tls: move remotesystem cert generation into bats setup

Signed-off-by: Andrew Melnick <[email protected]>

Author: meln5674

Makefile

@@ -708,52 +708,22 @@ localmachine:
 	@echo /define.gitCommit=$(GIT_COMMIT)
 	$(MAKE) ginkgo-run GINKGO_PARALLEL=n TAGS="$(REMOTETAGS)" GINKGO_FLAKE_ATTEMPTS=0 FOCUS_FILE=$(FOCUS_FILE) GINKGOWHAT=pkg/machine/e2e/.
 
-REMOTESYSTEM_TCP_PORT ?= 8080
-REMOTESYSTEM_TLS_CA_CRT ?= $(CURDIR)/bin/remotesystem.ca.crt.pem
-REMOTESYSTEM_TLS_CA_KEY ?= $(CURDIR)/bin/remotesystem.ca.key.pem
-REMOTESYSTEM_TLS_SERVER_CRT ?= $(CURDIR)/bin/remotesystem.server.crt.pem
-REMOTESYSTEM_TLS_SERVER_KEY ?= $(CURDIR)/bin/remotesystem.server.key.pem
-REMOTESYSTEM_TLS_CLIENT_CRT ?= $(CURDIR)/bin/remotesystem.client.crt.pem
-REMOTESYSTEM_TLS_CLIENT_KEY ?= $(CURDIR)/bin/remotesystem.client.key.pem
-REMOTESYSTEM_TLS_BOGUS_CRT ?= $(CURDIR)/bin/remotesystem.bogus.crt.pem
-REMOTESYSTEM_TLS_BOGUS_KEY ?= $(CURDIR)/bin/remotesystem.bogus.key.pem
-
-export \
-	REMOTESYSTEM_TCP_PORT \
-	REMOTESYSTEM_TLS_CA_KEY \
-	REMOTESYSTEM_TLS_CA_CRT \
-	REMOTESYSTEM_TLS_SERVER_CRT \
-	REMOTESYSTEM_TLS_SERVER_KEY \
-	REMOTESYSTEM_TLS_CLIENT_CRT \
-	REMOTESYSTEM_TLS_CLIENT_KEY \
-	REMOTESYSTEM_TLS_BOGUS_CRT \
-	REMOTESYSTEM_TLS_BOGUS_KEY
-
-$(REMOTESYSTEM_TLS_CA_CRT) $(REMOTESYSTEM_TLS_CA_KEY) \
-$(REMOTESYSTEM_TLS_CLIENT_CRT) $(REMOTESYSTEM_TLS_CLIENT_KEY) \
-$(REMOTESYSTEM_TLS_SERVER_CRT) $(REMOTESYSTEM_TLS_SERVER_KEY) \
-$(REMOTESYSTEM_TLS_BOGUS_CRT) $(REMOTESYSTEM_TLS_BOGUS_KEY) \
-&:
-	source hack/remotesystem.env ; remotesystem-gen-tls
-
 .PHONY: localsystem
-localsystem: $(REMOTESYSTEM_TLS_CA_CRT) $(REMOTESYSTEM_TLS_SERVER_CRT) $(REMOTESYSTEM_TLS_CLIENT_CRT) $(REMOTESYSTEM_TLS_BOGUS_CRT)
+localsystem:
 	# Wipe existing config, database, and cache: start with clean slate.
 	$(RM) -rf ${HOME}/.local/share/containers ${HOME}/.config/containers
 	PODMAN=$(CURDIR)/bin/podman QUADLET=$(CURDIR)/bin/quadlet bats -T --filter-tags '!ci:parallel' test/system/
 	PODMAN=$(CURDIR)/bin/podman QUADLET=$(CURDIR)/bin/quadlet bats -T --filter-tags ci:parallel -j $$(nproc) test/system/
 
 
 .PHONY: remotesystem
-remotesystem: $(REMOTESYSTEM_TLS_CA_CRT) $(REMOTESYSTEM_TLS_SERVER_CRT) $(REMOTESYSTEM_TLS_CLIENT_CRT) $(REMOTESYSTEM_TLS_BOGUS_CRT)
+remotesystem:
 	# Wipe existing config, database, and cache: start with clean slate.
 	$(RM) -rf ${HOME}/.local/share/containers ${HOME}/.config/containers
-	source hack/remotesystem.env ; \
-	set -x ; \
-	remotesystem-ensure-timeout-cmd $@ || exit ; \
-	remotesystem-podman-service $(REMOTESYSTEM_TRANSPORT) $(PODMAN_SERVER_LOG) && \
-	remotesystem-wait-podman-service $(REMOTESYSTEM_TRANSPORT) && \
-	remotesystem-bats $(REMOTESYSTEM_TRANSPORT) $(CURDIR)/bin/podman-remote
+	PODMAN=$(CURDIR)/bin/podman-remote QUADLET=$(CURDIR)/bin/quadlet \
+		bats -T --filter-tags '!ci:parallel' test/system/
+	PODMAN=$(CURDIR)/bin/podman-remote QUADLET=$(CURDIR)/bin/quadlet \
+		bats -T --filter-tags ci:parallel -j $$(nproc) test/system/
 
 .PHONY: localapiv2-bash
 localapiv2-bash:

hack/remotesystem.env

@@ -392,6 +392,9 @@ $c2[ ]\+tcp://localhost:54321[ ]\+true[ ]\+true" \
     if [[ "${REMOTESYSTEM_TRANSPORT}" =~ tcp|tls|mtls ]]; then
         run_podman_remote --remote info --format '{{.Host.RemoteSocket.Path}}'
         assert "$output" =~ "tcp://localhost:${REMOTESYSTEM_TCP_PORT}"
+    elif [[ "${REMOTESYSTEM_TRANSPORT}" =~ unix ]]; then
+        run_podman_remote --remote info --format '{{.Host.RemoteSocket.Path}}'
+        assert "$output" =~ "unix://${REMOTESYSTEM_UNIX_SOCK}"
     else
       # This only works in upstream CI, where we run with a nonstandard socket.
       # In gating we use the default /run/...

test/system/272-system-connection.bats

@@ -14,7 +14,7 @@ function setup() {
 
 function teardown() {
   # Ignore exit status: this is just a backup stop in case tests failed
-  run systemctl stop "$SERVICE_NAME"
+  run systemctl-user stop "$SERVICE_NAME"
   rm -f $PODMAN_TMPDIR/myunix.sock
 
   basic_teardown
@@ -25,7 +25,7 @@ function teardown() {
 
   URL=unix:$PODMAN_TMPDIR/myunix.sock
 
-  systemd-run --unit=$SERVICE_NAME ${PODMAN%%-remote*} system service $URL --time=0
+  systemd-run-user --unit=$SERVICE_NAME ${PODMAN%%-remote*} system service $URL --time=0
   wait_for_file $PODMAN_TMPDIR/myunix.sock
 
   # Variable works
@@ -44,7 +44,7 @@ function teardown() {
     run --rm -i $IMAGE /bin/sh -c 'echo -n foo; sleep 0.1; echo -n bar; sleep 0.1; echo -n baz'
   is "$output" foobarbaz
 
-  systemctl stop $SERVICE_NAME
+  systemctl-user stop $SERVICE_NAME
   rm -f $PODMAN_TMPDIR/myunix.sock
 }
 
@@ -54,7 +54,7 @@ function teardown() {
   port=$(random_free_port)
   URL=tcp://127.0.0.1:$port
 
-  systemd-run --unit=$SERVICE_NAME ${PODMAN%%-remote*} system service $URL --time=0
+  systemd-run-user --unit=$SERVICE_NAME ${PODMAN%%-remote*} system service $URL --time=0
   wait_for_port 127.0.0.1 $port
 
   # Variable works
@@ -73,7 +73,7 @@ function teardown() {
     run --rm -i $IMAGE /bin/sh -c 'echo -n foo; sleep 0.1; echo -n bar; sleep 0.1; echo -n baz'
   is "$output" foobarbaz
 
-  systemctl stop $SERVICE_NAME
+  systemctl-user stop $SERVICE_NAME
 }
 
 @test "tls remote" {
@@ -82,7 +82,7 @@ function teardown() {
   port=$(random_free_port)
   URL=tcp://127.0.0.1:$port
 
-  systemd-run --unit=$SERVICE_NAME ${PODMAN%%-remote*} system service $URL --time=0 \
+  systemd-run-user --unit=$SERVICE_NAME ${PODMAN%%-remote*} system service $URL --time=0 \
     --tls-key="${REMOTESYSTEM_TLS_SERVER_KEY}" \
     --tls-cert="${REMOTESYSTEM_TLS_SERVER_CRT}"
   wait_for_port 127.0.0.1 $port
@@ -106,7 +106,7 @@ function teardown() {
     run --rm -i $IMAGE /bin/sh -c 'echo -n foo; sleep 0.1; echo -n bar; sleep 0.1; echo -n baz'
   is "$output" foobarbaz
 
-  systemctl stop $SERVICE_NAME
+  systemctl-user stop $SERVICE_NAME
 }
 
 @test "mtls remote" {
@@ -115,7 +115,7 @@ function teardown() {
   port=$(random_free_port)
   URL=tcp://127.0.0.1:$port
 
-  systemd-run --unit=$SERVICE_NAME ${PODMAN%%-remote*} system service $URL --time=0 \
+  systemd-run-user --unit=$SERVICE_NAME ${PODMAN%%-remote*} system service $URL --time=0 \
     --tls-client-ca="${REMOTESYSTEM_TLS_CA_CRT}" \
     --tls-key="${REMOTESYSTEM_TLS_SERVER_KEY}" \
     --tls-cert="${REMOTESYSTEM_TLS_SERVER_CRT}"
@@ -146,5 +146,5 @@ function teardown() {
     run --rm -i $IMAGE /bin/sh -c 'echo -n foo; sleep 0.1; echo -n bar; sleep 0.1; echo -n baz'
   is "$output" foobarbaz
 
-  systemctl stop $SERVICE_NAME
+  systemctl-user stop $SERVICE_NAME
 }

test/system/273-remote-spot-check.bats

@@ -63,9 +63,12 @@ EOF
         url="${PODMAN##*--url }"
         url="${url%% *}"
         op='='
-    elif [[ "${REMOTESYSTEM_TRANSPORT}" =~ tcp|tls|mtls ]]; then
+    elif is_remote && [[ "${REMOTESYSTEM_TRANSPORT}" =~ tcp|tls|mtls ]]; then
         url="tcp://localhost:${REMOTESYSTEM_TCP_PORT}"
         op='='
+    elif is_remote && [[ "${REMOTESYSTEM_TRANSPORT}" =~ unix ]]; then
+        url="unix://${REMOTESYSTEM_UNIX_SOCK}"
+        op='='
     fi
     # podman-remote test might run with --url so unset this because the socket will be used otherwise
     CONTAINERS_CONF_OVERRIDE=$compose_conf run_podman compose env