashing\",\n\t\t\t\tCommand: test.Command(\"image\", \"inspect\", \"busybox\"),\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\tvar dc []dockercompat.Image\n\t\t\t\t\t\t\terr := json.Unmarshal([]byte(stdout), &dc)\n\t\t\t\t\t\t\tassert.NilError(t, err, \"Unable to unmarshal output\\n\")\n\t\t\t\t\t\t\tassert.Equal(t, 1, len(dc), \"Unexpectedly got multiple results\\n\")\n\n\t\t\t\t\t\t\tfor _, id := range []string{\"∞∞∞∞∞∞∞∞∞∞\", \"busybox:∞∞∞∞∞∞∞∞∞∞\"} {\n\t\t\t\t\t\t\t\tcmd := helpers.Command(\"image\", \"inspect\", id)\n\t\t\t\t\t\t\t\tcmd.Run(&test.Expected{\n\t\t\t\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t\t\t\t\tErrors: []error{fmt.Errorf(\"invalid reference format: %s\", id)},\n\t\t\t\t\t\t\t\t})\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t},\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"retrieving multiple entries at once\",\n\t\t\t\tCommand: test.Command(\"image\", \"inspect\", \"busybox\", \"busybox\"),\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\tvar dc []dockercompat.Image\n\t\t\t\t\t\t\terr := json.Unmarshal([]byte(stdout), &dc)\n\t\t\t\t\t\t\tassert.NilError(t, err, \"Unable to unmarshal output\\n\")\n\t\t\t\t\t\t\tassert.Equal(t, 2, len(dc), \"Unexpectedly did not get 2 results\\n\")\n\t\t\t\t\t\t\treference := nerdtest.InspectImage(helpers, \"busybox\")\n\t\t\t\t\t\t\tassert.Equal(t, dc[0].ID, reference.ID)\n\t\t\t\t\t\t\tassert.Equal(t, dc[1].ID, reference.ID)\n\t\t\t\t\t\t},\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/image/image_list.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/image\"\n\t\"github.com/containerd/nerdctl/v2/pkg/referenceutil\"\n)\n\nfunc ImagesCommand() *cobra.Command {\n\tshortHelp := \"List images\"\n\tlongHelp := shortHelp + `\n\nProperties:\n- REPOSITORY: Repository\n- TAG: Tag\n- NAME: Name of the image, --names for skip parsing as repository and tag.\n- IMAGE ID: OCI Digest. Usually different from Docker image ID. Shared for multi-platform images.\n- CREATED: Created time\n- PLATFORM: Platform\n- SIZE: Size of the unpacked snapshots\n- BLOB SIZE: Size of the blobs (such as layer tarballs) in the content store\n`\n\tvar cmd = &cobra.Command{\n\t\tUse: \"images [flags] [REPOSITORY[:TAG]]\",\n\t\tShort: shortHelp,\n\t\tLong: longHelp,\n\t\tArgs: cobra.MaximumNArgs(1),\n\t\tRunE: imagesAction,\n\t\tValidArgsFunction: imagesShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t\tDisableFlagsInUseLine: true,\n\t}\n\n\tcmd.Flags().BoolP(\"quiet\", \"q\", false, \"Only show numeric IDs\")\n\tcmd.Flags().Bool(\"no-trunc\", false, \"Don't truncate output\")\n\t// Alias \"-f\" is reserved for \"--filter\"\n\tcmd.Flags().String(\"format\", \"\", \"Format the output using the given Go template, e.g, '{{json .}}', 'wide'\")\n\tcmd.Flags().StringSliceP(\"filter\", \"f\", []string{}, \"Filter output based on conditions provided\")\n\tcmd.RegisterFlagCompletionFunc(\"format\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"json\", \"table\", \"wide\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\tcmd.Flags().Bool(\"digests\", false, \"Show digests (compatible with Docker, unlike ID)\")\n\tcmd.Flags().Bool(\"names\", false, \"Show image names\")\n\tcmd.Flags().BoolP(\"all\", \"a\", true, \"(unimplemented yet, always true)\")\n\n\treturn cmd\n}\n\nfunc listOptions(cmd *cobra.Command, args []string) (*types.ImageListOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tvar filters []string\n\tif len(args) > 0 {\n\t\tparsedReference, err := referenceutil.Parse(args[0])\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tfilters = []string{fmt.Sprintf(\"name==%s\", parsedReference)}\n\t}\n\tquiet, err := cmd.Flags().GetBool(\"quiet\")\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tnoTrunc, err := cmd.Flags().GetBool(\"no-trunc\")\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tformat, err := cmd.Flags().GetString(\"format\")\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tvar inputFilters []string\n\tif cmd.Flags().Changed(\"filter\") {\n\t\tinputFilters, err = cmd.Flags().GetStringSlice(\"filter\")\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t}\n\tdigests, err := cmd.Flags().GetBool(\"digests\")\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tnames, err := cmd.Flags().GetBool(\"names\")\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn &types.ImageListOptions{\n\t\tGOptions: globalOptions,\n\t\tQuiet: quiet,\n\t\tNoTrunc: noTrunc,\n\t\tFormat: format,\n\t\tFilters: inputFilters,\n\t\tNameAndRefFilter: filters,\n\t\tDigests: digests,\n\t\tNames: names,\n\t\tAll: true,\n\t\tStdout: cmd.OutOrStdout(),\n\t}, nil\n\n}\n\nfunc imagesAction(cmd *cobra.Command, args []string) error {\n\toptions, err := listOptions(cmd, args)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif !options.All {\n\t\toptions.All = true\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn image.ListCommandHandler(ctx, client, options)\n}\n\nfunc imagesShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\tif len(args) == 0 {\n\t\t// show image names\n\t\treturn completion.ImageNames(cmd)\n\t}\n\treturn nil, cobra.ShellCompDirectiveNoFileComp\n}\n" }, { "path": "cmd/nerdctl/image/image_list_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"regexp\"\n\t\"runtime\"\n\t\"slices\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/referenceutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/tabutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestImages(t *testing.T) {\n\tnerdtest.Setup()\n\n\tcommonImage, _ := referenceutil.Parse(testutil.CommonImage)\n\n\ttestCase := &test.Case{\n\t\tRequire: require.Not(nerdtest.Docker),\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Ensure(\"pull\", \"--quiet\", commonImage.String())\n\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.NginxAlpineImage)\n\t\t},\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"No params\",\n\t\t\t\tCommand: test.Command(\"images\"),\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\t\t\t\t\tassert.Assert(t, len(lines) >= 2, \"there should be at least two lines\\n\")\n\t\t\t\t\t\t\theader := \"REPOSITORY\\tTAG\\tIMAGE ID\\tCREATED\\tPLATFORM\\tSIZE\\tBLOB SIZE\"\n\t\t\t\t\t\t\tif nerdtest.IsDocker() {\n\t\t\t\t\t\t\t\theader = \"REPOSITORY\\tTAG\\tIMAGE ID\\tCREATED\\tSIZE\"\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\ttab := tabutil.NewReader(header)\n\t\t\t\t\t\t\terr := tab.ParseHeader(lines[0])\n\t\t\t\t\t\t\tassert.NilError(t, err, \"ParseHeader should not fail\\n\")\n\t\t\t\t\t\t\tfound := false\n\t\t\t\t\t\t\tfor _, line := range lines[1:] {\n\t\t\t\t\t\t\t\trepo, _ := tab.ReadRow(line, \"REPOSITORY\")\n\t\t\t\t\t\t\t\ttag, _ := tab.ReadRow(line, \"TAG\")\n\t\t\t\t\t\t\t\tif repo+\":\"+tag == commonImage.FamiliarName()+\":\"+commonImage.Tag {\n\t\t\t\t\t\t\t\t\tfound = true\n\t\t\t\t\t\t\t\t\tbreak\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tassert.Assert(t, found, \"we should have found an image\\n\")\n\t\t\t\t\t\t},\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"With names\",\n\t\t\t\tCommand: test.Command(\"images\", \"--names\", commonImage.String()),\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\t\texpect.Contains(commonImage.String()),\n\t\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\t\t\t\t\t\tassert.Assert(t, len(lines) >= 2, \"there should be at least two lines\\n\")\n\t\t\t\t\t\t\t\ttab := tabutil.NewReader(\"NAME\\tIMAGE ID\\tCREATED\\tPLATFORM\\tSIZE\\tBLOB SIZE\")\n\t\t\t\t\t\t\t\terr := tab.ParseHeader(lines[0])\n\t\t\t\t\t\t\t\tassert.NilError(t, err, \"ParseHeader should not fail\\n\")\n\t\t\t\t\t\t\t\tfound := false\n\t\t\t\t\t\t\t\tfor _, line := range lines[1:] {\n\t\t\t\t\t\t\t\t\tname, _ := tab.ReadRow(line, \"NAME\")\n\t\t\t\t\t\t\t\t\tif name == commonImage.String() {\n\t\t\t\t\t\t\t\t\t\tfound = true\n\t\t\t\t\t\t\t\t\t\tbreak\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\tassert.Assert(t, found, \"we should have found an image\\n\")\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t),\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"CheckCreatedTime\",\n\t\t\t\tCommand: test.Command(\"images\", \"--format\", \"'{{json .CreatedAt}}'\"),\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\t\t\t\t\tassert.Assert(t, len(lines) >= 2, \"there should be at least two lines\\n\")\n\t\t\t\t\t\t\tcreatedTimes := lines\n\t\t\t\t\t\t\tslices.Reverse(createdTimes)\n\t\t\t\t\t\t\tassert.Assert(t, slices.IsSorted(createdTimes), \"created times should be sorted\\n\")\n\t\t\t\t\t\t},\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\tif runtime.GOOS == \"windows\" {\n\t\ttestCase.Require = require.All(\n\t\t\ttestCase.Require,\n\t\t\tnerdtest.IsFlaky(\"https://github.com/containerd/nerdctl/issues/3524\"),\n\t\t)\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestImagesFilter(t *testing.T) {\n\tnerdtest.Setup()\n\n\tcommonImage, _ := referenceutil.Parse(testutil.CommonImage)\n\n\ttestCase := &test.Case{\n\t\tRequire: nerdtest.Build,\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Ensure(\"pull\", \"--quiet\", commonImage.String())\n\t\t\thelpers.Ensure(\"tag\", commonImage.String(), \"taggedimage:one-fragment-one\")\n\t\t\thelpers.Ensure(\"tag\", commonImage.String(), \"taggedimage:two-fragment-two\")\n\n\t\t\tdockerfile := fmt.Sprintf(`FROM %s\nCMD [\"echo\", \"nerdctl-build-test-string\"] \\n\nLABEL foo=bar\nLABEL version=0.1\nRUN echo \"actually creating a layer so that docker sets the createdAt time\"\n`, commonImage.String())\n\t\t\tbuildCtx := data.Temp().Path()\n\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\tdata.Labels().Set(\"buildCtx\", buildCtx)\n\t\t},\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", \"taggedimage:one-fragment-one\")\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", \"taggedimage:two-fragment-two\")\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\tdata.Labels().Set(\"builtImageID\", data.Identifier())\n\t\t\treturn helpers.Command(\"build\", \"-t\", data.Identifier(), data.Labels().Get(\"buildCtx\"))\n\t\t},\n\t\tExpected: test.Expects(0, nil, nil),\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"label=foo=bar\",\n\t\t\t\tCommand: test.Command(\"images\", \"--filter\", \"label=foo=bar\"),\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: expect.Contains(data.Labels().Get(\"builtImageID\")),\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"label=foo=bar1\",\n\t\t\t\tCommand: test.Command(\"images\", \"--filter\", \"label=foo=bar1\"),\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: expect.DoesNotContain(data.Labels().Get(\"builtImageID\")),\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"label=foo=bar label=version=0.1\",\n\t\t\t\tCommand: test.Command(\"images\", \"--filter\", \"label=foo=bar\", \"--filter\", \"label=version=0.1\"),\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: expect.Contains(data.Labels().Get(\"builtImageID\")),\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"label=foo=bar label=version=0.2\",\n\t\t\t\tCommand: test.Command(\"images\", \"--filter\", \"label=foo=bar\", \"--filter\", \"label=version=0.2\"),\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: expect.DoesNotContain(data.Labels().Get(\"builtImageID\")),\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"label=version\",\n\t\t\t\tCommand: test.Command(\"images\", \"--filter\", \"label=version\"),\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: expect.Contains(data.Labels().Get(\"builtImageID\")),\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"reference=ID*\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"images\", \"--filter\", fmt.Sprintf(\"reference=%s*\", data.Labels().Get(\"builtImageID\")))\n\t\t\t\t},\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: expect.Contains(data.Labels().Get(\"builtImageID\")),\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"reference=tagged*:*fragment*\",\n\t\t\t\tCommand: test.Command(\"images\", \"--filter\", \"reference=tagged*:*fragment*\"),\n\t\t\t\tExpected: test.Expects(\n\t\t\t\t\t0,\n\t\t\t\t\tnil,\n\t\t\t\t\texpect.Contains(\"one-\", \"two-\"),\n\t\t\t\t),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"before=ID:latest\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"images\", \"--filter\", fmt.Sprintf(\"before=%s:latest\", data.Labels().Get(\"builtImageID\")))\n\t\t\t\t},\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\t\texpect.Contains(commonImage.FamiliarName(), commonImage.Tag),\n\t\t\t\t\t\t\texpect.DoesNotContain(data.Labels().Get(\"builtImageID\")),\n\t\t\t\t\t\t),\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"since=\" + commonImage.String(),\n\t\t\t\tCommand: test.Command(\"images\", \"--filter\", fmt.Sprintf(\"since=%s\", commonImage.String())),\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\t\texpect.Contains(data.Labels().Get(\"builtImageID\")),\n\t\t\t\t\t\t\texpect.DoesNotMatch(regexp.MustCompile(commonImage.FamiliarName()+\"[\\\\s]+\"+commonImage.Tag)),\n\t\t\t\t\t\t),\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"since=\" + commonImage.String() + \" \" + commonImage.String(),\n\t\t\t\tCommand: test.Command(\"images\", \"--filter\", fmt.Sprintf(\"since=%s\", commonImage.String()), commonImage.String()),\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\t\texpect.DoesNotContain(data.Labels().Get(\"builtImageID\")),\n\t\t\t\t\t\t\texpect.DoesNotMatch(regexp.MustCompile(commonImage.FamiliarName()+\"[\\\\s]+\"+commonImage.Tag)),\n\t\t\t\t\t\t),\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"since=non-exists-image\",\n\t\t\t\tCommand: test.Command(\"images\", \"--filter\", \"since=non-exists-image\"),\n\t\t\t\tExpected: test.Expects(expect.ExitCodeGenericFail, []error{errors.New(\"no such image: \")}, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"before=non-exists-image\",\n\t\t\t\tCommand: test.Command(\"images\", \"--filter\", \"before=non-exists-image\"),\n\t\t\t\tExpected: test.Expects(expect.ExitCodeGenericFail, []error{errors.New(\"no such image: \")}, nil),\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestImagesFilterDangling(t *testing.T) {\n\tnerdtest.Setup()\n\n\ttestCase := &test.Case{\n\t\tDescription: \"TestImagesFilterDangling\",\n\t\t// This test relies on a clean slate and the ability to GC everything\n\t\tNoParallel: true,\n\t\tRequire: nerdtest.Build,\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdockerfile := fmt.Sprintf(`FROM %s\nCMD [\"echo\", \"nerdctl-build-notag-string\"]\n\t`, testutil.CommonImage)\n\t\t\tbuildCtx := data.Temp().Path()\n\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\tdata.Labels().Set(\"buildCtx\", buildCtx)\n\t\t},\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"container\", \"prune\", \"-f\")\n\t\t\thelpers.Anyhow(\"image\", \"prune\", \"--all\", \"-f\")\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"build\", data.Labels().Get(\"buildCtx\"))\n\t\t},\n\t\tExpected: test.Expects(0, nil, nil),\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"dangling\",\n\t\t\t\tCommand: test.Command(\"images\", \"--filter\", \"dangling=true\"),\n\t\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"\")),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"not dangling\",\n\t\t\t\tCommand: test.Command(\"images\", \"--filter\", \"dangling=false\"),\n\t\t\t\tExpected: test.Expects(0, nil, expect.DoesNotContain(\"\")),\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestImagesKubeWithKubeHideDupe(t *testing.T) {\n\tnerdtest.Setup()\n\n\ttestCase := &test.Case{\n\t\tRequire: require.All(\n\t\t\tnerdtest.OnlyKubernetes,\n\t\t),\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.BusyboxImage)\n\t\t},\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"The same imageID will not print no-repo:tag in k8s.io with kube-hide-dupe\",\n\t\t\t\tCommand: test.Command(\"--kube-hide-dupe\", \"images\"),\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\tvar imageID string\n\t\t\t\t\t\t\tvar skipLine int\n\t\t\t\t\t\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\t\t\t\t\theader := \"REPOSITORY\\tTAG\\tIMAGE ID\\tCREATED\\tPLATFORM\\tSIZE\\tBLOB SIZE\"\n\t\t\t\t\t\t\tif nerdtest.IsDocker() {\n\t\t\t\t\t\t\t\theader = \"REPOSITORY\\tTAG\\tIMAGE ID\\tCREATED\\tSIZE\"\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\ttab := tabutil.NewReader(header)\n\t\t\t\t\t\t\terr := tab.ParseHeader(lines[0])\n\t\t\t\t\t\t\tassert.NilError(t, err, \"ParseHeader should not fail\\n\")\n\t\t\t\t\t\t\tfound := true\n\t\t\t\t\t\t\tfor i, line := range lines[1:] {\n\t\t\t\t\t\t\t\trepo, _ := tab.ReadRow(line, \"REPOSITORY\")\n\t\t\t\t\t\t\t\ttag, _ := tab.ReadRow(line, \"TAG\")\n\t\t\t\t\t\t\t\tif repo+\":\"+tag == testutil.BusyboxImage {\n\t\t\t\t\t\t\t\t\tskipLine = i\n\t\t\t\t\t\t\t\t\timageID, _ = tab.ReadRow(line, \"IMAGE ID\")\n\t\t\t\t\t\t\t\t\tbreak\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tfor i, line := range lines[1:] {\n\t\t\t\t\t\t\t\tif i == skipLine {\n\t\t\t\t\t\t\t\t\tcontinue\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\tid, _ := tab.ReadRow(line, \"IMAGE ID\")\n\t\t\t\t\t\t\t\tif id == imageID {\n\t\t\t\t\t\t\t\t\tfound = false\n\t\t\t\t\t\t\t\t\tbreak\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tassert.Assert(t, found, \"We should have found the image\\n\")\n\t\t\t\t\t\t},\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"the same imageId will print no-repo:tag in k8s.io without kube-hide-dupe\",\n\t\t\t\tCommand: test.Command(\"images\"),\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: expect.Contains(\"\"),\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/image/image_load.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/imgutil/load\"\n)\n\nfunc LoadCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"load\",\n\t\tArgs: cobra.NoArgs,\n\t\tShort: \"Load an image from a tar archive or STDIN\",\n\t\tLong: \"Supports both Docker Image Spec v1.2 and OCI Image Spec v1.0.\",\n\t\tRunE: loadAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\n\tcmd.Flags().StringP(\"input\", \"i\", \"\", \"Read from tar archive file, instead of STDIN\")\n\tcmd.Flags().BoolP(\"quiet\", \"q\", false, \"Suppress the load output\")\n\n\t// #region platform flags\n\t// platform is defined as StringSlice, not StringArray, to allow specifying \"--platform=amd64,arm64\"\n\tcmd.Flags().StringSlice(\"platform\", []string{}, \"Import content for a specific platform\")\n\tcmd.RegisterFlagCompletionFunc(\"platform\", completion.Platforms)\n\tcmd.Flags().Bool(\"all-platforms\", false, \"Import content for all platforms\")\n\t// #endregion\n\n\treturn cmd\n}\n\nfunc processLoadCommandFlags(cmd *cobra.Command) (types.ImageLoadOptions, error) {\n\tinput, err := cmd.Flags().GetString(\"input\")\n\tif err != nil {\n\t\treturn types.ImageLoadOptions{}, err\n\t}\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ImageLoadOptions{}, err\n\t}\n\tallPlatforms, err := cmd.Flags().GetBool(\"all-platforms\")\n\tif err != nil {\n\t\treturn types.ImageLoadOptions{}, err\n\t}\n\tplatform, err := cmd.Flags().GetStringSlice(\"platform\")\n\tif err != nil {\n\t\treturn types.ImageLoadOptions{}, err\n\t}\n\tquiet, err := cmd.Flags().GetBool(\"quiet\")\n\tif err != nil {\n\t\treturn types.ImageLoadOptions{}, err\n\t}\n\treturn types.ImageLoadOptions{\n\t\tGOptions: globalOptions,\n\t\tInput: input,\n\t\tPlatform: platform,\n\t\tAllPlatforms: allPlatforms,\n\t\tStdout: cmd.OutOrStdout(),\n\t\tStdin: cmd.InOrStdin(),\n\t\tQuiet: quiet,\n\t}, nil\n}\n\nfunc loadAction(cmd *cobra.Command, _ []string) error {\n\toptions, err := processLoadCommandFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\t_, err = load.FromArchive(ctx, client, options)\n\treturn err\n}\n" }, { "path": "cmd/nerdctl/image/image_load_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestLoadStdinFromPipe(t *testing.T) {\n\tnerdtest.Setup()\n\n\ttestCase := &test.Case{\n\t\tDescription: \"TestLoadStdinFromPipe\",\n\t\tRequire: require.Linux,\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tidentifier := data.Identifier()\n\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.CommonImage)\n\t\t\thelpers.Ensure(\"tag\", testutil.CommonImage, identifier)\n\t\t\thelpers.Ensure(\"save\", identifier, \"-o\", filepath.Join(data.Temp().Path(), \"common.tar\"))\n\t\t\thelpers.Ensure(\"rmi\", \"-f\", identifier)\n\t\t},\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\tcmd := helpers.Command(\"load\")\n\t\t\treader, err := os.Open(filepath.Join(data.Temp().Path(), \"common.tar\"))\n\t\t\tassert.NilError(t, err, \"failed to open common.tar\")\n\t\t\tcmd.Feed(reader)\n\t\t\treturn cmd\n\t\t},\n\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\tidentifier := data.Identifier()\n\t\t\treturn &test.Expected{\n\t\t\t\tOutput: expect.All(\n\t\t\t\t\texpect.Contains(identifier),\n\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\tassert.Assert(t, strings.Contains(helpers.Capture(\"images\"), identifier))\n\t\t\t\t\t},\n\t\t\t\t),\n\t\t\t}\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestLoadStdinEmpty(t *testing.T) {\n\tnerdtest.Setup()\n\n\ttestCase := &test.Case{\n\t\tDescription: \"TestLoadStdinEmpty\",\n\t\tRequire: require.Linux,\n\t\tCommand: test.Command(\"load\"),\n\t\tExpected: test.Expects(1, nil, nil),\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestLoadQuiet(t *testing.T) {\n\tnerdtest.Setup()\n\n\ttestCase := &test.Case{\n\t\tDescription: \"TestLoadQuiet\",\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tidentifier := data.Identifier()\n\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.CommonImage)\n\t\t\thelpers.Ensure(\"tag\", testutil.CommonImage, identifier)\n\t\t\thelpers.Ensure(\"save\", identifier, \"-o\", filepath.Join(data.Temp().Path(), \"common.tar\"))\n\t\t\thelpers.Ensure(\"rmi\", \"-f\", identifier)\n\t\t},\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"load\", \"--quiet\", \"--input\", filepath.Join(data.Temp().Path(), \"common.tar\"))\n\t\t},\n\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\treturn &test.Expected{\n\t\t\t\tOutput: expect.All(\n\t\t\t\t\texpect.Contains(data.Identifier()),\n\t\t\t\t\texpect.DoesNotContain(\"Loading layer\"),\n\t\t\t\t),\n\t\t\t}\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/image/image_prune.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/image\"\n)\n\nfunc pruneCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"prune [flags]\",\n\t\tShort: \"Remove unused images\",\n\t\tArgs: cobra.NoArgs,\n\t\tRunE: imagePruneAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\n\tcmd.Flags().BoolP(\"all\", \"a\", false, \"Remove all unused images, not just dangling ones\")\n\tcmd.Flags().StringSlice(\"filter\", []string{}, \"Filter output based on conditions provided\")\n\tcmd.Flags().BoolP(\"force\", \"f\", false, \"Do not prompt for confirmation\")\n\treturn cmd\n}\n\nfunc pruneOptions(cmd *cobra.Command) (types.ImagePruneOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ImagePruneOptions{}, err\n\t}\n\tall, err := cmd.Flags().GetBool(\"all\")\n\tif err != nil {\n\t\treturn types.ImagePruneOptions{}, err\n\t}\n\n\tvar filters []string\n\tif cmd.Flags().Changed(\"filter\") {\n\t\tfilters, err = cmd.Flags().GetStringSlice(\"filter\")\n\t\tif err != nil {\n\t\t\treturn types.ImagePruneOptions{}, err\n\t\t}\n\t}\n\n\tforce, err := cmd.Flags().GetBool(\"force\")\n\tif err != nil {\n\t\treturn types.ImagePruneOptions{}, err\n\t}\n\n\treturn types.ImagePruneOptions{\n\t\tStdout: cmd.OutOrStdout(),\n\t\tGOptions: globalOptions,\n\t\tAll: all,\n\t\tFilters: filters,\n\t\tForce: force,\n\t}, err\n}\n\nfunc imagePruneAction(cmd *cobra.Command, _ []string) error {\n\toptions, err := pruneOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif !options.Force {\n\t\tvar msg string\n\t\tif !options.All {\n\t\t\tmsg = \"This will remove all dangling images.\"\n\t\t} else {\n\t\t\tmsg = \"This will remove all images without at least one container associated to them.\"\n\t\t}\n\n\t\tif confirmed, err := helpers.Confirm(cmd, fmt.Sprintf(\"WARNING! %s.\", msg)); err != nil || !confirmed {\n\t\t\treturn err\n\t\t}\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn image.Prune(ctx, client, options)\n}\n" }, { "path": "cmd/nerdctl/image/image_prune_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"fmt\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestImagePrune(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\t// Cannot use a custom namespace with buildkitd right now, so, no parallel it is\n\ttestCase.NoParallel = true\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\t// Stop and remove all running containers. This is to ensure we can remove all\n\t\tcontList := strings.TrimSpace(helpers.Capture(\"ps\", \"-aq\"))\n\t\tif contList != \"\" {\n\t\t\thelpers.Ensure(append([]string{\"rm\", \"-f\"}, strings.Split(contList, \"\\n\")...)...)\n\t\t}\n\n\t\t// We need to delete everything here for prune to make any sense\n\t\timgList := strings.TrimSpace(helpers.Capture(\"images\", \"--no-trunc\", \"-aq\"))\n\t\tif imgList != \"\" {\n\t\t\thelpers.Ensure(append([]string{\"rmi\", \"-f\"}, strings.Split(imgList, \"\\n\")...)...)\n\t\t}\n\t}\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"without all\",\n\t\t\tNoParallel: true,\n\t\t\tRequire: require.All(\n\t\t\t\t// This never worked with Docker - the only reason we ever got was side effects from other tests\n\t\t\t\t// See inline comments.\n\t\t\t\trequire.Not(nerdtest.Docker),\n\t\t\t\tnerdtest.Build,\n\t\t\t),\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tidentifier := data.Identifier()\n\t\t\t\tdockerfile := fmt.Sprintf(`FROM %s\n\t\t\t\tCMD [\"echo\", \"nerdctl-test-image-prune\"]\n\t\t\t\t\t`, testutil.CommonImage)\n\n\t\t\t\tbuildCtx := data.Temp().Path()\n\t\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\t\thelpers.Ensure(\"build\", buildCtx)\n\t\t\t\t// After we rebuild with tag, docker will no longer show the version from above\n\t\t\t\t// Swapping order does not change anything.\n\t\t\t\thelpers.Ensure(\"build\", \"-t\", identifier, buildCtx)\n\t\t\t\timgList := helpers.Capture(\"images\")\n\t\t\t\tassert.Assert(t, strings.Contains(imgList, \"\"), \"Missing \")\n\t\t\t\tassert.Assert(t, strings.Contains(imgList, identifier), \"Missing \"+identifier)\n\t\t\t},\n\t\t\tCommand: test.Command(\"image\", \"prune\", \"--force\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\tidentifier := data.Identifier()\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\tassert.Assert(t, !strings.Contains(stdout, identifier))\n\t\t\t\t\t\t},\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\timgList := helpers.Capture(\"images\")\n\t\t\t\t\t\t\tassert.Assert(t, !strings.Contains(imgList, \"\"), imgList)\n\t\t\t\t\t\t\tassert.Assert(t, strings.Contains(imgList, identifier))\n\t\t\t\t\t\t},\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"with all\",\n\t\t\tRequire: require.All(\n\t\t\t\t// Same as above\n\t\t\t\trequire.Not(nerdtest.Docker),\n\t\t\t\tnerdtest.Build,\n\t\t\t),\n\t\t\t// Cannot use a custom namespace with buildkitd right now, so, no parallel it is\n\t\t\tNoParallel: true,\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tidentifier := data.Identifier()\n\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", identifier)\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", identifier)\n\t\t\t},\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tidentifier := data.Identifier()\n\t\t\t\tdockerfile := fmt.Sprintf(`FROM %s\n\t\t\t\tCMD [\"echo\", \"nerdctl-test-image-prune\"]\n\t\t\t\t\t`, testutil.CommonImage)\n\n\t\t\t\tbuildCtx := data.Temp().Path()\n\t\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\t\thelpers.Ensure(\"build\", buildCtx)\n\t\t\t\thelpers.Ensure(\"build\", \"-t\", identifier, buildCtx)\n\t\t\t\timgList := helpers.Capture(\"images\")\n\t\t\t\tassert.Assert(t, strings.Contains(imgList, \"\"), \"Missing \")\n\t\t\t\tassert.Assert(t, strings.Contains(imgList, identifier), \"Missing \"+identifier)\n\t\t\t\thelpers.Ensure(\"run\", \"--name\", identifier, identifier)\n\t\t\t},\n\t\t\tCommand: test.Command(\"image\", \"prune\", \"--force\", \"--all\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\tassert.Assert(t, !strings.Contains(stdout, data.Identifier()))\n\t\t\t\t\t\t},\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\timgList := helpers.Capture(\"images\")\n\t\t\t\t\t\t\tassert.Assert(t, strings.Contains(imgList, data.Identifier()))\n\t\t\t\t\t\t\tassert.Assert(t, !strings.Contains(imgList, \"\"), imgList)\n\t\t\t\t\t\t\thelpers.Ensure(\"rm\", \"-f\", data.Identifier())\n\t\t\t\t\t\t\tremoved := helpers.Capture(\"image\", \"prune\", \"--force\", \"--all\")\n\t\t\t\t\t\t\tassert.Assert(t, strings.Contains(removed, data.Identifier()))\n\t\t\t\t\t\t\timgList = helpers.Capture(\"images\")\n\t\t\t\t\t\t\tassert.Assert(t, !strings.Contains(imgList, data.Identifier()))\n\t\t\t\t\t\t},\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"with filter label\",\n\t\t\tRequire: nerdtest.Build,\n\t\t\t// Cannot use a custom namespace with buildkitd right now, so, no parallel it is\n\t\t\tNoParallel: true,\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tdockerfile := fmt.Sprintf(`FROM %s\nCMD [\"echo\", \"nerdctl-test-image-prune-filter-label\"]\nLABEL foo=bar\nLABEL version=0.1`, testutil.CommonImage)\n\t\t\t\tbuildCtx := data.Temp().Path()\n\t\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\t\thelpers.Ensure(\"build\", \"-t\", data.Identifier(), buildCtx)\n\t\t\t\timgList := helpers.Capture(\"images\")\n\t\t\t\tassert.Assert(t, strings.Contains(imgList, data.Identifier()), \"Missing \"+data.Identifier())\n\t\t\t},\n\t\t\tCommand: test.Command(\"image\", \"prune\", \"--force\", \"--all\", \"--filter\", \"label=foo=baz\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\tassert.Assert(t, !strings.Contains(stdout, data.Identifier()))\n\t\t\t\t\t\t},\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\timgList := helpers.Capture(\"images\")\n\t\t\t\t\t\t\tassert.Assert(t, strings.Contains(imgList, data.Identifier()))\n\t\t\t\t\t\t},\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\tprune := helpers.Capture(\"image\", \"prune\", \"--force\", \"--all\", \"--filter\", \"label=foo=bar\")\n\t\t\t\t\t\t\tassert.Assert(t, strings.Contains(prune, data.Identifier()))\n\t\t\t\t\t\t\timgList := helpers.Capture(\"images\")\n\t\t\t\t\t\t\tassert.Assert(t, !strings.Contains(imgList, data.Identifier()))\n\t\t\t\t\t\t},\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"with until\",\n\t\t\tRequire: nerdtest.Build,\n\t\t\t// Cannot use a custom namespace with buildkitd right now, so, no parallel it is\n\t\t\tNoParallel: true,\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tdockerfile := fmt.Sprintf(`FROM %s\nRUN echo \"Anything, so that we create actual content for docker to set the current time for CreatedAt\"\nCMD [\"echo\", \"nerdctl-test-image-prune-until\"]`, testutil.CommonImage)\n\t\t\t\tbuildCtx := data.Temp().Path()\n\t\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\t\thelpers.Ensure(\"build\", \"-t\", data.Identifier(), buildCtx)\n\t\t\t\timgList := helpers.Capture(\"images\")\n\t\t\t\tassert.Assert(t, strings.Contains(imgList, data.Identifier()), \"Missing \"+data.Identifier())\n\t\t\t\tdata.Labels().Set(\"imageID\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: test.Command(\"image\", \"prune\", \"--force\", \"--all\", \"--filter\", \"until=12h\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\texpect.DoesNotContain(data.Labels().Get(\"imageID\")),\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\timgList := helpers.Capture(\"images\")\n\t\t\t\t\t\t\tassert.Assert(t, strings.Contains(imgList, data.Labels().Get(\"imageID\")))\n\t\t\t\t\t\t},\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t\tSubTests: []*test.Case{\n\t\t\t\t{\n\t\t\t\t\tDescription: \"Wait and remove until=10ms\",\n\t\t\t\t\tNoParallel: true,\n\t\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\t\ttime.Sleep(1 * time.Second)\n\t\t\t\t\t},\n\t\t\t\t\tCommand: test.Command(\"image\", \"prune\", \"--force\", \"--all\", \"--filter\", \"until=10ms\"),\n\t\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\t\t\texpect.Contains(data.Labels().Get(\"imageID\")),\n\t\t\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\t\t\timgList := helpers.Capture(\"images\")\n\t\t\t\t\t\t\t\t\tassert.Assert(t, !strings.Contains(imgList, data.Labels().Get(\"imageID\")), imgList)\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t),\n\t\t\t\t\t\t}\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/image/image_pull.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/image\"\n\t\"github.com/containerd/nerdctl/v2/pkg/platformutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/strutil\"\n)\n\nfunc PullCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"pull [flags] NAME[:TAG]\",\n\t\tShort: \"Pull an image from a registry. Optionally specify \\\"ipfs://\\\" or \\\"ipns://\\\" scheme to pull image from IPFS.\",\n\t\tArgs: helpers.IsExactArgs(1),\n\t\tRunE: pullAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().String(\"unpack\", \"auto\", \"Unpack the image for the current single platform (auto/true/false)\")\n\tcmd.RegisterFlagCompletionFunc(\"unpack\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"auto\", \"true\", \"false\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\n\t// #region platform flags\n\t// platform is defined as StringSlice, not StringArray, to allow specifying \"--platform=amd64,arm64\"\n\tcmd.Flags().StringSlice(\"platform\", nil, \"Pull content for a specific platform\")\n\tcmd.RegisterFlagCompletionFunc(\"platform\", completion.Platforms)\n\tcmd.Flags().Bool(\"all-platforms\", false, \"Pull content for all platforms\")\n\t// #endregion\n\n\t// #region verify flags\n\tcmd.Flags().String(\"verify\", \"none\", \"Verify the image (none|cosign|notation)\")\n\tcmd.RegisterFlagCompletionFunc(\"verify\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"none\", \"cosign\", \"notation\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\tcmd.Flags().String(\"cosign-key\", \"\", \"Path to the public key file, KMS, URI or Kubernetes Secret for --verify=cosign\")\n\tcmd.Flags().String(\"cosign-certificate-identity\", \"\", \"The identity expected in a valid Fulcio certificate for --verify=cosign. Valid values include email address, DNS names, IP addresses, and URIs. Either --cosign-certificate-identity or --cosign-certificate-identity-regexp must be set for keyless flows\")\n\tcmd.Flags().String(\"cosign-certificate-identity-regexp\", \"\", \"A regular expression alternative to --cosign-certificate-identity for --verify=cosign. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either --cosign-certificate-identity or --cosign-certificate-identity-regexp must be set for keyless flows\")\n\tcmd.Flags().String(\"cosign-certificate-oidc-issuer\", \"\", \"The OIDC issuer expected in a valid Fulcio certificate for --verify=cosign,, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth. Either --cosign-certificate-oidc-issuer or --cosign-certificate-oidc-issuer-regexp must be set for keyless flows\")\n\tcmd.Flags().String(\"cosign-certificate-oidc-issuer-regexp\", \"\", \"A regular expression alternative to --certificate-oidc-issuer for --verify=cosign,. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either --cosign-certificate-oidc-issuer or --cosign-certificate-oidc-issuer-regexp must be set for keyless flows\")\n\t// #endregion\n\n\t// #region socipull flags\n\tcmd.Flags().String(\"soci-index-digest\", \"\", \"Specify a particular index digest for SOCI. If left empty, SOCI will automatically use the index determined by the selection policy.\")\n\t// #endregion\n\n\tcmd.Flags().BoolP(\"quiet\", \"q\", false, \"Suppress verbose output\")\n\n\tcmd.Flags().String(\"ipfs-address\", \"\", \"multiaddr of IPFS API (default uses $IPFS_PATH env variable if defined or local directory ~/.ipfs)\")\n\n\treturn cmd\n}\n\nfunc processPullCommandFlags(cmd *cobra.Command) (types.ImagePullOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ImagePullOptions{}, err\n\t}\n\tallPlatforms, err := cmd.Flags().GetBool(\"all-platforms\")\n\tif err != nil {\n\t\treturn types.ImagePullOptions{}, err\n\t}\n\tplatform, err := cmd.Flags().GetStringSlice(\"platform\")\n\tif err != nil {\n\t\treturn types.ImagePullOptions{}, err\n\t}\n\n\tociSpecPlatform, err := platformutil.NewOCISpecPlatformSlice(allPlatforms, platform)\n\tif err != nil {\n\t\treturn types.ImagePullOptions{}, err\n\t}\n\n\tunpackStr, err := cmd.Flags().GetString(\"unpack\")\n\tif err != nil {\n\t\treturn types.ImagePullOptions{}, err\n\t}\n\tunpack, err := strutil.ParseBoolOrAuto(unpackStr)\n\tif err != nil {\n\t\treturn types.ImagePullOptions{}, err\n\t}\n\n\tquiet, err := cmd.Flags().GetBool(\"quiet\")\n\tif err != nil {\n\t\treturn types.ImagePullOptions{}, err\n\t}\n\tipfsAddressStr, err := cmd.Flags().GetString(\"ipfs-address\")\n\tif err != nil {\n\t\treturn types.ImagePullOptions{}, err\n\t}\n\n\tsociIndexDigest, err := cmd.Flags().GetString(\"soci-index-digest\")\n\tif err != nil {\n\t\treturn types.ImagePullOptions{}, err\n\t}\n\n\tverifyOptions, err := helpers.VerifyOptions(cmd)\n\tif err != nil {\n\t\treturn types.ImagePullOptions{}, err\n\t}\n\treturn types.ImagePullOptions{\n\t\tGOptions: globalOptions,\n\t\tVerifyOptions: verifyOptions,\n\t\tOCISpecPlatform: ociSpecPlatform,\n\t\tUnpack: unpack,\n\t\tMode: \"always\",\n\t\tQuiet: quiet,\n\t\tIPFSAddress: ipfsAddressStr,\n\t\tRFlags: types.RemoteSnapshotterFlags{\n\t\t\tSociIndexDigest: sociIndexDigest,\n\t\t},\n\t\tStdout: cmd.OutOrStdout(),\n\t\tStderr: cmd.OutOrStderr(),\n\t\tProgressOutputToStdout: true,\n\t}, nil\n}\n\nfunc pullAction(cmd *cobra.Command, args []string) error {\n\toptions, err := processPullCommandFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn image.Pull(ctx, client, args[0], options)\n}\n" }, { "path": "cmd/nerdctl/image/image_pull_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"fmt\"\n\t\"strconv\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest/registry\"\n)\n\nfunc TestImagePullWithCosign(t *testing.T) {\n\tdockerfile := fmt.Sprintf(`FROM %s\nCMD [\"echo\", \"nerdctl-build-test-string\"]\n\t`, testutil.CommonImage)\n\n\tnerdtest.Setup()\n\n\tvar reg *registry.Server\n\n\ttestCase := &test.Case{\n\t\tRequire: require.All(\n\t\t\trequire.Linux,\n\t\t\tnerdtest.Build,\n\t\t\trequire.Binary(\"cosign\"),\n\t\t\trequire.Not(nerdtest.Docker),\n\t\t\tnerdtest.Registry,\n\t\t),\n\n\t\tEnv: map[string]string{\n\t\t\t\"COSIGN_PASSWORD\": \"1\",\n\t\t},\n\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\tpri, pub := nerdtest.GenerateCosignKeyPair(data, helpers, \"1\")\n\t\t\treg = nerdtest.RegistryWithNoAuth(data, helpers, 0, false)\n\t\t\treg.Setup(data, helpers)\n\t\t\ttestImageRef := fmt.Sprintf(\"%s:%d/%s\", \"127.0.0.1\", reg.Port, data.Identifier())\n\t\t\tbuildCtx := data.Temp().Path()\n\n\t\t\thelpers.Ensure(\"build\", \"-t\", testImageRef+\":one\", buildCtx)\n\t\t\thelpers.Ensure(\"build\", \"-t\", testImageRef+\":two\", buildCtx)\n\t\t\thelpers.Ensure(\"push\", \"--sign=cosign\", \"--cosign-key=\"+pri, testImageRef+\":one\")\n\t\t\thelpers.Ensure(\"push\", \"--sign=cosign\", \"--cosign-key=\"+pri, testImageRef+\":two\")\n\n\t\t\tdata.Labels().Set(\"public_key\", pub)\n\t\t\tdata.Labels().Set(\"image_ref\", testImageRef)\n\t\t},\n\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\tif reg != nil {\n\t\t\t\treg.Cleanup(data, helpers)\n\t\t\t\ttestImageRef := data.Labels().Get(\"image_ref\")\n\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", testImageRef+\":one\")\n\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", testImageRef+\":two\")\n\t\t\t}\n\t\t},\n\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"Pull with the correct key\",\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\n\t\t\t\t\t\t\"pull\", \"--quiet\", \"--verify=cosign\",\n\t\t\t\t\t\t\"--cosign-key=\"+data.Labels().Get(\"public_key\"),\n\t\t\t\t\t\tdata.Labels().Get(\"image_ref\")+\":one\")\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Pull with unrelated key\",\n\t\t\t\tEnv: map[string]string{\n\t\t\t\t\t\"COSIGN_PASSWORD\": \"2\",\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\t_, pub := nerdtest.GenerateCosignKeyPair(data, helpers, \"2\")\n\t\t\t\t\treturn helpers.Command(\"pull\", \"--quiet\", \"--verify=cosign\", \"--cosign-key=\"+pub, data.Labels().Get(\"image_ref\")+\":two\")\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(12, nil, nil),\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestImagePullPlainHttpWithDefaultPort(t *testing.T) {\n\tnerdtest.Setup()\n\n\tvar reg *registry.Server\n\tdockerfile := fmt.Sprintf(`FROM %s\nCMD [\"echo\", \"nerdctl-build-test-string\"]\n\t`, testutil.CommonImage)\n\n\ttestCase := &test.Case{\n\t\tRequire: require.All(\n\t\t\trequire.Linux,\n\t\t\trequire.Not(nerdtest.Docker),\n\t\t\tnerdtest.Build,\n\t\t\tnerdtest.Registry,\n\t\t),\n\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\t\t\treg = nerdtest.RegistryWithNoAuth(data, helpers, 80, false)\n\t\t\treg.Setup(data, helpers)\n\t\t\ttestImageRef := fmt.Sprintf(\"%s/%s\",\n\t\t\t\treg.IP.String(), data.Identifier())\n\t\t\tbuildCtx := data.Temp().Path()\n\n\t\t\thelpers.Ensure(\"build\", \"-t\", testImageRef, buildCtx)\n\t\t\thelpers.Ensure(\"--insecure-registry\", \"push\", testImageRef)\n\t\t\thelpers.Ensure(\"rmi\", \"-f\", testImageRef)\n\n\t\t\tdata.Labels().Set(\"image_ref\", testImageRef)\n\t\t},\n\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"--insecure-registry\", \"pull\", data.Labels().Get(\"image_ref\"))\n\t\t},\n\n\t\tExpected: test.Expects(0, nil, nil),\n\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\tif reg != nil {\n\t\t\t\treg.Cleanup(data, helpers)\n\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(\"image_ref\"))\n\t\t\t}\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestImagePullSoci(t *testing.T) {\n\tnerdtest.Setup()\n\n\ttestCase := &test.Case{\n\t\tRequire: require.All(\n\t\t\trequire.Linux,\n\t\t\trequire.Not(nerdtest.Docker),\n\t\t\tnerdtest.Soci,\n\t\t),\n\n\t\t// NOTE: these tests cannot be run in parallel, as they depend on the output of host `mount`\n\t\t// They also feel prone to raciness...\n\t\tNoParallel: true,\n\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"Run without specifying SOCI index\",\n\t\t\t\tNoParallel: true,\n\t\t\t\tData: test.WithLabels(map[string]string{\n\t\t\t\t\t\"remoteSnapshotsExpectedCount\": \"11\",\n\t\t\t\t\t\"sociIndexDigest\": \"\",\n\t\t\t\t}),\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\tcmd := helpers.Custom(\"mount\")\n\t\t\t\t\tcmd.Run(&test.Expected{\n\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\tdata.Labels().Set(\"remoteSnapshotsInitialCount\", strconv.Itoa(strings.Count(stdout, \"fuse.rawBridge\")))\n\t\t\t\t\t\t},\n\t\t\t\t\t})\n\t\t\t\t\thelpers.Ensure(\"--snapshotter=soci\", \"pull\", testutil.FfmpegSociImage)\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", testutil.FfmpegSociImage)\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Custom(\"mount\")\n\t\t\t\t},\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\tremoteSnapshotsInitialCount, _ := strconv.Atoi(data.Labels().Get(\"remoteSnapshotsInitialCount\"))\n\t\t\t\t\t\t\tremoteSnapshotsActualCount := strings.Count(stdout, \"fuse.rawBridge\")\n\t\t\t\t\t\t\tassert.Equal(t,\n\t\t\t\t\t\t\t\tdata.Labels().Get(\"remoteSnapshotsExpectedCount\"),\n\t\t\t\t\t\t\t\tstrconv.Itoa(remoteSnapshotsActualCount-remoteSnapshotsInitialCount),\n\t\t\t\t\t\t\t\t\"expected remote snapshot count to match\",\n\t\t\t\t\t\t\t)\n\t\t\t\t\t\t},\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Run with bad SOCI index\",\n\t\t\t\tNoParallel: true,\n\t\t\t\tData: test.WithLabels(map[string]string{\n\t\t\t\t\t\"remoteSnapshotsExpectedCount\": \"11\",\n\t\t\t\t\t\"sociIndexDigest\": \"sha256:thisisabadindex0000000000000000000000000000000000000000000000000\",\n\t\t\t\t}),\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\tcmd := helpers.Custom(\"mount\")\n\t\t\t\t\tcmd.Run(&test.Expected{\n\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\tdata.Labels().Set(\"remoteSnapshotsInitialCount\", strconv.Itoa(strings.Count(stdout, \"fuse.rawBridge\")))\n\t\t\t\t\t\t},\n\t\t\t\t\t})\n\t\t\t\t\thelpers.Ensure(\"--snapshotter=soci\", \"pull\", testutil.FfmpegSociImage)\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", testutil.FfmpegSociImage)\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Custom(\"mount\")\n\t\t\t\t},\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\tremoteSnapshotsInitialCount, _ := strconv.Atoi(data.Labels().Get(\"remoteSnapshotsInitialCount\"))\n\t\t\t\t\t\t\tremoteSnapshotsActualCount := strings.Count(stdout, \"fuse.rawBridge\")\n\t\t\t\t\t\t\tassert.Equal(t,\n\t\t\t\t\t\t\t\tdata.Labels().Get(\"remoteSnapshotsExpectedCount\"),\n\t\t\t\t\t\t\t\tstrconv.Itoa(remoteSnapshotsActualCount-remoteSnapshotsInitialCount),\n\t\t\t\t\t\t\t\t\"expected remote snapshot count to match\")\n\t\t\t\t\t\t},\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestImagePullProcessOutput(t *testing.T) {\n\tnerdtest.Setup()\n\n\ttestCase := &test.Case{\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"Pull Image - output should be in stdout\",\n\t\t\t\tNoParallel: true,\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", testutil.BusyboxImage)\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"pull\", testutil.BusyboxImage)\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, expect.Contains(testutil.BusyboxImage)),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"Run Container with image pull - output should be in stderr\",\n\t\t\t\tNoParallel: true,\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", testutil.BusyboxImage)\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"run\", \"--rm\", testutil.BusyboxImage)\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, expect.DoesNotContain(testutil.BusyboxImage)),\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/image/image_push.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/image\"\n)\n\nconst (\n\tallowNonDistFlag = \"allow-nondistributable-artifacts\"\n)\n\nfunc PushCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"push [flags] NAME[:TAG]\",\n\t\tShort: \"Push an image or a repository to a registry. Optionally specify \\\"ipfs://\\\" or \\\"ipns://\\\" scheme to push image to IPFS.\",\n\t\tArgs: helpers.IsExactArgs(1),\n\t\tRunE: pushAction,\n\t\tValidArgsFunction: pushShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\t// #region platform flags\n\t// platform is defined as StringSlice, not StringArray, to allow specifying \"--platform=amd64,arm64\"\n\tcmd.Flags().StringSlice(\"platform\", []string{}, \"Push content for a specific platform\")\n\tcmd.RegisterFlagCompletionFunc(\"platform\", completion.Platforms)\n\tcmd.Flags().Bool(\"all-platforms\", false, \"Push content for all platforms\")\n\t// #endregion\n\n\tcmd.Flags().Bool(\"estargz\", false, \"Convert the image into eStargz\")\n\tcmd.Flags().Bool(\"ipfs-ensure-image\", true, \"Ensure the entire contents of the image is locally available before push\")\n\tcmd.Flags().String(\"ipfs-address\", \"\", \"multiaddr of IPFS API (default uses $IPFS_PATH env variable if defined or local directory ~/.ipfs)\")\n\n\t// #region sign flags\n\tcmd.Flags().String(\"sign\", \"none\", \"Sign the image (none|cosign|notation\")\n\tcmd.RegisterFlagCompletionFunc(\"sign\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"none\", \"cosign\", \"notation\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\tcmd.Flags().String(\"cosign-key\", \"\", \"Path to the private key file, KMS URI or Kubernetes Secret for --sign=cosign\")\n\tcmd.Flags().String(\"notation-key-name\", \"\", \"Signing key name for a key previously added to notation's key list for --sign=notation\")\n\t// #endregion\n\n\t// #region soci flags\n\tcmd.Flags().Int64(\"soci-span-size\", -1, \"Span size that soci index uses to segment layer data. Default is 4 MiB.\")\n\tcmd.Flags().Int64(\"soci-min-layer-size\", -1, \"Minimum layer size to build zTOC for. Smaller layers won't have zTOC and not lazy pulled. Default is 10 MiB.\")\n\t// #endregion\n\n\tcmd.Flags().BoolP(\"quiet\", \"q\", false, \"Suppress verbose output\")\n\n\tcmd.Flags().Bool(allowNonDistFlag, false, \"Allow pushing images with non-distributable blobs\")\n\n\treturn cmd\n}\n\nfunc pushOptions(cmd *cobra.Command) (types.ImagePushOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ImagePushOptions{}, err\n\t}\n\tplatform, err := cmd.Flags().GetStringSlice(\"platform\")\n\tif err != nil {\n\t\treturn types.ImagePushOptions{}, err\n\t}\n\tallPlatforms, err := cmd.Flags().GetBool(\"all-platforms\")\n\tif err != nil {\n\t\treturn types.ImagePushOptions{}, err\n\t}\n\testargz, err := cmd.Flags().GetBool(\"estargz\")\n\tif err != nil {\n\t\treturn types.ImagePushOptions{}, err\n\t}\n\tipfsEnsureImage, err := cmd.Flags().GetBool(\"ipfs-ensure-image\")\n\tif err != nil {\n\t\treturn types.ImagePushOptions{}, err\n\t}\n\tipfsAddress, err := cmd.Flags().GetString(\"ipfs-address\")\n\tif err != nil {\n\t\treturn types.ImagePushOptions{}, err\n\t}\n\tquiet, err := cmd.Flags().GetBool(\"quiet\")\n\tif err != nil {\n\t\treturn types.ImagePushOptions{}, err\n\t}\n\tallowNonDist, err := cmd.Flags().GetBool(allowNonDistFlag)\n\tif err != nil {\n\t\treturn types.ImagePushOptions{}, err\n\t}\n\tsignOptions, err := signOptions(cmd)\n\tif err != nil {\n\t\treturn types.ImagePushOptions{}, err\n\t}\n\tsociOptions, err := sociOptions(cmd)\n\tif err != nil {\n\t\treturn types.ImagePushOptions{}, err\n\t}\n\treturn types.ImagePushOptions{\n\t\tGOptions: globalOptions,\n\t\tSignOptions: signOptions,\n\t\tSociOptions: sociOptions,\n\t\tPlatforms: platform,\n\t\tAllPlatforms: allPlatforms,\n\t\tEstargz: estargz,\n\t\tIpfsEnsureImage: ipfsEnsureImage,\n\t\tIpfsAddress: ipfsAddress,\n\t\tQuiet: quiet,\n\t\tAllowNondistributableArtifacts: allowNonDist,\n\t\tStdout: cmd.OutOrStdout(),\n\t}, nil\n}\n\nfunc pushAction(cmd *cobra.Command, args []string) error {\n\toptions, err := pushOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\trawRef := args[0]\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn image.Push(ctx, client, rawRef, options)\n}\n\nfunc pushShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t// show image names\n\treturn completion.ImageNames(cmd)\n}\n\nfunc signOptions(cmd *cobra.Command) (opt types.ImageSignOptions, err error) {\n\tif opt.Provider, err = cmd.Flags().GetString(\"sign\"); err != nil {\n\t\treturn\n\t}\n\tif opt.CosignKey, err = cmd.Flags().GetString(\"cosign-key\"); err != nil {\n\t\treturn\n\t}\n\tif opt.NotationKeyName, err = cmd.Flags().GetString(\"notation-key-name\"); err != nil {\n\t\treturn\n\t}\n\treturn\n}\n\nfunc sociOptions(cmd *cobra.Command) (opt types.SociOptions, err error) {\n\tif opt.SpanSize, err = cmd.Flags().GetInt64(\"soci-span-size\"); err != nil {\n\t\treturn\n\t}\n\tif opt.MinLayerSize, err = cmd.Flags().GetInt64(\"soci-min-layer-size\"); err != nil {\n\t\treturn\n\t}\n\treturn\n}\n" }, { "path": "cmd/nerdctl/image/image_push_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest/registry\"\n)\n\nfunc TestPush(t *testing.T) {\n\tnerdtest.Setup()\n\n\tvar registryNoAuthHTTPRandom, registryNoAuthHTTPDefault, registryTokenAuthHTTPSRandom *registry.Server\n\tvar tokenServer *registry.TokenAuthServer\n\n\ttestCase := &test.Case{\n\t\tRequire: require.All(\n\t\t\trequire.Linux,\n\t\t\tnerdtest.Registry,\n\t\t\tnerdtest.IsFlaky(\"https://github.com/containerd/nerdctl/issues/4470\"),\n\t\t),\n\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tregistryNoAuthHTTPRandom = nerdtest.RegistryWithNoAuth(data, helpers, 0, false)\n\t\t\tregistryNoAuthHTTPRandom.Setup(data, helpers)\n\t\t\tregistryNoAuthHTTPDefault = nerdtest.RegistryWithNoAuth(data, helpers, 80, false)\n\t\t\tregistryNoAuthHTTPDefault.Setup(data, helpers)\n\t\t\tregistryTokenAuthHTTPSRandom, tokenServer = nerdtest.RegistryWithTokenAuth(data, helpers, \"admin\", \"badmin\", 0, true)\n\t\t\ttokenServer.Setup(data, helpers)\n\t\t\tregistryTokenAuthHTTPSRandom.Setup(data, helpers)\n\t\t},\n\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\tif registryNoAuthHTTPRandom != nil {\n\t\t\t\tregistryNoAuthHTTPRandom.Cleanup(data, helpers)\n\t\t\t}\n\t\t\tif registryNoAuthHTTPDefault != nil {\n\t\t\t\tregistryNoAuthHTTPDefault.Cleanup(data, helpers)\n\t\t\t}\n\t\t\tif registryTokenAuthHTTPSRandom != nil {\n\t\t\t\tregistryTokenAuthHTTPSRandom.Cleanup(data, helpers)\n\t\t\t}\n\t\t\tif tokenServer != nil {\n\t\t\t\ttokenServer.Cleanup(data, helpers)\n\t\t\t}\n\t\t},\n\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"plain http\",\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.CommonImage)\n\t\t\t\t\ttestImageRef := fmt.Sprintf(\"%s:%d/%s\",\n\t\t\t\t\t\tregistryNoAuthHTTPRandom.IP.String(), registryNoAuthHTTPRandom.Port, data.Identifier())\n\t\t\t\t\tdata.Labels().Set(\"testImageRef\", testImageRef)\n\t\t\t\t\thelpers.Ensure(\"tag\", testutil.CommonImage, testImageRef)\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\tif data.Labels().Get(\"testImageRef\") != \"\" {\n\t\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(\"testImageRef\"))\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"push\", data.Labels().Get(\"testImageRef\"))\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(1, []error{errors.New(\"server gave HTTP response to HTTPS client\")}, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"plain http with insecure\",\n\t\t\t\tRequire: require.Not(nerdtest.Docker),\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.CommonImage)\n\t\t\t\t\ttestImageRef := fmt.Sprintf(\"%s:%d/%s\",\n\t\t\t\t\t\tregistryNoAuthHTTPRandom.IP.String(), registryNoAuthHTTPRandom.Port, data.Identifier())\n\t\t\t\t\tdata.Labels().Set(\"testImageRef\", testImageRef)\n\t\t\t\t\thelpers.Ensure(\"tag\", testutil.CommonImage, testImageRef)\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\tif data.Labels().Get(\"testImageRef\") != \"\" {\n\t\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(\"testImageRef\"))\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"push\", \"--insecure-registry\", data.Labels().Get(\"testImageRef\"))\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"plain http with localhost\",\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.CommonImage)\n\t\t\t\t\ttestImageRef := fmt.Sprintf(\"%s:%d/%s\",\n\t\t\t\t\t\t\"127.0.0.1\", registryNoAuthHTTPRandom.Port, data.Identifier())\n\t\t\t\t\tdata.Labels().Set(\"testImageRef\", testImageRef)\n\t\t\t\t\thelpers.Ensure(\"tag\", testutil.CommonImage, testImageRef)\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"push\", data.Labels().Get(\"testImageRef\"))\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"plain http with insecure, default port\",\n\t\t\t\tRequire: require.Not(nerdtest.Docker),\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.CommonImage)\n\t\t\t\t\ttestImageRef := fmt.Sprintf(\"%s/%s\",\n\t\t\t\t\t\tregistryNoAuthHTTPDefault.IP.String(), data.Identifier())\n\t\t\t\t\tdata.Labels().Set(\"testImageRef\", testImageRef)\n\t\t\t\t\thelpers.Ensure(\"tag\", testutil.CommonImage, testImageRef)\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\tif data.Labels().Get(\"testImageRef\") != \"\" {\n\t\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(\"testImageRef\"))\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"push\", \"--insecure-registry\", data.Labels().Get(\"testImageRef\"))\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"with insecure, with login\",\n\t\t\t\tRequire: require.Not(nerdtest.Docker),\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.CommonImage)\n\t\t\t\t\ttestImageRef := fmt.Sprintf(\"%s:%d/%s\",\n\t\t\t\t\t\tregistryTokenAuthHTTPSRandom.IP.String(), registryTokenAuthHTTPSRandom.Port, data.Identifier())\n\t\t\t\t\tdata.Labels().Set(\"testImageRef\", testImageRef)\n\t\t\t\t\thelpers.Ensure(\"tag\", testutil.CommonImage, testImageRef)\n\t\t\t\t\thelpers.Ensure(\"--insecure-registry\", \"login\", \"-u\", \"admin\", \"-p\", \"badmin\",\n\t\t\t\t\t\tfmt.Sprintf(\"%s:%d\", registryTokenAuthHTTPSRandom.IP.String(), registryTokenAuthHTTPSRandom.Port))\n\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\tif data.Labels().Get(\"testImageRef\") != \"\" {\n\t\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(\"testImageRef\"))\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"push\", \"--insecure-registry\", data.Labels().Get(\"testImageRef\"))\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"with hosts dir, with login\",\n\t\t\t\tRequire: require.Not(nerdtest.Docker),\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.CommonImage)\n\t\t\t\t\ttestImageRef := fmt.Sprintf(\"%s:%d/%s\",\n\t\t\t\t\t\tregistryTokenAuthHTTPSRandom.IP.String(), registryTokenAuthHTTPSRandom.Port, data.Identifier())\n\t\t\t\t\tdata.Labels().Set(\"testImageRef\", testImageRef)\n\t\t\t\t\thelpers.Ensure(\"tag\", testutil.CommonImage, testImageRef)\n\t\t\t\t\thelpers.Ensure(\"--hosts-dir\", registryTokenAuthHTTPSRandom.HostsDir, \"login\", \"-u\", \"admin\", \"-p\", \"badmin\",\n\t\t\t\t\t\tfmt.Sprintf(\"%s:%d\", registryTokenAuthHTTPSRandom.IP.String(), registryTokenAuthHTTPSRandom.Port))\n\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\tif data.Labels().Get(\"testImageRef\") != \"\" {\n\t\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(\"testImageRef\"))\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"push\", \"--hosts-dir\", registryTokenAuthHTTPSRandom.HostsDir, data.Labels().Get(\"testImageRef\"))\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"non distributable artifacts\",\n\t\t\t\tRequire: require.Not(nerdtest.Docker),\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.NonDistBlobImage)\n\t\t\t\t\ttestImageRef := fmt.Sprintf(\"%s:%d/%s\",\n\t\t\t\t\t\tregistryNoAuthHTTPRandom.IP.String(), registryNoAuthHTTPRandom.Port, data.Identifier())\n\t\t\t\t\tdata.Labels().Set(\"testImageRef\", testImageRef)\n\t\t\t\t\thelpers.Ensure(\"tag\", testutil.NonDistBlobImage, testImageRef)\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\tif data.Labels().Get(\"testImageRef\") != \"\" {\n\t\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(\"testImageRef\"))\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"push\", \"--insecure-registry\", data.Labels().Get(\"testImageRef\"))\n\t\t\t\t},\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\tblobURL := fmt.Sprintf(\"http://%s:%d/v2/%s/blobs/%s\", registryNoAuthHTTPRandom.IP.String(), registryNoAuthHTTPRandom.Port, data.Identifier(), testutil.NonDistBlobDigest)\n\t\t\t\t\t\t\tresp, err := http.Get(blobURL)\n\t\t\t\t\t\t\tassert.Assert(t, err, \"error making http request\")\n\t\t\t\t\t\t\tif resp.Body != nil {\n\t\t\t\t\t\t\t\t_ = resp.Body.Close()\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tassert.Equal(t, resp.StatusCode, http.StatusNotFound, \"non-distributable blob should not be available\")\n\t\t\t\t\t\t},\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"non distributable artifacts (with)\",\n\t\t\t\tRequire: require.Not(nerdtest.Docker),\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.NonDistBlobImage)\n\t\t\t\t\ttestImageRef := fmt.Sprintf(\"%s:%d/%s\",\n\t\t\t\t\t\tregistryNoAuthHTTPRandom.IP.String(), registryNoAuthHTTPRandom.Port, data.Identifier())\n\t\t\t\t\tdata.Labels().Set(\"testImageRef\", testImageRef)\n\t\t\t\t\thelpers.Ensure(\"tag\", testutil.NonDistBlobImage, testImageRef)\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\tif data.Labels().Get(\"testImageRef\") != \"\" {\n\t\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(\"testImageRef\"))\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"push\", \"--insecure-registry\", \"--allow-nondistributable-artifacts\", data.Labels().Get(\"testImageRef\"))\n\t\t\t\t},\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\tblobURL := fmt.Sprintf(\"http://%s:%d/v2/%s/blobs/%s\", registryNoAuthHTTPRandom.IP.String(), registryNoAuthHTTPRandom.Port, data.Identifier(), testutil.NonDistBlobDigest)\n\t\t\t\t\t\t\tresp, err := http.Get(blobURL)\n\t\t\t\t\t\t\tassert.Assert(t, err, \"error making http request\")\n\t\t\t\t\t\t\tif resp.Body != nil {\n\t\t\t\t\t\t\t\t_ = resp.Body.Close()\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tassert.Equal(t, resp.StatusCode, http.StatusOK, \"non-distributable blob should be available\")\n\t\t\t\t\t\t},\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"soci\",\n\t\t\t\tRequire: require.All(\n\t\t\t\t\tnerdtest.Soci,\n\t\t\t\t\trequire.Not(nerdtest.Docker),\n\t\t\t\t),\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.UbuntuImage)\n\t\t\t\t\ttestImageRef := fmt.Sprintf(\"%s:%d/%s\",\n\t\t\t\t\t\tregistryNoAuthHTTPRandom.IP.String(), registryNoAuthHTTPRandom.Port, data.Identifier())\n\t\t\t\t\tdata.Labels().Set(\"testImageRef\", testImageRef)\n\t\t\t\t\thelpers.Ensure(\"tag\", testutil.UbuntuImage, testImageRef)\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\tif data.Labels().Get(\"testImageRef\") != \"\" {\n\t\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(\"testImageRef\"))\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"push\", \"--snapshotter=soci\", \"--insecure-registry\", \"--soci-span-size=2097152\", \"--soci-min-layer-size=20971520\", data.Labels().Get(\"testImageRef\"))\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t},\n\t\t},\n\t}\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/image/image_remove.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/image\"\n)\n\nfunc RmiCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"rmi [flags] IMAGE [IMAGE, ...]\",\n\t\tShort: \"Remove one or more images\",\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tRunE: rmiAction,\n\t\tValidArgsFunction: rmiShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().BoolP(\"force\", \"f\", false, \"Force removal of the image\")\n\t// Alias `-a` is reserved for `--all`. Should be compatible with `podman rmi --all`.\n\tcmd.Flags().Bool(\"async\", false, \"Asynchronous mode\")\n\treturn cmd\n}\n\nfunc removeOptions(cmd *cobra.Command) (types.ImageRemoveOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ImageRemoveOptions{}, err\n\t}\n\n\tforce, err := cmd.Flags().GetBool(\"force\")\n\tif err != nil {\n\t\treturn types.ImageRemoveOptions{}, err\n\t}\n\tasync, err := cmd.Flags().GetBool(\"async\")\n\tif err != nil {\n\t\treturn types.ImageRemoveOptions{}, err\n\t}\n\n\treturn types.ImageRemoveOptions{\n\t\tStdout: cmd.OutOrStdout(),\n\t\tGOptions: globalOptions,\n\t\tForce: force,\n\t\tAsync: async,\n\t}, nil\n}\n\nfunc rmiAction(cmd *cobra.Command, args []string) error {\n\toptions, err := removeOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn image.Remove(ctx, client, args, options)\n}\n\nfunc rmiShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t// show image names\n\treturn completion.ImageNames(cmd)\n}\n" }, { "path": "cmd/nerdctl/image/image_remove_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"errors\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/imgutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestRemove(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\tconst (\n\t\timgShortIDKey = \"imgShortID\"\n\t)\n\n\trepoName, _ := imgutil.ParseRepoTag(testutil.CommonImage)\n\tnginxRepoName, _ := imgutil.ParseRepoTag(testutil.NginxAlpineImage)\n\t// NOTES:\n\t// - since all of these are rmi-ing the common image, we need private mode\n\ttestCase.Require = nerdtest.Private\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"Remove image with stopped container - without -f\",\n\t\t\tNoParallel: true,\n\t\t\tRequire: require.All(\n\t\t\t\trequire.Not(nerdtest.Docker),\n\t\t\t),\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"--quiet\", \"--pull\", \"always\", \"--name\", data.Identifier(), testutil.CommonImage)\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: test.Command(\"rmi\", testutil.CommonImage),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{errors.New(\"image is being used\")},\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\thelpers.Command(\"images\").Run(&test.Expected{\n\t\t\t\t\t\t\tOutput: expect.Contains(repoName),\n\t\t\t\t\t\t})\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Remove image with stopped container - with -f\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"--quiet\", \"--pull\", \"always\", \"--name\", data.Identifier(), testutil.CommonImage)\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: test.Command(\"rmi\", \"-f\", testutil.CommonImage),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\thelpers.Command(\"images\").Run(&test.Expected{\n\t\t\t\t\t\t\tOutput: expect.DoesNotContain(repoName),\n\t\t\t\t\t\t})\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Remove image with running container - without -f\",\n\t\t\tNoParallel: true,\n\t\t\tRequire: require.All(\n\t\t\t\trequire.Not(nerdtest.Docker),\n\t\t\t),\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"--quiet\", \"--pull\", \"always\", \"-d\", \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: test.Command(\"rmi\", testutil.CommonImage),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{errors.New(\"image is being used\")},\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\thelpers.Command(\"images\").Run(&test.Expected{\n\t\t\t\t\t\t\tOutput: expect.Contains(repoName),\n\t\t\t\t\t\t})\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Remove image with running container - with -f\",\n\t\t\tNoParallel: true,\n\t\t\tRequire: require.All(\n\t\t\t\trequire.Not(nerdtest.Docker),\n\t\t\t),\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"--quiet\", \"--pull\", \"always\", \"-d\", \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\n\t\t\t\timg := nerdtest.InspectImage(helpers, testutil.CommonImage)\n\t\t\t\trepoName, _ := imgutil.ParseRepoTag(testutil.CommonImage)\n\t\t\t\timgShortID := strings.TrimPrefix(img.RepoDigests[0], repoName+\"@sha256:\")[0:8]\n\n\t\t\t\tdata.Labels().Set(imgShortIDKey, imgShortID)\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(imgShortIDKey))\n\t\t\t},\n\t\t\tCommand: test.Command(\"rmi\", \"-f\", testutil.CommonImage),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tErrors: []error{},\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\thelpers.Command(\"images\").Run(&test.Expected{\n\t\t\t\t\t\t\tOutput: expect.Contains(\"\"),\n\t\t\t\t\t\t})\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Remove image with created container - without -f\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"create\", \"--quiet\", \"--pull\", \"always\", \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: test.Command(\"rmi\", testutil.CommonImage),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{errors.New(\"image is being used\")},\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\thelpers.Command(\"images\").Run(&test.Expected{\n\t\t\t\t\t\t\tOutput: expect.Contains(repoName),\n\t\t\t\t\t\t})\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Remove image with created container - with -f\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.NginxAlpineImage)\n\t\t\t\thelpers.Ensure(\"create\", \"--quiet\", \"--pull\", \"always\", \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t\thelpers.Ensure(\"rmi\", testutil.NginxAlpineImage)\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: test.Command(\"rmi\", \"-f\", testutil.CommonImage),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\thelpers.Command(\"images\").Run(&test.Expected{\n\t\t\t\t\t\t\t// a created container with removed image doesn't impact other `rmi` command\n\t\t\t\t\t\t\tOutput: expect.DoesNotContain(repoName, nginxRepoName),\n\t\t\t\t\t\t})\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Remove image with paused container - without -f\",\n\t\t\tNoParallel: true,\n\t\t\tRequire: require.All(\n\t\t\t\trequire.Not(nerdtest.Docker),\n\t\t\t\tnerdtest.CGroup,\n\t\t\t),\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"--quiet\", \"--pull\", \"always\", \"-d\", \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t\thelpers.Ensure(\"pause\", data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: test.Command(\"rmi\", testutil.CommonImage),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{errors.New(\"image is being used\")},\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\thelpers.Command(\"images\").Run(&test.Expected{\n\t\t\t\t\t\t\tOutput: expect.Contains(repoName),\n\t\t\t\t\t\t})\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Remove image with paused container - with -f\",\n\t\t\tNoParallel: true,\n\t\t\tRequire: require.All(\n\t\t\t\tnerdtest.CGroup,\n\t\t\t\trequire.Not(nerdtest.Docker),\n\t\t\t),\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"--quiet\", \"--pull\", \"always\", \"-d\", \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t\thelpers.Ensure(\"pause\", data.Identifier())\n\n\t\t\t\timg := nerdtest.InspectImage(helpers, testutil.CommonImage)\n\t\t\t\trepoName, _ := imgutil.ParseRepoTag(testutil.CommonImage)\n\t\t\t\timgShortID := strings.TrimPrefix(img.RepoDigests[0], repoName+\"@sha256:\")[0:8]\n\n\t\t\t\tdata.Labels().Set(imgShortIDKey, imgShortID)\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(imgShortIDKey))\n\t\t\t},\n\t\t\tCommand: test.Command(\"rmi\", \"-f\", testutil.CommonImage),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tErrors: []error{},\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\thelpers.Command(\"images\").Run(&test.Expected{\n\t\t\t\t\t\t\tOutput: expect.Contains(\"\"),\n\t\t\t\t\t\t})\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Remove image with killed container - without -f\",\n\t\t\tNoParallel: true,\n\t\t\tRequire: require.All(\n\t\t\t\trequire.Not(nerdtest.Docker),\n\t\t\t),\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"--quiet\", \"--pull\", \"always\", \"-d\", \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t\thelpers.Ensure(\"kill\", data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: test.Command(\"rmi\", testutil.CommonImage),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{errors.New(\"image is being used\")},\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\thelpers.Command(\"images\").Run(&test.Expected{\n\t\t\t\t\t\t\tOutput: expect.Contains(repoName),\n\t\t\t\t\t\t})\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Remove image with killed container - with -f\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"--quiet\", \"--pull\", \"always\", \"-d\", \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t\thelpers.Ensure(\"kill\", data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: test.Command(\"rmi\", \"-f\", testutil.CommonImage),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\thelpers.Command(\"images\").Run(&test.Expected{\n\t\t\t\t\t\t\tOutput: expect.DoesNotContain(repoName),\n\t\t\t\t\t\t})\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\n// TestIssue3016 tests https://github.com/containerd/nerdctl/issues/3016\nfunc TestIssue3016(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\tconst (\n\t\ttagIDKey = \"tagID\"\n\t)\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"Issue #3016 - Tags created using the short digest ids of container images cannot be deleted using the nerdctl rmi command.\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.CommonImage)\n\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.NginxAlpineImage)\n\n\t\t\t\timg := nerdtest.InspectImage(helpers, testutil.NginxAlpineImage)\n\t\t\t\trepoName, _ := imgutil.ParseRepoTag(testutil.NginxAlpineImage)\n\t\t\t\ttagID := strings.TrimPrefix(img.RepoDigests[0], repoName+\"@sha256:\")[0:8]\n\n\t\t\t\thelpers.Ensure(\"tag\", testutil.CommonImage, tagID)\n\n\t\t\t\tdata.Labels().Set(tagIDKey, tagID)\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"rmi\", data.Labels().Get(tagIDKey))\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tErrors: []error{},\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\thelpers.Command(\"images\", data.Labels().Get(tagIDKey)).Run(&test.Expected{\n\t\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\t\tassert.Equal(t, len(strings.Split(stdout, \"\\n\")), 2)\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t})\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestRemoveKubeWithKubeHideDupe(t *testing.T) {\n\tvar numTags, numNoTags int\n\ttestCase := nerdtest.Setup()\n\ttestCase.NoParallel = true\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"--kube-hide-dupe\", \"rmi\", \"-f\", testutil.BusyboxImage)\n\t}\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tnumTags = len(strings.Split(strings.TrimSpace(helpers.Capture(\"--kube-hide-dupe\", \"images\")), \"\\n\"))\n\t\tnumNoTags = len(strings.Split(strings.TrimSpace(helpers.Capture(\"images\")), \"\\n\"))\n\t}\n\ttestCase.Require = require.All(\n\t\tnerdtest.OnlyKubernetes,\n\t)\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"After removing the tag without kube-hide-dupe, repodigest is shown as \",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.BusyboxImage)\n\t\t\t},\n\t\t\tCommand: test.Command(\"rmi\", \"-f\", testutil.BusyboxImage),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tErrors: []error{},\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\thelpers.Command(\"--kube-hide-dupe\", \"images\").Run(&test.Expected{\n\t\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\t\t\t\t\t\tassert.Assert(t, len(lines) == numTags+1)\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t})\n\t\t\t\t\t\thelpers.Command(\"images\").Run(&test.Expected{\n\t\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\t\t\t\t\t\tassert.Assert(t, len(lines) == numNoTags+1)\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t})\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"If there are other tags, the Repodigest will not be deleted\",\n\t\t\tNoParallel: true,\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"--kube-hide-dupe\", \"rmi\", data.Identifier())\n\t\t\t},\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.BusyboxImage)\n\t\t\t\thelpers.Ensure(\"tag\", testutil.BusyboxImage, data.Identifier())\n\t\t\t},\n\t\t\tCommand: test.Command(\"--kube-hide-dupe\", \"rmi\", testutil.BusyboxImage),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tErrors: []error{},\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\thelpers.Command(\"--kube-hide-dupe\", \"images\").Run(&test.Expected{\n\t\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\t\t\t\t\t\tassert.Assert(t, len(lines) == numTags+1)\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t})\n\t\t\t\t\t\thelpers.Command(\"images\").Run(&test.Expected{\n\t\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\t\t\t\t\t\tassert.Assert(t, len(lines) == numNoTags+2)\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t})\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"After deleting all repo:tag entries, all repodigests will be cleaned up\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.BusyboxImage)\n\t\t\t\thelpers.Ensure(\"tag\", testutil.BusyboxImage, data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\thelpers.Ensure(\"--kube-hide-dupe\", \"rmi\", \"-f\", testutil.BusyboxImage)\n\t\t\t\treturn helpers.Command(\"--kube-hide-dupe\", \"rmi\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\thelpers.Command(\"--kube-hide-dupe\", \"images\").Run(&test.Expected{\n\t\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\t\t\t\t\t\tassert.Assert(t, len(lines) == numTags)\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t})\n\t\t\t\t\t\thelpers.Command(\"images\").Run(&test.Expected{\n\t\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\t\t\t\t\t\tassert.Assert(t, len(lines) == numNoTags)\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t})\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Test multiple IDs found with provided prefix and force with shortID\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.BusyboxImage)\n\t\t\t\thelpers.Ensure(\"tag\", testutil.BusyboxImage, data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"--kube-hide-dupe\", \"images\", testutil.BusyboxImage, \"-q\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\thelpers.Command(\"--kube-hide-dupe\", \"rmi\", stdout[0:12]).Run(&test.Expected{\n\t\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t\t\tErrors: []error{errors.New(\"multiple IDs found with provided prefix: \")},\n\t\t\t\t\t\t})\n\t\t\t\t\t\thelpers.Command(\"--kube-hide-dupe\", \"rmi\", \"--force\", stdout[0:12]).Run(&test.Expected{\n\t\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t\t})\n\t\t\t\t\t\thelpers.Command(\"images\").Run(&test.Expected{\n\t\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\t\t\t\t\t\tassert.Assert(t, len(lines) == numNoTags)\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t})\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Test remove image with digestID\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.BusyboxImage)\n\t\t\t\thelpers.Ensure(\"tag\", testutil.BusyboxImage, data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"--kube-hide-dupe\", \"images\", testutil.BusyboxImage, \"-q\", \"--no-trunc\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\timgID := strings.Split(stdout, \"\\n\")\n\t\t\t\t\t\thelpers.Command(\"--kube-hide-dupe\", \"rmi\", imgID[0]).Run(&test.Expected{\n\t\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t\t\tErrors: []error{errors.New(\"multiple IDs found with provided prefix: \")},\n\t\t\t\t\t\t})\n\t\t\t\t\t\thelpers.Command(\"--kube-hide-dupe\", \"rmi\", \"--force\", imgID[0]).Run(&test.Expected{\n\t\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t\t})\n\t\t\t\t\t\thelpers.Command(\"images\").Run(&test.Expected{\n\t\t\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t\t\tlines := strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\t\t\t\t\t\tassert.Assert(t, len(lines) == numNoTags)\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t})\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/image/image_save.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\n\t\"github.com/mattn/go-isatty\"\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/image\"\n)\n\nfunc SaveCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"save [flags] IMAGE [IMAGE...]\",\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tShort: \"Save one or more images to a tar archive (streamed to STDOUT by default)\",\n\t\tLong: \"The archive implements both Docker Image Spec v1.2 and OCI Image Spec v1.0.\",\n\t\tRunE: saveAction,\n\t\tValidArgsFunction: saveShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().StringP(\"output\", \"o\", \"\", \"Write to a file, instead of STDOUT\")\n\n\t// #region platform flags\n\t// platform is defined as StringSlice, not StringArray, to allow specifying \"--platform=amd64,arm64\"\n\tcmd.Flags().StringSlice(\"platform\", []string{}, \"Export content for a specific platform\")\n\tcmd.RegisterFlagCompletionFunc(\"platform\", completion.Platforms)\n\tcmd.Flags().Bool(\"all-platforms\", false, \"Export content for all platforms\")\n\t// #endregion\n\n\treturn cmd\n}\n\nfunc saveOptions(cmd *cobra.Command) (types.ImageSaveOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ImageSaveOptions{}, err\n\t}\n\n\tallPlatforms, err := cmd.Flags().GetBool(\"all-platforms\")\n\tif err != nil {\n\t\treturn types.ImageSaveOptions{}, err\n\t}\n\tplatform, err := cmd.Flags().GetStringSlice(\"platform\")\n\tif err != nil {\n\t\treturn types.ImageSaveOptions{}, err\n\t}\n\n\treturn types.ImageSaveOptions{\n\t\tGOptions: globalOptions,\n\t\tAllPlatforms: allPlatforms,\n\t\tPlatform: platform,\n\t}, err\n}\n\nfunc saveAction(cmd *cobra.Command, args []string) error {\n\toptions, err := saveOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\toutput := cmd.OutOrStdout()\n\toutputPath, err := cmd.Flags().GetString(\"output\")\n\tif err != nil {\n\t\treturn err\n\t} else if outputPath != \"\" {\n\t\tf, err := os.OpenFile(outputPath, os.O_CREATE|os.O_WRONLY, 0644)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\toutput = f\n\t\tdefer f.Close()\n\t} else if out, ok := output.(*os.File); ok && isatty.IsTerminal(out.Fd()) {\n\t\treturn fmt.Errorf(\"cowardly refusing to save to a terminal. Use the -o flag or redirect\")\n\t}\n\toptions.Stdout = output\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\tif err = image.Save(ctx, client, args, options); err != nil && outputPath != \"\" {\n\t\tos.Remove(outputPath)\n\t}\n\treturn err\n}\n\nfunc saveShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t// show image names\n\treturn completion.ImageNames(cmd)\n}\n" }, { "path": "cmd/nerdctl/image/image_save_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"os\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\ttesthelpers \"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestSaveContent(t *testing.T) {\n\tnerdtest.Setup()\n\n\ttestCase := &test.Case{\n\t\t// FIXME: move to busybox for windows?\n\t\tRequire: require.Not(require.Windows),\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.CommonImage)\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"save\", \"-o\", filepath.Join(data.Temp().Path(), \"out.tar\"), testutil.CommonImage)\n\t\t},\n\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\treturn &test.Expected{\n\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\trootfsPath := filepath.Join(data.Temp().Path(), \"rootfs\")\n\t\t\t\t\terr := testhelpers.ExtractDockerArchive(filepath.Join(data.Temp().Path(), \"out.tar\"), rootfsPath)\n\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\tetcOSReleasePath := filepath.Join(rootfsPath, \"/etc/os-release\")\n\t\t\t\t\tetcOSReleaseBytes, err := os.ReadFile(etcOSReleasePath)\n\t\t\t\t\tassert.NilError(t, err)\n\t\t\t\t\tetcOSRelease := string(etcOSReleaseBytes)\n\t\t\t\t\tassert.Assert(t, strings.Contains(etcOSRelease, \"Alpine\"))\n\t\t\t\t},\n\t\t\t}\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestSave(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\t// This test relies on the fact that we can remove the common image, which definitely conflicts with others,\n\t// hence the private mode.\n\t// Further note though, that this will hide the fact this the save command could fail if some layers are missing.\n\t// See https://github.com/containerd/nerdctl/issues/3425 and others for details.\n\ttestCase.Require = nerdtest.Private\n\n\tif runtime.GOOS == \"windows\" {\n\t\ttestCase.Require = nerdtest.IsFlaky(\"https://github.com/containerd/nerdctl/issues/3524\")\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"Single image, by id\",\n\t\t\tNoParallel: true,\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tif data.Labels().Get(\"id\") != \"\" {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(\"id\"))\n\t\t\t\t}\n\t\t\t},\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.CommonImage)\n\t\t\t\timg := nerdtest.InspectImage(helpers, testutil.CommonImage)\n\t\t\t\tvar id string\n\t\t\t\t// Docker and Nerdctl do not agree on what is the definition of an image ID\n\t\t\t\tif nerdtest.IsDocker() {\n\t\t\t\t\tid = img.ID\n\t\t\t\t} else {\n\t\t\t\t\tid = strings.Split(img.RepoDigests[0], \":\")[1]\n\t\t\t\t}\n\t\t\t\ttarPath := filepath.Join(data.Temp().Path(), \"out.tar\")\n\t\t\t\thelpers.Ensure(\"save\", \"-o\", tarPath, id)\n\t\t\t\thelpers.Ensure(\"rmi\", \"-f\", testutil.CommonImage)\n\t\t\t\thelpers.Ensure(\"load\", \"-i\", tarPath)\n\t\t\t\tdata.Labels().Set(\"id\", id)\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Labels().Get(\"id\"), \"sh\", \"-euxc\", \"echo foo\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(\"foo\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"Image with different names, by id\",\n\t\t\tNoParallel: true,\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tif data.Labels().Get(\"id\") != \"\" {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(\"id\"))\n\t\t\t\t}\n\t\t\t},\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.CommonImage)\n\t\t\t\timg := nerdtest.InspectImage(helpers, testutil.CommonImage)\n\t\t\t\tvar id string\n\t\t\t\tif nerdtest.IsDocker() {\n\t\t\t\t\tid = img.ID\n\t\t\t\t} else {\n\t\t\t\t\tid = strings.Split(img.RepoDigests[0], \":\")[1]\n\t\t\t\t}\n\t\t\t\thelpers.Ensure(\"tag\", testutil.CommonImage, data.Identifier())\n\t\t\t\ttarPath := filepath.Join(data.Temp().Path(), \"out.tar\")\n\t\t\t\thelpers.Ensure(\"save\", \"-o\", tarPath, id)\n\t\t\t\thelpers.Ensure(\"rmi\", \"-f\", testutil.CommonImage)\n\t\t\t\thelpers.Ensure(\"load\", \"-i\", tarPath)\n\t\t\t\tdata.Labels().Set(\"id\", id)\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Labels().Get(\"id\"), \"sh\", \"-euxc\", \"echo foo\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(\"foo\\n\")),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\n// TestSaveMultipleImagesWithSameIDAndLoad tests https://github.com/containerd/nerdctl/issues/3806\nfunc TestSaveMultipleImagesWithSameIDAndLoad(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\t// This test relies on the fact that we can remove the common image, which definitely conflicts with others,\n\t// hence the private mode.\n\t// Further note though, that this will hide the fact this the save command could fail if some layers are missing.\n\t// See https://github.com/containerd/nerdctl/issues/3425 and others for details.\n\ttestCase.Require = nerdtest.Private\n\n\tif runtime.GOOS == \"windows\" {\n\t\ttestCase.Require = nerdtest.IsFlaky(\"https://github.com/containerd/nerdctl/issues/3524\")\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"Issue #3568 - Save multiple container images with the same image ID but different image names\",\n\t\t\tNoParallel: true,\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tif data.Labels().Get(\"id\") != \"\" {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(\"id\"))\n\t\t\t\t}\n\t\t\t},\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.CommonImage)\n\t\t\t\timg := nerdtest.InspectImage(helpers, testutil.CommonImage)\n\t\t\t\tvar id string\n\t\t\t\tif nerdtest.IsDocker() {\n\t\t\t\t\tid = img.ID\n\t\t\t\t} else {\n\t\t\t\t\tid = strings.Split(img.RepoDigests[0], \":\")[1]\n\t\t\t\t}\n\t\t\t\thelpers.Ensure(\"tag\", testutil.CommonImage, data.Identifier())\n\t\t\t\ttarPath := filepath.Join(data.Temp().Path(), \"out.tar\")\n\t\t\t\thelpers.Ensure(\"save\", \"-o\", tarPath, testutil.CommonImage, data.Identifier())\n\t\t\t\thelpers.Ensure(\"rmi\", \"-f\", id)\n\t\t\t\thelpers.Ensure(\"load\", \"-i\", tarPath)\n\t\t\t\tdata.Labels().Set(\"id\", id)\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"images\", \"--no-trunc\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tErrors: []error{},\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tassert.Equal(t, strings.Count(stdout, data.Labels().Get(\"id\")), 2)\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/image/image_tag.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/image\"\n)\n\nfunc TagCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"tag [flags] SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]\",\n\t\tShort: \"Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE\",\n\t\tArgs: helpers.IsExactArgs(2),\n\t\tRunE: tagAction,\n\t\tValidArgsFunction: tagShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\treturn cmd\n}\n\nfunc tagAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\toptions := types.ImageTagOptions{\n\t\tGOptions: globalOptions,\n\t\tSource: args[0],\n\t\tTarget: args[1],\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn image.Tag(ctx, client, options)\n}\n\nfunc tagShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\tif len(args) < 2 {\n\t\t// show image names\n\t\treturn completion.ImageNames(cmd)\n\t}\n\treturn nil, cobra.ShellCompDirectiveNoFileComp\n}\n" }, { "path": "cmd/nerdctl/image/image_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage image\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n)\n\nfunc TestMain(m *testing.M) {\n\ttestutil.M(m)\n}\n" }, { "path": "cmd/nerdctl/inspect/inspect.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage inspect\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/log\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\tcontainercmd \"github.com/containerd/nerdctl/v2/cmd/nerdctl/container\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\timagecmd \"github.com/containerd/nerdctl/v2/cmd/nerdctl/image\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/container\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/image\"\n\t\"github.com/containerd/nerdctl/v2/pkg/formatter\"\n\t\"github.com/containerd/nerdctl/v2/pkg/idutil/containerwalker\"\n\t\"github.com/containerd/nerdctl/v2/pkg/idutil/imagewalker\"\n)\n\nfunc Command() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"inspect\",\n\t\tShort: \"Return low-level information on objects.\",\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tRunE: inspectAction,\n\t\tValidArgsFunction: inspectShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\n\taddInspectFlags(cmd)\n\n\treturn cmd\n}\n\nvar validInspectType = map[string]bool{\n\t\"container\": true,\n\t\"image\": true,\n}\n\nfunc addInspectFlags(cmd *cobra.Command) {\n\tcmd.Flags().BoolP(\"size\", \"s\", false, \"Display total file sizes (for containers)\")\n\n\tcmd.Flags().StringP(\"format\", \"f\", \"\", \"Format the output using the given Go template, e.g, '{{json .}}'\")\n\tcmd.RegisterFlagCompletionFunc(\"format\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"json\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\tcmd.Flags().String(\"type\", \"\", \"Return JSON for specified type\")\n\tcmd.RegisterFlagCompletionFunc(\"type\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"image\", \"container\", \"\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\tcmd.Flags().String(\"mode\", \"dockercompat\", `Inspect mode, \"dockercompat\" for Docker-compatible output, \"native\" for containerd-native output`)\n\tcmd.RegisterFlagCompletionFunc(\"mode\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"dockercompat\", \"native\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n}\n\nfunc inspectAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tnamespace := globalOptions.Namespace\n\taddress := globalOptions.Address\n\tformat, err := cmd.Flags().GetString(\"format\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tinspectType, err := cmd.Flags().GetString(\"type\")\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif len(inspectType) > 0 && !validInspectType[inspectType] {\n\t\treturn fmt.Errorf(\"%q is not a valid value for --type\", inspectType)\n\t}\n\n\t// container and image inspect can share the same client, since no `platform`\n\t// flag will be passed for image inspect.\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), namespace, address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\timagewalker := &imagewalker.ImageWalker{\n\t\tClient: client,\n\t\tOnFound: func(ctx context.Context, found imagewalker.Found) error {\n\t\t\treturn nil\n\t\t},\n\t}\n\n\tcontainerwalker := &containerwalker.ContainerWalker{\n\t\tClient: client,\n\t\tOnFound: func(ctx context.Context, found containerwalker.Found) error {\n\t\t\treturn nil\n\t\t},\n\t}\n\n\tinspectImage := len(inspectType) == 0 || inspectType == \"image\"\n\tinspectContainer := len(inspectType) == 0 || inspectType == \"container\"\n\n\tvar imageInspectOptions types.ImageInspectOptions\n\tvar containerInspectOptions types.ContainerInspectOptions\n\tif inspectImage {\n\t\tplatform := \"\"\n\t\timageInspectOptions, err = imagecmd.InspectOptions(cmd, &platform)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tif inspectContainer {\n\t\tcontainerInspectOptions, err = containercmd.InspectOptions(cmd)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\tvar errs []error\n\tvar entries []interface{}\n\tfor _, req := range args {\n\t\tvar ni int\n\t\tvar nc int\n\n\t\tif inspectImage {\n\t\t\tni, err = imagewalker.Walk(ctx, req)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\tif inspectContainer {\n\t\t\tnc, err = containerwalker.Walk(ctx, req)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\n\t\tif ni == 0 && nc == 0 {\n\t\t\terrs = append(errs, fmt.Errorf(\"no such object %s\", req))\n\t\t} else if ni > 0 {\n\t\t\tif imageEntries, err := image.Inspect(ctx, client, []string{req}, imageInspectOptions); err != nil {\n\t\t\t\terrs = append(errs, err)\n\t\t\t} else {\n\t\t\t\tentries = append(entries, imageEntries...)\n\t\t\t}\n\t\t} else if nc > 0 {\n\t\t\tif containerEntries, err := container.Inspect(ctx, client, []string{req}, containerInspectOptions); err != nil {\n\t\t\t\terrs = append(errs, err)\n\t\t\t} else {\n\t\t\t\tentries = append(entries, containerEntries...)\n\t\t\t}\n\t\t}\n\t}\n\n\tif len(errs) > 0 {\n\t\treturn fmt.Errorf(\"%d errors: %v\", len(errs), errs)\n\t}\n\n\tif formatErr := formatter.FormatSlice(format, cmd.OutOrStdout(), entries); formatErr != nil {\n\t\tlog.G(ctx).Error(formatErr)\n\t}\n\n\treturn nil\n}\n\nfunc inspectShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t// show container names\n\tcontainers, _ := completion.ContainerNames(cmd, nil)\n\t// show image names\n\timages, _ := completion.ImageNames(cmd)\n\treturn append(containers, images...), cobra.ShellCompDirectiveNoFileComp\n}\n" }, { "path": "cmd/nerdctl/inspect/inspect_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage inspect\n\nimport (\n\t\"encoding/json\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/inspecttypes/dockercompat\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestMain(m *testing.M) {\n\ttestutil.M(m)\n}\n\nfunc TestInspectSimpleCase(t *testing.T) {\n\tnerdtest.Setup()\n\ttestCase := &test.Case{\n\t\tDescription: \"inspect container and image return one single json array\",\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tidentifier := data.Identifier()\n\t\t\thelpers.Ensure(\"run\", \"-d\", \"--quiet\", \"--name\", identifier, testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t},\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\tidentifier := data.Identifier()\n\t\t\thelpers.Anyhow(\"rm\", \"-f\", identifier)\n\t\t},\n\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\treturn helpers.Command(\"inspect\", testutil.CommonImage, data.Identifier())\n\t\t},\n\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\treturn &test.Expected{\n\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\tvar inspectResult []json.RawMessage\n\t\t\t\t\terr := json.Unmarshal([]byte(stdout), &inspectResult)\n\t\t\t\t\tassert.NilError(t, err, \"Unable to unmarshal output\\n\")\n\t\t\t\t\tassert.Equal(t, len(inspectResult), 2, \"Unexpectedly got multiple results\\n\")\n\n\t\t\t\t\tvar dci dockercompat.Image\n\t\t\t\t\terr = json.Unmarshal(inspectResult[0], &dci)\n\t\t\t\t\tassert.NilError(t, err, \"Unable to unmarshal output\\n\")\n\t\t\t\t\tinspecti := nerdtest.InspectImage(helpers, testutil.CommonImage)\n\t\t\t\t\tassert.Equal(t, dci.ID, inspecti.ID, \"id should match\\n\")\n\n\t\t\t\t\tvar dcc dockercompat.Container\n\t\t\t\t\terr = json.Unmarshal(inspectResult[1], &dcc)\n\t\t\t\t\tassert.NilError(t, err, \"Unable to unmarshal output\\n\")\n\t\t\t\t\tinspectc := nerdtest.InspectContainer(helpers, data.Identifier())\n\t\t\t\t\tassert.Equal(t, dcc.ID, inspectc.ID, \"id should match\\n\")\n\t\t\t\t},\n\t\t\t}\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/internal/internal.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage internal\n\nimport (\n\t\"github.com/spf13/cobra\"\n)\n\nfunc Command() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"internal\",\n\t\tShort: \"DO NOT EXECUTE MANUALLY\",\n\t\tHidden: true,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\n\tcmd.AddCommand(\n\t\tnewInternalOCIHookCommandCommand(),\n\t)\n\n\treturn cmd\n}\n" }, { "path": "cmd/nerdctl/internal/internal_oci_hook.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage internal\n\nimport (\n\t\"errors\"\n\t\"os\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/ocihook\"\n)\n\nfunc newInternalOCIHookCommandCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"oci-hook\",\n\t\tShort: \"OCI hook\",\n\t\tRunE: internalOCIHookAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\treturn cmd\n}\n\nfunc internalOCIHookAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tevent := \"\"\n\tif len(args) > 0 {\n\t\tevent = args[0]\n\t}\n\tif event == \"\" {\n\t\treturn errors.New(\"event type needs to be passed\")\n\t}\n\tdataStore, err := clientutil.DataStore(globalOptions.DataRoot, globalOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tcniPath := globalOptions.CNIPath\n\tcniNetconfpath := globalOptions.CNINetConfPath\n\tbridgeIP := globalOptions.BridgeIP\n\treturn ocihook.Run(os.Stdin, os.Stderr, event,\n\t\tdataStore,\n\t\tcniPath,\n\t\tcniNetconfpath,\n\t\tbridgeIP,\n\t)\n}\n" }, { "path": "cmd/nerdctl/ipfs/ipfs.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage ipfs\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n)\n\nfunc NewIPFSCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tAnnotations: map[string]string{helpers.Category: helpers.Management},\n\t\tUse: \"ipfs\",\n\t\tShort: \"Distributing images on IPFS\",\n\t\tRunE: helpers.UnknownSubcommandAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.AddCommand(\n\t\tnewIPFSRegistryCommand(),\n\t)\n\treturn cmd\n}\n" }, { "path": "cmd/nerdctl/ipfs/ipfs_compose_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage ipfs\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"strconv\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest/registry\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nettestutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/portlock\"\n)\n\nfunc TestIPFSCompNoBuild(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\tconst ipfsAddrKey = \"ipfsAddrKey\"\n\n\tvar ipfsRegistry *registry.Server\n\n\ttestCase.Require = require.All(\n\t\trequire.Linux,\n\t\trequire.Not(nerdtest.Docker),\n\t\tnerdtest.Registry,\n\t\tnerdtest.IPFS,\n\t\tnerdtest.IsFlaky(\"https://github.com/containerd/nerdctl/issues/3510\"),\n\t\t// See note below\n\t\t// nerdtest.Private,\n\t)\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\t// Start Kubo\n\t\tipfsRegistry = registry.NewKuboRegistry(data, helpers, t, nil, 0, nil)\n\t\tipfsRegistry.Setup(data, helpers)\n\t\tdata.Labels().Set(ipfsAddrKey, fmt.Sprintf(\"/ip4/%s/tcp/%d\", ipfsRegistry.IP, ipfsRegistry.Port))\n\n\t\t// Ensure we have the images\n\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.WordpressImage)\n\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.MariaDBImage)\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\tsubtestTestIPFSCompNoB(t, false, false),\n\t\tsubtestTestIPFSCompNoB(t, true, false),\n\t\tsubtestTestIPFSCompNoB(t, false, true),\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tif ipfsRegistry != nil {\n\t\t\tipfsRegistry.Cleanup(data, helpers)\n\t\t}\n\t\thelpers.Anyhow(\"rmi\", \"-f\", testutil.WordpressImage)\n\t\thelpers.Anyhow(\"rmi\", \"-f\", testutil.MariaDBImage)\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc subtestTestIPFSCompNoB(t *testing.T, stargz bool, byAddr bool) *test.Case {\n\tt.Helper()\n\n\tconst ipfsAddrKey = \"ipfsAddrKey\"\n\tconst mariaImageCIDKey = \"mariaImageCIDKey\"\n\tconst wordpressImageCIDKey = \"wordpressImageCIDKey\"\n\tconst composeExtraKey = \"composeExtraKey\"\n\n\ttestCase := &test.Case{}\n\n\ttestCase.Description += \"with\"\n\n\tif !stargz {\n\t\ttestCase.Description += \"-no\"\n\t}\n\ttestCase.Description += \"-stargz\"\n\n\tif !byAddr {\n\t\ttestCase.Description += \"-no\"\n\t}\n\ttestCase.Description += \"-byAddr\"\n\n\tif stargz {\n\t\ttestCase.Require = nerdtest.Stargz\n\t}\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tvar ipfsCIDWP, ipfsCIDMD string\n\t\tif stargz {\n\t\t\tipfsCIDWP = pushToIPFS(helpers, testutil.WordpressImage, \"--estargz\")\n\t\t\tipfsCIDMD = pushToIPFS(helpers, testutil.MariaDBImage, \"--estargz\")\n\t\t} else if byAddr {\n\t\t\tipfsCIDWP = pushToIPFS(helpers, testutil.WordpressImage, \"--ipfs-address=\"+data.Labels().Get(ipfsAddrKey))\n\t\t\tipfsCIDMD = pushToIPFS(helpers, testutil.MariaDBImage, \"--ipfs-address=\"+data.Labels().Get(ipfsAddrKey))\n\t\t\tdata.Labels().Set(composeExtraKey, \"--ipfs-address=\"+data.Labels().Get(ipfsAddrKey))\n\t\t} else {\n\t\t\tipfsCIDWP = pushToIPFS(helpers, testutil.WordpressImage)\n\t\t\tipfsCIDMD = pushToIPFS(helpers, testutil.MariaDBImage)\n\t\t}\n\t\tdata.Labels().Set(wordpressImageCIDKey, ipfsCIDWP)\n\t\tdata.Labels().Set(mariaImageCIDKey, ipfsCIDMD)\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\t// NOTE:\n\t\t// Removing these images locally forces tests to be sequentials (as IPFS being content addressable,\n\t\t// they have the same cid - except for the estargz version obviously)\n\t\t// Deliberately electing to not remove them here so that we can parallelize and cut down the running time\n\t\t/*\n\t\t\tif data.Labels().Get(mariaImageCIDKey) != \"\" {\n\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(mariaImageCIDKey))\n\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(wordpressImageCIDKey))\n\t\t\t}\n\t\t*/\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\tsafePort, err := portlock.Acquire(0)\n\t\tassert.NilError(helpers.T(), err)\n\t\tdata.Labels().Set(\"wordpressPort\", strconv.Itoa(safePort))\n\t\tcomposeUP(data, helpers, fmt.Sprintf(`\nversion: '3.1'\n\nservices:\n\n wordpress:\n image: ipfs://%s\n restart: always\n ports:\n - %d:80\n environment:\n WORDPRESS_DB_HOST: db\n WORDPRESS_DB_USER: exampleuser\n WORDPRESS_DB_PASSWORD: examplepass\n WORDPRESS_DB_NAME: exampledb\n # FIXME: this is flaky and will make the container fail on occasions\n volumes:\n - wordpress:/var/www/html\n\n db:\n image: ipfs://%s\n restart: always\n environment:\n MYSQL_DATABASE: exampledb\n MYSQL_USER: exampleuser\n MYSQL_PASSWORD: examplepass\n MYSQL_RANDOM_ROOT_PASSWORD: '1'\n volumes:\n - db:/var/lib/mysql\n\nvolumes:\n wordpress:\n db:\n`, data.Labels().Get(wordpressImageCIDKey), safePort, data.Labels().Get(mariaImageCIDKey)), data.Labels().Get(composeExtraKey))\n\t\t// FIXME: need to break down composeUP into testable commands instead\n\t\t// Right now, this is just a dummy placeholder\n\t\treturn helpers.Command(\"info\")\n\t}\n\n\ttestCase.Expected = test.Expects(0, nil, nil)\n\n\treturn testCase\n}\n\nfunc TestIPFSCompBuild(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\tvar ipfsServer test.TestableCommand\n\tvar comp *testutil.ComposeDir\n\n\tconst mainImageCIDKey = \"mainImageCIDKey\"\n\tsafePort, err := portlock.Acquire(0)\n\tassert.NilError(t, err)\n\tvar listenAddr = \"localhost:\" + strconv.Itoa(safePort)\n\n\ttestCase.Require = require.All(\n\t\t// Linux only\n\t\trequire.Linux,\n\t\t// Obviously not docker supported\n\t\trequire.Not(nerdtest.Docker),\n\t\tnerdtest.Build,\n\t\tnerdtest.IPFS,\n\t)\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\t// Get alpine\n\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.NginxAlpineImage)\n\t\t// Start a local ipfs backed registry\n\t\t// FIXME: this is bad and likely to collide with other tests\n\t\tipfsServer = helpers.Command(\"ipfs\", \"registry\", \"serve\", \"--listen-registry\", listenAddr)\n\t\t// This should not take longer than that\n\t\tipfsServer.WithTimeout(30 * time.Second)\n\t\tipfsServer.Background()\n\t\t// Apparently necessary to let it start...\n\t\ttime.Sleep(time.Second)\n\n\t\t// Save nginx to ipfs\n\t\tdata.Labels().Set(mainImageCIDKey, pushToIPFS(helpers, testutil.NginxAlpineImage))\n\n\t\tconst dockerComposeYAML = `\nservices:\n web:\n build: .\n ports:\n - 8081:80\n`\n\t\tdockerfile := fmt.Sprintf(`FROM %s/ipfs/%s\nCOPY index.html /usr/share/nginx/html/index.html\n`, listenAddr, data.Labels().Get(mainImageCIDKey))\n\n\t\tcomp = testutil.NewComposeDir(t, dockerComposeYAML)\n\t\tcomp.WriteFile(\"Dockerfile\", dockerfile)\n\t\tcomp.WriteFile(\"index.html\", data.Identifier(\"indexhtml\"))\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tif ipfsServer != nil {\n\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(mainImageCIDKey))\n\t\t\tipfsServer.Signal(os.Kill)\n\t\t}\n\t\tif comp != nil {\n\t\t\thelpers.Anyhow(\"compose\", \"-f\", comp.YAMLFullPath(), \"down\", \"-v\")\n\t\t\tcomp.CleanUp()\n\t\t}\n\t}\n\n\ttestCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\treturn helpers.Command(\"compose\", \"-f\", comp.YAMLFullPath(), \"up\", \"-d\", \"--build\")\n\t}\n\n\ttestCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\treturn &test.Expected{\n\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\tresp, err := nettestutil.HTTPGet(\"http://127.0.0.1:8081\", 5, false)\n\t\t\t\tassert.NilError(t, err)\n\t\t\t\trespBody, err := io.ReadAll(resp.Body)\n\t\t\t\tassert.NilError(t, err)\n\t\t\t\tt.Log(fmt.Sprintf(\"respBody=%q\", respBody))\n\t\t\t\tassert.Assert(t, strings.Contains(string(respBody), data.Identifier(\"indexhtml\")))\n\t\t\t},\n\t\t}\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc composeUP(data test.Data, helpers test.Helpers, dockerComposeYAML string, opts string) {\n\tcomp := testutil.NewComposeDir(helpers.T(), dockerComposeYAML)\n\t// defer comp.CleanUp()\n\n\t// Because it might or might not happen, and\n\thelpers.Anyhow(\"compose\", \"-f\", comp.YAMLFullPath(), \"down\", \"-v\")\n\tdefer helpers.Anyhow(\"compose\", \"-f\", comp.YAMLFullPath(), \"down\", \"-v\")\n\n\tprojectName := comp.ProjectName()\n\n\targs := []string{\"compose\", \"-f\", comp.YAMLFullPath()}\n\tif opts != \"\" {\n\t\targs = append(args, opts)\n\t}\n\n\thelpers.Ensure(append(args, \"up\", \"--quiet-pull\", \"-d\")...)\n\n\thelpers.Ensure(\"volume\", \"inspect\", fmt.Sprintf(\"%s_db\", projectName))\n\thelpers.Ensure(\"network\", \"inspect\", fmt.Sprintf(\"%s_default\", projectName))\n\n\tcheckWordpress := func() error {\n\t\t// FIXME: see other notes on using the same port repeatedly\n\t\tresp, err := nettestutil.HTTPGet(\"http://127.0.0.1:\"+data.Labels().Get(\"wordpressPort\"), 5, false)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trespBody, err := io.ReadAll(resp.Body)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif !strings.Contains(string(respBody), testutil.WordpressIndexHTMLSnippet) {\n\t\t\treturn fmt.Errorf(\"respBody does not contain %q (%s)\", testutil.WordpressIndexHTMLSnippet, string(respBody))\n\t\t}\n\t\treturn nil\n\t}\n\n\tvar wordpressWorking bool\n\tvar err error\n\t// 15 seconds is long enough\n\tfor i := 0; i < 5; i++ {\n\t\terr = checkWordpress()\n\t\tif err == nil {\n\t\t\twordpressWorking = true\n\t\t\tbreak\n\t\t}\n\t\ttime.Sleep(3 * time.Second)\n\t}\n\n\tif !wordpressWorking {\n\t\tccc := helpers.Capture(\"ps\", \"-a\")\n\t\thelpers.T().Log(ccc)\n\t\thelpers.T().Log(helpers.Err(\"logs\", projectName+\"-wordpress-1\"))\n\t\thelpers.T().Log(fmt.Sprintf(\"wordpress is not working %v\", err))\n\t\thelpers.T().FailNow()\n\t}\n\n\thelpers.Ensure(\"compose\", \"-f\", comp.YAMLFullPath(), \"down\", \"-v\")\n\thelpers.Fail(\"volume\", \"inspect\", fmt.Sprintf(\"%s_db\", projectName))\n\thelpers.Fail(\"network\", \"inspect\", fmt.Sprintf(\"%s_default\", projectName))\n}\n" }, { "path": "cmd/nerdctl/ipfs/ipfs_kubo_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage ipfs\n\nimport (\n\t\"fmt\"\n\t\"regexp\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest/registry\"\n)\n\nfunc TestIPFSAddrWithKubo(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\tconst mainImageCIDKey = \"mainImagemainImageCIDKey\"\n\tconst ipfsAddrKey = \"ipfsAddrKey\"\n\n\tvar ipfsRegistry *registry.Server\n\n\ttestCase.Require = require.All(\n\t\trequire.Linux,\n\t\trequire.Not(nerdtest.Docker),\n\t\tnerdtest.Registry,\n\t\tnerdtest.Private,\n\t)\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.CommonImage)\n\n\t\tipfsRegistry = registry.NewKuboRegistry(data, helpers, t, nil, 0, nil)\n\t\tipfsRegistry.Setup(data, helpers)\n\t\tipfsAddr := fmt.Sprintf(\"/ip4/%s/tcp/%d\", ipfsRegistry.IP, ipfsRegistry.Port)\n\t\tdata.Labels().Set(ipfsAddrKey, ipfsAddr)\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tif ipfsRegistry != nil {\n\t\t\tipfsRegistry.Cleanup(data, helpers)\n\t\t}\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"with default snapshotter\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tipfsCID := pushToIPFS(helpers, testutil.CommonImage, fmt.Sprintf(\"--ipfs-address=%s\", data.Labels().Get(ipfsAddrKey)))\n\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", \"--ipfs-address\", data.Labels().Get(ipfsAddrKey), \"ipfs://\"+ipfsCID)\n\t\t\t\tdata.Labels().Set(mainImageCIDKey, ipfsCID)\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tif data.Labels().Get(mainImageCIDKey) != \"\" {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(mainImageCIDKey))\n\t\t\t\t}\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Labels().Get(mainImageCIDKey), \"echo\", \"hello\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(\"hello\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"with stargz snapshotter\",\n\t\t\tNoParallel: true,\n\t\t\tRequire: require.All(\n\t\t\t\tnerdtest.Stargz,\n\t\t\t\tnerdtest.Private,\n\t\t\t\tnerdtest.NerdctlNeedsFixing(\"https://github.com/containerd/nerdctl/issues/3475\"),\n\t\t\t),\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tipfsCID := pushToIPFS(helpers, testutil.CommonImage, fmt.Sprintf(\"--ipfs-address=%s\", data.Labels().Get(ipfsAddrKey)), \"--estargz\")\n\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", \"--ipfs-address\", data.Labels().Get(ipfsAddrKey), \"ipfs://\"+ipfsCID)\n\t\t\t\tdata.Labels().Set(mainImageCIDKey, ipfsCID)\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tif data.Labels().Get(mainImageCIDKey) != \"\" {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(mainImageCIDKey))\n\t\t\t\t}\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Labels().Get(mainImageCIDKey), \"ls\", \"/.stargz-snapshotter\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Match(regexp.MustCompile(\"sha256:.*[.]json[\\n]\"))),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/ipfs/ipfs_registry.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage ipfs\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n)\n\nfunc newIPFSRegistryCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tAnnotations: map[string]string{helpers.Category: helpers.Management},\n\t\tUse: \"registry\",\n\t\tShort: \"Manage read-only registry backed by IPFS\",\n\t\tPreRunE: helpers.CheckExperimental(\"ipfs\"),\n\t\tRunE: helpers.UnknownSubcommandAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.AddCommand(\n\t\tnewIPFSRegistryServeCommand(),\n\t)\n\treturn cmd\n}\n" }, { "path": "cmd/nerdctl/ipfs/ipfs_registry_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage ipfs\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"regexp\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc pushToIPFS(helpers test.Helpers, name string, opts ...string) string {\n\tvar ipfsCID string\n\tcmd := helpers.Command(\"push\", \"ipfs://\"+name)\n\tcmd.WithArgs(opts...)\n\tcmd.Run(&test.Expected{\n\t\tOutput: func(stdout string, t tig.T) {\n\t\t\tlines := strings.Split(stdout, \"\\n\")\n\t\t\tassert.Equal(t, len(lines) >= 2, true)\n\t\t\tipfsCID = lines[len(lines)-2]\n\t\t},\n\t})\n\treturn ipfsCID\n}\n\nfunc TestIPFSNerdctlRegistry(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\t// FIXME: this is bad and likely to collide with other tests\n\tconst listenAddr = \"localhost:5555\"\n\n\tconst ipfsImageURLKey = \"ipfsImageURLKey\"\n\n\tvar ipfsServer test.TestableCommand\n\n\ttestCase.Require = require.All(\n\t\trequire.Linux,\n\t\trequire.Not(nerdtest.Docker),\n\t\tnerdtest.IPFS,\n\t)\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.CommonImage)\n\n\t\t// Start a local ipfs backed registry\n\t\tipfsServer = helpers.Command(\"ipfs\", \"registry\", \"serve\", \"--listen-registry\", listenAddr)\n\t\t// This should not take longer than that\n\t\tipfsServer.WithTimeout(30 * time.Second)\n\t\tipfsServer.Background()\n\t\t// Apparently necessary to let it start...\n\t\ttime.Sleep(time.Second)\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tif ipfsServer != nil {\n\t\t\t// Close the server once done\n\t\t\tipfsServer.Signal(os.Kill)\n\t\t}\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"with default snapshotter\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tdata.Labels().Set(ipfsImageURLKey, listenAddr+\"/ipfs/\"+pushToIPFS(helpers, testutil.CommonImage))\n\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", data.Labels().Get(ipfsImageURLKey))\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tif data.Labels().Get(ipfsImageURLKey) != \"\" {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(ipfsImageURLKey))\n\t\t\t\t}\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Labels().Get(ipfsImageURLKey), \"echo\", \"hello\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(\"hello\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"with stargz snapshotterr\",\n\t\t\tNoParallel: true,\n\t\t\tRequire: nerdtest.Stargz,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tdata.Labels().Set(ipfsImageURLKey, listenAddr+\"/ipfs/\"+pushToIPFS(helpers, testutil.CommonImage, \"--estargz\"))\n\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", data.Labels().Get(ipfsImageURLKey))\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tif data.Labels().Get(ipfsImageURLKey) != \"\" {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(ipfsImageURLKey))\n\t\t\t\t}\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Labels().Get(ipfsImageURLKey), \"ls\", \"/.stargz-snapshotter\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Match(regexp.MustCompile(\"sha256:.*[.]json[\\n]\"))),\n\t\t},\n\t\t{\n\t\t\tDescription: \"with build\",\n\t\t\tNoParallel: true,\n\t\t\tRequire: nerdtest.Build,\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier(\"built-image\"))\n\t\t\t\tif data.Labels().Get(ipfsImageURLKey) != \"\" {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(ipfsImageURLKey))\n\t\t\t\t}\n\t\t\t},\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tdata.Labels().Set(ipfsImageURLKey, listenAddr+\"/ipfs/\"+pushToIPFS(helpers, testutil.CommonImage))\n\n\t\t\t\tdockerfile := fmt.Sprintf(`FROM %s\nCMD [\"echo\", \"nerdctl-build-test-string\"]\n\t`, data.Labels().Get(ipfsImageURLKey))\n\n\t\t\t\tbuildCtx := data.Temp().Path()\n\t\t\t\tdata.Temp().Save(dockerfile, \"Dockerfile\")\n\n\t\t\t\thelpers.Ensure(\"build\", \"-t\", data.Identifier(\"built-image\"), buildCtx)\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Identifier(\"built-image\"))\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(\"nerdctl-build-test-string\\n\")),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/ipfs/ipfs_registry_serve.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage ipfs\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/ipfs\"\n)\n\nconst (\n\tdefaultIPFSRegistry = \"localhost:5050\"\n\tdefaultIPFSReadRetryNum = 0\n\tdefaultIPFSReadTimeoutDuration = 0\n)\n\nfunc newIPFSRegistryServeCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"serve\",\n\t\tShort: \"serve read-only registry backed by IPFS on localhost.\",\n\t\tRunE: ipfsRegistryServeAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\n\thelpers.AddStringFlag(cmd, \"listen-registry\", nil, defaultIPFSRegistry, \"IPFS_REGISTRY_SERVE_LISTEN_REGISTRY\", \"address to listen\")\n\thelpers.AddStringFlag(cmd, \"ipfs-address\", nil, \"\", \"IPFS_REGISTRY_SERVE_IPFS_ADDRESS\", \"multiaddr of IPFS API (default is pulled from $IPFS_PATH/api file. If $IPFS_PATH env var is not present, it defaults to ~/.ipfs)\")\n\thelpers.AddIntFlag(cmd, \"read-retry-num\", nil, defaultIPFSReadRetryNum, \"IPFS_REGISTRY_SERVE_READ_RETRY_NUM\", \"times to retry query on IPFS. Zero or lower means no retry.\")\n\thelpers.AddDurationFlag(cmd, \"read-timeout\", nil, defaultIPFSReadTimeoutDuration, \"IPFS_REGISTRY_SERVE_READ_TIMEOUT\", \"timeout duration of a read request to IPFS. Zero means no timeout.\")\n\n\treturn cmd\n}\n\nfunc processIPFSRegistryServeOptions(cmd *cobra.Command) (opts types.IPFSRegistryServeOptions, err error) {\n\tipfsAddressStr, err := cmd.Flags().GetString(\"ipfs-address\")\n\tif err != nil {\n\t\treturn types.IPFSRegistryServeOptions{}, err\n\t}\n\tlistenAddress, err := cmd.Flags().GetString(\"listen-registry\")\n\tif err != nil {\n\t\treturn types.IPFSRegistryServeOptions{}, err\n\t}\n\treadTimeout, err := cmd.Flags().GetDuration(\"read-timeout\")\n\tif err != nil {\n\t\treturn types.IPFSRegistryServeOptions{}, err\n\t}\n\treadRetryNum, err := cmd.Flags().GetInt(\"read-retry-num\")\n\tif err != nil {\n\t\treturn types.IPFSRegistryServeOptions{}, err\n\t}\n\treturn types.IPFSRegistryServeOptions{\n\t\tListenRegistry: listenAddress,\n\t\tIPFSAddress: ipfsAddressStr,\n\t\tReadTimeout: readTimeout,\n\t\tReadRetryNum: readRetryNum,\n\t}, nil\n}\n\nfunc ipfsRegistryServeAction(cmd *cobra.Command, args []string) error {\n\toptions, err := processIPFSRegistryServeOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn ipfs.RegistryServe(options)\n}\n" }, { "path": "cmd/nerdctl/ipfs/ipfs_simple_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage ipfs\n\nimport (\n\t\"regexp\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestIPFSSimple(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\tconst mainImageCIDKey = \"mainImageCIDKey\"\n\tconst transformedImageCIDKey = \"transformedImageCIDKey\"\n\n\ttestCase.Require = require.All(\n\t\trequire.Linux,\n\t\trequire.Not(nerdtest.Docker),\n\t\tnerdtest.IPFS,\n\t\t// We constantly rmi the image by its CID which is shared across tests, so, we make this group private\n\t\t// and every subtest NoParallel\n\t\tnerdtest.Private,\n\t)\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"pull\", \"--quiet\", testutil.CommonImage)\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"with default snapshotter\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tdata.Labels().Set(mainImageCIDKey, pushToIPFS(helpers, testutil.CommonImage))\n\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", \"ipfs://\"+data.Labels().Get(mainImageCIDKey))\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tif data.Labels().Get(mainImageCIDKey) != \"\" {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(mainImageCIDKey))\n\t\t\t\t}\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Labels().Get(mainImageCIDKey), \"echo\", \"hello\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(\"hello\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"with stargz snapshotter\",\n\t\t\tNoParallel: true,\n\t\t\tRequire: require.All(\n\t\t\t\tnerdtest.Stargz,\n\t\t\t\tnerdtest.NerdctlNeedsFixing(\"https://github.com/containerd/nerdctl/issues/3475\"),\n\t\t\t),\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tdata.Labels().Set(mainImageCIDKey, pushToIPFS(helpers, testutil.CommonImage, \"--estargz\"))\n\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", \"ipfs://\"+data.Labels().Get(mainImageCIDKey))\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tif data.Labels().Get(mainImageCIDKey) != \"\" {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(mainImageCIDKey))\n\t\t\t\t}\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Labels().Get(mainImageCIDKey), \"ls\", \"/.stargz-snapshotter\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Match(regexp.MustCompile(\"sha256:.*[.]json[\\n]\"))),\n\t\t},\n\t\t{\n\t\t\tDescription: \"with commit and push\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tdata.Labels().Set(mainImageCIDKey, pushToIPFS(helpers, testutil.CommonImage))\n\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", \"ipfs://\"+data.Labels().Get(mainImageCIDKey))\n\n\t\t\t\t// Run a container that does modify something, then commit and push it\n\t\t\t\thelpers.Ensure(\"run\", \"--name\", data.Identifier(\"commit-container\"), data.Labels().Get(mainImageCIDKey), \"sh\", \"-c\", \"--\", \"echo hello > /hello\")\n\t\t\t\thelpers.Ensure(\"commit\", data.Identifier(\"commit-container\"), data.Identifier(\"commit-image\"))\n\t\t\t\tdata.Labels().Set(transformedImageCIDKey, pushToIPFS(helpers, data.Identifier(\"commit-image\")))\n\n\t\t\t\t// Clean-up\n\t\t\t\thelpers.Ensure(\"rm\", data.Identifier(\"commit-container\"))\n\t\t\t\thelpers.Ensure(\"rmi\", data.Identifier(\"commit-image\"))\n\n\t\t\t\t// Pull back the committed image\n\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", \"ipfs://\"+data.Labels().Get(transformedImageCIDKey))\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"commit-container\"))\n\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier(\"commit-image\"))\n\t\t\t\tif data.Labels().Get(mainImageCIDKey) != \"\" {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(mainImageCIDKey))\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(transformedImageCIDKey))\n\t\t\t\t}\n\t\t\t},\n\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Labels().Get(transformedImageCIDKey), \"cat\", \"/hello\")\n\t\t\t},\n\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(\"hello\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"with commit and push, stargz lazy pulling\",\n\t\t\tNoParallel: true,\n\t\t\tRequire: require.All(\n\t\t\t\tnerdtest.Stargz,\n\t\t\t\tnerdtest.NerdctlNeedsFixing(\"https://github.com/containerd/nerdctl/issues/3475\"),\n\t\t\t),\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tdata.Labels().Set(mainImageCIDKey, pushToIPFS(helpers, testutil.CommonImage, \"--estargz\"))\n\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", \"ipfs://\"+data.Labels().Get(mainImageCIDKey))\n\n\t\t\t\t// Run a container that does modify something, then commit and push it\n\t\t\t\thelpers.Ensure(\"run\", \"--name\", data.Identifier(\"commit-container\"), data.Labels().Get(mainImageCIDKey), \"sh\", \"-c\", \"--\", \"echo hello > /hello\")\n\t\t\t\thelpers.Ensure(\"commit\", data.Identifier(\"commit-container\"), data.Identifier(\"commit-image\"))\n\t\t\t\tdata.Labels().Set(transformedImageCIDKey, pushToIPFS(helpers, data.Identifier(\"commit-image\")))\n\n\t\t\t\t// Clean-up\n\t\t\t\thelpers.Ensure(\"rm\", data.Identifier(\"commit-container\"))\n\t\t\t\thelpers.Ensure(\"rmi\", data.Identifier(\"commit-image\"))\n\n\t\t\t\t// Pull back the image\n\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", \"ipfs://\"+data.Labels().Get(transformedImageCIDKey))\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"commit-container\"))\n\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier(\"commit-image\"))\n\t\t\t\tif data.Labels().Get(mainImageCIDKey) != \"\" {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(mainImageCIDKey))\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(transformedImageCIDKey))\n\t\t\t\t}\n\t\t\t},\n\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"run\", \"--rm\", data.Labels().Get(transformedImageCIDKey), \"sh\", \"-c\", \"--\", \"cat /hello && ls /.stargz-snapshotter\")\n\t\t\t},\n\n\t\t\tExpected: test.Expects(0, nil, expect.Match(regexp.MustCompile(\"hello[\\n]sha256:.*[.]json[\\n]\"))),\n\t\t},\n\t\t{\n\t\t\tDescription: \"with encryption\",\n\t\t\tNoParallel: true,\n\t\t\tRequire: require.Binary(\"openssl\"),\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tdata.Labels().Set(mainImageCIDKey, pushToIPFS(helpers, testutil.CommonImage))\n\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", \"ipfs://\"+data.Labels().Get(mainImageCIDKey))\n\n\t\t\t\t// Prep a key pair\n\t\t\t\tpri, pub := nerdtest.GenerateJWEKeyPair(data, helpers)\n\t\t\t\tdata.Labels().Set(\"prv\", pri)\n\t\t\t\tdata.Labels().Set(\"pub\", pub)\n\n\t\t\t\t// Encrypt the image, and verify it is encrypted\n\t\t\t\thelpers.Ensure(\"image\", \"encrypt\", \"--recipient=jwe:\"+pub, data.Labels().Get(mainImageCIDKey), data.Identifier(\"encrypted\"))\n\t\t\t\tcmd := helpers.Command(\"image\", \"inspect\", \"--mode=native\", \"--format={{len .Index.Manifests}}\", data.Identifier(\"encrypted\"))\n\t\t\t\tcmd.Run(&test.Expected{\n\t\t\t\t\tOutput: expect.Equals(\"1\\n\"),\n\t\t\t\t})\n\t\t\t\tcmd = helpers.Command(\"image\", \"inspect\", \"--mode=native\", \"--format={{json (index .Manifest.Layers 0) }}\", data.Identifier(\"encrypted\"))\n\t\t\t\tcmd.Run(&test.Expected{\n\t\t\t\t\tOutput: expect.Contains(\"org.opencontainers.image.enc.keys.jwe\"),\n\t\t\t\t})\n\n\t\t\t\t// Push the encrypted image and save the CID\n\t\t\t\tdata.Labels().Set(transformedImageCIDKey, pushToIPFS(helpers, data.Identifier(\"encrypted\")))\n\n\t\t\t\t// Remove both images locally\n\t\t\t\thelpers.Ensure(\"rmi\", \"-f\", data.Labels().Get(mainImageCIDKey))\n\t\t\t\thelpers.Ensure(\"rmi\", \"-f\", data.Labels().Get(transformedImageCIDKey))\n\n\t\t\t\t// Pull back without unpacking\n\t\t\t\thelpers.Ensure(\"pull\", \"--quiet\", \"--unpack=false\", \"ipfs://\"+data.Labels().Get(transformedImageCIDKey))\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tif data.Labels().Get(mainImageCIDKey) != \"\" {\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(mainImageCIDKey))\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Labels().Get(transformedImageCIDKey))\n\t\t\t\t}\n\t\t\t},\n\t\t\tSubTests: []*test.Case{\n\t\t\t\t{\n\t\t\t\t\tDescription: \"decrypt with pub key does not work\",\n\t\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"decrypted\"))\n\t\t\t\t\t},\n\t\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\t\treturn helpers.Command(\"image\", \"decrypt\", \"--key=\"+data.Labels().Get(\"pub\"), data.Labels().Get(transformedImageCIDKey), data.Identifier(\"decrypted\"))\n\t\t\t\t\t},\n\t\t\t\t\tExpected: test.Expects(1, nil, nil),\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tDescription: \"decrypt with priv key does work\",\n\t\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"decrypted\"))\n\t\t\t\t\t},\n\t\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\t\treturn helpers.Command(\"image\", \"decrypt\", \"--key=\"+data.Labels().Get(\"prv\"), data.Labels().Get(transformedImageCIDKey), data.Identifier(\"decrypted\"))\n\t\t\t\t\t},\n\t\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/ipfs/ipfs_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage ipfs\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n)\n\nfunc TestMain(m *testing.M) {\n\ttestutil.M(m)\n}\n" }, { "path": "cmd/nerdctl/issues/issues_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\n// Package issues is meant to document testing for complex scenarios type of issues that cannot simply be ascribed\n// to a specific package.\npackage issues\n\nimport (\n\t\"fmt\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest/registry\"\n)\n\nfunc TestIssue3425(t *testing.T) {\n\tnerdtest.Setup()\n\n\tvar reg *registry.Server\n\n\ttestCase := &test.Case{\n\t\tRequire: nerdtest.Registry,\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\treg = nerdtest.RegistryWithNoAuth(data, helpers, 0, false)\n\t\t\treg.Setup(data, helpers)\n\t\t},\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\tif reg != nil {\n\t\t\t\treg.Cleanup(data, helpers)\n\t\t\t}\n\t\t},\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"with tag\",\n\t\t\t\tRequire: nerdtest.Private,\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\tidentifier := data.Identifier()\n\t\t\t\t\thelpers.Ensure(\"image\", \"pull\", \"--quiet\", testutil.CommonImage)\n\t\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", identifier, testutil.CommonImage)\n\t\t\t\t\thelpers.Ensure(\"image\", \"rm\", \"-f\", testutil.CommonImage)\n\t\t\t\t\thelpers.Ensure(\"image\", \"pull\", \"--quiet\", testutil.CommonImage)\n\t\t\t\t\thelpers.Ensure(\"tag\", testutil.CommonImage, fmt.Sprintf(\"localhost:%d/%s\", reg.Port, identifier))\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\tidentifier := data.Identifier()\n\t\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", identifier)\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", fmt.Sprintf(\"localhost:%d/%s\", reg.Port, identifier))\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"push\", fmt.Sprintf(\"localhost:%d/%s\", reg.Port, data.Identifier()))\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"with commit\",\n\t\t\t\tRequire: nerdtest.Private,\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\tidentifier := data.Identifier()\n\t\t\t\t\thelpers.Ensure(\"image\", \"pull\", \"--quiet\", testutil.CommonImage)\n\t\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", identifier, testutil.CommonImage, \"touch\", \"/something\")\n\t\t\t\t\thelpers.Ensure(\"image\", \"rm\", \"-f\", testutil.CommonImage)\n\t\t\t\t\thelpers.Ensure(\"image\", \"pull\", \"--quiet\", testutil.CommonImage)\n\t\t\t\t\thelpers.Ensure(\"commit\", identifier, fmt.Sprintf(\"localhost:%d/%s\", reg.Port, identifier))\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", fmt.Sprintf(\"localhost:%d/%s\", reg.Port, data.Identifier()))\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"push\", fmt.Sprintf(\"localhost:%d/%s\", reg.Port, data.Identifier()))\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"with save\",\n\t\t\t\tRequire: nerdtest.Private,\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\"image\", \"pull\", \"--quiet\", testutil.CommonImage)\n\t\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(), testutil.CommonImage)\n\t\t\t\t\thelpers.Ensure(\"image\", \"rm\", \"-f\", testutil.CommonImage)\n\t\t\t\t\thelpers.Ensure(\"image\", \"pull\", \"--quiet\", testutil.CommonImage)\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"save\", testutil.CommonImage)\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"with convert\",\n\t\t\t\tRequire: require.All(\n\t\t\t\t\tnerdtest.Private,\n\t\t\t\t\trequire.Not(require.Windows),\n\t\t\t\t\trequire.Not(nerdtest.Docker),\n\t\t\t\t),\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\"image\", \"pull\", \"--quiet\", testutil.CommonImage)\n\t\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(), testutil.CommonImage)\n\t\t\t\t\thelpers.Ensure(\"image\", \"rm\", \"-f\", testutil.CommonImage)\n\t\t\t\t\thelpers.Ensure(\"image\", \"pull\", \"--quiet\", testutil.CommonImage)\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"image\", \"convert\", \"--oci\", \"--estargz\", testutil.CommonImage, data.Identifier())\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"with ipfs\",\n\t\t\t\tRequire: require.All(\n\t\t\t\t\tnerdtest.Private,\n\t\t\t\t\tnerdtest.IPFS,\n\t\t\t\t\trequire.Not(require.Windows),\n\t\t\t\t\trequire.Not(nerdtest.Docker),\n\t\t\t\t),\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Ensure(\"image\", \"pull\", \"--quiet\", testutil.CommonImage)\n\t\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(), testutil.CommonImage)\n\t\t\t\t\thelpers.Ensure(\"image\", \"rm\", \"-f\", testutil.CommonImage)\n\t\t\t\t\thelpers.Ensure(\"image\", \"pull\", \"--quiet\", testutil.CommonImage)\n\t\t\t\t},\n\t\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\t\thelpers.Anyhow(\"rmi\", \"-f\", data.Identifier())\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\treturn helpers.Command(\"image\", \"push\", \"ipfs://\"+testutil.CommonImage)\n\t\t\t\t},\n\t\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/issues/main_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage issues\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestMain(m *testing.M) {\n\ttestutil.M(m)\n}\n\n// TestIssue108 tests https://github.com/containerd/nerdctl/issues/108\n// (\"`nerdctl run --net=host -it` fails while `nerdctl run -it --net=host` works\")\nfunc TestIssue108(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"-it --net=host\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcmd := helpers.Command(\"run\", \"--quiet\", \"-it\", \"--rm\", \"--net=host\", testutil.CommonImage, \"echo\", \"this was always working\")\n\t\t\t\tcmd.WithPseudoTTY()\n\t\t\t\treturn cmd\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(\"this was always working\\r\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"--net=host -it\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcmd := helpers.Command(\"run\", \"--quiet\", \"--rm\", \"--net=host\", \"-it\", testutil.CommonImage, \"echo\", \"this was not working due to issue #108\")\n\t\t\t\tcmd.WithPseudoTTY()\n\t\t\t\treturn cmd\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(\"this was not working due to issue #108\\r\\n\")),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/login/login.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage login\n\nimport (\n\t\"errors\"\n\t\"io\"\n\t\"strings\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/log\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/login\"\n)\n\nfunc Command() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"login [flags] [SERVER]\",\n\t\tArgs: cobra.MaximumNArgs(1),\n\t\tShort: \"Log in to a container registry\",\n\t\tRunE: loginAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().StringP(\"username\", \"u\", \"\", \"Username\")\n\tcmd.Flags().StringP(\"password\", \"p\", \"\", \"Password\")\n\tcmd.Flags().Bool(\"password-stdin\", false, \"Take the password from stdin\")\n\treturn cmd\n}\n\nfunc loginOptions(cmd *cobra.Command) (types.LoginCommandOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.LoginCommandOptions{}, err\n\t}\n\n\tusername, err := cmd.Flags().GetString(\"username\")\n\tif err != nil {\n\t\treturn types.LoginCommandOptions{}, err\n\t}\n\tpassword, err := cmd.Flags().GetString(\"password\")\n\tif err != nil {\n\t\treturn types.LoginCommandOptions{}, err\n\t}\n\tpasswordStdin, err := cmd.Flags().GetBool(\"password-stdin\")\n\tif err != nil {\n\t\treturn types.LoginCommandOptions{}, err\n\t}\n\n\tif strings.Contains(username, \":\") {\n\t\treturn types.LoginCommandOptions{}, errors.New(\"username cannot contain colons\")\n\t}\n\n\tif password != \"\" {\n\t\tlog.L.Warn(\"WARNING! Using --password via the CLI is insecure. Use --password-stdin.\")\n\t\tif passwordStdin {\n\t\t\treturn types.LoginCommandOptions{}, errors.New(\"--password and --password-stdin are mutually exclusive\")\n\t\t}\n\t}\n\n\tif passwordStdin {\n\t\tif username == \"\" {\n\t\t\treturn types.LoginCommandOptions{}, errors.New(\"must provide --username with --password-stdin\")\n\t\t}\n\n\t\tcontents, err := io.ReadAll(cmd.InOrStdin())\n\t\tif err != nil {\n\t\t\treturn types.LoginCommandOptions{}, err\n\t\t}\n\n\t\tpassword = strings.TrimSuffix(string(contents), \"\\n\")\n\t\tpassword = strings.TrimSuffix(password, \"\\r\")\n\t}\n\treturn types.LoginCommandOptions{\n\t\tGOptions: globalOptions,\n\t\tUsername: username,\n\t\tPassword: password,\n\t}, nil\n}\n\nfunc loginAction(cmd *cobra.Command, args []string) error {\n\toptions, err := loginOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif len(args) == 1 {\n\t\toptions.ServerAddress = args[0]\n\t}\n\n\treturn login.Login(cmd.Context(), options, cmd.OutOrStdout())\n}\n" }, { "path": "cmd/nerdctl/login/login_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\n// https://docs.docker.com/reference/cli/dockerd/#insecure-registries\n// Local registries, whose IP address falls in the 127.0.0.0/8 range, are automatically marked as insecure as of Docker 1.3.2.\n// It isn't recommended to rely on this, as it may change in the future.\n// \"--insecure\" means that either the certificates are untrusted, or that the protocol is plain http\npackage login\n\nimport (\n\t\"fmt\"\n\t\"net\"\n\t\"os\"\n\t\"strconv\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/icmd\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/utils\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/imgutil/dockerconfigresolver\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/testca\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/testregistry\"\n)\n\ntype Client struct {\n\targs []string\n\tconfigPath string\n}\n\nfunc (ag *Client) WithInsecure(value bool) *Client {\n\tag.args = append(ag.args, \"--insecure-registry=\"+strconv.FormatBool(value))\n\treturn ag\n}\n\nfunc (ag *Client) WithHostsDir(hostDirs string) *Client {\n\tag.args = append(ag.args, \"--hosts-dir\", hostDirs)\n\treturn ag\n}\n\nfunc (ag *Client) WithCredentials(username, password string) *Client {\n\tif username != \"\" {\n\t\tag.args = append(ag.args, \"--username\", username)\n\t}\n\tif password != \"\" {\n\t\tag.args = append(ag.args, \"--password\", password)\n\t}\n\treturn ag\n}\n\nfunc (ag *Client) WithConfigPath(value string) *Client {\n\tag.configPath = value\n\treturn ag\n}\n\nfunc (ag *Client) GetConfigPath() string {\n\treturn ag.configPath\n}\n\nfunc (ag *Client) Run(base *testutil.Base, host string) *testutil.Cmd {\n\tif ag.configPath == \"\" {\n\t\tag.configPath, _ = os.MkdirTemp(base.T.TempDir(), \"docker-config\")\n\t}\n\targs := []string{\"login\"}\n\tif !nerdtest.IsDocker() {\n\t\targs = append(args, \"--debug-full\")\n\t}\n\targs = append(args, ag.args...)\n\ticmdCmd := icmd.Command(base.Binary, append(base.Args, append(args, host)...)...)\n\ticmdCmd.Env = append(base.Env, \"HOME=\"+os.Getenv(\"HOME\"), \"DOCKER_CONFIG=\"+ag.configPath)\n\n\treturn &testutil.Cmd{\n\t\tCmd: icmdCmd,\n\t\tBase: base,\n\t}\n}\n\nfunc TestLoginPersistence(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\tt.Parallel()\n\n\t// Retrieve from the store\n\ttestCases := []struct {\n\t\tauth string\n\t}{\n\t\t{\n\t\t\t\"basic\",\n\t\t},\n\t\t{\n\t\t\t\"token\",\n\t\t},\n\t}\n\n\tfor _, tc := range testCases {\n\t\ttc := tc\n\t\tt.Run(fmt.Sprintf(\"Server %s\", tc.auth), func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tusername := utils.RandomStringBase64(30) + \"∞\"\n\t\t\tpassword := utils.RandomStringBase64(30) + \":∞\"\n\n\t\t\t// Add the requested authentication\n\t\t\tvar auth testregistry.Auth\n\t\t\tvar dependentCleanup func(error)\n\n\t\t\tauth = &testregistry.NoAuth{}\n\t\t\tif tc.auth == \"basic\" {\n\t\t\t\tauth = &testregistry.BasicAuth{\n\t\t\t\t\tUsername: username,\n\t\t\t\t\tPassword: password,\n\t\t\t\t}\n\t\t\t} else if tc.auth == \"token\" {\n\t\t\t\tauthCa := testca.New(base.T)\n\t\t\t\tas := testregistry.NewAuthServer(base, authCa, 0, username, password, false)\n\t\t\t\tauth = &testregistry.TokenAuth{\n\t\t\t\t\tAddress: as.Scheme + \"://\" + net.JoinHostPort(as.IP.String(), strconv.Itoa(as.Port)),\n\t\t\t\t\tCertPath: as.CertPath,\n\t\t\t\t}\n\t\t\t\tdependentCleanup = as.Cleanup\n\t\t\t}\n\n\t\t\t// Start the registry with the requested options\n\t\t\treg := testregistry.NewRegistry(base, nil, 0, auth, dependentCleanup)\n\n\t\t\t// Register registry cleanup\n\t\t\tt.Cleanup(func() {\n\t\t\t\treg.Cleanup(nil)\n\t\t\t})\n\n\t\t\t// First, login successfully\n\t\t\tc := (&Client{}).\n\t\t\t\tWithCredentials(username, password)\n\n\t\t\tc.Run(base, fmt.Sprintf(\"localhost:%d\", reg.Port)).\n\t\t\t\tAssertOK()\n\n\t\t\t// Now, log in successfully without passing any explicit credentials\n\t\t\tnc := (&Client{}).\n\t\t\t\tWithConfigPath(c.GetConfigPath())\n\t\t\tnc.Run(base, fmt.Sprintf(\"localhost:%d\", reg.Port)).\n\t\t\t\tAssertOK()\n\n\t\t\t// Now fail while using invalid credentials\n\t\t\tnc.WithCredentials(\"invalid\", \"invalid\").\n\t\t\t\tRun(base, fmt.Sprintf(\"localhost:%d\", reg.Port)).\n\t\t\t\tAssertFail()\n\n\t\t\t// And login again without, reverting to the last saved good state\n\t\t\tnc = (&Client{}).\n\t\t\t\tWithConfigPath(c.GetConfigPath())\n\n\t\t\tnc.Run(base, fmt.Sprintf(\"localhost:%d\", reg.Port)).\n\t\t\t\tAssertOK()\n\t\t})\n\t}\n}\n\n/*\nfunc TestAgainstNoAuth(t *testing.T) {\n\tbase := testutil.NewBase(t)\n\tt.Parallel()\n\n\t// Start the registry with the requested options\n\treg := testregistry.NewRegistry(base, nil, 0, &testregistry.NoAuth{}, nil)\n\n\t// Register registry cleanup\n\tt.Cleanup(func() {\n\t\treg.Cleanup(nil)\n\t})\n\n\tc := (&Client{}).\n\t\tWithCredentials(\"invalid\", \"invalid\")\n\n\tc.Run(base, fmt.Sprintf(\"localhost:%d\", reg.Port)).\n\t\tAssertOK()\n\n\tcontent, _ := os.ReadFile(filepath.Join(c.configPath, \"config.json\"))\n\tfmt.Println(string(content))\n\n\tc.Run(base, fmt.Sprintf(\"localhost:%d\", reg.Port)).\n\t\tAssertFail()\n\n}\n\n*/\n\nfunc TestLoginAgainstVariants(t *testing.T) {\n\t// Skip docker, because Docker doesn't have `--hosts-dir` nor `insecure-registry` option\n\t// This will test access to a wide variety of servers, with or without TLS, with basic or token authentication\n\ttestutil.DockerIncompatible(t)\n\n\tbase := testutil.NewBase(t)\n\tt.Parallel()\n\n\ttestCases := []struct {\n\t\tport int\n\t\ttls bool\n\t\tauth string\n\t}{\n\t\t// Basic auth, no TLS\n\t\t{\n\t\t\t80,\n\t\t\tfalse,\n\t\t\t\"basic\",\n\t\t},\n\t\t{\n\t\t\t443,\n\t\t\tfalse,\n\t\t\t\"basic\",\n\t\t},\n\t\t{\n\t\t\t0,\n\t\t\tfalse,\n\t\t\t\"basic\",\n\t\t},\n\t\t// Token auth, no TLS\n\t\t{\n\t\t\t80,\n\t\t\tfalse,\n\t\t\t\"token\",\n\t\t},\n\t\t{\n\t\t\t443,\n\t\t\tfalse,\n\t\t\t\"token\",\n\t\t},\n\t\t{\n\t\t\t0,\n\t\t\tfalse,\n\t\t\t\"token\",\n\t\t},\n\t\t// Basic auth, with TLS\n\t\t/*\n\t\t\t// This is not working currently, unless we would force a server https:// in hosts\n\t\t\t// To be fixed with login rewrite\n\t\t\t{\n\t\t\t\t80,\n\t\t\t\ttrue,\n\t\t\t\t\"basic\",\n\t\t\t},\n\t\t*/\n\t\t{\n\t\t\t443,\n\t\t\ttrue,\n\t\t\t\"basic\",\n\t\t},\n\t\t{\n\t\t\t0,\n\t\t\ttrue,\n\t\t\t\"basic\",\n\t\t},\n\t\t// Token auth, with TLS\n\t\t/*\n\t\t\t// This is not working currently, unless we would force a server https:// in hosts\n\t\t\t// To be fixed with login rewrite\n\t\t\t{\n\t\t\t\t80,\n\t\t\t\ttrue,\n\t\t\t\t\"token\",\n\t\t\t},\n\t\t*/\n\t\t{\n\t\t\t443,\n\t\t\ttrue,\n\t\t\t\"token\",\n\t\t},\n\t\t{\n\t\t\t0,\n\t\t\ttrue,\n\t\t\t\"token\",\n\t\t},\n\t}\n\n\t// Iterate through all cases, that will present a variety of port (80, 443, random), TLS (yes or no), and authentication (basic, token) type combinations\n\tfor _, tc := range testCases {\n\t\tport := tc.port\n\t\ttls := tc.tls\n\t\tauth := tc.auth\n\n\t\tt.Run(fmt.Sprintf(\"Login against `tls: %t port: %d auth: %s`\", tls, port, auth), func(t *testing.T) {\n\t\t\t// Tests with fixed ports should not be parallelized (although the port locking mechanism will prevent conflicts)\n\t\t\t// as their children tests are parallelized, and this might deadlock given the way `Parallel` works\n\t\t\tif port == 0 {\n\t\t\t\tt.Parallel()\n\t\t\t}\n\n\t\t\t// Generate credentials that are specific to each registry, so that we never cross hit another one\n\t\t\tusername := utils.RandomStringBase64(30) + \"∞\"\n\t\t\tpassword := utils.RandomStringBase64(30) + \":∞\"\n\n\t\t\t// Get a CA if we want TLS\n\t\t\tvar ca *testca.CA\n\t\t\tif tls {\n\t\t\t\tca = testca.New(base.T)\n\t\t\t}\n\n\t\t\t// Add the requested authenticator\n\t\t\tvar authenticator testregistry.Auth\n\t\t\tvar dependentCleanup func(error)\n\n\t\t\tauthenticator = &testregistry.NoAuth{}\n\t\t\tif auth == \"basic\" {\n\t\t\t\tauthenticator = &testregistry.BasicAuth{\n\t\t\t\t\tUsername: username,\n\t\t\t\t\tPassword: password,\n\t\t\t\t}\n\t\t\t} else if auth == \"token\" {\n\t\t\t\tauthCa := ca\n\t\t\t\t// We could be on !tls, meaning no ca - but we still need a CA to sign jwt tokens\n\t\t\t\tif authCa == nil {\n\t\t\t\t\tauthCa = testca.New(base.T)\n\t\t\t\t}\n\t\t\t\tas := testregistry.NewAuthServer(base, authCa, 0, username, password, tls)\n\t\t\t\tauthenticator = &testregistry.TokenAuth{\n\t\t\t\t\tAddress: as.Scheme + \"://\" + net.JoinHostPort(as.IP.String(), strconv.Itoa(as.Port)),\n\t\t\t\t\tCertPath: as.CertPath,\n\t\t\t\t}\n\t\t\t\tdependentCleanup = as.Cleanup\n\t\t\t}\n\n\t\t\t// Start the registry with the requested options\n\t\t\treg := testregistry.NewRegistry(base, ca, port, authenticator, dependentCleanup)\n\n\t\t\t// Register registry cleanup\n\t\t\tt.Cleanup(func() {\n\t\t\t\treg.Cleanup(nil)\n\t\t\t})\n\n\t\t\t// Any registry is reachable through its ip+port, and localhost variants\n\t\t\tregHosts := []string{\n\t\t\t\tnet.JoinHostPort(reg.IP.String(), strconv.Itoa(reg.Port)),\n\t\t\t\tnet.JoinHostPort(\"localhost\", strconv.Itoa(reg.Port)),\n\t\t\t\tnet.JoinHostPort(\"127.0.0.1\", strconv.Itoa(reg.Port)),\n\t\t\t\t// TODO: ipv6\n\t\t\t\t// net.JoinHostPort(\"::1\", strconv.Itoa(reg.Port)),\n\t\t\t}\n\n\t\t\t// Registries that use port 443 also allow access without specifying a port\n\t\t\tif reg.Port == 443 {\n\t\t\t\tregHosts = append(regHosts, reg.IP.String())\n\t\t\t\tregHosts = append(regHosts, \"localhost\")\n\t\t\t\tregHosts = append(regHosts, \"127.0.0.1\")\n\t\t\t\t// TODO: ipv6\n\t\t\t\t// regHosts = append(regHosts, \"::1\")\n\t\t\t}\n\n\t\t\t// Iterate through these hosts access points, and create a test per-variant\n\t\t\tfor _, value := range regHosts {\n\t\t\t\tregHost := value\n\t\t\t\tt.Run(regHost, func(t *testing.T) {\n\t\t\t\t\tt.Parallel()\n\n\t\t\t\t\t// 1. test with valid credentials but no access to the CA\n\t\t\t\t\tt.Run(\"1. valid credentials (no CA) \", func(t *testing.T) {\n\t\t\t\t\t\tt.Parallel()\n\n\t\t\t\t\t\tc := (&Client{}).\n\t\t\t\t\t\t\tWithCredentials(username, password)\n\n\t\t\t\t\t\trl, _ := dockerconfigresolver.Parse(regHost)\n\t\t\t\t\t\t// a. Insecure flag not being set\n\t\t\t\t\t\t// TODO: remove specialization when we fix the localhost mess\n\t\t\t\t\t\tif rl.IsLocalhost() && !tls {\n\t\t\t\t\t\t\tc.Run(base, regHost).\n\t\t\t\t\t\t\t\tAssertOK()\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tc.Run(base, regHost).\n\t\t\t\t\t\t\t\tAssertFail()\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\t// b. Insecure flag set to false\n\t\t\t\t\t\t// TODO: remove specialization when we fix the localhost mess\n\t\t\t\t\t\tif !rl.IsLocalhost() {\n\t\t\t\t\t\t\t(&Client{}).\n\t\t\t\t\t\t\t\tWithCredentials(username, password).\n\t\t\t\t\t\t\t\tWithInsecure(false).\n\t\t\t\t\t\t\t\tRun(base, regHost).\n\t\t\t\t\t\t\t\tAssertFail()\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\t// c. Insecure flag set to true\n\t\t\t\t\t\t// TODO: remove specialization when we fix the localhost mess\n\t\t\t\t\t\tif !rl.IsLocalhost() || !tls {\n\t\t\t\t\t\t\t(&Client{}).\n\t\t\t\t\t\t\t\tWithCredentials(username, password).\n\t\t\t\t\t\t\t\tWithInsecure(true).\n\t\t\t\t\t\t\t\tRun(base, regHost).\n\t\t\t\t\t\t\t\tAssertOK()\n\t\t\t\t\t\t}\n\t\t\t\t\t})\n\n\t\t\t\t\t// 2. test with valid credentials AND access to the CA\n\t\t\t\t\tt.Run(\"2. valid credentials (with access to server CA)\", func(t *testing.T) {\n\t\t\t\t\t\tt.Parallel()\n\n\t\t\t\t\t\trl, _ := dockerconfigresolver.Parse(regHost)\n\n\t\t\t\t\t\t// a. Insecure flag not being set\n\t\t\t\t\t\tc := (&Client{}).\n\t\t\t\t\t\t\tWithCredentials(username, password).\n\t\t\t\t\t\t\tWithHostsDir(reg.HostsDir)\n\n\t\t\t\t\t\tif tls || rl.IsLocalhost() {\n\t\t\t\t\t\t\tc.Run(base, regHost).\n\t\t\t\t\t\t\t\tAssertOK()\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tc.Run(base, regHost).\n\t\t\t\t\t\t\t\tAssertFail()\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\t// b. Insecure flag set to false\n\t\t\t\t\t\tif tls {\n\t\t\t\t\t\t\tc.WithInsecure(false).\n\t\t\t\t\t\t\t\tRun(base, regHost).\n\t\t\t\t\t\t\t\tAssertOK()\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t// TODO: remove specialization when we fix the localhost mess\n\t\t\t\t\t\t\tif !rl.IsLocalhost() {\n\t\t\t\t\t\t\t\tc.WithInsecure(false).\n\t\t\t\t\t\t\t\t\tRun(base, regHost).\n\t\t\t\t\t\t\t\t\tAssertFail()\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\t// c. Insecure flag set to true\n\t\t\t\t\t\tc.WithInsecure(true).\n\t\t\t\t\t\t\tRun(base, regHost).\n\t\t\t\t\t\t\tAssertOK()\n\t\t\t\t\t})\n\n\t\t\t\t\tt.Run(\"3. valid credentials, any url variant, should always succeed\", func(t *testing.T) {\n\t\t\t\t\t\tt.Parallel()\n\t\t\t\t\t\tc := (&Client{}).\n\t\t\t\t\t\t\tWithCredentials(username, password).\n\t\t\t\t\t\t\tWithHostsDir(reg.HostsDir).\n\t\t\t\t\t\t\t// Just use insecure here for all servers - it does not matter for what we are testing here\n\t\t\t\t\t\t\t// in this case, which is whether we can successfully log in against any of these variants\n\t\t\t\t\t\t\tWithInsecure(true)\n\n\t\t\t\t\t\t// TODO: remove specialization when we fix the localhost mess\n\t\t\t\t\t\trl, _ := dockerconfigresolver.Parse(regHost)\n\t\t\t\t\t\tif !rl.IsLocalhost() || !tls {\n\t\t\t\t\t\t\tc.Run(base, \"http://\"+regHost).AssertOK()\n\t\t\t\t\t\t\tc.Run(base, \"https://\"+regHost).AssertOK()\n\t\t\t\t\t\t\tc.Run(base, \"http://\"+regHost+\"/whatever?foo=bar;foo:bar#foo=bar\").AssertOK()\n\t\t\t\t\t\t\tc.Run(base, \"https://\"+regHost+\"/whatever?foo=bar&bar=foo;foo=foo+bar:bar#foo=bar\").AssertOK()\n\t\t\t\t\t\t}\n\t\t\t\t\t})\n\n\t\t\t\t\tt.Run(\"4. wrong password should always fail\", func(t *testing.T) {\n\t\t\t\t\t\tt.Parallel()\n\n\t\t\t\t\t\t(&Client{}).\n\t\t\t\t\t\t\tWithCredentials(username, \"invalid\").\n\t\t\t\t\t\t\tWithHostsDir(reg.HostsDir).\n\t\t\t\t\t\t\tRun(base, regHost).\n\t\t\t\t\t\t\tAssertFail()\n\n\t\t\t\t\t\t(&Client{}).\n\t\t\t\t\t\t\tWithCredentials(username, \"invalid\").\n\t\t\t\t\t\t\tWithHostsDir(reg.HostsDir).\n\t\t\t\t\t\t\tWithInsecure(false).\n\t\t\t\t\t\t\tRun(base, regHost).\n\t\t\t\t\t\t\tAssertFail()\n\n\t\t\t\t\t\t(&Client{}).\n\t\t\t\t\t\t\tWithCredentials(username, \"invalid\").\n\t\t\t\t\t\t\tWithHostsDir(reg.HostsDir).\n\t\t\t\t\t\t\tWithInsecure(true).\n\t\t\t\t\t\t\tRun(base, regHost).\n\t\t\t\t\t\t\tAssertFail()\n\n\t\t\t\t\t\t(&Client{}).\n\t\t\t\t\t\t\tWithCredentials(username, \"invalid\").\n\t\t\t\t\t\t\tRun(base, regHost).\n\t\t\t\t\t\t\tAssertFail()\n\n\t\t\t\t\t\t(&Client{}).\n\t\t\t\t\t\t\tWithCredentials(username, \"invalid\").\n\t\t\t\t\t\t\tWithInsecure(false).\n\t\t\t\t\t\t\tRun(base, regHost).\n\t\t\t\t\t\t\tAssertFail()\n\n\t\t\t\t\t\t(&Client{}).\n\t\t\t\t\t\t\tWithCredentials(username, \"invalid\").\n\t\t\t\t\t\t\tWithInsecure(true).\n\t\t\t\t\t\t\tRun(base, regHost).\n\t\t\t\t\t\t\tAssertFail()\n\t\t\t\t\t})\n\n\t\t\t\t\tt.Run(\"5. wrong username should always fail\", func(t *testing.T) {\n\t\t\t\t\t\tt.Parallel()\n\n\t\t\t\t\t\t(&Client{}).\n\t\t\t\t\t\t\tWithCredentials(\"invalid\", password).\n\t\t\t\t\t\t\tWithHostsDir(reg.HostsDir).\n\t\t\t\t\t\t\tRun(base, regHost).\n\t\t\t\t\t\t\tAssertFail()\n\n\t\t\t\t\t\t(&Client{}).\n\t\t\t\t\t\t\tWithCredentials(\"invalid\", password).\n\t\t\t\t\t\t\tWithHostsDir(reg.HostsDir).\n\t\t\t\t\t\t\tWithInsecure(false).\n\t\t\t\t\t\t\tRun(base, regHost).\n\t\t\t\t\t\t\tAssertFail()\n\n\t\t\t\t\t\t(&Client{}).\n\t\t\t\t\t\t\tWithCredentials(\"invalid\", password).\n\t\t\t\t\t\t\tWithHostsDir(reg.HostsDir).\n\t\t\t\t\t\t\tWithInsecure(true).\n\t\t\t\t\t\t\tRun(base, regHost).\n\t\t\t\t\t\t\tAssertFail()\n\n\t\t\t\t\t\t(&Client{}).\n\t\t\t\t\t\t\tWithCredentials(\"invalid\", password).\n\t\t\t\t\t\t\tRun(base, regHost).\n\t\t\t\t\t\t\tAssertFail()\n\n\t\t\t\t\t\t(&Client{}).\n\t\t\t\t\t\t\tWithCredentials(\"invalid\", password).\n\t\t\t\t\t\t\tWithInsecure(false).\n\t\t\t\t\t\t\tRun(base, regHost).\n\t\t\t\t\t\t\tAssertFail()\n\n\t\t\t\t\t\t(&Client{}).\n\t\t\t\t\t\t\tWithCredentials(\"invalid\", password).\n\t\t\t\t\t\t\tWithInsecure(true).\n\t\t\t\t\t\t\tRun(base, regHost).\n\t\t\t\t\t\t\tAssertFail()\n\t\t\t\t\t})\n\t\t\t\t})\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "cmd/nerdctl/login/login_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage login\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n)\n\nfunc TestMain(m *testing.M) {\n\ttestutil.M(m)\n}\n" }, { "path": "cmd/nerdctl/login/logout.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage login\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/log\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/logout\"\n)\n\nfunc LogoutCommand() *cobra.Command {\n\treturn &cobra.Command{\n\t\tUse: \"logout [flags] [SERVER]\",\n\t\tArgs: cobra.MaximumNArgs(1),\n\t\tShort: \"Log out from a container registry\",\n\t\tRunE: logoutAction,\n\t\tValidArgsFunction: logoutShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n}\n\nfunc logoutAction(cmd *cobra.Command, args []string) error {\n\tlogoutServer := \"\"\n\tif len(args) > 0 {\n\t\tlogoutServer = args[0]\n\t}\n\n\terrGroup, err := logout.Logout(cmd.Context(), logoutServer)\n\tif err != nil {\n\t\tlog.L.WithError(err).Errorf(\"Failed to erase credentials for: %s\", logoutServer)\n\t}\n\tif errGroup != nil {\n\t\tlog.L.Error(\"None of the following entries could be found\")\n\t\tfor _, v := range errGroup {\n\t\t\tlog.L.Errorf(\"%s\", v)\n\t\t}\n\t}\n\n\treturn err\n}\n\nfunc logoutShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\tcandidates, err := logout.ShellCompletion()\n\tif err != nil {\n\t\treturn nil, cobra.ShellCompDirectiveError\n\t}\n\n\treturn candidates, cobra.ShellCompDirectiveNoFileComp\n}\n" }, { "path": "cmd/nerdctl/main.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage main\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"runtime\"\n\t\"strings\"\n\n\t\"github.com/fatih/color\"\n\t\"github.com/pelletier/go-toml/v2\"\n\t\"github.com/spf13/cobra\"\n\t\"github.com/spf13/pflag\"\n\n\t\"github.com/containerd/log\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/builder\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/checkpoint\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/compose\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/container\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/image\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/inspect\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/internal\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/ipfs\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/login\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/manifest\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/namespace\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/network\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/search\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/system\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/volume\"\n\t\"github.com/containerd/nerdctl/v2/pkg/config\"\n\tncdefaults \"github.com/containerd/nerdctl/v2/pkg/defaults\"\n\t\"github.com/containerd/nerdctl/v2/pkg/errutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/logging\"\n\t\"github.com/containerd/nerdctl/v2/pkg/rootlessutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/store\"\n\t\"github.com/containerd/nerdctl/v2/pkg/version\"\n)\n\nvar (\n\t// To print Bold Text\n\tBold = color.New(color.Bold).SprintfFunc()\n)\n\n// usage was derived from https://github.com/spf13/cobra/blob/v1.2.1/command.go#L491-L514\nfunc usage(c *cobra.Command) error {\n\ts := \"Usage: \"\n\tif c.HasSubCommands() {\n\t\ts += c.CommandPath() + \" [command]\\n\"\n\t} else if c.Runnable() {\n\t\ts += c.UseLine() + \"\\n\"\n\t} else {\n\t\ts += c.CommandPath() + \" [command]\\n\"\n\t}\n\ts += \"\\n\"\n\tif len(c.Aliases) > 0 {\n\t\ts += \"Aliases: \" + c.NameAndAliases() + \"\\n\"\n\t}\n\tif c.HasExample() {\n\t\ts += \"Example:\\n\"\n\t\ts += c.Example + \"\\n\"\n\t}\n\n\tvar managementCommands, nonManagementCommands []*cobra.Command\n\tfor _, f := range c.Commands() {\n\t\tf := f\n\t\tif f.Hidden {\n\t\t\tcontinue\n\t\t}\n\t\tif f.Annotations[helpers.Category] == helpers.Management {\n\t\t\tmanagementCommands = append(managementCommands, f)\n\t\t} else {\n\t\t\tnonManagementCommands = append(nonManagementCommands, f)\n\t\t}\n\t}\n\tprintCommands := func(title string, commands []*cobra.Command) string {\n\t\tif len(commands) == 0 {\n\t\t\treturn \"\"\n\t\t}\n\t\tvar longest int\n\t\tfor _, f := range commands {\n\t\t\tif l := len(f.Name()); l > longest {\n\t\t\t\tlongest = l\n\t\t\t}\n\t\t}\n\n\t\ttitle = Bold(title)\n\t\tt := title + \":\\n\"\n\t\tfor _, f := range commands {\n\t\t\tt += \" \"\n\t\t\tt += f.Name()\n\t\t\tt += strings.Repeat(\" \", longest-len(f.Name()))\n\t\t\tt += \" \" + f.Short + \"\\n\"\n\t\t}\n\t\tt += \"\\n\"\n\t\treturn t\n\t}\n\ts += printCommands(\"Management commands\", managementCommands)\n\ts += printCommands(\"Commands\", nonManagementCommands)\n\n\ts += Bold(\"Flags\") + \":\\n\"\n\ts += c.LocalFlags().FlagUsages() + \"\\n\"\n\n\tif c == c.Root() {\n\t\ts += \"Run '\" + c.CommandPath() + \" COMMAND --help' for more information on a command.\\n\"\n\t} else {\n\t\ts += \"See also '\" + c.Root().CommandPath() + \" --help' for the global flags such as '--namespace', '--snapshotter', and '--cgroup-manager'.\"\n\t}\n\tfmt.Fprintln(c.OutOrStdout(), s)\n\treturn nil\n}\n\nfunc main() {\n\tif err := xmain(); err != nil {\n\t\terrutil.HandleExitCoder(err)\n\t\tlog.L.Fatal(err)\n\t}\n}\n\nfunc xmain() error {\n\tif len(os.Args) == 3 && os.Args[1] == logging.MagicArgv1 {\n\t\t// containerd runtime v2 logging plugin mode.\n\t\t// \"binary://BIN?KEY=VALUE\" URI is parsed into Args {BIN, KEY, VALUE}.\n\t\treturn logging.Main(os.Args[2])\n\t}\n\t// nerdctl CLI mode\n\tapp, err := newApp()\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn app.Execute()\n}\n\nfunc initRootCmdFlags(rootCmd *cobra.Command, tomlPath string) (*pflag.FlagSet, error) {\n\tcfg := config.New()\n\tif r, err := os.Open(tomlPath); err == nil {\n\t\tlog.L.Debugf(\"Loading config from %q\", tomlPath)\n\t\tdefer r.Close()\n\t\tdec := toml.NewDecoder(r).DisallowUnknownFields() // set Strict to detect typo\n\t\tif err := dec.Decode(cfg); err != nil {\n\t\t\treturn nil, fmt.Errorf(\"failed to load nerdctl config (not daemon config) from %q (Hint: don't mix up daemon's `config.toml` with `nerdctl.toml`): %w\", tomlPath, err)\n\t\t}\n\t\tlog.L.Debugf(\"Loaded config %+v\", cfg)\n\t} else {\n\t\tlog.L.WithError(err).Debugf(\"Not loading config from %q\", tomlPath)\n\t\tif !errors.Is(err, os.ErrNotExist) {\n\t\t\treturn nil, err\n\t\t}\n\t}\n\taliasToBeInherited := pflag.NewFlagSet(rootCmd.Name(), pflag.ExitOnError)\n\n\trootCmd.PersistentFlags().Bool(\"debug\", cfg.Debug, \"debug mode\")\n\trootCmd.PersistentFlags().Bool(\"debug-full\", cfg.DebugFull, \"debug mode (with full output)\")\n\t// -a is aliases (conflicts with nerdctl images -a)\n\thelpers.AddPersistentStringFlag(rootCmd, \"address\", []string{\"a\", \"H\"}, nil, []string{\"host\"}, aliasToBeInherited, cfg.Address, \"CONTAINERD_ADDRESS\", `containerd address, optionally with \"unix://\" prefix`)\n\t// -n is aliases (conflicts with nerdctl logs -n)\n\thelpers.AddPersistentStringFlag(rootCmd, \"namespace\", []string{\"n\"}, nil, nil, aliasToBeInherited, cfg.Namespace, \"CONTAINERD_NAMESPACE\", `containerd namespace, such as \"moby\" for Docker, \"k8s.io\" for Kubernetes`)\n\trootCmd.RegisterFlagCompletionFunc(\"namespace\", completion.NamespaceNames)\n\thelpers.AddPersistentStringFlag(rootCmd, \"snapshotter\", nil, nil, []string{\"storage-driver\"}, aliasToBeInherited, cfg.Snapshotter, \"CONTAINERD_SNAPSHOTTER\", \"containerd snapshotter\")\n\trootCmd.RegisterFlagCompletionFunc(\"snapshotter\", completion.SnapshotterNames)\n\trootCmd.RegisterFlagCompletionFunc(\"storage-driver\", completion.SnapshotterNames)\n\thelpers.AddPersistentStringFlag(rootCmd, \"cni-path\", nil, nil, nil, aliasToBeInherited, cfg.CNIPath, \"CNI_PATH\", \"cni plugins binary directory\")\n\thelpers.AddPersistentStringFlag(rootCmd, \"cni-netconfpath\", nil, nil, nil, aliasToBeInherited, cfg.CNINetConfPath, \"NETCONFPATH\", \"cni config directory\")\n\trootCmd.PersistentFlags().String(\"data-root\", cfg.DataRoot, \"Root directory of persistent nerdctl state (managed by nerdctl, not by containerd)\")\n\trootCmd.PersistentFlags().String(\"cgroup-manager\", cfg.CgroupManager, `Cgroup manager to use (\"cgroupfs\"|\"systemd\")`)\n\trootCmd.RegisterFlagCompletionFunc(\"cgroup-manager\", completion.CgroupManagerNames)\n\trootCmd.PersistentFlags().Bool(\"insecure-registry\", cfg.InsecureRegistry, \"skips verifying HTTPS certs, and allows falling back to plain HTTP\")\n\t// hosts-dir is defined as StringSlice, not StringArray, to allow specifying \"--hosts-dir=/etc/containerd/certs.d,/etc/docker/certs.d\"\n\trootCmd.PersistentFlags().StringSlice(\"hosts-dir\", cfg.HostsDir, \"A directory that contains /hosts.toml (containerd style) or /{ca.cert, cert.pem, key.pem} (docker style)\")\n\t// Experimental enable experimental feature, see in https://github.com/containerd/nerdctl/blob/main/docs/experimental.md\n\thelpers.AddPersistentBoolFlag(rootCmd, \"experimental\", nil, nil, cfg.Experimental, \"NERDCTL_EXPERIMENTAL\", \"Control experimental: https://github.com/containerd/nerdctl/blob/main/docs/experimental.md\")\n\thelpers.AddPersistentStringFlag(rootCmd, \"host-gateway-ip\", nil, nil, nil, aliasToBeInherited, cfg.HostGatewayIP, \"NERDCTL_HOST_GATEWAY_IP\", \"IP address that the special 'host-gateway' string in --add-host resolves to. Defaults to the IP address of the host. It has no effect without setting --add-host\")\n\thelpers.AddPersistentStringFlag(rootCmd, \"bridge-ip\", nil, nil, nil, aliasToBeInherited, cfg.BridgeIP, \"NERDCTL_BRIDGE_IP\", \"IP address for the default nerdctl bridge network\")\n\trootCmd.PersistentFlags().Bool(\"kube-hide-dupe\", cfg.KubeHideDupe, \"Deduplicate images for Kubernetes with namespace k8s.io\")\n\trootCmd.PersistentFlags().StringSlice(\"cdi-spec-dirs\", cfg.CDISpecDirs, \"The directories to search for CDI spec files. Defaults to /etc/cdi,/var/run/cdi\")\n\trootCmd.PersistentFlags().String(\"userns-remap\", cfg.UsernsRemap, \"Support idmapping for creating and running containers. This options is only supported on linux. If `host` is passed, no idmapping is done. if a user name is passed, it does idmapping based on the uidmap and gidmap ranges specified in /etc/subuid and /etc/subgid respectively\")\n\thelpers.HiddenPersistentStringArrayFlag(rootCmd, \"global-dns\", cfg.DNS, \"Global DNS servers for containers\")\n\thelpers.HiddenPersistentStringArrayFlag(rootCmd, \"global-dns-opts\", cfg.DNSOpts, \"Global DNS options for containers\")\n\thelpers.HiddenPersistentStringArrayFlag(rootCmd, \"global-dns-search\", cfg.DNSSearch, \"Global DNS search domains for containers\")\n\treturn aliasToBeInherited, nil\n}\n\nfunc newApp() (*cobra.Command, error) {\n\ttomlPath := ncdefaults.NerdctlTOML()\n\tif v, ok := os.LookupEnv(\"NERDCTL_TOML\"); ok {\n\t\ttomlPath = v\n\t}\n\n\tshort := \"nerdctl is a command line interface for containerd\"\n\tlong := fmt.Sprintf(`%s\n\nConfig file ($NERDCTL_TOML): %s\n`, short, tomlPath)\n\tvar rootCmd = &cobra.Command{\n\t\tUse: \"nerdctl\",\n\t\tShort: short,\n\t\tLong: long,\n\t\tVersion: strings.TrimPrefix(version.GetVersion(), \"v\"),\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t\tTraverseChildren: true, // required for global short hands like -a, -H, -n\n\t}\n\n\trootCmd.SetUsageFunc(usage)\n\taliasToBeInherited, err := initRootCmdFlags(rootCmd, tomlPath)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tif err := resetSavedSETUID(); err != nil {\n\t\treturn nil, err\n\t}\n\n\trootCmd.PersistentPreRunE = func(cmd *cobra.Command, args []string) error {\n\t\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tdebug := globalOptions.DebugFull\n\t\tif !debug {\n\t\t\tdebug = globalOptions.Debug\n\t\t}\n\t\tif debug {\n\t\t\tlog.SetLevel(log.DebugLevel.String())\n\t\t}\n\t\taddress := globalOptions.Address\n\t\tif strings.Contains(address, \"://\") && !strings.HasPrefix(address, \"unix://\") {\n\t\t\treturn fmt.Errorf(\"invalid address %q\", address)\n\t\t}\n\t\tcgroupManager := globalOptions.CgroupManager\n\t\tif runtime.GOOS == \"linux\" {\n\t\t\tswitch cgroupManager {\n\t\t\tcase \"systemd\", \"cgroupfs\", \"none\":\n\t\t\tdefault:\n\t\t\t\treturn fmt.Errorf(\"invalid cgroup-manager %q (supported values: \\\"systemd\\\", \\\"cgroupfs\\\", \\\"none\\\")\", cgroupManager)\n\t\t\t}\n\t\t}\n\n\t\t// Since we store containers' stateful information on the filesystem per namespace, we need namespaces to be\n\t\t// valid, safe path segments.\n\t\t// Note that the container runtime will further enforce additional restrictions on namespace names\n\t\t// (containerd treats namespaces as valid identifiers - eg: alphanumericals + dash, starting with a letter)\n\t\t// See https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#path-segment-names for\n\t\t// considerations about path segments identifiers.\n\t\tif err = store.IsFilesystemSafe(globalOptions.Namespace); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif appNeedsRootlessParentMain(cmd, args) {\n\t\t\t// reexec /proc/self/exe with `nsenter` into RootlessKit namespaces\n\t\t\treturn rootlessutil.ParentMain(globalOptions.HostGatewayIP)\n\t\t}\n\t\treturn nil\n\t}\n\trootCmd.RunE = helpers.UnknownSubcommandAction\n\trootCmd.AddCommand(\n\t\tcontainer.CreateCommand(),\n\t\t// #region Run & Exec\n\t\tcontainer.RunCommand(),\n\t\tcontainer.UpdateCommand(),\n\t\tcontainer.ExecCommand(),\n\t\t// #endregion\n\n\t\t// #region Container management\n\t\tcontainer.PsCommand(),\n\t\tcontainer.LogsCommand(),\n\t\tcontainer.PortCommand(),\n\t\tcontainer.StopCommand(),\n\t\tcontainer.StartCommand(),\n\t\tcontainer.DiffCommand(),\n\t\tcontainer.RestartCommand(),\n\t\tcontainer.KillCommand(),\n\t\tcontainer.RemoveCommand(),\n\t\tcontainer.PauseCommand(),\n\t\tcontainer.UnpauseCommand(),\n\t\tcontainer.CommitCommand(),\n\t\tcontainer.ExportCommand(),\n\t\tcontainer.WaitCommand(),\n\t\tcontainer.RenameCommand(),\n\t\tcontainer.AttachCommand(),\n\t\tcontainer.HealthCheckCommand(),\n\t\t// #endregion\n\n\t\t// Build\n\t\tbuilder.BuildCommand(),\n\n\t\t// #region Image management\n\t\timage.ImagesCommand(),\n\t\timage.PullCommand(),\n\t\timage.PushCommand(),\n\t\timage.LoadCommand(),\n\t\timage.SaveCommand(),\n\t\timage.ImportCommand(),\n\t\timage.TagCommand(),\n\t\timage.RmiCommand(),\n\t\timage.HistoryCommand(),\n\t\tsearch.Command(),\n\t\t// #endregion\n\n\t\t// #region System\n\t\tsystem.EventsCommand(),\n\t\tsystem.InfoCommand(),\n\t\tversionCommand(),\n\t\t// #endregion\n\n\t\t// Inspect\n\t\tinspect.Command(),\n\n\t\t// stats\n\t\tcontainer.TopCommand(),\n\t\tcontainer.StatsCommand(),\n\n\t\t// #region helpers.Management\n\t\tcontainer.Command(),\n\t\timage.Command(),\n\t\tnetwork.Command(),\n\t\tvolume.Command(),\n\t\tsystem.Command(),\n\t\tnamespace.Command(),\n\t\tbuilder.Command(),\n\t\t// #endregion\n\n\t\t// Internal\n\t\tinternal.Command(),\n\n\t\t// login\n\t\tlogin.Command(),\n\n\t\t// Logout\n\t\tlogin.LogoutCommand(),\n\n\t\t// Compose\n\t\tcompose.Command(),\n\n\t\t// IPFS\n\t\tipfs.NewIPFSCommand(),\n\n\t\t// Manifest\n\t\tmanifest.Command(),\n\n\t\t// Checkpoint\n\t\tcheckpoint.Command(),\n\t)\n\taddApparmorCommand(rootCmd)\n\tcontainer.AddCpCommand(rootCmd)\n\n\t// add aliasToBeInherited to subCommand(s) InheritedFlags\n\tfor _, subCmd := range rootCmd.Commands() {\n\t\tsubCmd.InheritedFlags().AddFlagSet(aliasToBeInherited)\n\t}\n\treturn rootCmd, nil\n}\n" }, { "path": "cmd/nerdctl/main_linux.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage main\n\nimport (\n\t\"github.com/spf13/cobra\"\n\t\"golang.org/x/sys/unix\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/apparmor\"\n\t\"github.com/containerd/nerdctl/v2/pkg/rootlessutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/strutil\"\n)\n\nfunc appNeedsRootlessParentMain(cmd *cobra.Command, args []string) bool {\n\tcommands := []string{}\n\tfor tcmd := cmd; tcmd != nil; tcmd = tcmd.Parent() {\n\t\tcommands = append(commands, tcmd.Name())\n\t}\n\tcommands = strutil.ReverseStrSlice(commands)\n\n\tif !rootlessutil.IsRootlessParent() {\n\t\treturn false\n\t}\n\tif len(commands) < 2 {\n\t\treturn true\n\t}\n\tswitch commands[1] {\n\t// completion, login, logout, version: false, because it shouldn't require the daemon to be running\n\t// apparmor: false, because it requires the initial mount namespace to access /sys/kernel/security\n\t// cp, compose cp: false, because it requires the initial mount namespace to inspect file owners\n\tcase \"\", \"completion\", \"login\", \"logout\", \"apparmor\", \"cp\", \"version\":\n\t\treturn false\n\tcase \"container\":\n\t\tif len(commands) < 3 {\n\t\t\treturn true\n\t\t}\n\t\tswitch commands[2] {\n\t\tcase \"cp\":\n\t\t\treturn false\n\t\t}\n\tcase \"compose\":\n\t\tif len(commands) < 3 {\n\t\t\treturn true\n\t\t}\n\t\tswitch commands[2] {\n\t\tcase \"cp\":\n\t\t\treturn false\n\t\t}\n\t}\n\treturn true\n}\n\nfunc addApparmorCommand(rootCmd *cobra.Command) {\n\trootCmd.AddCommand(apparmor.Command())\n}\n\n// resetSavedSETUID drops the saved UID of a setuid-root process to the original real UID.\n// This ensures the process cannot regain root privileges later.\n// It only performs the operation if the process is currently running with effective UID 0 (root)\n// and was started by a non-root user (i.e., real UID != effective UID).\n// For more info see issue https://github.com/containerd/nerdctl/issues/4098\nfunc resetSavedSETUID() error {\n\tvar err error\n\tuid := unix.Getuid()\n\teuid := unix.Geteuid()\n\tif uid != euid && euid == 0 {\n\t\terr = unix.Setresuid(0, 0, uid)\n\t}\n\treturn err\n}\n" }, { "path": "cmd/nerdctl/main_nolinux.go", "content": "//go:build !linux\n\n/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage main\n\nimport (\n\t\"github.com/spf13/cobra\"\n)\n\nfunc appNeedsRootlessParentMain(cmd *cobra.Command, args []string) bool {\n\treturn false\n}\n\nfunc addApparmorCommand(rootCmd *cobra.Command) {\n\t// NOP\n}\n\nfunc resetSavedSETUID() error {\n\t// NOP\n\treturn nil\n}\n" }, { "path": "cmd/nerdctl/main_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage main\n\nimport (\n\t\"errors\"\n\t\"testing\"\n\n\t\"github.com/containerd/containerd/v2/defaults\"\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestMain(m *testing.M) {\n\ttestutil.M(m)\n}\n\n// TestUnknownCommand tests https://github.com/containerd/nerdctl/issues/487\nfunc TestUnknownCommand(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\tvar cmd = errors.New(\"unknown subcommand\")\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"non-existent-command\",\n\t\t\tCommand: test.Command(\"non-existent-command\"),\n\t\t\tExpected: test.Expects(1, []error{cmd}, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"non-existent-command info\",\n\t\t\tCommand: test.Command(\"non-existent-command\", \"info\"),\n\t\t\tExpected: test.Expects(1, []error{cmd}, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"system non-existent-command\",\n\t\t\tCommand: test.Command(\"system\", \"non-existent-command\"),\n\t\t\tExpected: test.Expects(1, []error{cmd}, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"system non-existent-command info\",\n\t\t\tCommand: test.Command(\"system\", \"non-existent-command\", \"info\"),\n\t\t\tExpected: test.Expects(1, []error{cmd}, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"system\",\n\t\t\tCommand: test.Command(\"system\"),\n\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"system info\",\n\t\t\tCommand: test.Command(\"system\", \"info\"),\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"Kernel Version:\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"info\",\n\t\t\tCommand: test.Command(\"info\"),\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"Kernel Version:\")),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\n// TestNerdctlConfig validates the configuration precedence [CLI, Env, TOML, Default] and broken config rejection\nfunc TestNerdctlConfig(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\t// Docker does not support nerdctl.toml obviously\n\ttestCase.Require = require.Not(nerdtest.Docker)\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"Default\",\n\t\t\tCommand: test.Command(\"info\", \"-f\", \"{{.Driver}}\"),\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(defaults.DefaultSnapshotter+\"\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"TOML > Default\",\n\t\t\tCommand: test.Command(\"info\", \"-f\", \"{{.Driver}}\"),\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(\"dummy-snapshotter-via-toml\\n\")),\n\t\t\tConfig: test.WithConfig(nerdtest.NerdctlToml, `snapshotter = \"dummy-snapshotter-via-toml\"`),\n\t\t},\n\t\t{\n\t\t\tDescription: \"Cli > TOML > Default\",\n\t\t\tCommand: test.Command(\"info\", \"-f\", \"{{.Driver}}\", \"--snapshotter=dummy-snapshotter-via-cli\"),\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(\"dummy-snapshotter-via-cli\\n\")),\n\t\t\tConfig: test.WithConfig(nerdtest.NerdctlToml, `snapshotter = \"dummy-snapshotter-via-toml\"`),\n\t\t},\n\t\t{\n\t\t\tDescription: \"Env > TOML > Default\",\n\t\t\tCommand: test.Command(\"info\", \"-f\", \"{{.Driver}}\"),\n\t\t\tEnv: map[string]string{\"CONTAINERD_SNAPSHOTTER\": \"dummy-snapshotter-via-env\"},\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(\"dummy-snapshotter-via-env\\n\")),\n\t\t\tConfig: test.WithConfig(nerdtest.NerdctlToml, `snapshotter = \"dummy-snapshotter-via-toml\"`),\n\t\t},\n\t\t{\n\t\t\tDescription: \"Cli > Env > TOML > Default\",\n\t\t\tCommand: test.Command(\"info\", \"-f\", \"{{.Driver}}\", \"--snapshotter=dummy-snapshotter-via-cli\"),\n\t\t\tEnv: map[string]string{\"CONTAINERD_SNAPSHOTTER\": \"dummy-snapshotter-via-env\"},\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(\"dummy-snapshotter-via-cli\\n\")),\n\t\t\tConfig: test.WithConfig(nerdtest.NerdctlToml, `snapshotter = \"dummy-snapshotter-via-toml\"`),\n\t\t},\n\t\t{\n\t\t\tDescription: \"Broken config\",\n\t\t\tCommand: test.Command(\"info\"),\n\t\t\tExpected: test.Expects(1, []error{errors.New(\"failed to load nerdctl config\")}, nil),\n\t\t\tConfig: test.WithConfig(nerdtest.NerdctlToml, `# containerd config, not nerdctl config\nversion = 2`),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/main_test_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage main\n\nimport (\n\t\"errors\"\n\t\"log\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\n// TestTest is testing the test tooling itself\nfunc TestTest(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"failure\",\n\t\t\tCommand: test.Command(\"undefinedcommand\"),\n\t\t\tExpected: test.Expects(1, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"success\",\n\t\t\tCommand: test.Command(\"info\"),\n\t\t\tExpected: test.Expects(0, nil, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"failure with single error testing\",\n\t\t\tCommand: test.Command(\"undefinedcommand\"),\n\t\t\tExpected: test.Expects(1, []error{errors.New(\"unknown subcommand\")}, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"success with contains output testing\",\n\t\t\tCommand: test.Command(\"info\"),\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"Kernel\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"success with negative output testing\",\n\t\t\tCommand: test.Command(\"info\"),\n\t\t\tExpected: test.Expects(0, nil, expect.DoesNotContain(\"foobar\")),\n\t\t},\n\t\t// Note that docker annoyingly returns 125 in a few conditions like this\n\t\t{\n\t\t\tDescription: \"failure with multiple error testing\",\n\t\t\tCommand: test.Command(\"-fail\"),\n\t\t\tExpected: test.Expects(expect.ExitCodeGenericFail, []error{errors.New(\"unknown\"), errors.New(\"shorthand\")}, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"success with exact output testing\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Custom(\"echo\", \"foobar\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(\"foobar\\n\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"data propagation\",\n\t\t\tData: test.WithLabels(map[string]string{\"status\": \"uninitialized\"}),\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tdata.Labels().Set(\"status\", data.Labels().Get(\"status\")+\"-setup\")\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tcmd := helpers.Custom(\"printf\", data.Labels().Get(\"status\"))\n\t\t\t\tdata.Labels().Set(\"status\", data.Labels().Get(\"status\")+\"-command\")\n\t\t\t\treturn cmd\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tif data.Labels().Get(\"status\") == \"uninitialized\" {\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t\tif data.Labels().Get(\"status\") != \"uninitialized-setup-command\" {\n\t\t\t\t\tlog.Fatalf(\"unexpected status label %q\", data.Labels().Get(\"status\"))\n\t\t\t\t}\n\t\t\t\tdata.Labels().Set(\"status\", data.Labels().Get(\"status\")+\"-cleanup\")\n\t\t\t},\n\t\t\tSubTests: []*test.Case{\n\t\t\t\t{\n\t\t\t\t\tDescription: \"Subtest data propagation\",\n\t\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\t\treturn helpers.Custom(\"printf\", data.Labels().Get(\"status\"))\n\t\t\t\t\t},\n\t\t\t\t\tExpected: test.Expects(0, nil, expect.Equals(\"uninitialized-setup-command\")),\n\t\t\t\t},\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Equals(\"uninitialized-setup\")),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/manifest/manifest.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage manifest\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n)\n\nfunc Command() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tAnnotations: map[string]string{helpers.Category: helpers.Management},\n\t\tUse: \"manifest\",\n\t\tShort: \"Manage image manifests.\",\n\t\tRunE: helpers.UnknownSubcommandAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\n\tcmd.AddCommand(\n\t\tinspectCommand(),\n\t\tcreateCommand(),\n\t\tannotateCommand(),\n\t\tremoveCommand(),\n\t\tpushCommand(),\n\t)\n\n\treturn cmd\n}\n" }, { "path": "cmd/nerdctl/manifest/manifest_annotate.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage manifest\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/manifest\"\n)\n\nfunc annotateCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"annotate INDEX/MANIFESTLIST MANIFEST\",\n\t\tShort: \"Add additional information to a local image manifest\",\n\t\tArgs: cobra.ExactArgs(2),\n\t\tRunE: annotateAction,\n\t\tValidArgsFunction: annotateShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().String(\"os\", \"\", \"Set operating system\")\n\tcmd.Flags().String(\"arch\", \"\", \"Set architecture\")\n\tcmd.Flags().String(\"os-version\", \"\", \"Set operating system version\")\n\tcmd.Flags().String(\"variant\", \"\", \"Set operating system feature\")\n\tcmd.Flags().StringArray(\"os-features\", []string{}, \"Set architecture variant\")\n\treturn cmd\n}\n\nfunc processAnnotateFlags(cmd *cobra.Command) (types.ManifestAnnotateOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ManifestAnnotateOptions{}, err\n\t}\n\n\tos, err := cmd.Flags().GetString(\"os\")\n\tif err != nil {\n\t\treturn types.ManifestAnnotateOptions{}, err\n\t}\n\tarch, err := cmd.Flags().GetString(\"arch\")\n\tif err != nil {\n\t\treturn types.ManifestAnnotateOptions{}, err\n\t}\n\tosVersion, err := cmd.Flags().GetString(\"os-version\")\n\tif err != nil {\n\t\treturn types.ManifestAnnotateOptions{}, err\n\t}\n\tvariant, err := cmd.Flags().GetString(\"variant\")\n\tif err != nil {\n\t\treturn types.ManifestAnnotateOptions{}, err\n\t}\n\tosFeatures, err := cmd.Flags().GetStringArray(\"os-features\")\n\tif err != nil {\n\t\treturn types.ManifestAnnotateOptions{}, err\n\t}\n\n\treturn types.ManifestAnnotateOptions{\n\t\tStdout: cmd.OutOrStdout(),\n\t\tGOptions: globalOptions,\n\t\tOs: os,\n\t\tArch: arch,\n\t\tOsVersion: osVersion,\n\t\tVariant: variant,\n\t\tOsFeatures: osFeatures,\n\t}, nil\n}\n\nfunc annotateAction(cmd *cobra.Command, args []string) error {\n\tannotateOptions, err := processAnnotateFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tlistRef := args[0]\n\tmanifestRef := args[1]\n\n\treturn manifest.Annotate(cmd.Context(), listRef, manifestRef, annotateOptions)\n}\n\nfunc annotateShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\treturn completion.ImageNames(cmd)\n}\n" }, { "path": "cmd/nerdctl/manifest/manifest_annotate_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage manifest\n\nimport (\n\t\"errors\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestManifestAnnotateErrors(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\tmanifestListName := \"test-list:v1\"\n\tmanifestName := \"example.com/alpine:latest\"\n\tinvalidName := \"invalid/name/with/special@chars\"\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"too-few-arguments\",\n\t\t\tCommand: test.Command(\"manifest\", \"annotate\", manifestListName),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"invalid-list-name\",\n\t\t\tCommand: test.Command(\"manifest\", \"annotate\", invalidName, manifestName),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{errors.New(data.Labels().Get(\"error\"))},\n\t\t\t\t}\n\t\t\t},\n\t\t\tData: test.WithLabels(map[string]string{\n\t\t\t\t\"error\": \"invalid reference format\",\n\t\t\t}),\n\t\t},\n\t\t{\n\t\t\tDescription: \"invalid-manifest-reference\",\n\t\t\tCommand: test.Command(\"manifest\", \"annotate\", manifestListName, invalidName),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{errors.New(data.Labels().Get(\"error\"))},\n\t\t\t\t}\n\t\t\t},\n\t\t\tData: test.WithLabels(map[string]string{\n\t\t\t\t\"error\": \"invalid reference format\",\n\t\t\t}),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestManifestAnnotate(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\tmanifestListName := \"example.com/test-list-annotate:v1\"\n\tmanifestRef := testutil.GetTestImageWithoutTag(\"alpine\") + \"@\" + testutil.GetTestImageManifestDigest(\"alpine\", \"linux/amd64\")\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"annotate-non-existent-manifest\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tcmd := helpers.Command(\"manifest\", \"create\", manifestListName, manifestRef)\n\t\t\t\tcmd.Run(&test.Expected{ExitCode: 0})\n\t\t\t},\n\t\t\tCommand: test.Command(\"manifest\", \"annotate\", manifestListName, \"example.com/fake:0.0\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{errors.New(data.Labels().Get(\"error\"))},\n\t\t\t\t}\n\t\t\t},\n\t\t\tData: test.WithLabels(map[string]string{\n\t\t\t\t\"error\": \"manifest for image example.com/fake:0.0 does not exist\",\n\t\t\t}),\n\t\t},\n\t\t{\n\t\t\tDescription: \"annotate-success\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tcmd := helpers.Command(\"manifest\", \"create\", manifestListName+\"-success\", manifestRef)\n\t\t\t\tcmd.Run(&test.Expected{ExitCode: 0})\n\t\t\t},\n\t\t\tCommand: test.Command(\"manifest\", \"annotate\",\n\t\t\t\tmanifestListName+\"-success\",\n\t\t\t\tmanifestRef,\n\t\t\t\t\"--os\", \"freebsd\",\n\t\t\t\t\"--arch\", \"arm\",\n\t\t\t\t\"--os-version\", \"1\",\n\t\t\t\t\"--os-features\", \"feature1\",\n\t\t\t\t\"--variant\", \"v7\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/manifest/manifest_create.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage manifest\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/manifest\"\n)\n\nfunc createCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"create INDEX/MANIFESTLIST MANIFEST [MANIFEST...]\",\n\t\tShort: \"Create a local index/manifest list for annotating and pushing to a registry\",\n\t\tArgs: cobra.MinimumNArgs(2),\n\t\tRunE: createAction,\n\t\tValidArgsFunction: createShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().Bool(\"amend\", false, \"Amend the existing index/manifest list\")\n\tcmd.Flags().Bool(\"insecure\", false, \"Allow communication with an insecure registry\")\n\treturn cmd\n}\n\nfunc processCreateFlags(cmd *cobra.Command) (types.ManifestCreateOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ManifestCreateOptions{}, err\n\t}\n\tamend, err := cmd.Flags().GetBool(\"amend\")\n\tif err != nil {\n\t\treturn types.ManifestCreateOptions{}, err\n\t}\n\tinsecure, err := cmd.Flags().GetBool(\"insecure\")\n\tif err != nil {\n\t\treturn types.ManifestCreateOptions{}, err\n\t}\n\treturn types.ManifestCreateOptions{\n\t\tStdout: cmd.OutOrStdout(),\n\t\tGOptions: globalOptions,\n\t\tAmend: amend,\n\t\tInsecure: insecure,\n\t}, nil\n}\n\nfunc createAction(cmd *cobra.Command, args []string) error {\n\tcreateOptions, err := processCreateFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tlistRef := args[0]\n\tmanifestRefs := args[1:]\n\n\tlistRef, err = manifest.Create(cmd.Context(), listRef, manifestRefs, createOptions)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tfmt.Fprintln(createOptions.Stdout, \"Created manifest list\", listRef)\n\n\treturn nil\n}\n\nfunc createShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\treturn completion.ImageNames(cmd)\n}\n" }, { "path": "cmd/nerdctl/manifest/manifest_create_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage manifest\n\nimport (\n\t\"errors\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestManifestCreateErrors(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\tmanifestListName := \"test-list:v1\"\n\tmanifestName := \"example.com/alpine:latest\"\n\tinvalidName := \"invalid/name/with/special@chars\"\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"too-few-arguments\",\n\t\t\tCommand: test.Command(\"manifest\", \"create\", manifestListName),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{errors.New(data.Labels().Get(\"error\"))},\n\t\t\t\t}\n\t\t\t},\n\t\t\tData: test.WithLabels(map[string]string{\n\t\t\t\t\"error\": \"requires at least 2 arg\",\n\t\t\t}),\n\t\t},\n\t\t{\n\t\t\tDescription: \"invalid-list-name\",\n\t\t\tCommand: test.Command(\"manifest\", \"create\", invalidName, manifestName),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{errors.New(data.Labels().Get(\"error\"))},\n\t\t\t\t}\n\t\t\t},\n\t\t\tData: test.WithLabels(map[string]string{\n\t\t\t\t\"error\": \"invalid reference format\",\n\t\t\t}),\n\t\t},\n\t\t{\n\t\t\tDescription: \"invalid-manifest-reference\",\n\t\t\tCommand: test.Command(\"manifest\", \"create\", manifestListName, invalidName),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{errors.New(data.Labels().Get(\"error\"))},\n\t\t\t\t}\n\t\t\t},\n\t\t\tData: test.WithLabels(map[string]string{\n\t\t\t\t\"error\": \"invalid reference format\",\n\t\t\t}),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestManifestCreate(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\tmanifestListName := \"test-list-create:v1\"\n\tmanifestRef := testutil.GetTestImageWithoutTag(\"alpine\") + \"@\" + testutil.GetTestImageManifestDigest(\"alpine\", \"linux/amd64\")\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"create-manifest-list\",\n\t\t\tCommand: test.Command(\"manifest\", \"create\", manifestListName, manifestRef),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.Contains(data.Labels().Get(\"output\")),\n\t\t\t\t}\n\t\t\t},\n\t\t\tData: test.WithLabels(map[string]string{\n\t\t\t\t\"output\": \"Created manifest list docker.io/library/\" + manifestListName,\n\t\t\t}),\n\t\t},\n\t\t{\n\t\t\tDescription: \"create-existed-manifest-list-without-amend-flag\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tcmd := helpers.Command(\"manifest\", \"create\", manifestListName+\"-without-amend-flag\", manifestRef)\n\t\t\t\tcmd.Run(&test.Expected{ExitCode: 0})\n\t\t\t},\n\t\t\tCommand: test.Command(\"manifest\", \"create\", manifestListName+\"-without-amend-flag\", manifestRef),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{errors.New(data.Labels().Get(\"error\"))},\n\t\t\t\t}\n\t\t\t},\n\t\t\tData: test.WithLabels(map[string]string{\n\t\t\t\t\"error\": \"refusing to amend an existing manifest list with no --amend flag\",\n\t\t\t}),\n\t\t},\n\t\t{\n\t\t\tDescription: \"create-manifest-list-with-amend-flag\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tcmd := helpers.Command(\"manifest\", \"create\", manifestListName+\"-with-amend-flag\", manifestRef)\n\t\t\t\tcmd.Run(&test.Expected{ExitCode: 0})\n\t\t\t},\n\t\t\tCommand: test.Command(\"manifest\", \"create\", \"--amend\", manifestListName+\"-with-amend-flag\", manifestRef),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: expect.Contains(data.Labels().Get(\"output\")),\n\t\t\t\t}\n\t\t\t},\n\t\t\tData: test.WithLabels(map[string]string{\n\t\t\t\t\"output\": \"Created manifest list docker.io/library/\" + manifestListName + \"-with-amend-flag\",\n\t\t\t}),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/manifest/manifest_inspect.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage manifest\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/manifest\"\n\t\"github.com/containerd/nerdctl/v2/pkg/formatter\"\n)\n\nfunc inspectCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"inspect MANIFEST\",\n\t\tShort: \"Display the contents of a manifest or image index/manifest list\",\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tRunE: inspectAction,\n\t\tValidArgsFunction: inspectShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().Bool(\"verbose\", false, \"Verbose output additional info including layers and platform\")\n\tcmd.Flags().Bool(\"insecure\", false, \"Allow communication with an insecure registry\")\n\treturn cmd\n}\n\nfunc processInspectFlags(cmd *cobra.Command) (types.ManifestInspectOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ManifestInspectOptions{}, err\n\t}\n\tverbose, err := cmd.Flags().GetBool(\"verbose\")\n\tif err != nil {\n\t\treturn types.ManifestInspectOptions{}, err\n\t}\n\tinsecure, err := cmd.Flags().GetBool(\"insecure\")\n\tif err != nil {\n\t\treturn types.ManifestInspectOptions{}, err\n\t}\n\treturn types.ManifestInspectOptions{\n\t\tStdout: cmd.OutOrStdout(),\n\t\tGOptions: globalOptions,\n\t\tVerbose: verbose,\n\t\tInsecure: insecure,\n\t}, nil\n}\n\nfunc inspectAction(cmd *cobra.Command, args []string) error {\n\tinspectOptions, err := processInspectFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\trawRef := args[0]\n\tres, err := manifest.Inspect(cmd.Context(), rawRef, inspectOptions)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t// Output format: single object for single result, array for multiple results\n\tif len(res) == 1 {\n\t\tjsonStr, err := formatter.ToJSON(res[0], \"\", \" \")\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfmt.Fprint(inspectOptions.Stdout, jsonStr)\n\t} else {\n\t\tif formatErr := formatter.FormatSlice(\"\", inspectOptions.Stdout, res); formatErr != nil {\n\t\t\treturn formatErr\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc inspectShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\treturn completion.ImageNames(cmd)\n}\n" }, { "path": "cmd/nerdctl/manifest/manifest_inspect_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage manifest\n\nimport (\n\t\"encoding/json\"\n\t\"testing\"\n\n\tocispec \"github.com/opencontainers/image-spec/specs-go/v1\"\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/manifesttypes\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nconst (\n\ttestImageName = \"alpine\"\n\ttestPlatform = \"linux/amd64\"\n)\n\ntype testData struct {\n\timageName string\n\tplatform string\n\timageRef string\n\tmanifestDigest string\n\tconfigDigest string\n\trawData string\n}\n\nfunc newTestData(imageName, platform string) *testData {\n\treturn &testData{\n\t\timageName: imageName,\n\t\tplatform: platform,\n\t\timageRef: testutil.GetTestImage(imageName),\n\t\tmanifestDigest: testutil.GetTestImageManifestDigest(imageName, platform),\n\t\tconfigDigest: testutil.GetTestImageConfigDigest(imageName, platform),\n\t\trawData: testutil.GetTestImageRaw(imageName, platform),\n\t}\n}\n\nfunc (td *testData) imageWithDigest() string {\n\treturn testutil.GetTestImageWithoutTag(td.imageName) + \"@\" + td.manifestDigest\n}\n\nfunc (td *testData) isAmd64Platform(platform *ocispec.Platform) bool {\n\treturn platform != nil &&\n\t\tplatform.Architecture == \"amd64\" &&\n\t\tplatform.OS == \"linux\"\n}\n\nfunc TestManifestInspect(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\ttd := newTestData(testImageName, testPlatform)\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"tag-non-verbose\",\n\t\t\tCommand: test.Command(\"manifest\", \"inspect\", td.imageRef),\n\t\t\tExpected: test.Expects(0, nil, func(stdout string, t tig.T) {\n\t\t\t\tvar manifest manifesttypes.DockerManifestListStruct\n\t\t\t\tassert.NilError(t, json.Unmarshal([]byte(stdout), &manifest))\n\n\t\t\t\tassert.Equal(t, manifest.SchemaVersion, testutil.GetTestImageSchemaVersion(td.imageName))\n\t\t\t\tassert.Equal(t, manifest.MediaType, testutil.GetTestImageMediaType(td.imageName))\n\t\t\t\tassert.Assert(t, len(manifest.Manifests) > 0)\n\n\t\t\t\tvar foundManifest *ocispec.Descriptor\n\t\t\t\tfor _, m := range manifest.Manifests {\n\t\t\t\t\tif td.isAmd64Platform(m.Platform) {\n\t\t\t\t\t\tfoundManifest = &m\n\t\t\t\t\t\tbreak\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tassert.Assert(t, foundManifest != nil, \"should find amd64 platform manifest\")\n\t\t\t\tassert.Equal(t, foundManifest.Digest.String(), td.manifestDigest)\n\t\t\t\tassert.Equal(t, foundManifest.MediaType, testutil.GetTestImagePlatformMediaType(td.imageName, td.platform))\n\t\t\t}),\n\t\t},\n\t\t{\n\t\t\tDescription: \"tag-verbose\",\n\t\t\tCommand: test.Command(\"manifest\", \"inspect\", td.imageRef, \"--verbose\"),\n\t\t\tExpected: test.Expects(0, nil, func(stdout string, t tig.T) {\n\t\t\t\tvar entries []manifesttypes.DockerManifestEntry\n\t\t\t\tassert.NilError(t, json.Unmarshal([]byte(stdout), &entries))\n\t\t\t\tassert.Assert(t, len(entries) > 0)\n\n\t\t\t\tvar foundEntry *manifesttypes.DockerManifestEntry\n\t\t\t\tfor _, e := range entries {\n\t\t\t\t\tif td.isAmd64Platform(e.Descriptor.Platform) {\n\t\t\t\t\t\tfoundEntry = &e\n\t\t\t\t\t\tbreak\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tassert.Assert(t, foundEntry != nil, \"should find amd64 platform entry\")\n\n\t\t\t\texpectedRef := td.imageRef + \"@\" + td.manifestDigest\n\t\t\t\tassert.Equal(t, foundEntry.Ref, expectedRef)\n\t\t\t\tassert.Equal(t, foundEntry.Descriptor.Digest.String(), td.manifestDigest)\n\t\t\t\tassert.Equal(t, foundEntry.Descriptor.MediaType, testutil.GetTestImagePlatformMediaType(td.imageName, td.platform))\n\t\t\t\tassert.Equal(t, foundEntry.Raw, td.rawData)\n\t\t\t}),\n\t\t},\n\t\t{\n\t\t\tDescription: \"digest-non-verbose\",\n\t\t\tCommand: test.Command(\"manifest\", \"inspect\", td.imageWithDigest()),\n\t\t\tExpected: test.Expects(0, nil, func(stdout string, t tig.T) {\n\t\t\t\tvar manifest manifesttypes.DockerManifestStruct\n\t\t\t\tassert.NilError(t, json.Unmarshal([]byte(stdout), &manifest))\n\n\t\t\t\tassert.Equal(t, manifest.SchemaVersion, testutil.GetTestImageSchemaVersion(td.imageName))\n\t\t\t\tassert.Equal(t, manifest.MediaType, testutil.GetTestImagePlatformMediaType(td.imageName, td.platform))\n\t\t\t\tassert.Equal(t, manifest.Config.Digest.String(), td.configDigest)\n\t\t\t}),\n\t\t},\n\t\t{\n\t\t\tDescription: \"digest-verbose\",\n\t\t\tCommand: test.Command(\"manifest\", \"inspect\", td.imageWithDigest(), \"--verbose\"),\n\t\t\tExpected: test.Expects(0, nil, func(stdout string, t tig.T) {\n\t\t\t\tvar entry manifesttypes.DockerManifestEntry\n\t\t\t\tassert.NilError(t, json.Unmarshal([]byte(stdout), &entry))\n\n\t\t\t\tassert.Equal(t, entry.Ref, td.imageWithDigest())\n\t\t\t\tassert.Equal(t, entry.Descriptor.Digest.String(), td.manifestDigest)\n\t\t\t\tassert.Equal(t, entry.Descriptor.MediaType, testutil.GetTestImagePlatformMediaType(td.imageName, td.platform))\n\t\t\t\tassert.Equal(t, entry.Raw, td.rawData)\n\t\t\t}),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/manifest/manifest_push.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage manifest\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/manifest\"\n)\n\nfunc pushCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"push [OPTIONS] INDEX/MANIFESTLIST\",\n\t\tShort: \"Push a manifest list to a registry\",\n\t\tArgs: cobra.ExactArgs(1),\n\t\tRunE: pushAction,\n\t\tValidArgsFunction: pushShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().Bool(\"insecure\", false, \"Allow communication with an insecure registry\")\n\tcmd.Flags().Bool(\"purge\", false, \"Remove the manifest list after pushing\")\n\treturn cmd\n}\n\nfunc processPushFlags(cmd *cobra.Command) (types.ManifestPushOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.ManifestPushOptions{}, err\n\t}\n\n\tinsecure, err := cmd.Flags().GetBool(\"insecure\")\n\tif err != nil {\n\t\treturn types.ManifestPushOptions{}, err\n\t}\n\tpurge, err := cmd.Flags().GetBool(\"purge\")\n\tif err != nil {\n\t\treturn types.ManifestPushOptions{}, err\n\t}\n\n\treturn types.ManifestPushOptions{\n\t\tStdout: cmd.OutOrStdout(),\n\t\tGOptions: globalOptions,\n\t\tInsecure: insecure,\n\t\tPurge: purge,\n\t}, nil\n}\n\nfunc pushAction(cmd *cobra.Command, args []string) error {\n\tpushOptions, err := processPushFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\terr = manifest.Push(cmd.Context(), args[0], pushOptions)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn nil\n}\n\nfunc pushShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\treturn completion.ImageNames(cmd)\n}\n" }, { "path": "cmd/nerdctl/manifest/manifest_push_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage manifest\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest/registry\"\n)\n\nfunc TestManifestPushErrors(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\tinvalidName := \"invalid/name/with/special@chars\"\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"require-one-argument\",\n\t\t\tCommand: test.Command(\"manifest\", \"push\", \"arg1\", \"arg2\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"invalid-list-name\",\n\t\t\tCommand: test.Command(\"manifest\", \"push\", invalidName),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{errors.New(data.Labels().Get(\"error\"))},\n\t\t\t\t}\n\t\t\t},\n\t\t\tData: test.WithLabels(map[string]string{\n\t\t\t\t\"error\": \"invalid reference format\",\n\t\t\t}),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestManifestPush(t *testing.T) {\n\tnerdtest.Setup()\n\n\tvar registryTokenAuthHTTPSRandom *registry.Server\n\tvar tokenServer *registry.TokenAuthServer\n\n\tmanifestRef := testutil.GetTestImageWithoutTag(\"alpine\") + \"@\" + testutil.GetTestImageManifestDigest(\"alpine\", \"linux/amd64\")\n\texpectedDigest := \"sha256:5317ce2da263afa23570c692d62c1b01381285b2198b3ea9739ce64bec22aff2\"\n\n\ttestCase := &test.Case{\n\t\tRequire: require.All(\n\t\t\trequire.Linux,\n\t\t\tnerdtest.Registry,\n\t\t),\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\tregistryTokenAuthHTTPSRandom, tokenServer = nerdtest.RegistryWithTokenAuth(data, helpers, \"admin\", \"badmin\", 0, true)\n\t\t\ttokenServer.Setup(data, helpers)\n\t\t\tregistryTokenAuthHTTPSRandom.Setup(data, helpers)\n\t\t},\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\tif registryTokenAuthHTTPSRandom != nil {\n\t\t\t\tregistryTokenAuthHTTPSRandom.Cleanup(data, helpers)\n\t\t\t}\n\t\t\tif tokenServer != nil {\n\t\t\t\ttokenServer.Cleanup(data, helpers)\n\t\t\t}\n\t\t},\n\t\tSubTests: []*test.Case{\n\t\t\t{\n\t\t\t\tDescription: \"push-to-registry\",\n\t\t\t\tRequire: require.Not(nerdtest.Docker),\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\ttargetRef := fmt.Sprintf(\"%s:%d/%s\",\n\t\t\t\t\t\tregistryTokenAuthHTTPSRandom.IP.String(), registryTokenAuthHTTPSRandom.Port, \"test-list-push:v1\")\n\t\t\t\t\thelpers.Ensure(\"pull\", manifestRef)\n\t\t\t\t\thelpers.Ensure(\"tag\", manifestRef, targetRef)\n\t\t\t\t\thelpers.Ensure(\"--hosts-dir\", registryTokenAuthHTTPSRandom.HostsDir, \"login\", \"-u\", \"admin\", \"-p\", \"badmin\",\n\t\t\t\t\t\tfmt.Sprintf(\"%s:%d\", registryTokenAuthHTTPSRandom.IP.String(), registryTokenAuthHTTPSRandom.Port))\n\t\t\t\t\thelpers.Ensure(\"push\", \"--hosts-dir\", registryTokenAuthHTTPSRandom.HostsDir, targetRef)\n\t\t\t\t\thelpers.Ensure(\"rmi\", targetRef)\n\t\t\t\t\thelpers.Ensure(\"manifest\", \"create\", \"--insecure\", targetRef+\"-success\", targetRef)\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\ttargetRef := fmt.Sprintf(\"%s:%d/%s\",\n\t\t\t\t\t\tregistryTokenAuthHTTPSRandom.IP.String(), registryTokenAuthHTTPSRandom.Port, \"test-list-push:v1\")\n\t\t\t\t\treturn helpers.Command(\"manifest\", \"push\", \"--insecure\", targetRef+\"-success\")\n\t\t\t\t},\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tExitCode: 0,\n\t\t\t\t\t\tOutput: expect.Contains(data.Labels().Get(\"output\")),\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t\tData: test.WithLabels(map[string]string{\n\t\t\t\t\t\"output\": expectedDigest,\n\t\t\t\t}),\n\t\t\t},\n\t\t\t{\n\t\t\t\tDescription: \"reject-cross-registry-sources\",\n\t\t\t\tRequire: require.Not(nerdtest.Docker),\n\t\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t\ttargetRef := fmt.Sprintf(\"%s:%d/%s\",\n\t\t\t\t\t\tregistryTokenAuthHTTPSRandom.IP.String(), registryTokenAuthHTTPSRandom.Port, \"test-list-push:v1\")\n\t\t\t\t\thelpers.Ensure(\"manifest\", \"create\", \"--insecure\", targetRef+\"-cross\", manifestRef)\n\t\t\t\t},\n\t\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t\ttargetRef := fmt.Sprintf(\"%s:%d/%s\",\n\t\t\t\t\t\tregistryTokenAuthHTTPSRandom.IP.String(), registryTokenAuthHTTPSRandom.Port, \"test-list-push:v1\")\n\t\t\t\t\treturn helpers.Command(\"manifest\", \"push\", \"--insecure\", targetRef+\"-cross\")\n\t\t\t\t},\n\t\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\t\treturn &test.Expected{\n\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t\tErrors: []error{errors.New(data.Labels().Get(\"error\"))},\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t\tData: test.WithLabels(map[string]string{\n\t\t\t\t\t\"error\": \"cannot use source images from a different registry than the target image:\",\n\t\t\t\t}),\n\t\t\t},\n\t\t},\n\t}\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/manifest/manifest_remove.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage manifest\n\nimport (\n\t\"errors\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/manifest\"\n)\n\nfunc removeCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"rm INDEX/MANIFESTLIST [INDEX/MANIFESTLIST...]\",\n\t\tShort: \"Remove one or more index/manifest lists\",\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tRunE: removeAction,\n\t\tValidArgsFunction: removeShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\treturn cmd\n}\n\nfunc removeAction(cmd *cobra.Command, refs []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tvar errs []error\n\tfor _, ref := range refs {\n\t\terr := manifest.Remove(cmd.Context(), ref, globalOptions)\n\t\tif err != nil {\n\t\t\terrs = append(errs, err)\n\t\t}\n\t}\n\treturn errors.Join(errs...)\n}\n\nfunc removeShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\treturn completion.ImageNames(cmd)\n}\n" }, { "path": "cmd/nerdctl/manifest/manifest_remove_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage manifest\n\nimport (\n\t\"errors\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestManifestsRemove(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\tmanifestListName1 := \"example.com/test-list-remove:v1\"\n\tmanifestListName2 := \"example.com/test-list-remove:v2\"\n\tmanifestRef1 := testutil.GetTestImageWithoutTag(\"alpine\") + \"@\" + testutil.GetTestImageManifestDigest(\"alpine\", \"linux/amd64\")\n\tmanifestRef2 := testutil.GetTestImageWithoutTag(\"alpine\") + \"@\" + testutil.GetTestImageManifestDigest(\"alpine\", \"linux/arm64\")\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"remove-several-manifestlists\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tcmd := helpers.Command(\"manifest\", \"create\", manifestListName1, manifestRef1)\n\t\t\t\tcmd.Run(&test.Expected{ExitCode: 0})\n\t\t\t\tcmd = helpers.Command(\"manifest\", \"create\", manifestListName2, manifestRef2)\n\t\t\t\tcmd.Run(&test.Expected{ExitCode: 0})\n\t\t\t},\n\t\t\tCommand: test.Command(\"manifest\", \"rm\", manifestListName1, manifestListName2),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"remove-non-existent-manifestlist\",\n\t\t\tCommand: test.Command(\"manifest\", \"rm\", \"example.com/non-existent:latest\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{errors.New(data.Labels().Get(\"error\"))},\n\t\t\t\t}\n\t\t\t},\n\t\t\tData: test.WithLabels(map[string]string{\n\t\t\t\t\"error\": \"No such manifest: example.com/non-existent:latest\",\n\t\t\t}),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/manifest/manifest_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage manifest\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n)\n\nfunc TestMain(m *testing.M) {\n\ttestutil.M(m)\n}\n" }, { "path": "cmd/nerdctl/namespace/namespace.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage namespace\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n)\n\nfunc Command() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tAnnotations: map[string]string{helpers.Category: helpers.Management},\n\t\tUse: \"namespace\",\n\t\tAliases: []string{\"ns\"},\n\t\tShort: \"Manage containerd namespaces\",\n\t\tLong: \"Unrelated to Linux namespaces and Kubernetes namespaces\",\n\t\tRunE: helpers.UnknownSubcommandAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.AddCommand(listCommand())\n\tcmd.AddCommand(removeCommand())\n\tcmd.AddCommand(createCommand())\n\tcmd.AddCommand(updateCommand())\n\tcmd.AddCommand(inspectCommand())\n\treturn cmd\n}\n" }, { "path": "cmd/nerdctl/namespace/namespace_create.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage namespace\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/namespace\"\n)\n\nfunc createCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"create NAMESPACE\",\n\t\tShort: \"Create a new namespace\",\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tRunE: createAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\n\tcmd.Flags().StringArrayP(\"label\", \"l\", nil, \"Set labels for a namespace\")\n\treturn cmd\n}\n\nfunc processNamespaceCreateCommandOption(cmd *cobra.Command) (types.NamespaceCreateOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.NamespaceCreateOptions{}, err\n\t}\n\tlabels, err := cmd.Flags().GetStringArray(\"label\")\n\tif err != nil {\n\t\treturn types.NamespaceCreateOptions{}, err\n\t}\n\treturn types.NamespaceCreateOptions{\n\t\tGOptions: globalOptions,\n\t\tLabels: labels,\n\t}, nil\n}\n\nfunc createAction(cmd *cobra.Command, args []string) error {\n\toptions, err := processNamespaceCreateCommandOption(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn namespace.Create(ctx, client, args[0], options)\n}\n" }, { "path": "cmd/nerdctl/namespace/namespace_inspect.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage namespace\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/namespace\"\n)\n\nfunc inspectCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"inspect NAMESPACE\",\n\t\tShort: \"Display detailed information on one or more namespaces.\",\n\t\tRunE: inspectAction,\n\t\tValidArgsFunction: namespaceInspectShellComplete,\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().StringP(\"format\", \"f\", \"\", \"Format the output using the given Go template, e.g, '{{json .}}'\")\n\tcmd.RegisterFlagCompletionFunc(\"format\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"json\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\treturn cmd\n}\n\nfunc inspectOptions(cmd *cobra.Command) (types.NamespaceInspectOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.NamespaceInspectOptions{}, err\n\t}\n\tformat, err := cmd.Flags().GetString(\"format\")\n\tif err != nil {\n\t\treturn types.NamespaceInspectOptions{}, err\n\t}\n\treturn types.NamespaceInspectOptions{\n\t\tGOptions: globalOptions,\n\t\tFormat: format,\n\t\tStdout: cmd.OutOrStdout(),\n\t}, nil\n}\n\nfunc inspectAction(cmd *cobra.Command, args []string) error {\n\toptions, err := inspectOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn namespace.Inspect(ctx, client, args, options)\n}\n\nfunc namespaceInspectShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\treturn completion.NamespaceNames(cmd, args, toComplete)\n}\n" }, { "path": "cmd/nerdctl/namespace/namespace_list.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage namespace\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/namespace\"\n)\n\nfunc listCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"ls\",\n\t\tAliases: []string{\"list\"},\n\t\tShort: \"List containerd namespaces\",\n\t\tRunE: listAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().BoolP(\"quiet\", \"q\", false, \"Only display names\")\n\tcmd.Flags().StringP(\"format\", \"f\", \"\", \"Format the output using the given Go template, e.g, '{{json .}}'\")\n\treturn cmd\n}\n\nfunc listOptions(cmd *cobra.Command) (types.NamespaceListOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.NamespaceListOptions{}, err\n\t}\n\tformat, err := cmd.Flags().GetString(\"format\")\n\tif err != nil {\n\t\treturn types.NamespaceListOptions{}, err\n\t}\n\tquiet, err := cmd.Flags().GetBool(\"quiet\")\n\tif err != nil {\n\t\treturn types.NamespaceListOptions{}, err\n\t}\n\treturn types.NamespaceListOptions{\n\t\tGOptions: globalOptions,\n\t\tFormat: format,\n\t\tQuiet: quiet,\n\t\tStdout: cmd.OutOrStdout(),\n\t}, nil\n}\n\nfunc listAction(cmd *cobra.Command, args []string) error {\n\toptions, err := listOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn namespace.List(ctx, client, options)\n}\n" }, { "path": "cmd/nerdctl/namespace/namespace_remove.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage namespace\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/namespace\"\n)\n\nfunc removeCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"remove [flags] NAMESPACE [NAMESPACE...]\",\n\t\tAliases: []string{\"rm\"},\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tShort: \"Remove one or more namespaces\",\n\t\tRunE: removeAction,\n\t\tValidArgsFunction: namespaceRemoveShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().BoolP(\"cgroup\", \"c\", false, \"delete the namespace's cgroup\")\n\treturn cmd\n}\n\nfunc removeOptions(cmd *cobra.Command) (types.NamespaceRemoveOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.NamespaceRemoveOptions{}, err\n\t}\n\tcgroup, err := cmd.Flags().GetBool(\"cgroup\")\n\tif err != nil {\n\t\treturn types.NamespaceRemoveOptions{}, err\n\t}\n\treturn types.NamespaceRemoveOptions{\n\t\tGOptions: globalOptions,\n\t\tCGroup: cgroup,\n\t\tStdout: cmd.OutOrStdout(),\n\t}, nil\n}\n\nfunc removeAction(cmd *cobra.Command, args []string) error {\n\toptions, err := removeOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn namespace.Remove(ctx, client, args, options)\n}\n\nfunc namespaceRemoveShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\treturn completion.NamespaceNames(cmd, args, toComplete)\n}\n" }, { "path": "cmd/nerdctl/namespace/namespace_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage namespace\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n)\n\nfunc TestMain(m *testing.M) {\n\ttestutil.M(m)\n}\n" }, { "path": "cmd/nerdctl/namespace/namespace_update.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage namespace\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/namespace\"\n)\n\nfunc updateCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"update [flags] NAMESPACE\",\n\t\tShort: \"Update labels for a namespace\",\n\t\tRunE: updateAction,\n\t\tValidArgsFunction: namespaceUpdateShellComplete,\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().StringArrayP(\"label\", \"l\", nil, \"Set labels for a namespace (required)\")\n\tcmd.MarkFlagRequired(\"label\")\n\treturn cmd\n}\n\nfunc processNamespaceUpdateCommandOption(cmd *cobra.Command) (types.NamespaceUpdateOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.NamespaceUpdateOptions{}, err\n\t}\n\tlabels, err := cmd.Flags().GetStringArray(\"label\")\n\tif err != nil {\n\t\treturn types.NamespaceUpdateOptions{}, err\n\t}\n\treturn types.NamespaceUpdateOptions{\n\t\tGOptions: globalOptions,\n\t\tLabels: labels,\n\t}, nil\n}\n\nfunc updateAction(cmd *cobra.Command, args []string) error {\n\toptions, err := processNamespaceUpdateCommandOption(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn namespace.Update(ctx, client, args[0], options)\n}\n\nfunc namespaceUpdateShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\treturn completion.NamespaceNames(cmd, args, toComplete)\n}\n" }, { "path": "cmd/nerdctl/network/network.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage network\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n)\n\nfunc Command() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tAnnotations: map[string]string{helpers.Category: helpers.Management},\n\t\tUse: \"network\",\n\t\tShort: \"Manage networks\",\n\t\tRunE: helpers.UnknownSubcommandAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.AddCommand(\n\t\tlistCommand(),\n\t\tinspectCommand(),\n\t\tcreateCommand(),\n\t\tremoveCommand(),\n\t\tpruneCommand(),\n\t)\n\treturn cmd\n}\n" }, { "path": "cmd/nerdctl/network/network_create.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage network\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/network\"\n\t\"github.com/containerd/nerdctl/v2/pkg/identifiers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/strutil\"\n)\n\nfunc createCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"create [flags] NETWORK\",\n\t\tShort: \"Create a network\",\n\t\tLong: `NOTE: To isolate CNI bridge, CNI plugin \"firewall\" (>= v1.1.0) is needed.`,\n\t\tArgs: helpers.IsExactArgs(1),\n\t\tRunE: createAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().StringP(\"driver\", \"d\", DefaultNetworkDriver, \"Driver to manage the Network\")\n\tcmd.RegisterFlagCompletionFunc(\"driver\", completion.NetworkDrivers)\n\tcmd.Flags().StringArrayP(\"opt\", \"o\", nil, \"Set driver specific options\")\n\tcmd.RegisterFlagCompletionFunc(\"opt\", completion.NetworkOptions)\n\tcmd.Flags().String(\"ipam-driver\", \"default\", \"IP Address helpers.Management Driver\")\n\tcmd.RegisterFlagCompletionFunc(\"ipam-driver\", completion.IPAMDrivers)\n\tcmd.Flags().StringArray(\"ipam-opt\", nil, \"Set IPAM driver specific options\")\n\tcmd.Flags().StringArray(\"subnet\", nil, `Subnet in CIDR format that represents a network segment, e.g. \"10.5.0.0/16\"`)\n\tcmd.Flags().String(\"gateway\", \"\", `Gateway for the master subnet`)\n\tcmd.Flags().String(\"ip-range\", \"\", `Allocate container ip from a sub-range`)\n\tcmd.Flags().StringArray(\"label\", nil, \"Set metadata for a network\")\n\tcmd.Flags().Bool(\"ipv6\", false, \"Enable IPv6 networking\")\n\tcmd.Flags().Bool(\"internal\", false, \"Restrict external access to the network\")\n\treturn cmd\n}\n\nfunc createAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tname := args[0]\n\tif err := identifiers.ValidateDockerCompat(name); err != nil {\n\t\treturn fmt.Errorf(\"invalid network name: %w\", err)\n\t}\n\tdriver, err := cmd.Flags().GetString(\"driver\")\n\tif err != nil {\n\t\treturn err\n\t}\n\topts, err := cmd.Flags().GetStringArray(\"opt\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tipamDriver, err := cmd.Flags().GetString(\"ipam-driver\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tipamOpts, err := cmd.Flags().GetStringArray(\"ipam-opt\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tsubnets, err := cmd.Flags().GetStringArray(\"subnet\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tgatewayStr, err := cmd.Flags().GetString(\"gateway\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tipRangeStr, err := cmd.Flags().GetString(\"ip-range\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tlabels, err := cmd.Flags().GetStringArray(\"label\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tlabels = strutil.DedupeStrSlice(labels)\n\tipv6, err := cmd.Flags().GetBool(\"ipv6\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tinternal, err := cmd.Flags().GetBool(\"internal\")\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn network.Create(types.NetworkCreateOptions{\n\t\tGOptions: globalOptions,\n\t\tName: name,\n\t\tDriver: driver,\n\t\tOptions: strutil.ConvertKVStringsToMap(opts),\n\t\tIPAMDriver: ipamDriver,\n\t\tIPAMOptions: strutil.ConvertKVStringsToMap(ipamOpts),\n\t\tSubnets: subnets,\n\t\tGateway: gatewayStr,\n\t\tIPRange: ipRangeStr,\n\t\tLabels: labels,\n\t\tIPv6: ipv6,\n\t\tInternal: internal,\n\t}, cmd.OutOrStdout())\n}\n" }, { "path": "cmd/nerdctl/network/network_create_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage network\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"net\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestNetworkCreate(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"vanilla\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tidentifier := data.Identifier()\n\t\t\t\thelpers.Ensure(\"network\", \"create\", identifier)\n\t\t\t\tnetw := nerdtest.InspectNetwork(helpers, identifier)\n\t\t\t\tassert.Equal(t, len(netw.IPAM.Config), 1)\n\t\t\t\tdata.Labels().Set(\"subnet\", netw.IPAM.Config[0].Subnet)\n\n\t\t\t\thelpers.Ensure(\"network\", \"create\", data.Identifier(\"1\"))\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"network\", \"rm\", data.Identifier())\n\t\t\t\thelpers.Anyhow(\"network\", \"rm\", data.Identifier(\"1\"))\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tdata.Labels().Set(\"container2\", helpers.Capture(\"run\", \"--rm\", \"--net\", data.Identifier(\"1\"), testutil.CommonImage, \"ip\", \"route\"))\n\t\t\t\treturn helpers.Command(\"run\", \"--rm\", \"--net\", data.Identifier(), testutil.CommonImage, \"ip\", \"route\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tErrors: nil,\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tassert.Assert(t, strings.Contains(stdout, data.Labels().Get(\"subnet\")))\n\t\t\t\t\t\tassert.Assert(t, !strings.Contains(data.Labels().Get(\"container2\"), data.Labels().Get(\"subnet\")))\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"with MTU\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"network\", \"create\", data.Identifier(), \"--driver\", \"bridge\", \"--opt\", \"com.docker.network.driver.mtu=9216\")\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"network\", \"rm\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"run\", \"--rm\", \"--net\", data.Identifier(), testutil.CommonImage, \"ifconfig\", \"eth0\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"MTU:9216\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"with ipv6\",\n\t\t\tRequire: nerdtest.OnlyIPv6,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tsubnetStr := \"2001:db8:8::/64\"\n\t\t\t\tdata.Labels().Set(\"subnetStr\", subnetStr)\n\t\t\t\t_, _, err := net.ParseCIDR(subnetStr)\n\t\t\t\tassert.Assert(t, err == nil)\n\n\t\t\t\thelpers.Ensure(\"network\", \"create\", data.Identifier(), \"--ipv6\", \"--subnet\", subnetStr)\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"network\", \"rm\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"run\", \"--rm\", \"--net\", data.Identifier(), testutil.CommonImage, \"ip\", \"addr\", \"show\", \"dev\", \"eth0\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t_, subnet, _ := net.ParseCIDR(data.Labels().Get(\"subnetStr\"))\n\t\t\t\t\t\tip := nerdtest.FindIPv6(stdout)\n\t\t\t\t\t\tassert.Assert(t, subnet.Contains(ip), fmt.Sprintf(\"subnet %s contains ip %s\", subnet, ip))\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"internal enabled\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"network\", \"create\", \"--internal\", data.Identifier())\n\t\t\t\tnetw := nerdtest.InspectNetwork(helpers, data.Identifier())\n\t\t\t\tassert.Equal(t, len(netw.IPAM.Config), 1)\n\t\t\t\tdata.Labels().Set(\"subnet\", netw.IPAM.Config[0].Subnet)\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"network\", \"rm\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"run\", \"--rm\", \"--net\", data.Identifier(), testutil.CommonImage, \"ip\", \"route\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tassert.Assert(t, strings.Contains(stdout, data.Labels().Get(\"subnet\")))\n\t\t\t\t\t\tassert.Assert(t, !strings.Contains(stdout, \"default \"))\n\t\t\t\t\t\tif nerdtest.IsDocker() {\n\t\t\t\t\t\t\treturn\n\t\t\t\t\t\t}\n\t\t\t\t\t\tnativeNet := nerdtest.InspectNetworkNative(helpers, data.Identifier())\n\t\t\t\t\t\tvar cni struct {\n\t\t\t\t\t\t\tPlugins []struct {\n\t\t\t\t\t\t\t\tType string `json:\"type\"`\n\t\t\t\t\t\t\t\tIsGW bool `json:\"isGateway\"`\n\t\t\t\t\t\t\t\tIPMasq bool `json:\"ipMasq\"`\n\t\t\t\t\t\t\t} `json:\"plugins\"`\n\t\t\t\t\t\t}\n\t\t\t\t\t\t_ = json.Unmarshal(nativeNet.CNI, &cni)\n\t\t\t\t\t\t// bridge plugin assertions and no portmap\n\t\t\t\t\t\tfoundBridge := false\n\t\t\t\t\t\tfor _, p := range cni.Plugins {\n\t\t\t\t\t\t\tassert.Assert(t, p.Type != \"portmap\")\n\t\t\t\t\t\t\tif p.Type == \"bridge\" {\n\t\t\t\t\t\t\t\tfoundBridge = true\n\t\t\t\t\t\t\t\tassert.Assert(t, !p.IsGW)\n\t\t\t\t\t\t\t\tassert.Assert(t, !p.IPMasq)\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t\tassert.Assert(t, foundBridge)\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestNetworkCreateICC(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = require.All(\n\t\trequire.Linux,\n\t)\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"with enable_icc=false\",\n\t\t\tRequire: nerdtest.CNIFirewallVersion(\"1.7.1\"),\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t// Create a network with ICC disabled\n\t\t\t\thelpers.Ensure(\"network\", \"create\", data.Identifier(), \"--driver\", \"bridge\",\n\t\t\t\t\t\"--opt\", \"com.docker.network.bridge.enable_icc=false\")\n\n\t\t\t\t// Run a container in that network\n\t\t\t\tdata.Labels().Set(\"container1\", helpers.Capture(\"run\", \"-d\", \"--net\", data.Identifier(),\n\t\t\t\t\t\"--name\", data.Identifier(\"c1\"), testutil.CommonImage, \"sleep\", \"infinity\"))\n\n\t\t\t\t// Wait for container to be running\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier(\"c1\"))\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"container\", \"rm\", \"-f\", data.Identifier(\"c1\"))\n\t\t\t\thelpers.Anyhow(\"network\", \"rm\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t// DEBUG: Check br_netfilter module status\n\t\t\t\thelpers.Custom(\"sh\", \"-ec\", \"lsmod | grep br_netfilter || echo 'br_netfilter not loaded'\").Run(&test.Expected{})\n\t\t\t\thelpers.Custom(\"sh\", \"-ec\", \"cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null || echo 'bridge-nf-call-iptables not available'\").Run(&test.Expected{})\n\t\t\t\thelpers.Custom(\"sh\", \"-ec\", \"ls /proc/sys/net/bridge/ 2>/dev/null || echo 'bridge sysctl not available'\").Run(&test.Expected{})\n\t\t\t\t// Try to ping the other container in the same network\n\t\t\t\t// This should fail when ICC is disabled\n\t\t\t\treturn helpers.Command(\"run\", \"--rm\", \"--net\", data.Identifier(),\n\t\t\t\t\ttestutil.CommonImage, \"ping\", \"-c\", \"1\", \"-W\", \"1\", data.Identifier(\"c1\"))\n\t\t\t},\n\t\t\tExpected: test.Expects(expect.ExitCodeGenericFail, nil, nil), // Expect ping to fail with exit code 1\n\t\t},\n\t\t{\n\t\t\tDescription: \"with enable_icc=true\",\n\t\t\tRequire: nerdtest.CNIFirewallVersion(\"1.7.1\"),\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t// Create a network with ICC enabled (default)\n\t\t\t\thelpers.Ensure(\"network\", \"create\", data.Identifier(), \"--driver\", \"bridge\",\n\t\t\t\t\t\"--opt\", \"com.docker.network.bridge.enable_icc=true\")\n\n\t\t\t\t// Run a container in that network\n\t\t\t\tdata.Labels().Set(\"container1\", helpers.Capture(\"run\", \"-d\", \"--net\", data.Identifier(),\n\t\t\t\t\t\"--name\", data.Identifier(\"c1\"), testutil.CommonImage, \"sleep\", \"infinity\"))\n\t\t\t\t// Wait for container to be running\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier(\"c1\"))\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"container\", \"rm\", \"-f\", data.Identifier(\"c1\"))\n\t\t\t\thelpers.Anyhow(\"network\", \"rm\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t// Try to ping the other container in the same network\n\t\t\t\t// This should succeed when ICC is enabled\n\t\t\t\treturn helpers.Command(\"run\", \"--rm\", \"--net\", data.Identifier(),\n\t\t\t\t\ttestutil.CommonImage, \"ping\", \"-c\", \"1\", \"-W\", \"1\", data.Identifier(\"c1\"))\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, nil), // Expect ping to succeed with exit code 0\n\t\t},\n\t\t{\n\t\t\tDescription: \"with no enable_icc option set\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\t// Create a network with ICC enabled (default)\n\t\t\t\thelpers.Ensure(\"network\", \"create\", data.Identifier(), \"--driver\", \"bridge\")\n\n\t\t\t\t// Run a container in that network\n\t\t\t\tdata.Labels().Set(\"container1\", helpers.Capture(\"run\", \"-d\", \"--net\", data.Identifier(),\n\t\t\t\t\t\"--name\", data.Identifier(\"c1\"), testutil.CommonImage, \"sleep\", \"infinity\"))\n\t\t\t\t// Wait for container to be running\n\t\t\t\tnerdtest.EnsureContainerStarted(helpers, data.Identifier(\"c1\"))\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"container\", \"rm\", \"-f\", data.Identifier(\"c1\"))\n\t\t\t\thelpers.Anyhow(\"network\", \"rm\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t// Try to ping the other container in the same network\n\t\t\t\t// This should succeed when no ICC is set\n\t\t\t\treturn helpers.Command(\"run\", \"--rm\", \"--net\", data.Identifier(),\n\t\t\t\t\ttestutil.CommonImage, \"ping\", \"-c\", \"1\", \"-W\", \"1\", data.Identifier(\"c1\"))\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, nil), // Expect ping to succeed with exit code 0\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/network/network_create_unix.go", "content": "//go:build unix\n\n/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage network\n\nconst DefaultNetworkDriver = \"bridge\"\n" }, { "path": "cmd/nerdctl/network/network_create_windows.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage network\n\nconst DefaultNetworkDriver = \"nat\"\n" }, { "path": "cmd/nerdctl/network/network_inspect.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage network\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/network\"\n)\n\nfunc inspectCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"inspect [flags] NETWORK [NETWORK, ...]\",\n\t\tShort: \"Display detailed information on one or more networks\",\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tRunE: inspectAction,\n\t\tValidArgsFunction: networkInspectShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().String(\"mode\", \"dockercompat\", `Inspect mode, \"dockercompat\" for Docker-compatible output, \"native\" for containerd-native output`)\n\tcmd.RegisterFlagCompletionFunc(\"mode\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"dockercompat\", \"native\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\tcmd.Flags().StringP(\"format\", \"f\", \"\", \"Format the output using the given Go template, e.g, '{{json .}}'\")\n\tcmd.RegisterFlagCompletionFunc(\"format\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"json\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\treturn cmd\n}\n\nfunc inspectAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tmode, err := cmd.Flags().GetString(\"mode\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tformat, err := cmd.Flags().GetString(\"format\")\n\tif err != nil {\n\t\treturn err\n\t}\n\n\toptions := types.NetworkInspectOptions{\n\t\tGOptions: globalOptions,\n\t\tMode: mode,\n\t\tFormat: format,\n\t\tNetworks: args,\n\t\tStdout: cmd.OutOrStdout(),\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn network.Inspect(ctx, client, options)\n}\n\nfunc networkInspectShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t// show network names, including \"bridge\"\n\texclude := []string{\"host\", \"none\"}\n\treturn completion.NetworkNames(cmd, exclude)\n}\n" }, { "path": "cmd/nerdctl/network/network_inspect_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage network\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"os/exec\"\n\t\"runtime\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/inspecttypes/dockercompat\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestNetworkInspect(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\tconst (\n\t\ttestSubnet = \"10.24.24.0/24\"\n\t\ttestGateway = \"10.24.24.1\"\n\t\ttestIPRange = \"10.24.24.0/25\"\n\t)\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"network\", \"create\", data.Identifier(\"basenet\"))\n\t\tdata.Labels().Set(\"basenet\", data.Identifier(\"basenet\"))\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"network\", \"rm\", data.Identifier(\"basenet\"))\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"non existent network\",\n\t\t\tCommand: test.Command(\"network\", \"inspect\", \"nonexistent\"),\n\t\t\t// FIXME: where is this error even comin from?\n\t\t\tExpected: test.Expects(1, []error{errors.New(\"no network found matching\")}, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"invalid name network\",\n\t\t\tCommand: test.Command(\"network\", \"inspect\", \"∞\"),\n\t\t\t// FIXME: this is not even a valid identifier\n\t\t\tExpected: test.Expects(1, []error{errors.New(\"no network found matching\")}, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"none\",\n\t\t\tRequire: nerdtest.NerdctlNeedsFixing(\"no issue opened\"),\n\t\t\tCommand: test.Command(\"network\", \"inspect\", \"none\"),\n\t\t\tExpected: test.Expects(0, nil, func(stdout string, t tig.T) {\n\t\t\t\tvar dc []dockercompat.Network\n\t\t\t\terr := json.Unmarshal([]byte(stdout), &dc)\n\t\t\t\tassert.NilError(t, err, \"Unable to unmarshal output\\n\")\n\t\t\t\tassert.Equal(t, 1, len(dc), \"Unexpectedly got multiple results\\n\")\n\t\t\t\tassert.Equal(t, dc[0].Name, \"none\")\n\t\t\t}),\n\t\t},\n\t\t{\n\t\t\tDescription: \"host\",\n\t\t\tRequire: nerdtest.NerdctlNeedsFixing(\"no issue opened\"),\n\t\t\tCommand: test.Command(\"network\", \"inspect\", \"host\"),\n\t\t\tExpected: test.Expects(0, nil, func(stdout string, t tig.T) {\n\t\t\t\tvar dc []dockercompat.Network\n\t\t\t\terr := json.Unmarshal([]byte(stdout), &dc)\n\t\t\t\tassert.NilError(t, err, \"Unable to unmarshal output\\n\")\n\t\t\t\tassert.Equal(t, 1, len(dc), \"Unexpectedly got multiple results\\n\")\n\t\t\t\tassert.Equal(t, dc[0].Name, \"host\")\n\t\t\t}),\n\t\t},\n\t\t{\n\t\t\tDescription: \"bridge\",\n\t\t\tRequire: require.Not(require.Windows),\n\t\t\tCommand: test.Command(\"network\", \"inspect\", \"bridge\"),\n\t\t\tExpected: test.Expects(0, nil, func(stdout string, t tig.T) {\n\t\t\t\tvar dc []dockercompat.Network\n\t\t\t\terr := json.Unmarshal([]byte(stdout), &dc)\n\t\t\t\tassert.NilError(t, err, \"Unable to unmarshal output\\n\")\n\t\t\t\tassert.Equal(t, 1, len(dc), \"Unexpectedly got multiple results\\n\")\n\t\t\t\tassert.Equal(t, dc[0].Name, \"bridge\")\n\t\t\t}),\n\t\t},\n\t\t{\n\t\t\tDescription: \"nat\",\n\t\t\tRequire: require.Windows,\n\t\t\tCommand: test.Command(\"network\", \"inspect\", \"nat\"),\n\t\t\tExpected: test.Expects(0, nil, func(stdout string, t tig.T) {\n\t\t\t\tvar dc []dockercompat.Network\n\t\t\t\terr := json.Unmarshal([]byte(stdout), &dc)\n\t\t\t\tassert.NilError(t, err, \"Unable to unmarshal output\\n\")\n\t\t\t\tassert.Equal(t, 1, len(dc), \"Unexpectedly got multiple results\\n\")\n\t\t\t\tassert.Equal(t, dc[0].Name, \"nat\")\n\t\t\t}),\n\t\t},\n\t\t{\n\t\t\tDescription: \"custom\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"network\", \"create\", \"custom\")\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"network\", \"remove\", \"custom\")\n\t\t\t},\n\t\t\tCommand: test.Command(\"network\", \"inspect\", \"custom\"),\n\t\t\tExpected: test.Expects(0, nil, func(stdout string, t tig.T) {\n\t\t\t\tvar dc []dockercompat.Network\n\t\t\t\terr := json.Unmarshal([]byte(stdout), &dc)\n\t\t\t\tassert.NilError(t, err, \"Unable to unmarshal output\\n\")\n\t\t\t\tassert.Equal(t, 1, len(dc), \"Unexpectedly got multiple results\\n\")\n\t\t\t\tassert.Equal(t, dc[0].Name, \"custom\")\n\t\t\t}),\n\t\t},\n\t\t{\n\t\t\tDescription: \"match exact id\",\n\t\t\t// See notes below\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tid := strings.TrimSpace(helpers.Capture(\"network\", \"inspect\", data.Labels().Get(\"basenet\"), \"--format\", \"{{ .Id }}\"))\n\t\t\t\treturn helpers.Command(\"network\", \"inspect\", id)\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tvar dc []dockercompat.Network\n\t\t\t\t\t\terr := json.Unmarshal([]byte(stdout), &dc)\n\t\t\t\t\t\tassert.NilError(t, err, \"Unable to unmarshal output\\n\")\n\t\t\t\t\t\tassert.Equal(t, 1, len(dc), \"Unexpectedly got multiple results\\n\")\n\t\t\t\t\t\tassert.Equal(t, dc[0].Name, data.Labels().Get(\"basenet\"))\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"match part of id\",\n\t\t\t// FIXME: for windows, network inspect testnetworkinspect-basenet-468cf999 --format {{ .Id }} MAY fail here\n\t\t\t// This is bizarre, as it is working in the match exact id test - and there does not seem to be a particular reason for that\n\t\t\tRequire: require.Not(require.Windows),\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\tid := strings.TrimSpace(helpers.Capture(\"network\", \"inspect\", data.Labels().Get(\"basenet\"), \"--format\", \"{{ .Id }}\"))\n\t\t\t\treturn helpers.Command(\"network\", \"inspect\", id[0:25])\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tvar dc []dockercompat.Network\n\t\t\t\t\t\terr := json.Unmarshal([]byte(stdout), &dc)\n\t\t\t\t\t\tassert.NilError(t, err, \"Unable to unmarshal output\\n\")\n\t\t\t\t\t\tassert.Equal(t, 1, len(dc), \"Unexpectedly got multiple results\\n\")\n\t\t\t\t\t\tassert.Equal(t, dc[0].Name, data.Labels().Get(\"basenet\"))\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"using another net short id\",\n\t\t\t// FIXME: for windows, network inspect testnetworkinspect-basenet-468cf999 --format {{ .Id }} MAY fail here\n\t\t\t// This is bizarre, as it is working in the match exact id test - and there does not seem to be a particular reason for that\n\t\t\tRequire: require.Not(require.Windows),\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tid := strings.TrimSpace(helpers.Capture(\"network\", \"inspect\", data.Labels().Get(\"basenet\"), \"--format\", \"{{ .Id }}\"))\n\t\t\t\thelpers.Ensure(\"network\", \"create\", id[0:12])\n\t\t\t\tdata.Labels().Set(\"netname\", id[0:12])\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"network\", \"remove\", data.Labels().Get(\"netname\"))\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"network\", \"inspect\", data.Labels().Get(\"netname\"))\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tvar dc []dockercompat.Network\n\t\t\t\t\t\terr := json.Unmarshal([]byte(stdout), &dc)\n\t\t\t\t\t\tassert.NilError(t, err, \"Unable to unmarshal output\\n\")\n\t\t\t\t\t\tassert.Equal(t, 1, len(dc), \"Unexpectedly got multiple results\\n\")\n\t\t\t\t\t\tassert.Equal(t, dc[0].Name, data.Labels().Get(\"netname\"))\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"basic\",\n\t\t\t// FIXME: IPAMConfig is not implemented on Windows yet\n\t\t\tRequire: require.Not(require.Windows),\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"network\", \"create\", \"--label\", \"tag=testNetwork\", \"--subnet\", testSubnet,\n\t\t\t\t\t\"--gateway\", testGateway, \"--ip-range\", testIPRange, data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"network\", \"rm\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"network\", \"inspect\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tvar dc []dockercompat.Network\n\n\t\t\t\t\t\terr := json.Unmarshal([]byte(stdout), &dc)\n\t\t\t\t\t\tassert.NilError(t, err, \"Unable to unmarshal output\\n\")\n\t\t\t\t\t\tassert.Equal(t, 1, len(dc), \"Unexpectedly got multiple results\\n\")\n\t\t\t\t\t\tgot := dc[0]\n\n\t\t\t\t\t\tassert.Equal(t, got.Name, data.Identifier())\n\t\t\t\t\t\tassert.Equal(t, got.Labels[\"tag\"], \"testNetwork\")\n\t\t\t\t\t\tassert.Equal(t, len(got.IPAM.Config), 1)\n\t\t\t\t\t\tassert.Equal(t, got.IPAM.Config[0].Subnet, testSubnet)\n\t\t\t\t\t\tassert.Equal(t, got.IPAM.Config[0].Gateway, testGateway)\n\t\t\t\t\t\tassert.Equal(t, got.IPAM.Config[0].IPRange, testIPRange)\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"with namespace\",\n\t\t\tRequire: require.Not(nerdtest.Docker),\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tidentifier := data.Identifier()\n\t\t\t\thelpers.Anyhow(\"network\", \"rm\", identifier)\n\t\t\t\thelpers.Anyhow(\"namespace\", \"remove\", identifier)\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"network\", \"create\", data.Identifier())\n\t\t\t},\n\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t// Note: some functions need to be tested without the automatic --namespace nerdctl-test argument, so we need\n\t\t\t\t\t\t// to retrieve the binary name.\n\t\t\t\t\t\t// Note that we know this works already, so no need to assert err.\n\t\t\t\t\t\tbin, _ := exec.LookPath(testutil.GetTarget())\n\t\t\t\t\t\tcmd := helpers.Custom(bin, \"--namespace\", data.Identifier())\n\n\t\t\t\t\t\tcom := cmd.Clone()\n\t\t\t\t\t\tcom.WithArgs(\"network\", \"inspect\", data.Identifier())\n\t\t\t\t\t\tcom.Run(&test.Expected{\n\t\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t\t\tErrors: []error{errors.New(\"no network found\")},\n\t\t\t\t\t\t})\n\n\t\t\t\t\t\tcom = cmd.Clone()\n\t\t\t\t\t\tcom.WithArgs(\"network\", \"remove\", data.Identifier())\n\t\t\t\t\t\tcom.Run(&test.Expected{\n\t\t\t\t\t\t\tExitCode: 1,\n\t\t\t\t\t\t\tErrors: []error{errors.New(\"no network found\")},\n\t\t\t\t\t\t})\n\n\t\t\t\t\t\tcom = cmd.Clone()\n\t\t\t\t\t\tcom.WithArgs(\"network\", \"ls\")\n\t\t\t\t\t\tcom.Run(&test.Expected{\n\t\t\t\t\t\t\tOutput: expect.DoesNotContain(data.Identifier()),\n\t\t\t\t\t\t})\n\n\t\t\t\t\t\tcom = cmd.Clone()\n\t\t\t\t\t\tcom.WithArgs(\"network\", \"prune\", \"-f\")\n\t\t\t\t\t\tcom.Run(&test.Expected{\n\t\t\t\t\t\t\tOutput: expect.DoesNotContain(data.Identifier()),\n\t\t\t\t\t\t})\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Verify that only active containers appear in the network inspect output\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"network\", \"create\", data.Identifier(\"nginx-network-1\"))\n\t\t\t\thelpers.Ensure(\"network\", \"create\", data.Identifier(\"nginx-network-2\"))\n\n\t\t\t\t// See https://github.com/containerd/nerdctl/issues/4322\n\t\t\t\t// Maybe network create on windows is asynchronous?\n\t\t\t\tif runtime.GOOS == \"windows\" {\n\t\t\t\t\ttime.Sleep(time.Second)\n\t\t\t\t}\n\n\t\t\t\thelpers.Ensure(\"create\", \"--name\", data.Identifier(\"nginx-container-1\"), \"--network\", data.Identifier(\"nginx-network-1\"), testutil.NginxAlpineImage)\n\t\t\t\thelpers.Ensure(\"create\", \"--name\", data.Identifier(\"nginx-container-2\"), \"--network\", data.Identifier(\"nginx-network-1\"), testutil.NginxAlpineImage)\n\t\t\t\thelpers.Ensure(\"create\", \"--name\", data.Identifier(\"nginx-container-on-diff-network\"), \"--network\", data.Identifier(\"nginx-network-2\"), testutil.NginxAlpineImage)\n\t\t\t\thelpers.Ensure(\"start\", data.Identifier(\"nginx-container-1\"), data.Identifier(\"nginx-container-on-diff-network\"))\n\t\t\t\tdata.Labels().Set(\"nginx-container-1-id\", strings.Trim(helpers.Capture(\"inspect\", data.Identifier(\"nginx-container-1\"), \"--format\", \"{{.Id}}\"), \"\\n\"))\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"nginx-container-1\"))\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"nginx-container-2\"))\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier(\"nginx-container-on-diff-network\"))\n\t\t\t\thelpers.Anyhow(\"network\", \"remove\", data.Identifier(\"nginx-network-1\"))\n\t\t\t\thelpers.Anyhow(\"network\", \"remove\", data.Identifier(\"nginx-network-2\"))\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"network\", \"inspect\", data.Identifier(\"nginx-network-1\"))\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tvar dc []dockercompat.Network\n\t\t\t\t\t\terr := json.Unmarshal([]byte(stdout), &dc)\n\t\t\t\t\t\tassert.NilError(t, err, \"Unable to unmarshal output\\n\")\n\t\t\t\t\t\tassert.Equal(t, 1, len(dc), \"Unexpectedly got multiple results\\n\")\n\t\t\t\t\t\tassert.Equal(t, dc[0].Name, data.Identifier(\"nginx-network-1\"))\n\t\t\t\t\t\t// Assert only the \"running\" containers on the same network are returned.\n\t\t\t\t\t\tassert.Equal(t, 1, len(dc[0].Containers), \"Expected a single container as per configuration, but got multiple.\")\n\t\t\t\t\t\tassert.Equal(t, data.Identifier(\"nginx-container-1\"), dc[0].Containers[data.Labels().Get(\"nginx-container-1-id\")].Name)\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Display containers belonging to multiple networks in the output of nerdctl network inspect\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"network\", \"create\", data.Identifier(\"network-1\"))\n\t\t\t\thelpers.Ensure(\"network\", \"create\", data.Identifier(\"network-2\"))\n\n\t\t\t\t// See https://github.com/containerd/nerdctl/issues/4322\n\t\t\t\t// Maybe network create on windows is asynchronous?\n\t\t\t\tif runtime.GOOS == \"windows\" {\n\t\t\t\t\ttime.Sleep(time.Second)\n\t\t\t\t}\n\n\t\t\t\tcontainerID := helpers.Capture(\"run\", \"-d\", \"--name\", data.Identifier(), \"--network\", data.Identifier(\"network-1\"), \"--network\", data.Identifier(\"network-2\"), testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\n\t\t\t\tdata.Labels().Set(\"containerID\", strings.Trim(containerID, \"\\n\"))\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\thelpers.Anyhow(\"network\", \"remove\", data.Identifier(\"network-1\"))\n\t\t\t\thelpers.Anyhow(\"network\", \"remove\", data.Identifier(\"network-2\"))\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"network\", \"inspect\", data.Identifier(\"network-1\"))\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.JSON([]dockercompat.Network{}, func(dc []dockercompat.Network, t tig.T) {\n\t\t\t\t\t\tassert.Equal(t, 1, len(dc), \"Unexpectedly got multiple results\\n\")\n\t\t\t\t\t\tassert.Equal(t, dc[0].Name, data.Identifier(\"network-1\"))\n\t\t\t\t\t\tassert.Equal(t, 1, len(dc[0].Containers), \"Expected a single container as per configuration, but got multiple.\")\n\t\t\t\t\t\tassert.Equal(t, data.Identifier(), dc[0].Containers[data.Labels().Get(\"containerID\")].Name)\n\t\t\t\t\t}),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Display only containers attached to the specific network\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"network\", \"create\", data.Identifier(\"some-network\"))\n\t\t\t\thelpers.Ensure(\"network\", \"create\", data.Identifier(\"some-network-as-well\"))\n\n\t\t\t\t// See https://github.com/containerd/nerdctl/issues/4322\n\t\t\t\t// Maybe network create on windows is asynchronous?\n\t\t\t\tif runtime.GOOS == \"windows\" {\n\t\t\t\t\ttime.Sleep(time.Second)\n\t\t\t\t}\n\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--name\", data.Identifier(), \"--network\", data.Identifier(\"some-network-as-well\"), testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\thelpers.Anyhow(\"network\", \"remove\", data.Identifier(\"some-network\"))\n\t\t\t\thelpers.Anyhow(\"network\", \"remove\", data.Identifier(\"some-network-as-well\"))\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"network\", \"inspect\", data.Identifier(\"some-network\"))\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.JSON([]dockercompat.Network{}, func(dc []dockercompat.Network, t tig.T) {\n\t\t\t\t\t\tassert.Equal(t, 1, len(dc), \"Unexpectedly got multiple results\\n\")\n\t\t\t\t\t\tassert.Equal(t, dc[0].Name, data.Identifier(\"some-network\"))\n\t\t\t\t\t\tassert.Equal(t, 0, len(dc[0].Containers), \"Expected no containers as per configuration, but got multiple.\")\n\t\t\t\t\t}),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/network/network_list.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage network\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/network\"\n)\n\nfunc listCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"ls\",\n\t\tAliases: []string{\"list\"},\n\t\tShort: \"List networks\",\n\t\tArgs: cobra.NoArgs,\n\t\tRunE: listAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().BoolP(\"quiet\", \"q\", false, \"Only display network IDs\")\n\tcmd.Flags().StringSliceP(\"filter\", \"f\", []string{}, \"Provide filter values (e.g. \\\"name=default\\\")\")\n\tcmd.Flags().String(\"format\", \"\", \"Format the output using the given Go template, e.g, '{{json .}}'\")\n\tcmd.RegisterFlagCompletionFunc(\"format\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"json\", \"table\", \"wide\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\treturn cmd\n}\n\nfunc listAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tquiet, err := cmd.Flags().GetBool(\"quiet\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tformat, err := cmd.Flags().GetString(\"format\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tfilters, err := cmd.Flags().GetStringSlice(\"filter\")\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn network.List(cmd.Context(), types.NetworkListOptions{\n\t\tGOptions: globalOptions,\n\t\tQuiet: quiet,\n\t\tFormat: format,\n\t\tFilters: filters,\n\t\tStdout: cmd.OutOrStdout(),\n\t})\n}\n" }, { "path": "cmd/nerdctl/network/network_list_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage network\n\nimport (\n\t\"strings\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestNetworkLsFilter(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tdata.Labels().Set(\"identifier\", data.Identifier())\n\t\tdata.Labels().Set(\"label\", \"mylabel=label-1\")\n\t\tdata.Labels().Set(\"net1\", data.Identifier(\"1\"))\n\t\tdata.Labels().Set(\"net2\", data.Identifier(\"2\"))\n\t\tdata.Labels().Set(\"netID1\", helpers.Capture(\"network\", \"create\", \"--label=\"+data.Labels().Get(\"label\"), data.Labels().Get(\"net1\")))\n\t\tdata.Labels().Set(\"netID2\", helpers.Capture(\"network\", \"create\", data.Labels().Get(\"net2\")))\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"network\", \"rm\", data.Identifier(\"1\"))\n\t\thelpers.Anyhow(\"network\", \"rm\", data.Identifier(\"2\"))\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"filter label\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"network\", \"ls\", \"--quiet\", \"--filter\", \"label=\"+data.Labels().Get(\"label\"))\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tvar lines = strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\t\t\t\tassert.Assert(t, len(lines) >= 1, \"expected at least one line\\n\")\n\t\t\t\t\t\tnetNames := map[string]struct{}{\n\t\t\t\t\t\t\tdata.Labels().Get(\"netID1\")[:12]: {},\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tfor _, name := range lines {\n\t\t\t\t\t\t\t_, ok := netNames[name]\n\t\t\t\t\t\t\tassert.Assert(t, ok, \"expected to find name\\n\")\n\t\t\t\t\t\t}\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"filter name\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"network\", \"ls\", \"--quiet\", \"--filter\", \"name=\"+data.Labels().Get(\"net2\"))\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tvar lines = strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\t\t\t\tassert.Assert(t, len(lines) >= 1, \"expected at least one line\\n\")\n\t\t\t\t\t\tnetNames := map[string]struct{}{\n\t\t\t\t\t\t\tdata.Labels().Get(\"netID2\")[:12]: {},\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tfor _, name := range lines {\n\t\t\t\t\t\t\t_, ok := netNames[name]\n\t\t\t\t\t\t\tassert.Assert(t, ok, \"expected to find name\\n\")\n\t\t\t\t\t\t}\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"filter name regexp\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"network\", \"ls\", \"--quiet\", \"--filter\", \"name=.*\"+data.Labels().Get(\"net2\")+\".*\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tvar lines = strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\t\t\t\tassert.Assert(t, len(lines) >= 1)\n\t\t\t\t\t\tnetNames := map[string]struct{}{\n\t\t\t\t\t\t\tdata.Labels().Get(\"netID2\")[:12]: {},\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tfor _, name := range lines {\n\t\t\t\t\t\t\t_, ok := netNames[name]\n\t\t\t\t\t\t\tassert.Assert(t, ok)\n\t\t\t\t\t\t}\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/network/network_prune.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage network\n\nimport (\n\t\"fmt\"\n\t\"strings\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/network\"\n)\n\nvar NetworkDriversToKeep = []string{\"host\", \"none\", DefaultNetworkDriver}\n\nfunc pruneCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"prune [flags]\",\n\t\tShort: \"Remove all unused networks\",\n\t\tArgs: cobra.NoArgs,\n\t\tRunE: pruneAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().BoolP(\"force\", \"f\", false, \"Do not prompt for confirmation\")\n\treturn cmd\n}\n\nfunc pruneAction(cmd *cobra.Command, _ []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tforce, err := cmd.Flags().GetBool(\"force\")\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif !force {\n\t\tvar confirm string\n\t\tmsg := \"This will remove all custom networks not used by at least one container.\"\n\t\tmsg += \"\\nAre you sure you want to continue? [y/N] \"\n\n\t\tfmt.Fprintf(cmd.OutOrStdout(), \"WARNING! %s\", msg)\n\t\tfmt.Fscanf(cmd.InOrStdin(), \"%s\", &confirm)\n\n\t\tif strings.ToLower(confirm) != \"y\" {\n\t\t\treturn nil\n\t\t}\n\t}\n\toptions := types.NetworkPruneOptions{\n\t\tGOptions: globalOptions,\n\t\tNetworkDriversToKeep: NetworkDriversToKeep,\n\t\tStdout: cmd.OutOrStdout(),\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn network.Prune(ctx, client, options)\n}\n" }, { "path": "cmd/nerdctl/network/network_prune_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage network\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestNetworkPrune(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = nerdtest.Private\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"Prune does not collect started container network\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tidentifier := data.Identifier()\n\t\t\t\thelpers.Ensure(\"network\", \"create\", identifier)\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--net\", identifier, \"--name\", identifier, testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\thelpers.Anyhow(\"network\", \"rm\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: test.Command(\"network\", \"prune\", \"-f\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.DoesNotContain(data.Identifier()),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Prune does collect stopped container network\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"network\", \"create\", data.Identifier())\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--net\", data.Identifier(), \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t\thelpers.Ensure(\"stop\", data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\thelpers.Anyhow(\"network\", \"rm\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: test.Command(\"network\", \"prune\", \"-f\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.Contains(data.Identifier()),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/network/network_remove.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage network\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/network\"\n\t\"github.com/containerd/nerdctl/v2/pkg/netutil\"\n)\n\nfunc removeCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"rm [flags] NETWORK [NETWORK, ...]\",\n\t\tAliases: []string{\"remove\"},\n\t\tShort: \"Remove one or more networks\",\n\t\tLong: \"NOTE: network in use is deleted without caution\",\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tRunE: removeAction,\n\t\tValidArgsFunction: networkRmShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\treturn cmd\n}\n\nfunc removeAction(cmd *cobra.Command, args []string) error {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\toptions := types.NetworkRemoveOptions{\n\t\tGOptions: globalOptions,\n\t\tNetworks: args,\n\t\tStdout: cmd.OutOrStdout(),\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn network.Remove(ctx, client, options)\n}\n\nfunc networkRmShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t// show network names, including \"bridge\"\n\texclude := []string{netutil.DefaultNetworkName, \"host\", \"none\"}\n\treturn completion.NetworkNames(cmd, exclude)\n}\n" }, { "path": "cmd/nerdctl/network/network_remove_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage network\n\nimport (\n\t\"errors\"\n\t\"testing\"\n\n\t\"github.com/vishvananda/netlink\"\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestNetworkRemove(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = nerdtest.Rootful\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"Simple network remove\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\tidentifier := data.Identifier()\n\t\t\t\thelpers.Ensure(\"network\", \"create\", identifier)\n\t\t\t\tdata.Labels().Set(\"netID\", nerdtest.InspectNetwork(helpers, identifier).ID)\n\t\t\t\thelpers.Ensure(\"run\", \"--rm\", \"--net\", identifier, \"--name\", identifier, testutil.CommonImage)\n\t\t\t\t// Verity the network is here\n\t\t\t\t_, err := netlink.LinkByName(\"br-\" + data.Labels().Get(\"netID\")[:12])\n\t\t\t\tassert.NilError(t, err, \"failed to find network br-\"+data.Labels().Get(\"netID\")[:12], \"%v\")\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"network\", \"rm\", data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"network\", \"rm\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t_, err := netlink.LinkByName(\"br-\" + data.Labels().Get(\"netID\")[:12])\n\t\t\t\t\t\tassert.Error(t, err, \"Link not found\")\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Network remove when linked to container\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"network\", \"create\", data.Identifier())\n\t\t\t\thelpers.Ensure(\"run\", \"-d\", \"--net\", data.Identifier(), \"--name\", data.Identifier(), testutil.CommonImage, \"sleep\", nerdtest.Infinity)\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"network\", \"rm\", data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\thelpers.Anyhow(\"network\", \"rm\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: test.Expects(1, []error{errors.New(\"is in use\")}, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"Network remove by id\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"network\", \"create\", data.Identifier())\n\t\t\t\tdata.Labels().Set(\"netID\", nerdtest.InspectNetwork(helpers, data.Identifier()).ID)\n\t\t\t\thelpers.Ensure(\"run\", \"--rm\", \"--net\", data.Identifier(), \"--name\", data.Identifier(), testutil.CommonImage)\n\t\t\t\t// Verity the network is here\n\t\t\t\t_, err := netlink.LinkByName(\"br-\" + data.Labels().Get(\"netID\")[:12])\n\t\t\t\tassert.NilError(t, err, \"failed to find network br-\"+data.Labels().Get(\"netID\")[:12], \"%v\")\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"network\", \"rm\", data.Labels().Get(\"netID\"))\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"network\", \"rm\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t_, err := netlink.LinkByName(\"br-\" + data.Labels().Get(\"netID\")[:12])\n\t\t\t\t\t\tassert.Error(t, err, \"Link not found\")\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Network remove by short id\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"network\", \"create\", data.Identifier())\n\t\t\t\tdata.Labels().Set(\"netID\", nerdtest.InspectNetwork(helpers, data.Identifier()).ID)\n\t\t\t\thelpers.Ensure(\"run\", \"--rm\", \"--net\", data.Identifier(), \"--name\", data.Identifier(), testutil.CommonImage)\n\t\t\t\t// Verity the network is here\n\t\t\t\t_, err := netlink.LinkByName(\"br-\" + data.Labels().Get(\"netID\")[:12])\n\t\t\t\tassert.NilError(t, err, \"failed to find network br-\"+data.Labels().Get(\"netID\")[:12], \"%v\")\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"network\", \"rm\", data.Labels().Get(\"netID\")[:12])\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"network\", \"rm\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\t_, err := netlink.LinkByName(\"br-\" + data.Labels().Get(\"netID\")[:12])\n\t\t\t\t\t\tassert.Error(t, err, \"Link not found\")\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/network/network_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage network\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n)\n\nfunc TestMain(m *testing.M) {\n\ttestutil.M(m)\n}\n" }, { "path": "cmd/nerdctl/search/search.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage search\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/search\"\n)\n\nfunc Command() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"search [OPTIONS] TERM\",\n\t\tShort: \"Search registry for images\",\n\t\tArgs: cobra.ExactArgs(1),\n\t\tRunE: runSearch,\n\t\tDisableFlagsInUseLine: true,\n\t}\n\n\tflags := cmd.Flags()\n\n\tflags.Bool(\"no-trunc\", false, \"Don't truncate output\")\n\tflags.StringSliceP(\"filter\", \"f\", nil, \"Filter output based on conditions provided\")\n\tflags.Int(\"limit\", 0, \"Max number of search results\")\n\tflags.String(\"format\", \"\", \"Pretty-print search using a Go template\")\n\n\treturn cmd\n}\n\nfunc processSearchFlags(cmd *cobra.Command) (types.SearchOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.SearchOptions{}, err\n\t}\n\n\tnoTrunc, err := cmd.Flags().GetBool(\"no-trunc\")\n\tif err != nil {\n\t\treturn types.SearchOptions{}, err\n\t}\n\tlimit, err := cmd.Flags().GetInt(\"limit\")\n\tif err != nil {\n\t\treturn types.SearchOptions{}, err\n\t}\n\tformat, err := cmd.Flags().GetString(\"format\")\n\tif err != nil {\n\t\treturn types.SearchOptions{}, err\n\t}\n\tfilter, err := cmd.Flags().GetStringSlice(\"filter\")\n\tif err != nil {\n\t\treturn types.SearchOptions{}, err\n\t}\n\n\treturn types.SearchOptions{\n\t\tStdout: cmd.OutOrStdout(),\n\t\tGOptions: globalOptions,\n\t\tNoTrunc: noTrunc,\n\t\tLimit: limit,\n\t\tFilters: filter,\n\t\tFormat: format,\n\t}, nil\n}\n\nfunc runSearch(cmd *cobra.Command, args []string) error {\n\toptions, err := processSearchFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn search.Search(cmd.Context(), args[0], options)\n}\n" }, { "path": "cmd/nerdctl/search/search_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage search\n\nimport (\n\t\"errors\"\n\t\"regexp\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\n// All tests in this file are based on the output of `nerdctl search alpine`.\n//\n// Expected output format (default behavior with --limit 10):\n//\n// NAME DESCRIPTION STARS OFFICIAL\n// alpine A minimal Docker image based on Alpine Linux… 11437 [OK]\n// alpine/git A simple git container running in alpine li… 249\n// alpine/socat Run socat command in alpine container 115\n// alpine/helm Auto-trigger docker build for kubernetes hel… 69\n// alpine/curl 11\n// alpine/k8s Kubernetes toolbox for EKS (kubectl, helm, i… 64\n// alpine/bombardier Auto-trigger docker build for bombardier whe… 28\n// alpine/httpie Auto-trigger docker build for `httpie` when … 21\n// alpine/terragrunt Auto-trigger docker build for terragrunt whe… 18\n// alpine/openssl openssl 7\n\nfunc TestSearch(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"basic-search\",\n\t\t\tCommand: test.Command(\"search\", \"alpine\", \"--limit\", \"5\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeSuccess,\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\texpect.Contains(\"NAME\"),\n\t\t\t\t\t\texpect.Contains(\"DESCRIPTION\"),\n\t\t\t\t\t\texpect.Contains(\"STARS\"),\n\t\t\t\t\t\texpect.Contains(\"OFFICIAL\"),\n\t\t\t\t\t\texpect.Match(regexp.MustCompile(`NAME\\s+DESCRIPTION\\s+STARS\\s+OFFICIAL`)),\n\t\t\t\t\t\texpect.Contains(\"alpine\"),\n\t\t\t\t\t\texpect.Match(regexp.MustCompile(`alpine\\s+A minimal Docker image based on Alpine Linux`)),\n\t\t\t\t\t\texpect.Match(regexp.MustCompile(`alpine\\s+.*\\s+\\d+\\s+\\[OK\\]`)),\n\t\t\t\t\t\texpect.Contains(\"[OK]\"),\n\t\t\t\t\t\texpect.Match(regexp.MustCompile(`alpine/\\w+`)),\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"search-library-image\",\n\t\t\tCommand: test.Command(\"search\", \"library/alpine\", \"--limit\", \"5\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeSuccess,\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\texpect.Contains(\"NAME\"),\n\t\t\t\t\t\texpect.Contains(\"DESCRIPTION\"),\n\t\t\t\t\t\texpect.Contains(\"STARS\"),\n\t\t\t\t\t\texpect.Contains(\"OFFICIAL\"),\n\t\t\t\t\t\texpect.Contains(\"alpine\"),\n\t\t\t\t\t\texpect.Match(regexp.MustCompile(`alpine\\s+.*\\s+\\d+\\s+\\[OK\\]`)),\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"search-with-no-trunc\",\n\t\t\tCommand: test.Command(\"search\", \"alpine\", \"--limit\", \"3\", \"--no-trunc\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeSuccess,\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\texpect.Contains(\"NAME\"),\n\t\t\t\t\t\texpect.Contains(\"DESCRIPTION\"),\n\t\t\t\t\t\texpect.Contains(\"alpine\"),\n\t\t\t\t\t\t// With --no-trunc, the full description should be visible (not truncated with …)\n\t\t\t\t\t\texpect.Match(regexp.MustCompile(`alpine\\s+A minimal Docker image based on Alpine Linux with a complete package index and only 5 MB in size!`)),\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"search-with-format\",\n\t\t\tCommand: test.Command(\"search\", \"alpine\", \"--limit\", \"2\", \"--format\", \"{{.Name}}: {{.StarCount}}\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeSuccess,\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\texpect.Match(regexp.MustCompile(`alpine:\\s*\\d+`)),\n\t\t\t\t\t\texpect.DoesNotContain(\"NAME\"),\n\t\t\t\t\t\texpect.DoesNotContain(\"DESCRIPTION\"),\n\t\t\t\t\t\texpect.DoesNotContain(\"OFFICIAL\"),\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"search-output-format\",\n\t\t\tCommand: test.Command(\"search\", \"alpine\", \"--limit\", \"5\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeSuccess,\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\texpect.Match(regexp.MustCompile(`NAME\\s+DESCRIPTION\\s+STARS\\s+OFFICIAL`)),\n\t\t\t\t\t\texpect.Match(regexp.MustCompile(`(?m)^alpine\\s+.*\\s+\\d+\\s+\\[OK\\]\\s*$`)),\n\t\t\t\t\t\texpect.Match(regexp.MustCompile(`(?m)^alpine/\\w+\\s+.*\\s+\\d+\\s*$`)),\n\t\t\t\t\t\texpect.DoesNotMatch(regexp.MustCompile(`(?m)^\\s+\\d+\\s*$`)),\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"search-description-formatting\",\n\t\t\tCommand: test.Command(\"search\", \"alpine\", \"--limit\", \"10\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeSuccess,\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\texpect.Match(regexp.MustCompile(`Alpine Linux…`)),\n\t\t\t\t\t\texpect.DoesNotMatch(regexp.MustCompile(`(?m)^\\s+\\d+\\s+`)),\n\t\t\t\t\t\texpect.Match(regexp.MustCompile(`(?m)^[a-z0-9/_-]+\\s+.*\\s+\\d+`)),\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestSearchWithFilter(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"filter-is-official-true\",\n\t\t\tCommand: test.Command(\"search\", \"alpine\", \"--filter\", \"is-official=true\", \"--limit\", \"5\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeSuccess,\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\texpect.Contains(\"NAME\"),\n\t\t\t\t\t\texpect.Contains(\"OFFICIAL\"),\n\t\t\t\t\t\texpect.Contains(\"alpine\"),\n\t\t\t\t\t\texpect.Contains(\"[OK]\"),\n\t\t\t\t\t\texpect.Match(regexp.MustCompile(`alpine\\s+.*\\s+\\d+\\s+\\[OK\\]`)),\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"filter-stars\",\n\t\t\tCommand: test.Command(\"search\", \"alpine\", \"--filter\", \"stars=10000\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeSuccess,\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\texpect.Contains(\"NAME\"),\n\t\t\t\t\t\texpect.Contains(\"STARS\"),\n\t\t\t\t\t\texpect.Contains(\"alpine\"),\n\t\t\t\t\t\t// The official alpine image has > 10000 stars\n\t\t\t\t\t\texpect.Match(regexp.MustCompile(`alpine\\s+.*\\s+\\d{4,}\\s+\\[OK\\]`)),\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n\nfunc TestSearchFilterErrors(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"invalid-filter-format\",\n\t\t\tCommand: test.Command(\"search\", \"alpine\", \"--filter\", \"foo\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeGenericFail,\n\t\t\t\t\tErrors: []error{errors.New(\"bad format of filter (expected name=value)\")},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"invalid-filter-key\",\n\t\t\tCommand: test.Command(\"search\", \"alpine\", \"--filter\", \"foo=bar\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeGenericFail,\n\t\t\t\t\tErrors: []error{errors.New(\"invalid filter 'foo'\")},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"invalid-stars-value\",\n\t\t\tCommand: test.Command(\"search\", \"alpine\", \"--filter\", \"stars=abc\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeGenericFail,\n\t\t\t\t\tErrors: []error{errors.New(\"invalid filter 'stars=abc'\")},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"invalid-is-official-value\",\n\t\t\tCommand: test.Command(\"search\", \"alpine\", \"--filter\", \"is-official=abc\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeGenericFail,\n\t\t\t\t\tErrors: []error{errors.New(\"invalid filter 'is-official=abc'\")},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/search/search_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage search\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n)\n\nfunc TestMain(m *testing.M) {\n\ttestutil.M(m)\n}\n" }, { "path": "cmd/nerdctl/system/system.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage system\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n)\n\nfunc Command() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tAnnotations: map[string]string{helpers.Category: helpers.Management},\n\t\tUse: \"system\",\n\t\tShort: \"Manage containerd\",\n\t\tRunE: helpers.UnknownSubcommandAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\t// versionCommand is not here\n\tcmd.AddCommand(\n\t\tEventsCommand(),\n\t\tInfoCommand(),\n\t\tpruneCommand(),\n\t)\n\treturn cmd\n}\n" }, { "path": "cmd/nerdctl/system/system_events.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage system\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/system\"\n)\n\nfunc EventsCommand() *cobra.Command {\n\tshortHelp := `Get real time events from the server`\n\tlongHelp := shortHelp + \"\\nNOTE: The output format is not compatible with Docker.\"\n\tvar cmd = &cobra.Command{\n\t\tUse: \"events\",\n\t\tArgs: cobra.NoArgs,\n\t\tShort: shortHelp,\n\t\tLong: longHelp,\n\t\tRunE: eventsAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().String(\"format\", \"\", \"Format the output using the given Go template, e.g, '{{json .}}'\")\n\tcmd.RegisterFlagCompletionFunc(\"format\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"json\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\tcmd.Flags().StringSliceP(\"filter\", \"f\", []string{}, \"Filter matches containers based on given conditions\")\n\treturn cmd\n}\n\nfunc eventsOptions(cmd *cobra.Command) (types.SystemEventsOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.SystemEventsOptions{}, err\n\t}\n\tformat, err := cmd.Flags().GetString(\"format\")\n\tif err != nil {\n\t\treturn types.SystemEventsOptions{}, err\n\t}\n\tfilters, err := cmd.Flags().GetStringSlice(\"filter\")\n\tif err != nil {\n\t\treturn types.SystemEventsOptions{}, err\n\t}\n\treturn types.SystemEventsOptions{\n\t\tStdout: cmd.OutOrStdout(),\n\t\tGOptions: globalOptions,\n\t\tFormat: format,\n\t\tFilters: filters,\n\t}, nil\n}\n\nfunc eventsAction(cmd *cobra.Command, args []string) error {\n\toptions, err := eventsOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\treturn system.Events(ctx, client, options)\n}\n" }, { "path": "cmd/nerdctl/system/system_events_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage system\n\nimport (\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc testEventFilterExecutor(data test.Data, helpers test.Helpers) test.TestableCommand {\n\thelpers.Ensure(\"pull\", testutil.CommonImage)\n\tcmd := helpers.Command(\"events\", \"--filter\", data.Labels().Get(\"filter\"), \"--format\", \"json\")\n\t// 3 seconds is too short on slow rig (EL8)\n\tcmd.WithTimeout(10 * time.Second)\n\tcmd.Background()\n\thelpers.Ensure(\"run\", \"--rm\", testutil.CommonImage)\n\treturn cmd\n}\n\nfunc TestEventFilters(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"CapitalizedFilter\",\n\t\t\tRequire: require.Not(nerdtest.Docker),\n\t\t\tCommand: testEventFilterExecutor,\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeTimeout,\n\t\t\t\t\tOutput: expect.Contains(data.Labels().Get(\"output\")),\n\t\t\t\t}\n\t\t\t},\n\t\t\tData: test.WithLabels(map[string]string{\n\t\t\t\t\"filter\": \"event=START\",\n\t\t\t\t\"output\": \"\\\"Status\\\":\\\"start\\\"\",\n\t\t\t}),\n\t\t},\n\t\t{\n\t\t\tDescription: \"StartEventFilter\",\n\t\t\tCommand: testEventFilterExecutor,\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeTimeout,\n\t\t\t\t\tOutput: expect.Contains(data.Labels().Get(\"output\")),\n\t\t\t\t}\n\t\t\t},\n\t\t\tData: test.WithLabels(map[string]string{\n\t\t\t\t\"filter\": \"event=start\",\n\t\t\t\t\"output\": \"tatus\\\":\\\"start\\\"\",\n\t\t\t}),\n\t\t},\n\t\t{\n\t\t\tDescription: \"UnsupportedEventFilter\",\n\t\t\tRequire: require.Not(nerdtest.Docker),\n\t\t\tCommand: testEventFilterExecutor,\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeTimeout,\n\t\t\t\t\tOutput: expect.Contains(data.Labels().Get(\"output\")),\n\t\t\t\t}\n\t\t\t},\n\t\t\tData: test.WithLabels(map[string]string{\n\t\t\t\t\"filter\": \"event=unknown\",\n\t\t\t\t\"output\": \"\\\"Status\\\":\\\"unknown\\\"\",\n\t\t\t}),\n\t\t},\n\t\t{\n\t\t\tDescription: \"StatusFilter\",\n\t\t\tCommand: testEventFilterExecutor,\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeTimeout,\n\t\t\t\t\tOutput: expect.Contains(data.Labels().Get(\"output\")),\n\t\t\t\t}\n\t\t\t},\n\t\t\tData: test.WithLabels(map[string]string{\n\t\t\t\t\"filter\": \"status=start\",\n\t\t\t\t\"output\": \"tatus\\\":\\\"start\\\"\",\n\t\t\t}),\n\t\t},\n\t\t{\n\t\t\tDescription: \"UnsupportedStatusFilter\",\n\t\t\tRequire: require.Not(nerdtest.Docker),\n\t\t\tCommand: testEventFilterExecutor,\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: expect.ExitCodeTimeout,\n\t\t\t\t\tOutput: expect.Contains(data.Labels().Get(\"output\")),\n\t\t\t\t}\n\t\t\t},\n\t\t\tData: test.WithLabels(map[string]string{\n\t\t\t\t\"filter\": \"status=unknown\",\n\t\t\t\t\"output\": \"\\\"Status\\\":\\\"unknown\\\"\",\n\t\t\t}),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/system/system_info.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage system\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/system\"\n)\n\nfunc InfoCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"info\",\n\t\tArgs: cobra.NoArgs,\n\t\tShort: \"Display system-wide information\",\n\t\tRunE: infoAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().String(\"mode\", \"dockercompat\", `Information mode, \"dockercompat\" for Docker-compatible output, \"native\" for containerd-native output`)\n\tcmd.RegisterFlagCompletionFunc(\"mode\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"dockercompat\", \"native\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\tcmd.Flags().StringP(\"format\", \"f\", \"\", \"Format the output using the given Go template, e.g, '{{json .}}'\")\n\tcmd.RegisterFlagCompletionFunc(\"format\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"json\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\treturn cmd\n}\n\nfunc infoOptions(cmd *cobra.Command) (types.SystemInfoOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.SystemInfoOptions{}, err\n\t}\n\n\tmode, err := cmd.Flags().GetString(\"mode\")\n\tif err != nil {\n\t\treturn types.SystemInfoOptions{}, err\n\t}\n\tformat, err := cmd.Flags().GetString(\"format\")\n\tif err != nil {\n\t\treturn types.SystemInfoOptions{}, err\n\t}\n\treturn types.SystemInfoOptions{\n\t\tGOptions: globalOptions,\n\t\tMode: mode,\n\t\tFormat: format,\n\t\tStdout: cmd.OutOrStdout(),\n\t\tStderr: cmd.OutOrStderr(),\n\t}, nil\n}\n\nfunc infoAction(cmd *cobra.Command, args []string) error {\n\toptions, err := infoOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn system.Info(ctx, client, options)\n}\n" }, { "path": "cmd/nerdctl/system/system_info_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage system\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"os/exec\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/infoutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/inspecttypes/dockercompat\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc testInfoComparator(stdout string, t tig.T) {\n\tvar dinf dockercompat.Info\n\terr := json.Unmarshal([]byte(stdout), &dinf)\n\tassert.NilError(t, err, \"failed to unmarshal stdout\")\n\tunameM := infoutil.UnameM()\n\tassert.Assert(t, dinf.Architecture == unameM, fmt.Sprintf(\"expected info.Architecture to be %q, got %q\", unameM, dinf.Architecture))\n}\n\nfunc TestInfo(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\t// Note: some functions need to be tested without the automatic --namespace nerdctl-test argument, so we need\n\t// to retrieve the binary name.\n\t// Note that we know this works already, so no need to assert err.\n\tbin, _ := exec.LookPath(testutil.GetTarget())\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"info\",\n\t\t\tCommand: test.Command(\"info\", \"--format\", \"{{json .}}\"),\n\t\t\tExpected: test.Expects(0, nil, testInfoComparator),\n\t\t},\n\t\t{\n\t\t\tDescription: \"info convenience form\",\n\t\t\tCommand: test.Command(\"info\", \"--format\", \"json\"),\n\t\t\tExpected: test.Expects(0, nil, testInfoComparator),\n\t\t},\n\t\t{\n\t\t\tDescription: \"info with namespace\",\n\t\t\tRequire: require.Not(nerdtest.Docker),\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Custom(bin, \"info\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"Namespace:\tdefault\")),\n\t\t},\n\t\t{\n\t\t\tDescription: \"info with namespace env var\",\n\t\t\tEnv: map[string]string{\n\t\t\t\t\"CONTAINERD_NAMESPACE\": \"test\",\n\t\t\t},\n\t\t\tRequire: require.Not(nerdtest.Docker),\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Custom(bin, \"info\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"Namespace:\ttest\")),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/system/system_prune.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage system\n\nimport (\n\t\"fmt\"\n\t\"strings\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/log\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/builder\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/network\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/system\"\n)\n\nfunc pruneCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"prune [flags]\",\n\t\tShort: \"Remove unused data\",\n\t\tArgs: cobra.NoArgs,\n\t\tRunE: pruneAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().BoolP(\"all\", \"a\", false, \"Remove all unused images, not just dangling ones\")\n\tcmd.Flags().BoolP(\"force\", \"f\", false, \"Do not prompt for confirmation\")\n\tcmd.Flags().Bool(\"volumes\", false, \"Prune volumes\")\n\treturn cmd\n}\n\nfunc pruneOptions(cmd *cobra.Command) (types.SystemPruneOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.SystemPruneOptions{}, err\n\t}\n\n\tall, err := cmd.Flags().GetBool(\"all\")\n\tif err != nil {\n\t\treturn types.SystemPruneOptions{}, err\n\t}\n\n\tvFlag, err := cmd.Flags().GetBool(\"volumes\")\n\tif err != nil {\n\t\treturn types.SystemPruneOptions{}, err\n\t}\n\n\tbuildkitHost, err := builder.GetBuildkitHost(cmd, globalOptions.Namespace)\n\tif err != nil {\n\t\tlog.L.WithError(err).Warn(\"BuildKit is not running. Build caches will not be pruned.\")\n\t\tbuildkitHost = \"\"\n\t}\n\n\treturn types.SystemPruneOptions{\n\t\tStdout: cmd.OutOrStdout(),\n\t\tStderr: cmd.ErrOrStderr(),\n\t\tGOptions: globalOptions,\n\t\tAll: all,\n\t\tVolumes: vFlag,\n\t\tBuildKitHost: buildkitHost,\n\t\tNetworkDriversToKeep: network.NetworkDriversToKeep,\n\t}, nil\n}\n\nfunc grantSystemPrunePermission(cmd *cobra.Command, options types.SystemPruneOptions) (bool, error) {\n\tforce, err := cmd.Flags().GetBool(\"force\")\n\tif err != nil {\n\t\treturn false, err\n\t}\n\n\tif !force {\n\t\tvar confirm string\n\t\tmsg := `This will remove:\n - all stopped containers\n - all networks not used by at least one container`\n\t\tif options.Volumes {\n\t\t\tmsg += `\n - all volumes not used by at least one container`\n\t\t}\n\t\tif options.All {\n\t\t\tmsg += `\n - all images without at least one container associated to them\n - all build cache`\n\t\t} else {\n\t\t\tmsg += `\n - all dangling images\n - all dangling build cache`\n\t\t}\n\n\t\tmsg += \"\\nAre you sure you want to continue? [y/N] \"\n\t\tfmt.Fprintf(options.Stdout, \"WARNING! %s\", msg)\n\t\tfmt.Fscanf(cmd.InOrStdin(), \"%s\", &confirm)\n\n\t\tif strings.ToLower(confirm) != \"y\" {\n\t\t\treturn false, nil\n\t\t}\n\t}\n\n\treturn true, nil\n}\n\nfunc pruneAction(cmd *cobra.Command, _ []string) error {\n\toptions, err := pruneOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif ok, err := grantSystemPrunePermission(cmd, options); err != nil {\n\t\treturn err\n\t} else if !ok {\n\t\treturn nil\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn system.Prune(ctx, client, options)\n}\n" }, { "path": "cmd/nerdctl/system/system_prune_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage system\n\nimport (\n\t\"fmt\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestSystemPrune(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.NoParallel = true\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"volume prune all success\",\n\t\t\t// Private because of prune evidently\n\t\t\tRequire: nerdtest.Private,\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"network\", \"create\", data.Identifier())\n\t\t\t\thelpers.Ensure(\"volume\", \"create\", data.Identifier())\n\t\t\t\tanonIdentifier := helpers.Capture(\"volume\", \"create\")\n\t\t\t\thelpers.Ensure(\"run\", \"-v\", fmt.Sprintf(\"%s:/volume\", data.Identifier()),\n\t\t\t\t\t\"--net\", data.Identifier(), \"--name\", data.Identifier(), testutil.CommonImage)\n\n\t\t\t\tdata.Labels().Set(\"anonIdentifier\", anonIdentifier)\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"network\", \"rm\", data.Identifier())\n\t\t\t\thelpers.Anyhow(\"volume\", \"rm\", data.Identifier())\n\t\t\t\thelpers.Anyhow(\"volume\", \"rm\", data.Labels().Get(\"anonIdentifier\"))\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: test.Command(\"system\", \"prune\", \"-f\", \"--volumes\", \"--all\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 0,\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tvolumes := helpers.Capture(\"volume\", \"ls\")\n\t\t\t\t\t\tnetworks := helpers.Capture(\"network\", \"ls\")\n\t\t\t\t\t\timages := helpers.Capture(\"images\")\n\t\t\t\t\t\tcontainers := helpers.Capture(\"ps\", \"-a\")\n\t\t\t\t\t\tassert.Assert(t, strings.Contains(volumes, data.Identifier()), volumes)\n\t\t\t\t\t\tassert.Assert(t, !strings.Contains(volumes, data.Labels().Get(\"anonIdentifier\")), volumes)\n\t\t\t\t\t\tassert.Assert(t, !strings.Contains(containers, data.Identifier()), containers)\n\t\t\t\t\t\tassert.Assert(t, !strings.Contains(networks, data.Identifier()), networks)\n\t\t\t\t\t\tassert.Assert(t, !strings.Contains(images, testutil.CommonImage), images)\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"buildkit\",\n\t\t\t// FIXME: using a dedicated namespace does not work with rootful (because of buildkitd)\n\t\t\tNoParallel: true,\n\t\t\t// buildkitd is not available with docker\n\t\t\tRequire: require.All(nerdtest.Build, require.Not(nerdtest.Docker)),\n\t\t\t// FIXME: this test will happily say \"green\" even if the command actually fails to do its duty\n\t\t\t// if there is nothing in the build cache.\n\t\t\t// Ensure with setup here that we DO build something first\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"system\", \"prune\", \"-f\", \"--volumes\", \"--all\")\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn nerdtest.BuildCtlCommand(helpers, \"du\")\n\t\t\t},\n\t\t\tExpected: test.Expects(0, nil, expect.Contains(\"Total:\\t\\t0B\")),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/system/system_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage system\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n)\n\nfunc TestMain(m *testing.M) {\n\ttestutil.M(m)\n}\n" }, { "path": "cmd/nerdctl/version.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage main\n\nimport (\n\t\"bytes\"\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"text/template\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/log\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/formatter\"\n\t\"github.com/containerd/nerdctl/v2/pkg/infoutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/inspecttypes/dockercompat\"\n\t\"github.com/containerd/nerdctl/v2/pkg/rootlessutil\"\n)\n\nfunc versionCommand() *cobra.Command {\n\tvar cmd = &cobra.Command{\n\t\tUse: \"version\",\n\t\tArgs: cobra.NoArgs,\n\t\tShort: \"Show the nerdctl version information\",\n\t\tRunE: versionAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().StringP(\"format\", \"f\", \"\", \"Format the output using the given Go template, e.g, '{{json .}}'\")\n\tcmd.RegisterFlagCompletionFunc(\"format\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"json\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\treturn cmd\n}\n\nfunc versionAction(cmd *cobra.Command, args []string) error {\n\tvar w io.Writer = os.Stdout\n\tvar tmpl *template.Template\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tformat, err := cmd.Flags().GetString(\"format\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tif format != \"\" {\n\t\tvar err error\n\t\ttmpl, err = formatter.ParseTemplate(format)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\taddress := globalOptions.Address\n\t// rootless `nerdctl version` runs in the host namespaces, so the address is different\n\tif rootlessutil.IsRootless() {\n\t\taddress, err = rootlessutil.RootlessContainredSockAddress()\n\t\tif err != nil {\n\t\t\tlog.L.WithError(err).Warning(\"failed to inspect the rootless containerd socket address\")\n\t\t\taddress = \"\"\n\t\t}\n\t}\n\n\tv, vErr := versionInfo(cmd, globalOptions.Namespace, address)\n\tif tmpl != nil {\n\t\tvar b bytes.Buffer\n\t\tif err := tmpl.Execute(&b, v); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif _, err := fmt.Fprintln(w, b.String()); err != nil {\n\t\t\treturn err\n\t\t}\n\t} else {\n\t\tfmt.Fprintln(w, \"Client:\")\n\t\tfmt.Fprintf(w, \" Version:\\t%s\\n\", v.Client.Version)\n\t\tfmt.Fprintf(w, \" OS/Arch:\\t%s/%s\\n\", v.Client.Os, v.Client.Arch)\n\t\tfmt.Fprintf(w, \" Git commit:\\t%s\\n\", v.Client.GitCommit)\n\t\tfor _, compo := range v.Client.Components {\n\t\t\tfmt.Fprintf(w, \" %s:\\n\", compo.Name)\n\t\t\tfmt.Fprintf(w, \" Version:\\t%s\\n\", compo.Version)\n\t\t\tfor detailK, detailV := range compo.Details {\n\t\t\t\tfmt.Fprintf(w, \" %s:\\t%s\\n\", detailK, detailV)\n\t\t\t}\n\t\t}\n\t\tif v.Server != nil {\n\t\t\tfmt.Fprintln(w)\n\t\t\tfmt.Fprintln(w, \"Server:\")\n\t\t\tfor _, compo := range v.Server.Components {\n\t\t\t\tfmt.Fprintf(w, \" %s:\\n\", compo.Name)\n\t\t\t\tfmt.Fprintf(w, \" Version:\\t%s\\n\", compo.Version)\n\t\t\t\tfor detailK, detailV := range compo.Details {\n\t\t\t\t\tfmt.Fprintf(w, \" %s:\\t%s\\n\", detailK, detailV)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\treturn vErr\n}\n\n// versionInfo may return partial VersionInfo on error.\n// Address can be empty to skip inspecting the server.\nfunc versionInfo(cmd *cobra.Command, ns, address string) (dockercompat.VersionInfo, error) {\n\tv := dockercompat.VersionInfo{\n\t\tClient: infoutil.ClientVersion(),\n\t}\n\tif address == \"\" {\n\t\treturn v, nil\n\t}\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), ns, address)\n\tif err != nil {\n\t\treturn v, err\n\t}\n\tdefer cancel()\n\tv.Server, err = infoutil.ServerVersion(ctx, client)\n\treturn v, err\n}\n" }, { "path": "cmd/nerdctl/volume/volume.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage volume\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n)\n\nfunc Command() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tAnnotations: map[string]string{helpers.Category: helpers.Management},\n\t\tUse: \"volume\",\n\t\tShort: \"Manage volumes\",\n\t\tRunE: helpers.UnknownSubcommandAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.AddCommand(\n\t\tlistCommand(),\n\t\tinspectCommand(),\n\t\tcreateCommand(),\n\t\tremoveCommand(),\n\t\tpruneCommand(),\n\t)\n\treturn cmd\n}\n" }, { "path": "cmd/nerdctl/volume/volume_create.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage volume\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/errdefs\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/volume\"\n)\n\nfunc createCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"create [flags] [VOLUME]\",\n\t\tShort: \"Create a volume\",\n\t\tArgs: cobra.MaximumNArgs(1),\n\t\tRunE: createAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().StringArray(\"label\", nil, \"Set a label on the volume\")\n\treturn cmd\n}\n\nfunc createOptions(cmd *cobra.Command) (types.VolumeCreateOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.VolumeCreateOptions{}, err\n\t}\n\tlabels, err := cmd.Flags().GetStringArray(\"label\")\n\tif err != nil {\n\t\treturn types.VolumeCreateOptions{}, err\n\t}\n\tfor _, label := range labels {\n\t\tif label == \"\" {\n\t\t\treturn types.VolumeCreateOptions{}, fmt.Errorf(\"labels cannot be empty (%w)\", errdefs.ErrInvalidArgument)\n\t\t}\n\t}\n\n\treturn types.VolumeCreateOptions{\n\t\tGOptions: globalOptions,\n\t\tLabels: labels,\n\t\tStdout: cmd.OutOrStdout(),\n\t}, nil\n}\n\nfunc createAction(cmd *cobra.Command, args []string) error {\n\toptions, err := createOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\tvolumeName := \"\"\n\tif len(args) > 0 {\n\t\tvolumeName = args[0]\n\t}\n\t_, err = volume.Create(volumeName, options)\n\n\treturn err\n}\n" }, { "path": "cmd/nerdctl/volume/volume_create_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage volume\n\nimport (\n\t\"errors\"\n\t\"regexp\"\n\t\"testing\"\n\n\t\"github.com/containerd/errdefs\"\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestVolumeCreate(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"arg missing should create anonymous volume\",\n\t\t\tCommand: test.Command(\"volume\", \"create\"),\n\t\t\tExpected: test.Expects(0, nil, expect.Match(regexp.MustCompile(\"^[a-f0-9]{64}\\n$\"))),\n\t\t},\n\t\t{\n\t\t\tDescription: \"invalid identifier should fail\",\n\t\t\tCommand: test.Command(\"volume\", \"create\", \"∞\"),\n\t\t\tExpected: test.Expects(1, []error{errdefs.ErrInvalidArgument}, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"too many args should fail\",\n\t\t\tCommand: test.Command(\"volume\", \"create\", \"too\", \"many\"),\n\t\t\tExpected: test.Expects(1, []error{errors.New(\"at most 1 arg\")}, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"success\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"create\", data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"volume\", \"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.Equals(data.Identifier() + \"\\n\"),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"success with labels\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"create\", \"--label\", \"foo1=baz1\", \"--label\", \"foo2=baz2\", data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"volume\", \"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.Equals(data.Identifier() + \"\\n\"),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"invalid labels should fail\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t// See https://github.com/containerd/nerdctl/issues/3126\n\t\t\t\treturn helpers.Command(\"volume\", \"create\", \"--label\", \"a\", \"--label\", \"\", data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"volume\", \"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\t// NOTE: docker returns 125 on this\n\t\t\tExpected: test.Expects(expect.ExitCodeGenericFail, []error{errdefs.ErrInvalidArgument}, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"creating already existing volume should succeed\",\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"volume\", \"create\", data.Identifier())\n\t\t\t},\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"create\", data.Identifier())\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"volume\", \"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.Equals(data.Identifier() + \"\\n\"),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/volume/volume_inspect.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage volume\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/volume\"\n)\n\nfunc inspectCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"inspect [flags] VOLUME [VOLUME...]\",\n\t\tShort: \"Display detailed information on one or more volumes\",\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tRunE: inspectAction,\n\t\tValidArgsFunction: volumeInspectShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().StringP(\"format\", \"f\", \"\", \"Format the output using the given Go template, e.g, '{{json .}}'\")\n\tcmd.Flags().BoolP(\"size\", \"s\", false, \"Display the disk usage of the volume\")\n\tcmd.RegisterFlagCompletionFunc(\"format\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"json\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\treturn cmd\n}\n\nfunc inspectOptions(cmd *cobra.Command) (types.VolumeInspectOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.VolumeInspectOptions{}, err\n\t}\n\tvolumeSize, err := cmd.Flags().GetBool(\"size\")\n\tif err != nil {\n\t\treturn types.VolumeInspectOptions{}, err\n\t}\n\tformat, err := cmd.Flags().GetString(\"format\")\n\tif err != nil {\n\t\treturn types.VolumeInspectOptions{}, err\n\t}\n\treturn types.VolumeInspectOptions{\n\t\tGOptions: globalOptions,\n\t\tFormat: format,\n\t\tSize: volumeSize,\n\t\tStdout: cmd.OutOrStdout(),\n\t}, nil\n}\n\nfunc inspectAction(cmd *cobra.Command, args []string) error {\n\toptions, err := inspectOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn volume.Inspect(cmd.Context(), args, options)\n}\n\nfunc volumeInspectShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t// show volume names\n\treturn completion.VolumeNames(cmd)\n}\n" }, { "path": "cmd/nerdctl/volume/volume_inspect_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage volume\n\nimport (\n\t\"crypto/rand\"\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/errdefs\"\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/inspecttypes/native\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc createFileWithSize(mountPoint string, size int64) error {\n\ttoken := make([]byte, size)\n\t_, _ = rand.Read(token)\n\terr := os.WriteFile(filepath.Join(mountPoint, \"test-file\"), token, 0644)\n\treturn err\n}\n\nfunc TestVolumeInspect(t *testing.T) {\n\tvar size int64 = 1028\n\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = nerdtest.BrokenTest(\"This test assumes that the host-side of a volume can be written into, \"+\n\t\t\"which is not always true. To be replaced by cp into the container.\",\n\t\t&test.Requirement{\n\t\t\tCheck: func(data test.Data, helpers test.Helpers) (bool, string) {\n\t\t\t\tisDocker, _ := nerdtest.Docker.Check(data, helpers)\n\t\t\t\treturn !isDocker || os.Geteuid() == 0, \"docker cli needs to be run as root\"\n\t\t\t},\n\t\t})\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Ensure(\"volume\", \"create\", data.Identifier(\"first\"))\n\t\thelpers.Ensure(\"volume\", \"create\", \"--label\", \"foo=fooval\", \"--label\", \"bar=barval\", data.Identifier(\"second\"))\n\t\t// Obviously note here that if inspect code gets totally hosed, this entire suite will\n\t\t// probably fail right here on the Setup instead of actually testing something\n\t\tvol := nerdtest.InspectVolume(helpers, data.Identifier(\"first\"))\n\t\terr := createFileWithSize(vol.Mountpoint, size)\n\t\tassert.NilError(t, err, \"File creation failed\")\n\t\tdata.Labels().Set(\"vol1\", data.Identifier(\"first\"))\n\t\tdata.Labels().Set(\"vol2\", data.Identifier(\"second\"))\n\t}\n\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"volume\", \"rm\", \"-f\", data.Identifier(\"first\"))\n\t\thelpers.Anyhow(\"volume\", \"rm\", \"-f\", data.Identifier(\"second\"))\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"arg missing should fail\",\n\t\t\tCommand: test.Command(\"volume\", \"inspect\"),\n\t\t\tExpected: test.Expects(1, []error{errors.New(\"requires at least 1 arg\")}, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"invalid identifier should fail\",\n\t\t\tCommand: test.Command(\"volume\", \"inspect\", \"∞\"),\n\t\t\tExpected: test.Expects(1, []error{errdefs.ErrInvalidArgument}, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"non existent volume should fail\",\n\t\t\tCommand: test.Command(\"volume\", \"inspect\", \"doesnotexist\"),\n\t\t\tExpected: test.Expects(1, []error{errdefs.ErrNotFound}, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"success\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"inspect\", data.Labels().Get(\"vol1\"))\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\texpect.Contains(data.Labels().Get(\"vol1\")),\n\t\t\t\t\t\texpect.JSON([]native.Volume{}, func(dc []native.Volume, t tig.T) {\n\t\t\t\t\t\t\tassert.Assert(t, len(dc) == 1, fmt.Sprintf(\"one result, not %d\", len(dc)))\n\t\t\t\t\t\t\tassert.Assert(t, dc[0].Name == data.Labels().Get(\"vol1\"), fmt.Sprintf(\"expected name to be %q (was %q)\", data.Labels().Get(\"vol1\"), dc[0].Name))\n\t\t\t\t\t\t\tassert.Assert(t, dc[0].Labels == nil, fmt.Sprintf(\"expected labels to be nil and were %v\", dc[0].Labels))\n\t\t\t\t\t\t}),\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"inspect labels\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"inspect\", data.Labels().Get(\"vol2\"))\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\texpect.Contains(data.Labels().Get(\"vol2\")),\n\t\t\t\t\t\texpect.JSON([]native.Volume{}, func(dc []native.Volume, t tig.T) {\n\t\t\t\t\t\t\tlabels := *dc[0].Labels\n\t\t\t\t\t\t\tassert.Assert(t, len(labels) == 2, fmt.Sprintf(\"two results, not %d\", len(labels)))\n\t\t\t\t\t\t\tassert.Assert(t, labels[\"foo\"] == \"fooval\", fmt.Sprintf(\"label foo should be fooval, not %s\", labels[\"foo\"]))\n\t\t\t\t\t\t\tassert.Assert(t, labels[\"bar\"] == \"barval\", fmt.Sprintf(\"label bar should be barval, not %s\", labels[\"bar\"]))\n\t\t\t\t\t\t}),\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"inspect size\",\n\t\t\tRequire: require.Not(nerdtest.Docker),\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"inspect\", \"--size\", data.Labels().Get(\"vol1\"))\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\texpect.Contains(data.Labels().Get(\"vol1\")),\n\t\t\t\t\t\texpect.JSON([]native.Volume{}, func(dc []native.Volume, t tig.T) {\n\t\t\t\t\t\t\tassert.Assert(t, dc[0].Size == size, fmt.Sprintf(\"expected size to be %d (was %d)\", size, dc[0].Size))\n\t\t\t\t\t\t}),\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"multi success\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"inspect\", data.Labels().Get(\"vol1\"), data.Labels().Get(\"vol2\"))\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\texpect.Contains(data.Labels().Get(\"vol1\"), data.Labels().Get(\"vol2\")),\n\t\t\t\t\t\texpect.JSON([]native.Volume{}, func(dc []native.Volume, t tig.T) {\n\t\t\t\t\t\t\tassert.Assert(t, len(dc) == 2, fmt.Sprintf(\"two results, not %d\", len(dc)))\n\t\t\t\t\t\t\tassert.Assert(t, dc[0].Name == data.Labels().Get(\"vol1\"), fmt.Sprintf(\"expected name to be %q (was %q)\", data.Labels().Get(\"vol1\"), dc[0].Name))\n\t\t\t\t\t\t\tassert.Assert(t, dc[1].Name == data.Labels().Get(\"vol2\"), fmt.Sprintf(\"expected name to be %q (was %q)\", data.Labels().Get(\"vol2\"), dc[1].Name))\n\t\t\t\t\t\t}),\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"part success multi\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"inspect\", \"invalid∞\", \"nonexistent\", data.Labels().Get(\"vol1\"))\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{errdefs.ErrNotFound, errdefs.ErrInvalidArgument},\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\texpect.Contains(data.Labels().Get(\"vol1\")),\n\t\t\t\t\t\texpect.JSON([]native.Volume{}, func(dc []native.Volume, t tig.T) {\n\t\t\t\t\t\t\tassert.Assert(t, len(dc) == 1, fmt.Sprintf(\"one result, not %d\", len(dc)))\n\t\t\t\t\t\t\tassert.Assert(t, dc[0].Name == data.Labels().Get(\"vol1\"), fmt.Sprintf(\"expected name to be %q (was %q)\", data.Labels().Get(\"vol1\"), dc[0].Name))\n\t\t\t\t\t\t}),\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"multi failure\",\n\t\t\tCommand: test.Command(\"volume\", \"inspect\", \"invalid∞\", \"nonexistent\"),\n\t\t\tExpected: test.Expects(1, []error{errdefs.ErrNotFound, errdefs.ErrInvalidArgument}, nil),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/volume/volume_list.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage volume\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/volume\"\n)\n\nfunc listCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"ls\",\n\t\tAliases: []string{\"list\"},\n\t\tShort: \"List volumes\",\n\t\tRunE: listAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\n\tcmd.Flags().BoolP(\"quiet\", \"q\", false, \"Only display volume names\")\n\t// Alias \"-f\" is reserved for \"--filter\"\n\tcmd.Flags().String(\"format\", \"\", \"Format the output using the given go template\")\n\tcmd.Flags().BoolP(\"size\", \"s\", false, \"Display the disk usage of volumes. Can be slow with volumes having loads of directories.\")\n\tcmd.RegisterFlagCompletionFunc(\"format\", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t\treturn []string{\"json\", \"table\", \"wide\"}, cobra.ShellCompDirectiveNoFileComp\n\t})\n\tcmd.Flags().StringSliceP(\"filter\", \"f\", []string{}, \"Filter matches volumes based on given conditions\")\n\treturn cmd\n}\n\nfunc listOptions(cmd *cobra.Command) (types.VolumeListOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.VolumeListOptions{}, err\n\t}\n\tquiet, err := cmd.Flags().GetBool(\"quiet\")\n\tif err != nil {\n\t\treturn types.VolumeListOptions{}, err\n\t}\n\tformat, err := cmd.Flags().GetString(\"format\")\n\tif err != nil {\n\t\treturn types.VolumeListOptions{}, err\n\t}\n\tsize, err := cmd.Flags().GetBool(\"size\")\n\tif err != nil {\n\t\treturn types.VolumeListOptions{}, err\n\t}\n\tfilters, err := cmd.Flags().GetStringSlice(\"filter\")\n\tif err != nil {\n\t\treturn types.VolumeListOptions{}, err\n\t}\n\treturn types.VolumeListOptions{\n\t\tGOptions: globalOptions,\n\t\tQuiet: quiet,\n\t\tFormat: format,\n\t\tSize: size,\n\t\tFilters: filters,\n\t\tStdout: cmd.OutOrStdout(),\n\t}, nil\n}\n\nfunc listAction(cmd *cobra.Command, args []string) error {\n\toptions, err := listOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn volume.List(options)\n}\n" }, { "path": "cmd/nerdctl/volume/volume_list_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage volume\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/tabutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestVolumeLsSize(t *testing.T) {\n\tnerdtest.Setup()\n\n\ttc := &test.Case{\n\t\tRequire: require.Not(nerdtest.Docker),\n\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Ensure(\"volume\", \"create\", data.Identifier(\"1\"))\n\t\t\thelpers.Ensure(\"volume\", \"create\", data.Identifier(\"2\"))\n\t\t\thelpers.Ensure(\"volume\", \"create\", data.Identifier(\"empty\"))\n\t\t\tvol1 := nerdtest.InspectVolume(helpers, data.Identifier(\"1\"))\n\t\t\tvol2 := nerdtest.InspectVolume(helpers, data.Identifier(\"2\"))\n\n\t\t\terr := createFileWithSize(vol1.Mountpoint, 102400)\n\t\t\tassert.NilError(t, err, \"File creation failed\")\n\t\t\terr = createFileWithSize(vol2.Mountpoint, 204800)\n\t\t\tassert.NilError(t, err, \"File creation failed\")\n\t\t},\n\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\thelpers.Anyhow(\"volume\", \"rm\", \"-f\", data.Identifier(\"1\"))\n\t\t\thelpers.Anyhow(\"volume\", \"rm\", \"-f\", data.Identifier(\"2\"))\n\t\t\thelpers.Anyhow(\"volume\", \"rm\", \"-f\", data.Identifier(\"empty\"))\n\t\t},\n\t\tCommand: test.Command(\"volume\", \"ls\", \"--size\"),\n\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\treturn &test.Expected{\n\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\tvar lines = strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\t\t\tassert.Assert(t, len(lines) >= 4, \"expected at least 4 lines\")\n\t\t\t\t\tvolSizes := map[string]string{\n\t\t\t\t\t\tdata.Identifier(\"1\"): \"100.0 KiB\",\n\t\t\t\t\t\tdata.Identifier(\"2\"): \"200.0 KiB\",\n\t\t\t\t\t\tdata.Identifier(\"empty\"): \"0.0 B\",\n\t\t\t\t\t}\n\n\t\t\t\t\tvar numMatches = 0\n\t\t\t\t\tvar tab = tabutil.NewReader(\"VOLUME NAME\\tDIRECTORY\\tSIZE\")\n\t\t\t\t\tvar err = tab.ParseHeader(lines[0])\n\t\t\t\t\tassert.NilError(t, err, \"ParseHeader should not fail\\n\")\n\n\t\t\t\t\tfor _, line := range lines {\n\t\t\t\t\t\tname, _ := tab.ReadRow(line, \"VOLUME NAME\")\n\t\t\t\t\t\tsize, _ := tab.ReadRow(line, \"SIZE\")\n\t\t\t\t\t\texpectSize, ok := volSizes[name]\n\t\t\t\t\t\tif !ok {\n\t\t\t\t\t\t\tcontinue\n\t\t\t\t\t\t}\n\t\t\t\t\t\tassert.Assert(t, size == expectSize, fmt.Sprintf(\"expected size %s for volume %s, got %s\", expectSize, name, size))\n\t\t\t\t\t\tnumMatches++\n\t\t\t\t\t}\n\t\t\t\t\tassert.Assert(t, numMatches == len(volSizes), fmt.Sprintf(\"expected %d volumes, got: %d\", len(volSizes), numMatches))\n\t\t\t\t},\n\t\t\t}\n\t\t},\n\t}\n\n\ttc.Run(t)\n}\n\nfunc TestVolumeLsFilter(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.Require = nerdtest.BrokenTest(\"This test assumes that the host-side of a volume can be written into, \"+\n\t\t\"which is not always true. To be replaced by cp into the container.\",\n\t\t&test.Requirement{\n\t\t\tCheck: func(data test.Data, helpers test.Helpers) (bool, string) {\n\t\t\t\tisDocker, _ := nerdtest.Docker.Check(data, helpers)\n\t\t\t\treturn !isDocker || os.Geteuid() == 0, \"docker cli needs to be run as root\"\n\t\t\t},\n\t\t})\n\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tvar vol1, vol2, vol3, vol4 = data.Identifier(\"1\"), data.Identifier(\"2\"), data.Identifier(\"3\"), data.Identifier(\"4\")\n\t\tvar label1, label2, label3, label4 = \"mylabel=label-1\", \"mylabel=label-2\", \"mylabel=label-3\", \"mylabel-group=label-4\"\n\n\t\thelpers.Ensure(\"volume\", \"create\", \"--label=\"+label1, \"--label=\"+label4, vol1)\n\t\thelpers.Ensure(\"volume\", \"create\", \"--label=\"+label2, \"--label=\"+label4, vol2)\n\t\thelpers.Ensure(\"volume\", \"create\", \"--label=\"+label3, vol3)\n\t\thelpers.Ensure(\"volume\", \"create\", vol4)\n\n\t\t// FIXME\n\t\t// This will not work with Docker rootful and Docker cli run as a user\n\t\t// We should replace it with cp inside the container\n\t\terr := createFileWithSize(nerdtest.InspectVolume(helpers, vol1).Mountpoint, 409600)\n\t\tassert.NilError(t, err, \"File creation failed\")\n\t\terr = createFileWithSize(nerdtest.InspectVolume(helpers, vol2).Mountpoint, 1024000)\n\t\tassert.NilError(t, err, \"File creation failed\")\n\t\terr = createFileWithSize(nerdtest.InspectVolume(helpers, vol3).Mountpoint, 409600)\n\t\tassert.NilError(t, err, \"File creation failed\")\n\t\terr = createFileWithSize(nerdtest.InspectVolume(helpers, vol4).Mountpoint, 1024000)\n\t\tassert.NilError(t, err, \"File creation failed\")\n\n\t\tdata.Labels().Set(\"vol1\", vol1)\n\t\tdata.Labels().Set(\"vol2\", vol2)\n\t\tdata.Labels().Set(\"vol3\", vol3)\n\t\tdata.Labels().Set(\"vol4\", vol4)\n\t\tdata.Labels().Set(\"mainlabel\", \"mylabel\")\n\t\tdata.Labels().Set(\"label1\", label1)\n\t\tdata.Labels().Set(\"label2\", label2)\n\t\tdata.Labels().Set(\"label3\", label3)\n\t\tdata.Labels().Set(\"label4\", label4)\n\n\t}\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"volume\", \"rm\", \"-f\", data.Labels().Get(\"vol1\"))\n\t\thelpers.Anyhow(\"volume\", \"rm\", \"-f\", data.Labels().Get(\"vol2\"))\n\t\thelpers.Anyhow(\"volume\", \"rm\", \"-f\", data.Labels().Get(\"vol3\"))\n\t\thelpers.Anyhow(\"volume\", \"rm\", \"-f\", data.Labels().Get(\"vol4\"))\n\t}\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"No filter\",\n\t\t\tCommand: test.Command(\"volume\", \"ls\", \"--quiet\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tvar lines = strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\t\t\t\tassert.Assert(t, len(lines) >= 4, \"expected at least 4 lines\")\n\t\t\t\t\t\tvolNames := map[string]struct{}{\n\t\t\t\t\t\t\tdata.Labels().Get(\"vol1\"): {},\n\t\t\t\t\t\t\tdata.Labels().Get(\"vol2\"): {},\n\t\t\t\t\t\t\tdata.Labels().Get(\"vol3\"): {},\n\t\t\t\t\t\t\tdata.Labels().Get(\"vol4\"): {},\n\t\t\t\t\t\t}\n\t\t\t\t\t\tvar numMatches = 0\n\t\t\t\t\t\tfor _, name := range lines {\n\t\t\t\t\t\t\t_, ok := volNames[name]\n\t\t\t\t\t\t\tif !ok {\n\t\t\t\t\t\t\t\tcontinue\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tnumMatches++\n\t\t\t\t\t\t}\n\t\t\t\t\t\tassert.Assert(t, len(volNames) == numMatches, fmt.Sprintf(\"expected %d volumes, got: %d\", len(volNames), numMatches))\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Retrieving label=mainlabel\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"ls\", \"--quiet\", \"--filter\", \"label=\"+data.Labels().Get(\"mainlabel\"))\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tvar lines = strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\t\t\t\tassert.Assert(t, len(lines) >= 3, \"expected at least 3 lines\")\n\t\t\t\t\t\tvolNames := map[string]struct{}{\n\t\t\t\t\t\t\tdata.Labels().Get(\"vol1\"): {},\n\t\t\t\t\t\t\tdata.Labels().Get(\"vol2\"): {},\n\t\t\t\t\t\t\tdata.Labels().Get(\"vol3\"): {},\n\t\t\t\t\t\t}\n\t\t\t\t\t\tfor _, name := range lines {\n\t\t\t\t\t\t\t_, ok := volNames[name]\n\t\t\t\t\t\t\tassert.Assert(t, ok, fmt.Sprintf(\"unexpected volume %s found\", name))\n\t\t\t\t\t\t}\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Retrieving label=mainlabel=label2\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"ls\", \"--quiet\", \"--filter\", \"label=\"+data.Labels().Get(\"label2\"))\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tvar lines = strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\t\t\t\tassert.Assert(t, len(lines) >= 1, \"expected at least 1 lines\")\n\t\t\t\t\t\tvolNames := map[string]struct{}{\n\t\t\t\t\t\t\tdata.Labels().Get(\"vol2\"): {},\n\t\t\t\t\t\t}\n\t\t\t\t\t\tfor _, name := range lines {\n\t\t\t\t\t\t\t_, ok := volNames[name]\n\t\t\t\t\t\t\tassert.Assert(t, ok, fmt.Sprintf(\"unexpected volume %s found\", name))\n\t\t\t\t\t\t}\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Retrieving label=mainlabel=\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"ls\", \"--quiet\", \"--filter\", \"label=\"+data.Labels().Get(\"mainlabel\")+\"=\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tassert.Assert(t, strings.TrimSpace(stdout) == \"\", \"expected no result\")\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Retrieving label=mainlabel=label1 and label=mainlabel=label2\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"ls\", \"--quiet\", \"--filter\", \"label=\"+data.Labels().Get(\"label1\"), \"--filter\", \"label=\"+data.Labels().Get(\"label2\"))\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tassert.Assert(t, strings.TrimSpace(stdout) == \"\", \"expected no result\")\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Retrieving label=mainlabel and label=grouplabel=label4\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"ls\", \"--quiet\", \"--filter\", \"label=\"+data.Labels().Get(\"mainlabel\"), \"--filter\", \"label=\"+data.Labels().Get(\"label4\"))\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tvar lines = strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\t\t\t\tassert.Assert(t, len(lines) >= 2, \"expected at least 2 lines\")\n\t\t\t\t\t\tvolNames := map[string]struct{}{\n\t\t\t\t\t\t\tdata.Labels().Get(\"vol1\"): {},\n\t\t\t\t\t\t\tdata.Labels().Get(\"vol2\"): {},\n\t\t\t\t\t\t}\n\t\t\t\t\t\tfor _, name := range lines {\n\t\t\t\t\t\t\t_, ok := volNames[name]\n\t\t\t\t\t\t\tassert.Assert(t, ok, fmt.Sprintf(\"unexpected volume %s found\", name))\n\t\t\t\t\t\t}\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Retrieving name=volume1\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"ls\", \"--quiet\", \"--filter\", \"name=\"+data.Labels().Get(\"vol1\"))\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tvar lines = strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\t\t\t\tassert.Assert(t, len(lines) >= 1, \"expected at least 1 line\")\n\t\t\t\t\t\tvolNames := map[string]struct{}{\n\t\t\t\t\t\t\tdata.Labels().Get(\"vol1\"): {},\n\t\t\t\t\t\t}\n\t\t\t\t\t\tfor _, name := range lines {\n\t\t\t\t\t\t\t_, ok := volNames[name]\n\t\t\t\t\t\t\tassert.Assert(t, ok, fmt.Sprintf(\"unexpected volume %s found\", name))\n\t\t\t\t\t\t}\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Retrieving name=.*volume1.*\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"ls\", \"--quiet\", \"--filter\", \"name=.*\"+data.Labels().Get(\"vol1\")+\".*\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tvar lines = strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\t\t\t\tassert.Assert(t, len(lines) >= 1, \"expected at least 1 line\")\n\t\t\t\t\t\tvolNames := map[string]struct{}{\n\t\t\t\t\t\t\tdata.Labels().Get(\"vol1\"): {},\n\t\t\t\t\t\t}\n\t\t\t\t\t\tfor _, name := range lines {\n\t\t\t\t\t\t\t_, ok := volNames[name]\n\t\t\t\t\t\t\tassert.Assert(t, ok, fmt.Sprintf(\"unexpected volume %s found\", name))\n\t\t\t\t\t\t}\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Retrieving name=volume1 and name=volume2\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"ls\", \"--quiet\", \"--filter\", \"name=\"+data.Labels().Get(\"vol1\"), \"--filter\", \"name=\"+data.Labels().Get(\"vol2\"))\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tvar lines = strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\t\t\t\tassert.Assert(t, len(lines) >= 2, \"expected at least 2 lines\")\n\t\t\t\t\t\tvolNames := map[string]struct{}{\n\t\t\t\t\t\t\tdata.Labels().Get(\"vol1\"): {},\n\t\t\t\t\t\t\tdata.Labels().Get(\"vol2\"): {},\n\t\t\t\t\t\t}\n\t\t\t\t\t\tfor _, name := range lines {\n\t\t\t\t\t\t\t_, ok := volNames[name]\n\t\t\t\t\t\t\tassert.Assert(t, ok, fmt.Sprintf(\"unexpected volume %s found\", name))\n\t\t\t\t\t\t}\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Retrieving size=1024000\",\n\t\t\tRequire: require.Not(nerdtest.Docker),\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"ls\", \"--size\", \"--filter\", \"size=1024000\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tvar lines = strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\t\t\t\tassert.Assert(t, len(lines) >= 3, \"expected at least 3 lines\")\n\t\t\t\t\t\tvolNames := map[string]struct{}{\n\t\t\t\t\t\t\tdata.Labels().Get(\"vol2\"): {},\n\t\t\t\t\t\t\tdata.Labels().Get(\"vol4\"): {},\n\t\t\t\t\t\t}\n\t\t\t\t\t\tvar tab = tabutil.NewReader(\"VOLUME NAME\\tDIRECTORY\\tSIZE\")\n\t\t\t\t\t\tvar err = tab.ParseHeader(lines[0])\n\t\t\t\t\t\tassert.NilError(t, err, \"Tab reader failed\")\n\t\t\t\t\t\tfor _, line := range lines {\n\n\t\t\t\t\t\t\tname, _ := tab.ReadRow(line, \"VOLUME NAME\")\n\t\t\t\t\t\t\tif name == \"VOLUME NAME\" {\n\t\t\t\t\t\t\t\tcontinue\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t_, ok := volNames[name]\n\t\t\t\t\t\t\tassert.Assert(t, ok, fmt.Sprintf(\"unexpected volume %s found\", name))\n\t\t\t\t\t\t}\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Retrieving size>=1024000 size<=2048000\",\n\t\t\tRequire: require.Not(nerdtest.Docker),\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"ls\", \"--size\", \"--filter\", \"size>=1024000\", \"--filter\", \"size<=2048000\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tvar lines = strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\t\t\t\tassert.Assert(t, len(lines) >= 3, \"expected at least 3 lines\")\n\t\t\t\t\t\tvolNames := map[string]struct{}{\n\t\t\t\t\t\t\tdata.Labels().Get(\"vol2\"): {},\n\t\t\t\t\t\t\tdata.Labels().Get(\"vol4\"): {},\n\t\t\t\t\t\t}\n\t\t\t\t\t\tvar tab = tabutil.NewReader(\"VOLUME NAME\\tDIRECTORY\\tSIZE\")\n\t\t\t\t\t\tvar err = tab.ParseHeader(lines[0])\n\t\t\t\t\t\tassert.NilError(t, err, \"Tab reader failed\")\n\t\t\t\t\t\tfor _, line := range lines {\n\n\t\t\t\t\t\t\tname, _ := tab.ReadRow(line, \"VOLUME NAME\")\n\t\t\t\t\t\t\tif name == \"VOLUME NAME\" {\n\t\t\t\t\t\t\t\tcontinue\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t_, ok := volNames[name]\n\t\t\t\t\t\t\tassert.Assert(t, ok, fmt.Sprintf(\"unexpected volume %s found\", name))\n\t\t\t\t\t\t}\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"Retrieving size>204800 size<1024000\",\n\t\t\tRequire: require.Not(nerdtest.Docker),\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"ls\", \"--size\", \"--filter\", \"size>204800\", \"--filter\", \"size<1024000\")\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\tvar lines = strings.Split(strings.TrimSpace(stdout), \"\\n\")\n\t\t\t\t\t\tassert.Assert(t, len(lines) >= 3, \"expected at least 3 lines\")\n\t\t\t\t\t\tvolNames := map[string]struct{}{\n\t\t\t\t\t\t\tdata.Labels().Get(\"vol1\"): {},\n\t\t\t\t\t\t\tdata.Labels().Get(\"vol3\"): {},\n\t\t\t\t\t\t}\n\t\t\t\t\t\tvar tab = tabutil.NewReader(\"VOLUME NAME\\tDIRECTORY\\tSIZE\")\n\t\t\t\t\t\tvar err = tab.ParseHeader(lines[0])\n\t\t\t\t\t\tassert.NilError(t, err, \"Tab reader failed\")\n\t\t\t\t\t\tfor _, line := range lines {\n\n\t\t\t\t\t\t\tname, _ := tab.ReadRow(line, \"VOLUME NAME\")\n\t\t\t\t\t\t\tif name == \"VOLUME NAME\" {\n\t\t\t\t\t\t\t\tcontinue\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t_, ok := volNames[name]\n\t\t\t\t\t\t\tassert.Assert(t, ok, fmt.Sprintf(\"unexpected volume %s found\", name))\n\t\t\t\t\t\t}\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/volume/volume_namespace_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage volume\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/errdefs\"\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/require\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestVolumeNamespace(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\t// Docker does not support namespaces\n\ttestCase.Require = require.Not(nerdtest.Docker)\n\n\t// Create a volume in a different namespace\n\ttestCase.Setup = func(data test.Data, helpers test.Helpers) {\n\t\tdata.Labels().Set(\"root_namespace\", data.Identifier())\n\t\tdata.Labels().Set(\"root_volume\", data.Identifier())\n\t\thelpers.Ensure(\"--namespace\", data.Identifier(), \"volume\", \"create\", data.Identifier())\n\t}\n\n\t// Cleanup once done\n\ttestCase.Cleanup = func(data test.Data, helpers test.Helpers) {\n\t\tif data.Labels().Get(\"root_namespace\") != \"\" {\n\t\t\thelpers.Anyhow(\"--namespace\", data.Identifier(), \"volume\", \"remove\", data.Identifier())\n\t\t\thelpers.Anyhow(\"namespace\", \"remove\", data.Identifier())\n\t\t}\n\t}\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"inspect another namespace volume should fail\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"inspect\", data.Labels().Get(\"root_volume\"))\n\t\t\t},\n\t\t\tExpected: test.Expects(1, []error{\n\t\t\t\terrdefs.ErrNotFound,\n\t\t\t}, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"removing another namespace volume should fail\",\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"remove\", data.Labels().Get(\"root_volume\"))\n\t\t\t},\n\t\t\tExpected: test.Expects(1, []error{\n\t\t\t\terrdefs.ErrNotFound,\n\t\t\t}, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"prune should leave another namespace volume untouched\",\n\t\t\t// Make it private so that we do not interact with other tests in the main namespace\n\t\t\tRequire: nerdtest.Private,\n\t\t\tCommand: test.Command(\"volume\", \"prune\", \"-a\", \"-f\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\texpect.DoesNotContain(data.Labels().Get(\"root_volume\")),\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\thelpers.Ensure(\"--namespace\", data.Labels().Get(\"root_namespace\"), \"volume\", \"inspect\", data.Labels().Get(\"root_volume\"))\n\t\t\t\t\t\t},\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"create with the same name should work, then delete it\",\n\t\t\tNoParallel: true,\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"create\", data.Labels().Get(\"root_volume\"))\n\t\t\t},\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"volume\", \"rm\", data.Labels().Get(\"root_volume\"))\n\t\t\t},\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: func(stdout string, t tig.T) {\n\t\t\t\t\t\thelpers.Ensure(\"volume\", \"inspect\", data.Labels().Get(\"root_volume\"))\n\t\t\t\t\t\thelpers.Ensure(\"volume\", \"rm\", data.Labels().Get(\"root_volume\"))\n\t\t\t\t\t\thelpers.Ensure(\"--namespace\", data.Labels().Get(\"root_namespace\"), \"volume\", \"inspect\", data.Labels().Get(\"root_volume\"))\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/volume/volume_prune.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage volume\n\nimport (\n\t\"fmt\"\n\t\"strings\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/volume\"\n)\n\nfunc pruneCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"prune [flags]\",\n\t\tShort: \"Remove all unused local volumes\",\n\t\tArgs: cobra.NoArgs,\n\t\tRunE: pruneAction,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().BoolP(\"all\", \"a\", false, \"Remove all unused volumes, not just anonymous ones\")\n\tcmd.Flags().BoolP(\"force\", \"f\", false, \"Do not prompt for confirmation\")\n\treturn cmd\n}\n\nfunc pruneOptions(cmd *cobra.Command) (types.VolumePruneOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.VolumePruneOptions{}, err\n\t}\n\n\tall, err := cmd.Flags().GetBool(\"all\")\n\tif err != nil {\n\t\treturn types.VolumePruneOptions{}, err\n\t}\n\n\tforce, err := cmd.Flags().GetBool(\"force\")\n\tif err != nil {\n\t\treturn types.VolumePruneOptions{}, err\n\t}\n\n\toptions := types.VolumePruneOptions{\n\t\tGOptions: globalOptions,\n\t\tAll: all,\n\t\tForce: force,\n\t\tStdout: cmd.OutOrStdout(),\n\t}\n\treturn options, nil\n}\n\nfunc pruneAction(cmd *cobra.Command, _ []string) error {\n\toptions, err := pruneOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif !options.Force {\n\t\tvar confirm string\n\t\tmsg := \"This will remove all local volumes not used by at least one container.\"\n\t\tmsg += \"\\nAre you sure you want to continue? [y/N] \"\n\t\tfmt.Fprintf(options.Stdout, \"WARNING! %s\", msg)\n\t\tfmt.Fscanf(cmd.InOrStdin(), \"%s\", &confirm)\n\n\t\tif strings.ToLower(confirm) != \"y\" {\n\t\t\treturn nil\n\t\t}\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn volume.Prune(ctx, client, options)\n}\n" }, { "path": "cmd/nerdctl/volume/volume_prune_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage volume\n\nimport (\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\t\"github.com/containerd/nerdctl/mod/tigron/tig\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\nfunc TestVolumePrune(t *testing.T) {\n\tvar setup = func(data test.Data, helpers test.Helpers) {\n\t\tanonIDBusy := strings.TrimSpace(helpers.Capture(\"volume\", \"create\"))\n\t\tanonIDDangling := strings.TrimSpace(helpers.Capture(\"volume\", \"create\"))\n\n\t\tnamedBusy := data.Identifier(\"busy\")\n\t\tnamedDangling := data.Identifier(\"free\")\n\n\t\thelpers.Ensure(\"volume\", \"create\", namedBusy)\n\t\thelpers.Ensure(\"volume\", \"create\", namedDangling)\n\t\thelpers.Ensure(\"run\", \"--name\", data.Identifier(),\n\t\t\t\"-v\", namedBusy+\":/namedbusyvolume\",\n\t\t\t\"-v\", anonIDBusy+\":/anonbusyvolume\", testutil.CommonImage)\n\n\t\tdata.Labels().Set(\"anonIDBusy\", anonIDBusy)\n\t\tdata.Labels().Set(\"anonIDDangling\", anonIDDangling)\n\t\tdata.Labels().Set(\"namedBusy\", namedBusy)\n\t\tdata.Labels().Set(\"namedDangling\", namedDangling)\n\t}\n\n\tvar cleanup = func(data test.Data, helpers test.Helpers) {\n\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\thelpers.Anyhow(\"volume\", \"rm\", \"-f\", data.Labels().Get(\"anonIDBusy\"))\n\t\thelpers.Anyhow(\"volume\", \"rm\", \"-f\", data.Labels().Get(\"anonIDDangling\"))\n\t\thelpers.Anyhow(\"volume\", \"rm\", \"-f\", data.Labels().Get(\"namedBusy\"))\n\t\thelpers.Anyhow(\"volume\", \"rm\", \"-f\", data.Labels().Get(\"namedDangling\"))\n\t}\n\n\ttestCase := nerdtest.Setup()\n\t// This set must be marked as private, since we cannot prune without interacting with other tests.\n\ttestCase.Require = nerdtest.Private\n\t// Furthermore, these two subtests cannot be run in parallel\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"prune anonymous only\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: setup,\n\t\t\tCleanup: cleanup,\n\t\t\tCommand: test.Command(\"volume\", \"prune\", \"-f\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\texpect.Contains(data.Labels().Get(\"anonIDDangling\")),\n\t\t\t\t\t\texpect.DoesNotContain(\n\t\t\t\t\t\t\tdata.Labels().Get(\"anonIDBusy\"),\n\t\t\t\t\t\t\tdata.Labels().Get(\"namedBusy\"),\n\t\t\t\t\t\t\tdata.Labels().Get(\"namedDangling\"),\n\t\t\t\t\t\t),\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\thelpers.Ensure(\"volume\", \"inspect\", data.Labels().Get(\"anonIDBusy\"))\n\t\t\t\t\t\t\thelpers.Fail(\"volume\", \"inspect\", data.Labels().Get(\"anonIDDangling\"))\n\t\t\t\t\t\t\thelpers.Ensure(\"volume\", \"inspect\", data.Labels().Get(\"namedBusy\"))\n\t\t\t\t\t\t\thelpers.Ensure(\"volume\", \"inspect\", data.Labels().Get(\"namedDangling\"))\n\t\t\t\t\t\t},\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"prune all\",\n\t\t\tNoParallel: true,\n\t\t\tSetup: setup,\n\t\t\tCleanup: cleanup,\n\t\t\tCommand: test.Command(\"volume\", \"prune\", \"-f\", \"--all\"),\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.All(\n\t\t\t\t\t\texpect.DoesNotContain(data.Labels().Get(\"anonIDBusy\"), data.Labels().Get(\"namedBusy\")),\n\t\t\t\t\t\texpect.Contains(data.Labels().Get(\"anonIDDangling\"), data.Labels().Get(\"namedDangling\")),\n\t\t\t\t\t\tfunc(stdout string, t tig.T) {\n\t\t\t\t\t\t\thelpers.Ensure(\"volume\", \"inspect\", data.Labels().Get(\"anonIDBusy\"))\n\t\t\t\t\t\t\thelpers.Fail(\"volume\", \"inspect\", data.Labels().Get(\"anonIDDangling\"))\n\t\t\t\t\t\t\thelpers.Ensure(\"volume\", \"inspect\", data.Labels().Get(\"namedBusy\"))\n\t\t\t\t\t\t\thelpers.Fail(\"volume\", \"inspect\", data.Labels().Get(\"namedDangling\"))\n\t\t\t\t\t\t},\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/volume/volume_remove.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage volume\n\nimport (\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion\"\n\t\"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers\"\n\t\"github.com/containerd/nerdctl/v2/pkg/api/types\"\n\t\"github.com/containerd/nerdctl/v2/pkg/clientutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/cmd/volume\"\n)\n\nfunc removeCommand() *cobra.Command {\n\tcmd := &cobra.Command{\n\t\tUse: \"rm [flags] VOLUME [VOLUME...]\",\n\t\tAliases: []string{\"remove\"},\n\t\tShort: \"Remove one or more volumes\",\n\t\tLong: \"NOTE: You cannot remove a volume that is in use by a container.\",\n\t\tArgs: cobra.MinimumNArgs(1),\n\t\tRunE: removeAction,\n\t\tValidArgsFunction: removeShellComplete,\n\t\tSilenceUsage: true,\n\t\tSilenceErrors: true,\n\t}\n\tcmd.Flags().BoolP(\"force\", \"f\", false, \"(unimplemented yet)\")\n\treturn cmd\n}\n\nfunc removeOptions(cmd *cobra.Command) (types.VolumeRemoveOptions, error) {\n\tglobalOptions, err := helpers.ProcessRootCmdFlags(cmd)\n\tif err != nil {\n\t\treturn types.VolumeRemoveOptions{}, err\n\t}\n\tforce, err := cmd.Flags().GetBool(\"force\")\n\tif err != nil {\n\t\treturn types.VolumeRemoveOptions{}, err\n\t}\n\treturn types.VolumeRemoveOptions{\n\t\tGOptions: globalOptions,\n\t\tForce: force,\n\t\tStdout: cmd.OutOrStdout(),\n\t}, nil\n}\n\nfunc removeAction(cmd *cobra.Command, args []string) error {\n\toptions, err := removeOptions(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient, ctx, cancel, err := clientutil.NewClient(cmd.Context(), options.GOptions.Namespace, options.GOptions.Address)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer cancel()\n\n\treturn volume.Remove(ctx, client, args, options)\n}\n\nfunc removeShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {\n\t// show volume names\n\treturn completion.VolumeNames(cmd)\n}\n" }, { "path": "cmd/nerdctl/volume/volume_remove_linux_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage volume\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"testing\"\n\n\t\"gotest.tools/v3/assert\"\n\n\t\"github.com/containerd/errdefs\"\n\t\"github.com/containerd/nerdctl/mod/tigron/expect\"\n\t\"github.com/containerd/nerdctl/mod/tigron/test\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest\"\n)\n\n// TestVolumeRemove does test a large variety of volume remove situations, albeit none of them being\n// hard filesystem errors.\n// Behavior in such cases is largely unspecified, as there is no easy way to compare with Docker.\n// Anyhow, borked filesystem conditions is not something we should be expected to deal with in a smart way.\nfunc TestVolumeRemove(t *testing.T) {\n\ttestCase := nerdtest.Setup()\n\n\ttestCase.SubTests = []*test.Case{\n\t\t{\n\t\t\tDescription: \"arg missing should fail\",\n\t\t\tCommand: test.Command(\"volume\", \"rm\"),\n\t\t\tExpected: test.Expects(1, []error{errors.New(\"requires at least 1 arg\")}, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"invalid identifier should fail\",\n\t\t\tCommand: test.Command(\"volume\", \"rm\", \"∞\"),\n\t\t\tExpected: test.Expects(1, []error{errdefs.ErrInvalidArgument}, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"non existent volume should fail\",\n\t\t\tCommand: test.Command(\"volume\", \"rm\", \"doesnotexist\"),\n\t\t\tExpected: test.Expects(1, []error{errdefs.ErrNotFound}, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"busy volume should fail\",\n\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"volume\", \"create\", data.Identifier())\n\t\t\t\thelpers.Ensure(\"run\", \"-v\", fmt.Sprintf(\"%s:/volume\", data.Identifier()),\n\t\t\t\t\t\"--name\", data.Identifier(), testutil.CommonImage)\n\t\t\t},\n\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\thelpers.Anyhow(\"volume\", \"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"rm\", data.Identifier())\n\t\t\t},\n\n\t\t\tExpected: test.Expects(1, []error{errdefs.ErrFailedPrecondition}, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"busy anonymous volume should fail\",\n\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"run\", \"-v\", \"/volume\", \"--name\", data.Identifier(), testutil.CommonImage)\n\t\t\t\t// Inspect the container and find the anonymous volume id\n\t\t\t\tinspect := nerdtest.InspectContainer(helpers, data.Identifier())\n\t\t\t\tvar anonName string\n\t\t\t\tfor _, v := range inspect.Mounts {\n\t\t\t\t\tif v.Destination == \"/volume\" {\n\t\t\t\t\t\tanonName = v.Name\n\t\t\t\t\t\tbreak\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tassert.Assert(t, anonName != \"\", \"Failed to find anonymous volume id\", inspect)\n\t\t\t\tdata.Labels().Set(\"anonName\", anonName)\n\t\t\t},\n\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\thelpers.Anyhow(\"volume\", \"rm\", \"-f\", data.Labels().Get(\"anonName\"))\n\t\t\t},\n\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\t// Try to remove that anon volume\n\t\t\t\treturn helpers.Command(\"volume\", \"rm\", data.Labels().Get(\"anonName\"))\n\t\t\t},\n\n\t\t\tExpected: test.Expects(1, []error{errdefs.ErrFailedPrecondition}, nil),\n\t\t},\n\t\t{\n\t\t\tDescription: \"freed volume should succeed\",\n\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"volume\", \"create\", data.Identifier())\n\t\t\t\thelpers.Ensure(\"run\", \"-v\", fmt.Sprintf(\"%s:/volume\", data.Identifier()), \"--name\", data.Identifier(), testutil.CommonImage)\n\t\t\t\thelpers.Ensure(\"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\thelpers.Anyhow(\"volume\", \"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"rm\", data.Identifier())\n\t\t\t},\n\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.Equals(data.Identifier() + \"\\n\"),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"dangling volume should succeed\",\n\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"volume\", \"create\", data.Identifier())\n\t\t\t},\n\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"volume\", \"rm\", \"-f\", data.Identifier())\n\t\t\t},\n\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"rm\", data.Identifier())\n\t\t\t},\n\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.Equals(data.Identifier() + \"\\n\"),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"part success multi-remove\",\n\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"volume\", \"create\", data.Identifier())\n\t\t\t\thelpers.Ensure(\"volume\", \"create\", data.Identifier(\"busy\"))\n\t\t\t\thelpers.Ensure(\"run\", \"-v\", fmt.Sprintf(\"%s:/volume\", data.Identifier(\"busy\")), \"--name\", data.Identifier(), testutil.CommonImage)\n\t\t\t},\n\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\thelpers.Anyhow(\"volume\", \"rm\", \"-f\", data.Identifier())\n\t\t\t\thelpers.Anyhow(\"volume\", \"rm\", \"-f\", data.Identifier(\"busy\"))\n\t\t\t},\n\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"rm\", \"invalid∞\", \"nonexistent\", data.Identifier(\"busy\"), data.Identifier())\n\t\t\t},\n\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tExitCode: 1,\n\t\t\t\t\tErrors: []error{\n\t\t\t\t\t\terrdefs.ErrNotFound,\n\t\t\t\t\t\terrdefs.ErrFailedPrecondition,\n\t\t\t\t\t\terrdefs.ErrInvalidArgument,\n\t\t\t\t\t},\n\t\t\t\t\tOutput: expect.Equals(data.Identifier() + \"\\n\"),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"success multi-remove\",\n\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"volume\", \"create\", data.Identifier(\"1\"))\n\t\t\t\thelpers.Ensure(\"volume\", \"create\", data.Identifier(\"2\"))\n\t\t\t},\n\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"volume\", \"rm\", \"-f\", data.Identifier(\"1\"), data.Identifier(\"2\"))\n\t\t\t},\n\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"rm\", data.Identifier(\"1\"), data.Identifier(\"2\"))\n\t\t\t},\n\n\t\t\tExpected: func(data test.Data, helpers test.Helpers) *test.Expected {\n\t\t\t\treturn &test.Expected{\n\t\t\t\t\tOutput: expect.Equals(data.Identifier(\"1\") + \"\\n\" + data.Identifier(\"2\") + \"\\n\"),\n\t\t\t\t}\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tDescription: \"failing multi-remove\",\n\n\t\t\tSetup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Ensure(\"volume\", \"create\", data.Identifier(\"busy\"))\n\t\t\t\thelpers.Ensure(\"run\", \"-v\", fmt.Sprintf(\"%s:/volume\", data.Identifier(\"busy\")), \"--name\", data.Identifier(), testutil.CommonImage)\n\t\t\t},\n\n\t\t\tCleanup: func(data test.Data, helpers test.Helpers) {\n\t\t\t\thelpers.Anyhow(\"rm\", \"-f\", data.Identifier())\n\t\t\t\thelpers.Anyhow(\"volume\", \"rm\", \"-f\", data.Identifier(\"busy\"))\n\t\t\t},\n\n\t\t\tCommand: func(data test.Data, helpers test.Helpers) test.TestableCommand {\n\t\t\t\treturn helpers.Command(\"volume\", \"rm\", \"invalid∞\", \"nonexistent\", data.Identifier(\"busy\"))\n\t\t\t},\n\n\t\t\tExpected: test.Expects(1, []error{\n\t\t\t\terrdefs.ErrNotFound,\n\t\t\t\terrdefs.ErrFailedPrecondition,\n\t\t\t\terrdefs.ErrInvalidArgument,\n\t\t\t}, nil),\n\t\t},\n\t}\n\n\ttestCase.Run(t)\n}\n" }, { "path": "cmd/nerdctl/volume/volume_test.go", "content": "/*\n Copyright The containerd Authors.\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n*/\n\npackage volume\n\nimport (\n\t\"testing\"\n\n\t\"github.com/containerd/nerdctl/v2/pkg/testutil\"\n)\n\nfunc TestMain(m *testing.M) {\n\ttestutil.M(m)\n}\n" }, { "path": "docs/build.md", "content": "# Setting up `nerdctl build` with BuildKit\n\n`nerdctl build` (and `nerdctl compose build`) relies on [BuildKit](https://github.com/moby/buildkit).\nTo use it, you need to set up BuildKit.\n\nBuildKit has 2 types of backends.\n\n- **containerd worker**: BuildKit relies on containerd to manage containers and images, etc. containerd needs to be up-and-running on the host.\n- **OCI worker**: BuildKit manages containers and images, etc. containerd isn't needed. This worker relies on runc for container execution.\n\nYou need to set up BuildKit with either of the above workers.\n\nNote that OCI worker cannot access base images (`FROM` images in Dockerfiles) managed by containerd.\nThus you cannot let `nerdctl build` use containerd-managed images as the base image.\nThey include images previously built using `nerdctl build`.\n\nFor example, the following build `bar` fails with OCI worker because it tries to use the previously built and containerd-managed image `foo`.\n\n```console\n$ mkdir -p /tmp/ctx && cat < /tmp/ctx/Dockerfile\nFROM ghcr.io/stargz-containers/ubuntu:20.04-org\nRUN echo hello\nEOF\n$ nerdctl build -t foo /tmp/ctx\n$ cat < /tmp/ctx/Dockerfile\nFROM foo\nRUN echo bar\nEOF\n$ nerdctl build -t bar /tmp/ctx\n```\n\nThis limitation can be avoided using containerd worker as mentioned later.\n\n## Setting up BuildKit with containerd worker\n\n### Rootless\n\n| :zap: Requirement | nerdctl >= 0.18, BuildKit >= 0.10 |\n|-------------------|-----------------------------------|\n\n```\n$ CONTAINERD_NAMESPACE=default containerd-rootless-setuptool.sh install-buildkit-containerd\n```\n\n`containerd-rootless-setuptool.sh` is aware of `CONTAINERD_NAMESPACE` and `CONTAINERD_SNAPSHOTTER` envvars.\nIt installs buildkitd to the specified containerd namespace.\nThis allows BuildKit using containerd-managed images in that namespace as the base image.\nNote that BuildKit can't use images in other namespaces as of now.\n\nIf `CONTAINERD_NAMESPACE` envvar is not specified, this script configures buildkitd to use \"buildkit\" namespace (not \"default\" namespace).\n\nYou can install an additional buildkitd process in a different namespace by executing this script with specifying the namespace with `CONTAINERD_NAMESPACE`.\n\nBuildKit will expose the socket at `$XDG_RUNTIME_DIR/buildkit-$CONTAINERD_NAMESPACE/buildkitd.sock` if `CONTAINERD_NAMESPACE` is specified.\nIf `CONTAINERD_NAMESPACE` is not specified, that location will be `$XDG_RUNTIME_DIR/buildkit/buildkitd.sock`.\n\n### Rootful\n\n```\n$ sudo systemctl enable --now buildkit\n```\n\nThen add the following configuration to `/etc/buildkit/buildkitd.toml` to enable containerd worker.\n\n```toml\n[worker.oci]\n enabled = false\n\n[worker.containerd]\n enabled = true\n # namespace should be \"k8s.io\" for Kubernetes (including Rancher Desktop)\n namespace = \"default\"\n```\n\n## Setting up BuildKit with OCI worker\n\n### Rootless\n\n```\n$ containerd-rootless-setuptool.sh install-buildkit\n```\n\nAs mentioned in the above, BuildKit with this configuration cannot use images managed by containerd.\nThey include images previously built with `nerdctl build`.\n\nBuildKit will expose the socket at `$XDG_RUNTIME_DIR/buildkit/buildkitd.sock`.\n\n### rootful\n\n```\n$ sudo systemctl enable --now buildkit\n```\n\n## Which BuildKit socket will nerdctl use?\n\nYou can specify BuildKit address for `nerdctl build` using `--buildkit-host` flag or `BUILDKIT_HOST` envvar.\nWhen BuildKit address isn't specified, nerdctl tries some default BuildKit addresses the following order and uses the first available one.\n\n- `/buildkit-/buildkitd.sock`\n- `/buildkit-default/buildkitd.sock`\n- `/buildkit/buildkitd.sock`\n\nFor example, if you run rootless nerdctl with `test` containerd namespace, it tries to use `$XDG_RUNTIME_DIR/buildkit-test/buildkitd.sock` by default then try to fall back to `$XDG_RUNTIME_DIR/buildkit-default/buildkitd.sock` and `$XDG_RUNTIME_DIR/buildkit/buildkitd.sock`\n" }, { "path": "docs/builder-debug.md", "content": "# Interactive debugging of Dockerfile (Experimental)\n\nnerdctl supports interactive debugging of Dockerfile as `nerdctl builder debug`.\n\n```\n$ nerdctl builder debug /path/to/context\n```\n\nThis feature leverages [buildg](https://github.com/ktock/buildg), interactive debugger of Dockerfile.\nFor command reference, please refer to the [Command reference doc in buildg repo](https://github.com/ktock/buildg#command-reference).\n\n:warning: This command currently doesn't use the host's `buildkitd` daemon but uses the patched version of BuildKit provided by buildg. This should be fixed to use the host's `buildkitd` in the future.\n\n## Example\n\nExample Dockerfile:\n\n```Dockerfile\nFROM busybox AS build1\nRUN echo a > /a\nRUN echo b > /b\nRUN echo c > /c\n```\n\nExample debugging:\n\n```console\n$ nerdctl builder debug --image=ubuntu:22.04 /tmp/ctx/\nWARN[2022-05-17T10:15:48Z] using host network as the default#1 [internal] load .dockerignore\n#1 transferring context: 2B done\n#1 DONE 0.1s\n\n#2 [internal] load build definition from Dockerfile\n#2 transferring dockerfile: 108B done\n#2 DONE 0.1s\n\n#3 [internal] load metadata for docker.io/library/busybox:latest\nINFO[2022-05-17T10:15:51Z] debug session started. type \"help\" for command reference.\nFilename: \"Dockerfile\"\n => 1| FROM busybox AS build1\n 2| RUN echo a > /a\n 3| RUN echo b > /b\n 4| RUN echo c > /c\n(buildg) break 3\n(buildg) breakpoints\n[0]: line: Dockerfile:3\n[on-fail]: breaks on fail\n(buildg) continue\n#3 DONE 3.1s\n\n#4 [1/4] FROM docker.io/library/busybox@sha256:d2b53584f580310186df7a2055ce3ff83cc0df6caacf1e3489bff8cf5d0af5d8\n#4 resolve docker.io/library/busybox@sha256:d2b53584f580310186df7a2055ce3ff83cc0df6caacf1e3489bff8cf5d0af5d8 0.0s done\n#4 sha256:50e8d59317eb665383b2ef4d9434aeaa394dcd6f54b96bb7810fdde583e9c2d1 0B / 772.81kB 0.2s\n#4 sha256:50e8d59317eb665383b2ef4d9434aeaa394dcd6f54b96bb7810fdde583e9c2d1 0B / 772.81kB 5.3s\n#4 sha256:50e8d59317eb665383b2ef4d9434aeaa394dcd6f54b96bb7810fdde583e9c2d1 0B / 772.81kB 10.4s\n#4 sha256:50e8d59317eb665383b2ef4d9434aeaa394dcd6f54b96bb7810fdde583e9c2d1 772.81kB / 772.81kB 11.4s done\n#4 extracting sha256:50e8d59317eb665383b2ef4d9434aeaa394dcd6f54b96bb7810fdde583e9c2d1 0.1s done\n#4 DONE 20.2s\n\n#5 [2/4] RUN echo a > /a\n#5 DONE 0.1s\nBreakpoint[0]: reached line: Dockerfile:3\nFilename: \"Dockerfile\"\n 1| FROM busybox AS build1\n 2| RUN echo a > /a\n*=> 3| RUN echo b > /b\n 4| RUN echo c > /c\n(buildg) exec --image sh\n# ls /debugroot/\na b bin dev\tetc home proc root tmp usr var\n# cat /debugroot/a /debugroot/b\na\nb\n#\n(buildg) quit\n```\n" }, { "path": "docs/cni.md", "content": "# Using CNI with nerdctl\n\nnerdctl uses CNI plugins for its container network, you can set network by\neither `--network` or `--net` option.\n\n## Basic networks\n\nnerdctl support some basic types of CNI plugins without any configuration\nneeded(you should have CNI plugin be installed), for Linux systems the basic\nCNI plugin types are `bridge`, `portmap`, `firewall`, `tuning`, for Windows\nsystem, the supported CNI plugin types are `nat` only.\n\nThe default network `bridge` for Linux and `nat` for Windows if you\ndon't set any network options.\n\nConfiguration of the default network `bridge` of Linux:\n\n```json\n{\n \"cniVersion\": \"1.0.0\",\n \"name\": \"bridge\",\n \"plugins\": [\n {\n \"type\": \"bridge\",\n \"bridge\": \"nerdctl0\",\n \"isGateway\": true,\n \"ipMasq\": true,\n \"hairpinMode\": true,\n \"ipam\": {\n \"type\": \"host-local\",\n \"routes\": [{ \"dst\": \"0.0.0.0/0\" }],\n \"ranges\": [\n [\n {\n \"subnet\": \"10.4.0.0/24\",\n \"gateway\": \"10.4.0.1\"\n }\n ]\n ]\n }\n },\n {\n \"type\": \"portmap\",\n \"capabilities\": {\n \"portMappings\": true\n }\n },\n {\n \"type\": \"firewall\",\n \"ingressPolicy\": \"same-bridge\"\n },\n {\n \"type\": \"tuning\"\n }\n ]\n}\n```\n\n## Bridge isolation\n\nnerdctl >= 0.18 sets the `ingressPolicy` to `same-bridge` when `firewall` plugin >= 1.1.0 is installed.\nThis `ingressPolicy` replaces the CNI `isolation` plugin used in nerdctl <= 0.17.\n\nWhen `firewall` plugin >= 1.1.0 is not found, nerdctl does not enable the bridge isolation.\nThis means a container in `--net=foo` can connect to a container in `--net=bar`.\n\n## macvlan/IPvlan networks\n\nnerdctl also support macvlan and IPvlan network driver.\n\nTo create a `macvlan` network which bridges with a given physical network interface, use `--driver macvlan` with\n`nerdctl network create` command.\n\n```\n# nerdctl network create mac0 --driver macvlan \\\n --subnet=192.168.5.0/24\n --gateway=192.168.5.2\n -o parent=eth0\n```\n\nYou can specify the `parent`, which is the interface the traffic will physically go through on the host,\ndefaults to default route interface.\n\nAnd the `subnet` should be under the same network as the network interface,\nan easier way is to use DHCP to assign the IP:\n\n```\n# nerdctl network create mac0 --driver macvlan --ipam-driver=dhcp\n```\n\nUsing `--driver ipvlan` can create `ipvlan` network, the default mode for IPvlan is `l2`.\n\n## DHCP host-name and other DHCP options\n\nNerdctl automatically sets the DHCP host-name option to the hostname value of the container.\n\nFurthermore, on network creation, nerdctl supports the ability to set other DHCP options through `--ipam-options`.\n\nCurrently, the following options are supported by the DHCP plugin:\n```\ndhcp-client-identifier\nsubnet-mask\nrouters\nuser-class\nvendor-class-identifier\n```\n\nFor example:\n```\n# nerdctl network create --driver macvlan \\\n --ipam-driver dhcp \\\n --ipam-opt 'vendor-class-identifier={\"type\": \"provide\", \"value\": \"Hey! Its me!\"}' \\\n my-dhcp-net\n```\n\n## Custom networks\n\nYou can also customize your CNI network by providing configuration files.\n\nWhen rootful, the expected root location is `/etc/cni/net.d`.\nFor rootless, the expected root location is `~/.config/cni/net.d/`\n\nConfiguration files (like `10-mynet.conf`) can be placed either in the root location,\nor under a subfolder.\nIf in the root location, this network will be available to all nerdctl namespaces.\nIf placed in a subfolder, it will be available only to the identically named namespace.\n\nFor example, you have one configuration file(`/etc/cni/net.d/10-mynet.conf`)\nfor `bridge` network:\n\n```json\n{\n \"cniVersion\": \"1.0.0\",\n \"name\": \"mynet\",\n \"type\": \"bridge\",\n \"bridge\": \"cni0\",\n \"isGateway\": true,\n \"ipMasq\": true,\n \"ipam\": {\n \"type\": \"host-local\",\n \"subnet\": \"172.19.0.0/24\",\n \"routes\": [\n { \"dst\": \"0.0.0.0/0\" }\n ]\n }\n}\n```\n\nThis will configure a new CNI network with the name `mynet`, and you can use\nthis network to create a container in any namespace:\n\n```console\n# nerdctl run -it --net mynet --rm alpine ip addr show\n1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1000\n link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n inet 127.0.0.1/8 scope host lo\n valid_lft forever preferred_lft forever\n inet6 ::1/128 scope host\n valid_lft forever preferred_lft forever\n3: eth0@if6120: mtu 1500 qdisc noqueue state UP\n link/ether 5e:5b:3f:0c:36:56 brd ff:ff:ff:ff:ff:ff\n inet 172.19.0.51/24 brd 172.19.0.255 scope global eth0\n valid_lft forever preferred_lft forever\n inet6 fe80::5c5b:3fff:fe0c:3656/64 scope link tentative\n valid_lft forever preferred_lft forever\n```\n" }, { "path": "docs/command-reference.md", "content": "# Command reference\n\n:whale: = Docker compatible\n\n:nerd_face: = nerdctl specific\n\n> [!NOTE]\n> - Unlisted `docker` CLI flags are unimplemented yet in `nerdctl` CLI.\n> It does not necessarily mean that the corresponding features are missing in containerd.\n> - Some commands and flags are only available on Linux.\n\n\n\n\n- [Container management](#container-management)\n - [:whale: nerdctl run](#whale-nerdctl-run)\n - [:whale: nerdctl exec](#whale-nerdctl-exec)\n - [:whale: nerdctl create](#whale-nerdctl-create)\n - [:whale: nerdctl cp](#whale-nerdctl-cp)\n - [:whale: nerdctl ps](#whale-nerdctl-ps)\n - [:whale: nerdctl inspect](#whale-nerdctl-inspect)\n - [:whale: nerdctl logs](#whale-nerdctl-logs)\n - [:whale: nerdctl port](#whale-nerdctl-port)\n - [:whale: nerdctl rm](#whale-nerdctl-rm)\n - [:whale: nerdctl stop](#whale-nerdctl-stop)\n - [:whale: nerdctl start](#whale-nerdctl-start)\n - [:whale: nerdctl restart](#whale-nerdctl-restart)\n - [:whale: nerdctl update](#whale-nerdctl-update)\n - [:whale: nerdctl wait](#whale-nerdctl-wait)\n - [:whale: nerdctl kill](#whale-nerdctl-kill)\n - [:whale: nerdctl pause](#whale-nerdctl-pause)\n - [:whale: nerdctl unpause](#whale-nerdctl-unpause)\n - [:whale: nerdctl rename](#whale-nerdctl-rename)\n - [:whale: nerdctl attach](#whale-nerdctl-attach)\n - [:whale: nerdctl container prune](#whale-nerdctl-container-prune)\n - [:whale: nerdctl diff](#whale-nerdctl-diff)\n - [:whale: nerdctl export](#whale-nerdctl-export)\n- [Build](#build)\n - [:whale: nerdctl build](#whale-nerdctl-build)\n - [:whale: nerdctl commit](#whale-nerdctl-commit)\n- [Image management](#image-management)\n - [:whale: nerdctl images](#whale-nerdctl-images)\n - [:whale: nerdctl pull](#whale-nerdctl-pull)\n - [:whale: nerdctl push](#whale-nerdctl-push)\n - [:whale: nerdctl load](#whale-nerdctl-load)\n - [:whale: nerdctl save](#whale-nerdctl-save)\n - [:whale: nerdctl import](#whale-nerdctl-import)\n - [:whale: nerdctl tag](#whale-nerdctl-tag)\n - [:whale: nerdctl rmi](#whale-nerdctl-rmi)\n - [:whale: nerdctl image inspect](#whale-nerdctl-image-inspect)\n - [:whale: nerdctl image history](#whale-nerdctl-image-history)\n - [:whale: nerdctl image prune](#whale-nerdctl-image-prune)\n - [:nerd_face: nerdctl image convert](#nerd_face-nerdctl-image-convert)\n - [:nerd_face: nerdctl image encrypt](#nerd_face-nerdctl-image-encrypt)\n - [:nerd_face: nerdctl image decrypt](#nerd_face-nerdctl-image-decrypt)\n- [Checkpoint management](#checkpoint-management)\n - [:whale: nerdctl checkpoint create](#whale-nerdctl-checkpoint-create)\n - [:whale: nerdctl checkpoint list](#whale-nerdctl-checkpoint-list)\n - [:whale: nerdctl checkpoint remove](#whale-nerdctl-checkpoint-remove)\n- [Manifest management](#manifest-management)\n - [:whale: nerdctl manifest annotate](#whale-nerdctl-manifest-annotate)\n - [:whale: nerdctl manifest create](#whale-nerdctl-manifest-create)\n - [:whale: nerdctl manifest inspect](#whale-nerdctl-manifest-inspect)\n - [:whale: nerdctl manifest push](#whale-nerdctl-manifest-push)\n - [:whale: nerdctl manifest rm](#whale-nerdctl-manifest-rm)\n- [Registry](#registry)\n - [:whale: nerdctl login](#whale-nerdctl-login)\n - [:whale: nerdctl logout](#whale-nerdctl-logout)\n - [:whale: nerdctl search](#whale-nerdctl-search)\n- [Network management](#network-management)\n - [:whale: nerdctl network create](#whale-nerdctl-network-create)\n - [:whale: nerdctl network ls](#whale-nerdctl-network-ls)\n - [:whale: nerdctl network inspect](#whale-nerdctl-network-inspect)\n - [:whale: nerdctl network rm](#whale-nerdctl-network-rm)\n - [:whale: nerdctl network prune](#whale-nerdctl-network-prune)\n- [Volume management](#volume-management)\n - [:whale: nerdctl volume create](#whale-nerdctl-volume-create)\n - [:whale: nerdctl volume ls](#whale-nerdctl-volume-ls)\n - [:whale: nerdctl volume inspect](#whale-nerdctl-volume-inspect)\n - [:whale: nerdctl volume rm](#whale-nerdctl-volume-rm)\n - [:whale: nerdctl volume prune](#whale-nerdctl-volume-prune)\n- [Namespace management](#namespace-management)\n - [:nerd_face: nerdctl namespace create](#nerd_face-nerdctl-namespace-create)\n - [:nerd_face: nerdctl namespace inspect](#nerd_face-nerdctl-namespace-inspect)\n - [:nerd_face: nerdctl namespace ls](#nerd_face-nerdctl-namespace-ls)\n - [:nerd_face: nerdctl namespace remove](#nerd_face-nerdctl-namespace-remove)\n - [:nerd_face: nerdctl namespace update](#nerd_face-nerdctl-namespace-update)\n- [AppArmor profile management](#apparmor-profile-management)\n - [:nerd_face: nerdctl apparmor inspect](#nerd_face-nerdctl-apparmor-inspect)\n - [:nerd_face: nerdctl apparmor load](#nerd_face-nerdctl-apparmor-load)\n - [:nerd_face: nerdctl apparmor ls](#nerd_face-nerdctl-apparmor-ls)\n - [:nerd_face: nerdctl apparmor unload](#nerd_face-nerdctl-apparmor-unload)\n- [Builder management](#builder-management)\n - [:whale: nerdctl builder prune](#whale-nerdctl-builder-prune)\n - [:nerd_face: nerdctl builder debug](#nerd_face-nerdctl-builder-debug)\n- [System](#system)\n - [:whale: nerdctl events](#whale-nerdctl-events)\n - [:whale: nerdctl info](#whale-nerdctl-info)\n - [:whale: nerdctl version](#whale-nerdctl-version)\n - [:whale: nerdctl system prune](#whale-nerdctl-system-prune)\n- [Stats](#stats)\n - [:whale: nerdctl stats](#whale-nerdctl-stats)\n - [:whale: nerdctl top](#whale-nerdctl-top)\n- [Shell completion](#shell-completion)\n - [:nerd_face: nerdctl completion bash](#nerd_face-nerdctl-completion-bash)\n - [:nerd_face: nerdctl completion zsh](#nerd_face-nerdctl-completion-zsh)\n - [:nerd_face: nerdctl completion fish](#nerd_face-nerdctl-completion-fish)\n - [:nerd_face: nerdctl completion powershell](#nerd_face-nerdctl-completion-powershell)\n- [Compose](#compose)\n - [:whale: nerdctl compose](#whale-nerdctl-compose)\n - [:whale: nerdctl compose up](#whale-nerdctl-compose-up)\n - [:whale: nerdctl compose logs](#whale-nerdctl-compose-logs)\n - [:whale: nerdctl compose build](#whale-nerdctl-compose-build)\n - [:whale: nerdctl compose create](#whale-nerdctl-compose-create)\n - [:whale: nerdctl compose exec](#whale-nerdctl-compose-exec)\n - [:whale: nerdctl compose down](#whale-nerdctl-compose-down)\n - [:whale: nerdctl compose images](#whale-nerdctl-compose-images)\n - [:whale: nerdctl compose start](#whale-nerdctl-compose-start)\n - [:whale: nerdctl compose stop](#whale-nerdctl-compose-stop)\n - [:whale: nerdctl compose port](#whale-nerdctl-compose-port)\n - [:whale: nerdctl compose ps](#whale-nerdctl-compose-ps)\n - [:whale: nerdctl compose pull](#whale-nerdctl-compose-pull)\n - [:whale: nerdctl compose push](#whale-nerdctl-compose-push)\n - [:whale: nerdctl compose pause](#whale-nerdctl-compose-pause)\n - [:whale: nerdctl compose unpause](#whale-nerdctl-compose-unpause)\n - [:whale: nerdctl compose config](#whale-nerdctl-compose-config)\n - [:whale: nerdctl compose cp](#whale-nerdctl-compose-cp)\n - [:whale: nerdctl compose kill](#whale-nerdctl-compose-kill)\n - [:whale: nerdctl compose restart](#whale-nerdctl-compose-restart)\n - [:whale: nerdctl compose rm](#whale-nerdctl-compose-rm)\n - [:whale: nerdctl compose run](#whale-nerdctl-compose-run)\n - [:whale: nerdctl compose top](#whale-nerdctl-compose-top)\n - [:whale: nerdctl compose version](#whale-nerdctl-compose-version)\n- [IPFS management](#ipfs-management)\n - [:nerd_face: nerdctl ipfs registry serve](#nerd_face-nerdctl-ipfs-registry-serve)\n- [Global flags](#global-flags)\n- [Unimplemented Docker commands](#unimplemented-docker-commands)\n\n\n\n## Container management\n\n### :whale: nerdctl run\n\nRun a command in a new container.\n\nUsage: `nerdctl run [OPTIONS] IMAGE [COMMAND] [ARG...]`\n\n:nerd_face: `ipfs://` prefix can be used for `IMAGE` to pull it from IPFS. See [`ipfs.md`](./ipfs.md) for details.\n:nerd_face: `oci-archive://` prefix can be used for `IMAGE` to specify a local file system path to an OCI formatted tarball.\n\nBasic flags:\n\n- :whale: `-a, --attach`: Attach STDIN, STDOUT, or STDERR\n- :whale: `-i, --interactive`: Keep STDIN open even if not attached\"\n- :whale: `-t, --tty`: Allocate a pseudo-TTY\n - :warning: WIP: currently `-t` conflicts with `-d`\n- :whale: `-sig-proxy`: Proxy received signals to the process (default true)\n- :whale: `-d, --detach`: Run container in background and print container ID\n- :whale: `--restart=(no|always|on-failure|unless-stopped)`: Restart policy to apply when a container exits\n - Default: \"no\"\n - always: Always restart the container if it stops.\n - on-failure[:max-retries]: Restart only if the container exits with a non-zero exit status. Optionally, limit the number of times attempts to restart the container using the :max-retries option.\n - unless-stopped: Always restart the container unless it is stopped.\n- :whale: `--rm`: Automatically remove the container when it exits\n- :whale: `--pull=(always|missing|never)`: Pull image before running\n - Default: \"missing\"\n- :whale: `-q, --quiet`: Suppress the pull output\n- :whale: `--pid=(host|container:)`: PID namespace to use\n- :whale: `--uts=(host)` : UTS namespace to use\n- :whale: `--stop-signal`: Signal to stop a container (default \"SIGTERM\")\n- :whale: `--stop-timeout`: Timeout (in seconds) to stop a container\n- :whale: `--detach-keys`: Override the default detach keys\n\nPlatform flags:\n\n- :whale: `--platform=(amd64|arm64|...)`: Set platform\n\nInit process flags:\n\n- :whale: `--init`: Run an init inside the container that forwards signals and reaps processes.\n- :nerd_face: `--init-binary=`: The custom init binary to use. We suggest you use the [tini](https://github.com/krallin/tini) binary which is used in Docker project to get the same behavior.\n Please make sure the binary exists in your `PATH`.\n - Default: `tini`\n\nIsolation flags:\n\n- :whale: :nerd_face: `--isolation=(default|process|host|hyperv)`: Used on Windows to change process isolation level. `default` will use the runtime options configured in `default_runtime` in the [containerd configuration](https://github.com/containerd/containerd/blob/master/docs/cri/config.md#cri-plugin-config-guide) which is `process` in containerd by default. `process` runs process isolated containers. `host` runs [Host Process containers](https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/). Host process containers inherit permissions from containerd process unless `--user` is specified then will start with user specified and the user specified must be present on the host. `host` requires Containerd 1.7+. `hyperv` runs Hyper-V hypervisor partition-based isolated containers. Not implemented for Linux.\n\nNetwork flags:\n\n- :whale: `--net, --network=(bridge|host|none|container:|ns:|)`: Connect a container to a network.\n - Default: \"bridge\"\n - `container:`: reuse another container's network stack, container has to be precreated.\n - :nerd_face: `ns:`: run inside an existing network namespace\n - :nerd_face: Unlike Docker, this flag can be specified multiple times (`--net foo --net bar`)\n- :whale: `-p, --publish`: Publish a container's port(s) to the host\n- :whale: `--dns`: Set custom DNS servers\n- :whale: `--dns-search`: Set custom DNS search domains\n- :whale: `--dns-opt, --dns-option`: Set DNS options\n- :whale: `-h, --hostname`: Container host name\n- :whale: `--domainname`: Container domain name\n- :whale: `--add-host`: Add a custom host-to-IP mapping (host:ip). `ip` could be a special string `host-gateway`,\n- which will be resolved to the `host-gateway-ip` in nerdctl.toml or global flag.\n- :whale: `--ip`: Specific static IP address(es) to use. Note that unlike docker, nerdctl allows specifying it with the default bridge network.\n- :whale: `--ip6`: Specific static IP6 address(es) to use. Should be used with user networks\n- :whale: `--mac-address`: Specific MAC address to use. Be aware that it does not\n check if manually specified MAC addresses are unique. Supports network\n type `bridge` and `macvlan`\n\nResource flags:\n\n- :whale: `--cpus`: Number of CPUs\n- :whale: `--cpu-quota`: Limit the CPU CFS (Completely Fair Scheduler) quota\n- :whale: `--cpu-period`: Limit the CPU CFS (Completely Fair Scheduler) period\n- :whale: `--cpu-shares`: CPU shares (relative weight)\n- :whale: `--cpuset-cpus`: CPUs in which to allow execution (0-3, 0,1)\n- :whale: `--cpuset-mems`: Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems\n- :whale: `--cpu-rt-period`: Limit CPU real-time period in microseconds. Only supported with cgroup v1.\n- :whale: `--cpu-rt-runtime`: Limit CPU real-time runtime in microseconds. Only supported with cgroup v1.\n- :whale: `--memory`: Memory limit\n- :whale: `--memory-reservation`: Memory soft limit\n- :whale: `--memory-swap`: Swap limit equal to memory plus swap: '-1' to enable unlimited swap\n- :whale: `--memory-swappiness`: Tune container memory swappiness (0 to 100) (default -1)\n- :whale: `--kernel-memory`: Kernel memory limit (deprecated)\n- :whale: `--oom-kill-disable`: Disable OOM Killer\n- :whale: `--oom-score-adj`: Tune container’s OOM preferences (-1000 to 1000, rootless: 100 to 1000)\n- :whale: `--pids-limit`: Tune container pids limit\n- :nerd_face: `--cgroup-conf`: Configure cgroup v2 (key=value)\n- :whale: `--blkio-weight`: Block IO (relative weight), between 10 and 1000, or 0 to disable (default 0)\n- :whale: `--blkio-weight-device`: Block IO weight (relative device weight)\n- :whale: `--device-read-bps`: Limit read rate (bytes per second) from a device\n- :whale: `--device-read-iops`: Limit read rate (IO per second) from a device\n- :whale: `--device-write-bps`: Limit write rate (bytes per second) to a device\n- :whale: `--device-write-iops`: Limit write rate (IO per second) to a device\n- :whale: `--cgroupns=(host|private)`: Cgroup namespace to use\n - Default: \"private\" on cgroup v2 hosts, \"host\" on cgroup v1 hosts\n- :whale: `--cgroup-parent`: Optional parent cgroup for the container\n- :whale: `--device`: Add a host device to the container\n\nIntel RDT flags:\n\n- :nerd_face: `--rdt-class=CLASS`: Name of the RDT class (or CLOS) to associate the container wit\n\nUser flags:\n\n- :whale: `-u, --user`: Username or UID (format: [:])\n- :nerd_face: `--umask`: Set the umask inside the container. Defaults to 0022.\n Corresponds to Podman CLI.\n- :whale: `--group-add`: Add additional groups to join\n- :whale: `--userns`: Set it to `host` to disable user namespacing set in nerdctl.toml or in cli.\n\n\nSecurity flags:\n\n- :whale: `--security-opt seccomp=`: specify custom seccomp profile\n- :whale: `--security-opt apparmor=`: specify custom AppArmor profile\n- :whale: `--security-opt no-new-privileges`: disallow privilege escalation, e.g., setuid and file capabilities\n- :whale: `--security-opt systempaths=unconfined`: Turn off confinement for system paths (masked paths, read-only paths) for the container\n- :whale: `--security-opt writable-cgroups`: making the cgroups writeable\n- :nerd_face: `--security-opt privileged-without-host-devices`: Don't pass host devices to privileged containers\n- :whale: `--cap-add=`: Add Linux capabilities\n- :whale: `--cap-drop=`: Drop Linux capabilities\n- :whale: `--privileged`: Give extended privileges to this container\n- :nerd_face: `--systemd=(true|false|always)`: Enable systemd compatibility (default: false).\n - Default: \"false\"\n - true: Enable systemd compatibility is enabled if the entrypoint executable matches one of the following paths:\n - `/sbin/init`\n - `/usr/sbin/init`\n - `/usr/local/sbin/init`\n - always: Always enable systemd compatibility\n\nCorresponds to Podman CLI.\n\nRuntime flags:\n\n- :whale: `--runtime`: Runtime to use for this container, e.g. \\\"crun\\\", or \\\"io.containerd.runsc.v1\\\".\n- :whale: `--sysctl`: Sysctl options, e.g \\\"net.ipv4.ip_forward=1\\\"\n\nVolume flags:\n\n- :whale: `-v, --volume :[:]`: Bind mount a volume, e.g., `-v /mnt:/mnt:rro,rprivate`\n - :whale: option `rw` : Read/Write (when writable)\n - :whale: option `ro` : Non-recursive read-only\n - :nerd_face: option `rro`: Recursive read-only. Should be used in conjunction with `rprivate`. e.g., `-v /mnt:/mnt:rro,rprivate` makes children such as `/mnt/usb` to be read-only, too.\n Requires kernel >= 5.12, and crun >= 1.4 or runc >= 1.1 (PR [#3272](https://github.com/opencontainers/runc/pull/3272)). With older runc, `rro` just works as `ro`.\n - :whale: option `shared`, `slave`, `private`: Non-recursive \"shared\" / \"slave\" / \"private\" propagation\n - :whale: option `rshared`, `rslave`, `rprivate`: Recursive \"shared\" / \"slave\" / \"private\" propagation\n - :nerd_face: option `bind`: Not-recursively bind-mounted\n - :nerd_face: option `rbind`: Recursively bind-mounted\n - unimplemented options: `:z` and `:Z` (SELinux relabeling)\n- :whale: `--tmpfs`: Mount a tmpfs directory, e.g. `--tmpfs /tmp:size=64m,exec`.\n- :whale: `--mount`: Attach a filesystem mount to the container.\n Consists of multiple key-value pairs, separated by commas and each\n consisting of a `=` tuple.\n e.g., `-- mount type=bind,source=/src,target=/app,bind-propagation=shared`.\n - :whale: `type`: Current supported mount types are `bind`, `volume`, `tmpfs`.\n The default type will be set to `volume` if not specified.\n i.e., `--mount src=vol-1,dst=/app,readonly` equals `--mount type=volume,src=vol-1,dst=/app,readonly`\n - unimplemented type: `image`\n - Common Options:\n - :whale: `src`, `source`: Mount source spec for bind and volume. Mandatory for bind.\n - :whale: `dst`, `destination`, `target`: Mount destination spec.\n - :whale: `readonly`, `ro`, `rw`, `rro`: Filesystem permissions.\n - Options specific to `bind`:\n - :whale: `bind-propagation`: `shared`, `slave`, `private`, `rshared`, `rslave`, or `rprivate`(default).\n - :whale: `bind-nonrecursive`: `true` or `false`(default). If set to true, submounts are not recursively bind-mounted. This option is useful for readonly bind mount.\n - unimplemented options: `consistency`\n - Options specific to `tmpfs`:\n - :whale: `tmpfs-size`: Size of the tmpfs mount in bytes. Unlimited by default.\n - :whale: `tmpfs-mode`: File mode of the tmpfs in **octal**.\n Defaults to `1777` or world-writable.\n - Options specific to `volume`:\n - unimplemented options: `volume-nocopy`, `volume-label`, `volume-driver`, `volume-opt`\n- :whale: `--volumes-from`: Mount volumes from the specified container(s), e.g. \"--volumes-from my-container\".\n\nRootfs flags:\n\n- :whale: `--read-only`: Mount the container's root filesystem as read only\n- :nerd_face: `--rootfs`: The first argument is not an image but the rootfs to the exploded container.\n Corresponds to Podman CLI.\n\nEnv flags:\n\n- :whale: `--entrypoint`: Overwrite the default ENTRYPOINT of the image\n- :whale: `-w, --workdir`: Working directory inside the container\n- :whale: `-e, --env`: Set environment variables\n- :whale: `--env-file`: Set environment variables from file\n\nMetadata flags:\n\n- :whale: `--name`: Assign a name to the container\n- :whale: `-l, --label`: Set meta data on a container (Not passed through the OCI runtime since nerdctl v2.0, with an exception for `nerdctl/bypass4netns`)\n- :whale: `--label-file`: Read in a line delimited file of labels\n- :whale: `--annotation`: Add an annotation to the container (passed through to the OCI runtime)\n- :whale: `--cidfile`: Write the container ID to the file\n- :nerd_face: `--pidfile`: file path to write the task's pid. The CLI syntax conforms to Podman convention.\n\nHealth check flags:\n\n- :whale: `--health-cmd`: Command to run to check container health\n- :whale: `--health-interval`: Time between running the check (e.g., 30s, 1m)\n- :whale: `--health-timeout`: Time to wait before considering the check failed (e.g., 5s)\n- :whale: `--health-retries`: Number of failures before container is considered unhealthy\n- :whale: `--health-start-period`: Start period for the container to initialize before starting health-retries countdown\n- :whale: `--health-start-interval`: Interval between checks during the start period\n- :whale: `--no-healthcheck`: Disable any health checks defined by image or CLI\n\nLogging flags:\n\n- :whale: `--log-driver=(json-file|journald|fluentd|syslog|none)`: Logging driver for the container (default `json-file`).\n - :whale: `--log-driver=json-file`: The logs are formatted as JSON. The default logging driver for nerdctl.\n - The `json-file` logging driver supports the following logging options:\n - :whale: `--log-opt=max-size=`: The maximum size of the log before it is rolled. A positive integer plus a modifier representing the unit of measure (k, m, or g). Defaults to unlimited.\n - :whale: `--log-opt=max-file=`: The maximum number of log files that can be present. If rolling the logs creates excess files, the oldest file is removed. Only effective when `max-size` is also set. A positive integer. Defaults to 1.\n - :nerd_face: `--log-opt=log-path=`: The log path where the logs are written. The path will be created if it does not exist. If the log file exists, the old file will be renamed to `.1`.\n - Default: `////-json.log`\n - Example: `/var/lib/nerdctl/1935db59/containers/default//-json.log`\n - :whale: `--log-opt labels=production_status,geo`: A comma-separated list of logging-related labels this daemon accepts.\n - :whale: `--log-opt env=os,customer`: A comma-separated list of logging-related environment variables this daemon accepts.\n - :whale: `--log-driver=journald`: Writes log messages to `journald`. The `journald` daemon must be running on the host machine.\n - :whale: `--log-opt=tag=