Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Move secret-verify-leak containerfile into its own Directory #13457

Merged
merged 1 commit into from
Mar 8, 2022

Conversation

ashley-cui
Copy link
Member

Secret-verify-leak is causing flakes, when running in parallel tests.
This is because remote secrets are copied into the context directory to
send to the API server, and secret-verify-leak is doing a COPY * and
then checking if the temporary secret file ends up in the container or
not. Since all the temporary files are prefixed with
"podman-build-secret", this test checks if podman-build-secret is in the
image. However, when run in parallel with other tests, other temporary
podman-build-secrets might be in the context dir. Moving
secret-verify-leak into its own directory makes sure that the context
dir is used only by this one test.

Also renamed Dockerfile -> Containerfile and cleaned up unused
Containerfiles.

Signed-off-by: Ashley Cui acui@redhat.com

Fixes: #13417

Secret-verify-leak is causing flakes, when running in parallel tests.
This is because remote secrets are copied into the context directory to
send to the API server, and secret-verify-leak is doing a COPY * and
then checking if the temporary secret file ends up in the container or
not. Since all the temporary files are prefixed with
"podman-build-secret", this test checks if podman-build-secret is in the
image. However, when run in parallel with other tests, other temporary
podman-build-secrets might be in the context dir. Moving
secret-verify-leak into its own directory makes sure that the context
dir is used only by this one test.

Also renamed Dockerfile -> Containerfile and cleaned up unused
Containerfiles.

Signed-off-by: Ashley Cui <acui@redhat.com>
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 8, 2022
@edsantiago
Copy link
Member

LGTM, thank you!

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Mar 8, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ashley-cui, flouthoc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [ashley-cui,flouthoc]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@rhatdan
Copy link
Member

rhatdan commented Mar 8, 2022

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 8, 2022
@openshift-merge-robot openshift-merge-robot merged commit a08e4e5 into containers:main Mar 8, 2022
@ashley-cui ashley-cui deleted the flake branch June 3, 2022 17:51
ashley-cui added a commit to ashley-cui/podman that referenced this pull request Jun 3, 2022
Setting the build context to a dedicated subdir makes sure that the test does not
flake when running in parallel, as the test is isolated from other tests
that may dump secrets in a higher level context dir.

This should have been done in
containers#13457, as this makes that PR
actually work.

Signed-off-by: Ashley Cui <acui@redhat.com>
mheon pushed a commit to mheon/libpod that referenced this pull request Jun 14, 2022
Setting the build context to a dedicated subdir makes sure that the test does not
flake when running in parallel, as the test is isolated from other tests
that may dump secrets in a higher level context dir.

This should have been done in
containers#13457, as this makes that PR
actually work.

Signed-off-by: Ashley Cui <acui@redhat.com>
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

CI flake: secret file is not leaked into image
5 participants