test(container): assert OCI Config.User is unset in static-image checks #17621
christopherco wants to merge 1 commit into
Corresponding OCI test fixtures and static test for #17619
Pull request overview
Adds a shared static-image-checks assertion for Azure Linux container images to ensure OCI config.User is not explicitly set, aligning container image metadata with AZL 3.0 and common base-image conventions. This expands the static test suite coverage to distroless container images and introduces a small helper to inspect OCI config without unpacking.
Changes:
- Add `inspect_oci_config()` helper that runs `skopeo inspect --config` and parses the OCI config JSON.
- Add a session-scoped `oci_image_config` fixture (container-only; cleanly skips for VM images) and a shared test validating `Config.User` is absent.
- Wire distroless container images into `static-image-checks` and declare container capabilities (including `runtime-package-management = false`).
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| base/images/tests/utils/extract.py | Adds inspect_oci_config() helper to fetch OCI config JSON via skopeo. |
| base/images/tests/README.md | Documents the new shared container test and the oci_image_config fixture. |
| base/images/tests/conftest.py | Adds oci_image_config session fixture gated by image_type. |
| base/images/tests/cases/test_oci_config.py | Introduces shared test asserting OCI config.User key is absent. |
| base/images/images.toml | Enables static-image-checks and capability declarations for distroless container images. |
reubeno left a comment
Love the idea of the test! A couple of quick comments.
| [images.container-distroless-minimal] | ||
| description = "Container Distroless Minimal Image" | ||
| definition = { type = "kiwi", path = "container-base/container-base.kiwi", profile = "distroless-minimal" } | ||
| tests.test-suites = [{ name = "static-image-checks" }] |
Thanks for the metadata updates here; their omission on the distroless containers was an oversight.
| from __future__ import annotations | ||
|
|
||
|
|
||
| def test_no_explicit_config_user(oci_image_config: dict[str, object]) -> None: |
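Review bot: on `def test_no_explicit_config_user(oci_image_config: dict[str, object])`, the `dict[str, object]` annotation does not say whether the fixture hands over the whole image configuration document or only its nested `config` object, and `User` lives in the nested object. A one-line docstring stating which level the test inspects, or a narrower fixture type, would keep a top-level `"User" not in ...` check from passing vacuously.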
Should use a marker, e.g.: @pytest.mark.require_capability with an appropriate capability if there is one.
Added the container capability
Add a shared static-image-checks test that fails if a container image's
OCI manifest declares an explicit Config.User (e.g. user="root" in the
kiwi <containerconfig>). An explicit user diverges from the unset default
used by AZL 3.0 and mainstream base images.
- conftest: new session fixture `oci_image_config` returning the parsed
`skopeo inspect --config` output.
- extract: `inspect_oci_config()` helper using `skopeo inspect --config`
(skopeo is already a declared container tool; no umoci needed).
- cases/test_oci_config.py: shared test gated on the `container`
capability via `@pytest.mark.require_capability("container")` (matching
the existing test_packages.py convention) so it runs for every
container image family and skips VM images. Asserts `User` is absent
from the OCI config (an explicit empty string also fails).
- images.toml: wire the three distroless images into static-image-checks
with a `container = true` capability table so the new test covers them
(package tests correctly skip — no runtime-package-management).
Fixes: AB#20622
Signed-off-by: Chris Co <chrco@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
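The check this commit message describes, sketched as an added example (not the PR's code): it tests for presence of the `User` key in the nested `config` object of the `skopeo inspect --config` output, so an explicit empty string fails as well. The names `read_image_config`, `user_is_unset`, `failing_images` and the sample documents are assumptions constructed for illustration.

```python
from __future__ import annotations

import json
import subprocess


def read_image_config(image_ref: str) -> dict:
    """Hypothetical helper: fetch the image config JSON via skopeo, no unpacking.

    image_ref is a skopeo reference such as "oci-archive:<path-to-image>".
    """
    out = subprocess.run(
        ["skopeo", "inspect", "--config", image_ref],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


def user_is_unset(image_config: dict) -> bool:
    """True only when the nested "config" object carries no "User" key at all.

    Key presence is the test, not truthiness: "User": "" is still an
    explicit declaration and must fail.
    """
    runtime = image_config.get("config")
    if not isinstance(runtime, dict):  # "config" is optional in the OCI schema
        return True
    return "User" not in runtime


# Constructed sample documents (not taken from any real image).
SAMPLES = {
    "unset": '{"architecture": "amd64", "os": "linux", "config": {"Env": ["PATH=/usr/bin"]}}',
    "root": '{"architecture": "amd64", "os": "linux", "config": {"User": "root"}}',
    "empty-string": '{"architecture": "amd64", "os": "linux", "config": {"User": ""}}',
    "no-config-object": '{"architecture": "amd64", "os": "linux"}',
}


def failing_images(samples: dict[str, str]) -> list[str]:
    """Names of the samples that declare an explicit user, in sorted order."""
    return sorted(n for n, doc in samples.items() if not user_is_unset(json.loads(doc)))


if __name__ == "__main__":
    print(failing_images(SAMPLES))
```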
f84b96e to d344d8d