Use custom dind for talking to insecure registry

jupyterhub · Feb 28, 2025 · a8369be · a8369be
1 parent 69e67a2
commit a8369be
Showing 1 changed file with 54 additions and 6 deletions.
diff --git a/tests/registry/test_registry.py b/tests/registry/test_registry.py
@@ -1,3 +1,5 @@
+import os
+import socket
 from pathlib import Path
 import subprocess
 import pytest
@@ -9,17 +11,62 @@
 
 HERE = Path(__file__).parent
 
-@pytest.fixture
-def registry():
+@pytest.fixture(scope="session")
+def dind(registry, host_ip):
+    port = get_free_port()
+    dind_image = "docker:dind"
+    subprocess.check_call(["docker", "pull", dind_image])
+    # This is insecure, because I'm disabling all kinds of authentication on the docker daemon.
+    # FIXME: Use TLS verification.
+    # but also docker this is your own fucking fault for making technical choices that force dockerhub
+    # to be the primary registry, so your registry handling sucks and forces these kinds of difficulties.
+    cmd = [
+        "docker", "run", "-e", 'DOCKER_TLS_CERTDIR=',
+        "--privileged", "-p", f"{port}:2376", dind_image,
+        "--host", "0.0.0.0:2376",
+        "--insecure-registry", registry,
+        "--tls=false"
+    ]
+    proc = subprocess.Popen(cmd)
+    time.sleep(5)
+
+    try:
+        yield f"tcp://{host_ip}:{port}"
+    finally:
+        proc.terminate()
+        proc.wait()
+
+@pytest.fixture(scope="session")
+def host_ip():
+    # Get the IP of the current machine, as we need to use the same IP
+    # for all our docker commands, *and* the dind we run needs to reach it
+    # in the same way.
+    # Thanks to https://stackoverflow.com/a/28950776
+    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+    s.settimeout(0)
+    try:
+        # doesn't even have to be reachable
+        s.connect(('10.254.254.254', 1))
+        host_ip = s.getsockname()[0]
+    finally:
+        s.close()
+
+    return host_ip
+
+@pytest.fixture(scope="session")
+def registry(host_ip):
     port = get_free_port()
     # Explicitly pull the image first so it runs on time
     registry_image =  "registry:3.0.0-rc.3"
     subprocess.check_call(["docker", "pull", registry_image])
+
+
     cmd = [
-        "docker", "run", "-p", f"{port}:5000", registry_image
+        "docker", "run", "--rm",
+        "-p", f"{port}:5000", registry_image
     ]
     proc = subprocess.Popen(cmd)
-    health_url = f'http://localhost:{port}/v2'
+    health_url = f'http://{host_ip}:{port}/v2'
     # Wait for the registry to actually come up
     for i in range(10):
         try:
@@ -34,19 +81,20 @@ def registry():
         raise TimeoutError("Test registry did not come up in time")
 
     try:
-        yield f"localhost:{port}"
+        yield f"{host_ip}:{port}"
     finally:
         proc.terminate()
         proc.wait()
 
 
-def test_registry(registry):
+def test_registry(registry, dind):
     image_name = f"{registry}/{secrets.token_hex(8)}:latest"
     r2d = make_r2d([
         "--image", image_name,
         "--push", "--no-run", str(HERE)
     ])
 
+    os.environ["DOCKER_HOST"] = dind
     r2d.start()
 
     proc = subprocess.run(["docker", "manifest", "inspect", "--insecure", image_name])