From 8cf872c7491adeeb80b4e132fab49b3a9363853c Mon Sep 17 00:00:00 2001 From: konard Date: Wed, 10 Jun 2026 14:25:36 +0000 Subject: [PATCH 1/2] Initial commit with task details Adding .gitkeep for PR creation (default mode). This file will be removed when the task is complete. Issue: https://github.com/link-foundation/box/issues/96
---
 .gitkeep | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .gitkeep
diff --git a/.gitkeep b/.gitkeep
new file mode 100644
index 0000000..79eb50a
--- /dev/null
+++ b/.gitkeep
@@ -0,0 +1 @@
+# .gitkeep file auto-generated at 2026-06-10T14:25:36.200Z for PR creation at branch issue-96-9e584ef3ffff for issue https://github.com/link-foundation/box/issues/96
\ No newline at end of file
From 98a45267a7faf7c6c12b00b59d0a680ba4f87630 Mon Sep 17 00:00:00 2001
From: konard Date: Wed, 10 Jun 2026 14:40:01 +0000 Subject: [PATCH 2/2] test(dind): assert public-mode passthrough actually copies a public host image (issue #96) The host-image passthrough test only asserted the negative path for the default public mode: a locally-built fixture (no RepoDigest) is skipped. The positive path the feature exists for - a genuinely public image (carrying a RepoDigest from an allowlisted registry) IS copied into the inner daemon - was structurally untested. The throwaway host daemon was seeded with only the offline fixture, so public mode had no eligible image at all and a 'public copies nothing' regression would ship green. Seed the throwaway host daemon with a real pulled alpine:3.20 (pulling is what records a RepoDigest; docker save/load does not preserve one) and assert in the public-mode block that the image lands in the inner daemon and is logged as loaded. Closes the false-positive gap downstream (link-assistant/hive-mind#1879) relies on. Also drop the stray root .gitkeep PR-creation artifact. Fixes #96
---
 ...6-public-passthrough-positive-assertion.md | 5 ++++
 .gitkeep | 1 -
 tests/dind/example-preload-images.sh | 26 ++++++++++++++++++-
 3 files changed, 30 insertions(+), 2 deletions(-)
 create mode 100644 .changeset/issue-96-public-passthrough-positive-assertion.md
 delete mode 100644 .gitkeep
diff --git a/.changeset/issue-96-public-passthrough-positive-assertion.md b/.changeset/issue-96-public-passthrough-positive-assertion.md
new file mode 100644
index 0000000..eee3693
--- /dev/null
+++ b/.changeset/issue-96-public-passthrough-positive-assertion.md
@@ -0,0 +1,5 @@
+---
+bump: patch
+---
+
+dind-box: close a false-positive coverage gap in the host-image passthrough test (issue #96). `tests/dind/example-preload-images.sh` previously only asserted that `public` mode skips a locally-built fixture (no RepoDigest); it never asserted the positive path — that a genuinely public image (carrying a RepoDigest from an allowlisted registry) IS copied into the inner daemon. The throwaway host daemon is now also seeded with a real pulled `alpine:3.20`, and the `public`-mode block asserts that image lands in the nested daemon and is logged as loaded. A "public copies nothing" regression — the exact symptom downstream (`link-assistant/hive-mind#1879`) relies on not happening — now fails CI instead of shipping green.
diff --git a/.gitkeep b/.gitkeep
deleted file mode 100644
index 79eb50a..0000000
--- a/.gitkeep
+++ /dev/null
@@ -1 +0,0 @@
-# .gitkeep file auto-generated at 2026-06-10T14:25:36.200Z for PR creation at branch issue-96-9e584ef3ffff for issue https://github.com/link-foundation/box/issues/96
\ No newline at end of file
diff --git a/tests/dind/example-preload-images.sh b/tests/dind/example-preload-images.sh
index be16206..c94939c 100755
--- a/tests/dind/example-preload-images.sh
+++ b/tests/dind/example-preload-images.sh
@@ -145,6 +145,17 @@ log "throwaway host daemon is ready"
 docker exec -i "$host_daemon_container" \
 docker -H unix:///sockets/docker.sock load < "$tarball_dir/image.tar"
+# Also seed it with a genuinely public image. Pulling it from a public registry
+# is what records a RepoDigest (docker save/load does NOT preserve one), so this
+# is the "freely re-pullable" case the default public mode MUST pass through.
+# This is the positive counterpart to the fixture: without it, public mode has no
+# eligible image and a "public copies nothing" regression would ship green.
+public_image="alpine:3.20"
+log "pulling a real public image (${public_image}) into the throwaway host daemon"
+if ! $host_docker pull "$public_image" >/dev/null; then
+ fail "could not pull ${public_image} into the throwaway host daemon (network required)"
+fi
+
 # all mode: every tagged host image is copied, including this local fixture.
 log "starting consumer with DIND_HOST_PASSTHROUGH=all"
 run_dind_container "$all_container" \
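Review bot: The added `if ! $host_docker pull "$public_image"` step is the only thing that gives the seed image a RepoDigest, yet nothing verifies that precondition before the public-mode assertions depend on it. Checking it right after the pull, for example `$host_docker image inspect --format '{{.RepoDigests}}' "$public_image" | grep -q '@sha256:' || fail "seed image ${public_image} has no RepoDigest"`, would separate a seeding problem from a real passthrough regression. `alpine:3.20` is also a mutable tag fetched over the network on every run, so the image under test can change between CI runs and the job is exposed to registry rate limits; if digest pinning is considered, confirm first that a digest-pinned pull still leaves the tag that the later assertions look up by name. `$host_docker` is defined outside this hunk and is expanded unquoted here, which presumably relies on word splitting.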
@@ -174,6 +185,19 @@ if ! docker logs "$public_container" 2>&1 | grep -q "host-image passthrough (mod
 docker logs "$public_container" >&2 || true
 fail "expected the consumer to run host-image passthrough in public mode"
 fi
-log "public-mode passthrough correctly skipped the local fixture (security filter held)"
+# Positive assertion: a host image carrying a RepoDigest from an allowlisted
+# public registry MUST land in the inner daemon. This is the behavior downstream
+# relies on (link-assistant/hive-mind#1879) and the path the suite previously
+# left structurally untested, so a "public copies nothing" regression now fails.
+if ! docker exec "$public_container" docker image inspect "$public_image" >/dev/null 2>&1; then
+ docker logs "$public_container" >&2 || true
+ docker exec "$public_container" docker images >&2 || true
+ fail "public mode must pass through a host image that has a public RepoDigest (${public_image})"
+fi
+if ! docker logs "$public_container" 2>&1 | grep -q "passthrough loading host image: ${public_image}"; then
+ docker logs "$public_container" >&2 || true
+ fail "expected public mode to log loading the public host image (${public_image})"
+fi
+log "public-mode passthrough copied the public image and skipped the local fixture (security filter held)"
 log "preload example passed"
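Review bot: The new `docker image inspect "$public_image"` check in the public-mode block only proves that an image with that name exists in the inner daemon, not that it is the image the host daemon held. Comparing the image ID reported by the host daemon with the one reported inside `$public_container` would tie the assertion to the passthrough copy itself; this assumes passthrough is a save/load that keeps the ID, which is not visible in this hunk. Separately, `grep -q "passthrough loading host image: ${public_image}"` treats the `.` in `3.20` as a regex wildcard, so `grep -qF` would match the tag literally. `$host_docker` and `fail` are defined outside this hunk.

```shell
# … unchanged: existence check with `docker image inspect` inside the public container …
host_image_id=$($host_docker image inspect --format '{{.Id}}' "$public_image")
inner_image_id=$(docker exec "$public_container" docker image inspect --format '{{.Id}}' "$public_image")
if [ -z "$host_image_id" ] || [ "$host_image_id" != "$inner_image_id" ]; then
  fail "public mode loaded ${public_image} with a different image ID than the host daemon holds"
fi
# … unchanged: log assertion and final log lines …
```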